From gnutls-devel at lists.gnutls.org Sat Aug 1 06:08:59 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 01 Aug 2020 04:08:59 +0000
Subject: [gnutls-devel] GnuTLS | Issues require labels (#1056)

GnuTLS bot created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1056

The following issues require labels:

- [ ] [static build: multiple definition of 'nettle_ecc_scalar_random'](https://gitlab.com/gnutls/gnutls/-/issues/1045)
- [ ] [Please update OpenSSL / cryptograms to 3.0.0-alpha1 or higher](https://gitlab.com/gnutls/gnutls/-/issues/1043)
- [ ] [gnutls_session_channel_binding returns empty binding data for TLS1.3](https://gitlab.com/gnutls/gnutls/-/issues/1041)
- [ ] [gnutls-cli does not report failed handshake when debug level < 3](https://gitlab.com/gnutls/gnutls/-/issues/1040)
- [ ] [FIPS restrictions are not as comprehensive as one might infer from the documentation](https://gitlab.com/gnutls/gnutls/-/issues/1039)
- [ ] [tests/cert-tests/pem-decoding fails after build with --disable-gost](https://gitlab.com/gnutls/gnutls/-/issues/1038)
- [ ] [gnutls-cli in pipes messes up the i/o stream](https://gitlab.com/gnutls/gnutls/-/issues/1037)
- [ ] [The official page with binaries for Windows is returning 404](https://gitlab.com/gnutls/gnutls/-/issues/1036)
- [ ] [Too small MAX_SEED_SIZE for PRF functions](https://gitlab.com/gnutls/gnutls/-/issues/1013)
- [ ] [Cannot connect to github.com, download.mono-project.com](https://gitlab.com/gnutls/gnutls/-/issues/990)

Please take care of them.

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1056
You're receiving this email because of your account on gitlab.com.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From gnutls-devel at lists.gnutls.org Sat Aug 1 07:11:12 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 01 Aug 2020 05:11:12 +0000
Subject: [gnutls-devel] GnuTLS | static build: multiple definition of 'nettle_ecc_scalar_random' (#1045)

jj jaquan rice commented:

Yes

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1045#note_389275163

From gnutls-devel at lists.gnutls.org Sat Aug 1 07:12:24 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 01 Aug 2020 05:12:24 +0000
Subject: [gnutls-devel] GnuTLS | Cannot connect to github.com, download.mono-project.com (#990)

jj jaquan rice commented:

Hi

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/990#note_389275237

From gnutls-devel at lists.gnutls.org Tue Aug 4 16:56:36 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 04 Aug 2020 14:56:36 +0000
Subject: [gnutls-devel] GnuTLS | Getting actual certificate path to a trusted CA (#1012)

Sahana Prasad commented:

I have started working on this.

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1012#note_390484824
From gnutls-devel at lists.gnutls.org Wed Aug 5 15:20:16 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 05 Aug 2020 13:20:16 +0000
Subject: [gnutls-devel] GnuTLS | The official page with binaries for Windows is returning 404 (#1036)

Luis Henrique commented:

Same, if you go to https://gitlab.com/gnutls/gnutls/builds it redirects to https://gitlab.com/gnutls/gnutls/-/jobs but I can't find where to download the artifacts.

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1036#note_391286251

From gnutls-devel at lists.gnutls.org Wed Aug 5 18:28:15 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 05 Aug 2020 16:28:15 +0000
Subject: [gnutls-devel] GnuTLS | The official page with binaries for Windows is returning 404 (#1036)

Daiki Ueno commented:

Yeah, I mistakenly marked the release commit as "[ci skip]" because it only contained documentation changes. Let me check if I can trigger the CI to produce the build.

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1036#note_391404815
From gnutls-devel at lists.gnutls.org Fri Aug 7 00:11:37 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 06 Aug 2020 22:11:37 +0000
Subject: [gnutls-devel] GnuTLS | Uninitialized lock when using pkcs11 private key for signing (#1060)

Stefan Berger created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1060

I am running into a locking issue when building my `swtpm` with the gnutls version in Rawhide. It's a single-threaded app that seems to run into an uninitialized lock that it doesn't get out of.

Here's the backtrace:

```
(gdb) thread apply all bt

Thread 1 (Thread 0x7fe6d4f54940 (LWP 214219)):
#0  0x00007fe6d46e0ea0 in __lll_lock_wait () from /lib64/libpthread.so.0
#1  0x00007fe6d46d9763 in pthread_mutex_lock () from /lib64/libpthread.so.0
#2  0x00007fe6d55a2f7e in gnutls_system_mutex_lock (priv=) at system/threads.c:119
#3  0x00007fe6d55dc674 in _gnutls_pkcs11_privkey_sign (key=0x1d62b80, se=, hash=0x7ffc17f0c040, signature=0x7ffc17f0c0c0, spki_params=0x7ffc17f0c100) at pkcs11_privkey.c:368
#4  0x00007fe6d55b054e in privkey_sign_and_hash_data (signer=0x1d62b10, se=0x7fe6d5709f80 , data=, signature=0x7ffc17f0c0c0, params=0x7ffc17f0c100) at privkey.c:1296
#5  0x00007fe6d561d215 in _gnutls_x509_pkix_sign (src=0x1e065d0, src_name=src_name@entry=0x7fe6d569c78c "tbsCertificate", dig=GNUTLS_DIG_SHA256, flags=flags@entry=0, issuer=issuer@entry=0x1e02fd0, issuer_key=issuer_key@entry=0x1d62b10) at sign.c:183
#6  0x00007fe6d562bfa4 in gnutls_x509_crt_privkey_sign (crt=0x1e032b0, issuer=0x1e02fd0, issuer_key=0x1d62b10, dig=, flags=0) at x509_write.c:1831
#7  0x0000000000403f25 in main (argc=, argv=) at ek-cert.c:1661
(gdb)

# rpm -q -a | grep gnutls
gnutls-3.6.14-2.fc33.x86_64
gnutls-dane-3.6.14-2.fc33.x86_64
gnutls-c++-3.6.14-2.fc33.x86_64
gnutls-devel-3.6.14-2.fc33.x86_64
gnutls-utils-3.6.14-2.fc33.x86_64
gnutls-debugsource-3.6.14-2.fc33.x86_64
gnutls-debuginfo-3.6.14-2.fc33.x86_64
```

The program I am using is this one here: https://github.com/stefanberger/swtpm/blob/stable-0.3.0/src/swtpm_cert/ek-cert.c#L1662

Cheers!
Stefan

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1060

From gnutls-devel at lists.gnutls.org Fri Aug 7 09:28:29 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 07 Aug 2020 07:28:29 +0000
Subject: [gnutls-devel] GnuTLS | Uninitialized lock when using pkcs11 private key for signing (#1060)

Daiki Ueno commented:

This can be the same cause as #1044. I've ported the patch to Fedora package, but the build is currently failing due to a [toolchain issue](https://bugzilla.redhat.com/show_bug.cgi?id=1863737).

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1060#note_392260362

From gnutls-devel at lists.gnutls.org Fri Aug 7 12:43:16 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 07 Aug 2020 10:43:16 +0000
Subject: [gnutls-devel] GnuTLS | Uninitialized lock when using pkcs11 private key for signing (#1060)

Stefan Berger commented:

Ha, James ran into this problem. The world is small. I had the toolchain issue a while ago also when binutils's ar crashed on my package. Ok, will try again in a few days then.

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1060#note_392364570
From gnutls-devel at lists.gnutls.org Fri Aug 7 20:02:42 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 07 Aug 2020 18:02:42 +0000
Subject: [gnutls-devel] GnuTLS | Fix typo in API docs (!1302)

Michael Catanzaro created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1302

Project:Branches: TheRealMichaelCatanzaro/gnutls:mcatanzaro/typo to gnutls/gnutls:master
Author: Michael Catanzaro

Add a description of the new feature/bug fix. Reference any relevant bugs.

## Checklist

* [x] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [ ] Code modified for feature
* [ ] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
* [x] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:

* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1302
From gnutls-devel at lists.gnutls.org Fri Aug 7 20:08:47 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 07 Aug 2020 18:08:47 +0000
Subject: [gnutls-devel] GnuTLS | Fix typo in API docs (!1302)

Merge Request !1302 was approved by Daiki Ueno

Merge Request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1302
Project:Branches: TheRealMichaelCatanzaro/gnutls:mcatanzaro/typo to gnutls/gnutls:master
Author: Michael Catanzaro
Assignees:

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1302

From gnutls-devel at lists.gnutls.org Fri Aug 7 20:09:44 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 07 Aug 2020 18:09:44 +0000
Subject: [gnutls-devel] GnuTLS | Fix typo in API docs (!1302)

Daiki Ueno commented:

Thanks; I guess we should add spell-checking like codespell in our CI some day...

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1302#note_392576838
From gnutls-devel at lists.gnutls.org Fri Aug 7 20:58:28 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 07 Aug 2020 18:58:28 +0000
Subject: [gnutls-devel] GnuTLS | Fix invalid free in missing issuer test case error path (!1303)

Michael Catanzaro created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1303

Project:Branches: TheRealMichaelCatanzaro/gnutls:mcatanzaro/test-missingissuer to gnutls/gnutls:master
Author: Michael Catanzaro

Fix invalid free in missing issuer test case error path

## Checklist

* [x] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [ ] Code modified for feature
* [ ] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
* [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:

* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1303
From gnutls-devel at lists.gnutls.org Fri Aug 7 21:29:30 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 07 Aug 2020 19:29:30 +0000
Subject: [gnutls-devel] GnuTLS | Fix typo in API docs (!1302)

Merge Request !1302 was merged

Merge Request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1302
Project:Branches: TheRealMichaelCatanzaro/gnutls:mcatanzaro/typo to gnutls/gnutls:master
Author: Michael Catanzaro
Assignees:

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1302

From gnutls-devel at lists.gnutls.org Fri Aug 7 21:39:20 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 07 Aug 2020 19:39:20 +0000
Subject: [gnutls-devel] GnuTLS | AIA callback to retrieve missing chain certificates (!1262)

Michael Catanzaro commented:

OK, I found some time to work on this today. The API is mostly good, but I notice there's no user data parameter for the callback function, so no way to access application state inside the callback. I think I'll be OK without it, but it probably merits having a gnutls_x509_trust_list_set_ptr() akin to the existing gnutls_session_set_ptr() to set some pointer that gets passed to the callbacks.

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1262#note_392636701
From gnutls-devel at lists.gnutls.org Sat Aug 8 01:33:56 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 07 Aug 2020 23:33:56 +0000
Subject: [gnutls-devel] GnuTLS | AIA callback to retrieve missing chain certificates (!1262)

Michael Catanzaro commented:

OK, *it works!* Amazing, thanks Sahana! I've verified against https://complaint.consumerfinance.gov/, https://investors.centene.com/, https://speedqueen.com/, https://covid19risk.biosci.gatech.edu/, and https://linuxone.cloud.marist.edu/ and I'm now able to load all of the above.

TODO:

* Add some way to get user data in the callback. gnutls_x509_trust_list_set_ptr() is my best idea. @dueno would that API be accepted?
* Probably want to support this in gnutls-cli since it's important for debugging.

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1262#note_392681841

From gnutls-devel at lists.gnutls.org Sat Aug 8 01:47:37 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 07 Aug 2020 23:47:37 +0000
Subject: [gnutls-devel] GnuTLS | AIA callback to retrieve missing chain certificates (!1262)

Michael Catanzaro commented:

glib-net commit (WIP because I haven't yet decided if it's worth making the testsuite run an HTTP server to be able to test if it works): https://gitlab.gnome.org/GNOME/glib-networking/-/merge_requests/135/diffs

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1262#note_392683189
From gnutls-devel at lists.gnutls.org Sat Aug 8 14:40:51 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 08 Aug 2020 12:40:51 +0000
Subject: [gnutls-devel] GnuTLS | AIA callback to retrieve missing chain certificates (!1262)

Daiki Ueno commented:

> Add some way to get user data in the callback. gnutls_x509_trust_list_set_ptr() is my best idea. @dueno would that API be accepted?

Yes, we actually discussed this during the review, and postponed it until any application need arises.

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1262#note_392753104

From gnutls-devel at lists.gnutls.org Sat Aug 8 17:48:33 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 08 Aug 2020 15:48:33 +0000
Subject: [gnutls-devel] GnuTLS | Fix invalid free in missing issuer test case error path (!1303)

Merge Request !1303 was merged

Merge Request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1303
Project:Branches: TheRealMichaelCatanzaro/gnutls:mcatanzaro/test-missingissuer to gnutls/gnutls:master
Author: Michael Catanzaro
Assignees:

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1303
From gnutls-devel at lists.gnutls.org Sat Aug 8 17:48:21 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 08 Aug 2020 15:48:21 +0000
Subject: [gnutls-devel] GnuTLS | Fix invalid free in missing issuer test case error path (!1303)

Merge Request !1303 was approved by Daiki Ueno

Merge Request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1303
Project:Branches: TheRealMichaelCatanzaro/gnutls:mcatanzaro/test-missingissuer to gnutls/gnutls:master
Author: Michael Catanzaro
Assignees:

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1303

From gnutls-devel at lists.gnutls.org Sat Aug 8 17:48:30 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 08 Aug 2020 15:48:30 +0000
Subject: [gnutls-devel] GnuTLS | Fix invalid free in missing issuer test case error path (!1303)

Daiki Ueno commented:

Thanks!

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1303#note_392772197

From gnutls-devel at lists.gnutls.org Mon Aug 10 10:43:16 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 10 Aug 2020 08:43:16 +0000
Subject: [gnutls-devel] GnuTLS | AIA callback to retrieve missing chain certificates (!1262)

Sahana Prasad commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/1262#note_393107273

Great, thanks for trying it Michael! Yes, I'll work on the TODOs you have mentioned.
-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1262#note_393107273

From gnutls-devel at lists.gnutls.org Mon Aug 10 10:43:56 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 10 Aug 2020 08:43:56 +0000
Subject: [gnutls-devel] GnuTLS | AIA callback to retrieve missing chain certificates (!1262)

Sahana Prasad commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/1262#note_393107693

@dueno I'll work on it.

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1262#note_393107693

From gnutls-devel at lists.gnutls.org Wed Aug 12 07:47:22 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 12 Aug 2020 05:47:22 +0000
Subject: [gnutls-devel] GnuTLS | cert-session: ensure that invalid flag is always set (!1304)

Daiki Ueno created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1304

Branches: tmp-cert-invalid to master
Author: Daiki Ueno

According to the documentation, the `GNUTLS_CERT_INVALID` flag must always be set in case of verification failure, together with the flag indicating the actual error cause.
## Checklist

* [x] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [ ] Code modified for feature
* [ ] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
* [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:

* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1304

From gnutls-devel at lists.gnutls.org Wed Aug 12 08:12:34 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 12 Aug 2020 06:12:34 +0000
Subject: [gnutls-devel] GnuTLS | doc: assorted typo fixes (!1305)

Daiki Ueno created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1305

Branches: tmp-typo-fixes to master
Author: Daiki Ueno

Add a description of the new feature/bug fix. Reference any relevant bugs.
## Checklist

* [x] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [ ] Code modified for feature
* [ ] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
* [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:

* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1305

From gnutls-devel at lists.gnutls.org Wed Aug 12 09:32:51 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 12 Aug 2020 07:32:51 +0000
Subject: [gnutls-devel] GnuTLS | _gnutls_fips_mode_enabled: treat selftest failure as FIPS disabled (!1306)

Daiki Ueno created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1306

Branches: tmp-fips-enabled to master
Author: Daiki Ueno

Add a description of the new feature/bug fix. Reference any relevant bugs.
## Checklist

* [x] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [ ] Code modified for feature
* [ ] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
* [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:

* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1306

From gnutls-devel at lists.gnutls.org Wed Aug 12 09:41:49 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 12 Aug 2020 07:41:49 +0000
Subject: [gnutls-devel] GnuTLS | doc: assorted typo fixes (!1305)

Sahana Prasad commented:

LGTM

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1305#note_394613292
From gnutls-devel at lists.gnutls.org Wed Aug 12 10:04:59 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 12 Aug 2020 08:04:59 +0000
Subject: [gnutls-devel] GnuTLS | cert-session: ensure that invalid flag is always set (!1304)

Sahana Prasad started a new discussion on src/common.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1304#note_394625405

> 
> gnutls_free(out.data);
> 
> - if (status)
> + if (status) {
> + if (!(status & GNUTLS_CERT_INVALID))

So when anything other than `GNUTLS_CERT_INVALID` is set in status, you would like to abort? Could you clarify why this would be needed?

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1304#note_394625405

From gnutls-devel at lists.gnutls.org Wed Aug 12 10:08:01 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 12 Aug 2020 08:08:01 +0000
Subject: [gnutls-devel] GnuTLS | cert-session: ensure that invalid flag is always set (!1304)

Daiki Ueno commented on a discussion on src/common.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1304#note_394626917

> 
> gnutls_free(out.data);
> 
> - if (status)
> + if (status) {
> + if (!(status & GNUTLS_CERT_INVALID))

This is to ensure the [documented](https://www.gnutls.org/manual/html_node/Verifying-X_002e509-certificate-paths.html#Verifying-X_002e509-certificate-paths) behavior: "The GNUTLS_CERT_INVALID flag is always set on a verification error and more detailed flags will also be set when appropriate." IMO this is redundant, but some applications rely on it and we can't break them by removing the invariant.
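Review bot: the quoted context stops at `if (!(status & GNUTLS_CERT_INVALID))`, so what the new branch does when the invariant is violated is not visible here, and the thread only says it is an abort; since this is a utility in src/common.c shared by the command-line tools, a one-line comment at that site citing the documented rule ("GNUTLS_CERT_INVALID is always set on a verification error") would tell a later reader why a non-zero status without that bit is treated as a library bug rather than as an ordinary verification failure.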
-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1304#note_394626917

From gnutls-devel at lists.gnutls.org Wed Aug 12 10:12:51 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 12 Aug 2020 08:12:51 +0000
Subject: [gnutls-devel] GnuTLS | _gnutls_fips_mode_enabled: treat selftest failure as FIPS disabled (!1306)

Sahana Prasad started a new discussion on lib/fips.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1306#note_394629816

> #ifdef ENABLE_FIPS140
> unsigned ret = _gnutls_fips_mode_enabled();
> 
> - if (ret > GNUTLS_FIPS140_DISABLED)
> + if (ret > GNUTLS_FIPS140_DISABLED) {
> + /* If the previous run of selftests has failed, return as if
> + * the FIPS mode is disabled. We could use HAVE_LIB_ERROR, if

Could we also add something like "caller must check the macro HAVE_LIB_ERROR() after the operation" updated in the function description?

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1306#note_394629816
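Review bot: the comment added inside the `if (ret > GNUTLS_FIPS140_DISABLED) {` branch is cut off in the quoted context ("We could use HAVE_LIB_ERROR, if"), and the behaviour it describes, reporting FIPS mode as disabled after a failed selftest, changes the contract of every caller of `_gnutls_fips_mode_enabled()`; please also state it in the function's description, as Sahana suggests, and have the comment say which state the check reads so a reader can confirm a failed selftest cannot be masked by a stale value.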
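The invariant argued over in the !1304 discussion above ("GNUTLS_CERT_INVALID is always set on a verification error") matters most to the applications that consume the status bitmask. As an added example, not GnuTLS code and not from any poster, the block below shows the caller-side handling: it treats any non-zero status as a failure, detects a status that violates the documented invariant, and decodes the detail flags for logging. The flag values are assumed to mirror `enum gnutls_certificate_status_t` from the GnuTLS headers so that the file builds without linking the library.

```c
/* Added example, not GnuTLS code: models how an application consumes the
 * gnutls_certificate_status_t bitmask returned by the verification API and
 * checks the invariant enforced by !1304 ("GNUTLS_CERT_INVALID is always set
 * on a verification error").  Assumption: the values below mirror the enum in
 * <gnutls/x509.h>; only a subset is listed, and the library is not linked. */
#include <stdio.h>
#include <stddef.h>
#include <string.h>

#define CERT_INVALID             (1u << 1)
#define CERT_REVOKED             (1u << 5)
#define CERT_SIGNER_NOT_FOUND    (1u << 6)
#define CERT_SIGNER_NOT_CA       (1u << 7)
#define CERT_INSECURE_ALGORITHM  (1u << 8)
#define CERT_NOT_ACTIVATED       (1u << 9)
#define CERT_EXPIRED             (1u << 10)
#define CERT_SIGNATURE_FAILURE   (1u << 11)
#define CERT_INVALID_OCSP_STATUS (1u << 20)

enum verdict {
    VERDICT_TRUSTED = 0,          /* status == 0: chain verified */
    VERDICT_REJECTED = 1,         /* status != 0 with CERT_INVALID set, as documented */
    VERDICT_INVARIANT_BROKEN = 2  /* status != 0 but CERT_INVALID missing: what !1304 fixes */
};

static const struct { unsigned flag; const char *name; } detail_flags[] = {
    { CERT_REVOKED,             "revoked" },
    { CERT_SIGNER_NOT_FOUND,    "signer-not-found" },
    { CERT_SIGNER_NOT_CA,       "signer-not-ca" },
    { CERT_INSECURE_ALGORITHM,  "insecure-algorithm" },
    { CERT_NOT_ACTIVATED,       "not-activated" },
    { CERT_EXPIRED,             "expired" },
    { CERT_SIGNATURE_FAILURE,   "signature-failure" },
    { CERT_INVALID_OCSP_STATUS, "invalid-ocsp-status" },
};
#define N_DETAIL (sizeof detail_flags / sizeof detail_flags[0])

/* The application-side decision.  Any non-zero status is a failure; testing
 * only CERT_INVALID would silently accept a peer if the library ever violated
 * the documented invariant, so the invariant is checked rather than relied on. */
enum verdict classify_status(unsigned status)
{
    if (status == 0)
        return VERDICT_TRUSTED;
    if (!(status & CERT_INVALID))
        return VERDICT_INVARIANT_BROKEN;
    return VERDICT_REJECTED;
}

/* Render the detail flags (everything except CERT_INVALID) as a comma-separated
 * list for logging; unknown bits are reported in hex rather than dropped.
 * Returns the number of items written.  On truncation the buffer stays
 * NUL-terminated and the count covers only the items that fit. */
size_t describe_status(unsigned status, char *buf, size_t buflen)
{
    size_t n = 0, used = 0;
    unsigned known = CERT_INVALID;

    if (buflen == 0)
        return 0;
    buf[0] = '\0';
    for (size_t i = 0; i < N_DETAIL; i++) {
        known |= detail_flags[i].flag;
        if (!(status & detail_flags[i].flag))
            continue;
        int w = snprintf(buf + used, buflen - used, "%s%s",
                         n ? "," : "", detail_flags[i].name);
        if (w < 0 || (size_t)w >= buflen - used)
            return n;                     /* truncated: keep what fit */
        used += (size_t)w;
        n++;
    }
    if (status & ~known) {
        int w = snprintf(buf + used, buflen - used, "%sunknown(0x%x)",
                         n ? "," : "", status & ~known);
        if (w >= 0 && (size_t)w < buflen - used)
            n++;
    }
    return n;
}

int main(void)
{
    /* Constructed sample statuses: a clean chain, an expired leaf as the
     * library reports it, the same error with the invariant violated, and the
     * OCSP case from issue #1062 (response for an unrelated certificate). */
    const unsigned samples[] = {
        0,
        CERT_INVALID | CERT_EXPIRED,
        CERT_EXPIRED,
        CERT_INVALID | CERT_INVALID_OCSP_STATUS,
    };
    static const char *const names[] = { "trusted", "rejected", "invariant-broken" };

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        char detail[128];
        describe_status(samples[i], detail, sizeof detail);
        printf("status=0x%x verdict=%s detail=[%s]\n",
               samples[i], names[classify_status(samples[i])], detail);
    }
    return 0;
}
```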
From gnutls-devel at lists.gnutls.org Wed Aug 12 10:16:39 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 12 Aug 2020 08:16:39 +0000
Subject: [gnutls-devel] GnuTLS | cert-session: ensure that invalid flag is always set (!1304)

All discussions on Merge Request !1304 were resolved by Sahana Prasad

https://gitlab.com/gnutls/gnutls/-/merge_requests/1304

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1304

From gnutls-devel at lists.gnutls.org Wed Aug 12 12:33:07 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 12 Aug 2020 10:33:07 +0000
Subject: [gnutls-devel] GnuTLS | Cannot connect to github.com, download.mono-project.com (#990)

Maarten Boekhold commented:

Hi all, probably one of the last updates to this issue. In the last few days I've seen a few reports that China is now blocking TLS1.3 connections that use ESNI: https://www.theregister.com/2020/08/11/china_blocking_tls_1_3_esni/

I strongly suspect that this same blocking is happening in the UAE, which is probably causing my issue. If so, there's nothing to do about it from my end except the system-wide block on using TLS1.3 that I've now configured on my workstation.

This could become a real problem once more and more web sites are going to *require* TLS1.3 + ESNI...

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/990#note_394715499
From gnutls-devel at lists.gnutls.org Thu Aug 13 11:59:53 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 13 Aug 2020 09:59:53 +0000
Subject: [gnutls-devel] GnuTLS | Got OCSP response with an unrelated certificate, OCSP status response is invalid. (#1062)

Giovanni Biscuolo created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1062

## Description of problem:

Programs using GnuTLS - tested with curl - cannot access actorws.epa.gov

## Version of gnutls used:

3.6.7

## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)

GNU Guix

## How reproducible:

``` shell
user at host: gnutls-cli --save-ocsp /tmp/actorws-ocsp.der --save-cert /tmp/actorws-certs.pem actorws.epa.gov

Processed 128 CA certificate(s).
Resolving 'actorws.epa.gov:443'...
Connecting to '134.67.99.60:443'...
- Certificate type: X.509
- Got a certificate list of 2 certificates.
- Certificate[0] info:
 - subject `CN=*.epa.gov,OU=OMS/OITO/EHD,O=Environmental Protection Agency,L=Durham,ST=North Carolina,C=US', issuer `CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US', serial 0x0caca7602da89b50c3820b33518c827a, RSA key 2048 bits, signed using RSA-SHA256, activated `2019-04-25 00:00:00 UTC', expires `2021-04-19 12:00:00 UTC', pin-sha256="o5d2tkYzGNEoALzaPpAd5q+Sima2MnbbItE64CpyDCk="
	Public Key ID:
		sha1:884a27ada33cc533411036cde08f7c83bee2580e
		sha256:a39776b6463318d12800bcda3e901de6af928a66b63276db22d13ae02a720c29
	Public Key PIN:
		pin-sha256:o5d2tkYzGNEoALzaPpAd5q+Sima2MnbbItE64CpyDCk=

- Certificate[1] info:
 - subject `CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US', issuer `CN=DigiCert Global Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US', serial 0x01fda3eb6eca75c888438b724bcfbc91, RSA key 2048 bits, signed using RSA-SHA256, activated `2013-03-08 12:00:00 UTC', expires `2023-03-08 12:00:00 UTC', pin-sha256="5kJvNEMw0KjrCAu7eXY5HZdvyCS13BbA0VJG1RSP91w="
|<1>| Got OCSP response with an unrelated certificate.
- Status: The certificate is NOT trusted. The received OCSP status response is invalid.
*** PKI verification of server certificate failed...
*** Fatal error: Error in the certificate.
[~]-
```

Please see the attached files from the above mentioned command:

[actorws-ocsp.der](/uploads/c71b07d68b4a87acedc53b66dc1ccaf0/actorws-ocsp.der)
[actorws-certs.pem](/uploads/557a5033d59afc3dae1ec7d00b9d21cd/actorws-certs.pem)

## Expected results:

Using a web browser (tested with chromium and firefox) the certificate is valid: not sure if the browser behaviour is correct or not

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1062

From gnutls-devel at lists.gnutls.org Thu Aug 13 12:07:37 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 13 Aug 2020 10:07:37 +0000
Subject: [gnutls-devel] GnuTLS | Mangle/hide GNUTLS-built ecc_scalar_random() (!1300)

Daiki Ueno started a new discussion on devel/import-ecc-from-nettle.sh: https://gitlab.com/gnutls/gnutls/-/merge_requests/1300#note_395423261

> ;;
> */ecc-random.c )
> sed \
> - -e 's/"nettle-internal\.h"/"nettle-alloca.h"/' \
> + -e 's/"nettle-internal\.h"/"nettle-alloca.h"\nvoid ecc_scalar_random(struct ecc_scalar \*, void \*, nettle_random_func \*);/' \

Using a backslash escape (`\n`) in replacement is not portable, for example:

```console
ueno at gcc-solaris10:~$ echo a > a
ueno at gcc-solaris10:~$ sed 's/a/"bar"\n"foo"/' a
"bar"n"foo"
```

I'd suggest using `i` and `d` combination as in: https://gitlab.com/gnutls/gnutls/-/blob/master/devel/import-from-nettle.sh#L134

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1300#note_395423261
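Review bot: beyond the `\n` that Daiki's Solaris run shows is not portable, the `\*` sequences in the added replacement `"nettle-alloca.h"\nvoid ecc_scalar_random(struct ecc_scalar \*, void \*, nettle_random_func \*);` are also unspecified by POSIX, since on the right-hand side of `s///` a backslash before anything other than `&`, `\`, a digit, a newline or the delimiter has no defined meaning, and `*` needs no escaping there at all; write the asterisks plainly. Burying a function prototype inside a `sed` replacement string also makes it hard to read and to keep in step with nettle's own declaration of `ecc_scalar_random`; with the `i`/`d` rewrite suggested above, the declaration can sit on its own line of the script where it is plainly visible.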
From gnutls-devel at lists.gnutls.org Thu Aug 13 12:08:17 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 13 Aug 2020 10:08:17 +0000
Subject: [gnutls-devel] GnuTLS | Mangle/hide GNUTLS-built ecc_scalar_random() (!1300)

Daiki Ueno commented:

Other than that, it looks good to me. Thanks for looking into it!

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1300#note_395423690

From gnutls-devel at lists.gnutls.org Thu Aug 13 15:21:10 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 13 Aug 2020 13:21:10 +0000
Subject: [gnutls-devel] GnuTLS | Got OCSP response with an unrelated certificate, OCSP status response is invalid. (#1062)

Daiki Ueno commented:

Thank you for the report. The reason seems to be that the server reports `OCSPResponseStatus.tryLater` status while the check is missing in the `gnutls_certificate_verify_peers` code path.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1062#note_395538717
From gnutls-devel at lists.gnutls.org Thu Aug 13 15:25:28 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 13 Aug 2020 13:25:28 +0000
Subject: [gnutls-devel] GnuTLS | Copy Finished packet to cb_tls_unique buffer in tls13/finished (!1293)

Daiki Ueno commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/1293#note_395541498

> However since it's not yet adopted we cannot put it into public api.

I suppose it's no harm to add it with a new `gnutls_channel_binding_t` enum value, explicitly stating that the spec is not finalized yet.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1293#note_395541498

From gnutls-devel at lists.gnutls.org Thu Aug 13 15:59:17 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 13 Aug 2020 13:59:17 +0000
Subject: [gnutls-devel] GnuTLS | minitasn1: move WARN_CFLAGS setting to configure.ac (!1307)

Daiki Ueno created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1307

Branches: tmp-type-limits to master
Author: Daiki Ueno

Fixes #1022

## Checklist

* [x] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [ ] Code modified for feature
* [ ] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
* [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:

* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1307

From gnutls-devel at lists.gnutls.org Thu Aug 13 16:56:20 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 13 Aug 2020 14:56:20 +0000
Subject: [gnutls-devel] GnuTLS | Got OCSP response with an unrelated certificate, OCSP status response is invalid. (#1062)

Giovanni Biscuolo commented:

Hello,

Giovanni Biscuolo writes:

[...]

> ## Version of gnutls used:
>
> 3.6.7
>
> ## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)
>
> GNU Guix

No sorry, I was wrong: the correct version used in Guix is 3.6.14

In my tests with gnutls-cli I was using the Debian installed version (I use Guix on top of Debian)

I've tested with the binary packaged in Guix (3.6.14) and the error is the same

> ## How reproducible:
>
> ``` shell
> user at host: gnutls-cli --save-ocsp /tmp/actorws-ocsp.der --save-cert /tmp/actorws-certs.pem actorws.epa.gov
>
> Processed 128 CA certificate(s).
> Resolving 'actorws.epa.gov:443'...
> Connecting to '134.67.99.60:443'...
> - Certificate type: X.509
> - Got a certificate list of 2 certificates.
> - Certificate[0] info:
>  - subject `CN=*.epa.gov,OU=OMS/OITO/EHD,O=Environmental Protection Agency,L=Durham,ST=North Carolina,C=US', issuer `CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US', serial 0x0caca7602da89b50c3820b33518c827a, RSA key 2048 bits, signed using RSA-SHA256, activated `2019-04-25 00:00:00 UTC', expires `2021-04-19 12:00:00 UTC', pin-sha256="o5d2tkYzGNEoALzaPpAd5q+Sima2MnbbItE64CpyDCk="
> 	Public Key ID:
> 		sha1:884a27ada33cc533411036cde08f7c83bee2580e
> 		sha256:a39776b6463318d12800bcda3e901de6af928a66b63276db22d13ae02a720c29
> 	Public Key PIN:
> 		pin-sha256:o5d2tkYzGNEoALzaPpAd5q+Sima2MnbbItE64CpyDCk=
>
> - Certificate[1] info:
>  - subject `CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US', issuer `CN=DigiCert Global Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US', serial 0x01fda3eb6eca75c888438b724bcfbc91, RSA key 2048 bits, signed using RSA-SHA256, activated `2013-03-08 12:00:00 UTC', expires `2023-03-08 12:00:00 UTC', pin-sha256="5kJvNEMw0KjrCAu7eXY5HZdvyCS13BbA0VJG1RSP91w="
> |<1>| Got OCSP response with an unrelated certificate.
> - Status: The certificate is NOT trusted. The received OCSP status response is invalid.
> *** PKI verification of server certificate failed...
> *** Fatal error: Error in the certificate.
> [~]-
> ```

Best regards,

Gio'

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1062#note_395603359
From gnutls-devel at lists.gnutls.org Thu Aug 13 18:27:50 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 13 Aug 2020 16:27:50 +0000
Subject: [gnutls-devel] GnuTLS | Rework TLS handshake state machine (#1063)

Daiki Ueno created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1063

The current implementation of the TLS handshake state machine consists of huge chunks of `switch` statements. This is making it difficult to enhance the code, in particular when any corner case handling is needed. It would be helpful if that part is rewritten using the [State pattern](https://en.wikipedia.org/wiki/State_pattern) or alike.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1063

From gnutls-devel at lists.gnutls.org Thu Aug 13 18:34:02 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 13 Aug 2020 16:34:02 +0000
Subject: [gnutls-devel] GnuTLS | Copy Finished packet to cb_tls_unique buffer in tls13/finished (!1293)

Ruslan Marchenko commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/1293#note_395659441

Yes, which we did (although slightly differently, as a hidden/undocumented enum value). But that doesn't change the fact that currently tls-unique is completely broken in GnuTLS for TLS1.3

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1293#note_395659441
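To make the rewrite proposed in issue #1063 above concrete, here is an added example (not GnuTLS code; the message set, state names and the server-side view are simplifying assumptions) of a handshake driver in the State pattern. Each state is a small object owning the handler for the next message, and the driver is one dispatch call that fails closed on anything a state does not explicitly accept, which is where the corner-case handling Daiki mentions ends up living, one state at a time, instead of inside a large `switch`:

```c
#include <stddef.h>
#include <stdio.h>

/* Messages as seen by a (much simplified) TLS server. Assumed set. */
enum hs_msg { MSG_CLIENT_HELLO, MSG_FINISHED, MSG_APP_DATA, MSG_KEY_UPDATE };

enum hs_state_id { ST_WAIT_CLIENT_HELLO, ST_WAIT_FINISHED, ST_CONNECTED, ST_ERROR, ST_COUNT };

typedef struct {
    enum hs_state_id state;
    unsigned app_records;   /* records accepted after the handshake completed */
} hs_session_t;

/* One state object: a name for logging plus the handler that decides what
 * the next message means while the session is in this state. */
typedef struct {
    const char *name;
    enum hs_state_id (*on_message)(hs_session_t *s, enum hs_msg m);
} hs_state_t;

static enum hs_state_id on_wait_client_hello(hs_session_t *s, enum hs_msg m)
{
    (void)s;
    return m == MSG_CLIENT_HELLO ? ST_WAIT_FINISHED : ST_ERROR;
}

static enum hs_state_id on_wait_finished(hs_session_t *s, enum hs_msg m)
{
    (void)s;
    /* Only Finished is meaningful here; a repeated ClientHello or early
     * application data is rejected without any special casing elsewhere. */
    return m == MSG_FINISHED ? ST_CONNECTED : ST_ERROR;
}

static enum hs_state_id on_connected(hs_session_t *s, enum hs_msg m)
{
    switch (m) {
    case MSG_APP_DATA:
        s->app_records++;
        return ST_CONNECTED;
    case MSG_KEY_UPDATE:    /* post-handshake message that is allowed here */
        return ST_CONNECTED;
    default:                /* handshake messages after completion: refuse */
        return ST_ERROR;
    }
}

static enum hs_state_id on_error(hs_session_t *s, enum hs_msg m)
{
    (void)s; (void)m;
    return ST_ERROR;        /* absorbing state: nothing is accepted once failed */
}

static const hs_state_t STATES[ST_COUNT] = {
    [ST_WAIT_CLIENT_HELLO] = { "WAIT_CLIENT_HELLO", on_wait_client_hello },
    [ST_WAIT_FINISHED]     = { "WAIT_FINISHED",     on_wait_finished },
    [ST_CONNECTED]         = { "CONNECTED",         on_connected },
    [ST_ERROR]             = { "ERROR",             on_error },
};

/* The driver knows nothing about individual messages; it delegates to the
 * current state. Returns 0 if accepted, -1 if the session is now in error. */
int hs_feed(hs_session_t *s, enum hs_msg m)
{
    s->state = STATES[s->state].on_message(s, m);
    return s->state == ST_ERROR ? -1 : 0;
}

/* Feed a whole sequence, stopping at the first rejected message. */
enum hs_state_id hs_run(const enum hs_msg *msgs, size_t n, unsigned *app_records)
{
    hs_session_t s = { ST_WAIT_CLIENT_HELLO, 0 };
    for (size_t i = 0; i < n; i++)
        if (hs_feed(&s, msgs[i]) != 0)
            break;
    if (app_records)
        *app_records = s.app_records;
    return s.state;
}

/* Records accepted before the session failed or the sequence ended. */
unsigned hs_accepted_records(const enum hs_msg *msgs, size_t n)
{
    unsigned r;
    hs_run(msgs, n, &r);
    return r;
}

/* Constructed message sequences for demonstration. */
static const enum hs_msg SEQ_NORMAL[] = { MSG_CLIENT_HELLO, MSG_FINISHED, MSG_APP_DATA, MSG_KEY_UPDATE, MSG_APP_DATA };
static const enum hs_msg SEQ_EARLY_FINISHED[] = { MSG_FINISHED, MSG_CLIENT_HELLO };
static const enum hs_msg SEQ_LATE_HELLO[] = { MSG_CLIENT_HELLO, MSG_FINISHED, MSG_CLIENT_HELLO, MSG_APP_DATA };
#define N(a) (sizeof(a) / sizeof((a)[0]))

int main(void)
{
    unsigned recs;
    enum hs_state_id end = hs_run(SEQ_NORMAL, N(SEQ_NORMAL), &recs);
    printf("normal:     end state %s, %u app records\n", STATES[end].name, recs);
    end = hs_run(SEQ_LATE_HELLO, N(SEQ_LATE_HELLO), &recs);
    printf("late hello: end state %s, %u app records\n", STATES[end].name, recs);
    return 0;
}
```

Adding a new corner case means adding or adjusting one handler (or one new state object) rather than threading another condition through a shared `switch`; the driver and the other states stay untouched, and any message a state does not list is rejected by default.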
From gnutls-devel at lists.gnutls.org Fri Aug 14 08:28:18 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 14 Aug 2020 06:28:18 +0000
Subject: [gnutls-devel] GnuTLS | Mangle/hide GNUTLS-built ecc_scalar_random() (!1300)

All discussions on Merge Request !1300 were resolved by Steve Lhomme https://gitlab.com/gnutls/gnutls/-/merge_requests/1300

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1300

From gnutls-devel at lists.gnutls.org Fri Aug 14 08:28:18 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 14 Aug 2020 06:28:18 +0000
Subject: [gnutls-devel] GnuTLS | Mangle/hide GNUTLS-built ecc_scalar_random() (!1300)

Merge request https://gitlab.com/gnutls/gnutls/-/merge_requests/1300 was reviewed by Steve Lhomme

--

Steve Lhomme commented on a discussion on devel/import-ecc-from-nettle.sh: https://gitlab.com/gnutls/gnutls/-/merge_requests/1300#note_395925388

> sed \
> - -e 's/"nettle-internal\.h"/"nettle-alloca.h"/' \
> + -e 's/"nettle-internal\.h"/"nettle-alloca.h"\nvoid ecc_scalar_random(struct ecc_scalar \*, void \*, nettle_random_func \*);/' \

I updated the MR with your suggestion, it's much more readable. Thanks for the hint!

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1300
From gnutls-devel at lists.gnutls.org Fri Aug 14 09:58:14 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 14 Aug 2020 07:58:14 +0000
Subject: [gnutls-devel] GnuTLS | cert-session: check OCSP error responses (!1308)

Daiki Ueno created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1308

Branches: tmp-ocsp-resp-status to master
Author: Daiki Ueno

If the OCSP responder returns an error code, such as `tryLater`, we can't proceed to examine the response bytes. In that case, just skip the check unless the stapling is mandatory on this certificate.

Fixes #1062.

## Checklist

* [x] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [ ] Code modified for feature
* [x] Test suite updated with functionality tests
* [x] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
* [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:

* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1308
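An added example tying together Daiki's diagnosis in #1062 (the responder answers with `OCSPResponseStatus.tryLater` and that status was not being checked) and the policy described for !1308 above. This is not GnuTLS code and does not use its API; the verdict names and the sample byte strings are this example's own constructions. It decodes only the outer OCSPResponse, so the status is inspected before anything tries to match responseBytes against the peer certificate, which is exactly the point at which the "unrelated certificate" error was being produced:

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* OCSPResponseStatus values, RFC 6960 section 4.2.1. */
enum ocsp_resp_status {
    OCSP_RESP_SUCCESSFUL        = 0,
    OCSP_RESP_MALFORMED_REQUEST = 1,
    OCSP_RESP_INTERNAL_ERROR    = 2,
    OCSP_RESP_TRY_LATER         = 3,
    OCSP_RESP_SIG_REQUIRED      = 5,
    OCSP_RESP_UNAUTHORIZED      = 6
};

/* What the verifier should do with a stapled response (policy modelled on
 * the !1308 description; these names are the example's own). */
enum staple_verdict {
    STAPLE_VERIFY_RESPONSE, /* successful: go on and verify responseBytes */
    STAPLE_SKIP_CHECK,      /* responder error, staple optional: ignore it */
    STAPLE_FAIL_MANDATORY,  /* responder error, staple required: reject */
    STAPLE_FAIL_MALFORMED   /* not a well-formed OCSPResponse at all */
};

/* Decode a DER length (short or long form). Returns the number of length
 * bytes consumed, or 0 on malformed or oversized input. */
static size_t der_length(const uint8_t *p, size_t avail, size_t *out)
{
    if (avail < 1)
        return 0;
    if (p[0] < 0x80) {
        *out = p[0];
        return 1;
    }
    size_t n = p[0] & 0x7f;
    if (n == 0 || n > sizeof(size_t) || avail < 1 + n)
        return 0;
    size_t v = 0;
    for (size_t i = 0; i < n; i++)
        v = (v << 8) | p[1 + i];
    *out = v;
    return 1 + n;
}

/* Parse only the outer structure:
 *   OCSPResponse ::= SEQUENCE {
 *       responseStatus  OCSPResponseStatus,               -- ENUMERATED
 *       responseBytes   [0] EXPLICIT ResponseBytes OPTIONAL }
 * Fills *status and whether responseBytes is present. Returns 0 on success,
 * -1 if the bytes are not an OCSPResponse this walker can read. */
int ocsp_response_status(const uint8_t *der, size_t len, int *status, int *has_bytes)
{
    size_t seqlen, used;

    if (len < 2 || der[0] != 0x30)                  /* SEQUENCE */
        return -1;
    used = der_length(der + 1, len - 1, &seqlen);
    if (used == 0 || seqlen > len - 1 - used)       /* truncated body */
        return -1;

    const uint8_t *p = der + 1 + used;
    size_t rem = seqlen;

    if (rem < 3 || p[0] != 0x0a || p[1] != 0x01)    /* ENUMERATED, length 1 */
        return -1;
    *status = p[2];
    p += 3;
    rem -= 3;
    *has_bytes = (rem >= 2 && p[0] == 0xa0);        /* [0] EXPLICIT tag */
    return 0;
}

/* Decide what to do with a stapled response before touching responseBytes. */
enum staple_verdict check_stapled_response(const uint8_t *der, size_t len,
                                           int stapling_mandatory)
{
    int status, has_bytes;

    if (ocsp_response_status(der, len, &status, &has_bytes) != 0)
        return STAPLE_FAIL_MALFORMED;
    if (status == OCSP_RESP_SUCCESSFUL)
        return has_bytes ? STAPLE_VERIFY_RESPONSE : STAPLE_FAIL_MALFORMED;
    /* Every error status comes without responseBytes, so there is no
     * certificate in it to match against the peer: the responder simply gave
     * no answer. Fail only if the application required a staple. */
    return stapling_mandatory ? STAPLE_FAIL_MANDATORY : STAPLE_SKIP_CHECK;
}

/* Convenience for inspection: the decoded status, or -1 when unreadable. */
int status_of(const uint8_t *der, size_t len)
{
    int status, has_bytes;
    return ocsp_response_status(der, len, &status, &has_bytes) == 0 ? status : -1;
}

/* Constructed sample inputs (not the attached actorws-ocsp.der). */
static const uint8_t RESP_TRY_LATER[]    = { 0x30, 0x03, 0x0a, 0x01, 0x03 };
static const uint8_t RESP_UNAUTHORIZED[] = { 0x30, 0x03, 0x0a, 0x01, 0x06 };
/* successful, with a placeholder empty SEQUENCE where ResponseBytes would be */
static const uint8_t RESP_OK_STUB[]      = { 0x30, 0x07, 0x0a, 0x01, 0x00, 0xa0, 0x02, 0x30, 0x00 };
/* the length octet claims 5 bytes but only 2 follow */
static const uint8_t RESP_TRUNCATED[]    = { 0x30, 0x05, 0x0a, 0x01 };

int main(void)
{
    printf("tryLater: status=%d optional->%d must-staple->%d\n",
           status_of(RESP_TRY_LATER, sizeof RESP_TRY_LATER),
           (int)check_stapled_response(RESP_TRY_LATER, sizeof RESP_TRY_LATER, 0),
           (int)check_stapled_response(RESP_TRY_LATER, sizeof RESP_TRY_LATER, 1));
    return 0;
}
```

A `tryLater` or `unauthorized` answer carries no responseBytes at all, so reporting it as an unrelated certificate is misleading; once the status has been read, the only policy question left is whether the application demanded a staple for this certificate.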
From gnutls-devel at lists.gnutls.org Fri Aug 14 10:12:07 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 14 Aug 2020 08:12:07 +0000
Subject: [gnutls-devel] GnuTLS | Mangle/hide GNUTLS-built ecc_scalar_random() (!1300)

Merge Request !1300 was approved by Daiki Ueno

Merge Request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1300
Project:Branches: robUx4/gnutls:mangle-ecc_scalar_random to gnutls/gnutls:master
Author: Steve Lhomme
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1300

From gnutls-devel at lists.gnutls.org Fri Aug 14 10:12:11 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 14 Aug 2020 08:12:11 +0000
Subject: [gnutls-devel] GnuTLS | ecc_scalar_random in nettle is public but not mangled in GnuTLS (#1016)

Issue was closed by Daiki Ueno via merge request !1300 (https://gitlab.com/gnutls/gnutls/-/merge_requests/1300)

Issue #1016: https://gitlab.com/gnutls/gnutls/-/issues/1016

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1016

From gnutls-devel at lists.gnutls.org Fri Aug 14 10:12:20 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 14 Aug 2020 08:12:20 +0000
Subject: [gnutls-devel] GnuTLS | Mangle/hide GNUTLS-built ecc_scalar_random() (!1300)

Daiki Ueno commented:

Thank you!

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1300#note_396003213

From gnutls-devel at lists.gnutls.org Fri Aug 14 10:12:11 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 14 Aug 2020 08:12:11 +0000
Subject: [gnutls-devel] GnuTLS | Mangle/hide GNUTLS-built ecc_scalar_random() (!1300)

Merge Request !1300 was merged

Merge Request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1300
Project:Branches: robUx4/gnutls:mangle-ecc_scalar_random to gnutls/gnutls:master
Author: Steve Lhomme
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1300

From gnutls-devel at lists.gnutls.org Fri Aug 14 10:18:34 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 14 Aug 2020 08:18:34 +0000
Subject: [gnutls-devel] GnuTLS | Port shell-script tests to init.sh (#1064)

Daiki Ueno created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1064

Gnulib provides a test harness called [init.sh](https://git.savannah.gnu.org/cgit/gnulib.git/tree/tests/init.sh), which takes care of temporary file creation and removal, etc. Porting to it would make the existing tests simpler.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1064
From gnutls-devel at lists.gnutls.org Fri Aug 14 10:22:24 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 14 Aug 2020 08:22:24 +0000
Subject: [gnutls-devel] GnuTLS | Reduce macro usage in the library (#1065)

Daiki Ueno created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1065

The current code base uses preprocessor macros excessively, though some of them can be better written as an inline function (maybe with `__always_inline`) without any additional cost.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1065

From gnutls-devel at lists.gnutls.org Fri Aug 14 10:32:34 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 14 Aug 2020 08:32:34 +0000
Subject: [gnutls-devel] GnuTLS | tests/cert-tests/pem-decoding fails after build with --disable-gost (#1038)

Daiki Ueno commented:

Looks like `data/gost-cert-nogost.pem` (the fallback cert used when GOST is disabled) has the same content as `data/gost-cert.pem` (the proper GOST cert). Would you like to update it perhaps?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1038#note_396014216
From gnutls-devel at lists.gnutls.org Fri Aug 14 10:48:29 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 14 Aug 2020 08:48:29 +0000
Subject: [gnutls-devel] GnuTLS | Fix two issues about certtool and passwords (!1268)

All discussions on Merge Request !1268 were resolved by Daiki Ueno https://gitlab.com/gnutls/gnutls/-/merge_requests/1268

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1268

From gnutls-devel at lists.gnutls.org Fri Aug 14 10:48:29 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 14 Aug 2020 08:48:29 +0000
Subject: [gnutls-devel] GnuTLS | Fix two issues about certtool and passwords (!1268)

Daiki Ueno commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/1268#note_396023072

Let's add a test later as a separate MR.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1268#note_396023072
From gnutls-devel at lists.gnutls.org Fri Aug 14 10:48:39 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 14 Aug 2020 08:48:39 +0000
Subject: [gnutls-devel] GnuTLS | certtool --to-p12 seems to alway require a password (#888)

Issue was closed by Daiki Ueno via merge request !1268 (https://gitlab.com/gnutls/gnutls/-/merge_requests/1268)

Issue #888: https://gitlab.com/gnutls/gnutls/-/issues/888

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/888

From gnutls-devel at lists.gnutls.org Fri Aug 14 10:48:39 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 14 Aug 2020 08:48:39 +0000
Subject: [gnutls-devel] GnuTLS | certtool ignores --password option (#933)

Issue was closed by Daiki Ueno via merge request !1268 (https://gitlab.com/gnutls/gnutls/-/merge_requests/1268)

Issue #933: https://gitlab.com/gnutls/gnutls/-/issues/933

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/933
From gnutls-devel at lists.gnutls.org Fri Aug 14 10:48:39 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 14 Aug 2020 08:48:39 +0000
Subject: [gnutls-devel] GnuTLS | Fix two issues about certtool and passwords (!1268)

Merge Request !1268 was merged

Merge Request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1268
Branches: tmp-fix-cert-pass to master
Author: Dmitry Baryshkov
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1268

From gnutls-devel at lists.gnutls.org Fri Aug 14 10:48:39 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 14 Aug 2020 08:48:39 +0000
Subject: [gnutls-devel] GnuTLS | certtool --to-p12 seems to alway require a password (#888)

Issue was closed by Dmitry Baryshkov via commit 5fca5aaf137eeaa9058847f5390fdc3d89926ade

Issue #888: https://gitlab.com/gnutls/gnutls/-/issues/888

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/888
From gnutls-devel at lists.gnutls.org Fri Aug 14 12:14:42 2020
From: gnutls-devel at lists.gnutls.org (Read-only notification of GNU's TLS library development activities)
Date: Fri, 14 Aug 2020 10:14:42 +0000
Subject: [gnutls-devel] GnuTLS | _gnutls_fips_mode_enabled: treat selftest failure as FIPS disabled (!1306)

Daiki Ueno commented on a discussion on lib/fips.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1306#note_396070323

> #ifdef ENABLE_FIPS140
> unsigned ret = _gnutls_fips_mode_enabled();
>
> - if (ret > GNUTLS_FIPS140_DISABLED)
> + if (ret > GNUTLS_FIPS140_DISABLED) {
> + /* If the previous run of selftests has failed, return as if
> + * the FIPS mode is disabled. We could use HAVE_LIB_ERROR, if

Well, the library state is maintained internally, and the only way for the application to know the state is that it aborts the function call if the library is in an error state.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1306#note_396070323

From gnutls-devel at lists.gnutls.org Fri Aug 14 12:21:44 2020
From: gnutls-devel at lists.gnutls.org (Read-only notification of GNU's TLS library development activities)
Date: Fri, 14 Aug 2020 10:21:44 +0000
Subject: [gnutls-devel] GnuTLS | _gnutls_fips_mode_enabled: treat selftest failure as FIPS disabled (!1306)

All discussions on Merge Request !1306 were resolved by Sahana Prasad https://gitlab.com/gnutls/gnutls/-/merge_requests/1306

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1306
From gnutls-devel at lists.gnutls.org Fri Aug 14 15:33:11 2020
From: gnutls-devel at lists.gnutls.org (Read-only notification of GNU's TLS library development activities)
Date: Fri, 14 Aug 2020 13:33:11 +0000
Subject: [gnutls-devel] GnuTLS | Add or clean header guards in lib/includes/gnutls/ (!993)

Daiki Ueno commented:

I think this is a good change (especially the removal of `__` prefix), not sure why it's been hanging for one year.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/993#note_396175743

From gnutls-devel at lists.gnutls.org Fri Aug 14 15:33:19 2020
From: gnutls-devel at lists.gnutls.org (Read-only notification of GNU's TLS library development activities)
Date: Fri, 14 Aug 2020 13:33:19 +0000
Subject: [gnutls-devel] GnuTLS | Add or clean header guards in lib/includes/gnutls/ (!993)

Merge Request !993 was merged

Merge Request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/993
Branches: tmp-public-header-guards to master
Author: Tim Rühsen
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/993
From gnutls-devel at lists.gnutls.org Fri Aug 14 15:33:18 2020
From: gnutls-devel at lists.gnutls.org (Read-only notification of GNU's TLS library development activities)
Date: Fri, 14 Aug 2020 13:33:18 +0000
Subject: [gnutls-devel] GnuTLS | Add or clean header guards in lib/includes/gnutls/ (!993)

Merge Request !993 was approved by Daiki Ueno

Merge Request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/993
Branches: tmp-public-header-guards to master
Author: Tim Rühsen
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/993

From gnutls-devel at lists.gnutls.org Fri Aug 14 15:35:54 2020
From: gnutls-devel at lists.gnutls.org (Read-only notification of GNU's TLS library development activities)
Date: Fri, 14 Aug 2020 13:35:54 +0000
Subject: [gnutls-devel] GnuTLS | static build: multiple definition of 'nettle_ecc_scalar_random' (#1045)

Issue was closed by Daiki Ueno

Issue #1045: https://gitlab.com/gnutls/gnutls/-/issues/1045

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1045

From gnutls-devel at lists.gnutls.org Fri Aug 14 15:35:54 2020
From: gnutls-devel at lists.gnutls.org (Read-only notification of GNU's TLS library development activities)
Date: Fri, 14 Aug 2020 13:35:54 +0000
Subject: [gnutls-devel] GnuTLS | static build: multiple definition of 'nettle_ecc_scalar_random' (#1045)

Daiki Ueno commented:

Thank you for the report. I believe this is a duplicate of #1016, which was fixed by !1300 (thanks Steve).

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1045#note_396177388

From gnutls-devel at lists.gnutls.org Fri Aug 14 19:20:18 2020
From: gnutls-devel at lists.gnutls.org (Read-only notification of GNU's TLS library development activities)
Date: Fri, 14 Aug 2020 17:20:18 +0000
Subject: [gnutls-devel] GnuTLS | cert-session: ensure that invalid flag is always set (!1304)

Merge Request !1304 was merged

Merge Request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1304
Branches: tmp-cert-invalid to master
Author: Daiki Ueno
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1304

From gnutls-devel at lists.gnutls.org Fri Aug 14 19:20:34 2020
From: gnutls-devel at lists.gnutls.org (Read-only notification of GNU's TLS library development activities)
Date: Fri, 14 Aug 2020 17:20:34 +0000
Subject: [gnutls-devel] GnuTLS | cert-session: ensure that invalid flag is always set (!1304)

Daiki Ueno commented:

Thanks for the review!

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1304#note_396309821
URL: From gnutls-devel at lists.gnutls.org Fri Aug 14 19:21:15 2020 From: gnutls-devel at lists.gnutls.org (Read-only notification of GNU's TLS library development activities) Date: Fri, 14 Aug 2020 17:21:15 +0000 Subject: [gnutls-devel] GnuTLS | doc: assorted typo fixes (!1305) In-Reply-To: References: Message-ID: Merge Request !1305 was merged Merge Request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1305 Branches: tmp-typo-fixes to master Author: Daiki Ueno Assignees: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1305 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Aug 14 19:22:39 2020 From: gnutls-devel at lists.gnutls.org (Read-only notification of GNU's TLS library development activities) Date: Fri, 14 Aug 2020 17:22:39 +0000 Subject: [gnutls-devel] GnuTLS | _gnutls_fips_mode_enabled: treat selftest failure as FIPS disabled (!1306) In-Reply-To: References: Message-ID: Merge Request !1306 was merged Merge Request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1306 Branches: tmp-fips-enabled to master Author: Daiki Ueno Assignees: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1306 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Aug 14 21:42:11 2020 From: gnutls-devel at lists.gnutls.org (Read-only notification of GNU's TLS library development activities) Date: Fri, 14 Aug 2020 19:42:11 +0000 Subject: [gnutls-devel] GnuTLS | The official page with binaries for Windows is returning 404 (#1036) In-Reply-To: References: Message-ID: Daiki Ueno commented on a discussion: https://gitlab.com/gnutls/gnutls/-/issues/1036#note_396351088 Sorry for the delay. 
As it turned out, we can't trigger the CI for the "[ci skip]" commit, so I pushed an empty commit for that. You can download the binaries from: - MinGW32: https://gitlab.com/gnutls/gnutls/builds/artifacts/3.6.14-windows/download?job=MinGW32.DLLs - MinGW64: https://gitlab.com/gnutls/gnutls/builds/artifacts/3.6.14-windows/download?job=MinGW64.DLLs The official links will be updated shortly. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1036#note_396351088 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Aug 14 21:42:24 2020 From: gnutls-devel at lists.gnutls.org (Read-only notification of GNU's TLS library development activities) Date: Fri, 14 Aug 2020 19:42:24 +0000 Subject: [gnutls-devel] GnuTLS | The official page with binaries for Windows is returning 404 (#1036) In-Reply-To: References: Message-ID: Issue was closed by Daiki Ueno Issue #1036: https://gitlab.com/gnutls/gnutls/-/issues/1036 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1036 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat Aug 15 06:08:27 2020 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Sat, 15 Aug 2020 04:08:27 +0000 Subject: [gnutls-devel] GnuTLS | Issues require labels (#1066) References: Message-ID: GnuTLS bot created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1066 The following issues require labels: - [ ] [How can I lock gnutls_record_get_state or pending when receiving data? 
(Maybe bug?)](https://gitlab.com/gnutls/gnutls/-/issues/1052) - [ ] [Timing sidechannel in RSA decryption](https://gitlab.com/gnutls/gnutls/-/issues/1050) - [ ] [Service Desk (from perez.adams7567 at gmail.com): Best Keyword Placement: gnutls.org](https://gitlab.com/gnutls/gnutls/-/issues/1048) Please take care of them. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1066 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat Aug 15 22:43:14 2020 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Sat, 15 Aug 2020 20:43:14 +0000 Subject: [gnutls-devel] GnuTLS | Detect Python interpreter for tests instead of assuming "python" (!1292) In-Reply-To: References: Message-ID: Airtower commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/1292#note_396499421 I'd say so, if there will be more 3.6 releases. Otherwise distros that use `python3` will see test failures and either have to port the patches themselves or (worse) deactivate the affected tests. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1292#note_396499421 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun Aug 16 07:36:21 2020 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Sun, 16 Aug 2020 05:36:21 +0000 Subject: [gnutls-devel] GnuTLS | Service Desk (from Jens.Schleusener@t-online.de): GnuTLS Windows binaries on GitLab not available? (#1014) In-Reply-To: References: Message-ID: Daiki Ueno commented: Thank you for the report; it should be fixed in #1036. 
-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1014#note_396522020 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun Aug 16 07:36:21 2020 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Sun, 16 Aug 2020 05:36:21 +0000 Subject: [gnutls-devel] GnuTLS | Service Desk (from Jens.Schleusener@t-online.de): GnuTLS Windows binaries on GitLab not available? (#1014) In-Reply-To: References: Message-ID: Issue was closed by Daiki Ueno Issue #1014: https://gitlab.com/gnutls/gnutls/-/issues/1014 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1014 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun Aug 16 07:41:35 2020 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Sun, 16 Aug 2020 05:41:35 +0000 Subject: [gnutls-devel] GnuTLS | guile bindings do not build with pkgsrc (on NetBSD) (#996) In-Reply-To: References: Message-ID: Daiki Ueno commented: @civodul @teknokatze do you have any idea how other guile packages work around this issue? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/996#note_396522661 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... 
URL: From gnutls-devel at lists.gnutls.org Sun Aug 16 07:43:04 2020 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Sun, 16 Aug 2020 05:43:04 +0000 Subject: [gnutls-devel] GnuTLS | GnuTLS leaks file descriptors in child processes (#985) In-Reply-To: References: Message-ID: Issue was closed by Daiki Ueno Issue #985: https://gitlab.com/gnutls/gnutls/-/issues/985 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/985 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun Aug 16 07:43:03 2020 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Sun, 16 Aug 2020 05:43:03 +0000 Subject: [gnutls-devel] GnuTLS | GnuTLS leaks file descriptors in child processes (#985) In-Reply-To: References: Message-ID: Daiki Ueno commented: I think this is already fixed with !1261, utilizing the `fopen-gnu` module. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/985#note_396522741 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun Aug 16 07:44:23 2020 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Sun, 16 Aug 2020 05:44:23 +0000 Subject: [gnutls-devel] GnuTLS | gnutls-cli: Support AIA (downloading intermediate certs) (#968) In-Reply-To: References: Message-ID: Reassigned Issue 968 https://gitlab.com/gnutls/gnutls/-/issues/968 Assignee changed to Sahana Prasad -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/968 You're receiving this email because of your account on gitlab.com. 
-------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun Aug 16 07:45:02 2020 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Sun, 16 Aug 2020 05:45:02 +0000 Subject: [gnutls-devel] GnuTLS | gnutls-cli: Support AIA (downloading intermediate certs) (#968) In-Reply-To: References: Message-ID: Daiki Ueno commented: @sahprasa I think this can be closed once the support in gnutls-cli has been merged. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/968#note_396522853 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun Aug 16 07:49:22 2020 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Sun, 16 Aug 2020 05:49:22 +0000 Subject: [gnutls-devel] GnuTLS | ocsptool: only write the OCSP response to outfile when --outpem is used (#975) In-Reply-To: References: Message-ID: Daiki Ueno commented: This behavior is consistent with other tools (e.g., `certtool --generate-certificate --outfile ...`), and your workaround is pretty straightforward. I'm not sure if we want special support for it. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/975#note_396523852 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... 
URL: From gnutls-devel at lists.gnutls.org Sun Aug 16 08:01:16 2020 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Sun, 16 Aug 2020 06:01:16 +0000 Subject: [gnutls-devel] GnuTLS | Testsuite error - listening on IPv6, connecting to IPv4 (#1007) In-Reply-To: References: Message-ID: Daiki Ueno commented: I'd say in order to make such tests reliable, gnutls-serv should have an option to control where the socket is bound. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1007#note_396534567 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun Aug 16 08:01:56 2020 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Sun, 16 Aug 2020 06:01:56 +0000 Subject: [gnutls-devel] GnuTLS | Issues require labels (#1009) In-Reply-To: References: Message-ID: Issue was closed by Daiki Ueno Issue #1009: https://gitlab.com/gnutls/gnutls/-/issues/1009 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1009 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun Aug 16 08:06:01 2020 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Sun, 16 Aug 2020 06:06:01 +0000 Subject: [gnutls-devel] GnuTLS | Issues require labels (#1047) In-Reply-To: References: Message-ID: Issue was closed by Daiki Ueno Issue #1047: https://gitlab.com/gnutls/gnutls/-/issues/1047 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1047 You're receiving this email because of your account on gitlab.com. 
-------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun Aug 16 08:09:59 2020 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Sun, 16 Aug 2020 06:09:59 +0000 Subject: [gnutls-devel] GnuTLS | Issues require labels (#1051) In-Reply-To: References: Message-ID: Issue was closed by Daiki Ueno Issue #1051: https://gitlab.com/gnutls/gnutls/-/issues/1051 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1051 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun Aug 16 08:10:29 2020 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Sun, 16 Aug 2020 06:10:29 +0000 Subject: [gnutls-devel] GnuTLS | Issues require labels (#1056) In-Reply-To: References: Message-ID: Issue was closed by Daiki Ueno Issue #1056: https://gitlab.com/gnutls/gnutls/-/issues/1056 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1056 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun Aug 16 09:33:35 2020 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Sun, 16 Aug 2020 07:33:35 +0000 Subject: [gnutls-devel] GnuTLS | guile bindings do not build with pkgsrc (on NetBSD) (#996) In-Reply-To: References: Message-ID: Nikita Gillmann commented: I keep a patch in pkgsrc for lang/guile22 which works. I don't have much time to help, maybe within the next 2 - 3 months again (flat and job searching), sorry. 
I'd suggest using http://cvsweb.netbsd.org/bsdweb.cgi/pkgsrc/lang/guile22/patches/patch-modules_system_base_target.scm?rev=1.2&content-type=text/x-cvsweb-markup or improving upon that. If you'd like to use the patch as it is, I can send a patch against guile as I am the author. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/996#note_396561101 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun Aug 16 11:51:11 2020 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Sun, 16 Aug 2020 09:51:11 +0000 Subject: [gnutls-devel] GnuTLS | handshake: check TLS version against modified server priorities (!1309) References: Message-ID: Daiki Ueno created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1309 Branches: tmp-tls12-version-checks to master Author: Daiki Ueno The server needs to take into account multiple factors when determining the TLS protocol version actually being used: - the legacy version - "supported_versions" extension - user_hello_func that may modify the server's priorities Only after that can it check whether the TLS version is enabled in the server's priorities. Fixes #1054. 
## Checklist * [x] Commits have `Signed-off-by:` with name/author being identical to the commit author * [ ] Code modified for feature * [x] Test suite updated with functionality tests * [ ] Test suite updated with negative tests * [ ] Documentation updated / NEWS entry present (for non-trivial changes) * [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout) ## Reviewer's checklist: * [ ] Any issues marked for closing are addressed * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md` * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1309 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun Aug 16 13:32:27 2020 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Sun, 16 Aug 2020 11:32:27 +0000 Subject: [gnutls-devel] GnuTLS | gnutls-cli does not report failed handshake when debug level < 3 (#1040) In-Reply-To: References: Message-ID: Daiki Ueno commented: > Please see this issue: https://github.com/NixOS/nixpkgs/issues/84507 for details, which also links to runs with different versions of gnutls-cli that demonstrate the introduction of this regression and the workaround proposed here: https://github.com/NixOS/nixpkgs/pull/90718 I looked, but the script is too archaic for me to understand the actual server setup. Would you be able to provide a standalone reproducer, e.g., using gnutls-serv or OpenSSL's s_server? 
-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1040#note_396582759 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun Aug 16 13:33:27 2020 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Sun, 16 Aug 2020 11:33:27 +0000 Subject: [gnutls-devel] GnuTLS | Issues require labels (#1035) In-Reply-To: References: Message-ID: Issue was closed by Daiki Ueno Issue #1035: https://gitlab.com/gnutls/gnutls/-/issues/1035 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1035 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun Aug 16 14:49:42 2020 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Sun, 16 Aug 2020 12:49:42 +0000 Subject: [gnutls-devel] GnuTLS | Fix parser output in tests/cert-tests/data/gost-cert-nogost.pem (!1310) References: Message-ID: Airtower created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1310 Project:Branches: airtower-luna/gnutls:tmp-fix-gost-cert-nogost to gnutls/gnutls:master Author: Airtower When building without GOST support parsing a GOST certificate must return an "error importing public key" message instead of key details. This change makes `tests/cert-tests/pem-decoding` pass for builds with `--disable-gost`. Closes #1038. 
## Checklist * [x] Commits have `Signed-off-by:` with name/author being identical to the commit author * [x] Code modified for feature * [ ] Test suite updated with functionality tests * [ ] Test suite updated with negative tests * [ ] Documentation updated / NEWS entry present (for non-trivial changes) * [x] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout) ## Reviewer's checklist: * [ ] Any issues marked for closing are addressed * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md` * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1310 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun Aug 16 14:52:00 2020 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Sun, 16 Aug 2020 12:52:00 +0000 Subject: [gnutls-devel] GnuTLS | tests/cert-tests/pem-decoding fails after build with --disable-gost (#1038) In-Reply-To: References: Message-ID: Airtower commented on a discussion: https://gitlab.com/gnutls/gnutls/-/issues/1038#note_396590434 Thanks for the analysis, I just submitted a fix for `data/gost-cert-nogost.pem` in !1310. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1038#note_396590434 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... 
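The !1309 merge request description above lists the three inputs a server has to reconcile before it can check the negotiated version against its priorities: the ClientHello's legacy_version, the supported_versions extension, and a user hello hook that may have narrowed the server's priorities in the meantime. The following Python block is an added illustration of that ordering and is not GnuTLS code. parse_client_hello, select_version, build_client_hello and the post_client_hello_hook parameter are names chosen here; the hook only models the effect of a callback such as the one installed with gnutls_handshake_set_post_client_hello_function(), and the ClientHello bytes are constructed inside the block rather than captured.

```python
"""Added example: server-side TLS version selection from a ClientHello.

Models the three inputs named in !1309 (legacy_version, supported_versions,
and a post-ClientHello hook that may narrow the server's enabled versions)
and performs the "is this version enabled?" check only after the hook ran.
Not GnuTLS code; all names here are chosen for the illustration."""
import struct

TLS10, TLS11, TLS12, TLS13 = 0x0301, 0x0302, 0x0303, 0x0304
EXT_SUPPORTED_VERSIONS = 43          # extension type from RFC 8446


def parse_client_hello(body: bytes) -> dict:
    """Parse a ClientHello body (handshake header already stripped) far enough
    to recover legacy_version and, if present, the supported_versions list."""
    (legacy_version,) = struct.unpack_from("!H", body, 0)
    off = 2 + 32                                     # legacy_version, random
    off += 1 + body[off]                             # legacy_session_id
    (cs_len,) = struct.unpack_from("!H", body, off)
    off += 2 + cs_len                                # cipher_suites
    off += 1 + body[off]                             # legacy_compression_methods
    supported = None
    if off < len(body):                              # extensions block is optional
        (ext_len,) = struct.unpack_from("!H", body, off)
        off += 2
        end = off + ext_len
        while off + 4 <= end:
            etype, elen = struct.unpack_from("!HH", body, off)
            off += 4
            data = body[off:off + elen]
            off += elen
            if etype == EXT_SUPPORTED_VERSIONS:
                n = data[0]                          # one-byte length of the list
                supported = [struct.unpack_from("!H", data, 1 + 2 * i)[0]
                             for i in range(n // 2)]
    return {"legacy_version": legacy_version, "supported_versions": supported}


def select_version(hello: dict, server_enabled: set, post_client_hello_hook=None):
    """Return the version to negotiate, or None if nothing acceptable remains.

    The hook stands in for a callback that inspects the parsed ClientHello
    (e.g. the SNI) and returns a possibly narrowed set of enabled versions.
    The membership check runs only after it, so a version the hook disabled
    cannot be selected merely because the default priorities allowed it."""
    if post_client_hello_hook is not None:
        server_enabled = post_client_hello_hook(hello, server_enabled)
    if hello["supported_versions"] is not None:
        # TLS 1.3-capable client: legacy_version is pinned to 0x0303 and is
        # not meaningful; only the extension's list counts.
        candidates = [v for v in hello["supported_versions"] if v in server_enabled]
    else:
        # Pre-1.3 client: legacy_version is the highest version it offers.
        candidates = [v for v in server_enabled if v <= hello["legacy_version"]]
    return max(candidates) if candidates else None


def build_client_hello(legacy_version: int, supported=None) -> bytes:
    """Construct a minimal ClientHello body for testing (constructed sample,
    not a capture): one cipher suite, null compression, optional extension."""
    body = struct.pack("!H", legacy_version) + bytes(32) + b"\x00"
    body += struct.pack("!H", 2) + b"\x13\x01"       # TLS_AES_128_GCM_SHA256
    body += b"\x01\x00"                              # one compression method: null
    if supported is not None:
        vers = b"".join(struct.pack("!H", v) for v in supported)
        ext = struct.pack("!HHB", EXT_SUPPORTED_VERSIONS, 1 + len(vers), len(vers)) + vers
        body += struct.pack("!H", len(ext)) + ext
    return body


if __name__ == "__main__":
    hello = parse_client_hello(build_client_hello(TLS12, [TLS13, TLS12]))
    print(hex(select_version(hello, {TLS12, TLS13})))
    # A hook that, say, pins one virtual host to TLS 1.2 narrows the choice:
    print(hex(select_version(hello, {TLS12, TLS13}, lambda h, s: {TLS12})))
```

The last case worth trying is a hook that leaves nothing the client offered: select_version returns None, which is the point of the change, since the server must fail the handshake rather than fall back to a version its final priorities do not enable.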
URL: From gnutls-devel at lists.gnutls.org Sun Aug 16 16:09:22 2020 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Sun, 16 Aug 2020 14:09:22 +0000 Subject: [gnutls-devel] GnuTLS | Outdated information on SSL 3.0 in documentation (#1068) References: Message-ID: gandaro created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1068 In the documentation, in Chapter 3.8 "On SSL 2 and older protocols", it says (highlighted by me): > [...] the SSL 3.0 protocol was implemented since it is still the only protocol supported by several servers and **there are no serious security vulnerabilities known.** The first half of the sentence is probably false nowadays, and the statement regarding the security of SSL 3.0 should surely be removed. Maybe the chapter could be replaced by a short paragraph explaining that SSL 2.0 and 3.0 have been deprecated and that 3.0 support is planned to be dropped entirely from GnuTLS in the future. Maybe the elaborate information on SSL 2.0 is also not needed anymore. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1068 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... 
URL: From gnutls-devel at lists.gnutls.org Sun Aug 16 16:10:44 2020 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Sun, 16 Aug 2020 14:10:44 +0000 Subject: [gnutls-devel] GnuTLS | Fix parser output in tests/cert-tests/data/gost-cert-nogost.pem (!1310) In-Reply-To: References: Message-ID: Merge Request !1310 was approved by Daiki Ueno Merge Request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1310 Project:Branches: airtower-luna/gnutls:tmp-fix-gost-cert-nogost to gnutls/gnutls:master Author: Airtower Assignees: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1310 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun Aug 16 16:10:55 2020 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Sun, 16 Aug 2020 14:10:55 +0000 Subject: [gnutls-devel] GnuTLS | Fix parser output in tests/cert-tests/data/gost-cert-nogost.pem (!1310) In-Reply-To: References: Message-ID: Daiki Ueno commented: Thank you! -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1310#note_396598982 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... 
URL: From gnutls-devel at lists.gnutls.org Sun Aug 16 16:18:57 2020 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Sun, 16 Aug 2020 14:18:57 +0000 Subject: [gnutls-devel] GnuTLS | Fix parser output in tests/cert-tests/data/gost-cert-nogost.pem (!1310) In-Reply-To: References: Message-ID: Merge Request !1310 was merged Merge Request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1310 Project:Branches: airtower-luna/gnutls:tmp-fix-gost-cert-nogost to gnutls/gnutls:master Author: Airtower Assignees: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1310 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun Aug 16 16:18:56 2020 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Sun, 16 Aug 2020 14:18:56 +0000 Subject: [gnutls-devel] GnuTLS | tests/cert-tests/pem-decoding fails after build with --disable-gost (#1038) In-Reply-To: References: Message-ID: Issue was closed by Daiki Ueno via merge request !1310 (https://gitlab.com/gnutls/gnutls/-/merge_requests/1310) Issue #1038: https://gitlab.com/gnutls/gnutls/-/issues/1038 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1038 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... 
URL: From gnutls-devel at lists.gnutls.org Sun Aug 16 17:56:38 2020 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Sun, 16 Aug 2020 15:56:38 +0000 Subject: [gnutls-devel] GnuTLS | ocsptool: only write the OCSP response to outfile when --outpem is used (#975) In-Reply-To: References: Message-ID: Airtower commented: PEM implies the presence of headers around the base64 encoded block. Also, wouldn't removing the headers also break GnuTLS functions for loading multiple responses, e.g. [gnutls_certificate_set_ocsp_status_request_file2()](https://gnutls.org/manual/html_node/Core-TLS-API.html#gnutls_005fcertificate_005fset_005focsp_005fstatus_005frequest_005ffile2)? If you need plain base64 the simplest solution would be to use the default DER output and pipe that through `base64`. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/975#note_396610018 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun Aug 16 18:25:05 2020 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Sun, 16 Aug 2020 16:25:05 +0000 Subject: [gnutls-devel] GnuTLS | gnutls_x509_crt_export2: return 0 instead of the length (!1311) References: Message-ID: Daiki Ueno created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1311 Branches: tmp-crt-export2 to master Author: Daiki Ueno Fixes #1025. 
## Checklist * [x] Commits have `Signed-off-by:` with name/author being identical to the commit author * [ ] Code modified for feature * [x] Test suite updated with functionality tests * [ ] Test suite updated with negative tests * [ ] Documentation updated / NEWS entry present (for non-trivial changes) * [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout) ## Reviewer's checklist: * [ ] Any issues marked for closing are addressed * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md` * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1311 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun Aug 16 20:22:25 2020 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Sun, 16 Aug 2020 18:22:25 +0000 Subject: [gnutls-devel] GnuTLS | handshake: check TLS version against modified server priorities (!1309) In-Reply-To: References: Message-ID: Airtower commented: Would this support changing priorities in a post client hello function (set via `gnutls_handshake_set_post_client_hello_function()`)? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1309#note_396622105 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... 
URL: From gnutls-devel at lists.gnutls.org Mon Aug 17 07:02:46 2020 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Mon, 17 Aug 2020 05:02:46 +0000 Subject: [gnutls-devel] GnuTLS | handshake: check TLS version against modified server priorities (!1309) In-Reply-To: References: Message-ID: Daiki Ueno commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/1309#note_396691112 I think it should, but we definitely need a test case for that; let me add it. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1309#note_396691112 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Aug 17 09:03:56 2020 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Mon, 17 Aug 2020 07:03:56 +0000 Subject: [gnutls-devel] GnuTLS | gnutls_aead_cipher_decrypt: check output buffer size before writing (!1312) References: Message-ID: Daiki Ueno created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1312 Branches: tmp-cipher-check-length to master Author: Daiki Ueno While the documentation of `gnutls_aead_cipher_decrypt` indicates that the inout argument `ptext_len` initially holds the size that sufficiently fits the expected output size, there was no runtime check on that. This makes the interface more robust against misuse. Fixes #1049. 
## Checklist * [x] Commits have `Signed-off-by:` with name/author being identical to the commit author * [ ] Code modified for feature * [x] Test suite updated with functionality tests * [ ] Test suite updated with negative tests * [ ] Documentation updated / NEWS entry present (for non-trivial changes) * [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout) ## Reviewer's checklist: * [ ] Any issues marked for closing are addressed * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md` * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1312 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Aug 17 09:35:44 2020 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Mon, 17 Aug 2020 07:35:44 +0000 Subject: [gnutls-devel] GnuTLS | handshake: check TLS version against modified server priorities (!1309) In-Reply-To: References: Message-ID: Airtower commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/1309#note_396737183 Thank you! :slight_smile: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1309#note_396737183 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... 
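The !1312 description above rests on the contract that the inout `ptext_len` holds the capacity of the output buffer on entry, and adds a runtime check of that capacity before anything is written. The following Python block is an added illustration of that contract and is not GnuTLS code: aead_encrypt, aead_decrypt and the error constants are names chosen here (the constants only stand in for GnuTLS's negative return codes), and the cipher is a constructed encrypt-then-MAC scheme built from HMAC-SHA256 so the block runs with the standard library alone. It stands in for a real AEAD such as AES-GCM or ChaCha20-Poly1305; the key, nonce and messages are constructed test values.

```python
"""Added example: the output-buffer contract of an AEAD decrypt call.

Mirrors the inout ptext_len convention described for gnutls_aead_cipher_decrypt
in !1312: the caller passes the capacity of ptext in, the function writes the
number of bytes produced out, and a too-small buffer is rejected before any
write.  Not GnuTLS code.  The cipher is a constructed encrypt-then-MAC scheme
(HMAC-SHA256 in counter mode plus an HMAC-SHA256 tag) so the block runs with
the standard library only; it stands in for a real AEAD."""
import hashlib
import hmac
import struct

TAG_SIZE = 32
E_SHORT_MEMORY_BUFFER = -1   # stands in for GNUTLS_E_SHORT_MEMORY_BUFFER
E_DECRYPTION_FAILED = -2     # stands in for GNUTLS_E_DECRYPTION_FAILED


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """HMAC-SHA256 used as a PRF in counter mode; yields n keystream bytes."""
    blocks = []
    for ctr in range((n + 31) // 32):
        blocks.append(hmac.new(key, b"enc" + nonce + struct.pack("!Q", ctr),
                               hashlib.sha256).digest())
    return b"".join(blocks)[:n]


def _tag(key: bytes, nonce: bytes, aad: bytes, ctext: bytes) -> bytes:
    """Tag over nonce, length-prefixed AAD and ciphertext (encrypt-then-MAC)."""
    msg = b"mac" + nonce + struct.pack("!Q", len(aad)) + aad + ctext
    return hmac.new(key, msg, hashlib.sha256).digest()


def aead_encrypt(key: bytes, nonce: bytes, aad: bytes, ptext: bytes) -> bytes:
    """Return ciphertext || tag."""
    ks = _keystream(key, nonce, len(ptext))
    ctext = bytes(p ^ k for p, k in zip(ptext, ks))
    return ctext + _tag(key, nonce, aad, ctext)


def aead_decrypt(key: bytes, nonce: bytes, aad: bytes, ctext_with_tag: bytes,
                 ptext: bytearray, ptext_len: list) -> int:
    """Decrypt into the caller's buffer.

    ptext_len[0] is inout: capacity of ptext on entry, bytes written on
    success.  Returns 0 on success or a negative error code.  On any error
    nothing is written to ptext and ptext_len is left unchanged."""
    if len(ctext_with_tag) < TAG_SIZE:
        return E_DECRYPTION_FAILED
    ctext, tag = ctext_with_tag[:-TAG_SIZE], ctext_with_tag[-TAG_SIZE:]
    # The runtime check !1312 adds: the caller's stated capacity is validated
    # against the plaintext length this call will produce before any write.
    if ptext_len[0] < len(ctext):
        return E_SHORT_MEMORY_BUFFER
    # Verify before decrypting so unauthenticated bytes never reach the caller.
    if not hmac.compare_digest(tag, _tag(key, nonce, aad, ctext)):
        return E_DECRYPTION_FAILED
    ks = _keystream(key, nonce, len(ctext))
    # memoryview slice assignment cannot grow the buffer; an overrun would
    # raise here instead of silently extending it, mirroring a fixed C array.
    memoryview(ptext)[:len(ctext)] = bytes(c ^ k for c, k in zip(ctext, ks))
    ptext_len[0] = len(ctext)
    return 0


if __name__ == "__main__":
    key, nonce = b"k" * 32, b"n" * 12            # constructed test values
    sealed = aead_encrypt(key, nonce, b"hdr", b"hello world")
    out, out_len = bytearray(16), [16]
    print(aead_decrypt(key, nonce, b"hdr", sealed, out, out_len), out_len[0])
    small, small_len = bytearray(4), [4]
    print(aead_decrypt(key, nonce, b"hdr", sealed, small, small_len))
```

Before the check, a caller that sized the buffer from a stale or wrong ctext_len got a write past the end of ptext; with it, the call fails closed with a short-buffer error and the buffer and length are untouched, so the caller can size a new buffer from the ciphertext length and retry.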
From gnutls-devel at lists.gnutls.org Mon Aug 17 10:39:16 2020
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Mon, 17 Aug 2020 08:39:16 +0000
Subject: [gnutls-devel] GnuTLS | handshake: check TLS version against modified server priorities (!1309)

Daiki Ueno commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/1309#note_396770009

@airtower-luna would you mind if I add you to the reviewers list?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1309#note_396770009

From gnutls-devel at lists.gnutls.org Mon Aug 17 13:39:12 2020
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Mon, 17 Aug 2020 11:39:12 +0000
Subject: [gnutls-devel] GnuTLS | Issues require labels (#1066)

Issue was closed by Daiki Ueno

Issue #1066: https://gitlab.com/gnutls/gnutls/-/issues/1066

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1066

From gnutls-devel at lists.gnutls.org Mon Aug 17 19:33:38 2020
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Mon, 17 Aug 2020 17:33:38 +0000
Subject: [gnutls-devel] GnuTLS | Outdated information on SSL 3.0 in documentation (#1068)

Daiki Ueno commented:

Indeed. I thought it was a confusion in tense, but it would be good to clarify. If you are willing to propose a documentation change as a patch, that would be awesome.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1068#note_397252344

From gnutls-devel at lists.gnutls.org Mon Aug 17 20:12:21 2020
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Mon, 17 Aug 2020 18:12:21 +0000
Subject: [gnutls-devel] GnuTLS | Outdated information on SSL 3.0 in documentation (#1068)

gandaro commented:

I am not sure what the best option would be, therefore I am not submitting a patch yet, and rather suggest something. Possibly you could delete chapter 3.8 and replace it by a footnote in chapter 2, where it says:

> Technically GnuTLS is a portable ANSI C based library which implements the protocols ranging from SSL 3.0 to TLS 1.3 (see Introduction to TLS, for a detailed description of the protocols), accompanied with the required framework for authentication and public key infrastructure. Important features of the GnuTLS library include:
>
> * Support for TLS 1.3, TLS 1.2, TLS 1.1, TLS 1.0 and optionally SSL 3.0 protocols.

The footnote could be:

> SSL 2.0 and SSL 3.0 are considered broken [RFC6176] [RFC7568]. Therefore these should not be used. SSL 3.0 support is expected to be completely removed from GnuTLS in the near future.

I am not sure if you would like that. Alternatively, one could rewrite chapter 3.8 to be a chapter on the "History of GnuTLS." Or a general chapter on the different protocol versions there are. Then it would fit in with the rest of chapter 3 (Introduction to TLS). I wouldn't feel qualified to write either of these, though.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1068#note_397279426
From gnutls-devel at lists.gnutls.org Mon Aug 17 22:12:57 2020
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Mon, 17 Aug 2020 20:12:57 +0000
Subject: [gnutls-devel] GnuTLS | handshake: check TLS version against modified server priorities (!1309)

Airtower commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/1309#note_397347205

@dueno You're welcome to, I probably won't get to take a closer look before tomorrow though.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1309#note_397347205

From gnutls-devel at lists.gnutls.org Tue Aug 18 09:27:14 2020
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Tue, 18 Aug 2020 07:27:14 +0000
Subject: [gnutls-devel] GnuTLS | handshake: check TLS version against modified server priorities (!1309)

Daiki Ueno commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/1309#note_397548782

Thanks, assigned it to you for now.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1309#note_397548782

From gnutls-devel at lists.gnutls.org Tue Aug 18 09:26:47 2020
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Tue, 18 Aug 2020 07:26:47 +0000
Subject: [gnutls-devel] GnuTLS | handshake: check TLS version against modified server priorities (!1309)

Reassigned Merge Request 1309

https://gitlab.com/gnutls/gnutls/-/merge_requests/1309

Assignee changed to Airtower

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1309

From gnutls-devel at lists.gnutls.org Tue Aug 18 09:38:14 2020
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Tue, 18 Aug 2020 07:38:14 +0000
Subject: [gnutls-devel] GnuTLS | minitasn1: move WARN_CFLAGS setting to configure.ac (!1307)

Sahana Prasad commented:

LGTM

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1307#note_397554553
From gnutls-devel at lists.gnutls.org Tue Aug 18 10:01:51 2020
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Tue, 18 Aug 2020 08:01:51 +0000
Subject: [gnutls-devel] GnuTLS | 3.6.14 build regression due to -Wno-type-limits (#1022)

Issue was closed by Daiki Ueno via merge request !1307 (https://gitlab.com/gnutls/gnutls/-/merge_requests/1307)

Issue #1022: https://gitlab.com/gnutls/gnutls/-/issues/1022

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1022

From gnutls-devel at lists.gnutls.org Tue Aug 18 10:01:52 2020
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Tue, 18 Aug 2020 08:01:52 +0000
Subject: [gnutls-devel] GnuTLS | minitasn1: move WARN_CFLAGS setting to configure.ac (!1307)

Merge Request !1307 was merged

Merge Request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1307

Branches: tmp-type-limits to master
Author: Daiki Ueno
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1307

From gnutls-devel at lists.gnutls.org Tue Aug 18 10:40:39 2020
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Tue, 18 Aug 2020 08:40:39 +0000
Subject: [gnutls-devel] GnuTLS | gnutls_x509_crt_export2: return 0 instead of the length (!1311)

Sahana Prasad commented:

LGTM!

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1311#note_397593619

From gnutls-devel at lists.gnutls.org Tue Aug 18 10:40:20 2020
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Tue, 18 Aug 2020 08:40:20 +0000
Subject: [gnutls-devel] GnuTLS | gnutls_x509_crt_export2: return 0 instead of the length (!1311)

Merge Request !1311 was approved by Sahana Prasad

Merge Request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1311

Branches: tmp-crt-export2 to master
Author: Daiki Ueno
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1311

From gnutls-devel at lists.gnutls.org Tue Aug 18 10:42:59 2020
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Tue, 18 Aug 2020 08:42:59 +0000
Subject: [gnutls-devel] GnuTLS | gnutls_x509_crt_export2: return 0 instead of the length (!1311)

Merge Request !1311 was merged

Merge Request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1311

Branches: tmp-crt-export2 to master
Author: Daiki Ueno
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1311
From gnutls-devel at lists.gnutls.org Tue Aug 18 10:42:59 2020
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Tue, 18 Aug 2020 08:42:59 +0000
Subject: [gnutls-devel] GnuTLS | gnutls_x509_crt_export2 can return values greater than 0 (#1025)

Issue was closed by Daiki Ueno via merge request !1311 (https://gitlab.com/gnutls/gnutls/-/merge_requests/1311)

Issue #1025: https://gitlab.com/gnutls/gnutls/-/issues/1025

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1025

From gnutls-devel at lists.gnutls.org Tue Aug 18 11:37:09 2020
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Tue, 18 Aug 2020 09:37:09 +0000
Subject: [gnutls-devel] GnuTLS | gnutls_aead_cipher_decrypt: check output buffer size before writing (!1312)

Merge Request !1312 was approved by Sahana Prasad

Merge Request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1312

Branches: tmp-cipher-check-length to master
Author: Daiki Ueno
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1312

From gnutls-devel at lists.gnutls.org Tue Aug 18 11:50:14 2020
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Tue, 18 Aug 2020 09:50:14 +0000
Subject: [gnutls-devel] GnuTLS | gnutls_aead_cipher_decrypt() doesn't check plaintext length (#1049)

Issue was closed by Daiki Ueno via merge request !1312 (https://gitlab.com/gnutls/gnutls/-/merge_requests/1312)

Issue #1049: https://gitlab.com/gnutls/gnutls/-/issues/1049

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1049

From gnutls-devel at lists.gnutls.org Tue Aug 18 11:50:13 2020
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Tue, 18 Aug 2020 09:50:13 +0000
Subject: [gnutls-devel] GnuTLS | gnutls_aead_cipher_decrypt: check output buffer size before writing (!1312)

Merge Request !1312 was merged

Merge Request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1312

Branches: tmp-cipher-check-length to master
Author: Daiki Ueno
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1312
From gnutls-devel at lists.gnutls.org Wed Aug 19 17:31:20 2020
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Wed, 19 Aug 2020 15:31:20 +0000
Subject: [gnutls-devel] GnuTLS | gnutls_global_deinit() doesn't free all memory after loading system trusted CAs (#1070)

Miroslav Lichvar created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1070

## Description of problem:

According to the documentation, calling `gnutls_global_deinit()` in an environment with `GNUTLS_NO_EXPLICIT_INIT=1` (or program compiled with `GNUTLS_SKIP_GLOBAL_INIT`) is supposed to free all memory used by gnutls. This doesn't seem to happen in my application, which is normally expected to make a few TLS sessions on start and then run for a long time without TLS. Maybe my program is buggy (see the reproducer), or there is a way to force gnutls to deallocate the memory, but I couldn't find it.

## Version of gnutls used:

gnutls-3.6.14

## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)

Fedora 32

## How reproducible:

Always

Steps to Reproduce:

* compile and run the following program in valgrind:

```
#include <gnutls/gnutls.h>

/* Opt out of the library constructor so that init/deinit are explicit. */
GNUTLS_SKIP_GLOBAL_INIT

int main()
{
	gnutls_certificate_credentials_t credentials = NULL;

	gnutls_global_init();
	gnutls_certificate_allocate_credentials(&credentials);
	/* Loads the system trust store, which goes through p11-kit on Fedora. */
	gnutls_certificate_set_x509_system_trust(credentials);
	gnutls_certificate_free_credentials(credentials);
	gnutls_global_deinit();

	return 0;
}
```

## Actual results:

```
...
==2640878==    by 0x5CDE3F6: ??? (in /usr/lib64/pkcs11/p11-kit-trust.so)
==2640878==    by 0x5CD9CE4: ??? (in /usr/lib64/pkcs11/p11-kit-trust.so)
==2640878==    by 0x490DDD1: ??? (in /usr/lib64/libgnutls.so.30.28.0)
==2640878==    by 0x490FE3E: ??? (in /usr/lib64/libgnutls.so.30.28.0)
==2640878==    by 0x4910BFF: gnutls_pkcs11_obj_list_import_url4 (in /usr/lib64/libgnutls.so.30.28.0)
==2640878==    by 0x4910D59: gnutls_pkcs11_obj_list_import_url3 (in /usr/lib64/libgnutls.so.30.28.0)
==2640878==    by 0x49686C3: gnutls_x509_trust_list_add_trust_file (in /usr/lib64/libgnutls.so.30.28.0)
==2640878==    by 0x48D9E70: gnutls_x509_trust_list_add_system_trust (in /usr/lib64/libgnutls.so.30.28.0)
==2640878==    by 0x4010A5: main (in /home/miros/a.out)
==2640878==
==2640878== LEAK SUMMARY:
==2640878==    definitely lost: 0 bytes in 0 blocks
==2640878==    indirectly lost: 0 bytes in 0 blocks
==2640878==      possibly lost: 0 bytes in 0 blocks
==2640878==    still reachable: 5,408,309 bytes in 44,429 blocks
==2640878==         suppressed: 0 bytes in 0 blocks
==2640878==
==2640878== For lists of detected and suppressed errors, rerun with: -s
==2640878== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)
```

## Expected results:

All memory freed.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1070
From gnutls-devel at lists.gnutls.org Thu Aug 20 05:21:15 2020
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Thu, 20 Aug 2020 03:21:15 +0000
Subject: [gnutls-devel] GnuTLS | memleak found by fuzz (#1071)

lutianxiong created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1071

## Description of problem:

I got a heap-buffer-overflow while fuzzing gnutls-master

```
==8==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000000 at pc 0x000000ba4514 bp 0x7ffe4031ba00 sp 0x7ffe4031b9f8
READ of size 4 at 0x602000000000 thread T0
SCARINESS: 17 (4-byte-read-heap-buffer-overflow)
    #0 0xba4513 in __gmpz_clear /src/gmp/mpz/clear.c:38:7
    #1 0x7be127 in wrap_nettle_mpi_release /src/gnutls/lib/nettle/mpi.c:212:2
    #2 0x80a21f in _gnutls_mpi_release /src/gnutls/lib/./mpi.h:71:2
    #3 0x80dea3 in gnutls_pk_params_release /src/gnutls/lib/pk.c:536:3
    #4 0x673445 in deinit_keys /src/gnutls/lib/state.c:380:3
    #5 0x672b86 in _gnutls_handshake_internal_state_clear /src/gnutls/lib/state.c:444:2
    #6 0x676a57 in gnutls_deinit /src/gnutls/lib/state.c:669:2
    #7 0x55475e in LLVMFuzzerTestOneInput /src/gnutls/fuzz/gnutls_psk_client_fuzzer.c:86:2
    #8 0x45a1c1 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm/projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:556:15
    #9 0x444de1 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm/projects/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:292:6
    #10 0x44aa9e in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm/projects/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:774:9
    #11 0x474c12 in main /src/llvm/projects/compiler-rt/lib/fuzzer/FuzzerMain.cpp:19:10
    #12 0x7f1470de882f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #13 0x41e198 in _start (/out/gnutls_psk_client_fuzzer+0x41e198)

0x602000000000 is located 16 bytes to the left of 16-byte region [0x602000000010,0x602000000020)
freed by thread T0 here:
    #0 0x52176d in __interceptor_free /src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:123:3
    #1 0xb8de31 in _asn1_delete_list /src/libtasn1/lib/parser_aux.c:590:7
    #2 0xb947c8 in asn1_array2tree /src/libtasn1/lib/structure.c:278:5
    #3 0x64b073 in _gnutls_global_init /src/gnutls/lib/global.c:293:8
    #4 0x64a936 in gnutls_global_init /src/gnutls/lib/global.c:224:9
    #5 0x553da4 in init /src/gnutls/fuzz/./fuzzer.h:36:2
    #6 0xcdfa1c in __libc_csu_init (/out/gnutls_psk_client_fuzzer+0xcdfa1c)

previously allocated by thread T0 here:
    #0 0x5219ed in malloc /src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:145:3
    #1 0xb8a993 in _asn1_add_static_node /src/libtasn1/lib/parser_aux.c:76:7
    #2 0xb93d03 in asn1_array2tree /src/libtasn1/lib/structure.c:199:11
    #3 0x64b073 in _gnutls_global_init /src/gnutls/lib/global.c:293:8
    #4 0x64a936 in gnutls_global_init /src/gnutls/lib/global.c:224:9
    #5 0x553da4 in init /src/gnutls/fuzz/./fuzzer.h:36:2
    #6 0xcdfa1c in __libc_csu_init (/out/gnutls_psk_client_fuzzer+0xcdfa1c)

SUMMARY: AddressSanitizer: heap-buffer-overflow /src/gmp/mpz/clear.c:38:7 in __gmpz_clear
```

## Version of gnutls used:

master

## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)

Ubuntu 16.04

## How reproducible:

run oss-fuzz locally

Steps to Reproduce:

use the attached file as the corpus to reproduce, like:

python infra/helper.py reproduce gnutls gnutls_psk_client_fuzzer gnutls_psk_client_fuzzer-heap-buffer-overflow

[gnutls_psk_client_fuzzer-heap-buffer-overflow](/uploads/aa77b510adb163e3890c7dfcc40083a7/gnutls_psk_client_fuzzer-heap-buffer-overflow)

## Actual results:

as described, ASAN reports a heap-buffer-overflow bug

## Expected results:

no error report

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1071
From gnutls-devel at lists.gnutls.org Thu Aug 20 05:41:10 2020
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Thu, 20 Aug 2020 03:41:10 +0000
Subject: [gnutls-devel] GnuTLS | memleak found by fuzz (#1071)

lutianxiong commented:

I found that the heap-memory address stored in session->key.proto.tls12 was overwritten by read_server_hello (handshake.c, line 1947):

```
if (!vers->tls13_sem) {
	gnutls_memset(&session->key.proto.tls13, 0,
		      sizeof(session->key.proto.tls13));
	reset_binders(session);
}
```

The following is the debug info:

```
1947		if (!vers->tls13_sem) {
(gdb) p session->key.proto.tls12.dh
$7 = {params = {params = {0x602000004d10, 0x0, 0x602000004cd0, 0x0 }, params_nr = 3, pkflags = 0, qbits = 0, curve = GNUTLS_ECC_CURVE_INVALID, dh_group = GNUTLS_GROUP_INVALID, gost_params = GNUTLS_GOST_PARAMSET_UNKNOWN, raw_pub = {data = 0x0, size = 0}, raw_priv = {data = 0x0, size = 0}, seed_size = 0, seed = '\000' , palgo = GNUTLS_DIG_UNKNOWN, spki = {pk = GNUTLS_PK_UNKNOWN, rsa_pss_dig = GNUTLS_DIG_UNKNOWN, salt_size = 0, legacy = 0, dsa_dig = GNUTLS_DIG_UNKNOWN, flags = 0}, algo = GNUTLS_PK_DH}, client_Y = 0x602000004cb0}
(gdb) n
1948			gnutls_memset(&session->key.proto.tls13, 0,
(gdb) n
1950			reset_binders(session);
(gdb) n
1956		if (!vers->tls13_sem &&
(gdb) p session->key.proto.tls12.dh
$8 = {params = {params = {0x602000000000, 0x0, 0x602000004cd0, 0x0 }, params_nr = 3, pkflags = 0, qbits = 0, curve = GNUTLS_ECC_CURVE_INVALID, dh_group = GNUTLS_GROUP_INVALID, gost_params = GNUTLS_GOST_PARAMSET_UNKNOWN, raw_pub = {data = 0x0, size = 0}, raw_priv = {data = 0x0, size = 0}, seed_size = 0, seed = '\000' , palgo = GNUTLS_DIG_UNKNOWN, spki = {pk = GNUTLS_PK_UNKNOWN, rsa_pss_dig = GNUTLS_DIG_UNKNOWN, salt_size = 0, legacy = 0, dsa_dig = GNUTLS_DIG_UNKNOWN, flags = 0}, algo = GNUTLS_PK_DH}, client_Y = 0x602000004cb0}
(gdb)
```

Later, while gnutls_deinit tears down the session, gnutls_pk_params_release(&session->key.proto.tls12.dh.params) triggers the heap-buffer-overflow read.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1071#note_399141602

From gnutls-devel at lists.gnutls.org Thu Aug 20 05:52:19 2020
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Thu, 20 Aug 2020 03:52:19 +0000
Subject: [gnutls-devel] GnuTLS | memleak found by fuzz (#1071)

lutianxiong commented:

I also get some other ASAN/MSAN error reports while fuzzing gnutls_psk_client_fuzzer, like memleak, use-of-uninitialized-value, with the same root cause as this issue: session->key.proto is a union, so clearing session->key.proto.tls13 in read_server_hello overwrites session->key.proto.tls12.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1071#note_399143575

From gnutls-devel at lists.gnutls.org Thu Aug 20 13:13:29 2020
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Thu, 20 Aug 2020 11:13:29 +0000
Subject: [gnutls-devel] GnuTLS | gnutls_global_deinit() doesn't free all memory after loading system trusted CAs (#1070)

Daiki Ueno commented:

It's a bit tricky because of p11-kit, which also does cleanup in an ELF destructor (and there is no way to explicitly do that), as well as PKCS#11 modules installed on the system, such as SoftHSM, which rely on OpenSSL's cleanup logic (i.e. atexit).
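The union overlap that lutianxiong's two comments describe, as an added example in C that is not GnuTLS code: `struct model_session`, its `live` tag and the reset/deinit helpers are this example's own constructions, and the tagged-union rule in `model_reset_tls13_safe()` is one possible discipline, not the fix GnuTLS applied.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of the per-session key state from the report: the TLS 1.2
 * and TLS 1.3 members share one union, so they occupy the same bytes. */
enum model_proto { MODEL_TLS12 = 0, MODEL_TLS13 = 1 };

struct model_session {
	enum model_proto live;		/* which union member currently holds state */
	union {
		struct { void *dh_params; int params_nr; } tls12;	/* stand-in for key.proto.tls12.dh */
		struct { uint8_t secret[48]; uint8_t binder[32]; } tls13;
	} proto;
};

/* A session that has negotiated TLS 1.2 and owns heap-allocated DH parameters
 * (a constructed stand-in for the GMP integers that gnutls_pk_params_release() frees). */
static void model_session_init_tls12(struct model_session *s)
{
	memset(s, 0, sizeof(*s));
	s->live = MODEL_TLS12;
	s->proto.tls12.dh_params = calloc(1, 64);
	if (s->proto.tls12.dh_params == NULL)
		abort();
	s->proto.tls12.params_nr = 3;
}

/* Mirrors the pattern quoted from read_server_hello(): when the negotiated
 * version does not have TLS 1.3 semantics, the TLS 1.3 member is zeroed.
 * Because the members overlap, the live TLS 1.2 pointer is wiped as well.
 * Returns 1 if the pointer survived, 0 if it was clobbered. */
int model_reset_tls13_unsafe(struct model_session *s)
{
	void *before = s->proto.tls12.dh_params;
	int tls13_sem = (s->live == MODEL_TLS13);
	if (!tls13_sem)
		memset(&s->proto.tls13, 0, sizeof(s->proto.tls13));
	return s->proto.tls12.dh_params == before;
}

/* Tagged-union discipline (hypothetical alternative): only the member the tag
 * says is live may be cleared; TLS 1.2 state is left for deinit to release. */
int model_reset_tls13_safe(struct model_session *s)
{
	void *before = s->proto.tls12.dh_params;
	if (s->live == MODEL_TLS13)
		memset(&s->proto.tls13, 0, sizeof(s->proto.tls13));
	return s->proto.tls12.dh_params == before;
}

/* Release whatever the tag says is live. After the unsafe reset the TLS 1.2
 * pointer is NULL, so free() is a no-op and the parameters leak (the "memleak"
 * of the issue title); a partial overwrite, as in the gdb output above, would
 * instead hand a bogus address to the release routine. */
static void model_session_deinit(struct model_session *s)
{
	if (s->live == MODEL_TLS12) {
		free(s->proto.tls12.dh_params);
		s->proto.tls12.dh_params = NULL;
	} else {
		memset(&s->proto.tls13, 0, sizeof(s->proto.tls13));
	}
}

/* One negotiate / reset / deinit cycle with the given reset routine.
 * Returns 1 if the DH parameters reached deinit intact, 0 if they were lost. */
int model_run(int (*reset)(struct model_session *))
{
	struct model_session s;
	model_session_init_tls12(&s);
	void *owned = s.proto.tls12.dh_params;	/* kept so the demonstration itself does not leak */
	int survived = reset(&s);
	model_session_deinit(&s);
	if (!survived)
		free(owned);
	return survived;
}
```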
--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1070#note_399341210

From gnutls-devel at lists.gnutls.org Thu Aug 20 14:36:28 2020
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Thu, 20 Aug 2020 12:36:28 +0000
Subject: [gnutls-devel] GnuTLS | cert-session: check OCSP error responses (!1308)

Sahana Prasad commented:

@dueno LGTM!

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1308#note_399395919

From gnutls-devel at lists.gnutls.org Thu Aug 20 15:20:50 2020
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Thu, 20 Aug 2020 13:20:50 +0000
Subject: [gnutls-devel] GnuTLS | cert-session: check OCSP error responses (!1308)

Merge Request !1308 was merged

Merge Request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1308

Branches: tmp-ocsp-resp-status to master
Author: Daiki Ueno
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1308

From gnutls-devel at lists.gnutls.org Thu Aug 20 15:20:50 2020
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Thu, 20 Aug 2020 13:20:50 +0000
Subject: [gnutls-devel] GnuTLS | Got OCSP response with an unrelated certificate, OCSP status response is invalid. (#1062)

Issue was closed by Daiki Ueno via commit e77ac722063385d7c92ae1c6a0c1473b92cab682

Issue #1062: https://gitlab.com/gnutls/gnutls/-/issues/1062

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1062

From gnutls-devel at lists.gnutls.org Thu Aug 20 15:20:47 2020
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Thu, 20 Aug 2020 13:20:47 +0000
Subject: [gnutls-devel] GnuTLS | cert-session: check OCSP error responses (!1308)

Daiki Ueno commented:

Thank you for the review.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1308#note_399431708

From gnutls-devel at lists.gnutls.org Thu Aug 20 21:05:02 2020
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Thu, 20 Aug 2020 19:05:02 +0000
Subject: [gnutls-devel] GnuTLS | handshake: check TLS version against modified server priorities (!1309)

Airtower commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/1309#note_399646132

Looks good to me, and mod_gnutls works as well. :slight_smile:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1309#note_399646132
From gnutls-devel at lists.gnutls.org Thu Aug 20 21:05:02 2020
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Thu, 20 Aug 2020 19:05:02 +0000
Subject: [gnutls-devel] GnuTLS | handshake: check TLS version against modified server priorities (!1309)

All discussions on Merge Request !1309 were resolved by Airtower

https://gitlab.com/gnutls/gnutls/-/merge_requests/1309

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1309

From gnutls-devel at lists.gnutls.org Fri Aug 21 05:42:29 2020
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Fri, 21 Aug 2020 03:42:29 +0000
Subject: [gnutls-devel] GnuTLS | Update README.md for *** libev4 was not found *** added package to install in ubuntu 18.04 (!1313)

Satya kommula created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1313

Project:Branches: kommula/gnutls:patch-1 to gnutls/gnutls:master
Author: Satya kommula

Add a description of the new feature/bug fix. Reference any relevant bugs.

## Checklist

* [ ] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [ ] Code modified for feature
* [ ] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [x] Documentation updated / NEWS entry present (for non-trivial changes)
* [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:

* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1313

From gnutls-devel at lists.gnutls.org Fri Aug 21 05:44:17 2020
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Fri, 21 Aug 2020 03:44:17 +0000
Subject: [gnutls-devel] GnuTLS | Update README.md for *** libev4 was not found *** added package to install in ubuntu 18.04 (!1313)

Merge Request !1313 was closed by Satya kommula

Merge Request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1313

Project:Branches: kommula/gnutls:patch-1 to gnutls/gnutls:master
Author: Satya kommula
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1313
URL: From gnutls-devel at lists.gnutls.org Fri Aug 21 08:58:43 2020 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 21 Aug 2020 06:58:43 +0000 Subject: [gnutls-devel] GnuTLS | DTLS priority enables TLS1.2 (#1054) In-Reply-To: References: Message-ID: Issue was closed by Daiki Ueno via merge request !1309 (https://gitlab.com/gnutls/gnutls/-/merge_requests/1309) Issue #1054: https://gitlab.com/gnutls/gnutls/-/issues/1054 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1054 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Aug 21 08:58:44 2020 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 21 Aug 2020 06:58:44 +0000 Subject: [gnutls-devel] GnuTLS | handshake: check TLS version against modified server priorities (!1309) In-Reply-To: References: Message-ID: Merge Request !1309 was merged Merge Request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1309 Branches: tmp-tls12-version-checks to master Author: Daiki Ueno Assignee: Airtower -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1309 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Aug 21 08:58:38 2020 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 21 Aug 2020 06:58:38 +0000 Subject: [gnutls-devel] GnuTLS | handshake: check TLS version against modified server priorities (!1309) In-Reply-To: References: Message-ID: Daiki Ueno commented: Thanks for the review! 
-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1309#note_399818987

From gnutls-devel at lists.gnutls.org Fri Aug 21 12:20:13 2020
Date: Fri, 21 Aug 2020 10:20:13 +0000
Subject: [gnutls-devel] GnuTLS | Update README.md for *** libev4 was not found *** added package to install in ubuntu 18.04 (!1313)

Merge Request !1313 was reopened by Satya kommula
Merge Request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1313
Project:Branches: kommula/gnutls:patch-1 to gnutls/gnutls:master
Author: Satya kommula
Assignees:

-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1313

From gnutls-devel at lists.gnutls.org Fri Aug 21 13:40:23 2020
Date: Fri, 21 Aug 2020 11:40:23 +0000
Subject: [gnutls-devel] GnuTLS | Update README.md for *** libev4 was not found *** added package to install in ubuntu 18.04 (!1313)

Merge Request !1313 was approved by Daiki Ueno
Merge Request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1313
Project:Branches: kommula/gnutls:patch-1 to gnutls/gnutls:master
Author: Satya kommula
Assignees:

-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1313
From gnutls-devel at lists.gnutls.org Fri Aug 21 13:43:14 2020
Date: Fri, 21 Aug 2020 11:43:14 +0000
Subject: [gnutls-devel] GnuTLS | Update README.md for *** libev4 was not found *** added package to install in ubuntu 18.04 (!1313)

Daiki Ueno commented:

Thank you; looks good to me. Looks like all the CI failures are timeout. I guess you could retrigger them after prolonging the limit in "Settings" → "CI / CD" → "General pipelines".

-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1313#note_400012316

From gnutls-devel at lists.gnutls.org Sat Aug 22 19:55:28 2020
Date: Sat, 22 Aug 2020 17:55:28 +0000
Subject: [gnutls-devel] GnuTLS | gnutls-serv: Echo mode and line endings (#1073)

Albrecht Dreß created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1073

## Description of the feature:

In “Echo” mode, `gnutls-serv` always replaces CRLF line endings by LF by [unconditionally calling `strip()`](https://gitlab.com/gnutls/gnutls/-/blob/master/src/serv.c#L1061). It would be nice to have an option to switch this off, similar to the cli's `--crlf` option.

## Applications that this feature may be relevant to:

I use the Echo server for testing libraries and applications, implementing, inter alia, protocols like SMTP or POP3 which *rely* upon CRLF line endings according to the standards. If the CRLF-terminated message sent to the Echo server is returned *without* the CR, the tests fail. I hacked `gnutls-serv` by just commenting out the aforementioned call, but this is no “real” solution IMHO…
## Is this feature implemented in other libraries (and which)

IIRC, older versions of `gnutls-serv` (e.g. in Ubuntu 18.04) did *not* replace the CRLF by LF.

-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1073

From gnutls-devel at lists.gnutls.org Sun Aug 23 09:02:29 2020
Date: Sun, 23 Aug 2020 07:02:29 +0000
Subject: [gnutls-devel] GnuTLS | gnutls-serv: Echo mode and line endings (#1073)

Daiki Ueno commented:

I agree that it would be useful. Would you like to propose a patch as MR?

> IIRC, older versions of gnutls-serv (e.g. in Ubuntu 18.04) did not replace the CRLF by LF.

Looks like it was a bug fixed in 11b6c098647596f62e621d1d9a6f54995be9e22b.

-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1073#note_400440364

From gnutls-devel at lists.gnutls.org Sun Aug 23 15:07:50 2020
Date: Sun, 23 Aug 2020 13:07:50 +0000
Subject: [gnutls-devel] GnuTLS | gnutls-serv: Echo mode and line endings (#1073)

Albrecht Dreß commented on a discussion: https://gitlab.com/gnutls/gnutls/-/issues/1073#note_400473087

> Would you like to propose a patch as MR?

Apparently, I'm not allowed to mail merge requests, so I add a (trivial) proposal below – fixes the issue for me (using the new `--crlf` option), without breaking the previous behavior…

Thanks, Albrecht.
[gnutls-srv-crlf-option.patch](/uploads/e88939897bd99782b99d1594202bdea0/gnutls-srv-crlf-option.patch)

-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1073#note_400473087

From gnutls-devel at lists.gnutls.org Sun Aug 23 17:16:15 2020
Date: Sun, 23 Aug 2020 15:16:15 +0000
Subject: [gnutls-devel] GnuTLS | gnutls-serv: Echo mode and line endings (#1073)

Daiki Ueno commented on a discussion: https://gitlab.com/gnutls/gnutls/-/issues/1073#note_400489141

Thank you. It would be good if you file MR through the [web interface](https://gitlab.com/gnutls/gnutls/-/merge_requests), but I can do it for you if it is too much burden.

-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1073#note_400489141

From gnutls-devel at lists.gnutls.org Sun Aug 23 18:06:29 2020
Date: Sun, 23 Aug 2020 16:06:29 +0000
Subject: [gnutls-devel] GnuTLS | gnutls-serv: Echo mode and line endings (#1073)

Albrecht Dreß commented on a discussion: https://gitlab.com/gnutls/gnutls/-/issues/1073#note_400493977

I have no option to add a Merge request through the web interface, and the merge request E-Mail has been rejected, maybe because I'm not listed as project member (which may or may not be sufficient anyway; granting these permissions to me in the GNOME gitlab turned out to be a real PITA…):

> Unfortunately, your email message to GitLab could not be processed.
>
> You are not allowed to perform this action. If you believe this is in error, contact a staff member.

So I guess the options are either adding me as a project member (with unclear additional efforts that *really* enable creating the MR for me), or add the MR yourself. I'm open for both approaches (but as I'm a user of GnuTLS in first place, it's somewhat unlikely I'll have more patches I can contribute, though…).

Thanks, Albrecht.

-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1073#note_400493977

From gnutls-devel at lists.gnutls.org Sun Aug 23 18:36:19 2020
Date: Sun, 23 Aug 2020 16:36:19 +0000
Subject: [gnutls-devel] GnuTLS | gnutls-serv: Echo mode and line endings (#1073)

Andreas Metzler commented on a discussion: https://gitlab.com/gnutls/gnutls/-/issues/1073#note_400496705

Albrecht Dreß @albrechtd wrote

> I have no option to add a Merge request through the web interface, and the merge request E-Mail has been rejected, maybe because I'm not listed as project member [...]

Afaik the usual way to submit a merge request is to

1. fork the project and then
2. submit a merge request from the fork.

That should work for non-project members.
-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1073#note_400496705

From gnutls-devel at lists.gnutls.org Sun Aug 23 21:59:03 2020
Date: Sun, 23 Aug 2020 19:59:03 +0000
Subject: [gnutls-devel] GnuTLS | guile bindings do not build with pkgsrc (on NetBSD) (#996)

civodul commented on a discussion: https://gitlab.com/gnutls/gnutls/-/issues/996#note_400515545

Hi Nikita, and apologies for the late reply!

I think if you want to ignore the "vendor" part of the triplet, you can use `unknown`, as in `x86_64-unknown-netbsd` (or `pc` in this case). An empty "vendor", as in `x86_64--netbsd` is incorrect and going to lead to issues, not just with Guile I guess.

Perhaps as a stopgap you can adjust the pkgsrc to configure GnuTLS with `--with-host=x86_64-pc-netbsd`?

HTH,
Ludo'.

PS: gitlab.com has become hard to impossible to use for me over Tor, which is a real bummer.

-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/996#note_400515545

From gnutls-devel at lists.gnutls.org Mon Aug 24 09:57:22 2020
Date: Mon, 24 Aug 2020 07:57:22 +0000
Subject: [gnutls-devel] GnuTLS | guile bindings do not build with pkgsrc (on NetBSD) (#996)

Nikita Gillmann commented on a discussion: https://gitlab.com/gnutls/gnutls/-/issues/996#note_400864585

I'm closing this because I choose to invest my energy in other topics.
Your proposal doesn't align with reality, as I tried to explain before, in Linux, MingW, as well as some BSD systems. It aligns with what some do, but it doesn't match what everyone does. I'd be happy to point to a more thorough explanation than this:

> Configuration Name Definition
>
> This is a string of the form cpu-manufacturer-operating_system. In some cases, this is extended to a four part form: cpu-manufacturer-kernel-operating_system.
>
> When using a configuration name in a configure option, it is normally not necessary to specify an entire name. In particular, the manufacturer field is often omitted, leading to strings such as i386-linux or sparc-sunos. The shell script config.sub will translate these shortened strings into the canonical form. autoconf will arrange for config.sub to be run automatically when it is needed.

source: https://www.rpi.edu/dept/cis/software/g77-mingw32/info-html/configure.html (1998)

Similar quotes are found in the 2012 version. What I provided before was knowledge we work with for a very long time. 'Unknown' would simply be wrong, NetBSD has no vendors. 'Unknown' has been selected default by some distributors, but as explained before in practice you also see no vendor (field omitted) more often. So I don't really understand why you are trying to explain my explanation to me.

-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/996#note_400864585
From gnutls-devel at lists.gnutls.org Mon Aug 24 09:57:26 2020
Date: Mon, 24 Aug 2020 07:57:26 +0000
Subject: [gnutls-devel] GnuTLS | guile bindings do not build with pkgsrc (on NetBSD) (#996)

Issue was closed by Nikita Gillmann
Issue #996: https://gitlab.com/gnutls/gnutls/-/issues/996

-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/996

From gnutls-devel at lists.gnutls.org Mon Aug 24 10:19:44 2020
Date: Mon, 24 Aug 2020 08:19:44 +0000
Subject: [gnutls-devel] GnuTLS | guile bindings do not build with pkgsrc (on NetBSD) (#996)

Nikita Gillmann commented on a discussion: https://gitlab.com/gnutls/gnutls/-/issues/996#note_400881360

Most guile packages I've dealt with do not check for the vendor string or any part of the triplet outside of their main configure scripts (gnutls guile picks it up from somewhere in guile itself comparing to a previous saved string (sorry, I'm fuzzy on the details since this was reported 3+ months ago)). In my opinion there's nothing GnuTLS can do, all I could do is send a patch to Guile itself with a more thorough argumentation why vendor in practice is omitted for a long time on some systems.

-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/996#note_400881360
From gnutls-devel at lists.gnutls.org Tue Aug 25 11:14:26 2020
Date: Tue, 25 Aug 2020 09:14:26 +0000
Subject: [gnutls-devel] GnuTLS | ClientHello.legacy_session_id is not set even if middlebox compat mode is enabled in TLS 1.3 (#1074)

Daiki Ueno created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1074

The RFC suggests that ClientHello.legacy_session_id should be non-empty if TLS 1.3 client supports the middlebox compatibility mode, though GnuTLS client always sends empty session ID while `TLS13_APPENDIX_D4` is defined as 1.

This is because, while the session id is generated in `send_client_hello`, it is not copied to the ClientHello:

```c
#ifdef TLS13_APPENDIX_D4
	if (max_ver->tls13_sem &&
	    session->security_parameters.session_id_size == 0) {
		/* Under TLS1.3 we generate a random session ID to make
		 * the TLS1.3 session look like a resumed TLS1.2 session */
		ret = _gnutls_generate_session_id(session->security_parameters.
						  session_id,
						  &session->security_parameters.
						  session_id_size);
		if (ret < 0) {
			gnutls_assert();
			goto cleanup;
		}
	}
#endif

	/* Copy the Session ID - if any */
	ret = _gnutls_buffer_append_data_prefix(&extdata, 8,
						session->internals.resumed_security_parameters.session_id,
						session_id_len);
	if (ret < 0) {
		gnutls_assert();
		goto cleanup;
	}
```

We probably should set the local variable `session_id_len` and also point to `security_parameters.session_id` rather than `resumed_security_parameters.session_id`.

-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1074
From gnutls-devel at lists.gnutls.org Tue Aug 25 11:48:15 2020
Date: Tue, 25 Aug 2020 09:48:15 +0000
Subject: [gnutls-devel] GnuTLS | gnutls doesn't fallback to TLS1.2 automatically (#1053)

Daiki Ueno commented:

Apologies for the delay. It seems that the GnuTLS client is sending TLSPlaintext with the legacy_record_version set to TLS 1.0. This is okay for the first Client Hello, but after Hello Retry Request the field must be set to TLS 1.2, according to the RFC:

```
legacy_record_version:  MUST be set to 0x0303 for all records
   generated by a TLS 1.3 implementation other than an initial
   ClientHello (i.e., one not generated after a HelloRetryRequest),
   where it MAY also be 0x0301 for compatibility purposes.
```

If I manually modify the version in a GDB session (in `copy_record_version` in record.c), the command works as expected.

-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1053#note_401589913

From gnutls-devel at lists.gnutls.org Tue Aug 25 14:35:33 2020
Date: Tue, 25 Aug 2020 12:35:33 +0000
Subject: [gnutls-devel] GnuTLS | Getting actual certificate path to a trusted CA (#1012)

Sahana Prasad commented:

@codesquid Hi Tim, could you elaborate on the specific usecase for this feature?

-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1012#note_401700153
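As an added illustration of the RFC 8446 rule quoted in the #1053 comment above (example code, not GnuTLS's own), the checker below validates TLS record headers and tracks whether a ClientHello is the initial one, so a 0x0301 legacy_record_version on the ClientHello sent after HelloRetryRequest is flagged. All type and function names are hypothetical and the sample headers are constructed for this example.

```c
/* Added example (not GnuTLS code): record-header checker for the
 * RFC 8446 section 5.1 legacy_record_version rule discussed in #1053.
 * Names are hypothetical; sample headers are constructed. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define TLS_RECORD_HEADER_LEN 5
#define TLS_MAX_PLAINTEXT_LEN 16384          /* 2^14 (RFC 8446, 5.1) */
#define TLS_MAX_CIPHERTEXT_LEN (16384 + 256) /* 2^14 + 256 (RFC 8446, 5.2) */

enum tls_content_type {
	TLS_CT_CHANGE_CIPHER_SPEC = 20,
	TLS_CT_ALERT = 21,
	TLS_CT_HANDSHAKE = 22,
	TLS_CT_APPLICATION_DATA = 23,
};

enum record_verdict {
	RECORD_OK = 0,
	RECORD_TOO_SHORT,
	RECORD_BAD_CONTENT_TYPE,
	RECORD_BAD_VERSION,
	RECORD_TOO_LONG,
};

/* Per-direction state: true until the first ClientHello record
 * has been seen on this connection. */
struct record_ctx {
	bool initial_client_hello;
};

enum record_verdict check_record_header(struct record_ctx *ctx,
					const uint8_t *rec, size_t len)
{
	if (len < TLS_RECORD_HEADER_LEN)
		return RECORD_TOO_SHORT;

	uint8_t type = rec[0];
	uint16_t version = (uint16_t)((rec[1] << 8) | rec[2]);
	uint16_t length = (uint16_t)((rec[3] << 8) | rec[4]);

	switch (type) {
	case TLS_CT_CHANGE_CIPHER_SPEC:
	case TLS_CT_ALERT:
	case TLS_CT_HANDSHAKE:
	case TLS_CT_APPLICATION_DATA:
		break;
	default:
		return RECORD_BAD_CONTENT_TYPE;
	}

	/* MUST be 0x0303 for every record a TLS 1.3 implementation
	 * generates, except the initial ClientHello, which MAY use 0x0301.
	 * A ClientHello sent after HelloRetryRequest is not initial, so
	 * 0x0301 there is exactly the violation reported in #1053. */
	bool initial_ch = ctx->initial_client_hello && type == TLS_CT_HANDSHAKE;
	if (version != 0x0303 && !(initial_ch && version == 0x0301))
		return RECORD_BAD_VERSION;

	size_t max_len = (type == TLS_CT_APPLICATION_DATA)
			 ? TLS_MAX_CIPHERTEXT_LEN : TLS_MAX_PLAINTEXT_LEN;
	if (length > max_len)
		return RECORD_TOO_LONG;

	/* The first accepted handshake record closes the compatibility window. */
	if (type == TLS_CT_HANDSHAKE)
		ctx->initial_client_hello = false;
	return RECORD_OK;
}

/* Convenience wrapper: check one record against a fresh context. */
enum record_verdict check_single(const uint8_t *rec, size_t len, bool initial)
{
	struct record_ctx ctx = { initial };
	return check_record_header(&ctx, rec, len);
}

/* Constructed 5-byte headers: a handshake record carrying 0x0301 and the
 * same record carrying 0x0303 (body length 0x00c8 = 200 bytes). */
const uint8_t CH_HDR_TLS10[5] = { 22, 0x03, 0x01, 0x00, 0xc8 };
const uint8_t CH_HDR_TLS12[5] = { 22, 0x03, 0x03, 0x00, 0xc8 };

/* Replays the #1053 sequence: CH1 at 0x0301 (allowed), then, after HRR,
 * CH2 still at 0x0301 (rejected). Returns the verdict for CH2. */
enum record_verdict replay_hrr_sequence(void)
{
	struct record_ctx ctx = { true };
	if (check_record_header(&ctx, CH_HDR_TLS10, 5) != RECORD_OK)
		return RECORD_BAD_CONTENT_TYPE; /* unexpected: CH1 must pass */
	return check_record_header(&ctx, CH_HDR_TLS10, 5);
}
```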
From gnutls-devel at lists.gnutls.org Wed Aug 26 03:37:52 2020
Date: Wed, 26 Aug 2020 01:37:52 +0000
Subject: [gnutls-devel] GnuTLS | What is the difference between SHA512 (partial) accelerator and Original padlock PHE？ (#1075)

zzjianhui created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1075

When I see x86-common.c, there are two branches under padlock phe. I found that the difference is whether the function in the structure is set to NULL.

-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1075

From gnutls-devel at lists.gnutls.org Wed Aug 26 11:48:22 2020
Date: Wed, 26 Aug 2020 09:48:22 +0000
Subject: [gnutls-devel] GnuTLS | Unintended use of sizeof() on pointer (#1076)

Antonio de la Piedra created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1076

Hello,

I found two places in GnuTLS where sizeof() is used on a pointer:

1. lib/accelerated/x86/x86-common.c, line 315

```c
static int check_phe_partial(void)
{
	const char *text = "test and test";
	uint32_t iv[5] = { 0x67452301UL, 0xEFCDAB89UL, 0x98BADCFEUL,
		0x10325476UL, 0xC3D2E1F0UL
	};

	padlock_sha1_blocks(iv, text, sizeof(text) - 1);
	padlock_sha1_blocks(iv, text, sizeof(text) - 1);

	if (iv[0] == 0x9096E2D8UL && iv[1] == 0xA33074EEUL &&
	    iv[2] == 0xCDBEE447UL && iv[3] == 0xEC7979D2UL &&
	    iv[4] == 0x9D3FF5CFUL)
		return 1;
	else
		return 0;
}
```

The sizeof of the pointer text is taken in padlock_sha1_blocks (it is always 7).

2. tests/suite/mini-record-timing.c, line 235

```c
ret = gnutls_record_send(session, text, sizeof(text));
```

where text is a pointer.

Best regards,
Antonio

-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1076

From gnutls-devel at lists.gnutls.org Wed Aug 26 15:58:53 2020
Date: Wed, 26 Aug 2020 13:58:53 +0000
Subject: [gnutls-devel] GnuTLS | What is the difference between SHA512 (partial) accelerator and Original padlock PHE？ (#1075)

Daiki Ueno commented:

I have no experience with padlock, but according to the comment, the _nano variant supports incremental update of hashes, while the original one only supports one-shot calculation.

-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1075#note_402495014

From gnutls-devel at lists.gnutls.org Wed Aug 26 16:01:32 2020
Date: Wed, 26 Aug 2020 14:01:32 +0000
Subject: [gnutls-devel] GnuTLS | Unintended use of sizeof() on pointer (#1076)

Daiki Ueno commented:

Thank you for the report; indeed. On the other hand, it would be hard to test that code given the current availability of the VIA processors. Do you know if there is any emulator or compilation farm that supports Padlock?
-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1076#note_402497165

From gnutls-devel at lists.gnutls.org Wed Aug 26 19:19:35 2020
Date: Wed, 26 Aug 2020 17:19:35 +0000
Subject: [gnutls-devel] GnuTLS | Unintended use of sizeof() on pointer (#1076)

Antonio de la Piedra commented:

I checked the GCC farm (https://cfarm.tetaneutral.net/machines/list/) but I did not see any machine with the padlock extensions. Indeed this particular hardware is needed to check this issue.

-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1076#note_402624918

From gnutls-devel at lists.gnutls.org Thu Aug 27 04:45:59 2020
Date: Thu, 27 Aug 2020 02:45:59 +0000
Subject: [gnutls-devel] GnuTLS | What is the difference between SHA512 (partial) accelerator and Original padlock PHE？ (#1075)

zzjianhui commented on a discussion: https://gitlab.com/gnutls/gnutls/-/issues/1075#note_402778261

I found the check_phe_partial() function in x86-common.c; it only calculates sha1 and compares the obtained value with a constant. What does it mean?

-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1075#note_402778261
From gnutls-devel at lists.gnutls.org Thu Aug 27 09:25:43 2020
Date: Thu, 27 Aug 2020 07:25:43 +0000
Subject: [gnutls-devel] GnuTLS | What is the difference between SHA512 (partial) accelerator and Original padlock PHE？ (#1075)

Daiki Ueno commented on a discussion: https://gitlab.com/gnutls/gnutls/-/issues/1075#note_402994716

It is to check if the CPU is capable of handling incremental update.

-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1075#note_402994716

From gnutls-devel at lists.gnutls.org Thu Aug 27 10:04:21 2020
Date: Thu, 27 Aug 2020 08:04:21 +0000
Subject: [gnutls-devel] GnuTLS | What is the difference between SHA512 (partial) accelerator and Original padlock PHE？ (#1075)

zzjianhui commented on a discussion: https://gitlab.com/gnutls/gnutls/-/issues/1075#note_403017532

But I read this code and found that one branch runs padlock to accelerate, and the other branch calls the nettle library, without using the extended instruction set to accelerate.

-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1075#note_403017532
From gnutls-devel at lists.gnutls.org Thu Aug 27 10:52:00 2020
Date: Thu, 27 Aug 2020 08:52:00 +0000
Subject: [gnutls-devel] GnuTLS | What is the difference between SHA512 (partial) accelerator and Original padlock PHE？ (#1075)

Daiki Ueno commented on a discussion: https://gitlab.com/gnutls/gnutls/-/issues/1075#note_403046821

Why do you think so? The check is here: https://gitlab.com/gnutls/gnutls/-/blob/master/lib/accelerated/x86/x86-common.c#L394 and the other branch is: https://gitlab.com/gnutls/gnutls/-/blob/master/lib/accelerated/x86/x86-common.c#L474

Both registers either `_gnutls_*_padlock` or `_gnutls_*_padlock_nano`, which are backed by the optimized implementation.

-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1075#note_403046821

From gnutls-devel at lists.gnutls.org Thu Aug 27 11:02:05 2020
Date: Thu, 27 Aug 2020 09:02:05 +0000
Subject: [gnutls-devel] GnuTLS | What is the difference between SHA512 (partial) accelerator and Original padlock PHE？ (#1075)

zzjianhui commented on a discussion: https://gitlab.com/gnutls/gnutls/-/issues/1075#note_403053082

In _gnutls_hmac_sha_padlock, its variables init, setkey, setnonce, hash, output, deinit are NULL

-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1075#note_403053082
From gnutls-devel at lists.gnutls.org Thu Aug 27 11:03:49 2020
Date: Thu, 27 Aug 2020 09:03:49 +0000
Subject: [gnutls-devel] GnuTLS | What is the difference between SHA512 (partial) accelerator and Original padlock PHE？ (#1075)

zzjianhui commented on a discussion: https://gitlab.com/gnutls/gnutls/-/issues/1075#note_403054151

and _gnutls_sha_padlock is the same

-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1075#note_403054151

From gnutls-devel at lists.gnutls.org Thu Aug 27 11:13:23 2020
Date: Thu, 27 Aug 2020 09:13:23 +0000
Subject: [gnutls-devel] GnuTLS | What is the difference between SHA512 (partial) accelerator and Original padlock PHE？ (#1075)

Daiki Ueno commented on a discussion: https://gitlab.com/gnutls/gnutls/-/issues/1075#note_403060054

As I said in the initial comment, if the support for incremental update is not available, those methods cannot be implemented. In that case, only the oneshot version (i.e. `.fast`) is optimized and other methods are delegated to the unoptimized implementation using nettle. Is it still unclear to you?

-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1075#note_403060054
URL: From gnutls-devel at lists.gnutls.org Fri Aug 28 18:09:34 2020 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 28 Aug 2020 16:09:34 +0000 Subject: [gnutls-devel] GnuTLS | GnuTLS connection get slow and fragmented (#1072) In-Reply-To: References: Message-ID: Daiki Ueno commented: I'm afraid I can't spot any problematic part in the log; there could be something that causes your router, ISP, or other middle boxes to use such a small MTU, though I can't reproduce it even after explicitly specifying the same destination host. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1072#note_403994768 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat Aug 29 09:13:27 2020 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Sat, 29 Aug 2020 07:13:27 +0000 Subject: [gnutls-devel] GnuTLS | Unintended use of sizeof() on pointer (#1076) In-Reply-To: References: Message-ID: Daiki Ueno commented: After digging it further, I'm in doubt with the `padlock_sha1_blocks` call itself. In the actual use of it in `sha-padlock.c` is the following: ```c #define SHA1_COMPRESS(ctx, data) (padlock_sha1_blocks((void*)(ctx)->state, data, 1)) void padlock_sha1_update(struct sha1_ctx *ctx, size_t length, const uint8_t * data) { MD_UPDATE(ctx, length, data, SHA1_COMPRESS, MD1_INCR(ctx)); } ``` where `MD_UPDATE` (defined in ``) takes a "compress" function as the 4th argument, which should have the following singature: ```c void nettle_sha1_compress(uint32_t *state, const uint8_t *input); ``` which assumes that `input` contains a complete SHA-1 block (64 bytes). Back to the `SHA1_COMPRESS` definition above, it calls `padlock_sha1_blocks` with the last argument 1. 
That indicates that `padlock_sha1_blocks` takes the number of blocks rather than the number of characters. Therefore, I conclude that the logic in `check_phe_partial` is completely wrong.

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1076#note_404150382

From gnutls-devel at lists.gnutls.org Sat Aug 29 13:32:47 2020
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sat, 29 Aug 2020 11:32:47 +0000
Subject: [gnutls-devel] GnuTLS | DH RFC7919 negotiation not enabled automatically (#1077)

Andreas Metzler created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1077

## Description of problem:

Docs for gnutls_certificate_set_dh_params() say:

~~~
gnutls_certificate_set_dh_params is deprecated and should not be used in newly-written code.
This function is unnecessary and discouraged on GnuTLS 3.6.0 or later. Since 3.6.0, DH parameters are negotiated following RFC7919.
~~~

Which I would read as "when upgrading code to (only) work with gnutls 3.6.0 one should delete any gnutls_certificate_set_dh_params() invocations since they are unnecessary because GnuTLS will automatically do RFC7919 negotiation."

However, it looks like (see below) that is not true: there is no automation, but gnutls_certificate_set_dh_params needs to be replaced with gnutls_certificate_set_known_dh_params().

## Version of gnutls used:
3.6.14

## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)
Debian

## How reproducible:
always

Steps to Reproduce:

Take ex-serv-x509 and remove

gnutls_certificate_set_known_dh_params(x509_cred, GNUTLS_SEC_PARAM_MEDIUM);

After this change

> openssl s_client -connect localhost:5556 -cipher DHE-RSA-AES256-GCM-SHA384-tls1_2

will fail.
This originally came up in https://github.com/rbsec/sslscan/issues/214 and https://bugs.debian.org/968145 (Exim: no TLS1.2 DHE ciphers from openssl client).

I first asked on the gnutls-help list, where Daiki Ueno responded with

~~~
That was also my expectation, though I suspect that it's saying that it only works when the client advertises the "supported_groups" extension according to the RFC, which is not sent with the above command.

In the OpenSSL git master, s_client provides the -groups option for that, and you will be able to connect to the server with:

$ openssl s_client -connect localhost:5556 -tls1_3 -groups ffdhe2048

though the option doesn't seem to work with -tls1_2
~~~

I think this qualifies as a bug: the documentation does not clearly describe the actual behavior. While it could be fixed by updating the docs, I would prefer to fix the behavior instead, since third-party software (exim) has been coded to match the docs.

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1077

From gnutls-devel at lists.gnutls.org Sat Aug 29 14:40:21 2020
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sat, 29 Aug 2020 12:40:21 +0000
Subject: [gnutls-devel] GnuTLS | improve gnutls-serv EOL processing (!1314)

Albrecht Dreß created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1314

Branches: albrechtd/gnutls:master to gnutls/gnutls:master
Author: Albrecht Dreß

Add a description of the new feature/bug fix. Reference any relevant bugs.
Fixes: #1073

## Checklist
* [x] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [x] Code modified for feature
* [ ] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
* [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:
* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1314

From gnutls-devel at lists.gnutls.org Sat Aug 29 17:44:19 2020
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sat, 29 Aug 2020 15:44:19 +0000
Subject: [gnutls-devel] GnuTLS | DH RFC7919 negotiation not enabled automatically (#1077)

Daiki Ueno commented:

I'd say this is purely a documentation issue, given:

- `gnutls_certificate_set_known_dh_params` is deprecated as well
- there is no way for the server to determine which FFDHE params they should use without an external hint (either by `gnutls_certificate_set_known_dh_params` or the "supported_groups" extension sent by the client)

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1077#note_404195888
From gnutls-devel at lists.gnutls.org Sat Aug 29 17:46:09 2020
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sat, 29 Aug 2020 15:46:09 +0000
Subject: [gnutls-devel] GnuTLS | improve gnutls-serv EOL processing (!1314)

Merge Request !1314 was approved by Daiki Ueno

Merge Request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1314
Branches: albrechtd/gnutls:master to gnutls/gnutls:master
Author: Albrecht Dreß

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1314

From gnutls-devel at lists.gnutls.org Sat Aug 29 17:49:33 2020
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sat, 29 Aug 2020 15:49:33 +0000
Subject: [gnutls-devel] GnuTLS | improve gnutls-serv EOL processing (!1314)

Daiki Ueno commented:

Thank you for taking the time to file an MR. It looks good to me. The CI failures are due to timeout; could you retrigger it after prolonging the limit from: "Settings" → "CI/CD" → "General pipelines" → "Timeout"?

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1314#note_404196293
From gnutls-devel at lists.gnutls.org Sat Aug 29 18:01:41 2020
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sat, 29 Aug 2020 16:01:41 +0000
Subject: [gnutls-devel] GnuTLS | DH RFC7919 negotiation not enabled automatically (#1077)

Andreas Metzler commented:

On 2020-08-29 Daiki Ueno @dueno commented:

> I'd say this is purely a documentation issue, given:
> - `gnutls_certificate_set_known_dh_params` is deprecated as well
> - there is no way for the server to determine which FFDHE params they should use without hint from external (either by `gnutls_certificate_set_known_dh_params` or the "supported_groups" extension sent by the client)

Hello,

do you think it is preferable to not offer TLS1.2 DHE cipher suites than doing something equal to gnutls_certificate_set_known_dh_params() by default? If so, why? Could you perhaps try to explain this a little bit? - TIA

(The reasons given above afaict do not answer this question but sidestep it.)

cu Andreas

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1077#note_404197315
From gnutls-devel at lists.gnutls.org Sat Aug 29 18:56:49 2020
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sat, 29 Aug 2020 16:56:49 +0000
Subject: [gnutls-devel] GnuTLS | improve gnutls-serv EOL processing (!1314)

Airtower started a new discussion on src/serv.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1314#note_404202013

> *response = peer_print_data(session, response_length);
> } else {
> int ret;
> - strip(request);
> + if (strip_crlf != 0)
> + strip(request);
> fprintf(stderr, "received cmd: %s\n", request);

Not calling `strip()` will effectively add a newline here, same in https://gitlab.com/gnutls/gnutls/-/blob/ae13377fb15c21705041f6e41cf8a5b9e449edbb/src/common.c#L977-978, possibly elsewhere. Not sure if that's going to be a problem.

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1314#note_404202013

From gnutls-devel at lists.gnutls.org Sat Aug 29 19:21:23 2020
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sat, 29 Aug 2020 17:21:23 +0000
Subject: [gnutls-devel] GnuTLS | improve gnutls-serv EOL processing (!1314)

Albrecht Dreß commented on a discussion on src/serv.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1314#note_404203938

> *response = peer_print_data(session, response_length);
> } else {
> int ret;
> - strip(request);
> + if (strip_crlf != 0)
> + strip(request);
> fprintf(stderr, "received cmd: %s\n", request);

@airtower-luna noted:

> Not calling strip() will effectively add a newline here

I don't think so? `strip(request)` replaces the first occurrence of the sequence `\r\n\0` in `request` by `\n\0\0`.
When running in echo mode, this breaks peers which expect the transmitted message to be bounced back *without* modification.

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1314#note_404203938

From gnutls-devel at lists.gnutls.org Sat Aug 29 19:47:50 2020
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sat, 29 Aug 2020 17:47:50 +0000
Subject: [gnutls-devel] GnuTLS | DH RFC7919 negotiation not enabled automatically (#1077)

Daiki Ueno commented on a discussion: https://gitlab.com/gnutls/gnutls/-/issues/1077#note_404205950

> do you think it is preferable to not offer TLS1.2 DHE ciphers suites than doing something equal to gnutls_certificate_set_known_dh_params() by default?

No. I'm only saying that, if neither `gnutls_certificate_set_known_dh_params` nor `gnutls_certificate_set_known_dh_params` is called, the server can only accept DHE in the RFC7919 way, which requires the client to advertise "supported_groups". If the server wants to support clients that don't send "supported_groups" in TLS 1.2, the server still needs to call `gnutls_certificate_set_known_dh_params`, whose documentation should be updated accordingly, I think.

But yes, I'm not the one who designed this deprecation, so the actual intention might be to make this fully automatic. I don't know. Perhaps @dkg might have an opinion on that.

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1077#note_404205950
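The distinction Daiki Ueno draws above (DHE only via the RFC 7919 path unless the server is given parameters explicitly) comes down to whether the ClientHello carries an FFDHE code point in its "supported_groups" extension. The following C program is an added example, not GnuTLS code: it bounds-checks its way through a TLS 1.2 ClientHello and counts RFC 7919 groups, and a builder constructs sample hellos, including an ECDHE-only list that models the situation the thread describes for the `openssl s_client -tls1_2` command. The cipher-suite and named-group code points are the IANA TLS registry values; everything else is constructed.

```c
#include <stdint.h>
#include <string.h>

#define EXT_SUPPORTED_GROUPS 10
#define FFDHE2048 0x0100   /* RFC 7919 code points run 0x0100 (ffdhe2048) .. 0x0104 (ffdhe8192) */
#define FFDHE8192 0x0104

static uint16_t be16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }

/* Number of FFDHE groups a ClientHello advertises in supported_groups:
 * 0 if none (or no extensions at all), -1 if the message is malformed.
 * Every length is checked against the remaining bytes before it is used. */
int count_ffdhe_groups(const uint8_t *msg, size_t len)
{
	size_t off, n, ext_total;
	int found = 0;

	if (len < 4 || msg[0] != 0x01)                      /* HandshakeType client_hello */
		return -1;
	n = (size_t)msg[1] << 16 | (size_t)msg[2] << 8 | msg[3];
	if (n + 4 != len)
		return -1;
	off = 4 + 2 + 32;                                   /* legacy_version, random */
	if (len < off + 1) return -1;
	n = msg[off++];                                     /* legacy_session_id */
	if (len - off < n + 2) return -1;
	off += n;
	n = be16(msg + off); off += 2;                      /* cipher_suites */
	if (len - off < n + 1) return -1;
	off += n;
	n = msg[off++];                                     /* legacy_compression_methods */
	if (len - off < n) return -1;
	off += n;
	if (len == off)
		return 0;                                   /* no extensions block */
	if (len - off < 2) return -1;
	ext_total = be16(msg + off); off += 2;
	if (len - off != ext_total) return -1;

	while (ext_total >= 4) {
		uint16_t type = be16(msg + off), elen = be16(msg + off + 2);
		off += 4; ext_total -= 4;
		if (elen > ext_total) return -1;
		if (type == EXT_SUPPORTED_GROUPS) {
			size_t i, list;
			if (elen < 2) return -1;
			list = be16(msg + off);
			if (list + 2 != elen || list % 2 != 0) return -1;
			for (i = 0; i < list; i += 2) {
				uint16_t g = be16(msg + off + 2 + i);
				if (g >= FFDHE2048 && g <= FFDHE8192)
					found++;
			}
		}
		off += elen; ext_total -= elen;
	}
	return ext_total == 0 ? found : -1;
}

/* Constructed sample: a TLS 1.2 ClientHello offering one DHE suite and the given
 * named groups (ngroups == 0 omits the extensions block). Returns the length. */
size_t build_client_hello(uint8_t *out, const uint16_t *groups, size_t ngroups)
{
	size_t off = 4, i, n, ext_len = ngroups ? 4 + 2 + 2 * ngroups : 0;

	out[0] = 0x01;
	out[off++] = 0x03; out[off++] = 0x03;               /* legacy_version TLS 1.2 */
	memset(out + off, 0x42, 32); off += 32;             /* fixed, constructed "random" */
	out[off++] = 0;                                     /* empty session id */
	out[off++] = 0; out[off++] = 2;                     /* one cipher suite: */
	out[off++] = 0x00; out[off++] = 0x9f;               /* TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 */
	out[off++] = 1; out[off++] = 0;                     /* compression: null */
	if (ngroups) {
		out[off++] = (uint8_t)(ext_len >> 8); out[off++] = (uint8_t)ext_len;
		out[off++] = 0; out[off++] = EXT_SUPPORTED_GROUPS;
		out[off++] = 0; out[off++] = (uint8_t)(2 + 2 * ngroups);
		out[off++] = 0; out[off++] = (uint8_t)(2 * ngroups);
		for (i = 0; i < ngroups; i++) {
			out[off++] = (uint8_t)(groups[i] >> 8);
			out[off++] = (uint8_t)groups[i];
		}
	}
	n = off - 4;
	out[1] = (uint8_t)(n >> 16); out[2] = (uint8_t)(n >> 8); out[3] = (uint8_t)n;
	return off;
}

/* Build a hello, optionally drop trailing bytes (a truncated capture), then inspect it. */
static int demo(const uint16_t *groups, size_t ngroups, size_t drop)
{
	uint8_t buf[128];
	size_t n = build_client_hello(buf, groups, ngroups);
	return count_ffdhe_groups(buf, n - drop);
}

/* x25519 + ffdhe2048: the only case where a server on the RFC 7919 path can do DHE (1);
 * x25519 + secp256r1 only (0); no extensions at all (0, not an error);
 * a truncated message, rejected by the length checks instead of over-read (-1). */
int demo_ffdhe(void)      { const uint16_t g[] = { 0x001d, FFDHE2048 }; return demo(g, 2, 0); }
int demo_ecdhe_only(void) { const uint16_t g[] = { 0x001d, 0x0017 };    return demo(g, 2, 0); }
int demo_no_ext(void)     { return demo(NULL, 0, 0); }
int demo_truncated(void)  { const uint16_t g[] = { FFDHE2048 };         return demo(g, 1, 3); }
```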
From gnutls-devel at lists.gnutls.org Sat Aug 29 20:32:38 2020
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sat, 29 Aug 2020 18:32:38 +0000
Subject: [gnutls-devel] GnuTLS | improve gnutls-serv EOL processing (!1314)

Airtower commented on a discussion on src/serv.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1314#note_404209653

> *response = peer_print_data(session, response_length);
> } else {
> int ret;
> - strip(request);
> + if (strip_crlf != 0)
> + strip(request);
> fprintf(stderr, "received cmd: %s\n", request);

You're right, sorry. I took only a brief glance at the `strip()` function and assumed it'd completely remove the newline as most functions named like that do.

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1314#note_404209653

From gnutls-devel at lists.gnutls.org Sat Aug 29 20:32:37 2020
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sat, 29 Aug 2020 18:32:37 +0000
Subject: [gnutls-devel] GnuTLS | improve gnutls-serv EOL processing (!1314)

All discussions on Merge Request !1314 were resolved by Airtower

https://gitlab.com/gnutls/gnutls/-/merge_requests/1314

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1314
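Review bot: with `strip_crlf` set to 0, the diagnostic `fprintf(stderr, "received cmd: %s\n", request);` that follows the new condition now prints the request with its `\r` still attached (the discussion establishes that `strip()` only turns the `\r\n\0` sequence into `\n\0\0`), so a stray carriage return lands in the stderr log line in the mode this hunk introduces. Consider keeping the on-the-wire `request` untouched for the echo path but logging a stripped copy, or bounding the format with `%.*s` to the bytes before the line terminator, so the diagnostic output does not depend on the echo-mode setting.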
From gnutls-devel at lists.gnutls.org Sat Aug 29 20:45:42 2020
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sat, 29 Aug 2020 18:45:42 +0000
Subject: [gnutls-devel] GnuTLS | Update .gitlab-ci.yml (!1315)

Alberto Sanchez created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1315

Branches: alberto.sanchez2/gnutls:patch-1 to gnutls/gnutls:master
Author: Alberto Sanchez

Add a description of the new feature/bug fix. Reference any relevant bugs.

## Checklist
* [ ] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [ ] Code modified for feature
* [ ] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
* [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:
* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1315
From gnutls-devel at lists.gnutls.org Sat Aug 29 22:01:22 2020
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sat, 29 Aug 2020 20:01:22 +0000
Subject: [gnutls-devel] GnuTLS | improve gnutls-serv EOL processing (!1314)

Merge Request !1314 was merged

Merge Request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1314
Branches: albrechtd/gnutls:master to gnutls/gnutls:master
Author: Albrecht Dreß

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1314

From gnutls-devel at lists.gnutls.org Sat Aug 29 22:01:22 2020
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sat, 29 Aug 2020 20:01:22 +0000
Subject: [gnutls-devel] GnuTLS | gnutls-serv: Echo mode and line endings (#1073)

Issue was closed by Daiki Ueno via merge request !1314 (https://gitlab.com/gnutls/gnutls/-/merge_requests/1314)

Issue #1073: https://gitlab.com/gnutls/gnutls/-/issues/1073

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1073
From gnutls-devel at lists.gnutls.org Sun Aug 30 00:20:19 2020
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sat, 29 Aug 2020 22:20:19 +0000
Subject: [gnutls-devel] GnuTLS | apparent bug in _gnutls_x509_der_encode with fix/workaround that shouldn't work (#1078)

CurtisVillamizar created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1078

## Description of problem:

Attached is a fix/workaround to _gnutls_x509_der_encode (in lib/x509/common.c) that should not work but does. The change provides a buffer to asn1_der_coding rather than zero when only the size is needed. The suspected reason this works is that, without the buffer, asn1_der_coding is doing some in-place modification affecting later calls. That reason is not proven. A test case (C++ program) to reproduce the problem and shell output giving limited debug output is (or will be shortly) provided. A prior version of gnutls worked.

## Version of gnutls used:
3.6.14 (on FreeBSD 12.1-STABLE #0 r363326M)

## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)
FreeBSD ports collection (revision 542586) compiled with FreeBSD clang version 10.0.0

## How reproducible:
100% of the time with the provided C++ program. Fix works 100% of the time in cases where it should work.

Steps to Reproduce:
* one - read instructions in first few comment lines of provided test program
* two - follow directions to compile and run testcase 0 to 5 (only 1 and 5 *should not* produce core dump)
* three - apply patch to gnutls and relink - testcase 1 and 5 now produce success

## Actual results:
Testcase 0-5 produce core dump without patch to gnutls. Testcase 1 and 5 succeed with patch.

## Expected results:
Testcase 1 and 5 should succeed. Other testcases exist to provide information and are OK to core dump. But it would be nice (tm) if a few didn't fail.
[patch-common.c](/uploads/bda48bf8693ed2ae1655a4306d0349a2/patch-common.c)

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1078

From gnutls-devel at lists.gnutls.org Sun Aug 30 00:23:59 2020
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sat, 29 Aug 2020 22:23:59 +0000
Subject: [gnutls-devel] GnuTLS | apparent bug in _gnutls_x509_der_encode with fix/workaround that shouldn't work (#1078)

CurtisVillamizar commented:

[testcase.cc](/uploads/e32e4e66dd20143ff31c41891cdf8c4c/testcase.cc)

This is the test case C++ file. Instructions are in the comments at the top.

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1078#note_404226145

From gnutls-devel at lists.gnutls.org Sun Aug 30 00:26:00 2020
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sat, 29 Aug 2020 22:26:00 +0000
Subject: [gnutls-devel] GnuTLS | apparent bug in _gnutls_x509_der_encode with fix/workaround that shouldn't work (#1078)

CurtisVillamizar commented:

[trace-1-gnutls-orig](/uploads/efc004cb577a8435e3f44eb4e79d12bf/trace-1-gnutls-orig)

This is the shell output of the testcase results without the patch (gnutls 3.6.14 as distributed).

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1078#note_404226227
From gnutls-devel at lists.gnutls.org Sun Aug 30 00:30:50 2020
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sat, 29 Aug 2020 22:30:50 +0000
Subject: [gnutls-devel] GnuTLS | apparent bug in _gnutls_x509_der_encode with fix/workaround that shouldn't work (#1078)

CurtisVillamizar commented:

[trace-1-gnutls-fix](/uploads/b44f5cfa2fb195f314a9562e85325b78/trace-1-gnutls-fix)

This is the shell output of the testcase results with the patch to gnutls 3.6.14 applied. Note that testcase 1 and testcase 5 succeed as expected, where they fail without the patch.

Obviously this is not enough to debug anything, so compile the C++ test program, look at the core dumps and perform whatever magic is needed. The patch is intended only to further isolate the problem. Though the patch to gnutls is an effective workaround, the underlying problem may be biting elsewhere. Your call.

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1078#note_404226454

From gnutls-devel at lists.gnutls.org Sun Aug 30 08:46:58 2020
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sun, 30 Aug 2020 06:46:58 +0000
Subject: [gnutls-devel] GnuTLS | Update .gitlab-ci.yml (!1315)

Daiki Ueno commented:

@alberto.sanchez2 this might be an accidental MR? It only contains an empty commit.

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1315#note_404248767
From gnutls-devel at lists.gnutls.org Sun Aug 30 08:57:33 2020
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sun, 30 Aug 2020 06:57:33 +0000
Subject: [gnutls-devel] GnuTLS | apparent bug in _gnutls_x509_der_encode with fix/workaround that shouldn't work (#1078)

Daiki Ueno commented:

Thank you for taking the time to create a test case; much appreciated! In my environment (Fedora 32, with gnutls 3.6.14), however, both 1 and 5 succeed without the patch. I'll try on FreeBSD later.

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1078#note_404249477

From gnutls-devel at lists.gnutls.org Sun Aug 30 14:42:42 2020
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sun, 30 Aug 2020 12:42:42 +0000
Subject: [gnutls-devel] GnuTLS | Fix padlock partial PHE detection and sizeof usage (!1316)

Daiki Ueno created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1316

Branches: tmp-sizeof to master
Author: Daiki Ueno

Fixes #1076.
## Checklist
* [x] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [ ] Code modified for feature
* [ ] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
* [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:
* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1316

From gnutls-devel at lists.gnutls.org Sun Aug 30 14:59:45 2020
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sun, 30 Aug 2020 12:59:45 +0000
Subject: [gnutls-devel] GnuTLS | What is the difference between SHA512 (partial) accelerator and Original padlock PHE？ (#1075)

Daiki Ueno commented on a discussion: https://gitlab.com/gnutls/gnutls/-/issues/1075#note_404278439

@zzjianhui I'm not sure what your actual problem is, but if performance is your concern, it turned out that `check_phe_partial` is buggy and cannot detect partial PHE correctly (see #1076). The patch in !1316 may fix the issue.

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1075#note_404278439
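Both the sizeof() analysis in #1076 above and this comment turn on one convention: the block routine behind `SHA1_COMPRESS` counts 64-byte blocks, not bytes, and a detection routine such as `check_phe_partial` must hand it the right unit and compare against a known digest. The following C code is an added, software-only illustration of that contract, not GnuTLS or padlock code: `sha1_blocks()` stands in for the inferred `padlock_sha1_blocks()` interface, `sha1_compress()` follows the one-block nettle `sha1_compress` signature quoted in the thread, and the known-answer test uses the FIPS 180 vectors for one-block and two-block messages.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SHA1_BLOCK_SIZE 64

static uint32_t rol32(uint32_t x, int n) { return (x << n) | (x >> (32 - n)); }

/* One compression: consumes exactly one 64-byte block (nettle's sha1_compress contract). */
static void sha1_compress(uint32_t state[5], const uint8_t *block)
{
	uint32_t w[80], a, b, c, d, e;
	int i;

	for (i = 0; i < 16; i++)
		w[i] = (uint32_t)block[4 * i] << 24 | (uint32_t)block[4 * i + 1] << 16 |
		       (uint32_t)block[4 * i + 2] << 8 | block[4 * i + 3];
	for (i = 16; i < 80; i++)
		w[i] = rol32(w[i - 3] ^ w[i - 8] ^ w[i - 14] ^ w[i - 16], 1);

	a = state[0]; b = state[1]; c = state[2]; d = state[3]; e = state[4];
	for (i = 0; i < 80; i++) {
		uint32_t f, k, t;
		if (i < 20)      { f = (b & c) | (~b & d);          k = 0x5A827999; }
		else if (i < 40) { f = b ^ c ^ d;                   k = 0x6ED9EBA1; }
		else if (i < 60) { f = (b & c) | (b & d) | (c & d); k = 0x8F1BBCDC; }
		else             { f = b ^ c ^ d;                   k = 0xCA62C1D6; }
		t = rol32(a, 5) + f + e + k + w[i];
		e = d; d = c; c = rol32(b, 30); b = a; a = t;
	}
	state[0] += a; state[1] += b; state[2] += c; state[3] += d; state[4] += e;
}

/* Block-oriented entry point modelled on the inferred padlock_sha1_blocks() contract:
 * nblocks counts 64-byte blocks. Passing a byte count (64 for one block) would walk
 * 63 blocks past the buffer, which is the unit confusion the thread is about. */
void sha1_blocks(uint32_t state[5], const uint8_t *data, size_t nblocks)
{
	while (nblocks-- > 0) {
		sha1_compress(state, data);
		data += SHA1_BLOCK_SIZE;
	}
}

/* Blocks occupied by a len-byte message after padding (0x80, zeros, 64-bit bit length). */
size_t sha1_padded_blocks(size_t len)
{
	return (len + 8) / SHA1_BLOCK_SIZE + 1;
}

/* Pads msg into out; returns the block count, or 0 if out is too small. */
size_t sha1_pad(const uint8_t *msg, size_t len, uint8_t *out, size_t out_cap)
{
	size_t nblocks = sha1_padded_blocks(len), padded = nblocks * SHA1_BLOCK_SIZE;
	uint64_t bits = (uint64_t)len * 8;
	int i;

	if (padded > out_cap)
		return 0;
	memcpy(out, msg, len);
	out[len] = 0x80;
	memset(out + len + 1, 0, padded - len - 1);
	for (i = 0; i < 8; i++)
		out[padded - 1 - i] = (uint8_t)(bits >> (8 * i));
	return nblocks;
}

/* One-shot digest through the block API; writes 40 hex digits plus NUL into hex. */
int sha1_hex(const uint8_t *msg, size_t len, char hex[41])
{
	uint32_t state[5] = { 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0 };
	uint8_t buf[2 * SHA1_BLOCK_SIZE];
	size_t nblocks = sha1_pad(msg, len, buf, sizeof buf);
	int i;

	if (nblocks == 0)
		return -1;
	sha1_blocks(state, buf, nblocks);   /* block count, never byte count */
	for (i = 0; i < 5; i++)
		snprintf(hex + 8 * i, 9, "%08lx", (unsigned long)state[i]);
	return 0;
}

/* Known-answer test with a one-block and a two-block FIPS 180 vector, the check a
 * detection routine like check_phe_partial() has to get right. Returns 1 on match. */
int sha1_known_answer_test(void)
{
	static const struct { const char *msg, *digest; } kat[] = {
		{ "abc", "a9993e364706816aba3e25717850c26c9cd0d89d" },
		{ "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq",
		  "84983e441c3bd26ebaae4aa1f95129e5e54670f1" },
	};
	char hex[41];
	size_t i;

	for (i = 0; i < sizeof kat / sizeof kat[0]; i++)
		if (sha1_hex((const uint8_t *)kat[i].msg, strlen(kat[i].msg), hex) != 0 ||
		    strcmp(hex, kat[i].digest) != 0)
			return 0;
	return 1;
}
```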
From gnutls-devel at lists.gnutls.org Sun Aug 30 23:02:55 2020
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sun, 30 Aug 2020 21:02:55 +0000
Subject: [gnutls-devel] GnuTLS | GnuTLS connection get slow and fragmented (#1072)

An0nl!br3 commented:

I see, so we can't know why openssl or nss are working and make the improvement to gnutls? Daiki Ueno:

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1072#note_404326743

From gnutls-devel at lists.gnutls.org Mon Aug 31 08:17:36 2020
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Mon, 31 Aug 2020 06:17:36 +0000
Subject: [gnutls-devel] GnuTLS | Backport bug fixes from master to gnutls_3_6_x (!1317)

Daiki Ueno created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1317

Branches: tmp-backport-3.6 to gnutls_3_6_x
Author: Daiki Ueno

This backports the following MRs: !1309, !1308, !1312, !1311, !1307, !1306, !1305, !1304, !1268, !1300, !1301, !1299, !1296, !1291, !1298, !1294, !1297, !1295, !1289, !1285, !1292, !1287, !1251, !1288, !1284, !1286, !1276, !1274, !1273

## Checklist
* [x] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [ ] Code modified for feature
* [ ] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
* [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:
* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably
covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1317

From gnutls-devel at lists.gnutls.org Mon Aug 31 12:39:15 2020
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Mon, 31 Aug 2020 10:39:15 +0000
Subject: [gnutls-devel] GnuTLS | Backport bug fixes from master to gnutls_3_6_x (!1317)

Alexander Sosedkin commented:

Went through the list, my thoughts:

FIPS DH changes warrant a changelog entry, but are limited to FIPS-aware scenarios, and are a future compliance issue, so it's OK to backport them.

Out of the rest, the following has caught my attention:

`5ec267d2 p12: do not encrypt encrypt certificate bag with empty password`
`47714178 certtool: do not ask for private key password if it was provided`
change the certtool behaviour while not bringing new possibilities to the table.
Not sure what's the expected stability of certtool's interface though, maybe it's fine.

`b4bfe1a8 pubkey: avoid spurious audit messages from _gnutls_pubkey_compatible_with_sig()`
is unlikely to break someone's setup, but still might be worth mentioning in the changelog.

`022d36a8 cert-session: fail hard if mandatory stapling is not honored`
`9b2732d4 serv, cli: ensure that invalid flag is always set`
are definitely worth documenting.

`29c3e00b gnutls_x509_crt_export2: return 0 instead of the length`
should be documented.

`dea420fa cert-session: check OCSP error responses`
I don't like this one, guess I don't understand OCSP.
Does this make OCSP-responder validation best-effort?

`4e2571b7 handshake: check TLS version against modified server priorities`
should be documented.

The others are unlikely to pose any issue to an updating user.

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1317#note_404560288