From gnutls-devel at lists.gnutls.org Thu Apr 1 06:09:07 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Thu, 01 Apr 2021 04:09:07 +0000
Subject: [gnutls-devel] GnuTLS | How can I lock gnutls_record_get_state or pending when receiving data? (Maybe bug?) (#1052)
In-Reply-To:
References:
Message-ID:

GnuTLS bot commented:

@MXWXZ This issue is unlabelled after 30 days. It needs attention.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1052#note_542577650
You're receiving this email because of your account on gitlab.com.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From gnutls-devel at lists.gnutls.org Thu Apr 1 06:09:09 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Thu, 01 Apr 2021 04:09:09 +0000
Subject: [gnutls-devel] GnuTLS | GnuTLS cannot parse the extension Netscape Cert Type (#1159)
In-Reply-To:
References:
Message-ID:

GnuTLS bot commented:

@GOODPWDCETCSZ This issue was marked as needinfo with no update for long time. We are now closing it, but please re-open if it is still relevant.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1159#note_542577658

From gnutls-devel at lists.gnutls.org Thu Apr 1 06:09:05 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Thu, 01 Apr 2021 04:09:05 +0000
Subject: [gnutls-devel] GnuTLS | Issues require labels (#1199)
References:
Message-ID:

GnuTLS bot created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1199

The following issues require labels:

- [ ] [How can I lock gnutls_record_get_state or pending when receiving data? (Maybe bug?)](https://gitlab.com/gnutls/gnutls/-/issues/1052)

Please take care of them.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1199

From gnutls-devel at lists.gnutls.org Thu Apr 1 06:09:10 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Thu, 01 Apr 2021 04:09:10 +0000
Subject: [gnutls-devel] GnuTLS | GnuTLS cannot parse the extension Netscape Cert Type (#1159)
In-Reply-To:
References:
Message-ID:

Issue was closed by GnuTLS bot

Issue #1159: https://gitlab.com/gnutls/gnutls/-/issues/1159

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1159

From gnutls-devel at lists.gnutls.org Thu Apr 1 06:58:10 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Thu, 01 Apr 2021 04:58:10 +0000
Subject: [gnutls-devel] GnuTLS | Issues require labels (#1199)
In-Reply-To:
References:
Message-ID:

Issue was closed by Daiki Ueno

Issue #1199: https://gitlab.com/gnutls/gnutls/-/issues/1199

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1199

From gnutls-devel at lists.gnutls.org Thu Apr 1 17:59:09 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Thu, 01 Apr 2021 15:59:09 +0000
Subject: [gnutls-devel] GnuTLS | WIP: Add Linux kernel AF_ALG backend (!1404)
In-Reply-To:
References:
Message-ID:

Stephan Mueller started a new discussion on lib/accelerated/afalg.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1404#note_543271078

> return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); > > memcpy(ctx->iv, iv, iv_size); > + if(!ctx->encdec){

Sorry for the nit (and I guess you have tested it), but the afalg_cipher_init parameter is called enc - I would interpret that it contains 1 for encryption and 0 for decryption. If my interpretation would be correct, isn't this here a reversion of the logic?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1404#note_543271078

From gnutls-devel at lists.gnutls.org Thu Apr 1 18:04:48 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Thu, 01 Apr 2021 16:04:48 +0000
Subject: [gnutls-devel] GnuTLS | WIP: Add Linux kernel AF_ALG backend (!1404)
In-Reply-To:
References:
Message-ID:

Stephan Mueller started a new discussion on lib/accelerated/afalg.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1404#note_543276187

> void *dst, size_t dst_size) > { > struct kcapi_ctx *ctx = _ctx; > + struct iovec iov; > > - if (kcapi_cipher_decrypt(ctx->handle, src, src_size, ctx->iv, > - dst, > - (src_size > dst_size) ? dst_size : src_size, > - 0) < 0) { > + iov.iov_base = (void *)src; > + iov.iov_len = src_size; > + > + > + if(kcapi_aead_stream_update(ctx->handle, &iov, 1) < 0) {

_aead_ ? I guess you want to use the _cipher_ API?
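
Review bot: the added lines set `iov.iov_len = src_size` and never consult `dst_size`, while the removed kcapi_cipher_decrypt call capped the length at `(src_size > dst_size) ? dst_size : src_size`. Before queuing the iovec, compare src_size with dst_size and return an error when the output buffer is too small, so that whatever later reads the result into dst is bounded by a check made in this function rather than by the caller's good behaviour.
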

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1404#note_543276187

From gnutls-devel at lists.gnutls.org Thu Apr 1 18:08:01 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Thu, 01 Apr 2021 16:08:01 +0000
Subject: [gnutls-devel] GnuTLS | WIP: Add Linux kernel AF_ALG backend (!1404)
In-Reply-To:
References:
Message-ID:

Stephan Mueller started a new discussion on lib/accelerated/afalg.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1404#note_543279568

> void *dst, size_t dst_size) > { > struct kcapi_ctx *ctx = _ctx; > + struct iovec iov; > + > + iov.iov_base = (void *)src; > + iov.iov_len = src_size; > + > + > + if(kcapi_aead_stream_update(ctx->handle, &iov, 1) < 0) {

Just to clarify: Is the GnuTLS API here only providing access to block cipher modes (e.g. CBC)? Or do we also have stream-cipher modes (CTR, CTS)?

Note, in case of stream ciphers, the call kcapi_cipher_stream_update_last() is necessary to handle the last block that may not be a multiple of the block size any more. How does GnuTLS handle the case of stream ciphers when invoking the enc/dec operation multiple times?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1404#note_543279568

From gnutls-devel at lists.gnutls.org Fri Apr 2 15:49:10 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Fri, 02 Apr 2021 13:49:10 +0000
Subject: [gnutls-devel] GnuTLS | Read Certificate Transparency (RFC 6962) SCT extension (!1367)
In-Reply-To:
References:
Message-ID:

Ander Juaristi commented on a discussion on lib/x509/x509_ext.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1367#note_543897301

> + > +int gnutls_x509_ct_sct_get_version(gnutls_x509_ct_scts_t scts, unsigned idx, > + unsigned int *version_out) > +{ > + int version; > + > + if (idx >= scts->size) > + return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; > + > + /* > + * Currently, only version 1 SCTs are defined (RFC 6962). > + * A version 1 SCT has actually the value 0 in the 'version' field. > + */ > + version = scts->scts[idx].version; > + if (version != 0 || version_out == NULL) > + return -1;

@dueno I've looked at them but I don't know which one would be the most appropriate? Any suggestions?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1367#note_543897301
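
Review bot: `if (version != 0 || version_out == NULL) return -1;` folds an unsupported SCT version and a NULL output pointer into one bare -1, while the index check a few lines above returns a named GNUTLS_E_ code. Split the two conditions, test version_out at the top of the function before scts is dereferenced, and give each case its own named error so a caller can tell its own mistake from an SCT version the library does not know.
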

From gnutls-devel at lists.gnutls.org Fri Apr 2 15:49:27 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Fri, 02 Apr 2021 13:49:27 +0000
Subject: [gnutls-devel] GnuTLS | Read Certificate Transparency (RFC 6962) SCT extension (!1367)
In-Reply-To:
References:
Message-ID:

Ander Juaristi commented on a discussion on lib/x509/x509_ext.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1367#note_543897465

> + > +int gnutls_x509_ct_sct_v1_get(const gnutls_x509_ct_scts_t scts, unsigned idx, > + time_t *timestamp, > + gnutls_datum_t *logid, > + gnutls_sign_algorithm_t *sigalg, > + gnutls_datum_t *signature) > +{ > + int retval = 0; > + struct ct_sct_st *sct; > + > + if (idx >= scts->size) > + return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; > + > + sct = &scts->scts[idx]; > + if (sct->version != 0) > + return -1;

Same here. Any suggestions?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1367#note_543897465

From gnutls-devel at lists.gnutls.org Fri Apr 2 16:09:12 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Fri, 02 Apr 2021 14:09:12 +0000
Subject: [gnutls-devel] GnuTLS | nettle: port upstream hardening of EC point multiplication [3.6.x] (!1407)
References:
Message-ID:

Daiki Ueno created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1407

Project:Branches: dueno/gnutls:wip/dueno/ecdsa-verify-3.6.x to gnutls/gnutls:gnutls_3_6_x
Author: Daiki Ueno

Some internal functions used in point multiplications are known to misbehave if the scalar is out-of-range. This performs canonical reduction on scalars, before point multiplication.

This ports the fixes from Nettle upstream to the bundled EC code.
See the Nettle 3.7.2 release announcement for details: https://lists.lysator.liu.se/pipermail/nettle-bugs/2021/009458.html

## Checklist
* [x] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [ ] Code modified for feature
* [ ] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
* [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:
* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1407

From gnutls-devel at lists.gnutls.org Fri Apr 2 16:16:03 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Fri, 02 Apr 2021 14:16:03 +0000
Subject: [gnutls-devel] GnuTLS | key_share, pre_shared_key: avoid use-after-free around realloc [3.6.x] (!1408)
References:
Message-ID:

Daiki Ueno created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1408

Project:Branches: dueno/gnutls:wip/dueno/realloc-3.6.x to gnutls/gnutls:gnutls_3_6_x
Author: Daiki Ueno

This backports the fixes from !1399 and !1401.

## Checklist
* [x] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [ ] Code modified for feature
* [ ] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
* [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:
* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1408

From gnutls-devel at lists.gnutls.org Fri Apr 2 16:20:54 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Fri, 02 Apr 2021 14:20:54 +0000
Subject: [gnutls-devel] GnuTLS | testpkcs11: use datefudge to trick certificate expiry [3.6.x] (!1409)
References:
Message-ID:

Daiki Ueno created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1409

Project:Branches: dueno/gnutls:wip/dueno/test-fixes-3.6 to gnutls/gnutls:gnutls_3_6_x
Author: Daiki Ueno

This backports the test fixes from !1371.

## Checklist
* [x] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [ ] Code modified for feature
* [ ] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
* [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:
* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1409

From gnutls-devel at lists.gnutls.org Fri Apr 2 16:28:07 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Fri, 02 Apr 2021 14:28:07 +0000
Subject: [gnutls-devel] GnuTLS | SECURITY: use-after-free in PSK binder calculation (#1151)
In-Reply-To:
References:
Message-ID:

Daiki Ueno commented on a discussion: https://gitlab.com/gnutls/gnutls/-/issues/1151#note_543939368

OK, I'm going to release 3.6.16 with those fixes along with the bundled Nettle code update (!1407, !1408, and !1409). Could you take a look?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1151#note_543939368

From gnutls-devel at lists.gnutls.org Sun Apr 4 06:59:01 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sun, 04 Apr 2021 04:59:01 +0000
Subject: [gnutls-devel] GnuTLS | testpkcs11: use datefudge to trick certificate expiry [3.6.x] (!1409)
In-Reply-To:
References:
Message-ID:

Merge request !1409 was merged

Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1409
Project:Branches: dueno/gnutls:wip/dueno/test-fixes-3.6 to gnutls/gnutls:gnutls_3_6_x
Author: Daiki Ueno
Assignees:
Reviewers:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1409

From gnutls-devel at lists.gnutls.org Sun Apr 4 07:19:01 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sun, 04 Apr 2021 05:19:01 +0000
Subject: [gnutls-devel] GnuTLS | SECURITY: use-after-free in PSK binder calculation (#1151)
In-Reply-To:
References:
Message-ID:

Andreas Metzler commented on a discussion: https://gitlab.com/gnutls/gnutls/-/issues/1151#note_544436783

I had started looking, and had stumbled over 02efad8b7612e4c5fc8dc180c00d3baff567a15d adding patch in the wrong location, but you have already fixed that in 7f33b401 since. Was still wondering why parallel builds continued to fail for me.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1151#note_544436783

From gnutls-devel at lists.gnutls.org Sun Apr 4 11:04:32 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sun, 04 Apr 2021 09:04:32 +0000
Subject: [gnutls-devel] GnuTLS | Read Certificate Transparency (RFC 6962) SCT extension (!1367)
In-Reply-To:
References:
Message-ID:

Ander Juaristi commented on a discussion on lib/x509/x509_ext.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1367#note_544455288

> + _gnutls_x509_decode_string(ASN1_ETYPE_OCTET_STRING, > + ext->data, ext->size, &scts_content, > + 0); > + if (retval < 0) > + return gnutls_assert_val(retval); > + > + length = _gnutls_read_uint16(scts_content.data); > + if (length < 4) { > + gnutls_free(scts_content.data); > + return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; > + } > + > + ptr = &scts_content.data[2]; > + while (length > 0) { > + sct_length = _gnutls_read_uint16(ptr); > + if (sct_length == 0 || sct_length > length)

AFAIK `sct_length == 0` doesn't indicate end of data. You know you've reached EOD when you've read all the bytes that the length field said there are.

While you're reading the SCTs, each SCT has its own length field, which is what we're reading here. And all of these should be greater than zero. AFAIK it is an error to have a zero length SCT.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1367#note_544455288
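
Review bot: `length = _gnutls_read_uint16(scts_content.data)` runs before anything in the visible lines checks that scts_content.size is at least 2, and `length` is never compared with scts_content.size - 2, so the `while (length > 0)` walk is bounded by a field read from the certificate rather than by the decoded buffer. Reject the extension unless length equals scts_content.size - 2, and inside the loop require `length >= 2` before `_gnutls_read_uint16(ptr)` reads the next per-SCT prefix.
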
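
The list walk described in the comment above, as an added example that is not code from the merge request or from GnuTLS: it splits an RFC 6962 SignedCertificateTimestampList (already unwrapped from its OCTET STRING), stops when the declared byte count has been consumed, and treats a zero-length SCT as an error. The function names, error codes and sample bytes are made up for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical error codes for this example; they are not GnuTLS constants. */
enum {
	SCT_OK = 0,
	SCT_E_TRUNCATED = -1,  /* a length field claims more bytes than exist */
	SCT_E_TRAILING = -2,   /* bytes left over after the declared list */
	SCT_E_EMPTY_ITEM = -3, /* zero-length SerializedSCT */
	SCT_E_EMPTY_LIST = -4, /* list that declares no bytes at all */
	SCT_E_TOO_MANY = -5    /* more items than the caller's array holds */
};

struct sct_view {
	const uint8_t *data; /* points into the caller's buffer, no copy */
	size_t len;
};

static size_t read_u16(const uint8_t *p)
{
	return ((size_t)p[0] << 8) | p[1];
}

/* Split buf into its SerializedSCT items. Every length field is checked
 * against the bytes really present before it is used to advance ptr. */
int sct_list_split(const uint8_t *buf, size_t buf_len,
		   struct sct_view *out, size_t out_cap, size_t *count)
{
	const uint8_t *ptr;
	size_t remaining, n = 0;

	*count = 0;
	if (buf_len < 2)
		return SCT_E_TRUNCATED;
	remaining = read_u16(buf);
	if (remaining > buf_len - 2)
		return SCT_E_TRUNCATED;
	if (remaining < buf_len - 2)
		return SCT_E_TRAILING;
	if (remaining == 0)
		return SCT_E_EMPTY_LIST;

	ptr = buf + 2;
	/* End of data is "all declared bytes consumed", never a zero length. */
	while (remaining > 0) {
		size_t item_len;

		if (remaining < 2) /* no room for the next length prefix */
			return SCT_E_TRUNCATED;
		item_len = read_u16(ptr);
		ptr += 2;
		remaining -= 2;
		if (item_len == 0)
			return SCT_E_EMPTY_ITEM;
		if (item_len > remaining)
			return SCT_E_TRUNCATED;
		if (n == out_cap)
			return SCT_E_TOO_MANY;
		out[n].data = ptr;
		out[n].len = item_len;
		n++;
		ptr += item_len;
		remaining -= item_len;
	}
	*count = n;
	return SCT_OK;
}

/* Convenience wrapper: number of SCTs, or a negative error code. */
int sct_list_count(const uint8_t *buf, size_t buf_len)
{
	struct sct_view views[8];
	size_t n;
	int rc = sct_list_split(buf, buf_len, views, 8, &n);

	return rc < 0 ? rc : (int)n;
}

/* Constructed sample inputs. The item bodies are placeholders whose first
 * byte is 0x00, the value a version 1 SCT carries in its version field. */
static const uint8_t SAMPLE_OK[] = { 0x00, 0x09, 0x00, 0x03, 0x00, 0xAA, 0xBB,
				     0x00, 0x02, 0x00, 0xCC };
static const uint8_t SAMPLE_ZERO_ITEM[] = { 0x00, 0x06, 0x00, 0x02, 0x00, 0xAA,
					    0x00, 0x00 };
static const uint8_t SAMPLE_OVERRUN[] = { 0x00, 0x04, 0x00, 0x05, 0x00, 0xAA };
static const uint8_t SAMPLE_SHORT_OUTER[] = { 0x00, 0x10, 0x00, 0x01, 0x00 };
static const uint8_t SAMPLE_TRAILING[] = { 0x00, 0x03, 0x00, 0x01, 0x00, 0xFF };

int main(void)
{
	printf("ok=%d zero_item=%d overrun=%d short_outer=%d trailing=%d\n",
	       sct_list_count(SAMPLE_OK, sizeof SAMPLE_OK),
	       sct_list_count(SAMPLE_ZERO_ITEM, sizeof SAMPLE_ZERO_ITEM),
	       sct_list_count(SAMPLE_OVERRUN, sizeof SAMPLE_OVERRUN),
	       sct_list_count(SAMPLE_SHORT_OUTER, sizeof SAMPLE_SHORT_OUTER),
	       sct_list_count(SAMPLE_TRAILING, sizeof SAMPLE_TRAILING));
	return 0;
}
```
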

From gnutls-devel at lists.gnutls.org Sun Apr 4 11:11:24 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sun, 04 Apr 2021 09:11:24 +0000
Subject: [gnutls-devel] GnuTLS | key_share, pre_shared_key: avoid use-after-free around realloc [3.6.x] (!1408)
In-Reply-To:
References:
Message-ID:

Merge Request !1408 was approved by Andreas Metzler

Merge Request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1408
Project:Branches: dueno/gnutls:wip/dueno/realloc-3.6.x to gnutls/gnutls:gnutls_3_6_x
Author: Daiki Ueno
Assignees:
Reviewers:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1408

From gnutls-devel at lists.gnutls.org Sun Apr 4 11:22:26 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sun, 04 Apr 2021 09:22:26 +0000
Subject: [gnutls-devel] GnuTLS | key_share, pre_shared_key: avoid use-after-free around realloc [3.6.x] (!1408)
In-Reply-To:
References:
Message-ID:

Daiki Ueno commented:

Thanks for checking!

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1408#note_544457607

From gnutls-devel at lists.gnutls.org Sun Apr 4 11:22:14 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sun, 04 Apr 2021 09:22:14 +0000
Subject: [gnutls-devel] GnuTLS | key_share, pre_shared_key: avoid use-after-free around realloc [3.6.x] (!1408)
In-Reply-To:
References:
Message-ID:

Merge request !1408 was scheduled to merge after pipeline succeeds by Daiki Ueno

Merge request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1408
Project:Branches: dueno/gnutls:wip/dueno/realloc-3.6.x to gnutls/gnutls:gnutls_3_6_x
Author: Daiki Ueno
Assignees:
Reviewers:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1408

From gnutls-devel at lists.gnutls.org Sun Apr 4 11:40:37 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sun, 04 Apr 2021 09:40:37 +0000
Subject: [gnutls-devel] GnuTLS | key_share, pre_shared_key: avoid use-after-free around realloc [3.6.x] (!1408)
In-Reply-To:
References:
Message-ID:

Merge request !1408 was merged

Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1408
Project:Branches: dueno/gnutls:wip/dueno/realloc-3.6.x to gnutls/gnutls:gnutls_3_6_x
Author: Daiki Ueno
Assignees:
Reviewers:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1408

From gnutls-devel at lists.gnutls.org Sun Apr 4 18:32:12 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sun, 04 Apr 2021 16:32:12 +0000
Subject: [gnutls-devel] GnuTLS | nettle: port upstream hardening of EC point multiplication [3.6.x] (!1407)
In-Reply-To:
References:
Message-ID:

Andreas Metzler commented:

Hello Daiki,

nettle upstream applied this fix quite a bit more broadly than this patch does, e.g. to eddsa-verify.c which is also present in GnuTLS. Is the respective code dead in gnutls?

Might be less error prone to add a private helper function ("named like _nettle_backported_ecc_mod_mul_canonical") doing what upstream's ecc_mod_mul_canonical() does.

cu Andreas

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1407#note_544524763

From gnutls-devel at lists.gnutls.org Sun Apr 4 18:45:56 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sun, 04 Apr 2021 16:45:56 +0000
Subject: [gnutls-devel] GnuTLS | nettle: port upstream hardening of EC point multiplication [3.6.x] (!1407)
In-Reply-To:
References:
Message-ID:

Daiki Ueno commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/1407#note_544526472

> nettle upstream applied this fix quite a bit more broadly than this patch does, e.g. to eddsa-verify.c which is also present in GnuTLS. Is the respective code dead in gnutls?

I think you mean this change: https://git.lysator.liu.se/nettle/nettle/-/commit/5b7608fde3a6d2ab82bffb35db1e4e330927c906 which I thought of as a cleanup rather than a fix (i.e., the code behavior is identical).

> Might be less error prone to add a private helper function ("named like _nettle_backported_ecc_mod_mul_canonical") doing what upstream's ecc_mod_mul_canonical() does.

Maybe, but the convention of EC functions seems to have changed since the last nettle import in gnutls (based on nettle 3.6rc3): e.g., `ecc_mod_mul` takes scratch area now in the master. Therefore, I tried to rather minimize the amount of change.

@nielsmoller any suggestions? I also have backports for nettle 3.4.1 and 2.7.1 (for RHEL and CentOS).

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1407#note_544526472

From gnutls-devel at lists.gnutls.org Sun Apr 4 19:15:17 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sun, 04 Apr 2021 17:15:17 +0000
Subject: [gnutls-devel] GnuTLS | nettle: port upstream hardening of EC point multiplication [3.6.x] (!1407)
In-Reply-To:
References:
Message-ID:

Niels Möller commented:

I don't have the full context. Regarding https://git.lysator.liu.se/nettle/nettle/-/commit/5b7608fde3a6d2ab82bffb35db1e4e330927c906, that is indeed a cleanup. The bug fix changes are those that replace ecc_mod_mul, without any additional reduction logic, with calls to ecc_mod_mul_canonical.

I don't see the fix to ecc_ecdsa_verify backported in this mr (https://git.lysator.liu.se/nettle/nettle/-/commit/2397757b3f95fcae1e2d3011bf99ca5b5438378f), that seems quite important?

For backports, I know that the GNU guix project is interested in a backport to nettle-3.5, see https://debbugs.gnu.org/cgi/bugreport.cgi?bug=47222

It might make sense to add a helper similar to the ecc_mod_mul_canonical in nettle-3.7.2, but as you have noticed, it can't be identical due to the changed conventions for ecc_mod_mul and the underlying mod functions. But I think it should be fairly straightforward to write a variant with an interface compatible with ecc_mod_mul in older versions.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1407#note_544529364

From gnutls-devel at lists.gnutls.org Sun Apr 4 20:11:22 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sun, 04 Apr 2021 18:11:22 +0000
Subject: [gnutls-devel] GnuTLS | nettle: port upstream hardening of EC point multiplication [3.6.x] (!1407)
In-Reply-To:
References:
Message-ID:

Daiki Ueno commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/1407#note_544537526

Thank you for the prompt response.

> I don't see the fix to ecc_ecdsa_verify backported in this mr (https://git.lysator.liu.se/nettle/nettle/-/commit/2397757b3f95fcae1e2d3011bf99ca5b5438378f), that seems quite important?

We only import any missing functionalities in the minimum supported version of nettle, which in this case are only Ed448 and GOSTDSA: https://gitlab.com/gnutls/gnutls/-/blob/gnutls_3_6_x/devel/import-ecc-from-nettle.sh

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1407#note_544537526

From gnutls-devel at lists.gnutls.org Tue Apr 6 17:30:44 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Tue, 06 Apr 2021 15:30:44 +0000
Subject: [gnutls-devel] GnuTLS | Segfaults when connecting via HTTP3 (#1198)
In-Reply-To:
References:
Message-ID:

Issue was closed by David Hu

Issue #1198: https://gitlab.com/gnutls/gnutls/-/issues/1198

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1198

From gnutls-devel at lists.gnutls.org Tue Apr 6 17:31:19 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Tue, 06 Apr 2021 15:31:19 +0000
Subject: [gnutls-devel] GnuTLS | Segfaults when connecting via HTTP3 (#1198)
In-Reply-To:
References:
Message-ID:

David Hu commented:

Closing because it is a `curl` issue which is not relevant to GnuTLS

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1198#note_545868287

From gnutls-devel at lists.gnutls.org Tue Apr 6 18:16:13 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Tue, 06 Apr 2021 16:16:13 +0000
Subject: [gnutls-devel] GnuTLS | Segfaults when connecting via HTTP3 (#1198)
In-Reply-To:
References:
Message-ID:

Daiki Ueno commented on a discussion: https://gitlab.com/gnutls/gnutls/-/issues/1198#note_545905707

Apologies for the delay. Glad to hear it has been fixed.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1198#note_545905707

From gnutls-devel at lists.gnutls.org Wed Apr 7 09:52:31 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Wed, 07 Apr 2021 07:52:31 +0000
Subject: [gnutls-devel] GnuTLS | WIP: Add Linux kernel AF_ALG backend (!1404)
In-Reply-To:
References:
Message-ID:

František Krenželok commented on a discussion on lib/accelerated/afalg.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1404#note_546345190

> void *dst, size_t dst_size) > { > struct kcapi_ctx *ctx = _ctx; > + struct iovec iov; > + > + iov.iov_base = (void *)src; > + iov.iov_len = src_size; > + > + > + if(kcapi_aead_stream_update(ctx->handle, &iov, 1) < 0) {

You are right, I have made the mistake with using the `aead` instead of `cipher` here. Regarding `..update_last()` would it be sufficient to check the size of the message and call it only when it differs from the block size as GnuTLS doesn't indicate last message (as of my knowledge)

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1404#note_546345190

From gnutls-devel at lists.gnutls.org Wed Apr 7 10:10:30 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Wed, 07 Apr 2021 08:10:30 +0000
Subject: [gnutls-devel] GnuTLS | WIP: Add Linux kernel AF_ALG backend (!1404)
In-Reply-To:
References:
Message-ID:

František Krenželok commented on a discussion on lib/accelerated/afalg.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1404#note_546363702

> return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); > > memcpy(ctx->iv, iv, iv_size); > + if(!ctx->encdec){

Actually it is 0 for encryption and 1 for decryption so the inverse logic should be alright.
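
Review bot: at `if(!ctx->encdec){` nothing in the visible lines says what a zero value means, and the two replies on this discussion read the flag in opposite directions. Compare against a named constant, or put a one-line comment stating the polarity next to the test, so the branch taken after the IV memcpy cannot silently end up attached to the wrong direction.
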
--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1404#note_546363702

From gnutls-devel at lists.gnutls.org Tue Apr 13 12:21:44 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Tue, 13 Apr 2021 10:21:44 +0000
Subject: [gnutls-devel] GnuTLS | SHA-1 root CA is rejected when %PROFILE_MEDIUM is set (#1202)
References:
Message-ID:

Jacek created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1202

## Description of problem:

When trusted root CA is self-signed using SHA-1 algorithms (some roots that are still valid and issue certs do), certificate verification will always fail when `%PROFILE_MEDIUM` is specified. Certificates included in trust store should be trusted implicitly. SHA-1 vulnerabilities have no effect on security of such certs. Either trusted CAs should be excluded from MEDIUM profile checks or flag that could be chained with PROFILE_MEDIUM, similar to `%VERIFY_ALLOW_SIGN_WITH_SHA1` but for root/trusted CAs only, should be introduced.

Also see: https://bugs.launchpad.net/ubuntu/+source/gnutls28/+bug/1875920

## Version of gnutls used:

RHEL 8/CentOS 8 - 3.6.14
Debian bullseye - 3.7.1

## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)

RHEL 8 / CentOS 8 / Debian bullseye (testing)

## How reproducible:

Always.

## Steps to Reproduce:

* `docker exec -i -t --rm debian:bullseye`
* `apt update`
* `apt install ca-certificates gnutls-bin`
* `gnutls-cli --priority='PFS:%PROFILE_MEDIUM' --starttls-proto smtp --port 25 smtp.yandex.ru -d 2`

## Actual results:

(Notice that all certificates sent by server are `signed using RSA-SHA256`)

```
- Certificate type: X.509
- Got a certificate list of 3 certificates.
- Certificate[0] info:
 - subject `CN=smtp.yandex.ru,O=Yandex LLC,OU=ITO,L=Moscow,C=RU', issuer `CN=Yandex CA,OU=Yandex Certification Authority,O=Yandex LLC,C=RU', serial 0x1091dc2c81285a6ac43099d9807911f2, RSA key 2048 bits, signed using RSA-SHA256, activated `2021-03-10 13:11:13 UTC', expires `2021-09-08 13:11:13 UTC', pin-sha256="A11cXe/nKnLc57yB8f0qD6x5CXarK4dzIStUDKIA9K8="
	Public Key ID:
		sha1:cf865545c989534f54118f6b8498495d424f79fb
		sha256:035d5c5defe72a72dce7bc81f1fd2a0fac790976ab2b8773212b540ca200f4af
	Public Key PIN:
		pin-sha256:A11cXe/nKnLc57yB8f0qD6x5CXarK4dzIStUDKIA9K8=
- Certificate[1] info:
 - subject `CN=Yandex CA,OU=Yandex Certification Authority,O=Yandex LLC,C=RU', issuer `CN=Certum Trusted Network CA,OU=Certum Certification Authority,O=Unizeto Technologies S.A.,C=PL', serial 0x00e40547830e0c6452976f7a3549c0dd48, RSA key 2048 bits, signed using RSA-SHA256, activated `2015-01-21 12:00:00 UTC', expires `2025-01-18 12:00:00 UTC', pin-sha256="LNFe+yc4/NZbJVynpxAeAd+brU3EPwGbtwF6VeUjI/Y="
- Certificate[2] info:
 - subject `CN=Certum Trusted Network CA,OU=Certum Certification Authority,O=Unizeto Technologies S.A.,C=PL', issuer `CN=Certum CA,O=Unizeto Sp. z o.o.,C=PL', serial 0x00939285400165715f947f288fefc99b28, RSA key 2048 bits, signed using RSA-SHA256, activated `2008-10-22 12:07:37 UTC', expires `2027-06-10 10:46:39 UTC', pin-sha256="qiYwp7YXsE0KKUureoyqpQFubb5gSDeoOoVxn6tmfrU="
|<2>| issuer in verification was not found or insecure; trying against trust list
|<2>| GNUTLS_SEC_PARAM_MEDIUM: certificate's signature hash strength is unacceptable (is 80 bits, needed 112)
- Status: The certificate is NOT trusted. The certificate chain uses insecure algorithm.
*** PKI verification of server certificate failed...
*** Fatal error: Error in the certificate.
```

## Expected results:

```
- Status: The certificate is trusted.
- Description: (...)
- Session ID: (...)
- Options:
- Handshake was completed
- Simple Client Mode:
```

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1202

From gnutls-devel at lists.gnutls.org Tue Apr 13 14:39:26 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Tue, 13 Apr 2021 12:39:26 +0000
Subject: [gnutls-devel] GnuTLS | afalg: consider implementing all methods required for IOV based AEAD encryption/decryption (#1203)
References:
Message-ID:

Daiki Ueno created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1203

This is a follow-up of !1404 once it has landed.

`afalg_aead_struct` currently only implements the minimal set of API functions. It may be possible to speed up the IOV based functions such as `gnutls_aead_cipher_encryptv2` if it implements missing functions, e.g., `.tag`, `.auth`, `.encrypt`, `.decrypt`, etc.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1203

From gnutls-devel at lists.gnutls.org Tue Apr 13 14:44:31 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Tue, 13 Apr 2021 12:44:31 +0000
Subject: [gnutls-devel] GnuTLS | Add a general purpose cipher benchmarking tool (#1204)
References:
Message-ID:

Daiki Ueno created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1204

While `gnutls-cli` already provides a couple of options for benchmarking, the supported cipher algorithms are hard coded and not all algorithms are supported.
It would be nice if we have a simple benchmarking tool similar to OpenSSL's speedo command, that takes an arbitrary algorithm with different parameters.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1204

From gnutls-devel at lists.gnutls.org Tue Apr 13 15:22:24 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Tue, 13 Apr 2021 13:22:24 +0000
Subject: [gnutls-devel] GnuTLS | SHA-1 root CA is rejected when %PROFILE_MEDIUM is set (#1202)
In-Reply-To:
References:
Message-ID:

Daiki Ueno commented:

I agree that special-casing root CAs is one option. Another possibility might be to make `%PROFILE_MEDIUM:%VERIFY_ALLOW_SIGN_WITH_SHA1` tolerate SHA-1 signatures in certs (it currently rejects them, which is counterintuitive).

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1202#note_550625464

From gnutls-devel at lists.gnutls.org Tue Apr 13 15:25:15 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Tue, 13 Apr 2021 13:25:15 +0000
Subject: [gnutls-devel] GnuTLS | SHA-1 root CA is rejected when %PROFILE_MEDIUM is set (#1202)
In-Reply-To:
References:
Message-ID:

Jacek commented:

> to make `%PROFILE_MEDIUM:%VERIFY_ALLOW_SIGN_WITH_SHA1` tolerate SHA-1 signatures in certs

That will be a security issue due to weaknesses in SHA-1. Some switch for self-signed/trusted/root certs only should be present, so that appropriate security levels might be maintained.
--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1202#note_550628575

From gnutls-devel at lists.gnutls.org Tue Apr 13 15:37:24 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Tue, 13 Apr 2021 13:37:24 +0000
Subject: [gnutls-devel] GnuTLS | Add Linux kernel AF_ALG backend (!1404)
In-Reply-To:
References:
Message-ID:

František Krenželok changed the draft status of merge request !1404

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1404

From gnutls-devel at lists.gnutls.org Wed Apr 14 05:46:47 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Wed, 14 Apr 2021 03:46:47 +0000
Subject: [gnutls-devel] GnuTLS | SECURITY: use-after-free in PSK binder calculation (#1151)
In-Reply-To:
References:
Message-ID:

jainshashank24 commented:

Hi, We are getting the above vulnerability while building spark docker. As mentioned, this vulnerability is fixed with 3.7.1 version, but is it available for debian10 version? When I am doing apt-get install libgnutls30 it is not bringing the 3.7.1 version of GnuTLS. Can someone help how to fix this issue and install 3.7.1 version of library GnuTLS? Help would really be appreciated.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1151#note_551117198
From gnutls-devel at lists.gnutls.org Wed Apr 14 09:29:19 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Wed, 14 Apr 2021 07:29:19 +0000
Subject: [gnutls-devel] GnuTLS | Add Linux kernel AF_ALG backend (!1404)
In-Reply-To:
References:
Message-ID:

Stephan Mueller commented on a discussion on lib/accelerated/afalg.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1404#note_551225612

> void *dst, size_t dst_size) > { > struct kcapi_ctx *ctx = _ctx; > + struct iovec iov; > + > + iov.iov_base = (void *)src; > + iov.iov_len = src_size; > + > + > + if(kcapi_aead_stream_update(ctx->handle, &iov, 1) < 0) {

Considering that we only use CBC, _last() should not be needed. But I recommend to add a big fat warning into the code that the _last call is to be added as soon as we have a stream cipher.

That said, it is equally possible to call _last() without any data. But this implies another kernel round trip that adds more time to the processing.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1404#note_551225612

From gnutls-devel at lists.gnutls.org Wed Apr 14 09:34:19 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Wed, 14 Apr 2021 07:34:19 +0000
Subject: [gnutls-devel] GnuTLS | Add Linux kernel AF_ALG backend (!1404)
In-Reply-To:
References:
Message-ID:

Stephan Mueller started a new discussion on lib/accelerated/afalg.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1404#note_551230818

> int ret = 0; > struct kcapi_aead_ctx *ctx = _ctx; > struct iovec iov[3];

Just a nit: if I read the code right, we have only 2 IOVECs?
--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1404#note_551230818

From gnutls-devel at lists.gnutls.org Wed Apr 14 09:36:43 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Wed, 14 Apr 2021 07:36:43 +0000
Subject: [gnutls-devel] GnuTLS | Add Linux kernel AF_ALG backend (!1404)
In-Reply-To:
References:
Message-ID:

Stephan Mueller started a new discussion on lib/accelerated/afalg.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1404#note_551233156

> - iov[1].iov_base = plain; > - iov[1].iov_len = plain_size; > + iov[0].iov_base = (void *)plain; > + iov[0].iov_len = (plain_size > outbuflen) ? outbuflen : plain_size; > > - /* Older kernels require tag space for output. */ > - if ((auth_size + plain_size) < > - kcapi_aead_outbuflen_dec(ctx->handle, plain_size, auth_size, > - tag_size)) { > - iov[2].iov_base = tagtmp; > - iov[2].iov_len = tag_size; > - iovlen = 3; > - } > - > - if (kcapi_aead_stream_op(ctx->handle, iov, iovlen) < 0){ > + if (kcapi_aead_stream_op(ctx->handle, iov, 1) < 0){

hm, the tagtmp is not used any more - do you not want to return the tag?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1404#note_551233156
From gnutls-devel at lists.gnutls.org Wed Apr 14 09:40:00 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Wed, 14 Apr 2021 07:40:00 +0000
Subject: [gnutls-devel] GnuTLS | Add Linux kernel AF_ALG backend (!1404)
In-Reply-To:
References:
Message-ID:

Stephan Mueller commented on a discussion on lib/accelerated/afalg.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1404#note_551236000

> - iov[1].iov_base = plain; > - iov[1].iov_len = plain_size; > + iov[0].iov_base = (void *)plain; > + iov[0].iov_len = (plain_size > outbuflen) ? outbuflen : plain_size; > > - /* Older kernels require tag space for output. */ > - if ((auth_size + plain_size) < > - kcapi_aead_outbuflen_dec(ctx->handle, plain_size, auth_size, > - tag_size)) { > - iov[2].iov_base = tagtmp; > - iov[2].iov_len = tag_size; > - iovlen = 3; > - } > - > - if (kcapi_aead_stream_op(ctx->handle, iov, iovlen) < 0){ > + if (kcapi_aead_stream_op(ctx->handle, iov, 1) < 0){

The more I think about it, the more I am unsure why the old code was removed. The kernel returns AAD || CT || Tag as a data buffer. See crypto/algif_aead.c:

/*
 * Copy of AAD from source to destination
 *
 * The AAD is copied to the destination buffer without change. Even
 * when user space uses an in-place cipher operation, the kernel
 * will copy the data as it does not see whether such in-place operation
 * is initiated.
 *
 * To ensure efficiency, the following implementation ensure that the
 * ciphers are invoked to perform a crypto operation in-place. This
 * is achieved by memory management specified as follows.
 */

/*
 * Decryption operation - To achieve an in-place cipher
 * operation, the following SGL structure is used:
 *
 * TX SGL: AAD || CT || Tag
 *         |      |      ^
 *         | copy |      | Create SGL link.
 *         v      v      |
 * RX SGL: AAD || CT ----+
 */

Note, the result of the RX SGL is then returned into the IOVECs provided by the caller.
--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1404#note_551236000

From gnutls-devel at lists.gnutls.org Wed Apr 14 09:40:55 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Wed, 14 Apr 2021 07:40:55 +0000
Subject: [gnutls-devel] GnuTLS | Add Linux kernel AF_ALG backend (!1404)
In-Reply-To:
References:
Message-ID:

Stephan Mueller commented on a discussion on lib/accelerated/afalg.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1404#note_551236740

> - iov[1].iov_base = plain; > - iov[1].iov_len = plain_size; > + iov[0].iov_base = (void *)plain; > + iov[0].iov_len = (plain_size > outbuflen) ? outbuflen : plain_size; > > - /* Older kernels require tag space for output. */ > - if ((auth_size + plain_size) < > - kcapi_aead_outbuflen_dec(ctx->handle, plain_size, auth_size, > - tag_size)) { > - iov[2].iov_base = tagtmp; > - iov[2].iov_len = tag_size; > - iovlen = 3; > - } > - > - if (kcapi_aead_stream_op(ctx->handle, iov, iovlen) < 0){ > + if (kcapi_aead_stream_op(ctx->handle, iov, 1) < 0){

Sorry, it seems I forgot to add markdown markers:

```
/*
 * Copy of AAD from source to destination
 *
 * The AAD is copied to the destination buffer without change. Even
 * when user space uses an in-place cipher operation, the kernel
 * will copy the data as it does not see whether such in-place operation
 * is initiated.
 *
 * To ensure efficiency, the following implementation ensure that the
 * ciphers are invoked to perform a crypto operation in-place. This
 * is achieved by memory management specified as follows.
 */

/*
 * Decryption operation - To achieve an in-place cipher
 * operation, the following SGL structure is used:
 *
 * TX SGL: AAD || CT || Tag
 *         |      |      ^
 *         | copy |      | Create SGL link.
 *         v      v      |
 * RX SGL: AAD || CT ----+
 */
```

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1404#note_551236740

From gnutls-devel at lists.gnutls.org Wed Apr 14 09:47:14 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Wed, 14 Apr 2021 07:47:14 +0000
Subject: [gnutls-devel] GnuTLS | Add Linux kernel AF_ALG backend (!1404)
In-Reply-To:
References:
Message-ID:

Stephan Mueller commented on a discussion on lib/accelerated/afalg.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1404#note_551241704

> - iov[1].iov_base = plain; > - iov[1].iov_len = plain_size; > + iov[0].iov_base = (void *)plain; > + iov[0].iov_len = (plain_size > outbuflen) ? outbuflen : plain_size; > > - /* Older kernels require tag space for output. */ > - if ((auth_size + plain_size) < > - kcapi_aead_outbuflen_dec(ctx->handle, plain_size, auth_size, > - tag_size)) { > - iov[2].iov_base = tagtmp; > - iov[2].iov_len = tag_size; > - iovlen = 3; > - } > - > - if (kcapi_aead_stream_op(ctx->handle, iov, iovlen) < 0){ > + if (kcapi_aead_stream_op(ctx->handle, iov, 1) < 0){

Well, as we are in decryption, the tag truly is of no concern for the output. Yes, it can be ignored. But the AAD buffer should still remain to be part of the IOVEC. I.e. iov[0] should point to the AAD buffer and iov[1] to the pt buffer.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1404#note_551241704
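Review bot: In the added line `iov[0].iov_len = (plain_size > outbuflen) ? outbuflen : plain_size;` the receive length is clamped silently, so when the caller's buffer is smaller than `outbuflen` the operation can come back short and nothing in the visible lines tells the caller. I would return an error such as `GNUTLS_E_SHORT_MEMORY_BUFFER` when `plain_size < outbuflen` instead of clamping, and add a short comment stating which lengths `outbuflen` is expected to cover.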
From gnutls-devel at lists.gnutls.org Wed Apr 14 09:48:51 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Wed, 14 Apr 2021 07:48:51 +0000
Subject: [gnutls-devel] GnuTLS | Add Linux kernel AF_ALG backend (!1404)
In-Reply-To:
References:
Message-ID:

Stephan Mueller started a new discussion on lib/accelerated/afalg.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1404#note_551242922

> + goto end; > + } > } > } > > + outbuflen = kcapi_aead_outbuflen_enc(ctx->handle, plain_size, > + auth_size, tag_size); > + inbuflen = kcapi_aead_inbuflen_enc(ctx->handle, plain_size, > + auth_size, tag_size); > + > /* > * Set AAD: IOVECs do not support const, this buffer is guaranteed to be > * read-only > */ > - iov[0].iov_base = (void *)auth; > + memcpy(authtmp, auth, auth_size);

Why do you think the memcpy is needed here? The kernel should only read the buffer

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1404#note_551242922

From gnutls-devel at lists.gnutls.org Wed Apr 14 09:58:07 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Wed, 14 Apr 2021 07:58:07 +0000
Subject: [gnutls-devel] GnuTLS | Add Linux kernel AF_ALG backend (!1404)
In-Reply-To:
References:
Message-ID:

Stephan Mueller started a new discussion on lib/accelerated/afalg.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1404#note_551250880

> goto end; > } > > - /* The kernel may set the AAD, avoid modification of auth */ > - iov[0].iov_base = authtmp; > - > /* Set CT buffer to be filled by kernel */ > - iov[1].iov_base = encr; > - iov[1].iov_len = plain_size + tag_size; > + iov[0].iov_base = encr; > + iov[0].iov_len = (encr_size > outbuflen) ? outbuflen : encr_size; > > - if (kcapi_aead_stream_op(ctx->handle, iov, 2) < 0) { > + if (kcapi_aead_stream_op(ctx->handle, iov, 1) < 0) {

See the discussion above: for encryption, the kernel returns AAD || CT || TAG. Thus I am not fully sure I understand the change here why the AAD is not considered?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1404#note_551250880

From gnutls-devel at lists.gnutls.org Wed Apr 14 16:45:29 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Wed, 14 Apr 2021 14:45:29 +0000
Subject: [gnutls-devel] GnuTLS | test-cipher-api.sh hits assertions in nettle when compiled without hardware acceleration (#1205)
References:
Message-ID:

Daiki Ueno created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1205

When configured with `--disable-hardware-acceleration`, the test shows several assertion failures inside nettle functions:

```console
trying aes128-gcm
cipher-api-test: gcm.c:328: nettle_gcm_update: Assertion `ctx->auth_size % GCM_BLOCK_SIZE == 0' failed.
cipher-api-test: gcm.c:358: nettle_gcm_encrypt: Assertion `ctx->data_size % GCM_BLOCK_SIZE == 0' failed.
trying aes192-gcm
cipher-api-test: gcm.c:328: nettle_gcm_update: Assertion `ctx->auth_size % GCM_BLOCK_SIZE == 0' failed.
cipher-api-test: gcm.c:358: nettle_gcm_encrypt: Assertion `ctx->data_size % GCM_BLOCK_SIZE == 0' failed.
trying aes256-gcm
cipher-api-test: gcm.c:328: nettle_gcm_update: Assertion `ctx->auth_size % GCM_BLOCK_SIZE == 0' failed.
cipher-api-test: gcm.c:358: nettle_gcm_encrypt: Assertion `ctx->data_size % GCM_BLOCK_SIZE == 0' failed.
trying aes128-cbc
cipher-api-test: cbc.c:53: nettle_cbc_encrypt: Assertion `!(length % block_size)' failed.
trying aes192-cbc
cipher-api-test: cbc.c:53: nettle_cbc_encrypt: Assertion `!(length % block_size)' failed.
trying aes256-cbc
cipher-api-test: cbc.c:53: nettle_cbc_encrypt: Assertion `!(length % block_size)' failed.
trying 3des-cbc
cipher-api-test: cbc.c:53: nettle_cbc_encrypt: Assertion `!(length % block_size)' failed.
trying camellia128-gcm
cipher-api-test: gcm.c:328: nettle_gcm_update: Assertion `ctx->auth_size % GCM_BLOCK_SIZE == 0' failed.
cipher-api-test: gcm.c:358: nettle_gcm_encrypt: Assertion `ctx->data_size % GCM_BLOCK_SIZE == 0' failed.
trying camellia256-gcm
cipher-api-test: gcm.c:328: nettle_gcm_update: Assertion `ctx->auth_size % GCM_BLOCK_SIZE == 0' failed.
cipher-api-test: gcm.c:358: nettle_gcm_encrypt: Assertion `ctx->data_size % GCM_BLOCK_SIZE == 0' failed.
trying chacha20-poly1305
cipher-api-test: chacha-poly1305.c:131: nettle_chacha_poly1305_encrypt: Assertion `ctx->data_size % CHACHA_POLY1305_BLOCK_SIZE == 0' failed.
```

The similar errors are also in #764, where the solution was to skip the test depending on the host CPU, but I suspect we should make the nettle fallback functions work.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1205
From gnutls-devel at lists.gnutls.org Thu Apr 15 09:22:41 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Thu, 15 Apr 2021 07:22:41 +0000
Subject: [gnutls-devel] GnuTLS | Add Linux kernel AF_ALG backend (!1404)
In-Reply-To:
References:
Message-ID:

František Krenželok commented on a discussion on lib/accelerated/afalg.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1404#note_552204597

> goto end; > } > > - /* The kernel may set the AAD, avoid modification of auth */ > - iov[0].iov_base = authtmp; > - > /* Set CT buffer to be filled by kernel */ > - iov[1].iov_base = encr; > - iov[1].iov_len = plain_size + tag_size; > + iov[0].iov_base = encr; > + iov[0].iov_len = (encr_size > outbuflen) ? outbuflen : encr_size; > > - if (kcapi_aead_stream_op(ctx->handle, iov, 2) < 0) { > + if (kcapi_aead_stream_op(ctx->handle, iov, 1) < 0) {

I am sorry, I was --amending the commit, so it seems you are looking at one of the older versions. The above should be alright with the current version.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1404#note_552204597
From gnutls-devel at lists.gnutls.org Thu Apr 15 09:55:48 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Thu, 15 Apr 2021 07:55:48 +0000
Subject: [gnutls-devel] GnuTLS | Add Linux kernel AF_ALG backend (!1404)
In-Reply-To:
References:
Message-ID:

Merge request https://gitlab.com/gnutls/gnutls/-/merge_requests/1404 was reviewed by Daiki Ueno

--
Daiki Ueno started a new discussion on lib/accelerated/afalg.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1404#note_552233163

> + struct kcapi_handle *handle; > + int encdec : 1; // 0-enc 1-dec > + uint8_t iv[0];

nit: afaik zero-length arrays are not super portable; can we just use `MAX_CIPHER_IV_SIZE`, and return error if the kernel returns larger IV size?

--
Daiki Ueno started a new discussion on lib/accelerated/afalg.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1404#note_552233166

> + struct kcapi_handle *handle; > + int taglen_set : 1; > + int ccm : 1;

nit: let's not use bit fields; we are not so memory-stingy.

--
Daiki Ueno started a new discussion on lib/accelerated/afalg.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1404#note_552233171

> + switch(algorithm){ > + case GNUTLS_CIPHER_AES_128_CCM: > + FALLTHROUGH;

I don't think you need this `FALLTHROUGH` line, as there are no statements between two `case`s.

--
Daiki Ueno started a new discussion on lib/accelerated/afalg.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1404#note_552233178

> + > + memcpy(ctx->iv, iv, iv_size); > + if(ctx->encdec){

nit: put a space between `if` and `(`, also `)` and `}`: https://www.kernel.org/doc/html/latest/process/coding-style.html#spaces

--
Daiki Ueno started a new discussion on lib/accelerated/afalg.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1404#note_552233183

> + iov[0].iov_len = auth_size; > + uint32_t outbuflen = kcapi_aead_outbuflen_dec(ctx->handle, > + encr_size - tag_size,

nit: indent

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1404

From gnutls-devel at lists.gnutls.org Thu Apr 15 10:59:48 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Thu, 15 Apr 2021 08:59:48 +0000
Subject: [gnutls-devel] GnuTLS | afalg: switch to using pkgconfig for libkcapi detection (#1207)
References:
Message-ID:

Daiki Ueno created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1207

This is a follow-up of !1404 once it gets merged.

Currently the build infrastructure unconditionally links to libkcapi if `--enable-afalg` is specified. It would be nice that we have a check in configure script using the [PKG_CHECK_MODULES](https://autotools.io/pkgconfig/pkg_check_modules.html) macro.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1207
From gnutls-devel at lists.gnutls.org Thu Apr 15 11:43:18 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Thu, 15 Apr 2021 09:43:18 +0000
Subject: [gnutls-devel] GnuTLS | Add Linux kernel AF_ALG backend (!1404)
In-Reply-To:
References:
Message-ID:

Stephan Mueller commented on a discussion on lib/accelerated/afalg.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1404#note_552438883

> goto end; > } > > - /* The kernel may set the AAD, avoid modification of auth */ > - iov[0].iov_base = authtmp; > - > /* Set CT buffer to be filled by kernel */ > - iov[1].iov_base = encr; > - iov[1].iov_len = plain_size + tag_size; > + iov[0].iov_base = encr; > + iov[0].iov_len = (encr_size > outbuflen) ? outbuflen : encr_size; > > - if (kcapi_aead_stream_op(ctx->handle, iov, 2) < 0) { > + if (kcapi_aead_stream_op(ctx->handle, iov, 1) < 0) {

Apologies if I am not using gitlab right :-)

But, I see that there is one IOVEC with the encryption buffer used for the _op operation. If I see that right, the encr buffer should be as large to hold the ciphertext || tag data.

What I am trying to say is that the kernel, however, returns the AAD first, followed by the ciphertext || tag. So, if I would understand it right, the encr buffer is filled with AAD concatenated with parts of the CT and potentially the tag depending on the size of the AAD.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1404#note_552438883
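The buffer layout argued in the review comments above (decryption: iov[0] for the AAD and iov[1] for the plaintext; encryption: the result starts with the AAD, then CT || Tag), as an added example that is not part of the thread or of the merge request. It does not open an AF_ALG socket: `scatter()` is a hypothetical stand-in that fills the caller's iovecs in order, the marker bytes and sizes are constructed, and the kernel's own handling of a too-small receive buffer is not modelled.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/uio.h>

#define AAD_LEN 13 /* constructed sizes, chosen only for the demo */
#define TXT_LEN 16
#define TAG_LEN 16

/* Constructed marker bytes, not real cipher output. */
enum { AAD_BYTE = 0xAA, TXT_BYTE = 0xC7, TAG_BYTE = 0x7A };

/* Result stream as described in the thread:
 * encryption -> AAD || CT || Tag, decryption -> AAD || PT. */
static size_t build_result(unsigned char *out, int encrypt)
{
    memset(out, AAD_BYTE, AAD_LEN);
    memset(out + AAD_LEN, TXT_BYTE, TXT_LEN);
    if (!encrypt)
        return AAD_LEN + TXT_LEN;
    memset(out + AAD_LEN + TXT_LEN, TAG_BYTE, TAG_LEN);
    return AAD_LEN + TXT_LEN + TAG_LEN;
}

/* Hypothetical stand-in for the receive step: the result is written into
 * the caller's iovecs in order; bytes that do not fit are not delivered. */
static size_t scatter(const unsigned char *res, size_t res_len,
                      const struct iovec *iov, int iovcnt)
{
    size_t off = 0;
    int i;

    for (i = 0; i < iovcnt && off < res_len; i++) {
        size_t n = iov[i].iov_len;

        if (n > res_len - off)
            n = res_len - off;
        memcpy(iov[i].iov_base, res + off, n);
        off += n;
    }
    return off;
}

/* Number of leading bytes of buf that equal marker. */
static size_t prefix_len(const unsigned char *buf, size_t len,
                         unsigned char marker)
{
    size_t n = 0;

    while (n < len && buf[n] == marker)
        n++;
    return n;
}

/* Encryption with one iovec that covers only the CT || Tag buffer.
 * Returns how many AAD bytes ended up at the start of that buffer and
 * stores the number of bytes actually delivered in *delivered. */
size_t enc_single_iovec(size_t *delivered)
{
    unsigned char res[AAD_LEN + TXT_LEN + TAG_LEN];
    unsigned char encr[TXT_LEN + TAG_LEN] = { 0 };
    struct iovec iov[1];
    size_t res_len = build_result(res, 1);

    iov[0].iov_base = encr;
    iov[0].iov_len = sizeof(encr);
    *delivered = scatter(res, res_len, iov, 1);
    return prefix_len(encr, sizeof(encr), AAD_BYTE);
}

/* Two iovecs: a scratch buffer for the AAD first (the role authtmp plays
 * in the quoted code), then the data buffer. Returns 1 when the data
 * buffer holds exactly the text, plus the tag when encrypting. */
int two_iovecs_ok(int encrypt)
{
    unsigned char res[AAD_LEN + TXT_LEN + TAG_LEN];
    unsigned char aad_scratch[AAD_LEN];
    unsigned char data[TXT_LEN + TAG_LEN] = { 0 };
    struct iovec iov[2];
    size_t res_len = build_result(res, encrypt);

    iov[0].iov_base = aad_scratch;
    iov[0].iov_len = AAD_LEN;
    iov[1].iov_base = data;
    iov[1].iov_len = res_len - AAD_LEN;
    if (scatter(res, res_len, iov, 2) != res_len)
        return 0;
    if (prefix_len(aad_scratch, AAD_LEN, AAD_BYTE) != AAD_LEN)
        return 0;
    if (prefix_len(data, TXT_LEN, TXT_BYTE) != TXT_LEN)
        return 0;
    return !encrypt ||
           prefix_len(data + TXT_LEN, TAG_LEN, TAG_BYTE) == TAG_LEN;
}

int main(void)
{
    size_t delivered;
    size_t aad_in_ct = enc_single_iovec(&delivered);

    printf("single iovec: %zu AAD bytes lead the CT buffer, %zu delivered\n",
           aad_in_ct, delivered);
    printf("two iovecs, encrypt: %s\n", two_iovecs_ok(1) ? "ok" : "bad");
    printf("two iovecs, decrypt: %s\n", two_iovecs_ok(0) ? "ok" : "bad");
    return 0;
}
```

With a single iovec the 13 AAD bytes displace the ciphertext and the last 13 tag bytes never arrive, which is the failure the reviewer describes.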
From gnutls-devel at lists.gnutls.org Thu Apr 15 13:05:47 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Thu, 15 Apr 2021 11:05:47 +0000
Subject: [gnutls-devel] GnuTLS | Add Linux kernel AF_ALG backend (!1404)
In-Reply-To:
References:
Message-ID:

František Krenželok commented on a discussion on lib/accelerated/afalg.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1404#note_552579977

> goto end; > } > > - /* The kernel may set the AAD, avoid modification of auth */ > - iov[0].iov_base = authtmp; > - > /* Set CT buffer to be filled by kernel */ > - iov[1].iov_base = encr; > - iov[1].iov_len = plain_size + tag_size; > + iov[0].iov_base = encr; > + iov[0].iov_len = (encr_size > outbuflen) ? outbuflen : encr_size; > > - if (kcapi_aead_stream_op(ctx->handle, iov, 2) < 0) { > + if (kcapi_aead_stream_op(ctx->handle, iov, 1) < 0) {

The commits have been squashed, now you should see the updated code. The above code was me trying to figure out what is wrong by trial and error :), it should be ok now.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1404#note_552579977

From gnutls-devel at lists.gnutls.org Thu Apr 15 13:07:22 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Thu, 15 Apr 2021 11:07:22 +0000
Subject: [gnutls-devel] GnuTLS | Add Linux kernel AF_ALG backend (!1404)
In-Reply-To:
References:
Message-ID:

František Krenželok commented on a discussion on lib/accelerated/afalg.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1404#note_552581167

> return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); > > memcpy(ctx->iv, iv, iv_size); > + if(!ctx->encdec){

You were right! I tested it wrong.
-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1404#note_552581167 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Apr 15 13:50:03 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Thu, 15 Apr 2021 11:50:03 +0000 Subject: [gnutls-devel] GnuTLS | Add Linux kernel AF_ALG backend (!1404) In-Reply-To: References: Message-ID: Stephan Mueller commented on a discussion on lib/accelerated/afalg.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1404#note_552617954 > goto end; > } > > - /* The kernel may set the AAD, avoid modification of auth */ > - iov[0].iov_base = authtmp; > - > /* Set CT buffer to be filled by kernel */ > - iov[1].iov_base = encr; > - iov[1].iov_len = plain_size + tag_size; > + iov[0].iov_base = encr; > + iov[0].iov_len = (encr_size > outbuflen) ? outbuflen : encr_size; > > - if (kcapi_aead_stream_op(ctx->handle, iov, 2) < 0) { > + if (kcapi_aead_stream_op(ctx->handle, iov, 1) < 0) { Yes, I see it in the full patch set. Thank you for being patient with me here :-) -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1404#note_552617954 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... 
From gnutls-devel at lists.gnutls.org Thu Apr 15 18:38:40 2021
Date: Thu, 15 Apr 2021 16:38:40 +0000
Subject: [gnutls-devel] GnuTLS | Add run-time option to disable TLS 1.3 middlebox compatibility mode (#1208)

Daiki Ueno created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1208

The middlebox compatibility mode is prohibited in the use with QUIC: https://tools.ietf.org/html/draft-ietf-quic-tls-34#section-8.4

Currently GnuTLS only provides a way to disable it with a compile-time option; there should be a run-time option to cover the use-case.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1208

From gnutls-devel at lists.gnutls.org Thu Apr 15 18:41:01 2021
Date: Thu, 15 Apr 2021 16:41:01 +0000
Subject: [gnutls-devel] GnuTLS | Add run-time option to disable TLS 1.3 middlebox compatibility mode (#1208)

Daiki Ueno commented:

Originally reported in: https://github.com/curl/curl/issues/6896 (thanks @tatsuhiro-t for the investigation)

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1208#note_552922020
From gnutls-devel at lists.gnutls.org Sat Apr 17 11:24:53 2021
Date: Sat, 17 Apr 2021 09:24:53 +0000
Subject: [gnutls-devel] GnuTLS | Add run-time option to disable TLS 1.3 middlebox compatibility mode (#1208)

Daniel Stenberg commented:

It could be worth noticing that without this switched off, some QUIC servers will reject connections with GnuTLS.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1208#note_554079466

From gnutls-devel at lists.gnutls.org Sat Apr 17 12:39:06 2021
Date: Sat, 17 Apr 2021 10:39:06 +0000
Subject: [gnutls-devel] GnuTLS | SECURITY: use-after-free in PSK binder calculation (#1151)

Airtower commented on a discussion: https://gitlab.com/gnutls/gnutls/-/issues/1151#note_554088191

@jainshashank24 That is an issue that you'll need to [report to Debian](https://www.debian.org/Bugs/Reporting.en.html), not here. In general however Debian stable doesn't get version upgrades, only patches to fix issues. The Debian security tracker currently [lists those issues](https://security-tracker.debian.org/tracker/source-package/gnutls28) as open and "minor" for Debian 10/Buster.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1151#note_554088191
From gnutls-devel at lists.gnutls.org Sat Apr 17 20:19:34 2021
Date: Sat, 17 Apr 2021 18:19:34 +0000
Subject: [gnutls-devel] GnuTLS | priority: add option to disable TLS 1.3 middlebox compatibility mode (!1410)

Daiki Ueno created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1410

Project:Branches: dueno/gnutls:wip/dueno/tls13-compat to gnutls/gnutls:master
Author: Daiki Ueno

Fixes: #1208

## Checklist
* [x] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [x] Code modified for feature
* [x] Test suite updated with functionality tests
* [x] Test suite updated with negative tests
* [x] Documentation updated / NEWS entry present (for non-trivial changes)
* [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:
* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1410
From gnutls-devel at lists.gnutls.org Sun Apr 18 07:16:27 2021
Date: Sun, 18 Apr 2021 05:16:27 +0000
Subject: [gnutls-devel] GnuTLS | Add run-time option to disable TLS 1.3 middlebox compatibility mode (#1208)

Issue was closed by Daiki Ueno via merge request !1410 (https://gitlab.com/gnutls/gnutls/-/merge_requests/1410)

Issue #1208: https://gitlab.com/gnutls/gnutls/-/issues/1208

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1208

From gnutls-devel at lists.gnutls.org Sun Apr 18 07:16:27 2021
Date: Sun, 18 Apr 2021 05:16:27 +0000
Subject: [gnutls-devel] GnuTLS | priority: add option to disable TLS 1.3 middlebox compatibility mode (!1410)

Merge request !1410 was merged

Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1410
Project:Branches: dueno/gnutls:wip/dueno/tls13-compat to gnutls/gnutls:master
Author: Daiki Ueno
Assignees:
Reviewers:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1410
From gnutls-devel at lists.gnutls.org Sun Apr 18 16:12:23 2021
Date: Sun, 18 Apr 2021 14:12:23 +0000
Subject: [gnutls-devel] GnuTLS | Add Linux kernel AF_ALG backend (!1404)

Daiki Ueno started a new discussion on m4/hooks.m4: https://gitlab.com/gnutls/gnutls/-/merge_requests/1404#note_554267996

> AC_DEFINE([ENABLE_CRYPTODEV], 1, [Enable cryptodev support]) > fi > > + # For AF_ALG > + AC_MSG_CHECKING([whether to add AF_ALG support]) > + AC_ARG_ENABLE(afalg, > + AS_HELP_STRING([--enable-afalg], [enable AF_ALG support]), > + enable_afalg=$enableval,enable_afalg=no) > + AC_MSG_RESULT($enable_afalg) > + > + if test "$enable_afalg" = "yes"; then > + AC_DEFINE([ENABLE_AFALG], 1, [Enable AF_ALG support]) > + fi > + AM_CONDITIONAL(ENABLE_AFALG, test "$ac_enable_afalg" != "no")

The test should be:

```sh
test "$enable_afalg" = "yes"
```

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1404#note_554267996

From gnutls-devel at lists.gnutls.org Sun Apr 18 17:32:27 2021
Date: Sun, 18 Apr 2021 15:32:27 +0000
Subject: [gnutls-devel] GnuTLS | Add Linux kernel AF_ALG backend (!1404)

Merge request !1404 was approved by Daiki Ueno

Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1404
Project:Branches: FrantisekKrenzelok/gnutls:af_alg to gnutls/gnutls:master
Author: František Krenželok
Assignees:
Reviewers:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1404
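
Review bot: In the `m4/hooks.m4` hunk quoted in the discussion above, `AM_CONDITIONAL(ENABLE_AFALG, test "$ac_enable_afalg" != "no")` tests a variable that none of the added lines set (`AC_ARG_ENABLE` assigns `enable_afalg`), so the empty string compares unequal to "no" and the Automake conditional is true even when `--enable-afalg` was not given, while `ENABLE_AFALG` is only defined for `yes`. Use `test "$enable_afalg" = "yes"` in both places so the conditional and the `AC_DEFINE` agree.
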
From gnutls-devel at lists.gnutls.org Sun Apr 18 17:37:21 2021
Date: Sun, 18 Apr 2021 15:37:21 +0000
Subject: [gnutls-devel] GnuTLS | Add Linux kernel AF_ALG backend (!1404)

Daiki Ueno commented:

I think the code is quite solid now (after the `m4/hooks.m4` change, the CI should pass). Great work @FrantisekKrenzelok and many thanks to @smuellerDD for the help!

I have filed a couple of follow-up issues (#1203 and #1207), but let's get the initial version merged first.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1404#note_554279944

From gnutls-devel at lists.gnutls.org Sun Apr 18 17:46:05 2021
Date: Sun, 18 Apr 2021 15:46:05 +0000
Subject: [gnutls-devel] GnuTLS | afalg: support AES-XTS algorithms (#1209)

Daiki Ueno created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1209

Although there is a known [issue](https://github.com/smuellerDD/libkcapi/issues/92), libkcapi supports AES-XTS through "xts(aes-*)". It might be worth considering the support for it (or document why it's not supported).

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1209
From gnutls-devel at lists.gnutls.org Tue Apr 20 15:13:14 2021
Date: Tue, 20 Apr 2021 13:13:14 +0000
Subject: [gnutls-devel] GnuTLS | Add Linux kernel AF_ALG backend (!1404)

All discussions on merge request !1404 were resolved by Daiki Ueno

https://gitlab.com/gnutls/gnutls/-/merge_requests/1404

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1404

From gnutls-devel at lists.gnutls.org Tue Apr 20 15:13:22 2021
Date: Tue, 20 Apr 2021 13:13:22 +0000
Subject: [gnutls-devel] GnuTLS | Add Linux kernel AF_ALG backend (!1404)

Merge request !1404 was scheduled to merge after pipeline succeeds by Daiki Ueno

Merge request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1404
Project:Branches: FrantisekKrenzelok/gnutls:af_alg to gnutls/gnutls:master
Author: František Krenželok
Assignees:
Reviewers:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1404
From gnutls-devel at lists.gnutls.org Tue Apr 20 16:38:07 2021
Date: Tue, 20 Apr 2021 14:38:07 +0000
Subject: [gnutls-devel] GnuTLS | Add Linux kernel AF_ALG backend (!1404)

Merge request !1404 was scheduled to merge after pipeline succeeds by Daiki Ueno

Merge request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1404
Project:Branches: FrantisekKrenzelok/gnutls:af_alg to gnutls/gnutls:master
Author: František Krenželok
Assignees:
Reviewers:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1404

From gnutls-devel at lists.gnutls.org Tue Apr 20 17:15:54 2021
Date: Tue, 20 Apr 2021 15:15:54 +0000
Subject: [gnutls-devel] GnuTLS | Add Linux kernel AF_ALG backend (!1404)

Merge request !1404 was merged

Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1404
Project:Branches: FrantisekKrenzelok/gnutls:af_alg to gnutls/gnutls:master
Author: František Krenželok
Assignees:
Reviewers:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1404
From gnutls-devel at lists.gnutls.org Tue Apr 20 20:14:20 2021
Date: Tue, 20 Apr 2021 18:14:20 +0000
Subject: [gnutls-devel] GnuTLS | Add Linux kernel AF_ALG backend (#308)

Issue was closed by Daiki Ueno

Issue #308: https://gitlab.com/gnutls/gnutls/-/issues/308

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/308

From gnutls-devel at lists.gnutls.org Thu Apr 22 00:25:41 2021
Date: Wed, 21 Apr 2021 22:25:41 +0000
Subject: [gnutls-devel] GnuTLS | session-id changing when responding to HelloRetryRequest (#1210)

Vignesh Balasubramaniam created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1210

## Description of problem:
More information is available here: https://github.com/traefik/traefik/issues/8038

## Version of gnutls used:
3.7.1

## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)
Manjaro

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1210
From gnutls-devel at lists.gnutls.org Thu Apr 22 08:50:55 2021
Date: Thu, 22 Apr 2021 06:50:55 +0000
Subject: [gnutls-devel] GnuTLS | session-id changing when responding to HelloRetryRequest (#1210)

Daiki Ueno commented:

Thank you for the report; it seems that the previous fix related to this part (!1381) didn't take (non-resuming) HRR into account.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1210#note_557557552

From gnutls-devel at lists.gnutls.org Thu Apr 22 16:48:36 2021
Date: Thu, 22 Apr 2021 14:48:36 +0000
Subject: [gnutls-devel] GnuTLS | handshake: don't regenerate legacy_session_id in second CH after HRR (!1411)

Daiki Ueno created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1411

Project:Branches: dueno/gnutls:wip/dueno/hrr-session-id to gnutls/gnutls:master
Author: Daiki Ueno

Fixes #1210.

## Checklist
* [x] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [ ] Code modified for feature
* [ ] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
* [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:
* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1411

From gnutls-devel at lists.gnutls.org Thu Apr 22 17:41:37 2021
Date: Thu, 22 Apr 2021 15:41:37 +0000
Subject: [gnutls-devel] GnuTLS | handshake: don't regenerate legacy_session_id in second CH after HRR (!1411)

Merge request !1411 was scheduled to merge after pipeline succeeds by Daiki Ueno

Merge request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1411
Project:Branches: dueno/gnutls:wip/dueno/hrr-session-id to gnutls/gnutls:master
Author: Daiki Ueno
Assignees:
Reviewers:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1411
From gnutls-devel at lists.gnutls.org Thu Apr 22 17:51:40 2021
Date: Thu, 22 Apr 2021 15:51:40 +0000
Subject: [gnutls-devel] GnuTLS | gnutls_x509_trust_list_t should be safely shared among multiple threads (#1212)

Daiki Ueno created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1212

The documentation about currently says:

```
The GnuTLS library is thread safe by design, meaning that objects of the library such as TLS sessions, can be safely divided across threads as long as a single thread accesses a single object. This is sufficient to support a server which handles several sessions per thread. Read-only access to objects, for example the credentials holding structures, is also thread-safe.
```

The last statement implies that the read-only usage of `gnutls_x509_trust_list_t`, such as for verifying certificate chain with already populated list, should be performed from multiple threads against the single `gnutls_x509_trust_list_t` object. This is apparently not true with the use with PKCS#11 trust store: https://bugzilla.redhat.com/show_bug.cgi?id=1937513#c33

We should either document this as an exception or actually make it thread safe.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1212
From gnutls-devel at lists.gnutls.org Fri Apr 23 06:09:11 2021
Date: Fri, 23 Apr 2021 04:09:11 +0000
Subject: [gnutls-devel] GnuTLS | session-id changing when responding to HelloRetryRequest (#1210)

Issue was closed by Daiki Ueno via merge request !1411 (https://gitlab.com/gnutls/gnutls/-/merge_requests/1411)

Issue #1210: https://gitlab.com/gnutls/gnutls/-/issues/1210

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1210

From gnutls-devel at lists.gnutls.org Fri Apr 23 06:09:11 2021
Date: Fri, 23 Apr 2021 04:09:11 +0000
Subject: [gnutls-devel] GnuTLS | handshake: don't regenerate legacy_session_id in second CH after HRR (!1411)

Merge request !1411 was merged

Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1411
Project:Branches: dueno/gnutls:wip/dueno/hrr-session-id to gnutls/gnutls:master
Author: Daiki Ueno
Assignees:
Reviewers:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1411
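
Both handshake reports in this digest, #1208 (compatibility mode under QUIC) and #1210 (session id changing after HelloRetryRequest), turn on the ClientHello `legacy_session_id` field: compatibility mode sends a non-empty one, and the second ClientHello after an HRR has to repeat the first one's value. The C code below is an added example, not GnuTLS code and not part of these messages; the function names are hypothetical and the sample ClientHello bytes are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum ch_status {
	CH_OK = 0,
	CH_MALFORMED = -1,          /* truncated, oversized field, or not a ClientHello */
	CH_COMPAT_MODE = -2,        /* non-empty legacy_session_id: not allowed over QUIC */
	CH_SESSION_ID_CHANGED = -3  /* second ClientHello after HRR carries a different id */
};

struct session_id {
	uint8_t len;
	uint8_t data[32];
};

/* Extract legacy_session_id from a handshake message (record header already
 * stripped): type(1) length(3) legacy_version(2) random(32) sid_len(1) sid. */
int ch_get_session_id(const uint8_t *msg, size_t msg_len, struct session_id *out)
{
	const size_t fixed = 2 + 32 + 1; /* version + random + sid length byte */
	size_t body_len;

	if (msg_len < 4 || msg[0] != 0x01) /* 0x01 = client_hello */
		return CH_MALFORMED;
	body_len = ((size_t)msg[1] << 16) | ((size_t)msg[2] << 8) | msg[3];
	if (body_len > msg_len - 4 || body_len < fixed)
		return CH_MALFORMED;
	out->len = msg[4 + fixed - 1];
	if (out->len > 32 || (size_t)out->len > body_len - fixed)
		return CH_MALFORMED;
	memcpy(out->data, msg + 4 + fixed, out->len);
	return CH_OK;
}

/* QUIC check: a ClientHello carried over QUIC must have an empty id. */
int ch_check_quic(const uint8_t *msg, size_t msg_len)
{
	struct session_id sid;
	int ret = ch_get_session_id(msg, msg_len, &sid);

	if (ret != CH_OK)
		return ret;
	return sid.len == 0 ? CH_OK : CH_COMPAT_MODE;
}

/* HRR check: the id in the second ClientHello must equal the first one's. */
int ch_check_after_hrr(const uint8_t *ch1, size_t len1,
		       const uint8_t *ch2, size_t len2)
{
	struct session_id a, b;

	if (ch_get_session_id(ch1, len1, &a) != CH_OK ||
	    ch_get_session_id(ch2, len2, &b) != CH_OK)
		return CH_MALFORMED;
	if (a.len != b.len || memcmp(a.data, b.data, a.len) != 0)
		return CH_SESSION_ID_CHANGED;
	return CH_OK;
}

/* Constructed sample input: a minimal ClientHello whose session id is
 * sid_len copies of sid_fill. buf must hold at least 47 + sid_len bytes. */
size_t build_client_hello(uint8_t *buf, uint8_t sid_fill, uint8_t sid_len)
{
	size_t off = 4;

	buf[off++] = 0x03; buf[off++] = 0x03;   /* legacy_version */
	memset(buf + off, 0x5a, 32); off += 32; /* random (fixed filler) */
	buf[off++] = sid_len;                   /* legacy_session_id */
	memset(buf + off, sid_fill, sid_len); off += sid_len;
	buf[off++] = 0x00; buf[off++] = 0x02;   /* cipher_suites length */
	buf[off++] = 0x13; buf[off++] = 0x01;   /* TLS_AES_128_GCM_SHA256 */
	buf[off++] = 0x01; buf[off++] = 0x00;   /* null compression only */
	buf[off++] = 0x00; buf[off++] = 0x00;   /* extensions left empty */
	buf[0] = 0x01;                          /* msg_type: client_hello */
	buf[1] = 0x00;
	buf[2] = (uint8_t)((off - 4) >> 8);
	buf[3] = (uint8_t)(off - 4);
	return off;
}

int main(void)
{
	uint8_t ch1[128], ch2[128], quic[128];
	size_t n1 = build_client_hello(ch1, 0xaa, 32);
	size_t n2 = build_client_hello(ch2, 0xbb, 32); /* id regenerated */
	size_t nq = build_client_hello(quic, 0x00, 0);

	printf("QUIC, empty id:       %d\n", ch_check_quic(quic, nq));
	printf("QUIC, compat-mode id: %d\n", ch_check_quic(ch1, n1));
	printf("HRR, id kept:         %d\n", ch_check_after_hrr(ch1, n1, ch1, n1));
	printf("HRR, id regenerated:  %d\n", ch_check_after_hrr(ch1, n1, ch2, n2));
	return 0;
}
```
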
From gnutls-devel at lists.gnutls.org Fri Apr 23 09:39:55 2021
Date: Fri, 23 Apr 2021 07:39:55 +0000
Subject: [gnutls-devel] GnuTLS | crypto-selftests: tolerate errors of gnutls_{hash, hmac}_copy (!1412)

Daiki Ueno created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1412

Project:Branches: dueno/gnutls:wip/dueno/hash-copy-selftests to gnutls/gnutls:master
Author: Daiki Ueno

Add a description of the new feature/bug fix. Reference any relevant bugs.

## Checklist
* [x] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [ ] Code modified for feature
* [ ] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
* [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:
* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1412

From gnutls-devel at lists.gnutls.org Fri Apr 23 10:40:05 2021
Date: Fri, 23 Apr 2021 08:40:05 +0000
Subject: [gnutls-devel] GnuTLS | Minor Guile bindings improvements. (!1413)

civodul created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1413

Project:Branches: civodul/gnutls:wip-guile-fixes to gnutls/gnutls:master
Author: civodul

This patch series fixes one potential bug (though I haven't seen it in the wild) and addresses minor issues.

## Checklist
* [X] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [ ] Code modified for feature
* [ ] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
* [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:
* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1413
From gnutls-devel at lists.gnutls.org Fri Apr 23 10:40:44 2021
Date: Fri, 23 Apr 2021 08:40:44 +0000
Subject: [gnutls-devel] GnuTLS | afalg: minor follow-up fixes (!1414)

Daiki Ueno created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1414

Project:Branches: dueno/gnutls:wip/dueno/afalg-fixes to gnutls/gnutls:master
Author: Daiki Ueno

Fixes: #1207, #1209

## Checklist
* [x] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [ ] Code modified for feature
* [ ] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
* [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:
* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1414

From gnutls-devel at lists.gnutls.org Fri Apr 23 10:42:09 2021
Date: Fri, 23 Apr 2021 08:42:09 +0000
Subject: [gnutls-devel] GnuTLS | Minor Guile bindings improvements. (!1413)

Merge request !1413 was approved by Daiki Ueno

Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1413
Project:Branches: civodul/gnutls:wip-guile-fixes to gnutls/gnutls:master
Author: civodul
Assignees:
Reviewers:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1413

From gnutls-devel at lists.gnutls.org Fri Apr 23 10:42:22 2021
Date: Fri, 23 Apr 2021 08:42:22 +0000
Subject: [gnutls-devel] GnuTLS | Minor Guile bindings improvements. (!1413)

Daiki Ueno commented:

Looks good to me, thanks!

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1413#note_558652947

From gnutls-devel at lists.gnutls.org Fri Apr 23 10:42:49 2021
Date: Fri, 23 Apr 2021 08:42:49 +0000
Subject: [gnutls-devel] GnuTLS | crypto-selftests: tolerate errors of gnutls_{hash, hmac}_copy (!1412)

Merge request !1412 was scheduled to merge after pipeline succeeds by Daiki Ueno

Merge request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1412
Project:Branches: dueno/gnutls:wip/dueno/hash-copy-selftests to gnutls/gnutls:master
Author: Daiki Ueno
Assignees:
Reviewers:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1412
From gnutls-devel at lists.gnutls.org Fri Apr 23 10:46:01 2021
Date: Fri, 23 Apr 2021 08:46:01 +0000
Subject: [gnutls-devel] GnuTLS | Minor Guile bindings improvements. (!1413)

civodul commented:

Awesome, thanks for the quick reply!

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1413#note_558658613

From gnutls-devel at lists.gnutls.org Fri Apr 23 10:50:27 2021
Date: Fri, 23 Apr 2021 08:50:27 +0000
Subject: [gnutls-devel] GnuTLS | pk: Use 'mpz_init_set' instead of 'memcpy'. (!1415)

civodul created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1415

Project:Branches: civodul/gnutls:mpz-init-set to gnutls/gnutls:master
Author: civodul

This changes code to use `mpz_init_set` instead of `memcpy` where appropriate, as suggested by @dueno in https://lists.gnutls.org/pipermail/gnutls-help/2020-December/004677.html.

Note that it's primarily a stylistic improvement; it does not solve the issues that were discussed in the thread above.

## Checklist
* [X] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [ ] Code modified for feature
* [ ] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
* [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:
* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1415

From gnutls-devel at lists.gnutls.org Fri Apr 23 10:56:05 2021
Date: Fri, 23 Apr 2021 08:56:05 +0000
Subject: [gnutls-devel] GnuTLS | Minor Guile bindings improvements. (!1413)

Merge request !1413 was scheduled to merge after pipeline succeeds by Daiki Ueno

Merge request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1413
Project:Branches: civodul/gnutls:wip-guile-fixes to gnutls/gnutls:master
Author: civodul
Assignees:
Reviewers:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1413
URL: From gnutls-devel at lists.gnutls.org Fri Apr 23 11:15:41 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 23 Apr 2021 09:15:41 +0000 Subject: [gnutls-devel] GnuTLS | afalg: minor follow-up fixes (!1414) In-Reply-To: References: Message-ID: Merge request !1414 was scheduled to merge after pipeline succeeds by Daiki Ueno Merge request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1414 Project:Branches: dueno/gnutls:wip/dueno/afalg-fixes to gnutls/gnutls:master Author: Daiki Ueno Assignees: Reviewers: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1414 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Apr 23 11:40:10 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 23 Apr 2021 09:40:10 +0000 Subject: [gnutls-devel] GnuTLS | afalg: support AES-XTS algorithms (#1209) In-Reply-To: References: Message-ID: Issue was closed by Daiki Ueno via merge request !1414 (https://gitlab.com/gnutls/gnutls/-/merge_requests/1414) Issue #1209: https://gitlab.com/gnutls/gnutls/-/issues/1209 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1209 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... 
URL: From gnutls-devel at lists.gnutls.org Fri Apr 23 11:40:10 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 23 Apr 2021 09:40:10 +0000 Subject: [gnutls-devel] GnuTLS | afalg: switch to using pkgconfig for libkcapi detection (#1207) In-Reply-To: References: Message-ID: Issue was closed by Daiki Ueno via merge request !1414 (https://gitlab.com/gnutls/gnutls/-/merge_requests/1414) Issue #1207: https://gitlab.com/gnutls/gnutls/-/issues/1207 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1207 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Apr 23 11:40:11 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 23 Apr 2021 09:40:11 +0000 Subject: [gnutls-devel] GnuTLS | afalg: minor follow-up fixes (!1414) In-Reply-To: References: Message-ID: Merge request !1414 was merged Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1414 Project:Branches: dueno/gnutls:wip/dueno/afalg-fixes to gnutls/gnutls:master Author: Daiki Ueno Assignees: Reviewers: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1414 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... 
URL: From gnutls-devel at lists.gnutls.org Fri Apr 23 12:11:36 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 23 Apr 2021 10:11:36 +0000 Subject: [gnutls-devel] GnuTLS | crypto-selftests: tolerate errors of gnutls_{hash, hmac}_copy (!1412) In-Reply-To: References: Message-ID: Merge request !1412 was merged Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1412 Project:Branches: dueno/gnutls:wip/dueno/hash-copy-selftests to gnutls/gnutls:master Author: Daiki Ueno Assignees: Reviewers: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1412 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Apr 23 17:05:47 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 23 Apr 2021 15:05:47 +0000 Subject: [gnutls-devel] GnuTLS | Minor Guile bindings improvements. (!1413) In-Reply-To: References: Message-ID: Daiki Ueno commented: @civodul the CI is failing in the `make syntax-check`: ```console guile/src/core.c:98:to TO maint.mk: doubled words make: *** [maint.mk:1050: sc_prohibit_doubled_word] Error 1 ``` I'd say the check is rather strange but if you could workaround that would be great :-) -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1413#note_559058322 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Apr 23 23:24:37 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 23 Apr 2021 21:24:37 +0000 Subject: [gnutls-devel] GnuTLS | Minor Guile bindings improvements. 
(!1413) In-Reply-To: References: Message-ID: Merge request !1413 was closed by civodul Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1413 Project:Branches: civodul/gnutls:wip-guile-fixes to gnutls/gnutls:master Author: civodul Assignees: Reviewers: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1413 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Apr 23 23:25:50 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 23 Apr 2021 21:25:50 +0000 Subject: [gnutls-devel] GnuTLS | Minor Guile bindings improvements. (!1413) In-Reply-To: References: Message-ID: civodul commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/1413#note_559322815 Heheh, I’ve re-pushed ‘wip-guile-fixes’. Thanks! -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1413#note_559322815 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat Apr 24 08:30:34 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Sat, 24 Apr 2021 06:30:34 +0000 Subject: [gnutls-devel] GnuTLS | Minor Guile bindings improvements. (!1413) In-Reply-To: References: Message-ID: Merge request !1413 was reopened by Daiki Ueno Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1413 Project:Branches: civodul/gnutls:wip-guile-fixes to gnutls/gnutls:master Author: civodul Assignees: Reviewers: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1413 You're receiving this email because of your account on gitlab.com.
-------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat Apr 24 15:51:23 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Sat, 24 Apr 2021 13:51:23 +0000 Subject: [gnutls-devel] GnuTLS | Minor Guile bindings improvements. (!1413) In-Reply-To: References: Message-ID: Daiki Ueno commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/1413#note_559572550 @civodul sorry to bother you, but how did you do that? While I see the fixes are in [wip-guile-fixes](https://gitlab.com/civodul/gnutls/-/commits/wip-guile-fixes), the pipeline attached to this MR points to a different commit, which is still failing. Not sure if it might have been caused because you closed this MR. The suggested workflow is to just push with `git push --force-with-lease` without touching the MR state. The CI will then be automatically retriggered. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1413#note_559572550 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed...
URL: From gnutls-devel at lists.gnutls.org Sat Apr 24 17:39:18 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Sat, 24 Apr 2021 15:39:18 +0000 Subject: [gnutls-devel] GnuTLS | handshake: fix timing of sending early data (!1416) References: Message-ID: Daiki Ueno created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1416 Project:Branches: dueno/gnutls:wip/dueno/earlydata to gnutls/gnutls:master Author: Daiki Ueno Fixes: #1146 ## Checklist * [x] Commits have `Signed-off-by:` with name/author being identical to the commit author * [ ] Code modified for feature * [x] Test suite updated with functionality tests * [ ] Test suite updated with negative tests * [ ] Documentation updated / NEWS entry present (for non-trivial changes) * [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout) ## Reviewer's checklist: * [ ] Any issues marked for closing are addressed * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md` * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1416 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat Apr 24 22:12:58 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Sat, 24 Apr 2021 20:12:58 +0000 Subject: [gnutls-devel] GnuTLS | guile: Writes to record ports handle EAGAIN/EINTR transparently. 
(!1417) References: Message-ID: civodul created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1417 Project:Branches: civodul/gnutls:guile-egain-eintr to gnutls/gnutls:master Author: civodul This patch fixes a bug whereby writes to a Guile "session record port" could throw an exception upon `GNUTLS_E_AGAIN` or `GNUTLS_E_INTERRUPTED`. Originally reported at https://issues.guix.gnu.org/47867. ## Checklist * [X] Commits have `Signed-off-by:` with name/author being identical to the commit author * [ ] Code modified for feature * [ ] Test suite updated with functionality tests * [ ] Test suite updated with negative tests * [X] Documentation updated / NEWS entry present (for non-trivial changes) * [X] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout) ## Reviewer's checklist: * [ ] Any issues marked for closing are addressed * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md` * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1417 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat Apr 24 22:16:45 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Sat, 24 Apr 2021 20:16:45 +0000 Subject: [gnutls-devel] GnuTLS | Minor Guile bindings improvements. (!1413) In-Reply-To: References: Message-ID: civodul commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/1413#note_559621791 @dueno I had deleted the branch and pushed it again (I wrongfully assumed `-f` wouldn't be allowed). I tried again with `-f`, let's see how it goes... 
-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1413#note_559621791 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun Apr 25 06:21:07 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Sun, 25 Apr 2021 04:21:07 +0000 Subject: [gnutls-devel] GnuTLS | Minor Guile bindings improvements. (!1413) In-Reply-To: References: Message-ID: All discussions on merge request !1413 were resolved by Daiki Ueno https://gitlab.com/gnutls/gnutls/-/merge_requests/1413 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1413 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun Apr 25 06:21:06 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Sun, 25 Apr 2021 04:21:06 +0000 Subject: [gnutls-devel] GnuTLS | Minor Guile bindings improvements. (!1413) In-Reply-To: References: Message-ID: Daiki Ueno commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/1413#note_559706150 @civodul thank you; it seems to work! -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1413#note_559706150 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun Apr 25 06:21:13 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Sun, 25 Apr 2021 04:21:13 +0000 Subject: [gnutls-devel] GnuTLS | Minor Guile bindings improvements. 
(!1413) In-Reply-To: References: Message-ID: Merge request !1413 was merged Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1413 Project:Branches: civodul/gnutls:wip-guile-fixes to gnutls/gnutls:master Author: civodul Assignees: Reviewers: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1413 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun Apr 25 06:23:37 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Sun, 25 Apr 2021 04:23:37 +0000 Subject: [gnutls-devel] GnuTLS | guile: Writes to record ports handle EAGAIN/EINTR transparently. (!1417) In-Reply-To: References: Message-ID: Daiki Ueno started a new discussion on guile/src/core.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1417#note_559709887 > c_result = gnutls_record_send (c_session, (char *) data + c_sent, > size - c_sent); > if (EXPECT_FALSE (c_result < 0)) > - scm_gnutls_error (c_result, FUNC_NAME); > + { > + if (c_result != GNUTLS_E_AGAIN && c_result != GNUTLS_E_INTERRUPTED) Perhaps `!gnutls_error_is_fatal(c_result)` might be a bit more generic? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1417#note_559709887 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... 
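Review bot: on the new `if (c_result != GNUTLS_E_AGAIN && c_result != GNUTLS_E_INTERRUPTED)` branch, the quoted hunk stops before showing what the retry path does, so two things need confirming. After either of those codes `gnutls_record_send` has to be called again with the same `data + c_sent` and `size - c_sent`, which means `c_sent` may only advance on a positive return; and on a non-blocking transport a bare retry spins, so the port should wait for writability or yield before calling again. A one-line comment naming the non-fatal codes that are still deliberately passed to `scm_gnutls_error` would also settle the `gnutls_error_is_fatal` question for later readers.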
URL: From gnutls-devel at lists.gnutls.org Sun Apr 25 08:51:17 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Sun, 25 Apr 2021 06:51:17 +0000 Subject: [gnutls-devel] GnuTLS | handshake: fix timing of sending early data (!1416) In-Reply-To: References: Message-ID: Merge request !1416 was scheduled to merge after pipeline succeeds by Daiki Ueno Merge request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1416 Project:Branches: dueno/gnutls:wip/dueno/earlydata to gnutls/gnutls:master Author: Daiki Ueno Assignees: Reviewers: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1416 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun Apr 25 09:49:34 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Sun, 25 Apr 2021 07:49:34 +0000 Subject: [gnutls-devel] GnuTLS | GnuTLS client sends early data after receiving Server Hello (#1146) In-Reply-To: References: Message-ID: Issue was closed by Daiki Ueno via merge request !1416 (https://gitlab.com/gnutls/gnutls/-/merge_requests/1416) Issue #1146: https://gitlab.com/gnutls/gnutls/-/issues/1146 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1146 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... 
URL: From gnutls-devel at lists.gnutls.org Sun Apr 25 09:49:34 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Sun, 25 Apr 2021 07:49:34 +0000 Subject: [gnutls-devel] GnuTLS | handshake: fix timing of sending early data (!1416) In-Reply-To: References: Message-ID: Merge request !1416 was merged Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1416 Project:Branches: dueno/gnutls:wip/dueno/earlydata to gnutls/gnutls:master Author: Daiki Ueno Assignees: Reviewers: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1416 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun Apr 25 10:44:09 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Sun, 25 Apr 2021 08:44:09 +0000 Subject: [gnutls-devel] GnuTLS | GnuTLS client sends early data after receiving Server Hello (#1146) In-Reply-To: References: Message-ID: Daiki Ueno commented: @tatsuhiro-t apologies for the long delay; I've just pushed a fix to the master. When I send early data with `gnutls-cli`: ```console $ ./src/gnutls-cli -p 5556 127.0.0.1 --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3" --earlydata <(echo "earlydata") --insecure --inline-commands [...] ^resume^ ``` against `openssl s_server`: ```console $ openssl s_server -accept 5556 -keyform pem -certform pem -key doc/credentials/x509/key-rsa.pem -cert doc/credentials/x509/cert-rsa.pem -CAfile doc/credentials/x509/ca.pem -early_data ``` The packet sequence now looks like: ```console 24 10.300286012 127.0.0.1 → 127.0.0.1 TLSv1 482 Client Hello 25 10.300309262 127.0.0.1 → 127.0.0.1 TCP 66 5556 → 34978 [ACK] Seq=1 Ack=417 Win=65152 Len=0 TSval=362463014 TSecr=362463014 26 10.300359282 127.0.0.1 →
127.0.0.1 TLSv1.3 98 Application Data 27 10.300368542 127.0.0.1 → 127.0.0.1 TCP 66 5556 → 34978 [ACK] Seq=1 Ack=449 Win=65152 Len=0 TSval=362463014 TSecr=362463014 28 10.300880960 127.0.0.1 → 127.0.0.1 TLSv1.3 360 Server Hello, Change Cipher Spec, Encrypted Extensions, Finished 29 10.300897610 127.0.0.1 → 127.0.0.1 TCP 66 34978 → 5556 [ACK] Seq=449 Ack=295 Win=65280 Len=0 TSval=362463015 TSecr=362463015 30 10.301572698 127.0.0.1 → 127.0.0.1 TLSv1.3 92 End of Early Data ``` while previously it was: ``` 27 7.057079556 127.0.0.1 → 127.0.0.1 TLSv1 482 Client Hello 28 7.057102046 127.0.0.1 → 127.0.0.1 TCP 66 5556 → 35090 [ACK] Seq=1 Ack=417 Win=65152 Len=0 TSval=362604732 TSecr=362604732 29 7.057681034 127.0.0.1 → 127.0.0.1 TLSv1.3 360 Server Hello, Change Cipher Spec, Encrypted Extensions, Finished 30 7.057709954 127.0.0.1 → 127.0.0.1 TCP 66 35090 → 5556 [ACK] Seq=417 Ack=295 Win=65280 Len=0 TSval=362604732 TSecr=362604732 31 7.058178572 127.0.0.1 → 127.0.0.1 TLSv1.3 72 Change Cipher Spec 32 7.058191232 127.0.0.1 → 127.0.0.1 TCP 66 5556 → 35090 [ACK] Seq=295 Ack=423 Win=65536 Len=0 TSval=362604733 TSecr=362604733 33 7.058245462 127.0.0.1 → 127.0.0.1 TLSv1.3 98 Application Data 34 7.058263172 127.0.0.1 → 127.0.0.1 TCP 66 5556 → 35090 [ACK] Seq=295 Ack=455 Win=65536 Len=0 TSval=362604733 TSecr=362604733 35 7.058464272 127.0.0.1 → 127.0.0.1 TLSv1.3 92 End of Early Data ``` -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1146#note_559777770 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun Apr 25 10:54:58 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Sun, 25 Apr 2021 08:54:58 +0000 Subject: [gnutls-devel] GnuTLS | pk: Use 'mpz_init_set' instead of 'memcpy'.
(!1415) In-Reply-To: References: Message-ID: Daiki Ueno commented: Well, although I suggested that, I guess it would require further changes, e.g., releasing the copy with `mpz_clear` (with proper zeroization if needed). Hopefully I can reproduce the original issue this weekend :-) -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1415#note_559779097 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun Apr 25 17:11:31 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Sun, 25 Apr 2021 15:11:31 +0000 Subject: [gnutls-devel] GnuTLS | gnutls_x509_crt_get_dn: clarify null-termination of the output (!1418) References: Message-ID: Daiki Ueno created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1418 Project:Branches: dueno/gnutls:wip/dueno/gitignore to gnutls/gnutls:master Author: Daiki Ueno Also adds a couple of build fixes. 
Fixes: #1187, #1191 ## Checklist * [ ] Commits have `Signed-off-by:` with name/author being identical to the commit author * [ ] Code modified for feature * [ ] Test suite updated with functionality tests * [ ] Test suite updated with negative tests * [ ] Documentation updated / NEWS entry present (for non-trivial changes) * [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout) ## Reviewer's checklist: * [ ] Any issues marked for closing are addressed * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md` * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1418 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun Apr 25 19:32:01 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Sun, 25 Apr 2021 17:32:01 +0000 Subject: [gnutls-devel] GnuTLS | gnutls_x509_crt_get_dn: clarify null-termination of the output (!1418) In-Reply-To: References: Message-ID: Merge request !1418 was merged Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1418 Project:Branches: dueno/gnutls:wip/dueno/gitignore to gnutls/gnutls:master Author: Daiki Ueno Assignees: Reviewers: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1418 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... 
URL: From gnutls-devel at lists.gnutls.org Sun Apr 25 19:32:00 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Sun, 25 Apr 2021 17:32:00 +0000 Subject: [gnutls-devel] GnuTLS | fipshmac calculation needs to be done after library strip (#1191) In-Reply-To: References: Message-ID: Issue was closed by Daiki Ueno via commit a111a76d190af22bc54c3a5242d9ee65f1357d4a Issue #1191: https://gitlab.com/gnutls/gnutls/-/issues/1191 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1191 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun Apr 25 22:02:44 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Sun, 25 Apr 2021 20:02:44 +0000 Subject: [gnutls-devel] GnuTLS | guile: Writes to record ports handle EAGAIN/EINTR transparently. (!1417) In-Reply-To: References: Message-ID: civodul commented: @dueno Good question. I followed the same strategy as in a229bb36c9592b151f6feb277238c41ab39f40a9. It's clear that we'd like to loop (or try again later) in the case of `GNUTLS_E_AGAIN` and `GNUTLS_E_INTERRUPTED`. But are there other non-fatal "errors" that ought to be hidden from the application? Shouldn't the application have a chance to handle those errors? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1417#note_559880529 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... 
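The narrow retry policy discussed in the !1417 thread above, as an added C example that is not code from the merge request or from GnuTLS: only `GNUTLS_E_AGAIN` and `GNUTLS_E_INTERRUPTED` are retried, with unchanged arguments, and every other code is returned to the caller. `send_all`, `scripted_send`, the `case_*` helpers and the `E_*` constants are hypothetical stand-ins (numeric values assumed to mirror `gnutls.h`) so that it builds without GnuTLS; the scripted results are constructed.

```c
#include <stddef.h>
#include <stdio.h>

/* Stand-ins so the example builds without GnuTLS headers. The numeric
 * values are assumed to mirror <gnutls/gnutls.h>. */
#define E_AGAIN       (-28) /* GNUTLS_E_AGAIN */
#define E_INTERRUPTED (-52) /* GNUTLS_E_INTERRUPTED */
#define E_REHANDSHAKE (-37) /* GNUTLS_E_REHANDSHAKE: non-fatal, but not a retry */

/* Hypothetical transport with the shape of gnutls_record_send(). */
typedef long (*send_fn)(void *ctx, const void *data, size_t size);

/* Scripted sender: replays constructed results and records whether a
 * retry arrived with different arguments than the call that asked for it. */
struct script {
    const long *results;
    size_t n, pos;
    const void *last_data;
    size_t last_size;
    int retry_pending, retry_args_changed;
    unsigned calls;
};

static long scripted_send(void *ctx, const void *data, size_t size)
{
    struct script *s = ctx;
    long r;

    s->calls++;
    if (s->retry_pending && (data != s->last_data || size != s->last_size))
        s->retry_args_changed = 1;
    s->last_data = data;
    s->last_size = size;
    r = s->pos < s->n ? s->results[s->pos++] : (long)size;
    if (r > 0 && (size_t)r > size)
        r = (long)size; /* never report more than was offered */
    s->retry_pending = (r == E_AGAIN || r == E_INTERRUPTED);
    return r;
}

/* Send the whole buffer. Returns 0 on success, otherwise the first code
 * that is not retried; *sent_out always holds the bytes accepted so far. */
static long send_all(send_fn send, void *ctx, const void *data, size_t size,
                     unsigned max_retries, size_t *sent_out)
{
    size_t sent = 0;
    unsigned retries = 0;
    long r = 0;

    while (sent < size) {
        r = send(ctx, (const char *)data + sent, size - sent);
        if (r > 0) {            /* progress: advance and reset the budget */
            sent += (size_t)r;
            retries = 0;
            r = 0;
            continue;
        }
        if (r == 0)
            r = E_AGAIN;        /* no progress counts as "try again" */
        if ((r == E_AGAIN || r == E_INTERRUPTED) && retries < max_retries) {
            retries++;          /* sent is unchanged, so the next call
                                   repeats exactly the same arguments;
                                   real code would wait for writability */
            continue;
        }
        break;                  /* anything else goes to the caller */
    }
    *sent_out = sent;
    return r;
}

struct outcome { long code; size_t sent; int retry_args_changed; unsigned calls; };

static struct outcome run_case(const long *results, size_t n, unsigned max_retries)
{
    static const char payload[] = "0123456789"; /* constructed 10-byte payload */
    struct script s = { results, n, 0, NULL, 0, 0, 0, 0 };
    struct outcome o;

    o.code = send_all(scripted_send, &s, payload, sizeof payload - 1,
                      max_retries, &o.sent);
    o.retry_args_changed = s.retry_args_changed;
    o.calls = s.calls;
    return o;
}

struct outcome case_transient(void)   /* transient errors are absorbed */
{
    static const long r[] = { E_AGAIN, 4, E_INTERRUPTED, 100 };
    return run_case(r, 4, 8);
}

struct outcome case_rehandshake(void) /* other non-fatal code is surfaced */
{
    static const long r[] = { 3, E_REHANDSHAKE };
    return run_case(r, 2, 8);
}

struct outcome case_stuck(void)       /* retry budget stops a busy loop */
{
    static const long r[] = { E_AGAIN, E_AGAIN, E_AGAIN, E_AGAIN };
    return run_case(r, 4, 2);
}

int main(void)
{
    struct outcome a = case_transient(), b = case_rehandshake(), c = case_stuck();
    printf("transient:   code=%ld sent=%zu calls=%u\n", a.code, a.sent, a.calls);
    printf("rehandshake: code=%ld sent=%zu calls=%u\n", b.code, b.sent, b.calls);
    printf("stuck:       code=%ld sent=%zu calls=%u\n", c.code, c.sent, c.calls);
    return 0;
}
```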
URL: From gnutls-devel at lists.gnutls.org Mon Apr 26 07:28:08 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Mon, 26 Apr 2021 05:28:08 +0000 Subject: [gnutls-devel] GnuTLS | fipshmac calculation needs to be done after library strip (#1191) In-Reply-To: References: Message-ID: Milestone changed to Release of GnuTLS 3.7.2 release ( https://gitlab.com/gnutls/gnutls/-/milestones/31 ) -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1191 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Apr 26 07:28:22 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Mon, 26 Apr 2021 05:28:22 +0000 Subject: [gnutls-devel] GnuTLS | afalg: switch to using pkgconfig for libkcapi detection (#1207) In-Reply-To: References: Message-ID: Milestone changed to Release of GnuTLS 3.7.2 release ( https://gitlab.com/gnutls/gnutls/-/milestones/31 ) -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1207 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Apr 26 07:28:34 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Mon, 26 Apr 2021 05:28:34 +0000 Subject: [gnutls-devel] GnuTLS | afalg: support AES-XTS algorithms (#1209) In-Reply-To: References: Message-ID: Milestone changed to Release of GnuTLS 3.7.2 release ( https://gitlab.com/gnutls/gnutls/-/milestones/31 ) -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1209 You're receiving this email because of your account on gitlab.com. 
-------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Apr 26 07:28:50 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Mon, 26 Apr 2021 05:28:50 +0000 Subject: [gnutls-devel] GnuTLS | session-id changing when responding to HelloRetryRequest (#1210) In-Reply-To: References: Message-ID: Milestone changed to Release of GnuTLS 3.7.2 release ( https://gitlab.com/gnutls/gnutls/-/milestones/31 ) -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1210 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Apr 26 07:29:08 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Mon, 26 Apr 2021 05:29:08 +0000 Subject: [gnutls-devel] GnuTLS | Add Linux kernel AF_ALG backend (#308) In-Reply-To: References: Message-ID: Milestone changed to Release of GnuTLS 3.7.2 release ( https://gitlab.com/gnutls/gnutls/-/milestones/31 ) -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/308 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... 
URL: From gnutls-devel at lists.gnutls.org Mon Apr 26 07:29:44 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Mon, 26 Apr 2021 05:29:44 +0000 Subject: [gnutls-devel] GnuTLS | Add run-time option to disable TLS 1.3 middlebox compatibility mode (#1208) In-Reply-To: References: Message-ID: Milestone changed to Release of GnuTLS 3.7.2 release ( https://gitlab.com/gnutls/gnutls/-/milestones/31 ) -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1208 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Apr 26 07:31:56 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Mon, 26 Apr 2021 05:31:56 +0000 Subject: [gnutls-devel] GnuTLS | SHA-1 root CA is rejected when %PROFILE_MEDIUM is set (#1202) In-Reply-To: References: Message-ID: Milestone changed to Release of GnuTLS 3.7.2 release ( https://gitlab.com/gnutls/gnutls/-/milestones/31 ) -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1202 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... 
URL: From gnutls-devel at lists.gnutls.org Mon Apr 26 07:33:02 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Mon, 26 Apr 2021 05:33:02 +0000 Subject: [gnutls-devel] GnuTLS | gnutls_certificate_set_x509_key_file - private key (#1123) In-Reply-To: References: Message-ID: Milestone changed to Release of GnuTLS 3.7.2 release ( https://gitlab.com/gnutls/gnutls/-/milestones/31 ) -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1123 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Apr 26 16:48:54 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Mon, 26 Apr 2021 14:48:54 +0000 Subject: [gnutls-devel] GnuTLS | pk: Use 'mpz_init_set' instead of 'memcpy'. (!1415) In-Reply-To: References: Message-ID: civodul commented: Yeah, CI suggests I messed up with something. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1415#note_560653818 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Apr 26 20:57:16 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Mon, 26 Apr 2021 18:57:16 +0000 Subject: [gnutls-devel] GnuTLS | Testsuite error - listening on IPv6, connecting to IPv4 (#1007) In-Reply-To: References: Message-ID: Daiki Ueno commented: @ametzler would you like to propose an MR with the patch [attached](https://gitlab.com/gnutls/gnutls/-/issues/1007#note_356637206)? Given the `node` argument of `getaddrinfo` is always NULL in gnutls-serv, I don't see any reason to keep `AI_ADDRCONFIG`. 

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1007#note_560836477
You're receiving this email because of your account on gitlab.com.

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From gnutls-devel at lists.gnutls.org Mon Apr 26 20:57:46 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Mon, 26 Apr 2021 18:57:46 +0000
Subject: [gnutls-devel] GnuTLS | Testsuite error - listening on IPv6, connecting to IPv4 (#1007)
In-Reply-To:
References:
Message-ID:

Milestone changed to Release of GnuTLS 3.7.2 release ( https://gitlab.com/gnutls/gnutls/-/milestones/31 )

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1007
You're receiving this email because of your account on gitlab.com.

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From gnutls-devel at lists.gnutls.org Tue Apr 27 09:52:47 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Tue, 27 Apr 2021 07:52:47 +0000
Subject: [gnutls-devel] GnuTLS | Implement channel bindings for TLS 1.3 (#1214)
References:
Message-ID:

Daiki Ueno created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1214

The [draft](https://datatracker.ietf.org/doc/draft-ietf-kitten-tls-channel-bindings-for-tls13/) is now close to the IESG submission. It would make sense to consider adding support for it in our channel bindings API.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1214
You're receiving this email because of your account on gitlab.com.

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From gnutls-devel at lists.gnutls.org Tue Apr 27 09:53:53 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Tue, 27 Apr 2021 07:53:53 +0000
Subject: [gnutls-devel] GnuTLS | Draft: Resolve "Implement channel bindings for TLS 1.3" (!1419)
References:
Message-ID:

Daiki Ueno created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1419

Branches: 1214-implement-channel-bindings-for-tls-1-3 to master
Author: Daiki Ueno
Assignee: Daiki Ueno

Add a description of the new feature/bug fix. Reference any relevant bugs.

## Checklist
* [ ] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [ ] Code modified for feature
* [ ] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
* [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:
* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

Closes #1214

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1419
You're receiving this email because of your account on gitlab.com.

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From gnutls-devel at lists.gnutls.org Tue Apr 27 09:54:04 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Tue, 27 Apr 2021 07:54:04 +0000
Subject: [gnutls-devel] GnuTLS | Draft: Resolve "Implement channel bindings for TLS 1.3" (!1419)
In-Reply-To:
References:
Message-ID:

Merge request !1419 was closed by Daiki Ueno

Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1419
Branches: 1214-implement-channel-bindings-for-tls-1-3 to master
Author: Daiki Ueno
Assignee: Daiki Ueno
Reviewers:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1419
You're receiving this email because of your account on gitlab.com.

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From gnutls-devel at lists.gnutls.org Tue Apr 27 09:54:26 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Tue, 27 Apr 2021 07:54:26 +0000
Subject: [gnutls-devel] GnuTLS | Implement channel bindings for TLS 1.3 (#1214)
In-Reply-To:
References:
Message-ID:

Daiki Ueno commented:

cc @rufferson

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1214#note_561248730
You're receiving this email because of your account on gitlab.com.

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From gnutls-devel at lists.gnutls.org Tue Apr 27 10:07:31 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Tue, 27 Apr 2021 08:07:31 +0000
Subject: [gnutls-devel] GnuTLS | slow performance on IBM POWER architecture (#853)
In-Reply-To:
References:
Message-ID:

Daiki Ueno commented:

As Nettle has recently gained acceleration for the POWER architecture, the situation might have changed since this issue was reported.
@bjacke would you like to take a benchmark with Nettle 3.7 series?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/853#note_561264881
You're receiving this email because of your account on gitlab.com.

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From gnutls-devel at lists.gnutls.org Tue Apr 27 10:17:51 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Tue, 27 Apr 2021 08:17:51 +0000
Subject: [gnutls-devel] GnuTLS | slow performance on IBM POWER architecture (#853)
In-Reply-To:
References:
Message-ID:

Björn Jacke commented on a discussion: https://gitlab.com/gnutls/gnutls/-/issues/853#note_561276483

thanks, I also noticed that and I looked into that already. But it turns out that the acceleration is GNU as and 64bit build specific, for those two reasons I was not able to evaluate this yet on AIX. I'll keep you updated when I got the chance to change build and tool chain there to get the acceleration enabled.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/853#note_561276483
You're receiving this email because of your account on gitlab.com.

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From gnutls-devel at lists.gnutls.org Tue Apr 27 11:12:24 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Tue, 27 Apr 2021 09:12:24 +0000
Subject: [gnutls-devel] GnuTLS | Implement channel bindings for TLS 1.3 (#1214)
In-Reply-To:
References:
Message-ID:

Ruslan Marchenko commented:

Sorry I didn't quite get what is going on here? The related MR is empty and closed, 1.3's `finished` is still not copied. Is it a place-holder to implement TLSv1.3 binding? And if yes would you still agree having tls-unique implemented?
Or at the very least handled properly to return error (instead of empty payload - hence breaking any binding implementation). And then again is the expectation the binding will be wrapped into existing binding call (which kind of makes sense) as currently it gives only unique and only for 1.2 hence to get other bindings one would need to use lower-level APIs.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1214#note_561345771
You're receiving this email because of your account on gitlab.com.

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From gnutls-devel at lists.gnutls.org Tue Apr 27 11:46:19 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Tue, 27 Apr 2021 09:46:19 +0000
Subject: [gnutls-devel] GnuTLS | Implement channel bindings for TLS 1.3 (#1214)
In-Reply-To:
References:
Message-ID:

Daiki Ueno commented:

> The related MR is empty and closed, 1.3's finished is still not copied.

Sorry, I mistakenly clicked the "Create merge request" button instead of "Comment", so please ignore that MR.

> Or at the very least handled properly to return error (instead of empty payload - hence breaking any binding implementation).

Yes, my (vague) expectation was that the library implements `tls-exporter` for TLS 1.3 and below, keeping `tls-unique` for TLS 1.2 and earlier (the use of `tls-unique` in TLS 1.3 will be an error). Would that make sense, or is there anything we will have to consider?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1214#note_561383442
You're receiving this email because of your account on gitlab.com.

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From gnutls-devel at lists.gnutls.org Tue Apr 27 11:52:28 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Tue, 27 Apr 2021 09:52:28 +0000
Subject: [gnutls-devel] GnuTLS | Implement channel bindings for TLS 1.3 (#1214)
In-Reply-To:
References:
Message-ID:

Ruslan Marchenko commented:

No that's ok, just need to return `GNUTLS_E_UNIMPLEMENTED_FEATURE` for 1.3 calling for `GNUTLS_CB_TLS_UNIQUE`. Do you want me to try to draft an MR or you prefer doing it yourself? I'll probably add server-end-point re-using the code from glib-networking.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1214#note_561389660
You're receiving this email because of your account on gitlab.com.

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From gnutls-devel at lists.gnutls.org Tue Apr 27 12:36:59 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Tue, 27 Apr 2021 10:36:59 +0000
Subject: [gnutls-devel] GnuTLS | Implement channel bindings for TLS 1.3 (#1214)
In-Reply-To:
References:
Message-ID:

Daiki Ueno commented on a discussion: https://gitlab.com/gnutls/gnutls/-/issues/1214#note_561434335

It would be awesome if you could submit an MR :-)

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1214#note_561434335
You're receiving this email because of your account on gitlab.com.

-------------- next part --------------
An HTML attachment was scrubbed...
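
The policy discussed in the #1214 messages above (`tls-exporter` for TLS 1.3, `tls-unique` only for TLS 1.2 and earlier, and an error rather than an empty payload), seen from the application's side. This is an added example, not GnuTLS code and not part of the thread: the enum names, `cb_select`, `cb_validate` and `cb_accept` are hypothetical, the byte values are constructed, and the 32-byte `tls-exporter` length is the one fixed by the channel-bindings draft linked in the issue.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical names for this example; none of them are GnuTLS identifiers. */
enum tls_ver { VER_TLS1_2, VER_TLS1_3 };
enum cb_type { CB_UNIQUE, CB_EXPORTER };
enum cb_status {
    CB_OK = 0,
    CB_ERR_UNIMPLEMENTED = -1, /* binding type not defined for this version */
    CB_ERR_EMPTY = -2,         /* library handed back no binding data */
    CB_ERR_LENGTH = -3,        /* tls-exporter value is not 32 bytes */
    CB_ERR_MISMATCH = -4       /* peer's binding differs from ours */
};

#define CB_EXPORTER_LEN 32 /* output length fixed by the tls-exporter draft */

/* Binding type to request for the negotiated version: tls-unique is kept for
 * TLS 1.2 and earlier, TLS 1.3 gets tls-exporter. */
enum cb_type cb_select(enum tls_ver ver)
{
    return ver == VER_TLS1_3 ? CB_EXPORTER : CB_UNIQUE;
}

/* Check what the TLS library returned before using it in authentication. */
enum cb_status cb_validate(enum tls_ver ver, enum cb_type type,
                           const unsigned char *data, size_t len)
{
    if (ver == VER_TLS1_3 && type == CB_UNIQUE)
        return CB_ERR_UNIMPLEMENTED;
    if (data == NULL || len == 0)
        return CB_ERR_EMPTY;
    if (type == CB_EXPORTER && len != CB_EXPORTER_LEN)
        return CB_ERR_LENGTH;
    return CB_OK;
}

/* Compare without an early exit so timing does not reveal the first
 * differing byte. */
static int ct_equal(const unsigned char *a, const unsigned char *b, size_t n)
{
    unsigned char diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* Accept the peer's claimed binding only if our own value is valid and equal.
 * Validation runs first: two empty values would otherwise compare equal and
 * the "binding" would bind nothing. */
enum cb_status cb_accept(enum tls_ver ver, enum cb_type type,
                         const unsigned char *local, size_t local_len,
                         const unsigned char *peer, size_t peer_len)
{
    enum cb_status st = cb_validate(ver, type, local, local_len);
    if (st != CB_OK)
        return st;
    if (peer == NULL || peer_len != local_len)
        return CB_ERR_MISMATCH;
    return ct_equal(local, peer, local_len) ? CB_OK : CB_ERR_MISMATCH;
}

int main(void)
{
    /* Constructed sample values, not real TLS output. */
    unsigned char ours[CB_EXPORTER_LEN], theirs[CB_EXPORTER_LEN];
    for (size_t i = 0; i < CB_EXPORTER_LEN; i++)
        ours[i] = theirs[i] = (unsigned char)i;

    printf("match:         %d\n", cb_accept(VER_TLS1_3, CB_EXPORTER, ours, 32, theirs, 32));
    theirs[31] ^= 1;
    printf("mismatch:      %d\n", cb_accept(VER_TLS1_3, CB_EXPORTER, ours, 32, theirs, 32));
    printf("empty payload: %d\n", cb_accept(VER_TLS1_3, CB_EXPORTER, ours, 0, theirs, 0));
    printf("unique on 1.3: %d\n", cb_accept(VER_TLS1_3, CB_UNIQUE, ours, 12, theirs, 12));
    return 0;
}
```
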
URL:

From gnutls-devel at lists.gnutls.org Tue Apr 27 13:39:08 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Tue, 27 Apr 2021 11:39:08 +0000
Subject: [gnutls-devel] GnuTLS | Libnettle 3.6 was not found (#1215)
References:
Message-ID:

PAVEL FOMIN created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1215

Dear Contributors,

when I do `./configure`, I have the error:

```
checking for NETTLE... no
configure: error:
***
*** Libnettle 3.6 was not found.
```

while I have nettle 3.7 already installed. Does that mean that for gnutls 3.7.1 I **must** have nettle 3.6 ONLY ? i.e. erase nettle 3.7 and downgrade to nettle 3.6 ? Can these kinds of dependencies be specified somewhere in top of [Download](https://www.gnutls.org/download.html) page ?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1215
You're receiving this email because of your account on gitlab.com.

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From gnutls-devel at lists.gnutls.org Tue Apr 27 14:32:23 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Tue, 27 Apr 2021 12:32:23 +0000
Subject: [gnutls-devel] GnuTLS | Libnettle 3.6 was not found (#1215)
In-Reply-To:
References:
Message-ID:

Daiki Ueno commented:

It should work with any nettle version greater than or equal to 3.6. How did you install nettle? If you install it manually alongside a distro package, `configure` might be detecting the packaged version instead. Could you attach the `config.log` file?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1215#note_561531837
You're receiving this email because of your account on gitlab.com.

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From gnutls-devel at lists.gnutls.org Tue Apr 27 16:31:35 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Tue, 27 Apr 2021 14:31:35 +0000
Subject: [gnutls-devel] GnuTLS | gnutls_certificate_set_x509_key_file - private key (#1123)
In-Reply-To:
References:
Message-ID:

Milestone removed

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1123
You're receiving this email because of your account on gitlab.com.

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From gnutls-devel at lists.gnutls.org Tue Apr 27 16:31:53 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Tue, 27 Apr 2021 14:31:53 +0000
Subject: [gnutls-devel] GnuTLS | GnuTLS client sends early data after receiving Server Hello (#1146)
In-Reply-To:
References:
Message-ID:

Tatsuhiro Tsujikawa commented:

Thank you!

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1146#note_561674276
You're receiving this email because of your account on gitlab.com.

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From gnutls-devel at lists.gnutls.org Tue Apr 27 16:46:02 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Tue, 27 Apr 2021 14:46:02 +0000
Subject: [gnutls-devel] GnuTLS | gnutls_certificate_set_x509_key_file - private key (#1123)
In-Reply-To:
References:
Message-ID:

Daiki Ueno commented on a discussion: https://gitlab.com/gnutls/gnutls/-/issues/1123#note_561689512

While I initially thought that it is straightforward to fix this in the decoding logic, it turned out to be affecting many other parts, as it breaks an invariant held in the current implementation.
If the only use-case of this is `gnutls_certificate_set_x509_*`, we could copy the public parameters from the certificate(s) given as the argument (or PKCS#12 file).

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1123#note_561689512
You're receiving this email because of your account on gitlab.com.

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From gnutls-devel at lists.gnutls.org Tue Apr 27 17:16:01 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Tue, 27 Apr 2021 15:16:01 +0000
Subject: [gnutls-devel] GnuTLS | gnutls_certificate_set_x509_key_file - private key (#1123)
In-Reply-To:
References:
Message-ID:

Achim Kraus commented:

Thanks for putting an eye on it! For me it's just for testing interoperability between gnutls and Eclipse/Californium. It's not that important.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1123#note_561720831
You're receiving this email because of your account on gitlab.com.

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From gnutls-devel at lists.gnutls.org Tue Apr 27 17:28:49 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Tue, 27 Apr 2021 15:28:49 +0000
Subject: [gnutls-devel] GnuTLS | Libnettle 3.6 was not found (#1215)
In-Reply-To:
References:
Message-ID:

PAVEL FOMIN commented:

Hi, thanks for fast reaction, sure, [config.log](/uploads/286c9456975469d9375bf1e4b760656f/config.log)

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1215#note_561733772
You're receiving this email because of your account on gitlab.com.

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From gnutls-devel at lists.gnutls.org Tue Apr 27 17:43:48 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Tue, 27 Apr 2021 15:43:48 +0000
Subject: [gnutls-devel] GnuTLS | Early data issues in QUIC use (#1216)
References:
Message-ID:

Tatsuhiro Tsujikawa created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1216

It looks like there are several issues regarding early data in QUIC use.

1. GnuTLS does not call secret_func if gnutls_record_send_early_data is not called with non-empty data. But QUIC does not send early data in TLS message, and never calls this function.
2. Even if secret_func is called, secret_write is NULL.
3. GnuTLS sends EndOfEarlyData, but QUIC prohibits it.
4. There is no way to get resumed cipher and prf hash function from gnutls_session_t.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1216
You're receiving this email because of your account on gitlab.com.

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From gnutls-devel at lists.gnutls.org Tue Apr 27 18:02:13 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Tue, 27 Apr 2021 16:02:13 +0000
Subject: [gnutls-devel] GnuTLS | Libnettle 3.6 was not found (#1215)
In-Reply-To:
References:
Message-ID:

Andreas Metzler commented:

Looking at the log we find that no version of nettle is found on the system:

~~~
configure:11470: checking for NETTLE
configure:11477: $PKG_CONFIG --exists --print-errors "nettle >= $NETTLE_MINIMUM"
Package nettle was not found in the pkg-config search path.
Perhaps you should add the directory containing `nettle.pc'
to the PKG_CONFIG_PATH environment variable
No package 'nettle' found
configure:11480: $? = 1
configure:11494: $PKG_CONFIG --exists --print-errors "nettle >= $NETTLE_MINIMUM"
Package nettle was not found in the pkg-config search path.
Perhaps you should add the directory containing `nettle.pc'
to the PKG_CONFIG_PATH environment variable
No package 'nettle' found
configure:11497: $? = 1
configure:11511: result: no
No package 'nettle' found
configure:11528: error:
***
*** Libnettle 3.6 was not found.
~~~

cu Andreas

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1215#note_561765784
You're receiving this email because of your account on gitlab.com.

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From gnutls-devel at lists.gnutls.org Tue Apr 27 18:06:21 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Tue, 27 Apr 2021 16:06:21 +0000
Subject: [gnutls-devel] GnuTLS | Early data issues in QUIC use (#1216)
In-Reply-To:
References:
Message-ID:

Milestone changed to Release of GnuTLS 3.7.2 release ( https://gitlab.com/gnutls/gnutls/-/milestones/31 )

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1216
You're receiving this email because of your account on gitlab.com.

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From gnutls-devel at lists.gnutls.org Wed Apr 28 11:11:12 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Wed, 28 Apr 2021 09:11:12 +0000
Subject: [gnutls-devel] GnuTLS | certtool: don't copy CRL distribution point from CA cert (!1420)
References:
Message-ID:

Daiki Ueno created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1420

Project:Branches: dueno/gnutls:wip/dueno/certtool-cdp to gnutls/gnutls:master
Author: Daiki Ueno

Fixes: #1126

## Checklist
* [x] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [ ] Code modified for feature
* [ ] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [x] Documentation updated / NEWS entry present (for non-trivial changes)
* [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:
* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1420
You're receiving this email because of your account on gitlab.com.

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From gnutls-devel at lists.gnutls.org Wed Apr 28 12:57:26 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Wed, 28 Apr 2021 10:57:26 +0000
Subject: [gnutls-devel] GnuTLS | Allow changing key of SIV AEAD ciphers (#1217)
References:
Message-ID:

Miroslav Lichvar created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1217

In gnutls-3.6.14 were added the GNUTLS_CIPHER_AES_*_SIV ciphers.
It would be nice to have a function to set the key of an existing cipher instance to avoid having to destroy and create a new instance when the key is changing frequently.

This is useful on Network Time Security (NTS) servers. They don't have any client-specific state and use keys provided by the client in the request. When I compare the server performance with GnuTLS and Nettle, there is a difference of about 12%.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1217
You're receiving this email because of your account on gitlab.com.

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From gnutls-devel at lists.gnutls.org Wed Apr 28 16:50:07 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Wed, 28 Apr 2021 14:50:07 +0000
Subject: [gnutls-devel] GnuTLS | Wrong CDP in certificate (#1126)
In-Reply-To:
References:
Message-ID:

Issue was closed by Daiki Ueno via merge request !1420 (https://gitlab.com/gnutls/gnutls/-/merge_requests/1420)

Issue #1126: https://gitlab.com/gnutls/gnutls/-/issues/1126

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1126
You're receiving this email because of your account on gitlab.com.

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From gnutls-devel at lists.gnutls.org Wed Apr 28 16:50:06 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Wed, 28 Apr 2021 14:50:06 +0000
Subject: [gnutls-devel] GnuTLS | certtool: don't copy CRL distribution point from CA cert (!1420)
In-Reply-To:
References:
Message-ID:

Merge request !1420 was merged

Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1420
Project:Branches: dueno/gnutls:wip/dueno/certtool-cdp to gnutls/gnutls:master
Author: Daiki Ueno
Assignees:
Reviewers:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1420
You're receiving this email because of your account on gitlab.com.

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From gnutls-devel at lists.gnutls.org Thu Apr 29 08:04:02 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Thu, 29 Apr 2021 06:04:02 +0000
Subject: [gnutls-devel] GnuTLS | Early data issues in QUIC use (#1216)
In-Reply-To:
References:
Message-ID:

Daiki Ueno commented:

For (4) we should probably add a couple of functions dedicated for those: `gnutls_early_cipher_get` and `gnutls_early_prf_hash_get` for example.

(2) was an oversight; I didn't realize there will be a use-case of getting early write key on the client side.

For the others, I'm thinking to reuse the `GNUTLS_ENABLE_EARLY_DATA` flag for client, with a new flag to suppress EndOfEarlyData:

```c
gnutls_init(&session, GNUTLS_CLIENT | GNUTLS_ENABLE_EARLY_DATA | GNUTLS_NO_END_OF_EARLY_DATA);
```

then even if `gnutls_record_send_early_data` is not called, early data will be indicated. Would that suffice the use with QUIC?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1216#note_563304680
You're receiving this email because of your account on gitlab.com.

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From gnutls-devel at lists.gnutls.org Thu Apr 29 16:47:06 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Thu, 29 Apr 2021 14:47:06 +0000
Subject: [gnutls-devel] GnuTLS | Libnettle 3.6 was not found (#1215)
In-Reply-To:
References:
Message-ID:

PAVEL FOMIN commented:

All worked, clear, it was about *.pc file.. Forgot that it needs `pkg-config` file as well!

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1215#note_563862634
You're receiving this email because of your account on gitlab.com.

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From gnutls-devel at lists.gnutls.org Thu Apr 29 19:09:42 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Thu, 29 Apr 2021 17:09:42 +0000
Subject: [gnutls-devel] GnuTLS | Improve 0-RTT support for QUIC (!1421)
References:
Message-ID:

Daiki Ueno created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1421

Project:Branches: dueno/gnutls:wip/dueno/earlydata to gnutls/gnutls:master
Author: Daiki Ueno

Fixes: #1216

## Checklist
* [x] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [ ] Code modified for feature
* [ ] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [x] Documentation updated / NEWS entry present (for non-trivial changes)
* [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:
* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1421
You're receiving this email because of your account on gitlab.com.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: