From gnutls-devel at lists.gnutls.org Sun Sep 1 12:29:02 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 01 Sep 2019 10:29:02 +0000
Subject: [gnutls-devel] GnuTLS | WIP: Add support for CNT_IMIT TLS 1.2 GOST cipher suite (!920)

Dmitry Eremin-Solenikov pushed new commits to merge request !920
https://gitlab.com/gnutls/gnutls/merge_requests/920

* eb94b8d2...6522c27d - 2 commits from branch `master`
* 71da5358 - lib: define TC26 GOST curves
* 82d3cb8b - nettle/gost: provide GOST 28147-89 CNT mode
* e0862b3e - nettle/gost: provide GOST 28147-89 IMIT MAC mode
* c08a340f - lib: provide GOST 28147-89 CNT mode support
* 2ca24d5a - lib: provide GOST 28147-89 IMIT MAC support
* 9cb13bd9 - nettle: provide GOST 28147-89 CNT mode support
* 85c91e27 - nettle: provide GOST 28147-89 IMIT MAC support
* 947656d2 - nettle/gost: provide GOST keywrapping support
* 52b4735c - nettle/gost: add support for GOST VKO algorithm
* 8decce92 - _gnutls_pk_derive: add argument for nonce
* 2ffbe97c - nettle: add support for GOST key derivation
* 2a10d6e6 - mpi: add _gnutls_mpi_bprint_size_le()
* 7a66111a - Allow using implicit IV for stream ciphers with TLS
* 9e0bd08f - Support GOST certificate request values
* 6cc16be1 - Add GOST key transport support
* 990827a2 - groups: add function to return group by curve
* 61f59f32 - Add support for VKO GOST key exchange
* 87bebeb9 - Support GOST cipher suite MAC calculation
* be1494f6 - Add GOST cipher suites
* 1d34bde2 - Declare groups corresponding to GOST curves
* fcd7f260 - Add GOST values to cipher suites priorities
* 598a35a8 - prf: add GOST R 34.11-94 and Streebog PRF support
* 413f0e69 - tests: add tests for KX-GOST-VKO using different key variants
* 31fd4d18 - lib: fix group selection in case of GOST cipher suites
* 31d752cc - tests: added testcases for ciphersuite/KX negotiation with VKO-GOST
* da05f290 - lib/algorithms: add AID values assigned by IANA
* 728ebb88 - lib: pubkey vs TLS signature compatibility for GOST algorithms
* 2ba40847 - cli-debug: include GOST VKO into KX list
* 91a9a491 - priority: add GROUP-GOST-ALL keyword
* 5a4036da - nettle/pk: add support for "new" TC26 256 B curve
* 0f31727f - ecc: define curve->group relationship
* e44baee7 - ext/supported_groups: don't consider non-EC groups for EC
* b360ddaf - ext/signature: use GOST signatures for GOST ciphersuites
* ffd15dc2 - tests: correct gost server certificates
* 897cec31 - tests: add verbose logging to server-kx-neg tests
* 1ef45293 - Swap TLS signatures in case we are signing them with GOST keys
* 6bf3e0b0 - crypto-selftests: add CNT and IMIT self tests

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/920
You're receiving this email because of your account on gitlab.com.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From gnutls-devel at lists.gnutls.org Sun Sep 1 14:10:40 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 01 Sep 2019 12:10:40 +0000
Subject: [gnutls-devel] GnuTLS | WIP: Add support for CNT_IMIT TLS 1.2 GOST cipher suite (!920)

Dmitry Eremin-Solenikov commented on a discussion on lib/algorithms/mac.c:
https://gitlab.com/gnutls/gnutls/merge_requests/920#note_210868909

> .id = GNUTLS_MAC_AES_CMAC_256, > .output_size = 16, > .key_size = 32}, > + {.name = "GOST28147-TC26Z-IMIT",

Done

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/920#note_210868909

From gnutls-devel at lists.gnutls.org Sun Sep 1 14:10:46 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 01 Sep 2019 12:10:46 +0000
Subject: [gnutls-devel] GnuTLS | WIP: Add support for CNT_IMIT TLS 1.2 GOST cipher suite (!920)

Dmitry Eremin-Solenikov commented on a discussion on lib/algorithms/ciphers.c:
https://gitlab.com/gnutls/gnutls/merge_requests/920#note_210868918

> .type = CIPHER_BLOCK, > .explicit_iv = 16, > .cipher_iv = 16}, > + { .name = "GOST28147-TC26Z-CNT",

Done

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/920#note_210868918

From gnutls-devel at lists.gnutls.org Sun Sep 1 14:19:41 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 01 Sep 2019 12:19:41 +0000
Subject: [gnutls-devel] GnuTLS | GnuTLS asm accelerated crypto for PowerPC (ppc64le) (#820)

Nikos Mavrogiannopoulos commented:

Because nettle was slow in adopting accelerated versions of various ciphers, and in some cases they were slower than the cryptogams versions, we introduced the acceleration layer in gnutls adding several of the cryptogams ciphers for popular platforms, and platforms we could test in the CI. While it may not be hard to add these implementations to gnutls via cryptogams, it will be quite hard to test it in the CI. I wouldn't object to a patch set that includes the new CPUs and a test suite. Ideally though all optimized implementations should move to nettle.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/820#note_210869506

From gnutls-devel at lists.gnutls.org Sun Sep 1 14:23:54 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 01 Sep 2019 12:23:54 +0000
Subject: [gnutls-devel] GnuTLS | Connection problems with older servers (record packet with invalid length was received) (#811)

Nikos Mavrogiannopoulos commented:

done

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/811#note_210869819

From gnutls-devel at lists.gnutls.org Sun Sep 1 14:24:01 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 01 Sep 2019 12:24:01 +0000
Subject: [gnutls-devel] GnuTLS | Do not forbid excess random padding in TLS1.x CBC ciphersuites (!1054)

Nikos Mavrogiannopoulos pushed new commits to merge request !1054
https://gitlab.com/gnutls/gnutls/merge_requests/1054

* 38c8dc43...6522c27d - 6 commits from branch `master`
* 5074fb7f - tests: added interoperability test with gnutls 2.12.x
* 99a09e97 - _gnutls_epoch_set_keys: do not forbid random padding in TLS1.x CBC ciphersuites

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1054

From gnutls-devel at lists.gnutls.org Mon Sep 2 00:28:19 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 01 Sep 2019 22:28:19 +0000
Subject: [gnutls-devel] GnuTLS | Raw public key fuzzing tests (!1062)

Tom created a merge request: https://gitlab.com/gnutls/gnutls/merge_requests/1062

Project:Branches: Vrancken/gnutls:tmp_rawpk_fuzzing to gnutls/gnutls:master
Author: Tom
Assignees:

This MR introduces fuzzing tests to test the raw public key functionality in the library.

Closes #687

## Checklist
* [X] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [X] Code modified for feature
* [ ] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
* [X] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:
* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1062

From gnutls-devel at lists.gnutls.org Mon Sep 2 15:32:56 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 02 Sep 2019 13:32:56 +0000
Subject: [gnutls-devel] GnuTLS | add a callback to retrieve missing chain certificates (#202)

Michael Catanzaro commented:

Crap, it's been over two years.... I talked to Daiki about this at GUADEC.
I'm hoping to get around to this before 2020, but if I don't, then I probably won't get to it ever (I won't be working on networking for much longer) and somebody else can take it.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/202#note_211188119

From gnutls-devel at lists.gnutls.org Mon Sep 2 15:46:02 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 02 Sep 2019 13:46:02 +0000
Subject: [gnutls-devel] GnuTLS | gnutls-cli-debug: fix early break for no version supported check (!1063)

Dmitry Eremin-Solenikov created a merge request: https://gitlab.com/gnutls/gnutls/merge_requests/1063

Project:Branches: GostCrypt/gnutls:fix-cli-debug to gnutls/gnutls:master
Author: Dmitry Eremin-Solenikov
Assignees:

Noticed that cli-debug will break if server does not support anything less than TLS 1.2

## Checklist
* [x] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [x] Code modified for feature
* [ ] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
* [x] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:
* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1063

From gnutls-devel at lists.gnutls.org Mon Sep 2 16:21:27 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 02 Sep 2019 14:21:27 +0000
Subject: [gnutls-devel] GnuTLS | maint: Include Guile's M4 macros. (!1061)

civodul pushed new commits to merge request !1061
https://gitlab.com/gnutls/gnutls/merge_requests/1061

* d341c517 - .gitlab-ci.yml: doc-dist.Fedora: Pass "GUILE", "GUILD", and "guile_snarf" to 'configure'.
* 582320ec - .gitlab-ci.yml: minimal.Fedora.x86_64: Pass '--disable-guile' the 2nd time as well.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1061

From gnutls-devel at lists.gnutls.org Mon Sep 2 16:30:03 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 02 Sep 2019 14:30:03 +0000
Subject: [gnutls-devel] GnuTLS | gnutls-cli-debug: fix early break for no version supported check (!1063)

Dmitry Eremin-Solenikov pushed new commits to merge request !1063
https://gitlab.com/gnutls/gnutls/merge_requests/1063

* 90ced097 - gnutls-cli-debug: fix early break for no version supported check

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1063

From gnutls-devel at lists.gnutls.org Mon Sep 2 20:41:44 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 02 Sep 2019 18:41:44 +0000
Subject: [gnutls-devel] GnuTLS | Raw public key fuzzing tests (!1062)

Tom pushed new commits to merge request !1062
https://gitlab.com/gnutls/gnutls/merge_requests/1062

* b1da7d4a - Implemented client rawpk fuzzer.
* 5a604d3c - Implemented server rawpk fuzzer.
* da762718 - Added initial corpora for rawpk client and server fuzzers.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1062

From gnutls-devel at lists.gnutls.org Tue Sep 3 08:52:09 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 03 Sep 2019 06:52:09 +0000
Subject: [gnutls-devel] GnuTLS | WIP: Add support for CNT_IMIT TLS 1.2 GOST cipher suite (!920)

Dmitry Eremin-Solenikov pushed new commits to merge request !920
https://gitlab.com/gnutls/gnutls/merge_requests/920

* f7bdd48b - gnutls-cli-debug: fix early break for no version supported check
* bc3e5af1 - gnutls-cli-debug: add GOST_CNT-related KX/cipher/MAC tests

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/920

From gnutls-devel at lists.gnutls.org Tue Sep 3 08:52:43 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 03 Sep 2019 06:52:43 +0000
Subject: [gnutls-devel] GnuTLS | WIP: Add support for CNT_IMIT TLS 1.2 GOST cipher suite (!920)

Dmitry Eremin-Solenikov commented on a discussion on src/tests.c:
https://gitlab.com/gnutls/gnutls/merge_requests/920#note_211412857

> #define BLOCK_CIPHERS "+3DES-CBC:+AES-128-CBC:+CAMELLIA-128-CBC:+AES-256-CBC:+CAMELLIA-256-CBC" > #define ALL_COMP "+COMP-NULL" > #define ALL_MACS "+MAC-ALL:+MD5:+SHA1" > -#define ALL_KX "+RSA:+DHE-RSA:+DHE-DSS:+ANON-DH:+ECDHE-RSA:+ECDHE-ECDSA:+ANON-ECDH" > +#define ALL_KX "+RSA:+DHE-RSA:+DHE-DSS:+ANON-DH:+ECDHE-RSA:+ECDHE-ECDSA:+ANON-ECDH:+VKO-GOST-12"

Added tests for cipher, MAC and KX (as done for other algorithms). Would you like a separate test for CS?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/920#note_211412857

From gnutls-devel at lists.gnutls.org Tue Sep 3 09:49:55 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 03 Sep 2019 07:49:55 +0000
Subject: [gnutls-devel] GnuTLS | WIP: Add support for CNT_IMIT TLS 1.2 GOST cipher suite (!920)

Dmitry Eremin-Solenikov commented on a discussion on tests/tls12-server-kx-neg.c:
https://gitlab.com/gnutls/gnutls/merge_requests/920#note_211435701

> + .server_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:-VERS-ALL:+VERS-TLS1.2", > + .client_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:-VERS-ALL:+VERS-TLS1.2" > + }, > + { > + .name = "TLS 1.2 VKO-GOST-12 with cred and GOST12-512 cert", > + .server_ret = 0, > + .client_ret = 0, > + .have_cert_cred = 1, > + .have_gost12_512_cert = 1, > + .not_on_fips = 1, > + .server_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:-VERS-ALL:+VERS-TLS1.2", > + .client_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:-VERS-ALL:+VERS-TLS1.2" > + }, > + { > + .name = "TLS 1.2 VKO-GOST-12 with cred and multiple certs", > + .server_ret = 0,

Done

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/920#note_211435701

From gnutls-devel at lists.gnutls.org Tue Sep 3 09:50:02 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 03 Sep 2019 07:50:02 +0000
Subject: [gnutls-devel] GnuTLS | WIP: Add support for CNT_IMIT TLS 1.2 GOST cipher suite (!920)

Dmitry Eremin-Solenikov pushed new commits to merge request !920
https://gitlab.com/gnutls/gnutls/merge_requests/920

* 93e6a214 - priority: disable TLS 1.3 if VKO-GOST KX is enabled
* b1e35cea - tls13-server-kx-neg: add test for GOST-enabled server and client

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/920

From gnutls-devel at lists.gnutls.org Tue Sep 3 09:51:37 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 03 Sep 2019 07:51:37 +0000
Subject: [gnutls-devel] GnuTLS | WIP: Add support for CNT_IMIT TLS 1.2 GOST cipher suite (!920)

Dmitry Eremin-Solenikov commented on a discussion on lib/auth/vko_gost.c:
https://gitlab.com/gnutls/gnutls/merge_requests/920#note_211436462

> + i += len; > + > + cek.data = &data[i]; > + cek.size = ret; > + > + DECR_LEN(data_size, ret); > + > + if (data_size != 0) > + return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH); > + > + ret = calc_ukm(session, &ukm); > + if (ret < 0) > + return gnutls_assert_val(ret); > + > + if (!privkey || privkey->type != GNUTLS_PRIVKEY_X509) { > + gnutls_assert();

Added return. HSM for now is unsupported, as I see no easy way to use it. Let's wait for GOST extensions to crawl closer to PKCS#11 standard (or at least in p11-kit).

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/920#note_211436462

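Review bot: in the lib/auth/vko_gost.c hunk quoted above, `ret` holds the CEK length at `cek.size = ret;` and `DECR_LEN(data_size, ret);` and is then overwritten with the status of `calc_ukm(session, &ukm)`. A separate length variable would make the length accounting easier to audit. The `!privkey || privkey->type != GNUTLS_PRIVKEY_X509` check could also move ahead of `calc_ukm`, so an unsupported key is rejected before the UKM is computed.
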
From gnutls-devel at lists.gnutls.org Tue Sep 3 10:57:22 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 03 Sep 2019 08:57:22 +0000
Subject: [gnutls-devel] GnuTLS | Disable TLS 1.3 dynamically during handshake if bad KX is enabled in priority (#825)

Dmitry Eremin-Solenikov created an issue:

For now priority setup will disable TLS 1.3 if 'unsupported' KX is enabled (like SRP or PSK/RSA-PSK). This causes bad effects when adding VKO-GOST KX support, as one cannot have `-VER-TLS-ALL:+VER-TLS1.3:+KX-ALL` setup anymore.

It looks like priorities should be handled during SERVER HELLO stage: if TLS 1.3 is enabled and negotiation fails, switch to older TLS version and try negotiating again.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/825

From gnutls-devel at lists.gnutls.org Tue Sep 3 11:00:05 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 03 Sep 2019 09:00:05 +0000
Subject: [gnutls-devel] GnuTLS | Disable TLS 1.3 dynamically during handshake if bad KX is enabled in priority (#825)

Dmitry Eremin-Solenikov commented:

I have stumbled upon this when I tried copying if-SRP-disable-1.3 code for VKO-GOST. It now causes errors with `gnutls-cli-debug`. I will try adding more robust code (that will check if we should disable TLS 1.3 or VKO depending on TLS 1.2 being enabled). However in general I think that having a server which supports both TLS 1.3 with current ciphersuites and TLS 1.2 with SRP or VKO-GOST is a legitimate setup.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/825#note_211475280

From gnutls-devel at lists.gnutls.org Tue Sep 3 13:36:42 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 03 Sep 2019 11:36:42 +0000
Subject: [gnutls-devel] GnuTLS | Support ESNI (#595)

Reassigned Issue 595
https://gitlab.com/gnutls/gnutls/issues/595

Assignee changed to Daiki Ueno

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/595

From gnutls-devel at lists.gnutls.org Wed Sep 4 11:07:51 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 04 Sep 2019 09:07:51 +0000
Subject: [gnutls-devel] GnuTLS | Support QUIC TLS API (#826)

Aniketh Girish created an issue: https://gitlab.com/gnutls/gnutls/issues/826

## Description of the feature:
QUIC decided to use TLS 1.3 as the foundation for the crypto and security layer to avoid inventing something new and instead lean on a trustworthy and existing protocol. However,

## Applications that this feature may be relevant to:
Currently any implementation of HTTP/3

## Is this feature implemented in other libraries (and which)
There are tweaked versions of OpenSSL that currently have the crypto API for QUIC TLS. Similar to this, there is an ongoing BoringSSL patch as well.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/826

From gnutls-devel at lists.gnutls.org Wed Sep 4 11:11:29 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 04 Sep 2019 09:11:29 +0000
Subject: [gnutls-devel] GnuTLS | Support QUIC TLS API (#826)

Aniketh Girish commented:

I'm willing to work on the implementation but then I need some help from the GnuTLS community to guide me quickly through the existing codebase :)

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/826#note_212182051

From gnutls-devel at lists.gnutls.org Wed Sep 4 11:49:11 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 04 Sep 2019 09:49:11 +0000
Subject: [gnutls-devel] GnuTLS | Support QUIC TLS API (#826)

Daiki Ueno commented:

I suppose that change would be quite significant and we would first need to discuss how the API should look like, as in [the NSS changes](https://bugzilla.mozilla.org/show_bug.cgi?id=1471126) for that. In any case, I am happy to review/mentor; thank you for your interest!

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/826#note_212203082

From gnutls-devel at lists.gnutls.org Wed Sep 4 12:25:06 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 04 Sep 2019 10:25:06 +0000
Subject: [gnutls-devel] GnuTLS | gnutls-3.6.4 release tarball isn't configured for guile 2.2 (#631)

Nala Ginrut commented on a discussion: https://gitlab.com/gnutls/gnutls/issues/631#note_212233221

Actually, you may put a workable `guile.m4` in your own `m4` directory, and it will be detected first. I do this in my project. I think it could be better when Guile-3.0 is released. @sbirkholz @nmav

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/631#note_212233221

From gnutls-devel at lists.gnutls.org Wed Sep 4 13:09:33 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 04 Sep 2019 11:09:33 +0000
Subject: [gnutls-devel] GnuTLS | Support QUIC TLS API (#826)

Aniketh Girish commented:

I would love to get some sort of mentorship in this context :) Yes, how about the API be something similar to how OpenSSL/BoringSSL does? In user perspective, it is always useful to have an API for similar functionality be similar to be implemented in their software. What do you think?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/826#note_212257624

From gnutls-devel at lists.gnutls.org Wed Sep 4 13:22:42 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 04 Sep 2019 11:22:42 +0000
Subject: [gnutls-devel] GnuTLS | guile: Update the list of certificate status values. (!1060)

Merge Request !1060 was approved by Nikos Mavrogiannopoulos

Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/1060
Project:Branches: civodul/gnutls:wip-certificate-status to gnutls/gnutls:master
Author: civodul
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1060

From gnutls-devel at lists.gnutls.org Wed Sep 4 13:23:27 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 04 Sep 2019 11:23:27 +0000
Subject: [gnutls-devel] GnuTLS | guile: Update the list of certificate status values. (!1060)

Merge Request !1060 was merged

Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/1060
Project:Branches: civodul/gnutls:wip-certificate-status to gnutls/gnutls:master
Author: civodul
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1060

From gnutls-devel at lists.gnutls.org Wed Sep 4 13:29:35 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 04 Sep 2019 11:29:35 +0000
Subject: [gnutls-devel] GnuTLS | Support for raw public keys for gnutls-cli and gnutls-serv (!1059)

Nikos Mavrogiannopoulos started a new discussion on src/cli.c:
https://gitlab.com/gnutls/gnutls/merge_requests/1059#note_212267221

> const char *x509_cafile = NULL; > const char *x509_crlfile = NULL; > static int x509ctype; > +const char *rawpk_keyfile = NULL; > +const char *rawpk_file = NULL; > static int disable_extensions; > static int disable_sni; > -static unsigned int init_flags = GNUTLS_CLIENT; > +static unsigned int init_flags = GNUTLS_CLIENT | GNUTLS_ENABLE_RAWPK;

Shouldn't this be enabled only when raw public keys are specified?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1059#note_212267221

From gnutls-devel at lists.gnutls.org Wed Sep 4 13:39:28 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 04 Sep 2019 11:39:28 +0000
Subject: [gnutls-devel] GnuTLS | Support for raw public keys for gnutls-cli and gnutls-serv (!1059)

Merge request https://gitlab.com/gnutls/gnutls/merge_requests/1059 was reviewed by Nikos Mavrogiannopoulos

--
Nikos Mavrogiannopoulos started a new discussion on src/cli-args.def:
https://gitlab.com/gnutls/gnutls/merge_requests/1059#note_212271623

> + descrip = "PKCS #8 or PKCS #12 key file to use"; > + doc = ""; > + max = 1;

You don't use the stack-args, so the max seems unnecessary here.

--
Nikos Mavrogiannopoulos started a new discussion on src/cli.c:
https://gitlab.com/gnutls/gnutls/merge_requests/1059#note_212271626

> +/* Load the raw public key and corresponding private key. > + */ > +static void load_rawpk_keys(void)

This is overly similar to `load_keys`. Could you abstract out the common functionality so that there is not so much of copied code? For example the private key loading seems like a simple copy paste from the original function.

--
Nikos Mavrogiannopoulos started a new discussion on src/cli-args.def:
https://gitlab.com/gnutls/gnutls/merge_requests/1059#note_212271627

> > +flag = { > + name = rawpkkeyfile;

Is that option necessary at all? Why not make it an alias over x509keyfile?

--
Nikos Mavrogiannopoulos started a new discussion on src/cli.c:
https://gitlab.com/gnutls/gnutls/merge_requests/1059#note_212271628

> > - load_keys(); > + load_x509_keys();

The split seems not very intuitive to me after seeing the commonalities shared. The only new option is the `rawpkfile`. Why not handle it in the original function?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1059

From gnutls-devel at lists.gnutls.org Wed Sep 4 13:40:19 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 04 Sep 2019 11:40:19 +0000
Subject: [gnutls-devel] GnuTLS | Support for raw public keys for gnutls-cli and gnutls-serv (!1059)

Nikos Mavrogiannopoulos commented:

Hi, I've provided my comments inline. What I miss however mostly is a test suite for this new functionality. Something along the lines of `gnutls-cli-self-signed.sh` but for the new type of keys.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1059#note_212272032

From gnutls-devel at lists.gnutls.org Wed Sep 4 13:42:57 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 04 Sep 2019 11:42:57 +0000
Subject: [gnutls-devel] GnuTLS | Support for raw public keys for gnutls-cli and gnutls-serv (!1059)

Nikos Mavrogiannopoulos started a new discussion on src/serv-args.def:
https://gitlab.com/gnutls/gnutls/merge_requests/1059#note_212273239

> }; > > +flag = { > + name = rawpkkeyfile; > + arg-type = string; > + descrip = "PKCS #8 or PKCS #12 key file to use"; > + doc = ""; > + max = 1; > +}; > + > +flag = { > + name = rawpkfile; > + arg-type = string; > + descrip = "Raw public-key file to use"; > + doc = ""; > + max = 1;

Why restrict only to a single key and not do the same as with the x509keyfile with `stack-arg`? That would allow different keys e.g., ECDSA and RSA keys on a server.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1059#note_212273239

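Review bot: in the src/serv-args.def hunk quoted above, both new flags leave `doc = "";` empty, and the `rawpkkeyfile` description "PKCS #8 or PKCS #12 key file to use" does not mention raw public keys at all. Fill in `doc` for both flags, and say in the `rawpkkeyfile` description that the key file belongs with the raw public key given via `rawpkfile`.
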
From gnutls-devel at lists.gnutls.org Wed Sep 4 13:43:00 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 04 Sep 2019 11:43:00 +0000
Subject: [gnutls-devel] GnuTLS | Support for raw public keys for gnutls-cli and gnutls-serv (!1059)

Merge request https://gitlab.com/gnutls/gnutls/merge_requests/1059 was reviewed by Nikos Mavrogiannopoulos

--
Nikos Mavrogiannopoulos started a new discussion on src/serv.c: https://gitlab.com/gnutls/gnutls/merge_requests/1059#note_212273258

> unsigned alpn_size; > - unsigned flags = GNUTLS_SERVER | GNUTLS_POST_HANDSHAKE_AUTH; > + unsigned flags = GNUTLS_SERVER | GNUTLS_POST_HANDSHAKE_AUTH | GNUTLS_ENABLE_RAWPK;

Shouldn't this be added after a raw public key is specified?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1059

From gnutls-devel at lists.gnutls.org Wed Sep 4 13:45:00 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 04 Sep 2019 11:45:00 +0000
Subject: [gnutls-devel] GnuTLS | Raw public key fuzzing tests (!1062)

Merge Request !1062 was approved by Nikos Mavrogiannopoulos

Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/1062
Project:Branches: Vrancken/gnutls:tmp_rawpk_fuzzing to gnutls/gnutls:master
Author: Tom
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1062
From gnutls-devel at lists.gnutls.org Wed Sep 4 13:45:06 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 04 Sep 2019 11:45:06 +0000
Subject: [gnutls-devel] GnuTLS | fuzzying: enable raw public keys (#687)

Issue was closed by Nikos Mavrogiannopoulos via merge request !1062 (https://gitlab.com/gnutls/gnutls/merge_requests/1062)

Issue #687: https://gitlab.com/gnutls/gnutls/issues/687

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/687

From gnutls-devel at lists.gnutls.org Wed Sep 4 13:45:06 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 04 Sep 2019 11:45:06 +0000
Subject: [gnutls-devel] GnuTLS | Raw public key fuzzing tests (!1062)

Merge Request !1062 was merged

Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/1062
Project:Branches: Vrancken/gnutls:tmp_rawpk_fuzzing to gnutls/gnutls:master
Author: Tom
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1062

From gnutls-devel at lists.gnutls.org Wed Sep 4 13:45:19 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 04 Sep 2019 11:45:19 +0000
Subject: [gnutls-devel] GnuTLS | Raw public key fuzzing tests (!1062)

Nikos Mavrogiannopoulos commented:

Thank you!

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1062#note_212274737
From gnutls-devel at lists.gnutls.org Wed Sep 4 13:45:20 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 04 Sep 2019 11:45:20 +0000
Subject: [gnutls-devel] GnuTLS | Raw public key fuzzing tests (!1062)

Reassigned Merge Request 1062

https://gitlab.com/gnutls/gnutls/merge_requests/1062

Assignee changed to Nikos Mavrogiannopoulos

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1062

From gnutls-devel at lists.gnutls.org Wed Sep 4 13:45:27 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 04 Sep 2019 11:45:27 +0000
Subject: [gnutls-devel] GnuTLS | Raw public key fuzzing tests (!1062)

Reassigned Merge Request 1062

https://gitlab.com/gnutls/gnutls/merge_requests/1062

Assignee changed from Nikos Mavrogiannopoulos to Unassigned

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1062
From gnutls-devel at lists.gnutls.org Wed Sep 4 13:45:30 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 04 Sep 2019 11:45:30 +0000
Subject: [gnutls-devel] GnuTLS | Raw public key fuzzing tests (!1062)

Milestone changed to Release of GnuTLS 3.6.10 (Jul 26, 2019–Sep 25, 2019) ( https://gitlab.com/gnutls/gnutls/-/milestones/24 )

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1062

From gnutls-devel at lists.gnutls.org Wed Sep 4 14:35:36 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 04 Sep 2019 12:35:36 +0000
Subject: [gnutls-devel] GnuTLS | Support QUIC TLS API (#826)

Daiki Ueno commented:

Sure, but each library has its own design principles. Do you have links to the other implementations that we can evaluate?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/826#note_212331794

From gnutls-devel at lists.gnutls.org Wed Sep 4 17:04:45 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 04 Sep 2019 15:04:45 +0000
Subject: [gnutls-devel] GnuTLS | Support QUIC TLS API (#826)

Aniketh Girish commented:

> Sure, but each library has its own design principles

Yes, totally understandable. My initial plan was to study how other libraries do it at first and try to adapt something similar to GnuTLS.

> Do you have links to the other implementations that we can evaluate?
(1) https://github.com/openssl/openssl/pull/8797/
(2) https://github.com/tatsuhiro-t/openssl/tree/quic-draft-22

Check these out.

> presume that the scope is to integrate it to QUIC libraries such as [ngtcp2](https://github.com/ngtcp2/ngtcp2), right?

yes, but not limited to.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/826#note_212420768

From gnutls-devel at lists.gnutls.org Wed Sep 4 17:24:22 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 04 Sep 2019 15:24:22 +0000
Subject: [gnutls-devel] GnuTLS | ALPN behaviour with tlsfuzzer (#827)

Hubert Kario (@mention me if you need reply) created an issue: https://gitlab.com/gnutls/gnutls/issues/827

The comment in the json file for ALPN tests is confusing: `tests/suite/tls-fuzzer/gnutls-alpn.json` the comment states "we do not not fail when ALPN name changes on resumption" but the test case is not expecting connection failure when ALPN changes, it expects the change to negotiated protocol through ALPN to be allowed, as is stated in the RFC (and as was stated explicitly by authors on TLS WG ML).

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/827
From gnutls-devel at lists.gnutls.org Thu Sep 5 07:00:45 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 05 Sep 2019 05:00:45 +0000
Subject: [gnutls-devel] GnuTLS | WIP: Add support for CNT_IMIT TLS 1.2 GOST cipher suite (!920)

Dmitry Eremin-Solenikov pushed new commits to merge request !920

https://gitlab.com/gnutls/gnutls/merge_requests/920

* 78aee870 - gnutls-cli-debug: add GOST_CNT-related KX/cipher/MAC tests
* 0b3fe1a9 - priority: disable TLS 1.3 if VKO-GOST KX is enabled
* 3b146c82 - tls13-server-kx-neg: add test for GOST-enabled server and client

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/920

From gnutls-devel at lists.gnutls.org Thu Sep 5 10:38:06 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 05 Sep 2019 08:38:06 +0000
Subject: [gnutls-devel] GnuTLS | priority: fix loop which removes systemwide disabled KX algos (!1064)

Dmitry Eremin-Solenikov created a merge request: https://gitlab.com/gnutls/gnutls/merge_requests/1064

Project:Branches: GostCrypt/gnutls:fix-priority-setting to gnutls/gnutls:master
Author: Dmitry Eremin-Solenikov

Add a description of the new feature/bug fix. Reference any relevant bugs.
## Checklist

* [x] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [x] Code modified for feature
* [ ] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
* [x] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:

* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1064

From gnutls-devel at lists.gnutls.org Thu Sep 5 12:49:12 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 05 Sep 2019 10:49:12 +0000
Subject: [gnutls-devel] GnuTLS | WIP: Add support for CNT_IMIT TLS 1.2 GOST cipher suite (!920)

Merge request https://gitlab.com/gnutls/gnutls/merge_requests/920 was reviewed by Dmitry Eremin-Solenikov

--
Dmitry Eremin-Solenikov commented on a discussion on tests/tls12-server-kx-neg.c: https://gitlab.com/gnutls/gnutls/merge_requests/920#note_212847633

> + { > + .name = "TLS 1.2 VKO-GOST-12 with cred and multiple certs", > + .server_ret = 0,

@nmav there doesn't seem to be an easy way for doing so. See #825. The only viable option I see for the time being is to remove `VKO-GOST` from `KX-ALL`, but this also looks incorrect to me. @dueno would you have any options on old-KX-vs-TLS1.3?
--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/920

From gnutls-devel at lists.gnutls.org Thu Sep 5 13:14:50 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 05 Sep 2019 11:14:50 +0000
Subject: [gnutls-devel] GnuTLS | Do not forbid excess random padding in TLS1.x CBC ciphersuites (!1054)

Hubert Kario (@mention me if you need reply) commented:

(I'm reviewing it)

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1054#note_212858543

From gnutls-devel at lists.gnutls.org Thu Sep 5 16:03:45 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 05 Sep 2019 14:03:45 +0000
Subject: [gnutls-devel] GnuTLS | Disable TLS 1.3 dynamically during handshake if bad KX is enabed in priority (#825)

Nikos Mavrogiannopoulos commented:

It makes sense as a problem, but do you know how far are we from a TLS1.3 GOST? If priorities are handled later it would allow for other optimizations too, but it would add a fixed overhead to each connection on a server which doesn't look that good. What do you think?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/825#note_212970986
From gnutls-devel at lists.gnutls.org Thu Sep 5 17:13:14 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 05 Sep 2019 15:13:14 +0000
Subject: [gnutls-devel] GnuTLS | Disable TLS 1.3 dynamically during handshake if bad KX is enabed in priority (#825)

Dmitry Eremin-Solenikov commented:

According to the current Russian draft TLS 1.3 GOST will use ecdhe_ke.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/825#note_213012226

From gnutls-devel at lists.gnutls.org Thu Sep 5 20:08:18 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 05 Sep 2019 18:08:18 +0000
Subject: [gnutls-devel] GnuTLS | Disable TLS 1.3 dynamically during handshake if bad KX is enabed in priority (#825)

Dmitry Eremin-Solenikov commented:

@nmav the major problem is that this looks very close to 1.3-to-1.2 downgrade. So if both server and a client support both 1.3 and 1.2 and one of them places GOST-CNT to first place in their priority lists, the server will send a "branded" ServerRandom message and client then must drop this connection. I do not really know how to solve this struggle.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/825#note_213075715
From gnutls-devel at lists.gnutls.org Thu Sep 5 20:37:28 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 05 Sep 2019 18:37:28 +0000
Subject: [gnutls-devel] GnuTLS | Do not forbid excess random padding in TLS1.x CBC ciphersuites (!1054)

Hubert Kario (@mention me if you need reply) commented:

this resolves issue #811

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1054#note_213084412

From gnutls-devel at lists.gnutls.org Thu Sep 5 20:42:49 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 05 Sep 2019 18:42:49 +0000
Subject: [gnutls-devel] GnuTLS | Do not forbid excess random padding in TLS1.x CBC ciphersuites (!1054)

Merge request https://gitlab.com/gnutls/gnutls/merge_requests/1054 was reviewed by Hubert Kario (@mention me if you need reply)

--
Hubert Kario (@mention me if you need reply) started a new discussion on tests/suite/testcompat-oldgnutls.sh: https://gitlab.com/gnutls/gnutls/merge_requests/1054#note_213085855

> + echo >>${TMPFILE} > + ${VALGRIND} "${CLI}" -d 6 ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+AES-128-CBC:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+RSA${ADD}" --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" <${TMPFILE} >/dev/null || > + fail ${PID} "Failed"

Wouldn't it be a good idea to test with a cipher that uses SHA256 or SHA384 HMAC?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1054
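Review bot: `fail ${PID} "Failed"` at the end of the tests/suite/testcompat-oldgnutls.sh hunk quoted above gives no hint which priority string was being exercised, so a failing run cannot be told apart from other client invocations in the log; a message naming the cipher and MAC under test would help. `${TMPFILE}` is also unquoted in `echo >>${TMPFILE}` and `<${TMPFILE}`, unlike `"${CLI}"` and `"${PORT}"` on the same command line.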
From gnutls-devel at lists.gnutls.org Thu Sep 5 20:43:30 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 05 Sep 2019 18:43:30 +0000
Subject: [gnutls-devel] GnuTLS | Renegotiation with both renegotiation_info and SCSV at once is allowed (#828)

t184256 created an issue: https://gitlab.com/gnutls/gnutls/issues/828

## Description of problem:

(from https://tools.ietf.org/html/rfc5746#section-3.5)

3.5. Client Behavior: Secure Renegotiation

* The client MUST include the "renegotiation_info" extension in the ClientHello, containing the saved client_verify_data.
  The SCSV MUST NOT be included.

## Version of gnutls used:

2c0a798e37685eca4ae2674f29603a4840213fc6

## How reproducible:

Steps to Reproduce:

On a renegotiation, send both SCSV and renegotiation_info.

tlsfuzzer script for invoking this behaviour: https://github.com/tomato42/tlsfuzzer/pull/583/commits/f11c0e467c674d4d31e0cb8134c5edc14861c8e7

output:

```
sending both SCSV and renegotiation_info ...
Error encountered while processing node (child: None) with last message being:
Error while processing
Traceback (most recent call last):
  File "scripts/test-legacy-renegotiation.py", line 320, in main
    runner.run()
  File "/home/asosedki/code/tlsfuzzer/tlsfuzzer/runner.py", line 225, in run
    RecordHeader2)))
AssertionError: Unexpected message from peer: Handshake(server_hello)
```

## Actual results:

`ServerHello`

## Expected results:

`handshake_failure` alert

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/828
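As an added example (not GnuTLS or tlsfuzzer code), the server-side check that issue #828 asks for can be written in C as follows: it walks a ClientHello body, records whether the SCSV cipher suite value and the `renegotiation_info` extension are present, and maps a renegotiation hello that breaks the quoted section 3.5 rule to the `handshake_failure` alert the report expects. The function names, return codes and the sample ClientHello bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define SCSV_EMPTY_RENEGOTIATION_INFO 0x00FF /* cipher suite value, RFC 5746 */
#define EXT_RENEGOTIATION_INFO        0xFF01 /* extension type, RFC 5746 */
enum { ALERT_HANDSHAKE_FAILURE = 40, ALERT_DECODE_ERROR = 50 };
enum { RENEG_PARSE_ERROR = -1, RENEG_NONE, RENEG_SCSV, RENEG_EXTENSION, RENEG_BOTH };

/* Bounds-checked cursor: a wrong length field cannot cause an over-read. */
struct cursor { const uint8_t *p; size_t left; };

static int take(struct cursor *c, size_t n, const uint8_t **out)
{
    if (c->left < n)
        return -1;
    *out = c->p;
    c->p += n;
    c->left -= n;
    return 0;
}

/* Read a vector whose big-endian length prefix is len_bytes wide. */
static int take_vec(struct cursor *c, size_t len_bytes, struct cursor *out)
{
    const uint8_t *l;
    size_t n = 0, i;
    if (take(c, len_bytes, &l) < 0)
        return -1;
    for (i = 0; i < len_bytes; i++)
        n = (n << 8) | l[i];
    if (take(c, n, &out->p) < 0)
        return -1;
    out->left = n;
    return 0;
}

/* Walk a ClientHello body (without the 4-byte handshake header) and
 * report which renegotiation signals it carries. */
int classify_client_hello(const uint8_t *body, size_t len)
{
    struct cursor c = { body, len }, v, ext;
    const uint8_t *f;
    int found = RENEG_NONE;
    if (take(&c, 2 + 32, &f) < 0)                 /* version + random */
        return RENEG_PARSE_ERROR;
    if (take_vec(&c, 1, &v) < 0 || v.left > 32)   /* session_id */
        return RENEG_PARSE_ERROR;
    if (take_vec(&c, 2, &v) < 0 || v.left < 2 || (v.left & 1))
        return RENEG_PARSE_ERROR;                 /* cipher_suites */
    while (v.left > 0) {
        if (take(&v, 2, &f) < 0)
            return RENEG_PARSE_ERROR;
        if (((f[0] << 8) | f[1]) == SCSV_EMPTY_RENEGOTIATION_INFO)
            found |= RENEG_SCSV;
    }
    if (take_vec(&c, 1, &v) < 0 || v.left < 1)    /* compression_methods */
        return RENEG_PARSE_ERROR;
    if (c.left == 0)                              /* hello without extensions */
        return found;
    if (take_vec(&c, 2, &v) < 0 || c.left != 0)   /* extensions block */
        return RENEG_PARSE_ERROR;
    while (v.left > 0) {
        if (take(&v, 2, &f) < 0 || take_vec(&v, 2, &ext) < 0)
            return RENEG_PARSE_ERROR;
        if (((f[0] << 8) | f[1]) == EXT_RENEGOTIATION_INFO)
            found |= RENEG_EXTENSION;
    }
    return found;
}

/* Section 3.5 rule quoted in the issue, for a renegotiation hello: extension
 * required, SCSV absent. Returns 0 on pass; verify_data is not checked. */
int alert_for_renegotiation_hello(const uint8_t *body, size_t len)
{
    int s = classify_client_hello(body, len);
    if (s == RENEG_PARSE_ERROR)
        return ALERT_DECODE_ERROR;
    return s == RENEG_EXTENSION ? 0 : ALERT_HANDSHAKE_FAILURE;
}

/* Constructed sample: ClientHello body carrying both signals. */
static const uint8_t SAMPLE_BOTH[] = {
    0x03, 0x03,                                 /* legacy_version, then random */
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
    0x00, 0x00, 0x04, 0x00, 0x2F, 0x00, 0xFF,   /* no session_id; 2 suites, last is SCSV */
    0x01, 0x00, 0x00, 0x11,                     /* null compression; 17 ext bytes */
    0xFF, 0x01, 0x00, 0x0D, 0x0C,               /* renegotiation_info header */
    1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12       /* placeholder verify_data */
};

int main(void)
{
    printf("%d\n", alert_for_renegotiation_hello(SAMPLE_BOTH, sizeof SAMPLE_BOTH));
    return 0;
}
```

The parser rejects any hello whose length fields disagree with the buffer before it looks at the renegotiation signals, so a truncated message yields `decode_error` rather than a policy decision.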
From gnutls-devel at lists.gnutls.org Thu Sep 5 21:21:44 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 05 Sep 2019 19:21:44 +0000
Subject: [gnutls-devel] GnuTLS | Support for raw public keys for gnutls-cli and gnutls-serv (!1059)

Tom commented on a discussion on src/cli.c: https://gitlab.com/gnutls/gnutls/merge_requests/1059#note_213102536

> const char *x509_cafile = NULL; > const char *x509_crlfile = NULL; > static int x509ctype; > +const char *rawpk_keyfile = NULL; > +const char *rawpk_file = NULL; > static int disable_extensions; > static int disable_sni; > -static unsigned int init_flags = GNUTLS_CLIENT; > +static unsigned int init_flags = GNUTLS_CLIENT | GNUTLS_ENABLE_RAWPK;

Not necessarily. The `GNUTLS_ENABLE_RAWPK` flag tells the library that raw public key functionality must be enabled. Applications that are capable of dealing / working with raw public keys can enable this functionality. Since gnutls-cli is able to handle raw public keys (as per this MR) we can safely enable this functionality in the library. This rationale follows the outcome of the discussion that we had regarding this flag. We concluded that it should be up to the application developer to decide whether the application is capable of handling raw public keys and therefore whether this functionality should be enabled in the library. Of course you can change the init flags depending on the presence of raw pk key material but this introduces extra logic that is not necessary (IMO).

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1059#note_213102536
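Review bot: The changed `init_flags` initializer in the src/cli.c hunk quoted above sets `GNUTLS_ENABLE_RAWPK` on every run, whether or not `rawpk_file` is given, and nothing in the code records why. A short comment next to the initializer stating that the flag is enabled unconditionally because gnutls-cli can handle raw public keys would keep the decision from being questioned again by the next reader.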
From gnutls-devel at lists.gnutls.org Thu Sep 5 21:22:18 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 05 Sep 2019 19:22:18 +0000
Subject: [gnutls-devel] GnuTLS | Support for raw public keys for gnutls-cli and gnutls-serv (!1059)

Tom commented on a discussion on src/cli-args.def: https://gitlab.com/gnutls/gnutls/merge_requests/1059#note_213102839

> flags-must = x509keyfile; > }; > > +flag = { > + name = rawpkkeyfile; > + arg-type = string; > + descrip = "PKCS #8 or PKCS #12 key file to use"; > + doc = ""; > + max = 1;

Good point. I'll remove it.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1059#note_213102839

From gnutls-devel at lists.gnutls.org Thu Sep 5 21:28:41 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 05 Sep 2019 19:28:41 +0000
Subject: [gnutls-devel] GnuTLS | Support for raw public keys for gnutls-cli and gnutls-serv (!1059)

Tom commented on a discussion on src/serv-args.def: https://gitlab.com/gnutls/gnutls/merge_requests/1059#note_213108027

> }; > > +flag = { > + name = rawpkkeyfile; > + arg-type = string; > + descrip = "PKCS #8 or PKCS #12 key file to use"; > + doc = ""; > + max = 1; > +}; > + > +flag = { > + name = rawpkfile; > + arg-type = string; > + descrip = "Raw public-key file to use"; > + doc = ""; > + max = 1;

That's true but how are we going to make a distinction between these keys? We need an extra names argument per set of key pair arguments. This requires extra logic and makes setting up this application extra complex. Do we really want to add this functionality? Are people going to use this application with multiple rawpks for the server?
I deliberately started out as simple as possible w.r.t. rawpk functionality. What do you think?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1059#note_213108027

From gnutls-devel at lists.gnutls.org Thu Sep 5 21:29:03 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 05 Sep 2019 19:29:03 +0000
Subject: [gnutls-devel] GnuTLS | Support for raw public keys for gnutls-cli and gnutls-serv (!1059)

Tom commented on a discussion on src/serv.c: https://gitlab.com/gnutls/gnutls/merge_requests/1059#note_213108097

> const char *err; > gnutls_datum_t alpn[MAX_ALPN_PROTOCOLS]; > unsigned alpn_size; > - unsigned flags = GNUTLS_SERVER | GNUTLS_POST_HANDSHAKE_AUTH; > + unsigned flags = GNUTLS_SERVER | GNUTLS_POST_HANDSHAKE_AUTH | GNUTLS_ENABLE_RAWPK;

See my comment on this issue for the client application

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1059#note_213108097

From gnutls-devel at lists.gnutls.org Thu Sep 5 22:33:17 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 05 Sep 2019 20:33:17 +0000
Subject: [gnutls-devel] GnuTLS | maint: Include Guile's M4 macros. (!1061)

civodul pushed new commits to merge request !1061

https://gitlab.com/gnutls/gnutls/merge_requests/1061

* 3f0fb5ac - maint: Include Guile's M4 macros.
* 508abbc6 - .gitlab-ci.yml: doc-dist.Fedora: Pass "GUILE", "GUILD", and "guile_snarf" to 'configure'.
* 2879ddfa - .gitlab-ci.yml: minimal.Fedora.x86_64: Pass '--disable-guile' the 2nd time as well.
--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1061

From gnutls-devel at lists.gnutls.org Fri Sep 6 06:31:04 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 06 Sep 2019 04:31:04 +0000
Subject: [gnutls-devel] GnuTLS | Renegotiation with both renegotiation_info and SCSV at once is allowed (#828)

Nikos Mavrogiannopoulos commented:

I do not think that the expected results in the report are based on the RFC expectations. The RFC according to what you quote above expects the client not to send those together. The expectation from the server is undefined. As such it seems to me that the current behavior is compliant.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/828#note_213332902

From gnutls-devel at lists.gnutls.org Fri Sep 6 06:43:28 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 06 Sep 2019 04:43:28 +0000
Subject: [gnutls-devel] GnuTLS | Disable TLS 1.3 dynamically during handshake if bad KX is enabed in priority (#825)

Nikos Mavrogiannopoulos commented:

If we co-ordinate the inclusion of both gost in tls1.3 and tls1.2 will this be addressed? The current approach is that given that GOST-CNT are TLS1.2-only we disable TLS1.3 completely when it is enabled, is quite simple, easy to enforce and also for users to understand. I guess the problem you see arises when the gost algorithms are included in the default set (and `KX-ALL` includes it), right?
My expectation from the string `-VER-TLS-ALL:+VER-TLS1.3:+KX-ALL` is that only TLS1.3 ciphersuites are negotiated and not gost. Isn't this correct, or isn't this the behavior you notice?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/825#note_213335812

From gnutls-devel at lists.gnutls.org Fri Sep 6 06:51:05 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 06 Sep 2019 04:51:05 +0000
Subject: [gnutls-devel] GnuTLS | priority: fix loop which removes systemwide disabled KX algos (!1064)

Merge Request !1064 was approved by Nikos Mavrogiannopoulos

Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/1064
Project:Branches: GostCrypt/gnutls:fix-priority-setting to gnutls/gnutls:master
Author: Dmitry Eremin-Solenikov
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1064

From gnutls-devel at lists.gnutls.org Fri Sep 6 06:52:09 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 06 Sep 2019 04:52:09 +0000
Subject: [gnutls-devel] GnuTLS | priority: fix loop which removes systemwide disabled KX algos (!1064)

Nikos Mavrogiannopoulos commented:

Is there something we can test to catch this?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1064#note_213337245
From gnutls-devel at lists.gnutls.org Fri Sep 6 08:36:18 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 06 Sep 2019 06:36:18 +0000
Subject: [gnutls-devel] GnuTLS | Do not forbid excess random padding in TLS1.x CBC ciphersuites (!1054)

Nikos Mavrogiannopoulos pushed new commits to merge request !1054

https://gitlab.com/gnutls/gnutls/merge_requests/1054

* 3c7ade44 - tests: check interoperability testing with gnutls 2.12.x and SHA384
* db3fe0ff - _gnutls_epoch_set_keys: do not forbid random padding in TLS1.x CBC ciphersuites

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1054

From gnutls-devel at lists.gnutls.org Fri Sep 6 09:45:42 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 06 Sep 2019 07:45:42 +0000
Subject: [gnutls-devel] GnuTLS | Do not forbid excess random padding in TLS1.x CBC ciphersuites (!1054)

Nikos Mavrogiannopoulos pushed new commits to merge request !1054

https://gitlab.com/gnutls/gnutls/merge_requests/1054

* daa49b9e - _gnutls_epoch_set_keys: do not forbid random padding in TLS1.x CBC ciphersuites
* ee19d733 - tests: check interoperability testing with gnutls 2.12.x and SHA256

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1054
From gnutls-devel at lists.gnutls.org Fri Sep 6 09:49:55 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 06 Sep 2019 07:49:55 +0000
Subject: [gnutls-devel] GnuTLS | gnutls-cli-debug: fix early break for no version supported check (!1063)

Merge Request !1063 was approved by Nikos Mavrogiannopoulos

Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/1063
Project:Branches: GostCrypt/gnutls:fix-cli-debug to gnutls/gnutls:master
Author: Dmitry Eremin-Solenikov
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1063

From gnutls-devel at lists.gnutls.org Fri Sep 6 09:51:20 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 06 Sep 2019 07:51:20 +0000
Subject: [gnutls-devel] GnuTLS | gnutls-cli-debug: fix early break for no version supported check (!1063)

Nikos Mavrogiannopoulos started a new discussion on src/tests.c: https://gitlab.com/gnutls/gnutls/merge_requests/1063#note_213385134

> return ret; > } > > +test_code_t test_known_protocols(gnutls_session_t session) > +{ > + if (tls1_2_ok == 0 && tls1_1_ok == 0 && tls1_ok == 0 &&

Maybe we don't even need the different variables for this check. If we set a single variable `known_protocol` to non-zero once one is found, we wouldn't even need to update this function when a new protocol is added. Nevertheless I'm still ok with this.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1063#note_213385134
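Review bot: `test_known_protocols()` receives `session`, but the condition visible in the src/tests.c hunk quoted above reads only the global `tls1_2_ok`, `tls1_1_ok` and `tls1_ok` results, so its answer depends on the per-version tests having run before it. A comment above the function stating that ordering requirement would help anyone who reorders or extends the list of tests.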
From gnutls-devel at lists.gnutls.org Fri Sep 6 09:55:36 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 06 Sep 2019 07:55:36 +0000
Subject: [gnutls-devel] GnuTLS | gnutls_record_send() fails with GNUTLS_E_INVALID_REQUEST (#823)

Nikos Mavrogiannopoulos commented:

Has this been reported to the software that breaks? The log simply indicates the call of `gnutls_record_send()` to an already closed session. If you cannot reproduce the issue using `gnutls-cli` I'd suggest to investigate the issue with the software that has this behavior first.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/823#note_213386886

From gnutls-devel at lists.gnutls.org Fri Sep 6 09:59:50 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 06 Sep 2019 07:59:50 +0000
Subject: [gnutls-devel] GnuTLS | Thread local storages not free'd until application exits (#824)

Nikos Mavrogiannopoulos commented:

The fix you propose looks reasonable to me. Why do you think it would be no benefit? Is it for this particular application with short-lived threads?

Another solution would be to be re-using these areas, but I haven't really investigated how easy or reasonable that is.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/824#note_213388739
From gnutls-devel at lists.gnutls.org Fri Sep 6 10:29:57 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 06 Sep 2019 08:29:57 +0000
Subject: [gnutls-devel] GnuTLS | Thread local storages not free'd until application exits (#824)

Dave Craig commented:

> The fix you propose looks reasonable to me. Why do you think it would be no benefit?

Well it does work, and in the cold light of day doesn't look so bad. I guess the trade off for us was whether there was much benefit to us of using TLS at all vs. backing out the change to TLS. I was probably confusing my own short term goals with what the best fix overall was. It was only getting called every couple of seconds, and so its speed performance isn't that important.

> Is it for this particular application with short-lived threads?

I was slightly surprised at the GStreamer behaviour. It's re-using threads from a thread pool, but I guess the thread is being reset in some way, because with my pthreads TLS implementation I could see the storage being created and destroyed almost (but not quite) every call. That obviously makes using TLS less useful for this application.

> Another solution would be to be re-using these areas, but I haven't really investigated how easy or reasonable that is.

If TLS has an advantage for some users, then keeping it as it is but with added destructor handling as in random.pthread_tls.c would seem the best approach. A colleague had suggested waiting for C11 threads.h support (which we had coming soon), but perhaps pthreads is still the approach with the widest coverage.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/824#note_213402807
From gnutls-devel at lists.gnutls.org Fri Sep 6 11:05:17 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 06 Sep 2019 09:05:17 +0000
Subject: [gnutls-devel] GnuTLS | priority: fix loop which removes systemwide disabled KX algos (!1064)

Dmitry Eremin-Solenikov commented:

Hmm, I don't think so.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1064#note_213421253

From gnutls-devel at lists.gnutls.org Fri Sep 6 11:06:42 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 06 Sep 2019 09:06:42 +0000
Subject: [gnutls-devel] GnuTLS | gnutls-cli-debug: fix early break for no version supported check (!1063)

Dmitry Eremin-Solenikov commented on a discussion on src/tests.c: https://gitlab.com/gnutls/gnutls/merge_requests/1063#note_213421965

> return ret; > } > > +test_code_t test_known_protocols(gnutls_session_t session) > +{ > + if (tls1_2_ok == 0 && tls1_1_ok == 0 && tls1_ok == 0 &&

I preferred to leave this as is, because later we use `tls1_X_ok` variables.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1063#note_213421965

From gnutls-devel at lists.gnutls.org Fri Sep 6 11:16:46 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 06 Sep 2019 09:16:46 +0000
Subject: [gnutls-devel] GnuTLS | Renegotiation with both renegotiation_info and SCSV at once is allowed (#828)

t184256 commented:

I agree. Thanks for the explanation, TIL.
While the server is required to send fatal alerts when it detects non-compliant client behaviour, apparently, a failure to detect it altogether *is* compliant. I cannot put any formal expectations on the server in this regard, and the current gnutls reaction to such a violation is sensible.

I'm closing this, because, in this light, it's a low importance RFE at best.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/828#note_213428134

From gnutls-devel at lists.gnutls.org Fri Sep 6 11:16:46 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 06 Sep 2019 09:16:46 +0000
Subject: [gnutls-devel] GnuTLS | Renegotiation with both renegotiation_info and SCSV at once is allowed (#828)

Issue was closed by t184256

Issue #828: https://gitlab.com/gnutls/gnutls/issues/828

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/828

From gnutls-devel at lists.gnutls.org Fri Sep 6 12:03:50 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 06 Sep 2019 10:03:50 +0000
Subject: [gnutls-devel] GnuTLS | Support QUIC TLS API (#826)

Daiki Ueno commented:

> (1) https://github.com/openssl/openssl/pull/8797/ (2) https://github.com/tatsuhiro-t/openssl/tree/quic-draft-22

Thank you. Looks like (1) is more up to date than (2) and in fact [the draft-22 branch of ngtcp2](https://github.com/ngtcp2/ngtcp2/blob/draft-22/examples/client.cc#L2114) is assuming [the API from (1)](https://github.com/openssl/openssl/pull/8797/files?short_path=cfb0d9d#diff-cfb0d9dad7f909619348dc0758d9f300).
So we basically would need the following things:

1. a callback to notify the key (epoch) change
2. a callback to write a Handshake message, when it is being sent
3. a callback to write an Alert message, when it is being sent
4. a callback to flush the message - not sure if this is really needed in GnuTLS
5. a function to push data received from the peer to the TLS layer

I guess (1) would be quite straightforward. Would you like to start with it? Basically you would need to hook the callback where new traffic keys are set, e.g.,: https://gitlab.com/gnutls/gnutls/blob/master/lib/constate.c#L379

See also the NSS design document linked from my first comment.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/826#note_213450784

From gnutls-devel at lists.gnutls.org Fri Sep 6 12:55:03 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 06 Sep 2019 10:55:03 +0000
Subject: [gnutls-devel] GnuTLS | Thread local storages not free'd until application exits (#824)

Nikos Mavrogiannopoulos commented:

Would you like to propose a fix?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/824#note_213471981
From gnutls-devel at lists.gnutls.org Fri Sep 6 14:01:51 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 06 Sep 2019 12:01:51 +0000
Subject: [gnutls-devel] GnuTLS | Renegotiation with both renegotiation_info and SCSV at once is allowed (#828)

Issue was reopened by t184256

Issue 828: https://gitlab.com/gnutls/gnutls/issues/828

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/828

From gnutls-devel at lists.gnutls.org Fri Sep 6 14:01:50 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 06 Sep 2019 12:01:50 +0000
Subject: [gnutls-devel] GnuTLS | Renegotiation with both renegotiation_info and SCSV at once is allowed (#828)

t184256 commented:

Reopening this one because @tomato42 suggests that it's worth being investigated anyway, as it's easier to detect and abort such behaviour than to test the possible bugs that could crop up in proceeding with such session.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/828#note_213501670
From gnutls-devel at lists.gnutls.org Fri Sep 6 14:05:32 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 06 Sep 2019 12:05:32 +0000
Subject: [gnutls-devel] GnuTLS | Resumption and renegotiation with extended master secret is not RFC compliant (#69)

t184256 commented:

@nmav, despite the commits mentioned above, `"renegotiate without EMS in session with EMS"` and `"EMS with session resume without extension"` are failing with the current master and are still excluded from [gnutls-nocert.json](https://gitlab.com/gnutls/gnutls/blob/master/tests/suite/tls-fuzzer/gnutls-nocert.json#L178). Could you please enable and investigate those?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/69#note_213503215

From gnutls-devel at lists.gnutls.org Fri Sep 6 14:36:06 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 06 Sep 2019 12:36:06 +0000
Subject: [gnutls-devel] GnuTLS | gnutls-cli-debug: fix early break for no version supported check (!1063)

All discussions on Merge Request !1063 were resolved by Dmitry Eremin-Solenikov
https://gitlab.com/gnutls/gnutls/merge_requests/1063

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1063
From gnutls-devel at lists.gnutls.org Fri Sep 6 21:06:12 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 06 Sep 2019 19:06:12 +0000
Subject: [gnutls-devel] GnuTLS | Disable TLS 1.3 dynamically during handshake if bad KX is enabed in priority (#825)

Dmitry Eremin-Solenikov commented:

No, it won't. TLS 1.3 will use completely different ciphersuites/algorithms. And on top of that GOST-TLS1.3 probably won't get deployed in several years.

For me the whole story is about server which supports both TLS 1.2 and TLS 1.3 and has both ECDSA and GOST certificates. Now assume misconfigured client which sends TLS 1.3 + TLS 1.2 + GOST ciphersuite. Should they be able to interoperate?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/825#note_213672391

From gnutls-devel at lists.gnutls.org Fri Sep 6 21:08:21 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 06 Sep 2019 19:08:21 +0000
Subject: [gnutls-devel] GnuTLS | gnutls-cli-debug: fix early break for no version supported check (!1063)

Merge Request !1063 was merged

Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/1063
Project:Branches: GostCrypt/gnutls:fix-cli-debug to gnutls/gnutls:master
Author: Dmitry Eremin-Solenikov
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1063
From gnutls-devel at lists.gnutls.org Fri Sep 6 21:08:38 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 06 Sep 2019 19:08:38 +0000
Subject: [gnutls-devel] GnuTLS | priority: fix loop which removes systemwide disabled KX algos (!1064)

Merge Request !1064 was merged

Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/1064
Project:Branches: GostCrypt/gnutls:fix-priority-setting to gnutls/gnutls:master
Author: Dmitry Eremin-Solenikov
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1064

From gnutls-devel at lists.gnutls.org Fri Sep 6 21:20:01 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 06 Sep 2019 19:20:01 +0000
Subject: [gnutls-devel] GnuTLS | WIP: Add support for CNT_IMIT TLS 1.2 GOST cipher suite (!920)

Dmitry Eremin-Solenikov pushed new commits to merge request !920
https://gitlab.com/gnutls/gnutls/merge_requests/920

* f141ab11...bcd95a1a - 10 commits from branch `master`
* 9b508d98 - lib: define TC26 GOST curves
* 46b4e429 - nettle/gost: provide GOST 28147-89 CNT mode
* bf5006db - nettle/gost: provide GOST 28147-89 IMIT MAC mode
* fc9a03c6 - lib: provide GOST 28147-89 CNT mode support
* cc8302e3 - lib: provide GOST 28147-89 IMIT MAC support
* 7082204f - nettle: provide GOST 28147-89 CNT mode support
* abbbe65e - nettle: provide GOST 28147-89 IMIT MAC support
* 01a3d83b - nettle/gost: provide GOST keywrapping support
* 299249e8 - nettle/gost: add support for GOST VKO algorithm
* c88f11a0 - _gnutls_pk_derive: add argument for nonce
* adc58a99 - nettle: add support for GOST key derivation
* aeacf100 - mpi: add _gnutls_mpi_bprint_size_le()
* 1b0a78d4 - Allow using implicit IV for
stream ciphers with TLS
* 537ce695 - Support GOST certificate request values
* f93f8bb4 - Add GOST key transport support
* 7565f4ac - groups: add function to return group by curve
* 870e6d0a - Add support for VKO GOST key exchange
* ea32aff6 - Support GOST cipher suite MAC calculation
* 854bc508 - Add GOST cipher suites
* d32c753d - Declare groups corresponding to GOST curves
* 70a6118b - Add GOST values to cipher suites priorities
* 09d2f416 - prf: add GOST R 34.11-94 and Streebog PRF support
* c8c54f3c - tests: add tests for KX-GOST-VKO using different key variants
* 81466394 - lib: fix group selection in case of GOST cipher suites
* ad480e6a - tests: added testcases for ciphersuite/KX negotiation with VKO-GOST
* 5c6b9ffb - lib/algorithms: add AID values assigned by IANA
* 88a0c4ca - lib: pubkey vs TLS signature compatibility for GOST algorithms
* fc2c77d9 - cli-debug: include GOST VKO into KX list
* 66ce19df - priority: add GROUP-GOST-ALL keyword
* 0c687ea5 - nettle/pk: add support for "new" TC26 256 B curve
* 69e837bb - ecc: define curve->group relationship
* c3898eb2 - ext/supported_groups: don't consider non-EC groups for EC
* bb82d693 - ext/signature: use GOST signatures for GOST ciphersiuites
* 0d4d8f46 - tests: correct gost server certificates
* f46f28f7 - tests: add verbose logging to server-kx-neg tests
* 490e610c - Swap TLS signatures in case we are signing them with GOST keys
* d008d006 - crypto-selftests: add CNT and IMIT self tests
* 98a03510 - gnutls-cli-debug: add GOST_CNT-related KX/cipher/MAC tests
* f2eb50e7 - tls13-server-kx-neg: add test for GOST-enabled server and client

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/920
From gnutls-devel at lists.gnutls.org Fri Sep 6 21:27:18 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 06 Sep 2019 19:27:18 +0000
Subject: [gnutls-devel] GnuTLS | Add support for CNT_IMIT TLS 1.2 GOST cipher suite (!920)

Dmitry Eremin-Solenikov commented:

@nmav this MR should now contain necessary support and tests for `GOST-CNT` suites from `draft-smyshlyaev-tls12-gost-suites` up to current version. Could you please re-review it again (in the hope of getting it merged).

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/920#note_213677662

From gnutls-devel at lists.gnutls.org Fri Sep 6 22:52:17 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 06 Sep 2019 20:52:17 +0000
Subject: [gnutls-devel] GnuTLS | Add support for CNT_IMIT TLS 1.2 GOST cipher suite (!920)

Dmitry Eremin-Solenikov pushed new commits to merge request !920
https://gitlab.com/gnutls/gnutls/merge_requests/920

* aab998d6 - gnutls-cli-debug: add GOST_CNT-related KX/cipher/MAC tests
* 2226bc13 - tls13-server-kx-neg: add test for GOST-enabled server and client

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/920
From gnutls-devel at lists.gnutls.org Sun Sep 8 11:50:21 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 08 Sep 2019 09:50:21 +0000
Subject: [gnutls-devel] GnuTLS | Disable TLS 1.3 dynamically during handshake if bad KX is enabed in priority (#825)

Nikos Mavrogiannopoulos commented:

> Now assume misconfigured client which sends TLS 1.3 + TLS 1.2 + GOST ciphersuite. Should they be able to interoperate?

Let's write the use cases we are interested to handle. As you write above we have:

1. client which sends TLS 1.3 + TLS 1.2 + GOST ciphersuite
2. client which sets up `-VER-TLS-ALL:+VER-TLS1.3:+KX-ALL`

For (1) the current behavior would be fine, as it will disable TLS1.3 and use GOST.

For (2) all is ok if GOST is not in the `KX-ALL` (current situation). If at some point GOST gets into the `NORMAL` priority then effectively `-VER-TLS-ALL:+VER-TLS1.3:+KX-ALL` will be synonymous to NONE.

So as it is now, to my understanding, the problem with our handling of priority strings is that TLS-1.2 only key exchange (or even ciphers?) cannot be added in the default set. Do we agree on the problem?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/825#note_213864490

From gnutls-devel at lists.gnutls.org Sun Sep 8 11:56:29 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 08 Sep 2019 09:56:29 +0000
Subject: [gnutls-devel] GnuTLS | Renegotiation with both renegotiation_info and SCSV at once is allowed (#828)

Nikos Mavrogiannopoulos commented:

I am marking it as backlog item, but I do see more harm than good done from a fix in behavior.
--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/828#note_213864971

From gnutls-devel at lists.gnutls.org Sun Sep 8 12:00:46 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 08 Sep 2019 10:00:46 +0000
Subject: [gnutls-devel] GnuTLS | Support for raw public keys for gnutls-cli and gnutls-serv (!1059)

Nikos Mavrogiannopoulos commented on a discussion on src/cli.c: https://gitlab.com/gnutls/gnutls/merge_requests/1059#note_213865331

> const char *x509_cafile = NULL; > const char *x509_crlfile = NULL; > static int x509ctype; > +const char *rawpk_keyfile = NULL; > +const char *rawpk_file = NULL; > static int disable_extensions; > static int disable_sni; > -static unsigned int init_flags = GNUTLS_CLIENT; > +static unsigned int init_flags = GNUTLS_CLIENT | GNUTLS_ENABLE_RAWPK;

I am not sure that without any test to check `gnutls-cli`'s behavior with raw public keys we can claim that it can handle them confidently. Nevertheless, I find it a regression for the tool to suddenly start negotiating raw public keys with an existing server where previously it would negotiate pkix. It should be up to the user to enable that behavior explicitly (especially given that gnutls-cli is mainly used as a testing tool, such a regression can break test cases).

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1059#note_213865331
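Review bot: in the src/cli.c hunk quoted above, `GNUTLS_ENABLE_RAWPK` is placed in the static initializer of `init_flags`, so it is set for every `gnutls-cli` run whether or not `rawpk_keyfile` or `rawpk_file` was given. Consider OR-ing the flag into `init_flags` during option handling, only when one of those two pointers is non-NULL, and cover both paths with a test: one run with the raw public-key options and one without that checks the negotiated certificate type is unchanged.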
From gnutls-devel at lists.gnutls.org Sun Sep 8 12:02:52 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 08 Sep 2019 10:02:52 +0000
Subject: [gnutls-devel] GnuTLS | Support for raw public keys for gnutls-cli and gnutls-serv (!1059)

Nikos Mavrogiannopoulos commented on a discussion on src/serv-args.def: https://gitlab.com/gnutls/gnutls/merge_requests/1059#note_213865513

> }; > > +flag = { > + name = rawpkkeyfile; > + arg-type = string; > + descrip = "PKCS #8 or PKCS #12 key file to use"; > + doc = ""; > + max = 1; > +}; > + > +flag = { > + name = rawpkfile; > + arg-type = string; > + descrip = "Raw public-key file to use"; > + doc = ""; > + max = 1;

Why do you think we need to distinguish these using a name? Consider the server which has an ECDSA key and an RSA key. The `id` of the key is the key type, and the subject key identifier (hash of the key). Would we need anything else?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1059#note_213865513
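Review bot: both new flags in the src/serv-args.def hunk quoted above are added with `doc = "";`, so the generated help and manual carry no explanation for either option. The `descrip` of `rawpkkeyfile` ("PKCS #8 or PKCS #12 key file to use") also does not say that this is the private key belonging to the raw public key given with `rawpkfile`. Fill in `doc` for each flag, state how the two options relate, and say which file encoding `rawpkfile` expects.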
From gnutls-devel at lists.gnutls.org Sun Sep 8 12:08:50 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 08 Sep 2019 10:08:50 +0000
Subject: [gnutls-devel] GnuTLS | gnutls_int.h: make DECR_LEN neutral to signedness (!1056)

Nikos Mavrogiannopoulos started a new discussion on lib/gnutls_int.h: https://gitlab.com/gnutls/gnutls/merge_requests/1056#note_213866862

> > #define MEMSUB(x,y) ((ssize_t)((ptrdiff_t)x-(ptrdiff_t)y)) > > -#define DECR_LEN(len, x) do { len-=x; if (len<0) {gnutls_assert(); return GNUTLS_E_UNEXPECTED_PACKET_LENGTH;} } while (0) > +#define DECR_LEN(len, x) do { if (len

From gnutls-devel at lists.gnutls.org Sun Sep 8 12:13:05 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 08 Sep 2019 10:13:05 +0000
Subject: [gnutls-devel] GnuTLS | Do not forbid excess random padding in TLS1.x CBC ciphersuites (!1054)

All discussions on Merge Request !1054 were resolved by Nikos Mavrogiannopoulos
https://gitlab.com/gnutls/gnutls/merge_requests/1054

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1054

From gnutls-devel at lists.gnutls.org Sun Sep 8 12:18:29 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 08 Sep 2019 10:18:29 +0000
Subject: [gnutls-devel] GnuTLS | Do not forbid excess random padding in TLS1.x CBC ciphersuites (!1054)

Nikos Mavrogiannopoulos commented:

@tomato42 what you raised in private email regarding the text of rfc5246:
```
record_overflow A TLSCiphertext record was received that had a length more than 2^14+2048 bytes, or a record decrypted to a TLSCompressed record with more than 2^14+1024 bytes.
This message is always fatal and should never be observed in communication between proper implementations (except when messages were corrupted in the network).
```
This is a description of the alert, with some informal? way how to apply it. The actual behavior the RFC mandates is:
```
length The length (in bytes) of the following TLSPlaintext.fragment. The length MUST NOT exceed 2^14.
```

That's what gnutls enforces, and it does it by calculating in `_gnutls_epoch_set_keys` what's the maximum overhead required by this particular ciphersuite. It does not use the number 1024, as this looks like an arbitrary max limit.

This change relaxes the strict calculation of the ciphersuite overhead for the cbc ciphersuites, by allowing 256 bytes of additional data as in TLS1.3. That's in accordance with the guidance but smaller than 1024.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1054#note_213867791
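The length arithmetic discussed in the message above, worked through as an added example; it is not GnuTLS code and not part of the original thread. The structure, function names and the strict-limit formula (2^14 plus IV, MAC and one block of padding) are assumptions of this sketch, and it goes slightly beyond the message by computing the shortest and longest legal CBC padding for a given plaintext size.

```c
#include <stdio.h>

/* Limits quoted from RFC 5246 in the message above. */
#define MAX_PLAINTEXT  (1u << 14)           /* TLSPlaintext.length MUST NOT exceed 2^14 */
#define MAX_CIPHERTEXT ((1u << 14) + 2048u) /* record_overflow bound for TLSCiphertext */
#define EXTRA_PADDING  256u                 /* slack the change allows, as in TLS 1.3 */

/* Assumed model of a MAC-then-encrypt CBC suite; not a GnuTLS structure. */
struct cbc_suite {
    const char *name;
    unsigned block;       /* cipher block size in bytes */
    unsigned mac;         /* MAC tag size in bytes */
    unsigned explicit_iv; /* 1 for TLS 1.1/1.2, 0 for TLS 1.0 */
};

const struct cbc_suite AES128_SHA256 = { "AES-128-CBC-SHA256", 16, 32, 1 };
const struct cbc_suite AES256_SHA384 = { "AES-256-CBC-SHA384", 16, 48, 1 };

enum verdict { FITS_STRICT, NEEDS_RELAXED, REC_OVERFLOW };

static unsigned iv_len(const struct cbc_suite *s)
{
    return s->explicit_iv ? s->block : 0;
}

/* Shortest legal padding (pad bytes plus the length byte): 1..block bytes. */
unsigned min_pad(const struct cbc_suite *s, unsigned plaintext)
{
    return s->block - ((plaintext + s->mac) % s->block);
}

/* Longest legal padding: same residue as min_pad, at most 255 pad bytes + 1. */
unsigned max_pad(const struct cbc_suite *s, unsigned plaintext)
{
    unsigned p = min_pad(s, plaintext);
    return p + ((256u - p) / s->block) * s->block;
}

/* Bytes on the wire for one record: IV + plaintext + MAC + padding. */
unsigned record_len(const struct cbc_suite *s, unsigned plaintext, unsigned pad)
{
    return iv_len(s) + plaintext + s->mac + pad;
}

/* Strict receive limit: only the overhead a minimal-padding sender can produce. */
unsigned strict_limit(const struct cbc_suite *s)
{
    return MAX_PLAINTEXT + iv_len(s) + s->mac + s->block;
}

/* Relaxed limit: strict overhead plus the 256 bytes of additional data. */
unsigned relaxed_limit(const struct cbc_suite *s)
{
    return strict_limit(s) + EXTRA_PADDING;
}

enum verdict classify(const struct cbc_suite *s, unsigned wire_len)
{
    if (wire_len <= strict_limit(s))
        return FITS_STRICT;
    if (wire_len <= relaxed_limit(s))
        return NEEDS_RELAXED;
    return REC_OVERFLOW;
}

int main(void)
{
    static const char *const label[] = { "fits strict", "needs relaxed", "overflow" };
    const struct cbc_suite *suites[] = { &AES128_SHA256, &AES256_SHA384 };

    for (unsigned i = 0; i < 2; i++) {
        const struct cbc_suite *s = suites[i];
        /* Constructed input: a full 2^14-byte fragment, minimal vs. maximal padding. */
        unsigned lo = record_len(s, MAX_PLAINTEXT, min_pad(s, MAX_PLAINTEXT));
        unsigned hi = record_len(s, MAX_PLAINTEXT, max_pad(s, MAX_PLAINTEXT));

        printf("%s: strict=%u relaxed=%u rfc=%u\n", s->name,
               strict_limit(s), relaxed_limit(s), MAX_CIPHERTEXT);
        printf("  minimal padding: %u bytes (%s)\n", lo, label[classify(s, lo)]);
        printf("  maximal padding: %u bytes (%s)\n", hi, label[classify(s, hi)]);
    }
    return 0;
}
```

A full-size fragment padded to the maximum exceeds the strict limit for both suites yet stays under the relaxed one, which in turn is well below the RFC's 2^14+2048 ciphertext bound.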
From gnutls-devel at lists.gnutls.org Sun Sep 8 12:25:08 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 08 Sep 2019 10:25:08 +0000
Subject: [gnutls-devel] GnuTLS | Add support for CNT_IMIT TLS 1.2 GOST cipher suite (!920)

Nikos Mavrogiannopoulos commented on a discussion on tests/tls12-server-kx-neg.c: https://gitlab.com/gnutls/gnutls/merge_requests/920#note_213868416

> + .server_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:-VERS-ALL:+VERS-TLS1.2", > + .client_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:-VERS-ALL:+VERS-TLS1.2" > + }, > + { > + .name = "TLS 1.2 VKO-GOST-12 with cred and GOST12-512 cert", > + .server_ret = 0, > + .client_ret = 0, > + .have_cert_cred = 1, > + .have_gost12_512_cert = 1, > + .not_on_fips = 1, > + .server_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:-VERS-ALL:+VERS-TLS1.2", > + .client_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:-VERS-ALL:+VERS-TLS1.2" > + }, > + { > + .name = "TLS 1.2 VKO-GOST-12 with cred and multiple certs", > + .server_ret = 0,

Note that by TLS1.3-enabled, I meant one that enables both TLS1.3 and TLS1.2. Is that also not possible?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/920#note_213868416

From gnutls-devel at lists.gnutls.org Sun Sep 8 19:02:55 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 08 Sep 2019 17:02:55 +0000
Subject: [gnutls-devel] GnuTLS | ocsp status request docs misleading (#829)

jgh created an issue: https://gitlab.com/gnutls/gnutls/issues/829

The current docs at https://www.gnutls.org/manual/gnutls.html#OCSP-stapling list gnutls_ocsp_status_request_is_checked() as being usable server-side.
However, the function description at https://www.gnutls.org/manual/gnutls.html#gnutls_005focsp_005fstatus_005frequest_005fis_005fchecked reads as if it is aimed at client-side support. The implementation calls gnutls_ocsp_status_request_get() for the _SR_IS_AVAIL case, which is documented as "response received from the TLS server" - ie. client-side only.

Also, there appears to be no interface for observability of stapling request and presented response status, server side

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/829

From gnutls-devel at lists.gnutls.org Mon Sep 9 10:31:47 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 09 Sep 2019 08:31:47 +0000
Subject: [gnutls-devel] GnuTLS | gnutls_int.h: make DECR_LEN neutral to signedness (!1056)

Daiki Ueno commented on a discussion on lib/gnutls_int.h: https://gitlab.com/gnutls/gnutls/merge_requests/1056#note_214038901

> > #define MEMSUB(x,y) ((ssize_t)((ptrdiff_t)x-(ptrdiff_t)y)) > > -#define DECR_LEN(len, x) do { len-=x; if (len<0) {gnutls_assert(); return GNUTLS_E_UNEXPECTED_PACKET_LENGTH;} } while (0) > +#define DECR_LEN(len, x) do { if (len

From gnutls-devel at lists.gnutls.org Mon Sep 9 13:35:29 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 09 Sep 2019 11:35:29 +0000
Subject: [gnutls-devel] GnuTLS | Do not forbid excess random padding in TLS1.x CBC ciphersuites (!1054)

Hubert Kario (@mention me if you need reply) commented:

so the "maximum" in the below
```
ciphers to ensure we interoperate with gnutls 2.12.x which could add padding data exceeding the maximum
```
is the maximum that GnuTLS supports/expects?
If so, I think it should be indicated as such in the comment.

so I guess we need `test-atypical-padding.py` and `test-SSLv3-padding.py` to generate those "max padding" records together with ciphers that use SHA256, SHA384 and application data that is 2**14 bytes long?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1054#note_214131523

From gnutls-devel at lists.gnutls.org Mon Sep 9 14:21:31 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 09 Sep 2019 12:21:31 +0000
Subject: [gnutls-devel] libtasn1 | doc/reference: don't add empty object hierarchy chapter (!49)

Ross Burton created a merge request: https://gitlab.com/gnutls/libtasn1/merge_requests/49

Project:Branches: rossburton/libtasn1:gtkdoc to gnutls/libtasn1:master
Author: Ross Burton

The object hierarchy section is empty because there are no GObjects in the libtasn1 API. With gtk-doc 1.30 onwards if there are no objects then the object hierarchy file won't exist, resulting in a failure when building the documentation:
```
../libtasn1-docs.xml:39: element include: XInclude error : could not load ../xml/tree_index.sgml, and no fallback was found
```

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/merge_requests/49
From gnutls-devel at lists.gnutls.org Mon Sep 9 14:41:30 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 09 Sep 2019 12:41:30 +0000
Subject: [gnutls-devel] GnuTLS | Support for raw public keys for gnutls-cli and gnutls-serv (!1059)
In-Reply-To:
References:
Message-ID:

Tom commented on a discussion on src/cli.c: https://gitlab.com/gnutls/gnutls/merge_requests/1059#note_214167349

> const char *x509_cafile = NULL; > const char *x509_crlfile = NULL; > static int x509ctype; > +const char *rawpk_keyfile = NULL; > +const char *rawpk_file = NULL; > static int disable_extensions; > static int disable_sni; > -static unsigned int init_flags = GNUTLS_CLIENT; > +static unsigned int init_flags = GNUTLS_CLIENT | GNUTLS_ENABLE_RAWPK;

I will create a test for that.

> Nevertheless, I find it a regression for the tool to suddenly starting negotiating raw public keys with an existing server where previously it would negotiate pkix.

This does not happen. Default behaviour is guaranteed unless a user explicitly sets the raw pk certificate type to be negotiated (via the priority strings). The `GNUTLS_ENABLE_RAWPK` flag is for the application developer to enable this functionality in the library. The application developer is responsible for implementing / handling the raw pk functionality in the application. That would be me / us in this case. The user is then responsible for actually using raw pk stuff by 1) setting the raw pk credentials, 2) telling the application via the priority strings (`CTYPE-*` flags) that raw public keys are to be negotiated with the peer. If 2) is not done by the user then the application just behaves as if it only knows x509.

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1059#note_214167349
From gnutls-devel at lists.gnutls.org Mon Sep 9 15:14:47 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 09 Sep 2019 13:14:47 +0000
Subject: [gnutls-devel] GnuTLS | Support for raw public keys for gnutls-cli and gnutls-serv (!1059)
In-Reply-To:
References:
Message-ID:

Tom commented on a discussion on src/cli.c: https://gitlab.com/gnutls/gnutls/merge_requests/1059#note_214185266

> } > } > > - load_keys(); > + load_x509_keys();

I've looked at that approach and found that splitting into two distinct functions would produce clearer code. The certificate handling code is far more complex than the rawpk code. I could not reuse it, and merging the two would cause more complex branching in the original function (which is already quite long). Currently the only commonality between `load_x509_keys` and `load_rawpk_keys` is the handling of the private keys.

What I could do, given your earlier comment above, is that I extract the shared privkey handling functionality from these functions and create a separate function for that. That way we have two clean functions that serve a clear purpose (i.e. load an x509 key pair and rawpk key pair respectively) without code duplication between them. What do you think?

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1059#note_214185266
From gnutls-devel at lists.gnutls.org Mon Sep 9 15:22:15 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 09 Sep 2019 13:22:15 +0000
Subject: [gnutls-devel] GnuTLS | Support for raw public keys for gnutls-cli and gnutls-serv (!1059)
In-Reply-To:
References:
Message-ID:

Tom commented on a discussion on src/cli-args.def: https://gitlab.com/gnutls/gnutls/merge_requests/1059#note_214192580

> flags-must = x509keyfile; > }; > > +flag = { > + name = rawpkkeyfile;

Can we, in that case, express a constraint like `flags-must = rawpkkeyfile;` for `rawpkfile`?

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1059#note_214192580

From gnutls-devel at lists.gnutls.org Mon Sep 9 15:23:05 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 09 Sep 2019 13:23:05 +0000
Subject: [gnutls-devel] GnuTLS | Support for raw public keys for gnutls-cli and gnutls-serv (!1059)
In-Reply-To:
References:
Message-ID:

Tom commented on a discussion on src/cli.c: https://gitlab.com/gnutls/gnutls/merge_requests/1059#note_214193822

> } > } > > +/* Load the raw public key and corresponding private key. > + */ > +static void load_rawpk_keys(void)

I can extract the private key handling functionality yes. Also see my comment below on splitting the original function.

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1059#note_214193822
From gnutls-devel at lists.gnutls.org Mon Sep 9 15:24:00 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 09 Sep 2019 13:24:00 +0000
Subject: [gnutls-devel] libtasn1 | doc/reference: don't add empty object hierarchy chapter (!49)
In-Reply-To:
References:
Message-ID:

Merge Request !49 was approved by Tim Rühsen

Merge Request url: https://gitlab.com/gnutls/libtasn1/merge_requests/49
Project:Branches: rossburton/libtasn1:gtkdoc to gnutls/libtasn1:master
Author: Ross Burton
Assignees:

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/merge_requests/49

From gnutls-devel at lists.gnutls.org Mon Sep 9 15:24:05 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 09 Sep 2019 13:24:05 +0000
Subject: [gnutls-devel] libtasn1 | doc/reference: don't add empty object hierarchy chapter (!49)
In-Reply-To:
References:
Message-ID:

Merge Request !49 was merged

Merge Request url: https://gitlab.com/gnutls/libtasn1/merge_requests/49
Project:Branches: rossburton/libtasn1:gtkdoc to gnutls/libtasn1:master
Author: Ross Burton
Assignees:

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/merge_requests/49

From gnutls-devel at lists.gnutls.org Mon Sep 9 15:24:18 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 09 Sep 2019 13:24:18 +0000
Subject: [gnutls-devel] libtasn1 | doc/reference: don't add empty object hierarchy chapter (!49)
In-Reply-To:
References:
Message-ID:

Tim Rühsen commented:

Thank you !
-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/merge_requests/49#note_214196080

From gnutls-devel at lists.gnutls.org Mon Sep 9 15:57:44 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 09 Sep 2019 13:57:44 +0000
Subject: [gnutls-devel] GnuTLS | Support for raw public keys for gnutls-cli and gnutls-serv (!1059)
In-Reply-To:
References:
Message-ID:

Tom commented on a discussion on src/serv-args.def: https://gitlab.com/gnutls/gnutls/merge_requests/1059#note_214218832

> }; > > +flag = { > + name = rawpkkeyfile; > + arg-type = string; > + descrip = "PKCS #8 or PKCS #12 key file to use"; > + doc = ""; > + max = 1; > +}; > + > +flag = { > + name = rawpkfile; > + arg-type = string; > + descrip = "Raw public-key file to use"; > + doc = ""; > + max = 1;

After investigating I think we can indeed select a raw pk based on the algorithm type. So I will update the application such that we use stack-args.

I just realized however that we might need to be able to specify key usage flags because this info is not contained in the certificate (because there is none). Currently I set the key usage flags to 0 (i.e. an all is fine wildcard) when I import the public key. What do you think is good to do here? Should I add an extra parameter for the key usage flags?

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1059#note_214218832
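Review bot: in the src/serv-args.def hunk, `rawpkfile` is declared without any dependency on `rawpkkeyfile`, so the option parser will accept a raw public key without a matching private key; add `flags-must = rawpkkeyfile;` to it, as proposed for src/cli-args.def in this thread. Both flags also leave `doc = "";` empty, and the `rawpkkeyfile` description "PKCS #8 or PKCS #12 key file to use" does not say that the key belongs to the raw public key, which makes it hard to tell apart from the X.509 key option in the help output.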
From gnutls-devel at lists.gnutls.org Mon Sep 9 16:34:34 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 09 Sep 2019 14:34:34 +0000
Subject: [gnutls-devel] GnuTLS | Do not forbid excess random padding in TLS1.x CBC ciphersuites (!1054)
In-Reply-To:
References:
Message-ID:

Hubert Kario (@mention me if you need reply) commented:

could you check https://github.com/tomato42/tlsfuzzer/pull/585 ? It should implement the above-mentioned tests

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1054#note_214255017

From gnutls-devel at lists.gnutls.org Mon Sep 9 23:38:08 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 09 Sep 2019 21:38:08 +0000
Subject: [gnutls-devel] GnuTLS | Disable TLS 1.3 dynamically during handshake if bad KX is enabed in priority (#825)
In-Reply-To:
References:
Message-ID:

Dmitry Eremin-Solenikov commented:

Yes, this is the correct description of the problem. For now I have removed TLS 1.3-disablement code for GOST KX.

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/825#note_214459120
From gnutls-devel at lists.gnutls.org Mon Sep 9 23:45:38 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 09 Sep 2019 21:45:38 +0000
Subject: [gnutls-devel] GnuTLS | Add support for CNT_IMIT TLS 1.2 GOST cipher suite (!920)
In-Reply-To:
References:
Message-ID:

Dmitry Eremin-Solenikov commented on a discussion on tests/tls12-server-kx-neg.c: https://gitlab.com/gnutls/gnutls/merge_requests/920#note_214460807

> + .server_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:-VERS-ALL:+VERS-TLS1.2", > + .client_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:-VERS-ALL:+VERS-TLS1.2" > + }, > + { > + .name = "TLS 1.2 VKO-GOST-12 with cred and GOST12-512 cert", > + .server_ret = 0, > + .client_ret = 0, > + .have_cert_cred = 1, > + .have_gost12_512_cert = 1, > + .not_on_fips = 1, > + .server_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:-VERS-ALL:+VERS-TLS1.2", > + .client_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:-VERS-ALL:+VERS-TLS1.2" > + }, > + { > + .name = "TLS 1.2 VKO-GOST-12 with cred and multiple certs", > + .server_ret = 0,

Not really possible. I either have to remove `VKO-GOST` from `NORMAL`, or face that `-VERS-ALL:+VERS-1.3:+KX-ALL` will become `NONE`.

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/920#note_214460807
From gnutls-devel at lists.gnutls.org Tue Sep 10 19:56:36 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 10 Sep 2019 17:56:36 +0000
Subject: [gnutls-devel] GnuTLS | Do not forbid excess random padding in TLS1.x CBC ciphersuites (!1054)
In-Reply-To:
References:
Message-ID:

Hubert Kario (@mention me if you need reply) commented:

when running current master (bcd95a1a0f8) the tlsfuzzer#585 does get `record_overflow` alerts, so I think it should get introduced as a test case in the MR

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1054#note_215007102

From gnutls-devel at lists.gnutls.org Wed Sep 11 10:15:05 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 11 Sep 2019 08:15:05 +0000
Subject: [gnutls-devel] GnuTLS | HMAC-SHA256 missing from NORMAL (#831)
References:
Message-ID:

Pierre Ossman (Work account) created an issue: https://gitlab.com/gnutls/gnutls/issues/831

## Description of problem:

Current versions of GnuTLS no longer advertise HMAC-SHA256 support unless very explicitly told to do so. This change was introduced in 62248b6adf0c11d469b04b4bf58aa97deff5a813, but the rationale doesn't match what's actually out there.

Two issues:

* Currently still supported versions of Windows have disabled HMAC-SHA1, but never got support for AEAD. This means that GnuTLS cannot connect to the RDP server on Windows 2012 R2.
* The documentation states that `NORMAL` (and derived values such as `MAC-ALL`) should enable all currently secure ciphersuites. This is quite obviously not the case, and very confusing when trying to debug this issue.

## Version of gnutls used:

3.6.8

## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)

Tested on Fedora, but the cause is upstream.
## How reproducible:

100%

Steps to Reproduce:
```
$ gnutls rds2012r2.example.com -p 3389
```

## Actual results:

Server drops the connection and logs that it could not find a supported ciphersuite.

## Expected results:

TLS handshake succeeds.

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/831

From gnutls-devel at lists.gnutls.org Wed Sep 11 10:30:01 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 11 Sep 2019 08:30:01 +0000
Subject: [gnutls-devel] GnuTLS | maint: Include Guile's M4 macros. (!1061)
In-Reply-To:
References:
Message-ID:

Daiki Ueno commented:

The CI is still failing because configure prefers the value from the cache:
```
Checking cache for doc-dist.Fedora-ver9...
Downloading cache.zip from https://storage.googleapis.com/gitlab-com-runners-cache/project/12731181/doc-dist.Fedora-ver9
[...]
$ GUILE=/usr/bin/guile2.2 GUILD=/usr/bin/guild2.2 guile_snarf=/usr/bin/guile-snarf2.2 CFLAGS="-std=c99 -O2 -g" dash ./configure --disable-gcc-warnings --cache-file cache/config.cache --prefix=/usr --libdir=/usr/lib64 --disable-cxx --disable-non-suiteb-curves --enable-gtk-doc --disable-maintainer-mode
[...]
*** Detecting GNU Guile...
checking for guile-snarf... (cached) /usr/bin/guile-snarf
checking for guild... (cached) /usr/bin/guild
checking for pkg-config... (cached) /usr/bin/pkg-config
checking pkg-config is at least version 0.9.0... yes
configure: checking for guile 2.2
configure: found guile 2.2
checking for guile-2.2... (cached) /usr/bin/guile
```

I don't think this is a problem of this MR, but of the CI configuration that fetches the cache.
If I explicitly override the cache with `ac_cv_path_VARIABLE` as below, [it works](https://gitlab.com/gnutls/gnutls/pipelines/81479035):
```
- GUILE=/usr/bin/guile2.2
- GUILD=/usr/bin/guild2.2
- guile_snarf=/usr/bin/guile-snarf2.2
- export GUILE GUILD guile_snarf
- ac_cv_path_GUILE=$GUILE
- ac_cv_path_GUILD=$GUILD
- ac_cv_path_guile_snarf=$guile_snarf
- export ac_cv_path_GUILE ac_cv_path_GUILD ac_cv_path_guile_snarf
```

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1061#note_215333838

From gnutls-devel at lists.gnutls.org Wed Sep 11 10:32:08 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 11 Sep 2019 08:32:08 +0000
Subject: [gnutls-devel] GnuTLS | gnutls uses libidn2 internal symbols which were dropped (#832)
References:
Message-ID:

Nikos Mavrogiannopoulos created an issue: https://gitlab.com/gnutls/gnutls/issues/832

gnutls when compiled with a libidn2 older than 2.0 will use `_idn2_punycode_decode` which is not an exported symbol of the library and has been dropped in the later versions.

Relates to https://gitlab.com/libidn/libidn2/issues/74

I'm proposing to no longer use this symbol in gnutls, and drop compatibility with older libidn2 versions.

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/832
From gnutls-devel at lists.gnutls.org Wed Sep 11 10:32:16 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 11 Sep 2019 08:32:16 +0000
Subject: [gnutls-devel] GnuTLS | gnutls uses libidn2 internal symbols which were dropped (#832)
In-Reply-To:
References:
Message-ID:

Milestone changed to Release of GnuTLS 3.6.10 (Jul 26, 2019–Sep 25, 2019) ( https://gitlab.com/gnutls/gnutls/-/milestones/24 )

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/832

From gnutls-devel at lists.gnutls.org Wed Sep 11 10:39:30 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 11 Sep 2019 08:39:30 +0000
Subject: [gnutls-devel] GnuTLS | HMAC-SHA256 missing from NORMAL (#831)
In-Reply-To:
References:
Message-ID:

Nikos Mavrogiannopoulos commented:

The rationale for the removal is:
```
These ciphersuites are deprecated since the introduction of AEAD ciphersuites, and are only necessary for compatibility with older servers. Since older servers already support hmac-sha1 there is no reason to keep these ciphersuites enabled by default, as they increase our attack surface.
```

The longer version is that these ciphersuites are harder to secure in terms of lucky13-type of attacks, and thus significantly increase the attack surface. Their security is no better than HMAC-SHA1 (SHA1 is a weak signature algorithm but still a very strong hmac algorithm), thus there is no reason to enable them.

Would it be reasonable for software which really needs to connect to windows RDP servers to enable these algorithms explicitly?

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/831#note_215339646
From gnutls-devel at lists.gnutls.org Wed Sep 11 10:44:43 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 11 Sep 2019 08:44:43 +0000
Subject: [gnutls-devel] GnuTLS | maint: Include Guile's M4 macros. (!1061)
In-Reply-To:
References:
Message-ID:

Nikos Mavrogiannopoulos commented:

If it is a cache problem then just bump the version of the `cache: key:` value in `.gitlab-ci.yml`. It would ignore the older values.

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1061#note_215342382

From gnutls-devel at lists.gnutls.org Wed Sep 11 11:11:39 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 11 Sep 2019 09:11:39 +0000
Subject: [gnutls-devel] GnuTLS | maint: Include Guile's M4 macros. (!1061)
In-Reply-To:
References:
Message-ID:

Tim Rühsen commented:

You can also press the 'Clear runner caches' button on the [Pipeline page](https://gitlab.com/gnutls/gnutls/pipelines) and start a new pipeline.

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1061#note_215356638

From gnutls-devel at lists.gnutls.org Wed Sep 11 11:15:42 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 11 Sep 2019 09:15:42 +0000
Subject: [gnutls-devel] GnuTLS | HMAC-SHA256 missing from NORMAL (#831)
In-Reply-To:
References:
Message-ID:

Pierre Ossman (Work account) commented:

Possibly. The problem is that `gnutls_set_default_priority_append()` is a fairly recent addition so we can't rely on that.
And we can't get the default priority string out of GnuTLS, so we'll just have to assume it is `NORMAL`. Or do you have some other ideas?

PS. I'm seeing some more handshake issues with Windows. Let me debug things more and get back to you.

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/831#note_215358892

From gnutls-devel at lists.gnutls.org Wed Sep 11 12:48:04 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 11 Sep 2019 10:48:04 +0000
Subject: [gnutls-devel] GnuTLS | maint: Include Guile's M4 macros. (!1061)
In-Reply-To:
References:
Message-ID:

Daiki Ueno commented:

@nmav @rockdaboot thanks, updating `cache: key` works: https://gitlab.com/gnutls/gnutls/pipelines/81525569

@civodul would you incorporate the changes to this MR so we can merge?

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1061#note_215422382

From gnutls-devel at lists.gnutls.org Wed Sep 11 13:55:57 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 11 Sep 2019 11:55:57 +0000
Subject: [gnutls-devel] GnuTLS | Resumption and renegotiation with extended master secret is not RFC compliant (#69)
In-Reply-To:
References:
Message-ID:

Nikos Mavrogiannopoulos commented:

It has been too long and I have lost the context here. Would you like to try?

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/69#note_215502111
From gnutls-devel at lists.gnutls.org Wed Sep 11 15:51:07 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 11 Sep 2019 13:51:07 +0000
Subject: [gnutls-devel] GnuTLS | gnutls_int.h: make DECR_LEN neutral to signedness (!1056)
In-Reply-To:
References:
Message-ID:

Nikos Mavrogiannopoulos commented on a discussion on lib/gnutls_int.h: https://gitlab.com/gnutls/gnutls/merge_requests/1056#note_215623057

> > #define MEMSUB(x,y) ((ssize_t)((ptrdiff_t)x-(ptrdiff_t)y)) > > -#define DECR_LEN(len, x) do { len-=x; if (len<0) {gnutls_assert(); return GNUTLS_E_UNEXPECTED_PACKET_LENGTH;} } while (0) > +#define DECR_LEN(len, x) do { if (len

From gnutls-devel at lists.gnutls.org Wed Sep 11 16:04:08 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 11 Sep 2019 14:04:08 +0000
Subject: [gnutls-devel] GnuTLS | HMAC-SHA256 missing from NORMAL (#831)
In-Reply-To:
References:
Message-ID:

Pierre Ossman (Work account) commented:

Argh. It seems something has gone very wrong with our RDS farm. It has now decided to not accept TLS 1.2 at all. I'm not sure this is representative for Windows 2012 R2 in general. In fact, I have an independent 2012 R2 machine here which gladly handshakes TLS 1.2 with ECDHE_RSA_AES_256_CBC_SHA384.

So it might not be an issue to pursue here. Some clarification in the documentation would be good though why SHA1 is included in NORMAL but SHA256 is not.

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/831#note_215644065
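Review bot: `DECR_LEN` in lib/gnutls_int.h (the hunk quoted in the !1056 discussion above) should get a comment stating its contract, because the macro hides a `return GNUTLS_E_UNEXPECTED_PACKET_LENGTH` from the calling function and now has to work for both signed and unsigned `len`. The removed form ran `len-=x` first and tested `len<0` afterwards, a test that can never be true for an unsigned `len`, so the comparison has to come before the subtraction; the added line starts with `if (len` but is cut off in the quoted text, so the rest cannot be checked here. If `x` ends up expanded in both the comparison and the subtraction, say in the comment that it must be free of side effects, and parenthesize `len` and `x` in the expansion.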
From gnutls-devel at lists.gnutls.org Wed Sep 11 17:42:03 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 11 Sep 2019 15:42:03 +0000
Subject: [gnutls-devel] GnuTLS | gnutls_int.h: make DECR_LEN neutral to signedness (!1056)
In-Reply-To:
References:
Message-ID:

Daiki Ueno pushed new commits to merge request !1056 https://gitlab.com/gnutls/gnutls/merge_requests/1056

* e7bd5dbf - gnutls_int.h: make DECR_LEN neutral to signedness
* 84c99656 - lib/*: remove unnecessary cast to ssize_t

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1056

From gnutls-devel at lists.gnutls.org Wed Sep 11 17:43:09 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 11 Sep 2019 15:43:09 +0000
Subject: [gnutls-devel] GnuTLS | gnutls_int.h: make DECR_LEN neutral to signedness (!1056)
In-Reply-To:
References:
Message-ID:

Daiki Ueno commented on a discussion on lib/gnutls_int.h: https://gitlab.com/gnutls/gnutls/merge_requests/1056#note_215765092

> > #define MEMSUB(x,y) ((ssize_t)((ptrdiff_t)x-(ptrdiff_t)y)) > > -#define DECR_LEN(len, x) do { len-=x; if (len<0) {gnutls_assert(); return GNUTLS_E_UNEXPECTED_PACKET_LENGTH;} } while (0) > +#define DECR_LEN(len, x) do { if (len

From gnutls-devel at lists.gnutls.org Wed Sep 11 17:43:10 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 11 Sep 2019 15:43:10 +0000
Subject: [gnutls-devel] GnuTLS | gnutls_int.h: make DECR_LEN neutral to signedness (!1056)
In-Reply-To:
References:
Message-ID:

All discussions on Merge Request !1056 were resolved by Daiki Ueno https://gitlab.com/gnutls/gnutls/merge_requests/1056

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1056
You're receiving this
email because of your account on gitlab.com.

From gnutls-devel at lists.gnutls.org Wed Sep 11 19:56:34 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 11 Sep 2019 17:56:34 +0000
Subject: [gnutls-devel] GnuTLS | gnutls uses libidn2 internal symbols which were dropped (#832)
In-Reply-To:
References:
Message-ID:

Tim Rühsen commented:

Why not change the call to `_idn2_punycode_decode()` into `idn2_to_unicode_...()` which also exists since before 2.0 ?

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/832#note_215851126

From gnutls-devel at lists.gnutls.org Wed Sep 11 20:39:38 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 11 Sep 2019 18:39:38 +0000
Subject: [gnutls-devel] GnuTLS | gnutls_int.h: make DECR_LEN neutral to signedness (!1056)
In-Reply-To:
References:
Message-ID:

Merge Request !1056 was approved by Nikos Mavrogiannopoulos

Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/1056
Branches: tmp-decr-len to master
Author: Daiki Ueno
Assignees:

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1056
From gnutls-devel at lists.gnutls.org Wed Sep 11 20:39:56 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 11 Sep 2019 18:39:56 +0000
Subject: [gnutls-devel] GnuTLS | gnutls_int.h: make DECR_LEN neutral to signedness (!1056)
In-Reply-To:
References:
Message-ID:

Reassigned Merge Request 1056 https://gitlab.com/gnutls/gnutls/merge_requests/1056

Assignee changed to Daiki Ueno

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1056

From gnutls-devel at lists.gnutls.org Wed Sep 11 20:40:05 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 11 Sep 2019 18:40:05 +0000
Subject: [gnutls-devel] GnuTLS | gnutls_int.h: make DECR_LEN neutral to signedness (!1056)
In-Reply-To:
References:
Message-ID:

Nikos Mavrogiannopoulos commented:

LGTM!

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1056#note_215875701

From gnutls-devel at lists.gnutls.org Wed Sep 11 22:05:11 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 11 Sep 2019 20:05:11 +0000
Subject: [gnutls-devel] GnuTLS | Do not forbid excess random padding in TLS1.x CBC ciphersuites (!1054)
In-Reply-To:
References:
Message-ID:

Nikos Mavrogiannopoulos commented:

I have a patch [patch.txt](/uploads/ef91fcf930e8bb7812c2698c20e09133/patch.txt) that adds it, but there seems to be a regression in a few other tests in tlsfuzzer. The atypical-padding one passes, though. I think I have pinpointed the issue [on an unrelated fix](https://github.com/tomato42/tlsfuzzer/pull/552#issuecomment-530537531).
Nevertheless, we already have a test for this functionality, so we can create a new issue for integrating the tlsfuzzer test case.

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1054#note_215907831

From gnutls-devel at lists.gnutls.org Wed Sep 11 22:05:23 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 11 Sep 2019 20:05:23 +0000
Subject: [gnutls-devel] GnuTLS | Do not forbid excess random padding in TLS1.x CBC ciphersuites (!1054)
In-Reply-To:
References:
Message-ID:

Nikos Mavrogiannopoulos commented:

@tomato42 ^^^^

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1054#note_215907887

From gnutls-devel at lists.gnutls.org Wed Sep 11 22:57:52 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 11 Sep 2019 20:57:52 +0000
Subject: [gnutls-devel] GnuTLS | gnutls uses libidn2 internal symbols which were dropped (#832)
In-Reply-To:
References:
Message-ID:

Tim Rühsen commented:

Sorry, we introduced the to_unicode functions in 2.0.0. They didn't exist in 0.16.

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/832#note_215932684
From gnutls-devel at lists.gnutls.org Wed Sep 11 23:47:10 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 11 Sep 2019 21:47:10 +0000
Subject: [gnutls-devel] GnuTLS | Support QUIC TLS API (#826)

Aniketh Girish commented:

Sounds great! I'd love to start working on this right away. Though I might take some time initially to learn the gnuTLS codebase, as well as the QUIC TLS, needs. Since you are free to mentor me with this project, I think I would be easier :D.

Meanwhile digging into what you just said, do you think I should write all these functions/code in a separate file within src as `quic_crypto.c` file or integrate in some existing file? Feel free to let me know if the file name should be something else :D, this is just a quick suggestion.

Next, does gnutls have some IRC channel or something which I could use to have an online quick chats with you while hacking into this project? :D, I personally feel like I would spend lesser amount of time on this if we are able to communicate properly at least through some mean like this :D.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/826#note_215949234
From gnutls-devel at lists.gnutls.org Thu Sep 12 09:23:03 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 12 Sep 2019 07:23:03 +0000
Subject: [gnutls-devel] GnuTLS | gnutls_int.h: make DECR_LEN neutral to signedness (!1056)

Daiki Ueno pushed new commits to merge request !1056

https://gitlab.com/gnutls/gnutls/merge_requests/1056

* e94ab6b7...bcd95a1a - 23 commits from branch `master`
* e0fe31f1 - gnutls_int.h: make DECR_LEN neutral to signedness
* f36834df - lib/*: remove unnecessary cast to ssize_t

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1056

From gnutls-devel at lists.gnutls.org Thu Sep 12 09:58:03 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 12 Sep 2019 07:58:03 +0000
Subject: [gnutls-devel] GnuTLS | Renegotiation with both renegotiation_info and SCSV at once is allowed (#828)

t184256 commented:

Wait, seems like I wasn't paying enough attention to the RFC =(

(https://tools.ietf.org/html/rfc5746#section-3.7, Server Behavior: Secure Renegotiation)

* When a ClientHello is received, the server MUST verify that it does not contain the TLS_EMPTY_RENEGOTIATION_INFO_SCSV SCSV. If the SCSV is present, the server MUST abort the handshake.

Seems like not aborting on receiving both is non-compliant after all.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/828#note_216101220
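The RFC 5746 section 3.7 server rule quoted in the comment above, as an added example in C (not GnuTLS code and not from the thread): it scans a ClientHello body for the SCSV and the `renegotiation_info` extension and aborts a renegotiation that carries the SCSV, even next to a valid extension. All names (`check_hello`, `demo`, the verdict values) and the sample hello bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SCSV_RENEGO     0x00FF /* TLS_EMPTY_RENEGOTIATION_INFO_SCSV */
#define EXT_RENEGO_INFO 0xFF01 /* renegotiation_info extension type */

enum verdict { HS_CONTINUE, HS_ABORT, HS_MALFORMED };
struct cur { const uint8_t *p; size_t left; }; /* bounds-checked cursor */
struct facts { int scsv, ri; const uint8_t *rc; size_t rc_len; };

static int take(struct cur *c, size_t n, const uint8_t **out)
{
	if (c->left < n) return -1;
	*out = c->p; c->p += n; c->left -= n;
	return 0;
}

/* Read a vector that has an lb-byte big-endian length prefix. */
static int take_vec(struct cur *c, size_t lb, struct cur *out)
{
	const uint8_t *l; size_t n = 0, i;
	if (take(c, lb, &l) < 0) return -1;
	for (i = 0; i < lb; i++) n = (n << 8) | l[i];
	out->left = n;
	return take(c, n, &out->p);
}

/* Scan a ClientHello body (the bytes after the 4-byte handshake header). */
static int scan_hello(const uint8_t *buf, size_t len, struct facts *f)
{
	struct cur c = { buf, len }, v, exts, e, rc;
	const uint8_t *p;
	memset(f, 0, sizeof(*f));
	if (take(&c, 2 + 32, &p) < 0 || take_vec(&c, 1, &v) < 0) return -1;
	if (take_vec(&c, 2, &v) < 0 || v.left % 2) return -1; /* cipher_suites */
	while (take(&v, 2, &p) == 0)
		if (((p[0] << 8) | p[1]) == SCSV_RENEGO) f->scsv = 1;
	if (take_vec(&c, 1, &v) < 0) return -1;               /* compression */
	if (c.left == 0) return 0;                            /* no extensions */
	if (take_vec(&c, 2, &exts) < 0 || c.left) return -1;
	while (exts.left) {
		if (take(&exts, 2, &p) < 0 || take_vec(&exts, 2, &e) < 0) return -1;
		if (((p[0] << 8) | p[1]) != EXT_RENEGO_INFO) continue;
		if (f->ri || take_vec(&e, 1, &rc) < 0 || e.left) return -1;
		f->ri = 1; f->rc = rc.p; f->rc_len = rc.left;
	}
	return 0;
}

/* Server-side decision. Assumption of this example: secure renegotiation was
 * negotiated earlier, so saved_cvd is the client verify_data of that handshake. */
enum verdict check_hello(const uint8_t *h, size_t len, int renegotiating,
			 const uint8_t *saved_cvd, size_t cvd_len)
{
	struct facts f; uint8_t d = 0; size_t i;
	if (scan_hello(h, len, &f) < 0) return HS_MALFORMED;
	if (!renegotiating) /* 3.6: renegotiation_info, if sent, must be empty */
		return (f.ri && f.rc_len) ? HS_ABORT : HS_CONTINUE;
	if (f.scsv) return HS_ABORT; /* 3.7: SCSV is forbidden, even with the extension */
	if (!f.ri || f.rc_len != cvd_len) return HS_ABORT;
	for (i = 0; i < cvd_len; i++) d |= f.rc[i] ^ saved_cvd[i];
	return d ? HS_ABORT : HS_CONTINUE;
}

/* Constructed sample: build a minimal ClientHello body and return the verdict.
 * ri_kind: 0 none, 1 empty, 2 equals saved verify_data, 3 wrong value. */
int demo(int renegotiating, int scsv, int ri_kind, size_t cut)
{
	static const uint8_t cvd[12] = { 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12 };
	uint8_t o[96], rc[12]; size_t n = 0, rl = ri_kind >= 2 ? 12 : 0;
	memcpy(rc, cvd, 12);
	if (ri_kind == 3) rc[0] ^= 0x80;
	o[n++] = 3; o[n++] = 3;                   /* client_version: TLS 1.2 */
	memset(o + n, 0xAB, 32); n += 32;         /* random */
	o[n++] = 0;                               /* empty session_id */
	o[n++] = 0; o[n++] = scsv ? 4 : 2;        /* cipher_suites length */
	o[n++] = 0x00; o[n++] = 0x2F;             /* one ordinary suite */
	if (scsv) { o[n++] = 0x00; o[n++] = 0xFF; }
	o[n++] = 1; o[n++] = 0;                   /* null compression */
	if (ri_kind) {
		o[n++] = 0; o[n++] = (uint8_t)(5 + rl);   /* extensions length */
		o[n++] = 0xFF; o[n++] = 0x01;             /* renegotiation_info */
		o[n++] = 0; o[n++] = (uint8_t)(1 + rl);   /* extension_data length */
		o[n++] = (uint8_t)rl;                     /* renegotiated_connection */
		memcpy(o + n, rc, rl); n += rl;
	}
	return check_hello(o, n - cut, renegotiating, cvd, 12);
}

int main(void)
{
	printf("renegotiation, extension only:     %d\n", demo(1, 0, 2, 0));
	printf("renegotiation, extension and SCSV: %d\n", demo(1, 1, 2, 0));
	return 0;
}
```
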
From gnutls-devel at lists.gnutls.org Thu Sep 12 10:50:45 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 12 Sep 2019 08:50:45 +0000
Subject: [gnutls-devel] libtasn1 | function "asn1_der_decoding" potentially causes infinite memory allocation (#24)

carblue created an issue: https://gitlab.com/gnutls/libtasn1/issues/24

## Description of problem:

function "asn1_der_decoding" causes infinite memory allocation when structure and input DER data are incongruent.

I'm referring here to PKCS#15 TokenInfo from ASN.1 module e.g. at https://github.com/carblue/tasn1/blob/master/PKCS15.asn. Excerpt:

    TokenInfo ::= SEQUENCE {
        version INTEGER { v1(0), v2(1) }, -- (v1,...),
        serialNumber OCTET STRING,
        manufacturerID Label OPTIONAL,
        label [0] Label OPTIONAL,
        tokenflags TokenFlags,
        ...more fields

It happened, that my smart card's PKCS#15 EF.TokenInfo file 0x5032 got corrupted (i.e. not PKCS#15 compliant content any more: "tokenflags" were misplaced before "manufacturerID" instead correctly behind "label"), thus forming incongruent input DER data.

## Version of libtasn1 used:

4.13

## Distributor of libtasn1 (e.g., Ubuntu, Fedora, RHEL)

Ubuntu (package libtasn1-6, installs Version 4.13-2)

## How reproducible:

Steps to Reproduce: (the following is D language code, slightly different from C; there is no problem referring to D code as such, it works well with the "congruent buf DER input data"):

    asn1_node PKCS15;
    string errorDescription;
    ubyte[] buf = new ubyte[length_of_input_data_in_bytes; 65 for my example DER input data];

* 1. asn1_parser2tree ("PKCS15.asn", &PKCS15, errorDescription);
* 2. asn1_create_element(PKCS15, "PKCS15.TokenInfoChoice", &structure);
* 3. asn1_der_decoding(&structure, buf, errorDescription);

Example for congruent buf DER input data:
303F0201010406C0C6406881C70C1A416476616E63656420436172642053797374656D73204C74642E801243544D36345F43304336343036383831433703020420

Example for incongruent buf DER input data:
3032020101040400000000030204200C1A416476616E63656420436172642053797374656D73204C74642EA0070C05626162616E36343036383831433703020420

## Actual results:

Memory allocation failed, because I "jailed" memory usage with ulimit -d -m -v : 5000000; otherwise it would crash my OS system by infinitely allocating memory !

## Expected results:

Successful DER data decoding into structure based on the provided .asn module file

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/issues/24

From gnutls-devel at lists.gnutls.org Thu Sep 12 11:33:15 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 12 Sep 2019 09:33:15 +0000
Subject: [gnutls-devel] GnuTLS | gnutls_int.h: make DECR_LEN neutral to signedness (!1056)

Daiki Ueno pushed new commits to merge request !1056

https://gitlab.com/gnutls/gnutls/merge_requests/1056

* 5e9b2ec2 - lib/*: remove unnecessary cast to ssize_t

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1056
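To make the difference between the two inputs in the libtasn1 #24 report above visible, this added example (not libtasn1 code and not the reporter's) walks the definite-length TLVs of the outer SEQUENCE, lists the child tags in order and counts the bytes left over after it. The function names are hypothetical; the hex strings are the ones quoted in the report.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The two 65-byte inputs quoted in the report. */
static const char CONGRUENT[] = "303F0201010406C0C6406881C70C1A416476616E63656420436172642053797374656D73204C74642E801243544D36345F43304336343036383831433703020420";
static const char INCONGRUENT[] = "3032020101040400000000030204200C1A416476616E63656420436172642053797374656D73204C74642EA0070C05626162616E36343036383831433703020420";

struct tlv { uint8_t tag; const uint8_t *val; size_t len; };

/* Parse one definite-length TLV; returns bytes consumed, or 0 on error. */
static size_t der_tlv(const uint8_t *buf, size_t avail, struct tlv *t)
{
	size_t hdr = 2, len, nb, i;
	if (avail < 2 || (buf[0] & 0x1F) == 0x1F) return 0; /* multi-byte tag: unsupported */
	len = buf[1];
	if (len & 0x80) {                                   /* long form */
		nb = len & 0x7F;
		if (nb == 0 || nb > sizeof(size_t) || avail < 2 + nb)
			return 0;                           /* indefinite or oversized length */
		for (len = 0, i = 0; i < nb; i++) len = (len << 8) | buf[2 + i];
		hdr += nb;
	}
	if (len > avail - hdr) return 0;                    /* value runs past the buffer */
	t->tag = buf[0]; t->val = buf + hdr; t->len = len;
	return hdr + len;
}

static size_t unhex(const char *s, uint8_t *out, size_t max)
{
	size_t n = 0; unsigned v;
	while (s[0] && s[1] && n < max && sscanf(s, "%2x", &v) == 1) {
		out[n++] = (uint8_t)v;
		s += 2;
	}
	return n;
}

/* Walk the outer SEQUENCE: write its child tags in order into `tags` and
 * report how many input bytes follow the SEQUENCE. Returns 0, or -1 on error. */
int der_shape(const char *hex, char *tags, size_t tags_sz, size_t *trailing)
{
	uint8_t buf[256]; struct tlv outer, child;
	size_t n = unhex(hex, buf, sizeof buf), used, off = 0, w = 0;
	if (tags_sz) tags[0] = '\0';
	used = der_tlv(buf, n, &outer);
	if (!used || outer.tag != 0x30) return -1;
	*trailing = n - used;
	while (off < outer.len) {
		size_t c = der_tlv(outer.val + off, outer.len - off, &child);
		if (!c || w + 4 > tags_sz) return -1;
		if (w) tags[w++] = ' ';
		w += (size_t)sprintf(tags + w, "%02X", (unsigned)child.tag);
		off += c;
	}
	return 0;
}

/* Convenience wrappers: "" and -1 signal a malformed input. */
const char *child_tags(const char *hex)
{
	static char t[64]; size_t tr;
	return der_shape(hex, t, sizeof t, &tr) == 0 ? t : "";
}

long trailing_bytes(const char *hex)
{
	char t[64]; size_t tr;
	return der_shape(hex, t, sizeof t, &tr) == 0 ? (long)tr : -1;
}

int main(void)
{
	printf("congruent:   tags %s, trailing %ld\n",
	       child_tags(CONGRUENT), trailing_bytes(CONGRUENT));
	printf("incongruent: tags %s, trailing %ld\n",
	       child_tags(INCONGRUENT), trailing_bytes(INCONGRUENT));
	return 0;
}
```

In the incongruent input the BIT STRING (tag 03) precedes the UTF8String (tag 0C), as the reporter describes, and bytes remain after the end of the outer SEQUENCE.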
From gnutls-devel at lists.gnutls.org Thu Sep 12 12:56:00 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 12 Sep 2019 10:56:00 +0000
Subject: [gnutls-devel] libtasn1 | function "asn1_der_decoding" potentially causes infinite memory allocation (#24)

carblue commented:

Sorry, my fault, the error reported has another origin, thus closing this issue

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/issues/24#note_216193635

From gnutls-devel at lists.gnutls.org Thu Sep 12 12:56:19 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 12 Sep 2019 10:56:19 +0000
Subject: [gnutls-devel] libtasn1 | function "asn1_der_decoding" potentially causes infinite memory allocation (#24)

Issue was closed by carblue

Issue #24: https://gitlab.com/gnutls/libtasn1/issues/24

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/issues/24
From gnutls-devel at lists.gnutls.org Thu Sep 12 13:00:27 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 12 Sep 2019 11:00:27 +0000
Subject: [gnutls-devel] GnuTLS | gnutls_int.h: make DECR_LEN neutral to signedness (!1056)

Merge Request !1056 was merged

Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/1056
Branches: tmp-decr-len to master
Author: Daiki Ueno
Assignee: Daiki Ueno

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1056

From gnutls-devel at lists.gnutls.org Thu Sep 12 13:31:43 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 12 Sep 2019 11:31:43 +0000
Subject: [gnutls-devel] GnuTLS | Memcheck:Cond valgrind error in gnutls_x509_crt_print() (#833)

Martin Pitt created an issue: https://gitlab.com/gnutls/gnutls/issues/833

valgrind detects some code in `gnutls_x509_crt_print()` that depends on uninitialized data:

```
$ gcc -o /tmp/t -Wall gnutls-crt-print.c -lgnutls
$ valgrind /tmp/t
==10529== Memcheck, a memory error detector
==10529== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==10529== Using Valgrind-3.15.0 and LibVEX; rerun with -h for copyright info
==10529== Command: /tmp/t
==10529==
==10529== Conditional jump or move depends on uninitialised value(s)
==10529== at 0x48FA861: decode_complex_string.isra.0 (common.c:395)
==10529== by 0x48FABEE: _gnutls_x509_dn_to_string (common.c:464)
==10529== by 0x4909F37: append_elements (dn.c:160)
==10529== by 0x490A3B7: _gnutls_x509_get_dn (dn.c:236)
==10529== by 0x491040B: print_oneline (output.c:1881)
==10529== by 0x491597F: gnutls_x509_crt_print (output.c:2076)
==10529== by 0x40125D: main (in /tmp/t)
==10529==
cert: subject `CN=localhost', issuer `CN=localhost', serial 0x00ec5dca0f931ef8ab, RSA key 2048 bits, signed using RSA-SHA256, activated `2015-05-15 19:54:08 UTC', expires `2115-04-21 19:54:08 UTC', pin-sha256="p5szU3vH77RKSNI7ciu7Gtqa9TUJv23iYQGeyejBMYc="==10529==
==10529== HEAP SUMMARY:
==10529== in use at exit: 0 bytes in 0 blocks
==10529== total heap usage: 1,586 allocs, 1,586 frees, 162,017 bytes allocated
==10529==
==10529== All heap blocks were freed -- no leaks are possible
==10529==
==10529== Use --track-origins=yes to see where uninitialised values come from
==10529== For lists of detected and suppressed errors, rerun with: -s
==10529== ERROR SUMMARY: 2 errors from 1 contexts (suppressed: 0 from 0)
```

The reproducer is so simple that I don't see how I should have introduced uninitialized data into it myself. This happens at least with GnuTLS 3.6.8 (in Fedora 30) and 3.6.9 (in rawhide).

Reproducer: [gnutls-crt-print.c](/uploads/ff8f3d85fd5e74f529e5396b3010104f/gnutls-crt-print.c)

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/833
URL: From gnutls-devel at lists.gnutls.org Thu Sep 12 13:35:34 2019 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 12 Sep 2019 11:35:34 +0000 Subject: [gnutls-devel] GnuTLS | Memcheck:Cond valgrind error in gnutls_x509_crt_print() (#833) In-Reply-To: References: Message-ID: Daiki Ueno commented: I'm pretty sure that this is the same issue as https://gitlab.com/gnutls/libtasn1/issues/9, i.e., false-positive caused by strcmp optimization in GCC 9. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/833#note_216212221 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Sep 12 14:14:26 2019 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 12 Sep 2019 12:14:26 +0000 Subject: [gnutls-devel] GnuTLS | Add support for CNT_IMIT TLS 1.2 GOST cipher suite (!920) In-Reply-To: References: Message-ID: Dmitry Eremin-Solenikov commented on a discussion on tests/tls12-server-kx-neg.c: https://gitlab.com/gnutls/gnutls/merge_requests/920#note_216237651 > + .server_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:-VERS-ALL:+VERS-TLS1.2", > + .client_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:-VERS-ALL:+VERS-TLS1.2" > + }, > + { > + .name = "TLS 1.2 VKO-GOST-12 with cred and GOST12-512 cert", > + .server_ret = 0, > + .client_ret = 0, > + .have_cert_cred = 1, > + .have_gost12_512_cert = 1, > + .not_on_fips = 1, > + .server_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:-VERS-ALL:+VERS-TLS1.2", > + .client_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:-VERS-ALL:+VERS-TLS1.2" > + }, > + { > + .name = "TLS 1.2 VKO-GOST-12 with cred and multiple certs", > + .server_ret = 0, @nmav there are several tests for TLS 1.2 + TLS 1.3 connection using GOST in `tls13-server-kx-neg`. Do they cover usecases you were thinking about? For now I think those usecases represent lesser evil. 
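Review bot: the priority string "NORMAL:-KX-ALL:+VKO-GOST-12:-VERS-ALL:+VERS-TLS1.2" is written out in full for both `.server_prio` and `.client_prio` in each of the VKO-GOST-12 entries visible here. A single `#define` for it next to the test table, used on both sides, would keep the server and client strings from drifting apart when one copy is edited and would make an entry that deliberately differs stand out. The visible entries also all expect `.server_ret = 0` and `.client_ret = 0`; if a failing combination is covered elsewhere in the table, a short comment above this group saying so would help the next reader.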
--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/920#note_216237651

From gnutls-devel at lists.gnutls.org Thu Sep 12 14:55:29 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 12 Sep 2019 12:55:29 +0000
Subject: [gnutls-devel] GnuTLS | Memcheck:Cond valgrind error in gnutls_x509_crt_print() (#833)

Martin Pitt commented:

Thanks @dueno! I just checked that on Ubuntu 19.04, which has GnuTLS 3.6.8 as well, and it does not happen there. That would explain why.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/833#note_216263659

From gnutls-devel at lists.gnutls.org Thu Sep 12 14:55:58 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 12 Sep 2019 12:55:58 +0000
Subject: [gnutls-devel] GnuTLS | Do not forbid excess random padding in TLS1.x CBC ciphersuites (!1054)

Nikos Mavrogiannopoulos commented:

@tomato42 the regression in the test is because of the 1/n-1 requirement. I've created https://github.com/tomato42/tlsfuzzer/pull/588 so if it is merged, I could include these tests.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1054#note_216263907
From gnutls-devel at lists.gnutls.org Thu Sep 12 14:57:59 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 12 Sep 2019 12:57:59 +0000
Subject: [gnutls-devel] GnuTLS | Memcheck:Cond valgrind error in gnutls_x509_crt_print() (#833)

Issue was closed by Martin Pitt

Issue #833: https://gitlab.com/gnutls/gnutls/issues/833

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/833

From gnutls-devel at lists.gnutls.org Thu Sep 12 18:44:45 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 12 Sep 2019 16:44:45 +0000
Subject: [gnutls-devel] GnuTLS | Do not forbid excess random padding in TLS1.x CBC ciphersuites (!1054)

Hubert Kario (@mention me if you need reply) commented:

https://github.com/tomato42/tlsfuzzer/pull/588 is merged

(while the test introduced in this MR does test it, as far as I can tell it's not as comprehensive as the one in tlsfuzzer)

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1054#note_216397573
From gnutls-devel at lists.gnutls.org Fri Sep 13 08:31:36 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 13 Sep 2019 06:31:36 +0000
Subject: [gnutls-devel] GnuTLS | Do not forbid excess random padding in TLS1.x CBC ciphersuites (!1054)

Nikos Mavrogiannopoulos pushed new commits to merge request !1054

https://gitlab.com/gnutls/gnutls/merge_requests/1054

* 5fac5af9 - tlsfuzzer: enable atypical padding check

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1054

From gnutls-devel at lists.gnutls.org Fri Sep 13 13:28:08 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 13 Sep 2019 11:28:08 +0000
Subject: [gnutls-devel] GnuTLS | Do not forbid excess random padding in TLS1.x CBC ciphersuites (!1054)

Merge Request !1054 was approved by Hubert Kario (@mention me if you need reply)

Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/1054
Project:Branches: nmav/gnutls:tmp-interop-old-gnutls to gnutls/gnutls:master
Author: Nikos Mavrogiannopoulos
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1054
From gnutls-devel at lists.gnutls.org Fri Sep 13 13:28:15 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 13 Sep 2019 11:28:15 +0000
Subject: [gnutls-devel] GnuTLS | Do not forbid excess random padding in TLS1.x CBC ciphersuites (!1054)

Hubert Kario (@mention me if you need reply) commented:

LGTM

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1054#note_216781420

From gnutls-devel at lists.gnutls.org Fri Sep 13 14:14:44 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 13 Sep 2019 12:14:44 +0000
Subject: [gnutls-devel] GnuTLS | Connection problems with older servers (record packet with invalid length was received) (#811)

Issue was closed by Nikos Mavrogiannopoulos via merge request !1054 (https://gitlab.com/gnutls/gnutls/merge_requests/1054)

Issue #811: https://gitlab.com/gnutls/gnutls/issues/811

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/811
From gnutls-devel at lists.gnutls.org Fri Sep 13 14:14:44 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 13 Sep 2019 12:14:44 +0000
Subject: [gnutls-devel] GnuTLS | Do not forbid excess random padding in TLS1.x CBC ciphersuites (!1054)

Merge Request !1054 was merged

Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/1054
Project:Branches: nmav/gnutls:tmp-interop-old-gnutls to gnutls/gnutls:master
Author: Nikos Mavrogiannopoulos
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1054

From gnutls-devel at lists.gnutls.org Fri Sep 13 16:54:17 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 13 Sep 2019 14:54:17 +0000
Subject: [gnutls-devel] GnuTLS | gnutls_base64_decode2 gives an error on empty input (#834)

Richard W_M_ Jones created an issue: https://gitlab.com/gnutls/gnutls/issues/834

base64("") = "", see https://tools.ietf.org/html/rfc4648#section-10

However gnutls_base64_decode2 doesn't believe this. It returns an error when given empty input. The error is "Base64 decoding error" (GNUTLS_E_BASE64_DECODING_ERROR).

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/834
From gnutls-devel at lists.gnutls.org Sat Sep 14 18:02:08 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 14 Sep 2019 16:02:08 +0000
Subject: [gnutls-devel] GnuTLS | nettle 3.5 issues/warnings (#835)

Andreas Metzler created an issue: https://gitlab.com/gnutls/gnutls/issues/835

Hello,

I have just given nettle 3.5.1 a spin and built gnutls 3.6.9 against it.

```
checking for nettle_secp_192r1 in -lhogweed... no
[...]
Non-SuiteB curves: no
```

From nettle changelog:

> 2018-03-17 Niels Möller
> Discourage direct access to data symbols with non-public size.
> Direct references to these symbols may result in copy-relocations
> like R_X86_64_COPY, which make the symbol size leak into the ABI.
> * ecc-curve.h (_nettle_secp_192r1, _nettle_secp_224r1)
> (_nettle_secp_256r1, _nettle_secp_384r1, _nettle_secp_521r1): Add
> leading underscore on these data symbols.

```
gcc -DHAVE_CONFIG_H -I. -I../../tests -I.. -I/usr/include/p11-kit-1 -I../../lib/includes -I../lib/includes -I../../libdane/includes -I../libdane/includes -I../../extra/includes -I../extra/includes -I../../lib -I../../doc/examples -Wdate-time -D_FORTIFY_SOURCE=2 -fno-common -W -Wabsolute-value -Waddress -Waddress-of-packed-member -Waggressive-loop-optimizations -Wall -Wattribute-warning -Wattributes -Wbad-function-cast -Wbool-compare -Wbool-operation -Wbuiltin-declaration-mismatch -Wbuiltin-macro-redefined -Wcannot-profile -Wcast-align -Wcast-align=strict -Wcast-function-type -Wchar-subscripts -Wclobbered -Wcomment -Wcomments -Wcoverage-mismatch -Wcpp -Wdangling-else -Wdate-time -Wdeprecated -Wdeprecated-declarations -Wdesignated-init -Wdisabled-optimization -Wdiscarded-array-qualifiers -Wdiscarded-qualifiers -Wdiv-by-zero -Wdouble-promotion -Wduplicated-branches -Wduplicated-cond -Wduplicate-decl-specifier -Wempty-body -Wendif-labels -Wenum-compare -Wexpansion-to-defined -Wextra -Wformat-contains-nul -Wformat-extra-args -Wformat-security
-Wformat-zero-length -Wframe-address -Wfree-nonheap-object -Whsa -Wif-not-aligned -Wignored-attributes -Wignored-qualifiers -Wimplicit -Wimplicit-function-declaration -Wimplicit-int -Wincompatible-pointer-types -Winit-self -Wint-conversion -Wint-in-bool-context -Wint-to-pointer-cast -Winvalid-memory-model -Winvalid-pch -Wlogical-not-parentheses -Wlogical-op -Wmain -Wmaybe-uninitialized -Wmemset-elt-size -Wmemset-transposed-args -Wmisleading-indentation -Wmissing-attributes -Wmissing-braces -Wmissing-declarations -Wmissing-field-initializers -Wmissing-include-dirs -Wmissing-parameter-type -Wmissing-profile -Wmissing-prototypes -Wmultichar -Wmultistatement-macros -Wnarrowing -Wnested-externs -Wnonnull -Wnonnull-compare -Wnull-dereference -Wodr -Wold-style-declaration -Wold-style-definition -Wopenmp-simd -Woverflow -Woverride-init -Wpacked -Wpacked-bitfield-compat -Wpacked-not-aligned -Wparentheses -Wpointer-arith -Wpointer-compare -Wpointer-sign -Wpointer-to-int-cast -Wpragmas -Wpsabi -Wrestrict -Wreturn-local-addr -Wreturn-type -Wscalar-storage-order -Wsequence-point -Wshadow -Wshift-count-negative -Wshift-count-overflow -Wshift-negative-value -Wsizeof-array-argument -Wsizeof-pointer-div -Wsizeof-pointer-memaccess -Wstrict-aliasing -Wstrict-prototypes -Wstringop-truncation -Wsuggest-attribute=cold -Wsuggest-attribute=format -Wsuggest-attribute=malloc -Wsuggest-final-methods -Wsuggest-final-types -Wswitch -Wswitch-bool -Wswitch-unreachable -Wsync-nand -Wtautological-compare -Wtrampolines -Wtrigraphs -Wtype-limits -Wuninitialized -Wunknown-pragmas -Wunused -Wunused-but-set-parameter -Wunused-but-set-variable -Wunused-function -Wunused-label -Wunused-local-typedefs -Wunused-macros -Wunused-parameter -Wunused-result -Wunused-value -Wunused-variable -Wvarargs -Wvariadic-macros -Wvector-operation-performance -Wvolatile-register-var -Wwrite-strings -Walloc-size-larger-than=9223372036854775807 -Warray-bounds=2 -Wattribute-alias=2 -Wformat-overflow=2 -Wformat-truncation=2 
-Wimplicit-fallthrough=5 -Wnormalized=nfc -Wshift-overflow=2 -Wstringop-overflow=2 -Wunused-const-variable=2 -Wvla-larger-than=4031 -Wno-missing-field-initializers -Wno-unused-parameter -Wno-format-truncation -Wimplicit-fallthrough=2 -Wabi=11 -fdiagnostics-show-option -g -O2 -fdebug-prefix-map=/dev/shm/GNUTLS/gnutls-3.6.9=. -fstack-protector-strong -Wformat -Werror=format-security -Wall -c -o mini_alignment-mini-alignment.o `test -f 'mini-alignment.c' || echo '../../tests/'`mini-alignment.c
../../tests/mini-alignment.c: In function 'myaes_setkey':
../../tests/mini-alignment.c:158:3: warning: 'nettle_aes_set_encrypt_key' is deprecated [-Wdeprecated-declarations]
[multiple similar warnings]
```

> * Functions using the old struct aes_ctx have been marked as
> deprecated. Use the fixed key size interface instead, e.g.,
> struct aes256_ctx, introduced in Nettle-3.0.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/835

From gnutls-devel at lists.gnutls.org Mon Sep 16 11:36:42 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 16 Sep 2019 09:36:42 +0000
Subject: [gnutls-devel] GnuTLS | maint: Include Guile's M4 macros. (!1061)

civodul pushed new commits to merge request !1061

https://gitlab.com/gnutls/gnutls/merge_requests/1061

* 34cef154 - .gitlab-ci.yml: export guile related envvars for doc-dist.Fedora
* 8aa729ec - .gitlab-ci.yml: bump configure cache version

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1061
From gnutls-devel at lists.gnutls.org Mon Sep 16 11:38:02 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 16 Sep 2019 09:38:02 +0000
Subject: [gnutls-devel] GnuTLS | maint: Include Guile's M4 macros. (!1061)

civodul commented:

Thanks @dueno, I've now merged these two commits of yours so we should be all set!

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1061#note_217474581

From gnutls-devel at lists.gnutls.org Mon Sep 16 11:42:58 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 16 Sep 2019 09:42:58 +0000
Subject: [gnutls-devel] GnuTLS | maint: Include Guile's M4 macros. (!1061)

Merge Request !1061 was approved by Daiki Ueno

Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/1061
Project:Branches: civodul/gnutls:wip-guile-include-m4-macros to gnutls/gnutls:master
Author: civodul
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1061

From gnutls-devel at lists.gnutls.org Mon Sep 16 13:17:43 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 16 Sep 2019 11:17:43 +0000
Subject: [gnutls-devel] GnuTLS | maint: Include Guile's M4 macros. (!1061)

Merge Request !1061 was merged

Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/1061
Project:Branches: civodul/gnutls:wip-guile-include-m4-macros to gnutls/gnutls:master
Author: civodul
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1061

From gnutls-devel at lists.gnutls.org Mon Sep 16 15:07:15 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 16 Sep 2019 13:07:15 +0000
Subject: [gnutls-devel] GnuTLS | pkcs11-mock: updated license based on upstream project [ci skip] (!1065)

Nikos Mavrogiannopoulos created a merge request: https://gitlab.com/gnutls/gnutls/merge_requests/1065

Project:Branches: nmav/gnutls:tmp-pkcs11-mock to gnutls/gnutls:master
Author: Nikos Mavrogiannopoulos

Based on the relicense of the original project: https://github.com/Pkcs11Interop/pkcs11-mock

Applied in commit: [8751256956e414c1b0a30414831f5083afbf64bf](https://github.com/Pkcs11Interop/pkcs11-mock/commit/8751256956e414c1b0a30414831f5083afbf64bf)

## Checklist

* [x] Commits have `Signed-off-by:` with name/author being identical to the commit author

## Reviewer's checklist:

* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1065
URL: From gnutls-devel at lists.gnutls.org Mon Sep 16 15:38:34 2019 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 16 Sep 2019 13:38:34 +0000 Subject: [gnutls-devel] GnuTLS | Support QUIC TLS API (#826) In-Reply-To: References: Message-ID: Aniketh Girish commented: Hi @dueno I started working on the implementation and a few pointers from you would be really helpful: (1) Should we also wrap the callbacks within a struct as how OpenSSL has done it? Or is there something specific that we wish to follow? If yes, please share a few example code within our gnuTLS source code that I can refer to. (2) Is there is specific place within our source code where I can retrieve TLS 1.3 data's like client early traffic secret, client handshake traffic secret, server handshake traffic secret etc? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/826#note_217638154 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Sep 16 16:04:44 2019 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 16 Sep 2019 14:04:44 +0000 Subject: [gnutls-devel] GnuTLS | Support QUIC TLS API (#826) In-Reply-To: References: Message-ID: Daiki Ueno commented on a discussion: https://gitlab.com/gnutls/gnutls/issues/826#note_217655808 For (1) I think there are two approaches: put all callbacks in a struct, or define each callback separately. The former makes it clear that the caller must set all callbacks to use QUIC functionality, while the latter would provide future extensibility if more callbacks are needed. 
Since QUIC is not yet finalized, I am leaning towards the latter approach: for secret retrieval, maybe something like:

```c
typedef void (*gnutls_secret_hook_func)(gnutls_session_t session,
                                        unsigned int epoch,
                                        unsigned int incoming,
                                        const gnutls_datum_t *secret);

void gnutls_set_secret_hook_function(gnutls_session_t session,
                                     gnutls_secret_hook_func func);
```

For (2), as GnuTLS supports keylog file: https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/Key_Log_Format you could `git grep` with the label in the source code, e.g., "CLIENT_EARLY_TRAFFIC_SECRET".

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/826#note_217655808

From gnutls-devel at lists.gnutls.org Tue Sep 17 15:48:55 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 17 Sep 2019 13:48:55 +0000
Subject: [gnutls-devel] GnuTLS | ocsp status request docs misleading (#829)
In-Reply-To:
References:
Message-ID:

Milestone changed to Release of GnuTLS 3.6.10 (Jul 26, 2019–Sep 25, 2019) ( https://gitlab.com/gnutls/gnutls/-/milestones/24 )

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/829

From gnutls-devel at lists.gnutls.org Tue Sep 17 15:50:32 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 17 Sep 2019 13:50:32 +0000
Subject: [gnutls-devel] GnuTLS | ocsp status request docs misleading (#829)
In-Reply-To:
References:
Message-ID:

Nikos Mavrogiannopoulos commented:

This analysis seems to be correct. The function seems to be non-usable in server side.
--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/829#note_218249327

From gnutls-devel at lists.gnutls.org Tue Sep 17 15:55:47 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 17 Sep 2019 13:55:47 +0000
Subject: [gnutls-devel] GnuTLS | ocsp status request docs misleading (#829)
In-Reply-To:
References:
Message-ID:

Nikos Mavrogiannopoulos commented:

A way to know whether the client has requested the status request (ocsp) extension, is by checking whether this extension is part of the client hello, [similarly to this](https://www.gnutls.org/manual/gnutls.html#Virtual-hosts-and-credentials).

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/829#note_218260716

From gnutls-devel at lists.gnutls.org Wed Sep 18 00:43:44 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 17 Sep 2019 22:43:44 +0000
Subject: [gnutls-devel] GnuTLS | gnutls_certificate_set_ocsp_status_request_file2: wrong success return value documentaion (#836)
References:
Message-ID:

jgh created an issue: https://gitlab.com/gnutls/gnutls/issues/836

## Description of problem:
gnutls_certificate_set_ocsp_status_request_file2() is documented as returning 0 on success. It actually returns the number of responses loaded (from calling gnutls_certificate_set_ocsp_status_request_mem()) (e.g. 1) on success.

## Version of gnutls used:
On test: 3.6.8
Looking at docs: 3.6.9
Looking at sourcecode: 4416da13f0975476d83452c9d6d093aec9ebb27e

## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)
Fedora

## How reproducible:
Only tried once.
Steps to Reproduce:

```c
if ((rc = gnutls_certificate_set_ocsp_status_request_file2(
        state->x509_cred, CCS ofile,
        gnutls_cert_index, GNUTLS_X509_FMT_DER)))
  {
  debug_printf("rc = %d\n", rc);
  return tls_error_gnu(
        US"gnutls_certificate_set_ocsp_status_request_file2",
        rc, host, errstr);
  }
```

## Actual results:

```
23:28:48 4883 TLS: cert/key 0 /home/jgh/git/exim/test/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.pem registered
23:28:48 4883 OCSP response file = /home/jgh/git/exim/test/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.ocsp.good.resp
23:28:48 4883 GnuTLS<3>: ASSERT: ocsp.c[gnutls_ocsp_resp_get_single]:1650
23:28:48 4883 GnuTLS<2>: associating OCSP response with chain 0 on pos 0
23:28:48 4883 rc = 1
23:28:48 4883 LOG: MAIN
23:28:48 4883 TLS error on connection from localhost (server1.example.com) [127.0.0.1] (gnutls_certificate_set_ocsp_status_request_file2): (unknown error code)
```

## Expected results:
Documentation matches library code

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/836

From gnutls-devel at lists.gnutls.org Wed Sep 18 00:46:34 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 17 Sep 2019 22:46:34 +0000
Subject: [gnutls-devel] GnuTLS | ocsp status request docs misleading (#829)
In-Reply-To:
References:
Message-ID:

jgh commented:

Thanks; that works.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/829#note_218543890
From gnutls-devel at lists.gnutls.org Thu Sep 19 11:44:48 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 19 Sep 2019 09:44:48 +0000
Subject: [gnutls-devel] GnuTLS | Support for raw public keys for gnutls-cli and gnutls-serv (!1059)
In-Reply-To:
References:
Message-ID:

Nikos Mavrogiannopoulos commented on a discussion on src/cli.c: https://gitlab.com/gnutls/gnutls/merge_requests/1059#note_219242602

> const char *x509_cafile = NULL;
> const char *x509_crlfile = NULL;
> static int x509ctype;
> +const char *rawpk_keyfile = NULL;
> +const char *rawpk_file = NULL;
> static int disable_extensions;
> static int disable_sni;
> -static unsigned int init_flags = GNUTLS_CLIENT;
> +static unsigned int init_flags = GNUTLS_CLIENT | GNUTLS_ENABLE_RAWPK;

ok

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1059#note_219242602

From gnutls-devel at lists.gnutls.org Thu Sep 19 11:46:03 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 19 Sep 2019 09:46:03 +0000
Subject: [gnutls-devel] GnuTLS | Support for raw public keys for gnutls-cli and gnutls-serv (!1059)
In-Reply-To:
References:
Message-ID:

Nikos Mavrogiannopoulos commented on a discussion on src/cli-args.def: https://gitlab.com/gnutls/gnutls/merge_requests/1059#note_219243377

> flags-must = x509keyfile;
> };
>
> +flag = {
> + name = rawpkkeyfile;

I do not know.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1059#note_219243377
From gnutls-devel at lists.gnutls.org Thu Sep 19 11:48:43 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 19 Sep 2019 09:48:43 +0000
Subject: [gnutls-devel] GnuTLS | Support for raw public keys for gnutls-cli and gnutls-serv (!1059)
In-Reply-To:
References:
Message-ID:

Nikos Mavrogiannopoulos commented on a discussion on src/cli.c: https://gitlab.com/gnutls/gnutls/merge_requests/1059#note_219244885

> }
> }
>
> - load_keys();
> + load_x509_keys();

I am for the most code re-use and simplicity, so it makes sense to me.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1059#note_219244885

From gnutls-devel at lists.gnutls.org Thu Sep 19 11:51:10 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 19 Sep 2019 09:51:10 +0000
Subject: [gnutls-devel] GnuTLS | Support for raw public keys for gnutls-cli and gnutls-serv (!1059)
In-Reply-To:
References:
Message-ID:

Nikos Mavrogiannopoulos commented on a discussion on src/serv-args.def: https://gitlab.com/gnutls/gnutls/merge_requests/1059#note_219246215

> };
>
> +flag = {
> + name = rawpkkeyfile;
> + arg-type = string;
> + descrip = "PKCS #8 or PKCS #12 key file to use";
> + doc = "";
> + max = 1;
> +};
> +
> +flag = {
> + name = rawpkfile;
> + arg-type = string;
> + descrip = "Raw public-key file to use";
> + doc = "";
> + max = 1;

That's an interesting problem. I am not sure I have a good suggestion. Would it work if we ignore the problem until we have a use for that?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1059#note_219246215
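
Review bot: in the quoted src/serv-args.def hunk both new flags, `rawpkkeyfile` and `rawpkfile`, carry `doc = "";`, so the generated help and manual give no guidance on them; fill in `doc` for each, saying how the key file relates to the raw public-key file and which formats are accepted. The `rawpkkeyfile` description, "PKCS #8 or PKCS #12 key file to use", does not mention raw public keys at all, so it reads like an X.509 key option; name the raw public key in it.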
From gnutls-devel at lists.gnutls.org Thu Sep 19 11:53:04 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 19 Sep 2019 09:53:04 +0000
Subject: [gnutls-devel] GnuTLS | Support for raw public keys for gnutls-cli and gnutls-serv (!1059)
In-Reply-To:
References:
Message-ID:

Nikos Mavrogiannopoulos commented on a discussion on src/cli.c: https://gitlab.com/gnutls/gnutls/merge_requests/1059#note_219247197

> const char *x509_cafile = NULL;
> const char *x509_crlfile = NULL;
> static int x509ctype;
> +const char *rawpk_keyfile = NULL;
> +const char *rawpk_file = NULL;
> static int disable_extensions;
> static int disable_sni;
> -static unsigned int init_flags = GNUTLS_CLIENT;
> +static unsigned int init_flags = GNUTLS_CLIENT | GNUTLS_ENABLE_RAWPK;

We would need though to amend the documentation in cli-args.def and serv to say that. Otherwise it will not be apparent to someone using these tools how to enable raw public keys.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1059#note_219247197

From gnutls-devel at lists.gnutls.org Fri Sep 20 16:36:19 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 20 Sep 2019 14:36:19 +0000
Subject: [gnutls-devel] GnuTLS | pkcs11-mock: updated license based on upstream project [ci skip] (!1065)
In-Reply-To:
References:
Message-ID:

Tim Rühsen started a new discussion on tests/pkcs11/pkcs11-mock.c: https://gitlab.com/gnutls/gnutls/merge_requests/1065#note_219951992

> /*
> - * PKCS11-MOCK - PKCS#11 mock module
> - * Copyright (c) 2015 JWC s.r.o.
> - * Author: Jaroslav Imrich
> + * Copyright 2015-2017 The Pkcs11Interop Project

From the upstream commit, shouldn't this be 2011-2016?
--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1065#note_219951992

From gnutls-devel at lists.gnutls.org Fri Sep 20 16:38:25 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 20 Sep 2019 14:38:25 +0000
Subject: [gnutls-devel] GnuTLS | pkcs11-mock: updated license based on upstream project [ci skip] (!1065)
In-Reply-To:
References:
Message-ID:

Tim Rühsen commented:

If we include software under apache2.0, shouldn't we ship a copy of the license? I am not sure if mentioning is enough (I am just clueless at this point).

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1065#note_219952993

From gnutls-devel at lists.gnutls.org Fri Sep 20 16:38:42 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 20 Sep 2019 14:38:42 +0000
Subject: [gnutls-devel] GnuTLS | pkcs11-mock: updated license based on upstream project [ci skip] (!1065)
In-Reply-To:
References:
Message-ID:

Tim Rühsen commented:

Else LGTM

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1065#note_219953134
From gnutls-devel at lists.gnutls.org Fri Sep 20 16:38:46 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 20 Sep 2019 14:38:46 +0000
Subject: [gnutls-devel] GnuTLS | pkcs11-mock: updated license based on upstream project [ci skip] (!1065)
In-Reply-To:
References:
Message-ID:

Merge Request !1065 was approved by Tim Rühsen

Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/1065
Project:Branches: nmav/gnutls:tmp-pkcs11-mock to gnutls/gnutls:master
Author: Nikos Mavrogiannopoulos
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1065

From gnutls-devel at lists.gnutls.org Fri Sep 20 17:22:59 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 20 Sep 2019 15:22:59 +0000
Subject: [gnutls-devel] GnuTLS | pkcs11-mock: updated license based on upstream project [ci skip] (!1065)
In-Reply-To:
References:
Message-ID:

Nikos Mavrogiannopoulos commented on a discussion on tests/pkcs11/pkcs11-mock.c: https://gitlab.com/gnutls/gnutls/merge_requests/1065#note_219972679

> /*
> - * PKCS11-MOCK - PKCS#11 mock module
> - * Copyright (c) 2015 JWC s.r.o.
> - * Author: Jaroslav Imrich
> + * Copyright 2015-2017 The Pkcs11Interop Project

I copied-pasted from the latest code. Most likely it should be as in the original commit. I'll update.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1065#note_219972679
From gnutls-devel at lists.gnutls.org Fri Sep 20 17:31:03 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 20 Sep 2019 15:31:03 +0000
Subject: [gnutls-devel] GnuTLS | pkcs11-mock: updated license based on upstream project [ci skip] (!1065)
In-Reply-To:
References:
Message-ID:

Nikos Mavrogiannopoulos pushed new commits to merge request !1065
https://gitlab.com/gnutls/gnutls/merge_requests/1065

* f51ae6b9 - pkcs11-mock: updated license based on upstream project [ci skip]

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1065

From gnutls-devel at lists.gnutls.org Fri Sep 20 17:31:19 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 20 Sep 2019 15:31:19 +0000
Subject: [gnutls-devel] GnuTLS | pkcs11-mock: updated license based on upstream project [ci skip] (!1065)
In-Reply-To:
References:
Message-ID:

All discussions on Merge Request !1065 were resolved by Nikos Mavrogiannopoulos
https://gitlab.com/gnutls/gnutls/merge_requests/1065

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1065

From gnutls-devel at lists.gnutls.org Fri Sep 20 17:32:57 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 20 Sep 2019 15:32:57 +0000
Subject: [gnutls-devel] GnuTLS | pkcs11-mock: updated license based on upstream project [ci skip] (!1065)
In-Reply-To:
References:
Message-ID:

Nikos Mavrogiannopoulos commented:

I do not think it is necessary. The license is referred by the short text, and we don't follow that for any other licenses than the main ones (lgpl and gpl).
--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1065#note_219976687

From gnutls-devel at lists.gnutls.org Fri Sep 20 17:33:12 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 20 Sep 2019 15:33:12 +0000
Subject: [gnutls-devel] GnuTLS | pkcs11-mock: updated license based on upstream project [ci skip] (!1065)
In-Reply-To:
References:
Message-ID:

Merge Request !1065 was merged

Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/1065
Project:Branches: nmav/gnutls:tmp-pkcs11-mock to gnutls/gnutls:master
Author: Nikos Mavrogiannopoulos
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1065

From gnutls-devel at lists.gnutls.org Fri Sep 20 17:33:16 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 20 Sep 2019 15:33:16 +0000
Subject: [gnutls-devel] GnuTLS | pkcs11-mock: updated license based on upstream project [ci skip] (!1065)
In-Reply-To:
References:
Message-ID:

Reassigned Merge Request 1065
https://gitlab.com/gnutls/gnutls/merge_requests/1065

Assignee changed to Nikos Mavrogiannopoulos

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1065
From gnutls-devel at lists.gnutls.org Fri Sep 20 21:08:16 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 20 Sep 2019 19:08:16 +0000
Subject: [gnutls-devel] GnuTLS | ocsp status request docs misleading (#829)
In-Reply-To:
References:
Message-ID:

Nikos Mavrogiannopoulos commented:

> Also, there appears to be no interface for observability of stapling request and presented response status, server side

@jgh reading the docs what I get is that this function is usable when the server verifies the client certificate, e.g., using `gnutls_certificate_verify_peers2`. In that case a TLS1.3 server may want to see whether an OCSP response was included, and that's my understanding of the use of this function by reading the docs. Were you using it in that case, or your goal was the observation of the stapling request only and that misled you?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/829#note_220060151

From gnutls-devel at lists.gnutls.org Fri Sep 20 22:09:44 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 20 Sep 2019 20:09:44 +0000
Subject: [gnutls-devel] GnuTLS | gnutls_certificate_set_ocsp_status_request_file2: wrong success return value documentaion (#836)
In-Reply-To:
References:
Message-ID:

Milestone changed to Release of GnuTLS 3.6.10 (Jul 26, 2019–Sep 25, 2019) ( https://gitlab.com/gnutls/gnutls/-/milestones/24 )

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/836
From gnutls-devel at lists.gnutls.org Fri Sep 20 22:09:45 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 20 Sep 2019 20:09:45 +0000
Subject: [gnutls-devel] GnuTLS | gnutls_certificate_set_ocsp_status_request_file2: wrong success return value documentaion (#836)
In-Reply-To:
References:
Message-ID:

Reassigned Issue 836
https://gitlab.com/gnutls/gnutls/issues/836

Assignee changed to Nikos Mavrogiannopoulos

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/836

From gnutls-devel at lists.gnutls.org Fri Sep 20 22:12:59 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 20 Sep 2019 20:12:59 +0000
Subject: [gnutls-devel] GnuTLS | ocsp: test suite and other improvements (!1066)
References:
Message-ID:

Nikos Mavrogiannopoulos created a merge request: https://gitlab.com/gnutls/gnutls/merge_requests/1066

Project:Branches: nmav/gnutls:tmp-ocsp-fixes to gnutls/gnutls:master
Author: Nikos Mavrogiannopoulos

This introduces tests for `gnutls_ocsp_status_request_is_checked` both in client and server side, a test for certificate verification in server side `gnutls_certificate_verify_peers2` and corrects the documentation of `gnutls_certificate_set_ocsp_status_request_file2`.
## Checklist
* [x] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [x] Test suite updated with functionality tests
* [x] Test suite updated with negative tests
* [x] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:
* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1066

From gnutls-devel at lists.gnutls.org Fri Sep 20 22:14:56 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 20 Sep 2019 20:14:56 +0000
Subject: [gnutls-devel] GnuTLS | ocsp: test suite and other improvements (!1066)
In-Reply-To:
References:
Message-ID:

Nikos Mavrogiannopoulos pushed new commits to merge request !1066
https://gitlab.com/gnutls/gnutls/merge_requests/1066

* ecd4a5b2 - gnutls_ocsp_status_request_is_checked: added tests in client side
* c5e9a63a - tests: added server-side verification test
* 63cdcc9e - tests: check server side OCSP check
* a8ea8390 - gnutls_certificate_set_ocsp_status_request_file2: corrected documentation

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1066
From gnutls-devel at lists.gnutls.org Fri Sep 20 22:16:32 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 20 Sep 2019 20:16:32 +0000
Subject: [gnutls-devel] GnuTLS | ocsp: test suite and doc improvements (!1066)
In-Reply-To:
References:
Message-ID:

Nikos Mavrogiannopoulos pushed new commits to merge request !1066
https://gitlab.com/gnutls/gnutls/merge_requests/1066

* 18dcd3d1 - tests: added server side OCSP check
* fc8bee5c - gnutls_certificate_set_ocsp_status_request_file2: corrected documentation

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1066

From gnutls-devel at lists.gnutls.org Fri Sep 20 22:32:36 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 20 Sep 2019 20:32:36 +0000
Subject: [gnutls-devel] GnuTLS | gnutls_base64_decode2 gives an error on empty input (#834)
In-Reply-To:
References:
Message-ID:

Milestone changed to Release of GnuTLS 3.6.10 (Jul 26, 2019–Sep 25, 2019) ( https://gitlab.com/gnutls/gnutls/-/milestones/24 )

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/834
From gnutls-devel at lists.gnutls.org Sat Sep 21 06:30:14 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 21 Sep 2019 04:30:14 +0000
Subject: [gnutls-devel] GnuTLS | ocsp: test suite and doc improvements (!1066)
In-Reply-To:
References:
Message-ID:

Nikos Mavrogiannopoulos pushed new commits to merge request !1066
https://gitlab.com/gnutls/gnutls/merge_requests/1066

* c6a30f50 - Updates in OCSP status response related documentation

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1066

From gnutls-devel at lists.gnutls.org Sat Sep 21 13:31:00 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 21 Sep 2019 11:31:00 +0000
Subject: [gnutls-devel] GnuTLS | gnutls-serv and gnutls-client fail with "Detected downgrade to TLS 1.2 from TLS 1.3" (#837)
References:
Message-ID:

Richard Frith-Macdonald created an issue: https://gitlab.com/gnutls/gnutls/issues/837

## Description of problem:
If a client attempts to connect to a server with 1.2 and 1.3 in the priority string, it fails with the error 'Detected downgrade to TLS 1.2 from TLS 1.3'

I think this is because the priority string specifies 1.2 before 1.3, so while the client advertises itself as supporting both versions, the server picks the first one and responds using 1.2, which the client then thinks is an illegal downgrade.

It's possible to work-around this by changing the client priority string to have 1.3 first (ie as the preferred version), but that means that the connection will be established using the oldest version that client and server support, not the newest/best, which seems undesirable.

If this is the case, there may be various ways to address the issue:

a. the server could ignore offers of older versions and select the highest one the client says it supports
b. the client could always offer higher versions before lower versions
c. the client could recognise that, if it offered 1.2 to the server, then a response of 1.2 is not a downgrade

## Version of gnutls used:
3.6.7

## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)
Built from source

## How reproducible:

Steps to Reproduce:

set gnutls-serv using --priority="NORMAL:-VERS-ALL:+VERS-TLS1.3:+VERS-TLS1.2"
connect to it with gnutls-cli using --priority="NORMAL:-VERS-ALL:+VERS-TLS1.3:+VERS-TLS1.2"

## Actual results:

```
|<1>| Detected downgrade to TLS 1.2 from TLS 1.3
*** Fatal error: An illegal parameter has been received.
```

## Expected results:
Connection established.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/837

From gnutls-devel at lists.gnutls.org Sat Sep 21 13:36:51 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 21 Sep 2019 11:36:51 +0000
Subject: [gnutls-devel] GnuTLS | gnutls-serv and gnutls-client fail with "Detected downgrade to TLS 1.2 from TLS 1.3" (#837)
In-Reply-To:
References:
Message-ID:

Richard Frith-Macdonald commented:

Oops, I just realised I got part of that the wrong way round:

> but that means that the connection will be established using the oldest version
> that client and server support, not the newest/best, which seems undesirable.

So the 'workaround' is to specify the versions in the more natural/desirable order, which makes this a minor usability issue rather than a serious bug.

NB. connecting with the same priority string to an openssl server works, which suggests they implemented a 'fix' at the server and to improve usability.
--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/837#note_220191783

From gnutls-devel at lists.gnutls.org Sun Sep 22 14:23:20 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 22 Sep 2019 12:23:20 +0000
Subject: [gnutls-devel] GnuTLS | guile bindings not multi-arch safe (#838)
References:
Message-ID:

Andreas Metzler created an issue: https://gitlab.com/gnutls/gnutls/issues/838

Hello,

when building gnutls 3.6.9 with e.g.

```
./configure [...] --prefix=/usr [...] --libdir=\${prefix}/lib/x86_64-linux-gnu --libexecdir=\${prefix}/lib/x86_64-linux-gnu
```

one ends up with essentially the following list of files:

```
/usr/share/guile/site/2.2/gnutls.scm
/usr/lib/x86_64-linux-gnu/guile/2.2/site-ccache/gnutls.go
/usr/lib/x86_64-linux-gnu/guile/2.2/extensions/guile-gnutls-v-2.so.0
/usr/lib/x86_64-linux-gnu/guile/2.2/extensions/guile-gnutls-v-2.so
/usr/lib/x86_64-linux-gnu/guile/2.2/extensions/guile-gnutls-v-2.so.0.0.0
```

and /usr/share/guile/site/2.2/gnutls.scm contains

```scheme
(eval-when (expand load eval)
  (define %libdir
    (or (getenv "GNUTLS_GUILE_EXTENSION_DIR")
        "/usr/lib/x86_64-linux-gnu/guile/2.2/extensions"))

  (load-extension (string-append %libdir "/guile-gnutls-v-2")
                  "scm_init_gnutls"))
```

i.e. we have a file in /usr/share ("architecture independent data") whose contents are not identical on different architectures.

This is a long-standing issue (see https://bugs.debian.org/658110) but is supposed to be fixable in guile-2.0 and later.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/838
From gnutls-devel at lists.gnutls.org Mon Sep 23 15:44:46 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 23 Sep 2019 13:44:46 +0000
Subject: [gnutls-devel] GnuTLS | gnutls-serv and gnutls-client fail with "Detected downgrade to TLS 1.2 from TLS 1.3" (#837)
In-Reply-To:
References:
Message-ID:

Reassigned Issue 837
https://gitlab.com/gnutls/gnutls/issues/837

Assignee changed to Daiki Ueno

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/837

From gnutls-devel at lists.gnutls.org Mon Sep 23 16:01:36 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 23 Sep 2019 14:01:36 +0000
Subject: [gnutls-devel] GnuTLS | gnutls-serv and gnutls-client fail with "Detected downgrade to TLS 1.2 from TLS 1.3" (#837)
In-Reply-To:
References:
Message-ID:

Reassigned Issue 837
https://gitlab.com/gnutls/gnutls/issues/837

Assignee changed from Daiki Ueno to Unassigned

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/837

From gnutls-devel at lists.gnutls.org Mon Sep 23 16:11:37 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 23 Sep 2019 14:11:37 +0000
Subject: [gnutls-devel] GnuTLS | gnutls-serv and gnutls-client fail with "Detected downgrade to TLS 1.2 from TLS 1.3" (#837)
In-Reply-To:
References:
Message-ID:

Daiki Ueno commented:

I would say this is the correct behavior according to the [spec](https://tools.ietf.org/html/rfc8446#section-4.1.3):

```
TLS 1.3 has a downgrade protection mechanism embedded in the server's
random value.  TLS 1.3 servers which negotiate TLS 1.2 or below in
response to a ClientHello MUST set the last 8 bytes of their Random
value specially in their ServerHello.

If negotiating TLS 1.2, TLS 1.3 servers MUST set the last 8 bytes of
their Random value to the bytes:

  44 4F 57 4E 47 52 44 01

[...]

TLS 1.3 clients receiving a ServerHello indicating TLS 1.2 or below
MUST check that the last 8 bytes are not equal to either of these
values.  [...]  If a match is found, the client MUST abort the handshake
with an "illegal_parameter" alert.
```

If you enable TLS 1.3 in the priority string, the peer behaves as a TLS 1.3 server or client so the downgrade protection will be in effect.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/837#note_220687404

From gnutls-devel at lists.gnutls.org Mon Sep 23 16:30:22 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 23 Sep 2019 14:30:22 +0000
Subject: [gnutls-devel] GnuTLS | gnutls-serv and gnutls-client fail with "Detected downgrade to TLS 1.2 from TLS 1.3" (#837)
In-Reply-To:
References:
Message-ID:

Richard Frith-Macdonald commented:

I kind of came to the same conclusion (the code is not wrong according to the spec).

However, it's not clear to me that the server *must* select the version in accordance with the client's preferred order, and it makes some sense from a security point of view for the server to select the newest/best version if the client offers more than one (as well as avoiding a situation where the user at the client end can accidentally configure a priority string which prevents client and server establishing a connection).

It appears that openssl servers select 1.3 in preference to 1.2 even when the client puts 1.2 before 1.3, and it may be no bad thing to behave in a compatible way.
Perhaps this could be viewed as a suggested possible improvement rather than a bug report? If you think otherwise, I'll not complain should you decide to simply close the issue. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/837#note_220699740 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Sep 23 17:08:41 2019 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 23 Sep 2019 15:08:41 +0000 Subject: [gnutls-devel] GnuTLS | gnutls-serv and gnutls-client fail with "Detected downgrade to TLS 1.2 from TLS 1.3" (#837) In-Reply-To: References: Message-ID: Daiki Ueno commented on a discussion: https://gitlab.com/gnutls/gnutls/issues/837#note_220722425 Perhaps, but I think it is quite unnatural that the client gives TLS 1.2 a higher priority than TLS 1.3 while it also supports TLS 1.3. Is there any use-case for that? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/837#note_220722425 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... 
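
The downgrade check Daiki Ueno quotes from RFC 8446 section 4.1.3, modelled from both sides as an added example (not GnuTLS code; every function and type name is hypothetical). It contrasts the two server policies discussed in the thread, following the client's order versus preferring the newest shared version, for a client that lists TLS 1.2 before TLS 1.3; the second sentinel value (ending in 00) comes from the RFC, not from the quoted excerpt.

```c
/* Added example: RFC 8446 section 4.1.3 downgrade sentinel, server and client
 * side. A model of the exchange, not GnuTLS source; all names are hypothetical. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TLS1_2 0x0303
#define TLS1_3 0x0304
#define RANDOM_SIZE 32
#define SENTINEL_SIZE 8

/* "DOWNGRD" 01: TLS 1.3 server negotiating TLS 1.2 (bytes quoted in the thread) */
static const uint8_t DOWNGRD_TLS12[SENTINEL_SIZE] =
    { 0x44, 0x4F, 0x57, 0x4E, 0x47, 0x52, 0x44, 0x01 };
/* "DOWNGRD" 00: the other value in RFC 8446, for TLS 1.1 or below */
static const uint8_t DOWNGRD_TLS11[SENTINEL_SIZE] =
    { 0x44, 0x4F, 0x57, 0x4E, 0x47, 0x52, 0x44, 0x00 };

enum select_policy { FOLLOW_CLIENT_ORDER, PREFER_NEWEST };

/* The modelled server supports TLS 1.2 and TLS 1.3. */
static int server_supports(uint16_t v) { return v == TLS1_2 || v == TLS1_3; }

/* Pick a version from the client's offer; returns 0 when nothing is shared. */
uint16_t server_select_version(const uint16_t *offered, size_t n,
                               enum select_policy policy)
{
    uint16_t newest = 0;
    for (size_t i = 0; i < n; i++) {
        if (!server_supports(offered[i]))
            continue;
        if (policy == FOLLOW_CLIENT_ORDER)
            return offered[i];      /* first acceptable entry wins */
        if (offered[i] > newest)
            newest = offered[i];
    }
    return newest;
}

/* Build ServerHello.random. Constructed filler bytes stand in for CSPRNG
 * output; a TLS 1.3 capable server overwrites the last 8 bytes when it
 * negotiates anything older than TLS 1.3. */
void server_fill_random(uint16_t negotiated, uint8_t random[RANDOM_SIZE])
{
    uint8_t *tail = random + RANDOM_SIZE - SENTINEL_SIZE;
    for (size_t i = 0; i < RANDOM_SIZE; i++)
        random[i] = (uint8_t)(0xA0 + i);
    if (negotiated == TLS1_2)
        memcpy(tail, DOWNGRD_TLS12, SENTINEL_SIZE);
    else if (negotiated != 0 && negotiated < TLS1_2)
        memcpy(tail, DOWNGRD_TLS11, SENTINEL_SIZE);
}

/* Client check for a TLS 1.3 capable client: 1 means "abort the handshake
 * with illegal_parameter". The sentinel is public data, so memcmp is fine.
 * (The SHOULD-level check for TLS 1.2-only clients is not modelled.) */
int client_detects_downgrade(int client_offers_tls13, uint16_t negotiated,
                             const uint8_t random[RANDOM_SIZE])
{
    const uint8_t *tail = random + RANDOM_SIZE - SENTINEL_SIZE;
    if (!client_offers_tls13 || negotiated >= TLS1_3)
        return 0;
    return memcmp(tail, DOWNGRD_TLS12, SENTINEL_SIZE) == 0 ||
           memcmp(tail, DOWNGRD_TLS11, SENTINEL_SIZE) == 0;
}

/* One modelled handshake: 1 = client aborts, 0 = proceeds, -1 = no shared version. */
int handshake_aborts(const uint16_t *offered, size_t n, enum select_policy policy)
{
    uint8_t random[RANDOM_SIZE];
    int offers_tls13 = 0;
    uint16_t negotiated;

    for (size_t i = 0; i < n; i++)
        if (offered[i] == TLS1_3)
            offers_tls13 = 1;
    negotiated = server_select_version(offered, n, policy);
    if (negotiated == 0)
        return -1;
    server_fill_random(negotiated, random);
    return client_detects_downgrade(offers_tls13, negotiated, random);
}

int main(void)
{
    /* Constructed offer: TLS 1.2 listed before TLS 1.3, as in the issue. */
    const uint16_t tls12_first[] = { TLS1_2, TLS1_3 };
    printf("follow client order: abort=%d\n",
           handshake_aborts(tls12_first, 2, FOLLOW_CLIENT_ORDER));
    printf("prefer newest:       abort=%d\n",
           handshake_aborts(tls12_first, 2, PREFER_NEWEST));
    return 0;
}
```

A client that offers only TLS 1.2 still receives the sentinel from this server but never aborts, because the check applies only to clients that support TLS 1.3.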

From gnutls-devel at lists.gnutls.org Mon Sep 23 17:19:57 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 23 Sep 2019 15:19:57 +0000
Subject: [gnutls-devel] GnuTLS | gnutls-serv and gnutls-client fail with "Detected downgrade to TLS 1.2 from TLS 1.3" (#837)
In-Reply-To:
References:
Message-ID:

Richard Frith-Macdonald commented:

I would class it as a configuration error, but one that people in my company referred to me as a GNUTLS bug, because they had successfully used our client software to connect to external openssl based servers, but had found that the same client software (configured the same way) had failed to establish a connection to our internal (gnutls based) servers.

So the real issue is not that there is a use case (we don't specifically want to configure 1.2 before 1.3 in the client), but that if it's done accidentally the connection attempt fails and it's not obvious why.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/837#note_220728160

From gnutls-devel at lists.gnutls.org Mon Sep 23 21:13:58 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 23 Sep 2019 19:13:58 +0000
Subject: [gnutls-devel] GnuTLS | fix nettle 3.5 issues/warnings (!1067)
References:
Message-ID:

Nikos Mavrogiannopoulos created a merge request: https://gitlab.com/gnutls/gnutls/merge_requests/1067

Project:Branches: nmav/gnutls:tmp-update-nettle-compat to gnutls/gnutls:master
Author: Nikos Mavrogiannopoulos

This patch set addresses warnings and issues found from using nettle 3.5.

## Checklist
 * [x] Commits have `Signed-off-by:` with name/author being identical to the commit author
 * [x] Code modified for feature
 * [x] Test suite updated with functionality tests
 * [x] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:
 * [ ] Any issues marked for closing are addressed
 * [ ] There is a test suite reasonably covering new functionality or modifications
 * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
 * [ ] This feature/change has adequate documentation added
 * [ ] No obvious mistakes in the code

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1067

From gnutls-devel at lists.gnutls.org Mon Sep 23 21:14:07 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 23 Sep 2019 19:14:07 +0000
Subject: [gnutls-devel] GnuTLS | nettle 3.5 issues/warnings (#835)
In-Reply-To:
References:
Message-ID:

Reassigned Issue 835

https://gitlab.com/gnutls/gnutls/issues/835

Assignee changed to Nikos Mavrogiannopoulos

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/835

From gnutls-devel at lists.gnutls.org Mon Sep 23 21:14:35 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 23 Sep 2019 19:14:35 +0000
Subject: [gnutls-devel] GnuTLS | nettle 3.5 issues/warnings (#835)
In-Reply-To:
References:
Message-ID:

Nikos Mavrogiannopoulos commented:

I've tried to fix that in !1067. If it passes CI would you like to review it?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/835#note_220826683

From gnutls-devel at lists.gnutls.org Mon Sep 23 21:14:45 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 23 Sep 2019 19:14:45 +0000
Subject: [gnutls-devel] GnuTLS | nettle 3.5 issues/warnings (#835)
In-Reply-To:
References:
Message-ID:

Milestone changed to Release of GnuTLS 3.6.10 (Jul 26, 2019–Sep 25, 2019) ( https://gitlab.com/gnutls/gnutls/-/milestones/24 )

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/835

From gnutls-devel at lists.gnutls.org Mon Sep 23 21:26:22 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 23 Sep 2019 19:26:22 +0000
Subject: [gnutls-devel] GnuTLS | fix nettle 3.5 issues/warnings (!1067)
In-Reply-To:
References:
Message-ID:

Dmitry Eremin-Solenikov started a new discussion on tests/cipher-alignment.c: https://gitlab.com/gnutls/gnutls/merge_requests/1067#note_220830443

> myaes_init(gnutls_cipher_algorithm_t algorithm, void **_ctx, int enc)
> {
> /* we use key size to distinguish */

The comment is wrong then.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1067#note_220830443

From gnutls-devel at lists.gnutls.org Mon Sep 23 21:28:25 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 23 Sep 2019 19:28:25 +0000
Subject: [gnutls-devel] GnuTLS | fix nettle 3.5 issues/warnings (!1067)
In-Reply-To:
References:
Message-ID:

Dmitry Eremin-Solenikov commented:

Does this break compatibility with Nettle 3.4.1?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1067#note_220831047

From gnutls-devel at lists.gnutls.org Mon Sep 23 21:35:42 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 23 Sep 2019 19:35:42 +0000
Subject: [gnutls-devel] GnuTLS | fix nettle 3.5 issues/warnings (!1067)
In-Reply-To:
References:
Message-ID:

Nikos Mavrogiannopoulos pushed new commits to merge request !1067
https://gitlab.com/gnutls/gnutls/merge_requests/1067

* f63f0e48 - tests: mini-alignment moved to modern nettle API

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1067

From gnutls-devel at lists.gnutls.org Mon Sep 23 21:35:45 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 23 Sep 2019 19:35:45 +0000
Subject: [gnutls-devel] GnuTLS | fix nettle 3.5 issues/warnings (!1067)
In-Reply-To:
References:
Message-ID:

Nikos Mavrogiannopoulos commented on a discussion on tests/cipher-alignment.c: https://gitlab.com/gnutls/gnutls/merge_requests/1067#note_220833415

> myaes_init(gnutls_cipher_algorithm_t algorithm, void **_ctx, int enc)
> {
> /* we use key size to distinguish */

Right, removed it.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1067#note_220833415

From gnutls-devel at lists.gnutls.org Mon Sep 23 21:37:30 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 23 Sep 2019 19:37:30 +0000
Subject: [gnutls-devel] GnuTLS | fix nettle 3.5 issues/warnings (!1067)
In-Reply-To:
References:
Message-ID:

Nikos Mavrogiannopoulos commented:

It shouldn't as the `_get_` functions were introduced in nettle 3.4.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1067#note_220833815

From gnutls-devel at lists.gnutls.org Mon Sep 23 21:38:56 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 23 Sep 2019 19:38:56 +0000
Subject: [gnutls-devel] GnuTLS | fix nettle 3.5 issues/warnings (!1067)
In-Reply-To:
References:
Message-ID:

Merge Request !1067 was approved by Dmitry Eremin-Solenikov

Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/1067

Project:Branches: nmav/gnutls:tmp-update-nettle-compat to gnutls/gnutls:master
Author: Nikos Mavrogiannopoulos
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1067

From gnutls-devel at lists.gnutls.org Mon Sep 23 21:39:02 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 23 Sep 2019 19:39:02 +0000
Subject: [gnutls-devel] GnuTLS | fix nettle 3.5 issues/warnings (!1067)
In-Reply-To:
References:
Message-ID:

All discussions on Merge Request !1067 were resolved by Dmitry Eremin-Solenikov

https://gitlab.com/gnutls/gnutls/merge_requests/1067

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1067

From gnutls-devel at lists.gnutls.org Mon Sep 23 21:39:20 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 23 Sep 2019 19:39:20 +0000
Subject: [gnutls-devel] GnuTLS | fix nettle 3.5 issues/warnings (!1067)
In-Reply-To:
References:
Message-ID:

Dmitry Eremin-Solenikov commented on a discussion: https://gitlab.com/gnutls/gnutls/merge_requests/1067#note_220834329

Good, fine with me then.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1067#note_220834329

From gnutls-devel at lists.gnutls.org Mon Sep 23 21:39:21 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 23 Sep 2019 19:39:21 +0000
Subject: [gnutls-devel] GnuTLS | fix nettle 3.5 issues/warnings (!1067)
In-Reply-To:
References:
Message-ID:

All discussions on Merge Request !1067 were resolved by Dmitry Eremin-Solenikov

https://gitlab.com/gnutls/gnutls/merge_requests/1067

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1067

From gnutls-devel at lists.gnutls.org Mon Sep 23 21:40:24 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 23 Sep 2019 19:40:24 +0000
Subject: [gnutls-devel] GnuTLS | fix nettle 3.5 issues/warnings (!1067)
In-Reply-To:
References:
Message-ID:

Nikos Mavrogiannopoulos commented:

What may be an issue is that this test is using `gnutls_crypto_register_cipher` which is also marked as deprecated (from gnutls' side). Once made a no-op, as is the plan, this test will silently do nothing. I will add a commit to catch this too.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1067#note_220834608

From gnutls-devel at lists.gnutls.org Mon Sep 23 21:43:33 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 23 Sep 2019 19:43:33 +0000
Subject: [gnutls-devel] GnuTLS | fix nettle 3.5 issues/warnings (!1067)
In-Reply-To:
References:
Message-ID:

Nikos Mavrogiannopoulos pushed new commits to merge request !1067
https://gitlab.com/gnutls/gnutls/merge_requests/1067

* 49bbfcde - tests: cipher-alignment: ensure cipher registration

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1067

From gnutls-devel at lists.gnutls.org Mon Sep 23 21:46:38 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 23 Sep 2019 19:46:38 +0000
Subject: [gnutls-devel] GnuTLS | fix nettle 3.5 issues/warnings (!1067)
In-Reply-To:
References:
Message-ID:

Nikos Mavrogiannopoulos commented:

Thank you for the review!

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1067#note_220836349

From gnutls-devel at lists.gnutls.org Mon Sep 23 23:23:28 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 23 Sep 2019 21:23:28 +0000
Subject: [gnutls-devel] GnuTLS | nettle 3.5 issues/warnings (#835)
In-Reply-To:
References:
Message-ID:

Issue was closed by Nikos Mavrogiannopoulos via merge request !1067 (https://gitlab.com/gnutls/gnutls/merge_requests/1067)

Issue #835: https://gitlab.com/gnutls/gnutls/issues/835

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/835

From gnutls-devel at lists.gnutls.org Mon Sep 23 23:23:28 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 23 Sep 2019 21:23:28 +0000
Subject: [gnutls-devel] GnuTLS | fix nettle 3.5 issues/warnings (!1067)
In-Reply-To:
References:
Message-ID:

Merge Request !1067 was merged

Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/1067

Project:Branches: nmav/gnutls:tmp-update-nettle-compat to gnutls/gnutls:master
Author: Nikos Mavrogiannopoulos
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1067

From gnutls-devel at lists.gnutls.org Tue Sep 24 11:16:28 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 24 Sep 2019 09:16:28 +0000
Subject: [gnutls-devel] GnuTLS | gnutls-serv and gnutls-client fail with "Detected downgrade to TLS 1.2 from TLS 1.3" (#837)
In-Reply-To:
References:
Message-ID:

Daiki Ueno commented on a discussion: https://gitlab.com/gnutls/gnutls/issues/837#note_221087855

The more I think about it, the more I realize that your suggestion is plausible. Maybe also gnutls-cli should error if the versions in priority string are not in the newest-first order if TLS 1.3 is supported.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/837#note_221087855

From gnutls-devel at lists.gnutls.org Tue Sep 24 11:16:59 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 24 Sep 2019 09:16:59 +0000
Subject: [gnutls-devel] GnuTLS | gnutls-serv and gnutls-client fail with "Detected downgrade to TLS 1.2 from TLS 1.3" (#837)
In-Reply-To:
References:
Message-ID:

Reassigned Issue 837

https://gitlab.com/gnutls/gnutls/issues/837

Assignee changed to Daiki Ueno

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/837

From gnutls-devel at lists.gnutls.org Tue Sep 24 11:54:02 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 24 Sep 2019 09:54:02 +0000
Subject: [gnutls-devel] GnuTLS | gnutls-serv and gnutls-client fail with "Detected downgrade to TLS 1.2 from TLS 1.3" (#837)
In-Reply-To:
References:
Message-ID:

Richard Frith-Macdonald commented:

I use gnutls-cli purely as a diagnostic tool, so the idea of having it error in that situation certainly makes sense for me. I guess that if people use it as a scripting tool, having it error might be a problem though.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/837#note_221109075

From gnutls-devel at lists.gnutls.org Tue Sep 24 18:33:23 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 24 Sep 2019 16:33:23 +0000
Subject: [gnutls-devel] GnuTLS | Minor inaccuracy in gnutls_record_send() documentation? (#806)
In-Reply-To:
References:
Message-ID:

Michael Catanzaro commented:

I tried actually using this, hoping it would solve https://gitlab.gnome.org/GNOME/glib-networking/issues/15 for me, but it didn't work as expected. Problem is that some data queued from the previous gnutls_record_send() could have actually been sent already and is no longer in the send queue. So using gnutls_record_discard_queued() does not "negate" an interrupted/cancelled gnutls_record_send().

i.e. I think gnutls_record_send() actually sends data even when it returns a negative error code. As long as applications follow the old rule to always resend the same data, it was fine. But any application using gnutls_record_discard_queued() surely needs to know how much was actually sent.

I'm not sure what you would consider the intended API behavior to be. Do you think this is worth a new issue report?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/806#note_221366456

From gnutls-devel at lists.gnutls.org Tue Sep 24 18:34:58 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 24 Sep 2019 16:34:58 +0000
Subject: [gnutls-devel] GnuTLS | Minor inaccuracy in gnutls_record_send() documentation? (#806)
In-Reply-To:
References:
Message-ID:

Michael Catanzaro commented:

The most important comment in that issue is https://gitlab.gnome.org/GNOME/glib-networking/issues/15#note_595943, which shows the specific failure case.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/806#note_221367354

From gnutls-devel at lists.gnutls.org Tue Sep 24 19:00:09 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 24 Sep 2019 17:00:09 +0000
Subject: [gnutls-devel] GnuTLS | gnutls_record_send() fails with GNUTLS_E_INVALID_REQUEST (#823)
In-Reply-To:
References:
Message-ID:

Michael Catanzaro commented:

> Has this been reported to the software that breaks?

Nope... that'd be glib-networking, you know us by now. :) I just noticed this issue report now by chance. I agree it probably should have been reported to glib-networking first, especially since the error GNUTLS_E_INVALID_REQUEST indicates API misuse, but in this case it might be good to start here anyway, since I don't see the problem and wouldn't know what to do with it if it was on our issue tracker. :P

> The log simply indicates the call of `gnutls_record_send()` to an already closed session.

So: how do you know the session is closed? I don't see any evidence of this in the logs? If that's happening, I suspect the peer has closed the session and the client hasn't noticed (since GTlsConnection has no API to indicate when the peer has closed the session; attempts to write will just fail). Does that sound plausible? In which case, maybe glib-networking should massage the error a bit so that a nicer error gets presented to the application. (The request may be invalid at the GnuTLS level, but it's not at the GTlsConnection level.)

In any case, the real problem is that the session is closed during the handshake. If github.com is indeed closing the connection during what should be a routine handshake, we should try to figure out why. What's surprising to me is that the good log uses TLS 1.2 but the bad log uses TLS 1.3, which is pretty suspicious. It seems weird that github.com ever negotiates TLS 1.2 when it usually offers 1.3.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/823#note_221380838

From gnutls-devel at lists.gnutls.org Wed Sep 25 06:17:38 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 25 Sep 2019 04:17:38 +0000
Subject: [gnutls-devel] GnuTLS | gnutls_record_send() fails with GNUTLS_E_INVALID_REQUEST (#823)
In-Reply-To:
References:
Message-ID:

Nikos Mavrogiannopoulos commented:

Hi Michael. There is no such function to check for a closed session, as a session can close only explicitly (bye), or by a fatal error during send or recv. Going through the log again I think I see a more detailed pattern:

1. `gnutls_session_get_data2()` is called
2. error is printed: `GTLS: The pull function has been replaced but not the pull timeout`
3. send is called and it considers the session as closed

So it must be (2) that causes the error. A change in TLS1.3 was that a session ticket arrives asynchronously, and that's why session_get_data2() now tries to read with a timeout. The pull timeout was not required before except for DTLS and in the case you were using a receiving function that explicitly set a timeout. As many applications set `gnutls_transport_set_pull_timeout_function` anyway, an issue like that may not have been noticed. Could that be the case here? (does glib-networking set the pull timeout?)

If it is not calling it, what we can do in gnutls is make sure that `gnutls_session_get_data2()` does not require a timeout if a callback is not set instead of invalidating the session. A better fix would be to set the callback of course.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/823#note_221631821

From gnutls-devel at lists.gnutls.org Wed Sep 25 06:44:26 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 25 Sep 2019 04:44:26 +0000
Subject: [gnutls-devel] GnuTLS | gnutls_session_get_data2: fix operation without a timeout callback (!1068)
References:
Message-ID:

Nikos Mavrogiannopoulos created a merge request: https://gitlab.com/gnutls/gnutls/merge_requests/1068

Project:Branches: nmav/gnutls:tmp-fix-session-get2 to gnutls/gnutls:master
Author: Nikos Mavrogiannopoulos

When TLS1.3 was introduced, gnutls_session_get_data2 was modified to assume that the callbacks set included the timeout one which was not previously necessary except for some special cases. This corrects that issue and makes sure that gnutls_session_get_data2() does not fail (but not necessarily succeed), if that timeout callback is not set.

## Checklist
 * [x] Commits have `Signed-off-by:` with name/author being identical to the commit author
 * [x] Code modified for feature
 * [x] Test suite updated with functionality tests
 * [x] Documentation updated / NEWS entry present (for non-trivial changes)
 * [x] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:
 * [ ] Any issues marked for closing are addressed
 * [ ] There is a test suite reasonably covering new functionality or modifications
 * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
 * [ ] This feature/change has adequate documentation added
 * [ ] No obvious mistakes in the code

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1068

From gnutls-devel at lists.gnutls.org Wed Sep 25 06:45:12 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 25 Sep 2019 04:45:12 +0000
Subject: [gnutls-devel] GnuTLS | gnutls_record_send() fails with GNUTLS_E_INVALID_REQUEST (#823)
In-Reply-To:
References:
Message-ID:

Reassigned Issue 823

https://gitlab.com/gnutls/gnutls/issues/823

Assignee changed to Nikos Mavrogiannopoulos

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/823
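
A pull-timeout callback of the kind Nikos Mavrogiannopoulos refers to in #823, for an application that replaces the pull function; this is an added example, not GnuTLS or glib-networking code. `struct transport`, `my_pull` and `my_pull_timeout` are hypothetical names, the callback shapes are those of `gnutls_pull_func` and `gnutls_pull_timeout_func`, and the demo input is a constructed socket pair.

```c
/* Added example: pull and pull-timeout callbacks for a custom GnuTLS
 * transport. Not GnuTLS or glib-networking code; names are hypothetical. */
#include <errno.h>
#include <limits.h>
#include <poll.h>
#include <stdio.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Same value as GNUTLS_INDEFINITE_TIMEOUT in <gnutls/gnutls.h>, repeated
 * here so the block builds without the GnuTLS headers. */
#define INDEFINITE_TIMEOUT ((unsigned int)-2)

/* Application transport state; passed to GnuTLS as the transport pointer
 * (gnutls_transport_ptr_t is a void pointer). */
struct transport { int fd; };

/* Shape of gnutls_pull_func: read up to len bytes, -1 with errno on error. */
ssize_t my_pull(void *ptr, void *buf, size_t len)
{
    struct transport *t = ptr;
    return recv(t->fd, buf, len, 0);
}

/* Shape of gnutls_pull_timeout_func.
 * Contract: > 0 data can be read, 0 timed out, -1 error (errno set).
 * ms == 0 must poll without blocking; INDEFINITE_TIMEOUT waits forever. */
int my_pull_timeout(void *ptr, unsigned int ms)
{
    struct transport *t = ptr;
    struct pollfd pfd = { .fd = t->fd, .events = POLLIN };
    int timeout, ret;

    if (ms == INDEFINITE_TIMEOUT)
        timeout = -1;
    else if (ms > (unsigned int)INT_MAX)
        timeout = INT_MAX;
    else
        timeout = (int)ms;

    do {
        /* After a signal the wait restarts with the full timeout. */
        ret = poll(&pfd, 1, timeout);
    } while (ret == -1 && errno == EINTR);

    if (ret <= 0)
        return ret;   /* 0: nothing arrived in time, -1: poll failed */
    return 1;         /* data, EOF or socket error: my_pull() reports which */
}

/* On a real session both callbacks are registered together:
 *   gnutls_transport_set_ptr(session, &t);
 *   gnutls_transport_set_pull_function(session, my_pull);
 *   gnutls_transport_set_pull_timeout_function(session, my_pull_timeout);
 * Registering only the pull function is the state that produces the
 * "pull function has been replaced but not the pull timeout" message. */

int main(void)
{
    int sv[2];
    struct transport t;

    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0)
        return 1;
    t.fd = sv[0];
    printf("idle socket, 0 ms:    %d\n", my_pull_timeout(&t, 0));
    if (write(sv[1], "x", 1) != 1)
        return 1;
    printf("after peer write:     %d\n", my_pull_timeout(&t, 50));
    close(sv[0]);
    close(sv[1]);
    return 0;
}
```

Returning 1 on EOF is deliberate: a late read, such as the one for an asynchronous TLS 1.3 session ticket, then reaches the pull function and sees the closed connection instead of waiting out the timeout.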

From gnutls-devel at lists.gnutls.org Wed Sep 25 06:54:18 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 25 Sep 2019 04:54:18 +0000
Subject: [gnutls-devel] GnuTLS | gnutls_session_get_data2: fix operation without a timeout callback (!1068)
In-Reply-To:
References:
Message-ID:

Nikos Mavrogiannopoulos pushed new commits to merge request !1068
https://gitlab.com/gnutls/gnutls/merge_requests/1068

* 294e4037 - gnutls_session_get_data2: fix operation without a timeout callback

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1068

From gnutls-devel at lists.gnutls.org Wed Sep 25 06:55:26 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 25 Sep 2019 04:55:26 +0000
Subject: [gnutls-devel] GnuTLS | gnutls_record_send() fails with GNUTLS_E_INVALID_REQUEST (#823)
In-Reply-To:
References:
Message-ID:

Nikos Mavrogiannopoulos commented:

I've proposed a fix in !1068

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/823#note_221638627

From gnutls-devel at lists.gnutls.org Wed Sep 25 06:55:31 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 25 Sep 2019 04:55:31 +0000
Subject: [gnutls-devel] GnuTLS | gnutls_record_send() fails with GNUTLS_E_INVALID_REQUEST (#823)
In-Reply-To:
References:
Message-ID:

Milestone changed to Release of GnuTLS 3.6.10 (Jul 26, 2019–Sep 25, 2019) ( https://gitlab.com/gnutls/gnutls/-/milestones/24 )

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/823

From gnutls-devel at lists.gnutls.org Wed Sep 25 07:01:01 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 25 Sep 2019 05:01:01 +0000
Subject: [gnutls-devel] GnuTLS | Minor inaccuracy in gnutls_record_send() documentation? (#806)
In-Reply-To:
References:
Message-ID:

Nikos Mavrogiannopoulos commented:

> I'm not sure what you would consider the intended API behavior to be. Do you think this is worth a new issue report?

You are right here. It was intended for DTLS where send is an all or nothing operation. Under TCP indeed, it is very hard for that to work correctly. I think we should document that as a DTLS/UDP only function.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/806#note_221639618

From gnutls-devel at lists.gnutls.org Wed Sep 25 07:05:01 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 25 Sep 2019 05:05:01 +0000
Subject: [gnutls-devel] GnuTLS | document limitations of gnutls_record_discard_queued() [ci skip] (!1069)

Nikos Mavrogiannopoulos created a merge request: https://gitlab.com/gnutls/gnutls/merge_requests/1069

Project:Branches: nmav/gnutls:tmp-fix-doc3 to gnutls/gnutls:master
Author: Nikos Mavrogiannopoulos

Relates: #806

## Checklist
* [x] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [x] Documentation updated / NEWS entry present (for non-trivial changes)
* [x] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:
* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1069

From gnutls-devel at lists.gnutls.org Wed Sep 25 14:43:18 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 25 Sep 2019 12:43:18 +0000
Subject: [gnutls-devel] GnuTLS | gnutls_session_get_data2: fix operation without a timeout callback (!1068)

Guido Trentalancia commented:

I have tested the following commit that you proposed:

https://gitlab.com/gnutls/gnutls/commit/294e4037bccfb163b2af06189d47d2409554cf92?merge_request_iid=1068

But unfortunately, it fixes loading https://github.com but not https://www.google.com

While trying to load Google, the browser gets stuck without actually loading the page or producing an error (as without the patch applied).

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1068#note_221852089

From gnutls-devel at lists.gnutls.org Wed Sep 25 14:44:22 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 25 Sep 2019 12:44:22 +0000
Subject: [gnutls-devel] GnuTLS | gnutls_session_get_data2: fix operation without a timeout callback (!1068)

Guido Trentalancia commented:

The above mentioned test has been carried out on latest version 3.6.9 (not development tree).

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1068#note_221852719

From gnutls-devel at lists.gnutls.org Wed Sep 25 15:22:43 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 25 Sep 2019 13:22:43 +0000
Subject: [gnutls-devel] GnuTLS | gnutls_session_get_data2: fix operation without a timeout callback (!1068)

Guido Trentalancia commented:

I have tested the latest git version with the patch applied and the result is the same: it gets stuck loading Google.com

There is actually an error being produced but not immediately and only after a sort of timeout:

Error writing data to TLS socket: The specified session has been invalidated for some reason.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1068#note_221874653

From gnutls-devel at lists.gnutls.org Wed Sep 25 16:26:05 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 25 Sep 2019 14:26:05 +0000
Subject: [gnutls-devel] GnuTLS | gnutls_session_get_data2: fix operation without a timeout callback (!1068)

Nikos Mavrogiannopoulos commented:

That can be a different issue. Would you like to send the logs possibly in a new issue?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1068#note_221918437

From gnutls-devel at lists.gnutls.org Wed Sep 25 16:30:40 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 25 Sep 2019 14:30:40 +0000
Subject: [gnutls-devel] GnuTLS | gnutls_session_get_data2: fix operation without a timeout callback (!1068)

Nikos Mavrogiannopoulos pushed new commits to merge request !1068
https://gitlab.com/gnutls/gnutls/merge_requests/1068

* 9b134f2e - gnutls_session_get_data2: fix operation without a timeout callback

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1068

From gnutls-devel at lists.gnutls.org Wed Sep 25 16:33:33 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 25 Sep 2019 14:33:33 +0000
Subject: [gnutls-devel] GnuTLS | gnutls_session_get_data2: fix operation without a timeout callback (!1068)

Nikos Mavrogiannopoulos pushed new commits to merge request !1068
https://gitlab.com/gnutls/gnutls/merge_requests/1068

* 4f09ff2d - gnutls_session_get_data2: fix operation without a timeout callback

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1068

From gnutls-devel at lists.gnutls.org Wed Sep 25 16:34:28 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 25 Sep 2019 14:34:28 +0000
Subject: [gnutls-devel] GnuTLS | gnutls_session_get_data2: fix operation without a timeout callback (!1068)

Nikos Mavrogiannopoulos commented:

Or maybe that's an omission from my part. Could you try the latest version of the fix?
https://gitlab.com/gnutls/gnutls/merge_requests/1068.patch

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1068#note_221923164

From gnutls-devel at lists.gnutls.org Wed Sep 25 16:44:02 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 25 Sep 2019 14:44:02 +0000
Subject: [gnutls-devel] GnuTLS | gnutls_session_get_data2: fix operation without a timeout callback (!1068)

Guido Trentalancia commented:

4f09ff2d (latest patch version) works fine and seems to resolve https://gitlab.com/gnutls/gnutls/issues/823

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1068#note_221928685

From gnutls-devel at lists.gnutls.org Wed Sep 25 16:54:52 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 25 Sep 2019 14:54:52 +0000
Subject: [gnutls-devel] GnuTLS | Support for raw public keys for gnutls-cli and gnutls-serv (!1059)

Tom commented on a discussion on src/cli.c: https://gitlab.com/gnutls/gnutls/merge_requests/1059#note_221934850

> const char *x509_cafile = NULL; > const char *x509_crlfile = NULL; > static int x509ctype; > +const char *rawpk_keyfile = NULL; > +const char *rawpk_file = NULL; > static int disable_extensions; > static int disable_sni; > -static unsigned int init_flags = GNUTLS_CLIENT; > +static unsigned int init_flags = GNUTLS_CLIENT | GNUTLS_ENABLE_RAWPK;

I'll update that

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1059#note_221934850

From gnutls-devel at lists.gnutls.org Wed Sep 25 16:56:52 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 25 Sep 2019 14:56:52 +0000
Subject: [gnutls-devel] GnuTLS | Support for raw public keys for gnutls-cli and gnutls-serv (!1059)

Tom commented on a discussion on src/serv-args.def: https://gitlab.com/gnutls/gnutls/merge_requests/1059#note_221935936

> }; > > +flag = { > + name = rawpkkeyfile; > + arg-type = string; > + descrip = "PKCS #8 or PKCS #12 key file to use"; > + doc = ""; > + max = 1; > +}; > + > +flag = { > + name = rawpkfile; > + arg-type = string; > + descrip = "Raw public-key file to use"; > + doc = ""; > + max = 1;

> Would it work if we ignore the problem until we have a need for that?

Yes, we can just leave the flags to `0` as it is now and wait until someone comes up with a scenario where the flags need to be set explicitly..
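
Review bot: In the src/cli.c hunk, the `init_flags` initializer now ORs in `GNUTLS_ENABLE_RAWPK`, so the flag is set for every gnutls-cli session whether or not a raw public key file was passed. Consider keeping the initializer as `GNUTLS_CLIENT` and adding `GNUTLS_ENABLE_RAWPK` only once `rawpk_file` and `rawpk_keyfile` have been set from the command line, so that existing invocations of the tool keep their current behaviour.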
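
Review bot: In the src/serv-args.def hunk, both new flags carry `doc = "";`, and the `rawpkkeyfile` description, "PKCS #8 or PKCS #12 key file to use", does not mention raw public keys at all. Suggest wording that description so it says the file is the private key that belongs to the raw public key, and filling in `doc` with the expected file format and whether `rawpkkeyfile` and `rawpkfile` have to be given together.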

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1059#note_221935936

From gnutls-devel at lists.gnutls.org Wed Sep 25 17:17:57 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 25 Sep 2019 15:17:57 +0000
Subject: [gnutls-devel] GnuTLS | Implement new requirements for GOST PublicKeyParameters (!1070)

Dmitry Eremin-Solenikov created a merge request: https://gitlab.com/gnutls/gnutls/merge_requests/1070

Project:Branches: GostCrypt/gnutls:new-gost-x509 to gnutls/gnutls:master
Author: Dmitry Eremin-Solenikov

Add a description of the new feature/bug fix. Reference any relevant bugs.

## Checklist
* [x] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [x] Code modified for feature
* [ ] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
* [x] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:
* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1070

From gnutls-devel at lists.gnutls.org Wed Sep 25 17:18:39 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 25 Sep 2019 15:18:39 +0000
Subject: [gnutls-devel] GnuTLS | Implement new requirements for GOST PublicKeyParameters (!1070)

Dmitry Eremin-Solenikov pushed new commits to merge request !1070
https://gitlab.com/gnutls/gnutls/merge_requests/1070

* 673352ab - nettle/pk: add support for "new" TC26 256 B curve

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1070

From gnutls-devel at lists.gnutls.org Wed Sep 25 19:16:13 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 25 Sep 2019 17:16:13 +0000
Subject: [gnutls-devel] GnuTLS | document limitations of gnutls_record_discard_queued() [ci skip] (!1069)

Michael Catanzaro started a new discussion on lib/record.c: https://gitlab.com/gnutls/gnutls/merge_requests/1069#note_221997388

> * gnutls_record_discard_queued: > * @session: is a #gnutls_session_t type. > * > - * This function discards all queued to be sent packets in a TLS or DTLS session. > + * This function discards all queued to be sent packets in a DTLS session. > * These are the packets queued after an interrupted gnutls_record_send(). > * > + * This function cannot only be used with transports where send() is

cannot -> can

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1069#note_221997388
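
Review bot: The first changed line narrows the description from "a TLS or DTLS session" to "a DTLS session", but the visible comment does not say what a caller should do after an interrupted gnutls_record_send() on a stream (TLS) session. Callers that relied on the old wording need that stated here, for example one sentence saying whether calling the function on a TLS session is unsupported or simply has no defined effect.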

From gnutls-devel at lists.gnutls.org Wed Sep 25 19:16:29 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 25 Sep 2019 17:16:29 +0000
Subject: [gnutls-devel] GnuTLS | document limitations of gnutls_record_discard_queued() [ci skip] (!1069)

Michael Catanzaro started a new discussion on lib/record.c: https://gitlab.com/gnutls/gnutls/merge_requests/1069#note_221997560

> * %NULL pointer for @data and 0 for @data_size, in order to write the > * same data as before. If you wish to discard the previous data instead > * of retrying, you must call gnutls_record_discard_queued() before > - * calling this function with different parameters. > + * calling this function with different parameters. Note that the latter

latter -> later

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1069#note_221997560

From gnutls-devel at lists.gnutls.org Wed Sep 25 19:29:11 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 25 Sep 2019 17:29:11 +0000
Subject: [gnutls-devel] GnuTLS | Implement new requirements for GOST PublicKeyParameters (!1070)

Nikos Mavrogiannopoulos commented:

I went through it and have few comments, but what I miss here is test cases for the newly added curves.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1070#note_222062944

From gnutls-devel at lists.gnutls.org Wed Sep 25 19:29:17 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 25 Sep 2019 17:29:17 +0000
Subject: [gnutls-devel] GnuTLS | Implement new requirements for GOST PublicKeyParameters (!1070)

Merge request https://gitlab.com/gnutls/gnutls/merge_requests/1070 was reviewed by Nikos Mavrogiannopoulos

--
Nikos Mavrogiannopoulos started a new discussion on lib/algorithms/ecc.c: https://gitlab.com/gnutls/gnutls/merge_requests/1070#note_222063269

> + .name = "GOST-256-TEST", > + .oid = "1.2.643.2.2.35.0", > + .id = GNUTLS_ECC_CURVE_GOST256TEST,

Do we need a curve marked as test? Why this number of curves in the gost side?

--
Nikos Mavrogiannopoulos started a new discussion on lib/x509/key_encode.c: https://gitlab.com/gnutls/gnutls/merge_requests/1070#note_222063299

> - } > + else > + oid = NULL;

When the digest is not set what is there some default implied?

--
Nikos Mavrogiannopoulos started a new discussion on lib/nettle/pk.c: https://gitlab.com/gnutls/gnutls/merge_requests/1070#note_222063353

> case GNUTLS_ECC_CURVE_GOST512A: > return nettle_get_gost_512a(); > + case GNUTLS_ECC_CURVE_GOST256B:

What about the other added curves?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1070

From gnutls-devel at lists.gnutls.org Wed Sep 25 19:34:35 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 25 Sep 2019 17:34:35 +0000
Subject: [gnutls-devel] GnuTLS | Add support for CNT_IMIT TLS 1.2 GOST cipher suite (!920)

Nikos Mavrogiannopoulos commented:

I think it is very big to review as it is. Would it make sense to split it into multiple self contained MRs?
Alternatively squash commits that bring a single as self contained as possible functionality (e.g., nettle/lib/tests) to a single commit so the number of commits is manageable on this MR?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/920#note_222092527

From gnutls-devel at lists.gnutls.org Wed Sep 25 19:39:49 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 25 Sep 2019 17:39:49 +0000
Subject: [gnutls-devel] GnuTLS | document limitations of gnutls_record_discard_queued() [ci skip] (!1069)

Nikos Mavrogiannopoulos commented on a discussion on lib/record.c: https://gitlab.com/gnutls/gnutls/merge_requests/1069#note_222110801

> * %NULL pointer for @data and 0 for @data_size, in order to write the > * same data as before. If you wish to discard the previous data instead > * of retrying, you must call gnutls_record_discard_queued() before > - * calling this function with different parameters. > + * calling this function with different parameters. Note that the latter

It is actually 'latter' I meant here. Did you understand something different?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1069#note_222110801
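
Review bot: In the added line ending "Note that the latter", the antecedent is ambiguous, because the sentence before it mentions both gnutls_record_discard_queued() and "this function". Naming the function the note is about instead of writing "the latter" removes the need for the reader to resolve the reference, and it also stops the word from being read as a typo for "later".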

From gnutls-devel at lists.gnutls.org Wed Sep 25 19:59:08 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 25 Sep 2019 17:59:08 +0000
Subject: [gnutls-devel] GnuTLS | Support QUIC TLS API (#826)

Aniketh Girish commented on a discussion: https://gitlab.com/gnutls/gnutls/issues/826#note_222127382

Hi @dueno

I have implemented the initial version of how `gnutls_set_secret_hook_function` should look like with `gnutls_secret_hook_func` callback. If possible, do let me know your reviews :). I have followed how the implementation of boringssl does the QUIC TLS API.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/826#note_222127382

From gnutls-devel at lists.gnutls.org Wed Sep 25 20:14:49 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 25 Sep 2019 18:14:49 +0000
Subject: [gnutls-devel] GnuTLS | P11tool improvements (!1071)

Dmitry Eremin-Solenikov created a merge request: https://gitlab.com/gnutls/gnutls/merge_requests/1071

Project:Branches: GostCrypt/gnutls:gost-pkcs11 to gnutls/gnutls:master
Author: Dmitry Eremin-Solenikov

* Print mechanism information in list-mechanisms
* Decode GOST mechanisms names

## Checklist
* [x] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [x] Code modified for feature
* [ ] Test suite updated with functionality tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
* [x] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:
* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values,
types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1071

From gnutls-devel at lists.gnutls.org Wed Sep 25 20:28:58 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 25 Sep 2019 18:28:58 +0000
Subject: [gnutls-devel] GnuTLS | Implement new requirements for GOST PublicKeyParameters (!1070)

Dmitry Eremin-Solenikov pushed new commits to merge request !1070
https://gitlab.com/gnutls/gnutls/merge_requests/1070

* 29eb3e4c - nettle/pk: add support for "new" TC26 256 B curve
* 2eb8b2a2 - lib: implement support for updated GOST PublicKeyParameters

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1070

From gnutls-devel at lists.gnutls.org Wed Sep 25 21:00:34 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 25 Sep 2019 19:00:34 +0000
Subject: [gnutls-devel] GnuTLS | Implement new requirements for GOST PublicKeyParameters (!1070)

Dmitry Eremin-Solenikov commented on a discussion: https://gitlab.com/gnutls/gnutls/merge_requests/1070#note_222162996

Yep, this is why I did not remove the check. Partially the changes are handled by `cert-tests/gost` check, because it generates I'm going probably to extend gost cert checks to verify that parsing new paramset works as expected.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1070#note_222162996

From gnutls-devel at lists.gnutls.org Wed Sep 25 21:04:30 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 25 Sep 2019 19:04:30 +0000
Subject: [gnutls-devel] GnuTLS | Implement new requirements for GOST PublicKeyParameters (!1070)

Dmitry Eremin-Solenikov commented on a discussion on lib/algorithms/ecc.c: https://gitlab.com/gnutls/gnutls/merge_requests/1070#note_222164376

> .gost_curve = 1, > .supported = 1, > }, > + { > + .name = "TC26-512-C", > + .oid = "1.2.643.7.1.2.1.2.3", > + .id = GNUTLS_ECC_CURVE_GOST512C, > + .pk = GNUTLS_PK_GOST_12_512, > + .size = 64, > + .gost_curve = 1, > + .supported = 1, > + }, > + { > + .name = "GOST-256-TEST", > + .oid = "1.2.643.2.2.35.0", > + .id = GNUTLS_ECC_CURVE_GOST256TEST,

It is not used in the field, but it is used in examples. I guess I'd remove this patch, especially since it's not supported by nettle backend (yet).

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1070#note_222164376
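
Review bot: The new "TC26-512-C" entry is added with `.supported = 1`, while the lib/nettle/pk.c hunk quoted in this thread shows a new case only for GNUTLS_ECC_CURVE_GOST256B. If `.supported` is what makes a curve selectable, an entry without a matching backend case would be offered and could not be used; either add the backend mapping in the same series or leave `.supported` unset for the curves the backend cannot serve yet, and add a test that walks this table against the backend switch.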

From gnutls-devel at lists.gnutls.org Wed Sep 25 21:05:51 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 25 Sep 2019 19:05:51 +0000
Subject: [gnutls-devel] GnuTLS | Implement new requirements for GOST PublicKeyParameters (!1070)

Dmitry Eremin-Solenikov commented on a discussion on lib/x509/key_encode.c: https://gitlab.com/gnutls/gnutls/merge_requests/1070#note_222164783

> + (params->curve == GNUTLS_ECC_CURVE_GOST256TEST || > + params->curve == GNUTLS_ECC_CURVE_GOST256CPA || > + params->curve == GNUTLS_ECC_CURVE_GOST256CPB || > + params->curve == GNUTLS_ECC_CURVE_GOST256CPC || > + params->curve == GNUTLS_ECC_CURVE_GOST256CPXA || > + params->curve == GNUTLS_ECC_CURVE_GOST256CPXB)) > oid = HASH_OID_STREEBOG_256; > - else if (params->algo == GNUTLS_PK_GOST_12_512) > - oid = HASH_OID_STREEBOG_512; > - else { > - gnutls_assert(); > - result = GNUTLS_E_INVALID_REQUEST; > - goto cleanup; > - } > + else > + oid = NULL;

The digest has 1:1 correspondence with pk algorithm. So historically it was a duplicate information. Now it is getting removed.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1070#note_222164783
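
Review bot: The final `else` used to call gnutls_assert() and fail with GNUTLS_E_INVALID_REQUEST; it now sets `oid = NULL`, so any `params->algo` and curve combination that matches none of the preceding branches is accepted silently. If NULL is meant to say "omit the digest parameter", keep that for the GOST cases that need it, retain the error return for algorithms this function should never see, and add a comment stating what a NULL `oid` means to the code that consumes it.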

From gnutls-devel at lists.gnutls.org Wed Sep 25 21:06:48 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 25 Sep 2019 19:06:48 +0000
Subject: [gnutls-devel] GnuTLS | Implement new requirements for GOST PublicKeyParameters (!1070)

Merge request https://gitlab.com/gnutls/gnutls/merge_requests/1070 was reviewed by Dmitry Eremin-Solenikov

--
Dmitry Eremin-Solenikov commented on a discussion on lib/nettle/pk.c: https://gitlab.com/gnutls/gnutls/merge_requests/1070#note_222165041

> case GNUTLS_ECC_CURVE_GOST512A: > return nettle_get_gost_512a(); > + case GNUTLS_ECC_CURVE_GOST256B:

Not supported w/o changing nettle code. See [this thread](https://lists.lysator.liu.se/pipermail/nettle-bugs/2019/thread.html#7499).

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1070

From gnutls-devel at lists.gnutls.org Wed Sep 25 21:11:18 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 25 Sep 2019 19:11:18 +0000
Subject: [gnutls-devel] GnuTLS | Add support for CNT_IMIT TLS 1.2 GOST cipher suite (!920)

Dmitry Eremin-Solenikov commented:

Sure, I will try to

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/920#note_222166288

From gnutls-devel at lists.gnutls.org Wed Sep 25 21:11:56 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 25 Sep 2019 19:11:56 +0000
Subject: [gnutls-devel] GnuTLS | document limitations of gnutls_record_discard_queued() [ci skip] (!1069)

Michael Catanzaro commented on a discussion on lib/record.c: https://gitlab.com/gnutls/gnutls/merge_requests/1069#note_222166491

> * %NULL pointer for @data and 0 for @data_size, in order to write the > * same data as before. If you wish to discard the previous data instead > * of retrying, you must call gnutls_record_discard_queued() before > - * calling this function with different parameters. > + * calling this function with different parameters. Note that the latter

No, but apparently I've been misspelling this word for a long time....

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1069#note_222166491

From gnutls-devel at lists.gnutls.org Wed Sep 25 21:18:56 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 25 Sep 2019 19:18:56 +0000
Subject: [gnutls-devel] GnuTLS | P11tool improvements (!1071)

Dmitry Eremin-Solenikov pushed new commits to merge request !1071
https://gitlab.com/gnutls/gnutls/merge_requests/1071

* fcf460b3 - p11tool: print GOST vendor-private mechanisms

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1071

From gnutls-devel at lists.gnutls.org Wed Sep 25 21:20:25 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 25 Sep 2019 19:20:25 +0000
Subject: [gnutls-devel] GnuTLS | GOST-CNT split, part 1 (!1072)

Dmitry Eremin-Solenikov created a merge request: https://gitlab.com/gnutls/gnutls/merge_requests/1072

Project:Branches: GostCrypt/gnutls:gost-split-1 to gnutls/gnutls:master
Author: Dmitry Eremin-Solenikov

Cryptography-related changes to lib/nettle

## Checklist
* [x] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [x] Code modified for feature
* [x] Test suite updated with functionality tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
* [x] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:
* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1072

From gnutls-devel at lists.gnutls.org Wed Sep 25 21:46:14 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 25 Sep 2019 19:46:14 +0000
Subject: [gnutls-devel] GnuTLS | document limitations of gnutls_record_discard_queued() [ci skip] (!1069)

Nikos Mavrogiannopoulos commented on a discussion on lib/record.c: https://gitlab.com/gnutls/gnutls/merge_requests/1069#note_222178842

> * %NULL pointer for @data and 0 for @data_size, in order to write the > * same data as before. If you wish to discard the previous data instead > * of retrying, you must call gnutls_record_discard_queued() before > - * calling this function with different parameters. > + * calling this function with different parameters. Note that the latter

:)

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1069#note_222178842

From gnutls-devel at lists.gnutls.org Wed Sep 25 23:37:50 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 25 Sep 2019 21:37:50 +0000
Subject: [gnutls-devel] GnuTLS | gnutls_session_get_data2: fix operation without a timeout callback (!1068)

Michael Catanzaro started a new discussion on lib/session.c: https://gitlab.com/gnutls/gnutls/merge_requests/1068#note_222210138

> * received, will return session resumption data corresponding to the last > * received ticket. > * > + * Note that this function under TLS1.3 it requires a callback to be set with

Drop the word "it" here

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1068#note_222210138
From gnutls-devel at lists.gnutls.org Wed Sep 25 23:45:16 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 25 Sep 2019 21:45:16 +0000
Subject: [gnutls-devel] GnuTLS | gnutls_record_send() fails with GNUTLS_E_INVALID_REQUEST (#823)

Michael Catanzaro commented:

> As many applications set `gnutls_transport_set_pull_timeout_function` anyway, an issue like that may not have been noticed. Could that be the case here? (does glib-networking set the pull timeout?)

Hm, this is really weird, because we do set the pull timeout func, always, since glib-networking 2.56. We do it right after setting the normal pull func, in g_tls_connection_gnutls_initable_init(). The only way they could ever not be set is if initialization fails, in which case g_tls_connection_new() will actually return NULL instead of a GTlsConnection, so there's no way applications could try to use it. And there's no way one but not the other could ever be set, because they're always set immediately after the other. The code looks like this:

```
gnutls_transport_set_push_function (priv->session, g_tls_connection_gnutls_push_func);
gnutls_transport_set_pull_function (priv->session, g_tls_connection_gnutls_pull_func);
gnutls_transport_set_pull_timeout_function (priv->session, g_tls_connection_gnutls_pull_timeout_func);
```

So something strange must be going wrong for GnuTLS to think we haven't set that func.

@gtrentalancia is it possible you're using glib-networking older than 2.56? That would be really weird if you have GnuTLS 3.6, but that's my only guess here. GnuTLS 3.6 is not compatible with older versions of glib-networking.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/823#note_222212337
From gnutls-devel at lists.gnutls.org Thu Sep 26 07:14:07 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 26 Sep 2019 05:14:07 +0000
Subject: [gnutls-devel] GnuTLS | gnutls_session_get_data2: fix operation without a timeout callback (!1068)

Nikos Mavrogiannopoulos pushed new commits to merge request !1068
https://gitlab.com/gnutls/gnutls/merge_requests/1068

* af4e4edc - gnutls_session_get_data2: fix operation without a timeout callback

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1068

From gnutls-devel at lists.gnutls.org Thu Sep 26 07:14:09 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 26 Sep 2019 05:14:09 +0000
Subject: [gnutls-devel] GnuTLS | gnutls_session_get_data2: fix operation without a timeout callback (!1068)

Nikos Mavrogiannopoulos commented:

Done

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1068#note_222308565
From gnutls-devel at lists.gnutls.org Thu Sep 26 07:14:22 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 26 Sep 2019 05:14:22 +0000
Subject: [gnutls-devel] GnuTLS | gnutls_session_get_data2: fix operation without a timeout callback (!1068)

All discussions on Merge Request !1068 were resolved by Nikos Mavrogiannopoulos
https://gitlab.com/gnutls/gnutls/merge_requests/1068

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1068

From gnutls-devel at lists.gnutls.org Thu Sep 26 07:28:52 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 26 Sep 2019 05:28:52 +0000
Subject: [gnutls-devel] GnuTLS | gnutls uses libidn2 internal symbols which were dropped (#832)

Milestone changed to Release of GnuTLS 3.6.11 (Oct 1, 2019–Dec 1, 2019) ( https://gitlab.com/gnutls/gnutls/-/milestones/25 )

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/832

From gnutls-devel at lists.gnutls.org Thu Sep 26 07:29:23 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 26 Sep 2019 05:29:23 +0000
Subject: [gnutls-devel] GnuTLS | wrong text relocations on i386 due to non-PIC assembly (#818)

Nikos Mavrogiannopoulos commented:

@ametzler would you like to send a patch for it?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/818#note_222311278
From gnutls-devel at lists.gnutls.org Thu Sep 26 07:29:48 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 26 Sep 2019 05:29:48 +0000
Subject: [gnutls-devel] GnuTLS | gnutls_base64_decode2 gives an error on empty input (#834)

Milestone changed to Release of GnuTLS 3.6.11 (Oct 1, 2019–Dec 1, 2019) ( https://gitlab.com/gnutls/gnutls/-/milestones/25 )

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/834

From gnutls-devel at lists.gnutls.org Thu Sep 26 07:30:01 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 26 Sep 2019 05:30:01 +0000
Subject: [gnutls-devel] GnuTLS | Certtool doesn't add CDP from the template (#765)

Milestone changed to Release of GnuTLS 3.6.11 (Oct 1, 2019–Dec 1, 2019) ( https://gitlab.com/gnutls/gnutls/-/milestones/25 )

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/765
From gnutls-devel at lists.gnutls.org Thu Sep 26 07:30:05 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 26 Sep 2019 05:30:05 +0000
Subject: [gnutls-devel] GnuTLS | Name constraints apply to CN when no SubAltName.DNS is present and the CN is not a valid DNS name (#776)

Milestone changed to Release of GnuTLS 3.6.11 (Oct 1, 2019–Dec 1, 2019) ( https://gitlab.com/gnutls/gnutls/-/milestones/25 )

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/776

From gnutls-devel at lists.gnutls.org Thu Sep 26 08:56:35 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 26 Sep 2019 06:56:35 +0000
Subject: [gnutls-devel] GnuTLS | Support QUIC TLS API (#826)

Daiki Ueno commented on a discussion: https://gitlab.com/gnutls/gnutls/issues/826#note_222334154

You can always file a merge request with a "WIP:" prefix so people can review and discuss. However, after a brief look at your branch, I would suggest:

- read CONTRIBUTING.md; we use "linux" indentation style and there is a naming guideline of functions and data types
- please organize your commits in logical units (with git rebase -i)

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/826#note_222334154
From gnutls-devel at lists.gnutls.org Thu Sep 26 09:03:27 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 26 Sep 2019 07:03:27 +0000
Subject: [gnutls-devel] GnuTLS | Support QUIC TLS API (#826)

Aniketh Girish commented on a discussion: https://gitlab.com/gnutls/gnutls/issues/826#note_222336616

Sure, I can send in a WIP pull request.

About (1), sure, thanks for pointing it out. I will look into it straight away :)

(2) sure, since it was just a personal repo, I thought I would rebase it once I was to send a pull request. Anyways, will do it soon!

Btw, did you get a chance to review the code? Looks good enough? I'm just starting out with TLS-related implementation as well, so it would be great if you would give me a few pointers on the same :)

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/826#note_222336616

From gnutls-devel at lists.gnutls.org Thu Sep 26 09:20:16 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 26 Sep 2019 07:20:16 +0000
Subject: [gnutls-devel] GnuTLS | Support QUIC TLS API (#826)

Daiki Ueno commented on a discussion: https://gitlab.com/gnutls/gnutls/issues/826#note_222343065

> Btw, did you get a chance to review the code?

Yes.

> Looks good enough?

Sorry, I'm afraid not. I expect at least a test case that tells what you are trying to achieve (and I don't think the current code does anything meaningful: for example, `gnutls_quic_secret_hook_exchange` would only work after the handshake is complete, which is useless in QUIC).

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/826#note_222343065
From gnutls-devel at lists.gnutls.org Thu Sep 26 09:41:09 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 26 Sep 2019 07:41:09 +0000
Subject: [gnutls-devel] GnuTLS | Support QUIC TLS API (#826)

Aniketh Girish commented on a discussion: https://gitlab.com/gnutls/gnutls/issues/826#note_222353674

Yes very true. I was trying to figure out which function in gnutls would help me to do so?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/826#note_222353674

From gnutls-devel at lists.gnutls.org Thu Sep 26 12:32:25 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 26 Sep 2019 10:32:25 +0000
Subject: [gnutls-devel] GnuTLS | fips: Improve signatures self-tests (!1073)

Daiki Ueno created a merge request: https://gitlab.com/gnutls/gnutls/merge_requests/1073

Branches: tmp-fips-sign-post to master
Author: Daiki Ueno

Patches are from @ansasaki.
## Checklist
* [x] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [ ] Code modified for feature
* [ ] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
* [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:
* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1073

From gnutls-devel at lists.gnutls.org Thu Sep 26 13:19:30 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 26 Sep 2019 11:19:30 +0000
Subject: [gnutls-devel] GnuTLS | gnutls_session_get_data2: fix operation without a timeout callback (!1068)

Merge Request !1068 was approved by Daiki Ueno

Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/1068
Project:Branches: nmav/gnutls:tmp-fix-session-get2 to gnutls/gnutls:master
Author: Nikos Mavrogiannopoulos
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1068
From gnutls-devel at lists.gnutls.org Thu Sep 26 13:20:03 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 26 Sep 2019 11:20:03 +0000
Subject: [gnutls-devel] GnuTLS | gnutls_session_get_data2: fix operation without a timeout callback (!1068)

Daiki Ueno commented:

Looks good to me.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1068#note_222487637

From gnutls-devel at lists.gnutls.org Thu Sep 26 13:37:11 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 26 Sep 2019 11:37:11 +0000
Subject: [gnutls-devel] GnuTLS | gnutls_record_send() fails with GNUTLS_E_INVALID_REQUEST (#823)

Issue was closed by Nikos Mavrogiannopoulos via merge request !1068 (https://gitlab.com/gnutls/gnutls/merge_requests/1068)

Issue #823: https://gitlab.com/gnutls/gnutls/issues/823

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/823

From gnutls-devel at lists.gnutls.org Thu Sep 26 13:37:17 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 26 Sep 2019 11:37:17 +0000
Subject: [gnutls-devel] GnuTLS | gnutls_session_get_data2: fix operation without a timeout callback (!1068)

Reassigned Merge Request 1068
https://gitlab.com/gnutls/gnutls/merge_requests/1068

Assignee changed to Nikos Mavrogiannopoulos

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1068
From gnutls-devel at lists.gnutls.org Thu Sep 26 13:37:14 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 26 Sep 2019 11:37:14 +0000
Subject: [gnutls-devel] GnuTLS | gnutls_session_get_data2: fix operation without a timeout callback (!1068)

Nikos Mavrogiannopoulos commented:

Thank you!

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1068#note_222502173

From gnutls-devel at lists.gnutls.org Thu Sep 26 13:37:11 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 26 Sep 2019 11:37:11 +0000
Subject: [gnutls-devel] GnuTLS | gnutls_session_get_data2: fix operation without a timeout callback (!1068)

Merge Request !1068 was merged

Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/1068
Project:Branches: nmav/gnutls:tmp-fix-session-get2 to gnutls/gnutls:master
Author: Nikos Mavrogiannopoulos
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1068
From gnutls-devel at lists.gnutls.org Thu Sep 26 14:54:46 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 26 Sep 2019 12:54:46 +0000
Subject: [gnutls-devel] GnuTLS | fips: Improve signatures self-tests (!1073)

Merge request https://gitlab.com/gnutls/gnutls/merge_requests/1073 was reviewed by Nikos Mavrogiannopoulos

--
Nikos Mavrogiannopoulos started a new discussion on lib/crypto-selftests-pk.c: https://gitlab.com/gnutls/gnutls/merge_requests/1073#note_222543001

> }
>
> + /* Compare with a stored known signature */

What is the difference of this with `PK_KNOWN_TEST(GNUTLS_PK_RSA, ...)`?

--
Nikos Mavrogiannopoulos started a new discussion on lib/crypto-selftests-pk.c: https://gitlab.com/gnutls/gnutls/merge_requests/1073#note_222543004

>
> - /* Test if the signature we generate matches the stored */
> + ret = gnutls_privkey_sign_data(key, dig, 0, &signed_data, &sig);

I see two tests in that file:

- `PK_KNOWN_TEST` which tests the deterministic sigs with comparison
- `PK_TEST` for other cases

It is not clear to me what is the purpose here. This patch seems to be making PK_KNOWN_TEST behave like PK_TEST?

--
Nikos Mavrogiannopoulos started a new discussion on lib/crypto-selftests-pk.c: https://gitlab.com/gnutls/gnutls/merge_requests/1073#note_222543008

> return 0;
>
> + PK_TEST(GNUTLS_PK_DSA, test_sig, 3072, GNUTLS_SIGN_DSA_SHA256);

Why do we do that? Why not keep a consistent behavior in the number of tests we run? Is it to make FIPS mode startup faster? I think this may be hard to follow due to hidden context.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1073
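Review bot: in the lib/crypto-selftests-pk.c hunk that adds `ret = gnutls_privkey_sign_data(key, dig, 0, &signed_data, &sig);`, the removed comment was the only visible statement that the generated signature is compared against the stored one, and the added call carries no comment saying what is asserted on `sig`. For a FIPS self-test the distinction matters: a known-answer comparison catches an implementation that is wrong but self-consistent, while sign-then-verify does not. Suggest keeping a comment at this call that states which of the two this path performs, and confirming that `ret` is checked before `sig` is used.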
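Review bot: the added `PK_TEST(GNUTLS_PK_DSA, test_sig, 3072, GNUTLS_SIGN_DSA_SHA256);` in lib/crypto-selftests-pk.c sits directly after a `return 0;` context line with no comment, so the hunk does not show under which condition the DSA test runs or is skipped. Suggest a one-line comment above it naming the condition that guards it, so the self-test coverage in each mode can be audited from the source.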
From gnutls-devel at lists.gnutls.org Thu Sep 26 15:12:48 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 26 Sep 2019 13:12:48 +0000
Subject: [gnutls-devel] GnuTLS | wrong text relocations on i386 due to non-PIC assembly (#818)

Andreas Metzler commented:

Nikos wrote
> @ametzler would you like to send a patch for it? I'm planning to get the release in the next few days.

I would, but I won't have time before the weekend.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/818#note_222554099

From gnutls-devel at lists.gnutls.org Thu Sep 26 15:53:46 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 26 Sep 2019 13:53:46 +0000
Subject: [gnutls-devel] GnuTLS | Support QUIC TLS API (#826)

Daiki Ueno commented on a discussion: https://gitlab.com/gnutls/gnutls/issues/826#note_222581054

Are you asking how to write tests, or how to hook key scheduling? The former is well explained in CONTRIBUTING.md, and for the latter see the last paragraph of [my previous comment](https://gitlab.com/gnutls/gnutls/issues/826#note_217655808).

If you need any realtime assistance I will be available on the matrix room mentioned on https://www.gnutls.org/support.html.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/826#note_222581054
From gnutls-devel at lists.gnutls.org Thu Sep 26 16:54:27 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 26 Sep 2019 14:54:27 +0000
Subject: [gnutls-devel] GnuTLS | ext/supported_versions: reorder client precedence if necessary (!1074)

Daiki Ueno created a merge request: https://gitlab.com/gnutls/gnutls/merge_requests/1074

Branches: tmp-supported-versions to master
Author: Daiki Ueno

If the client advertises TLS < 1.2 before TLS 1.3 and the server is configured with TLS 1.3 enabled, the server should select TLS 1.3; otherwise the client will disconnect when seeing downgrade sentinel.

Fixes #837.

## Checklist
* [x] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [ ] Code modified for feature
* [x] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
* [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:
* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1074
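The failure described in the !1074 message above, as an added example (not GnuTLS code and not part of the original message): a C model of server version selection from the client's `supported_versions` list together with the RFC 8446 section 4.1.3 downgrade sentinel that makes a TLS 1.3-capable client abort. All function names, the constructed version lists and the 0xA5 filler are assumptions of this example; it treats any pre-1.3 version listed ahead of TLS 1.3 the same way, which is broader than the "TLS < 1.2" case in the description.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* TLS protocol version codes as they appear on the wire. */
enum { TLS1_0 = 0x0301, TLS1_1 = 0x0302, TLS1_2 = 0x0303, TLS1_3 = 0x0304 };

#define RANDOM_LEN 32
#define SENTINEL_LEN 8
#define COUNT(a) (sizeof(a) / sizeof((a)[0]))

/* RFC 8446 section 4.1.3: "DOWNGRD" then 0x01 (TLS 1.2) or 0x00 (TLS 1.1 and older). */
static const uint8_t SENTINEL_TLS12[SENTINEL_LEN] =
    { 0x44, 0x4F, 0x57, 0x4E, 0x47, 0x52, 0x44, 0x01 };
static const uint8_t SENTINEL_OLDER[SENTINEL_LEN] =
    { 0x44, 0x4F, 0x57, 0x4E, 0x47, 0x52, 0x44, 0x00 };

/* Constructed sample version lists in preference order (not captured traffic). */
static const uint16_t CLIENT_OLD_FIRST[] = { TLS1_1, TLS1_3, TLS1_2 };
static const uint16_t CLIENT_NO_TLS13[] = { TLS1_2, TLS1_1 };
static const uint16_t SERVER_WITH_TLS13[] = { TLS1_3, TLS1_2, TLS1_1 };
static const uint16_t SERVER_NO_TLS13[] = { TLS1_2, TLS1_1 };

static int has_version(const uint16_t *list, size_t n, uint16_t v)
{
    for (size_t i = 0; i < n; i++)
        if (list[i] == v)
            return 1;
    return 0;
}

/* Strict client precedence: first client entry the server also enables, 0 if none. */
static uint16_t select_client_order(const uint16_t *cli, size_t nc,
                                    const uint16_t *srv, size_t ns)
{
    for (size_t i = 0; i < nc; i++)
        if (has_version(srv, ns, cli[i]))
            return cli[i];
    return 0;
}

/* Reordered precedence: TLS 1.3 wins whenever both sides enable it. */
static uint16_t select_reordered(const uint16_t *cli, size_t nc,
                                 const uint16_t *srv, size_t ns)
{
    if (has_version(cli, nc, TLS1_3) && has_version(srv, ns, TLS1_3))
        return TLS1_3;
    return select_client_order(cli, nc, srv, ns);
}

/* Server side: a TLS 1.3-capable server that negotiates an older version
 * overwrites the last 8 bytes of ServerHello.random with a sentinel. */
static void server_fill_random(uint8_t random[RANDOM_LEN], int srv_has_tls13,
                               uint16_t negotiated)
{
    memset(random, 0xA5, RANDOM_LEN); /* constructed stand-in for random bytes */
    if (!srv_has_tls13 || negotiated >= TLS1_3)
        return;
    memcpy(random + RANDOM_LEN - SENTINEL_LEN,
           negotiated == TLS1_2 ? SENTINEL_TLS12 : SENTINEL_OLDER, SENTINEL_LEN);
}

/* Client side: 1 if the client offered TLS 1.3, was given an older version
 * and finds either sentinel in the tail of ServerHello.random. */
static int client_detects_downgrade(const uint8_t random[RANDOM_LEN],
                                    int cli_has_tls13, uint16_t negotiated)
{
    const uint8_t *tail = random + RANDOM_LEN - SENTINEL_LEN;

    if (!cli_has_tls13 || negotiated >= TLS1_3)
        return 0;
    return memcmp(tail, SENTINEL_TLS12, SENTINEL_LEN) == 0 ||
           memcmp(tail, SENTINEL_OLDER, SENTINEL_LEN) == 0;
}

/* Returns the negotiated version, or 0 when there is no common version or
 * the client aborts on the sentinel. reorder selects the selection policy. */
uint16_t negotiate(const uint16_t *cli, size_t nc,
                   const uint16_t *srv, size_t ns, int reorder)
{
    uint8_t random[RANDOM_LEN];
    uint16_t v = reorder ? select_reordered(cli, nc, srv, ns)
                         : select_client_order(cli, nc, srv, ns);

    if (v == 0)
        return 0;
    server_fill_random(random, has_version(srv, ns, TLS1_3), v);
    if (client_detects_downgrade(random, has_version(cli, nc, TLS1_3), v))
        return 0;
    return v;
}

#define RUN(c, s, r) negotiate(c, COUNT(c), s, COUNT(s), r)

int main(void)
{
    printf("old-first client, client order: 0x%04x\n",
           (unsigned)RUN(CLIENT_OLD_FIRST, SERVER_WITH_TLS13, 0));
    printf("old-first client, reordered:    0x%04x\n",
           (unsigned)RUN(CLIENT_OLD_FIRST, SERVER_WITH_TLS13, 1));
    printf("client without TLS 1.3:         0x%04x\n",
           (unsigned)RUN(CLIENT_NO_TLS13, SERVER_WITH_TLS13, 0));
    printf("server without TLS 1.3:         0x%04x\n",
           (unsigned)RUN(CLIENT_OLD_FIRST, SERVER_NO_TLS13, 1));
    return 0;
}
```

A result of 0 means the handshake did not complete; with strict client order that is the "Detected downgrade" failure reported in #837.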
From gnutls-devel at lists.gnutls.org Thu Sep 26 17:26:56 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 26 Sep 2019 15:26:56 +0000
Subject: [gnutls-devel] GnuTLS | wrong text relocations on i386 due to non-PIC assembly (#818)

Nikos Mavrogiannopoulos commented:

I could delay release for Sunday. Would it help?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/818#note_222633680

From gnutls-devel at lists.gnutls.org Thu Sep 26 17:41:04 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 26 Sep 2019 15:41:04 +0000
Subject: [gnutls-devel] GnuTLS | ext/supported_versions: reorder client precedence if necessary (!1074)

Nikos Mavrogiannopoulos commented:

Looks good to me. Would you like to add a NEWS entry as well? As it is a behavioral change I think it should be there.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1074#note_222641231
From gnutls-devel at lists.gnutls.org Thu Sep 26 17:41:08 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 26 Sep 2019 15:41:08 +0000
Subject: [gnutls-devel] GnuTLS | ext/supported_versions: reorder client precedence if necessary (!1074)

Merge Request !1074 was approved by Nikos Mavrogiannopoulos

Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/1074
Branches: tmp-supported-versions to master
Author: Daiki Ueno
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1074

From gnutls-devel at lists.gnutls.org Thu Sep 26 17:41:31 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 26 Sep 2019 15:41:31 +0000
Subject: [gnutls-devel] GnuTLS | gnutls-serv and gnutls-client fail with "Detected downgrade to TLS 1.2 from TLS 1.3" (#837)

Milestone changed to Release of GnuTLS 3.6.10 (Jul 26, 2019–Sep 25, 2019) ( https://gitlab.com/gnutls/gnutls/-/milestones/24 )

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/837
From gnutls-devel at lists.gnutls.org Fri Sep 27 10:15:11 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 27 Sep 2019 08:15:11 +0000
Subject: [gnutls-devel] GnuTLS | ext/supported_versions: reorder client precedence if necessary (!1074)

Daiki Ueno pushed new commits to merge request !1074
https://gitlab.com/gnutls/gnutls/merge_requests/1074

* 3fd28f9a - ext/supported_versions: reorder client precedence if necessary

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1074

From gnutls-devel at lists.gnutls.org Fri Sep 27 11:58:35 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 27 Sep 2019 09:58:35 +0000
Subject: [gnutls-devel] GnuTLS | gnutls-serv and gnutls-client fail with "Detected downgrade to TLS 1.2 from TLS 1.3" (#837)

Issue was closed by Daiki Ueno via merge request !1074 (https://gitlab.com/gnutls/gnutls/merge_requests/1074)

Issue #837: https://gitlab.com/gnutls/gnutls/issues/837

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/837
From gnutls-devel at lists.gnutls.org Fri Sep 27 11:58:35 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 27 Sep 2019 09:58:35 +0000
Subject: [gnutls-devel] GnuTLS | ext/supported_versions: reorder client precedence if necessary (!1074)

Merge Request !1074 was merged

Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/1074
Branches: tmp-supported-versions to master
Author: Daiki Ueno
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1074

From gnutls-devel at lists.gnutls.org Fri Sep 27 12:22:09 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 27 Sep 2019 10:22:09 +0000
Subject: [gnutls-devel] GnuTLS | certtool --p7-verify does not mention expired certificates (#839)

Dmitry Eremin-Solenikov created an issue: https://gitlab.com/gnutls/gnutls/issues/839

## Description of problem:

If one of the certificates in a chain is expired, `certtool --p7-verify` will just print that

```
Signature status: verification failed: Public key signature verification has failed.
```

without any additional information.

Compare this with `certtool --verify` output:

```
Chain verification output: Not verified. The certificate is NOT trusted. The certificate chain uses expired certificate.
```

Which gives more precise information.
## Version of gnutls used:
3.6.9

## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)
Debian

## How reproducible:

Steps to Reproduce:

* `certtool --p7-verify --infile outdated-data.sig --load-data outdated-data --inder -d 99 --load-ca-cert ../grfc.crt`

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/839

From gnutls-devel at lists.gnutls.org Fri Sep 27 16:32:15 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 27 Sep 2019 14:32:15 +0000
Subject: [gnutls-devel] GnuTLS | x509: add support for Russian extensions defined for qualified certificate (!1075)

Dmitry Eremin-Solenikov created a merge request: https://gitlab.com/gnutls/gnutls/merge_requests/1075

Project:Branches: GostCrypt/gnutls:gost-attrs to gnutls/gnutls:master
Author: Dmitry Eremin-Solenikov

Add a description of the new feature/bug fix. Reference any relevant bugs.
## Checklist
* [x] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [x] Code modified for feature
* [x] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
* [x] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:
* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1075

From gnutls-devel at lists.gnutls.org Fri Sep 27 19:21:11 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 27 Sep 2019 17:21:11 +0000
Subject: [gnutls-devel] GnuTLS | x509: add support for Russian extensions defined for qualified certificate (!1075)

Dmitry Eremin-Solenikov pushed new commits to merge request !1075
https://gitlab.com/gnutls/gnutls/merge_requests/1075

* 0f9960bc - x509: add support for Russian extensions defined for qualified certificate

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1075
From gnutls-devel at lists.gnutls.org Sat Sep 28 12:49:44 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 28 Sep 2019 10:49:44 +0000
Subject: [gnutls-devel] GnuTLS | certtool: ensure that PKCS#8 file does not contain key description (!1076)

Nikos Mavrogiannopoulos created a merge request: https://gitlab.com/gnutls/gnutls/merge_requests/1076

Project:Branches: nmav/gnutls:tmp-no-pkcs8-text to gnutls/gnutls:master
Author: Nikos Mavrogiannopoulos

This makes sure that no textual description of keys is prepended on encrypted PKCS#8 files.

## Checklist
* [x] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [x] Code modified for feature
* [x] Test suite updated with functionality tests
* [x] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
* [x] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:
* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1076
From gnutls-devel at lists.gnutls.org Sat Sep 28 12:52:15 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 28 Sep 2019 10:52:15 +0000
Subject: [gnutls-devel] GnuTLS | certtool --p7-verify does not mention expired certificates (#839)

Milestone changed to Release of GnuTLS 3.6.11 (Oct 1, 2019–Dec 1, 2019) ( https://gitlab.com/gnutls/gnutls/-/milestones/25 )

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/839

From gnutls-devel at lists.gnutls.org Sat Sep 28 12:59:01 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 28 Sep 2019 10:59:01 +0000
Subject: [gnutls-devel] GnuTLS | HMAC-SHA256 missing from NORMAL (#831)

Issue was closed by Nikos Mavrogiannopoulos

Issue #831: https://gitlab.com/gnutls/gnutls/issues/831

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/831

From gnutls-devel at lists.gnutls.org Sat Sep 28 13:09:07 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 28 Sep 2019 11:09:07 +0000
Subject: [gnutls-devel] GnuTLS | certtool: ensure that PKCS#8 file does not contain key description (!1076)

Dmitry Eremin-Solenikov started a new discussion on src/certtool.c: https://gitlab.com/gnutls/gnutls/merge_requests/1076#note_223408639

> cinfo.outcert_format = outcert_format; > cinfo.outtext = ENABLED_OPT(TEXT) && outcert_format == GNUTLS_X509_FMT_PEM; > > + if (cinfo.pkcs8 && cinfo.outtext)

What about checking for `cinfo.password` here rather than `cinfo.pkcs8`? There are valid usecases when a user will output PKCS#8 key without encryption.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1076#note_223408639

From gnutls-devel at lists.gnutls.org Sat Sep 28 13:12:50 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 28 Sep 2019 11:12:50 +0000
Subject: [gnutls-devel] GnuTLS | GOST-CNT split, part 1 (!1072)

Nikos Mavrogiannopoulos commented:

In my opinion that's ready for the CNT and IMIT, but the VKO and keywrapping do not really make much sense. If that's the last gost MR, we have added dead code which is neither used internally nor can be used externally.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1072#note_223408944

From gnutls-devel at lists.gnutls.org Sat Sep 28 13:12:53 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 28 Sep 2019 11:12:53 +0000
Subject: [gnutls-devel] GnuTLS | GOST-CNT split, part 1 (!1072)

Merge request https://gitlab.com/gnutls/gnutls/merge_requests/1072 was reviewed by Nikos Mavrogiannopoulos

--
Nikos Mavrogiannopoulos started a new discussion on lib/nettle/gost/gost28147.h: https://gitlab.com/gnutls/gnutls/merge_requests/1072#note_223408949

> > +void > +gost28147_kdf_cryptopro(const struct gost28147_param *param,

This doesn't seem to be used by this patch set, nor has any tests (unit or higher level).

--
Nikos Mavrogiannopoulos started a new discussion on lib/nettle/gost/gostdsa.h: https://gitlab.com/gnutls/gnutls/merge_requests/1072#note_223408950

> > +int > +gostdsa_vko(const struct ecc_scalar *key,

Same as the other one. It doesn't seem to be used by this patch set, nor has any tests (unit or higher level).

--
Nikos Mavrogiannopoulos started a new discussion on lib/nettle/cipher.c: https://gitlab.com/gnutls/gnutls/merge_requests/1072#note_223408951

> .set_decrypt_key = _gost28147_set_key_cpd, > }, > + {

Not sure it makes sense to separate the commits of lib and nettle because they are kind of interdependent for the functionality.

--
Nikos Mavrogiannopoulos started a new discussion on lib/algorithms/ciphers.c: https://gitlab.com/gnutls/gnutls/merge_requests/1072#note_223408952

> .explicit_iv = 16, > .cipher_iv = 16}, > + { .name = "GOST28147-TC26Z-CNT",

Same here about the interdependency.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1072

From gnutls-devel at lists.gnutls.org Sat Sep 28 13:16:59 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 28 Sep 2019 11:16:59 +0000
Subject: [gnutls-devel] GnuTLS | GOST-CNT split, part 1 (!1072)

Dmitry Eremin-Solenikov commented on a discussion: https://gitlab.com/gnutls/gnutls/merge_requests/1072#note_223409294

This MR is a first part split from !920 . So there might be loose ends. I'll try checking if I can tie them somehow.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1072#note_223409294

From gnutls-devel at lists.gnutls.org Sat Sep 28 13:17:41 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 28 Sep 2019 11:17:41 +0000
Subject: [gnutls-devel] GnuTLS | GOST-CNT split, part 1 (!1072)

Dmitry Eremin-Solenikov commented on a discussion on lib/nettle/cipher.c: https://gitlab.com/gnutls/gnutls/merge_requests/1072#note_223409352

> .set_encrypt_key = _gost28147_set_key_cpd, > .set_decrypt_key = _gost28147_set_key_cpd, > }, > + {

ok, I'll merge them.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1072#note_223409352

From gnutls-devel at lists.gnutls.org Sat Sep 28 13:19:13 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 28 Sep 2019 11:19:13 +0000
Subject: [gnutls-devel] GnuTLS | x509: add support for Russian extensions defined for qualified certificate (!1075)

Merge request https://gitlab.com/gnutls/gnutls/merge_requests/1075 was reviewed by Nikos Mavrogiannopoulos

--
Nikos Mavrogiannopoulos started a new discussion on lib/gnutls.asn: https://gitlab.com/gnutls/gnutls/merge_requests/1075#note_223409445

> +-- GOST x509 Extensions > +IssuerSignTool ::= SEQUENCE { > + signTool UTF8String (SIZE (1..200)),

libtasn1 doesn't support the SIZE directive. If we need to adhere to this limit we need to check it internally. This doesn't apply here as you are only reading the value, but is applicable for the writing. We may want to remove this SIZE directive as it takes more memory for the asn module (without it having any benefit)

--
Nikos Mavrogiannopoulos started a new discussion on lib/x509/output.c: https://gitlab.com/gnutls/gnutls/merge_requests/1075#note_223409447

> idx->tlsfeatures++; > + } else if (strcmp(oid, "1.2.643.100.111") == 0) { > + addf(str, _("%s\t\tSubject Signing Tool(%s):\n"),

Is this the software name of the tool? e.g., certtool?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1075

From gnutls-devel at lists.gnutls.org Sat Sep 28 13:19:44 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 28 Sep 2019 11:19:44 +0000
Subject: [gnutls-devel] GnuTLS | x509: add support for Russian extensions defined for qualified certificate (!1075)

Nikos Mavrogiannopoulos commented:

Apart from one comment that LGTM. Just for confirmation that brings support to read these values, not write them.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1075#note_223409488

From gnutls-devel at lists.gnutls.org Sat Sep 28 13:20:50 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 28 Sep 2019 11:20:50 +0000
Subject: [gnutls-devel] GnuTLS | GOST-CNT split, part 1 (!1072)

Dmitry Eremin-Solenikov commented on a discussion on lib/algorithms/ciphers.c: https://gitlab.com/gnutls/gnutls/merge_requests/1072#note_223409610

> .type = CIPHER_BLOCK, > .explicit_iv = 16, > .cipher_iv = 16}, > + { .name = "GOST28147-TC26Z-CNT",

merged

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1072#note_223409610

From gnutls-devel at lists.gnutls.org Sat Sep 28 13:21:03 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 28 Sep 2019 11:21:03 +0000
Subject: [gnutls-devel] GnuTLS | GOST-CNT split, part 1 (!1072)

Dmitry Eremin-Solenikov commented on a discussion on lib/nettle/gost/gostdsa.h: https://gitlab.com/gnutls/gnutls/merge_requests/1072#note_223409631

> gostdsa_unmask_key (const struct ecc_curve *ecc, > mpz_t key); > > +int > +gostdsa_vko(const struct ecc_scalar *key,

dropped for now.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1072#note_223409631

From gnutls-devel at lists.gnutls.org Sat Sep 28 13:21:53 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 28 Sep 2019 11:21:53 +0000
Subject: [gnutls-devel] GnuTLS | GOST-CNT split, part 1 (!1072)

Dmitry Eremin-Solenikov commented on a discussion on lib/nettle/gost/gost28147.h: https://gitlab.com/gnutls/gnutls/merge_requests/1072#note_223409680

> size_t length, uint8_t *dst, > const uint8_t *src); > > +void > +gost28147_kdf_cryptopro(const struct gost28147_param *param,

dropped for now

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1072#note_223409680

From gnutls-devel at lists.gnutls.org Sat Sep 28 13:21:59 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 28 Sep 2019 11:21:59 +0000
Subject: [gnutls-devel] GnuTLS | GOST-CNT split, part 1 (!1072)

All discussions on Merge Request !1072 were resolved by Dmitry Eremin-Solenikov
https://gitlab.com/gnutls/gnutls/merge_requests/1072

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1072

From gnutls-devel at lists.gnutls.org Sat Sep 28 13:22:11 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 28 Sep 2019 11:22:11 +0000
Subject: [gnutls-devel] GnuTLS | GOST-CNT split, part 1 (!1072)

Dmitry Eremin-Solenikov pushed new commits to merge request !1072
https://gitlab.com/gnutls/gnutls/merge_requests/1072

* a17ffe20...907c6ffd - 5 commits from branch `master`
* ea536f9f - nettle: provide GOST 28147-89 CNT mode support
* c589e198 - nettle: provide GOST 28147-89 IMIT MAC support
* b2694067 - crypto-selftests: add CNT and IMIT self tests

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1072

From gnutls-devel at lists.gnutls.org Sat Sep 28 13:22:22 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 28 Sep 2019 11:22:22 +0000
Subject: [gnutls-devel] GnuTLS | GOST-CNT split, part 1 (!1072)

Dmitry Eremin-Solenikov commented:

@nmav reworked to have just CNT and IMIT

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1072#note_223409711

From gnutls-devel at lists.gnutls.org Sat Sep 28 13:24:56 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 28 Sep 2019 11:24:56 +0000
Subject: [gnutls-devel] GnuTLS | x509: add support for Russian extensions defined for qualified certificate (!1075)

Dmitry Eremin-Solenikov commented on a discussion on lib/x509/output.c: https://gitlab.com/gnutls/gnutls/merge_requests/1075#note_223409921

> print_tlsfeatures(str, prefix, der); > > idx->tlsfeatures++; > + } else if (strcmp(oid, "1.2.643.100.111") == 0) { > + addf(str, _("%s\t\tSubject Signing Tool(%s):\n"),

Yes, more or less. Like "CryptoPro CSP (Version 3.6)"

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1075#note_223409921

From gnutls-devel at lists.gnutls.org Sat Sep 28 13:26:25 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 28 Sep 2019 11:26:25 +0000
Subject: [gnutls-devel] GnuTLS | x509: add support for Russian extensions defined for qualified certificate (!1075)

Dmitry Eremin-Solenikov pushed new commits to merge request !1075
https://gitlab.com/gnutls/gnutls/merge_requests/1075

* dbd92887 - x509: add support for Russian extensions defined for qualified certificate

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1075

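Review bot: in the lib/x509/output.c hunk quoted for !1075, the added format string `"%s\t\tSubject Signing Tool(%s):\n"` has no space between `Tool` and `(%s)`, so the label and the parenthesised value print run together; write `Subject Signing Tool (%s):`. The string is wrapped in `_()`, so correcting it before merge also keeps the unspaced form out of the translation catalogues.
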
From gnutls-devel at lists.gnutls.org Sat Sep 28 13:26:54 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 28 Sep 2019 11:26:54 +0000
Subject: [gnutls-devel] GnuTLS | x509: add support for Russian extensions defined for qualified certificate (!1075)

Dmitry Eremin-Solenikov commented on a discussion on lib/gnutls.asn: https://gitlab.com/gnutls/gnutls/merge_requests/1075#note_223410072

> GOSTPrivateKey ::= OCTET STRING > GOSTPrivateKeyOld ::= INTEGER > > +-- GOST x509 Extensions > +IssuerSignTool ::= SEQUENCE { > + signTool UTF8String (SIZE (1..200)),

Moved to comments.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1075#note_223410072

From gnutls-devel at lists.gnutls.org Sat Sep 28 13:29:46 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 28 Sep 2019 11:29:46 +0000
Subject: [gnutls-devel] GnuTLS | x509: add support for Russian extensions defined for qualified certificate (!1075)

Dmitry Eremin-Solenikov commented:

Yes, this is fine from my point of view. If one needs to write those values, he will do that on his own. Especially since those values should come from 'certified software instance' and we definitely are not :-)

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1075#note_223410325

From gnutls-devel at lists.gnutls.org Sat Sep 28 13:31:48 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 28 Sep 2019 11:31:48 +0000
Subject: [gnutls-devel] GnuTLS | x509: add support for Russian extensions defined for qualified certificate (!1075)

Dmitry Eremin-Solenikov commented:

Another option would be to write data values related to certified PKCS#11 tokens. But I've just started testing them anyway.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1075#note_223410479

From gnutls-devel at lists.gnutls.org Sat Sep 28 13:41:48 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 28 Sep 2019 11:41:48 +0000
Subject: [gnutls-devel] GnuTLS | GOST-CNT split, part 1 (!1072)

Nikos Mavrogiannopoulos started a new discussion on lib/crypto-selftests.c: https://gitlab.com/gnutls/gnutls/merge_requests/1072#note_223411197

> }, > }; > > +const struct cipher_vectors_st gost28147_tc26z_cnt_vectors[] = {

One last question. Are these from the standard, or from some other implementation?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1072#note_223411197

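Review bot: in the lib/crypto-selftests.c hunk, the added `gost28147_tc26z_cnt_vectors[]` array follows the closing `};` of the previous table with no comment above it, so nothing in the file records where these self-test vectors come from. Add a short comment above the declaration naming their source (a standard, or the implementation they were checked against) so that a failing self-test can be re-derived and audited later.
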
From gnutls-devel at lists.gnutls.org Sat Sep 28 13:52:29 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 28 Sep 2019 11:52:29 +0000
Subject: [gnutls-devel] GnuTLS | GOST-CNT split, part 1 (!1072)

Dmitry Eremin-Solenikov commented on a discussion on lib/crypto-selftests.c: https://gitlab.com/gnutls/gnutls/merge_requests/1072#note_223412948

> }, > }; > > +const struct cipher_vectors_st gost28147_tc26z_cnt_vectors[] = {

No, standards are quite poor in the terms of gost28147 with different S-Boxes. So this one is generated manually and cross-tested with OpenSSL.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1072#note_223412948

From gnutls-devel at lists.gnutls.org Sat Sep 28 13:58:08 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 28 Sep 2019 11:58:08 +0000
Subject: [gnutls-devel] GnuTLS | ocsp: test suite and doc improvements (!1066)

Merge Request !1066 was approved by Dmitry Eremin-Solenikov

Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/1066
Project:Branches: nmav/gnutls:tmp-ocsp-fixes to gnutls/gnutls:master
Author: Nikos Mavrogiannopoulos
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1066

From gnutls-devel at lists.gnutls.org Sat Sep 28 13:58:27 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 28 Sep 2019 11:58:27 +0000
Subject: [gnutls-devel] GnuTLS | ocsp: test suite and doc improvements (!1066)

Dmitry Eremin-Solenikov commented:

Looks good to me.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1066#note_223414356

From gnutls-devel at lists.gnutls.org Sat Sep 28 14:05:35 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 28 Sep 2019 12:05:35 +0000
Subject: [gnutls-devel] GnuTLS | Add support for CNT_IMIT TLS 1.2 GOST cipher suite (!920)

Dmitry Eremin-Solenikov pushed new commits to merge request !920
https://gitlab.com/gnutls/gnutls/merge_requests/920

* 5074fb7f...907c6ffd - 28 commits from branch `master`
* ac3891ec - lib: define TC26 GOST curves
* 260f3a27 - nettle/gost: provide GOST 28147-89 CNT mode
* 26531208 - nettle/gost: provide GOST 28147-89 IMIT MAC mode
* b92a8e1f - lib: provide GOST 28147-89 CNT mode support
* 20543614 - lib: provide GOST 28147-89 IMIT MAC support
* 5608814c - nettle: provide GOST 28147-89 CNT mode support
* 559fb377 - nettle: provide GOST 28147-89 IMIT MAC support
* aa1be338 - nettle/gost: provide GOST keywrapping support
* 72f084f0 - nettle/gost: add support for GOST VKO algorithm
* aaacc758 - _gnutls_pk_derive: add argument for nonce
* 41cb4abe - nettle: add support for GOST key derivation
* 99d887e6 - mpi: add _gnutls_mpi_bprint_size_le()
* 4cb377ed - Allow using implicit IV for stream ciphers with TLS
* 14e1f9db - Support GOST certificate request values
* 9e918972 - Add GOST key transport support
* 4930053e - groups: add function to return group by curve
* 00f043bf - Add support for VKO GOST key exchange
* 307853f4 - Support GOST cipher suite MAC calculation
* ab00da02 - Add GOST cipher suites
* cfe0f768 - Declare groups corresponding to GOST curves
* c5535b58 - Add GOST values to cipher suites priorities
* 74f09f35 - prf: add GOST R 34.11-94 and Streebog PRF support
* 54dc3e2c - tests: add tests for KX-GOST-VKO using different key variants
* 4d64b010 - lib: fix group selection in case of GOST cipher suites
* 4daa96a6 - tests: added testcases for ciphersuite/KX negotiation with VKO-GOST
* 18941492 - lib/algorithms: add AID values assigned by IANA
* ec691f2d - lib: pubkey vs TLS signature compatibility for GOST algorithms
* a01dd52c - cli-debug: include GOST VKO into KX list
* 55ab5f5a - priority: add GROUP-GOST-ALL keyword
* 7cd387bd - nettle/pk: add support for "new" TC26 256 B curve
* b5e1a1de - ecc: define curve->group relationship
* d0a9b52f - ext/supported_groups: don't consider non-EC groups for EC
* 3699699d - ext/signature: use GOST signatures for GOST ciphersiuites
* b2edae6f - tests: correct gost server certificates
* 08db90f6 - tests: add verbose logging to server-kx-neg tests
* e7cb714f - Swap TLS signatures in case we are signing them with GOST keys
* c8facacc - crypto-selftests: add CNT and IMIT self tests
* f05f73a2 - gnutls-cli-debug: add GOST_CNT-related KX/cipher/MAC tests
* 1de2f507 - tls13-server-kx-neg: add test for GOST-enabled server and client

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/920

From gnutls-devel at lists.gnutls.org Sat Sep 28 14:40:09 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 28 Sep 2019 12:40:09 +0000
Subject: [gnutls-devel] GnuTLS | lib/algorithms: add AID values assigned by IANA (!1077)

Dmitry Eremin-Solenikov created a merge request: https://gitlab.com/gnutls/gnutls/merge_requests/1077

Project:Branches: GostCrypt/gnutls:gost-iana to gnutls/gnutls:master
Author: Dmitry Eremin-Solenikov

## Checklist
* [x] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [x] Code modified for feature
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
* [x] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:
* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1077

From gnutls-devel at lists.gnutls.org Sat Sep 28 14:40:25 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 28 Sep 2019 12:40:25 +0000
Subject: [gnutls-devel] GnuTLS | tests: add verbose logging to server-kx-neg tests (!1078)

Dmitry Eremin-Solenikov created a merge request: https://gitlab.com/gnutls/gnutls/merge_requests/1078

Project:Branches: GostCrypt/gnutls:kx-neg-verbose to gnutls/gnutls:master
Author: Dmitry Eremin-Solenikov

## Checklist
* [x] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [x] Code modified for feature
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
* [x] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:
* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1078

From gnutls-devel at lists.gnutls.org Sat Sep 28 17:27:20 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 28 Sep 2019 15:27:20 +0000
Subject: [gnutls-devel] GnuTLS | ocsp: test suite and doc improvements (!1066)

Merge Request !1066 was merged

Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/1066
Project:Branches: nmav/gnutls:tmp-ocsp-fixes to gnutls/gnutls:master
Author: Nikos Mavrogiannopoulos
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1066

From gnutls-devel at lists.gnutls.org Sat Sep 28 17:27:20 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 28 Sep 2019 15:27:20 +0000
Subject: [gnutls-devel] GnuTLS | gnutls_certificate_set_ocsp_status_request_file2: wrong success return value documentaion (#836)

Issue was closed by Nikos Mavrogiannopoulos via merge request !1066 (https://gitlab.com/gnutls/gnutls/merge_requests/1066)

Issue #836: https://gitlab.com/gnutls/gnutls/issues/836

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/836

From gnutls-devel at lists.gnutls.org Sat Sep 28 17:35:31 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 28 Sep 2019 15:35:31 +0000
Subject: [gnutls-devel] GnuTLS | certtool: ensure that PKCS#8 file does not contain key description (!1076)

Nikos Mavrogiannopoulos commented on a discussion on src/certtool.c: https://gitlab.com/gnutls/gnutls/merge_requests/1076#note_223437545

> cinfo.outcert_format = outcert_format; > cinfo.outtext = ENABLED_OPT(TEXT) && outcert_format == GNUTLS_X509_FMT_PEM; > > + if (cinfo.pkcs8 && cinfo.outtext)

Good idea. Let me try such an approach.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1076#note_223437545

From gnutls-devel at lists.gnutls.org Sat Sep 28 17:36:12 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 28 Sep 2019 15:36:12 +0000
Subject: [gnutls-devel] GnuTLS | certtool: ensure that PKCS#8 file does not contain key description (!1076)

Nikos Mavrogiannopoulos pushed new commits to merge request !1076
https://gitlab.com/gnutls/gnutls/merge_requests/1076

* d0eb4253 - certtool: ensure that PKCS#8 file does not contain key description

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1076

From gnutls-devel at lists.gnutls.org Sat Sep 28 17:38:28 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 28 Sep 2019 15:38:28 +0000
Subject: [gnutls-devel] GnuTLS | tests: add verbose logging to server-kx-neg tests (!1078)

Merge Request !1078 was approved by Nikos Mavrogiannopoulos

Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/1078
Project:Branches: GostCrypt/gnutls:kx-neg-verbose to gnutls/gnutls:master
Author: Dmitry Eremin-Solenikov
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1078

From gnutls-devel at lists.gnutls.org Sat Sep 28 17:38:31 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 28 Sep 2019 15:38:31 +0000
Subject: [gnutls-devel] GnuTLS | tests: add verbose logging to server-kx-neg tests (!1078)

Merge Request !1078 was merged

Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/1078
Project:Branches: GostCrypt/gnutls:kx-neg-verbose to gnutls/gnutls:master
Author: Dmitry Eremin-Solenikov
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1078

From gnutls-devel at lists.gnutls.org Sat Sep 28 17:38:41 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 28 Sep 2019 15:38:41 +0000
Subject: [gnutls-devel] GnuTLS | tests: add verbose logging to server-kx-neg tests (!1078)

Nikos Mavrogiannopoulos commented:

LGTM

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1078#note_223437827

From gnutls-devel at lists.gnutls.org Sat Sep 28 17:39:12 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 28 Sep 2019 15:39:12 +0000
Subject: [gnutls-devel] GnuTLS | GOST-CNT split, part 1 (!1072)

Merge Request !1072 was approved by Nikos Mavrogiannopoulos

Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/1072
Project:Branches: GostCrypt/gnutls:gost-split-1 to gnutls/gnutls:master
Author: Dmitry Eremin-Solenikov
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1072

From gnutls-devel at lists.gnutls.org Sat Sep 28 17:39:09 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 28 Sep 2019 15:39:09 +0000
Subject: [gnutls-devel] GnuTLS | GOST-CNT split, part 1 (!1072)

All discussions on Merge Request !1072 were resolved by Nikos Mavrogiannopoulos
https://gitlab.com/gnutls/gnutls/merge_requests/1072

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1072

-------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat Sep 28 17:40:46 2019 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sat, 28 Sep 2019 15:40:46 +0000 Subject: [gnutls-devel] GnuTLS | GOST-CNT split, part 1 (!1072) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos commented: Should we add a news entry for these algorithms? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1072#note_223438005 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat Sep 28 17:41:20 2019 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sat, 28 Sep 2019 15:41:20 +0000 Subject: [gnutls-devel] GnuTLS | x509: add support for Russian extensions defined for qualified certificate (!1075) In-Reply-To: References: Message-ID: All discussions on Merge Request !1075 were resolved by Nikos Mavrogiannopoulos https://gitlab.com/gnutls/gnutls/merge_requests/1075 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1075 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... 

From gnutls-devel at lists.gnutls.org Sat Sep 28 17:42:09 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 28 Sep 2019 15:42:09 +0000
Subject: [gnutls-devel] GnuTLS | x509: add support for Russian extensions defined for qualified certificate (!1075)

Merge Request !1075 was approved by Nikos Mavrogiannopoulos

Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/1075
Project:Branches: GostCrypt/gnutls:gost-attrs to gnutls/gnutls:master
Author: Dmitry Eremin-Solenikov
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1075

From gnutls-devel at lists.gnutls.org Sat Sep 28 18:17:15 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 28 Sep 2019 16:17:15 +0000
Subject: [gnutls-devel] GnuTLS | Regenerate asm files with -fPIC (if necessary) (!1079)

Andreas Metzler created a merge request: https://gitlab.com/gnutls/gnutls/merge_requests/1079

Project:Branches: ametzler/gnutls:tmp-201909-818-perlasm-pic-generation to gnutls/gnutls:master
Author: Andreas Metzler

Fix regeneration of asm files from .pl sources, pass -fPIC selectively

## Checklist
* [x] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [ ] Code modified for feature
* [ ] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
* [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:
* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

If this is merged **and** the asm sources are rebuilt (make -f cfg.mk asm-sources) then #818 should be fixed.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1079

From gnutls-devel at lists.gnutls.org Sat Sep 28 19:41:53 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 28 Sep 2019 17:41:53 +0000
Subject: [gnutls-devel] GnuTLS | certtool: ensure that PKCS#8 file does not contain key description (!1076)

Merge Request !1076 was approved by Dmitry Eremin-Solenikov

Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/1076
Project:Branches: nmav/gnutls:tmp-no-pkcs8-text to gnutls/gnutls:master
Author: Nikos Mavrogiannopoulos
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1076

From gnutls-devel at lists.gnutls.org Sat Sep 28 19:43:06 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 28 Sep 2019 17:43:06 +0000
Subject: [gnutls-devel] GnuTLS | x509: add support for Russian extensions defined for qualified certificate (!1075)

Merge Request !1075 was merged

Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/1075
Project:Branches: GostCrypt/gnutls:gost-attrs to gnutls/gnutls:master
Author: Dmitry Eremin-Solenikov
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1075

From gnutls-devel at lists.gnutls.org Sat Sep 28 19:43:36 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 28 Sep 2019 17:43:36 +0000
Subject: [gnutls-devel] GnuTLS | GOST-CNT split, part 1 (!1072)

Dmitry Eremin-Solenikov commented:

I'll add news entry to this MR.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1072#note_223454048

From gnutls-devel at lists.gnutls.org Sat Sep 28 20:24:40 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 28 Sep 2019 18:24:40 +0000
Subject: [gnutls-devel] GnuTLS | GOST-CNT split, part 1 (!1072)

Dmitry Eremin-Solenikov pushed new commits to merge request !1072

https://gitlab.com/gnutls/gnutls/merge_requests/1072

* 2902a436 - NEWS: document previous changes [ci skip]

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1072

From gnutls-devel at lists.gnutls.org Sat Sep 28 20:24:57 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 28 Sep 2019 18:24:57 +0000
Subject: [gnutls-devel] GnuTLS | GOST-CNT split, part 1 (!1072)

Merge Request !1072 was merged

Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/1072
Project:Branches: GostCrypt/gnutls:gost-split-1 to gnutls/gnutls:master
Author: Dmitry Eremin-Solenikov
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1072

From gnutls-devel at lists.gnutls.org Sat Sep 28 20:44:29 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 28 Sep 2019 18:44:29 +0000
Subject: [gnutls-devel] GnuTLS | certtool: ensure that PKCS#8 file does not contain key description (!1076)

All discussions on Merge Request !1076 were resolved by Dmitry Eremin-Solenikov

https://gitlab.com/gnutls/gnutls/merge_requests/1076

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1076

From gnutls-devel at lists.gnutls.org Sat Sep 28 20:46:32 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 28 Sep 2019 18:46:32 +0000
Subject: [gnutls-devel] GnuTLS | Regenerate asm files with -fPIC (if necessary) (!1079)

Merge Request !1079 was approved by Dmitry Eremin-Solenikov

Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/1079
Project:Branches: ametzler/gnutls:tmp-201909-818-perlasm-pic-generation to gnutls/gnutls:master
Author: Andreas Metzler
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1079

From gnutls-devel at lists.gnutls.org Sat Sep 28 20:49:15 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 28 Sep 2019 18:49:15 +0000
Subject: [gnutls-devel] GnuTLS | tests: correct gost server certificates (!1080)

Dmitry Eremin-Solenikov created a merge request: https://gitlab.com/gnutls/gnutls/merge_requests/1080

Project:Branches: GostCrypt/gnutls:fix-cert-keys to gnutls/gnutls:master
Author: Dmitry Eremin-Solenikov

Add a description of the new feature/bug fix. Reference any relevant bugs.

## Checklist
* [x] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [x] Code modified for feature
* [x] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:
* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1080

From gnutls-devel at lists.gnutls.org Sat Sep 28 20:50:07 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 28 Sep 2019 18:50:07 +0000
Subject: [gnutls-devel] GnuTLS | Implement new requirements for GOST PublicKeyParameters (!1070)

Dmitry Eremin-Solenikov pushed new commits to merge request !1070

https://gitlab.com/gnutls/gnutls/merge_requests/1070

* ecd4a5b2...477d44b3 - 19 commits from branch `master`
* 61460d09 - lib: define more GOST curves
* c8d8e7d7 - lib/ecc: add documentation for GOST-related curves
* b4836de2 - nettle/pk: add support for "new" TC26 256 B curve
* 0b1f3476 - lib: implement support for updated GOST PublicKeyParameters

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1070

From gnutls-devel at lists.gnutls.org Sat Sep 28 21:03:17 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 28 Sep 2019 19:03:17 +0000
Subject: [gnutls-devel] GnuTLS | Implement new requirements for GOST PublicKeyParameters (!1070)

Dmitry Eremin-Solenikov commented:

@nmav updated

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1070#note_223464403

From gnutls-devel at lists.gnutls.org Sat Sep 28 21:03:33 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 28 Sep 2019 19:03:33 +0000
Subject: [gnutls-devel] GnuTLS | tests: correct gost server certificates (!1080)

Dmitry Eremin-Solenikov commented:

Quite interesting. Gitlab shows an error for this MR.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1080#note_223465853

From gnutls-devel at lists.gnutls.org Sat Sep 28 21:04:17 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 28 Sep 2019 19:04:17 +0000
Subject: [gnutls-devel] GnuTLS | Add support for CNT_IMIT TLS 1.2 GOST cipher suite (!920)

Dmitry Eremin-Solenikov pushed new commits to merge request !920

https://gitlab.com/gnutls/gnutls/merge_requests/920

* ecd4a5b2...477d44b3 - 14 commits from branch `master`
* ce6b8c45 - lib: define TC26 GOST curves
* e21f5ab3 - nettle/gost: provide GOST keywrapping support
* 848728ae - nettle/gost: add support for GOST VKO algorithm
* afc5ecc1 - _gnutls_pk_derive: add argument for nonce
* 35485c11 - nettle: add support for GOST key derivation
* 1c9ee422 - mpi: add _gnutls_mpi_bprint_size_le()
* 06e3786b - Allow using implicit IV for stream ciphers with TLS
* 7786d756 - Support GOST certificate request values
* 3b99ad01 - Add GOST key transport support
* 0675dd53 - groups: add function to return group by curve
* a403ae58 - Add support for VKO GOST key exchange
* 3bba25c0 - Support GOST cipher suite MAC calculation
* 1c1e8d37 - Add GOST cipher suites
* 555eea0f - Declare groups corresponding to GOST curves
* f6e849d1 - Add GOST values to cipher suites priorities
* 7c328812 - prf: add GOST R 34.11-94 and Streebog PRF support
* a66c1ee1 - tests: add tests for KX-GOST-VKO using different key variants
* 414a0071 - lib: fix group selection in case of GOST cipher suites
* 4cae07dc - tests: added testcases for ciphersuite/KX negotiation with VKO-GOST
* 6bf697ca - lib/algorithms: add AID values assigned by IANA
* ac242503 - lib: pubkey vs TLS signature compatibility for GOST algorithms
* 0f7737bf - cli-debug: include GOST VKO into KX list
* 1abe9586 - priority: add GROUP-GOST-ALL keyword
* 3b3aee0b - nettle/pk: add support for "new" TC26 256 B curve
* 42a655ff - ecc: define curve->group relationship
* 6a28ba43 - ext/supported_groups: don't consider non-EC groups for EC
* d2767442 - ext/signature: use GOST signatures for GOST ciphersiuites
* 3d003ee8 - tests: correct gost server certificates
* 71585a7a - Swap TLS signatures in case we are signing them with GOST keys
* aa26d6ee - gnutls-cli-debug: add GOST_CNT-related KX/cipher/MAC tests
* ac91c2fa - tls13-server-kx-neg: add test for GOST-enabled server and client

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/920

From gnutls-devel at lists.gnutls.org Sat Sep 28 21:09:02 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 28 Sep 2019 19:09:02 +0000
Subject: [gnutls-devel] GnuTLS | Unexpected TLS packet during handshake with Twitter.com (#841)

IBBoard created an issue: https://gitlab.com/gnutls/gnutls/issues/841

## Description of problem:

I *think* I might be having a similar bug to #822, but it's from Twitter and it's happening the opposite way around for the expected/received types. Also, it can happen as soon as the app loads rather than after a prolonged period of not being used.

My Twitter client currently errors at irregular intervals when accessing the Twitter API because it gets an out of sequence packet for its current state.

## Version of gnutls used:

3.6.9

## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)

openSUSE Tumbleweed

## How reproducible:

Steps to Reproduce:

* Install Cawbird (https://ibboard.co.uk/cawbird/)
* Run `cawbird` from a terminal to see the logging
* Login to your Twitter account
* Load individual tweet by double-clicking on it, click back
* Go back to previous step

(Sorry, I don't have a smaller test case yet, but tweet loading is passive)

## Actual results:

Eventually, it will fail to load a tweet and something a bit like:

```
(cawbird:14730): cawbird-WARNING **: 11:43:55.926: Could not send tweet: Error performing TLS handshake: An unexpected TLS packet was received.
(cawbird:14730): cawbird-WARNING **: 11:43:55.926: ComposeTweetWindow.vala:310: Error 5151.4 (ComposeTweetWindow.vala.310): Error performing TLS handshake: An unexpected TLS packet was received.
```

will be printed to the terminal (but that specific error is from trying to send a tweet). If you're unlucky then the timeline will have failed to load when you started and it will have shown a similar error.

Based on packet capture, it happens when "New Session Ticket" and "Change Cipher Spec" are set on the Server Hello, but not on just "Change Cipher Spec".

When running with `GNUTLS_DEBUG_LEVEL` set then I see:

```
gnutls[5]: REC[0x55bf5cb1e6b0]: SSL 3.3 Handshake packet received. Epoch 0, length: 85
gnutls[5]: REC[0x55bf5cb1e6b0]: Expected Packet Handshake(22)
gnutls[5]: REC[0x55bf5cb1e6b0]: Received Packet Handshake(22) with length: 85
gnutls[5]: REC[0x55bf5cb1e6b0]: Decrypted Packet[0] Handshake(22) with length: 85
gnutls[4]: HSK[0x55bf5cb1e6b0]: SERVER HELLO (2) was received. Length 81[81], frag offset 0, frag length: 81, sequence: 0
gnutls[3]: ASSERT: buffers.c[get_last_packet]:1161
gnutls[3]: ASSERT: buffers.c[_gnutls_handshake_io_recv_int]:1413
gnutls[4]: HSK[0x55bf5cb1e6b0]: Server's version: 3.3
gnutls[4]: HSK[0x55bf5cb1e6b0]: SessionID length: 32
gnutls[4]: HSK[0x55bf5cb1e6b0]: SessionID: ?
gnutls[4]: EXT[0x55bf5cb1e6b0]: Parsing extension 'Safe Renegotiation/65281' (1 bytes)
gnutls[4]: HSK[0x55bf5cb1e6b0]: Safe renegotiation succeeded
gnutls[5]: REC[0x55bf5cb1e6b0]: SSL 3.3 Handshake packet received. Epoch 0, length: 186
gnutls[5]: REC[0x55bf5cb1e6b0]: Expected Packet ChangeCipherSpec(20)
gnutls[5]: REC[0x55bf5cb1e6b0]: Received Packet Handshake(22) with length: 186
gnutls[5]: REC[0x55bf5cb1e6b0]: Decrypted Packet[1] Handshake(22) with length: 186
gnutls[3]: ASSERT: record.c[recv_hello_request]:774
gnutls[3]: ASSERT: record.c[_gnutls_recv_in_buffers]:1579
gnutls[3]: ASSERT: record.c[_gnutls_recv_int]:1777
gnutls[3]: ASSERT: handshake.c[recv_handshake_final]:3272
gnutls[3]: ASSERT: handshake.c[handshake_client]:3074
gnutls[3]: ASSERT: buffers.c[_gnutls_io_read_buffered]:589
gnutls[3]: ASSERT: record.c[_gnutls_recv_int]:1777
```

Compared to #822 I get the "Parsing extension 'Safe Renegotiation'", which succeeds, but then I get "Expected Packet ChangeCipherSpec(20)" and "Received Packet Handshake(22)" and a different set of asserts.

## Expected results:

GnuTLS handles the New Session Ticket packet and doesn't treat it as "unexpected".

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/841
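
The mismatch reported in issue #841 above (the client expects ChangeCipherSpec(20) and receives Handshake(22)) can be picked out of a longer `GNUTLS_DEBUG_LEVEL` capture mechanically. The following Python is an added example, not part of the issue report or of GnuTLS; `find_record_mismatches` and `Mismatch` are hypothetical names, and the sample input is the log excerpt quoted in the report.

```python
import re
from dataclasses import dataclass, field

# Excerpt of the GNUTLS_DEBUG_LEVEL output quoted in the issue report above.
SAMPLE_LOG = """\
gnutls[5]: REC[0x55bf5cb1e6b0]: SSL 3.3 Handshake packet received. Epoch 0, length: 85
gnutls[5]: REC[0x55bf5cb1e6b0]: Expected Packet Handshake(22)
gnutls[5]: REC[0x55bf5cb1e6b0]: Received Packet Handshake(22) with length: 85
gnutls[5]: REC[0x55bf5cb1e6b0]: Decrypted Packet[0] Handshake(22) with length: 85
gnutls[4]: HSK[0x55bf5cb1e6b0]: SERVER HELLO (2) was received. Length 81[81], frag offset 0, frag length: 81, sequence: 0
gnutls[3]: ASSERT: buffers.c[get_last_packet]:1161
gnutls[3]: ASSERT: buffers.c[_gnutls_handshake_io_recv_int]:1413
gnutls[4]: HSK[0x55bf5cb1e6b0]: Server's version: 3.3
gnutls[4]: HSK[0x55bf5cb1e6b0]: SessionID length: 32
gnutls[4]: HSK[0x55bf5cb1e6b0]: SessionID: ?
gnutls[4]: EXT[0x55bf5cb1e6b0]: Parsing extension 'Safe Renegotiation/65281' (1 bytes)
gnutls[4]: HSK[0x55bf5cb1e6b0]: Safe renegotiation succeeded
gnutls[5]: REC[0x55bf5cb1e6b0]: SSL 3.3 Handshake packet received. Epoch 0, length: 186
gnutls[5]: REC[0x55bf5cb1e6b0]: Expected Packet ChangeCipherSpec(20)
gnutls[5]: REC[0x55bf5cb1e6b0]: Received Packet Handshake(22) with length: 186
gnutls[5]: REC[0x55bf5cb1e6b0]: Decrypted Packet[1] Handshake(22) with length: 186
gnutls[3]: ASSERT: record.c[recv_hello_request]:774
gnutls[3]: ASSERT: record.c[_gnutls_recv_in_buffers]:1579
gnutls[3]: ASSERT: record.c[_gnutls_recv_int]:1777
gnutls[3]: ASSERT: handshake.c[recv_handshake_final]:3272
gnutls[3]: ASSERT: handshake.c[handshake_client]:3074
gnutls[3]: ASSERT: buffers.c[_gnutls_io_read_buffered]:589
gnutls[3]: ASSERT: record.c[_gnutls_recv_int]:1777
"""

# "REC[<session>]: Expected Packet <Name>(<type>)" and
# "REC[<session>]: Received Packet <Name>(<type>) with length: <n>"
REC_RE = re.compile(
    r"^gnutls\[\d+\]: REC\[(0x[0-9a-fA-F]+)\]: (Expected|Received) Packet "
    r"(\w+)\((\d+)\)(?: with length: (\d+))?"
)
# "ASSERT: <file>[<function>]:<line>"
ASSERT_RE = re.compile(r"^gnutls\[\d+\]: ASSERT: ([\w.\-]+)\[(\w+)\]:(\d+)")


@dataclass
class Mismatch:
    session: str            # session handle as printed in the log
    expected: tuple         # (content type name, number) the state machine wanted
    received: tuple         # (content type name, number) that arrived
    length: int             # record length from the "Received Packet" line
    asserts: list = field(default_factory=list)  # (file, function, line) trail


def find_record_mismatches(log_text):
    """Return one Mismatch per record whose type differs from the expected one."""
    pending = {}     # session handle -> expectation from the last "Expected Packet"
    open_hit = None  # mismatch currently collecting the ASSERT lines that follow it
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        rec = REC_RE.match(line)
        if rec:
            session, kind, name, ctype, length = rec.groups()
            if kind == "Expected":
                pending[session] = (name, int(ctype))
                open_hit = None  # a new record starts; stop collecting asserts
            else:
                expected = pending.pop(session, None)
                got = (name, int(ctype))
                if expected is not None and expected != got:
                    open_hit = Mismatch(session, expected, got, int(length or 0))
                    findings.append(open_hit)
                else:
                    open_hit = None
            continue
        hit = ASSERT_RE.match(line)
        # ASSERT lines carry no session handle, so they are attributed to the
        # most recent mismatch; asserts after a matching record are ignored.
        if hit and open_hit is not None:
            open_hit.asserts.append((hit.group(1), hit.group(2), int(hit.group(3))))
    return findings


if __name__ == "__main__":
    for f in find_record_mismatches(SAMPLE_LOG):
        print(f"{f.session}: expected {f.expected}, received {f.received}, "
              f"length {f.length}, first assert {f.asserts[0] if f.asserts else None}")
```

Because ASSERT lines are not tagged with a session, the assert trail is only reliable for logs of one connection at a time.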

From gnutls-devel at lists.gnutls.org Sat Sep 28 21:11:36 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 28 Sep 2019 19:11:36 +0000
Subject: [gnutls-devel] GnuTLS | certtool: ensure that PKCS#8 file does not contain key description (!1076)

Nikos Mavrogiannopoulos pushed new commits to merge request !1076

https://gitlab.com/gnutls/gnutls/merge_requests/1076

* ecd4a5b2...477d44b3 - 14 commits from branch `master`
* a3ec822a - certtool: ensure that PKCS#8 file does not contain key description

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1076

From gnutls-devel at lists.gnutls.org Sat Sep 28 21:19:46 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 28 Sep 2019 19:19:46 +0000
Subject: [gnutls-devel] GnuTLS | Regenerate asm files with -fPIC (!1081)

Nikos Mavrogiannopoulos created a merge request: https://gitlab.com/gnutls/gnutls/merge_requests/1081

Project:Branches: nmav/gnutls:tmp-asm-update-32 to gnutls/gnutls:master
Author: Nikos Mavrogiannopoulos

Fix regeneration of asm files from .pl sources, pass -fPIC selectively

## Checklist
* [x] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [x] Code modified for feature
* [ ] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
* [x] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:
* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1081

From gnutls-devel at lists.gnutls.org Sat Sep 28 21:31:34 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 28 Sep 2019 19:31:34 +0000
Subject: [gnutls-devel] GnuTLS | Regenerate asm files with -fPIC (!1081)

Nikos Mavrogiannopoulos pushed new commits to merge request !1081

https://gitlab.com/gnutls/gnutls/merge_requests/1081

* b1898059 - 1 commit from branch `master`

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1081

From gnutls-devel at lists.gnutls.org Sat Sep 28 21:36:01 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 28 Sep 2019 19:36:01 +0000
Subject: [gnutls-devel] GnuTLS | Regenerate asm files with -fPIC (!1081)

Merge Request !1081 was approved by Dmitry Eremin-Solenikov

Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/1081
Project:Branches: nmav/gnutls:tmp-asm-update-32 to gnutls/gnutls:master
Author: Nikos Mavrogiannopoulos
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1081

From gnutls-devel at lists.gnutls.org Sat Sep 28 21:36:57 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 28 Sep 2019 19:36:57 +0000
Subject: [gnutls-devel] GnuTLS | Regenerate asm files with -fPIC (!1081)

Nikos Mavrogiannopoulos pushed new commits to merge request !1081

https://gitlab.com/gnutls/gnutls/merge_requests/1081

* 56b333df - Regenerate asm files with -fPIC

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1081

From gnutls-devel at lists.gnutls.org Sat Sep 28 21:48:33 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 28 Sep 2019 19:48:33 +0000
Subject: [gnutls-devel] GnuTLS | Regenerate asm files with -fPIC (if necessary) (!1079)

Nikos Mavrogiannopoulos commented:

Thank you! I think we should merge it together with the generated files so that we can be assured that the generated files pass CI. I've opened !1081 which combines the commits, and I've also added one to run pic-check in i686 to prevent future regressions.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1079#note_223469918

From gnutls-devel at lists.gnutls.org Sat Sep 28 21:49:42 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 28 Sep 2019 19:49:42 +0000
Subject: [gnutls-devel] GnuTLS | Regenerate asm files with -fPIC (!1081)

Nikos Mavrogiannopoulos pushed new commits to merge request !1081

https://gitlab.com/gnutls/gnutls/merge_requests/1081

* b1690881 - .gitlab-ci.yml: run pic-check on i686-linux-gnu to catch wrong assembly

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1081

From gnutls-devel at lists.gnutls.org Sat Sep 28 22:11:29 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 28 Sep 2019 20:11:29 +0000
Subject: [gnutls-devel] GnuTLS | Regenerate asm files with -fPIC (if necessary) (!1079)

Merge Request !1079 was closed by Nikos Mavrogiannopoulos

Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/1079
Project:Branches: ametzler/gnutls:tmp-201909-818-perlasm-pic-generation to gnutls/gnutls:master
Author: Andreas Metzler
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1079

From gnutls-devel at lists.gnutls.org Sat Sep 28 23:14:06 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 28 Sep 2019 21:14:06 +0000
Subject: [gnutls-devel] GnuTLS | certtool: ensure that PKCS#8 file does not contain key description (!1076)

Merge Request !1076 was merged

Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/1076
Project:Branches: nmav/gnutls:tmp-no-pkcs8-text to gnutls/gnutls:master
Author: Nikos Mavrogiannopoulos
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1076

From gnutls-devel at lists.gnutls.org Sat Sep 28 23:48:45 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 28 Sep 2019 21:48:45 +0000
Subject: [gnutls-devel] GnuTLS | Regenerate asm files with -fPIC (!1081)

Merge Request !1081 was merged

Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/1081
Project:Branches: nmav/gnutls:tmp-asm-update-32 to gnutls/gnutls:master
Author: Nikos Mavrogiannopoulos
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1081
URL: From gnutls-devel at lists.gnutls.org Sat Sep 28 23:49:29 2019 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sat, 28 Sep 2019 21:49:29 +0000 Subject: [gnutls-devel] GnuTLS | wrong text relocations on i386 due to non-PIC assembly (#818) In-Reply-To: References: Message-ID: Issue was closed by Nikos Mavrogiannopoulos via merge request !1081 (https://gitlab.com/gnutls/gnutls/merge_requests/1081) Issue #818: https://gitlab.com/gnutls/gnutls/issues/818 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/818 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun Sep 29 13:13:53 2019 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sun, 29 Sep 2019 11:13:53 +0000 Subject: [gnutls-devel] GnuTLS | ocsp status request docs misleading (#829) In-Reply-To: References: Message-ID: Milestone changed to Release of GnuTLS 3.6.11 (Oct 1, 2019?Dec 1, 2019) ( https://gitlab.com/gnutls/gnutls/-/milestones/25 ) -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/829 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun Sep 29 13:09:50 2019 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sun, 29 Sep 2019 13:09:50 +0200 Subject: [gnutls-devel] gnutls 3.6.10 Message-ID: Hello, I've just released gnutls 3.6.10. This is a bug fix release on the stable 3.6.x branch. I'd like to thank everyone who contributed in this release: Daiki Ueno, Dmitry Eremin-Solenikov, Ludovic Court?s, Tom Vrancken, Andreas Metzler, Karsten Ohme, Michael Catanzaro and Tim R?hsen. 
The detailed list of changes follows; they can be seen in more detail in our milestone tracker: https://gitlab.com/gnutls/gnutls/-/milestones/24 Changes ======= * Version 3.6.10 (released 2019-09-29) ** libgnutls: Added support for deterministic ECDSA/DSA (RFC6979) Deterministic signing can be enabled by setting GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE when calling gnutls_privkey_sign_*() functions (#94). ** libgnutls: add gnutls_aead_cipher_encryptv2 and gnutls_aead_cipher_decryptv2 functions that will perform in-place encryption/decryption on data buffers (#718). ** libgnutls: Corrected issue in gnutls_session_get_data2() which could fail under TLS1.3, if a timeout callback was not set using gnutls_transport_set_pull_timeout_function() (#823). ** libgnutls: added interoperability tests with gnutls 2.12.x; addressed issue with large record handling due to random padding (#811). ** libgnutls: the server now selects the highest TLS protocol version, if TLS 1.3 is enabled and the client advertises an older protocol version first (#837). ** libgnutls: fix non-PIC assembly on i386 (#818). ** libgnutls: added support for GOST 28147-89 cipher in CNT (GOST counter) mode and MAC generation based on GOST 28147-89 (IMIT). For description of the modes see RFC 5830. S-Box is id-tc26-gost-28147-param-Z (TC26Z) defined in RFC 7836. ** certtool: when outputting an encrypted private key do not insert the textual description of it. This fixes a regression since 3.6.5 (#840). ** API and ABI modifications: gnutls_aead_cipher_encryptv2: Added gnutls_aead_cipher_decryptv2: Added GNUTLS_CIPHER_GOST28147_TC26Z_CNT: Added GNUTLS_MAC_GOST28147_TC26Z_IMIT: Added Getting the Software ==================== GnuTLS may be downloaded directly from ;;;. A list of GnuTLS mirrors can be found at ;;;. 
Here are the XZ compressed sources: https://www.gnupg.org/ftp/gcrypt/gnutls/v3.6/gnutls-3.6.10.tar.xz Here are OpenPGP detached signatures signed using key 0x96865171: https://www.gnupg.org/ftp/gcrypt/gnutls/v3.6/gnutls-3.6.10.tar.xz.sig Note that it has been signed with my openpgp key: pub 3104R/96865171 2008-05-04 [expires: 2028-04-29] uid Nikos Mavrogiannopoulos gnutls.org> uid Nikos Mavrogiannopoulos gmail.com> sub 2048R/9013B842 2008-05-04 [expires: 2018-05-02] sub 2048R/1404A91D 2008-05-04 [expires: 2018-05-02] regards, Nikos From gnutls-devel at lists.gnutls.org Sun Sep 29 14:36:45 2019 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sun, 29 Sep 2019 12:36:45 +0000 Subject: [gnutls-devel] GnuTLS | handle OID 1.3.6.1.4.1.11129.2.4.2 (x.509 extension for certificate transparency SCTs) (#232) In-Reply-To: References: Message-ID: Tim R?hsen commented: I am getting interested in this for use in Wget/Wget2. Debian has an open bug for shipping a CT log file, regularly updated. Maybe we should use the same format as OpenSSL does (but not sure yet). Here are some Links https://github.com/nextgis-borsch/lib_openssl/blob/master/apps/ct_log_list.cnf https://www.certificate-transparency.org/certificate-transparency-in-openssl https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=876403 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/232#note_223543704 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun Sep 29 17:55:59 2019 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sun, 29 Sep 2019 15:55:59 +0000 Subject: [gnutls-devel] GnuTLS | Unexpected TLS packet during handshake with Twitter.com (#841) In-Reply-To: References: Message-ID: Tim R?hsen commented: Is there a chance to find out how to reproduce the issue with `gnutls-cli` ? 
Is there a certain order of requests within a single TLS connection to reproduce ?

That would help to track it down.

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/841#note_223563738

From gnutls-devel at lists.gnutls.org Sun Sep 29 19:03:10 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 29 Sep 2019 17:03:10 +0000
Subject: [gnutls-devel] GnuTLS | Delete orphaned settings of renamed test mini-alignment (!1082)

Andreas Metzler created a merge request: https://gitlab.com/gnutls/gnutls/merge_requests/1082

Project:Branches: ametzler/gnutls:tmp-20190929-junk-from-renamed-test to gnutls/gnutls:master
Author: Andreas Metzler

mini-alignment was updated and renamed to cipher alignment in f63f0e4866c8e7955162caa075b1d253647b36a4

```mini_alignment_CPPFLAGS``` and ```mini_alignment_LDFLAGS``` were left behind, causing the following automake warning:

> tests/Makefile.am:415: warning: variable 'mini_alignment_LDADD' is defined but no program or
> tests/Makefile.am:415: library has 'mini_alignment' as canonical name (possible typo)

## Checklist
 * [x] Commits have `Signed-off-by:` with name/author being identical to the commit author
 * [ ] Code modified for feature
 * [ ] Test suite updated with functionality tests
 * [ ] Test suite updated with negative tests
 * [ ] Documentation updated / NEWS entry present (for non-trivial changes)
 * [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:
 * [ ] Any issues marked for closing are addressed
 * [ ] There is a test suite reasonably covering new functionality or modifications
 * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
 * [ ] This feature/change has adequate documentation
   added
 * [ ] No obvious mistakes in the code

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1082

From gnutls-devel at lists.gnutls.org Sun Sep 29 19:41:38 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 29 Sep 2019 17:41:38 +0000
Subject: [gnutls-devel] GnuTLS | Delete orphaned settings of renamed test mini-alignment (!1082)

Tim Rühsen started a new discussion on tests/Makefile.am: https://gitlab.com/gnutls/gnutls/merge_requests/1082#note_223572910

> > rsa_illegal_import_CPPFLAGS = $(AM_CPPFLAGS) $(NETTLE_CFLAGS) > > -mini_alignment_CPPFLAGS = $(AM_CPPFLAGS) $(NETTLE_CFLAGS)

Wouldn't it be correct to rename `mini_` to `cipher_` instead of removing them ?

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1082#note_223572910

From gnutls-devel at lists.gnutls.org Sun Sep 29 20:18:29 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 29 Sep 2019 18:18:29 +0000
Subject: [gnutls-devel] GnuTLS | Delete orphaned settings of renamed test mini-alignment (!1082)

Andreas Metzler commented on a discussion on tests/Makefile.am: https://gitlab.com/gnutls/gnutls/merge_requests/1082#note_223576920

> > rsa_illegal_import_CPPFLAGS = $(AM_CPPFLAGS) $(NETTLE_CFLAGS) > > -mini_alignment_CPPFLAGS = $(AM_CPPFLAGS) $(NETTLE_CFLAGS)

Tim Rühsen ? @rockdaboot
> Wouldn't it be correct to rename mini_ to cipher_ instead of removing them ?

Hello,

I guess LDADD is unnecessary, the test seems to be linked against -lnettle -lhogweed even without.
I think you are right about CFLAGS, though. (Did not trigger an error here, since NETTLE_CFLAGS was empty in my build.)

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1082#note_223576920

From gnutls-devel at lists.gnutls.org Sun Sep 29 20:56:59 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 29 Sep 2019 18:56:59 +0000
Subject: [gnutls-devel] GnuTLS | Unexpected TLS packet during handshake with Twitter.com (#841)

IBBoard commented:

I'll see what I can do. I don't believe there's a simple pattern of requests that trigger it, though. The only thing that identifies it is the `New Session Ticket` record in the Server Hello packet. It can happen on any of a number of different requests, but never the same one (so never a request to a certain URL, or the fifth request to the server, or anything like that)

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/841#note_223580601

From gnutls-devel at lists.gnutls.org Sun Sep 29 21:05:27 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 29 Sep 2019 19:05:27 +0000
Subject: [gnutls-devel] GnuTLS | Delete orphaned settings of renamed test mini-alignment (!1082)

Tim Rühsen commented on a discussion on tests/Makefile.am: https://gitlab.com/gnutls/gnutls/merge_requests/1082#note_223581288

> > rsa_illegal_import_CPPFLAGS = $(AM_CPPFLAGS) $(NETTLE_CFLAGS) > > -mini_alignment_CPPFLAGS = $(AM_CPPFLAGS) $(NETTLE_CFLAGS)

I still would think to keep LDADD would be good.
If it turns out to be unneeded, we can have another MR for that. Technically, these are two independent changes.

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1082#note_223581288

From gnutls-devel at lists.gnutls.org Sun Sep 29 21:11:26 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 29 Sep 2019 19:11:26 +0000
Subject: [gnutls-devel] GnuTLS | Unexpected TLS packet during handshake with Twitter.com (#841)

Tim Rühsen commented:

From the man page:
```
DESCRIPTION
       Simple client program to set up a TLS connection to some other computer.
       It sets up a TLS connection and forwards data from the standard input
       to the secured socket and vice versa.
```

So it's possibly not the right tool for the job (sending several requests in one connection). But not sure, maybe you can send HTTP requests via stdin, but you have to hand-craft them.

Better, you take a tool like Wget or Curl and just give them a bunch of twitter URLs. Make sure they have been linked with GnuTLS.

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/841#note_223581745

From gnutls-devel at lists.gnutls.org Sun Sep 29 21:15:39 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 29 Sep 2019 19:15:39 +0000
Subject: [gnutls-devel] GnuTLS | Unexpected TLS packet during handshake with Twitter.com (#841)

Tim Rühsen commented:

Just a recursive download of https://twitter.com doesn't show any error with GnuTLS 3.6.9 here.
So I assume some special URLs or some oddities in libsoup (which cawbird is using under the hood).

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/841#note_223582054

From gnutls-devel at lists.gnutls.org Sun Sep 29 21:20:31 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 29 Sep 2019 19:20:31 +0000
Subject: [gnutls-devel] GnuTLS | Unexpected TLS packet during handshake with Twitter.com (#841)

IBBoard commented:

I was trying to send HTTP commands, but it kept dumping me out. I got it working after checking the Wireshark dump for a real request.

```
GET /1.1/statuses/mentions_timeline.json?count=28&tweet_mode=extended&include_entities=true HTTP/1.1
Host: api.twitter.com
```

I'll see what I can do with curl, and maybe poke libsoup. Thanks.

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/841#note_223582455

From gnutls-devel at lists.gnutls.org Sun Sep 29 21:39:02 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 29 Sep 2019 19:39:02 +0000
Subject: [gnutls-devel] GnuTLS | lib/algorithms: add AID values assigned by IANA (!1077)

Merge Request !1077 was approved by Nikos Mavrogiannopoulos

Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/1077
Project:Branches: GostCrypt/gnutls:gost-iana to gnutls/gnutls:master
Author: Dmitry Eremin-Solenikov
Assignees:

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1077

From gnutls-devel at lists.gnutls.org Mon Sep 30 08:41:17 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 30 Sep 2019 06:41:17 +0000
Subject: [gnutls-devel] GnuTLS | handle OID 1.3.6.1.4.1.11129.2.4.2 (x.509 extension for certificate transparency SCTs) (#232)

Patrick Mevzek commented:

I have begun to write code to parse the SCTs and display them by certtool (and the next steps would be to write them and then to handle the parsing of the TLS handshake). No promises for ETA, because I'm a beginner with gnutls source code, and very rusty with C.

As for the display, I am mimicking the openssl output, but adding the log name, besides its ID.

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/232#note_223659436

From gnutls-devel at lists.gnutls.org Mon Sep 30 09:33:47 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 30 Sep 2019 07:33:47 +0000
Subject: [gnutls-devel] GnuTLS | handle OID 1.3.6.1.4.1.11129.2.4.2 (x.509 extension for certificate transparency SCTs) (#232)

Tim Rühsen commented:

@pmevzek That's great to hear indeed ! Let me know if you need any help / review. You can also ask questions in the GnuTLS chatroom (https://matrix.to/#/!FPOzScOSeUMHcdcVrM:matrix.org?via=matrix.org).

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/232#note_223678645

From gnutls-devel at lists.gnutls.org Mon Sep 30 17:23:28 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 30 Sep 2019 15:23:28 +0000
Subject: [gnutls-devel] GnuTLS | Support for raw public keys for gnutls-cli and gnutls-serv (!1059)

Tom commented on a discussion on src/cli-args.def: https://gitlab.com/gnutls/gnutls/merge_requests/1059#note_223988732

> flags-must = x509keyfile; > }; > > +flag = { > + name = rawpkkeyfile;

I realized that we need the `rawpkkeyfile` flag because there are scenarios where you want to set both an x509 key pair and a raw pk key pair. In that case we need a way to tell which private key belongs to which public key. If we make `rawpkkeyfile` an alias for `x509keyfile` then that's not possible.

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1059#note_223988732

From gnutls-devel at lists.gnutls.org Mon Sep 30 18:19:14 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 30 Sep 2019 16:19:14 +0000
Subject: [gnutls-devel] GnuTLS | Delete orphaned settings of renamed test mini-alignment (!1082)

Andreas Metzler pushed new commits to merge request !1082
https://gitlab.com/gnutls/gnutls/merge_requests/1082

* 30fb1948 - cipher-alignment: migrate LDADD/CFLAGS after rename

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1082

From gnutls-devel at lists.gnutls.org Mon Sep 30 18:21:58 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 30 Sep 2019 16:21:58 +0000
Subject: [gnutls-devel] GnuTLS | cipher-alignment: migrate LDADD/CFLAGS after rename (!1082)

All discussions on Merge Request !1082 were resolved by Andreas Metzler
https://gitlab.com/gnutls/gnutls/merge_requests/1082

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1082

From gnutls-devel at lists.gnutls.org Mon Sep 30 18:21:58 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 30 Sep 2019 16:21:58 +0000
Subject: [gnutls-devel] GnuTLS | cipher-alignment: migrate LDADD/CFLAGS after rename (!1082)

Andreas Metzler commented on a discussion on tests/Makefile.am: https://gitlab.com/gnutls/gnutls/merge_requests/1082#note_224025578

> > rsa_illegal_import_CPPFLAGS = $(AM_CPPFLAGS) $(NETTLE_CFLAGS) > > -mini_alignment_CPPFLAGS = $(AM_CPPFLAGS) $(NETTLE_CFLAGS)

Okay. Updated and (force-)pushed.

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1082#note_224025578
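
Review bot: the removed line `-mini_alignment_CPPFLAGS = $(AM_CPPFLAGS) $(NETTLE_CFLAGS)` in tests/Makefile.am drops `$(NETTLE_CFLAGS)` for this test instead of carrying it over to the renamed target. A build where `NETTLE_CFLAGS` is empty will not notice, so the loss only shows up where nettle's headers live outside the default include path. Rename the variable to the new canonical prefix (`cipher_alignment_CPPFLAGS`), matching the `rsa_illegal_import_CPPFLAGS` line kept just above it, and treat any LDADD removal as a separate change so each can be tested on its own.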

From gnutls-devel at lists.gnutls.org Mon Sep 30 18:48:16 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 30 Sep 2019 16:48:16 +0000
Subject: [gnutls-devel] GnuTLS | Support for raw public keys for gnutls-cli and gnutls-serv (!1059)

All discussions on Merge Request !1059 were resolved by Tom
https://gitlab.com/gnutls/gnutls/merge_requests/1059

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1059

From gnutls-devel at lists.gnutls.org Mon Sep 30 21:29:34 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 30 Sep 2019 19:29:34 +0000
Subject: [gnutls-devel] GnuTLS | Unexpected TLS packet during handshake with Twitter.com (#841)

IBBoard commented:

I'm trying to recreate this in a simple code example, but I'm struggling to get it to handshake multiple times. Currently my test keeps the connection open and I'm not yet familiar enough with C/Vala/librest/caring about individual SSL connections to know how to make it behave differently (even though the code I'm using is just taken from elsewhere in the main app's code base, where I see multiple handshakes).

There's nothing special about the URLs (that I know of) - just standard Twitter API URLs. All the requests are going to api.twitter.com and a good action can come just after a bad action (when it isn't likely to have done a new DNS lookup), so it seems unlikely that it's an oddball server with different behaviour.

I don't know what libsoup might do, but is it possible for it to call GnuTLS in such a way that it triggers a New Session Ticket in a handshake from the server that GnuTLS isn't expecting?

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/841#note_224112854

From gnutls-devel at lists.gnutls.org Mon Sep 30 21:29:58 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 30 Sep 2019 19:29:58 +0000
Subject: [gnutls-devel] GnuTLS | Support for raw public keys for gnutls-cli and gnutls-serv (!1059)

Tom pushed new commits to merge request !1059
https://gitlab.com/gnutls/gnutls/merge_requests/1059

* b9dbe80d - Implemented raw public key support for gnutls-cli application.
* be17111d - Implemented raw public key support for gnutls-serv application.
* 1f53b13b - Added functional regression test for rawpk functionality in gnutls-cli and gnutls-srv.

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1059

From gnutls-devel at lists.gnutls.org Mon Sep 30 22:11:14 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 30 Sep 2019 20:11:14 +0000
Subject: [gnutls-devel] GnuTLS | Unexpected TLS packet during handshake with Twitter.com (#841)

IBBoard commented:

Okay, I've got a "minimal" Vala and [librest](https://github.com/GNOME/librest) case (plus the necessary vapi files) that will intermittently error.
No Twitter credentials required (because it's an SSL error and so we don't have to have a valid user)

```
async void ssl_test () {
  for (int i = 0; i < 60; i++) {
    var proxy = new Rest.OAuthProxy ("a", "b", "https://api.twitter.com/", false);
    var call = proxy.new_call ();
    call.set_method ("GET");
    call.set_function ("1.1/statuses/home_timeline.json");
    call.add_param ("since_id", "1173176929995907072");
    call.add_param ("count", "200");
    call.add_param ("contributor_details", "true");
    call.add_param ("tweet_mode", "extended");
    call.add_param ("include_my_retweet", "true");
    call.invoke_async.begin (null, (obj, res) => {
      try {
        call.invoke_async.end (res);
      } catch (GLib.Error e) {
        if (e.code < 400)
          warning(e.message);
      }
      ssl_test.callback();
    });
    yield;
    GLib.Thread.usleep(1000000 * 2);
  }
}

int main (string[] args) {
  var loop = new MainLoop();
  ssl_test.begin ((obj, res) => {
    loop.quit();
  });
  loop.run();
  return 0;
}
```

I saw about 15 out of the 60 requests return `Error performing TLS handshake: An unexpected TLS packet was received` when I just ran it. I'll try to strip it down from there on another night.

I had to put the proxy creation in the loop so that it didn't keep re-using the connection. I suspect other background tasks are consuming the connection pool in the app, which is why I saw different behaviour when reusing the proxy (as the app does).

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/841#note_224130264

From gnutls-devel at lists.gnutls.org Mon Sep 30 22:25:53 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 30 Sep 2019 20:25:53 +0000
Subject: [gnutls-devel] GnuTLS | Support for raw public keys for gnutls-cli and gnutls-serv (!1059)

Tom commented:

All done

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1059#note_224134442