From gnutls-devel at lists.gnutls.org Wed Aug 1 08:38:30 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 01 Aug 2018 06:38:30 +0000 Subject: [gnutls-devel] GnuTLS | resumption: keep persistent session identifiers (!721) In-Reply-To: References: Message-ID: @rockdaboot from the application developer pov, what do you think about this feature (and change of semantics)? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/721#note_91724528 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Aug 1 09:05:58 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 01 Aug 2018 07:05:58 +0000 Subject: [gnutls-devel] GnuTLS | Fix interleaved handshake handling in TLS 1.3 (!708) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos started a new discussion on lib/buffers.c: > { > uint8_t *dataptr = NULL; /* for realloc */ > size_t handshake_header_size = general question on this patch. Do we need to handle empty fragments? DTLS 1.2 doesn't seem to say anything about it, but allowing them, looks like a potential DoS threat. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/708#note_91729603 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Aug 1 11:56:19 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 01 Aug 2018 09:56:19 +0000 Subject: [gnutls-devel] GnuTLS | Fix interleaved handshake handling in TLS 1.3 (!708) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos started a new discussion on lib/buffers.c: > } else { /* received new message */ > + if (unlikely > + (session->internals. > + handshake_header_recv_buffer.length > 0)) { > + bufel = _mbuffer_head_pop_first(&session->internals. > + record_buffer); > + _mbuffer_enqueue(&session->internals. > + handshake_header_recv_buffer, > + bufel); > + ret = _mbuffer_linearize_align16(&session->internals. > + handshake_header_recv_buffer, > + get_total_headers(session)); > + if (ret < 0) > + return gnutls_assert_val(ret); > + bufel = _mbuffer_head_pop_first(&session->internals. > + handshake_header_recv_buffer); LGTM. Nice clean fix -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/708#note_91778212 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Aug 1 11:57:50 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 01 Aug 2018 09:57:50 +0000 Subject: [gnutls-devel] GnuTLS | Fix interleaved handshake handling in TLS 1.3 (!708) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos started a new discussion on lib/record.c: > record_check_version(session, htype, record->version)) < 0) > return gnutls_assert_val(ret); > > - if (record->length == 0 || record->length > max_record_recv_size(session)) { > + /* Checks for empty records are done after decryption, in It is not clear to me why this is done. Which case are you trying to address? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/708#note_91778630 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Aug 1 12:00:58 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 01 Aug 2018 10:00:58 +0000 Subject: [gnutls-devel] GnuTLS | Fix interleaved handshake handling in TLS 1.3 (!708) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos started a new discussion on tests/suite/tls-fuzzer/gnutls-nocert.json: > "multiple extensions 1", > "multiple extensions 16353"]}, > {"name" : "test-large-hello.py", > - "comment" : "These tests rely on fragmenting the first bytes of the handshake header. Gnutls is limited on that, and doesn't accept handshake header fragmentation.", > "arguments" : > ["sanity check - fragmented", > "fragmented, padding ext 0 bytes", > "fragmented, padding ext 65354 bytes", > - "fragmented, padding ext 16213 bytes"], > - "exp_pass" : false}, Hmm, could we now run all the large-hello tests? (i.e., combine all the various calls?) -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/708#note_91779387 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Aug 1 12:01:17 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 01 Aug 2018 10:01:17 +0000 Subject: [gnutls-devel] GnuTLS | Fix interleaved handshake handling in TLS 1.3 (!708) In-Reply-To: References: Message-ID: Reassigned Merge Request 708 https://gitlab.com/gnutls/gnutls/merge_requests/708 Assignee changed to Nikos Mavrogiannopoulos -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/708 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Aug 1 12:03:41 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 01 Aug 2018 10:03:41 +0000 Subject: [gnutls-devel] GnuTLS | client hello fragmentation (#272) In-Reply-To: References: Message-ID: Reassigned Issue 272 https://gitlab.com/gnutls/gnutls/issues/272 Assignee changed to Daiki Ueno -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/272 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Aug 1 12:04:05 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 01 Aug 2018 10:04:05 +0000 Subject: [gnutls-devel] GnuTLS | Fix interleaved handshake handling in TLS 1.3 (!708) In-Reply-To: References: Message-ID: Looks good to me. I had few questions which I asked inline. I think it should close #272. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/708#note_91780171 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Aug 1 12:45:23 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 01 Aug 2018 10:45:23 +0000 Subject: [gnutls-devel] GnuTLS | Fix interleaved handshake handling in TLS 1.3 (!708) In-Reply-To: References: Message-ID: Daiki Ueno commented on a discussion on lib/buffers.c: > { > uint8_t *dataptr = NULL; /* for realloc */ > size_t handshake_header_size = Sorry for the confusion, the commit message was wrong: the patch doesn't actually allow empty fragments, but empty payloads (i.e., the length of `bufel` is equal to `handshake_header_size`). -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/708#note_91789133 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Aug 1 14:04:49 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 01 Aug 2018 12:04:49 +0000 Subject: [gnutls-devel] GnuTLS | Fix interleaved handshake handling in TLS 1.3 (!708) In-Reply-To: References: Message-ID: Daiki Ueno commented on a discussion on lib/record.c: > record_check_version(session, htype, record->version)) < 0) > return gnutls_assert_val(ret); > > - if (record->length == 0 || record->length > max_record_recv_size(session)) { > + /* Checks for empty records are done after decryption, in That is to distinguish the following cases: - an empty Handshake message follows an incomplete Handshake message - an empty Application Data message follows an incomplete Handshake message. Both cases are error, but the latter should send unexpected_message alert. Note that under TLS 1.3, all encrypted records have the Application Data content type, and it is not possible to determine the actual content type at this point. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/708#note_91815421 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Aug 2 03:27:33 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 02 Aug 2018 01:27:33 +0000 Subject: [gnutls-devel] GnuTLS | Add support for TLS handshake with raw public keys (#26) In-Reply-To: References: Message-ID: I'd like this for adding TLS (1.3) to distcc. I think there has been avoidance in implementing this as you can just use a self-signed certificate, but that isn't the clean way to do it. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/26#note_91972346 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Aug 2 10:47:56 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 02 Aug 2018 08:47:56 +0000 Subject: [gnutls-devel] GnuTLS | Fix interleaved handshake handling in TLS 1.3 (!708) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos commented on a discussion on lib/record.c: > record_check_version(session, htype, record->version)) < 0) > return gnutls_assert_val(ret); > > - if (record->length == 0 || record->length > max_record_recv_size(session)) { > + /* Checks for empty records are done after decryption, in Ah, thanks. Would it make sense to add your description above in the code as comment? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/708#note_92047239 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Aug 2 10:48:38 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 02 Aug 2018 08:48:38 +0000 Subject: [gnutls-devel] GnuTLS | Fix interleaved handshake handling in TLS 1.3 (!708) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos commented on a discussion on lib/buffers.c: > { > uint8_t *dataptr = NULL; /* for realloc */ > size_t handshake_header_size = ok -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/708#note_92047506 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Aug 2 13:04:45 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 02 Aug 2018 11:04:45 +0000 Subject: [gnutls-devel] GnuTLS | tls1.3: server returns early on handshake when no cert is provided by client (!711) In-Reply-To: References: Message-ID: I have updated the patch to properly switch to "early start" when certificate authentication is used and the client is unauthenticated, and to switch the server side to application keys after the finished message. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/711#note_92080241 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Aug 2 15:35:48 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 02 Aug 2018 13:35:48 +0000 Subject: [gnutls-devel] GnuTLS | gnutls-cli does not null terminate buffer when sending messages (#534) References: Message-ID: New Issue was created. Issue 534: https://gitlab.com/gnutls/gnutls/issues/534 Author: Hubert Kario Assignee: ## Description of problem: When using `gnutls-cli`, the client will always send as much data as it was in the biggest line sent thus far (i.e. Enter does not insert a 0x00 character in the buffer). That means the server sees garbage (data from previous lines) when receiving the shorter lines from client. ## Version of gnutls used: 4e87865c0152a98b899272dbe7cf3a459e04b351 ## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL) local compile, Fedora 27 ## How reproducible: Steps to Reproduce: * `openssl req -x509 -newkey rsa -keyout /tmp/localhost.key -out /tmp/localhost.crt -subj /CN=localhost -nodes -batch` * `openssl s_server -key /tmp/localhost.key -cert /tmp/localhost.crt` * `gnutls-cli --insecure --port 4433 --inline-commands --priority NORMAL:+VERS-TLS1.3 localhost` * on the gnutls-cli command line enter: ``` some very long line to send Hello! ``` ## Actual results: On the server side: ``` No server certificate CA names sent CIPHER is TLS_AES_256_GCM_SHA384 Secure Renegotiation IS NOT supported some very long line to send Hello! ry long line to send DONE shutting down SSL CONNECTION CLOSED ``` ## Expected results: ``` No server certificate CA names sent CIPHER is TLS_AES_256_GCM_SHA384 Secure Renegotiation IS NOT supported some very long line to send Hello! DONE shutting down SSL CONNECTION CLOSED ``` -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/534 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Aug 2 16:19:44 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 02 Aug 2018 14:19:44 +0000 Subject: [gnutls-devel] GnuTLS | gnutls-cli: corrected input buffer null-termination (!723) References: Message-ID: New Merge Request !723 https://gitlab.com/gnutls/gnutls/merge_requests/723 Branches: tmp-cli-buffer-term to master Author: Nikos Mavrogiannopoulos Assignee: Approvers: Simon Josefsson, Dmitry Eremin-Solenikov, Hubert Kario, Tim R?hsen, Andreas Metzler, Daiki Ueno, Tom, Ander Juaristi, Tom?? Mr?z, Anderson Sasaki and GnuTLS devel mailing list This was a regression in the previous cleanup at f138ff85df69976badce44a5c46157cce091020f included in 3.6.3. ## Checklist * [x] Code modified for feature * [ ] Test suite updated with functionality tests ## Reviewer's checklist: * [ ] Any issues marked for closing are addressed * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md` * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/723 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Aug 2 16:22:36 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 02 Aug 2018 14:22:36 +0000 Subject: [gnutls-devel] GnuTLS | gnutls-cli does not null terminate buffer when sending messages (#534) In-Reply-To: References: Message-ID: Reassigned Issue 534 https://gitlab.com/gnutls/gnutls/issues/534 Assignee changed to Nikos Mavrogiannopoulos -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/534 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Aug 2 17:35:09 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 02 Aug 2018 15:35:09 +0000 Subject: [gnutls-devel] GnuTLS | gnutls-cli sends TLS 1.3 protocol version in ClientHello.legacy_version field in HRR case (#535) References: Message-ID: New Issue was created. Issue 535: https://gitlab.com/gnutls/gnutls/issues/535 Author: Hubert Kario Assignee: ## Description of problem: When GnuTLS is forced to perform HRR, it will send a Client Hello with version set to 0x7f1c (TLS 1.3 draft 28), this breaks the connection as the first and second Client Hello must be identical with just few exceptions, it is also a protocol violation, as the new versions can show only in the `supported_versions` extension ## Version of gnutls used: 4e87865c0152a98b899272dbe7cf3a459e04b351 ## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL) local compile, Fedora 27 ## How reproducible: Steps to Reproduce: * use tlslite-ng (master, 02852484e5ca), reconfigure it using the following patch to force sending HRR: ```patch diff --git a/tlslite/handshakesettings.py b/tlslite/handshakesettings.py index ccf08d6..821277f 100644 --- a/tlslite/handshakesettings.py +++ b/tlslite/handshakesettings.py @@ -213,11 +213,11 @@ class HandshakeSettings(object): self.rsaSigHashes = list(RSA_SIGNATURE_HASHES) self.rsaSchemes = list(RSA_SCHEMES) # DH key settings - self.eccCurves = list(CURVE_NAMES) + self.eccCurves = ['secp384r1']#list(CURVE_NAMES) self.dhParams = None self.dhGroups = list(ALL_DH_GROUP_NAMES) - self.defaultCurve = "secp256r1" - self.keyShares = ["secp256r1", "x25519"] + self.defaultCurve = "secp384r1" + self.keyShares = []#["secp256r1", "x25519"] self.padding_cb = None def _init_misc_extensions(self): diff --git a/tlslite/tlsconnection.py b/tlslite/tlsconnection.py index 154bbcf..e71fdd5 100644 --- a/tlslite/tlsconnection.py +++ b/tlslite/tlsconnection.py @@ -3060,6 +3060,8 @@ class TLSConnection(TLSRecordLayer): clientHello1.extensions.remove(old_ext) if clientHello1 != clientHello: + print("old hello: {0!r}".format(clientHello1)) + print("new hello: {0!r}".format(clientHello)) for result in self._sendError(AlertDescription .illegal_parameter, "Old Client Hello does not " ``` * start server: `PYTHONPATH=. python scripts/tls.py server -c tests/serverX509Cert.pem -k tests/serverX509Key.pem localhost:4433` * connect gnutls: `src/gnutls-cli --insecure --port 4433 --resume --priority NORMAL:+VERS-TLS1.3 localhost` ## Actual results: ``` Processed 0 CA certificate(s). Resolving 'localhost:4433'... Connecting to '::1:4433'... Connecting to '127.0.0.1:4433'... *** Fatal error: A TLS fatal alert has been received. *** Received alert [47]: Illegal parameter *** handshake has failed: A TLS fatal alert has been received. ``` on server side: ``` I am an HTTPS test server, I will listen on localhost:4433 Serving files from /home/hkario/dev/tlslite-1 Using certificate and private key... About to handshake... old hello: ClientHello(ssl2=False, client_version=(3.3), random=bytearray(b'K\xddly6\xf2\xcb\xb8\xc70H\xf3\xac\xdb\x19\x13\xfb\xd4\xb7\x07\xa0.\x0b\xb9\xbe\x98\x95\xfd+Df\xea'), session_id=bytearray(b''), cipher_suites=[4866, 4867, 4865, 4868, 49196, 52393, 49325, 49162, 49195, 49324, 49161, 49200, 52392, 49172, 49199, 49171, 157, 49309, 53, 156, 49308, 47, 159, 52394, 49311, 57, 158, 49310, 51], compression_methods=[0], extensions=[StatusRequestExtension(status_type=1, responder_id_list=[], request_extensions=bytearray(b'')), SupportedGroupsExtension(groups=[secp256r1, secp384r1, secp521r1, x25519, ffdhe2048, ffdhe3072, ffdhe4096, ffdhe8192]), ECPointFormatsExtension(formats=[uncompressed]), SignatureAlgorithmsExtension(sigalgs=[rsa_pkcs1_sha256, rsa_pss_pss_sha256, rsa_pss_rsae_sha256, (sha256, ecdsa), (8, 7), rsa_pkcs1_sha384, rsa_pss_pss_sha384, rsa_pss_rsae_sha384, (sha384, ecdsa), rsa_pkcs1_sha512, rsa_pss_pss_sha512, rsa_pss_rsae_sha512, (sha512, ecdsa), rsa_pkcs1_sha1, (sha1, ecdsa)]), TLSExtension(extType=22, extData=bytearray(b''), serverType=False, encExtType=False), TLSExtension(extType=23, extData=bytearray(b''), serverType=False, encExtType=False), TLSExtension(extType=35, extData=bytearray(b''), serverType=False, encExtType=False), TLSExtension(extType=51, extData=bytearray(b'\x00e\x00\x18\x00a\x04\xfc\xfb\x1e\xc9\x8e\xbf\xa2 \x90|\xae\xbd\x05\x92\x18\r\xc5\xb8PuK?Nv\x15\x1f\xe2\x8dp\xf3\x1b\x9e\xac\xc1!\x8d\x9e\xbeW&\xfd\x12v\x18XbK\xf6\xfb\x1f\xc6\x93\xff\xe2A|/0re%\xe9C\xb1\xf3d\x93\xaf\xa9V\xe1{XZ\x18\xed\x10\x83\x1a\xbd\x1d\xa9a\xb1\xdb\xeb\xb0`\xeb\x01=\x865\xe7%\x8e'), serverType=False, encExtType=False), SupportedVersionsExtension(versions=[(3, 3), (3, 2), (3, 1), (127, 28)]), RenegotiationInfoExtension(len(renegotiated_connection)=0), SNIExtension(serverNames=[ServerName(name_type=0, name=bytearray(b'localhost'))]), CookieExtension(len(cookie)=32), PskKeyExchangeModesExtension(modes=[psk_dhe_ke, psk_ke])]) new hello: ClientHello(ssl2=False, client_version=(127.28), random=bytearray(b'K\xddly6\xf2\xcb\xb8\xc70H\xf3\xac\xdb\x19\x13\xfb\xd4\xb7\x07\xa0.\x0b\xb9\xbe\x98\x95\xfd+Df\xea'), session_id=bytearray(b''), cipher_suites=[4866, 4867, 4865, 4868, 49196, 52393, 49325, 49162, 49195, 49324, 49161, 49200, 52392, 49172, 49199, 49171, 157, 49309, 53, 156, 49308, 47, 159, 52394, 49311, 57, 158, 49310, 51], compression_methods=[0], extensions=[StatusRequestExtension(status_type=1, responder_id_list=[], request_extensions=bytearray(b'')), SupportedGroupsExtension(groups=[secp256r1, secp384r1, secp521r1, x25519, ffdhe2048, ffdhe3072, ffdhe4096, ffdhe8192]), ECPointFormatsExtension(formats=[uncompressed]), SignatureAlgorithmsExtension(sigalgs=[rsa_pkcs1_sha256, rsa_pss_pss_sha256, rsa_pss_rsae_sha256, (sha256, ecdsa), (8, 7), rsa_pkcs1_sha384, rsa_pss_pss_sha384, rsa_pss_rsae_sha384, (sha384, ecdsa), rsa_pkcs1_sha512, rsa_pss_pss_sha512, rsa_pss_rsae_sha512, (sha512, ecdsa), rsa_pkcs1_sha1, (sha1, ecdsa)]), TLSExtension(extType=22, extData=bytearray(b''), serverType=False, encExtType=False), TLSExtension(extType=23, extData=bytearray(b''), serverType=False, encExtType=False), TLSExtension(extType=35, extData=bytearray(b''), serverType=False, encExtType=False), TLSExtension(extType=51, extData=bytearray(b'\x00e\x00\x18\x00a\x04\xfc\xfb\x1e\xc9\x8e\xbf\xa2 \x90|\xae\xbd\x05\x92\x18\r\xc5\xb8PuK?Nv\x15\x1f\xe2\x8dp\xf3\x1b\x9e\xac\xc1!\x8d\x9e\xbeW&\xfd\x12v\x18XbK\xf6\xfb\x1f\xc6\x93\xff\xe2A|/0re%\xe9C\xb1\xf3d\x93\xaf\xa9V\xe1{XZ\x18\xed\x10\x83\x1a\xbd\x1d\xa9a\xb1\xdb\xeb\xb0`\xeb\x01=\x865\xe7%\x8e'), serverType=False, encExtType=False), SupportedVersionsExtension(versions=[(3, 3), (3, 2), (3, 1), (127, 28)]), RenegotiationInfoExtension(len(renegotiated_connection)=0), SNIExtension(serverNames=[ServerName(name_type=0, name=bytearray(b'localhost'))]), CookieExtension(len(cookie)=32), PskKeyExchangeModesExtension(modes=[psk_dhe_ke, psk_ke])]) ---------------------------------------- Exception happened during processing of request from ('127.0.0.1', 46552) Traceback (most recent call last): File "/usr/lib64/python2.7/SocketServer.py", line 596, in process_request_thread self.finish_request(request, client_address) File "/home/hkario/dev/tlslite-1/tlslite/integration/tlssocketservermixin.py", line 55, in finish_request if self.handshake(tlsConnection) == True: File "scripts/tls.py", line 500, in handshake sni=sni) File "/home/hkario/dev/tlslite-1/tlslite/tlsconnection.py", line 1694, in handshakeServer nextProtos=nextProtos, anon=anon, alpn=alpn, sni=sni): File "/home/hkario/dev/tlslite-1/tlslite/tlsconnection.py", line 1723, in handshakeServerAsync for result in self._handshakeWrapperAsync(handshaker, checker): File "/home/hkario/dev/tlslite-1/tlslite/tlsconnection.py", line 3462, in _handshakeWrapperAsync for result in handshaker: File "/home/hkario/dev/tlslite-1/tlslite/tlsconnection.py", line 1767, in _handshakeServerAsyncHelper anon, alpn, sni): File "/home/hkario/dev/tlslite-1/tlslite/tlsconnection.py", line 3067, in _serverGetClientHello "Old Client Hello does not " File "/home/hkario/dev/tlslite-1/tlslite/tlsrecordlayer.py", line 581, in _sendError raise TLSLocalAlert(alert, errorStr) TLSLocalAlert: illegal_parameter: Old Client Hello does not match the updated Client Hello ---------------------------------------- ``` ## Expected results: Connection established -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/535 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Aug 2 18:06:14 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 02 Aug 2018 16:06:14 +0000 Subject: [gnutls-devel] GnuTLS | tls1.3: server returns early on handshake when no cert is provided by client (!711) In-Reply-To: References: Message-ID: Daiki Ueno started a new discussion on lib/handshake-tls13.c: > + _gnutls_write_uint24(session->security_parameters.prf->output_size, finished+1); > + > + ret = _gnutls_buffer_append_data(&session->internals.handshake_hash_buffer, finished, > + TLS_HANDSHAKE_HEADER_SIZE+session->security_parameters.prf->output_size); > + if (ret < 0) > + return gnutls_assert_val(ret); > + > + ret = _tls13_derive_secret(session, RMS_MASTER_LABEL, sizeof(RMS_MASTER_LABEL)-1, > + session->internals.handshake_hash_buffer.data, > + session->internals.handshake_hash_buffer.length, > + session->key.proto.tls13.temp_secret, > + session->key.proto.tls13.ap_rms); > + if (ret < 0) > + return gnutls_assert_val(ret); > + > + session->internals.handshake_hash_buffer.length = spos; Although it's very unlikely, but shouldn't this line also be called when `_tls13_derive_secret()` fails (line 207)? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/711#note_92155429 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Aug 2 18:24:47 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 02 Aug 2018 16:24:47 +0000 Subject: [gnutls-devel] GnuTLS | tls1.3: server returns early on handshake when no cert is provided by client (!711) In-Reply-To: References: Message-ID: Daiki Ueno started a new discussion on lib/handshake-tls13.c: > IMED_RET("send finished", ret, 0); > /* fall through */ > case STATE107: > + /* At this point our sending keys should be the app keys > + * see 4.4.4 at draft-ietf-tls-tls13-28 */ > + ret = > + generate_ap_traffic_keys(session); > + IMED_RET("generate app keys", ret, 0); > + > + /* If the session is unauthenticated, try to optimize the handshake by > + * sending the session ticket early. */ > + if (!(session->internals.hsk_flags & (HSK_CRT_REQ_SENT|HSK_PSK_SELECTED))) { > + STATE = STATE107; I am a bit confused with the use of STATE here; in the surrounding code it is used like this: ```c case STATEXXX: ret = do_something(session, AGAIN(STATEXXX)); STATE = STATEXXX; IMED_RET("something", ret, 0); /* fallthrough */ ``` If I understand correctly, this pattern is to allow callers to re-enter if any of the function returns EAGAIN. However, here, `generate_ap_traffic_keys()` is not reentrant, because it overwrites temp_secret. Wouldn't that be a problem? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/711#note_92158495 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Aug 2 18:31:09 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 02 Aug 2018 16:31:09 +0000 Subject: [gnutls-devel] GnuTLS | tls1.3: server returns early on handshake when no cert is provided by client (!711) In-Reply-To: References: Message-ID: I couldn't find any serious issue; it looks fine. This seems to be a prerequisite of !706 as test-tls13-0rtt-garbage.py also requires the application keys are calculated before receiving client Finished. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/711#note_92159483 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Aug 2 20:44:29 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 02 Aug 2018 18:44:29 +0000 Subject: [gnutls-devel] GnuTLS | gnutls-cli: corrected input buffer null-termination (!723) In-Reply-To: References: Message-ID: Reassigned Merge Request 723 https://gitlab.com/gnutls/gnutls/merge_requests/723 Assignee changed to Nikos Mavrogiannopoulos -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/723 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Aug 2 20:45:32 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 02 Aug 2018 18:45:32 +0000 Subject: [gnutls-devel] GnuTLS | gnutls-cli: corrected input buffer null-termination (!723) In-Reply-To: References: Message-ID: Merge Request !723 was merged Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/723 Branches: tmp-cli-buffer-term to master Author: Nikos Mavrogiannopoulos Assignee: Nikos Mavrogiannopoulos -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/723 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Aug 2 21:05:47 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 02 Aug 2018 19:05:47 +0000 Subject: [gnutls-devel] GnuTLS | gnutls-cli sends TLS 1.3 protocol version in ClientHello.legacy_version field in HRR case (#535) In-Reply-To: References: Message-ID: That is a side effect of the fix in !718 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/535#note_92182147 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Aug 3 08:54:30 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 03 Aug 2018 06:54:30 +0000 Subject: [gnutls-devel] GnuTLS | tls1.3: server returns early on handshake when no cert is provided by client (!711) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos commented on a discussion on lib/handshake-tls13.c: > + _gnutls_write_uint24(session->security_parameters.prf->output_size, finished+1); > + > + ret = _gnutls_buffer_append_data(&session->internals.handshake_hash_buffer, finished, > + TLS_HANDSHAKE_HEADER_SIZE+session->security_parameters.prf->output_size); > + if (ret < 0) > + return gnutls_assert_val(ret); > + > + ret = _tls13_derive_secret(session, RMS_MASTER_LABEL, sizeof(RMS_MASTER_LABEL)-1, > + session->internals.handshake_hash_buffer.data, > + session->internals.handshake_hash_buffer.length, > + session->key.proto.tls13.temp_secret, > + session->key.proto.tls13.ap_rms); > + if (ret < 0) > + return gnutls_assert_val(ret); > + > + session->internals.handshake_hash_buffer.length = spos; What is the trace you are thinking of? I see that the failure in derive secret is fatal (as opposed to returning EAGAIN), so it will lead to the handshake being canceled anyway. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/711#note_92266213 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Aug 3 09:00:49 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 03 Aug 2018 07:00:49 +0000 Subject: [gnutls-devel] GnuTLS | tls1.3: server returns early on handshake when no cert is provided by client (!711) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos commented on a discussion on lib/handshake-tls13.c: > IMED_RET("send finished", ret, 0); > /* fall through */ > case STATE107: > + /* At this point our sending keys should be the app keys > + * see 4.4.4 at draft-ietf-tls-tls13-28 */ > + ret = > + generate_ap_traffic_keys(session); > + IMED_RET("generate app keys", ret, 0); > + > + /* If the session is unauthenticated, try to optimize the handshake by > + * sending the session ticket early. */ > + if (!(session->internals.hsk_flags & (HSK_CRT_REQ_SENT|HSK_PSK_SELECTED))) { > + STATE = STATE107; Thanks for pointing that out. I was troubled by it too. I've introduced another macro for the functions which are not expected to return (EAGAIN or INTERRUPTED) errors. I do not think that the previous approach would have been a problem (unless there was a bug), but the new approach should make the state machine reading more clear. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/711#note_92267237 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Aug 3 09:15:28 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 03 Aug 2018 07:15:28 +0000 Subject: [gnutls-devel] GnuTLS | improve test suite of gnutls-cli (#536) References: Message-ID: New Issue was created. Issue 536: https://gitlab.com/gnutls/gnutls/issues/536 Author: Nikos Mavrogiannopoulos Assignee: The existing testing of `gnutls-cli` is restricted to a single command sending to the server, and thus cannot detect issues like in #534. We should extend the test suite of `gnutls-cli` in a way that: * more than a single command is sent to server * varying sizes messages are sent to the server * the server's response is verified to be the expected -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/536 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Aug 3 10:52:16 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 03 Aug 2018 08:52:16 +0000 Subject: [gnutls-devel] GnuTLS | tls1.3: server returns early on handshake when no cert is provided by client (!711) In-Reply-To: References: Message-ID: Daiki Ueno commented on a discussion on lib/handshake-tls13.c: > + _gnutls_write_uint24(session->security_parameters.prf->output_size, finished+1); > + > + ret = _gnutls_buffer_append_data(&session->internals.handshake_hash_buffer, finished, > + TLS_HANDSHAKE_HEADER_SIZE+session->security_parameters.prf->output_size); > + if (ret < 0) > + return gnutls_assert_val(ret); > + > + ret = _tls13_derive_secret(session, RMS_MASTER_LABEL, sizeof(RMS_MASTER_LABEL)-1, > + session->internals.handshake_hash_buffer.data, > + session->internals.handshake_hash_buffer.length, > + session->key.proto.tls13.temp_secret, > + session->key.proto.tls13.ap_rms); > + if (ret < 0) > + return gnutls_assert_val(ret); > + > + session->internals.handshake_hash_buffer.length = spos; In that case, that would be fine. By the way, couldn't this be written like the following to share some code with `generate_rms_keys()`? ```c spos = session->internals.handshake_hash_buffer.length; ret = _gnutls_buffer_append_data(&session->internals.handshake_hash_buffer, ...); session->internals.handshake_hash_buffer_client_finished_len = session->internals.handshake_hash_buffer.length; session->internals.handshake_hash_buffer.length = spos; return generate_rms_keys(session); ``` -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/711#note_92291898 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Aug 3 14:12:59 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 03 Aug 2018 12:12:59 +0000 Subject: [gnutls-devel] GnuTLS | gnutls-cli sends TLS 1.3 protocol version in ClientHello.legacy_version field in HRR case (#535) In-Reply-To: References: Message-ID: Reassigned Issue 535 https://gitlab.com/gnutls/gnutls/issues/535 Assignee changed to Nikos Mavrogiannopoulos -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/535 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Aug 3 14:31:54 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 03 Aug 2018 12:31:54 +0000 Subject: [gnutls-devel] GnuTLS | Ensure we are sending the right protocol version on second client hello (!724) References: Message-ID: New Merge Request !724 https://gitlab.com/gnutls/gnutls/merge_requests/724 Branches: tmp-hrr-protov-fix to master Author: Nikos Mavrogiannopoulos Assignee: Approvers: Simon Josefsson, Dmitry Eremin-Solenikov, Hubert Kario, Tim R?hsen, Andreas Metzler, Daiki Ueno, Tom, Ander Juaristi, Tom?? Mr?z, Anderson Sasaki and GnuTLS devel mailing list That is, when we respond to a Hello Retry Request as client, we put the TLS1.2 version on the second client hello to send a hello that is as close as possible to the original hello. That effectively separates the handling of TLS1.2 rehandshake and TLS1.3 hello retry request when sending a client hello. Resolves #535 ## Checklist * [x] Code modified for feature * [x] Test suite updated with functionality tests ## Reviewer's checklist: * [ ] Any issues marked for closing are addressed * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md` * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/724 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Aug 3 14:32:56 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 03 Aug 2018 12:32:56 +0000 Subject: [gnutls-devel] GnuTLS | Wrong alert when client does not advertise any groups that server supports (#537) References: Message-ID: New Issue was created. Issue 537: https://gitlab.com/gnutls/gnutls/issues/537 Author: Hubert Kario Assignee: ## Description of problem: When server receives a ClientHello that does include only groups from unassigned ranges in supported_groups (and a fake key_share for those groups), it aborts the connection with an illegal_parameter instead of handshake_failure. ## Version of gnutls used: 4e87865c0152a98b8 ## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL) local compile on Fedora 27 ## How reproducible: Steps to Reproduce: * tlsfuzzer scripts/test-tls13-unrecognised-groups.py ## Actual results:
tlsfuzzer output

``` only unknown supported_groups from EC range, key_share of size 256 ... Error encountered while processing node (child: ) with last message being: Error while processing Traceback (most recent call last): File "scripts/test-tls13-unrecognised-groups.py", line 310, in main runner.run() File "/home/hkario/dev/tlsfuzzer/tlsfuzzer/runner.py", line 212, in run node.process(self.state, msg) File "/home/hkario/dev/tlsfuzzer/tlsfuzzer/expect.py", line 1110, in process raise AssertionError(problem_desc) AssertionError: Expected alert description "handshake_failure" does not match received "illegal_parameter" ```

gnutls output

``` * Accepted connection from IPv4 127.0.0.1 port 53708 on Fri Aug 3 14:30:00 2018 |<5>| REC[0x205df60]: Allocating epoch #1 |<3>| ASSERT: buffers.c[get_last_packet]:1172 |<5>| REC[0x205df60]: SSL 3.0 Handshake packet received. Epoch 0, length: 16384 |<5>| REC[0x205df60]: Expected Packet Handshake(22) |<5>| REC[0x205df60]: Received Packet Handshake(22) with length: 16384 |<5>| REC[0x205df60]: Decrypted Packet[0] Handshake(22) with length: 16384 |<4>| HSK[0x205df60]: CLIENT HELLO (1) was received. Length 58826[16380], frag offset 0, frag length: 16380, sequence: 0 |<3>| ASSERT: buffers.c[_gnutls_parse_record_buffered_msgs]:1281 |<3>| ASSERT: buffers.c[get_last_packet]:1172 |<5>| REC[0x205df60]: SSL 3.0 Handshake packet received. Epoch 0, length: 16384 |<5>| REC[0x205df60]: Expected Packet Handshake(22) |<5>| REC[0x205df60]: Received Packet Handshake(22) with length: 16384 |<5>| REC[0x205df60]: Decrypted Packet[1] Handshake(22) with length: 16384 |<3>| ASSERT: buffers.c[_gnutls_parse_record_buffered_msgs]:1281 |<3>| ASSERT: buffers.c[get_last_packet]:1172 |<5>| REC[0x205df60]: SSL 3.0 Handshake packet received. Epoch 0, length: 16384 |<5>| REC[0x205df60]: Expected Packet Handshake(22) |<5>| REC[0x205df60]: Received Packet Handshake(22) with length: 16384 |<5>| REC[0x205df60]: Decrypted Packet[2] Handshake(22) with length: 16384 |<3>| ASSERT: buffers.c[_gnutls_parse_record_buffered_msgs]:1281 |<3>| ASSERT: buffers.c[get_last_packet]:1172 |<5>| REC[0x205df60]: SSL 3.0 Handshake packet received. Epoch 0, length: 9678 |<5>| REC[0x205df60]: Expected Packet Handshake(22) |<5>| REC[0x205df60]: Received Packet Handshake(22) with length: 9678 |<5>| REC[0x205df60]: Decrypted Packet[3] Handshake(22) with length: 9678 |<4>| HSK[0x205df60]: Client's version: 3.3 |<4>| EXT[0x205df60]: Parsing extension 'Supported Versions/43' (5 bytes) |<4>| EXT[0x205df60]: Found version: 127.28 |<4>| EXT[0x205df60]: Negotiated version: 127.28 |<4>| EXT[0x205df60]: Parsing extension 'Supported Groups/10' (450 bytes) |<4>| EXT[0x205df60]: Received group unknown (0x1f) |<4>| EXT[0x205df60]: Received group unknown (0x20) |<4>| EXT[0x205df60]: Received group unknown (0x21) |<4>| EXT[0x205df60]: Received group unknown (0x22) |<4>| EXT[0x205df60]: Received group unknown (0x23) |<4>| EXT[0x205df60]: Received group unknown (0x24) |<4>| EXT[0x205df60]: Received group unknown (0x25) |<4>| EXT[0x205df60]: Received group unknown (0x26) |<4>| EXT[0x205df60]: Received group unknown (0x27) |<4>| EXT[0x205df60]: Received group unknown (0x28) |<4>| EXT[0x205df60]: Received group unknown (0x29) |<4>| EXT[0x205df60]: Received group unknown (0x2a) |<4>| EXT[0x205df60]: Received group unknown (0x2b) |<4>| EXT[0x205df60]: Received group unknown (0x2c) |<4>| EXT[0x205df60]: Received group unknown (0x2d) |<4>| EXT[0x205df60]: Received group unknown (0x2e) |<4>| EXT[0x205df60]: Received group unknown (0x2f) |<4>| EXT[0x205df60]: Received group unknown (0x30) |<4>| EXT[0x205df60]: Received group unknown (0x31) |<4>| EXT[0x205df60]: Received group unknown (0x32) |<4>| EXT[0x205df60]: Received group unknown (0x33) |<4>| EXT[0x205df60]: Received group unknown (0x34) |<4>| EXT[0x205df60]: Received group unknown (0x35) |<4>| EXT[0x205df60]: Received group unknown (0x36) |<4>| EXT[0x205df60]: Received group unknown (0x37) |<4>| EXT[0x205df60]: Received group unknown (0x38) |<4>| EXT[0x205df60]: Received group unknown (0x39) |<4>| EXT[0x205df60]: Received group unknown (0x3a) |<4>| EXT[0x205df60]: Received group unknown (0x3b) |<4>| EXT[0x205df60]: Received group unknown (0x3c) |<4>| EXT[0x205df60]: Received group unknown (0x3d) |<4>| EXT[0x205df60]: Received group unknown (0x3e) |<4>| EXT[0x205df60]: Received group unknown (0x3f) |<4>| EXT[0x205df60]: Received group unknown (0x40) |<4>| EXT[0x205df60]: Received group unknown (0x41) |<4>| EXT[0x205df60]: Received group unknown (0x42) |<4>| EXT[0x205df60]: Received group unknown (0x43) |<4>| EXT[0x205df60]: Received group unknown (0x44) |<4>| EXT[0x205df60]: Received group unknown (0x45) |<4>| EXT[0x205df60]: Received group unknown (0x46) |<4>| EXT[0x205df60]: Received group unknown (0x47) |<4>| EXT[0x205df60]: Received group unknown (0x48) |<4>| EXT[0x205df60]: Received group unknown (0x49) |<4>| EXT[0x205df60]: Received group unknown (0x4a) |<4>| EXT[0x205df60]: Received group unknown (0x4b) |<4>| EXT[0x205df60]: Received group unknown (0x4c) |<4>| EXT[0x205df60]: Received group unknown (0x4d) |<4>| EXT[0x205df60]: Received group unknown (0x4e) |<4>| EXT[0x205df60]: Received group unknown (0x4f) |<4>| EXT[0x205df60]: Received group unknown (0x50) |<4>| EXT[0x205df60]: Received group unknown (0x51) |<4>| EXT[0x205df60]: Received group unknown (0x52) |<4>| EXT[0x205df60]: Received group unknown (0x53) |<4>| EXT[0x205df60]: Received group unknown (0x54) |<4>| EXT[0x205df60]: Received group unknown (0x55) |<4>| EXT[0x205df60]: Received group unknown (0x56) |<4>| EXT[0x205df60]: Received group unknown (0x57) |<4>| EXT[0x205df60]: Received group unknown (0x58) |<4>| EXT[0x205df60]: Received group unknown (0x59) |<4>| EXT[0x205df60]: Received group unknown (0x5a) |<4>| EXT[0x205df60]: Received group unknown (0x5b) |<4>| EXT[0x205df60]: Received group unknown (0x5c) |<4>| EXT[0x205df60]: Received group unknown (0x5d) |<4>| EXT[0x205df60]: Received group unknown (0x5e) |<4>| EXT[0x205df60]: Received group unknown (0x5f) |<4>| EXT[0x205df60]: Received group unknown (0x60) |<4>| EXT[0x205df60]: Received group unknown (0x61) |<4>| EXT[0x205df60]: Received group unknown (0x62) |<4>| EXT[0x205df60]: Received group unknown (0x63) |<4>| EXT[0x205df60]: Received group unknown (0x64) |<4>| EXT[0x205df60]: Received group unknown (0x65) |<4>| EXT[0x205df60]: Received group unknown (0x66) |<4>| EXT[0x205df60]: Received group unknown (0x67) |<4>| EXT[0x205df60]: Received group unknown (0x68) |<4>| EXT[0x205df60]: Received group unknown (0x69) |<4>| EXT[0x205df60]: Received group unknown (0x6a) |<4>| EXT[0x205df60]: Received group unknown (0x6b) |<4>| EXT[0x205df60]: Received group unknown (0x6c) |<4>| EXT[0x205df60]: Received group unknown (0x6d) |<4>| EXT[0x205df60]: Received group unknown (0x6e) |<4>| EXT[0x205df60]: Received group unknown (0x6f) |<4>| EXT[0x205df60]: Received group unknown (0x70) |<4>| EXT[0x205df60]: Received group unknown (0x71) |<4>| EXT[0x205df60]: Received group unknown (0x72) |<4>| EXT[0x205df60]: Received group unknown (0x73) |<4>| EXT[0x205df60]: Received group unknown (0x74) |<4>| EXT[0x205df60]: Received group unknown (0x75) |<4>| EXT[0x205df60]: Received group unknown (0x76) |<4>| EXT[0x205df60]: Received group unknown (0x77) |<4>| EXT[0x205df60]: Received group unknown (0x78) |<4>| EXT[0x205df60]: Received group unknown (0x79) |<4>| EXT[0x205df60]: Received group unknown (0x7a) |<4>| EXT[0x205df60]: Received group unknown (0x7b) |<4>| EXT[0x205df60]: Received group unknown (0x7c) |<4>| EXT[0x205df60]: Received group unknown (0x7d) |<4>| EXT[0x205df60]: Received group unknown (0x7e) |<4>| EXT[0x205df60]: Received group unknown (0x7f) |<4>| EXT[0x205df60]: Received group unknown (0x80) |<4>| EXT[0x205df60]: Received group unknown (0x81) |<4>| EXT[0x205df60]: Received group unknown (0x82) |<4>| EXT[0x205df60]: Received group unknown (0x83) |<4>| EXT[0x205df60]: Received group unknown (0x84) |<4>| EXT[0x205df60]: Received group unknown (0x85) |<4>| EXT[0x205df60]: Received group unknown (0x86) |<4>| EXT[0x205df60]: Received group unknown (0x87) |<4>| EXT[0x205df60]: Received group unknown (0x88) |<4>| EXT[0x205df60]: Received group unknown (0x89) |<4>| EXT[0x205df60]: Received group unknown (0x8a) |<4>| EXT[0x205df60]: Received group unknown (0x8b) |<4>| EXT[0x205df60]: Received group unknown (0x8c) |<4>| EXT[0x205df60]: Received group unknown (0x8d) |<4>| EXT[0x205df60]: Received group unknown (0x8e) |<4>| EXT[0x205df60]: Received group unknown (0x8f) |<4>| EXT[0x205df60]: Received group unknown (0x90) |<4>| EXT[0x205df60]: Received group unknown (0x91) |<4>| EXT[0x205df60]: Received group unknown (0x92) |<4>| EXT[0x205df60]: Received group unknown (0x93) |<4>| EXT[0x205df60]: Received group unknown (0x94) |<4>| EXT[0x205df60]: Received group unknown (0x95) |<4>| EXT[0x205df60]: Received group unknown (0x96) |<4>| EXT[0x205df60]: Received group unknown (0x97) |<4>| EXT[0x205df60]: Received group unknown (0x98) |<4>| EXT[0x205df60]: Received group unknown (0x99) |<4>| EXT[0x205df60]: Received group unknown (0x9a) |<4>| EXT[0x205df60]: Received group unknown (0x9b) |<4>| EXT[0x205df60]: Received group unknown (0x9c) |<4>| EXT[0x205df60]: Received group unknown (0x9d) |<4>| EXT[0x205df60]: Received group unknown (0x9e) |<4>| EXT[0x205df60]: Received group unknown (0x9f) |<4>| EXT[0x205df60]: Received group unknown (0xa0) |<4>| EXT[0x205df60]: Received group unknown (0xa1) |<4>| EXT[0x205df60]: Received group unknown (0xa2) |<4>| EXT[0x205df60]: Received group unknown (0xa3) |<4>| EXT[0x205df60]: Received group unknown (0xa4) |<4>| EXT[0x205df60]: Received group unknown (0xa5) |<4>| EXT[0x205df60]: Received group unknown (0xa6) |<4>| EXT[0x205df60]: Received group unknown (0xa7) |<4>| EXT[0x205df60]: Received group unknown (0xa8) |<4>| EXT[0x205df60]: Received group unknown (0xa9) |<4>| EXT[0x205df60]: Received group unknown (0xaa) |<4>| EXT[0x205df60]: Received group unknown (0xab) |<4>| EXT[0x205df60]: Received group unknown (0xac) |<4>| EXT[0x205df60]: Received group unknown (0xad) |<4>| EXT[0x205df60]: Received group unknown (0xae) |<4>| EXT[0x205df60]: Received group unknown (0xaf) |<4>| EXT[0x205df60]: Received group unknown (0xb0) |<4>| EXT[0x205df60]: Received group unknown (0xb1) |<4>| EXT[0x205df60]: Received group unknown (0xb2) |<4>| EXT[0x205df60]: Received group unknown (0xb3) |<4>| EXT[0x205df60]: Received group unknown (0xb4) |<4>| EXT[0x205df60]: Received group unknown (0xb5) |<4>| EXT[0x205df60]: Received group unknown (0xb6) |<4>| EXT[0x205df60]: Received group unknown (0xb7) |<4>| EXT[0x205df60]: Received group unknown (0xb8) |<4>| EXT[0x205df60]: Received group unknown (0xb9) |<4>| EXT[0x205df60]: Received group unknown (0xba) |<4>| EXT[0x205df60]: Received group unknown (0xbb) |<4>| EXT[0x205df60]: Received group unknown (0xbc) |<4>| EXT[0x205df60]: Received group unknown (0xbd) |<4>| EXT[0x205df60]: Received group unknown (0xbe) |<4>| EXT[0x205df60]: Received group unknown (0xbf) |<4>| EXT[0x205df60]: Received group unknown (0xc0) |<4>| EXT[0x205df60]: Received group unknown (0xc1) |<4>| EXT[0x205df60]: Received group unknown (0xc2) |<4>| EXT[0x205df60]: Received group unknown (0xc3) |<4>| EXT[0x205df60]: Received group unknown (0xc4) |<4>| EXT[0x205df60]: Received group unknown (0xc5) |<4>| EXT[0x205df60]: Received group unknown (0xc6) |<4>| EXT[0x205df60]: Received group unknown (0xc7) |<4>| EXT[0x205df60]: Received group unknown (0xc8) |<4>| EXT[0x205df60]: Received group unknown (0xc9) |<4>| EXT[0x205df60]: Received group unknown (0xca) |<4>| EXT[0x205df60]: Received group unknown (0xcb) |<4>| EXT[0x205df60]: Received group unknown (0xcc) |<4>| EXT[0x205df60]: Received group unknown (0xcd) |<4>| EXT[0x205df60]: Received group unknown (0xce) |<4>| EXT[0x205df60]: Received group unknown (0xcf) |<4>| EXT[0x205df60]: Received group unknown (0xd0) |<4>| EXT[0x205df60]: Received group unknown (0xd1) |<4>| EXT[0x205df60]: Received group unknown (0xd2) |<4>| EXT[0x205df60]: Received group unknown (0xd3) |<4>| EXT[0x205df60]: Received group unknown (0xd4) |<4>| EXT[0x205df60]: Received group unknown (0xd5) |<4>| EXT[0x205df60]: Received group unknown (0xd6) |<4>| EXT[0x205df60]: Received group unknown (0xd7) |<4>| EXT[0x205df60]: Received group unknown (0xd8) |<4>| EXT[0x205df60]: Received group unknown (0xd9) |<4>| EXT[0x205df60]: Received group unknown (0xda) |<4>| EXT[0x205df60]: Received group unknown (0xdb) |<4>| EXT[0x205df60]: Received group unknown (0xdc) |<4>| EXT[0x205df60]: Received group unknown (0xdd) |<4>| EXT[0x205df60]: Received group unknown (0xde) |<4>| EXT[0x205df60]: Received group unknown (0xdf) |<4>| EXT[0x205df60]: Received group unknown (0xe0) |<4>| EXT[0x205df60]: Received group unknown (0xe1) |<4>| EXT[0x205df60]: Received group unknown (0xe2) |<4>| EXT[0x205df60]: Received group unknown (0xe3) |<4>| EXT[0x205df60]: Received group unknown (0xe4) |<4>| EXT[0x205df60]: Received group unknown (0xe5) |<4>| EXT[0x205df60]: Received group unknown (0xe6) |<4>| EXT[0x205df60]: Received group unknown (0xe7) |<4>| EXT[0x205df60]: Received group unknown (0xe8) |<4>| EXT[0x205df60]: Received group unknown (0xe9) |<4>| EXT[0x205df60]: Received group unknown (0xea) |<4>| EXT[0x205df60]: Received group unknown (0xeb) |<4>| EXT[0x205df60]: Received group unknown (0xec) |<4>| EXT[0x205df60]: Received group unknown (0xed) |<4>| EXT[0x205df60]: Received group unknown (0xee) |<4>| EXT[0x205df60]: Received group unknown (0xef) |<4>| EXT[0x205df60]: Received group unknown (0xf0) |<4>| EXT[0x205df60]: Received group unknown (0xf1) |<4>| EXT[0x205df60]: Received group unknown (0xf2) |<4>| EXT[0x205df60]: Received group unknown (0xf3) |<4>| EXT[0x205df60]: Received group unknown (0xf4) |<4>| EXT[0x205df60]: Received group unknown (0xf5) |<4>| EXT[0x205df60]: Received group unknown (0xf6) |<4>| EXT[0x205df60]: Received group unknown (0xf7) |<4>| EXT[0x205df60]: Received group unknown (0xf8) |<4>| EXT[0x205df60]: Received group unknown (0xf9) |<4>| EXT[0x205df60]: Received group unknown (0xfa) |<4>| EXT[0x205df60]: Received group unknown (0xfb) |<4>| EXT[0x205df60]: Received group unknown (0xfc) |<4>| EXT[0x205df60]: Received group unknown (0xfd) |<4>| EXT[0x205df60]: Received group unknown (0xfe) |<4>| EXT[0x205df60]: Parsing extension 'Signature Algorithms/13' (6 bytes) |<4>| EXT[0x205df60]: rcvd signature algo (8.4) RSA-PSS-RSAE-SHA256 |<4>| EXT[0x205df60]: rcvd signature algo (8.9) RSA-PSS-SHA256 |<4>| HSK[0x205df60]: Received safe renegotiation CS |<2>| checking 13.01 (GNUTLS_AES_128_GCM_SHA256) for compatibility |<3>| ASSERT: server_name.c[gnutls_server_name_get]:235 |<4>| HSK[0x205df60]: Requested server name: '' |<4>| HSK[0x205df60]: checking compat of GNUTLS_AES_128_GCM_SHA256 with certificate[3] (RSA-PSS/X.509) |<4>| checking cert compat with RSA-PSS-RSAE-SHA256 |<4>| checking cert compat with RSA-PSS-SHA256 |<4>| Selected signature algorithm: RSA-PSS-SHA256 |<2>| Selected (RSA-PSS) cert based on ciphersuite 13.1: GNUTLS_AES_128_GCM_SHA256 |<4>| HSK[0x205df60]: Selected cipher suite: GNUTLS_AES_128_GCM_SHA256 |<4>| HSK[0x205df60]: Selected version TLS1.3 |<4>| EXT[0x205df60]: Parsing extension 'Key Share/51' (58242 bytes) |<3>| ASSERT: key_share.c[key_share_recv_params]:575 |<3>| ASSERT: hello_ext.c[hello_ext_parse]:265 |<3>| ASSERT: extv.c[_gnutls_extv_parse]:69 |<3>| ASSERT: hello_ext.c[_gnutls_parse_hello_extensions]:298 |<3>| ASSERT: handshake.c[read_client_hello]:776 |<3>| ASSERT: handshake.c[_gnutls_recv_handshake]:1494 |<4>| EXT[0x205df60]: Not sending extension (Maximum Record Size/1) for 'hello retry request' |<4>| EXT[0x205df60]: Not sending extension (OCSP Status Request/5) for 'hello retry request' |<4>| EXT[0x205df60]: Not sending extension (Supported Groups/10) for 'hello retry request' |<4>| EXT[0x205df60]: Not sending extension (Supported EC Point Formats/11) for 'hello retry request' |<4>| EXT[0x205df60]: Not sending extension (SRP/12) for 'hello retry request' |<4>| EXT[0x205df60]: Not sending extension (Signature Algorithms/13) for 'hello retry request' |<4>| EXT[0x205df60]: Not sending extension (SRTP/14) for 'hello retry request' |<4>| EXT[0x205df60]: Not sending extension (Heartbeat/15) for 'hello retry request' |<4>| EXT[0x205df60]: Not sending extension (ALPN/16) for 'hello retry request' |<4>| EXT[0x205df60]: Not sending extension (Encrypt-then-MAC/22) for 'hello retry request' |<4>| EXT[0x205df60]: Not sending extension (Extended Master Secret/23) for 'hello retry request' |<4>| EXT[0x205df60]: Not sending extension (Session Ticket/35) for 'hello retry request' |<4>| EXT[0x205df60]: Preparing extension (Key Share/51) for 'hello retry request' |<3>| ASSERT: key_share.c[key_share_send_params]:733 |<3>| ASSERT: hello_ext.c[hello_ext_send]:360 |<3>| ASSERT: extv.c[_gnutls_extv_append]:220 |<3>| ASSERT: hello_ext.c[_gnutls_gen_hello_extensions]:429 |<3>| ASSERT: tls13/hello_retry.c[_gnutls13_send_hello_retry_request]:86 |<3>| ASSERT: handshake-tls13.c[_gnutls13_handshake_server]:288 Error in handshake: No common key share with peer. |<5>| REC: Sending Alert[2|47] - Illegal parameter |<5>| REC[0x205df60]: Preparing Packet Alert(21) with length: 2 and min pad: 0 |<5>| REC[0x205df60]: Sent Packet[1] Alert(21) in epoch 0 and length: 7 |<5>| REC[0x205df60]: Start of epoch cleanup |<5>| REC[0x205df60]: End of epoch cleanup |<5>| REC[0x205df60]: Epoch #0 freed |<5>| REC[0x205df60]: Epoch #1 freed ```

## Expected results: Test cases pass, server sends `handshake_failure` -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/537 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Aug 3 14:39:52 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 03 Aug 2018 12:39:52 +0000 Subject: [gnutls-devel] GnuTLS | Wrong alert when client does not advertise any groups that server supports (#537) In-Reply-To: References: Message-ID: Thanks, most likely the fix is trivial, though I haven't tried it yet (may be side-effects if the server and client use this error code for different purposes). ``` diff --git a/lib/alert.c b/lib/alert.c index 6b1950778..39797c165 100644 --- a/lib/alert.c +++ b/lib/alert.c @@ -220,7 +220,6 @@ int gnutls_error_to_alert(int err, int *level) case GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER: case GNUTLS_E_ILLEGAL_SRP_USERNAME: case GNUTLS_E_PK_INVALID_PUBKEY: - case GNUTLS_E_NO_COMMON_KEY_SHARE: ret = GNUTLS_A_ILLEGAL_PARAMETER; _level = GNUTLS_AL_FATAL; break; @@ -254,6 +253,7 @@ int gnutls_error_to_alert(int err, int *level) case GNUTLS_E_INCOMPAT_DSA_KEY_WITH_TLS_PROTOCOL: case GNUTLS_E_UNKNOWN_PK_ALGORITHM: case GNUTLS_E_UNWANTED_ALGORITHM: + case GNUTLS_E_NO_COMMON_KEY_SHARE: ret = GNUTLS_A_HANDSHAKE_FAILURE; _level = GNUTLS_AL_FATAL; break; ``` -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/537#note_92344438 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Aug 3 16:08:13 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 03 Aug 2018 14:08:13 +0000 Subject: [gnutls-devel] GnuTLS | tls1.3: server returns early on handshake when no cert is provided by client (!711) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos commented on a discussion on lib/handshake-tls13.c: > + _gnutls_write_uint24(session->security_parameters.prf->output_size, finished+1); > + > + ret = _gnutls_buffer_append_data(&session->internals.handshake_hash_buffer, finished, > + TLS_HANDSHAKE_HEADER_SIZE+session->security_parameters.prf->output_size); > + if (ret < 0) > + return gnutls_assert_val(ret); > + > + ret = _tls13_derive_secret(session, RMS_MASTER_LABEL, sizeof(RMS_MASTER_LABEL)-1, > + session->internals.handshake_hash_buffer.data, > + session->internals.handshake_hash_buffer.length, > + session->key.proto.tls13.temp_secret, > + session->key.proto.tls13.ap_rms); > + if (ret < 0) > + return gnutls_assert_val(ret); > + > + session->internals.handshake_hash_buffer.length = spos; it looks nice functionally but I don't think it is a good idea to set the value of `session->internals.handshake_hash_buffer_client_finished_len` prior to the finished message being received. Indeed on that particular function we are predicting what it will be to calculate rms, but should we set its value for anyone else to use? grepping through the code it seems that in no other case this value is being used, so it is a kind of philosophical question which approach is better. I prefer the current one because I find it nicer to contain the side effects of this prediction, but I'd be happy to discuss that. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/711#note_92364795 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Aug 3 16:12:48 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 03 Aug 2018 14:12:48 +0000 Subject: [gnutls-devel] GnuTLS | tls1.3: server returns early on handshake when no cert is provided by client (!711) In-Reply-To: References: Message-ID: Merge Request !711 was approved by Daiki Ueno Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/711 Branches: tmp-handshake-return-early to master Author: Nikos Mavrogiannopoulos Assignee: Daiki Ueno -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/711 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Aug 3 16:19:53 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 03 Aug 2018 14:19:53 +0000 Subject: [gnutls-devel] GnuTLS | tls1.3: server returns early on handshake when no cert is provided by client (!711) In-Reply-To: References: Message-ID: All discussions on Merge Request !711 were resolved by Nikos Mavrogiannopoulos https://gitlab.com/gnutls/gnutls/merge_requests/711 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/711 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Aug 3 16:20:15 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 03 Aug 2018 14:20:15 +0000 Subject: [gnutls-devel] GnuTLS | tls1.3: return early on handshake when no cert is provided by client (#457) In-Reply-To: References: Message-ID: Issue was closed by Nikos Mavrogiannopoulos Issue #457: https://gitlab.com/gnutls/gnutls/issues/457 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/457 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Aug 3 16:20:15 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 03 Aug 2018 14:20:15 +0000 Subject: [gnutls-devel] GnuTLS | GnuTLS does not transition to application data keys after sending server Finished message (#481) In-Reply-To: References: Message-ID: Issue was closed by Nikos Mavrogiannopoulos Issue #481: https://gitlab.com/gnutls/gnutls/issues/481 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/481 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Aug 3 16:20:15 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 03 Aug 2018 14:20:15 +0000 Subject: [gnutls-devel] GnuTLS | GnuTLS does not transition to application data keys after sending server Finished message (#481) In-Reply-To: References: Message-ID: Issue was closed by Nikos Mavrogiannopoulos Issue #481: https://gitlab.com/gnutls/gnutls/issues/481 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/481 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Aug 3 16:20:15 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 03 Aug 2018 14:20:15 +0000 Subject: [gnutls-devel] GnuTLS | tls1.3: server returns early on handshake when no cert is provided by client (!711) In-Reply-To: References: Message-ID: Merge Request !711 was merged Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/711 Branches: tmp-handshake-return-early to master Author: Nikos Mavrogiannopoulos Assignee: Daiki Ueno -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/711 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Aug 3 16:20:15 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 03 Aug 2018 14:20:15 +0000 Subject: [gnutls-devel] GnuTLS | tls1.3: return early on handshake when no cert is provided by client (#457) In-Reply-To: References: Message-ID: Issue was closed by Nikos Mavrogiannopoulos Issue #457: https://gitlab.com/gnutls/gnutls/issues/457 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/457 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Aug 3 16:37:36 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 03 Aug 2018 14:37:36 +0000 Subject: [gnutls-devel] GnuTLS | WIP: TLS 1.3: ignore "early_data" extension (!706) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos started a new discussion on lib/record.c: > > _mbuffer_head_remove_bytes(&session->internals.record_recv_buffer, > record.header_size + record.length); > + /* As early data must always be encrypted, treat it as > + * decryption failure if otherwise. */ > + if (ret >= 0 && would it make sense to combine this with the check above? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/706#note_92371933 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Aug 3 16:40:03 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 03 Aug 2018 14:40:03 +0000 Subject: [gnutls-devel] GnuTLS | WIP: TLS 1.3: ignore "early_data" extension (!706) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos started a new discussion on lib/record.c: > > _mbuffer_head_remove_bytes(&session->internals.record_recv_buffer, > record.header_size + record.length); > + /* As early data must always be encrypted, treat it as > + * decryption failure if otherwise. */ > + if (ret >= 0 && > + (session->internals.hsk_flags & HSK_EARLY_DATA_INDICATED) && Is my understanding that this flag is used while the early data are in flight only and reset afterwards? Maybe the name `HSK_EARLY_DATA_IN_FLIGHT` is more descriptive to help understand for this particular test. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/706#note_92372438 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Aug 3 20:17:56 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 03 Aug 2018 18:17:56 +0000 Subject: [gnutls-devel] GnuTLS | TLS 1.3: ignore "early_data" extension (!706) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos started a new discussion on lib/record.c: > + goto discard; > + } > + > gnutls_assert(); > _gnutls_audit_log(session, > "Discarded message[%u] due to invalid decryption\n", > (unsigned int) > _gnutls_uint64touint32(packet_sequence)); > + > goto sanity_check_error; > } > > + /* FIXME: as 0-RTT is not implemented yet, when the early data > + * is indicated and the record is properly decrypted, treat it > + * as the start of client's second flight. */ > + session->internals.hsk_flags &= ~HSK_EARLY_DATA_IN_FLIGHT; nit: I guess that's a cheap operation, but we are doing it unconditionally for every record packet received. What if we combine it with the if check in 1337. i.e. only run it if we know we are handling early data? ``` if (unlikely(session->internals.hsk_flags & HSK_EARLY_DATA_IN_FLIGHT)) { if (record.type == GNUTLS_APPLICATION_DATA) { if (record.length > session->security_parameters.max_early_data_size - session->internals.early_data_received) . . . } else { session->internals.hsk_flags &= ~HSK_EARLY_DATA_IN_FLIGHT; } } ``` -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/706#note_92414012 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Aug 3 22:06:58 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 03 Aug 2018 20:06:58 +0000 Subject: [gnutls-devel] GnuTLS | Bootstrap fails (#514) In-Reply-To: References: Message-ID: After comparing and updating packages without any success I've tried to install a fresh system with Mint 19 on a different machine. This solved the problem. After a fresh clone I ran the bootstrap script and everything seems to compile fine now. I still don't know what the problem was exactly but it has something to do with incompatible dependencies. Unless you want me to find out what the problem was exactly on my other older Mint machine I think we can close this issue. Thanks for the help. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/514#note_92433391 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Aug 3 22:35:04 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 03 Aug 2018 20:35:04 +0000 Subject: [gnutls-devel] GnuTLS | Service Desk (from stefanb@us.ibm.com): Cannot read EC public key with certtool in 3.6.3 (Fedora 28) (#538) In-Reply-To: References: Message-ID: Reassigned Issue 538 https://gitlab.com/gnutls/gnutls/issues/538 Assignee changed to Nikos Mavrogiannopoulos -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/538 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Aug 3 22:36:30 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 03 Aug 2018 20:36:30 +0000 Subject: [gnutls-devel] GnuTLS | Corrected the importing of ECDSA public keys (!725) References: Message-ID: New Merge Request !725 https://gitlab.com/gnutls/gnutls/merge_requests/725 Branches: tmp-fix-ecdsa-pubkey-import to master Author: Nikos Mavrogiannopoulos Assignee: Approvers: Simon Josefsson, Dmitry Eremin-Solenikov, Hubert Kario, Tim R?hsen, Andreas Metzler, Daiki Ueno, Tom, Ander Juaristi, Tom?? Mr?z, Anderson Sasaki and GnuTLS devel mailing list This seems to be a regression since EdDSA support. The call to _gnutls_x509_get_pk_algorithm() in public key import was unnecessary and in fact it was overriding the available curve with a curve associated with the OID. As the ECDSA OID doesn't include the curve, that had the result of deleting the already read curve. ## Checklist * [x] Code modified for feature * [x] Test suite updated with functionality tests ## Reviewer's checklist: * [ ] Any issues marked for closing are addressed * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md` * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/725 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Aug 3 22:38:43 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 03 Aug 2018 20:38:43 +0000 Subject: [gnutls-devel] GnuTLS | Service Desk (from stefanb@us.ibm.com): Cannot read EC public key with certtool in 3.6.3 (Fedora 28) (#538) In-Reply-To: References: Message-ID: Thank you for reporting that, it seems to be a regression. It should be addressed by !725 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/538#note_92436358 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Aug 3 22:44:40 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 03 Aug 2018 20:44:40 +0000 Subject: [gnutls-devel] GnuTLS | Bootstrap fails (#514) In-Reply-To: References: Message-ID: Thanks for trying so hard and reporting back ! -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/514#note_92436934 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Aug 3 22:44:44 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 03 Aug 2018 20:44:44 +0000 Subject: [gnutls-devel] GnuTLS | Bootstrap fails (#514) In-Reply-To: References: Message-ID: Issue was closed by Tim R?hsen Issue #514: https://gitlab.com/gnutls/gnutls/issues/514 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/514 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Aug 6 10:58:26 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 06 Aug 2018 08:58:26 +0000 Subject: [gnutls-devel] GnuTLS | TLS 1.3: ignore "early_data" extension (!706) In-Reply-To: References: Message-ID: Daiki Ueno commented on a discussion on lib/record.c: > + goto discard; > + } > + > gnutls_assert(); > _gnutls_audit_log(session, > "Discarded message[%u] due to invalid decryption\n", > (unsigned int) > _gnutls_uint64touint32(packet_sequence)); > + > goto sanity_check_error; > } > > + /* FIXME: as 0-RTT is not implemented yet, when the early data > + * is indicated and the record is properly decrypted, treat it > + * as the start of client's second flight. */ > + session->internals.hsk_flags &= ~HSK_EARLY_DATA_IN_FLIGHT; Yes that sounds like a good idea; I have consolidated all the early data related conditions in to a single `if`. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/706#note_92655175 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Aug 6 10:58:36 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 06 Aug 2018 08:58:36 +0000 Subject: [gnutls-devel] GnuTLS | TLS 1.3: ignore "early_data" extension (!706) In-Reply-To: References: Message-ID: All discussions on Merge Request !706 were resolved by Daiki Ueno https://gitlab.com/gnutls/gnutls/merge_requests/706 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/706 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Aug 6 12:01:33 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 06 Aug 2018 10:01:33 +0000 Subject: [gnutls-devel] GnuTLS | TLS 1.3: ignore "early_data" extension (!706) In-Reply-To: References: Message-ID: Merge Request !706 was approved by Nikos Mavrogiannopoulos Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/706 Branches: tmp-skip-zero-rtt to master Author: Daiki Ueno Assignee: Nikos Mavrogiannopoulos -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/706 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Aug 6 12:33:44 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 06 Aug 2018 10:33:44 +0000 Subject: [gnutls-devel] GnuTLS | TLS 1.3: ignore "early_data" extension (!706) In-Reply-To: References: Message-ID: Merge Request !706 was merged Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/706 Branches: tmp-skip-zero-rtt to master Author: Daiki Ueno Assignee: Nikos Mavrogiannopoulos -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/706 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Aug 6 12:33:44 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 06 Aug 2018 10:33:44 +0000 Subject: [gnutls-devel] GnuTLS | GnuTLS is intolerant to 0-RTT handshake (#512) In-Reply-To: References: Message-ID: Issue was closed by Nikos Mavrogiannopoulos Issue #512: https://gitlab.com/gnutls/gnutls/issues/512 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/512 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Aug 6 12:46:34 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 06 Aug 2018 10:46:34 +0000 Subject: [gnutls-devel] GnuTLS | resumption: keep persistent session identifiers (!721) In-Reply-To: References: Message-ID: Reassigned Merge Request 721 https://gitlab.com/gnutls/gnutls/merge_requests/721 Assignee changed to Hubert Kario -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/721 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Aug 6 13:02:00 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 06 Aug 2018 11:02:00 +0000 Subject: [gnutls-devel] GnuTLS | Corrected the importing of ECDSA public keys (!725) In-Reply-To: References: Message-ID: Reassigned Merge Request 725 https://gitlab.com/gnutls/gnutls/merge_requests/725 Assignee changed to Jakub Jelen -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/725 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Aug 6 13:54:26 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 06 Aug 2018 11:54:26 +0000 Subject: [gnutls-devel] GnuTLS | Use nproc to detect number of CPUs and add documentation creation into CI (!77) In-Reply-To: References: Message-ID: I have used this PR as inspiration to improve CI in other project. Particularly the '-j' option. From what I've found, I also added the option '--output-sync' to instruct make to output text in an orderly matter, which makes things a little bit more comfortable to read. Just in case you want to add it too. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/77#note_92698171 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Aug 6 14:46:33 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 06 Aug 2018 12:46:33 +0000 Subject: [gnutls-devel] GnuTLS | replace the max record size extension (#524) In-Reply-To: References: Message-ID: Reassigned Issue 524 https://gitlab.com/gnutls/gnutls/issues/524 Assignee changed to Daiki Ueno -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/524 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Aug 6 14:55:56 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 06 Aug 2018 12:55:56 +0000 Subject: [gnutls-devel] GnuTLS | Corrected the importing of ECDSA public keys (!725) In-Reply-To: References: Message-ID: Jakub Jelen started a new discussion on tests/cert-tests/certtool-ecdsa: > + > + > +# Create an ECDSA > +${VALGRIND} "${CERTTOOL}" --generate-privkey --pkcs8 --password '' \ > + --ecdsa --outfile "$KEYFILE" > +rc=$? > + > +if test "${rc}" != "0"; then > + echo "Could not generate an ECDSA key" > + exit 1 > +fi > + > +${VALGRIND} "${CERTTOOL}" -k --password '' --infile "$KEYFILE" >/dev/null > +rc=$? > +if test "${rc}" != "0"; then > + echo "Could not read generated an EdDSA key" This should probably say ECDSA instead of EdDSA. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/725#note_92713896 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Aug 6 17:03:09 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 06 Aug 2018 15:03:09 +0000 Subject: [gnutls-devel] GnuTLS | resumption: keep persistent session identifiers (!721) In-Reply-To: References: Message-ID: Hubert Kario started a new discussion on lib/session.c: > - * resumed. That is because resumed sessions share the same session ID > - * with the original session. > - * > - * The session ID is selected by the server, that identify the > - * current session. In all supported TLS protocols, the session id > - * is less than %GNUTLS_MAX_SESSION_ID_SIZE. > - * > - * The TLS session ID cannot be relied for uniquely identifying sessions. > - * It should not be used by new applications, nor be assumed > - * that it will remain the same on resumption. The session ID changes > - * even on resumed sessions under session tickets, and has no defined meaning > - * under TLS 1.3. > + * Returns the TLS session identifier. The session ID is selected by the > + * server, and in older versions of TLS was a unique identifier shared > + * between client and server which was persistent across resumption. > + * In the latest version of TLS (1.3) or TLS 1.2 with session tickets, the technically speaking, session tickets are not limited to TLS 1.2 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/721#note_92747175 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Aug 6 17:06:21 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 06 Aug 2018 15:06:21 +0000 Subject: [gnutls-devel] GnuTLS | resumption: keep persistent session identifiers (!721) In-Reply-To: References: Message-ID: Hubert Kario started a new discussion on lib/gnutls_int.h: > */ > #define MAX_HANDSHAKE_PACKET_SIZE 128*1024 > > -#define GNUTLS_DEF_SESSION_ID_SIZE 32 > +#define GNUTLS_DEF_SESSION_ID_SIZE 16 in TLS 1.3 the server is obliged to turn on middlebox compatibility mode only if the client sends a SessionID 32 bytes long or is it not used for TLS 1.3 CH? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/721#note_92747872 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Aug 6 17:08:18 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 06 Aug 2018 15:08:18 +0000 Subject: [gnutls-devel] GnuTLS | resumption: keep persistent session identifiers (!721) In-Reply-To: References: Message-ID: Merge Request !721 was approved by Hubert Kario Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/721 Branches: tmp-persistent-id to master Author: Nikos Mavrogiannopoulos Assignee: Hubert Kario -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/721 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Aug 6 17:08:18 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 06 Aug 2018 15:08:18 +0000 Subject: [gnutls-devel] GnuTLS | resumption: keep persistent session identifiers (!721) In-Reply-To: References: Message-ID: Hubert Kario started a new discussion on src/serv.c: > - snprintf(tmp_buffer, tmp_buffer_size, "\n

Session ID: "); > - for (i = 0; i < sesid_size; i++) > - snprintf(tmp_buffer, tmp_buffer_size, "%.2X", sesid[i]); > - snprintf(tmp_buffer, tmp_buffer_size, "

\n"); > - snprintf(tmp_buffer, tmp_buffer_size, > - "
If your browser supports session resuming, then you should see the " > - "same session ID, when you press the reload button.
\n"); > - } > + sesid_size = sizeof(sesid); > + gnutls_session_get_id(session, sesid, &sesid_size); > + snprintf(tmp_buffer, tmp_buffer_size, "\n

Session ID: "); > + for (i = 0; i < sesid_size; i++) > + snprintf(tmp_buffer, tmp_buffer_size, "%.2X", sesid[i]); > + snprintf(tmp_buffer, tmp_buffer_size, "

\n"); > + snprintf(tmp_buffer, tmp_buffer_size, > + "
If your browser supports session resuming, then you should see the " "session resuming" doesn't sound too good to me, how about "resuming a session", "session resumption"? or do you want to keep the same phrasing for backwards compatibility? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/721#note_92748212 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Aug 6 17:08:37 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 06 Aug 2018 15:08:37 +0000 Subject: [gnutls-devel] GnuTLS | resumption: keep persistent session identifiers (!721) In-Reply-To: References: Message-ID: I have few nits, but in general looks ok -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/721#note_92748393 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Aug 6 17:20:45 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 06 Aug 2018 15:20:45 +0000 Subject: [gnutls-devel] GnuTLS | client hello fragmentation (#272) In-Reply-To: References: Message-ID: Issue was closed by Daiki Ueno Issue #272: https://gitlab.com/gnutls/gnutls/issues/272 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/272 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Aug 6 17:21:13 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 06 Aug 2018 15:21:13 +0000 Subject: [gnutls-devel] GnuTLS | client hello fragmentation (#272) In-Reply-To: References: Message-ID: Issue was closed by Nikos Mavrogiannopoulos Issue #272: https://gitlab.com/gnutls/gnutls/issues/272 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/272 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Aug 7 06:46:50 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 07 Aug 2018 04:46:50 +0000 Subject: [gnutls-devel] GnuTLS | resumption: keep persistent session identifiers (!721) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos commented on a discussion on lib/gnutls_int.h: > */ > #define MAX_HANDSHAKE_PACKET_SIZE 128*1024 > > -#define GNUTLS_DEF_SESSION_ID_SIZE 32 > +#define GNUTLS_DEF_SESSION_ID_SIZE 16 It is for everything, so let me decouple this change from the rest of the change. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/721#note_92859088 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Aug 7 06:47:11 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 07 Aug 2018 04:47:11 +0000 Subject: [gnutls-devel] GnuTLS | resumption: keep persistent session identifiers (!721) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos commented on a discussion on lib/session.c: > - * resumed. That is because resumed sessions share the same session ID > - * with the original session. > - * > - * The session ID is selected by the server, that identify the > - * current session. In all supported TLS protocols, the session id > - * is less than %GNUTLS_MAX_SESSION_ID_SIZE. > - * > - * The TLS session ID cannot be relied for uniquely identifying sessions. > - * It should not be used by new applications, nor be assumed > - * that it will remain the same on resumption. The session ID changes > - * even on resumed sessions under session tickets, and has no defined meaning > - * under TLS 1.3. > + * Returns the TLS session identifier. The session ID is selected by the > + * server, and in older versions of TLS was a unique identifier shared > + * between client and server which was persistent across resumption. > + * In the latest version of TLS (1.3) or TLS 1.2 with session tickets, the Rephrased. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/721#note_92859120 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Aug 7 06:47:37 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 07 Aug 2018 04:47:37 +0000 Subject: [gnutls-devel] GnuTLS | resumption: keep persistent session identifiers (!721) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos commented on a discussion on src/serv.c: > - snprintf(tmp_buffer, tmp_buffer_size, "\n

Session ID: "); > - for (i = 0; i < sesid_size; i++) > - snprintf(tmp_buffer, tmp_buffer_size, "%.2X", sesid[i]); > - snprintf(tmp_buffer, tmp_buffer_size, "

\n"); > - snprintf(tmp_buffer, tmp_buffer_size, > - "
If your browser supports session resuming, then you should see the " > - "same session ID, when you press the reload button.
\n"); > - } > + sesid_size = sizeof(sesid); > + gnutls_session_get_id(session, sesid, &sesid_size); > + snprintf(tmp_buffer, tmp_buffer_size, "\n

Session ID: "); > + for (i = 0; i < sesid_size; i++) > + snprintf(tmp_buffer, tmp_buffer_size, "%.2X", sesid[i]); > + snprintf(tmp_buffer, tmp_buffer_size, "

\n"); > + snprintf(tmp_buffer, tmp_buffer_size, > + "
If your browser supports session resuming, then you should see the " No, rephrased. Thank you. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/721#note_92859179 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Aug 7 06:47:37 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 07 Aug 2018 04:47:37 +0000 Subject: [gnutls-devel] GnuTLS | resumption: keep persistent session identifiers (!721) In-Reply-To: References: Message-ID: All discussions on Merge Request !721 were resolved by Nikos Mavrogiannopoulos https://gitlab.com/gnutls/gnutls/merge_requests/721 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/721 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Aug 7 06:47:54 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 07 Aug 2018 04:47:54 +0000 Subject: [gnutls-devel] GnuTLS | keep same session ID (#484) In-Reply-To: References: Message-ID: Reassigned Issue 484 https://gitlab.com/gnutls/gnutls/issues/484 Assignee changed to Nikos Mavrogiannopoulos -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/484 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Aug 7 07:24:10 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 07 Aug 2018 05:24:10 +0000 Subject: [gnutls-devel] GnuTLS | improve documentation on certificate authentication (#540) References: Message-ID: New Issue was created. Issue 540: https://gitlab.com/gnutls/gnutls/issues/540 Author: Nikos Mavrogiannopoulos Assignee: Now the bits and pieces are all over the documentation but there is not a single section which can answer all the following: - [ ] how the CA trust store is set, system vs custom, system via p11-kit DB vs files - [ ] what do the verify functions cover (verification of signatures, checking for right name, checking against OCSP responses, CRL lists, blacklists in case of p11-kit DB, etc) - [ ] trust lists We should re-organize and add documentation in order to provide an easy to read section for users to understand the current certificate validation subsystem. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/540 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Aug 7 07:38:11 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 07 Aug 2018 05:38:11 +0000 Subject: [gnutls-devel] GnuTLS | Corrected the importing of ECDSA public keys (!725) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos commented on a discussion on tests/cert-tests/certtool-ecdsa: > + > + > +# Create an ECDSA > +${VALGRIND} "${CERTTOOL}" --generate-privkey --pkcs8 --password '' \ > + --ecdsa --outfile "$KEYFILE" > +rc=$? > + > +if test "${rc}" != "0"; then > + echo "Could not generate an ECDSA key" > + exit 1 > +fi > + > +${VALGRIND} "${CERTTOOL}" -k --password '' --infile "$KEYFILE" >/dev/null > +rc=$? > +if test "${rc}" != "0"; then > + echo "Could not read generated an EdDSA key" Updated,thanks -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/725#note_92863958 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Aug 7 07:38:11 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 07 Aug 2018 05:38:11 +0000 Subject: [gnutls-devel] GnuTLS | Corrected the importing of ECDSA public keys (!725) In-Reply-To: References: Message-ID: All discussions on Merge Request !725 were resolved by Nikos Mavrogiannopoulos https://gitlab.com/gnutls/gnutls/merge_requests/725 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/725 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Aug 7 07:46:07 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 07 Aug 2018 05:46:07 +0000 Subject: [gnutls-devel] GnuTLS | Session ticket key rotation with TOTP (!695) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos started a new discussion on lib/stek.c: > + * > + */ > +#include "gnutls_int.h" > +#include > +#include "stek.h" > + > +#define T0 0 > + > +#define NAME_POS (0) > +#define KEY_POS (TICKET_KEY_NAME_SIZE) > +#define MAC_SECRET_POS (TICKET_KEY_NAME_SIZE+TICKET_CIPHER_KEY_SIZE) > + > +static int totp_sha3(gnutls_session_t session, > + uint64_t t, > + const gnutls_datum_t *secret, > + gnutls_datum_t *out) thanks for updating it to a stack stored value. Note that a convention used all over the lib is to pass such values as an array, e.g., `uint8_t out[MAX_HASH_SIZE]`. The datum form is used when the function assigns the pointers in it. The array form gives also a better hint to compiler and static analyzers about the constraints. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/695#note_92864809 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Aug 7 08:02:46 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 07 Aug 2018 06:02:46 +0000 Subject: [gnutls-devel] GnuTLS | keep same session ID (#484) In-Reply-To: References: Message-ID: Issue was closed by Nikos Mavrogiannopoulos Issue #484: https://gitlab.com/gnutls/gnutls/issues/484 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/484 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Aug 7 08:02:48 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 07 Aug 2018 06:02:48 +0000 Subject: [gnutls-devel] GnuTLS | resumption: keep persistent session identifiers (!721) In-Reply-To: References: Message-ID: Merge Request !721 was merged Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/721 Branches: tmp-persistent-id to master Author: Nikos Mavrogiannopoulos Assignee: Hubert Kario -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/721 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Aug 7 09:38:41 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 07 Aug 2018 07:38:41 +0000 Subject: [gnutls-devel] GnuTLS | Ensure we are sending the right protocol version on second client hello (!724) In-Reply-To: References: Message-ID: Reassigned Merge Request 724 https://gitlab.com/gnutls/gnutls/merge_requests/724 Assignee changed to Nikos Mavrogiannopoulos -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/724 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Aug 7 09:39:28 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 07 Aug 2018 07:39:28 +0000 Subject: [gnutls-devel] GnuTLS | Ensure we are sending the right protocol version on second client hello (!724) In-Reply-To: References: Message-ID: Merge Request !724 was merged Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/724 Branches: tmp-hrr-protov-fix to master Author: Nikos Mavrogiannopoulos Assignee: Nikos Mavrogiannopoulos -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/724 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Aug 7 09:39:28 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 07 Aug 2018 07:39:28 +0000 Subject: [gnutls-devel] GnuTLS | gnutls-cli sends TLS 1.3 protocol version in ClientHello.legacy_version field in HRR case (#535) In-Reply-To: References: Message-ID: Issue was closed by Nikos Mavrogiannopoulos Issue #535: https://gitlab.com/gnutls/gnutls/issues/535 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/535 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Aug 7 09:39:28 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 07 Aug 2018 07:39:28 +0000 Subject: [gnutls-devel] GnuTLS | gnutls-cli sends TLS 1.3 protocol version in ClientHello.legacy_version field in HRR case (#535) In-Reply-To: References: Message-ID: Issue was closed by Nikos Mavrogiannopoulos Issue #535: https://gitlab.com/gnutls/gnutls/issues/535 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/535 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Aug 7 09:49:08 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 07 Aug 2018 07:49:08 +0000 Subject: [gnutls-devel] GnuTLS | switch statements: use a consistent way to fall through (#306) In-Reply-To: References: Message-ID: Reassigned Issue 306 https://gitlab.com/gnutls/gnutls/issues/306 Assignee changed to Nikos Mavrogiannopoulos -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/306 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Aug 7 09:59:35 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 07 Aug 2018 07:59:35 +0000 Subject: [gnutls-devel] GnuTLS | Corrected the importing of ECDSA public keys (!725) In-Reply-To: References: Message-ID: Otherwise, it looks good. Can you assign me as a reviewer, so I can add my ack? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/725#note_92888814 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Aug 7 10:02:25 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 07 Aug 2018 08:02:25 +0000 Subject: [gnutls-devel] GnuTLS | use a consistent method to mark fall-through in switch cases (!726) References: Message-ID: New Merge Request !726 https://gitlab.com/gnutls/gnutls/merge_requests/726 Branches: tmp-consistent-falltrough to master Author: Nikos Mavrogiannopoulos Assignee: Approvers: Simon Josefsson, Dmitry Eremin-Solenikov, Hubert Kario, Tim R?hsen, Andreas Metzler, Daiki Ueno, Tom, Ander Juaristi, Tom?? Mr?z, Anderson Sasaki and GnuTLS devel mailing list Use a consistent method to mark fall-through in switch cases and document that method in contribution guide. ## Checklist * [x] Code modified for feature * [x] Documentation updated ## Reviewer's checklist: * [ ] Any issues marked for closing are addressed * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md` * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/726 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Aug 7 10:04:39 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 07 Aug 2018 08:04:39 +0000 Subject: [gnutls-devel] GnuTLS | Corrected the importing of ECDSA public keys (!725) In-Reply-To: References: Message-ID: Thank you. Done -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/725#note_92889864 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Aug 7 10:39:47 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 07 Aug 2018 08:39:47 +0000 Subject: [gnutls-devel] GnuTLS | Corrected the importing of ECDSA public keys (!725) In-Reply-To: References: Message-ID: Merge Request !725 was approved by Jakub Jelen Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/725 Branches: tmp-fix-ecdsa-pubkey-import to master Author: Nikos Mavrogiannopoulos Assignee: Jakub Jelen -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/725 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Aug 7 12:54:18 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 07 Aug 2018 10:54:18 +0000 Subject: [gnutls-devel] GnuTLS | Corrected the importing of ECDSA public keys (!725) In-Reply-To: References: Message-ID: Merge Request !725 was merged Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/725 Branches: tmp-fix-ecdsa-pubkey-import to master Author: Nikos Mavrogiannopoulos Assignee: Jakub Jelen -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/725 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Aug 7 12:54:24 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 07 Aug 2018 10:54:24 +0000 Subject: [gnutls-devel] GnuTLS | Service Desk (from stefanb@us.ibm.com): Cannot read EC public key with certtool in 3.6.3 (Fedora 28) (#538) In-Reply-To: References: Message-ID: Issue was closed by Nikos Mavrogiannopoulos Issue #538: https://gitlab.com/gnutls/gnutls/issues/538 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/538 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Aug 7 12:54:17 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 07 Aug 2018 10:54:17 +0000 Subject: [gnutls-devel] GnuTLS | Service Desk (from stefanb@us.ibm.com): Cannot read EC public key with certtool in 3.6.3 (Fedora 28) (#538) In-Reply-To: References: Message-ID: Issue was closed by Nikos Mavrogiannopoulos Issue #538: https://gitlab.com/gnutls/gnutls/issues/538 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/538 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Aug 7 15:15:56 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 07 Aug 2018 13:15:56 +0000 Subject: [gnutls-devel] GnuTLS | tlsfuzzer: update to the latest version (!727) References: Message-ID: New Merge Request !727 https://gitlab.com/gnutls/gnutls/merge_requests/727 Branches: tmp-tlsfuzzer-update-tls13 to master Author: Daiki Ueno Assignee: Approvers: Simon Josefsson, Nikos Mavrogiannopoulos, Dmitry Eremin-Solenikov, Hubert Kario, Tim R?hsen, Andreas Metzler, Tom, Ander Juaristi, Tom?? Mr?z, Anderson Sasaki and GnuTLS devel mailing list This updates the tlsfuzzer to the latest git master to enable more tests. Note that this also introduces FFDHE6144 and fixes PSK crash. ## Checklist * [x] Test suite updated with functionality tests * [x] Test suite updated with negative tests ## Reviewer's checklist: * [ ] Any issues marked for closing are addressed * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md` * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/727 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Aug 7 16:13:20 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 07 Aug 2018 14:13:20 +0000 Subject: [gnutls-devel] GnuTLS | tlsfuzzer: update to the latest version to enable more TLS 1.3 tests (!727) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos started a new discussion on symbols.last: > gnutls_ffdhe_4096_group_generator at GNUTLS_3_4 > gnutls_ffdhe_4096_group_prime at GNUTLS_3_4 > gnutls_ffdhe_4096_key_bits at GNUTLS_3_4 > +gnutls_ffdhe_6144_group_generator at GNUTLS_3_6_4 The changes look good to me. My only comment is that it is good to have sanity tests (e.g. at `tls12-ffdhe.c`, and `tls13-cert-key-exchange.c`). There is also a check at `tests/suite/prime-check.c` for primality of the included parameters (e.g., due to an accidental corruption or typo). -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/727#note_93013317 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Aug 7 16:21:23 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 07 Aug 2018 14:21:23 +0000 Subject: [gnutls-devel] GnuTLS | GnuTLS should use explicit_bzero if available (#230) In-Reply-To: References: Message-ID: Reassigned Issue 230 https://gitlab.com/gnutls/gnutls/issues/230 Assignee changed to Nikos Mavrogiannopoulos -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/230 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Aug 7 16:33:00 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 07 Aug 2018 14:33:00 +0000 Subject: [gnutls-devel] GnuTLS | gnutls_memset: use explicit_bzero (!728) References: Message-ID: New Merge Request !728 https://gitlab.com/gnutls/gnutls/merge_requests/728 Branches: tmp-use-explicit-bzero to master Author: Nikos Mavrogiannopoulos Assignee: Approvers: Simon Josefsson, Dmitry Eremin-Solenikov, Hubert Kario, Tim R?hsen, Andreas Metzler, Daiki Ueno, Tom, Ander Juaristi, Tom?? Mr?z, Anderson Sasaki and GnuTLS devel mailing list That is, use the glibc function when available and the second parameter is zero. ## Checklist * [x] Code modified for feature * [x] Test suite updated with functionality tests ## Reviewer's checklist: * [ ] Any issues marked for closing are addressed * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md` * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/728 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Aug 7 17:25:30 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 07 Aug 2018 15:25:30 +0000 Subject: [gnutls-devel] GnuTLS | gnutls_memset: use explicit_bzero (d087db43) In-Reply-To: References: Message-ID: Tim R?hsen started a new discussion on lib/safe-memfuncs.c: > * This function will operate similarly to memset(), but will > * not be optimized out by the compiler. > * > - * Returns: void. > - * > * Since: 3.4.0 > **/ > void gnutls_memset(void *data, int c, size_t size) > { > - volatile unsigned volatile_zero = 0; > + volatile unsigned volatile_zero; > volatile char *vdata = (volatile char*)data; > +#ifdef HAVE_EXPLICIT_BZERO > + if (c == 0) { > + explicit_bzero(data, size); What makes explicit_bzero() save from being optimized out ? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/commit/d087db43e07c9b9df115ae9467bede5fa796c302#note_93035926 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Aug 7 18:04:07 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 07 Aug 2018 16:04:07 +0000 Subject: [gnutls-devel] GnuTLS | use a consistent method to mark fall-through in switch cases (!726) In-Reply-To: References: Message-ID: Daiki Ueno started a new discussion on CONTRIBUTING.md: > 1. Input parameters > 2. Output parameters > > -When data and size is expected, a gnutls_datum structure should be > -used (or more precisely a pointer to the structure). > +When data and size is expected as input, a const gnutls_datum_t structure typo: is -> are -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/726#note_93049109 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Aug 7 18:12:12 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 07 Aug 2018 16:12:12 +0000 Subject: [gnutls-devel] GnuTLS | use a consistent method to mark fall-through in switch cases (!726) In-Reply-To: References: Message-ID: it seems the following places still use `/* fall through */`: ``` lib/ext/heartbeat.c:209: /* fallthrough */ lib/crypto-selftests.c:1315: /* fall through */ lib/nettle/pk.c:1727: /* fallthrough */ lib/x509/pkcs12.c:1648: /* fallthrough */ lib/x509/supported_exts.h:89: /*FALLTHROUGH*/ lib/x509/x509.c:3982: /* fall through */ lib/tls13/post_handshake.c:102: /* fall through */ lib/pubkey.c:304: /* fallthrough */ lib/crypto-selftests-pk.c:704: /* fall through */ lib/accelerated/x86/sha-padlock.c:123: /* Fall through */ lib/pkcs11.c:571: /* fallthrough */ ``` -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/726#note_93052146 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Aug 7 19:38:11 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 07 Aug 2018 17:38:11 +0000 Subject: [gnutls-devel] GnuTLS | Support for alternative to NIST elliptic curves (#20) In-Reply-To: References: Message-ID: brainpool never made it into GnuTLS despite https://tools.ietf.org/html/rfc7027? Got the entire CA based on brainpoolP512r1 and now an essential app that builds upon GnuTLS. However that app is not able to connect to the host serving a X509v3 ecdsa-with-SHA512 ASN1 OID: brainpoolP512r1 certificate. Any plans to ever/soon add support for brainpool? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/20#note_93069625 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Aug 7 20:08:40 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 07 Aug 2018 18:08:40 +0000 Subject: [gnutls-devel] GnuTLS | Support for alternative to NIST elliptic curves (#20) In-Reply-To: References: Message-ID: brainpool was published as an informational rfc but was not made an internet standard. Given that it was marked as obsolete by [TLS 1.3](https://tools.ietf.org/html/draft-ietf-tls-tls13-28) I do not think it makes sense to consider implementing it. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/20#note_93077836 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Aug 8 11:20:36 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 08 Aug 2018 09:20:36 +0000 Subject: [gnutls-devel] GnuTLS | Wrong alert when client does not advertise any groups that server supports (#537) In-Reply-To: References: Message-ID: Reassigned Issue 537 https://gitlab.com/gnutls/gnutls/issues/537 Assignee changed to Daiki Ueno -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/537 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Aug 8 13:58:19 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 08 Aug 2018 11:58:19 +0000 Subject: [gnutls-devel] GnuTLS | Wrong alert when client does not advertise any groups that server supports (#537) In-Reply-To: References: Message-ID: Issue was closed by Daiki Ueno Issue #537: https://gitlab.com/gnutls/gnutls/issues/537 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/537 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Aug 8 15:06:20 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 08 Aug 2018 13:06:20 +0000 Subject: [gnutls-devel] GnuTLS | use a consistent method to mark fall-through in switch cases (!726) In-Reply-To: References: Message-ID: All discussions on Merge Request !726 were resolved by Nikos Mavrogiannopoulos https://gitlab.com/gnutls/gnutls/merge_requests/726 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/726 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Aug 8 15:06:21 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 08 Aug 2018 13:06:21 +0000 Subject: [gnutls-devel] GnuTLS | use a consistent method to mark fall-through in switch cases (!726) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos commented on a discussion on CONTRIBUTING.md: > 1. Input parameters > 2. Output parameters > > -When data and size is expected, a gnutls_datum structure should be > -used (or more precisely a pointer to the structure). > +When data and size is expected as input, a const gnutls_datum_t structure corrected. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/726#note_93286488 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Aug 8 15:06:44 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 08 Aug 2018 13:06:44 +0000 Subject: [gnutls-devel] GnuTLS | use a consistent method to mark fall-through in switch cases (!726) In-Reply-To: References: Message-ID: Thanks for catching them. I didn't address `supported_exts.h` because it is an auto-generated file and that's the same value used by libunistring. Unless we have a problem later maybe we shouldn't touch the auto-generated files. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/726#note_93286580 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Aug 8 15:08:54 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 08 Aug 2018 13:08:54 +0000 Subject: [gnutls-devel] GnuTLS | gnutls_memset: use explicit_bzero (d087db43) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos commented on a discussion on lib/safe-memfuncs.c: > * This function will operate similarly to memset(), but will > * not be optimized out by the compiler. > * > - * Returns: void. > - * > * Since: 3.4.0 > **/ > void gnutls_memset(void *data, int c, size_t size) > { > - volatile unsigned volatile_zero = 0; > + volatile unsigned volatile_zero; > volatile char *vdata = (volatile char*)data; > +#ifdef HAVE_EXPLICIT_BZERO > + if (c == 0) { > + explicit_bzero(data, size); According to manpage: ``` It differs from bzero() in that it guarantees that compiler optimizations will not remove the erase operation if the compiler deduces that the operation is "unnecessary". ``` Implementation wise it adds a barrier after memset(). https://code.woboq.org/userspace/glibc/string/explicit_bzero.c.html -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/commit/d087db43e07c9b9df115ae9467bede5fa796c302#note_93287236 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Aug 8 15:10:02 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 08 Aug 2018 13:10:02 +0000 Subject: [gnutls-devel] GnuTLS | use a consistent method to mark fall-through in switch cases (!726) In-Reply-To: References: Message-ID: Merge Request !726 was approved by Daiki Ueno Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/726 Branches: tmp-consistent-falltrough to master Author: Nikos Mavrogiannopoulos Assignee: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/726 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Aug 8 15:18:15 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 08 Aug 2018 13:18:15 +0000 Subject: [gnutls-devel] GnuTLS | use a consistent method to mark fall-through in switch cases (!726) In-Reply-To: References: Message-ID: Reassigned Merge Request 726 https://gitlab.com/gnutls/gnutls/merge_requests/726 Assignee changed to Nikos Mavrogiannopoulos -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/726 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Aug 8 15:47:37 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 08 Aug 2018 13:47:37 +0000 Subject: [gnutls-devel] GnuTLS | gnutls_memset: use explicit_bzero (!728) In-Reply-To: References: Message-ID: Merge Request !728 was approved by Tim R?hsen Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/728 Branches: tmp-use-explicit-bzero to master Author: Nikos Mavrogiannopoulos Assignee: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/728 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Aug 8 16:22:27 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 08 Aug 2018 14:22:27 +0000 Subject: [gnutls-devel] GnuTLS | use a consistent method to mark fall-through in switch cases (!726) In-Reply-To: References: Message-ID: Merge Request !726 was merged Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/726 Branches: tmp-consistent-falltrough to master Author: Nikos Mavrogiannopoulos Assignee: Nikos Mavrogiannopoulos -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/726 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Aug 8 16:22:24 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 08 Aug 2018 14:22:24 +0000 Subject: [gnutls-devel] GnuTLS | switch statements: use a consistent way to fall through (#306) In-Reply-To: References: Message-ID: Issue was closed by Nikos Mavrogiannopoulos Issue #306: https://gitlab.com/gnutls/gnutls/issues/306 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/306 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Aug 8 16:37:13 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 08 Aug 2018 14:37:13 +0000 Subject: [gnutls-devel] GnuTLS | gnutls_memset: use explicit_bzero (!728) In-Reply-To: References: Message-ID: Thank you -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/728#note_93311100 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Aug 8 18:30:41 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 08 Aug 2018 16:30:41 +0000 Subject: [gnutls-devel] GnuTLS | gnutls_memset: use explicit_bzero (!728) In-Reply-To: References: Message-ID: Merge Request !728 was merged Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/728 Branches: tmp-use-explicit-bzero to master Author: Nikos Mavrogiannopoulos Assignee: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/728 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Aug 8 18:30:41 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 08 Aug 2018 16:30:41 +0000 Subject: [gnutls-devel] GnuTLS | GnuTLS should use explicit_bzero if available (#230) In-Reply-To: References: Message-ID: Issue was closed by Nikos Mavrogiannopoulos Issue #230: https://gitlab.com/gnutls/gnutls/issues/230 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/230 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Aug 8 18:30:41 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 08 Aug 2018 16:30:41 +0000 Subject: [gnutls-devel] GnuTLS | GnuTLS should use explicit_bzero if available (#230) In-Reply-To: References: Message-ID: Issue was closed by Nikos Mavrogiannopoulos Issue #230: https://gitlab.com/gnutls/gnutls/issues/230 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/230 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Aug 8 23:00:01 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 08 Aug 2018 21:00:01 +0000 Subject: [gnutls-devel] GnuTLS | Service Desk (from noloader@gmail.com): GnuTLS cannot find Nettle 3.4 (#526) In-Reply-To: References: Message-ID: Any news on this ? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/526#note_93384207 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Aug 9 16:29:29 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 09 Aug 2018 14:29:29 +0000 Subject: [gnutls-devel] GnuTLS | WIP: fixes from issues identified ny static analyzers (!729) References: Message-ID: New Merge Request !729 https://gitlab.com/gnutls/gnutls/merge_requests/729 Branches: tmp-fixes-cov to master Author: Nikos Mavrogiannopoulos Assignee: Approvers: Simon Josefsson, Dmitry Eremin-Solenikov, Hubert Kario, Tim R?hsen, Andreas Metzler, Daiki Ueno, Tom, Ander Juaristi, Tom?? Mr?z, Anderson Sasaki and GnuTLS devel mailing list Add a description of the new feature/bug fix. Reference any relevant bugs. ## Checklist * [ ] Code modified for feature * [ ] Test suite updated with functionality tests * [ ] Test suite updated with negative tests * [ ] Documentation updated ## Reviewer's checklist: * [ ] Any issues marked for closing are addressed * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md` * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/729 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat Aug 11 20:30:30 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sat, 11 Aug 2018 18:30:30 +0000 Subject: [gnutls-devel] GnuTLS | Session ticket key rotation with TOTP (!695) In-Reply-To: References: Message-ID: Ander Juaristi commented on a discussion on tests/suite/resume-with-stek-expiration.c: > + > + gnutls_bye(session, GNUTLS_SHUT_RDWR); > + gnutls_deinit(session); > + gnutls_certificate_free_credentials(serverx509cred); > + serverx509cred = NULL; > + } > + > +end: > + if (serverx509cred) > + gnutls_certificate_free_credentials(serverx509cred); > + gnutls_free(session_ticket_key.data); > +} > + > +void doit(void) > +{ > + pid_t child; Yes, but how does this line relate to that? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/695#note_93909113 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun Aug 12 04:27:56 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sun, 12 Aug 2018 02:27:56 +0000 Subject: [gnutls-devel] libtasn1 | Detecting Bug in libtasn1-4.12 by fuzzing. (#4) References: Message-ID: New Issue was created. Issue 4: https://gitlab.com/gnutls/libtasn1/issues/4 Author: stuartly Assignee: ## Description of problem: program was Killed when running asn1Parser to process a file. ## Version of libtasn1 used: libtasn1-4.12 ## Distributor of libtasn1 (e.g., Ubuntu, Fedora, RHEL) Ubuntu ## How reproducible: Steps to Reproduce: * intall libtasn1-4.12 * ./asn1Parser -c id\:000000\,sig\:11\,src\:000721\,op\:havoc\,rep\:2 Note that: id\:000000\,sig\:11\,src\:000721\,op\:havoc\,rep\:2 is in the attachment named Bug1-POC ## Expected results: stly at ubuntu:~/Documents/TargetFuzz/Benchmark/libtasn1-4.12/out-AFL-Org$ ../installed-Org/bin/asn1Parser -c crashes/id\:000000\,sig\:11\,src\:000721\,op\:havoc\,rep\:2 crashes/id:000000,sig:11,src:000721,op:havoc,rep:2:23: Warning: UniversalString is a built-in ASN.1 type. crashes/id:000000,sig:11,src:000721,op:havoc,rep:2:56: Warning: VisibleString is a built-in ASN.1 type. crashes/id:000000,sig:11,src:000721,op:havoc,rep:2:58: Warning: NumericString is a built-in ASN.1 type. crashes/id:000000,sig:11,src:000721,op:havoc,rep:2:60: Warning: IA5String is a built-in ASN.1 type. crashes/id:000000,sig:11,src:000721,op:havoc,rep:2:62: Warning: TeletexString is a built-in ASN.1 type. crashes/id:000000,sig:11,src:000721,op:havoc,rep:2:64: Warning: PrintableString is a built-in ASN.1 type. crashes/id:000000,sig:11,src:000721,op:havoc,rep:2:66: Warning: UniversalString is a built-in ASN.1 type. crashes/id:000000,sig:11,src:000721,op:havoc,rep:2:92: Warning: VisibleString is a built-in ASN.1 type. crashes/id:000000,sig:11,src:000721,op:havoc,rep:2:94: Warning: NumericString is a built-in ASN.1 type. crashes/id:000000,sig:11,src:000721,op:havoc,rep:2:96: Warning: IA5String is a built-in ASN.1 type. crashes/id:000000,sig:11,src:000721,op:havoc,rep:2:98: Warning: TeletexString is a built-in ASN.1 type. crashes/id:000000,sig:11,src:000721,op:havoc,rep:2:100: Warning: PrintableString is a built-in ASN.1 type. crashes/id:000000,sig:11,src:000721,op:havoc,rep:2:102: Warning: UniversalString is a built-in ASN.1 type. crashes/id:000000,sig:11,src:000721,op:havoc,rep:2:105: Warning: BMPString is a built-in ASN.1 type. crashes/id:000000,sig:11,src:000721,op:havoc,rep:2:126: Warning: VisibleString is a built-in ASN.1 type. crashes/id:000000,sig:11,src:000721,op:havoc,rep:2:128: Warning: NumericString is a built-in ASN.1 type. crashes/id:000000,sig:11,src:000721,op:havoc,rep:2:130: Warning: IA5String is a built-in ASN.1 type. crashes/id:000000,sig:11,src:000721,op:havoc,rep:2:132: Warning: TeletexString is a built-in ASN.1 type. crashes/id:000000,sig:11,src:000721,op:havoc,rep:2:134: Warning: PrintableString is a built-in ASN.1 type. crashes/id:000000,sig:11,src:000721,op:havoc,rep:2:136: Warning: UniversalString is a built-in ASN.1 type. crashes/id:000000,sig:11,src:000721,op:havoc,rep:2:163: Warning: VisibleString is a built-in ASN.1 type. crashes/id:000000,sig:11,src:000721,op:havoc,rep:2:165: Warning: NumericString is a built-in ASN.1 type. crashes/id:000000,sig:11,src:000721,op:havoc,rep:2:167: Warning: IA5String is a built-in ASN.1 type. crashes/id:000000,sig:11,src:000721,op:havoc,rep:2:169: Warning: TeletexString is a built-in ASN.1 type. crashes/id:000000,sig:11,src:000721,op:havoc,rep:2:171: Warning: PrintableString is a built-in ASN.1 type. Killed [Bug1-POC](/uploads/2fbc7e6c00ea8da8c5c6538d5b39ef81/Bug1-POC) -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/issues/4 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Aug 13 08:31:31 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 13 Aug 2018 06:31:31 +0000 Subject: [gnutls-devel] GnuTLS | racecondition in posix platform (#541) In-Reply-To: References: Message-ID: Issue was closed by Nikos Mavrogiannopoulos Issue #541: https://gitlab.com/gnutls/gnutls/issues/541 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/541 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Aug 13 08:31:30 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 13 Aug 2018 06:31:30 +0000 Subject: [gnutls-devel] GnuTLS | racecondition in posix platform (#541) In-Reply-To: References: Message-ID: I've opened the issue because I do not believe there is something confidential to be addressed here. I see that as a non-issue because on this bug you are actually reporting every use of access without any investigation on whether that's an issue or not. To report a security flaw it is important to understand what are you security against, and how does the library prevents you from doing that. Unless that information is there, I'll close that issue. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/541#note_94073002 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Aug 13 08:32:38 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 13 Aug 2018 06:32:38 +0000 Subject: [gnutls-devel] libtasn1 | Detecting Bug in libtasn1-4.13 by fuzzing. (#4) In-Reply-To: References: Message-ID: Thanks, would you like to submit an MR to address the issue? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/issues/4#note_94073150 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Aug 13 15:42:36 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 13 Aug 2018 13:42:36 +0000 Subject: [gnutls-devel] libtasn1 | Detecting Bug in libtasn1-4.13 by fuzzing. (#4) In-Reply-To: References: Message-ID: Yes, I will try. Nikos Mavrogiannopoulos ?2018?8?13??? ??2:32??? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/issues/4#note_94189286 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Aug 13 16:17:53 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 13 Aug 2018 14:17:53 +0000 Subject: [gnutls-devel] GnuTLS | update version numbers to final protocol version (#542) References: Message-ID: New Issue was created. Issue 542: https://gitlab.com/gnutls/gnutls/issues/542 Author: Nikos Mavrogiannopoulos Assignee: We need to update the TLS1.3 version number to the final protocol version as in: * https://tools.ietf.org/html/rfc8446 We should also ensure that the downgrade protection mechanism is in place in both client and server side and tested. - [ ] TLS1.3 numbers are updated - [ ] downgrade protection is available and tested in client side - [ ] downgrade protection is available and tested in server side -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/542 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Aug 13 16:18:41 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 13 Aug 2018 14:18:41 +0000 Subject: [gnutls-devel] GnuTLS | Session ticket key rotation with TOTP (!695) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos commented on a discussion on tests/suite/resume-with-stek-expiration.c: > + > + gnutls_bye(session, GNUTLS_SHUT_RDWR); > + gnutls_deinit(session); > + gnutls_certificate_free_credentials(serverx509cred); > + serverx509cred = NULL; > + } > + > +end: > + if (serverx509cred) > + gnutls_certificate_free_credentials(serverx509cred); > + gnutls_free(session_ticket_key.data); > +} > + > +void doit(void) > +{ > + pid_t child; I wanted to comment on the test as a whole, not for this particular line :) -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/695#note_94197157 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Aug 13 20:56:31 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 13 Aug 2018 18:56:31 +0000 Subject: [gnutls-devel] GnuTLS | oss-fuzz: test TLS 1.3 (#359) In-Reply-To: References: Message-ID: Reassigned Issue 359 https://gitlab.com/gnutls/gnutls/issues/359 Assignee changed to Nikos Mavrogiannopoulos -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/359 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Aug 13 20:56:32 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 13 Aug 2018 18:56:32 +0000 Subject: [gnutls-devel] GnuTLS | update version numbers to final protocol version (#542) In-Reply-To: References: Message-ID: Reassigned Issue 542 https://gitlab.com/gnutls/gnutls/issues/542 Assignee changed to Nikos Mavrogiannopoulos -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/542 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Aug 13 20:57:39 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 13 Aug 2018 18:57:39 +0000 Subject: [gnutls-devel] GnuTLS | WIP: Update library to use the final RFC8446 version numbers (!730) References: Message-ID: New Merge Request !730 https://gitlab.com/gnutls/gnutls/merge_requests/730 Branches: tmp-update-version-numbers to master Author: Nikos Mavrogiannopoulos Assignee: Approvers: Simon Josefsson, Dmitry Eremin-Solenikov, Hubert Kario, Tim R?hsen, Andreas Metzler, Daiki Ueno, Tom, Ander Juaristi, Tom?? Mr?z, Anderson Sasaki and GnuTLS devel mailing list This updates the library, the fuzzers and test suite to expect the final TLS1.3 (RFC8446) version numbers. ## Checklist * [x] Code modified for feature * [x] Test suite updated with functionality tests ## Reviewer's checklist: * [ ] Any issues marked for closing are addressed * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md` * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/730 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Aug 13 21:48:48 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 13 Aug 2018 19:48:48 +0000 Subject: [gnutls-devel] GnuTLS | doc: document the non-portability of NONE priority string (!731) References: Message-ID: New Merge Request !731 https://gitlab.com/gnutls/gnutls/merge_requests/731 Branches: tmp-document-none to master Author: Nikos Mavrogiannopoulos Assignee: Approvers: Simon Josefsson, Dmitry Eremin-Solenikov, Hubert Kario, Tim R?hsen, Andreas Metzler, Daiki Ueno, Tom, Ander Juaristi, Tom?? Mr?z, Anderson Sasaki and GnuTLS devel mailing list This documents the existing issues with creating a priority string starting with 'NONE'. ## Checklist * [x] Documentation updated ## Reviewer's checklist: * [ ] Any issues marked for closing are addressed * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md` * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/731 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Aug 14 10:53:29 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 14 Aug 2018 08:53:29 +0000 Subject: [gnutls-devel] GnuTLS | Session ticket key rotation with TOTP (!695) In-Reply-To: References: Message-ID: @juaristi is this ready for review? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/695#note_94358700 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Aug 14 14:29:39 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 14 Aug 2018 12:29:39 +0000 Subject: [gnutls-devel] GnuTLS | Fixes for issues identified by static analyzers (!729) In-Reply-To: References: Message-ID: Merge Request !729 was approved by Daiki Ueno Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/729 Branches: tmp-fixes-cov to master Author: Nikos Mavrogiannopoulos Assignee: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/729 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Aug 14 14:40:00 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 14 Aug 2018 12:40:00 +0000 Subject: [gnutls-devel] GnuTLS | Fixes for issues identified by static analyzers (!729) In-Reply-To: References: Message-ID: Reassigned Merge Request 729 https://gitlab.com/gnutls/gnutls/merge_requests/729 Assignee changed to Nikos Mavrogiannopoulos -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/729 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Aug 14 14:40:05 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 14 Aug 2018 12:40:05 +0000 Subject: [gnutls-devel] GnuTLS | Fixes for issues identified by static analyzers (!729) In-Reply-To: References: Message-ID: Merge Request !729 was merged Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/729 Branches: tmp-fixes-cov to master Author: Nikos Mavrogiannopoulos Assignee: Nikos Mavrogiannopoulos -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/729 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Aug 14 19:33:05 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 14 Aug 2018 17:33:05 +0000 Subject: [gnutls-devel] GnuTLS | doc: document the non-portability of NONE priority string (!731) In-Reply-To: References: Message-ID: Looks good, will (try to) approve. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/731#note_94482337 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Aug 14 19:33:21 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 14 Aug 2018 17:33:21 +0000 Subject: [gnutls-devel] GnuTLS | doc: document the non-portability of NONE priority string (!731) In-Reply-To: References: Message-ID: Merge Request !731 was approved by Andreas Metzler Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/731 Branches: tmp-document-none to master Author: Nikos Mavrogiannopoulos Assignee: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/731 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Aug 14 21:00:51 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 14 Aug 2018 19:00:51 +0000 Subject: [gnutls-devel] GnuTLS | GOST certificates/PKCS#7/PKCS#12 support (!654) In-Reply-To: References: Message-ID: Vladim?r ?un?t started a new discussion on lib/includes/gnutls/gnutls.h.in: > * @GNUTLS_DIG_SHA3_384: SHA3-384 algorithm. > * @GNUTLS_DIG_SHA3_512: SHA3-512 algorithm. > * @GNUTLS_DIG_MD5_SHA1: Combined MD5+SHA1 algorithm. > + * @GNUTLS_DIG_GOSTR_94: GOST R 34.10-94 algorithm. You seem to be consistently using "GOST R 34.10-94" in documentation even for the digest function, but all other sources I've seen use "GOST R 34.11-94", e.g. https://tools.ietf.org/html/rfc4357 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/654#note_94499212 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Aug 15 08:53:46 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 15 Aug 2018 06:53:46 +0000 Subject: [gnutls-devel] GnuTLS | doc: document the non-portability of NONE priority string (!731) In-Reply-To: References: Message-ID: Thank you! -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/731#note_94610060 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Aug 15 08:53:47 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 15 Aug 2018 06:53:47 +0000 Subject: [gnutls-devel] GnuTLS | doc: document the non-portability of NONE priority string (!731) In-Reply-To: References: Message-ID: Reassigned Merge Request 731 https://gitlab.com/gnutls/gnutls/merge_requests/731 Assignee changed to Nikos Mavrogiannopoulos -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/731 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Aug 15 09:44:41 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 15 Aug 2018 07:44:41 +0000 Subject: [gnutls-devel] GnuTLS | DTLS handshake failure for lost SessionTicket in 3.6.3 (#543) References: Message-ID: New Issue was created. Issue 543: https://gitlab.com/gnutls/gnutls/issues/543 Author: Hanno Becker Assignee: Running a GnuTLS 3.6.3 DTLS client, if the server's `NewSessionTicket` gets lost while the `ChangeCipherSpec` goes through, the client does not request retransmission by retransmitting his last flight, and the handshake comes to halt. Steps to reproduce using Mbed TLS 2.7, from within the Mbed TLS base directory: - Run UDP proxy emulating a lossy network `./programs/tests/udp_proxy server_addr=localhost server_port=10000 listen_addr=localhost listen_port=20000 drop=5 delay=5 duplicate=5 seed=14` - Run Mbed TLS server `./programs/ssl/ssl_server2 dtls=1 server_addr=localhost server_port=10000 crt_file=tests/data_files/server5.crt key_file=tests/data_files/server5.key` - Run GnuTLS 3.6.3 client `GNUTLS_DIR/gnutls-cli --udp --port=20000 --insecure localhost` The proxy log shows that the `NewSessionTicket` message gets dropped, while the `ChangeCipherSpec` goes through. Looking at the code, the following might be the reason: - When `_gnutls_recv_new_session_ticket()` is called first, it finds a CCS, which seems to be ignored but not dropped, see [here](https://github.com/gnutls/gnutls/blob/gnutls_3_6_3/lib/buffers.c#L1294). - When `_gnutls_recv_new_session_ticket()` is called again, the [retransmission timeout check]( https://github.com/gnutls/gnutls/blob/gnutls_3_6_3/lib/ext/session_ticket.c#L726) is omitted because `gnutls_record_check_pending()` signals the pending CCS. This leads to `_gnutls_io_recv_int()` being called, which as far as I see falls down to `_gnutls_recv_in_buffers` [here](https://github.com/gnutls/gnutls/blob/gnutls_3_6_3/lib/buffers.c#L1423) as the calls to `get_last_packet()` return `EAGAIN`. The timeout for the call to `_gnutls_recv_in_buffers` is the entire remaining maximum handshake time, and not the retransmission timeout (in the test ~38s), hence the handshake comes to a halt. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/543 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Aug 15 09:58:45 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 15 Aug 2018 07:58:45 +0000 Subject: [gnutls-devel] GnuTLS | GOST certificates/PKCS#7/PKCS#12 support (!654) In-Reply-To: References: Message-ID: Dmitry Eremin-Solenikov commented on a discussion on lib/includes/gnutls/gnutls.h.in: > * @GNUTLS_DIG_SHA3_384: SHA3-384 algorithm. > * @GNUTLS_DIG_SHA3_512: SHA3-512 algorithm. > * @GNUTLS_DIG_MD5_SHA1: Combined MD5+SHA1 algorithm. > + * @GNUTLS_DIG_GOSTR_94: GOST R 34.10-94 algorithm. @vcunat thanks for the notice, I will review documentation. Basically 34.10 is digital signature algorithm, while 34.11 is a digest. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/654#note_94621301 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Aug 15 10:07:04 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 15 Aug 2018 08:07:04 +0000 Subject: [gnutls-devel] GnuTLS | doc: document the non-portability of NONE priority string (!731) In-Reply-To: References: Message-ID: Merge Request !731 was merged Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/731 Branches: tmp-document-none to master Author: Nikos Mavrogiannopoulos Assignee: Nikos Mavrogiannopoulos -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/731 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Aug 15 11:22:24 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 15 Aug 2018 09:22:24 +0000 Subject: [gnutls-devel] GnuTLS | docs: stress the byte order in GOST key points (!732) References: Message-ID: New Merge Request !732 https://gitlab.com/gnutls/gnutls/merge_requests/732 Project:Branches: vcunat/gnutls:doc-gost to gnutls/gnutls:master Author: Vladim?r ?un?t Assignee: ## Checklist * [x] Documentation updated ## Reviewer's checklist: * [ ] Any issues marked for closing are addressed * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md` * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code - - - This is just a suggestion, feel free to amend. /cc @lumag I also noticed these new functions are mostly missing from https://www.gnutls.org/documentation.html but I don't know how that is generated/updated. Related: https://gitlab.com/gnutls/gnutls/merge_requests/654#note_94621301 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/732 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Aug 15 11:30:43 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 15 Aug 2018 09:30:43 +0000 Subject: [gnutls-devel] GnuTLS | docs: stress the byte order in GOST key points (!732) In-Reply-To: References: Message-ID: BTW, in case someone is interested where we're going to support GOST: https://gitlab.labs.nic.cz/knot/knot-dns/merge_requests/923 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/732#note_94638534 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Aug 15 13:12:24 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 15 Aug 2018 11:12:24 +0000 Subject: [gnutls-devel] GnuTLS | WIP: record_size_limit extension (!733) References: Message-ID: New Merge Request !733 https://gitlab.com/gnutls/gnutls/merge_requests/733 Branches: tmp-record-size-limit to master Author: Daiki Ueno Assignee: Approvers: Simon Josefsson, Nikos Mavrogiannopoulos, Dmitry Eremin-Solenikov, Hubert Kario, Tim R?hsen, Andreas Metzler, Tom, Ander Juaristi, Tom?? Mr?z, Anderson Sasaki and GnuTLS devel mailing list This implements [the record_size_limit extension](https://tools.ietf.org/html/draft-ietf-tls-record-limit-03). Although it obsoletes the max_record_size extension, for compatibility reasons GnuTLS still sends it on certain occasions. For example, when the new size is representable as a codepoint for max_record_size. Fixes #524 ## Checklist * [x] Code modified for feature * [x] Test suite updated with functionality tests * [ ] Test suite updated with negative tests * [ ] Documentation updated ## Reviewer's checklist: * [ ] Any issues marked for closing are addressed * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md` * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/733 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Aug 15 14:37:51 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 15 Aug 2018 12:37:51 +0000 Subject: [gnutls-devel] GnuTLS | Fix two typoes (overriden/guarranteed) (!734) References: Message-ID: New Merge Request !734 https://gitlab.com/gnutls/gnutls/merge_requests/734 Project:Branches: ametzler/gnutls:tmp-ametzler-typo-guarranteed_overriden to gnutls/gnutls:master Author: Andreas Metzler Assignee: Fix two typoes (overriden/guarranteed), cannot_be_overriden in hello_ext_entry_st is still left. ## Checklist * [ ] Code modified for feature * [ ] Test suite updated with functionality tests * [ ] Test suite updated with negative tests * [ ] Documentation updated ## Reviewer's checklist: * [ ] Any issues marked for closing are addressed * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md` * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/734 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Aug 15 14:48:46 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 15 Aug 2018 12:48:46 +0000 Subject: [gnutls-devel] GnuTLS | docs: stress the byte order in GOST key points (!732) In-Reply-To: References: Message-ID: @vcunat thank you. I will take a look in the evening. For the reference: GOSTs are particularly unclear about endianness and different areas tend to use different endianness approaches. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/732#note_94675727 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Aug 15 15:00:27 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 15 Aug 2018 13:00:27 +0000 Subject: [gnutls-devel] GnuTLS | WIP: RFC7250 certificate type negotiation (!498) In-Reply-To: References: Message-ID: Tom commented on a discussion on lib/ext/server_cert_type.c: > + _gnutls_session_server_cert_type_set(session, cert_type); > + ret = GNUTLS_E_SUCCESS; > + } else { > + // No valid cert type found > + ret = GNUTLS_E_UNSUPPORTED_CERTIFICATE_TYPE; > + } > + > + // Clean-up > + _gnutls_free_datum(&cert_types); > + > + return ret; > + > + } else // server mode > + { > + // Compare packet length with expected packet length. > + DECR_LEN(len, 1); I think it would be possible because there are no other extensions that depend on the certificate type I think. But how would you enforce that this extension will be parsed after the PSK extension? By putting it lower in the `hello_ext_entry_st`? That is already the case in my implementation. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/498#note_94677997 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Aug 15 15:04:49 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 15 Aug 2018 13:04:49 +0000 Subject: [gnutls-devel] GnuTLS | Fix two typoes (overriden/guarranteed) (!734) In-Reply-To: References: Message-ID: Merge Request !734 was approved by Tim R?hsen Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/734 Project:Branches: ametzler/gnutls:tmp-ametzler-typo-guarranteed_overriden to gnutls/gnutls:master Author: Andreas Metzler Assignee: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/734 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Aug 15 15:05:33 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 15 Aug 2018 13:05:33 +0000 Subject: [gnutls-devel] GnuTLS | Fix two typoes (overriden/guarranteed) (!734) In-Reply-To: References: Message-ID: Merge Request !734 was unapproved by Tim R?hsen Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/734 Project:Branches: ametzler/gnutls:tmp-ametzler-typo-guarranteed_overriden to gnutls/gnutls:master Author: Andreas Metzler Assignee: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/734 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Aug 15 15:06:18 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 15 Aug 2018 13:06:18 +0000 Subject: [gnutls-devel] GnuTLS | Fix two typoes (overriden/guarranteed) (!734) In-Reply-To: References: Message-ID: You have a typo in the subject "typoes -> typos" ;-) -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/734#note_94678941 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Aug 15 15:19:20 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 15 Aug 2018 13:19:20 +0000 Subject: [gnutls-devel] GnuTLS | Session ticket key rotation with TOTP (!695) In-Reply-To: References: Message-ID: Hi @nmav, Yes, it's ready. Just one detail to be taken care of. The tests do not explicitly check whether the key has been rotated. It is assumed that it was, since session was successfully resumed (and would fail otherwise), but not explicitly checked. To do this I would need to call some GnuTLS internal function from the tests, and so far haven't figured out how to do that. Do you have any clue? Could you point me at some other tests that do this (call internal functions) so I can have a look at them? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/695#note_94681523 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Aug 15 16:59:54 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 15 Aug 2018 14:59:54 +0000 Subject: [gnutls-devel] GnuTLS | Fix two typoes (overriden/guarranteed) (!734) In-Reply-To: References: Message-ID: > You have a typo in the subject "typoes -> typos" ;-) Ah, the plural of "typo" is "typos". Live and learn. :-) -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/734#note_94703747 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Aug 16 13:24:26 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 16 Aug 2018 11:24:26 +0000 Subject: [gnutls-devel] GnuTLS | Fix two typoes (overriden/guarranteed) (!734) In-Reply-To: References: Message-ID: If you push -f a change, I would approve+merge the MR :-) -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/734#note_94888295 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Aug 16 18:23:26 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 16 Aug 2018 16:23:26 +0000 Subject: [gnutls-devel] GnuTLS | Service Desk (from tk@giga.or.at): gnutls-3.6.3: two problems on NetBSD (#544) In-Reply-To: References: Message-ID: Can you provide more info on the core dump? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/544#note_94959630 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Aug 16 18:25:41 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 16 Aug 2018 16:25:41 +0000 Subject: [gnutls-devel] GnuTLS | Session ticket key rotation with TOTP (!695) In-Reply-To: References: Message-ID: See `x509sign-verify-error.c` and its use of `_gnutls_lib_simulate_error` which is exported as an internal symbol (in the map file it has the version `GNUTLS_PRIVATE_3_4`) -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/695#note_94959959 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Aug 16 18:32:34 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 16 Aug 2018 16:32:34 +0000 Subject: [gnutls-devel] GnuTLS | RFC7250 certificate type negotiation (!498) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos commented on a discussion on lib/ext/server_cert_type.c: > + _gnutls_session_server_cert_type_set(session, cert_type); > + ret = GNUTLS_E_SUCCESS; > + } else { > + // No valid cert type found > + ret = GNUTLS_E_UNSUPPORTED_CERTIFICATE_TYPE; > + } > + > + // Clean-up > + _gnutls_free_datum(&cert_types); > + > + return ret; > + > + } else // server mode > + { > + // Compare packet length with expected packet length. > + DECR_LEN(len, 1); The problem is that you cannot do that. The PSK extension must be sent last according to tls 1.3, and the order of parsing and sending is determined by the order in that structure. The preshared key extension has parse type `GNUTLS_EXT_TLS` which is the type to be parsed last from the "exported" parse types. However there is the type `_GNUTLS_EXT_TLS_POST_CS` which is used by internal extensions and is parsed after the `EXT_TLS` type by `read_client_hello`. Would that work? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/498#note_94961005 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Aug 16 19:10:12 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 16 Aug 2018 17:10:12 +0000 Subject: [gnutls-devel] GnuTLS | Fix two typoes (overriden/guarranteed) (!734) In-Reply-To: References: Message-ID: Tim R?hsen @rockdaboot wrote > If you push -f a change, I would approve+merge the MR :-) Okay, done that. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/734#note_94967058 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Aug 16 20:42:15 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 16 Aug 2018 18:42:15 +0000 Subject: [gnutls-devel] GnuTLS | Fix two typoes (overriden/guarranteed) (!734) In-Reply-To: References: Message-ID: Merge Request !734 was approved by Tim R?hsen Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/734 Project:Branches: ametzler/gnutls:tmp-ametzler-typo-guarranteed_overriden to gnutls/gnutls:master Author: Andreas Metzler Assignee: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/734 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Aug 16 20:42:30 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 16 Aug 2018 18:42:30 +0000 Subject: [gnutls-devel] GnuTLS | Fix two typoes (overriden/guarranteed) (!734) In-Reply-To: References: Message-ID: Please restart the one failing pipeline job, Fedora.x86 (I can't do it for your repo). @nmav Is it possible to use a pre-installed gnulib from the CI image (Fedora.x86) ? Savannah is / was down... -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/734#note_94981584 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Aug 16 20:59:43 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 16 Aug 2018 18:59:43 +0000 Subject: [gnutls-devel] GnuTLS | Fix two typoes (overriden/guarranteed) (!734) In-Reply-To: References: Message-ID: @rockdaboot the `/builds/common/gnulib` directory is there. Not sure why bootstrap tries to download it. You can verify as: ``` docker run registry.gitlab.com/gnutls/build-images:buildenv-f28-x86 /bin/bash -ti ``` -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/734#note_94983981 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Aug 16 21:03:16 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 16 Aug 2018 19:03:16 +0000 Subject: [gnutls-devel] GnuTLS | Fix two typoes (overriden/guarranteed) (!734) In-Reply-To: References: Message-ID: No time to test it tonight. Is the image not too old ? Are the env variables correctly set (GNULIB_SRCDIR and GNULIB_TOOL) ? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/734#note_94984504 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Aug 16 21:24:16 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 16 Aug 2018 19:24:16 +0000 Subject: [gnutls-devel] GnuTLS | Fix two typoes (overriden/guarranteed) (!734) In-Reply-To: References: Message-ID: Seems to be right ``` # env|grep GNULIB GNULIB_SRCDIR=/builds/common/gnulib GNULIB_TOOL=/builds/common/gnulib/gnulib-tool ``` -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/734#note_94991502 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Aug 16 21:27:27 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 16 Aug 2018 19:27:27 +0000 Subject: [gnutls-devel] GnuTLS | Fix two typos (overriden/guarranteed) (!734) In-Reply-To: References: Message-ID: Maybe it is too old, I'm regenerating it. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/734#note_94992378 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Aug 17 05:33:59 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 17 Aug 2018 03:33:59 +0000 Subject: [gnutls-devel] GnuTLS | gnutls-cli sending incorrect data to IRC servers (#545) References: Message-ID: New Issue was created. Issue 545: https://gitlab.com/gnutls/gnutls/issues/545 Author: Jay Kamat Assignee: Hi, I'm a user of gnutls-cli, and while I don't know exactly what is wrong, I think there has been a regression in the 3.6.x line. When using gnutls-cli to connect to freenode, and joining a channel, freenode returns "invalid command" on 3.6.x but not 3.5.19 ``` $ src/gnutls-cli --insecure chat.freenode.net -p 6697 Processed 0 CA certificate(s). Resolving 'chat.freenode.net:6697'... Connecting to '2600:3c02::f03c:91ff:fe59:7d2e:6697'... - Certificate type: X.509 - Got a certificate list of 2 certificates. - Certificate[0] info: - subject `CN=moon.freenode.net', issuer `CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US', serial 0x03cb534cf7f15ebee7803920301991ee1625, RSA key 4096 bits, signed using RSA-SHA256, activated `2018-07-20 17:47:51 UTC', expires `2018-10-18 17:47:51 UTC', pin-sha256="CqI0jeD7wEejQQ0BFjZhYP/VIEgy7fhy8rKRxMp8YAY=" Public Key ID: sha1:2b0af114ed176f00dda73af4cc805890af6da59e sha256:0aa2348de0fbc047a3410d0116366160ffd5204832edf872f2b291c4ca7c6006 Public Key PIN: pin-sha256:CqI0jeD7wEejQQ0BFjZhYP/VIEgy7fhy8rKRxMp8YAY= - Certificate[1] info: - subject `CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US', issuer `CN=DST Root CA X3,O=Digital Signature Trust Co.', serial 0x0a0141420000015385736a0b85eca708, RSA key 2048 bits, signed using RSA-SHA256, activated `2016-03-17 16:40:46 UTC', expires `2021-03-17 16:40:46 UTC', pin-sha256="YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg=" - Status: The certificate is NOT trusted. The certificate issuer is unknown. *** PKI verification of server certificate failed... - Successfully sent 0 certificate(s) to server. - Description: (TLS1.2)-(ECDHE-X25519)-(RSA-SHA512)-(AES-256-GCM) - Session ID: C9:42:34:A8:26:56:17:1D:50:CC:0D:7B:BA:02:55:D8:42:1E:E3:66:84:46:F8:FA:31:39:69:B9:51:09:7A:B7 - Ephemeral EC Diffie-Hellman parameters - Using curve: X25519 - Curve size: 256 bits - Version: TLS1.2 - Key Exchange: ECDHE-RSA - Server Signature: RSA-SHA512 - Cipher: AES-256-GCM - MAC: AEAD - Options: extended master secret, safe renegotiation, - Handshake was completed - Simple Client Mode: :moon.freenode.net NOTICE * :*** Looking up your hostname... :moon.freenode.net NOTICE * :*** Checking Ident :moon.freenode.net NOTICE * :*** Couldn't look up your hostname NICK joebloe USER joebloe 0.0.0.0 joe :Joe Bloe :moon.freenode.net NOTICE * :*** No Ident response :moon.freenode.net 451 * :You have not registered :moon.freenode.net 001 joebloe :Welcome to the freenode Internet Relay Chat Network joebloe [] JOIN #flood :joebloe!~joebloe at 2601:647:5801:7d1f::672f JOIN #flood :moon.freenode.net 332 joebloe #flood :Topic for #flood: Please don't paste useless stuff, such as ascii art or the nicks in #flood | If you abuse this channel, you will be banned temporarily | Remove comments from lengthy files (ex: grep -v '^#' file) | For large amounts of text, consider a paste site (like http://pastie.org/ or http://channels.debian.net/paste/), or a separate channel | Problems? /msg dondelelcaro, Udon :moon.freenode.net 333 joebloe #flood dondelelcaro!~don at hemlock.ucr.edu 1287079923 :moon.freenode.net 353 joebloe = #flood :joebloe alphamule altendky moser Evidlo benzalaniline diarything Erkan_Yilmaz martiniss_ hieronymus naf hodapp mrsteveman1 ArneBab xnox mondkalbantrieb_ Stitch1 ketas DuClare mbo_ noeatnosleep makomk Foxtrot ipv6_user :moon.freenode.net 366 joebloe #flood :End of /NAMES list. :moon.freenode.net 421 joebloe nnect!frigg at freenode/utility-bot/frigg :Unknown command :joebloe!~joebloe at 2601:647:5801:7d1f::672f NOTICE joebloe :Due to the persistent ongoing spam, all new connections are being set +R (block messages from unidentified users) and will be scanned for vulnerabilities. This will not harm your computer, and vulnerable hosts will be notified. ``` The `:moon.freenode.net 421 joebloe nnect!frigg at freenode/utility-bot/frigg :Unknown command` line is the odd one. Freenode (and any other irc server that I tried at least) seems to think we are sending invalid commands (although the exact error changes) every time something is sent. I bisected this, and I think f138ff85d is the first commit with the issue. Please let me know if I can provide any additional information! -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/545 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Aug 17 08:25:11 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 17 Aug 2018 06:25:11 +0000 Subject: [gnutls-devel] GnuTLS | gnutls-cli sending incorrect data to IRC servers (#545) In-Reply-To: References: Message-ID: Hi, does b2f18aeeb8aee0eb62d6ce430dd0c848ccc2bc63 address the issue? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/545#note_95054147 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Aug 17 13:13:13 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 17 Aug 2018 11:13:13 +0000 Subject: [gnutls-devel] GnuTLS | test the reception of multiple and split async handshake messages (NST) (#511) In-Reply-To: References: Message-ID: Reassigned Issue 511 https://gitlab.com/gnutls/gnutls/issues/511 Assignee changed to Hubert Kario -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/511 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Aug 17 14:35:16 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 17 Aug 2018 12:35:16 +0000 Subject: [gnutls-devel] GnuTLS | WIP: RFC7250 certificate type negotiation (!498) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos commented on a discussion on lib/ext/server_cert_type.c: > + _gnutls_session_server_cert_type_set(session, cert_type); > + ret = GNUTLS_E_SUCCESS; > + } else { > + // No valid cert type found > + ret = GNUTLS_E_UNSUPPORTED_CERTIFICATE_TYPE; > + } > + > + // Clean-up > + _gnutls_free_datum(&cert_types); > + > + return ret; > + > + } else // server mode > + { > + // Compare packet length with expected packet length. > + DECR_LEN(len, 1); Ok, makes sense. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/498#note_95129112 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Aug 17 14:46:13 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 17 Aug 2018 12:46:13 +0000 Subject: [gnutls-devel] GnuTLS | gnutls_session_resumption_requested: is not functional under TLS1.3 (#546) References: Message-ID: New Issue was created. Issue 546: https://gitlab.com/gnutls/gnutls/issues/546 Author: Nikos Mavrogiannopoulos Assignee: The value returned by gnutls_session_resumption_requested() is always false under TLS1.3. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/546 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Aug 17 14:46:16 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 17 Aug 2018 12:46:16 +0000 Subject: [gnutls-devel] GnuTLS | gnutls_session_resumption_requested: is not functional under TLS1.3 (#546) In-Reply-To: References: Message-ID: Reassigned Issue 546 https://gitlab.com/gnutls/gnutls/issues/546 Assignee changed to Nikos Mavrogiannopoulos -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/546 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Aug 17 14:53:17 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 17 Aug 2018 12:53:17 +0000 Subject: [gnutls-devel] GnuTLS | Fix gnutls_session_resumption_requested (!735) References: Message-ID: New Merge Request !735 https://gitlab.com/gnutls/gnutls/merge_requests/735 Branches: tmp-fix-resumption-requested to master Author: Nikos Mavrogiannopoulos Assignee: Approvers: Simon Josefsson, Dmitry Eremin-Solenikov, Hubert Kario, Tim R?hsen, Andreas Metzler, Daiki Ueno, Tom, Ander Juaristi, Tom?? Mr?z, Anderson Sasaki and GnuTLS devel mailing list This fixes gnutls_session_resumption_requested() under TLS1.3. ## Checklist * [x] Code modified for feature * [x] Test suite updated with functionality tests ## Reviewer's checklist: * [ ] Any issues marked for closing are addressed * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md` * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/735 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Aug 17 14:56:57 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 17 Aug 2018 12:56:57 +0000 Subject: [gnutls-devel] GnuTLS | bootstrap fails often due to savannah (#547) References: Message-ID: New Issue was created. Issue 547: https://gitlab.com/gnutls/gnutls/issues/547 Author: Nikos Mavrogiannopoulos Assignee: It seems that ./bootstrap attempts to contact savannah.gnu.org even if the gnulib directory is present. That due to savannah instability causes several CI failures. The bootstrap script should not have attempted to contact savannah since we ship a recent copy of gnulib in our CI images. ``` ./bootstrap: getting gnulib files... Submodule 'gnulib' (https://git.savannah.gnu.org/git/gnulib.git) registered for path 'gnulib' Cloning into '/builds/gnutls/gnutls/gnulib'... fatal: unable to access 'https://git.savannah.gnu.org/git/gnulib.git/': The requested URL returned error: 502 ``` -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/547 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Aug 17 15:03:50 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 17 Aug 2018 13:03:50 +0000 Subject: [gnutls-devel] GnuTLS | Service Desk (from tk@giga.or.at): gnutls-3.6.3: two problems on NetBSD (#544) In-Reply-To: References: Message-ID: (gdb) bt #0 0x000076184023eb3a in kill () from /usr/lib/libc.so.12 #1 0x0000761841a0b430 in pthread__assertfunc (file=file at entry=0x761841a0c3d0 "/usr/src/lib/libpthread/pthread_tsd.c", line=line at entry=176, function=function at entry=0x761841a0c480 "pthread__add_specific", expr=expr at entry=0x761841a0c410 "pthread__tsd_destructors[key] != NULL") at /usr/src/lib/libpthread/pthread.c:1100 #2 0x0000761841a07aed in pthread__add_specific (self=0x761842f09800, key=0, value=value at entry=0x0) at /usr/src/lib/libpthread/pthread_tsd.c:176 #3 0x0000761841a07d86 in pthread_setspecific (key=, value=value at entry=0x0) at /usr/src/lib/libpthread/pthread_specific.c:69 #4 0x00007618426f6546 in p11_library_uninit () at common/library.c:153 #5 0x000076184262f509 in ?? () from /usr/pkg/lib/libp11-kit.so.0 #6 0x0000761842f16d00 in ?? () #7 0x00007618426f6629 in ?? () from /usr/pkg/lib/libp11-kit.so.0 #8 0x0000000000000000 in ?? () Looking at the p11-kit source code I see: void p11_library_uninit (void) { uninit_common (); /* Some cleanup to pacify valgrind */ free (pthread_getspecific (thread_local)); pthread_setspecific (thread_local, NULL); #ifdef HAVE_STRERROR_L freelocale (p11_message_locale); #endif p11_message_storage = dont_store_message; pthread_key_delete (thread_local); p11_mutex_uninit (&p11_virtual_mutex); p11_mutex_uninit (&p11_library_mutex); } where pthread_setspecific is in line 153. Is this possibly a problem in p11-kit instead? Thomas P.S.: Is this bug report available via HTTP(S) as well? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/544#note_95134764 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Aug 17 15:05:17 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 17 Aug 2018 13:05:17 +0000 Subject: [gnutls-devel] GnuTLS | WIP: RFC7250 certificate type negotiation (!498) In-Reply-To: References: Message-ID: Tom commented on a discussion on lib/ext/server_cert_type.c: > + _gnutls_session_server_cert_type_set(session, cert_type); > + ret = GNUTLS_E_SUCCESS; > + } else { > + // No valid cert type found > + ret = GNUTLS_E_UNSUPPORTED_CERTIFICATE_TYPE; > + } > + > + // Clean-up > + _gnutls_free_datum(&cert_types); > + > + return ret; > + > + } else // server mode > + { > + // Compare packet length with expected packet length. > + DECR_LEN(len, 1); Alright, I'll update my code to make sure that the PSK extension will be last and include the extra resumption checks. Then I think we are there. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/498#note_95135053 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Aug 17 16:06:36 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 17 Aug 2018 14:06:36 +0000 Subject: [gnutls-devel] GnuTLS | tls13/psk_ext_parser: simplify the iterator interface (!736) References: Message-ID: New Merge Request !736 https://gitlab.com/gnutls/gnutls/merge_requests/736 Branches: tmp-psk-ext-refactor to master Author: Daiki Ueno Assignee: Approvers: Simon Josefsson, Nikos Mavrogiannopoulos, Dmitry Eremin-Solenikov, Hubert Kario, Tim R?hsen, Andreas Metzler, Tom, Ander Juaristi, Tom?? Mr?z, Anderson Sasaki and GnuTLS devel mailing list Since the OfferedPsks struct consists of two arrays (identities and binders), we can traverse them in parallel; that eliminates `_gnutls13_psk_ext_parser_find_binder()` and out-of-bound index checks. ## Reviewer's checklist: * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/736 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Aug 17 17:06:12 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 17 Aug 2018 15:06:12 +0000 Subject: [gnutls-devel] GnuTLS | gnutls-cli sending incorrect data to IRC servers (#545) In-Reply-To: References: Message-ID: Yes, it does, sorry for the noise. I'll be waiting for the next 3.6.x release :) Thanks for all the work you do on gnults! -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/545#note_95164132 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Aug 17 17:06:14 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 17 Aug 2018 15:06:14 +0000 Subject: [gnutls-devel] GnuTLS | gnutls-cli sending incorrect data to IRC servers (#545) In-Reply-To: References: Message-ID: Issue was closed by Jay Kamat Issue #545: https://gitlab.com/gnutls/gnutls/issues/545 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/545 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Aug 17 17:14:30 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 17 Aug 2018 15:14:30 +0000 Subject: [gnutls-devel] GnuTLS | WIP: RFC7250 certificate type negotiation (!498) In-Reply-To: References: Message-ID: All discussions on Merge Request !498 were resolved by Tom https://gitlab.com/gnutls/gnutls/merge_requests/498 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/498 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat Aug 18 07:07:45 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sat, 18 Aug 2018 05:07:45 +0000 Subject: [gnutls-devel] GnuTLS | Fix two typos (overriden/guarranteed) (!734) In-Reply-To: References: Message-ID: This is now marked "*Ready to be merged automatically. Ask someone with write access to this repository to merge this request.*" -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/734#note_95241731 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat Aug 18 10:22:22 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sat, 18 Aug 2018 08:22:22 +0000 Subject: [gnutls-devel] GnuTLS | Fix two typos (overriden/guarranteed) (!734) In-Reply-To: References: Message-ID: Merge Request !734 was merged Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/734 Project:Branches: ametzler/gnutls:tmp-ametzler-typo-guarranteed_overriden to gnutls/gnutls:master Author: Andreas Metzler Assignee: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/734 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun Aug 19 06:34:43 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sun, 19 Aug 2018 04:34:43 +0000 Subject: [gnutls-devel] GnuTLS | bootstrap fails often due to savannah (#547) In-Reply-To: References: Message-ID: Issue was closed by Nikos Mavrogiannopoulos Issue #547: https://gitlab.com/gnutls/gnutls/issues/547 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/547 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun Aug 19 06:47:18 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sun, 19 Aug 2018 04:47:18 +0000 Subject: [gnutls-devel] GnuTLS | bootstrap fails often due to savannah (#547) In-Reply-To: References: Message-ID: @rockdaboot I've worked around it by using the same mirror as libidn2 to address the failing builds, but if you have any better idea that doesn't require cloning at all I think it would be best. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/547#note_95309504 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun Aug 19 06:52:12 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sun, 19 Aug 2018 04:52:12 +0000 Subject: [gnutls-devel] GnuTLS | Service Desk (from tk@giga.or.at): gnutls-3.6.3: two problems on NetBSD (#544) In-Reply-To: References: Message-ID: The issue looks p11-kit related, and there have been few changes in the latest versions regarding threading. You may want to try the latest version. Yes, the report is at: https://gitlab.com/gnutls/gnutls/issues/544 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/544#note_95309590 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun Aug 19 07:51:53 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sun, 19 Aug 2018 05:51:53 +0000 Subject: [gnutls-devel] GnuTLS | Service Desk (from tk@giga.or.at): gnutls-3.6.3: two problems on NetBSD (#544) In-Reply-To: References: Message-ID: Thank you for the pointer! Updating to the latest p11-kit did indeed fix this issue. There's a new error now, probably hidden before because tests stop when there are failures in one directory: FAIL: pkcs12-utf8 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/544#note_95311037 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun Aug 19 10:48:01 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sun, 19 Aug 2018 08:48:01 +0000 Subject: [gnutls-devel] GnuTLS | Service Desk (from tk@giga.or.at): gnutls-3.6.3: two problems on NetBSD (#544) In-Reply-To: References: Message-ID: For utf8 gnutls relies on libunistring (and in some cases libidn2). Do you have the latest version of these libs? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/544#note_95317525 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun Aug 19 11:33:32 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sun, 19 Aug 2018 09:33:32 +0000 Subject: [gnutls-devel] GnuTLS | Service Desk (from tk@giga.or.at): gnutls-3.6.3: two problems on NetBSD (#544) In-Reply-To: References: Message-ID: > For utf8 gnutls relies on libunistring (and in some cases libidn2). Do you have the latest version of these libs? libunistring 0.9.10 is installed, https://www.gnu.org/software/libunistring/#TOCdownloading says it's the latest. libidn2 was not installed, but when I add it, the test fails in the same way. Thomas -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/544#note_95319865 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun Aug 19 12:37:55 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sun, 19 Aug 2018 10:37:55 +0000 Subject: [gnutls-devel] GnuTLS | bootstrap fails often due to savannah (#547) In-Reply-To: References: Message-ID: In the gnutls/ dir, before `./bootstrap`: ``` $ rm -rf gnulib $ cp -a $GNULIB_SRCDIR ./gnulib ... ``` `./bootstrap` then automatically checks out the right version/commit in gnulib/, and here I can't see any access to upstream. At least if the gnulib/ dir is fresh enough. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/547#note_95322767 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun Aug 19 12:39:39 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sun, 19 Aug 2018 10:39:39 +0000 Subject: [gnutls-devel] GnuTLS | bootstrap fails often due to savannah (#547) In-Reply-To: References: Message-ID: If gnulib/ is too old, `./bootstrap` will pull from upstream. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/547#note_95322899 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun Aug 19 14:21:22 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sun, 19 Aug 2018 12:21:22 +0000 Subject: [gnutls-devel] GnuTLS | bootstrap fails often due to savannah (#547) In-Reply-To: References: Message-ID: In the cases it happened it was a few days old image. It may be the oldness rule is too agressive -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/547#note_95331207 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun Aug 19 14:21:40 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sun, 19 Aug 2018 12:21:40 +0000 Subject: [gnutls-devel] GnuTLS | bootstrap fails often due to savannah (#547) In-Reply-To: References: Message-ID: Issue was reopened by Nikos Mavrogiannopoulos Issue 547: https://gitlab.com/gnutls/gnutls/issues/547 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/547 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun Aug 19 19:00:27 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sun, 19 Aug 2018 17:00:27 +0000 Subject: [gnutls-devel] GnuTLS | .gitlab-ci.yml: use --no-git to bootstrap (!737) References: Message-ID: New Merge Request !737 https://gitlab.com/gnutls/gnutls/merge_requests/737 Branches: tmp-no-git-in-bootstrap to master Author: Nikos Mavrogiannopoulos Assignee: Approvers: Simon Josefsson, Dmitry Eremin-Solenikov, Hubert Kario, Tim R?hsen, Andreas Metzler, Daiki Ueno, Tom, Ander Juaristi, Tom?? Mr?z, Anderson Sasaki and GnuTLS devel mailing list That is, to reduce CI time, and avoid failures due to non-availability of the gnulib git repo. ## Checklist * [x] Code modified for feature * [ ] verified that no git was accessed in CI logs ## Reviewer's checklist: * [ ] Any issues marked for closing are addressed * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md` * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/737 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun Aug 19 19:01:41 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sun, 19 Aug 2018 17:01:41 +0000 Subject: [gnutls-devel] GnuTLS | .gitlab-ci.yml: use --no-git to bootstrap (!737) In-Reply-To: References: Message-ID: Reassigned Merge Request 737 https://gitlab.com/gnutls/gnutls/merge_requests/737 Assignee changed to Nikos Mavrogiannopoulos -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/737 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun Aug 19 19:01:46 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sun, 19 Aug 2018 17:01:46 +0000 Subject: [gnutls-devel] GnuTLS | .gitlab-ci.yml: use --no-git to bootstrap (!737) In-Reply-To: References: Message-ID: Reassigned Merge Request 737 https://gitlab.com/gnutls/gnutls/merge_requests/737 Assignee changed from Nikos Mavrogiannopoulos to Unassigned -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/737 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun Aug 19 19:02:06 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sun, 19 Aug 2018 17:02:06 +0000 Subject: [gnutls-devel] GnuTLS | bootstrap fails often due to savannah (#547) In-Reply-To: References: Message-ID: Reassigned Issue 547 https://gitlab.com/gnutls/gnutls/issues/547 Assignee changed to Nikos Mavrogiannopoulos -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/547 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun Aug 19 19:02:57 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sun, 19 Aug 2018 17:02:57 +0000 Subject: [gnutls-devel] GnuTLS | bootstrap fails often due to savannah (#547) In-Reply-To: References: Message-ID: It seems that bootstrap has the `--no-git` option; in !737 I modify .gitlab-ci.yml to call that. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/547#note_95375822 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Aug 20 09:22:16 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 20 Aug 2018 07:22:16 +0000 Subject: [gnutls-devel] GnuTLS | .gitlab-ci.yml: use --no-git to bootstrap (!737) In-Reply-To: References: Message-ID: Merge Request !737 was approved by Tim R?hsen Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/737 Branches: tmp-no-git-in-bootstrap to master Author: Nikos Mavrogiannopoulos Assignee: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/737 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Aug 20 09:22:26 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 20 Aug 2018 07:22:26 +0000 Subject: [gnutls-devel] GnuTLS | bootstrap fails often due to savannah (#547) In-Reply-To: References: Message-ID: Issue was closed by Tim R?hsen Issue #547: https://gitlab.com/gnutls/gnutls/issues/547 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/547 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Aug 20 09:22:25 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 20 Aug 2018 07:22:25 +0000 Subject: [gnutls-devel] GnuTLS | .gitlab-ci.yml: use --no-git to bootstrap (!737) In-Reply-To: References: Message-ID: Merge Request !737 was merged Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/737 Branches: tmp-no-git-in-bootstrap to master Author: Nikos Mavrogiannopoulos Assignee: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/737 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Aug 20 09:51:18 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 20 Aug 2018 07:51:18 +0000 Subject: [gnutls-devel] GnuTLS | Session ticket key rotation with TOTP (!695) In-Reply-To: References: Message-ID: Reassigned Merge Request 695 https://gitlab.com/gnutls/gnutls/merge_requests/695 Assignee changed from Nikos Mavrogiannopoulos to Unassigned -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/695 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Aug 20 09:51:31 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 20 Aug 2018 07:51:31 +0000 Subject: [gnutls-devel] GnuTLS | Session ticket key rotation with TOTP (!695) In-Reply-To: References: Message-ID: I'm removing me from assignee as I'll be on holidays until mid-september which is close to release time. When you are confident on this feature please ask a review. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/695#note_95437392 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Aug 20 10:02:33 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 20 Aug 2018 08:02:33 +0000 Subject: [gnutls-devel] GnuTLS | Fix gnutls_session_resumption_requested (!735) In-Reply-To: References: Message-ID: It looks good to me; perhaps `gnutls_session_set_data()` no longer needs to set `session->internals.resumption_requested`: https://gitlab.com/gnutls/gnutls/blob/master/lib/session.c#L295 because the document of `gnutls_session_resumption_requested()` says it is valid only on server. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/735#note_95439842 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Aug 20 10:03:00 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 20 Aug 2018 08:03:00 +0000 Subject: [gnutls-devel] GnuTLS | record_size_limit extension (!733) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos started a new discussion on lib/ext/Makefile.am: > psk_ke_modes.c psk_ke_modes.h pre_shared_key.c pre_shared_key.h \ comment on the commit message. We should refer to the final RFC instead https://tools.ietf.org/html/rfc8449 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/733#note_95439931 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Aug 20 10:04:52 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 20 Aug 2018 08:04:52 +0000 Subject: [gnutls-devel] GnuTLS | Fix gnutls_session_resumption_requested (!735) In-Reply-To: References: Message-ID: Merge Request !735 was approved by Daiki Ueno Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/735 Branches: tmp-fix-resumption-requested to master Author: Nikos Mavrogiannopoulos Assignee: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/735 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Aug 20 10:09:39 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 20 Aug 2018 08:09:39 +0000 Subject: [gnutls-devel] GnuTLS | record_size_limit extension (!733) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos started a new discussion on lib/ext/max_record.c: > * connection. This property can only be set to clients. The server > * may choose not to accept the requested size. > * > - * Acceptable values are 512(=2^9), 1024(=2^10), 2048(=2^11) and > - * 4096(=2^12). The requested record size does get in effect > - * immediately only while sending data. The receive part will take > - * effect after a successful handshake. > + * The requested record size does get in effect immediately only while > + * sending data. The receive part will take effect after a successful > + * handshake. > * Shouldn't we document the fact that prior to 3.6.4, that function would fail if ...? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/733#note_95442814 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Aug 20 10:21:10 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 20 Aug 2018 08:21:10 +0000 Subject: [gnutls-devel] GnuTLS | record_size_limit extension (!733) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos started a new discussion on lib/ext/record_size_limit.c: > +}; > + > +static int > +_gnutls_record_size_limit_recv_params(gnutls_session_t session, > + const uint8_t * data, size_t _data_size) > +{ > + ssize_t new_size; > + ssize_t data_size = _data_size; > + > + DECR_LEN(data_size, 2); > + new_size = _gnutls_read_uint16(data); > + > + /* treat receipt of a smaller value as a fatal error */ > + if (new_size < 64) > + return gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER); > + 64 feels way too small for normal applications, and looks more likely to be used as an attack vector especially if the server needs to transfer gigabytes of data. What if we ignore values less than 512 (the previous min value), and allow overriding with a gnutls_init flag (e.g., `ALLOW_TINY_RECORDS`)? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/733#note_95445700 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Aug 20 10:24:45 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 20 Aug 2018 08:24:45 +0000 Subject: [gnutls-devel] GnuTLS | record_size_limit extension (!733) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos started a new discussion on tests/tls13/prf.c: > } \ > } > > -#define KEY_EXP_VALUE "\x2b\x6f\x94\xc8\xbc\xa0\x59\x4b\x61\xc8\x23\x12\x01\x8e\xb2\x3a\xdf\x48\x06\x98\x96\xaf\xf9\xe7\xcf\xd5\xa4\x56\x29\x6b\x84\xd3\xfc\x81" > -#define HELLO_VALUE "\x93\x78\x2d\x00\x88\x02\xd8\xd1\x75\xfe\x1d\xae\x99\x13\xf4\x36\xe0\x10\xc9\xfc\xae\xb8\xc0\x72\xd2\x99\x6e\xc3\x71\xf5\x1b" > -#define CONTEXT_VALUE "\x1e\x95\x2e\xa5\xb9\xff\xe4\xb0\xbe\xa3\x8b\x1f\x6c\x31\x74\x62\x4f\x9d\x0b\xf8\x1d\x5f\x3d\xa5\xa7\x45\x07\x99\xea\xfc\xa2" > -#define NULL_CONTEXT_VALUE "\x2f\x7e\x07\x52\xd4\x23\x0b\x7a\xa0\x7e\x2f\xad\xb5\xcc\xcf\x63\x8f\x6c\x27\x7e\xbb\x9e\xb8\xd3\xa0\x92\x3d\xd0\xaa\xe4\xb0" > +#define KEY_EXP_VALUE "\x42\xba\x1d\x14\x6d\x09\x4f\x64\x7a\x65\xc0\x39\xf8\xd6\x98\xa7\x71\xcd\xb5\xd1\x8d\xf7\x70\xca\x22\x2d\xad\x3f\xac\x47\xe9\x13\xfa\xd0" Shouldn't that not require any change? I would have expected that we don't send this extension by default. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/733#note_95446661 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Aug 20 10:26:18 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 20 Aug 2018 08:26:18 +0000 Subject: [gnutls-devel] GnuTLS | record_size_limit extension (!733) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos started a new discussion on tests/tls-record-size-limit.c: > + fail("client: didn't see max_record_size\n"); > + > + if (server_expect_record_size_limit && !server_handshake_cb_data.found_record_size_limit) > + fail("server: didn't see record_size_limit\n"); > + if (!server_expect_record_size_limit && server_handshake_cb_data.found_record_size_limit) > + fail("server: did see record_size_limit\n"); > + if (client_expect_record_size_limit && !client_handshake_cb_data.found_record_size_limit) > + fail("client: didn't see record_size_limit\n"); > + if (!client_expect_record_size_limit && client_handshake_cb_data.found_record_size_limit) > + fail("client: did see record_size_limit\n"); > + > +} > + > +void doit(void) > +{ > + start("NORMAL:-VERS-ALL:+VERS-TLS1.2", 512, 512, 1, 0, 1, 0); That may be because of me, but it would be greatly more readable of the parameters were part of a structure array. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/733#note_95447315 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Aug 20 10:28:07 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 20 Aug 2018 08:28:07 +0000 Subject: [gnutls-devel] GnuTLS | record_size_limit extension (!733) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos started a new discussion on tests/tls-record-size-limit.c: > + if (!server_expect_record_size_limit && server_handshake_cb_data.found_record_size_limit) > + fail("server: did see record_size_limit\n"); > + if (client_expect_record_size_limit && !client_handshake_cb_data.found_record_size_limit) > + fail("client: didn't see record_size_limit\n"); > + if (!client_expect_record_size_limit && client_handshake_cb_data.found_record_size_limit) > + fail("client: did see record_size_limit\n"); > + > +} > + > +void doit(void) > +{ > + start("NORMAL:-VERS-ALL:+VERS-TLS1.2", 512, 512, 1, 0, 1, 0); > + start("NORMAL:-VERS-ALL:+VERS-TLS1.2", 8192, 8192, 0, 0, 1, 0); > + start("NORMAL:-VERS-ALL:+VERS-TLS1.2", 32768, 16384, 0, 0, 1, 0); > + > + start("NORMAL:-VERS-ALL:+VERS-TLS1.3", 512, 512, 1, 0, 1, 1); Some interesting test cases could also be minimum values (63, 64, as well max+1, 16385). -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/733#note_95447826 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Aug 20 10:30:02 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 20 Aug 2018 08:30:02 +0000 Subject: [gnutls-devel] GnuTLS | record_size_limit extension (!733) In-Reply-To: References: Message-ID: Looks good to me except the issues noted above. My major concern was about the minimum (64) which may be too small for gnutls. Apart from that a NEWS entry is also needed. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/733#note_95448528 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Aug 20 10:30:09 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 20 Aug 2018 08:30:09 +0000 Subject: [gnutls-devel] GnuTLS | record_size_limit extension (!733) In-Reply-To: References: Message-ID: Daiki Ueno commented on a discussion on lib/ext/record_size_limit.c: > +}; > + > +static int > +_gnutls_record_size_limit_recv_params(gnutls_session_t session, > + const uint8_t * data, size_t _data_size) > +{ > + ssize_t new_size; > + ssize_t data_size = _data_size; > + > + DECR_LEN(data_size, 2); > + new_size = _gnutls_read_uint16(data); > + > + /* treat receipt of a smaller value as a fatal error */ > + if (new_size < 64) > + return gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER); > + Yes that makes sense; I chose 64 because it's defined in RFC8449: ``` Endpoints MUST NOT send a "record_size_limit" extension with a value smaller than 64. An endpoint MUST treat receipt of a smaller value as a fatal error and generate an "illegal_parameter" alert. ``` -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/733#note_95448555 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Aug 20 10:33:08 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 20 Aug 2018 08:33:08 +0000 Subject: [gnutls-devel] GnuTLS | record_size_limit extension (!733) In-Reply-To: References: Message-ID: Daiki Ueno commented on a discussion on tests/tls13/prf.c: > } \ > } > > -#define KEY_EXP_VALUE "\x2b\x6f\x94\xc8\xbc\xa0\x59\x4b\x61\xc8\x23\x12\x01\x8e\xb2\x3a\xdf\x48\x06\x98\x96\xaf\xf9\xe7\xcf\xd5\xa4\x56\x29\x6b\x84\xd3\xfc\x81" > -#define HELLO_VALUE "\x93\x78\x2d\x00\x88\x02\xd8\xd1\x75\xfe\x1d\xae\x99\x13\xf4\x36\xe0\x10\xc9\xfc\xae\xb8\xc0\x72\xd2\x99\x6e\xc3\x71\xf5\x1b" > -#define CONTEXT_VALUE "\x1e\x95\x2e\xa5\xb9\xff\xe4\xb0\xbe\xa3\x8b\x1f\x6c\x31\x74\x62\x4f\x9d\x0b\xf8\x1d\x5f\x3d\xa5\xa7\x45\x07\x99\xea\xfc\xa2" > -#define NULL_CONTEXT_VALUE "\x2f\x7e\x07\x52\xd4\x23\x0b\x7a\xa0\x7e\x2f\xad\xb5\xcc\xcf\x63\x8f\x6c\x27\x7e\xbb\x9e\xb8\xd3\xa0\x92\x3d\xd0\xaa\xe4\xb0" > +#define KEY_EXP_VALUE "\x42\xba\x1d\x14\x6d\x09\x4f\x64\x7a\x65\xc0\x39\xf8\xd6\x98\xa7\x71\xcd\xb5\xd1\x8d\xf7\x70\xca\x22\x2d\xad\x3f\xac\x47\xe9\x13\xfa\xd0" The RFC suggests to send this extension always: ``` Endpoints SHOULD advertise the "record_size_limit" extension, even if they have no need to limit the size of records. For clients, this allows servers to advertise a limit at their discretion. For servers, this allows clients to know that their limit will be respected. ``` -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/733#note_95449266 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Aug 20 10:35:39 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 20 Aug 2018 08:35:39 +0000 Subject: [gnutls-devel] GnuTLS | Fix gnutls_session_resumption_requested (!735) In-Reply-To: References: Message-ID: Thank you. I had tried that actually originally, but it seems that handshake uses this value also in client side. It uses it as an indicator that client has requested session resumption under TLS1.2 or earlier. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/735#note_95449808 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Aug 20 10:44:09 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 20 Aug 2018 08:44:09 +0000 Subject: [gnutls-devel] GnuTLS | record_size_limit extension (!733) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos commented on a discussion on tests/tls13/prf.c: > } \ > } > > -#define KEY_EXP_VALUE "\x2b\x6f\x94\xc8\xbc\xa0\x59\x4b\x61\xc8\x23\x12\x01\x8e\xb2\x3a\xdf\x48\x06\x98\x96\xaf\xf9\xe7\xcf\xd5\xa4\x56\x29\x6b\x84\xd3\xfc\x81" > -#define HELLO_VALUE "\x93\x78\x2d\x00\x88\x02\xd8\xd1\x75\xfe\x1d\xae\x99\x13\xf4\x36\xe0\x10\xc9\xfc\xae\xb8\xc0\x72\xd2\x99\x6e\xc3\x71\xf5\x1b" > -#define CONTEXT_VALUE "\x1e\x95\x2e\xa5\xb9\xff\xe4\xb0\xbe\xa3\x8b\x1f\x6c\x31\x74\x62\x4f\x9d\x0b\xf8\x1d\x5f\x3d\xa5\xa7\x45\x07\x99\xea\xfc\xa2" > -#define NULL_CONTEXT_VALUE "\x2f\x7e\x07\x52\xd4\x23\x0b\x7a\xa0\x7e\x2f\xad\xb5\xcc\xcf\x63\x8f\x6c\x27\x7e\xbb\x9e\xb8\xd3\xa0\x92\x3d\xd0\xaa\xe4\xb0" > +#define KEY_EXP_VALUE "\x42\xba\x1d\x14\x6d\x09\x4f\x64\x7a\x65\xc0\x39\xf8\xd6\x98\xa7\x71\xcd\xb5\xd1\x8d\xf7\x70\xca\x22\x2d\xad\x3f\xac\x47\xe9\x13\xfa\xd0" ok. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/733#note_95451931 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Aug 20 11:30:45 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 20 Aug 2018 09:30:45 +0000 Subject: [gnutls-devel] GnuTLS | RFC7250 certificate type negotiation (!498) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos started a new discussion on lib/ext/server_cert_type.c: > ssize_t len = data_size; > const uint8_t* pdata = data; > > - /* Only activate this extension if cert type negotiation is enabled > - * and we have cert credentials set */ > + /* Only activate this extension if cert type negotiation is enabled, > + * we are not resuming a session and we have cert credentials set */ > if (!_gnutls_has_negotiate_ctypes(session) || > + gnutls_session_is_resumed(session) || I think given the previous discussion (that under TLS1.3 the psk extension is last), the `gnutls_session_is_resumed` does not help here. Under TLS1.2 or earlier if we are resuming only the extensions of type `GNUTLS_EXT_MANDATORY` are parsed (thus not this one), and under TLS1.3 `gnutls_session_is_resumed` will not be active already. As such I think what you suggested (negotiating and ignoring the value), the the only option. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/498#note_95465221 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Aug 20 11:33:21 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 20 Aug 2018 09:33:21 +0000 Subject: [gnutls-devel] GnuTLS | RFC7250 certificate type negotiation (!498) In-Reply-To: References: Message-ID: Reassigned Merge Request 498 https://gitlab.com/gnutls/gnutls/merge_requests/498 Assignee changed from Nikos Mavrogiannopoulos to Tom -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/498 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Aug 20 11:31:41 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 20 Aug 2018 09:31:41 +0000 Subject: [gnutls-devel] GnuTLS | RFC7250 certificate type negotiation (!498) In-Reply-To: References: Message-ID: Merge Request !498 was approved by Nikos Mavrogiannopoulos Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/498 Project:Branches: Vrancken/gnutls-kdh:rfc7250_cert-types to gnutls/gnutls:master Author: Tom Assignee: Nikos Mavrogiannopoulos -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/498 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Aug 20 11:32:18 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 20 Aug 2018 09:32:18 +0000 Subject: [gnutls-devel] GnuTLS | RFC7250 certificate type negotiation (!498) In-Reply-To: References: Message-ID: Adding approval. Please address the comment above and add a NEWS entry. Thank you for getting this through. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/498#note_95465563 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Aug 20 11:35:03 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 20 Aug 2018 09:35:03 +0000 Subject: [gnutls-devel] GnuTLS | Fix gnutls_session_resumption_requested (!735) In-Reply-To: References: Message-ID: Reassigned Merge Request 735 https://gitlab.com/gnutls/gnutls/merge_requests/735 Assignee changed to Nikos Mavrogiannopoulos -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/735 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Aug 20 11:51:26 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 20 Aug 2018 09:51:26 +0000 Subject: [gnutls-devel] GnuTLS | record_size_limit extension (!733) In-Reply-To: References: Message-ID: Daiki Ueno commented on a discussion on lib/ext/record_size_limit.c: > +}; > + > +static int > +_gnutls_record_size_limit_recv_params(gnutls_session_t session, > + const uint8_t * data, size_t _data_size) > +{ > + ssize_t new_size; > + ssize_t data_size = _data_size; > + > + DECR_LEN(data_size, 2); > + new_size = _gnutls_read_uint16(data); > + > + /* treat receipt of a smaller value as a fatal error */ > + if (new_size < 64) > + return gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER); > + Although I increased the default minimum, I left the overriding option unimplemented. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/733#note_95470709 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Aug 20 11:52:14 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 20 Aug 2018 09:52:14 +0000 Subject: [gnutls-devel] GnuTLS | record_size_limit extension (!733) In-Reply-To: References: Message-ID: Daiki Ueno commented on a discussion on tests/tls-record-size-limit.c: > + fail("client: didn't see max_record_size\n"); > + > + if (server_expect_record_size_limit && !server_handshake_cb_data.found_record_size_limit) > + fail("server: didn't see record_size_limit\n"); > + if (!server_expect_record_size_limit && server_handshake_cb_data.found_record_size_limit) > + fail("server: did see record_size_limit\n"); > + if (client_expect_record_size_limit && !client_handshake_cb_data.found_record_size_limit) > + fail("client: didn't see record_size_limit\n"); > + if (!client_expect_record_size_limit && client_handshake_cb_data.found_record_size_limit) > + fail("client: did see record_size_limit\n"); > + > +} > + > +void doit(void) > +{ > + start("NORMAL:-VERS-ALL:+VERS-TLS1.2", 512, 512, 1, 0, 1, 0); Rewrote the fixtures as structs. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/733#note_95470941 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Aug 20 11:52:22 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 20 Aug 2018 09:52:22 +0000 Subject: [gnutls-devel] GnuTLS | record_size_limit extension (!733) In-Reply-To: References: Message-ID: All discussions on Merge Request !733 were resolved by Daiki Ueno https://gitlab.com/gnutls/gnutls/merge_requests/733 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/733 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Aug 20 11:52:46 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 20 Aug 2018 09:52:46 +0000 Subject: [gnutls-devel] GnuTLS | record_size_limit extension (!733) In-Reply-To: References: Message-ID: Thank you for the review; the new revision should address the issues. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/733#note_95471038 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Aug 20 11:52:51 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 20 Aug 2018 09:52:51 +0000 Subject: [gnutls-devel] GnuTLS | Fix gnutls_session_resumption_requested (!735) In-Reply-To: References: Message-ID: Merge Request !735 was merged Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/735 Branches: tmp-fix-resumption-requested to master Author: Nikos Mavrogiannopoulos Assignee: Nikos Mavrogiannopoulos -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/735 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Aug 20 11:52:49 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 20 Aug 2018 09:52:49 +0000 Subject: [gnutls-devel] GnuTLS | gnutls_session_resumption_requested: is not functional under TLS1.3 (#546) In-Reply-To: References: Message-ID: Issue was closed by Nikos Mavrogiannopoulos Issue #546: https://gitlab.com/gnutls/gnutls/issues/546 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/546 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Aug 20 12:57:47 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 20 Aug 2018 10:57:47 +0000 Subject: [gnutls-devel] GnuTLS | Add support for TLS 1.3 Zero-RTT Data (#127) In-Reply-To: References: Message-ID: Reassigned Issue 127 https://gitlab.com/gnutls/gnutls/issues/127 Assignee changed to Daiki Ueno -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/127 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Aug 20 13:30:31 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 20 Aug 2018 11:30:31 +0000 Subject: [gnutls-devel] GnuTLS | record_size_limit extension (!733) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos started a new discussion on lib/ext/record_size_limit.c: > new_size = _gnutls_read_uint16(data); > > /* treat receipt of a smaller value as a fatal error */ > - if (new_size < 64) > + if (new_size < MIN_RECORD_SIZE) What about doing: ``` /* protocol error */ if (new_size < 64) return gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER); /* we do not want to accept sizes less than that */ if (new_size < MIN_RECORD_SIZE) return 0; ``` That way we will still allow clients making "legal" proposals, but we'll ignore them, right? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/733#note_95496625 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Aug 20 13:31:37 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 20 Aug 2018 11:31:37 +0000 Subject: [gnutls-devel] GnuTLS | record_size_limit extension (!733) In-Reply-To: References: Message-ID: Reassigned Merge Request 733 https://gitlab.com/gnutls/gnutls/merge_requests/733 Assignee changed to Daiki Ueno -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/733 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Aug 20 13:31:39 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 20 Aug 2018 11:31:39 +0000 Subject: [gnutls-devel] GnuTLS | record_size_limit extension (!733) In-Reply-To: References: Message-ID: Made one more comment, but it is now fine. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/733#note_95496836 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Aug 20 13:31:45 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 20 Aug 2018 11:31:45 +0000 Subject: [gnutls-devel] GnuTLS | record_size_limit extension (!733) In-Reply-To: References: Message-ID: Merge Request !733 was approved by Nikos Mavrogiannopoulos Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/733 Branches: tmp-record-size-limit to master Author: Daiki Ueno Assignee: Daiki Ueno -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/733 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Aug 20 13:38:46 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 20 Aug 2018 11:38:46 +0000 Subject: [gnutls-devel] GnuTLS | record_size_limit extension (!733) In-Reply-To: References: Message-ID: All discussions on Merge Request !733 were resolved by Daiki Ueno https://gitlab.com/gnutls/gnutls/merge_requests/733 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/733 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Aug 20 13:38:46 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 20 Aug 2018 11:38:46 +0000 Subject: [gnutls-devel] GnuTLS | record_size_limit extension (!733) In-Reply-To: References: Message-ID: Daiki Ueno commented on a discussion on lib/ext/record_size_limit.c: > new_size = _gnutls_read_uint16(data); > > /* treat receipt of a smaller value as a fatal error */ > - if (new_size < 64) > + if (new_size < MIN_RECORD_SIZE) Thank you for the suggestion, changed along these lines. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/733#note_95498254 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Aug 20 13:43:11 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 20 Aug 2018 11:43:11 +0000 Subject: [gnutls-devel] GnuTLS | RFC7250 certificate type negotiation (!498) In-Reply-To: References: Message-ID: Tom commented on a discussion on lib/ext/server_cert_type.c: > ssize_t len = data_size; > const uint8_t* pdata = data; > > - /* Only activate this extension if cert type negotiation is enabled > - * and we have cert credentials set */ > + /* Only activate this extension if cert type negotiation is enabled, > + * we are not resuming a session and we have cert credentials set */ > if (!_gnutls_has_negotiate_ctypes(session) || > + gnutls_session_is_resumed(session) || I agree. I was about to conclude the same thing after reading the code for TLS 1.2. But then you pointed me to the `gnutls_session_is_resumed` function and made me doubt whether I've missed a specific case, so I added this check to be sure. Since we both conclude that it is redundant I will remove it. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/498#note_95499076 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Aug 20 14:17:11 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 20 Aug 2018 12:17:11 +0000 Subject: [gnutls-devel] GnuTLS | tls13/psk_ext_parser: simplify the iterator interface (!736) In-Reply-To: References: Message-ID: On second thoughts, it might not be a good idea to unify the iteration into one, because there is probably the reason to have those arrays in parallel. Still, however, the current parser interface looks confusing to me, as it's not obvious that psk_ext_parser_st is stateful or not. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/736#note_95506163 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Aug 20 14:18:38 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 20 Aug 2018 12:18:38 +0000 Subject: [gnutls-devel] GnuTLS | RFC7250 certificate type negotiation (!498) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos commented on a discussion on lib/ext/server_cert_type.c: > ssize_t len = data_size; > const uint8_t* pdata = data; > > - /* Only activate this extension if cert type negotiation is enabled > - * and we have cert credentials set */ > + /* Only activate this extension if cert type negotiation is enabled, > + * we are not resuming a session and we have cert credentials set */ > if (!_gnutls_has_negotiate_ctypes(session) || > + gnutls_session_is_resumed(session) || Sorry for that. I'll be around until the 23rd, so if it ready by then ping me and I'll merge it; otherwise you'll have to ping one of the other committers. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/498#note_95506429 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Aug 20 15:17:36 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 20 Aug 2018 13:17:36 +0000 Subject: [gnutls-devel] GnuTLS | record_size_limit extension (!733) In-Reply-To: References: Message-ID: Merge Request !733 was merged Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/733 Branches: tmp-record-size-limit to master Author: Daiki Ueno Assignee: Daiki Ueno -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/733 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Aug 20 15:17:36 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 20 Aug 2018 13:17:36 +0000 Subject: [gnutls-devel] GnuTLS | replace the max record size extension (#524) In-Reply-To: References: Message-ID: Issue was closed by Daiki Ueno Issue #524: https://gitlab.com/gnutls/gnutls/issues/524 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/524 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Aug 20 15:37:49 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 20 Aug 2018 13:37:49 +0000 Subject: [gnutls-devel] GnuTLS | be backwards compatible with priority strings (#549) References: Message-ID: New Issue was created. Issue 549: https://gitlab.com/gnutls/gnutls/issues/549 Author: Nikos Mavrogiannopoulos Assignee: Nikos Mavrogiannopoulos When priority strings are specified with the NONE keyword, they cannot be forward compatible with new protocol versions (e.g., when a new protocol requires a new option such as TLS1.3 requires GROUPS). In that case cope with legacy strings and allow them even if we need to disable a protocol. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/549 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Aug 20 15:45:50 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 20 Aug 2018 13:45:50 +0000 Subject: [gnutls-devel] GnuTLS | WIP: priority: be backwards compatible with priority strings starting with NONE (!738) References: Message-ID: New Merge Request !738 https://gitlab.com/gnutls/gnutls/merge_requests/738 Branches: tmp-be-backwards-compatible-with-prio to master Author: Nikos Mavrogiannopoulos Assignee: Approvers: Simon Josefsson, Dmitry Eremin-Solenikov, Hubert Kario, Tim R?hsen, Andreas Metzler, Daiki Ueno, Tom, Ander Juaristi, Tom?? Mr?z, Anderson Sasaki and GnuTLS devel mailing list That is, we allow priority strings which do not enable any groups to work, by disabling TLS1.3. For example 'NONE:+VERS-TLS-ALL:+MAC-ALL:+RSA:+AES-128-GCM:+SIGN-ALL:+COMP-NULL' is still operational, but no TLS1.3 is enabled when specified. ## Checklist * [x] Code modified for feature * [x] Test suite updated with functionality tests ## Reviewer's checklist: * [ ] Any issues marked for closing are addressed * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md` * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/738 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Aug 20 16:33:22 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 20 Aug 2018 14:33:22 +0000 Subject: [gnutls-devel] GnuTLS | .gitlab-ci.yml: use --no-git to bootstrap (!737) In-Reply-To: References: Message-ID: One more comment, `--no-git` takes the gnulib version that it finds in GNULIB_SRCDIR and not the version checked into the gnutls repo. So each rebuild of the CI images will introduce a current gnulib version that will be tested with. So the CI will test something different as (manual) developer builds (or user builds from tarball). This seems somewhat random / unreliable. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/737#note_95587366 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Aug 20 17:01:01 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 20 Aug 2018 15:01:01 +0000 Subject: [gnutls-devel] GnuTLS | RFC7250 certificate type negotiation (!498) In-Reply-To: References: Message-ID: Tom commented on a discussion on lib/ext/server_cert_type.c: > ssize_t len = data_size; > const uint8_t* pdata = data; > > - /* Only activate this extension if cert type negotiation is enabled > - * and we have cert credentials set */ > + /* Only activate this extension if cert type negotiation is enabled, > + * we are not resuming a session and we have cert credentials set */ > if (!_gnutls_has_negotiate_ctypes(session) || > + gnutls_session_is_resumed(session) || It's ready. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/498#note_95595464 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Aug 20 17:01:39 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 20 Aug 2018 15:01:39 +0000 Subject: [gnutls-devel] GnuTLS | RFC7250 certificate type negotiation (!498) In-Reply-To: References: Message-ID: All discussions on Merge Request !498 were resolved by Tom https://gitlab.com/gnutls/gnutls/merge_requests/498 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/498 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Aug 20 17:40:01 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 20 Aug 2018 15:40:01 +0000 Subject: [gnutls-devel] GnuTLS | .gitlab-ci.yml: use --no-git to bootstrap (!737) In-Reply-To: References: Message-ID: What can we do to address it? Should we include in the containers the same version as in the lib? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/737#note_95605016 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Aug 20 19:03:37 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 20 Aug 2018 17:03:37 +0000 Subject: [gnutls-devel] GnuTLS | RFC7250 certificate type negotiation (!498) In-Reply-To: References: Message-ID: I did a rebase and resolved the last conflicts. The MR is ready to be merged now. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/498#note_95638573 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Aug 20 21:20:13 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 20 Aug 2018 19:20:13 +0000 Subject: [gnutls-devel] GnuTLS | RFC7250 certificate type negotiation (!498) In-Reply-To: References: Message-ID: Merge Request !498 was merged Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/498 Project:Branches: Vrancken/gnutls-kdh:rfc7250_cert-types to gnutls/gnutls:master Author: Tom Assignee: Tom -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/498 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Aug 21 03:07:24 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 21 Aug 2018 01:07:24 +0000 Subject: [gnutls-devel] libtasn1 | GENERIC_ERROR returned on asn1_der_coding method (#5) References: Message-ID: New Issue was created. Issue 5: https://gitlab.com/gnutls/libtasn1/issues/5 Author: Flo Assignee: ## Description of problem: GENERIC_ERROR (error code 6) returned on asn1_der_coding method ## Version of libtasn1 used: 1.4.13 ## Distributor of libtasn1 (e.g., Ubuntu, Fedora, RHEL) https://www.gnu.org/software/libtasn1/ ## How reproducible: Always Steps to Reproduce: * one ingest the following schema with asn1_parser2tree --> ASN1_SUCCESS: ``` Schema { } DEFINITIONS IMPLICIT TAGS ::= BEGIN Response ::= SEQUENCE { a OCTET STRING (SIZE (2)), b BOOLEAN, c INTEGER, d INTEGER } END ``` * two populate the structure with asn1_write_value for each item, then print it with asn1_print_structure: ``` name:Schema type:DEFINITIONS attr:IMPLICIT, name:NULL type:OBJ_ID name:Response type:SEQUENCE name:a type:OCT_STR value:0100 attr:SIZE, name:NULL type:SIZE value:2 attr:1_PARAM, name:b type:BOOLEAN value:FALSE name:c type:INTEGER value:0x05 name:d type:INTEGER value:0x03 ``` * three try to generate the corresponding DER using asn1_der_coding(..., "Schema", ..., ..., ...) --> error code 6: GENERIC_ERROR ## Actual results: GENERIC_ERROR ## Expected results: DER encoded buffer or a meaningful error. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/issues/5 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Aug 21 10:33:33 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 21 Aug 2018 08:33:33 +0000 Subject: [gnutls-devel] GnuTLS | coverage drop (#550) References: Message-ID: New Issue was created. Issue 550: https://gitlab.com/gnutls/gnutls/issues/550 Author: Nikos Mavrogiannopoulos Assignee: In commit bc2fca13 the coverage [was more than 77%](https://gitlab.com/gnutls/gnutls/-/jobs/89025079). This dropped to 74.5 on the [next merge request](https://gitlab.com/gnutls/gnutls/-/jobs/90296745), without any obvious reason. Investigate the issue. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/550 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Aug 21 10:37:44 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 21 Aug 2018 08:37:44 +0000 Subject: [gnutls-devel] GnuTLS | coverage drop (#550) In-Reply-To: References: Message-ID: What seems to have changed is gcc in build environment (gcc-7 vs gcc-8). -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/550#note_95778086 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Aug 21 11:18:53 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 21 Aug 2018 09:18:53 +0000 Subject: [gnutls-devel] GnuTLS | priority: be backwards compatible with priority strings starting with NONE (!738) In-Reply-To: References: Message-ID: @ametzler what do you think of that? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/738#note_95789569 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Aug 21 11:47:53 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 21 Aug 2018 09:47:53 +0000 Subject: [gnutls-devel] GnuTLS | .gitlab-ci.yml: use --no-git to bootstrap (!737) In-Reply-To: References: Message-ID: > What can we do to address it? Basically what I wrote in #547. * do not use --no-git * `cp -a $GNULIB_SRCDIR ./gnulib` before ./bootstrap If $GNULIB_SRCDIR is recent enough (age >= that of the last gnulib commit in the GnuTLS project dir), upstream is not contacted and everything is smooth. `./bootstrap` checks out the right commit locally. If $GNULIB_SRCDIR is too old, `./bootstrap` pulls from upstream (better: your mirror repo). If that fails, you still can re-generate the CI images and restart the failed runners. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/737#note_95797332 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Aug 21 11:58:45 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 21 Aug 2018 09:58:45 +0000 Subject: [gnutls-devel] GnuTLS | .gitlab-ci.yml: use --no-git to bootstrap (!737) In-Reply-To: References: Message-ID: Thanks. Would you like to propose this fix? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/737#note_95802502 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Aug 21 12:02:58 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 21 Aug 2018 10:02:58 +0000 Subject: [gnutls-devel] GnuTLS | .gitlab-ci.yml: use --no-git to bootstrap (!737) In-Reply-To: References: Message-ID: Yes, should find some time today :-) -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/737#note_95803551 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Aug 21 13:12:07 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 21 Aug 2018 11:12:07 +0000 Subject: [gnutls-devel] GnuTLS | Remove --no-git from ./bootstrap (!739) References: Message-ID: New Merge Request !739 https://gitlab.com/gnutls/gnutls/merge_requests/739 Branches: tmp-gnulib-use-git to master Author: Tim R?hsen Assignee: Approvers: Simon Josefsson, Nikos Mavrogiannopoulos, Dmitry Eremin-Solenikov, Hubert Kario, Andreas Metzler, Daiki Ueno, Tom, Ander Juaristi, Tom?? Mr?z, Anderson Sasaki and GnuTLS devel mailing list Add a description of the new feature/bug fix. Reference any relevant bugs. ## Checklist * [ ] Code modified for feature * [ ] Test suite updated with functionality tests * [ ] Test suite updated with negative tests * [ ] Documentation updated ## Reviewer's checklist: * [ ] Any issues marked for closing are addressed * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md` * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/739 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Aug 21 13:12:20 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 21 Aug 2018 11:12:20 +0000 Subject: [gnutls-devel] GnuTLS | .gitlab-ci.yml: use --no-git to bootstrap (!737) In-Reply-To: References: Message-ID: I made some tests... looks like `./bootstrap` already does all the needed stuff (no manual cp -a needed). So all you have to do is remove --no-git and keep your gnulib mirror in .gitmodules. It's in !739 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/737#note_95826755 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Aug 21 14:22:21 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 21 Aug 2018 12:22:21 +0000 Subject: [gnutls-devel] GnuTLS | Update library to use the final RFC8446 version numbers (!730) In-Reply-To: References: Message-ID: Merge Request !730 was approved by Hubert Kario Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/730 Branches: tmp-update-version-numbers to master Author: Nikos Mavrogiannopoulos Assignee: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/730 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Aug 21 14:23:00 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 21 Aug 2018 12:23:00 +0000 Subject: [gnutls-devel] GnuTLS | Update library to use the final RFC8446 version numbers (!730) In-Reply-To: References: Message-ID: lgtm -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/730#note_95847674 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Aug 21 14:33:31 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 21 Aug 2018 12:33:31 +0000 Subject: [gnutls-devel] GnuTLS | Remove --no-git from ./bootstrap (!739) In-Reply-To: References: Message-ID: Thank you. I'm not sure I understand how it works. The following message to me: ``` ./bootstrap: getting gnulib files... Submodule 'gnulib' (https://gitlab.com/libidn/gnulib-mirror.git) registered for path 'gnulib' Cloning into '/builds/gnutls/gnutls/gnulib'... Submodule path 'gnulib': checked out 'b35c22af02271c8dd9844b98db17702b8bf2bd93' ``` is read that it cloned from the remote repo, or is it misleading? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/739#note_95850505 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Aug 21 15:23:23 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 21 Aug 2018 13:23:23 +0000 Subject: [gnutls-devel] GnuTLS | Remove --no-git from ./bootstrap (!739) In-Reply-To: References: Message-ID: Oh, I guess that means you didn't do a `git submodule update --init ...`. In that case `./bootstrap` calls that for you as `git submodule update --init --reference /usr/oms/src/gnulib gnulib`. Just checked locally with `bash -x ./bootstrap`. The output of that command is ``` Submodule 'gnulib' (https://gitlab.com/libidn/gnulib-mirror.git) registered for path 'gnulib' Cloning into '/tmp/gnutls/gnulib'... Submodule path 'gnulib': checked out 'b35c22af02271c8dd9844b98db17702b8bf2bd93' ``` It clones from $GNULIB_SRCDIR (locally). -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/739#note_95865360 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Aug 21 16:01:27 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 21 Aug 2018 14:01:27 +0000 Subject: [gnutls-devel] GnuTLS | Remove --no-git from ./bootstrap (!739) In-Reply-To: References: Message-ID: Thanks, then I think it is good to go. We'd need though better description in the commit message as in the future it would be unclear from the history why this was undone. What about: ``` This removes the --no-git option as bootstrap itself does not use the remote repository for cloning Relates #547 ``` -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/739#note_95876931 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Aug 21 16:01:47 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 21 Aug 2018 14:01:47 +0000 Subject: [gnutls-devel] GnuTLS | Update library to use the final RFC8446 version numbers (!730) In-Reply-To: References: Message-ID: Merge Request !730 was merged Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/730 Branches: tmp-update-version-numbers to master Author: Nikos Mavrogiannopoulos Assignee: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/730 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Aug 21 16:01:47 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 21 Aug 2018 14:01:47 +0000 Subject: [gnutls-devel] GnuTLS | oss-fuzz: test TLS 1.3 (#359) In-Reply-To: References: Message-ID: Issue was closed by Nikos Mavrogiannopoulos Issue #359: https://gitlab.com/gnutls/gnutls/issues/359 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/359 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Aug 21 16:01:46 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 21 Aug 2018 14:01:46 +0000 Subject: [gnutls-devel] GnuTLS | update version numbers to final protocol version (#542) In-Reply-To: References: Message-ID: Issue was closed by Nikos Mavrogiannopoulos Issue #542: https://gitlab.com/gnutls/gnutls/issues/542 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/542 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Aug 21 16:01:47 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 21 Aug 2018 14:01:47 +0000 Subject: [gnutls-devel] GnuTLS | oss-fuzz: test TLS 1.3 (#359) In-Reply-To: References: Message-ID: Issue was closed by Nikos Mavrogiannopoulos Issue #359: https://gitlab.com/gnutls/gnutls/issues/359 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/359 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Aug 21 16:02:25 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 21 Aug 2018 14:02:25 +0000 Subject: [gnutls-devel] GnuTLS | Update library to use the final RFC8446 version numbers (!730) In-Reply-To: References: Message-ID: thank you -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/730#note_95877201 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Aug 21 16:08:49 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 21 Aug 2018 14:08:49 +0000 Subject: [gnutls-devel] GnuTLS | Remove --no-git from ./bootstrap (!739) In-Reply-To: References: Message-ID: Amended the commit message and pushed with [skip ci] (the pipeline was already green). -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/739#note_95879122 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Aug 21 16:25:37 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 21 Aug 2018 14:25:37 +0000 Subject: [gnutls-devel] GnuTLS | gnutls-cli-debug: mention RFC8446 for TLS1.3 and RFC8422 for X25519 (!740) References: Message-ID: New Merge Request !740 https://gitlab.com/gnutls/gnutls/merge_requests/740 Branches: tmp-gnutls-cli-debug-fix to master Author: Nikos Mavrogiannopoulos Assignee: Approvers: Simon Josefsson, Dmitry Eremin-Solenikov, Hubert Kario, Tim R?hsen, Andreas Metzler, Daiki Ueno, Tom, Ander Juaristi, Tom?? Mr?z, Anderson Sasaki and GnuTLS devel mailing list This updates the draft names used in gnutls-cli-debug. ## Checklist * [x] Code modified for feature * [x] Test suite updated with functionality tests ## Reviewer's checklist: * [ ] Any issues marked for closing are addressed * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md` * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/740 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Aug 21 19:09:10 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 21 Aug 2018 17:09:10 +0000 Subject: [gnutls-devel] libtasn1 | Detecting Bug in libtasn1-4.13 by fuzzing. (#4) In-Reply-To: References: Message-ID: CVE-2018-1000654 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/issues/4#note_95931475 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Aug 22 06:04:48 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 22 Aug 2018 04:04:48 +0000 Subject: [gnutls-devel] GnuTLS | Remove --no-git from ./bootstrap (!739) In-Reply-To: References: Message-ID: Merge Request !739 was approved by Nikos Mavrogiannopoulos Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/739 Branches: tmp-gnulib-use-git to master Author: Tim R?hsen Assignee: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/739 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Aug 22 06:04:52 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 22 Aug 2018 04:04:52 +0000 Subject: [gnutls-devel] GnuTLS | Remove --no-git from ./bootstrap (!739) In-Reply-To: References: Message-ID: Merge Request !739 was merged Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/739 Branches: tmp-gnulib-use-git to master Author: Tim R?hsen Assignee: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/739 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Aug 22 06:04:58 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 22 Aug 2018 04:04:58 +0000 Subject: [gnutls-devel] GnuTLS | Remove --no-git from ./bootstrap (!739) In-Reply-To: References: Message-ID: Reassigned Merge Request 739 https://gitlab.com/gnutls/gnutls/merge_requests/739 Assignee changed to Nikos Mavrogiannopoulos -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/739 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Aug 22 06:05:10 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 22 Aug 2018 04:05:10 +0000 Subject: [gnutls-devel] GnuTLS | Remove --no-git from ./bootstrap (!739) In-Reply-To: References: Message-ID: Thank you -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/739#note_96039298 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Aug 22 07:49:32 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 22 Aug 2018 05:49:32 +0000 Subject: [gnutls-devel] libtasn1 | Detecting Bug in libtasn1-4.13 by fuzzing. (#4) In-Reply-To: References: Message-ID: Note that asn1Parser is the developer part of the libtasn1, not the runtime parser used by libraries like gnutls. As such the impact of such CVE is low, if any. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/issues/4#note_96048438 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Aug 22 08:00:27 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 22 Aug 2018 06:00:27 +0000 Subject: [gnutls-devel] GnuTLS | gnutls-cli-debug: mention RFC8446 for TLS1.3 and RFC8422 for X25519 (!740) In-Reply-To: References: Message-ID: Merged manually. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/740#note_96053209 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Aug 22 08:00:27 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 22 Aug 2018 06:00:27 +0000 Subject: [gnutls-devel] GnuTLS | gnutls-cli-debug: mention RFC8446 for TLS1.3 and RFC8422 for X25519 (!740) In-Reply-To: References: Message-ID: Merge Request !740 was closed by Nikos Mavrogiannopoulos Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/740 Branches: tmp-gnutls-cli-debug-fix to master Author: Nikos Mavrogiannopoulos Assignee: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/740 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Aug 22 09:54:32 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 22 Aug 2018 07:54:32 +0000 Subject: [gnutls-devel] GnuTLS | DTLS handshake failure for lost SessionTicket in 3.6.3 (#543) In-Reply-To: References: Message-ID: Reassigned Issue 543 https://gitlab.com/gnutls/gnutls/issues/543 Assignee changed to Nikos Mavrogiannopoulos -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/543 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Aug 22 12:16:39 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 22 Aug 2018 10:16:39 +0000 Subject: [gnutls-devel] GnuTLS | WIP: RFC7250 Raw public keys (!650) In-Reply-To: References: Message-ID: @gnutls Does anyone wants to give this a first review? In particular I would like to have some thoughts on the remarks that I've placed in the code. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/650#note_96109129 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Aug 22 12:54:24 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 22 Aug 2018 10:54:24 +0000 Subject: [gnutls-devel] GnuTLS | Building GnuTLS 3.5.19 fails to build with `guile/src/core.c:3338:31: error: expected ')' before '; ' token (void) gnutls_global_init (); ` (#551) References: Message-ID: New Issue was created. Issue 551: https://gitlab.com/gnutls/gnutls/issues/551 Author: Paul Menzel Assignee: ## Description of problem: Try to build GnuTLS 3.5.19: $ /dev/shm/bee-root/gnutls/gnutls-3.5.19-0/source/configure --prefix=/usr --bindir=/usr/bin --sbindir=/usr/sbin --libexecdir=/usr/libexec --sysconfdir=/etc --sharedstatedir=/var --localstatedir=/var --libdir=/usr/lib --includedir=/usr/include --datarootdir=/usr/share --datadir=/usr/share --infodir=/usr/share/info --localedir=/usr/share/locale --mandir=/usr/share/man --docdir=/usr/share/doc/gnutls --exec-prefix=/usr $ make [?] make all-am make[4]: Entering directory '/dev/shm/bee-root/gnutls/gnutls-3.5.19-0/build/guile/src' CC guile_gnutls_v_2_la-core.lo /dev/shm/bee-root/gnutls/gnutls-3.5.19-0/source/guile/src/core.c: In function 'scm_init_gnutls': /dev/shm/bee-root/gnutls/gnutls-3.5.19-0/source/guile/src/core.c:3338:31: error: expected ')' before ';' token (void) gnutls_global_init (); ^ /dev/shm/bee-root/gnutls/gnutls-3.5.19-0/source/guile/src/core.c:3338:3: error: invalid use of void expression (void) gnutls_global_init (); ^ In file included from /dev/shm/bee-root/gnutls/gnutls-3.5.19-0/source/guile/src/core.c:3335: : ./core.x:214:2: error: too few arguments to function 'scm_c_define_gsubr' scm_c_define_gsubr (s_scm_gnutls_set_log_level_x, ^~~~~~~~~~~~~~~~~~ In file included from /usr/include/libguile.h:52:0, from /dev/shm/bee-root/gnutls/gnutls-3.5.19-0/source/guile/src/core.c:29: /usr/include/libguile/gsubr.h:47:13: note: declared here SCM_API SCM scm_c_define_gsubr (const char *name, ^~~~~~~~~~~~~~~~~~ /dev/shm/bee-root/gnutls/gnutls-3.5.19-0/source/guile/src/core.c:3348:1: error: expected ')' before '}' token } ^ In file included from /dev/shm/bee-root/gnutls/gnutls-3.5.19-0/source/guile/src/core.c:3335: : ./core.x:213:2: error: too few arguments to function 'scm_c_define_gsubr' scm_c_define_gsubr (s_scm_gnutls_set_log_procedure_x, ^~~~~~~~~~~~~~~~~~ In file included from /usr/include/libguile.h:52:0, from /dev/shm/bee-root/gnutls/gnutls-3.5.19-0/source/guile/src/core.c:29: /usr/include/libguile/gsubr.h:47:13: note: declared here SCM_API SCM scm_c_define_gsubr (const char *name, ^~~~~~~~~~~~~~~~~~ /dev/shm/bee-root/gnutls/gnutls-3.5.19-0/source/guile/src/core.c:3348:1: error: expected ')' before '}' token } ^ In file included from /dev/shm/bee-root/gnutls/gnutls-3.5.19-0/source/guile/src/core.c:3335: : ./core.x:212:2: error: too few arguments to function 'scm_c_define_gsubr' scm_c_define_gsubr (s_scm_gnutls_set_certificate_credentials_openpgp_keys_x, ^~~~~~~~~~~~~~~~~~ In file included from /usr/include/libguile.h:52:0, from /dev/shm/bee-root/gnutls/gnutls-3.5.19-0/source/guile/src/core.c:29: /usr/include/libguile/gsubr.h:47:13: note: declared here SCM_API SCM scm_c_define_gsubr (const char *name, ^~~~~~~~~~~~~~~~~~ /dev/shm/bee-root/gnutls/gnutls-3.5.19-0/source/guile/src/core.c:3348:1: error: expected ')' before '}' token ``` ## Version of gnutls used: 3.5.19 ## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL) Upstream -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/551 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Aug 22 15:20:45 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 22 Aug 2018 13:20:45 +0000 Subject: [gnutls-devel] GnuTLS | dtls: recover when a NewSessionTicket message is lost (!741) References: Message-ID: New Merge Request !741 https://gitlab.com/gnutls/gnutls/merge_requests/741 Branches: tmp-new-session-ticket-fix to master Author: Nikos Mavrogiannopoulos Assignee: Approvers: Simon Josefsson, Dmitry Eremin-Solenikov, Hubert Kario, Tim R?hsen, Andreas Metzler, Daiki Ueno, Tom, Ander Juaristi, Tom?? Mr?z, Anderson Sasaki and GnuTLS devel mailing list When the server's NewSessionTicket gets lost while the ChangeCipherSpec goes through, the client did not request retransmission by retransmitting his last flight, and the handshake was blocked. This commit addresses the issue and adds a reproducer. ## Checklist * [x] Code modified for feature * [x] Test suite updated with functionality tests ## Reviewer's checklist: * [ ] Any issues marked for closing are addressed * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md` * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/741 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Aug 22 15:38:54 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 22 Aug 2018 13:38:54 +0000 Subject: [gnutls-devel] GnuTLS | Building GnuTLS 3.5.19 fails to build with `guile/src/core.c:3338:31: error: expected ')' before '; ' token (void) gnutls_global_init (); ` (#551) In-Reply-To: References: Message-ID: Could you append the your config.log, please !? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/551#note_96160499 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Aug 22 15:39:49 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 22 Aug 2018 13:39:49 +0000 Subject: [gnutls-devel] GnuTLS | tls13/psk_ext_parser: simplify the iterator interface (!736) In-Reply-To: References: Message-ID: Reassigned Merge Request 736 https://gitlab.com/gnutls/gnutls/merge_requests/736 Assignee changed to Nikos Mavrogiannopoulos -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/736 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Aug 22 15:42:16 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 22 Aug 2018 13:42:16 +0000 Subject: [gnutls-devel] GnuTLS | tls13/psk_ext_parser: simplify the iterator interface (!736) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos started a new discussion on lib/ext/pre_shared_key.c: > } > } > > - if (psk_index < 0) > - return 0; > - > - ret = _gnutls13_psk_ext_parser_find_binder(&psk_parser, psk_index, > - &binder_recvd); > - if (ret < 0) { > - gnutls_assert(); > - goto fail; > + _gnutls13_psk_ext_iter_init(&psk_iter, &psk_parser); > + for (i = 0; i <= psk_index; i++) { Seeing that code, I think a corner test case that is interesting is having a PSK structure which has 3 identities, and 2 binders while the 3rd identity is selected. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/736#note_96161397 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Aug 22 15:42:25 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 22 Aug 2018 13:42:25 +0000 Subject: [gnutls-devel] GnuTLS | tls13/psk_ext_parser: simplify the iterator interface (!736) In-Reply-To: References: Message-ID: Merge Request !736 was approved by Nikos Mavrogiannopoulos Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/736 Branches: tmp-psk-ext-refactor to master Author: Daiki Ueno Assignee: Nikos Mavrogiannopoulos -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/736 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Aug 22 15:42:52 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 22 Aug 2018 13:42:52 +0000 Subject: [gnutls-devel] GnuTLS | Building GnuTLS 3.5.19 fails to build with `guile/src/core.c:3338:31: error: expected ')' before '; ' token (void) gnutls_global_init (); ` (#551) In-Reply-To: References: Message-ID: Of course. Please find it attached. [config.log](/uploads/6e420337a77c2e36fbc9bbd625bb8638/config.log) [smime.p7s](/uploads/e8663103fade3da339180add3bc9e5bd/smime.p7s) -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/551#note_96161607 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Aug 22 15:43:37 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 22 Aug 2018 13:43:37 +0000 Subject: [gnutls-devel] GnuTLS | tls13/psk_ext_parser: simplify the iterator interface (!736) In-Reply-To: References: Message-ID: Reassigned Merge Request 736 https://gitlab.com/gnutls/gnutls/merge_requests/736 Assignee changed from Nikos Mavrogiannopoulos to Unassigned -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/736 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Aug 22 15:43:58 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 22 Aug 2018 13:43:58 +0000 Subject: [gnutls-devel] GnuTLS | tls13/psk_ext_parser: simplify the iterator interface (!736) In-Reply-To: References: Message-ID: Looks good to me. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/736#note_96161935 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Aug 22 16:30:56 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 22 Aug 2018 14:30:56 +0000 Subject: [gnutls-devel] GnuTLS | Building GnuTLS 3.5.19 fails to build with `guile/src/core.c:3338:31: error: expected ')' before '; ' token (void) gnutls_global_init (); ` (#551) In-Reply-To: References: Message-ID: @nmav Paul has Guile 1.8. `config.log` says it is recent enough. Is it realy ? Maybe the check is wrong ? ``` configure:57112: checking whether GNU Guile is recent enough configure:57125: gcc -o conftest -g -O2 -pthread conftest.c -pthread -lguile -lltdl -lgmp -lcrypt -lm -lltdl >&5 conftest.c: In function 'main': conftest.c:775:1: warning: implicit declaration of function 'scm_from_locale_string' [-Wimplicit-function-declaration] scm_from_locale_string ("") ^~~~~~~~~~~~~~~~~~~~~~ configure:57125: $? = 0 configure:57135: checking the Guile effective version configure:57138: result: 1.8 configure:57142: result: yes ``` -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/551#note_96176829 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Aug 23 14:50:29 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 23 Aug 2018 12:50:29 +0000 Subject: [gnutls-devel] GnuTLS | tls13/psk_ext_parser: simplify the iterator interface (!736) In-Reply-To: References: Message-ID: Daiki Ueno commented on a discussion on lib/ext/pre_shared_key.c: > } > } > > - if (psk_index < 0) > - return 0; > - > - ret = _gnutls13_psk_ext_parser_find_binder(&psk_parser, psk_index, > - &binder_recvd); > - if (ret < 0) { > - gnutls_assert(); > - goto fail; > + _gnutls13_psk_ext_iter_init(&psk_iter, &psk_parser); > + for (i = 0; i <= psk_index; i++) { I added a test in `tests/tls13/psk-ext`. I'd expect at the protocol level it could be tested by tlsfuzzer in the future :-) -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/736#note_96429043 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Aug 23 14:50:32 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 23 Aug 2018 12:50:32 +0000 Subject: [gnutls-devel] GnuTLS | tls13/psk_ext_parser: simplify the iterator interface (!736) In-Reply-To: References: Message-ID: All discussions on Merge Request !736 were resolved by Daiki Ueno https://gitlab.com/gnutls/gnutls/merge_requests/736 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/736 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Aug 23 16:19:19 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 23 Aug 2018 14:19:19 +0000 Subject: [gnutls-devel] GnuTLS | tls13/psk_ext_parser: simplify the iterator interface (!736) In-Reply-To: References: Message-ID: Merge Request !736 was merged Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/736 Branches: tmp-psk-ext-refactor to master Author: Daiki Ueno Assignee: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/736 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Aug 24 15:30:13 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 24 Aug 2018 13:30:13 +0000 Subject: [gnutls-devel] GnuTLS | MinGW: gnutls_hash_fast() fails with -402 (GNUTLS_E_LIB_IN_ERROR_STATE) (#486) In-Reply-To: References: Message-ID: Issue was closed by Tim R?hsen Issue #486: https://gitlab.com/gnutls/gnutls/issues/486 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/486 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Aug 24 15:30:13 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 24 Aug 2018 13:30:13 +0000 Subject: [gnutls-devel] GnuTLS | MinGW: gnutls_hash_fast() fails with -402 (GNUTLS_E_LIB_IN_ERROR_STATE) (#486) In-Reply-To: References: Message-ID: The problem seems to be gone since a while (CI images are re-built once a week). Thanks for investigating. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/486#note_96711062 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Aug 24 15:30:54 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 24 Aug 2018 13:30:54 +0000 Subject: [gnutls-devel] GnuTLS | Service Desk (from noloader@gmail.com): GnuTLS cannot find Nettle 3.4 (#526) In-Reply-To: References: Message-ID: Issue was closed by Tim R?hsen Issue #526: https://gitlab.com/gnutls/gnutls/issues/526 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/526 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Aug 24 17:03:22 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 24 Aug 2018 15:03:22 +0000 Subject: [gnutls-devel] GnuTLS | Use gnutls_strdup() in library code (!742) References: Message-ID: New Merge Request !742 https://gitlab.com/gnutls/gnutls/merge_requests/742 Branches: tmp-strdup to master Author: Tim R?hsen Assignee: Approvers: Simon Josefsson, Nikos Mavrogiannopoulos, Dmitry Eremin-Solenikov, Hubert Kario, Andreas Metzler, Daiki Ueno, Tom, Ander Juaristi, Tom?? Mr?z, Anderson Sasaki and GnuTLS devel mailing list Add a description of the new feature/bug fix. Reference any relevant bugs. ## Checklist * [ ] Code modified for feature * [ ] Test suite updated with functionality tests * [ ] Test suite updated with negative tests * [ ] Documentation updated ## Reviewer's checklist: * [ ] Any issues marked for closing are addressed * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md` * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/742 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat Aug 25 18:09:32 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sat, 25 Aug 2018 16:09:32 +0000 Subject: [gnutls-devel] GnuTLS | priority: be backwards compatible with priority strings starting with NONE (!738) In-Reply-To: References: Message-ID: Good idea. Disabling TLS1.3 when no groups are set is what I would have expected to happen as user. :-) -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/738#note_96856256 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Aug 27 18:15:28 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 27 Aug 2018 16:15:28 +0000 Subject: [gnutls-devel] GnuTLS | Use gnutls_strdup() in library code (!742) In-Reply-To: References: Message-ID: This looks obviously correct, so approving :-) -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/742#note_97124293 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Aug 27 18:15:31 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 27 Aug 2018 16:15:31 +0000 Subject: [gnutls-devel] GnuTLS | Use gnutls_strdup() in library code (!742) In-Reply-To: References: Message-ID: Merge Request !742 was approved by Daiki Ueno Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/742 Branches: tmp-strdup to master Author: Tim R?hsen Assignee: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/742 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Aug 27 18:20:41 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 27 Aug 2018 16:20:41 +0000 Subject: [gnutls-devel] GnuTLS | tlsfuzzer: remove duplicate tests and sort them alphabetically (!743) References: Message-ID: New Merge Request !743 https://gitlab.com/gnutls/gnutls/merge_requests/743 Branches: tmp-tlsfuzzer-dupes to master Author: Daiki Ueno Assignee: Approvers: Simon Josefsson, Nikos Mavrogiannopoulos, Dmitry Eremin-Solenikov, Hubert Kario, Tim R?hsen, Andreas Metzler, Tom, Ander Juaristi, Tom?? Mr?z, Anderson Sasaki and GnuTLS devel mailing list ## Reviewer's checklist: * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/743 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Aug 29 18:55:50 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 29 Aug 2018 16:55:50 +0000 Subject: [gnutls-devel] GnuTLS | Bugs and wrong documentation for gnutls_x509_trust_list_add_cas, gnutls_x509_trust_list_add_crls and gnutls_x509_trust_list_add_trust_mem (#552) References: Message-ID: New Issue was created. Issue 552: https://gitlab.com/gnutls/gnutls/issues/552 Author: Tim Kosse Assignee: # 1) The documentation for gnutls_x509_trust_list_add_cas is not correct: > If the flag GNUTLS_TL_NO_DUPLICATES is specified, then > the provided clist entries that are duplicates will not be > added to the list and will be deinitialized. > > Returns: The number of added elements is returned. The actual behavior is that the existing entries in the list will be deinitialized and replaced with the entries from clist. The return value includes both added _and_ replaced entries. The documentation does not mention that this behavior also applies to GNUTLS_TL_NO_DUPLICATE_KEY. > The list of CAs must not be deinitialized during this structure's lifetime. I find this misleading, I suggest rewording it to "The CAs in clist must not be deinitialized during the lifetime of list." Also this needs to be added: "If either the flags GNUTLS_TL_NO_DUPLICATES or GNUTLS_TL_NO_DUPLICATE_KEY are given, it required gnutls_x509_trust_list_deinit will be called with all=1. # 2) The documentation for gnutls_x509_trust_list_add_crls is not correct: Similarly to add_cas, gnutls_x509_trust_list_add_crls can replace existing crls and returns the sum of added and replaced entries when the GNUTLS_TL_NO_DUPLICATES flag is passed, though it depends which crl is newer. Likewise, the lifetime remark is misleading here as well. # 3) Wrong return value in gnutls_x509_trust_list_add_cas: If the GNUTLS_TL_USE_IN_TLS flag is given and add_new_ca_to_rdn_seq fails, the CA already got added to the list, but the return value does not include it. # 4) Memory leak in gnutls_x509_trust_list_add_trust_mem: If gnutls_x509_trust_list_add_cas returns less than clist_size, the extra certificates not added will never be freed. Compare with gnutls_x509_trust_list_add_crls which does not have this problem. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/552 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Aug 29 19:19:26 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 29 Aug 2018 17:19:26 +0000 Subject: [gnutls-devel] GnuTLS | Valid cert fails to verify due to different DN encodings (#553) References: Message-ID: New Issue was created. Issue 553: https://gitlab.com/gnutls/gnutls/issues/553 Author: David Caldwell Assignee: In "lib/x509/verify.c" `is_issuer()` uses `_gnutls_x509_compare_raw_dn()` but that doesn't account for different text encodings of the DN. We have a CA that has a Subject that looks like this when dumped with `openssl asn1parse -i`: ``` 159:d=2 hl=2 l= 91 cons: SEQUENCE 161:d=3 hl=2 l= 33 cons: SET 163:d=4 hl=2 l= 31 cons: SEQUENCE 165:d=5 hl=2 l= 3 prim: OBJECT :organizationName 170:d=5 hl=2 l= 24 prim: PRINTABLESTRING : 196:d=3 hl=2 l= 22 cons: SET 198:d=4 hl=2 l= 20 cons: SEQUENCE 200:d=5 hl=2 l= 3 prim: OBJECT :organizationalUnitName 205:d=5 hl=2 l= 13 prim: PRINTABLESTRING : 220:d=3 hl=2 l= 30 cons: SET 222:d=4 hl=2 l= 28 cons: SEQUENCE 224:d=5 hl=2 l= 3 prim: OBJECT :commonName 229:d=5 hl=2 l= 21 prim: PRINTABLESTRING :Certificate Authority 252:d=2 hl=4 l= 338 cons: SEQUENCE ``` We have a cert that is signed by the CA. It has an Issuer section that looks like this when dumped: ``` 36:d=2 hl=2 l= 91 cons: SEQUENCE 38:d=3 hl=2 l= 33 cons: SET 40:d=4 hl=2 l= 31 cons: SEQUENCE 42:d=5 hl=2 l= 3 prim: OBJECT :organizationName 47:d=5 hl=2 l= 24 prim: UTF8STRING : 73:d=3 hl=2 l= 22 cons: SET 75:d=4 hl=2 l= 20 cons: SEQUENCE 77:d=5 hl=2 l= 3 prim: OBJECT :organizationalUnitName 82:d=5 hl=2 l= 13 prim: UTF8STRING : 97:d=3 hl=2 l= 30 cons: SET 99:d=4 hl=2 l= 28 cons: SEQUENCE 101:d=5 hl=2 l= 3 prim: OBJECT :commonName 106:d=5 hl=2 l= 21 prim: UTF8STRING :Certificate Authority ``` The strings match, but the CA is encoded as `PRINTABLESTRING` and the cert uses `UTF8STRING` and so the binary DN comparison fails, and the cert doesn't verify. I believe this is incorrect behavior. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/553 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Aug 30 10:15:04 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 30 Aug 2018 08:15:04 +0000 Subject: [gnutls-devel] GnuTLS | Use gnutls_strdup() in library code (!742) In-Reply-To: References: Message-ID: Merge Request !742 was merged Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/742 Branches: tmp-strdup to master Author: Tim R?hsen Assignee: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/742 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Aug 30 10:33:36 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 30 Aug 2018 08:33:36 +0000 Subject: [gnutls-devel] GnuTLS | strdup vs. gnutls_strdup (#491) In-Reply-To: References: Message-ID: !742 fixes the code in /lib. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/491#note_97834897 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Aug 30 10:33:36 2018 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 30 Aug 2018 08:33:36 +0000 Subject: [gnutls-devel] GnuTLS | strdup vs. gnutls_strdup (#491) In-Reply-To: References: Message-ID: Issue was closed by Tim R?hsen Issue #491: https://gitlab.com/gnutls/gnutls/issues/491 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/491 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: