gnutls_idna_map() hostname conversion vulnerability
Using libidn2 2.0.4 or higher, gnutls_idna_map() may convert to wrong hostnames.
Example: evil.c\u2100.example.com (U+2100, ℀) will convert to evil.ca/c.example.com, which is a different domain.
The reason is that we removed IDN2_USE_STD3_ASCII_RULES from the default flags after libidn2 2.0.3. That was done to be more compatible to libidn.
The solution would be to distinguish between hostnames and domain names for DNS lookup (DNS lookup strings have no character restrictions). Only the caller of gnutls_idna_map() knows the context and thus should be able to give a flag (or call a different function).
The safest mitigation would be to use IDN2_USE_STD3_ASCII_RULES in gnutls_idna_map() and provide a function gnutls_idna_map2() with an additional flag parameter to tell if the argument is a hostname or a domain name.
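As an added illustration (not GnuTLS or libidn2 code), the following Python approximates the mapping step with NFKC normalisation plus case folding (an assumption that matches libidn2 for U+2100) and then applies the STD3 ASCII check that the report proposes the caller should request for hostnames; the hostname flag mirrors the proposed gnutls_idna_map2() parameter and is hypothetical.

```python
import re
import unicodedata

# STD3 ASCII rules: after mapping, the only ASCII characters permitted in a
# hostname are letters, digits, hyphen and the label separator ".".
_STD3_ASCII = re.compile(r"[A-Za-z0-9.-]")


def map_name(name: str) -> str:
    """Approximate the IDNA2008/UTS #46 mapping step with NFKC normalisation
    plus case folding. libidn2 uses its own mapping tables; NFKC is an
    assumption here, but it reproduces the U+2100 -> "a/c" mapping."""
    return unicodedata.normalize("NFKC", name).casefold()


def std3_violations(mapped: str) -> list[str]:
    """Return the ASCII characters in the mapped name that STD3 forbids."""
    return [c for c in mapped if ord(c) < 128 and not _STD3_ASCII.match(c)]


def safe_idna_map(name: str, hostname: bool = True) -> str:
    """Map a name for use in TLS/HTTP. With hostname=True the STD3 ASCII
    check is enforced (the effect of IDN2_USE_STD3_ASCII_RULES); with
    hostname=False the string is a raw DNS lookup key and is left
    unrestricted, the distinction the report proposes for a
    gnutls_idna_map2()-style flag (hypothetical API)."""
    mapped = map_name(name)
    if hostname:
        bad = std3_violations(mapped)
        if bad:
            raise ValueError(f"STD3 violation after mapping: {bad!r} in {mapped!r}")
    return mapped


if __name__ == "__main__":
    crafted = "evil.c\u2100.example.com"  # constructed input from the report
    print(map_name(crafted))              # evil.ca/c.example.com
    try:
        safe_idna_map(crafted, hostname=True)
    except ValueError as err:
        print("rejected:", err)
```

The unrestricted path returns the mapped string unchanged, which is why only the caller that knows it is handling a hostname can decide to reject it.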