Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock

Please unblock package gnutls28.

This upload cherry-picks the recommended fixes[1] from upstream latest stable release (3.6.8) and fixes #929907.

+ 40_rel3.6.8_01-gnutls_srp_entry_free-follow-consistent-behavior-in.patch
  The gnutls_srp_set_server_credentials_function can be used with the 8192 parameters as well.
  https://gitlab.com/gnutls/gnutls/issues/761
+ 40_rel3.6.8_05-lib-nettle-fix-carry-flag-in-Streebog-code.patch
  Fix calculation of Streebog digests (incorrect carry operation in 512 bit addition).
+ 40_rel3.6.8_10-ext-record_size_limit-distinguish-sending-and-receiv.patch
  Fix compatibility of GnuTLS 3.6.[456] server with GnuTLS 3.6.7 client.
  Closes: #929907
+ 40_rel3.6.8_15-Apply-STD3-ASCII-rules-in-gnutls_idna_map.patch
  Apply STD3 ASCII rules in gnutls_idna_map() to prevent hostname/domain crafting via IDNA conversion.
  https://gitlab.com/gnutls/gnutls/issues/720
+ 40_rel3.6.8_20-pubkey-remove-deprecated-TLS1_RSA-flag-check.patch
  Fixed bug preventing the use of gnutls_pubkey_verify_data2() and gnutls_pubkey_verify_hash2() with the GNUTLS_VERIFY_DISABLE_CA_SIGN flag.
  https://gitlab.com/gnutls/gnutls/issues/754

(explain the reason for the unblock here)

(include/attach the debdiff against the package in testing)

unblock gnutls28/3.6.7-4

cu Andreas

[1] https://lists.gnutls.org/pipermail/gnutls-help/2019-June/004552.html

I have left out the fix for the DH security hardening measure in this upload as it adds new symbols.

[The following lists of changes regard files as different if they have different names, permissions or owners.] Files only in first set of .debs, found in package libgnutls-dane0-dbgsym ------------------------------------------------------------------------- -rw-r--r-- root/root /usr/lib/debug/.build-id/d5/67cd17694664c4204ff158450183359925afb1.debug Files only in first set of .debs, found in package libgnutls-openssl27-dbgsym ----------------------------------------------------------------------------- -rw-r--r-- root/root /usr/lib/debug/.build-id/6c/cd7f2e8735b2f7448f0757271b8413bbaac807.debug Files only in first set of .debs, found in package libgnutls30-dbgsym --------------------------------------------------------------------- -rw-r--r-- root/root /usr/lib/debug/.build-id/fe/becd51bb621afd4a8f0352f55d6c2ed96df57a.debug New files in second set of .debs, found in package libgnutls-dane0-dbgsym ------------------------------------------------------------------------- -rw-r--r-- root/root /usr/lib/debug/.build-id/d3/28298de34135fca5f236357f2f2dd56cb109f3.debug New files in second set of .debs, found in package libgnutls-openssl27-dbgsym ----------------------------------------------------------------------------- -rw-r--r-- root/root /usr/lib/debug/.build-id/fe/4c3c0c38af44779c38ae5d1e187b6250f7afe0.debug New files in second set of .debs, found in package libgnutls30-dbgsym --------------------------------------------------------------------- -rw-r--r-- root/root /usr/lib/debug/.build-id/4d/66d28cd2e7537e1e1d2905595b260226b22ad2.debug Control files of package gnutls-bin: lines which differ (wdiff format) ---------------------------------------------------------------------- Version: [-3.6.7-3-] {+3.6.7-4+} Control files of package gnutls-bin-dbgsym: lines which differ (wdiff format) ----------------------------------------------------------------------------- Depends: gnutls-bin (= [-3.6.7-3)-] {+3.6.7-4)+} Version: [-3.6.7-3-] {+3.6.7-4+} Control files of 
package gnutls-doc: lines which differ (wdiff format) ---------------------------------------------------------------------- Version: [-3.6.7-3-] {+3.6.7-4+} Control files of package libgnutls-dane0: lines which differ (wdiff format) --------------------------------------------------------------------------- Depends: libgnutls30 (= [-3.6.7-3),-] {+3.6.7-4),+} libc6 (>= 2.14), libunbound8 (>= 1.8.0) Version: [-3.6.7-3-] {+3.6.7-4+} Control files of package libgnutls-dane0-dbgsym: lines which differ (wdiff format) ---------------------------------------------------------------------------------- Build-Ids: [-d567cd17694664c4204ff158450183359925afb1-] {+d328298de34135fca5f236357f2f2dd56cb109f3+} Depends: libgnutls-dane0 (= [-3.6.7-3)-] {+3.6.7-4)+} Version: [-3.6.7-3-] {+3.6.7-4+} Control files of package libgnutls-openssl27: lines which differ (wdiff format) ------------------------------------------------------------------------------- Depends: libgnutls30 (= [-3.6.7-3),-] {+3.6.7-4),+} libc6 (>= 2.14) Version: [-3.6.7-3-] {+3.6.7-4+} Control files of package libgnutls-openssl27-dbgsym: lines which differ (wdiff format) -------------------------------------------------------------------------------------- Build-Ids: [-6ccd7f2e8735b2f7448f0757271b8413bbaac807-] {+fe4c3c0c38af44779c38ae5d1e187b6250f7afe0+} Depends: libgnutls-openssl27 (= [-3.6.7-3)-] {+3.6.7-4)+} Version: [-3.6.7-3-] {+3.6.7-4+} Control files of package libgnutls28-dev: lines which differ (wdiff format) --------------------------------------------------------------------------- Depends: libc6-dev | libc-dev, libgnutls-dane0 (= [-3.6.7-3),-] {+3.6.7-4),+} libgnutls-openssl27 (= [-3.6.7-3),-] {+3.6.7-4),+} libgnutls30 (= [-3.6.7-3),-] {+3.6.7-4),+} libgnutlsxx28 (= [-3.6.7-3),-] {+3.6.7-4),+} libidn2-dev, libp11-kit-dev (>= 0.23.10), libtasn1-6-dev, nettle-dev (>= 3.4.1~rc1) Installed-Size: [-4312-] {+4313+} Version: [-3.6.7-3-] {+3.6.7-4+} Control files of package libgnutls30: lines which differ (wdiff 
format) ----------------------------------------------------------------------- Version: [-3.6.7-3-] {+3.6.7-4+} Control files of package libgnutls30-dbgsym: lines which differ (wdiff format) ------------------------------------------------------------------------------ Build-Ids: [-febecd51bb621afd4a8f0352f55d6c2ed96df57a-] {+4d66d28cd2e7537e1e1d2905595b260226b22ad2+} Depends: libgnutls30 (= [-3.6.7-3)-] {+3.6.7-4)+} Installed-Size: [-4058-] {+4061+} Version: [-3.6.7-3-] {+3.6.7-4+} Control files of package libgnutlsxx28: lines which differ (wdiff format) ------------------------------------------------------------------------- Depends: libgnutls30 (= [-3.6.7-3),-] {+3.6.7-4),+} libc6 (>= 2.14), libgcc1 (>= 1:3.0), libstdc++6 (>= 5) Version: [-3.6.7-3-] {+3.6.7-4+} Control files of package libgnutlsxx28-dbgsym: lines which differ (wdiff format) -------------------------------------------------------------------------------- Depends: libgnutlsxx28 (= [-3.6.7-3)-] {+3.6.7-4)+} Version: [-3.6.7-3-] {+3.6.7-4+} diff -Nru gnutls28-3.6.7/debian/changelog gnutls28-3.6.7/debian/changelog --- gnutls28-3.6.7/debian/changelog 2019-05-19 10:48:52.000000000 +0200 +++ gnutls28-3.6.7/debian/changelog 2019-06-12 19:21:23.000000000 +0200 
@@ -1,3 +1,28 @@ +gnutls28 (3.6.7-4) unstable; urgency=medium + + * Cherry-pick important bug-fixes from 3.6.8: + + 40_rel3.6.8_01-gnutls_srp_entry_free-follow-consistent-behavior-in.patch + The gnutls_srp_set_server_credentials_function can be used with the 8192 + parameters as well. + https://gitlab.com/gnutls/gnutls/issues/761 + + 40_rel3.6.8_05-lib-nettle-fix-carry-flag-in-Streebog-code.patch + Fix calculation of Streebog digests (incorrect carry operation in + 512 bit addition). + + 40_rel3.6.8_10-ext-record_size_limit-distinguish-sending-and-receiv.patch + Fix compatibility of GnuTLS 3.6.[456] server with GnuTLS 3.6.7 client. + Closes: #929907 + + 40_rel3.6.8_15-Apply-STD3-ASCII-rules-in-gnutls_idna_map.patch + Apply STD3 ASCII rules in gnutls_idna_map() to prevent hostname/domain + crafting via IDNA conversion. + https://gitlab.com/gnutls/gnutls/issues/720 + + 40_rel3.6.8_20-pubkey-remove-deprecated-TLS1_RSA-flag-check.patch + Fixed bug preventing the use of gnutls_pubkey_verify_data2() and + gnutls_pubkey_verify_hash2() with the GNUTLS_VERIFY_DISABLE_CA_SIGN + flag. + https://gitlab.com/gnutls/gnutls/issues/754 + + -- Andreas Metzler <ametz...@debian.org> Wed, 12 Jun 2019 19:21:23 +0200 + gnutls28 (3.6.7-3) unstable; urgency=medium * Revert debhelper upgrade, use DH 10. diff -Nru gnutls28-3.6.7/debian/patches/40_rel3.6.8_01-gnutls_srp_entry_free-follow-consistent-behavior-in.patch gnutls28-3.6.7/debian/patches/40_rel3.6.8_01-gnutls_srp_entry_free-follow-consistent-behavior-in.patch --- gnutls28-3.6.7/debian/patches/40_rel3.6.8_01-gnutls_srp_entry_free-follow-consistent-behavior-in.patch 1970-01-01 01:00:00.000000000 +0100 +++ gnutls28-3.6.7/debian/patches/40_rel3.6.8_01-gnutls_srp_entry_free-follow-consistent-behavior-in.patch 2019-06-12 19:21:15.000000000 +0200 
@@ -0,0 +1,65 @@ +From 0bdca5d51f203cf414d645e75ac197e3fadfadc8 Mon Sep 17 00:00:00 2001 +From: Nikos Mavrogiannopoulos <n...@gnutls.org> +Date: Fri, 10 May 2019 06:30:12 +0200 +Subject: [PATCH] _gnutls_srp_entry_free: follow consistent behavior in freeing + data + +_gnutls_srp_entry_free would previously not free any parameters that +were known to gnutls to account for documented behavior of +gnutls_srp_set_server_credentials_function(). This was not updated +when the newly added 8192 parameter was added to the library. + +This introduces a safety check for generator parameters, even though +in practice they are the same pointer. + +Resolves: #761 + +Signed-off-by: Nikos Mavrogiannopoulos <n...@gnutls.org> +--- + NEWS | 3 +++ + lib/auth/srp_passwd.c | 12 ++++++++---- + 2 files changed, 11 insertions(+), 4 deletions(-) + +--- a/NEWS ++++ b/NEWS +@@ -47,6 +47,9 @@ See the end for copying conditions. + + ** gnutls-cli: Added option --logfile to redirect informational messages output. + ++** libgnutls: the gnutls_srp_set_server_credentials_function can be used ++ with the 8192 parameters as well (#995). ++ + ** API and ABI modifications: + No changes since last version. 
+ +--- a/lib/auth/srp_passwd.c ++++ b/lib/auth/srp_passwd.c +@@ -447,20 +447,24 @@ void _gnutls_srp_entry_free(SRP_PWD_ENTR + _gnutls_free_key_datum(&entry->v); + _gnutls_free_datum(&entry->salt); + +- if ((entry->g.data != gnutls_srp_1024_group_generator.data) +- && (entry->g.data != gnutls_srp_3072_group_generator.data)) ++ if ((entry->g.data != gnutls_srp_1024_group_generator.data) && ++ (entry->g.data != gnutls_srp_1536_group_generator.data) && ++ (entry->g.data != gnutls_srp_2048_group_generator.data) && ++ (entry->g.data != gnutls_srp_3072_group_generator.data) && ++ (entry->g.data != gnutls_srp_4096_group_generator.data) && ++ (entry->g.data != gnutls_srp_8192_group_generator.data)) + _gnutls_free_datum(&entry->g); + + if (entry->n.data != gnutls_srp_1024_group_prime.data && + entry->n.data != gnutls_srp_1536_group_prime.data && + entry->n.data != gnutls_srp_2048_group_prime.data && + entry->n.data != gnutls_srp_3072_group_prime.data && +- entry->n.data != gnutls_srp_4096_group_prime.data) ++ entry->n.data != gnutls_srp_4096_group_prime.data && ++ entry->n.data != gnutls_srp_8192_group_prime.data) + _gnutls_free_datum(&entry->n); + + gnutls_free(entry->username); + gnutls_free(entry); + } + +- + #endif /* ENABLE SRP */ diff -Nru gnutls28-3.6.7/debian/patches/40_rel3.6.8_05-lib-nettle-fix-carry-flag-in-Streebog-code.patch gnutls28-3.6.7/debian/patches/40_rel3.6.8_05-lib-nettle-fix-carry-flag-in-Streebog-code.patch --- gnutls28-3.6.7/debian/patches/40_rel3.6.8_05-lib-nettle-fix-carry-flag-in-Streebog-code.patch 1970-01-01 01:00:00.000000000 +0100 +++ gnutls28-3.6.7/debian/patches/40_rel3.6.8_05-lib-nettle-fix-carry-flag-in-Streebog-code.patch 2019-06-12 19:21:15.000000000 +0200 
@@ -0,0 +1,81 @@ +From c1441665abe761536b3ed67d36b12f2198be6b12 Mon Sep 17 00:00:00 2001 +From: Dmitry Eremin-Solenikov <dbarysh...@gmail.com> +Date: Tue, 7 May 2019 14:49:05 +0300 +Subject: [PATCH] lib/nettle: fix carry flag in Streebog code + +Fix carry flag being calculated incorrectly in Streebog code. + +Signed-off-by: Dmitry Eremin-Solenikov <dbarysh...@gmail.com> +--- + NEWS | 3 +++ + lib/crypto-selftests.c | 16 ++++++++++++++++ + lib/nettle/gost/streebog.c | 12 +++++++----- + 3 files changed, 26 insertions(+), 5 deletions(-) + +--- a/NEWS ++++ b/NEWS +@@ -50,6 +50,9 @@ See the end for copying conditions. + ** libgnutls: the gnutls_srp_set_server_credentials_function can be used + with the 8192 parameters as well (#995). + ++** libgnutls: Fix calculation of Streebog digests (incorrect carry operation in ++ 512 bit addition) ++ + ** API and ABI modifications: + No changes since last version. + +--- a/lib/crypto-selftests.c ++++ b/lib/crypto-selftests.c +@@ -1239,6 +1239,22 @@ const struct hash_vectors_st streebog_51 + "\x03\x5f\xe8\x35\x49\xad\xa2\xb8\x62\x0f\xcd\x7c\x49\x6c\xe5\xb3" + "\x3f\x0c\xb9\xdd\xdc\x2b\x64\x60\x14\x3b\x03\xda\xba\xc9\xfb\x28"), + }, ++ { ++ STR(plaintext, plaintext_size, ++ "\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"), ++ STR(output, output_size, ++ "\x90\xa1\x61\xd1\x2a\xd3\x09\x49\x8d\x3f\xe5\xd4\x82\x02\xd8\xa4" ++ "\xe9\xc4\x06\xd6\xa2\x64\xae\xab\x25\x8a\xc5\xec\xc3\x7a\x79\x62" ++ 
"\xaa\xf9\x58\x7a\x5a\xbb\x09\xb6\xbb\x81\xec\x4b\x37\x52\xa3\xff" ++ "\x5a\x83\x8e\xf1\x75\xbe\x57\x72\x05\x6b\xc5\xfe\x54\xfc\xfc\x7e"), ++ }, + }; + + /* GOST R 34.11-2012 */ +--- a/lib/nettle/gost/streebog.c ++++ b/lib/nettle/gost/streebog.c +@@ -1200,7 +1200,7 @@ static void + streebog512_compress (struct streebog512_ctx *ctx, const uint8_t *input, size_t count) + { + uint64_t M[8]; +- uint64_t l; ++ uint64_t l, cf; + int i; + + for (i = 0; i < 8; i++, input += 8) +@@ -1219,12 +1219,14 @@ streebog512_compress (struct streebog512 + } + } + ++ cf = 0; + ctx->sigma[0] += M[0]; + for (i = 1; i < 8; i++) +- if (ctx->sigma[i-1] < M[i-1]) +- ctx->sigma[i] += M[i] + 1; +- else +- ctx->sigma[i] += M[i]; ++ { ++ if (ctx->sigma[i-1] != M[i-1]) ++ cf = (ctx->sigma[i-1] < M[i-1]); ++ ctx->sigma[i] += M[i] + cf; ++ } + } + + static void diff -Nru gnutls28-3.6.7/debian/patches/40_rel3.6.8_10-ext-record_size_limit-distinguish-sending-and-receiv.patch gnutls28-3.6.7/debian/patches/40_rel3.6.8_10-ext-record_size_limit-distinguish-sending-and-receiv.patch --- gnutls28-3.6.7/debian/patches/40_rel3.6.8_10-ext-record_size_limit-distinguish-sending-and-receiv.patch 1970-01-01 01:00:00.000000000 +0100 +++ gnutls28-3.6.7/debian/patches/40_rel3.6.8_10-ext-record_size_limit-distinguish-sending-and-receiv.patch 2019-06-12 19:21:15.000000000 +0200 
@@ -0,0 +1,312 @@ +From 2dc96e3b8d0e043bebf0815edaaa945f66ac0531 Mon Sep 17 00:00:00 2001 +From: Daiki Ueno <du...@redhat.com> +Date: Thu, 25 Apr 2019 17:08:43 +0200 +Subject: [PATCH] ext/record_size_limit: distinguish sending and receiving + limits + +The previous behavior was that both sending and receiving limits are +negotiated to be the same value. It was problematic when: + +- client sends a record_size_limit with a large value in CH +- server sends a record_size_limit with a smaller value in EE +- client updates the limit for both sending and receiving, upon + receiving EE +- server sends a Certificate message larger than the limit + +With this patch, each peer maintains the sending / receiving limits +separately so not to confuse with the contradicting settings. + +Andreas Metzler for Debian upload: +Strip out addition of gnutls_record_set_max_recv_size() to the API from +this patchset. + +--- a/lib/constate.c ++++ b/lib/constate.c +@@ -821,14 +821,12 @@ int _gnutls_write_connection_state_init( + session->security_parameters.epoch_next; + int ret; + +- /* reset max_record_recv_size if it was negotiated in the ++ /* reset max_record_send_size if it was negotiated in the + * previous handshake using the record_size_limit extension */ +- if (session->security_parameters.max_record_recv_size != +- session->security_parameters.max_record_send_size && +- !(session->internals.hsk_flags & HSK_RECORD_SIZE_LIMIT_NEGOTIATED) && ++ if (!(session->internals.hsk_flags & HSK_RECORD_SIZE_LIMIT_NEGOTIATED) && + session->security_parameters.entity == GNUTLS_SERVER) +- session->security_parameters.max_record_recv_size = +- session->security_parameters.max_record_send_size; ++ session->security_parameters.max_record_send_size = ++ session->security_parameters.max_user_record_send_size; + + /* Update internals from CipherSuite selected. 
+ * If we are resuming just copy the connection session +--- a/lib/dtls.c ++++ b/lib/dtls.c +@@ -65,8 +65,8 @@ transmit_message(gnutls_session_t sessio + unsigned int mtu = + gnutls_dtls_get_data_mtu(session); + +- if (session->security_parameters.max_record_recv_size < mtu) +- mtu = session->security_parameters.max_record_recv_size; ++ if (session->security_parameters.max_record_send_size < mtu) ++ mtu = session->security_parameters.max_record_send_size; + + mtu -= DTLS_HANDSHAKE_HEADER_SIZE; + +--- a/lib/ext/max_record.c ++++ b/lib/ext/max_record.c +@@ -105,11 +105,13 @@ _gnutls_max_record_recv_params(gnutls_se + } + + if (new_size != session->security_parameters. +- max_record_send_size) { ++ max_user_record_send_size) { + gnutls_assert(); + return GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER; + } else { + session->security_parameters. ++ max_record_send_size = new_size; ++ session->security_parameters. + max_record_recv_size = new_size; + } + +@@ -132,11 +134,18 @@ _gnutls_max_record_send_params(gnutls_se + + /* this function sends the client extension data (dnsname) */ + if (session->security_parameters.entity == GNUTLS_CLIENT) { +- if (session->security_parameters.max_record_send_size != ++ /* if the user limits for sending and receiving are ++ * different, that means the programmer had chosen to ++ * use record_size_limit instead */ ++ if (session->security_parameters.max_user_record_send_size != ++ session->security_parameters.max_user_record_recv_size) ++ return 0; ++ ++ if (session->security_parameters.max_user_record_send_size != + DEFAULT_MAX_RECORD_SIZE) { + ret = _gnutls_mre_record2num + (session->security_parameters. +- max_record_send_size); ++ max_user_record_send_size); + + /* it's not an error, as long as we send the + * record_size_limit extension with that value */ +@@ -239,23 +248,18 @@ size_t gnutls_record_get_max_size(gnutls + * @session: is a #gnutls_session_t type. 
+ * @size: is the new size + * +- * This function sets the maximum record packet size in this +- * connection. +- * +- * The requested record size does get in effect immediately only while +- * sending data. The receive part will take effect after a successful +- * handshake. ++ * This function sets the maximum amount of plaintext sent and ++ * received in a record in this connection. + * + * Prior to 3.6.4, this function was implemented using a TLS extension +- * called 'max record size', which limits the acceptable values to +- * 512(=2^9), 1024(=2^10), 2048(=2^11) and 4096(=2^12). Since 3.6.4, +- * it uses another TLS extension called 'record size limit', which +- * doesn't have the limitation, as long as the value ranges between +- * 512 and 16384. Note that not all TLS implementations use or even +- * understand those extension. ++ * called 'max fragment length', which limits the acceptable values to ++ * 512(=2^9), 1024(=2^10), 2048(=2^11) and 4096(=2^12). + * +- * In TLS 1.3, the value is the length of plaintext content plus its +- * padding, excluding content type octet. ++ * Since 3.6.4, the limit is also negotiated through a new TLS ++ * extension called 'record size limit', which doesn't have the ++ * limitation, as long as the value ranges between 512 and 16384. ++ * Note that while the 'record size limit' extension is preferred, not ++ * all TLS implementations use or even understand the extension. + * + * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, + * otherwise a negative error code is returned. 
+@@ -265,7 +269,11 @@ ssize_t gnutls_record_set_max_size(gnutl + if (size < MIN_RECORD_SIZE || size > DEFAULT_MAX_RECORD_SIZE) + return GNUTLS_E_INVALID_REQUEST; + +- session->security_parameters.max_record_send_size = size; ++ if (session->internals.handshake_in_progress) ++ return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); ++ ++ session->security_parameters.max_user_record_send_size = size; ++ session->security_parameters.max_user_record_recv_size = size; + + return 0; + } +--- a/lib/ext/record_size_limit.c ++++ b/lib/ext/record_size_limit.c +@@ -81,6 +81,12 @@ _gnutls_record_size_limit_recv_params(gn + + session->internals.hsk_flags |= HSK_RECORD_SIZE_LIMIT_NEGOTIATED; + ++ /* client uses the reception of this extension as an ++ * indication of the request was accepted by the server */ ++ if (session->security_parameters.entity == GNUTLS_CLIENT) ++ session->security_parameters.max_record_recv_size = ++ session->security_parameters.max_user_record_recv_size; ++ + _gnutls_handshake_log("EXT[%p]: record_size_limit %u negotiated\n", + session, (unsigned)new_size); + +@@ -89,9 +95,9 @@ _gnutls_record_size_limit_recv_params(gn + if (unlikely(vers == NULL)) + return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR); + +- session->security_parameters.max_record_recv_size = ++ session->security_parameters.max_record_send_size = + MIN(new_size - vers->tls13_sem, +- session->security_parameters.max_record_send_size); ++ session->security_parameters.max_user_record_send_size); + + return 0; + } +@@ -105,11 +111,11 @@ _gnutls_record_size_limit_send_params(gn + int ret; + uint16_t send_size; + +- assert(session->security_parameters.max_record_send_size >= 64 && +- session->security_parameters.max_record_send_size <= ++ assert(session->security_parameters.max_user_record_recv_size >= 64 && ++ session->security_parameters.max_user_record_recv_size <= + DEFAULT_MAX_RECORD_SIZE); + +- send_size = session->security_parameters.max_record_send_size; ++ send_size = 
session->security_parameters.max_user_record_recv_size; + + if (session->security_parameters.entity == GNUTLS_SERVER) { + const version_entry_st *vers; +@@ -124,6 +130,9 @@ _gnutls_record_size_limit_send_params(gn + if (unlikely(vers == NULL)) + return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR); + ++ session->security_parameters.max_record_recv_size = ++ send_size; ++ + send_size += vers->tls13_sem; + } else { + const version_entry_st *vers; +--- a/lib/gnutls_int.h ++++ b/lib/gnutls_int.h +@@ -779,12 +779,18 @@ typedef struct { + /* whether client has agreed in post handshake auth - only set on server side */ + uint8_t post_handshake_auth; + +- /* The send size is the one requested by the programmer. +- * The recv size is the one negotiated with the peer. ++ /* The maximum amount of plaintext sent in a record, ++ * negotiated with the peer. + */ + uint16_t max_record_send_size; + uint16_t max_record_recv_size; + ++ /* The maximum amount of plaintext sent in a record, set by ++ * the programmer. ++ */ ++ uint16_t max_user_record_send_size; ++ uint16_t max_user_record_recv_size; ++ + /* The maximum amount of early data */ + uint32_t max_early_data_size; + +@@ -1552,17 +1558,17 @@ inline static int _gnutls_set_current_ve + return 0; + } + +-/* Returns the maximum size of the plaintext to be sent, considering ++/* Returns the maximum amount of the plaintext to be sent, considering + * both user-specified/negotiated maximum values. 
+ */ +-inline static size_t max_user_send_size(gnutls_session_t session, +- record_parameters_st * +- record_params) ++inline static size_t max_record_send_size(gnutls_session_t session, ++ record_parameters_st * ++ record_params) + { + size_t max; + + max = MIN(session->security_parameters.max_record_send_size, +- session->security_parameters.max_record_recv_size); ++ session->security_parameters.max_user_record_send_size); + + if (IS_DTLS(session)) + max = MIN(gnutls_dtls_get_data_mtu(session), max); +--- a/lib/range.c ++++ b/lib/range.c +@@ -66,7 +66,7 @@ _gnutls_range_max_lh_pad(gnutls_session_ + return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR); + + if (vers->tls13_sem) { +- max_pad = max_user_send_size(session, record_params); ++ max_pad = max_record_send_size(session, record_params); + fixed_pad = 2; + } else { + max_pad = MAX_PAD_SIZE; +@@ -182,7 +182,7 @@ gnutls_range_split(gnutls_session_t sess + if (ret < 0) + return gnutls_assert_val(ret); + +- max_frag = max_user_send_size(session, record_params); ++ max_frag = max_record_send_size(session, record_params); + + if (orig_high == orig_low) { + int length = MIN(orig_high, max_frag); +--- a/lib/record.c ++++ b/lib/record.c +@@ -467,7 +467,7 @@ _gnutls_send_tlen_int(gnutls_session_t s + return GNUTLS_E_INVALID_SESSION; + } + +- max_send_size = max_user_send_size(session, record_params); ++ max_send_size = max_record_send_size(session, record_params); + + if (data_size > max_send_size) { + if (IS_DTLS(session)) +--- a/lib/session_pack.c ++++ b/lib/session_pack.c +@@ -918,20 +918,22 @@ pack_security_parameters(gnutls_session_ + BUFFER_APPEND_PFX1(ps, session->security_parameters.server_random, + GNUTLS_RANDOM_SIZE); + +- BUFFER_APPEND_NUM(ps, +- session->security_parameters. 
+- max_record_send_size); +- + /* reset max_record_recv_size if it was negotiated + * using the record_size_limit extension */ + if (session->internals.hsk_flags & HSK_RECORD_SIZE_LIMIT_NEGOTIATED) { + BUFFER_APPEND_NUM(ps, + session->security_parameters. +- max_record_send_size); ++ max_user_record_send_size); ++ BUFFER_APPEND_NUM(ps, ++ session->security_parameters. ++ max_user_record_recv_size); + } else { + BUFFER_APPEND_NUM(ps, + session->security_parameters. + max_record_recv_size); ++ BUFFER_APPEND_NUM(ps, ++ session->security_parameters. ++ max_record_send_size); + } + + if (session->security_parameters.grp) { +--- a/lib/state.c ++++ b/lib/state.c +@@ -522,6 +522,10 @@ int gnutls_init(gnutls_session_t * sessi + DEFAULT_MAX_RECORD_SIZE; + (*session)->security_parameters.max_record_send_size = + DEFAULT_MAX_RECORD_SIZE; ++ (*session)->security_parameters.max_user_record_recv_size = ++ DEFAULT_MAX_RECORD_SIZE; ++ (*session)->security_parameters.max_user_record_send_size = ++ DEFAULT_MAX_RECORD_SIZE; + + /* set the default early data size for TLS + */ diff -Nru gnutls28-3.6.7/debian/patches/40_rel3.6.8_15-Apply-STD3-ASCII-rules-in-gnutls_idna_map.patch gnutls28-3.6.7/debian/patches/40_rel3.6.8_15-Apply-STD3-ASCII-rules-in-gnutls_idna_map.patch --- gnutls28-3.6.7/debian/patches/40_rel3.6.8_15-Apply-STD3-ASCII-rules-in-gnutls_idna_map.patch 1970-01-01 01:00:00.000000000 +0100 +++ gnutls28-3.6.7/debian/patches/40_rel3.6.8_15-Apply-STD3-ASCII-rules-in-gnutls_idna_map.patch 2019-06-12 19:21:15.000000000 +0200 
@@ -0,0 +1,73 @@ +From b697e948b6f66440ee1f15337dfc83b6816bd21a Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Tim=20R=C3=BChsen?= <tim.rueh...@gmx.de> +Date: Mon, 20 May 2019 11:10:11 +0200 +Subject: [PATCH] Apply STD3 ASCII rules in gnutls_idna_map() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Signed-off-by: Tim Rühsen <tim.rueh...@gmx.de> +--- + NEWS | 3 +++ + lib/str-idna.c | 10 +++++++--- + tests/str-idna.c | 5 +++++ + 3 files changed, 15 insertions(+), 3 deletions(-) + +--- a/NEWS ++++ b/NEWS +@@ -53,6 +53,9 @@ See the end for copying conditions. + ** libgnutls: Fix calculation of Streebog digests (incorrect carry operation in + 512 bit addition) + ++** libgnutls: Apply STD3 ASCII rules in gnutls_idna_map() to prevent ++ hostname/domain crafting via IDNA conversion ++ + ** API and ABI modifications: + No changes since last version. + +--- a/lib/str-idna.c ++++ b/lib/str-idna.c +@@ -76,9 +76,13 @@ int gnutls_idna_map(const char *input, u + * Since IDN2_NONTRANSITIONAL implicitly does NFC conversion, we don't need + * the additional IDN2_NFC_INPUT. But just for the unlikely case that the linked + * library is not matching the headers when building and it doesn't support TR46, +- * we provide IDN2_NFC_INPUT. */ +- idn2_flags |= IDN2_NONTRANSITIONAL; +- idn2_tflags |= IDN2_TRANSITIONAL; ++ * we provide IDN2_NFC_INPUT. ++ * ++ * Without IDN2_USE_STD3_ASCII_RULES, the result could contain any ASCII characters, ++ * e.g. 'evil.c\u2100.example.com' will be converted into ++ * 'evil.ca/c.example.com', which seems no good idea. 
*/ ++ idn2_flags |= IDN2_NONTRANSITIONAL | IDN2_USE_STD3_ASCII_RULES; ++ idn2_tflags |= IDN2_TRANSITIONAL | IDN2_USE_STD3_ASCII_RULES; + #endif + + /* This avoids excessive CPU usage with libidn2 < 2.1.1 */ +--- a/tests/str-idna.c ++++ b/tests/str-idna.c +@@ -94,12 +94,16 @@ MATCH_FUNC(test_caps_german1, "Ü.ü", " + MATCH_FUNC(test_caps_german2, "Bücher.de", "xn--bcher-kva.de"); + MATCH_FUNC(test_caps_german3, "Faß.de", "xn--fa-hia.de"); + MATCH_FUNC(test_dots, "a.b.c。d。", "a.b.c.d."); ++ ++/* without STD3 ASCII rules, the result is: evil.ca/c..example.com */ ++MATCH_FUNC(test_evil, "evil.c\u2100.example.com", "evil.c.example.com"); + # else + EMPTY_FUNC(test_caps_german1); + EMPTY_FUNC(test_caps_german2); + EMPTY_FUNC(test_caps_german3); + EMPTY_FUNC(test_caps_greek); + EMPTY_FUNC(test_dots); ++EMPTY_FUNC(test_evil); + # endif + + int main(void) +@@ -130,6 +134,7 @@ int main(void) + cmocka_unit_test(test_jp2), + cmocka_unit_test(test_jp2_reverse), + cmocka_unit_test(test_dots), ++ cmocka_unit_test(test_evil), + cmocka_unit_test(test_valid_idna2003) + }; + diff -Nru gnutls28-3.6.7/debian/patches/40_rel3.6.8_20-pubkey-remove-deprecated-TLS1_RSA-flag-check.patch gnutls28-3.6.7/debian/patches/40_rel3.6.8_20-pubkey-remove-deprecated-TLS1_RSA-flag-check.patch --- gnutls28-3.6.7/debian/patches/40_rel3.6.8_20-pubkey-remove-deprecated-TLS1_RSA-flag-check.patch 1970-01-01 01:00:00.000000000 +0100 +++ gnutls28-3.6.7/debian/patches/40_rel3.6.8_20-pubkey-remove-deprecated-TLS1_RSA-flag-check.patch 2019-06-12 19:21:15.000000000 +0200 
@@ -0,0 +1,52 @@ +From b1476abeb6f8b5046e6cd62724cdac241f71aa7b Mon Sep 17 00:00:00 2001 +From: "Kenneth J. Miller" <k...@miller.ec> +Date: Mon, 15 Apr 2019 17:56:13 +0200 +Subject: [PATCH 1/2] pubkey: remove deprecated TLS1_RSA flag check + +The gnutls_certificate_verify_flags comparisons against +OLD_PUBKEY_VERIFY_FLAG_TLS1_RSA conflicts with +GNUTLS_VERIFY_DISABLE_CA_SIGN and no longer seems to be used in calls to +both gnutls_pubkey_verify_data2 and gnutls_pubkey_verify_hash2 as it +seems to have been fully replaced by GNUTLS_VERIFY_USE_TLS1_RSA. + +Resolves: #754 + +Signed-off-by: Kenneth J. Miller <k...@miller.ec> +--- + lib/pubkey.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/lib/pubkey.c b/lib/pubkey.c +index f1a0302fc..2dfe5d56e 100644 +--- a/lib/pubkey.c ++++ b/lib/pubkey.c +@@ -1678,8 +1678,6 @@ gnutls_pubkey_import_dsa_raw(gnutls_pubkey_t key, + + } + +-#define OLD_PUBKEY_VERIFY_FLAG_TLS1_RSA 1 +- + /* Updates the gnutls_x509_spki_st parameters based on the signature + * information, and reports any incompatibilities between the existing + * parameters (if any) with the signature algorithm */ +@@ -1758,7 +1756,7 @@ gnutls_pubkey_verify_data2(gnutls_pubkey_t pubkey, + return GNUTLS_E_INVALID_REQUEST; + } + +- if (flags & OLD_PUBKEY_VERIFY_FLAG_TLS1_RSA || flags & GNUTLS_VERIFY_USE_TLS1_RSA) ++ if (flags & GNUTLS_VERIFY_USE_TLS1_RSA) + return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); + + memcpy(¶ms, &pubkey->params.spki, sizeof(gnutls_x509_spki_st)); +@@ -1830,7 +1828,7 @@ gnutls_pubkey_verify_hash2(gnutls_pubkey_t key, + + memcpy(¶ms, &key->params.spki, sizeof(gnutls_x509_spki_st)); + +- if (flags & OLD_PUBKEY_VERIFY_FLAG_TLS1_RSA || flags & GNUTLS_VERIFY_USE_TLS1_RSA) { ++ if (flags & GNUTLS_VERIFY_USE_TLS1_RSA) { + if (!GNUTLS_PK_IS_RSA(key->params.algo)) + return gnutls_assert_val(GNUTLS_E_INCOMPATIBLE_SIG_WITH_KEY); + params.pk = GNUTLS_PK_RSA; +-- +2.20.1 + diff -Nru gnutls28-3.6.7/debian/patches/series 
gnutls28-3.6.7/debian/patches/series --- gnutls28-3.6.7/debian/patches/series 2019-03-09 10:44:53.000000000 +0100 +++ gnutls28-3.6.7/debian/patches/series 2019-06-12 19:21:15.000000000 +0200 @@ -1,2 +1,7 @@ 14_version_gettextcat.diff 30_guile-snarf.diff +40_rel3.6.8_01-gnutls_srp_entry_free-follow-consistent-behavior-in.patch +40_rel3.6.8_05-lib-nettle-fix-carry-flag-in-Streebog-code.patch +40_rel3.6.8_10-ext-record_size_limit-distinguish-sending-and-receiv.patch +40_rel3.6.8_15-Apply-STD3-ASCII-rules-in-gnutls_idna_map.patch +40_rel3.6.8_20-pubkey-remove-deprecated-TLS1_RSA-flag-check.patch
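
Review bot: The debian/changelog entry for 40_rel3.6.8_10-ext-record_size_limit-distinguish-sending-and-receiv.patch does not record that the patch differs from the upstream commit. The patch header says the addition of gnutls_record_set_max_recv_size() was stripped for the Debian upload; a line to that effect in the changelog entry would let someone reading only the changelog see that this is a modified cherry-pick.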
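
Review bot: The issue reference in the NEWS hunk of 40_rel3.6.8_01 does not match the rest of the patch. The added entry ends with "(#995)", while the commit message of the same patch says "Resolves: #761" and debian/changelog links https://gitlab.com/gnutls/gnutls/issues/761. The number in the NEWS text should be checked against the issue it is meant to cite.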
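
Review bot: In the lib/auth/srp_passwd.c hunk of 40_rel3.6.8_01, _gnutls_srp_entry_free() still spells out the built-in groups twice, once for entry->g.data and once for entry->n.data, and the commit message says the fix was needed because the list was not updated when the 8192 parameter was added. A single static table of the known generator and prime pointers, consulted by both checks, would leave one place to extend when another group is added.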
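
Review bot: The new carry loop in the second lib/nettle/gost/streebog.c hunk of 40_rel3.6.8_05 keeps the previous cf when ctx->sigma[i-1] == M[i-1], and nothing in the code says why. A short comment would help: after the addition, equality means the old limb plus the incoming carry was either 0 with no carry in or wrapped around with a carry in, so the carry out equals the carry in; only when the values differ does (ctx->sigma[i-1] < M[i-1]) decide it. The added 0xff self-test vector exercises this path, which is worth saying next to the vector as well.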
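
Review bot: The new failure mode of gnutls_record_set_max_size() in lib/ext/max_record.c (40_rel3.6.8_10, hunk at -265,7 +269,11) is not documented. The function now returns GNUTLS_E_INVALID_REQUEST when session->internals.handshake_in_progress is set, but the documentation comment rewritten in the preceding hunk only drops the old sentence about the send side taking effect immediately and does not say that the call is rejected during a handshake. Callers that set the size from a handshake callback would see a new error, so the doc comment should state the restriction.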
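
Review bot: Both new field comments in the first lib/gnutls_int.h hunk of 40_rel3.6.8_10 say "The maximum amount of plaintext sent in a record", yet each sits above a send and a recv field (max_record_send_size / max_record_recv_size, and max_user_record_send_size / max_user_record_recv_size). Since the point of the patch is to keep the two directions apart, the comments should read "sent or received", or each field should get its own line of description.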
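
Review bot: The two branches of pack_security_parameters() in the lib/session_pack.c hunk of 40_rel3.6.8_10 append the sizes in opposite order: the HSK_RECORD_SIZE_LIMIT_NEGOTIATED branch writes max_user_record_send_size then max_user_record_recv_size, the else branch writes max_record_recv_size then max_record_send_size. The matching unpack code is not part of this patch, so the diff alone does not show whether the reader expects a fixed send/recv order; this should be confirmed. The context comment "reset max_record_recv_size if it was negotiated" above the branch is also stale now that the branch packs the user-set values for both directions.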
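
Review bot: The two comments added by 40_rel3.6.8_15 disagree on the unprotected result. The comment in lib/str-idna.c says 'evil.c\u2100.example.com' is converted into 'evil.ca/c.example.com', while the comment in tests/str-idna.c gives "evil.ca/c..example.com" with two dots. One of them should be corrected so the comment matches what the test was written against. The lib/str-idna.c comment would also read better if "which seems no good idea" were replaced by the concrete concern from the NEWS entry, that the mapped output can contain arbitrary ASCII such as '/' and so allows hostname/domain crafting.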
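
Review bot: The subject of 40_rel3.6.8_20 is "[PATCH 1/2] pubkey: remove deprecated TLS1_RSA flag check", but debian/patches/series gains only this one file for that change and the changelog does not mention a second part. If 2/2 was left out on purpose, the patch header should say so, in the same way the header of 40_rel3.6.8_10 notes what was stripped. This patch also keeps the "diff --git" and "index" lines and has no NEWS hunk, unlike the other four, which is worth a remark in the header if it is intentional.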