From gnutls-devel at lists.gnutls.org Sat Feb 1 05:13:42 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 01 Feb 2020 04:13:42 +0000
Subject: [gnutls-devel] GnuTLS | certtool --to-p12 seems to alway require a password (#888)
In-Reply-To:
References:
Message-ID:

GnuTLS bot commented:

@dkg This issue is unlabelled after 30 days. It needs attention.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/888#note_280440681
You're receiving this email because of your account on gitlab.com.

From gnutls-devel at lists.gnutls.org Sat Feb 1 05:13:42 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 01 Feb 2020 04:13:42 +0000
Subject: [gnutls-devel] GnuTLS | gnutls serv / gnutls_certificate_set_x509_key_file do not check certificate against policy (#881)
In-Reply-To:
References:
Message-ID:

GnuTLS bot commented:

@xnox This issue is unlabelled after 30 days. It needs attention.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/881#note_280440691

From gnutls-devel at lists.gnutls.org Sat Feb 1 05:13:42 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 01 Feb 2020 04:13:42 +0000
Subject: [gnutls-devel] GnuTLS | OCSP stapling transmission observability (#883)
In-Reply-To:
References:
Message-ID:

GnuTLS bot commented:

@j29280 This issue is unlabelled after 30 days. It needs attention.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/883#note_280440685

From gnutls-devel at lists.gnutls.org Sat Feb 1 05:13:41 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 01 Feb 2020 04:13:41 +0000
Subject: [gnutls-devel] GnuTLS | Issues require labels (#925)
References:
Message-ID:

GnuTLS bot created an issue: https://gitlab.com/gnutls/gnutls/issues/925

The following issues require labels:

- [ ] [Speed up or avoid bootstrap in CI runners](https://gitlab.com/gnutls/gnutls/issues/891)
- [ ] [certtool --to-p12 seems to alway require a password](https://gitlab.com/gnutls/gnutls/issues/888)
- [ ] [OCSP stapling transmission observability](https://gitlab.com/gnutls/gnutls/issues/883)
- [ ] [gnutls serv / gnutls_certificate_set_x509_key_file do not check certificate against policy](https://gitlab.com/gnutls/gnutls/issues/881)

Please take care of them.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/925

From gnutls-devel at lists.gnutls.org Sat Feb 1 05:13:41 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 01 Feb 2020 04:13:41 +0000
Subject: [gnutls-devel] GnuTLS | Speed up or avoid bootstrap in CI runners (#891)
In-Reply-To:
References:
Message-ID:

GnuTLS bot commented:

@rockdaboot This issue is unlabelled after 30 days. It needs attention.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/891#note_280440670

From gnutls-devel at lists.gnutls.org Sat Feb 1 10:02:35 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 01 Feb 2020 09:02:35 +0000
Subject: [gnutls-devel] GnuTLS | WIP: Support for GOST-CTR ciphersuites from draft-smyshlyaec-tls12-gost-suites (!1144)
In-Reply-To:
References:
Message-ID:

Dmitry Baryshkov pushed new commits to merge request !1144
https://gitlab.com/gnutls/gnutls/-/merge_requests/1144

* f84d9a1a...2015e89f - 6 commits from branch `master`
* a0c5f88d - nettle/gost: export gost28147_decrypt_simple for magma cipher
* 18196ed1 - nettle/gost: add Magma code
* cdaac4cb - nettle/gost: add Kuznyechik code
* 8b3a635e - nettle/gost: add CMAC-64/Magma/Kuznyechik code
* 011f0f02 - nettle/gost: add ACPKM rekeying code
* 8283bbee - lib: add Magma/Kuznyechik ciphers support
* d10db616 - lib: add Magma/Kuznyechik OMAC support
* ab3a9deb - selftests: add test vectors for MAGMA/KUZNYECHIK-OMAC
* ee4f7880 - cipher/mac: enhance handlers with setkey callback
* 099a2627 - crypto-api: add _gnutls_cipher_set_key wrapper()
* dbecc053 - crypto-selftest: add test vectors for MAGMA/KUZNYECHIK-CTR-ACPKM
* 405db89d - lib: support nonce generation by addition to sequence number
* ee303e8e - nettle/int: add GOST KEXP15 key export/import support
* f3b2646d - nettle/int: add GOST KDF support
* abbd81d3 - lib: gost KEG key export generation support
* 86ef6478 - auth: add VKO_KDF_GOST support
* c51509ca - nettle/int: add TLSTREE implementation
* 5113471e - lib: support TLSTREE rekeying
* ea913f29 - handshake: use proper data length for Finished messages
* 1df08fe0 - ciphersuites: add new GOST CTR_ACPKM_OMAC ciphersuites
* a5144447 - priority: extend GOST keywords to contain MAGMA/KUZNYECHIK
* d7b21e02 - cli: benchmark MAGMA/KUZNYECHIK

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1144

From gnutls-devel at lists.gnutls.org Sat Feb 1 10:02:37 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 01 Feb 2020 09:02:37 +0000
Subject: [gnutls-devel] GnuTLS | MAGMA/KUZNYECHIK CTR-ACPKM and CMAC support (!1161)
In-Reply-To:
References:
Message-ID:

Dmitry Baryshkov pushed new commits to merge request !1161
https://gitlab.com/gnutls/gnutls/-/merge_requests/1161

* f84d9a1a...2015e89f - 6 commits from branch `master`
* a0c5f88d - nettle/gost: export gost28147_decrypt_simple for magma cipher
* 18196ed1 - nettle/gost: add Magma code
* cdaac4cb - nettle/gost: add Kuznyechik code
* 8b3a635e - nettle/gost: add CMAC-64/Magma/Kuznyechik code
* 011f0f02 - nettle/gost: add ACPKM rekeying code
* 8283bbee - lib: add Magma/Kuznyechik ciphers support
* d10db616 - lib: add Magma/Kuznyechik OMAC support
* ab3a9deb - selftests: add test vectors for MAGMA/KUZNYECHIK-OMAC
* ee4f7880 - cipher/mac: enhance handlers with setkey callback
* 099a2627 - crypto-api: add _gnutls_cipher_set_key wrapper()
* dbecc053 - crypto-selftest: add test vectors for MAGMA/KUZNYECHIK-CTR-ACPKM

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1161

From gnutls-devel at lists.gnutls.org Sat Feb 1 10:38:29 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 01 Feb 2020 09:38:29 +0000
Subject: [gnutls-devel] GnuTLS | WIP: Support for GOST-CTR ciphersuites from draft-smyshlyaec-tls12-gost-suites (!1144)
In-Reply-To:
References:
Message-ID:

Tim Rühsen commented:

This pull request **introduces 1 alert** when merging d7b21e02538d7e93a78e6e633d30f1537bf11d3e into 2015e89f6c36732cb468f479a94b5993dfe818aa - [view on LGTM.com](https://lgtm.com/projects/gl/gnutls/gnutls/rev/pr-d742c852f2cc2370eaf2f5e5259bff1c325fee10)

**new alerts:**

* 1 for FIXME comment

---

*Comment posted by [LGTM.com](https://lgtm.com)*

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1144#note_280559714

From gnutls-devel at lists.gnutls.org Sat Feb 1 22:47:34 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 01 Feb 2020 21:47:34 +0000
Subject: [gnutls-devel] GnuTLS | No default verification profile (#895)
In-Reply-To:
References:
Message-ID:

Milestone changed to Release of GnuTLS 3.7.0 ( https://gitlab.com/gnutls/gnutls/-/milestones/20 )

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/895

From gnutls-devel at lists.gnutls.org Sat Feb 1 23:00:34 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 01 Feb 2020 22:00:34 +0000
Subject: [gnutls-devel] GnuTLS | optional: provide support for x448 (#86)
In-Reply-To:
References:
Message-ID:

Milestone changed to Release of GnuTLS 3.6.12 (Dec 1, 2019–Feb 1, 2020) ( https://gitlab.com/gnutls/gnutls/-/milestones/26 )

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/86

From gnutls-devel at lists.gnutls.org Sat Feb 1 23:00:47 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 01 Feb 2020 22:00:47 +0000
Subject: [gnutls-devel] GnuTLS | optional: provide support for x448 (#86)
In-Reply-To:
References:
Message-ID:

Nikos Mavrogiannopoulos commented:

Closed with 3.6.12.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/86#note_280801176

From gnutls-devel at lists.gnutls.org Sat Feb 1 23:00:47 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 01 Feb 2020 22:00:47 +0000
Subject: [gnutls-devel] GnuTLS | optional: provide support for x448 (#86)
In-Reply-To:
References:
Message-ID:

Issue was closed by Nikos Mavrogiannopoulos

Issue #86: https://gitlab.com/gnutls/gnutls/issues/86

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/86

From gnutls-devel at lists.gnutls.org Sat Feb 1 23:36:18 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 01 Feb 2020 23:36:18 +0100
Subject: [gnutls-devel] gnutls 3.6.12
Message-ID:

Hello,

I've just released gnutls 3.6.11. This is a bug fix release on the stable 3.6.x branch.

I'd like to thank everyone who contributed in this release: Dmitry Baryshkov, Tim Rühsen, Daiki Ueno, Dimitri John Ledkov, Andreas Metzler, Bjoern Jacke, Edward Stangler, Fiona Klute, Lili Quan, Ludovic Courtès, and Vitezslav Cizek.

The detailed list of changes follows; they can be seen in more detail in our milestone tracker:
https://gitlab.com/gnutls/gnutls/-/milestones/26

Changes
=======

* Version 3.6.12 (released 2020-02-01)

** libgnutls: Introduced TLS session flag (gnutls_session_get_flags()) to identify sessions that client request OCSP status request (#829).

** libgnutls: Added support for X448 key exchange (RFC 7748) and Ed448 signature algorithm (RFC 8032) under TLS (#86).

** libgnutls: Added the default-priority-string option to system configuration; it allows overriding the compiled-in default-priority-string.

** libgnutls: Added support for GOST CNT_IMIT ciphersuite (as defined by draft-smyshlyaev-tls12-gost-suites-07). By default this ciphersuite is disabled. It can be enabled by adding +GOST to priority string. In the future this priority string may enable other GOST ciphersuites as well. Note, that server will fail to negotiate GOST ciphersuites if TLS 1.3 is enabled both on a server and a client. It is recommended for now to disable TLS 1.3 in setups where GOST ciphersuites are enabled on GnuTLS-based servers.

** libgnutls: added priority shortcuts for different GOST categories like CIPHER-GOST-ALL, MAC-GOST-ALL, KX-GOST-ALL, SIGN-GOST-ALL, GROUP-GOST-ALL.

** libgnutls: Reject certificates with invalid time fields. That is we reject certificates with invalid characters in Time fields, or invalid time formatting. To continue accepting the invalid form compile with --disable-strict-der-time (#207, #870).

** libgnutls: Reject certificates which contain duplicate extensions. We were previously printing warnings when printing such a certificate, but that is not always sufficient to flag such certificates as invalid. Instead we now refuse to import them (#887).

** libgnutls: If a CA is found in the trusted list, check in addition to time validity, whether the algorithms comply to the expected level prior to accepting it. This addresses the problem of accepting CAs which would have been marked as insecure otherwise (#877).

** libgnutls: The min-verification-profile from system configuration applies for all certificate verifications, not only under TLS. The configuration can be overridden using the GNUTLS_SYSTEM_PRIORITY_FILE environment variable.

** libgnutls: The stapled OCSP certificate verification adheres to the convention used throughout the library of setting the 'GNUTLS_CERT_INVALID' flag.

** libgnutls: On client side only send OCSP staples if they have been requested by the server, and on server side always advertise that we support OCSP stapling (#876).

** libgnutls: Introduced the gnutls_ocsp_req_const_t which is compatible with gnutls_ocsp_req_t but const.

** certtool: Added the --verify-profile option to set a certificate verification profile. Use '--verify-profile low' for certificate verification to apply the 'NORMAL' verification profile.

** certtool: The add_extension template option is considered even when generating a certificate from a certificate request.

** API and ABI modifications:
GNUTLS_SFLAGS_CLI_REQUESTED_OCSP: Added
GNUTLS_SFLAGS_SERV_REQUESTED_OCSP: Added
gnutls_ocsp_req_const_t: Added

Getting the Software
====================

GnuTLS may be downloaded directly from <ftp://ftp.gnutls.org/gcrypt/gnutls/>. A list of GnuTLS mirrors can be found at <http://www.gnutls.org/download.html>

Here are the XZ compressed sources:

https://www.gnupg.org/ftp/gcrypt/gnutls/v3.6/gnutls-3.6.12.tar.xz

Here are OpenPGP detached signatures signed using key 0x96865171:

https://www.gnupg.org/ftp/gcrypt/gnutls/v3.6/gnutls-3.6.12.tar.xz.sig

Note that it has been signed with my openpgp key:

pub 3104R/96865171 2008-05-04 [expires: 2028-04-29]
uid Nikos Mavrogiannopoulos gnutls.org>
uid Nikos Mavrogiannopoulos gmail.com>
sub 2048R/9013B842 2008-05-04 [expires: 2018-05-02]
sub 2048R/1404A91D 2008-05-04 [expires: 2018-05-02]

regards,
Nikos

From gnutls-devel at lists.gnutls.org Sat Feb 1 23:56:13 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 01 Feb 2020 22:56:13 +0000
Subject: [gnutls-devel] GnuTLS | gnutls serv / gnutls_certificate_set_x509_key_file do not check certificate against policy (#881)
In-Reply-To:
References:
Message-ID:

Nikos Mavrogiannopoulos commented:

Probably something similar to `is_level_acceptable()` would need to run when a certificate is loaded.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/881#note_280816151

From gnutls-devel at lists.gnutls.org Sat Feb 1 23:56:43 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 01 Feb 2020 22:56:43 +0000
Subject: [gnutls-devel] GnuTLS | certtool --to-p12 seems to alway require a password (#888)
In-Reply-To:
References:
Message-ID:

Milestone changed to Release of GnuTLS 3.6.13 (Feb 2, 2020–Apr 4, 2020) ( https://gitlab.com/gnutls/gnutls/-/milestones/27 )

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/888

From gnutls-devel at lists.gnutls.org Sat Feb 1 23:58:21 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 01 Feb 2020 22:58:21 +0000
Subject: [gnutls-devel] GnuTLS | Speed up or avoid bootstrap in CI runners (#891)
In-Reply-To:
References:
Message-ID:

Nikos Mavrogiannopoulos commented:

I think we should balance complexity with performance of build as well. I'm not sure we should strive for high performance with high complexity which can easily turn to unmanageable complexity.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/891#note_280816755

From gnutls-devel at lists.gnutls.org Sat Feb 1 23:58:55 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 01 Feb 2020 22:58:55 +0000
Subject: [gnutls-devel] GnuTLS | Issues require labels (#925)
In-Reply-To:
References:
Message-ID:

Issue was closed by Nikos Mavrogiannopoulos

Issue #925: https://gitlab.com/gnutls/gnutls/issues/925

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/925

From gnutls-devel at lists.gnutls.org Sat Feb 1 23:59:32 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 01 Feb 2020 22:59:32 +0000
Subject: [gnutls-devel] GnuTLS | New CI runner with clang ubsan+asan (!1151)
In-Reply-To:
References:
Message-ID:

Merge Request !1151 was unapproved by Nikos Mavrogiannopoulos

Merge Request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1151
Branches: tmp-clang-ubsan+asan to master
Author: Tim Rühsen
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1151

From gnutls-devel at lists.gnutls.org Sun Feb 2 00:00:35 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 01 Feb 2020 23:00:35 +0000
Subject: [gnutls-devel] GnuTLS | New CI runner with clang ubsan+asan (!1151)
In-Reply-To:
References:
Message-ID:

Nikos Mavrogiannopoulos commented:

I revoked the approval as it is not yet building. I'll re-review when it is ready.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1151#note_280817320

From gnutls-devel at lists.gnutls.org Sun Feb 2 00:02:50 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 01 Feb 2020 23:02:50 +0000
Subject: [gnutls-devel] GnuTLS | Merge CI clang UBSAN + ASAN runners (#922)
In-Reply-To:
References:
Message-ID:

Issue was closed by Nikos Mavrogiannopoulos

Issue #922: https://gitlab.com/gnutls/gnutls/issues/922

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/922

From gnutls-devel at lists.gnutls.org Sun Feb 2 00:02:50 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 01 Feb 2020 23:02:50 +0000
Subject: [gnutls-devel] GnuTLS | Merge CI clang UBSAN + ASAN runners (#922)
In-Reply-To:
References:
Message-ID:

Nikos Mavrogiannopoulos commented:

I'm closing this as the issue to my understanding is in clang.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/922#note_280817855

From gnutls-devel at lists.gnutls.org Sun Feb 2 00:03:54 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 01 Feb 2020 23:03:54 +0000
Subject: [gnutls-devel] GnuTLS | no such instruction: `xgetbv' when compiling for macOS (#914)
In-Reply-To:
References:
Message-ID:

Issue was closed by Nikos Mavrogiannopoulos

Issue #914: https://gitlab.com/gnutls/gnutls/issues/914

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/914

From gnutls-devel at lists.gnutls.org Sun Feb 2 09:18:13 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 02 Feb 2020 08:18:13 +0000
Subject: [gnutls-devel] GnuTLS | keylogfile: generalize with a callback (!1184)
References:
Message-ID:

Daiki Ueno created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1184

Branches: tmp-keylog-hook to master
Author: Daiki Ueno

This supersedes !1112 after [the discussion](https://gitlab.com/gnutls/gnutls/-/merge_requests/1112#note_267665474) about not making the mechanism QUIC specific. Instead this refactors the keylogfile mechanism by adding a callback to get notified when a new secret is derived and installed. That way, consumers can implement custom logging feature per session, which is particularly useful in QUIC implementation.

Note that the code is sufficiently covered by the existing keylogfile tests.

## Checklist

* [x] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [x] Code modified for feature
* [ ] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [x] Documentation updated / NEWS entry present (for non-trivial changes)
* [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:

* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1184

From gnutls-devel at lists.gnutls.org Sun Feb 2 09:22:28 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 02 Feb 2020 08:22:28 +0000
Subject: [gnutls-devel] GnuTLS | gnutls_session_set_secret_hook_function: new function (!1112)
In-Reply-To:
References:
Message-ID:

Merge Request !1112 was closed by Daiki Ueno

Merge Request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1112
Branches: tmp-secret-hook to tmp-draft-ietf-quic-tls-23
Author: Daiki Ueno
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1112

From gnutls-devel at lists.gnutls.org Sun Feb 2 09:22:27 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 02 Feb 2020 08:22:27 +0000
Subject: [gnutls-devel] GnuTLS | gnutls_session_set_secret_hook_function: new function (!1112)
In-Reply-To:
References:
Message-ID:

Daiki Ueno commented:

Replaced with !1184.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1112#note_280936725

From gnutls-devel at lists.gnutls.org Sun Feb 2 09:50:40 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 02 Feb 2020 08:50:40 +0000
Subject: [gnutls-devel] GnuTLS | Provide high-level KDF API (#813)
In-Reply-To:
References:
Message-ID:

Reassigned Issue 813

https://gitlab.com/gnutls/gnutls/issues/813

Assignee changed to Daiki Ueno

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/813

From gnutls-devel at lists.gnutls.org Sun Feb 2 11:22:38 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 02 Feb 2020 10:22:38 +0000
Subject: [gnutls-devel] GnuTLS | keylogfile: generalize with a callback (!1184)
In-Reply-To:
References:
Message-ID:

Daiki Ueno pushed new commits to merge request !1184
https://gitlab.com/gnutls/gnutls/-/merge_requests/1184

* ec65350a - keylogfile: generalize with a callback

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1184

From gnutls-devel at lists.gnutls.org Sun Feb 2 11:51:22 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 02 Feb 2020 10:51:22 +0000
Subject: [gnutls-devel] GnuTLS | Merge CI clang UBSAN + ASAN runners (#922)
In-Reply-To:
References:
Message-ID:

Tim Rühsen commented:

From the observations of @lumag and myself (see #920), there is something weird with `openssl s_server` that just comes out more reliable when building gnutls with clang's ASAN. So we have to figure this out anyways to have clang ASAN runner. And when we do this, we can merge UBSAN and ASAN runner into one, reducing the number of total runners.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/922#note_280965773

From gnutls-devel at lists.gnutls.org Sun Feb 2 11:51:22 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 02 Feb 2020 10:51:22 +0000
Subject: [gnutls-devel] GnuTLS | Merge CI clang UBSAN + ASAN runners (#922)
In-Reply-To:
References:
Message-ID:

Issue was reopened by Tim Rühsen

Issue 922: https://gitlab.com/gnutls/gnutls/issues/922

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/922

From gnutls-devel at lists.gnutls.org Sun Feb 2 11:54:56 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 02 Feb 2020 10:54:56 +0000
Subject: [gnutls-devel] GnuTLS | Speed up or avoid bootstrap in CI runners (#891)
In-Reply-To:
References:
Message-ID:

Tim Rühsen commented:

What exactly is the complexity here? We only have to contribute to gnulib to get this done. The second paragraph was just hint what can be done thereafter, if someone likes.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/891#note_280966444

From gnutls-devel at lists.gnutls.org Sun Feb 2 15:11:19 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 02 Feb 2020 14:11:19 +0000
Subject: [gnutls-devel] GnuTLS | keylogfile: generalize with a callback (!1184)
In-Reply-To:
References:
Message-ID:

Daiki Ueno pushed new commits to merge request !1184
https://gitlab.com/gnutls/gnutls/-/merge_requests/1184

* 2366599c - keylogfile: generalize with a callback

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1184

From gnutls-devel at lists.gnutls.org Sun Feb 2 16:50:46 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sun, 02 Feb 2020 15:50:46 +0000 Subject: [gnutls-devel] GnuTLS | session_pack: fix leak in error path (!1185) References: Message-ID: Michael Catanzaro created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1185 Project:Branches: TheRealMichaelCatanzaro/gnutls:mcatanzaro/session-pack-leak to gnutls/gnutls:master Author: Michael Catanzaro If the application calls gnutls_session_get_data2() at the wrong time, then _gnutls_session_pack() allocates the buffer sb and forgets to clear it. ## Checklist * [x] Commits have `Signed-off-by:` with name/author being identical to the commit author * [x] Code modified for feature * [ ] Test suite updated with functionality tests * [ ] Test suite updated with negative tests * [ ] Documentation updated / NEWS entry present (for non-trivial changes) * [x] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout) ## Reviewer's checklist: * [ ] Any issues marked for closing are addressed * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md` * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1185 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun Feb 2 16:54:05 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sun, 02 Feb 2020 15:54:05 +0000 Subject: [gnutls-devel] GnuTLS | session_pack: fix leak in error path (!1185) In-Reply-To: References: Message-ID: Michael Catanzaro pushed new commits to merge request !1185 https://gitlab.com/gnutls/gnutls/-/merge_requests/1185 * 05ace838 - session_pack: fix leak in error path -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1185 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun Feb 2 18:07:25 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sun, 02 Feb 2020 17:07:25 +0000 Subject: [gnutls-devel] GnuTLS | session_pack: fix leak in error path (!1185) In-Reply-To: References: Message-ID: Merge Request !1185 was approved by Daiki Ueno Merge Request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1185 Project:Branches: TheRealMichaelCatanzaro/gnutls:mcatanzaro/session-pack-leak to gnutls/gnutls:master Author: Michael Catanzaro Assignees: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1185 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun Feb 2 18:07:45 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 02 Feb 2020 17:07:45 +0000
Subject: [gnutls-devel] GnuTLS | session_pack: fix leak in error path (!1185)

Daiki Ueno commented:

Sure, good catch!

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1185#note_281037979

From gnutls-devel at lists.gnutls.org Sun Feb 2 18:21:10 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 02 Feb 2020 17:21:10 +0000
Subject: [gnutls-devel] GnuTLS | Provide high-level KDF API (#813)

Daiki Ueno commented on a discussion: https://gitlab.com/gnutls/gnutls/issues/813#note_281041008

> Seeing how this is implemented in openssl and PKCS#11, such an API can get very messy and hard to use if everything needs to be handled.

While they have a good reason (i.e. new API addition is not easy) to provide a single API function that handles all KDF variants, I'm not sure GnuTLS needs to impose such a restriction.

> Not sure if it helps, but checking what model could fit for such a demanding/extensible API, the closest I see is some function similar to gnutls_session_set_verify_cert2 with gnutls_vdata_types_t, but most likely on steroids.

I'm not a big fan of this idea, because that would move the error checking to the run time.

Given that GnuTLS (and nettle) currently only supports HKDF and PBKDF2, I propose to add 3 distinct functions for HKDF-Extract, HKDF-Expand, and PBKDF2 derivation. That way, most of the necessary parameters could be checked at compile time. Of course, it would be a problem if we support Argon2 or similar, but I don't think the number of supported KDFs will explode in the near future.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/813#note_281041008

From gnutls-devel at lists.gnutls.org Sun Feb 2 18:23:55 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 02 Feb 2020 17:23:55 +0000
Subject: [gnutls-devel] GnuTLS | crypto-api: add generic crypto functions for KDF (!1186)

Daiki Ueno created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1186

Branches: tmp-kdf-api to master
Author: Daiki Ueno

This exposes HKDF and PBKDF2 functions from the library. Instead of defining a single KDF interface as in PKCS #11, this patch defines 3 distinct functions for HKDF-Extract, HKDF-Expand, and PBKDF2 derivation, so that we can take advantage of compile time checking of necessary parameters.

## Checklist
* [x] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [x] Code modified for feature
* [ ] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [x] Documentation updated / NEWS entry present (for non-trivial changes)
* [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:
* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1186

From gnutls-devel at lists.gnutls.org Sun Feb 2 19:16:16 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 02 Feb 2020 18:16:16 +0000
Subject: [gnutls-devel] GnuTLS | session_pack: fix leak in error path (!1185)

Merge Request !1185 was merged

Merge Request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1185
Project:Branches: TheRealMichaelCatanzaro/gnutls:mcatanzaro/session-pack-leak to gnutls/gnutls:master
Author: Michael Catanzaro
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1185

From gnutls-devel at lists.gnutls.org Sun Feb 2 19:54:21 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 02 Feb 2020 18:54:21 +0000
Subject: [gnutls-devel] GnuTLS | crypto-api: add generic crypto functions for KDF (!1186)

Daiki Ueno pushed new commits to merge request !1186
https://gitlab.com/gnutls/gnutls/-/merge_requests/1186

* efc8af7e - crypto-api: add generic crypto functions for KDF
* e70cdccd - secrets: refactor using gnutls_hkdf_expand
* 96a667d8 - pkcs12: refactor using gnutls_pbkdf2
* 40090b58 - pkcs7-crypt: refactor using gnutls_pbkdf2
* 887b58b1 - privkey_pkcs8: remove unused #include

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1186

From gnutls-devel at lists.gnutls.org Mon Feb 3 05:20:09 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 03 Feb 2020 04:20:09 +0000
Subject: [gnutls-devel] GnuTLS | crypto-api: add generic crypto functions for KDF (!1186)

Daiki Ueno pushed new commits to merge request !1186
https://gitlab.com/gnutls/gnutls/-/merge_requests/1186

* a8ad1759 - tests: skip pkcs12-gost under GNUTLS_FORCE_FIPS_MODE

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1186

From gnutls-devel at lists.gnutls.org Mon Feb 3 06:04:08 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 03 Feb 2020 05:04:08 +0000
Subject: [gnutls-devel] GnuTLS | crypto-api: add generic crypto functions for KDF (!1186)

Daiki Ueno pushed new commits to merge request !1186
https://gitlab.com/gnutls/gnutls/-/merge_requests/1186

* a1d43b39 - crypto-api: add generic crypto functions for KDF
* 31333712 - secrets: refactor using gnutls_hkdf_{extract,expand}
* 62f43a54 - pkcs12: refactor using gnutls_pbkdf2
* 1550beca - pkcs7-crypt: refactor using gnutls_pbkdf2
* ac37bf23 - privkey_pkcs8: remove unused #include
* f416eeed - tests: skip pkcs12-gost under GNUTLS_FORCE_FIPS_MODE

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1186

From gnutls-devel at lists.gnutls.org Mon Feb 3 06:05:53 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 03 Feb 2020 05:05:53 +0000
Subject: [gnutls-devel] GnuTLS | WIP: Record layer separation for QUIC TLS API: Notify the key (epoch) change (!1086)

Daiki Ueno commented:

Closing as this is replaced with !1112 (and then !1184).

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1086#note_281181057

From gnutls-devel at lists.gnutls.org Mon Feb 3 06:05:54 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 03 Feb 2020 05:05:54 +0000
Subject: [gnutls-devel] GnuTLS | WIP: Record layer separation for QUIC TLS API: Notify the key (epoch) change (!1086)

Merge Request !1086 was closed by Daiki Ueno

Merge Request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1086
Project:Branches: Aniketh01/gnutls:Aniketh01-Record-layer-seperation to gnutls/gnutls:master
Author: Aniketh Girish
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1086

From gnutls-devel at lists.gnutls.org Mon Feb 3 06:07:12 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 03 Feb 2020 05:07:12 +0000
Subject: [gnutls-devel] GnuTLS | WIP: gnutls_hkdf{expand, extract}: new API functions exposed (!1115)

Daiki Ueno commented:

Closing as this is replaced with !1186.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1115#note_281181324

From gnutls-devel at lists.gnutls.org Mon Feb 3 06:07:13 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 03 Feb 2020 05:07:13 +0000
Subject: [gnutls-devel] GnuTLS | WIP: gnutls_hkdf{expand, extract}: new API functions exposed (!1115)

Merge Request !1115 was closed by Daiki Ueno

Merge Request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1115
Project:Branches: Aniketh01/gnutls:quic-expose-hkdf to gnutls/gnutls:tmp-draft-ietf-quic-tls-23
Author: Aniketh Girish
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1115

From gnutls-devel at lists.gnutls.org Mon Feb 3 13:35:11 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 03 Feb 2020 12:35:11 +0000
Subject: [gnutls-devel] GnuTLS | testcompat-openssl: improve testing against secured OpenSSL versions. (!1168)

Dimitri John Ledkov commented:

So pipeline still failed on the "nettle-master.Fedora" with openssl-compat tests failing. What should be the next steps to fix them up?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1168#note_281414928

From gnutls-devel at lists.gnutls.org Mon Feb 3 13:39:22 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 03 Feb 2020 12:39:22 +0000
Subject: [gnutls-devel] GnuTLS | testcompat-openssl: improve testing against secured OpenSSL versions. (!1168)

Dimitri John Ledkov pushed new commits to merge request !1168
https://gitlab.com/gnutls/gnutls/-/merge_requests/1168

* 9ac41f0b...e825a5dd - 14 commits from branch `master`
* 670b1cd3 - testcompat-openssl: improve testing against secured OpenSSL versions.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1168

From gnutls-devel at lists.gnutls.org Mon Feb 3 14:23:41 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 03 Feb 2020 13:23:41 +0000
Subject: [gnutls-devel] GnuTLS | optional: Add support for ed448 (#128)

Vladimír Čunát commented:

I believe the checkboxes need updating after https://gitlab.com/gnutls/gnutls/-/merge_requests/984 (and nettle needs a release)

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/128#note_281447771

From gnutls-devel at lists.gnutls.org Mon Feb 3 15:37:35 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 03 Feb 2020 14:37:35 +0000
Subject: [gnutls-devel] GnuTLS | crypto-api: add generic crypto functions for KDF (!1186)

Dmitry Baryshkov commented:

LGTM.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1186#note_281504994

From gnutls-devel at lists.gnutls.org Mon Feb 3 15:38:18 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 03 Feb 2020 14:38:18 +0000
Subject: [gnutls-devel] GnuTLS | crypto-api: add generic crypto functions for KDF (!1186)

Dmitry Baryshkov commented:

It would be nice to have tests for new functions though.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1186#note_281505455

From gnutls-devel at lists.gnutls.org Mon Feb 3 15:49:03 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 03 Feb 2020 14:49:03 +0000
Subject: [gnutls-devel] GnuTLS | testcompat-openssl: improve testing against secured OpenSSL versions. (!1168)

Dmitry Baryshkov commented:

```
Error with command: "-named_curve prime192v1"
140438204389184:error:100AE081:elliptic curve routines:EC_GROUP_new_by_curve_name:unknown group:crypto/ec/ec_curve.c:403:
```

It looks like new OpenSSL does not understand this curve, so you should mask it also.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1168#note_281513531

From gnutls-devel at lists.gnutls.org Mon Feb 3 18:30:36 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 03 Feb 2020 17:30:36 +0000
Subject: [gnutls-devel] GnuTLS | crypto-api: add generic crypto functions for KDF (!1186)

Daiki Ueno pushed new commits to merge request !1186
https://gitlab.com/gnutls/gnutls/-/merge_requests/1186

* ac0847fc - crypto-api: add generic crypto functions for KDF
* 2d6c628f - secrets: refactor using gnutls_hkdf_{extract,expand}
* 22225d59 - pkcs12: refactor using gnutls_pbkdf2
* 094fcd22 - pkcs7-crypt: refactor using gnutls_pbkdf2
* 875db1e2 - privkey_pkcs8: remove unused #include
* 70616eed - tests: skip pkcs12-gost under GNUTLS_FORCE_FIPS_MODE

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1186

From gnutls-devel at lists.gnutls.org Mon Feb 3 18:31:29 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 03 Feb 2020 17:31:29 +0000
Subject: [gnutls-devel] GnuTLS | crypto-api: add generic crypto functions for KDF (!1186)

Daiki Ueno commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/1186#note_281648292

Added now.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1186#note_281648292

From gnutls-devel at lists.gnutls.org Mon Feb 3 21:22:42 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 03 Feb 2020 20:22:42 +0000
Subject: [gnutls-devel] GnuTLS | testcompat-openssl: improve testing against secured OpenSSL versions. (!1168)

Dimitri John Ledkov pushed new commits to merge request !1168
https://gitlab.com/gnutls/gnutls/-/merge_requests/1168

* 2c54ab39 - Check before using prime192v1 curve in tests

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1168

From gnutls-devel at lists.gnutls.org Mon Feb 3 21:38:10 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 03 Feb 2020 20:38:10 +0000
Subject: [gnutls-devel] GnuTLS | Clang problem with _Noreturn (#926)

Paul Eggert created an issue: https://gitlab.com/gnutls/gnutls/issues/926

## Description of problem:
Jeffery Walton reported on bug-gnulib that he had problems building GnuTLS on OS X 10.9. See:

https://lists.gnu.org/r/bug-gnulib/2020-02/msg00012.html
https://lists.gnu.org/r/bug-gnulib/2020-02/msg00013.html
https://lists.gnu.org/r/bug-gnulib/2020-02/msg00014.html

[There may be other messages later.]

I'd like this to get fixed in Gnulib but do not use macOS and so will need some advice as it apparently has something to do with macOS and/or Clang archeology. I'm filing a bug report here to give the GnuTLS developers a heads-up.

## Version of gnutls used:
3.6.12

## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)
N.A.

## How reproducible:
See above. Apparently GnuTLS does not build.

## Actual results:

## Expected results:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/926

From gnutls-devel at lists.gnutls.org Mon Feb 3 23:20:10 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 03 Feb 2020 22:20:10 +0000
Subject: [gnutls-devel] GnuTLS | testcompat-openssl: improve testing against secured OpenSSL versions. (!1168)

Dimitri John Ledkov pushed new commits to merge request !1168
https://gitlab.com/gnutls/gnutls/-/merge_requests/1168

* d36a2eea - Check before using prime192v1 curve in tests

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1168

From gnutls-devel at lists.gnutls.org Tue Feb 4 01:03:52 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 04 Feb 2020 00:03:52 +0000
Subject: [gnutls-devel] GnuTLS | testcompat-openssl: improve testing against secured OpenSSL versions. (!1168)

Dimitri John Ledkov commented:

Added detection on prime192v1 curve and the pipeline IS GREEN! Please re-review/merge =)

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1168#note_281804769

From gnutls-devel at lists.gnutls.org Tue Feb 4 04:45:56 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 04 Feb 2020 03:45:56 +0000
Subject: [gnutls-devel] GnuTLS | crypto-api: add generic crypto functions for KDF (!1186)

Daiki Ueno pushed new commits to merge request !1186
https://gitlab.com/gnutls/gnutls/-/merge_requests/1186

* ff59714b - pkcs12: refactor using gnutls_pbkdf2
* 24194c20 - pkcs7-crypt: refactor using gnutls_pbkdf2
* b43e0201 - privkey_pkcs8: remove unused #include
* 900ed847 - tests: skip pkcs12-gost under GNUTLS_FORCE_FIPS_MODE

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1186

From gnutls-devel at lists.gnutls.org Tue Feb 4 09:49:24 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 04 Feb 2020 08:49:24 +0000
Subject: [gnutls-devel] GnuTLS | crypto-api: add generic crypto functions for KDF (!1186)

Merge Request !1186 was approved by Dmitry Baryshkov

Merge Request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1186
Branches: tmp-kdf-api to master
Author: Daiki Ueno
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1186

From gnutls-devel at lists.gnutls.org Tue Feb 4 09:49:35 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 04 Feb 2020 08:49:35 +0000
Subject: [gnutls-devel] GnuTLS | crypto-api: add generic crypto functions for KDF (!1186)

Dmitry Baryshkov commented:

LGTM now.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1186#note_281986383

From gnutls-devel at lists.gnutls.org Tue Feb 4 10:29:48 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 04 Feb 2020 09:29:48 +0000
Subject: [gnutls-devel] GnuTLS | crypto-api: add generic crypto functions for KDF (!1186)

Daiki Ueno pushed new commits to merge request !1186
https://gitlab.com/gnutls/gnutls/-/merge_requests/1186

* 62305833 - crypto-api: add generic crypto functions for KDF
* 0d3d86e8 - secrets: refactor using gnutls_hkdf_{extract,expand}
* 0f414467 - pkcs12: refactor using gnutls_pbkdf2
* e974f713 - pkcs7-crypt: refactor using gnutls_pbkdf2
* 4f11a7ca - privkey_pkcs8: remove unused #include
* e5876b03 - tests: skip pkcs12-gost under GNUTLS_FORCE_FIPS_MODE

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1186

From gnutls-devel at lists.gnutls.org Tue Feb 4 10:36:28 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 04 Feb 2020 09:36:28 +0000
Subject: [gnutls-devel] GnuTLS | crypto-api: add generic crypto functions for KDF (!1186)

All discussions on Merge Request !1186 were resolved by Daiki Ueno
https://gitlab.com/gnutls/gnutls/-/merge_requests/1186

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1186

From gnutls-devel at lists.gnutls.org Tue Feb 4 10:36:57 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 04 Feb 2020 09:36:57 +0000
Subject: [gnutls-devel] GnuTLS | crypto-api: add generic crypto functions for KDF (!1186)

Daiki Ueno commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/1186#note_282019001

Thanks for the review!

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1186#note_282019001

From gnutls-devel at lists.gnutls.org Tue Feb 4 10:38:22 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 04 Feb 2020 09:38:22 +0000
Subject: [gnutls-devel] GnuTLS | crypto-api: add generic crypto functions for KDF (!1186)

All discussions on Merge Request !1186 were resolved by Daiki Ueno
https://gitlab.com/gnutls/gnutls/-/merge_requests/1186

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1186

From gnutls-devel at lists.gnutls.org Tue Feb 4 11:39:06 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 04 Feb 2020 10:39:06 +0000
Subject: [gnutls-devel] GnuTLS | optional: Add support for ed448 (#128)

Daiki Ueno commented on a discussion: https://gitlab.com/gnutls/gnutls/issues/128#note_282067784

Thanks, updated. Also as 3.6.12 contains a copy of the necessary code from nettle, you can play with it now.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/128#note_282067784

From gnutls-devel at lists.gnutls.org Tue Feb 4 11:43:51 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 04 Feb 2020 10:43:51 +0000
Subject: [gnutls-devel] GnuTLS | expose HKDF-Expand-Label to API (#851)

Issue was closed by Daiki Ueno via merge request !1186 (https://gitlab.com/gnutls/gnutls/-/merge_requests/1186)

Issue #851: https://gitlab.com/gnutls/gnutls/issues/851

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/851

From gnutls-devel at lists.gnutls.org Tue Feb 4 11:43:50 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 04 Feb 2020 10:43:50 +0000
Subject: [gnutls-devel] GnuTLS | crypto-api: add generic crypto functions for KDF (!1186)

Merge Request !1186 was merged

Merge Request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1186
Branches: tmp-kdf-api to master
Author: Daiki Ueno
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1186

From gnutls-devel at lists.gnutls.org Tue Feb 4 11:43:50 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 04 Feb 2020 10:43:50 +0000
Subject: [gnutls-devel] GnuTLS | Provide high-level KDF API (#813)

Issue was closed by Daiki Ueno via merge request !1186 (https://gitlab.com/gnutls/gnutls/-/merge_requests/1186)

Issue #813: https://gitlab.com/gnutls/gnutls/issues/813

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/813

From gnutls-devel at lists.gnutls.org Tue Feb 4 11:57:45 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 04 Feb 2020 10:57:45 +0000
Subject: [gnutls-devel] GnuTLS | optional: Add support for ed448 (#128)

Vladimír Čunát commented on a discussion: https://gitlab.com/gnutls/gnutls/issues/128#note_282081043

Thanks for this feature, Ueno-san. My packaging was set up to use separately built nettle which I updated to latest git for testing. I believe this separation is common in most Linux distributions, so we're now mainly looking forward to nettle 3.6 release, so it has a chance to get into distributions early (say, Ubuntu 20.04 LTS, hopefully).

After [some small tweaks](https://gitlab.labs.nic.cz/knot/knot-dns/merge_requests/1105) in our code, DNSSEC validation of ed448 appeared OK on a few test cases. Probably even signing zones should just work, but I haven't tested that so far.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/128#note_282081043

From gnutls-devel at lists.gnutls.org Tue Feb 4 14:10:12 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 04 Feb 2020 13:10:12 +0000
Subject: [gnutls-devel] GnuTLS | testcompat-openssl: improve testing against secured OpenSSL versions. (!1168)

Dimitri John Ledkov pushed new commits to merge request !1168
https://gitlab.com/gnutls/gnutls/-/merge_requests/1168

* 62305833...ee43a212 - 7 commits from branch `master`
* 013013c1 - testcompat-openssl: improve testing against secured OpenSSL versions.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1168

From gnutls-devel at lists.gnutls.org Tue Feb 4 18:10:42 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 04 Feb 2020 17:10:42 +0000
Subject: [gnutls-devel] GnuTLS | WIP: record: add functions to intercept/inject unprotected records (!1187)

Daiki Ueno created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1187

Branches: tmp-record-write-callback to master
Author: Daiki Ueno

This adds a couple of functions, `gnutls_record_set_write_function()` and `gnutls_record_push_data()`, to allow QUIC implementations to directly interact with the TLS state machine.

Note that this currently doesn't work with async Handshake messages.

Fixes #

## Checklist
* [x] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [x] Code modified for feature
* [x] Test suite updated with functionality tests
* [x] Test suite updated with negative tests
* [x] Documentation updated / NEWS entry present (for non-trivial changes)
* [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:
* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1187

From gnutls-devel at lists.gnutls.org Wed Feb 5 13:40:57 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 05 Feb 2020 12:40:57 +0000
Subject: [gnutls-devel] GnuTLS | keylogfile: generalize with a callback (!1184)

Daiki Ueno pushed new commits to merge request !1184

https://gitlab.com/gnutls/gnutls/-/merge_requests/1184

* 05ace838...ee43a212 - 9 commits from branch `master`
* 47c3e47c - keylogfile: generalize with a callback

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1184

From gnutls-devel at lists.gnutls.org Wed Feb 5 13:43:28 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 05 Feb 2020 12:43:28 +0000
Subject: [gnutls-devel] GnuTLS | testcompat-openssl: improve testing against secured OpenSSL versions. (!1168)

Merge Request !1168 was approved by Dmitry Baryshkov

Merge Request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1168
Project:Branches: xnox/gnutls:openssl-min1.2 to gnutls/gnutls:master
Author: Dimitri John Ledkov
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1168

From gnutls-devel at lists.gnutls.org Wed Feb 5 14:09:29 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 05 Feb 2020 13:09:29 +0000
Subject: [gnutls-devel] GnuTLS | nettle/gost: gost28147: require calling set_param before set_key (!1188)

Dmitry Baryshkov created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1188

Project:Branches: GostCrypt/gnutls:gost28147 to gnutls/gnutls:master
Author: Dmitry Baryshkov

Add a description of the new feature/bug fix. Reference any relevant bugs.

## Checklist
* [ ] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [ ] Code modified for feature
* [ ] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
* [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:
* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1188

From gnutls-devel at lists.gnutls.org Wed Feb 5 15:50:53 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 05 Feb 2020 14:50:53 +0000
Subject: [gnutls-devel] GnuTLS | testcompat-openssl: improve testing against secured OpenSSL versions. (!1168)

Tim Rühsen started a new discussion on tests/suite/testcompat-main-openssl: https://gitlab.com/gnutls/gnutls/-/merge_requests/1168#note_282985059

> wait_server ${PID} > > echo "${PREFIX}Checking TLS 1.2 with PSK..." > - ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+PSK:+CURVE-ALL${ADD}" --insecure --pskusername Client_identity --pskkey 9e32cf7786321a828ef7668f09fb35db /dev/null || \ > + echo ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+PSK:+CURVE-ALL${ADD}" --insecure --pskusername Client_identity --pskkey 9e32cf7786321a828ef7668f09fb35db /dev/null || \

Is this echo on purpose ? (And if so, why ?)

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1168#note_282985059

From gnutls-devel at lists.gnutls.org Wed Feb 5 16:04:56 2020
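Review bot: the added line in the TLS 1.2 PSK check prefixes the client invocation with `echo`, so the shell only prints the command and never runs `${CLI}`; `echo` exits 0, which means the `|| \` failure branch that follows can never fire and the check passes without performing a handshake. Drop the `echo` so the PSK connection is exercised again. If the command line is wanted in the test log, print it on its own line before running the command.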
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 05 Feb 2020 15:04:56 +0000
Subject: [gnutls-devel] GnuTLS | nettle/gost: gost28147: require calling set_param before set_key (!1188)

Merge Request !1188 was approved by Daiki Ueno

Merge Request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1188
Project:Branches: GostCrypt/gnutls:gost28147 to gnutls/gnutls:master
Author: Dmitry Baryshkov
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1188

From gnutls-devel at lists.gnutls.org Wed Feb 5 16:04:52 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 05 Feb 2020 15:04:52 +0000
Subject: [gnutls-devel] GnuTLS | nettle/gost: gost28147: require calling set_param before set_key (!1188)

Daiki Ueno commented:

The change looks correct to me.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1188#note_282994865

From gnutls-devel at lists.gnutls.org Wed Feb 5 18:34:19 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 05 Feb 2020 17:34:19 +0000
Subject: [gnutls-devel] GnuTLS | nettle/gost: gost28147: require calling set_param before set_key (!1188)

Merge Request !1188 was merged

Merge Request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1188
Project:Branches: GostCrypt/gnutls:gost28147 to gnutls/gnutls:master
Author: Dmitry Baryshkov
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1188

From gnutls-devel at lists.gnutls.org Wed Feb 5 19:38:56 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 05 Feb 2020 18:38:56 +0000
Subject: [gnutls-devel] GnuTLS | Can't generate public.crt on Windows 2016 (#923)

labnewbie commented on a discussion: https://gitlab.com/gnutls/gnutls/issues/923#note_283114708

I just updated to 3.6.12 and the issue still exists:

PS C:\GnuTLS> certtool.exe --generate-self-signed --load-privkey private.key --template cert.cnf --outfile public.crt
certtool.exe : configFileLoad: Unknown error
At line:1 char:1
+ certtool.exe --generate-self-signed --load-privkey private.key --temp ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (configFileLoad: Unknown error:String) [], RemoteException
+ FullyQualifiedErrorId : NativeCommandError
libopts error 0 (No error) calling read for 'cert.cnf'
Error loading template: cert.cnf

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/923#note_283114708

From gnutls-devel at lists.gnutls.org Wed Feb 5 21:13:35 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 05 Feb 2020 20:13:35 +0000
Subject: [gnutls-devel] GnuTLS | WIP: Add option to store all stapled OCSP responses to gnutls-cli (!1189)

Airtower created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1189

Project:Branches: airtower-luna/gnutls:wip-save-ocsp-multi to gnutls/gnutls:master
Author: Airtower

This is the second part of a fix for #904. I consider the feature itself complete, but there's no test yet, and I'd like some feedback on the patch, in particular:

* Is the change to `--save-ocsp` acceptable (always create the file, even if empty)? It makes using the same code for both `--save-ocsp` and the new `--save-ocsp-multi` simpler.
* @nmav, you suggested marking `--save-ocsp` as deprecated. The [Autogen documentation](https://www.gnu.org/software/autogen/manual/html_section/Option-Definitions.html#Common-Attributes) indicates that the `deprecated` flag is deprecated though, what's the preferred approach here?
* Is there any test already testing `gnutls-cli` with OCSP stapling that I could base a test on?

## Checklist
* [ ] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [ ] Code modified for feature
* [ ] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
* [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:
* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1189

From gnutls-devel at lists.gnutls.org Thu Feb 6 03:36:29 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 06 Feb 2020 02:36:29 +0000
Subject: [gnutls-devel] GnuTLS | testcompat-openssl: improve testing against secured OpenSSL versions. (!1168)

Dimitri John Ledkov commented on a discussion on tests/suite/testcompat-main-openssl: https://gitlab.com/gnutls/gnutls/-/merge_requests/1168#note_283251928

> wait_server ${PID} > > echo "${PREFIX}Checking TLS 1.2 with PSK..." > - ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+PSK:+CURVE-ALL${ADD}" --insecure --pskusername Client_identity --pskkey 9e32cf7786321a828ef7668f09fb35db /dev/null || \ > + echo ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+PSK:+CURVE-ALL${ADD}" --insecure --pskusername Client_identity --pskkey 9e32cf7786321a828ef7668f09fb35db /dev/null || \

no.....

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1168#note_283251928

From gnutls-devel at lists.gnutls.org Thu Feb 6 03:38:34 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 06 Feb 2020 02:38:34 +0000
Subject: [gnutls-devel] GnuTLS | testcompat-openssl: improve testing against secured OpenSSL versions. (!1168)

Dimitri John Ledkov pushed new commits to merge request !1168

https://gitlab.com/gnutls/gnutls/-/merge_requests/1168

* ef04f619...1766c510 - 2 commits from branch `master`
* fbd3e261 - testcompat-openssl: improve testing against secured OpenSSL versions.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1168

From gnutls-devel at lists.gnutls.org Thu Feb 6 03:38:59 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 06 Feb 2020 02:38:59 +0000
Subject: [gnutls-devel] GnuTLS | testcompat-openssl: improve testing against secured OpenSSL versions. (!1168)

Dimitri John Ledkov commented on a discussion on tests/suite/testcompat-main-openssl: https://gitlab.com/gnutls/gnutls/-/merge_requests/1168#note_283252319

> wait_server ${PID} > > echo "${PREFIX}Checking TLS 1.2 with PSK..." > - ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+PSK:+CURVE-ALL${ADD}" --insecure --pskusername Client_identity --pskkey 9e32cf7786321a828ef7668f09fb35db /dev/null || \ > + echo ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+PSK:+CURVE-ALL${ADD}" --insecure --pskusername Client_identity --pskkey 9e32cf7786321a828ef7668f09fb35db /dev/null || \

but i bet it is one of the test cases that was failing, as i was fixing them up. let's watch it fail now.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1168#note_283252319

From gnutls-devel at lists.gnutls.org Thu Feb 6 08:38:11 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 06 Feb 2020 07:38:11 +0000
Subject: [gnutls-devel] GnuTLS | WIP: Add option to store all stapled OCSP responses to gnutls-cli (!1189)

Airtower commented:

The log for the MinGW32 job says it failed because it took longer than 3h (https://gitlab.com/airtower-luna/gnutls/pipelines/115325249/failures). I double checked and my pipeline timeout is set to 6h, so I'm not sure what to do about this.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1189#note_283325815

From gnutls-devel at lists.gnutls.org Thu Feb 6 12:54:17 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 06 Feb 2020 11:54:17 +0000
Subject: [gnutls-devel] GnuTLS | testcompat-openssl: improve testing against secured OpenSSL versions. (!1168)

Dimitri John Ledkov commented on a discussion on tests/suite/testcompat-main-openssl: https://gitlab.com/gnutls/gnutls/-/merge_requests/1168#note_283538421

> wait_server ${PID} > > echo "${PREFIX}Checking TLS 1.2 with PSK..." > - ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+PSK:+CURVE-ALL${ADD}" --insecure --pskusername Client_identity --pskkey 9e32cf7786321a828ef7668f09fb35db /dev/null || \ > + echo ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+PSK:+CURVE-ALL${ADD}" --insecure --pskusername Client_identity --pskkey 9e32cf7786321a828ef7668f09fb35db /dev/null || \

Still passed!

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1168#note_283538421

From gnutls-devel at lists.gnutls.org Thu Feb 6 12:54:19 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 06 Feb 2020 11:54:19 +0000
Subject: [gnutls-devel] GnuTLS | testcompat-openssl: improve testing against secured OpenSSL versions. (!1168)

All discussions on Merge Request !1168 were resolved by Dimitri John Ledkov

https://gitlab.com/gnutls/gnutls/-/merge_requests/1168

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1168

From gnutls-devel at lists.gnutls.org Thu Feb 6 13:21:28 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 06 Feb 2020 12:21:28 +0000
Subject: [gnutls-devel] GnuTLS | testcompat-openssl: improve testing against secured OpenSSL versions. (!1168)

All discussions on Merge Request !1168 were resolved by Tim Rühsen

https://gitlab.com/gnutls/gnutls/-/merge_requests/1168

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1168

From gnutls-devel at lists.gnutls.org Thu Feb 6 15:00:56 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 06 Feb 2020 14:00:56 +0000
Subject: [gnutls-devel] GnuTLS | testcompat-openssl: improve testing against secured OpenSSL versions. (!1168)

Merge Request !1168 was merged

Merge Request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1168
Project:Branches: xnox/gnutls:openssl-min1.2 to gnutls/gnutls:master
Author: Dimitri John Ledkov
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1168

From gnutls-devel at lists.gnutls.org Thu Feb 6 15:54:41 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 06 Feb 2020 14:54:41 +0000
Subject: [gnutls-devel] GnuTLS | Update gnulib to fix building on OSX 10.9 (!1190)

Tim Rühsen created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1190

Branches: tmp-gnulib-update to master
Author: Tim Rühsen

Fixes #926

## Checklist
* [x] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [ ] Code modified for feature
* [ ] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
* [x] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:
* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1190

From gnutls-devel at lists.gnutls.org Thu Feb 6 16:57:45 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 06 Feb 2020 15:57:45 +0000
Subject: [gnutls-devel] GnuTLS | Update gnulib to fix building on OSX 10.9 (!1190)

Tim Rühsen pushed new commits to merge request !1190

https://gitlab.com/gnutls/gnutls/-/merge_requests/1190

* 0d8a7bbe - cfg.mk: Exclude sc_prohibit_gnu_make_extensions from syntax-check

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1190

From gnutls-devel at lists.gnutls.org Thu Feb 6 19:24:10 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 06 Feb 2020 18:24:10 +0000
Subject: [gnutls-devel] GnuTLS | WIP: Add option to store all stapled OCSP responses to gnutls-cli (!1189)

Tim Rühsen commented:

Maybe just an issue on the side of Gitlab.com. I just restarted the job, let's see.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1189#note_283799858

From gnutls-devel at lists.gnutls.org Thu Feb 6 20:06:20 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 06 Feb 2020 19:06:20 +0000
Subject: [gnutls-devel] GnuTLS | WIP: Add option to store all stapled OCSP responses to gnutls-cli (!1189)

Tim Rühsen commented:

I think it would be good to have error messages in case something goes wrong. Staying silent may lead to wrong assumptions and hard to find issues later. Check all calls to fwrite/fclose and also print an error message when gnutls_ocsp_status_request_get2() fails.

Then why use PEM for SAVE_OCSP_MULTI and DER for SAVE_OCSP ? IMO it would be more consistent when both options use the same output format. What about checking the file extension (.pem | .der) and/or have another option to specify the output format ?

Else LGTM :-)

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1189#note_283814898

From gnutls-devel at lists.gnutls.org Thu Feb 6 20:16:44 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 06 Feb 2020 19:16:44 +0000
Subject: [gnutls-devel] GnuTLS | WIP: Add option to store all stapled OCSP responses to gnutls-cli (!1189)

Airtower commented:

The different output formats are to preserve the behavior of the pre-existing `--save-ocsp` option, in case anyone relies on it. The new option needs to use PEM to put multiple OCSP responses in one output file with clear boundaries.

I'll look into the error messages. Thank you!

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1189#note_283819473

From gnutls-devel at lists.gnutls.org Thu Feb 6 21:09:21 2020
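The two points exchanged above on !1189 (check every write and close; use PEM so that several responses share one file with clear boundaries), as an added example that is not code from the merge request or from GnuTLS. It writes constructed byte strings as `OCSP RESPONSE` PEM blocks with each stdio call checked and counts the blocks back by their boundary lines; the function names, the sample bytes and the hand-written Base64 writer (standing in for `gnutls_pem_base64_encode_alloc()`) are assumptions.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define PEM_LABEL "OCSP RESPONSE"

struct blob {                   /* same shape as gnutls_datum_t */
    const unsigned char *data;
    size_t size;
};

/* Hand-written Base64 writer (assumed stand-in for the library encoder),
 * 64 characters per line; returns -1 as soon as a write fails. */
static int write_base64(FILE *fp, const unsigned char *d, size_t size)
{
    static const char tab[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
                              "abcdefghijklmnopqrstuvwxyz0123456789+/";
    size_t i;
    for (i = 0; i < size; i += 3) {
        size_t n = size - i < 3 ? size - i : 3;
        unsigned long v = ((unsigned long)d[i] << 16) |
            (n > 1 ? (unsigned long)d[i + 1] << 8 : 0) |
            (n > 2 ? (unsigned long)d[i + 2] : 0);
        char q[5] = { tab[(v >> 18) & 63], tab[(v >> 12) & 63],
                      n > 1 ? tab[(v >> 6) & 63] : '=',
                      n > 2 ? tab[v & 63] : '=', '\n' };
        /* End the line after 64 characters or after the last group. */
        size_t len = ((i / 3 + 1) % 16 == 0 || i + 3 >= size) ? 5 : 4;
        if (fwrite(q, 1, len, fp) != len)
            return -1;
    }
    return 0;
}

/* Write each response as its own PEM block; 0 on success, -1 on error. */
int save_responses_pem(FILE *fp, const struct blob *r, size_t n)
{
    size_t i;
    for (i = 0; i < n; i++) {
        if (fprintf(fp, "-----BEGIN %s-----\n", PEM_LABEL) < 0 ||
            write_base64(fp, r[i].data, r[i].size) != 0 ||
            fprintf(fp, "-----END %s-----\n", PEM_LABEL) < 0)
            return -1;
    }
    return fflush(fp) == 0 ? 0 : -1;
}

/* Open, write and close with every step checked; 0 on success. */
int save_responses_to_path(const char *path, const struct blob *r, size_t n)
{
    FILE *fp = fopen(path, "w");
    int ret;
    if (fp == NULL) {
        fprintf(stderr, "cannot open %s: %s\n", path, strerror(errno));
        return -1;
    }
    ret = save_responses_pem(fp, r, n);
    /* fclose() flushes as well, so an error can surface only here. */
    if (fclose(fp) != 0 || ret != 0) {
        fprintf(stderr, "writing to %s failed\n", path);
        return -1;
    }
    return 0;
}

/* Count complete blocks by their boundary lines; -1 if a BEGIN or END
 * line is unpaired or reading fails. */
long count_pem_blocks(FILE *fp)
{
    char line[128];
    long blocks = 0;
    int inside = 0;
    while (fgets(line, sizeof(line), fp) != NULL) {
        int begin = strcmp(line, "-----BEGIN " PEM_LABEL "-----\n") == 0;
        int end = strcmp(line, "-----END " PEM_LABEL "-----\n") == 0;
        if ((begin && inside) || (end && !inside))
            return -1;
        inside = begin ? 1 : (end ? 0 : inside);
        blocks += end;
    }
    return (ferror(fp) || inside) ? -1 : blocks;
}

/* Constructed sample bytes standing in for two DER responses. */
static const unsigned char sample_a[] = { 'f', 'o', 'o', 'b' };
static const unsigned char sample_b[] = { 0x30, 0x03, 0x0a, 0x01, 0x00 };

int main(void)
{
    const struct blob r[] = { { sample_a, sizeof(sample_a) },
                              { sample_b, sizeof(sample_b) } };
    FILE *fp = tmpfile();
    if (fp == NULL || save_responses_pem(fp, r, 2) != 0)
        return 1;
    rewind(fp);
    printf("blocks read back: %ld\n", count_pem_blocks(fp));
    return fclose(fp) != 0;
}
```

A reader that starts in the middle of the file sees an `END` line without its `BEGIN` and reports -1, which is the kind of boundary check a plain concatenation of binary responses does not offer without parsing each response.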
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 06 Feb 2020 20:09:21 +0000
Subject: [gnutls-devel] GnuTLS | Key passphrase longer than 31 chars give 'No PIN given' error (#932)

Arcus Cinis created an issue: https://gitlab.com/gnutls/gnutls/issues/932

## Description of problem:
When creating a key, if the password is longer than 31 characters, `certtool` gives an enigmatic `No PIN given.` error and exits with 1.

## Version of gnutls used:
3.6.7

## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)
Debian 10

## How reproducible:
Steps to Reproduce:

* `certtool --pkcs8 --generate-privkey --outfile test.key`
* `certtool --pkcs8 --generate-self-signed --load-privkey test.key --outfile test.cert`
* Now type password longer than 31 chars.

## Actual results:
`No PIN given.` error.

## Expected results:
Prompt for cert details.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/932

From gnutls-devel at lists.gnutls.org Thu Feb 6 21:27:23 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 06 Feb 2020 20:27:23 +0000
Subject: [gnutls-devel] GnuTLS | certtool ignores --password option (#933)

Arcus Cinis created an issue: https://gitlab.com/gnutls/gnutls/issues/933

## Description of problem:
certtool ignores `--password` option and asks for typing it.

## Version of gnutls used:
3.6.7

## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)
Debian 10

## How reproducible:
Steps to Reproduce:

* `certtool --pkcs8 --generate-privkey --outfile test.key --password=QWERTY`
* `certtool --pkcs8 --generate-self-signed --load-privkey test.key --outfile test.cert --password=QWERTY`
* Hit CTRL-C and ENTER when certtool asks for password.

## Actual results:
`--password` option is ignored and certtool asks for it.

## Expected results:
certtool should proceed silently from either script or command line.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/933

From gnutls-devel at lists.gnutls.org Thu Feb 6 21:41:25 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 06 Feb 2020 20:41:25 +0000
Subject: [gnutls-devel] GnuTLS | WIP: Add option to store all stapled OCSP responses to gnutls-cli (!1189)

Airtower pushed new commits to merge request !1189

https://gitlab.com/gnutls/gnutls/-/merge_requests/1189

* 73250f90 - Improved error checking for try_save_ocsp_status()

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1189

From gnutls-devel at lists.gnutls.org Thu Feb 6 21:43:19 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 06 Feb 2020 20:43:19 +0000
Subject: [gnutls-devel] GnuTLS | WIP: Add option to store all stapled OCSP responses to gnutls-cli (!1189)

Airtower commented:

I've just pushed the error checks and hopefully clearer error messages.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1189#note_283869938

From gnutls-devel at lists.gnutls.org Thu Feb 6 23:36:37 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 06 Feb 2020 22:36:37 +0000
Subject: [gnutls-devel] GnuTLS | Update gnulib to fix building on OSX 10.9 (!1190)

Merge Request !1190 was approved by Dmitry Baryshkov

Merge Request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1190
Branches: tmp-gnulib-update to master
Author: Tim Rühsen
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1190

From gnutls-devel at lists.gnutls.org Fri Feb 7 09:40:28 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 07 Feb 2020 08:40:28 +0000
Subject: [gnutls-devel] GnuTLS | Update gnulib to fix building on OSX 10.9 (!1190)

Merge Request !1190 was merged

Merge Request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1190
Branches: tmp-gnulib-update to master
Author: Tim Rühsen
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1190

From gnutls-devel at lists.gnutls.org Fri Feb 7 09:40:28 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 07 Feb 2020 08:40:28 +0000
Subject: [gnutls-devel] GnuTLS | Clang problem with _Noreturn (#926)

Issue was closed by Tim Rühsen via merge request !1190 (https://gitlab.com/gnutls/gnutls/-/merge_requests/1190)

Issue #926: https://gitlab.com/gnutls/gnutls/issues/926

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/926

From gnutls-devel at lists.gnutls.org Fri Feb 7 11:08:25 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 07 Feb 2020 10:08:25 +0000
Subject: [gnutls-devel] GnuTLS | WIP: Add option to store all stapled OCSP responses to gnutls-cli (!1189)

Tim Rühsen started a new discussion on src/cli.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1189#note_284125462

> > if (type == GNUTLS_X509_FMT_DER) { > - fwrite(oresp.data, oresp.size, 1, fp); > + /* on success the return value is equal to the > + * number of items (third parameter) */ > + if (fwrite(oresp.data, oresp.size, 1, fp) != 1) { > + fprintf(stderr, "writing to %s failed\n", path); > + exit(1); > + } > continue; > } > > gnutls_datum_t t; > - ret = gnutls_pem_base64_encode_alloc("OCSP RESPONSE", &oresp, &t); > + ret = gnutls_pem_base64_encode_alloc("OCSP RESPONSE", > + &oresp, &t);

Wrong alignment here (needs 2xtab as indentation, then fill up with alignment spaces). But since the source code isn't strict about 80 columns, it's fine to not break the line at all (whatever you like better).

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1189#note_284125462

From gnutls-devel at lists.gnutls.org Fri Feb 7 11:15:09 2020
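Review bot: in the DER branch, `fwrite(oresp.data, oresp.size, 1, fp) != 1` also reports a failure when `oresp.size` is 0, because fwrite() returns 0 whenever the size or the item count is zero, so an empty response would end the program with "writing to ... failed" although nothing went wrong. If an empty `oresp` can reach this point, skip it before the write, or call `fwrite(oresp.data, 1, oresp.size, fp)` and compare the result with `oresp.size`. The message would also be easier to act on with `strerror(errno)` appended.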
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 07 Feb 2020 10:15:09 +0000
Subject: [gnutls-devel] GnuTLS | WIP: Add option to store all stapled OCSP responses to gnutls-cli (!1189)

Tim Rühsen started a new discussion on src/cli-args.def: https://gitlab.com/gnutls/gnutls/-/merge_requests/1189#note_284131608

> name = save-ocsp; > arg-type = string; > descrip = "Save the peer's OCSP status response in the provided file"; > - doc = ""; > + doc = ""; > + flags-cant = save-ocsp-multi; > +}; > + > +flag = { > + name = save-ocsp-multi; > + arg-type = file;

The other --save... options use `arg-type = string`, please do the same here. If you think, this is wrong and should be fixed, let's open a separate issue / MR for that.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1189#note_284131608

From gnutls-devel at lists.gnutls.org Fri Feb 7 11:25:33 2020
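Review bot: the `doc = "";` line of the `save-ocsp` flag is removed and re-added with no change that the diff shows, which suggests a whitespace-only edit that can be dropped from the patch. Since the same flag gains `flags-cant = save-ocsp-multi;`, the empty `doc` is the natural place to state that the two options cannot be combined, so the conflict is documented for users and not only enforced by the option parser.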
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 07 Feb 2020 10:25:33 +0000
Subject: [gnutls-devel] GnuTLS | WIP: Add option to store all stapled OCSP responses to gnutls-cli (!1189)
In-Reply-To:
References:
Message-ID:

Tim Rühsen commented:

This option only works with stapled OCSP responses !? I tested manually some bigger websites and none of them sends any stapled OCSP responses any more. Most of them definitely did a while ago. What do I miss ? Does it make sense to save the responses from the OCSP responders as well (using --ocsp) ?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1189#note_284137963

From gnutls-devel at lists.gnutls.org Fri Feb 7 12:29:57 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 07 Feb 2020 11:29:57 +0000
Subject: [gnutls-devel] GnuTLS | WIP: Add option to store all stapled OCSP responses to gnutls-cli (!1189)
In-Reply-To:
References:
Message-ID:

Tim Rühsen commented:

Want to add:
- amazon.com has a stapled OCSP response
- libgnutls requests OCSP stapling by default (`gnutls_ocsp_status_request_enable_client(session, NULL, 0, NULL)` is not explicitly needed. Checked with wireshark.)
- RFC6961 (TLS Multiple Certificate Status Request Extension) is currently not supported by libgnutls

@airtower Do you know any website that uses multi-stapling even if not requested ? Or is STATUS_REQUEST_V2 default with TLS1.3 ?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1189#note_284183765

From gnutls-devel at lists.gnutls.org Fri Feb 7 13:04:34 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 07 Feb 2020 12:04:34 +0000
Subject: [gnutls-devel] GnuTLS | keylogfile: generalize with a callback (!1184)
In-Reply-To:
References:
Message-ID:

Daiki Ueno pushed new commits to merge request !1184
https://gitlab.com/gnutls/gnutls/-/merge_requests/1184

* e1e72ef4 - keylogfile: generalize with a callback

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1184

From gnutls-devel at lists.gnutls.org Fri Feb 7 16:24:20 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 07 Feb 2020 15:24:20 +0000
Subject: [gnutls-devel] GnuTLS | keylogfile: generalize with a callback (!1184)
In-Reply-To:
References:
Message-ID:

Tim Rühsen started a new discussion on lib/includes/gnutls/gnutls.h.in: https://gitlab.com/gnutls/gnutls/-/merge_requests/1184#note_284356511

> + * @GNUTLS_SECRET_CLIENT_EARLY_TRAFFIC_SECRET: the early traffic secret for the > + * client side (for TLS 1.3) > + * @GNUTLS_SECRET_CLIENT_HANDSHAKE_TRAFFIC_SECRET: the handshake traffic secret > + * for the client side (for TLS 1.3) > + * @GNUTLS_SECRET_SERVER_HANDSHAKE_TRAFFIC_SECRET: the handshake traffic secret > + * for the server side (for TLS 1.3) > + * @GNUTLS_SECRET_CLIENT_TRAFFIC_SECRET: the application traffic secret for the > + * client side (for TLS 1.3) > + * @GNUTLS_SECRET_SERVER_TRAFFIC_SECRET: the application traffic secret for the > + * server side (for TLS 1.3) > + * @GNUTLS_SECRET_EARLY_EXPORTER_SECRET: the early exporter secret (for TLS 1.3, > + * used for 0-RTT keys). > + * @GNUTLS_SECRET_EXPORTER_SECRET: the exporter secret (for TLS 1.3, used for > + * 1-RTT keys) > + * > + * Enumeration of different types secrets derived during handshake.

`... types of secrets...` ?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1184#note_284356511

From gnutls-devel at lists.gnutls.org Fri Feb 7 16:26:24 2020
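Review bot: the parentheticals on the two exporter entries in the gnutls.h.in hunk of !1184, "used for 0-RTT keys" on `GNUTLS_SECRET_EARLY_EXPORTER_SECRET` and "used for 1-RTT keys" on `GNUTLS_SECRET_EXPORTER_SECRET`, read as if these secrets protect record traffic, which is the job of the traffic secrets listed just above them. In RFC 8446 the exporter secrets feed the exporter interface (Section 7.5), so wording that says so would avoid a consumer of the callback treating them as decryption keys. Only the `GNUTLS_SECRET_EARLY_EXPORTER_SECRET` description ends in a full stop; the other entries do not.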
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 07 Feb 2020 15:26:24 +0000
Subject: [gnutls-devel] GnuTLS | keylogfile: generalize with a callback (!1184)
In-Reply-To:
References:
Message-ID:

Tim Rühsen started a new discussion on lib/includes/gnutls/gnutls.h.in: https://gitlab.com/gnutls/gnutls/-/merge_requests/1184#note_284357660

> +} gnutls_handshake_secret_type_t; > + > + /** > + * gnutls_handshake_secret_function: > + * @session: the current session > + * @type: #gnutls_handshake_secret_type_t > + * @secret: the (const) data of the derived secret. > + * > + * Function prototype for secret derivation hooks. It is set using > + * gnutls_handshake_set_secret_function(). > + * > + * Returns: Non zero on error. > + * Since: 3.6.13 > + */ > +typedef int (*gnutls_handshake_secret_func) (gnutls_session_t, > + gnutls_handshake_secret_type_t type,

do the variable names add any value here ? if no -> remove them, if yes - add the var name for gnutls_session_t

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1184#note_284357660

From gnutls-devel at lists.gnutls.org Fri Feb 7 16:30:50 2020
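Review bot: the doc comment in the gnutls.h.in hunk of !1184 is headed `gnutls_handshake_secret_function:` while the typedef it documents is `gnutls_handshake_secret_func`, so the heading should be renamed to match the type. "Returns: Non zero on error." should also say what the library does when the callback returns non-zero, and `@secret` should state whether the data is valid only for the duration of the call, because a callback that receives handshake and traffic secrets has to know whether it must copy them and is then responsible for wiping its copy.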
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 07 Feb 2020 15:30:50 +0000
Subject: [gnutls-devel] GnuTLS | keylogfile: generalize with a callback (!1184)
In-Reply-To:
References:
Message-ID:

Merge Request !1184 was approved by Tim Rühsen

Merge Request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1184
Branches: tmp-keylog-hook to master
Author: Daiki Ueno
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1184

From gnutls-devel at lists.gnutls.org Fri Feb 7 16:57:49 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 07 Feb 2020 15:57:49 +0000
Subject: [gnutls-devel] GnuTLS | .lgtm.yml: Fix --disable-documentation to --disable-doc [skip ci] (!1191)
References:
Message-ID:

Tim Rühsen created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1191

Branches: tmp-lgtm to master
Author: Tim Rühsen

Fixing the configure flags for LGTM analysis

## Checklist
* [x] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [x] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:
* [ ] No obvious mistakes in the code

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1191

From gnutls-devel at lists.gnutls.org Fri Feb 7 18:02:45 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 07 Feb 2020 17:02:45 +0000
Subject: [gnutls-devel] GnuTLS | .lgtm.yml: Fix --disable-documentation to --disable-doc [skip ci] (!1191)
In-Reply-To:
References:
Message-ID:

Merge Request !1191 was approved by Daiki Ueno

Merge Request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1191
Branches: tmp-lgtm to master
Author: Tim Rühsen
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1191

From gnutls-devel at lists.gnutls.org Fri Feb 7 18:03:57 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 07 Feb 2020 17:03:57 +0000
Subject: [gnutls-devel] GnuTLS | keylogfile: generalize with a callback (!1184)
In-Reply-To:
References:
Message-ID:

Daiki Ueno pushed new commits to merge request !1184
https://gitlab.com/gnutls/gnutls/-/merge_requests/1184

* 97117556 - keylogfile: generalize with a callback

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1184

From gnutls-devel at lists.gnutls.org Fri Feb 7 18:12:44 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 07 Feb 2020 17:12:44 +0000
Subject: [gnutls-devel] GnuTLS | keylogfile: generalize with a callback (!1184)
In-Reply-To:
References:
Message-ID:

All discussions on Merge Request !1184 were resolved by Daiki Ueno
https://gitlab.com/gnutls/gnutls/-/merge_requests/1184

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1184

From gnutls-devel at lists.gnutls.org Fri Feb 7 18:12:53 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 07 Feb 2020 17:12:53 +0000
Subject: [gnutls-devel] GnuTLS | keylogfile: generalize with a callback (!1184)
In-Reply-To:
References:
Message-ID:

Daiki Ueno commented:

Thanks for the review!

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1184#note_284425632

From gnutls-devel at lists.gnutls.org Fri Feb 7 19:34:01 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 07 Feb 2020 18:34:01 +0000
Subject: [gnutls-devel] GnuTLS | Update gnulib to fix building on OSX 10.9 (!1190)
In-Reply-To:
References:
Message-ID:

Nikos Mavrogiannopoulos commented:

This seems to fail on macosx https://travis-ci.org/gnutls/gnutls/builds/647230486

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1190#note_284475710

From gnutls-devel at lists.gnutls.org Fri Feb 7 19:39:02 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 07 Feb 2020 18:39:02 +0000
Subject: [gnutls-devel] GnuTLS | Update gnulib to fix building on OSX 10.9 (!1190)
In-Reply-To:
References:
Message-ID:

Tim Rühsen commented:

Looks like some dependency in the gnulib modules is incorrect !?

```
Making all in src/gl
GEN alloca.h
GEN arpa/inet.h
GEN inttypes.h
GEN limits.h
GEN netdb.h
YACC parse-datetime.c
/bin/sh: parse-datetime.tab.c: No such file or directory
make[2]: *** [parse-datetime.c] Error 1
make[2]: *** Waiting for unfinished jobs....
make[1]: *** [all-recursive] Error 1
make: *** [all] Error 2
The command "make -j$(sysctl -n hw.ncpu)" exited with 2.
```

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1190#note_284477255

From gnutls-devel at lists.gnutls.org Fri Feb 7 19:52:44 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 07 Feb 2020 18:52:44 +0000
Subject: [gnutls-devel] GnuTLS | Update gnulib to fix building on OSX 10.9 (!1190)
In-Reply-To:
References:
Message-ID:

Tim Rühsen commented:

No, it's the lexer. Maybe we should install bison.

The command line to create the .c file from the .y file is

```
$(AM_V_YACC)$(PARSE_DATETIME_BISON) -d $(YFLAGS) $(AM_YFLAGS) $(srcdir)/parse-datetime.y \
&& sed -e 's|".*/parse-datetime.y"|"parse-datetime.y"|' < parse-datetime.tab.c > parse-datetime.c-t \
...
```

It is expected that the lexer creates .tab.c from .y - bison should do it.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1190#note_284481506

From gnutls-devel at lists.gnutls.org Fri Feb 7 20:50:09 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 07 Feb 2020 19:50:09 +0000
Subject: [gnutls-devel] GnuTLS | Update gnulib to fix building on OSX 10.9 (!1190)
In-Reply-To:
References:
Message-ID:

Nikos Mavrogiannopoulos commented:

Would you like to change .Travis.yml for it?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1190#note_284501455

From gnutls-devel at lists.gnutls.org Fri Feb 7 20:54:35 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 07 Feb 2020 19:54:35 +0000
Subject: [gnutls-devel] GnuTLS | provide a callback to be notified on secret generation (#852)
In-Reply-To:
References:
Message-ID:

Issue was closed by Daiki Ueno via merge request !1184 (https://gitlab.com/gnutls/gnutls/-/merge_requests/1184)

Issue #852: https://gitlab.com/gnutls/gnutls/issues/852

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/852

From gnutls-devel at lists.gnutls.org Fri Feb 7 20:54:35 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 07 Feb 2020 19:54:35 +0000
Subject: [gnutls-devel] GnuTLS | keylogfile: generalize with a callback (!1184)
In-Reply-To:
References:
Message-ID:

Merge Request !1184 was merged

Merge Request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1184
Branches: tmp-keylog-hook to master
Author: Daiki Ueno
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1184

From gnutls-devel at lists.gnutls.org Sat Feb 8 12:47:58 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 08 Feb 2020 11:47:58 +0000
Subject: [gnutls-devel] GnuTLS | WIP: Add option to store all stapled OCSP responses to gnutls-cli (!1189)
In-Reply-To:
References:
Message-ID:

Airtower commented:

The option is specifically intended to check OCSP stapling, so yes, recording only stapled responses is intentional.

STATUS_REQUEST_V2 is obsoleted by TLS 1.3, the stapled responses are carried in extensions to the CertificateEntry ([RFC 8446, Section 4.4.2.1](https://tools.ietf.org/html/rfc8446#section-4.4.2.1)) so multi-stapling is supported by default. Unfortunately I don't know any public website that uses multi-stapling, and the only web server implementation I'm aware of that supports it is Apache with mod_gnutls 0.10 (which I released on Monday). Testing that is how I noticed the limitations in `gnutls-cli` described in #904.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1189#note_284668243

From gnutls-devel at lists.gnutls.org Sat Feb 8 12:49:08 2020
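The layout described in the message above (one `status_request` extension per CertificateEntry of the TLS 1.3 Certificate message, RFC 8446 Section 4.4.2.1), shown as an added example that is neither GnuTLS code nor part of the thread: a bounds-checked walker that reports which entries carry a stapled response. The function names, the `staple_info` type and the sample bytes are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define EXT_STATUS_REQUEST 5 /* extension_type of status_request */
#define STATUS_TYPE_OCSP 1   /* CertificateStatusType ocsp */
#define MAX_ENTRIES 8

struct staple_info { /* hypothetical result type, one per CertificateEntry */
	size_t cert_len; /* length of cert_data */
	size_t ocsp_len; /* length of the stapled OCSPResponse, 0 if none */
};

/* Constructed sample (placeholder bytes, not real DER): two stapled entries, one bare. */
static const uint8_t SAMPLE[] = {
	0x00, 0x00, 0x00, 0x30, /* empty context, certificate_list length 48 */
	0x00, 0x00, 0x03, 0xAA, 0xAA, 0xAA, 0x00, 0x0C, /* entry 0: cert, 12 ext bytes */
	0x00, 0x05, 0x00, 0x08, 0x01, 0x00, 0x00, 0x04, 0xD1, 0xD1, 0xD1, 0xD1,
	0x00, 0x00, 0x02, 0xBB, 0xBB, 0x00, 0x0F, /* entry 1: cert, 15 ext bytes */
	0x00, 0x12, 0x00, 0x01, 0x00, /* unrelated extension, skipped */
	0x00, 0x05, 0x00, 0x06, 0x01, 0x00, 0x00, 0x02, 0xD2, 0xD2,
	0x00, 0x00, 0x01, 0xCC, 0x00, 0x00 /* entry 2: cert, no extensions */
};

/* Read an n-byte big-endian integer at *pos (*pos <= end); -1 if truncated. */
static int read_len(const uint8_t *buf, size_t end, size_t *pos, int n, size_t *out)
{
	size_t v = 0;
	if (end - *pos < (size_t)n)
		return -1;
	for (int i = 0; i < n; i++)
		v = (v << 8) | buf[(*pos)++];
	*out = v;
	return 0;
}

/* Scan one entry's extensions in buf[pos..end) for status_request, whose
 * body is a CertificateStatus: status_type(1) + OCSPResponse<1..2^24-1>. */
static int scan_extensions(const uint8_t *buf, size_t pos, size_t end, size_t *ocsp_len)
{
	*ocsp_len = 0;
	while (pos < end) {
		size_t type = 0, len = 0, ext_end, resp_len = 0;
		if (read_len(buf, end, &pos, 2, &type) < 0 ||
		    read_len(buf, end, &pos, 2, &len) < 0 || len > end - pos)
			return -1;
		ext_end = pos + len;
		if (type == EXT_STATUS_REQUEST) {
			if (*ocsp_len != 0 || len < 1 || buf[pos++] != STATUS_TYPE_OCSP ||
			    read_len(buf, ext_end, &pos, 3, &resp_len) < 0 ||
			    resp_len == 0 || resp_len != ext_end - pos)
				return -1; /* duplicate, wrong type or bad length */
			*ocsp_len = resp_len;
		}
		pos = ext_end;
	}
	return 0;
}

/* Walk a TLS 1.3 Certificate message body (RFC 8446, Section 4.4.2).
 * Returns the number of entries written to out, or -1 on malformed input. */
int parse_certificate_msg(const uint8_t *msg, size_t msg_len,
			  struct staple_info *out, size_t max)
{
	size_t pos = 0, ctx_len = 0, list_len = 0, n = 0;
	if (read_len(msg, msg_len, &pos, 1, &ctx_len) < 0 || ctx_len > msg_len - pos)
		return -1;
	pos += ctx_len; /* skip certificate_request_context */
	if (read_len(msg, msg_len, &pos, 3, &list_len) < 0 || list_len != msg_len - pos)
		return -1;
	while (pos < msg_len) {
		size_t cert_len = 0, exts_len = 0;
		if (n == max || read_len(msg, msg_len, &pos, 3, &cert_len) < 0 ||
		    cert_len == 0 || cert_len > msg_len - pos)
			return -1;
		pos += cert_len; /* cert_data itself is not inspected here */
		if (read_len(msg, msg_len, &pos, 2, &exts_len) < 0 ||
		    exts_len > msg_len - pos ||
		    scan_extensions(msg, pos, pos + exts_len, &out[n].ocsp_len) < 0)
			return -1;
		out[n++].cert_len = cert_len;
		pos += exts_len;
	}
	return (int)n;
}

/* Staple length of entry idx in the first msg_len bytes of SAMPLE, -1 on error. */
long sample_ocsp_len(size_t idx, size_t msg_len)
{
	struct staple_info e[MAX_ENTRIES];
	int n = parse_certificate_msg(SAMPLE, msg_len, e, MAX_ENTRIES);
	return (n < 0 || idx >= (size_t)n) ? -1 : (long)e[idx].ocsp_len;
}

int main(void)
{
	for (size_t i = 0; i < 3; i++)
		printf("entry %zu: stapled OCSP %ld bytes\n", i, sample_ocsp_len(i, sizeof SAMPLE));
	return 0;
}
```

A client that looks only at the first entry would miss the staple attached to entry 1, which is the limitation in `gnutls-cli` that the message refers to as #904.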
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 08 Feb 2020 11:49:08 +0000
Subject: [gnutls-devel] GnuTLS | WIP: Add option to store all stapled OCSP responses to gnutls-cli (!1189)
In-Reply-To:
References:
Message-ID:

Airtower commented on a discussion on src/cli-args.def: https://gitlab.com/gnutls/gnutls/-/merge_requests/1189#note_284668430

> name = save-ocsp; > arg-type = string; > descrip = "Save the peer's OCSP status response in the provided file"; > - doc = ""; > + doc = ""; > + flags-cant = save-ocsp-multi; > +}; > + > +flag = { > + name = save-ocsp-multi; > + arg-type = file;

It might simplify things to use it in the future, but I'll change to `string` for now.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1189#note_284668430

From gnutls-devel at lists.gnutls.org Sat Feb 8 15:23:13 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 08 Feb 2020 14:23:13 +0000
Subject: [gnutls-devel] GnuTLS | WIP: Add option to store all stapled OCSP responses to gnutls-cli (!1189)
In-Reply-To:
References:
Message-ID:

Tim Rühsen commented:

> STATUS_REQUEST_V2 is obsoleted by TLS 1.3

Thanks, good to know :-)

> the only web server implementation I'm aware of that supports it is Apache with mod_gnutls 0.10 (which I released on Monday)

Congrats ! If you have a test server where I can test multi-stapling with GNU Wget2, that would be awesome.

Please merge your changes into one commit, rebase on master and `git push --force-with-lease`. Then your MR is ready to be merged :-)

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1189#note_284720752

From gnutls-devel at lists.gnutls.org Sat Feb 8 17:58:56 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 08 Feb 2020 16:58:56 +0000
Subject: [gnutls-devel] GnuTLS | .lgtm.yml: Fix --disable-documentation to --disable-doc [skip ci] (!1191)
In-Reply-To:
References:
Message-ID:

Tim Rühsen commented:

LGTM pull request analysis was skipped for 3492c47527d269a9b2176ed0a16997c456d2894e by [rockdaboot](https://gitlab.com/rockdaboot). Analysis of future commits will happen as normal.

---

*Comment posted by [LGTM.com](https://lgtm.com)*

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1191#note_284743799

From gnutls-devel at lists.gnutls.org Sat Feb 8 17:59:37 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 08 Feb 2020 16:59:37 +0000
Subject: [gnutls-devel] GnuTLS | .lgtm.yml: Fix --disable-documentation to --disable-doc [skip ci] (!1191)
In-Reply-To:
References:
Message-ID:

Merge Request !1191 was merged

Merge Request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1191
Branches: tmp-lgtm to master
Author: Tim Rühsen
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1191

From gnutls-devel at lists.gnutls.org Sat Feb 8 19:00:08 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 08 Feb 2020 18:00:08 +0000
Subject: [gnutls-devel] GnuTLS | Update gnulib to fix building on OSX 10.9 (!1190)
In-Reply-To:
References:
Message-ID:

Tim Rühsen commented:

@nmav I am at it - very time consuming :-(

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1190#note_284784818

From gnutls-devel at lists.gnutls.org Sat Feb 8 19:34:28 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 08 Feb 2020 18:34:28 +0000
Subject: [gnutls-devel] GnuTLS | TravisCI: Add bison (!1192)
References:
Message-ID:

Tim Rühsen created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1192

Branches: tmp-travis-bison to master
Author: Tim Rühsen

Fix Travis CI build for OSX

## Checklist
* [x] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [x] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:
* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1192

From gnutls-devel at lists.gnutls.org Sat Feb 8 19:35:26 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 08 Feb 2020 18:35:26 +0000
Subject: [gnutls-devel] GnuTLS | TravisCI: Add bison (!1192)
In-Reply-To:
References:
Message-ID:

Tim Rühsen pushed new commits to merge request !1192
https://gitlab.com/gnutls/gnutls/-/merge_requests/1192

* 991828c1 - TravisCI: Add bison [skip ci]

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1192

From gnutls-devel at lists.gnutls.org Sun Feb 9 11:17:17 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 09 Feb 2020 10:17:17 +0000
Subject: [gnutls-devel] GnuTLS | WIP: Add option to store all stapled OCSP responses to gnutls-cli (!1189)
In-Reply-To:
References:
Message-ID:

Airtower pushed new commits to merge request !1189
https://gitlab.com/gnutls/gnutls/-/merge_requests/1189

* ef04f619...d9bc5bfc - 11 commits from branch `master`
* dd423bcb - gnutls-cli: Add option to store all stapled OCSP responses

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1189

From gnutls-devel at lists.gnutls.org Sun Feb 9 11:18:25 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 09 Feb 2020 10:18:25 +0000
Subject: [gnutls-devel] GnuTLS | WIP: Add option to store all stapled OCSP responses to gnutls-cli (!1189)
In-Reply-To:
References:
Message-ID:

Airtower commented on a discussion on src/cli.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1189#note_284864779

> > if (type == GNUTLS_X509_FMT_DER) { > - fwrite(oresp.data, oresp.size, 1, fp); > + /* on success the return value is equal to the > + * number of items (third parameter) */ > + if (fwrite(oresp.data, oresp.size, 1, fp) != 1) { > + fprintf(stderr, "writing to %s failed\n", path); > + exit(1); > + } > continue; > } > > gnutls_datum_t t; > - ret = gnutls_pem_base64_encode_alloc("OCSP RESPONSE", &oresp, &t); > + ret = gnutls_pem_base64_encode_alloc("OCSP RESPONSE", > + &oresp, &t);

Fixed.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1189#note_284864779

From gnutls-devel at lists.gnutls.org Sun Feb 9 11:19:24 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 09 Feb 2020 10:19:24 +0000
Subject: [gnutls-devel] GnuTLS | WIP: Add option to store all stapled OCSP responses to gnutls-cli (!1189)
In-Reply-To:
References:
Message-ID:

All discussions on Merge Request !1189 were resolved by Airtower
https://gitlab.com/gnutls/gnutls/-/merge_requests/1189

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1189

From gnutls-devel at lists.gnutls.org Sun Feb 9 13:18:42 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 09 Feb 2020 12:18:42 +0000
Subject: [gnutls-devel] GnuTLS | WIP: Add option to store all stapled OCSP responses to gnutls-cli (!1189)
In-Reply-To:
References:
Message-ID:

Airtower commented:

Thank you, I've updated the patch. :-)

For Wget2 testing, maybe you could adapt a server configuration from the mod_gnutls test suite? I'd be happy to help with that, though it might be better to discuss it somewhere else.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1189#note_284877246

From gnutls-devel at lists.gnutls.org Sun Feb 9 15:58:28 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 09 Feb 2020 14:58:28 +0000
Subject: [gnutls-devel] GnuTLS | WIP: Add option to store all stapled OCSP responses to gnutls-cli (!1189)
In-Reply-To:
References:
Message-ID:

Merge Request !1189 was approved by Tim Rühsen

Merge Request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1189
Project:Branches: airtower-luna/gnutls:wip-save-ocsp-multi to gnutls/gnutls:master
Author: Airtower
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1189

From gnutls-devel at lists.gnutls.org Sun Feb 9 15:59:02 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 09 Feb 2020 14:59:02 +0000
Subject: [gnutls-devel] GnuTLS | Add option to store all stapled OCSP responses to gnutls-cli (!1189)
In-Reply-To:
References:
Message-ID:

Merge Request !1189 was merged

Merge Request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1189
Project:Branches: airtower-luna/gnutls:wip-save-ocsp-multi to gnutls/gnutls:master
Author: Airtower
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1189

From gnutls-devel at lists.gnutls.org Sun Feb 9 15:59:36 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 09 Feb 2020 14:59:36 +0000
Subject: [gnutls-devel] GnuTLS | Add option to store all stapled OCSP responses to gnutls-cli (!1189)
In-Reply-To:
References:
Message-ID:

Tim Rühsen commented:

Thank you for your contribution !

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1189#note_284895859

From gnutls-devel at lists.gnutls.org Sun Feb 9 16:02:06 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 09 Feb 2020 15:02:06 +0000
Subject: [gnutls-devel] GnuTLS | Add option to store all stapled OCSP responses to gnutls-cli (!1189)
In-Reply-To:
References:
Message-ID:

Tim Rühsen commented:

> For Wget2 testing, maybe you could adapt a server configuration from the mod_gnutls test suite? I'd be happy to help with that, though it might be better to discuss it somewhere else.

Ok, don't mind, thanks. Just thought about testing manually with an existing server. Not much time to set that up locally.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1189#note_284896110

From gnutls-devel at lists.gnutls.org Sun Feb 9 16:09:11 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 09 Feb 2020 15:09:11 +0000
Subject: [gnutls-devel] GnuTLS | gnutls-cli logs only the first stapled OCSP response (#904)
In-Reply-To:
References:
Message-ID:

Airtower commented:

Solved with !1189 being merged.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/904#note_284896913

From gnutls-devel at lists.gnutls.org Sun Feb 9 16:09:12 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 09 Feb 2020 15:09:12 +0000
Subject: [gnutls-devel] GnuTLS | gnutls-cli logs only the first stapled OCSP response (#904)
In-Reply-To:
References:
Message-ID:

Issue was closed by Airtower

Issue #904: https://gitlab.com/gnutls/gnutls/issues/904

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/904

From gnutls-devel at lists.gnutls.org Sun Feb 9 20:07:53 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 09 Feb 2020 19:07:53 +0000
Subject: [gnutls-devel] GnuTLS | MAGMA/KUZNYECHIK CTR-ACPKM and CMAC support (!1161)
In-Reply-To:
References:
Message-ID:

Dmitry Baryshkov commented:

@nmav any chance of getting this reviewed?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1161#note_284943727

From gnutls-devel at lists.gnutls.org Tue Feb 11 11:24:03 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 11 Feb 2020 10:24:03 +0000
Subject: [gnutls-devel] GnuTLS | TravisCI: Add bison (!1192)
In-Reply-To:
References:
Message-ID:

Merge Request !1192 was approved by Nikos Mavrogiannopoulos

Merge Request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1192
Branches: tmp-travis-bison to master
Author: Tim Rühsen
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1192

From gnutls-devel at lists.gnutls.org Tue Feb 11 11:24:51 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 11 Feb 2020 10:24:51 +0000
Subject: [gnutls-devel] GnuTLS | TravisCI: Add bison (!1192)
In-Reply-To:
References:
Message-ID:

Merge Request !1192 was merged

Merge Request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1192
Branches: tmp-travis-bison to master
Author: Tim Rühsen
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1192

From gnutls-devel at lists.gnutls.org Fri Feb 14 11:03:58 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 14 Feb 2020 10:03:58 +0000 Subject: [gnutls-devel] GnuTLS | certtool ignores --password option (#933) In-Reply-To: References: Message-ID: Dmitry Baryshkov commented: Nice catch. `certtool --generate-self-signed` uses `gnutls_privkey_import_x509_raw()`, which in turn uses `pin_callback()` from `src/common.c`. Thus `pin_callback()` doesn't know that user has specified password to `certtool`. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/933#note_288226769 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat Feb 15 05:11:15 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sat, 15 Feb 2020 04:11:15 +0000 Subject: [gnutls-devel] GnuTLS | SIGSEGV when exit application (#384) In-Reply-To: References: Message-ID: GnuTLS bot commented: @JeanMorlet This issue was marked as needinfo with no update for long time. We are now closing it, but please re-open if it is still relevant. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/384#note_288710461 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat Feb 15 05:11:16 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sat, 15 Feb 2020 04:11:16 +0000 Subject: [gnutls-devel] GnuTLS | WIP: GOST PKCS#11 support (!1091) In-Reply-To: References: Message-ID: GnuTLS bot commented: @lumag This merge request is marked as work in progress with no update for very long time. We are now closing it, but please re-open if you are still interested in finishing this merge request. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1091#note_288710464 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat Feb 15 05:11:15 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sat, 15 Feb 2020 04:11:15 +0000 Subject: [gnutls-devel] GnuTLS | SIGSEGV when exit application (#384) In-Reply-To: References: Message-ID: Issue was closed by GnuTLS bot Issue #384: https://gitlab.com/gnutls/gnutls/issues/384 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/384 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat Feb 15 05:11:17 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sat, 15 Feb 2020 04:11:17 +0000 Subject: [gnutls-devel] GnuTLS | WIP: Do not auto-update Copyright year (!1058) In-Reply-To: References: Message-ID: GnuTLS bot commented: @bmwiedemann This merge request is marked as work in progress with no update for very long time. We are now closing it, but please re-open if you are still interested in finishing this merge request. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1058#note_288710466 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat Feb 15 05:11:17 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sat, 15 Feb 2020 04:11:17 +0000 Subject: [gnutls-devel] GnuTLS | WIP: GOST PKCS#11 support (!1091) In-Reply-To: References: Message-ID: Merge Request !1091 was closed by GnuTLS bot Merge Request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1091 Project:Branches: GostCrypt/gnutls:gost-pkcs11-2 to gnutls/gnutls:master Author: Dmitry Baryshkov Assignees: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1091 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat Feb 15 05:11:17 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sat, 15 Feb 2020 04:11:17 +0000 Subject: [gnutls-devel] GnuTLS | WIP: Do not auto-update Copyright year (!1058) In-Reply-To: References: Message-ID: Merge Request !1058 was closed by GnuTLS bot Merge Request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1058 Project:Branches: bmwiedemann/gnutls:datev2 to gnutls/gnutls:master Author: Bernhard M_ Wiedemann Assignees: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1058 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat Feb 15 11:53:15 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sat, 15 Feb 2020 10:53:15 +0000 Subject: [gnutls-devel] GnuTLS | Why are released versions from gitlab and gnupg.org different? (#939) References: Message-ID: Ross Nicholson created an issue: https://gitlab.com/gnutls/gnutls/issues/939 For instance, if I download https://gitlab.com/gnutls/gnutls/-/tags/3.6.12 and https://www.gnupg.org/ftp/gcrypt/gnutls/v3.6/gnutls-3.6.12.tar.xz The contents of that tarballs will differ. gl/read-file.c and src/gl/read-file.c are not there in gitlab version. Also https://gitlab.com/gnutls/gnutls/-/tree/gnutls_3_6_11_1/lib/accelerated/aarch64 will be missing macosx folder on gnupg version. Very confusing but I'm sure there is a good explanation. Discovered when trying to figure out why hw acceleration did not work for ios/tvos on gnupg version. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/939 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Feb 17 09:25:45 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 17 Feb 2020 08:25:45 +0000 Subject: [gnutls-devel] GnuTLS | Do not enable TLS 1.0 and TLS 1.1 by default (#940) References: Message-ID: Nikos Mavrogiannopoulos created an issue: https://gitlab.com/gnutls/gnutls/issues/940 TLS 1.1 and 1.0 are being phased out from the browsers: * [Chrome](https://www.ghacks.net/2019/10/02/tls-1-0-and-1-1-deprecation-chrome-to-display-your-connection-is-not-fully-secure-warnings/) * [Firefox](https://www.ghacks.net/2019/09/29/mozilla-disables-tls-1-0-and-1-1-in-firefox-nightly-in-preparation-of-deprecation/) and operating systems: * [RHEL 8](https://www.redhat.com/en/blog/consistent-security-crypto-policies-red-hat-enterprise-linux-8) None of these remove it as it is still necessary for accessing legacy systems. We should disable it by default and allow applications that require it, to enable it. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/940 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Feb 17 13:24:03 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 17 Feb 2020 12:24:03 +0000 Subject: [gnutls-devel] GnuTLS | Service Desk (from rechi@kodi.tv): packaged release misses lib/accelerated/aarch64/macosx folder (#938) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos commented: Hi, closing this as duplicate of #939. Let's continue the discussion there. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/938#note_289380507 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Feb 17 13:24:04 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 17 Feb 2020 12:24:04 +0000 Subject: [gnutls-devel] GnuTLS | Service Desk (from rechi@kodi.tv): packaged release misses lib/accelerated/aarch64/macosx folder (#938) In-Reply-To: References: Message-ID: Issue was closed by Nikos Mavrogiannopoulos Issue #938: https://gitlab.com/gnutls/gnutls/issues/938 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/938 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Feb 17 13:25:04 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 17 Feb 2020 12:25:04 +0000 Subject: [gnutls-devel] GnuTLS | Why are released versions from gitlab and gnupg.org different? (#939) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos commented: Hi, The tarball made by gitlab consists from all files in the repository. The tarball released consists of files included by `make dist`. If something is missing is probably because there is a "bug" in some Makefile.am -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/939#note_289381067 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Feb 17 15:04:37 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 17 Feb 2020 14:04:37 +0000 Subject: [gnutls-devel] GnuTLS | Why are released versions from gitlab and gnupg.org different? (#939) In-Reply-To: References: Message-ID: Rechi commented: ```diff --- a/lib/accelerated/aarch64/Makefile.am +++ b/lib/accelerated/aarch64/Makefile.am 
@@ -44,11 +44,9 @@ hmac-sha-aarch64.c aes-cbc-aarch64.c aes-gcm-aarch64.c aes-aarch64.h aes-ccm-aarch64.c if MACOSX -ADIR=macosx +libaarch64_la_SOURCES += macosx/sha1-armv8.s macosx/sha512-armv8.s macosx/sha256-armv8.s \ + macosx/aes-aarch64.s macosx/ghash-aarch64.s else -ADIR=elf +libaarch64_la_SOURCES += elf/sha1-armv8.s elf/sha512-armv8.s elf/sha256-armv8.s \ + elf/aes-aarch64.s elf/ghash-aarch64.s endif - -libaarch64_la_SOURCES += $(ADIR)/sha1-armv8.s $(ADIR)/sha512-armv8.s $(ADIR)/sha256-armv8.s \ - $(ADIR)/aes-aarch64.s $(ADIR)/ghash-aarch64.s - ``` -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/939#note_289449083 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Feb 17 17:32:28 2020 
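Review bot: in the `if MACOSX` / `else` branches the five assembly file names are now spelled out twice, once under `macosx/` and once under `elf/`, and nothing in the file says why `$(ADIR)` was dropped. Add a comment above `if MACOSX` stating that the paths are listed literally so that `make dist` ships both directories (the missing `macosx` folder reported in this issue); without it a later cleanup is likely to fold the lists back into a variable. The two lists also have to be kept in sync by hand whenever a source file is added, so it is worth saying that in the same comment.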
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 17 Feb 2020 16:32:28 +0000 Subject: [gnutls-devel] GnuTLS | gnutls_session_set_secret_function: rename from gnutls_handshake_* (!1193) References: Message-ID: Daiki Ueno created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1193 Branches: tmp-rename-secret-hook to master Author: Daiki Ueno This is a follow-up of !1184. Although the API was merged, on second thought I found the naming of the function/callback (prefixed with `gnutls_handshake_`) are confusing, because those can be used even after handshake is completed. This is to rename them with the `gnutls_session_` prefix. ## Checklist * [x] Commits have `Signed-off-by:` with name/author being identical to the commit author * [ ] Code modified for feature * [x] Test suite updated with functionality tests * [ ] Test suite updated with negative tests * [x] Documentation updated / NEWS entry present (for non-trivial changes) * [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout) ## Reviewer's checklist: * [ ] Any issues marked for closing are addressed * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md` * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1193 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Feb 17 17:51:58 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 17 Feb 2020 16:51:58 +0000 Subject: [gnutls-devel] GnuTLS | gnutls_session_set_secret_function: rename from gnutls_handshake_* (!1193) In-Reply-To: References: Message-ID: Daiki Ueno pushed new commits to merge request !1193 https://gitlab.com/gnutls/gnutls/-/merge_requests/1193 * d5f0a866 - gnutls_session_set_secret_function: rename from gnutls_handshake_* -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1193 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Feb 17 22:25:36 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 17 Feb 2020 21:25:36 +0000 Subject: [gnutls-devel] GnuTLS | aead_decrypt broken on armeb (#941) References: Message-ID: Andrew Aladjev created an issue: https://gitlab.com/gnutls/gnutls/issues/941 Hello. I was building gentoo test images using `qemu-user`. `aarch64` little/big endian works perfect, `arm` too. I've stopped on `armeb`, portage is not able to sync. Gentoo portage depends on gemato, gemato depends on gnupg, gnupg hard depends on gnutls. It is not possible to move to openssl. I've debugged it a bit: `_gnutls_aead_cipher_decrypt` returns `-24 GNUTLS_E_DECRYPTION_FAILED`. I've launched tests: more than 80% failed. We can see that `_gnutls_aead_cipher_decrypt` is just a wrapper for something from `lib/accelerated`. So something around this folder is broken. I will try to fix it, please let me know if you can help with that. Thank you. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/941 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Feb 17 23:16:28 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 17 Feb 2020 22:16:28 +0000 Subject: [gnutls-devel] GnuTLS | aead_decrypt broken on armeb (#941) In-Reply-To: References: Message-ID: Andrew Aladjev commented:

`lib/nettle/cipher.c`:

```
if (gnutls_memcmp(((uint8_t*)encr)+encr_size, tag, tag_size) != 0) {
	fprintf(stderr, "algo: %d\n", ctx->cipher->algo);
	return gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED);
}
```

This is the place where `GNUTLS_E_DECRYPTION_FAILED` was born. `algo` equals `11 GNUTLS_CIPHER_AES_256_GCM`.

```
static void
_gcm_decrypt(struct nettle_cipher_ctx *ctx, size_t length, uint8_t * dst,
	     const uint8_t * src)
{
	gcm_decrypt(GCM_CTX_GET_CTX(ctx->ctx_ptr),
		    GCM_CTX_GET_KEY(ctx->ctx_ptr),
		    GCM_CTX_GET_CIPHER(ctx->ctx_ptr),
		    ctx->cipher->encrypt_block, length, dst, src);
}
```

This is the function called as `ctx->cipher->decrypt(ctx, encr_size, plain, encr);` before `gnutls_memcmp` in `lib/nettle/cipher.c`. This function comes from `nettle` library and it is broken.

-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/941#note_289743162 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL:
From gnutls-devel at lists.gnutls.org Tue Feb 18 12:37:18 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 18 Feb 2020 11:37:18 +0000 Subject: [gnutls-devel] GnuTLS | lib: drop unused pbkdf2 helpers (!1194) References: Message-ID: Dmitry Baryshkov created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1194 Project:Branches: GostCrypt/gnutls:pbkdf2 to gnutls/gnutls:master Author: Dmitry Baryshkov Add a description of the new feature/bug fix. Reference any relevant bugs. ## Checklist * [x] Commits have `Signed-off-by:` with name/author being identical to the commit author * [x] Code modified for feature * [ ] Test suite updated with functionality tests * [ ] Test suite updated with negative tests * [ ] Documentation updated / NEWS entry present (for non-trivial changes) * [x] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout) ## Reviewer's checklist: * [ ] Any issues marked for closing are addressed * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md` * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1194 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Feb 18 13:11:45 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 18 Feb 2020 12:11:45 +0000 Subject: [gnutls-devel] GnuTLS | lib: drop unused pbkdf2 helpers (!1194) In-Reply-To: References: Message-ID: Merge Request !1194 was approved by Daiki Ueno Merge Request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1194 Project:Branches: GostCrypt/gnutls:pbkdf2 to gnutls/gnutls:master Author: Dmitry Baryshkov Assignees: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1194 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Feb 18 14:03:49 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 18 Feb 2020 13:03:49 +0000 Subject: [gnutls-devel] GnuTLS | aead_decrypt broken on armeb (#941) In-Reply-To: References: Message-ID: Dmitry Baryshkov commented: Could you please try rebuilding Nettle with assembly optimisations disabled? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/941#note_290176068 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Feb 18 14:11:20 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 18 Feb 2020 13:11:20 +0000 Subject: [gnutls-devel] GnuTLS | Service Desk (from noloader@gmail.com): GnuTLS 3.6.12 and "Error: no such instruction: `xgetbv'" (#928) In-Reply-To: References: Message-ID: Dmitry Baryshkov commented: Which gcc version are you using? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/928#note_290187769 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Feb 18 16:17:04 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 18 Feb 2020 15:17:04 +0000 Subject: [gnutls-devel] GnuTLS | gnutls_session_set_secret_function: rename from gnutls_handshake_* (!1193) In-Reply-To: References: Message-ID: Merge Request !1193 was closed by Daiki Ueno Merge Request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1193 Branches: tmp-rename-secret-hook to master Author: Daiki Ueno Assignees: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1193 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Feb 18 16:17:04 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 18 Feb 2020 15:17:04 +0000 Subject: [gnutls-devel] GnuTLS | gnutls_session_set_secret_function: rename from gnutls_handshake_* (!1193) In-Reply-To: References: Message-ID: Daiki Ueno commented: Hm, after third thought :-) I feel this too picky and it would be rather inconsistent with the other QUIC support functions. So withdrawing. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1193#note_290309011 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Feb 19 18:39:01 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 19 Feb 2020 17:39:01 +0000 Subject: [gnutls-devel] GnuTLS | WIP: record: add functions to intercept/inject unprotected records (!1187) In-Reply-To: References: Message-ID: Daiki Ueno pushed new commits to merge request !1187 https://gitlab.com/gnutls/gnutls/-/merge_requests/1187 * 05ace838...8ab75b3c - 24 commits from branch `master` * fcf61cac - handshake: add functions to read/write handshake messages directly -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1187 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Feb 19 18:41:27 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 19 Feb 2020 17:41:27 +0000 Subject: [gnutls-devel] GnuTLS | WIP: handshake: add functions to read/write handshake messages directly (!1187) In-Reply-To: References: Message-ID: Daiki Ueno pushed new commits to merge request !1187 https://gitlab.com/gnutls/gnutls/-/merge_requests/1187 * f48d5114 - handshake: add functions to read/write handshake messages directly -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1187 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Feb 20 10:42:13 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 20 Feb 2020 09:42:13 +0000 Subject: [gnutls-devel] GnuTLS | aead_decrypt broken on armeb (#941) In-Reply-To: References: Message-ID: Andrew Aladjev commented: Yes, we discussed this issue with nettle developers and they pointed to use "--disable-assembler" for arm v5-v6. After adding this option all nettle tests passed. Now I am running rebuild on [armeb image](https://github.com/andrew-aladev/test-images/tree/master/cross/armeb-unknown-linux-gnueabi). It is long running operation, results will be on the next week. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/941#note_291502273 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Feb 20 11:45:19 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 20 Feb 2020 10:45:19 +0000 Subject: [gnutls-devel] GnuTLS | Clarify plans for gost implementation (#942) References: Message-ID: Andrew Aladjev created an issue: https://gitlab.com/gnutls/gnutls/issues/942 Hello. I was passing by `gnutls`/`nettle` code and found that [recent `gnutls` master branch](https://gitlab.com/gnutls/gnutls/-/blob/master/configure.ac#L1168) received ["gost"](https://en.wikipedia.org/wiki/GOST_(block_cipher)) support. I am living in post-USSR country and know what political question "gost" is a part of. "*Standards*" related to gost are weak and partially proprietary, you can find more information about [s-box genesis here](https://eprint.iacr.org/2016/071.pdf) for example. I won't provide more redundant information, but **protection against gost support** is a strong question for many people, not only for me. Today `gnutls` has `ENABLE_GOST` option **disabled by default** and everything is fine. But recent commits into `nettle` [breaks everything](https://gitlab.com/gnutls/nettle/-/blob/master/hmac.h#L213). Today gost is **enabled by default** in `nettle`. I am sure that Russian government will keep integration of gost in other software and regular users like me won't be able to fight with it tomorrow. So I want to add same `IF_GOST` flag for `nettle`. If some software won't build with `gnutls`/`nettle`/`openssl` (with gost disabled) - I won't use it before removing mandatory gost support. I've provided patch to Niels Möller (nettle developer) and he asked to clarify plans about gost implementation in `gnutls`. > I don't know what the gnutls team's plans are for this option. From my perspective, as long as the gost ecc code in gnutls accesses nettle's ecc internals, not supported by the nettle abi, it's essential that gnutls' gost code isn't enabled by default and doesn't get into binary distributions. 
But that's not reason to keep the option if/when all the gost curves are supported in nettle. Please clarify plans for gost implementation. Thank you. [if_gost_for_nettle.patch](/uploads/257112cc25e898ec1105f752924813a3/if_gost_for_nettle.patch) -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/942 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Feb 20 20:56:42 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 20 Feb 2020 19:56:42 +0000 Subject: [gnutls-devel] GnuTLS | Clarify plans for gost implementation (#942) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos commented: Hi, Note that GOST support is compiled-in in gnutls but not enabled by default. No national ciphers are enabled by default in gnutls for TLS connections, so it is up to you or the application using gnutls to enable them and use them. You can disable them completely during compilation time using `--disable-gost`. PS. any kind of cipher algorithm in gnutls can be disabled system-wide using the [gnutls configuration file](https://gnutls.org/manual/html_node/System_002dwide-configuration-of-the-library.html). -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/942#note_291906060 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Feb 20 20:58:49 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 20 Feb 2020 19:58:49 +0000 Subject: [gnutls-devel] GnuTLS | Why are released versions from gitlab and gnupg.org different? (#939) In-Reply-To: References: Message-ID: Milestone changed to Release of GnuTLS 3.6.13 (Feb 2, 2020–Apr 4, 2020) ( https://gitlab.com/gnutls/gnutls/-/milestones/27 ) -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/939 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Feb 20 20:59:05 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 20 Feb 2020 19:59:05 +0000 Subject: [gnutls-devel] GnuTLS | Why are released versions from gitlab and gnupg.org different? (#939) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos commented: Thank you. Would you like to send a merge request with it? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/939#note_291906871 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Feb 20 21:31:40 2020 
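The comparison behind issue #939 above (repository snapshot versus `make dist` tarball), as an added example that is not part of the thread or of GnuTLS: it diffs two archives by path and SHA-256 and collapses missing files into the directories that were left out. The archive contents and top-level directory names are constructed samples built from the paths named in the issue.

```python
import hashlib
import io
import tarfile
from pathlib import PurePosixPath


def build_tar(top_dir, files):
    """Build an uncompressed tarball in memory (used for the constructed samples)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for rel_path, data in sorted(files.items()):
            info = tarfile.TarInfo(name=f"{top_dir}/{rel_path}")
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def file_digests(tar_bytes):
    """Map every regular file to its SHA-256, with the top-level directory stripped.

    Snapshot and release archives usually use different top-level directory
    names, so paths are only comparable once that first component is removed.
    """
    digests = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for member in tar:
            if not member.isfile():
                continue  # directories, symlinks and devices carry no content
            parts = PurePosixPath(member.name).parts
            rel_path = "/".join(parts[1:]) or parts[0]
            data = tar.extractfile(member).read()
            digests[rel_path] = hashlib.sha256(data).hexdigest()
    return digests


def absent_dirs(missing, present):
    """Collapse missing files to the topmost directories with no file in `present`."""
    present_dirs = {str(d) for p in present for d in PurePosixPath(p).parents}
    absent = set()
    for path in missing:
        for parent in list(PurePosixPath(path).parents)[::-1]:  # root first
            name = str(parent)
            if name != "." and name not in present_dirs:
                absent.add(name)
                break
    return sorted(absent)


def compare(repo_tar, dist_tar):
    """Report files unique to either archive and files whose content differs."""
    repo, dist = file_digests(repo_tar), file_digests(dist_tar)
    only_repo = sorted(repo.keys() - dist.keys())
    only_dist = sorted(dist.keys() - repo.keys())
    return {
        # In the repository but not shipped: candidates for a Makefile.am omission.
        "only_in_repo": only_repo,
        # Shipped but not tracked: normally generated or imported at bootstrap time.
        "only_in_dist": only_dist,
        # Same path, different bytes: always worth a manual look.
        "changed": sorted(p for p in repo.keys() & dist.keys() if repo[p] != dist[p]),
        "dirs_missing_from_dist": absent_dirs(only_repo, dist),
    }


# Constructed sample data; file contents are placeholders, not GnuTLS sources.
REPO_FILES = {
    "NEWS": b"3.6.12\n",
    "lib/accelerated/aarch64/Makefile.am": b"placeholder\n",
    "lib/accelerated/aarch64/elf/aes-aarch64.s": b"// elf placeholder\n",
    "lib/accelerated/aarch64/macosx/aes-aarch64.s": b"// macosx placeholder\n",
    "lib/accelerated/aarch64/macosx/ghash-aarch64.s": b"// macosx placeholder\n",
}
DIST_FILES = {
    "NEWS": b"3.6.12\n",
    "lib/accelerated/aarch64/Makefile.am": b"placeholder\n",
    "lib/accelerated/aarch64/elf/aes-aarch64.s": b"// elf placeholder\n",
    "gl/read-file.c": b"/* placeholder */\n",
    "src/gl/read-file.c": b"/* placeholder */\n",
}
REPO_TAR = build_tar("gnutls-snapshot", REPO_FILES)  # hypothetical directory name
DIST_TAR = build_tar("gnutls-3.6.12", DIST_FILES)

if __name__ == "__main__":
    for key, values in compare(REPO_TAR, DIST_TAR).items():
        print(f"{key}:")
        for value in values:
            print(f"  {value}")
```

With real archives, read each file's bytes and pass them to `compare()`; `r:*` handles gzip, bzip2 and xz transparently.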
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 20 Feb 2020 20:31:40 +0000 Subject: [gnutls-devel] GnuTLS | Remove SRP support (#943) References: Message-ID: Nikos Mavrogiannopoulos created an issue: https://gitlab.com/gnutls/gnutls/issues/943 The TLS-SRP protocol ([RFC5054](https://tools.ietf.org/html/rfc5054)) is tied to TLS1.2 protocol, relies on the problematic CBC ciphers and on SHA1. Unless an updated RFC is published to bring the protocol up to today's standards we should consider removing support for it. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/943 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Feb 20 22:08:29 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 20 Feb 2020 21:08:29 +0000 Subject: [gnutls-devel] GnuTLS | Clarify plans for gost implementation (#942) In-Reply-To: References: Message-ID: Andrew Aladjev commented: Hi, yes this option in gnutls is absolutely clear and works perfect. But @lumag merged part of russian national cipher into **nettle** library which **has no such option**. Please see the following commits: 1. https://git.lysator.liu.se/nettle/nettle/commit/946d45d2aa079c0c75300edb7d2f909ae46cf7d2 2. https://git.lysator.liu.se/nettle/nettle/commit/b708992f386eeff076879b0a077d9e917925bd46 3. https://git.lysator.liu.se/nettle/nettle/commit/5c4be62a7ddc59e4c4fe8c7a3a2c39e472732e1b 4. https://git.lysator.liu.se/nettle/nettle/commit/f3c11e596656f2c637f7829f50d7611bd68a3bb4 5. https://git.lysator.liu.se/nettle/nettle/commit/233be7a0fd5297d18a0304fa7c72e20910914a01 6. https://git.lysator.liu.se/nettle/nettle/commit/76c4586596c175ff6aff9ffdbde4a091133cea8f 7. https://git.lysator.liu.se/nettle/nettle/commit/1d7bce28f88b493854810ce21468a996b4d857f1 8. https://git.lysator.liu.se/nettle/nettle/commit/9826eed6b23296eac9e496232ba1b74c1d205694 9. https://git.lysator.liu.se/nettle/nettle/commit/ee2c0aa8dcdf40901a727c6a44dfa02c8c0039b0 10. https://git.lysator.liu.se/nettle/nettle/commit/8a0a625358153724f9e3b8b9c73f4b2d1e8730c6 11. https://git.lysator.liu.se/nettle/nettle/commit/e3d54eeb6b2e01674ddcb71eefe21b55b95945b8 12. https://git.lysator.liu.se/nettle/nettle/commit/21638928596f4d0145ccb09ada6694b973cab882 13. https://git.lysator.liu.se/nettle/nettle/commit/cf4675dc7b7dcad802a47475af63ed30e07a54f6 Today **bind9** for example completely removed all gost functionality and it can come from openssl only. So bind9 removed old option `--with-gost=no` from its code. What plan do gnutls have about gost? Will gost be completely moved into nettle? Should nettle has the same option `--disable-gost` as gnutls? 
-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/942#note_291939001 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Feb 20 22:32:36 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 20 Feb 2020 21:32:36 +0000 Subject: [gnutls-devel] GnuTLS | Clarify plans for gost implementation (#942) In-Reply-To: References: Message-ID: Dmitry Baryshkov commented: Just as a reference. bind9 has removed support for legacy hash/sign algorithm (GOST R 34.10-2001 with GOST R 34.11-94). A work is ongoing on defining DNSSEC option to use contemporary algorithm [draft-belyavskiy-rfc5933-bis](https://tools.ietf.org/html/draft-belyavskiy-rfc5933-bis-01). -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/942#note_291947660 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Feb 21 08:57:17 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 21 Feb 2020 07:57:17 +0000
Subject: [gnutls-devel] GnuTLS | Clarify plans for gost implementation (#942)
In-Reply-To:
References:
Message-ID:

Niels Möller commented:

About Nettle, my thinking is that there's no harm in having support for some weak/broken/untrusted algorithms. And that it's the library or application that does algorithm selection that is responsible for only using appropriate algorithms. Besides gosthash, we have MD4, single DES, ... Those should be used only when required for interop with old stuff.

Gost ecc curves are perhaps a different matter, since they appear to meet current security requirements (unless one suspects parameters have been doctored in some clever way), and it therefore seems more likely that applications may want to support them by default. E.g., if you see an x.509 cert mentioning a public GOST DSA key, should you refuse to use it? If you don't trust the judgement of the CA that issues certs for GOST DSA keys, you probably shouldn't rely on that CA at all. And there may be other use cases, e.g., DH exchange using GOST curves. I don't have the full picture. But the choice is still fully under control of the library or application that uses Nettle.

For Gnutls, having support for gost curves disabled by default seems like a reasonable and conservative choice to me.

When are gost curves used? TLS connections to government web servers? Client certs only, or also server certs?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/942#note_292097250

From gnutls-devel at lists.gnutls.org Fri Feb 21 12:11:11 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 21 Feb 2020 11:11:11 +0000
Subject: [gnutls-devel] GnuTLS | Valgrind: Testsuite fails when libgnutls is built with -O2 (#944)
References:
Message-ID:

Tim Rühsen created an issue: https://gitlab.com/gnutls/gnutls/issues/944

This also affects the HTTPS tests in the Wget/Wget2 test suite.

This is on Debian (unstable) with gc 9.2.1 and valgrind 3.15.0.

```
CFLAGS="-O2 -g" ./configure --disable-doc --enable-valgrind-tests
make -j$(nproc)
make -j$(nproc) check
```

You'll see several tests failing. Here are some examples of the valgrind output.

```
cert.log:==585577== Conditional jump or move depends on uninitialised value(s)
cert.log:==585577==    at 0x48EBC40: decode_complex_string.isra.0 (common.c:397)
cert.log:==585577==    by 0x48EBF8B: _gnutls_x509_dn_to_string (common.c:466)
cert.log:==585577==    by 0x48F9BA7: append_elements (dn.c:160)
cert.log:==585577==    by 0x48FA027: _gnutls_x509_get_dn (dn.c:236)
cert.log:==585577==    by 0x4903F04: print_cert (output.c:1705)
cert.log:==585577==    by 0x4904C34: gnutls_x509_crt_print (output.c:2190)
cert.log:==585577==    by 0x109755: doit (cert.c:128)
cert.log:==585577==    by 0x1092E4: main (utils.c:254)
cert.log:==585577==
cert.log:==585577== Conditional jump or move depends on uninitialised value(s)
cert.log:==585577==    at 0x48FE7A6: _gnutls_x509_read_pkalgo_params (mpi.c:247)
cert.log:==585577==    by 0x4903CF5: _gnutls_x509_crt_read_spki_params (x509_int.h:409)
cert.log:==585577==    by 0x4903CF5: print_crt_pubkey (output.c:1631)
cert.log:==585577==    by 0x4903CF5: print_cert (output.c:1782)
cert.log:==585577==    by 0x4904C34: gnutls_x509_crt_print (output.c:2190)
cert.log:==585577==    by 0x109755: doit (cert.c:128)
cert.log:==585577==    by 0x1092E4: main (utils.c:254)
cert.log:==585577==
chainverify.log:==585663== Conditional jump or move depends on uninitialised value(s)
chainverify.log:==585663==    at 0x48FE77B: _gnutls_x509_read_pkalgo_params (mpi.c:247)
chainverify.log:==585663==    by 0x491DFA9: _gnutls_x509_verify_data (verify.c:1389)
chainverify.log:==585663==    by 0x491E60A: verify_crt (verify.c:767)
chainverify.log:==585663==    by 0x491F8B5: _gnutls_verify_crt_status (verify.c:1012)
chainverify.log:==585663==    by 0x491FF5B: gnutls_x509_crt_list_verify (verify.c:1475)
chainverify.log:==585663==    by 0x10C89E: doit (chainverify.c:170)
chainverify.log:==585663==    by 0x10C344: main (utils.c:254)
chainverify.log:==585663==
dtls-etm.log:==586666== 16,801 bytes in 1 blocks are definitely lost in loss record 53 of 55
dtls-etm.log:==586666==    at 0x483677F: malloc (vg_replace_malloc.c:309)
dtls-etm.log:==586666==    by 0x4883FD5: _mbuffer_alloc_align16 (mbuffers.c:345)
dtls-etm.log:==586666==    by 0x488588D: _gnutls_dgram_read (buffers.c:258)
dtls-etm.log:==586666==    by 0x488588D: _gnutls_read (buffers.c:424)
dtls-etm.log:==586666==    by 0x488588D: _gnutls_io_read_buffered (buffers.c:582)
dtls-etm.log:==586666==    by 0x487BCC7: recv_headers (record.c:1173)
dtls-etm.log:==586666==    by 0x487BCC7: _gnutls_recv_in_buffers (record.c:1307)
dtls-etm.log:==586666==    by 0x487E36D: _gnutls_recv_int (record.c:1773)
dtls-etm.log:==586666==    by 0x487E36D: _gnutls_recv_int (record.c:1752)
dtls-etm.log:==586666==    by 0x10AAE1: client (dtls-etm.c:146)
dtls-etm.log:==586666==    by 0x10AD67: start (dtls-etm.c:319)
dtls-etm.log:==586666==    by 0x10AE75: doit (dtls-etm.c:340)
dtls-etm.log:==586666==    by 0x10A434: main (utils.c:254)
dtls-etm.log:==586666==
pkcs7-gen.log:==586643== Conditional jump or move depends on uninitialised value(s)
pkcs7-gen.log:==586643==    at 0x490AD03: verify_hash_attr (pkcs7.c:799)
pkcs7-gen.log:==586643==    by 0x490AD03: figure_pkcs7_sigdata (pkcs7.c:873)
pkcs7-gen.log:==586643==    by 0x490F1E1: gnutls_pkcs7_sign (pkcs7.c:2528)
pkcs7-gen.log:==586643==    by 0x10A6F0: doit (pkcs7-gen.c:156)
pkcs7-gen.log:==586643==    by 0x10A364: main (utils.c:254)
pkcs7-gen.log:==586643==
resume-with-previous-stek.log:==587985== 3,072 bytes in 1 blocks are definitely lost in loss record 2 of 2
resume-with-previous-stek.log:==587985==    at 0x4838D7B: realloc (vg_replace_malloc.c:836)
resume-with-previous-stek.log:==587985==    by 0x48A8E58: gnutls_realloc_fast (mem.c:56)
resume-with-previous-stek.log:==587985==    by 0x48AC522: gnutls_buffer_append_data (str.c:139)
resume-with-previous-stek.log:==587985==    by 0x48AD98D: _gnutls_buffer_append_data_prefix (str.c:943)
resume-with-previous-stek.log:==587985==    by 0x48AD98D: _gnutls_buffer_append_data_prefix (str.c:932)
resume-with-previous-stek.log:==587985==    by 0x4940BCB: session_ticket_pack (session_ticket.c:483)
resume-with-previous-stek.log:==587985==    by 0x489B962: pack_extension (hello_ext.c:496)
resume-with-previous-stek.log:==587985==    by 0x489B962: _gnutls_hello_ext_pack (hello_ext.c:529)
resume-with-previous-stek.log:==587985==    by 0x489D44B: _gnutls_session_pack (session_pack.c:171)
resume-with-previous-stek.log:==587985==    by 0x4898548: gnutls_session_get_data2 (session.c:172)
resume-with-previous-stek.log:==587985==    by 0x10AADC: client_handshake (resume-with-previous-stek.c:88)
resume-with-previous-stek.log:==587985==    by 0x10AADC: client (resume-with-previous-stek.c:119)
resume-with-previous-stek.log:==587985==    by 0x10AADC: run.constprop.0 (resume-with-previous-stek.c:235)
resume-with-previous-stek.log:==587985==    by 0x10AD5F: doit (resume-with-previous-stek.c:248)
resume-with-previous-stek.log:==587985==    by 0x10A3A4: main (utils.c:254)
resume-with-previous-stek.log:==587985==
resume-with-previous-stek.log:==587993== 2,048 bytes in 1 blocks are definitely lost in loss record 2 of 2
resume-with-previous-stek.log:==587993==    at 0x48366AF: malloc (vg_replace_malloc.c:308)
resume-with-previous-stek.log:==587993==    by 0x4838DE7: realloc (vg_replace_malloc.c:836)
resume-with-previous-stek.log:==587993==    by 0x48A8E58: gnutls_realloc_fast (mem.c:56)
resume-with-previous-stek.log:==587993==    by 0x48AC522: gnutls_buffer_append_data (str.c:139)
resume-with-previous-stek.log:==587993==    by 0x48AD47C: _gnutls_buffer_append_prefix (str.c:765)
resume-with-previous-stek.log:==587993==    by 0x489CF51: _gnutls_session_pack (session_pack.c:105)
resume-with-previous-stek.log:==587993==    by 0x4898548: gnutls_session_get_data2 (session.c:172)
resume-with-previous-stek.log:==587993==    by 0x10AADC: client_handshake (resume-with-previous-stek.c:88)
resume-with-previous-stek.log:==587993==    by 0x10AADC: client (resume-with-previous-stek.c:119)
resume-with-previous-stek.log:==587993==    by 0x10AADC: run.constprop.0 (resume-with-previous-stek.c:235)
resume-with-previous-stek.log:==587993==    by 0x10AD7F: doit (resume-with-previous-stek.c:251)
resume-with-previous-stek.log:==587993==    by 0x10A3A4: main (utils.c:254)
resume-with-previous-stek.log:==587993==
x509sign-verify-error.log:==587824== Conditional jump or move depends on uninitialised value(s)
x509sign-verify-error.log:==587824==    at 0x4F4F868: _nettle_rsa_sec_compute_root_tr (in /usr/lib/x86_64-linux-gnu/libhogweed.so.5.0)
x509sign-verify-error.log:==587824==    by 0x4F4FC4E: nettle_rsa_compute_root_tr (in /usr/lib/x86_64-linux-gnu/libhogweed.so.5.0)
x509sign-verify-error.log:==587824==    by 0x4F5052B: nettle_rsa_pkcs1_sign_tr (in /usr/lib/x86_64-linux-gnu/libhogweed.so.5.0)
x509sign-verify-error.log:==587824==    by 0x497C4E4: _wrap_nettle_pk_sign (pk.c:1086)
x509sign-verify-error.log:==587824==    by 0x48B7303: privkey_sign_prehashed (privkey.c:1426)
x509sign-verify-error.log:==587824==    by 0x48B7612: gnutls_privkey_sign_hash (privkey.c:1384)
x509sign-verify-error.log:==587824==    by 0x109559: doit (x509sign-verify-error.c:186)
x509sign-verify-error.log:==587824==    by 0x1092B4: main (utils.c:254)
x509sign-verify-error.log:==587824==
```

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/944

From gnutls-devel at lists.gnutls.org Fri Feb 21 12:13:49 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 21 Feb 2020 11:13:49 +0000
Subject: [gnutls-devel] GnuTLS | lib: drop unused pbkdf2 helpers (!1194)
In-Reply-To:
References:
Message-ID:

Merge Request !1194 was merged

Merge Request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1194
Project:Branches: GostCrypt/gnutls:pbkdf2 to gnutls/gnutls:master
Author: Dmitry Baryshkov
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1194

From gnutls-devel at lists.gnutls.org Fri Feb 21 13:19:50 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 21 Feb 2020 12:19:50 +0000
Subject: [gnutls-devel] GnuTLS | Tmp gen suppressions (!1195)
References:
Message-ID:

Tim Rühsen created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1195

Branches: tmp-gen-suppressions to master
Author: Tim Rühsen

This adds --gen-suppressions=all to write suppression rules into the test logs. In case of false positives this helps to create new rules for `tests/suppressions.valgrind`.

## Checklist

* [x] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [ ] Code modified for feature
* [ ] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
* [x] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:

* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1195

From gnutls-devel at lists.gnutls.org Fri Feb 21 13:39:43 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 21 Feb 2020 12:39:43 +0000
Subject: [gnutls-devel] GnuTLS | Clarify plans for gost implementation (#942)
In-Reply-To:
References:
Message-ID:

Andrew Aladjev commented:

> E.g., if you see an x.509 cert mentioning a public GOST DSA key, should you refuse to use it? If you don't trust the judgement of the CA that issues certs for GOST DSA keys, you probably shouldn't rely on that CA at all.

I see, you are talking about [MITM on all HTTPS traffic in Kazakhstan](https://bugzilla.mozilla.org/show_bug.cgi?id=1567114), it was fixed by Google and Mozilla by [blocking national CA](https://venturebeat.com/2019/08/21/google-and-mozilla-block-kazakhstan-root-ca-certificate-from-chrome-and-firefox/). After that Chrome and Firefox with national CA almost stopped working. It did **great damage**, so the government quickly removed this certificate and apologized.

This situation is different. I don't trust gost s-boxes because there is no information about their genesis. BTW there is a law in Russia that can force any company to use other s-boxes provided by a federal agency. They can provide strong or weak s-boxes.

> For Gnutls, having support for gost curves disabled by default seems like a reasonable and conservative choice to me.

Gnutls is not the only program depending on nettle. Why not include the same disabled-by-default option for nettle? I can provide patches to disable by default old abandoned algorithms like MD4, sha1, etc. if required.

> TLS connections to government web servers? Client certs only, or also server certs?

It is a part of the national internet project (cheburnet) with gost-only cryptography and a single national CA. All laws have already been signed. The only way to break it is to use the power of default. If gost will be disabled by default in all software, cheburnet won't be turned on, because it will do **great damage**.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/942#note_292269234

From gnutls-devel at lists.gnutls.org Fri Feb 21 16:44:42 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 21 Feb 2020 15:44:42 +0000
Subject: [gnutls-devel] GnuTLS | Clarify plans for gost implementation (#942)
In-Reply-To:
References:
Message-ID:

Dmitry Baryshkov commented:

So, are you afraid of unknown S-Box origins, of rogue CAs or of cheburnet? I see FUD rather than technical arguments, sorry to say that. I really dislike this kind of conversation.

Open Source Software was always about providing a possibility, rather than policy. By adding support for GOST cipher/hash/dsa into OSS projects we fill the niche of proprietary software for users, which do not have to use a certified solution.

GOST 28147-89 is getting replaced by its variant Magma (with fixed S-BOX) and 128-bit cipher Kuznyechik. See GOST R 34.12-2015 / GOST 34.12-2018. And no, as far as I understand there is no law that you have described. Could you please point me to it?

My primary target for GOST was to support pkcs#7 signatures, because they are heavily used in Russia. Next target is TLS, because more and more sites are going to use it (Yandex, Mail.ru have plans for using it).

In GnuTLS there is a `--disable-gost` option that completely disables all GOST algorithms. Also one can use crypto policies to disable GOST. Next major version of GnuTLS will have GOST R 34.11-94 marked as unsuitable for signature verification. I do not think there is anything else to add, unless you can provide actual relevant research papers demonstrating vulnerabilities.

For the Nettle library Niels has expressed that he would like to keep binary compatibility by not disabling any algorithms (even known to be broken).

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/942#note_292428584

From gnutls-devel at lists.gnutls.org Fri Feb 21 18:03:46 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 21 Feb 2020 17:03:46 +0000
Subject: [gnutls-devel] GnuTLS | Clarify plans for gost implementation (#942)
In-Reply-To:
References:
Message-ID:

Andrew Aladjev commented:

> So, are you afraid of unknown S-Box origins, of rogue CAs or of cheburnet?

I am answering questions about usage. Usage is awful and this is not my fault. There is nothing to be afraid of.

> Open Source Software was always about providing a possibility, rather than policy. By adding support for GOST cipher/hash/dsa into OSS projects we fill the niche of proprietary software for users, which do not have to use a certified solution.

Nobody is going to break this possibility. You can merge any kind of algorithms with an option to enable/disable it and everybody will be happy. But you have merged it into nettle as it is and I am sure that it is not acceptable.

> GOST 28147-89 is getting replaced by its variant Magma (with fixed S-BOX) and 128-bit cipher Kuznyechik. See GOST R 34.12-2015 / GOST 34.12-2018. And no, as far as I understand there is no law that you have described. Could you please point me to it?

The licensing process of any cryptosystem by the Russian federal agency requires usage of a completely proprietary gost system without ability to change it. The federal agency decides what s-boxes you will use, not the RFC. There is a [large list of activities](http://clsz.fsb.ru/license.htm) that require licensing and this is not only about state secrets.

> My primary target for GOST was to support pkcs#7 signatures, because they are heavily used in Russia. Next target is TLS, because more and more sites are going to use it (Yandex, Mail.ru have plans for using it).

I see no problem here. The Russian government already signed a law about mandatory installation of Russian software on any electronic device. One of the most important requirements is gost support. You will enable gost and prepare a binary release for installation. Yandex already created a special web browser with gost support. But Yandex is not going to force enabling of gost all over the world.

> In GnuTLS there is a `--disable-gost` option that completely disables all GOST algorithms. Also one can use crypto policies to disable GOST. Next major version of GnuTLS will have GOST R 34.11-94 marked as unsuitable for signature verification. I do not think there is anything else to add, unless you can provide actual relevant research papers demonstrating vulnerabilities.

I have no complaints about gnutls. I have a complaint about nettle, because not only gnutls depends on nettle. I want to be able to disable gost support in nettle in an easy way.

> For the Nettle library Niels has expressed that he would like to keep binary compatibility by not disabling any algorithms (even known to be broken).

Binary compatibility won't be broken without gost, because there was no nettle release with gost support yet. Nothing will be changed if gost will be disabled by default.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/942#note_292475238

From gnutls-devel at lists.gnutls.org Fri Feb 21 18:16:42 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 21 Feb 2020 17:16:42 +0000
Subject: [gnutls-devel] GnuTLS | keylogfile: simplify the callback mechanism (!1196)
References:
Message-ID:

Daiki Ueno created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1196

Branches: tmp-keylog-func to master
Author: Daiki Ueno

The intention of the callback mechanism was to reuse it for monitoring QUIC encryption changes. However, it turned out to be insufficient because such changes must be emitted after epoch is ready.

## Checklist

* [x] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [x] Code modified for feature
* [x] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [x] Documentation updated / NEWS entry present (for non-trivial changes)
* [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:

* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1196

From gnutls-devel at lists.gnutls.org Fri Feb 21 18:34:43 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 21 Feb 2020 17:34:43 +0000
Subject: [gnutls-devel] GnuTLS | WIP: add more functions necessary for QUIC (!1197)
References:
Message-ID:

Daiki Ueno created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1197

Project:Branches: dueno/gnutls:tmp-draft-ietf-quic-tls-25 to gnutls/gnutls:master
Author: Daiki Ueno

This adds:

* a new CH/EE extension `quic_transport_params`
* a callback to get notified with traffic secret changes, after epoch is set up

The following are still missing:

* a function to get the current PRF algorithm
* raw ChaCha20 interface, that allows counter setting (see [ChaCha20-Based Header Protection](https://quicwg.org/base-drafts/draft-ietf-quic-tls.html#name-chacha20-based-header-prote))

You can play with it using [my ngtcp2 branch](https://github.com/ueno/ngtcp2/tree/wip/dueno/crypto-gnutls), though it's still very much work in progress:

```sh
# build and install nghttp3
git clone https://github.com/ngtcp2/nghttp3
cd nghttp3
autoreconf -f -i
./configure --prefix=$HOME/.local/nghttp3
make install
cd ..

# build and install the QUIC-enabled OpenSSL fork
git clone https://github.com/tatsuhiro-t/openssl.git
cd openssl
git checkout OpenSSL_1_1_1d-quic-draft-25
./config --debug enable-tls1_3 --prefix=$HOME/.local/openssl
make
make install_sw
cd ..

# build ngtcp2 (cloned next to the gnutls checkout, see ../gnutls below)
git clone https://github.com/ueno/ngtcp2.git
cd ngtcp2
git checkout wip/dueno/crypto-gnutls
autoreconf -f -i
PKG_CONFIG_PATH=$HOME/.local/openssl/lib/pkgconfig:$HOME/.local/nghttp3/lib/pkgconfig ./configure
make

# start the server
LD_LIBRARY_PATH=$HOME/.local/openssl/lib examples/server -s localhost 4443 ../gnutls/doc/credentials/x509/key-rsa.pem ../gnutls/doc/credentials/x509/cert-rsa.pem

# start the client
GNUTLS_DEBUG_LEVEL=4177 examples-gnutls/client --disable-early-data localhost 4443
```

## Checklist

* [ ] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [ ] Code modified for feature
* [ ] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
* [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:

* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1197

From gnutls-devel at lists.gnutls.org Fri Feb 21 19:34:59 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 21 Feb 2020 18:34:59 +0000
Subject: [gnutls-devel] GnuTLS | WIP: add more functions necessary for QUIC (!1197)
In-Reply-To:
References:
Message-ID:

Tim Rühsen commented:

Off Topic: I opened an issue at LGTM (https://discuss.lgtm.com/t/gnutls-something-went-wrong-bootstrapping-makefile-fragments/2672).

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1197#note_292510668

From gnutls-devel at lists.gnutls.org Fri Feb 21 19:47:26 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 21 Feb 2020 18:47:26 +0000
Subject: [gnutls-devel] GnuTLS | Clarify plans for gost implementation (#942)
In-Reply-To:
References:
Message-ID:

Dmitry Baryshkov commented:

So, how does certification of proprietary software correlate to open source projects? They will never be certified, believe me. Even OpenSSL's gost engine (developed by CryptoCom) can not be certified. This is the significant difference from FIPS certification (where one can certify software after it has been developed).

To repeat one of my previous messages: a list of s-boxes supported for key transport, for CMS files, for TLS key exchange is fixed. They are present in RFC 4357 and RFC 7836. There is no guarantee that proprietary software will support any other S-BOX, so one can not use them to encrypt data in these cases. And strictly speaking I do not care about other users of gost28147 algorithm.

If you do not believe in RFCs, you can resort to reading "recommendation for standardization", "methodical recommendations" and "technical specifications" developed together by GOST's technical committee 26, CryptoPro, InfoTeCS, CryptoCom and other proprietary software vendors.

Niels was talking about binary compatibility between Nettle builds, if I got him right. On top of that support for GOST R 34.11-94 hash algorithm was added in Nettle 2.6. So Nettle contained gost28147 code for ages.

So far we are discussing Nettle on GnuTLS's issue board, which does not seem logical to me. Maybe this discussion should be continued on nettle-bugs ML?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/942#note_292514498

From gnutls-devel at lists.gnutls.org Fri Feb 21 19:49:12 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 21 Feb 2020 18:49:12 +0000
Subject: [gnutls-devel] GnuTLS | Remove SRP support (#943)
In-Reply-To:
References:
Message-ID:

Dmitry Baryshkov commented:

Should SRP support be `#ifdef`'ed out or just dropped?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/943#note_292515072

From gnutls-devel at lists.gnutls.org Fri Feb 21 21:01:46 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 21 Feb 2020 20:01:46 +0000
Subject: [gnutls-devel] GnuTLS | Clarify plans for gost implementation (#942)
In-Reply-To:
References:
Message-ID:

Andrew Aladjev commented:

> So, how does certification of proprietary software correlate to open source projects? They will never be certified, believe me. Even OpenSSL's gost engine (developed by CryptoCom) can not be certified. This is the significant difference from FIPS certification (where one can certify software after it has been developed).

It is dangerous to start using gost. Foreign developers should know that all international cryptography standards have no power in Russia. RFCs about cryptography are just funny papers. There was an [attempt to allow international standards](https://safe.cnews.ru/news/top/medvedev_poruchil_putinu_otkryt_dorogu) in Russia, but it failed. After the licensing process your gost support becomes a black box without access. Licensing is required for almost all activities except personal.

Gost is not a good algorithm, it is just the only one allowed for national usage. There is no guarantee that Russian proprietary software will support any other S-box, but there is a proven fact that there are weak S-boxes. You can use gost outside Russia if unknown genesis of S-boxes from RFC is ok for you. But please let all post-USSR country users disable it.

> Niels was talking about binary compatibility between Nettle builds, if I got him right. On top of that support for GOST R 34.11-94 hash algorithm was added in Nettle 2.6. So Nettle contained gost28147 code for ages.

I completely agree with you and Niels about that. All old algorithms like MD*, SHA-1 and maybe some gost parts should not be removed and stay for historical reasons and compatibility. But please sanitize all new gost functions with `IF_GOST` and `WITH_GOST`. These functions are not a part of any existing nettle release. I've already provided a patch.

Thank you.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/942#note_292541149

From gnutls-devel at lists.gnutls.org Fri Feb 21 21:27:45 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 21 Feb 2020 20:27:45 +0000
Subject: [gnutls-devel] GnuTLS | Clarify plans for gost implementation (#942)
In-Reply-To:
References:
Message-ID:

Niels Möller commented:

My questions for gnutls are:

1. Do you intend to keep the --disable-gost option, even if we get to a state where gnutls' gost code no longer accesses nettle's ecc internals?
2. Do you expect the default to stay disabled for the foreseeable future, in official gnutls releases as well as in mainstream distros?
3. In which cases do you expect users to need software with gost support, e.g., to access Russian web sites?

As for Nettle details, I suggest we keep the discussion on the public nettle mailing list.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/942#note_292552345

From gnutls-devel at lists.gnutls.org Fri Feb 21 21:53:40 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 21 Feb 2020 20:53:40 +0000
Subject: [gnutls-devel] GnuTLS | Clarify plans for gost implementation (#942)
In-Reply-To:
References:
Message-ID:

Dmitry Baryshkov commented:

1. I think so, because it allows users to compile out GOST support (and Andrew perfectly demonstrates that this feature is demanded by our users).
2. To clarify: GOST algorithms are enabled by default (to allow one to work with certificates, to check signatures, etc). On the other hand GOST ciphersuites are excluded from `NORMAL`, but can be easily enabled in config file. @nmav can probably better comment on his future intents.
3. For now it is working with certificates, signatures mostly (official digital documents in Russia are signed with GOST DSA). There are not so many sites requiring GOST TLS ciphersuites (mostly government, taxes, tenders, etc). But there are rumors that amount of such sites might increase.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/942#note_292562468

From gnutls-devel at lists.gnutls.org Sat Feb 22 08:21:12 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sat, 22 Feb 2020 07:21:12 +0000 Subject: [gnutls-devel] GnuTLS | keylogfile: simplify the callback mechanism (!1196) In-Reply-To: References: Message-ID: Daiki Ueno pushed new commits to merge request !1196 https://gitlab.com/gnutls/gnutls/-/merge_requests/1196 * 8da3a71b - keylogfile: simplify the callback mechanism -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1196 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun Feb 23 09:03:04 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sun, 23 Feb 2020 08:03:04 +0000 Subject: [gnutls-devel] GnuTLS | Why are released versions from gitlab and gnupg.org different? (#939) In-Reply-To: References: Message-ID: Ross Nicholson commented: https://gitlab.com/gnutls/gnutls/-/merge_requests/1198 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/939#note_292846915 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun Feb 23 09:02:39 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sun, 23 Feb 2020 08:02:39 +0000 Subject: [gnutls-devel] GnuTLS | Adding missing macosx directory for aarch64 acceleration (!1198) References: Message-ID: Ross Nicholson created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1198 Project:Branches: phunkyfish/gnutls:macosx-aarch64-accel to gnutls/gnutls:master Author: Ross Nicholson

Add a description of the new feature/bug fix. Reference any relevant bugs.

MR for patch supplied in https://gitlab.com/gnutls/gnutls/issues/939. Fixes incorrect makefile for missing macosx directory for aarch64 acceleration.

## Checklist

* [ ] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [ ] Code modified for feature
* [ ] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
* [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:

* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1198 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun Feb 23 09:22:14 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sun, 23 Feb 2020 08:22:14 +0000 Subject: [gnutls-devel] GnuTLS | Adding missing macosx directory for aarch64 acceleration (!1198) In-Reply-To: References: Message-ID: Ross Nicholson commented: Here is the patch supplied by @Rechi. I'll be honest I don't see how this is different to the original code and means the macosx dir will get included. But I am no expert in makefiles. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1198#note_292865221 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Feb 24 15:07:51 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 24 Feb 2020 14:07:51 +0000 Subject: [gnutls-devel] GnuTLS | Adding missing macosx directory for aarch64 acceleration (!1198) In-Reply-To: References: Message-ID: Dmitry Baryshkov commented: @phunkyfish could you please fix CI timeouts to 2h (Settings/CICD/General pipelines/Timeout). LGTM otherwise. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1198#note_293371060 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Feb 24 16:02:47 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 24 Feb 2020 15:02:47 +0000 Subject: [gnutls-devel] GnuTLS | aead_decrypt broken on armeb (#941) In-Reply-To: References: Message-ID: Dmitry Baryshkov commented: Closing now, it's an issue in Nettle library. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/941#note_293413082 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Feb 24 16:03:40 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 24 Feb 2020 15:03:40 +0000 Subject: [gnutls-devel] GnuTLS | aead_decrypt broken on armeb (#941) In-Reply-To: References: Message-ID: Issue was closed by Dmitry Baryshkov Issue #941: https://gitlab.com/gnutls/gnutls/issues/941 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/941 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Feb 24 16:29:10 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 24 Feb 2020 15:29:10 +0000 Subject: [gnutls-devel] GnuTLS | Adding missing macosx directory for aarch64 acceleration (!1198) In-Reply-To: References: Message-ID: Ross Nicholson commented: Setting changed and rerunning pipeline now. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1198#note_293430637 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Feb 24 22:21:19 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 24 Feb 2020 21:21:19 +0000 Subject: [gnutls-devel] GnuTLS | Clarify plans for gost implementation (#942) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos commented: I think the discussion is getting quite out of track, but to answer @lumag with 3.6.12 we provide the foundation to use GOST with gnutls. One can use it for PKI, and enable it for TLS for the applications that use the defaults. With that I think that we get into the wait and see how is this going to be used. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/942#note_293609944 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Feb 24 22:25:00 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 24 Feb 2020 21:25:00 +0000 Subject: [gnutls-devel] GnuTLS | Adding missing macosx directory for aarch64 acceleration (!1198) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos commented: Hi, You need to add your real name in the commit and have the signoff-by header (you can use git commit -s) -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1198#note_293611136 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Feb 24 22:29:22 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 24 Feb 2020 21:29:22 +0000 Subject: [gnutls-devel] GnuTLS | Remove SRP support (#943) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos commented: I have not thought about implementation of it. We already have an ifdef for it, and a way to disable it could be to invert `--disable-srp-authentication` option, and drop it a major release later. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/943#note_293612372 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Feb 24 22:30:46 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 24 Feb 2020 21:30:46 +0000 Subject: [gnutls-devel] GnuTLS | Service Desk (from noloader@gmail.com): GnuTLS 3.6.12 and Failed slow tests with --disable-full-test-suite (#929) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos commented: We may want to treat any disablement that is not part of `tests/suite/` as bug. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/929#note_293612788 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Feb 24 22:44:52 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 24 Feb 2020 21:44:52 +0000 Subject: [gnutls-devel] GnuTLS | Adding missing macosx directory for aarch64 acceleration (!1198) In-Reply-To: References: Message-ID: Ross Nicholson pushed new commits to merge request !1198 https://gitlab.com/gnutls/gnutls/-/merge_requests/1198 * 044652ad - Adding missing macosx directory for aarch64 acceleration -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1198 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Feb 25 00:09:19 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 24 Feb 2020 23:09:19 +0000 Subject: [gnutls-devel] GnuTLS | Service Desk (from noloader@gmail.com): GnuTLS 3.6.12 and failed self tests when using Padlock engine (#930) In-Reply-To: References: Message-ID: Dmitry Baryshkov commented: It looks like I have found an issue. And it looks broken since 2013 (c8adb661b59e303b18c22623b0489cc2b7d1a965). I will submit a MR soon. It looks like there are other minor bugs, so expect more MRs in that area. BTW: where is SHA512 support documented? Could not find one in my copy of padlock programming guide. BTW2: after installing bigger hdd (or ssd) it might be possible to setup a gitlab runner on the box. BTW3: hmm, I should consider getting VIA c7 in addition to nano... -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/930#note_293641968 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Feb 25 00:20:41 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 24 Feb 2020 23:20:41 +0000 Subject: [gnutls-devel] GnuTLS | Service Desk (from noloader@gmail.com): GnuTLS 3.6.12 and failed self tests when using Padlock engine (#930) In-Reply-To: References: Message-ID: Dmitry Baryshkov commented: BTW4: I got issues with `rep xsha256` with 0 length and NULL data on nano. Instruction works, but data argument should be non null. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/930#note_293644325 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Feb 25 01:48:04 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 25 Feb 2020 00:48:04 +0000 Subject: [gnutls-devel] GnuTLS | Service Desk (from noloader@gmail.com): GnuTLS 3.6.12 and failed self tests when using Padlock engine (#930) In-Reply-To: References: Message-ID: GitLab Support Bot commented:

> > It looks like I have found an issue. And it looks broken since 2013 (c8adb661). I will submit a MR soon.
> > It looks like there are other minor bugs, so expect more MRs in that area.
> > BTW: where is SHA512 support documented? Could not find one in my copy of padlock programming guide.

I don't believe the machine has SHA-512, but it has been a while since I did Padlock programming. I keep a copy of the docs cribbed away at https://www.cryptopp.com/wiki/VIA_Padlock#Downloads .

> BTW2: after installing bigger hdd (or ssd) it might be possible to setup a gitlab runner on the box.

I can provide access to my C7-D. I added a 128GB ssd, so there's plenty of room. The machine exists solely for testing. You can run your runner on it. If you want SSH access then send over your authorized_keys. noloader, gmail account.

> BTW3: hmm, I should consider getting VIA c7 in addition to nano...

For a while a company called Qotom was selling machines with the C7-D. I picked mine up at https://www.amazon.com/gp/product/B01AXR2KBQ .

Jeff

-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/930#note_293658898 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Feb 25 09:52:45 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 25 Feb 2020 08:52:45 +0000 Subject: [gnutls-devel] GnuTLS | Adding missing macosx directory for aarch64 acceleration (!1198) In-Reply-To: References: Message-ID: Ross Nicholson commented: Ok, should be ready to merge now when you have the time. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1198#note_293802600 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Feb 25 19:37:54 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 25 Feb 2020 18:37:54 +0000 Subject: [gnutls-devel] GnuTLS | Adding missing macosx directory for aarch64 acceleration (!1198) In-Reply-To: References: Message-ID: Merge Request !1198 was approved by Nikos Mavrogiannopoulos Merge Request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1198 Project:Branches: phunkyfish/gnutls:macosx-aarch64-accel to gnutls/gnutls:master Author: Ross Nicholson Assignees: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1198 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Feb 25 19:38:09 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 25 Feb 2020 18:38:09 +0000 Subject: [gnutls-devel] GnuTLS | Why are released versions from gitlab and gnupg.org different? (#939) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos commented: Closed by !1198 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/939#note_294212418 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Feb 25 19:38:11 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 25 Feb 2020 18:38:11 +0000 Subject: [gnutls-devel] GnuTLS | Why are released versions from gitlab and gnupg.org different? (#939) In-Reply-To: References: Message-ID: Issue was closed by Nikos Mavrogiannopoulos Issue #939: https://gitlab.com/gnutls/gnutls/issues/939 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/939 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Feb 25 19:38:00 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 25 Feb 2020 18:38:00 +0000 Subject: [gnutls-devel] GnuTLS | Adding missing macosx directory for aarch64 acceleration (!1198) In-Reply-To: References: Message-ID: Merge Request !1198 was merged Merge Request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1198 Project:Branches: phunkyfish/gnutls:macosx-aarch64-accel to gnutls/gnutls:master Author: Ross Nicholson Assignees: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1198 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Feb 25 19:38:17 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 25 Feb 2020 18:38:17 +0000 Subject: [gnutls-devel] GnuTLS | Adding missing macosx directory for aarch64 acceleration (!1198) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos commented: Thank you! -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1198#note_294212468 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Feb 25 23:59:37 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 25 Feb 2020 22:59:37 +0000 Subject: [gnutls-devel] GnuTLS | aead_decrypt broken on armeb (#941) In-Reply-To: References: Message-ID: Andrew Aladjev commented: I've created docker image "puchuu/test_armeb-unknown-linux-gnueabi" today. Gnutls works fine if nettle was built without asm use. Tested gnutls tests - all passed except 4 seccomp tests. But seccomp is another issue. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/941#note_294295144 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Feb 26 01:40:18 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 26 Feb 2020 00:40:18 +0000 Subject: [gnutls-devel] GnuTLS | gnutls relies on glibc-specific getpass functionality in tests (#945) References: Message-ID: Artemis Tosini created an issue: https://gitlab.com/gnutls/gnutls/issues/945

## Description of problem:

The certtool test in cert-tests does not detect any password and fails at [line 59](https://gitlab.com/gnutls/gnutls/-/blob/master/tests/cert-tests/certtool#L59) since it relies on getpass falling back to stdin and stderr if it is unable to connect to a TTY. This only occurs on glibc ([source code](https://sourceware.org/git/?p=glibc.git;a=blob;f=misc/getpass.c;h=1a9379e116ba5afb568f606ffff7b358d5d387c3;hb=HEAD#l58)), while other libcs like musl ([source code](https://git.musl-libc.org/cgit/musl/tree/src/legacy/getpass.c#n15)) do not have this behaviour.

I can think of a few options to fix this

* Change [getpass_copy](https://gitlab.com/gnutls/gnutls/-/blob/master/src/common.c#L1026) to directly use utility functions in `termios.h`. This would be most compatible with existing scripts. Note that according to [its man page](https://linux.die.net/man/3/getpass), getpass is obsolete.
* Stop relying on this behavior and test functionality another way, such as giving another password and making sure certtool fails.
* Try to make a pty so that the existing test line still works. This should be possible, but I have no idea how to do it.

## Version of gnutls used:

3.6.12

## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)

NixOS

## How reproducible:

Steps to Reproduce:

* Build gnutls with musl libc (in my case `nix-build '' -A pkgsMusl.gnutls`)
* Run tests

## Actual results:

The test fails with the following log:

```
Generating a 3072 bit RSA private key...
Generating a self signed certificate...
No PIN given.
note: when operating in batch mode, set the GNUTLS_PIN or GNUTLS_SO_PIN environment variables
cert generation failed
FAIL certtool (exit status: 1)
```

## Expected results:

The test should pass

-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/945 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Feb 26 13:04:55 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 26 Feb 2020 12:04:55 +0000 Subject: [gnutls-devel] GnuTLS | Let valgrind suggest suppression rules on any issue it finds (!1195) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos started a new discussion on tests/suppressions.valgrind: https://gitlab.com/gnutls/gnutls/-/merge_requests/1195#note_294582662 > fun:fillin_rpath > ... > } > +{ > + gnutls-false-positive Do you know the reason this is marked as false positive? Is it a valgrind issue? (the commit message isn't very helpful) -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1195#note_294582662 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Feb 26 13:06:00 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 26 Feb 2020 12:06:00 +0000 Subject: [gnutls-devel] GnuTLS | support non-NULL-terminated PSKs (!917) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos commented: @juaristi ? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/917#note_294583333 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Feb 26 13:07:36 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 26 Feb 2020 12:07:36 +0000 Subject: [gnutls-devel] GnuTLS | Clarify plans for gost implementation (#942) In-Reply-To: References: Message-ID: Issue was closed by Nikos Mavrogiannopoulos Issue #942: https://gitlab.com/gnutls/gnutls/issues/942 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/942 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Feb 26 13:10:41 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 26 Feb 2020 12:10:41 +0000 Subject: [gnutls-devel] GnuTLS | Service Desk (from noloader@gmail.com): GnuTLS 3.6.12 and "Error: no such instruction: `xgetbv'" (#928) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos commented: Centos5 is too old to handle recent gnutls with all necessary bells and whistles. I'd suggest to use `--disable-hardware-acceleration` or better try a more recent version of rhel/centos. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/928#note_294586205 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Feb 26 13:29:40 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 26 Feb 2020 12:29:40 +0000 Subject: [gnutls-devel] GnuTLS | Let valgrind suggest suppression rules on any issue it finds (!1195) In-Reply-To: References: Message-ID: Tim Rühsen commented on a discussion on tests/suppressions.valgrind: https://gitlab.com/gnutls/gnutls/-/merge_requests/1195#note_294599688 > fun:fillin_rpath > ... > } > +{ > + gnutls-false-positive I *guess* it's a false positive. I can reproduce it when building GnuTLS with -O2 (tried different version of gcc). Since Debian uses -O2, this affects testing any software linked to libgnutls. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1195#note_294599688 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Feb 26 13:38:21 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 26 Feb 2020 12:38:21 +0000 Subject: [gnutls-devel] GnuTLS | Let valgrind suggest suppression rules on any issue it finds (!1195) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos commented on a discussion on tests/suppressions.valgrind: https://gitlab.com/gnutls/gnutls/-/merge_requests/1195#note_294606103 > fun:fillin_rpath > ... > } > +{ > + gnutls-false-positive Does the guess mean that you'd like me or someone else to verify? Do you have the original valgrind error? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1195#note_294606103 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Feb 26 13:41:03 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 26 Feb 2020 12:41:03 +0000 Subject: [gnutls-devel] GnuTLS | Let valgrind suggest suppression rules on any issue it finds (!1195) In-Reply-To: References: Message-ID: Tim Rühsen commented on a discussion on tests/suppressions.valgrind: https://gitlab.com/gnutls/gnutls/-/merge_requests/1195#note_294607667 > fun:fillin_rpath > ... > } > +{ > + gnutls-false-positive I couldn't find the fault in libgnutls. I don't have the original error at hand, but just rebuild with CFLAGS="-O2 -g" and `make check` should bring it out. If not let me know and I reproduce to send you the symbolized valgrind output. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1195#note_294607667 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Feb 26 13:41:40 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 26 Feb 2020 12:41:40 +0000 Subject: [gnutls-devel] GnuTLS | Let valgrind suggest suppression rules on any issue it finds (!1195) In-Reply-To: References: Message-ID: Dmitry Baryshkov commented on a discussion on tests/suppressions.valgrind: https://gitlab.com/gnutls/gnutls/-/merge_requests/1195#note_294608089 > fun:fillin_rpath > ... > } > +{ > + gnutls-false-positive It is probably new glibc optimisation of string functions. I've seen this kind of false positives in recent systems. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1195#note_294608089 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Feb 26 17:06:06 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 26 Feb 2020 16:06:06 +0000 Subject: [gnutls-devel] GnuTLS | keylogfile: simplify the callback mechanism (!1196) In-Reply-To: References: Message-ID: Daiki Ueno commented: @rockdaboot would it be possible to take a look at this? This is a partial reversion of !1184 which you reviewed :-) -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1196#note_294762799 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Feb 26 18:00:40 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 26 Feb 2020 17:00:40 +0000 Subject: [gnutls-devel] GnuTLS | Let valgrind suggest suppression rules on any issue it finds (!1195) In-Reply-To: References: Message-ID: Tim Rühsen commented on a discussion on tests/suppressions.valgrind: https://gitlab.com/gnutls/gnutls/-/merge_requests/1195#note_294798392 > fun:fillin_rpath > ... > } > +{ > + gnutls-false-positive

Here is just one example from many:

```
==592408== Conditional jump or move depends on uninitialised value(s)
==592408==    at 0x48E8520: decode_complex_string.isra.0 (common.c:397)
==592408==    by 0x48E886B: _gnutls_x509_dn_to_string (common.c:466)
==592408==    by 0x48F6487: append_elements (dn.c:160)
==592408==    by 0x48F6907: _gnutls_x509_get_dn (dn.c:236)
==592408==    by 0x491F2F2: _gnutls_parse_general_name2 (x509.c:1776)
==592408==    by 0x492CB5D: gnutls_x509_ext_import_subject_alt_names (x509_ext.c:244)
==592408==    by 0x49224D9: cache_alt_names (x509.c:389)
==592408==    by 0x49224D9: gnutls_x509_crt_import (x509.c:644)
==592408==    by 0x4922903: gnutls_x509_crt_list_import (x509.c:3847)
==592408==    by 0x4922BBB: gnutls_x509_crt_list_import2 (x509.c:3727)
==592408==    by 0x492B931: gnutls_x509_trust_list_add_trust_mem (verify-high2.c:93)
==592408==    by 0x492BD91: gnutls_x509_trust_list_add_trust_file (verify-high2.c:378)
==592408==    by 0x48AB15F: add_system_trust (certs.c:131)
==592408==    by 0x48AB15F: gnutls_x509_trust_list_add_system_trust (certs.c:372)
==592408==
FAIL trust-store (exit status: 1)
```

-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1195#note_294798392 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Feb 26 18:01:15 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 26 Feb 2020 17:05:02 +0000
Subject: [gnutls-devel] GnuTLS | keylogfile: simplify the callback mechanism (!1196)
In-Reply-To:
References:
Message-ID:

Tim Rühsen commented:

LGTM pull request analysis was skipped for 8da3a71b358aa4a3199d1ee72c4e0d25a4588131 by [rockdaboot](https://gitlab.com/rockdaboot). Analysis of future commits will happen as normal.

---

*Comment posted by [LGTM.com](https://lgtm.com)*

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1196#note_294800711
You're receiving this email because of your account on gitlab.com.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From gnutls-devel at lists.gnutls.org Wed Feb 26 18:13:53 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 26 Feb 2020 17:13:53 +0000
Subject: [gnutls-devel] GnuTLS | keylogfile: simplify the callback mechanism (!1196)
In-Reply-To:
References:
Message-ID:

Merge Request !1196 was approved by Tim Rühsen

Merge Request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1196
Branches: tmp-keylog-func to master
Author: Daiki Ueno
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1196
You're receiving this email because of your account on gitlab.com.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From gnutls-devel at lists.gnutls.org Wed Feb 26 18:17:04 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 26 Feb 2020 17:17:04 +0000
Subject: [gnutls-devel] GnuTLS | keylogfile: simplify the callback mechanism (!1196)
In-Reply-To:
References:
Message-ID:

Tim Rühsen commented:

@dueno How can I review an expert's code when I am not so deep into the topic? Only a rough check for obvious failures / mistakes is possible, given a short amount of time. It would not be efficient for a reviewer to become an expert in the topic just for one review.

So all I can say: LGTM.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1196#note_294807201
You're receiving this email because of your account on gitlab.com.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From gnutls-devel at lists.gnutls.org Thu Feb 27 06:01:05 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 27 Feb 2020 05:01:05 +0000
Subject: [gnutls-devel] GnuTLS | keylogfile: simplify the callback mechanism (!1196)
In-Reply-To:
References:
Message-ID:

Daiki Ueno commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/1196#note_295074942

@rockdaboot I didn't consider this an expert's code because the large part of the commit is basically just a revert. Maybe I should have split the new commit into the actual revert commit and extra modification. Let me try to do that.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1196#note_295074942
You're receiving this email because of your account on gitlab.com.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From gnutls-devel at lists.gnutls.org Thu Feb 27 10:38:49 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 27 Feb 2020 09:38:49 +0000
Subject: [gnutls-devel] GnuTLS | keylogfile: simplify the callback mechanism (!1196)
In-Reply-To:
References:
Message-ID:

Tim Rühsen commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/1196#note_295199972

No need for that. Just go ahead.

I only wanted to display what reviewing means, namely that it does not (necessarily) involve deep understanding of the semantics, but involves more of style, syntax, form, completeness, obvious errors, etc. Your message gave me a feeling that there *might* be misunderstandings and I wanted to make clear (citation "This is a partial reversion of !1184 (merged) which you reviewed :-)".

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1196#note_295199972
You're receiving this email because of your account on gitlab.com.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From gnutls-devel at lists.gnutls.org Thu Feb 27 11:20:06 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 27 Feb 2020 10:20:06 +0000
Subject: [gnutls-devel] GnuTLS | Let valgrind suggest suppression rules on any issue it finds (!1195)
In-Reply-To:
References:
Message-ID:

Tim Rühsen commented on a discussion on tests/suppressions.valgrind:

https://gitlab.com/gnutls/gnutls/-/merge_requests/1195#note_295230515

> fun:fillin_rpath > ... > } > +{ > + gnutls-false-positive

And this is what *every* usage of GnuTLS in wget produces on Debian (since several months now):

```
==14422== Conditional jump or move depends on uninitialised value(s)
==14422==    at 0x4C2BE61: ??? (in /usr/lib/x86_64-linux-gnu/libgnutls.so.30.26.2)
==14422==    by 0x4C2C1EB: ??? (in /usr/lib/x86_64-linux-gnu/libgnutls.so.30.26.2)
==14422==    by 0x4C3B38F: ??? (in /usr/lib/x86_64-linux-gnu/libgnutls.so.30.26.2)
==14422==    by 0x4C3B827: ??? (in /usr/lib/x86_64-linux-gnu/libgnutls.so.30.26.2)
==14422==    by 0x4C6664A: ??? (in /usr/lib/x86_64-linux-gnu/libgnutls.so.30.26.2)
==14422==    by 0x4C74C2D: gnutls_x509_ext_import_subject_alt_names (in /usr/lib/x86_64-linux-gnu/libgnutls.so.30.26.2)
==14422==    by 0x4C69D19: gnutls_x509_crt_import (in /usr/lib/x86_64-linux-gnu/libgnutls.so.30.26.2)
==14422==    by 0x4C6A193: gnutls_x509_crt_list_import (in /usr/lib/x86_64-linux-gnu/libgnutls.so.30.26.2)
==14422==    by 0x4C6A45B: gnutls_x509_crt_list_import2 (in /usr/lib/x86_64-linux-gnu/libgnutls.so.30.26.2)
==14422==    by 0x4C738B1: gnutls_x509_trust_list_add_trust_mem (in /usr/lib/x86_64-linux-gnu/libgnutls.so.30.26.2)
==14422==    by 0x4C73D61: gnutls_x509_trust_list_add_trust_file (in /usr/lib/x86_64-linux-gnu/libgnutls.so.30.26.2)
==14422==    by 0x4BEC61F: gnutls_x509_trust_list_add_system_trust (in /usr/lib/x86_64-linux-gnu/libgnutls.so.30.26.2)
==14422==  Uninitialised value was created by a stack allocation
==14422==    at 0x4C2BC7E: ??? (in /usr/lib/x86_64-linux-gnu/libgnutls.so.30.26.2)
==14422==
```

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1195#note_295230515
You're receiving this email because of your account on gitlab.com.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From gnutls-devel at lists.gnutls.org Thu Feb 27 11:47:39 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 27 Feb 2020 10:47:39 +0000
Subject: [gnutls-devel] GnuTLS | keylogfile: simplify the callback mechanism (!1196)
In-Reply-To:
References:
Message-ID:

All discussions on Merge Request !1196 were resolved by Daiki Ueno

https://gitlab.com/gnutls/gnutls/-/merge_requests/1196

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1196
You're receiving this email because of your account on gitlab.com.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From gnutls-devel at lists.gnutls.org Thu Feb 27 11:47:46 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 27 Feb 2020 10:47:46 +0000
Subject: [gnutls-devel] GnuTLS | keylogfile: simplify the callback mechanism (!1196)
In-Reply-To:
References:
Message-ID:

Merge Request !1196 was merged

Merge Request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1196
Branches: tmp-keylog-func to master
Author: Daiki Ueno
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1196
You're receiving this email because of your account on gitlab.com.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From gnutls-devel at lists.gnutls.org Thu Feb 27 11:47:38 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 27 Feb 2020 10:47:38 +0000
Subject: [gnutls-devel] GnuTLS | keylogfile: simplify the callback mechanism (!1196)
In-Reply-To:
References:
Message-ID:

Daiki Ueno commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/1196#note_295254851

OK, then I'm merging this as is; thanks for the review!

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1196#note_295254851
You're receiving this email because of your account on gitlab.com.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From gnutls-devel at lists.gnutls.org Fri Feb 28 15:45:35 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 28 Feb 2020 14:45:35 +0000
Subject: [gnutls-devel] GnuTLS | RFC: ephemeral-api: add a mechanism to define ephemeral API (!1199)
References:
Message-ID:

Daiki Ueno created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1199

Branches: tmp-ephemeral-api to master
Author: Daiki Ueno

Background: we are currently implementing ESNI and QUIC support API in GnuTLS. The problem is that those protocols are not finalized yet and we cannot know if those API functions will be necessary in the final versions of the protocols, while we need to assure ABI stability to some degree.

This adds a header trick to expose private variable through a new private function `_gnutls_ephemeral_get`, which returns an internal function symbol.

## Checklist
* [x] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [ ] Code modified for feature
* [x] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
* [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:
* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1199
You're receiving this email because of your account on gitlab.com.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From gnutls-devel at lists.gnutls.org Fri Feb 28 16:24:06 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 28 Feb 2020 15:24:06 +0000
Subject: [gnutls-devel] GnuTLS | Unable to use Ed25519 keys from PKCS#11 (#946)
References:
Message-ID:

Jakub Jelen created an issue: https://gitlab.com/gnutls/gnutls/issues/946

## Description of problem:

Trying to list CK_EC_EDWARDS public key from PKCS#11 module fails. The GnuTLS I am using is behaving like it would not know this key type (see the logs below).

## Version of gnutls used:

`gnutls-3.6.11-1.fc31.x86_64`

## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)

Fedora

## How reproducible:

deterministic

Steps to Reproduce:

* Build OpenSC with EdDSA support (or have different PKCS#11 module supporting ED keys -- softhsm)
* Generate Ed25519 key pair in module (I used Nitrokey with GNUK applet and softhsm)
* Try to list objects in the pkcs11 module

## Actual results:

```
$ PKCS11SPY=`realpath src/pkcs11/.libs/opensc-pkcs11.so` p11tool -d9999 --list-all --provider `realpath src/pkcs11/.libs/pkcs11-spy.so` "pkcs11:model=PKCS%2315%20emulated;manufacturer=OpenPGP%20project;serial=fffe43245521;token=OpenPGP%20card%20%28User%20PIN%29"
...
29: C_GetAttributeValue
2020-02-26 09:54:01.479
[in] hSession = 0x558b896d8650
[in] hObject = 0x558b896d79f0
[in] pTemplate[1]:
    CKA_KEY_TYPE 00007ffd64a23988 / 8
[out] pTemplate[1]:
    CKA_KEY_TYPE CKK_EC_EDWARDS
Returned: 0 CKR_OK
|<2>| requested reading public key of unsupported type 64
|<3>| ASSERT: pkcs11.c[pkcs11_read_pubkey]:1902
|<3>| ASSERT: pkcs11.c[pkcs11_obj_import_pubkey]:1942
|<3>| ASSERT: pkcs11.c[pkcs11_import_object]:2165
```

## Expected results:

The EdDSA keys should be listed as objects. If I see right, this functionality should be in since b2d81349 (~1 year ago), while my release is just 2 months old, but it does not look like working with softhsm2 nor with OpenSC (https://github.com/OpenSC/OpenSC/pull/1960).

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/946
You're receiving this email because of your account on gitlab.com.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From gnutls-devel at lists.gnutls.org Fri Feb 28 16:26:44 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 28 Feb 2020 15:26:44 +0000
Subject: [gnutls-devel] GnuTLS | Add support for loading Ed25519 keys from PKCS#11 and using them (!1200)
References:
Message-ID:

Jakub Jelen created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1200

Project:Branches: jjelen/gnutls:eddsa-pkcs11 to gnutls/gnutls:master
Author: Jakub Jelen

Fixes #946

I will have to look into testing this later if needed. So far tested manually in OpenSC, that I am able to load EdDSA Key into gnutls and use them to create self-signed certificate:

```
Key pair generated:
Private Key Object; EC_EDWARDS
  label:      EDDSA
  ID:         05
  Usage:      decrypt, sign, unwrap, derive
  Access:     sensitive, always sensitive, never extractable, local
Public Key Object; EC_EDWARDS EC_POINT 255 bits
  EC_POINT:   0420aa0e50140a7f0c88f0cbcfb97a82f50814c22968f9547da18756a513b95ffbc6
  EC_PARAMS:  130c656477617264733235353139
  label:      EDDSA
  ID:         05
  Usage:      encrypt, verify, wrap, derive
  Access:     local
Generating a self signed certificate...
X.509 Certificate Information:
    Version: 3
    Serial Number (hex): 52200fa099f0b6dc47e0ac7edebedb27f3e9f871
    Validity:
        Not Before: Fri Feb 28 15:16:17 UTC 2020
        Not After: Sat Feb 27 15:16:17 UTC 2021
    Subject: O=OpenSC
    Subject Public Key Algorithm: EdDSA (Ed25519)
    Algorithm Security Level: High (256 bits)
        Curve: Ed25519
        X:
            aa:0e:50:14:0a:7f:0c:88:f0:cb:cf:b9:7a:82:f5:08
            14:c2:29:68:f9:54:7d:a1:87:56:a5:13:b9:5f:fb:c6
    Extensions:
        Basic Constraints (critical):
            Certificate Authority (CA): FALSE
        Subject Alternative Name (not critical):
            RFC822Name: none at example.org
        Key Usage (critical):
            Digital signature.
        Subject Key Identifier (not critical):
            09322de3f242ea5066c96ae46c1b27104ac453be
Other Information:
    Public Key ID:
        sha1:09322de3f242ea5066c96ae46c1b27104ac453be
        sha256:60bfb7e740ca4cd3ca05fae5a6bdc2a6be51d635e998e9a8bf9f31ea70356f1a
    Public Key PIN:
        pin-sha256:YL+350DKTNPKBfrlpr3Cpr5R1jXpmOmov58x6nA1bxo=

Signing certificate...
Using slot 0 with a present token (0x1b840330)
Created certificate:
Certificate Object; type = X.509 cert
  label:      EDDSA
  subject:    DN: O=OpenSC
  ID:         05
```

## Checklist
* [X] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [X] Code modified for feature
* [ ] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
* [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:
* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1200
You're receiving this email because of your account on gitlab.com.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From gnutls-devel at lists.gnutls.org Fri Feb 28 16:48:01 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 28 Feb 2020 15:48:01 +0000
Subject: [gnutls-devel] GnuTLS | RFC: ephemeral-api: add a mechanism to define ephemeral API (!1199)
In-Reply-To:
References:
Message-ID:

Daiki Ueno pushed new commits to merge request !1199
https://gitlab.com/gnutls/gnutls/-/merge_requests/1199

* d7540f92 - ephemeral-api: add a mechanism to define ephemeral API

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1199
You're receiving this email because of your account on gitlab.com.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From gnutls-devel at lists.gnutls.org Fri Feb 28 16:52:44 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 28 Feb 2020 15:52:44 +0000
Subject: [gnutls-devel] GnuTLS | Add support for loading Ed25519 keys from PKCS#11 and using them (71002bb0)
In-Reply-To:
References:
Message-ID:

Dmitry Baryshkov commented:

Could you please add softhsm test for these keys?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/commit/71002bb0a681d49cbf9785f2ad2b1d97407f7c7b#note_296216767
You're receiving this email because of your account on gitlab.com.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From gnutls-devel at lists.gnutls.org Fri Feb 28 16:55:52 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 28 Feb 2020 15:55:52 +0000
Subject: [gnutls-devel] GnuTLS | Add support for loading Ed25519 keys from PKCS#11 and using them (!1200)
In-Reply-To:
References:
Message-ID:

Jakub Jelen commented:

There is already `tests/pkcs11/pkcs11-eddsa-privkey-test.c`, but from my fast re-read, it looks like it is using just private keys or something. I will certainly have a look into that (not sure if I will be able to do that just now).

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1200#note_296218691
You're receiving this email because of your account on gitlab.com.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From gnutls-devel at lists.gnutls.org Fri Feb 28 17:51:49 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 28 Feb 2020 16:51:49 +0000
Subject: [gnutls-devel] GnuTLS | RFC: ephemeral-api: add a mechanism to define ephemeral API (!1199)
In-Reply-To:
References:
Message-ID:

Daiki Ueno pushed new commits to merge request !1199
https://gitlab.com/gnutls/gnutls/-/merge_requests/1199

* b0cd4a5e - ephemeral-api: add a mechanism to define ephemeral API

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1199
You're receiving this email because of your account on gitlab.com.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From gnutls-devel at lists.gnutls.org Fri Feb 28 18:15:12 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 28 Feb 2020 17:15:12 +0000
Subject: [gnutls-devel] GnuTLS | WIP: add more functions necessary for QUIC (!1197)
In-Reply-To:
References:
Message-ID:

Daiki Ueno pushed new commits to merge request !1197
https://gitlab.com/gnutls/gnutls/-/merge_requests/1197

* 8da3a71b...41404c6e - 4 commits from branch `master`
* b0cd4a5e - ephemeral-api: add a mechanism to define ephemeral API
* d9923c52 - handshake: add functions to read/write handshake messages directly
* 464e5d02 - ext/quic_transport_params: new extension
* 1ef72460 - handshake: add callback to get notified with traffic secret change

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1197
You're receiving this email because of your account on gitlab.com.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From gnutls-devel at lists.gnutls.org Fri Feb 28 18:34:48 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 28 Feb 2020 17:34:48 +0000
Subject: [gnutls-devel] GnuTLS | WIP: add more functions necessary for QUIC (!1197)
In-Reply-To:
References:
Message-ID:

Daiki Ueno commented:

I've rebased this against !1199 so that we don't need to bother with ABI / documentation checks for now.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1197#note_296278662
You're receiving this email because of your account on gitlab.com.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From gnutls-devel at lists.gnutls.org Fri Feb 28 19:03:48 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 28 Feb 2020 18:03:48 +0000
Subject: [gnutls-devel] GnuTLS | Add support for loading Ed25519 keys from PKCS#11 and using them (!1200)
In-Reply-To:
References:
Message-ID:

Jakub Jelen pushed new commits to merge request !1200
https://gitlab.com/gnutls/gnutls/-/merge_requests/1200

* 1c213550...ad5b1569 - 247 commits from branch `master`
* 287f0222 - Add support for loading EdDSA keys from PKCS#11 and using them
* 6bfa4220 - pkcs11_write: Copy data to avoid double-free crashes and properly encode EC_POINT attribute
* d98d829c - tests: Verify writing and reading of EdDSA public keys
* 49ccb9b7 - tests: Verify writing and reading of ECDSA public keys from PKCS#11

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1200
You're receiving this email because of your account on gitlab.com.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From gnutls-devel at lists.gnutls.org Sat Feb 29 09:27:40 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 29 Feb 2020 08:27:40 +0000
Subject: [gnutls-devel] GnuTLS | WIP: handshake: add functions to read/write handshake messages directly (!1187)
In-Reply-To:
References:
Message-ID:

Merge Request !1187 was closed by Daiki Ueno

Merge Request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1187
Branches: tmp-record-write-callback to master
Author: Daiki Ueno
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1187
You're receiving this email because of your account on gitlab.com.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From gnutls-devel at lists.gnutls.org Sat Feb 29 09:27:39 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 29 Feb 2020 08:27:39 +0000
Subject: [gnutls-devel] GnuTLS | WIP: handshake: add functions to read/write handshake messages directly (!1187)
In-Reply-To:
References:
Message-ID:

Daiki Ueno commented:

Closing in favor of !1197.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1187#note_296429076
You're receiving this email because of your account on gitlab.com.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From gnutls-devel at lists.gnutls.org Sat Feb 29 12:25:46 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 29 Feb 2020 11:25:46 +0000
Subject: [gnutls-devel] GnuTLS | gnutls relies on glibc-specific getpass functionality in tests (#945)
In-Reply-To:
References:
Message-ID:

Nikos Mavrogiannopoulos commented:

The test checks whether the implementation of certtool while reading input is correct, whether `getpass()` is the expected or not that's not that important for the test as it runs on our CI which is based on glibc. A simple approach would be to disable the test when a non-compliant `getpass()` is found.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/945#note_296448960
You're receiving this email because of your account on gitlab.com.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From gnutls-devel at lists.gnutls.org Sat Feb 29 12:32:56 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 29 Feb 2020 11:32:56 +0000
Subject: [gnutls-devel] GnuTLS | Unable to use Ed25519 keys from PKCS#11 (#946)
In-Reply-To:
References:
Message-ID:

Milestone changed to Release of GnuTLS 3.6.13 (Feb 2, 2020–Apr 4, 2020) ( https://gitlab.com/gnutls/gnutls/-/milestones/27 )

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/946
You're receiving this email because of your account on gitlab.com.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From gnutls-devel at lists.gnutls.org Sat Feb 29 12:57:49 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 29 Feb 2020 11:57:49 +0000
Subject: [gnutls-devel] GnuTLS | support: DTLS connection ID (#801)
In-Reply-To:
References:
Message-ID:

Nikos Mavrogiannopoulos commented:

Given that the RFC brings many changes, including TLS1.3 packets into TLS1.2, I think it makes sense to introduce that in a minimalistic way to avoid changes that make little sense (such as TLS1.3 packet format for AES-CBC ciphersuites).

A proposal is with a new `gnutls_init` flag that will enable this extension but it will prevent advertising or negotiating any non-AEAD ciphersuites. That way the new format can be implemented only for the AEAD ciphersuites under TLS1.2, which is sufficient for the main use case linked, as well as any DTLS1.2 implementation.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/801#note_296452341
You're receiving this email because of your account on gitlab.com.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From gnutls-devel at lists.gnutls.org Sat Feb 29 17:13:22 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 29 Feb 2020 16:13:22 +0000
Subject: [gnutls-devel] GnuTLS | lib: use static assertion to check enum values (!1201)
References:
Message-ID:

Daiki Ueno created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1201

Branches: tmp-static-assert to master
Author: Daiki Ueno

We previously had checks of enum values with '#if', such as below:

```c
#define GNUTLS_EXTENSION_MAX_VALUE 31
typedef enum extensions_t {
	...
	GNUTLS_EXTENSION_MAX /* not real extension - used for iterators */
} extensions_t;

/* we must provide at least 16 extensions for users to register */
#if GNUTLS_EXTENSION_MAX_VALUE - GNUTLS_EXTENSION_MAX < 16
# error not enough extension types
#endif
```

This doesn't work as expected; because `GNUTLS_EXTENSION_MAX` is not defined as a preprocessor macro, it always expands to 0. To properly do this check, we need to use static assert as provided as the 'verify' macro in gnulib.

## Checklist
* [x] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [ ] Code modified for feature
* [ ] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
* [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:
* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1201
You're receiving this email because of your account on gitlab.com.
-------------- next part --------------
An HTML attachment was scrubbed...
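The pitfall described in merge request !1201 above, as an added example that is not GnuTLS code: the `DEMO_*` names and the count of 20 built-in entries are assumptions, and C11 `_Static_assert` stands in for the gnulib `verify` macro. Building with `-DDEMO_ENFORCE` makes the compile-time check reject the same enum that the `#if` check lets through.

```c
/* Added illustration; every DEMO_* name is hypothetical, not a GnuTLS identifier. */
#include <stdio.h>

#define DEMO_EXT_MAX_VALUE 31 /* highest extension id the table can hold */
#define DEMO_MIN_FREE 16      /* ids that must stay free for users to register */

typedef enum demo_extensions_t {
	DEMO_EXT_FIRST = 0,
	DEMO_EXT_LAST_BUILTIN = 19, /* assumed: 20 built-in extensions */
	DEMO_EXT_MAX /* not real extension - used for iterators; value 20 */
} demo_extensions_t;

/*
 * Shape of the old check. The preprocessor runs before enumerators exist, so
 * inside #if the identifier DEMO_EXT_MAX is not a macro and is replaced by 0.
 * The condition becomes 31 - 0 < 16, which is false for every possible enum.
 * The original "# error" is replaced by a flag so the outcome can be observed.
 */
#if DEMO_EXT_MAX_VALUE - DEMO_EXT_MAX < DEMO_MIN_FREE
# define DEMO_PP_CHECK_FIRED 1
#else
# define DEMO_PP_CHECK_FIRED 0
#endif

/* Direct evidence of the substitution: this branch is taken although the
 * enumerator's real value is 20. */
#if DEMO_EXT_MAX == 0
# define DEMO_PP_SEES_ZERO 1
#else
# define DEMO_PP_SEES_ZERO 0
#endif

/* A static assertion is evaluated by the compiler proper, which knows the
 * enumerator values. This one holds (20 <= 32) and compiles. */
_Static_assert(DEMO_EXT_MAX <= DEMO_EXT_MAX_VALUE + 1,
	       "enum must fit in the extension table");

/* The headroom requirement as a static assertion. It is false for this enum
 * (31 - 20 = 11 free ids), so it is only compiled in on request. */
#ifdef DEMO_ENFORCE
_Static_assert(DEMO_EXT_MAX_VALUE - DEMO_EXT_MAX >= DEMO_MIN_FREE,
	       "not enough extension types");
#endif

/* 1 if the #if-based check rejected the enum, 0 if it let it through. */
int demo_pp_check_fired(void)
{
	return DEMO_PP_CHECK_FIRED;
}

/* 1 if the preprocessor treated the enumerator as 0. */
int demo_pp_sees_zero(void)
{
	return DEMO_PP_SEES_ZERO;
}

/* Free ids as the compiler computes them from the real enumerator value. */
int demo_real_headroom(void)
{
	return DEMO_EXT_MAX_VALUE - DEMO_EXT_MAX;
}

/* Value of the expression the static assertion tests: 1 = requirement met. */
int demo_compiler_check_holds(void)
{
	return DEMO_EXT_MAX_VALUE - DEMO_EXT_MAX >= DEMO_MIN_FREE;
}

int main(void)
{
	printf("#if check fired:            %d\n", demo_pp_check_fired());
	printf("preprocessor saw enum as 0: %d\n", demo_pp_sees_zero());
	printf("real free ids:              %d (need %d)\n",
	       demo_real_headroom(), DEMO_MIN_FREE);
	printf("static assertion holds:     %d\n", demo_compiler_check_holds());
	return 0;
}
```

Compilers that support `-Wundef` report the undefined identifier inside `#if`, which is a cheap way to find other checks of this shape in a code base.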
URL:

From gnutls-devel at lists.gnutls.org Sat Feb 29 20:26:19 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 29 Feb 2020 19:26:19 +0000
Subject: [gnutls-devel] GnuTLS | gnutls relies on glibc-specific getpass functionality in tests (#945)
In-Reply-To:
References:
Message-ID:

Artemis Tosini commented:

I wasn't sure if anything else relied on this. That is a good and relatively simple solution then.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/945#note_296504377
You're receiving this email because of your account on gitlab.com.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From gnutls-devel at lists.gnutls.org Sat Feb 29 22:42:44 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 29 Feb 2020 21:42:44 +0000
Subject: [gnutls-devel] GnuTLS | certtool ignores --password option (#933)
In-Reply-To:
References:
Message-ID:

Milestone changed to Release of GnuTLS 3.6.13 (Feb 2, 2020–Apr 4, 2020) ( https://gitlab.com/gnutls/gnutls/-/milestones/27 )

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/933
You're receiving this email because of your account on gitlab.com.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From gnutls-devel at lists.gnutls.org Sat Feb 29 22:47:41 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 29 Feb 2020 21:47:41 +0000
Subject: [gnutls-devel] GnuTLS | Speed up or avoid bootstrap in CI runners (#891)
In-Reply-To:
References:
Message-ID:

Nikos Mavrogiannopoulos commented:

I'm only seeing the description and it seems to me that the proposal introduces further complexity to build system:

- we could manually run the 3 invocations of `gnulib-tool` to create `gl/`, `lib/unistring/` and `src/gl/`. We can even build the gnulib libraries in there and run the gnulib tests.
- In the CI runners, we have to `cp -a` those directories into the `gnutls/` directory. Then we create ./configure with `autoreconf -fi` and go on as normal.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/891#note_296517406
You're receiving this email because of your account on gitlab.com.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From gnutls-devel at lists.gnutls.org Sat Feb 29 23:17:55 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 29 Feb 2020 22:17:55 +0000
Subject: [gnutls-devel] GnuTLS | RFC: ephemeral-api: add a mechanism to define ephemeral API (!1199)
In-Reply-To:
References:
Message-ID:

Nikos Mavrogiannopoulos commented:

Thank you for starting this discussion. Let me try to put my perspective. I think that we should answer how we treat non-standardized protocols in text as policy (e.g., in CONTRIBUTION guide) before we finalize a technical solution. Few examples of how we handled it in the past from the top of my head:

1. We have introduced ietf draft-28 from TLS 1.3 even before they were standardized but disabled by default (new APIs were defined)
2. Introduced [GOST ciphersuites](https://datatracker.ietf.org/doc/draft-smyshlyaev-tls12-gost-suites/) even on a non-final draft, but they are disabled by default. New functionality was defined - e.g., ciphers, but compatibility was broken when a cipher had a wrong s-box assigned.
3. Introduced Ed25519 signing in certificates and TLS KX from draft-ietf-tls-rfc4492bis-17.

In all of these cases I believe the code was included when we had reasonable expectation that no significant changes are to be done in the standards. So if the proposal is to go beyond that, let's set the bar with amending our guide, or if the proposal is for no bar, let's define the expectations from that functionality and then we finalize the API to protect from such changes.

Said that, even if we decide to go for including ongoing features my concern is that even if we provide a technical solution to make certain APIs/ABIs look temporary applications that use them may expect them to continue working anyway on an ABI compatible upgrade (though I'd really like to hear more from potential consumers of such experimental features).

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1199#note_296523593
You're receiving this email because of your account on gitlab.com.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: