
Bug#930491: marked as done (unblock: gnutls28/3.6.7-4)



Your message dated Sun, 16 Jun 2019 14:27:07 +0100
with message-id <20190616132707.GA30575@powdarrmonkey.net>
and subject line Re: Bug#930491: unblock: gnutls28/3.6.7-4
has caused the Debian Bug report #930491,
regarding unblock: gnutls28/3.6.7-4
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
930491: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=930491
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package gnutls28. This upload cherry-picks the
recommended fixes[1] from upstream latest stable release (3.6.8) and fixes
#929907.

+ 40_rel3.6.8_01-gnutls_srp_entry_free-follow-consistent-behavior-in.patch
  The gnutls_srp_set_server_credentials_function can be used with the 8192
  parameters as well.
  https://gitlab.com/gnutls/gnutls/issues/761
+ 40_rel3.6.8_05-lib-nettle-fix-carry-flag-in-Streebog-code.patch
  Fix calculation of Streebog digests (incorrect carry operation in
  512 bit addition).
+ 40_rel3.6.8_10-ext-record_size_limit-distinguish-sending-and-receiv.patch
  Fix compatibility of GnuTLS 3.6.[456] server with GnuTLS 3.6.7 client.
  Closes: #929907
+ 40_rel3.6.8_15-Apply-STD3-ASCII-rules-in-gnutls_idna_map.patch
  Apply STD3 ASCII rules in gnutls_idna_map() to prevent hostname/domain
  crafting via IDNA conversion.
  https://gitlab.com/gnutls/gnutls/issues/720
+ 40_rel3.6.8_20-pubkey-remove-deprecated-TLS1_RSA-flag-check.patch
  Fixed bug preventing the use of gnutls_pubkey_verify_data2() and
  gnutls_pubkey_verify_hash2() with the GNUTLS_VERIFY_DISABLE_CA_SIGN
  flag.
  https://gitlab.com/gnutls/gnutls/issues/754

(explain the reason for the unblock here)

(include/attach the debdiff against the package in testing)

unblock gnutls28/3.6.7-4

cu Andreas

[1] https://lists.gnutls.org/pipermail/gnutls-help/2019-June/004552.html
I have left out the fix for the DH security hardening measure in this
upload as it adds new symbols.
[The following lists of changes regard files as different if they have
different names, permissions or owners.]

Files only in first set of .debs, found in package libgnutls-dane0-dbgsym
-------------------------------------------------------------------------
-rw-r--r--  root/root   /usr/lib/debug/.build-id/d5/67cd17694664c4204ff158450183359925afb1.debug

Files only in first set of .debs, found in package libgnutls-openssl27-dbgsym
-----------------------------------------------------------------------------
-rw-r--r--  root/root   /usr/lib/debug/.build-id/6c/cd7f2e8735b2f7448f0757271b8413bbaac807.debug

Files only in first set of .debs, found in package libgnutls30-dbgsym
---------------------------------------------------------------------
-rw-r--r--  root/root   /usr/lib/debug/.build-id/fe/becd51bb621afd4a8f0352f55d6c2ed96df57a.debug

New files in second set of .debs, found in package libgnutls-dane0-dbgsym
-------------------------------------------------------------------------
-rw-r--r--  root/root   /usr/lib/debug/.build-id/d3/28298de34135fca5f236357f2f2dd56cb109f3.debug

New files in second set of .debs, found in package libgnutls-openssl27-dbgsym
-----------------------------------------------------------------------------
-rw-r--r--  root/root   /usr/lib/debug/.build-id/fe/4c3c0c38af44779c38ae5d1e187b6250f7afe0.debug

New files in second set of .debs, found in package libgnutls30-dbgsym
---------------------------------------------------------------------
-rw-r--r--  root/root   /usr/lib/debug/.build-id/4d/66d28cd2e7537e1e1d2905595b260226b22ad2.debug


Control files of package gnutls-bin: lines which differ (wdiff format)
----------------------------------------------------------------------
Version: [-3.6.7-3-] {+3.6.7-4+}

Control files of package gnutls-bin-dbgsym: lines which differ (wdiff format)
-----------------------------------------------------------------------------
Depends: gnutls-bin (= [-3.6.7-3)-] {+3.6.7-4)+}
Version: [-3.6.7-3-] {+3.6.7-4+}

Control files of package gnutls-doc: lines which differ (wdiff format)
----------------------------------------------------------------------
Version: [-3.6.7-3-] {+3.6.7-4+}

Control files of package libgnutls-dane0: lines which differ (wdiff format)
---------------------------------------------------------------------------
Depends: libgnutls30 (= [-3.6.7-3),-] {+3.6.7-4),+} libc6 (>= 2.14), libunbound8 (>= 1.8.0)
Version: [-3.6.7-3-] {+3.6.7-4+}

Control files of package libgnutls-dane0-dbgsym: lines which differ (wdiff format)
----------------------------------------------------------------------------------
Build-Ids: [-d567cd17694664c4204ff158450183359925afb1-] {+d328298de34135fca5f236357f2f2dd56cb109f3+}
Depends: libgnutls-dane0 (= [-3.6.7-3)-] {+3.6.7-4)+}
Version: [-3.6.7-3-] {+3.6.7-4+}

Control files of package libgnutls-openssl27: lines which differ (wdiff format)
-------------------------------------------------------------------------------
Depends: libgnutls30 (= [-3.6.7-3),-] {+3.6.7-4),+} libc6 (>= 2.14)
Version: [-3.6.7-3-] {+3.6.7-4+}

Control files of package libgnutls-openssl27-dbgsym: lines which differ (wdiff format)
--------------------------------------------------------------------------------------
Build-Ids: [-6ccd7f2e8735b2f7448f0757271b8413bbaac807-] {+fe4c3c0c38af44779c38ae5d1e187b6250f7afe0+}
Depends: libgnutls-openssl27 (= [-3.6.7-3)-] {+3.6.7-4)+}
Version: [-3.6.7-3-] {+3.6.7-4+}

Control files of package libgnutls28-dev: lines which differ (wdiff format)
---------------------------------------------------------------------------
Depends: libc6-dev | libc-dev, libgnutls-dane0 (= [-3.6.7-3),-] {+3.6.7-4),+} libgnutls-openssl27 (= [-3.6.7-3),-] {+3.6.7-4),+} libgnutls30 (= [-3.6.7-3),-] {+3.6.7-4),+} libgnutlsxx28 (= [-3.6.7-3),-] {+3.6.7-4),+} libidn2-dev, libp11-kit-dev (>= 0.23.10), libtasn1-6-dev, nettle-dev (>= 3.4.1~rc1)
Installed-Size: [-4312-] {+4313+}
Version: [-3.6.7-3-] {+3.6.7-4+}

Control files of package libgnutls30: lines which differ (wdiff format)
-----------------------------------------------------------------------
Version: [-3.6.7-3-] {+3.6.7-4+}

Control files of package libgnutls30-dbgsym: lines which differ (wdiff format)
------------------------------------------------------------------------------
Build-Ids: [-febecd51bb621afd4a8f0352f55d6c2ed96df57a-] {+4d66d28cd2e7537e1e1d2905595b260226b22ad2+}
Depends: libgnutls30 (= [-3.6.7-3)-] {+3.6.7-4)+}
Installed-Size: [-4058-] {+4061+}
Version: [-3.6.7-3-] {+3.6.7-4+}

Control files of package libgnutlsxx28: lines which differ (wdiff format)
-------------------------------------------------------------------------
Depends: libgnutls30 (= [-3.6.7-3),-] {+3.6.7-4),+} libc6 (>= 2.14), libgcc1 (>= 1:3.0), libstdc++6 (>= 5)
Version: [-3.6.7-3-] {+3.6.7-4+}

Control files of package libgnutlsxx28-dbgsym: lines which differ (wdiff format)
--------------------------------------------------------------------------------
Depends: libgnutlsxx28 (= [-3.6.7-3)-] {+3.6.7-4)+}
Version: [-3.6.7-3-] {+3.6.7-4+}
diff -Nru gnutls28-3.6.7/debian/changelog gnutls28-3.6.7/debian/changelog
--- gnutls28-3.6.7/debian/changelog	2019-05-19 10:48:52.000000000 +0200
+++ gnutls28-3.6.7/debian/changelog	2019-06-12 19:21:23.000000000 +0200
@@ -1,3 +1,28 @@
+gnutls28 (3.6.7-4) unstable; urgency=medium
+
+  * Cherry-pick important bug-fixes from 3.6.8:
+    + 40_rel3.6.8_01-gnutls_srp_entry_free-follow-consistent-behavior-in.patch
+      The gnutls_srp_set_server_credentials_function can be used with the 8192
+      parameters as well.
+      https://gitlab.com/gnutls/gnutls/issues/761
+    + 40_rel3.6.8_05-lib-nettle-fix-carry-flag-in-Streebog-code.patch
+      Fix calculation of Streebog digests (incorrect carry operation in
+      512 bit addition).
+    + 40_rel3.6.8_10-ext-record_size_limit-distinguish-sending-and-receiv.patch
+      Fix compatibility of GnuTLS 3.6.[456] server with GnuTLS 3.6.7 client.
+      Closes: #929907
+    + 40_rel3.6.8_15-Apply-STD3-ASCII-rules-in-gnutls_idna_map.patch
+      Apply STD3 ASCII rules in gnutls_idna_map() to prevent hostname/domain
+      crafting via IDNA conversion.
+      https://gitlab.com/gnutls/gnutls/issues/720
+    + 40_rel3.6.8_20-pubkey-remove-deprecated-TLS1_RSA-flag-check.patch
+      Fixed bug preventing the use of gnutls_pubkey_verify_data2() and
+      gnutls_pubkey_verify_hash2() with the GNUTLS_VERIFY_DISABLE_CA_SIGN
+      flag.
+      https://gitlab.com/gnutls/gnutls/issues/754
+
+ -- Andreas Metzler <ametzler@debian.org>  Wed, 12 Jun 2019 19:21:23 +0200
+
 gnutls28 (3.6.7-3) unstable; urgency=medium
 
   * Revert debhelper upgrade, use DH 10.
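Review bot: the 40_rel3.6.8_10 entry in the new 3.6.7-4 stanza does not say that the Debian copy differs from the upstream commit. The patch header further down states that the addition of gnutls_record_set_max_recv_size() was stripped, and the unblock request says the DH hardening fix was left out because it adds new symbols. Both deviations from 3.6.8 belong in the changelog so that later readers of the package history do not assume a verbatim cherry-pick.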
diff -Nru gnutls28-3.6.7/debian/patches/40_rel3.6.8_01-gnutls_srp_entry_free-follow-consistent-behavior-in.patch gnutls28-3.6.7/debian/patches/40_rel3.6.8_01-gnutls_srp_entry_free-follow-consistent-behavior-in.patch
--- gnutls28-3.6.7/debian/patches/40_rel3.6.8_01-gnutls_srp_entry_free-follow-consistent-behavior-in.patch	1970-01-01 01:00:00.000000000 +0100
+++ gnutls28-3.6.7/debian/patches/40_rel3.6.8_01-gnutls_srp_entry_free-follow-consistent-behavior-in.patch	2019-06-12 19:21:15.000000000 +0200
@@ -0,0 +1,65 @@
+From 0bdca5d51f203cf414d645e75ac197e3fadfadc8 Mon Sep 17 00:00:00 2001
+From: Nikos Mavrogiannopoulos <nmav@gnutls.org>
+Date: Fri, 10 May 2019 06:30:12 +0200
+Subject: [PATCH] _gnutls_srp_entry_free: follow consistent behavior in freeing
+ data
+
+_gnutls_srp_entry_free would previously not free any parameters that
+were known to gnutls to account for documented behavior of
+gnutls_srp_set_server_credentials_function(). This was not updated
+when the newly added 8192 parameter was added to the library.
+
+This introduces a safety check for generator parameters, even though
+in practice they are the same pointer.
+
+Resolves: #761
+
+Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
+---
+ NEWS                  |  3 +++
+ lib/auth/srp_passwd.c | 12 ++++++++----
+ 2 files changed, 11 insertions(+), 4 deletions(-)
+
+--- a/NEWS
++++ b/NEWS
+@@ -47,6 +47,9 @@ See the end for copying conditions.
+ 
+ ** gnutls-cli: Added option --logfile to redirect informational messages output.
+ 
++** libgnutls: the gnutls_srp_set_server_credentials_function can be used
++   with the 8192 parameters as well (#995).
++
+ ** API and ABI modifications:
+ No changes since last version.
+ 
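Review bot: the added NEWS entry cites (#995), but the commit message of this same patch says "Resolves: #761" and the Debian changelog links to issues/761. Use one reference, or say which tracker #995 refers to.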
+--- a/lib/auth/srp_passwd.c
++++ b/lib/auth/srp_passwd.c
+@@ -447,20 +447,24 @@ void _gnutls_srp_entry_free(SRP_PWD_ENTR
+ 	_gnutls_free_key_datum(&entry->v);
+ 	_gnutls_free_datum(&entry->salt);
+ 
+-	if ((entry->g.data != gnutls_srp_1024_group_generator.data)
+-	    && (entry->g.data != gnutls_srp_3072_group_generator.data))
++	if ((entry->g.data != gnutls_srp_1024_group_generator.data) &&
++	    (entry->g.data != gnutls_srp_1536_group_generator.data) &&
++	    (entry->g.data != gnutls_srp_2048_group_generator.data) &&
++	    (entry->g.data != gnutls_srp_3072_group_generator.data) &&
++	    (entry->g.data != gnutls_srp_4096_group_generator.data) &&
++	    (entry->g.data != gnutls_srp_8192_group_generator.data))
+ 		_gnutls_free_datum(&entry->g);
+ 
+ 	if (entry->n.data != gnutls_srp_1024_group_prime.data &&
+ 	    entry->n.data != gnutls_srp_1536_group_prime.data &&
+ 	    entry->n.data != gnutls_srp_2048_group_prime.data &&
+ 	    entry->n.data != gnutls_srp_3072_group_prime.data &&
+-	    entry->n.data != gnutls_srp_4096_group_prime.data)
++	    entry->n.data != gnutls_srp_4096_group_prime.data &&
++	    entry->n.data != gnutls_srp_8192_group_prime.data)
+ 		_gnutls_free_datum(&entry->n);
+ 
+ 	gnutls_free(entry->username);
+ 	gnutls_free(entry);
+ }
+ 
+-
+ #endif				/* ENABLE SRP */
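Review bot: both conditions in _gnutls_srp_entry_free() are still hand-written lists of every built-in group, so the next group added to the library has to be remembered here as well. Forgetting it means _gnutls_free_datum() is called on library-owned static data, which is the situation the commit message describes for the 8192 parameter. A small helper that checks a pointer against one table of built-in generators and primes would keep both lists in one place. The removal of the blank line before #endif is unrelated whitespace.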
diff -Nru gnutls28-3.6.7/debian/patches/40_rel3.6.8_05-lib-nettle-fix-carry-flag-in-Streebog-code.patch gnutls28-3.6.7/debian/patches/40_rel3.6.8_05-lib-nettle-fix-carry-flag-in-Streebog-code.patch
--- gnutls28-3.6.7/debian/patches/40_rel3.6.8_05-lib-nettle-fix-carry-flag-in-Streebog-code.patch	1970-01-01 01:00:00.000000000 +0100
+++ gnutls28-3.6.7/debian/patches/40_rel3.6.8_05-lib-nettle-fix-carry-flag-in-Streebog-code.patch	2019-06-12 19:21:15.000000000 +0200
@@ -0,0 +1,81 @@
+From c1441665abe761536b3ed67d36b12f2198be6b12 Mon Sep 17 00:00:00 2001
+From: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
+Date: Tue, 7 May 2019 14:49:05 +0300
+Subject: [PATCH] lib/nettle: fix carry flag in Streebog code
+
+Fix carry flag being calculated incorrectly in Streebog code.
+
+Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
+---
+ NEWS                       |  3 +++
+ lib/crypto-selftests.c     | 16 ++++++++++++++++
+ lib/nettle/gost/streebog.c | 12 +++++++-----
+ 3 files changed, 26 insertions(+), 5 deletions(-)
+
+--- a/NEWS
++++ b/NEWS
+@@ -50,6 +50,9 @@ See the end for copying conditions.
+ ** libgnutls: the gnutls_srp_set_server_credentials_function can be used
+    with the 8192 parameters as well (#995).
+ 
++** libgnutls: Fix calculation of Streebog digests (incorrect carry operation in
++   512 bit addition)
++
+ ** API and ABI modifications:
+ No changes since last version.
+ 
+--- a/lib/crypto-selftests.c
++++ b/lib/crypto-selftests.c
+@@ -1239,6 +1239,22 @@ const struct hash_vectors_st streebog_51
+ 		"\x03\x5f\xe8\x35\x49\xad\xa2\xb8\x62\x0f\xcd\x7c\x49\x6c\xe5\xb3"
+ 		"\x3f\x0c\xb9\xdd\xdc\x2b\x64\x60\x14\x3b\x03\xda\xba\xc9\xfb\x28"),
+ 	},
++	{
++            STR(plaintext, plaintext_size,
++		"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
++		"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
++		"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
++		"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
++		"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
++		"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
++		"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
++		"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"),
++            STR(output, output_size,
++		"\x90\xa1\x61\xd1\x2a\xd3\x09\x49\x8d\x3f\xe5\xd4\x82\x02\xd8\xa4"
++		"\xe9\xc4\x06\xd6\xa2\x64\xae\xab\x25\x8a\xc5\xec\xc3\x7a\x79\x62"
++		"\xaa\xf9\x58\x7a\x5a\xbb\x09\xb6\xbb\x81\xec\x4b\x37\x52\xa3\xff"
++		"\x5a\x83\x8e\xf1\x75\xbe\x57\x72\x05\x6b\xc5\xfe\x54\xfc\xfc\x7e"),
++	},
+ };
+ 
+ /* GOST R 34.11-2012 */
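Review bot: the new all-0xff entry appended to the streebog 512 vector table has no comment saying what it covers. If it is the regression vector for the carry fix in lib/nettle/gost/streebog.c, say so in one line above the entry, so it is not mistaken for a redundant vector and pruned later.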
+--- a/lib/nettle/gost/streebog.c
++++ b/lib/nettle/gost/streebog.c
+@@ -1200,7 +1200,7 @@ static void
+ streebog512_compress (struct streebog512_ctx *ctx, const uint8_t *input, size_t count)
+ {
+   uint64_t M[8];
+-  uint64_t l;
++  uint64_t l, cf;
+   int i;
+ 
+   for (i = 0; i < 8; i++, input += 8)
+@@ -1219,12 +1219,14 @@ streebog512_compress (struct streebog512
+         }
+     }
+ 
++  cf = 0;
+   ctx->sigma[0] += M[0];
+   for (i = 1; i < 8; i++)
+-    if (ctx->sigma[i-1] < M[i-1])
+-      ctx->sigma[i] += M[i] + 1;
+-    else
+-      ctx->sigma[i] += M[i];
++    {
++      if (ctx->sigma[i-1] != M[i-1])
++	cf = (ctx->sigma[i-1] < M[i-1]);
++      ctx->sigma[i] += M[i] + cf;
++    }
+ }
+ 
+ static void
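Review bot: the new loop in streebog512_compress() relies on cf keeping its previous value when ctx->sigma[i-1] == M[i-1], and nothing in the code says so. Equality after the addition means the limb was either 0 with no incoming carry (no carry out) or all-ones with an incoming carry (carry out), so carrying cf forward is correct, but that reasoning deserves a short comment next to the != test. Without it the branch reads like a mistake and invites a "simplification" back to the old comparison.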
diff -Nru gnutls28-3.6.7/debian/patches/40_rel3.6.8_10-ext-record_size_limit-distinguish-sending-and-receiv.patch gnutls28-3.6.7/debian/patches/40_rel3.6.8_10-ext-record_size_limit-distinguish-sending-and-receiv.patch
--- gnutls28-3.6.7/debian/patches/40_rel3.6.8_10-ext-record_size_limit-distinguish-sending-and-receiv.patch	1970-01-01 01:00:00.000000000 +0100
+++ gnutls28-3.6.7/debian/patches/40_rel3.6.8_10-ext-record_size_limit-distinguish-sending-and-receiv.patch	2019-06-12 19:21:15.000000000 +0200
@@ -0,0 +1,312 @@
+From 2dc96e3b8d0e043bebf0815edaaa945f66ac0531 Mon Sep 17 00:00:00 2001
+From: Daiki Ueno <dueno@redhat.com>
+Date: Thu, 25 Apr 2019 17:08:43 +0200
+Subject: [PATCH] ext/record_size_limit: distinguish sending and receiving
+ limits
+
+The previous behavior was that both sending and receiving limits are
+negotiated to be the same value.  It was problematic when:
+
+- client sends a record_size_limit with a large value in CH
+- server sends a record_size_limit with a smaller value in EE
+- client updates the limit for both sending and receiving, upon
+  receiving EE
+- server sends a Certificate message larger than the limit
+
+With this patch, each peer maintains the sending / receiving limits
+separately so not to confuse with the contradicting settings.
+
+Andreas Metzler for Debian upload:
+Strip out addition of gnutls_record_set_max_recv_size() to the API from
+this patchset.
+
+--- a/lib/constate.c
++++ b/lib/constate.c
+@@ -821,14 +821,12 @@ int _gnutls_write_connection_state_init(
+ 	    session->security_parameters.epoch_next;
+ 	int ret;
+ 
+-	/* reset max_record_recv_size if it was negotiated in the
++	/* reset max_record_send_size if it was negotiated in the
+ 	 * previous handshake using the record_size_limit extension */
+-	if (session->security_parameters.max_record_recv_size !=
+-	    session->security_parameters.max_record_send_size &&
+-	    !(session->internals.hsk_flags & HSK_RECORD_SIZE_LIMIT_NEGOTIATED) &&
++	if (!(session->internals.hsk_flags & HSK_RECORD_SIZE_LIMIT_NEGOTIATED) &&
+ 	    session->security_parameters.entity == GNUTLS_SERVER)
+-		session->security_parameters.max_record_recv_size =
+-			session->security_parameters.max_record_send_size;
++		session->security_parameters.max_record_send_size =
++			session->security_parameters.max_user_record_send_size;
+ 
+ /* Update internals from CipherSuite selected.
+  * If we are resuming just copy the connection session
+--- a/lib/dtls.c
++++ b/lib/dtls.c
+@@ -65,8 +65,8 @@ transmit_message(gnutls_session_t sessio
+ 	unsigned int mtu =
+ 	    gnutls_dtls_get_data_mtu(session);
+ 
+-	if (session->security_parameters.max_record_recv_size < mtu)
+-		mtu = session->security_parameters.max_record_recv_size;
++	if (session->security_parameters.max_record_send_size < mtu)
++		mtu = session->security_parameters.max_record_send_size;
+ 
+ 	mtu -= DTLS_HANDSHAKE_HEADER_SIZE;
+ 
+--- a/lib/ext/max_record.c
++++ b/lib/ext/max_record.c
+@@ -105,11 +105,13 @@ _gnutls_max_record_recv_params(gnutls_se
+ 			}
+ 
+ 			if (new_size != session->security_parameters.
+-			    max_record_send_size) {
++			    max_user_record_send_size) {
+ 				gnutls_assert();
+ 				return GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER;
+ 			} else {
+ 				session->security_parameters.
++				    max_record_send_size = new_size;
++				session->security_parameters.
+ 				    max_record_recv_size = new_size;
+ 			}
+ 
+@@ -132,11 +134,18 @@ _gnutls_max_record_send_params(gnutls_se
+ 
+ 	/* this function sends the client extension data (dnsname) */
+ 	if (session->security_parameters.entity == GNUTLS_CLIENT) {
+-		if (session->security_parameters.max_record_send_size !=
++		/* if the user limits for sending and receiving are
++		 * different, that means the programmer had chosen to
++		 * use record_size_limit instead */
++		if (session->security_parameters.max_user_record_send_size !=
++		    session->security_parameters.max_user_record_recv_size)
++			return 0;
++
++		if (session->security_parameters.max_user_record_send_size !=
+ 		    DEFAULT_MAX_RECORD_SIZE) {
+ 			ret = _gnutls_mre_record2num
+ 			      (session->security_parameters.
+-			       max_record_send_size);
++			       max_user_record_send_size);
+ 
+ 			/* it's not an error, as long as we send the
+ 			 * record_size_limit extension with that value */
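Review bot: the new early "return 0" in _gnutls_max_record_send_params() looks unreachable in this Debian version of the patch. It fires only when max_user_record_send_size differs from max_user_record_recv_size, but the patch header says gnutls_record_set_max_recv_size() was stripped, and the remaining writers visible in this patch (gnutls_init() and gnutls_record_set_max_size()) always set the two fields to the same value. Either drop the branch together with the stripped API, or note in the patch header that it is kept deliberately to stay close to upstream.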
+@@ -239,23 +248,18 @@ size_t gnutls_record_get_max_size(gnutls
+  * @session: is a #gnutls_session_t type.
+  * @size: is the new size
+  *
+- * This function sets the maximum record packet size in this
+- * connection.
+- *
+- * The requested record size does get in effect immediately only while
+- * sending data. The receive part will take effect after a successful
+- * handshake.
++ * This function sets the maximum amount of plaintext sent and
++ * received in a record in this connection.
+  *
+  * Prior to 3.6.4, this function was implemented using a TLS extension
+- * called 'max record size', which limits the acceptable values to
+- * 512(=2^9), 1024(=2^10), 2048(=2^11) and 4096(=2^12). Since 3.6.4,
+- * it uses another TLS extension called 'record size limit', which
+- * doesn't have the limitation, as long as the value ranges between
+- * 512 and 16384.  Note that not all TLS implementations use or even
+- * understand those extension.
++ * called 'max fragment length', which limits the acceptable values to
++ * 512(=2^9), 1024(=2^10), 2048(=2^11) and 4096(=2^12).
+  *
+- * In TLS 1.3, the value is the length of plaintext content plus its
+- * padding, excluding content type octet.
++ * Since 3.6.4, the limit is also negotiated through a new TLS
++ * extension called 'record size limit', which doesn't have the
++ * limitation, as long as the value ranges between 512 and 16384.
++ * Note that while the 'record size limit' extension is preferred, not
++ * all TLS implementations use or even understand the extension.
+  *
+  * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned,
+  *   otherwise a negative error code is returned.
+@@ -265,7 +269,11 @@ ssize_t gnutls_record_set_max_size(gnutl
+ 	if (size < MIN_RECORD_SIZE || size > DEFAULT_MAX_RECORD_SIZE)
+ 		return GNUTLS_E_INVALID_REQUEST;
+ 
+-	session->security_parameters.max_record_send_size = size;
++	if (session->internals.handshake_in_progress)
++		return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
++
++	session->security_parameters.max_user_record_send_size = size;
++	session->security_parameters.max_user_record_recv_size = size;
+ 
+ 	return 0;
+ }
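Review bot: gnutls_record_set_max_size() now returns GNUTLS_E_INVALID_REQUEST when session->internals.handshake_in_progress is set, but the rewritten doc comment in the previous hunk does not mention this and also drops the old sentences on when the setting takes effect. This is a behaviour change for existing callers and the patch carries no NEWS hunk; document the new error condition in the function comment and in NEWS.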
+--- a/lib/ext/record_size_limit.c
++++ b/lib/ext/record_size_limit.c
+@@ -81,6 +81,12 @@ _gnutls_record_size_limit_recv_params(gn
+ 
+ 	session->internals.hsk_flags |= HSK_RECORD_SIZE_LIMIT_NEGOTIATED;
+ 
++	/* client uses the reception of this extension as an
++	 * indication of the request was accepted by the server */
++	if (session->security_parameters.entity == GNUTLS_CLIENT)
++		session->security_parameters.max_record_recv_size =
++			session->security_parameters.max_user_record_recv_size;
++
+ 	_gnutls_handshake_log("EXT[%p]: record_size_limit %u negotiated\n",
+ 			      session, (unsigned)new_size);
+ 
+@@ -89,9 +95,9 @@ _gnutls_record_size_limit_recv_params(gn
+ 	if (unlikely(vers == NULL))
+ 		return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
+ 
+-	session->security_parameters.max_record_recv_size =
++	session->security_parameters.max_record_send_size =
+ 		MIN(new_size - vers->tls13_sem,
+-		    session->security_parameters.max_record_send_size);
++		    session->security_parameters.max_user_record_send_size);
+ 
+ 	return 0;
+ }
+@@ -105,11 +111,11 @@ _gnutls_record_size_limit_send_params(gn
+ 	int ret;
+ 	uint16_t send_size;
+ 
+-	assert(session->security_parameters.max_record_send_size >= 64 &&
+-	       session->security_parameters.max_record_send_size <=
++	assert(session->security_parameters.max_user_record_recv_size >= 64 &&
++	       session->security_parameters.max_user_record_recv_size <=
+ 	       DEFAULT_MAX_RECORD_SIZE);
+ 
+-	send_size = session->security_parameters.max_record_send_size;
++	send_size = session->security_parameters.max_user_record_recv_size;
+ 
+ 	if (session->security_parameters.entity == GNUTLS_SERVER) {
+ 		const version_entry_st *vers;
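Review bot: the assert() in _gnutls_record_size_limit_send_params() still uses the literal 64 as its lower bound, while gnutls_record_set_max_size() in this same patch validates against MIN_RECORD_SIZE. Now that the asserted field is the user-set max_user_record_recv_size, use the same constant so the two bounds cannot drift apart, and prefer returning an error through gnutls_assert_val() over assert(), which aborts the process or disappears under NDEBUG.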
+@@ -124,6 +130,9 @@ _gnutls_record_size_limit_send_params(gn
+ 		if (unlikely(vers == NULL))
+ 			return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
+ 
++		session->security_parameters.max_record_recv_size =
++			send_size;
++
+ 		send_size += vers->tls13_sem;
+ 	} else {
+ 		const version_entry_st *vers;
+--- a/lib/gnutls_int.h
++++ b/lib/gnutls_int.h
+@@ -779,12 +779,18 @@ typedef struct {
+ 	/* whether client has agreed in post handshake auth - only set on server side */
+ 	uint8_t post_handshake_auth;
+ 
+-	/* The send size is the one requested by the programmer.
+-	 * The recv size is the one negotiated with the peer.
++	/* The maximum amount of plaintext sent in a record,
++	 * negotiated with the peer.
+ 	 */
+ 	uint16_t max_record_send_size;
+ 	uint16_t max_record_recv_size;
+ 
++	/* The maximum amount of plaintext sent in a record, set by
++	 * the programmer.
++	 */
++	uint16_t max_user_record_send_size;
++	uint16_t max_user_record_recv_size;
++
+ 	/* The maximum amount of early data */
+ 	uint32_t max_early_data_size;
+ 
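Review bot: both comments in this hunk describe only "plaintext sent in a record", yet each one sits above a send field and a recv field. Since the point of the patch is to keep the sending and receiving limits apart, the comments should say that max_record_send_size and max_record_recv_size are the negotiated limits for each direction, and that max_user_record_send_size and max_user_record_recv_size are the values requested by the programmer.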
+@@ -1552,17 +1558,17 @@ inline static int _gnutls_set_current_ve
+ 	return 0;
+ }
+ 
+-/* Returns the maximum size of the plaintext to be sent, considering
++/* Returns the maximum amount of the plaintext to be sent, considering
+  * both user-specified/negotiated maximum values.
+  */
+-inline static size_t max_user_send_size(gnutls_session_t session,
+-					record_parameters_st *
+-					record_params)
++inline static size_t max_record_send_size(gnutls_session_t session,
++					  record_parameters_st *
++					  record_params)
+ {
+ 	size_t max;
+ 
+ 	max = MIN(session->security_parameters.max_record_send_size,
+-		  session->security_parameters.max_record_recv_size);
++		  session->security_parameters.max_user_record_send_size);
+ 
+ 	if (IS_DTLS(session))
+ 		max = MIN(gnutls_dtls_get_data_mtu(session), max);
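Review bot: renaming the inline helper to max_record_send_size() gives it the same name as the security_parameters.max_record_send_size field it reads two lines later. That compiles, but it makes the MIN() expression and any grep for the identifier harder to follow. Keeping the old name max_user_send_size, or choosing one that says the result is the effective limit, would avoid the clash.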
+--- a/lib/range.c
++++ b/lib/range.c
+@@ -66,7 +66,7 @@ _gnutls_range_max_lh_pad(gnutls_session_
+ 		return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
+ 
+ 	if (vers->tls13_sem) {
+-		max_pad = max_user_send_size(session, record_params);
++		max_pad = max_record_send_size(session, record_params);
+ 		fixed_pad = 2;
+ 	} else {
+ 		max_pad = MAX_PAD_SIZE;
+@@ -182,7 +182,7 @@ gnutls_range_split(gnutls_session_t sess
+ 	if (ret < 0)
+ 		return gnutls_assert_val(ret);
+ 
+-	max_frag = max_user_send_size(session, record_params);
++	max_frag = max_record_send_size(session, record_params);
+ 
+ 	if (orig_high == orig_low) {
+ 		int length = MIN(orig_high, max_frag);
+--- a/lib/record.c
++++ b/lib/record.c
+@@ -467,7 +467,7 @@ _gnutls_send_tlen_int(gnutls_session_t s
+ 			return GNUTLS_E_INVALID_SESSION;
+ 		}
+ 
+-	max_send_size = max_user_send_size(session, record_params);
++	max_send_size = max_record_send_size(session, record_params);
+ 
+ 	if (data_size > max_send_size) {
+ 		if (IS_DTLS(session))
+--- a/lib/session_pack.c
++++ b/lib/session_pack.c
+@@ -918,20 +918,22 @@ pack_security_parameters(gnutls_session_
+ 		BUFFER_APPEND_PFX1(ps, session->security_parameters.server_random,
+ 			      GNUTLS_RANDOM_SIZE);
+ 
+-		BUFFER_APPEND_NUM(ps,
+-				  session->security_parameters.
+-				  max_record_send_size);
+-
+ 		/* reset max_record_recv_size if it was negotiated
+ 		 * using the record_size_limit extension */
+ 		if (session->internals.hsk_flags & HSK_RECORD_SIZE_LIMIT_NEGOTIATED) {
+ 			BUFFER_APPEND_NUM(ps,
+ 					  session->security_parameters.
+-					  max_record_send_size);
++					  max_user_record_send_size);
++			BUFFER_APPEND_NUM(ps,
++					  session->security_parameters.
++					  max_user_record_recv_size);
+ 		} else {
+ 			BUFFER_APPEND_NUM(ps,
+ 					  session->security_parameters.
+ 					  max_record_recv_size);
++			BUFFER_APPEND_NUM(ps,
++					  session->security_parameters.
++					  max_record_send_size);
+ 		}
+ 
+ 		if (session->security_parameters.grp) {
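Review bot: the two branches of this block in pack_security_parameters() now append the sizes in opposite order: send then recv when HSK_RECORD_SIZE_LIMIT_NEGOTIATED is set, recv then send otherwise. The matching unpack code is not part of this patch, so whichever order it reads, one branch stores the values swapped. Make both branches use the same order, and update the "reset max_record_recv_size" comment, which no longer describes what the block does.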
+--- a/lib/state.c
++++ b/lib/state.c
+@@ -522,6 +522,10 @@ int gnutls_init(gnutls_session_t * sessi
+ 	    DEFAULT_MAX_RECORD_SIZE;
+ 	(*session)->security_parameters.max_record_send_size =
+ 	    DEFAULT_MAX_RECORD_SIZE;
++	(*session)->security_parameters.max_user_record_recv_size =
++	    DEFAULT_MAX_RECORD_SIZE;
++	(*session)->security_parameters.max_user_record_send_size =
++	    DEFAULT_MAX_RECORD_SIZE;
+ 
+ 	/* set the default early data size for TLS
+ 	 */
diff -Nru gnutls28-3.6.7/debian/patches/40_rel3.6.8_15-Apply-STD3-ASCII-rules-in-gnutls_idna_map.patch gnutls28-3.6.7/debian/patches/40_rel3.6.8_15-Apply-STD3-ASCII-rules-in-gnutls_idna_map.patch
--- gnutls28-3.6.7/debian/patches/40_rel3.6.8_15-Apply-STD3-ASCII-rules-in-gnutls_idna_map.patch	1970-01-01 01:00:00.000000000 +0100
+++ gnutls28-3.6.7/debian/patches/40_rel3.6.8_15-Apply-STD3-ASCII-rules-in-gnutls_idna_map.patch	2019-06-12 19:21:15.000000000 +0200
@@ -0,0 +1,73 @@
+From b697e948b6f66440ee1f15337dfc83b6816bd21a Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Tim=20R=C3=BChsen?= <tim.ruehsen@gmx.de>
+Date: Mon, 20 May 2019 11:10:11 +0200
+Subject: [PATCH] Apply STD3 ASCII rules in gnutls_idna_map()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>
+---
+ NEWS             |  3 +++
+ lib/str-idna.c   | 10 +++++++---
+ tests/str-idna.c |  5 +++++
+ 3 files changed, 15 insertions(+), 3 deletions(-)
+
+--- a/NEWS
++++ b/NEWS
+@@ -53,6 +53,9 @@ See the end for copying conditions.
+ ** libgnutls: Fix calculation of Streebog digests (incorrect carry operation in
+    512 bit addition)
+ 
++** libgnutls: Apply STD3 ASCII rules in gnutls_idna_map() to prevent
++   hostname/domain crafting via IDNA conversion
++
+ ** API and ABI modifications:
+ No changes since last version.
+ 
+--- a/lib/str-idna.c
++++ b/lib/str-idna.c
+@@ -76,9 +76,13 @@ int gnutls_idna_map(const char *input, u
+ 	 * Since IDN2_NONTRANSITIONAL implicitly does NFC conversion, we don't need
+ 	 * the additional IDN2_NFC_INPUT. But just for the unlikely case that the linked
+ 	 * library is not matching the headers when building and it doesn't support TR46,
+-	 * we provide IDN2_NFC_INPUT. */
+-	idn2_flags |= IDN2_NONTRANSITIONAL;
+-	idn2_tflags |= IDN2_TRANSITIONAL;
++	 * we provide IDN2_NFC_INPUT.
++	 *
++	 * Without IDN2_USE_STD3_ASCII_RULES, the result could contain any ASCII characters,
++	 * e.g. 'evil.c\u2100.example.com' will be converted into
++	 * 'evil.ca/c.example.com', which seems no good idea. */
++	idn2_flags |= IDN2_NONTRANSITIONAL | IDN2_USE_STD3_ASCII_RULES;
++	idn2_tflags |= IDN2_TRANSITIONAL | IDN2_USE_STD3_ASCII_RULES;
+ #endif
+ 
+ 	/* This avoids excessive CPU usage with libidn2 < 2.1.1 */
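Review bot: adding IDN2_USE_STD3_ASCII_RULES to both idn2_flags and idn2_tflags in gnutls_idna_map() changes the result for every input containing non-LDH ASCII, not only the U+2100 case given in the comment. STD3 rules allow only letters, digits and hyphen in a label, so names containing an underscore are affected as well; the NEWS entry should say so and tests/str-idna.c should pin that behaviour with a case of its own. The comment's "which seems no good idea" would also be clearer if it named the problem: a '/' ends up inside what callers treat as a hostname.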
+--- a/tests/str-idna.c
++++ b/tests/str-idna.c
+@@ -94,12 +94,16 @@ MATCH_FUNC(test_caps_german1, "Ü.ü", "
+ MATCH_FUNC(test_caps_german2, "Bücher.de", "xn--bcher-kva.de");
+ MATCH_FUNC(test_caps_german3, "Faß.de", "xn--fa-hia.de");
+ MATCH_FUNC(test_dots, "a.b.c。d。", "a.b.c.d.");
++
++/* without STD3 ASCII rules, the result is: evil.ca/c..example.com */
++MATCH_FUNC(test_evil, "evil.c\u2100.example.com", "evil.c.example.com");
+ # else
+ EMPTY_FUNC(test_caps_german1);
+ EMPTY_FUNC(test_caps_german2);
+ EMPTY_FUNC(test_caps_german3);
+ EMPTY_FUNC(test_caps_greek);
+ EMPTY_FUNC(test_dots);
++EMPTY_FUNC(test_evil);
+ # endif
+ 
+ int main(void)
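Review bot: the comment above test_evil gives the unfiltered result as 'evil.ca/c..example.com' with two dots, while the comment added in lib/str-idna.c gives 'evil.ca/c.example.com'; one of the two is a typo. The expected value "evil.c.example.com" also shows that the offending character is dropped and the call still succeeds with a different hostname, so the test should state whether silent removal, rather than an error return, is the intended contract.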
+@@ -130,6 +134,7 @@ int main(void)
+ 		cmocka_unit_test(test_jp2),
+ 		cmocka_unit_test(test_jp2_reverse),
+ 		cmocka_unit_test(test_dots),
++		cmocka_unit_test(test_evil),
+ 		cmocka_unit_test(test_valid_idna2003)
+ 	};
+ 
diff -Nru gnutls28-3.6.7/debian/patches/40_rel3.6.8_20-pubkey-remove-deprecated-TLS1_RSA-flag-check.patch gnutls28-3.6.7/debian/patches/40_rel3.6.8_20-pubkey-remove-deprecated-TLS1_RSA-flag-check.patch
--- gnutls28-3.6.7/debian/patches/40_rel3.6.8_20-pubkey-remove-deprecated-TLS1_RSA-flag-check.patch	1970-01-01 01:00:00.000000000 +0100
+++ gnutls28-3.6.7/debian/patches/40_rel3.6.8_20-pubkey-remove-deprecated-TLS1_RSA-flag-check.patch	2019-06-12 19:21:15.000000000 +0200
@@ -0,0 +1,52 @@
+From b1476abeb6f8b5046e6cd62724cdac241f71aa7b Mon Sep 17 00:00:00 2001
+From: "Kenneth J. Miller" <ken@miller.ec>
+Date: Mon, 15 Apr 2019 17:56:13 +0200
+Subject: [PATCH 1/2] pubkey: remove deprecated TLS1_RSA flag check
+
+The gnutls_certificate_verify_flags comparisons against
+OLD_PUBKEY_VERIFY_FLAG_TLS1_RSA conflicts with
+GNUTLS_VERIFY_DISABLE_CA_SIGN and no longer seems to be used in calls to
+both gnutls_pubkey_verify_data2 and gnutls_pubkey_verify_hash2 as it
+seems to have been fully replaced by GNUTLS_VERIFY_USE_TLS1_RSA.
+
+Resolves: #754
+
+Signed-off-by: Kenneth J. Miller <ken@miller.ec>
+---
+ lib/pubkey.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/lib/pubkey.c b/lib/pubkey.c
+index f1a0302fc..2dfe5d56e 100644
+--- a/lib/pubkey.c
++++ b/lib/pubkey.c
+@@ -1678,8 +1678,6 @@ gnutls_pubkey_import_dsa_raw(gnutls_pubkey_t key,
+ 
+ }
+ 
+-#define OLD_PUBKEY_VERIFY_FLAG_TLS1_RSA 1
+-
+ /* Updates the gnutls_x509_spki_st parameters based on the signature
+  * information, and reports any incompatibilities between the existing
+  * parameters (if any) with the signature algorithm */
+@@ -1758,7 +1756,7 @@ gnutls_pubkey_verify_data2(gnutls_pubkey_t pubkey,
+ 		return GNUTLS_E_INVALID_REQUEST;
+ 	}
+ 
+-	if (flags & OLD_PUBKEY_VERIFY_FLAG_TLS1_RSA || flags & GNUTLS_VERIFY_USE_TLS1_RSA)
++	if (flags & GNUTLS_VERIFY_USE_TLS1_RSA)
+ 		return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
+ 
+ 	memcpy(&params, &pubkey->params.spki, sizeof(gnutls_x509_spki_st));
+@@ -1830,7 +1828,7 @@ gnutls_pubkey_verify_hash2(gnutls_pubkey_t key,
+ 
+ 	memcpy(&params, &key->params.spki, sizeof(gnutls_x509_spki_st));
+ 
+-	if (flags & OLD_PUBKEY_VERIFY_FLAG_TLS1_RSA || flags & GNUTLS_VERIFY_USE_TLS1_RSA) {
++	if (flags & GNUTLS_VERIFY_USE_TLS1_RSA) {
+ 		if (!GNUTLS_PK_IS_RSA(key->params.algo))
+ 			return gnutls_assert_val(GNUTLS_E_INCOMPATIBLE_SIG_WITH_KEY);
+ 		params.pk = GNUTLS_PK_RSA;
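Review bot: the subject line reads [PATCH 1/2] and the diffstat covers only lib/pubkey.c, so the change to gnutls_pubkey_verify_data2() and gnutls_pubkey_verify_hash2() arrives in this upload without a test or a NEWS entry. Add a test that calls both functions with GNUTLS_VERIFY_DISABLE_CA_SIGN, the case the changelog says was broken. The commit message only says the old flag "no longer seems to be used"; any caller still passing the literal value 1 for the old TLS1_RSA meaning now gets GNUTLS_VERIFY_DISABLE_CA_SIGN semantics, which is worth stating in NEWS.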
+-- 
+2.20.1
+
diff -Nru gnutls28-3.6.7/debian/patches/series gnutls28-3.6.7/debian/patches/series
--- gnutls28-3.6.7/debian/patches/series	2019-03-09 10:44:53.000000000 +0100
+++ gnutls28-3.6.7/debian/patches/series	2019-06-12 19:21:15.000000000 +0200
@@ -1,2 +1,7 @@
 14_version_gettextcat.diff
 30_guile-snarf.diff
+40_rel3.6.8_01-gnutls_srp_entry_free-follow-consistent-behavior-in.patch
+40_rel3.6.8_05-lib-nettle-fix-carry-flag-in-Streebog-code.patch
+40_rel3.6.8_10-ext-record_size_limit-distinguish-sending-and-receiv.patch
+40_rel3.6.8_15-Apply-STD3-ASCII-rules-in-gnutls_idna_map.patch
+40_rel3.6.8_20-pubkey-remove-deprecated-TLS1_RSA-flag-check.patch



--- End Message ---
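
The Streebog carry fix named in the unblock request ("incorrect carry operation in 512 bit addition"), as an added example that is not part of the original messages or of GnuTLS. The two loop bodies follow the removed and added lines of the streebog.c hunk; the function names, the reference adder and the input arrays are constructed here for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define LIMBS 8 /* 8 x 64 bits = 512 bits, least significant limb first */

typedef void (*add512_fn)(uint64_t sigma[LIMBS], const uint64_t M[LIMBS]);

/* Carry handling as in the removed lines: the carry out of limb i-1 is
 * inferred from "sum < addend" alone, which misses the case where the
 * incoming carry made the limb wrap exactly onto the addend. */
static void add512_old(uint64_t sigma[LIMBS], const uint64_t M[LIMBS])
{
    int i;

    sigma[0] += M[0];
    for (i = 1; i < LIMBS; i++) {
        if (sigma[i - 1] < M[i - 1])
            sigma[i] += M[i] + 1;
        else
            sigma[i] += M[i];
    }
}

/* Carry handling as in the added lines: when sum == addend the previous
 * carry flag is kept, otherwise it is recomputed from "sum < addend". */
static void add512_new(uint64_t sigma[LIMBS], const uint64_t M[LIMBS])
{
    uint64_t cf = 0;
    int i;

    sigma[0] += M[0];
    for (i = 1; i < LIMBS; i++) {
        if (sigma[i - 1] != M[i - 1])
            cf = (sigma[i - 1] < M[i - 1]);
        sigma[i] += M[i] + cf;
    }
}

/* Independent reference: add 32-bit halves so every carry is explicit. */
static void add512_ref(uint64_t sigma[LIMBS], const uint64_t M[LIMBS])
{
    uint64_t carry = 0;
    int i;

    for (i = 0; i < LIMBS; i++) {
        uint64_t lo = (sigma[i] & 0xffffffffu) + (M[i] & 0xffffffffu) + carry;
        uint64_t hi = (sigma[i] >> 32) + (M[i] >> 32) + (lo >> 32);

        sigma[i] = (hi << 32) | (lo & 0xffffffffu);
        carry = hi >> 32;
    }
}

/* Constructed inputs (not taken from the page). */
static const uint64_t PLAIN_SIGMA[LIMBS] = { 1, 2, 3, 4, 5, 6, 7, 8 };
static const uint64_t PLAIN_M[LIMBS] = { 10, 20, 30, 40, 50, 60, 70, 80 };
/* A carry from limb 0 ripples through limb 1, where the addend is 0. */
static const uint64_t CHAIN_SIGMA[LIMBS] = { UINT64_MAX, UINT64_MAX, 0, 0, 0, 0, 0, 0 };
static const uint64_t CHAIN_M[LIMBS] = { 1, 0, 0, 0, 0, 0, 0, 0 };
/* All-ones plus all-ones: every limb carries into the next one. */
static const uint64_t ONES[LIMBS] = {
    UINT64_MAX, UINT64_MAX, UINT64_MAX, UINT64_MAX,
    UINT64_MAX, UINT64_MAX, UINT64_MAX, UINT64_MAX
};

/* Returns 1 when add() yields the same 512-bit sum as the reference. */
static int agrees_with_reference(add512_fn add, const uint64_t s[LIMBS],
                                 const uint64_t m[LIMBS])
{
    uint64_t got[LIMBS], want[LIMBS];

    memcpy(got, s, sizeof got);
    memcpy(want, s, sizeof want);
    add(got, m);
    add512_ref(want, m);
    return memcmp(got, want, sizeof got) == 0;
}

int main(void)
{
    printf("no carries:   old=%d new=%d\n",
           agrees_with_reference(add512_old, PLAIN_SIGMA, PLAIN_M),
           agrees_with_reference(add512_new, PLAIN_SIGMA, PLAIN_M));
    printf("carry chain:  old=%d new=%d\n",
           agrees_with_reference(add512_old, CHAIN_SIGMA, CHAIN_M),
           agrees_with_reference(add512_new, CHAIN_SIGMA, CHAIN_M));
    printf("all ones:     old=%d new=%d\n",
           agrees_with_reference(add512_old, ONES, ONES),
           agrees_with_reference(add512_new, ONES, ONES));
    return 0;
}
```

The old loop only diverges when a carry has to pass through a limb whose sum lands exactly on the addend, which is why ordinary test vectors did not catch it.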
--- Begin Message ---
On Thu, Jun 13, 2019 at 07:13:22PM +0200, Andreas Metzler wrote:
> Please unblock package gnutls28. This upload cherry-picks the
> recommended fixes[1] from upstream latest stable release (3.6.8) and fixes
> #929907.

Unblocked; thanks.

-- 
Jonathan Wiltshire                                      jmw@debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51

--- End Message ---
