
Bug#949310: buster-pu: package gnutls28/3.6.7-4+deb10u1



Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu

Hello,

there is a regression in gnutls/buster compared to stretch. It fails to
parse certificates using Registered ID in Subject Alternative Name.

See upstream report https://gitlab.com/gnutls/gnutls/issues/905 for more
details.

I would like to fix this in pu, by pulling the fix from GnuTLS 3.6.9.
The respective upstream change also adds a testcase and therefore
adds/modifies binary files. The proposed Debian changes are thus not
representable as a debdiff, so I am attaching a git-format-patch diff instead.

cu Andreas
From de3d573242195eddab914709584242610b2e2762 Mon Sep 17 00:00:00 2001
From: Andreas Metzler <ametzler@bebt.de>
Date: Sun, 19 Jan 2020 18:00:12 +0100
Subject: [PATCH] Fix parsing of certificates using RegisteredID Closes:
 #949293

---
 debian/binary/cert10.der                      | Bin 0 -> 571 bytes
 debian/binary/cert5.der                       | Bin 0 -> 414 bytes
 debian/changelog                              |   6 +
 ...ralname-registeredID-from-RFC-5280-i.patch | 242 ++++++++++++++++++
 debian/patches/series                         |   1 +
 debian/rules                                  |   8 +
 debian/source/include-binaries                |   2 +
 7 files changed, 259 insertions(+)
 create mode 100644 debian/binary/cert10.der
 create mode 100644 debian/binary/cert5.der
 create mode 100644 debian/patches/41_rel3.6.9_01-Support-for-Generalname-registeredID-from-RFC-5280-i.patch

diff --git a/debian/binary/cert10.der b/debian/binary/cert10.der
new file mode 100644
index 0000000000000000000000000000000000000000..07ab16d3eec034bd14cd94dd0174a2a76c768918
GIT binary patch
literal 571
zcmXqLVlp>qV!XS6nTe5!i7~~1i;Y98&EuRc3p0~}r=h5UFdK6y3o{Rod$6ygLP%<H
ziGs7Ip`ZajNSK?4Bg8d0#Mw0{#8AM14<y9J!yXhI01`FiHsAz_un9AHh8W0+^BS5P
z7#SEE8XH@fnnj888W|vQ4O9(z4Y(l&usAyVx*CcY2!XiFJlr6|6oP$qT>`WXB7yE<
z2fL4n5$aH8Ms{W=1{U9cSH5JrPuwpy_1pr3D$^|zjMJuCRBw;2RdL_8Rbf7h>pH)<
zAeoC69oOR@)U-AzX+7fIwMMr5Y?*=QWGCtCmWvy28Z=%rkOx{StIQ%{Al4xA)v;*r
z&#tN0V)pImvRHUfwt=hluz@T{0UwJPi^$%nrZZC05)>tNl_o6w-@LqAk^3n)5M%{e
z*bP`am^;k5AbfsC#{Vq90A+755C>^j0P%tT1qKj%dZQ2{6C;a3G)O|8CBz`eKz)Jg
z0_8TvjFOT9D}DXsOuZ6du<NB4=O*eU=jZA>2l?na>LnND5TnoutPm+unLQW`T$vOZ
zKAwN?_-Mxhr6h5Iomr{=|DUv8=uvo<@*?`vb#(?Ub_*tjOx3;Lceh_Su}`~V!O>ZX
Wj1`&&hyKl2t6N}^n#Cltcsc-wAErzI

literal 0
HcmV?d00001

diff --git a/debian/binary/cert5.der b/debian/binary/cert5.der
new file mode 100644
index 0000000000000000000000000000000000000000..f950ff3e1b1c3bdac0afcafc21301dc49041d298
GIT binary patch
literal 414
zcmXqLVw`2r#K^pWnTe5!iIrjX+4uVlc-c6$+C196^D;8BvN9Mj7|4n98krj!7?~S@
zfMJw4uQ4(gsG@N`vMxqe2Ij_IplB!4ZwC4U2Q8?b$)N|M&OB#gW@KPotY9E#Aj8HS
zDl5n$Y9QRkpHWg$P;8~IZ)m8eXQ*e`$bjqtptqSD8yT*aah+=6FIw}h=PuiXI_1f4
zjO}l_7B(=|un6DSbvJtr%dXy6-G}cxmQKx*-MiUR_O`VBL+Qk(3D%vDzl3h&ysw<&
zyp-`_YHz|MkvGayTkSrdl3Mnxul!d_+T{}q_@dUQofGUa{3yTitAVP$$&aJO<`d^y
RD_LK5pB*+m;E!y@E&!)kWTgNA

literal 0
HcmV?d00001

diff --git a/debian/changelog b/debian/changelog
index 4944112..ab8c730 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+gnutls28 (3.6.7-4+deb10u2) buster; urgency=medium
+
+  * Fix parsing of certificates using RegisteredID Closes: #949293
+
+ -- Andreas Metzler <ametzler@debian.org>  Sun, 19 Jan 2020 14:03:08 +0100
+
 gnutls28 (3.6.7-4+deb10u1) buster; urgency=medium
 
   * 42_rel3.6.10_01-gnutls_epoch_set_keys-do-not-forbid-random-padding.patch
diff --git a/debian/patches/41_rel3.6.9_01-Support-for-Generalname-registeredID-from-RFC-5280-i.patch b/debian/patches/41_rel3.6.9_01-Support-for-Generalname-registeredID-from-RFC-5280-i.patch
new file mode 100644
index 0000000..9129642
--- /dev/null
+++ b/debian/patches/41_rel3.6.9_01-Support-for-Generalname-registeredID-from-RFC-5280-i.patch
@@ -0,0 +1,242 @@
+From 55c76aab7620aa2609bb488a8ab72c7d782e8424 Mon Sep 17 00:00:00 2001
+From: Karsten Ohme <k_o_@users.sourceforge.net>
+Date: Sat, 22 Jun 2019 00:39:56 +0200
+Subject: [PATCH] Support for Generalname registeredID from RFC 5280 in subject
+ alt name
+
+Added test certificates (cert10.der) with registered ID
+
+Updated Makefile for inclusion of test certificates
+
+Updated SAN unknown test certificates (cert5.der)
+
+Signed-off-by: Karsten Ohme <k_o_@users.sourceforge.net>
+---
+ NEWS                               |   3 ++
+ lib/includes/gnutls/gnutls.h.in    |   4 ++-
+ lib/x509/common.c                  |   5 +++
+ lib/x509/extensions.c              |   3 ++
+ lib/x509/output.c                  |   4 +++
+ lib/x509/x509.c                    |   9 ++++--
+ tests/Makefile.am                  |   4 +--
+ tests/certs-interesting/cert10.der | Bin 0 -> 571 bytes
+ tests/certs-interesting/cert5.der  | Bin 418 -> 414 bytes
+ tests/crt_apis.c                   |  49 +++++++++++++++++++++++------
+ 10 files changed, 66 insertions(+), 15 deletions(-)
+ create mode 100644 tests/certs-interesting/cert10.der
+
+--- a/NEWS
++++ b/NEWS
+@@ -5,6 +5,8 @@ Copyright (C) 2000-2016 Free Software Fo
+ Copyright (C) 2013-2019 Nikos Mavrogiannopoulos
+ See the end for copying conditions.
+ 
++** libgnutls: Added support for Generalname registeredID.
++
+ * Version 3.6.7 (released 2019-03-27)
+ 
+ ** libgnutls, gnutls tools: Every gnutls_free() will automatically set
+--- a/lib/includes/gnutls/gnutls.h.in
++++ b/lib/includes/gnutls/gnutls.h.in
+@@ -2547,6 +2547,7 @@ gnutls_psk_set_server_params_function(gn
+  * @GNUTLS_SAN_IPADDRESS: IP address SAN.
+  * @GNUTLS_SAN_OTHERNAME: OtherName SAN.
+  * @GNUTLS_SAN_DN: DN SAN.
++ * @GNUTLS_SAN_REGISTERED_ID: RegisteredID.
+  * @GNUTLS_SAN_OTHERNAME_XMPP: Virtual SAN, used by certain functions for convenience.
+  * @GNUTLS_SAN_OTHERNAME_KRB5PRINCIPAL: Virtual SAN, used by certain functions for convenience.
+  *
+@@ -2559,7 +2560,8 @@ typedef enum gnutls_x509_subject_alt_nam
+ 	GNUTLS_SAN_IPADDRESS = 4,
+ 	GNUTLS_SAN_OTHERNAME = 5,
+ 	GNUTLS_SAN_DN = 6,
+-	GNUTLS_SAN_MAX = GNUTLS_SAN_DN,
++	GNUTLS_SAN_REGISTERED_ID = 7,
++	GNUTLS_SAN_MAX = GNUTLS_SAN_REGISTERED_ID,
+ 	/* The following are "virtual" subject alternative name types, in
+ 	   that they are represented by an otherName value and an OID.
+ 	   Used by gnutls_x509_crt_get_subject_alt_othername_oid.  */
+--- a/lib/x509/common.c
++++ b/lib/x509/common.c
+@@ -537,6 +537,9 @@ gnutls_x509_subject_alt_name_t _gnutls_x
+ 		return GNUTLS_SAN_OTHERNAME;
+ 	if (strcmp(str_type, "directoryName") == 0)
+ 		return GNUTLS_SAN_DN;
++	if (strcmp(str_type, "registeredID") == 0)
++		return GNUTLS_SAN_REGISTERED_ID;
++
+ 	return (gnutls_x509_subject_alt_name_t) - 1;
+ }
+ 
+@@ -703,6 +706,8 @@ x509_read_value(ASN1_TYPE c, const char
+ 	if (result == 0 && allow_null == 0 && len == 0) {
+ 		/* don't allow null strings */
+ 		return gnutls_assert_val(GNUTLS_E_ASN1_DER_ERROR);
++	} else if (result == 0 && allow_null == 0 && etype == ASN1_ETYPE_OBJECT_ID && len == 1) {
++		return gnutls_assert_val(GNUTLS_E_ASN1_DER_ERROR);
+ 	}
+ 
+ 	if (result != ASN1_MEM_ERROR) {
+--- a/lib/x509/extensions.c
++++ b/lib/x509/extensions.c
+@@ -715,6 +715,9 @@ _gnutls_write_general_name(ASN1_TYPE ext
+ 	case GNUTLS_SAN_IPADDRESS:
+ 		str = "iPAddress";
+ 		break;
++	case GNUTLS_SAN_REGISTERED_ID:
++		str = "registeredID";
++		break;
+ 	default:
+ 		gnutls_assert();
+ 		return GNUTLS_E_INTERNAL_ERROR;
+--- a/lib/x509/output.c
++++ b/lib/x509/output.c
+@@ -144,6 +144,10 @@ print_name(gnutls_buffer_st *str, const
+ 		addf(str,  _("%sdirectoryName: %.*s\n"), prefix, name->size, NON_NULL(name->data));
+ 		break;
+ 
++	case GNUTLS_SAN_REGISTERED_ID:
++			addf(str,  _("%sRegistered ID: %.*s\n"), prefix, name->size, NON_NULL(name->data));
++			break;
++
+ 	case GNUTLS_SAN_OTHERNAME_XMPP:
+ 		addf(str,  _("%sXMPP Address: %.*s\n"), prefix, name->size, NON_NULL(name->data));
+ 		break;
+--- a/lib/x509/x509.c
++++ b/lib/x509/x509.c
+@@ -1344,7 +1344,7 @@ inline static int is_type_printable(int
+ {
+ 	if (type == GNUTLS_SAN_DNSNAME || type == GNUTLS_SAN_RFC822NAME ||
+ 	    type == GNUTLS_SAN_URI || type == GNUTLS_SAN_OTHERNAME_XMPP ||
+-	    type == GNUTLS_SAN_OTHERNAME)
++	    type == GNUTLS_SAN_OTHERNAME || type == GNUTLS_SAN_REGISTERED_ID)
+ 		return 1;
+ 	else
+ 		return 0;
+@@ -1657,7 +1657,6 @@ _gnutls_parse_general_name2(ASN1_TYPE sr
+ 
+ 	len = sizeof(choice_type);
+ 	result = asn1_read_value(src, nptr, choice_type, &len);
+-
+ 	if (result == ASN1_VALUE_NOT_FOUND
+ 	    || result == ASN1_ELEMENT_NOT_FOUND) {
+ 		return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE;
+@@ -1739,6 +1738,12 @@ _gnutls_parse_general_name2(ASN1_TYPE sr
+ 			return ret;
+ 		}
+ 
++		if (type == GNUTLS_SAN_REGISTERED_ID && tmp.size > 0) {
++			/* see #805; OIDs contain the null termination byte */
++			assert(tmp.data[tmp.size-1] == 0);
++			tmp.size--;
++		}
++
+ 		/* _gnutls_x509_read_value() null terminates */
+ 		dname->size = tmp.size;
+ 		dname->data = tmp.data;
+--- a/tests/Makefile.am
++++ b/tests/Makefile.am
+@@ -50,9 +50,9 @@ EXTRA_DIST = suppressions.valgrind eagai
+ 	certs-interesting/README.md certs-interesting/cert1.der certs-interesting/cert1.der.err \
+ 	certs-interesting/cert2.der certs-interesting/cert2.der.err certs-interesting/cert3.der \
+ 	certs-interesting/cert3.der.err certs-interesting/cert4.der certs-interesting/cert5.der \
+-	certs-interesting/cert6.der certs-interesting/cert6.der.err \
++	certs-interesting/cert5.der.err certs-interesting/cert6.der certs-interesting/cert6.der.err \
+ 	certs-interesting/cert7.der certs-interesting/cert8.der \
+-	certs-interesting/cert9.der certs-interesting/cert5.der.err \
++	certs-interesting/cert9.der certs-interesting/cert10.der \
+ 	certs-interesting/cert3.der.err certs-interesting/cert4.der \
+ 	scripts/common.sh scripts/starttls-common.sh \
+ 	rng-op.c x509sign-verify-common.h common-key-tests.h \
+--- a/tests/crt_apis.c
++++ b/tests/crt_apis.c
+@@ -39,19 +39,19 @@
+ 
+ static unsigned char saved_crt_pem[] =
+ 	"-----BEGIN CERTIFICATE-----\n"
+-	"MIICWTCCAcKgAwIBAgIDChEAMA0GCSqGSIb3DQEBCwUAMCsxDjAMBgNVBAMTBW5p\n"
++	"MIICWjCCAcOgAwIBAgIDChEAMA0GCSqGSIb3DQEBCwUAMCsxDjAMBgNVBAMTBW5p\n"
+ 	"a29zMRkwFwYDVQQKExBub25lIHRvLCBtZW50aW9uMCAXDTA4MDMzMTIyMDAwMFoY\n"
+ 	"Dzk5OTkxMjMxMjM1OTU5WjArMQ4wDAYDVQQDEwVuaWtvczEZMBcGA1UEChMQbm9u\n"
+ 	"ZSB0bywgbWVudGlvbjCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAu2ZD9fLF\n"
+ 	"17aMzMXf9Yg7sclLag6hrSBQQAiAoU9co9D4bM/mPPfsBHYTF4tkiSJbwN1TfDvt\n"
+ 	"fAS7gLkovo6bxo6gpRLL9Vceoue7tzNJn+O7Sq5qTWj/yRHiMo3OPYALjXXv2ACB\n"
+-	"jygEA6AijWEEB/q2N30hB0nSCWFpmJCjWKkCAwEAAYEFAAABAgOCBQAEAwIBo3sw\n"
+-	"eTAMBgNVHRMBAf8EAjAAMA8GA1UdDwEB/wQFAwMHgAAwNgYDVR0RBC8wLYIDYXBh\n"
+-	"ghF4bi0tbXhhYTRhczZkLmNvbYETdGVzdEB4bi0ta3hhd2hrLm9yZzAgBgNVHSUB\n"
+-	"Af8EFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDQYJKoZIhvcNAQELBQADgYEAsCHT\n"
+-	"vpIFkQG8th0DbEU3BE3KP5aa93HDLpZPu5PVLkoBb4PPWjKPK+737mwaSs9zXe58\n"
+-	"awhM0ycZ1ymSC+MiRuQlzt4Opx1Fm8WFsDr7d0g/C96Arr1Ss4ZhNi15nyoYeaWJ\n"
+-	"1n7nX+msWnuc+aABt1d8aAhAvaU8do0+WI2jY90=\n"
++	"jygEA6AijWEEB/q2N30hB0nSCWFpmJCjWKkCAwEAAYEFAAABAgOCBQAEAwIBo3ww\n"
++	"ejAMBgNVHRMBAf8EAjAAMA8GA1UdDwEB/wQFAwMHgAAwNwYDVR0RBDAwLogEKgME\n"
++	"BYIReG4tLW14YWE0YXM2ZC5jb22BE3Rlc3RAeG4tLWt4YXdoay5vcmcwIAYDVR0l\n"
++	"AQH/BBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMA0GCSqGSIb3DQEBCwUAA4GBADzP\n"
++	"piA0s50R+oM/OWcHrARRMFhmOv8oj4mQeXjePCUJub8CDj1XnZwseIY9K9IU6Lxm\n"
++	"43p7kw1jFzPRBJyuZC5X92AdG1meR1RKd91M3VEvn2cgfesX7/MbhZIYJ8ZD2S1L\n"
++	"rqzVabXTZjKdHT727mCJdqzjDh7CFmb9Q2ZU6jDR\n"
+ 	"-----END CERTIFICATE-----\n";
+ 
+ const gnutls_datum_t saved_crt = { saved_crt_pem, sizeof(saved_crt_pem)-1 };
+@@ -71,6 +71,8 @@ static time_t mytime(time_t * t)
+ 	return then;
+ }
+ 
++#define REGISTERED_OID "1.2.3.4.5"
++
+ void doit(void)
+ {
+ 	gnutls_x509_privkey_t pkey;
+@@ -79,9 +81,9 @@ void doit(void)
+ 	const char *err = NULL;
+ 	unsigned char buf[64];
+ 	unsigned char large_buf[5*1024];
+-	unsigned int status;
++	unsigned int status, san_type;
+ 	gnutls_datum_t out;
+-	size_t s = 0;
++	size_t s = 0, i;
+ 	int ret;
+ 
+ 	ret = global_init();
+@@ -181,6 +183,11 @@ void doit(void)
+ 	if (ret != 0)
+ 		fail("gnutls_x509_crt_set_subject_alt_name\n");
+ 
++	ret = gnutls_x509_crt_set_subject_alt_name(crt, GNUTLS_SAN_REGISTERED_ID,
++						   REGISTERED_OID, strlen(REGISTERED_OID), 0);
++	if (ret != 0)
++		fail("gnutls_x509_crt_set_subject_alt_name\n");
++
+ 	ret = gnutls_x509_crt_set_subject_alt_name(crt, GNUTLS_SAN_DNSNAME,
+ 						   "απαλό.com", strlen("απαλό.com"), 1);
+ #if defined(HAVE_LIBIDN2) || defined(HAVE_LIBIDN)
+@@ -355,6 +362,28 @@ void doit(void)
+ 	assert(s == out.size);
+ 	assert(memcmp(large_buf, out.data, out.size) == 0);
+ 
++	/* verify some values written in the original cert */
++	gnutls_x509_crt_deinit(crt2);
++	ret = gnutls_x509_crt_init(&crt2);
++	if (ret != 0)
++		fail("gnutls_x509_crt_init\n");
++
++	ret = gnutls_x509_crt_import(crt2, &out, GNUTLS_X509_FMT_DER);
++	if (ret != 0)
++		fail("gnutls_x509_crt_import\n");
++
++	i = 0;
++	do {
++		s = sizeof(buf);
++		ret = gnutls_x509_crt_get_subject_alt_name2(crt2, i++, buf, &s, &san_type, NULL);
++		if (ret < 0)
++			fail("gnutls_x509_crt_get_subject_alt_name2: %s\n", gnutls_strerror(ret));
++	} while (san_type != GNUTLS_SAN_REGISTERED_ID);
++
++	assert(san_type == GNUTLS_SAN_REGISTERED_ID);
++	assert(s == strlen(REGISTERED_OID));
++	assert(memcmp(buf, REGISTERED_OID, s) == 0);
++
+ 	gnutls_free(out.data);
+ 
+ 	gnutls_x509_crt_deinit(crt);
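Review bot: In the lib/x509/x509.c hunk of the embedded patch, `assert(tmp.data[tmp.size-1] == 0);` in _gnutls_parse_general_name2 makes a violated invariant on a value read from an X.509 certificate abort the whole process, and under NDEBUG the check vanishes so that `tmp.size--` would silently drop the last byte of the OID instead. The comment two lines below already states the invariant (_gnutls_x509_read_value() null terminates), so a non-aborting check is cheap: `if (tmp.data[tmp.size-1] != 0) return gnutls_assert_val(GNUTLS_E_ASN1_DER_ERROR);`, releasing tmp.data first in whatever way the function's other error paths do (they lie outside the quoted hunk, as do the start and end of the function). As a point of style, the new GNUTLS_SAN_REGISTERED_ID case in lib/x509/output.c is indented one tab deeper than its sibling cases in the same switch.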
diff --git a/debian/patches/series b/debian/patches/series
index 858c893..0eda2a6 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -5,4 +5,5 @@
 40_rel3.6.8_10-ext-record_size_limit-distinguish-sending-and-receiv.patch
 40_rel3.6.8_15-Apply-STD3-ASCII-rules-in-gnutls_idna_map.patch
 40_rel3.6.8_20-pubkey-remove-deprecated-TLS1_RSA-flag-check.patch
+41_rel3.6.9_01-Support-for-Generalname-registeredID-from-RFC-5280-i.patch
 42_rel3.6.10_01-gnutls_epoch_set_keys-do-not-forbid-random-padding.patch
diff --git a/debian/rules b/debian/rules
index 8c7300c..cbdf7fd 100755
--- a/debian/rules
+++ b/debian/rules
@@ -35,6 +35,10 @@ CONFIGUREARGS = \
 BDIR = -O--builddirectory=b4deb
 
 override_dh_auto_configure:
+	# Binary files related to
+	# 41_rel3.6.9_01-Support-for-Generalname-registeredID-from-RFC-5280-i.patch
+	cp debian/binary/cert10.der debian/binary/cert5.der \
+		tests/certs-interesting/
 	dh_auto_configure --verbose $(BDIR) -- \
 		$(CONFIGUREARGS) \
 		--enable-static \
@@ -61,6 +65,10 @@ override_dh_auto_clean:
 	if [ -e doc/gnutls.pdf.debbackup ] && [ ! -e doc/gnutls.pdf ] ; \
 		then mv -v doc/gnutls.pdf.debbackup doc/gnutls.pdf ; fi
 	rm -fv `grep -El 'has been AutoGen-ed |has been AutoGen-ed *$$' doc/manpages/*.?`
+	# Binary files related to
+	# 41_rel3.6.9_01-Support-for-Generalname-registeredID-from-RFC-5280-i.patch
+	rm -f tests/certs-interesting/cert10.der \
+		tests/certs-interesting/cert5.der
 
 override_dh_auto_build:
 	dh_auto_build $(BDIR) --verbose --parallel
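Review bot: The added `rm -f tests/certs-interesting/cert10.der tests/certs-interesting/cert5.der` in override_dh_auto_clean deletes cert5.der, which (per the upstream diffstat, "Bin 418 -> 414 bytes") exists in the pristine tarball, so after a clean the source tree no longer matches the orig and dpkg-source will likely warn about an ignored file deletion. The same recipe already handles this for doc/gnutls.pdf with a .debbackup copy; the same pattern fits here: before the `cp` in override_dh_auto_configure, `[ -e tests/certs-interesting/cert5.der.debbackup ] || mv tests/certs-interesting/cert5.der tests/certs-interesting/cert5.der.debbackup`, and in clean replace the cert5.der removal with `if [ -e tests/certs-interesting/cert5.der.debbackup ] ; then mv -v tests/certs-interesting/cert5.der.debbackup tests/certs-interesting/cert5.der ; fi`. Removing cert10.der is fine as it is new.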
diff --git a/debian/source/include-binaries b/debian/source/include-binaries
index 95a390b..3e2a5af 100644
--- a/debian/source/include-binaries
+++ b/debian/source/include-binaries
@@ -1 +1,3 @@
 debian/upstream-signing-key.pgp
+debian/binary/cert10.der
+debian/binary/cert5.der
-- 
2.24.1


