--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: [email protected], Simon McVittie <[email protected]>
Control: affects -1 + src:gnutls28
User: [email protected]
Usertags: pu
Hello,
I would like to fix #1130152 for trixie. Simon has done all the heavy
and not so heavy lifting on this, let's quote #1130152:
8X-------------------
A regression in GnuTLS 3.8.5, which started shuffling the extensions
order, causes an interoperability issue leading to handshake failures
with some SSL/TLS servers. I'm reporting this at important severity since
it's an interop regression affecting an unknown number of remote services.
From the linked regression report https://github.com/luakit/luakit/issues/1101,
it seems that at the time of writing, search.dismail.de is a good test-case,
for example:
[...]
# gnutls-cli search.dismail.de
Processed 150 CA certificate(s).
Resolving 'search.dismail.de:443'...
Connecting to '128.140.68.142:443'...
*** Fatal error: A TLS fatal alert has been received.
*** Received alert [47]: Illegal parameter
[...]
I've confirmed that 3.8.12-2 in forky and 3.7.9-2+deb12u6 in bookworm
are both unaffected by this: they successfully connect to that server,
with gnutls-cli output that includes "Handshake was completed". (Press
Ctrl+D to exit after seeing this.)
This appears to have been fixed by
https://gitlab.com/gnutls/gnutls/-/merge_requests/1930
after the 3.8.9 release, commit
[...]
8X-------------------
I have verified the proposed change and that it fixes the issue.
TIA, cu Andreas
--
"You people are noisy," Nia said.
I made the gesture of agreement.
diff --git a/debian/changelog b/debian/changelog
index ee6981c..867d2f8 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,15 @@
+gnutls28 (3.8.9-3+deb13u3) trixie; urgency=medium
+
+ [ Simon McVittie ]
+ * d/p/51_handshake-only-shuffle-extensions-in-the-first-Client-Hel.patch:
+ Preserve extension order across client Hello retry.
+ This resolves an interop regression in 3.8.5 with servers that enforce
+ the RFC requirement that the Client Hello after a Hello Retry Request
+ has the same extensions as the original Client Hello, in the same order
+ (Closes: #1130152)
+
+ -- Andreas Metzler <[email protected]> Sat, 14 Mar 2026 07:19:14 +0100
+
gnutls28 (3.8.9-3+deb13u2) trixie-security; urgency=high
* libgnutls: Fix name constraint processing performance issue
diff --git a/debian/patches/51_handshake-only-shuffle-extensions-in-the-first-Client-Hel.patch b/debian/patches/51_handshake-only-shuffle-extensions-in-the-first-Client-Hel.patch
new file mode 100644
index 0000000..dd48dfa
--- /dev/null
+++ b/debian/patches/51_handshake-only-shuffle-extensions-in-the-first-Client-Hel.patch
@@ -0,0 +1,213 @@
+From: Daiki Ueno <[email protected]>
+Date: Sun, 9 Feb 2025 10:31:20 +0900
+Subject: handshake: only shuffle extensions in the first Client Hello
+
+RFC 8446 section 4.1.2 states that the second Client Hello after HRR
+should preserve the same content as the first Client Hello with
+limited exceptions. Since GnuTLS 3.8.5, however, the library started
+shuffling the order of extensions for privacy reasons and that didn't
+comply with the RFC, leading to a connectivity issue against the
+server configuration with a stricter check on that.
+
+Signed-off-by: Daiki Ueno <[email protected]>
+Origin: upstream, 3.8.10, commit:dc5ee80c3a28577e9de0f82fb08164e4c02b96af
+Bug: https://gitlab.com/gnutls/gnutls/-/work_items/1660
+Bug-Debian: https://bugs.debian.org/1130152
+Bug-SteamRT: steamrt/tasks#938
+---
+ lib/gnutls_int.h | 4 +++
+ lib/hello_ext.c | 41 +++++++++++++++++++------------
+ lib/state.c | 2 ++
+ tests/tls13/hello_retry_request.c | 51 ++++++++++++++++++++++++++++++++++++---
+ 4 files changed, 79 insertions(+), 19 deletions(-)
+
+diff --git a/lib/gnutls_int.h b/lib/gnutls_int.h
+index d10a028..572de5a 100644
+--- a/lib/gnutls_int.h
++++ b/lib/gnutls_int.h
+@@ -1666,6 +1666,10 @@ typedef struct {
+ /* Compression method for certificate compression */
+ gnutls_compression_method_t compress_certificate_method;
+
++ /* To shuffle extension sending order */
++ extensions_t client_hello_exts[MAX_EXT_TYPES];
++ bool client_hello_exts_set;
++
+ /* If you add anything here, check _gnutls_handshake_internal_state_clear().
+ */
+ } internals_st;
+diff --git a/lib/hello_ext.c b/lib/hello_ext.c
+index 45237b8..94e6d86 100644
+--- a/lib/hello_ext.c
++++ b/lib/hello_ext.c
+@@ -438,8 +438,6 @@ int _gnutls_gen_hello_extensions(gnutls_session_t session,
+ int pos, ret;
+ size_t i;
+ hello_ext_ctx_st ctx;
+- /* To shuffle extension sending order */
+- extensions_t indices[MAX_EXT_TYPES];
+
+ msg &= GNUTLS_EXT_FLAG_SET_ONLY_FLAGS_MASK;
+
+@@ -469,26 +467,39 @@ int _gnutls_gen_hello_extensions(gnutls_session_t session,
+ ret - 4);
+ }
+
+- /* Initializing extensions array */
+- for (i = 0; i < MAX_EXT_TYPES; i++) {
+- indices[i] = i;
+- }
++ if (msg & GNUTLS_EXT_FLAG_CLIENT_HELLO &&
++ !session->internals.client_hello_exts_set) {
++ /* Initializing extensions array */
++ for (i = 0; i < MAX_EXT_TYPES; i++) {
++ session->internals.client_hello_exts[i] = i;
++ }
+
+- if (!session->internals.priorities->no_shuffle_extensions) {
+- /* Ordering padding and pre_shared_key as last extensions */
+- swap_exts(indices, MAX_EXT_TYPES - 2, GNUTLS_EXTENSION_DUMBFW);
+- swap_exts(indices, MAX_EXT_TYPES - 1,
+- GNUTLS_EXTENSION_PRE_SHARED_KEY);
++ if (!session->internals.priorities->no_shuffle_extensions) {
++ /* Ordering padding and pre_shared_key as last extensions */
++ swap_exts(session->internals.client_hello_exts,
++ MAX_EXT_TYPES - 2, GNUTLS_EXTENSION_DUMBFW);
++ swap_exts(session->internals.client_hello_exts,
++ MAX_EXT_TYPES - 1,
++ GNUTLS_EXTENSION_PRE_SHARED_KEY);
+
+- ret = shuffle_exts(indices, MAX_EXT_TYPES - 2);
+- if (ret < 0)
+- return gnutls_assert_val(ret);
++ ret = shuffle_exts(session->internals.client_hello_exts,
++ MAX_EXT_TYPES - 2);
++ if (ret < 0)
++ return gnutls_assert_val(ret);
++ }
++ session->internals.client_hello_exts_set = true;
+ }
+
+ /* hello_ext_send() ensures we don't send duplicates, in case
+ * of overridden extensions */
+ for (i = 0; i < MAX_EXT_TYPES; i++) {
+- size_t ii = indices[i];
++ size_t ii;
++
++ if (msg & GNUTLS_EXT_FLAG_CLIENT_HELLO)
++ ii = session->internals.client_hello_exts[i];
++ else
++ ii = i;
++
+ if (!extfunc[ii])
+ continue;
+
+diff --git a/lib/state.c b/lib/state.c
+index 020f212..8090686 100644
+--- a/lib/state.c
++++ b/lib/state.c
+@@ -518,6 +518,8 @@ static void handshake_internal_state_clear1(gnutls_session_t session)
+
+ session->internals.hrr_cs[0] = CS_INVALID_MAJOR;
+ session->internals.hrr_cs[1] = CS_INVALID_MINOR;
++
++ session->internals.client_hello_exts_set = false;
+ }
+
+ /* This function will clear all the variables in internals
+diff --git a/tests/tls13/hello_retry_request.c b/tests/tls13/hello_retry_request.c
+index f407b64..6c5f698 100644
+--- a/tests/tls13/hello_retry_request.c
++++ b/tests/tls13/hello_retry_request.c
+@@ -51,14 +51,37 @@ static void tls_log_func(int level, const char *str)
+ }
+
+ #define HANDSHAKE_SESSION_ID_POS 34
++#define MAX_EXT_TYPES 64
+
+ struct ctx_st {
+ unsigned hrr_seen;
+ unsigned hello_counter;
+ uint8_t session_id[32];
+ size_t session_id_len;
++ unsigned extensions[MAX_EXT_TYPES];
++ size_t extensions_size1;
++ size_t extensions_size2;
+ };
+
++static int ext_callback(void *_ctx, unsigned tls_id, const unsigned char *data,
++ unsigned size)
++{
++ struct ctx_st *ctx = _ctx;
++ if (ctx->hello_counter == 0) {
++ assert(ctx->extensions_size1 < MAX_EXT_TYPES);
++ ctx->extensions[ctx->extensions_size1++] = tls_id;
++ } else {
++ assert(ctx->extensions_size2 < MAX_EXT_TYPES);
++ if (tls_id != ctx->extensions[ctx->extensions_size2]) {
++ fail("extension doesn't match at position %zu, %u != %u\n",
++ ctx->extensions_size2, tls_id,
++ ctx->extensions[ctx->extensions_size2]);
++ }
++ ctx->extensions_size2++;
++ }
++ return 0;
++}
++
+ static int hello_callback(gnutls_session_t session, unsigned int htype,
+ unsigned post, unsigned int incoming,
+ const gnutls_datum_t *msg)
+@@ -73,15 +96,25 @@ static int hello_callback(gnutls_session_t session, unsigned int htype,
+ post == GNUTLS_HOOK_POST) {
+ size_t session_id_len;
+ uint8_t *session_id;
++ unsigned pos = HANDSHAKE_SESSION_ID_POS;
++ gnutls_datum_t mmsg;
++ int ret;
+
+- assert(msg->size > HANDSHAKE_SESSION_ID_POS + 1);
+- session_id_len = msg->data[HANDSHAKE_SESSION_ID_POS];
+- session_id = &msg->data[HANDSHAKE_SESSION_ID_POS + 1];
++ assert(msg->size > pos + 1);
++ session_id_len = msg->data[pos];
++ session_id = &msg->data[pos + 1];
++
++ SKIP8(pos, msg->size);
++ SKIP16(pos, msg->size);
++ SKIP8(pos, msg->size);
++
++ mmsg.data = &msg->data[pos];
++ mmsg.size = msg->size - pos;
+
+ if (ctx->hello_counter > 0) {
+ assert(msg->size > 4);
+ if (msg->data[0] != 0x03 || msg->data[1] != 0x03) {
+- fail("version is %d.%d expected 3,3\n",
++ fail("version is %d.%d expected 3.3\n",
+ (int)msg->data[0], (int)msg->data[1]);
+ }
+
+@@ -95,6 +128,12 @@ static int hello_callback(gnutls_session_t session, unsigned int htype,
+ ctx->session_id_len = session_id_len;
+ memcpy(ctx->session_id, session_id, session_id_len);
+
++ ret = gnutls_ext_raw_parse(ctx, ext_callback, &mmsg, 0);
++ if (ret < 0) {
++ fail("unable to parse extensions: %s\n",
++ gnutls_strerror(ret));
++ }
++
+ ctx->hello_counter++;
+ }
+
+@@ -164,6 +203,10 @@ void doit(void)
+ myfail("group doesn't match the expected: %s\n",
+ gnutls_group_get_name(gnutls_group_get(server)));
+
++ if (ctx.extensions_size1 != ctx.extensions_size2)
++ myfail("the number of extensions don't match in second Client Hello: %zu != %zu\n",
++ ctx.extensions_size1, ctx.extensions_size2);
++
+ gnutls_bye(client, GNUTLS_SHUT_WR);
+ gnutls_bye(server, GNUTLS_SHUT_WR);
+
diff --git a/debian/patches/series b/debian/patches/series
index 8270734..6d55279 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -21,3 +21,4 @@
50_0007-x509-name_constraints-implement-name_constraints_nod.patch
50_0008-x509-name_constraints-make-types_with_empty_intersec.patch
50_0009-x509-name_constraints-name_constraints_node_list_int.patch
+51_handshake-only-shuffle-extensions-in-the-first-Client-Hel.patch
signature.asc
Description: PGP signature
--- End Message ---
