From gnutls-devel at lists.gnutls.org Wed Dec 1 05:03:54 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 01 Dec 2021 04:03:54 +0000 Subject: [gnutls-devel] GnuTLS | Build of samba-4.15.0 on Linux for x86_64 target is failing with gnutls (#1278) In-Reply-To: References: Message-ID: GnuTLS bot commented: @debananda.pal This issue was marked as needinfo with no update for long time. We are now closing it, but please re-open if it is still relevant. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1278#note_748588980 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Dec 1 05:03:54 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 01 Dec 2021 04:03:54 +0000 Subject: [gnutls-devel] GnuTLS | pk: remove unnecessary constant-time protection for RSA decryption (!1454) In-Reply-To: References: Message-ID: GnuTLS bot commented: @dueno This merge request is marked as work in progress with no update for very long time. We are now closing it, but please re-open if you are still interested in finishing this merge request. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1454#note_748588988 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Dec 1 05:03:54 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 01 Dec 2021 04:03:54 +0000 Subject: [gnutls-devel] GnuTLS | Build of samba-4.15.0 on Linux for x86_64 target is failing with gnutls (#1278) In-Reply-To: References: Message-ID: Issue was closed by GnuTLS bot Issue #1278: https://gitlab.com/gnutls/gnutls/-/issues/1278 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1278 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Dec 1 05:03:54 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 01 Dec 2021 04:03:54 +0000 Subject: [gnutls-devel] GnuTLS | pk: remove unnecessary constant-time protection for RSA decryption (!1454) In-Reply-To: References: Message-ID: Merge request !1454 was closed by GnuTLS bot Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1454 Project:Branches: dueno/gnutls:wip/dueno/unnecessary-ct to gnutls/gnutls:master Author: Daiki Ueno Assignees: Reviewers: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1454 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Dec 2 07:22:50 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Thu, 02 Dec 2021 06:22:50 +0000 Subject: [gnutls-devel] GnuTLS | accelerated: fix CPU feature detection for Intel CPUs (!1487) In-Reply-To: References: Message-ID: Reviewer changed to Franti?ek Kren?elok -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1487 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Dec 2 12:13:45 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Thu, 02 Dec 2021 11:13:45 +0000 Subject: [gnutls-devel] GnuTLS | build: stop running abi-dump-latest at "make files-update" (!1491) In-Reply-To: References: Message-ID: Merge request !1491 was approved by Franti?ek Kren?elok Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1491 Project:Branches: dueno/gnutls:wip/dueno/abi-check-latest to gnutls/gnutls:master Author: Daiki Ueno Assignees: Reviewer: Franti?ek Kren?elok -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1491 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Dec 2 12:14:43 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Thu, 02 Dec 2021 11:14:43 +0000 Subject: [gnutls-devel] GnuTLS | build: stop running abi-dump-latest at "make files-update" (!1491) In-Reply-To: References: Message-ID: Merge request !1491 was merged Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1491 Project:Branches: dueno/gnutls:wip/dueno/abi-check-latest to gnutls/gnutls:master Author: Daiki Ueno Assignees: Reviewer: Franti?ek Kren?elok -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1491 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Dec 2 21:10:01 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Thu, 02 Dec 2021 20:10:01 +0000 Subject: [gnutls-devel] GnuTLS | Build of samba-4.15.0 on Linux for x86_64 target is failing with gnutls (#1278) In-Reply-To: References: Message-ID: Andreas Schneider commented: Which version of GnuTLS are you trying to build? We do not know about any issues with GnuTLS, with and without FIPS support. For example Ubuntu builds without FIPS support ans Fedora and openSUSE build with FIPS support. All of those are part of the Samba CI. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1278#note_750984664 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Dec 3 08:25:41 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 03 Dec 2021 07:25:41 +0000 Subject: [gnutls-devel] GnuTLS | accelerated: fix CPU feature detection for Intel CPUs (!1487) In-Reply-To: References: Message-ID: Daiki Ueno commented: I tried to set breakpoint on `sha256_block_data_order` to see whether the expected path is taken, but realized that `_gnutls_x86_cpuid_s` is cleared at that point, because of the re-detection in `register_x86_padlock_crypto`. Let me adjust it before merging: after fixing this SHA2 will become 4 times faster on my system :-) -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1487#note_751383442 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Dec 3 13:06:01 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 03 Dec 2021 12:06:01 +0000 Subject: [gnutls-devel] GnuTLS | ktls: API (!1477) In-Reply-To: References: Message-ID: Merge request https://gitlab.com/gnutls/gnutls/-/merge_requests/1477 was reviewed by Daiki Ueno -- Daiki Ueno started a new discussion on lib/includes/gnutls/socket.h: https://gitlab.com/gnutls/gnutls/-/merge_requests/1477#note_751757225 > + > +/** > + * gnutls_transport_ktls_enable_flags: Suffix `_t`, as suggested in https://gitlab.com/gnutls/gnutls/-/blob/master/CONTRIBUTING.md#constructed-types -- Daiki Ueno started a new discussion on lib/system/ktls.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1477#note_751757242 > **/ > -int _gnutls_ktls_enable(gnutls_session_t session, int sockin, int sockout) > +unsigned gnutls_transport_is_ktls_enabled(gnutls_session_t session){ Now that this returns flags (instead of a boolean), using the enum type (`gnutls_transport_ktls_enable_flags`) as a return type would be more appropriate. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1477 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun Dec 5 10:41:04 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Sun, 05 Dec 2021 09:41:04 +0000 Subject: [gnutls-devel] GnuTLS | x509: check maximum for constructed pathnames (!1493) References: Message-ID: Daiki Ueno created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1493 Project:Branches: dueno/gnutls:wip/dueno/ca-path to gnutls/gnutls:master Author: Daiki Ueno Fixes: #1280 ## Checklist * [x] Commits have `Signed-off-by:` with name/author being identical to the commit author * [ ] Code modified for feature * [ ] Test suite updated with functionality tests * [ ] Test suite updated with negative tests * [ ] Documentation updated / NEWS entry present (for non-trivial changes) * [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout) ## Reviewer's checklist: * [ ] Any issues marked for closing are addressed * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md` * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1493 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun Dec 5 12:36:17 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Sun, 05 Dec 2021 11:36:17 +0000 Subject: [gnutls-devel] GnuTLS | Git access issues due to long CA bundle filename (#1280) In-Reply-To: References: Message-ID: Daiki Ueno commented on a discussion: https://gitlab.com/gnutls/gnutls/-/issues/1280#note_752749336 On a second thought, it would be better not to allocate the path on stack. I've updated the MR to calculate the path using asprintf. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1280#note_752749336 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun Dec 5 17:53:04 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Sun, 05 Dec 2021 16:53:04 +0000 Subject: [gnutls-devel] GnuTLS | Allocate pathname on heap instead of on stack (!1493) In-Reply-To: References: Message-ID: Daiki Ueno commented: @rockdaboot maybe you could take a look? :-) -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1493#note_752808750 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun Dec 5 17:53:56 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Sun, 05 Dec 2021 16:53:56 +0000 Subject: [gnutls-devel] GnuTLS | Allocate pathname on heap instead of on stack (!1493) In-Reply-To: References: Message-ID: Reviewer changed to Tim R?hsen -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1493 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Dec 8 07:46:11 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 08 Dec 2021 06:46:11 +0000 Subject: [gnutls-devel] GnuTLS | sockets: fixed building for Windows with compilers without VLA support (alternative version) (!1490) In-Reply-To: References: Message-ID: Milestone changed to Release of GnuTLS 3.7.3 release ( https://gitlab.com/gnutls/gnutls/-/milestones/32 ) -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1490 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Dec 8 07:46:44 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 08 Dec 2021 06:46:44 +0000 Subject: [gnutls-devel] GnuTLS | priority: fix potential race in reloading system-wide config (!1482) In-Reply-To: References: Message-ID: Milestone changed to Release of GnuTLS 3.7.3 release ( https://gitlab.com/gnutls/gnutls/-/milestones/32 ) -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1482 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Dec 8 07:46:32 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 08 Dec 2021 06:46:32 +0000 Subject: [gnutls-devel] GnuTLS | priority: rework config reloading logic and locking (!1483) In-Reply-To: References: Message-ID: Milestone changed to Release of GnuTLS 3.7.3 release ( https://gitlab.com/gnutls/gnutls/-/milestones/32 ) -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1483 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Dec 8 07:47:17 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 08 Dec 2021 06:47:17 +0000 Subject: [gnutls-devel] GnuTLS | API function to get ciphersuite name (#1291) In-Reply-To: References: Message-ID: Milestone changed to Release of GnuTLS 3.7.3 release ( https://gitlab.com/gnutls/gnutls/-/milestones/32 ) -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1291 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Dec 8 07:47:38 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 08 Dec 2021 06:47:38 +0000 Subject: [gnutls-devel] GnuTLS | Git access issues due to long CA bundle filename (#1280) In-Reply-To: References: Message-ID: Milestone changed to Release of GnuTLS 3.7.3 release ( https://gitlab.com/gnutls/gnutls/-/milestones/32 ) -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1280 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Dec 8 08:18:31 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 08 Dec 2021 07:18:31 +0000 Subject: [gnutls-devel] GnuTLS | x86(_64): CPU feature detection broken (#1282) In-Reply-To: References: Message-ID: Milestone changed to Release of GnuTLS 3.7.3 release ( https://gitlab.com/gnutls/gnutls/-/milestones/32 ) -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1282 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Dec 8 08:25:13 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 08 Dec 2021 07:25:13 +0000 Subject: [gnutls-devel] GnuTLS | gnutls_hash_copy() fails on SHA384 after gnutls_hash_output(). (#1257) In-Reply-To: References: Message-ID: Milestone changed to Release of GnuTLS 3.7.3 release ( https://gitlab.com/gnutls/gnutls/-/milestones/32 ) -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1257 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Dec 8 08:28:30 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 08 Dec 2021 07:28:30 +0000 Subject: [gnutls-devel] GnuTLS | gnutls_ocsp_resp_verify() requires signer in trust list to have id-kp-OCSPSigning (#1254) In-Reply-To: References: Message-ID: Milestone changed to Release of GnuTLS 3.7.3 release ( https://gitlab.com/gnutls/gnutls/-/milestones/32 ) -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1254 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Dec 8 08:28:47 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 08 Dec 2021 07:28:47 +0000 Subject: [gnutls-devel] GnuTLS | TLSv1.3 RSA-PSS allows truncated salt in violation of RFC8446 (#1258) In-Reply-To: References: Message-ID: Milestone changed to Release of GnuTLS 3.7.3 release ( https://gitlab.com/gnutls/gnutls/-/milestones/32 ) -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1258 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Dec 8 09:19:58 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 08 Dec 2021 08:19:58 +0000 Subject: [gnutls-devel] GnuTLS | x86(_64): CPU feature detection broken (#1282) In-Reply-To: References: Message-ID: Reassigned Issue 1282 https://gitlab.com/gnutls/gnutls/-/issues/1282 Assignee changed to Daiki Ueno -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1282 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Dec 8 09:20:14 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 08 Dec 2021 08:20:14 +0000 Subject: [gnutls-devel] GnuTLS | Git access issues due to long CA bundle filename (#1280) In-Reply-To: References: Message-ID: Reassigned Issue 1280 https://gitlab.com/gnutls/gnutls/-/issues/1280 Assignee changed to Daiki Ueno -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1280 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Dec 8 15:42:47 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 08 Dec 2021 14:42:47 +0000 Subject: [gnutls-devel] GnuTLS | test for gnutls_protocol_set_enabled, TCP (!1494) References: Message-ID: Alexander Sosedkin created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1494 Project:Branches: asosedkin/gnutls:test-allowlisting-proto-tcp to gnutls/gnutls:master Author: Alexander Sosedkin I wrote a test for gnutls_protocol_set_enabled where the shell part of it feeds commands into a small C interpreter. Feels overengineered to me, but I can't figure out how to slim it down reasonably either. Only TCP is tested so far. A portion of the scenarios currently fail, they're commented out in the current version. ## Checklist * [x] Commits have `Signed-off-by:` with name/author being identical to the commit author * [ ] Code modified for feature * [ ] Test suite updated with functionality tests * [ ] Test suite updated with negative tests * [ ] Documentation updated / NEWS entry present (for non-trivial changes) * [x] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout) ## Reviewer's checklist: * [ ] Any issues marked for closing are addressed * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md` * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1494 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Dec 8 17:34:18 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 08 Dec 2021 16:34:18 +0000 Subject: [gnutls-devel] GnuTLS | test for gnutls_protocol_set_enabled, TCP (!1494) In-Reply-To: References: Message-ID: Merge request !1494 was approved by Daiki Ueno Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1494 Project:Branches: asosedkin/gnutls:test-allowlisting-proto-tcp to gnutls/gnutls:master Author: Alexander Sosedkin Assignees: Reviewers: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1494 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Dec 8 17:34:30 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 08 Dec 2021 16:34:30 +0000 Subject: [gnutls-devel] GnuTLS | test for gnutls_protocol_set_enabled, TCP (!1494) In-Reply-To: References: Message-ID: Daiki Ueno commented: Thanks; looks good to me. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1494#note_757310910 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Dec 9 07:34:37 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Thu, 09 Dec 2021 06:34:37 +0000 Subject: [gnutls-devel] GnuTLS | fips: add functions to inspect thread-local FIPS operation state (!1465) In-Reply-To: References: Message-ID: Milestone changed to Release of GnuTLS 3.7.3 release ( https://gitlab.com/gnutls/gnutls/-/milestones/32 ) -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1465 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Dec 9 07:43:54 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Thu, 09 Dec 2021 06:43:54 +0000 Subject: [gnutls-devel] GnuTLS | Add configuration option to globally enable/disable KTLS (#1298) References: Message-ID: Daiki Ueno created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1298 Currently whether to enable/disable KTLS support is determined at build time. It would be nice if the system administrators was able to turn it off at run-time. Now that the `[global]` section has been [added](https://gitlab.com/gnutls/gnutls/-/blob/0ecce7191dfd78387f2994253d37ed1df50d563d/lib/priority.c#L1231) to the config file, maybe we could add a new option, say `ktls = false` to that section. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1298 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Dec 9 07:44:49 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Thu, 09 Dec 2021 06:44:49 +0000 Subject: [gnutls-devel] GnuTLS | Add configuration option to globally enable/disable KTLS (#1298) In-Reply-To: References: Message-ID: Daiki Ueno commented: @FrantisekKrenzelok is this something you would like to work on? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1298#note_759427659 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Dec 9 07:54:19 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Thu, 09 Dec 2021 06:54:19 +0000 Subject: [gnutls-devel] GnuTLS | Handle post-handshake messages when KTLS is enabled (#1299) References: Message-ID: Daiki Ueno created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1299 Currently, when a Handshake message is received as a control message, it's simply [ignored](https://gitlab.com/gnutls/gnutls/-/blob/29eee975a62400231db28e3d0e0a53414e795ebd/lib/system/ktls.c#L382). It would be nice if it actually drives the state machine, maybe using `gnutls_handshake_write` and the callbacks. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1299 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Dec 9 07:54:35 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Thu, 09 Dec 2021 06:54:35 +0000 Subject: [gnutls-devel] GnuTLS | Add configuration option to globally enable/disable KTLS (#1298) In-Reply-To: References: Message-ID: Milestone changed to Release of GnuTLS 3.7.3 release ( https://gitlab.com/gnutls/gnutls/-/milestones/32 ) -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1298 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Dec 9 08:09:36 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Thu, 09 Dec 2021 07:09:36 +0000 Subject: [gnutls-devel] GnuTLS | Allow merging of configuration files (#1300) References: Message-ID: Daiki Ueno created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1300 When the algorithm allowlisting mode is used, the configuration file is typically managed by a script and shall not be edited manually. To allow system administrators to express site-local configuration, it would be nice if the multiple configuration files are merged in a safe way. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1300 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Dec 9 09:34:41 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Thu, 09 Dec 2021 08:34:41 +0000 Subject: [gnutls-devel] GnuTLS | TLS certificate compression (RFC8879) (#1301) References: Message-ID: Daiki Ueno created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1301 [RFC8879](https://datatracker.ietf.org/doc/rfc8879/) defines means to compress Certificate message when agreed in TLS 1.3. It would be nice to support this mechanism natively in GnuTLS. The work would comprise: - signalling/handling of the new extension (compress_certificate) - sending/receiving the new Handshake message (CompressedCertificate, replacing Certificate) - API to select compression algorithm -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1301 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Dec 9 11:34:50 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Thu, 09 Dec 2021 10:34:50 +0000 Subject: [gnutls-devel] GnuTLS | Minor cleanup on the new X509 CT code (!1495) References: Message-ID: Daiki Ueno created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1495 Project:Branches: dueno/gnutls:wip/dueno/sct to gnutls/gnutls:master Author: Daiki Ueno .. ## Checklist * [x] Commits have `Signed-off-by:` with name/author being identical to the commit author * [ ] Code modified for feature * [ ] Test suite updated with functionality tests * [ ] Test suite updated with negative tests * [ ] Documentation updated / NEWS entry present (for non-trivial changes) * [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout) ## Reviewer's checklist: * [ ] Any issues marked for closing are addressed * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md` * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1495 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Dec 10 11:38:40 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 10 Dec 2021 10:38:40 +0000 Subject: [gnutls-devel] GnuTLS | Minor cleanup on the new X509 CT code (!1495) In-Reply-To: References: Message-ID: Daiki Ueno commented: @juaristi would you mind checking if this change is ok? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1495#note_763051642 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Dec 10 12:55:53 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 10 Dec 2021 11:55:53 +0000 Subject: [gnutls-devel] GnuTLS | Allocate pathname on heap instead of on stack (!1493) In-Reply-To: References: Message-ID: Tim R?hsen started a new discussion on lib/fips.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1493#note_763228436 > } > } > > hmac_size = hex_data_size(data.size); > > /* trim eventual newlines from the end of the data read from file */ > - while ((data.size > 0) && (data.data[data.size - 1] == '\n')) { > + while (data.size > 0 && data.data[data.size - 1] == '\n') { > data.data[data.size - 1] = 0; > data.size--; > } > > ret = gnutls_hex_decode(&data, hmac, &hmac_size); > - gnutls_free(data.data); > - > + _gnutls_free_datum(&data); `data` is freed in cleanup code a second time, so IMO you can remove this line. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1493#note_763228436 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Dec 10 13:04:13 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 10 Dec 2021 12:04:13 +0000 Subject: [gnutls-devel] GnuTLS | Allocate pathname on heap instead of on stack (!1493) In-Reply-To: References: Message-ID: Tim R?hsen started a new discussion on lib/datum.h: https://gitlab.com/gnutls/gnutls/-/merge_requests/1493#note_763246990 > { > if (dat != NULL) { > gnutls_free(dat->data); > + dat->data = NULL; `gnutls_free` should already set the argument to NULL. Though the macro is wrapped into `GNUTLS_INTERNAL_BUILD`, which is currently always set (see `configure.ac`). Not sure how the future plan for this is. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1493#note_763246990 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Dec 10 13:18:10 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 10 Dec 2021 12:18:10 +0000 Subject: [gnutls-devel] GnuTLS | Allocate pathname on heap instead of on stack (!1493) In-Reply-To: References: Message-ID: Tim R?hsen commented: Using PATH_MAX (from gnulib) vs an unbound heap allocation should at least considered. The pros are - no costly heap memory allocation for temporary strings - less overhead (free) / no need to track pointers when prematurly exiting a function - no risk of double free or NULL pointer access - bounded (stack) allocation seems to be more "secure" than an unbounded heap allocation (that might turn into a DOS attack vector) - library functions that do not allocate memory are preferable; there are situations where runtime allocations are just not allowed in an application except for the initialization phase The cons are - possibly stack overflow on system with a small stack (not sure, but doesn't Windows have a small stack by default ?) - GNU/Hurd has no limits on the path size. But IMO it seems to be ok to limit PATH_MAX to 4096. So my question clearly is: why did you decide against the gnulib module ? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1493#note_763282104 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Dec 10 14:44:32 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 10 Dec 2021 13:44:32 +0000 Subject: [gnutls-devel] GnuTLS | test for gnutls_protocol_set_enabled, TCP (!1494) In-Reply-To: References: Message-ID: Merge request !1494 was merged Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1494 Project:Branches: asosedkin/gnutls:test-allowlisting-proto-tcp to gnutls/gnutls:master Author: Alexander Sosedkin Assignees: Reviewers: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1494 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Dec 10 14:47:11 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 10 Dec 2021 13:47:11 +0000 Subject: [gnutls-devel] GnuTLS | tests: fix out of tree builds with ASAN (!1496) References: Message-ID: Alexander Sosedkin created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1496 Project:Branches: asosedkin/gnutls:fix-asan-out-of-tree to gnutls/gnutls:master Author: Alexander Sosedkin I believe this fixes ASAN with out of tree builds; otherwise it aborts at not finding the suppressions file. ## Checklist * [x] Commits have `Signed-off-by:` with name/author being identical to the commit author * [ ] Code modified for feature * [ ] Test suite updated with functionality tests * [ ] Test suite updated with negative tests * [ ] Documentation updated / NEWS entry present (for non-trivial changes) * [x] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout) ## Reviewer's checklist: * [ ] Any issues marked for closing are addressed * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md` * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1496 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Dec 10 16:51:18 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 10 Dec 2021 15:51:18 +0000 Subject: [gnutls-devel] GnuTLS | Allocate pathname on heap instead of on stack (!1493) In-Reply-To: References: Message-ID: Daiki Ueno commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/1493#note_763824715 It was considered; see the description of this MR and the linked comment to Gnulib's maint.mk, which I'm expanding it for handy: ```make # Even if you use pathmax.h to guarantee that PATH_MAX is defined, it might # not be constant, or might overflow a stack. In general, use PATH_MAX as # a limit, not an array or alloca size. sc_prohibit_path_max_allocation: @prohibit='(\balloca *\([^)]*|\[[^]]*)\bPATH_MAX' \ halt='Avoid stack allocations of size PATH_MAX' \ $(_sc_search_regexp) ``` So if we go that way, you will get the error at `make syntax-check`. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1493#note_763824715 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Dec 10 16:52:10 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 10 Dec 2021 15:52:10 +0000 Subject: [gnutls-devel] GnuTLS | tests: fix out of tree builds with ASAN (!1496) In-Reply-To: References: Message-ID: Merge request !1496 was approved by Daiki Ueno Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1496 Project:Branches: asosedkin/gnutls:fix-asan-out-of-tree to gnutls/gnutls:master Author: Alexander Sosedkin Assignees: Reviewers: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1496 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Dec 10 16:52:25 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 10 Dec 2021 15:52:25 +0000 Subject: [gnutls-devel] GnuTLS | tests: fix out of tree builds with ASAN (!1496) In-Reply-To: References: Message-ID: Daiki Ueno commented: Good catch, thanks! -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1496#note_763828614 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Dec 10 17:06:25 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 10 Dec 2021 16:06:25 +0000 Subject: [gnutls-devel] GnuTLS | Minor cleanup on the new X509 CT code (!1495) In-Reply-To: References: Message-ID: Milestone changed to Release of GnuTLS 3.7.3 release ( https://gitlab.com/gnutls/gnutls/-/milestones/32 ) -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1495 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Dec 10 17:06:47 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 10 Dec 2021 16:06:47 +0000 Subject: [gnutls-devel] GnuTLS | test for gnutls_protocol_set_enabled, TCP (!1494) In-Reply-To: References: Message-ID: Milestone changed to Release of GnuTLS 3.7.3 release ( https://gitlab.com/gnutls/gnutls/-/milestones/32 ) -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1494 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Dec 10 17:07:02 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 10 Dec 2021 16:07:02 +0000 Subject: [gnutls-devel] GnuTLS | tests: fix out of tree builds with ASAN (!1496) In-Reply-To: References: Message-ID: Milestone changed to Release of GnuTLS 3.7.3 release ( https://gitlab.com/gnutls/gnutls/-/milestones/32 ) -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1496 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Dec 13 20:59:21 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Mon, 13 Dec 2021 19:59:21 +0000 Subject: [gnutls-devel] GnuTLS | Minor cleanup on the new X509 CT code (!1495) In-Reply-To: References: Message-ID: Ander Juaristi commented: Hi @dueno Looks good to me! -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1495#note_772005673 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Dec 14 07:06:35 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 14 Dec 2021 06:06:35 +0000 Subject: [gnutls-devel] GnuTLS | Minor cleanup on the new X509 CT code (!1495) In-Reply-To: References: Message-ID: Reviewer changed to Ander Juaristi -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1495 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Dec 14 07:06:36 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 14 Dec 2021 06:06:36 +0000 Subject: [gnutls-devel] GnuTLS | Minor cleanup on the new X509 CT code (!1495) In-Reply-To: References: Message-ID: Reassigned merge request 1495 https://gitlab.com/gnutls/gnutls/-/merge_requests/1495 Assignee changed to Daiki Ueno -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1495 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Dec 14 07:06:47 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 14 Dec 2021 06:06:47 +0000 Subject: [gnutls-devel] GnuTLS | Minor cleanup on the new X509 CT code (!1495) In-Reply-To: References: Message-ID: Merge request !1495 was scheduled to merge after pipeline succeeds by Daiki Ueno Merge request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1495 Project:Branches: dueno/gnutls:wip/dueno/sct to gnutls/gnutls:master Author: Daiki Ueno Assignee: Daiki Ueno Reviewer: Ander Juaristi -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1495 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Dec 14 07:06:59 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 14 Dec 2021 06:06:59 +0000 Subject: [gnutls-devel] GnuTLS | Minor cleanup on the new X509 CT code (!1495) In-Reply-To: References: Message-ID: Daiki Ueno commented: Thanks for the review! -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1495#note_773176103 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Dec 14 12:27:43 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 14 Dec 2021 11:27:43 +0000 Subject: [gnutls-devel] GnuTLS | Minor cleanup on the new X509 CT code (!1495) In-Reply-To: References: Message-ID: Merge request !1495 was merged Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1495 Project:Branches: dueno/gnutls:wip/dueno/sct to gnutls/gnutls:master Author: Daiki Ueno Assignee: Daiki Ueno Reviewer: Ander Juaristi -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1495 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Dec 14 15:19:09 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 14 Dec 2021 14:19:09 +0000 Subject: [gnutls-devel] GnuTLS | Add configuration option to globally enable/disable KTLS (#1298) In-Reply-To: References: Message-ID: Reassigned Issue 1298 https://gitlab.com/gnutls/gnutls/-/issues/1298 Assignee changed to Franti?ek Kren?elok -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1298 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Dec 15 11:16:29 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 15 Dec 2021 10:16:29 +0000 Subject: [gnutls-devel] GnuTLS | ktls: API (!1477) In-Reply-To: References: Message-ID: Merge request https://gitlab.com/gnutls/gnutls/-/merge_requests/1477 was reviewed by Daiki Ueno -- Daiki Ueno started a new discussion on lib/system/ktls.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1477#note_776871316 > +gnutls_transport_is_ktls_enabled(gnutls_session_t session){ > + if (unlikely(!session->internals.initial_negotiation_completed)) > + return gnutls_assert_val(GNUTLS_E_UNAVAILABLE_DURING_HANDSHAKE); I think here is a type mismatch with the return type. Maybe just return 0 (logging with `_gnutls_debug_log` might be helpful). -- Daiki Ueno started a new discussion on tests/gnutls_ktls.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1477#note_776871338 > #define MAX_BUF 1024 > -#define MSG "Hello world!" > +#define MSG "Hello world!\0" I don't think this change is needed; a NUL character is automatically appended at the end of string literals (see 6 at [the spec](http://www.open-std.org/jtc1/sc22/wg14/www/docs/n1570.pdf#page=89)). -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1477 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Dec 15 11:17:23 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 15 Dec 2021 10:17:23 +0000 Subject: [gnutls-devel] GnuTLS | ktls: API (!1477) In-Reply-To: References: Message-ID: Daiki Ueno commented: Looks good to me, except the couple of minor comments. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1477#note_776873450 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Dec 15 13:06:17 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 15 Dec 2021 12:06:17 +0000 Subject: [gnutls-devel] GnuTLS | tests: fix out of tree builds with ASAN (!1496) In-Reply-To: References: Message-ID: Merge request !1496 was merged Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1496 Project:Branches: asosedkin/gnutls:fix-asan-out-of-tree to gnutls/gnutls:master Author: Alexander Sosedkin Assignees: Reviewers: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1496 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Dec 15 16:17:10 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 15 Dec 2021 15:17:10 +0000 Subject: [gnutls-devel] GnuTLS | psk_ke_modes_recv_params() wrongly sets HSK_PSK_KE_MODE_INVALID (#1303) References: Message-ID: Tim Kosse created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1303 ## Description of problem: If the preferred side (as per session->internals.priorities->server_precedence) only supports one algorithm and it is not the first in the other side's list of algorithms, psk_ke_modes_recv_params wrongly sets session->internals.hsk_flags to HSK_PSK_KE_MODE_INVALID. Observed in GnuTLS 3.7.2 compiled from the official source tarball without any special configure arguments. The issue was discovered while analyzing https://forum.filezilla-project.org/viewtopic.php?t=54333 ## How to reproduce: You can easily reproduce this issue: * Applying the attached [reproducer.diff](/uploads/e553e1da4aacce21eccca71f898fbe3f/reproducer.diff), which just swaps the algorithms in the psk_key_exchange_modes extension Client Hello. * Run `gnutls-serv -d9999` * Connect to it with `gnutls-cli 127.0.0.1 -p 5556` * In the output of gnutls-serv look for `|<3>| ASSERT: psk_ke_modes.c[psk_ke_modes_recv_params]:192` which is printed when HSK_PSK_KE_MODE_INVALID is set. In this scenario the following happens in psk_ke_modes.c: * Line 156 is reached. * By line 174, the following values are held: * session->internals.priorities->server_precedence is false * dhpsk_pos is 0 * psk_pos is MAX_POS * cli_dhpsk_pos is 1 * cli_psk_pos is 0 * As result, neither mode is set in session->internals.hsk_flags and line 191 is reached. ## Proposed patch: I have attached a simple fix for the issue in [psk_ke_modes_send_params.diff](/uploads/305bdcc93e5af97051116813e06dfbaa/psk_ke_modes_send_params.diff) -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1303 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Dec 16 12:58:54 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Thu, 16 Dec 2021 11:58:54 +0000 Subject: [gnutls-devel] GnuTLS | use sha384_digest in lib/accelerated/aarch64/sha-aarch64.c sha384 (!1497) References: Message-ID: Alexander Sosedkin created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1497 Project:Branches: asosedkin/gnutls:aarch64-sha384 to gnutls/gnutls:master Author: Alexander Sosedkin [Can't say I've looked deeply into this](https://i.kym-cdn.com/photos/images/original/000/234/767/8d0.jpg), consider it filed for tracking purposes. But if https://gitlab.com/gnutls/gnutls/-/merge_requests/1466 was a problem, then this one probably also is. ## Checklist * [x] Commits have `Signed-off-by:` with name/author being identical to the commit author * [ ] Code modified for feature * [ ] Test suite updated with functionality tests * [ ] Test suite updated with negative tests * [ ] Documentation updated / NEWS entry present (for non-trivial changes) * [x] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout) ## Reviewer's checklist: * [ ] Any issues marked for closing are addressed * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md` * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1497 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Dec 16 13:15:03 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Thu, 16 Dec 2021 12:15:03 +0000 Subject: [gnutls-devel] GnuTLS | use sha384_digest in lib/accelerated/aarch64/sha-aarch64.c sha384 (!1497) In-Reply-To: References: Message-ID: Merge request !1497 was approved by Daiki Ueno Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1497 Project:Branches: asosedkin/gnutls:aarch64-sha384 to gnutls/gnutls:master Author: Alexander Sosedkin Assignees: Reviewers: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1497 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Dec 16 13:20:23 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Thu, 16 Dec 2021 12:20:23 +0000 Subject: [gnutls-devel] GnuTLS | use sha384_digest in lib/accelerated/aarch64/sha-aarch64.c sha384 (!1497) In-Reply-To: References: Message-ID: Daiki Ueno commented: Thank you. We might want to extend the test to cover the scenario (init ? update ? digest ? copy ? digest). -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1497#note_780369522 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Dec 16 14:13:37 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Thu, 16 Dec 2021 13:13:37 +0000 Subject: [gnutls-devel] GnuTLS | ktls: API (!1477) In-Reply-To: References: Message-ID: Merge request !1477 was approved by Daiki Ueno Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1477 Project:Branches: FrantisekKrenzelok/gnutls:ktls_api to gnutls/gnutls:master Author: Franti?ek Kren?elok Assignee: Franti?ek Kren?elok Reviewer: Daiki Ueno -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1477 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Dec 16 14:13:58 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Thu, 16 Dec 2021 13:13:58 +0000 Subject: [gnutls-devel] GnuTLS | ktls: API (!1477) In-Reply-To: References: Message-ID: All discussions on merge request !1477 were resolved by Daiki Ueno https://gitlab.com/gnutls/gnutls/-/merge_requests/1477 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1477 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Dec 17 14:58:42 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 17 Dec 2021 13:58:42 +0000 Subject: [gnutls-devel] GnuTLS | tls: make GNUTLS_NO_TICKETS no-op in TLS 1.3 (!1475) In-Reply-To: References: Message-ID: Alexander Sosedkin commented: `%NO_TICKETS` is documented as "will prevent the advertizing of the TLS session ticket extension", so I'm afraid we'll have to introduce a new flag to restrict resumption to TLS 1.3. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1475#note_783687496 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Dec 17 15:31:26 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 17 Dec 2021 14:31:26 +0000 Subject: [gnutls-devel] GnuTLS | Null pointer dereference in MD_UPDATE (#1306) References: Message-ID: zhengxiong luo created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1306 ## Description of problem: Using gnutls with guile disabled, null pointer may passed to `memcpy` as argument 2, causing null pointer dereference. ## How to reproduce: You can easily reproduce this issue: * Build gnutls with UBSan: ```shell CC=clang CXX=clang++ CFLAGS="-fsanitize=undefined -g" CXXFLAGS="-fsanitize=undefined -g" ./bootstrap CC=clang CXX=clang++ CFLAGS="-fsanitize=undefined -g" CXXFLAGS="-fsanitize=undefined -g" ./configure --disable-guile --disable-doc CC=clang CXX=clang++ CFLAGS="-fsanitize=undefined -g" CXXFLAGS="-fsanitize=undefined -g" make ``` * Run server: ```shell ./gnutls/src/.libs/gnutls-serv -p 7834 -d 9999 ``` * Run client: ```shell $ UBSAN_OPTIONS=print_stacktrace=1 LD_LIBRARY_PATH="../../lib/.libs:/usr/lib64" ./gnutls-cli -p 7834 localhost --pskusername psk_identity --pskkey 88f3824b3e5659f52d00e959bacab954b6540344 --priority NORMAL:-KX-ALL:+ECDHE-PSK:+DHE-PSK:+PSK ``` Then the program will crash with the following log: ```shell Processed 128 CA certificate(s). Resolving 'localhost:7834'... Connecting to '127.0.0.1:7834'... sha256.c:100:3: runtime error: null pointer passed as argument 2, which is declared to never be null /usr/include/string.h:44:28: note: nonnull attribute specified here #0 0x7f9a7c53f146 in nettle_sha256_update /root/projects/bleem/nettle-3.6/sha256.c:100:3 #1 0x7f9a7d935f7d in wrap_nettle_hash_fast /root/projects/bleem/gnutls/lib/nettle/mac.c:791:2 #2 0x7f9a7d2bc1fd in _gnutls_hash_fast /root/projects/bleem/gnutls/lib/hash_int.c:141:8 #3 0x7f9a7d3b8faa in gnutls_hash_fast /root/projects/bleem/gnutls/lib/crypto-api.c:690:9 #4 0x7f9a7d455ee2 in _tls13_derive_secret2 /root/projects/bleem/gnutls/lib/secrets.c:98:8 #5 0x7f9a7d7ed3d0 in compute_binder_key /root/projects/bleem/gnutls/lib/ext/pre_shared_key.c:86:8 #6 0x7f9a7d7ebec1 in compute_psk_binder /root/projects/bleem/gnutls/lib/ext/pre_shared_key.c:170:8 #7 0x7f9a7d7f18af in client_send_params /root/projects/bleem/gnutls/lib/ext/pre_shared_key.c:486:9 #8 0x7f9a7d7e4820 in _gnutls_psk_send_params /root/projects/bleem/gnutls/lib/ext/pre_shared_key.c:797:10 #9 0x7f9a7d2df26b in hello_ext_send /root/projects/bleem/gnutls/lib/hello_ext.c:369:8 #10 0x7f9a7d45aa69 in _gnutls_extv_append /root/projects/bleem/gnutls/lib/extv.c:218:8 #11 0x7f9a7d2dd41a in _gnutls_gen_hello_extensions /root/projects/bleem/gnutls/lib/hello_ext.c:437:9 #12 0x7f9a7d261e96 in send_client_hello /root/projects/bleem/gnutls/lib/handshake.c:2342:8 #13 0x7f9a7d23c6db in handshake_client /root/projects/bleem/gnutls/lib/handshake.c:3043:9 #14 0x7f9a7d23b47f in gnutls_handshake /root/projects/bleem/gnutls/lib/handshake.c:2873:10 #15 0x4df28d in do_handshake /root/projects/bleem/gnutls/src/cli.c:1837:9 #16 0x4ff797 in socket_open2 /root/projects/bleem/gnutls/src/socket.c:602:10 #17 0x4d3f43 in main /root/projects/bleem/gnutls/src/cli.c:1363:2 #18 0x7f9a7ca310b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16 #19 0x42127d in _start (/root/projects/bleem/gnutls/src/.libs/gnutls-cli+0x42127d) SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior sha256.c:100:3 in *** Fatal error: A TLS fatal alert has been received. *** Received alert [40]: Handshake failed ``` Here is the debug information: ```shell $ UBSAN_OPTIONS=print_stacktrace=1 LD_LIBRARY_PATH="./gnutls/lib/.libs:/usr/lib64" gdb --args ./gnutls-cli -p 7834 localhost --pskusername psk_identity --pskkey 88f3824b3e5659f52d00e959bacab954b6540344 --priority NORMAL:-KX-ALL:+ECDHE-PSK:+DHE-PSK:+PSK 127.0.0.1 GNU gdb (Ubuntu 9.2-0ubuntu1~20.04) 9.2 Copyright (C) 2020 Free Software Foundation, Inc. License GPLv3+: GNU GPL version 3 or later This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. Type "show copying" and "show warranty" for details. This GDB was configured as "x86_64-linux-gnu". Type "show configuration" for configuration details. For bug reporting instructions, please see: . Find the GDB manual and other documentation resources online at: . For help, type "help". Type "apropos word" to search for commands related to "word"... Reading symbols from ./gnutls-cli... (gdb) b /root/projects/bleem/nettle-3.6/sha256.c:100 No source file named /root/projects/bleem/nettle-3.6/sha256.c. Make breakpoint pending on future shared library load? (y or [n]) y Breakpoint 1 (/root/projects/bleem/nettle-3.6/sha256.c:100) pending. (gdb) r Starting program: /root/projects/bleem/gnutls/src/.libs/gnutls-cli -p 7834 localhost --pskusername psk_identity --pskkey 88f3824b3e5659f52d00e959bacab954b6540344 --priority NORMAL:-KX-ALL:+ECDHE-PSK:+DHE-PSK:+PSK 127.0.0.1 [Thread debugging using libthread_db enabled] Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".. Processed 128 CA certificate(s). Resolving 'localhost:7834'... Connecting to '127.0.0.1:7834'... Breakpoint 1, nettle_sha256_update (ctx=0x7fffffff5620, length=64, data=0x7fffffff52a0 '\\' , "\301\315\001\202\214q\250") at sha256.c:100 100 sha256.c (gdb) c Continuing. Breakpoint 1, nettle_sha256_update (ctx=0x7fffffff5690, length=64, data=0x7fffffff52a0 '6' , "\301\315\001\202\214q\250") at sha256.c:100 100 in sha256.c (gdb) Continuing. Breakpoint 1, nettle_sha256_update (ctx=0x7fffffff5700, length=20, data=0x603000029830 "\210\363\202K>VY\365-") at sha256.c:100 100 in sha256.c (gdb) Continuing. Breakpoint 1, nettle_sha256_update (ctx=0x7fffffff5700, length=32, data=0x7fffffff53c0 "\224(\204\365\362W\002\331\327+\200\250\257\234\017\256m8(q5\267\200x\236\332<\023\004\305\067X") at sha256.c:100 100 in sha256.c (gdb) Continuing. Breakpoint 1, nettle_sha256_update (ctx=0x7fffffff6720, length=0, data=0x0) at sha256.c:100 100 in sha256.c (gdb) Continuing. sha256.c:100:3: runtime error: null pointer passed as argument 2, which is declared to never be null /usr/include/string.h:44:28: note: nonnull attribute specified here [Detaching after fork from child process 3176009] #0 0x7ffff6799146 in nettle_sha256_update /root/projects/bleem/nettle-3.6/sha256.c:100:3 #1 0x7ffff7b8ff7d in wrap_nettle_hash_fast /root/projects/bleem/gnutls/lib/nettle/mac.c:791:2 #2 0x7ffff75161fd in _gnutls_hash_fast /root/projects/bleem/gnutls/lib/hash_int.c:141:8 #3 0x7ffff7612faa in gnutls_hash_fast /root/projects/bleem/gnutls/lib/crypto-api.c:690:9 #4 0x7ffff76afee2 in _tls13_derive_secret2 /root/projects/bleem/gnutls/lib/secrets.c:98:8 #5 0x7ffff7a473d0 in compute_binder_key /root/projects/bleem/gnutls/lib/ext/pre_shared_key.c:86:8 #6 0x7ffff7a45ec1 in compute_psk_binder /root/projects/bleem/gnutls/lib/ext/pre_shared_key.c:170:8 #7 0x7ffff7a4b8af in client_send_params /root/projects/bleem/gnutls/lib/ext/pre_shared_key.c:486:9 #8 0x7ffff7a3e820 in _gnutls_psk_send_params /root/projects/bleem/gnutls/lib/ext/pre_shared_key.c:797:10 #9 0x7ffff753926b in hello_ext_send /root/projects/bleem/gnutls/lib/hello_ext.c:369:8 #10 0x7ffff76b4a69 in _gnutls_extv_append /root/projects/bleem/gnutls/lib/extv.c:218:8 #11 0x7ffff753741a in _gnutls_gen_hello_extensions /root/projects/bleem/gnutls/lib/hello_ext.c:437:9 #12 0x7ffff74bbe96 in send_client_hello /root/projects/bleem/gnutls/lib/handshake.c:2342:8 #13 0x7ffff74966db in handshake_client /root/projects/bleem/gnutls/lib/handshake.c:3043:9 #14 0x7ffff749547f in gnutls_handshake /root/projects/bleem/gnutls/lib/handshake.c:2873:10 #15 0x4df28d in do_handshake /root/projects/bleem/gnutls/src/cli.c:1837:9 #16 0x4ff797 in socket_open2 /root/projects/bleem/gnutls/src/socket.c:602:10 #17 0x4d3f43 in main /root/projects/bleem/gnutls/src/cli.c:1363:2 #18 0x7ffff6c8b0b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16 #19 0x42127d in _start (/root/projects/bleem/gnutls/src/.libs/gnutls-cli+0x42127d) SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior sha256.c:100:3 in Breakpoint 1, nettle_sha256_update (ctx=0x7fffffff5240, length=64, data=0x7fffffff4ec0 "\310:\216\341j\177\224\020?qs\225\372\tV\230\357\242$*\271\003\026\\\234n?\343]\231", '\\' , "\001") at sha256.c:100 100 in sha256.c ``` -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1306 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Dec 17 17:13:56 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 17 Dec 2021 16:13:56 +0000 Subject: [gnutls-devel] GnuTLS | use sha384_digest in lib/accelerated/aarch64/sha-aarch64.c sha384 (!1497) In-Reply-To: References: Message-ID: Merge request !1497 was merged Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1497 Project:Branches: asosedkin/gnutls:aarch64-sha384 to gnutls/gnutls:master Author: Alexander Sosedkin Assignees: Reviewers: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1497 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Dec 17 17:14:20 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 17 Dec 2021 16:14:20 +0000 Subject: [gnutls-devel] GnuTLS | ktls: API (!1477) In-Reply-To: References: Message-ID: Merge request !1477 was merged Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1477 Project:Branches: FrantisekKrenzelok/gnutls:ktls_api to gnutls/gnutls:master Author: Franti?ek Kren?elok Assignee: Franti?ek Kren?elok Reviewer: Daiki Ueno -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1477 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Dec 17 18:21:58 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 17 Dec 2021 17:21:58 +0000 Subject: [gnutls-devel] GnuTLS | tls: make GNUTLS_NO_TICKETS no-op in TLS 1.3 (!1475) In-Reply-To: References: Message-ID: Daiki Ueno commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/1475#note_784130759 That statement technically still holds: the `session_ticket` extension is only meaningful in TLS 1.2. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1475#note_784130759 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Dec 17 18:27:29 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 17 Dec 2021 17:27:29 +0000 Subject: [gnutls-devel] GnuTLS | tls: make GNUTLS_NO_TICKETS no-op in TLS 1.3 (!1475) In-Reply-To: References: Message-ID: Alexander Sosedkin commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/1475#note_784141977 Maybe, yes, but that still leaves us with * the name that doesn't clearly signal the meaning you're proposing and * the likely existing usage of disabling all resumption for unspecified reasons. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1475#note_784141977 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Dec 17 18:54:33 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 17 Dec 2021 17:54:33 +0000 Subject: [gnutls-devel] GnuTLS | README: document tpm2-tss-engine test dependency (!1498) References: Message-ID: Alexander Sosedkin created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1498 Project:Branches: asosedkin/gnutls:tpm2-dep-correction to gnutls/gnutls:master Author: Alexander Sosedkin `tests/tpm2.sh` needs `tpm2tss-genkey` from tpm2-tss-engine, which is not reflected in the README. Or, if we could get rid of it, that'd be even better. ## Checklist * [x] Commits have `Signed-off-by:` with name/author being identical to the commit author * [ ] Code modified for feature * [ ] Test suite updated with functionality tests * [ ] Test suite updated with negative tests * [ ] Documentation updated / NEWS entry present (for non-trivial changes) * [x] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout) ## Reviewer's checklist: * [ ] Any issues marked for closing are addressed * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md` * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1498 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Dec 17 19:22:34 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 17 Dec 2021 18:22:34 +0000 Subject: [gnutls-devel] GnuTLS | README: document tpm2-tss-engine test dependency (!1498) In-Reply-To: References: Message-ID: Merge request !1498 was approved by Daiki Ueno Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1498 Project:Branches: asosedkin/gnutls:tpm2-dep-correction to gnutls/gnutls:master Author: Alexander Sosedkin Assignees: Reviewers: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1498 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat Dec 18 17:37:59 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Sat, 18 Dec 2021 16:37:59 +0000 Subject: [gnutls-devel] GnuTLS | README: document tpm2-tss-engine test dependency (!1498) In-Reply-To: References: Message-ID: Merge request !1498 was merged Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1498 Project:Branches: asosedkin/gnutls:tpm2-dep-correction to gnutls/gnutls:master Author: Alexander Sosedkin Assignees: Reviewers: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1498 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Dec 20 16:19:03 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Mon, 20 Dec 2021 15:19:03 +0000 Subject: [gnutls-devel] GnuTLS | certtool: --to-p12: use modern algorithms by default (!1499) References: Message-ID: Daiki Ueno created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1499 Project:Branches: dueno/gnutls:wip/dueno/pkcs12 to gnutls/gnutls:master Author: Daiki Ueno Currently certtool uses PKCS12-3DES-SHA1 for encrypting keys in PKCS#12, while it is suggested to migrate to more modern algorithms, namely AES-128-CBC with PBKDF2 and SHA-256: https://bugzilla.redhat.com/show_bug.cgi?id=1759982 ## Checklist * [x] Commits have `Signed-off-by:` with name/author being identical to the commit author * [ ] Code modified for feature * [ ] Test suite updated with functionality tests * [ ] Test suite updated with negative tests * [ ] Documentation updated / NEWS entry present (for non-trivial changes) * [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout) ## Reviewer's checklist: * [ ] Any issues marked for closing are addressed * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md` * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1499 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Dec 20 16:37:02 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Mon, 20 Dec 2021 15:37:02 +0000 Subject: [gnutls-devel] GnuTLS | certtool: --to-p12: use modern algorithms by default (!1499) In-Reply-To: References: Message-ID: Reviewer changed to Hubert Kario (@mention me if you need reply) -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1499 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Dec 20 18:06:28 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Mon, 20 Dec 2021 17:06:28 +0000 Subject: [gnutls-devel] GnuTLS | certtool: --to-p12: use modern algorithms by default (!1499) In-Reply-To: References: Message-ID: Hubert Kario (@mention me if you need reply) commented: r+ on changes, but I'd like to see a bit more testing. First: just to double check, the addition of --with-pkcs12-iter-count=10000 in test scripts is just there to speed up CI? Second, shouldn't we verify that 600000 is indeed the new default? Third, what's the HMAC used for PBKDF2? Doesn't GnuTLS default to SHA1 there? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1499#note_790261803 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Dec 20 18:19:01 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Mon, 20 Dec 2021 17:19:01 +0000 Subject: [gnutls-devel] GnuTLS | tls: make GNUTLS_NO_TICKETS no-op in TLS 1.3 (!1475) In-Reply-To: References: Message-ID: Merge request https://gitlab.com/gnutls/gnutls/-/merge_requests/1475 was reviewed by Hubert Kario (@mention me if you need reply) -- Hubert Kario (@mention me if you need reply) started a new discussion on lib/algorithms/protocols.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1475#note_790292249 > const version_entry_st *p, *max = NULL; > > + if (!session->internals.priorities) { if we need to check `priorities` shouldn't we also check `session`? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1475 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Dec 20 18:19:40 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Mon, 20 Dec 2021 17:19:40 +0000 Subject: [gnutls-devel] GnuTLS | tls: make GNUTLS_NO_TICKETS no-op in TLS 1.3 (!1475) In-Reply-To: References: Message-ID: Hubert Kario (@mention me if you need reply) commented: r+, I won't insist on checking for NULL on `session` -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1475#note_790294081 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Dec 20 18:19:44 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Mon, 20 Dec 2021 17:19:44 +0000 Subject: [gnutls-devel] GnuTLS | tls: make GNUTLS_NO_TICKETS no-op in TLS 1.3 (!1475) In-Reply-To: References: Message-ID: Merge request !1475 was approved by Hubert Kario (@mention me if you need reply) Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1475 Project:Branches: dueno/gnutls:wip/dueno/session-ticket-tls13-only to gnutls/gnutls:master Author: Daiki Ueno Assignees: Reviewer: Hubert Kario (@mention me if you need reply) -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1475 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Dec 20 19:00:03 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Mon, 20 Dec 2021 18:00:03 +0000 Subject: [gnutls-devel] GnuTLS | Allocate pathname on heap instead of on stack (!1493) In-Reply-To: References: Message-ID: Tim R?hsen commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/1493#note_790348720 Yeah, I get this. And I agree with that comment in regards to application code. Though it needs to take special care as "not a constant" may also overflow (or at least stress) the amount of RAM that you have. And IMO, for library code the pros and cons listed are still valid. So I wonder if we should discuss other possibilities as well, like supporting only a defined upper path length of e.g. 4095 bytes (excl. 0-byte). This would allow either stack allocation or careful pre-allocation during init phase. An alternative would be a macro that does stack allocation if path length < 4096, else fall back to heap allocation. A MALLOC and a FREE macro could be used to hide the details. Maybe you have other ideas ? And 4096 is just an arbitrary values - it could as well be 1024 or 512, as we likely never see such path length in reality. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1493#note_790348720 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Dec 20 20:55:18 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Mon, 20 Dec 2021 19:55:18 +0000 Subject: [gnutls-devel] GnuTLS | Extend system-override-curves-allowlist test with key generation (!1500) References: Message-ID: Alexander Sosedkin created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1500 Project:Branches: asosedkin/gnutls:curve-keygen-allowlist-test to gnutls/gnutls:master Author: Alexander Sosedkin This extends the existing system-override-curves-allowlist to also attempt key generation in addition to connecting with TLS. The primary goal was to test gnutls_ecc_curve_set_enabled. The test doesn't stop at get_id failing and passes curve values to privkey_generate anyway, expecting it to fail as well. The subsequent blocking seems incidental (e.g., most blocking here relies on a looping `gnutls_ecc_curve_get_pk` returning `GNUTLS_PK_UNKNOWN` and `GNUTLS_PK_UNKNOWN` not matching the requested pk), but let's start small. ## Checklist * [x] Commits have `Signed-off-by:` with name/author being identical to the commit author * [ ] Code modified for feature * [ ] Test suite updated with functionality tests * [ ] Test suite updated with negative tests * [ ] Documentation updated / NEWS entry present (for non-trivial changes) * [x] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout) ## Reviewer's checklist: * [ ] Any issues marked for closing are addressed * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md` * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1500 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Dec 21 06:50:55 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 21 Dec 2021 05:50:55 +0000 Subject: [gnutls-devel] GnuTLS | Extend system-override-curves-allowlist test with key generation (!1500) In-Reply-To: References: Message-ID: Merge request !1500 was approved by Daiki Ueno Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1500 Project:Branches: asosedkin/gnutls:curve-keygen-allowlist-test to gnutls/gnutls:master Author: Alexander Sosedkin Assignees: Reviewers: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1500 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Dec 21 06:51:25 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 21 Dec 2021 05:51:25 +0000 Subject: [gnutls-devel] GnuTLS | Extend system-override-curves-allowlist test with key generation (!1500) In-Reply-To: References: Message-ID: Daiki Ueno commented: Looks good to me; thanks. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1500#note_790813596 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Dec 21 07:18:38 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 21 Dec 2021 06:18:38 +0000 Subject: [gnutls-devel] GnuTLS | Allocate pathname on heap instead of on stack (!1493) In-Reply-To: References: Message-ID: Daiki Ueno commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/1493#note_790832054 I would agree with you if this was a general purpose memory allocation logic. However, in this specific change, all the allocations are immediately followed by accessing the filesystem, which I guess could have far larger latency than malloc. There are several factors that may affect this assumption (e.g., disk cache, malloc implementation may end up with sbrk/brk syscalls), but I am not sure if it is a good idea to optimize at this level, unless we find it really a bottleneck. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1493#note_790832054 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Dec 21 09:00:54 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 21 Dec 2021 08:00:54 +0000 Subject: [gnutls-devel] GnuTLS | tls: make GNUTLS_NO_TICKETS no-op in TLS 1.3 (!1475) In-Reply-To: References: Message-ID: Daiki Ueno commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/1475#note_790915139 > * the name that doesn't clearly signal the meaning you're proposing and I agree. > * the likely existing usage of disabling all resumption for unspecified reasons. I'm skeptical about this, as: * NO_TICKETS doesn't disable all resumption in TLS 1.2 (session ID based resumption cannot be turned off) * resumption requires special API calls (e.g., `gnutls_session_set_data`); if the client program doesn't want resumption, it can simply skip those calls That said, if we add a middle ground for compatibility, it would be an option to explicitly disable non-forward-secret session tickets; maybe NO_TICKETS_TLS12? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1475#note_790915139 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Dec 21 13:49:48 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 21 Dec 2021 12:49:48 +0000 Subject: [gnutls-devel] GnuTLS | gnutls_protocol_set_enabled struggles with enabling originally disabled protocols (#1307) References: Message-ID: Alexander Sosedkin created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1307 This is to track the findings from !1494. When started with an allowlisting configuration file that blocks a certain TLS protocol, reenabling it with `gnutls_protocol_set_enabled` isn't sufficient to allow connecting with it. Reproducing scenarios are available in `tests/protocol-set-allowlist.sh`, commented out. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1307 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Dec 21 13:53:58 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 21 Dec 2021 12:53:58 +0000 Subject: [gnutls-devel] GnuTLS | Draft: priority: partial fix for gnutls_protocol_set_enabled enabling (!1501) References: Message-ID: Alexander Sosedkin created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1501 Project:Branches: asosedkin/gnutls:protocol-set-fixing to gnutls/gnutls:master Author: Alexander Sosedkin Reviewer: Daiki Ueno This is a straightforward hack to fix the most of `gnutls_protocol_set_enabled` misbehaving scenarios from #1307. I made it lock global config and recalculate the effective priority string. Can't say this is clean in any way, so consider carefully. Also, looking into that made me scared of config reload interplay. ## Checklist * [x] Commits have `Signed-off-by:` with name/author being identical to the commit author * [ ] Code modified for feature * [ ] Test suite updated with functionality tests * [ ] Test suite updated with negative tests * [ ] Documentation updated / NEWS entry present (for non-trivial changes) * [x] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout) ## Reviewer's checklist: * [ ] Any issues marked for closing are addressed * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md` * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1501 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Dec 21 13:53:57 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 21 Dec 2021 12:53:57 +0000 Subject: [gnutls-devel] GnuTLS | Draft: priority: partial fix for gnutls_protocol_set_enabled enabling (!1501) In-Reply-To: References: Message-ID: Reviewer changed to Daiki Ueno -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1501 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Dec 21 15:24:53 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 21 Dec 2021 14:24:53 +0000 Subject: [gnutls-devel] GnuTLS | certtool: --to-p12: use modern algorithms by default (!1499) In-Reply-To: References: Message-ID: Daiki Ueno commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/1499#note_791467931 I've added a test that compares the `--p12-info` with the expected output. > First: just to double check, the addition of --with-pkcs12-iter-count=10000 in test scripts is just there to speed up CI? Yes, the number is based on https://searchfox.org/mozilla-central/source/security/nss/lib/pkcs7/p7create.c#21 > Second, shouldn't we verify that 600000 is indeed the new default? I think it's now covered by the new test. > Third, what's the HMAC used for PBKDF2? Doesn't GnuTLS default to SHA1 there? Good point; I've updated it to SHA256. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1499#note_791467931 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Dec 21 15:52:05 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 21 Dec 2021 14:52:05 +0000 Subject: [gnutls-devel] GnuTLS | Allocate pathname on heap instead of on stack (!1493) In-Reply-To: References: Message-ID: Tim R?hsen commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/1493#note_791505299 There are a bunch of other 'pros' (in the list above) that have nothing to do with performance optimzations (it sounds like you are referring to perf opt only). As it is hard to get test coverage for every possibly error case, I'd try to avoid heap allocations in C/C++ as much as possible. That reduces future maintenance, especially when thinking of future code changes or extensions. We could consider keeping the dirname and the basename separate, so that we could use openat (at least on POSIX systems). Hm, I think this requires some kind of redesign. BTW, looking at `gnutls_x509_trust_list_add_trust_file()`, there is a memory leak if both `ca_file` and `crl_file` are set but `read_file(crl_file, ...)` returns NULL. Less heap allocations means less memory faults - that's why I am a bit hesitant regarding this PR. But please feel free to merge. We can discuss any redesign at a later time. I didn't want to "capture" this PR :-) -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1493#note_791505299 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Dec 21 15:53:51 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 21 Dec 2021 14:53:51 +0000 Subject: [gnutls-devel] GnuTLS | certtool: --to-p12: use modern algorithms by default (!1499) In-Reply-To: References: Message-ID: Milestone changed to Release of GnuTLS 3.7.3 release ( https://gitlab.com/gnutls/gnutls/-/milestones/32 ) -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1499 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Dec 21 16:24:47 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 21 Dec 2021 15:24:47 +0000 Subject: [gnutls-devel] GnuTLS | Help: Network Manager can not start (#1308) References: Message-ID: bleem created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1308 Hi! I'm using ubuntu 20.04. I build latest gnutls with latest nettle, and I installed gnutls using `make install`. The gnutls replaced the original in my system. But when I restart my computer, the Network Manager start failed with logging "lib nettle.so.8 can not found". But the nettle.so.8 is installed to `/usr/lib64`. What can I do to recover my system? Thanks for you help! -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1308 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Dec 21 16:36:17 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 21 Dec 2021 15:36:17 +0000 Subject: [gnutls-devel] GnuTLS | Help: Network Manager can not start (#1308) In-Reply-To: References: Message-ID: Daiki Ueno commented: As far as I know, Debian based distribution looks up shared libs in `/usr/lib/x86_64-linux-gnu/` instead of `/usr/lib64`. Maybe you could check how the .deb packages do? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1308#note_791570193 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Dec 21 16:56:56 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 21 Dec 2021 15:56:56 +0000 Subject: [gnutls-devel] GnuTLS | Help: Network Manager can not start (#1308) In-Reply-To: References: Message-ID: bleem commented: Do you mean `PKG_CONFIG_PATH`? I've already set `PKG_CONFIG_PATH=/usr/lib64/pkgconfig` in `/etc/profile` but it also doesn't work. Btw, in Debian based system, can I solve the problem by changing the install path of nettle? Thanks for your help! -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1308#note_791597784 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Dec 21 17:58:16 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 21 Dec 2021 16:58:16 +0000 Subject: [gnutls-devel] GnuTLS | Help: Network Manager can not start (#1308) In-Reply-To: References: Message-ID: Daiki Ueno commented on a discussion: https://gitlab.com/gnutls/gnutls/-/issues/1308#note_791687887 No, `PKG_CONFIG_PATH` is only meaningful at build time. You will have to install .so files in a directory which the dynamic linker searches for. See the files at `/etc/ld.so.conf.d/*`. > Btw, in Debian based system, can I solve the problem by changing the install path of nettle? When building gnutls and nettle from source, you can change it with `./configure --libdir` option. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1308#note_791687887 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Dec 21 19:10:51 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 21 Dec 2021 18:10:51 +0000 Subject: [gnutls-devel] GnuTLS | certtool: --to-p12: use modern algorithms by default (!1499) In-Reply-To: References: Message-ID: Merge request https://gitlab.com/gnutls/gnutls/-/merge_requests/1499 was reviewed by Alexander Sosedkin -- Alexander Sosedkin started a new discussion on lib/x509/pkcs12.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1499#note_791769432 > int gnutls_pkcs12_generate_mac(gnutls_pkcs12_t pkcs12, const char *pass) > { > return gnutls_pkcs12_generate_mac2(pkcs12, GNUTLS_MAC_SHA1, pass); How about gnutls_pkcs12_generate_mac defaulting to GNUTLS_MAC_SHA1, do we update that? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1499 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Dec 22 01:59:18 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 22 Dec 2021 00:59:18 +0000 Subject: [gnutls-devel] GnuTLS | Help: Network Manager can not start (#1308) In-Reply-To: References: Message-ID: bleem commented: > When building gnutls and nettle from source, you can change it with `./configure --libdir` option. In my case, is it using `./configure --libdir=/usr/lib/x86_64-linux-gnu/`? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1308#note_792078279 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Dec 22 07:17:20 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 22 Dec 2021 06:17:20 +0000 Subject: [gnutls-devel] GnuTLS | Help: Network Manager can not start (#1308) In-Reply-To: References: Message-ID: bleem commented on a discussion: https://gitlab.com/gnutls/gnutls/-/issues/1308#note_792214231 Hi, I've solve the problem by adding `/usr/lib64` to `/etc/ld.so.conf.d/x86_64-linux-gnu.conf`. Thank you! :smile: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1308#note_792214231 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Dec 22 08:26:20 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 22 Dec 2021 07:26:20 +0000 Subject: [gnutls-devel] GnuTLS | gnutls_{hash, hmac}_copy: mention the functions do not always work (!1502) References: Message-ID: Daiki Ueno created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1502 Project:Branches: dueno/gnutls:wip/dueno/hash-copy-doc to gnutls/gnutls:master Author: Daiki Ueno It is known that some built-in accelerated implementation, such as AF_ALG, does not support copying hash/hmac contexts. This expands the documentation to suggest checking the return value of those functions. ## Checklist * [x] Commits have `Signed-off-by:` with name/author being identical to the commit author * [ ] Code modified for feature * [ ] Test suite updated with functionality tests * [ ] Test suite updated with negative tests * [ ] Documentation updated / NEWS entry present (for non-trivial changes) * [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout) ## Reviewer's checklist: * [ ] Any issues marked for closing are addressed * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md` * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1502 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Dec 22 08:29:27 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 22 Dec 2021 07:29:27 +0000 Subject: [gnutls-devel] GnuTLS | gnutls_{hash, hmac}_copy: mention the functions do not always work (!1502) In-Reply-To: References: Message-ID: Reviewer changed to Alexander Sosedkin -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1502 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Dec 22 09:15:08 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 22 Dec 2021 08:15:08 +0000 Subject: [gnutls-devel] GnuTLS | wrap_nettle_hash_fast: avoid calling _update with zero-length input (!1503) References: Message-ID: Daiki Ueno created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1503 Project:Branches: dueno/gnutls:wip/dueno/nettle-hash to gnutls/gnutls:master Author: Daiki Ueno As Nettle's hash update functions internally call memcpy, providing zero-length input may cause undefined behavior. ## Checklist * [x] Commits have `Signed-off-by:` with name/author being identical to the commit author * [ ] Code modified for feature * [ ] Test suite updated with functionality tests * [ ] Test suite updated with negative tests * [ ] Documentation updated / NEWS entry present (for non-trivial changes) * [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout) ## Reviewer's checklist: * [ ] Any issues marked for closing are addressed * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md` * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1503 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Dec 22 10:09:05 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 22 Dec 2021 09:09:05 +0000 Subject: [gnutls-devel] GnuTLS | gnutls_{hash, hmac}_copy: mention the functions do not always work (!1502) In-Reply-To: References: Message-ID: Merge request !1502 was approved by Alexander Sosedkin Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1502 Project:Branches: dueno/gnutls:wip/dueno/hash-copy-doc to gnutls/gnutls:master Author: Daiki Ueno Assignees: Reviewer: Alexander Sosedkin -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1502 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Dec 22 10:37:02 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 22 Dec 2021 09:37:02 +0000 Subject: [gnutls-devel] GnuTLS | gnutls_{hash, hmac}_copy: mention the functions do not always work (!1502) In-Reply-To: References: Message-ID: Merge request !1502 was merged Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1502 Project:Branches: dueno/gnutls:wip/dueno/hash-copy-doc to gnutls/gnutls:master Author: Daiki Ueno Assignees: Reviewer: Alexander Sosedkin -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1502 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Dec 22 10:38:04 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 22 Dec 2021 09:38:04 +0000 Subject: [gnutls-devel] GnuTLS | Help: Network Manager can not start (#1308) In-Reply-To: References: Message-ID: Issue was closed by Daiki Ueno Issue #1308: https://gitlab.com/gnutls/gnutls/-/issues/1308 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1308 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Dec 22 10:38:03 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 22 Dec 2021 09:38:03 +0000 Subject: [gnutls-devel] GnuTLS | Help: Network Manager can not start (#1308) In-Reply-To: References: Message-ID: Daiki Ueno commented: Glad to hear it works; closing now. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1308#note_792397001 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Dec 22 11:31:38 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 22 Dec 2021 10:31:38 +0000 Subject: [gnutls-devel] GnuTLS | wrap_nettle_hash_fast: avoid calling _update with zero-length input (!1503) In-Reply-To: References: Message-ID: Merge request !1503 was approved by Alexander Sosedkin Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1503 Project:Branches: dueno/gnutls:wip/dueno/nettle-hash to gnutls/gnutls:master Author: Daiki Ueno Assignees: Reviewers: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1503 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Dec 22 16:16:04 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 22 Dec 2021 15:16:04 +0000 Subject: [gnutls-devel] GnuTLS | wrap_nettle_hash_fast: avoid calling _update with zero-length input (!1503) In-Reply-To: References: Message-ID: Merge request !1503 was merged Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1503 Project:Branches: dueno/gnutls:wip/dueno/nettle-hash to gnutls/gnutls:master Author: Daiki Ueno Assignees: Reviewers: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1503 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Dec 22 18:49:00 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 22 Dec 2021 17:49:00 +0000 Subject: [gnutls-devel] GnuTLS | accelerated: fix CPU feature detection for Intel CPUs (!1487) In-Reply-To: References: Message-ID: Daiki Ueno commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/1487#note_792991153 I think this should be fixed now. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1487#note_792991153 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat Dec 25 08:38:33 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Sat, 25 Dec 2021 07:38:33 +0000 Subject: [gnutls-devel] GnuTLS | fips: add functions to inspect thread-local FIPS operation state (!1465) In-Reply-To: References: Message-ID: Daiki Ueno commented on a discussion on lib/nettle/pk.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1465#note_794977771 > > break; > } > case GNUTLS_PK_EC: I think the `get_supported_nist_curve` below on line 414 mostly does that (by making it a hard error), except P192 (which is [hobbled](https://src.fedoraproject.org/rpms/nettle/blob/rawhide/f/hobble-nettle) in Fedora/RHEL at Nettle level). -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1465#note_794977771 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat Dec 25 09:55:02 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Sat, 25 Dec 2021 08:55:02 +0000 Subject: [gnutls-devel] GnuTLS | fips: add functions to inspect thread-local FIPS operation state (!1465) In-Reply-To: References: Message-ID: Daiki Ueno commented on a discussion on lib/nettle/pk.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1465#note_794989073 > mpz_clear(ypowq); > > if (ret < 0) > - goto fail; > + goto cleanup; > > break; > } > case GNUTLS_PK_RSA_PSS: > case GNUTLS_PK_RSA: KeyGen uses a special logic for RSA in FIPS mode, which only [allows](https://gitlab.com/gnutls/gnutls/-/blob/master/lib/nettle/int/rsa-keygen-fips186.c#L432) 2048 and 3072-bit key sizes. So I don't think we need an additional check. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1465#note_794989073 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat Dec 25 10:04:10 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Sat, 25 Dec 2021 09:04:10 +0000 Subject: [gnutls-devel] GnuTLS | fips: add functions to inspect thread-local FIPS operation state (!1465) In-Reply-To: References: Message-ID: Daiki Ueno commented on a discussion on lib/nettle/pk.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1465#note_794990351 > > break; > } > case GNUTLS_PK_EC: I've added an explicit check for P-192 after calling that function. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1465#note_794990351 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat Dec 25 10:14:52 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Sat, 25 Dec 2021 09:14:52 +0000 Subject: [gnutls-devel] GnuTLS | fips: add functions to inspect thread-local FIPS operation state (!1465) In-Reply-To: References: Message-ID: Daiki Ueno commented on a discussion on lib/nettle/pk.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1465#note_794991744 > ecc_point_clear(&pub); > break; > } > case GNUTLS_PK_DSA: Good idea, I've added `not_approved = true` for DSA operations. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1465#note_794991744 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat Dec 25 11:46:48 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Sat, 25 Dec 2021 10:46:48 +0000 Subject: [gnutls-devel] GnuTLS | fips: add functions to inspect thread-local FIPS operation state (!1465) In-Reply-To: References: Message-ID: Daiki Ueno commented on a discussion on lib/nettle/pk.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1465#note_795005826 > > break; > } > case GNUTLS_PK_RSA: I've added a check for key size; the hash algorithm is checked in the [caller](https://gitlab.com/gnutls/gnutls/-/merge_requests/1465/diffs#3459859ca597f508896beb5447c951f4979231a1_1203_1205). By the way, currently do we need a similar check for encrypt/decrypt? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1465#note_795005826 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat Dec 25 11:52:24 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Sat, 25 Dec 2021 10:52:24 +0000 Subject: [gnutls-devel] GnuTLS | fips: add functions to inspect thread-local FIPS operation state (!1465) In-Reply-To: References: Message-ID: Daiki Ueno commented on a discussion on lib/nettle/pk.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1465#note_795006600 > > break; > } > case GNUTLS_PK_RSA_PSS: Added key size check; hash algorithm check is not needed as Nettle only supports RSA-PSS with SHA256, SHA384, and SHA512. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1465#note_795006600 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat Dec 25 13:02:37 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Sat, 25 Dec 2021 12:02:37 +0000 Subject: [gnutls-devel] GnuTLS | fips: add functions to inspect thread-local FIPS operation state (!1465) In-Reply-To: References: Message-ID: Daiki Ueno commented on a discussion on lib/nettle/pk.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1465#note_795016933 > } > > switch (algo) { > case GNUTLS_PK_DSA: Added `not_approved = true;` to all DSA operations. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1465#note_795016933 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat Dec 25 13:05:19 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Sat, 25 Dec 2021 12:05:19 +0000 Subject: [gnutls-devel] GnuTLS | fips: add functions to inspect thread-local FIPS operation state (!1465) In-Reply-To: References: Message-ID: Daiki Ueno commented on a discussion on lib/nettle/pk.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1465#note_795017330 > mpz_clear(y); > > if (ret < 0) > - goto fail; > + goto cleanup; > > break; > } > #endif > FALLTHROUGH; > case GNUTLS_PK_DH: Added a size check in the loop condition, to ensure that the resulting X is always >= 2048 bits. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1465#note_795017330 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat Dec 25 13:05:41 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Sat, 25 Dec 2021 12:05:41 +0000 Subject: [gnutls-devel] GnuTLS | fips: add functions to inspect thread-local FIPS operation state (!1465) In-Reply-To: References: Message-ID: Daiki Ueno commented on a discussion on lib/nettle/pk.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1465#note_795017360 > } > break; > } > case GNUTLS_PK_DSA: Added `not_approved = true;` to the DSA operation. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1465#note_795017360 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat Dec 25 14:06:47 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Sat, 25 Dec 2021 13:06:47 +0000 Subject: [gnutls-devel] GnuTLS | fips: add functions to inspect thread-local FIPS operation state (!1465) In-Reply-To: References: Message-ID: Daiki Ueno commented on a discussion on lib/nettle/pk.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1465#note_795028172 > > break; > } > case GNUTLS_PK_RSA: Also: while it is guaranteed that generated keys are >= 2048 bits, it is possible to import a shorter key and create a signature with it. Should it be a hard error, or it is sufficient to report it as "non-approved"? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1465#note_795028172 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat Dec 25 17:53:21 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Sat, 25 Dec 2021 16:53:21 +0000 Subject: [gnutls-devel] GnuTLS | p11tool cannot generate ed25519 keys (#1309) References: Message-ID: Chih-Hsuan Yen created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1309 ## Description of problem: I'm testing PKCS#11 via SoftHSM, and I noticed p11tool failed to generate Ed25519 keys. Digging a little, it seems a GnuTLS issue instead of a SoftHSM one - apparently GnuTLS uses a wrong mechanism for generating Ed25519 keys? Specifically, GnuTLS uses `CKM_EDDSA` [1], while this mechanism is for sign/verify instead of key generation [2]. [1] https://gitlab.com/gnutls/gnutls/-/blob/3.7.2/lib/pkcs11_int.h#L295 [2] https://docs.oasis-open.org/pkcs11/pkcs11-curr/v3.0/csprd01/pkcs11-curr-v3.0-csprd01.pdf, table 33 ## Version of gnutls used: 3.7.2, with SoftHSM 2.6.1 ## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL) Arch Linux ## How reproducible: Steps to Reproduce: ``` $ softhsm2-util --init-token --free --label MyToken $ p11tool --login --generate-privkey Ed25519 --label Ed25519 --outfile key.pem "pkcs11:model=SoftHSM%20v2;token=MyToken" ``` ## Actual results: ``` Generating an EdDSA (Ed25519) key... Token 'MyToken' with URL 'pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=6e5932b8da7f62f0;token=MyToken' requires user PIN Enter PIN: Error in pkcs11_generate:1355: PKCS #11 unsupported feature ``` ## Expected results: Key generation succeeds -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1309 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat Dec 25 20:19:50 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Sat, 25 Dec 2021 19:19:50 +0000 Subject: [gnutls-devel] GnuTLS | fips: add functions to inspect thread-local FIPS operation state (!1465) In-Reply-To: References: Message-ID: Daiki Ueno commented on a discussion on lib/nettle/pk.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1465#note_795078315 > unsigned int flags) > { > int ret; > + bool not_approved = false; > > switch (algo) { > case GNUTLS_PK_DH: { After second thought, do we still need this check as we restrict the DH primes to >= 2048 bits (i.e., RFC 7919 and RFC 3526 >= 2048)? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1465#note_795078315 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Dec 28 16:34:20 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 28 Dec 2021 15:34:20 +0000 Subject: [gnutls-devel] GnuTLS | fips: add functions to inspect thread-local FIPS operation state (!1465) In-Reply-To: References: Message-ID: Daiki Ueno commented: @smuellerDD thank you for the review. So far, I've made the following changes based on the suggestions from @pmgdeb: - DH now checks if the prime is 2048-bit (otherwise mark the op as non-approved), ECDH now additionally checks P-192 - RSA and RSA-PSS now have explicit check on the key length in KeyGen, SigGen, and SigVer - RSA and RSA-PSS now have explicit check on the hash algorithm in KeyGen, SigGen, and SigVer (SHA-2 only for KeyGen and SigGen, SHA-1 is also marked as approved for SigVer) - DSA is marked as non-approved for all uses - ECDSA now additionally checks P-192 - GCM is marked as non-approved for all uses including TLS - HKDF is marked as non-approved for all uses including TLS For the last two we plan to mark the TLS uses as approved, but I think it covers most of the certification requirements now. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1465#note_796799143 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: