From gnutls-devel at lists.gnutls.org Sun Mar 1 05:15:13 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 01 Mar 2020 04:15:13 +0000
Subject: [gnutls-devel] GnuTLS | clang ASAN fails on testcompat-tls13-openssl.sh (#920)
In-Reply-To:
References:
Message-ID:

GnuTLS bot commented:

@rockdaboot This issue is unlabelled after 30 days. It needs attention.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/920#note_296548498
You're receiving this email because of your account on gitlab.com.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 01 Mar 2020 04:15:13 +0000
Subject: [gnutls-devel] GnuTLS | Issues require labels (#947)
References:
Message-ID:

GnuTLS bot created an issue: https://gitlab.com/gnutls/gnutls/issues/947

The following issues require labels:

- [ ] [clang ASAN fails on testcompat-tls13-openssl.sh](https://gitlab.com/gnutls/gnutls/issues/920)

Please take care of them.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/947

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 01 Mar 2020 07:03:34 +0000
Subject: [gnutls-devel] GnuTLS | RFC: ephemeral-api: add a mechanism to define ephemeral API (!1199)
In-Reply-To:
References:
Message-ID:

Daiki Ueno commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/1199#note_296556722

Although I agree that there should be a written guidance, I think we shouldn't cover experimental 'features' in this topic; this is specifically about API/ABI, not about the behavioral changes.

> In all of these cases I believe the code was included when we had reasonable expectation that no significant changes are to be done in the standards.

At this point we will not have such expectation any time soon, and that is the time period I'd rather like to support. Of course, it is an option that we start the development work / public testing only after the standards are fixed, it would miss the opportunity to actively collaborate with the standard body or the application development.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1199#note_296556722

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 01 Mar 2020 07:58:57 +0000
Subject: [gnutls-devel] GnuTLS | lib: use static assertion to check enum values (!1201)
In-Reply-To:
References:
Message-ID:

Daiki Ueno pushed new commits to merge request !1201
https://gitlab.com/gnutls/gnutls/-/merge_requests/1201

* 2648096a - lib: use static assertion to check enum values

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1201

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 01 Mar 2020 09:33:43 +0000
Subject: [gnutls-devel] GnuTLS | lib: use static assertion to check enum values (!1201)
In-Reply-To:
References:
Message-ID:

Daiki Ueno pushed new commits to merge request !1201
https://gitlab.com/gnutls/gnutls/-/merge_requests/1201

* 3a9b2929 - hello_ext: use 64-bit integer to track extensions
* 73a24be7 - lib: use static assertion to check enum values

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1201

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 02 Mar 2020 08:45:22 +0000
Subject: [gnutls-devel] GnuTLS | Add support for loading Ed25519 keys from PKCS#11 and using them (!1200)
In-Reply-To:
References:
Message-ID:

Jakub Jelen commented:

The failure in static analyzer looks to me like a false positive:

```
pubkey.c:1499:35: warning: Access to field 'data' results in a dereference of a null pointer (loaded from variable 'y')
    (&key->params.params[ECC_Y], y->data, y->size)) {
                                 ^~~~~~~
```

This is in `gnutls_pubkey_import_ecc_raw()`, which is called only from `gnutls_pubkey_import_ecc_eddsa()` with `GNUTLS_ECC_CURVE_ED25519` curve, which is not going into this branch at all.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1200#note_296847640

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 02 Mar 2020 19:29:07 +0000
Subject: [gnutls-devel] GnuTLS | RELEASES.md: describe the release process [ci skip] (!1202)
References:
Message-ID:

Nikos Mavrogiannopoulos created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1202

Project:Branches: nmav/gnutls:tmp-releases to gnutls/gnutls:master
Author: Nikos Mavrogiannopoulos

Add a description of the new feature/bug fix. Reference any relevant bugs.

## Checklist

* [x] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [ ] Code modified for feature
* [ ] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [x] Documentation updated / NEWS entry present (for non-trivial changes)
* [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:

* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1202

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 02 Mar 2020 20:38:47 +0000
Subject: [gnutls-devel] GnuTLS | RELEASES.md: describe the release process [ci skip] (!1202)
In-Reply-To:
References:
Message-ID:

Airtower started a new discussion on RELEASES.md: https://gitlab.com/gnutls/gnutls/-/merge_requests/1202#note_297357665

> |:----:|:-----:|:--------------:|
> |stable|3.6.x |bi-monthly |
> |next |- | |
> +
> +
> +# Release process
> +
> + 1. Verification of release notes: ensure that release notes ([NEWS](NEWS]) exist

I think the last square bracket here was meant to be a round one, to put the link in parentheses?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1202#note_297357665

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 03 Mar 2020 16:31:16 +0000
Subject: [gnutls-devel] GnuTLS | support non-NULL-terminated PSKs (!917)
In-Reply-To:
References:
Message-ID:

Ander Juaristi commented:

@nmav Looks like I've finally managed to pass the stage 1 tests (though they don't appear here, but you can see them in the pipelines page). However the LGTM tests for C/C++ are failing and I can't see why. This is what the logs say:

```
[2020-03-03 12:19:05] [build] config.status: error: in `/opt/src':
[2020-03-03 12:19:05] [build] config.status: error: Something went wrong bootstrapping makefile fragments
[2020-03-03 12:19:05] [build] for automatic dependency tracking. Try re-running configure with the
[2020-03-03 12:19:05] [build] '--disable-dependency-tracking' option to at least be able to build
[2020-03-03 12:19:05] [build] the package (albeit without support for automatic dependency tracking).
[2020-03-03 12:19:05] [build] See `config.log' for more details
[2020-03-03 12:19:05] [build] deptrace-server: received exit command
```

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/917#note_298185993

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 03 Mar 2020 16:35:22 +0000
Subject: [gnutls-devel] GnuTLS | support non-NULL-terminated PSKs (!917)
In-Reply-To:
References:
Message-ID:

Ander Juaristi commented:

I'll try later with a rebase to see if it's fixed.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/917#note_298188529

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 03 Mar 2020 17:08:17 +0000
Subject: [gnutls-devel] GnuTLS | support non-NULL-terminated PSKs (!917)
In-Reply-To:
References:
Message-ID:

Tim Rühsen commented:

LGTM pull request analysis was skipped for 54437864e32aaaba6d1b8e05f77cb25173866276 by [rockdaboot](https://gitlab.com/rockdaboot). Analysis of future commits will happen as normal.

---

*Comment posted by [LGTM.com](https://lgtm.com)*

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/917#note_298211239

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 03 Mar 2020 17:08:50 +0000
Subject: [gnutls-devel] GnuTLS | support non-NULL-terminated PSKs (!917)
In-Reply-To:
References:
Message-ID:

Tim Rühsen commented:

I opened an issue at LGTM a while ago - no reaction yet (have to ping them). Meanwhile you can click on the red LGTM button, and disable the C/C++ analysis.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/917#note_298211529

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 04 Mar 2020 11:05:55 +0000
Subject: [gnutls-devel] GnuTLS | RELEASES.md: describe the release process [ci skip] (!1202)
In-Reply-To:
References:
Message-ID:

Nikos Mavrogiannopoulos commented on a discussion on RELEASES.md: https://gitlab.com/gnutls/gnutls/-/merge_requests/1202#note_298653631

> |:----:|:-----:|:--------------:|
> |stable|3.6.x |bi-monthly |
> |next |- | |
> +
> +
> +# Release process
> +
> + 1. Verification of release notes: ensure that release notes ([NEWS](NEWS]) exist

Nice catch, thank you!

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1202#note_298653631

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 04 Mar 2020 11:05:59 +0000
Subject: [gnutls-devel] GnuTLS | RELEASES.md: describe the release process [ci skip] (!1202)
In-Reply-To:
References:
Message-ID:

All discussions on Merge Request !1202 were resolved by Nikos Mavrogiannopoulos
https://gitlab.com/gnutls/gnutls/-/merge_requests/1202

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1202

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 04 Mar 2020 14:02:13 +0000
Subject: [gnutls-devel] GnuTLS | RELEASES.md: describe the release process [ci skip] (!1202)
In-Reply-To:
References:
Message-ID:

Merge Request !1202 was approved by Dmitry Baryshkov

Merge Request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1202
Project:Branches: nmav/gnutls:tmp-releases to gnutls/gnutls:master
Author: Nikos Mavrogiannopoulos
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1202

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 06 Mar 2020 12:25:42 +0000
Subject: [gnutls-devel] GnuTLS | Add support for loading Ed25519 keys from PKCS#11 and using them (!1200)
In-Reply-To:
References:
Message-ID:

Dmitry Baryshkov commented:

@jjelen this also looks like a false positive. You might want to rewrite `curve_is_eddsa()` to just check for the curve id, this might help.

Regarding timeouts, could you please increase Settings/CICD/General pipelines/Timeout to 2h.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1200#note_300423811

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 06 Mar 2020 12:42:07 +0000
Subject: [gnutls-devel] GnuTLS | Add support for loading Ed25519 keys from PKCS#11 and using them (!1200)
In-Reply-To:
References:
Message-ID:

Jakub Jelen pushed new commits to merge request !1200
https://gitlab.com/gnutls/gnutls/-/merge_requests/1200

* ffd60823 - pubkey: Validate input parameters in pubkey_import_ecc_raw

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1200

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 06 Mar 2020 12:51:12 +0000
Subject: [gnutls-devel] GnuTLS | Add support for loading Ed25519 keys from PKCS#11 and using them (!1200)
In-Reply-To:
References:
Message-ID:

Jakub Jelen commented:

Thanks. I reconsidered and added explicit check for the arguments in `gnutls_pubkey_import_ecc_raw()`.

I also bumped the timeout so let's see the results in two hours :)

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1200#note_300438724

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 06 Mar 2020 12:51:56 +0000
Subject: [gnutls-devel] GnuTLS | Add support for loading Ed25519 keys from PKCS#11 and using them (!1200)
In-Reply-To:
References:
Message-ID:

Jakub Jelen pushed new commits to merge request !1200
https://gitlab.com/gnutls/gnutls/-/merge_requests/1200

* ad8e1705 - pubkey: Validate input parameters in pubkey_import_ecc_raw

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1200

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 06 Mar 2020 12:55:15 +0000
Subject: [gnutls-devel] GnuTLS | lib/x509/output.c: remove occasioinal memory leak in print_issuer_sign_tool() (!1203)
References:
Message-ID:

Dmitry Baryshkov created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1203

Project:Branches: GostCrypt/gnutls:fix-issuer-sign-tool to gnutls/gnutls:master
Author: Dmitry Baryshkov

Add a description of the new feature/bug fix. Reference any relevant bugs.

## Checklist

* [x] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [x] Code modified for feature
* [ ] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
* [x] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:

* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1203

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 06 Mar 2020 12:56:39 +0000
Subject: [gnutls-devel] GnuTLS | lib/x509/output.c: remove occasioinal memory leak in print_issuer_sign_tool() (!1203)
In-Reply-To:
References:
Message-ID:

Dmitry Baryshkov pushed new commits to merge request !1203
https://gitlab.com/gnutls/gnutls/-/merge_requests/1203

* 8d6fb05a - lib/x509/output.c: remove occasioinal memory leak in print_issuer_sign_tool()

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1203

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 06 Mar 2020 13:23:37 +0000
Subject: [gnutls-devel] GnuTLS | WIP: fuzz: add simple x509 certificate requests fuzzer (!1204)
References:
Message-ID:

Dmitry Baryshkov created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1204

Project:Branches: GostCrypt/gnutls:crl-crq-fuzz to gnutls/gnutls:master
Author: Dmitry Baryshkov

Add a description of the new feature/bug fix. Reference any relevant bugs.

## Checklist

* [x] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [ ] Code modified for feature
* [x] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
* [x] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:

* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1204

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 06 Mar 2020 14:12:04 +0000
Subject: [gnutls-devel] GnuTLS | Add support for loading Ed25519 keys from PKCS#11 and using them (!1200)
In-Reply-To:
References:
Message-ID:

Jakub Jelen commented:

@lumag Looks green now.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1200#note_300503956

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 06 Mar 2020 19:58:31 +0000
Subject: [gnutls-devel] GnuTLS | Let valgrind suggest suppression rules on any issue it finds (!1195)
In-Reply-To:
References:
Message-ID:

Merge Request !1195 was approved by Nikos Mavrogiannopoulos

Merge Request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1195
Branches: tmp-gen-suppressions to master
Author: Tim Rühsen
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1195

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 06 Mar 2020 19:58:40 +0000
Subject: [gnutls-devel] GnuTLS | Let valgrind suggest suppression rules on any issue it finds (!1195)
In-Reply-To:
References:
Message-ID:

All discussions on Merge Request !1195 were resolved by Nikos Mavrogiannopoulos
https://gitlab.com/gnutls/gnutls/-/merge_requests/1195

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1195

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 06 Mar 2020 19:58:52 +0000
Subject: [gnutls-devel] GnuTLS | Let valgrind suggest suppression rules on any issue it finds (!1195)
In-Reply-To:
References:
Message-ID:

Merge Request !1195 was merged

Merge Request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1195
Branches: tmp-gen-suppressions to master
Author: Tim Rühsen
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1195

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 06 Mar 2020 22:10:07 +0000
Subject: [gnutls-devel] GnuTLS | WIP: fuzz: add simple x509 certificate requests fuzzer (!1204)
In-Reply-To:
References:
Message-ID:

Dmitry Baryshkov pushed new commits to merge request !1204
https://gitlab.com/gnutls/gnutls/-/merge_requests/1204

* ee4793ab - fuzz: add simple x509 certificate requests and revocation lists fuzzers

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1204

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 06 Mar 2020 22:11:11 +0000
Subject: [gnutls-devel] GnuTLS | lib/x509/output.c: remove occasioinal memory leak in print_issuer_sign_tool() (!1203)
In-Reply-To:
References:
Message-ID:

Dmitry Baryshkov pushed new commits to merge request !1203
https://gitlab.com/gnutls/gnutls/-/merge_requests/1203

* 1ccfe3b7 - lib/x509/output.c: remove occasioinal memory leak in print_issuer_sign_tool()

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1203

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 06 Mar 2020 22:14:16 +0000
Subject: [gnutls-devel] GnuTLS | Add CRL and CRQ fuzzers (#903)
In-Reply-To:
References:
Message-ID:

Milestone changed to Release of GnuTLS 3.6.13 (Feb 2, 2020–Apr 4, 2020) ( https://gitlab.com/gnutls/gnutls/-/milestones/27 )

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/903

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 07 Mar 2020 08:09:59 +0000
Subject: [gnutls-devel] GnuTLS | Add support for loading Ed25519 keys from PKCS#11 and using them (!1200)
In-Reply-To:
References:
Message-ID:

Dmitry Baryshkov started a new discussion on lib/pkcs11_write.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1200#note_301110914

> break;
> }
> case GNUTLS_PK_EDDSA_ED25519: {
> - gnutls_datum_t params;
> + gnutls_datum_t params, ecpoint;
>
> + /* XXX This is wrong -- we need encode the curve name
> + * not OID according to the last PKCS #11 3.0 draft */

Hmm. Quoting `pkcs11-curr-v3.0`:

> Edwards EC public keys only support the use of the curveName selection to specify a curve name as defined in [RFC 8032] and the use of the oID selection to specify a curve through an EdDSA algorithm as defined in [RFC 8410]. Note that keys defined by RFC 8032 and RFC 8410 are incompatible.

An example then uses `edwards25519` as `CKA_EC_PARAMS`.

SoftHSM only supports OIDs for `CKA_EC_PARAMS` for EDDSA.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1200#note_301110914
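
Review bot: The XXX comment added under `case GNUTLS_PK_EDDSA_ED25519:` calls the OID form wrong but does not say what the code below it actually encodes or what would have to change, so a later reader cannot tell a known interoperability limit from a bug. Reword it to state the current behaviour and the reason for it, cite the exact section of the PKCS #11 3.0 draft, and fix the grammar ("we need to encode"). The newly declared `ecpoint` is also left uninitialized next to `params`; initializing it to `{ NULL, 0 }` keeps any shared cleanup path safe.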

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 07 Mar 2020 08:22:45 +0000
Subject: [gnutls-devel] GnuTLS | Add support for loading Ed25519 keys from PKCS#11 and using them (!1200)
In-Reply-To:
References:
Message-ID:

Dmitry Baryshkov started a new discussion on lib/pkcs11_write.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1200#note_301112018

> (*a_val)++;
>
> + ret = _gnutls_x509_encode_string(ASN1_ETYPE_OCTET_STRING,
> + pubkey->params.raw_pub.data,
> + pubkey->params.raw_pub.size,
> + &ecpoint);
> + if (ret < 0) {
> + gnutls_assert();
> + return ret;
> + }
> +
> a[*a_val].type = CKA_EC_POINT;
> - a[*a_val].value = pubkey->params.raw_pub.data;
> - a[*a_val].value_len = pubkey->params.raw_pub.size;
> + a[*a_val].value = ecpoint.data;
> + a[*a_val].value_len = ecpoint.size;

Hmm, this changes a format of public key from just `X` value to `OCTET STRING` encoding of `X`. Is this intended? Is it the format used by tokens?

PKCS11 says:

> DER-encoding of the b-bit public key value in little endian order as defined in RFC 8032

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1200#note_301112018
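
Review bot: `a[*a_val].value` now points at `ecpoint.data`, a buffer filled in by `_gnutls_x509_encode_string()`, where it previously borrowed `pubkey->params.raw_pub.data`, and the visible lines never release it. Free `ecpoint.data` once the attribute array has been consumed and on every error return after this point. The new `return ret` also leaves the function right after `(*a_val)++`, so check that nothing set up for the preceding attribute is leaked on that path.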

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 07 Mar 2020 08:30:14 +0000
Subject: [gnutls-devel] GnuTLS | Add support for loading Ed25519 keys from PKCS#11 and using them (!1200)
In-Reply-To:
References:
Message-ID:

Dmitry Baryshkov commented:

LGTM otherwise

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1200#note_301112678
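
The two `CKA_EC_POINT` layouts raised in the !1200 review above (the bare 32-byte Ed25519 key versus its DER `OCTET STRING` wrapping), shown as an added example that is not GnuTLS code and not part of the thread. All function names are hypothetical and the key bytes are constructed; the decoder is deliberately strict (definite, minimal length, no trailing bytes) so that a reader of token attributes accepts either layout but nothing malformed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ED25519_PUB_LEN 32u
#define DER_TAG_OCTET_STRING 0x04u

enum ec_point_form {
    EC_POINT_INVALID = 0,
    EC_POINT_RAW,              /* bare 32-byte key, the "just X" layout */
    EC_POINT_DER_OCTET_STRING  /* 04 20 || key, the wrapped layout */
};

/* Wrap in[0..in_len) in a DER OCTET STRING. Returns bytes written, 0 on error. */
size_t der_octet_string_encode(const uint8_t *in, size_t in_len,
                               uint8_t *out, size_t out_cap)
{
    size_t hdr;

    if (in_len < 0x80) hdr = 2;            /* short-form length */
    else if (in_len <= 0xff) hdr = 3;      /* 0x81 LL */
    else if (in_len <= 0xffff) hdr = 4;    /* 0x82 HH LL */
    else return 0;
    if (out_cap < hdr || out_cap - hdr < in_len) return 0;

    out[0] = DER_TAG_OCTET_STRING;
    if (hdr == 2) {
        out[1] = (uint8_t)in_len;
    } else if (hdr == 3) {
        out[1] = 0x81; out[2] = (uint8_t)in_len;
    } else {
        out[1] = 0x82; out[2] = (uint8_t)(in_len >> 8); out[3] = (uint8_t)in_len;
    }
    memcpy(out + hdr, in, in_len);
    return hdr + in_len;
}

/* Strict DER decode of one OCTET STRING that must fill the whole buffer.
 * Returns 0 and sets val / val_len on success, -1 otherwise. */
int der_octet_string_decode(const uint8_t *in, size_t in_len,
                            const uint8_t **val, size_t *val_len)
{
    size_t len, hdr;

    if (in_len < 2 || in[0] != DER_TAG_OCTET_STRING) return -1;
    if (in[1] < 0x80) {
        len = in[1]; hdr = 2;
    } else if (in[1] == 0x81) {
        if (in_len < 3 || in[2] < 0x80) return -1;   /* non-minimal length */
        len = in[2]; hdr = 3;
    } else if (in[1] == 0x82) {
        if (in_len < 4 || in[2] == 0) return -1;     /* non-minimal length */
        len = ((size_t)in[2] << 8) | in[3]; hdr = 4;
    } else {
        return -1;                                   /* indefinite or too long */
    }
    if (in_len - hdr != len) return -1;              /* truncated or trailing bytes */
    *val = in + hdr;
    *val_len = len;
    return 0;
}

/* Accept either layout of an Ed25519 CKA_EC_POINT value and copy the 32-byte
 * key to raw. A wrapped 32-byte key is always 34 bytes long, so a 32-byte
 * attribute can only be the bare key and the two layouts never collide. */
enum ec_point_form ed25519_ec_point_normalize(const uint8_t *attr, size_t attr_len,
                                              uint8_t raw[ED25519_PUB_LEN])
{
    const uint8_t *val;
    size_t val_len;

    if (attr == NULL || raw == NULL) return EC_POINT_INVALID;
    if (attr_len == ED25519_PUB_LEN) {
        memcpy(raw, attr, ED25519_PUB_LEN);
        return EC_POINT_RAW;
    }
    if (der_octet_string_decode(attr, attr_len, &val, &val_len) == 0 &&
        val_len == ED25519_PUB_LEN) {
        memcpy(raw, val, ED25519_PUB_LEN);
        return EC_POINT_DER_OCTET_STRING;
    }
    return EC_POINT_INVALID;
}

int main(void)
{
    uint8_t key[ED25519_PUB_LEN], der[40], raw[ED25519_PUB_LEN];
    size_t i, n;

    for (i = 0; i < sizeof key; i++) key[i] = (uint8_t)(i + 1); /* constructed key */
    n = der_octet_string_encode(key, sizeof key, der, sizeof der);
    printf("wrapped: %zu bytes, header %02x %02x\n", n, der[0], der[1]);
    printf("wrapped -> form %d\n", (int)ed25519_ec_point_normalize(der, n, raw));
    printf("bare    -> form %d\n", (int)ed25519_ec_point_normalize(key, sizeof key, raw));
    der[1] = 0x21; /* declared length no longer matches the buffer */
    printf("bad len -> form %d\n", (int)ed25519_ec_point_normalize(der, n, raw));
    return 0;
}
```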

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 07 Mar 2020 10:09:51 +0000
Subject: [gnutls-devel] GnuTLS | Improving X.509 certificate validation errors (#950)
References:
Message-ID:

Martin Ukrop created an issue: https://gitlab.com/gnutls/gnutls/-/issues/950

(an issue for discussion, moved here from the mailing list per Nikos's suggestions)

I'm the lead of a university project investigating (and improving) the usability of certificate validation errors. Our goal is to simplify the ecosystem by consolidating the errors and their documentation in one place, providing replicable example certificates for all validation errors and by explaining better what the individual errors mean. The project is live at https://x509errors.org/

Now we are reaching out to library developers and users (you) to ask for feedback. Currently, we base the system on OpenSSL errors (as it's the most common). We have example certificates for 30+ OpenSSL errors and in-progress mapping for corresponding errors for OpenSSL, GnuTLS, Botan and MbedTLS. In the future, we plan the possibility of web reorganization based on the other libraries (currently, the web is organized by OpenSSL), adding the error frequencies based on IP-wide scans and elaborating on the consequences of individual errors. Ultimately, we want to propose better (ideally user-tested) errors and their documentation. (Just recently, we made a survey among 180 developers regarding their error documentation preference with good reception).

As developers/users of TLS libraries, what do you think of the idea?

* Which part(s) do you find the most/least useful?
* Is there anything you see missing?
* What are your thoughts on unifying the error taxonomy? (a very long-term goal, if at all possible)

During spring, we would like to start creating pull requests improving the documentation and error messages in some of the libraries. Would you welcome such contributions?

For transparency: My PhD is done at Masaryk University (Czech Republic) and I'm partially supported by Red Hat Czech.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/950
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 07 Mar 2020 10:21:18 +0000
Subject: [gnutls-devel] GnuTLS | ALPN issue (#951)

ASoasofoFoInLoveasorr illov created an issue: https://gitlab.com/gnutls/gnutls/-/issues/951

Hi - I have one issue. It is related to ALPN in GNUTLS.

I have a restricted firewall which allows only HTTPS connections - no other SSL connection. It checks whether ALPN is present in the CLIENT HELLO (h2.http1.1).

I checked in Android using the normal Java HttpsURLConnection (which may be using OpenSSL) and it is able to connect to the HTTPS website. I found that when I use HttpsURLConnection it adds ALPN in the client hello.

But using GNUTLS a sample C program can not connect to that website. It says SSL negotiation failed. So I added ALPN using `gnutls_alpn_set_protocols()`.

Now I can see ALPN added by GNUTLS in the CLIENT HELLO: h2.http1.1. But it is still not connecting.

I compared the traffic generated by GNUTLS and Java HttpsURLConnection and found both are almost the same; the only difference is that with GNUTLS the ALPN is added in the first portion of the request, but in the case of HttpsURLConnection the ALPN is in the last portion of the CLIENT Hello request.

Can you please give me some light.

```
gnutls_init(&hostinfo->https_sess, GNUTLS_CLIENT);

// SET ALPN
gnutls_datum_t t[2];
t[0].data = (void *) "h2";
t[0].size = 2;
t[1].data = (void *)"http/1.1";
t[1].size = 8;
gnutls_alpn_set_protocols(hostinfo->https_sess, t, 2, 0);

if (gtls_ver(3,2,9)/* && string_is_hostname(hostinfo->hostname)*/)
    gnutls_server_name_set(hostinfo->https_sess, GNUTLS_NAME_DNS, hostinfo->hostname, strlen(hostinfo->hostname));
gnutls_session_set_ptr(hostinfo->https_sess, (void *) hostinfo);

#ifdef DEFAULT_PRIO
default_prio = DEFAULT_PRIO ":%COMPAT";
#else
if (gtls_ver(3,2,9)) {
    default_prio = "NORMAL:-VERS-SSL3.0:%COMPAT";
} else if (gtls_ver(3,0,0)) {
    default_prio = "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.0:" \
        "%COMPAT:%DISABLE_SAFE_RENEGOTIATION:%LATEST_RECORD_VERSION" \
        ":-CURVE-ALL:-ECDHE-RSA:-ECDHE-ECDSA";
} else {
    default_prio = "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.0:" \
        "%COMPAT:%DISABLE_SAFE_RENEGOTIATION:%LATEST_RECORD_VERSION";
}
#endif

snprintf(hostinfo->gnutls_prio, sizeof(hostinfo->gnutls_prio), "%s%s", default_prio, hostinfo->pfs?":-RSA":"");
err = gnutls_priority_set_direct(hostinfo->https_sess, hostinfo->gnutls_prio, NULL);
if (err) {
    host_progress(hostinfo, PRG_ERR, _("Failed to set TLS priority string (\"%s\"): %s\n"), hostinfo->gnutls_prio, gnutls_strerror(err));
    gnutls_deinit(hostinfo->https_sess);
    hostinfo->https_sess = NULL;
    closesocket(ssl_sock);
    return -EIO;
}

gnutls_record_disable_padding(hostinfo->https_sess);
gnutls_credentials_set(hostinfo->https_sess, GNUTLS_CRD_CERTIFICATE, hostinfo->https_cred);
gnutls_transport_set_ptr(hostinfo->https_sess,(gnutls_transport_ptr_t)(intptr_t)ssl_sock);
host_progress(hostinfo, PRG_INFO, _("SSL negotiation with %s\n"), hostinfo->hostname);

#ifdef GNUTLS_DEFAULT_HANDSHAKE_TIMEOUT
gnutls_handshake_set_timeout(hostinfo->https_sess, GNUTLS_DEFAULT_HANDSHAKE_TIMEOUT);
#endif

err = cstp_handshake(hostinfo, 1);
if (err)
    return err;

gnutls_free(hostinfo->cstp_cipher);
hostinfo->cstp_cipher = get_gnutls_cipher(hostinfo->https_sess);

hostinfo->ssl_fd = ssl_sock;
hostinfo->ssl_read = openconnect_gnutls_read;
hostinfo->ssl_write = openconnect_gnutls_write;
hostinfo->ssl_gets = openconnect_gnutls_gets;
```

Thank you

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/951

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 07 Mar 2020 17:22:48 +0000
Subject: [gnutls-devel] GnuTLS | ALPN issue (#951)

Airtower commented:

Checking for ALPN to see if an incoming connection uses HTTPS is wrong. Many browsers do support ALPN because they also support HTTP/2, but an HTTP/1.1 client is correct in not sending ALPN (though it would be allowed to).

As a matter of principle there is no reliable way to check the protocol inside a TLS connection as long as the encryption is secure. Things like ALPN, SNI, or even traffic patterns are only hints. People can also use those hints in unusual ways, in particular if someone wants to avoid your firewall, e.g. set up a server that accepts any ALPN so clients can look like HTTP clients to your firewall, and then still speak some other protocol inside TLS.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/951#note_301207154

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 07 Mar 2020 20:37:35 +0000
Subject: [gnutls-devel] GnuTLS | ALPN issue (#951)

ASoasofoFoInLoveasorr illov commented:

Thanks. Ya.. I understand. But our ISP is doing it to some extent, maybe for a group of IPs.

I am trying to connect to an HTTPS server. I can open it via browser or my code using the Java HTTPSURLConnection class. But I fail to connect to the SAME server via the GNUTLS C client because I can not properly set ALPN via GNUTLS. I think the ALPN order in the CLIENT HELLO message is wrong.

I am attaching two PCAP files here.

File 1 - Good. It can connect to the server (using CURL command).
File 2 - Bad. It can not connect to the SAME server (C code using GNUTLS 3,2,9).

(Please note if I am in a different network, the C client using GNUTLS (without setting ALPN) can open the website without any problem.)

Can you please check the attached PCAPs once. The only difference I see between the two is the TLS Record length.

Thank you

[1-gnutls-alpn-GOOD.pdf](/uploads/82be864227ba0873d4260556addfc357/1-gnutls-alpn-GOOD.pdf)
[2-gnutls-alpn-BAD.pdf](/uploads/82ee8f969fe436ad46d0d08688239e4c/2-gnutls-alpn-BAD.pdf)

Thank you

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/951#note_301277740

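The ALPN thread above compares two captures by eye to see where the ALPN extension sits in the ClientHello and what it offers. The following C code is an added example, not code from the thread or from GnuTLS: a bounds-checked walker that lists the extensions of one ClientHello in wire order and decodes the ALPN protocol list, run on two constructed sample records that differ only in where ALPN is placed. The names `parse_client_hello` and `summarize_sample` and the sample bytes are made up for this illustration, and the code assumes the ClientHello fits in a single TLS record.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define EXT_ALPN 16 /* application_layer_protocol_negotiation, RFC 7301 */
#define MAX_EXTS 32
struct hello_summary {
    size_t n_ext;                /* number of extensions seen */
    uint16_t ext_type[MAX_EXTS]; /* extension types in wire order */
    int alpn_index;              /* position of ALPN in that order, -1 if absent */
    char alpn[128];              /* offered protocol names, comma separated */
};
struct cur { const uint8_t *p; size_t left; }; /* bounds-checked read cursor */

static int get(struct cur *c, size_t n, size_t *v) /* n-byte big-endian integer */
{
    if (c->left < n)
        return -1;
    for (*v = 0; n > 0; n--, c->left--)
        *v = (*v << 8) | *c->p++;
    return 0;
}
static int sub(struct cur *c, size_t n, struct cur *out) /* carve out next n bytes */
{
    if (c->left < n)
        return -1;
    out->p = c->p; out->left = n; c->p += n; c->left -= n;
    return 0;
}
/* ProtocolNameList: 2-byte list length, then (1-byte length, name) entries. */
static int parse_alpn(struct cur *ext, struct hello_summary *s)
{
    struct cur list, name; size_t v, used = 0;
    if (get(ext, 2, &v) || sub(ext, v, &list) || ext->left != 0)
        return -1;
    while (list.left > 0) {
        if (get(&list, 1, &v) || v == 0 || sub(&list, v, &name) || used + v + 2 > sizeof s->alpn)
            return -1;
        if (used)
            s->alpn[used++] = ',';
        for (; name.left > 0; name.left--, name.p++) /* names are opaque bytes */
            s->alpn[used++] = (*name.p > 0x20 && *name.p < 0x7f && *name.p != ',') ? (char)*name.p : '?';
    }
    s->alpn[used] = '\0';
    s->alpn_index = (int)s->n_ext; /* ALPN's position among the extensions */
    return 0;
}
/* buf must hold one TLS record that carries a complete ClientHello. */
int parse_client_hello(const uint8_t *buf, size_t len, struct hello_summary *s)
{
    struct cur rec = { buf, len }, hs, body, exts, ext;
    size_t v, type;
    memset(s, 0, sizeof *s);
    s->alpn_index = -1;
    /* record header: type 22 (handshake), version, 2-byte length */
    if (get(&rec, 1, &v) || v != 22 || get(&rec, 2, &v) || get(&rec, 2, &v) || sub(&rec, v, &hs))
        return -1;
    /* handshake header: type 1 (client_hello), 3-byte length */
    if (get(&hs, 1, &v) || v != 1 || get(&hs, 3, &v) || sub(&hs, v, &body))
        return -1;
    /* legacy_version + random, then session_id, cipher_suites, compression_methods */
    if (sub(&body, 34, &ext) || get(&body, 1, &v) || sub(&body, v, &ext) ||
        get(&body, 2, &v) || sub(&body, v, &ext) || get(&body, 1, &v) || sub(&body, v, &ext))
        return -1;
    if (body.left == 0)
        return 0; /* ClientHello without an extensions block */
    if (get(&body, 2, &v) || sub(&body, v, &exts))
        return -1;
    while (exts.left > 0) {
        if (get(&exts, 2, &type) || get(&exts, 2, &v) || sub(&exts, v, &ext) || s->n_ext == MAX_EXTS)
            return -1;
        if (type == EXT_ALPN && (s->alpn_index >= 0 || parse_alpn(&ext, s)))
            return -1; /* duplicate or malformed ALPN extension */
        s->ext_type[s->n_ext++] = (uint16_t)type;
    }
    return 0;
}

/* Constructed samples: the same ALPN offer, placed first or last. */
#define Z8 0, 0, 0, 0, 0, 0, 0, 0
#define S_HEAD 22, 3, 1, 0, 72, 1, 0, 0, 68, 3, 3, Z8, Z8, Z8, Z8, 0, 0, 2, 0x13, 0x01, 1, 0, 0, 25
#define S_ALPN 0, 16, 0, 14, 0, 12, 2, 'h', '2', 8, 'h', 't', 't', 'p', '/', '1', '.', '1'
#define S_VERS 0, 43, 0, 3, 2, 3, 4 /* supported_versions extension */
static const uint8_t sample_alpn_first[] = { S_HEAD, S_ALPN, S_VERS };
static const uint8_t sample_alpn_last[] = { S_HEAD, S_VERS, S_ALPN };

/* Parse a sample with `trim` trailing bytes removed; NULL on parse error. */
const struct hello_summary *summarize_sample(int alpn_first, size_t trim)
{
    static struct hello_summary out[2];
    const uint8_t *buf = alpn_first ? sample_alpn_first : sample_alpn_last;
    size_t n = sizeof sample_alpn_first; /* both samples have the same length */
    return (trim <= n && !parse_client_hello(buf, n - trim, &out[!alpn_first])) ? &out[!alpn_first] : NULL;
}
int main(void)
{
    const struct hello_summary *a = summarize_sample(1, 0), *b = summarize_sample(0, 0);
    if (a && b)
        printf("ALPN first: index %d (%s); ALPN last: index %d (%s)\n", a->alpn_index, a->alpn, b->alpn_index, b->alpn);
    return (a && b && !summarize_sample(1, 1)) ? 0 : 1; /* truncated record must fail */
}
```

A ClientHello that spans several records, or a buffer that starts mid-record, is rejected rather than guessed at.
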
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 09 Mar 2020 07:37:51 +0000
Subject: [gnutls-devel] GnuTLS | Add support for loading Ed25519 keys from PKCS#11 and using them (!1200)

Merge request https://gitlab.com/gnutls/gnutls/-/merge_requests/1200 was reviewed by Jakub Jelen

--
Jakub Jelen commented on a discussion on lib/pkcs11_write.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1200#note_301564436

> - a[*a_val].value_len = pubkey->params.raw_pub.size; > + a[*a_val].value = ecpoint.data; > + a[*a_val].value_len = ecpoint.size;

The change is intentional, but after reading the specifications, not sure if completely correct. The current implementation is most probably wrong as it uses only the raw bytes of public key. The octet string is what is used in ECDSA keys in PKCS#11 and what is used in SoftHSM at this moment. The RFC 8410 on the other hand refers to public key as BIT STRING.

--
Jakub Jelen commented on a discussion on lib/pkcs11_write.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1200#note_301564438

> > + /* XXX This is wrong -- we need encode the curve name > + * not OID according to the last PKCS #11 3.0 draft */

My reading is that RFC 8410 defines `id-Ed25519`, which should be referenced by OID, while RFC 8032 defines what we call edwards25519 keys (and few others), but I might be reading this wrong and we could use the OIDs too. The softhsm now supports both named curves and OIDs: https://github.com/opendnssec/SoftHSMv2/pull/526

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1200

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 09 Mar 2020 14:12:54 +0000
Subject: [gnutls-devel] GnuTLS | RELEASES.md: describe the release process [ci skip] (!1202)

Merge Request !1202 was merged

Merge Request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1202
Project:Branches: nmav/gnutls:tmp-releases to gnutls/gnutls:master
Author: Nikos Mavrogiannopoulos
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1202

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 09 Mar 2020 14:13:56 +0000
Subject: [gnutls-devel] GnuTLS | fuzz: add simple x509 certificate requests fuzzer (!1204)

Nikos Mavrogiannopoulos started a new discussion on fuzz/gnutls_x509_crl_parser_fuzzer.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1204#note_301815925

> +/* > +# Copyright 2016 Google Inc.

Copyright seems wrong

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1204#note_301815925

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 09 Mar 2020 14:16:29 +0000
Subject: [gnutls-devel] GnuTLS | fuzz: add simple x509 certificate requests fuzzer (!1204)

Nikos Mavrogiannopoulos started a new discussion on fuzz/gnutls_x509_crl_parser_fuzzer.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1204#note_301818006

> +/* > +# Copyright 2016 Google Inc. > +# > +# Licensed under the Apache License, Version 2.0 (the "License");

In the first examples we used this, but in newer tests such as `gnutls_ext_raw_parse_fuzzer.c` I used LGPL. May I suggest to use LGPL for this as well, unless you have a concern?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1204#note_301818006

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 09 Mar 2020 15:00:59 +0000
Subject: [gnutls-devel] GnuTLS | lib: use static assertion to check enum values (!1201)

Tim Rühsen commented:

LGTM pull request analysis was skipped for 73a24be780811f2e85c63c1a0d2b8be6fcce0d6c by [dueno](https://gitlab.com/dueno). Analysis of future commits will happen as normal.

---
*Comment posted by [LGTM.com](https://lgtm.com)*

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1201#note_301860908

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 09 Mar 2020 15:02:04 +0000
Subject: [gnutls-devel] GnuTLS | lib: use static assertion to check enum values (!1201)

Daiki Ueno commented:

@rockdaboot I'm skipping the LGTM analysis for now.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1201#note_301861853

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 09 Mar 2020 15:03:52 +0000
Subject: [gnutls-devel] GnuTLS | lib/x509/output.c: remove occasioinal memory leak in print_issuer_sign_tool() (!1203)

Merge Request !1203 was approved by Daiki Ueno

Merge Request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1203
Project:Branches: GostCrypt/gnutls:fix-issuer-sign-tool to gnutls/gnutls:master
Author: Dmitry Baryshkov
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1203

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 09 Mar 2020 15:04:27 +0000
Subject: [gnutls-devel] GnuTLS | lib/x509/output.c: remove occasioinal memory leak in print_issuer_sign_tool() (!1203)

Daiki Ueno commented:

Looks good to me.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1203#note_301863618

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 09 Mar 2020 15:08:57 +0000
Subject: [gnutls-devel] GnuTLS | RFC: ephemeral-api: add a mechanism to define ephemeral API (!1199)

Tim Rühsen commented:

LGTM pull request analysis was skipped for b0cd4a5e2d3613ee0e05940686ad17ebd3cfda1a by [dueno](https://gitlab.com/dueno). Analysis of future commits will happen as normal.

---
*Comment posted by [LGTM.com](https://lgtm.com)*

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1199#note_301866676

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 09 Mar 2020 15:10:28 +0000
Subject: [gnutls-devel] GnuTLS | WIP: add more functions necessary for QUIC (!1197)

Daiki Ueno commented:

This requires !1201 to fix the test failure (the maximum extension number is currently exhausted).

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1197#note_301867813

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 09 Mar 2020 15:34:57 +0000
Subject: [gnutls-devel] GnuTLS | fuzz: add simple x509 certificate requests fuzzer (!1204)

Merge Request !1204 was approved by Nikos Mavrogiannopoulos

Merge Request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1204
Project:Branches: GostCrypt/gnutls:crl-crq-fuzz to gnutls/gnutls:master
Author: Dmitry Baryshkov
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1204

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 09 Mar 2020 15:35:05 +0000
Subject: [gnutls-devel] GnuTLS | fuzz: add simple x509 certificate requests fuzzer (!1204)

Nikos Mavrogiannopoulos commented:

Other than the comments LGTM

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1204#note_301886152

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 09 Mar 2020 17:19:28 +0000
Subject: [gnutls-devel] GnuTLS | fuzz: add simple x509 certificate requests fuzzer (!1204)

Dmitry Baryshkov pushed new commits to merge request !1204
https://gitlab.com/gnutls/gnutls/-/merge_requests/1204

* 1d147fd3 - fuzz: add simple x509 certificate requests and revocation lists fuzzers

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1204

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 09 Mar 2020 17:20:08 +0000
Subject: [gnutls-devel] GnuTLS | fuzz: add simple x509 certificate requests fuzzer (!1204)

Dmitry Baryshkov commented on a discussion on fuzz/gnutls_x509_crl_parser_fuzzer.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1204#note_301964688

> +/* > +# Copyright 2016 Google Inc. > +# > +# Licensed under the Apache License, Version 2.0 (the "License");

done

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1204#note_301964688

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 09 Mar 2020 17:20:19 +0000
Subject: [gnutls-devel] GnuTLS | fuzz: add simple x509 certificate requests fuzzer (!1204)

Dmitry Baryshkov commented on a discussion on fuzz/gnutls_x509_crl_parser_fuzzer.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1204#note_301964953

> +/* > +# Copyright 2016 Google Inc.

done

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1204#note_301964953

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 09 Mar 2020 17:20:19 +0000
Subject: [gnutls-devel] GnuTLS | fuzz: add simple x509 certificate requests fuzzer (!1204)

All discussions on Merge Request !1204 were resolved by Dmitry Baryshkov
https://gitlab.com/gnutls/gnutls/-/merge_requests/1204

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1204

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 09 Mar 2020 17:33:50 +0000
Subject: [gnutls-devel] GnuTLS | lib: use static assertion to check enum values (!1201)

Tim Rühsen commented:

Just pinged to LGTM community. If they don't help us, we have to remove LGTM analysis.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1201#note_301981754

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 09 Mar 2020 18:28:47 +0000
Subject: [gnutls-devel] GnuTLS | Add CRL and CRQ fuzzers (#903)

Issue was closed by Dmitry Baryshkov via commit 1d147fd30546d026c46470047151b2b0e80f1068

Issue #903: https://gitlab.com/gnutls/gnutls/-/issues/903

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/903

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 09 Mar 2020 18:28:47 +0000
Subject: [gnutls-devel] GnuTLS | Add CRL and CRQ fuzzers (#903)

Issue was closed by Dmitry Baryshkov via merge request !1204 (https://gitlab.com/gnutls/gnutls/-/merge_requests/1204)

Issue #903: https://gitlab.com/gnutls/gnutls/-/issues/903

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/903

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 09 Mar 2020 18:28:47 +0000
Subject: [gnutls-devel] GnuTLS | fuzz: add simple x509 certificate requests fuzzer (!1204)

Merge Request !1204 was merged

Merge Request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1204
Project:Branches: GostCrypt/gnutls:crl-crq-fuzz to gnutls/gnutls:master
Author: Dmitry Baryshkov
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1204

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 10 Mar 2020 09:19:06 +0000
Subject: [gnutls-devel] GnuTLS | x509: drop endless loop in print_extensions (!1205)

Dmitry Baryshkov created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1205

Project:Branches: GostCrypt/gnutls:fix-crq-ext to gnutls/gnutls:master
Author: Dmitry Baryshkov

Fix endless loop in print_extensions()

## Checklist
* [x] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [x] Code modified for feature
* [x] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
* [x] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:
* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1205

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 10 Mar 2020 09:19:28 +0000
Subject: [gnutls-devel] GnuTLS | lib/x509/output.c: remove occasioinal memory leak in print_issuer_sign_tool() (!1203)

Merge Request !1203 was merged

Merge Request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1203
Project:Branches: GostCrypt/gnutls:fix-issuer-sign-tool to gnutls/gnutls:master
Author: Dmitry Baryshkov
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1203

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 10 Mar 2020 09:24:28 +0000
Subject: [gnutls-devel] GnuTLS | Add support for loading Ed25519 keys from PKCS#11 and using them (!1200)

Dmitry Baryshkov commented on a discussion on lib/pkcs11_write.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1200#note_302292176

> break; > } > case GNUTLS_PK_EDDSA_ED25519: { > - gnutls_datum_t params; > + gnutls_datum_t params, ecpoint; > > + /* XXX This is wrong -- we need encode the curve name > + * not OID according to the last PKCS #11 3.0 draft */

According to [PKCS#11 spec](https://docs.oasis-open.org/pkcs11/pkcs11-curr/v3.0/cs01/pkcs11-curr-v3.0-cs01.html#_Toc30061182):

> Edwards EC public keys only support the use of the curveName selection to specify a curve name as defined in [RFC 8032] and the use of the oID selection to specify a curve through an EdDSA algorithm as defined in [RFC 8410]. Note that keys defined by RFC 8032 and RFC 8410 are incompatible.

So ideally we should support both curveName and OID.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1200#note_302292176

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 10 Mar 2020 10:08:23 +0000
Subject: [gnutls-devel] GnuTLS | Add support for loading Ed25519 keys from PKCS#11 and using them (!1200)

Dmitry Baryshkov commented on a discussion on lib/pkcs11_write.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1200#note_302323937

> (*a_val)++; > > + ret = _gnutls_x509_encode_string(ASN1_ETYPE_OCTET_STRING, > + pubkey->params.raw_pub.data, > + pubkey->params.raw_pub.size, > + &ecpoint); > + if (ret < 0) { > + gnutls_assert(); > + return ret; > + } > + > a[*a_val].type = CKA_EC_POINT; > - a[*a_val].value = pubkey->params.raw_pub.data; > - a[*a_val].value_len = pubkey->params.raw_pub.size; > + a[*a_val].value = ecpoint.data; > + a[*a_val].value_len = ecpoint.size;

I have tried looking into several other PKCS#11 implementations. Neither of YubiHSM2 PKCS11, OpenSC, NSS support Edwards keys for now. I'd suggest dropping a letter to authors of respective PKCS#11 spec for their comments.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1200#note_302323937

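Review bot: `ecpoint.data` is a fresh allocation from `_gnutls_x509_encode_string()` that ends up in `a[*a_val].value`, yet nothing in the quoted lines releases it, whereas the pointer it replaces (`pubkey->params.raw_pub.data`) was owned by `pubkey`. Please make sure the buffer is freed once the attribute array has been consumed, and check that the early `return ret` on encoding failure does not skip cleanup of anything allocated earlier in this `case`. A short comment stating that `CKA_EC_POINT` now carries the DER OCTET STRING wrapping rather than the raw key bytes would also help, given the open question in this discussion about which encoding the specification expects.
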
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 10 Mar 2020 14:27:44 +0000
Subject: [gnutls-devel] GnuTLS | lib: use static assertion to check enum values (!1201)

Anderson Sasaki commented:

s/interoduce/introduce/ in the first commit message. Other than this, the changes look good to me.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1201#note_302528691

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 10 Mar 2020 14:30:37 +0000
Subject: [gnutls-devel] GnuTLS | lib: use static assertion to check enum values (!1201)

Daiki Ueno pushed new commits to merge request !1201
https://gitlab.com/gnutls/gnutls/-/merge_requests/1201

* 5937fe57 - hello_ext: use 64-bit integer to track extensions
* d3ab18bb - lib: use static assertion to check enum values

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1201

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 10 Mar 2020 14:31:45 +0000
Subject: [gnutls-devel] GnuTLS | lib: use static assertion to check enum values (!1201)

Daiki Ueno commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/1201#note_302532234

Thank you; reworded it now.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1201#note_302532234

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 10 Mar 2020 14:31:47 +0000
Subject: [gnutls-devel] GnuTLS | lib: use static assertion to check enum values (!1201)

All discussions on Merge Request !1201 were resolved by Daiki Ueno
https://gitlab.com/gnutls/gnutls/-/merge_requests/1201

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1201

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 10 Mar 2020 14:52:51 +0000
Subject: [gnutls-devel] GnuTLS | lib: use static assertion to check enum values (!1201)

Tim Rühsen commented:

LGTM pull request analysis was skipped for d3ab18bbbdffc5e48df2054114f222ffb82af883 by [dueno](https://gitlab.com/dueno). Analysis of future commits will happen as normal.

---
*Comment posted by [LGTM.com](https://lgtm.com)*

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1201#note_302549073

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 10 Mar 2020 15:27:02 +0000
Subject: [gnutls-devel] GnuTLS | x509: drop endless loop in print_extensions (!1205)

Nikos Mavrogiannopoulos started a new discussion on lib/x509/output.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1205#note_302584308

> break; > addf(str, "error: get_extension_info: %s\n", > gnutls_strerror(err)); > + /* After addf to get error message */ > + if (err == GNUTLS_E_ASN1_DER_ERROR)

Given that the loop is infinite by design do we want to break on this error only or on any error? I'm thinking that a different error could potentially reactivate the infinite loop.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1205#note_302584308

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 10 Mar 2020 15:30:35 +0000 Subject: [gnutls-devel] GnuTLS | x509: drop endless loop in print_extensions (!1205) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos commented on a discussion on lib/x509/output.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1205#note_302587044 > break; > addf(str, "error: get_extension_info: %s\n", > gnutls_strerror(err)); > + /* After addf to get error message */ > + if (err == GNUTLS_E_ASN1_DER_ERROR) This infinite loop construction seems to be used a lot in this file, however only in few cases it can lead to infinite loops. There are two other identical to this one: `gnutls_x509_crl_get_extension_info()` and `gnutls_x509_crq_get_attribute_info()` Should we handle them similarly? (if you wouldn't like as part of this MR, I can submit another one) -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1205#note_302587044 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Mar 10 20:43:14 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 10 Mar 2020 19:43:14 +0000 Subject: [gnutls-devel] GnuTLS | x509: drop endless loop in print_extensions (!1205) In-Reply-To: References: Message-ID: Dmitry Baryshkov pushed new commits to merge request !1205 https://gitlab.com/gnutls/gnutls/-/merge_requests/1205 * a982ee66 - x509: drop endless loop in print_extensions * 70cb6599 - x509: apply same fix to print_crl * 01604f60 - x509: apply same fix to print_crq -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1205 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Mar 10 20:43:35 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 10 Mar 2020 19:43:35 +0000 Subject: [gnutls-devel] GnuTLS | x509: drop endless loop in print_extensions (!1205) In-Reply-To: References: Message-ID: All discussions on Merge Request !1205 were resolved by Dmitry Baryshkov https://gitlab.com/gnutls/gnutls/-/merge_requests/1205 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1205 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Mar 10 20:43:35 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 10 Mar 2020 19:43:35 +0000 Subject: [gnutls-devel] GnuTLS | x509: drop endless loop in print_extensions (!1205) In-Reply-To: References: Message-ID: Dmitry Baryshkov commented on a discussion on lib/x509/output.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1205#note_302732499 > break; > addf(str, "error: get_extension_info: %s\n", > gnutls_strerror(err)); > + /* After addf to get error message */ > + if (err == GNUTLS_E_ASN1_DER_ERROR) done -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1205#note_302732499 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Mar 10 21:14:27 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 10 Mar 2020 20:14:27 +0000 Subject: [gnutls-devel] GnuTLS | x509: drop endless loop in print_extensions (!1205) In-Reply-To: References: Message-ID: Merge request https://gitlab.com/gnutls/gnutls/-/merge_requests/1205 was reviewed by Nikos Mavrogiannopoulos -- Nikos Mavrogiannopoulos started a new discussion on lib/x509/output.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1205#note_302747152 > addf(str, "error: get_extension_info: %s\n", > gnutls_strerror(err)); > - continue; isn't the break missing here? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1205 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Mar 10 21:20:01 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 10 Mar 2020 20:20:01 +0000 Subject: [gnutls-devel] GnuTLS | support non-NULL-terminated PSKs (!917) In-Reply-To: References: Message-ID: Milestone changed to Release of GnuTLS 3.6.13 (Feb 2, 2020–Apr 4, 2020) ( https://gitlab.com/gnutls/gnutls/-/milestones/27 ) -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/917 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Mar 10 21:29:34 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 10 Mar 2020 20:29:34 +0000 Subject: [gnutls-devel] GnuTLS | ALPN issue (#951) In-Reply-To: References: Message-ID: Issue was closed by Nikos Mavrogiannopoulos Issue #951: https://gitlab.com/gnutls/gnutls/-/issues/951 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/951 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Mar 10 21:29:33 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 10 Mar 2020 20:29:33 +0000 Subject: [gnutls-devel] GnuTLS | ALPN issue (#951) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos commented: This sounds to me like a middleware bug here. The hello that works has smaller size than the hello that doesn't due to less ciphersuites being enabled. You may want to disable ciphersuites in your priority string to work-around the problem (e.g., "-DHE-RSA:-DHE-DSS" and other options based on what you see on wireshark). Not sure gnutls can do more in working around the middleware (though if you use the latest versions in 3.6.x branch they enable much less ciphersuites than earlier versions). I'm closing this but please feel free to re-open if you still believe the issue is in gnutls. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/951#note_302752913 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Mar 10 21:35:28 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 10 Mar 2020 20:35:28 +0000 Subject: [gnutls-devel] GnuTLS | x509: drop endless loop in print_extensions (!1205) In-Reply-To: References: Message-ID: Dmitry Baryshkov pushed new commits to merge request !1205 https://gitlab.com/gnutls/gnutls/-/merge_requests/1205 * e04f45d0 - x509: drop endless loop in print_extensions * 283af4cd - x509: apply same fix to print_crl * 12609f4f - x509: apply same fix to print_crq -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1205 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Mar 10 21:35:56 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 10 Mar 2020 20:35:56 +0000 Subject: [gnutls-devel] GnuTLS | x509: drop endless loop in print_extensions (!1205) In-Reply-To: References: Message-ID: Dmitry Baryshkov commented on a discussion on lib/x509/output.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1205#note_302755283 > return; > } > > + if (err == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) > + break; > if (err < 0) { > - if (err == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) > - break; > addf(str, "error: get_extension_info: %s\n", > gnutls_strerror(err)); > - continue; True, fixed now. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1205#note_302755283 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Mar 10 21:35:58 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 10 Mar 2020 20:35:58 +0000 Subject: [gnutls-devel] GnuTLS | x509: drop endless loop in print_extensions (!1205) In-Reply-To: References: Message-ID: All discussions on Merge Request !1205 were resolved by Dmitry Baryshkov https://gitlab.com/gnutls/gnutls/-/merge_requests/1205 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1205 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Mar 10 21:39:28 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 10 Mar 2020 20:39:28 +0000 Subject: [gnutls-devel] GnuTLS | x509: drop endless loop in print_extensions (!1205) In-Reply-To: References: Message-ID: Merge Request !1205 was approved by Nikos Mavrogiannopoulos Merge Request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1205 Project:Branches: GostCrypt/gnutls:fix-crq-ext to gnutls/gnutls:master Author: Dmitry Baryshkov Assignees: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1205 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Mar 10 21:39:48 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 10 Mar 2020 20:39:48 +0000 Subject: [gnutls-devel] GnuTLS | x509: drop endless loop in print_extensions (!1205) In-Reply-To: References: Message-ID: Milestone changed to Release of GnuTLS 3.6.13 (Feb 2, 2020–Apr 4, 2020) ( https://gitlab.com/gnutls/gnutls/-/milestones/27 ) -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1205 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Mar 11 10:13:24 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 11 Mar 2020 09:13:24 +0000 Subject: [gnutls-devel] GnuTLS | lib: use static assertion to check enum values (!1201) In-Reply-To: References: Message-ID: Merge Request !1201 was approved by Nikos Mavrogiannopoulos Merge Request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1201 Branches: tmp-static-assert to master Author: Daiki Ueno Assignees: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1201 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Mar 11 10:20:06 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 11 Mar 2020 09:20:06 +0000 Subject: [gnutls-devel] GnuTLS | lib: use static assertion to check enum values (!1201) In-Reply-To: References: Message-ID: Merge Request !1201 was merged Merge Request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1201 Branches: tmp-static-assert to master Author: Daiki Ueno Assignees: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1201 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Mar 11 10:21:15 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 11 Mar 2020 09:21:15 +0000 Subject: [gnutls-devel] GnuTLS | x509: drop endless loop in print_extensions (!1205) In-Reply-To: References: Message-ID: Merge Request !1205 was merged Merge Request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1205 Project:Branches: GostCrypt/gnutls:fix-crq-ext to gnutls/gnutls:master Author: Dmitry Baryshkov Assignees: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1205 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Mar 11 13:31:49 2020 
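The question raised in the !1205 discussion above (break on one error only, or on any error) can be checked on a small model. This is an added example, not code from GnuTLS: the getter, the error constants and the iteration cap are hypothetical stand-ins, and the input is constructed so that decoding fails from one index onward.

```c
#include <stdio.h>

/* Constructed stand-ins for the GnuTLS error codes named in the thread. */
#define MOCK_E_DATA_NOT_AVAILABLE (-1)  /* index is past the last extension */
#define MOCK_E_ASN1_DER_ERROR     (-2)  /* extension data does not decode */
#define MOCK_E_OTHER              (-3)  /* any other persistent failure */

#define ITER_CAP 1000u  /* demo guard only: the loop under review had no bound */

/* Constructed input: an object whose extension list stops decoding at
 * some index and fails the same way for every index after it. */
struct mock_obj {
    unsigned n_ext;    /* well-formed extensions */
    int broken_from;   /* first failing index, or -1 if none */
    int broken_err;    /* error returned at and after broken_from */
};

/* Hypothetical getter with the "ask by index until told to stop" shape. */
static int mock_get_extension_info(const struct mock_obj *o, unsigned indx,
                                   char *oid, size_t oid_size)
{
    if (o->broken_from >= 0 && indx >= (unsigned)o->broken_from)
        return o->broken_err;
    if (indx >= o->n_ext)
        return MOCK_E_DATA_NOT_AVAILABLE;
    snprintf(oid, oid_size, "2.5.29.%u", 14u + indx);
    return 0;
}

enum policy { OLD_CONTINUE, BREAK_ON_DER_ONLY, BREAK_ON_ANY };

struct walk_result {
    unsigned iterations, printed, errors;
    int hit_cap;       /* 1 if only the demo guard stopped the loop */
};

static struct walk_result walk(const struct mock_obj *o, enum policy p)
{
    struct walk_result r = { 0, 0, 0, 0 };
    char oid[64];

    for (unsigned i = 0;; i++) {
        if (r.iterations == ITER_CAP) {
            r.hit_cap = 1;
            break;
        }
        r.iterations++;

        int err = mock_get_extension_info(o, i, oid, sizeof(oid));
        if (err == MOCK_E_DATA_NOT_AVAILABLE)
            break;                 /* normal end of the list */
        if (err < 0) {
            r.errors++;            /* stands for the addf("error: ...") line */
            if (p == BREAK_ON_ANY)
                break;
            if (p == BREAK_ON_DER_ONLY && err == MOCK_E_ASN1_DER_ERROR)
                break;
            continue;              /* the next index fails the same way */
        }
        r.printed++;               /* stands for printing the extension */
    }
    return r;
}

int main(void)
{
    const struct mock_obj inputs[] = {
        { 3, -1, 0 },                      /* well formed */
        { 3, 2, MOCK_E_ASN1_DER_ERROR },   /* DER error from index 2 */
        { 3, 2, MOCK_E_OTHER },            /* a different persistent error */
    };
    const char *names[] = { "continue", "break-on-DER", "break-on-any" };

    for (unsigned i = 0; i < 3; i++)
        for (int p = OLD_CONTINUE; p <= BREAK_ON_ANY; p++) {
            struct walk_result r = walk(&inputs[i], (enum policy)p);
            printf("input %u %-13s printed=%u errors=%u %s\n", i, names[p],
                   r.printed, r.errors, r.hit_cap ? "NO EXIT" : "ok");
        }
    return 0;
}
```

Only the break-on-any policy terminates for every input; the DER-only check still runs to the cap when the getter keeps returning some other error.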
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 11 Mar 2020 12:31:49 +0000 Subject: [gnutls-devel] GnuTLS | Improve FIPS signatures self-tests (!1206) References: Message-ID: Anderson Sasaki created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1206 Project:Branches: ansasaki/gnutls:improve_fips_selftests to gnutls/gnutls:master Author: Anderson Sasaki

This supersedes !1073

The goal of this patch set is to fix some bugs and clarify what are the tests actually executed for signing algorithms during the FIPS power-on self-tests.

It addresses a few bugs which could misguide the reader:

* The ``PK_KNOWN_TEST`` and ``PK_TEST`` macros included the check for ``GNUTLS_SELF_TEST_FLAG_ALL``. If more than one test was declared in a sequence, only the first one would be executed when the flag was not set. The macros were changed to not check the ``GNUTLS_SELF_TEST_FLAG_ALL``, allowing more than one test to be executed in sequence.
* The ``test_sig()`` function always uses the same key regardless of the value provided in the ``bits`` parameter. The value given in the ``bits`` parameter only changes the output message. Thus, calling ``test_sig()`` multiple times for a single key type passing different values in ``bits`` would always use the same key, but print messages as if different keys were tested. The code was changed to not call ``test_sig()`` for algorithms tested with ``test_known_sig()`` and to call ``test_sig()`` only once per key type.
* Previously, the ``test_known_sig()`` would generate signatures only for deterministic algorithms. For non-deterministic algorithms only the verification operation was exercised. The code was changed to call ``test_known_sig()`` only for deterministic algorithms, which can have known answer tests.

Other than the bugs addressed, the following improvements were made:

* Use deterministic signatures generation for ECDSA and DSA tests. This allows known answer tests to be executed for these algorithms
* Use 2048 bits long key for DSA tests instead of 512 bits key

Note:

* The RSA-PSS signature verification fails when deterministic signature is generated (with zero salt). Thus, the test for RSA-PSS was not changed to be a known answer test.

## Checklist

* [x] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [x] Code modified for feature
* [ ] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
* [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:

* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1206 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Mar 11 13:49:15 2020 
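A reduced model of the first bug listed in the !1206 description above, added here as an illustration and not taken from the GnuTLS sources. The test names, key types and the place where the corrected version checks the flag are assumptions; only the shape (a flag check inside the per-test macro, several tests declared in sequence) comes from the description.

```c
#include <stdio.h>
#include <string.h>

#define FLAG_ALL 1u   /* stands in for GNUTLS_SELF_TEST_FLAG_ALL */

enum pk { PK_RSA, PK_ECDSA };   /* hypothetical key types */
enum test_id { RSA_KAT, RSA_PSS_PAIRWISE, ECDSA_P256_KAT, ECDSA_P384_KAT,
               N_TESTS };       /* hypothetical test names */

static int ran[N_TESTS];        /* which tests actually executed */

static int run_test(enum test_id id)
{
    ran[id] = 1;
    return 0;                   /* every modelled test passes */
}

static int count_ran(void)
{
    int n = 0;
    for (int i = 0; i < N_TESTS; i++)
        n += ran[i];
    return n;
}

/* Before: the flag check lives in the macro, so without FLAG_ALL the
 * function returns right after the first test of a sequence. */
#define PK_TEST_OLD(id)                        \
    do {                                       \
        ret = run_test(id);                    \
        if (ret < 0) return ret;               \
        if (!(flags & FLAG_ALL)) return 0;     \
    } while (0)

/* After: the macro only runs the test and propagates failure. */
#define PK_TEST_NEW(id)                        \
    do {                                       \
        ret = run_test(id);                    \
        if (ret < 0) return ret;               \
    } while (0)

static int self_test_old(unsigned flags, enum pk pk)
{
    int ret;
    switch (pk) {
    case PK_RSA:
        PK_TEST_OLD(RSA_KAT);
        PK_TEST_OLD(RSA_PSS_PAIRWISE);   /* unreachable without FLAG_ALL */
        /* fall through */
    case PK_ECDSA:
        PK_TEST_OLD(ECDSA_P256_KAT);
        PK_TEST_OLD(ECDSA_P384_KAT);     /* unreachable without FLAG_ALL */
    }
    return 0;
}

static int self_test_new(unsigned flags, enum pk pk)
{
    int ret;
    switch (pk) {
    case PK_RSA:
        PK_TEST_NEW(RSA_KAT);
        PK_TEST_NEW(RSA_PSS_PAIRWISE);
        /* Assumed placement: one flag check per key type, after its tests. */
        if (!(flags & FLAG_ALL)) return 0;
        /* fall through */
    case PK_ECDSA:
        PK_TEST_NEW(ECDSA_P256_KAT);
        PK_TEST_NEW(ECDSA_P384_KAT);
    }
    return 0;
}

/* Run one variant from a clean slate and report how many tests executed. */
static int tests_executed(int (*fn)(unsigned, enum pk), unsigned flags,
                          enum pk pk)
{
    memset(ran, 0, sizeof(ran));
    if (fn(flags, pk) < 0)
        return -1;
    return count_ran();
}

int main(void)
{
    printf("RSA, single key type: old=%d new=%d\n",
           tests_executed(self_test_old, 0, PK_RSA),
           tests_executed(self_test_new, 0, PK_RSA));
    printf("RSA, FLAG_ALL:        old=%d new=%d\n",
           tests_executed(self_test_old, FLAG_ALL, PK_RSA),
           tests_executed(self_test_new, FLAG_ALL, PK_RSA));
    return 0;
}
```

With the flag check inside the macro, a power-on self-test for one key type reports success after running a single test, which is the coverage gap the description calls out.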
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 11 Mar 2020 12:49:15 +0000 Subject: [gnutls-devel] GnuTLS | .lgtm.yml: disable dependency tracking (!1207) References: Message-ID: Nikos Mavrogiannopoulos created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1207 Project:Branches: nmav/gnutls:tmp-lgtm to gnutls/gnutls:master Author: Nikos Mavrogiannopoulos This disables dependency tracking in LGTM in order to allow it functioning. ## Reviewer's checklist: * [ ] Any issues marked for closing are addressed * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md` * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1207 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Mar 11 14:23:35 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 11 Mar 2020 13:23:35 +0000 Subject: [gnutls-devel] GnuTLS | .lgtm.yml: disable dependency tracking (!1207) In-Reply-To: References: Message-ID: Tim Rühsen commented: Does it make sense to push this to gnutls/gnutls to see if LGTM succeeds !? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1207#note_303193997 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Mar 11 16:32:15 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 11 Mar 2020 15:32:15 +0000 Subject: [gnutls-devel] GnuTLS | .lgtm.yml: disable dependency tracking (!1207) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos commented: @rockdaboot if you approve it we can merge it. Or do you mean something different? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1207#note_303303320 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Mar 11 16:44:24 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 11 Mar 2020 15:44:24 +0000 Subject: [gnutls-devel] GnuTLS | .lgtm.yml: disable dependency tracking (!1207) In-Reply-To: References: Message-ID: Tim Rühsen commented: We still don't know if that change helps. The pipeline did not trigger the LGTM analysis. I think we have to push this branch to gnutls/gnutls. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1207#note_303311868 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Mar 11 20:41:53 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 11 Mar 2020 19:41:53 +0000 Subject: [gnutls-devel] GnuTLS | .lgtm.yml: disable dependency tracking (!1207) In-Reply-To: References: Message-ID: Dmitry Baryshkov commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/1207#note_303445633 Strange. Previously LGTM was working for merge requests. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1207#note_303445633 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Mar 11 21:05:14 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 11 Mar 2020 20:05:14 +0000 Subject: [gnutls-devel] GnuTLS | .lgtm.yml: disable dependency tracking (!1208) References: Message-ID: Nikos Mavrogiannopoulos created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1208 Branches: tmp-lgtm to master Author: Nikos Mavrogiannopoulos This disables dependency tracking in LGTM in order to allow it functioning. ## Reviewer's checklist: * [ ] Any issues marked for closing are addressed * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md` * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1208 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Mar 11 21:05:39 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 11 Mar 2020 20:05:39 +0000 Subject: [gnutls-devel] GnuTLS | .lgtm.yml: disable dependency tracking (!1207) In-Reply-To: References: Message-ID: Merge Request !1207 was closed by Nikos Mavrogiannopoulos Merge Request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1207 Project:Branches: nmav/gnutls:tmp-lgtm to gnutls/gnutls:master Author: Nikos Mavrogiannopoulos Assignees: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1207 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Mar 11 21:05:38 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 11 Mar 2020 20:05:38 +0000 Subject: [gnutls-devel] GnuTLS | .lgtm.yml: disable dependency tracking (!1207) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos commented: Closed in favor of !1208 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1207#note_303458049 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Mar 11 21:59:27 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 11 Mar 2020 20:59:27 +0000 Subject: [gnutls-devel] GnuTLS | .lgtm.yml: disable dependency tracking (!1208) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos pushed new commits to merge request !1208 https://gitlab.com/gnutls/gnutls/-/merge_requests/1208 * 1648a7d3 - .lgtm.yml: disable dependency tracking -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1208 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Mar 11 22:23:41 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 11 Mar 2020 21:23:41 +0000 Subject: [gnutls-devel] GnuTLS | .lgtm.yml: disable dependency tracking (!1208) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos commented: It still fails, but the failure is different now:

```
[2020-03-11 21:12:44] [build] CC vasnprintf.lo
[2020-03-11 21:12:45] [build] CCLD libgnu.la
[2020-03-11 21:12:45] [build] ar: `u' modifier ignored since `D' is the default (see `U')
[2020-03-11 21:12:45] [build] make[4]: Leaving directory '/opt/src/gl'
[2020-03-11 21:12:45] [build] Making all in tests
[2020-03-11 21:12:45] [build] Makefile:5653: *** target pattern contains no '%'. Stop.
[2020-03-11 21:12:45] [build] make[4]: Entering directory '/opt/src/gl/tests'
[2020-03-11 21:12:45] [build] make[4]: Leaving directory '/opt/src/gl/tests'
[2020-03-11 21:12:45] [build] make[3]: *** [Makefile:1960: all-recursive] Error 1
[2020-03-11 21:12:45] [build] make[3]: Leaving directory '/opt/src/gl'
[2020-03-11 21:12:45] [build] make[2]: *** [Makefile:1810: all] Error 2
[2020-03-11 21:12:45] [build] make[2]: Leaving directory '/opt/src/gl'
[2020-03-11 21:12:45] [build] make[1]: *** [Makefile:1744: all-recursive] Error 1
[2020-03-11 21:12:45] [build] make[1]: Leaving directory '/opt/src'
[2020-03-11 21:12:45] [build] make: *** [Makefile:1671: all] Error 2
[2020-03-11 21:12:45] [ERROR] Spawned process exited abnormally (code 2; tried to run: [/opt/dist/tools/preload_tracer, /opt/out/snapshot/workspace/lgtm/index_build_command.sh])
```

-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1208#note_303488072 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Mar 11 22:36:03 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 11 Mar 2020 21:36:03 +0000 Subject: [gnutls-devel] GnuTLS | .lgtm.yml: disable dependency tracking (!1208) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos pushed new commits to merge request !1208 https://gitlab.com/gnutls/gnutls/-/merge_requests/1208 * 4548a3ec - .lgtm.yml: run autoreconf before configure to work-around gnulib failure -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1208 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Mar 12 10:35:46 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 12 Mar 2020 09:35:46 +0000 Subject: [gnutls-devel] GnuTLS | lib/x509: use common routine for parsing data version (!1209) References: Message-ID: Dmitry Baryshkov created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1209 Project:Branches: GostCrypt/gnutls:x509-version to gnutls/gnutls:master Author: Dmitry Baryshkov Fix https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=21153 ## Checklist * [x] Commits have `Signed-off-by:` with name/author being identical to the commit author * [x] Code modified for feature * [x] Test suite updated with functionality tests * [ ] Test suite updated with negative tests * [ ] Documentation updated / NEWS entry present (for non-trivial changes) * [x] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout) ## Reviewer's checklist: * [ ] Any issues marked for closing are addressed * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md` * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1209 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Mar 12 10:54:52 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 12 Mar 2020 09:54:52 +0000 Subject: [gnutls-devel] GnuTLS | lib/x509: use common routine for parsing data version (!1209) In-Reply-To: References: Message-ID: Tim Rühsen started a new discussion on lib/x509/common.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1209#note_303760965 > else > return gnutls_assert_val(GNUTLS_GOST_PARAMSET_UNKNOWN); > } > + > +int _gnutls_x509_get_version(asn1_node root, const char *name) The latest asn1_read_value uses type `asn1_node_const` for the first param. Does it make sense to use the same type here as well ? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1209#note_303760965 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Mar 12 10:55:50 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 12 Mar 2020 09:55:50 +0000 Subject: [gnutls-devel] GnuTLS | lib/x509: use common routine for parsing data version (!1209) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos started a new discussion on lib/x509/common.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1209#note_303761627 > else > return gnutls_assert_val(GNUTLS_GOST_PARAMSET_UNKNOWN); > } > + > +int _gnutls_x509_get_version(asn1_node root, const char *name) > +{ > + uint8_t version[8]; > + int len, result; > + > + len = sizeof(version); > + result = asn1_read_value(root, name, version, &len); > + if (result != ASN1_SUCCESS) { > + if (result == ASN1_ELEMENT_NOT_FOUND) LGTM to me overall. A question, is the default in all of them the version 1? (I haven't verified) -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1209#note_303761627 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Mar 12 10:57:07 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 12 Mar 2020 09:57:07 +0000 Subject: [gnutls-devel] GnuTLS | lib/x509: use common routine for parsing data version (!1209) In-Reply-To: References: Message-ID: Dmitry Baryshkov pushed new commits to merge request !1209 https://gitlab.com/gnutls/gnutls/-/merge_requests/1209 * ab099dea - lib/x509: use common routine for parsing data version -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1209 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Mar 12 11:21:47 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 12 Mar 2020 10:21:47 +0000 Subject: [gnutls-devel] GnuTLS | lib/x509: use common routine for parsing data version (!1209) In-Reply-To: References: Message-ID: Dmitry Baryshkov pushed new commits to merge request !1209 https://gitlab.com/gnutls/gnutls/-/merge_requests/1209 * 2c87dbab - lib/x509: use common routine for parsing data version -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1209 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Mar 12 11:23:28 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 12 Mar 2020 10:23:28 +0000 Subject: [gnutls-devel] GnuTLS | lib/x509: use common routine for parsing data version (!1209) In-Reply-To: References: Message-ID: Dmitry Baryshkov commented on a discussion on lib/x509/common.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1209#note_303781988 > else > return gnutls_assert_val(GNUTLS_GOST_PARAMSET_UNKNOWN); > } > + > +int _gnutls_x509_get_version(asn1_node root, const char *name) Fixed to use `ASN1_TYPE` as `gnutls_crl_int` and the rest of the structures do. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1209#note_303781988 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Mar 12 11:42:23 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 12 Mar 2020 10:42:23 +0000
Subject: [gnutls-devel] GnuTLS | lib/x509: use common routine for parsing data version (!1209)
In-Reply-To: References: Message-ID:

Tim Rühsen commented on a discussion on lib/x509/common.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1209#note_303795885

> else > return gnutls_assert_val(GNUTLS_GOST_PARAMSET_UNKNOWN); > } > + > +int _gnutls_x509_get_version(asn1_node root, const char *name) > +{ > + uint8_t version[8]; > + int len, result; > + > + len = sizeof(version); > + result = asn1_read_value(root, name, version, &len); > + if (result != ASN1_SUCCESS) { > + if (result == ASN1_ELEMENT_NOT_FOUND)

@nmav At what point should we use the new libtasn1 const types like `asn1_node_const` ? We would force users to use a recent libtasn1 when building the latest gnutls then...

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1209#note_303795885

From gnutls-devel at lists.gnutls.org Thu Mar 12 11:53:57 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 12 Mar 2020 10:53:57 +0000
Subject: [gnutls-devel] GnuTLS | lib/x509: use common routine for parsing data version (!1209)
In-Reply-To: References: Message-ID:

Dmitry Baryshkov commented on a discussion on lib/x509/common.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1209#note_303806719

> else > return gnutls_assert_val(GNUTLS_GOST_PARAMSET_UNKNOWN); > } > + > +int _gnutls_x509_get_version(asn1_node root, const char *name) > +{ > + uint8_t version[8]; > + int len, result; > + > + len = sizeof(version); > + result = asn1_read_value(root, name, version, &len); > + if (result != ASN1_SUCCESS) { > + if (result == ASN1_ELEMENT_NOT_FOUND)

`TBSCertificate`, `TBSRequest` and `TBSResponse` definitions contain explicit `Version DEFAULT v1` note. For CRLs it is quite different (see https://tools.ietf.org/html/rfc5280):

```
Version ::= INTEGER { v1(0), v2(1), v3(2) }
TBSCertList ::= SEQUENCE {
    version Version OPTIONAL, -- if present, MUST be v2
```

I think the problem comes from section 5.2 which specifies:

```
Conforming CAs that issue CRLs are required to include the authority key identifier (see sec. 5.2.1) and the CRL number (see sec. 5.2.3) extensions in all CRLs issued.
```

Which means that all issued CRLs MUST contain version field which should be v2. x.509 spec from 1997 contains following paragraph:

```
If any extensions included in a CertificateList are defined as critical, the version element of the CertificateList shall be present. If no extensions defined as critical are included, the version element shall be absent. This may permit an implementation that only supports version 1 CRLs to still use the CRL if in its examination of the revokedCertificates sequence in the CRL, it does not encounter an extension. An implementation that supports version 2 (or greater) CRLs may be able to optimize its processing if it can determine early in processing that no critical extensions are present in the CRL.
```

Judging from this I think that it is safe to default `v1(0)` if there is no `tbsCertList.version` field.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1209#note_303806719

From gnutls-devel at lists.gnutls.org Thu Mar 12 11:58:14 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 12 Mar 2020 10:58:14 +0000
Subject: [gnutls-devel] libtasn1 | Add release script and announcement template [skip ci] (!57)
References: Message-ID:

Tim Rühsen created a merge request: https://gitlab.com/gnutls/libtasn1/-/merge_requests/57

Branches: tmp-release-script to master
Author: Tim Rühsen

Adding release helper script and an announcement template.

## Checklist
* [ ] Code modified for feature
* [ ] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated

## Reviewer's checklist:
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent with other code
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/-/merge_requests/57

From gnutls-devel at lists.gnutls.org Thu Mar 12 12:42:08 2020
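The CRL default discussed for merge request !1209 above (an absent `tbsCertList.version` read as `v1(0)`), as an added example that is not GnuTLS or libtasn1 code. It is a minimal DER reader; `der_header`, `crl_tbs_version`, `CRL_VERSION_ERROR` and the byte arrays are hypothetical names and constructed, abbreviated inputs.

```c
/* Added example, not GnuTLS or libtasn1 code: decide whether the OPTIONAL
 * version of a DER TBSCertList is present and default to v1(0) if not. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define CRL_VERSION_ERROR (-1)

/* Read one DER header at buf[*pos]. On success store the tag and content
 * length and move *pos to the first content byte. Only the low-tag-number
 * form and definite lengths of at most 4 length bytes are accepted. */
static int der_header(const uint8_t *buf, size_t size, size_t *pos,
                      uint8_t *tag, size_t *len)
{
    size_t p = *pos, value = 0;
    unsigned nbytes;

    if (p >= size || size - p < 2)
        return -1;                      /* no room for tag + length */
    *tag = buf[p++];
    if ((*tag & 0x1f) == 0x1f)
        return -1;                      /* multi-byte tags not needed here */
    if (buf[p] < 0x80) {
        value = buf[p++];               /* short form */
    } else {
        nbytes = buf[p++] & 0x7f;       /* long form; 0x80 is indefinite */
        if (nbytes == 0 || nbytes > 4 || size - p < nbytes)
            return -1;
        while (nbytes--)
            value = (value << 8) | buf[p++];
    }
    if (value > size - p)
        return -1;                      /* content runs past the buffer */
    *pos = p;
    *len = value;
    return 0;
}

/* Return the version exactly as encoded (v1 = 0, v2 = 1), 0 when the field
 * is absent, or CRL_VERSION_ERROR on malformed input. In a TBSCertList the
 * version is an untagged INTEGER, so absence shows up as the first element
 * already being the `signature` AlgorithmIdentifier SEQUENCE. Enforcing
 * RFC 5280's "if present, MUST be v2" is left to the caller. */
int crl_tbs_version(const uint8_t *tbs, size_t size)
{
    size_t pos = 0, len, end;
    uint8_t tag;

    if (der_header(tbs, size, &pos, &tag, &len) < 0 || tag != 0x30)
        return CRL_VERSION_ERROR;       /* TBSCertList must be a SEQUENCE */
    end = pos + len;                    /* inner elements must stay inside */

    if (der_header(tbs, end, &pos, &tag, &len) < 0)
        return CRL_VERSION_ERROR;       /* empty or truncated SEQUENCE */
    if (tag == 0x30)
        return 0;                       /* version absent: default v1(0) */
    if (tag != 0x02 || len != 1 || tbs[pos] > 0x7f)
        return CRL_VERSION_ERROR;       /* not a small non-negative INTEGER */
    return tbs[pos];
}

/* Constructed inputs: only the start of a TBSCertList (version and the
 * sha256WithRSAEncryption AlgorithmIdentifier), not a complete CRL. */
static const uint8_t crl_v2[] = {
    0x30, 0x12, 0x02, 0x01, 0x01,
    0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01,
    0x0b, 0x05, 0x00
};
static const uint8_t crl_no_version[] = {
    0x30, 0x0f,
    0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01,
    0x0b, 0x05, 0x00
};
static const uint8_t crl_negative[] = { 0x30, 0x03, 0x02, 0x01, 0xff };

int main(void)
{
    printf("version present : %d\n", crl_tbs_version(crl_v2, sizeof(crl_v2)));
    printf("version absent  : %d\n",
           crl_tbs_version(crl_no_version, sizeof(crl_no_version)));
    printf("truncated input : %d\n", crl_tbs_version(crl_v2, 4));
    printf("negative INTEGER: %d\n",
           crl_tbs_version(crl_negative, sizeof(crl_negative)));
    return 0;
}
```
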
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 12 Mar 2020 11:42:08 +0000
Subject: [gnutls-devel] GnuTLS | lib/x509: use common routine for parsing data version (!1209)
In-Reply-To: References: Message-ID:

Dmitry Baryshkov commented on a discussion on lib/x509/common.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1209#note_303837556

> else > return gnutls_assert_val(GNUTLS_GOST_PARAMSET_UNKNOWN); > } > + > +int _gnutls_x509_get_version(asn1_node root, const char *name) > +{ > + uint8_t version[8]; > + int len, result; > + > + len = sizeof(version); > + result = asn1_read_value(root, name, version, &len); > + if (result != ASN1_SUCCESS) { > + if (result == ASN1_ELEMENT_NOT_FOUND)

@rockdaboot what about switching to `asn1_node` and `asn1_node_const` directly and just having internally the following piece of code?

```c
#if ASN1_VERSION < 0x40d00
#define asn1_node_const asn1_node
#endif
```

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1209#note_303837556

From gnutls-devel at lists.gnutls.org Thu Mar 12 12:43:09 2020
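Review bot: in `_gnutls_x509_get_version()`, the quoted lines reach the `ASN1_ELEMENT_NOT_FOUND` branch with no comment stating what the helper yields when the version element is absent. The thread establishes that certificates, requests and responses carry `Version DEFAULT v1` while `TBSCertList.version` is OPTIONAL, so a short comment above the function documenting the absent-field result, and how callers tell a version from an error in the `int` return, would keep each call site from re-deriving it.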
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 12 Mar 2020 11:43:09 +0000
Subject: [gnutls-devel] GnuTLS | lib/x509: use common routine for parsing data version (!1209)
In-Reply-To: References: Message-ID:

Dmitry Baryshkov commented on a discussion on lib/x509/common.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1209#note_303838101

> else > return gnutls_assert_val(GNUTLS_GOST_PARAMSET_UNKNOWN); > } > + > +int _gnutls_x509_get_version(asn1_node root, const char *name) > +{ > + uint8_t version[8]; > + int len, result; > + > + len = sizeof(version); > + result = asn1_read_value(root, name, version, &len); > + if (result != ASN1_SUCCESS) { > + if (result == ASN1_ELEMENT_NOT_FOUND)

For the reference: `asn1_node_const` was defined in 4.14, released 2019-07-21.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1209#note_303838101

From gnutls-devel at lists.gnutls.org Thu Mar 12 12:54:37 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 12 Mar 2020 11:54:37 +0000
Subject: [gnutls-devel] GnuTLS | WIP: fips: Improve signatures self-tests (!1073)
In-Reply-To: References: Message-ID:

Merge Request !1073 was closed by Daiki Ueno

Merge Request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1073
Branches: tmp-fips-sign-post to master
Author: Daiki Ueno
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1073

From gnutls-devel at lists.gnutls.org Thu Mar 12 12:54:37 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 12 Mar 2020 11:54:37 +0000
Subject: [gnutls-devel] GnuTLS | WIP: fips: Improve signatures self-tests (!1073)
In-Reply-To: References: Message-ID:

Daiki Ueno commented:

Closing in favor of !1206.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1073#note_303844671

From gnutls-devel at lists.gnutls.org Thu Mar 12 12:58:14 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 12 Mar 2020 11:58:14 +0000
Subject: [gnutls-devel] GnuTLS | lib/x509: use common routine for parsing data version (!1209)
In-Reply-To: References: Message-ID:

All discussions on Merge Request !1209 were resolved by Nikos Mavrogiannopoulos https://gitlab.com/gnutls/gnutls/-/merge_requests/1209

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1209

From gnutls-devel at lists.gnutls.org Thu Mar 12 13:05:19 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 12 Mar 2020 12:05:19 +0000
Subject: [gnutls-devel] GnuTLS | RELEASES.md: describe the release process [ci skip] (!1202)
In-Reply-To: References: Message-ID:

Daiki Ueno commented:

It's a bit belated, but shouldn't it also mention how and when to update the ABI related files for a release:

* `LT_CURRENT`, `LT_REVISION`, and `LT_AGE` in `m4/hooks.m4`
* `devel/libgnutls-$(VERSION)-x86_64.abi`
* `devel/libdane-$(VERSION)-x86_64.abi`

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1202#note_303851007

From gnutls-devel at lists.gnutls.org Thu Mar 12 13:17:42 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 12 Mar 2020 12:17:42 +0000
Subject: [gnutls-devel] GnuTLS | Improve FIPS signatures self-tests (!1206)
In-Reply-To: References: Message-ID:

Hubert Kario (@mention me if you need reply) commented:

> The RSA-PSS signature verification fails when deterministic signature is generated (with zero salt). Thus, the test for RSA-PSS was not changed to be a known answer test.

why?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1206#note_303858343

From gnutls-devel at lists.gnutls.org Thu Mar 12 13:28:32 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 12 Mar 2020 12:28:32 +0000
Subject: [gnutls-devel] GnuTLS | lib/x509: use common routine for parsing data version (!1209)
In-Reply-To: References: Message-ID:

Tim Rühsen commented on a discussion on lib/x509/common.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1209#note_303864852

> else > return gnutls_assert_val(GNUTLS_GOST_PARAMSET_UNKNOWN); > } > + > +int _gnutls_x509_get_version(asn1_node root, const char *name) > +{ > + uint8_t version[8]; > + int len, result; > + > + len = sizeof(version); > + result = asn1_read_value(root, name, version, &len); > + if (result != ASN1_SUCCESS) { > + if (result == ASN1_ELEMENT_NOT_FOUND)

Thanks. I guess it was me who introduced the asn1_node_const :smile:. Anyways, I will prepare a commit for libtasn1 so that deprecated defines will be warned about (e.g. when used in gnutls).

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1209#note_303864852

From gnutls-devel at lists.gnutls.org Thu Mar 12 13:28:35 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 12 Mar 2020 12:28:35 +0000
Subject: [gnutls-devel] GnuTLS | lib/x509: use common routine for parsing data version (!1209)
In-Reply-To: References: Message-ID:

All discussions on Merge Request !1209 were resolved by Tim Rühsen https://gitlab.com/gnutls/gnutls/-/merge_requests/1209

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1209

From gnutls-devel at lists.gnutls.org Thu Mar 12 14:34:20 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 12 Mar 2020 13:34:20 +0000
Subject: [gnutls-devel] GnuTLS | Improve FIPS signatures self-tests (!1206)
In-Reply-To: References: Message-ID:

Hubert Kario (@mention me if you need reply) commented:

I don't get why `ecc_key` gets different treatment than `ecdsa_secp256r1_privkey` and the rest of secp keys

the ordering of the consts with keys and expected values could be more orderly too

good enough otherwise

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1206#note_303928307

From gnutls-devel at lists.gnutls.org Thu Mar 12 15:22:38 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 12 Mar 2020 14:22:38 +0000
Subject: [gnutls-devel] libtasn1 | Tmp deprecation (!58)
References: Message-ID:

Tim Rühsen created a merge request: https://gitlab.com/gnutls/libtasn1/-/merge_requests/58

Branches: tmp-deprecation to master
Author: Tim Rühsen

Print deprecation warnings on using deprecated macros. Fix these warnings for examples and fuzzers.

## Checklist
* [x] Code modified for feature

## Reviewer's checklist:
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent with other code
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/-/merge_requests/58

From gnutls-devel at lists.gnutls.org Thu Mar 12 16:00:15 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 12 Mar 2020 15:00:15 +0000
Subject: [gnutls-devel] GnuTLS | Improve FIPS signatures self-tests (!1206)
In-Reply-To: References: Message-ID:

Anderson Sasaki commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/1206#note_304018271

> why?

Because there is a bug in the verification. Basically when verifying the RSA-PSS signature, it assumes the salt size is 32 and fails. I have a patch for it but I didn't include as I'm not sure it is the right way to do it.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1206#note_304018271

From gnutls-devel at lists.gnutls.org Thu Mar 12 16:46:02 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 12 Mar 2020 15:46:02 +0000
Subject: [gnutls-devel] GnuTLS | Improve FIPS signatures self-tests (!1206)
In-Reply-To: References: Message-ID:

Nikos Mavrogiannopoulos commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/1206#note_304058476

Is that a known bug or something you discovered as part of this?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1206#note_304058476

From gnutls-devel at lists.gnutls.org Thu Mar 12 16:49:13 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 12 Mar 2020 15:49:13 +0000
Subject: [gnutls-devel] GnuTLS | Improve FIPS signatures self-tests (!1206)
In-Reply-To: References: Message-ID:

Anderson Sasaki commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/1206#note_304060704

> Is that a known bug or something you discovered as part of this?

I don't know if it was known, but I hit it when trying to use deterministic signatures for RSA-PSS. Should I open a separate issue for it?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1206#note_304060704

From gnutls-devel at lists.gnutls.org Thu Mar 12 17:48:33 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 12 Mar 2020 16:48:33 +0000
Subject: [gnutls-devel] GnuTLS | lib/x509: use common routine for parsing data version (!1209)
In-Reply-To: References: Message-ID:

Dmitry Baryshkov pushed new commits to merge request !1209 https://gitlab.com/gnutls/gnutls/-/merge_requests/1209

* 6ebfbda5 - lib/x509: use common routine for parsing data version

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1209

From gnutls-devel at lists.gnutls.org Thu Mar 12 20:18:12 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 12 Mar 2020 19:18:12 +0000
Subject: [gnutls-devel] GnuTLS | .lgtm.yml: disable dependency tracking (!1208)
In-Reply-To: References: Message-ID:

Dmitry Baryshkov commented:

I've noticed, it tries to descend to `src/gl/tests` directory. I could not find it being populated.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1208#note_304195979

From gnutls-devel at lists.gnutls.org Thu Mar 12 20:47:31 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 12 Mar 2020 19:47:31 +0000
Subject: [gnutls-devel] GnuTLS | .lgtm.yml: disable dependency tracking (!1208)
In-Reply-To: References: Message-ID:

Nikos Mavrogiannopoulos pushed new commits to merge request !1208 https://gitlab.com/gnutls/gnutls/-/merge_requests/1208

* eb21fe86 - bootstrap.conf: do not bring tests in gnulib clones (src/unistring)

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1208

From gnutls-devel at lists.gnutls.org Thu Mar 12 21:00:30 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 12 Mar 2020 20:00:30 +0000
Subject: [gnutls-devel] GnuTLS | lib/x509: use common routine for parsing data version (!1209)
In-Reply-To: References: Message-ID:

Merge Request !1209 was approved by Nikos Mavrogiannopoulos

Merge Request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1209
Project:Branches: GostCrypt/gnutls:x509-version to gnutls/gnutls:master
Author: Dmitry Baryshkov
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1209

From gnutls-devel at lists.gnutls.org Thu Mar 12 21:07:21 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 12 Mar 2020 20:07:21 +0000
Subject: [gnutls-devel] GnuTLS | Improve FIPS signatures self-tests (!1206)
In-Reply-To: References: Message-ID:

Nikos Mavrogiannopoulos commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/1206#note_304213969

I think it makes sense, especially since you tried it and have the reproducers or this will be never fixed.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1206#note_304213969

From gnutls-devel at lists.gnutls.org Thu Mar 12 21:08:53 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 12 Mar 2020 20:08:53 +0000
Subject: [gnutls-devel] GnuTLS | Improve FIPS signatures self-tests (!1206)
In-Reply-To: References: Message-ID:

Nikos Mavrogiannopoulos started a new discussion on tests/slow/cipher-test.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1206#note_304214656

> > int main(int argc, char **argv) > { > + > + if (gnutls_fips140_mode_enabled()) {

This looks strange. Does that mean that the APIs used by this test can no longer be called in FIPS mode?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1206#note_304214656

From gnutls-devel at lists.gnutls.org Thu Mar 12 21:18:26 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 12 Mar 2020 20:18:26 +0000
Subject: [gnutls-devel] GnuTLS | .lgtm.yml: disable dependency tracking (!1208)
In-Reply-To: References: Message-ID:

Nikos Mavrogiannopoulos pushed new commits to merge request !1208 https://gitlab.com/gnutls/gnutls/-/merge_requests/1208

* 394a05f6 - bootstrap.conf: do not bring tests in gnulib clones (src/unistring)

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1208

From gnutls-devel at lists.gnutls.org Fri Mar 13 09:03:07 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 13 Mar 2020 08:03:07 +0000
Subject: [gnutls-devel] GnuTLS | .lgtm.yml: disable dependency tracking (!1208)
In-Reply-To: References: Message-ID:

Tim Rühsen commented:

@nmav You forgot to remove --with-tests in L22 of bootstrap.conf.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1208#note_304389379

From gnutls-devel at lists.gnutls.org Fri Mar 13 10:10:57 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 13 Mar 2020 09:10:57 +0000
Subject: [gnutls-devel] GnuTLS | Improve FIPS signatures self-tests (!1206)
In-Reply-To: References: Message-ID:

Merge request https://gitlab.com/gnutls/gnutls/-/merge_requests/1206 was reviewed by Anderson Sasaki

--
Anderson Sasaki commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/1206#note_304424012

Ok, I'll file an issue

--
Anderson Sasaki commented on a discussion on tests/slow/cipher-test.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1206#note_304424017

> { > + > + if (gnutls_fips140_mode_enabled()) {

The deterministic signature API (i.e. calling the signatures with ``GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE`` flag set) can't be used in FIPS mode from the beginning (since 3beaa23ef5852e2d8aaa610aac9cde9b46be4f77). It was written specifically to be used during the self-tests. Do you have a suggestion on how to keep running the test in FIPS mode?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1206

From gnutls-devel at lists.gnutls.org Fri Mar 13 10:28:10 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 13 Mar 2020 09:28:10 +0000
Subject: [gnutls-devel] GnuTLS | Improve FIPS signatures self-tests (!1206)
In-Reply-To: References: Message-ID:

Stephan Mueller commented:

Side note on deterministic signatures: FIPS 186-5 (draft) explicitly allows deterministic signatures. When this standard update is enacted, it will be approved for FIPS as well. However until it is approved, deterministic signatures are not allowed.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1206#note_304434227

From gnutls-devel at lists.gnutls.org Fri Mar 13 10:39:55 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 13 Mar 2020 09:39:55 +0000
Subject: [gnutls-devel] GnuTLS | crypto-selftests-pk.c: Use deterministic signatures in test_known_sig() (e106439e)
In-Reply-To: References: Message-ID:

Stephan Mueller started a new discussion on lib/crypto-selftests-pk.c: https://gitlab.com/gnutls/gnutls/-/commit/e106439ebaba996413765e3a535b6fc9d59c00d1#note_304441684

> #ifdef ENABLE_NON_SUITEB_CURVES > - PK_KNOWN_TEST(GNUTLS_PK_EC, 0, > + PK_KNOWN_TEST(GNUTLS_PK_EC, > GNUTLS_CURVE_TO_BITS > (GNUTLS_ECC_CURVE_SECP192R1), > GNUTLS_DIG_SHA256, ecdsa_secp192r1_privkey, > - ecdsa_secp192r1_sig); > + ecdsa_secp192r1_sig, GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE); > > - PK_KNOWN_TEST(GNUTLS_PK_EC, 0, > + PK_KNOWN_TEST(GNUTLS_PK_EC, > GNUTLS_CURVE_TO_BITS > (GNUTLS_ECC_CURVE_SECP224R1), > GNUTLS_DIG_SHA256, ecdsa_secp224r1_privkey, > - ecdsa_secp224r1_sig); > + ecdsa_secp224r1_sig, GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE);

Do I understand it correctly that for ECDSA and DSA only deterministic signatures are tested as part of the power-on tests? Wasn't it stated that deterministic signatures are not supported in FIPS mode? If so, would any test be executed in FIPS mode?

Also, note, deterministic signatures are not yet approved. This implies that for FIPS at the moment only self tests with non-deterministic signatures are possible, i.e. the pairwise-consistency test.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/commit/e106439ebaba996413765e3a535b6fc9d59c00d1#note_304441684

From gnutls-devel at lists.gnutls.org Fri Mar 13 10:49:28 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 13 Mar 2020 09:49:28 +0000
Subject: [gnutls-devel] GnuTLS | Improve FIPS signatures self-tests (!1206)
In-Reply-To: References: Message-ID:

Stephan Mueller commented:

Just a note on the basic requirement: for asym cipher operations where the FIPS specifications only define non-deterministic operations (DSA, ECDSA, PSS) the self tests must also use those non-deterministic operations. For deterministic operations (PKCS 1.5), a deterministic self test is to be used.

The use of the deterministic cipher mode for DSA, ECDSA for FIPS self-testing is not yet approved. You may leave it in the code, but you need to provide the non-deterministic self tests for each cipher.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1206#note_304448283

From gnutls-devel at lists.gnutls.org Fri Mar 13 11:20:56 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 13 Mar 2020 10:20:56 +0000
Subject: [gnutls-devel] GnuTLS | Verification of deterministic RSA-PSS signature fails (#953)
References: Message-ID:

Anderson Sasaki created an issue: https://gitlab.com/gnutls/gnutls/-/issues/953

## Description of problem:
gnutls fails to verify signatures generated using ``GNUTLS_SIGN_RSA_PSS_RSAE_SHA256`` algorithm and passing the ``GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE`` flag.

## Version of gnutls used:
Current master (6df0dab742b4ee5bd3fa55680657326305bde8cc)

## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)
n/a

## How reproducible:
100%

Steps to Reproduce:

Compile and run the following reproducer code: [reproducer.c](/uploads/ea67aad60c0804ea7da6bf999c145851/reproducer.c)

## Actual results:
The reproducer outputs: Verification failed!

## Expected results:
The reproducer outputs: Verification succeeded!

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/953

From gnutls-devel at lists.gnutls.org Fri Mar 13 11:33:02 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 13 Mar 2020 10:33:02 +0000
Subject: [gnutls-devel] GnuTLS | crypto-selftests-pk.c: Use deterministic signatures in test_known_sig() (e106439e)
In-Reply-To: References: Message-ID:

Anderson Sasaki commented on a discussion on lib/crypto-selftests-pk.c: https://gitlab.com/gnutls/gnutls/-/commit/e106439ebaba996413765e3a535b6fc9d59c00d1#note_304477131

> #ifdef ENABLE_NON_SUITEB_CURVES > - PK_KNOWN_TEST(GNUTLS_PK_EC, 0, > + PK_KNOWN_TEST(GNUTLS_PK_EC, > GNUTLS_CURVE_TO_BITS > (GNUTLS_ECC_CURVE_SECP192R1), > GNUTLS_DIG_SHA256, ecdsa_secp192r1_privkey, > - ecdsa_secp192r1_sig); > + ecdsa_secp192r1_sig, GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE); > > - PK_KNOWN_TEST(GNUTLS_PK_EC, 0, > + PK_KNOWN_TEST(GNUTLS_PK_EC, > GNUTLS_CURVE_TO_BITS > (GNUTLS_ECC_CURVE_SECP224R1), > GNUTLS_DIG_SHA256, ecdsa_secp224r1_privkey, > - ecdsa_secp224r1_sig); > + ecdsa_secp224r1_sig, GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE);

I'm confused by this comment. This whole effort of using deterministic signatures during the self-test started with the objective of avoiding calling ``getrandom()`` during POST. In previous communication, you wrote that it wouldn't be a problem to use the deterministic signatures from RFC 6979 for testing ECDSA/DSA algorithms.

Note that the test also executes the pairwise-consistency test by verifying the generated signature, although the signature uses a deterministic scheme to compute k.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/commit/e106439ebaba996413765e3a535b6fc9d59c00d1#note_304477131

From gnutls-devel at lists.gnutls.org Fri Mar 13 11:57:31 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 13 Mar 2020 10:57:31 +0000
Subject: [gnutls-devel] GnuTLS | Improve FIPS signatures self-tests (!1206)
In-Reply-To: References: Message-ID:

Nikos Mavrogiannopoulos commented on a discussion on tests/slow/cipher-test.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1206#note_304492505

> > int main(int argc, char **argv) > { > + > + if (gnutls_fips140_mode_enabled()) {

Aha, can these self tests be skipped when in FIPS mode, so that only the relevant self tests run?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1206#note_304492505

From gnutls-devel at lists.gnutls.org Fri Mar 13 12:00:31 2020
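Review bot: the `gnutls_fips140_mode_enabled()` check added as the first statement of `main()` has no comment saying why the test branches on FIPS mode, which is the question it drew in this thread. A one-line comment above the `if` giving the reason stated in the discussion (signing with `GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE` cannot be used in FIPS mode) would make the branch self-explanatory, and the empty `+` line added before the check can be dropped.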
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 13 Mar 2020 11:00:31 +0000 Subject: [gnutls-devel] GnuTLS | crypto-selftests-pk.c: Use deterministic signatures in test_known_sig() (e106439e) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos commented on a discussion on lib/crypto-selftests-pk.c: https://gitlab.com/gnutls/gnutls/-/commit/e106439ebaba996413765e3a535b6fc9d59c00d1#note_304494312 > #ifdef ENABLE_NON_SUITEB_CURVES > - PK_KNOWN_TEST(GNUTLS_PK_EC, 0, > + PK_KNOWN_TEST(GNUTLS_PK_EC, > GNUTLS_CURVE_TO_BITS > (GNUTLS_ECC_CURVE_SECP192R1), > GNUTLS_DIG_SHA256, ecdsa_secp192r1_privkey, > - ecdsa_secp192r1_sig); > + ecdsa_secp192r1_sig, GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE); > > - PK_KNOWN_TEST(GNUTLS_PK_EC, 0, > + PK_KNOWN_TEST(GNUTLS_PK_EC, > GNUTLS_CURVE_TO_BITS > (GNUTLS_ECC_CURVE_SECP224R1), > GNUTLS_DIG_SHA256, ecdsa_secp224r1_privkey, > - ecdsa_secp224r1_sig); > + ecdsa_secp224r1_sig, GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE); Note Stephan that the deterministic mode is only used to avoid calling the random generator early, but it is not really tested as such. The operation tested is the ECDSA/DSA operation (e.g., previously it was tested with a fixed random number, now it is the same but with random number generated the RFC6979 way). -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/commit/e106439ebaba996413765e3a535b6fc9d59c00d1#note_304494312 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Mar 13 12:01:54 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 13 Mar 2020 11:01:54 +0000 Subject: [gnutls-devel] GnuTLS | crypto-selftests-pk.c: Use deterministic signatures in test_known_sig() (e106439e) In-Reply-To: References: Message-ID: Stephan Mueller commented on a discussion on lib/crypto-selftests-pk.c: https://gitlab.com/gnutls/gnutls/-/commit/e106439ebaba996413765e3a535b6fc9d59c00d1#note_304495171 > #ifdef ENABLE_NON_SUITEB_CURVES > - PK_KNOWN_TEST(GNUTLS_PK_EC, 0, > + PK_KNOWN_TEST(GNUTLS_PK_EC, > GNUTLS_CURVE_TO_BITS > (GNUTLS_ECC_CURVE_SECP192R1), > GNUTLS_DIG_SHA256, ecdsa_secp192r1_privkey, > - ecdsa_secp192r1_sig); > + ecdsa_secp192r1_sig, GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE); > > - PK_KNOWN_TEST(GNUTLS_PK_EC, 0, > + PK_KNOWN_TEST(GNUTLS_PK_EC, > GNUTLS_CURVE_TO_BITS > (GNUTLS_ECC_CURVE_SECP224R1), > GNUTLS_DIG_SHA256, ecdsa_secp224r1_privkey, > - ecdsa_secp224r1_sig); > + ecdsa_secp224r1_sig, GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE); Yes, you are right, there is one provision in FIPS IG that allows deterministic even now - please disregard my comments. Note, the provision allowing it is IG 9.4 stating that a KAT for DSA/ECDSA is permissible. I accidentally swapped that out of my memory :-) -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/commit/e106439ebaba996413765e3a535b6fc9d59c00d1#note_304495171 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Mar 13 13:11:44 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 13 Mar 2020 12:11:44 +0000 Subject: [gnutls-devel] GnuTLS | crypto-selftests-pk.c: Use deterministic signatures in test_known_sig() (e106439e) In-Reply-To: References: Message-ID: Anderson Sasaki commented on a discussion on lib/crypto-selftests-pk.c: https://gitlab.com/gnutls/gnutls/-/commit/e106439ebaba996413765e3a535b6fc9d59c00d1#note_304534708 > #ifdef ENABLE_NON_SUITEB_CURVES > - PK_KNOWN_TEST(GNUTLS_PK_EC, 0, > + PK_KNOWN_TEST(GNUTLS_PK_EC, > GNUTLS_CURVE_TO_BITS > (GNUTLS_ECC_CURVE_SECP192R1), > GNUTLS_DIG_SHA256, ecdsa_secp192r1_privkey, > - ecdsa_secp192r1_sig); > + ecdsa_secp192r1_sig, GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE); > > - PK_KNOWN_TEST(GNUTLS_PK_EC, 0, > + PK_KNOWN_TEST(GNUTLS_PK_EC, > GNUTLS_CURVE_TO_BITS > (GNUTLS_ECC_CURVE_SECP224R1), > GNUTLS_DIG_SHA256, ecdsa_secp224r1_privkey, > - ecdsa_secp224r1_sig); > + ecdsa_secp224r1_sig, GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE); Thank you for the clarification! -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/commit/e106439ebaba996413765e3a535b6fc9d59c00d1#note_304534708 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Mar 13 13:34:17 2020 
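The known-answer and pairwise-consistency test discussed in the crypto-selftests-pk.c thread above, as an added Python illustration (not GnuTLS code and not from any participant): ECDSA over P-256 with the nonce derived per RFC 6979 section 3.2, so that signing needs no random source and the signature can be compared with a fixed value. It uses the RFC's own appendix A.2.5 vector rather than GnuTLS's test keys, which the page does not show; the scalar multiplication is not constant-time and is for illustration only.

```python
import hashlib
import hmac

# NIST P-256 domain parameters (field prime, curve coefficient a, group order, base point).
P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
A = P - 3
N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
G = (0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296,
     0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5)

# Known-answer vector: RFC 6979 appendix A.2.5, SHA-256, message "sample".
KAT_X = 0xC9AFA9D845BA75166B5C215767B1D6934E50C3DB36E89B127B8A622B120F6721
KAT_MSG = b"sample"
KAT_R = 0xEFD48B2AACB6A8FD1140DD9CD45E81D69D2C877B56AAF991C34D0EA84EAF3716
KAT_S = 0xF7CB1C942D657C41D436C7A1B6E29F65F3E900DBB9AFF4064DC4AB2F843ACDA8


def inv(v, m):
    """Modular inverse for a prime modulus m (Fermat)."""
    return pow(v % m, m - 2, m)


def add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * inv(2 * y1, P) % P
    else:
        lam = (y2 - y1) * inv(x2 - x1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def mul(k, pt):
    """Double-and-add scalar multiplication (illustration only, not constant-time)."""
    acc = None
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc


def bits2int(data, qlen):
    v = int.from_bytes(data, "big")
    excess = len(data) * 8 - qlen
    return v >> excess if excess > 0 else v


def rfc6979_k(x, msg):
    """Derive the per-signature nonce k from the key and message hash (RFC 6979, 3.2)."""
    qlen = N.bit_length()
    rolen = (qlen + 7) // 8
    h1 = hashlib.sha256(msg).digest()
    seed = x.to_bytes(rolen, "big") + (bits2int(h1, qlen) % N).to_bytes(rolen, "big")

    def mac(key, data):
        return hmac.new(key, data, hashlib.sha256).digest()

    v, key = b"\x01" * 32, b"\x00" * 32
    key = mac(key, v + b"\x00" + seed)
    v = mac(key, v)
    key = mac(key, v + b"\x01" + seed)
    v = mac(key, v)
    while True:
        t = b""
        while len(t) * 8 < qlen:
            v = mac(key, v)
            t += v
        k = bits2int(t, qlen)
        if 1 <= k < N:
            return k
        key = mac(key, v + b"\x00")
        v = mac(key, v)


def sign(x, msg):
    e = bits2int(hashlib.sha256(msg).digest(), N.bit_length())
    k = rfc6979_k(x, msg)
    r = mul(k, G)[0] % N
    s = inv(k, N) * (e + r * x) % N
    if r == 0 or s == 0:
        raise ValueError("degenerate signature")
    return r, s


def verify(pub, msg, sig):
    r, s = sig
    if not (1 <= r < N and 1 <= s < N):
        return False
    e = bits2int(hashlib.sha256(msg).digest(), N.bit_length())
    w = inv(s, N)
    pt = add(mul(e * w % N, G), mul(r * w % N, pub))
    return pt is not None and pt[0] % N == r


def known_answer_test():
    """KAT (fixed expected signature) followed by the pairwise-consistency check."""
    sig = sign(KAT_X, KAT_MSG)
    return sig == (KAT_R, KAT_S) and verify(mul(KAT_X, G), KAT_MSG, sig)
```

Because `k` is a function of the key and message only, the ECDSA computation itself is what the comparison exercises; nothing in `sign()` reads from a random source.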
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 13 Mar 2020 12:34:17 +0000 Subject: [gnutls-devel] GnuTLS | Improve FIPS signatures self-tests (!1206) In-Reply-To: References: Message-ID: Anderson Sasaki commented on a discussion on tests/slow/cipher-test.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1206#note_304546910 > > int main(int argc, char **argv) > { > + > + if (gnutls_fips140_mode_enabled()) { I suggest we introduce a flag similar to ``GNUTLS_SELF_TEST_FLAG_NO_COMPAT`` to be able to skip the tests when in FIPS mode (and test the APIs without ``GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE``). What do you think? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1206#note_304546910 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Mar 13 20:36:37 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 13 Mar 2020 19:36:37 +0000 Subject: [gnutls-devel] GnuTLS | .lgtm.yml: disable dependency tracking (!1208) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos commented: @rockdaboot that is intentional as I think it is good to keep this test suite. However what I wonder is, whether there is some cache in lgtm.com that you can reset? I do not always see the changes in this commit reflected in the run. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1208#note_304806966 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Mar 13 20:57:22 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 13 Mar 2020 19:57:22 +0000 Subject: [gnutls-devel] GnuTLS | Verification of deterministic RSA-PSS signature fails (#953) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos commented: To my understanding the RSA-PSS signature does not contain the salt size thus the salt size needs to be provided somehow. The verification functions will read the parameters from the certificate (see `fixup_spki_params()`) or assume some defaults. That's the case here, the verification function has no way to be told that this is a key with zero salt. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/953#note_304814097 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Mar 13 21:21:30 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 13 Mar 2020 20:21:30 +0000 Subject: [gnutls-devel] GnuTLS | Verification of deterministic RSA-PSS signature fails (#953) In-Reply-To: References: Message-ID: Milestone changed to Release of GnuTLS 3.6.13 (Feb 2, 2020–Apr 4, 2020) ( https://gitlab.com/gnutls/gnutls/-/milestones/27 ) -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/953 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Mar 13 21:21:17 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 13 Mar 2020 20:21:17 +0000 Subject: [gnutls-devel] GnuTLS | Verification of deterministic RSA-PSS signature fails (#953) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos commented: A potential fix could be to have a verification flag for it. A quick and dirty one is attached, but for some reason the unit test fails during verification. [patch.txt](/uploads/45f9838ae3c01ba193663d8dd0c57c0b/patch.txt) -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/953#note_304821372 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Mar 13 22:26:12 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 13 Mar 2020 21:26:12 +0000 Subject: [gnutls-devel] GnuTLS | .lgtm.yml: disable dependency tracking (!1208) In-Reply-To: References: Message-ID: Tim Rühsen commented: LGTM just reacted on my issue. Can you answer this question? ``` Sorry about the delayed response. It looks like the last successful analysis was the day before we upgraded the build machines to Ubuntu 19.10 - do you know if the custom configuration to build nettle locally is still necessary on 19.10? ``` -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1208#note_304840263 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Mar 13 22:28:52 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 13 Mar 2020 21:28:52 +0000 Subject: [gnutls-devel] GnuTLS | .lgtm.yml: disable dependency tracking (!1208) In-Reply-To: References: Message-ID: Tim Rühsen commented: > that is intentional as I think it is good to keep this test suite. Sorry, surely yes. Can we drop test suite just for LGTM (in case they can't fix the issue on their side)? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1208#note_304840915 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat Mar 14 05:33:08 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sat, 14 Mar 2020 04:33:08 +0000 Subject: [gnutls-devel] GnuTLS | optional: Add support for ed448 (#128) In-Reply-To: References: Message-ID: Peter Dettman commented: Currently Ed448 peer certificates don't pass (TLS peer) verification. The underlying reason is that the Ed448 hash is SHAKE-256: `{.name = "EdDSA-Ed448", ..., .hash = GNUTLS_DIG_SHAKE_256, ...}` but SHAKE-256 has no output_size specified: `{.name = "SHAKE-256", .oid = HASH_OID_SHAKE_256, .id = GNUTLS_MAC_SHAKE_256, .block_size = 136}` so I assume output_size is defaulting to 0, which leads to (gnutls-serv 3.6.12 when Ed448 client cert presented, verification enabled): > |<2>| GNUTLS_SEC_PARAM_LOW: certificate's signature hash strength is unacceptable (is 0 bits, needed 80) Incidentally, I also noticed that tests/sign-is-secure.c is not covering Ed448 because the loop bound is off-by-1: `for (i=1;i From gnutls-devel at lists.gnutls.org Sat Mar 14 08:15:05 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sat, 14 Mar 2020 07:15:05 +0000 Subject: [gnutls-devel] GnuTLS | Drop lib{gnutls, dane}-latest-x86_64.abi from the repo (#954) References: Message-ID: Daiki Ueno created an issue: https://gitlab.com/gnutls/gnutls/-/issues/954 When adding a new API function, one of the biggest pain points is updating `lib{gnutls,dane}-latest-x86_64.abi` files, because the output of `abidw` is not stable and information that relies on the current build environment is emitted, e.g., `comp-dir-path='/home/nmav/cvs/gnutls-mine/lib'`. Interestingly, `abidiff` only takes into account the existence of `elf-symbol` (ignores type changes). So one can cheat `abi-check` by manually adding an `elf-symbol` entry for the new function: [example 2](623058337490b847d27b736c67b6e710efb980a7), [example 1](6037706541616cfd2d4b49f6f5939ce6dddd1a53). That means there is not much sense in maintaining `lib{gnutls,dane}-latest-x86_64.abi`, as we already have `devel/symbols.last`. Therefore I propose:
- drop `lib{gnutls,dane}-latest-x86_64.abi` and check against it (keep `lib{gnutls,dane}-$(VERSION)-x86_64.abi`)
- maintain the output of `abidiff` from the previous `lib{gnutls,dane}-$(VERSION)-x86_64.abi` in the repository, say `lib{gnutls,dane}-x86_64.abidiff`
- add an instruction to update `lib{gnutls,dane}-$(VERSION)-x86_64.abi` and clear `lib{gnutls,dane}-x86_64.abidiff` at release time

This not only makes `make file-updates` reliable, but also tightens the check as it covers type changes. Thoughts? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/954 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat Mar 14 08:30:10 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sat, 14 Mar 2020 07:30:10 +0000 Subject: [gnutls-devel] GnuTLS | cipher: expose raw ChaCha20 cipher (!1210) References: Message-ID: Daiki Ueno created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1210 Branches: tmp-chacha to master Author: Daiki Ueno See the [discussion](https://marc.info/?l=nettle-bugs&m=158272496327102&w=2) on the nettle list. ## Checklist * [x] Commits have `Signed-off-by:` with name/author being identical to the commit author * [x] Code modified for feature * [x] Test suite updated with functionality tests * [ ] Test suite updated with negative tests * [ ] Documentation updated / NEWS entry present (for non-trivial changes) * [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout) ## Reviewer's checklist: * [ ] Any issues marked for closing are addressed * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md` * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1210 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat Mar 14 09:17:35 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sat, 14 Mar 2020 08:17:35 +0000 Subject: [gnutls-devel] GnuTLS | Improve FIPS signatures self-tests (!1206) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos commented on a discussion on tests/slow/cipher-test.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1206#note_304908336 > > int main(int argc, char **argv) > { > + > + if (gnutls_fips140_mode_enabled()) { I'm not sure the suggestion is clear to me. How would this work for existing applications using this API in FIPS or non FIPS mode? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1206#note_304908336 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat Mar 14 09:23:38 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sat, 14 Mar 2020 08:23:38 +0000 Subject: [gnutls-devel] GnuTLS | abi-check: maintain abidiff output instead of abidw (!1211) References: Message-ID: Daiki Ueno created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1211 Branches: tmp-abidiff to master Author: Daiki Ueno This implements the proposal in #954. ## Checklist * [x] Commits have `Signed-off-by:` with name/author being identical to the commit author * [ ] Code modified for feature * [ ] Test suite updated with functionality tests * [ ] Test suite updated with negative tests * [ ] Documentation updated / NEWS entry present (for non-trivial changes) * [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout) ## Reviewer's checklist: * [ ] Any issues marked for closing are addressed * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md` * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1211 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat Mar 14 15:05:54 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sat, 14 Mar 2020 14:05:54 +0000 Subject: [gnutls-devel] GnuTLS | Verification of deterministic RSA-PSS signature fails (#953) In-Reply-To: References: Message-ID: Daiki Ueno commented: Since the salt size is always controlled through spki, why not just set it manually, before calling `gnutls_pubkey_verify_data2`:
```c
if (tests[i].pk == GNUTLS_PK_RSA_PSS) {
	gnutls_x509_spki_t spki;

	/* Attach RSA-PSS parameters with a salt size of 0 to the public key. */
	gnutls_x509_spki_init(&spki);
	gnutls_x509_spki_set_rsa_pss_params(spki, tests[i].digest, 0);
	gnutls_pubkey_set_spki(pubkey, spki, 0);
	gnutls_x509_spki_deinit(spki);
}
```
A fun fact is that, even if we use the reproducible construction, `getrandom` is always called for RSA blinding; so if the purpose of doing this is to avoid access to the random source, it wouldn't work out I'm afraid. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/953#note_304965161 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat Mar 14 15:24:03 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sat, 14 Mar 2020 14:24:03 +0000 Subject: [gnutls-devel] GnuTLS | cipher: expose raw ChaCha20 cipher (!1210) In-Reply-To: References: Message-ID: Tim Rühsen commented: LGTM pull request analysis was skipped for 3cacfe68f9f670a10db60db3abec9859432a3381 by [dueno](https://gitlab.com/dueno). Analysis of future commits will happen as normal. --- *Comment posted by [LGTM.com](https://lgtm.com)* -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1210#note_304967273 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat Mar 14 22:37:38 2020 
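The salt-size mismatch described in the #953 messages above, as an added Python sketch (not GnuTLS code and not from the thread): EMSA-PSS encoding and verification per RFC 8017 section 9.1, applied to the encoded message only, with the RSA exponentiation left out because it does not affect salt handling. SHA-256, the 2047-bit encoding size (a 2048-bit modulus) and the sample message are assumptions made for the example.

```python
import hashlib
import hmac
import os

HASH = hashlib.sha256
HLEN = HASH().digest_size


def mgf1(seed, length):
    """MGF1 mask generation (RFC 8017, B.2.1)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += HASH(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def emsa_pss_encode(msg, em_bits, salt):
    """EMSA-PSS-ENCODE with a caller-supplied salt; an empty salt gives a reproducible encoding."""
    em_len = (em_bits + 7) // 8
    if em_len < HLEN + len(salt) + 2:
        raise ValueError("encoding error: modulus too small for hash and salt")
    h = HASH(b"\x00" * 8 + HASH(msg).digest() + salt).digest()
    db = b"\x00" * (em_len - len(salt) - HLEN - 2) + b"\x01" + salt
    masked = bytearray(_xor(db, mgf1(h, em_len - HLEN - 1)))
    masked[0] &= 0xFF >> (8 * em_len - em_bits)
    return bytes(masked) + h + b"\xbc"


def emsa_pss_verify(msg, em, em_bits, s_len):
    """EMSA-PSS-VERIFY: s_len is an input the verifier must already know."""
    em_len = (em_bits + 7) // 8
    if len(em) != em_len or em_len < HLEN + s_len + 2 or em[-1] != 0xBC:
        return False
    masked, h = em[:em_len - HLEN - 1], em[em_len - HLEN - 1:-1]
    top_mask = 0xFF >> (8 * em_len - em_bits)
    if masked[0] & ~top_mask & 0xFF:
        return False
    db = bytearray(_xor(masked, mgf1(h, em_len - HLEN - 1)))
    db[0] &= top_mask
    # The padding check is where a wrong expected salt size is rejected:
    # the 0x01 separator must sit exactly s_len bytes before the end of DB.
    pad_len = em_len - HLEN - s_len - 2
    if any(db[:pad_len]) or db[pad_len] != 0x01:
        return False
    salt = bytes(db[pad_len + 1:])
    expected = HASH(b"\x00" * 8 + HASH(msg).digest() + salt).digest()
    return hmac.compare_digest(h, expected)


def salt_length_matrix(msg=b"constructed sample message", em_bits=2047):
    """Encode with a zero-length and a hash-length salt, verify each under both assumptions."""
    zero = emsa_pss_encode(msg, em_bits, b"")
    rand = emsa_pss_encode(msg, em_bits, os.urandom(HLEN))
    return {
        "zero_salt_reproducible": zero == emsa_pss_encode(msg, em_bits, b""),
        "zero_salt_expect_0": emsa_pss_verify(msg, zero, em_bits, 0),
        "zero_salt_expect_hlen": emsa_pss_verify(msg, zero, em_bits, HLEN),
        "rand_salt_expect_hlen": emsa_pss_verify(msg, rand, em_bits, HLEN),
        "rand_salt_expect_0": emsa_pss_verify(msg, rand, em_bits, 0),
    }
```

A verifier that assumes a hash-length salt rejects the zero-salt encoding even though message and hash are correct, which is why the expected salt size has to reach the verification call, for instance through the key's parameters as in the snippet above.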
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sat, 14 Mar 2020 21:37:38 +0000 Subject: [gnutls-devel] GnuTLS | .lgtm.yml: disable dependency tracking (!1208) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos commented: The nettle question I think is unrelated to the issue. I will push a commit but what I see is that updating .lgtm.yml doesn't change the tests. The old commands are seen there. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1208#note_305046128 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat Mar 14 22:41:24 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sat, 14 Mar 2020 21:41:24 +0000 Subject: [gnutls-devel] GnuTLS | .lgtm.yml: remove nettle download (!1212) References: Message-ID: Nikos Mavrogiannopoulos created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1212 Branches: tmp-lgtm-fix2 to master Author: Nikos Mavrogiannopoulos This updates .lgtm.yml to remove download of nettle. ## Checklist * [ ] Commits have `Signed-off-by:` with name/author being identical to the commit author * [ ] Code modified for feature * [ ] Test suite updated with functionality tests * [ ] Test suite updated with negative tests * [ ] Documentation updated / NEWS entry present (for non-trivial changes) * [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout) ## Reviewer's checklist: * [ ] Any issues marked for closing are addressed * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md` * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1212 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat Mar 14 22:59:32 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sat, 14 Mar 2020 21:59:32 +0000 Subject: [gnutls-devel] GnuTLS | RFC: ephemeral-api: add a mechanism to define ephemeral API (!1199) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/1199#note_305048034 I'm not arguing here for not doing that, my point is about setting the rules of the game, so it is clear when we are introducing unstable APIs, how applications are supposed to use them (if they are). For example, my expectation from the "when we introduce such APIs", would be to allow such APIs when used in collaboration with other applications (curl, wget?) to test a new TLS feature. Should we bring unstable APIs when it is not clear who is the actual user of them? It looks risky to me as it looks hard to manage variable expectations. If these APIs are broken after the standard is published, then I'd also expect not to keep compatibility with the old ones (i.e., this instability should not be accumulating technical debt) and the applications that these APIs were targeting should take this into account. Without setting these expectations by documenting them, this API, although it allows breaking the ABI as defined by the .map file, may not necessarily allow us to break that ABI if applications in popular distributions depend on the features introduced by it. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1199#note_305048034 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat Mar 14 23:13:37 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sat, 14 Mar 2020 22:13:37 +0000 Subject: [gnutls-devel] GnuTLS | Drop lib{gnutls, dane}-latest-x86_64.abi from the repo (#954) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos commented: > because the output of `abidw` is a complete serialization of ABI data, which is not stable and may contain information depending on the current build environment is emitted, e.g., `comp-dir-path='/home/nmav/cvs/gnutls-mine/lib'` Why do you think that this serialization is not stable? I understand that some env paths are there, but to my understanding this is a stable format that is intended to be used for our purpose of taking a snapshot of the ABI. > The drawback is that `abidiff` output is a human readable format which may change between libabigail releases. Ideally, it would be nice if it supports the workflow below: Would this prevent us from updating our CI except for the release milestones? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/954#note_305049191 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat Mar 14 23:16:11 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sat, 14 Mar 2020 22:16:11 +0000 Subject: [gnutls-devel] GnuTLS | .lgtm.yml: disable dependency tracking (!1208) In-Reply-To: References: Message-ID: Merge Request !1208 was closed by Nikos Mavrogiannopoulos Merge Request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1208 Branches: tmp-lgtm to master Author: Nikos Mavrogiannopoulos Assignees: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1208 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun Mar 15 04:34:18 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sun, 15 Mar 2020 03:34:18 +0000 Subject: [gnutls-devel] GnuTLS | Drop lib{gnutls, dane}-latest-x86_64.abi from the repo (#954) In-Reply-To: References: Message-ID: Daiki Ueno commented on a discussion: https://gitlab.com/gnutls/gnutls/-/issues/954#note_305067089 > Why do you think that this serialization is not stable? I understand that some env paths are there, but to my understanding this is a stable format that is intended to be used for our purpose of taking a snapshot of the ABI. Have you ever looked at the actual diff (or perhaps it might be stable on _your_ environment)? I'm attaching it for reference, which was taken by just running `make files-update` on master: ``` libdane-latest-x86_64.abi | 2638 ++-- libgnutls-latest-x86_64.abi |25847 ++++++++++++++++++-------------------------- 2 files changed, 12258 insertions(+), 16227 deletions(-) ``` [abi.diff.gz](https://people.gnome.org/~dueno/abi.diff.gz) Most of the changes are due to different `type-id` assigned to the same type, e.g.: ``` - + ``` -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/954#note_305067089 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun Mar 15 05:14:16 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sun, 15 Mar 2020 04:14:16 +0000 Subject: [gnutls-devel] GnuTLS | Can't generate public.crt on Windows 2016 (#923) In-Reply-To: References: Message-ID: GnuTLS bot commented: @labnewbie This issue is unlabelled after 30 days. It needs attention. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/923#note_305068879 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun Mar 15 05:14:15 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sun, 15 Mar 2020 04:14:15 +0000 Subject: [gnutls-devel] GnuTLS | Key passphrase longer than 31 chars give 'No PIN given' error (#932) In-Reply-To: References: Message-ID: GnuTLS bot commented: @acinis This issue is unlabelled after 30 days. It needs attention. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/932#note_305068873 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun Mar 15 05:14:15 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sun, 15 Mar 2020 04:14:15 +0000 Subject: [gnutls-devel] GnuTLS | Support ciphersuites with matching mac/cipher(/KX) (#924) In-Reply-To: References: Message-ID: GnuTLS bot commented: @lumag This issue is unlabelled after 30 days. It needs attention. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/924#note_305068878 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun Mar 15 05:14:14 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sun, 15 Mar 2020 04:14:14 +0000 Subject: [gnutls-devel] GnuTLS | Issues require labels (#955) References: Message-ID: GnuTLS bot created an issue: https://gitlab.com/gnutls/gnutls/-/issues/955 The following issues require labels: - [ ] [Key passphrase longer than 31 chars give 'No PIN given' error](https://gitlab.com/gnutls/gnutls/-/issues/932) - [ ] [Support ciphersuites with matching mac/cipher(/KX)](https://gitlab.com/gnutls/gnutls/-/issues/924) - [ ] [Can't generate public.crt on Windows 2016](https://gitlab.com/gnutls/gnutls/-/issues/923) - [ ] [Merge CI clang UBSAN + ASAN runners](https://gitlab.com/gnutls/gnutls/-/issues/922) Please take care of them. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/955 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun Mar 15 05:14:16 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sun, 15 Mar 2020 04:14:16 +0000 Subject: [gnutls-devel] GnuTLS | Merge CI clang UBSAN + ASAN runners (#922) In-Reply-To: References: Message-ID: GnuTLS bot commented: @rockdaboot This issue is unlabelled after 30 days. It needs attention. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/922#note_305068880 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun Mar 15 09:48:16 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sun, 15 Mar 2020 08:48:16 +0000 Subject: [gnutls-devel] GnuTLS | RFC: ephemeral-api: add a mechanism to define ephemeral API (!1199) In-Reply-To: References: Message-ID: Daiki Ueno commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/1199#note_305086468 Although I share your concern (as I see `P11_KIT_FUTURE_UNSTABLE_API` defined almost everywhere), I don't think it would cause further problems if we provide a proper deprecation mechanism for old functions:
- if we remove an API (the macro definition in the header), the application wouldn't compile; so they will notice the API is not available and maybe deprecated
- if we remove an underlying implementation, the application _can_ get a dedicated error code upon lookup (not implemented yet); so the user could notice that the application is using an unavailable/deprecated API in a safe manner

If we add a new API, we can always choose a new name, so as not to break the existing convention; it would probably be sensible that the initial function name is chosen to be obscure, so it doesn't clash with the final function name -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1199#note_305086468 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun Mar 15 11:03:12 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sun, 15 Mar 2020 10:03:12 +0000 Subject: [gnutls-devel] GnuTLS | lib/x509: use common routine for parsing data version (!1209) In-Reply-To: References: Message-ID: Merge Request !1209 was merged Merge Request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1209 Project:Branches: GostCrypt/gnutls:x509-version to gnutls/gnutls:master Author: Dmitry Baryshkov Assignees: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1209 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Mar 16 10:46:36 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 16 Mar 2020 09:46:36 +0000 Subject: [gnutls-devel] GnuTLS | Drop lib{gnutls, dane}-latest-x86_64.abi from the repo (#954) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos commented on a discussion: https://gitlab.com/gnutls/gnutls/-/issues/954#note_305392867 Ok, we may be using a different definition of stable here. What I mean is that this file is stable to be used for future comparison and to detect deviations from the ABI (in the past the output of abi-compliance-checker wasn't stable in that sense). I believe what you are referring to is that this file may change significantly on a minor ABI update (e.g., a new function is added), right? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/954#note_305392867 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Mar 16 10:56:37 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 16 Mar 2020 09:56:37 +0000 Subject: [gnutls-devel] GnuTLS | Drop lib{gnutls, dane}-latest-x86_64.abi from the repo (#954) In-Reply-To: References: Message-ID: Daiki Ueno commented on a discussion: https://gitlab.com/gnutls/gnutls/-/issues/954#note_305399623 Yes. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/954#note_305399623 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Mar 16 11:12:50 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 16 Mar 2020 10:12:50 +0000 Subject: [gnutls-devel] GnuTLS | ed448: fix certificate signature verification (!1213) References: Message-ID: Daiki Ueno created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1213 Branches: tmp-ed448-fixes to master Author: Daiki Ueno As pointed out in: https://gitlab.com/gnutls/gnutls/-/issues/128#note_304892538 ## Checklist * [x] Commits have `Signed-off-by:` with name/author being identical to the commit author * [ ] Code modified for feature * [x] Test suite updated with functionality tests * [ ] Test suite updated with negative tests * [ ] Documentation updated / NEWS entry present (for non-trivial changes) * [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout) ## Reviewer's checklist: * [ ] Any issues marked for closing are addressed * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md` * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1213 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Mar 16 11:13:42 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 16 Mar 2020 10:13:42 +0000 Subject: [gnutls-devel] GnuTLS | optional: Add support for ed448 (#128) In-Reply-To: References: Message-ID: Daiki Ueno commented on a discussion: https://gitlab.com/gnutls/gnutls/-/issues/128#note_305411879 Good catch, I've filed !1213 to fix it. Thanks! -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/128#note_305411879 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Mar 16 11:27:30 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 16 Mar 2020 10:27:30 +0000 Subject: [gnutls-devel] GnuTLS | ed448: fix certificate signature verification (!1213) In-Reply-To: References: Message-ID: Merge Request !1213 was approved by Tim Rühsen Merge Request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1213 Branches: tmp-ed448-fixes to master Author: Daiki Ueno Assignees: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1213 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Mar 16 11:51:19 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 16 Mar 2020 10:51:19 +0000 Subject: [gnutls-devel] GnuTLS | ed448: fix certificate signature verification (!1213) In-Reply-To: References: Message-ID: Daiki Ueno commented: Thanks, but I realized that FIPS-202 also mentions that the SHAKE strengths against collisions depend on the desired output length, i.e., `min(d/2,256)` for SHAKE256. An update of the patches will follow. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1213#note_305437426 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Mar 16 13:45:55 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 16 Mar 2020 12:45:55 +0000 Subject: [gnutls-devel] GnuTLS | Improve FIPS signatures self-tests (!1206) In-Reply-To: References: Message-ID: Anderson Sasaki commented on a discussion on tests/slow/cipher-test.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1206#note_305520603 > > int main(int argc, char **argv) > { > + > + if (gnutls_fips140_mode_enabled()) { I take back my suggestion. Existing applications using the API wouldn't know about the introduced flag and could fail. I suggest the test to detect if FIPS mode is enabled and the library state to know if it is running the POST. This way we can make it fall back to using the pairwise-consistency test when called explicitly in FIPS mode. In other cases, the known answer test would be used. This would make the tests run using the right methods transparently. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1206#note_305520603 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Mar 16 13:51:28 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 16 Mar 2020 12:51:28 +0000 Subject: [gnutls-devel] GnuTLS | Improve FIPS signatures self-tests (!1206) In-Reply-To: References: Message-ID: Anderson Sasaki commented: I changed the ``test_sig()`` to use the ``bits`` parameter to select the key to use. I also made several changes to the code to improve readability. I dropped the commit skipping the self-tests in FIPS mode. It should use the right methods transparently (KAT when possible; pairwise-consistency test otherwise). @nmav Could you please check this version? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1206#note_305524379 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Mar 16 16:30:03 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 16 Mar 2020 15:30:03 +0000 Subject: [gnutls-devel] GnuTLS | Can't generate public.crt on Windows 2016 (#923) In-Reply-To: References: Message-ID: Milestone changed to Release of GnuTLS 3.6.13 (Feb 2, 2020–Apr 4, 2020) ( https://gitlab.com/gnutls/gnutls/-/milestones/27 ) -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/923 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Mar 16 16:30:41 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 16 Mar 2020 15:30:41 +0000 Subject: [gnutls-devel] GnuTLS | Key passphrase longer than 31 chars give 'No PIN given' error (#932) In-Reply-To: References: Message-ID: Milestone changed to Release of GnuTLS 3.6.13 (Feb 2, 2020–Apr 4, 2020) ( https://gitlab.com/gnutls/gnutls/-/milestones/27 ) -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/932 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Mar 16 16:33:08 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 16 Mar 2020 15:33:08 +0000 Subject: [gnutls-devel] GnuTLS | Issues require labels (#947) In-Reply-To: References: Message-ID: Issue was closed by Nikos Mavrogiannopoulos Issue #947: https://gitlab.com/gnutls/gnutls/-/issues/947 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/947 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Mar 16 16:56:30 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 16 Mar 2020 15:56:30 +0000 Subject: [gnutls-devel] GnuTLS | Improve FIPS signatures self-tests (!1206) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos commented: LGTM! -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1206#note_305685327 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Mar 16 17:38:59 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 16 Mar 2020 16:38:59 +0000 Subject: [gnutls-devel] GnuTLS | devel: provide external git diff driver for *.abi files (!1214) References: Message-ID: Daiki Ueno created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1214 Branches: tmp-abi-check to master Author: Daiki Ueno Minor tooling improvement related to #954. ## Checklist * [x] Commits have `Signed-off-by:` with name/author being identical to the commit author * [ ] Code modified for feature * [ ] Test suite updated with functionality tests * [ ] Test suite updated with negative tests * [ ] Documentation updated / NEWS entry present (for non-trivial changes) * [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout) ## Reviewer's checklist: * [ ] Any issues marked for closing are addressed * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md` * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1214 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Mar 16 18:57:47 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 16 Mar 2020 17:57:47 +0000 Subject: [gnutls-devel] GnuTLS | Drop lib{gnutls, dane}-latest-x86_64.abi from the repo (#954) In-Reply-To: References: Message-ID: Issue was closed by Daiki Ueno Issue #954: https://gitlab.com/gnutls/gnutls/-/issues/954 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/954 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Mar 16 18:57:47 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 16 Mar 2020 17:57:47 +0000 Subject: [gnutls-devel] GnuTLS | Drop lib{gnutls, dane}-latest-x86_64.abi from the repo (#954) In-Reply-To: References: Message-ID: Daiki Ueno commented: The libabigail maintainer told me that there is some work that has been done in this regard. So let's defer this for now. We can either continue the current practice - modify the files manually, or ignore the textual diffs. I've filed !1214 to make it a bit easier. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/954#note_305759879 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Mar 16 18:58:52 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 16 Mar 2020 17:58:52 +0000 Subject: [gnutls-devel] GnuTLS | abi-check: maintain abidiff output instead of abidw (!1211) In-Reply-To: References: Message-ID: Daiki Ueno commented: Closing; see the latest comment on #954 for the rationale. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1211#note_305760339 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Mar 16 18:58:53 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 16 Mar 2020 17:58:53 +0000 Subject: [gnutls-devel] GnuTLS | abi-check: maintain abidiff output instead of abidw (!1211) In-Reply-To: References: Message-ID: Merge Request !1211 was closed by Daiki Ueno Merge Request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1211 Branches: tmp-abidiff to master Author: Daiki Ueno Assignees: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1211 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Mar 16 18:59:21 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 16 Mar 2020 17:59:21 +0000 Subject: [gnutls-devel] GnuTLS | ed448: fix certificate signature verification (!1213) In-Reply-To: References: Message-ID: Tim Rühsen commented: LGTM pull request analysis was skipped for e671633cf32616401b3cdb04e4285f5dc37fbc65 by [dueno](https://gitlab.com/dueno). Analysis of future commits will happen as normal. --- *Comment posted by [LGTM.com](https://lgtm.com)* -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1213#note_305760559 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Mar 16 21:11:27 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 16 Mar 2020 20:11:27 +0000 Subject: [gnutls-devel] GnuTLS | WIP: lgtm.com work-around (!1215) References: Message-ID: Nikos Mavrogiannopoulos created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1215 Branches: tmp-lgtm to master Author: Nikos Mavrogiannopoulos A different approach in working around lgtm.com issues. ## Checklist * [ ] Commits have `Signed-off-by:` with name/author being identical to the commit author * [ ] Code modified for feature * [ ] Test suite updated with functionality tests * [ ] Test suite updated with negative tests * [ ] Documentation updated / NEWS entry present (for non-trivial changes) * [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout) ## Reviewer's checklist: * [ ] Any issues marked for closing are addressed * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md` * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1215 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Mar 16 21:46:22 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 16 Mar 2020 20:46:22 +0000 Subject: [gnutls-devel] GnuTLS | .lgtm.yml: remove nettle download (!1212) In-Reply-To: References: Message-ID: Merge Request !1212 was closed by Nikos Mavrogiannopoulos Merge Request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1212 Branches: tmp-lgtm-fix2 to master Author: Nikos Mavrogiannopoulos Assignees: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1212 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Mar 16 21:46:43 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 16 Mar 2020 20:46:43 +0000 Subject: [gnutls-devel] GnuTLS | WIP: lgtm.com work-around (!1215) In-Reply-To: References: Message-ID: Merge Request !1215 was closed by Nikos Mavrogiannopoulos Merge Request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1215 Branches: tmp-lgtm to master Author: Nikos Mavrogiannopoulos Assignees: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1215 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Mar 16 21:49:58 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 16 Mar 2020 20:49:58 +0000 Subject: [gnutls-devel] GnuTLS | Service Desk (from srivathsan.kr@vortexindia.co.in): Reg: TLS1_3 support on gnutls_3.6.12 (#952) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos commented: tldr yes. For compatibility with previous version please check the manual https://www.gnutls.org/manual/gnutls.html#Upgrading-from-previous-versions -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/952#note_305831450 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Mar 16 21:49:59 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 16 Mar 2020 20:49:59 +0000 Subject: [gnutls-devel] GnuTLS | Service Desk (from srivathsan.kr@vortexindia.co.in): Reg: TLS1_3 support on gnutls_3.6.12 (#952) In-Reply-To: References: Message-ID: Issue was closed by Nikos Mavrogiannopoulos Issue #952: https://gitlab.com/gnutls/gnutls/-/issues/952 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/952 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Mar 16 22:34:22 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 16 Mar 2020 21:34:22 +0000 Subject: [gnutls-devel] GnuTLS | Improve FIPS signatures self-tests (!1206) In-Reply-To: References: Message-ID: Merge Request !1206 was approved by Nikos Mavrogiannopoulos Merge Request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1206 Project:Branches: ansasaki/gnutls:improve_fips_selftests to gnutls/gnutls:master Author: Anderson Sasaki Assignees: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1206 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Mar 16 22:46:04 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 16 Mar 2020 21:46:04 +0000 Subject: [gnutls-devel] libtasn1 | Add release script and announcement template [skip ci] (!57) In-Reply-To: References: Message-ID: Merge request https://gitlab.com/gnutls/libtasn1/-/merge_requests/57 was reviewed by Nikos Mavrogiannopoulos -- Nikos Mavrogiannopoulos started a new discussion on devel/release: https://gitlab.com/gnutls/libtasn1/-/merge_requests/57#note_305856037 > +echo > +while true; do > + echo -n "Alpha or Regular release ? [r/A] " Do we need this? We don't have alpha releases. -- Nikos Mavrogiannopoulos started a new discussion on devel/release: https://gitlab.com/gnutls/libtasn1/-/merge_requests/57#note_305856038 > +done > + > +x=$(gpg --list-secret-keys 2>/dev/null|grep ^sec|awk '{ print $2 }') The following code seems to be reimplementing gnupload. It seems equivalent to: `build-aux/gnupload --to ftp.gnu.org:libtasn1 ${app_tarball}` -- Nikos Mavrogiannopoulos started a new discussion on devel/announcement_template.txt: https://gitlab.com/gnutls/libtasn1/-/merge_requests/57#note_305856039 > +GNU Libtasn1 is a standalone library written in C for manipulating ASN.1 > +objects including DER/BER encoding/decoding. GNU Libtasn1 is used by > +GnuTLS to handle X.509 structures and by GNU Shishi to handle Kerberos GNU Shishi is long dead as far as I know. I do not think there is any reason to mention it here. -- Nikos Mavrogiannopoulos started a new discussion on devel/announcement_template.txt: https://gitlab.com/gnutls/libtasn1/-/merge_requests/57#note_305856040 > +V5 structures. > + > +* Noteworthy changes in release 2.12 (2012-03-19) [stable] This doesn't seem like a template to me. 
-- Nikos Mavrogiannopoulos started a new discussion on devel/announcement_template.txt: https://gitlab.com/gnutls/libtasn1/-/merge_requests/57#note_305856042 > + http://ftp.gnu.org/gnu/libtasn1/libtasn1-2.12.tar.gz.sig > + > +We publish Windows binaries for this release (32 and 64 bits): Maybe I stop here the review of the template. What's the reason of going back in time? Why not use the latest release template (if we want to use a template) -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/-/merge_requests/57 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Mar 16 22:50:07 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 16 Mar 2020 21:50:07 +0000 Subject: [gnutls-devel] libtasn1 | Tmp deprecation (!58) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos commented: Shouldn't this be documented in the NEWS? It may break projects that compile with no warnings -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/-/merge_requests/58#note_305857045 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Mar 16 22:50:19 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 16 Mar 2020 21:50:19 +0000 Subject: [gnutls-devel] libtasn1 | Tmp deprecation (!58) In-Reply-To: References: Message-ID: Merge Request !58 was approved by Nikos Mavrogiannopoulos Merge Request url: https://gitlab.com/gnutls/libtasn1/-/merge_requests/58 Branches: tmp-deprecation to master Author: Tim Rühsen Assignees: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/-/merge_requests/58 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Mar 17 03:21:42 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 17 Mar 2020 02:21:42 +0000 Subject: [gnutls-devel] libtasn1 | memory leaks in asn1_array2tree (#26) References: Message-ID:

whzhe51 created an issue: https://gitlab.com/gnutls/libtasn1/-/issues/26

## Description of problem:

Indirect leak of 912 byte(s) in 6 object(s) allocated from:
    #0 0x5216a2 in calloc /src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:154:3
    #1 0x56fb06 in _asn1_add_static_node /src/libtasn1/lib/parser_aux.c:72:10
    #2 0x554557 in asn1_array2tree /src/libtasn1/lib/structure.c:199:11
    #3 0x553cc0 in LLVMFuzzerTestOneInput /src/libtasn1/fuzz/libtasn1_array2tree_fuzzer.c:84:3
    #4 0x459d01 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm/projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:556:15
    #5 0x459425 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool*) /src/llvm/projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:470:3
    #6 0x45b7c7 in fuzzer::Fuzzer::MutateAndTestOne() /src/llvm/projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:698:19
    #7 0x45c555 in fuzzer::Fuzzer::Loop(std::Fuzzer::vector >&) /src/llvm/projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:830:5
    #8 0x44a6d8 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm/projects/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:824:6
    #9 0x474752 in main /src/llvm/projects/compiler-rt/lib/fuzzer/FuzzerMain.cpp:19:10
    #10 0x7fb87930482f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

Indirect leak of 20 byte(s) in 1 object(s) allocated from:
    #0 0x52152d in malloc /src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:145:3
    #1 0x570591 in _asn1_set_value /src/libtasn1/lib/parser_aux.c:274:21
    #2 0x5545d9 in asn1_array2tree /src/libtasn1/lib/structure.c:203:2
    #3 0x553cc0 in LLVMFuzzerTestOneInput /src/libtasn1/fuzz/libtasn1_array2tree_fuzzer.c:84:3
    #4 0x459d01 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm/projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:556:15
    #5 0x459425 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool*) /src/llvm/projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:470:3
    #6 0x45b7c7 in fuzzer::Fuzzer::MutateAndTestOne() /src/llvm/projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:698:19
    #7 0x45c555 in fuzzer::Fuzzer::Loop(std::Fuzzer::vector >&) /src/llvm/projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:830:5
    #8 0x44a6d8 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm/projects/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:824:6
    #9 0x474752 in main /src/llvm/projects/compiler-rt/lib/fuzzer/FuzzerMain.cpp:19:10
    #10 0x7fb87930482f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

## Version of libtasn1 used:

4.16

## Distributor of libtasn1 (e.g., Ubuntu, Fedora, RHEL)

Fedora

## How reproducible:

fuzz-test

Steps to Reproduce:

* one
* two
* three

## Actual results:

memoryleak

## Expected results:

fuzz-test pass

-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/-/issues/26 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL:
From gnutls-devel at lists.gnutls.org Tue Mar 17 03:23:58 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 17 Mar 2020 02:23:58 +0000 Subject: [gnutls-devel] libtasn1 | memory leaks in asn1_array2tree (#26) In-Reply-To: References: Message-ID: whzhe51 commented: We found a memory leak problem in the fuzzy test. I saw that there was a similar problem before, but commit didn't fix it. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/-/issues/26#note_305919748 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Mar 17 09:19:46 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 17 Mar 2020 08:19:46 +0000 Subject: [gnutls-devel] GnuTLS | .lgtm.yml: disable dependency tracking (!1208) In-Reply-To: References: Message-ID: Tim Rühsen commented: Updated the issue at LGTM, included a link to here. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1208#note_306039153 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Mar 17 09:39:23 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 17 Mar 2020 08:39:23 +0000 Subject: [gnutls-devel] GnuTLS | Improve FIPS signatures self-tests (!1206) In-Reply-To: References: Message-ID: All discussions on Merge Request !1206 were resolved by Anderson Sasaki https://gitlab.com/gnutls/gnutls/-/merge_requests/1206 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1206 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Mar 18 08:48:26 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 18 Mar 2020 07:48:26 +0000 Subject: [gnutls-devel] GnuTLS | ed448: fix certificate signature verification (!1213) In-Reply-To: References: Message-ID: Daiki Ueno commented: @rockdaboot could you take a look at the new patches? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1213#note_306834834 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Mar 18 09:20:56 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 18 Mar 2020 08:20:56 +0000 Subject: [gnutls-devel] libtasn1 | memory leaks in asn1_array2tree (#26) In-Reply-To: References: Message-ID: whzhe51 commented: diff --git a/lib/structure.c b/lib/structure.c index 8189c56..4a4ce44 100644 --- a/lib/structure.c +++ b/lib/structure.c @@ -359,7 +359,7 @@ _asn1_delete_structure (list_type *e_list, asn1_node * structure, unsigned int f if (e_list) _asn1_delete_node_from_list (e_list, p); _asn1_remove_node (p, flags); - p = NULL; + p = p2; } } } -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/-/issues/26#note_306852759 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Mar 18 10:51:54 2020 
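Review bot: the replacement `p = p2;` in `_asn1_delete_structure` (lib/structure.c) runs directly after `_asn1_remove_node (p, flags)` has removed `p`, and the hunk does not show where `p2` is assigned. Please confirm that `p2` is captured before the removal and is not read back from the removed node, and that it can become NULL so the walk still terminates where `p = NULL` used to end it. The patch was also posted as a bare issue comment with no commit message and no regression test; adding the fuzzer input behind the two leak reports in this issue as a test case for `asn1_array2tree` would show that both leaks are gone and that the change does not trade them for a use-after-free.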
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 18 Mar 2020 09:51:54 +0000 Subject: [gnutls-devel] GnuTLS | Improve FIPS signatures self-tests (!1206) In-Reply-To: References: Message-ID: Merge Request !1206 was merged Merge Request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1206 Project:Branches: ansasaki/gnutls:improve_fips_selftests to gnutls/gnutls:master Author: Anderson Sasaki Assignees: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1206 From gnutls-devel at lists.gnutls.org Wed Mar 18 10:54:37 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 18 Mar 2020 09:54:37 +0000 Subject: [gnutls-devel] GnuTLS | ed448: fix certificate signature verification (!1213) In-Reply-To: References: Message-ID: Merge Request !1213 was approved by Nikos Mavrogiannopoulos Merge Request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1213 Branches: tmp-ed448-fixes to master Author: Daiki Ueno Assignees: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1213 From gnutls-devel at lists.gnutls.org Wed Mar 18 10:54:43 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 18 Mar 2020 09:54:43 +0000 Subject: [gnutls-devel] GnuTLS | ed448: fix certificate signature verification (!1213) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos commented: LGTM -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1213#note_306919241 From gnutls-devel at lists.gnutls.org Wed Mar 18 11:07:44 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 18 Mar 2020 10:07:44 +0000 Subject: [gnutls-devel] GnuTLS | ed448: fix certificate signature verification (!1213) In-Reply-To: References: Message-ID: Merge Request !1213 was merged Merge Request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1213 Branches: tmp-ed448-fixes to master Author: Daiki Ueno Assignees: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1213 From gnutls-devel at lists.gnutls.org Wed Mar 18 11:12:46 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 18 Mar 2020 10:12:46 +0000 Subject: [gnutls-devel] GnuTLS | support non-NULL-terminated PSKs (!917) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos started a new discussion on lib/handshake-checks.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/917#note_306933300
> return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR); > > if (session->internals.saved_username_set) { > - if (strcmp(session->internals.saved_username, username) != 0) { > + if (username_length == strlen(session->internals.saved_username) && > + strncmp(session->internals.saved_username, username, username_length) != 0) { > _gnutls_debug_log("Session's PSK username changed during rehandshake; aborting!\n"); > return gnutls_assert_val(GNUTLS_E_SESSION_USER_ID_CHANGED); > } > } else { > - size_t len = strlen(username); > - > - memcpy(session->internals.saved_username, username, len); > - session->internals.saved_username[len] = 0; > + memcpy(session->internals.saved_username, username, username_length);
I did an "enhancement" here to check the username length match before checking with `strncmp`, but I think it is wrong, because we cannot save the username in a null terminated way. We would have to save the username length as well. Maybe we can re-use `saved_username_set` to hold the length (assuming we only allow non-zero usernames). What do you think?
-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/917#note_306933300 From gnutls-devel at lists.gnutls.org Wed Mar 18 11:24:53 2020
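Review bot: in the rehandshake branch of the lib/handshake-checks.c hunk above, the new condition joins the length test and `strncmp` with `&&`, so the abort is taken only when the lengths are equal and the bytes differ; a username of a different length passes as unchanged. The hunk also drops `saved_username[len] = 0` while the new condition still calls `strlen(session->internals.saved_username)`, and `strncmp` stops at the first NUL byte, which a non-NULL-terminated username may contain. Suggest storing the length next to the buffer, rejecting when `username_length` differs from the stored length or `memcmp` over that length is non-zero, and checking `username_length` against the size of `saved_username` before the `memcpy` if that is not already done above the visible lines.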
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 18 Mar 2020 10:24:53 +0000 Subject: [gnutls-devel] GnuTLS | support non-NULL-terminated PSKs (!917) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/917#note_306941921 @juaristi is that resolved now? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/917#note_306941921 From gnutls-devel at lists.gnutls.org Wed Mar 18 11:25:47 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 18 Mar 2020 10:25:47 +0000 Subject: [gnutls-devel] GnuTLS | support non-NULL-terminated PSKs (!917) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos commented on a discussion on lib/handshake-checks.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/917#note_306942523
> return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR); > > if (session->internals.saved_username_set) { > - if (strcmp(session->internals.saved_username, username) != 0) { > + if (username_length == strlen(session->internals.saved_username) && > + strncmp(session->internals.saved_username, username, username_length) != 0) { > _gnutls_debug_log("Session's PSK username changed during rehandshake; aborting!\n"); > return gnutls_assert_val(GNUTLS_E_SESSION_USER_ID_CHANGED); > } > } else { > - size_t len = strlen(username); > - > - memcpy(session->internals.saved_username, username, len); > - session->internals.saved_username[len] = 0; > + memcpy(session->internals.saved_username, username, username_length);
I added a proposed fix in the branch. @juaristi could you check it and confirm you're ok with that?
-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/917#note_306942523 From gnutls-devel at lists.gnutls.org Wed Mar 18 11:26:21 2020
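The length-tracking idea raised in the lib/handshake-checks.c discussion above, as an added example (not GnuTLS code and not the fix from the MR branch): the saved username keeps its length next to its bytes and is compared with `memcmp`, shown beside a model of the quoted condition. `struct demo_session`, `DEMO_MAX_USERNAME`, the return codes and the sample usernames are assumptions constructed for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define DEMO_MAX_USERNAME 128	/* assumed buffer size for this example */

enum { USER_OK = 0, USER_CHANGED = -1, USER_BAD_LENGTH = -2 };

/* Hypothetical stand-in for the session fields discussed in the thread.
 * The extra byte keeps strlen() in the model below inside the buffer. */
struct demo_session {
	unsigned char saved_username[DEMO_MAX_USERNAME + 1];
	size_t saved_username_size;	/* 0 = nothing saved yet */
};

typedef int (*check_fn)(struct demo_session *, const unsigned char *, size_t);

static int length_ok(size_t n)
{
	return n != 0 && n <= DEMO_MAX_USERNAME;
}

/* Model of the condition in the quoted hunk: the length test is AND-ed with
 * strncmp(), so a username of another length is never reported, and both
 * strlen() and strncmp() stop at the first NUL byte. */
static int check_as_quoted(struct demo_session *s,
			   const unsigned char *username, size_t username_length)
{
	if (!length_ok(username_length))
		return USER_BAD_LENGTH;
	if (s->saved_username_size) {	/* used only as the "set" flag here */
		if (username_length == strlen((const char *)s->saved_username) &&
		    strncmp((const char *)s->saved_username,
			    (const char *)username, username_length) != 0)
			return USER_CHANGED;
	} else {
		memcpy(s->saved_username, username, username_length);
		s->saved_username_size = username_length;
	}
	return USER_OK;
}

/* Length-aware form: the stored size doubles as the "set" flag (zero-length
 * usernames are rejected), and the comparison covers every byte. */
static int check_length_aware(struct demo_session *s,
			      const unsigned char *username, size_t username_length)
{
	if (!length_ok(username_length))
		return USER_BAD_LENGTH;
	if (s->saved_username_size) {
		if (username_length != s->saved_username_size ||
		    memcmp(s->saved_username, username, username_length) != 0)
			return USER_CHANGED;
	} else {
		memcpy(s->saved_username, username, username_length);
		s->saved_username_size = username_length;
	}
	return USER_OK;
}

/* First handshake with `first`, rehandshake with `second`; returns the
 * result of the rehandshake check. */
static int rehandshake_result(check_fn check,
			      const void *first, size_t first_len,
			      const void *second, size_t second_len)
{
	struct demo_session s;
	int ret;

	memset(&s, 0, sizeof(s));
	ret = check(&s, first, first_len);
	if (ret != USER_OK)
		return ret;
	return check(&s, second, second_len);
}

int main(void)
{
	/* Constructed 5-byte usernames with an embedded NUL byte. */
	static const char a[] = "ab\0cd", b[] = "ab\0XY";

	printf("other length:  quoted=%d length-aware=%d\n",
	       rehandshake_result(check_as_quoted, "bob", 3, "alice", 5),
	       rehandshake_result(check_length_aware, "bob", 3, "alice", 5));
	printf("embedded NUL:  quoted=%d length-aware=%d\n",
	       rehandshake_result(check_as_quoted, a, 5, b, 5),
	       rehandshake_result(check_length_aware, a, 5, b, 5));
	return 0;
}
```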
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 18 Mar 2020 10:26:21 +0000 Subject: [gnutls-devel] GnuTLS | support non-NULL-terminated PSKs (!917) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos commented on a discussion on tests/pskself2.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/917#note_306942913
> + close(sockets[1]); > + server(sockets[0], prio); > + wait(&status); > + check_wait_status(status); > + } else { > + close(sockets[0]); > + client(sockets[1], prio, exp_hint); > + exit(0); > + } > +} > + > +void doit(void) > +{ > + generate_dh_params(); > + > + run_test("NORMAL:-VERS-ALL:+VERS-TLS1.2:-KX-ALL:+PSK", 1);
@juaristi is that resolved now?
-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/917#note_306942913 From gnutls-devel at lists.gnutls.org Wed Mar 18 11:33:18 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 18 Mar 2020 10:33:18 +0000 Subject: [gnutls-devel] GnuTLS | optional: Add support for ed448 (#128) In-Reply-To: References: Message-ID: Issue was closed by Tim Rühsen Issue #128: https://gitlab.com/gnutls/gnutls/-/issues/128 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/128 From gnutls-devel at lists.gnutls.org Wed Mar 18 13:26:30 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 18 Mar 2020 12:26:30 +0000 Subject: [gnutls-devel] GnuTLS | .lgtm.yml: disable dependency tracking (!1208) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos commented: @rockdaboot I've merged it manually and it seems to be working now. However I see that LGTM pipelines only work for people that use branches inside the gnutls project. For other people sending MRs through their project it is not doing anything. Example: https://gitlab.com/jjelen/gnutls/pipelines/127321170 Given this, I think it makes it quite limited. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1208#note_307033811 From gnutls-devel at lists.gnutls.org Wed Mar 18 13:37:54 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 18 Mar 2020 12:37:54 +0000 Subject: [gnutls-devel] GnuTLS | .lgtm.yml: disable dependency tracking (!1208) In-Reply-To: References: Message-ID: Tim Rühsen commented: Good you solved it. Bad that it doesn't work within forks. Not sure if that is intentional by LGTM (e.g. to save resources). Just realized that LGTM doesn't appear in Wget2 pipelines since a long time... hmmm. I'll talk with the support. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1208#note_307041354 From gnutls-devel at lists.gnutls.org Wed Mar 18 16:16:29 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 18 Mar 2020 15:16:29 +0000 Subject: [gnutls-devel] GnuTLS | FIPS self-tests fail for algorithms disabled by configuration files (#956) References: Message-ID: Anderson Sasaki created an issue: https://gitlab.com/gnutls/gnutls/-/issues/956

## Description of problem:

This bug was originally reported in https://bugzilla.redhat.com/show_bug.cgi?id=1813384

When an algorithm tested during FIPS power-on self-tests is disabled by the used configuration file (e.g. through crypto-policies in Fedora), the FIPS self-tests fail.

The suggested way to fix this issue is to postpone the loading of the configuration file during the library initialization.

## Version of gnutls used:

3.6.12

## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)

Fedora 31

## How reproducible:

100%

Steps to Reproduce:

* Create a configuration file which disables one of the tested algorithms. For example containing:

```
[overrides]
insecure-sig = DSA-SHA256
[priorities]
SYSTEM=NORMAL
```

* Use that configuration and run an application forcing FIPS mode:

```
$ GNUTLS_SYSTEM_PRIORITY_FILE=config.cfg GNUTLS_FORCE_FIPS_MODE=1 certtool
```

## Actual results:

```
Error in GnuTLS initialization: Error while performing self checks.
global_init: Error while performing self checks.
```

## Expected results:

No error

-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/956 From gnutls-devel at lists.gnutls.org Wed Mar 18 18:17:44 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 18 Mar 2020 17:17:44 +0000 Subject: [gnutls-devel] GnuTLS | global: Load configuration after FIPS POST (!1216) References: Message-ID: Anderson Sasaki created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1216 Project:Branches: ansasaki/gnutls:postpone_config_loading to gnutls/gnutls:master Author: Anderson Sasaki

Add a description of the new feature/bug fix. Reference any relevant bugs.

Load the configuration file after FIPS-140 power-on self-tests are finished. This prevents failures during the self-tests due to algorithms disabled by the configuration file. As a result, any algorithm can be tested during FIPS-140 POST regardless of the configuration file.

Thanks to @dueno for the suggestion.

Fixes #956

## Checklist

* [x] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [x] Code modified for feature
* [ ] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
* [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:

* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1216 From gnutls-devel at lists.gnutls.org Wed Mar 18 21:21:36 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 18 Mar 2020 20:21:36 +0000 Subject: [gnutls-devel] GnuTLS | cipher: expose raw ChaCha20 cipher (!1210) In-Reply-To: References: Message-ID: Dmitry Baryshkov started a new discussion on lib/nettle/cipher.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1210#note_307376512
> #include > #include > #include > -#include > +#include "int/chacha.h" > +#include "int/chacha-poly1305.h"
Since it is the only user, it might be easier to have `#ifdef`s here, rather than introducing another wrapping header.
-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1210#note_307376512 From gnutls-devel at lists.gnutls.org Wed Mar 18 21:22:13 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 18 Mar 2020 20:22:13 +0000 Subject: [gnutls-devel] GnuTLS | cipher: expose raw ChaCha20 cipher (!1210) In-Reply-To: References: Message-ID: Dmitry Baryshkov commented: LGTM otherwise. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1210#note_307376727 From gnutls-devel at lists.gnutls.org Thu Mar 19 07:23:32 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 19 Mar 2020 06:23:32 +0000 Subject: [gnutls-devel] GnuTLS | cipher: expose raw ChaCha20 cipher (!1210) In-Reply-To: References: Message-ID: Daiki Ueno commented on a discussion on lib/nettle/cipher.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1210#note_307541622
> #include > #include > #include > -#include > +#include "int/chacha.h" > +#include "int/chacha-poly1305.h"
Good point, fixed.
-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1210#note_307541622 From gnutls-devel at lists.gnutls.org Thu Mar 19 07:23:34 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 19 Mar 2020 06:23:34 +0000 Subject: [gnutls-devel] GnuTLS | cipher: expose raw ChaCha20 cipher (!1210) In-Reply-To: References: Message-ID: All discussions on Merge Request !1210 were resolved by Daiki Ueno https://gitlab.com/gnutls/gnutls/-/merge_requests/1210 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1210 From gnutls-devel at lists.gnutls.org Thu Mar 19 08:46:08 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 19 Mar 2020 07:46:08 +0000 Subject: [gnutls-devel] GnuTLS | cipher: expose raw ChaCha20 cipher (!1210) In-Reply-To: References: Message-ID: Dmitry Baryshkov started a new discussion on lib/nettle/Makefile.am: https://gitlab.com/gnutls/gnutls/-/merge_requests/1210#note_307588246
> curve448/ed448-shake256.c curve448/ed448-shake256-pubkey.c \ > curve448/ed448-shake256-sign.c curve448/ed448-shake256-verify.c > endif > + > +if NEED_CHACHA > +libcrypto_la_SOURCES += \ > + chacha/chacha-core-internal.c chacha/chacha-crypt.c \ > + chacha/chacha-internal.h chacha/chacha-poly1305.c \ > + chacha/chacha-poly1305.h chacha/chacha-set-key.c \ > + chacha/chacha-set-nonce.c chacha/chacha.h \ > + int/chacha.h int/chacha-poly1305.h
Last two items should be removed, shan't they?
-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1210#note_307588246 From gnutls-devel at lists.gnutls.org Thu Mar 19 09:19:51 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 19 Mar 2020 08:19:51 +0000 Subject: [gnutls-devel] GnuTLS | Verify that Edwards public keys should use OCTET STRING encoding on pkcs11 tokens (#957) References: Message-ID: Dmitry Baryshkov created an issue: https://gitlab.com/gnutls/gnutls/-/issues/957

The following discussion from !1200 should be addressed:

- [ ] @lumag started a [discussion](https://gitlab.com/gnutls/gnutls/-/merge_requests/1200#note_301112018): (+6 comments)

    > Hmm, this changes a format of public key from just `X` value to `OCTET STRING` encoding of `X`. Is this intended? Is it the format used by tokens?
    >
    > PKCS11 says:
    >
    > > DER-encoding of the b-bit public key value in little endian order as defined in RFC 8032

-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/957 From gnutls-devel at lists.gnutls.org Thu Mar 19 09:42:50 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 19 Mar 2020 08:42:50 +0000 Subject: [gnutls-devel] GnuTLS | cipher: expose raw ChaCha20 cipher (!1210) In-Reply-To: References: Message-ID: All discussions on Merge Request !1210 were resolved by Daiki Ueno https://gitlab.com/gnutls/gnutls/-/merge_requests/1210 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1210 From gnutls-devel at lists.gnutls.org Thu Mar 19 09:42:49 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 19 Mar 2020 08:42:49 +0000 Subject: [gnutls-devel] GnuTLS | cipher: expose raw ChaCha20 cipher (!1210) In-Reply-To: References: Message-ID: Daiki Ueno commented on a discussion on lib/nettle/Makefile.am: https://gitlab.com/gnutls/gnutls/-/merge_requests/1210#note_307626352
> curve448/ed448-shake256.c curve448/ed448-shake256-pubkey.c \ > curve448/ed448-shake256-sign.c curve448/ed448-shake256-verify.c > endif > + > +if NEED_CHACHA > +libcrypto_la_SOURCES += \ > + chacha/chacha-core-internal.c chacha/chacha-crypt.c \ > + chacha/chacha-internal.h chacha/chacha-poly1305.c \ > + chacha/chacha-poly1305.h chacha/chacha-set-key.c \ > + chacha/chacha-set-nonce.c chacha/chacha.h \ > + int/chacha.h int/chacha-poly1305.h
Oops, should be fixed now.
-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1210#note_307626352 From gnutls-devel at lists.gnutls.org Thu Mar 19 09:53:14 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 19 Mar 2020 08:53:14 +0000 Subject: [gnutls-devel] GnuTLS | cipher: expose raw ChaCha20 cipher (!1210) In-Reply-To: References: Message-ID: Merge Request !1210 was approved by Dmitry Baryshkov Merge Request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1210 Branches: tmp-chacha to master Author: Daiki Ueno Assignees: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1210 From gnutls-devel at lists.gnutls.org Thu Mar 19 13:49:10 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 19 Mar 2020 12:49:10 +0000 Subject: [gnutls-devel] GnuTLS | cipher: expose raw ChaCha20 cipher (!1210) In-Reply-To: References: Message-ID: Merge Request !1210 was merged Merge Request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1210 Branches: tmp-chacha to master Author: Daiki Ueno Assignees: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1210 From gnutls-devel at lists.gnutls.org Thu Mar 19 13:49:21 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 19 Mar 2020 12:49:21 +0000 Subject: [gnutls-devel] GnuTLS | cipher: expose raw ChaCha20 cipher (!1210) In-Reply-To: References: Message-ID: Daiki Ueno commented: Thanks for the review! -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1210#note_307817794 From gnutls-devel at lists.gnutls.org Thu Mar 19 16:28:30 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 19 Mar 2020 15:28:30 +0000 Subject: [gnutls-devel] GnuTLS | state: add function to get the current hash algorithm (!1217) References: Message-ID: Daiki Ueno created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1217 Branches: tmp-prf-get to master Author: Daiki Ueno

This is split from !1199.

## Checklist

* [x] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [ ] Code modified for feature
* [x] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [x] Documentation updated / NEWS entry present (for non-trivial changes)
* [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:

* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1217 From gnutls-devel at lists.gnutls.org Thu Mar 19 16:32:54 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 19 Mar 2020 15:32:54 +0000 Subject: [gnutls-devel] GnuTLS | state: add function to get the current hash algorithm (!1217) In-Reply-To: References: Message-ID: Merge request https://gitlab.com/gnutls/gnutls/-/merge_requests/1217 was reviewed by Tim Rühsen -- Tim Rühsen started a new discussion on lib/includes/gnutls/gnutls.h.in: https://gitlab.com/gnutls/gnutls/-/merge_requests/1217#note_307967847
> gnutls_kx_algorithm_t gnutls_kx_get(gnutls_session_t session); > gnutls_mac_algorithm_t gnutls_mac_get(gnutls_session_t session); > +gnutls_digest_algorithm_t gnutls_prf_hash_get(gnutls_session_t session);
Does it make sense to start using 'const' for the param? It hasn't been done much so far, but in the long term we should use it where possible.
-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1217 From gnutls-devel at lists.gnutls.org Thu Mar 19 16:58:37 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 19 Mar 2020 15:58:37 +0000 Subject: [gnutls-devel] GnuTLS | state: add function to get the current hash algorithm (!1217) In-Reply-To: References: Message-ID: Daiki Ueno commented on a discussion on lib/includes/gnutls/gnutls.h.in: https://gitlab.com/gnutls/gnutls/-/merge_requests/1217#note_307986103
> gnutls_cipher_algorithm_t gnutls_cipher_get(gnutls_session_t session); > gnutls_kx_algorithm_t gnutls_kx_get(gnutls_session_t session); > gnutls_mac_algorithm_t gnutls_mac_get(gnutls_session_t session); > +gnutls_digest_algorithm_t gnutls_prf_hash_get(gnutls_session_t session);
For this `_get` function, that makes perfect sense. Let me try to add it.
-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1217#note_307986103 From gnutls-devel at lists.gnutls.org Thu Mar 19 17:38:43 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 19 Mar 2020 16:38:43 +0000 Subject: [gnutls-devel] GnuTLS | state: add function to get the current hash algorithm (!1217) In-Reply-To: References: Message-ID: Merge Request !1217 was approved by Tim Rühsen Merge Request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1217 Branches: tmp-prf-get to master Author: Daiki Ueno Assignees: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1217 From gnutls-devel at lists.gnutls.org Thu Mar 19 17:38:50 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 19 Mar 2020 16:38:50 +0000 Subject: [gnutls-devel] GnuTLS | state: add function to get the current hash algorithm (!1217) In-Reply-To: References: Message-ID: All discussions on Merge Request !1217 were resolved by Tim Rühsen https://gitlab.com/gnutls/gnutls/-/merge_requests/1217 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1217 From gnutls-devel at lists.gnutls.org Thu Mar 19 17:50:50 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 19 Mar 2020 16:50:50 +0000 Subject: [gnutls-devel] GnuTLS | fuzz: Update README.md for clang-9 [skip ci] (!1218) References: Message-ID: Tim Rühsen created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1218 Branches: tmp-fuzz-readme to master Author: Tim Rühsen

Update the fuzzing instructions.

## Checklist

* [x] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [x] Documentation updated / NEWS entry present (for non-trivial changes)

## Reviewer's checklist:

* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1218 From gnutls-devel at lists.gnutls.org Fri Mar 20 07:09:20 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 20 Mar 2020 06:09:20 +0000 Subject: [gnutls-devel] GnuTLS | state: add function to get the current hash algorithm (!1217) In-Reply-To: References: Message-ID: Daiki Ueno commented: Thanks for the review. I think this is the last piece of QUIC support that can safely land at this point (other parts are still moving so let's keep them in a separate branch until they settle). -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1217#note_308275779 From gnutls-devel at lists.gnutls.org Fri Mar 20 07:09:37 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 20 Mar 2020 06:09:37 +0000 Subject: [gnutls-devel] GnuTLS | state: add function to get the current hash algorithm (!1217) In-Reply-To: References: Message-ID: Merge Request !1217 was merged Merge Request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1217 Branches: tmp-prf-get to master Author: Daiki Ueno Assignees: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1217 From gnutls-devel at lists.gnutls.org Fri Mar 20 13:06:46 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 20 Mar 2020 12:06:46 +0000 Subject: [gnutls-devel] libtasn1 | Tmp deprecation (!58) In-Reply-To: References: Message-ID: Tim Rühsen commented: Thanks, NEWS entry added. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/-/merge_requests/58#note_308474502 From gnutls-devel at lists.gnutls.org Fri Mar 20 13:09:03 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 20 Mar 2020 12:09:03 +0000 Subject: [gnutls-devel] libtasn1 | Add release script and announcement template [skip ci] (!57) In-Reply-To: References: Message-ID: Tim Rühsen commented on a discussion on devel/release: https://gitlab.com/gnutls/libtasn1/-/merge_requests/57#note_308475848
> + > +echo "Current version of $app_name is $app_ver" > +echo > +echo -n "Enter Y if that is OK, else enter N and edit configure.ac: " > +read x > +[ "$x" != "y" -a "$x" != "Y" ] && exit 0 > + > +echo > +grep -i "Changes in $app_name" NEWS|head -1 > +echo -n "Did you edit the NEWS file ? [y/N] " > +read x > +[ "$x" != "y" -a "$x" != "Y" ] && exit 0 > + > +echo > +while true; do > + echo -n "Alpha or Regular release ? [r/A] "
Right, there is no internationalization (po/ dir), so we can drop this.
-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/-/merge_requests/57#note_308475848 From gnutls-devel at lists.gnutls.org Fri Mar 20 13:15:58 2020
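Review bot: both confirmation prompts in the devel/release hunk above end with `[ "$x" != "y" -a "$x" != "Y" ] && exit 0`, so declining stops the release with exit status 0 and a calling script or CI job cannot tell an aborted run from a completed one; exit non-zero on the abort path. In the same lines, `-a` inside `[ ]` is marked obsolescent by POSIX and `echo -n` is not portable; a `printf` prompt, `read -r x` and `case "$x" in y|Y) ;; *) exit 1 ;; esac` would cover both.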
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 20 Mar 2020 12:15:58 +0000
Subject: [gnutls-devel] libtasn1 | Add release script and announcement template [skip ci] (!57)
In-Reply-To:
References:
Message-ID:

Tim Rühsen commented on a discussion on devel/release: https://gitlab.com/gnutls/libtasn1/-/merge_requests/57#note_308479823

> + > +echo "* Make" > +make -s -j$(nproc) clean > +make -s -j$(nproc) > + > +echo "* Make distcheck" > +make -s -j$(nproc) distcheck >/dev/null > + > +echo "* Make dist" > +for ext in $extensions; do > + [[ $ext = 'gz' ]] && ext="gzip" > +# [[ $ext = 'lz' ]] && ext="lzip" > + make -s -j$(nproc) dist-$ext >/dev/null > +done > + > +x=$(gpg --list-secret-keys 2>/dev/null|grep ^sec|awk '{ print $2 }')

Hmmm, I have several GPG keys and can't see how I can specify the right one with `gnupload`. Please let me know how to do that and I'll replace that code.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/-/merge_requests/57#note_308479823

From gnutls-devel at lists.gnutls.org Fri Mar 20 13:17:33 2020
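Review bot: In the devel/release hunk quoted in the 12:15:58 message above, the last line `x=$(gpg --list-secret-keys 2>/dev/null|grep ^sec|awk '{ print $2 }')` yields one entry per secret key and scrapes gpg's human-readable listing, whose second column differs between GnuPG versions, so on a keyring with several keys `x` is a multi-line value and the key that ends up signing the release is not a deliberate choice. Take the signing key from an explicit variable or argument and stop if it is unset; if the keyring has to be parsed, use `--with-colons`, the output format intended for scripts. Separately, `[[ ... ]]` requires bash, so the interpreter line (not visible in this hunk) must not be plain sh, and sending `distcheck` output to /dev/null hides the reason when it fails.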
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 20 Mar 2020 12:17:33 +0000
Subject: [gnutls-devel] libtasn1 | Add release script and announcement template [skip ci] (!57)
In-Reply-To:
References:
Message-ID:

Tim Rühsen commented on a discussion on devel/announcement_template.txt: https://gitlab.com/gnutls/libtasn1/-/merge_requests/57#note_308480835

> +GNU Libtasn1 is a standalone library written in C for manipulating ASN.1 > +objects including DER/BER encoding/decoding. GNU Libtasn1 is used by > +GnuTLS to handle X.509 structures and by GNU Shishi to handle Kerberos

Sorry, it was the latest announcement I could find on the libtasn1 ML archive. Please point me to a newer one and I'll replace it.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/-/merge_requests/57#note_308480835

From gnutls-devel at lists.gnutls.org Fri Mar 20 13:20:12 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 20 Mar 2020 12:20:12 +0000
Subject: [gnutls-devel] libtasn1 | Add release script and announcement template [skip ci] (!57)
In-Reply-To:
References:
Message-ID:

Tim Rühsen commented:

I see how this MR wasn't a good idea. Thanks for looking into it and sorry for your wasted time :-(

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/-/merge_requests/57#note_308482374

From gnutls-devel at lists.gnutls.org Fri Mar 20 13:20:13 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 20 Mar 2020 12:20:13 +0000
Subject: [gnutls-devel] libtasn1 | Add release script and announcement template [skip ci] (!57)
In-Reply-To:
References:
Message-ID:

Merge Request !57 was closed by Tim Rühsen

Merge Request url: https://gitlab.com/gnutls/libtasn1/-/merge_requests/57
Branches: tmp-release-script to master
Author: Tim Rühsen
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/-/merge_requests/57

From gnutls-devel at lists.gnutls.org Fri Mar 20 13:33:57 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 20 Mar 2020 12:33:57 +0000
Subject: [gnutls-devel] libtasn1 | memory leaks in asn1_array2tree (#26)
In-Reply-To:
References:
Message-ID:

Tim Rühsen commented:

From my last inspection I remember that some leaks are not fixable without introducing reference counters. Introducing that is not trivial and a lot of work.

In reality, I only know uses of static input syntax which don't trigger these memory leaks. Do you have an example from a real project that triggers this ?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/-/issues/26#note_308492305

From gnutls-devel at lists.gnutls.org Fri Mar 20 13:37:18 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 20 Mar 2020 12:37:18 +0000
Subject: [gnutls-devel] GnuTLS | Unable to use Ed25519 keys from PKCS#11 (#946)
In-Reply-To:
References:
Message-ID:

Issue was closed by Nikos Mavrogiannopoulos via merge request !1200 (https://gitlab.com/gnutls/gnutls/-/merge_requests/1200)

Issue #946: https://gitlab.com/gnutls/gnutls/-/issues/946

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/946

From gnutls-devel at lists.gnutls.org Fri Mar 20 13:54:19 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 20 Mar 2020 12:54:19 +0000
Subject: [gnutls-devel] libtasn1 | Tmp deprecation (!58)
In-Reply-To:
References:
Message-ID:

Merge Request !58 was merged

Merge Request url: https://gitlab.com/gnutls/libtasn1/-/merge_requests/58
Branches: tmp-deprecation to master
Author: Tim Rühsen
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/-/merge_requests/58

From gnutls-devel at lists.gnutls.org Fri Mar 20 15:48:48 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 20 Mar 2020 14:48:48 +0000
Subject: [gnutls-devel] GnuTLS | Key passphrase longer than 31 chars give 'No PIN given' error (#932)
In-Reply-To:
References:
Message-ID:

Tim Rühsen commented:

This is basically due to
```
./lib/includes/gnutls/pkcs11.h:#define GNUTLS_PKCS11_MAX_PIN_LEN 32
./src/common.h:#define MAX_PIN_LEN GNUTLS_PKCS11_MAX_PIN_LEN
```

@nmav Is there a reason why we should not increase this to e.g. 1024 ? I am against 'unlimited' password / PIN lengths as this might introduce new attack vectors.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/932#note_308586614

From gnutls-devel at lists.gnutls.org Fri Mar 20 16:51:21 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 20 Mar 2020 15:51:21 +0000
Subject: [gnutls-devel] GnuTLS | global: Load configuration after FIPS POST (!1216)
In-Reply-To:
References:
Message-ID:

Merge Request !1216 was approved by Dmitry Baryshkov

Merge Request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1216
Project:Branches: ansasaki/gnutls:postpone_config_loading to gnutls/gnutls:master
Author: Anderson Sasaki
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1216

From gnutls-devel at lists.gnutls.org Sat Mar 21 23:04:55 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 21 Mar 2020 22:04:55 +0000
Subject: [gnutls-devel] GnuTLS | fuzz: Update README.md for clang-9 [skip ci] (!1218)
In-Reply-To:
References:
Message-ID:

Merge request https://gitlab.com/gnutls/gnutls/-/merge_requests/1218 was reviewed by Dmitry Baryshkov

--

Dmitry Baryshkov started a new discussion on fuzz/README.md: https://gitlab.com/gnutls/gnutls/-/merge_requests/1218#note_309016600

> cd fuzz > > # build and run gnutls_base64_decode_fuzzer (change ASAN path if not using clang-8)

clang-9

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1218

From gnutls-devel at lists.gnutls.org Sun Mar 22 10:39:34 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 22 Mar 2020 09:39:34 +0000
Subject: [gnutls-devel] GnuTLS | fuzz: Update README.md for clang-9 [skip ci] (!1218)
In-Reply-To:
References:
Message-ID:

Dmitry Baryshkov started a new discussion on fuzz/README.md: https://gitlab.com/gnutls/gnutls/-/merge_requests/1218#note_309082183

> Use the following commands on top dir: > ``` > export CC=clang > -export CFLAGS="-O1 -g -fno-omit-frame-pointer -gline-tables-only -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION -fsanitize=undefined,integer,nullability -fsanitize=address -fsanitize-address-use-after-scope -fsanitize-coverage=trace-pc-guard,trace-cmp" > +export CXX=clang++ > +export CFLAGS="-O1 -g -fno-omit-frame-pointer -gline-tables-only -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION -fsanitize=undefined,integer,nullability,bool,alignment,null,enum,address,leak,nonnull-attribute -fno-sanitize-recover=all -fsanitize-recover=unsigned-integer-overflow -fsanitize-address-use-after-scope -fsanitize=fuzzer-no-link"

I have a question about using `-DDFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION`. We already define this when using `--enable-fuzzer-target` (defined in `config.h`), however all scripts check for the flag in `Makefile`s rather than `config.h`. Should we point scripts to config.h file?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1218#note_309082183

From gnutls-devel at lists.gnutls.org Sun Mar 22 11:07:35 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 22 Mar 2020 10:07:35 +0000
Subject: [gnutls-devel] GnuTLS | fuzz: Update README.md for clang-9 [skip ci] (!1218)
In-Reply-To:
References:
Message-ID:

Tim Rühsen commented on a discussion on fuzz/README.md: https://gitlab.com/gnutls/gnutls/-/merge_requests/1218#note_309085473

> Use the following commands on top dir: > ``` > export CC=clang > -export CFLAGS="-O1 -g -fno-omit-frame-pointer -gline-tables-only -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION -fsanitize=undefined,integer,nullability -fsanitize=address -fsanitize-address-use-after-scope -fsanitize-coverage=trace-pc-guard,trace-cmp" > +export CXX=clang++ > +export CFLAGS="-O1 -g -fno-omit-frame-pointer -gline-tables-only -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION -fsanitize=undefined,integer,nullability,bool,alignment,null,enum,address,leak,nonnull-attribute -fno-sanitize-recover=all -fsanitize-recover=unsigned-integer-overflow -fsanitize-address-use-after-scope -fsanitize=fuzzer-no-link" > +export CXXFLAGS="$CFLAGS" > ./configure --disable-guile --enable-fuzzer-target --enable-static --disable-doc --disable-gcc-warnings --disable-hardware-acceleration > make clean > make > cd fuzz > > # build and run gnutls_base64_decode_fuzzer (change ASAN path if not using clang-8)

Thanks, now removed completely as the symbolizer path now is version independent.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1218#note_309085473

From gnutls-devel at lists.gnutls.org Sun Mar 22 11:18:07 2020
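Review bot: In the fuzz/README.md hunk quoted in the 10:07:35 message above, the new `-fsanitize=` list on the `+export CFLAGS=` line names `bool,alignment,null,enum,nonnull-attribute` alongside `undefined`, which already enables those checks, and `leak` alongside `address`, which runs LeakSanitizer by default on Linux. Trimming the list to `undefined,integer,nullability,address` gives the same checks there and makes the README easier to compare with the build scripts. The README would also benefit from stating which clang versions accept `-fsanitize=fuzzer-no-link`, given that the change replaces the older `-fsanitize-coverage=trace-pc-guard,trace-cmp` instrumentation.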
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 22 Mar 2020 10:18:07 +0000
Subject: [gnutls-devel] GnuTLS | fuzz: Update README.md for clang-9 [skip ci] (!1218)
In-Reply-To:
References:
Message-ID:

Tim Rühsen commented on a discussion on fuzz/README.md: https://gitlab.com/gnutls/gnutls/-/merge_requests/1218#note_309087134

> Use the following commands on top dir: > ``` > export CC=clang > -export CFLAGS="-O1 -g -fno-omit-frame-pointer -gline-tables-only -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION -fsanitize=undefined,integer,nullability -fsanitize=address -fsanitize-address-use-after-scope -fsanitize-coverage=trace-pc-guard,trace-cmp" > +export CXX=clang++ > +export CFLAGS="-O1 -g -fno-omit-frame-pointer -gline-tables-only -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION -fsanitize=undefined,integer,nullability,bool,alignment,null,enum,address,leak,nonnull-attribute -fno-sanitize-recover=all -fsanitize-recover=unsigned-integer-overflow -fsanitize-address-use-after-scope -fsanitize=fuzzer-no-link"

I don't see any advantages. Since FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION always appears in config.h, it even makes grepping slightly more complicated.

For me, it doesn't matter. If you have a strong opinion about it, feel free to change it.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1218#note_309087134

From gnutls-devel at lists.gnutls.org Sun Mar 22 12:33:27 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 22 Mar 2020 11:33:27 +0000
Subject: [gnutls-devel] GnuTLS | fuzz: Update README.md for clang-9 [skip ci] (!1218)
In-Reply-To:
References:
Message-ID:

Dmitry Baryshkov commented on a discussion on fuzz/README.md: https://gitlab.com/gnutls/gnutls/-/merge_requests/1218#note_309108890

> Use the following commands on top dir: > ``` > export CC=clang > -export CFLAGS="-O1 -g -fno-omit-frame-pointer -gline-tables-only -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION -fsanitize=undefined,integer,nullability -fsanitize=address -fsanitize-address-use-after-scope -fsanitize-coverage=trace-pc-guard,trace-cmp" > +export CXX=clang++ > +export CFLAGS="-O1 -g -fno-omit-frame-pointer -gline-tables-only -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION -fsanitize=undefined,integer,nullability,bool,alignment,null,enum,address,leak,nonnull-attribute -fno-sanitize-recover=all -fsanitize-recover=unsigned-integer-overflow -fsanitize-address-use-after-scope -fsanitize=fuzzer-no-link"

No strong opinion.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1218#note_309108890

From gnutls-devel at lists.gnutls.org Sun Mar 22 12:33:27 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 22 Mar 2020 11:33:27 +0000
Subject: [gnutls-devel] GnuTLS | fuzz: Update README.md for clang-9 [skip ci] (!1218)
In-Reply-To:
References:
Message-ID:

All discussions on Merge Request !1218 were resolved by Dmitry Baryshkov

https://gitlab.com/gnutls/gnutls/-/merge_requests/1218

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1218

From gnutls-devel at lists.gnutls.org Sun Mar 22 12:33:42 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 22 Mar 2020 11:33:42 +0000
Subject: [gnutls-devel] GnuTLS | fuzz: Update README.md for clang-9 [skip ci] (!1218)
In-Reply-To:
References:
Message-ID:

Merge Request !1218 was approved by Dmitry Baryshkov

Merge Request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1218
Branches: tmp-fuzz-readme to master
Author: Tim Rühsen
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1218

From gnutls-devel at lists.gnutls.org Sun Mar 22 13:34:41 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 22 Mar 2020 12:34:41 +0000
Subject: [gnutls-devel] GnuTLS | fuzz: Update README.md for clang-9 [skip ci] (!1218)
In-Reply-To:
References:
Message-ID:

Merge Request !1218 was merged

Merge Request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1218
Branches: tmp-fuzz-readme to master
Author: Tim Rühsen
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1218

From gnutls-devel at lists.gnutls.org Sun Mar 22 14:09:09 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 22 Mar 2020 13:09:09 +0000
Subject: [gnutls-devel] GnuTLS | Two fixes for oss-fuzz build target (!1219)
References:
Message-ID:

Dmitry Baryshkov created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1219

Project:Branches: GostCrypt/gnutls:fix-fuzz to gnutls/gnutls:master
Author: Dmitry Baryshkov

Add a description of the new feature/bug fix. Reference any relevant bugs.

## Checklist
 * [x] Commits have `Signed-off-by:` with name/author being identical to the commit author
 * [x] Code modified for feature
 * [ ] Test suite updated with functionality tests
 * [ ] Test suite updated with negative tests
 * [ ] Documentation updated / NEWS entry present (for non-trivial changes)
 * [x] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:
 * [ ] Any issues marked for closing are addressed
 * [ ] There is a test suite reasonably covering new functionality or modifications
 * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
 * [ ] This feature/change has adequate documentation added
 * [ ] No obvious mistakes in the code

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1219

From gnutls-devel at lists.gnutls.org Sun Mar 22 14:11:17 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 22 Mar 2020 13:11:17 +0000
Subject: [gnutls-devel] GnuTLS | Two fixes for oss-fuzz build target (!1219)
In-Reply-To:
References:
Message-ID:

Tim Rühsen started a new discussion on fuzz/Makefile.am: https://gitlab.com/gnutls/gnutls/-/merge_requests/1219#note_309138274

> for ccfile in *_fuzzer.c; do \ > fuzzer=$$(basename $$ccfile .c); \ > XLIBS="-lhogweed -lnettle -ltasn1 -lgmp -lidn2 -lunistring"; \ > - $$CXX $$CXXFLAGS -I$(top_srcdir)/lib/includes/ -I$(top_srcdir) \ > + $$CC $$CFLAGS -I$(top_srcdir)/lib/includes/ -I$(top_srcdir) \

Not sure if that works on the oss-fuzz platform. It didn't do in the past, but if it does now, that would be cool !

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1219#note_309138274

From gnutls-devel at lists.gnutls.org Sun Mar 22 14:23:46 2020
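Review bot: On the changed line `$$CC $$CFLAGS -I$(top_srcdir)/lib/includes/ -I$(top_srcdir) \` in the fuzz/Makefile.am hunk quoted in the 13:11:17 message above, the recipe is cut off before the output and library arguments, so it is not visible whether this single command still both compiles and links. The sources are `*_fuzzer.c`, so compiling with `$$CC $$CFLAGS` is right, but a fuzzing engine written in C++ has to be linked through `$$CXX`; splitting the recipe into a `-c` compile step and a separate `$$CXX $$CXXFLAGS` link step makes that explicit. Quoting `"$$ccfile"` in the `basename` call and the compile command would also keep the loop safe for unusual file names.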
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 22 Mar 2020 13:23:46 +0000
Subject: [gnutls-devel] GnuTLS | Two fixes for oss-fuzz build target (!1219)
In-Reply-To:
References:
Message-ID:

Dmitry Baryshkov commented on a discussion on fuzz/Makefile.am: https://gitlab.com/gnutls/gnutls/-/merge_requests/1219#note_309140167

> for ccfile in *_fuzzer.c; do \ > fuzzer=$$(basename $$ccfile .c); \ > XLIBS="-lhogweed -lnettle -ltasn1 -lgmp -lidn2 -lunistring"; \ > - $$CXX $$CXXFLAGS -I$(top_srcdir)/lib/includes/ -I$(top_srcdir) \ > + $$CC $$CFLAGS -I$(top_srcdir)/lib/includes/ -I$(top_srcdir) \

Updated to use CC to compile and CXX to link

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1219#note_309140167

From gnutls-devel at lists.gnutls.org Sun Mar 22 14:47:32 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 22 Mar 2020 13:47:32 +0000
Subject: [gnutls-devel] GnuTLS | gnutls_session_get_keylog_function: new function (!1220)
References:
Message-ID:

Daiki Ueno created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1220

Branches: tmp-get-keylog-func to master
Author: Daiki Ueno

This complements !1184 to allow applications to implement custom logging facility:
https://github.com/ngtcp2/ngtcp2/blob/master/examples/keylog.cc#L36

## Checklist
 * [x] Commits have `Signed-off-by:` with name/author being identical to the commit author
 * [x] Code modified for feature
 * [x] Test suite updated with functionality tests
 * [ ] Test suite updated with negative tests
 * [x] Documentation updated / NEWS entry present (for non-trivial changes)
 * [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:
 * [ ] Any issues marked for closing are addressed
 * [ ] There is a test suite reasonably covering new functionality or modifications
 * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
 * [ ] This feature/change has adequate documentation added
 * [ ] No obvious mistakes in the code

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1220

From gnutls-devel at lists.gnutls.org Sun Mar 22 20:42:06 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 22 Mar 2020 19:42:06 +0000
Subject: [gnutls-devel] GnuTLS | Key passphrase longer than 31 chars give 'No PIN given' error (#932)
In-Reply-To:
References:
Message-ID:

Nikos Mavrogiannopoulos commented:

To increase `GNUTLS_PKCS11_MAX_PIN_LEN` we may want to check if it is part of the ABI. However that's for PKCS#11 PINs which are mostly short. What we may want to fix here is `certtool` as it should have no limits for non-PKCS#11 passwords.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/932#note_309204963

From gnutls-devel at lists.gnutls.org Sun Mar 22 20:49:20 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 22 Mar 2020 19:49:20 +0000
Subject: [gnutls-devel] GnuTLS | Key passphrase longer than 31 chars give 'No PIN given' error (#932)
In-Reply-To:
References:
Message-ID:

Nikos Mavrogiannopoulos commented:

Actually it is only a definition and it affects internal code only. Increasing it makes sense.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/932#note_309205945

From gnutls-devel at lists.gnutls.org Mon Mar 23 02:56:32 2020
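The limit discussed in the #932 messages above, as an added example that is not GnuTLS code and not part of any message in this archive: a fixed PIN buffer of 32 bytes holds at most 31 characters plus the terminating NUL, and a larger but still bounded buffer lets over-long input be reported separately from an empty PIN. It assumes the limit counts the terminating NUL; `store_pin`, `try_length`, `wipe` and the status names are hypothetical, and only the two sizes (32 and 1024) come from the thread.

```c
/* Added example, not GnuTLS source. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define OLD_MAX_PIN_LEN 32   /* GNUTLS_PKCS11_MAX_PIN_LEN as quoted in the thread */
#define NEW_MAX_PIN_LEN 1024 /* bounded value proposed in the thread */

/* Hypothetical status codes: "too long" is kept distinct from "empty". */
enum pin_status { PIN_OK = 0, PIN_EMPTY = -1, PIN_TOO_LONG = -2 };

/* Overwrite a buffer through a volatile pointer so the stores are not elided. */
static void wipe(void *buf, size_t len)
{
    volatile unsigned char *p = buf;
    while (len--)
        *p++ = 0;
}

/*
 * Copy a NUL-terminated passphrase into a caller buffer of pin_max bytes.
 * pin_max includes the terminating NUL (assumption), so at most
 * pin_max - 1 characters fit. The scan never reads past pin_max bytes.
 */
static enum pin_status store_pin(const char *input, char *pin, size_t pin_max)
{
    size_t len = 0;

    if (pin == NULL || pin_max == 0)
        return PIN_TOO_LONG;
    pin[0] = '\0';
    if (input == NULL || input[0] == '\0')
        return PIN_EMPTY;

    while (len < pin_max && input[len] != '\0')
        len++;
    if (len == pin_max)          /* no room left for the NUL */
        return PIN_TOO_LONG;

    memcpy(pin, input, len + 1); /* includes the NUL */
    return PIN_OK;
}

/* Build a constructed passphrase of n characters and try it against a limit. */
static enum pin_status try_length(size_t n, size_t pin_max)
{
    static char input[2 * NEW_MAX_PIN_LEN + 1];
    char pin[NEW_MAX_PIN_LEN];
    enum pin_status st;

    if (n >= sizeof(input) || pin_max > sizeof(pin))
        return PIN_TOO_LONG;
    memset(input, 'a', n);
    input[n] = '\0';

    st = store_pin(input, pin, pin_max);

    wipe(pin, sizeof(pin));      /* do not leave secrets on the stack */
    wipe(input, sizeof(input));
    return st;
}

int main(void)
{
    static const size_t lengths[] = { 0, 31, 32, 1023, 1024 };
    size_t i;

    for (i = 0; i < sizeof(lengths) / sizeof(lengths[0]); i++)
        printf("len %4zu: limit %d -> %d, limit %d -> %d\n", lengths[i],
               OLD_MAX_PIN_LEN, try_length(lengths[i], OLD_MAX_PIN_LEN),
               NEW_MAX_PIN_LEN, try_length(lengths[i], NEW_MAX_PIN_LEN));
    return 0;
}
```
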
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 23 Mar 2020 01:56:32 +0000
Subject: [gnutls-devel] GnuTLS | gnutls_cli_debug / test_ssl3 don't detect some old SSLv3 servers (#958)
References:
Message-ID:

Daniel Lenski created an issue: https://gitlab.com/gnutls/gnutls/-/issues/958

I have access to a very old Cisco VPN server. (Some of the front-end HTTP suggests that it was last updated in 2007.) It's definitely insecure, but I'm just an end-user and can't do much about it:

Recent versions of `gnutls-cli-debug` report that it doesn't support SSL 3.0. With latest version from `master` (7fa4d8efcaecac06ebd38f3a4aa392ab76c721e4):

```
$ src/gnutls-cli-debug vpn.company.com
GnuTLS debug client 3.6.12
Checking vpn.company.com:443
whether the server accepts default record size (512 bytes)... no
whether %ALLOW_SMALL_RECORDS is required... no
for SSL 3.0 (RFC6101) support... no
whether we need to disable TLS 1.2... yes
whether we need to disable TLS 1.1... yes
whether we need to disable TLS 1.0... yes
whether %NO_EXTENSIONS is required... yes
whether %COMPAT is required... yes
for TLS 1.0 (RFC2246) support... no
for TLS 1.0 (RFC2246) support with TLS 1.0 record version... no
for TLS 1.1 (RFC4346) support... no
fallback from TLS 1.1 to... failed
for TLS 1.2 (RFC5246) support... no
for TLS 1.3 (RFC8446) support... no
for known TLS or SSL protocols support... no
```

However, this isn't actually true. It *does* support SSL 3.0 (and _only_ SSL 3.0), but only with extensions disabled:

```
$ src/gnutls-cli --insecure --priority 'NORMAL:-VERS-ALL:+VERS-SSL3.0:%NO_EXTENSIONS' vpn.company.com
...
*** PKI verification of server certificate failed...
- Description: (SSL3.0-X.509)-(RSA)-(3DES-CBC)-(SHA1)
- Session ID: ...
- Options:
- Handshake was completed
...
```

The output of `gnutls-cli` seems a bit misleading to me: `Checking [hostname] for SSL 3.0 (RFC6101) support... no`. As far as I can tell, SSL 3.0 as described in [RFC6101](https://tools.ietf.org/html/rfc6101) _does not_ require any support for TLS extensions.

I realize that this server is using ~25 year old insecure technology, but I know that there are plenty of similar examples out there, and `gnutls-cli-debug` is very useful for figuring out how to connect to a buggy/ancient server. (I had to turn to [testssl.sh](https://github.com/drwetter/testssl.sh) instead.)

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/958

From gnutls-devel at lists.gnutls.org Mon Mar 23 03:14:46 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 23 Mar 2020 02:14:46 +0000
Subject: [gnutls-devel] GnuTLS | improve gnutls-cli-debug testing of old SSL 3.0 servers (!1221)
References:
Message-ID:

Daniel Lenski created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1221

Project:Branches: dlenski/gnutls:better_SSL3.0_tests to gnutls/gnutls:master
Author: Daniel Lenski

As far as I can tell, SSL 3.0 as described in [RFC6101](https://tools.ietf.org/html/rfc6101) *does not* require any support for TLS extensions.

This MR modifies `gnutls-cli-debug` to test servers for SSL 3.0 without extensions, and without including any newer-than-SSL 3.0 ciphersuites, before testing _with_ extensions enabled, and _with_ newer-than-SSL 3.0 ciphersuites enabled.

This prevents `gnutls-cli-debug` from incorrectly reporting a lack of SSL 3.0 support in some very old, but seemingly standards-compliant, servers. (See #958 for an example.)

# Checklist
 * [x] Commits have `Signed-off-by:` with name/author being identical to the commit author
 * [x] Code modified for feature
 * [ ] Test suite updated with functionality tests
 * [ ] Test suite updated with negative tests
 * [x] Documentation updated / NEWS entry present (for non-trivial changes)
 * [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:
 * [ ] Any issues marked for closing are addressed
 * [ ] There is a test suite reasonably covering new functionality or modifications
 * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
 * [ ] This feature/change has adequate documentation added
 * [ ] No obvious mistakes in the code

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1221

From gnutls-devel at lists.gnutls.org Mon Mar 23 03:55:17 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 23 Mar 2020 02:55:17 +0000
Subject: [gnutls-devel] GnuTLS | gnutls_cli_debug / test_ssl3 don't detect some old SSLv3 servers (#958)
In-Reply-To:
References:
Message-ID:

Daniel Lenski commented:

This particular server will actually kinda-sorta work with TLS 1.0 as well, but only with SSL

SSL 3.0 with only SSL 3.0 cipher suites, works:

```
$ src/gnutls-cli --insecure --priority "NORMAL:-VERS-ALL:+VERS-SSL3.0:%NO_EXTENSIONS:%SSL3_RECORD_VERSION"
```

TLS 1.0 with **SSL 3.0** cipher suites, both record versions work:

```
$ src/gnutls-cli --insecure --priority "NORMAL:-VERS-ALL:+VERS-TLS1.0:+3DES-CBC:%NO_EXTENSIONS:%SSL3_RECORD_VERSION"
$ src/gnutls-cli --insecure --priority "NORMAL:-VERS-ALL:+VERS-TLS1.0:+3DES-CBC:%NO_EXTENSIONS:%LATEST_RECORD_VERSION"
```

TLS 1.1 or newer enabled? Hangs up immediately.

As far as I can tell, GNUTLS_RSA_3DES_EDE_CBC_SHA1 and GNUTLS_RSA_ARCFOUR_128_MD5 are the only cipher suites it supports (not even GNUTLS_RSA_ARCFOUR_128_SHA1 is accepted).

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/958#note_309267384

From gnutls-devel at lists.gnutls.org Mon Mar 23 08:13:17 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 23 Mar 2020 07:13:17 +0000
Subject: [gnutls-devel] GnuTLS | gnutls_cli_debug / test_ssl3 don't detect some old SSLv3 servers (#958)
In-Reply-To:
References:
Message-ID:

Nikos Mavrogiannopoulos commented:

Thanks for reporting this. I didn't know that such servers still existed. The request makes sense, but to provide more background RFC6101 (final SSL3.0 draft - draft-freier-ssl-version3-01 if I remember well) servers are expected to ignore TLS extensions (fields that come after the client hello). A previous draft of SSL 3.0 was not requiring that. So this server is implementing a draft SSL3.0 version, rather than the final protocol.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/958#note_309329257

From gnutls-devel at lists.gnutls.org Mon Mar 23 13:45:05 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 23 Mar 2020 12:45:05 +0000
Subject: [gnutls-devel] GnuTLS | Two fixes for oss-fuzz build target (!1219)
In-Reply-To:
References:
Message-ID:

All discussions on Merge Request !1219 were resolved by Tim Rühsen

https://gitlab.com/gnutls/gnutls/-/merge_requests/1219

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1219

From gnutls-devel at lists.gnutls.org Mon Mar 23 13:45:05 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 23 Mar 2020 12:45:05 +0000
Subject: [gnutls-devel] GnuTLS | Two fixes for oss-fuzz build target (!1219)
In-Reply-To:
References:
Message-ID:

Tim Rühsen commented on a discussion on fuzz/Makefile.am: https://gitlab.com/gnutls/gnutls/-/merge_requests/1219#note_309649964

> for ccfile in *_fuzzer.c; do \ > fuzzer=$$(basename $$ccfile .c); \ > XLIBS="-lhogweed -lnettle -ltasn1 -lgmp -lidn2 -lunistring"; \ > - $$CXX $$CXXFLAGS -I$(top_srcdir)/lib/includes/ -I$(top_srcdir) \ > + $$CC $$CFLAGS -I$(top_srcdir)/lib/includes/ -I$(top_srcdir) \

Tested with the oss-fuzz docker image, LGTM :-)

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1219#note_309649964

From gnutls-devel at lists.gnutls.org Mon Mar 23 13:45:15 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 23 Mar 2020 12:45:15 +0000
Subject: [gnutls-devel] GnuTLS | Two fixes for oss-fuzz build target (!1219)
In-Reply-To:
References:
Message-ID:

Merge Request !1219 was approved by Tim Rühsen

Merge Request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1219
Project:Branches: GostCrypt/gnutls:fix-fuzz to gnutls/gnutls:master
Author: Dmitry Baryshkov
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1219

From gnutls-devel at lists.gnutls.org Mon Mar 23 13:45:23 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 23 Mar 2020 12:45:23 +0000 Subject: [gnutls-devel] GnuTLS | Two fixes for oss-fuzz build target (!1219) In-Reply-To: References: Message-ID: Merge Request !1219 was merged Merge Request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1219 Project:Branches: GostCrypt/gnutls:fix-fuzz to gnutls/gnutls:master Author: Dmitry Baryshkov Assignees: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1219 From gnutls-devel at lists.gnutls.org Mon Mar 23 15:09:57 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 23 Mar 2020 14:09:57 +0000 Subject: [gnutls-devel] GnuTLS | improve gnutls-cli-debug testing of old SSL 3.0 servers (!1221) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos commented: Please set your project clone's CI timeout to 2h (see Settings/CICD/General pipelines/Timeout) -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1221#note_309747658 From gnutls-devel at lists.gnutls.org Mon Mar 23 15:11:39 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 23 Mar 2020 14:11:39 +0000 Subject: [gnutls-devel] GnuTLS | Verify that Edwards public keys should use OCTET STRING encoding on pkcs11 tokens (#957) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos commented: Hi @lumag is that something that should block the next release? What should we verify against? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/957#note_309749096 From gnutls-devel at lists.gnutls.org Mon Mar 23 15:12:09 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 23 Mar 2020 14:12:09 +0000 Subject: [gnutls-devel] GnuTLS | support non-NULL-terminated PSKs (!917) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos commented: @juaristi could you confirm this is ready for merging? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/917#note_309749497 From gnutls-devel at lists.gnutls.org Mon Mar 23 16:00:59 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 23 Mar 2020 15:00:59 +0000 Subject: [gnutls-devel] GnuTLS | Verify that Edwards public keys should use OCTET STRING encoding on pkcs11 tokens (#957) In-Reply-To: References: Message-ID: Dmitry Baryshkov commented: Probably @jjelen can comment better on this. Mailing list discussion: https://lists.oasis-open.org/archives/pkcs11/202003/msg00013.html -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/957#note_309794276 From gnutls-devel at lists.gnutls.org Mon Mar 23 16:37:12 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 23 Mar 2020 15:37:12 +0000 Subject: [gnutls-devel] GnuTLS | Verify that Edwards public keys should use OCTET STRING encoding on pkcs11 tokens (#957) In-Reply-To: References: Message-ID: Jakub Jelen commented: Right. I did not get a conclusive answer on this topic as some of the participants believe it should be OCTET STRING and others that it should be BIT STRING. I am still waiting for the authoritative answer and hopefully improvement of the specs or authoritative clarification. But none of the contributors believed that the encoding should be just raw value without the tag (which is what was in gnutls in previous releases). But since nobody cared before, it is not used very much and we made our best guess at what is meant by the specs and implemented it. Given that, I don't think this should block a release, but it is indeed good to keep track of that. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/957#note_309823392 From gnutls-devel at lists.gnutls.org Mon Mar 23 16:38:55 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 23 Mar 2020 15:38:55 +0000 Subject: [gnutls-devel] GnuTLS | support non-NULL-terminated PSKs (!917) In-Reply-To: References: Message-ID: Ander Juaristi commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/917#note_309824542 Yes, this was resolved with !1090. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/917#note_309824542 From gnutls-devel at lists.gnutls.org Mon Mar 23 16:56:57 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 23 Mar 2020 15:56:57 +0000 Subject: [gnutls-devel] GnuTLS | support non-NULL-terminated PSKs (!917) In-Reply-To: References: Message-ID: Ander Juaristi commented on a discussion on tests/pskself2.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/917#note_309838321 > + close(sockets[1]); > + server(sockets[0], prio); > + wait(&status); > + check_wait_status(status); > + } else { > + close(sockets[0]); > + client(sockets[1], prio, exp_hint); > + exit(0); > + } > +} > + > +void doit(void) > +{ > + generate_dh_params(); > + > + run_test("NORMAL:-VERS-ALL:+VERS-TLS1.2:-KX-ALL:+PSK", 1);

I've repeated this set of tests with TLS 1.2 as well. The tests above, which have `exp_hint` == 1 (expect a hint to be sent from server) don't make sense with TLS 1.3 as there is no hint.

```
run_test("NORMAL:-VERS-ALL:+VERS-TLS1.2:+PSK", 0);
run_test("NORMAL:-VERS-ALL:+VERS-TLS1.2:-GROUP-ALL:+GROUP-FFDHE2048:+DHE-PSK", 0);
run_test("NORMAL:-VERS-ALL:+VERS-TLS1.2:-GROUP-ALL:+GROUP-SECP256R1:+ECDHE-PSK", 0);
run_test("NORMAL:-VERS-ALL:+VERS-TLS1.3:+PSK", 0);
run_test("NORMAL:-VERS-ALL:+VERS-TLS1.3:-GROUP-ALL:+GROUP-FFDHE2048:+DHE-PSK", 0);
run_test("NORMAL:-VERS-ALL:+VERS-TLS1.3:-GROUP-ALL:+GROUP-SECP256R1:+ECDHE-PSK", 0);
```

-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/917#note_309838321 From gnutls-devel at lists.gnutls.org Mon Mar 23 16:56:57 2020 
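Review bot: In the parent branch of the tests/pskself2.c hunk quoted above, `wait(&status);` discards its return value, so if `wait()` fails, `check_wait_status(status)` evaluates a `status` that was never written (unless it is initialized above the visible lines). Check the result of `wait()` and report a test failure when it returns -1, before passing `status` on.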
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 23 Mar 2020 15:56:57 +0000 Subject: [gnutls-devel] GnuTLS | support non-NULL-terminated PSKs (!917) In-Reply-To: References: Message-ID: All discussions on Merge Request !917 were resolved by Ander Juaristi https://gitlab.com/gnutls/gnutls/-/merge_requests/917 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/917 From gnutls-devel at lists.gnutls.org Mon Mar 23 17:10:51 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 23 Mar 2020 16:10:51 +0000 Subject: [gnutls-devel] GnuTLS | gnutls_cli_debug / test_ssl3 don't detect some old SSLv3 servers (#958) In-Reply-To: References: Message-ID: Daniel Lenski commented:

> Thanks for reporting this. I didn't know that such servers still existed.

I believe it's a Cisco VPN Concentrator 3000? I suspect that there are more than a few still in use.

> The request makes sense, but to provide more background RFC6101 (final SSL3.0 draft - draft-freier-ssl-version3-01 if I remember well) servers are expected to ignore TLS extensions (fields that come after the client hello).

Aha, I see now, thanks. Per [5.6.1.3](https://tools.ietf.org/html/rfc6101#section-5.6.1):

```
Forward compatibility note: In the interests of forward compatibility,
it is permitted for a client hello message to include extra data after
the compression methods. This data must be included in the handshake
hashes, but must otherwise be ignored.
```

> So this server is implementing a draft SSL3.0 version, rather than the final protocol.

Do you have a suggestion for how this draft SSL 3.0 version ought to be described in testing?

-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/958#note_309848127 From gnutls-devel at lists.gnutls.org Mon Mar 23 17:30:33 2020 
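The forward-compatibility rule quoted from RFC 6101 in the message above, as an added example that is not part of the thread or of GnuTLS: a bounds-checked C walk over a ClientHello body that either ignores or rejects bytes after the compression methods. The rejecting mode is an assumption about how a server built from the earlier draft behaves; all function names and the sample bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

enum hello_result { HELLO_OK = 0, HELLO_MALFORMED = -1, HELLO_TRAILING_REJECTED = -2 };

/* Bounds-checked cursor over the ClientHello body (handshake header removed). */
struct cursor { const uint8_t *p; size_t left; };

static int skip(struct cursor *c, size_t n)
{
    if (c->left < n)
        return -1;
    c->p += n;
    c->left -= n;
    return 0;
}

/* Skip a vector with a len_bytes-wide big-endian length prefix; report its size. */
static int skip_vec(struct cursor *c, size_t len_bytes, size_t *vec_len)
{
    size_t n = 0, i;

    if (c->left < len_bytes)
        return -1;
    for (i = 0; i < len_bytes; i++)
        n = (n << 8) | c->p[i];
    if (skip(c, len_bytes) < 0 || skip(c, n) < 0)
        return -1;
    *vec_len = n;
    return 0;
}

/* tolerate_extra = 1: RFC 6101 rule, bytes after compression_methods are ignored.
 * tolerate_extra = 0: assumed behaviour of a server following the earlier draft,
 *                     which treats those bytes as an error. */
int parse_client_hello(const uint8_t *body, size_t len, int tolerate_extra, size_t *extra_len)
{
    struct cursor c = { body, len };
    size_t sid, suites, comp;

    *extra_len = 0;
    if (skip(&c, 2 + 32) < 0)                        /* client_version + random */
        return HELLO_MALFORMED;
    if (skip_vec(&c, 1, &sid) < 0 || sid > 32)       /* session_id */
        return HELLO_MALFORMED;
    if (skip_vec(&c, 2, &suites) < 0 || suites < 2 || (suites & 1))
        return HELLO_MALFORMED;                      /* cipher_suites, 2 bytes each */
    if (skip_vec(&c, 1, &comp) < 0 || comp < 1)      /* compression_methods */
        return HELLO_MALFORMED;
    *extra_len = c.left;
    if (c.left > 0 && !tolerate_extra)
        return HELLO_TRAILING_REJECTED;
    return HELLO_OK;
}

/* Constructed sample: SSL 3.0 hello, one cipher suite, null compression,
 * optionally followed by a 7-byte extensions block (renegotiation_info). */
size_t build_sample_hello(uint8_t *out, int with_extra)
{
    static const uint8_t tail[] = { 0x00, 0x00, 0x02, 0x00, 0x0a, 0x01, 0x00 };
    static const uint8_t ext[] = { 0x00, 0x05, 0xff, 0x01, 0x00, 0x01, 0x00 };
    size_t n = 0;

    out[n++] = 0x03;                                 /* client_version 3.0 */
    out[n++] = 0x00;
    memset(out + n, 0x11, 32);                       /* random, fixed for the demo */
    n += 32;
    memcpy(out + n, tail, sizeof(tail));
    n += sizeof(tail);
    if (with_extra) {
        memcpy(out + n, ext, sizeof(ext));
        n += sizeof(ext);
    }
    return n;
}

/* Parse the sample, optionally cut short by truncate_by bytes. */
int demo_result(int with_extra, int tolerate_extra, size_t truncate_by)
{
    uint8_t buf[64];
    size_t extra, n = build_sample_hello(buf, with_extra);

    return parse_client_hello(buf, n - truncate_by, tolerate_extra, &extra);
}

/* Number of bytes found after compression_methods in the sample. */
size_t demo_extra_len(int with_extra)
{
    uint8_t buf[64];
    size_t extra, n = build_sample_hello(buf, with_extra);

    (void)parse_client_hello(buf, n, 1, &extra);
    return extra;
}

int main(void) { return demo_result(1, 1, 0) == HELLO_OK ? 0 : 1; }
```

The same hello that an RFC 6101 server accepts is refused in the strict mode, which is why a probe that always appends extensions cannot tell such a server from one that does not speak SSL 3.0 at all.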
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 23 Mar 2020 16:30:33 +0000 Subject: [gnutls-devel] GnuTLS | global: Load configuration after FIPS POST (!1216) In-Reply-To: References: Message-ID: Merge Request !1216 was approved by Daiki Ueno Merge Request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1216 Project:Branches: ansasaki/gnutls:postpone_config_loading to gnutls/gnutls:master Author: Anderson Sasaki Assignees: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1216 From gnutls-devel at lists.gnutls.org Mon Mar 23 17:31:03 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 23 Mar 2020 16:31:03 +0000 Subject: [gnutls-devel] GnuTLS | global: Load configuration after FIPS POST (!1216) In-Reply-To: References: Message-ID: Merge Request !1216 was merged Merge Request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1216 Project:Branches: ansasaki/gnutls:postpone_config_loading to gnutls/gnutls:master Author: Anderson Sasaki Assignees: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1216 From gnutls-devel at lists.gnutls.org Mon Mar 23 17:31:01 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 23 Mar 2020 16:31:01 +0000 Subject: [gnutls-devel] GnuTLS | FIPS self-tests fail for algorithms disabled by configuration files (#956) In-Reply-To: References: Message-ID: Issue was closed by Daiki Ueno via commit 783fa7f82ee1d7db52b27c1ed24141d861e36110 Issue #956: https://gitlab.com/gnutls/gnutls/-/issues/956 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/956 From gnutls-devel at lists.gnutls.org Mon Mar 23 17:48:36 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 23 Mar 2020 16:48:36 +0000 Subject: [gnutls-devel] GnuTLS | support non-NULL-terminated PSKs (!917) In-Reply-To: References: Message-ID: Ander Juaristi commented: @nmav Your changes look good to me. I fixed indentation, rebased and pushed yesterday. I was waiting to see if the tests passed. I have just rebased again. Hopefully all the tests will pass now. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/917#note_309874460 From gnutls-devel at lists.gnutls.org Tue Mar 24 07:46:46 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 24 Mar 2020 06:46:46 +0000 Subject: [gnutls-devel] libtasn1 | asn1_array2tree: fix memleaks in asn1_array2tree, free the unused child (!59) References: Message-ID: whzhe51 created a merge request: https://gitlab.com/gnutls/libtasn1/-/merge_requests/59 Project:Branches: whzhe51/libtasn1:host to gnutls/libtasn1:master Author: whzhe51 Add a description of the new feature/bug fix. Reference any relevant bugs. ## Checklist * [ ] Code modified for feature * [ ] Test suite updated with functionality tests * [ ] Test suite updated with negative tests * [ ] Documentation updated ## Reviewer's checklist: * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent with other code * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/-/merge_requests/59 From gnutls-devel at lists.gnutls.org Tue Mar 24 07:56:18 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 24 Mar 2020 06:56:18 +0000 Subject: [gnutls-devel] libtasn1 | memory leaks in asn1_array2tree (#26) In-Reply-To: References: Message-ID: whzhe51 commented: Sorry, I don't have a real project that triggers this. And I opened a pull request to fix this problem. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/-/issues/26#note_310153154 From gnutls-devel at lists.gnutls.org Tue Mar 24 08:14:51 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 24 Mar 2020 07:14:51 +0000 Subject: [gnutls-devel] GnuTLS | Verification of deterministic RSA-PSS signature fails (#953) In-Reply-To: References: Message-ID: Daiki Ueno commented on a discussion: https://gitlab.com/gnutls/gnutls/-/issues/953#note_310160486 Given (1) there is a more flexible way to achieve this using spki and (2) reproducible RSA-PSS signatures don't help with the original intention to avoid `getrandom` call in self-tests, I'd suggest closing this issue and possibly removing the effect of `GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE` flag in RSA-PSS case. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/953#note_310160486 From gnutls-devel at lists.gnutls.org Tue Mar 24 08:18:06 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 24 Mar 2020 07:18:06 +0000 Subject: [gnutls-devel] GnuTLS | gnutls_session_get_keylog_function: new function (!1220) In-Reply-To: References: Message-ID: Daiki Ueno commented: @rockdaboot, could you take a quick look at this? I'd like to squeeze this in the next release, so I can rebase the `tmp-quic` branch. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1220#note_310161841 From gnutls-devel at lists.gnutls.org Tue Mar 24 09:25:34 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 24 Mar 2020 08:25:34 +0000 Subject: [gnutls-devel] GnuTLS | support non-NULL-terminated PSKs (!917) In-Reply-To: References: Message-ID: Merge Request !917 was approved by Nikos Mavrogiannopoulos Merge Request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/917 Branches: ajuaristi-issue-586 to master Author: Ander Juaristi Assignee: Ander Juaristi -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/917 From gnutls-devel at lists.gnutls.org Tue Mar 24 09:26:03 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 24 Mar 2020 08:26:03 +0000 Subject: [gnutls-devel] GnuTLS | Allow non null terminated usernames for psk (#586) In-Reply-To: References: Message-ID: Issue was closed by Nikos Mavrogiannopoulos via merge request !917 (https://gitlab.com/gnutls/gnutls/-/merge_requests/917) Issue #586: https://gitlab.com/gnutls/gnutls/-/issues/586 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/586 From gnutls-devel at lists.gnutls.org Tue Mar 24 09:26:04 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 24 Mar 2020 08:26:04 +0000 Subject: [gnutls-devel] GnuTLS | support non-NULL-terminated PSKs (!917) In-Reply-To: References: Message-ID: Merge Request !917 was merged Merge Request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/917 Branches: ajuaristi-issue-586 to master Author: Ander Juaristi Assignee: Ander Juaristi -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/917 From gnutls-devel at lists.gnutls.org Tue Mar 24 09:32:09 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 24 Mar 2020 08:32:09 +0000 Subject: [gnutls-devel] GnuTLS | gnutls_cli_debug / test_ssl3 don't detect some old SSLv3 servers (#958) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos commented: The history is, rfc6101 and draft-ietf-tls-ssl-version3-00 contain this note, while draft-freier-ssl-version3-01 doesn't. What about pre-SSL3.0? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/958#note_310202913 From gnutls-devel at lists.gnutls.org Tue Mar 24 10:08:35 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 24 Mar 2020 09:08:35 +0000 Subject: [gnutls-devel] libtasn1 | asn1_array2tree: fix memleaks in asn1_array2tree, free the unused child (!59) In-Reply-To: References: Message-ID: Tim Rühsen started a new discussion on lib/structure.c: https://gitlab.com/gnutls/libtasn1/-/merge_requests/59#note_310228877 > _asn1_delete_structure (list_type *e_list, asn1_node * structure, unsigned int flags) > { > asn1_node p, p2, p3; > + int flag_t = 0; Thanks for working on it! This code currently doesn't compile. Please try not to use _t as a suffix, as this is reserved by C99. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/-/merge_requests/59#note_310228877 From gnutls-devel at lists.gnutls.org Tue Mar 24 11:24:28 2020 
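Review bot: In the lib/structure.c hunk quoted above, the new local `int flag_t = 0;` sits in a function that already takes `unsigned int flags`, and the two names are easy to mix up when reading the body. Name the variable after the condition it records and add a one-line comment saying when it is set, so its purpose is clear at the point of use.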
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 24 Mar 2020 10:24:28 +0000 Subject: [gnutls-devel] GnuTLS | gnutls-serv --echo exits when a message is received (#959) References: Message-ID: Anderson Sasaki created an issue: https://gitlab.com/gnutls/gnutls/-/issues/959

## Description of problem:

The bug was initially reported in https://bugzilla.redhat.com/show_bug.cgi?id=1816583

When ``gnutls-serv`` is executed with the ``--echo`` option, it exits when a message to be echoed is received. It outputs

```
Memory error
```

## Version of gnutls used:

gnutls-3.6.12

## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)

Fedora 32

## How reproducible:

100%

Steps to Reproduce:

* Generate server private key and certificate
* Run the server with ``--echo`` option. For example:
```
$ gnutls-serv --echo --x509certfile=cert.pem --x509keyfile=key.pem -p 4433
```
* Connect using a client and send a message to be echoed. For example, run:
```
$ gnutls-cli --insecure localhost:4433
```
Type the message to be echoed.

## Actual results:

Server closes connection and outputs:

```
Memory error
```

## Expected results:

Server sends a copy of the received message to the client without closing the connection.

-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/959 From gnutls-devel at lists.gnutls.org Tue Mar 24 11:30:23 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 24 Mar 2020 10:30:23 +0000 Subject: [gnutls-devel] GnuTLS | gnutls-serv: Do not exit when a message to be echoed is received (!1222) References: Message-ID: Anderson Sasaki created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1222 Project:Branches: ansasaki/gnutls:fix_echo_serv to gnutls/gnutls:master Author: Anderson Sasaki This fixes a bug which made ``gnutls-serv --echo`` exit when a message was received. Fixes #959 ## Checklist * [x] Commits have `Signed-off-by:` with name/author being identical to the commit author * [x] Code modified for feature * [ ] Test suite updated with functionality tests * [ ] Test suite updated with negative tests * [ ] Documentation updated / NEWS entry present (for non-trivial changes) * [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout) ## Reviewer's checklist: * [ ] Any issues marked for closing are addressed * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md` * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1222 From gnutls-devel at lists.gnutls.org Tue Mar 24 13:28:56 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 24 Mar 2020 12:28:56 +0000 Subject: [gnutls-devel] GnuTLS | gnutls-serv: Do not exit when a message to be echoed is received (!1222) In-Reply-To: References: Message-ID: Daiki Ueno started a new discussion on src/serv.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1222#note_310396186 > *response_length = strlen(*response); > return 1; > } else if (ret == 0) { > + *response = strdup(request); > if (*response == NULL) { > fprintf(stderr, "Memory error\n"); > return 0; > } > - *response = strdup(request); > *response_length = ((*response) ? strlen(*response) : 0); This could be simplified as `*response == NULL` is already checked? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1222#note_310396186 From gnutls-devel at lists.gnutls.org Tue Mar 24 13:43:41 2020 
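Review bot: With `*response = strdup(request);` moved above the `if (*response == NULL)` check, the unchanged last line of the src/serv.c hunk quoted above still guards against NULL in `((*response) ? strlen(*response) : 0)`. That branch can no longer be taken, so the line can become `*response_length = strlen(*response);`. The merge request checklist leaves both test-suite items unticked; a test that sends one message to `gnutls-serv --echo` and reads it back would keep this from regressing.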
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 24 Mar 2020 12:43:41 +0000 Subject: [gnutls-devel] GnuTLS | gnutls-serv: Do not exit when a message to be echoed is received (!1222) In-Reply-To: References: Message-ID: Anderson Sasaki commented on a discussion on src/serv.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1222#note_310407981 > *response_length = strlen(*response); > return 1; > } else if (ret == 0) { > + *response = strdup(request); > if (*response == NULL) { > fprintf(stderr, "Memory error\n"); > return 0; > } > - *response = strdup(request); > *response_length = ((*response) ? strlen(*response) : 0); Yes, you are right, it is not necessary to check it twice. I'll fix it. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1222#note_310407981 From gnutls-devel at lists.gnutls.org Tue Mar 24 14:19:05 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 24 Mar 2020 13:19:05 +0000 Subject: [gnutls-devel] GnuTLS | Valid cert fails to verify due to different DN encodings (#553) In-Reply-To: References: Message-ID: Pierre Ossman (Work account) commented: We've gotten a user request for this as well, where the case is simply differing types. > A simple but inefficient solution to address the tag issue, is for `_gnutls_x509_compare_raw_dn` comparison is to compare the textual form of the DNs (output of `gnutls_x509_rdn_get2`) for the DNs given using memcmp. As far as I can tell this is what OpenSSL does as well. However it maintains a cache of the output to speed things up. See `x509_name_canon()` in `x_name.c`. I have not dug out if they also suffer from issues accessing PKCS#11 stuff (or the system store). Any more insights gathered around this? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/553#note_310438059 From gnutls-devel at lists.gnutls.org Tue Mar 24 14:37:47 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 24 Mar 2020 13:37:47 +0000 Subject: [gnutls-devel] GnuTLS | support non-NULL-terminated PSKs (!917) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos commented: Thank you for driving this! -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/917#note_310453973 From gnutls-devel at lists.gnutls.org Tue Mar 24 14:54:19 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 24 Mar 2020 13:54:19 +0000 Subject: [gnutls-devel] GnuTLS | gnutls-serv: Do not exit when a message to be echoed is received (!1222) In-Reply-To: References: Message-ID: All discussions on Merge Request !1222 were resolved by Daiki Ueno https://gitlab.com/gnutls/gnutls/-/merge_requests/1222 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1222 From gnutls-devel at lists.gnutls.org Tue Mar 24 14:54:29 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 24 Mar 2020 13:54:29 +0000 Subject: [gnutls-devel] GnuTLS | gnutls-serv: Do not exit when a message to be echoed is received (!1222) In-Reply-To: References: Message-ID: Merge Request !1222 was approved by Daiki Ueno Merge Request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1222 Project:Branches: ansasaki/gnutls:fix_echo_serv to gnutls/gnutls:master Author: Anderson Sasaki Assignees: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1222 From gnutls-devel at lists.gnutls.org Tue Mar 24 14:54:41 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 24 Mar 2020 13:54:41 +0000 Subject: [gnutls-devel] GnuTLS | gnutls-serv: Do not exit when a message to be echoed is received (!1222) In-Reply-To: References: Message-ID: Daiki Ueno commented: Thanks! -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1222#note_310468608 From gnutls-devel at lists.gnutls.org Tue Mar 24 15:16:32 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 24 Mar 2020 14:16:32 +0000 Subject: [gnutls-devel] GnuTLS | gnutls-serv: Do not exit when a message to be echoed is received (!1222) In-Reply-To: References: Message-ID: Merge Request !1222 was merged Merge Request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1222 Project:Branches: ansasaki/gnutls:fix_echo_serv to gnutls/gnutls:master Author: Anderson Sasaki Assignees: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1222 From gnutls-devel at lists.gnutls.org Tue Mar 24 15:16:31 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 24 Mar 2020 14:16:31 +0000 Subject: [gnutls-devel] GnuTLS | gnutls-serv --echo exits when a message is received (#959) In-Reply-To: References: Message-ID: Issue was closed by Daiki Ueno via merge request !1222 (https://gitlab.com/gnutls/gnutls/-/merge_requests/1222) Issue #959: https://gitlab.com/gnutls/gnutls/-/issues/959 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/959 From gnutls-devel at lists.gnutls.org Tue Mar 24 15:50:40 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 24 Mar 2020 14:50:40 +0000 Subject: [gnutls-devel] GnuTLS | WIP: Compare DNs by comparing their string representations (!1223) References: Message-ID: Pierre Ossman (Work account) created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1223 Project:Branches: CendioOssman/gnutls:compare_dn to gnutls/gnutls:master Author: Pierre Ossman (Work account) A binary comparison will not work in case the contents are the same but the ASN.1 types differ (e.g. PrintableString vs UTF8String). Such variations are permitted so we need to handle them. An attempt at fixing #553. ## Checklist * [ ] Commits have `Signed-off-by:` with name/author being identical to the commit author * [ ] Code modified for feature * [ ] Test suite updated with functionality tests * [ ] Test suite updated with negative tests * [ ] Documentation updated / NEWS entry present (for non-trivial changes) * [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout) ## Reviewer's checklist: * [ ] Any issues marked for closing are addressed * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md` * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1223 From gnutls-devel at lists.gnutls.org Tue Mar 24 16:19:30 2020 
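Why a byte-wise comparison misses the case described in the merge request above, as an added example that is not the merge request's code: two DER encodings of the same DN differ only in the string tag (PrintableString vs UTF8String), and a tag-insensitive structural comparison matches them where `memcmp` does not. This is a different technique from the string-representation comparison the merge request proposes; it does no case or whitespace folding, compares attributes in encoded order, and treats two zero-size DNs as equal. All names and the sample bytes are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

enum { TAG_OID = 0x06, TAG_UTF8 = 0x0c, TAG_PRINTABLE = 0x13, TAG_SEQUENCE = 0x30, TAG_SET = 0x31 };

struct tlv { uint8_t tag; const uint8_t *val; size_t len; };

/* Read one DER TLV at *p and advance *p / *left past it (lengths up to 65535). */
static int read_tlv(const uint8_t **p, size_t *left, struct tlv *out)
{
    const uint8_t *q = *p;
    size_t n = *left, len, hdr = 2, i;

    if (n < 2)
        return -1;
    out->tag = q[0];
    len = q[1];
    if (len & 0x80) {                   /* long-form length */
        size_t k = len & 0x7f;
        if (k == 0 || k > 2 || n < 2 + k)
            return -1;
        for (len = 0, i = 0; i < k; i++)
            len = (len << 8) | q[2 + i];
        hdr += k;
    }
    if (n - hdr < len)
        return -1;
    out->val = q + hdr;
    out->len = len;
    *p = q + hdr + len;
    *left = n - hdr - len;
    return 0;
}

static int is_text(uint8_t tag) { return tag == TAG_UTF8 || tag == TAG_PRINTABLE; }

/* Values match when the bytes match and the tags are equal or both text types.
 * PrintableString is an ASCII subset, so its bytes are already valid UTF-8. */
static int value_equal(const struct tlv *a, const struct tlv *b)
{
    if (a->tag != b->tag && !(is_text(a->tag) && is_text(b->tag)))
        return 0;
    return a->len == b->len && memcmp(a->val, b->val, a->len) == 0;
}

/* Walk Name -> RDN SET -> AttributeTypeAndValue in lockstep; 1 means match. */
int dn_equal(const uint8_t *d1, size_t l1, const uint8_t *d2, size_t l2)
{
    struct tlv n1, n2, r1, r2, a1, a2, o1, o2, v1, v2;

    if (l1 == 0 || l2 == 0)
        return l1 == l2;                /* two zero-size DNs match each other */
    if (read_tlv(&d1, &l1, &n1) || read_tlv(&d2, &l2, &n2) || l1 || l2 ||
        n1.tag != TAG_SEQUENCE || n2.tag != TAG_SEQUENCE)
        return 0;
    while (n1.len && n2.len) {
        if (read_tlv(&n1.val, &n1.len, &r1) || read_tlv(&n2.val, &n2.len, &r2) ||
            r1.tag != TAG_SET || r2.tag != TAG_SET)
            return 0;
        while (r1.len && r2.len) {
            if (read_tlv(&r1.val, &r1.len, &a1) || read_tlv(&r2.val, &r2.len, &a2) ||
                a1.tag != TAG_SEQUENCE || a2.tag != TAG_SEQUENCE)
                return 0;
            if (read_tlv(&a1.val, &a1.len, &o1) || read_tlv(&a1.val, &a1.len, &v1) ||
                read_tlv(&a2.val, &a2.len, &o2) || read_tlv(&a2.val, &a2.len, &v2))
                return 0;
            if (a1.len || a2.len || o1.tag != TAG_OID || o2.tag != TAG_OID)
                return 0;
            if (o1.len != o2.len || memcmp(o1.val, o2.val, o1.len) != 0 ||
                !value_equal(&v1, &v2))
                return 0;
        }
        if (r1.len || r2.len)
            return 0;
    }
    return n1.len == 0 && n2.len == 0;
}

/* Constructed sample: C=SE, O=Example, both values as PrintableString. */
enum { DN_LEN = 33, O_TAG_AT = 24, O_LAST_AT = 32 };
static const uint8_t BASE_DN[DN_LEN] = {
    0x30, 0x1f, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 'S', 'E',
    0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, 0x07,
    'E', 'x', 'a', 'm', 'p', 'l', 'e',
};

/* Compare BASE_DN with a copy whose O value has tag o_tag and last byte o_last. */
int demo(uint8_t o_tag, uint8_t o_last, int binary)
{
    uint8_t b[DN_LEN];

    memcpy(b, BASE_DN, DN_LEN);
    b[O_TAG_AT] = o_tag;
    b[O_LAST_AT] = o_last;
    return binary ? memcmp(BASE_DN, b, DN_LEN) == 0 : dn_equal(BASE_DN, DN_LEN, b, DN_LEN);
}

int main(void) { return demo(TAG_UTF8, 'e', 0) == 1 && demo(TAG_UTF8, 'e', 1) == 0 ? 0 : 1; }
```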
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 24 Mar 2020 15:19:30 +0000
Subject: [gnutls-devel] GnuTLS | WIP: Compare DNs by comparing their string representations (!1223)

Tim Rühsen commented:

This pull request **introduces 2 alerts** when merging e388d6b128f04851425b5a5dbae1e6c6d22b12e5 into c78665483dd7b6a222ec071df99ee7333b1e295a - [view on LGTM.com](https://lgtm.com/projects/gl/gnutls/gnutls/rev/pr-68b8fd08dfa4322f1e7e3634d6b5832b84108f58)

**new alerts:**

* 2 for FIXME comment

---

*Comment posted by [LGTM.com](https://lgtm.com)*

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1223#note_310551726

From gnutls-devel at lists.gnutls.org Tue Mar 24 17:22:40 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 24 Mar 2020 16:22:40 +0000
Subject: [gnutls-devel] GnuTLS | TLS1.3 PSK: support PSK with SHA384 (#386)

Ander Juaristi commented:

@nmav I have already started working on this one. Do you think it should be done by milestone 3.6.13 (April 4), or can it wait a bit longer?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/386#note_310604495

From gnutls-devel at lists.gnutls.org Tue Mar 24 20:03:44 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 24 Mar 2020 19:03:44 +0000
Subject: [gnutls-devel] GnuTLS | TLS1.3 PSK: support PSK with SHA384 (#386)

Nikos Mavrogiannopoulos commented:

There are only a few days for the release, I think it makes sense to wait after that.

btw. have you seen the new proposals from TLS WG on PSK importer? https://datatracker.ietf.org/doc/draft-ietf-tls-external-psk-importer/

Do you think it would change the interface for sha384?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/386#note_310734882

From gnutls-devel at lists.gnutls.org Tue Mar 24 20:13:16 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 24 Mar 2020 19:13:16 +0000
Subject: [gnutls-devel] GnuTLS | WIP: Compare DNs by comparing their string representations (!1223)

Nikos Mavrogiannopoulos started a new discussion on lib/x509/dn.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1223#note_310739012

> _gnutls_x509_compare_raw_dn(const gnutls_datum_t * dn1, > const gnutls_datum_t * dn2) > { > + int ret; > + gnutls_datum_t str1, str2; >

Here most likely you don't catch the case where DNs are of zero size and matching. `gnutls_x509_rdn_get2()` seems to not accept a zero size DN.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1223#note_310739012

From gnutls-devel at lists.gnutls.org Tue Mar 24 20:14:04 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 24 Mar 2020 19:14:04 +0000
Subject: [gnutls-devel] GnuTLS | WIP: Compare DNs by comparing their string representations (!1223)

Nikos Mavrogiannopoulos started a new discussion on lib/pkcs11.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1223#note_310739373

> a_vals++; > } > > + // FIXME: Same problem as for priv->dn

I do not think FIXME means anything. Having a comment that documents the issue is fine.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1223#note_310739373

From gnutls-devel at lists.gnutls.org Tue Mar 24 20:15:35 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 24 Mar 2020 19:15:35 +0000
Subject: [gnutls-devel] GnuTLS | WIP: Compare DNs by comparing their string representations (!1223)

Nikos Mavrogiannopoulos started a new discussion on lib/x509/dn.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1223#note_310740001

> } > - if (memcmp(dn1->data, dn2->data, dn2->size) != 0) { > + > + ret = gnutls_x509_rdn_get2(dn2, &str2, 0); > + if (ret < 0) { > gnutls_assert(); > + _gnutls_free_datum(&str1); > return 0; > } > - return 1; /* they match */ > + > + if (str1.size != str2.size) { > + ret = 0; > + goto cleanup; > + } > + if (memcmp(str1.data, str2.data, str2.size) != 0) {

I think a few unit tests that check this comparison should be necessary.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1223#note_310740001

From gnutls-devel at lists.gnutls.org Tue Mar 24 20:19:07 2020
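Review bot: when `gnutls_x509_rdn_get2(dn2, &str2, 0)` fails, the function returns 0, which a caller cannot tell apart from a mismatch, and the removed `memcmp(dn1->data, dn2->data, dn2->size)` was the only path that matched two DNs without decoding them. Two byte-identical DNs that the decoder rejects would stop matching, so keep the raw size-and-memcmp check first and run the string comparison only when it fails. The dn2 error path also frees `str1` by hand and returns directly while the size mismatch uses `goto cleanup`; routing both through `cleanup` would leave a single exit to audit.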
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 24 Mar 2020 19:19:07 +0000
Subject: [gnutls-devel] GnuTLS | WIP: Compare DNs by comparing their string representations (!1223)

Nikos Mavrogiannopoulos started a new discussion on lib/x509/dn.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1223#note_310741486

> _gnutls_x509_compare_raw_dn(const gnutls_datum_t * dn1, > const gnutls_datum_t * dn2) > { > + int ret; > + gnutls_datum_t str1, str2; > > - if (dn1->size != dn2->size) { > + ret = gnutls_x509_rdn_get2(dn1, &str1, 0);

I wonder if there can be cases where `gnutls_x509_rdn_get2` can fail (e.g., on some incorrect DER format, or a DN format we may not support). I think we should have the raw matching in addition to this, so certificates that today pass this matching continue to do so.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1223#note_310741486

From gnutls-devel at lists.gnutls.org Wed Mar 25 07:43:54 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 25 Mar 2020 06:43:54 +0000
Subject: [gnutls-devel] libtasn1 | asn1_array2tree: fix memleaks in asn1_array2tree, free the unused child (!59)

All discussions on Merge Request !59 were resolved by whzhe51

https://gitlab.com/gnutls/libtasn1/-/merge_requests/59

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/-/merge_requests/59

From gnutls-devel at lists.gnutls.org Wed Mar 25 09:10:04 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 25 Mar 2020 08:10:04 +0000
Subject: [gnutls-devel] libtasn1 | asn1_array2tree: fix memleaks in asn1_array2tree, free the unused child (!59)

Tim Rühsen commented on a discussion on lib/structure.c: https://gitlab.com/gnutls/libtasn1/-/merge_requests/59#note_310972303

> _asn1_delete_structure (list_type *e_list, asn1_node * structure, unsigned int flags) > { > asn1_node p, p2, p3; > + int flag_t = 0;

Please push your changes with `git push --force-with-lease`. By that, the MR becomes automatically updated and the CI starts again.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/-/merge_requests/59#note_310972303

From gnutls-devel at lists.gnutls.org Wed Mar 25 12:01:07 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 25 Mar 2020 11:01:07 +0000
Subject: [gnutls-devel] GnuTLS | WIP: Compare DNs by comparing their string representations (!1223)

Pierre Ossman (Work account) commented:

I take your response as an approval of the general idea? If so, I'll have a look at fixing your comments and the merge request check list.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1223#note_311110377

From gnutls-devel at lists.gnutls.org Wed Mar 25 15:25:12 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 25 Mar 2020 14:25:12 +0000
Subject: [gnutls-devel] GnuTLS | gnutls_session_get_keylog_function: new function (!1220)

Milestone changed to Release of GnuTLS 3.6.13 (Feb 2, 2020–Apr 4, 2020) ( https://gitlab.com/gnutls/gnutls/-/milestones/27 )

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1220

From gnutls-devel at lists.gnutls.org Wed Mar 25 15:28:12 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 25 Mar 2020 14:28:12 +0000
Subject: [gnutls-devel] GnuTLS | gnutls_session_get_keylog_function: new function (!1220)

Tim Rühsen commented:

LGTM :-)

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1220#note_311286139

From gnutls-devel at lists.gnutls.org Wed Mar 25 15:29:30 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 25 Mar 2020 14:29:30 +0000
Subject: [gnutls-devel] GnuTLS | gnutls_session_get_keylog_function: new function (!1220)

Daiki Ueno commented:

Thanks for checking!

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1220#note_311287194

From gnutls-devel at lists.gnutls.org Wed Mar 25 15:29:38 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 25 Mar 2020 14:29:38 +0000
Subject: [gnutls-devel] GnuTLS | gnutls_session_get_keylog_function: new function (!1220)

Merge Request !1220 was merged

Merge Request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1220
Branches: tmp-get-keylog-func to master
Author: Daiki Ueno
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1220

From gnutls-devel at lists.gnutls.org Thu Mar 26 03:03:05 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 26 Mar 2020 02:03:05 +0000
Subject: [gnutls-devel] libtasn1 | asn1_array2tree: fix memleaks in asn1_array2tree, free the unused child (!60)

whzhe51 created a merge request: https://gitlab.com/gnutls/libtasn1/-/merge_requests/60

Project:Branches: whzhe51/libtasn1:test1 to gnutls/libtasn1:master
Author: whzhe51

Add a description of the new feature/bug fix. Reference any relevant bugs.

## Checklist

 * [ ] Code modified for feature
 * [ ] Test suite updated with functionality tests
 * [ ] Test suite updated with negative tests
 * [ ] Documentation updated

## Reviewer's checklist:

 * [ ] There is a test suite reasonably covering new functionality or modifications
 * [ ] Function naming, parameters, return values, types, etc., are consistent with other code
 * [ ] This feature/change has adequate documentation added
 * [ ] No obvious mistakes in the code

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/-/merge_requests/60

From gnutls-devel at lists.gnutls.org Thu Mar 26 09:43:24 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 26 Mar 2020 08:43:24 +0000
Subject: [gnutls-devel] libtasn1 | asn1_array2tree: fix memleaks in asn1_array2tree, free the unused child (!59)

whzhe51 commented on a discussion on lib/structure.c: https://gitlab.com/gnutls/libtasn1/-/merge_requests/59#note_311760729

> _asn1_delete_structure (list_type *e_list, asn1_node * structure, unsigned int flags) > { > asn1_node p, p2, p3; > + int flag_t = 0;

OK! But there still were some failures in the new commit.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/-/merge_requests/59#note_311760729

From gnutls-devel at lists.gnutls.org Thu Mar 26 10:55:05 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 26 Mar 2020 09:55:05 +0000
Subject: [gnutls-devel] GnuTLS | TLS1.3 PSK: support PSK with SHA384 (#386)

Ander Juaristi commented:

It would probably require some changes, yes. I'll have a look. Thanks.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/386#note_311816872

From gnutls-devel at lists.gnutls.org Thu Mar 26 12:15:40 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 26 Mar 2020 11:15:40 +0000
Subject: [gnutls-devel] GnuTLS | WIP: Compare DNs by comparing their string representations (!1223)

Pierre Ossman (Work account) commented on a discussion on lib/pkcs11.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1223#note_311882418

> a_vals++; > } > > + // FIXME: Same problem as for priv->dn

My goal was to make it stand out a bit more as a known bug. But I'm fine with removing the prefix.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1223#note_311882418

From gnutls-devel at lists.gnutls.org Thu Mar 26 12:20:24 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 26 Mar 2020 11:20:24 +0000
Subject: [gnutls-devel] GnuTLS | WIP: Compare DNs by comparing their string representations (!1223)

Pierre Ossman (Work account) commented on a discussion on lib/x509/dn.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1223#note_311885518

> } > - if (memcmp(dn1->data, dn2->data, dn2->size) != 0) { > + > + ret = gnutls_x509_rdn_get2(dn2, &str2, 0); > + if (ret < 0) { > gnutls_assert(); > + _gnutls_free_datum(&str1); > return 0; > } > - return 1; /* they match */ > + > + if (str1.size != str2.size) { > + ret = 0; > + goto cleanup; > + } > + if (memcmp(str1.data, str2.data, str2.size) != 0) {

I've added a unit test for the case discussed. Is that sufficient?

I used #809 for getting some test certificates. Unfortunately those instructions generate a slightly broken certificate that triggers an assert. The test still passes though. Is that okay? I'm not sure how to generate better certificates right now.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1223#note_311885518

From gnutls-devel at lists.gnutls.org Thu Mar 26 14:39:10 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 26 Mar 2020 13:39:10 +0000
Subject: [gnutls-devel] GnuTLS | WIP: Compare DNs by comparing their string representations (!1223)

Nikos Mavrogiannopoulos commented:

> I take your response as an approval of the general idea?

Let's say I do not have a better idea and this is an issue we see relatively often (reports once per few years)

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1223#note_311984464

From gnutls-devel at lists.gnutls.org Thu Mar 26 14:42:09 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 26 Mar 2020 13:42:09 +0000
Subject: [gnutls-devel] GnuTLS | WIP: Compare DNs by comparing their string representations (!1223)

Nikos Mavrogiannopoulos started a new discussion on lib/x509/dn.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1223#note_311986671

> _gnutls_x509_compare_raw_dn(const gnutls_datum_t * dn1, > const gnutls_datum_t * dn2) > { > + int ret; > + gnutls_datum_t str1, str2; > +

Something else that comes to mind. It may be a good idea to document what parts of DN comparison we are implementing here. To my understanding we are not using the full RFC5280 comparison, but instead we compare whether there is a raw match, or there is a match on the textual contents irrespective of tags. Correct?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1223#note_311986671

From gnutls-devel at lists.gnutls.org Thu Mar 26 14:58:25 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 26 Mar 2020 13:58:25 +0000
Subject: [gnutls-devel] GnuTLS | RELEASES.md: describe the release process [ci skip] (!1202)

Nikos Mavrogiannopoulos commented:

I missed that. The `m4/hooks.m4` update is mentioned in step 2 (maybe added later?). The VERSION`.abi` files should not be updated during the release. If there are missing steps I notice during the next release I'll update that file.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1202#note_312002832

From gnutls-devel at lists.gnutls.org Thu Mar 26 15:13:39 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 26 Mar 2020 14:13:39 +0000
Subject: [gnutls-devel] GnuTLS | WIP: Compare DNs by comparing their string representations (!1223)

Pierre Ossman (Work account) commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/1223#note_312015550

I don't know. I don't know how often such comparisons are made in normal scenarios. You'd be the expert here. I can probably synthesize a test to compare `_gnutls_x509_compare_raw_dn()` before and after, but that doesn't necessarily translate to real world numbers.

As for a cache, where would we store it? We just get a `gnutls_datum_t` and not something high level.

So wait and see if anyone complains?

I could also reverse the logic. I.e. do a binary comparison first (most cases), and do the slow comparison as a fallback.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1223#note_312015550

From gnutls-devel at lists.gnutls.org Thu Mar 26 15:15:08 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 26 Mar 2020 14:15:08 +0000
Subject: [gnutls-devel] GnuTLS | WIP: Compare DNs by comparing their string representations (!1223)

Pierre Ossman (Work account) commented on a discussion on lib/x509/dn.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1223#note_312016833

> _gnutls_x509_compare_raw_dn(const gnutls_datum_t * dn1, > const gnutls_datum_t * dn2) > { > + int ret; > + gnutls_datum_t str1, str2; > +

I have no idea TBH. I haven't read RFC 5280 in such detail, and I have not studied what `gnutls_x509_rdn_get2()` does either.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1223#note_312016833

From gnutls-devel at lists.gnutls.org Fri Mar 27 08:27:40 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 27 Mar 2020 07:27:40 +0000
Subject: [gnutls-devel] GnuTLS | improve gnutls-cli-debug testing of old SSL 3.0 servers (!1221)

Merge Request !1221 was approved by Nikos Mavrogiannopoulos

Merge Request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1221
Project:Branches: dlenski/gnutls:better_SSL3.0_tests to gnutls/gnutls:master
Author: Daniel Lenski
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1221

From gnutls-devel at lists.gnutls.org Fri Mar 27 08:27:51 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 27 Mar 2020 07:27:51 +0000
Subject: [gnutls-devel] GnuTLS | improve gnutls-cli-debug testing of old SSL 3.0 servers (!1221)

Milestone changed to Release of GnuTLS 3.6.13 (Feb 2, 2020–Apr 4, 2020) ( https://gitlab.com/gnutls/gnutls/-/milestones/27 )

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1221

From gnutls-devel at lists.gnutls.org Fri Mar 27 08:28:14 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 27 Mar 2020 07:28:14 +0000
Subject: [gnutls-devel] GnuTLS | improve gnutls-cli-debug testing of old SSL 3.0 servers (!1221)

Nikos Mavrogiannopoulos commented:

LGTM, do you plan any further update or is it ready?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1221#note_312494658

From gnutls-devel at lists.gnutls.org Fri Mar 27 08:33:20 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 27 Mar 2020 07:33:20 +0000
Subject: [gnutls-devel] GnuTLS | WIP: Compare DNs by comparing their string representations (!1223)

Nikos Mavrogiannopoulos commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/1223#note_312497425

I was thinking about it and I think this would improve performance in the hash table lookup of CA certificates, but would have no effect on the chain verification itself. Maybe a benchmark on `x509cert-tl.c` when performed multiple times before and after the changes would give us a good estimate on the performance cost and give us a hint on whether we need to optimize further.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1223#note_312497425

From gnutls-devel at lists.gnutls.org Fri Mar 27 09:07:13 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 27 Mar 2020 08:07:13 +0000
Subject: [gnutls-devel] GnuTLS | WIP: Compare DNs by comparing their string representations (!1223)

Pierre Ossman (Work account) commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/1223#note_312516311

Alright, so some testing by changing the test to loop 10000 times and running it through `perf`:

a) Old code:

 * 3.9 seconds runtime
 * 0.06% spent in `_gnutls_x509_compare_raw_dn()`

b) Current suggestion:

 * 5.1 seconds runtime (30% worse)
 * 22% spent in `_gnutls_x509_compare_raw_dn()`

c) Doing binary comparison before string comparison:

 * 4.2 seconds runtime (8% worse)
 * 7.4% spent in `_gnutls_x509_compare_raw_dn()`

So is c) good enough?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1223#note_312516311

From gnutls-devel at lists.gnutls.org Fri Mar 27 09:17:25 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 27 Mar 2020 08:17:25 +0000
Subject: [gnutls-devel] GnuTLS | WIP: Compare DNs by comparing their string representations (!1223)

Nikos Mavrogiannopoulos commented on a discussion on lib/x509/dn.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1223#note_312523457

> _gnutls_x509_compare_raw_dn(const gnutls_datum_t * dn1, > const gnutls_datum_t * dn2) > { > + int ret; > + gnutls_datum_t str1, str2; > +

Something like:

```
RFC5280 (https://tools.ietf.org/html/rfc5280#section-7.1) requires that the LDAP StringPrep profile and caseIgnoreMatch must be used for this comparison. We do not use that but instead we do a simpler comparison that ignores the tags used such as `UTF8String` and `PrintableString`.
```

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1223#note_312523457

From gnutls-devel at lists.gnutls.org Fri Mar 27 09:18:37 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 27 Mar 2020 08:18:37 +0000
Subject: [gnutls-devel] GnuTLS | WIP: Compare DNs by comparing their string representations (!1223)

Nikos Mavrogiannopoulos started a new discussion on tests/x509cert-dntypes.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1223#note_312524055

> + > +#ifdef HAVE_CONFIG_H > +#include > +#endif > + > +#include > +#include > +#include > +#include > +#include > +#include > +#include > + > +#include "utils.h" > + > +/* gnutls_trust_list_*().

Is that intentional?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1223#note_312524055

From gnutls-devel at lists.gnutls.org Fri Mar 27 09:19:43 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 27 Mar 2020 08:19:43 +0000
Subject: [gnutls-devel] GnuTLS | WIP: Compare DNs by comparing their string representations (!1223)

Nikos Mavrogiannopoulos commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/1223#note_312524661

Thanks for this, I also think that (c) is good enough.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1223#note_312524661

From gnutls-devel at lists.gnutls.org Fri Mar 27 09:20:36 2020
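The outcome the !1223 discussion above settles on (option c: binary comparison first, tag-insensitive comparison only as a fallback), as an added example that is not part of the thread and is not GnuTLS code. It walks the DER directly instead of calling `gnutls_x509_rdn_get2()`; `dn_equal`, `dn_equal_raw`, `cmp_tlvs`, `read_tlv` and the sample DNs are hypothetical names and data constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample DNs: CN=Test CA as PrintableString (tag 0x13) and as
 * UTF8String (tag 0x0c), CN=Test CB as UTF8String, and a truncated encoding. */
static const unsigned char dn_printable[] = {
    0x30, 0x12, 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x03,
    0x13, 0x07, 'T', 'e', 's', 't', ' ', 'C', 'A' };
static const unsigned char dn_utf8[] = {
    0x30, 0x12, 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x03,
    0x0c, 0x07, 'T', 'e', 's', 't', ' ', 'C', 'A' };
static const unsigned char dn_other[] = {
    0x30, 0x12, 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x03,
    0x0c, 0x07, 'T', 'e', 's', 't', ' ', 'C', 'B' };
static const unsigned char dn_truncated[] = { 0x30, 0x12, 0x31, 0x10, 0x30 };

struct tlv { unsigned char tag; const unsigned char *val; size_t len; };

/* Read one definite-length DER TLV from [*p, end); 0 on success, -1 if short. */
static int read_tlv(const unsigned char **p, const unsigned char *end,
                    struct tlv *out)
{
    const unsigned char *q = *p;
    size_t len, n;
    if (end - q < 2)
        return -1;
    out->tag = *q++;
    len = *q++;
    if (len & 0x80) {           /* long form: low bits count length bytes */
        n = len & 0x7f;
        if (n == 0 || n > sizeof(size_t) || (size_t)(end - q) < n)
            return -1;
        for (len = 0; n > 0; n--)
            len = (len << 8) | *q++;
    }
    if ((size_t)(end - q) < len)
        return -1;
    out->val = q;
    out->len = len;
    *p = q + len;
    return 0;
}

/* PrintableString bytes are ASCII, hence valid UTF-8; other types stay strict. */
static int is_string_tag(unsigned char t) { return t == 0x0c || t == 0x13; }

/* Walk two TLV runs in lock step: 1 = match, 0 = mismatch, -1 = bad DER. */
static int cmp_tlvs(const unsigned char *a, const unsigned char *ae,
                    const unsigned char *b, const unsigned char *be, int depth)
{
    struct tlv ta, tb;
    int r;
    while (a < ae && b < be) {
        if (read_tlv(&a, ae, &ta) < 0 || read_tlv(&b, be, &tb) < 0)
            return -1;
        if (ta.tag != tb.tag &&
            !(is_string_tag(ta.tag) && is_string_tag(tb.tag)))
            return 0;
        if (ta.tag & 0x20) {    /* constructed: SEQUENCE or SET, recurse */
            if (depth >= 8)
                return -1;
            r = cmp_tlvs(ta.val, ta.val + ta.len,
                         tb.val, tb.val + tb.len, depth + 1);
            if (r != 1)
                return r;
        } else if (ta.len != tb.len || memcmp(ta.val, tb.val, ta.len) != 0) {
            return 0;
        }
    }
    return a == ae && b == be;
}

/* The old check visible in the quoted hunk: same size, same bytes. */
int dn_equal_raw(const unsigned char *d1, size_t n1,
                 const unsigned char *d2, size_t n2)
{
    return n1 == n2 && (n1 == 0 || memcmp(d1, d2, n1) == 0);
}

/* Option (c): byte-identical DNs (zero-size or undecodable ones included)
 * match without parsing; the tag-insensitive walk runs only as a fallback. */
int dn_equal(const unsigned char *d1, size_t n1,
             const unsigned char *d2, size_t n2)
{
    if (dn_equal_raw(d1, n1, d2, n2))
        return 1;
    if (n1 == 0 || n2 == 0)
        return 0;
    return cmp_tlvs(d1, d1 + n1, d2, d2 + n2, 0) == 1;
}

int main(void)
{
    printf("raw Printable/UTF8: %d, (c) Printable/UTF8: %d\n",
           dn_equal_raw(dn_printable, sizeof dn_printable, dn_utf8, sizeof dn_utf8),
           dn_equal(dn_printable, sizeof dn_printable, dn_utf8, sizeof dn_utf8));
    return 0;
}
```

Like the comparison described in the thread, this is not the RFC 5280 StringPrep and caseIgnoreMatch procedure: case and whitespace differences still count as a mismatch.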
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 27 Mar 2020 08:20:36 +0000
Subject: [gnutls-devel] GnuTLS | WIP: Compare DNs by comparing their string representations (!1223)

Nikos Mavrogiannopoulos commented on a discussion on lib/x509/dn.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1223#note_312525144

> } > - if (memcmp(dn1->data, dn2->data, dn2->size) != 0) { > + > + ret = gnutls_x509_rdn_get2(dn2, &str2, 0); > + if (ret < 0) { > gnutls_assert(); > + _gnutls_free_datum(&str1); > return 0; > } > - return 1; /* they match */ > + > + if (str1.size != str2.size) { > + ret = 0; > + goto cleanup; > + } > + if (memcmp(str1.data, str2.data, str2.size) != 0) {

LGTM

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1223#note_312525144

From gnutls-devel at lists.gnutls.org Fri Mar 27 09:30:52 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 27 Mar 2020 08:30:52 +0000
Subject: [gnutls-devel] GnuTLS | improve gnutls-cli-debug testing of old SSL 3.0 servers (!1221)

Daniel Lenski commented:

Unless there's something you want me to add, I'd consider this complete.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1221#note_312532556

From gnutls-devel at lists.gnutls.org Fri Mar 27 09:37:41 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 27 Mar 2020 08:37:41 +0000
Subject: [gnutls-devel] GnuTLS | WIP: Compare DNs by comparing their string representations (!1223)

Pierre Ossman (Work account) commented on a discussion on tests/x509cert-dntypes.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1223#note_312536386

> + > +#ifdef HAVE_CONFIG_H > +#include > +#endif > + > +#include > +#include > +#include > +#include > +#include > +#include > +#include > + > +#include "utils.h" > + > +/* gnutls_trust_list_*().

Nope. Just remnants from the test I used as the base. :)

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1223#note_312536386

From gnutls-devel at lists.gnutls.org Fri Mar 27 09:40:53 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 27 Mar 2020 08:40:53 +0000
Subject: [gnutls-devel] GnuTLS | Compare DNs by comparing their string representations (!1223)

Pierre Ossman (Work account) commented:

New version pushed. That should be it hopefully.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1223#note_312538203

From gnutls-devel at lists.gnutls.org Fri Mar 27 09:54:27 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 27 Mar 2020 08:54:27 +0000
Subject: [gnutls-devel] GnuTLS | improve gnutls-cli-debug testing of old SSL 3.0 servers (!1221)
In-Reply-To:
References:
Message-ID:

Merge Request !1221 was merged

Merge Request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1221
Project:Branches: dlenski/gnutls:better_SSL3.0_tests to gnutls/gnutls:master
Author: Daniel Lenski
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1221

From gnutls-devel at lists.gnutls.org Fri Mar 27 09:54:41 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 27 Mar 2020 08:54:41 +0000
Subject: [gnutls-devel] GnuTLS | gnutls_cli_debug / test_ssl3 don't detect some old SSLv3 servers (#958)
In-Reply-To:
References:
Message-ID:

Issue was closed by Nikos Mavrogiannopoulos

Issue #958: https://gitlab.com/gnutls/gnutls/-/issues/958

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/958

From gnutls-devel at lists.gnutls.org Fri Mar 27 09:57:50 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 27 Mar 2020 08:57:50 +0000
Subject: [gnutls-devel] GnuTLS | gnutls_session_ext_register: keep track of extension name (!1224)
References:
Message-ID:

Daiki Ueno created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1224

Branches: tmp-ext-name to master
Author: Daiki Ueno

Previously it discarded the name argument, and that was making the debug output awkward, e.g., running `tests/tls-session-ext-register -v`:

```
client|<4>| EXT[0x9cdc20]: Preparing extension ((null)/242) for 'client hello'
client|<4>| EXT[0x9cdc20]: Preparing extension ((null)/241) for 'client hello'
client|<4>| EXT[0x9cdc20]: Sending extension (null)/241 (2 bytes)
```

## Checklist

* [x] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [ ] Code modified for feature
* [ ] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
* [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:

* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1224

From gnutls-devel at lists.gnutls.org Fri Mar 27 13:36:16 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 27 Mar 2020 12:36:16 +0000
Subject: [gnutls-devel] GnuTLS | MAGMA/KUZNYECHIK CTR-ACPKM and CMAC support (!1161)
In-Reply-To:
References:
Message-ID:

Nikos Mavrogiannopoulos commented:

Hi @lumag I want to, but I see the additional nettle code pulled and hoped we are going to resolve the 3.7 situation before we get it in. I would really like to have a solution for the growth of the bundled nettle code before we bring more inside. Should we discuss options here?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1161#note_312751769

From gnutls-devel at lists.gnutls.org Fri Mar 27 14:13:57 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 27 Mar 2020 13:13:57 +0000
Subject: [gnutls-devel] GnuTLS | MAGMA/KUZNYECHIK CTR-ACPKM and CMAC support (!1161)
In-Reply-To:
References:
Message-ID:

Dmitry Baryshkov commented:

@nmav unfortunately this code is not present in Nettle yet (not even sent). Niels seems to be lagging on patch review again.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1161#note_312775565

From gnutls-devel at lists.gnutls.org Fri Mar 27 16:05:45 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 27 Mar 2020 15:05:45 +0000
Subject: [gnutls-devel] GnuTLS | DTLS 1.2 Hello Verify Request from coaps Server ignored by libcoap client with GnuTLS (#960)
References:
Message-ID:

Pieter Hameete created an issue: https://gitlab.com/gnutls/gnutls/-/issues/960

## Description of problem:

When using libcoap example client built with GnuTLS against a Californium + Scandium COAP Server the DTLS handshake can not be completed. We are using one-way authentication with x509 certificates (issued by Let's Encrypt via DNS01 ACME).

Investigation of the Wireshark logs [showed several issues](https://github.com/eclipse/californium/issues/1260#issuecomment-604958705) on the client side (backed by GnuTLS):

* the first CLIENT_HELLO uses a Random of 32 \0 bytes, Cookie field MUST be empty.
* CLIENT_HELLO should be retransmitted using same parameters + the cookie in HELLO_VERIFY, in the capture Random changes all the time. (see https://tools.ietf.org/html/rfc6347#section-4.2.1)

Note that the libcoap example client with openssl as DTLS library can complete the handshake, as do the Californium Java client, and the go-coap client.

## Version of gnutls used:

GnuTLS: 3.6.9
libcoap: 4.2.1

## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)

Ubuntu

## How reproducible:

Build libcoap with GnuTLS following the instructions here: https://libcoap.net/install.html

Run: `./examples/coap-client -m get -v 9 "coaps://coap.blockbax.com"`

Alternatively, inspect my Wireshark pcaps:

* [Example failure libcoap-oneway-x509-gnutls.pcap](/uploads/d22f5aac77278a2e1e5adf26bef00b2a/libcoap-oneway-x509-gnutls.pcap)
* [Example success libcoap-oneway-x509-openssl-working.pcap](/uploads/6cb1711722be37b90109ab1368301e41/libcoap-oneway-x509-openssl-working.pcap)

## Actual results:

libcoap example client with GnuTLS as DTLS library ignores Hello Verify Requests from Server and keeps retrying.

## Expected results:

libcoap example client with GnuTLS as DTLS library completes DTLS handshake successfully similar to other clients.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/960

From gnutls-devel at lists.gnutls.org Fri Mar 27 16:49:38 2020
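The two client-side faults listed in issue #960 above (an all-zero Random in the first ClientHello, and a retransmitted ClientHello whose Random differs from the first) can be checked mechanically on captured records. The following C code is an added example, not GnuTLS or libcoap code; the function names, the finding flags and the constructed sample records are assumptions made for illustration, and only unfragmented ClientHello records are handled.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* One bit per client-side fault named in the issue report. */
enum {
    CH_ZERO_RANDOM      = 1 << 0, /* a Random of 32 zero bytes */
    CH_FIRST_HAS_COOKIE = 1 << 1, /* first ClientHello cookie not empty */
    CH_RANDOM_CHANGED   = 1 << 2, /* retransmission has a different Random */
    CH_COOKIE_MISMATCH  = 1 << 3, /* retransmission lacks the server cookie */
    CH_PARSE_ERROR      = 1 << 7
};

struct client_hello { uint8_t random[32], cookie[255], cookie_len; };

/* Parse one DTLS record carrying an unfragmented ClientHello: 13-byte record
 * header, 12-byte handshake header, then client_version(2), random(32),
 * session_id<0..32>, cookie<0..255>. Returns 0, or -1 if malformed. */
int parse_client_hello(const uint8_t *p, size_t len, struct client_hello *out)
{
    size_t end, off = 13 + 12;
    if (len < 13)
        return -1;
    end = 13 + (((size_t)p[11] << 8) | p[12]);   /* record length field */
    if (end > len || end < off + 2 + 32 + 1)
        return -1;
    if (p[0] != 22 || p[13] != 1)                /* handshake, client_hello */
        return -1;
    off += 2;                                    /* client_version */
    memcpy(out->random, p + off, 32);
    off += 32;
    off += 1 + (size_t)p[off];                   /* skip session_id */
    if (off >= end)
        return -1;
    out->cookie_len = p[off++];
    if (off + out->cookie_len > end)
        return -1;
    memcpy(out->cookie, p + off, out->cookie_len);
    return 0;
}

/* Compare the first ClientHello with the one sent after HelloVerifyRequest;
 * hvr_cookie is the cookie the server sent. Returns a mask of CH_* flags. */
int check_hello_pair(const uint8_t *first, size_t first_len,
                     const uint8_t *retry, size_t retry_len,
                     const uint8_t *hvr_cookie, uint8_t hvr_cookie_len)
{
    static const uint8_t zero[32] = {0};
    struct client_hello a, b;
    int findings = 0;
    if (parse_client_hello(first, first_len, &a) < 0 ||
        parse_client_hello(retry, retry_len, &b) < 0)
        return CH_PARSE_ERROR;
    if (!memcmp(a.random, zero, 32) || !memcmp(b.random, zero, 32))
        findings |= CH_ZERO_RANDOM;
    if (a.cookie_len != 0)
        findings |= CH_FIRST_HAS_COOKIE;
    if (memcmp(a.random, b.random, 32) != 0)
        findings |= CH_RANDOM_CHANGED;
    if (b.cookie_len != hvr_cookie_len ||
        (hvr_cookie_len && memcmp(b.cookie, hvr_cookie, hvr_cookie_len)))
        findings |= CH_COOKIE_MISMATCH;
    return findings;
}

/* Build a minimal ClientHello record (constructed sample input, not a
 * capture). buf must hold 67 + cookie_len bytes. Returns the record size. */
size_t build_client_hello(uint8_t *buf, const uint8_t random[32],
                          const uint8_t *cookie, uint8_t cookie_len)
{
    size_t body = 42 + (size_t)cookie_len, n = 25;
    memset(buf, 0, 25 + body);
    buf[0] = 22; buf[1] = 0xfe; buf[2] = 0xfd;     /* handshake, DTLS 1.2 */
    buf[11] = (uint8_t)((12 + body) >> 8); buf[12] = (uint8_t)(12 + body);
    buf[13] = 1;                                   /* client_hello */
    buf[15] = buf[23] = (uint8_t)(body >> 8);      /* length, fragment_length */
    buf[16] = buf[24] = (uint8_t)body;
    buf[n++] = 0xfe; buf[n++] = 0xfd;              /* client_version */
    memcpy(buf + n, random, 32); n += 32;
    buf[n++] = 0;                                  /* empty session_id */
    buf[n++] = cookie_len;
    if (cookie_len)
        memcpy(buf + n, cookie, cookie_len);
    n += cookie_len;
    buf[n++] = 0; buf[n++] = 2; buf[n++] = 0xc0; buf[n++] = 0x2b; /* 1 suite */
    buf[n++] = 1; buf[n++] = 0;                    /* null compression */
    return n;
}

int main(void)
{
    uint8_t zero[32] = {0}, fresh[32], cookie[16], a[400], b[400];
    size_t la, lb;
    memset(fresh, 0xb2, sizeof(fresh));
    memset(cookie, 0x5c, sizeof(cookie));
    la = build_client_hello(a, zero, NULL, 0);      /* faulty first flight */
    lb = build_client_hello(b, fresh, cookie, 16);  /* retry with new Random */
    printf("findings: 0x%02x\n", check_hello_pair(a, la, b, lb, cookie, 16));
    return 0;
}
```

A return value of 0 from `check_hello_pair` means the pair follows the rule in RFC 6347 section 4.2.1 that the issue cites; in a real capture the cookie argument would be taken from the server's HelloVerifyRequest.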
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 27 Mar 2020 15:49:38 +0000
Subject: [gnutls-devel] GnuTLS | multiple remote PKCS#11 modules not working (#961)
References:
Message-ID:

Marc Kleine-Budde created an issue: https://gitlab.com/gnutls/gnutls/-/issues/961

Hello,

I have two almost identical smartcards (just the serial numbers are different), each one attached via a USB-based smart card reader, on the hosts `certos` and `certos2`. To access them I have these config files in my home:

```
? (pts/58) mkl at dude02:~ (master) ? cat ~/.config/pkcs11/modules/certos.module
remote: |ssh certos.hi.pengutronix.de p11-kit remote /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
#log-calls: yes
? (pts/58) mkl at dude02:~ (master) ? cat ~/.config/pkcs11/modules/certos2.module
remote: |ssh certos2.hi.pengutronix.de p11-kit remote /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
#log-calls: yes
```

When I access them via `p11-kit-proxy.so` both are properly detected:

```
? (pts/58) mkl at dude02:~ (master) ? pkcs11-tool --module /usr/lib/x86_64-linux-gnu/p11-kit-proxy.so -L
Available slots:
Slot 0 (0x10): SCM Microsystems Inc. SPR 532 [Vendor Interface] (60206024) 0...
  token label : CycurCard (User PIN)
  token manufacturer : xxx
  token model : PKCS#15
  token flags : login required, token initialized, PIN initialized
  hardware version : 0.0
  firmware version : 0.0
  serial num : 244f8b131a1e
  pin min/max : 6/8
Slot 1 (0x11): Gemalto Gemplus USB SmartCard Reader 433-Swap [CCID Interface...
  (empty)
Slot 2 (0x12): Gemalto Gemplus USB SmartCard Reader 433-Swap [CCID Interface...
  (empty)
Slot 3 (0x13): Gemalto USB GemPCPinpad SmartCard Reader 01 00
  token label : CycurCard (User PIN)
  token manufacturer : xxx
  token model : PKCS#15
  token flags : login required, token initialized, PIN initialized
  hardware version : 0.0
  firmware version : 0.0
  serial num : 24c8c609160f
  pin min/max : 4/8
```

However when using `p11tool`, not.

```
? (pts/58) mkl at dude02:~ (master) ? p11tool --list-token-urls
pkcs11:model=p11-kit-trust;manufacturer=PKCS%2311%20Kit;serial=1;token=System%20Trust
pkcs11:model=PKCS%2315;manufacturer=xxx;serial=244f8b131a1e;token=CycurCard%20%20%20%28User%20PIN%29%00%00%00%00%00%00%00%00%00%00
```

I found out that `lib/pkcs11.c` refuses to load two modules with the same info :(

```
	/* initially check if this module is a duplicate */
	for (i = 0; i < active_providers; i++) {
		/* already loaded, skip the rest */
		if (module == providers[i].module ||
		    memcmp(&info, &providers[i].info, sizeof(info)) == 0) {
			_gnutls_debug_log("p11: module %s is already loaded.\n", name);
			return GNUTLS_E_INT_RET_0;
		}
	}
```

In my use case the `module` pointers are not the same, but the info is:

```
$14 = {cryptoki_version = {major = 2 '\002', minor = 20 '\024'}, manufacturer_id = "OpenSC Project", ' ' , flags = 0, library_description = "OpenSC smartcard framework ", library_version = {major = 0 '\000', minor = 20 '\024'}}
```

as both hosts use the same version of p11-kit.

The `memcmp()` on the `info` was added in 12f4abc02e718e2ab0f7ae80b3026a29028536e7 by @nmav, any idea how to work around this check?

regards,
Marc

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/961

From gnutls-devel at lists.gnutls.org Fri Mar 27 17:14:37 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 27 Mar 2020 16:14:37 +0000
Subject: [gnutls-devel] GnuTLS | DTLS 1.2 Hello Verify Request from coaps Server ignored by libcoap client with GnuTLS (#960)
In-Reply-To:
References:
Message-ID:

Stefan Bühler commented:

Wtf. I "just" (13:25 UTC :) ) noticed the zeroed random when watching openconnect, and thought about opening a private issue - seems security relevant.

Attached patch should fix the zero random, and also prevent creating a new random on retry.

[0001-dtls-client-hello-fix-zeroed-random.patch](/uploads/0eb6f33a4592089b75b7f91a7800d359/0001-dtls-client-hello-fix-zeroed-random.patch)

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/960#note_312917741

From gnutls-devel at lists.gnutls.org Fri Mar 27 17:28:55 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 27 Mar 2020 16:28:55 +0000
Subject: [gnutls-devel] GnuTLS | dtls client hello: fix zeroed random (fixes #960) (!1225)
References:
Message-ID:

Stefan Bühler created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1225

Project:Branches: stbuehler/gnutls:fix-dlts-client-zero-random to gnutls/gnutls:master
Author: Stefan Bühler

dtls client hello: fix zeroed random (fixes #960). Relates to #299.

## Checklist

* [x] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [ ] Code modified for feature
* [ ] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
* [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:

* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1225

From gnutls-devel at lists.gnutls.org Fri Mar 27 20:22:11 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 27 Mar 2020 19:22:11 +0000
Subject: [gnutls-devel] GnuTLS | DTLS 1.2 Hello Verify Request from coaps Server ignored by libcoap client with GnuTLS (#960)
In-Reply-To:
References:
Message-ID:

Pieter Hameete commented:

Hi @stbuehler. What a coincidence. Thank you for the patch! It seems this is a regression bug. Libcoap contributor mrdeep1 confirmed that this issue was not present in GnuTLS 3.5.19: see https://github.com/obgm/libcoap/issues/477#issuecomment-605211046

I can try to build libcoap with the patched GnuTLS on Monday to see if that resolves this issue.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/960#note_313024949

From gnutls-devel at lists.gnutls.org Fri Mar 27 20:26:06 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 27 Mar 2020 19:26:06 +0000
Subject: [gnutls-devel] GnuTLS | DTLS 1.2 Hello Verify Request from coaps Server ignored by libcoap client with GnuTLS (#960)
In-Reply-To:
References:
Message-ID:

Pieter Hameete commented:

@stbuehler I'm not an expert at TLS - do you think we should make this private?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/960#note_313027074

From gnutls-devel at lists.gnutls.org Fri Mar 27 21:27:05 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 27 Mar 2020 20:27:05 +0000
Subject: [gnutls-devel] GnuTLS | DTLS 1.2 Hello Verify Request from coaps Server ignored by libcoap client with GnuTLS (#960)
In-Reply-To:
References:
Message-ID:

Stefan Bühler commented:

As it is already public I don't think it is needed now. It broke in bcf4de0371efbdf0846388e2df0cb14b5db09954 aka `gnutls_3_6_2-140-gbcf4de037` (i.e. with 3.6.3).

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/960#note_313050207

From gnutls-devel at lists.gnutls.org Fri Mar 27 22:43:19 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 27 Mar 2020 21:43:19 +0000
Subject: [gnutls-devel] GnuTLS | DTLS 1.2 Hello Verify Request from coaps Server ignored by libcoap client with GnuTLS (#960)
In-Reply-To:
References:
Message-ID:

mrdeep1 commented:

Just tested this patched fix in gnutls and libcoap now works as expected.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/960#note_313076183

From gnutls-devel at lists.gnutls.org Sat Mar 28 00:35:07 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 27 Mar 2020 23:35:07 +0000
Subject: [gnutls-devel] GnuTLS | Fix padlock accelerated code (!1226)
References:
Message-ID:

Dmitry Baryshkov created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1226

Project:Branches: GostCrypt/gnutls:fix-padlock to gnutls/gnutls:master
Author: Dmitry Baryshkov

Add a description of the new feature/bug fix. Reference any relevant bugs.

## Checklist

* [x] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [x] Code modified for feature
* [ ] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
* [x] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:

* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1226

From gnutls-devel at lists.gnutls.org Sat Mar 28 00:35:25 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 27 Mar 2020 23:35:25 +0000
Subject: [gnutls-devel] GnuTLS | Service Desk (from noloader@gmail.com): GnuTLS 3.6.12 and failed self tests when using Padlock engine (#930)
In-Reply-To:
References:
Message-ID:

Reassigned Issue 930

https://gitlab.com/gnutls/gnutls/-/issues/930

Assignee changed to Dmitry Baryshkov

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/930

From gnutls-devel at lists.gnutls.org Sat Mar 28 00:38:51 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 27 Mar 2020 23:38:51 +0000
Subject: [gnutls-devel] GnuTLS | Service Desk (from noloader@gmail.com): GnuTLS 3.6.12 and failed self tests when using Padlock engine (#930)
In-Reply-To:
References:
Message-ID:

Dmitry Baryshkov commented:

It took a while, but I've finally opened !1226. With these changes GnuTLS testsuite passes on my VIA Nano. Could you please test it on your C7-D board?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/930#note_313098369

From gnutls-devel at lists.gnutls.org Sun Mar 29 12:31:18 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 29 Mar 2020 10:31:18 +0000
Subject: [gnutls-devel] GnuTLS | Fix padlock accelerated code (!1226)
In-Reply-To:
References:
Message-ID:

Merge Request !1226 was approved by Tim Rühsen

Merge Request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1226
Project:Branches: GostCrypt/gnutls:fix-padlock to gnutls/gnutls:master
Author: Dmitry Baryshkov
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1226

From gnutls-devel at lists.gnutls.org Sun Mar 29 21:42:55 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 29 Mar 2020 19:42:55 +0000
Subject: [gnutls-devel] GnuTLS | dtls client hello: fix zeroed random (fixes #960) (!1225)
In-Reply-To:
References:
Message-ID:

Reassigned Merge Request 1225

https://gitlab.com/gnutls/gnutls/-/merge_requests/1225

Assignee changed to Nikos Mavrogiannopoulos

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1225

From gnutls-devel at lists.gnutls.org Sun Mar 29 21:42:57 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 29 Mar 2020 19:42:57 +0000
Subject: [gnutls-devel] GnuTLS | dtls client hello: fix zeroed random (fixes #960) (!1225)
In-Reply-To:
References:
Message-ID:

Milestone changed to Release of GnuTLS 3.6.13 (Feb 2, 2020–Apr 4, 2020) ( https://gitlab.com/gnutls/gnutls/-/milestones/27 )

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1225

From gnutls-devel at lists.gnutls.org Sun Mar 29 21:43:11 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 29 Mar 2020 19:43:11 +0000
Subject: [gnutls-devel] GnuTLS | DTLS 1.2 Hello Verify Request from coaps Server ignored by libcoap client with GnuTLS (#960)
In-Reply-To:
References:
Message-ID:

Milestone changed to Release of GnuTLS 3.6.13 (Feb 2, 2020–Apr 4, 2020) ( https://gitlab.com/gnutls/gnutls/-/milestones/27 )

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/960

From gnutls-devel at lists.gnutls.org Sun Mar 29 21:43:20 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 29 Mar 2020 19:43:20 +0000
Subject: [gnutls-devel] GnuTLS | dtls client hello: fix zeroed random (fixes #960) (!1225)
In-Reply-To:
References:
Message-ID:

Merge Request !1225 was approved by Nikos Mavrogiannopoulos

Merge Request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1225
Project:Branches: stbuehler/gnutls:fix-dlts-client-zero-random to gnutls/gnutls:master
Author: Stefan Bühler
Assignee: Nikos Mavrogiannopoulos

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1225

From gnutls-devel at lists.gnutls.org Sun Mar 29 21:44:05 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 29 Mar 2020 19:44:05 +0000
Subject: [gnutls-devel] GnuTLS | dtls client hello: fix zeroed random (fixes #960) (!1225)
In-Reply-To:
References:
Message-ID:

Nikos Mavrogiannopoulos commented:

Thanks it looks good to me, and the issue looks quite serious.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1225#note_313459030

From gnutls-devel at lists.gnutls.org Sun Mar 29 21:44:27 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 29 Mar 2020 19:44:27 +0000
Subject: [gnutls-devel] GnuTLS | DTLS 1.2 Hello Verify Request from coaps Server ignored by libcoap client with GnuTLS (#960)
In-Reply-To:
References:
Message-ID:

Issue was closed by Nikos Mavrogiannopoulos via commit c01011c2d8533dbbbe754e49e256c109cb848d0d

Issue #960: https://gitlab.com/gnutls/gnutls/-/issues/960

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/960

From gnutls-devel at lists.gnutls.org Sun Mar 29 21:44:29 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 29 Mar 2020 19:44:29 +0000
Subject: [gnutls-devel] GnuTLS | dtls client hello: fix zeroed random (fixes #960) (!1225)
In-Reply-To:
References:
Message-ID:

Merge Request !1225 was merged

Merge Request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1225
Project:Branches: stbuehler/gnutls:fix-dlts-client-zero-random to gnutls/gnutls:master
Author: Stefan Bühler
Assignee: Nikos Mavrogiannopoulos

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1225

From gnutls-devel at lists.gnutls.org Sun Mar 29 21:45:50 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 29 Mar 2020 19:45:50 +0000
Subject: [gnutls-devel] GnuTLS | Added reproducer for fix in !1225 (!1227)
References:
Message-ID:

Nikos Mavrogiannopoulos created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1227

Branches: tmp-added-reproducer-for-960 to master
Author: Nikos Mavrogiannopoulos

This adds a reproducer for DTLS issue in !1225 as well as an equivalent for TLS.

## Checklist

* [x] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [ ] Code modified for feature
* [x] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
* [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:

* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1227

From gnutls-devel at lists.gnutls.org Sun Mar 29 21:46:01 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 29 Mar 2020 19:46:01 +0000
Subject: [gnutls-devel] GnuTLS | Added reproducer for fix in !1225 (!1227)
In-Reply-To:
References:
Message-ID:

Milestone changed to Release of GnuTLS 3.6.13 (Feb 2, 2020–Apr 4, 2020) ( https://gitlab.com/gnutls/gnutls/-/milestones/27 )

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1227

From gnutls-devel at lists.gnutls.org Sun Mar 29 21:50:51 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 29 Mar 2020 19:50:51 +0000
Subject: [gnutls-devel] GnuTLS | dtls client hello: fix zeroed random (fixes #960) (!1225)
In-Reply-To:
References:
Message-ID:

Nikos Mavrogiannopoulos commented:

Thank you for the investigation and fix!

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1225#note_313460072

From gnutls-devel at lists.gnutls.org Mon Mar 30 09:02:02 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 30 Mar 2020 07:02:02 +0000
Subject: [gnutls-devel] GnuTLS | Compare DNs by comparing their string representations (!1223)
In-Reply-To:
References:
Message-ID:

Pierre Ossman (Work account) commented:

Is this okay to merge now or is there something more we should do? Mostly so we know if we can proceed with this patch on our end or not.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1223#note_313615523

From gnutls-devel at lists.gnutls.org Mon Mar 30 10:01:43 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 30 Mar 2020 08:01:43 +0000
Subject: [gnutls-devel] GnuTLS | Can't generate public.crt on Windows 2016 (#923)
In-Reply-To:
References:
Message-ID:

Milestone changed to Release of GnuTLS 3.6.14 (Mar 31, 2020–Jun 1, 2020) ( https://gitlab.com/gnutls/gnutls/-/milestones/28 )

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/923

From gnutls-devel at lists.gnutls.org Mon Mar 30 10:01:08 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 30 Mar 2020 08:01:08 +0000
Subject: [gnutls-devel] GnuTLS | Verification of deterministic RSA-PSS signature fails (#953)
In-Reply-To:
References:
Message-ID:

Issue was closed by Nikos Mavrogiannopoulos

Issue #953: https://gitlab.com/gnutls/gnutls/-/issues/953

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/953

From gnutls-devel at lists.gnutls.org Mon Mar 30 10:01:35 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 30 Mar 2020 08:01:35 +0000
Subject: [gnutls-devel] GnuTLS | Key passphrase longer than 31 chars give 'No PIN given' error (#932)
In-Reply-To:
References:
Message-ID:

Milestone changed to Release of GnuTLS 3.6.14 (Mar 31, 2020–Jun 1, 2020) ( https://gitlab.com/gnutls/gnutls/-/milestones/28 )

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/932

From gnutls-devel at lists.gnutls.org Mon Mar 30 10:01:29 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 30 Mar 2020 08:01:29 +0000
Subject: [gnutls-devel] GnuTLS | certtool ignores --password option (#933)
In-Reply-To:
References:
Message-ID:

Milestone changed to Release of GnuTLS 3.6.14 (Mar 31, 2020–Jun 1, 2020) ( https://gitlab.com/gnutls/gnutls/-/milestones/28 )

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/933

From gnutls-devel at lists.gnutls.org Mon Mar 30 10:01:50 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 30 Mar 2020 08:01:50 +0000
Subject: [gnutls-devel] GnuTLS | certtool --to-p12 seems to alway require a password (#888)
In-Reply-To:
References:
Message-ID:

Milestone changed to Release of GnuTLS 3.6.14 (Mar 31, 2020–Jun 1, 2020) ( https://gitlab.com/gnutls/gnutls/-/milestones/28 )

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/888

From gnutls-devel at lists.gnutls.org Mon Mar 30 10:03:57 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 30 Mar 2020 08:03:57 +0000
Subject: [gnutls-devel] GnuTLS | Service Desk (from noloader@gmail.com): GnuTLS 3.6.12 and failed self tests when using Padlock engine (#930)

Issue was closed by Nikos Mavrogiannopoulos via merge request !1226 (https://gitlab.com/gnutls/gnutls/-/merge_requests/1226)

Issue #930: https://gitlab.com/gnutls/gnutls/-/issues/930

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/930

From gnutls-devel at lists.gnutls.org Mon Mar 30 10:03:58 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 30 Mar 2020 08:03:58 +0000
Subject: [gnutls-devel] GnuTLS | Fix padlock accelerated code (!1226)

Merge Request !1226 was merged

Merge Request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1226
Project:Branches: GostCrypt/gnutls:fix-padlock to gnutls/gnutls:master
Author: Dmitry Baryshkov
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1226

From gnutls-devel at lists.gnutls.org Mon Mar 30 10:04:03 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 30 Mar 2020 08:04:03 +0000
Subject: [gnutls-devel] GnuTLS | Fix padlock accelerated code (!1226)

Milestone changed to Release of GnuTLS 3.6.13 (Feb 2, 2020–Mar 31, 2020) ( https://gitlab.com/gnutls/gnutls/-/milestones/27 )

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1226

From gnutls-devel at lists.gnutls.org Mon Mar 30 10:04:12 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 30 Mar 2020 08:04:12 +0000
Subject: [gnutls-devel] GnuTLS | Service Desk (from noloader@gmail.com): GnuTLS 3.6.12 and failed self tests when using Padlock engine (#930)

Milestone changed to Release of GnuTLS 3.6.13 (Feb 2, 2020–Mar 31, 2020) ( https://gitlab.com/gnutls/gnutls/-/milestones/27 )

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/930

From gnutls-devel at lists.gnutls.org Mon Mar 30 12:44:43 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 30 Mar 2020 10:44:43 +0000
Subject: [gnutls-devel] GnuTLS | Key passphrase longer than 31 chars give 'No PIN given' error (#932)

Nikos Mavrogiannopoulos commented:

Fixing this on the global header may cause crashes in not carefully written pin readers. I think it makes sense to address it in a major release.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/932#note_313786660

From gnutls-devel at lists.gnutls.org Mon Mar 30 12:44:47 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 30 Mar 2020 10:44:47 +0000
Subject: [gnutls-devel] GnuTLS | Key passphrase longer than 31 chars give 'No PIN given' error (#932)

Milestone changed to Release of GnuTLS 3.7.0 ( https://gitlab.com/gnutls/gnutls/-/milestones/20 )

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/932

From gnutls-devel at lists.gnutls.org Mon Mar 30 16:45:52 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 30 Mar 2020 14:45:52 +0000
Subject: [gnutls-devel] GnuTLS | Added reproducer for fix in !1225 (!1227)

Merge Request !1227 was approved by Daiki Ueno

Merge Request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1227
Branches: tmp-added-reproducer-for-960 to master
Author: Nikos Mavrogiannopoulos
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1227

From gnutls-devel at lists.gnutls.org Mon Mar 30 16:50:28 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 30 Mar 2020 14:50:28 +0000
Subject: [gnutls-devel] GnuTLS | Clarify plans for gost implementation (#942)

mikhailnov commented:

> I see no problem here. Russian government already signed law about mandatory installation of russian software on any electronic device.
> One of the most important requirement is gost support.

Can you please point to the requirement of gost support for pre-installed software? I did not find anything about GOST support in pre-installed software in the law: http://publication.pravo.gov.ru/Document/View/0001201912020057?index=1&rangeSize=1

> I am living in post-USSR country and know what political question "gost" is a part of.

Why do other people living there do not know this? Yes, the way S-Boxes were created is not known, what next? There is no working exploit which would prove that GOST cryptography is insecure for daily usage. Why are you trying to make GOST disabled by default based only on your fantasies and assumptions and do not fight against other algorithms? Why must people who need GOST support in open source software (like me, for example) suffer from your not healthy fantasies? I have written this because you are fighting against GOST support in various open source software.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/942#note_313999721

From gnutls-devel at lists.gnutls.org Mon Mar 30 16:53:56 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 30 Mar 2020 14:53:56 +0000
Subject: [gnutls-devel] GnuTLS | Added reproducer for fix in !1225 (!1227)

Daiki Ueno commented:

By the way, it might make sense to mark memory regions that need prior initialization with valgrind client request, so this kind of errors can be caught in the CI?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1227#note_314003494

From gnutls-devel at lists.gnutls.org Mon Mar 30 16:54:53 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 30 Mar 2020 14:54:53 +0000
Subject: [gnutls-devel] GnuTLS | Clarify plans for gost implementation (#942)

mikhailnov commented:

Please keep GOST in the same enabled/disabled state as other algorithms. If we will want to add GOST support to other software using GNUTLS, GOST being disabled by default will make it much more difficult because in different configurations GOST in that software will either work or do not work. Some people are suggesting to treat GOST _specially_, but their opinions do not seem to be argumented well enough.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/942#note_314004296

From gnutls-devel at lists.gnutls.org Mon Mar 30 20:49:41 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 30 Mar 2020 18:49:41 +0000
Subject: [gnutls-devel] GnuTLS | Added reproducer for fix in !1225 (!1227)

Nikos Mavrogiannopoulos commented:

Seems like a good idea. If you are familiar with it, would you like to propose it?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1227#note_314167138

From gnutls-devel at lists.gnutls.org Mon Mar 30 20:49:55 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 30 Mar 2020 18:49:55 +0000
Subject: [gnutls-devel] GnuTLS | Added reproducer for fix in !1225 (!1227)

Merge Request !1227 was merged

Merge Request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1227
Branches: tmp-added-reproducer-for-960 to master
Author: Nikos Mavrogiannopoulos
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1227

From gnutls-devel at lists.gnutls.org Mon Mar 30 21:46:11 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 30 Mar 2020 19:46:11 +0000
Subject: [gnutls-devel] GnuTLS | multiple remote PKCS#11 modules not working (#961)

Nikos Mavrogiannopoulos commented:

The idea is that if you have two drivers that give you access to the same smart card reader gnutls will detect only one so you don't have duplicate objects which are impossible to distinguish. In practice this was to avoid drivers like coolkey and opensc giving you duplicate objects.

@dueno some idea here?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/961#note_314196984

From gnutls-devel at lists.gnutls.org Mon Mar 30 22:05:11 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 30 Mar 2020 20:05:11 +0000
Subject: [gnutls-devel] GnuTLS | Compare DNs by comparing their string representations (!1223)

Reassigned Merge Request 1223

https://gitlab.com/gnutls/gnutls/-/merge_requests/1223

Assignee changed to Nikos Mavrogiannopoulos

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1223

From gnutls-devel at lists.gnutls.org Mon Mar 30 22:05:09 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 30 Mar 2020 20:05:09 +0000
Subject: [gnutls-devel] GnuTLS | Compare DNs by comparing their string representations (!1223)

Nikos Mavrogiannopoulos commented:

I think we should merge it, but not on the upcoming release.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1223#note_314205755

From gnutls-devel at lists.gnutls.org Tue Mar 31 07:50:23 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 31 Mar 2020 05:50:23 +0000
Subject: [gnutls-devel] GnuTLS | Provide high-level KDF API (#813)

Milestone changed to Release of GnuTLS 3.6.13 (Feb 2, 2020–Mar 31, 2020) ( https://gitlab.com/gnutls/gnutls/-/milestones/27 )

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/813

From gnutls-devel at lists.gnutls.org Tue Mar 31 07:50:39 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 31 Mar 2020 05:50:39 +0000
Subject: [gnutls-devel] GnuTLS | Allow non null terminated usernames for psk (#586)

Milestone changed to Release of GnuTLS 3.6.13 (Feb 2, 2020–Mar 31, 2020) ( https://gitlab.com/gnutls/gnutls/-/milestones/27 )

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/586

From gnutls-devel at lists.gnutls.org Tue Mar 31 07:55:02 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 31 Mar 2020 07:55:02 +0200
Subject: [gnutls-devel] gnutls 3.6.13

Hello,

I've just released gnutls 3.6.13. This is a security and bug fix release on the stable 3.6.x branch.

I'd like to thank everyone who contributed in this release: Daiki Ueno, Dmitry Baryshkov, Tim Rühsen, Anderson Toshiyuki Sasaki, Jakub Jelen, Daniel Lenski, Ander Juaristi, Dimitri John Ledkov, Fiona Klute, Michael Catanzaro, Ross Nicholson, and Stefan Bühler.

The detailed list of changes follows; they can be seen in more detail in our milestone tracker: https://gitlab.com/gnutls/gnutls/-/milestones/27

* Version 3.6.13 (released 2020-03-31)

** libgnutls: Fix a DTLS-protocol regression (caused by TLS1.3 support), since 3.6.3.
   The DTLS client would not contribute any randomness to the DTLS negotiation,
   breaking the security guarantees of the DTLS protocol (#960)
   [GNUTLS-SA-2020-03-31, CVSS: high]

** libgnutls: Added new APIs to access KDF algorithms (#813).

** libgnutls: Added new callback gnutls_keylog_func that enables a custom
   logging functionality.

** libgnutls: Added support for non-null terminated usernames in PSK
   negotiation (#586).

** gnutls-cli-debug: Improved support for old servers that only support
   SSL 3.0.

** API and ABI modifications:
gnutls_hkdf_extract: Added
gnutls_hkdf_expand: Added
gnutls_pbkdf2: Added
gnutls_session_get_keylog_function: Added
gnutls_session_set_keylog_function: Added
gnutls_prf_hash_get: Added
gnutls_psk_server_get_username2: Added
gnutls_psk_set_client_credentials2: Added
gnutls_psk_set_client_credentials_function2: Added
gnutls_psk_set_server_credentials_function2: Added

Getting the Software
====================

GnuTLS may be downloaded directly from <ftp://ftp.gnutls.org/gcrypt/gnutls/>. A list of GnuTLS mirrors can be found at <http://www.gnutls.org/download.html>

Here are the XZ compressed sources:

https://www.gnupg.org/ftp/gcrypt/gnutls/v3.6/gnutls-3.6.13.tar.xz

Here are OpenPGP detached signatures signed using key 0x96865171:

https://www.gnupg.org/ftp/gcrypt/gnutls/v3.6/gnutls-3.6.13.tar.xz.sig

Note that it has been signed with my openpgp key:

pub 3104R/96865171 2008-05-04 [expires: 2028-04-29]
uid Nikos Mavrogiannopoulos gnutls.org>
uid Nikos Mavrogiannopoulos gmail.com>
sub 2048R/9013B842 2008-05-04 [expires: 2018-05-02]
sub 2048R/1404A91D 2008-05-04 [expires: 2018-05-02]

regards,
Nikos

From gnutls-devel at lists.gnutls.org Tue Mar 31 09:43:18 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 31 Mar 2020 07:43:18 +0000
Subject: [gnutls-devel] GnuTLS | multiple remote PKCS#11 modules not working (#961)

Marc Kleine-Budde commented:

Is it an option to look at the actual smart cards detected by the driver(s) instead of the providers?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/961#note_314463287

From gnutls-devel at lists.gnutls.org Tue Mar 31 16:19:16 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 31 Mar 2020 14:19:16 +0000
Subject: [gnutls-devel] GnuTLS | build: use valgrind client request to detect undefined memory use (!1228)

Daiki Ueno created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1228

Branches: tmp-valgrind-memcheck to master
Author: Daiki Ueno

See !1227.

This tightens the check introduced in ac2f71b892d13a7ab4cc39086eef179042c7e23c, by using the valgrind client request to explicitly mark the "uninitialized but initialization is needed before use" regions.

With this patch and the fix (c01011c2d8533dbbbe754e49e256c109cb848d0d) reverted, you will see the following error when running dtls_hello_random_value under valgrind:

```
$ valgrind ./dtls_hello_random_value
testing: default
==520145== Conditional jump or move depends on uninitialised value(s)
==520145==    at 0x4025F5: hello_callback (dtls_hello_random_value.c:90)
==520145==    by 0x488BF97: _gnutls_call_hook_func (handshake.c:1215)
==520145==    by 0x488C1AA: _gnutls_send_handshake2 (handshake.c:1332)
==520145==    by 0x488FC7E: send_client_hello (handshake.c:2290)
==520145==    by 0x48902A1: handshake_client (handshake.c:2908)
==520145==    by 0x48902A1: gnutls_handshake (handshake.c:2740)
==520145==    by 0x402CB3: client (dtls_hello_random_value.c:153)
==520145==    by 0x402CB3: start (dtls_hello_random_value.c:317)
==520145==    by 0x402EFE: doit (dtls_hello_random_value.c:331)
==520145==    by 0x4023D4: main (utils.c:254)
==520145==
```

## Checklist
* [x] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [ ] Code modified for feature
* [ ] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
* [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:
* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1228

From gnutls-devel at lists.gnutls.org Tue Mar 31 18:03:37 2020
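The technique described in merge request !1228 above, applied to the kind of missing-randomness regression named in the 3.6.13 announcement, as an added example that is not GnuTLS code and not part of either message. The toy session structure, the function names and the `skip_for_datagram` switch are hypothetical; the Valgrind macros fall back to no-ops when `valgrind/memcheck.h` is not installed.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#if defined(__has_include)
# if __has_include(<valgrind/memcheck.h>)
#  include <valgrind/memcheck.h>
#  define HAVE_MEMCHECK 1
# endif
#endif
#ifndef HAVE_MEMCHECK
/* Header not installed: no-ops returning 0, as the real macros do natively. */
# define VALGRIND_MAKE_MEM_UNDEFINED(addr, len) ((void)(addr), (void)(len), 0)
# define VALGRIND_CHECK_MEM_IS_DEFINED(addr, len) ((void)(addr), (void)(len), 0)
#endif

#define RANDOM_SIZE 32

struct toy_session {                 /* hypothetical handshake state */
    int is_datagram;
    uint8_t client_random[RANDOM_SIZE];
};

struct toy_session *toy_session_new(int is_datagram)
{
    struct toy_session *s = calloc(1, sizeof(*s));
    if (s == NULL)
        return NULL;
    s->is_datagram = is_datagram;
    /* calloc() zeroes the field and memcheck treats zeroed memory as
     * defined, so a never-generated random would go unreported. Marking
     * the region undefined makes any use before generation an error. */
    (void)VALGRIND_MAKE_MEM_UNDEFINED(s->client_random, RANDOM_SIZE);
    return s;
}

/* Fill buf from the OS random source; returns 0 on success, -1 on error. */
static int fill_random(uint8_t *buf, size_t len)
{
    FILE *f = fopen("/dev/urandom", "rb");
    size_t got;
    if (f == NULL)
        return -1;
    got = fread(buf, 1, len, f);
    fclose(f);
    return got == len ? 0 : -1;
}

/* Prepare the hello. skip_for_datagram models a constructed regression in
 * which the datagram path never generates the client random. */
int toy_prepare_hello(struct toy_session *s, int skip_for_datagram)
{
    if (s->is_datagram && skip_for_datagram)
        return 0;                    /* random left untouched */
    return fill_random(s->client_random, RANDOM_SIZE);
}

/* A check that a test's hello callback could run. Returns 0 if the random
 * is initialised and non-zero, 1 if memcheck reports undefined bytes (only
 * under valgrind), 2 if it is all zero (the only signal when run natively). */
int toy_check_hello_random(const struct toy_session *s)
{
    uint8_t acc = 0;
    size_t i;
    if (VALGRIND_CHECK_MEM_IS_DEFINED(s->client_random, RANDOM_SIZE) != 0)
        return 1;
    for (i = 0; i < RANDOM_SIZE; i++)
        acc |= s->client_random[i];
    return acc == 0 ? 2 : 0;
}

int main(void)
{
    struct toy_session *bad = toy_session_new(1), *good = toy_session_new(1);
    if (!bad || !good || toy_prepare_hello(bad, 1) || toy_prepare_hello(good, 0))
        return 1;
    printf("regressed datagram client: %d\n", toy_check_hello_random(bad));
    printf("fixed datagram client:     %d\n", toy_check_hello_random(good));
    free(bad);
    free(good);
    return 0;
}
```

Run the compiled program under `valgrind` to get a memcheck report for the regressed session; run natively, only the all-zero comparison catches it.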
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 31 Mar 2020 16:03:37 +0000
Subject: [gnutls-devel] GnuTLS | IDNA: require libidn2 2.0.0 (!1229)

Nikos Mavrogiannopoulos created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1229

Project:Branches: nmav/gnutls:tmp-libidn-simplify to gnutls/gnutls:master
Author: Nikos Mavrogiannopoulos

This addresses #832 by requiring a modern libidn2.

## Checklist
* [ ] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [ ] Code modified for feature
* [ ] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
* [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:
* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1229

From gnutls-devel at lists.gnutls.org Tue Mar 31 18:03:48 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 31 Mar 2020 16:03:48 +0000
Subject: [gnutls-devel] GnuTLS | gnutls uses libidn2 internal symbols which were dropped (#832)

Reassigned Issue 832

https://gitlab.com/gnutls/gnutls/-/issues/832

Assignee changed to Nikos Mavrogiannopoulos

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/832

From gnutls-devel at lists.gnutls.org Tue Mar 31 18:04:30 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 31 Mar 2020 16:04:30 +0000
Subject: [gnutls-devel] GnuTLS | IDNA: require libidn2 2.0.0 (!1229)

Nikos Mavrogiannopoulos commented:

@rockdaboot should we bring this to 3.6.x branch? The problems caused by this compatibility code seem more than the actual benefit (IDNA).

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1229#note_314891232

From gnutls-devel at lists.gnutls.org Tue Mar 31 18:24:19 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 31 Mar 2020 16:24:19 +0000
Subject: [gnutls-devel] GnuTLS | IDNA: require libidn2 2.0.0 (!1229)

Merge Request !1229 was approved by Tim Rühsen

Merge Request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1229
Project:Branches: nmav/gnutls:tmp-libidn-simplify to gnutls/gnutls:master
Author: Nikos Mavrogiannopoulos
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1229

From gnutls-devel at lists.gnutls.org Tue Mar 31 18:24:15 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 31 Mar 2020 16:24:15 +0000
Subject: [gnutls-devel] GnuTLS | IDNA: require libidn2 2.0.0 (!1229)

Tim Rühsen commented:

I am absolutely pro removing all IDNA2003 stuff.

There is still one (little) caveat... some projects need stringprep functionality, which is coupled with libidn and which is missing in libidn2. Simon once said he started working on the successor of stringprep called PRECIS. But likely there is nothing currently.

I have no overview about which projects use stringprep and gnutls.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1229#note_314912243

From gnutls-devel at lists.gnutls.org Tue Mar 31 20:03:30 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 31 Mar 2020 18:03:30 +0000
Subject: [gnutls-devel] GnuTLS | IDNA: require libidn2 2.0.0 (!1229)

Nikos Mavrogiannopoulos commented:

> I am absolutely pro removing all IDNA2003 stuff.

Note that this doesn't remove IDNA2003, it just removes support for libidn2 < 2.0.0. The reason is that we were relying on undocumented internal APIs of the previous libraries which were removed in later releases.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1229#note_314977400

From gnutls-devel at lists.gnutls.org Tue Mar 31 21:37:05 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 31 Mar 2020 19:37:05 +0000
Subject: [gnutls-devel] GnuTLS | IDNA: require libidn2 2.0.0 (!1229)

Neustradamus commented:

Linked to: https://gitlab.com/libidn/libidn2/issues/28

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1229#note_315021935