From gnutls-devel at lists.gnutls.org Tue Mar 1 15:00:50 2022 
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Tue, 01 Mar 2022 14:00:50 +0000
Subject: [gnutls-devel] GnuTLS | Build failure without threads (#1330)

Fabrice Fontaine created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1330

## Description of problem

Build failure without threads raised since version 3.7.3 and commit 482380e9eb78ee134ca985fd7d03306b07c457ce.

## Version of gnutls used:

3.7.3

## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)

buildroot

## How reproducible:

Steps to Reproduce:

* Build gnutls on a toolchain without threads support

## Actual results:

```
kx.c: In function '_gnutls_nss_keylog_write':
kx.c:164:33: error: 'keylog_mutex' undeclared (first use in this function); did you mean 'keylog_once'?
  164 |         if (gnutls_static_mutex_lock(&keylog_mutex) < 0) {
      |                                       ^~~~~~~~~~~~
      |                                       keylog_once
```

`keylog_mutex` is defined as:

```
GNUTLS_STATIC_MUTEX(keylog_mutex);
```

and `GNUTLS_STATIC_MUTEX` is defined as:

```
#define GNUTLS_STATIC_MUTEX(lock) gl_lock_define_initialized(static, lock)
```

This build failure is raised because `gl_rwlock_define_initialized` won't define `lock` if threads are unavailable, see extract of https://git.savannah.gnu.org/cgit/gnulib.git/tree/lib/glthread/lock.h:

```
#if !(USE_ISOC_THREADS || USE_POSIX_THREADS || USE_ISOC_AND_POSIX_THREADS || USE_WINDOWS_THREADS)
/* Provide dummy implementation if threads are not supported. */
# define gl_rwlock_define_initialized(STORAGECLASS, NAME)
```

Full build log: http://autobuild.buildroot.org/results/e09/e092bc11ce4b5908cb6285aa77a3594b8626eeec/build-end.log

## Expected results:

Build should succeed

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1330
You're receiving this email because of your account on gitlab.com.
-------------- next part --------------
An HTML attachment was scrubbed...
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Tue, 01 Mar 2022 17:18:19 +0000
Subject: [gnutls-devel] GnuTLS | Add compress_certificate extension (RFC8879) (!1512)

Merge request !1512 was scheduled to merge after pipeline succeeds by Daiki Ueno

Merge request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1512
Project:Branches: ZoltanFridrich/gnutls:zfridric_devel to gnutls/gnutls:master
Author: Zoltán Fridrich
Assignee: Zoltán Fridrich
Reviewers:

From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Wed, 02 Mar 2022 05:17:12 +0000
Subject: [gnutls-devel] GnuTLS | Add compress_certificate extension (RFC8879) (!1512)

Merge request !1512 was merged

Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1512
Project:Branches: ZoltanFridrich/gnutls:zfridric_devel to gnutls/gnutls:master
Author: Zoltán Fridrich
Assignee: Zoltán Fridrich
Reviewers:
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Wed, 02 Mar 2022 05:17:12 +0000
Subject: [gnutls-devel] GnuTLS | TLS certificate compression (RFC8879) (#1301)

Issue was closed by Daiki Ueno via merge request !1512 (https://gitlab.com/gnutls/gnutls/-/merge_requests/1512)

Issue #1301: https://gitlab.com/gnutls/gnutls/-/issues/1301

From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Wed, 02 Mar 2022 06:34:00 +0000
Subject: [gnutls-devel] GnuTLS | configure.ac: add missing Libs.private for macOS (!1543)

Milestone changed to Release of GnuTLS 3.7.4 (Jan 15, 2022–Mar 15, 2022) ( https://gitlab.com/gnutls/gnutls/-/milestones/33 )

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1543
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Wed, 02 Mar 2022 06:36:40 +0000
Subject: [gnutls-devel] GnuTLS | configure.ac: add missing Libs.private for macOS (!1543)

Daiki Ueno commented:

Thank you for the MR; the change looks good, though I can't really test it as I don't have access to macOS. Could you increase the CI timeout following the GitLab [documentation](https://docs.gitlab.com/ee/ci/pipelines/settings.html#set-a-limit-for-how-long-jobs-can-run) so the static-analyzer task passes? I recommend 3h or 2h.

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1543#note_859519356

From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Wed, 02 Mar 2022 06:36:48 +0000
Subject: [gnutls-devel] GnuTLS | configure.ac: add missing Libs.private for macOS (!1543)

Merge request !1543 was approved by Daiki Ueno

Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1543
Project:Branches: ePirat/gnutls:epirat-fix-missing-frameworks-pc-file to gnutls/gnutls:master
Author: ePirat
Assignees:
Reviewers:
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Wed, 02 Mar 2022 06:37:13 +0000
Subject: [gnutls-devel] GnuTLS | algorithms: ensure _list() exclude non-existing algorithms (!1542)

Milestone changed to Release of GnuTLS 3.7.4 (Jan 15, 2022–Mar 15, 2022) ( https://gitlab.com/gnutls/gnutls/-/milestones/33 )

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1542

From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Wed, 02 Mar 2022 07:20:16 +0000
Subject: [gnutls-devel] GnuTLS | tpm2: dynamically load tss2 libraries as needed (!1544)

All discussions on merge request !1544 were resolved by Daiki Ueno

https://gitlab.com/gnutls/gnutls/-/merge_requests/1544
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Wed, 02 Mar 2022 10:14:12 +0000
Subject: [gnutls-devel] GnuTLS | configure.ac: add missing Libs.private for macOS (!1543)

ePirat commented:

Out of curiosity, is there a reason you don't just define the [timeout](https://docs.gitlab.com/ee/ci/yaml/#timeout) in the `gitlab-ci.yml` if a higher one is always needed?

Will adjust the repo setting and re-run.

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1543#note_859825412

From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Wed, 02 Mar 2022 10:58:50 +0000
Subject: [gnutls-devel] GnuTLS | configure.ac: add missing Libs.private for macOS (!1543)

Daiki Ueno commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/1543#note_859898503

That sounds like a good idea!
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Wed, 02 Mar 2022 10:59:12 +0000
Subject: [gnutls-devel] GnuTLS | configure.ac: add missing Libs.private for macOS (!1543)

All discussions on merge request !1543 were resolved by Daiki Ueno

https://gitlab.com/gnutls/gnutls/-/merge_requests/1543

From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Wed, 02 Mar 2022 10:59:22 +0000
Subject: [gnutls-devel] GnuTLS | configure.ac: add missing Libs.private for macOS (!1543)

Merge request !1543 was scheduled to merge after pipeline succeeds by Daiki Ueno

Merge request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1543
Project:Branches: ePirat/gnutls:epirat-fix-missing-frameworks-pc-file to gnutls/gnutls:master
Author: ePirat
Assignees:
Reviewers:
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Wed, 02 Mar 2022 12:34:18 +0000
Subject: [gnutls-devel] GnuTLS | configure.ac: add missing Libs.private for macOS (!1543)

Merge request !1543 was merged

Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1543
Project:Branches: ePirat/gnutls:epirat-fix-missing-frameworks-pc-file to gnutls/gnutls:master
Author: ePirat
Assignees:
Reviewers:

From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Wed, 02 Mar 2022 14:19:37 +0000
Subject: [gnutls-devel] GnuTLS | tpm2: dynamically load tss2 libraries as needed (!1544)

Merge request !1544 was merged

Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1544
Project:Branches: dueno/gnutls:wip/dueno/libtss2-esys-dlopen to gnutls/gnutls:master
Author: Daiki Ueno
Assignees:
Reviewer: Anderson Sasaki
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Wed, 02 Mar 2022 20:48:18 +0000
Subject: [gnutls-devel] GnuTLS | Insecure OCSP signature should cause OCSP response to be ignored, not fail certificate verification (#1332)

Michael Catanzaro created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1332

## Description of problem:

Currently if a server provides a stapled OCSP response signed with an insecure signature (e.g. SHA-1), certificate verification will fail due to use of an insecure algorithm. Normally it makes sense to fail when we see something insecure, but in this case, the connection would have succeeded had the server not provided any OCSP response at all! It feels like we are punishing the user for the server's failed attempt to improve security by stapling an OCSP response.

Moreover, all other TLS clients handle this properly (to my knowledge). Only GnuTLS on Fedora/RHEL fails. (Most non-GnuTLS clients do not even _look_ at stapled OCSP responses, at least not by default.)

Downstream bug reports: https://bugzilla.redhat.com/show_bug.cgi?id=2003363, https://bugzilla.redhat.com/show_bug.cgi?id=2024296

## Version of gnutls used:

gnutls-3.7.2-3.fc35

## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)

Fedora

## How reproducible:

Always

Steps to Reproduce:

`gnutls-cli dist.nuget.org` (with crypto policy set to DEFAULT)

## Actual results:

```
Processed 155 CA certificate(s).
Resolving 'dist.nuget.org:443'...
Connecting to '152.199.4.184:443'...
- Certificate type: X.509
- Got a certificate list of 2 certificates.
- Certificate[0] info:
 - subject `CN=*.nuget.org,O=Microsoft Corporation,L=Redmond,ST=WA,C=US', issuer `CN=Microsoft Azure TLS Issuing CA 05,O=Microsoft Corporation,C=US', serial 0x330017f392df3169646870385900000017f392, RSA key 2048 bits, signed using RSA-SHA384, activated `2021-08-03 22:49:43 UTC', expires `2022-07-29 22:49:43 UTC', pin-sha256="7gkSvGqS4XDwl3gp0t29UI4+DhjOIkr/NU86obw0bU4="
	Public Key ID:
		sha1:1c54e6eb8d5d83fff91a98314a8430b578b38924
		sha256:ee0912bc6a92e170f0977829d2ddbd508e3e0e18ce224aff354f3aa1bc346d4e
	Public Key PIN:
		pin-sha256:7gkSvGqS4XDwl3gp0t29UI4+DhjOIkr/NU86obw0bU4=
- Certificate[1] info:
 - subject `CN=Microsoft Azure TLS Issuing CA 05,O=Microsoft Corporation,C=US', issuer `CN=DigiCert Global Root G2,OU=www.digicert.com,O=DigiCert Inc,C=US', serial 0x0d7bede97d8209967a52631b8bdd18bd, RSA key 4096 bits, signed using RSA-SHA384, activated `2020-07-29 12:30:00 UTC', expires `2024-06-27 23:59:59 UTC', pin-sha256="4i4h0jN9NROr1xKJI+TQ1Q/ZIfUjPMXtmWUsDR3Pjiw="
- Status: The certificate is NOT trusted. The received OCSP status response is invalid.
*** PKI verification of server certificate failed...
*** Fatal error: Error in the certificate.
```

## Expected results:

No failure... probably.

Possible solutions:

* Simple solution: Ignore the insecure OCSP response. This would treat the insecure OCSP response as equivalent to no OCSP response, so the certificate would be trusted, which seems better than failing the certificate verification.
* Alternative 1: Ignore the insecure OCSP response only if it indicates the certificate has _not_ been revoked. If it indicates the certificate _has_ been revoked, accept the response anyway and distrust the certificate. After all, it would be really weird for a security policy intended to improve security ("SHA-1 is insecure, do not use SHA-1") to result in lower security (trusting a certificate that we know to be revoked because we didn't like the OCSP response)
* Alternative 2: fail the certificate verification, but do so using a new error code, so clients can choose to ignore this condition if desired. This seems less desirable, because it would require modifications in all clients that wish to be web-compatible.
* Alternative 3: add a switch to choose the desired behavior, in case we want to be stricter in RHEL (which might want to adopt alternative 2) than in Fedora (which would really prefer alternative 1 IMO).

From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Thu, 03 Mar 2022 12:49:47 +0000
Subject: [gnutls-devel] GnuTLS | algorithms: ensure _list() exclude non-existing algorithms (!1542)

Reviewer changed to Alexander Sosedkin

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1542
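The behaviours proposed in issue #1332 above, written out as a single decision function so the cases can be compared side by side. This is an added example, not GnuTLS code: the reason bits follow the general shape of a verification-reason bitmask, but their names, the policy and verdict enums and ocsp_decide() itself are assumptions made for this illustration, not the library's API.

```c
/* Added example, not GnuTLS code: the policies proposed in #1332 as one
 * decision function.  Reason bits, enums and ocsp_decide() are assumptions
 * made for this demonstration; they are not GnuTLS identifiers. */

enum ocsp_reason {
    OCSP_SIGNER_NOT_FOUND   = 1 << 0,
    OCSP_UNTRUSTED_SIGNER   = 1 << 1,
    OCSP_SIGNATURE_FAILURE  = 1 << 2,
    OCSP_INSECURE_ALGORITHM = 1 << 3,  /* signature verifies, but e.g. SHA-1 */
    OCSP_CERT_EXPIRED       = 1 << 4
};

enum cert_status { STATUS_GOOD, STATUS_REVOKED, STATUS_UNKNOWN };

enum ocsp_policy {
    POLICY_STRICT,                         /* current behaviour: any reason fails */
    POLICY_IGNORE_INSECURE,                /* "simple solution": as if not stapled */
    POLICY_IGNORE_INSECURE_UNLESS_REVOKED  /* alternative 1 */
};

enum verdict { VERDICT_TRUSTED, VERDICT_REVOKED, VERDICT_OCSP_INVALID };

/* Decides what a stapled response does to a chain that already verified.
 * `reasons` is the OR of ocsp_reason bits produced by verifying the response
 * (0 when it verified cleanly); `have_stapled` is 0 when the server stapled
 * nothing at all. */
enum verdict ocsp_decide(int have_stapled, unsigned reasons,
                         enum cert_status status, enum ocsp_policy policy)
{
    if (!have_stapled)
        return VERDICT_TRUSTED;  /* nothing to check; the chain already passed */

    /* Everything except "weak algorithm" stays fatal under every policy: a
     * response whose signature does not verify, or whose signer is not
     * trusted, carries no information, and ignoring it would let a server
     * staple garbage without consequence. */
    if (reasons & ~(unsigned)OCSP_INSECURE_ALGORITHM)
        return VERDICT_OCSP_INVALID;

    if (reasons & OCSP_INSECURE_ALGORITHM) {
        switch (policy) {
        case POLICY_STRICT:
            return VERDICT_OCSP_INVALID;
        case POLICY_IGNORE_INSECURE:
            return VERDICT_TRUSTED;  /* same outcome as no staple at all */
        case POLICY_IGNORE_INSECURE_UNLESS_REVOKED:
            /* Keep the one answer a weakly signed response can still give
             * without lowering security: "revoked".  Honouring it can at worst
             * produce a false revocation, never revive a revoked certificate. */
            return status == STATUS_REVOKED ? VERDICT_REVOKED : VERDICT_TRUSTED;
        }
    }

    /* Securely signed, cleanly verified response: its status is authoritative.
     * In this model an "unknown" status is treated as no information. */
    return status == STATUS_REVOKED ? VERDICT_REVOKED : VERDICT_TRUSTED;
}
```

The point the function makes explicit is that only the insecure-algorithm reason is a candidate for downgrading; a signature failure or untrusted signer must stay fatal under any policy, otherwise the relaxation turns into "accept any staple".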
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Thu, 03 Mar 2022 13:05:37 +0000
Subject: [gnutls-devel] GnuTLS | algorithms: ensure _list() exclude non-existing algorithms (!1542)

Alexander Sosedkin commented:

Before discussing the implementation, could you please explain the wider intentions of the change? Doesn't reintroducing algorithms to the arrays leave them usable? More globally, what intended definition of `--disable-gost` are you pursuing here?

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1542#note_861556893
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Thu, 03 Mar 2022 13:27:56 +0000
Subject: [gnutls-devel] GnuTLS | lib/system/certs.c: Add support for SSL_CERT_DIR, SSL_CERT_FILE (!1541)

Merge request https://gitlab.com/gnutls/gnutls/-/merge_requests/1541 was reviewed by Alexander Sosedkin

--

Alexander Sosedkin started a new discussion on lib/system/certs.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1541#note_861590873

> + if (d != NULL && d->d_type == DT_REG) {
> + snprintf(path, sizeof(path),
> + "/data/misc/keychain/cacerts-removed/%s",

I guess you intended to use `revoked_certs_dir` here.

--

Alexander Sosedkin started a new discussion on lib/system/certs.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1541#note_861590880

> + do {
> + d = readdir(dirp);
> + if (d != NULL && d->d_type == DT_REG) {

Why just `DT_REG`, by the way?

--

Alexander Sosedkin started a new discussion on lib/system/certs.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1541#note_861590886

> + if (r == 0) {
> + ret =
> + gnutls_x509_trust_list_add_trust_file(list,

Something strange here with the indentation.

--

Alexander Sosedkin started a new discussion on lib/system/certs.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1541#note_861590895

> +
> + if (r == 0) {
> + const char *ssl_cert_dir = getenv("SSL_CERT_DIR");

I guess @dueno's [concern about getenv thread safety](https://gitlab.com/gnutls/gnutls/-/issues/1279#note_706682807) applies.
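Review bot: the snprintf() in the first quoted hunk is used as a bare statement, so its return value is discarded and a directory entry whose name does not fit in `path` is silently truncated; the code would then open a different, shorter name than the one readdir() returned. Compare the return value against sizeof(path) and skip (or fail on) the entry when it does not fit, in addition to replacing the hardcoded `/data/misc/keychain/cacerts-removed/%s` prefix with the directory variable as already noted.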
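Review bot: filtering on `d->d_type == DT_REG` in the second quoted hunk skips two common cases in a certificate directory: entries that are symbolic links (the hash-named links into a central store that the SSL_CERT_DIR convention relies on, reported as DT_LNK) and filesystems that do not fill in d_type at all and return DT_UNKNOWN for everything. Accept DT_LNK and DT_UNKNOWN as well and decide with stat() on the assembled path, using S_ISREG() on the result.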
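Review bot: beyond the thread-safety point, reading `SSL_CERT_DIR` with getenv() in the last quoted hunk lets the caller's environment redirect a library's trust store, which matters for set-user-ID or otherwise privileged programs: an unprivileged user could point such a program at a directory of CAs they control. Use secure_getenv() where available (it returns NULL when the process runs with elevated privileges) or skip the override when getauxval(AT_SECURE) or issetugid() reports that condition, and apply the same guard to SSL_CERT_FILE.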
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Thu, 03 Mar 2022 17:52:39 +0000
Subject: [gnutls-devel] GnuTLS | algorithms: ensure _list() exclude non-existing algorithms (!1542)

Daiki Ueno commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/1542#note_862006221

> Doesn't reintroducing algorithms to the arrays leave them usable?

No. If `--disable-gost` is specified, all the GOST algorithms are compiled out, through conditionals like [this](https://gitlab.com/gnutls/gnutls/-/blob/aa11f1a0f80a039a8dc27912f178443a2b3bd069/lib/nettle/Makefile.am#L77) and the usage is also filtered [out](https://gitlab.com/gnutls/gnutls/-/blob/aa11f1a0f80a039a8dc27912f178443a2b3bd069/lib/nettle/mac.c#L317) internally. Therefore, if one tries to use a GOST algorithm, she will get an unsupported algorithm error, regardless of this and previous MRs.

The problem I try to solve is solely about the indication whether the GOST algorithms are supported: typically with `gnutls-cli --list`. There are two approaches: one (the previous MR) is to remove the algorithms entirely from the **known** algorithm list, and the other is to filter out the algorithms in the API functions (e.g., `_list`) which are supposed to work on the **supported** algorithm list. Both have pros and cons but the former approach has a more severe issue: we break the assumption that the functions that work on the **known** algorithm list, such as `gnutls_cipher_get_name`, should never return NULL or error, if the given algorithm ID is defined in ``. Note that we cannot easily remove GOST algorithm IDs from the public header as it breaks API compatibility.

I believe the ideal situation is:

1. we make a clear distinction between the functions that work on the **known** or the **supported** algorithm list
2. the functions supposed to work on the **known** algorithm list should never return NULL or error for algorithm IDs defined in the public header
3. to check whether an algorithm is **supported**, a helper function is provided to complement (2)

From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Fri, 04 Mar 2022 15:02:19 +0000
Subject: [gnutls-devel] GnuTLS | Build failure without threads (#1330)

Daiki Ueno commented:

Thank you for the report; I guess we probably need to turn `gnutls_static_mutex_lock` etc. into a macro so the call itself will be eliminated at compile time, something like:

```c
#define gnutls_static_mutex_lock(NAME) \
	(unlikely(glthread_lock_lock(NAME)) ? \
	 gnutls_assert_val(GNUTLS_E_LOCKING_ERROR) : 0)
```

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1330#note_863132845
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Fri, 04 Mar 2022 17:57:55 +0000
Subject: [gnutls-devel] GnuTLS | algorithms: ensure _list() exclude non-existing algorithms (!1542)

Alexander Sosedkin commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/1542#note_863403123

OK, thank you for clarifying the goal and pointing at the lib/nettle layer of blocking. Makes sense, and makes sense to have `--list` / `_list` enumerate supported ones then.

Nothing caught my eye in 7cc41f32f16e6571d04acac65b713318827bfc72.

From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Fri, 04 Mar 2022 17:58:16 +0000
Subject: [gnutls-devel] GnuTLS | algorithms: ensure _list() exclude non-existing algorithms (!1542)

Merge request !1542 was approved by Alexander Sosedkin

Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1542
Project:Branches: dueno/gnutls:wip/dueno/strcodes to gnutls/gnutls:master
Author: Daiki Ueno
Assignees:
Reviewer: Alexander Sosedkin
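The "known" versus "supported" split that the !1542 discussion above settles on, as a self-contained C model. This is an added example and not GnuTLS code: the algorithm names and IDs, the ENABLE_GOST switch standing in for `--disable-gost`, and the alg_* function names are assumptions chosen for the illustration; GnuTLS's own tables under lib/algorithms/ are larger and shaped differently.

```c
/* Added example, not GnuTLS code: a "known" table that keeps every public ID,
 * with availability tracked separately.  Names, IDs, ENABLE_GOST and the
 * alg_* functions are assumptions made for this demonstration. */
#include <stddef.h>
#include <string.h>

typedef enum {
    ALG_UNKNOWN = 0,
    ALG_AES_128_GCM = 1,
    ALG_CHACHA20_POLY1305 = 2,
    ALG_GOST28147_TC26Z_CNT = 3,
    ALG_MAGMA_CTR_ACPKM = 4
} alg_id_t;

struct alg_entry {
    const char *name;
    alg_id_t id;
    int available;  /* 0 when this build was configured without the algorithm */
};

#ifdef ENABLE_GOST
#define GOST_AVAILABLE 1
#else
#define GOST_AVAILABLE 0  /* --disable-gost: still in the table, not usable */
#endif

/* The KNOWN table has an entry for every ID the public header defines, so
 * that compiling a backend out never turns a valid ID into "no such algorithm"
 * and the API stays compatible. */
static const struct alg_entry known_algs[] = {
    { "AES-128-GCM",         ALG_AES_128_GCM,         1 },
    { "CHACHA20-POLY1305",   ALG_CHACHA20_POLY1305,   1 },
    { "GOST28147-TC26Z-CNT", ALG_GOST28147_TC26Z_CNT, GOST_AVAILABLE },
    { "MAGMA-CTR-ACPKM",     ALG_MAGMA_CTR_ACPKM,     GOST_AVAILABLE },
    { NULL, ALG_UNKNOWN, 0 }
};

/* Known-list function (point 2 in the discussion): never NULL for an ID
 * defined in the header, whether or not the algorithm is compiled in. */
const char *alg_get_name(alg_id_t id)
{
    for (const struct alg_entry *e = known_algs; e->name != NULL; e++)
        if (e->id == id)
            return e->name;
    return NULL;  /* only for IDs that are not in the public header at all */
}

/* The helper from point 3: answers "can this build use it?" separately. */
int alg_is_supported(alg_id_t id)
{
    for (const struct alg_entry *e = known_algs; e->name != NULL; e++)
        if (e->id == id)
            return e->available;
    return 0;
}

/* Supported-list function: what a `--list` style enumeration should show.
 * Stores up to `max` supported IDs in `out` and returns how many there are. */
size_t alg_list(alg_id_t *out, size_t max)
{
    size_t n = 0;
    for (const struct alg_entry *e = known_algs; e->name != NULL; e++)
        if (e->available && n < max)
            out[n++] = e->id;
    return n;
}

/* In this model a name only resolves when the algorithm is usable, so a
 * disabled algorithm in a priority string is rejected like an unknown one. */
alg_id_t alg_get_id(const char *name)
{
    for (const struct alg_entry *e = known_algs; e->name != NULL; e++)
        if (e->available && strcmp(e->name, name) == 0)
            return e->id;
    return ALG_UNKNOWN;
}

/* Convenience wrapper for callers that only want the count. */
size_t alg_count_supported(void)
{
    alg_id_t buf[16];
    return alg_list(buf, sizeof buf / sizeof buf[0]);
}
```

Built without ENABLE_GOST, alg_get_name() still names the GOST IDs while alg_list() and alg_is_supported() leave them out, which is the behaviour the merge request asks of `_list()`.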
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Fri, 04 Mar 2022 18:33:44 +0000
Subject: [gnutls-devel] GnuTLS | jsonopts: make option description type-safe (!1535)

Merge request https://gitlab.com/gnutls/gnutls/-/merge_requests/1535 was reviewed by Alexander Sosedkin

--

Alexander Sosedkin started a new discussion on src/certtool-options.json: https://gitlab.com/gnutls/gnutls/-/merge_requests/1535#note_863432696

> + "short-option": "V",
> "desc": "More verbose output",
> - "disabled": "",

Since we no longer have `"disabled"`, we can get rid of its handling as well.

--

Alexander Sosedkin started a new discussion on src/certtool-options.json: https://gitlab.com/gnutls/gnutls/-/merge_requests/1535#note_863432700

> "desc": "Input file",
> - "file-exists": "yes"
> + "detail": "",

Nit: could it be just omitted?

--

Alexander Sosedkin started a new discussion on src/certtool-options.json: https://gitlab.com/gnutls/gnutls/-/merge_requests/1535#note_863432703

> - "prog-name": "certtool",
> + "short-usage": "certtool [options]\ncerttool --help for usage instructions.\n",
> + "explain": "",

Doesn't seem to be handled anywhere, is it OK?

--

Alexander Sosedkin started a new discussion on src/certtool-options.json: https://gitlab.com/gnutls/gnutls/-/merge_requests/1535#note_863432707

> - "desc": "",
> - "prog-name": "certtool",
> + "short-usage": "certtool [options]\ncerttool --help for usage instructions.\n",

diff is rather noisy, wonder why

--

Alexander Sosedkin started a new discussion on doc/scripts/gen-cmd-texi.py: https://gitlab.com/gnutls/gnutls/-/merge_requests/1535#note_863432710

> level: int,
> - options: Sequence[Mapping[str, str]]) -> str:
> + options: Sequence[Mapping[str, Any]]) -> str:

Not sure if it'd be reasonable to ask for a `TypedDict` schema on everything, but could it be at least a `Mapping[str, Value]`, where `Value` is `Union[str, ValueRange]` and `ValueRange` is a `TypedDict`?
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Fri, 04 Mar 2022 20:51:28 +0000
Subject: [gnutls-devel] GnuTLS | Build failure without threads (#1330)

Fabrice Fontaine commented:

Unfortunately, turning `gnutls_static_mutex_lock` into a macro doesn't fix the issue. `lock` will still be undefined. Indeed, the issue is due to `GNUTLS_STATIC_MUTEX`, not `gnutls_static_mutex_lock`.

It should be noted that the same build failure is raised with `gnutls_rwlock_rdlock`:

```
priority.c: In function '_gnutls_update_system_priorities':
priority.c:1857:30: error: 'system_wide_config_rwlock' undeclared (first use in this function); did you mean 'system_wide_config'?
 1857 |         ret = gnutls_rwlock_rdlock(&system_wide_config_rwlock);
      |                              ^~~~~~~~~~~~~~~~~~~~~~~~~
      |                              system_wide_config
```

A possible workaround is to guard all mutexes (i.e. `file_mutex`, `global_init_mutex`, `keylog_mutex`, `gnutls_rnd_ctx_list_mutex` and `system_wide_config_rwlock`) by `ifdef HAVE_PTHREAD_MUTEX_LOCK`. I can send a MR if this is acceptable.

Another option is to disable gnutls on toolchains without threads.

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1330#note_863539390
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sat, 05 Mar 2022 07:17:47 +0000
Subject: [gnutls-devel] GnuTLS | algorithms: ensure _list() exclude non-existing algorithms (!1542)

All discussions on merge request !1542 were resolved by Daiki Ueno

https://gitlab.com/gnutls/gnutls/-/merge_requests/1542

From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sat, 05 Mar 2022 07:18:00 +0000
Subject: [gnutls-devel] GnuTLS | algorithms: ensure _list() exclude non-existing algorithms (!1542)

Daiki Ueno commented:

Thank you for the review.

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1542#note_863749566
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sat, 05 Mar 2022 07:18:08 +0000
Subject: [gnutls-devel] GnuTLS | algorithms: ensure _list() exclude non-existing algorithms (!1542)

Merge request !1542 was merged

Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1542
Project:Branches: dueno/gnutls:wip/dueno/strcodes to gnutls/gnutls:master
Author: Daiki Ueno
Assignees:
Reviewer: Alexander Sosedkin

From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sat, 05 Mar 2022 07:50:24 +0000
Subject: [gnutls-devel] GnuTLS | Build failure without threads (#1330)

Daiki Ueno commented on a discussion: https://gitlab.com/gnutls/gnutls/-/issues/1330#note_863756047

As far as I can see, the kx.c compilation has been fixed after the macro rewrite (I could reproduce it with `--disable-threads`). I think `gnutls_rwlock_*lock` and `gnutls_once` need also to be rewritten as a macro.
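Why the macro rewrite discussed in #1330 above makes a thread-less build compile while a wrapper function does not, shown on a minimal lock wrapper. This is an added example, not GnuTLS or gnulib code: STATIC_MUTEX, static_mutex_lock, static_mutex_unlock and the HAVE_THREADS switch are names chosen for the demonstration; the real macros are GNUTLS_STATIC_MUTEX and gnulib's gl_lock_define_initialized, which has the same "expands to nothing" behaviour without a thread library.

```c
/* Added example, not GnuTLS or gnulib code: a lock wrapper that builds with
 * and without thread support.  STATIC_MUTEX, static_mutex_lock,
 * static_mutex_unlock and HAVE_THREADS are assumptions for this demo. */
#include <stddef.h>

#ifdef HAVE_THREADS
#include <pthread.h>
/* Threaded build: a real, statically initialised mutex and the pthread
 * primitives; the ternary turns the errno-style return into 0 / -1. */
#define STATIC_MUTEX(name) static pthread_mutex_t name = PTHREAD_MUTEX_INITIALIZER
#define static_mutex_lock(name)   (pthread_mutex_lock(name) != 0 ? -1 : 0)
#define static_mutex_unlock(name) (pthread_mutex_unlock(name) != 0 ? -1 : 0)
#else
/* Thread-less build: the definition expands to nothing, as gnulib's
 * gl_lock_define_initialized does without a thread library.  The lock and
 * unlock wrappers must then be macros that never mention their argument: the
 * preprocessor drops `&name` before the compiler sees it, so the variable
 * that was never declared is also never looked up.  A wrapper *function*
 * taking a pointer would leave `&name` in the translation unit and fail with
 * "undeclared", which is exactly the kx.c error in the report. */
#define STATIC_MUTEX(name)
#define static_mutex_lock(name)   (0)
#define static_mutex_unlock(name) (0)
#endif

STATIC_MUTEX(counter_mutex);
static unsigned long counter;

/* Increments a shared counter under the lock.  Returns the new value, or 0
 * if the lock could not be taken or released. */
unsigned long counted_increment(void)
{
    unsigned long v;

    if (static_mutex_lock(&counter_mutex) < 0)
        return 0;
    v = ++counter;
    if (static_mutex_unlock(&counter_mutex) < 0)
        return 0;
    return v;
}
```

Compiled as is, the thread-less branch is taken and the file builds with no mutex symbol at all; compiling with `-DHAVE_THREADS -pthread` takes the other branch and links the real mutex. Note that this only covers the lock and unlock calls: any other place that names the mutex object directly (a `gnutls_once`-style call, or taking its address for another purpose) needs the same macro treatment, which is the point of the last comment above.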
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Sat, 05 Mar 2022 09:35:44 +0000 Subject: [gnutls-devel] GnuTLS | The --seed option of certtool creates a possible security loophole (#1333) References: Message-ID: Günther Brunthaler created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1333 Under POSIX-like operating systems, the command line arguments of all executed commands are visible to all users on the system. If malicious user Eve watches the certtool invocation of a different user Alice who is using the --seed option, Eve will know what seed Alice's private key has been generated from. If Alice also used the --provable option, Eve will even be able to reconstruct Alice's private key, which is a very bad thing. Recommendation: The --seed option should either be removed or be explicitly documented to be suitable for debugging and testing only. A new option should be added which allows the seed to be read from a file. In this case, Eve will only see the filename on the command line, but not the contents of the file. BTW: The --password option has quite a similar problem. But there is the possibility to read it from standard input or from the configuration file. Can the seed maybe be read from the configuration file also? But if so, neither the documentation nor the example configuration file mentions it. Additional references: Other Downstream bug reports related to this issue: https://github.com/ShiftMediaProject/gnutls/issues/22 Known external projects blocked by this issue: https://github.com/guenther-brunthaler/tilde_anyone-someplace-ssl__pki-dajhgna82z9cx6kwy6yalncmt/commit/6fd5cc20bd3a70d8bc447c8f3532e2810218edf5 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1333 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... 
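The argv leak described in issue #1333 above, as an added example that is not part of the issue or of GnuTLS: a child process carrying a secret in its argument vector is inspected the way any local user could inspect it, first with the secret on the command line, then with only a path to a mode-0600 file. Assumptions: a POSIX host where /proc/<pid>/cmdline (or `ps`) exposes other processes' argv; the `--seed=` and `--seed-file=` strings are illustrative arguments handed to a sleeping Python child, not real certtool options, and `seed_on_command_line` / `seed_in_private_file` are names chosen for this example.

```python
"""Added example, not code from the GnuTLS issue or project.

Shows why a secret passed in argv (the certtool --seed case reported above)
is visible to every local user, and how a mode-0600 file keeps the value
out of the process table. Assumptions: a POSIX host where /proc/<pid>/cmdline
or `ps` exposes other processes' argv; the --seed and --seed-file strings
are illustrative arguments given to a sleeping Python child, not certtool.
"""
import os
import stat
import subprocess
import sys
import tempfile
from typing import Tuple


def read_argv(pid: int) -> str:
    """Return another process's argument vector, as any local user could."""
    proc_path = f"/proc/{pid}/cmdline"
    if os.path.exists(proc_path):
        with open(proc_path, "rb") as fh:
            return fh.read().replace(b"\0", b" ").decode(errors="replace")
    # Fallback for hosts without procfs (e.g. macOS): ask ps for the args.
    result = subprocess.run(["ps", "-o", "args=", "-p", str(pid)],
                            capture_output=True, text=True, check=False)
    return result.stdout


def _spawn_with_args(*extra: str) -> subprocess.Popen:
    # Stand-in for certtool: a Python child that sleeps, carrying `extra` in argv.
    return subprocess.Popen(
        [sys.executable, "-c", "import time; time.sleep(30)", *extra])


def _argv_of_child(*extra: str) -> str:
    """Spawn a child with `extra` in argv, read its argv back, then reap it."""
    child = _spawn_with_args(*extra)
    try:
        return read_argv(child.pid)
    finally:
        child.kill()
        child.wait()


def seed_on_command_line(seed_hex: str) -> bool:
    """True when the seed shows up in the process table (the reported problem)."""
    return seed_hex in _argv_of_child(f"--seed={seed_hex}")


def seed_in_private_file(seed_hex: str) -> Tuple[bool, bool]:
    """Return (seed visible in argv, seed file readable by owner only).

    The child only sees the path; the seed itself sits in a 0600 file.
    """
    fd, path = tempfile.mkstemp(prefix="seed-")
    try:
        os.fchmod(fd, stat.S_IRUSR | stat.S_IWUSR)   # 0600: owner only
        os.write(fd, seed_hex.encode())
        os.close(fd)
        argv = _argv_of_child(f"--seed-file={path}")
        owner_only = stat.S_IMODE(os.stat(path).st_mode) == 0o600
        return seed_hex in argv, owner_only
    finally:
        os.unlink(path)


if __name__ == "__main__":
    # Constructed sample seed; a real one would drive the key generation RNG.
    SEED = "0badc0ffee" * 4
    print("seed leaked via argv:", seed_on_command_line(SEED))
    print("(leaked via argv, file is private):", seed_in_private_file(SEED))
```

The same inspection works against any other user's processes, which is the point of the issue: argv is not a secret channel, whereas a file created by `mkstemp` and kept at mode 0600 is readable only by its owner (and root).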
URL: From gnutls-devel at lists.gnutls.org Mon Mar 7 23:45:27 2022 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Mon, 07 Mar 2022 22:45:27 +0000 Subject: [gnutls-devel] GnuTLS | Build failure without threads (#1330) In-Reply-To: References: Message-ID: Fabrice Fontaine commented: If you're able to reproduce the issue and fixed it with the macro rewrite. Then, I'm probably doing something wrong. I would happily retrieve your commit or Merge Request and test it with buildroot. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1330#note_865986559 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Mar 9 01:24:34 2022 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 09 Mar 2022 00:24:34 +0000 Subject: [gnutls-devel] GnuTLS | fips: use GNUTLS_FIPS140_STRICT instead of magic number. (!1547) References: Message-ID: Tobias Heider created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1547 Project:Branches: tobhe/gnutls:fips to gnutls/gnutls:master Author: Tobias Heider Just a quick readability fix found while skimming through the code. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1547 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Mar 9 07:16:44 2022 
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 09 Mar 2022 06:16:44 +0000 Subject: [gnutls-devel] GnuTLS | Make option description type-safe (!1535) In-Reply-To: References: Message-ID: Daiki Ueno changed the draft status of merge request !1535 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1535 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Mar 9 07:21:01 2022 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 09 Mar 2022 06:21:01 +0000 Subject: [gnutls-devel] GnuTLS | Make option description type-safe (!1535) In-Reply-To: References: Message-ID: Daiki Ueno commented: @asosedkin I've overhauled the JSON schema and moved the infrastructure to a separate [project](https://gitlab.com/gnutls/cligen). -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1535#note_867868705 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Mar 9 07:21:50 2022 
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 09 Mar 2022 06:21:50 +0000 Subject: [gnutls-devel] GnuTLS | fips: use GNUTLS_FIPS140_STRICT instead of magic number. (!1547) In-Reply-To: References: Message-ID: Merge request !1547 was approved by Daiki Ueno Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1547 Project:Branches: tobhe/gnutls:fips to gnutls/gnutls:master Author: Tobias Heider Assignees: Reviewers: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1547 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Mar 9 07:26:49 2022 
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 09 Mar 2022 06:26:49 +0000 Subject: [gnutls-devel] GnuTLS | .gitlab-ci.yml: prolong timeout for slow CI jobs (!1548) References: Message-ID: Daiki Ueno created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1548 Project:Branches: dueno/gnutls:wip/dueno/ci-timeout to gnutls/gnutls:master Author: Daiki Ueno .. ## Checklist * [x] Commits have `Signed-off-by:` with name/author being identical to the commit author * [ ] Code modified for feature * [ ] Test suite updated with functionality tests * [ ] Test suite updated with negative tests * [ ] Documentation updated / NEWS entry present (for non-trivial changes) * [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout) ## Reviewer's checklist: * [ ] Any issues marked for closing are addressed * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md` * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1548 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Mar 9 08:46:41 2022 
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 09 Mar 2022 07:46:41 +0000 Subject: [gnutls-devel] GnuTLS | locks: define lock functions as a macro (!1549) References: Message-ID: Daiki Ueno created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1549 Project:Branches: dueno/gnutls:wip/dueno/lock-macro to gnutls/gnutls:master Author: Daiki Ueno When threads are not supported, glthread_* functions are defined as no-op and thus dereferencing lock variables in inline functions will cause compilation error. This change fixes it by redefining our lock functions as a macro so it will also be compiled out. Reported by Fabrice Fontaine in: https://gitlab.com/gnutls/gnutls/-/issues/1330 Fixes: #1330 ## Checklist * [x] Commits have `Signed-off-by:` with name/author being identical to the commit author * [ ] Code modified for feature * [ ] Test suite updated with functionality tests * [ ] Test suite updated with negative tests * [ ] Documentation updated / NEWS entry present (for non-trivial changes) * [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout) ## Reviewer's checklist: * [ ] Any issues marked for closing are addressed * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md` * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1549 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Mar 9 08:49:22 2022 
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 09 Mar 2022 07:49:22 +0000 Subject: [gnutls-devel] GnuTLS | Build failure without threads (#1330) In-Reply-To: References: Message-ID: Daiki Ueno commented on a discussion: https://gitlab.com/gnutls/gnutls/-/issues/1330#note_867949990 My previous response was actually based on your new build log, that indicated a different error ;-) but I have filed !1549. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1330#note_867949990 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Mar 9 08:50:28 2022 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 09 Mar 2022 07:50:28 +0000 Subject: [gnutls-devel] GnuTLS | Build failure without threads (#1330) In-Reply-To: References: Message-ID: Milestone changed to Release of GnuTLS 3.7.4 (Jan 15, 2022 – Mar 15, 2022) ( https://gitlab.com/gnutls/gnutls/-/milestones/33 ) -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1330 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Mar 9 09:15:24 2022 
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 09 Mar 2022 08:15:24 +0000 Subject: [gnutls-devel] GnuTLS | Build failure without threads (#1330) In-Reply-To: References: Message-ID: Fabrice Fontaine commented on a discussion: https://gitlab.com/gnutls/gnutls/-/issues/1330#note_867981727 Indeed, !1549 fixes the build failure, thanks for your help. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1330#note_867981727 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Mar 9 09:45:46 2022 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 09 Mar 2022 08:45:46 +0000 Subject: [gnutls-devel] GnuTLS | .gitlab-ci.yml: prolong timeout for slow CI jobs (!1548) In-Reply-To: References: Message-ID: Daiki Ueno commented: I'm merging this without approval, as it is CI-only change. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1548#note_868027137 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Mar 9 09:45:49 2022 
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 09 Mar 2022 08:45:49 +0000 Subject: [gnutls-devel] GnuTLS | .gitlab-ci.yml: prolong timeout for slow CI jobs (!1548) In-Reply-To: References: Message-ID: Merge request !1548 was merged Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1548 Project:Branches: dueno/gnutls:wip/dueno/ci-timeout to gnutls/gnutls:master Author: Daiki Ueno Assignees: Reviewers: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1548 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Mar 9 09:47:52 2022 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 09 Mar 2022 08:47:52 +0000 Subject: [gnutls-devel] GnuTLS | fips: use GNUTLS_FIPS140_STRICT instead of magic number. (!1547) In-Reply-To: References: Message-ID: Daiki Ueno commented: Thank you! Sorry for the inconvenience but could you rebase to avoid CI timeout (!1548)? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1547#note_868030595 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Mar 9 10:52:59 2022 
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 09 Mar 2022 09:52:59 +0000 Subject: [gnutls-devel] GnuTLS | fips: use GNUTLS_FIPS140_STRICT instead of magic number. (!1547) In-Reply-To: References: Message-ID: Merge request !1547 was scheduled to merge after pipeline succeeds by Daiki Ueno Merge request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1547 Project:Branches: tobhe/gnutls:fips to gnutls/gnutls:master Author: Tobias Heider Assignees: Reviewers: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1547 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Mar 9 12:08:43 2022 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 09 Mar 2022 11:08:43 +0000 Subject: [gnutls-devel] GnuTLS | fips: use GNUTLS_FIPS140_STRICT instead of magic number. (!1547) In-Reply-To: References: Message-ID: Merge request !1547 was merged Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1547 Project:Branches: tobhe/gnutls:fips to gnutls/gnutls:master Author: Tobias Heider Assignees: Reviewers: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1547 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Mar 9 12:11:22 2022 
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 09 Mar 2022 11:11:22 +0000 Subject: [gnutls-devel] GnuTLS | locks: define lock functions as a macro (!1549) In-Reply-To: References: Message-ID: Merge request !1549 was approved by František Krenželok Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1549 Project:Branches: dueno/gnutls:wip/dueno/lock-macro to gnutls/gnutls:master Author: Daiki Ueno Assignees: Reviewers: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1549 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Mar 9 12:26:04 2022 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 09 Mar 2022 11:26:04 +0000 Subject: [gnutls-devel] GnuTLS | locks: define lock functions as a macro (!1549) In-Reply-To: References: Message-ID: Merge request !1549 was merged Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1549 Project:Branches: dueno/gnutls:wip/dueno/lock-macro to gnutls/gnutls:master Author: Daiki Ueno Assignees: Reviewers: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1549 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Mar 9 12:26:05 2022 
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 09 Mar 2022 11:26:05 +0000 Subject: [gnutls-devel] GnuTLS | Build failure without threads (#1330) In-Reply-To: References: Message-ID: Issue was closed by Daiki Ueno via merge request !1549 (https://gitlab.com/gnutls/gnutls/-/merge_requests/1549) Issue #1330: https://gitlab.com/gnutls/gnutls/-/issues/1330 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1330 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Mar 9 12:26:20 2022 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 09 Mar 2022 11:26:20 +0000 Subject: [gnutls-devel] GnuTLS | locks: define lock functions as a macro (!1549) In-Reply-To: References: Message-ID: Daiki Ueno commented: Thanks for the review! -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1549#note_868367524 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Mar 9 13:55:15 2022 
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 09 Mar 2022 12:55:15 +0000 Subject: [gnutls-devel] GnuTLS | gnutls 3.16.3: building of guile bindings fails on macOS with Xcode 13: file not found (#1322) In-Reply-To: References: Message-ID: Ryan Schmidt commented: To emphasize: This is a new problem with Xcode 13. The problem does not happen when using earlier versions of Xcode. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1322#note_868497181 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Mar 9 15:17:12 2022 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 09 Mar 2022 14:17:12 +0000 Subject: [gnutls-devel] GnuTLS | `certtool` permits creation of certificates with "negative" serial numbers (#1237) In-Reply-To: References: Message-ID: Zoltán Fridrich commented: This does not seem to be an issue anymore. This is the output while generating the certificate; ``` Enter the certificate's serial number in decimal (123) or hex (0xabcd) (default is 0x426e0c822330b02052a063c023d54987280d8c4f) value: 0 Integer out of range: `0' (min: 1, max: 9223372036854775806) error parsing certificate's serial number: 0 ``` -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1237#note_868643125 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Mar 9 15:17:44 2022 
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 09 Mar 2022 14:17:44 +0000 Subject: [gnutls-devel] GnuTLS | `certtool` permits creation of certificates with "negative" serial numbers (#1237) In-Reply-To: References: Message-ID: Issue was closed by Zoltán Fridrich Issue #1237: https://gitlab.com/gnutls/gnutls/-/issues/1237 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1237 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Mar 9 16:34:17 2022 
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 09 Mar 2022 15:34:17 +0000 Subject: [gnutls-devel] GnuTLS | Make option description type-safe (!1535) In-Reply-To: References: Message-ID: Merge request https://gitlab.com/gnutls/gnutls/-/merge_requests/1535 was reviewed by Daiki Ueno -- Daiki Ueno commented on a discussion on src/certtool-options.json: https://gitlab.com/gnutls/gnutls/-/merge_requests/1535#note_868804434 > - "desc": "", > - "prog-name": "certtool", > + "short-usage": "certtool [options]\ncerttool --help for usage instructions.\n", That's because we added ordering of the properties. -- Daiki Ueno commented on a discussion on src/certtool-options.json: https://gitlab.com/gnutls/gnutls/-/merge_requests/1535#note_868804474 > - "prog-name": "certtool", > + "short-usage": "certtool [options]\ncerttool --help for usage instructions.\n", > + "explain": "", Indeed, removed. -- Daiki Ueno commented on a discussion on doc/scripts/gen-cmd-texi.py: https://gitlab.com/gnutls/gnutls/-/merge_requests/1535#note_868804486 > level: int, > - options: Sequence[Mapping[str, str]]) -> str: > + options: Sequence[Mapping[str, Any]]) -> str: Now the options are defined in a stricter schema, so mapping is gone. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1535 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Mar 9 16:34:59 2022 
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 09 Mar 2022 15:34:59 +0000 Subject: [gnutls-devel] GnuTLS | Make option description type-safe (!1535) In-Reply-To: References: Message-ID: Daiki Ueno commented on a discussion on src/certtool-options.json: https://gitlab.com/gnutls/gnutls/-/merge_requests/1535#note_868805555 > "desc": "Enable debugging", > - "arg-max": " 9999", > "detail": "Specifies the debug level.", > + "arg-range": { > + "min": 0, > + "max": 9999 > + }, > "arg-type": "number" > }, > { > - "short-option": "V", > - "max": "NOLIMIT", > "long-option": "verbose", > + "short-option": "V", > "desc": "More verbose output", > - "disabled": "", Removed. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1535#note_868805555 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Mar 9 16:38:09 2022 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 09 Mar 2022 15:38:09 +0000 Subject: [gnutls-devel] GnuTLS | gnutls 3.16.3: building of guile bindings fails on macOS with Xcode 13: file not found (#1322) In-Reply-To: References: Message-ID: Daiki Ueno commented: @civodul any clue? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1322#note_868812642 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Mar 10 10:59:16 2022 
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Thu, 10 Mar 2022 09:59:16 +0000 Subject: [gnutls-devel] GnuTLS | Make option description type-safe (!1535) In-Reply-To: References: Message-ID: Daiki Ueno commented on a discussion on src/certtool-options.json: https://gitlab.com/gnutls/gnutls/-/merge_requests/1535#note_869899263 > { > - "short-option": "V", > - "max": "NOLIMIT", > "long-option": "verbose", > + "short-option": "V", > "desc": "More verbose output", > - "disabled": "", > "detail": "" > }, > { > "long-option": "infile", > - "detail": "", > - "arg-type": "file", > "desc": "Input file", > - "file-exists": "yes" > + "detail": "", Removed -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1535#note_869899263 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Mar 10 10:59:18 2022 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Thu, 10 Mar 2022 09:59:18 +0000 Subject: [gnutls-devel] GnuTLS | Make option description type-safe (!1535) In-Reply-To: References: Message-ID: All discussions on merge request !1535 were resolved by Daiki Ueno https://gitlab.com/gnutls/gnutls/-/merge_requests/1535 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1535 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Mar 10 11:20:32 2022 
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Thu, 10 Mar 2022 10:20:32 +0000 Subject: [gnutls-devel] GnuTLS | Make option description type-safe (!1535) In-Reply-To: References: Message-ID: Daiki Ueno commented: @asosedkin I think it's ready for review -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1535#note_869935772 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Mar 10 11:20:46 2022 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Thu, 10 Mar 2022 10:20:46 +0000 Subject: [gnutls-devel] GnuTLS | Make option description type-safe (!1535) In-Reply-To: References: Message-ID: Reviewer changed to Alexander Sosedkin -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1535 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Mar 10 14:23:28 2022 
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Thu, 10 Mar 2022 13:23:28 +0000 Subject: [gnutls-devel] GnuTLS | Make gnutls compliant to RFC5280 (!1550) References: Message-ID: Zoltán Fridrich created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1550 Project:Branches: ZoltanFridrich/gnutls:zfridric_devel to gnutls/gnutls:master Author: Zoltán Fridrich Assignee: Zoltán Fridrich This patch should make GnuTLS more RFC5280 compliant 1. [ ] DirectoryString can not be empty 2. [ ] Prohibit IA5String in DirectoryString 3. [ ] Prohibit unnecessary bits in Key Usage extension 4. [ ] Prohibit random octet strings in extensions 5. [ ] Prohibit 1024b RSA pub keys 6. [ ] Prohibit invalid serial number 7. [ ] Prohibit invalid version number Closes: #181 #1218 ## Checklist * [ ] Commits have `Signed-off-by:` with name/author being identical to the commit author * [ ] Code modified for feature * [ ] Test suite updated with functionality tests * [ ] Test suite updated with negative tests * [ ] Documentation updated / NEWS entry present (for non-trivial changes) * [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout) ## Reviewer's checklist: * [ ] Any issues marked for closing are addressed * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md` * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1550 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Mar 10 14:23:27 2022 
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Thu, 10 Mar 2022 13:23:27 +0000 Subject: [gnutls-devel] GnuTLS | Make gnutls compliant to RFC5280 (!1550) In-Reply-To: References: Message-ID: Reassigned merge request 1550 https://gitlab.com/gnutls/gnutls/-/merge_requests/1550 Assignee changed to Zoltán Fridrich -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1550 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Mar 10 14:24:07 2022 
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Thu, 10 Mar 2022 13:24:07 +0000 Subject: [gnutls-devel] GnuTLS | Make gnutls compliant to RFC5280 (!1550) References: Message-ID: Zoltán Fridrich created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1550 Project:Branches: ZoltanFridrich/gnutls:zfridric_devel to gnutls/gnutls:master Author: Zoltán Fridrich Assignee: Zoltán Fridrich This patch should make GnuTLS more RFC5280 compliant 1. [ ] DirectoryString can not be empty 2. [ ] Prohibit IA5String in DirectoryString 3. [ ] Prohibit unnecessary bits in Key Usage extension 4. [ ] Prohibit random octet strings in extensions 5. [ ] Prohibit 1024b RSA pub keys 6. [x] Prohibit invalid serial number 7. [x] Prohibit invalid version number Closes: #181 #1218 ## Checklist * [x] Commits have `Signed-off-by:` with name/author being identical to the commit author * [ ] Code modified for feature * [ ] Test suite updated with functionality tests * [ ] Test suite updated with negative tests * [ ] Documentation updated / NEWS entry present (for non-trivial changes) * [x] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout) ## Reviewer's checklist: * [ ] Any issues marked for closing are addressed * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md` * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1550 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Mar 10 17:54:41 2022 
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Thu, 10 Mar 2022 16:54:41 +0000 Subject: [gnutls-devel] GnuTLS | Make gnutls compliant to RFC5280 (!1550) In-Reply-To: References: Message-ID: Daiki Ueno started a new discussion on configure.ac: https://gitlab.com/gnutls/gnutls/-/merge_requests/1550#note_870569032 > fi > fi > > +AC_ARG_ENABLE(strict-x509, I think this is a good start; eventually it would be more useful to have a run-time flag in `gnutls_certificate_verify_flags` etc. as in `X509_V_FLAG_X509_STRICT` of OpenSSL. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1550#note_870569032 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Mar 11 18:28:37 2022 
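Items 6 and 7 of merge request !1550 above (invalid serial number, invalid version number), and the certtool serial-number check quoted earlier in the #1237 thread, as an added example that is not GnuTLS code: a small DER walker applies the RFC 5280 rules for the two fields to a TBSCertificate and returns every violation it finds, so the strict and lenient cases can be compared side by side. The rules checked are the ones RFC 5280 section 4.1.2.2 and 4.1.2.1 state: the serial number is a positive integer of at most 20 octets, the version is v1, v2 or v3, and a certificate carrying extensions must be v3. The DER helpers, the `make_tbs` sample builder and the `check_tbs` name are constructed for this example and are not part of GnuTLS; the sample certificates contain only placeholder fields where the checks do not look.

```python
"""Added example, not GnuTLS code: RFC 5280 serial-number and version checks
on a DER-encoded TBSCertificate. The DER encoder/decoder, the sample
certificates and the names check_tbs / make_tbs are constructed here.
"""
from typing import Iterator, List, Optional, Tuple


def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV."""
    return bytes([tag]) + _der_len(len(content)) + content


def der_int(value: int) -> bytes:
    """Minimal two's-complement INTEGER (tag 0x02), as DER requires."""
    n = max(1, (value.bit_length() + 8) // 8)
    return der(0x02, value.to_bytes(n, "big", signed=True))


def tlv_iter(data: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (tag, content) for each TLV in `data`; raise on truncation."""
    i = 0
    while i < len(data):
        tag, first = data[i], data[i + 1]
        if first < 0x80:
            length, j = first, i + 2
        else:
            nbytes = first & 0x7F
            length = int.from_bytes(data[i + 2:i + 2 + nbytes], "big")
            j = i + 2 + nbytes
        if j + length > len(data):
            raise ValueError("truncated DER element")
        yield tag, data[j:j + length]
        i = j + length


def check_tbs(tbs: bytes) -> List[str]:
    """Return the RFC 5280 violations found in a DER TBSCertificate (empty = ok)."""
    problems: List[str] = []
    tag, body = next(tlv_iter(tbs))
    if tag != 0x30:
        return ["TBSCertificate is not a SEQUENCE"]
    fields = list(tlv_iter(body))
    version = 0  # DEFAULT v1 when the [0] EXPLICIT version field is absent
    if fields and fields[0][0] == 0xA0:
        vtag, vbody = next(tlv_iter(fields[0][1]))
        version = int.from_bytes(vbody, "big", signed=True) if vtag == 0x02 else -1
        fields = fields[1:]
        if version not in (0, 1, 2):
            problems.append(f"version {version} is not v1/v2/v3")
    if not fields or fields[0][0] != 0x02:
        return problems + ["serialNumber INTEGER missing"]
    serial_raw = fields[0][1]
    serial = int.from_bytes(serial_raw, "big", signed=True)  # DER INTEGER is signed
    if serial <= 0:
        problems.append(f"serialNumber {serial} is not a positive integer")
    if len(serial_raw) > 20:
        problems.append(f"serialNumber is {len(serial_raw)} octets, more than 20")
    # extensions are the [3] EXPLICIT field (tag 0xA3) and require v3
    has_extensions = any(t == 0xA3 for t, _ in fields[1:])
    if has_extensions and version != 2:
        problems.append("extensions present but version is not v3")
    return problems


def make_tbs(version: Optional[int], serial_bytes: bytes,
             with_extensions: bool) -> bytes:
    """Constructed sample TBSCertificate; only version, serial and the
    presence of extensions are meaningful, the five fields in between
    (signature, issuer, validity, subject, subjectPublicKeyInfo) are
    empty SEQUENCE placeholders."""
    parts = []
    if version is not None:
        parts.append(der(0xA0, der_int(version)))
    parts.append(der(0x02, serial_bytes))
    parts.extend(der(0x30, b"") for _ in range(5))
    if with_extensions:
        parts.append(der(0xA3, der(0x30, b"")))
    return der(0x30, b"".join(parts))


if __name__ == "__main__":
    samples = {
        "v3, serial 0x010203": make_tbs(2, b"\x01\x02\x03", True),
        "v3, serial 0 (certtool now rejects)": make_tbs(2, b"\x00", True),
        "v3, negative serial (-255)": make_tbs(2, b"\xff\x01", True),
        "v3, 21-octet serial": make_tbs(2, b"\x01" * 21, True),
        "v1 with extensions": make_tbs(None, b"\x05", True),
        "version 4": make_tbs(3, b"\x05", False),
    }
    for name, tbs in samples.items():
        print(f"{name}: {check_tbs(tbs) or 'ok'}")
```

The negative-serial case is the one #1237 was about: a DER INTEGER whose first content octet has the high bit set is negative, so a tool that writes the raw big-endian magnitude without a leading 0x00 octet produces exactly such a serial.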
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Fri, 11 Mar 2022 17:28:37 +0000
Subject: [gnutls-devel] GnuTLS | Fix global-ini-handler (!1551)

František Krenželok created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1551

Project:Branches: FrantisekKrenzelok/gnutls:config to gnutls/gnutls:master
Author: František Krenželok

Use string retrieved by `clear_spaces`

## Checklist

* [ ] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [ ] Code modified for feature
* [ ] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
* [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:

* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1551

From gnutls-devel at lists.gnutls.org Fri Mar 11 19:03:02 2022
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Fri, 11 Mar 2022 18:03:02 +0000
Subject: [gnutls-devel] GnuTLS | Fix global-ini-handler (!1551)

Merge request !1551 was approved by Daiki Ueno

Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1551
Project:Branches: FrantisekKrenzelok/gnutls:config to gnutls/gnutls:master
Author: František Krenželok
Assignees:
Reviewers:

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1551

From gnutls-devel at lists.gnutls.org Fri Mar 11 19:03:09 2022
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Fri, 11 Mar 2022 18:03:09 +0000
Subject: [gnutls-devel] GnuTLS | Fix global-ini-handler (!1551)

Daiki Ueno commented:

Thank you!

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1551#note_872142832

From gnutls-devel at lists.gnutls.org Fri Mar 11 19:18:57 2022
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Fri, 11 Mar 2022 18:18:57 +0000
Subject: [gnutls-devel] GnuTLS | Fix global-ini-handler (!1551)

Merge request !1551 was scheduled to merge after pipeline succeeds by František Krenželok

Merge request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1551
Project:Branches: FrantisekKrenzelok/gnutls:config to gnutls/gnutls:master
Author: František Krenželok
Assignees:
Reviewers:

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1551

From gnutls-devel at lists.gnutls.org Sat Mar 12 07:55:07 2022
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sat, 12 Mar 2022 06:55:07 +0000
Subject: [gnutls-devel] GnuTLS | Fix global-ini-handler (!1551)

Merge request !1551 was merged

Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1551
Project:Branches: FrantisekKrenzelok/gnutls:config to gnutls/gnutls:master
Author: František Krenželok
Assignees:
Reviewers:

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1551

From gnutls-devel at lists.gnutls.org Sat Mar 12 13:44:59 2022
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sat, 12 Mar 2022 12:44:59 +0000
Subject: [gnutls-devel] GnuTLS | verification error on duplicate server cert in chain (#1335)

Andreas Metzler created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1335

Hello,

gnutls fails to verify ci.debian.net

~~~
*prompt*> gnutls-cli ci.debian.net
*** Fatal error: Error in the certificate.
Processed 127 CA certificate(s).
Resolving 'ci.debian.net:443'...
Connecting to '52.34.117.196:443'...
- Certificate type: X.509
- Got a certificate list of 4 certificates.
- Certificate[0] info:
 - subject `CN=ci.debian.net', issuer `CN=R3,O=Let's Encrypt,C=US', serial 0x04568ce008fea2f0063e06ef52b45111a3ec, EC/ECDSA key 384 bits, signed using RSA-SHA256, activated `2022-01-16 23:00:15 UTC', expires `2022-04-16 23:00:14 UTC', pin-sha256="rWC/lu8/ilDYQnnkWr9JUP3ThSrp5Pi08hFXWv3h7/o="
	Public Key ID:
		sha1:344bd3eb5105d3b830dd87f6f5e4435e8aacdf6d
		sha256:ad60bf96ef3f8a50d84279e45abf4950fdd3852ae9e4f8b4f211575afde1effa
	Public Key PIN:
		pin-sha256:rWC/lu8/ilDYQnnkWr9JUP3ThSrp5Pi08hFXWv3h7/o=
- Certificate[1] info:
 - subject `CN=ci.debian.net', issuer `CN=R3,O=Let's Encrypt,C=US', serial 0x04568ce008fea2f0063e06ef52b45111a3ec, EC/ECDSA key 384 bits, signed using RSA-SHA256, activated `2022-01-16 23:00:15 UTC', expires `2022-04-16 23:00:14 UTC', pin-sha256="rWC/lu8/ilDYQnnkWr9JUP3ThSrp5Pi08hFXWv3h7/o="
- Certificate[2] info:
 - subject `CN=R3,O=Let's Encrypt,C=US', issuer `CN=ISRG Root X1,O=Internet Security Research Group,C=US', serial 0x00912b084acf0c18a753f6d62e25a75f5a, RSA key 2048 bits, signed using RSA-SHA256, activated `2020-09-04 00:00:00 UTC', expires `2025-09-15 16:00:00 UTC', pin-sha256="jQJTbIh0grw0/1TkHSumWb+Fs0Ggogr621gT3PvPKG0="
- Certificate[3] info:
 - subject `CN=ISRG Root X1,O=Internet Security Research Group,C=US', issuer `CN=DST Root CA X3,O=Digital Signature Trust Co.', serial 0x4001772137d4e942b8ee76aa3c640ab7, RSA key 4096 bits, signed using RSA-SHA256, activated `2021-01-20 19:14:03 UTC', expires `2024-09-30 18:14:03 UTC', pin-sha256="C5+lpZ7tcVwmwQIMcRtPbsQtWLABXhQzejna0wHFr8M="
- Status: The certificate is NOT trusted. The certificate issuer is unknown.
*** PKI verification of server certificate failed...
~~~

Looking at the output, there seems to be a minor configuration issue: the server certificate is sent twice.

I have grabbed the certs with `gnutls-cli --save-cert` (which yields a file with a different order than the one reported by gnutls-cli: ci.debian.net, R3, ci.debian.net, ISRG Root X1) and got an error with certtool, too:

~~~
ametzler at argenau:~$ certtool --infile=/tmp/ci.pem --verify
Note that no verification profile was selected. In the future the medium profile will be enabled by default.
Use --verify-profile low to apply the default verification of NORMAL priority string.
Loaded system trust (127 CAs available)
	Subject: CN=ci.debian.net
	Issuer: CN=R3,O=Let's Encrypt,C=US
	Signature algorithm: RSA-SHA256
	Output: Not verified. The certificate is NOT trusted. The certificate issuer is unknown.

	Subject: CN=ci.debian.net
	Issuer: CN=R3,O=Let's Encrypt,C=US
	Signature algorithm: RSA-SHA256
	Output: Not verified. The certificate is NOT trusted. The certificate issuer is unknown.

Chain verification output: Not verified. The certificate is NOT trusted. The certificate issuer is unknown.
~~~

Removing the second instance of the ci.debian.net cert from the file lets certtool succeed:

~~~
ametzler at argenau:~$ certtool --infile=/tmp/ci-noduplicate.pem --verify
Note that no verification profile was selected. In the future the medium profile will be enabled by default.
Use --verify-profile low to apply the default verification of NORMAL priority string.
Loaded system trust (127 CAs available)
	Subject: CN=ISRG Root X1,O=Internet Security Research Group,C=US
	Issuer: CN=DST Root CA X3,O=Digital Signature Trust Co.
	Signature algorithm: RSA-SHA256
	Output: Not verified. The certificate is NOT trusted. The certificate issuer is unknown.

	Subject: CN=ISRG Root X1,O=Internet Security Research Group,C=US
	Issuer: CN=DST Root CA X3,O=Digital Signature Trust Co.
	Checked against: CN=ISRG Root X1,O=Internet Security Research Group,C=US
	Signature algorithm: RSA-SHA256
	Output: Verified. The certificate is trusted.

	Subject: CN=R3,O=Let's Encrypt,C=US
	Issuer: CN=ISRG Root X1,O=Internet Security Research Group,C=US
	Checked against: CN=ISRG Root X1,O=Internet Security Research Group,C=US
	Signature algorithm: RSA-SHA256
	Output: Verified. The certificate is trusted.

	Subject: CN=ci.debian.net
	Issuer: CN=R3,O=Let's Encrypt,C=US
	Checked against: CN=R3,O=Let's Encrypt,C=US
	Signature algorithm: RSA-SHA256
	Output: Verified. The certificate is trusted.

Chain verification output: Verified. The certificate is trusted.
~~~

ISRG_Root_X1.pem is in the truststore, so the minimal fails/works testcases are

~~~
certtool --infile=/tmp/ci.pem --verify --load-ca-certificate=/etc/ssl/certs/ISRG_Root_X1.pem
certtool --infile=/tmp/ci-noduplicate.pem --verify --load-ca-certificate=/etc/ssl/certs/ISRG_Root_X1.pem
~~~

[ci.pem](/uploads/c901d1e2a9eb4c13b5ab4acf1fe5e69d/ci.pem)
[ci-noduplicate.pem](/uploads/c1652b030c7357ed2d741ba5600d85ae/ci-noduplicate.pem)
[ISRG_Root_X1.pem](/uploads/1cd5f6fe2c92ad58398de3f14fd4241f/ISRG_Root_X1.pem)

This looks very similar to #1131.

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1335

From gnutls-devel at lists.gnutls.org Sat Mar 12 15:02:57 2022
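The report above shows two separate things a verifier has to cope with before it can check a single signature: the list is not in leaf-to-root order (the `--save-cert` file has the root last and the leaf in two places), and one certificate appears twice. The block below is an added example, not GnuTLS code or a fix for the issue; it shows the path-building step written so that neither condition derails it. Certificates are modelled by subject, issuer and serial strings only (names and serials taken from the gnutls-cli output above, plus one constructed cross-signed pair), nothing is parsed and no signature is checked, so the function orders input for a verifier rather than verifying anything.

```c
/* Added example, not code from GnuTLS: the path-building step of chain
 * verification written to tolerate what issue #1335 describes, an unordered
 * list that contains the end-entity certificate twice. Certificates are
 * modelled by subject, issuer and serial strings only; nothing is parsed and
 * no signature is checked, so this orders the input for a verifier rather
 * than verifying anything itself. */
#include <stddef.h>
#include <string.h>

struct cert_info {
    const char *subject;
    const char *issuer;
    const char *serial;     /* hex; issuer plus serial identifies a certificate */
};

static int same_cert(const struct cert_info *a, const struct cert_info *b)
{
    return strcmp(a->issuer, b->issuer) == 0 && strcmp(a->serial, b->serial) == 0;
}

/* Fill path[] with indices into certs[], starting at the end entity certs[0]
 * and following issuer links until a self-signed certificate is reached or
 * the issuer is not in the list. A candidate that is the same certificate as
 * one already on the path is skipped, so duplicates and cross-signed loops
 * cannot be taken as a new hop. Returns the path length, or -1 on bad input
 * or when max is too small. */
int build_path(const struct cert_info *certs, size_t n, size_t *path, size_t max)
{
    if (n == 0 || max == 0)
        return -1;
    size_t len = 0, cur = 0;
    path[len++] = cur;
    while (strcmp(certs[cur].subject, certs[cur].issuer) != 0) {
        size_t next = n;
        for (size_t i = 0; i < n && next == n; i++) {
            if (strcmp(certs[i].subject, certs[cur].issuer) != 0)
                continue;
            int dup = 0;
            for (size_t j = 0; j < len; j++)
                if (same_cert(&certs[i], &certs[path[j]])) { dup = 1; break; }
            if (!dup)
                next = i;
        }
        if (next == n)
            break;                  /* issuer must come from the trust store */
        if (len == max)
            return -1;
        path[len++] = next;
        cur = next;
    }
    return (int)len;
}

/* Names and serials as printed by gnutls-cli in the report above, in the order
 * --save-cert wrote them (leaf, R3, leaf again, ISRG Root X1). */
static const struct cert_info SAMPLE_CHAIN[] = {
    { "CN=ci.debian.net", "CN=R3,O=Let's Encrypt,C=US", "04568ce008fea2f0063e06ef52b45111a3ec" },
    { "CN=R3,O=Let's Encrypt,C=US", "CN=ISRG Root X1,O=Internet Security Research Group,C=US", "00912b084acf0c18a753f6d62e25a75f5a" },
    { "CN=ci.debian.net", "CN=R3,O=Let's Encrypt,C=US", "04568ce008fea2f0063e06ef52b45111a3ec" },
    { "CN=ISRG Root X1,O=Internet Security Research Group,C=US", "CN=DST Root CA X3,O=Digital Signature Trust Co.", "4001772137d4e942b8ee76aa3c640ab7" },
};
size_t sample_path[8];

/* Path through SAMPLE_CHAIN: expected indices 0, 1, 3 (the duplicate at 2 is
 * never needed because it is not anybody's issuer). */
int sample_chain_path(void)
{
    return build_path(SAMPLE_CHAIN, sizeof SAMPLE_CHAIN / sizeof SAMPLE_CHAIN[0], sample_path, 8);
}

/* Constructed cross-signed pair: A issued by B, B issued by A. Without the
 * duplicate check this would loop forever; expected length is 2. */
static const struct cert_info CROSS_SIGNED[] = {
    { "CN=A", "CN=B", "01" },
    { "CN=B", "CN=A", "02" },
};
int cross_signed_path_length(void)
{
    size_t path[8];
    return build_path(CROSS_SIGNED, 2, path, 8);
}
```

The path stops at ISRG Root X1 because its issuer (DST Root CA X3) is not in the list; whether the path is then trusted depends on the trust store, which is exactly the part of the question that the PKCS#11 versus file-based comparison later in this thread narrows down.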
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sat, 12 Mar 2022 14:02:57 +0000
Subject: [gnutls-devel] GnuTLS | Make option description type-safe (!1535)

Merge request https://gitlab.com/gnutls/gnutls/-/merge_requests/1535 was reviewed by Alexander Sosedkin

--

Alexander Sosedkin started a new discussion on doc/manpages/Makefile.am: https://gitlab.com/gnutls/gnutls/-/merge_requests/1535#note_872585555

> certtool.1: $(top_srcdir)/doc/certtool-see-also.texi $(top_srcdir)/doc/certtool-examples.texi $(top_srcdir)/doc/certtool-files.texi
> certtool.1: $(top_srcdir)/src/certtool-options.json

Could we compress these with pattern rules? nettle, gnulib and guile bindings seem to use this make feature.

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1535

From gnutls-devel at lists.gnutls.org Sat Mar 12 15:03:20 2022
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sat, 12 Mar 2022 14:03:20 +0000
Subject: [gnutls-devel] GnuTLS | Make option description type-safe (!1535)

Alexander Sosedkin commented:

Marvelous, that's quite a change. Only other remark I have now is: shouldn't cligen at least mention autogen in its README so that it's more discoverable?

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1535#note_872585627

From gnutls-devel at lists.gnutls.org Sat Mar 12 15:03:27 2022
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sat, 12 Mar 2022 14:03:27 +0000
Subject: [gnutls-devel] GnuTLS | Make option description type-safe (!1535)

Merge request !1535 was approved by Alexander Sosedkin

Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1535
Project:Branches: dueno/gnutls:wip/dueno/options to gnutls/gnutls:master
Author: Daiki Ueno
Assignees:
Reviewer: Alexander Sosedkin

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1535

From gnutls-devel at lists.gnutls.org Mon Mar 14 00:12:10 2022
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sun, 13 Mar 2022 23:12:10 +0000
Subject: [gnutls-devel] GnuTLS | Always check calloc() return value for NULL (!1552)

Tobias Heider created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1552

Project:Branches: tobhe/gnutls:calloc to gnutls/gnutls:master
Author: Tobias Heider

I noticed some calls to `calloc()` in `gnutls_openssl.c` are followed by `NULL` checks, others are not. This MR adds return value checks for the remaining `calloc()` calls.

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1552

From gnutls-devel at lists.gnutls.org Mon Mar 14 09:47:13 2022
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Mon, 14 Mar 2022 08:47:13 +0000
Subject: [gnutls-devel] GnuTLS | Always check calloc() return value for NULL (!1552)

Merge request !1552 was approved by Daiki Ueno

Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1552
Project:Branches: tobhe/gnutls:calloc to gnutls/gnutls:master
Author: Tobias Heider
Assignees:
Reviewers:

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1552

From gnutls-devel at lists.gnutls.org Mon Mar 14 09:47:26 2022
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Mon, 14 Mar 2022 08:47:26 +0000
Subject: [gnutls-devel] GnuTLS | Always check calloc() return value for NULL (!1552)

Merge request !1552 was merged

Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1552
Project:Branches: tobhe/gnutls:calloc to gnutls/gnutls:master
Author: Tobias Heider
Assignees:
Reviewers:

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1552

From gnutls-devel at lists.gnutls.org Mon Mar 14 09:47:24 2022
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Mon, 14 Mar 2022 08:47:24 +0000
Subject: [gnutls-devel] GnuTLS | Always check calloc() return value for NULL (!1552)

Daiki Ueno commented:

Thank you!

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1552#note_873285694

From gnutls-devel at lists.gnutls.org Mon Mar 14 09:58:00 2022
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Mon, 14 Mar 2022 08:58:00 +0000
Subject: [gnutls-devel] GnuTLS | verification error on duplicate server cert in chain (#1335)

Daiki Ueno commented:

I can't reproduce it with PKCS#11 trust store, so I guess the issue is in the non-PKCS#11 code path in `lib/x509/verify-high*.c`.

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1335#note_873300243

From gnutls-devel at lists.gnutls.org Mon Mar 14 11:30:42 2022
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Mon, 14 Mar 2022 10:30:42 +0000
Subject: [gnutls-devel] GnuTLS | VLA in _gnutls_dump_vector() (#1336)

Gisle Vanem created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1336

Compiling the `debug.c` file with `cl -c -DDEBUG ...` (with MSVC-2019), yields this error:

```c
debug.c(47): error C2057: expected constant expression
debug.c(47): error C2466: cannot allocate an array of constant size 0
debug.c(47): error C2133: 'buf_hex': unknown size
debug.c(51): warning C4034: sizeof returns 0
```

Wouldn't it be better to use `alloca()` for MSVC in this case:

```diff
--- a/lib/debug.c 2022-03-13 16:34:15
+++ b/lib/debug.c 2022-03-14 11:28:50
@@ -44,7 +44,11 @@
 void
 _gnutls_dump_vector(const char *prefix, const uint8_t * a, size_t a_size)
 {
-	char buf_hex[2 * a_size + 1];
+#ifdef _MSC_VER
+	char *buf_hex = alloca (2 * a_size + 1);
+#else
+	char *buf_hex[2 * a_size + 1];
+#endif
```

But I cannot see this function being called anywhere. So why is it there?

I made a similar [issue](https://gitlab.com/gnutls/gnutls/-/issues/248) 4 years ago. And I'm amazed MSVC is still not fully supported.

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1336

From gnutls-devel at lists.gnutls.org Mon Mar 14 13:27:07 2022
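Review bot: the `#else` branch of the hunk changes `char buf_hex[2 * a_size + 1];` into `char *buf_hex[2 * a_size + 1];`, which declares an array of pointers instead of an array of characters, so every non-MSVC build gets a different type and a buffer that is pointer-size times larger than intended; the `#else` line should keep the original `char buf_hex[...]`. The `alloca (2 * a_size + 1)` branch also places no bound on `a_size`, so it keeps the unbounded stack growth of the VLA it replaces; either bound the size before allocating on the stack or move the buffer to the heap with a NULL check.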
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Mon, 14 Mar 2022 12:27:07 +0000
Subject: [gnutls-devel] GnuTLS | VLA in _gnutls_dump_vector() (#1336)

Daiki Ueno commented:

> I made a similar issue 4 years ago. And I'm amazed MSVC is still not fully supported.

I'd echo Nikos' comment 4 years back; I don't have access to the system with MSVC, and I don't have enough incentive to support self-build with MSVC given we support mingw cross build that should be used on such systems (e.g., with MSYS). If you contribute and maintain the port, that would be awesome (in this case I suggest using the [`vla`](https://www.gnu.org/software/gnulib/MODULES.html#module=vla) module to detect inability of VLA).

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1336#note_873605810

From gnutls-devel at lists.gnutls.org Mon Mar 14 13:40:31 2022
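Both the VLA in the issue and the proposed `alloca()` make the stack frame of the dump routine grow with the length of the data being dumped. The block below is an added example, not GnuTLS code and not the gnulib `vla` module mentioned above; it shows the third option, a fixed-size buffer that is flushed in chunks, so the function compiles with MSVC and its stack use is constant whatever `a_size` is. The `emit` callback and the collector used to check the output are this example's own abstractions, and the 40-byte input is constructed.

```c
/* Added example, not code from GnuTLS or from the issue: a debug hex dump that
 * uses neither a VLA nor alloca(), so it compiles with MSVC and its stack
 * footprint is constant no matter how large a_size is. The emit callback is
 * this example's own abstraction standing in for whatever the logger does. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define HEX_CHUNK 32    /* input bytes per flush; buffer is 2 * HEX_CHUNK + 1 */

typedef void (*hex_emit_fn)(const char *text, void *ctx);

/* Hex-encode n bytes into out, which must hold 2 * n + 1 bytes; returns 2 * n. */
size_t hex_encode(const uint8_t *in, size_t n, char *out)
{
    static const char digits[] = "0123456789abcdef";
    for (size_t i = 0; i < n; i++) {
        out[2 * i]     = digits[in[i] >> 4];
        out[2 * i + 1] = digits[in[i] & 0x0F];
    }
    out[2 * n] = '\0';
    return 2 * n;
}

/* Dump prefix followed by the hex of a[0..a_size) and a newline through emit,
 * HEX_CHUNK bytes at a time. Returns the number of chunk flushes. */
size_t dump_vector(const char *prefix, const uint8_t *a, size_t a_size,
                   hex_emit_fn emit, void *ctx)
{
    char buf_hex[2 * HEX_CHUNK + 1];    /* fixed size: no VLA, no alloca */
    size_t flushes = 0;
    emit(prefix, ctx);
    for (size_t off = 0; off < a_size; off += HEX_CHUNK) {
        size_t n = a_size - off < HEX_CHUNK ? a_size - off : HEX_CHUNK;
        hex_encode(a + off, n, buf_hex);
        emit(buf_hex, ctx);
        flushes++;
    }
    emit("\n", ctx);
    return flushes;
}

/* Collector used by the demo: appends emitted text to a bounded buffer. */
struct collect { char *buf; size_t cap; size_t len; };

static void collect_emit(const char *text, void *ctx)
{
    struct collect *c = ctx;
    size_t l = strlen(text);
    if (c->len + l < c->cap) {
        memcpy(c->buf + c->len, text, l + 1);
        c->len += l;
    }
}

static uint8_t demo_vector[40];     /* constructed input: bytes 0x00..0x27 */
static char demo_out[128];

/* Dump the constructed 40-byte vector; returns the flush count (2 with
 * HEX_CHUNK == 32) and leaves the text in demo_out. */
size_t demo_dump_flushes(void)
{
    struct collect c = { demo_out, sizeof demo_out, 0 };
    for (size_t i = 0; i < sizeof demo_vector; i++)
        demo_vector[i] = (uint8_t)i;
    demo_out[0] = '\0';
    return dump_vector("v: ", demo_vector, sizeof demo_vector, collect_emit, &c);
}

const char *demo_dump_text(void)
{
    demo_dump_flushes();
    return demo_out;
}
```

With a real logger the `emit` callback would be a thin wrapper around whatever `_gnutls_debug_log` style function is in use; the chunking is invisible to the reader of the log because no newline is emitted between chunks.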
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Mon, 14 Mar 2022 12:40:31 +0000
Subject: [gnutls-devel] GnuTLS | Make gnutls compliant to RFC5280 (!1550)

Zoltán Fridrich started a new discussion on lib/pkix.asn: https://gitlab.com/gnutls/gnutls/-/merge_requests/1550#note_873625886

>  printableString PrintableString (SIZE (1..MAX)),
>  universalString UniversalString (SIZE (1..MAX)),
>  utf8String UTF8String (SIZE (1..MAX)),
> - bmpString BMPString (SIZE(1..MAX)),
> - -- IA5String is added here to handle old UID encoded as ia5String --
> - -- See tests/userid/ for more information. It shouldn't be here, --
> - -- so if it causes problems, considering dropping it. --
> - ia5String IA5String (SIZE(1..MAX)) }

If we want to drop ia5String from DirectoryString structure in order to be RFC5280 compliant, I think just dropping the ia5String from DirectoryString is the correct and most natural way. No parsing error will be reported if somebody tries to use ia5String value in DirectoryString as type=DirectoryString is a CHOICE anyway.

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1550#note_873625886

From gnutls-devel at lists.gnutls.org Mon Mar 14 15:18:08 2022
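Review bot: the hunk removes the `ia5String` alternative together with the comment that explains why it was there ("to handle old UID encoded as ia5String", with a pointer to tests/userid/), so the change needs a test that pins down what now happens to such a certificate; the claim that no parsing error will be reported is exactly what a negative test over the tests/userid/ data would confirm or refute, and the MR checklist still has "Test suite updated with negative tests" unchecked. The hunk also drops the `bmpString` line, which RFC 5280 keeps in DirectoryString; if that line is only moved rather than removed, the discussion should say so, and if it is removed it is a separate change from the IA5String one.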
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Mon, 14 Mar 2022 14:18:08 +0000
Subject: [gnutls-devel] GnuTLS | Make option description type-safe (!1535)

Daiki Ueno commented on a discussion on doc/manpages/Makefile.am: https://gitlab.com/gnutls/gnutls/-/merge_requests/1535#note_873787267

> certtool.1: $(top_srcdir)/doc/certtool-see-also.texi $(top_srcdir)/doc/certtool-examples.texi $(top_srcdir)/doc/certtool-files.texi
> certtool.1: $(top_srcdir)/src/certtool-options.json

I would rather explicitly enumerate those files so that the make would fail if some of the files are accidentally removed.

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1535#note_873787267

From gnutls-devel at lists.gnutls.org Mon Mar 14 15:37:57 2022
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Mon, 14 Mar 2022 14:37:57 +0000
Subject: [gnutls-devel] GnuTLS | Make option description type-safe (!1535)

All discussions on merge request !1535 were resolved by Daiki Ueno

https://gitlab.com/gnutls/gnutls/-/merge_requests/1535

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1535

From gnutls-devel at lists.gnutls.org Mon Mar 14 15:38:23 2022
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Mon, 14 Mar 2022 14:38:23 +0000
Subject: [gnutls-devel] GnuTLS | Make option description type-safe (!1535)

Daiki Ueno commented:

Thanks for the review (I'll update the cligen README later).

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1535#note_873827276

From gnutls-devel at lists.gnutls.org Mon Mar 14 15:38:30 2022
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Mon, 14 Mar 2022 14:38:30 +0000
Subject: [gnutls-devel] GnuTLS | Make option description type-safe (!1535)

Merge request !1535 was merged

Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1535
Project:Branches: dueno/gnutls:wip/dueno/options to gnutls/gnutls:master
Author: Daiki Ueno
Assignees:
Reviewer: Alexander Sosedkin

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1535

From gnutls-devel at lists.gnutls.org Mon Mar 14 16:05:32 2022
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Mon, 14 Mar 2022 15:05:32 +0000
Subject: [gnutls-devel] GnuTLS | cli, serv: allow multiple --compress-cert options (!1553)

Daiki Ueno created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1553

Project:Branches: dueno/gnutls:wip/dueno/compress-cert-cli to gnutls/gnutls:master
Author: Daiki Ueno

This eliminates the need of parsing the comma separated list manually.

## Checklist

* [x] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [ ] Code modified for feature
* [ ] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
* [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:

* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1553

From gnutls-devel at lists.gnutls.org Mon Mar 14 16:12:51 2022
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Mon, 14 Mar 2022 15:12:51 +0000
Subject: [gnutls-devel] GnuTLS | cli, serv: allow multiple --compress-cert options (!1553)

Merge request !1553 was approved by Zoltán Fridrich

Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1553
Project:Branches: dueno/gnutls:wip/dueno/compress-cert-cli to gnutls/gnutls:master
Author: Daiki Ueno
Assignees:
Reviewers:

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1553

From gnutls-devel at lists.gnutls.org Mon Mar 14 16:13:19 2022
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Mon, 14 Mar 2022 15:13:19 +0000
Subject: [gnutls-devel] GnuTLS | cli, serv: allow multiple --compress-cert options (!1553)

Zoltán Fridrich commented:

Looks good.

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1553#note_873898886

From gnutls-devel at lists.gnutls.org Mon Mar 14 18:22:02 2022
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Mon, 14 Mar 2022 17:22:02 +0000
Subject: [gnutls-devel] GnuTLS | verification error on duplicate server cert in chain (#1335)

Andreas Metzler commented:

Daiki Ueno @dueno · wrote 8 hours ago

> I can't reproduce it with PKCS#11 trust store, so I guess the issue is in the non-PKCS#11 code path in lib/x509/verify-high*.c

Indeed `certtool --infile=/tmp/ci.pem --verify --load-ca-certificate="pkcs11:model=p11-kit-trust;manufacturer=PKCS%2311%20Kit;serial=1;token=System%20Trust"` succeeds where `certtool --infile=/tmp/ci.pem --verify` failed. (gnutls built with --with-default-trust-store-file=/etc/ssl/certs/ca-certificates.crt / p11-kit with --with-trust-paths=/etc/ssl/certs/ca-certificates.crt).

ci.debian.net cannot be used as a test case with gnutls-cli anymore; the duplicate cert has been removed from its certificate list.

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1335#note_874071418

From gnutls-devel at lists.gnutls.org Tue Mar 15 11:52:41 2022
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Tue, 15 Mar 2022 10:52:41 +0000
Subject: [gnutls-devel] GnuTLS | RFC: Use custom free/realloc for GMP to safely delete temporary secrets (!1554)

Tobias Heider created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1554

Project:Branches: tobhe/gnutls:gmp_alloc to gnutls/gnutls:master
Author: Tobias Heider

I am trying to figure out how to make sure that all intermediate products of cryptographic operations (e.g. private key generation) are safely zeroized. FIPS140-3 requires zeroization of all intermediate key generation values as well as the internal RBG state, but I think this would also be useful hardening for normal operation.

gnutls outsources these cryptographic operations to nettle, which in turn uses GMP internally to store a lot of sensitive data. The [nettle documentation](http://www.lysator.liu.se/~nisse/nettle/nettle.html#index-rsa_005fprivate_005fkey_005fclear) for the `rsa_private_key_clear()` function mentions that the caller can change the default behavior by overriding the GMP allocator as described [here](https://gmplib.org/manual/Custom-Allocation#Custom-Allocation).

This MR replaces the GMP `realloc()` and `free()` functions with safe alternatives that use `explicit_bzero()` to zeroize any discarded memory.

Feedback and ideas for improvement welcome.

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1554

From gnutls-devel at lists.gnutls.org Tue Mar 15 12:42:00 2022
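What the override described above looks like in practice: GMP lets a program supply its own allocate, reallocate and free functions, and because GMP passes the old block size to reallocate and free, the hook can wipe exactly the bytes that held limb data before releasing them. The block below is an added example, not the merge request's code and not part of GnuTLS; it uses the three signatures GMP expects but leaves the registration call in a comment so the file builds without libgmp, wipes through a volatile function pointer instead of `explicit_bzero()` so it compiles on any C99 libc, and aborts on allocation failure because GMP's default allocators do the same and Nettle relies on that (a point raised in the reply to this merge request). The 16-byte "secret" is constructed.

```c
/* Added example, not code from the merge request or from GnuTLS: allocator
 * hooks with the three signatures GMP accepts through mp_set_memory_functions(),
 * where realloc and free wipe the block being released. Like GMP's default
 * allocators they abort on failure, because Nettle does not check allocation
 * results. The wipe goes through a volatile function pointer instead of
 * explicit_bzero() so the example builds on any C99 libc; the GMP call itself
 * is left in a comment so the file compiles without libgmp. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* A memset reached through a volatile pointer cannot be removed by the
 * compiler on the grounds that the memory is freed right afterwards. */
static void *(*volatile memset_ptr)(void *, int, size_t) = memset;

void secure_wipe(void *p, size_t n)
{
    if (p != NULL && n > 0)
        memset_ptr(p, 0, n);
}

static void *zero_alloc(size_t n)
{
    void *p = malloc(n ? n : 1);
    if (p == NULL)
        abort();                    /* mirror GMP's default allocator */
    return p;
}

/* GMP hands the old size to realloc, which is what makes a full wipe of the
 * old block possible; libc realloc() offers no such guarantee. */
static void *zero_realloc(void *old, size_t old_n, size_t new_n)
{
    void *p = zero_alloc(new_n);
    if (old != NULL) {
        memcpy(p, old, old_n < new_n ? old_n : new_n);
        secure_wipe(old, old_n);
        free(old);
    }
    return p;
}

static void zero_free(void *p, size_t n)
{
    secure_wipe(p, n);
    free(p);
}

/* Installation (before any mpz_* use, e.g. in library initialisation):
 *     mp_set_memory_functions(zero_alloc, zero_realloc, zero_free);
 */

/* Grow and shrink a constructed 16-byte "secret" through the hooks and
 * check that the prefix that must survive each move does. Returns 1 on success. */
int demo_zeroizing_realloc(void)
{
    uint8_t *s = zero_alloc(16);
    for (size_t i = 0; i < 16; i++)
        s[i] = (uint8_t)(0xA0 + i);
    s = zero_realloc(s, 16, 64);    /* grow: old block wiped, then freed */
    if (s[0] != 0xA0 || s[15] != 0xAF)
        return 0;
    s = zero_realloc(s, 64, 8);     /* shrink: only the first 8 bytes are kept */
    for (size_t i = 0; i < 8; i++)
        if (s[i] != (uint8_t)(0xA0 + i))
            return 0;
    zero_free(s, 8);
    return 1;
}

/* Check that secure_wipe really zeroes a buffer. Returns 1 on success. */
int secure_wipe_works(void)
{
    uint8_t buf[32];
    memset(buf, 0xFF, sizeof buf);
    secure_wipe(buf, sizeof buf);
    for (size_t i = 0; i < sizeof buf; i++)
        if (buf[i] != 0)
            return 0;
    return 1;
}
```

The shrink case is the one to look at: a plain `realloc()` that shrinks in place leaves the tail of the old block in the allocator's free list untouched, whereas the hook above always moves the data and wipes the whole old block, at the cost of an extra copy per reallocation.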
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Tue, 15 Mar 2022 11:42:00 +0000
Subject: [gnutls-devel] GnuTLS | RFC: Use custom free/realloc for GMP to safely delete temporary secrets (!1554)

Daiki Ueno commented:

That sounds like a good idea. One thing to note is that GMP's default allocators terminate the program upon failure and Nettle relies on that behavior (i.e., no check on allocation failure).

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1554#note_875113127

From gnutls-devel at lists.gnutls.org Tue Mar 15 14:48:00 2022
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Tue, 15 Mar 2022 13:48:00 +0000
Subject: [gnutls-devel] GnuTLS | MSVC problem with gen-getopt.py (#1337)

Gisle Vanem created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1337

Two of the generated .h files in `./src` do not work with MSVC; `certtool-options.h` and `psktool-options.h`:

```
psktool-options.h(55): error C2016: C requires that a struct or union have at least one member
```

I.e. for this code:

```c
  /* Option enablement status */
  struct {
  } enabled;
```

A fix for this was to modify `gen-getopt.py` to insert some `int dummy;` statements for such empty lists:

```
--- a/src/gen-getopt.py 2022-03-15 14:39:36
+++ b/src/gen-getopt.py 2022-03-13 16:34:15
@@ -501,7 +501,7 @@
     global_name = f'{mangle(prog_name)}Options'
     list_struct_name = f'{mangle(prog_name)}_list'

-    for i, option in enumerate(options):
+    for option in options:
         long_opt = option['long-option']
         arg_type = option.get('arg-type')
         lower_opt = mangle(long_opt)
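Review bot: the direction of this diff is reversed. The `---` header names the file dated 2022-03-15 and the `+++` header the one dated 2022-03-13, and the `-` side of the hunk carries `for i, option in enumerate(options):`, which is the index the text says the fix needs, so applied as posted the patch would take the `int dummy;` insertion out rather than put it in. Please regenerate it with the unmodified file on the `---` side so the `+` lines are the fix.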
@@ -528,8 +528,6 @@ f'{global_name}.list.{lower_opt}.args\n' )) else: - if i == 0: - struct_members_list.write (f'{INDENT*2}int dummy;\n') struct_members_arg.write( f'{INDENT*2}const char *{lower_opt};\n' ) @@ -546,8 +544,6 @@ f'#define ENABLED_OPT_{upper_opt} ' f'{global_name}.enabled.{lower_opt}\n' )) - elif i == 0: - struct_members_enabled.write (f'{INDENT*2}int dummy;\n') have_opts.write(( f'#define HAVE_OPT_{upper_opt} '
```

But I'm not sure what a proper fix would look like.

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1337

From gnutls-devel at lists.gnutls.org Tue Mar 15 14:52:29 2022
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Tue, 15 Mar 2022 13:52:29 +0000
Subject: [gnutls-devel] GnuTLS | VLA in _gnutls_dump_vector() (#1336)
In-Reply-To:
References:
Message-ID:

Gisle Vanem commented:

I've no idea how to apply a Gnulib patch.
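Review bot: the `@@ -501,7 +501,7 @@` hunk shows `- for i, option in enumerate(options):` against `+ for option in options:`, and the `a/` timestamp (2022-03-15) is newer than the `b/` one (2022-03-13), so the diff is reversed with respect to the fix the text describes: applied as-is it removes the `enumerate` index the later hunks rely on. Regenerate it as `diff -u <original> <modified>`, or say that it has to be applied with `patch -R`.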
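Review bot: in the `@@ -528,8 +528,6 @@` hunk (and the same pattern in `@@ -546,8 +544,6 @@`) the filler is tied to `if i == 0:` inside the `else:` branch, so `int dummy;` is written to `struct_members_list` whenever the first option takes the other branch, even when later options populate that struct, while the empty-struct error depends on no option at all reaching it. Track whether `struct_members_list` and `struct_members_enabled` each received a member and emit `int dummy;` once, after the loop, only for the buffers that are still empty.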
But what is `_gnutls_dump_vector()` there for? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1336#note_875380328 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Mar 15 17:02:53 2022 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 15 Mar 2022 16:02:53 +0000 Subject: [gnutls-devel] GnuTLS | MSVC problem with gen-getopt.py (#1337) In-Reply-To: References: Message-ID: Daiki Ueno commented: Thanks; we've recently reworked the option handling in !1535 but the new code still had the same issue (for `list`; I don't see any empty `enabled` in the generated code), so I've fixed it in https://gitlab.com/gnutls/cligen/-/commit/a9d7e08c032a7ec496695fdb0bbe30a66d472206. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1337#note_875611280 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Mar 15 17:47:47 2022 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 15 Mar 2022 16:47:47 +0000 Subject: [gnutls-devel] GnuTLS | Make gnutls compliant to RFC5280 (!1550) In-Reply-To: References: Message-ID: Merge request https://gitlab.com/gnutls/gnutls/-/merge_requests/1550 was reviewed by Daiki Ueno -- Daiki Ueno started a new discussion on lib/x509/x509.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1550#note_875677759 > + > +/* Check whether serial number is RFC5280 compliant */ > +static int check_serial(gnutls_x509_crt_t cert) If this function returns 0 or 1, I'd suggest changing the return type to `unsigned` (or better, `bool`, given this is an internal function). 
-- Daiki Ueno started a new discussion on lib/x509/x509.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1550#note_875677772 > > + /* enforce upper bound on certificate version (RFC5280 compliant) */ > + if (version > 3) { Can this be merged into the `if` block below, or perhaps this block should be enclosed with `#ifdef STRICT_X509` ... `#endif`? -- Daiki Ueno started a new discussion on lib/pkix.asn: https://gitlab.com/gnutls/gnutls/-/merge_requests/1550#note_875677779 > - -- so if it causes problems, considering dropping it. -- > - ia5String IA5String (SIZE(1..MAX)) } > + bmpString BMPString (SIZE(1..MAX)) } I think it's worth mentioning this change in NEWS. Also you might need to adjust or remove the `userid` test (which seems to have moved to `tests/cert-tests/userid.sh`)? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1550 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Mar 15 17:47:59 2022 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 15 Mar 2022 16:47:59 +0000 Subject: [gnutls-devel] GnuTLS | Make gnutls compliant to RFC5280 (!1550) In-Reply-To: References: Message-ID: Merge request !1550 was approved by Daiki Ueno Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1550 Project:Branches: ZoltanFridrich/gnutls:zfridric_devel to gnutls/gnutls:master Author: Zolt?n Fridrich Assignee: Zolt?n Fridrich Reviewers: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1550 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... 
From gnutls-devel at lists.gnutls.org Tue Mar 15 17:48:49 2022
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Tue, 15 Mar 2022 16:48:49 +0000
Subject: [gnutls-devel] GnuTLS | Make gnutls compliant to RFC5280 (!1550)
In-Reply-To:
References:
Message-ID:

Daiki Ueno commented:

Looks good to me overall; thanks! I've added some minor comments.

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1550#note_875679770

From gnutls-devel at lists.gnutls.org Tue Mar 15 23:17:36 2022
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Tue, 15 Mar 2022 22:17:36 +0000
Subject: [gnutls-devel] GnuTLS | RFC: Use custom free/realloc for GMP to safely delete temporary secrets (!1554)
In-Reply-To:
References:
Message-ID:

Tobias Heider commented:

A problem I'm running into with the current version is that mini-gmp.c always passes a 0 old_size to the reallocate function. Maybe we should handle the old_size == 0 case by just calling `realloc()`.

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1554#note_876061042
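A worked version of the allocator pair the MR description above talks about, together with the `old_size == 0` fallback proposed in the last comment. This is an added example written for this page; it is neither the MR's `lib/safe-memfuncs.c` nor GnuTLS code. The three functions have the signatures GMP's `mp_set_memory_functions()` expects, abort on allocation failure as the default GMP allocators do (Nettle never checks for NULL), copy only `min(old_size, new_size)` bytes on a shrink, wipe the discarded buffer before `free()`, and fall back to plain `realloc()` when `old_size` is 0, which is what mini-gmp always passes. The function names, the `zeroized_bytes` counter, the `USE_GMP` guard and `secure_zero()` (a portable stand-in for `explicit_bzero()`) are this example's own assumptions.

```c
/* Zeroizing GMP-style allocators. Added example, not GnuTLS code. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Bytes wiped so far; kept only so the behaviour can be observed without
 * reading freed memory (which would be undefined behaviour). */
static size_t zeroized_bytes;

/* Stand-in for explicit_bzero(): the volatile pointer keeps the compiler
 * from dropping the stores as dead writes right before free(). */
static void secure_zero(void *p, size_t n)
{
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--)
        *vp++ = 0;
}

/* GMP alloc hook: void *(*)(size_t). */
void *zeroizing_alloc(size_t size)
{
    void *p = malloc(size ? size : 1);
    if (p == NULL)
        abort();  /* GMP's defaults terminate on failure; Nettle relies on that */
    return p;
}

/* GMP realloc hook: void *(*)(void *, size_t old_size, size_t new_size).
 * old_size is the caller's statement of the live length; mini-gmp passes 0. */
void *zeroizing_realloc(void *old, size_t old_size, size_t new_size)
{
    void *p;

    if (old_size == 0) {
        /* No size information, so nothing can be wiped: plain realloc().
         * This is exactly the gap that remains for mini-gmp. */
        p = realloc(old, new_size ? new_size : 1);
        if (p == NULL)
            abort();
        return p;
    }

    p = malloc(new_size ? new_size : 1);
    if (p == NULL)
        abort();
    memcpy(p, old, old_size < new_size ? old_size : new_size);
    secure_zero(old, old_size);        /* wipe before the block is recycled */
    zeroized_bytes += old_size;
    free(old);
    return p;
}

/* GMP free hook: void (*)(void *, size_t). */
void zeroizing_free(void *ptr, size_t size)
{
    if (ptr == NULL)
        return;
    secure_zero(ptr, size);
    zeroized_bytes += size;
    free(ptr);
}

#ifdef USE_GMP
#include <gmp.h>
/* Hook the real library; must run before any GMP or Nettle call. */
void install_zeroizing_gmp_allocators(void)
{
    mp_set_memory_functions(zeroizing_alloc, zeroizing_realloc, zeroizing_free);
}
#endif

/* Drive a constructed 32-byte "limb" buffer through grow/shrink/free and
 * report how many bytes were wiped. old_size_reported models what the
 * caller passes to the realloc hook: 32 (honest) or 0 (mini-gmp style). */
size_t demo_zeroized_bytes(size_t old_size_reported)
{
    zeroized_bytes = 0;
    uint8_t *buf = zeroizing_alloc(32);
    memset(buf, 0xA5, 32);                         /* constructed secret */
    buf = zeroizing_realloc(buf, old_size_reported, 16);
    zeroizing_free(buf, 16);
    return zeroized_bytes;
}

int main(void)
{
    printf("honest old_size:   %zu bytes wiped\n", demo_zeroized_bytes(32));
    printf("old_size == 0:     %zu bytes wiped\n", demo_zeroized_bytes(0));
    return 0;
}
```

With honest sizes the shrink wipes the 32-byte original and the final free wipes the 16-byte replacement; with `old_size == 0` only the final free is wiped, so the data left behind by every mini-gmp reallocation is exactly what the "partial fix" remark later in this thread refers to. Build with `-DUSE_GMP -lgmp` to install the hooks into GMP itself.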
From gnutls-devel at lists.gnutls.org Wed Mar 16 07:13:26 2022
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Wed, 16 Mar 2022 06:13:26 +0000
Subject: [gnutls-devel] GnuTLS | cli, serv: allow multiple --compress-cert options (!1553)
In-Reply-To:
References:
Message-ID:

Merge request !1553 was merged

Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1553
Project:Branches: dueno/gnutls:wip/dueno/compress-cert-cli to gnutls/gnutls:master
Author: Daiki Ueno
Assignees:
Reviewers:

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1553

From gnutls-devel at lists.gnutls.org Wed Mar 16 07:13:40 2022
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Wed, 16 Mar 2022 06:13:40 +0000
Subject: [gnutls-devel] GnuTLS | cli, serv: allow multiple --compress-cert options (!1553)
In-Reply-To:
References:
Message-ID:

Daiki Ueno commented:

Thanks for the review!

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1553#note_876334047
From gnutls-devel at lists.gnutls.org Wed Mar 16 08:57:30 2022
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Wed, 16 Mar 2022 07:57:30 +0000
Subject: [gnutls-devel] GnuTLS | Consolidate FIPS .hmac files (#1338)
References:
Message-ID:

Daiki Ueno created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1338

When the FIPS integrity check is enabled, it currently opens 4 .hmac files: for libgnutls.so.* itself, libnettle.so.*, libhogweed.so.*, and libgmp.so.*. Given those files are part of individual packages (gnutls, nettle, and gmp), it is a bit harder to coordinate the package update. Therefore I propose consolidating those files into a single file, say .integrity, with the following format:

```ini
[global]
format-version = ...

[integrity]
libgnutls =
libnettle =
libhogweed =
libgmp =
```

We may also consider embedding that information in libgnutls.so.* itself, using a similar technique proposed in [integrity-notes](https://gitlab.com/dueno/integrity-notes).

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1338

From gnutls-devel at lists.gnutls.org Wed Mar 16 09:53:40 2022
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Wed, 16 Mar 2022 08:53:40 +0000
Subject: [gnutls-devel] GnuTLS | Make gnutls compliant to RFC5280 (!1550)
In-Reply-To:
References:
Message-ID:

All discussions on merge request !1550 were resolved by Zoltán Fridrich

https://gitlab.com/gnutls/gnutls/-/merge_requests/1550

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1550
URL: From gnutls-devel at lists.gnutls.org Wed Mar 16 11:20:56 2022 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 16 Mar 2022 10:20:56 +0000 Subject: [gnutls-devel] GnuTLS | cligen: update git submodule (!1555) References: Message-ID: Daiki Ueno created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1555 Project:Branches: dueno/gnutls:wip/dueno/cligen-update to gnutls/gnutls:master Author: Daiki Ueno To avoid emitting empty "list" substruct in header files. Fixes: #1337 ## Checklist * [x] Commits have `Signed-off-by:` with name/author being identical to the commit author * [ ] Code modified for feature * [ ] Test suite updated with functionality tests * [ ] Test suite updated with negative tests * [ ] Documentation updated / NEWS entry present (for non-trivial changes) * [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout) ## Reviewer's checklist: * [ ] Any issues marked for closing are addressed * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md` * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1555 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... 
From gnutls-devel at lists.gnutls.org Wed Mar 16 11:37:10 2022
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Wed, 16 Mar 2022 10:37:10 +0000
Subject: [gnutls-devel] GnuTLS | Make gnutls compliant to RFC5280 (!1550)
In-Reply-To:
References:
Message-ID:

Merge request !1550 was merged

Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1550
Project:Branches: ZoltanFridrich/gnutls:zfridric_devel to gnutls/gnutls:master
Author: Zoltán Fridrich
Assignee: Zoltán Fridrich
Reviewers:

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1550

From gnutls-devel at lists.gnutls.org Wed Mar 16 11:37:11 2022
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Wed, 16 Mar 2022 10:37:11 +0000
Subject: [gnutls-devel] GnuTLS | GnuTLS accepts a certificate whose serial number is zero (#181)
In-Reply-To:
References:
Message-ID:

Issue was closed by Zoltán Fridrich via merge request !1550 (https://gitlab.com/gnutls/gnutls/-/merge_requests/1550)

Issue #181: https://gitlab.com/gnutls/gnutls/-/issues/181

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/181
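A self-contained version of the serial-number rule that !1550 enforces and that #181 (a zero serial being accepted) was about, written for this page as an added example; it is not GnuTLS's `check_serial()`. RFC 5280 section 4.1.2.2 requires the serialNumber to be a positive integer of at most 20 octets, so the check below rejects a zero value, a negative value (sign bit set), a non-minimal DER encoding and more than 20 significant octets, while allowing the single leading 0x00 that DER needs to keep a high-bit value positive. It returns `bool`, as the review above suggested for an internal predicate. The function names, the tiny DER TLV reader and the constructed test serials are this example's own assumptions.

```c
/* RFC 5280 4.1.2.2 serialNumber sanity checks over raw DER.
 * Added example, not GnuTLS's check_serial(). */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_SERIAL_OCTETS 20   /* RFC 5280: conforming CAs MUST NOT exceed 20 octets */

/* Content octets of the serialNumber INTEGER (tag and length already
 * stripped): positive, non-zero, minimal DER, <= 20 significant octets. */
bool serial_is_rfc5280_compliant(const uint8_t *c, size_t len)
{
    size_t i, significant;

    if (c == NULL || len == 0)
        return false;                 /* empty INTEGER content is not valid DER */
    if (c[0] & 0x80)
        return false;                 /* two's-complement sign bit: negative serial */
    if (len >= 2 && c[0] == 0x00 && !(c[1] & 0x80))
        return false;                 /* 0x00 pad not needed for the sign: not minimal */

    significant = (c[0] == 0x00) ? len - 1 : len;   /* sign pad is not significant */
    if (significant > MAX_SERIAL_OCTETS)
        return false;

    for (i = 0; i < len; i++)
        if (c[i] != 0)
            return true;              /* some non-zero octet: value > 0 */
    return false;                     /* all-zero content: serial number zero (#181) */
}

/* Minimal DER reader for one INTEGER TLV at the start of buf. Accepts the
 * short form and long forms of up to 4 length bytes; a long form that
 * encodes a value < 0x80 or starts with a zero byte is not DER. */
bool der_read_integer(const uint8_t *buf, size_t buflen,
                      const uint8_t **content, size_t *clen)
{
    size_t pos = 0, len = 0, nbytes, i;

    if (buflen < 2 || buf[pos++] != 0x02)
        return false;
    if (buf[pos] < 0x80) {
        len = buf[pos++];
    } else {
        nbytes = buf[pos++] & 0x7f;
        if (nbytes == 0 || nbytes > 4 || nbytes > buflen - pos)
            return false;
        if (buf[pos] == 0x00)
            return false;             /* leading zero length byte: not minimal */
        for (i = 0; i < nbytes; i++)
            len = (len << 8) | buf[pos++];
        if (len < 0x80)
            return false;             /* should have used the short form */
    }
    if (len > buflen - pos)
        return false;                 /* truncated content */
    *content = buf + pos;
    *clen = len;
    return true;
}

/* Parse the TLV and apply the RFC 5280 rules in one call. */
bool tbs_serial_ok(const uint8_t *der, size_t len)
{
    const uint8_t *c;
    size_t n;
    return der_read_integer(der, len, &c, &n) && serial_is_rfc5280_compliant(c, n);
}

/* Constructed boundary cases: 20 octets pass, 21 fail, and a 0x00 sign pad
 * in front of 20 high-bit octets still counts as 20. */
bool demo_twenty_octet_boundary(void)
{
    uint8_t buf[22];
    memset(buf, 0x7f, sizeof buf);
    if (!serial_is_rfc5280_compliant(buf, 20))
        return false;
    if (serial_is_rfc5280_compliant(buf, 21))
        return false;
    buf[0] = 0x00;
    memset(buf + 1, 0xff, 20);
    return serial_is_rfc5280_compliant(buf, 21);
}

/* Constructed 128-octet serial with a long-form length (02 81 80 ...): the
 * TLV parses, but the value is rejected for exceeding 20 octets. */
bool demo_long_form_rejected(void)
{
    uint8_t tlv[3 + 128];
    const uint8_t *c;
    size_t n;

    tlv[0] = 0x02; tlv[1] = 0x81; tlv[2] = 0x80;
    memset(tlv + 3, 0x42, 128);
    if (!der_read_integer(tlv, sizeof tlv, &c, &n) || n != 128)
        return false;
    return !serial_is_rfc5280_compliant(c, n);
}

int main(void)
{
    static const uint8_t zero[] = {0x02, 0x01, 0x00};   /* the #181 case */
    static const uint8_t one[]  = {0x02, 0x01, 0x01};
    static const uint8_t neg[]  = {0x02, 0x01, 0x80};
    printf("serial 0:    %s\n", tbs_serial_ok(zero, sizeof zero) ? "ok" : "rejected");
    printf("serial 1:    %s\n", tbs_serial_ok(one, sizeof one) ? "ok" : "rejected");
    printf("serial -128: %s\n", tbs_serial_ok(neg, sizeof neg) ? "ok" : "rejected");
    return 0;
}
```

The check is deliberately strict on the encoding as well as the value: RFC 5280 also says certificate users should be prepared for non-conforming CAs that issue zero, negative or longer serials, so a library exposing this as a policy knob (the `STRICT_X509` guard mentioned in the review) rather than an unconditional rejection is the usual compromise.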
From gnutls-devel at lists.gnutls.org Wed Mar 16 12:23:17 2022
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Wed, 16 Mar 2022 11:23:17 +0000
Subject: [gnutls-devel] GnuTLS | Add configuration option to globally enable/disable KTLS (#1298)
In-Reply-To:
References:
Message-ID:

Milestone changed to Release of GnuTLS 3.7.5 (Mar 16, 2022 – May 15, 2022) ( https://gitlab.com/gnutls/gnutls/-/milestones/34 )

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1298

From gnutls-devel at lists.gnutls.org Wed Mar 16 14:51:29 2022
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Wed, 16 Mar 2022 13:51:29 +0000
Subject: [gnutls-devel] GnuTLS | MSVC problem with gen-getopt.py (#1337)
In-Reply-To:
References:
Message-ID:

Gisle Vanem commented:

> I've fixed it in https://gitlab.com/gnutls/cligen/-/commit/a9d7e08c032a7ec496695fdb0bbe30a66d472206.

So this new (?) `cli-codegen.py` script is supposed to work on Windows? It seems highly POSIX-centric.
Even a simple `py -3 ..\devel\cligen\cli-codegen.py -h`, gives: ``` ... ModuleNotFoundError: No module named 'pwd' ``` Yikes! -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1337#note_877032569 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Mar 16 15:29:55 2022 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 16 Mar 2022 14:29:55 +0000 Subject: [gnutls-devel] abi-dump | Regenerate from 3.7.4 release (!1) In-Reply-To: References: Message-ID: Reviewer changed to Daiki Ueno -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/abi-dump/-/merge_requests/1 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Mar 16 15:29:55 2022 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 16 Mar 2022 14:29:55 +0000 Subject: [gnutls-devel] abi-dump | Regenerate from 3.7.4 release (!1) In-Reply-To: References: Message-ID: Reassigned merge request 1 https://gitlab.com/gnutls/abi-dump/-/merge_requests/1 Assignee changed to Zolt?n Fridrich -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/abi-dump/-/merge_requests/1 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Mar 16 15:29:55 2022 
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 16 Mar 2022 14:29:55 +0000 Subject: [gnutls-devel] abi-dump | Regenerate from 3.7.4 release (!1) References: Message-ID: Zolt?n Fridrich created a merge request: https://gitlab.com/gnutls/abi-dump/-/merge_requests/1 Project:Branches: ZoltanFridrich/gnutls-abi-dump:zfridric_devel to gnutls/abi-dump:main Author: Zolt?n Fridrich Assignee: Zolt?n Fridrich Reviewer: Daiki Ueno Signed-off-by: Zoltan Fridrich -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/abi-dump/-/merge_requests/1 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Mar 16 15:31:35 2022 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 16 Mar 2022 14:31:35 +0000 Subject: [gnutls-devel] abi-dump | Regenerate from 3.7.4 release (!1) In-Reply-To: References: Message-ID: Merge request !1 was merged Merge request URL: https://gitlab.com/gnutls/abi-dump/-/merge_requests/1 Project:Branches: ZoltanFridrich/gnutls-abi-dump:zfridric_devel to gnutls/abi-dump:main Author: Zolt?n Fridrich Assignee: Zolt?n Fridrich Reviewer: Daiki Ueno -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/abi-dump/-/merge_requests/1 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Mar 16 15:46:20 2022 
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 16 Mar 2022 14:46:20 +0000 Subject: [gnutls-devel] GnuTLS | Release 3.7.4 (!1556) In-Reply-To: References: Message-ID: Reviewer changed to Daiki Ueno -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1556 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Mar 16 15:46:20 2022 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 16 Mar 2022 14:46:20 +0000 Subject: [gnutls-devel] GnuTLS | Release 3.7.4 (!1556) In-Reply-To: References: Message-ID: Reassigned merge request 1556 https://gitlab.com/gnutls/gnutls/-/merge_requests/1556 Assignee changed to Zolt?n Fridrich -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1556 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Mar 16 15:46:24 2022 
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 16 Mar 2022 14:46:24 +0000 Subject: [gnutls-devel] GnuTLS | Release 3.7.4 (!1556) References: Message-ID: Zolt?n Fridrich created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1556 Project:Branches: ZoltanFridrich/gnutls:zfridric_devel to gnutls/gnutls:master Author: Zolt?n Fridrich Assignee: Zolt?n Fridrich Reviewer: Daiki Ueno Add a description of the new feature/bug fix. Reference any relevant bugs.. ## Checklist * [ ] Commits have `Signed-off-by:` with name/author being identical to the commit author * [ ] Code modified for feature * [ ] Test suite updated with functionality tests * [ ] Test suite updated with negative tests * [ ] Documentation updated / NEWS entry present (for non-trivial changes) * [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout) ## Reviewer's checklist: * [ ] Any issues marked for closing are addressed * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md` * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1556 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Mar 16 15:56:00 2022 
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 16 Mar 2022 14:56:00 +0000 Subject: [gnutls-devel] GnuTLS | Release 3.7.4 (!1556) In-Reply-To: References: Message-ID: Merge request https://gitlab.com/gnutls/gnutls/-/merge_requests/1556 was reviewed by Daiki Ueno -- Daiki Ueno started a new discussion on NEWS: https://gitlab.com/gnutls/gnutls/-/merge_requests/1556#note_877166241 > gnutls_compress_certificate_get_selected_method: Added > gnutls_compress_certificate_set_methods: Added > +get_ciphersuite_name: Added ```suggestion:-0+0 gnutls_ciphersuite_get: Added gnutls_record_send_file: Added ``` -- Daiki Ueno started a new discussion on NEWS: https://gitlab.com/gnutls/gnutls/-/merge_requests/1556#note_877166256 > and subject name to make DirectoryString RFC5280 compliant. > +** libgnutls: Added function to retrieve the name of current ciphersuite > + from session. Maybe good to add a reference to #1291? -- Daiki Ueno started a new discussion on NEWS: https://gitlab.com/gnutls/gnutls/-/merge_requests/1556#note_877166266 > ** API and ABI modifications: > gnutls_compress_certificate_get_selected_method: Added > gnutls_compress_certificate_set_methods: Added Maybe good to mention `GNUTLS_COMP_BROTLI` and `GNUTLS_COMP_ZSTD` as: ``` GNUTLS_COMP_BROTLI: New gnutls_compression_method_t enum member ... ``` ? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1556 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Mar 16 15:56:52 2022 
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 16 Mar 2022 14:56:52 +0000 Subject: [gnutls-devel] GnuTLS | Release 3.7.4 (!1556) In-Reply-To: References: Message-ID: Daiki Ueno started a new discussion on NEWS: https://gitlab.com/gnutls/gnutls/-/merge_requests/1556#note_877168112 > Copyright (C) 2013-2019 Nikos Mavrogiannopoulos > See the end for copying conditions. > > -* Version 3.7.4 (unreleased) > - > -** Added support for certificate compression as defined in RFC8879. > -** libgnutls: Added strict-x509 configure option to enforce stricter > - certificate sanity checks. > +* Version 3.7.4 (released 2022-03-16) > + > +** lignutls: Added support for certificate compression as defined in RFC8879. Typo: lignutls -> libgnutls Also maybe good to mention #1301? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1556#note_877168112 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Mar 16 16:16:59 2022 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 16 Mar 2022 15:16:59 +0000 Subject: [gnutls-devel] GnuTLS | Release 3.7.4 (!1556) In-Reply-To: References: Message-ID: All discussions on merge request !1556 were resolved by Zolt?n Fridrich https://gitlab.com/gnutls/gnutls/-/merge_requests/1556 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1556 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Mar 16 16:31:14 2022 
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 16 Mar 2022 15:31:14 +0000 Subject: [gnutls-devel] GnuTLS | Release 3.7.4 (!1556) In-Reply-To: References: Message-ID: Merge request !1556 was approved by Daiki Ueno Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1556 Project:Branches: ZoltanFridrich/gnutls:zfridric_devel to gnutls/gnutls:master Author: Zolt?n Fridrich Assignee: Zolt?n Fridrich Reviewer: Daiki Ueno -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1556 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Mar 16 18:08:44 2022 
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 16 Mar 2022 17:08:44 +0000 Subject: [gnutls-devel] GnuTLS | Use custom free/realloc for GMP to safely delete temporary secrets (!1554) In-Reply-To: References: Message-ID: Merge request https://gitlab.com/gnutls/gnutls/-/merge_requests/1554 was reviewed by Alexander Sosedkin -- Alexander Sosedkin commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/1554#note_877386489 ... but then we don't zeroize, do we? Rendering this a partial fix until it starts passing the correct values. -- Alexander Sosedkin started a new discussion on lib/safe-memfuncs.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1554#note_877386494 > + newptr = realloc(data, new_size); > + if (newptr == NULL) > + abort(); Why abort and not propagate? -- Alexander Sosedkin started a new discussion on lib/safe-memfuncs.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1554#note_877386496 > + newptr = malloc(new_size); > + if (newptr == NULL) > + abort(); Ditto. -- Alexander Sosedkin started a new discussion on lib/safe-memfuncs.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1554#note_877386498 > + newptr = malloc(new_size); > + if (newptr == NULL) > + abort(); Ditto. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1554 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Mar 16 18:22:40 2022 
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 16 Mar 2022 17:22:40 +0000 Subject: [gnutls-devel] GnuTLS | Use custom free/realloc for GMP to safely delete temporary secrets (!1554) In-Reply-To: References: Message-ID: Tobias Heider commented on a discussion on lib/safe-memfuncs.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1554#note_877415137 > + * @old_size: the size of memory before reallocation > + * @new_size: the size of memory after reallocation > + * > + * This function will operate similarly to realloc(), but will safely > + * zeroize discarded memory. > + * > + **/ > +void *gnutls_realloc_zero(void *data, size_t old_size, size_t new_size) > +{ > + void *newptr = NULL; > + > + /* mini-gmp always passes old_size of 0 */ > + if (old_size == 0) { > + newptr = realloc(data, new_size); > + if (newptr == NULL) > + abort(); In a previous comment @dueno noted that this is what GMP does by default. I copied what they are doing. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1554#note_877415137 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Mar 16 18:23:25 2022 
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 16 Mar 2022 17:23:25 +0000 Subject: [gnutls-devel] GnuTLS | Use custom free/realloc for GMP to safely delete temporary secrets (!1554) In-Reply-To: References: Message-ID: Tobias Heider commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/1554#note_877416079 Correct, in the mini-gmp case we can't because there is no way to know the size to zeroize. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1554#note_877416079 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Mar 16 20:05:00 2022 
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 16 Mar 2022 19:05:00 +0000 Subject: [gnutls-devel] GnuTLS | Use custom free/realloc for GMP to safely delete temporary secrets (!1554) In-Reply-To: References: Message-ID: Alexander Sosedkin commented on a discussion on lib/safe-memfuncs.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1554#note_877545808 > + * @old_size: the size of memory before reallocation > + * @new_size: the size of memory after reallocation > + * > + * This function will operate similarly to realloc(), but will safely > + * zeroize discarded memory. > + * > + **/ > +void *gnutls_realloc_zero(void *data, size_t old_size, size_t new_size) > +{ > + void *newptr = NULL; > + > + /* mini-gmp always passes old_size of 0 */ > + if (old_size == 0) { > + newptr = realloc(data, new_size); > + if (newptr == NULL) > + abort(); Uh, OK, sorry. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1554#note_877545808 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Mar 17 07:10:57 2022 
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Thu, 17 Mar 2022 06:10:57 +0000
Subject: [gnutls-devel] GnuTLS | Use custom free/realloc for GMP to safely delete temporary secrets (!1554)
In-Reply-To:
References:
Message-ID:

Daiki Ueno commented:

One more thing I have to mention is that Guile is [overriding](https://git.savannah.gnu.org/cgit/guile.git/commit/?id=00fbdfa7345765168e14438eed0b0b8c64c27ab9) the GMP allocators with GC-capable ones and I remember there were some issues when the Guile binding of GnuTLS is used. I don't have a concrete idea on how to overcome such uses, but perhaps it might make sense to:

- un-deprecate `gnutls_global_set_mem_functions`
- if the function is called and any of our allocators (`gnutls_malloc` etc.) is overridden, treat it as an indication that the application wants to handle allocations by themselves, i.e., we do not install GMP allocators

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1554#note_877936860

From gnutls-devel at lists.gnutls.org Thu Mar 17 07:46:09 2022
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Thu, 17 Mar 2022 06:46:09 +0000 Subject: [gnutls-devel] GnuTLS | MSVC problem with gen-getopt.py (#1337) In-Reply-To: References: Message-ID: Daiki Ueno commented on a discussion: https://gitlab.com/gnutls/gnutls/-/issues/1337#note_877962029 Thanks; it should be fixed in https://gitlab.com/gnutls/cligen/-/commit/3e3af3f4da242fec3588a28592f48925d730fbee -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1337#note_877962029 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Mar 17 09:05:01 2022 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Thu, 17 Mar 2022 08:05:01 +0000 Subject: [gnutls-devel] GnuTLS | MSVC problem with gen-getopt.py (#1337) In-Reply-To: References: Message-ID: Gisle Vanem commented on a discussion: https://gitlab.com/gnutls/gnutls/-/issues/1337#note_878032432 Looks good. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1337#note_878032432 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Mar 17 10:03:54 2022 
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Thu, 17 Mar 2022 09:03:54 +0000
Subject: [gnutls-devel] GnuTLS | Release 3.7.4 (!1556)

Merge request !1556 was merged

Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1556
Project:Branches: ZoltanFridrich/gnutls:zfridric_devel to gnutls/gnutls:master
Author: Zoltán Fridrich
Assignee: Zoltán Fridrich
Reviewer: Daiki Ueno

From gnutls-devel at lists.gnutls.org Thu Mar 17 18:18:14 2022
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Thu, 17 Mar 2022 17:18:14 +0000
Subject: [gnutls-devel] web-pages | Update list of release signing keys (#3)

Adam Sampson created an issue: https://gitlab.com/gnutls/web-pages/-/issues/3

The [download page](https://www.gnutls.org/download.html) says that

> All the new releases are signed with either Dmitry's, Tim's, or Daiki's OpenPGP key.

However:

- 3.7.4 is signed with 7A75A648B3F9220C, which appears to be Zoltan's key; this isn't on the list.
- The link to Dmitry's key is broken (although it's available from other keyservers).

From gnutls-devel at lists.gnutls.org Thu Mar 17 20:11:57 2022
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Thu, 17 Mar 2022 19:11:57 +0000
Subject: [gnutls-devel] web-pages | Update list of release signing keys (#3)

Daiki Ueno commented:

> * 3.7.4 is signed with 7A75A648B3F9220C, which appears to be Zoltan's key; this isn't on the list.

3.7.4 is also signed with my key 462225C3B46F34879FC8496CD605848ED7E69871, so the claim still holds :-)

> * The link to Dmitry's key is broken (although it's available from other keyservers).

Indeed, I'll point it to keys.openpgp.org once we confirm with him; @lumag is it okay?

View on GitLab: https://gitlab.com/gnutls/web-pages/-/issues/3#note_878993539

From gnutls-devel at lists.gnutls.org Thu Mar 17 21:43:36 2022
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Thu, 17 Mar 2022 20:43:36 +0000
Subject: [gnutls-devel] GnuTLS | cligen: update git submodule (!1555)

Daiki Ueno commented:

Merging without approval, as it is only about git submodule.

View on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1555#note_879072536

From gnutls-devel at lists.gnutls.org Thu Mar 17 21:43:46 2022
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Thu, 17 Mar 2022 20:43:46 +0000
Subject: [gnutls-devel] GnuTLS | MSVC problem with gen-getopt.py (#1337)

Issue was closed by Daiki Ueno via merge request !1555 (https://gitlab.com/gnutls/gnutls/-/merge_requests/1555)

Issue #1337: https://gitlab.com/gnutls/gnutls/-/issues/1337

From gnutls-devel at lists.gnutls.org Thu Mar 17 21:43:47 2022
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Thu, 17 Mar 2022 20:43:47 +0000
Subject: [gnutls-devel] GnuTLS | cligen: update git submodule (!1555)

Merge request !1555 was merged

Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1555
Project:Branches: dueno/gnutls:wip/dueno/cligen-update to gnutls/gnutls:master
Author: Daiki Ueno
Assignees:
Reviewers:

From gnutls-devel at lists.gnutls.org Fri Mar 18 02:55:17 2022
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Fri, 18 Mar 2022 01:55:17 +0000
Subject: [gnutls-devel] GnuTLS | p11tool fails to find certs with AWS KMS token (#1340)

Benjamin Herrenschmidt created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1340

Hi! I am a contributor to this "soft" token which talks to AWS KMS: https://github.com/JackOfMostTrades/aws-kms-pkcs11

A given slot with this token has just two objects: a private key and a certificate. Retrieving the certificate fails with p11tool consistently.

The error seems to be a disconnect between these two functions in gnutls lib/pkcs11.c:

* find_privkeys()

It properly finds the private key and reaches the following code:

```
current = 0;
while (pkcs11_find_objects
       (sinfo->module, sinfo->pks, &ctx, 1, &count) == CKR_OK
       && count == 1) {

	a[0].type = CKA_ID;
	a[0].value = certid_tmp;
	a[0].value_len = sizeof(certid_tmp);

	_gnutls_buffer_init(&list->key_ids[current]);

	if (pkcs11_get_attribute_value
	    (sinfo->module, sinfo->pks, ctx, a, 1) == CKR_OK) {
		ret =
		    _gnutls_buffer_append_data(&list->key_ids[current],
					       a[0].value,
					       a[0].value_len);
		if (ret < 0)
			return gnutls_assert_val(ret);
		current++;
	}

	if (current > list->key_ids_size)
		break;
}

pkcs11_find_objects_final(sinfo);

list->key_ids_size = current - 1;
```

There is only one iteration of the loop since there's only one object of type CKO_PRIVATE_KEY in the token.
The retrieval of the attribute works fine, so we exit the loop with:

```
current = 1
```

We thus return from the function with

```
list->key_ids_size = 0
```

Now, this is called from this code in find_multi_objs_cb() (note: this is the only caller)

```
memset(&plist, 0, sizeof(plist));

if (find_data->flags & GNUTLS_PKCS11_OBJ_FLAG_WITH_PRIVKEY) {
	ret = find_privkeys(sinfo, tinfo, &plist);
	if (ret < 0) {
		gnutls_assert();
		return ret;
	}

	if (plist.key_ids_size == 0) {
		gnutls_assert();
		return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE;
	}
}
```

As you can see, it will hit the case where plist.key_ids_size is 0 and fail. There seems to be a disconnect between the caller and the callee as to whether key_ids_size is 0 or 1...

Now I'm happy to send a pull request with a fix provided somebody can confirm that my analysis is correct. I can see two main approaches to fix this:

- Remove the "-1" when setting key_ids_size in find_privkeys(). This is IMHO the most obvious fix and provides the clearest semantics
- Remove the second test in the caller

Recommendations? Did I get something very wrong? :-)

From gnutls-devel at lists.gnutls.org Fri Mar 18 03:17:43 2022
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Fri, 18 Mar 2022 02:17:43 +0000
Subject: [gnutls-devel] GnuTLS | p11tool fails to find certs with AWS KMS token (#1340)

Benjamin Herrenschmidt commented:

Note: subsequent use of plist.key_ids_size seems to indicate it really should be one, so this should be the fix:

```
--- a/lib/pkcs11.c
+++ b/lib/pkcs11.c
@@ -2632,7 +2632,7 @@ find_privkeys(struct pkcs11_session_info *sinfo,
 pkcs11_find_objects_final(sinfo);
- list->key_ids_size = current - 1;
+ list->key_ids_size = current;
 return 0;
 }
```

View on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1340#note_879283098

From gnutls-devel at lists.gnutls.org Fri Mar 18 04:24:54 2022
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Fri, 18 Mar 2022 03:24:54 +0000
Subject: [gnutls-devel] GnuTLS | p11tool fails to find certs with AWS KMS token (#1340)

Benjamin Herrenschmidt commented:

So I must be missing something because with that change, testpkcs11.sh fails

View on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1340#note_879315238

From gnutls-devel at lists.gnutls.org Fri Mar 18 06:06:54 2022
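Review bot: changing `list->key_ids_size = current - 1` to `current` in the find_privkeys() hunk fixes the single-private-key case but silently changes the count that every consumer of `key_ids` sees, and the loop above it already uses `key_ids_size` as a bound (`if (current > list->key_ids_size) break;`), so the two conventions need to be reconciled together rather than at this one line. The only consumer visible in the thread checks `plist.key_ids_size == 0`, and the report that `testpkcs11.sh` fails after this change indicates another consumer depends on the old value; suggest auditing every use of `key_ids_size` (bound, count or last index), adjusting them in the same patch, and adding a test token with exactly one private key so the off-by-one is covered by the test suite rather than only by the AWS KMS module.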
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Fri, 18 Mar 2022 05:06:54 +0000
Subject: [gnutls-devel] GnuTLS | 3.7.4 tarball lacks gtk-doc macro (#1341)

Sam James created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1341

Hi! Thanks for another release of GnuTLS :)

3.7.4's `./configure` lacks support for `--{enable,disable}-gtk-doc`. Noticed when working on packaging 3.7.4 for Gentoo.

It took me a little while to figure it out given `configure.ac` still contains:

```
dnl
dnl check for gtk-doc
dnl
m4_ifdef([GTK_DOC_CHECK], [
GTK_DOC_CHECK([1.14],[--flavour no-tmpl])
],[
AM_CONDITIONAL([ENABLE_GTK_DOC], false)
])

# needed for some older versions of gtk-doc
m4_ifdef([GTK_DOC_USE_LIBTOOL], [], [
AM_CONDITIONAL([GTK_DOC_USE_LIBTOOL], false)
])
```

I realised after diffing 3.7.3 and 3.7.4's tarballs (I won't bore you with all the relevant snippets, just enough to show the issue):

```
--- /tmp/pkgdiff/portage/net-libs/gnutls-3.7.3-r1/work/gnutls-3.7.3/aclocal.m4	2022-01-18 07:07:52.000000000 +0000
+++ /tmp/pkgdiff/portage/net-libs/gnutls-3.7.4/work/gnutls-3.7.4/aclocal.m4	2022-03-17 10:11:32.000000000 +0000
@@ -1611,7 +1611,6 @@
 m4_include([m4/gettext.m4])
 m4_include([m4/gettimeofday.m4])
 m4_include([m4/gnulib-common.m4])
 m4_include([m4/gnulib-comp.m4])
-m4_include([m4/gtk-doc.m4])
 m4_include([m4/guile.m4])
 m4_include([m4/hooks.m4])
 m4_include([m4/host-cpu-c-abi.m4])
[...]
```

As per the `configure.ac` extract quoted above, the presence of the option is "automagic" based on whether `gtk-doc` (or at least `gtk-doc-am`) is installed on the system used to produce the release tarball (`make dist`).

I suspect what happened is @ZoltanFridrich didn't have `gtk-doc` installed in the environment used to generate the 3.7.4 release.

From gnutls-devel at lists.gnutls.org Fri Mar 18 06:09:12 2022
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Fri, 18 Mar 2022 05:09:12 +0000
Subject: [gnutls-devel] web-pages | Update list of release signing keys (#3)

Sam James commented:

I was on my way to file this bug then found this! Our tooling in Gentoo (for better or worse) assumes that all signatures on files will be known, but I didn't want to add Zoltan's key until it's on the site, but you are right of course - it's still got a valid signature from you :smile:

View on GitLab: https://gitlab.com/gnutls/web-pages/-/issues/3#note_879355920

From gnutls-devel at lists.gnutls.org Fri Mar 18 06:32:26 2022
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Fri, 18 Mar 2022 05:32:26 +0000
Subject: [gnutls-devel] GnuTLS | configure description for brotli/zstd is wrong (#1342)

Sam James created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1342

From `./configure --help`:

```
[...]
  --without-brotli        disable brotli compression support
  --without-zstd          disable zstd compression support
[...]
```

But `./configure --without-brotli --without-zstd` yields:

```
configure: WARNING: unrecognized options: --without-brotli, --without-zstd
checking build system type... x86_64-pc-linux-gnu
checking host system type... x86_64-pc-linux-gnu
checking for a BSD-compatible install... /usr/bin/install -c
[...]
```

In `configure.ac`, these options are defined as:

```
AC_ARG_WITH(libbrotli,
	AS_HELP_STRING([--without-brotli], [disable brotli compression support]),
	ac_brotli=$withval, ac_brotli=yes)
[...]
AC_ARG_WITH(libzstd,
	AS_HELP_STRING([--without-zstd], [disable zstd compression support]),
	ac_zstd=$withval, ac_zstd=yes)
[...]
```

The first argument of `AC_ARG_WITH` corresponds to the `--{with,without}-*` argument, so it all needs to be consistently `libbrotli` (etc) or `brotli` (etc).

From gnutls-devel at lists.gnutls.org Fri Mar 18 06:53:23 2022
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Fri, 18 Mar 2022 05:53:23 +0000
Subject: [gnutls-devel] GnuTLS | configure finds-then-discards zstd (#1343)

Sam James created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1343

`./configure` with zstd installed looks like this for me:

```
checking how to link with libz... -lz
checking whether to include brotli compression support... no
checking whether to include zstd compression support... yes
checking for LIBZSTD... yes
configure: WARNING:
*** LIBZSTD was not found. You will not be able to use ZSTD compression.
checking whether building Guile bindings... yes
```

It's finding zstd (and saying so) but then telling me it wasn't!

`configure.ac` contains:

```
if test "${with_libzstd}" = "yes" && test "${has_zstd_h}" = "yes"; then
```

... but `has_zstd_h` isn't defined by anything, so this test can never pass.

From gnutls-devel at lists.gnutls.org Fri Mar 18 06:56:53 2022
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Fri, 18 Mar 2022 05:56:53 +0000
Subject: [gnutls-devel] GnuTLS | configure.ac: fix brotli/zstd configure argument name; fix zstd searching (!1557)

Sam James created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1557

Project:Branches: thesamesam/gnutls:configure-args-compression to gnutls/gnutls:master
Author: Sam James

Add a description of the new feature/bug fix. Reference any relevant bugs.

## Checklist

* [X] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [X] Code modified for feature
* [N/A] Test suite updated with functionality tests
* [N/A] Test suite updated with negative tests
* [TODO] Documentation updated / NEWS entry present (for non-trivial changes)
* [X] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:

* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

From gnutls-devel at lists.gnutls.org Fri Mar 18 07:22:43 2022
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Fri, 18 Mar 2022 06:22:43 +0000
Subject: [gnutls-devel] GnuTLS | p11tool fails to find certs with AWS KMS token (with possible fix ?) (#1340)

Benjamin Herrenschmidt commented:

The above fix does make it work with my token

View on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1340#note_879390453

From gnutls-devel at lists.gnutls.org Fri Mar 18 07:55:24 2022
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Fri, 18 Mar 2022 06:55:24 +0000
Subject: [gnutls-devel] GnuTLS | NEWS: mention couple more changes in 3.7.4 release [ci-skip] (!1558)

Daiki Ueno created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1558

Project:Branches: dueno/gnutls:wip/dueno/3.7.4-followup to gnutls/gnutls:master
Author: Daiki Ueno

..

## Checklist

* [x] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [ ] Code modified for feature
* [ ] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
* [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:

* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

From gnutls-devel at lists.gnutls.org Fri Mar 18 09:06:23 2022
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Fri, 18 Mar 2022 08:06:23 +0000
Subject: [gnutls-devel] GnuTLS | 3.7.4 tarball lacks gtk-doc macro (#1341)

Daiki Ueno commented:

Thanks for the report; yeah, let's remove the `GTK_DOC_USE_LIBTOOL` fallback so this should be caught during `make distcheck`.

View on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1341#note_879463507

From gnutls-devel at lists.gnutls.org Fri Mar 18 09:22:03 2022
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Fri, 18 Mar 2022 08:22:03 +0000
Subject: [gnutls-devel] web-pages | add notes from 3.7.4 release (!2)

Reassigned merge request 2 https://gitlab.com/gnutls/web-pages/-/merge_requests/2

Assignee changed to Zoltán Fridrich

From gnutls-devel at lists.gnutls.org Fri Mar 18 09:22:06 2022
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Fri, 18 Mar 2022 08:22:06 +0000
Subject: [gnutls-devel] web-pages | add notes from 3.7.4 release (!2)

Zoltán Fridrich created a merge request: https://gitlab.com/gnutls/web-pages/-/merge_requests/2

Project:Branches: ZoltanFridrich/gnutls-web-pages:zfridric_devel to gnutls/web-pages:master
Author: Zoltán Fridrich
Assignee: Zoltán Fridrich
Signed-off-by: Zoltan Fridrich

From gnutls-devel at lists.gnutls.org Fri Mar 18 09:23:54 2022
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Fri, 18 Mar 2022 08:23:54 +0000
Subject: [gnutls-devel] web-pages | add notes from 3.7.4 release (!2)

Merge request !2 was merged

Merge request URL: https://gitlab.com/gnutls/web-pages/-/merge_requests/2
Project:Branches: ZoltanFridrich/gnutls-web-pages:zfridric_devel to gnutls/web-pages:master
Author: Zoltán Fridrich
Assignee: Zoltán Fridrich
Reviewers:

From gnutls-devel at lists.gnutls.org Fri Mar 18 09:52:30 2022
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Fri, 18 Mar 2022 08:52:30 +0000
Subject: [gnutls-devel] GnuTLS | p11tool fails to find certs with AWS KMS token (with possible fix ?) (#1340)

Benjamin Herrenschmidt commented:

Note: What fails specifically is p11tool --list-certs

View on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1340#note_879515338

From gnutls-devel at lists.gnutls.org Fri Mar 18 10:47:53 2022
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Fri, 18 Mar 2022 09:47:53 +0000
Subject: [gnutls-devel] GnuTLS | NEWS: mention couple more changes in 3.7.4 release [ci-skip] (!1558)

Merge request !1558 was merged

Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1558
Project:Branches: dueno/gnutls:wip/dueno/3.7.4-followup to gnutls/gnutls:master
Author: Daiki Ueno
Assignees:
Reviewers:

From gnutls-devel at lists.gnutls.org Fri Mar 18 11:23:15 2022
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Fri, 18 Mar 2022 10:23:15 +0000
Subject: [gnutls-devel] GnuTLS | Use custom free/realloc for GMP to safely delete temporary secrets (!1554)

Tobias Heider commented:

@dueno conflicting overrides indeed seem to be a problem... In the Guile case I think the following hack could solve the problem:

```
/* GMP's hook signatures: realloc takes (ptr, old_size, new_size),
 * free takes (ptr, size) */
void *(*allocfunc) (size_t);
void *(*reallocfunc) (void *, size_t, size_t);
void (*freefunc) (void *, size_t);
void *(*defreallocfunc) (void *, size_t, size_t);
void (*deffreefunc) (void *, size_t);

/* Get previous allocators */
mp_get_memory_functions(&allocfunc, &reallocfunc, &freefunc);
/* Reset to defaults */
mp_set_memory_functions(NULL, NULL, NULL);
/* Get default allocators */
mp_get_memory_functions(NULL, &defreallocfunc, &deffreefunc);
/* See if free or realloc have been overridden before; if so, put the
 * application's allocators back and leave them alone */
if (reallocfunc != defreallocfunc || freefunc != deffreefunc) {
	mp_set_memory_functions(allocfunc, reallocfunc, freefunc);
	goto donothing;
}
/* Overload GMP allocators with safe alternatives */
mp_set_memory_functions(NULL, gnutls_realloc_zero, gnutls_free_zero);
```

This probably isn't the most elegant solution but reading the gmp code and documentation I think it should do the job.

What I am really more worried about is applications overriding the allocators when you actually want FIPS compliance and secure deletion. The best solution in the long term would probably be something like a `gmp_ctx` which can be passed to every gmp function call instead of a single global setting. The `gmp_ctx` then stores the pointers to the allocator functions so that every caller can pass their own allocators.

I can't really think of an easy fix other than just saying: don't override gmp allocators if you want things to be securely deleted for you, otherwise you are on your own.

View on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1554#note_879633463
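Added here as an illustration, not GnuTLS or GMP code and not the MR's implementation: the size-aware zeroing free/realloc that !1554 gives GMP, together with the check-the-defaults guard from the comment above. `stub_mp_set_memory_functions`/`stub_mp_get_memory_functions`, the `default_*` functions, `app_free` and the zeroing functions are all constructed stand-ins (with GMP's hook signatures) so the file builds without libgmp.

```c
/* Constructed example: size-aware zeroing allocators of the kind !1554 installs
 * into GMP, plus the "install only if the application has not overridden GMP's
 * allocators" guard. stub_mp_* stands in for GMP's mp_get/set_memory_functions
 * (same function-pointer signatures) so this builds without libgmp. */
#include <stdlib.h>
#include <string.h>

typedef void *(*alloc_fn)(size_t);
typedef void *(*realloc_fn)(void *, size_t, size_t);
typedef void (*free_fn)(void *, size_t);

/* Allocators in effect when nothing has been installed (GMP's defaults). */
static void *default_alloc(size_t n) { return malloc(n); }
static void *default_realloc(void *p, size_t o, size_t n) { (void)o; return realloc(p, n); }
static void default_free(void *p, size_t n) { (void)n; free(p); }

/* Constructed stand-in for GMP's global allocator registry. */
static alloc_fn cur_alloc = default_alloc;
static realloc_fn cur_realloc = default_realloc;
static free_fn cur_free = default_free;

static void stub_mp_set_memory_functions(alloc_fn a, realloc_fn r, free_fn f)
{
	cur_alloc = a ? a : default_alloc;     /* NULL means "the default", as in GMP */
	cur_realloc = r ? r : default_realloc;
	cur_free = f ? f : default_free;
}

static void stub_mp_get_memory_functions(alloc_fn *a, realloc_fn *r, free_fn *f)
{
	if (a) *a = cur_alloc;
	if (r) *r = cur_realloc;
	if (f) *f = cur_free;
}

/* Zero n bytes through a volatile pointer so the stores cannot be dropped as
 * dead: a plain memset() right before free() is what optimizers eliminate. */
void wipe(void *p, size_t n)
{
	volatile unsigned char *v = p;
	while (n--)
		*v++ = 0;
}

/* GMP passes the block size to its free hook; plain free() never knows it, and
 * that size is what makes zero-before-release of mpz_t temporaries possible. */
void zero_free(void *p, size_t n)
{
	if (p) {
		wipe(p, n);
		free(p);
	}
}

/* Grow or shrink without leaving a copy of the old contents behind. */
void *zero_realloc(void *p, size_t old, size_t new_sz)
{
	void *q = malloc(new_sz);
	if (q == NULL)
		return NULL;
	if (p != NULL && old > 0)
		memcpy(q, p, old < new_sz ? old : new_sz);
	zero_free(p, old);
	return q;
}

/* Install the zeroing hooks only if realloc/free are still the defaults. If an
 * application (a GC-aware binding such as Guile) installed its own, put them
 * back untouched. Returns 1 when installed, 0 when left alone. */
int install_zeroing_allocators(void)
{
	alloc_fn a;
	realloc_fn r, def_r;
	free_fn f, def_f;

	stub_mp_get_memory_functions(&a, &r, &f);           /* in effect now     */
	stub_mp_set_memory_functions(NULL, NULL, NULL);     /* reset to defaults */
	stub_mp_get_memory_functions(NULL, &def_r, &def_f); /* read the defaults */
	if (r != def_r || f != def_f) {
		stub_mp_set_memory_functions(a, r, f);      /* hand theirs back  */
		return 0;
	}
	stub_mp_set_memory_functions(NULL, zero_realloc, zero_free);
	return 1;
}

int zeroing_allocators_active(void) { return cur_realloc == zero_realloc && cur_free == zero_free; }

/* Stand-in for an application-installed free hook, as Guile registers one. */
void app_free(void *p, size_t n) { (void)n; free(p); }

/* Guile scenario: the app installs its hook first, then the guard runs.
 * Returns 1 if the guard left app_free in place and installed nothing. */
int guard_respects_app_override(void)
{
	free_fn f;
	stub_mp_set_memory_functions(NULL, NULL, app_free);
	if (install_zeroing_allocators() != 0)
		return 0;
	stub_mp_get_memory_functions(NULL, NULL, &f);
	return f == app_free && !zeroing_allocators_active();
}
```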
From gnutls-devel at lists.gnutls.org Fri Mar 18 12:20:24 2022
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Fri, 18 Mar 2022 11:20:24 +0000
Subject: [gnutls-devel] GnuTLS | WIP: system config disable KTLS (!1559)

Reassigned merge request 1559 https://gitlab.com/gnutls/gnutls/-/merge_requests/1559

Assignee changed to František Krenželok

From gnutls-devel at lists.gnutls.org Fri Mar 18 12:20:25 2022
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Fri, 18 Mar 2022 11:20:25 +0000
Subject: [gnutls-devel] GnuTLS | WIP: system config disable KTLS (!1559)

František Krenželok created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1559

Project:Branches: FrantisekKrenzelok/gnutls:config to gnutls/gnutls:master
Author: František Krenželok
Assignee: František Krenželok

Addresses: #1298

## Checklist

* [ ] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [ ] Code modified for feature
* [ ] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
* [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:

* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

From gnutls-devel at lists.gnutls.org Sat Mar 19 06:44:26 2022
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sat, 19 Mar 2022 05:44:26 +0000
Subject: [gnutls-devel] web-pages | Update list of release signing keys (#3)

Daiki Ueno commented:

OK; now it reads: https://www.gnutls.org/download.html

> All the new releases are signed with at least one OpenPGP key of the current maintainers, optionally with the keys of release managers. Those keys are found in the keyring file.

Does it sound ok?

View on GitLab: https://gitlab.com/gnutls/web-pages/-/issues/3#note_880747994

From gnutls-devel at lists.gnutls.org Sat Mar 19 09:24:39 2022
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sat, 19 Mar 2022 08:24:39 +0000
Subject: [gnutls-devel] GnuTLS | configure.ac: fix brotli/zstd configure argument name; fix zstd searching (!1557)

Merge request !1557 was approved by Daiki Ueno

Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1557
Project:Branches: thesamesam/gnutls:configure-args-compression to gnutls/gnutls:master
Author: Sam James
Assignees:
Reviewers:

From gnutls-devel at lists.gnutls.org Sat Mar 19 09:24:49 2022
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sat, 19 Mar 2022 08:24:49 +0000
Subject: [gnutls-devel] GnuTLS | configure finds-then-discards zstd (#1343)

Issue was closed by Daiki Ueno via commit 33a9c32a31b246a10af5aaf413ae6e927810e723

Issue #1343: https://gitlab.com/gnutls/gnutls/-/issues/1343

From gnutls-devel at lists.gnutls.org Sat Mar 19 09:24:50 2022
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sat, 19 Mar 2022 08:24:50 +0000
Subject: [gnutls-devel] GnuTLS | configure description for brotli/zstd is wrong (#1342)

Issue was closed by Daiki Ueno via commit 6b794e49d1a14e43f9e08023f958364712c3c89a

Issue #1342: https://gitlab.com/gnutls/gnutls/-/issues/1342

From gnutls-devel at lists.gnutls.org Sat Mar 19 09:24:49 2022
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sat, 19 Mar 2022 08:24:49 +0000
Subject: [gnutls-devel] GnuTLS | configure.ac: fix brotli/zstd configure argument name; fix zstd searching (!1557)

Merge request !1557 was merged

Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1557
Project:Branches: thesamesam/gnutls:configure-args-compression to gnutls/gnutls:master
Author: Sam James
Assignees:
Reviewers:

From gnutls-devel at lists.gnutls.org Sat Mar 19 09:25:15 2022
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sat, 19 Mar 2022 08:25:15 +0000
Subject: [gnutls-devel] GnuTLS | configure.ac: fix brotli/zstd configure argument name; fix zstd searching (!1557)

Daiki Ueno commented:

Thank you so much for the patches!

View on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1557#note_880779334

From gnutls-devel at lists.gnutls.org Sat Mar 19 11:17:32 2022
Date: Sat, 19 Mar 2022 10:17:32 +0000
Subject: [gnutls-devel] GnuTLS | Use custom free/realloc for GMP to safely delete temporary secrets (!1554)

Daiki Ueno commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/1554#note_880802158

The solution checking the default allocators with `mp_get_memory_functions` sounds reasonable to me. Would you amend this MR to include it?


Date: Sun, 20 Mar 2022 03:24:14 +0000
Subject: [gnutls-devel] GnuTLS | configure.ac: fix brotli/zstd configure argument name; fix zstd searching (!1557)

Sam James commented:

Thank _you_ for merging them and maintaining the project! :smile:

View it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1557#note_881056563

Date: Sun, 20 Mar 2022 03:33:34 +0000
Subject: [gnutls-devel] web-pages | Update list of release signing keys (#3)

Sam James commented:

Thanks! The keyring is really useful (makes it a lot easier than having to grab various keys and shove them in a file on our end) and the change looks great.

View it on GitLab: https://gitlab.com/gnutls/web-pages/-/issues/3#note_881058167


Date: Sun, 20 Mar 2022 04:05:38 +0000
Subject: [gnutls-devel] web-pages | Update list of release signing keys (#3)

Adam Sampson commented:

Yep, that's great - thanks!

View it on GitLab: https://gitlab.com/gnutls/web-pages/-/issues/3#note_881062208

Date: Sun, 20 Mar 2022 09:43:31 +0000
Subject: [gnutls-devel] web-pages | Update list of release signing keys (#3)

Issue was closed by Daiki Ueno

Issue #3: https://gitlab.com/gnutls/web-pages/-/issues/3

Date: Mon, 21 Mar 2022 03:06:32 +0000
Subject: [gnutls-devel] GnuTLS | Fix matching of last key of a pkcs#11 token (!1560)

Benjamin Herrenschmidt created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1560

Project:Branches: ozbenh/gnutls:fix-find-pkcs11-keys to gnutls/gnutls:master
Author: Benjamin Herrenschmidt

Fix for https://gitlab.com/gnutls/gnutls/-/issues/1340

## Checklist

* [*] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [ ] Code modified for feature
* [ ] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
* [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:

* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

Date: Mon, 21 Mar 2022 08:48:38 +0000
Subject: [gnutls-devel] GnuTLS | Consolidate FIPS .hmac files (#1338)

Daiki Ueno commented:

Proposed Acceptance Criteria:

* AC1: when building from the source (with `make`), `lib/fipshmac` produces a .hmac file with the HMACs for libgnutls.so (**not stripped**), libnettle.so (stripped), libhogweed.so (stripped), libgmp.so (stripped). The library integrity check as part of FIPS self-test should succeed if you run the compiled executables, e.g., `src/gnutls-cli --benchmark-ciphers`
* AC2: when installing library to the system, `lib/fipshmac` produces a .hmac file with the HMACs for libgnutls.so (stripped), libnettle.so (stripped), libhogweed.so (stripped), libgmp.so (stripped). The library integrity check as part of FIPS self-test should succeed if you run the installed executables, e.g., `/usr/bin/gnutls-cli --benchmark-ciphers`

AC2 can be satisfied by modifying either the Automake `install-exec-local` phase, or the RPM `%install` phase.

View it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1338#note_881657481

Date: Mon, 21 Mar 2022 09:27:39 +0000
Subject: [gnutls-devel] GnuTLS | Fix matching of last key of a pkcs#11 token (!1560)

Daiki Ueno started a new discussion on lib/pkcs11.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1560#note_881711609

> }
>
> if (current > list->key_ids_size)
> break;

I suspect this condition might have an off-by-one error (and might potentially cause out-of-bound write to `list->key_ids` array in a hypothetical case, i.e., the second C_FindObjects returns more results than the first call does). To make the loop invariant clear, maybe it could be merged into the `while` condition above, something like:

```c
while (pkcs11_find_objects (sinfo->module, sinfo->pks, &ctx, 1, &count) == CKR_OK
       && count == 1
       && current < list->key_ids_size) {
```


Date: Mon, 21 Mar 2022 09:28:49 +0000
Subject: [gnutls-devel] GnuTLS | Fix matching of last key of a pkcs#11 token (!1560)

Daiki Ueno commented:

Thank you for the MR; looks good to me. The original code confuses me as well ;-(

View it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1560#note_881713041

Date: Mon, 21 Mar 2022 09:34:02 +0000
Subject: [gnutls-devel] GnuTLS | Use custom free/realloc for GMP to safely delete temporary secrets (!1554)

Tobias Heider commented:

The last update is something I forgot in the previous versions. We need to again set the previous allocators in the if we find them to be different to the default since they were reset to the default with `mp_set_memory_functions(NULL, NULL, NULL)`.

View it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1554#note_881719801


Date: Mon, 21 Mar 2022 10:18:42 +0000
Subject: [gnutls-devel] GnuTLS | Fix matching of last key of a pkcs#11 token (!1560)

Benjamin Herrenschmidt commented on a discussion on lib/pkcs11.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1560#note_881785889

> }
>
> if (current > list->key_ids_size)
> break;

Not entirely sure, we explicitly test that we only get 1 per C_FindObject, so I don't see the error you mention. That said, we could merge the exit condition yes, I was going for easiest to review/backport patch :-)

Date: Mon, 21 Mar 2022 10:19:03 +0000
Subject: [gnutls-devel] GnuTLS | Fix matching of last key of a pkcs#11 token (!1560)

Benjamin Herrenschmidt commented:

Thanks! Everything in pkcs#11 land is confusing :-)

View it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1560#note_881786340


Date: Mon, 21 Mar 2022 13:39:24 +0000
Subject: [gnutls-devel] GnuTLS | Consolidate FIPS .hmac files (#1338)

Milestone changed to Release of GnuTLS 3.7.5 (Mar 15, 2022 – May 15, 2022) ( https://gitlab.com/gnutls/gnutls/-/milestones/34 )

View it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1338

Date: Tue, 22 Mar 2022 10:48:13 +0000
Subject: [gnutls-devel] GnuTLS | Use custom free/realloc for GMP to safely delete temporary secrets (!1554)

Tobias Heider commented:

Is there anything I can do about the CI failures? **UB+ASAN-Werror** seems to fail in a TLS fuzzer which is probably not related to this change. For **doc-dist.Fedora** I don't see what error causes the CI to fail.

View it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1554#note_883713194


Date: Tue, 22 Mar 2022 12:12:32 +0000
Subject: [gnutls-devel] GnuTLS | Use custom free/realloc for GMP to safely delete temporary secrets (!1554)

Daiki Ueno started a new discussion on lib/safe-memfuncs.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1554#note_883903238

> return status;
> }
>
> +/**

Given those functions are internal, we need to avoid their documentation being treated as a gtk-doc comment block; a common way to do that is to start the comment blocks with `/*-`.

Date: Tue, 22 Mar 2022 12:13:12 +0000
Subject: [gnutls-devel] GnuTLS | lib/crypto-selftests.c: Add a selftest for PBKDF2 that complies with FIPS 140-3. (!1561)

Pedro Monreal created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1561

Project:Branches: pmgdeb/gnutls:fips-pbkdf2-kat to gnutls/gnutls:master
Author: Pedro Monreal

lib/crypto-selftests.c: Add a selftest for PBKDF2 that complies with FIPS 140-3.

The IG 10.3.A and SP800-132 requires some minimum parameters for the salt length, password length and iteration count.

The KAT for the PBKDF2 does not meet the requirements included in IG 10.3.A. Specifically, IG 10.3.A and SP800-132 requires some minimum parameters for the salt length, password length and iteration count. These parameters should be also used in the KAT:

- salt must be at least 128 bits.
- password should be at least 14 bytes, which represents the minimum approved key length used for the underlying HMAC (112 bits).
- the iteration count must be >= 2

These are the values that the PBKDF KAT uses for this module:

- GnuTLS (not OK)
  ! Plen=8 bytes
  ! Slen=32 bits
  - IterCount=1, 80000

Date: Tue, 22 Mar 2022 15:11:20 +0000
Subject: [gnutls-devel] GnuTLS | lib/crypto-selftests.c: Add a selftest for PBKDF2 that complies with FIPS 140-3. (!1561)

Merge request !1561 was approved by Daiki Ueno

Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1561
Project:Branches: pmgdeb/gnutls:fips-pbkdf2-kat to gnutls/gnutls:master
Author: Pedro Monreal


Date: Tue, 22 Mar 2022 15:17:05 +0000
Subject: [gnutls-devel] GnuTLS | lib/crypto-selftests.c: Add a selftest for PBKDF2 that complies with FIPS 140-3. (!1561)

Daiki Ueno commented:

Thanks; looks good to me.

View it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1561#note_884252508

Date: Tue, 22 Mar 2022 16:06:31 +0000
Subject: [gnutls-devel] GnuTLS | Use custom free/realloc for GMP to safely delete temporary secrets (!1554)

Daiki Ueno started a new discussion on lib/includes/gnutls/gnutls.h.in: https://gitlab.com/gnutls/gnutls/-/merge_requests/1554#note_884328766

> /* constant time memcmp */
> int gnutls_memcmp(const void *s1, const void *s2, size_t n);
>
> +/* a variant of free that also zeroizes freed memory */
> +void gnutls_free_zero(void *data, size_t size);

These are internal functions and should not be in the public header (I guess that is causing the doc-dist CI failure, which my previous comment didn't help with). Since they are only used in `lib/nettle/init.c`, maybe you could make them a static function?

Date: Tue, 22 Mar 2022 17:22:11 +0000
Subject: [gnutls-devel] GnuTLS | Use custom free/realloc for GMP to safely delete temporary secrets (!1554)

Tobias Heider commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/1554#note_884451700

fwiw: I have an experimental branch of nettle with mini-gmp.c respecting `old_size` at https://gitlab.com/tobhe/nettle/-/tree/freesize

I think getting this working won't be too hard but we should probably consult with upstream gmp to check what they think. AFAIU nettle syncs their mini-gmp.c from gmp with each release.


Date: Tue, 22 Mar 2022 18:23:24 +0000
Subject: [gnutls-devel] GnuTLS | aarch64: lib/accelerated/aarch64/Makefile has hardcoded flag not supported by Clang (#1317)

Marius Schamschula commented:

I just ran into the same issue trying to build gnutls 3.6.16 using MacPorts on an M1 Mac running Mojave.

View it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1317#note_884555902

Date: Wed, 23 Mar 2022 05:45:02 +0000
Subject: [gnutls-devel] GnuTLS | Use custom free/realloc for GMP to safely delete temporary secrets (!1554)

Merge request !1554 was approved by Daiki Ueno

Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1554
Project:Branches: tobhe/gnutls:gmp_alloc to gnutls/gnutls:master
Author: Tobias Heider


Date: Wed, 23 Mar 2022 05:45:12 +0000
Subject: [gnutls-devel] GnuTLS | Use custom free/realloc for GMP to safely delete temporary secrets (!1554)

Daiki Ueno commented:

Thank you!

View it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1554#note_885005760

Date: Wed, 23 Mar 2022 15:58:04 +0000
Subject: [gnutls-devel] GnuTLS | [WIP] Consolidate FIPS .hmac files (!1562)

Reassigned merge request 1562 https://gitlab.com/gnutls/gnutls/-/merge_requests/1562

Assignee changed to Zoltán Fridrich

Date: Wed, 23 Mar 2022 15:58:05 +0000
Subject: [gnutls-devel] GnuTLS | [WIP] Consolidate FIPS .hmac files (!1562)

Zoltán Fridrich created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1562

Project:Branches: ZoltanFridrich/gnutls:zfridric_devel to gnutls/gnutls:master
Author: Zoltán Fridrich
Assignee: Zoltán Fridrich

Closes #1338

## Checklist

* [ ] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [ ] Code modified for feature
* [ ] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
* [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:

* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

Date: Thu, 24 Mar 2022 11:28:40 +0000
Subject: [gnutls-devel] GnuTLS | Use custom free/realloc for GMP to safely delete temporary secrets (!1554)

Tobias Heider commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/1554#note_887204864

One last update: it looks like upstream gmp already passes the correct sizes to free/realloc, see https://gmplib.org/repo/gmp/rev/5c0356b63cf . I think it is safe to assume that once this made it into a release it will be synced to nettle at which point we could remove the workaround.


Date: Thu, 24 Mar 2022 14:20:57 +0000
Subject: [gnutls-devel] GnuTLS | lib/crypto-selftests.c: Add a selftest for PBKDF2 that complies with FIPS 140-3. (!1561)

Daiki Ueno commented:

@pmgdeb could you add `Signed-off-by:` to the commit message (and also fill the text to 80 columns)?

View it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1561#note_887478886

Date: Thu, 24 Mar 2022 15:37:54 +0000
Subject: [gnutls-devel] GnuTLS | lib/crypto-selftests.c: Add a selftest for PBKDF2 that complies with FIPS 140-3. (!1561)

Pedro Monreal commented:

Done, I have also squashed the commits.

View it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1561#note_887633817


Date: Thu, 24 Mar 2022 16:38:55 +0000
Subject: [gnutls-devel] GnuTLS | lib/crypto-selftests.c: Add a selftest for PBKDF2 that complies with FIPS 140-3. (!1561)

Merge request !1561 was scheduled to merge after pipeline succeeds by Daiki Ueno

Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1561
Project:Branches: pmgdeb/gnutls:fips-pbkdf2-kat to gnutls/gnutls:master
Author: Pedro Monreal

Date: Thu, 24 Mar 2022 19:17:33 +0000
Subject: [gnutls-devel] GnuTLS | Use custom free/realloc for GMP to safely delete temporary secrets (!1554)

All discussions on merge request !1554 were resolved by Daiki Ueno

https://gitlab.com/gnutls/gnutls/-/merge_requests/1554


Date: Thu, 24 Mar 2022 19:17:39 +0000
Subject: [gnutls-devel] GnuTLS | Use custom free/realloc for GMP to safely delete temporary secrets (!1554)

Merge request !1554 was merged

Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1554
Project:Branches: tobhe/gnutls:gmp_alloc to gnutls/gnutls:master
Author: Tobias Heider

Date: Thu, 24 Mar 2022 19:17:33 +0000
Subject: [gnutls-devel] GnuTLS | Use custom free/realloc for GMP to safely delete temporary secrets (!1554)

Daiki Ueno commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/1554#note_887952676

Thanks for the update; let's get this merged then.

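The allocator swap discussed in !1554 above (remember the current GMP allocators, reset to the defaults, compare, and only install a size-aware zeroizing free/realloc when nothing else was installed), as an added example that is not GnuTLS's or GMP's code. It builds without libgmp: the `stub_get_memory_functions`/`stub_set_memory_functions` table is a constructed stand-in with the same signatures as `mp_get_memory_functions`/`mp_set_memory_functions`, and `secure_free`, `secure_realloc` and `install_secure_gmp_allocators` are hypothetical names.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* GMP-shaped allocator signatures: realloc and free receive the block size,
 * which is what makes wiping a block before release possible at all. */
typedef void *(*alloc_fn)(size_t);
typedef void *(*realloc_fn)(void *, size_t, size_t);
typedef void (*free_fn)(void *, size_t);

/* Constructed stand-in for GMP's allocator table.  Real GMP exposes the same
 * shape via mp_get_memory_functions()/mp_set_memory_functions(); these stub_
 * functions exist only so the example runs without libgmp. */
static void *stub_default_alloc(size_t n) { return malloc(n); }
static void *stub_default_realloc(void *p, size_t old, size_t n) { (void)old; return realloc(p, n); }
static void stub_default_free(void *p, size_t n) { (void)n; free(p); }

static alloc_fn   cur_alloc   = stub_default_alloc;
static realloc_fn cur_realloc = stub_default_realloc;
static free_fn    cur_free    = stub_default_free;

void stub_get_memory_functions(alloc_fn *a, realloc_fn *r, free_fn *f)
{
	if (a) *a = cur_alloc;
	if (r) *r = cur_realloc;
	if (f) *f = cur_free;
}

/* As in GMP, a NULL argument restores the default for that slot. */
void stub_set_memory_functions(alloc_fn a, realloc_fn r, free_fn f)
{
	cur_alloc   = a ? a : stub_default_alloc;
	cur_realloc = r ? r : stub_default_realloc;
	cur_free    = f ? f : stub_default_free;
}

/* Wipe through a volatile pointer so the compiler cannot drop the stores as
 * dead writes to memory that is about to be freed. */
void secure_zeroize(void *p, size_t n)
{
	volatile unsigned char *v = p;
	while (n--)
		*v++ = 0;
}

/* free() variant that wipes the block first; relies on the size GMP passes. */
void secure_free(void *p, size_t n)
{
	if (p != NULL) {
		secure_zeroize(p, n);
		free(p);
	}
}

/* realloc() variant: copy into a fresh block, then wipe and release the old
 * one, so no bignum limbs linger in the allocator's free lists. */
void *secure_realloc(void *p, size_t old_size, size_t new_size)
{
	void *np = malloc(new_size);
	if (np == NULL)
		return NULL;
	if (p != NULL) {
		memcpy(np, p, old_size < new_size ? old_size : new_size);
		secure_free(p, old_size);
	}
	return np;
}

/* Returns 1 if the zeroizing allocators are the ones currently installed. */
int using_secure_allocators(void)
{
	return cur_realloc == secure_realloc && cur_free == secure_free;
}

/* Install the zeroizing allocators only if the table still holds the
 * defaults.  Sequence from the !1554 discussion: read the current functions,
 * reset with (NULL, NULL, NULL) to learn the defaults, compare, and put the
 * previous functions back if they differ (an application's own allocators,
 * or ours from an earlier call, are left untouched).  Returns 1 if installed. */
int install_secure_gmp_allocators(void)
{
	alloc_fn prev_a, def_a;
	realloc_fn prev_r, def_r;
	free_fn prev_f, def_f;

	stub_get_memory_functions(&prev_a, &prev_r, &prev_f);
	stub_set_memory_functions(NULL, NULL, NULL);
	stub_get_memory_functions(&def_a, &def_r, &def_f);

	if (prev_a != def_a || prev_r != def_r || prev_f != def_f) {
		stub_set_memory_functions(prev_a, prev_r, prev_f);
		return 0;
	}
	stub_set_memory_functions(NULL, secure_realloc, secure_free);
	return 1;
}

int main(void)
{
	printf("installed: %d, secure in use: %d\n",
	       install_secure_gmp_allocators(), using_secure_allocators());
	return 0;
}
```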
Date: Fri, 25 Mar 2022 08:21:16 +0000
Subject: [gnutls-devel] GnuTLS | WIP: system config disable KTLS (!1559)

Daiki Ueno started a new discussion on lib/includes/gnutls/socket.h: https://gitlab.com/gnutls/gnutls/-/merge_requests/1559#note_888617176

> * Since: 3.7.3
> */
> typedef enum {
> - GNUTLS_KTLS_RECV = 1 << 0,
> - GNUTLS_KTLS_SEND = 1 << 1,
> + GNUTLS_KTLS_CONFIG_ENABLED = 1 << 0,
> + GNUTLS_KTLS_RECV = 1 << 1,

This way of changing enums is not backward compatible (the programs compiled with previous version of GnuTLS will be confused with `GNUTLS_KTLS_RECV` and `GNUTLS_KTLS_SEND`). I'd move `GNUTLS_KTLS_CONFIG_ENABLED` to the end (i.e., `1 << 2`), though I would rather suggest not touching this enum. If KTLS is disabled by the config, `gnutls_transport_is_ktls_enabled` will always return 0.


Date: Fri, 25 Mar 2022 12:04:53 +0000
Subject: [gnutls-devel] GnuTLS | Consolidate FIPS .hmac files (#1338)

Reassigned Issue 1338 https://gitlab.com/gnutls/gnutls/-/issues/1338

Assignee changed to Zoltán Fridrich

Date: Fri, 25 Mar 2022 12:54:22 +0000
Subject: [gnutls-devel] GnuTLS | WIP: system config disable KTLS (!1559)

All discussions on merge request !1559 were resolved by František Krenželok

https://gitlab.com/gnutls/gnutls/-/merge_requests/1559


Date: Fri, 25 Mar 2022 17:37:26 +0000
Subject: [gnutls-devel] GnuTLS | FIPS140: mark HKDF and AES-GCM as approved when used in TLS (#1311)

Pedro Monreal commented:

Since gnutls_hkdf_extract() is only called from lib/secrets.c:_tls13_update_secret(), we can push a new FIPS context before calling gnutls_hkdf_extract(). After it returns, we can pop the context and check the return state. Here is a patch with its possible implementation: [gnutls-FIPS-mark-HKDF-approved-in-TLS-context.patch](/uploads/367b3311d71b5dc58bae0656e9ad669d/gnutls-FIPS-mark-HKDF-approved-in-TLS-context.patch)

View it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1311#note_889426382

From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Fri, 25 Mar 2022 18:49:08 +0000
Subject: [gnutls-devel] GnuTLS | lib/crypto-selftests.c: Add a selftest for PBKDF2 that complies with FIPS 140-3. (!1561)

Daiki Ueno commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/1561#note_889484463

@pmgdeb sorry for the hassle, but could you adjust the commit so that the committer and the `Signed-off-by:` address match?
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Fri, 25 Mar 2022 18:56:01 +0000
Subject: [gnutls-devel] GnuTLS | [WIP] Consolidate FIPS .hmac files (!1562)

Merge request https://gitlab.com/gnutls/gnutls/-/merge_requests/1562 was reviewed by Daiki Ueno

--

Daiki Ueno started a new discussion on lib/file.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1562#note_889491724

> + * Returned pointer needs to be freed.
> + * Returns NULL on error */
> +char *_gnutls_file_basename(const char *file)

Maybe you could rely on the [`basename-lgpl`](https://git.savannah.gnu.org/gitweb/?p=gnulib.git;a=blob;f=modules/basename-lgpl;h=f81898da85e0ecef3018dbd6f0aba5d57ec0703d;hb=HEAD) module from Gnulib?

--

Daiki Ueno started a new discussion on lib/Makefile.am: https://gitlab.com/gnutls/gnutls/-/merge_requests/1562#note_889491731

>
> -hmac_files = .libs/.$(gnutls_so).hmac
> +hmac_files = .libs/.hmac

I'd keep the `.$(gnutls_so)` prefix unless the file is installed in a dedicated directory (e.g., `$(pkglibdir)`?).

--

Daiki Ueno started a new discussion on lib/fips.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1562#note_889491736

> + while ((nread = getline(&line, &alloc, stream)) != -1) {
> + line[nread - 1] = '\0';
> + if (!strcmp(line, "[global]")) {

You could use the features from the `lib/inih/ini.h` header if we go with this format (I'd rather think it's a bit too much ;-).

--

Daiki Ueno started a new discussion on lib/fips.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1562#note_889491740

> + snprintf(mac_file, mac_file_size, ".hmac");
> + else
> + snprintf(mac_file, mac_file_size, "%.*s/.hmac", (int)(p - file), file);

We probably need a check on the return value if the path name is too long (e.g., on Nix).
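Review bot: In the `getline` loop in lib/fips.c, `line[nread - 1] = '\0';` assumes every line ends in a newline; when the last line of the file has no trailing newline, `getline` still returns it and this overwrites its final character, so a `[global]` header or a key/value pair on an unterminated last line is silently mangled and the `strcmp` never matches. Strip the terminator conditionally, e.g. `if (nread > 0 && line[nread - 1] == '\n') line[nread - 1] = '\0';`.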
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Fri, 25 Mar 2022 21:39:00 +0000
Subject: [gnutls-devel] GnuTLS | clang crash when building lib/accelerated/aarch64/macosx/sha512-armv8.s (#1347)

John Ralls created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1347

and sha1-armv8.s with Xcode 13.3 on Apple Silicon M1. I've reported the crash to Apple. Building with `--disable-hardware-acceleration` avoids the problem and allows gnutls to build.

From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sat, 26 Mar 2022 01:36:59 +0000
Subject: [gnutls-devel] GnuTLS | lib/crypto-selftests.c: Add a selftest for PBKDF2 that complies with FIPS 140-3. (!1561)

Pedro Monreal commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/1561#note_889735359

NP, should be corrected now. I edited the commit from a different account.
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sat, 26 Mar 2022 05:49:59 +0000
Subject: [gnutls-devel] GnuTLS | lib/crypto-selftests.c: Add a selftest for PBKDF2 that complies with FIPS 140-3. (!1561)

All discussions on merge request !1561 were resolved by Daiki Ueno

https://gitlab.com/gnutls/gnutls/-/merge_requests/1561

From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sat, 26 Mar 2022 05:50:05 +0000
Subject: [gnutls-devel] GnuTLS | lib/crypto-selftests.c: Add a selftest for PBKDF2 that complies with FIPS 140-3. (!1561)

Merge request !1561 was scheduled to merge after pipeline succeeds by Daiki Ueno

Merge request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1561
Project:Branches: pmgdeb/gnutls:fips-pbkdf2-kat to gnutls/gnutls:master
Author: Pedro Monreal
Assignees:
Reviewers:
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sat, 26 Mar 2022 15:36:50 +0000
Subject: [gnutls-devel] GnuTLS | clang crash when building lib/accelerated/aarch64/macosx/sha512-armv8.s (#1347)

Daiki Ueno commented:

Is this the same issue as #1317? If so, does Marius' [patch](https://gitlab.com/l2dy/macports-ports/-/commit/5cbb30562d3d15bb793618df5ac3b66171bda4db) help?

https://gitlab.com/gnutls/gnutls/-/issues/1347#note_890281037

From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sat, 26 Mar 2022 15:48:35 +0000
Subject: [gnutls-devel] GnuTLS | lib/crypto-selftests.c: Add a selftest for PBKDF2 that complies with FIPS 140-3. (!1561)

Merge request !1561 was merged

Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1561
Project:Branches: pmgdeb/gnutls:fips-pbkdf2-kat to gnutls/gnutls:master
Author: Pedro Monreal
Assignees:
Reviewers:
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sat, 26 Mar 2022 16:19:58 +0000
Subject: [gnutls-devel] GnuTLS | clang crash when building lib/accelerated/aarch64/macosx/sha512-armv8.s (#1347)

John Ralls commented:

Not exactly the same as it now crashes instead of complaining about a bad compiler flag, but I suppose that's either clang's or Apple's problem. Yes, getting rid of the `-march` flag allows the build to succeed. I've updated my bug report to Apple with the additional information and I'll pinch that patch for [gtk-osx](https://gitlab.gnome.org/GNOME/gtk-osx). Thanks!

Do you plan to update the gnutls build?

https://gitlab.com/gnutls/gnutls/-/issues/1347#note_890290171

From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sat, 26 Mar 2022 20:31:25 +0000
Subject: [gnutls-devel] GnuTLS | psk_ke_modes_recv_params() wrongly sets HSK_PSK_KE_MODE_INVALID (#1303)

Matheus Delgado commented:

Hello, Daiki Ueno. How are you? It seems Tim Kosse is not active in that forum anymore. Couldn't you apply the changes and commit it yourself as a hotfix? I think several applications would enjoy the fix, not only Filezilla.

https://gitlab.com/gnutls/gnutls/-/issues/1303#note_890348719
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Mon, 28 Mar 2022 07:36:12 +0000
Subject: [gnutls-devel] GnuTLS | Fix matching of last key of a pkcs#11 token (!1560)

Daiki Ueno commented on a discussion on lib/pkcs11.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1560#note_890920868

> }
>
> if (current > list->key_ids_size)
> break;

Sorry for being pedantic, but if we keep the `if ... break`, I think we should at least change the condition `current > list->key_ids_size` to `current >= list->key_ids_size` to match your change.
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Mon, 28 Mar 2022 10:29:56 +0000
Subject: [gnutls-devel] GnuTLS | Fix matching of last key of a pkcs#11 token (!1560)

Benjamin Herrenschmidt commented on a discussion on lib/pkcs11.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1560#note_891176935

> }
>
> if (current > list->key_ids_size)
> break;

Ah yes, you are right, I missed that! It's actually a somewhat different bug, i.e., that code is buggy regardless of whether you apply my change or not. If for some obscure reason the first round of find_objects returns a smaller number of objects than the second one, the array will overflow even without my change. Hopefully that never happens.

I can fold that fix in an updated version of this PR, though I'd rather make it a separate commit as I think it's fundamentally a different bug in that code.
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Mon, 28 Mar 2022 16:25:16 +0000
Subject: [gnutls-devel] GnuTLS | psk_ke_modes_recv_params() wrongly sets HSK_PSK_KE_MODE_INVALID (#1303)

Tim Kosse commented:

I'm sorry, I missed Daiki's reply. I've now mailed the patch using `git send-email` including the `Signed-off-by:` line.

> the logic seems to be correct, though I wonder if it could be simpler if we use `-1` as the indication of "unset", instead of `MAX_POS`, as in ext/supported_groups.c.

Isn't this seeming simplicity an artifact of dealing specifically with just two options? What would this look like in the general case of _n_ options to choose from? Even in the case of just two options, I think it is more difficult than it appears, hence this bug report.

https://gitlab.com/gnutls/gnutls/-/issues/1303#note_891730481

From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Tue, 29 Mar 2022 10:57:03 +0000
Subject: [gnutls-devel] GnuTLS | [WIP] Consolidate FIPS .hmac files (!1562)

All discussions on merge request !1562 were resolved by Zoltán Fridrich

https://gitlab.com/gnutls/gnutls/-/merge_requests/1562
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Tue, 29 Mar 2022 10:57:47 +0000
Subject: [gnutls-devel] GnuTLS | Fix psk_ke_modes_recv_params() wrongly setting HSK_PSK_KE_MODE_INVALID (!1563)

Daiki Ueno created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1563

Project:Branches: dueno/gnutls:wip/dueno/psk-ke-mode to gnutls/gnutls:master
Author: Daiki Ueno

If the preferred side (as per session->internals.priorities->server_precedence) only supports one algorithm and if it is not the first in the other side's list of algorithms, then psk_ke_modes_recv_params did wrongly set session->internals.hsk_flags to HSK_PSK_KE_MODE_INVALID.

Fixes #1303

This issue was originally discovered while analyzing https://forum.filezilla-project.org/viewtopic.php?t=54333

## Checklist

* [x] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [ ] Code modified for feature
* [ ] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
* [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:

* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code
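As an added illustration (example code written for this page, not GnuTLS's own psk_ke_modes_recv_params), the selection rule the merge request describes, carried out for any number of modes as the discussion on #1303 asked: the side with precedence is walked in its own order and the first mode the other side also lists wins, so a side that supports a single mode matches it wherever it sits in the peer's list. The enum values, the KE_MODE_INVALID sentinel and the lists are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed example, not GnuTLS code.  The two TLS 1.3 psk_key_exchange_modes
 * values (psk_ke = 0, psk_dhe_ke = 1) plus a sentinel for "no common mode". */
enum ke_mode { PSK_KE = 0, PSK_DHE_KE = 1, KE_MODE_INVALID = -1 };

/* Walk the preferred side's list in its own order and return the first mode the
 * other side also offers.  Position in the other side's list is irrelevant, so a
 * preferred side that supports only one mode matches it even when the peer lists
 * it last.  Works for any number of modes, not just the two defined above. */
static enum ke_mode select_mode(const enum ke_mode *preferred, size_t n_pref,
                                const enum ke_mode *other, size_t n_other)
{
	for (size_t i = 0; i < n_pref; i++)
		for (size_t j = 0; j < n_other; j++)
			if (preferred[i] == other[j])
				return preferred[i];
	return KE_MODE_INVALID;
}

/* server_precedence mirrors session->internals.priorities->server_precedence:
 * when set, the server's order is authoritative, otherwise the client's. */
enum ke_mode negotiate_ke_mode(const enum ke_mode *server, size_t n_server,
                               const enum ke_mode *client, size_t n_client,
                               bool server_precedence)
{
	return server_precedence ? select_mode(server, n_server, client, n_client)
	                         : select_mode(client, n_client, server, n_server);
}

/* The case from #1303: the side with precedence supports only PSK_DHE_KE and the
 * peer lists it second.  A correct implementation picks PSK_DHE_KE rather than
 * flagging the handshake as invalid. */
enum ke_mode bug_scenario(void)
{
	const enum ke_mode server[] = { PSK_DHE_KE };
	const enum ke_mode client[] = { PSK_KE, PSK_DHE_KE };
	return negotiate_ke_mode(server, 1, client, 2, true);
}

int main(void)
{
	enum ke_mode m = bug_scenario();
	printf("negotiated mode %d (%s)\n", (int)m,
	       m == KE_MODE_INVALID ? "no common mode" : "ok");
	return m == PSK_DHE_KE ? 0 : 1;
}
```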
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Tue, 29 Mar 2022 10:58:32 +0000
Subject: [gnutls-devel] GnuTLS | psk_ke_modes_recv_params() wrongly sets HSK_PSK_KE_MODE_INVALID (#1303)

Daiki Ueno commented on a discussion: https://gitlab.com/gnutls/gnutls/-/issues/1303#note_892766448

Thanks; I've opened !1563.
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Tue, 29 Mar 2022 13:23:04 +0000
Subject: [gnutls-devel] GnuTLS | [WIP] Consolidate FIPS .hmac files (!1562)

Merge request https://gitlab.com/gnutls/gnutls/-/merge_requests/1562 was reviewed by Daiki Ueno

--

Daiki Ueno started a new discussion on configure.ac: https://gitlab.com/gnutls/gnutls/-/merge_requests/1562#note_892986046

> AC_MSG_RESULT($gmp_so)
> AC_DEFINE_UNQUOTED([GMP_LIBRARY_SONAME], ["$gmp_so"], [The soname of gmp library])
> +AC_SUBST([gmp_path], [`ldconfig -p | grep $gmp_so | tr ' ' '\n' | grep / | head -n1`])

Using `ldconfig` is handy but I'm not sure if it is portable. What about dynamically determining those paths with `dladdr` (`dli_fname`) as in `get_library_path`?

--

Daiki Ueno started a new discussion on lib/fipshmac.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1562#note_892986066

> #include
> #include
> +#include

`<libgen.h>` has portability [problems](https://www.gnu.org/software/gnulib/manual/html_node/libgen_002eh.html); better use alternatives provided by Gnulib. You could pull in the `basename-lgpl` module through bootstrap.conf, and use the `last_component` function.

--

Daiki Ueno started a new discussion on lib/fips.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1562#note_892986072

> - return;
> + data.size = strlen(value);
> + if (hex_data_size(data.size) != HMAC_SIZE) {

Isn't hex-encoded data twice as long as the original bytes?

--

Daiki Ueno started a new discussion on lib/fips.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1562#note_892986075

> + if (hex_data_size(data.size) != HMAC_SIZE) {
> + _gnutls_debug_log("Invalid size of hmac data\n");
> + return -1;

Use a meaningful error code.
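Review bot: The `AC_SUBST([gmp_path], ...)` line in configure.ac reads `ldconfig -p` on the build host, so under cross-compilation or a sysroot it records the host's library path rather than the target's, and when nothing matches the pipeline yields an empty string and configure proceeds with an empty `gmp_path` instead of failing. `$gmp_so` is also unquoted and matched as a substring, so a soname that merely contains it (one with an extra trailing version digit, for instance) matches as well and `head -n1` picks whichever comes first; if the lookup stays in configure.ac, quote it, anchor the match (e.g. `grep -F -- "$gmp_so "`) and report `AC_MSG_ERROR` when no path is found.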
--

Daiki Ueno started a new discussion on lib/fips.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1562#note_892986078

> + return gnutls_assert_val(-1);
> +
> + if (memcmp(hmac, new_hmac, HMAC_SIZE) != 0) {

Not your problem nor security concern, but I'd use `gnutls_memcmp` for verifying HMACs.

--

Daiki Ueno started a new discussion on lib/fips.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1562#note_892986080

> + if (ini_parse_file(stream, handler, p) < 0) {
> + _gnutls_debug_log("Could not parse hmac file for MAC testing\n");
> + return -1;

`stream` is leaking here.
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Tue, 29 Mar 2022 13:34:07 +0000
Subject: [gnutls-devel] GnuTLS | [WIP] Consolidate FIPS .hmac files (!1562)

Zoltán Fridrich commented on a discussion on lib/fips.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1562#note_893006613

> -static void get_hmac_file(char *mac_file, size_t mac_file_size, const char* orig)
> +/* Parses hmac data and copies hex value into dest.
> + * dest must point to at least HMAC_SIZE amount of memory */
> +static int get_hmac(uint8_t *dest, const char *value)
> {
> -char* p;
> + int ret;
> + size_t hmac_size;
> + gnutls_datum_t data;
>
> - p = strrchr(orig, '/');
> - if (p==NULL) {
> - snprintf(mac_file, mac_file_size, ".%s"HMAC_SUFFIX, orig);
> - return;
> + data.size = strlen(value);
> + if (hex_data_size(data.size) != HMAC_SIZE) {

Hex in a character string is twice as long as hex in binary form.
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Tue, 29 Mar 2022 13:36:03 +0000
Subject: [gnutls-devel] GnuTLS | Apparent failure to accept SHA1 signature of root CA when using SECURE256 (#1348)

Richard Frith-Macdonald created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1348

## Description of problem:

Unable to establish a connection ... the verification of the server certificate chain fails reporting an insecure algorithm in the root certificate when SECURE256 is used but not when SECURE128 is used.

## Version of gnutls used:

Latest stable: 3.6.16

## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)

Built from source on CentOS-7 64bit

## How reproducible:

gnutls-cli --priority='SECURE256:!VERS-TLS1.0:!VERS-TLS1.1' --debug=1 smartpayivr1005.tstpaypoint.services:443

## Actual results:

Processed 133 CA certificate(s).
Resolving 'smartpayivr1005.tstpaypoint.services:443'...
Connecting to '81.93.230.131:443'...
- Certificate type: X.509
- Got a certificate list of 3 certificates.
- Certificate[0] info:
 - subject `CN=*.tstpaypoint.services,O=Paypoint Network LTD,L=Welwyn Garden City,C=GB', issuer `CN=DigiCert TLS RSA SHA256 2020 CA1,O=DigiCert Inc,C=US', serial 0x07468da604438a91d14e3e9e33d871b9, RSA key 2048 bits, signed using RSA-SHA256, activated `2022-01-07 00:00:00 UTC', expires `2023-01-07 23:59:59 UTC', pin-sha256="Sp1tIM1nUNyDQP/3hrC1AlibArWQRyILg0rUOEx0Z1M="
        Public Key ID:
                sha1:d65bd7a88a3f5a554375b033bb3cbc98903935a2
                sha256:4a9d6d20cd6750dc8340fff786b0b502589b02b59047220b834ad4384c746753
        Public Key PIN:
                pin-sha256:Sp1tIM1nUNyDQP/3hrC1AlibArWQRyILg0rUOEx0Z1M=
- Certificate[1] info:
 - subject `CN=DigiCert TLS RSA SHA256 2020 CA1,O=DigiCert Inc,C=US', issuer `CN=DigiCert Global Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US', serial 0x06d8d904d5584346f68a2fa754227ec4, RSA key 2048 bits, signed using RSA-SHA256, activated `2021-04-14 00:00:00 UTC', expires `2031-04-13 23:59:59 UTC', pin-sha256="RQeZkB42znUfsDIIFWIRiYEcKl7nHwNFwWCrnMMJbVc="
- Certificate[2] info:
 - subject `CN=DigiCert Global Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US', issuer `CN=DigiCert Global Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US', serial 0x083be056904246b1a1756ac95991c74a, RSA key 2048 bits, signed using RSA-SHA1 (broken!), activated `2006-11-10 00:00:00 UTC', expires `2031-11-10 00:00:00 UTC', pin-sha256="r/mIkG3eEpVdm+u/ko/cwxzOMo1bk4TyHIlByibiA5E="
- Status: The certificate is NOT trusted. The certificate chain uses insecure algorithm.
*** PKI verification of server certificate failed...
*** Fatal error: Error in the certificate.

## Expected results:

Connection should be established ... I think the use of SECURE256 or SECURE128 should make no difference to the verification of the root certificate when that certificate provides a 2048 bit key.
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Tue, 29 Mar 2022 13:47:17 +0000
Subject: [gnutls-devel] GnuTLS | [WIP] Consolidate FIPS .hmac files (!1562)

Daiki Ueno commented on a discussion on lib/fips.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1562#note_893031987

> -static void get_hmac_file(char *mac_file, size_t mac_file_size, const char* orig)
> +/* Parses hmac data and copies hex value into dest.
> + * dest must point to at least HMAC_SIZE amount of memory */
> +static int get_hmac(uint8_t *dest, const char *value)
> {
> -char* p;
> + int ret;
> + size_t hmac_size;
> + gnutls_datum_t data;
>
> - p = strrchr(orig, '/');
> - if (p==NULL) {
> - snprintf(mac_file, mac_file_size, ".%s"HMAC_SUFFIX, orig);
> - return;
> + data.size = strlen(value);
> + if (hex_data_size(data.size) != HMAC_SIZE) {

Sorry I somehow missed the `hex_data_size` call.
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Tue, 29 Mar 2022 14:08:21 +0000
Subject: [gnutls-devel] GnuTLS | Apparent failure to accept SHA1 signature of root CA when using SECURE256 (#1348)

Daiki Ueno commented:

Do you have the last certificate in your trust store? Maybe you could check with:

```console
trust list --filter=ca-anchors
trust dump --filter='pkcs11:id=%03%DE%50%35%56%D1%4C%BB%66%F0%A3%E2%1B%1B%C3%97%B2%3D%D1%55;type=cert' | certtool -i
```

https://gitlab.com/gnutls/gnutls/-/issues/1348#note_893067596
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Tue, 29 Mar 2022 14:40:12 +0000
Subject: [gnutls-devel] GnuTLS | Apparent failure to accept SHA1 signature of root CA when using SECURE256 (#1348)

Richard Frith-Macdonald commented on a discussion: https://gitlab.com/gnutls/gnutls/-/issues/1348#note_893124739

> > Daiki Ueno commented:
> >
> > Do you have the last certificate in your trust store? Maybe you could check with:

Yes, that was the first thing I checked.

> trust list --filter=ca-anchors

pkcs11:id=%03%de%50%35%56%d1%4c%bb%66%f0%a3%e2%1b%1b%c3%97%b2%3d%d1%55;type=cert
    type: certificate
    label: DigiCert Global Root CA
    trust: anchor
    category: authority

X.509 Certificate Information:
        Version: 3
        Serial Number (hex): 083be056904246b1a1756ac95991c74a
        Issuer: CN=DigiCert Global Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US
        Validity:
                Not Before: Fri Nov 10 00:00:00 UTC 2006
                Not After: Mon Nov 10 00:00:00 UTC 2031
        Subject: CN=DigiCert Global Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US
        Subject Public Key Algorithm: RSA
        Algorithm Security Level: Medium (2048 bits)
                Exponent (bits 24): 01:00:01
        Extensions:
                Key Usage (critical):
                        Digital signature.
                        Certificate signing.
                        CRL signing.
                Basic Constraints (critical):
                        Certificate Authority (CA): TRUE
                Subject Key Identifier (not critical): 03de503556d14cbb66f0a3e21b1bc397b23dd155
                Authority Key Identifier (not critical): 03de503556d14cbb66f0a3e21b1bc397b23dd155
        Signature Algorithm: RSA-SHA1
warning: signed using a broken signature algorithm that can be forged.
Other Information:
        Fingerprint:
                sha1:a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c5436
                sha256:4348a0e9444c78cb265e058d5e8944b4d84f9662bd26db257f8934a443c70161
        Public Key ID:
                sha1:d52e13c1abe349dae8b49594ef7c3843606466bd
                sha256:aff988906dde12955d9bebbf928fdcc31cce328d5b9384f21c8941ca26e20391
        Public Key PIN:
                pin-sha256:r/mIkG3eEpVdm+u/ko/cwxzOMo1bk4TyHIlByibiA5E=
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Wed, 30 Mar 2022 06:00:28 +0000
Subject: [gnutls-devel] GnuTLS | [WIP] Consolidate FIPS .hmac files (!1562)

Daiki Ueno commented on a discussion on lib/fips.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1562#note_893837675

> + * dest must point to at least HMAC_SIZE amount of memory */
> +static int get_hmac(uint8_t *dest, const char *value)
> {
> -char* p;
> + int ret;
> + size_t hmac_size;
> + gnutls_datum_t data;
>
> - p = strrchr(orig, '/');
> - if (p==NULL) {
> - snprintf(mac_file, mac_file_size, ".%s"HMAC_SUFFIX, orig);
> - return;
> + data.size = strlen(value);
> + if (hex_data_size(data.size) != HMAC_SIZE) {
> + _gnutls_debug_log("Invalid size of hmac data\n");
> + return -1;

I still see `-1` is returned in quite a few places. Could you fix them as well?
From gnutls-devel at lists.gnutls.org Wed Mar 30 08:31:38 2022
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Wed, 30 Mar 2022 06:31:38 +0000
Subject: [gnutls-devel] GnuTLS | [WIP] Consolidate FIPS .hmac files (!1562)

Daiki Ueno commented:

I have been thinking about this for a while and here are a couple of observations: firstly, until now we stored the `.hmac` file as `/usr/lib64/.lib.so.*.hmac` etc., where it was obvious that the `.hmac` file corresponds to `/usr/lib64/lib.so.*`. Now, in the new format, this information (mapping between `.hmac` files and actual library files) is missing. I suggest either extending the format like:

```ini
[global]
...

[libgnutls.so.30]
path = ...
hmac = ...

[libnettle.so.8]
path = ...
hmac = ...

...
```

Note the section names are library SONAMEs.

Secondly, instead of determining the library paths at `configure` time, `fipshmac` could resolve them at run time. That could be done either by taking the path to `libgnutls.so.*` only or taking SONAMEs instead of file paths, something like:

```makefile
lib/fipshmac $(gnutls_so) $(nettle_so) $(hogweed_so) $(gmp_so)
```

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1562#note_893869026
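As an added example (not GnuTLS code and not the `fipshmac` tool), here is the sectioned `.hmac` layout proposed above parsed and checked in Python: every section other than `[global]` is a SONAME carrying `path` and `hmac`, the expected value must decode to exactly `HMAC_SIZE` bytes (the same check the `get_hmac()` hunk in this thread performs), and the file at `path` is HMAC'd and compared in constant time. The key, HMAC-SHA256 as the digest, the `format-version` key under `[global]` and the stand-in library contents are all assumptions; the real tool's key and digest are not on this page.

```python
"""Consolidated .hmac file in the sectioned layout proposed above, parsed and
checked against the libraries it names. Added example, not GnuTLS code."""
import configparser
import hashlib
import hmac
import os
import tempfile

# Assumptions: the real fipshmac key and digest are not on this page.
HMAC_KEY = b"constructed-example-key"
HMAC_SIZE = 32  # bytes of HMAC-SHA256 output


def file_hmac(path: str, key: bytes = HMAC_KEY) -> str:
    """Hex HMAC-SHA256 of a file, streamed so large libraries are not read at once."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            mac.update(chunk)
    return mac.hexdigest()


def parse_hmac_file(text: str) -> dict:
    """Map SONAME -> {"path", "hmac"}; every section except [global] is a SONAME.
    Mirrors the get_hmac() size check: the hex value must decode to HMAC_SIZE bytes."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    entries = {}
    for section in cfg.sections():
        if section == "global":
            continue
        path = cfg.get(section, "path", fallback=None)
        expected = cfg.get(section, "hmac", fallback=None)
        if path is None or expected is None:
            raise ValueError(f"[{section}]: missing path or hmac")
        try:
            raw = bytes.fromhex(expected)
        except ValueError:
            raise ValueError(f"[{section}]: hmac is not hex") from None
        if len(raw) != HMAC_SIZE:
            raise ValueError(f"[{section}]: invalid size of hmac data")
        entries[section] = {"path": path, "hmac": expected.lower()}
    return entries


def verify_libraries(text: str) -> dict:
    """SONAME -> True if the file at its path carries the expected HMAC.
    A missing file counts as a failure rather than being skipped."""
    results = {}
    for soname, entry in parse_hmac_file(text).items():
        if not os.path.isfile(entry["path"]):
            results[soname] = False
            continue
        actual = file_hmac(entry["path"])
        results[soname] = hmac.compare_digest(actual, entry["hmac"])
    return results


def demo() -> tuple:
    """Write two constructed stand-in library files, generate their .hmac file,
    then append a byte to one of them. Returns (results_before, results_after)."""
    with tempfile.TemporaryDirectory() as tmp:
        fake_libs = {"libgnutls.so.30": b"stand-in gnutls bytes",
                     "libnettle.so.8": b"stand-in nettle bytes"}
        lines = ["[global]", "format-version = 1", ""]
        for soname, body in fake_libs.items():
            path = os.path.join(tmp, soname)
            with open(path, "wb") as fh:
                fh.write(body)
            lines += [f"[{soname}]", f"path = {path}", f"hmac = {file_hmac(path)}", ""]
        hmac_file = "\n".join(lines)
        before = verify_libraries(hmac_file)
        with open(os.path.join(tmp, "libnettle.so.8"), "ab") as fh:
            fh.write(b"\x00")
        after = verify_libraries(hmac_file)
    return before, after


if __name__ == "__main__":
    print(demo())
```

Because the section name is the SONAME and the path lives inside the section, the mapping Daiki asks for is explicit in the file, and a checker can report exactly which library failed rather than a single pass/fail.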
From gnutls-devel at lists.gnutls.org Wed Mar 30 12:05:52 2022
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Wed, 30 Mar 2022 10:05:52 +0000
Subject: [gnutls-devel] GnuTLS | Apparent failure to accept SHA1 signature of root CA when using SECURE256 (#1348)

Richard Frith-Macdonald commented:

Trying again with the latest code (3.7.4) and with a higher debug level set, I see that the certificate is found in the trust list, but rejected with 'security level is unacceptable':

```
|<3>| ASSERT: verify.c[_gnutls_verify_crt_status]:1034
|<2>| issuer in verification was not found or insecure; trying against trust list
|<3>| ASSERT: verify.c[verify_crt]:688
|<3>| ASSERT: mpi.c[wrap_nettle_mpi_print]:60
|<3>| ASSERT: mpi.c[wrap_nettle_mpi_print]:60
|<3>| cert: subject `CN=DigiCert TLS RSA SHA256 2020 CA1,O=DigiCert Inc,C=US', issuer `CN=DigiCert Global Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US', serial 0x06d8d904d5584346f68a2fa754227ec4, RSA key 2048 bits, signed using RSA-SHA256, activated `2021-04-14 00:00:00 UTC', expires `2031-04-13 23:59:59 UTC', pin-sha256="RQeZkB42znUfsDIIFWIRiYEcKl7nHwNFwWCrnMMJbVc="
|<2>| GNUTLS_SEC_PARAM_HIGH: certificate's security level is unacceptable
|<3>| ASSERT: verify.c[is_level_acceptable]:504
|<3>| ASSERT: verify.c[verify_crt]:811
|<3>| ASSERT: verify.c[verify_crt]:840
|<3>| ASSERT: verify.c[_gnutls_verify_crt_status]:1034
|<3>| ASSERT: verify-high.c[gnutls_x509_trust_list_verify_crt2]:1615
- Status: The certificate is NOT trusted. The certificate chain uses insecure algorithm.
*** PKI verification of server certificate failed...
```

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1348#note_894199116
From gnutls-devel at lists.gnutls.org Wed Mar 30 13:08:31 2022
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Wed, 30 Mar 2022 11:08:31 +0000
Subject: [gnutls-devel] GnuTLS | Apparent failure to accept SHA1 signature of root CA when using SECURE256 (#1348)

Richard Frith-Macdonald commented:

Running under gdb I find that after the log

    issuer in verification was not found or insecure; trying against trust list

the code calls

```c
*voutput = _gnutls_verify_crt_status(list, cert_list, cert_list_size,
                                     list->node[hash].trusted_cas,
                                     list->node[hash].trusted_ca_size,
                                     flags, purpose, func);
```

but in that function `tcas_size` is 1 and `trusted_cas[0]->raw_dn` shows it's not the root certificate we are interested in, so I don't understand how this can be trying against the trust list.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1348#note_894293704
From gnutls-devel at lists.gnutls.org Wed Mar 30 15:40:36 2022
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Wed, 30 Mar 2022 13:40:36 +0000
Subject: [gnutls-devel] GnuTLS | [WIP] Consolidate FIPS .hmac files (!1562)

Zoltán Fridrich commented on a discussion on lib/fips.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1562#note_894590595

> + * dest must point to at least HMAC_SIZE amount of memory */ > +static int get_hmac(uint8_t *dest, const char *value) > { > -char* p; > + int ret; > + size_t hmac_size; > + gnutls_datum_t data; > > - p = strrchr(orig, '/'); > - if (p==NULL) { > - snprintf(mac_file, mac_file_size, ".%s"HMAC_SUFFIX, orig); > - return; > + data.size = strlen(value); > + if (hex_data_size(data.size) != HMAC_SIZE) { > + _gnutls_debug_log("Invalid size of hmac data\n"); > + return -1;

sorry, I got confused for some reason. should be good now

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1562#note_894590595

From gnutls-devel at lists.gnutls.org Wed Mar 30 15:40:44 2022
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Wed, 30 Mar 2022 13:40:44 +0000
Subject: [gnutls-devel] GnuTLS | [WIP] Consolidate FIPS .hmac files (!1562)

All discussions on merge request !1562 were resolved by Zoltán Fridrich

https://gitlab.com/gnutls/gnutls/-/merge_requests/1562

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1562
From gnutls-devel at lists.gnutls.org Wed Mar 30 16:57:33 2022
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Wed, 30 Mar 2022 14:57:33 +0000
Subject: [gnutls-devel] GnuTLS | Apparent failure to accept SHA1 signature of root CA when using SECURE256 (#1348)

Richard Frith-Macdonald commented:

`_gnutls_x509_cert_verify_peers()` calls `gnutls_x509_trust_list_verify_crt2()` with a list of three certificates. This uses `shorten_clist()` to remove the last (root) certificate and then (at verify-high.c:1587) calls `_gnutls_verify_crt_status()` with the first and second certificates and using the `trusted_cas` from the issuer of the second certificate (the root).

This then calls `verify_crt()` with the second (intermediate) certificate. The function gets the issuer (third cert) and at line 810 calls `is_level_acceptable()`, which calls `_gnutls_sign_is_secure2()`, which calls `_gnutls_digest_is_insecure2()` in the third (root/issuer) certificate, causing `is_level_acceptable()` to return false. When that happens, the local variable `out` is set to 258 (marking the third certificate as having an invalid signature). Later on in `verify_crt()` (line 847) the bits in `out` are returned to the caller where they become part of the failure status of the verification.

Back in `gnutls_x509_trust_list_verify_crt2()` `SIGNER_OLD_OR_UNKNOWN()` returns true so we get to line 1601. It looks to me like the problem here is that the code is now looking for the second (intermediate) certificate in the trusted list rather than the third one. Either because it shortened the list earlier on, or because it is mistakenly calling `hash_pjw_bare()` using `raw_dn` rather than `raw_issuer_dn`.

So I'm pretty sure the bug is at that point, but I don't know how it should be fixed.
--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1348#note_894761904

From gnutls-devel at lists.gnutls.org Wed Mar 30 17:17:34 2022
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Wed, 30 Mar 2022 15:17:34 +0000
Subject: [gnutls-devel] GnuTLS | FIPS140: mark HKDF and AES-GCM as approved when used in TLS (#1311)

Milestone changed to Release of GnuTLS 3.7.5 (Mar 15, 2022–May 15, 2022) ( https://gitlab.com/gnutls/gnutls/-/milestones/34 )

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1311

From gnutls-devel at lists.gnutls.org Wed Mar 30 17:18:04 2022
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Wed, 30 Mar 2022 15:18:04 +0000
Subject: [gnutls-devel] GnuTLS | FIPS140: mark HKDF and AES-GCM as approved when used in TLS (#1311)

Reassigned Issue 1311

https://gitlab.com/gnutls/gnutls/-/issues/1311

Assignee changed to Zoltán Fridrich

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1311
From gnutls-devel at lists.gnutls.org Wed Mar 30 17:38:49 2022
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Wed, 30 Mar 2022 15:38:49 +0000
Subject: [gnutls-devel] GnuTLS | Increase length limit of PKCS#12 passwords (#1349)

Daiki Ueno created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1349

The library limits the length of a PKCS#12 password to be less than [256](https://gitlab.com/gnutls/gnutls/-/blob/9860846b66e4c698c60a3b343dcb3ba49c77e096/lib/x509/pkcs12_encr.c#L30) bytes. Since passwords get encoded in UCS2, the limit for ASCII passwords is halved to 128 characters, which is not uncommon to exceed these days. Let's increase the limit to, say, 4096 characters (8192 bytes).

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1349

From gnutls-devel at lists.gnutls.org Wed Mar 30 17:46:32 2022
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Wed, 30 Mar 2022 15:46:32 +0000
Subject: [gnutls-devel] GnuTLS | gnutls-cli, gnutls-serv: "Channel binding error: The request is invalid" when TLS 1.3 is negotiated (#1350)

Daiki Ueno created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1350

gnutls-cli and gnutls-serv currently print the "Channel binding error: The request is invalid" error unconditionally when TLS 1.3 is negotiated, because the `tls-unique` channel binding type is not supported in TLS 1.3. It would be nice to print other supported channel binding(s) or remove the logic to print it.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1350
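The halving described in #1349 above comes from the PKCS#12 password form itself. As an added example (not GnuTLS's `pkcs12_encr.c`), the following Python encodes a password the way RFC 7292 appendix B.1 specifies (big-endian UCS-2 code units plus a two-byte zero terminator) and tests it against the old 256-byte limit and the proposed 8192-byte one; that the terminator is counted towards the limit is an assumption, and code points outside the BMP are rejected because a BMPString cannot hold them.

```python
"""PKCS#12 password encoding and the byte limit discussed in #1349.
Added example, not GnuTLS's pkcs12_encr.c."""

OLD_MAX_PASS_LEN = 256    # limit quoted in the issue
NEW_MAX_PASS_LEN = 8192   # 4096 characters, as proposed in the issue


def bmpstring_encode(password: str) -> bytes:
    """PKCS#12 (RFC 7292, appendix B.1) password form: big-endian UCS-2 code
    units followed by a two-byte zero terminator. Code points outside the BMP
    have no UCS-2 representation and are rejected rather than silently split."""
    for ch in password:
        if ord(ch) > 0xFFFF:
            raise ValueError(f"U+{ord(ch):06X} cannot be represented in a BMPString")
    return password.encode("utf-16-be") + b"\x00\x00"


def fits_limit(password: str, max_pass_len: int) -> bool:
    """True when the encoded password is shorter than max_pass_len bytes.
    ASSUMPTION: the terminator is counted; the exact boundary in the library
    may differ by two bytes, the halving effect does not."""
    return len(bmpstring_encode(password)) < max_pass_len


if __name__ == "__main__":
    for n in (100, 130, 4000):
        pw = "a" * n
        print(n, "ASCII chars ->", len(bmpstring_encode(pw)), "bytes;",
              "old limit:", fits_limit(pw, OLD_MAX_PASS_LEN),
              "new limit:", fits_limit(pw, NEW_MAX_PASS_LEN))
```

A 130-character ASCII password already needs more than 256 bytes in this form, which is the case the issue describes as "not uncommon these days".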
From gnutls-devel at lists.gnutls.org Wed Mar 30 17:59:10 2022
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Wed, 30 Mar 2022 15:59:10 +0000
Subject: [gnutls-devel] GnuTLS | [WIP] Consolidate FIPS .hmac files (!1562)

Merge request !1562 was approved by Daiki Ueno

Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1562
Project:Branches: ZoltanFridrich/gnutls:zfridric_devel to gnutls/gnutls:master
Author: Zoltán Fridrich
Assignee: Zoltán Fridrich
Reviewers:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1562

From gnutls-devel at lists.gnutls.org Wed Mar 30 17:59:45 2022
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Wed, 30 Mar 2022 15:59:45 +0000
Subject: [gnutls-devel] GnuTLS | Consolidate FIPS .hmac files (!1562)

Daiki Ueno commented:

Thanks; looks good to me.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1562#note_894851255
From gnutls-devel at lists.gnutls.org Thu Mar 31 00:17:39 2022
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Wed, 30 Mar 2022 22:17:39 +0000
Subject: [gnutls-devel] GnuTLS | Fix matching of last key of a pkcs#11 token (!1560)

Benjamin Herrenschmidt commented:

Rebased to master, added fix for the loop exit condition

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1560#note_895224669

From gnutls-devel at lists.gnutls.org Thu Mar 31 01:43:33 2022
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Wed, 30 Mar 2022 23:43:33 +0000
Subject: [gnutls-devel] GnuTLS | Fix matching of last key of a pkcs#11 token (!1560)

All discussions on merge request !1560 were resolved by Benjamin Herrenschmidt

https://gitlab.com/gnutls/gnutls/-/merge_requests/1560

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1560

From gnutls-devel at lists.gnutls.org Thu Mar 31 10:18:45 2022
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Thu, 31 Mar 2022 08:18:45 +0000
Subject: [gnutls-devel] GnuTLS | [WIP] Increase length limit of PKCS#12 passwords (!1564)

Reviewer changed to Daiki Ueno

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1564
From gnutls-devel at lists.gnutls.org Thu Mar 31 10:18:46 2022
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Thu, 31 Mar 2022 08:18:46 +0000
Subject: [gnutls-devel] GnuTLS | [WIP] Increase length limit of PKCS#12 passwords (!1564)

Reassigned merge request 1564

https://gitlab.com/gnutls/gnutls/-/merge_requests/1564

Assignee changed to Zoltán Fridrich

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1564

From gnutls-devel at lists.gnutls.org Thu Mar 31 10:18:47 2022
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Thu, 31 Mar 2022 08:18:47 +0000
Subject: [gnutls-devel] GnuTLS | [WIP] Increase length limit of PKCS#12 passwords (!1564)

Zoltán Fridrich created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1564

Project:Branches: ZoltanFridrich/gnutls:zfridric_devel3 to gnutls/gnutls:master
Author: Zoltán Fridrich
Assignee: Zoltán Fridrich
Reviewer: Daiki Ueno

Add a description of the new feature/bug fix. Reference any relevant bugs.
## Checklist

* [ ] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [ ] Code modified for feature
* [ ] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
* [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:

* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1564

From gnutls-devel at lists.gnutls.org Thu Mar 31 10:22:17 2022
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Thu, 31 Mar 2022 08:22:17 +0000
Subject: [gnutls-devel] GnuTLS | [WIP] Increase length limit of PKCS#12 passwords (!1564)

Milestone removed

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1564
From gnutls-devel at lists.gnutls.org Thu Mar 31 10:22:42 2022
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Thu, 31 Mar 2022 08:22:42 +0000
Subject: [gnutls-devel] GnuTLS | Increase length limit of PKCS#12 passwords (#1349)

Reassigned Issue 1349

https://gitlab.com/gnutls/gnutls/-/issues/1349

Assignee changed to Zoltán Fridrich

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1349

From gnutls-devel at lists.gnutls.org Thu Mar 31 10:22:47 2022
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Thu, 31 Mar 2022 08:22:47 +0000
Subject: [gnutls-devel] GnuTLS | Increase length limit of PKCS#12 passwords (#1349)

Milestone changed to Release of GnuTLS 3.7.5 (Mar 15, 2022–May 15, 2022) ( https://gitlab.com/gnutls/gnutls/-/milestones/34 )

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1349

From gnutls-devel at lists.gnutls.org Thu Mar 31 10:59:33 2022
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Thu, 31 Mar 2022 08:59:33 +0000
Subject: [gnutls-devel] GnuTLS | Fix matching of last key of a pkcs#11 token (!1560)

Daiki Ueno commented:

Thank you!

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1560#note_895707415
From gnutls-devel at lists.gnutls.org Thu Mar 31 10:59:37 2022
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Thu, 31 Mar 2022 08:59:37 +0000
Subject: [gnutls-devel] GnuTLS | Fix matching of last key of a pkcs#11 token (!1560)

Merge request !1560 was approved by Daiki Ueno

Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1560
Project:Branches: ozbenh/gnutls:fix-find-pkcs11-keys to gnutls/gnutls:master
Author: Benjamin Herrenschmidt
Assignees:
Reviewers:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1560

From gnutls-devel at lists.gnutls.org Thu Mar 31 11:00:07 2022
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Thu, 31 Mar 2022 09:00:07 +0000
Subject: [gnutls-devel] GnuTLS | Fix matching of last key of a pkcs#11 token (!1560)

Merge request !1560 was merged

Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1560
Project:Branches: ozbenh/gnutls:fix-find-pkcs11-keys to gnutls/gnutls:master
Author: Benjamin Herrenschmidt
Assignees:
Reviewers:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1560
From gnutls-devel at lists.gnutls.org Thu Mar 31 11:26:11 2022
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Thu, 31 Mar 2022 09:26:11 +0000
Subject: [gnutls-devel] GnuTLS | [WIP] Increase length limit of PKCS#12 passwords (!1564)

Daiki Ueno started a new discussion on lib/x509/pkcs12_encr.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1564#note_895746494

> #include > #include > > -#define MAX_PASS_LEN 256 > +#define MAX_PASS_LEN 4096

8192 (as suggested on the issue)?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1564#note_895746494

From gnutls-devel at lists.gnutls.org Thu Mar 31 11:54:57 2022
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Thu, 31 Mar 2022 09:54:57 +0000
Subject: [gnutls-devel] GnuTLS | Apparent failure to accept SHA1 signature of root CA when using SECURE256 (#1348)

Richard Frith-Macdonald commented:

On further investigation ... the problem is actually caused by the intermediate certificate rather than the root certificate. Specifically SECURE256 implies high certificate security, and 2048bit is not high enough.

More informative debug messages would have helped a lot here; something to say what criterion was used to decide that the certificate was not secure enough (and a clearer indication of which certificate caused the issue perhaps).

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1348#note_895793169
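The failure analysed in this thread comes down to a per-certificate level check whose log line ("GNUTLS_SEC_PARAM_HIGH: certificate's security level is unacceptable") names the level but not the certificate or the criterion. As an added illustration (not GnuTLS's `verify.c`), here is a chain walk in Python that reports both, run over the chain from the log above with a constructed leaf. The per-level RSA minimums are an assumption patterned on the GnuTLS manual's security-parameter table, not the library's constants (the real mapping is exposed by `gnutls_pk_bits_to_sec_param()`), and the example extends the text's single case to any level and any chain length.

```python
"""Security-level check over a certificate chain that names the failing
certificate and criterion. Added illustration, not GnuTLS's verify.c."""

# Minimum RSA modulus per level. ASSUMPTION: patterned on the GnuTLS manual's
# security-parameter table; treat as illustrative, not the library's constants.
RSA_MIN_BITS = {"low": 1248, "legacy": 1776, "medium": 2048, "high": 3072, "ultra": 8192}
LEVELS = list(RSA_MIN_BITS)          # ascending strength
INSECURE_HASHES = {"md5", "sha1"}    # hashes whose signatures are rejected

# Chain from the log above (leaf first, trust anchor last). The leaf is
# constructed; the DigiCert entries carry the values the log shows.
CHAIN = [
    {"subject": "CN=www.example.com (constructed leaf)",
     "key_bits": 2048, "sig_hash": "sha256"},
    {"subject": "CN=DigiCert TLS RSA SHA256 2020 CA1,O=DigiCert Inc,C=US",
     "key_bits": 2048, "sig_hash": "sha256"},
    {"subject": "CN=DigiCert Global Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US",
     "key_bits": 2048, "sig_hash": "sha1"},   # self-signed anchor
]


def rsa_key_level(bits: int) -> str:
    """Highest level whose RSA minimum the key meets, or 'insecure'."""
    level = "insecure"
    for name, minimum in RSA_MIN_BITS.items():
        if bits >= minimum:
            level = name
    return level


def check_chain(chain: list, required_level: str) -> list:
    """Return one finding per (certificate, criterion) that falls below
    required_level; an empty list means the chain is acceptable."""
    if required_level not in LEVELS:
        raise ValueError(f"unknown level {required_level!r}")
    findings = []
    for idx, cert in enumerate(chain):
        is_anchor = idx == len(chain) - 1
        # The anchor's own signature is never evaluated: a trust-store root
        # is trusted by presence, so its self-signature's hash is irrelevant.
        if not is_anchor and cert["sig_hash"] in INSECURE_HASHES:
            findings.append(f"{cert['subject']}: signature uses insecure hash "
                            f"{cert['sig_hash']}")
        # Key strength is checked on every certificate, including the anchor,
        # because the anchor's key is what vouches for the intermediate.
        got = rsa_key_level(cert["key_bits"])
        if got == "insecure" or LEVELS.index(got) < LEVELS.index(required_level):
            findings.append(f"{cert['subject']}: RSA {cert['key_bits']}-bit key rates "
                            f"'{got}', below required '{required_level}'")
    return findings


if __name__ == "__main__":
    # SECURE256 implies the HIGH certificate profile, per the discussion above.
    for level in ("medium", "high"):
        print(level, check_chain(CHAIN, level) or "chain acceptable")
```

At `medium` the chain passes and the root's SHA-1 self-signature is ignored, as a trust anchor's signature should be; at `high` (what SECURE256 implies, per the comment above) every 2048-bit key is reported with its subject, so the finding points at key size rather than at the root's hash, which is the diagnostic the thread asked for.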
From gnutls-devel at lists.gnutls.org Thu Mar 31 11:54:57 2022
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Thu, 31 Mar 2022 09:54:57 +0000
Subject: [gnutls-devel] GnuTLS | Apparent failure to accept SHA1 signature of root CA when using SECURE256 (#1348)

Issue was closed by Richard Frith-Macdonald

Issue #1348: https://gitlab.com/gnutls/gnutls/-/issues/1348

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1348

From gnutls-devel at lists.gnutls.org Thu Mar 31 12:04:45 2022
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Thu, 31 Mar 2022 10:04:45 +0000
Subject: [gnutls-devel] GnuTLS | [WIP] Increase length limit of PKCS#12 passwords (!1564)

All discussions on merge request !1564 were resolved by Zoltán Fridrich

https://gitlab.com/gnutls/gnutls/-/merge_requests/1564

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1564
From gnutls-devel at lists.gnutls.org Thu Mar 31 12:54:42 2022
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Thu, 31 Mar 2022 10:54:42 +0000
Subject: [gnutls-devel] GnuTLS | Consolidate FIPS .hmac files (!1562)

Merge request !1562 was merged

Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1562
Project:Branches: ZoltanFridrich/gnutls:zfridric_devel to gnutls/gnutls:master
Author: Zoltán Fridrich
Assignee: Zoltán Fridrich
Reviewers:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1562

From gnutls-devel at lists.gnutls.org Thu Mar 31 12:54:41 2022
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Thu, 31 Mar 2022 10:54:41 +0000
Subject: [gnutls-devel] GnuTLS | Consolidate FIPS .hmac files (#1338)

Issue was closed by Zoltán Fridrich via merge request !1562 (https://gitlab.com/gnutls/gnutls/-/merge_requests/1562)

Issue #1338: https://gitlab.com/gnutls/gnutls/-/issues/1338

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1338
From gnutls-devel at lists.gnutls.org Thu Mar 31 14:36:37 2022
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Thu, 31 Mar 2022 12:36:37 +0000
Subject: [gnutls-devel] GnuTLS | fips: simplify library integrity checking (!1565)

Daiki Ueno created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1565

Project:Branches: dueno/gnutls:wip/dueno/fipshmac-followup to gnutls/gnutls:master
Author: Daiki Ueno

This removes code duplication by grouping the `path` and `hmac` fields in the `hmac_file` structure.

## Checklist

* [x] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [ ] Code modified for feature
* [ ] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
* [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:

* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1565
From gnutls-devel at lists.gnutls.org Thu Mar 31 15:48:13 2022
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Thu, 31 Mar 2022 13:48:13 +0000
Subject: [gnutls-devel] GnuTLS | fips: simplify library integrity checking (!1565)

Merge request !1565 was approved by Zoltán Fridrich

Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1565
Project:Branches: dueno/gnutls:wip/dueno/fipshmac-followup to gnutls/gnutls:master
Author: Daiki Ueno
Assignees:
Reviewers:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1565

From gnutls-devel at lists.gnutls.org Thu Mar 31 15:48:18 2022
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Thu, 31 Mar 2022 13:48:18 +0000
Subject: [gnutls-devel] GnuTLS | fips: simplify library integrity checking (!1565)

Zoltán Fridrich commented:

looks good

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1565#note_896121083
From gnutls-devel at lists.gnutls.org Thu Mar 31 15:49:19 2022
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Thu, 31 Mar 2022 13:49:19 +0000
Subject: [gnutls-devel] GnuTLS | Increase length limit of PKCS#12 passwords (!1564)

Merge request !1564 was approved by Daiki Ueno

Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1564
Project:Branches: ZoltanFridrich/gnutls:zfridric_devel3 to gnutls/gnutls:master
Author: Zoltán Fridrich
Assignee: Zoltán Fridrich
Reviewer: Daiki Ueno

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1564

From gnutls-devel at lists.gnutls.org Thu Mar 31 15:52:33 2022
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Thu, 31 Mar 2022 13:52:33 +0000
Subject: [gnutls-devel] GnuTLS | Increase length limit of PKCS#12 passwords (!1564)

Merge request !1564 was merged

Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1564
Project:Branches: ZoltanFridrich/gnutls:zfridric_devel3 to gnutls/gnutls:master
Author: Zoltán Fridrich
Assignee: Zoltán Fridrich
Reviewer: Daiki Ueno

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1564
From gnutls-devel at lists.gnutls.org Thu Mar 31 16:03:00 2022
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Thu, 31 Mar 2022 14:03:00 +0000
Subject: [gnutls-devel] GnuTLS | build: minor fixes (!1566)

Daiki Ueno created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1566

Project:Branches: dueno/gnutls:wip/dueno/minor to gnutls/gnutls:master
Author: Daiki Ueno

Related: #1341

## Checklist

* [x] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [ ] Code modified for feature
* [ ] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
* [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:

* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1566
From gnutls-devel at lists.gnutls.org Thu Mar 31 16:04:27 2022
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Thu, 31 Mar 2022 14:04:27 +0000
Subject: [gnutls-devel] GnuTLS | fips: simplify library integrity checking (!1565)

Merge request !1565 was scheduled to merge after pipeline succeeds by Daiki Ueno

Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1565
Project:Branches: dueno/gnutls:wip/dueno/fipshmac-followup to gnutls/gnutls:master
Author: Daiki Ueno
Assignees:
Reviewers:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1565