From gnutls-devel at lists.gnutls.org Mon Mar 1 01:37:27 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Mon, 01 Mar 2021 00:37:27 +0000
Subject: [gnutls-devel] GnuTLS | Master (!1395)

Nicolas Mora created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1395

Project:Branches: babelouest/gnutls:master to gnutls/gnutls:master
Author: Nicolas Mora

Add ECDH compute function `gnutls_ecdh_compute_key`, which generates a shared secret between 2 ECC keys.

## Checklist

* [ ] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [x] Code modified for feature
* [x] Test suite updated with functionality tests
* [x] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
* [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:

* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1395
You're receiving this email because of your account on gitlab.com.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From gnutls-devel at lists.gnutls.org Mon Mar 1 06:32:08 2021
Date: Mon, 01 Mar 2021 05:32:08 +0000
Subject: [gnutls-devel] GnuTLS | RFC: ephemeral-api: add a mechanism to define ephemeral API (!1199)

Merge Request !1199 was closed by Daiki Ueno

Merge Request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1199
Branches: tmp-ephemeral-api to master
Author: Daiki Ueno
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1199

From gnutls-devel at lists.gnutls.org Mon Mar 1 08:22:31 2021
Date: Mon, 01 Mar 2021 07:22:31 +0000
Subject: [gnutls-devel] libtasn1 | fix invalid unsigned arithmetic. (!73)

Merge Request !73 was closed by ihsinme

Merge Request URL: https://gitlab.com/gnutls/libtasn1/-/merge_requests/73
Project:Branches: ihsinme/libtasn1:ihsinme-master-patch-12809 to gnutls/libtasn1:master
Author: ihsinme
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/-/merge_requests/73

From gnutls-devel at lists.gnutls.org Mon Mar 1 08:22:30 2021
Date: Mon, 01 Mar 2021 07:22:30 +0000
Subject: [gnutls-devel] libtasn1 | fix invalid unsigned arithmetic. (!73)

ihsinme commented:

Sorry, I will try to create a repeat request.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/-/merge_requests/73#note_519035279

From gnutls-devel at lists.gnutls.org Mon Mar 1 08:32:14 2021
Date: Mon, 01 Mar 2021 07:32:14 +0000
Subject: [gnutls-devel] libtasn1 | fix invalid unsigned arithmetic. (!75)

ihsinme created a merge request: https://gitlab.com/gnutls/libtasn1/-/merge_requests/75

Project:Branches: ihsinme/libtasn1:ihsinme-master-patch-00221 to gnutls/libtasn1:master
Author: ihsinme

I believe your checks are not correct. In my opinion they are equivalent to `!=` checks. I suggest a simple fix. Only a fix!

## Checklist

* [ ] Code modified for feature
* [ ] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated

## Reviewer's checklist:

* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent with other code
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/-/merge_requests/75

From gnutls-devel at lists.gnutls.org Mon Mar 1 08:33:49 2021
Date: Mon, 01 Mar 2021 07:33:49 +0000
Subject: [gnutls-devel] libtasn1 | fix invalid unsigned arithmetic.
(!75)

ihsinme commented:

This is a copy of https://gitlab.com/gnutls/libtasn1/-/merge_requests/73

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/-/merge_requests/75#note_519041030

From gnutls-devel at lists.gnutls.org Mon Mar 1 08:49:40 2021
Date: Mon, 01 Mar 2021 07:49:40 +0000
Subject: [gnutls-devel] libtasn1 | fix invalid unsigned arithmetic. (!75)

ihsinme commented:

@dueno look at this PR. I was unable to update !73. (

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/-/merge_requests/75#note_519049544

From gnutls-devel at lists.gnutls.org Mon Mar 1 16:29:14 2021
Date: Mon, 01 Mar 2021 15:29:14 +0000
Subject: [gnutls-devel] GnuTLS | tests: enable all tests to run under valgrind (!1383)

Alexander Sosedkin commented:

Hi, sorry for the late review. Looks mostly fine to me, I have just two questions:

1) I don't understand the reason for dropping tests/init_fds.c in 5589765. My impression is, it'd be still useful to test that an application can close all fds in between implicit and explicit init. I don't see why the test is irrelevant to "only open /dev/urandom when gnutls_global_init() is called and not before" of https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=760476 I'd appreciate some clarification here.

2) What's the policy of what to call and not call under valgrind in shell script tests? I've picked one test at random (`tests/cert-tests/certtool.sh`) and I see a mixture of calls to certtool, some do call valgrind, some don't.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1383#note_519494090

From gnutls-devel at lists.gnutls.org Tue Mar 2 15:57:01 2021
Date: Tue, 02 Mar 2021 14:57:01 +0000
Subject: [gnutls-devel] GnuTLS | apparent bug in _gnutls_x509_der_encode with fix/workaround that shouldn't work (#1078)

Daiki Ueno commented:

I'm sorry for the long silence on this issue. I now suspect that this might be the same cause as the libtasn1 UB reported in: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=252548

Would you like to check if using the latest libtasn1 port fixes the issue?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1078#note_520369975
From gnutls-devel at lists.gnutls.org Wed Mar 3 22:32:08 2021
Date: Wed, 03 Mar 2021 21:32:08 +0000
Subject: [gnutls-devel] GnuTLS | Provide a better way to upload Windows artifacts upon release (#1182)

silvioprog commented:

Currently, the page for downloading the binaries for Windows returns 404:

![image](/uploads/eabde3dd7e6be930971832a49be2e8a3/image.png)

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1182#note_521547991

From gnutls-devel at lists.gnutls.org Thu Mar 4 04:34:09 2021
Date: Thu, 04 Mar 2021 03:34:09 +0000
Subject: [gnutls-devel] GnuTLS | tests: enable all tests to run under valgrind (!1383)

Daiki Ueno commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/1383#note_521658462

> I don't see why the test is irrelevant to "only open /dev/urandom when gnutls_global_init() is called and not before" of https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=760476 I'd appreciate some clarification here.

I generally agree with you, though the test didn't properly exercise the scenario in some cases, because it assumes that /dev/urandom is always associated with fd 3. I guess one way to reliably do that check would be to (1) replace gnutls_rnd as other tests do and (2) in that replacement function, call stat and compare the inode number against a newly opened /dev/urandom.

> What's the policy of what to call and not call under valgrind in shell script tests? I've picked one test at random (tests/cert-tests/certtool.sh) and I see a mixture of calls to certtool, some do call valgrind, some don't.

That sounds like a bug ;-)

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1383#note_521658462

From gnutls-devel at lists.gnutls.org Thu Mar 4 08:40:48 2021
Date: Thu, 04 Mar 2021 07:40:48 +0000
Subject: [gnutls-devel] GnuTLS | tests: enable all tests to run under valgrind (!1383)

Daiki Ueno commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/1383#note_521749519

I also wonder why we keep the fd open for such a long time in the first place. Both OpenSSL and NSS have a similar fallback to `/dev/urandom` if `getrandom` is not available, but open the device in one-shot, when reseeding is needed (and that's pretty rare).

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1383#note_521749519

From gnutls-devel at lists.gnutls.org Thu Mar 4 09:27:51 2021
Date: Thu, 04 Mar 2021 08:27:51 +0000
Subject: [gnutls-devel] libtasn1 | fix invalid unsigned arithmetic.
(!75)

Merge Request !75 was approved by Daiki Ueno

Merge Request URL: https://gitlab.com/gnutls/libtasn1/-/merge_requests/75
Project:Branches: ihsinme/libtasn1:ihsinme-master-patch-00221 to gnutls/libtasn1:master
Author: ihsinme
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/-/merge_requests/75

From gnutls-devel at lists.gnutls.org Thu Mar 4 09:27:52 2021
Date: Thu, 04 Mar 2021 08:27:52 +0000
Subject: [gnutls-devel] libtasn1 | fix invalid unsigned arithmetic. (!75)

Merge Request !75 was scheduled to merge after pipeline succeeds by Daiki Ueno

Merge Request URL: https://gitlab.com/gnutls/libtasn1/-/merge_requests/75
Project:Branches: ihsinme/libtasn1:ihsinme-master-patch-00221 to gnutls/libtasn1:master
Author: ihsinme
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/-/merge_requests/75

From gnutls-devel at lists.gnutls.org Thu Mar 4 09:28:07 2021
Date: Thu, 04 Mar 2021 08:28:07 +0000
Subject: [gnutls-devel] libtasn1 | fix invalid unsigned arithmetic. (!75)

Daiki Ueno commented:

Thanks for the update!

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/-/merge_requests/75#note_521784240
From gnutls-devel at lists.gnutls.org Thu Mar 4 09:38:24 2021
Date: Thu, 04 Mar 2021 08:38:24 +0000
Subject: [gnutls-devel] GnuTLS | Do not keep fd open for /dev/urandom (#1188)

Daiki Ueno created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1188

On Unix, if the `getrandom` syscall is not available, `/dev/urandom` is used as a random seed. For some reason, we keep the file descriptor open during the process lifetime and that caused [issues](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=760476) in the past.

In the first place, however, `read` from that device is rare: only for the initial seeding and reseeding after the limit of the DRBG. We probably should make the device access one-shot (i.e., do `open`/`close` every time), like other libraries do.

See https://gitlab.com/gnutls/gnutls/-/merge_requests/1383#note_519494090 for the discussion.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1188

From gnutls-devel at lists.gnutls.org Thu Mar 4 11:08:38 2021
Date: Thu, 04 Mar 2021 10:08:38 +0000
Subject: [gnutls-devel] GnuTLS | sysrng-linux: re-open /dev/urandom every time (!1396)

Alexander Sosedkin created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1396

Project:Branches: asosedkin/gnutls:oneshot-urandom to gnutls/gnutls:master
Author: Alexander Sosedkin

Prompted by [the following comment](https://gitlab.com/gnutls/gnutls/-/merge_requests/1383#note_521749519) by @dueno:

> I also wonder why we keep the fd open for such a long time in the first
> place. Both OpenSSL and NSS have a similar fallback to /dev/urandom
> if getrandom is not available, but open the device in one-shot,
> when reseeding is needed (and that's pretty rare).

I thought it could be easier to switch to such one-shot opening than to resurrect and fix `tests/init_fds.c`. I'm not exactly sure about all the benefits and drawbacks of going that way though, so, please, treat that as a suggestion, not a request.

## Checklist

* [x] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [ ] Code modified for feature
* [ ] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
* [x] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:

* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1396
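As an added illustration of the one-shot device access that issue #1188 and !1396 propose (example code, not GnuTLS's sysrng-linux implementation): getrandom(2) is tried first, /dev/urandom is opened and closed around every read, and the lowest free descriptor is compared before and after, which is the fd-leak property tests/init_fds.c checked by assuming fd 3. All function names are this example's own.

```c
/* Added example, not GnuTLS code: seed material fetched the way !1396 and
 * #1188 propose: getrandom(2) first, otherwise a one-shot open/read/close of
 * /dev/urandom instead of a descriptor kept open for the process lifetime. */
#define _GNU_SOURCE 1
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <string.h>
#include <unistd.h>
#if defined(__has_include)
# if __has_include(<sys/random.h>)
#  include <sys/random.h>
#  define HAVE_GETRANDOM 1
# endif
#endif

/* Read exactly len bytes, retrying on EINTR and short reads; -1 on error/EOF. */
static int read_full(int fd, uint8_t *buf, size_t len)
{
	size_t done = 0;
	while (done < len) {
		ssize_t n = read(fd, buf + done, len - done);
		if (n < 0 && errno == EINTR)
			continue;
		if (n <= 0)
			return -1;
		done += (size_t)n;
	}
	return 0;
}

/* getrandom(2): 0 on success, -1 if unavailable (ENOSYS, seccomp) or failing. */
static int seed_from_getrandom(uint8_t *buf, size_t len)
{
#ifdef HAVE_GETRANDOM
	size_t done = 0;
	while (done < len) {
		ssize_t n = getrandom(buf + done, len - done, 0);
		if (n < 0 && errno == EINTR)
			continue;
		if (n < 0)
			return -1;
		done += (size_t)n;
	}
	return 0;
#else
	(void)buf; (void)len; return -1;
#endif
}

/* One-shot fallback: open, read, close.  O_CLOEXEC so the fd cannot leak across
 * exec even in the short window it exists; O_NOCTTY against a mislinked node. */
int seed_from_urandom(uint8_t *buf, size_t len)
{
	int fd, ret, saved;
	do {
		fd = open("/dev/urandom", O_RDONLY | O_CLOEXEC | O_NOCTTY);
	} while (fd < 0 && errno == EINTR);
	if (fd < 0)
		return -1;
	ret = read_full(fd, buf, len);
	saved = errno;
	close(fd);            /* nothing is held between reseeds */
	errno = saved;
	return ret;
}

/* Entry point: 0 on success, -1 if neither source was usable. */
int get_seed(uint8_t *buf, size_t len)
{
	if (seed_from_getrandom(buf, len) == 0)
		return 0;
	return seed_from_urandom(buf, len);
}

/* The kernel hands out the lowest free descriptor, so this must be the same
 * before and after get_seed() if no fd leaked (no "fd 3" assumption needed). */
int lowest_free_fd(void)
{
	int fd = open("/dev/null", O_RDONLY);
	if (fd < 0)
		return -1;
	close(fd);
	return fd;
}

/* Self-check: two seeds succeed, differ, are not all-zero, leak no fd. */
int seed_self_test(void)
{
	uint8_t a[32], b[32], acc = 0;
	int before = lowest_free_fd();
	if (get_seed(a, sizeof a) != 0 || get_seed(b, sizeof b) != 0)
		return 0;
	if (lowest_free_fd() != before)
		return 0;
	for (size_t i = 0; i < sizeof a; i++)
		acc |= a[i];
	return acc != 0 && memcmp(a, b, sizeof a) != 0;
}
```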
From gnutls-devel at lists.gnutls.org Thu Mar 4 12:34:27 2021
Date: Thu, 04 Mar 2021 11:34:27 +0000
Subject: [gnutls-devel] GnuTLS | sysrng-linux: re-open /dev/urandom every time (!1396)

Merge Request !1396 was approved by Daiki Ueno

Merge Request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1396
Project:Branches: asosedkin/gnutls:oneshot-urandom to gnutls/gnutls:master
Author: Alexander Sosedkin
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1396

From gnutls-devel at lists.gnutls.org Thu Mar 4 12:36:29 2021
Date: Thu, 04 Mar 2021 11:36:29 +0000
Subject: [gnutls-devel] GnuTLS | sysrng-linux: re-open /dev/urandom every time (!1396)

Daiki Ueno commented:

Thank you!

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1396#note_521971906
From gnutls-devel at lists.gnutls.org Thu Mar 4 16:46:43 2021
Date: Thu, 04 Mar 2021 15:46:43 +0000
Subject: [gnutls-devel] GnuTLS | output UTF-8 decoded id-on-xmppAddr SAN's (!1397)

Steffen Jaeckel created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1397

Project:Branches: jaeckel/gnutls:fix-id-on-xmppAddr to gnutls/gnutls:master
Author: Steffen Jaeckel

## Checklist

* [x] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [ ] Code modified for feature
* [ ] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
* [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:

* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

`gnutls_x509_crt_get_subject_alt_name()` makes a promise [1], "If an otherName OID is known, the data will be decoded. ... RFC 3920 id-on-xmppAddr SAN is recognized.", which it didn't hold. Before this patch the output was still in DER format, e.g. for an id-on-xmppAddr, which is always UTF-8 (0x0c): `0x0c `

This patch fixes the issue and now it returns the decoded string.

[1] https://www.gnutls.org/manual/gnutls.html#gnutls_005fx509_005fcrt_005fget_005fsubject_005falt_005fname

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1397
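An added example, not the !1397 patch or GnuTLS code, of what decoding the id-on-xmppAddr otherName value involves: the value is a DER UTF8String (tag 0x0c), so a strict decoder checks the tag, the minimal length encoding, the absence of trailing bytes and UTF-8 validity before handing the string back instead of the raw DER. The JID sample and every function name below are this example's own.

```c
/* Added example, not GnuTLS code or the !1397 patch: strict decoding of the
 * otherName value of an id-on-xmppAddr SAN, a DER UTF8String (tag 0x0c,
 * length, UTF-8 bytes), which callers should receive decoded, not raw. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define DER_TAG_UTF8STRING 0x0c

/* Strict UTF-8 check: rejects overlong forms, surrogates, code points above
 * U+10FFFF, stray continuation bytes and embedded NUL (a NUL would silently
 * truncate the name for any consumer that treats it as a C string). */
static int utf8_valid(const uint8_t *s, size_t n)
{
	size_t i = 0;
	while (i < n) {
		uint8_t c = s[i];
		size_t extra;
		uint32_t cp, min;
		if (c == 0x00)
			return 0;
		if (c < 0x80) { i++; continue; }
		if ((c & 0xe0) == 0xc0)      { extra = 1; cp = c & 0x1f; min = 0x80; }
		else if ((c & 0xf0) == 0xe0) { extra = 2; cp = c & 0x0f; min = 0x800; }
		else if ((c & 0xf8) == 0xf0) { extra = 3; cp = c & 0x07; min = 0x10000; }
		else return 0;
		if (n - i - 1 < extra)
			return 0;
		for (size_t k = 1; k <= extra; k++) {
			if ((s[i + k] & 0xc0) != 0x80)
				return 0;
			cp = (cp << 6) | (s[i + k] & 0x3f);
		}
		if (cp < min || cp > 0x10ffff || (cp >= 0xd800 && cp <= 0xdfff))
			return 0;
		i += extra + 1;
	}
	return 1;
}

/* Decode one DER UTF8String.  On success returns 0 and points *out/*out_len at
 * the string bytes inside der (no copy).  Returns -1 for a wrong tag, a
 * truncated or non-minimal length, trailing bytes, or invalid UTF-8. */
int der_utf8string_decode(const uint8_t *der, size_t der_len,
			  const uint8_t **out, size_t *out_len)
{
	size_t pos = 0, len;
	if (der_len < 2 || der[pos++] != DER_TAG_UTF8STRING)
		return -1;
	if (der[pos] < 0x80) {                          /* short form */
		len = der[pos++];
	} else {                                        /* long form: 0x80|n, n bytes */
		size_t nbytes = der[pos++] & 0x7f;
		if (nbytes == 0 || nbytes > sizeof(size_t) || der_len - pos < nbytes)
			return -1;
		len = 0;
		for (size_t i = 0; i < nbytes; i++)
			len = (len << 8) | der[pos++];
		if (len < 0x80 || (len >> (8 * (nbytes - 1))) == 0)
			return -1;                              /* DER: minimal encoding only */
	}
	if (len != der_len - pos)
		return -1;                                  /* truncated or trailing data */
	if (!utf8_valid(der + pos, len))
		return -1;
	*out = der + pos;
	*out_len = len;
	return 0;
}

/* Constructed sample: the otherName value for the JID juliet@im.example.com,
 * a UTF8String of length 0x15 = 21. */
const uint8_t xmpp_addr_der[] = {
	0x0c, 0x15, 'j','u','l','i','e','t','@','i','m','.',
	'e','x','a','m','p','l','e','.','c','o','m'
};

/* Length of the decoded string, or -1 if the DER is rejected. */
long xmpp_addr_decoded_len(const uint8_t *der, size_t der_len)
{
	const uint8_t *p;
	size_t n;
	return der_utf8string_decode(der, der_len, &p, &n) == 0 ? (long)n : -1;
}

/* Decode the sample into a NUL-terminated C string, or NULL if rejected. */
const char *decode_sample(void)
{
	static char buf[64];
	const uint8_t *p;
	size_t n;
	if (der_utf8string_decode(xmpp_addr_der, sizeof xmpp_addr_der, &p, &n) != 0
	    || n >= sizeof buf)
		return NULL;
	memcpy(buf, p, n);
	buf[n] = '\0';
	return buf;
}
```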
From gnutls-devel at lists.gnutls.org Thu Mar 4 18:28:47 2021
Date: Thu, 04 Mar 2021 17:28:47 +0000
Subject: [gnutls-devel] GnuTLS | output UTF-8 decoded id-on-xmppAddr SAN's (!1397)

Merge Request !1397 was approved by Daiki Ueno

Merge Request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1397
Project:Branches: jaeckel/gnutls:fix-id-on-xmppAddr to gnutls/gnutls:master
Author: Steffen Jaeckel
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1397

From gnutls-devel at lists.gnutls.org Thu Mar 4 18:31:06 2021
Date: Thu, 04 Mar 2021 17:31:06 +0000
Subject: [gnutls-devel] GnuTLS | output UTF-8 decoded id-on-xmppAddr SAN's (!1397)

Daiki Ueno commented:

Thank you; the change looks correct. If it is not too much burden, it would be nice to add a unit test that covers this part.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1397#note_522316330
From gnutls-devel at lists.gnutls.org Fri Mar 5 12:19:10 2021
Date: Fri, 05 Mar 2021 11:19:10 +0000
Subject: [gnutls-devel] GnuTLS | gnutls_x509_trust_list_verify_crt2: skip duped certs for PKCS11 too (!1398)

Daiki Ueno created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1398

Project:Branches: dueno/gnutls:wip/dueno/duplicate-certs-pkcs11 to gnutls/gnutls:master
Author: Daiki Ueno

The commit 09b40be6e0e0a59ba4bd764067eb353241043a70 (part of !1370) didn't cover the case where the trust store is backed by PKCS#11, because it used `_gnutls_trust_list_get_issuer`, which only works with a file based trust store. This patch replaces the call with the more generic `gnutls_x509_trust_list_get_issuer` so it also works with other trust store implementations.

Reported by Michal Ruprich.

## Checklist

* [x] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [ ] Code modified for feature
* [ ] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
* [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:

* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1398
From gnutls-devel at lists.gnutls.org Fri Mar 5 12:32:52 2021
Date: Fri, 05 Mar 2021 11:32:52 +0000
Subject: [gnutls-devel] GnuTLS | output UTF-8 decoded id-on-xmppAddr SAN's (!1397)

Steffen Jaeckel commented:

Fine like that?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1397#note_522989905

From gnutls-devel at lists.gnutls.org Fri Mar 5 12:38:49 2021
Date: Fri, 05 Mar 2021 11:38:49 +0000
Subject: [gnutls-devel] GnuTLS | output UTF-8 decoded id-on-xmppAddr SAN's (!1397)

All discussions on Merge Request !1397 were resolved by Daiki Ueno

https://gitlab.com/gnutls/gnutls/-/merge_requests/1397

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1397
From gnutls-devel at lists.gnutls.org Fri Mar 5 12:38:55 2021
Date: Fri, 05 Mar 2021 11:38:55 +0000
Subject: [gnutls-devel] GnuTLS | output UTF-8 decoded id-on-xmppAddr SAN's (!1397)

Merge Request !1397 was scheduled to merge after pipeline succeeds by Daiki Ueno

Merge Request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1397
Project:Branches: jaeckel/gnutls:fix-id-on-xmppAddr to gnutls/gnutls:master
Author: Steffen Jaeckel
Assignees:
Reviewers:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1397

From gnutls-devel at lists.gnutls.org Fri Mar 5 12:38:44 2021
Date: Fri, 05 Mar 2021 11:38:44 +0000
Subject: [gnutls-devel] GnuTLS | output UTF-8 decoded id-on-xmppAddr SAN's (!1397)

Daiki Ueno commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/1397#note_522994070

That's perfect, thank you!

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1397#note_522994070
From gnutls-devel at lists.gnutls.org Fri Mar 5 13:06:36 2021
Date: Fri, 05 Mar 2021 12:06:36 +0000
Subject: [gnutls-devel] GnuTLS | x86:add detection of instruction set on Zhaoxin CPU (!1335)

Daiki Ueno started a new discussion on lib/accelerated/x86/x86-common.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1335#note_523016428

> }
>
> /* We are actually checking for SHA512 */
> static int check_phe_sha512(unsigned edx)
> {
> - return ((edx & via_bit_PADLOCK_PHE_SHA512) == via_bit_PADLOCK_PHE_SHA512);
> + return ((edx & bit_PADLOCK_PHE_SHA512) == bit_PADLOCK_PHE_SHA512);
> +}
> +
> +/* On some of the Zhaoxin CPUs, pclmul has a faster acceleration effect */
> +static int check_fast_pclmul(void)
> +{
> + unsigned int a,b,c,d;
> + unsigned int family,model;
> +
> + if (__get_cpuid(1, &a, &b, &c, &d))

@zzjianhui sorry, I failed to spot this during the review, but shouldn't this condition be `!__getcpuid(...)`? We have `#define __getcpuid(...) 0` as a fallback, and in that case GCC reports:

```console
x86-common.c: In function 'register_x86_crypto':
x86-common.c:314:15: warning: 'a' may be used uninitialized in this function [-Wmaybe-uninitialized]
  314 |  family = ((a >> 8) & 0x0F);
      |  ~~~^~~~~
x86-common.c:308:15: note: 'a' was declared here
  308 |  unsigned int a,b,c,d;
      |  ^
```

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1335#note_523016428
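Review bot: the `if (__get_cpuid(1, &a, &b, &c, &d))` condition that closes the check_fast_pclmul hunk looks inverted: GCC's `__get_cpuid` returns 1 when the leaf was read and 0 when it was not, and the compiler output quoted in the discussion shows `a` being consumed at `family = ((a >> 8) & 0x0F);` on a path where nothing has written it, which is exactly the case when the fallback macro expands to 0; test `if (!__get_cpuid(1, &a, &b, &c, &d))` and bail out of check_fast_pclmul there, so `family` and `model` are only ever derived from a successful CPUID query.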
From gnutls-devel at lists.gnutls.org Fri Mar 5 18:04:01 2021
Date: Fri, 05 Mar 2021 17:04:01 +0000
Subject: [gnutls-devel] GnuTLS | gnutls_x509_trust_list_verify_crt2: skip duplicated certs for PKCS#11 too (!1398)

Andreas Metzler commented:

I do not understand the pipeline failures.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1398#note_523340948

From gnutls-devel at lists.gnutls.org Fri Mar 5 18:42:25 2021
Date: Fri, 05 Mar 2021 17:42:25 +0000
Subject: [gnutls-devel] GnuTLS | output UTF-8 decoded id-on-xmppAddr SAN's (!1397)

Merge Request !1397 was merged

Merge Request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1397
Project:Branches: jaeckel/gnutls:fix-id-on-xmppAddr to gnutls/gnutls:master
Author: Steffen Jaeckel
Assignees:
Reviewers:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1397
URL: From gnutls-devel at lists.gnutls.org Fri Mar 5 18:42:50 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 05 Mar 2021 17:42:50 +0000 Subject: [gnutls-devel] GnuTLS | output UTF-8 decoded id-on-xmppAddr SAN's (!1397) In-Reply-To: References: Message-ID: Daiki Ueno commented: Thanks for the follow-up on the CI failures :-) -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1397#note_523365823 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat Mar 6 07:09:21 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Sat, 06 Mar 2021 06:09:21 +0000 Subject: [gnutls-devel] GnuTLS | sysrng-linux: re-open /dev/urandom every time (!1396) In-Reply-To: References: Message-ID: Daiki Ueno commented: Maybe we could also remove the `.check` operation and the usage all together, which was introduced sorely to keep the fd? 684b825f5f78cc7ad1f61be232fd20ee0bc5b56f -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1396#note_523587195 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat Mar 6 07:24:52 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Sat, 06 Mar 2021 06:24:52 +0000 Subject: [gnutls-devel] GnuTLS | gnutls_x509_trust_list_verify_crt2: skip duplicated certs for PKCS#11 too (!1398) In-Reply-To: References: Message-ID: Daiki Ueno commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/1398#note_523588419 Seems like an intermittent failure or timeout; I've retried and they are gone. 
--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1398#note_523588419

From gnutls-devel at lists.gnutls.org Sat Mar 6 08:11:30 2021
Date: Sat, 06 Mar 2021 07:11:30 +0000
Subject: [gnutls-devel] GnuTLS | gnutls_x509_trust_list_verify_crt2: skip duplicated certs for PKCS#11 too (!1398)

All discussions on Merge Request !1398 were resolved by Daiki Ueno
https://gitlab.com/gnutls/gnutls/-/merge_requests/1398

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1398

From gnutls-devel at lists.gnutls.org Sat Mar 6 08:16:54 2021
Date: Sat, 06 Mar 2021 07:16:54 +0000
Subject: [gnutls-devel] GnuTLS | gnutls_x509_trust_list_verify_crt2: skip duplicated certs for PKCS#11 too (!1398)

Merge Request !1398 was approved by Andreas Metzler
Merge Request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1398
Project:Branches: dueno/gnutls:wip/dueno/duplicate-certs-pkcs11 to gnutls/gnutls:master
Author: Daiki Ueno
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1398
From gnutls-devel at lists.gnutls.org Sat Mar 6 08:24:15 2021
Date: Sat, 06 Mar 2021 07:24:15 +0000
Subject: [gnutls-devel] GnuTLS | gnutls_x509_trust_list_verify_crt2: skip duplicated certs for PKCS#11 too (!1398)

Daiki Ueno commented:

Thank you for the review!

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1398#note_523594632

From gnutls-devel at lists.gnutls.org Sat Mar 6 08:24:24 2021
Date: Sat, 06 Mar 2021 07:24:24 +0000
Subject: [gnutls-devel] GnuTLS | gnutls_x509_trust_list_verify_crt2: skip duplicated certs for PKCS#11 too (!1398)

Merge Request !1398 was merged
Merge Request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1398
Project:Branches: dueno/gnutls:wip/dueno/duplicate-certs-pkcs11 to gnutls/gnutls:master
Author: Daiki Ueno
Assignees:
Reviewers:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1398

From gnutls-devel at lists.gnutls.org Mon Mar 8 15:32:04 2021
Date: Mon, 08 Mar 2021 14:32:04 +0000
Subject: [gnutls-devel] GnuTLS | sysrng-linux: re-open /dev/urandom every time (!1396)

Alexander Sosedkin commented:

Rebased, removed `_gnutls_rnd_check` and `_rnd_system_entropy_check`, please review.
I haven't removed `.check` from `gnutls_crypto_rnd_st` because that was done in fea6c3ca8f869752f4f79f724fbb8736e961fd88.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1396#note_524399064

From gnutls-devel at lists.gnutls.org Tue Mar 9 15:00:03 2021
Date: Tue, 09 Mar 2021 14:00:03 +0000
Subject: [gnutls-devel] GnuTLS | gnutls_buffer_append_data: avoid use-after-free in the callers (!1399)

Daiki Ueno created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1399

Project:Branches: dueno/gnutls:wip/dueno/realloc to gnutls/gnutls:master
Author: Daiki Ueno

Fixes: #1151

## Checklist

* [x] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [ ] Code modified for feature
* [ ] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
* [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:

* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1399
From gnutls-devel at lists.gnutls.org Tue Mar 9 15:25:16 2021
Date: Tue, 09 Mar 2021 14:25:16 +0000
Subject: [gnutls-devel] GnuTLS | gnutls_buffer_append_data: avoid use-after-free in the callers (!1399)

Tim Rühsen commented:

This pull request **introduces 1 alert** when merging 42b4fb00314f141db0928db729822f03da138588 into ba6e4b17bf74e58a8101f825011434b497eacbaa - [view on LGTM.com](https://lgtm.com/projects/gl/gnutls/gnutls/rev/pr-52cd38ac946c6aae68fe2af44ca905f025121db8)

**new alerts:**

* 1 for Missing return statement

---
*Comment posted by [LGTM.com](https://lgtm.com)*

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1399#note_525264736

From gnutls-devel at lists.gnutls.org Tue Mar 9 16:47:02 2021
Date: Tue, 09 Mar 2021 15:47:02 +0000
Subject: [gnutls-devel] GnuTLS | gnutls_buffer_append_data: avoid use-after-free in the callers (!1399)

Anderson Sasaki started a new discussion on lib/str.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1399#note_525345767

> if (unlikely(dest->data != NULL && dest->allocd == NULL))
> return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
>
> + /* When running under valgrind, use a simpler logic for reallocation;
> + * i.e., always call gnutls_realloc_fast() and do not reclaim the
> + * no-longer-used area which has been removed from the beginning of
> + * buffer with _gnutls_buffer_pop_datum().
> + */
> +#ifdef HAVE_VALGRIND_MEMCHECK_H

The idea here is to always trigger the reallocation even when it wouldn't be necessary, right?
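Review bot: the `#ifdef HAVE_VALGRIND_MEMCHECK_H` switch selects the always-realloc path at build time, according to whether configure found the valgrind header, while the comment above it says "When running under valgrind": a binary built on a host that has the header takes this path in every run, and one built without it can never exercise it, so no single build tests both reallocation strategies. Consider gating the simpler path on an explicit build option (or a runtime check such as `RUNNING_ON_VALGRIND` from `valgrind/valgrind.h`) and stating in the comment which of the two paths is the production one.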
--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1399#note_525345767

From gnutls-devel at lists.gnutls.org Tue Mar 9 16:56:13 2021
Date: Tue, 09 Mar 2021 15:56:13 +0000
Subject: [gnutls-devel] GnuTLS | gnutls_buffer_append_data: avoid use-after-free in the callers (!1399)

Daiki Ueno commented on a discussion on lib/str.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1399#note_525353833

> if (unlikely(dest->data != NULL && dest->allocd == NULL))
> return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
>
> + /* When running under valgrind, use a simpler logic for reallocation;
> + * i.e., always call gnutls_realloc_fast() and do not reclaim the
> + * no-longer-used area which has been removed from the beginning of
> + * buffer with _gnutls_buffer_pop_datum().
> + */
> +#ifdef HAVE_VALGRIND_MEMCHECK_H

Yes; that makes the issue happen more reliably.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1399#note_525353833
From gnutls-devel at lists.gnutls.org Tue Mar 9 17:22:34 2021
Date: Tue, 09 Mar 2021 16:22:34 +0000
Subject: [gnutls-devel] GnuTLS | gnutls_buffer_append_data: avoid use-after-free in the callers (!1399)

Merge request https://gitlab.com/gnutls/gnutls/-/merge_requests/1399 was reviewed by Anderson Sasaki

--
Anderson Sasaki started a new discussion on lib/ext/key_share.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1399#note_525378738

>
> ret =
> _gnutls_buffer_append_prefix(extdata, 16, 0);

Here you reserve room for the size of everything that is appended after the previously existing data, right?

--
Anderson Sasaki started a new discussion on lib/ext/key_share.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1399#note_525378745

> /* copy actual length */
> - _gnutls_write_uint16(extdata->length - cur_length, lengthp);
> + _gnutls_write_uint16(extdata->length - length_pos - 2,

Then here you calculate the size of everything that was appended and write to the reserved room (2 bytes)?

--
Anderson Sasaki started a new discussion on lib/ext/key_share.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1399#note_525378750

>
> - /* write the total length later */
> - lengthp = &extdata->data[extdata->length];

The problem is that when things are reallocated, this `lengthp` pointer turns invalid, right?

--
Anderson Sasaki started a new discussion on lib/ext/pre_shared_key.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1399#note_525378759

> + gnutls_datum_t client_hello;
> +
> + client_hello.data = extdata->data+sizeof(mbuffer_st);

And here (and the next case) we have to get the pointers after the possible reallocation, right?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1399
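Review bot: in `_gnutls_write_uint16(extdata->length - length_pos - 2,` the `- 2` is the width of the 16-bit prefix reserved by `_gnutls_buffer_append_prefix(extdata, 16, 0)`, but nothing in the hunk ties the two together; a comment at the subtraction ("minus the 2-byte length field reserved above") or a shared constant would keep them in step if the prefix width ever changes. The destination argument of that call is cut off in the quote; it has to be derived from `extdata->data` at the call site rather than earlier, since `length_pos` is kept as an offset precisely because the base may have moved since it was taken.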
From gnutls-devel at lists.gnutls.org Tue Mar 9 17:31:54 2021
Date: Tue, 09 Mar 2021 16:31:54 +0000
Subject: [gnutls-devel] GnuTLS | gnutls_buffer_append_data: avoid use-after-free in the callers (!1399)

Anderson Sasaki commented on a discussion on lib/str.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1399#note_525386639

> if (unlikely(dest->data != NULL && dest->allocd == NULL))
> return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
>
> + /* When running under valgrind, use a simpler logic for reallocation;
> + * i.e., always call gnutls_realloc_fast() and do not reclaim the
> + * no-longer-used area which has been removed from the beginning of
> + * buffer with _gnutls_buffer_pop_datum().
> + */
> +#ifdef HAVE_VALGRIND_MEMCHECK_H

OK!

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1399#note_525386639
From gnutls-devel at lists.gnutls.org Tue Mar 9 18:13:56 2021
Date: Tue, 09 Mar 2021 17:13:56 +0000
Subject: [gnutls-devel] GnuTLS | gnutls_buffer_append_data: avoid use-after-free in the callers (!1399)

Daiki Ueno commented on a discussion on lib/ext/key_share.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1399#note_525422352

> if (!have_creds_for_tls13(session))
> return 0;
>
> - /* write the total length later */
> - lengthp = &extdata->data[extdata->length];
> + length_pos = extdata->length;
>
> ret =
> _gnutls_buffer_append_prefix(extdata, 16, 0);

Yes, the extension itself has a 2-byte length field, which we are adding here (with 0 as the content).

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1399#note_525422352

From gnutls-devel at lists.gnutls.org Tue Mar 9 18:24:15 2021
Date: Tue, 09 Mar 2021 17:24:15 +0000
Subject: [gnutls-devel] GnuTLS | gnutls_buffer_append_data: avoid use-after-free in the callers (!1399)

Daiki Ueno commented on a discussion on lib/ext/key_share.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1399#note_525430010

> }
>
> /* copy actual length */
> - _gnutls_write_uint16(extdata->length - cur_length, lengthp);
> + _gnutls_write_uint16(extdata->length - length_pos - 2,

Yes, exactly.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1399#note_525430010
From gnutls-devel at lists.gnutls.org Tue Mar 9 18:27:30 2021
Date: Tue, 09 Mar 2021 17:27:30 +0000
Subject: [gnutls-devel] GnuTLS | gnutls_buffer_append_data: avoid use-after-free in the callers (!1399)

Daiki Ueno commented on a discussion on lib/ext/key_share.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1399#note_525432181

> if (!have_creds_for_tls13(session))
> return 0;
>
> - /* write the total length later */
> - lengthp = &extdata->data[extdata->length];

Yes; there are several calls to `_gnutls_buffer_append*` between here and the place where the length is actually assigned; if `realloc` (called underneath) allocates new memory, `lengthp` can be invalid.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1399#note_525432181

From gnutls-devel at lists.gnutls.org Tue Mar 9 20:32:29 2021
Date: Tue, 09 Mar 2021 19:32:29 +0000
Subject: [gnutls-devel] GnuTLS | x86: toggle polarity of check_fast_pclmul (!1400)

Daiki Ueno created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1400

Project:Branches: dueno/gnutls:wip/dueno/getcpuid to gnutls/gnutls:master
Author: Daiki Ueno

Add a description of the new feature/bug fix. Reference any relevant bugs.
## Checklist

* [x] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [ ] Code modified for feature
* [ ] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
* [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:

* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1400

From gnutls-devel at lists.gnutls.org Tue Mar 9 20:33:41 2021
Date: Tue, 09 Mar 2021 19:33:41 +0000
Subject: [gnutls-devel] GnuTLS | x86: toggle polarity of check_fast_pclmul (!1400)

Daiki Ueno commented:

I actually can't say this is correct; @zzjianhui could you take a look?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1400#note_525517842
From gnutls-devel at lists.gnutls.org Tue Mar 9 20:40:56 2021
Date: Tue, 09 Mar 2021 19:40:56 +0000
Subject: [gnutls-devel] GnuTLS | gnutls_buffer_append_data: avoid use-after-free in the callers (!1399)

Merge request https://gitlab.com/gnutls/gnutls/-/merge_requests/1399 was reviewed by Anderson Sasaki

--
Anderson Sasaki commented on a discussion on lib/ext/key_share.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1399#note_525521960

>
> ret =
> _gnutls_buffer_append_prefix(extdata, 16, 0);

OK, thanks for the clarification!

--
Anderson Sasaki commented on a discussion on lib/ext/key_share.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1399#note_525521961

> /* copy actual length */
> - _gnutls_write_uint16(extdata->length - cur_length, lengthp);
> + _gnutls_write_uint16(extdata->length - length_pos - 2,

OK!

--
Anderson Sasaki commented on a discussion on lib/ext/pre_shared_key.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1399#note_525521963

> + gnutls_datum_t client_hello;
> +
> + client_hello.data = extdata->data+sizeof(mbuffer_st);

I think this is clear now.

--
Anderson Sasaki commented on a discussion on lib/ext/key_share.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1399#note_525521965

>
> - /* write the total length later */
> - lengthp = &extdata->data[extdata->length];

OK!

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1399
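Review bot: `client_hello.data = extdata->data+sizeof(mbuffer_st)` is a pointer into `extdata`'s allocation and is valid only until the next `_gnutls_buffer_append*` on `extdata`, the same hazard this merge request removes in key_share.c; if anything is appended between this line and the last use of `client_hello`, the pointer needs to be recomputed (or an offset stored instead), and a comment stating that `client_hello` must be consumed before any further append would make the invariant visible. Minor: the surrounding code puts spaces around binary operators (`extdata->data + sizeof(mbuffer_st)`).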
From gnutls-devel at lists.gnutls.org Tue Mar 9 20:40:57 2021
Date: Tue, 09 Mar 2021 19:40:57 +0000
Subject: [gnutls-devel] GnuTLS | gnutls_buffer_append_data: avoid use-after-free in the callers (!1399)

All discussions on Merge Request !1399 were resolved by Anderson Sasaki
https://gitlab.com/gnutls/gnutls/-/merge_requests/1399

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1399

From gnutls-devel at lists.gnutls.org Tue Mar 9 20:41:42 2021
Date: Tue, 09 Mar 2021 19:41:42 +0000
Subject: [gnutls-devel] GnuTLS | gnutls_buffer_append_data: avoid use-after-free in the callers (!1399)

Anderson Sasaki commented:

@dueno Thank you for the clarification! For me the changes make sense and the code LGTM.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1399#note_525522324

From gnutls-devel at lists.gnutls.org Tue Mar 9 21:03:05 2021
Date: Tue, 09 Mar 2021 20:03:05 +0000
Subject: [gnutls-devel] GnuTLS | gnutls_buffer_append_data: avoid use-after-free in the callers (!1399)

Daiki Ueno commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/1399#note_525534138

Thank you for the review!
--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1399#note_525534138

From gnutls-devel at lists.gnutls.org Tue Mar 9 21:10:00 2021
Date: Tue, 09 Mar 2021 20:10:00 +0000
Subject: [gnutls-devel] GnuTLS | gnutls_buffer_append_data: avoid use-after-free in the callers (!1399)

Alexander Sosedkin commented:

I don't like taking a different codepath under valgrind, so I propose to have a separate job for that: https://gitlab.com/asosedkin/gnutls/-/commit/cbcdce99b5b31173b6a654481c468a4519c66f15

Maybe later we could also try an allocator that'd do unnecessary moving all the time.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1399#note_525537315

From gnutls-devel at lists.gnutls.org Tue Mar 9 21:29:17 2021
Date: Tue, 09 Mar 2021 20:29:17 +0000
Subject: [gnutls-devel] GnuTLS | gnutls_buffer_append_data: avoid use-after-free in the callers (!1399)

Daiki Ueno commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/1399#note_525546037

That looks much better; I've incorporated it in 8aace6b539627ff25d16eaaf6fcb95276f63a34e.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1399#note_525546037
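The hazard discussed in !1399 above (a pointer taken into `extdata->data` going stale when a later `_gnutls_buffer_append*` call moves the buffer) together with the "allocator that'd do unnecessary moving all the time" idea, as an added C example. This is not GnuTLS code: `buf_t`, `moving_realloc`, the quarantine, `encode_ext_by_pointer`, `encode_ext_by_offset` and the sample bytes are all constructed for illustration. The always-moving allocator stands in for the forced-reallocation idea, and the two encoders mirror the before/after shape of the key_share.c change: save a pointer to the length slot versus save its offset.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not GnuTLS code. buf_t stands in for gnutls_buffer_st. */
typedef struct { uint8_t *data; size_t length; size_t max_length; } buf_t;

/* A realloc that always moves (the "allocator that'd do unnecessary moving all
 * the time" suggested in the thread). Old blocks are quarantined rather than
 * freed at once, so malloc cannot hand their addresses back out mid-demo. */
#define QUARANTINE_MAX 16
static void *quarantine[QUARANTINE_MAX];
static size_t quarantine_len;

static void quarantine_flush(void)
{
	while (quarantine_len > 0)
		free(quarantine[--quarantine_len]);
}

static void *moving_realloc(void *old, size_t old_size, size_t new_size)
{
	void *fresh = malloc(new_size);
	if (fresh == NULL)
		return NULL;
	if (old != NULL) {
		memcpy(fresh, old, old_size < new_size ? old_size : new_size);
		if (quarantine_len == QUARANTINE_MAX)
			quarantine_flush();
		quarantine[quarantine_len++] = old;
	}
	return fresh;
}

/* Append n bytes; the buffer grows exactly to fit, so every growth moves it. */
static int buf_append(buf_t *b, const void *src, size_t n)
{
	if (b->length + n > b->max_length) {
		uint8_t *p = moving_realloc(b->data, b->length, b->length + n);
		if (p == NULL)
			return -1;
		b->data = p;
		b->max_length = b->length + n;
	}
	memcpy(b->data + b->length, src, n);
	b->length += n;
	return 0;
}

static void buf_free(buf_t *b) { free(b->data); quarantine_flush(); }

/* The pattern !1399 removes: remember the ADDRESS of the length slot, append,
 * then write through it. The address is kept as an integer, never dereferenced.
 * Returns 1 if it still lies inside the current allocation, 0 if stale, -1 on OOM. */
static int encode_ext_by_pointer(buf_t *b, const uint8_t *body, size_t body_len)
{
	uintptr_t lengthp = (uintptr_t)(b->data + b->length), lo, hi;
	if (buf_append(b, (const uint8_t[2]){ 0, 0 }, 2) < 0 ||  /* reserve length */
	    buf_append(b, body, body_len) < 0)
		return -1;
	lo = (uintptr_t)b->data, hi = lo + b->max_length;
	return (lengthp >= lo && lengthp < hi) ? 1 : 0;
}

/* The fix: remember the OFFSET, reserve the 2-byte length, append, and only
 * then derive the slot's address from the current base. */
static int encode_ext_by_offset(buf_t *b, const uint8_t *body, size_t body_len)
{
	size_t length_pos = b->length, len;
	if (buf_append(b, (const uint8_t[2]){ 0, 0 }, 2) < 0 ||  /* reserve length */
	    buf_append(b, body, body_len) < 0)
		return -1;
	len = b->length - length_pos - 2; /* -2: the field does not count itself */
	b->data[length_pos] = (uint8_t)(len >> 8);
	b->data[length_pos + 1] = (uint8_t)len;
	return 0;
}

/* Constructed input: 4 bytes already in the buffer, then a 5-byte body. */
static const uint8_t k_existing[4] = { 0x00, 0x33, 0x00, 0x00 };
static const uint8_t k_body[5] = { 0x00, 0x17, 0x00, 0x01, 0xab };

/* 1 if the offset-based encoder produced existing || 00 05 || body. */
static int offset_encoding_ok(void)
{
	buf_t b = { NULL, 0, 0 };
	int ok = buf_append(&b, k_existing, 4) == 0 &&
		 encode_ext_by_offset(&b, k_body, 5) == 0 &&
		 b.length == 11 && b.data[4] == 0x00 && b.data[5] == 0x05 &&
		 memcmp(b.data + 6, k_body, 5) == 0;
	buf_free(&b);
	return ok;
}

/* 0 when the remembered pointer went stale, i.e. the bug reproduced. */
static int pointer_still_valid(void)
{
	buf_t b = { NULL, 0, 0 };
	int r = buf_append(&b, k_existing, 4) == 0 ? encode_ext_by_pointer(&b, k_body, 5) : -1;
	buf_free(&b);
	return r;
}
```

With a plain `realloc` the saved pointer usually keeps working until a growth happens to move the block, which is why the original bug only showed up reliably when reallocation was forced; the quarantine is what makes the stale-pointer result deterministic here, since a freed block's address could otherwise be handed straight back by `malloc`.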
From gnutls-devel at lists.gnutls.org Wed Mar 10 03:53:20 2021
Date: Wed, 10 Mar 2021 02:53:20 +0000
Subject: [gnutls-devel] GnuTLS | x86: toggle polarity of check_fast_pclmul (!1400)

Merge request https://gitlab.com/gnutls/gnutls/-/merge_requests/1400 was reviewed by zzjianhui

--
zzjianhui commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/1400#note_525697306

Yes, this is correct. After I tested it, it will execute pclmul. It can have higher performance.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1400

From gnutls-devel at lists.gnutls.org Wed Mar 10 05:32:24 2021
Date: Wed, 10 Mar 2021 04:32:24 +0000
Subject: [gnutls-devel] GnuTLS | x86: toggle polarity of check_fast_pclmul (!1400)

All discussions on Merge Request !1400 were resolved by Daiki Ueno
https://gitlab.com/gnutls/gnutls/-/merge_requests/1400

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1400
From gnutls-devel at lists.gnutls.org Wed Mar 10 05:32:24 2021
Date: Wed, 10 Mar 2021 04:32:24 +0000
Subject: [gnutls-devel] GnuTLS | x86: toggle polarity of check_fast_pclmul (!1400)

Daiki Ueno commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/1400#note_525730640

Thank you for checking.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1400#note_525730640

From gnutls-devel at lists.gnutls.org Wed Mar 10 05:32:51 2021
Date: Wed, 10 Mar 2021 04:32:51 +0000
Subject: [gnutls-devel] GnuTLS | x86: toggle polarity of check_fast_pclmul (!1400)

Merge Request !1400 was scheduled to merge after pipeline succeeds by Daiki Ueno
Merge Request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1400
Project:Branches: dueno/gnutls:wip/dueno/getcpuid to gnutls/gnutls:master
Author: Daiki Ueno
Assignees:
Reviewers:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1400
From gnutls-devel at lists.gnutls.org Wed Mar 10 06:15:27 2021
Date: Wed, 10 Mar 2021 05:15:27 +0000
Subject: [gnutls-devel] GnuTLS | gnutls_buffer_append_data: avoid use-after-free in the callers (!1399)

All discussions on Merge Request !1399 were resolved by Daiki Ueno
https://gitlab.com/gnutls/gnutls/-/merge_requests/1399

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1399

From gnutls-devel at lists.gnutls.org Wed Mar 10 06:16:06 2021
Date: Wed, 10 Mar 2021 05:16:06 +0000
Subject: [gnutls-devel] GnuTLS | gnutls_buffer_append_data: avoid use-after-free in the callers (!1399)

Merge Request !1399 was scheduled to merge after pipeline succeeds by Daiki Ueno
Merge Request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1399
Project:Branches: dueno/gnutls:wip/dueno/realloc to gnutls/gnutls:master
Author: Daiki Ueno
Assignees:
Reviewers:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1399
From gnutls-devel at lists.gnutls.org Wed Mar 10 06:20:25 2021
Date: Wed, 10 Mar 2021 05:20:25 +0000
Subject: [gnutls-devel] GnuTLS | gnutls_buffer_append_data: avoid use-after-free in the callers (!1399)

Daiki Ueno commented:

I'm merging it to see if the valgrind checks really work (they are only triggered on the upstream branches).

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1399#note_525748201

From gnutls-devel at lists.gnutls.org Wed Mar 10 10:37:52 2021
Date: Wed, 10 Mar 2021 09:37:52 +0000
Subject: [gnutls-devel] GnuTLS | x86: toggle polarity of check_fast_pclmul (!1400)

Merge Request !1400 was merged
Merge Request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1400
Project:Branches: dueno/gnutls:wip/dueno/getcpuid to gnutls/gnutls:master
Author: Daiki Ueno
Assignees:
Reviewers:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1400
From gnutls-devel at lists.gnutls.org Wed Mar 10 11:20:35 2021
Date: Wed, 10 Mar 2021 10:20:35 +0000
Subject: [gnutls-devel] GnuTLS | gnutls_buffer_append_data: avoid use-after-free in the callers (!1399)

Merge Request !1399 was merged
Merge Request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1399
Project:Branches: dueno/gnutls:wip/dueno/realloc to gnutls/gnutls:master
Author: Daiki Ueno
Assignees:
Reviewers:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1399

From gnutls-devel at lists.gnutls.org Wed Mar 10 16:18:31 2021
Date: Wed, 10 Mar 2021 15:18:31 +0000
Subject: [gnutls-devel] GnuTLS | Fix issues with AGGRESSIVE_REALLOC (!1401)

Daiki Ueno created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1401

Project:Branches: dueno/gnutls:wip/dueno/aggressive-realloc-fixes to gnutls/gnutls:master
Author: Daiki Ueno

Add a description of the new feature/bug fix. Reference any relevant bugs.
## Checklist

* [x] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [ ] Code modified for feature
* [ ] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
* [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:

* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1401

From gnutls-devel at lists.gnutls.org Wed Mar 10 17:28:35 2021
Date: Wed, 10 Mar 2021 16:28:35 +0000
Subject: [gnutls-devel] GnuTLS | Fix issues with AGGRESSIVE_REALLOC (!1401)

Alexander Sosedkin started a new discussion on lib/str.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1401#note_526400066

>
> unused = MEMSUB(dest->data, dest->allocd);
> dest->allocd =
> - gnutls_realloc_fast(dest->allocd, new_size);
> + gnutls_realloc_fast(dest->allocd, new_size + unused);
> if (dest->allocd == NULL) {
> gnutls_assert();
> return GNUTLS_E_MEMORY_ERROR;
> }
> dest->max_length = new_size;

`new_size` or `new_size + unused`?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1401#note_526400066
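Review bot: the hunk grows the allocation to `new_size + unused` but then sets `dest->max_length = new_size`, and nothing in the hunk says whether `max_length` counts from `dest->allocd` or from `dest->data`; state the invariant in a comment at the assignment (for instance that `max_length` is the capacity available after the `unused` prefix, which is why the prefix is added to the realloc size but not to `max_length`), so the reader does not have to re-derive it. Also consider checking that `new_size + unused` cannot wrap before it is passed to `gnutls_realloc_fast`.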
From gnutls-devel at lists.gnutls.org Wed Mar 10 18:50:36 2021
Date: Wed, 10 Mar 2021 17:50:36 +0000
Subject: [gnutls-devel] GnuTLS | Fix issues with AGGRESSIVE_REALLOC (!1401)

All discussions on Merge Request !1401 were resolved by Alexander Sosedkin

https://gitlab.com/gnutls/gnutls/-/merge_requests/1401

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1401

From gnutls-devel at lists.gnutls.org Wed Mar 10 19:52:55 2021
Date: Wed, 10 Mar 2021 18:52:55 +0000
Subject: [gnutls-devel] GnuTLS | Fix issues with AGGRESSIVE_REALLOC (!1401)

Alexander Sosedkin commented:

change looks fine. `tests/srp` times out on my machine, rest passed.

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1401#note_526511576
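The realloc pattern discussed in !1401, as an added stand-alone example that is not GnuTLS code: a small model of a buffer whose `data` pointer sits at an offset (`unused`) inside the `allocd` block, so that growing it means allocating `new_size + unused` and then rebasing `data` on the (possibly moved) block. The names `buf_t`, `buf_reserve`, `buf_append`, `buf_consume` and `buf_selftest` are invented here, and the wraparound check before the addition is an addition of this example, not something the quoted hunk shows.

```c
/* Added example, not GnuTLS code: a minimal "allocd/data" growable buffer
 * modelled on the lib/str.c discussion in !1401. All names are made up. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct {
    uint8_t *allocd;     /* start of the malloc'd block */
    uint8_t *data;       /* first live byte; may sit past allocd */
    size_t length;       /* bytes of valid data starting at data */
    size_t max_length;   /* capacity counted from data, not from allocd */
} buf_t;

static void buf_init(buf_t *b) { memset(b, 0, sizeof *b); }

static void buf_clear(buf_t *b) { free(b->allocd); buf_init(b); }

/* Drop n bytes from the front by advancing data (no memmove). */
static int buf_consume(buf_t *b, size_t n)
{
    if (n > b->length) return -1;
    b->data += n;
    b->length -= n;
    b->max_length -= n;   /* capacity is measured from data */
    return 0;
}

/* Make room for n more bytes after the current data. Returns 0 or -1. */
static int buf_reserve(buf_t *b, size_t n)
{
    size_t unused = b->allocd ? (size_t)(b->data - b->allocd) : 0;
    size_t new_size;
    uint8_t *p;

    if (n <= b->max_length - b->length) return 0;   /* already fits */

    /* new_size is counted from data; the block must also hold the unused
     * prefix, so check both additions for wraparound before realloc. */
    if (b->length > SIZE_MAX - n) return -1;
    new_size = b->length + n;
    if (new_size > SIZE_MAX - unused) return -1;

    p = realloc(b->allocd, new_size + unused);
    if (p == NULL) return -1;

    /* realloc may move the block: rebase data on the new allocd. Leaving
     * data untouched here is exactly the use-after-free !1399 fixed. */
    b->allocd = p;
    b->data = p + unused;
    b->max_length = new_size;
    return 0;
}

static int buf_append(buf_t *b, const void *src, size_t n)
{
    if (buf_reserve(b, n) < 0) return -1;
    memcpy(b->data + b->length, src, n);
    b->length += n;
    return 0;
}

/* Fill, consume a prefix, grow past the block so realloc must run, then
 * check the invariants. Returns 1 on success, 0 on any failure. */
static int buf_selftest(void)
{
    buf_t b;
    uint8_t big[4096];   /* constructed input large enough to force realloc */
    int ok;

    buf_init(&b);
    memset(big, 'x', sizeof big);

    ok = buf_append(&b, "hello world", 11) == 0
      && buf_consume(&b, 6) == 0                  /* data now points at "world" */
      && b.data == b.allocd + 6
      && buf_append(&b, big, sizeof big) == 0     /* forces realloc */
      && b.data == b.allocd + 6                   /* prefix offset preserved */
      && b.max_length == b.length
      && b.length == 5 + sizeof big
      && memcmp(b.data, "world", 5) == 0
      && b.data[5] == 'x' && b.data[b.length - 1] == 'x'
      && buf_reserve(&b, SIZE_MAX) < 0;           /* wraparound is rejected */

    buf_clear(&b);
    return ok;
}

int main(void)
{
    int ok = buf_selftest();
    printf("%s\n", ok ? "buffer self-test passed" : "buffer self-test FAILED");
    return ok ? 0 : 1;
}
```

The self-test deliberately consumes a prefix before the growing append, so the `unused` offset is non-zero when `realloc` runs; that is the case in which forgetting to rebase `data` goes unnoticed until the allocator actually moves the block.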
From gnutls-devel at lists.gnutls.org Wed Mar 10 20:03:02 2021
Date: Wed, 10 Mar 2021 19:03:02 +0000
Subject: [gnutls-devel] GnuTLS | Fix issues with AGGRESSIVE_REALLOC (!1401)

Merge Request !1401 was merged

Merge Request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1401
Project:Branches: dueno/gnutls:wip/dueno/aggressive-realloc-fixes to gnutls/gnutls:master
Author: Daiki Ueno
Assignees:
Reviewers:

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1401

From gnutls-devel at lists.gnutls.org Wed Mar 10 20:02:37 2021
Date: Wed, 10 Mar 2021 19:02:37 +0000
Subject: [gnutls-devel] GnuTLS | Fix issues with AGGRESSIVE_REALLOC (!1401)

Daiki Ueno commented:

Thanks for the review and for checking.

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1401#note_526516509

From gnutls-devel at lists.gnutls.org Thu Mar 11 07:22:45 2021
Date: Thu, 11 Mar 2021 06:22:45 +0000
Subject: [gnutls-devel] GnuTLS | sysrng-linux: re-open /dev/urandom every time (!1396)

Daiki Ueno commented:

Thank you; looks good to me.

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1396#note_526787988

From gnutls-devel at lists.gnutls.org Thu Mar 11 07:23:04 2021
Date: Thu, 11 Mar 2021 06:23:04 +0000
Subject: [gnutls-devel] GnuTLS | Do not keep fd open for /dev/urandom (#1188)

Issue was closed by Daiki Ueno via merge request !1396 (https://gitlab.com/gnutls/gnutls/-/merge_requests/1396)

Issue #1188: https://gitlab.com/gnutls/gnutls/-/issues/1188

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1188

From gnutls-devel at lists.gnutls.org Thu Mar 11 07:23:05 2021
Date: Thu, 11 Mar 2021 06:23:05 +0000
Subject: [gnutls-devel] GnuTLS | sysrng-linux: re-open /dev/urandom every time (!1396)

Merge Request !1396 was merged

Merge Request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1396
Project:Branches: asosedkin/gnutls:oneshot-urandom to gnutls/gnutls:master
Author: Alexander Sosedkin
Assignees:
Reviewers:

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1396
From gnutls-devel at lists.gnutls.org Thu Mar 11 18:04:02 2021
Date: Thu, 11 Mar 2021 17:04:02 +0000
Subject: [gnutls-devel] GnuTLS | Add Linux kernel AF_ALG backend (#308)

Reassigned Issue 308

https://gitlab.com/gnutls/gnutls/-/issues/308

Assignee changed to František Krenželok

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/308

From gnutls-devel at lists.gnutls.org Thu Mar 11 18:11:33 2021
Date: Thu, 11 Mar 2021 17:11:33 +0000
Subject: [gnutls-devel] GnuTLS | Add Linux kernel AF_ALG backend (#308)

Daiki Ueno commented:

@FrantisekKrenzelok, who is currently looking at the patches, noticed that some functions get stuck in some occasions. It seems that the output size specified as function argument must match the exact size returned. @smuellerDD is it an expected change in libkcapi/kernel?

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/308#note_527421502

From gnutls-devel at lists.gnutls.org Sat Mar 13 02:20:52 2021
Date: Sat, 13 Mar 2021 01:20:52 +0000
Subject: [gnutls-devel] GnuTLS | SECURITY: use-after-free in PSK binder calculation (#1151)

Léo Le Bouter commented:

Hello,

Does this impact `3.6.x`?

Thank you

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1151#note_528567535

From gnutls-devel at lists.gnutls.org Sat Mar 13 08:51:59 2021
Date: Sat, 13 Mar 2021 07:51:59 +0000
Subject: [gnutls-devel] GnuTLS | SECURITY: use-after-free in PSK binder calculation (#1151)

Daiki Ueno commented on a discussion: https://gitlab.com/gnutls/gnutls/-/issues/1151#note_528632948

Yes. Do you think a new release on the 3.6.x branch would also be necessary?

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1151#note_528632948

From gnutls-devel at lists.gnutls.org Sat Mar 13 09:11:53 2021
Date: Sat, 13 Mar 2021 08:11:53 +0000
Subject: [gnutls-devel] GnuTLS | SECURITY: use-after-free in PSK binder calculation (#1151)

Léo Le Bouter commented on a discussion: https://gitlab.com/gnutls/gnutls/-/issues/1151#note_528639258

If there's a CVE out, then yes, it seems to me the low impact evaluation may not hold up if there's further discoveries and study by some exploit writers, so better be safe.

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1151#note_528639258
From gnutls-devel at lists.gnutls.org Sat Mar 13 11:52:25 2021
Date: Sat, 13 Mar 2021 10:52:25 +0000
Subject: [gnutls-devel] GnuTLS | SECURITY: use-after-free in PSK binder calculation (#1151)

Léo Le Bouter commented on a discussion: https://gitlab.com/gnutls/gnutls/-/issues/1151#note_528671144

Over at GNU Guix, we applied a patch from the commit on `3.6.x` series.

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1151#note_528671144

From gnutls-devel at lists.gnutls.org Sat Mar 13 19:48:26 2021
Date: Sat, 13 Mar 2021 18:48:26 +0000
Subject: [gnutls-devel] GnuTLS | Port shell-script tests to init.sh (#1064)

Daiki Ueno commented:

@asosedkin FYI.

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1064#note_528738750
From gnutls-devel at lists.gnutls.org Sun Mar 14 08:56:52 2021
Date: Sun, 14 Mar 2021 07:56:52 +0000
Subject: [gnutls-devel] GnuTLS | 3.7.1: test failure on NetBSD (#1190)

Thomas Klausner created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1190

When running the self tests for gnutls-3.7.1 on NetBSD 9.99.81/amd64, gcc 9.3.0, I see one test failure:

```
FAIL: test-parse-datetime
=========================

test-parse-datetime.c:434: assertion 'parse_datetime (&result, "TZ=\"\\\\\"", &now)' failed
FAIL test-parse-datetime (exit status: 134)
```

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1190

From gnutls-devel at lists.gnutls.org Sun Mar 14 09:14:44 2021
Date: Sun, 14 Mar 2021 08:14:44 +0000
Subject: [gnutls-devel] GnuTLS | 3.7.1: test failure on NetBSD (#1190)

Daiki Ueno commented:

The test comes from Gnulib; would you mind checking if the latest upstream version fails as well?

```console
git clone --depth=1 https://git.sv.gnu.org/git/gnulib.git
cd gnulib
./gnulib-tool --create-testdir --dir=t parse-datetime
cd t
./configure && make && make check
```

If that fails, I would suggest reporting it to [bug-gnulib](https://lists.gnu.org/mailman/listinfo/bug-gnulib).

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1190#note_528802421
From gnutls-devel at lists.gnutls.org Sun Mar 14 12:05:59 2021
Date: Sun, 14 Mar 2021 11:05:59 +0000
Subject: [gnutls-devel] GnuTLS | 3.7.1: test failure on NetBSD (#1190)

Thomas Klausner commented:

Thanks for the recipe. That does indeed fail for me, and I've reported it to gnulib.

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1190#note_528838944

From gnutls-devel at lists.gnutls.org Mon Mar 15 05:08:30 2021
Date: Mon, 15 Mar 2021 04:08:30 +0000
Subject: [gnutls-devel] GnuTLS | bootstrap fails (#1150)

GnuTLS bot commented:

@mtodescato This issue was marked as needinfo with no update for long time. We are now closing it, but please re-open if it is still relevant.

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1150#note_529010280

From gnutls-devel at lists.gnutls.org Mon Mar 15 05:08:30 2021
Date: Mon, 15 Mar 2021 04:08:30 +0000
Subject: [gnutls-devel] GnuTLS | bootstrap fails (#1150)

Issue was closed by GnuTLS bot

Issue #1150: https://gitlab.com/gnutls/gnutls/-/issues/1150

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1150
From gnutls-devel at lists.gnutls.org Mon Mar 15 08:40:25 2021
Date: Mon, 15 Mar 2021 07:40:25 +0000
Subject: [gnutls-devel] GnuTLS | 3.7.1: test failure on NetBSD (#1190)

Daiki Ueno commented on a discussion: https://gitlab.com/gnutls/gnutls/-/issues/1190#note_529094829

Thanks; the offending tests are now skipped on NetBSD: https://git.savannah.gnu.org/cgit/gnulib.git/commit/?id=35f8ff2e1162bf3ee60d99b6812f2ae10f3f2898

I'll file an MR to update the Gnulib submodule to incorporate it.

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1190#note_529094829

From gnutls-devel at lists.gnutls.org Mon Mar 15 10:10:23 2021
Date: Mon, 15 Mar 2021 09:10:23 +0000
Subject: [gnutls-devel] GnuTLS | gnulib: update git submodule (!1402)

Daiki Ueno created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1402

Project:Branches: dueno/gnutls:wip/dueno/tzalloc-tests to gnutls/gnutls:master
Author: Daiki Ueno

Fixes: #1190

## Checklist

* [x] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [ ] Code modified for feature
* [ ] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
* [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:

* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1402

From gnutls-devel at lists.gnutls.org Mon Mar 15 11:17:03 2021
Date: Mon, 15 Mar 2021 10:17:03 +0000
Subject: [gnutls-devel] GnuTLS | Fix resource leaks spotted by coverity (!1403)

Daiki Ueno created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1403

Project:Branches: dueno/gnutls:wip/dueno/coverity to gnutls/gnutls:master
Author: Daiki Ueno

This fixes potential resource leaks in error paths. That said, all those leaks are in tools and examples, and do not affect the library.
## Checklist

* [x] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [ ] Code modified for feature
* [ ] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
* [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:

* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1403

From gnutls-devel at lists.gnutls.org Mon Mar 15 13:47:40 2021
Date: Mon, 15 Mar 2021 12:47:40 +0000
Subject: [gnutls-devel] GnuTLS | 3.7.1: test failure on NetBSD (#1190)

Issue was closed by Daiki Ueno via merge request !1402 (https://gitlab.com/gnutls/gnutls/-/merge_requests/1402)

Issue #1190: https://gitlab.com/gnutls/gnutls/-/issues/1190

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1190
From gnutls-devel at lists.gnutls.org Mon Mar 15 13:47:42 2021
Date: Mon, 15 Mar 2021 12:47:42 +0000
Subject: [gnutls-devel] GnuTLS | gnulib: update git submodule (!1402)

Merge Request !1402 was merged

Merge Request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1402
Project:Branches: dueno/gnutls:wip/dueno/tzalloc-tests to gnutls/gnutls:master
Author: Daiki Ueno
Assignees:
Reviewers:

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1402

From gnutls-devel at lists.gnutls.org Tue Mar 16 03:12:00 2021
Date: Tue, 16 Mar 2021 02:12:00 +0000
Subject: [gnutls-devel] GnuTLS | Soft-disabling configuration capabilities should match the hard-disabling ones (#1172)

Daiki Ueno commented:

This is probably a stupid idea, but I was thinking to allow multiple named `[overrides]` sections, e.g., `[overrides.EXAMPLE]`. The name (`EXAMPLE`) can be referred to in the `[priorities]` section. That way, we can overcome the limitation of priority strings and also define soft-disablement in a declarative manner in a single place. For example:

```ini
[overrides.EXAMPLE1]
insecure-sig = rsa-sha1

[overrides.EXAMPLE2]
insecure-sig = rsa-sha256

[priorities]
EXAMPLE1 = EXAMPLE1
EXAMPLE2 = EXAMPLE2
SYSTEM = NORMAL
```

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1172#note_529897405
From gnutls-devel at lists.gnutls.org Tue Mar 16 06:42:46 2021
Date: Tue, 16 Mar 2021 05:42:46 +0000
Subject: [gnutls-devel] GnuTLS | Fix resource leaks spotted by coverity (!1403)

Merge Request !1403 was merged

Merge Request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1403
Project:Branches: dueno/gnutls:wip/dueno/coverity to gnutls/gnutls:master
Author: Daiki Ueno
Assignees:
Reviewers:

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1403

From gnutls-devel at lists.gnutls.org Tue Mar 16 07:47:10 2021
Date: Tue, 16 Mar 2021 06:47:10 +0000
Subject: [gnutls-devel] GnuTLS | Ensure array allocations overflow safe (#1179)

Milestone changed to Release of GnuTLS 3.7.2 release ( https://gitlab.com/gnutls/gnutls/-/milestones/31 )

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1179
From gnutls-devel at lists.gnutls.org Tue Mar 16 07:47:34 2021
Date: Tue, 16 Mar 2021 06:47:34 +0000
Subject: [gnutls-devel] GnuTLS | Soft-disabling configuration capabilities should match the hard-disabling ones (#1172)

Milestone changed to Release of GnuTLS 3.7.2 release ( https://gitlab.com/gnutls/gnutls/-/milestones/31 )

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1172

From gnutls-devel at lists.gnutls.org Tue Mar 16 07:48:11 2021
Date: Tue, 16 Mar 2021 06:48:11 +0000
Subject: [gnutls-devel] GnuTLS | Wrong CDP in certificate (#1126)

Milestone changed to Release of GnuTLS 3.7.2 release ( https://gitlab.com/gnutls/gnutls/-/milestones/31 )

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1126
From gnutls-devel at lists.gnutls.org Tue Mar 16 07:47:54 2021
Date: Tue, 16 Mar 2021 06:47:54 +0000
Subject: [gnutls-devel] GnuTLS | GnuTLS client sends early data after receiving Server Hello (#1146)

Milestone changed to Release of GnuTLS 3.7.2 release ( https://gitlab.com/gnutls/gnutls/-/milestones/31 )

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1146

From gnutls-devel at lists.gnutls.org Tue Mar 16 07:49:40 2021
Date: Tue, 16 Mar 2021 06:49:40 +0000
Subject: [gnutls-devel] GnuTLS | GNUTLS_NO_EXPLICIT_INIT should be named GNUTLS_NO_IMPLICIT_INIT (#1178)

Milestone changed to Release of GnuTLS 3.7.2 release ( https://gitlab.com/gnutls/gnutls/-/milestones/31 )

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1178

From gnutls-devel at lists.gnutls.org Tue Mar 16 08:13:26 2021
Date: Tue, 16 Mar 2021 07:13:26 +0000
Subject: [gnutls-devel] GnuTLS | fipshmac calculation needs to be done after library strip (#1191)

Daiki Ueno created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1191

The newly introduced `fipshmac` helper program currently runs in the `make` phase, where the libraries are not stripped. This should be done at the `make install` phase instead.

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1191

From gnutls-devel at lists.gnutls.org Tue Mar 16 12:32:45 2021
Date: Tue, 16 Mar 2021 11:32:45 +0000
Subject: [gnutls-devel] GnuTLS | Allow registering ciphers with higher priority (!1404)

František Krenželok created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1404

Project:Branches: FrantisekKrenzelok/gnutls:af_alg to gnutls/gnutls:master
Author: František Krenželok

Add a description of the new feature/bug fix. Reference any relevant bugs.

## Checklist

* [ ] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [ ] Code modified for feature
* [ ] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
* [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:

* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1404
From gnutls-devel at lists.gnutls.org Tue Mar 16 14:30:18 2021
Date: Tue, 16 Mar 2021 13:30:18 +0000
Subject: [gnutls-devel] GnuTLS | Soft-disabling configuration capabilities should match the hard-disabling ones (#1172)

Alexander Sosedkin commented:

So, the effective configuration now, with a config specifying "hard-disabled" and "config-priority" is:

* for non-TLS: "everything - hard-disabled",
* for TLS not using `@SYSTEM`: "_priority_",
* for TLS using `@SYSTEM:extra-priority`: "config-priority +- _extra-priority_ - hard-disabled".

And what we're aiming for given a config that specifies "soft-disabled", "hard-disabled" and "config-priority":

* for non-TLS: "everything - soft-disabled +- _new-api_ - hard-disabled",
* for TLS not using @SYSTEM: "_priority_ +- _new-api_",
* for TLS using @SYSTEM:extra-priority: "config-priority - soft-disabled +- _extra-priority_ +- _new-api_ - hard-disabled".

(italics signify what's under the application control)

Questions:

* did I get your proposal right?
* do we want new API to affect TLS or not? why?
* will we have everything soft-disabled reenableable with either priority strings or new-api?
* will we have priority-string-format keywords for everything, so that a TLS app could forego new-api and only use priority string?
* if we will have priority-string keywords for everything, can we simplify it somehow? The "priority - soft-disabled +- _extra-priority_ +- _new-api_ - hard-disabled" might be not that hard to merge, but sounds hard to comprehend.
* how orthogonal are new-api and adding soft-disablement?

And now for something completely different: maybe my original request is misguided. Now I'm not sure why vendors go the disabling way at all (https://gitlab.com/redhat-crypto/fedora-crypto-policies/-/issues/22). Maybe we should do soft-enabling instead, for writing future-proof config files that don't change effective configuration on gnutls adding new algorithms? Or allow both with smth like `default=everything / default=nothing`? This is hard =)

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1172#note_530521992

From gnutls-devel at lists.gnutls.org Wed Mar 17 07:58:50 2021
Date: Wed, 17 Mar 2021 06:58:50 +0000
Subject: [gnutls-devel] GnuTLS | Allow registering ciphers with higher priority (!1404)

Merge request https://gitlab.com/gnutls/gnutls/-/merge_requests/1404 was reviewed by Daiki Ueno

--

Daiki Ueno started a new discussion on lib/accelerated/afalg.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1404#note_531104041

> + /* Set PT buffer to be filled by kernel */
> + iov[1].iov_base = plain;
> + iov[1].iov_len = plain_size;

```suggestion:-0+0
	iov[1].iov_len = kcapi_aead_outbuflen_dec(ctx->handle, encr_size - tag_size, auth_size, tag_size) - auth_size;
```

--

Daiki Ueno started a new discussion on lib/accelerated/afalg.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1404#note_531104044

> + /* Set CT buffer to be filled by kernel */
> + iov[1].iov_base = encr;
> + iov[1].iov_len = plain_size + tag_size;

```suggestion:-0+0
	iov[1].iov_len = kcapi_aead_outbuflen_enc(ctx->handle, plain_size, auth_size, tag_size) - auth_size;
```

--

Daiki Ueno started a new discussion on lib/accelerated/afalg.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1404#note_531104045

> + }
> +
> + ctx->ccm = !strncmp(gnutls_aead_map[algorithm], "ccm", 3);

As we only support a couple of CCM ciphers, I'd suggest just use a `switch` rather than string comparison, something like:

```c
switch (algorithm) {
case GNUTLS_CIPHER_AES_128_CCM:
case GNUTLS_CIPHER_AES_256_CCM:
	...
}
```

--

Daiki Ueno started a new discussion on lib/accelerated/afalg.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1404#note_531104046

> + struct kcapi_ctx *ctx = _ctx;
> +
> + if (kcapi_cipher_encrypt(ctx->handle, src, src_size, ctx->iv,

From my experiment, `src_size` needs to be exactly the block size for CBC (or perhaps there might be an alignment issue). I haven't tried but maybe you could rewrite this (and `afalg_cipher_decrypt`) either in the following ways:

- loop over `src_size`, by the block size retrieved with `kcapi_cipher_blocksize`,
- use the stream API in a similar way to AEAD: https://www.chronox.de/libkcapi/html/ch03s06.html

@smuellerDD thoughts?

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1404

From gnutls-devel at lists.gnutls.org Wed Mar 17 08:08:40 2021
Date: Wed, 17 Mar 2021 07:08:40 +0000
Subject: [gnutls-devel] GnuTLS | Allow registering ciphers with higher priority (!1404)

Daiki Ueno commented:

I'm skeptical about the "Allow registering ciphers with higher priority" commit, because it would reverse the current logic of cipher lookup. Perhaps you could just drop this commit and adjust the priority at registration (currently it's 90, but it can be 80 or lower). Maybe also change the title of MR.

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1404#note_531108759
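Review bot: on the two `suggestion` blocks in Daiki Ueno's review of lib/accelerated/afalg.c above, replacing `iov[1].iov_len = plain_size` and `iov[1].iov_len = plain_size + tag_size` with `kcapi_aead_outbuflen_dec(...) - auth_size` / `kcapi_aead_outbuflen_enc(...) - auth_size` swaps a length bounded by the caller's buffer for one derived from the cipher parameters; the kernel writes up to `iov_len` bytes into `plain` or `encr`, so the computed length must be compared against the caller-supplied buffer size first and the call rejected with `GNUTLS_E_SHORT_MEMORY_BUFFER` when it is larger, otherwise the iov describes a write past the destination.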
From gnutls-devel at lists.gnutls.org Wed Mar 17 08:13:44 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Wed, 17 Mar 2021 07:13:44 +0000
Subject: [gnutls-devel] GnuTLS | Allow registering ciphers with higher priority (!1404)

Stephan Mueller commented on a discussion on lib/accelerated/afalg.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1404#note_531111814

> + struct kcapi_ctx *ctx = _ctx; > + > + if (iv_size > kcapi_cipher_ivsize(ctx->handle)) > + return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); > + > + memcpy(ctx->iv, iv, iv_size); > + > + return 0; > +} > + > +static int afalg_cipher_encrypt(void *_ctx, const void *src, size_t src_size, > + void *dst, size_t dst_size) > +{ > + struct kcapi_ctx *ctx = _ctx; > + > + if (kcapi_cipher_encrypt(ctx->handle, src, src_size, ctx->iv,

Are you saying that src_size could be not a multiple of the block size? Also, there should not be an alignment issue because the data would either be spliced by the kernel or copied into the kernel. And when using splice the kernel implementations should not require any specific alignment. What is the error you see?

-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1404#note_531111814
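Review bot: the IV setter at the top of this hunk only rejects `iv_size > kcapi_cipher_ivsize(ctx->handle)`, so a shorter IV is copied into the head of `ctx->iv` while the kernel still consumes the full IV length, with the tail being whatever `ctx->iv` held before; require `iv_size == kcapi_cipher_ivsize(ctx->handle)` (returning `GNUTLS_E_INVALID_REQUEST` as the existing check does) or zero the remainder of `ctx->iv` explicitly, and add a comment saying which of the two is intended.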
From gnutls-devel at lists.gnutls.org Wed Mar 17 08:16:54 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Wed, 17 Mar 2021 07:16:54 +0000
Subject: [gnutls-devel] GnuTLS | Allow registering ciphers with higher priority (!1404)

Stephan Mueller commented on a discussion on lib/accelerated/afalg.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1404#note_531113363

> + * read-only > + */ > + iov[1].iov_base = (void *)encr; > + iov[1].iov_len = encr_size; > + > + if (kcapi_aead_stream_update_last(ctx->handle, iov, 2) < 0) { > + gnutls_assert(); > + return GNUTLS_E_ENCRYPTION_FAILED; > + } > + > + /* The kernel may set the AAD, avoid modification of auth */ > + iov[0].iov_base = authtmp; > + > + /* Set PT buffer to be filled by kernel */ > + iov[1].iov_base = plain; > + iov[1].iov_len = plain_size;

May I ask for the motivation to use `kcapi_aead_outbuflen_dec`? I fear that you can easily introduce a buffer overflow this way as `kcapi_aead_outbuflen_dec` returns the size needed in user space to fulfill the request. Are you sure that plain is of sufficient size?

-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1404#note_531113363
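Review bot: whatever value ends up in `iov[1].iov_len` for the `plain` buffer (the literal `plain_size` quoted here or the `kcapi_aead_outbuflen_dec(...) - auth_size` suggested earlier in the review), it has to be compared against `plain_size` before the iovec is handed to the kernel, and the `- auth_size` subtraction needs a `>= auth_size` guard so it cannot wrap; fail with `GNUTLS_E_INVALID_REQUEST` rather than presenting a buffer shorter than the advertised length. Also, this is the decrypt path (input `encr`, output `plain`), yet the `kcapi_aead_stream_update_last` failure returns `GNUTLS_E_ENCRYPTION_FAILED`; use `GNUTLS_E_DECRYPTION_FAILED`, which the same function already returns for a failed `kcapi_aead_stream_op` in the hunk quoted further down.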
From gnutls-devel at lists.gnutls.org Wed Mar 17 08:17:45 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Wed, 17 Mar 2021 07:17:45 +0000
Subject: [gnutls-devel] GnuTLS | Allow registering ciphers with higher priority (!1404)

Stephan Mueller commented on a discussion on lib/accelerated/afalg.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1404#note_531113788

> + iov[2].iov_base = encr; > + iov[2].iov_len = tag_size; > + iovlen = 3; > + } > + > + if (kcapi_aead_stream_update_last(ctx->handle, iov, iovlen) < 0) { > + gnutls_assert(); > + return GNUTLS_E_ENCRYPTION_FAILED; > + } > + > + /* The kernel may set the AAD, avoid modification of auth */ > + iov[0].iov_base = authtmp; > + > + /* Set CT buffer to be filled by kernel */ > + iov[1].iov_base = encr; > + iov[1].iov_len = plain_size + tag_size;

Same concerns here.

-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1404#note_531113788
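Review bot: `iov[1].iov_len = plain_size + tag_size` is passed as the writable length of `encr` without ever being checked against the caller's `encr_size` (a parameter of `afalg_aead_encrypt` in the hunks quoted later); add `if (tag_size > encr_size || plain_size > encr_size - tag_size) return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);` before the iovec is set up, written in that order so the sum cannot wrap. The old-kernel branch above it, which points `iov[2]` at `encr` with `tag_size` bytes, relies on the same bound and should sit behind the same check.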
From gnutls-devel at lists.gnutls.org Wed Mar 17 08:21:37 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Wed, 17 Mar 2021 07:21:37 +0000
Subject: [gnutls-devel] GnuTLS | Allow registering ciphers with higher priority (!1404)

Stephan Mueller commented on a discussion on lib/accelerated/afalg.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1404#note_531115596

> + struct kcapi_aead_ctx *ctx; > + > + if (kcapi_aead_init(&handle, gnutls_aead_map[algorithm], 0) < 0) { > + gnutls_assert(); > + return GNUTLS_E_MEMORY_ERROR; > + } > + > + ctx = (struct kcapi_aead_ctx *)gnutls_calloc(1, > + sizeof(struct kcapi_aead_ctx)); > + if (ctx == NULL) { > + gnutls_assert(); > + kcapi_aead_destroy(handle); > + return GNUTLS_E_MEMORY_ERROR; > + } > + > + ctx->ccm = !strncmp(gnutls_aead_map[algorithm], "ccm", 3);

Yes, that is much more sane, thanks.

-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1404#note_531115596
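Review bot: a failing `kcapi_aead_init` is reported as `GNUTLS_E_MEMORY_ERROR`, the same code as the genuine allocation failure of `gnutls_calloc` a few lines below, so a caller cannot tell an unavailable kernel algorithm or AF_ALG socket from memory exhaustion; return a distinct code for the init failure (for instance `GNUTLS_E_INVALID_REQUEST`, already used elsewhere in this patch, or the library's internal-error code) and keep `GNUTLS_E_MEMORY_ERROR` for the calloc path only.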
From gnutls-devel at lists.gnutls.org Wed Mar 17 08:23:14 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Wed, 17 Mar 2021 07:23:14 +0000
Subject: [gnutls-devel] GnuTLS | Allow registering ciphers with higher priority (!1404)

Stephan Mueller started a new discussion on lib/accelerated/afalg.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1404#note_531116324

> + } > + > + return 0; > +} > + > +static int afalg_aead_decrypt(void *_ctx, > + const void *nonce, size_t nonce_size, > + const void *auth, size_t auth_size, > + size_t tag_size, > + const void *encr, size_t encr_size, > + void *plain, size_t plain_size) > +{ > + struct kcapi_aead_ctx *ctx = _ctx; > + struct iovec iov[3]; > + uint32_t iovlen = 2; > + uint8_t authtmp[auth_size];

I recommend changing that - VLAs are not good. E.g. use the maximum auth_size for the stack buffer.

-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1404#note_531116324
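Review bot: besides the stack-size concern, `uint8_t authtmp[auth_size]` is a VLA whose length is zero when the caller supplies no AAD, and a zero-length array declaration is undefined behaviour in C; whatever fixed-size or heap replacement is chosen, handle `auth_size == 0` explicitly (an empty `iov[0]`) and validate `auth_size` against the chosen upper bound before the copy into the scratch buffer.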
From gnutls-devel at lists.gnutls.org Wed Mar 17 08:23:33 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Wed, 17 Mar 2021 07:23:33 +0000
Subject: [gnutls-devel] GnuTLS | Allow registering ciphers with higher priority (!1404)

Stephan Mueller started a new discussion on lib/accelerated/afalg.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1404#note_531116470

> + > + return 0; > +} > + > +static int afalg_aead_decrypt(void *_ctx, > + const void *nonce, size_t nonce_size, > + const void *auth, size_t auth_size, > + size_t tag_size, > + const void *encr, size_t encr_size, > + void *plain, size_t plain_size) > +{ > + struct kcapi_aead_ctx *ctx = _ctx; > + struct iovec iov[3]; > + uint32_t iovlen = 2; > + uint8_t authtmp[auth_size]; > + uint8_t tagtmp[tag_size];

Ditto, use the max tag size and not a VLA.

-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1404#note_531116470
From gnutls-devel at lists.gnutls.org Wed Mar 17 08:24:55 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Wed, 17 Mar 2021 07:24:55 +0000
Subject: [gnutls-devel] GnuTLS | Allow registering ciphers with higher priority (!1404)

Stephan Mueller started a new discussion on lib/accelerated/afalg.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1404#note_531117191

> + if (kcapi_aead_stream_op(ctx->handle, iov, iovlen) < 0) > + return gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED); > + > + return 0; > +} > + > +static int afalg_aead_encrypt(void *_ctx, const void *nonce, size_t nonce_size, > + const void *auth, size_t auth_size, > + size_t tag_size, > + const void *plain, size_t plain_size, > + void *encr, size_t encr_size) > +{ > + struct kcapi_aead_ctx *ctx = _ctx; > + struct iovec iov[3]; > + uint32_t iovlen = 2; > + uint8_t authtmp[auth_size];

Same issue as above.

-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1404#note_531117191
From gnutls-devel at lists.gnutls.org Wed Mar 17 08:28:53 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Wed, 17 Mar 2021 07:28:53 +0000
Subject: [gnutls-devel] GnuTLS | Allow registering ciphers with higher priority (!1404)

Daiki Ueno commented on a discussion on lib/accelerated/afalg.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1404#note_531119301

> + struct kcapi_ctx *ctx = _ctx; > + > + if (iv_size > kcapi_cipher_ivsize(ctx->handle)) > + return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); > + > + memcpy(ctx->iv, iv, iv_size); > + > + return 0; > +} > + > +static int afalg_cipher_encrypt(void *_ctx, const void *src, size_t src_size, > + void *dst, size_t dst_size) > +{ > + struct kcapi_ctx *ctx = _ctx; > + > + if (kcapi_cipher_encrypt(ctx->handle, src, src_size, ctx->iv,

Let's take AES-128-CBC as an example: first encrypt 32-byte data with two calls to `afalg_cipher_encrypt` (backed by `kcapi_cipher_encrypt`), 16 bytes each time, and then decrypt the resulting 32-byte data in one shot. After that, the latter half of the plaintext is garbled. Here is a reproducer: [test-cbc.c](/uploads/04d43ace12adf58d41a837566f361bea/test-cbc.c).

-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1404#note_531119301
From gnutls-devel at lists.gnutls.org Wed Mar 17 09:08:34 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Wed, 17 Mar 2021 08:08:34 +0000
Subject: [gnutls-devel] GnuTLS | WIP: Add Linux kernel AF_ALG backend (!1404)

Stephan Mueller commented on a discussion on lib/accelerated/afalg.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1404#note_531145303

> + struct kcapi_ctx *ctx = _ctx; > + > + if (iv_size > kcapi_cipher_ivsize(ctx->handle)) > + return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); > + > + memcpy(ctx->iv, iv, iv_size); > + > + return 0; > +} > + > +static int afalg_cipher_encrypt(void *_ctx, const void *src, size_t src_size, > + void *dst, size_t dst_size) > +{ > + struct kcapi_ctx *ctx = _ctx; > + > + if (kcapi_cipher_encrypt(ctx->handle, src, src_size, ctx->iv,

Ahh, yes - the issue is not alignment, the issue is that each encrypt call is a standalone cipher operation. Thus, the cipher state (i.e. the IV update by CBC) is not "carried over" to the next encrypt operation. Here is the example using your code that fixes the issue:

```c
assert(kcapi_cipher_init(&handle, "cbc(aes)", 0) == 0);
assert(kcapi_cipher_setkey(handle, KEY, sizeof(KEY)) == 0);

/* First block: starts the stream and sets the IV once */
iov.iov_base = PLAINTEXT;
iov.iov_len = 16;
assert(kcapi_cipher_stream_init_enc(handle, IV, &iov, 1) == 16);

/* Second block continues the same cipher state; _last marks the end of input */
iov.iov_base = PLAINTEXT + 16;
assert(kcapi_cipher_stream_update_last(handle, &iov, 1) == 16);

/* Collect both ciphertext blocks in one read */
iov.iov_base = ciphertext;
iov.iov_len = sizeof(ciphertext);
assert(kcapi_cipher_stream_op(handle, &iov, 1) == 32);

kcapi_cipher_destroy(handle);
```

Take note of kcapi_cipher_stream_update vs kcapi_cipher_stream_update_last! The _last MUST always be invoked as the final operation.

-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1404#note_531145303
From gnutls-devel at lists.gnutls.org Wed Mar 17 09:11:45 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Wed, 17 Mar 2021 08:11:45 +0000
Subject: [gnutls-devel] GnuTLS | WIP: Add Linux kernel AF_ALG backend (!1404)

Stephan Mueller commented on a discussion on lib/accelerated/afalg.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1404#note_531147824

> + struct kcapi_ctx *ctx = _ctx; > + > + if (iv_size > kcapi_cipher_ivsize(ctx->handle)) > + return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); > + > + memcpy(ctx->iv, iv, iv_size); > + > + return 0; > +} > + > +static int afalg_cipher_encrypt(void *_ctx, const void *src, size_t src_size, > + void *dst, size_t dst_size) > +{ > + struct kcapi_ctx *ctx = _ctx; > + > + if (kcapi_cipher_encrypt(ctx->handle, src, src_size, ctx->iv,

Side note, if we need the stream API, take care with the documentation: the update call cannot be invoked endlessly without a stream_op in between.

-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1404#note_531147824

From gnutls-devel at lists.gnutls.org Wed Mar 17 11:05:39 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Wed, 17 Mar 2021 10:05:39 +0000
Subject: [gnutls-devel] GnuTLS | WIP: Add Linux kernel AF_ALG backend (!1404)

Merge request https://gitlab.com/gnutls/gnutls/-/merge_requests/1404 was reviewed by Daiki Ueno

-- Daiki Ueno started a new discussion on lib/accelerated/afalg.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1404#note_531258264

> + > + /* > + * Older kernels require tag as input. This buffer data is unused

I wonder if this still makes sense; is there a minimum version requirement of the Kernel that libkcapi requires?

-- Daiki Ueno commented on a discussion on lib/accelerated/afalg.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1404#note_531258267

> + struct iovec iov[3]; > + uint32_t iovlen = 2; > + uint8_t authtmp[auth_size];

Afaik the maximum of AAD for GCM is quite large; maybe we will have to use the heap for that?

-- Daiki Ueno commented on a discussion on lib/accelerated/afalg.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1404#note_531258269

> + uint32_t iovlen = 2; > + uint8_t authtmp[auth_size]; > + uint8_t tagtmp[tag_size];

Here we can use `MAX_HASH_SIZE`.

-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1404

From gnutls-devel at lists.gnutls.org Wed Mar 17 11:11:12 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Wed, 17 Mar 2021 10:11:12 +0000
Subject: [gnutls-devel] GnuTLS | WIP: Add Linux kernel AF_ALG backend (!1404)

Stephan Mueller commented on a discussion on lib/accelerated/afalg.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1404#note_531265170

> + } > + > + return 0; > +} > + > +static int afalg_aead_decrypt(void *_ctx, > + const void *nonce, size_t nonce_size, > + const void *auth, size_t auth_size, > + size_t tag_size, > + const void *encr, size_t encr_size, > + void *plain, size_t plain_size) > +{ > + struct kcapi_aead_ctx *ctx = _ctx; > + struct iovec iov[3]; > + uint32_t iovlen = 2; > + uint8_t authtmp[auth_size];

Or a combo of stack and heap? For example, we could use something like the following that I used in a kernel patch:

```c
u8 tmpbuf[LRNG_DRNG_BLOCKSIZE] __aligned(LRNG_KCAPI_ALIGN);
u8 *tmp_large = NULL, *tmp = tmpbuf;
u32 tmplen = sizeof(tmpbuf);

/*
 * Satisfy large read requests -- as the common case are smaller
 * request sizes, such as 16 or 32 bytes, avoid a kmalloc overhead for
 * those by using the stack variable of tmpbuf.
 */
if (!CONFIG_BASE_SMALL && (nbytes > sizeof(tmpbuf))) {
	tmplen = min_t(u32, nbytes, LRNG_DRNG_MAX_REQSIZE);
	tmp_large = kmalloc(tmplen + LRNG_KCAPI_ALIGN, GFP_KERNEL);
	if (!tmp_large)
		tmplen = sizeof(tmpbuf);
	else
		tmp = PTR_ALIGN(tmp_large, LRNG_KCAPI_ALIGN);
}

...

/* Wipe data just returned from memory */
if (tmp_large)
	kfree_sensitive(tmp_large);
else
	memzero_explicit(tmpbuf, sizeof(tmpbuf));
```

-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1404#note_531265170

From gnutls-devel at lists.gnutls.org Wed Mar 17 11:15:46 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Wed, 17 Mar 2021 10:15:46 +0000
Subject: [gnutls-devel] GnuTLS | WIP: Add Linux kernel AF_ALG backend (!1404)

Stephan Mueller commented on a discussion on lib/accelerated/afalg.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1404#note_531270177

> + /* > + * Set AAD: IOVECs do not support const, this buffer is guaranteed to be > + * read-only > + */ > + iov[0].iov_base = (void *)auth; > + iov[0].iov_len = auth_size; > + > + /* > + * Set PT: IOVECs do not support const, this buffer is guaranteed to be > + * read-only > + */ > + iov[1].iov_base = (void *)plain; > + iov[1].iov_len = plain_size; > + > + /* > + * Older kernels require tag as input. This buffer data is unused

I recommend leaving it. This "older kernel" references:

```c
uint32_t len = inlen + assoclen;

if (!handle->flags.ge_v4_9 == true)
	len += taglen;

return len;
```

I think it is not wise to require a minimum kernel version for GnuTLS/AF_ALG. IMHO this check is cheap, we should leave this.

-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1404#note_531270177

From gnutls-devel at lists.gnutls.org Wed Mar 17 15:20:41 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Wed, 17 Mar 2021 14:20:41 +0000
Subject: [gnutls-devel] GnuTLS | WIP: Add Linux kernel AF_ALG backend (!1404)

Daiki Ueno commented on a discussion on lib/accelerated/afalg.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1404#note_531527217

> + * read-only > + */ > + iov[1].iov_base = (void *)encr; > + iov[1].iov_len = encr_size; > + > + if (kcapi_aead_stream_update_last(ctx->handle, iov, 2) < 0) { > + gnutls_assert(); > + return GNUTLS_E_ENCRYPTION_FAILED; > + } > + > + /* The kernel may set the AAD, avoid modification of auth */ > + iov[0].iov_base = authtmp; > + > + /* Set PT buffer to be filled by kernel */ > + iov[1].iov_base = plain; > + iov[1].iov_len = plain_size;

The initial motivation of this change is: https://gitlab.com/gnutls/gnutls/-/issues/308#note_527421502 i.e., `kcapi_aead_stream_op` blocks if the requested output size didn't match. According to the libkcapi documentation, it seems like a legitimate behavior. I agree that it could cause a buffer overflow; maybe we could tighten the length check, and also merge it with the next `if` block.

-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1404#note_531527217

From gnutls-devel at lists.gnutls.org Wed Mar 17 15:49:44 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Wed, 17 Mar 2021 14:49:44 +0000
Subject: [gnutls-devel] GnuTLS | WIP: Add Linux kernel AF_ALG backend (!1404)

Daiki Ueno commented on a discussion on lib/accelerated/afalg.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1404#note_531579331

> + } > + > + return 0; > +} > + > +static int afalg_aead_decrypt(void *_ctx, > + const void *nonce, size_t nonce_size, > + const void *auth, size_t auth_size, > + size_t tag_size, > + const void *encr, size_t encr_size, > + void *plain, size_t plain_size) > +{ > + struct kcapi_aead_ctx *ctx = _ctx; > + struct iovec iov[3]; > + uint32_t iovlen = 2; > + uint8_t authtmp[auth_size];

I guess we could use [malloca](https://www.gnu.org/software/gnulib/MODULES.html#module=malloca) from Gnulib, if we go with this direction.

-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1404#note_531579331
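An added example (not GnuTLS or libkcapi code) tying together the two points raised in the afalg review above: the kernel-required output length has to be checked against the caller's buffer before it goes into an iovec, and the AAD scratch copy should not be a VLA. The length formula mirrors the libkcapi snippet quoted above (`inlen + assoclen`, plus `taglen` before kernel 4.9); `ge_v4_9` is passed as a parameter here instead of being read from the libkcapi handle, and the error codes, `AAD_STACK_MAX` and all function names are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Stand-ins for the GnuTLS error codes used in the thread (values assumed). */
#define AEAD_OK                 0
#define AEAD_E_INVALID_REQUEST (-1)
#define AEAD_E_MEMORY_ERROR    (-2)

/* Bytes the kernel writes for an AEAD decrypt, mirroring the libkcapi formula
 * quoted above: inlen + assoclen, plus taglen on kernels before 4.9.
 * Returns false if the sum would wrap size_t. */
static bool kernel_dec_outlen(size_t inlen, size_t assoclen, size_t taglen,
			      bool ge_v4_9, size_t *out)
{
	if (inlen > SIZE_MAX - assoclen)
		return false;
	*out = inlen + assoclen;
	if (ge_v4_9)
		return true;
	if (*out > SIZE_MAX - taglen)
		return false;
	*out += taglen;
	return true;
}

/* Decrypt side: iov[1].iov_len for the caller's plain buffer is the kernel
 * length minus the AAD that precedes it; refuse when that exceeds plain_size
 * rather than exposing a buffer shorter than the advertised length. */
int aead_decrypt_outlen(size_t encr_size, size_t auth_size, size_t tag_size,
			size_t plain_size, bool ge_v4_9, size_t *iov_len)
{
	size_t required;
	if (encr_size < tag_size)	/* ciphertext must at least carry the tag */
		return AEAD_E_INVALID_REQUEST;
	if (!kernel_dec_outlen(encr_size - tag_size, auth_size, tag_size,
			       ge_v4_9, &required))
		return AEAD_E_INVALID_REQUEST;
	if (required < auth_size)	/* keep the "- auth_size" from wrapping */
		return AEAD_E_INVALID_REQUEST;
	required -= auth_size;
	if (required > plain_size)
		return AEAD_E_INVALID_REQUEST;
	*iov_len = required;
	return AEAD_OK;
}

/* Encrypt side: encr receives ciphertext plus tag; bound that sum by
 * encr_size before it becomes iov[1].iov_len. */
int aead_encrypt_outlen(size_t plain_size, size_t tag_size, size_t encr_size,
			size_t *iov_len)
{
	if (plain_size > SIZE_MAX - tag_size || plain_size + tag_size > encr_size)
		return AEAD_E_INVALID_REQUEST;
	*iov_len = plain_size + tag_size;
	return AEAD_OK;
}

/* AAD scratch copy without a VLA: small AADs use a fixed stack array, larger
 * ones fall back to the heap, and auth_size == 0 is handled explicitly. */
#define AAD_STACK_MAX 256	/* assumed bound; size it for the registered ciphers */

struct aad_scratch {
	uint8_t stack_buf[AAD_STACK_MAX];
	uint8_t *heap_buf;	/* non-NULL only when the AAD did not fit on the stack */
	uint8_t *ptr;		/* what goes into iov[0].iov_base */
	size_t len;		/* what goes into iov[0].iov_len */
};

int aad_scratch_init(struct aad_scratch *s, const uint8_t *auth, size_t auth_size)
{
	s->heap_buf = NULL;
	s->ptr = s->stack_buf;
	s->len = 0;
	if (auth_size == 0)	/* empty AAD: nothing to copy */
		return AEAD_OK;
	if (auth_size > AAD_STACK_MAX) {
		s->heap_buf = malloc(auth_size);
		if (s->heap_buf == NULL)
			return AEAD_E_MEMORY_ERROR;
		s->ptr = s->heap_buf;
	}
	memcpy(s->ptr, auth, auth_size);
	s->len = auth_size;
	return AEAD_OK;
}

/* Wipe before release; the volatile stores keep the clear from being
 * optimised away (GnuTLS itself would use gnutls_memset / zeroize_key). */
void aad_scratch_free(struct aad_scratch *s)
{
	volatile uint8_t *v = s->ptr;
	for (size_t i = 0; i < s->len; i++)
		v[i] = 0;
	free(s->heap_buf);
	s->heap_buf = s->ptr = NULL;
	s->len = 0;
}
```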
From gnutls-devel at lists.gnutls.org Thu Mar 18 19:09:28 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Thu, 18 Mar 2021 18:09:28 +0000
Subject: [gnutls-devel] GnuTLS | Make use of MADV_DONTDUMP for protecting sensitive data (#1192)

Daiki Ueno created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1192

We currently don't have any protection against sensitive data being leaked in a coredump. Perhaps it might be worth considering the use of `madvise(MADV_DONTDUMP)`, as in [gnome-keyring](https://gitlab.gnome.org/GNOME/gnome-keyring/-/issues/30).

-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1192

From gnutls-devel at lists.gnutls.org Fri Mar 19 14:23:04 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Fri, 19 Mar 2021 13:23:04 +0000
Subject: [gnutls-devel] GnuTLS | Read Certificate Transparency (RFC 6962) SCT extension (!1367)

Ander Juaristi changed the draft status of merge request !1367

-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1367
From gnutls-devel at lists.gnutls.org Fri Mar 19 14:23:28 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Fri, 19 Mar 2021 13:23:28 +0000
Subject: [gnutls-devel] GnuTLS | Read Certificate Transparency (RFC 6962) SCT extension (!1367)

Reassigned Merge Request 1367 https://gitlab.com/gnutls/gnutls/-/merge_requests/1367

Assignee changed to Ander Juaristi

-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1367

From gnutls-devel at lists.gnutls.org Fri Mar 19 16:57:40 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Fri, 19 Mar 2021 15:57:40 +0000
Subject: [gnutls-devel] GnuTLS | Add ecdh compute function gnutls_ecdh_compute_key (!1395)

Merge request https://gitlab.com/gnutls/gnutls/-/merge_requests/1395 was reviewed by Daiki Ueno

-- Daiki Ueno started a new discussion on lib/ecdh.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1395#note_533729481

> + gnutls_ecc_curve_t curve_pub = GNUTLS_ECC_CURVE_INVALID, curve_priv = GNUTLS_ECC_CURVE_INVALID; > + unsigned int bits_pub = 0, bits_priv = 0; > + gnutls_datum_t priv_x = {NULL, 0}, priv_y = {NULL, 0}, priv_k = {NULL, 0}, pub_x = {NULL, 0}, pub_y = {NULL, 0};

Are those initializers really needed? Also, unlike nettle, we do use Linux kernel coding style with hard tabs :-)

-- Daiki Ueno started a new discussion on lib/ecdh.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1395#note_533729486

> + gnutls_free(priv_k.data); > + gnutls_free(pub_x.data); > + gnutls_free(pub_y.data);

I suggest clearing the values with `zeroize_key` or `gnutls_memset` (at least for the private ones).
-- Daiki Ueno started a new discussion on lib/ecdh.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1395#note_533729489

> +/* Helper functions for ECC handling > + * based on public domain code by Tom St. Dennis. > + */

Is this comment relevant?

-- Daiki Ueno started a new discussion on lib/ecdh.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1395#note_533729491

> +#include "errors.h" > + > +int gnutls_ecdh_compute_key(gnutls_privkey_t privkey, gnutls_pubkey_t pubkey, gnutls_datum_t *Z)

Would be nice to have a gtk-doc comment, explaining the usage of this function.

-- Daiki Ueno started a new discussion on lib/ecdh.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1395#note_533729495

> + Z->size = 0; > + > + if (gnutls_privkey_get_pk_algorithm(privkey, &bits_priv) != GNUTLS_PK_ECDSA)

For FIPS, we deliberately don't support Curve25519/Curve448 (because they are not approved in FIPS140-2), but it might be worth adding support for them in the generic API.

-- Daiki Ueno started a new discussion on tests/ecdh-compute.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1395#note_533729497

> * WITHOUT ANY WARRANTY; without even the implied warranty of > - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU > + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU

I suppose this whitespace change is not intended?

-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1395
From gnutls-devel at lists.gnutls.org Sat Mar 20 07:03:13 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sat, 20 Mar 2021 06:03:13 +0000
Subject: [gnutls-devel] GnuTLS | Read Certificate Transparency (RFC 6962) SCT extension (!1367)

Merge request https://gitlab.com/gnutls/gnutls/-/merge_requests/1367 was reviewed by Daiki Ueno

-- Daiki Ueno started a new discussion on lib/x509/x509_ext.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1367#note_533965196

> +{ > + switch (sigalg) { > + case GNUTLS_SIGN_RSA_MD5:

Is this code path performance critical? If not, I would suggest using a table (variable) instead of `switch`es in this function and `get_sigalg*`.

-- Daiki Ueno started a new discussion on lib/x509/x509_ext.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1367#note_533965197

> + memcpy(sct->logid, ptr, SCT_V1_LOGID_SIZE); > + ptr += SCT_V1_LOGID_SIZE; > + length -= SCT_V1_LOGID_SIZE;

Although I don't see any use of it under `lib/x509`, perhaps we could use `DECR_LENGTH_RET`?

-- Daiki Ueno started a new discussion on lib/x509/x509_ext.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1367#note_533965198

> + * Check that there are actually no extensions - the following two bytes should be zero. > + */ > + if (*ptr != 0 || *(ptr+1) != 0) {

Shouldn't we check `length >= 2` before dereferencing `ptr` and `ptr + 1`?

-- Daiki Ueno started a new discussion on lib/x509/x509_ext.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1367#note_533965200

> + length -= 2; > + > + sct->sigalg = get_sigalg(hash_algo, sig_algo);

`get_sigalg` can return an error code outside of the `gnutls_signature_algorithm_t` enum range, so I suspect some static analyzers would complain about this part. I suggest rewriting this to:

```c
ret = get_sigalg(hash_algo, sig_algo);
if (ret < 0) {
	goto cleanup;
}
sct->sigalg = ret;
```

-- Daiki Ueno started a new discussion on lib/x509/x509_ext.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1367#note_533965202

> + > + /* Signature, length and content */ > + sig_length = _gnutls_read_uint16(ptr);

Missing `length >= 2` check before accessing `ptr`?

-- Daiki Ueno started a new discussion on lib/x509/x509_ext.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1367#note_533965203

> + struct ct_sct_st *new_scts; > + > + new_scts = gnutls_realloc(*scts, (*size + 1) * sizeof(struct ct_sct_st));

Missing overflow check in multiplication (see !1392).

-- Daiki Ueno started a new discussion on lib/x509/x509_ext.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1367#note_533965207

> +} > + > +static int _gnutls_export_ct_v1_sct(const struct ct_sct_st *sct, size_t base_size, uint8_t *out)

Can we assume that `out` always has enough room for writing? If so, you could add a comment why we can omit bounds-check in this function.

-- Daiki Ueno started a new discussion on lib/x509/x509_ext.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1367#note_533965209

> + ptr = &scts_content.data[2]; > + while (length > 0) { > + sct_length = _gnutls_read_uint16(ptr);

Missing `length >= 2` check?

-- Daiki Ueno started a new discussion on lib/x509/x509_ext.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1367#note_533965210

> + } > + > + gnutls_free(scts_content.data);

nit: `_gnutls_free_datum(&scts_content)`.

-- Daiki Ueno started a new discussion on lib/x509/x509_ext.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1367#note_533965211

> +struct gnutls_x509_ct_scts_st { > + struct ct_sct_st *scts; > + unsigned int size;

I suggest using `size_t` everywhere for sizes, unless there is a good reason.
-- Daiki Ueno started a new discussion on lib/x509/x509_ext.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1367#note_533965212

> + > +cleanup: > + if (out)

No need for this `if`, if you initialize `out` as NULL.

-- Daiki Ueno started a new discussion on lib/x509/x509_ext.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1367#note_533965213

> + version = scts->scts[idx].version; > + if (version != 0 || version_out == NULL) > + return -1;

No predefined error code?

-- Daiki Ueno started a new discussion on lib/x509/x509_ext.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1367#note_533965214

> + sct = &scts->scts[idx]; > + if (sct->version != 0) > + return -1;

No predefined error code?

-- Daiki Ueno started a new discussion on lib/x509/x509_ext.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1367#note_533965215

> + sct->signature.data, > + sct->signature.size); > + if (retval < 0)

nit: what about moving this check inside the `if (signature) { ... }` block?

-- Daiki Ueno started a new discussion on lib/x509/x509_ext.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1367#note_533965216

> + sct->logid, > + SCT_V1_LOGID_SIZE); > + if (retval < 0) {

nit: what about moving this check inside the `if (logid) { ... }` block?

-- Daiki Ueno started a new discussion on lib/x509/x509_ext.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1367#note_533965217

> + } > + if (timestamp) > + *timestamp = (sct->timestamp / 1000);

nit: no need for parentheses in RHS.

-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1367
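An added example (not the MR's code) showing the bounds discipline asked for in the SCT review above, applied to the RFC 6962 `SignedCertificateTimestampList` wire format: every read is preceded by a check on `length`, `length` is reduced only after the check so the unsigned arithmetic cannot wrap, and the array growth uses an overflow-checked `realloc`. Names, error codes and the sample bytes are constructed for the example; the sample signature is dummy data, not a real signature.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define SCT_V1_LOGID_SIZE 32

/* Stand-in error codes (assumed); GnuTLS would use its own negative codes. */
#define SCT_OK             0
#define SCT_E_SHORT_DATA  (-1)	/* a field does not fit in the remaining length */
#define SCT_E_MALFORMED   (-2)	/* bad list length or trailing bytes */
#define SCT_E_UNSUPPORTED (-3)	/* not v1, or extensions present */
#define SCT_E_MEMORY      (-4)

struct ct_sct {
	uint8_t version;
	uint8_t logid[SCT_V1_LOGID_SIZE];
	uint64_t timestamp_ms;		/* milliseconds since the epoch, as on the wire */
	uint8_t hash_algo, sig_algo;	/* TLS HashAlgorithm / SignatureAlgorithm ids */
	const uint8_t *signature;	/* points into the caller's buffer */
	size_t signature_size;
};

static uint16_t read_uint16(const uint8_t *p)
{
	return (uint16_t)(((unsigned)p[0] << 8) | p[1]);
}

static uint64_t read_uint64(const uint8_t *p)
{
	uint64_t v = 0;
	for (int i = 0; i < 8; i++)
		v = (v << 8) | p[i];
	return v;
}

/* Parse one serialized v1 SCT (RFC 6962 section 3.2).  Each read is preceded
 * by a check on length; length is reduced only after the check. */
int parse_ct_v1_sct(const uint8_t *ptr, size_t length, struct ct_sct *sct)
{
	size_t sig_length;
	if (length < 1) return SCT_E_SHORT_DATA;
	sct->version = *ptr++; length--;
	if (sct->version != 0) return SCT_E_UNSUPPORTED;
	/* "<", not "<=": a log ID that exactly fills the rest is still readable */
	if (length < SCT_V1_LOGID_SIZE) return SCT_E_SHORT_DATA;
	memcpy(sct->logid, ptr, SCT_V1_LOGID_SIZE);
	ptr += SCT_V1_LOGID_SIZE; length -= SCT_V1_LOGID_SIZE;
	if (length < 8) return SCT_E_SHORT_DATA;
	sct->timestamp_ms = read_uint64(ptr); ptr += 8; length -= 8;
	if (length < 2) return SCT_E_SHORT_DATA;
	if (read_uint16(ptr) != 0) return SCT_E_UNSUPPORTED;	/* v1 extensions must be empty, as in the MR */
	ptr += 2; length -= 2;
	if (length < 4) return SCT_E_SHORT_DATA;	/* hash alg, sig alg, 16-bit signature length */
	sct->hash_algo = ptr[0]; sct->sig_algo = ptr[1];
	sig_length = read_uint16(ptr + 2); ptr += 4; length -= 4;
	if (length < sig_length) return SCT_E_SHORT_DATA;	/* compare before subtracting */
	sct->signature = ptr; sct->signature_size = sig_length;
	length -= sig_length;
	return length == 0 ? SCT_OK : SCT_E_MALFORMED;
}

/* Parse a SignedCertificateTimestampList (16-bit list length, then SCTs each
 * with a 16-bit length prefix) into a heap array the caller frees. */
int parse_ct_sct_list(const uint8_t *data, size_t size, struct ct_sct **scts, size_t *count)
{
	const uint8_t *ptr = data + 2;
	size_t length, sct_length;
	struct ct_sct *grown;
	int ret;

	*scts = NULL; *count = 0;
	if (size < 2) return SCT_E_SHORT_DATA;
	length = read_uint16(data);
	if (length == 0 || length > size - 2) return SCT_E_MALFORMED;	/* list must fit the buffer */
	while (length > 0) {
		if (length < 2) { ret = SCT_E_SHORT_DATA; goto fail; }
		sct_length = read_uint16(ptr); ptr += 2; length -= 2;
		if (sct_length > length) { ret = SCT_E_SHORT_DATA; goto fail; }
		/* overflow-checked growth, the point raised against the realloc in the MR */
		if (*count >= SIZE_MAX / sizeof(struct ct_sct)) { ret = SCT_E_MEMORY; goto fail; }
		grown = realloc(*scts, (*count + 1) * sizeof(struct ct_sct));
		if (grown == NULL) { ret = SCT_E_MEMORY; goto fail; }
		*scts = grown;
		ret = parse_ct_v1_sct(ptr, sct_length, &(*scts)[*count]);
		if (ret != SCT_OK) goto fail;
		(*count)++;
		ptr += sct_length; length -= sct_length;
	}
	return SCT_OK;
fail:
	free(*scts); *scts = NULL; *count = 0;
	return ret;
}

/* Constructed sample list (55 bytes): one v1 SCT with log ID 32 x 0x11,
 * timestamp 0x0102030405060708, no extensions, sha256/ecdsa (4/3), and a
 * 4-byte dummy signature. */
const uint8_t sample_sct_list[55] = {
	0x00, 0x35, 0x00, 0x33, 0x00,
	0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
	0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
	0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x00, 0x00, 0x04, 0x03, 0x00, 0x04,
	0xde, 0xad, 0xbe, 0xef
};
```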
From gnutls-devel at lists.gnutls.org Sat Mar 20 11:44:10 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sat, 20 Mar 2021 10:44:10 +0000
Subject: [gnutls-devel] GnuTLS | Read Certificate Transparency (RFC 6962) SCT extension (!1367)

Merge request https://gitlab.com/gnutls/gnutls/-/merge_requests/1367 was reviewed by Daiki Ueno

--

Daiki Ueno started a new discussion on lib/x509/x509_ext.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1367#note_533996244

> + * In version 1, it has a fixed length of 32 bytes.
> + */
> + if (length <= SCT_V1_LOGID_SIZE) {

Why is this comparison `<=`, not `<`?

--

Daiki Ueno started a new discussion on lib/x509/x509_ext.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1367#note_533996247

> +
> + /* Timestamp */
> + if (length <= sizeof(uint64_t)) {

Ditto, use `<`.

--

Daiki Ueno started a new discussion on lib/x509/x509_ext.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1367#note_533996248

> +
> + length -= sig_length;
> + if (length) {

Check `length > sig_length` before subtracting; otherwise unsigned arithmetic wraps around.

--

Daiki Ueno started a new discussion on lib/x509/x509_ext.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1367#note_533996249

> + * Returns: %GNUTLS_E_SUCCESS (0) on success or a negative error value.
> + **/
> +int gnutls_x509_ext_ct_import_scts(const gnutls_datum_t *ext, gnutls_x509_ct_scts_t scts)

I suggest swapping the order of arguments, to match other `_import` functions.

--

Daiki Ueno started a new discussion on lib/x509/x509_ext.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1367#note_533996250

> +
> + length = _gnutls_read_uint16(scts_content.data);
> + if (length <= 4) {

Use `<`.

--

Daiki Ueno started a new discussion on tests/x509cert-ct.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1367#note_533996251

> +void doit(void)
> +{
> + int ret, scts_printed = 0;

nit: better use `bool` for `scts_printed`.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1367

From gnutls-devel at lists.gnutls.org Sat Mar 20 13:55:46 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sat, 20 Mar 2021 12:55:46 +0000
Subject: [gnutls-devel] GnuTLS | build: doc: install missing image file gnutls-crypto-layers.png (!1405)

Andreas Metzler created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1405

Project:Branches: ametzler/gnutls:tmp-missing-gnutls-crypto-layers_png to gnutls/gnutls:master
Author: Andreas Metzler

gnutls-crypto-layer.png is referenced in texinfo docs but is not installed.

## Checklist

* [x] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [ ] Code modified for feature
* [ ] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
* [x] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:

* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1405

From gnutls-devel at lists.gnutls.org Sat Mar 20 14:17:16 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sat, 20 Mar 2021 13:17:16 +0000
Subject: [gnutls-devel] GnuTLS | build: doc: install missing image file gnutls-crypto-layers.png (!1405)

Merge Request !1405 was approved by Daiki Ueno

Merge Request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1405
Project:Branches: ametzler/gnutls:tmp-missing-gnutls-crypto-layers_png to gnutls/gnutls:master
Author: Andreas Metzler
Assignees:
Reviewers:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1405

From gnutls-devel at lists.gnutls.org Sat Mar 20 15:28:50 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sat, 20 Mar 2021 14:28:50 +0000
Subject: [gnutls-devel] GnuTLS | build: doc: install missing image file gnutls-crypto-layers.png (!1405)

Merge Request !1405 was scheduled to merge after pipeline succeeds by Andreas Metzler

Merge Request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1405
Project:Branches: ametzler/gnutls:tmp-missing-gnutls-crypto-layers_png to gnutls/gnutls:master
Author: Andreas Metzler
Assignees:
Reviewers:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1405

From gnutls-devel at lists.gnutls.org Sat Mar 20 17:09:27 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sat, 20 Mar 2021 16:09:27 +0000
Subject: [gnutls-devel] GnuTLS | Read Certificate Transparency (RFC 6962) SCT extension (!1367)

Ander Juaristi commented on a discussion on lib/x509/x509_ext.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1367#note_534039593

> + /* Timestamp */
> + if (length <= sizeof(uint64_t)) {
> + gnutls_assert();
> + ret = GNUTLS_E_PREMATURE_TERMINATION;
> + goto cleanup;
> + }
> +
> + sct->timestamp = (uint64_t) _gnutls_read_uint64(ptr);
> + ptr += sizeof(uint64_t);
> + length -= sizeof(uint64_t);
> +
> + /*
> + * There are no extensions defined in SCT v1.
> + * Check that there are actually no extensions - the following two bytes should be zero.
> + */
> + if (*ptr != 0 || *(ptr+1) != 0) {

I've rewritten it as:

```c
if (length < 2 || *ptr != 0 || *(ptr+1) != 0) {
	gnutls_assert();
	ret = GNUTLS_E_UNEXPECTED_EXTENSIONS_LENGTH;
	goto cleanup;
}
```

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1367#note_534039593

From gnutls-devel at lists.gnutls.org Sat Mar 20 17:11:30 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sat, 20 Mar 2021 16:11:30 +0000
Subject: [gnutls-devel] GnuTLS | Read Certificate Transparency (RFC 6962) SCT extension (!1367)

Ander Juaristi commented on a discussion on lib/x509/x509_ext.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1367#note_534040514

> + ptr += sizeof(uint16_t);
> + length -= sizeof(uint16_t);
> + if (sig_length == 0) {
> + gnutls_assert();
> + ret = GNUTLS_E_PREMATURE_TERMINATION;
> + goto cleanup;
> + }
> +
> + if (_gnutls_set_datum(&sct->signature, ptr, sig_length) < 0) {
> + gnutls_assert();
> + ret = GNUTLS_E_MEMORY_ERROR;
> + goto cleanup;
> + }
> +
> + length -= sig_length;
> + if (length) {

I've rewritten it as:

```c
if (length != sig_length) {
	gnutls_assert();
	ret = GNUTLS_E_ASN1_DER_OVERFLOW;
	goto cleanup;
}
```

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1367#note_534040514
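Review bot: in the `_gnutls_set_datum(&sct->signature, ptr, sig_length)` / `length -= sig_length` hunk, the proposed `if (length != sig_length)` test must run before the `_gnutls_set_datum` call, not replace the subtraction after it: as quoted, `sig_length` comes straight from the wire and `sig_length` bytes are copied from `ptr` before any comparison with `length`, so an oversized value still drives a read past the end of the extension data. Place the comparison right after the `sig_length == 0` check, before the copy.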
From gnutls-devel at lists.gnutls.org Sat Mar 20 17:41:02 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sat, 20 Mar 2021 16:41:02 +0000
Subject: [gnutls-devel] GnuTLS | Read Certificate Transparency (RFC 6962) SCT extension (!1367)

Merge request https://gitlab.com/gnutls/gnutls/-/merge_requests/1367 was reviewed by Daiki Ueno

--

Daiki Ueno started a new discussion on lib/x509/output.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1367#note_534043860

>
> print_aia(str, der);
> + } else if (strcmp(oid, "1.3.6.1.4.1.11129.2.4.2") == 0) {

What about using `GNUTLS_X509EXT_OID_CT_SCT`?

--

Daiki Ueno started a new discussion on lib/x509/x509_ext.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1367#note_534043862

> + * and return them as a gnutls_sign_algorithm_t enum value.
> + */
> + if (length <= 2) {

Use `<`.

--

Daiki Ueno started a new discussion on lib/x509/x509_ext.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1367#note_534043863

> + return gnutls_assert_val(retval);
> +
> + length = _gnutls_read_uint16(scts_content.data);

Check `scts_content.size >= 2`.

--

Daiki Ueno started a new discussion on lib/x509/x509_ext.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1367#note_534043864

> + while (length > 0) {
> + sct_length = _gnutls_read_uint16(ptr);
> + if (sct_length == 0 || sct_length > length)

I think `sct_length == 0` indicates the end of data, while `sct_length > length` seems to be an error. Maybe better handle them separately?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1367
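Review bot: in the `while (length > 0)` hunk, `sct_length > length` compares against a `length` that still includes the two bytes just consumed by `_gnutls_read_uint16(ptr)`, so an `sct_length` of `length - 1` passes the test yet overruns the list by one byte. Subtract the prefix size before the comparison (the SCT body parser already does this for `sizeof(uint16_t)`), after the `length >= 2` check requested above, so that the test reads `sct_length > length` against the bytes that actually remain.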
From gnutls-devel at lists.gnutls.org Sat Mar 20 17:45:41 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sat, 20 Mar 2021 16:45:41 +0000
Subject: [gnutls-devel] GnuTLS | build: doc: install missing image file gnutls-crypto-layers.png (!1405)

Merge Request !1405 was merged

Merge Request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1405
Project:Branches: ametzler/gnutls:tmp-missing-gnutls-crypto-layers_png to gnutls/gnutls:master
Author: Andreas Metzler
Assignees:
Reviewers:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1405

From gnutls-devel at lists.gnutls.org Sat Mar 20 18:31:17 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sat, 20 Mar 2021 17:31:17 +0000
Subject: [gnutls-devel] GnuTLS | Add ecdh compute function gnutls_ecdh_compute_key (!1395)

Nicolas Mora commented on a discussion on lib/ecdh.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1395#note_534049763

> + * along with this program. If not, see
> + *
> + */
> +
> +/* Helper functions for ECC handling
> + * based on public domain code by Tom St. Dennis.
> + */
> +#include "gnutls_int.h"
> +#include
> +#include "errors.h"
> +
> +int gnutls_ecdh_compute_key(gnutls_privkey_t privkey, gnutls_pubkey_t pubkey, gnutls_datum_t *Z)
> +{
> + gnutls_ecc_curve_t curve_pub = GNUTLS_ECC_CURVE_INVALID, curve_priv = GNUTLS_ECC_CURVE_INVALID;
> + unsigned int bits_pub = 0, bits_priv = 0;
> + gnutls_datum_t priv_x = {NULL, 0}, priv_y = {NULL, 0}, priv_k = {NULL, 0}, pub_x = {NULL, 0}, pub_y = {NULL, 0};

On lines 52 and 58, I use `gnutls_privkey_export_ecc_raw` and `gnutls_pubkey_export_ecc_raw` to fill those `gnutls_datum_t` variables; if one fails, then there's a `goto cleanup` with `gnutls_free` for them. I assume that if one of the `*_export_ecc_raw` fails and the `gnutls_datum_t` data are undefined, `gnutls_free` may segfault. I can split the cleanup goto step into 2 steps instead if you don't want `gnutls_datum_t` values to be initialized with `{NULL, 0}`?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1395#note_534049763

From gnutls-devel at lists.gnutls.org Sat Mar 20 18:31:59 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sat, 20 Mar 2021 17:31:59 +0000
Subject: [gnutls-devel] GnuTLS | Add ecdh compute function gnutls_ecdh_compute_key (!1395)

Nicolas Mora commented on a discussion on lib/ecdh.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1395#note_534049826

> + * as published by the Free Software Foundation; either version 2.1 of
> + * the License, or (at your option) any later version.
> + *
> + * This library is distributed in the hope that it will be useful, but
> + * WITHOUT ANY WARRANTY; without even the implied warranty of
> + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
> + * Lesser General Public License for more details.
> + *
> + * You should have received a copy of the GNU Lesser General Public License
> + * along with this program. If not, see
> + *
> + */
> +
> +/* Helper functions for ECC handling
> + * based on public domain code by Tom St. Dennis.
> + */

nope, probably a wrong ^C^V :-)

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1395#note_534049826

From gnutls-devel at lists.gnutls.org Sat Mar 20 18:42:25 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sat, 20 Mar 2021 17:42:25 +0000
Subject: [gnutls-devel] GnuTLS | Add ecdh compute function gnutls_ecdh_compute_key (!1395)

Nicolas Mora commented on a discussion on lib/ecdh.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1395#note_534050838

> + */
> +#include "gnutls_int.h"
> +#include
> +#include "errors.h"
> +
> +int gnutls_ecdh_compute_key(gnutls_privkey_t privkey, gnutls_pubkey_t pubkey, gnutls_datum_t *Z)
> +{
> + gnutls_ecc_curve_t curve_pub = GNUTLS_ECC_CURVE_INVALID, curve_priv = GNUTLS_ECC_CURVE_INVALID;
> + unsigned int bits_pub = 0, bits_priv = 0;
> + gnutls_datum_t priv_x = {NULL, 0}, priv_y = {NULL, 0}, priv_k = {NULL, 0}, pub_x = {NULL, 0}, pub_y = {NULL, 0};
> + int ret = GNUTLS_E_SUCCESS, res;
> +
> + Z->data = NULL;
> + Z->size = 0;
> +
> + if (gnutls_privkey_get_pk_algorithm(privkey, &bits_priv) != GNUTLS_PK_ECDSA)

Curve25519/Curve448 don't have a 'y' coordinate, so `_gnutls_ecdh_compute_key` wouldn't work. I can use `_gnutls_dh_compute_key` for Curve25519/Curve448 if I assume it's the right way.
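Review bot: in the hunk ending with `if (gnutls_privkey_get_pk_algorithm(privkey, &bits_priv) != GNUTLS_PK_ECDSA)`, rejecting everything but `GNUTLS_PK_ECDSA` also rejects the Curve25519/Curve448 keys discussed in this comment; if those are to go through a separate path, branch on the returned algorithm instead, and state in the function's documentation which key types it accepts. The hunk also declares `curve_priv` and `curve_pub` separately, so the two should be compared and a mismatch refused before any computation, as a shared secret derived from points on different curves is meaningless and the public point must be validated on the private key's curve.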
--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1395#note_534050838

From gnutls-devel at lists.gnutls.org Sat Mar 20 18:42:55 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sat, 20 Mar 2021 17:42:55 +0000
Subject: [gnutls-devel] GnuTLS | Add ecdh compute function gnutls_ecdh_compute_key (!1395)

Nicolas Mora commented on a discussion on tests/ecdh-compute.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1395#note_534050877

> *
> * GnuTLS is distributed in the hope that it will be useful, but
> * WITHOUT ANY WARRANTY; without even the implied warranty of
> - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
> + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU

indeed, thanks

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1395#note_534050877

From gnutls-devel at lists.gnutls.org Sat Mar 20 18:47:45 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sat, 20 Mar 2021 17:47:45 +0000
Subject: [gnutls-devel] GnuTLS | Add ecdh compute function gnutls_ecdh_compute_key (!1395)

Nicolas Mora commented on a discussion on lib/ecdh.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1395#note_534051343

> + ret = res;
> + goto cleanup;
> + }
> +
> + if ((res = _gnutls_ecdh_compute_key(curve_priv, &priv_x, &priv_y, &priv_k, &pub_x, &pub_y, Z)) != GNUTLS_E_SUCCESS)
> + {
> + ret = res;
> + goto cleanup;
> + }
> +
> +cleanup:
> + gnutls_free(priv_x.data);
> + gnutls_free(priv_y.data);
> + gnutls_free(priv_k.data);
> + gnutls_free(pub_x.data);
> + gnutls_free(pub_y.data);

Done

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1395#note_534051343

From gnutls-devel at lists.gnutls.org Sat Mar 20 18:48:05 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sat, 20 Mar 2021 17:48:05 +0000
Subject: [gnutls-devel] GnuTLS | Add ecdh compute function gnutls_ecdh_compute_key (!1395)

Nicolas Mora commented on a discussion on lib/ecdh.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1395#note_534051401

> + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
> + * Lesser General Public License for more details.
> + *
> + * You should have received a copy of the GNU Lesser General Public License
> + * along with this program. If not, see
> + *
> + */
> +
> +/* Helper functions for ECC handling
> + * based on public domain code by Tom St. Dennis.
> + */
> +#include "gnutls_int.h"
> +#include
> +#include "errors.h"
> +
> +int gnutls_ecdh_compute_key(gnutls_privkey_t privkey, gnutls_pubkey_t pubkey, gnutls_datum_t *Z)

gtk-doc comment added

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1395#note_534051401

From gnutls-devel at lists.gnutls.org Sun Mar 21 06:51:26 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sun, 21 Mar 2021 05:51:26 +0000
Subject: [gnutls-devel] GnuTLS | Add ecdh compute function gnutls_ecdh_compute_key (!1395)

Andreas Metzler commented on a discussion on lib/ecdh.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1395#note_534106169

> + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
> + * Lesser General Public License for more details.
> + *
> + * You should have received a copy of the GNU Lesser General Public License
> + * along with this program. If not, see
> + *
> + */
> +
> +/* Helper functions for ECC handling
> + * based on public domain code by Tom St. Dennis.
> + */
> +#include "gnutls_int.h"
> +#include
> +#include "errors.h"
> +
> +int gnutls_ecdh_compute_key(gnutls_privkey_t privkey, gnutls_pubkey_t pubkey, gnutls_datum_t *Z)

The comment is not very helpful; it just avoids a warning about undocumented functions. The comment should describe inputs, outputs and the actual point of the function. (When to call?)

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1395#note_534106169
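Review bot: besides inputs, outputs and when to call, the gtk-doc comment on `gnutls_ecdh_compute_key` should say that `Z` receives raw shared-secret material (to be passed through a KDF, not used as a key directly) and how the caller releases it. In the `cleanup:` hunk quoted earlier in this thread (note_534051343), `priv_k.data` holds the private scalar and is released with a plain `gnutls_free`; zeroize it first (for example with `gnutls_memset(priv_k.data, 0, priv_k.size)`) so the secret does not linger in freed heap memory.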
From gnutls-devel at lists.gnutls.org Sun Mar 21 13:31:27 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sun, 21 Mar 2021 12:31:27 +0000
Subject: [gnutls-devel] GnuTLS | Read Certificate Transparency (RFC 6962) SCT extension (!1367)

Ander Juaristi commented on a discussion on lib/x509/x509_ext.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1367#note_534197947

> + goto cleanup;
> + }
> +
> + return 0;
> +
> +cleanup:
> + _gnutls_free_datum(&sct->signature);
> + return ret;
> +}
> +
> +static int _gnutls_ct_sct_add(struct ct_sct_st *sct,
> + struct ct_sct_st **scts, unsigned int *size)
> +{
> + struct ct_sct_st *new_scts;
> +
> + new_scts = gnutls_realloc(*scts, (*size + 1) * sizeof(struct ct_sct_st));

Okay, but wouldn't it be better to wait until !1392 is merged? Right now I don't see any `_gnutls_reallocarray`.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1367#note_534197947

From gnutls-devel at lists.gnutls.org Sun Mar 21 16:59:29 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sun, 21 Mar 2021 15:59:29 +0000
Subject: [gnutls-devel] GnuTLS | Disable GOSTR341194 and GOST R 34.10-2001 by default (#1193)

Daiki Ueno created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1193

According to @dbelyavsky, GOSTR341194 provides <112 bits of security. Maybe we should consider disabling this algorithm by default, along with GOST R 34.10-2001 which internally uses it.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1193
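Review bot: in the `_gnutls_ct_sct_add` hunk of lib/x509/x509_ext.c quoted above, keeping the `gnutls_realloc` result in `new_scts` is right; make sure `*scts` is only overwritten after the NULL check, otherwise a failed reallocation leaks the existing array. Until `_gnutls_reallocarray` from !1392 is available, an explicit `*size < SIZE_MAX / sizeof(struct ct_sct_st)` guard before the multiplication covers the overflow case raised earlier in the review.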
From gnutls-devel at lists.gnutls.org Sun Mar 21 17:21:36 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sun, 21 Mar 2021 16:21:36 +0000
Subject: [gnutls-devel] GnuTLS | Consolidate ways to enforce bounds check (#1194)

Daiki Ueno created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1194

We currently have bounds check logic in several places where data is read or written. A typical pattern is using one of the `DECR_LEN` macros:

```c
uint8_t *p = data;
size_t data_size = _data_size;
...
DECR_LEN(data_size, 3);
size = _gnutls_read_uint24(p);
p += 3;
```

While this is better than manual checks like `if (data_size < 3) goto error; data_size -= 3;`, it doesn't provide a way to enforce the check in new code.

I would suggest providing a simpler (internal) API, and discouraging direct access to the pointer and the length. Maybe we could reuse the existing `gnutls_buffer_st`, with a couple of new constructors for statically provided data buffers:

```c
void _gnutls_buffer_static_for_read(gnutls_buffer_st *buffer, const uint8_t *data, size_t size);
void _gnutls_buffer_static_for_write(gnutls_buffer_st *buffer, const uint8_t *data, size_t max_size);
```

then the above example can be rewritten as:

```c
gnutls_buffer_st buf;
...
_gnutls_buffer_static_for_read(&buf, data, _data_size);
...
size_t size;
ret = _gnutls_buffer_pop_prefix24(&buf, &size, 1);
if (ret < 0) {
	goto cleanup;
}
```

Writing is similarly done:

```c
gnutls_buffer_st buf;
...
_gnutls_buffer_static_for_write(&buf, ptr, max_size);
...
ret = _gnutls_buffer_append_prefix(&buf, 3, size);
if (ret < 0) {
	goto cleanup;
}
```

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1194
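As an added example (not GnuTLS code and not part of this thread), the following stand-alone C program shows the idea behind the proposal above: a read cursor whose only way to advance is a bounds-checked take, with a length-prefix pop built on it, applied to the RFC 6962 v1 SignedCertificateTimestampList that !1367 parses. Unlike the single `DECR_LEN` site quoted in the issue, it walks a whole nested list, so a truncated, oversized or trailing-bytes input is rejected at whichever level the inconsistency appears. Every name here (`bounded_reader`, `br_pop_prefix16`, `parse_sct_list`, the `SCT_E_*` codes) and the sample input are constructed for this example and are not GnuTLS identifiers.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Error codes of this example (hypothetical, not GnuTLS's). */
enum { SCT_E_SHORT = -1, SCT_E_VERSION = -2, SCT_E_EXTENSIONS = -3,
       SCT_E_TRAILING = -4, SCT_E_TOO_MANY = -5 };

/* Read-only cursor: the only way to advance is br_take(), which refuses to
 * move past the end, so a caller cannot forget the length check. */
struct bounded_reader { const uint8_t *p; size_t left; };

static void br_init(struct bounded_reader *r, const uint8_t *d, size_t n)
{ r->p = d; r->left = n; }

/* Hand out n bytes, or fail without touching the cursor. */
static int br_take(struct bounded_reader *r, size_t n, const uint8_t **out)
{
	if (r->left < n) return SCT_E_SHORT;
	*out = r->p; r->p += n; r->left -= n;
	return 0;
}

static int br_u8(struct bounded_reader *r, uint8_t *v)
{ const uint8_t *q; int rc = br_take(r, 1, &q); if (rc) return rc; *v = q[0]; return 0; }

static int br_u16(struct bounded_reader *r, uint16_t *v)
{ const uint8_t *q; int rc = br_take(r, 2, &q); if (rc) return rc; *v = (uint16_t)(q[0] << 8 | q[1]); return 0; }

static int br_u64(struct bounded_reader *r, uint64_t *v)
{
	const uint8_t *q; int rc = br_take(r, 8, &q); if (rc) return rc;
	*v = 0; for (int k = 0; k < 8; k++) *v = *v << 8 | q[k];
	return 0;
}

/* Pop a 16-bit length prefix plus exactly that many bytes into a sub-reader:
 * the analogue of the proposed _gnutls_buffer_pop_prefix16(). */
static int br_pop_prefix16(struct bounded_reader *r, struct bounded_reader *sub)
{
	uint16_t n; const uint8_t *q; int rc;
	if ((rc = br_u16(r, &n)) < 0 || (rc = br_take(r, n, &q)) < 0) return rc;
	br_init(sub, q, n);
	return 0;
}

struct sct_v1 { uint8_t logid[32]; uint64_t timestamp_ms;
                uint8_t hash_alg, sig_alg; const uint8_t *sig; size_t sig_len; };

/* Parse one SCT v1 body (RFC 6962 3.2): version, log id, timestamp,
 * (empty) extensions, then the TLS digitally-signed struct. */
static int parse_sct_v1(struct bounded_reader *r, struct sct_v1 *s)
{
	struct bounded_reader sig; const uint8_t *q; uint8_t version; uint16_t ext_len; int rc;
	if ((rc = br_u8(r, &version)) < 0) return rc;
	if (version != 0) return SCT_E_VERSION;
	if ((rc = br_take(r, sizeof s->logid, &q)) < 0) return rc;
	memcpy(s->logid, q, sizeof s->logid);
	if ((rc = br_u64(r, &s->timestamp_ms)) < 0) return rc;
	if ((rc = br_u16(r, &ext_len)) < 0) return rc;
	if (ext_len != 0) return SCT_E_EXTENSIONS;   /* v1 defines no extensions */
	if ((rc = br_u8(r, &s->hash_alg)) < 0 || (rc = br_u8(r, &s->sig_alg)) < 0) return rc;
	if ((rc = br_pop_prefix16(r, &sig)) < 0) return rc;
	s->sig = sig.p; s->sig_len = sig.left;
	return r->left == 0 ? 0 : SCT_E_TRAILING;    /* the SCT length must be exact */
}

/* Parse the SignedCertificateTimestampList found inside the extension's
 * OCTET STRING. Returns the number of SCTs or a negative error code. */
int parse_sct_list(const uint8_t *data, size_t len, struct sct_v1 *out, size_t max)
{
	struct bounded_reader r, list, one; size_t n = 0; int rc;
	br_init(&r, data, len);
	if ((rc = br_pop_prefix16(&r, &list)) < 0) return rc;
	if (r.left != 0) return SCT_E_TRAILING;
	while (list.left > 0) {
		if (n == max) return SCT_E_TOO_MANY;
		if ((rc = br_pop_prefix16(&list, &one)) < 0) return rc;
		if ((rc = parse_sct_v1(&one, &out[n])) < 0) return rc;
		n++;
	}
	return (int)n;
}

/* Constructed sample: one SCT with a dummy log id, a fixed timestamp and a
 * 4-byte placeholder signature (not a real signature). Returns total size. */
size_t build_sample_list(uint8_t *buf)
{
	static const uint8_t sig[4] = { 0xDE, 0xAD, 0xBE, 0xEF };
	uint64_t ts = 1616000000000ULL; size_t i = 4, sct_len, list_len;
	buf[i++] = 0;                                 /* version: v1 */
	memset(buf + i, 0xAA, 32); i += 32;           /* log id */
	for (int k = 7; k >= 0; k--) buf[i++] = (uint8_t)(ts >> (8 * k));
	buf[i++] = 0; buf[i++] = 0;                   /* extensions length = 0 */
	buf[i++] = 4; buf[i++] = 3;                   /* sha256, ecdsa (RFC 5246 codepoints) */
	buf[i++] = 0; buf[i++] = (uint8_t)sizeof sig; /* signature length */
	memcpy(buf + i, sig, sizeof sig); i += sizeof sig;
	sct_len = i - 4;  buf[2] = (uint8_t)(sct_len >> 8);  buf[3] = (uint8_t)sct_len;
	list_len = i - 2; buf[0] = (uint8_t)(list_len >> 8); buf[1] = (uint8_t)list_len;
	return i;
}

int main(void)
{
	uint8_t buf[128]; struct sct_v1 s[2];
	size_t n = build_sample_list(buf);
	printf("full input: %d SCT(s)\n", parse_sct_list(buf, n, s, 2));
	printf("truncated by one byte: %d\n", parse_sct_list(buf, n - 1, s, 2));
	return 0;
}
```

The point of the design is that `ptr` and `length` never appear as separate variables in the parser: every read goes through `br_take`, and a length prefix produces a sub-reader that can only see the bytes it announced, so the `length <= 8` versus `length < 8` and `length -= sig_length` questions from the review cannot arise. A signature length larger than what remains fails inside `br_pop_prefix16` before any byte is copied.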
From gnutls-devel at lists.gnutls.org Sun Mar 21 17:34:30 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sun, 21 Mar 2021 16:34:30 +0000
Subject: [gnutls-devel] GnuTLS | Read Certificate Transparency (RFC 6962) SCT extension (!1367)

Daiki Ueno commented:

Thanks for the update. I am not sure if I can manually spot all the missing bounds checks; on the other hand, if we overlook any, that would lead to a security issue. I've filed a proposal doing that in a safer way (#1194).

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1367#note_534232609

From gnutls-devel at lists.gnutls.org Sun Mar 21 19:31:38 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sun, 21 Mar 2021 18:31:38 +0000
Subject: [gnutls-devel] GnuTLS | Read Certificate Transparency (RFC 6962) SCT extension (!1367)

Daiki Ueno commented on a discussion on lib/x509/x509_ext.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1367#note_534253834

> + return get_sigalg_for_sha1(sig_algo);
> + case 3: /* sha224 */
> + return get_sigalg_for_sha224(sig_algo);
> + case 4: /* sha256 */
> + return get_sigalg_for_sha256(sig_algo);
> + case 5: /* sha384 */
> + return get_sigalg_for_sha384(sig_algo);
> + case 6: /* sha512 */
> + return get_sigalg_for_sha512(sig_algo);
> + }
> +}
> +
> +static int write_sigalg(gnutls_sign_algorithm_t sigalg, uint8_t *out)
> +{
> + switch (sigalg) {
> + case GNUTLS_SIGN_RSA_MD5:

I was thinking something like below, similar to the arrays defined in `lib/algorithms/*`:

```c
struct sct_sign_algorithm_st {
	uint8_t codepoint[2];
	gnutls_sign_algorithm_t sign_algo;
	gnutls_hash_algorithm_t hash_algo;
};

const struct sct_sign_algorithm_st[] = {
	...
	{
		.codepoint = { 0x05, 0x01 },
		.sign_algo = GNUTLS_SIGN_RSA_SHA384,
		.hash_algo = GNUTLS_DIG_SHA384,
	},
	...
};
```

It would be slower than accessing a 2-dimensional matrix, as it requires searching the array, but given the fact that there are only 18 (= 6 * 3) elements, that wouldn't affect performance much.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1367#note_534253834

From gnutls-devel at lists.gnutls.org Sun Mar 21 21:37:37 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sun, 21 Mar 2021 20:37:37 +0000
Subject: [gnutls-devel] GnuTLS | Read Certificate Transparency (RFC 6962) SCT extension (!1367)

Ander Juaristi commented on a discussion on lib/x509/x509_ext.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1367#note_534270512

> +
> +/**
> + * gnutls_x509_ext_ct_import_scts:
> + * @ext: a DER-encoded extension
> + * @scts: The SCT list
> + *
> + * This function will read a SignedCertificateTimestampList structure
> + * from the DER data of the X.509 Certificate Transparency SCT extension
> + * (OID 1.3.6.1.4.1.11129.2.4.2).
> + *
> + * The list of SCTs (Signed Certificate Timestamps) is placed on @scts,
> + * which must be previously initialized with gnutls_x509_ext_ct_scts_init().
> + *
> + * Returns: %GNUTLS_E_SUCCESS (0) on success or a negative error value.
> + **/
> +int gnutls_x509_ext_ct_import_scts(const gnutls_datum_t *ext, gnutls_x509_ct_scts_t scts)

I'm seeing in other `_import` functions the data comes last, but this function follows the order of the other `_import` functions defined in `x509_ext.c`. Looks like in the functions that read X.509 extensions the data (`ext`) comes first.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1367#note_534270512

From gnutls-devel at lists.gnutls.org Sun Mar 21 21:53:46 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sun, 21 Mar 2021 20:53:46 +0000
Subject: [gnutls-devel] GnuTLS | Read Certificate Transparency (RFC 6962) SCT extension (!1367)

Ander Juaristi commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/1367#note_534272440

That's great. I'll have a closer look anyway now.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1367#note_534272440

From gnutls-devel at lists.gnutls.org Mon Mar 22 09:14:46 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Mon, 22 Mar 2021 08:14:46 +0000
Subject: [gnutls-devel] libtasn1 | Revert "bootstrap.conf: require bison 3.6 or later" (!76)

Daiki Ueno created a merge request: https://gitlab.com/gnutls/libtasn1/-/merge_requests/76

Project:Branches: dueno/libtasn1:wip/dueno/bison-bootstrap to gnutls/libtasn1:master
Author: Daiki Ueno

Add a description of the new feature/bug fix. Reference any relevant bugs.
## Checklist * [ ] Code modified for feature * [ ] Test suite updated with functionality tests * [ ] Test suite updated with negative tests * [ ] Documentation updated ## Reviewer's checklist: * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent with other code * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/-/merge_requests/76 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Mar 22 09:14:52 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Mon, 22 Mar 2021 08:14:52 +0000 Subject: [gnutls-devel] libtasn1 | Revert "bootstrap.conf: require bison 3.6 or later" (!76) In-Reply-To: References: Message-ID: Merge Request !76 was scheduled to merge after pipeline succeeds by Daiki Ueno Merge Request url: https://gitlab.com/gnutls/libtasn1/-/merge_requests/76 Project:Branches: dueno/libtasn1:wip/dueno/bison-bootstrap to gnutls/libtasn1:master Author: Daiki Ueno Assignees: Reviewers: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/-/merge_requests/76 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... 
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Mon, 22 Mar 2021 09:11:45 +0000
Subject: [gnutls-devel] libtasn1 | Revert "bootstrap.conf: require bison 3.6 or later" (!76)

Merge Request !76 was merged
Merge Request URL: https://gitlab.com/gnutls/libtasn1/-/merge_requests/76
Project:Branches: dueno/libtasn1:wip/dueno/bison-bootstrap to gnutls/libtasn1:master
Author: Daiki Ueno
Assignees:
Reviewers:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/-/merge_requests/76


From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Wed, 24 Mar 2021 15:35:42 +0000
Subject: [gnutls-devel] GnuTLS | `make` error :parse-datetime.c: No such file or directory (#1196)

David Hu created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1196

## Description of problem:
I am building GnuTLS from source as of Mar 24th 23:31 GMT, and `make -j9` produces the `fatal error: parse-datetime.c: No such file or directory`

## Version of gnutls used:
Latest GitHub commit `857543c`

## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)
N/A, straight from the GitHub mirror

## How reproducible:
Steps to Reproduce:
* `git clone` the GitHub mirror commit `857543c`
* Do `./configure` with default settings
* Run `make -j9`

## Actual results:
`make` returned fatal error:
```
CC glthread/threadlib.lo
cc1: fatal error: parse-datetime.c: No such file or directory
compilation terminated.
......
make: *** [Makefile:1800: all] Error 2
```

## Expected results:
`make` finished with return code 0 without errors

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1196


From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Wed, 24 Mar 2021 16:09:45 +0000
Subject: [gnutls-devel] libtasn1 | Cross compilation issue (#28)

Jeffrey Walton commented: This is still broken, even with the patch in 69...

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/-/issues/28#note_536850229


From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Wed, 24 Mar 2021 17:58:39 +0000
Subject: [gnutls-devel] GnuTLS | `make` returned fatal error : parse-datetime.c: No such file or directory (#1196)

Daiki Ueno commented: I think you need [bison](https://gitlab.com/gnutls/gnutls/-/blob/master/README.md#L42) to build from the git checkout. We probably should add it to `buildreq` in `bootstrap.conf`.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1196#note_536984756
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Wed, 24 Mar 2021 18:32:14 +0000
Subject: [gnutls-devel] GnuTLS | `make` returned fatal error : parse-datetime.c: No such file or directory (#1196)

David Hu commented: OK, I will retry after installing bison and see if the issue persists. Also this time I will use the git branch straight from GitLab instead of the GitHub mirror to exclude mirror issues.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1196#note_537022878


From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Wed, 24 Mar 2021 18:51:28 +0000
Subject: [gnutls-devel] GnuTLS | `make` returned fatal error : parse-datetime.c: No such file or directory (#1196)

David Hu commented: OK. Now the issue is fixed after I installed `bison` and `bison-devel`. Can I close this?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1196#note_537034120
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Wed, 24 Mar 2021 18:54:04 +0000
Subject: [gnutls-devel] GnuTLS | `make` returned fatal error : parse-datetime.c: No such file or directory (#1196)

Issue was closed by David Hu
Issue #1196: https://gitlab.com/gnutls/gnutls/-/issues/1196

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1196


From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Fri, 26 Mar 2021 15:33:31 +0000
Subject: [gnutls-devel] GnuTLS | Segfaults when connecting via HTTP3 (#1198)

David Hu created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1198

## Description of problem:
I compiled GnuTLS from source with nghttp3 and ngtcp2, but when I try connecting to a domain with HTTP3 specified, GnuTLS exited with `Segmentation fault core dumped`

## Version of gnutls used:
Commit `38b25e19`

## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)
N/A, straight from GitHub

## How reproducible:
Steps to Reproduce:
* Git clone `GnuTLS` from here, nghttp3, ngtcp2 and curl from GitHub
* Compile GnuTLS (with docs disabled)
* Compile `nghttp3` with libs only
* Compile `ngtcp2` with nghttp3 and GnuTLS
* Compile `curl` with the option of choosing GnuTLS and nghttp3 and no OpenSSL

## Actual results:
Tried to connect to `https://cloudflare.com` but the connection failed very fast

Last few lines of error output:
```
* connect to 104.16.132.229 port 443 failed: Resource temporarily unavailable
*   Trying 104.16.133.229:443...
* Connect socket 7 over QUIC to 104.16.133.229:443
gnutls[5]: REC[0x1b035d0]: Allocating epoch #0
gnutls[2]: added 1 protocols, 4 ciphersuites, 16 sig algos and 4 groups into priority list
Segmentation fault (core dumped)
```
While my network is completely normal without UDP port 443 filtered.

## Expected results:
Connect to the domain with HTTP3 (QUIC) support successfully without errors

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1198


From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sat, 27 Mar 2021 17:43:45 +0000
Subject: [gnutls-devel] GnuTLS | Segfaults when connecting via HTTP3 (#1198)

Daiki Ueno commented: For the meantime, could you also provide the commit IDs of those projects (ngtcp2/nghttp3/curl)?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1198#note_539398619


From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sat, 27 Mar 2021 17:53:22 +0000
Subject: [gnutls-devel] GnuTLS | Segfaults when connecting via HTTP3 (#1198)

David Hu commented: OK. Sure.
`curl`: `95cbcec` (GitHub)
`nghttp3`: `9858f6d` (GitHub)
`ngtcp2`: `daa2d73` (GitHub)
This issue was reported yesterday and GitHub repos, especially `curl`, upgrade the master branch really fast, so it may not reproduce on your side.
:frowning2:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1198#note_539399615


From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Mon, 29 Mar 2021 11:21:15 +0000
Subject: [gnutls-devel] libtasn1 | fix invalid unsigned arithmetic. (!75)

ihsinme commented: Good day. Tell me what I have to do to get the PR accepted.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/-/merge_requests/75#note_539998841


From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Mon, 29 Mar 2021 12:12:31 +0000
Subject: [gnutls-devel] GnuTLS | keys-win: free certificate context in gnutls_system_key_iter_deinit (!1406)

Daiki Ueno created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1406
Project:Branches: dueno/gnutls:wip/dueno/system-keys-w32 to gnutls/gnutls:master
Author: Daiki Ueno

Fixes: #1197

## Checklist
* [x] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [ ] Code modified for feature
* [ ] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
* [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:
* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1406


From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Mon, 29 Mar 2021 12:20:20 +0000
Subject: [gnutls-devel] libtasn1 | fix invalid unsigned arithmetic. (!75)

Daiki Ueno commented on a discussion: https://gitlab.com/gnutls/libtasn1/-/merge_requests/75#note_540059902

Sorry, I enabled automatic merge but didn't notice the pipeline has failed (due to timeout). Could you increase the CI timeout through your repository settings?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/-/merge_requests/75#note_540059902


From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Mon, 29 Mar 2021 12:44:33 +0000
Subject: [gnutls-devel] GnuTLS | build: avoid potential integer overflow in array allocation (!1392)

Daiki Ueno commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/1392#note_540093533

I've added checks for additions as well. Could you check?
--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1392#note_540093533


From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Mon, 29 Mar 2021 13:57:27 +0000
Subject: [gnutls-devel] GnuTLS | keys-win: free certificate context in gnutls_system_key_iter_deinit (!1406)

Merge Request !1406 was scheduled to merge after pipeline succeeds by Daiki Ueno
Merge Request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1406
Project:Branches: dueno/gnutls:wip/dueno/system-keys-w32 to gnutls/gnutls:master
Author: Daiki Ueno
Assignees:
Reviewers:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1406


From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Mon, 29 Mar 2021 14:48:36 +0000
Subject: [gnutls-devel] libtasn1 | fix invalid unsigned arithmetic. (!75)

ihsinme commented on a discussion: https://gitlab.com/gnutls/libtasn1/-/merge_requests/75#note_540213800

I did. It's probably my fault. You are telling me about this a second time. Sorry.(

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/-/merge_requests/75#note_540213800
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Mon, 29 Mar 2021 14:48:59 +0000
Subject: [gnutls-devel] libtasn1 | fix invalid unsigned arithmetic. (!75)

All discussions on Merge Request !75 were resolved by ihsinme
https://gitlab.com/gnutls/libtasn1/-/merge_requests/75

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/-/merge_requests/75


From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Mon, 29 Mar 2021 14:49:00 +0000
Subject: [gnutls-devel] libtasn1 | fix invalid unsigned arithmetic. (!75)

Merge Request !75 was merged
Merge Request URL: https://gitlab.com/gnutls/libtasn1/-/merge_requests/75
Project:Branches: ihsinme/libtasn1:ihsinme-master-patch-00221 to gnutls/libtasn1:master
Author: ihsinme
Assignees:
Reviewers:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/-/merge_requests/75
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Mon, 29 Mar 2021 16:12:30 +0000
Subject: [gnutls-devel] GnuTLS | keys-win: free certificate context in gnutls_system_key_iter_deinit (!1406)

Merge Request !1406 was merged
Merge Request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1406
Project:Branches: dueno/gnutls:wip/dueno/system-keys-w32 to gnutls/gnutls:master
Author: Daiki Ueno
Assignees:
Reviewers:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1406


From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Mon, 29 Mar 2021 16:12:31 +0000
Subject: [gnutls-devel] GnuTLS | Windows System Keys handle leak (#1197)

Issue was closed by Daiki Ueno via merge request !1406 (https://gitlab.com/gnutls/gnutls/-/merge_requests/1406)
Issue #1197: https://gitlab.com/gnutls/gnutls/-/issues/1197

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1197
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Tue, 30 Mar 2021 09:45:01 +0000
Subject: [gnutls-devel] GnuTLS | SECURITY: use-after-free in PSK binder calculation (#1151)

Andreas Metzler commented on a discussion: https://gitlab.com/gnutls/gnutls/-/issues/1151#note_540854223

Afaict all that is needed is cherry-picking 15beb4b193b2714d88107e7dffca781798684e7e 75a937d97f4fefc6f9b08e3791f151445f551cb3 (plus 2b0f6f3a2ff13153aaa70c764ba7a8b90aef794d to fix the testsuite time bomb)?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1151#note_540854223


From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Tue, 30 Mar 2021 11:26:45 +0000
Subject: [gnutls-devel] GnuTLS | build: avoid potential integer overflow in array allocation (!1392)

Merge request https://gitlab.com/gnutls/gnutls/-/merge_requests/1392 was reviewed by Stanislav Židek

--
Stanislav Židek started a new discussion on lib/mem.h: https://gitlab.com/gnutls/gnutls/-/merge_requests/1392#note_540965778

> +void *_gnutls_reallocarray_fast(void *ptr, size_t nmemb, size_t size);
>
> void *_gnutls_calloc(size_t nmemb, size_t size);

Should we remove this function? Everything should use `_gnutls_reallocarray...`. Does initial `_` indicate this is not part of API?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1392


From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Tue, 30 Mar 2021 11:51:14 +0000
Subject: [gnutls-devel] GnuTLS | build: avoid potential integer overflow in array allocation (!1392)

All discussions on Merge Request !1392 were resolved by Daiki Ueno
https://gitlab.com/gnutls/gnutls/-/merge_requests/1392

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1392


From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Tue, 30 Mar 2021 11:51:13 +0000
Subject: [gnutls-devel] GnuTLS | build: avoid potential integer overflow in array allocation (!1392)

Daiki Ueno commented on a discussion on lib/mem.h: https://gitlab.com/gnutls/gnutls/-/merge_requests/1392#note_540986223

>
> #include
>
> -/* this realloc function will return ptr if size==0, and
> - * will free the ptr if the new allocation failed.
> +/* These realloc functions will return ptr if size==0, and will free
> + * the ptr if the new allocation failed.
> */
> void *gnutls_realloc_fast(void *ptr, size_t size);
> +void *_gnutls_reallocarray_fast(void *ptr, size_t nmemb, size_t size);
>
> void *_gnutls_calloc(size_t nmemb, size_t size);

Well spotted, thanks!

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1392#note_540986223
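
Review bot: the rewritten comment in the lib/mem.h hunk still only documents the two cases inherited from `gnutls_realloc_fast` (return ptr if size==0, free ptr if the allocation failed), but `_gnutls_reallocarray_fast(void *ptr, size_t nmemb, size_t size)` has two more that the header should spell out: what happens when `nmemb == 0` (is that the same "return ptr" case as `size == 0`?), and what happens when `nmemb * size` overflows size_t (is ptr freed and NULL returned, exactly as for an allocator failure, or is ptr left alone?). Callers reading only the header need to know whether the overflow path is a free-on-failure path, so suggest something like "will return ptr if nmemb==0 or size==0, and will free ptr and return NULL if nmemb*size overflows or the allocation fails". The point raised in the review about `_gnutls_calloc` also belongs here: if every caller should now go through `_gnutls_reallocarray_fast`, either drop the declaration or add a line saying why it stays.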
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Tue, 30 Mar 2021 12:21:32 +0000
Subject: [gnutls-devel] GnuTLS | build: avoid potential integer overflow in array allocation (!1392)

Merge Request !1392 was scheduled to merge after pipeline succeeds by Daiki Ueno
Merge Request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1392
Project:Branches: dueno/gnutls:wip/dueno/reallocarray to gnutls/gnutls:master
Author: Daiki Ueno
Assignees:
Reviewers:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1392


From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Tue, 30 Mar 2021 12:54:06 +0000
Subject: [gnutls-devel] GnuTLS | build: avoid potential integer overflow in array allocation (!1392)

Merge Request !1392 was merged
Merge Request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1392
Project:Branches: dueno/gnutls:wip/dueno/reallocarray to gnutls/gnutls:master
Author: Daiki Ueno
Assignees:
Reviewers:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1392
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Tue, 30 Mar 2021 12:54:05 +0000
Subject: [gnutls-devel] GnuTLS | Ensure array allocations overflow safe (#1179)

Issue was closed by Daiki Ueno via merge request !1392 (https://gitlab.com/gnutls/gnutls/-/merge_requests/1392)
Issue #1179: https://gitlab.com/gnutls/gnutls/-/issues/1179

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1179
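
The bug class behind !1392 and #1179, as an added example that is not GnuTLS code and does not reproduce `_gnutls_reallocarray_fast`: when an array allocation computes `nmemb * size` unchecked, the product wraps modulo SIZE_MAX+1, the allocator hands back a buffer far smaller than the caller believes it has, and the writes that follow overflow the heap. The checked helper below follows the contract quoted in the review thread (return `ptr` unchanged when the requested size is zero, free `ptr` and return NULL when the request cannot be satisfied) and treats multiplication overflow, and overflow of an added header size, as a failed allocation. Every `demo_*` name is hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Overflow-checked size_t arithmetic.  Both return false and leave *out
 * untouched when the exact result does not fit in size_t. */
static bool demo_size_mul_ok(size_t a, size_t b, size_t *out)
{
    if (b != 0 && a > SIZE_MAX / b)
        return false;
    *out = a * b;
    return true;
}

static bool demo_size_add_ok(size_t a, size_t b, size_t *out)
{
    if (a > SIZE_MAX - b)
        return false;
    *out = a + b;
    return true;
}

/* The unsafe pattern: nmemb * size silently wraps.  With nmemb = SIZE_MAX/2 + 1
 * and size = 2 the product is exactly 2^(bits of size_t), which wraps to 0, so a
 * malloc of this "size" succeeds and the caller then writes nmemb elements into
 * nothing. */
size_t demo_naive_array_bytes(size_t nmemb, size_t size)
{
    return nmemb * size;
}

/* Checked reallocarray with the free-on-failure contract from the thread:
 * returns ptr unchanged when nmemb or size is 0; on multiplication overflow or
 * allocator failure frees ptr and returns NULL so the caller cannot keep using
 * a stale pointer. */
void *demo_reallocarray_fast(void *ptr, size_t nmemb, size_t size)
{
    size_t bytes;
    void *ret;

    if (nmemb == 0 || size == 0)
        return ptr;
    if (!demo_size_mul_ok(nmemb, size, &bytes)) {
        free(ptr);
        return NULL;
    }
    ret = realloc(ptr, bytes);
    if (ret == NULL)
        free(ptr);
    return ret;
}

/* The "header plus array" layout needs the addition checked as well:
 * total = hdr + nmemb * size.  Returns false on overflow of either operation. */
bool demo_header_array_bytes(size_t hdr, size_t nmemb, size_t size, size_t *out)
{
    size_t arr;

    if (!demo_size_mul_ok(nmemb, size, &arr))
        return false;
    return demo_size_add_ok(hdr, arr, out);
}

int main(void)
{
    size_t n = SIZE_MAX / 2 + 1, total;

    printf("naive:   %zu elements of 2 bytes -> %zu bytes requested\n",
           n, demo_naive_array_bytes(n, 2));
    printf("checked: %s\n",
           demo_reallocarray_fast(NULL, n, 2) == NULL ? "refused" : "allocated");
    if (demo_header_array_bytes(16, 4, sizeof(uint32_t), &total))
        printf("header + array: %zu bytes\n", total);
    return 0;
}
```

The `a > SIZE_MAX / b` test is the portable form of the check; on compilers that provide it, `__builtin_mul_overflow` expresses the same thing in one call. Whatever the helper is named, the point of the free-on-failure contract is that the overflow path and the allocator-failure path look identical to the caller, so a single NULL check covers both.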