From gnutls-devel at lists.gnutls.org Fri May 1 06:09:47 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 01 May 2020 04:09:47 +0000 Subject: [gnutls-devel] GnuTLS | Verify that Edwards public keys should use OCTET STRING encoding on pkcs11 tokens (#957) In-Reply-To: References: Message-ID: GnuTLS bot commented: @lumag This issue is unlabelled after 30 days. It needs attention. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/957#note_334821089 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri May 1 06:09:47 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 01 May 2020 04:09:47 +0000 Subject: [gnutls-devel] GnuTLS | Issues require labels (#982) References: Message-ID: GnuTLS bot created an issue: https://gitlab.com/gnutls/gnutls/-/issues/982 The following issues require labels: - [ ] [Verify that Edwards public keys should use OCTET STRING encoding on pkcs11 tokens](https://gitlab.com/gnutls/gnutls/-/issues/957) Please take care of them. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/982 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri May 1 07:59:38 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 01 May 2020 05:59:38 +0000 Subject: [gnutls-devel] GnuTLS | New make target 'update-copyright-year' (!1241) In-Reply-To: References: Message-ID: Tim R?hsen commented on a discussion on cfg.mk: https://gitlab.com/gnutls/gnutls/-/merge_requests/1241#note_334838330 > echo "If everything looks well, commit the gnulib update with:" > echo " git commit -m "Update gnulib submodule" gnulib" > > +# Update Copyright year in tools and docs > + > +update-copyright-year: > + $(AM_V_at)$(SED) -i "s/\"2000-....\"/\"2000-`date +%Y`\"/g" src/args-std.def.in > + $(AM_V_at)$(SED) -i "s/ 2001-.... / 2001-`date +%Y` /g" doc/gnutls.texi Updated with your very first suggestion. If we make the rule too tight, it might even break on reformatting. If we make too wide, we change stuff that wasnt meant to be changed. So I think that now is a good compromise. And the whole thing is a highly manual process, so whoever updates the year will `git diff` before committing/pushing and likely catch (an unlikely) mistake. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1241#note_334838330 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri May 1 07:59:38 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 01 May 2020 05:59:38 +0000 Subject: [gnutls-devel] GnuTLS | New make target 'update-copyright-year' (!1241) In-Reply-To: References: Message-ID: All discussions on Merge Request !1241 were resolved by Tim R?hsen https://gitlab.com/gnutls/gnutls/-/merge_requests/1241 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1241 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri May 1 08:48:46 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 01 May 2020 06:48:46 +0000 Subject: [gnutls-devel] web-pages | win_version: update tag convention after 3.6.13 release (!1) References: Message-ID: Daiki Ueno created a merge request: https://gitlab.com/gnutls/web-pages/-/merge_requests/1 Branches: tmp-win-version to master Author: Daiki Ueno We switched to using the version number as the tag, instead of mangling it to "gnutls_X_Y_Z". This fixes the links to Windows binaries. Fixes https://gitlab.com/gnutls/gnutls/-/issues/978. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/web-pages/-/merge_requests/1 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri May 1 08:52:13 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 01 May 2020 06:52:13 +0000 Subject: [gnutls-devel] web-pages | win_version: update tag convention after 3.6.13 release (!1) In-Reply-To: References: Message-ID: Merge Request !1 was merged Merge Request url: https://gitlab.com/gnutls/web-pages/-/merge_requests/1 Branches: tmp-win-version to master Author: Daiki Ueno Assignees: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/web-pages/-/merge_requests/1 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri May 1 08:52:13 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 01 May 2020 06:52:13 +0000 Subject: [gnutls-devel] GnuTLS | Service Desk (from spencerwestmusic@gmail.com): Broken links on download page (#978) In-Reply-To: References: Message-ID: Issue was closed by Daiki Ueno via merge request !1 (https://gitlab.com/gnutls/web-pages/-/merge_requests/1) Issue #978: https://gitlab.com/gnutls/gnutls/-/issues/978 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/978 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri May 1 22:54:42 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 01 May 2020 20:54:42 +0000 Subject: [gnutls-devel] GnuTLS | gnutls-cli: Inconsistent OCSP behavior regarding intermediate depending on stapling (#981) In-Reply-To: References: Message-ID: Airtower commented: That inconsistency does sound problematic, but stapling for intermediate certificates is actually possible since TLS 1.3, or with the obsolete Multiple Certificate Status Request Extension (RFC 6961). Unfortunately few webservers support it (Apache with mod_gnutls does). Any fix should take multiple stapled responses into account. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/981#note_335194802 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat May 2 23:16:52 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sat, 02 May 2020 21:16:52 +0000 Subject: [gnutls-devel] GnuTLS | doc: expand GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE description on RSA-PSS [ci skip] (!1242) In-Reply-To: References: Message-ID: Merge Request !1242 was approved by Dmitry Baryshkov Merge Request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1242 Branches: tmp-reproducible-sig-doc to master Author: Daiki Ueno Assignees: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1242 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat May 2 23:20:00 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sat, 02 May 2020 21:20:00 +0000 Subject: [gnutls-devel] GnuTLS | nettle: expose SIV-CMAC through the AEAD interface (!1238) In-Reply-To: References: Message-ID: Dmitry Baryshkov started a new discussion on lib/includes/gnutls/gnutls.h.in: https://gitlab.com/gnutls/gnutls/-/merge_requests/1238#note_335388372 > * @GNUTLS_CIPHER_AES192_PGP_CFB: AES in CFB mode with 192-bit keys (placeholder - unsupported). > * @GNUTLS_CIPHER_AES256_PGP_CFB: AES in CFB mode with 256-bit keys (placeholder - unsupported). > * @GNUTLS_CIPHER_TWOFISH_PGP_CFB: Twofish in CFB mode (placeholder - unsupported). > + * @GNUTLS_CIPHER_AES_128_SIV: AES in SIV mode with 128-bit key. > + * @GNUTLS_CIPHER_AES_256_XTS: AES in SIV mode with 256-bit key. I'd suggest describing AEAD/tag semantics here. LGTM otherwise. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1238#note_335388372 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun May 3 20:00:30 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sun, 03 May 2020 18:00:30 +0000 Subject: [gnutls-devel] libtasn1 | coding.c: fix undefined behavior with pointer arithmetics (!63) References: Message-ID: Alexander Us created a merge request: https://gitlab.com/gnutls/libtasn1/-/merge_requests/63 Project:Branches: alexander-us/libtasn1:clang_10_ptr_arith_ub to gnutls/libtasn1:master Author: Alexander Us `asn1_der_coding` contained unchecked pointer arithmetics. As source code shows, `ider` can be `NULL` pointer. C standard states that arithmetic using `NULL` pointers gives undefined behavior (C99, 6.5.6, clause 8). LLVM (beginning from version 10) started to optimize pointer arithmetic in comparisons with `NULL` with assumptions that addition of `NULL` and non-zero value will produce undefined behavior (https://reviews.llvm.org/D66608). This means that code like `ptr + x == NULL` will be turned to `ptr == NULL` because if ptr is `NULL` then `NULL + x` will be UB. Short summary of what happened in `asn1_der_coding` is in this code: https://godbolt.org/z/DAo0Bt. Without my patch clang UBSan reports problems in **copynode** and **Test_tree** tests and these tests fail with `-O2` flag (`CC=clang-10 CFLAGS="-O2 -fsanitize=undefined"`): ``` ../../libtasn1/lib/coding.c:1207:56: runtime error: applying non-zero offset 7 to null pointer SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../../libtasn1/lib/coding.c:1207:56 in ../../libtasn1/lib/coding.c:1225:54: runtime error: applying non-zero offset 287 to null pointer SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../../libtasn1/lib/coding.c:1225:54 in LIBTASN1 ERROR: VALUE_NOT_VALID Cannot copy node FAIL copynode (exit status: 1) ``` ## Checklist * [ ] Code modified for feature * [ ] Test suite updated with functionality tests * [ ] Test suite updated with negative tests * [x] Documentation updated ## Reviewer's checklist: * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent with other code * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/-/merge_requests/63 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon May 4 12:12:26 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 04 May 2020 10:12:26 +0000 Subject: [gnutls-devel] libtasn1 | coding.c: fix undefined behavior with pointer arithmetics (!63) In-Reply-To: References: Message-ID: Tim R?hsen commented: Thanks for the fix. The CI currently mourns about your changes, can you fix that ? ``` coding.c:291:5: warning: Null pointer passed as an argument to a 'nonnull' parameter memcpy (der + len_len, str, str_len); ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ coding.c:437:7: warning: Null pointer passed as an argument to a 'nonnull' parameter memmove (der + len_len, der, *der_len); ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ``` Or is that unrelated ? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/-/merge_requests/63#note_335802420 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon May 4 14:23:52 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 04 May 2020 12:23:52 +0000 Subject: [gnutls-devel] GnuTLS | New make target 'update-copyright-year' (!1241) In-Reply-To: References: Message-ID: Merge Request !1241 was approved by Daiki Ueno Merge Request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1241 Branches: tmp-reproducible-build to master Author: Tim R?hsen Assignees: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1241 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon May 4 14:24:12 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 04 May 2020 12:24:12 +0000 Subject: [gnutls-devel] GnuTLS | doc: expand GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE description on RSA-PSS [ci skip] (!1242) In-Reply-To: References: Message-ID: Merge Request !1242 was merged Merge Request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1242 Branches: tmp-reproducible-sig-doc to master Author: Daiki Ueno Assignees: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1242 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon May 4 15:03:59 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 04 May 2020 13:03:59 +0000 Subject: [gnutls-devel] GnuTLS | New make target 'update-copyright-year' (!1241) In-Reply-To: References: Message-ID: Merge Request !1241 was merged Merge Request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1241 Branches: tmp-reproducible-build to master Author: Tim R?hsen Assignees: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1241 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon May 4 15:04:00 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 04 May 2020 13:04:00 +0000 Subject: [gnutls-devel] GnuTLS | Copyright year is updated on build (#980) In-Reply-To: References: Message-ID: Issue was closed by Tim R?hsen via merge request !1241 (https://gitlab.com/gnutls/gnutls/-/merge_requests/1241) Issue #980: https://gitlab.com/gnutls/gnutls/-/issues/980 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/980 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon May 4 16:40:09 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 04 May 2020 14:40:09 +0000 Subject: [gnutls-devel] GnuTLS | nettle: expose SIV-CMAC through the AEAD interface (!1238) In-Reply-To: References: Message-ID: Merge Request !1238 was merged Merge Request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1238 Branches: tmp-siv to master Author: Daiki Ueno Assignees: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1238 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon May 4 17:48:18 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 04 May 2020 15:48:18 +0000 Subject: [gnutls-devel] GnuTLS | nettle: expose SIV-CMAC through the AEAD interface (!1238) In-Reply-To: References: Message-ID: Merge Request !1238 was approved by Dmitry Baryshkov Merge Request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1238 Branches: tmp-siv to master Author: Daiki Ueno Assignees: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1238 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon May 4 17:48:34 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 04 May 2020 15:48:34 +0000 Subject: [gnutls-devel] GnuTLS | nettle: expose SIV-CMAC through the AEAD interface (!1238) In-Reply-To: References: Message-ID: All discussions on Merge Request !1238 were resolved by Dmitry Baryshkov https://gitlab.com/gnutls/gnutls/-/merge_requests/1238 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1238 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue May 5 04:12:08 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 05 May 2020 02:12:08 +0000 Subject: [gnutls-devel] GnuTLS | There is no 'signature' in the part of 'tbsCertificate' (#983) References: Message-ID: Chu Chen created an issue: https://gitlab.com/gnutls/gnutls/-/issues/983 ## Description of problem: In the parsed certificate, there is no 'signature' in the part of tbsCertificate. 'signature' is a field of tbsCertificate in RFC 5280. ``` 4.1.2.3. Signature This field contains the algorithm identifier for the algorithm used by the CA to sign the certificate. This field MUST contain the same algorithm identifier as the signatureAlgorithm field in the sequence Certificate (Section Cooper, et al. Standards Track [Page 19] RFC 5280 PKIX Certificate and CRL Profile May 2008 4.1.1.2). The contents of the optional parameters field will vary according to the algorithm identified. [RFC3279], [RFC4055], and [RFC4491] list supported signature algorithms, but other signature algorithms MAY also be supported. ``` ## Version of gnutls used: 3.5.5 ## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL) Ubuntu 18.04 x64 ## How reproducible: Steps to Reproduce: * certtool -i -infile path/to/cert_file ## Actual results: [cert-example-ie-cer48.zip](/uploads/d00ae05f13d9a2b054a3e7facf72e71e/cert-example-ie-cer48.zip) [cert-example-ie-cer48.gnutls](/uploads/00a6cde44c6406d63ffa8966cb5447bf/cert-example-ie-cer48.gnutls) ## Expected results: As RFC 5280, 'signature' in 'tbsCertificate' is parsed. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/983 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue May 5 14:45:01 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 05 May 2020 12:45:01 +0000 Subject: [gnutls-devel] GnuTLS | fips: leftover fixes (!1243) References: Message-ID: Daiki Ueno created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1243 Branches: tmp-fips-leftover to master Author: Daiki Ueno I realized that I didn't upstream these couple of changes. cc @smuellerDD. ## Checklist * [x] Commits have `Signed-off-by:` with name/author being identical to the commit author * [ ] Code modified for feature * [ ] Test suite updated with functionality tests * [ ] Test suite updated with negative tests * [ ] Documentation updated / NEWS entry present (for non-trivial changes) * [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout) ## Reviewer's checklist: * [ ] Any issues marked for closing are addressed * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md` * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1243 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue May 5 15:07:14 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 05 May 2020 13:07:14 +0000 Subject: [gnutls-devel] GnuTLS | fips: leftover fixes (!1243) In-Reply-To: References: Message-ID: Stephan Mueller started a new discussion on lib/fips.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1243#note_336653998 > goto error; > } > > + ret = gnutls_cipher_self_test(0, GNUTLS_CIPHER_AES_256_CBC); I surely miss a point here, but why do you call the CBC self test twice here? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1243#note_336653998 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue May 5 15:08:54 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 05 May 2020 13:08:54 +0000 Subject: [gnutls-devel] GnuTLS | fips: leftover fixes (!1243) In-Reply-To: References: Message-ID: Stephan Mueller commented: I have no comments to the RSA changes. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1243#note_336655197 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue May 5 16:00:00 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 05 May 2020 14:00:00 +0000 Subject: [gnutls-devel] GnuTLS | fips: leftover fixes (!1243) In-Reply-To: References: Message-ID: Daiki Ueno commented on a discussion on lib/fips.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1243#note_336696605 > goto error; > } > > + ret = gnutls_cipher_self_test(0, GNUTLS_CIPHER_AES_256_CBC); Sorry, it was already applied as facea2b7659e11efce7014bda8800574d35dd05d. I wonder why git didn't complain :-) -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1243#note_336696605 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue May 5 16:00:00 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 05 May 2020 14:00:00 +0000 Subject: [gnutls-devel] GnuTLS | fips: leftover fixes (!1243) In-Reply-To: References: Message-ID: All discussions on Merge Request !1243 were resolved by Daiki Ueno https://gitlab.com/gnutls/gnutls/-/merge_requests/1243 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1243 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed May 6 01:14:04 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 05 May 2020 23:14:04 +0000 Subject: [gnutls-devel] libtasn1 | Update testing routines (!64) References: Message-ID: Dmitry Baryshkov created a merge request: https://gitlab.com/gnutls/libtasn1/-/merge_requests/64 Branches: tmp-tests to master Author: Dmitry Baryshkov Add a description of the new feature/bug fix. Reference any relevant bugs. ## Checklist * [x] Code modified for feature * [ ] Test suite updated with functionality tests * [ ] Test suite updated with negative tests * [ ] Documentation updated ## Reviewer's checklist: * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent with other code * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/-/merge_requests/64 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed May 6 03:16:34 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 06 May 2020 01:16:34 +0000 Subject: [gnutls-devel] libtasn1 | fuzz: add fuzzers for asn1_get_length_b/der (!65) References: Message-ID: Dmitry Baryshkov created a merge request: https://gitlab.com/gnutls/libtasn1/-/merge_requests/65 Branches: tmp-length-fuzz to master Author: Dmitry Baryshkov Add a description of the new feature/bug fix. Reference any relevant bugs. ## Checklist * [x] Code modified for feature * [x] Test suite updated with functionality tests * [ ] Test suite updated with negative tests * [ ] Documentation updated ## Reviewer's checklist: * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent with other code * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/-/merge_requests/65 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed May 6 14:10:39 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 06 May 2020 12:10:39 +0000 Subject: [gnutls-devel] GnuTLS | accelerated: use AES-NI for AES-XTS when available (!1244) References: Message-ID: Anderson Sasaki created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1244 Project:Branches: ansasaki/gnutls:aesni-xts to gnutls/gnutls:master Author: Anderson Sasaki Add a wrapper for the optimized CRYPTOGAMS AES-XTS implementation already present in the generated assembly code. It also enables AES-XTS in `gnutls-cli --benchmark-ciphers`. Running the benchmark locally (Intel(R) Core(TM) i7-7600U CPU @ 2.80GHz) before the changes, these are the results: ``` $ ./src/gnutls-cli --benchmark-ciphers | grep AES-.*-XTS AES-128-XTS 0.79 GB/sec AES-256-XTS 0.66 GB/sec ``` And after applying the changes: ``` $ ./src/gnutls-cli --benchmark-ciphers | grep AES-.*-XTS AES-128-XTS 5.69 GB/sec AES-256-XTS 4.14 GB/sec ``` Which gives approximately 7 times increased performance. ## Checklist * [x] Commits have `Signed-off-by:` with name/author being identical to the commit author * [x] Code modified for feature * [ ] Test suite updated with functionality tests * [ ] Test suite updated with negative tests * [ ] Documentation updated / NEWS entry present (for non-trivial changes) * [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout) ## Reviewer's checklist: * [ ] Any issues marked for closing are addressed * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md` * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1244 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed May 6 19:16:30 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 06 May 2020 17:16:30 +0000 Subject: [gnutls-devel] libtasn1 | Misc fixes for documentation (!66) References: Message-ID: Dmitry Baryshkov created a merge request: https://gitlab.com/gnutls/libtasn1/-/merge_requests/66 Branches: tmp-fix-docs to master Author: Dmitry Baryshkov Add a description of the new feature/bug fix. Reference any relevant bugs. ## Checklist * [x] Code modified for feature * [ ] Test suite updated with functionality tests * [ ] Test suite updated with negative tests * [x] Documentation updated ## Reviewer's checklist: * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent with other code * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/-/merge_requests/66 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu May 7 16:29:01 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 07 May 2020 14:29:01 +0000 Subject: [gnutls-devel] GnuTLS | Cannot connect to https://www.openbsd.org (#984) References: Message-ID: P H created an issue: https://gitlab.com/gnutls/gnutls/-/issues/984 ## Description of problem: Neither gnutls-cli nor applications linked against gnutls can connect to https://www.openbsd.org. ## Version of gnutls used: 3.6.13 ## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL) Arch Linux, Ubuntu 20.04 ## How reproducible: $ gnutls-cli openbsd.org ## Actual results: $ gnutls-cli openbsd.org Processed 150 CA certificate(s). Resolving 'openbsd.org:443'... Connecting to '129.128.5.194:443'... *** Fatal error: An illegal parameter has been received. See attachments for debug output: - [debug-arch.log](/uploads/ab6998c302967cd7867f438f37458e6f/debug-arch.log) - [debug-ubuntu-2004.log](/uploads/b0f5621b87df041ad125e796e5bfecbf/debug-ubuntu-2004.log) IIUC, this is the culprit: Signature algorithm RSA-SHA256 is not enabled ## Expected results: Connection established. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/984 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu May 7 16:52:23 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 07 May 2020 14:52:23 +0000 Subject: [gnutls-devel] GnuTLS | Cannot connect to https://www.openbsd.org (#984) In-Reply-To: References: Message-ID: Daiki Ueno commented: This looks like an issue in the server side (LibreSSL). In TLS 1.3, non-PSS RSA signature schemes are removed, while the server seems to sign the Certificate Verify message with RSA-SHA256, which is not permitted. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/984#note_338365439 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu May 7 16:55:06 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 07 May 2020 14:55:06 +0000 Subject: [gnutls-devel] GnuTLS | gnutls-cli: Add option to wait longer for resumption data (!1232) In-Reply-To: References: Message-ID: Daiki Ueno commented on a discussion on src/cli.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1232#note_338367388 > gnutls_datum_t edata = {NULL, 0}; > > if (gnutls_session_is_resumed(hd->session) == 0) { > - /* not resumed - obtain the session data */ > - ret = gnutls_session_get_data2(hd->session, &rdata); > - if (ret < 0) { > - rdata.data = NULL; > - } > + do { > + /* not resumed - obtain the session data */ > + ret = gnutls_session_get_data2(hd->session, &rdata); Other than the unnecessary wait, it looks good to me. Could you update the patch? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1232#note_338367388 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu May 7 16:59:41 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 07 May 2020 14:59:41 +0000 Subject: [gnutls-devel] GnuTLS | accelerated: use AES-NI for AES-XTS when available (!1244) In-Reply-To: References: Message-ID: Merge request https://gitlab.com/gnutls/gnutls/-/merge_requests/1244 was reviewed by Daiki Ueno -- Daiki Ueno started a new discussion on lib/accelerated/x86/aes-xts-x86-aesni.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1244#note_338371044 > + /* Size in bits of each half for block and tweak (=keysize * 8 / 2) */ > + keybits = keysize * 4; > + Should this also have the same check as !1233? -- Daiki Ueno started a new discussion on lib/accelerated/x86/aes-xts-x86-aesni.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1244#note_338371048 > + * > + * Author: Nikos Mavrogiannopoulos > + * Author: Anderson Toshiyuki Sasaki nit: we usually use the single ["Authors:"](https://www.gnu.org/prep/maintain/maintain.html#Crediting-Authors) (plural) line per file. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1244 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu May 7 17:00:17 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 07 May 2020 15:00:17 +0000 Subject: [gnutls-devel] GnuTLS | accelerated: use AES-NI for AES-XTS when available (!1244) In-Reply-To: References: Message-ID: Daiki Ueno commented: > Which gives approximately 7 times increased performance. Looks like a great improvement, thanks! -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1244#note_338371560 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu May 7 17:33:02 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 07 May 2020 15:33:02 +0000 Subject: [gnutls-devel] GnuTLS | GnuTLS leaks file descriptors in child processes (#985) References: Message-ID: Remi Denis-Courmont created an issue: https://gitlab.com/gnutls/gnutls/-/issues/985 ## Description of problem: A program using GnuTLS might (outside GnuTLS) spawn a child process. With POSIX systems, a multithread application can do this either via `fork()` then an `exec*()` family function, or via a `posix_spawn*()` family function. First (at fork time), the child process is created and inherits all the file descriptors of the parent. Then (at exec time), the file descriptors marked with the close-on-exec flag are closed; others are left open in the new executed program. To avoid leaks, all file descriptors should be marked close-on-exec (unless explicitly intended to be inherited). The program cannot know what file descriptors GnuTLS has opened, so GnuTLS has to set the flag. Furthermore because the application might have one thread using GnuTLS while another is forking, the flag must be set "atomically" while file descriptor is being allocated. Consequences of not closing the file descriptors vary with the type. For regular files, this can prevent un-mounting a file system. In the worst case, it might lead to privilege escalation if the child process has different privileges than the parent. POSIX.next specifies the "e" open flag for the `fopen()`, for instance `fopen(file, "re")`, and the `SOCK_CLOEXEC` socket type mask for `socket()`, for instance. POSIX.2008 already specifies `O_CLOEXEC` for the `open()` call. This is not a problem for the tests and sample programs in GnuTLS, but it is a problem for the few `fopen()` calls within the library itself. ## Version of gnutls used: 3.6.13-49-gd51399272 ## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL) upstream -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/985 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu May 7 18:09:25 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 07 May 2020 16:09:25 +0000 Subject: [gnutls-devel] GnuTLS | gnutls-cli: Add option to wait longer for resumption data (!1232) In-Reply-To: References: Message-ID: Anderson Sasaki commented on a discussion on src/cli.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1232#note_338419060 > gnutls_datum_t edata = {NULL, 0}; > > if (gnutls_session_is_resumed(hd->session) == 0) { > - /* not resumed - obtain the session data */ > - ret = gnutls_session_get_data2(hd->session, &rdata); > - if (ret < 0) { > - rdata.data = NULL; > - } > + do { > + /* not resumed - obtain the session data */ > + ret = gnutls_session_get_data2(hd->session, &rdata); Sure, I'll remove the wait. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1232#note_338419060 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu May 7 18:10:33 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 07 May 2020 16:10:33 +0000 Subject: [gnutls-devel] libtasn1 | parser: fix parser2tree memory leak (and parsing error) (!67) References: Message-ID: Dmitry Baryshkov created a merge request: https://gitlab.com/gnutls/libtasn1/-/merge_requests/67 Branches: tmp-fix-16159 to master Author: Dmitry Baryshkov Add a description of the new feature/bug fix. Reference any relevant bugs. ## Checklist * [x] Code modified for feature * [x] Test suite updated with functionality tests * [ ] Test suite updated with negative tests * [ ] Documentation updated ## Reviewer's checklist: * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent with other code * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/-/merge_requests/67 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu May 7 18:15:52 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 07 May 2020 16:15:52 +0000 Subject: [gnutls-devel] libtasn1 | parser: fix parser2tree memory leak (and parsing error) (!67) In-Reply-To: References: Message-ID: Merge Request !67 was approved by Tim R?hsen Merge Request url: https://gitlab.com/gnutls/libtasn1/-/merge_requests/67 Branches: tmp-fix-16159 to master Author: Dmitry Baryshkov Assignees: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/-/merge_requests/67 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu May 7 18:15:55 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 07 May 2020 16:15:55 +0000 Subject: [gnutls-devel] GnuTLS | accelerated: use AES-NI for AES-XTS when available (!1244) In-Reply-To: References: Message-ID: Merge request https://gitlab.com/gnutls/gnutls/-/merge_requests/1244 was reviewed by Anderson Sasaki -- Anderson Sasaki commented on a discussion on lib/accelerated/x86/aes-xts-x86-aesni.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1244#note_338422876 > + /* Size in bits of each half for block and tweak (=keysize * 8 / 2) */ > + keybits = keysize * 4; > + I will replace ``memcmp()`` with ``safe_memcmp()`` and set the library state only in FIPS mode. -- Anderson Sasaki commented on a discussion on lib/accelerated/x86/aes-xts-x86-aesni.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1244#note_338422878 > + * > + * Author: Nikos Mavrogiannopoulos > + * Author: Anderson Toshiyuki Sasaki I'll fix it. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1244 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu May 7 18:18:01 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 07 May 2020 16:18:01 +0000 Subject: [gnutls-devel] libtasn1 | Misc fixes for documentation (!66) In-Reply-To: References: Message-ID: Merge Request !66 was approved by Tim R?hsen Merge Request url: https://gitlab.com/gnutls/libtasn1/-/merge_requests/66 Branches: tmp-fix-docs to master Author: Dmitry Baryshkov Assignees: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/-/merge_requests/66 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu May 7 18:18:10 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 07 May 2020 16:18:10 +0000 Subject: [gnutls-devel] libtasn1 | Misc fixes for documentation (!66) In-Reply-To: References: Message-ID: Merge Request !66 was merged Merge Request url: https://gitlab.com/gnutls/libtasn1/-/merge_requests/66 Branches: tmp-fix-docs to master Author: Dmitry Baryshkov Assignees: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/-/merge_requests/66 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu May 7 18:18:10 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 07 May 2020 16:18:10 +0000 Subject: [gnutls-devel] libtasn1 | GTK-DOC warnings (#20) In-Reply-To: References: Message-ID: Issue was closed by Tim R?hsen via merge request !66 (https://gitlab.com/gnutls/libtasn1/-/merge_requests/66) Issue #20: https://gitlab.com/gnutls/libtasn1/-/issues/20 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/-/issues/20 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu May 7 18:24:33 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 07 May 2020 16:24:33 +0000 Subject: [gnutls-devel] libtasn1 | fuzz: add fuzzers for asn1_get_length_b/der (!65) In-Reply-To: References: Message-ID: Tim R?hsen started a new discussion on fuzz/asn1_get_length_ber_fuzzer.c: https://gitlab.com/gnutls/libtasn1/-/merge_requests/65#note_338427676 > + * You should have received a copy of the GNU Lesser General Public License > + * along with libtasn1. If not, see . > + * > + * This fuzzer is testing asn1_get_length_ber()'s robustness with arbitrary > + * input data. > + */ > + > +#include > + > +#include "libtasn1.h" > +#include "fuzzer.h" > + > +int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) > +{ > + int ret_len; > + We should always limit the size here to avoid excessive wasting of CPU for nothing. Whatever makes, it could be like `if (size < 1024) return 0;`. But maybe even 512 is good enough. The smaller we can make it, the faster is the fuzzer in finding issues. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/-/merge_requests/65#note_338427676 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu May 7 18:25:31 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 07 May 2020 16:25:31 +0000 Subject: [gnutls-devel] libtasn1 | fuzz: add fuzzers for asn1_get_length_b/der (!65) In-Reply-To: References: Message-ID: Tim R?hsen commented on a discussion on fuzz/asn1_get_length_ber_fuzzer.c: https://gitlab.com/gnutls/libtasn1/-/merge_requests/65#note_338428139 > + * You should have received a copy of the GNU Lesser General Public License > + * along with libtasn1. If not, see . > + * > + * This fuzzer is testing asn1_get_length_ber()'s robustness with arbitrary > + * input data. > + */ > + > +#include > + > +#include "libtasn1.h" > +#include "fuzzer.h" > + > +int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) > +{ > + int ret_len; > + Else LGTM. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/-/merge_requests/65#note_338428139 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu May 7 18:25:35 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 07 May 2020 16:25:35 +0000 Subject: [gnutls-devel] libtasn1 | fuzz: add fuzzers for asn1_get_length_b/der (!65) In-Reply-To: References: Message-ID: Merge Request !65 was approved by Tim R?hsen Merge Request url: https://gitlab.com/gnutls/libtasn1/-/merge_requests/65 Branches: tmp-length-fuzz to master Author: Dmitry Baryshkov Assignees: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/-/merge_requests/65 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu May 7 18:29:13 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 07 May 2020 16:29:13 +0000 Subject: [gnutls-devel] libtasn1 | fuzz: add fuzzers for asn1_get_length_b/der (!65) In-Reply-To: References: Message-ID: Dmitry Baryshkov commented on a discussion on fuzz/asn1_get_length_ber_fuzzer.c: https://gitlab.com/gnutls/libtasn1/-/merge_requests/65#note_338430136 > + * You should have received a copy of the GNU Lesser General Public License > + * along with libtasn1. If not, see . > + * > + * This fuzzer is testing asn1_get_length_ber()'s robustness with arbitrary > + * input data. > + */ > + > +#include > + > +#include "libtasn1.h" > +#include "fuzzer.h" > + > +int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) > +{ > + int ret_len; > + I will give it a though. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/-/merge_requests/65#note_338430136 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu May 7 18:29:37 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 07 May 2020 16:29:37 +0000 Subject: [gnutls-devel] libtasn1 | fuzz: add fuzzers for asn1_get_length_b/der (!65) In-Reply-To: References: Message-ID: Dmitry Baryshkov commented on a discussion on fuzz/asn1_get_length_ber_fuzzer.c: https://gitlab.com/gnutls/libtasn1/-/merge_requests/65#note_338430373 > + * You should have received a copy of the GNU Lesser General Public License > + * along with libtasn1. If not, see . > + * > + * This fuzzer is testing asn1_get_length_ber()'s robustness with arbitrary > + * input data. > + */ > + > +#include > + > +#include "libtasn1.h" > +#include "fuzzer.h" > + > +int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) > +{ > + int ret_len; > + I did not limit it mostly because of BER indefinite length parsing -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/-/merge_requests/65#note_338430373 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu May 7 20:51:09 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 07 May 2020 18:51:09 +0000 Subject: [gnutls-devel] GnuTLS | accelerated: use AES-NI for AES-XTS when available (!1244) In-Reply-To: References: Message-ID: All discussions on Merge Request !1244 were resolved by Anderson Sasaki https://gitlab.com/gnutls/gnutls/-/merge_requests/1244 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1244 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri May 8 14:12:05 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 08 May 2020 12:12:05 +0000 Subject: [gnutls-devel] libtasn1 | parser: fix parser2tree memory leak (and parsing error) (!67) In-Reply-To: References: Message-ID: Merge Request !67 was merged Merge Request url: https://gitlab.com/gnutls/libtasn1/-/merge_requests/67 Branches: tmp-fix-16159 to master Author: Dmitry Baryshkov Assignees: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/-/merge_requests/67 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri May 8 16:33:13 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 08 May 2020 14:33:13 +0000 Subject: [gnutls-devel] GnuTLS | gnutls-cli: Add option to wait longer for resumption data (!1232) In-Reply-To: References: Message-ID: All discussions on Merge Request !1232 were resolved by Daiki Ueno https://gitlab.com/gnutls/gnutls/-/merge_requests/1232 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1232 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri May 8 16:40:13 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 08 May 2020 14:40:13 +0000 Subject: [gnutls-devel] GnuTLS | gnutls-cli: Add option to wait longer for resumption data (!1232) In-Reply-To: References: Message-ID: Merge Request !1232 was merged Merge Request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1232 Project:Branches: ansasaki/gnutls:cli-wait-resumption to gnutls/gnutls:master Author: Anderson Sasaki Assignees: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1232 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri May 8 16:40:34 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 08 May 2020 14:40:34 +0000 Subject: [gnutls-devel] GnuTLS | gnutls-cli: Add option to wait longer for resumption data (!1232) In-Reply-To: References: Message-ID: Merge Request !1232 was approved by Daiki Ueno Merge Request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1232 Project:Branches: ansasaki/gnutls:cli-wait-resumption to gnutls/gnutls:master Author: Anderson Sasaki Assignees: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1232 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri May 8 16:40:51 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 08 May 2020 14:40:51 +0000 Subject: [gnutls-devel] GnuTLS | accelerated: use AES-NI for AES-XTS when available (!1244) In-Reply-To: References: Message-ID: Merge Request !1244 was approved by Daiki Ueno Merge Request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1244 Project:Branches: ansasaki/gnutls:aesni-xts to gnutls/gnutls:master Author: Anderson Sasaki Assignees: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1244 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri May 8 16:42:19 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 08 May 2020 14:42:19 +0000 Subject: [gnutls-devel] GnuTLS | accelerated: use AES-NI for AES-XTS when available (!1244) In-Reply-To: References: Message-ID: Merge Request !1244 was merged Merge Request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1244 Project:Branches: ansasaki/gnutls:aesni-xts to gnutls/gnutls:master Author: Anderson Sasaki Assignees: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1244 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri May 8 16:44:11 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 08 May 2020 14:44:11 +0000 Subject: [gnutls-devel] GnuTLS | GnuTLS reports "import error: Error in the certificate" while OpenSSL and ZCertificate don't (#986) References: Message-ID: Chu Chen created an issue: https://gitlab.com/gnutls/gnutls/-/issues/986 ## Description of problem: GnuTLS reports "import error: Error in the certificate" while OpenSSL and ZCertificate don't ## Version of gnutls used: 3.5.5 ## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL) Ubuntu 18.04 x64 ## How reproducible: Steps to Reproduce: * certtool -i -infile path/to/cert_file ## Actual results: "import error: Error in the certificate" ## Expected results: No discrepancy between GnuTLS and OpenSSL/ZCertificate for this cert. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/986 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri May 8 16:48:21 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 08 May 2020 14:48:21 +0000 Subject: [gnutls-devel] GnuTLS | There is no 'signature' in the part of 'tbsCertificate' (#983) In-Reply-To: References: Message-ID: Issue was closed by Daiki Ueno Issue #983: https://gitlab.com/gnutls/gnutls/-/issues/983 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/983 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri May 8 16:48:20 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 08 May 2020 14:48:20 +0000 Subject: [gnutls-devel] GnuTLS | There is no 'signature' in the part of 'tbsCertificate' (#983) In-Reply-To: References: Message-ID: Daiki Ueno commented: > As RFC 5280, 'signature' in 'tbsCertificate' is parsed. Although it is not displayed as part of the tbsCertificate (because the RFC says the value must be equivalent to the outer signatureAlgorithm, there is no point in showing it twice), it is checked when reading a certificate from PEM: https://gitlab.com/gnutls/gnutls/-/blob/master/lib/x509/x509.c#L321 I think you can verify that if you create a bogus certificate with a mismatched tbsCertificate.signature. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/983#note_339128307 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri May 8 16:56:00 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 08 May 2020 14:56:00 +0000 Subject: [gnutls-devel] GnuTLS | GnuTLS leaks file descriptors in child processes (#985) In-Reply-To: References: Message-ID: Daiki Ueno commented: Thank you for the report with the detail. I guess we can make use of `set_cloexec_flag` from Gnulib. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/985#note_339132711 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri May 8 16:59:04 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 08 May 2020 14:59:04 +0000 Subject: [gnutls-devel] GnuTLS | Cannot connect to https://www.openbsd.org (#984) In-Reply-To: References: Message-ID: P H commented: Alright, I forwarded the issue to [misc at openbsd.org](https://marc.info/?l=openbsd-misc&m=158894917805358&w=2). Thank you! -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/984#note_339135222 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri May 8 17:01:25 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 08 May 2020 15:01:25 +0000 Subject: [gnutls-devel] GnuTLS | Add support for AES Key Wrap (#976) In-Reply-To: References: Message-ID: Nicolas Mora started a new discussion: https://gitlab.com/gnutls/gnutls/-/issues/976#note_339136737 @lumag , as I said, I'd use AES key wrapping to implement the key management algorithm specified in the [JWA specifications](https://tools.ietf.org/html/rfc7518#section-4): > A128KW, A192KW, A256KW, A128GCMKW, A192GCMKW, A256GCMKW, and those where AESKW is used in complement with other key management algs: ECDH-ES+A128KW, ECDH-ES+A192KW, ECDH-ES+A256KW, PBES2-HS256+A128KW, PBES2-HS384+A192KW and PBES2-HS512+A256KW I develop a [library](https://github.com/babelouest/rhonabwy) that implements JOSE specifications in C, with GnuTLS as cryptographic library, in order to manage JWK, JWS, JWE and JWT. Some of the key management algorithms described in the JWE specification can't be implemented as-is using GnuTLS. I would be very grateful if GnuTLS would implement those algorithms. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/976#note_339136737 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri May 8 17:04:27 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 08 May 2020 15:04:27 +0000 Subject: [gnutls-devel] GnuTLS | GnuTLS parsed a cert without error. But ZCertificate reported the error that the modulus is not a positive number (#987) References: Message-ID: Chu Chen created an issue: https://gitlab.com/gnutls/gnutls/-/issues/987 ## Description of problem: GnuTLS parsed a cert without error. But ZCertificate reported the error that the modulus is not a positive number ## Version of gnutls used: 3.5.5 ## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL) Ubuntu 18.04 x64 ## How reproducible: Steps to Reproduce: * certtool -i -infile path/to/cert_file ## Actual results: GnuTLS parsed a cert without error. But ZCertificate reported the error "level=error msg="could not parse certificate: x509: RSA modulus is not a positive number". ## Expected results: No discrepancy between GnuTLS and ZCertificate. [cert-example-ie-cer02.zip](/uploads/39891d7cc28d70395c92bd0c9c1ff8e5/cert-example-ie-cer02.zip) -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/987 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri May 8 17:39:54 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 08 May 2020 15:39:54 +0000 Subject: [gnutls-devel] GnuTLS | GnuTLS does not recognize the extension "Netscape Cert Type" (#988) References: Message-ID: Chu Chen created an issue: https://gitlab.com/gnutls/gnutls/-/issues/988 ## Description of problem: GnuTLS does not recognize the extension "Netscape Cert Type" ## Version of gnutls used: 3.5.5 ## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL) Ubuntu 18.04 ## How reproducible: Steps to Reproduce: * certtool -i -infile path/to/cert_file ## Actual results: GnuTLS recognizes the extension "Netscape Cert Type" as an unknown extension. ## Expected results: GnuTLS recognizes the extension "Netscape Cert Type".[cert-example-ie-cer01.zip](/uploads/432cf192de1d6e60864745c217cb9d70/cert-example-ie-cer01.zip) -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/988 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri May 8 17:44:09 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 08 May 2020 15:44:09 +0000 Subject: [gnutls-devel] GnuTLS | Cannot connect to https://www.openbsd.org (#984) In-Reply-To: References: Message-ID: Maarten Boekhold commented: I have a similar issue with Ubuntu Focal Fossa (completely fresh install, updated with all the latest updates). ``` $ gnutls-cli github.com Processed 128 CA certificate(s). Resolving 'github.com:443'... Connecting to '140.82.118.4:443'... *** Fatal error: The operation timed out ``` As a consequence, the following doesn't work: ``` GIT_CURL_VERBOSE=1 git clone https://github.com/prominic/groovy-language-server.git Cloning into 'groovy-language-server'... * Couldn't find host github.com in the .netrc file; using defaults * Trying 140.82.118.4:443... * TCP_NODELAY set * Connected to github.com (140.82.118.4) port 443 (#0) * found 388 certificates in /etc/ssl/certs * ALPN, offering h2 * ALPN, offering http/1.1 * gnutls_handshake() failed: Error in the pull function. * Closing connection 0 fatal: unable to access 'https://github.com/prominic/groovy-language-server.git/': gnutls_handshake() failed: Error in the pull function. ``` or ``` echo "deb https://download.mono-project.com/repo/ubuntu stable-bionic main" | sudo tee /etc/apt/sources.list.d/mono-official-stable.list sudo apt update ... Get:11 http://ae.archive.ubuntu.com/ubuntu focal-updates/universe i386 Packages [20.0 kB] Get:12 http://ae.archive.ubuntu.com/ubuntu focal-updates/universe amd64 Packages [27.2 kB] Ign:13 https://download.mono-project.com/repo/ubuntu stable-bionic InRelease Err:14 https://download.mono-project.com/repo/ubuntu stable-bionic Release Could not wait for server fd - select (11: Resource temporarily unavailable) [IP: 152.199.19.161 443] ``` For the error, I get either `Timeout` or `gnutls_handshake() failed: Error in the pull function.` Versions: ``` $ apt show libgnutls30 Package: libgnutls30 Version: 3.6.13-2ubuntu1 $ apt show gnutls-bin Package: gnutls-bin Version: 3.6.13-2ubuntu1 ``` OpenSSL-linked curl works fine, so do browsers, wget... I also have a Linux Mint 19.2 VM (based on Ubuntu bionic), where I have none of these issues. On the same network btw. No proxies involved here, no authentication required anywhere. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/984#note_339171011 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri May 8 18:03:39 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 08 May 2020 16:03:39 +0000 Subject: [gnutls-devel] GnuTLS | GnuTLS leaks file descriptors in child processes (#985) In-Reply-To: References: Message-ID: Remi Denis-Courmont commented: I doubt that. Normally you need the flag to be set atomically in multi-thread context. That's the whole point of using *_CLOEXEC flags. Otherwise there is a race if a thread calls `fork()` between the `fopen()` and the `set_close_exec()` flag. `fork()` copies the flag at the time of forking. For instance: * Thread A calls `gnutls_handshake()`... which opens the master key log file wit `fopen()`. * This creates a new file descriptor (without close-on-exec flag). * Thread B calls `fork()` from application code. * The file descriptor is copied into the child process (also without the close-on-exec flag). * Thread A calls `set_cloese_exec()` (or directly `fcntl()`). * This sets the flag on the parent process FD, but not the child process FD. * Child process calls `execv()` oblivious to the FD. The master key log FD is leaked to the child process. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/985#note_339180992 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri May 8 18:05:28 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 08 May 2020 16:05:28 +0000 Subject: [gnutls-devel] GnuTLS | GnuTLS does not recognize the extension "commonName" (#989) References: Message-ID: Chu Chen created an issue: https://gitlab.com/gnutls/gnutls/-/issues/989 ## Description of problem: GnuTLS does not recognize the extension "commonName" ## Version of gnutls used: 3.5.5 ## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL) Ubuntu 18.04 ## How reproducible: Steps to Reproduce: * certtool -i -infile path/to/cert_file ## Actual results: GnuTLS recognize the extension "commonName" as unknown. ## Expected results: GnuTLS recognizes[cert-example-ie-cer02.zip](/uploads/23f679bf642035091af682bfed346260/cert-example-ie-cer02.zip) the extension "commonName" -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/989 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri May 8 18:45:09 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 08 May 2020 16:45:09 +0000 Subject: [gnutls-devel] GnuTLS | Connect connect to github.com, download.mono-project.com (#990) References: Message-ID: Maarten Boekhold created an issue: https://gitlab.com/gnutls/gnutls/-/issues/990 ## Description of problem: GnuTLS based applications fail to connect to github.com and download.monoproject.com ## Version of gnutls used: 3.6.13 ## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL) Ubuntu 20.04 Focal Fossa ## How reproducible: Consistently reproducable Steps to Reproduce: `git clone https://github.com/prominic/groovy-language-server.git` ``` echo "deb https://download.mono-project.com/repo/ubuntu stable-bionic main" | sudo tee /etc/apt/sources.list.d/mono-official-stable.list sudo apt update ``` ## Actual results: **GIT_CURL_VERBOSE=1 git clone https://github.com/prominic/groovy-language-server.git** ``` Cloning into 'groovy-language-server'... * Couldn't find host github.com in the .netrc file; using defaults * Trying 140.82.118.4:443... * TCP_NODELAY set * Connected to github.com (140.82.118.4) port 443 (#0) * found 388 certificates in /etc/ssl/certs * ALPN, offering h2 * ALPN, offering http/1.1 * gnutls_handshake() failed: Error in the pull function. * Closing connection 0 fatal: unable to access 'https://github.com/prominic/groovy-language-server.git/': gnutls_handshake() failed: Error in the pull function. ``` **sudo apt update*** ``` ... Get:11 http://ae.archive.ubuntu.com/ubuntu focal-updates/universe i386 Packages [20.0 kB] Get:12 http://ae.archive.ubuntu.com/ubuntu focal-updates/universe amd64 Packages [27.2 kB] Ign:13 https://download.mono-project.com/repo/ubuntu stable-bionic InRelease Err:14 https://download.mono-project.com/repo/ubuntu stable-bionic Release Could not wait for server fd - select (11: Resource temporarily unavailable) [IP: 152.199.19.161 443] ``` ## Expected results: * `git clone` succeeds * `sudo apt update` succeeds I already posted about this in https://gitlab.com/gnutls/gnutls/-/issues/984#note_339171011 but in hindsight I don't think this is the same issue, so I'm creating a separate issue for this. ``` $ gnutls-cli github.com Processed 128 CA certificate(s). Resolving 'github.com:443'... Connecting to '140.82.118.4:443'... *** Fatal error: The operation timed out ``` Versions: ``` $ apt show libgnutls30 Package: libgnutls30 Version: 3.6.13-2ubuntu1 $ apt show gnutls-bin Package: gnutls-bin Version: 3.6.13-2ubuntu1 ``` OpenSSL-linked curl works fine, so do browsers, wget... I also have a Linux Mint 19.2 VM (based on Ubuntu bionic), where I have none of these issues. On the same network btw. No proxies involved here, no authentication required anywhere.[debug.txt](/uploads/671e3bac6aff762ea9c69273cb2f3128/debug.txt) -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/990 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri May 8 18:57:18 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 08 May 2020 16:57:18 +0000 Subject: [gnutls-devel] GnuTLS | GnuTLS does not recognize the DirName and serial of the extension AKI (#991) References: Message-ID: Chu Chen created an issue: https://gitlab.com/gnutls/gnutls/-/issues/991 ## Description of problem: GnuTLS does not recognize the DirName and serial of the extension AKI. ## Version of gnutls used: 3.5.5 ## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL) Ubuntu 18.04 ## How reproducible: Steps to Reproduce: * certtool -i --infile path/to/cert_file ## Actual results: GnuTLS does not recognize the DirName and serial of the extension AKI while OpenSSL recognizes the two fields of AKI. ## Expected results: GnuTLS recognizeS the DirName and serial of the extension AKI.[cert-example-ie-cer06.zip](/uploads/abba4aa1bfc6d7c30a57b5e549413c92/cert-example-ie-cer06.zip) -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/991 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri May 8 19:20:35 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 08 May 2020 17:20:35 +0000 Subject: [gnutls-devel] GnuTLS | GnuTLS does not correctly recognize policies in the extension certificate policies (#992) References: Message-ID: Chu Chen created an issue: https://gitlab.com/gnutls/gnutls/-/issues/992 ## Description of problem: GnuTLS does not correctly recognize policies in the extension certificate policies ## Version of gnutls used: 3.5.5 ## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL) Ubuntu 18.04 ## How reproducible: Steps to Reproduce: * certtool -i --infile path/to/cert_file ## Actual results: Unknown extension 1.3.6.1.4.1.311.21.1 (not critical): ASCII: ... Hexdump: 020100 ## Expected results: X509v3 Certificate Policies: Policy: X509v3 Any Policy Policy: 1.3.6.1.4.1.311.76.509.1.1 CPS: http://www.microsoft.com/pkiops/Docs/Repository.htm[cert-example-ie-cer31.zip](/uploads/267fd084771ab27a1f3dda318a6ae630/cert-example-ie-cer31.zip) -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/992 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri May 8 19:28:58 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 08 May 2020 17:28:58 +0000 Subject: [gnutls-devel] GnuTLS | GnuTLS parsed the Netscape Comment to unknown extensions (#993) References: Message-ID: Chu Chen created an issue: https://gitlab.com/gnutls/gnutls/-/issues/993 ## Description of problem: GnuTLS parsed the Netscape Comment to unknown extensions ## Version of gnutls used: 3.5.5 ## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL) Ubuntu 18.04 ## How reproducible: Steps to Reproduce: * certtool -i --infile path/to/cert_file ## Actual results: Unknown extension 2.16.840.1.113730.1.13 (not critical): ASCII: .)StartCom Free SSL Certification Authority Hexdump: 16295374617274436f6d20467265652053534c2043657274696669636174696f6e20417574686f72697479 ## Expected results: Netscape Comment: StartCom Free SSL Certification Authority[cert-example-ie-cer40.zip](/uploads/5be63f1e0043092c9d6cd7559e14e1a3/cert-example-ie-cer40.zip) -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/993 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri May 8 21:10:24 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 08 May 2020 19:10:24 +0000 Subject: [gnutls-devel] libtasn1 | fuzz: add fuzzers for asn1_get_length_b/der (!65) In-Reply-To: References: Message-ID: Tim R?hsen commented on a discussion on fuzz/asn1_get_length_ber_fuzzer.c: https://gitlab.com/gnutls/libtasn1/-/merge_requests/65#note_339274974 > + * You should have received a copy of the GNU Lesser General Public License > + * along with libtasn1. If not, see . > + * > + * This fuzzer is testing asn1_get_length_ber()'s robustness with arbitrary > + * input data. > + */ > + > +#include > + > +#include "libtasn1.h" > +#include "fuzzer.h" > + > +int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) > +{ > + int ret_len; > + No limit will possibly blow up the size of corpora. And maybe parsing a 200 bytes field may have the same code path as parsing 20 kb. As long as there are no fixed length buffers in the code, I see no benefit in arbitrary input sizes. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/-/merge_requests/65#note_339274974 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri May 8 21:35:07 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 08 May 2020 19:35:07 +0000 Subject: [gnutls-devel] GnuTLS | GnuTLS adds an escape symbol before comma (#994) References: Message-ID: Chu Chen created an issue: https://gitlab.com/gnutls/gnutls/-/issues/994 ## Description of problem: GnuTLS adds an escape symbol before comma while OpenSSL and ZCertificate do not. ## Version of gnutls used: 3.5.5 ## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL) Ubuntu 18.04 ## How reproducible: Steps to Reproduce: * certtool -i --infile path/to/cert ## Actual results: Issuer: C=US,O=VeriSign\, Inc.,OU=Class 3 Public Primary Certification Authority ## Expected results: Issuer: C=US,O=VeriSign[cert-example-ie-cer01.zip](/uploads/b768902a188755cb0282fc34374c7069/cert-example-ie-cer01.zip), Inc.,OU=Class 3 Public Primary Certification Authority -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/994 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat May 9 00:52:37 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 08 May 2020 22:52:37 +0000 Subject: [gnutls-devel] GnuTLS | Cannot connect to https://www.openbsd.org (#984) In-Reply-To: References: Message-ID: Bob Beck commented: I can confirm this is not a gnuTLS issue. www.openbsd.org is running the server side 1.3 code for libressl (which is not yet released) and indeed this was our bug. You'll proabably find it works now, I suggest this issue be closed. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/984#note_339339928 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat May 9 06:30:12 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sat, 09 May 2020 04:30:12 +0000 Subject: [gnutls-devel] GnuTLS | Cannot connect to https://www.openbsd.org (#984) In-Reply-To: References: Message-ID: Daiki Ueno commented: Thank you for the update (and the fix; I confirm it works now). -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/984#note_339372023 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat May 9 06:30:12 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sat, 09 May 2020 04:30:12 +0000 Subject: [gnutls-devel] GnuTLS | Cannot connect to https://www.openbsd.org (#984) In-Reply-To: References: Message-ID: Issue was closed by Daiki Ueno Issue #984: https://gitlab.com/gnutls/gnutls/-/issues/984 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/984 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat May 9 08:06:10 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sat, 09 May 2020 06:06:10 +0000 Subject: [gnutls-devel] GnuTLS | Cannot connect to github.com, download.mono-project.com (#990) In-Reply-To: References: Message-ID: Maarten Boekhold commented: OK, this is depressing. I just fired up an Ubuntu Server 20.04 instance on AWS in eu-west-1a, and from there everything is working fine. Same version of the libgnutls30 and git packages. I'll leave aside for a moment the possibility that my router has anything to do with this (Ubiquity EdgeRouter-X FYI). So I'm wondering if this could have anything to do with traffic shaping/DPI that my telco provider is doing. I'm located in the UAE, where all traffic is monitored by the 2 telco providers. I need to reiterate however that OpenSSL-based applications seem to be tolerant to this. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/990#note_339379213 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat May 9 09:20:53 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sat, 09 May 2020 07:20:53 +0000 Subject: [gnutls-devel] GnuTLS | Cannot connect to github.com, download.mono-project.com (#990) In-Reply-To: References: Message-ID: Maarten Boekhold commented: Fun fact: I just realized that I did not have this issue while connecting to https://download.docker.com. Docker must be using a different version of TLS? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/990#note_339388942 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat May 9 18:52:54 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sat, 09 May 2020 16:52:54 +0000 Subject: [gnutls-devel] libtasn1 | coding.c: fix undefined behavior with pointer arithmetics (!63) In-Reply-To: References: Message-ID: Alexander Us commented: These look related to my change. I changed check for NULL to account for passed size. Clang-analyzer started to assume that condition before memcpy/memmove can be true if `der == NULL && max_len <= 0`: ``` if ((len_len + str_len) <= max_len) memcpy (der + len_len, str, str_len); ``` >From the code, len_len will always be greater than zero, however, it is hard to tell that str_len will be non-negative. I added explicit check for NULL in two suspicious places. ``` if (der && (len_len + str_len) <= max_len) memcpy (der + len_len, str, str_len); ``` -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/-/merge_requests/63#note_339470214 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat May 9 18:53:55 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sat, 09 May 2020 16:53:55 +0000 Subject: [gnutls-devel] GnuTLS | GnuTLS leaks file descriptors in child processes (#985) In-Reply-To: References: Message-ID: Daiki Ueno commented: Indeed. However, this doesn't apply every `fopen` in `lib/`. GnuTLS has the [design](https://www.gnutls.org/manual/gnutls.html#Thread-safety) that prohibits access to a single `gnutls_session_t` object from multiple threads, and also the global initialization within the ELF constructor should be protected. According to `git grep`, there are the following occurrences of `fopen`: ``` lib/auth/psk_passwd.c: fd = fopen(cred->password_file, "r"); lib/auth/srp_passwd.c: fd = fopen(pconf_file, "r"); lib/auth/srp_passwd.c: fd = fopen(cred->password_file, "r"); lib/file.c: fd = fopen(file, "r"); lib/fips.c: fd = fopen(FIPS_KERNEL_FILE, "r"); lib/inih/ini.c: file = fopen(filename, "r"); lib/kx.c: keylog = fopen(keylogfile, "a"); lib/minitasn1/structure.c: file = fopen (output_file_name, "w"); lib/pkcs11.c: fp = fopen(configfile, "r"); lib/verify-tofu.c: fd = fopen(file, "rb"); lib/verify-tofu.c: fd = fopen(db_name, "ab+"); lib/verify-tofu.c: fd = fopen(db_name, "ab+"); ``` I think the calls in `lib/auth/*` and `lib/file.c` can only reach from the `gnutls_session_t` interface. Similarly, the calls in `lib/fips.c` and `lib/inih/ini.c` are only reachable from the ELF constructor, and the function calling `fopen` in `lib/minitasn1/structure.c` is not used at all. The others (keylogfile, PKCS#11 config, and TOFU) might be still problematic, though. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/985#note_339470410 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat May 9 18:56:42 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sat, 09 May 2020 16:56:42 +0000 Subject: [gnutls-devel] GnuTLS | GnuTLS reports "import error: Error in the certificate" while OpenSSL and ZCertificate don't (#986) In-Reply-To: References: Message-ID: Daiki Ueno commented: Could you attached the certificate that causes the problem? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/986#note_339470843 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat May 9 19:05:42 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sat, 09 May 2020 17:05:42 +0000 Subject: [gnutls-devel] GnuTLS | Cannot connect to https://www.openbsd.org (#984) In-Reply-To: References: Message-ID: Bob Beck commented: So, in case you are curious, the bug was that we didn't force PSS as per spec when using tls 1.3. I just committed this in our tree: @@ -320,6 +320,12 @@ ssl_sigalg_select(SSL *s, EVP_PKEY *pkey if ((sigalg = ssl_sigalg(sig_alg, tls_sigalgs, tls_sigalgs_len)) == NULL) + continue; -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/984#note_339472213 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat May 9 19:22:14 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sat, 09 May 2020 17:22:14 +0000 Subject: [gnutls-devel] GnuTLS | GnuTLS leaks file descriptors in child processes (#985) In-Reply-To: References: Message-ID: Remi Denis-Courmont commented: The problem is another thread doing something unrelated to GnuTLS. GnuTLS leaks its file descriptor to forked children of other threads. The access rules on `gnutls_session_t` are irrelevant here. The point really is that libraries running in potentially multithread programs must set close-on-exec atomically regardless of their own internal threading rules. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/985#note_339474317 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun May 10 02:40:51 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sun, 10 May 2020 00:40:51 +0000 Subject: [gnutls-devel] GnuTLS | GnuTLS reports "import error: Error in the certificate" while OpenSSL and ZCertificate don't (#986) In-Reply-To: References: Message-ID: Chu Chen commented: [cert51.pem](/uploads/1c534ff660085f7f0010147d2ffa1309/cert51.pem) -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/986#note_339569027 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon May 11 05:06:52 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 11 May 2020 03:06:52 +0000 Subject: [gnutls-devel] GnuTLS | gnutls_pubkey_verify_data2 should support IEEEP1363 style ECDSA_SHA256 signatures (#995) References: Message-ID: Alan Jowett created an issue: https://gitlab.com/gnutls/gnutls/-/issues/995 ## Description of the feature: There are two formats for ECDSA_SHA256 signatures. IEEEP1363 and Rfc3279. Currently it appears as if GnuTLS only supports Rfc3279 signatures and .NET Core only supports IEEEP1363 signatures. ## Applications that this feature may be relevant to: Any application that uses gnutls_pubkey_verify_data2 ## Is this feature implemented in other libraries (and which) .NET Core is implementing is adding support for both forms. [.NET core issue](https://github.com/dotnet/runtime/issues/31548) -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/995 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon May 11 11:12:08 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 11 May 2020 09:12:08 +0000 Subject: [gnutls-devel] libtasn1 | Update testing routines (!64) In-Reply-To: References: Message-ID: Merge Request !64 was approved by Tim R?hsen Merge Request url: https://gitlab.com/gnutls/libtasn1/-/merge_requests/64 Branches: tmp-tests to master Author: Dmitry Baryshkov Assignees: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/-/merge_requests/64 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon May 11 11:12:13 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 11 May 2020 09:12:13 +0000 Subject: [gnutls-devel] libtasn1 | Update testing routines (!64) In-Reply-To: References: Message-ID: Merge Request !64 was merged Merge Request url: https://gitlab.com/gnutls/libtasn1/-/merge_requests/64 Branches: tmp-tests to master Author: Dmitry Baryshkov Assignees: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/-/merge_requests/64 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon May 11 14:05:10 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 11 May 2020 12:05:10 +0000 Subject: [gnutls-devel] GnuTLS | guile bindings do not build with pkgsrc (on NetBSD) (#996) References: Message-ID: Nikita Gillmann created an issue: https://gitlab.com/gnutls/gnutls/-/issues/996 I'm trying to make security/gnutls build with guile bindings (for guile 2.2). I can't really figure out right now if guild or the bindings are to be blamed for the error below. If I recall a conversation in 2019 where I looked at this, I came to the conclusion, that pkgsrc removes one part of the host identifies by default, which is why the assumption of complying to -<...>- does break. ``` gmake[4]: Leaving directory '/usr/work/security/gnutls/work/gnutls-3.6.13/guile/src' gmake[3]: Leaving directory '/usr/work/security/gnutls/work/gnutls-3.6.13/guile/src' gmake[3]: Entering directory '/usr/work/security/gnutls/work/gnutls-3.6.13/guile' GEN modules/gnutls.scm GUILEC modules/gnutls/extra.go GUILEC modules/gnutls.go Backtrace: Backtrace: 7 7 (apply-smob/1 #) (apply-smob/1 #) InIn ice-9/boot-9.scm:ice-9/boot-9.scm: 705:2 705:26 6 (call-with-prompt _ _ #) (call-with-prompt _ _ #) In ice-9/eval.scm: In ice-9/eval.scm: 619:8 5 (_ #(#(#))) 619:8 5 (_ #(#(#))) 155:9 4 (_ #(#(# ("comp?" ?)) #)) 155:9 4 (_ #(#(# ("comp?" ?)) #)) In srfi/srfi-1.scm: In srfi/srfi-1.scm: 640:9 3 640:9 3 (for-each # ?) (for-each # ?) In scripts/compile.scm: In scripts/compile.scm: 264:26 2 (_ _) 264:26 2 (_ _) In system/base/target.scm: In system/base/target.scm: 52:2 1 52:2 1 (with-target "x86_64--netbsd" #) In unknown file: 0 (scm-error misc-error #f "~A ~S" ("invalid target" "?") #) ERROR: In procedure scm-error: invalid target "x86_64--netbsd" (with-target "x86_64--netbsd" #) In unknown file: 0 (scm-error misc-error #f "~A ~S" ("invalid target" "?") #) ERROR: In procedure scm-error: invalid target "x86_64--netbsd" gmake[3]: *** [Makefile:2503: modules/gnutls.go] Error 1 gmake[3]: *** Waiting for unfinished jobs.... gmake[3]: *** [Makefile:2503: modules/gnutls/extra.go] Error 1 gmake[3]: Leaving directory '/usr/work/security/gnutls/work/gnutls-3.6.13/guile' gmake[2]: *** [Makefile:1982: all-recursive] Error 1 gmake[2]: Leaving directory '/usr/work/security/gnutls/work/gnutls-3.6.13/guile' gmake[1]: *** [Makefile:1744: all-recursive] Error 1 gmake[1]: Leaving directory '/usr/work/security/gnutls/work/gnutls-3.6.13' gmake: *** [Makefile:1671: all] Error 2 *** Error code 2 Stop. make[1]: stopped in /usr/pkgsrc/security/gnutls *** Error code 1 Stop. make: stopped in /usr/pkgsrc/security/gnutls ``` -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/996 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon May 11 14:19:40 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 11 May 2020 12:19:40 +0000 Subject: [gnutls-devel] GnuTLS | guile bindings do not build with pkgsrc (on NetBSD) (#996) In-Reply-To: References: Message-ID: civodul commented: Hi, > ERROR: In procedure scm-error: > invalid target "x86_64--netbsd" The problem is that `x86_64--netbsd` is not a valid triplet. A [valid triplet](https://www.gnu.org/savannah-checkouts/gnu/autoconf/manual/autoconf-2.69/html_node/Specifying-Target-Triplets.html) would be `x86_64-pc-netbsd` or `x86_64-unknown-netbsd`. That triplet was presumably passed as an option to `./configure`. Could you check the command-line options that `./configure` received? HTH! -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/996#note_340165294 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon May 11 14:44:14 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 11 May 2020 12:44:14 +0000 Subject: [gnutls-devel] GnuTLS | guile bindings do not build with pkgsrc (on NetBSD) (#996) In-Reply-To: References: Message-ID: Nikita Gillmann commented: ```x86_64--netbsd``` is pretty normal for us (in pkgsrc), I'll track down the file where it is set. ``` This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. It was created by GnuTLS configure 3.6.13, which was generated by GNU Autoconf 2.69. Invocation command line was $ ./configure --disable-openssl-compatibility --disable-libdane --without-idn --without-tpm --disable-valgrind-tests --with-default-trust-store-file=/usr/pkg/share/mozilla-rootcerts/cacert.pem --with-libintl-prefix=/usr --enable-local-libopts --enable-libdane --enable-guile --prefix=/usr/pkg --build=x86_64--netbsd --host=x86_64--netbsd --infodir=/usr/pkg/info --mandir=/usr/pkg/man --enable-option-checking=yes ``` ... ``` ## ----------- ## ## Core tests. ## ## ----------- ## configure:4536: checking build system type configure:4550: result: x86_64--netbsd configure:4570: checking host system type configure:4583: result: x86_64--netbsd ``` is produced by configure. this happens on platforms which don't set the vendor, for which some exist (pkgsrc targets many OS, NetBSD is just an example where it is not done). This is www/curl: ``` It was created by curl configure -, which was generated by GNU Autoconf 2.69. Invocation command line was $ ./configure --with-ssl=/usr --with-ca-path=/etc/openssl/certs --with-zlib=/u sr --enable-ipv6 --without-libssh2 --with-gssapi=/usr --with-gssapi-includes=/us r/include/gssapi --disable-ldap --without-librtmp --with-libidn2 --with-nghttp2= /usr/pkg --prefix=/usr/pkg --build=x86_64--netbsd --host=x86_64--netbsd --mandir =/usr/pkg/man --enable-option-checking=yes ## --------- ## ## Platform. ## ## --------- ## hostname = hex uname -m = amd64 uname -r = 9.0 uname -s = NetBSD uname -v = NetBSD 9.0 (GENERIC) #0: Fri Feb 14 00:06:28 UTC 2020 mkrepro at mkrepro.NetBSD.org:/usr/src/sys/arch/amd64/compile/GENERIC ``` in http://cvsweb.netbsd.org/bsdweb.cgi/pkgsrc/mk/bsd.prefs.mk?rev=1.407&content-type=text/x-cvsweb-markup you are looking for keyword ```MACHINE_GNU_PLATFORM``` specifically here: ```LOWER_VENDOR?= # empty ("arch--opsys")``` in addition to that we usually replace config.status with our own version to make it easier to patch if we require it. Following that the vendor string can be empty, the check for the vendor string should accept an empty string as well. Does this explanation make more sense? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/996#note_340183371 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon May 11 14:59:43 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 11 May 2020 12:59:43 +0000 Subject: [gnutls-devel] GnuTLS | guile bindings do not build with pkgsrc (on NetBSD) (#996) In-Reply-To: References: Message-ID: Nikita Gillmann commented: Another developer just summarized the issue as: the second component of the triple is optional, furthermore outside mingw and some linux distributions it has no value. So to assume the 2nd value must be a string and can not be an empty string is wrong. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/996#note_340194191 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon May 11 15:31:52 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 11 May 2020 13:31:52 +0000 Subject: [gnutls-devel] GnuTLS | GnuTLS reports "import error: Error in the certificate" while OpenSSL and ZCertificate don't (#986) In-Reply-To: References: Message-ID: Daiki Ueno commented: This is because `tbsCertificate.signature` doesn't match the outer `signatureAlgorithm`: ```console certtool -i --infile cert51.pem Setting log level to 10 |<2>| signatureAlgorithm.algorithm differs from tbsCertificate.signature.algorithm: 1.2.840.113549.1.1.5, 1.2.840.113549.1.1.11 |<3>| ASSERT: x509.c[compare_sig_algorithm]:330 |<3>| ASSERT: x509.c[gnutls_x509_crt_import]:615 |<3>| ASSERT: x509.c[gnutls_x509_crt_list_import]:3834 import error: Error in the certificate. ``` As mentioned in https://gitlab.com/gnutls/gnutls/-/issues/983#note_339128307, this is not permitted according to RFC 5280. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/986#note_340219147 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon May 11 15:31:52 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 11 May 2020 13:31:52 +0000 Subject: [gnutls-devel] GnuTLS | GnuTLS reports "import error: Error in the certificate" while OpenSSL and ZCertificate don't (#986) In-Reply-To: References: Message-ID: Issue was closed by Daiki Ueno Issue #986: https://gitlab.com/gnutls/gnutls/-/issues/986 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/986 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon May 11 16:34:00 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 11 May 2020 14:34:00 +0000 Subject: [gnutls-devel] GnuTLS | Cannot connect to github.com, download.mono-project.com (#990) In-Reply-To: References: Message-ID: Daiki Ueno commented: > OpenSSL-linked curl works fine [...] I guess the best way to diagnose this kind of issues would be to do a packet capture and compare the exchanged messages. That may require enabling decryption, which should be possible through the keylog file feature. Here is a tshark command line I use: ```console $ tshark -o "tls.desegment_ssl_records: TRUE" \ -o "tls.desegment_ssl_application_data: TRUE" \ -o "tls.keylog_file: $PWD/keylog.txt" \ -i lo -Px -O tls -Y "tcp.port == 443" $ SSLKEYLOGFILE=$PWD/keylog.txt gnutls-cli ... $ openssl s_client -keylogfile $PWD/keylog.txt -connect ... ``` -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/990#note_340271620 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon May 11 16:35:24 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 11 May 2020 14:35:24 +0000 Subject: [gnutls-devel] GnuTLS | GnuTLS leaks file descriptors in child processes (#985) In-Reply-To: References: Message-ID: Tim R?hsen commented: I agree with @Courmisch. We should add the 'open' gnulib module to `bootstrap.conf` which seems to provide a portable version of O_CLOEXEC (portable = best effort) for old or non-POSIX systems. The GNU libc allows 'e' for the fopen mode (Open the file with the O_CLOEXEC flag). I don't know how portable that is. It looks like gnulib doesn't support it explicitly - we could ask there to provide a compatibility layer. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/985#note_340272725 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon May 11 22:57:18 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 11 May 2020 20:57:18 +0000 Subject: [gnutls-devel] GnuTLS | Decode certificate policies OIDs (!1245) References: Message-ID: Dmitry Baryshkov created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1245 Project:Branches: GostCrypt/gnutls:cert-policies to gnutls/gnutls:master Author: Dmitry Baryshkov Add a description of the new feature/bug fix. Reference any relevant bugs. ## Checklist * [x] Commits have `Signed-off-by:` with name/author being identical to the commit author * [x] Code modified for feature * [x] Test suite updated with functionality tests * [ ] Test suite updated with negative tests * [ ] Documentation updated / NEWS entry present (for non-trivial changes) * [x] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout) ## Reviewer's checklist: * [ ] Any issues marked for closing are addressed * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md` * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1245 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon May 11 22:57:51 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 11 May 2020 20:57:51 +0000 Subject: [gnutls-devel] GnuTLS | fips: leftover fixes (!1243) In-Reply-To: References: Message-ID: Merge Request !1243 was approved by Dmitry Baryshkov Merge Request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1243 Branches: tmp-fips-leftover to master Author: Daiki Ueno Assignees: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1243 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue May 12 02:23:03 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 12 May 2020 00:23:03 +0000 Subject: [gnutls-devel] libtasn1 | Support reinstantiating OPTIONAL entries (#27) References: Message-ID: Dmitry Baryshkov created an issue: https://gitlab.com/gnutls/libtasn1/-/issues/27 ## Description of problem: It is not possible to reinstantiate deleted OPTIONAL field. It does not matter, why the field is deleted: because corresponding field was missing from parsed file or because it was explicitly deleted by `asn1_write_value` call. ## Version of libtasn1 used: 4.16 ## Distributor of libtasn1 (e.g., Ubuntu, Fedora, RHEL) Debian ## How reproducible: Steps to Reproduce: * delete the OPTIONAL field * try readding it ## Actual results: ## Expected results: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/-/issues/27 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue May 12 14:55:58 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 12 May 2020 12:55:58 +0000 Subject: [gnutls-devel] GnuTLS | Cannot connect to github.com, download.mono-project.com (#990) In-Reply-To: References: Message-ID: Maarten Boekhold commented: Hi, I don't really have the skills to do the comparison of the captures, however I'm attaching them here in the hope that somebody more knowledgeable about TLS can figure out what GnuTLS is doing differently. [openssl.capture.txt](/uploads/7031027ad555152896d06e8b9f317b42/openssl.capture.txt) [gnutls-cli.capture.txt](/uploads/7a9a9d851dc5d3b923607ed64d7b9fee/gnutls-cli.capture.txt) -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/990#note_340953262 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue May 12 19:37:59 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 12 May 2020 17:37:59 +0000 Subject: [gnutls-devel] GnuTLS | Decode certificate policies OIDs (!1245) In-Reply-To: References: Message-ID: Merge request https://gitlab.com/gnutls/gnutls/-/merge_requests/1245 was reviewed by Daiki Ueno -- Daiki Ueno started a new discussion on lib/x509/output.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1245#note_341185632 > + strcmp(cp_oid2str[i].oid, oid) == 0 && cp_oid2str[i].name_desc != NULL) > + return cp_oid2str[i].name_desc; > + i++; nit: why not just use a `for` loop? -- Daiki Ueno started a new discussion on lib/x509/output.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1245#note_341185633 > + do { > + if ((cp_oid2str[i].oid_size == len) && > + strcmp(cp_oid2str[i].oid, oid) == 0 && cp_oid2str[i].name_desc != NULL) nit: if length check is necessary, I would use `memcmp`. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1245 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue May 12 19:40:49 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 12 May 2020 17:40:49 +0000 Subject: [gnutls-devel] GnuTLS | GnuTLS leaks file descriptors in child processes (#985) In-Reply-To: References: Message-ID: Daiki Ueno commented on a discussion: https://gitlab.com/gnutls/gnutls/-/issues/985#note_341186948 I agree; that sounds like the best approach. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/985#note_341186948 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue May 12 19:42:04 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 12 May 2020 17:42:04 +0000 Subject: [gnutls-devel] GnuTLS | MAGMA/KUZNYECHIK CTR-ACPKM and CMAC support (!1161) In-Reply-To: References: Message-ID: Daiki Ueno commented: I suppose this could be simpler if rebased against the master where cmac.c is imported from nettle. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1161#note_341187493 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue May 12 20:18:25 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 12 May 2020 18:18:25 +0000 Subject: [gnutls-devel] GnuTLS | GnuTLS leaks file descriptors in child processes (#985) In-Reply-To: References: Message-ID: Tim R?hsen commented on a discussion: https://gitlab.com/gnutls/gnutls/-/issues/985#note_341204173 For reference: https://lists.gnu.org/archive/html/bug-gnulib/2020-05/msg00112.html -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/985#note_341204173 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue May 12 20:54:03 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 12 May 2020 18:54:03 +0000 Subject: [gnutls-devel] GnuTLS | GnuTLS leaks file descriptors in child processes (#985) In-Reply-To: References: Message-ID: Remi Denis-Courmont commented: As far as I know, there are two ways to solve this (and none else): - use the "e" flag to `fopen()` (specified in POSIX.next if I understood correctly, originating in glibc), or - use `open() with the `O_CLOEXEC` flag followed by `fdopen()` (specified in POSIX.2008 already). As to portability, you have four cases: 1) The OS does not support `fork()` (e.g. Windows): no need to do anything. 2) The OS supports `fork()`, lacks POSIX.2008: this is broken beyond repair. 3) The OS supports `fork()` and POSIX.2008: using `open()` then `fdopen()` is the only solution. 4) The OS supports both solutions. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/985#note_341226072 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue May 12 21:28:03 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 12 May 2020 19:28:03 +0000 Subject: [gnutls-devel] GnuTLS | MAGMA/KUZNYECHIK CTR-ACPKM and CMAC support (!1161) In-Reply-To: References: Message-ID: Dmitry Baryshkov commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/1161#note_341241175 Done. I don't know thought if you'd like `cmac64.h` approach. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1161#note_341241175 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue May 12 21:29:42 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 12 May 2020 19:29:42 +0000 Subject: [gnutls-devel] GnuTLS | Decode certificate policies OIDs (!1245) In-Reply-To: References: Message-ID: Dmitry Baryshkov commented on a discussion on lib/x509/output.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1245#note_341241853 > + ENTRY("1.2.643.100.113.5", "Russian security class KB2"), > + ENTRY("1.2.643.100.113.6", "Russian security class KA1"), > + > + {NULL, 0, NULL, 0}, > +}; > + > +static const char *_gnutls_x509_cp_oid_name(const char *oid) > +{ > + unsigned int i = 0; > + unsigned len = strlen(oid); > + > + do { > + if ((cp_oid2str[i].oid_size == len) && > + strcmp(cp_oid2str[i].oid, oid) == 0 && cp_oid2str[i].name_desc != NULL) > + return cp_oid2str[i].name_desc; > + i++; For both of them: it was just a c&p from `lib/x509/common.h`. I'm thinking about reworking common code instead. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1245#note_341241853 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed May 13 12:51:34 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 13 May 2020 10:51:34 +0000 Subject: [gnutls-devel] GnuTLS | tlsfuzzer: updated to latest upstream (!1240) In-Reply-To: References: Message-ID: Merge Request !1240 was closed by Franti?ek Kren?elok Merge Request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1240 Project:Branches: FrantisekKrenzelok/gnutls:master to gnutls/gnutls:master Author: Franti?ek Kren?elok Assignees: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1240 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed May 13 20:36:42 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 13 May 2020 18:36:42 +0000 Subject: [gnutls-devel] GnuTLS | Cannot connect to pop.verizon.net:995 (#997) References: Message-ID: rrivers2 created an issue: https://gitlab.com/gnutls/gnutls/-/issues/997 ## Description of problem: GnuTLS based applications fail to connect to pop.verizon.net:995 ## Version of gnutls used: 3.5.18 ## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL) Ubuntu 18.04.4 ## How reproducible: Consistently reproducible ## Steps to Reproduce: ``` gnutls-cli -d 99 pop.verizon.net:995 ``` ``` 1. run evolution, 2. configure a pop connection (no account needed since its a handshake failure) Server: pop.verizon.net Port: 995 User: test Encryption method: TLS on a dedicated port Authentication: password 3. click on send/receive ``` ## Actual results: [debug.txt](/uploads/4566006cb094e63c3c37e32045feccba/debug.txt) ``` Full output attached as debug.txt the last packet received and sent: |<5>| REC[0x555555b215f0]: SSL 3.3 Handshake packet received. Epoch 0, length: 10 |<5>| REC[0x555555b215f0]: Expected Packet Handshake(22) |<5>| REC[0x555555b215f0]: Received Packet Handshake(22) with length: 10 |<10>| READ: Got 10 bytes from 0x3 |<10>| READ: read 10 bytes from 0x3 |<10>| RB: Have 5 bytes into buffer. Adding 10 bytes. |<10>| RB: Requested 15 bytes |<5>| REC[0x555555b215f0]: Decrypted Packet[1] Handshake(22) with length: 10 |<13>| BUF[REC]: Inserted 10 bytes of Data(22) |<4>| HSK[0x555555b215f0]: NEW SESSION TICKET (4) was received. Length 6[6], frag offset 0, frag length: 6, sequence: 0 |<3>| ASSERT: session_ticket.c[_gnutls_recv_new_session_ticket]:767 |<3>| ASSERT: handshake.c[handshake_client]:2979 *** Fatal error: Internal error in memory allocation. |<5>| REC: Sending Alert[2|80] - Internal error |<5>| REC[0x555555b215f0]: Preparing Packet Alert(21) with length: 2 and min pad: 0 |<9>| ENC[0x555555b215f0]: cipher: AES-256-GCM, MAC: AEAD, Epoch: 1 |<11>| WRITE: enqueued 31 bytes for 0x3. Total 31 bytes. |<11>| WRITE FLUSH: 31 bytes in buffer. |<11>| WRITE: wrote 31 bytes, 0 bytes left. |<5>| REC[0x555555b215f0]: Sent Packet[2] Alert(21) in epoch 1 and length: 31 *** handshake has failed: Internal error in memory allocation. ``` ``` Evolution will display the error message "Error performing TLS handshake: Internal error in memory allocation." ``` ## Expected results: ``` gnutls-cli should connect to the server ``` ``` evolution should connect and download new email if you have an account ``` The issue appears to be in the function _gnutls_recv_new_session_ticket around line 758 of session_ticket.c. The code reads two bytes and assigns the result to the variable ticket_len. Unfortunately this value is zero. A few lines later when the variable is used in a call to gnutls_realloc_fast(), the call fails and the code returns GNUTLS_E_MEMORY_ERROR. Wireshark confirms the new session ticket returned by the server has length 0: ``` Handshake Protocol: New Session Ticket Handshake Type: New Session Ticket (4) Length: 6 TLS Session Ticket Session Ticket Lifetime Hint: 60 seconds (1 minute) Session Ticket Length: 0 Session Ticket: ``` -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/997 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed May 13 22:50:11 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 13 May 2020 20:50:11 +0000 Subject: [gnutls-devel] libtasn1 | fuzz: add fuzzers for asn1_get_length_b/der (!65) In-Reply-To: References: Message-ID: Dmitry Baryshkov commented on a discussion on fuzz/asn1_get_length_ber_fuzzer.c: https://gitlab.com/gnutls/libtasn1/-/merge_requests/65#note_342071377 > + * You should have received a copy of the GNU Lesser General Public License > + * along with libtasn1. If not, see . > + * > + * This fuzzer is testing asn1_get_length_ber()'s robustness with arbitrary > + * input data. > + */ > + > +#include > + > +#include "libtasn1.h" > +#include "fuzzer.h" > + > +int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) > +{ > + int ret_len; > + I've limited input to 512 bytes. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/-/merge_requests/65#note_342071377 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed May 13 22:50:12 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 13 May 2020 20:50:12 +0000 Subject: [gnutls-devel] libtasn1 | fuzz: add fuzzers for asn1_get_length_b/der (!65) In-Reply-To: References: Message-ID: All discussions on Merge Request !65 were resolved by Dmitry Baryshkov https://gitlab.com/gnutls/libtasn1/-/merge_requests/65 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/-/merge_requests/65 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed May 13 23:19:26 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 13 May 2020 21:19:26 +0000 Subject: [gnutls-devel] libtasn1 | fuzz/Makefile.am: do not force static (!61) In-Reply-To: References: Message-ID: Dmitry Baryshkov commented: @ffontaine it would be better to add `AM_CONDITIONAL` to configure.ac and use it to conditionally enable/disable `-static` option. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/-/merge_requests/61#note_342082424 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed May 13 23:24:19 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 13 May 2020 21:24:19 +0000 Subject: [gnutls-devel] libtasn1 | fuzz: add fuzzers for asn1_get_length_b/der (!65) In-Reply-To: References: Message-ID: Merge Request !65 was approved by Tim R?hsen Merge Request url: https://gitlab.com/gnutls/libtasn1/-/merge_requests/65 Branches: tmp-length-fuzz to master Author: Dmitry Baryshkov Assignees: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/-/merge_requests/65 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed May 13 23:40:38 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 13 May 2020 21:40:38 +0000 Subject: [gnutls-devel] libtasn1 | fuzz: add fuzzers for asn1_get_length_b/der (!65) In-Reply-To: References: Message-ID: Merge Request !65 was merged Merge Request url: https://gitlab.com/gnutls/libtasn1/-/merge_requests/65 Branches: tmp-length-fuzz to master Author: Dmitry Baryshkov Assignees: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/-/merge_requests/65 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu May 14 01:24:57 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 13 May 2020 23:24:57 +0000 Subject: [gnutls-devel] GnuTLS | PKCS7 attribute printing update (!1246) References: Message-ID: Dmitry Baryshkov created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1246 Project:Branches: GostCrypt/gnutls:pkcs7-attrs to gnutls/gnutls:master Author: Dmitry Baryshkov Print symbolic names for PKCS7 attributes. ## Checklist * [x] Commits have `Signed-off-by:` with name/author being identical to the commit author * [x] Code modified for feature * [ ] Test suite updated with functionality tests * [ ] Test suite updated with negative tests * [ ] Documentation updated / NEWS entry present (for non-trivial changes) * [x] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout) ## Reviewer's checklist: * [ ] Any issues marked for closing are addressed * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md` * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1246 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu May 14 01:25:44 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 13 May 2020 23:25:44 +0000 Subject: [gnutls-devel] GnuTLS | Decode certificate policies OIDs (!1245) In-Reply-To: References: Message-ID: Dmitry Baryshkov commented on a discussion on lib/x509/output.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1245#note_342121592 > + ENTRY("1.2.643.100.113.5", "Russian security class KB2"), > + ENTRY("1.2.643.100.113.6", "Russian security class KA1"), > + > + {NULL, 0, NULL, 0}, > +}; > + > +static const char *_gnutls_x509_cp_oid_name(const char *oid) > +{ > + unsigned int i = 0; > + unsigned len = strlen(oid); > + > + do { > + if ((cp_oid2str[i].oid_size == len) && > + strcmp(cp_oid2str[i].oid, oid) == 0 && cp_oid2str[i].name_desc != NULL) > + return cp_oid2str[i].name_desc; > + i++; If !1246 is accepted, I'll rebase this MR on top of it to get oid-to-string function. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1245#note_342121592 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu May 14 04:56:46 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 14 May 2020 02:56:46 +0000 Subject: [gnutls-devel] GnuTLS | Vendor-in libtasn1 sources in a form of minitasn1 (!1247) References: Message-ID: Dmitry Baryshkov created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1247 Branches: tmp-vendor-minitasn1 to master Author: Dmitry Baryshkov Add a description of the new feature/bug fix. Reference any relevant bugs. ## Checklist * [x] Commits have `Signed-off-by:` with name/author being identical to the commit author * [x] Code modified for feature * [ ] Test suite updated with functionality tests * [ ] Test suite updated with negative tests * [ ] Documentation updated / NEWS entry present (for non-trivial changes) * [x] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout) ## Reviewer's checklist: * [ ] Any issues marked for closing are addressed * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md` * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1247 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu May 14 07:51:11 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 14 May 2020 05:51:11 +0000 Subject: [gnutls-devel] GnuTLS | fips: leftover fixes (!1243) In-Reply-To: References: Message-ID: Merge Request !1243 was merged Merge Request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1243 Branches: tmp-fips-leftover to master Author: Daiki Ueno Assignees: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1243 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu May 14 08:06:24 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 14 May 2020 06:06:24 +0000 Subject: [gnutls-devel] GnuTLS | PKCS7 attribute printing update (!1246) In-Reply-To: References: Message-ID: Merge Request !1246 was approved by Daiki Ueno Merge Request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1246 Project:Branches: GostCrypt/gnutls:pkcs7-attrs to gnutls/gnutls:master Author: Dmitry Baryshkov Assignees: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1246 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu May 14 08:07:25 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 14 May 2020 06:07:25 +0000 Subject: [gnutls-devel] GnuTLS | PKCS7 attribute printing update (!1246) In-Reply-To: References: Message-ID: Daiki Ueno commented: Nice, looks good to me. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1246#note_342210998 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu May 14 11:26:40 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 14 May 2020 09:26:40 +0000 Subject: [gnutls-devel] GnuTLS | PKCS7 attribute printing update (!1246) In-Reply-To: References: Message-ID: Merge Request !1246 was merged Merge Request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1246 Project:Branches: GostCrypt/gnutls:pkcs7-attrs to gnutls/gnutls:master Author: Dmitry Baryshkov Assignees: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1246 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu May 14 12:18:42 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 14 May 2020 10:18:42 +0000 Subject: [gnutls-devel] GnuTLS | Decode certificate policies OIDs (!1245) In-Reply-To: References: Message-ID: Dmitry Baryshkov commented: @dueno rebased on top of common implementation -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1245#note_342389091 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu May 14 19:03:02 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 14 May 2020 17:03:02 +0000 Subject: [gnutls-devel] libtasn1 | fuzz/Makefile.am: do not force static (!61) In-Reply-To: References: Message-ID: Fabrice Fontaine commented: OK updated as requested -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/-/merge_requests/61#note_342735320 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu May 14 19:49:18 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 14 May 2020 17:49:18 +0000 Subject: [gnutls-devel] GnuTLS | Decode certificate policies OIDs (!1245) In-Reply-To: References: Message-ID: All discussions on Merge Request !1245 were resolved by Dmitry Baryshkov https://gitlab.com/gnutls/gnutls/-/merge_requests/1245 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1245 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu May 14 23:05:57 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 14 May 2020 21:05:57 +0000 Subject: [gnutls-devel] GnuTLS | Decode certificate policies OIDs (!1245) In-Reply-To: References: Message-ID: Daiki Ueno commented: Looks good to me, thanks! -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1245#note_342852297 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu May 14 23:05:53 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 14 May 2020 21:05:53 +0000 Subject: [gnutls-devel] GnuTLS | Decode certificate policies OIDs (!1245) In-Reply-To: References: Message-ID: Merge Request !1245 was approved by Daiki Ueno Merge Request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1245 Project:Branches: GostCrypt/gnutls:cert-policies to gnutls/gnutls:master Author: Dmitry Baryshkov Assignees: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1245 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu May 14 23:06:33 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 14 May 2020 21:06:33 +0000 Subject: [gnutls-devel] GnuTLS | MAGMA/KUZNYECHIK CTR-ACPKM and CMAC support (!1161) In-Reply-To: References: Message-ID: All discussions on Merge Request !1161 were resolved by Daiki Ueno https://gitlab.com/gnutls/gnutls/-/merge_requests/1161 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1161 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu May 14 23:06:51 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 14 May 2020 21:06:51 +0000 Subject: [gnutls-devel] GnuTLS | MAGMA/KUZNYECHIK CTR-ACPKM and CMAC support (!1161) In-Reply-To: References: Message-ID: Merge request https://gitlab.com/gnutls/gnutls/-/merge_requests/1161 was reviewed by Daiki Ueno -- Daiki Ueno started a new discussion on lib/crypto-api.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1161#note_342853599 > + * Returns: Zero or a negative error code on error. > + * > + * Since: 3.6.12 3.6.14? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1161 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu May 14 23:07:53 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 14 May 2020 21:07:53 +0000 Subject: [gnutls-devel] GnuTLS | MAGMA/KUZNYECHIK CTR-ACPKM and CMAC support (!1161) In-Reply-To: References: Message-ID: Daiki Ueno commented: I can't really review the algorithm implementation offhand, but other parts look good to me. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1161#note_342855344 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri May 15 00:33:31 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 14 May 2020 22:33:31 +0000 Subject: [gnutls-devel] GnuTLS | MAGMA/KUZNYECHIK CTR-ACPKM and CMAC support (!1161) In-Reply-To: References: Message-ID: Dmitry Baryshkov commented on a discussion on lib/crypto-api.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1161#note_342903659 > +/*- > + * _gnutls_cipher_set_key: > + * @handle: is a #gnutls_cipher_hd_t type > + * @key: the key to set > + * @keylen: the length of the key > + * > + * This function will set the key used by the cipher > + * > + * This is solely for validation purposes of our crypto > + * implementation. For other purposes, the key should be set at the time of > + * cipher setup. As such, this function only works with the internally > + * registered ciphers. > + * > + * Returns: Zero or a negative error code on error. > + * > + * Since: 3.6.12 I thought this is postponed till 3.7. I will update this. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1161#note_342903659 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri May 15 00:43:57 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 14 May 2020 22:43:57 +0000 Subject: [gnutls-devel] GnuTLS | MAGMA/KUZNYECHIK CTR-ACPKM and CMAC support (!1161) In-Reply-To: References: Message-ID: Dmitry Baryshkov commented on a discussion on lib/crypto-api.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1161#note_342906404 > +/*- > + * _gnutls_cipher_set_key: > + * @handle: is a #gnutls_cipher_hd_t type > + * @key: the key to set > + * @keylen: the length of the key > + * > + * This function will set the key used by the cipher > + * > + * This is solely for validation purposes of our crypto > + * implementation. For other purposes, the key should be set at the time of > + * cipher setup. As such, this function only works with the internally > + * registered ciphers. > + * > + * Returns: Zero or a negative error code on error. > + * > + * Since: 3.6.12 done -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1161#note_342906404 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri May 15 00:43:56 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 14 May 2020 22:43:56 +0000 Subject: [gnutls-devel] GnuTLS | MAGMA/KUZNYECHIK CTR-ACPKM and CMAC support (!1161) In-Reply-To: References: Message-ID: All discussions on Merge Request !1161 were resolved by Dmitry Baryshkov https://gitlab.com/gnutls/gnutls/-/merge_requests/1161 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1161 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri May 15 06:08:36 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 15 May 2020 04:08:36 +0000 Subject: [gnutls-devel] GnuTLS | gnutls-cli: Support AIA (downloading intermediate certs) (#968) In-Reply-To: References: Message-ID: GnuTLS bot commented: @rockdaboot This issue is unlabelled after 30 days. It needs attention. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/968#note_342983249 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri May 15 06:08:37 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 15 May 2020 04:08:37 +0000 Subject: [gnutls-devel] GnuTLS | Build failure on macOS Catalina 10.15.4 under Xcode 11.4. (#966) In-Reply-To: References: Message-ID: GnuTLS bot commented: @crossd This issue is unlabelled after 30 days. It needs attention. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/966#note_342983256 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri May 15 06:08:39 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 15 May 2020 04:08:39 +0000 Subject: [gnutls-devel] GnuTLS | WIP: Signed PKCS#12 support (!830) In-Reply-To: References: Message-ID: Merge Request !830 was closed by GnuTLS bot Merge Request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/830 Project:Branches: GostCrypt/gnutls:pkcs12-signed to gnutls/gnutls:master Author: Dmitry Baryshkov Assignees: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/830 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri May 15 06:08:36 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 15 May 2020 04:08:36 +0000 Subject: [gnutls-devel] GnuTLS | Issues require labels (#998) References: Message-ID: GnuTLS bot created an issue: https://gitlab.com/gnutls/gnutls/-/issues/998 The following issues require labels: - [ ] [gnutls-cli: Support AIA (downloading intermediate certs)](https://gitlab.com/gnutls/gnutls/-/issues/968) - [ ] [Build failure on macOS Catalina 10.15.4 under Xcode 11.4.](https://gitlab.com/gnutls/gnutls/-/issues/966) - [ ] [Service Desk (from noloader at gmail.com): GnuTLS 3.6.13 test results](https://gitlab.com/gnutls/gnutls/-/issues/964) Please take care of them. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/998 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri May 15 06:08:40 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 15 May 2020 04:08:40 +0000 Subject: [gnutls-devel] GnuTLS | WIP: Signed PKCS#12 support (!830) In-Reply-To: References: Message-ID: GnuTLS bot commented: @lumag This merge request is marked as work in progress with no update for very long time. We are now closing it, but please re-open if you are still interested in finishing this merge request. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/830#note_342983269 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri May 15 06:08:37 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 15 May 2020 04:08:37 +0000 Subject: [gnutls-devel] GnuTLS | Service Desk (from noloader@gmail.com): GnuTLS 3.6.13 test results (#964) In-Reply-To: References: Message-ID: GnuTLS bot commented: @support-bot This issue is unlabelled after 30 days. It needs attention. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/964#note_342983263 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri May 15 21:10:28 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 15 May 2020 19:10:28 +0000 Subject: [gnutls-devel] GnuTLS | Decode certificate policies OIDs (!1245) In-Reply-To: References: Message-ID: Merge Request !1245 was merged Merge Request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1245 Project:Branches: GostCrypt/gnutls:cert-policies to gnutls/gnutls:master Author: Dmitry Baryshkov Assignees: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1245 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat May 16 00:34:07 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 15 May 2020 22:34:07 +0000 Subject: [gnutls-devel] GnuTLS | devel: provide external git diff driver for *.abi files (!1214) In-Reply-To: References: Message-ID: Dmitry Baryshkov commented: @dueno I could not get it to work fully: it always filters out everything. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1214#note_343634304 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat May 16 05:11:48 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sat, 16 May 2020 03:11:48 +0000 Subject: [gnutls-devel] GnuTLS | Build failure on macOS Catalina 10.15.4 under Xcode 11.4. (#966) In-Reply-To: References: Message-ID: Siguza commented: Running into the same issue. macOS 10.15.3, Xcode 11.4.1. It seems the Mono project ran into this as well not long ago: https://github.com/mono/mono/issues/19393 The issue traces back to this declaration in `$SDK/usr/include/sys/_types/_fd_def.h`: ```c int __darwin_check_fd_set_overflow(int, const void *, int) __attribute__((__weak_import__)); ``` And to provide some more context, from the same file: ```c __BEGIN_DECLS typedef struct fd_set { __int32_t fds_bits[__DARWIN_howmany(__DARWIN_FD_SETSIZE, __DARWIN_NFDBITS)]; } fd_set; int __darwin_check_fd_set_overflow(int, const void *, int) __attribute__((__weak_import__)); __END_DECLS __header_always_inline int __darwin_check_fd_set(int _a, const void *_b) { if ((uintptr_t)&__darwin_check_fd_set_overflow != (uintptr_t) 0) { #if defined(_DARWIN_UNLIMITED_SELECT) || defined(_DARWIN_C_SOURCE) return __darwin_check_fd_set_overflow(_a, _b, 1); #else return __darwin_check_fd_set_overflow(_a, _b, 0); #endif } else { return 1; } } /* This inline avoids argument side-effect issues with FD_ISSET() */ __header_always_inline int __darwin_fd_isset(int _fd, const struct fd_set *_p) { if (__darwin_check_fd_set(_fd, (const void *) _p)) { return _p->fds_bits[(unsigned long)_fd / __DARWIN_NFDBITS] & ((__int32_t)(((unsigned long)1) << ((unsigned long)_fd % __DARWIN_NFDBITS))); } return 0; } __header_always_inline void __darwin_fd_set(int _fd, struct fd_set *const _p) { if (__darwin_check_fd_set(_fd, (const void *) _p)) { (_p->fds_bits[(unsigned long)_fd / __DARWIN_NFDBITS] |= ((__int32_t)(((unsigned long)1) << ((unsigned long)_fd % __DARWIN_NFDBITS)))); } } __header_always_inline void __darwin_fd_clr(int _fd, struct fd_set *const _p) { if (__darwin_check_fd_set(_fd, (const void *) _p)) { (_p->fds_bits[(unsigned long)_fd / __DARWIN_NFDBITS] &= ~((__int32_t)(((unsigned long)1) << ((unsigned long)_fd % __DARWIN_NFDBITS)))); } } #define __DARWIN_FD_SET(n, p) __darwin_fd_set((n), (p)) #define __DARWIN_FD_CLR(n, p) __darwin_fd_clr((n), (p)) #define __DARWIN_FD_ISSET(n, p) __darwin_fd_isset((n), (p)) ``` And then from `$SDK/usr/include/sys/_types/_fd_set.h`: ```c #define FD_SET(n, p) __DARWIN_FD_SET(n, p) ``` And if you grep through gnutls source, you'll find plenty of instances where `FD_SET` is used. There's a changelog entry dated to `Thu Jun 14 12:36:10 2018 +0300` that seems to have introduced this behaviour, but I'm assuming that doesn't matter, as it looks like it was a change on the Xcode/SDK side that broke this. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/966#note_343664684 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat May 16 12:28:01 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sat, 16 May 2020 10:28:01 +0000 Subject: [gnutls-devel] GnuTLS | gnutls_pubkey_verify_data2 should support IEEEP1363 style ECDSA_SHA256 signatures (#995) In-Reply-To: References: Message-ID: Dmitry Baryshkov commented: Could you please attach an example of such files/signatures? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/995#note_343707734 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat May 16 15:18:35 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sat, 16 May 2020 13:18:35 +0000 Subject: [gnutls-devel] GnuTLS | GnuTLS does not recognize the DirName and serial of the extension AKI (#991) In-Reply-To: References: Message-ID: Milestone changed to Release of GnuTLS 3.6.14 (Mar 31, 2020?Jun 1, 2020) ( https://gitlab.com/gnutls/gnutls/-/milestones/28 ) -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/991 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat May 16 15:18:49 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sat, 16 May 2020 13:18:49 +0000 Subject: [gnutls-devel] GnuTLS | GnuTLS does not recognize the DirName and serial of the extension AKI (#991) In-Reply-To: References: Message-ID: Reassigned Issue 991 https://gitlab.com/gnutls/gnutls/-/issues/991 Assignee changed to Dmitry Baryshkov -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/991 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat May 16 15:19:57 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sat, 16 May 2020 13:19:57 +0000 Subject: [gnutls-devel] GnuTLS | GnuTLS does not recognize the extension "commonName" (#989) In-Reply-To: References: Message-ID: Reassigned Issue 989 https://gitlab.com/gnutls/gnutls/-/issues/989 Assignee changed to Dmitry Baryshkov -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/989 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat May 16 15:19:54 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sat, 16 May 2020 13:19:54 +0000 Subject: [gnutls-devel] GnuTLS | GnuTLS does not recognize the extension "commonName" (#989) In-Reply-To: References: Message-ID: Milestone changed to Release of GnuTLS 3.6.14 (Mar 31, 2020?Jun 1, 2020) ( https://gitlab.com/gnutls/gnutls/-/milestones/28 ) -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/989 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat May 16 15:21:14 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sat, 16 May 2020 13:21:14 +0000 Subject: [gnutls-devel] GnuTLS | GnuTLS does not recognize the extension "Netscape Cert Type" (#988) In-Reply-To: References: Message-ID: Dmitry Baryshkov commented: While GnuTLS tries to support sensible extensions, I do not think it makes sense to support each and every one. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/988#note_343734276 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat May 16 19:22:37 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sat, 16 May 2020 17:22:37 +0000 Subject: [gnutls-devel] GnuTLS | gnutls_pubkey_verify_data2 should support IEEEP1363 style ECDSA_SHA256 signatures (#995) In-Reply-To: References: Message-ID: Alan Jowett commented: Sure. Output + repro for both GnuTLS and .NET Core. IEEEP1363: ``` Clear: Hello World Cert: MIIBwTCCAWegAwIBAgIMXrWF+g5a7/xDYB0jMAoGCCqGSM49BAMCMDwxJjAkBgNVBAMTHVVEQyBUZXN0IENvbnRyb2xsZXIgUm9vdCBDZXJ0MRIwEAYDVQQKEwlNaWNyb3NvZnQwHhcNMjAwNTA4MTYxNjU4WhcNMjEwNTA4MTYxNjU4WjAqMRQwEgYDVQQDEwtBbGFuIEpvd2V0dDESMBAGA1UEChMJTWljcm9zb2Z0MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEtMMYSxFeK/dLK2+bhFdnO8XMYnTpPrsIxJbW2kC/K8aOphmv+qPyiyzum7u08eOAYRxyvXbT52AIcQeiAC3rkaNhMF8wDAYDVR0TAQH/BAIwADAPBgNVHQ8BAf8EBQMDB4AAMB0GA1UdDgQWBBSEDKS9MpTEoDN5WPEzHZBE7/2zcDAfBgNVHSMEGDAWgBQB1Q8kA1jZINSiOBUFeUesUYIEjDAKBggqhkjOPQQDAgNIADBFAiEAov3dhOEcX62K3FEesTjEt7vEN4OIbzkTE6Vv8Rea59YCIDKDWJSWNS82spgN4uoJuWgim0arIa2g6n4LddvVzqZ/ Signature: XQ64HunnMsOcV1EuLXlX6DUb2tnjWiFstiLJllT9usIk/69Ei23idItDzH64dhUnIGjsp232GrVeuK7zYtmMPA== ``` Rfc3279: ``` Clear: Hello World Cert: MIIBwTCCAWegAwIBAgIMXrWF+g5a7/xDYB0jMAoGCCqGSM49BAMCMDwxJjAkBgNVBAMTHVVEQyBUZXN0IENvbnRyb2xsZXIgUm9vdCBDZXJ0MRIwEAYDVQQKEwlNaWNyb3NvZnQwHhcNMjAwNTA4MTYxNjU4WhcNMjEwNTA4MTYxNjU4WjAqMRQwEgYDVQQDEwtBbGFuIEpvd2V0dDESMBAGA1UEChMJTWljcm9zb2Z0MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEtMMYSxFeK/dLK2+bhFdnO8XMYnTpPrsIxJbW2kC/K8aOphmv+qPyiyzum7u08eOAYRxyvXbT52AIcQeiAC3rkaNhMF8wDAYDVR0TAQH/BAIwADAPBgNVHQ8BAf8EBQMDB4AAMB0GA1UdDgQWBBSEDKS9MpTEoDN5WPEzHZBE7/2zcDAfBgNVHSMEGDAWgBQB1Q8kA1jZINSiOBUFeUesUYIEjDAKBggqhkjOPQQDAgNIADBFAiEAov3dhOEcX62K3FEesTjEt7vEN4OIbzkTE6Vv8Rea59YCIDKDWJSWNS82spgN4uoJuWgim0arIa2g6n4LddvVzqZ/ Signature: MEQCICWyVOgE1vN8CjSWTRf3I26vvG/oT64d/bqjZgcqYUM0AiAC47ZzDEWdlFQTsDy0eWxxY1TnOskNNAeZUDCWzSKKxA== ``` [Repro.c](/uploads/064c108c5ffe293b3cf0a2822b1e8dea/Repro.c) [Repro.cs](/uploads/a310233b85ed385bc130282c3c4f3398/Repro.cs) -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/995#note_343780245 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun May 17 00:28:45 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sat, 16 May 2020 22:28:45 +0000 Subject: [gnutls-devel] GnuTLS | WIP: CMS support (RFC 5652) (!1248) References: Message-ID: Dmitry Baryshkov created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1248 Branches: tmp-cms-support to master Author: Dmitry Baryshkov This MR targets supporting different types of CMS (ex-PKCS7) files in addition to just Signed data. * [x] Data * [x] Signed * [ ] Enveloped * [x] Digested * [ ] Encrypted * [ ] Authenticated * [ ] AuthEnveloped ## Checklist * [x] Commits have `Signed-off-by:` with name/author being identical to the commit author * [x] Code modified for feature * [x] Test suite updated with functionality tests * [ ] Test suite updated with negative tests * [ ] Documentation updated / NEWS entry present (for non-trivial changes) * [x] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout) ## Reviewer's checklist: * [ ] Any issues marked for closing are addressed * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md` * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1248 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun May 17 21:06:44 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sun, 17 May 2020 19:06:44 +0000 Subject: [gnutls-devel] GnuTLS | x509: aki: always print authorityCert info (!1249) References: Message-ID: Dmitry Baryshkov created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1249 Project:Branches: GostCrypt/gnutls:fix-aki to gnutls/gnutls:master Author: Dmitry Baryshkov Add a description of the new feature/bug fix. Reference any relevant bugs. ## Checklist * [x] Commits have `Signed-off-by:` with name/author being identical to the commit author * [x] Code modified for feature * [x] Test suite updated with functionality tests * [ ] Test suite updated with negative tests * [ ] Documentation updated / NEWS entry present (for non-trivial changes) * [x] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout) ## Reviewer's checklist: * [ ] Any issues marked for closing are addressed * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md` * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1249 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun May 17 23:14:00 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sun, 17 May 2020 21:14:00 +0000 Subject: [gnutls-devel] GnuTLS | x509: support commonName extension (!1250) References: Message-ID: Dmitry Baryshkov created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1250 Project:Branches: GostCrypt/gnutls:x509-common-name to gnutls/gnutls:master Author: Dmitry Baryshkov Add a description of the new feature/bug fix. Reference any relevant bugs. ## Checklist * [x] Commits have `Signed-off-by:` with name/author being identical to the commit author * [x] Code modified for feature * [x] Test suite updated with functionality tests * [ ] Test suite updated with negative tests * [ ] Documentation updated / NEWS entry present (for non-trivial changes) * [x] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout) ## Reviewer's checklist: * [ ] Any issues marked for closing are addressed * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md` * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1250 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun May 17 23:20:38 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sun, 17 May 2020 21:20:38 +0000 Subject: [gnutls-devel] GnuTLS | GnuTLS does not correctly recognize policies in the extension certificate policies (#992) In-Reply-To: References: Message-ID: Dmitry Baryshkov commented: Provided file contains an extension which we believe is incorrect. Certificate Policies extension (2.5.29.32) uses IA5String with an embedded NUL character. This is reported by certtool: > error: certificate policies import: The provided string has an embedded null. dumpasn1 tool also reports this error. Closing as invalid. ``` 604 82: SEQUENCE { 606 12: OBJECT IDENTIFIER '1 3 6 1 4 1 311 76 509 1 1' 620 66: SEQUENCE { 622 64: SEQUENCE { 624 8: OBJECT IDENTIFIER cps (1 3 6 1 5 5 7 2 1) 634 52: IA5String : 'http://www.microsoft.com/pkiops/Docs/Repository.' : 'htm.' : Error: IA5String contains illegal character(s). : } : } : } : } ``` -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/992#note_344018650 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun May 17 23:20:43 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sun, 17 May 2020 21:20:43 +0000 Subject: [gnutls-devel] GnuTLS | GnuTLS does not correctly recognize policies in the extension certificate policies (#992) In-Reply-To: References: Message-ID: Issue was closed by Dmitry Baryshkov Issue #992: https://gitlab.com/gnutls/gnutls/-/issues/992 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/992 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun May 17 23:45:59 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sun, 17 May 2020 21:45:59 +0000 Subject: [gnutls-devel] GnuTLS | gnutls_pubkey_verify_data2 should support IEEEP1363 style ECDSA_SHA256 signatures (#995) In-Reply-To: References: Message-ID: Dmitry Baryshkov commented: I don't feel like there is an urgent need to implement this signature format. WebCrypto/C# have selected an interesting way of using different signature format. Fortunately it is pretty easy to convert between those formats. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/995#note_344021805 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun May 17 23:52:04 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sun, 17 May 2020 21:52:04 +0000 Subject: [gnutls-devel] GnuTLS | GnuTLS adds an escape symbol before comma (#994) In-Reply-To: References: Message-ID: Dmitry Baryshkov commented: The escape symbol is on purpose, otherwise one might be easily mislead by using `,O=Microsoft` as a part of OU/CN/any part of Subject field. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/994#note_344022531 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun May 17 23:52:17 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sun, 17 May 2020 21:52:17 +0000 Subject: [gnutls-devel] GnuTLS | GnuTLS adds an escape symbol before comma (#994) In-Reply-To: References: Message-ID: Issue was closed by Dmitry Baryshkov Issue #994: https://gitlab.com/gnutls/gnutls/-/issues/994 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/994 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon May 18 02:14:01 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 18 May 2020 00:14:01 +0000 Subject: [gnutls-devel] GnuTLS | refine tests for ancient servers which support both SSL 3.0 and TLS 1.0, but both only with %NO_EXTENSIONS (!1251) References: Message-ID: Daniel Lenski created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1251 Project:Branches: dlenski/gnutls:better_SSL3.0_tests to gnutls/gnutls:master Author: Daniel Lenski This is a follow-up to !1221. See #958 and https://gitlab.com/openconnect/openconnect/-/issues/145 for a real-world example of ancient Cisco servers with these deficiencies. With !1221 only, gnutls-cli-debug reports that these ancient servers only support SSL 3.0 (but without extensions). With this additional change, gnutls-cli-debug correctly reports that such a server also supports TLS 1.0 (but again with extensions disabled), and also reports correctly the supported ciphers. Unfortunately, these insecure and non-standards compliant servers remain in-use in the real world, and it's helpful to understand the priority strings needed to support them, especially for VPNs where there is often no alternative. ## Checklist * [X] Commits have `Signed-off-by:` with name/author being identical to the commit author * [X] Code modified for feature * [ ] Test suite updated with functionality tests * [ ] Test suite updated with negative tests * [ ] Documentation updated / NEWS entry present (for non-trivial changes) * [X] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout) ## Reviewer's checklist: * [ ] Any issues marked for closing are addressed * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md` * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1251 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon May 18 02:15:36 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 18 May 2020 00:15:36 +0000 Subject: [gnutls-devel] GnuTLS | refine tests for ancient servers which support both SSL 3.0 and TLS 1.0, but both only with %NO_EXTENSIONS (!1251) In-Reply-To: References: Message-ID: Daniel Lenski started a new discussion on src/tests.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1251#note_344037236 > { > int ret; > sprintf(prio_str, INIT_STR > - ALL_CIPHERS ":" ALL_COMP ":+VERS-SSL3.0:%%NO_EXTENSIONS:" > + ALL_CIPHERS ":" ALL_COMP ":+VERS-SSL3.0:" This is no longer needed because it's already been added to `rest` by the preceding test. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1251#note_344037236 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon May 18 02:21:30 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 18 May 2020 00:21:30 +0000 Subject: [gnutls-devel] GnuTLS | gnutls_cli_debug / test_ssl3 don't detect some old SSLv3 servers (#958) In-Reply-To: References: Message-ID: Daniel Lenski commented: My previous MR (!1221) could be improved, because it correctly shows the (partial) SSL 3.0 support of these servers but does not show the (partial) TLS 1.0 support. ``` $ ../gnutls/src/gnutls-cli-debug jazzvpn.jazzsemi.com GnuTLS debug client 3.6.12 Checking jazzvpn.jazzsemi.com:443 whether the server accepts default record size (512 bytes)... no whether %ALLOW_SMALL_RECORDS is required... no for SSL 3.0 (RFC6101) support... yes for SSL 3.0 with extensions... no for SSL 3.0 with cipher suites not in SSL 3.0 spec... yes whether we need to disable TLS 1.2... yes whether we need to disable TLS 1.1... yes whether we need to disable TLS 1.0... no ``` With !1251, this is improved, and a few other important bits of the output are clarified: ``` whether we need to disable TLS 1.0... no whether %NO_EXTENSIONS is required... yes for 3DES-CBC cipher (RFC2246) support... yes for ARCFOUR 128 cipher (RFC2246) support... yes ``` This clarifying information may enable someone who needs to use such a server to use the (marginally-less insecure?) combination of TLS 1.0 and RC4 rather than SSL 3.0. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/958#note_344037865 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon May 18 08:43:15 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 18 May 2020 06:43:15 +0000 Subject: [gnutls-devel] GnuTLS | Cannot connect to github.com, download.mono-project.com (#990) In-Reply-To: References: Message-ID: Maarten Boekhold commented: Trying to revive this... OpenSSL is sending a TLSv1 Client Hello packet, GnuTLS is sending a TLSv1.2 Client Hello, and never receives the Server Hello response. I can see a bunch of retransmissions and then more TLSv1.2 Client Hello with Alert Level Fatal packets, until GnuTLS gives up. I can see as well that GnuTLS is sending more extensions in the Client Hello, but no idea if that is important or relevant in any way. Anybody got any idea why I would not receive any Server Hello response with GnuTLS? It doesn't appear to be caused by the destination server: if I start a VPN connection, the requests work. So there's something in my normal ISP connection that doesn't like this TLSv1.2 Client Hello (or in the specific Server Hello that this Client Hello triggers). -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/990#note_344156293 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon May 18 09:47:15 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 18 May 2020 07:47:15 +0000 Subject: [gnutls-devel] GnuTLS | pkcs11: add option to skip the duplicate modules check (!1252) References: Message-ID: Daiki Ueno created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1252 Branches: tmp-pkcs11-reject-duplicate-modules to master Author: Daiki Ueno The check introduced by commit 12f4abc02e718e2ab0f7ae80b3026a29028536e7 prevents the same smart card drivers being accessed from multiple drivers, but also prevents using multiple different tokens configured to be used with p11-kit's "remote:" option. This reverts that behavior but adds a new flag to opt for the check. Fixes #961. ## Checklist * [x] Commits have `Signed-off-by:` with name/author being identical to the commit author * [ ] Code modified for feature * [x] Test suite updated with functionality tests * [x] Test suite updated with negative tests * [x] Documentation updated / NEWS entry present (for non-trivial changes) * [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout) ## Reviewer's checklist: * [ ] Any issues marked for closing are addressed * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md` * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1252 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon May 18 13:52:42 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 18 May 2020 11:52:42 +0000 Subject: [gnutls-devel] GnuTLS | fips: make FIPS140-2 mode enablement logic simpler (!1253) References: Message-ID: Daiki Ueno created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1253 Branches: tmp-fips-redefinition to master Author: Daiki Ueno Previously, to enable the FIPS140-2 mode, both `/etc/system-fips` and the `fips=1` kernel command line need to be set. While this was designed to be consistent, the convention is not well followed by the other crypto libraries and the former tends to be ignored. This aligns the behavior to the latter, i.e. if `fips=1` is set, the library enables the FIPS140-2 mode regardless of the existence of `/etc/system-fips`. Suggested by Alexander Sosedkin. ## Checklist * [x] Commits have `Signed-off-by:` with name/author being identical to the commit author * [ ] Code modified for feature * [ ] Test suite updated with functionality tests * [ ] Test suite updated with negative tests * [x] Documentation updated / NEWS entry present (for non-trivial changes) * [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout) ## Reviewer's checklist: * [ ] Any issues marked for closing are addressed * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md` * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1253 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon May 18 15:59:07 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 18 May 2020 13:59:07 +0000 Subject: [gnutls-devel] GnuTLS | fips: make FIPS140-2 mode enablement logic simpler (!1253) In-Reply-To: References: Message-ID: Merge request https://gitlab.com/gnutls/gnutls/-/merge_requests/1253 was reviewed by Alexander Sosedkin -- Alexander Sosedkin started a new discussion on doc/cha-internals.texi: https://gitlab.com/gnutls/gnutls/-/merge_requests/1253#note_344496724 > - at item Only approved by FIPS140-2 algorithms are enabled > - at item Only approved by FIPS140-2 key lengths are allowed for key generation > @item The random generator used switches to DRBG-AES I don't think it's true, based on https://gitlab.com/gnutls/gnutls/-/blob/a9f907be146be0df2cc756c19543ec1d10ccdef9/lib/random.c#L110. I'm not against switching to FIPS RNG on FIPS-enabled, but then I consider this MR to be dependent on actually ensuring that FIPS RNG is both enabled and self-tested in FIPS-installed-and-not-enabled scenario. On the subject of non-zero comparisons, https://gitlab.com/gnutls/gnutls/-/blob/a9f907be146be0df2cc756c19543ec1d10ccdef9/lib/crypto-selftests.c#L1943 also seems strange to me; whatever it is, I can't really rationalize it. -- Alexander Sosedkin started a new discussion on doc/cha-internals.texi: https://gitlab.com/gnutls/gnutls/-/merge_requests/1253#note_344496730 > + > + at itemize > + at item Only approved by FIPS140-2 algorithms are enabled I think it'd be nice to elaborate which classes of algorithms have the restriction enforced and which are not. AFAIK, ciphers and macs are limited, when, e.g., curve selection is not restricted. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1253 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon May 18 16:00:35 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 18 May 2020 14:00:35 +0000 Subject: [gnutls-devel] GnuTLS | fips: make FIPS140-2 mode enablement logic simpler (!1253) In-Reply-To: References: Message-ID: Alexander Sosedkin commented: The code changes look fine. Well, documentation changes look fine too, except I think they should be first reconciled with reality a bit, see above. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1253#note_344497960 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon May 18 21:22:22 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 18 May 2020 19:22:22 +0000 Subject: [gnutls-devel] GnuTLS | refine tests for ancient servers which support both SSL 3.0 and TLS 1.0, but both only with %NO_EXTENSIONS (!1251) In-Reply-To: References: Message-ID: Daniel Lenski commented: Not sure if you want a `NEWS` update given that there's already one for !1221. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1251#note_344701056 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue May 19 10:29:05 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 19 May 2020 08:29:05 +0000 Subject: [gnutls-devel] GnuTLS | fips: make FIPS140-2 mode enablement logic simpler (!1253) In-Reply-To: References: Message-ID: Merge request https://gitlab.com/gnutls/gnutls/-/merge_requests/1253 was reviewed by Alexander Sosedkin -- Alexander Sosedkin commented on a discussion on doc/cha-internals.texi: https://gitlab.com/gnutls/gnutls/-/merge_requests/1253#note_344975618 > - at item Only approved by FIPS140-2 algorithms are enabled > - at item Only approved by FIPS140-2 key lengths are allowed for key generation > @item The random generator used switches to DRBG-AES I believe that the first point is addressed in b48f7fa7, will extract the second concern into a separate comment. -- Alexander Sosedkin started a new discussion on lib/crypto-selftests.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1253#note_344975620 > #define FIPS_STARTUP_ONLY_TEST_CASE(x, func, vectors) case x: \ > - if (_gnutls_fips_mode_enabled() != 1) { \ > + if (_gnutls_fips_mode_enabled() != 1 && \ Sorry, I'm thoroughly lost here. What's the intended meaning of `FIPS_STARTUP_ONLY_TEST_CASE`? * only in FIPS? * only in FIPS and only during selftests? * when in FIPS, then it's selftests-time only; when in non-FIPS, always? * something else? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1253 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue May 19 13:41:50 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 19 May 2020 11:41:50 +0000 Subject: [gnutls-devel] GnuTLS | Allow statically linking ncrypt (win32) (!1254) References: Message-ID: Steve Lhomme created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1254 Project:Branches: robUx4/gnutls:static-ncrypt to gnutls/gnutls:master Author: Steve Lhomme This patch adds a configure option to link ncrypt statically when building for Windows. If the option is not set and gnutls is built with a `_WIN32_WINNT` which targets at least Windows Vista, then ncrypt is used statically. It's available on all versions of Windows since then. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1254 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue May 19 13:50:07 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 19 May 2020 11:50:07 +0000 Subject: [gnutls-devel] GnuTLS | use bcrypt for the windows random generator instead of wincrypt (!1255) References: Message-ID: Steve Lhomme created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1255 Project:Branches: robUx4/gnutls:nowincrypt to gnutls/gnutls:master Author: Steve Lhomme Wincrypt is deprecated and replaced by bcrypt. (see https://docs.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-cryptgenrandom) BCrypt is available in Win10 apps when wincrypt APIs are not. (see https://docs.microsoft.com/en-us/uwp/win32-and-com/win32-apis#apis-from-ncryptdll) When building for Vista and up bcrypt is automatically picked and linked statically. (by default mingw targets XP) This patch will conflict with !1254 depending on which is merged first. They rely on the same Vista detection but work independently. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1255 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue May 19 13:53:18 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 19 May 2020 11:53:18 +0000 Subject: [gnutls-devel] GnuTLS | win32: allow using ncrypt in UWP builds (!1256) References: Message-ID: Steve Lhomme created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1256 Project:Branches: robUx4/gnutls:ncrypt-uwp10 to gnutls/gnutls:master Author: Steve Lhomme It is now allowed in win10 UWP apps (not win8 UWP apps). (see https://docs.microsoft.com/en-us/uwp/win32-and-com/win32-apis#apis-from-ncryptdll) This patch will require !1254 to be merged to be usable and using LoadLibrary to load ncrypt.dll is not allowed in UWP. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1256 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue May 19 16:27:20 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 19 May 2020 14:27:20 +0000 Subject: [gnutls-devel] GnuTLS | win32: link with crypt32 (!1257) References: Message-ID: Steve Lhomme created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1257 Project:Branches: robUx4/gnutls:crpyt32 to gnutls/gnutls:master Author: Steve Lhomme Fixes linking gnutls as a static library. `-lcrypt32` was missing from the pkg-config. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1257 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue May 19 17:59:02 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 19 May 2020 15:59:02 +0000 Subject: [gnutls-devel] GnuTLS | fips: make FIPS140-2 mode enablement logic simpler (!1253) In-Reply-To: References: Message-ID: Daiki Ueno commented on a discussion on lib/crypto-selftests.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1253#note_345329190 > } > > #define FIPS_STARTUP_ONLY_TEST_CASE(x, func, vectors) case x: \ > - if (_gnutls_fips_mode_enabled() != 1) { \ > + if (_gnutls_fips_mode_enabled() != 1 && \ After checking the history of the change, it seems that: * the macro was introduced to avoid non-recoverable errors if the FIPS self-tests are run as part of library initialization * that code path, however, has been removed in the later commit 3963518d067a64412bbe0aa9ce5fc33ae729c15f Therefore, I am going to remove that macro and use `NON_FIPS_CASE` exclusively. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1253#note_345329190 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue May 19 18:01:30 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 19 May 2020 16:01:30 +0000 Subject: [gnutls-devel] GnuTLS | fips: make FIPS140-2 mode enablement logic simpler (!1253) In-Reply-To: References: Message-ID: Daiki Ueno commented on a discussion on doc/cha-internals.texi: https://gitlab.com/gnutls/gnutls/-/merge_requests/1253#note_345331656 > +configure option. > + > +There are two distinct library states with regard to FIPS140-2: the FIPS140-2 > +mode is @emph{installed} if @code{/etc/system-fips} is present, and the > +FIPS140-2 mode is @emph{enabled} if @code{/proc/sys/crypto/fips_enabled} > +contains '1', which is typically set with the ``fips=1'' kernel command line > +option. > + > +When the FIPS140-2 mode is installed, the operation of the library is modified > +as follows. > > @itemize > - at item FIPS140-2 mode is enabled when @code{/proc/sys/crypto/fips_enabled} contains '1' and @code{/etc/system-fips} is present. > - at item Only approved by FIPS140-2 algorithms are enabled > - at item Only approved by FIPS140-2 key lengths are allowed for key generation > @item The random generator used switches to DRBG-AES I've changed the RNG part to always switch to FIPS RNG if FIPS installed. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1253#note_345331656 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue May 19 19:28:33 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 19 May 2020 17:28:33 +0000 Subject: [gnutls-devel] GnuTLS | fips: make FIPS140-2 mode enablement logic simpler (!1253) In-Reply-To: References: Message-ID: Alexander Sosedkin commented on a discussion on doc/cha-internals.texi: https://gitlab.com/gnutls/gnutls/-/merge_requests/1253#note_345393863 > +as follows. > > @itemize > - at item FIPS140-2 mode is enabled when @code{/proc/sys/crypto/fips_enabled} contains '1' and @code{/etc/system-fips} is present. > - at item Only approved by FIPS140-2 algorithms are enabled > - at item Only approved by FIPS140-2 key lengths are allowed for key generation > @item The random generator used switches to DRBG-AES > @item The integrity of the GnuTLS and dependent libraries is checked on startup > @item Algorithm self-tests are run on library load > + at end itemize > + > +When the FIPS140-2 mode is enabled, The operation of the library is in addition > +modified as follows. > + > + at itemize > + at item Only approved by FIPS140-2 algorithms are enabled Or maybe state that just some of the unapproved algorithms are restricted. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1253#note_345393863 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue May 19 19:30:10 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 19 May 2020 17:30:10 +0000 Subject: [gnutls-devel] GnuTLS | fips: make FIPS140-2 mode enablement logic simpler (!1253) In-Reply-To: References: Message-ID: Alexander Sosedkin commented: r+ other than for the incidental doc clarification discussed above; doesn't have to go with this particular MR if it's tracked anywhere else. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1253#note_345394470 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri May 22 12:12:53 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 22 May 2020 10:12:53 +0000 Subject: [gnutls-devel] GnuTLS | deleting stale objects having no ID or LABEL (#1000) References: Message-ID: cek created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1000 There should be a way to delete them. Right now, when I'm specifying the URL in "Object 4 URL:" string, it tries to delete them all. There's no way to select one and get rid of it. As per [softhsm](https://github.com/opendnssec/SoftHSMv2/issues/555) suggestion, I'm logging a bugreport here. ``` # p11tool --delete --label '' 'pkcs11:library-description=Implementation%20of%20PKCS11;library-manufacturer=SoftHSM;model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=058d033952c28e72;token=SW%20token%201;type=cert' Object 0: URL: pkcs11:library-description=Implementation%20of%20PKCS11;library-manufacturer=SoftHSM;model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=058d033952c28e72;token=SW%20token%201;id=%1A;object=THECA;type=cert Type: X.509 Certificate (RSA-4096) Expires: Tue Sep 16 15:18:33 2036 Label: THECA Flags: CKA_CERTIFICATE_CATEGORY=CA; CKA_TRUSTED; ID: 1a Object 1: URL: pkcs11:library-description=Implementation%20of%20PKCS11;library-manufacturer=SoftHSM;model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=058d033952c28e72;token=SW%20token%201;id=%1A;object=EC%20Test;type=cert Type: X.509 Certificate (EC/ECDSA-SECP384R1) Expires: Tue May 10 14:25:17 2022 Label: EC Test ID: 1a Object 2: URL: pkcs11:library-description=Implementation%20of%20PKCS11;library-manufacturer=SoftHSM;model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=058d033952c28e72;token=SW%20token%201;type=cert Type: X.509 Certificate Label: ID: Object 3: URL: pkcs11:library-description=Implementation%20of%20PKCS11;library-manufacturer=SoftHSM;model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=058d033952c28e72;token=SW%20token%201;type=cert Type: X.509 Certificate Label: ID: Object 4: URL: pkcs11:library-description=Implementation%20of%20PKCS11;library-manufacturer=SoftHSM;model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=058d033952c28e72;token=SW%20token%201;type=cert Type: X.509 Certificate Label: ID: Object 5: URL: pkcs11:library-description=Implementation%20of%20PKCS11;library-manufacturer=SoftHSM;model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=058d033952c28e72;token=SW%20token%201;type=cert Type: X.509 Certificate Label: ID: Are you sure you want to delete those objects? (y/N): ``` -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1000 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri May 22 12:13:28 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 22 May 2020 10:13:28 +0000 Subject: [gnutls-devel] GnuTLS | deleting stale objects having no ID or LABEL (#1000) In-Reply-To: References: Message-ID: cek commented: issue # 1000 !!1! -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1000#note_347271966 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat May 23 09:40:02 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sat, 23 May 2020 07:40:02 +0000 Subject: [gnutls-devel] GnuTLS | RFE: gnutls_datum_wipe() (similar to private _gnutls_free_key_datum()) (#1001) References: Message-ID: Glenn Strauss created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1001 RFE: gnutls_datum_wipe() (similar to private _gnutls_free_key_datum()) GnuTLS does not expose _gnutls_free_key_datum(). Please consider creating public interfaces for wiping gnutls_datum_t, such as the following: ``` void gnutls_datum_wipe (gnutls_datum_t * const d) { if (NULL == d) return; if (d->data) { if (d->size) gnutls_memset(d->data, 0, d->size); gnutls_free(d->data); d->data = NULL; } d->size = 0; } gnutls_datum_t * gnutls__datum_alloc (void) { gnutls_datum_t *d = gnutls_malloc(sizeof(gnutls_datum_t)); if (d) { d->data = NULL; d->size = 0; } return d; } void gnutls_datum_free (gnutls_datum_t * const d) { if (NULL == d) return; gnutls_free(d->data); gnutls_free(d); } void gnutls_datum_wipe_free (gnutls_datum_t * const d) { if (NULL == d) return; gnutls_datum_wipe(d); gnutls_free(d); } ``` -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1001 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat May 23 09:58:35 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sat, 23 May 2020 07:58:35 +0000 Subject: [gnutls-devel] =?utf-8?q?GnuTLS_=7C_Does_GnuTLS_need_to_check_?= =?utf-8?b?4oCcbGFzdCB1cGRhdGXigJ0gb3Ig4oCcbmV4dCB1cGRhdGXigJ0gb2YgQ1JM?= =?utf-8?q?_during_revoking_certificate=28s=29=3F_=28=231003=29?= References: Message-ID: yuemonangong created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1003 I created two CRLs [test1.crl, test2.crl] and a certificate chain revoked by test1.crl. When ?**next update**? of two CRLs is **earlier than current time** (or ?last update? is later than current time), **GnuTLS 3.6.10** takes them as normal CRLs during certificate(s) validation, **lacking check on last update/next update of CRL**. Comparatively, **OpenSSL will check the validity** of CRL no matter using it to revoke certificate(s) or not. The command I used is: ``` certtool --verify --load_crl=test1.crl --load_ca_certificate=root.pem < leaf.pem ``` and ``` certtool --verify --load_crl=test2.crl --load_ca_certificate=root.pem < leaf.pem ``` Results of test1.crl: GnuTLS: ``` Loaded CAs (2 available) Subject: O=My Company Ltd,L=Newbury,ST=Berkshire,C=GB Issuer: CN=NCRL,OU=DDST,O=SJTU,ST=SH,C=CN Checked against: CN=NCRL,OU=DDST,O=SJTU,ST=SH,C=CN Signature algorithm: RSA-SHA256 Output: Verified. The certificate is trusted. Subject: O=My Company Ltd,L=Newbury,ST=Berkshire,C=GB Issuer: CN=NCRL,OU=DDST,O=SJTU,ST=SH,C=CN Signature algorithm: RSA-SHA256 Checked against CRL[00] of: CN=NCRL,OU=DDST,O=SJTU,ST=SH,C=CN Output: Not verified. The certificate is NOT trusted. The certificate chain is revoked. Chain verification output: Not verified. The certificate is NOT trusted. The certificate chain is revoked. ``` OpenSSL: ``` C = GB, ST = Berkshire, L = Newbury, O = My Company Ltd error 12 at 0 depth lookup: CRL has expired C = GB, ST = Berkshire, L = Newbury, O = My Company Ltd error 23 at 0 depth lookup: certificate revoked error leaf.pem: verification failed ``` Results of test2.crl: GnuTLS: ``` Loaded CAs (2 available) Subject: O=My Company Ltd,L=Newbury,ST=Berkshire,C=GB Issuer: CN=NCRL,OU=DDST,O=SJTU,ST=SH,C=CN Checked against: CN=NCRL,OU=DDST,O=SJTU,ST=SH,C=CN Signature algorithm: RSA-SHA256 Output: Verified. The certificate is trusted. Subject: O=My Company Ltd,L=Newbury,ST=Berkshire,C=GB Issuer: CN=NCRL,OU=DDST,O=SJTU,ST=SH,C=CN Signature algorithm: RSA-SHA256 Checked against CRL[00] of: CN=NCRL,OU=DDST,O=SJTU,ST=SH,C=CN Output: Verified. The certificate is trusted. Chain verification output: Verified. The certificate is trusted. ``` OpenSSL: ``` C = GB, ST = Berkshire, L = Newbury, O = My Company Ltd error 12 at 0 depth lookup: CRL has expired C = CN, ST = SH, O = SJTU, OU = DDST, CN = NCRL error 12 at 1 depth lookup: CRL has expired error leaf.pem: verification failed ``` root.pem: ``` -----BEGIN CERTIFICATE----- MIIDNDCCAhygAwIBAgIJAPU0AU3ad04vMA0GCSqGSIb3DQEBCwUAMEcxCzAJBgNV BAYTAkNOMQswCQYDVQQIDAJTSDENMAsGA1UECgwEU0pUVTENMAsGA1UECwwERERT VDENMAsGA1UEAwwETkNSTDAeFw0yMDAzMjYwODI3NDlaFw0yMzAxMTQwODI3NDla MEcxCzAJBgNVBAYTAkNOMQswCQYDVQQIDAJTSDENMAsGA1UECgwEU0pUVTENMAsG A1UECwwERERTVDENMAsGA1UEAwwETkNSTDCCASIwDQYJKoZIhvcNAQEBBQADggEP ADCCAQoCggEBAPNLlu+KPCcjj1KiZ1/sUFvFRDt3Z7WZTWjOYeJUFvycHNcYN9cE laGJ32hfjgaPw9u3cOgs0JJHwIhlQkNhSexUvgGatw336H/3FjPQCJKs48lDJG13 sDF7TK1MvG5wcF1pgRkfvoRSWOyr30aqoeQHaRnqMnT0lWBy26mmV6mgM7LPeNq8 E6jh6aLy7uep3+rO/Ef7LvFi/QWqy+vVVmr5MljXtFyWI+aLs4uFtZZ6rFw5Va4U Y6OffwchjkVex1eML4D593fobkmkubxZEm2o2Upi/Eiech7CM8HuwgqrAwoIVxi6 FlObraD90sUSUKUwohvl03tkjCTXakXF2TUCAwEAAaMjMCEwEgYDVR0TAQH/BAgw BgEB/wIBAzALBgNVHQ8EBAMCAeYwDQYJKoZIhvcNAQELBQADggEBACb6hOtUCqD5 sH4VucCO4FYFHM6nfBvB9vx+c2RPC/psam9clOvL5llrUhY070pXbZnd2hwxfnzj cdr448sVyJkHosukzZj/MyEBV9BERTUMOaY4etQxM2L33uyzn5++/NeRC2Yd53AL vY/s4znat7txqBK/izvLemLerp1Z5E58VFzLOvYNz+7vEoxMmNaU55TGh88VJIvo THaZ3LflTc7hv9eUWin0LTV0mg7cvM+/qWrM2N2hyOukztF5gCcMEgoVkpEgUCJP WsrvOumtDNuXnPr80r4N54n5TaQCTBG22Tj89klc6jUji63+UR9KKACCV44KT8hc +0ecJPmXqEU= -----END CERTIFICATE----- ``` leaf.pem: ``` -----BEGIN CERTIFICATE----- MIIDITCCAgmgAwIBAgIBATANBgkqhkiG9w0BAQsFADBHMQswCQYDVQQGEwJDTjEL MAkGA1UECAwCU0gxDTALBgNVBAoMBFNKVFUxDTALBgNVBAsMBEREU1QxDTALBgNV BAMMBE5DUkwwHhcNOTYwODAxMDAwMDAwWhcNMjAxMjMxMjM1OTU5WjBMMQswCQYD VQQGEwJHQjESMBAGA1UECBMJQmVya3NoaXJlMRAwDgYDVQQHEwdOZXdidXJ5MRcw FQYDVQQKEw5NeSBDb21wYW55IEx0ZDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC AQoCggEBAL+N0yePi18I/+MxN/31iBehb2rO5s8MzykUz3aGp3BG/5uEFueqoYZN CNLA38wIUT/ry8wIw+jlTNj29L7Q9uOX8+10XgF4VTVtN14KT0s7tZ5dLjGRD7ft fZF03ifbGYp39fW2Wjutjo4Jyop+Bm7g6SrSJB3uaioITpZh8Xf7MHo+kNjJKPsu ZlVVNQ3T5WQWzoskcpRRIujv7U/NATuRzXODUzqnw+HGavu2qTX3falo5i0dzzrt 9yCtLKqtC+0oX+kZPIi3ib/o20fY3hEXwYstq5sKpvV25xgKTbtwRN1KlMIhfSQN uFXIg/Rd6rbd9P60zPYxzOTwMsaEysECAwEAAaMTMBEwDwYDVR0TAQH/BAUwAwEB /zANBgkqhkiG9w0BAQsFAAOCAQEAKhf5CQGxsJCzkFJv26ggzi2HxN/X/eXcwJyy 3gfPP0JZNLzRb6bmracLui58LyCX+0tmY5TA1G3V94Vdu2LIUMRoANwKszTxhW/n 8oNvXDji+E62EsivCtoPgYRAwFE0q4flvcWzDwGlqCfEdaG1uqYGLlLxW8gmHdFs pKJf4yCzQOn04RmReXOhaAtyUT+xp9AUzawzr2PPGA75x7B07HT4ezLPWy+l1X0o gMBOWm3AwrwTD8k1B488NiKivCYjBn6UPG0r9/gKxSvdEJEJ6SyM8+Jw+f7lij8i 55LYqy8oyPPknQOAWzB+KZkCbqkcBGJLEPR35agBN/SDSdioXA== -----END CERTIFICATE----- ``` test1.crl: ``` -----BEGIN X509 CRL----- MIIBtjCBnwIBATANBgkqhkiG9w0BAQ4FADBHMQswCQYDVQQGEwJDTjELMAkGA1UE CAwCU0gxDTALBgNVBAoMBFNKVFUxDTALBgNVBAsMBEREU1QxDTALBgNVBAMMBE5D UkwXDTIwMDIxMDAzMjczMloXDTIwMDMzMTAzMjczMlowFDASAgEBFw0yMTAzMTYw MzI3MzJaoA4wDDAKBgNVHRQEAwIBADANBgkqhkiG9w0BAQ4FAAOCAQEA2Pdr+xMb XqLhN50342Kvv7QZyr8ocgVDjmeg15PjbbdubTqFwxgvBy62VscE46NuYBFHBL9D aDXGngVgxyQeBDFDTozcb2AcqbMtT1UtFQ/KnkYL9FZg+Vv4xJywAz0GjXvjcUiw wMzL4nzwarnLyLElNdyXA9+aMWdCYySaumUDS0fWFEpAKgjByNJ2neDPW/SF8G87 E5tbdC28lMNJepewQC5lJONeleNOz65U5zjd60KY+vjEPtf85RAf8W3dzSSWzY6W qe2IOt4hGrE6aOVc+yE4ykrPoagZeA4c4oOZTq7b3T+MidrDV3ckdIYYC4vWvcVj /CoixkTJXBRnYw== -----END X509 CRL----- ``` test2.crl: ``` -----BEGIN X509 CRL----- MIIBoDCBiQIBATANBgkqhkiG9w0BAQ4FADBHMQswCQYDVQQGEwJDTjELMAkGA1UE CAwCU0gxDTALBgNVBAoMBFNKVFUxDTALBgNVBAsMBEREU1QxDTALBgNVBAMMBE5D UkwXDTIwMDIxMDAzMzEyNloXDTIwMDMzMTAzMzEyNlqgDjAMMAoGA1UdFAQDAgEA MA0GCSqGSIb3DQEBDgUAA4IBAQCYxlVo38+wlB1zt+VIWusPZGJhe5Kda5B7lgB7 qxoAio79rY/in0ydTKbvPa4CJk4HfwcFxbDlZE/9uDlt9teVsYSvrswQnCriab02 DvQMA8pi7qtOB0I6l+3jajojZ4TqulDhJiZAqnjjEUmkXgbN+oIdj4+TVt4mGGBA HGjQdDpnDLpYEqNqhLvP7H8D0ErsSIw+M74iTP/1hMWdhfPjdYDwrtJ2EyIo5OpW HQ23xQRgTh/65qqdc7165vI6PTUCAeB2rIFiDX5SSF+teCjQM47sONLFoglFz1me gqHldvb5wHvdhrSbTNCgCCkksgnJmnm9w7vYwnaNvD1BK+n7 -----END X509 CRL----- ``` -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1003 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat May 23 10:41:54 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sat, 23 May 2020 08:41:54 +0000 Subject: [gnutls-devel] GnuTLS | Issues require labels (#982) In-Reply-To: References: Message-ID: Issue was closed by Daiki Ueno Issue #982: https://gitlab.com/gnutls/gnutls/-/issues/982 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/982 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat May 23 10:43:47 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sat, 23 May 2020 08:43:47 +0000 Subject: [gnutls-devel] GnuTLS | Issues require labels (#972) In-Reply-To: References: Message-ID: Issue was closed by Daiki Ueno Issue #972: https://gitlab.com/gnutls/gnutls/-/issues/972 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/972 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat May 23 10:47:40 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sat, 23 May 2020 08:47:40 +0000 Subject: [gnutls-devel] GnuTLS | x509: aki: always print authorityCert info (!1249) In-Reply-To: References: Message-ID: Merge Request !1249 was approved by Daiki Ueno Merge Request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1249 Project:Branches: GostCrypt/gnutls:fix-aki to gnutls/gnutls:master Author: Dmitry Baryshkov Assignees: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1249 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat May 23 10:49:13 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sat, 23 May 2020 08:49:13 +0000 Subject: [gnutls-devel] GnuTLS | x509: support commonName extension (!1250) In-Reply-To: References: Message-ID: Merge Request !1250 was approved by Daiki Ueno Merge Request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1250 Project:Branches: GostCrypt/gnutls:x509-common-name to gnutls/gnutls:master Author: Dmitry Baryshkov Assignees: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1250 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat May 23 10:51:43 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sat, 23 May 2020 08:51:43 +0000 Subject: [gnutls-devel] GnuTLS | Vendor-in libtasn1 sources in a form of minitasn1 (!1247) In-Reply-To: References: Message-ID: Merge request https://gitlab.com/gnutls/gnutls/-/merge_requests/1247 was reviewed by Daiki Ueno -- Daiki Ueno started a new discussion on devel/import-minitasn1.sh: https://gitlab.com/gnutls/gnutls/-/merge_requests/1247#note_347736528 > +#!/bin/sh > + > +# This script copies files from the nettle upstream, with necessary s/nettle/libtasn1/ -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1247 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat May 23 10:52:00 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sat, 23 May 2020 08:52:00 +0000 Subject: [gnutls-devel] GnuTLS | Vendor-in libtasn1 sources in a form of minitasn1 (!1247) In-Reply-To: References: Message-ID: Merge Request !1247 was approved by Daiki Ueno Merge Request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1247 Branches: tmp-vendor-minitasn1 to master Author: Dmitry Baryshkov Assignees: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1247 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat May 23 10:52:47 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sat, 23 May 2020 08:52:47 +0000 Subject: [gnutls-devel] GnuTLS | Vendor-in libtasn1 sources in a form of minitasn1 (!1247) In-Reply-To: References: Message-ID: Daiki Ueno commented: Looks good to me. I assume that the relevant part is already tested in the CI, with `--with-included-libtasn1`? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1247#note_347736670 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat May 23 15:28:30 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sat, 23 May 2020 13:28:30 +0000 Subject: [gnutls-devel] GnuTLS | Cannot connect to github.com, download.mono-project.com (#990) In-Reply-To: References: Message-ID: Maarten Boekhold commented: I just discovered the `gnutls-cli-debug` program, posting the output below in case it can be of any help: ``` $ gnutls-cli-debug github.com GnuTLS debug client 3.6.13 Checking github.com:443 whether the server accepts default record size (512 bytes)... yes whether %ALLOW_SMALL_RECORDS is required... no whether we need to disable TLS 1.2... no whether we need to disable TLS 1.1... no whether we need to disable TLS 1.0... no whether %NO_EXTENSIONS is required... no whether %COMPAT is required... no for TLS 1.0 (RFC2246) support... no for TLS 1.1 (RFC4346) support... no fallback from TLS 1.1 to... failed for TLS 1.2 (RFC5246) support... yes for TLS 1.3 (RFC8446) support... yes for known TLS or SSL protocols support... yes TLS1.2 neg fallback from TLS 1.6 to... TLS1.2 for HTTPS server name... unknown for certificate chain order... sorted for safe renegotiation (RFC5746) support... yes for encrypt-then-MAC (RFC7366) support... yes for ext master secret (RFC7627) support... yes for heartbeat (RFC6520) support... no for version rollback bug in RSA PMS... dunno for version rollback bug in Client Hello... no whether the server ignores the RSA PMS version... yes whether small records (512 bytes) are tolerated on handshake... yes whether cipher suites not in SSL 3.0 spec are accepted... yes whether a bogus TLS record version in the client hello is accepted... yes whether the server understands TLS closure alerts... yes whether the server supports session resumption... no for anonymous authentication support... no for RSA key exchange support... yes for ephemeral Diffie-Hellman support... no for RFC7919 Diffie-Hellman support... no for ephemeral EC Diffie-Hellman support... yes for VKO GOST-2012 (draft-smyshlyaev-tls12-gost-suites) support... no for curve SECP256r1 (RFC4492)... no for curve SECP384r1 (RFC4492)... no for curve SECP521r1 (RFC4492)... no for curve X25519 (RFC8422)... yes for AES-GCM cipher (RFC5288) support... yes for AES-CCM cipher (RFC6655) support... no for AES-CCM-8 cipher (RFC6655) support... no for AES-CBC cipher (RFC3268) support... yes for CAMELLIA-GCM cipher (RFC6367) support... no for CAMELLIA-CBC cipher (RFC5932) support... no for 3DES-CBC cipher (RFC2246) support... no for ARCFOUR 128 cipher (RFC2246) support... no for CHACHA20-POLY1305 cipher (RFC7905) support... yes for GOST28147-CNT cipher (draft-smyshlyaev-tls12-gost-suites) support... no for MD5 MAC support... no for SHA1 MAC support... yes for SHA256 MAC support... yes for GOST28147-IMIT MAC (draft-smyshlyaev-tls12-gost-suites) support... no for max record size (RFC6066) support... yes for OCSP status response (RFC6066) support... no ``` -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/990#note_347776171 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat May 23 16:53:53 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sat, 23 May 2020 14:53:53 +0000 Subject: [gnutls-devel] GnuTLS | Cannot connect to pop.verizon.net:995 (#997) In-Reply-To: References: Message-ID: rrivers2 commented: [allow_zero_length_session_tickets.patch](/uploads/26bec94f704ed4f5530703e377d7232b/allow_zero_length_session_tickets.patch) Daiki, Will Ubuntu upgrade the version of GnuTLS in 18.04 from 3.5 to 3.6? If not, I attached a first cut at a patch to allow zero length sessions tickets returned by a server. It is based on the latest source code from Ubuntu 18.04 in the gnutls28-3.5.18 package. After the patch is applied gnutls-cli will connect to pop.verizon.net:995 successfully, display the banner and prompt for input: ``` - Handshake was completed - Simple Client Mode: +OK Hello from jpop-0.1 ``` More testing is needed to make sure that setting priv->session_ticket to NULL and priv->session_ticket_len to 0 doesn't break the rest of the code. Testing with the current version of OpenSSL on Ubuntu 18.04.4 (1.1.1-1ubuntu2.1~18.04.5) showed that it is able to handle zero length session tickets: ``` openssl s_client -msg -tls1_2 -connect pop.verizon.net:995 <<< TLS 1.2, Handshake [length 000a], NewSessionTicket 04 00 00 06 00 00 00 3c 00 00 ``` It displays the banner and waits for input. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/997#note_347792969 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat May 23 17:14:31 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sat, 23 May 2020 15:14:31 +0000 Subject: [gnutls-devel] GnuTLS | Cannot connect to pop.verizon.net:995 (#997) In-Reply-To: References: Message-ID: Daiki Ueno commented: Thank you for the patch, that looks correct and still applicable to 3.6. Would you like to file a merge request? I'd remove the `if` around `gnutls_free` and the `else` clause in `_gnutls_recv_new_session_ticket`, which should be unnecessary. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/997#note_347801370 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat May 23 18:27:38 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sat, 23 May 2020 16:27:38 +0000 Subject: [gnutls-devel] GnuTLS | Cannot connect to github.com, download.mono-project.com (#990) In-Reply-To: References: Message-ID: Tim R?hsen commented: On Debian with GnuTLS 3.6.13-2, i don't have the mentioned issue. The connection is established to both mentioned sites. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/990#note_347813753 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat May 23 18:31:51 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sat, 23 May 2020 16:31:51 +0000 Subject: [gnutls-devel] GnuTLS | Update session_ticket.c to Add support for zero length session tickets returned from the server (!1258) References: Message-ID: rrivers2 created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1258 Project:Branches: rrivers2/gnutls:patch-1 to gnutls/gnutls:master Author: rrivers2 Add a description of the new feature/bug fix. Reference any relevant bugs. ## Checklist * [x] Commits have `Signed-off-by:` with name/author being identical to the commit author * [ ] Code modified for feature * [ ] Test suite updated with functionality tests * [ ] Test suite updated with negative tests * [ ] Documentation updated / NEWS entry present (for non-trivial changes) * [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout) ## Reviewer's checklist: * [ ] Any issues marked for closing are addressed * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md` * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1258 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat May 23 18:34:37 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sat, 23 May 2020 16:34:37 +0000 Subject: [gnutls-devel] GnuTLS | Cannot connect to pop.verizon.net:995 (#997) In-Reply-To: References: Message-ID: rrivers2 commented: Thanks Daiki! I submitted a merge request with the changes you asked for included. This is the first time I have done this so let me know if there is anything else that needs to be modified. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/997#note_347814550 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun May 24 03:14:19 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sun, 24 May 2020 01:14:19 +0000 Subject: [gnutls-devel] GnuTLS | Update session_ticket.c to Add support for zero length session tickets returned from the server (!1258) In-Reply-To: References: Message-ID: Merge Request !1258 was closed by rrivers2 Merge Request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1258 Project:Branches: rrivers2/gnutls:patch-1 to gnutls/gnutls:master Author: rrivers2 Assignees: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1258 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun May 24 03:22:57 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sun, 24 May 2020 01:22:57 +0000 Subject: [gnutls-devel] GnuTLS | Update session_ticket.c Add support for zero length session tickets returned from the server (!1259) References: Message-ID: rrivers2 created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1259 Project:Branches: rrivers2/gnutls:master to gnutls/gnutls:master Author: rrivers2 Add a description of the new feature/bug fix. Reference any relevant bugs. ## Checklist * [x] Commits have `Signed-off-by:` with name/author being identical to the commit author * [ ] Code modified for feature * [ ] Test suite updated with functionality tests * [ ] Test suite updated with negative tests * [ ] Documentation updated / NEWS entry present (for non-trivial changes) * [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout) ## Reviewer's checklist: * [ ] Any issues marked for closing are addressed * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md` * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1259 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun May 24 11:40:26 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sun, 24 May 2020 09:40:26 +0000 Subject: [gnutls-devel] GnuTLS | Cannot connect to github.com, download.mono-project.com (#990) In-Reply-To: References: Message-ID: Maarten Boekhold commented on a discussion: https://gitlab.com/gnutls/gnutls/-/issues/990#note_347953159 @rockdaboot the issue is specific to my **geography** (United Arab Emirates). If I switch on a VPN so my connection is routed through, say, Amsterdam, it works fine. I suspect some interference from the local telecom operator is breaking this from this location (and no, neither github.com nor mono-project.com are blocked, they work fine from web browsers and anything OpenSSL based). -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/990#note_347953159 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun May 24 13:28:09 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sun, 24 May 2020 11:28:09 +0000 Subject: [gnutls-devel] GnuTLS | Cannot connect to github.com, download.mono-project.com (#990) In-Reply-To: References: Message-ID: Tim R?hsen commented on a discussion: https://gitlab.com/gnutls/gnutls/-/issues/990#note_347965938 So, one step further now :-) I mean, knowing that it's your provider. The gnutls-cli-debug output here looks exactly the same than yours. Do you have a TLS server where you can use tshark / tcpdump ? If so, see if you can reproduce the issue and make sure that it works with your VPN. Next, capture the packages for both connections on the server. Then compare. There could just be packets being split in the network, for example. I see no other way to track it down. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/990#note_347965938 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun May 24 13:58:13 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sun, 24 May 2020 11:58:13 +0000 Subject: [gnutls-devel] GnuTLS | Cannot connect to github.com, download.mono-project.com (#990) In-Reply-To: References: Message-ID: Maarten Boekhold commented on a discussion: https://gitlab.com/gnutls/gnutls/-/issues/990#note_347969144 I don't have a TLS server available right now, but (with some research) I could set one up on an Azure instance somewhere. Thing is, this doesn't happen with all TLS servers, only a few ones, and so far I've only identified github.com and mono-project.com. So I assume this behavior is also very specific to server configuration, and there's no guarantee that if I set up a TLS server, I will experience the same issue... will keep thinking of some way to get further in this... -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/990#note_347969144 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun May 24 17:36:12 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sun, 24 May 2020 15:36:12 +0000 Subject: [gnutls-devel] GnuTLS | Update session_ticket.c Add support for zero length session tickets returned from the server (!1259) In-Reply-To: References: Message-ID: Merge Request !1259 was closed by rrivers2 Merge Request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1259 Project:Branches: rrivers2/gnutls:master to gnutls/gnutls:master Author: rrivers2 Assignees: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1259 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun May 24 20:46:15 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sun, 24 May 2020 18:46:15 +0000 Subject: [gnutls-devel] GnuTLS | Vendor-in libtasn1 sources in a form of minitasn1 (!1247) In-Reply-To: References: Message-ID: Dmitry Baryshkov commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/1247#note_348023475 Yes, it is tested by that clause. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1247#note_348023475 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun May 24 20:47:12 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sun, 24 May 2020 18:47:12 +0000 Subject: [gnutls-devel] GnuTLS | Vendor-in libtasn1 sources in a form of minitasn1 (!1247) In-Reply-To: References: Message-ID: All discussions on Merge Request !1247 were resolved by Dmitry Baryshkov https://gitlab.com/gnutls/gnutls/-/merge_requests/1247 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1247 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun May 24 20:47:12 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sun, 24 May 2020 18:47:12 +0000 Subject: [gnutls-devel] GnuTLS | Vendor-in libtasn1 sources in a form of minitasn1 (!1247) In-Reply-To: References: Message-ID: Dmitry Baryshkov commented on a discussion on devel/import-minitasn1.sh: https://gitlab.com/gnutls/gnutls/-/merge_requests/1247#note_348023596 > +#!/bin/sh > + > +# This script copies files from the nettle upstream, with necessary Fixed -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1247#note_348023596 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun May 24 20:48:25 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sun, 24 May 2020 18:48:25 +0000 Subject: [gnutls-devel] GnuTLS | GnuTLS does not recognize the DirName and serial of the extension AKI (#991) In-Reply-To: References: Message-ID: Issue was closed by Dmitry Baryshkov via commit 603fb91743ba66b46333d614d2d56d403d6c5a3d Issue #991: https://gitlab.com/gnutls/gnutls/-/issues/991 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/991 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun May 24 20:48:25 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sun, 24 May 2020 18:48:25 +0000 Subject: [gnutls-devel] GnuTLS | GnuTLS does not recognize the DirName and serial of the extension AKI (#991) In-Reply-To: References: Message-ID: Issue was closed by Dmitry Baryshkov via merge request !1249 (https://gitlab.com/gnutls/gnutls/-/merge_requests/1249) Issue #991: https://gitlab.com/gnutls/gnutls/-/issues/991 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/991 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun May 24 20:48:25 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sun, 24 May 2020 18:48:25 +0000 Subject: [gnutls-devel] GnuTLS | x509: aki: always print authorityCert info (!1249) In-Reply-To: References: Message-ID: Merge Request !1249 was merged Merge Request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1249 Project:Branches: GostCrypt/gnutls:fix-aki to gnutls/gnutls:master Author: Dmitry Baryshkov Assignees: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1249 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun May 24 20:49:25 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sun, 24 May 2020 18:49:25 +0000 Subject: [gnutls-devel] GnuTLS | x509: support commonName extension (!1250) In-Reply-To: References: Message-ID: Merge Request !1250 was merged Merge Request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1250 Project:Branches: GostCrypt/gnutls:x509-common-name to gnutls/gnutls:master Author: Dmitry Baryshkov Assignees: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1250 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun May 24 20:49:25 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sun, 24 May 2020 18:49:25 +0000 Subject: [gnutls-devel] GnuTLS | GnuTLS does not recognize the extension "commonName" (#989) In-Reply-To: References: Message-ID: Issue was closed by Dmitry Baryshkov via commit a79c1b931c116bdda2559d31b14a509e16a8fd93 Issue #989: https://gitlab.com/gnutls/gnutls/-/issues/989 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/989 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun May 24 20:49:25 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sun, 24 May 2020 18:49:25 +0000 Subject: [gnutls-devel] GnuTLS | GnuTLS does not recognize the extension "commonName" (#989) In-Reply-To: References: Message-ID: Issue was closed by Dmitry Baryshkov via merge request !1250 (https://gitlab.com/gnutls/gnutls/-/merge_requests/1250) Issue #989: https://gitlab.com/gnutls/gnutls/-/issues/989 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/989 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun May 24 20:52:58 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sun, 24 May 2020 18:52:58 +0000 Subject: [gnutls-devel] GnuTLS | Allow statically linking ncrypt (win32) (!1254) In-Reply-To: References: Message-ID: Dmitry Baryshkov commented: @robUx4 could you please adjust CI timeout settings (Settings/CICD/General pipelines/Timeout) to 2 hours and restart failed jobs for all your merge requests? Thank you! -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1254#note_348024381 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun May 24 21:17:37 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sun, 24 May 2020 19:17:37 +0000 Subject: [gnutls-devel] GnuTLS | use bcrypt for the windows random generator instead of wincrypt (!1255) In-Reply-To: References: Message-ID: Dmitry Baryshkov started a new discussion on lib/nettle/sysrng-windows.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1255#note_348027234 > */ > > #include > +#ifdef HAVE_BCRYPT_ALG_HANDLE > +#include > +#else > #include > +#endif > > get_entropy_func _rnd_get_system_entropy = NULL; > > +#ifdef HAVE_BCRYPT_ALG_HANDLE > +static BCRYPT_ALG_HANDLE device_fd = 0; > +#else > static HCRYPTPROV device_fd = 0; > +#endif This file is small enough. I'd suggest to introduce two separate versions: one for WinCrypt API, one for BCrypy API instead of putting `#ifdef` everywhere. Then one can select between them in `Makefile.am` using a conditional. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1255#note_348027234 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun May 24 21:27:37 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sun, 24 May 2020 19:27:37 +0000 Subject: [gnutls-devel] GnuTLS | Allow statically linking ncrypt (win32) (!1254) In-Reply-To: References: Message-ID: Dmitry Baryshkov started a new discussion on configure.ac: https://gitlab.com/gnutls/gnutls/-/merge_requests/1254#note_348028407 > *mingw32* | *mingw64*) > have_win=yes > AC_DEFINE([_UNICODE], [1], [Defined to 1 for Unicode (wide chars) APIs]) > + AC_PREPROC_IFELSE([AC_LANG_PROGRAM( > + [[#include > + #if defined(_WIN32_WINNT) && _WIN32_WINNT >= 0x0600 > + # error Vista APIs allowed statically > + #endif > + ]],[[;]])],[have_vista_dynamic=yes],[have_vista_dynamic=no]) > + AC_ARG_ENABLE(dyn_ncrypt, > + AS_HELP_STRING([--enable-dyn-ncrypt], [use ncrypt dynamically]), If I understand you correctly, one must use `DYN_NCRYPT` for WinXP/Win7, but can always use static linking when building for Vista+. I'd suggest to drop this `AC_ARG_ENABLE` altogether. You can select whether to define `DYN_NCRYPT` depending on the `_WIN32_WINNT`. Also could you please add a separate testcase to .gitlab-ci.yml till MinGW switches to Vista+ by default? And last but not least it might be sensible to move `FreeLibrary` calls also under `#ifndef DYN_NCRYPT` calls. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1254#note_348028407 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun May 24 21:29:12 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sun, 24 May 2020 19:29:12 +0000 Subject: [gnutls-devel] GnuTLS | use bcrypt for the windows random generator instead of wincrypt (!1255) In-Reply-To: References: Message-ID: Dmitry Baryshkov started a new discussion on configure.ac: https://gitlab.com/gnutls/gnutls/-/merge_requests/1255#note_348028571 > > AM_CONDITIONAL(HAVE_LIBIDN2, test "$with_libidn2" != "no") > > +AC_ARG_ENABLE(bcrypt, > +AS_HELP_STRING([--enable-bcrypt], > + [use bcrypt for random generator on Windows (otherwise wincrypt)]), > + use_win_bcrypt=$enableval, use_win_bcrypt=no) > +if test "x$have_vista_dynamic" = "xno"; then > + if test "x$use_win_bcrypt" != xno; then > + AC_CHECK_TYPES([BCRYPT_ALG_HANDLE],[LIBBCRYPT="-lbcrypt"],[],[#include > + #include ]) > + fi > +fi > +AC_SUBST([LIBBCRYPT]) As with !1254 if there is no point in manually selecting WinCrypt for Vista+ builds, I'd suggest to select one depending on the selected version. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1255#note_348028571 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun May 24 21:36:51 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sun, 24 May 2020 19:36:51 +0000 Subject: [gnutls-devel] GnuTLS | win32: allow using ncrypt in UWP builds (!1256) In-Reply-To: References: Message-ID: Dmitry Baryshkov started a new discussion on lib/system/keys-win.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1256#note_348029422 > > CertCloseStore(store, 0); > return ret; > -#endif > +#endif /* WINAPI_PARTITION_DESKTOP || _WIN32_WINNT_WIN10 */ > } It looks like this function would benefit from splitting into two separate codepieces: one for NCrypt, one for WinCrypt API. Then it would be easier to put them under proper `#ifdef` guards and have umbrella function just call both of them. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1256#note_348029422 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun May 24 21:37:42 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sun, 24 May 2020 19:37:42 +0000 Subject: [gnutls-devel] GnuTLS | win32: link with crypt32 (!1257) In-Reply-To: References: Message-ID: Dmitry Baryshkov commented: This one looks good to me and can go once CI timeouts are fixed and all jobs are marked as passing. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1257#note_348029511 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun May 24 22:00:16 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sun, 24 May 2020 20:00:16 +0000 Subject: [gnutls-devel] GnuTLS | Vendor-in libtasn1 sources in a form of minitasn1 (!1247) In-Reply-To: References: Message-ID: Merge Request !1247 was merged Merge Request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1247 Branches: tmp-vendor-minitasn1 to master Author: Dmitry Baryshkov Assignees: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1247 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun May 24 22:46:11 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sun, 24 May 2020 20:46:11 +0000 Subject: [gnutls-devel] GnuTLS | GnuTLS leaks file descriptors in child processes (#985) In-Reply-To: References: Message-ID: Tim R?hsen commented on a discussion: https://gitlab.com/gnutls/gnutls/-/issues/985#note_348037058 @daiki There is a new gnulib module fopen-gnu that takes care for the 'e' flag, see https://lists.gnu.org/archive/html/bug-gnulib/2020-05/msg00294.html Updating gnulib, adding `fopen-gnu` to `boostrap.conf`, adding the 'e' flag to `fopen`/`fdopen` and O_CLOEXEC to `open()` should fix this issue. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/985#note_348037058 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun May 24 23:18:08 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sun, 24 May 2020 21:18:08 +0000 Subject: [gnutls-devel] GnuTLS | GnuTLS leaks file descriptors in child processes (#985) In-Reply-To: References: Message-ID: Tim R?hsen commented on a discussion: https://gitlab.com/gnutls/gnutls/-/issues/985#note_348040454 But let's think about what happens when being forked... should a forked thread fail, e.g. when in the middle of reading a file ? That might break the forked process or at least throws up errors - the consequences are unforseeable. So each case of open / fopen has to be thought of. Forking a multi-threaded process without a defined state of the threads is almost uncontrollable and IMO one of the worst ideas I heard of in a long time. @daiki I have to leave the decision on you. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/985#note_348040454 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon May 25 00:55:40 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sun, 24 May 2020 22:55:40 +0000 Subject: [gnutls-devel] libtasn1 | SIZE: restore handling of SIZE nodes (!68) References: Message-ID: Dmitry Baryshkov created a merge request: https://gitlab.com/gnutls/libtasn1/-/merge_requests/68 Branches: tmp-restore-size to master Author: Dmitry Baryshkov Add a description of the new feature/bug fix. Reference any relevant bugs. ## Checklist * [x] Code modified for feature * [x] Test suite updated with functionality tests * [ ] Test suite updated with negative tests * [ ] Documentation updated ## Reviewer's checklist: * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent with other code * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/-/merge_requests/68 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon May 25 01:12:59 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sun, 24 May 2020 23:12:59 +0000 Subject: [gnutls-devel] GnuTLS | Update session_ticket.c to add support for zero length session tickets returned from the server (!1260) References: Message-ID: rrivers2 created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1260 Project:Branches: rrivers2/gnutls:rrivers2-master-patch-89518 to gnutls/gnutls:master Author: rrivers2 Add a description of the new feature/bug fix. Reference any relevant bugs. ## Checklist * [x] Commits have `Signed-off-by:` with name/author being identical to the commit author * [x] Code modified for feature * [ ] Test suite updated with functionality tests * [ ] Test suite updated with negative tests * [ ] Documentation updated / NEWS entry present (for non-trivial changes) * [x] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout) ## Reviewer's checklist: * [ ] Any issues marked for closing are addressed * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md` * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1260 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon May 25 06:46:21 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 25 May 2020 04:46:21 +0000 Subject: [gnutls-devel] GnuTLS | GnuTLS leaks file descriptors in child processes (#985) In-Reply-To: References: Message-ID: Remi Denis-Courmont commented on a discussion: https://gitlab.com/gnutls/gnutls/-/issues/985#note_348103783 `fork()` is very limited in a multi-thread process. But that is a red herring: The problem is not `fork()` here. The problem comes with `exec()` family functions, which leak file descriptors. If you call `exec()` directly, the problem exists all the same - it's just far more likely that `fork()` would occur first. And if you don't like the idea of calling `fork()` then `exec()` in a multi-thread process, you can imagine using a function from the `posix_spawn()` instead: same causes, same problem. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/985#note_348103783 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon May 25 06:46:54 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 25 May 2020 04:46:54 +0000 Subject: [gnutls-devel] GnuTLS | Update session_ticket.c to add support for zero length session tickets returned from the server (!1260) In-Reply-To: References: Message-ID: Daiki Ueno commented: Thank you! -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1260#note_348103875 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon May 25 06:47:02 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 25 May 2020 04:47:02 +0000 Subject: [gnutls-devel] GnuTLS | Update session_ticket.c to add support for zero length session tickets returned from the server (!1260) In-Reply-To: References: Message-ID: Merge Request !1260 was merged Merge Request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1260 Project:Branches: rrivers2/gnutls:rrivers2-master-patch-89518 to gnutls/gnutls:master Author: rrivers2 Assignees: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1260 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon May 25 06:46:58 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 25 May 2020 04:46:58 +0000 Subject: [gnutls-devel] GnuTLS | Update session_ticket.c to add support for zero length session tickets returned from the server (!1260) In-Reply-To: References: Message-ID: Merge Request !1260 was approved by Daiki Ueno Merge Request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1260 Project:Branches: rrivers2/gnutls:rrivers2-master-patch-89518 to gnutls/gnutls:master Author: rrivers2 Assignees: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1260 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon May 25 09:56:44 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 25 May 2020 07:56:44 +0000 Subject: [gnutls-devel] GnuTLS | win32: link with crypt32 (!1257) In-Reply-To: References: Message-ID: Steve Lhomme commented: The settings trick worked. Thanks ! I'll update the other patches once this is merged as they modify the same file in the same place so I will need to rebase them properly. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1257#note_348174624 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon May 25 10:42:48 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 25 May 2020 08:42:48 +0000 Subject: [gnutls-devel] GnuTLS | GnuTLS leaks file descriptors in child processes (#985) In-Reply-To: References: Message-ID: Tim R?hsen commented on a discussion: https://gitlab.com/gnutls/gnutls/-/issues/985#note_348213844 > But that is a red herring: The problem is not fork() here. The problem comes with exec() family functions Yes, you are right, fork and exec are two different pais of shoes. Forking a MT application needs application logic to deal with e.g. write-open files (not suddenly having two processes writing into the same file). And that is a different issue than the exec() one, leaking file descriptors. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/985#note_348213844 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon May 25 10:46:15 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 25 May 2020 08:46:15 +0000 Subject: [gnutls-devel] libtasn1 | SIZE: restore handling of SIZE nodes (!68) In-Reply-To: References: Message-ID: Merge Request !68 was approved by Tim R?hsen Merge Request url: https://gitlab.com/gnutls/libtasn1/-/merge_requests/68 Branches: tmp-restore-size to master Author: Dmitry Baryshkov Assignees: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/-/merge_requests/68 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon May 25 10:49:31 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 25 May 2020 08:49:31 +0000 Subject: [gnutls-devel] libtasn1 | fuzz/Makefile.am: do not force static (!61) In-Reply-To: References: Message-ID: Tim R?hsen commented: @ffontaine Could you just restart the MinGW32 runner, please ? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/-/merge_requests/61#note_348218175 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon May 25 10:53:24 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 25 May 2020 08:53:24 +0000 Subject: [gnutls-devel] GnuTLS | win32: link with crypt32 (!1257) In-Reply-To: References: Message-ID: Merge Request !1257 was approved by Dmitry Baryshkov Merge Request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1257 Project:Branches: robUx4/gnutls:crpyt32 to gnutls/gnutls:master Author: Steve Lhomme Assignees: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1257 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon May 25 10:53:53 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 25 May 2020 08:53:53 +0000 Subject: [gnutls-devel] GnuTLS | win32: link with crypt32 (!1257) In-Reply-To: References: Message-ID: Merge Request !1257 was merged Merge Request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1257 Project:Branches: robUx4/gnutls:crpyt32 to gnutls/gnutls:master Author: Steve Lhomme Assignees: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1257 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon May 25 10:54:05 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 25 May 2020 08:54:05 +0000 Subject: [gnutls-devel] GnuTLS | win32: link with crypt32 (!1257) In-Reply-To: References: Message-ID: Dmitry Baryshkov commented: done, thank you -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1257#note_348221250 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon May 25 15:24:58 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 25 May 2020 13:24:58 +0000 Subject: [gnutls-devel] GnuTLS | Update session_ticket.c to add support for zero length session tickets returned from the server (!1260) In-Reply-To: References: Message-ID: rrivers2 commented: Daiki, thanks for all your help and patience while I created the merge request! Do you have any advice on getting the various distro?s to backport the changes? I have a ticket open at launchpad.net originally filed against evolution which another user beat me to linking the gnutls28 package. I hope that is sufficient for Ubuntu and its derivatives. Also, I would like to commend you on the debugging implemented in this project. That made it easy to pinpoint the issue. Well done! -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1260#note_348397922 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon May 25 15:42:51 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 25 May 2020 13:42:51 +0000 Subject: [gnutls-devel] GnuTLS | lib: improve external file loading (!1261) References: Message-ID: Daiki Ueno created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1261 Branches: tmp-fileio to master Author: Daiki Ueno This tightens the logic loading private keys from the file, and also improves thread safety as pointed in #985. ## Checklist * [x] Commits have `Signed-off-by:` with name/author being identical to the commit author * [ ] Code modified for feature * [ ] Test suite updated with functionality tests * [ ] Test suite updated with negative tests * [ ] Documentation updated / NEWS entry present (for non-trivial changes) * [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout) ## Reviewer's checklist: * [ ] Any issues marked for closing are addressed * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md` * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1261 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon May 25 16:54:22 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 25 May 2020 14:54:22 +0000 Subject: [gnutls-devel] GnuTLS | Allow statically linking ncrypt (win32) (!1254) In-Reply-To: References: Message-ID: Steve Lhomme commented: * It's a *must* when targeting XP because it may not be available. Above XP it's guaranteed to be there. * I just wanted to give the option for anyone who still want to use a DLL loading. It's possible people want as little hard dependencies as possible, so when gnutls is loaded it doesn't grab a whole bunch of other DLLs. In dynamic mode the DLL will only be loaded if it's really used. So IMO it's still good to provide the option, even though by default the static linking is preferred. * I'll have a look at the CI thing * OK -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1254#note_348456507 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon May 25 17:07:58 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 25 May 2020 15:07:58 +0000 Subject: [gnutls-devel] GnuTLS | lib: improve external file loading (!1261) In-Reply-To: References: Message-ID: Tim R?hsen started a new discussion on lib/auth/psk_passwd.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1261#note_348465129 > > /* Open the selected password file. > */ > - fd = fopen(cred->password_file, "r"); Did you read my comments in #985 ? "Updating gnulib, adding fopen-gnu to boostrap.conf, adding the 'e' flag to fopen/fdopen and O_CLOEXEC to open()." Since 'e' is proposed POSIX and understood on most systems already, we should use it for fopen. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1261#note_348465129 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon May 25 18:07:01 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 25 May 2020 16:07:01 +0000 Subject: [gnutls-devel] GnuTLS | win32: allow using ncrypt in UWP builds (!1256) In-Reply-To: References: Message-ID: Steve Lhomme commented on a discussion on lib/system/keys-win.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1256#note_348498035 > > CertCloseStore(store, 0); > return ret; > -#endif > +#endif /* WINAPI_PARTITION_DESKTOP || _WIN32_WINNT_WIN10 */ > } I've split the two versions of the import. Not sure if you wanted to `#ifdef` the `_gnutls_privkey_import_system_url` as well with a version that does nothing and one the regular calls. IMO it's not worth. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1256#note_348498035 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon May 25 18:33:10 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 25 May 2020 16:33:10 +0000 Subject: [gnutls-devel] GnuTLS | lib: improve external file loading (!1261) In-Reply-To: References: Message-ID: Daiki Ueno commented on a discussion on lib/auth/psk_passwd.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1261#note_348510432 > > /* Open the selected password file. > */ > - fd = fopen(cred->password_file, "r"); Oh, sorry; for some reason I missed the notification. That's awesome! I'll try to simplify the patches (perhaps the `read-file` module can also benefit from the 'e' flag). -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1261#note_348510432 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon May 25 20:44:06 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 25 May 2020 18:44:06 +0000 Subject: [gnutls-devel] GnuTLS | Allow statically linking ncrypt (win32) (!1254) In-Reply-To: References: Message-ID: Dmitry Baryshkov started a new discussion on .gitlab-ci.yml: https://gitlab.com/gnutls/gnutls/-/merge_requests/1254#note_348558716 > - win64-build/ > retry: 1 > > +MinGW64.Vista: > + stage: stage1-testing > + image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$MINGW_BUILD > + script: > + - ./bootstrap > + - export CC="ccache x86_64-w64-mingw32-gcc" > + # Target Vista instead of XP, currently the default in mingw > + - export CFLAGS="-D_WIN32_WINT=0x600" > + - export CXXFLAGS="$CFLAGS" Great! However if you replace these two lines (`CFLAGS`/`CXXFLAGS`) with just `export CPPFLAGS=-DWIN32_WINNT=0x600`, will it work? `configure` tends to set `CFLAGS` to sane default (`-g -O2`) if it is not set. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1254#note_348558716 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon May 25 20:47:02 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 25 May 2020 18:47:02 +0000 Subject: [gnutls-devel] GnuTLS | win32: allow using ncrypt in UWP builds (!1256) In-Reply-To: References: Message-ID: Dmitry Baryshkov commented on a discussion on lib/system/keys-win.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1256#note_348559826 > > CertCloseStore(store, 0); > return ret; > -#endif > +#endif /* WINAPI_PARTITION_DESKTOP || _WIN32_WINNT_WIN10 */ > } This is good, thank you. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1256#note_348559826 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon May 25 20:47:03 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 25 May 2020 18:47:03 +0000 Subject: [gnutls-devel] GnuTLS | win32: allow using ncrypt in UWP builds (!1256) In-Reply-To: References: Message-ID: All discussions on Merge Request !1256 were resolved by Dmitry Baryshkov https://gitlab.com/gnutls/gnutls/-/merge_requests/1256 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1256 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon May 25 20:53:02 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 25 May 2020 18:53:02 +0000 Subject: [gnutls-devel] GnuTLS | win32: allow using ncrypt in UWP builds (!1256) In-Reply-To: References: Message-ID: All discussions on Merge Request !1256 were resolved by Dmitry Baryshkov https://gitlab.com/gnutls/gnutls/-/merge_requests/1256 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1256 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon May 25 20:53:53 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 25 May 2020 18:53:53 +0000 Subject: [gnutls-devel] GnuTLS | Allow statically linking ncrypt (win32) (!1254) In-Reply-To: References: Message-ID: Dmitry Baryshkov commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/1254#note_348562103 fine with me then. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1254#note_348562103 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon May 25 20:54:55 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 25 May 2020 18:54:55 +0000 Subject: [gnutls-devel] GnuTLS | fips: make FIPS140-2 mode enablement logic simpler (!1253) In-Reply-To: References: Message-ID: Dmitry Baryshkov commented: @dueno @asosedkin is this MR finished or you do plan to update the docs? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1253#note_348562423 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon May 25 22:19:33 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 25 May 2020 20:19:33 +0000 Subject: [gnutls-devel] GnuTLS | fips: make FIPS140-2 mode enablement logic simpler (!1253) In-Reply-To: References: Message-ID: Daiki Ueno commented on a discussion on doc/cha-internals.texi: https://gitlab.com/gnutls/gnutls/-/merge_requests/1253#note_348586056 > +as follows. > > @itemize > - at item FIPS140-2 mode is enabled when @code{/proc/sys/crypto/fips_enabled} contains '1' and @code{/etc/system-fips} is present. > - at item Only approved by FIPS140-2 algorithms are enabled > - at item Only approved by FIPS140-2 key lengths are allowed for key generation > @item The random generator used switches to DRBG-AES > @item The integrity of the GnuTLS and dependent libraries is checked on startup > @item Algorithm self-tests are run on library load > + at end itemize > + > +When the FIPS140-2 mode is enabled, The operation of the library is in addition > +modified as follows. > + > + at itemize > + at item Only approved by FIPS140-2 algorithms are enabled I'd rather keep the documentation as-is, because some part of the restriction is now being moved to the configuration (crypto-policies). If we explicitly mention the default behavior, it might be an obstacle when we support FIPS140-3 in the future. Or I could be wrong. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1253#note_348586056 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon May 25 22:36:40 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 25 May 2020 20:36:40 +0000 Subject: [gnutls-devel] GnuTLS | fips: make FIPS140-2 mode enablement logic simpler (!1253) In-Reply-To: References: Message-ID: Merge Request !1253 was approved by Dmitry Baryshkov Merge Request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1253 Branches: tmp-fips-redefinition to master Author: Daiki Ueno Assignees: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1253 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon May 25 23:18:13 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 25 May 2020 21:18:13 +0000 Subject: [gnutls-devel] GnuTLS | WIP: AIA callback to retrieve missing chain certificates (!1262) References: Message-ID: Sahana Prasad created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1262 Project:Branches: sahprasa/gnutls:aia to gnutls/gnutls:master Author: Sahana Prasad Add a description of the new feature/bug fix. Reference any relevant bugs. ## Checklist * [ ] Commits have `Signed-off-by:` with name/author being identical to the commit author * [ ] Code modified for feature * [ ] Test suite updated with functionality tests * [ ] Test suite updated with negative tests * [ ] Documentation updated / NEWS entry present (for non-trivial changes) * [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout) ## Reviewer's checklist: * [ ] Any issues marked for closing are addressed * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md` * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1262 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue May 26 07:02:46 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 26 May 2020 05:02:46 +0000 Subject: [gnutls-devel] GnuTLS | Allow statically linking ncrypt (win32) (!1254) In-Reply-To: References: Message-ID: Steve Lhomme commented: Ah yes, you're right. I even used `AC_PREPROC_IFELSE` in configure.ac. I tend to set all three of them as I'm never sure CPPFLAGS is used in addition to CFLAGS/CXXFLAGS. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1254#note_348709806 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue May 26 07:49:15 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 26 May 2020 05:49:15 +0000 Subject: [gnutls-devel] GnuTLS | use bcrypt for the windows random generator instead of wincrypt (!1255) In-Reply-To: References: Message-ID: Steve Lhomme commented on a discussion on lib/nettle/sysrng-windows.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1255#note_348723767 > */ > > #include > +#ifdef HAVE_BCRYPT_ALG_HANDLE > +#include > +#else > #include > +#endif > > get_entropy_func _rnd_get_system_entropy = NULL; > > +#ifdef HAVE_BCRYPT_ALG_HANDLE > +static BCRYPT_ALG_HANDLE device_fd = 0; > +#else > static HCRYPTPROV device_fd = 0; > +#endif Done -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1255#note_348723767 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue May 26 07:50:49 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 26 May 2020 05:50:49 +0000 Subject: [gnutls-devel] GnuTLS | use bcrypt for the windows random generator instead of wincrypt (!1255) In-Reply-To: References: Message-ID: Steve Lhomme commented on a discussion on configure.ac: https://gitlab.com/gnutls/gnutls/-/merge_requests/1255#note_348724345 > > AM_CONDITIONAL(HAVE_LIBIDN2, test "$with_libidn2" != "no") > > +AC_ARG_ENABLE(bcrypt, > +AS_HELP_STRING([--enable-bcrypt], > + [use bcrypt for random generator on Windows (otherwise wincrypt)]), > + use_win_bcrypt=$enableval, use_win_bcrypt=no) > +if test "x$have_vista_dynamic" = "xno"; then > + if test "x$use_win_bcrypt" != xno; then > + AC_CHECK_TYPES([BCRYPT_ALG_HANDLE],[LIBBCRYPT="-lbcrypt"],[],[#include > + #include ]) > + fi > +fi > +AC_SUBST([LIBBCRYPT]) I removed the option and rebased on top of !1254 to get the same Vista detection and Vista CI build. This MR shouldn't be merged until !1254 is merged. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1255#note_348724345 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue May 26 08:03:04 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 26 May 2020 06:03:04 +0000 Subject: [gnutls-devel] GnuTLS | Allow statically linking ncrypt (win32) (!1254) In-Reply-To: References: Message-ID: Steve Lhomme commented: It seems setting the CPPFLAGS triggers some error in the CI: ``` configure: error: `CFLAGS' was set to `-D_WIN32_WINT=0x600' in the previous run configure: error: `CPPFLAGS' was not set in the previous run configure: error: `CXXFLAGS' was set to `-D_WIN32_WINT=0x600' in the previous run ``` I don't know what to do about this. Is it because it's the same image that is used ? I have the [same thing](https://gitlab.com/robUx4/gnutls/-/jobs/567149004) in !1255 which didn't have the Vista CI before. Is there a way to reset this ? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1254#note_348732386 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue May 26 08:25:12 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 26 May 2020 06:25:12 +0000 Subject: [gnutls-devel] GnuTLS | Allow statically linking ncrypt (win32) (!1254) In-Reply-To: References: Message-ID: Steve Lhomme commented: I think it has something to do with this ``` Restoring cache 00:04 Checking cache for MinGW64.Vista-ver14-1... Downloading cache.zip from https://storage.googleapis.com/gitlab-com-runners-cache/project/11160790/MinGW64.Vista-ver14-1 ``` But I don't know how to force a new version of MinGW64.Vista. If anything I can change the name... -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1254#note_348741054 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue May 26 10:56:57 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 26 May 2020 08:56:57 +0000 Subject: [gnutls-devel] GnuTLS | Build failure on macOS Catalina 10.15.4 under Xcode 11.4. (#966) In-Reply-To: References: Message-ID: Reassigned Issue 966 https://gitlab.com/gnutls/gnutls/-/issues/966 Assignee changed to Dmitry Baryshkov -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/966 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue May 26 10:57:56 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 26 May 2020 08:57:56 +0000 Subject: [gnutls-devel] GnuTLS | Build failure on macOS Catalina 10.15.4 under Xcode 11.4. (#966) In-Reply-To: References: Message-ID: Dmitry Baryshkov commented: @crossd @Siguza could you please check if compiling the following code with `-Wl,-no_weak_imports` would result in an error for you, but will work without this option: ```c #include int main(void) { fd_set rfds; FD_ZERO(&rfds); FD_SET(0, &rfds); return 1; } ``` -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/966#note_348856217 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue May 26 11:01:31 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 26 May 2020 09:01:31 +0000 Subject: [gnutls-devel] GnuTLS | tests: disable slow tests if configured with --disable-full-test-suite (!1263) References: Message-ID: Dmitry Baryshkov created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1263 Project:Branches: GostCrypt/gnutls:fix-testsuite to gnutls/gnutls:master Author: Dmitry Baryshkov Add a description of the new feature/bug fix. Reference any relevant bugs. ## Checklist * [x] Commits have `Signed-off-by:` with name/author being identical to the commit author * [x] Code modified for feature * [ ] Test suite updated with functionality tests * [ ] Test suite updated with negative tests * [ ] Documentation updated / NEWS entry present (for non-trivial changes) * [x] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout) ## Reviewer's checklist: * [ ] Any issues marked for closing are addressed * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md` * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1263 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue May 26 11:04:47 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 26 May 2020 09:04:47 +0000 Subject: [gnutls-devel] GnuTLS | Service Desk (from noloader@gmail.com): GnuTLS 3.6.12 and Failed slow tests with --disable-full-test-suite (#929) In-Reply-To: References: Message-ID: Dmitry Baryshkov commented: Could you please provide your testing box details and the logs of failed tests? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/929#note_348862289 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue May 26 11:05:07 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 26 May 2020 09:05:07 +0000 Subject: [gnutls-devel] GnuTLS | Issues require labels (#998) In-Reply-To: References: Message-ID: Issue was closed by Dmitry Baryshkov Issue #998: https://gitlab.com/gnutls/gnutls/-/issues/998 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/998 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue May 26 11:05:17 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 26 May 2020 09:05:17 +0000 Subject: [gnutls-devel] GnuTLS | Issues require labels (#963) In-Reply-To: References: Message-ID: Issue was closed by Dmitry Baryshkov Issue #963: https://gitlab.com/gnutls/gnutls/-/issues/963 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/963 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue May 26 11:05:39 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 26 May 2020 09:05:39 +0000 Subject: [gnutls-devel] GnuTLS | Issues require labels (#955) In-Reply-To: References: Message-ID: Issue was closed by Dmitry Baryshkov Issue #955: https://gitlab.com/gnutls/gnutls/-/issues/955 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/955 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue May 26 12:09:10 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 26 May 2020 10:09:10 +0000 Subject: [gnutls-devel] GnuTLS | configure.ac: add -fno-builtin-strcmp if valgrind is enabled (!1264) References: Message-ID: Dmitry Baryshkov created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1264 Project:Branches: GostCrypt/gnutls:fix-valgrind to gnutls/gnutls:master Author: Dmitry Baryshkov Add a description of the new feature/bug fix. Reference any relevant bugs. ## Checklist * [x] Commits have `Signed-off-by:` with name/author being identical to the commit author * [x] Code modified for feature * [ ] Test suite updated with functionality tests * [ ] Test suite updated with negative tests * [ ] Documentation updated / NEWS entry present (for non-trivial changes) * [x] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout) ## Reviewer's checklist: * [ ] Any issues marked for closing are addressed * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md` * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1264 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue May 26 12:09:32 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 26 May 2020 10:09:32 +0000 Subject: [gnutls-devel] GnuTLS | Valgrind: Testsuite fails when libgnutls is built with -O2 (#944) In-Reply-To: References: Message-ID: Milestone changed to Release of GnuTLS 3.6.14 (Mar 31, 2020?Jun 1, 2020) ( https://gitlab.com/gnutls/gnutls/-/milestones/28 ) -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/944 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue May 26 12:09:52 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 26 May 2020 10:09:52 +0000 Subject: [gnutls-devel] GnuTLS | Build failure on macOS Catalina 10.15.4 under Xcode 11.4. (#966) In-Reply-To: References: Message-ID: Milestone changed to Release of GnuTLS 3.6.14 (Mar 31, 2020?Jun 1, 2020) ( https://gitlab.com/gnutls/gnutls/-/milestones/28 ) -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/966 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue May 26 12:14:11 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 26 May 2020 10:14:11 +0000 Subject: [gnutls-devel] GnuTLS | tests: build datefudge-check during make all (!1265) References: Message-ID: Dmitry Baryshkov created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1265 Project:Branches: GostCrypt/gnutls:build-datefudge-check to gnutls/gnutls:master Author: Dmitry Baryshkov Add a description of the new feature/bug fix. Reference any relevant bugs. ## Checklist * [x] Commits have `Signed-off-by:` with name/author being identical to the commit author * [x] Code modified for feature * [ ] Test suite updated with functionality tests * [ ] Test suite updated with negative tests * [ ] Documentation updated / NEWS entry present (for non-trivial changes) * [x] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout) ## Reviewer's checklist: * [ ] Any issues marked for closing are addressed * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md` * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1265 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue May 26 12:17:27 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 26 May 2020 10:17:27 +0000 Subject: [gnutls-devel] GnuTLS | Build failure on macOS Catalina 10.15.4 under Xcode 11.4. (#966) In-Reply-To: References: Message-ID: Siguza commented: @lumag ``` % cc -o t t.c % cc -o t t.c -Wl,-no_weak_imports ld: weak import of symbol '___darwin_check_fd_set_overflow' not supported because of option: -no_weak_imports for architecture x86_64 clang: error: linker command failed with exit code 1 (use -v to see invocation) ``` -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/966#note_348919236 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue May 26 12:37:18 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 26 May 2020 10:37:18 +0000 Subject: [gnutls-devel] GnuTLS | session resumption: ability to limit resumption to TLS 1.3+ connections (#477) In-Reply-To: References: Message-ID: Petr ?pa?ek commented: Hi! With TLS 1.3 out, could you please consider this? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/477#note_348940017 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue May 26 14:56:29 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 26 May 2020 12:56:29 +0000 Subject: [gnutls-devel] GnuTLS | Cannot connect to github.com, download.mono-project.com (#990) In-Reply-To: References: Message-ID: Maarten Boekhold commented on a discussion: https://gitlab.com/gnutls/gnutls/-/issues/990#note_349129974 @rockdaboot Can I ask one question? How is `gnutls-cli-debug` able to complete successfully, while `gnutls-cli` is not? If I run `gnutls-cli-debug -d 4 github.com`, I can see: ``` |<4>| HSK[0x558b10fd4620]: CLIENT HELLO was queued [254 bytes] |<3>| ASSERT: ../../lib/buffers.c[get_last_packet]:1168 |<4>| HSK[0x558b10fd4620]: SERVER HELLO (2) was received. Length 93[93], frag offset 0, frag length: 93, sequence: 0 |<3>| ASSERT: ../../lib/buffers.c[get_last_packet]:1159 |<3>| ASSERT: ../../lib/buffers.c[_gnutls_handshake_io_recv_int]:1411 ``` If on the other hand I run `gnutls-cli -d 4 github.com`, I never get passed the `CLIENT HELLO was queued`: ``` <4>| HSK[0x55da6730e920]: CLIENT HELLO was queued [351 bytes] |<3>| ASSERT: ../../lib/buffers.c[get_last_packet]:1168 |<3>| ASSERT: ../../lib/buffers.c[_gnutls_stream_read]:337 |<3>| ASSERT: ../../lib/buffers.c[_gnutls_io_read_buffered]:589 |<3>| ASSERT: ../../lib/record.c[recv_headers]:1183 |<3>| ASSERT: ../../lib/record.c[_gnutls_recv_in_buffers]:1309 |<3>| ASSERT: ../../lib/buffers.c[_gnutls_handshake_io_recv_int]:1446 |<3>| ASSERT: ../../lib/handshake.c[_gnutls_recv_handshake]:1531 |<3>| ASSERT: ../../lib/handshake.c[handshake_client]:2918 *** Fatal error: The operation timed out ``` Note however that the CLIENT HELLO packets are clearly different. With `gnutls-cli-debug -d 4 github.com 2>&1 | grep 'CLIENT HELLO'`, I can see that it's never using the same CLIENT HELLO packet as `gnutls-cli github.com`. I've discovered as well that the following 2 invocations work! - `gnutls-cli --priority=PERFORMANCE github.com` - `gnutls-cli --priority=SECURE128 github.com` Using `SECURE256` results in: ``` $ gnutls-cli --priority=SECURE256 github.com Processed 128 CA certificate(s). Resolving 'github.com:443'... Connecting to '140.82.118.3:443'... *** Fatal error: A TLS fatal alert has been received. *** Received alert [40]: Handshake failed ``` Also discovered is that `gnutls-cli --priority=NORMAL:-VERS-TLS1.3 github.com` is working. So this looks to be something related to TLSv1.3... I'll continue digging, suggestions to narrow down the priorities to exclude would be much appreciated however. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/990#note_349129974 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue May 26 15:08:18 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 26 May 2020 13:08:18 +0000 Subject: [gnutls-devel] GnuTLS | Cannot connect to github.com, download.mono-project.com (#990) In-Reply-To: References: Message-ID: Maarten Boekhold commented on a discussion: https://gitlab.com/gnutls/gnutls/-/issues/990#note_349149207 I think I've got deeper. I was studying the captures of the GnuTLS vs OpenSSL network traffic (posted earlier), and I noticed a difference in the "Key Share extension". OpenSSL only advertises "x25519", while GnuTLS also advertises "secp256r1". So I ran: ``` gnutls-cli github.com --priority=NORMAL:-GROUP-SECP256R1 ``` I'll now go and try to figure out how I can set up a web server somewhere with TLSv1.3 and SECP256R1 enabled... -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/990#note_349149207 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue May 26 15:22:03 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 26 May 2020 13:22:03 +0000 Subject: [gnutls-devel] GnuTLS | configure: check that -no_weak_links works with FD_SET (!1266) References: Message-ID: Dmitry Baryshkov created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1266 Project:Branches: GostCrypt/gnutls:tmp-fix-macosx-link to gnutls/gnutls:master Author: Dmitry Baryshkov Add a description of the new feature/bug fix. Reference any relevant bugs. ## Checklist * [x] Commits have `Signed-off-by:` with name/author being identical to the commit author * [x] Code modified for feature * [x] Test suite updated with functionality tests * [ ] Test suite updated with negative tests * [ ] Documentation updated / NEWS entry present (for non-trivial changes) * [x] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout) ## Reviewer's checklist: * [ ] Any issues marked for closing are addressed * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md` * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1266 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue May 26 15:48:20 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 26 May 2020 13:48:20 +0000 Subject: [gnutls-devel] GnuTLS | Build failure on macOS Catalina 10.15.4 under Xcode 11.4. (#966) In-Reply-To: References: Message-ID: Dmitry Baryshkov commented: Should be fixed by !1266 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/966#note_349233783 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue May 26 15:56:51 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 26 May 2020 13:56:51 +0000 Subject: [gnutls-devel] GnuTLS | Cannot connect to github.com, download.mono-project.com (#990) In-Reply-To: References: Message-ID: Maarten Boekhold commented: Sorry for all the updates... I've got an Apache HTTPD up and running with TLSv1.3 enabled, and it's exhibiting the exact same issue as github.com: - DOESN'T WORK: `gnutls-cli xxxxx.westeurope.cloudapp.azure.com` - WORKS: `gnutls-cli --priority=NORMAL:-GROUP-SECP256R1 xxxxx.westeurope.cloudapp.azure.com` @dueno, @rockdaboot suggested doing a tshark packet capture on the *server side*. I'm not sure how to handle that with the decryption however. Could you provide some suggestions here? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/990#note_349254435 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue May 26 17:02:52 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 26 May 2020 15:02:52 +0000 Subject: [gnutls-devel] GnuTLS | algorithms: implement X448 key exchange and Ed448 signature scheme (!984) In-Reply-To: References: Message-ID: Vladim?r ?un?t commented: @dueno: we noticed that ed448 is disabled when using SECURE192 priority string. Is that intentional? (say, due to the code being new) This MR's commit 07596231f2 extended `_sign_priority_secure128` but not `_sign_priority_secure192`. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/984#note_349374656 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue May 26 18:02:36 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 26 May 2020 16:02:36 +0000 Subject: [gnutls-devel] GnuTLS | Cannot connect to pop.verizon.net:995 (#997) In-Reply-To: References: Message-ID: Issue was closed by Dmitry Baryshkov Issue #997: https://gitlab.com/gnutls/gnutls/-/issues/997 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/997 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue May 26 18:02:36 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 26 May 2020 16:02:36 +0000 Subject: [gnutls-devel] GnuTLS | Cannot connect to pop.verizon.net:995 (#997) In-Reply-To: References: Message-ID: Dmitry Baryshkov commented: Closed by !1260 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/997#note_349428024 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue May 26 18:09:28 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 26 May 2020 16:09:28 +0000 Subject: [gnutls-devel] GnuTLS | Cannot connect to github.com, download.mono-project.com (#990) In-Reply-To: References: Message-ID: Dmitry Baryshkov commented: @boekhold could you please just capture the packets on the server side (w/o decryption, etc). That would help. Ideally would be to have two captures: one for the server side, one for the client side. And if you could get actual packet dumps (`tshark -w`/`tcpdump -w`) that would be the best. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/990#note_349432149 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue May 26 18:25:35 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 26 May 2020 16:25:35 +0000 Subject: [gnutls-devel] GnuTLS | Add support for AES Key Wrap (#976) In-Reply-To: References: Message-ID: Dmitry Baryshkov commented: I'm currently working on CMS (PKCS#7) support. It also requires me to implement key wrapping. I'm thinking about implementing a lightweight API (separate from generic `gnutls_cipher`) doing only keywrap. Does that sound good to you or you'd prefer to have KW algorithms to be a part of main `gnutls_cipher` family? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/976#note_349446383 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue May 26 19:34:20 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 26 May 2020 17:34:20 +0000 Subject: [gnutls-devel] GnuTLS | Cannot connect to github.com, download.mono-project.com (#990) In-Reply-To: References: Message-ID: Maarten Boekhold commented: @lumag will work on getting this info tomorrow. In the mean time, I think there's a way on Ubuntu 20.04 to disable elliptic crypto curves globally, using `update-crypto-policies` (not installed by default). I just can't figure out the right invocation for that. Tried some variations of `update-crypto-policy --set DEFAULT:NO-GROUP-SECP256R1` but all variations I've tried complain about `Unknown policy`... -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/990#note_349489599 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue May 26 20:27:43 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 26 May 2020 18:27:43 +0000 Subject: [gnutls-devel] GnuTLS | Update session_ticket.c to add support for zero length session tickets returned from the server (!1260) In-Reply-To: References: Message-ID: Daiki Ueno commented: @ametzler do you have any idea on the backport? This is going to be serious as Yahoo!'s IMAP server also behaves the [same](https://bugzilla.redhat.com/show_bug.cgi?id=1838187). -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1260#note_349512337 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue May 26 20:59:31 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 26 May 2020 18:59:31 +0000 Subject: [gnutls-devel] GnuTLS | Update session_ticket.c to add support for zero length session tickets returned from the server (!1260) In-Reply-To: References: Message-ID: Andreas Metzler commented: On 2020-05-26 Daiki Ueno commented: > @ametzler do you have any idea on the backport? This is going to be serious as Yahoo!'s IMAP server also behaves the [same](https://bugzilla.redhat.com/show_bug.cgi?id=1838187). Thanks for the heads-up. I have a gnutls stable update in the review queue and will look whether I can add another fix. cu Andreas -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1260#note_349534904 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue May 26 21:01:14 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 26 May 2020 19:01:14 +0000 Subject: [gnutls-devel] GnuTLS | Update session_ticket.c to add support for zero length session tickets returned from the server (!1260) In-Reply-To: References: Message-ID: rrivers2 commented: @dueno Just to let you know the impact is larger than that as one company runs the Yahoo, AOL, Verizon.net, AT&T and Bell South, etc servers. The original launchpad bug report I filed on May 1 is here: https://bugs.launchpad.net/ubuntu/+source/evolution/+bug/1876286 To add insult to injury yesterday the smtp server stopped working and now I can't send any email. I'm working on creating a new bug report for that issue. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1260#note_349535626 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue May 26 21:28:20 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 26 May 2020 19:28:20 +0000 Subject: [gnutls-devel] GnuTLS | Remove the support for SRP protocol (#201) In-Reply-To: References: Message-ID: Dmitry Baryshkov commented: @dueno should we consider this for 3.7? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/201#note_349546654 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue May 26 22:03:36 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 26 May 2020 20:03:36 +0000 Subject: [gnutls-devel] GnuTLS | Add support for AES Key Wrap (#976) In-Reply-To: References: Message-ID: Nicolas Mora commented: I think having AES-KW outside of the `gnutls_cipher` family would make it more readable. Although, I'll be happy anyway, as long as I can use AES-KW as defined in RFC 3394, using default initial value or alternative initial values. Thanks a lot for the support! If you need help to test the AES-KW implementation, I'll be happy to! -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/976#note_349566634 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue May 26 22:04:49 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 26 May 2020 20:04:49 +0000 Subject: [gnutls-devel] GnuTLS | handle OID 1.3.6.1.4.1.11129.2.4.2 (x.509 extension for certificate transparency SCTs) (#232) In-Reply-To: References: Message-ID: Dmitry Baryshkov commented: @pmevzek any update on your code? If you need any help, please don't hesitate to ask questions. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/232#note_349567171 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue May 26 22:09:32 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 26 May 2020 20:09:32 +0000 Subject: [gnutls-devel] GnuTLS | Add support for AES Key Wrap (#976) In-Reply-To: References: Message-ID: Dmitry Baryshkov commented: BTW: I noticed that you'd benefit from AES192-GCM. Is it so? Should it also be supported by GnuTLS (in addition to 128 and 256-bit versions). -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/976#note_349569083 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue May 26 22:15:50 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 26 May 2020 20:15:50 +0000 Subject: [gnutls-devel] GnuTLS | Add support for AES Key Wrap (#976) In-Reply-To: References: Message-ID: Nicolas Mora commented: Indeed, having `AES192-GCM` available would be awesome! As well as `RSA-OAEP` and `ECDH-ES` but those last 2 are for another feature request :) *I'd love to implement all the `Supported Cryptographic Algorithms for Key Management` in JWA* -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/976#note_349571249 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue May 26 22:52:51 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 26 May 2020 20:52:51 +0000 Subject: [gnutls-devel] GnuTLS | via padlock: add support for AES-192 (#1004) References: Message-ID: Dmitry Baryshkov created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1004 Assignee: Dmitry Baryshkov Padlock code misses support for AES-192. Extend it to support AES-192. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1004 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue May 26 23:36:18 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 26 May 2020 21:36:18 +0000 Subject: [gnutls-devel] GnuTLS | lib: add support for AES-192-GCM (!1267) References: Message-ID: Dmitry Baryshkov created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1267 Project:Branches: GostCrypt/gnutls:add-aes192-gcm to gnutls/gnutls:master Author: Dmitry Baryshkov Add a description of the new feature/bug fix. Reference any relevant bugs. ## Checklist * [x] Commits have `Signed-off-by:` with name/author being identical to the commit author * [x] Code modified for feature * [x] Test suite updated with functionality tests * [ ] Test suite updated with negative tests * [x] Documentation updated / NEWS entry present (for non-trivial changes) * [x] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout) ## Reviewer's checklist: * [ ] Any issues marked for closing are addressed * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md` * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1267 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue May 26 23:38:37 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 26 May 2020 21:38:37 +0000 Subject: [gnutls-devel] GnuTLS | Add support for AES Key Wrap (#976) In-Reply-To: References: Message-ID: Dmitry Baryshkov commented: AES-192-GCM support is pending in !1267 (with the hope to get it in 3.6.14). AES-KW will probably be a 3.7.x material. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/976#note_349619252 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed May 27 07:03:49 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 27 May 2020 05:03:49 +0000 Subject: [gnutls-devel] GnuTLS | Cannot connect to github.com, download.mono-project.com (#990) In-Reply-To: References: Message-ID: Maarten Boekhold commented: @lumag all requested files attached... The files are the "-w" capture files - [novpn-client.packets](/uploads/2c9da5bf0b1fe9bd3ad47e90da4c98e1/novpn-client.packets) - [novpn-server.packets](/uploads/649f675cf29e18a1a52d3dfbf29cc225/novpn-server.packets) - [vpn-client.packets](/uploads/994e79e4b5cfaea184d808412b2418e1/vpn-client.packets) - [vpn-server.packets](/uploads/8acb5e6e30a75216731a78e26360c949/vpn-server.packets) -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/990#note_349728378 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed May 27 16:54:19 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 27 May 2020 14:54:19 +0000 Subject: [gnutls-devel] GnuTLS | lib: improve external file loading (!1261) In-Reply-To: References: Message-ID: Tim R?hsen started a new discussion on lib/priority.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1261#note_350146329 > { > int ret; > struct stat sb; > + FILE *fd; `fd` normally means file descriptor, `fp` means file pointer. Having `FILE *fd` is a bit irritating, at least to me. At GNU Poke I recently introduced this syntax-check rule in `cfg.mk` ;-) ``` sc_jemarchism_file_fd: @prohibit='FILE \*fd[,;]' \ exclude=cfg.mk \ halt='do not use FILE *fd, use FILE *fp instead' \ $(_sc_search_regexp) ``` -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1261#note_350146329 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed May 27 17:02:47 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 27 May 2020 15:02:47 +0000 Subject: [gnutls-devel] GnuTLS | lib: improve external file loading (!1261) In-Reply-To: References: Message-ID: Tim R?hsen started a new discussion on lib/cert-cred-rawpk.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1261#note_350154379 > > } else { > /* Read our raw public-key into memory from file */ > - rawpubkey.data = (void*) read_file(rawpkfile, RF_BINARY, &key_size); > + rawpubkey.data = (void*) read_file(rawpkfile, `rawpubkey` is only used in this else block. Why not moving the variable declaration here to narrow the scope ? (yes, this change isn't directly related. but would be a good opportunity when touching the code.) -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1261#note_350154379 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed May 27 17:09:50 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 27 May 2020 15:09:50 +0000 Subject: [gnutls-devel] GnuTLS | lib: improve external file loading (!1261) In-Reply-To: References: Message-ID: Tim R?hsen started a new discussion on lib/cert-cred-rawpk.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1261#note_350159090 > ret = gnutls_pcert_import_rawpk_raw(pcert, &rawpubkey, > format, key_usage, 0); > > - _gnutls_free_datum(&rawpubkey); > + zeroize_key(rawpubkey.data, rawpubkey.size); Why not using `_gnutls_free_key_datum` here ? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1261#note_350159090 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed May 27 17:14:12 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 27 May 2020 15:14:12 +0000 Subject: [gnutls-devel] GnuTLS | lib: improve external file loading (!1261) In-Reply-To: References: Message-ID: Tim R?hsen commented on a discussion on lib/cert-cred-rawpk.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1261#note_350163869 > > } else { > /* Read our raw public-key into memory from file */ > - rawpubkey.data = (void*) read_file(rawpkfile, RF_BINARY, &key_size); > + rawpubkey.data = (void*) read_file(rawpkfile, same goes for `key_size` -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1261#note_350163869 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed May 27 17:16:09 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 27 May 2020 15:16:09 +0000 Subject: [gnutls-devel] GnuTLS | lib: improve external file loading (!1261) In-Reply-To: References: Message-ID: Tim R?hsen started a new discussion on lib/cert-cred-x509.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1261#note_350165389 > ret = > gnutls_certificate_set_x509_simple_pkcs12_mem(res, &p12blob, > type, password); > + zeroize_key(p12blob.data, p12blob.size); Maybe also a job for _gnutls_free_key_datum -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1261#note_350165389 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed May 27 18:27:23 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 27 May 2020 16:27:23 +0000 Subject: [gnutls-devel] GnuTLS | lib: improve external file loading (!1261) In-Reply-To: References: Message-ID: Daiki Ueno commented on a discussion on lib/cert-cred-rawpk.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1261#note_350214224 > ret = gnutls_pcert_import_rawpk_raw(pcert, &rawpubkey, > format, key_usage, 0); > > - _gnutls_free_datum(&rawpubkey); > + zeroize_key(rawpubkey.data, rawpubkey.size); Because `_gnutls_free_key_datum` assumes that the memory is allocated using `gnutls_malloc` and friends, while `read_file` allocates it with the system `malloc`. This might not be a problem nowadays, as the custom allocator support was removed long ago, but I'm pedantic :-) -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1261#note_350214224 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed May 27 18:35:42 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 27 May 2020 16:35:42 +0000 Subject: [gnutls-devel] GnuTLS | WIP: AIA callback to retrieve missing chain certificates (!1262) In-Reply-To: References: Message-ID: Merge request https://gitlab.com/gnutls/gnutls/-/merge_requests/1262 was reviewed by Daiki Ueno -- Daiki Ueno started a new discussion on lib/cert-cred.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1262#note_350219511 > > +/** > + * gnutls_trust_list_set_getissuer_function: I'd suggest prefixing `gnutls_x509_trust_list_` as other functions in this family. -- Daiki Ueno started a new discussion on lib/cert-cred.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1262#note_350219513 > + * gnutls_trust_list_set_getissuer_function: > + * @tlist: is a #gnutls_x509_trust_list_t type. > + * @priv: is any private data to be exchanged between the application I'm still not sure how useful it is to have `priv` argument here. In other places, we provide `_set_ptr` functions for that purpose. -- Daiki Ueno started a new discussion on lib/cert-cred.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1262#note_350219515 > + gnutls_trust_list_getissuer_function * func) > +{ > + tlist->issuer_callback = func; Use tab for indent. -- Daiki Ueno started a new discussion on lib/x509/verify.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1262#note_350219518 > + "gnutls_x509_crt_init: %s\n", > + gnutls_strerror(ret)); > + exit(1); Please don't call `exit` from the library, unless it is a programming error which shouldn't happen. -- Daiki Ueno started a new discussion on lib/x509/verify.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1262#note_350219520 > > if (cert_list == NULL || cert_list_length == 0) > return GNUTLS_E_NO_CERTIFICATE_FOUND; Here `list` is leaking. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1262 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed May 27 18:51:54 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 27 May 2020 16:51:54 +0000 Subject: [gnutls-devel] GnuTLS | tests: build datefudge-check during make all (!1265) In-Reply-To: References: Message-ID: Merge Request !1265 was approved by Daiki Ueno Merge Request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1265 Project:Branches: GostCrypt/gnutls:build-datefudge-check to gnutls/gnutls:master Author: Dmitry Baryshkov Assignees: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1265 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed May 27 19:23:50 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 27 May 2020 17:23:50 +0000 Subject: [gnutls-devel] GnuTLS | Update session_ticket.c to add support for zero length session tickets returned from the server (!1260) In-Reply-To: References: Message-ID: Andreas Metzler commented: Hello, The issue does not seem to be relevant for Debian stable (10 aka buster, featuring gnutls 3.6.7), is it? I see an error on oldstable (9 aka stretch, gnutls 3.5.8). cu And- I wish other BTS apart from Debian showed/tracked the versions a bug a) applies and b) was fixed as metadata -reas -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1260#note_350244232 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed May 27 19:34:08 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 27 May 2020 17:34:08 +0000 Subject: [gnutls-devel] GnuTLS | Update session_ticket.c to add support for zero length session tickets returned from the server (!1260) In-Reply-To: References: Message-ID: rrivers2 commented: @ametzler I believe the issue is related to older versions of GnuTLS. The version I was using was 3.5.18 included with Ubuntu 18.04.4. Another user on the launchpad bug report stated that Debian 9 has the same issue but didn't report the version of GnuTLS. I think the 3.6 branch uses TLS1.3 which the server returns a valid session ticket and isn't an issue. It is only with older versions that use TLS1.2 and below that the server returns the zero length session ticket and the problem exists. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1260#note_350251365 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed May 27 19:43:15 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 27 May 2020 17:43:15 +0000 Subject: [gnutls-devel] GnuTLS | Update session_ticket.c to add support for zero length session tickets returned from the server (!1260) In-Reply-To: References: Message-ID: Andreas Metzler commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/1260#note_350255352 @rrivers2 wrote > @ametzler I believe the issue is related to older versions of GnuTLS. The version I was using was 3.5.18 included with Ubuntu 18.04.4. Another user on the launchpad bug report stated that Debian 9 has the same issue but didn't report the version of GnuTLS. > > I think the 3.6 branch uses TLS1.3 which the server returns a valid session ticket and isn't an issue. It is only with older versions that use TLS1.2 and below that the server returns the zero length session ticket and the problem exists. I see, thanks. Disabling TLS1.3 makes the issue reproducible even on 3.6.13: ~~~ ametzler at argenau:~$ gnutls-cli --priority=NORMAL:-VERS-TLS1.3 pop.verizon.net:995 [...] - Status: The certificate is trusted. *** Fatal error: Internal error in memory allocation. ~~~ -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1260#note_350255352 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed May 27 19:45:52 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 27 May 2020 17:45:52 +0000 Subject: [gnutls-devel] GnuTLS | Update session_ticket.c to add support for zero length session tickets returned from the server (!1260) In-Reply-To: References: Message-ID: rrivers2 commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/1260#note_350256550 I guess the Yahoo/AOL/etc server admins did something to reject session tickets if the version of TLS is < 1.3 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1260#note_350256550 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed May 27 20:08:12 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 27 May 2020 18:08:12 +0000 Subject: [gnutls-devel] GnuTLS | lib: improve external file loading (!1261) In-Reply-To: References: Message-ID: Tim R?hsen commented on a discussion on lib/cert-cred-rawpk.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1261#note_350266761 > ret = gnutls_pcert_import_rawpk_raw(pcert, &rawpubkey, > format, key_usage, 0); > > - _gnutls_free_datum(&rawpubkey); > + zeroize_key(rawpubkey.data, rawpubkey.size); Oh yes. And your are right in being pedantic. Don't we still have the custom allocators (as global variables) ? From gnutls.h: ``` /* For use in callbacks */ extern _SYM_EXPORT gnutls_alloc_function gnutls_malloc; extern _SYM_EXPORT gnutls_realloc_function gnutls_realloc; extern _SYM_EXPORT gnutls_calloc_function gnutls_calloc; extern _SYM_EXPORT gnutls_free_function gnutls_free; ``` -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1261#note_350266761 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed May 27 22:11:47 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 27 May 2020 20:11:47 +0000 Subject: [gnutls-devel] GnuTLS | clang ASAN fails on testcompat-tls13-openssl.sh (#920) In-Reply-To: References: Message-ID: Issue was closed by Dmitry Baryshkov via merge request !1265 (https://gitlab.com/gnutls/gnutls/-/merge_requests/1265) Issue #920: https://gitlab.com/gnutls/gnutls/-/issues/920 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/920 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed May 27 22:11:47 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 27 May 2020 20:11:47 +0000 Subject: [gnutls-devel] GnuTLS | tests: build datefudge-check during make all (!1265) In-Reply-To: References: Message-ID: Merge Request !1265 was merged Merge Request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1265 Project:Branches: GostCrypt/gnutls:build-datefudge-check to gnutls/gnutls:master Author: Dmitry Baryshkov Assignees: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1265 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed May 27 22:43:00 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 27 May 2020 20:43:00 +0000 Subject: [gnutls-devel] GnuTLS | certtool ignores --password option (#933) In-Reply-To: References: Message-ID: Reassigned Issue 933 https://gitlab.com/gnutls/gnutls/-/issues/933 Assignee changed to Dmitry Baryshkov -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/933 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed May 27 22:49:06 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 27 May 2020 20:49:06 +0000 Subject: [gnutls-devel] GnuTLS | WIP: AIA callback to retrieve missing chain certificates (!1262) In-Reply-To: References: Message-ID: Sahana Prasad commented on a discussion on lib/cert-cred.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1262#note_350338522 > + * certificate verification procedure in verify_crt(). > + * To verify or obtain the certificate the verification functions such as > + * gnutls_x509_trust_list_verify_crt() and gnutls_x509_trust_list_verify_crt2() > + * can be used. > + * > + * The callback function should return 0 if the missing issuer certificate > + * for 'crt' was properly polulated in 'issuer' or non-zero to continue > + * the certificate list verification but with issuer as NULL. > + * > + * Since: 3.6.14 > + **/ > +void gnutls_trust_list_set_getissuer_function > + (gnutls_x509_trust_list_t tlist, void *priv, > + gnutls_trust_list_getissuer_function * func) > +{ > + tlist->issuer_callback = func; yeah, I usually use tab. But other functions in this file were indented like this, see gnutls_certificate_set_retrieve_function, gnutls_certificate_set_retrieve_function2, and gnutls_certificate_set_retrieve_function3 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1262#note_350338522 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed May 27 23:08:22 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 27 May 2020 21:08:22 +0000 Subject: [gnutls-devel] GnuTLS | tests: build datefudge-check during make all (!1265) In-Reply-To: References: Message-ID: Tim R?hsen commented: @lumag Just saw this - nice ! :-) Does it mean, we can retry the combined ubsan/asan clang CI runner ? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1265#note_350346753 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed May 27 23:10:06 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 27 May 2020 21:10:06 +0000 Subject: [gnutls-devel] GnuTLS | tests: build datefudge-check during make all (!1265) In-Reply-To: References: Message-ID: Dmitry Baryshkov commented: @rockdaboot no, remember, we had issues with OpenSSL. This just fixes the makefile dependency. I'm going to look onto the OpenSSL issue, if I have time in the next few days. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1265#note_350347552 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed May 27 23:10:32 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 27 May 2020 21:10:32 +0000 Subject: [gnutls-devel] GnuTLS | Fix two issues about certtool and passwords (!1268) References: Message-ID: Dmitry Baryshkov created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1268 Branches: tmp-fix-cert-pass to master Author: Dmitry Baryshkov Add a description of the new feature/bug fix. Reference any relevant bugs. ## Checklist * [x] Commits have `Signed-off-by:` with name/author being identical to the commit author * [x] Code modified for feature * [ ] Test suite updated with functionality tests * [ ] Test suite updated with negative tests * [ ] Documentation updated / NEWS entry present (for non-trivial changes) * [x] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout) ## Reviewer's checklist: * [ ] Any issues marked for closing are addressed * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md` * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1268 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed May 27 23:11:42 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 27 May 2020 21:11:42 +0000 Subject: [gnutls-devel] GnuTLS | fips: make FIPS140-2 mode enablement logic simpler (!1253) In-Reply-To: References: Message-ID: Merge Request !1253 was merged Merge Request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1253 Branches: tmp-fips-redefinition to master Author: Daiki Ueno Assignees: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1253 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed May 27 23:11:38 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 27 May 2020 21:11:38 +0000 Subject: [gnutls-devel] GnuTLS | fips: make FIPS140-2 mode enablement logic simpler (!1253) In-Reply-To: References: Message-ID: All discussions on Merge Request !1253 were resolved by Dmitry Baryshkov https://gitlab.com/gnutls/gnutls/-/merge_requests/1253 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1253 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed May 27 23:13:35 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 27 May 2020 21:13:35 +0000 Subject: [gnutls-devel] GnuTLS | Allow statically linking ncrypt (win32) (!1254) In-Reply-To: References: Message-ID: Merge Request !1254 was approved by Dmitry Baryshkov Merge Request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1254 Project:Branches: robUx4/gnutls:static-ncrypt to gnutls/gnutls:master Author: Steve Lhomme Assignees: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1254 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed May 27 23:13:27 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 27 May 2020 21:13:27 +0000 Subject: [gnutls-devel] GnuTLS | Allow statically linking ncrypt (win32) (!1254) In-Reply-To: References: Message-ID: All discussions on Merge Request !1254 were resolved by Dmitry Baryshkov https://gitlab.com/gnutls/gnutls/-/merge_requests/1254 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1254 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed May 27 23:14:46 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 27 May 2020 21:14:46 +0000 Subject: [gnutls-devel] GnuTLS | win32: allow using ncrypt in UWP builds (!1256) In-Reply-To: References: Message-ID: Merge Request !1256 was approved by Dmitry Baryshkov Merge Request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1256 Project:Branches: robUx4/gnutls:ncrypt-uwp10 to gnutls/gnutls:master Author: Steve Lhomme Assignees: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1256 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed May 27 23:15:03 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 27 May 2020 21:15:03 +0000 Subject: [gnutls-devel] GnuTLS | Allow statically linking ncrypt (win32) (!1254) In-Reply-To: References: Message-ID: Merge Request !1254 was merged Merge Request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1254 Project:Branches: robUx4/gnutls:static-ncrypt to gnutls/gnutls:master Author: Steve Lhomme Assignees: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1254 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed May 27 23:14:52 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 27 May 2020 21:14:52 +0000 Subject: [gnutls-devel] GnuTLS | win32: allow using ncrypt in UWP builds (!1256) In-Reply-To: References: Message-ID: Merge Request !1256 was merged Merge Request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1256 Project:Branches: robUx4/gnutls:ncrypt-uwp10 to gnutls/gnutls:master Author: Steve Lhomme Assignees: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1256 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed May 27 23:16:59 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 27 May 2020 21:16:59 +0000 Subject: [gnutls-devel] GnuTLS | WIP: AIA callback to retrieve missing chain certificates (!1262) In-Reply-To: References: Message-ID: Sahana Prasad commented on a discussion on lib/cert-cred.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1262#note_350350342 > cred->verify_callback = func; > } > > +/** > + * gnutls_trust_list_set_getissuer_function: > + * @tlist: is a #gnutls_x509_trust_list_t type. > + * @priv: is any private data to be exchanged between the application yeah, it is not really useful actually. I removed it. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1262#note_350350342 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed May 27 23:22:45 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 27 May 2020 21:22:45 +0000 Subject: [gnutls-devel] GnuTLS | Can't generate public.crt on Windows 2016 (#923) In-Reply-To: References: Message-ID: Dmitry Baryshkov commented: @labnewbie Could you please try changing the template file to use UNIX newline symbols (LF `0a`) instead of Windows ones (CR LF `0d 0a). -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/923#note_350352326 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed May 27 23:29:40 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 27 May 2020 21:29:40 +0000 Subject: [gnutls-devel] GnuTLS | libcrypto but no openssl (#274) In-Reply-To: References: Message-ID: Dmitry Baryshkov commented: @Cashalow could you please provide the log file generated by the failed test? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/274#note_350355040 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu May 28 04:01:54 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 28 May 2020 02:01:54 +0000 Subject: [gnutls-devel] GnuTLS | .travis.yml: use several different OSX versions (!1269) References: Message-ID: Dmitry Baryshkov created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1269 Project:Branches: GostCrypt/gnutls:tmp-macosx-vers to gnutls/gnutls:master Author: Dmitry Baryshkov Add a description of the new feature/bug fix. Reference any relevant bugs. ## Checklist * [x] Commits have `Signed-off-by:` with name/author being identical to the commit author * [x] Code modified for feature * [ ] Test suite updated with functionality tests * [ ] Test suite updated with negative tests * [ ] Documentation updated / NEWS entry present (for non-trivial changes) * [x] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout) ## Reviewer's checklist: * [ ] Any issues marked for closing are addressed * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md` * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1269 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu May 28 04:06:14 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 28 May 2020 02:06:14 +0000 Subject: [gnutls-devel] GnuTLS | use bcrypt for the windows random generator instead of wincrypt (!1255) In-Reply-To: References: Message-ID: Dmitry Baryshkov commented: @robUx4 this can be rebased now -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1255#note_350431229 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu May 28 07:46:47 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 28 May 2020 05:46:47 +0000 Subject: [gnutls-devel] GnuTLS | use bcrypt for the windows random generator instead of wincrypt (!1255) In-Reply-To: References: Message-ID: Steve Lhomme commented: Done :+1: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1255#note_350570441 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu May 28 08:35:39 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 28 May 2020 06:35:39 +0000 Subject: [gnutls-devel] GnuTLS | libcrypto but no openssl (#274) In-Reply-To: References: Message-ID: Sacha Laurent commented: Hello @lumag same user than OP here Here is the error I found in the travis log : cipher-openssl-compat.c:78:27: error: use of undeclared identifier 'EVP_CTRL_GCM_SET_TAG' EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_SET_TAG, tag_size, enc_data+enc_data_size-tag_size); But actually I think this issue is a duplicate of the one presented here right ? https://gitlab.com/gnutls/gnutls/-/issues/660 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/274#note_350611854 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu May 28 11:47:20 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 28 May 2020 09:47:20 +0000 Subject: [gnutls-devel] GnuTLS | lib: improve external file loading (!1261) In-Reply-To: References: Message-ID: Tim R?hsen commented: The gnulib update should remove `#define FALLTHROUGH` in utils.h: ``` In file included from ../lib/gnutls_int.h:58, from pkcs12_s2k.c:30: ../gl/attribute.h:142: error: "FALLTHROUGH" redefined [-Werror] 142 | #define FALLTHROUGH _GL_ATTRIBUTE_FALLTHROUGH | In file included from pkcs12_s2k.c:29: ./utils.h:46: note: this is the location of the previous definition 46 | #define FALLTHROUGH __attribute__ ((fallthrough)) ``` -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1261#note_350884723 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu May 28 11:49:13 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 28 May 2020 09:49:13 +0000 Subject: [gnutls-devel] GnuTLS | lib: improve external file loading (!1261) In-Reply-To: References: Message-ID: Tim R?hsen started a new discussion on lib/cert-cred-rawpk.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1261#note_350886301 > } > > } else { > + gnutls_datum_t rawpubkey = { NULL, 0 }; // to hold rawpk data from file Isn't the initializer superfluous here ? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1261#note_350886301 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu May 28 11:54:31 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 28 May 2020 09:54:31 +0000 Subject: [gnutls-devel] GnuTLS | consider supporting an AEAD mode which does not require unique nonce (#356) In-Reply-To: References: Message-ID: Issue was closed by Dmitry Baryshkov Issue #356: https://gitlab.com/gnutls/gnutls/-/issues/356 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/356 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu May 28 11:55:30 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 28 May 2020 09:55:30 +0000 Subject: [gnutls-devel] GnuTLS | consider supporting an AEAD mode which does not require unique nonce (#356) In-Reply-To: References: Message-ID: Dmitry Baryshkov commented: Closed by !1238 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/356#note_350890840 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu May 28 14:16:05 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 28 May 2020 12:16:05 +0000 Subject: [gnutls-devel] GnuTLS | lib: improve external file loading (!1261) In-Reply-To: References: Message-ID: All discussions on Merge Request !1261 were resolved by Tim R?hsen https://gitlab.com/gnutls/gnutls/-/merge_requests/1261 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1261 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu May 28 17:28:44 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 28 May 2020 15:28:44 +0000 Subject: [gnutls-devel] GnuTLS | libcrypto but no openssl (#274) In-Reply-To: References: Message-ID: Dmitry Baryshkov commented: Do you have libressl headers installed? I have tried building for several OS X versions both with and without OpenSSL. I have failed to observe this failure. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/274#note_351209765 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu May 28 17:42:43 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 28 May 2020 15:42:43 +0000 Subject: [gnutls-devel] GnuTLS | WIP: AIA callback to retrieve missing chain certificates (!1262) In-Reply-To: References: Message-ID: Merge request https://gitlab.com/gnutls/gnutls/-/merge_requests/1262 was reviewed by Daiki Ueno -- Daiki Ueno commented on a discussion on lib/cert-cred.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1262#note_351218856 > + gnutls_trust_list_getissuer_function * func) > +{ > + tlist->issuer_callback = func; Well, please use tabs in new code. As mentioned in CONTRIBUTING.md, our coding style is [the Linux kernel coding style](https://www.kernel.org/doc/html/latest/process/coding-style.html). -- Daiki Ueno started a new discussion on lib/x509/verify.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1262#note_351218860 > + ret = gnutls_x509_crt_init(&issuer); > + if (ret < 0) { > + fprintf(stderr, Use any of the `gnutls_*_log` functions. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1262 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu May 28 19:32:00 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 28 May 2020 17:32:00 +0000 Subject: [gnutls-devel] GnuTLS | libcrypto but no openssl (#274) In-Reply-To: References: Message-ID: Sacha Laurent commented: I don't use osX I was just asking when I tried building and testing on conda forge. I think it's safe to close that issue and refer to the other one. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/274#note_351293528 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu May 28 19:34:15 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 28 May 2020 17:34:15 +0000 Subject: [gnutls-devel] GnuTLS | libcrypto but no openssl (#274) In-Reply-To: References: Message-ID: Dmitry Baryshkov commented: ok, thank you. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/274#note_351295071 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu May 28 19:35:25 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 28 May 2020 17:35:25 +0000 Subject: [gnutls-devel] GnuTLS | libcrypto but no openssl (#274) In-Reply-To: References: Message-ID: Issue was closed by Dmitry Baryshkov Issue #274: https://gitlab.com/gnutls/gnutls/-/issues/274 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/274 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu May 28 21:03:38 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 28 May 2020 19:03:38 +0000 Subject: [gnutls-devel] GnuTLS | WIP: AIA callback to retrieve missing chain certificates (!1262) In-Reply-To: References: Message-ID: All discussions on Merge Request !1262 were resolved by Sahana Prasad https://gitlab.com/gnutls/gnutls/-/merge_requests/1262 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1262 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu May 28 22:10:53 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 28 May 2020 20:10:53 +0000 Subject: [gnutls-devel] GnuTLS | Not possible to build tests on macOS. (#660) In-Reply-To: References: Message-ID: Dmitry Baryshkov commented: @mingwandroid I've tried tried building with several Xcode/OSX versions, but got no such failure. Can you please doublecheck: - do you have LibreSSL headers installed? - do you have any OpenSSL headers/library in place? A Travis build succeeded even if I disabled `brew install openssl`. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/660#note_351362520 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu May 28 22:15:12 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 28 May 2020 20:15:12 +0000 Subject: [gnutls-devel] GnuTLS | Remove SSLv2 hello support (#97) In-Reply-To: References: Message-ID: Dmitry Baryshkov commented: Is it time to remove SSLv2 hello in 3.7? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/97#note_351364185 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu May 28 22:23:05 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 28 May 2020 20:23:05 +0000 Subject: [gnutls-devel] GnuTLS | consider automating the .map file generation (#465) In-Reply-To: References: Message-ID: Dmitry Baryshkov commented: @dueno I think this can be closed now. WDYT? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/465#note_351367764 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu May 28 22:25:47 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 28 May 2020 20:25:47 +0000 Subject: [gnutls-devel] GnuTLS | pkg-config file does not contain the right libraries under windows (#412) In-Reply-To: References: Message-ID: Dmitry Baryshkov commented: Closed by !1254 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/412#note_351368910 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu May 28 22:25:54 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 28 May 2020 20:25:54 +0000 Subject: [gnutls-devel] GnuTLS | pkg-config file does not contain the right libraries under windows (#412) In-Reply-To: References: Message-ID: Issue was closed by Dmitry Baryshkov Issue #412: https://gitlab.com/gnutls/gnutls/-/issues/412 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/412 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu May 28 22:32:40 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 28 May 2020 20:32:40 +0000 Subject: [gnutls-devel] GnuTLS | certtool creating authentication failures with TPM 1.2 when TPM SRK uses a password (#601) In-Reply-To: References: Message-ID: Dmitry Baryshkov commented: Fixed in !792/!796. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/601#note_351371887 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu May 28 22:33:47 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 28 May 2020 20:33:47 +0000 Subject: [gnutls-devel] GnuTLS | certtool creating authentication failures with TPM 1.2 when TPM SRK uses a password (#601) In-Reply-To: References: Message-ID: Issue was closed by Dmitry Baryshkov Issue #601: https://gitlab.com/gnutls/gnutls/-/issues/601 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/601 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu May 28 22:35:46 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 28 May 2020 20:35:46 +0000 Subject: [gnutls-devel] GnuTLS | tlsfuzzer can not be executed with out-of-tree builds (#468) In-Reply-To: References: Message-ID: Issue was closed by Dmitry Baryshkov Issue #468: https://gitlab.com/gnutls/gnutls/-/issues/468 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/468 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu May 28 22:35:46 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 28 May 2020 20:35:46 +0000 Subject: [gnutls-devel] GnuTLS | tlsfuzzer can not be executed with out-of-tree builds (#468) In-Reply-To: References: Message-ID: Dmitry Baryshkov commented: Seems fixed now. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/468#note_351373099 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu May 28 23:05:47 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 28 May 2020 21:05:47 +0000 Subject: [gnutls-devel] GnuTLS | GNUTLS_CPUID_OVERRIDE does not have any impact on performance (#566) In-Reply-To: References: Message-ID: Dmitry Baryshkov commented: Closing -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/566#note_351384718 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu May 28 23:06:44 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 28 May 2020 21:06:44 +0000 Subject: [gnutls-devel] GnuTLS | GNUTLS_CPUID_OVERRIDE does not have any impact on performance (#566) In-Reply-To: References: Message-ID: Issue was closed by Dmitry Baryshkov Issue #566: https://gitlab.com/gnutls/gnutls/-/issues/566 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/566 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu May 28 23:12:03 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 28 May 2020 21:12:03 +0000 Subject: [gnutls-devel] GnuTLS | certtool --p7-info should parse PKCS#7 attributes (#611) In-Reply-To: References: Message-ID: Issue was closed by Dmitry Baryshkov Issue #611: https://gitlab.com/gnutls/gnutls/-/issues/611 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/611 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu May 28 23:12:01 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 28 May 2020 21:12:01 +0000 Subject: [gnutls-devel] GnuTLS | certtool --p7-info should parse PKCS#7 attributes (#611) In-Reply-To: References: Message-ID: Dmitry Baryshkov commented: Closed by !1246 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/611#note_351386914 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri May 29 05:32:23 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 29 May 2020 03:32:23 +0000 Subject: [gnutls-devel] GnuTLS | .travis.yml: use several different OSX versions (!1269) In-Reply-To: References: Message-ID: Merge Request !1269 was approved by Daiki Ueno Merge Request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1269 Project:Branches: GostCrypt/gnutls:tmp-macosx-vers to gnutls/gnutls:master Author: Dmitry Baryshkov Assignees: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1269 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri May 29 06:24:05 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 29 May 2020 04:24:05 +0000 Subject: [gnutls-devel] GnuTLS | WIP: AIA callback to retrieve missing chain certificates (!1262) In-Reply-To: References: Message-ID: Daiki Ueno started a new discussion on lib/cert-cred.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1262#note_351491138 > cred->verify_callback = func; > } > > +/** > + * gnutls_x509_trust_list_set_getissuer_function: > + * @tlist: is a #gnutls_x509_trust_list_t type. > + * @func: is the callback function > + * > + * This function sets a callback to be called when the peer's certificate > + * chain is incomplete due a missing intermediate certificate/certificates. > + * > + * The callback's function prototype is defined in `abstract.h': > + * int (*callback)( > + * gnutls_x509_crt_t crt, > + * gnutls_x509_crt_t issuer); Would it make sense to move this (and the paragraph below starting with "The callback function should return 0") to the place where `gnutls_trust_list_getissuer_function` is defined in `abstract.h`? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1262#note_351491138 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri May 29 06:28:56 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 29 May 2020 04:28:56 +0000 Subject: [gnutls-devel] GnuTLS | WIP: AIA callback to retrieve missing chain certificates (!1262) In-Reply-To: References: Message-ID: Merge request https://gitlab.com/gnutls/gnutls/-/merge_requests/1262 was reviewed by Daiki Ueno -- Daiki Ueno started a new discussion on lib/cert-cred.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1262#note_351492112 > + * > + * If the callback function is provided then gnutls will call it, in the > + * certificate verification procedure in verify_crt(). As `verify_crt()` is an internal function, it doesn't make much sense to mention it in the public API documentation. -- Daiki Ueno started a new discussion on lib/cert-cred.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1262#note_351492115 > + * The callback function should return 0 if the missing issuer certificate > + * for 'crt' was properly polulated in 'issuer' or non-zero to continue > + * the certificate list verification but with issuer as NULL. `%NULL` -- Daiki Ueno started a new discussion on lib/libgnutls.map: https://gitlab.com/gnutls/gnutls/-/merge_requests/1262#note_351492116 > gnutls_ext_get_name2; > gnutls_pkcs7_print_signature_info; > + gnutls_x509_trust_list_set_getissuer_function; indent -- Daiki Ueno started a new discussion on lib/x509/verify-high.h: https://gitlab.com/gnutls/gnutls/-/merge_requests/1262#note_351492118 > char* pkcs11_token; > + > + /* set this callback if the issuer in the certificate indent -- Daiki Ueno started a new discussion on lib/x509/verify.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1262#note_351492119 > issuer = find_issuer(cert, trusted_cas, tcas_size); > > + if (issuer == NULL) { In this block, indentation is messed up. -- Daiki Ueno started a new discussion on lib/x509/verify.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1262#note_351492121 > + if (issuer == NULL) { > + if (tlist != NULL && tlist->issuer_callback != NULL) { > + _gnutls_debug_log("Missing issuer callback set. \n"); Remove ` ` after `.`. -- Daiki Ueno started a new discussion on lib/x509/verify.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1262#note_351492123 > + ret = gnutls_x509_crt_init(&issuer); > + if (ret < 0) { > + _gnutls_debug_log("gnutls_x509_crt_init: %s\n",gnutls_strerror(ret)); Add ` ` after `,`. -- Daiki Ueno started a new discussion on lib/x509/verify.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1262#note_351492124 > unsigned int > -_gnutls_verify_crt_status(const gnutls_x509_crt_t * certificate_list, > +_gnutls_verify_crt_status(gnutls_x509_trust_list_t list, Wouldn't it be a little more consistent to name the argument `tlist` instead of `list`? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1262 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri May 29 06:34:40 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 29 May 2020 04:34:40 +0000 Subject: [gnutls-devel] GnuTLS | WIP: AIA callback to retrieve missing chain certificates (!1262) In-Reply-To: References: Message-ID: Sahana Prasad commented on a discussion on lib/cert-cred.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1262#note_351493399 > cred->verify_callback = func; > } > > +/** > + * gnutls_x509_trust_list_set_getissuer_function: > + * @tlist: is a #gnutls_x509_trust_list_t type. > + * @func: is the callback function > + * > + * This function sets a callback to be called when the peer's certificate > + * chain is incomplete due a missing intermediate certificate/certificates. > + * > + * The callback's function prototype is defined in `abstract.h': > + * int (*callback)( > + * gnutls_x509_crt_t crt, > + * gnutls_x509_crt_t issuer); yes. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1262#note_351493399 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri May 29 06:35:21 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 29 May 2020 04:35:21 +0000 Subject: [gnutls-devel] GnuTLS | WIP: AIA callback to retrieve missing chain certificates (!1262) In-Reply-To: References: Message-ID: Daiki Ueno started a new discussion on lib/includes/gnutls/abstract.h: https://gitlab.com/gnutls/gnutls/-/merge_requests/1262#note_351493519 > (gnutls_certificate_credentials_t cred, > gnutls_certificate_retrieve_function3 *func); > > +typedef int gnutls_trust_list_getissuer_function(gnutls_x509_crt_t crt, > + gnutls_x509_crt_t issuer); I would suggest changing the signature to: ```c typedef int gnutls_trust_list_getissuer_function(const gnutls_x509_trust_list_t tlist, const gnutls_x509_crt_t issuer, gnutls_x509_crt_t crt); ``` The first argument makes it future proof, if we eventually add `gnutls_x509_trust_list_{set,get}_ptr` functions for applications. The `const` serves the documentation that the callback is supposed to set `crt` using the information of `issuer`. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1262#note_351493519 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri May 29 06:38:43 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 29 May 2020 04:38:43 +0000 Subject: [gnutls-devel] GnuTLS | WIP: AIA callback to retrieve missing chain certificates (!1262) In-Reply-To: References: Message-ID: Sahana Prasad commented on a discussion on lib/libgnutls.map: https://gitlab.com/gnutls/gnutls/-/merge_requests/1262#note_351494402 > global: > gnutls_ext_get_name2; > gnutls_pkcs7_print_signature_info; > + gnutls_x509_trust_list_set_getissuer_function; wonder why it shows like that here. in my file it is indented properly. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1262#note_351494402 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri May 29 06:51:49 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 29 May 2020 04:51:49 +0000 Subject: [gnutls-devel] GnuTLS | WIP: AIA callback to retrieve missing chain certificates (!1262) In-Reply-To: References: Message-ID: Daiki Ueno commented on a discussion on lib/libgnutls.map: https://gitlab.com/gnutls/gnutls/-/merge_requests/1262#note_351497368 > global: > gnutls_ext_get_name2; > gnutls_pkcs7_print_signature_info; > + gnutls_x509_trust_list_set_getissuer_function; No, it's not only on the web interface, but incorrect at the file level. Check with: ```sh $ grep -C2 getissuer lib/libgnutls.map gnutls_ext_get_name2; gnutls_pkcs7_print_signature_info; gnutls_x509_trust_list_set_getissuer_function; } GNUTLS_3_6_13; ``` Perhaps your editor configuration is affecting? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1262#note_351497368 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri May 29 06:57:07 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 29 May 2020 04:57:07 +0000 Subject: [gnutls-devel] GnuTLS | WIP: AIA callback to retrieve missing chain certificates (!1262) In-Reply-To: References: Message-ID: Sahana Prasad commented on a discussion on lib/x509/verify.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1262#note_351498587 > * list should lead to a trusted certificate in order to be trusted. > */ > unsigned int > -_gnutls_verify_crt_status(const gnutls_x509_crt_t * certificate_list, > +_gnutls_verify_crt_status(gnutls_x509_trust_list_t list, yes -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1262#note_351498587 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri May 29 07:08:53 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 29 May 2020 05:08:53 +0000 Subject: [gnutls-devel] GnuTLS | WIP: AIA callback to retrieve missing chain certificates (!1262) In-Reply-To: References: Message-ID: Sahana Prasad commented on a discussion on lib/libgnutls.map: https://gitlab.com/gnutls/gnutls/-/merge_requests/1262#note_351508297 > global: > gnutls_ext_get_name2; > gnutls_pkcs7_print_signature_info; > + gnutls_x509_trust_list_set_getissuer_function; yeah, it is definitely my editor config affecting :/ -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1262#note_351508297 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri May 29 09:55:34 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 29 May 2020 07:55:34 +0000 Subject: [gnutls-devel] GnuTLS | WIP: AIA callback to retrieve missing chain certificates (!1262) In-Reply-To: References: Message-ID: Sahana Prasad commented on a discussion on lib/includes/gnutls/abstract.h: https://gitlab.com/gnutls/gnutls/-/merge_requests/1262#note_351584381 > (gnutls_certificate_credentials_t cred, > gnutls_certificate_retrieve_function3 *func); > > +typedef int gnutls_trust_list_getissuer_function(gnutls_x509_crt_t crt, > + gnutls_x509_crt_t issuer); I think you have interchanged crt and issuer. find_crt() returns issuer, so I kept the same name. So I'll make it typedef int gnutls_x509_trust_list_getissuer_function(const gnutls_x509_trust_list_t tlist, const gnutls_x509_crt_t crt, gnutls_x509_crt_t issuer); -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1262#note_351584381 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri May 29 12:27:57 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 29 May 2020 10:27:57 +0000 Subject: [gnutls-devel] GnuTLS | WIP: AIA callback to retrieve missing chain certificates (!1262) In-Reply-To: References: Message-ID: All discussions on Merge Request !1262 were resolved by Sahana Prasad https://gitlab.com/gnutls/gnutls/-/merge_requests/1262 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1262 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri May 29 15:49:39 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 29 May 2020 13:49:39 +0000 Subject: [gnutls-devel] GnuTLS | WIP: AIA callback to retrieve missing chain certificates (!1262) In-Reply-To: References: Message-ID: Sahana Prasad commented on a discussion on lib/cert-cred.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1262#note_351851834 > cred->verify_callback = func; > } > > +/** > + * gnutls_x509_trust_list_set_getissuer_function: > + * @tlist: is a #gnutls_x509_trust_list_t type. > + * @func: is the callback function > + * > + * This function sets a callback to be called when the peer's certificate > + * chain is incomplete due a missing intermediate certificate/certificates. > + * > + * The callback's function prototype is defined in `abstract.h': > + * int (*callback)( > + * gnutls_x509_crt_t crt, > + * gnutls_x509_crt_t issuer); I reverted this back to lib/cert-cred.c Doc test fails otherwise. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1262#note_351851834 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri May 29 19:22:32 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 29 May 2020 17:22:32 +0000 Subject: [gnutls-devel] GnuTLS | WIP: AIA callback to retrieve missing chain certificates (!1262) In-Reply-To: References: Message-ID: Merge request https://gitlab.com/gnutls/gnutls/-/merge_requests/1262 was reviewed by Daiki Ueno -- Daiki Ueno commented on a discussion on lib/includes/gnutls/abstract.h: https://gitlab.com/gnutls/gnutls/-/merge_requests/1262#note_352074038 > > +typedef int gnutls_trust_list_getissuer_function(gnutls_x509_crt_t crt, > + gnutls_x509_crt_t issuer); Yes, that's right, thanks! -- Daiki Ueno started a new discussion on lib/x509/verify.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1262#note_352074040 > + ret = tlist->issuer_callback(tlist, cert, issuer); > + if (ret < 0) { > + /* if the callback fails, continue as though the callback This part is still not indented properly. Also note, while the Linux kernel coding style doesn't explicitly mention whether to use hard tabs or spaces, we extensively use tabs for indent as the coding style implicitly suggests as part of its [Emacs configuration](https://www.kernel.org/doc/html/v5.6/process/coding-style.html#you-ve-made-a-mess-of-it). Looks like your new code is indented only with spaces. I would not force you to switch to using Emacs, but you might want to try the auto indent feature. GnuTLS already has a project wide [setup](https://gitlab.com/gnutls/gnutls/-/blob/master/.dir-locals.el) for the coding style. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1262 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri May 29 20:04:20 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 29 May 2020 18:04:20 +0000 Subject: [gnutls-devel] GnuTLS | lib: improve external file loading (!1261) In-Reply-To: References: Message-ID: Tim R?hsen commented: I still see `fd = fopen`, but I leave it to you to amend that or not, as it is just cosmetics. Maybe we can add the proposed syntax-check rule sometimes later. Else LGTM. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1261#note_352094814 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri May 29 20:04:25 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 29 May 2020 18:04:25 +0000 Subject: [gnutls-devel] GnuTLS | lib: improve external file loading (!1261) In-Reply-To: References: Message-ID: Merge Request !1261 was approved by Tim R?hsen Merge Request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1261 Branches: tmp-fileio to master Author: Daiki Ueno Assignees: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1261 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri May 29 20:39:49 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 29 May 2020 18:39:49 +0000 Subject: [gnutls-devel] GnuTLS | WIP: AIA callback to retrieve missing chain certificates (!1262) In-Reply-To: References: Message-ID: Sahana Prasad commented on a discussion on lib/cert-cred.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1262#note_352108236 > cred->verify_callback = func; > } > > +/** > + * gnutls_x509_trust_list_set_getissuer_function: > + * @tlist: is a #gnutls_x509_trust_list_t type. > + * @func: is the callback function > + * > + * This function sets a callback to be called when the peer's certificate > + * chain is incomplete due a missing intermediate certificate/certificates. > + * > + * The callback's function prototype is defined in `abstract.h': > + * int (*callback)( > + * gnutls_x509_crt_t crt, > + * gnutls_x509_crt_t issuer); @dueno is this ok? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1262#note_352108236 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat May 30 01:04:08 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 29 May 2020 23:04:08 +0000 Subject: [gnutls-devel] GnuTLS | specialize gnutls_load_file() for unix-like OS (!1270) References: Message-ID: Glenn Strauss created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1270 Project:Branches: gstrauss/gnutls:specialize-gnutls_load_file to gnutls/gnutls:master Author: Glenn Strauss specialize `gnutls_load_file()` for unix-like OS This implementation is safer, more secure, more robust, and more efficient than the existing generic implementation using system stdio. reference: #1002 @dueno has committed some related improvements to gnulib http://git.savannah.gnu.org/gitweb/?p=gnulib.git http://git.savannah.gnu.org/gitweb/?p=gnulib.git;a=commit;h=e4a38aadac2e90c6dfb317d0845746c200cf6697 http://git.savannah.gnu.org/gitweb/?p=gnulib.git;a=commit;h=a2080f6506701d8d9ca5111d628607a6a8013f61 http://git.savannah.gnu.org/gitweb/?p=gnulib.git;a=commit;h=fb64a78174042189f4d012cbd748d565f021cd69 This patch for gnutls loads a file into a gnutls_datum_t, but most of this patch could alternatively be submitted to the gnulib implementation of `read_file()`. Were that to be done, gnutls would retain the cost of double-copying the file contents in `gnutls_load_file()` when `gnutls_malloc != malloc` ## Checklist * [x] Commits have `Signed-off-by:` with name/author being identical to the commit author * [x] Code modified for feature * [-] Test suite updated with functionality tests * [-] Test suite updated with negative tests * [-] Documentation updated / NEWS entry present (for non-trivial changes) * [-] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout) ## Reviewer's checklist: * [ ] Any issues marked for closing are addressed * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md` * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1270 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat May 30 06:37:20 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sat, 30 May 2020 04:37:20 +0000 Subject: [gnutls-devel] GnuTLS | specialize gnutls_load_file() for unix-like OS (!1270) In-Reply-To: References: Message-ID: Glenn Strauss commented: I revamped the code to split out parts that could potentially be added to generic interfaces in gnulib, with some function renames, of course. The generic interfaces take `(off_t)` pointer into which to store the file size, and matches the `(off_t)` type of `struct stat` `st.st_size`, which is more appropriate than `size_t`. The proposed generic interfaces also take a function pointer to be used for allocating memory, e.g. so that `gnutls_malloc` can be passed. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1270#note_352236434 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat May 30 06:47:20 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sat, 30 May 2020 04:47:20 +0000 Subject: [gnutls-devel] GnuTLS | lib/file.c gnutls_load_file() does not include trailing '\0' if malloc != gnutls_malloc (#1006) References: Message-ID: Glenn Strauss created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1006 lib/file.c `gnutls_load_file()` does not include trailing `'\0'` if `malloc != gnutls_malloc` and does not check if `gnutls_malloc()` fails. ``` --- a/lib/file.c +++ b/lib/file.c @@ -60,11 +60,14 @@ int gnutls_load_file(const char *filename, gnutls_datum_t * data) return GNUTLS_E_FILE_ERROR; if (malloc != gnutls_malloc) { - void *tmp = gnutls_malloc(len); - - memcpy(tmp, data->data, len); + void *tmp = gnutls_malloc(len+1); + if (tmp) + memcpy(tmp, data->data, len+1); + zeroize_key(data->data, len); free(data->data); data->data = tmp; + if (tmp == NULL) + return GNUTLS_E_FILE_ERROR; } data->size = len; ``` Note: `gnutls_load_file()` also does not check that (size_t) len < UINT_MAX before assigning len in `data->size = len;` (fix not included above) -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1006 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat May 30 08:12:20 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sat, 30 May 2020 06:12:20 +0000 Subject: [gnutls-devel] GnuTLS | WIP: AIA callback to retrieve missing chain certificates (!1262) In-Reply-To: References: Message-ID: Merge request https://gitlab.com/gnutls/gnutls/-/merge_requests/1262 was reviewed by Daiki Ueno -- Daiki Ueno commented on a discussion on lib/x509/verify.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1262#note_352243993 > + ret = tlist->issuer_callback(tlist, cert, issuer); > + if (ret < 0) { > + /* if the callback fails, continue as though the callback It is getting better, but there are still a few places with mismatched indentation. Please consider amending the first commit with something like [this patch](/uploads/3c112c60fe54454463d017ce51c06659/indent-fixes.patch). -- Daiki Ueno started a new discussion on tests/missingissuer.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1262#note_352243996 > + if (ret < 0) { > + fprintf(stderr, "error: %s\n", gnutls_strerror(ret)); > + gnutls_free(tmp.data); Do not free the static memory. Also, as these error conditions shouldn't happen, you could simply write: ```c assert(gnutls_x509_crt_print(crt, GNUTLS_CRT_PRINT_ONELINE, &tmp) >= 0); ``` -- Daiki Ueno started a new discussion on lib/includes/gnutls/abstract.h: https://gitlab.com/gnutls/gnutls/-/merge_requests/1262#note_352243997 > + > +void gnutls_x509_trust_list_set_getissuer_function(gnutls_x509_trust_list_t tlist, > + gnutls_x509_trust_list_getissuer_function *func); I suspect `x509.h` might be the better place to have those declarations, because those functions have nothing to do with the "abstract" interface. -- Daiki Ueno started a new discussion on lib/x509/verify.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1262#note_352243998 > + issuer = NULL; > + } else > + issuer_deinit = true; I feel suspicious when I see this pattern of code (i.e. having a flag to distinguish allocated/non-allocated memory). It is error-prone and in most cases there is a better way to work around. Now that we added `tlist` to the callback, the callback could simply add the issuer certificate(s) to it, with: ```c gnutls_x509_crt_init(&issuer); /* This transfer the ownership of `issuer` to `tlist`. */ gnutls_x509_trust_list_add_cas(tlist, &issuer, 1, 0); ``` Then you can omit the `issuer` argument from the callback. The library code can be changed to: ```c ret = tlist->issuer_callback(tlist, cert); /* This function doesn't exist yet; it should be `trust_list_get_issuer` defined as static in `verify-high.c`. */ ret = _gnutls_trust_list_get_issuer(tlist, cert, &issuer, 0); ``` As `tlist` has the ownership of `issuer`, you don't need to manually call `gnutls_x509_crt_deinit` on the issuer. It should be released among other certificates at the end of certificate validation process. -- Daiki Ueno started a new discussion on lib/x509/verify.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1262#note_352243999 > > + if (issuer == NULL) { > + if (tlist != NULL && tlist->issuer_callback != NULL) { Can't you merge those `if` conditions? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1262 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat May 30 11:54:37 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sat, 30 May 2020 09:54:37 +0000 Subject: [gnutls-devel] GnuTLS | Testsuite error - listening on IPv6, connecting to IPv4 (#1007) References: Message-ID: Andreas Metzler created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1007 ## Description of problem: My latest upload to Debian failed multiple tests: https://buildd.debian.org/status/fetch.php?pkg=gnutls28&arch=amd64&ver=3.6.13-3&stamp=1590697920&raw=0 Afaict the errors all look like this: ~~~ FAIL: sni-hostname.sh ===================== Checking SNI hostname in gnutls-cli Echo Server listening on IPv6 :: port 9148...done Could not connect to 127.0.0.1:9148: Connection refused Failure: 1. handshake should have succeeded! Exiting via signal 15 FAIL sni-hostname.sh (exit status: 1) ~~~ i.e. gnutls-serv somehow ends up listening only on IPv6 but the corresponding gnutls-cli command tries to connect to 127.0.0.1 (IPv4). I do not know why gnutls-serv does not listen on IPv4, too (perhaps the virtual host has no IPv4 interfaces), but afaiui the testsuite logic really is buggy in that respect. ## Version of gnutls used: 3.6.13 ## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL) Debian -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1007 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat May 30 11:55:13 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sat, 30 May 2020 09:55:13 +0000 Subject: [gnutls-devel] GnuTLS | WIP: AIA callback to retrieve missing chain certificates (!1262) In-Reply-To: References: Message-ID: Daiki Ueno commented on a discussion on lib/cert-cred.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1262#note_352269433 > cred->verify_callback = func; > } > > +/** > + * gnutls_x509_trust_list_set_getissuer_function: > + * @tlist: is a #gnutls_x509_trust_list_t type. > + * @func: is the callback function > + * > + * This function sets a callback to be called when the peer's certificate > + * chain is incomplete due a missing intermediate certificate/certificates. > + * > + * The callback's function prototype is defined in `abstract.h': > + * int (*callback)( > + * gnutls_x509_crt_t crt, > + * gnutls_x509_crt_t issuer); That's strange as we have other callback docs in the public header, e.g., `gnutls_pin_callback_t`. What error do you see? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1262#note_352269433 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat May 30 12:00:53 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sat, 30 May 2020 10:00:53 +0000 Subject: [gnutls-devel] GnuTLS | lib: improve external file loading (!1261) In-Reply-To: References: Message-ID: Daiki Ueno commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/1261#note_352270275 To minimize the diff, I only fixed that in the new code. It should now be fixed everywhere with the latest version. Thanks for the review! -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1261#note_352270275 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat May 30 12:01:05 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sat, 30 May 2020 10:01:05 +0000 Subject: [gnutls-devel] GnuTLS | lib: improve external file loading (!1261) In-Reply-To: References: Message-ID: All discussions on Merge Request !1261 were resolved by Daiki Ueno https://gitlab.com/gnutls/gnutls/-/merge_requests/1261 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1261 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat May 30 12:04:42 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sat, 30 May 2020 10:04:42 +0000 Subject: [gnutls-devel] GnuTLS | WIP: AIA callback to retrieve missing chain certificates (!1262) In-Reply-To: References: Message-ID: Sahana Prasad commented on a discussion on lib/x509/verify.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1262#note_352270717 > issuer = find_issuer(cert, trusted_cas, tcas_size); > > + if (issuer == NULL) { > + if (tlist != NULL && tlist->issuer_callback != NULL) { > + _gnutls_debug_log("Missing issuer callback set.\n"); > + ret = gnutls_x509_crt_init(&issuer); > + if (ret < 0) { > + _gnutls_debug_log("gnutls_x509_crt_init: %s\n", gnutls_strerror(ret)); > + gnutls_assert(); > + issuer = NULL; > + } > + > + /* missing issuer is populated by the callback */ > + ret = tlist->issuer_callback(tlist, cert, issuer); > + if (ret < 0) { > + /* if the callback fails, continue as though the callback I can fix the spaces into tabs. (but I would have to align with spaces towards the end, like in the patch)But unlike the patch I do prefer that the next function parameter starts after the parentheses and not exactly under it. What do you think? (a b over (a b -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1262#note_352270717 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat May 30 12:11:12 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sat, 30 May 2020 10:11:12 +0000 Subject: [gnutls-devel] GnuTLS | WIP: AIA callback to retrieve missing chain certificates (!1262) In-Reply-To: References: Message-ID: Sahana Prasad commented on a discussion on tests/missingissuer.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1262#note_352271774 > + gnutls_datum_t tmp; > + int ret; > + > + tmp.data = (unsigned char *)missing_cert_insert; > + tmp.size = strlen(missing_cert_insert); > + > + ret = gnutls_x509_crt_import(issuer, &tmp, GNUTLS_X509_FMT_PEM); > + if (ret < 0) { > + fprintf(stderr, "error: %s\n", gnutls_strerror(ret)); > + return -1; > + } > + > + ret = gnutls_x509_crt_print(crt, GNUTLS_CRT_PRINT_ONELINE, &tmp); > + if (ret < 0) { > + fprintf(stderr, "error: %s\n", gnutls_strerror(ret)); > + gnutls_free(tmp.data); I think gnutls_x509_crt_print() is allocating dynamic memory and `gnutls_free(tmp.data)` has to be freed. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1262#note_352271774 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat May 30 12:14:22 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sat, 30 May 2020 10:14:22 +0000 Subject: [gnutls-devel] GnuTLS | configure: check that -no_weak_links works with FD_SET (!1266) In-Reply-To: References: Message-ID: Merge Request !1266 was approved by Daiki Ueno Merge Request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1266 Project:Branches: GostCrypt/gnutls:tmp-fix-macosx-link to gnutls/gnutls:master Author: Dmitry Baryshkov Assignees: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1266 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat May 30 12:16:11 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sat, 30 May 2020 10:16:11 +0000 Subject: [gnutls-devel] GnuTLS | tests: disable slow tests if configured with --disable-full-test-suite (!1263) In-Reply-To: References: Message-ID: Daiki Ueno commented: Wouldn't this require update in `.gitlab-ci.yml` to keep the previous test coverage? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1263#note_352272425 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat May 30 12:18:55 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sat, 30 May 2020 10:18:55 +0000 Subject: [gnutls-devel] GnuTLS | configure.ac: add -fno-builtin-strcmp if valgrind is enabled (!1264) In-Reply-To: References: Message-ID: Daiki Ueno commented: Wouldn't it be sufficient to suppress the errors with a suppressions file? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1264#note_352272769 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat May 30 12:20:16 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sat, 30 May 2020 10:20:16 +0000 Subject: [gnutls-devel] GnuTLS | WIP: AIA callback to retrieve missing chain certificates (!1262) In-Reply-To: References: Message-ID: Sahana Prasad commented on a discussion on lib/cert-cred.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1262#note_352272901 > cred->verify_callback = func; > } > > +/** > + * gnutls_x509_trust_list_set_getissuer_function: > + * @tlist: is a #gnutls_x509_trust_list_t type. > + * @func: is the callback function > + * > + * This function sets a callback to be called when the peer's certificate > + * chain is incomplete due a missing intermediate certificate/certificates. > + * > + * The callback's function prototype is defined in `abstract.h': > + * int (*callback)( > + * gnutls_x509_crt_t crt, > + * gnutls_x509_crt_t issuer); https://gitlab.com/sahprasa/gnutls/-/jobs/573021651 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1262#note_352272901 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat May 30 12:22:20 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sat, 30 May 2020 10:22:20 +0000 Subject: [gnutls-devel] GnuTLS | lib: improve external file loading (!1261) In-Reply-To: References: Message-ID: Merge Request !1261 was merged Merge Request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1261 Branches: tmp-fileio to master Author: Daiki Ueno Assignees: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1261 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat May 30 12:24:53 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sat, 30 May 2020 10:24:53 +0000 Subject: [gnutls-devel] GnuTLS | lib: add support for AES-192-GCM (!1267) In-Reply-To: References: Message-ID: Daiki Ueno commented: Looks good to me. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1267#note_352273417 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat May 30 12:24:41 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sat, 30 May 2020 10:24:41 +0000 Subject: [gnutls-devel] GnuTLS | lib: add support for AES-192-GCM (!1267) In-Reply-To: References: Message-ID: Merge Request !1267 was approved by Daiki Ueno Merge Request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1267 Project:Branches: GostCrypt/gnutls:add-aes192-gcm to gnutls/gnutls:master Author: Dmitry Baryshkov Assignees: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1267 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat May 30 12:38:02 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sat, 30 May 2020 10:38:02 +0000 Subject: [gnutls-devel] GnuTLS | devel: provide external git diff driver for *.abi files (!1214) In-Reply-To: References: Message-ID: Daiki Ueno commented: That might be because git log stops processing when it sees a non-zero exit status of an external diff driver. With the latest version, I can see: ```console $ git log -p --ext-diff devel commit 8da3a71b358aa4a3199d1ee72c4e0d25a4588131 (tmp-keylog-func) Author: Daiki Ueno Date: Fri Feb 21 16:38:29 2020 +0100 keylogfile: simplify the callback mechanism This partially reverts commit 97117556 with a simpler interface. The original intention of having the callback mechanism was to reuse it for monitoring QUIC encryption changes. However, it turned out to be insufficient because such changes must be emitted after a new epoch is ready. Signed-off-by: Daiki Ueno devel/libgnutls-latest-x86_64.abi Functions changes summary: 0 Removed, 0 Changed, 0 Added function Variables changes summary: 0 Removed, 0 Changed, 0 Added variable Function symbols changes summary: 1 Removed, 1 Added function symbols not referenced by debug info Variable symbols changes summary: 0 Removed, 0 Added variable symbol not referenced by debug info 1 Removed function symbol not referenced by debug info: gnutls_handshake_set_secret_function@@GNUTLS_3_6_13 1 Added function symbol not referenced by debug info: gnutls_session_set_keylog_function@@GNUTLS_3_6_13 diff --git a/devel/symbols.last b/devel/symbols.last [...] ``` -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1214#note_352274930 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat May 30 12:45:47 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sat, 30 May 2020 10:45:47 +0000 Subject: [gnutls-devel] GnuTLS | WIP: AIA callback to retrieve missing chain certificates (!1262) In-Reply-To: References: Message-ID: Daiki Ueno commented on a discussion on tests/missingissuer.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1262#note_352275853 > + gnutls_datum_t tmp; > + int ret; > + > + tmp.data = (unsigned char *)missing_cert_insert; > + tmp.size = strlen(missing_cert_insert); > + > + ret = gnutls_x509_crt_import(issuer, &tmp, GNUTLS_X509_FMT_PEM); > + if (ret < 0) { > + fprintf(stderr, "error: %s\n", gnutls_strerror(ret)); > + return -1; > + } > + > + ret = gnutls_x509_crt_print(crt, GNUTLS_CRT_PRINT_ONELINE, &tmp); > + if (ret < 0) { > + fprintf(stderr, "error: %s\n", gnutls_strerror(ret)); > + gnutls_free(tmp.data); That is true, but `gnutls_x509_crt_print` can return without touching the `out` parameter upon failure, e.g., around https://gitlab.com/gnutls/gnutls/-/blob/master/lib/x509/output.c#L2218. In that case `tmp.data` will still point to the static memory. In general, I think you can safely assume that the out parameter is not modified when the operation fails. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1262#note_352275853 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat May 30 14:44:10 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sat, 30 May 2020 12:44:10 +0000 Subject: [gnutls-devel] GnuTLS | configure.ac: add -fno-builtin-strcmp if valgrind is enabled (!1264) In-Reply-To: References: Message-ID: Dmitry Baryshkov commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/1264#note_352297937 No. Strcmp gets inlined, so there is no way to suppress only those calls. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1264#note_352297937 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat May 30 14:50:40 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sat, 30 May 2020 12:50:40 +0000 Subject: [gnutls-devel] GnuTLS | configure: check that -no_weak_links works with FD_SET (!1266) In-Reply-To: References: Message-ID: Merge Request !1266 was merged Merge Request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1266 Project:Branches: GostCrypt/gnutls:tmp-fix-macosx-link to gnutls/gnutls:master Author: Dmitry Baryshkov Assignees: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1266 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat May 30 14:50:50 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sat, 30 May 2020 12:50:50 +0000 Subject: [gnutls-devel] GnuTLS | Build failure on macOS Catalina 10.15.4 under Xcode 11.4. (#966) In-Reply-To: References: Message-ID: Issue was closed by Dmitry Baryshkov via merge request !1266 (https://gitlab.com/gnutls/gnutls/-/merge_requests/1266) Issue #966: https://gitlab.com/gnutls/gnutls/-/issues/966 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/966 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat May 30 14:51:02 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sat, 30 May 2020 12:51:02 +0000 Subject: [gnutls-devel] GnuTLS | .travis.yml: use several different OSX versions (!1269) In-Reply-To: References: Message-ID: Merge Request !1269 was merged Merge Request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1269 Project:Branches: GostCrypt/gnutls:tmp-macosx-vers to gnutls/gnutls:master Author: Dmitry Baryshkov Assignees: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1269 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat May 30 14:53:21 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sat, 30 May 2020 12:53:21 +0000 Subject: [gnutls-devel] GnuTLS | lib: add support for AES-192-GCM (!1267) In-Reply-To: References: Message-ID: Merge Request !1267 was merged Merge Request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1267 Project:Branches: GostCrypt/gnutls:add-aes192-gcm to gnutls/gnutls:master Author: Dmitry Baryshkov Assignees: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1267 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat May 30 16:30:22 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sat, 30 May 2020 14:30:22 +0000 Subject: [gnutls-devel] GnuTLS | WIP: AIA callback to retrieve missing chain certificates (!1262) In-Reply-To: References: Message-ID: Sahana Prasad commented on a discussion on lib/x509/verify.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1262#note_352312200 > + _gnutls_debug_log("gnutls_x509_crt_init: %s\n", gnutls_strerror(ret)); > + gnutls_assert(); > + MARK_INVALID(GNUTLS_CERT_SIGNER_NOT_FOUND); > + goto cleanup; > + } > + > + /* missing issuer is populated by the callback */ > + ret = tlist->issuer_callback(tlist, cert, issuer); > + if (ret < 0) { > + /* if the callback fails, continue as though the callback > + * wasn't invoked i.e issuer remains NULL */ > + gnutls_x509_crt_deinit(issuer); > + gnutls_assert(); > + issuer = NULL; > + } else > + issuer_deinit = true; @I'm afraid this would still leak. I tried this method and If I don't call `gnutls_x509_crt_deinit` in verify_crt() in cleanup, ==9252==ERROR: LeakSanitizer: detected memory leaks Direct leak of 136 byte(s) in 1 object(s) allocated from: #0 0x7f2096d83e56 in __interceptor_calloc (/lib64/libasan.so.5+0x10de56) #1 0x7f20966de301 in gnutls_x509_crt_init /home/sprasad/workspace/projects/gnutls/gnutls/lib/x509/x509.c:207 #2 0x402677 in getissuer_callback /home/sprasad/workspace/projects/gnutls/gnutls/tests/missingissuer_aia.c:74 #3 0x7f20966d6691 in verify_crt /home/sprasad/workspace/projects/gnutls/gnutls/lib/x509/verify.c:653 #4 0x7f20966d9cf5 in _gnutls_verify_crt_status /home/sprasad/workspace/projects/gnutls/gnutls/lib/x509/verify.c:1033 #5 0x7f209670d6ac in gnutls_x509_trust_list_verify_crt2 /home/sprasad/workspace/projects/gnutls/gnutls/lib/x509/verify-high.c:1335 #6 0x7f209670e892 in gnutls_x509_trust_list_verify_crt /home/sprasad/workspace/projects/gnutls/gnutls/lib/x509/verify-high.c:1188 #7 0x403586 in doit /home/sprasad/workspace/projects/gnutls/gnutls/tests/missingissuer_aia.c:228 #8 0x404876 in main /home/sprasad/workspace/projects/gnutls/gnutls/tests/utils.c:254 #9 0x7f2095229f42 in __libc_start_main (/lib64/libc.so.6+0x23f42) -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1262#note_352312200 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat May 30 16:34:39 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sat, 30 May 2020 14:34:39 +0000 Subject: [gnutls-devel] GnuTLS | WIP: AIA callback to retrieve missing chain certificates (!1262) In-Reply-To: References: Message-ID: Sahana Prasad commented on a discussion on tests/missingissuer.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1262#note_352312763 > + gnutls_datum_t tmp; > + int ret; > + > + tmp.data = (unsigned char *)missing_cert_insert; > + tmp.size = strlen(missing_cert_insert); > + > + ret = gnutls_x509_crt_import(issuer, &tmp, GNUTLS_X509_FMT_PEM); > + if (ret < 0) { > + fprintf(stderr, "error: %s\n", gnutls_strerror(ret)); > + return -1; > + } > + > + ret = gnutls_x509_crt_print(crt, GNUTLS_CRT_PRINT_ONELINE, &tmp); > + if (ret < 0) { > + fprintf(stderr, "error: %s\n", gnutls_strerror(ret)); > + gnutls_free(tmp.data); I thought it is not recommended to assert in callback. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1262#note_352312763 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat May 30 17:57:00 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sat, 30 May 2020 15:57:00 +0000 Subject: [gnutls-devel] GnuTLS | WIP: AIA callback to retrieve missing chain certificates (!1262) In-Reply-To: References: Message-ID: Daiki Ueno commented on a discussion on lib/x509/verify.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1262#note_352325131 > + _gnutls_debug_log("gnutls_x509_crt_init: %s\n", gnutls_strerror(ret)); > + gnutls_assert(); > + MARK_INVALID(GNUTLS_CERT_SIGNER_NOT_FOUND); > + goto cleanup; > + } > + > + /* missing issuer is populated by the callback */ > + ret = tlist->issuer_callback(tlist, cert, issuer); > + if (ret < 0) { > + /* if the callback fails, continue as though the callback > + * wasn't invoked i.e issuer remains NULL */ > + gnutls_x509_crt_deinit(issuer); > + gnutls_assert(); > + issuer = NULL; > + } else > + issuer_deinit = true; Sigh, you are right and I was completely wrong. There is no such ownership transfer mechanism and the library side still need to maintain the lifetime of `issuer`. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1262#note_352325131 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat May 30 18:05:49 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sat, 30 May 2020 16:05:49 +0000 Subject: [gnutls-devel] GnuTLS | WIP: AIA callback to retrieve missing chain certificates (!1262) In-Reply-To: References: Message-ID: Daiki Ueno commented on a discussion on lib/x509/verify.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1262#note_352326308 > + _gnutls_debug_log("gnutls_x509_crt_init: %s\n", gnutls_strerror(ret)); > + gnutls_assert(); > + MARK_INVALID(GNUTLS_CERT_SIGNER_NOT_FOUND); > + goto cleanup; > + } > + > + /* missing issuer is populated by the callback */ > + ret = tlist->issuer_callback(tlist, cert, issuer); > + if (ret < 0) { > + /* if the callback fails, continue as though the callback > + * wasn't invoked i.e issuer remains NULL */ > + gnutls_x509_crt_deinit(issuer); > + gnutls_assert(); > + issuer = NULL; > + } else > + issuer_deinit = true; Well, no. It will be `free`'ed if you call `gnutls_x509_trust_list_deinit` with `all` argument set to 1. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1262#note_352326308 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat May 30 18:08:03 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sat, 30 May 2020 16:08:03 +0000 Subject: [gnutls-devel] GnuTLS | configure.ac: add -fno-builtin-strcmp if valgrind is enabled (!1264) In-Reply-To: References: Message-ID: All discussions on Merge Request !1264 were resolved by Daiki Ueno https://gitlab.com/gnutls/gnutls/-/merge_requests/1264 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1264 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat May 30 18:08:07 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sat, 30 May 2020 16:08:07 +0000 Subject: [gnutls-devel] GnuTLS | configure.ac: add -fno-builtin-strcmp if valgrind is enabled (!1264) In-Reply-To: References: Message-ID: Merge Request !1264 was approved by Daiki Ueno Merge Request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1264 Project:Branches: GostCrypt/gnutls:fix-valgrind to gnutls/gnutls:master Author: Dmitry Baryshkov Assignees: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1264 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat May 30 18:08:03 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sat, 30 May 2020 16:08:03 +0000 Subject: [gnutls-devel] GnuTLS | configure.ac: add -fno-builtin-strcmp if valgrind is enabled (!1264) In-Reply-To: References: Message-ID: Daiki Ueno commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/1264#note_352326649 OK, if there are so many errors then it makes sense to fix this way. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1264#note_352326649 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat May 30 19:35:00 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sat, 30 May 2020 17:35:00 +0000 Subject: [gnutls-devel] GnuTLS | WIP: AIA callback to retrieve missing chain certificates (!1262) In-Reply-To: References: Message-ID: Daiki Ueno commented on a discussion on lib/x509/verify.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1262#note_352341394 > issuer = find_issuer(cert, trusted_cas, tcas_size); > > + if (issuer == NULL) { > + if (tlist != NULL && tlist->issuer_callback != NULL) { > + _gnutls_debug_log("Missing issuer callback set.\n"); > + ret = gnutls_x509_crt_init(&issuer); > + if (ret < 0) { > + _gnutls_debug_log("gnutls_x509_crt_init: %s\n", gnutls_strerror(ret)); > + gnutls_assert(); > + issuer = NULL; > + } > + > + /* missing issuer is populated by the callback */ > + ret = tlist->issuer_callback(tlist, cert, issuer); > + if (ret < 0) { > + /* if the callback fails, continue as though the callback Yes, and isn't that the case already (as long as the terminal or editor renders a tab as 8 spaces)? I rely on Emacs for that job so that such mistakes do not come in. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1262#note_352341394 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat May 30 19:36:20 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sat, 30 May 2020 17:36:20 +0000 Subject: [gnutls-devel] GnuTLS | WIP: AIA callback to retrieve missing chain certificates (!1262) In-Reply-To: References: Message-ID: Daiki Ueno commented on a discussion on tests/missingissuer.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1262#note_352341566 > + gnutls_datum_t tmp; > + int ret; > + > + tmp.data = (unsigned char *)missing_cert_insert; > + tmp.size = strlen(missing_cert_insert); > + > + ret = gnutls_x509_crt_import(issuer, &tmp, GNUTLS_X509_FMT_PEM); > + if (ret < 0) { > + fprintf(stderr, "error: %s\n", gnutls_strerror(ret)); > + return -1; > + } > + > + ret = gnutls_x509_crt_print(crt, GNUTLS_CRT_PRINT_ONELINE, &tmp); > + if (ret < 0) { > + fprintf(stderr, "error: %s\n", gnutls_strerror(ret)); > + gnutls_free(tmp.data); It's fine: there are quite a few places where `assert` is used in handshake hooks. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1262#note_352341566 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat May 30 20:37:52 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sat, 30 May 2020 18:37:52 +0000 Subject: [gnutls-devel] GnuTLS | RFE: gnutls_datum_wipe() (similar to private _gnutls_free_key_datum()) (#1001) In-Reply-To: References: Message-ID: Glenn Strauss commented: gnutls_datum_t is a first-class object in GnuTLS. `gnutls_load_file()` is a common idiom and should probably be renamed `gnutls_datum_load_file()` so that it can be paired with `gnutls_datum_free()` or `gnutls_datum_wipe_free()` -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1001#note_352348402 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun May 31 00:08:46 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sat, 30 May 2020 22:08:46 +0000 Subject: [gnutls-devel] GnuTLS | Handle expiration of AddTrust root certificate (#1008) References: Message-ID: Michael Catanzaro created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1008 [Sectigo's old AddTrust root certificate expired earlier today.](https://sectigo.com/resource-library/sectigos-addtrust-root-is-soon-to-expire-what-you-need-to-know) This was supposed to go unnoticed by users because GnuTLS should ignore the expired root and instead use a non-expired root instead, given that it has the same public key as the expired one. [Here is a blog post I found describing today's issue.](https://www.agwa.name/blog/post/fixing_the_addtrust_root_expiration) In practice, a lot of websites depend on this root, so it's a bit of an apocalypse for Epiphany, and we'll likely start losing users to Firefox every day until resolved. :/ Example broken websites include: * [EasyList adblock filters](https://easylist-downloads.adblockplus.org) required for adblocking in Epiphany * [This knowledgebase article explaining how TLS clients will handle this certificate's expiration without issue](https://support.sectigo.com/Com_KnowledgeDetailPage?Id=kA03l00000117LT) We actually have [a test in glib-networking to ensure a similar case works](https://gitlab.gnome.org/GNOME/glib-networking/-/blob/533d3a76e2cc622b072e3ec789f69e888f3fd8eb/tls/tests/connection.c#L832), and the test is passing, so the test must not be good enough. I'm trying to find the issue report where GnuTLS originally added support for this case, but am having some difficulty doing so (it was a while back... 2014? 2015?). The blog post I linked to above (quite rudely) implies GnuTLS is just bad at completing chains, but I . Example gnutls-cli: ``` $ gnutls-cli support.sectigo.com Processed 157 CA certificate(s). Resolving 'support.sectigo.com:443'... Connecting to '13.109.141.149:443'... - Certificate type: X.509 - Got a certificate list of 3 certificates. - Certificate[0] info: - subject `CN=support.sectigo.com,OU=COMODO EV SSL,OU=IT,O=Comodo CA Limited,street=3rd Floor Building 26,street=Office Village Exchange Quay,street=Trafford Road,L=Salford,ST=Manchester,postalCode=M5 3EQ,C=GB,businessCategory=Private Organization,jurisdictionOfIncorporationCountryName=GB,serialNumber=04058690', issuer `CN=COMODO RSA Extended Validation Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB', serial 0x6a6d5a985263e1676288c3a67c3d61d3, RSA key 2048 bits, signed using RSA-SHA256, activated `2018-11-01 00:00:00 UTC', expires `2020-10-31 23:59:59 UTC', pin-sha256="ueQdDfIoPaNUMl4eyn19K6opv6brR+PQ/GCuY3hxHv0=" Public Key ID: sha1:d819ea14af7a4a45250f3d968050fffbaf36a1c7 sha256:b9e41d0df2283da354325e1eca7d7d2baa29bfa6eb47e3d0fc60ae6378711efd Public Key PIN: pin-sha256:ueQdDfIoPaNUMl4eyn19K6opv6brR+PQ/GCuY3hxHv0= - Certificate[1] info: - subject `CN=COMODO RSA Extended Validation Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB', issuer `CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB', serial 0x06a74380d4ebfed435b5a3f7e16abdd8, RSA key 2048 bits, signed using RSA-SHA384, activated `2012-02-12 00:00:00 UTC', expires `2027-02-11 23:59:59 UTC', pin-sha256="Fbr/5aSOo4KRal8YE49t4lc76IOnK/oto9NWV1cSKWM=" - Certificate[2] info: - subject `CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB', issuer `CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE', serial 0x2766ee56eb49f38eabd770a2fc84de22, RSA key 4096 bits, signed using RSA-SHA384, activated `2000-05-30 10:48:38 UTC', expires `2020-05-30 10:48:38 UTC', pin-sha256="grX4Ta9HpZx6tSHkmCrvpApTQGo67CYDnvprLg5yRME=" - Status: The certificate is NOT trusted. The certificate chain uses expired certificate. *** PKI verification of server certificate failed... *** Fatal error: Error in the certificate. ``` Again, the expired COMODO RSA Certification Authority root should just be ignored because there is a non-expired root with the same public key shipped by ca-certificates. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1008 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun May 31 00:28:58 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sat, 30 May 2020 22:28:58 +0000 Subject: [gnutls-devel] GnuTLS | Handle expiration of AddTrust root certificate (urgent) (#1008) In-Reply-To: References: Message-ID: Michael Catanzaro commented: > (Still trying to find the original change, I'm having some difficulty searching for it.) The only reference I can find is [this downstream bug](https://bugzilla.redhat.com/show_bug.cgi?id=1142137), but it's missing a link to upstream. Anyway, that historical bug describes the use-case for how this is expected to work. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1008#note_352369105 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun May 31 00:53:04 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sat, 30 May 2020 22:53:04 +0000 Subject: [gnutls-devel] GnuTLS | Handle expiration of AddTrust root certificate (urgent) (#1008) In-Reply-To: References: Message-ID: Michael Catanzaro commented: > The only reference I can find is [this downstream bug](https://bugzilla.redhat.com/show_bug.cgi?id=1142137), but it's missing a link to upstream. Anyway, that historical bug describes the use-case for how this is expected to work. I think it was https://gitlab.com/gnutls/gnutls/-/commit/f77b78c9709e925d7702b37e265ab41658025671 (though I don't see any upstream issue reference) -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1008#note_352370753 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun May 31 05:14:45 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sun, 31 May 2020 03:14:45 +0000 Subject: [gnutls-devel] GnuTLS | specialize gnutls_load_file() for unix-like OS (!1270) In-Reply-To: References: Message-ID: Glenn Strauss commented: I added some commits to demonstrate more consistent easier and more correct code using the `gnutls_load_file()` interface and passing function params using the `gnutls_datum_t` data structure. With the latest push, I built gnutls and ran all tests with `make check`. All tests pass (or were skipped by the test harness) Along the way, I fixed a bug in `src/certtool.c:load_infile()` which misreported the filename in the error condition, always reporting `OPT_ARG(INFILE)` instead of the `file` param passed into `load_infile()` Remaining in the gnutls codebase (after applying these patches) is a single call to `read_file()` (for non-unix systems) and a single call to `fread_file()` for the applications under `src/` when the apps read `stdin` or device files. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1270#note_352385153 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun May 31 05:54:38 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sun, 31 May 2020 03:54:38 +0000 Subject: [gnutls-devel] GnuTLS | Handle expiration of AddTrust root certificate (urgent) (#1008) In-Reply-To: References: Message-ID: Kenneth J_ Miller commented: The ticket name should be changed to describe the underlying issue, the failing validation of certificates chaining back to the expired Sectigo root/intermediate is a symptom of deeper issue with the way GnuTLS currently validates certificate paths. I recreated the issue locally with **GnuTLS 3.6.13**, Nginx, and some test certificates. From my observation, GnuTLS fails if the first path validated contains an expired certificate, even if there exist possible valid alternative paths. Here the X.509 PKI I tested with an intermediate cross-signed by a valid and expired root certificate respectively: ``` ROOT 1 ROOT 2 (valid) (expired) \ / \ / INTERMEDIATE 1 (valid) | | LEAF 1 (valid) ``` Note that this is a slightly different hierarchy than the issue presented by Sectigo's certificates where the public keys of an intermediate certificate were used to re-create a self-signed root. However, the underlying issue presents itself in the same way. Depending on the order in which Nginx serves the above cross-signed INTERMEDIATE 1 certificates after the LEAF 1 certificate, a request will either succeed or fail. When the certificate bundle supplied by Nginx contains the INTERMEDIATE 1 signed by the valid ROOT 1 *before* the one signed by ROOT 2, the TLS handshake succeeds: ``` asd# gnutls-cli example.test Processed 2 CA certificate(s). Resolving 'example.test:443'... Connecting to '127.0.1.1:443'... - Certificate type: X.509 - Got a certificate list of 3 certificates. - Certificate[0] info: - subject `CN=example.test', issuer `CN=INTERMEDIATE 1', serial 0x6ce0398c3f993ad4f5509763fc2ed69286df6631, RSA key 3072 bits, signed using RSA-SHA256, activated `2020-05-31 03:20:16 UTC', expires `2020-06-28 03:20:17 UTC', pin-sha256="ySlPmQ0lv9y4f7hwsopslzgEdiUnU3/5u4nFya2WwSo=" Public Key ID: sha1:66fc0194e47a524774be3c64c1fcf11dab218ebd sha256:c9294f990d25bfdcb87fb870b28a6c973804762527537ff9bb89c5c9ad96c12a Public Key PIN: pin-sha256:ySlPmQ0lv9y4f7hwsopslzgEdiUnU3/5u4nFya2WwSo= - Certificate[1] info: - subject `CN=INTERMEDIATE 1', issuer `CN=ROOT 1', serial 0x17662e3e54ea343b5e81205e0c69aafb94c2b29d, RSA key 3072 bits, signed using RSA-SHA256, activated `2020-05-31 03:25:19 UTC', expires `2020-06-29 03:25:22 UTC', pin-sha256="SbBuckO3jO2KQK2OTZ1s92tOYBU1Zh2cULbe6dZ+tK4=" - Certificate[2] info: - subject `CN=INTERMEDIATE 1', issuer `CN=ROOT 2', serial 0x1040f78089e97ffefc343f977eaeedd78fc15f87, RSA key 3072 bits, signed using RSA-SHA256, activated `2020-05-31 03:22:12 UTC', expires `2020-06-28 03:22:14 UTC', pin-sha256="SbBuckO3jO2KQK2OTZ1s92tOYBU1Zh2cULbe6dZ+tK4=" - Status: The certificate is trusted. - Description: (TLS1.3-X.509)-(ECDHE-SECP256R1)-(RSA-PSS-RSAE-SHA256)-(AES-256-GCM) - Options: - Handshake was completed ``` When the certificate bundle supplied by Nginx contains the INTERMEDIATE 1 signed by the ROOT 1 *after* the one signed by the expired ROOT 1, the TLS handshake fails: ``` # gnutls-cli example.test Processed 2 CA certificate(s). Resolving 'example.test:443'... Connecting to '127.0.1.1:443'... - Certificate type: X.509 - Got a certificate list of 3 certificates. - Certificate[0] info: - subject `CN=example.test', issuer `CN=INTERMEDIATE 1', serial 0x6ce0398c3f993ad4f5509763fc2ed69286df6631, RSA key 3072 bits, signed using RSA-SHA256, activated `2020-05-31 03:20:16 UTC', expires `2020-06-28 03:20:17 UTC', pin-sha256="ySlPmQ0lv9y4f7hwsopslzgEdiUnU3/5u4nFya2WwSo=" Public Key ID: sha1:66fc0194e47a524774be3c64c1fcf11dab218ebd sha256:c9294f990d25bfdcb87fb870b28a6c973804762527537ff9bb89c5c9ad96c12a Public Key PIN: pin-sha256:ySlPmQ0lv9y4f7hwsopslzgEdiUnU3/5u4nFya2WwSo= - Certificate[1] info: - subject `CN=INTERMEDIATE 1', issuer `CN=ROOT 2', serial 0x1040f78089e97ffefc343f977eaeedd78fc15f87, RSA key 3072 bits, signed using RSA-SHA256, activated `2020-05-31 03:22:12 UTC', expires `2020-06-28 03:22:14 UTC', pin-sha256="SbBuckO3jO2KQK2OTZ1s92tOYBU1Zh2cULbe6dZ+tK4=" - Certificate[2] info: - subject `CN=INTERMEDIATE 1', issuer `CN=ROOT 1', serial 0x17662e3e54ea343b5e81205e0c69aafb94c2b29d, RSA key 3072 bits, signed using RSA-SHA256, activated `2020-05-31 03:25:19 UTC', expires `2020-06-29 03:25:22 UTC', pin-sha256="SbBuckO3jO2KQK2OTZ1s92tOYBU1Zh2cULbe6dZ+tK4=" - Status: The certificate is NOT trusted. The certificate chain uses expired certificate. The signature in the certificate is invalid. *** PKI verification of server certificate failed... *** Fatal error: Error in the certificate. ``` -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1008#note_352387084 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun May 31 07:10:53 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sun, 31 May 2020 05:10:53 +0000 Subject: [gnutls-devel] GnuTLS | Handle expiration of AddTrust root certificate (urgent) (#1008) In-Reply-To: References: Message-ID: Milestone changed to Release of GnuTLS 3.6.14 (Mar 31, 2020?Jun 1, 2020) ( https://gitlab.com/gnutls/gnutls/-/milestones/28 ) -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1008 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun May 31 07:27:34 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sun, 31 May 2020 05:27:34 +0000 Subject: [gnutls-devel] GnuTLS | Handle expiration of AddTrust root certificate (urgent) (#1008) In-Reply-To: References: Message-ID: Daiki Ueno commented: Thank you for the report. Though I am not following the discussion around this, my question is whether it is legitimate that the server sends such certificate chain. GnuTLS implements the [Basic Path Validation procedure](https://tools.ietf.org/html/rfc5280#section-6.1) quite naively, meaning that it assumes that the `n`th certificate is signed by `n-1`th, and individual certificate validity is only checked at the [Basic Certificate Processing phase](https://tools.ietf.org/html/rfc5280#section-6.1.3). Having said that, there is a pre-processing mechanism and it wouldn't be so hard to "fix" this (I confirmed that it works if I add an extra check in `_gnutls_sort_clist`, though I guess the behavior should probably be controlled with a flag, like unsorted chain). -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1008#note_352394245 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun May 31 10:07:39 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sun, 31 May 2020 08:07:39 +0000 Subject: [gnutls-devel] GnuTLS | Handle expiration of AddTrust root certificate (urgent) (#1008) In-Reply-To: References: Message-ID: Remi Denis-Courmont commented: Seeing seemingly same problem in VLC, though it's probably not as damaging as in Epiphany https://forum.videolan.org/viewtopic.php?f=2&t=153734&p=504443 I suppose the server listed in that post is serving an expired root cert, though I'm not sure how to ascertain that. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1008#note_352426909 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun May 31 11:15:15 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sun, 31 May 2020 09:15:15 +0000 Subject: [gnutls-devel] GnuTLS | Handle expiration of AddTrust root certificate (urgent) (#1008) In-Reply-To: References: Message-ID: Daiki Ueno commented: Indeed, looks like @TheRealMichaelCatanzaro's initial analysis is right, that is we have a mechanism to shorten the certificate chain by removing known certificates in the system trust store, but for some reason the matching doesn't work correctly. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1008#note_352436116 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun May 31 12:56:28 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sun, 31 May 2020 10:56:28 +0000 Subject: [gnutls-devel] GnuTLS | _gnutls_pkcs11_verify_crt_status: check validity against system cert (!1271) References: Message-ID: Daiki Ueno created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1271 Branches: tmp-known-certs to master Author: Daiki Ueno To verify a certificate chain, this function replaces known certificates with the ones in the system trust store if possible. However, if it is found, the function checked the validity of the original certificate rather than the certificate found in the trust store. That revealed a problem in a scenario that (1) a certificate is signed by multiple issuers and (2) one of the issuers' certificate has expired and included in the input chain. This patch makes it a little robuster by actually retrieving the certificate from the trust store and check against it. Fixes the PKCS#11 case of #1008. ## Checklist * [x] Commits have `Signed-off-by:` with name/author being identical to the commit author * [ ] Code modified for feature * [ ] Test suite updated with functionality tests * [ ] Test suite updated with negative tests * [ ] Documentation updated / NEWS entry present (for non-trivial changes) * [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout) ## Reviewer's checklist: * [ ] Any issues marked for closing are addressed * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md` * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1271 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun May 31 13:00:16 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sun, 31 May 2020 11:00:16 +0000 Subject: [gnutls-devel] GnuTLS | Handle expiration of AddTrust root certificate (urgent) (#1008) In-Reply-To: References: Message-ID: Daiki Ueno commented: OK, the real cause seems to be that we actually look up the valid certificate from the trust store, but perform a sanity check against the original certificate (expired) and bail out. Note that !1271 fixes this on the systems using PKCS#11 trust store (i.e. Fedora, RHEL, etc), but does NOT fix the file based trust store (i.e. Debian, Ubuntu, etc). I'll look into it further. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1008#note_352448705 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun May 31 13:45:53 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sun, 31 May 2020 11:45:53 +0000 Subject: [gnutls-devel] GnuTLS | _gnutls_pkcs11_verify_crt_status: check validity against system cert (!1271) In-Reply-To: References: Message-ID: Merge Request !1271 was approved by Tim R?hsen Merge Request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1271 Branches: tmp-known-certs to master Author: Daiki Ueno Assignees: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1271 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun May 31 13:46:28 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sun, 31 May 2020 11:46:28 +0000 Subject: [gnutls-devel] GnuTLS | _gnutls_pkcs11_verify_crt_status: check validity against system cert (!1271) In-Reply-To: References: Message-ID: Tim R?hsen commented: LGTM, though I cannot test it here and we don't have a test case yet (that would be perfect). -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1271#note_352453875 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun May 31 14:10:35 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sun, 31 May 2020 12:10:35 +0000 Subject: [gnutls-devel] GnuTLS | _gnutls_pkcs11_verify_crt_status: check validity against system cert (!1271) In-Reply-To: References: Message-ID: Merge Request !1271 was approved by Dmitry Baryshkov Merge Request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1271 Branches: tmp-known-certs to master Author: Daiki Ueno Assignees: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1271 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun May 31 14:32:32 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sun, 31 May 2020 12:32:32 +0000 Subject: [gnutls-devel] GnuTLS | configure.ac: add -fno-builtin-strcmp if valgrind is enabled (!1264) In-Reply-To: References: Message-ID: Merge Request !1264 was merged Merge Request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1264 Project:Branches: GostCrypt/gnutls:fix-valgrind to gnutls/gnutls:master Author: Dmitry Baryshkov Assignees: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1264 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun May 31 14:32:32 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sun, 31 May 2020 12:32:32 +0000 Subject: [gnutls-devel] GnuTLS | Valgrind: Testsuite fails when libgnutls is built with -O2 (#944) In-Reply-To: References: Message-ID: Issue was closed by Dmitry Baryshkov via merge request !1264 (https://gitlab.com/gnutls/gnutls/-/merge_requests/1264) Issue #944: https://gitlab.com/gnutls/gnutls/-/issues/944 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/944 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun May 31 14:32:36 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sun, 31 May 2020 12:32:36 +0000 Subject: [gnutls-devel] GnuTLS | _gnutls_pkcs11_verify_crt_status: check validity against system cert (!1271) In-Reply-To: References: Message-ID: Daiki Ueno commented: Thanks for the review; added a test case. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1271#note_352459649 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun May 31 14:40:58 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sun, 31 May 2020 12:40:58 +0000 Subject: [gnutls-devel] GnuTLS | use bcrypt for the windows random generator instead of wincrypt (!1255) In-Reply-To: References: Message-ID: Merge Request !1255 was approved by Dmitry Baryshkov Merge Request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1255 Project:Branches: robUx4/gnutls:nowincrypt to gnutls/gnutls:master Author: Steve Lhomme Assignees: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1255 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun May 31 14:41:09 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sun, 31 May 2020 12:41:09 +0000 Subject: [gnutls-devel] GnuTLS | use bcrypt for the windows random generator instead of wincrypt (!1255) In-Reply-To: References: Message-ID: All discussions on Merge Request !1255 were resolved by Dmitry Baryshkov https://gitlab.com/gnutls/gnutls/-/merge_requests/1255 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1255 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun May 31 14:41:16 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sun, 31 May 2020 12:41:16 +0000 Subject: [gnutls-devel] GnuTLS | use bcrypt for the windows random generator instead of wincrypt (!1255) In-Reply-To: References: Message-ID: Merge Request !1255 was merged Merge Request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1255 Project:Branches: robUx4/gnutls:nowincrypt to gnutls/gnutls:master Author: Steve Lhomme Assignees: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1255 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun May 31 17:10:24 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sun, 31 May 2020 15:10:24 +0000 Subject: [gnutls-devel] GnuTLS | Handle expiration of AddTrust root certificate (urgent) (#1008) In-Reply-To: References: Message-ID: Michael Catanzaro commented on a discussion: https://gitlab.com/gnutls/gnutls/-/issues/1008#note_352481491 > GnuTLS implements the [Basic Path Validation procedure](https://tools.ietf.org/html/rfc5280#section-6.1) quite naively, meaning that it assumes that the `n`th certificate is signed by `n-1`th, and individual certificate validity is only checked at the [Basic Certificate Processing phase](https://tools.ietf.org/html/rfc5280#section-6.1.3). We have tests in glib-networking to ensure that unordered chains are accepted (they are). (Though it's possible that glib-net attempts to reorder the chain before passing to GnuTLS.) -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1008#note_352481491 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun May 31 17:15:16 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sun, 31 May 2020 15:15:16 +0000 Subject: [gnutls-devel] GnuTLS | Handle expiration of AddTrust root certificate (urgent) (#1008) In-Reply-To: References: Message-ID: Michael Catanzaro commented: Thanks so much, Daiki! -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1008#note_352482112 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun May 31 17:54:51 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sun, 31 May 2020 15:54:51 +0000 Subject: [gnutls-devel] GnuTLS | _gnutls_pkcs11_verify_crt_status: check validity against system cert (!1271) In-Reply-To: References: Message-ID: Michael Catanzaro commented: I tested this, verified it works on both support.sectigo.com and easylist-downloads.adblockplus.org. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1271#note_352487538 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun May 31 18:15:59 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sun, 31 May 2020 16:15:59 +0000 Subject: [gnutls-devel] GnuTLS | _gnutls_pkcs11_verify_crt_status: check validity against system cert (!1271) In-Reply-To: References: Message-ID: Merge Request !1271 was merged Merge Request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1271 Branches: tmp-known-certs to master Author: Daiki Ueno Assignees: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1271 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun May 31 18:19:25 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sun, 31 May 2020 16:19:25 +0000 Subject: [gnutls-devel] GnuTLS | Handle expiration of AddTrust root certificate (urgent) (#1008) In-Reply-To: References: Message-ID: Daiki Ueno commented: Thank you for the hints; I couldn't have figured out the cause without those. Closing this as !1271 has been merged. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1008#note_352490873 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun May 31 18:19:27 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sun, 31 May 2020 16:19:27 +0000 Subject: [gnutls-devel] GnuTLS | Handle expiration of AddTrust root certificate (urgent) (#1008) In-Reply-To: References: Message-ID: Issue was closed by Daiki Ueno Issue #1008: https://gitlab.com/gnutls/gnutls/-/issues/1008 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1008 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun May 31 18:38:13 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sun, 31 May 2020 16:38:13 +0000 Subject: [gnutls-devel] GnuTLS | Handle expiration of AddTrust root certificate (urgent) (#1008) In-Reply-To: References: Message-ID: Michael Catanzaro commented: Amazing response time! It'd be nice to start getting the fix out to distros. Would an early upstream release be appropriate? Otherwise, we can advise distros to take this patch. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1008#note_352494044 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun May 31 19:36:37 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sun, 31 May 2020 17:36:37 +0000 Subject: [gnutls-devel] GnuTLS | Handle expiration of AddTrust root certificate (urgent) (#1008) In-Reply-To: References: Message-ID: Andreas Metzler commented on a discussion: https://gitlab.com/gnutls/gnutls/-/issues/1008#note_352508563 @dueno wrote > Closing this as !1271 has been merged. I am mystified, 6 hours ago you wrote > Note that !1271 fixes this on the systems using PKCS#11 trust store (i.e. Fedora, RHEL, etc), but does NOT fix the file based trust store (i.e. Debian, Ubuntu, etc). I'll look into it further. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1008#note_352508563 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun May 31 19:45:07 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sun, 31 May 2020 17:45:07 +0000 Subject: [gnutls-devel] GnuTLS | Handle expiration of AddTrust root certificate (urgent) (#1008) In-Reply-To: References: Message-ID: Daiki Ueno commented on a discussion: https://gitlab.com/gnutls/gnutls/-/issues/1008#note_352510230 Yes, and I added "EDIT: I add a follow-up fix for the latter in the same MR" to that comment right after (sorry, s/add/added/). -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1008#note_352510230 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: