From gnutls-devel at lists.gnutls.org Wed Sep 1 06:04:15 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Wed, 01 Sep 2021 04:04:15 +0000
Subject: [gnutls-devel] GnuTLS | pk: Use 'mpz_init_set' instead of 'memcpy'. (!1415)

GnuTLS bot commented:

@civodul This merge request is marked as work in progress with no update for a very long time. We are now closing it, but please re-open if you are still interested in finishing this merge request.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1415#note_665826884
You're receiving this email because of your account on gitlab.com.

From gnutls-devel at lists.gnutls.org Wed Sep 1 06:04:15 2021
Date: Wed, 01 Sep 2021 04:04:15 +0000
Subject: [gnutls-devel] GnuTLS | pk: Use 'mpz_init_set' instead of 'memcpy'. (!1415)

Merge request !1415 was closed by GnuTLS bot
Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1415
Project:Branches: civodul/gnutls:mpz-init-set to gnutls/gnutls:master
Author: civodul
Assignees:
Reviewers:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1415
From gnutls-devel at lists.gnutls.org Wed Sep 1 12:51:40 2021
Date: Wed, 01 Sep 2021 10:51:40 +0000
Subject: [gnutls-devel] GnuTLS | tests/tls13/post-handshake-with-cert: avoid a race condition (!1464)

Merge request !1464 was approved by Daiki Ueno
Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1464
Project:Branches: asosedkin/gnutls:fix-tls13-post-hanshake-with-cert to gnutls/gnutls:master
Author: Alexander Sosedkin
Assignees:
Reviewers:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1464

From gnutls-devel at lists.gnutls.org Wed Sep 1 12:51:34 2021
Date: Wed, 01 Sep 2021 10:51:34 +0000
Subject: [gnutls-devel] GnuTLS | tests/tls13/post-handshake-with-cert: avoid a race condition (!1464)

Daiki Ueno commented:

Thanks; looks good to me, though my preference is to rewrite it as a single process :-)

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1464#note_666170291
From gnutls-devel at lists.gnutls.org Wed Sep 1 16:02:11 2021
Date: Wed, 01 Sep 2021 14:02:11 +0000
Subject: [gnutls-devel] GnuTLS | fix SSSE3 SHA384 to work more than once (!1466)

Miroslav Lichvar created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1466
Project:Branches: mlichvar/gnutls:ssse3-sha384 to gnutls/gnutls:master
Author: Miroslav Lichvar

The output function called sha512_digest() instead of sha384_digest(), which caused the hash context to be reinitialized for SHA512 instead of SHA384 and all following digests using the hash handle were wrong.

## Checklist
* [x] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [ ] Code modified for feature
* [ ] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
* [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:
* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1466
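The failure mode described in !1466, as an added Python model that is not GnuTLS or Nettle code: `ModelHandle` and its `buggy` switch are hypothetical, and the model assumes, as the description states, that producing a digest also re-initialises the context. It shows why the first digest from a handle is correct and only reuse exposes the wrong reset, which is what a regression test has to exercise.

```python
import hashlib


class ModelHandle:
    """Simplified model of a reusable SHA-384 hash handle (hypothetical).

    Assumption: the output step writes the digest and then resets the
    context so the same handle can hash the next message.
    """

    def __init__(self, buggy):
        self.buggy = buggy
        self.ctx = hashlib.sha384()

    def update(self, data):
        self.ctx.update(data)

    def output(self):
        # A SHA-384 digest is the first 48 bytes of the finalised state.
        digest = self.ctx.digest()[:48]
        # The reset is where the two variants differ: the buggy one
        # re-initialises the context for SHA-512 instead of SHA-384.
        self.ctx = hashlib.sha512() if self.buggy else hashlib.sha384()
        return digest


def digests_for(messages, buggy):
    """Hash each message in turn through ONE handle, as a long-lived caller would."""
    handle = ModelHandle(buggy)
    results = []
    for msg in messages:
        handle.update(msg)
        results.append(handle.output())
    return results


def first_bad_output(messages, buggy):
    """Regression check: index of the first digest that differs from a
    one-shot SHA-384 of the same message, or None if all agree."""
    outputs = digests_for(messages, buggy)
    for i, (msg, got) in enumerate(zip(messages, outputs)):
        if got != hashlib.sha384(msg).digest():
            return i
    return None


if __name__ == "__main__":
    msgs = [b"abc", b"abc", b"def"]  # constructed sample input
    print("buggy handle, first wrong digest at index:", first_bad_output(msgs, True))
    print("fixed handle, first wrong digest at index:", first_bad_output(msgs, False))
```

A test that hashes only once per handle passes against both variants, so the check has to call the output step at least twice on the same handle.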
From gnutls-devel at lists.gnutls.org Wed Sep 1 16:15:09 2021
Date: Wed, 01 Sep 2021 14:15:09 +0000
Subject: [gnutls-devel] GnuTLS | fix SSSE3 SHA384 to work more than once (!1466)

Daiki Ueno commented:

Great catch, thanks! I guess this fixes #1257.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1466#note_666403693

From gnutls-devel at lists.gnutls.org Wed Sep 1 16:15:34 2021
Date: Wed, 01 Sep 2021 14:15:34 +0000
Subject: [gnutls-devel] GnuTLS | tests/tls13/post-handshake-with-cert: avoid a race condition (!1464)

Merge request !1464 was merged
Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1464
Project:Branches: asosedkin/gnutls:fix-tls13-post-hanshake-with-cert to gnutls/gnutls:master
Author: Alexander Sosedkin
Assignees:
Reviewers:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1464
From gnutls-devel at lists.gnutls.org Wed Sep 1 16:37:40 2021
Date: Wed, 01 Sep 2021 14:37:40 +0000
Subject: [gnutls-devel] GnuTLS | Certificate is considered as invalid if trust store contains CA cert with duplicating extensions (#1255)

Roman Kulikov commented:

> the dup-exts.pem is there only for the [negative test case](https://gitlab.com/gnutls/gnutls/-/blob/master/tests/cert-tests/x509-duplicate-ext.sh)

Sure. I've just used it to illustrate the problem.

> but I think it's an issue in the trust store setup; i.e., all the contained certs must be in a valid form

Well, this may be the main question: do we really need to treat _every_ certificate as invalid if trust store contains _only one_ invalid root? From my point as a regular user this should not happen and every certificate should be treated as valid if its trust chain goes to valid root certificate in trust store.

> Wouldn't it be possible to adjust the trust store not to include such certs (I'm not sure how it's done on macOS)?

Yes, it is possible. And I've submitted a pull request to Homebrew project fixing this. But nevertheless it would be great to make GnuTLS a bit more robust in such error condition.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1255#note_666437024
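One way to find the offending entries when cleaning a trust store, as discussed above (added example, not GnuTLS or Homebrew code): a minimal DER walker that lists every certificate in a PEM bundle whose extension list repeats an OID. The sample bundle is built inline from constructed, unsigned certificate skeletons, and all function names are this example's own.

```python
import base64
import re
from collections import Counter

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                 # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length


def children(value):
    """Split the contents of a constructed element into (tag, value) pairs."""
    pos, out = 0, []
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out


def decode_oid(raw):
    """Dotted form of an OID (single-byte first subidentifier, true for 2.5.29.x)."""
    first = min(raw[0] // 40, 2)
    arcs, acc = [first, raw[0] - 40 * first], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def extension_oids(der):
    """OIDs of all extensions in one certificate, in order, duplicates kept."""
    tag, cert, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, tbs = children(cert)[0]
    for tag, val in children(tbs):
        if tag == 0xA3:               # [3] EXPLICIT Extensions
            _, ext_seq = children(val)[0]
            return [decode_oid(children(ext)[0][1]) for _, ext in children(ext_seq)]
    return []


def audit_bundle(pem_text):
    """Return [(index, finding)] for certs that are unparseable or repeat an OID."""
    findings = []
    for idx, m in enumerate(PEM_RE.finditer(pem_text)):
        try:
            oids = extension_oids(base64.b64decode(m.group(1)))
        except (ValueError, IndexError):
            findings.append((idx, "unparseable"))
            continue
        dups = sorted(o for o, c in Counter(oids).items() if c > 1)
        if dups:
            findings.append((idx, dups))
    return findings


# --- constructed sample input: unsigned skeletons, not real certificates ---
def tlv(tag, content):
    n = len(content)
    if n < 0x80:
        head = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        head = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + head + content


def sample_cert(ext_oids):
    exts = b"".join(tlv(0x30, tlv(0x06, o) + tlv(0x04, b"\x30\x00")) for o in ext_oids)
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01")
              + tlv(0x30, b"") * 5 + tlv(0xA3, tlv(0x30, exts)))
    der = tlv(0x30, tbs + tlv(0x30, b"") + tlv(0x03, b"\x00"))
    body = base64.encodebytes(der).decode()
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"


BASIC_CONSTRAINTS = b"\x55\x1d\x13"   # 2.5.29.19
KEY_USAGE = b"\x55\x1d\x0f"           # 2.5.29.15
SAMPLE_BUNDLE = (sample_cert([BASIC_CONSTRAINTS, KEY_USAGE])
                 + sample_cert([BASIC_CONSTRAINTS, KEY_USAGE, BASIC_CONSTRAINTS]))

if __name__ == "__main__":
    for idx, finding in audit_bundle(SAMPLE_BUNDLE):
        print(f"certificate #{idx}: {finding}")
```

The reported index is the position of the PEM block in the bundle, which is enough to locate and drop the entry before the bundle is handed to the TLS library.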
From gnutls-devel at lists.gnutls.org Fri Sep 3 17:59:17 2021
Date: Fri, 03 Sep 2021 15:59:17 +0000
Subject: [gnutls-devel] GnuTLS | mini-dtls-eagain has a chance to hang under valgrind (#1274)

Alexander Sosedkin created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1274

## Description of problem:
mini-dtls-eagain has a chance to hang under valgrind

## Version of gnutls used:
4989ed12f8

## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL):
observed on Fedora 33 x86_64

## How reproducible
probabilistically, can take hundreds of iterations to manifest

Steps to Reproduce:

`while true; do valgrind --leak-check=full ./tests/mini-eagain-dtls -v 2>&1 | tee mini-eagain-dtls.log; sleep 2; done`

## Actual results:
execution sometimes hangs way past the normal execution times with

server|<9>| ENC[0x50c41e0]: cipher: AES-256-CBC, MAC: SHA1, Epoch: 1
server|<11>| WRITE: enqueued 77 bytes for 0x50c41e0. Total 91 bytes.
server|<5>| REC[0x50c41e0]: Sent Packet[281474976710657] Handshake(22) in epoch 1 and length: 77
server|<11>| WRITE FLUSH: 91 bytes in buffer.
server|<3>| ASSERT: buffers.c[_gnutls_writev_emu]:464
server|<2>| WRITE: -1 returned from 0x50c41e0, errno: 11
server|<11>| WRITE interrupted: 91 bytes left.
server|<3>| ASSERT: dtls.c[_dtls_transmit]:348
server|<3>| ASSERT: handshake.c[send_handshake_final]:3340
client|<11>| WRITE FLUSH: 0 bytes in buffer.
client|<3>| ASSERT: buffers.c[_gnutls_io_write_flush]:696
client|<3>| ASSERT: dtls.c[_dtls_transmit]:263
client|<3>| ASSERT: dtls.c[_dtls_transmit]:420
client|<3>| ASSERT: dtls.c[_dtls_wait_and_retransmit]:440
client|<3>| ASSERT: handshake.c[recv_handshake_final]:3383
server|<11>| HWRITE FLUSH: 25 bytes in buffer.
server|<11>| WRITE FLUSH: 91 bytes in buffer.
server|<3>| ASSERT: buffers.c[_gnutls_writev_emu]:464
-- keeps repeating from here on --

## Expected results:
execution doesn't hang

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1274

From gnutls-devel at lists.gnutls.org Sat Sep 4 07:23:24 2021
Date: Sat, 04 Sep 2021 05:23:24 +0000
Subject: [gnutls-devel] GnuTLS | .gitlab-ci.yml: replace valgrind checks with ASan (!1467)

Daiki Ueno created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1467
Project:Branches: dueno/gnutls:wip/dueno/ci-remove-valgrind to gnutls/gnutls:master
Author: Daiki Ueno

Running the full test suite under valgrind wastes a lot of time and may cause intermittent failures due to timeout. We have them mainly for VALGRIND_MAKE_MEM_UNDEFINED client request, though the ASan tests now cover the equivalent after f23c3a6cba43706a6ebb3f9b0018cd658dcc0a72.

## Checklist
* [x] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [ ] Code modified for feature
* [ ] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
* [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:
* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1467

From gnutls-devel at lists.gnutls.org Sat Sep 4 07:23:45 2021
Date: Sat, 04 Sep 2021 05:23:45 +0000
Subject: [gnutls-devel] GnuTLS | .gitlab-ci.yml: replace valgrind checks with ASan (!1467)

Daiki Ueno commented:

@asosedkin any opinions?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1467#note_669405889
From gnutls-devel at lists.gnutls.org Sun Sep 5 07:25:43 2021
Date: Sun, 05 Sep 2021 05:25:43 +0000
Subject: [gnutls-devel] GnuTLS | Certificate is considered as invalid if trust store contains CA cert with duplicating extensions (#1255)

Roman Kulikov commented:

If I got it right this logic has been implemented from the very beginning. In commit d02e7a1d22f73 `gnutls_x509_crt_list_import` was added with such chunk of code:

``` +int gnutls_x509_crt_list_import(gnutls_x509_crt_t *certs, unsigned int cert_max, + const gnutls_datum_t * data, gnutls_x509_crt_fmt_t format, unsigned int flags) +{ ... + do { ... + ret = gnutls_x509_crt_import( certs[count], &tmp, GNUTLS_X509_FMT_PEM); + if (ret < 0) { + gnutls_assert(); + goto error; + } ... + } while (cert_max > count && ptr != NULL); + + return count; + +error: + CLEAR_CERTS; + return ret; +} ```

Sanity check of any certificate in list results in import abort of the whole list.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1255#note_669553228

From gnutls-devel at lists.gnutls.org Mon Sep 6 10:59:38 2021
Date: Mon, 06 Sep 2021 08:59:38 +0000
Subject: [gnutls-devel] GnuTLS | .gitlab-ci.yml: replace valgrind checks with ASan (!1467)

Alexander Sosedkin commented:

re f23c3a6cba43706a6ebb3f9b0018cd658dcc0a72: good to have it!

re this MR: not particularly convinced on the time saving side.
Quoting select competing stage 3 job durations from the [latest pipeline of master at the time of writing](https://gitlab.com/gnutls/gnutls/-/pipelines/363372618/builds):

```
passed debian-cross/aarch64-linux-gnu/test 00:53:03
passed debian-cross/arm-linux-gnueabihf/test 00:50:56
failed fedora-notools/test 03:00:02
passed fedora-static-analyzers/test 01:40:34
passed fedora-valgrind-aggressive/test 00:29:23
passed fedora-valgrind/test 00:28:36
```

Doesn't look like valgrind jobs are on the critical path. If timeouts are caused by hanging tests and not raw performance considerations, I'd prefer test fixing and both checks coexisting.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1467#note_669980027

From gnutls-devel at lists.gnutls.org Tue Sep 7 10:01:55 2021
Date: Tue, 07 Sep 2021 08:01:55 +0000
Subject: [gnutls-devel] GnuTLS | testcompat-openssl-tls13-cli.sh: early data testing against OpenSSL server is flaky (#1275)

Daiki Ueno created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1275

While it's intermittent, the test fails frequently. I suspect the reason might be that the connection is not gracefully closed (with a `close_notify` alert) and thus the server cannot resume with stateful resumption (see https://github.com/openssl/openssl/issues/16066)

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1275
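Review bot: in the `gnutls_x509_crt_list_import` hunk quoted from commit d02e7a1d22f73 in the #1255 comment above, the `goto error` taken after a failed `gnutls_x509_crt_import` runs `CLEAR_CERTS` and returns `ret`, so one malformed PEM block discards every certificate already imported and the caller cannot tell which entry failed. Either document this all-or-nothing behaviour in the function's description, or gate a skip-and-continue mode behind a bit in the existing `flags` parameter so that trust-store loaders can opt in while strict callers keep the current result.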
From gnutls-devel at lists.gnutls.org Tue Sep 7 10:05:14 2021
Date: Tue, 07 Sep 2021 08:05:14 +0000
Subject: [gnutls-devel] GnuTLS | testcompat-openssl-tls13-cli.sh: disable early data testing for CI stability (!1468)

Daiki Ueno created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1468
Project:Branches: dueno/gnutls:wip/dueno/disable-0rtt-tests to gnutls/gnutls:master
Author: Daiki Ueno

This temporarily disables early data testing against OpenSSL server for CI stability. Investigation of the actual cause is tracked at #1275.

This also improves port locking logic to be more lightweight to allow parallel runs of `testcompat*` and `tls-fuzzer/*` tests.

## Checklist
* [x] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [ ] Code modified for feature
* [ ] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
* [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:
* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1468
From gnutls-devel at lists.gnutls.org Tue Sep 7 14:20:27 2021
Date: Tue, 07 Sep 2021 12:20:27 +0000
Subject: [gnutls-devel] GnuTLS | testcompat-openssl-tls13-cli.sh: early data testing against OpenSSL server is flaky (#1275)

Panos Kalorogiannis commented:

Review is done. Seems good to me.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1275#note_671141637

From gnutls-devel at lists.gnutls.org Tue Sep 7 15:38:36 2021
Date: Tue, 07 Sep 2021 13:38:36 +0000
Subject: [gnutls-devel] GnuTLS | testcompat-openssl-tls13-cli.sh: disable early data testing for CI stability (!1468)

Merge request !1468 was merged
Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1468
Project:Branches: dueno/gnutls:wip/dueno/disable-0rtt-tests to gnutls/gnutls:master
Author: Daiki Ueno
Assignees:
Reviewers:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1468
From gnutls-devel at lists.gnutls.org Tue Sep 7 15:38:07 2021
Date: Tue, 07 Sep 2021 13:38:07 +0000
Subject: [gnutls-devel] GnuTLS | testcompat-openssl-tls13-cli.sh: disable early data testing for CI stability (!1468)

Daiki Ueno commented:

Thank you @pkalorog for the review (per [comment](https://gitlab.com/gnutls/gnutls/-/issues/1275#note_671141637))!

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1468#note_671238485

From gnutls-devel at lists.gnutls.org Tue Sep 7 15:39:41 2021
Date: Tue, 07 Sep 2021 13:39:41 +0000
Subject: [gnutls-devel] GnuTLS | fix SSSE3 SHA384 to work more than once (!1466)

Merge request !1466 was approved by Daiki Ueno
Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1466
Project:Branches: mlichvar/gnutls:ssse3-sha384 to gnutls/gnutls:master
Author: Miroslav Lichvar
Assignees:
Reviewers:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1466
From gnutls-devel at lists.gnutls.org Tue Sep 7 15:39:37 2021
Date: Tue, 07 Sep 2021 13:39:37 +0000
Subject: [gnutls-devel] GnuTLS | fix SSSE3 SHA384 to work more than once (!1466)

Daiki Ueno commented:

@mlichvar sorry for the CI flakiness; it should now work if you rebase against the master branch.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1466#note_671240549

From gnutls-devel at lists.gnutls.org Tue Sep 7 15:59:15 2021
Date: Tue, 07 Sep 2021 13:59:15 +0000
Subject: [gnutls-devel] GnuTLS | fix SSSE3 SHA384 to work more than once (!1466)

Merge request !1466 was scheduled to merge after pipeline succeeds by Daiki Ueno
Merge request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1466
Project:Branches: mlichvar/gnutls:ssse3-sha384 to gnutls/gnutls:master
Author: Miroslav Lichvar
Assignees:
Reviewers:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1466
From gnutls-devel at lists.gnutls.org Tue Sep 7 17:41:24 2021
Date: Tue, 07 Sep 2021 15:41:24 +0000
Subject: [gnutls-devel] GnuTLS | fix SSSE3 SHA384 to work more than once (!1466)

Merge request !1466 was merged
Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1466
Project:Branches: mlichvar/gnutls:ssse3-sha384 to gnutls/gnutls:master
Author: Miroslav Lichvar
Assignees:
Reviewers:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1466

From gnutls-devel at lists.gnutls.org Tue Sep 7 17:58:16 2021
Date: Tue, 07 Sep 2021 15:58:16 +0000
Subject: [gnutls-devel] GnuTLS | tls-fuzzer: update submodules to the latest (!1469)

Daiki Ueno created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1469
Project:Branches: dueno/gnutls:wip/dueno/pythonpath to gnutls/gnutls:master
Author: Daiki Ueno

Also stop creating symlinks inside the tlsfuzzer git submodule.

## Checklist
* [x] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [ ] Code modified for feature
* [ ] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
* [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:
* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1469

From gnutls-devel at lists.gnutls.org Tue Sep 7 18:06:22 2021
Date: Tue, 07 Sep 2021 16:06:22 +0000
Subject: [gnutls-devel] GnuTLS | tls-fuzzer: update submodules to the latest (!1469)

Merge request !1469 was approved by Hubert Kario (@mention me if you need reply)
Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1469
Project:Branches: dueno/gnutls:wip/dueno/pythonpath to gnutls/gnutls:master
Author: Daiki Ueno
Assignees:
Reviewers:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1469
From gnutls-devel at lists.gnutls.org Tue Sep 7 18:06:29 2021
Date: Tue, 07 Sep 2021 16:06:29 +0000
Subject: [gnutls-devel] GnuTLS | tls-fuzzer: update submodules to the latest (!1469)

Hubert Kario (@mention me if you need reply) commented:

LGTM

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1469#note_671415723

From gnutls-devel at lists.gnutls.org Tue Sep 7 18:13:22 2021
Date: Tue, 07 Sep 2021 16:13:22 +0000
Subject: [gnutls-devel] GnuTLS | tls-fuzzer: update submodules to the latest (!1469)

Daiki Ueno commented:

Thank you for the review.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1469#note_671422681
From gnutls-devel at lists.gnutls.org Tue Sep 7 18:13:26 2021
Date: Tue, 07 Sep 2021 16:13:26 +0000
Subject: [gnutls-devel] GnuTLS | tls-fuzzer: update submodules to the latest (!1469)

Merge request !1469 was scheduled to merge after pipeline succeeds by Daiki Ueno
Merge request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1469
Project:Branches: dueno/gnutls:wip/dueno/pythonpath to gnutls/gnutls:master
Author: Daiki Ueno
Assignees:
Reviewers:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1469

From gnutls-devel at lists.gnutls.org Tue Sep 7 18:22:52 2021
Date: Tue, 07 Sep 2021 16:22:52 +0000
Subject: [gnutls-devel] GnuTLS | mini-eagain-dtls has a chance to hang under valgrind (#1274)

Daiki Ueno commented:

I suppose it's a timing issue as the test program does not set timeout explicitly.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1274#note_671431549
From gnutls-devel at lists.gnutls.org Tue Sep 7 19:51:12 2021
Date: Tue, 07 Sep 2021 17:51:12 +0000
Subject: [gnutls-devel] GnuTLS | tls-fuzzer: update submodules to the latest (!1469)

Merge request !1469 was merged
Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1469
Project:Branches: dueno/gnutls:wip/dueno/pythonpath to gnutls/gnutls:master
Author: Daiki Ueno
Assignees:
Reviewers:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1469

From gnutls-devel at lists.gnutls.org Wed Sep 8 18:21:57 2021
Date: Wed, 08 Sep 2021 16:21:57 +0000
Subject: [gnutls-devel] GnuTLS | gnutls_hash_copy() fails on SHA384 after gnutls_hash_output(). (#1257)

Issue was closed by Daiki Ueno
Issue #1257: https://gitlab.com/gnutls/gnutls/-/issues/1257

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1257

From gnutls-devel at lists.gnutls.org Wed Sep 8 18:21:56 2021
Date: Wed, 08 Sep 2021 16:21:56 +0000
Subject: [gnutls-devel] GnuTLS | gnutls_hash_copy() fails on SHA384 after gnutls_hash_output(). (#1257)

Daiki Ueno commented:

Should be fixed now with !1466. Feel free to reopen if the problem persists.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1257#note_672519111

From gnutls-devel at lists.gnutls.org Thu Sep 9 10:01:13 2021
Date: Thu, 09 Sep 2021 08:01:13 +0000
Subject: [gnutls-devel] GnuTLS | Suppress warnings spotted by LGTM (!1470)

Daiki Ueno created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1470
Project:Branches: dueno/gnutls:wip/dueno/lgtm to gnutls/gnutls:master
Author: Daiki Ueno

Add a description of the new feature/bug fix. Reference any relevant bugs.

## Checklist
* [x] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [ ] Code modified for feature
* [ ] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
* [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:
* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1470
URL: From gnutls-devel at lists.gnutls.org Thu Sep 9 13:27:47 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Thu, 09 Sep 2021 11:27:47 +0000 Subject: [gnutls-devel] GnuTLS | Suppress warnings spotted by LGTM (!1470) In-Reply-To: References: Message-ID: Daiki Ueno commented: As this is trivial, I'm merging it without approval. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1470#note_673305261 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Sep 9 13:27:49 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Thu, 09 Sep 2021 11:27:49 +0000 Subject: [gnutls-devel] GnuTLS | Suppress warnings spotted by LGTM (!1470) In-Reply-To: References: Message-ID: Merge request !1470 was merged Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1470 Project:Branches: dueno/gnutls:wip/dueno/lgtm to gnutls/gnutls:master Author: Daiki Ueno Assignees: Reviewers: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1470 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... 
URL: From gnutls-devel at lists.gnutls.org Thu Sep 9 19:01:29 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Thu, 09 Sep 2021 17:01:29 +0000 Subject: [gnutls-devel] GnuTLS | fuzz: allow multiple definitions of gnutls_rnd in oss-fuzz (!1471) References: Message-ID: Daiki Ueno created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1471 Project:Branches: dueno/gnutls:wip/dueno/oss-fuzz-muldefs to gnutls/gnutls:master Author: Daiki Ueno This should fix the recent coverage build failure. ## Checklist * [x] Commits have `Signed-off-by:` with name/author being identical to the commit author * [ ] Code modified for feature * [ ] Test suite updated with functionality tests * [ ] Test suite updated with negative tests * [ ] Documentation updated / NEWS entry present (for non-trivial changes) * [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout) ## Reviewer's checklist: * [ ] Any issues marked for closing are addressed * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md` * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1471 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... 
URL: From gnutls-devel at lists.gnutls.org Thu Sep 9 19:01:52 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Thu, 09 Sep 2021 17:01:52 +0000 Subject: [gnutls-devel] GnuTLS | fuzz: allow multiple definitions of gnutls_rnd in oss-fuzz (!1471) In-Reply-To: References: Message-ID: Merge request !1471 was scheduled to merge after pipeline succeeds by Daiki Ueno Merge request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1471 Project:Branches: dueno/gnutls:wip/dueno/oss-fuzz-muldefs to gnutls/gnutls:master Author: Daiki Ueno Assignees: Reviewers: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1471 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Sep 10 06:43:36 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 10 Sep 2021 04:43:36 +0000 Subject: [gnutls-devel] GnuTLS | fuzz: allow multiple definitions of gnutls_rnd in oss-fuzz (!1471) In-Reply-To: References: Message-ID: Merge request !1471 was merged Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1471 Project:Branches: dueno/gnutls:wip/dueno/oss-fuzz-muldefs to gnutls/gnutls:master Author: Daiki Ueno Assignees: Reviewers: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1471 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... 
URL: From gnutls-devel at lists.gnutls.org Fri Sep 10 15:47:34 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 10 Sep 2021 13:47:34 +0000 Subject: [gnutls-devel] GnuTLS | devel: provide external git diff driver for *.abi files (!1214) In-Reply-To: References: Message-ID: Merge request !1214 was merged Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1214 Branches: tmp-abi-check to master Author: Daiki Ueno Assignees: Reviewers: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1214 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Sep 10 15:47:28 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 10 Sep 2021 13:47:28 +0000 Subject: [gnutls-devel] GnuTLS | devel: provide external git diff driver for *.abi files (!1214) In-Reply-To: References: Message-ID: Daiki Ueno commented: Since this is minor and opt-in is needed, I'm merging this without approval. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1214#note_674721978 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... 
URL: From gnutls-devel at lists.gnutls.org Fri Sep 10 17:17:18 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 10 Sep 2021 15:17:18 +0000 Subject: [gnutls-devel] GnuTLS | .gitlab-ci.yml: new ASan job with -DAGGRESSIVE_REALLOC (!1472) References: Message-ID: Daiki Ueno created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1472 Project:Branches: dueno/gnutls:wip/dueno/asan-aggressive to gnutls/gnutls:master Author: Daiki Ueno This would exercise the same logic currently only covered with fedora-valgrind-aggressive per MR. ## Checklist * [x] Commits have `Signed-off-by:` with name/author being identical to the commit author * [ ] Code modified for feature * [ ] Test suite updated with functionality tests * [ ] Test suite updated with negative tests * [ ] Documentation updated / NEWS entry present (for non-trivial changes) * [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout) ## Reviewer's checklist: * [ ] Any issues marked for closing are addressed * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md` * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1472 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... 
URL: From gnutls-devel at lists.gnutls.org Fri Sep 10 17:18:29 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 10 Sep 2021 15:18:29 +0000 Subject: [gnutls-devel] GnuTLS | .gitlab-ci.yml: replace valgrind checks with ASan (!1467) In-Reply-To: References: Message-ID: Daiki Ueno commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/1467#note_674811349 Thanks for pointing that out; it's a bit of a surprise that the amount of time used by valgrind tests are comparable with ASan tests. Perhaps we have a bottleneck somewhere else? Anyway I've opened !1472 to add `-DAGGRESSIVE_REALLOC` in ASan tests. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1467#note_674811349 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat Sep 11 07:04:45 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Sat, 11 Sep 2021 05:04:45 +0000 Subject: [gnutls-devel] GnuTLS | .gitlab-ci.yml: new ASan job with -DAGGRESSIVE_REALLOC (!1472) In-Reply-To: References: Message-ID: Merge request !1472 was merged Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1472 Project:Branches: dueno/gnutls:wip/dueno/asan-aggressive to gnutls/gnutls:master Author: Daiki Ueno Assignees: Reviewers: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1472 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... 
URL: From gnutls-devel at lists.gnutls.org Wed Sep 15 06:03:20 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 15 Sep 2021 04:03:20 +0000 Subject: [gnutls-devel] GnuTLS | Issues require labels (#1276) References: Message-ID: GnuTLS bot created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1276 The following issues require labels: - [ ] [Bring support for TPM 2.0](https://gitlab.com/gnutls/gnutls/-/issues/594) Please take care of them. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1276 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Sep 15 07:04:47 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 15 Sep 2021 05:04:47 +0000 Subject: [gnutls-devel] GnuTLS | Issues require labels (#1276) In-Reply-To: References: Message-ID: Issue was closed by Daiki Ueno Issue #1276: https://gitlab.com/gnutls/gnutls/-/issues/1276 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1276 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... 
URL: From gnutls-devel at lists.gnutls.org Wed Sep 15 09:16:17 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 15 Sep 2021 07:16:17 +0000 Subject: [gnutls-devel] GnuTLS | WIP Insertion usdt trace points for crypto auditing (!1340) In-Reply-To: References: Message-ID: Merge request !1340 was closed by Daiki Ueno Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1340 Project:Branches: sahprasa/gnutls:dtrace to gnutls/gnutls:master Author: Sahana Prasad Assignees: Reviewers: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1340 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Sep 15 09:18:54 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 15 Sep 2021 07:18:54 +0000 Subject: [gnutls-devel] GnuTLS | WIP: CMS support (RFC 5652) (!1248) In-Reply-To: References: Message-ID: Merge request !1248 was reopened by Daiki Ueno Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1248 Branches: tmp-cms-support to master Author: Dmitry Baryshkov Assignees: Reviewers: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1248 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... 
URL: From gnutls-devel at lists.gnutls.org Fri Sep 17 10:50:19 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 17 Sep 2021 08:50:19 +0000 Subject: [gnutls-devel] GnuTLS | ktls: basic implementation of SW mode (!1451) In-Reply-To: References: Message-ID: Daiki Ueno started a new discussion on lib/system/ktls.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1451#note_680344357 > + */ > + > +#include "config.h" > +#include "system/ktls.h" > + > +#ifdef ENABLE_KTLS > + > +#include > +#include > +#include > +#include > +#include > +#include > + > +/** > + * gnutls_transport_set_ktls: This is kind of brainstorming, but I guess we should make it clear when this function is called and what would be the desired behavior. For example: - If this function is called *before* handshake, and a ciphersuite incompatible with KTLS is negotiated, maybe it makes sense to automatically fall back to non-KTLS implementation - On the other hand, if this function is called *after* handshake is completed, it would be probably more useful to just return an error @berrange do you have any opinion on the API? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1451#note_680344357 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... 
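Review bot: the documentation comment for `gnutls_transport_set_ktls` in lib/system/ktls.c opens after `#ifdef ENABLE_KTLS`, so the function appears to be compiled only when KTLS is enabled. If the declaration in the public header is unconditional, a build without `ENABLE_KTLS` needs an `#else` stub that returns an error, otherwise callers fail at link time instead of getting a clean "not supported" result.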
URL: From gnutls-devel at lists.gnutls.org Fri Sep 17 11:16:32 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 17 Sep 2021 09:16:32 +0000 Subject: [gnutls-devel] GnuTLS | nettle: indicate SHAKE implementation exists (!1473) References: Message-ID: Daiki Ueno created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1473 Project:Branches: dueno/gnutls:wip/dueno/shake to gnutls/gnutls:master Author: Daiki Ueno While SHAKEs are not a hash algorithm but an XOF, it would be consistent to report they are implemented. The simple test is expanded to exercise the code path (gnutls_digest_get_id → wrap_nettle_hash_exists). ## Checklist * [x] Commits have `Signed-off-by:` with name/author being identical to the commit author * [ ] Code modified for feature * [x] Test suite updated with functionality tests * [ ] Test suite updated with negative tests * [ ] Documentation updated / NEWS entry present (for non-trivial changes) * [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout) ## Reviewer's checklist: * [ ] Any issues marked for closing are addressed * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md` * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1473 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed...
URL: From gnutls-devel at lists.gnutls.org Fri Sep 17 11:23:40 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 17 Sep 2021 09:23:40 +0000 Subject: [gnutls-devel] GnuTLS | ktls: basic implementation of SW mode (!1451) In-Reply-To: References: Message-ID: Richard W.M. Jones commented: From the point of view of a potential user of the API, it would be best to have a way to allow ktls to be used, but not fail if it cannot be used (it is, after all, an optimization). And if we have that, then why do we need a `set_ktls` option at all? Just make it happen if it's possible, otherwise fall back to software. Another way to think about this: If you add the `set_ktls` API, then why **wouldn't** everyone use it all the time? However it would be nice to have a `get_ktls` function which tells us if kTLS is being used. We could report that in debugging output in libnbd for example (https://gitlab.com/nbdkit/libnbd/-/blob/72ad5b2ab41e5253901a6e1c8309350a58602462/lib/crypto.c#L699) -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1451#note_680381199 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat Sep 18 07:27:43 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Sat, 18 Sep 2021 05:27:43 +0000 Subject: [gnutls-devel] GnuTLS | fuzz: explicitly supply LDFLAGS to clang++ command line (!1474) References: Message-ID: Daiki Ueno created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1474 Project:Branches: dueno/gnutls:wip/dueno/oss-fuzz-focal to gnutls/gnutls:master Author: Daiki Ueno This prevented fuzzer programs being linked in Ubuntu 20.03, used in oss-fuzz.
## Checklist * [x] Commits have `Signed-off-by:` with name/author being identical to the commit author * [ ] Code modified for feature * [ ] Test suite updated with functionality tests * [ ] Test suite updated with negative tests * [ ] Documentation updated / NEWS entry present (for non-trivial changes) * [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout) ## Reviewer's checklist: * [ ] Any issues marked for closing are addressed * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md` * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1474 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat Sep 18 07:29:17 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Sat, 18 Sep 2021 05:29:17 +0000 Subject: [gnutls-devel] GnuTLS | fuzz: explicitly supply LDFLAGS to clang++ command line (!1474) In-Reply-To: References: Message-ID: Merge request !1474 was scheduled to merge after pipeline succeeds by Daiki Ueno Merge request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1474 Project:Branches: dueno/gnutls:wip/dueno/oss-fuzz-focal to gnutls/gnutls:master Author: Daiki Ueno Assignees: Reviewers: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1474 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... 
URL: From gnutls-devel at lists.gnutls.org Sat Sep 18 09:12:06 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Sat, 18 Sep 2021 07:12:06 +0000 Subject: [gnutls-devel] GnuTLS | fuzz: explicitly supply LDFLAGS to clang++ command line (!1474) In-Reply-To: References: Message-ID: Merge request !1474 was merged Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1474 Project:Branches: dueno/gnutls:wip/dueno/oss-fuzz-focal to gnutls/gnutls:master Author: Daiki Ueno Assignees: Reviewers: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1474 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat Sep 18 10:15:35 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Sat, 18 Sep 2021 08:15:35 +0000 Subject: [gnutls-devel] GnuTLS | wrap_nettle_hash_exists: add missing hash algorithms (!1473) In-Reply-To: References: Message-ID: Daiki Ueno commented: @asosedkin would you like to review? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1473#note_681152332 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... 
URL: From gnutls-devel at lists.gnutls.org Mon Sep 20 12:19:08 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Mon, 20 Sep 2021 10:19:08 +0000 Subject: [gnutls-devel] GnuTLS | wrap_nettle_hash_exists: add missing hash algorithms (!1473) In-Reply-To: References: Message-ID: Merge request https://gitlab.com/gnutls/gnutls/-/merge_requests/1473 was reviewed by Alexander Sosedkin -- Alexander Sosedkin started a new discussion on lib/nettle/mac.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1473#note_681858863 > + case GNUTLS_DIG_SHAKE_128: > + case GNUTLS_DIG_SHAKE_256: > + return 1; I'd prefer a simplified flow with only two returns:
```
switch (algo) {
case A:
case B:
#ifdef cond CD
case C:
case D:
#endif
#ifdef cond EF
case E:
case F:
#endif
	return 1;
default:
	return 0;
}
```
Should be shorter as well. -- Alexander Sosedkin started a new discussion on tests/simple.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1473#note_681858864 > fail("gnutls_sign id's doesn't match\n"); > + > + if (gnutls_sign_is_secure(algs[i])) { Why is that check needed? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1473 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed...
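Review bot: in the lib/nettle/mac.c hunk the added `GNUTLS_DIG_SHAKE_128` and `GNUTLS_DIG_SHAKE_256` cases return 1 with no comment, which hides that these are XOFs rather than fixed-output digests. A one-line comment above the two cases saying why they are reported as existing would stop a later reader from assuming every algorithm accepted here has a fixed output length.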
URL: From gnutls-devel at lists.gnutls.org Mon Sep 20 13:38:37 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Mon, 20 Sep 2021 11:38:37 +0000 Subject: [gnutls-devel] GnuTLS | wrap_nettle_hash_exists: add missing hash algorithms (!1473) In-Reply-To: References: Message-ID: All discussions on merge request !1473 were resolved by Daiki Ueno https://gitlab.com/gnutls/gnutls/-/merge_requests/1473 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1473 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Sep 20 13:38:34 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Mon, 20 Sep 2021 11:38:34 +0000 Subject: [gnutls-devel] GnuTLS | wrap_nettle_hash_exists: add missing hash algorithms (!1473) In-Reply-To: References: Message-ID: Merge request https://gitlab.com/gnutls/gnutls/-/merge_requests/1473 was reviewed by Daiki Ueno -- Daiki Ueno commented on a discussion on lib/nettle/mac.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1473#note_681935287 > + case GNUTLS_DIG_SHAKE_128: > + case GNUTLS_DIG_SHAKE_256: > + return 1; Makes sense; updated -- Daiki Ueno commented on a discussion on tests/simple.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1473#note_681935289 > fail("gnutls_sign id's doesn't match\n"); > + > + if (gnutls_sign_is_secure(algs[i])) { It was intended for extra safety (as `gnutls_digest_get_id` only succeeds with implemented algorithms), but as the test still succeeds without this check, I have removed it. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1473 You're receiving this email because of your account on gitlab.com. 
-------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Sep 20 14:34:57 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Mon, 20 Sep 2021 12:34:57 +0000 Subject: [gnutls-devel] GnuTLS | wrap_nettle_hash_exists: add missing hash algorithms (!1473) In-Reply-To: References: Message-ID: Merge request !1473 was approved by Alexander Sosedkin Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1473 Project:Branches: dueno/gnutls:wip/dueno/shake to gnutls/gnutls:master Author: Daiki Ueno Assignees: Reviewers: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1473 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Sep 20 14:34:46 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Mon, 20 Sep 2021 12:34:46 +0000 Subject: [gnutls-devel] GnuTLS | wrap_nettle_hash_exists: add missing hash algorithms (!1473) In-Reply-To: References: Message-ID: Merge request https://gitlab.com/gnutls/gnutls/-/merge_requests/1473 was reviewed by Alexander Sosedkin -- Alexander Sosedkin started a new discussion on tests/simple.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1473#note_682002886 > + const char *name = gnutls_digest_get_name(hash); > + if (gnutls_digest_get_id(name) != hash) > + fail("gnutls_digest id's for %s doesn't match %s\n", If it's a pluralization, there's a plurality mismatch, I think it should be either "id doesn't match" or "id's don't match" + x3 times in the file. 
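Review bot: in the tests/simple.c hunk `name` is used without a NULL check. `gnutls_digest_get_name()` returns NULL for an algorithm it does not know, and the pointer then goes straight into `gnutls_digest_get_id(name)` and the `%s` in `fail()`; skip the iteration or fail with the numeric id when `name` is NULL.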
-- Alexander Sosedkin commented on a discussion on tests/simple.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1473#note_682002888 > fail("gnutls_sign id's doesn't match\n"); > + > + if (gnutls_sign_is_secure(algs[i])) { > gnutls_digest_get_id only succeeds with implemented algorithms I only see `gnutls_digest_get_id` checking `_gnutls_digest_exists` checking `is_mac_algo_forbidden` (FIPS restrictions only) and `wrap_nettle_mac_exists` (from the above chunk). -- Alexander Sosedkin commented: LGTM with one more nitpick. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1473 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Sep 20 14:42:50 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Mon, 20 Sep 2021 12:42:50 +0000 Subject: [gnutls-devel] GnuTLS | wrap_nettle_hash_exists: add missing hash algorithms (!1473) In-Reply-To: References: Message-ID: All discussions on merge request !1473 were resolved by Daiki Ueno https://gitlab.com/gnutls/gnutls/-/merge_requests/1473 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1473 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Sep 20 14:43:06 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Mon, 20 Sep 2021 12:43:06 +0000 Subject: [gnutls-devel] GnuTLS | wrap_nettle_hash_exists: add missing hash algorithms (!1473) In-Reply-To: References: Message-ID: Daiki Ueno commented: Thank you for the review! 
-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1473#note_682012622 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Sep 20 14:43:26 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Mon, 20 Sep 2021 12:43:26 +0000 Subject: [gnutls-devel] GnuTLS | wrap_nettle_hash_exists: add missing hash algorithms (!1473) In-Reply-To: References: Message-ID: Merge request !1473 was scheduled to merge after pipeline succeeds by Daiki Ueno Merge request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1473 Project:Branches: dueno/gnutls:wip/dueno/shake to gnutls/gnutls:master Author: Daiki Ueno Assignees: Reviewers: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1473 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Sep 20 17:24:06 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Mon, 20 Sep 2021 15:24:06 +0000 Subject: [gnutls-devel] GnuTLS | wrap_nettle_hash_exists: add missing hash algorithms (!1473) In-Reply-To: References: Message-ID: Merge request !1473 was merged Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1473 Project:Branches: dueno/gnutls:wip/dueno/shake to gnutls/gnutls:master Author: Daiki Ueno Assignees: Reviewers: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1473 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... 
URL: From gnutls-devel at lists.gnutls.org Mon Sep 20 19:17:16 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Mon, 20 Sep 2021 17:17:16 +0000 Subject: [gnutls-devel] GnuTLS | ktls: basic implementation of SW mode (!1451) In-Reply-To: References: Message-ID: Daniel P. Berrangé started a new discussion on lib/includes/gnutls/socket.h: https://gitlab.com/gnutls/gnutls/-/merge_requests/1451#note_682335583 > #endif > /* *INDENT-ON* */ > > + > + > void gnutls_transport_set_fastopen(gnutls_session_t session, > int fd, > struct sockaddr *connect_addr, > socklen_t connect_addrlen, > unsigned int flags); > > +int gnutls_transport_set_ktls(gnutls_session_t session, > + int sockin, int sockout); Does this actually need to have the socket FDs passed in ? IIUC, there are two common ways to use gnutls. * Use gnutls_transport_set_{push,pull}_function to install callbacks to handle I/O * Use gnutls_transport_set_int2 (or its variants) to set the file descriptor for gnutls to use directly For apps using the latter case, there's no need to pass the same FDs into gnutls again to enable KTLS For apps using the former case with custom callbacks, it is unlikely they'll want to pass FDs in for KTLS, unless they can refactor their code to use gnutls_transport_set_int2 instead. IOW can this method for enabling KTLS simply take the session object and nothing more and it simply be an error to use it if gnutls_transport_set_int2 was not used ? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1451#note_682335583 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed...
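Review bot: the new `gnutls_transport_set_ktls` declaration in lib/includes/gnutls/socket.h gives no hint what its `int` result means or how `sockin` and `sockout` relate to descriptors already set on the session. Document the return values next to the definition, and drop the two blank lines the hunk adds above `gnutls_transport_set_fastopen`, which are unrelated whitespace.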
URL: From gnutls-devel at lists.gnutls.org Mon Sep 20 19:22:29 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Mon, 20 Sep 2021 17:22:29 +0000 Subject: [gnutls-devel] GnuTLS | ktls: basic implementation of SW mode (!1451) In-Reply-To: References: Message-ID: Daniel P. Berrangé commented on a discussion on lib/system/ktls.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1451#note_682339027 > + */ > + > +#include "config.h" > +#include "system/ktls.h" > + > +#ifdef ENABLE_KTLS > + > +#include > +#include > +#include > +#include > +#include > +#include > + > +/** > + * gnutls_transport_set_ktls: If I was using this method, then I expect it would be upfront at the same time as initializing the transport. IOW before handshake. WRT to whether to return an error or do automatic fallback, personally I'd tend towards "do the right thing". I tend to view KTLS as a "nice to have" optimization, rather than a "must have" feature, so want it to be tried, but if not possible, transparently fallback. If there are people, however, that view KTLS as something more critical, then they might want strong guarantees. Perhaps it could motivate a extra param @required: 1 if KTLS is mandatory, 0 if KTLS is optional ? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1451#note_682339027 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Sep 20 19:24:52 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Mon, 20 Sep 2021 17:24:52 +0000 Subject: [gnutls-devel] GnuTLS | ktls: basic implementation of SW mode (!1451) In-Reply-To: References: Message-ID: Daniel P. Berrangé
commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/1451#note_682340565

The only reason for something stronger would be if there are non-optimization reasons for preferring KTLS ? eg some scenario in which using a NIC hardware offload was a critical/must-have feature for the workload, and they don't want any risk of it silently falling back to a software impl ?

From gnutls-devel at lists.gnutls.org Tue Sep 21 10:34:12 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Tue, 21 Sep 2021 08:34:12 +0000
Subject: [gnutls-devel] GnuTLS | ktls: basic implementation of SW mode (!1451)

František Krenželok commented on a discussion on lib/includes/gnutls/socket.h: https://gitlab.com/gnutls/gnutls/-/merge_requests/1451#note_682818397

> #endif > /* *INDENT-ON* */ > > + > + > void gnutls_transport_set_fastopen(gnutls_session_t session, > int fd, > struct sockaddr *connect_addr, > socklen_t connect_addrlen, > unsigned int flags); > > +int gnutls_transport_set_ktls(gnutls_session_t session, > + int sockin, int sockout);

- setting gnutls_transport_set_{push,pull}_function will not do as the received data is handled as encrypted but with ktls and recvmsg we get unencrypted data
- gnutls_transport_set_int2 will not work for instances where gnutls_transport_set_ptr function is used (for example gnutls-cli)

Perhaps there is another way, but we didn't find any

From gnutls-devel at lists.gnutls.org Tue Sep 21 10:48:00 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Tue, 21 Sep 2021 08:48:00 +0000
Subject: [gnutls-devel] GnuTLS | ktls: basic implementation of SW mode (!1451)

Daniel P. Berrangé commented on a discussion on lib/includes/gnutls/socket.h: https://gitlab.com/gnutls/gnutls/-/merge_requests/1451#note_682833280

> #endif > /* *INDENT-ON* */ > > + > + > void gnutls_transport_set_fastopen(gnutls_session_t session, > int fd, > struct sockaddr *connect_addr, > socklen_t connect_addrlen, > unsigned int flags); > > +int gnutls_transport_set_ktls(gnutls_session_t session, > + int sockin, int sockout);

If the user has called 'gnutls_transport_set_{push,pull}_function', then just refuse to enable KTLS, on the basis that this requires access to the FDs directly and so we can't let the user replace the push/pull functions.

If the user has not called 'gnutls_transport_set_{push,pull}_function', then the pull_func/vec_push_func must be 'system_read' / 'system_writev', and those functions expect a socket FD to be set via gnutls_transport_set_int2 / gnutls_transport_set_ptr2.

IOW, if pull_func/vec_push_func are on their defaults, you can safely assume you have FDs and not need to ask for more FDs to enable KTLS.

The alternative is to avoid directly using FDs at all in this code, and introduce yet another push function variant that allows you to pass the control data too:

* ssize_t (*gnutls_msg_push_func) (gnutls_transport_ptr_t, const giovec_t * iov, int iovcnt, const void *control, int *controllen);

which the impl can pack into a 'struct msghdr' and call sendmsg on themselves. You'd also need a callback for purpose of enabling socket options.

From gnutls-devel at lists.gnutls.org Tue Sep 21 11:19:44 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Tue, 21 Sep 2021 09:19:44 +0000
Subject: [gnutls-devel] GnuTLS | tls: enable session tickets always in TLS 1.3 (!1475)

Daiki Ueno created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1475

Project:Branches: dueno/gnutls:wip/dueno/session-ticket-tls13-only to gnutls/gnutls:master
Author: Daiki Ueno

The GNUTLS_NO_TICKETS flag and %NO_TICKETS priority string modifier previously had effect even in TLS 1.3, while TLS 1.3 does not provide any other means to resume sessions. This change introduces a slight incompatibility with the previous behavior in TLS 1.2, where session ticket support was re-enabled with gnutls_session_ticket_enable_server(), though the library now considers the contradiction between the options and API usage as a configuration error.

Fixes: #477

## Checklist
* [x] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [ ] Code modified for feature
* [ ] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
* [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:
* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

From gnutls-devel at lists.gnutls.org Tue Sep 21 13:39:32 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Tue, 21 Sep 2021 11:39:32 +0000
Subject: [gnutls-devel] GnuTLS | ktls: basic implementation of SW mode (!1451)

František Krenželok commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/1451#note_683031408

What about we create an option in `/etc/crypto-policies/back-ends/gnutls.config` file to enable/disable ktls by default and for per connection exception we will have `gnutls_{enable,disable}_ktls` ?

From gnutls-devel at lists.gnutls.org Tue Sep 21 13:45:56 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Tue, 21 Sep 2021 11:45:56 +0000
Subject: [gnutls-devel] GnuTLS | ktls: basic implementation of SW mode (!1451)

Richard W.M. Jones commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/1451#note_683037744

Consider the users. They want things to go as fast as possible, and to break as little as possible. I think we expect kTLS to be faster in every case, which argues for trying to enable it always. But if it's not available, don't fail, fall back to userspace. If this is true then no configuration should be necessary.

From gnutls-devel at lists.gnutls.org Tue Sep 21 14:31:40 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Tue, 21 Sep 2021 12:31:40 +0000
Subject: [gnutls-devel] GnuTLS | ktls: basic implementation of SW mode (!1451)

Daniel P. Berrangé commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/1451#note_683085934

BTW, we should bear in mind that MAC systems like SELinux might block access to KTLS, so any automatic fallback needs to be robust against the scenarios in which KTLS can fail - both because kernel is too old, and because it is blocked by policy

From gnutls-devel at lists.gnutls.org Tue Sep 21 14:56:01 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Tue, 21 Sep 2021 12:56:01 +0000
Subject: [gnutls-devel] GnuTLS | ktls: basic implementation of SW mode (!1451)

František Krenželok commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/1451#note_683114098

I think that both of these cases would fail on `setsockopt (sockin, SOL_TCP, TCP_ULP, "tls", sizeof ("tls"))` which is already handled.

From gnutls-devel at lists.gnutls.org Tue Sep 21 14:57:42 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Tue, 21 Sep 2021 12:57:42 +0000
Subject: [gnutls-devel] GnuTLS | ktls: basic implementation of SW mode (!1451)

František Krenželok commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/1451#note_683116716

If we want to enable ktls by default then it will not work with connections that use gnutls_transport_set_{push,pull}_function as mentioned below by Daniel

From gnutls-devel at lists.gnutls.org Tue Sep 21 15:01:33 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Tue, 21 Sep 2021 13:01:33 +0000
Subject: [gnutls-devel] GnuTLS | ktls: basic implementation of SW mode (!1451)

František Krenželok commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/1451#note_683122463

Regarding that ktls would be in some cases critical/must-have feature, would it be sufficient to call the "is ktls enabled API" after handshake and decide there to either continue the connection or abort it?

From gnutls-devel at lists.gnutls.org Wed Sep 22 17:14:24 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Wed, 22 Sep 2021 15:14:24 +0000
Subject: [gnutls-devel] GnuTLS | ktls: basic implementation of SW mode (!1451)

Hubert Kario (@mention me if you need reply) commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/1451#note_684443839

> Another way to think about this: If you add the set_ktls API, then why wouldn't everyone use it all the time?

at the current time the KTLS on kernel side doesn't support TLS 1.2 renegotiation or TLS 1.3 KeyUpdate
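
The try-then-fall-back behaviour discussed in this thread (optional versus required kTLS, refusal when custom push/pull callbacks are installed, and a query the caller can make afterwards), as an added example that is not code from merge request !1451 or from GnuTLS. `transport_t`, `transport_try_ktls`, `transport_ktls_enabled` and `ktls_decide` are hypothetical names; only the `setsockopt` call comes from the thread.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netinet/tcp.h>
#include <unistd.h>

#ifndef TCP_ULP
#define TCP_ULP 31 /* Linux option number; older libc headers lack the macro */
#endif

/* All names below are hypothetical; none of them is a GnuTLS API. */
typedef enum {
    KTLS_ENABLED  = 0,  /* kernel accepted the "tls" upper-layer protocol */
    KTLS_FALLBACK = 1,  /* not available: keep handling records in userspace */
    KTLS_FAILED   = -1  /* not available and the caller marked it required */
} ktls_result_t;

typedef struct {
    int fd;               /* socket the library reads and writes directly */
    int custom_push_pull; /* 1 if the application installed its own I/O callbacks */
    int ktls_active;      /* answer for a later "is kTLS enabled" query */
    int last_errno;       /* reason for the last refusal, for logging */
} transport_t;

/* Policy only: any failure is a fallback unless the caller required kTLS. */
ktls_result_t ktls_decide(int rc, int required)
{
    if (rc == 0)
        return KTLS_ENABLED;
    return required ? KTLS_FAILED : KTLS_FALLBACK;
}

ktls_result_t transport_try_ktls(transport_t *t, int required)
{
    int rc;

    if (t->custom_push_pull) {
        /* With kTLS the kernel returns plaintext, but custom callbacks are
         * expected to deliver TLS records, so refuse without touching the
         * socket. */
        rc = -1;
        errno = EOPNOTSUPP;
    } else {
        /* Same call as quoted in the thread (SOL_TCP == IPPROTO_TCP on
         * Linux). The thread expects an old kernel and a policy denial to
         * both fail here; errno is kept only for diagnostics. */
        rc = setsockopt(t->fd, IPPROTO_TCP, TCP_ULP, "tls", sizeof("tls"));
    }
    t->ktls_active = (rc == 0);
    t->last_errno = (rc == 0) ? 0 : errno;
    /* Enabling the ULP is only the first step: the negotiated keys still
     * have to be handed to the kernel after the handshake (not shown). */
    return ktls_decide(rc, required);
}

/* The "is kTLS enabled" query a caller can use after the handshake. */
int transport_ktls_enabled(const transport_t *t)
{
    return t->ktls_active;
}

int main(void)
{
    /* Constructed input: a fresh, unconnected TCP socket. */
    transport_t t = { socket(AF_INET, SOCK_STREAM, 0), 0, 0, 0 };
    ktls_result_t r = transport_try_ktls(&t, 0);

    printf("optional: result=%d active=%d reason=%s\n", r,
           transport_ktls_enabled(&t), strerror(t.last_errno));
    r = transport_try_ktls(&t, 1);
    printf("required: result=%d active=%d reason=%s\n", r,
           transport_ktls_enabled(&t), strerror(t.last_errno));
    if (t.fd >= 0)
        close(t.fd);
    return 0;
}
```
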

From gnutls-devel at lists.gnutls.org Wed Sep 22 17:19:57 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Wed, 22 Sep 2021 15:19:57 +0000
Subject: [gnutls-devel] GnuTLS | ktls: basic implementation of SW mode (!1451)

Daniel P. Berrangé commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/1451#note_684449959

Feels like this pushes towards making this a default that can be exposed in the crypto policy files. Even if the distro doesn't enable it for all by default, it still gives the admin a way to turn it on for individual apps via the app specific crypto policy overrides.

From gnutls-devel at lists.gnutls.org Thu Sep 23 09:11:35 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Thu, 23 Sep 2021 07:11:35 +0000
Subject: [gnutls-devel] GnuTLS | fix mingw64 detection (!1476)

Steve Lhomme created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1476

Project:Branches: robUx4/gnutls:mingw64-detection to gnutls/gnutls:master
Author: Steve Lhomme

When building for mingw64 i686, `CertEnumCRLsInStore` is used via LoadLibrary, even though it's available in the toolchain. The `#ifdef` in the original code was intended to only do it for old versions of `mingw32` and never for `mingw64`. But the check for `__MINGW64__` is incorrect as it only matches 64-bits versions of `mingw64`.

This patch uses `__MINGW64_VERSION_MAJOR` instead of `__MINGW64__`.

This was not a problem so far as `LoadLibrary` is available on regular Windows builds.
But it's not available in UWP builds, system calls have to be linked directly, not called indirectly via `LoadLibrary`.

From gnutls-devel at lists.gnutls.org Thu Sep 23 09:15:55 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Thu, 23 Sep 2021 07:15:55 +0000
Subject: [gnutls-devel] GnuTLS | fix mingw64 detection (!1476)

Steve Lhomme commented:

Related issues in UWP builds of VLC

* https://code.videolan.org/videolan/LibVLCSharp/-/issues/370
* https://code.videolan.org/videolan/LibVLCSharp/-/issues/295

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1476#note_684988524

From gnutls-devel at lists.gnutls.org Thu Sep 23 09:52:09 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Thu, 23 Sep 2021 07:52:09 +0000
Subject: [gnutls-devel] GnuTLS | fix mingw64 detection (!1476)

Merge request !1476 was approved by Daiki Ueno

Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1476
Project:Branches: robUx4/gnutls:mingw64-detection to gnutls/gnutls:master
Author: Steve Lhomme
Assignees:
Reviewers:

From gnutls-devel at lists.gnutls.org Thu Sep 23 09:52:25 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Thu, 23 Sep 2021 07:52:25 +0000
Subject: [gnutls-devel] GnuTLS | fix mingw64 detection (!1476)

Merge request !1476 was scheduled to merge after pipeline succeeds by Daiki Ueno

Merge request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1476
Project:Branches: robUx4/gnutls:mingw64-detection to gnutls/gnutls:master
Author: Steve Lhomme
Assignees:
Reviewers:

From gnutls-devel at lists.gnutls.org Thu Sep 23 09:52:17 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Thu, 23 Sep 2021 07:52:17 +0000
Subject: [gnutls-devel] GnuTLS | fix mingw64 detection (!1476)

Daiki Ueno commented:

Thank you!

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1476#note_685024825

From gnutls-devel at lists.gnutls.org Fri Sep 24 07:45:12 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Fri, 24 Sep 2021 05:45:12 +0000
Subject: [gnutls-devel] GnuTLS | fix mingw64 detection (!1476)

Merge request !1476 was merged

Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1476
Project:Branches: robUx4/gnutls:mingw64-detection to gnutls/gnutls:master
Author: Steve Lhomme
Assignees:
Reviewers:

From gnutls-devel at lists.gnutls.org Fri Sep 24 14:01:35 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Fri, 24 Sep 2021 12:01:35 +0000
Subject: [gnutls-devel] GnuTLS | Port openconnect TPM2 code (!1460)

Daiki Ueno changed the draft status of merge request !1460

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1460

From gnutls-devel at lists.gnutls.org Fri Sep 24 14:19:16 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Fri, 24 Sep 2021 12:19:16 +0000
Subject: [gnutls-devel] GnuTLS | Port openconnect TPM2 code (!1460)

Daiki Ueno commented:

@dwmw2 @nmav I think this is almost ready for review (and I would appreciate it). I've tested that it works at least with server certificate authentication in TLS 1.3.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1460#note_686417118

From gnutls-devel at lists.gnutls.org Fri Sep 24 14:24:02 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Fri, 24 Sep 2021 12:24:02 +0000
Subject: [gnutls-devel] GnuTLS | Port openconnect TPM2 code (!1460)

David Woodhouse started a new discussion on lib/tpm2.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1460#note_686422170

> +/* > + * Copyright ? 2018 David Woodhouse.

Strictly 2018-2021 I suppose. I ought to be better about updating that in my own version :)

From gnutls-devel at lists.gnutls.org Fri Sep 24 14:38:10 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Fri, 24 Sep 2021 12:38:10 +0000
Subject: [gnutls-devel] GnuTLS | Port openconnect TPM2 code (!1460)

David Woodhouse commented:

We're using `Esys_RSA_Decrypt` for a signature. Which is mathematically correct, of course, but is it the right thing to do? If we have signature-only keys, might the TPM refuse to let us *decrypt* with them, having trusted us to do the padding for it?

If we were to actually ask the TPM to *sign* for us, would I then not have needed to implement all the PSS padding in the first place? :)

I suspect we might need both.
Using Esys_RSA_Decrypt() will let us use TLSv1.3 with unrestricted RSA keys even when the TPM knows nothing about PSS, but maybe we should fall back to asking for a signature if the key is restricted?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1460#note_686438493

From gnutls-devel at lists.gnutls.org Fri Sep 24 14:40:22 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Fri, 24 Sep 2021 12:40:22 +0000
Subject: [gnutls-devel] GnuTLS | Port openconnect TPM2 code (!1460)

David Woodhouse commented:

Thanks for doing this, btw. Are there changes I should be taking back into the OpenConnect code base? You mention 'cleanups'...

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1460#note_686441866

From gnutls-devel at lists.gnutls.org Fri Sep 24 15:03:01 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Fri, 24 Sep 2021 13:03:01 +0000
Subject: [gnutls-devel] GnuTLS | Port openconnect TPM2 code (!1460)

Daiki Ueno commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/1460#note_686466671

I filed minor fixes at https://gitlab.com/openconnect/openconnect/-/merge_requests/268. Aside from them, most prominent is that `primaryTemplate{_legacy}` is only defined for ECC, so RSA keys cannot be loaded.

From gnutls-devel at lists.gnutls.org Sun Sep 26 16:43:48 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sun, 26 Sep 2021 14:43:48 +0000
Subject: [gnutls-devel] GnuTLS | Port openconnect TPM2 code (!1460)

David Woodhouse commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/1460#note_687150528

The primary key is always EC. It can still be used as the parent for RSA keys.

From gnutls-devel at lists.gnutls.org Sun Sep 26 16:47:45 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sun, 26 Sep 2021 14:47:45 +0000
Subject: [gnutls-devel] GnuTLS | Port openconnect TPM2 code (!1460)

Merge request https://gitlab.com/gnutls/gnutls/-/merge_requests/1460 was reviewed by David Woodhouse

--
David Woodhouse started a new discussion on lib/tpm2_esys.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1460#note_687150994

> + &primary_sensitive, > + info->pub.publicArea.type == TPM2_ALG_RSA ? > + &primary_template_rsa :

That is going to make you incompatible with OpenConnect and the TPM2 engines. The ephemeral primary used as the parent should *always* be EC, regardless of the type of the child key.

You ought to be able to use the keys from the OpenConnect swtpm test suite (and that would have failed).
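Review bot: the ternary on `info->pub.publicArea.type == TPM2_ALG_RSA` chooses the primary template from the type of the key being loaded, so an RSA child and a non-RSA child get different parents on the same TPM; add a comment stating which stored-key format calls for `primary_template_rsa`, and a test that loads an RSA child key created by another implementation.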

From gnutls-devel at lists.gnutls.org Sun Sep 26 18:24:20 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sun, 26 Sep 2021 16:24:20 +0000
Subject: [gnutls-devel] GnuTLS | Port openconnect TPM2 code (!1460)

Daiki Ueno commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/1460#note_687164467

I tried, but it was not possible; maybe I'm missing something. See the reproducer at https://gitlab.com/gnutls/gnutls/-/issues/594#note_651399228. Also the latest tpm2-tss-engine has this (actually a bit more advanced) [logic](https://github.com/tpm2-software/tpm2-tss-engine/blob/master/src/tpm2-tss-engine-common.c#L478).

From gnutls-devel at lists.gnutls.org Sun Sep 26 19:25:01 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sun, 26 Sep 2021 17:25:01 +0000
Subject: [gnutls-devel] GnuTLS | Port openconnect TPM2 code (!1460)

David Woodhouse commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/1460#note_687174001

Argh! That is introducing a fundamental incompatibility. The parent keys need to stick to the precise settings which are actually defined.

From gnutls-devel at lists.gnutls.org Sun Sep 26 20:36:43 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sun, 26 Sep 2021 18:36:43 +0000
Subject: [gnutls-devel] GnuTLS | Port openconnect TPM2 code (!1460)

David Woodhouse commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/1460#note_687188764

@jejb

From gnutls-devel at lists.gnutls.org Sun Sep 26 21:44:49 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sun, 26 Sep 2021 19:44:49 +0000
Subject: [gnutls-devel] GnuTLS | Port openconnect TPM2 code (!1460)

James Bottomley commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/1460#note_687196747

Well, I don't know what to say. The main reason for using an EC parent for RSA keys is that TPM2_CreatePrimary for an RSA primary can take minutes to run on a slow TPM ... you never want to have that happen because the primary is generated on the fly for most key operations; whereas an EC primary is an easy calculation and takes milliseconds even on the slowest of TPMs. I didn't think anyone would be stupid enough to try to do an ephemeral RSA primary, so I never bothered even mentioning it in the docs.

James

From gnutls-devel at lists.gnutls.org Sun Sep 26 21:56:33 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sun, 26 Sep 2021 19:56:33 +0000
Subject: [gnutls-devel] GnuTLS | Port openconnect TPM2 code (!1460)

James Bottomley commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/1460#note_687197994

The correct way to get a functional RSA primary, if you insist on one for RSA keys, is to create it and then deposit it in the well known persistent index 81000001 which is reserved for the RSA primary. Then you specify that index as parent of your RSA key and it means the TPM never has to generate the RSA primary again

James

From gnutls-devel at lists.gnutls.org Mon Sep 27 10:18:16 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Mon, 27 Sep 2021 08:18:16 +0000
Subject: [gnutls-devel] GnuTLS | Port openconnect TPM2 code (!1460)

David Woodhouse commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/1460#note_687452816

Ah, what the tpm2-tss-engine does in https://github.com/tpm2-software/tpm2-tss-engine/commit/4ba57cb1 is subtly different. It falls back to an ephemeral RSA parent if the TPM hardware doesn't support ECC at all.
Not just if the child key being handled right now *happens* to be RSA, which is very wrong.

From gnutls-devel at lists.gnutls.org Mon Sep 27 11:40:14 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Mon, 27 Sep 2021 09:40:14 +0000
Subject: [gnutls-devel] GnuTLS | Port openconnect TPM2 code (!1460)

Daiki Ueno commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/1460#note_687549233

Indeed. So perhaps it's a limitation of swtpm; does the current OpenConnect test suite cover the usage of RSA child keys under swtpm?

From gnutls-devel at lists.gnutls.org Mon Sep 27 11:48:34 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Mon, 27 Sep 2021 09:48:34 +0000
Subject: [gnutls-devel] GnuTLS | Port openconnect TPM2 code (!1460)

David Woodhouse commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/1460#note_687560611

Yes, it does. And swtpm *does* support ECC, so RSA child keys use an ECC generated primary parent. Looks like your code would fail if you try to use `tests/certs/swtpm-rsa-key-tpm.pem` from the OpenConnect tests. OpenConnect and both engines would generate an ECC parent for that as they should, while you'll try to generate an RSA parent.

From gnutls-devel at lists.gnutls.org Tue Sep 28 13:25:56 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Tue, 28 Sep 2021 11:25:56 +0000
Subject: [gnutls-devel] GnuTLS | Port openconnect TPM2 code (!1460)

David Woodhouse commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/1460#note_688887982

> I tried, but it was not possible; maybe I'm missing something. See the reproducer at https://gitlab.com/gnutls/gnutls/-/issues/594#note_651399228

Er, I don't think that "reproducer" is showing what you think it is. That's just demonstrating what I'm *complaining* about here. In that link we see you creating a key with a parent generated one way, and then failing to load it when you generated the parent differently. Yes, that is well known; you can only load the key using the *same* parent. If you try to use a *different* parent, that doesn't work. Even if you keep the key type the same and just vary the flags, like the FixedTPM and FixedParent flags, that still results in a different and incompatible key. That incompatibility is precisely *why* you have to stick to the exact parameters (including key type) that are defined as part of the key storage format!