From gnutls-devel at lists.gnutls.org Fri Jan 1 05:08:48 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Fri, 01 Jan 2021 04:08:48 +0000
Subject: [gnutls-devel] GnuTLS | Wrong CDP in certificate (#1126)

GnuTLS bot commented:

@thka This issue is unlabelled after 30 days. It needs attention.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1126#note_476554330
You're receiving this email because of your account on gitlab.com.
-------------- next part --------------
An HTML attachment was scrubbed...


From gnutls-devel at lists.gnutls.org Fri Jan 1 05:08:49 2021
Date: Fri, 01 Jan 2021 04:08:49 +0000
Subject: [gnutls-devel] GnuTLS | Issues require labels (#1141)

GnuTLS bot created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1141

The following issues require labels:

- [ ] [Service Desk (from dinh at flic.net): gnutls-cli bug?](https://gitlab.com/gnutls/gnutls/-/issues/1128)
- [ ] [Wrong CDP in certificate](https://gitlab.com/gnutls/gnutls/-/issues/1126)
- [ ] [Service Desk (from wojciech.pasieka at zielona-polska.org): gnutls-cli 3.6.13 and Ubuntu 20.04 focal](https://gitlab.com/gnutls/gnutls/-/issues/1121)
- [ ] [Service Desk (from wojciech.pasieka at zielona-polska.org): gnutls-cli 3.6.13 and Ubuntu 20.04 focal](https://gitlab.com/gnutls/gnutls/-/issues/1120)
- [ ] [Update predefined priority keywords](https://gitlab.com/gnutls/gnutls/-/issues/1098)

Please take care of them.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1141


From gnutls-devel at lists.gnutls.org Sat Jan 2 15:27:56 2021
Date: Sat, 02 Jan 2021 14:27:56 +0000
Subject: [gnutls-devel] GnuTLS | Rethink the use of GitHub CI integration (#1140)

Daiki Ueno commented on a discussion: https://gitlab.com/gnutls/gnutls/-/issues/1140#note_476838787

That's great. Regarding Xcode versions, although a quick web search suggests the use of envvars such as `DEVELOPER_DIR`, I couldn't find a normative reference in the GitHub documentation either.

> Other than that (or if those questions can be deferred) I'd say it's ready to merge.

I agree; would you mind filing an MR for this?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1140#note_476838787


From gnutls-devel at lists.gnutls.org Sat Jan 2 15:36:28 2021
Date: Sat, 02 Jan 2021 14:36:28 +0000
Subject: [gnutls-devel] GnuTLS | Rethink the use of GitHub CI integration (#1140)

Airtower commented on a discussion: https://gitlab.com/gnutls/gnutls/-/issues/1140#note_476839606

Sure, will do. Should I remove the Travis build in that MR, too, or just add the Github Actions one?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1140#note_476839606


From gnutls-devel at lists.gnutls.org Sat Jan 2 16:10:44 2021
Date: Sat, 02 Jan 2021 15:10:44 +0000
Subject: [gnutls-devel] GnuTLS | Rethink the use of GitHub CI integration (#1140)

Daiki Ueno commented on a discussion: https://gitlab.com/gnutls/gnutls/-/issues/1140#note_476844786

I guess we can remove it. I was thinking of using Travis for FreeBSD CI (it's still free of charge, while the GitLab FreeBSD CI runner needs hosting), but we can reconsider that later.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1140#note_476844786


From gnutls-devel at lists.gnutls.org Sat Jan 2 18:28:55 2021
Date: Sat, 02 Jan 2021 17:28:55 +0000
Subject: [gnutls-devel] GnuTLS | Use Github Actions for MacOS CI (!1375)

Airtower created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1375

Project:Branches: airtower-luna/gnutls:github-macos to gnutls/gnutls:master
Author: Airtower

Replace the Travis build on MacOS with a Github Actions job doing essentially the same. Note that currently only a single OS/Xcode version combination is used.

Fixes #1140.

## Checklist

* [x] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [x] Code modified for feature
* [ ] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [x] Documentation updated / NEWS entry present (for non-trivial changes)
* [x] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:

* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1375


From gnutls-devel at lists.gnutls.org Sun Jan 3 09:50:46 2021
Date: Sun, 03 Jan 2021 08:50:46 +0000
Subject: [gnutls-devel] GnuTLS | Use Github Actions for MacOS CI (!1375)

Merge Request !1375 was approved by Daiki Ueno

Merge Request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1375
Project:Branches: airtower-luna/gnutls:github-macos to gnutls/gnutls:master
Author: Airtower
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1375

From gnutls-devel at lists.gnutls.org Sun Jan 3 09:53:11 2021
Date: Sun, 03 Jan 2021 08:53:11 +0000
Subject: [gnutls-devel] GnuTLS | Use Github Actions for MacOS CI (!1375)

Daiki Ueno commented:

Thank you! Looks good to me.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1375#note_476952301


From gnutls-devel at lists.gnutls.org Wed Jan 6 17:03:08 2021
Date: Wed, 06 Jan 2021 16:03:08 +0000
Subject: [gnutls-devel] GnuTLS | CI pipeline rework - using stages and inheritance (!1366)

Stanislav Židek commented:

@dueno What is the best way forward with this?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1366#note_479640979


From gnutls-devel at lists.gnutls.org Thu Jan 7 07:51:30 2021
Date: Thu, 07 Jan 2021 06:51:30 +0000
Subject: [gnutls-devel] GnuTLS | build fails at "./bootstrap: getting translations into po/.reference for gnutls..." (#1143)

Vincent Grande created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1143

When trying to compile gnutls from master, the build will fail at this step. Here is the log.

[gnutls-git-3.7.0.r9.gf6b4695cc-1-x86_64-build.log](/uploads/ab29da08b8cb721b92477a0229a37168/gnutls-git-3.7.0.r9.gf6b4695cc-1-x86_64-build.log)

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1143


From gnutls-devel at lists.gnutls.org Thu Jan 7 08:12:42 2021
Date: Thu, 07 Jan 2021 07:12:42 +0000
Subject: [gnutls-devel] GnuTLS | build fails at "./bootstrap: getting translations into po/.reference for gnutls..." (#1143)

Andreas Metzler commented:

Missing wget/rsync?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1143#note_480028982


From gnutls-devel at lists.gnutls.org Thu Jan 7 09:08:11 2021
Date: Thu, 07 Jan 2021 08:08:11 +0000
Subject: [gnutls-devel] GnuTLS | build fails at "./bootstrap: getting translations into po/.reference for gnutls..." (#1143)

Vincent Grande commented:

I do have both those packages installed. What's odd is I build libidn2 from master, which has a very similar build system, and it compiles successfully.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1143#note_480054408


From gnutls-devel at lists.gnutls.org Thu Jan 7 11:34:59 2021
Date: Thu, 07 Jan 2021 10:34:59 +0000
Subject: [gnutls-devel] GnuTLS | CI pipeline rework - using stages and inheritance (!1366)

Daiki Ueno commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/1366#note_480167037

@ep69 I think this change is already perfect. Kudos on the simplification you've made with `extends`. Maybe we can just merge it now, once the other approved MRs land?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1366#note_480167037


From gnutls-devel at lists.gnutls.org Thu Jan 7 11:35:02 2021
Date: Thu, 07 Jan 2021 10:35:02 +0000
Subject: [gnutls-devel] GnuTLS | CI pipeline rework - using stages and inheritance (!1366)

Merge Request !1366 was approved by Daiki Ueno

Merge Request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1366
Project:Branches: ep69/gnutls:ci-rework to gnutls/gnutls:master
Author: Stanislav Židek
Assignee: Daiki Ueno

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1366


From gnutls-devel at lists.gnutls.org Thu Jan 7 12:03:02 2021
Date: Thu, 07 Jan 2021 11:03:02 +0000
Subject: [gnutls-devel] GnuTLS | CI pipeline rework - using stages and inheritance (!1366)

Stanislav Židek commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/1366#note_480189807

Sure, whatever works. Let me know if I can help with anything.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1366#note_480189807


From gnutls-devel at lists.gnutls.org Thu Jan 7 13:28:26 2021
Date: Thu, 07 Jan 2021 12:28:26 +0000
Subject: [gnutls-devel] GnuTLS | configure: Remove -no_weak_links from LDFLAGS after detecting function availability (!1376)

Martin Storsjö created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1376

Project:Branches: mstorsjo/gnutls:no-weak to gnutls/gnutls:master
Author: Martin Storsjö

This fixes #966 in a different way, without reintroducing #142.

Add a description of the new feature/bug fix. Reference any relevant bugs..

## Checklist

* [x] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [x] Code modified for feature
* [ ] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
* [x] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:

* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1376


From gnutls-devel at lists.gnutls.org Thu Jan 7 13:31:08 2021
Date: Thu, 07 Jan 2021 12:31:08 +0000
Subject: [gnutls-devel] GnuTLS | configure: check that -no_weak_links works with FD_SET (!1266)

Martin Storsjö commented:

FWIW, this effectively reintroduces #146 (by not adding `-no_weak_imports` when testing for function availability) on newer Xcode versions. I sent a new MR fixing the issue differently, see !1376.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1266#note_480244178

From gnutls-devel at lists.gnutls.org Thu Jan 7 20:12:21 2021
Date: Thu, 07 Jan 2021 19:12:21 +0000
Subject: [gnutls-devel] GnuTLS | certtool --generate-self-signed returns crt_sign: ASN1 parser: Value is not valid. (#1144)

Eirik Øverby created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1144

## Description of problem:

When using --generate-privkey with subsequent --generate-self-signed, certtool returns crt_sign: ASN1 parser: Value is not valid.

## Version of gnutls used:

gnutls-3.6.15

## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)

FreeBSD (official package repos for 12.2, and self-built for 12.2 and CURRENT)

## How reproducible:

Every time

Steps to Reproduce:

* echo "cn = localhost" > foo
* certtool --generate-privkey --outfile key.pem
* certtool --generate-self-signed --load-privkey key.pem --template foo --outfile cert.pem

## Actual results:

Adding -d 9999 -VVVVV, we get:

```
Generating a 3072 bit RSA private key...
Setting log level to 9999
Generating a self signed certificate...
|<3>| ASSERT: mpi.c[wrap_nettle_mpi_print]:60
|<3>| ASSERT: mpi.c[wrap_nettle_mpi_print]:60
|<3>| ASSERT: mpi.c[wrap_nettle_mpi_print]:60
|<3>| ASSERT: mpi.c[wrap_nettle_mpi_print]:60
|<3>| ASSERT: mpi.c[wrap_nettle_mpi_print]:60
|<3>| ASSERT: mpi.c[wrap_nettle_mpi_print]:60
|<3>| ASSERT: x509.c[gnutls_x509_crt_get_issuer_unique_id]:3995
|<3>| ASSERT: x509.c[gnutls_x509_crt_get_subject_unique_id]:3945
|<3>| ASSERT: mpi.c[wrap_nettle_mpi_print]:60
|<3>| ASSERT: mpi.c[wrap_nettle_mpi_print]:60
|<3>| ASSERT: mpi.c[wrap_nettle_mpi_print]:60
|<3>| ASSERT: mpi.c[wrap_nettle_mpi_print]:60
|<3>| ASSERT: mpi.c[wrap_nettle_mpi_print]:60
|<3>| ASSERT: mpi.c[wrap_nettle_mpi_print]:60
X.509 Certificate Information:
	Version: 3
	Serial Number (hex): 1fbcd9fed9ca1aaedb8882209f96bcded324d777
	Validity:
		Not Before: Thu Jan 07 19:10:27 UTC 2021
		Not After: Fri Jan 07 19:10:27 UTC 2022
	Subject: CN=localhost
	Subject Public Key Algorithm: RSA
	Algorithm Security Level: High (3072 bits)
		Modulus (bits 3072):
			00:bd:80:78:84:48:61:ab:3b:5d:72:55:4f:af:88:9b
			17:0c:04:f9:13:b8:b1:89:d0:e2:9b:f2:dc:49:91:a5
			8f:f8:11:f0:06:40:c0:25:d5:43:a3:5b:99:fa:f6:a2
			06:00:7f:4c:c2:7c:6e:e5:3d:dd:7f:75:b9:71:83:7a
			a8:62:69:03:b1:2f:76:a1:21:bb:05:34:05:be:67:e2
			ed:be:ed:e0:c6:2f:18:7a:4e:85:97:81:50:79:9c:d9
			af:b1:ab:27:68:d1:3f:a9:94:22:ff:a8:eb:72:45:90
			c1:ac:ca:ef:c9:da:bb:2c:6d:a3:a4:f6:d1:3b:9d:bf
			d9:1a:c4:2f:2e:ed:8a:96:1c:fb:14:03:ca:8e:f5:51
			94:76:08:e0:75:d0:3d:36:ae:95:4f:56:73:4f:18:6f
			58:2b:94:01:a9:df:06:f0:c4:07:be:3e:bb:20:c6:dc
			7a:bb:6a:04:20:d4:9d:37:59:8c:47:cd:49:37:f7:cc
			18:92:4f:3c:6b:38:23:87:14:14:26:ff:98:b3:e0:9e
			a2:29:32:4f:27:1d:85:02:62:05:7d:45:a8:e4:eb:10
			dc:75:55:9a:32:d1:30:fb:a8:e2:3d:a9:05:85:38:c1
			0c:8d:c6:6d:10:3a:bc:9b:21:a9:21:c7:3a:21:be:b0
			e0:83:4c:35:44:dd:8b:4d:34:ac:18:d7:14:e6:64:fb
			43:cc:57:bd:d1:d6:85:73:16:25:e9:f0:3f:12:22:27
			51:ca:0c:85:b6:01:e1:60:4b:14:29:e3:41:0c:aa:b0
			48:c7:86:be:02:1a:36:87:b6:69:41:dd:ea:74:ee:41
			f7:2d:9e:1b:0d:c2:b9:5f:8c:d2:3a:e1:40:57:3f:2d
			51:bf:e1:12:92:ef:cb:b7:b8:05:2c:0c:e8:a9:66:1c
			b3:ea:64:90:d7:8b:24:c8:c1:e5:0f:15:94:63:46:ef
			a6:e8:9a:5f:80:34:26:b3:fc:73:fe:74:12:48:f3:83
			a7
		Exponent (bits 24):
			01:00:01
	Extensions:
		Basic Constraints (critical):
			Certificate Authority (CA): FALSE
		Subject Key Identifier (not critical):
			2d3b81b3d6373615164f93815555d2858201da81
Other Information:
	Public Key ID:
		sha1:2d3b81b3d6373615164f93815555d2858201da81
		sha256:eec2fd786efb96250a8ba29bfa132ec60aedd8e15eb650eb030a28866ef7fe60
	Public Key PIN:
		pin-sha256:7sL9eG77liUKi6Kb+hMuxgrt2OFetlDrAwoohm73/mA=

Signing certificate...
|<2>| signing structure using RSA-SHA256
|<3>| ASSERT: common.c[_gnutls_x509_der_encode]:855
|<3>| ASSERT: sign.c[_gnutls_x509_pkix_sign]:174
|<3>| ASSERT: x509_write.c[gnutls_x509_crt_privkey_sign]:1834
crt_sign: ASN1 parser: Value is not valid.
```

## Expected results:

A self-signed certificate.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1144


From gnutls-devel at lists.gnutls.org Fri Jan 8 04:02:47 2021
Date: Fri, 08 Jan 2021 03:02:47 +0000
Subject: [gnutls-devel] GnuTLS | build fails at "./bootstrap: getting translations into po/.reference for gnutls..." (#1143)

Vincent Grande commented:

If I use the --skip-po flag for bootstrap, I can bypass this bit of the build.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1143#note_480750114

From gnutls-devel at lists.gnutls.org Fri Jan 8 04:43:32 2021
Date: Fri, 08 Jan 2021 03:43:32 +0000
Subject: [gnutls-devel] GnuTLS | build fails - ./configure: line 6805: syntax error near unexpected token `ac_cv_prog_cc_stdc=$ac_cv_prog_cc_c89' (#1145)

Vincent Grande created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1145

I encounter a build error during compile. It states the following error.

./configure: line 6805: syntax error near unexpected token `ac_cv_prog_cc_stdc=$ac_cv_prog_cc_c89'
./configure: line 6805: ` ac_cv_prog_cc_stdc=$ac_cv_prog_cc_c89'

Here is the full log.

[gnutls-git-3.7.0.r9.gf6b4695cc-1-x86_64-build.log](/uploads/93b71cfc6afbba08d82828beabfd723a/gnutls-git-3.7.0.r9.gf6b4695cc-1-x86_64-build.log)

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1145


From gnutls-devel at lists.gnutls.org Fri Jan 8 08:42:07 2021
Date: Fri, 08 Jan 2021 07:42:07 +0000
Subject: [gnutls-devel] GnuTLS | Rethink the use of GitHub CI integration (#1140)

Issue was closed by Airtower via merge request !1375 (https://gitlab.com/gnutls/gnutls/-/merge_requests/1375)

Issue #1140: https://gitlab.com/gnutls/gnutls/-/issues/1140

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1140


From gnutls-devel at lists.gnutls.org Fri Jan 8 10:10:24 2021
Date: Fri, 08 Jan 2021 09:10:24 +0000
Subject: [gnutls-devel] GnuTLS | build fails - ./configure: line 6805: syntax error near unexpected token `ac_cv_prog_cc_stdc=$ac_cv_prog_cc_c89' (#1145)

Daiki Ueno commented:

This looks like a duplicate of #1138, which should be fixed with !1374 (if anyone could approve that MR that would be appreciated).

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1145#note_480901508


From gnutls-devel at lists.gnutls.org Fri Jan 8 10:10:25 2021
Date: Fri, 08 Jan 2021 09:10:25 +0000
Subject: [gnutls-devel] GnuTLS | build fails - ./configure: line 6805: syntax error near unexpected token `ac_cv_prog_cc_stdc=$ac_cv_prog_cc_c89' (#1145)

Issue was closed by Daiki Ueno

Issue #1145: https://gitlab.com/gnutls/gnutls/-/issues/1145

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1145


From gnutls-devel at lists.gnutls.org Fri Jan 8 10:24:39 2021
Date: Fri, 08 Jan 2021 09:24:39 +0000
Subject: [gnutls-devel] GnuTLS | gnutls_x509_trust_list_verify_crt2: ignore duplicate certificates (!1370)

Daiki Ueno commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/1370#note_480914492

Thank you for testing; could you (or anyone) take a review of this MR so we can merge?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1370#note_480914492


From gnutls-devel at lists.gnutls.org Fri Jan 8 11:12:14 2021
Date: Fri, 08 Jan 2021 10:12:14 +0000
Subject: [gnutls-devel] GnuTLS | gnutls_x509_trust_list_verify_crt2: ignore duplicate certificates (!1370)

Vladimír Čunát commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/1370#note_480952232

This change fixes my reproducer as well (applied to 3.7.0). I can't do a real review.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1370#note_480952232


From gnutls-devel at lists.gnutls.org Fri Jan 8 11:19:28 2021
Date: Fri, 08 Jan 2021 10:19:28 +0000
Subject: [gnutls-devel] GnuTLS | CI pipeline rework - using stages and inheritance (!1366)

All discussions on Merge Request !1366 were resolved by Daiki Ueno

https://gitlab.com/gnutls/gnutls/-/merge_requests/1366

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1366


From gnutls-devel at lists.gnutls.org Fri Jan 8 11:19:44 2021
Date: Fri, 08 Jan 2021 10:19:44 +0000
Subject: [gnutls-devel] GnuTLS | CI pipeline rework - using stages and inheritance (!1366)

Merge Request !1366 was merged

Merge Request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1366
Project:Branches: ep69/gnutls:ci-rework to gnutls/gnutls:master
Author: Stanislav Židek
Assignee: Daiki Ueno

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1366

From gnutls-devel at lists.gnutls.org Fri Jan 8 16:34:27 2021
Date: Fri, 08 Jan 2021 15:34:27 +0000
Subject: [gnutls-devel] GnuTLS | configure: Remove -no_weak_links from LDFLAGS after detecting function availability (!1376)

Merge request https://gitlab.com/gnutls/gnutls/-/merge_requests/1376 was reviewed by Daiki Ueno

--

Daiki Ueno started a new discussion on configure.ac: https://gitlab.com/gnutls/gnutls/-/merge_requests/1376#note_481182075

> + dnl weakly linked function __darwin_check_fd_set_overflow. We only
> + dnl need it above to make sure that we don't detect functions that
> + dnl can are linked weakly (and can end up null at runtime) unless

typo: "can are"

--

Daiki Ueno started a new discussion on configure.ac: https://gitlab.com/gnutls/gnutls/-/merge_requests/1376#note_481182080

> AC_MSG_CHECKING([whether the linker supports -Wl,-no_weak_imports])
> - AC_LINK_IFELSE([AC_LANG_PROGRAM([#include ], [fd_set rfds; FD_ZERO(&rfds); FD_SET(0, &rfds);])],
> + AC_LINK_IFELSE([AC_LANG_PROGRAM([], [])],

Can we then just save the original LDFLAGS (without `-Wl,-no_weak_imports` added here) and restore it in your change below?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1376


From gnutls-devel at lists.gnutls.org Fri Jan 8 16:37:34 2021
Date: Fri, 08 Jan 2021 15:37:34 +0000
Subject: [gnutls-devel] GnuTLS | configure: Remove -no_weak_links from LDFLAGS after detecting function availability (!1376)

Merge request https://gitlab.com/gnutls/gnutls/-/merge_requests/1376 was reviewed by Martin Storsjö

--

Martin Storsjö commented on a discussion on configure.ac: https://gitlab.com/gnutls/gnutls/-/merge_requests/1376#note_481184927

> + dnl weakly linked function __darwin_check_fd_set_overflow. We only
> + dnl need it above to make sure that we don't detect functions that
> + dnl can are linked weakly (and can end up null at runtime) unless

Thanks, fixed.

--

Martin Storsjö commented on a discussion on configure.ac: https://gitlab.com/gnutls/gnutls/-/merge_requests/1376#note_481184928

> AC_MSG_CHECKING([whether the linker supports -Wl,-no_weak_imports])
> - AC_LINK_IFELSE([AC_LANG_PROGRAM([#include ], [fd_set rfds; FD_ZERO(&rfds); FD_SET(0, &rfds);])],
> + AC_LINK_IFELSE([AC_LANG_PROGRAM([], [])],

Yeah that's also an option. If there's a lot of code before the restoration, there's a risk that we try to add something else to it, which we then end up accidentally dropping, in some cases (macos only).

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1376


From gnutls-devel at lists.gnutls.org Fri Jan 8 17:54:53 2021
Date: Fri, 08 Jan 2021 16:54:53 +0000
Subject: [gnutls-devel] GnuTLS | configure: Remove -no_weak_links from LDFLAGS after detecting function availability (!1376)

All discussions on Merge Request !1376 were resolved by Daiki Ueno

https://gitlab.com/gnutls/gnutls/-/merge_requests/1376

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1376


From gnutls-devel at lists.gnutls.org Fri Jan 8 17:54:52 2021
Date: Fri, 08 Jan 2021 16:54:52 +0000
Subject: [gnutls-devel] GnuTLS | configure: Remove -no_weak_links from LDFLAGS after detecting function availability (!1376)

Daiki Ueno commented on a discussion on configure.ac: https://gitlab.com/gnutls/gnutls/-/merge_requests/1376#note_481238028

> dnl intended minimum runtime version.
> LDFLAGS="$LDFLAGS -Wl,-no_weak_imports"
> AC_MSG_CHECKING([whether the linker supports -Wl,-no_weak_imports])
> - AC_LINK_IFELSE([AC_LANG_PROGRAM([#include ], [fd_set rfds; FD_ZERO(&rfds); FD_SET(0, &rfds);])],
> + AC_LINK_IFELSE([AC_LANG_PROGRAM([], [])],

Indeed, that makes sense. I was concerned that `-Wl,-no_weak_links` is removed even if the user manually sets it on the configure command line, but maybe I'm too picky :-)

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1376#note_481238028

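Review bot: in the quoted hunk the flag is appended with `LDFLAGS="$LDFLAGS -Wl,-no_weak_imports"` before the AC_LINK_IFELSE probe, so both the probe's failure branch and the later removal that the MR title describes need to restore a copy of LDFLAGS saved before that append, rather than strip the token out of the variable; as Daiki Ueno notes, stripping the token would also discard a `-Wl,-no_weak_imports` the user passed on the configure command line. Saving the pre-append value once and restoring it verbatim in both places avoids that. With the test program reduced to `AC_LANG_PROGRAM([], [])`, the probe now only checks that the linker accepts the flag, which is what the AC_MSG_CHECKING text says; the FD_SET case the removed line probed for is instead covered by not keeping the flag in LDFLAGS for the real link.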
From gnutls-devel at lists.gnutls.org Fri Jan 8 17:54:58 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Fri, 08 Jan 2021 16:54:58 +0000
Subject: [gnutls-devel] GnuTLS | configure: Remove -no_weak_links from LDFLAGS after detecting function availability (!1376)

Merge Request !1376 was approved by Daiki Ueno

Merge Request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1376
Project:Branches: mstorsjo/gnutls:no-weak to gnutls/gnutls:master
Author: Martin Storsjö
Assignees:

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1376

From gnutls-devel at lists.gnutls.org Fri Jan 8 17:55:14 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Fri, 08 Jan 2021 16:55:14 +0000
Subject: [gnutls-devel] GnuTLS | configure: Remove -no_weak_links from LDFLAGS after detecting function availability (!1376)

Merge Request !1376 was scheduled to merge after pipeline succeeds by Daiki Ueno

Merge Request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1376
Project:Branches: mstorsjo/gnutls:no-weak to gnutls/gnutls:master
Author: Martin Storsjö
Assignees:

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1376
From gnutls-devel at lists.gnutls.org Fri Jan 8 17:55:30 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Fri, 08 Jan 2021 16:55:30 +0000
Subject: [gnutls-devel] GnuTLS | configure: Remove -no_weak_links from LDFLAGS after detecting function availability (!1376)

Daiki Ueno commented:

Thanks for the patch!

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1376#note_481238386

From gnutls-devel at lists.gnutls.org Fri Jan 8 18:46:06 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Fri, 08 Jan 2021 17:46:06 +0000
Subject: [gnutls-devel] GnuTLS | configure: Remove -no_weak_links from LDFLAGS after detecting function availability (!1376)

Daiki Ueno commented:

Sorry, could you rebase against the master to resolve the CI failure (not related to this MR)?

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1376#note_481267200
From gnutls-devel at lists.gnutls.org Fri Jan 8 19:02:08 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Fri, 08 Jan 2021 18:02:08 +0000
Subject: [gnutls-devel] GnuTLS | configure: Remove -no_weak_links from LDFLAGS after detecting function availability (!1376)

Merge Request !1376 was scheduled to merge after pipeline succeeds by Daiki Ueno

Merge Request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1376
Project:Branches: mstorsjo/gnutls:no-weak to gnutls/gnutls:master
Author: Martin Storsjö
Assignees:

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1376

From gnutls-devel at lists.gnutls.org Fri Jan 8 19:23:51 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Fri, 08 Jan 2021 18:23:51 +0000
Subject: [gnutls-devel] GnuTLS | gnulib: update git submodule (!1374)

Merge Request !1374 was approved by Andreas Metzler

Merge Request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1374
Project:Branches: dueno/gnutls:wip/dueno/autoconf-2.70 to gnutls/gnutls:master
Author: Daiki Ueno
Assignees:

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1374
From gnutls-devel at lists.gnutls.org Fri Jan 8 20:20:56 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Fri, 08 Jan 2021 19:20:56 +0000
Subject: [gnutls-devel] GnuTLS | configure: Remove -no_weak_links from LDFLAGS after detecting function availability (!1376)

Merge request https://gitlab.com/gnutls/gnutls/-/merge_requests/1376 was reviewed by Martin Storsjö

--

Martin Storsjö commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/1376#note_481313702

Still one CI failure, unrelated to this MR

```
maint.mk: out of date copyright in doc/gnutls.texi; update it
make: *** [maint.mk:1279: sc_copyright_check] Error 1
```

--

Martin Storsjö commented on a discussion on configure.ac: https://gitlab.com/gnutls/gnutls/-/merge_requests/1376#note_481313704

> AC_MSG_CHECKING([whether the linker supports -Wl,-no_weak_imports])
> - AC_LINK_IFELSE([AC_LANG_PROGRAM([#include ], [fd_set rfds; FD_ZERO(&rfds); FD_SET(0, &rfds);])],
> + AC_LINK_IFELSE([AC_LANG_PROGRAM([], [])],

Yeah that's the potential case where this isn't ideal. One could of course make it only remove one occurrence of it (the last one) too - but as one simply can't use `-Wl,-no_weak_links` with code that uses `FD_SET` with modern Xcode at all anyway, it's probably not much of a concern, so it's probably best to just go with the simplest code, with least risk of collateral breakage.

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1376
From gnutls-devel at lists.gnutls.org Fri Jan 8 20:27:40 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Fri, 08 Jan 2021 19:27:40 +0000
Subject: [gnutls-devel] GnuTLS | Build fails with autoconf 2.70 (#1138)

Issue was closed by Daiki Ueno via merge request !1374 (https://gitlab.com/gnutls/gnutls/-/merge_requests/1374)

Issue #1138: https://gitlab.com/gnutls/gnutls/-/issues/1138

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1138

From gnutls-devel at lists.gnutls.org Fri Jan 8 20:27:40 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Fri, 08 Jan 2021 19:27:40 +0000
Subject: [gnutls-devel] GnuTLS | gnulib: update git submodule (!1374)

Merge Request !1374 was merged

Merge Request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1374
Project:Branches: dueno/gnutls:wip/dueno/autoconf-2.70 to gnutls/gnutls:master
Author: Daiki Ueno
Assignees:

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1374

From gnutls-devel at lists.gnutls.org Fri Jan 8 20:27:49 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Fri, 08 Jan 2021 19:27:49 +0000
Subject: [gnutls-devel] GnuTLS | gnulib: update git submodule (!1374)

Daiki Ueno commented:

Thank you.
-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1374#note_481316652

From gnutls-devel at lists.gnutls.org Sat Jan 9 03:42:24 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sat, 09 Jan 2021 02:42:24 +0000
Subject: [gnutls-devel] GnuTLS | certtool --generate-self-signed returns crt_sign: ASN1 parser: Value is not valid. (#1144)

libbin commented:

**Similar result in MacOS**

Severity: breaks basic gnutls operation (--generate-self-signed)

Environment:
MacOS: 11.1 (20C69)
Brew: brew install gnutls

```
$ gnutls-certtool --generate-privkey --outfile key.pem -d3 1>/dev/null
Generating a 3072 bit RSA private key...
|<3>| ASSERT: privkey.c[gnutls_x509_privkey_get_seed]:1925
|<3>| ASSERT: mpi.c[wrap_nettle_mpi_print]:60
|<3>| ASSERT: mpi.c[wrap_nettle_mpi_print]:60
|<3>| ASSERT: mpi.c[wrap_nettle_mpi_print]:60
|<3>| ASSERT: mpi.c[wrap_nettle_mpi_print]:60
|<3>| ASSERT: mpi.c[wrap_nettle_mpi_print]:60
|<3>| ASSERT: mpi.c[wrap_nettle_mpi_print]:60
|<3>| ASSERT: mpi.c[wrap_nettle_mpi_print]:60
|<3>| ASSERT: mpi.c[wrap_nettle_mpi_print]:60
|<3>| ASSERT: privkey.c[gnutls_x509_privkey_get_seed]:1925
|<3>| ASSERT: mpi.c[wrap_nettle_mpi_print]:60
|<3>| ASSERT: mpi.c[wrap_nettle_mpi_print]:60
|<3>| ASSERT: mpi.c[wrap_nettle_mpi_print]:60
|<3>| ASSERT: mpi.c[wrap_nettle_mpi_print]:60
|<3>| ASSERT: mpi.c[wrap_nettle_mpi_print]:60
|<3>| ASSERT: mpi.c[wrap_nettle_mpi_print]:60
|<3>| ASSERT: mpi.c[wrap_nettle_mpi_print]:60
|<3>| ASSERT: mpi.c[wrap_nettle_mpi_print]:60
|<3>| ASSERT: privkey.c[gnutls_x509_privkey_get_seed]:1925
|<3>| ASSERT: mpi.c[wrap_nettle_mpi_print]:60
|<3>| ASSERT: mpi.c[wrap_nettle_mpi_print]:60
|<3>| ASSERT: mpi.c[wrap_nettle_mpi_print]:60
|<3>| ASSERT: mpi.c[wrap_nettle_mpi_print]:60
$ gnutls-certtool --generate-self-signed --load-privkey key.pem --template foo --outfile cert.pem -d3 1>/dev/null
Generating a self signed certificate...
|<3>| ASSERT: mpi.c[wrap_nettle_mpi_print]:60
|<3>| ASSERT: mpi.c[wrap_nettle_mpi_print]:60
|<3>| ASSERT: mpi.c[wrap_nettle_mpi_print]:60
|<3>| ASSERT: mpi.c[wrap_nettle_mpi_print]:60
|<3>| ASSERT: mpi.c[wrap_nettle_mpi_print]:60
|<3>| ASSERT: mpi.c[wrap_nettle_mpi_print]:60
|<3>| ASSERT: x509.c[gnutls_x509_crt_get_issuer_unique_id]:3995
|<3>| ASSERT: x509.c[gnutls_x509_crt_get_subject_unique_id]:3945
|<3>| ASSERT: mpi.c[wrap_nettle_mpi_print]:60
|<3>| ASSERT: mpi.c[wrap_nettle_mpi_print]:60
|<3>| ASSERT: mpi.c[wrap_nettle_mpi_print]:60
|<3>| ASSERT: mpi.c[wrap_nettle_mpi_print]:60
|<3>| ASSERT: mpi.c[wrap_nettle_mpi_print]:60
|<3>| ASSERT: mpi.c[wrap_nettle_mpi_print]:60
X.509 Certificate Information:
Signing certificate...
|<2>| signing structure using RSA-SHA256
|<3>| ASSERT: common.c[_gnutls_x509_der_encode]:855
|<3>| ASSERT: sign.c[_gnutls_x509_pkix_sign]:174
|<3>| ASSERT: x509_write.c[gnutls_x509_crt_privkey_sign]:1834
crt_sign: ASN1 parser: Value is not valid.
$ ls
foo key.pem
```

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1144#note_481434187
From gnutls-devel at lists.gnutls.org Sat Jan 9 09:07:24 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sat, 09 Jan 2021 08:07:24 +0000
Subject: [gnutls-devel] GnuTLS | configure: Remove -no_weak_links from LDFLAGS after detecting function availability (!1376)

All discussions on Merge Request !1376 were resolved by Daiki Ueno

https://gitlab.com/gnutls/gnutls/-/merge_requests/1376

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1376

From gnutls-devel at lists.gnutls.org Sat Jan 9 09:07:30 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sat, 09 Jan 2021 08:07:30 +0000
Subject: [gnutls-devel] GnuTLS | configure: Remove -no_weak_links from LDFLAGS after detecting function availability (!1376)

Merge Request !1376 was merged

Merge Request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1376
Project:Branches: mstorsjo/gnutls:no-weak to gnutls/gnutls:master
Author: Martin Storsjö
Assignees:

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1376
From gnutls-devel at lists.gnutls.org Sun Jan 10 02:53:21 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sun, 10 Jan 2021 01:53:21 +0000
Subject: [gnutls-devel] libtasn1 | fail to parse certificate then build with clang (#31)

rim created an issue: https://gitlab.com/gnutls/libtasn1/-/issues/31

## Description of problem:

Not sure whether this is a libtasn1 error or a clang one. I updated my desktop to current and claws-mail showed me certificate errors; I dug inside and found that gnutls_x509_crt_get_fingerprint() fails. At the next step I found that if I rebuild libtasn1 with debug then it fixes the errors. I wrote a test app to reproduce the error and check on other systems. On my home server (12.2) gnutls+libtasn1 were already installed and no errors happened. But after I rebuilt libtasn1, the test app showed the error. Now I cannot fix it because even with -O0 it produces the error.

With:
clang version 11.0.1 (git at github.com:llvm/llvm-project.git llvmorg-11.0.1-rc2-0-g43ff75f2c3f)
13.0-CURRENT FreeBSD 13.0-CURRENT
even -O2 gives code that does not work. -O1, -O0 - work.

With:
clang version 10.0.1 (git at github.com:llvm/llvm-project.git llvmorg-10.0.1-0-gef32c611aa2)
12.2-STABLE 5586a4e13931(stable/12)
does not work with any -O values.

## Version of libtasn1 used:

libtasn1-4.16.0

## Distributor of libtasn1 (e.g., Ubuntu, Fedora, RHEL)

FreeBSD

## How reproducible:

Build test tool:

cc gnutls_test.c -O0 -DDEBUG -I/usr/local/include -L/usr/local/lib -lm -lgnutls -o gnutls_test

Run test:

./gnutls_test ./pop.mail.ru.995.cert

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/-/issues/31
From gnutls-devel at lists.gnutls.org Sun Jan 10 02:53:55 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sun, 10 Jan 2021 01:53:55 +0000
Subject: [gnutls-devel] libtasn1 | fail to parse certificate then build with clang (#31)

rim commented:

Test tool can be obtained here: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=252548

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/-/issues/31#note_481709639

From gnutls-devel at lists.gnutls.org Sun Jan 10 03:49:50 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sun, 10 Jan 2021 02:49:50 +0000
Subject: [gnutls-devel] libtasn1 | fail to parse certificate then build with clang (#31)

rim commented:

Probably duplicates: https://gitlab.com/gnutls/libtasn1/-/issues/30

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/-/issues/31#note_481735601

From gnutls-devel at lists.gnutls.org Sun Jan 10 08:54:01 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sun, 10 Jan 2021 07:54:01 +0000
Subject: [gnutls-devel] GnuTLS | GnuTLS client sends early data after receiving Server Hello (#1146)

Tatsuhiro Tsujikawa created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1146

## Description of problem:

GnuTLS client sends TLSv1.3 early data after receiving Server Hello. That is, it sends early data, with weaker cryptographic properties, after 1RTT.
RFC 8446 says early data are sent along with Client Hello without waiting for Server first flight:

```
       Client                                               Server

       ClientHello
       + early_data
       + key_share*
       + psk_key_exchange_modes
       + pre_shared_key
       (Application Data*)     -------->
                                                       ServerHello
                                                  + pre_shared_key
                                                      + key_share*
                                             {EncryptedExtensions}
                                                     + early_data*
                                                        {Finished}
                               <--------       [Application Data*]
       (EndOfEarlyData)
       {Finished}              -------->
       [Application Data]      <------->        [Application Data]
```

https://tools.ietf.org/html/rfc8446#section-2.3

gnutls-cli debug output shows that EARLY KEY and IV are generated after receiving Server Hello. I used a wireshark capture and observed that gnutls-cli sent early data and EOED after receiving Server first flight.

## Version of gnutls used:

3.7.0

## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)

Debian

## How reproducible:

Steps to Reproduce:

* gnutls-cli --port 443 -d 9999 -r --earlydata http.txt ANY-SITE-WHICH-ENABLES-EARLY-DATA
* http.txt contains HTTP/1.1 request

## Actual results:

Early data are sent after receiving Server Hello.

## Expected results:

Early data should be sent along with Client Hello without waiting for Server Hello.

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1146

From gnutls-devel at lists.gnutls.org Sun Jan 10 19:47:40 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sun, 10 Jan 2021 18:47:40 +0000
Subject: [gnutls-devel] GnuTLS | Sockets: implement sendmsg()-like function on Win32 (!1377)

Evgeny Grin created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1377

Project:Branches: karlson2k/gnutls:w32_sendmsg to gnutls/gnutls:master
Author: Evgeny Grin

Finally unify sending on POSIX and Win32.
Used WSASend() to send multiple buffers on W32, like it is done on POSIX with sendmsg()/writev(). Some logic was added to prevent overflows of parameters/return value (mostly hypothetical as all TLS packets must fit, but it's better to implement it now so the code is future-proof).

Did some testing on W32 x64 and walked the code with a debugger. Looks fine.

## Checklist

* [x] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [x] Code modified for feature
* [ ] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
* [x] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:

* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1377

From gnutls-devel at lists.gnutls.org Sun Jan 10 20:24:23 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sun, 10 Jan 2021 19:24:23 +0000
Subject: [gnutls-devel] GnuTLS | certtool --generate-self-signed returns crt_sign: ASN1 parser: Value is not valid. (#1144)

Eirik Øverby commented:

This seems to be an issue with libtasn1, which, when built with CLANG and certain options, fails to parse ASN1 structures.
See https://gitlab.com/gnutls/libtasn1/-/issues/31 and https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=252548

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1144#note_482126189

From gnutls-devel at lists.gnutls.org Sun Jan 10 20:25:45 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sun, 10 Jan 2021 19:25:45 +0000
Subject: [gnutls-devel] libtasn1 | Test_tree and copynode test failures on clang 10+ (#30)

Eirik Øverby commented:

I can confirm this finding on FreeBSD, any version. As mentioned in https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=252548, CFLAGS+=-O1 is a valid workaround.

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/-/issues/30#note_482126339

From gnutls-devel at lists.gnutls.org Mon Jan 11 08:06:15 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Mon, 11 Jan 2021 07:06:15 +0000
Subject: [gnutls-devel] GnuTLS | gnutls_certificate_set_x509_key(): deinitialize pcerts array elements during cleanup (!1378)

Tom Carroll created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1378

Project:Branches: incentive.design/gnutls:pcert_deinit_on_cleanup to gnutls/gnutls:master
Author: Tom Carroll

The cleanup path of gnutls_certificate_set_x509_key() does not deinitialize the elements of the pcert array. The gnutls_pcert_st has two fields, pubkey and cert, that should be freed or else a memory leak will occur.
## Checklist

* [X] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [X] Code modified for feature
* [ ] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
* [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:

* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1378

From gnutls-devel at lists.gnutls.org Mon Jan 11 08:14:50 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Mon, 11 Jan 2021 07:14:50 +0000
Subject: [gnutls-devel] GnuTLS | Verify that cert_list_size > 0 and cert_list != NULL (!1379)

Tom Carroll created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1379

Project:Branches: incentive.design/gnutls:check_cert_list_argument to gnutls/gnutls:master
Author: Tom Carroll

cert_list_size (similarly, ca_list_size) are signed integers that specify the length of cert_list (ca_list). As the size variable is used to compute a memory allocation, there is an implicit assumption that it is greater than zero. This patch makes the assumption explicit by checking that cert_list_size > 0. Additionally, cert_list cannot be NULL as cert_list_size > 0.
## Checklist

* [X] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [X] Code modified for feature
* [ ] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
* [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:

* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1379

From gnutls-devel at lists.gnutls.org Fri Jan 15 05:08:57 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Fri, 15 Jan 2021 04:08:57 +0000
Subject: [gnutls-devel] GnuTLS | Enable PSK by default (#680)

GnuTLS bot commented:

@npmccallum This issue is unlabelled after 30 days. It needs attention.

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/680#note_486003601
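The argument check of !1379 and the cleanup-path deinit of !1378 above, combined in one function as an added example that is not code from either MR or from GnuTLS: the `blob_t`/`pcert_t` types, the placeholder error codes and the `pcert_import`/`pcert_deinit` helpers are stand-ins assumed for this example. The instrumented counters show that a size of zero or less, or a NULL list, is rejected before any allocation, and that when an import fails midway every element imported so far is deinitialized rather than leaked.

```c
#include <stdlib.h>
#include <string.h>

/* Stand-ins for the library types (assumed shapes for this example, not
 * GnuTLS's definitions): a pcert owns two separately allocated members,
 * mirroring the pubkey and cert fields of gnutls_pcert_st named in !1378. */
typedef struct { const unsigned char *der; size_t len; } blob_t;
typedef struct { void *pubkey; void *cert; } pcert_t;

enum { E_OK = 0, E_INVALID_REQUEST = -1, E_MEMORY = -2 }; /* placeholder codes */

/* Instrumentation: with the cleanup fix every import has a matching deinit,
 * so the two counters stay equal even when a later import fails. */
static int g_inits = 0, g_deinits = 0;
static int g_fail_at = -1;   /* index of the import made to fail, -1 = none */

static int pcert_import(pcert_t *p, const blob_t *b)
{
    if (g_fail_at == g_inits)          /* simulated allocation failure */
        return E_MEMORY;
    p->cert = malloc(b->len);
    p->pubkey = malloc(b->len);
    if (p->cert == NULL || p->pubkey == NULL) {
        free(p->cert); free(p->pubkey);
        p->cert = p->pubkey = NULL;
        return E_MEMORY;
    }
    memcpy(p->cert, b->der, b->len);
    memcpy(p->pubkey, b->der, b->len);
    g_inits++;
    return E_OK;
}

static void pcert_deinit(pcert_t *p)
{
    free(p->pubkey); free(p->cert);
    p->pubkey = p->cert = NULL;
    g_deinits++;
}

/* Hardened setter. !1379: a signed size of 0 or less (which would wrap when
 * converted to size_t for the allocation) and a NULL list are rejected up
 * front. !1378: on a mid-loop failure the elements imported so far are
 * deinitialized before the array itself is freed. */
static int set_x509_key_checked(pcert_t **out, unsigned *out_n,
                                const blob_t *cert_list, int cert_list_size)
{
    if (cert_list_size <= 0 || cert_list == NULL)
        return E_INVALID_REQUEST;

    pcert_t *pcerts = calloc((size_t)cert_list_size, sizeof(*pcerts));
    if (pcerts == NULL)
        return E_MEMORY;

    int i, ret = E_OK;
    for (i = 0; i < cert_list_size; i++) {
        ret = pcert_import(&pcerts[i], &cert_list[i]);
        if (ret < 0)
            goto cleanup;
    }
    *out = pcerts;
    *out_n = (unsigned)cert_list_size;
    return E_OK;

cleanup:
    /* Elements 0..i-1 hold allocated members; freeing only `pcerts` would
     * leak every pubkey and cert (the leak !1378 fixes). */
    for (int j = 0; j < i; j++)
        pcert_deinit(&pcerts[j]);
    free(pcerts);
    return ret;
}

/* Runs the setter on a constructed list of `n` (at most 4) certificates, each
 * a tiny DER SEQUENCE standing in for a real one; `fail_at` is the import made
 * to fail (-1 for none) and `pass_null` substitutes a NULL list pointer.
 * Returns the setter's result and leaves g_inits/g_deinits for inspection. */
static int run_scenario(int n, int fail_at, int pass_null)
{
    static const unsigned char der[] = { 0x30, 0x03, 0x02, 0x01, 0x01 };
    blob_t list[4] = { {der, sizeof der}, {der, sizeof der},
                       {der, sizeof der}, {der, sizeof der} };
    pcert_t *pcerts = NULL;
    unsigned count = 0;
    if (n > 4)
        return E_INVALID_REQUEST;
    g_inits = g_deinits = 0;
    g_fail_at = fail_at;
    int ret = set_x509_key_checked(&pcerts, &count, pass_null ? NULL : list, n);
    if (ret == E_OK) {                 /* success path: release everything */
        for (unsigned j = 0; j < count; j++)
            pcert_deinit(&pcerts[j]);
        free(pcerts);
    }
    return ret;
}

static int counters_balanced(void) { return g_inits == g_deinits; }
```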
From gnutls-devel at lists.gnutls.org Fri Jan 15 05:08:55 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Fri, 15 Jan 2021 04:08:55 +0000
Subject: [gnutls-devel] GnuTLS | Remove SRP support (#943)

GnuTLS bot commented:

@nmav This issue is unlabelled after 30 days. It needs attention.

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/943#note_486003597

From gnutls-devel at lists.gnutls.org Fri Jan 15 05:08:56 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Fri, 15 Jan 2021 04:08:56 +0000
Subject: [gnutls-devel] GnuTLS | Consider dropping heartbeat support (#743)

GnuTLS bot commented:

@nmav This issue is unlabelled after 30 days. It needs attention.

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/743#note_486003599
From gnutls-devel at lists.gnutls.org Fri Jan 15 05:08:54 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Fri, 15 Jan 2021 04:08:54 +0000
Subject: [gnutls-devel] GnuTLS | Issues require labels (#1148)

GnuTLS bot created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1148

The following issues require labels:

- [ ] [Service Desk (from andrea_trevi at hotmail.com):](https://gitlab.com/gnutls/gnutls/-/issues/1130)
- [ ] [Service Desk (from Neu.Markus at web.de): installation error](https://gitlab.com/gnutls/gnutls/-/issues/1129)
- [ ] [Remove SRP support](https://gitlab.com/gnutls/gnutls/-/issues/943)
- [ ] [Consider dropping heartbeat support](https://gitlab.com/gnutls/gnutls/-/issues/743)
- [ ] [Enable PSK by default](https://gitlab.com/gnutls/gnutls/-/issues/680)

Please take care of them.

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1148

From gnutls-devel at lists.gnutls.org Tue Jan 19 08:25:17 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Tue, 19 Jan 2021 07:25:17 +0000
Subject: [gnutls-devel] GnuTLS | DTLS (#1149)

huangyu6572 created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1149

How does the server detect the status of the client when the client exits abnormally? Is the packet a handshake or useful data? I'm using gnutls_record_recv() to receive the client's data. If the client exits abnormally and sends handshake info, the server receives handshake data and gnutls_record_recv() returns GNUTLS_E_INTERRUPTED. This is not fatal.
Gnutls Version 3.3.8

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1149

From gnutls-devel at lists.gnutls.org Tue Jan 19 08:33:42 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Tue, 19 Jan 2021 07:33:42 +0000
Subject: [gnutls-devel] GnuTLS | EPOLL (#1122)

huangyu6572 commented:

Thank you, I have solved the problem.

From gnutls-devel at lists.gnutls.org Tue Jan 19 09:08:38 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Tue, 19 Jan 2021 08:08:38 +0000
Subject: [gnutls-devel] GnuTLS | DTLS (#1149)

huangyu6572 commented:

gnutls_record_recv returns GNUTLS_E_AGAIN when the client reconnects after exiting abnormally

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1149#note_488438899
From gnutls-devel at lists.gnutls.org Thu Jan 21 21:01:43 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Thu, 21 Jan 2021 20:01:43 +0000
Subject: [gnutls-devel] GnuTLS | bootstrap fails (#1150)

Matteo Todescato created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1150

Running ./bootstrap fails on ubuntu 18.04 with the following output:

```
Copying file ./lib/nettle/backport/block-internal.h
Copying file ./lib/minitasn1/coding.c
Copying file ./lib/minitasn1/decoding.c
Copying file ./lib/minitasn1/element.c
Copying file ./lib/minitasn1/element.h
Copying file ./lib/minitasn1/errors.c
Copying file ./lib/minitasn1/gstr.c
Copying file ./lib/minitasn1/gstr.h
Copying file ./lib/minitasn1/int.h
Copying file ./lib/minitasn1/parser_aux.c
Copying file ./lib/minitasn1/parser_aux.h
Copying file ./lib/minitasn1/structure.c
Copying file ./lib/minitasn1/structure.h
Copying file ./lib/minitasn1/version.c
Copying file ./lib/minitasn1/libtasn1.h
running: AUTOPOINT=true LIBTOOLIZE=true autoreconf --verbose --install --force -I m4 --no-recursive
autoreconf: Entering directory `.'
autoreconf: running: true --force
autoreconf: running: aclocal -I m4 --force -I m4 -I src/libopts/m4 -I src/gl/m4 -I lib/unistring/m4 --install
autoreconf: configure.ac: tracing
autoreconf: running: true --copy --force
autoreconf: running: /usr/bin/autoconf --include=m4 --force
configure.ac:450: error: possibly undefined macro: AC_MSG_ERROR
      If this token and others are legitimate, please use m4_pattern_allow.
      See the Autoconf documentation.
autoreconf: /usr/bin/autoconf failed with exit status: 1
./bootstrap: autoreconf failed
```

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1150
From gnutls-devel at lists.gnutls.org Fri Jan 22 14:45:05 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Fri, 22 Jan 2021 13:45:05 +0000
Subject: [gnutls-devel] GnuTLS | fips: avoid memleak in (EC)DH internal APIs (!1380)

Daiki Ueno created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1380

Project:Branches: dueno/gnutls:wip/dueno/fips-dh-memleak to gnutls/gnutls:master
Author: Daiki Ueno

There was some confusion between gnutls_pk_params_clear and gnutls_pk_params_release, as well as about the number of parameters to scan in the gnutls_pk_params_st structure. Flagged by address sanitizer:

```console
==354688==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 192 byte(s) in 12 object(s) allocated from:
    #0 0x7f13506163cf in __interceptor_malloc (/lib64/libasan.so.6+0xab3cf)
    #1 0x7f13503b94de in wrap_nettle_mpi_init /home/ueno/devel/gnutls/lib/nettle/mpi.c:79
    #2 0x7ffcb8495f07 ([stack]+0x1ef07)

Direct leak of 160 byte(s) in 10 object(s) allocated from:
    #0 0x7f13506163cf in __interceptor_malloc (/lib64/libasan.so.6+0xab3cf)
    #1 0x7f13503b94de in wrap_nettle_mpi_init /home/ueno/devel/gnutls/lib/nettle/mpi.c:79
```

## Checklist

* [x] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [ ] Code modified for feature
* [ ] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
* [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:

* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1380

From gnutls-devel at lists.gnutls.org Fri Jan 22 15:27:23 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Fri, 22 Jan 2021 14:27:23 +0000
Subject: [gnutls-devel] GnuTLS | fips: avoid memleak in (EC)DH internal APIs (!1380)

Simo Sorce commented:

LGTM

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1380#note_491802166

From gnutls-devel at lists.gnutls.org Fri Jan 22 18:20:00 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Fri, 22 Jan 2021 17:20:00 +0000
Subject: [gnutls-devel] GnuTLS | 3.7.0 errors against (old TLS 1.0?) FTPS (FTP/TLS) servers (#1152)

Andreas Metzler created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1152

Hello,

this was reported in https://bugs.debian.org/980119

Data transfer (including ls) from older FTPS (FTP/TLS) servers results in a generic gnutls error:

> In FileZilla, this shows as a number of red error messages ending with "GnuTLS error -15 in gnutls_record_recv: An unexpected TLS packet was received." In lftp, this shows as a single failure line: "Fatal error: gnutls_record_recv: An unexpected TLS packet was received."

gnutls-cli --starttls-proto=ftp works, only a data connection triggers the error.

~~~
- Status: The certificate is trusted.
- Successfully sent 0 certificate(s) to server.
- Description: (TLS1.0-X.509)-(ECDHE-SECP256R1)-(AES-128-CBC)-(SHA1)
- Session ID: 78:CC:6C:F1:66:01:CA:0C:7A:4E:FC:FF:DA:04:59:30:44:7C:81:B7:59:44:6D:44:71:56:72:62:EA:DA:0E:41
- Options: safe renegotiation,
- Handshake was completed
~~~

Using wget, gnutls debug data was generated:

~~~
Yes, Wget also failed, it actually SIGABRTed. WARNING lots of data. I skipped to where the data transfer actually started. Changing directories worked as far as I could tell.
---8<---
227 Entering Passive Mode (8,48,33,7,5,0).
trying to connect to 8.48.33.7 port 1280
Created socket 4.
done.
==> RETR whitelist.json ...
--> RETR whitelist.json
gnutls[5]: REC[0x55baf0c5d760]: Preparing Packet Application Data(23) with length: 21 and min pad: 0
gnutls[9]: ENC[0x55baf0c5d760]: cipher: AES-128-CBC, MAC: SHA1, Epoch: 1
gnutls[11]: WRITE: enqueued 53 bytes for 0x3. Total 53 bytes.
gnutls[11]: WRITE FLUSH: 53 bytes in buffer.
gnutls[11]: WRITE: wrote 53 bytes, 0 bytes left.
gnutls[5]: REC[0x55baf0c5d760]: Sent Packet[12] Application Data(23) in epoch 1 and length: 53
gnutls[10]: READ: -1 returned from 0x3, errno=11 gerrno=0
gnutls[3]: ASSERT: ../../lib/buffers.c[_gnutls_io_read_buffered]:589
gnutls[3]: ASSERT: ../../lib/record.c[_gnutls_recv_int]:1776
gnutls[10]: READ: Got 5 bytes from 0x3
gnutls[10]: READ: read 5 bytes from 0x3
gnutls[10]: RB: Have 0 bytes into buffer. Adding 5 bytes.
gnutls[10]: RB: Requested 5 bytes
gnutls[5]: REC[0x55baf0c5d760]: SSL 3.1 Application Data packet received. Epoch 1, length: 96
gnutls[5]: REC[0x55baf0c5d760]: Expected Packet Application Data(23)
gnutls[5]: REC[0x55baf0c5d760]: Received Packet Application Data(23) with length: 96
gnutls[10]: READ: Got 96 bytes from 0x3
gnutls[10]: READ: read 96 bytes from 0x3
gnutls[10]: RB: Have 5 bytes into buffer. Adding 96 bytes.
gnutls[10]: RB: Requested 101 bytes
gnutls[5]: REC[0x55baf0c5d760]: Decrypted Packet[11] Application Data(23) with length: 71
gnutls[13]: BUF[REC]: Inserted 71 bytes of Data(23)
150 Opening BINARY mode data connection for whitelist.json (2 bytes).
done.
Length: 2 (unauthoritative)
gnutls[5]: REC[0x55baf0f22d60]: Allocating epoch #0
gnutls[2]: added 6 protocols, 29 ciphersuites, 19 sig algos and 10 groups into priority list
gnutls[5]: REC[0x55baf0f22d60]: Allocating epoch #1
gnutls[4]: HSK[0x55baf0f22d60]: Adv. version: 3.1
gnutls[2]: Keeping ciphersuite 13.02 (GNUTLS_AES_256_GCM_SHA384)
gnutls[2]: Keeping ciphersuite 13.03 (GNUTLS_CHACHA20_POLY1305_SHA256)
gnutls[2]: Keeping ciphersuite 13.01 (GNUTLS_AES_128_GCM_SHA256)
gnutls[2]: Keeping ciphersuite 13.04 (GNUTLS_AES_128_CCM_SHA256)
gnutls[2]: Keeping ciphersuite c0.2c (GNUTLS_ECDHE_ECDSA_AES_256_GCM_SHA384)
gnutls[2]: Keeping ciphersuite cc.a9 (GNUTLS_ECDHE_ECDSA_CHACHA20_POLY1305)
gnutls[2]: Keeping ciphersuite c0.ad (GNUTLS_ECDHE_ECDSA_AES_256_CCM)
gnutls[2]: Keeping ciphersuite c0.0a (GNUTLS_ECDHE_ECDSA_AES_256_CBC_SHA1)
gnutls[2]: Keeping ciphersuite c0.2b (GNUTLS_ECDHE_ECDSA_AES_128_GCM_SHA256)
gnutls[2]: Keeping ciphersuite c0.ac (GNUTLS_ECDHE_ECDSA_AES_128_CCM)
gnutls[2]: Keeping ciphersuite c0.09 (GNUTLS_ECDHE_ECDSA_AES_128_CBC_SHA1)
gnutls[2]: Keeping ciphersuite c0.30 (GNUTLS_ECDHE_RSA_AES_256_GCM_SHA384)
gnutls[2]: Keeping ciphersuite cc.a8 (GNUTLS_ECDHE_RSA_CHACHA20_POLY1305)
gnutls[2]: Keeping ciphersuite c0.14 (GNUTLS_ECDHE_RSA_AES_256_CBC_SHA1)
gnutls[2]: Keeping ciphersuite c0.2f (GNUTLS_ECDHE_RSA_AES_128_GCM_SHA256)
gnutls[2]: Keeping ciphersuite c0.13 (GNUTLS_ECDHE_RSA_AES_128_CBC_SHA1)
gnutls[2]: Keeping ciphersuite 00.9d (GNUTLS_RSA_AES_256_GCM_SHA384)
gnutls[2]: Keeping ciphersuite c0.9d (GNUTLS_RSA_AES_256_CCM)
gnutls[2]: Keeping ciphersuite 00.35 (GNUTLS_RSA_AES_256_CBC_SHA1)
gnutls[2]: Keeping ciphersuite 00.9c (GNUTLS_RSA_AES_128_GCM_SHA256)
gnutls[2]: Keeping ciphersuite c0.9c (GNUTLS_RSA_AES_128_CCM)
gnutls[2]: Keeping ciphersuite 00.2f (GNUTLS_RSA_AES_128_CBC_SHA1)
gnutls[2]: Keeping ciphersuite 00.9f (GNUTLS_DHE_RSA_AES_256_GCM_SHA384)
gnutls[2]: Keeping ciphersuite cc.aa (GNUTLS_DHE_RSA_CHACHA20_POLY1305)
gnutls[2]: Keeping ciphersuite c0.9f (GNUTLS_DHE_RSA_AES_256_CCM)
gnutls[2]: Keeping ciphersuite 00.39 (GNUTLS_DHE_RSA_AES_256_CBC_SHA1)
gnutls[2]: Keeping ciphersuite 00.9e (GNUTLS_DHE_RSA_AES_128_GCM_SHA256)
gnutls[2]: Keeping ciphersuite c0.9e (GNUTLS_DHE_RSA_AES_128_CCM)
gnutls[2]: Keeping ciphersuite 00.33 (GNUTLS_DHE_RSA_AES_128_CBC_SHA1)
gnutls[4]: EXT[0x55baf0f22d60]: Preparing extension (OCSP Status Request/5) for 'client hello'
gnutls[4]: EXT[0x55baf0f22d60]: Sending extension OCSP Status Request/5 (5 bytes)
gnutls[4]: EXT[0x55baf0f22d60]: Preparing extension (Client Certificate Type/19) for 'client hello'
gnutls[4]: EXT[0x55baf0f22d60]: Preparing extension (Server Certificate Type/20) for 'client hello'
gnutls[4]: EXT[0x55baf0f22d60]: Preparing extension (Supported Groups/10) for 'client hello'
gnutls[4]: EXT[0x55baf0f22d60]: Sent group SECP256R1 (0x17)
gnutls[4]: EXT[0x55baf0f22d60]: Sent group SECP384R1 (0x18)
gnutls[4]: EXT[0x55baf0f22d60]: Sent group SECP521R1 (0x19)
gnutls[4]: EXT[0x55baf0f22d60]: Sent group X25519 (0x1d)
gnutls[4]: EXT[0x55baf0f22d60]: Sent group X448 (0x1e)
gnutls[4]: EXT[0x55baf0f22d60]: Sent group FFDHE2048 (0x100)
gnutls[4]: EXT[0x55baf0f22d60]: Sent group FFDHE3072 (0x101)
gnutls[4]: EXT[0x55baf0f22d60]: Sent group FFDHE4096 (0x102)
gnutls[4]: EXT[0x55baf0f22d60]: Sent group FFDHE6144 (0x103)
gnutls[4]: EXT[0x55baf0f22d60]: Sent group FFDHE8192 (0x104)
gnutls[4]: EXT[0x55baf0f22d60]: Sending extension Supported Groups/10 (22 bytes)
gnutls[4]: EXT[0x55baf0f22d60]: Preparing extension (Supported EC Point Formats/11) for 'client hello'
gnutls[4]: EXT[0x55baf0f22d60]: Sending extension Supported EC Point Formats/11 (2 bytes)
gnutls[4]: EXT[0x55baf0f22d60]: Preparing extension (SRP/12) for 'client hello'
gnutls[4]: EXT[0x55baf0f22d60]: Preparing extension (Signature Algorithms/13) for 'client hello'
gnutls[4]: EXT[0x55baf0f22d60]: Preparing extension (SRTP/14) for 'client hello'
gnutls[4]: EXT[0x55baf0f22d60]: Preparing extension (Heartbeat/15) for 'client hello'
gnutls[4]: EXT[0x55baf0f22d60]: Preparing extension (ALPN/16) for 'client hello'
gnutls[4]: EXT[0x55baf0f22d60]: Preparing extension (Encrypt-then-MAC/22) for 'client hello'
gnutls[4]: EXT[0x55baf0f22d60]: Preparing extension (Extended Master Secret/23) for 'client hello'
gnutls[4]: EXT[0x55baf0f22d60]: Preparing extension (Session Ticket/35) for 'client hello'
gnutls[4]: EXT[0x55baf0f22d60]: Sending extension Session Ticket/35 (192 bytes)
gnutls[4]: EXT[0x55baf0f22d60]: Preparing extension (Key Share/51) for 'client hello'
gnutls[4]: EXT[0x55baf0f22d60]: sending key share for SECP256R1
gnutls[4]: EXT[0x55baf0f22d60]: sending key share for X25519
gnutls[4]: EXT[0x55baf0f22d60]: Sending extension Key Share/51 (107 bytes)
gnutls[4]: EXT[0x55baf0f22d60]: Preparing extension (Supported Versions/43) for 'client hello'
gnutls[2]: Advertizing version 3.4
gnutls[2]: Advertizing version 3.3
gnutls[2]: Advertizing version 3.2
gnutls[2]: Advertizing version 3.1
gnutls[4]: EXT[0x55baf0f22d60]: Sending extension Supported Versions/43 (9 bytes)
gnutls[4]: EXT[0x55baf0f22d60]: Preparing extension (Post Handshake Auth/49) for 'client hello'
gnutls[4]: EXT[0x55baf0f22d60]: Sending extension Post Handshake Auth/49 (0 bytes)
gnutls[4]: EXT[0x55baf0f22d60]: Preparing extension (Safe Renegotiation/65281) for 'client hello'
gnutls[4]: EXT[0x55baf0f22d60]: Sending extension Safe Renegotiation/65281 (1 bytes)
gnutls[4]: EXT[0x55baf0f22d60]: Preparing extension (Server Name Indication/0) for 'client hello'
gnutls[2]: HSK[0x55baf0f22d60]: sent server name: 'bos-sr-2-36.akliz.net'
gnutls[4]: EXT[0x55baf0f22d60]: Sending extension Server Name Indication/0 (26 bytes)
gnutls[4]: EXT[0x55baf0f22d60]: Preparing extension (Cookie/44) for 'client hello'
gnutls[4]: EXT[0x55baf0f22d60]: Preparing extension (Early Data/42) for 'client hello'
gnutls[4]: EXT[0x55baf0f22d60]: Preparing extension (PSK Key Exchange Modes/45) for 'client hello'
gnutls[4]: EXT[0x55baf0f22d60]: Sending extension PSK Key Exchange Modes/45 (3 bytes)
gnutls[4]: EXT[0x55baf0f22d60]: Preparing extension (Record Size Limit/28) for 'client hello'
gnutls[4]: EXT[0x55baf0f22d60]: Sending extension Record Size Limit/28 (2 bytes)
gnutls[4]: EXT[0x55baf0f22d60]: Preparing extension (Maximum Record Size/1) for 'client hello'
gnutls[4]: EXT[0x55baf0f22d60]: Preparing extension (ClientHello Padding/21) for 'client hello'
gnutls[4]: EXT[0x55baf0f22d60]: Preparing extension (Pre Shared Key/41) for 'client hello'
gnutls[4]: HSK[0x55baf0f22d60]: CLIENT HELLO was queued [548 bytes]
gnutls[11]: HWRITE: enqueued [CLIENT HELLO] 548. Total 548 bytes.
gnutls[11]: HWRITE FLUSH: 548 bytes in buffer.
gnutls[5]: REC[0x55baf0f22d60]: Preparing Packet Handshake(22) with length: 548 and min pad: 0
gnutls[9]: ENC[0x55baf0f22d60]: cipher: NULL, MAC: MAC-NULL, Epoch: 0
gnutls[11]: WRITE: enqueued 553 bytes for 0x4. Total 553 bytes.
gnutls[5]: REC[0x55baf0f22d60]: Sent Packet[1] Handshake(22) in epoch 0 and length: 553
gnutls[11]: HWRITE: wrote 1 bytes, 0 bytes left.
gnutls[11]: WRITE FLUSH: 553 bytes in buffer.
gnutls[11]: WRITE: wrote 553 bytes, 0 bytes left.
gnutls[3]: ASSERT: ../../lib/buffers.c[get_last_packet]:1185
gnutls[10]: READ: -1 returned from 0x4, errno=11 gerrno=0
gnutls[3]: ASSERT: ../../lib/buffers.c[_gnutls_io_read_buffered]:589
gnutls[3]: ASSERT: ../../lib/buffers.c[get_last_packet]:1185
gnutls[10]: READ: Got 5 bytes from 0x4
gnutls[10]: READ: read 5 bytes from 0x4
gnutls[10]: RB: Have 0 bytes into buffer. Adding 5 bytes.
gnutls[10]: RB: Requested 5 bytes
gnutls[5]: REC[0x55baf0f22d60]: SSL 3.1 Handshake packet received. Epoch 0, length: 81
gnutls[5]: REC[0x55baf0f22d60]: Expected Packet Handshake(22)
gnutls[5]: REC[0x55baf0f22d60]: Received Packet Handshake(22) with length: 81
gnutls[10]: READ: Got 81 bytes from 0x4
gnutls[10]: READ: read 81 bytes from 0x4
gnutls[10]: RB: Have 5 bytes into buffer. Adding 81 bytes.
gnutls[10]: RB: Requested 86 bytes
gnutls[5]: REC[0x55baf0f22d60]: Decrypted Packet[0] Handshake(22) with length: 81
gnutls[13]: BUF[REC]: Inserted 81 bytes of Data(22)
gnutls[4]: HSK[0x55baf0f22d60]: SERVER HELLO (2) was received. Length 77[77], frag offset 0, frag length: 77, sequence: 0
gnutls[3]: ASSERT: ../../lib/buffers.c[get_last_packet]:1176
gnutls[3]: ASSERT: ../../lib/buffers.c[_gnutls_handshake_io_recv_int]:1428
gnutls[4]: HSK[0x55baf0f22d60]: Server's version: 3.1
gnutls[4]: HSK[0x55baf0f22d60]: SessionID length: 32
gnutls[4]: HSK[0x55baf0f22d60]: SessionID: 0e858e4d3c95cb52c76acd4aa2a15d110e6436905b6ce04f06ecf62f7caeb4c0
gnutls[4]: HSK[0x55baf0f22d60]: Selected cipher suite: GNUTLS_ECDHE_RSA_AES_128_CBC_SHA1
gnutls[4]: EXT[0x55baf0f22d60]: Parsing extension 'Safe Renegotiation/65281' (1 bytes)
gnutls[4]: HSK[0x55baf0f22d60]: Safe renegotiation succeeded
gnutls[3]: ASSERT: ../../lib/buffers.c[get_last_packet]:1185
gnutls[10]: READ: Got 5 bytes from 0x4
gnutls[10]: READ: read 5 bytes from 0x4
gnutls[10]: RB: Have 0 bytes into buffer. Adding 5 bytes.
gnutls[10]: RB: Requested 5 bytes
gnutls[5]: REC[0x55baf0f22d60]: SSL 3.1 ChangeCipherSpec packet received. Epoch 0, length: 1
gnutls[5]: REC[0x55baf0f22d60]: Expected Packet Handshake(22)
gnutls[5]: REC[0x55baf0f22d60]: Received Packet ChangeCipherSpec(20) with length: 1
gnutls[10]: READ: Got 1 bytes from 0x4
gnutls[10]: READ: read 1 bytes from 0x4
gnutls[10]: RB: Have 5 bytes into buffer. Adding 1 bytes.
gnutls[10]: RB: Requested 6 bytes
gnutls[5]: REC[0x55baf0f22d60]: Decrypted Packet[1] ChangeCipherSpec(20) with length: 1
gnutls[3]: ASSERT: ../../lib/record.c[record_add_to_buffers]:907
gnutls[3]: ASSERT: ../../lib/record.c[_gnutls_recv_in_buffers]:1578
gnutls[3]: ASSERT: ../../lib/buffers.c[_gnutls_handshake_io_recv_int]:1467
gnutls[3]: ASSERT: ../../lib/handshake.c[_gnutls_recv_handshake]:1556
gnutls[3]: ASSERT: ../../lib/kx.c[_gnutls_recv_server_certificate]:749
gnutls[3]: ASSERT: ../../lib/handshake.c[handshake_client]:3008
gnutls[13]: BUF[HSK]: Emptied buffer
GnuTLS: An unexpected TLS packet was received.
gnutls[13]: BUF[HSK]: Emptied buffer
gnutls[5]: REC[0x55baf0f22d60]: Start of epoch cleanup
gnutls[5]: REC[0x55baf0f22d60]: End of epoch cleanup
gnutls[5]: REC[0x55baf0f22d60]: Epoch #0 freed
gnutls[5]: REC[0x55baf0f22d60]: Epoch #1 freed
Server does not want to resume the SSL session. Trying with a new one.
gnutls[5]: REC[0x55baf0f22d60]: Allocating epoch #0
gnutls[2]: added 6 protocols, 29 ciphersuites, 19 sig algos and 10 groups into priority list
gnutls[5]: REC[0x55baf0f22d60]: Allocating epoch #1
gnutls[4]: HSK[0x55baf0f22d60]: Adv. version: 3.3
gnutls[2]: Keeping ciphersuite 13.02 (GNUTLS_AES_256_GCM_SHA384)
gnutls[2]: Keeping ciphersuite 13.03 (GNUTLS_CHACHA20_POLY1305_SHA256)
gnutls[2]: Keeping ciphersuite 13.01 (GNUTLS_AES_128_GCM_SHA256)
gnutls[2]: Keeping ciphersuite 13.04 (GNUTLS_AES_128_CCM_SHA256)
gnutls[2]: Keeping ciphersuite c0.2c (GNUTLS_ECDHE_ECDSA_AES_256_GCM_SHA384)
gnutls[2]: Keeping ciphersuite cc.a9 (GNUTLS_ECDHE_ECDSA_CHACHA20_POLY1305)
gnutls[2]: Keeping ciphersuite c0.ad (GNUTLS_ECDHE_ECDSA_AES_256_CCM)
gnutls[2]: Keeping ciphersuite c0.0a (GNUTLS_ECDHE_ECDSA_AES_256_CBC_SHA1)
gnutls[2]: Keeping ciphersuite c0.2b (GNUTLS_ECDHE_ECDSA_AES_128_GCM_SHA256)
gnutls[2]: Keeping ciphersuite c0.ac (GNUTLS_ECDHE_ECDSA_AES_128_CCM)
gnutls[2]: Keeping ciphersuite c0.09 (GNUTLS_ECDHE_ECDSA_AES_128_CBC_SHA1)
gnutls[2]: Keeping ciphersuite c0.30 (GNUTLS_ECDHE_RSA_AES_256_GCM_SHA384)
gnutls[2]: Keeping ciphersuite cc.a8 (GNUTLS_ECDHE_RSA_CHACHA20_POLY1305)
gnutls[2]: Keeping ciphersuite c0.14 (GNUTLS_ECDHE_RSA_AES_256_CBC_SHA1)
gnutls[2]: Keeping ciphersuite c0.2f (GNUTLS_ECDHE_RSA_AES_128_GCM_SHA256)
gnutls[2]: Keeping ciphersuite c0.13 (GNUTLS_ECDHE_RSA_AES_128_CBC_SHA1)
gnutls[2]: Keeping ciphersuite 00.9d (GNUTLS_RSA_AES_256_GCM_SHA384)
gnutls[2]: Keeping ciphersuite c0.9d (GNUTLS_RSA_AES_256_CCM)
gnutls[2]: Keeping ciphersuite 00.35 (GNUTLS_RSA_AES_256_CBC_SHA1)
gnutls[2]: Keeping ciphersuite 00.9c (GNUTLS_RSA_AES_128_GCM_SHA256)
gnutls[2]: Keeping ciphersuite c0.9c (GNUTLS_RSA_AES_128_CCM)
gnutls[2]: Keeping ciphersuite 00.2f (GNUTLS_RSA_AES_128_CBC_SHA1)
gnutls[2]: Keeping ciphersuite 00.9f (GNUTLS_DHE_RSA_AES_256_GCM_SHA384)
gnutls[2]: Keeping ciphersuite cc.aa (GNUTLS_DHE_RSA_CHACHA20_POLY1305)
gnutls[2]: Keeping ciphersuite c0.9f (GNUTLS_DHE_RSA_AES_256_CCM)
gnutls[2]: Keeping ciphersuite 00.39 (GNUTLS_DHE_RSA_AES_256_CBC_SHA1)
gnutls[2]: Keeping ciphersuite 00.9e (GNUTLS_DHE_RSA_AES_128_GCM_SHA256)
gnutls[2]: Keeping ciphersuite c0.9e (GNUTLS_DHE_RSA_AES_128_CCM)
gnutls[2]: Keeping ciphersuite 00.33 (GNUTLS_DHE_RSA_AES_128_CBC_SHA1)
gnutls[4]: EXT[0x55baf0f22d60]: Preparing extension (OCSP Status Request/5) for 'client hello'
gnutls[4]: EXT[0x55baf0f22d60]: Sending extension OCSP Status Request/5 (5 bytes)
gnutls[4]: EXT[0x55baf0f22d60]: Preparing extension (Client Certificate Type/19) for 'client hello'
gnutls[4]: EXT[0x55baf0f22d60]: Preparing extension (Server Certificate Type/20) for 'client hello'
gnutls[4]: EXT[0x55baf0f22d60]: Preparing extension (Supported Groups/10) for 'client hello'
gnutls[4]: EXT[0x55baf0f22d60]: Sent group SECP256R1 (0x17)
gnutls[4]: EXT[0x55baf0f22d60]: Sent group SECP384R1 (0x18)
gnutls[4]: EXT[0x55baf0f22d60]: Sent group SECP521R1 (0x19)
gnutls[4]: EXT[0x55baf0f22d60]: Sent group X25519 (0x1d)
gnutls[4]: EXT[0x55baf0f22d60]: Sent group X448 (0x1e)
gnutls[4]: EXT[0x55baf0f22d60]: Sent group FFDHE2048 (0x100)
gnutls[4]: EXT[0x55baf0f22d60]: Sent group FFDHE3072 (0x101)
gnutls[4]: EXT[0x55baf0f22d60]: Sent group FFDHE4096 (0x102)
gnutls[4]: EXT[0x55baf0f22d60]: Sent group FFDHE6144 (0x103)
gnutls[4]: EXT[0x55baf0f22d60]: Sent group FFDHE8192 (0x104)
gnutls[4]: EXT[0x55baf0f22d60]: Sending extension Supported Groups/10 (22 bytes)
gnutls[4]: EXT[0x55baf0f22d60]: Preparing extension (Supported EC Point Formats/11) for 'client hello'
gnutls[4]: EXT[0x55baf0f22d60]: Sending extension Supported EC Point Formats/11 (2 bytes)
gnutls[4]: EXT[0x55baf0f22d60]: Preparing extension (SRP/12) for 'client hello'
gnutls[4]: EXT[0x55baf0f22d60]: Preparing extension (Signature Algorithms/13) for 'client hello'
gnutls[4]: EXT[0x55baf0f22d60]: sent signature algo (4.1) RSA-SHA256
gnutls[4]: EXT[0x55baf0f22d60]: sent signature algo (8.9) RSA-PSS-SHA256
gnutls[4]: EXT[0x55baf0f22d60]: sent signature algo (8.4) RSA-PSS-RSAE-SHA256
gnutls[4]: EXT[0x55baf0f22d60]: sent signature algo (4.3) ECDSA-SHA256
gnutls[4]: EXT[0x55baf0f22d60]: sent signature algo (8.7) EdDSA-Ed25519
gnutls[4]: EXT[0x55baf0f22d60]: sent signature algo (5.1) RSA-SHA384
gnutls[4]: EXT[0x55baf0f22d60]: sent signature algo (8.10) RSA-PSS-SHA384
gnutls[4]: EXT[0x55baf0f22d60]: sent signature algo (8.5) RSA-PSS-RSAE-SHA384
gnutls[4]: EXT[0x55baf0f22d60]: sent signature algo (5.3) ECDSA-SHA384
gnutls[4]: EXT[0x55baf0f22d60]: sent signature algo (8.8) EdDSA-Ed448
gnutls[4]: EXT[0x55baf0f22d60]: sent signature algo (6.1) RSA-SHA512
gnutls[4]: EXT[0x55baf0f22d60]: sent signature algo (8.11) RSA-PSS-SHA512
gnutls[4]: EXT[0x55baf0f22d60]: sent signature algo (8.6) RSA-PSS-RSAE-SHA512
gnutls[4]: EXT[0x55baf0f22d60]: sent signature algo (6.3) ECDSA-SHA512
gnutls[4]: EXT[0x55baf0f22d60]: sent signature algo (2.1) RSA-SHA1
gnutls[4]: EXT[0x55baf0f22d60]: sent signature algo (2.3) ECDSA-SHA1
gnutls[4]: EXT[0x55baf0f22d60]: Sending extension Signature Algorithms/13 (34 bytes)
gnutls[4]: EXT[0x55baf0f22d60]: Preparing extension (SRTP/14) for 'client hello'
gnutls[4]: EXT[0x55baf0f22d60]: Preparing extension (Heartbeat/15) for 'client hello'
gnutls[4]: EXT[0x55baf0f22d60]: Preparing extension (ALPN/16) for 'client hello'
gnutls[4]: EXT[0x55baf0f22d60]: Preparing extension (Encrypt-then-MAC/22) for 'client hello'
gnutls[4]: EXT[0x55baf0f22d60]: Preparing extension (Extended Master Secret/23) for 'client hello'
gnutls[4]: EXT[0x55baf0f22d60]: Preparing extension (Session Ticket/35) for 'client hello'
gnutls[4]: EXT[0x55baf0f22d60]: Sending extension Session Ticket/35 (0 bytes)
gnutls[4]: EXT[0x55baf0f22d60]: Preparing extension (Key Share/51) for 'client hello'
gnutls[4]: EXT[0x55baf0f22d60]: sending key share for SECP256R1
gnutls[4]: EXT[0x55baf0f22d60]: sending key share for X25519
gnutls[4]: EXT[0x55baf0f22d60]: Sending extension Key Share/51 (107 bytes)
gnutls[4]: EXT[0x55baf0f22d60]: Preparing extension (Supported Versions/43) for 'client hello'
gnutls[2]: Advertizing version 3.4
gnutls[2]: Advertizing version 3.3
gnutls[2]: Advertizing version 3.2
gnutls[2]: Advertizing version 3.1
gnutls[4]: EXT[0x55baf0f22d60]: Sending extension Supported Versions/43 (9 bytes)
gnutls[4]: EXT[0x55baf0f22d60]: Preparing extension (Post Handshake Auth/49) for 'client hello'
gnutls[4]: EXT[0x55baf0f22d60]: Sending extension Post Handshake Auth/49 (0 bytes)
gnutls[4]: EXT[0x55baf0f22d60]: Preparing extension (Safe Renegotiation/65281) for 'client hello'
gnutls[4]: EXT[0x55baf0f22d60]: Sending extension Safe Renegotiation/65281 (1 bytes)
gnutls[4]: EXT[0x55baf0f22d60]: Preparing extension (Server Name Indication/0) for 'client hello'
gnutls[2]: HSK[0x55baf0f22d60]: sent server name: 'bos-sr-2-36.akliz.net'
gnutls[4]: EXT[0x55baf0f22d60]: Sending extension Server Name Indication/0 (26 bytes)
gnutls[4]: EXT[0x55baf0f22d60]: Preparing extension (Cookie/44) for 'client hello'
gnutls[4]: EXT[0x55baf0f22d60]: Preparing extension (Early Data/42) for 'client hello'
gnutls[4]: EXT[0x55baf0f22d60]: Preparing extension (PSK Key Exchange Modes/45) for 'client hello'
gnutls[4]: EXT[0x55baf0f22d60]: Sending extension PSK Key Exchange Modes/45 (3 bytes)
gnutls[4]: EXT[0x55baf0f22d60]: Preparing extension (Record Size Limit/28) for 'client hello'
gnutls[4]: EXT[0x55baf0f22d60]: Sending extension Record Size Limit/28 (2 bytes)
gnutls[4]: EXT[0x55baf0f22d60]: Preparing extension (Maximum Record Size/1) for 'client hello'
gnutls[4]: EXT[0x55baf0f22d60]: Preparing extension (ClientHello Padding/21) for 'client hello'
gnutls[4]: EXT[0x55baf0f22d60]: Sending extension ClientHello Padding/21 (114 bytes)
gnutls[4]: EXT[0x55baf0f22d60]: Preparing extension (Pre Shared Key/41) for 'client hello'
gnutls[4]: HSK[0x55baf0f22d60]: CLIENT HELLO was queued [512 bytes]
gnutls[11]: HWRITE: enqueued [CLIENT HELLO] 512. Total 512 bytes.
gnutls[11]: HWRITE FLUSH: 512 bytes in buffer.
gnutls[5]: REC[0x55baf0f22d60]: Preparing Packet Handshake(22) with length: 512 and min pad: 0
gnutls[9]: ENC[0x55baf0f22d60]: cipher: NULL, MAC: MAC-NULL, Epoch: 0
gnutls[11]: WRITE: enqueued 517 bytes for 0x4. Total 517 bytes.
gnutls[5]: REC[0x55baf0f22d60]: Sent Packet[1] Handshake(22) in epoch 0 and length: 517
gnutls[11]: HWRITE: wrote 1 bytes, 0 bytes left.
gnutls[11]: WRITE FLUSH: 517 bytes in buffer.
gnutls[11]: WRITE: wrote 517 bytes, 0 bytes left.
gnutls[3]: ASSERT: ../../lib/buffers.c[get_last_packet]:1185
gnutls[10]: READ: Got 5 bytes from 0x4
gnutls[10]: READ: read 5 bytes from 0x4
gnutls[10]: RB: Have 0 bytes into buffer. Adding 5 bytes.
gnutls[10]: RB: Requested 5 bytes
gnutls[5]: REC[0x55baf0f22d60]: SSL 3.1 Handshake packet received. Epoch 0, length: 48
gnutls[5]: REC[0x55baf0f22d60]: Expected Packet Handshake(22)
gnutls[5]: REC[0x55baf0f22d60]: Received Packet Handshake(22) with length: 48
gnutls[10]: READ: Got 48 bytes from 0x4
gnutls[10]: READ: read 48 bytes from 0x4
gnutls[10]: RB: Have 5 bytes into buffer. Adding 48 bytes.
gnutls[10]: RB: Requested 53 bytes
gnutls[5]: REC[0x55baf0f22d60]: Decrypted Packet[0] Handshake(22) with length: 48
gnutls[13]: BUF[REC]: Inserted 48 bytes of Data(22)
gnutls[4]: HSK[0x55baf0f22d60]: KEY_UPDATE (24) was received. Length 15468356[44], frag offset 0, frag length: 44, sequence: 0
gnutls[3]: ASSERT: ../../lib/buffers.c[_gnutls_parse_record_buffered_msgs]:1317
gnutls[3]: ASSERT: ../../lib/buffers.c[get_last_packet]:1185
gnutls[10]: READ: Got 5 bytes from 0x4
gnutls[10]: READ: read 5 bytes from 0x4
gnutls[10]: RB: Have 0 bytes into buffer. Adding 5 bytes.
gnutls[10]: RB: Requested 5 bytes
gnutls[5]: REC[0x55baf0f22d60]: SSL 3.1 Alert packet received. Epoch 0, length: 32
gnutls[5]: REC[0x55baf0f22d60]: Expected Packet Handshake(22)
gnutls[5]: REC[0x55baf0f22d60]: Received Packet Alert(21) with length: 32
gnutls[10]: READ: Got 32 bytes from 0x4
gnutls[10]: READ: read 32 bytes from 0x4
gnutls[10]: RB: Have 5 bytes into buffer. Adding 32 bytes.
gnutls[10]: RB: Requested 37 bytes
gnutls[5]: REC[0x55baf0f22d60]: Decrypted Packet[1] Alert(21) with length: 32
gnutls[5]: REC[0x55baf0f22d60]: Alert[109|103] - (null) - was received
gnutls[3]: ASSERT: ../../lib/record.c[record_add_to_buffers]:892
gnutls[3]: ASSERT: ../../lib/record.c[_gnutls_recv_in_buffers]:1578
gnutls[3]: ASSERT: ../../lib/buffers.c[_gnutls_handshake_io_recv_int]:1467
gnutls[3]: ASSERT: ../../lib/handshake.c[_gnutls_recv_handshake]:1556
GnuTLS: A TLS warning alert has been received.
GnuTLS: received alert [103]: (unknown)
gnutls[3]: ASSERT: ../../lib/buffers.c[get_last_packet]:1185
gnutls[10]: READ: -1 returned from 0x4, errno=11 gerrno=0
gnutls[3]: ASSERT: ../../lib/buffers.c[_gnutls_io_read_buffered]:589
gnutls[3]: ASSERT: ../../lib/buffers.c[get_last_packet]:1185
gnutls[10]: READ: Got 0 bytes from 0x4
gnutls[10]: READ: read 0 bytes from 0x4
gnutls[3]: ASSERT: ../../lib/buffers.c[_gnutls_io_read_buffered]:593
gnutls[3]: ASSERT: ../../lib/record.c[recv_headers]:1184
gnutls[3]: ASSERT: ../../lib/record.c[_gnutls_recv_in_buffers]:1310
gnutls[3]: ASSERT: ../../lib/buffers.c[_gnutls_handshake_io_recv_int]:1467
gnutls[3]: ASSERT: ../../lib/handshake.c[_gnutls_recv_handshake]:1556
gnutls[3]: ASSERT: ../../lib/handshake.c[handshake_client]:2968
gnutls[13]: BUF[HSK]: Emptied buffer
GnuTLS: The TLS connection was non-properly terminated.
gnutls[13]: BUF[HSK]: Emptied buffer
gnutls[5]: REC[0x55baf0f22d60]: Start of epoch cleanup
gnutls[5]: REC[0x55baf0f22d60]: End of epoch cleanup
gnutls[5]: REC[0x55baf0f22d60]: Epoch #0 freed
gnutls[5]: REC[0x55baf0f22d60]: Epoch #1 freed
gnutls[13]: BUF[HSK]: Emptied buffer
gnutls[5]: REC[0x55baf0c5d760]: Start of epoch cleanup
gnutls[5]: REC[0x55baf0c5d760]: End of epoch cleanup
gnutls[5]: REC[0x55baf0c5d760]: Epoch #1 freed
gnutls[13]: BUF[HSK]: Emptied buffer
gnutls[5]: REC[0x55baf0c5d760]: Start of epoch cleanup
gnutls[5]: REC[0x55baf0c5d760]: End of epoch cleanup
gnutls[5]: REC[0x55baf0c5d760]: Epoch #1 freed
Closed fd 4
Could not perform SSL handshake.
~~~

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1152

From gnutls-devel at lists.gnutls.org Sat Jan 23 09:35:20 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sat, 23 Jan 2021 08:35:20 +0000
Subject: [gnutls-devel] GnuTLS | GnuTLS does not recognize the DirName and serial of the extension AKI (#991)

Issue was reopened by GOODPWDCETCSZ

Issue 991: https://gitlab.com/gnutls/gnutls/-/issues/991

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/991
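A triage helper for the gnutls debug log attached to issue #1152 above, added here as an example (not GnuTLS code and not part of the report). It groups the `gnutls[N]` lines into handshake attempts and flags the events worth escalating: a resumption attempt answered with ChangeCipherSpec where the Certificate message was expected, a legacy CBC/SHA1 suite on a TLS 1.0 data connection, a first server handshake message that is not ServerHello, and a record parsed as an alert whose level is not one RFC 5246 defines. The sample lines are an excerpt constructed from the report's log.

```python
"""Triage a GnuTLS debug log for handshake anomalies (added example)."""
import re

# Excerpt constructed from the debug log in issue #1152 (the real log has
# hundreds of lines between these; the "Adv. version" line is re-joined
# where the mail archive wrapped it).
SAMPLE_LOG = """\
gnutls[4]: HSK[0x55baf0f22d60]: Adv. version: 3.1
gnutls[4]: EXT[0x55baf0f22d60]: Sending extension Session Ticket/35 (192 bytes)
gnutls[4]: HSK[0x55baf0f22d60]: SERVER HELLO (2) was received. Length 77[77], frag offset 0, frag length: 77, sequence: 0
gnutls[4]: HSK[0x55baf0f22d60]: Server's version: 3.1
gnutls[4]: HSK[0x55baf0f22d60]: Selected cipher suite: GNUTLS_ECDHE_RSA_AES_128_CBC_SHA1
gnutls[5]: REC[0x55baf0f22d60]: Expected Packet Handshake(22)
gnutls[5]: REC[0x55baf0f22d60]: Received Packet ChangeCipherSpec(20) with length: 1
GnuTLS: An unexpected TLS packet was received.
Server does not want to resume the SSL session. Trying with a new one.
gnutls[4]: HSK[0x55baf0f22d60]: Adv. version: 3.3
gnutls[4]: EXT[0x55baf0f22d60]: Sending extension Session Ticket/35 (0 bytes)
gnutls[4]: HSK[0x55baf0f22d60]: KEY_UPDATE (24) was received. Length 15468356[44], frag offset 0, frag length: 44, sequence: 0
gnutls[5]: REC[0x55baf0f22d60]: Expected Packet Handshake(22)
gnutls[5]: REC[0x55baf0f22d60]: Received Packet Alert(21) with length: 32
gnutls[5]: REC[0x55baf0f22d60]: Alert[109|103] - (null) - was received
GnuTLS: The TLS connection was non-properly terminated.
"""

# GnuTLS prints record-layer version numbers; map them to protocol names.
VERSION_NAMES = {"3.0": "SSL3.0", "3.1": "TLS1.0", "3.2": "TLS1.1",
                 "3.3": "TLS1.2", "3.4": "TLS1.3"}

RE_ADV = re.compile(r"HSK\[\w+\]: Adv\. version: (\d\.\d)")
RE_SRV = re.compile(r"HSK\[\w+\]: Server's version: (\d\.\d)")
RE_TICKET = re.compile(r"Sending extension Session Ticket/35 \((\d+) bytes\)")
RE_SUITE = re.compile(r"Selected cipher suite: (\S+)")
RE_HSK = re.compile(r"HSK\[\w+\]: ([A-Z_ ]+) \((\d+)\) was received\. Length (\d+)\[(\d+)\]")
RE_EXPECT = re.compile(r"Expected Packet (\w+)\((\d+)\)")
RE_RECV = re.compile(r"Received Packet (\w+)\((\d+)\)")
RE_ALERT = re.compile(r"Alert\[(\d+)\|(\d+)\]")


def triage(log_text):
    """Return one dict per handshake attempt with the findings for that attempt."""
    attempts, cur, expected = [], None, None
    for line in log_text.splitlines():
        m = RE_ADV.search(line)
        if m:  # "Adv. version" opens a new ClientHello, i.e. a new attempt
            cur = {"advertised": VERSION_NAMES.get(m.group(1), m.group(1)),
                   "server": None, "suite": None, "resumption": False, "findings": []}
            attempts.append(cur)
            continue
        if cur is None:
            continue
        if (m := RE_TICKET.search(line)) and int(m.group(1)) > 0:
            cur["resumption"] = True  # a non-empty ticket means the client tried to resume
        elif m := RE_SRV.search(line):
            cur["server"] = VERSION_NAMES.get(m.group(1), m.group(1))
        elif m := RE_SUITE.search(line):
            cur["suite"] = m.group(1)
            if "_CBC_" in cur["suite"] or cur["suite"].endswith("_SHA1"):
                cur["findings"].append("legacy suite negotiated: " + cur["suite"])
        elif m := RE_HSK.search(line):
            name = m.group(1).strip()
            # Before the server's version is known, the only legitimate
            # handshake message from the server is ServerHello.
            if cur["server"] is None and name != "SERVER HELLO":
                cur["findings"].append(
                    f"first server handshake message is {name}, not SERVER HELLO "
                    f"(declared length {m.group(3)} bytes, {m.group(4)} in this fragment)")
        elif m := RE_EXPECT.search(line):
            expected = m.group(1)
        elif m := RE_RECV.search(line):
            if expected and m.group(1) != expected:
                cur["findings"].append(f"expected {expected} record, got {m.group(1)}")
            expected = None
        elif m := RE_ALERT.search(line):
            level, desc = int(m.group(1)), int(m.group(2))
            if level not in (1, 2):  # RFC 5246 defines only warning(1) and fatal(2)
                cur["findings"].append(
                    f"alert level {level} is not a valid TLS alert level (description {desc})")
        elif "does not want to resume" in line:
            cur["findings"].append("resumption refused, falling back to a full handshake")
    return attempts


if __name__ == "__main__":
    for i, a in enumerate(triage(SAMPLE_LOG), 1):
        print(f"attempt {i}: client {a['advertised']}, server {a['server']}, "
              f"suite {a['suite']}, resumption={a['resumption']}")
        for finding in a["findings"]:
            print("   -", finding)
```

Run it over a full `gnutls-cli --debug` or wget capture to get the same per-attempt summary; the second attempt in this log shows the server's reply no longer parsing as TLS at all.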
URL: From gnutls-devel at lists.gnutls.org Sat Jan 23 09:35:46 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Sat, 23 Jan 2021 08:35:46 +0000 Subject: [gnutls-devel] GnuTLS | GnuTLS does not recognize the DirName and serial of the extension AKI (#991) In-Reply-To: References: Message-ID: Issue was closed by GOODPWDCETCSZ Issue #991: https://gitlab.com/gnutls/gnutls/-/issues/991 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/991 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat Jan 23 13:36:59 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Sat, 23 Jan 2021 12:36:59 +0000 Subject: [gnutls-devel] GnuTLS | A certificate which has no subject public key is parsed by GnuTLS with inconsistent notifications between v3.5.5 and v.3.6.13. (#1154) References: Message-ID: GOODPWDCETCSZ created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1154 ## Description of problem: A certificate which has no subject public key is parsed by GnuTLS. GnuTLS v3.5.5 notifies that "error: get_key_id: ASN1 parser: Element was not found." while GnuTLS v3.6.13 gives no warning or error. OpenSSL and ZCertificate report error in parsing this certificate. 
## Version of gnutls used:

3.5.5, 3.6.13

## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)

Ubuntu

## How reproducible:

Steps to Reproduce:

* certtool -in --infile seed-0u0.pem

## Actual results:

v3.5.5

```
X.509 Certificate Information:
	Version: 3
	Serial Number (hex): 02
	Issuer: C=UN,ST=NYS,O=UNGA,OU=UNSC,CN=DT
	Validity:
		Not Before: Tue Jun 25 19:55:19 UTC 2019
		Not After: Mon Jan 21 03:29:38 UTC 2030
	Subject: C=UN,ST=NYS,O=UNGA,OU=UNSC-peace,CN=DT-peace
	Extensions:
		Authority Key Identifier (not critical):
			ead39df2fa12151d6b90011f1ddb277fafd165d7
		Subject Key Identifier (not critical):
			bc93a7c14d51a1b11e5dc9c191eadb5b53d5bc58
		Key Usage (critical):
			Certificate signing.
		Basic Constraints (critical):
			Certificate Authority (CA): FALSE
	Signature Algorithm: RSA-SHA256
	Signature:
		9f:71:46:8f:ce:62:f2:05:59:b4:38:c1:d1:d8:40:3e
		34:33:07:7a:57:42:5c:96:27:9f:b9:fe:5c:5f:40:71
		d5:d7:7d:01:4c:07:cd:2c:28:12:cd:07:ca:9b:a3:f2
		14:8f:c3:42:84:bb:d4:7b:18:17:b7:e5:25:96:32:1c
		25:c3:12:5c:46:53:f0:5d:99:9f:e8:7a:c7:d4:c9:fa
		90:c0:15:b9:ce:e2:0c:34:18:35:2b:d8:0b:8a:75:b3
		9e:cf:02:14:d2:c2:1a:4f:3b:9c:0f:70:a8:92:c2:a5
		be:f4:54:54:b2:63:a1:54:22:7d:f4:d6:04:e3:78:1e
		f4:83:a5:a2:b2:d7:de:31:47:13:c7:1b:8f:28:f2:07
		d4:27:45:39:89:e5:73:e2:37:ae:d5:8d:59:d8:03:08
		94:10:65:9c:5b:54:95:e8:73:f3:04:d3:65:83:71:1e
		57:0b:95:68:a4:f3:9e:b5:9e:ad:fb:54:92:df:75:a4
		5d:aa:19:41:a8:bb:bb:96:22:90:82:a6:34:7d:3a:ae
		42:07:20:81:39:4f:4d:04:28:1e:a7:6e:92:b3:26:f1
		21:47:46:48:99:3f:a9:16:39:e4:49:af:30:da:6b:83
		b7:ee:0f:0c:f8:42:32:b7:46:98:01:20:d1:5e:76:0c
		ee:74:57:34:9d:37:3a:87:eb:ca:b8:cc:c2:58:64:b7
		aa:c9:62:7e:48:42:ee:e6:bf:8b:cc:b8:ef:f0:7c:59
		ff:0c:53:e3:e9:2e:61:7c:fb:2d:03:a9:3d:10:22:d6
		2e:6e:79:68:7b:ac:47:a8:4b:30:cf:fb:11:c7:6a:eb
		59:47:ea:51:33:4c:4c:07:73:a6:12:b7:15:85:9c:69
		1e:9b:c0:0a:7d:9e:15:85:57:38:7c:f6:51:4a:c7:a5
		91:e6:00:86:bf:1a:f3:9d:6f:99:b4:a9:78:e1:1a:10
		c0:15:6b:fc:69:6a:bc:02:eb:ab:d7:22:d4:6c:69:e1
		22:11:85:90:e6:97:6b:d5:c0:89:86:63:81:db:df:3f
		48:4f:be:11:a2:30:b7:bf:bd:5b:2c:3f:0e:49:e6:1c
		94:be:52:48:64:35:4c:71:22:9c:a7:21:8b:8e:5d:c5
		a4:80:34:25:e1:29:ac:41:ab:6a:85:5b:b0:3e:3c:18
		cc:15:72:75:80:9d:1d:76:b2:97:b3:d7:b6:48:ca:e3
		37:b1:45:55:69:b6:1d:d8:92:82:01:68:2a:36:a1:24
		df:88:0f:bc:32:86:79:c3:f8:09:8b:c2:15:30:96:90
		64:81:fc:8a:54:e5:cf:de:0e:fc:14:52:03:8d:c6:00
Other Information:
	SHA1 fingerprint:
		7ce3cb5c9182e83dee93c7a54fd2c59e63b0f537
	SHA256 fingerprint:
		676b4d86cca0a5421201013c295ae584fa2fa359cfcf4f7a9dc713b8dca3d892
error: get_key_id: ASN1 parser: Element was not found.

-----BEGIN CERTIFICATE-----
MIIDWDCCAUCgAwIBAgIBAjANBgkqhkiG9w0BAQsFADBGMQswCQYDVQQGEwJVTjEM
MAoGA1UECAwDTllTMQ0wCwYDVQQKDARVTkdBMQ0wCwYDVQQLDARVTlNDMQswCQYD
VQQDDAJEVDAiGA8yMDE5MDYyNTE5NTUxOVoYDzIwMzAwMTIxMDMyOTM4WjBSMQsw
CQYDVQQGEwJVTjEMMAoGA1UECAwDTllTMQ0wCwYDVQQKDARVTkdBMRMwEQYDVQQL
DApVTlNDLXBlYWNlMREwDwYDVQQDDAhEVC1wZWFjZTAFMAADAQCjYDBeMB8GA1Ud
IwQYMBaAFOrTnfL6EhUda5ABHx3bJ3+v0WXXMB0GA1UdDgQWBBS8k6fBTVGhsR5d
ycGR6ttbU9W8WDAOBgNVHQ8BAf8EBAMCAgQwDAYDVR0TAQH/BAIwADANBgkqhkiG
9w0BAQsFAAOCAgEAn3FGj85i8gVZtDjB0dhAPjQzB3pXQlyWJ5+5/lxfQHHV130B
TAfNLCgSzQfKm6PyFI/DQoS71HsYF7flJZYyHCXDElxGU/BdmZ/oesfUyfqQwBW5
zuIMNBg1K9gLinWzns8CFNLCGk87nA9wqJLCpb70VFSyY6FUIn301gTjeB70g6Wi
stfeMUcTxxuPKPIH1CdFOYnlc+I3rtWNWdgDCJQQZZxbVJXoc/ME02WDcR5XC5Vo
pPOetZ6t+1SS33WkXaoZQai7u5YikIKmNH06rkIHIIE5T00EKB6nbpKzJvEhR0ZI
mT+pFjnkSa8w2muDt+4PDPhCMrdGmAEg0V52DO50VzSdNzqH68q4zMJYZLeqyWJ+
SELu5r+LzLjv8HxZ/wxT4+kuYXz7LQOpPRAi1i5ueWh7rEeoSzDP+xHHautZR+pR
M0xMB3OmErcVhZxpHpvACn2eFYVXOHz2UUrHpZHmAIa/GvOdb5m0qXjhGhDAFWv8
aWq8Auur1yLUbGnhIhGFkOaXa9XAiYZjgdvfP0hPvhGiMLe/vVssPw5J5hyUvlJI
ZDVMcSKcpyGLjl3FpIA0JeEprEGraoVbsD48GMwVcnWAnR12spez17ZIyuM3sUVV
abYd2JKCAWgqNqEk34gPvDKGecP4CYvCFTCWkGSB/IpU5c/eDvwUUgONxgA=
-----END CERTIFICATE-----
```

**v3.6.13**

```
X.509 Certificate Information:
	Version: 3
	Serial Number (hex): 02
	Issuer: CN=DT,OU=UNSC,O=UNGA,ST=NYS,C=UN
	Validity:
		Not Before: Tue Jun 25 19:55:19 UTC 2019
		Not After: Mon Jan 21 03:29:38 UTC 2030
	Subject: CN=DT-peace,OU=UNSC-peace,O=UNGA,ST=NYS,C=UN
	Extensions:
		Authority Key Identifier (not critical):
			ead39df2fa12151d6b90011f1ddb277fafd165d7
		Subject Key Identifier (not critical):
			bc93a7c14d51a1b11e5dc9c191eadb5b53d5bc58
		Key Usage (critical):
			Certificate signing.
		Basic Constraints (critical):
			Certificate Authority (CA): FALSE
	Signature Algorithm: RSA-SHA256
	Signature:
		9f:71:46:8f:ce:62:f2:05:59:b4:38:c1:d1:d8:40:3e
		34:33:07:7a:57:42:5c:96:27:9f:b9:fe:5c:5f:40:71
		d5:d7:7d:01:4c:07:cd:2c:28:12:cd:07:ca:9b:a3:f2
		14:8f:c3:42:84:bb:d4:7b:18:17:b7:e5:25:96:32:1c
		25:c3:12:5c:46:53:f0:5d:99:9f:e8:7a:c7:d4:c9:fa
		90:c0:15:b9:ce:e2:0c:34:18:35:2b:d8:0b:8a:75:b3
		9e:cf:02:14:d2:c2:1a:4f:3b:9c:0f:70:a8:92:c2:a5
		be:f4:54:54:b2:63:a1:54:22:7d:f4:d6:04:e3:78:1e
		f4:83:a5:a2:b2:d7:de:31:47:13:c7:1b:8f:28:f2:07
		d4:27:45:39:89:e5:73:e2:37:ae:d5:8d:59:d8:03:08
		94:10:65:9c:5b:54:95:e8:73:f3:04:d3:65:83:71:1e
		57:0b:95:68:a4:f3:9e:b5:9e:ad:fb:54:92:df:75:a4
		5d:aa:19:41:a8:bb:bb:96:22:90:82:a6:34:7d:3a:ae
		42:07:20:81:39:4f:4d:04:28:1e:a7:6e:92:b3:26:f1
		21:47:46:48:99:3f:a9:16:39:e4:49:af:30:da:6b:83
		b7:ee:0f:0c:f8:42:32:b7:46:98:01:20:d1:5e:76:0c
		ee:74:57:34:9d:37:3a:87:eb:ca:b8:cc:c2:58:64:b7
		aa:c9:62:7e:48:42:ee:e6:bf:8b:cc:b8:ef:f0:7c:59
		ff:0c:53:e3:e9:2e:61:7c:fb:2d:03:a9:3d:10:22:d6
		2e:6e:79:68:7b:ac:47:a8:4b:30:cf:fb:11:c7:6a:eb
		59:47:ea:51:33:4c:4c:07:73:a6:12:b7:15:85:9c:69
		1e:9b:c0:0a:7d:9e:15:85:57:38:7c:f6:51:4a:c7:a5
		91:e6:00:86:bf:1a:f3:9d:6f:99:b4:a9:78:e1:1a:10
		c0:15:6b:fc:69:6a:bc:02:eb:ab:d7:22:d4:6c:69:e1
		22:11:85:90:e6:97:6b:d5:c0:89:86:63:81:db:df:3f
		48:4f:be:11:a2:30:b7:bf:bd:5b:2c:3f:0e:49:e6:1c
		94:be:52:48:64:35:4c:71:22:9c:a7:21:8b:8e:5d:c5
		a4:80:34:25:e1:29:ac:41:ab:6a:85:5b:b0:3e:3c:18
		cc:15:72:75:80:9d:1d:76:b2:97:b3:d7:b6:48:ca:e3
		37:b1:45:55:69:b6:1d:d8:92:82:01:68:2a:36:a1:24
		df:88:0f:bc:32:86:79:c3:f8:09:8b:c2:15:30:96:90
		64:81:fc:8a:54:e5:cf:de:0e:fc:14:52:03:8d:c6:00
Other Information:
	Fingerprint:
		sha1:7ce3cb5c9182e83dee93c7a54fd2c59e63b0f537
		sha256:676b4d86cca0a5421201013c295ae584fa2fa359cfcf4f7a9dc713b8dca3d892

-----BEGIN CERTIFICATE-----
MIIDWDCCAUCgAwIBAgIBAjANBgkqhkiG9w0BAQsFADBGMQswCQYDVQQGEwJVTjEM
MAoGA1UECAwDTllTMQ0wCwYDVQQKDARVTkdBMQ0wCwYDVQQLDARVTlNDMQswCQYD
VQQDDAJEVDAiGA8yMDE5MDYyNTE5NTUxOVoYDzIwMzAwMTIxMDMyOTM4WjBSMQsw
CQYDVQQGEwJVTjEMMAoGA1UECAwDTllTMQ0wCwYDVQQKDARVTkdBMRMwEQYDVQQL
DApVTlNDLXBlYWNlMREwDwYDVQQDDAhEVC1wZWFjZTAFMAADAQCjYDBeMB8GA1Ud
IwQYMBaAFOrTnfL6EhUda5ABHx3bJ3+v0WXXMB0GA1UdDgQWBBS8k6fBTVGhsR5d
ycGR6ttbU9W8WDAOBgNVHQ8BAf8EBAMCAgQwDAYDVR0TAQH/BAIwADANBgkqhkiG
9w0BAQsFAAOCAgEAn3FGj85i8gVZtDjB0dhAPjQzB3pXQlyWJ5+5/lxfQHHV130B
TAfNLCgSzQfKm6PyFI/DQoS71HsYF7flJZYyHCXDElxGU/BdmZ/oesfUyfqQwBW5
zuIMNBg1K9gLinWzns8CFNLCGk87nA9wqJLCpb70VFSyY6FUIn301gTjeB70g6Wi
stfeMUcTxxuPKPIH1CdFOYnlc+I3rtWNWdgDCJQQZZxbVJXoc/ME02WDcR5XC5Vo
pPOetZ6t+1SS33WkXaoZQai7u5YikIKmNH06rkIHIIE5T00EKB6nbpKzJvEhR0ZI
mT+pFjnkSa8w2muDt+4PDPhCMrdGmAEg0V52DO50VzSdNzqH68q4zMJYZLeqyWJ+
SELu5r+LzLjv8HxZ/wxT4+kuYXz7LQOpPRAi1i5ueWh7rEeoSzDP+xHHautZR+pR
M0xMB3OmErcVhZxpHpvACn2eFYVXOHz2UUrHpZHmAIa/GvOdb5m0qXjhGhDAFWv8
aWq8Auur1yLUbGnhIhGFkOaXa9XAiYZjgdvfP0hPvhGiMLe/vVssPw5J5hyUvlJI
ZDVMcSKcpyGLjl3FpIA0JeEprEGraoVbsD48GMwVcnWAnR12spez17ZIyuM3sUVV
abYd2JKCAWgqNqEk34gPvDKGecP4CYvCFTCWkGSB/IpU5c/eDvwUUgONxgA=
-----END CERTIFICATE-----
```

OpenSSL

```
unable to load certificate
139647535469888:error:0D078079:asn1 encoding routines:asn1_item_embed_d2i:field missing:../crypto/asn1/tasn_dec.c:425:Field=algorithm, Type=X509_ALGOR
139647535469888:error:0D08303A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error:../crypto/asn1/tasn_dec.c:646:Field=algor, Type=X509_PUBKEY
139647535469888:error:0D08303A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error:../crypto/asn1/tasn_dec.c:646:Field=key, Type=X509_CINF
139647535469888:error:0D08303A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error:../crypto/asn1/tasn_dec.c:646:Field=cert_info, Type=X509
139647535469888:error:0906700D:PEM routines:PEM_ASN1_read_bio:ASN1 lib:../crypto/pem/pem_oth.c:33:
```

ZCertificate:

```
INFO[0000] reading from seed-0u0.pem
INFO[0000] writing to stdout
ERRO[0000] could not parse certificate: asn1: syntax error: sequence truncated
```

[seed-0u0.pem](/uploads/060d3deb0910ffa3882436217d763e9d/seed-0u0.pem)

## Expected results:

Consistent warning and error notification.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1154

From gnutls-devel at lists.gnutls.org Sun Jan 24 07:42:24 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sun, 24 Jan 2021 06:42:24 +0000
Subject: [gnutls-devel] GnuTLS | handshake: TLS 1.3: don't generate session ID in resumption mode (!1381)

Daiki Ueno created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1381

Project:Branches: dueno/gnutls:wip/dueno/hrr-resumption to gnutls/gnutls:master
Author: Daiki Ueno

Add a description of the new feature/bug fix. Reference any relevant bugs.
## Checklist

* [x] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [ ] Code modified for feature
* [ ] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
* [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:

* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1381

From gnutls-devel at lists.gnutls.org Sun Jan 24 07:55:26 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sun, 24 Jan 2021 06:55:26 +0000
Subject: [gnutls-devel] GnuTLS | safe-memfuncs: rely on explicit_bzero implementation from gnulib (!1382)

Daiki Ueno created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1382

Project:Branches: dueno/gnutls:wip/dueno/memset to gnutls/gnutls:master
Author: Daiki Ueno

Also remove nonsensical tests.
Fixes: #1125

## Checklist

* [x] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [ ] Code modified for feature
* [ ] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
* [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:

* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1382

From gnutls-devel at lists.gnutls.org Mon Jan 25 10:37:52 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Mon, 25 Jan 2021 09:37:52 +0000
Subject: [gnutls-devel] GnuTLS | GnuTLS client sends early data after receiving Server Hello (#1146)

Daiki Ueno commented:

Thank you so much for the report, and sorry for the long delay. Yes, it's indeed bad (as that means the 0-RTT in client doesn't work at all, sigh...), though the fix wouldn't be trivial, because:

- the session data stored by the client needs to record the previously negotiated version and ciphersuites; which is not the case currently and it's determined only after the server advertises those
- the epoch management mechanism doesn't take those parameters into account either, so we need to save/restore the parameters around sending early data

I'll pick this up in the next release (3.7.1) anyway.
--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1146#note_492973603

From gnutls-devel at lists.gnutls.org Mon Jan 25 14:24:08 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Mon, 25 Jan 2021 13:24:08 +0000
Subject: [gnutls-devel] GnuTLS | gnutls_certificate_set_x509_key(): deinitialize pcerts array elements during cleanup (!1378)

Merge Request !1378 was approved by Daiki Ueno

Merge Request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1378
Project:Branches: incentive.design/gnutls:pcert_deinit_on_cleanup to gnutls/gnutls:master
Author: Tom Carroll
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1378

From gnutls-devel at lists.gnutls.org Mon Jan 25 14:24:26 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Mon, 25 Jan 2021 13:24:26 +0000
Subject: [gnutls-devel] GnuTLS | gnutls_certificate_set_x509_key(): deinitialize pcerts array elements during cleanup (!1378)

Merge Request !1378 was merged

Merge Request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1378
Project:Branches: incentive.design/gnutls:pcert_deinit_on_cleanup to gnutls/gnutls:master
Author: Tom Carroll
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1378
From gnutls-devel at lists.gnutls.org Mon Jan 25 14:24:20 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Mon, 25 Jan 2021 13:24:20 +0000
Subject: [gnutls-devel] GnuTLS | gnutls_certificate_set_x509_key(): deinitialize pcerts array elements during cleanup (!1378)

Daiki Ueno commented:

Thank you! Looks good to me.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1378#note_493200228

From gnutls-devel at lists.gnutls.org Mon Jan 25 14:26:39 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Mon, 25 Jan 2021 13:26:39 +0000
Subject: [gnutls-devel] GnuTLS | GnuTLS cannot parse the extension Freshest CRL (#1156)

GOODPWDCETCSZ created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1156

## Description of problem:

GnuTLS cannot parse the extension Freshest CRL

## Version of gnutls used:

3.5.5, 3.6.13

## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)

Ubuntu x64

## How reproducible:

Steps to Reproduce:

* certtool -i --infile seed-7s35-9s14-10s18-26s21.pem

## Actual results:

```
Unknown extension 2.5.29.46 (not critical):
ASCII: 0K0I....0...U....kioxia.com......+..g at h.com..www.example.com..www.b.com/c.ext
Hexdump: 304b3049a015a113301106035504030c0a6b696f7869612e636f6d8103077f80a22b81076740682e636f6d820f7777772e6578616d706c652e636f6d860f7777772e622e636f6d2f632e657874
```

## Expected results:

similar to the following:

```
X509v3 Freshest CRL:
    Relative Name:
      CN = kioxia.com
    Reasons: Key Compromise, CA Compromise, Affiliation Changed, Superseded, Cessation Of Operation, Certificate Hold, Privilege Withdrawn, AA Compromise
    CRL Issuer:
      email:g at h.com
      DNS:www.example.com
      URI:www.b.com/c.ext
```

[seed-7s35-9s14-10s18-26s21.zip](/uploads/4e0e35777ef5d4417a010a0051cc63bb/seed-7s35-9s14-10s18-26s21.zip)

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1156

From gnutls-devel at lists.gnutls.org Mon Jan 25 14:28:32 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Mon, 25 Jan 2021 13:28:32 +0000
Subject: [gnutls-devel] GnuTLS | Verify that cert_list_size > 0 and cert_list != NULL (!1379)

Daiki Ueno started a new discussion on lib/cert-cred-x509.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1379#note_493204236

> int ca_list_size)
> {
> int ret, i, j;
> - gnutls_x509_crt_t *new_list = gnutls_malloc(ca_list_size * sizeof(gnutls_x509_crt_t));
> + gnutls_x509_crt_t *new_list;
> +
> + if (ca_list == NULL || ca_list_size < 1)
> + return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
>
> + new_list = gnutls_malloc(ca_list_size * sizeof(gnutls_x509_crt_t));

Although it's unlikely in this case, it might be a good practice to use `gnutls_calloc` here to avoid overflow: https://redhat-crypto.gitlab.io/defensive-coding-guide/#sect-Defensive_Coding-C-Allocators-Arrays

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1379#note_493204236
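Review bot: the re-added `new_list = gnutls_malloc(ca_list_size * sizeof(gnutls_x509_crt_t));` still multiplies the caller-supplied `int ca_list_size` by `sizeof`, so the new `ca_list == NULL || ca_list_size < 1` guard rejects NULL, zero and negative counts but not a count large enough to wrap the product into a short allocation; `gnutls_calloc(ca_list_size, sizeof(gnutls_x509_crt_t))` performs that overflow check itself, and an explicit upper bound on `ca_list_size` next to the guard would make the accepted range visible to callers.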
From gnutls-devel at lists.gnutls.org Mon Jan 25 15:09:13 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Mon, 25 Jan 2021 14:09:13 +0000
Subject: [gnutls-devel] GnuTLS | GnuTLS cannot parse the extension Policy Constraints (#1157)

GOODPWDCETCSZ created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1157

## Description of problem:

GnuTLS cannot parse the extension Policy Constraints

## Version of gnutls used:

3.5.5, 3.6.13

## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)

Ubuntu x64

## How reproducible:

Steps to Reproduce:

* `certtool -i --infile seed-7s35-9s14-37s37-55s29-750s39.pem`

## Actual results:

> Unknown extension 2.5.29.36 (not critical):
> ASCII: 0.......
> Hexdump: 3006800101810102

## Expected results:

similar to the following.

> X509v3 Policy Constraints:
> Require Explicit Policy:1, Inhibit Policy Mapping:2

[seed-7s35-9s14-37s37-55s29-750s39.zip](/uploads/38821b6e0b509e78c7dc8adcd130a2d3/seed-7s35-9s14-37s37-55s29-750s39.zip)

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1157
From gnutls-devel at lists.gnutls.org Mon Jan 25 15:13:49 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Mon, 25 Jan 2021 14:13:49 +0000
Subject: [gnutls-devel] GnuTLS | GnuTLS cannot parse the extension Subject Information Access (#1158)

GOODPWDCETCSZ created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1158

## Description of problem:

GnuTLS cannot parse the extension Subject Information Access

## Version of gnutls used:

3.5.5, 3.6.13

## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)

Ubuntu x64

## How reproducible:

Steps to Reproduce:

* `certtool -i --infile seed-7s35-9s14-37s37-55s29-750s39.pem`
* `openssl asn1parse -genstr OID:1.3.6.1.5.5.7.1.11`
  > 0:d=0 hl=2 l= 8 prim: OBJECT :Subject Information Access

## Actual results:

> Unknown extension 1.3.6.1.5.5.7.1.11 (critical):
> ASCII: 0y0...+.....0...ldap://http:/un.org0/..+.....0..#https://www.ca-issuer.com/ca-issuer0%..+.....0...https://ocsp.com/ocsp.ext
> Hexdump: 3079301f06082b0601050507300186136c6461703a2f2f687474703a2f756e2e6f7267302f06082b06010505073002862368747470733a2f2f7777772e63612d6973737565722e636f6d2f63612d697373756572302506082b06010505073001861968747470733a2f2f6f6373702e636f6d2f6f6373702e657874

## Expected results:

something like this:

> Subject Information Access: critical
> OCSP - URI:ldap://http:/un.org
> CA Issuers - URI:https://www.ca-issuer.com/ca-issuer
> OCSP - URI:https://ocsp.com/ocsp.ext

[seed-7s35-9s14-37s37-55s29-750s39.zip](/uploads/6d6d8665c2b9144b88691e02e1c2a45d/seed-7s35-9s14-37s37-55s29-750s39.zip)

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1158
From gnutls-devel at lists.gnutls.org Mon Jan 25 15:15:09 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Mon, 25 Jan 2021 14:15:09 +0000
Subject: [gnutls-devel] GnuTLS | Sockets: implement sendmsg()-like function on Win32 (!1377)

Merge request https://gitlab.com/gnutls/gnutls/-/merge_requests/1377 was reviewed by Daiki Ueno

--

Daiki Ueno started a new discussion on lib/system/sockets.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1377#note_493250985

> + ++to_send_cnt) {
> + if (to_send_bytes + iovec[to_send_cnt].iov_len > SSIZE_MAX ||
> + iovec[to_send_cnt].iov_len > SSIZE_MAX) {

Aren't those two conditions around `||` redundant (i.e. given `to_send_bytes` is non-negative, the former condition is stricter than the latter)?

--

Daiki Ueno started a new discussion on lib/system/sockets.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1377#note_493250993

> + (space_left > ULONG_MAX ?
> + ULONG_MAX : space_left);
> + ovrflwn = true;

Can't it simply `break`?

--

Daiki Ueno started a new discussion on lib/system/sockets.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1377#note_493250999

> + bufs[to_send_cnt].len =
> + (unsigned long) iovec[to_send_cnt].iov_len;
> + to_send_bytes += iovec[to_send_cnt].iov_len;

I'm lost on this `to_send_bytes` tracking: do I understand correctly that `WSASend` only accepts total bytes < `SSIZE_MAX`?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1377
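Review bot: the two clauses in `if (to_send_bytes + iovec[to_send_cnt].iov_len > SSIZE_MAX || iovec[to_send_cnt].iov_len > SSIZE_MAX)` are not fully redundant, because the addition is performed in `size_t` and wraps when `iov_len` alone exceeds `SSIZE_MAX` while `to_send_bytes` is non-zero, which makes the first comparison false; writing the guard as `iovec[to_send_cnt].iov_len > SSIZE_MAX - to_send_bytes` cannot wrap (the loop keeps `to_send_bytes <= SSIZE_MAX`) and needs only one clause.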
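Review bot: `bufs[to_send_cnt].len = (unsigned long) iovec[to_send_cnt].iov_len;` narrows a `size_t` to `unsigned long`, which is 32 bits on 64-bit Windows (LLP64), so the `SSIZE_MAX` check in the first hunk does not bound the value that reaches the `WSABUF`; unless the `ULONG_MAX` clamp in the second hunk is guaranteed to have applied to this element first, a single iovec longer than `ULONG_MAX` would be silently truncated, and a check or the clamp directly before the cast would make that explicit.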
From gnutls-devel at lists.gnutls.org Mon Jan 25 15:15:48 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Mon, 25 Jan 2021 14:15:48 +0000
Subject: [gnutls-devel] GnuTLS | Sockets: implement sendmsg()-like function on Win32 (!1377)

Daiki Ueno commented:

Looks like a great improvement overall, thanks!

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1377#note_493251671

From gnutls-devel at lists.gnutls.org Mon Jan 25 15:22:00 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Mon, 25 Jan 2021 14:22:00 +0000
Subject: [gnutls-devel] GnuTLS | GnuTLS cannot parse the extension Netscape Cert Type (#1159)

GOODPWDCETCSZ created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1159

## Description of problem:

GnuTLS cannot parse the extension Netscape Cert Type.

## Version of gnutls used:

3.5.5, 3.6.13

## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)

Ubuntu x64

## How reproducible:

Steps to Reproduce:

* `certtool -i --infile seed-7s35-9s14-37s37-55s29-750s39.pem`

## Actual results:

```
Unknown extension 2.16.840.1.113730.1.1 (critical):
ASCII: ....
Hexdump: 030206c0
```

## Expected results:

similar to the following

```
Netscape Cert Type: critical
SSL Client, SSL Server
```

[seed-7s35-9s14-37s37-55s29-750s39.zip](/uploads/d87f45714888b814aae9a78d585e18f5/seed-7s35-9s14-37s37-55s29-750s39.zip)

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1159
From gnutls-devel at lists.gnutls.org Mon Jan 25 16:23:13 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Mon, 25 Jan 2021 15:23:13 +0000
Subject: [gnutls-devel] GnuTLS | fips: avoid memleak in (EC)DH internal APIs (!1380)

Merge Request !1380 was merged

Merge Request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1380
Project:Branches: dueno/gnutls:wip/dueno/fips-dh-memleak to gnutls/gnutls:master
Author: Daiki Ueno
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1380

From gnutls-devel at lists.gnutls.org Mon Jan 25 16:23:47 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Mon, 25 Jan 2021 15:23:47 +0000
Subject: [gnutls-devel] GnuTLS | Verify that cert_list_size > 0 and cert_list != NULL (!1379)

Merge Request !1379 was approved by Daiki Ueno

Merge Request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1379
Project:Branches: incentive.design/gnutls:check_cert_list_argument to gnutls/gnutls:master
Author: Tom Carroll
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1379
From gnutls-devel at lists.gnutls.org Mon Jan 25 16:24:13 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Mon, 25 Jan 2021 15:24:13 +0000
Subject: [gnutls-devel] GnuTLS | GnuTLS client sends early data after receiving Server Hello (#1146)

Milestone changed to Release of GnuTLS 3.7.1 release (Dec 2, 2020 – Feb 3, 2021) ( https://gitlab.com/gnutls/gnutls/-/milestones/29 )

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1146

From gnutls-devel at lists.gnutls.org Tue Jan 26 02:04:03 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Tue, 26 Jan 2021 01:04:03 +0000
Subject: [gnutls-devel] GnuTLS | GnuTLS accepts a certificate without subject public key (#1160)

GOODPWDCETCSZ created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1160

## Description of problem:

GnuTLS accepts a certificate without subject public key. However, OpenSSL, mbedTLS, wolfSSL and NSS reject it.

## Version of gnutls used:

3.5.5, 3.6.13

## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)

Ubuntu x64

## How reproducible:

Steps to Reproduce:

* `certtool --verify --load-ca-certificate ca.pem --infile seed-0u0.pem`

## Actual results:

```
Chain verification output: Verified. The certificate is trusted.
```

## Expected results:

The certificate is rejected.

[ca.zip](/uploads/36a5ca8cb1ebb7f2a2d80064355c50bc/ca.zip)
[seed-0u0.zip](/uploads/a064167e52e13aa8b7c30c72ab5d2844/seed-0u0.zip)

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1160
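The seed-0u0.pem certificate from #1154 and #1160 has a SubjectPublicKeyInfo that decodes to `30 05 30 00 03 01 00`, i.e. SEQUENCE { SEQUENCE {} , BIT STRING 00 }: no algorithm OID and no key bits, which is what OpenSSL's "Field=algorithm" error points at. The following is an added example (not GnuTLS code; `der_read`, `tlv` and the check functions are names chosen here) that walks such DER with a minimal TLV reader, reports the structural gaps in the SPKI, and decodes the raw Policy Constraints and Netscape Cert Type extension values quoted in #1157 and #1159; the well-formed SPKI used for contrast is constructed in the block.

```python
"""Added example (not GnuTLS code): a minimal DER walker for the values quoted
in the GnuTLS issue reports (#1154/#1160 SPKI, #1157 and #1159 extensions)."""
from typing import Dict, List, Tuple


def der_read(buf: bytes, pos: int = 0) -> Tuple[int, bytes, int]:
    """Read one DER TLV at `pos`; return (tag, value, position after it)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("TLV value runs past end of buffer")
    return tag, buf[pos:end], end


def der_children(value: bytes) -> List[Tuple[int, bytes]]:
    """Split the content of a constructed TLV into its (tag, value) elements."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_read(value, pos)
        out.append((tag, val))
    return out


def tlv(tag: int, body: bytes) -> bytes:
    """Encode a short-form TLV (enough for the constructed sample below)."""
    assert len(body) < 128
    return bytes([tag, len(body)]) + body


def check_spki(spki: bytes) -> List[str]:
    """Return the structural problems in a SubjectPublicKeyInfo (RFC 5280 4.1):
    SEQUENCE { algorithm SEQUENCE { OID, parameters OPTIONAL }, BIT STRING }."""
    tag, body, end = der_read(spki)
    if tag != 0x30 or end != len(spki):
        return ["SubjectPublicKeyInfo is not a single SEQUENCE"]
    fields = der_children(body)
    if len(fields) != 2:
        return ["expected 2 fields (algorithm, subjectPublicKey), found %d" % len(fields)]
    (alg_tag, alg), (key_tag, key) = fields
    problems = []
    if alg_tag != 0x30:
        problems.append("algorithm is not a SEQUENCE")
    elif not der_children(alg) or der_children(alg)[0][0] != 0x06:
        problems.append("AlgorithmIdentifier lacks the mandatory algorithm OID")
    if key_tag != 0x03:
        problems.append("subjectPublicKey is not a BIT STRING")
    elif len(key) < 2:  # a lone octet is only the unused-bits count: no key
        problems.append("subjectPublicKey BIT STRING carries no key bits")
    return problems


def decode_policy_constraints(ext: bytes) -> Dict[str, int]:
    """PolicyConstraints ::= SEQUENCE { requireExplicitPolicy [0] INTEGER OPTIONAL,
    inhibitPolicyMapping [1] INTEGER OPTIONAL }  (implicit context tags 0x80/0x81)."""
    tag, body, _ = der_read(ext)
    if tag != 0x30:
        raise ValueError("PolicyConstraints is not a SEQUENCE")
    names = {0x80: "requireExplicitPolicy", 0x81: "inhibitPolicyMapping"}
    return {names[t]: int.from_bytes(v, "big") for t, v in der_children(body) if t in names}


NS_CERT_TYPE_BITS = ["SSL Client", "SSL Server", "S/MIME", "Object Signing",
                     "Reserved", "SSL CA", "S/MIME CA", "Object Signing CA"]


def decode_netscape_cert_type(ext: bytes) -> List[str]:
    """Decode the nsCertType BIT STRING; bit 0 is the MSB of the first content octet."""
    tag, body, _ = der_read(ext)
    if tag != 0x03 or not body:
        raise ValueError("nsCertType is not a BIT STRING")
    bits = body[1:]  # body[0] counts the unused trailing bits
    return [name for i, name in enumerate(NS_CERT_TYPE_BITS)
            if i // 8 < len(bits) and bits[i // 8] & (0x80 >> (i % 8))]


# Values taken from the reports: the SPKI octets inside seed-0u0.pem
# (SEQUENCE { SEQUENCE {}, BIT STRING 00 }) and the two extension hexdumps.
BROKEN_SPKI = bytes.fromhex("30053000030100")
POLICY_CONSTRAINTS_EXT = bytes.fromhex("3006800101810102")
NS_CERT_TYPE_EXT = bytes.fromhex("030206c0")

# Constructed, well-formed SPKI for contrast: rsaEncryption OID with NULL
# parameters and a dummy RSAPublicKey {n, e} inside the BIT STRING.
GOOD_SPKI = tlv(0x30, tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d010101")) + tlv(0x05, b""))
               + tlv(0x03, b"\x00" + tlv(0x30, tlv(0x02, b"\x0b") + tlv(0x02, b"\x03"))))

if __name__ == "__main__":
    print("broken SPKI:", check_spki(BROKEN_SPKI))
    print("good SPKI:", check_spki(GOOD_SPKI))
    print("policy constraints:", decode_policy_constraints(POLICY_CONSTRAINTS_EXT))
    print("nsCertType:", decode_netscape_cert_type(NS_CERT_TYPE_EXT))
```

The two SPKI findings are exactly the fields OpenSSL names in its error chain (Field=algorithm under X509_PUBKEY), and the two extension decodes reproduce the "Expected results" the reporter quoted.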
From gnutls-devel at lists.gnutls.org Tue Jan 26 02:35:58 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Tue, 26 Jan 2021 01:35:58 +0000
Subject: [gnutls-devel] GnuTLS | GnuTLS rejects a certificate since it parsed the critical extension policyConstraints to unknown ext (#1161)

GOODPWDCETCSZ created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1161

## Description of problem:

GnuTLS rejects a certificate since it parsed the critical extension policyConstraints as an unknown ext.

## Version of gnutls used:

3.5.5, 3.6.13

## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)

Ubuntu x64

## How reproducible:

Steps to Reproduce:

* `certtool --verify --load-ca-certificate ca.pem --infile seed-16s31-255s21-363s29.pem`

## Actual results:

```
Chain verification output: Not verified. The certificate is NOT trusted. The certificate contains an unknown critical extension.
```

## Expected results:

The cert is accepted.

[ca.zip](/uploads/23d12386efd880eb0b97305c33132885/ca.zip)
[seed-16s31-255s21-363s29.zip](/uploads/a531d43366524deae328531f4fc077ec/seed-16s31-255s21-363s29.zip)

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1161

From gnutls-devel at lists.gnutls.org Tue Jan 26 07:59:54 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Tue, 26 Jan 2021 06:59:54 +0000
Subject: [gnutls-devel] GnuTLS | GnuTLS cannot parse the ext Netscape Comment (#1162)

GOODPWDCETCSZ created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1162

## Description of problem:

GnuTLS cannot parse the ext Netscape Comment.
## Version of gnutls used:

3.5.5, 3.6.13

## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)

Ubuntu x64

## How reproducible:

Steps to Reproduce:

* `certtool -i --infile seed-7s35-9s14-37s37-55s29-184s38.pem`

## Actual results:

```
Unknown extension 2.16.840.1.113730.1.13 (critical):
ASCII: ..here is the nsComment content
Hexdump: 161d6865726520697320746865206e73436f6d6d656e7420636f6e74656e74
```

## Expected results:

something similar to the following.

```
Netscape Comment: critical
here is the nsComment content
```

[seed-7s35-9s14-37s37-55s29-184s38.zip](/uploads/659720fbf76ade5e1632d2cc2db50b0a/seed-7s35-9s14-37s37-55s29-184s38.zip)

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1162

From gnutls-devel at lists.gnutls.org Tue Jan 26 08:00:07 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Tue, 26 Jan 2021 07:00:07 +0000
Subject: [gnutls-devel] GnuTLS | Sockets: implement sendmsg()-like function on Win32 (!1377)

Daiki Ueno commented on a discussion on lib/system/sockets.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1377#note_493858036

> }
> +
> +ssize_t
> +system_writev(gnutls_transport_ptr_t ptr, const giovec_t * iovec,
> + int iovec_cnt)
> +{
> + WSABUF bufs[iovec_cnt];
> + DWORD bytes_sent;
> + int to_send_cnt;
> + size_t to_send_bytes = 0;
> + bool ovrflwn = false;
> +
> + for (to_send_cnt = 0; to_send_cnt < iovec_cnt && !ovrflwn;
> + ++to_send_cnt) {
> + if (to_send_bytes + iovec[to_send_cnt].iov_len > SSIZE_MAX ||
> + iovec[to_send_cnt].iov_len > SSIZE_MAX) {

By the way, given those limits (`SSIZE_MAX`, `ULONG_MAX`, etc) are known at compile time, could the `if`s be turned into preprocessor directives, like `#if SSIZE_MAX > ULONG_MAX ... #endif`?
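Review bot: `WSABUF bufs[iovec_cnt];` declares a variable-length array sized directly by the caller-supplied `int iovec_cnt`, which MSVC does not support at all and which is undefined for a non-positive count and unbounded on the stack for a large one; validate `iovec_cnt` on entry (reject `<= 0`, cap it at a fixed maximum) and either use a fixed-size array of that maximum or allocate the `WSABUF` array with `gnutls_malloc` and free it on every exit path.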
-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1377#note_493858036 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Jan 26 08:36:08 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 26 Jan 2021 07:36:08 +0000 Subject: [gnutls-devel] GnuTLS | GnuTLS appects a cert with critical issuerAltName (#1163) References: Message-ID: GOODPWDCETCSZ created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1163 ## Description of problem: GnuTLS appects a cert with critical issuerAltName. However, OpenSSL, mbedTLS, wolfSSL, and NSS reject it. According to RFC 5280, the ext issuerAltName should be marked as non-critical. ## Version of gnutls used: 3.5.5, 3.6.13 ## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL) Ubuntu x64 ## How reproducible: Steps to Reproduce: * `certtool -i --infile seed-73s19-723s32 .pem` ## Actual results: ``` Chain verification output: Verified. The certificate is trusted. ``` ## Expected results: The cert is rejected due to its critical issuerAltName. ## Attachement [seed-73s19-723s32.zip](/uploads/3735b2a160f0ef1b93ce3cf24203660e/seed-73s19-723s32.zip) -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1163 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Jan 26 09:26:08 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 26 Jan 2021 08:26:08 +0000 Subject: [gnutls-devel] GnuTLS | GnuTLS and OpenSSL accept a cert while mbedTLS, wolfSSL and NSS reject it. 
(#1164)

GOODPWDCETCSZ created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1164

## Description of problem:

GnuTLS and OpenSSL accept a cert while mbedTLS, wolfSSL and NSS reject it. wolfSSL reports a nameConstraints error.

## Version of gnutls used:

3.5.3, 3.6.13

## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)

Ubuntu x64

## How reproducible:

Steps to Reproduce:

* `certtool --verify --load-ca-certificate ca.pem --infile seed-16s31-206s38.pem`

## Actual results:

```
Chain verification output: Verified. The certificate is trusted.
```

## Expected results:

Consistent verification results among the TLS implementations above.

## Attachments:

[ca.zip](/uploads/a1825931ba3c809d01898dffe596d855/ca.zip)
[seed-16s31-206s38.zip](/uploads/7c1250ad606dc229feaefe3bd25e4af1/seed-16s31-206s38.zip)

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1164

From gnutls-devel at lists.gnutls.org Tue Jan 26 09:51:59 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Tue, 26 Jan 2021 08:51:59 +0000
Subject: [gnutls-devel] GnuTLS | GnuTLS does not represent the userNotice in the ext certificatePolicies (#1165)

GOODPWDCETCSZ created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1165

## Description of problem:

GnuTLS does not represent the userNotice in the ext certificatePolicies.
## Version of gnutls used:

3.5.5, 3.6.13

## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)

Ubuntu x64

## How reproducible:

Steps to Reproduce:

* `certtool -i --infile seed-4s18-107s39-129s28-386s32-409s26-544s38.pem`

## Actual results:

```
Certificate Policies (critical):
    2.23.140.1.2.1
        URI: https://www.a.com/b.ext
        URI: https://www.c.com/d.ext
        Note: here is the explicit text
```

## Expected results:

Similar to:

```
X509v3 Certificate Policies: critical
    Policy: 2.23.140.1.2.1
      CPS: https://www.a.com/b.ext
      CPS: https://www.c.com/d.ext
      User Notice:
        Organization: Org A
        Numbers: 1, 3, 5
        Explicit Text: here is the explicit text
```

## Attachments:

[seed-4s18-107s39-129s28-386s32-409s26-544s38.zip](/uploads/7493d35467859c0e9b0d78c95ab09c44/seed-4s18-107s39-129s28-386s32-409s26-544s38.zip)

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1165

From gnutls-devel at lists.gnutls.org Tue Jan 26 10:20:08 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Tue, 26 Jan 2021 09:20:08 +0000
Subject: [gnutls-devel] GnuTLS | GnuTLS does not parse the ext policyMappings (#1166)

GOODPWDCETCSZ created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1166

## Description of problem:

GnuTLS does not parse the ext name policyMappings or the full information about it.

## Version of gnutls used:

3.5.5, 3.6.13

## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)

Ubuntu x64

## How reproducible:

Steps to Reproduce:

* `certtool -i --infile seed-5s26-41s18-189s27.pem`

## Actual results:

```
Unknown extension 2.5.29.33 (not critical):
ASCII: 0.0...U. ...+..
Hexdump: 300d300b0604551d200106032b0508
```

## Expected results:

Similar to:

```
X509v3 Policy Mappings:
    2.5.29.32.1:1.3.5.8
```

## Attachments:

[seed-5s26-41s18-189s27.zip](/uploads/441dc1fb2b1d3a4152ded68ef38ba26f/seed-5s26-41s18-189s27.zip)

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1166

From gnutls-devel at lists.gnutls.org Wed Jan 27 08:49:07 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Wed, 27 Jan 2021 07:49:07 +0000
Subject: [gnutls-devel] GnuTLS | GnuTLS accepts a cert whose basicConstraints.cA==False but keyUsage.keyCertSign is set (#1167)

GOODPWDCETCSZ created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1167

## Description of problem:

GnuTLS accepts a cert whose basicConstraints.cA==False but keyUsage.keyCertSign is set.

## Version of gnutls used:

3.5.5, 3.6.13

## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)

Ubuntu x64

## How reproducible:

Steps to Reproduce:

* `certtool --verify --load-ca-certificate ca.pem --infile seed-16s31-206s38.pem`

## Actual results:

```
certtool --verify --load-ca-certificate ./certs_related/ca.pem --infile ./certs/seed-16s31-206s38.pem
Note that no verification profile was selected. In the future the medium profile will be enabled by default.
Use --verify-profile low to apply the default verification of NORMAL priority string.
Loaded CAs (1 available)
    Subject: CN=DT-peace,OU=UNSC-peace,O=UNGA,ST=NYS,C=UN
    Issuer: CN=DT,OU=UNSC,O=UNGA,ST=NYS,C=UN
    Checked against: CN=DT,OU=UNSC,O=UNGA,ST=NYS,C=UN
    Signature algorithm: RSA-SHA256
    Output: Verified. The certificate is trusted.

Chain verification output: Verified. The certificate is trusted.
```

## Expected results:

The cert should be rejected since it has no right (its cA==False) to verify certSign (keyUsage.keyCertSign is set).

## Attachments:

[ca.zip](/uploads/a1b6138e694221150409c508e44dd696/ca.zip)
[seed-16s31-206s38.zip](/uploads/946477b3be76d26aa0f2e62ee26778d2/seed-16s31-206s38.zip)

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1167

From gnutls-devel at lists.gnutls.org Wed Jan 27 09:25:41 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Wed, 27 Jan 2021 08:25:41 +0000
Subject: [gnutls-devel] GnuTLS | GnuTLS accepts a critical Authority Information Access (#1168)

GOODPWDCETCSZ created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1168

## Description of problem:

GnuTLS accepts a critical Authority Information Access. OpenSSL and mbedTLS reject it. RFC 5280 requires that the ext AIA be marked as non-critical.

## Version of gnutls used:

3.5.5, 3.6.13

## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)

Ubuntu x64

## How reproducible:

Steps to Reproduce:

* `certtool --verify --load-ca-certificate ca.pem --infile seed-7s35-59s37-384s28-468s36.pem`

## Actual results:

```
certtool --verify --load-ca-certificate ./certs_related/ca.pem --infile ./certs/seed-7s35-59s37-384s28-468s36.pem
Note that no verification profile was selected. In the future the medium profile will be enabled by default.
Use --verify-profile low to apply the default verification of NORMAL priority string.
Loaded CAs (1 available)
    Subject: CN=DT-peace,OU=UNSC-peace,O=UNGA,ST=NYS,C=UN
    Issuer: CN=DT,OU=UNSC,O=UNGA,ST=NYS,C=UN
    Checked against: CN=DT,OU=UNSC,O=UNGA,ST=NYS,C=UN
    Signature algorithm: RSA-SHA256
    Output: Verified. The certificate is trusted.

Chain verification output: Verified.
The certificate is trusted.
```

## Expected results:

Consistent verification results among GnuTLS and other TLS implementations.

## Attachments:

[ca.zip](/uploads/1ab497740062c7970e8ca0d038eeae33/ca.zip)
[seed-7s35-59s37-384s28-468s36.zip](/uploads/975d54f719387e8d82de13cceac96327/seed-7s35-59s37-384s28-468s36.zip)

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1168

From gnutls-devel at lists.gnutls.org Wed Jan 27 09:32:42 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Wed, 27 Jan 2021 08:32:42 +0000
Subject: [gnutls-devel] GnuTLS | www.gnutls.org API reference is empty (#1169)

Sergei Trofimovich created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1169

https://www.gnutls.org/reference/intro.html does not contain the API reference. I see the following output:

```
GnuTLS API Reference Manual
GnuTLS implements the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols for the GNU project. More up to date information can be found at https://www.gnutls.org/.
```

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1169
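The two reports above that certtool could only print as a raw `Hexdump:` (the Netscape Comment in #1162 and the policyMappings extension in #1166) are short enough to decode by hand. The following is an added example, not GnuTLS code: a minimal DER reader with just the tags those two values use (SEQUENCE, OBJECT IDENTIFIER, IA5String) that turns the hexdumps quoted in the reports into the `2.5.29.32.1:1.3.5.8` mapping and the comment text the reporter expected. It rejects the encodings a strict verifier should reject (indefinite or non-minimal lengths, an OID cut off mid-arc, an empty mapping list).

```python
"""Decode the Hexdump values from the nsComment (#1162) and policyMappings
(#1166) reports with a hand-written DER reader.

Added example, not GnuTLS code; standard library only."""

# ASN.1 universal tags used by the two extension values
TAG_OID = 0x06
TAG_IA5STRING = 0x16
TAG_SEQUENCE = 0x30


def read_tlv(buf: bytes, pos: int = 0):
    """Read one TLV at buf[pos]; return (tag, value_bytes, next_pos).

    Only definite lengths are accepted; DER forbids the indefinite form and
    any non-minimal length encoding, so both are rejected here."""
    if pos >= len(buf):
        raise ValueError("truncated: no tag byte")
    tag = buf[pos]
    if tag & 0x1F == 0x1F:
        raise ValueError("multi-byte tags not supported")
    pos += 1
    if pos >= len(buf):
        raise ValueError("truncated: no length byte")
    first = buf[pos]
    pos += 1
    if first < 0x80:
        length = first
    elif first == 0x80:
        raise ValueError("indefinite length is not DER")
    else:
        n = first & 0x7F
        if n > 4 or pos + n > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        if length < 0x80 or (n > 1 and buf[pos] == 0):
            raise ValueError("non-minimal length encoding is not DER")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated: value runs past end of buffer")
    return tag, buf[pos:end], end


def decode_oid(value: bytes) -> str:
    """Decode OID contents: base-128 arcs, first byte packing arcs 1 and 2."""
    if not value:
        raise ValueError("empty OID")
    if value[-1] & 0x80:
        raise ValueError("OID ends inside a multi-byte arc")
    arcs, acc = [], 0
    for b in value:
        acc = (acc << 7) | (b & 0x7F)
        if b & 0x80:
            continue
        if not arcs:
            # first subidentifier = 40*arc1 + arc2, with arc1 in {0, 1, 2}
            arcs.extend([2, acc - 80] if acc >= 80 else [acc // 40, acc % 40])
        else:
            arcs.append(acc)
        acc = 0
    return ".".join(str(a) for a in arcs)


def decode_ia5string(der: bytes) -> str:
    """The Netscape Comment extension value is a bare IA5String."""
    tag, value, end = read_tlv(der)
    if tag != TAG_IA5STRING or end != len(der):
        raise ValueError("not a single IA5String")
    if any(b > 0x7F for b in value):
        raise ValueError("IA5String contains a non-ASCII byte")
    return value.decode("ascii")


def decode_policy_mappings(der: bytes):
    """PolicyMappings ::= SEQUENCE SIZE (1..MAX) OF SEQUENCE {
           issuerDomainPolicy OBJECT IDENTIFIER,
           subjectDomainPolicy OBJECT IDENTIFIER }   (RFC 5280 4.2.1.5)"""
    tag, outer, end = read_tlv(der)
    if tag != TAG_SEQUENCE or end != len(der):
        raise ValueError("PolicyMappings must be exactly one SEQUENCE")
    mappings, pos = [], 0
    while pos < len(outer):
        tag, inner, pos = read_tlv(outer, pos)
        if tag != TAG_SEQUENCE:
            raise ValueError("mapping entry is not a SEQUENCE")
        t1, issuer, p = read_tlv(inner, 0)
        t2, subject, p = read_tlv(inner, p)
        if t1 != TAG_OID or t2 != TAG_OID or p != len(inner):
            raise ValueError("mapping entry must be exactly two OIDs")
        mappings.append((decode_oid(issuer), decode_oid(subject)))
    if not mappings:
        raise ValueError("PolicyMappings must contain at least one mapping")
    return mappings


# The Hexdump values exactly as certtool printed them in the two reports.
NS_COMMENT_HEX = "161d6865726520697320746865206e73436f6d6d656e7420636f6e74656e74"
POLICY_MAPPINGS_HEX = "300d300b0604551d200106032b0508"

if __name__ == "__main__":
    print("Netscape Comment:", decode_ia5string(bytes.fromhex(NS_COMMENT_HEX)))
    for issuer, subject in decode_policy_mappings(bytes.fromhex(POLICY_MAPPINGS_HEX)):
        print("Policy Mapping:", f"{issuer}:{subject}")
```

Reading the policyMappings bytes by hand checks the decoder: `30 0d` opens the outer SEQUENCE, `30 0b` the single mapping, `06 04 55 1d 20 01` is 2.5.29.32.1 (0x55 = 2*40+5) and `06 03 2b 05 08` is 1.3.5.8 (0x2b = 1*40+3), which is the `2.5.29.32.1:1.3.5.8` line the reporter expected.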
From gnutls-devel at lists.gnutls.org Wed Jan 27 09:37:12 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Wed, 27 Jan 2021 08:37:12 +0000
Subject: [gnutls-devel] GnuTLS | GnuTLS rejects a cert since it cannot parse the critical ext Netscape Cert Type (#1170)

GOODPWDCETCSZ created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1170

## Description of problem:

GnuTLS rejects a cert since it cannot parse the critical ext Netscape Cert Type. OpenSSL, mbedTLS, and WolfSSL accept it.

## Version of gnutls used:

3.5.5, 3.6.13

## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)

Ubuntu x64

## How reproducible:

Steps to Reproduce:

* `certtool --verify --load-ca-certificate ca.pem --infile seed-4s18-107s39-405s19.pem`

## Actual results:

```
certtool --verify --load-ca-certificate ./certs_related/ca.pem --infile ./certs/seed-4s18-107s39-405s19.pem
Note that no verification profile was selected. In the future the medium profile will be enabled by default.
Use --verify-profile low to apply the default verification of NORMAL priority string.
Loaded CAs (1 available)
    Subject: serialNumber=serialNumber2,CN=Susan Housley2,DC=DC2,dnQualifier=dnQ2,OU=network security\, Counter-Terrorism Committee,O=Counter-Terrorism Committee,ST=New York State,C=UN
    Issuer: CN=DT,OU=UNSC,O=UNGA,ST=NYS,C=UN
    Checked against: CN=DT,OU=UNSC,O=UNGA,ST=NYS,C=UN
    Signature algorithm: RSA-SHA256
    Output: Not verified. The certificate is NOT trusted. The certificate contains an unknown critical extension.

Chain verification output: Not verified. The certificate is NOT trusted. The certificate contains an unknown critical extension.
```

## Expected results:

Consistent verification results among GnuTLS and other TLS implementations.
## Attachments:

[ca.zip](/uploads/1453fcdb5d86499c85a4e213883a12a1/ca.zip)
[seed-4s18-107s39-405s19.zip](/uploads/d68c8156273f91da86a950ea84aa0a64/seed-4s18-107s39-405s19.zip)

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1170

From gnutls-devel at lists.gnutls.org Wed Jan 27 10:01:39 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Wed, 27 Jan 2021 09:01:39 +0000
Subject: [gnutls-devel] GnuTLS | GnuTLS accepts a non-CA cert with a critical ext nameConstraints (#1171)

GOODPWDCETCSZ created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1171

## Description of problem:

GnuTLS accepts a non-CA cert with a critical ext nameConstraints. mbedTLS and wolfSSL reject it.

## Version of gnutls used:

3.5.5, 3.6.13

## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)

Ubuntu x64

## How reproducible:

Steps to Reproduce:

* `certtool --verify --load-ca-certificate ca.pem --infile seed-5s26-174s36-353s31.pem`

## Actual results:

```
certtool --verify --load-ca-certificate ./certs_related/ca.pem --infile ./certs/seed-5s26-174s36-353s31.pem
Note that no verification profile was selected. In the future the medium profile will be enabled by default.
Use --verify-profile low to apply the default verification of NORMAL priority string.
Loaded CAs (1 available)
    Subject: CN=DT-peace,OU=UNSC-peace,O=UNGA,ST=NYS,C=UN
    Issuer: CN=DT,OU=UNSC,O=UNGA,ST=NYS,C=UN
    Checked against: CN=DT,OU=UNSC,O=UNGA,ST=NYS,C=UN
    Signature algorithm: RSA-SHA256
    Output: Verified. The certificate is trusted.

Chain verification output: Verified. The certificate is trusted.
```

## Expected results:

Consistent verification results among GnuTLS and other TLS implementations.
## Attachments:

[ca.zip](/uploads/ac8adb996d08147af90f484c1a02a48d/ca.zip)
[seed-5s26-174s36-353s31.zip](/uploads/47986e966b06f7bd1c444fe843f39c7b/seed-5s26-174s36-353s31.zip)

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1171

From gnutls-devel at lists.gnutls.org Thu Jan 28 12:42:58 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Thu, 28 Jan 2021 11:42:58 +0000
Subject: [gnutls-devel] GnuTLS | Soft-disabling configuration capabilities should match the hard-disabling ones (#1172)

Alexander Sosedkin created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1172

This request is driven by the needs of crypto-policies, a tool to configure system-wide defaults of cryptographic software.

While the new configuration mechanism introduced in !1013 does achieve the [announced goal of hard-disabling algorithms](https://gitlab.com/gnutls/gnutls/-/issues/587#note_107211054), it doesn't offer matching soft-disabling capabilities. An operating system vendor should be allowed to disable contentious algorithms by default, but still allow applications to re-enable them on a case-by-case basis, without blanket-enabling the algorithm for all applications and usages.

Priority strings are the established way to soft-disable algorithms, and are sometimes even exposed all the way to the configuration files. But priority strings cannot readily satisfy this request, as they have two limitations in comparison with the new configuration format:

1. The [priority strings definition](https://gnutls.org/manual/html_node/Priority-Strings.html) limits them to TLS only, so priority strings don't cover the `insecure-sig`, `insecure-sig-for-cert` or `insecure-hash` range of controls.
2.
   Priority strings don't possess the granularity available with the new format: there's `%VERIFY_ALLOW_SIGN_WITH_SHA1`, but, besides that, `insecure-sig-for-cert` doesn't seem to have a generic priority string counterpart.

Thus the request for feature-parity between the soft-disabling and hard-disabling capabilities of gnutls configuration.

For that, I guess we should first clarify and establish whether it's OK to extend priority strings beyond TLS usage. If it is ruled fine, then adding new keywords to priority strings seems to be the solution. If it's not, I suppose extending the configuration format to allow soft-disabling is also an option, though there still remains a question of how exactly applications should relax the defaults tightened with those hypothetical new options.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1172

From gnutls-devel at lists.gnutls.org Sat Jan 30 05:24:33 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sat, 30 Jan 2021 04:24:33 +0000
Subject: [gnutls-devel] GnuTLS | www.gnutls.org API reference is empty (#1169)

Daiki Ueno commented:

I actually don't know which documentation was hosted on that link, but the complete manual, including the API reference, is available at: https://gnutls.gitlab.io/web-pages/documentation.html

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1169#note_497604406
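Four of the reports above (#1163 critical issuerAltName, #1167 keyCertSign without cA, #1168 critical AIA, #1171 nameConstraints in a non-CA cert) are all violations of extension rules in RFC 5280 section 4.2 that a verifier can check independently of the signature chain, and #1170 is the inverse case of a critical extension the verifier cannot process. The following is an added example, not GnuTLS code: a lint over an already-decoded extension list that encodes those rules. It deliberately works on a small `Extension` model rather than on raw DER so it runs with the standard library only; feeding it from a real X.509 parser is the caller's job. The sample certificates at the bottom are constructed to mirror the reports and are not the attached `seed-*.pem` files.

```python
"""RFC 5280 extension-consistency lint for the cases in #1163, #1167, #1168,
#1170 and #1171.  Added example, not GnuTLS code; standard library only."""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# Extension OIDs from RFC 5280 (id-ce = 2.5.29, id-pe = 1.3.6.1.5.5.7.1)
OID_KEY_USAGE = "2.5.29.15"
OID_SUBJECT_ALT_NAME = "2.5.29.17"
OID_ISSUER_ALT_NAME = "2.5.29.18"
OID_BASIC_CONSTRAINTS = "2.5.29.19"
OID_NAME_CONSTRAINTS = "2.5.29.30"
OID_CERTIFICATE_POLICIES = "2.5.29.32"
OID_POLICY_MAPPINGS = "2.5.29.33"
OID_AUTHORITY_INFO_ACCESS = "1.3.6.1.5.5.7.1.1"

# Extensions this lint can process.  A critical extension outside this set
# must cause rejection (RFC 5280 4.2), which is what GnuTLS did in #1170.
KNOWN = {OID_KEY_USAGE, OID_SUBJECT_ALT_NAME, OID_ISSUER_ALT_NAME,
         OID_BASIC_CONSTRAINTS, OID_NAME_CONSTRAINTS, OID_CERTIFICATE_POLICIES,
         OID_POLICY_MAPPINGS, OID_AUTHORITY_INFO_ACCESS}


@dataclass(frozen=True)
class Extension:
    """One decoded extension: only the fields the rules below need."""
    oid: str
    critical: bool
    ca: Optional[bool] = None                 # BasicConstraints.cA, else None
    key_usage: FrozenSet[str] = frozenset()   # KeyUsage bit names, e.g. {"keyCertSign"}


def lint_extensions(exts: List[Extension]) -> List[Tuple[str, str]]:
    """Return (RFC 5280 section, message) findings; [] means consistent."""
    findings = []
    by_oid = {}
    for e in exts:
        if e.oid in by_oid:
            findings.append(("4.2", f"extension {e.oid} appears more than once"))
        by_oid.setdefault(e.oid, e)

    bc = by_oid.get(OID_BASIC_CONSTRAINTS)
    is_ca = bool(bc is not None and bc.ca)

    # 4.2.1.3: if keyCertSign is asserted, basicConstraints.cA MUST be TRUE (#1167)
    ku = by_oid.get(OID_KEY_USAGE)
    if ku is not None and "keyCertSign" in ku.key_usage and not is_ca:
        findings.append(("4.2.1.3", "keyCertSign asserted but basicConstraints.cA is not TRUE"))

    # 4.2.1.7: issuerAltName SHOULD be non-critical (#1163)
    ian = by_oid.get(OID_ISSUER_ALT_NAME)
    if ian is not None and ian.critical:
        findings.append(("4.2.1.7", "issuerAltName marked critical"))

    # 4.2.2.1: authorityInfoAccess MUST be non-critical (#1168)
    aia = by_oid.get(OID_AUTHORITY_INFO_ACCESS)
    if aia is not None and aia.critical:
        findings.append(("4.2.2.1", "authorityInfoAccess marked critical"))

    # 4.2.1.10: nameConstraints only in CA certificates, and MUST be critical (#1171)
    nc = by_oid.get(OID_NAME_CONSTRAINTS)
    if nc is not None:
        if not is_ca:
            findings.append(("4.2.1.10", "nameConstraints present in a non-CA certificate"))
        if not nc.critical:
            findings.append(("4.2.1.10", "nameConstraints not marked critical"))

    # 4.2.1.5: policyMappings only in CA certificates, and MUST be critical
    pm = by_oid.get(OID_POLICY_MAPPINGS)
    if pm is not None:
        if not is_ca:
            findings.append(("4.2.1.5", "policyMappings present in a non-CA certificate"))
        if not pm.critical:
            findings.append(("4.2.1.5", "policyMappings not marked critical"))

    # 4.2: a critical extension the verifier cannot process is fatal (#1170)
    for e in exts:
        if e.critical and e.oid not in KNOWN:
            findings.append(("4.2", f"unrecognised critical extension {e.oid}"))
    return findings


# Constructed samples mirroring the reports (not the attached seed-*.pem files).
SAMPLES = {
    "1163-critical-issuerAltName": [
        Extension(OID_BASIC_CONSTRAINTS, True, ca=False),
        Extension(OID_ISSUER_ALT_NAME, True),
    ],
    "1167-keyCertSign-without-cA": [
        Extension(OID_BASIC_CONSTRAINTS, True, ca=False),
        Extension(OID_KEY_USAGE, True, key_usage=frozenset({"digitalSignature", "keyCertSign"})),
    ],
    "1168-critical-AIA": [
        Extension(OID_BASIC_CONSTRAINTS, True, ca=False),
        Extension(OID_AUTHORITY_INFO_ACCESS, True),
    ],
    "1171-nameConstraints-in-end-entity": [
        Extension(OID_BASIC_CONSTRAINTS, True, ca=False),
        Extension(OID_NAME_CONSTRAINTS, True),
    ],
    "well-formed-CA": [
        Extension(OID_BASIC_CONSTRAINTS, True, ca=True),
        Extension(OID_KEY_USAGE, True, key_usage=frozenset({"keyCertSign", "cRLSign"})),
        Extension(OID_NAME_CONSTRAINTS, True),
        Extension(OID_AUTHORITY_INFO_ACCESS, False),
    ],
}


def lint_samples():
    """Run the lint over every constructed sample; name -> findings."""
    return {name: lint_extensions(exts) for name, exts in SAMPLES.items()}


if __name__ == "__main__":
    for name, findings in lint_samples().items():
        print(name, "->", findings or "OK")
```

Whether a verifier should fail the chain on the SHOULD-level rule (4.2.1.7) as well as the MUST-level ones is the policy question the reports raise; the lint only separates the two by section number so the caller can decide.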
From gnutls-devel at lists.gnutls.org Sat Jan 30 06:20:09 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sat, 30 Jan 2021 05:20:09 +0000
Subject: [gnutls-devel] GnuTLS | enable valgrind tests for full testsuite (#1174)

Daiki Ueno created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1174

As we are adopting valgrind instruments more and [more](3d7fae761e65e9d0f16d7247ee8a464d4fe002da), it would make sense to run all the tests under valgrind in CI. However, for some reason it's disabled when `--disable-full-test-suite` is specified, and that's the case with the "fedora-valgrind/build" job.

I tried to enable it but found quite a few roadblocks:

- the gnulib `valgrind-tests` module usage is incorrect and the current code also exercises shell scripts (i.e. the bash binary); we should properly set `TEST_EXTENSIONS = .sh`
- there are actual memleaks in some code, e.g., `tests/tls13/no-auto-send-ticket.c`
- the FIPS library state check is done too late (I don't know why), and the tests manually invalidating the state (e.g., `tests/x509sign-verify-error.c`) cause memory errors deep under nettle primitives, because the gnutls random functions refuse to produce a proper value in that case, leaving the destination memory area uninitialized
- some tests (e.g., `tests/memset.c`) are poorly written, violating the C ABI assumption (those are removed in !1382)

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1174
From gnutls-devel at lists.gnutls.org Sat Jan 30 10:51:45 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sat, 30 Jan 2021 09:51:45 +0000
Subject: [gnutls-devel] GnuTLS | tests: enable all tests to run under valgrind (!1383)

Daiki Ueno created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1383

Project:Branches: dueno/gnutls:wip/dueno/valgrind to gnutls/gnutls:master
Author: Daiki Ueno
Fixes: #1174

## Checklist

* [x] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [ ] Code modified for feature
* [ ] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
* [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:

* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1383

From gnutls-devel at lists.gnutls.org Sat Jan 30 10:53:41 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sat, 30 Jan 2021 09:53:41 +0000
Subject: [gnutls-devel] GnuTLS | tests: enable all tests to run under valgrind (!1383)

Daiki Ueno commented:

This contains changes from !1382; maybe it should land first (or this could supersede it).
--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1383#note_497641727

From gnutls-devel at lists.gnutls.org Sun Jan 31 12:49:34 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sun, 31 Jan 2021 11:49:34 +0000
Subject: [gnutls-devel] GnuTLS | Verify that cert_list_size > 0 and cert_list != NULL (!1379)

All discussions on Merge Request !1379 were resolved by Daiki Ueno

https://gitlab.com/gnutls/gnutls/-/merge_requests/1379

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1379

From gnutls-devel at lists.gnutls.org Sun Jan 31 12:49:34 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sun, 31 Jan 2021 11:49:34 +0000
Subject: [gnutls-devel] GnuTLS | Verify that cert_list_size > 0 and cert_list != NULL (!1379)

Daiki Ueno commented on a discussion on lib/cert-cred-x509.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1379#note_497876940

> int ca_list_size)
> {
> int ret, i, j;
> - gnutls_x509_crt_t *new_list = gnutls_malloc(ca_list_size * sizeof(gnutls_x509_crt_t));
> + gnutls_x509_crt_t *new_list;
> +
> + if (ca_list == NULL || ca_list_size < 1)
> + return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
>
> + new_list = gnutls_malloc(ca_list_size * sizeof(gnutls_x509_crt_t));

Let's do that later.
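Review bot: the hunk ends at `new_list = gnutls_malloc(ca_list_size * sizeof(gnutls_x509_crt_t));` without a NULL check on the result in the visible lines; the line that follows should be `if (new_list == NULL) return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);` before anything is written through `new_list`. The new `ca_list_size < 1` guard is the right fix for the NULL/empty case, but since `ca_list_size` is a plain `int`, the multiplication in the allocation is still unchecked for large values; an upper bound on `ca_list_size` or an overflow-aware allocation would close that.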
--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1379#note_497876940

From gnutls-devel at lists.gnutls.org Sun Jan 31 12:49:38 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sun, 31 Jan 2021 11:49:38 +0000
Subject: [gnutls-devel] GnuTLS | Verify that cert_list_size > 0 and cert_list != NULL (!1379)

Merge Request !1379 was merged

Merge Request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1379
Project:Branches: incentive.design/gnutls:check_cert_list_argument to gnutls/gnutls:master
Author: Tom Carroll
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1379