From gnutls-devel at lists.gnutls.org Tue Sep 2 00:02:49 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Mon, 01 Sep 2025 22:02:49 +0000 Subject: [gnutls-devel] GnuTLS | pkcs11: try to initialize modules in thread-safe mode (!2014) References: Message-ID: Daiki Ueno created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/2014 Project:Branches: dueno/gnutls:wip/dueno/trust-list to gnutls/gnutls:master Author: Daiki Ueno When modules are initialized without CKF_OS_LOCKING_OK nor custom locking functions, they may skip their internal locking assuming that the applications will take care of thread-safety, which is costly and GnuTLS currently doesn't do that. To mitigate this, this patch changes the module initialization code to tell the modules to guarantee thread-safety by themselves. If they are unable to do that, this falls back to the normal initialization without C_Initialize parameters. This also omits the custom_init flag, which indicated whether the module is initialized with p11_kit_module_initialize or a direct call to C_Initialize, now that modules are always initialized with C_Initialize. Fixes: #1212 ## Checklist * [x] Commits have `Signed-off-by:` with name/author being identical to the commit author * [ ] Code modified for feature * [ ] Test suite updated with functionality tests * [ ] Test suite updated with negative tests * [ ] Documentation updated / NEWS entry present (for non-trivial changes) ## Reviewer's checklist: * [ ] Any issues marked for closing are addressed * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md` * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/2014 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Sep 5 05:34:37 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 05 Sep 2025 03:34:37 +0000 Subject: [gnutls-devel] GnuTLS | pkcs11: align private key signing operations with PKCS #11 specification (!2015) References: Message-ID: Di Wang created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/2015 Project:Branches: crrs666/gnutls:master to gnutls/gnutls:master Author: Di Wang * pkcs11: align private key signing operations with PKCS#11 specification According to PKCS#11 specification 5.13.1, to start another C_Sign() operation, C_SignInit() must be called again, otherwise the operation may return with CKR_OPERATION_NOT_INITIALIZED. Modifies the private key signing workflow to follow PKCS #11 specification. ## Checklist * [ ] Commits have `Signed-off-by:` with name/author being identical to the commit author * [ ] Code modified for feature * [ ] Test suite updated with functionality tests * [ ] Test suite updated with negative tests * [ ] Documentation updated / NEWS entry present (for non-trivial changes) ## Reviewer's checklist: * [ ] Any issues marked for closing are addressed * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md` * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/2015 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Sep 5 05:36:58 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 05 Sep 2025 03:36:58 +0000 Subject: [gnutls-devel] GnuTLS | tls13/key_update: Expose a manual KeyUpdate function (!1965) In-Reply-To: References: Message-ID: Alistair Francis commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/1965#note_2731508297 Done! I have modified `tests/handshake-write.c` to manually trigger a KeyUpdate using the new `gnutls_handshake_update_receiving_key()` function -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1965#note_2731508297 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Sep 5 05:43:48 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 05 Sep 2025 03:43:48 +0000 Subject: [gnutls-devel] GnuTLS | tls13/key_update: Expose a manual KeyUpdate function (!1965) In-Reply-To: References: Message-ID: Alistair Francis started a new discussion on tests/handshake-write.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1965#note_2731512655 > TRANSFER(client, server, MSG, strlen(MSG), buffer, MAX_BUF); > TRANSFER(server, client, MSG, strlen(MSG), buffer, MAX_BUF); > > + /* Trigger a KeyUpdate that won't actually be sent to the client, > + * as handshake_read_func() will drop the message. > + */ > + gnutls_session_key_update(server, GNUTLS_KU_PEER); > + > + /* Manually update the client keys */ > + gnutls_handshake_update_receiving_key(client); As a easy test if you comment this line out the test will fail as the key isn't updated on the client -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1965#note_2731512655 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Sep 5 06:14:51 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 05 Sep 2025 04:14:51 +0000 Subject: [gnutls-devel] GnuTLS | record: Allow setting all record state (!1968) In-Reply-To: References: Message-ID: Alistair Francis marked merge request !1968 as ready -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1968 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Sep 5 06:26:23 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 05 Sep 2025 04:26:23 +0000 Subject: [gnutls-devel] GnuTLS | record: Allow setting all record state (!1968) In-Reply-To: References: Message-ID: Alistair Francis commented: https://gitlab.com/gnutls/gnutls/-/merge_requests/1968#note_2731569790 Updated with unit tests and removed the draft status. This is now ready to go -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1968#note_2731569790 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Sep 5 08:14:59 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 05 Sep 2025 06:14:59 +0000 Subject: [gnutls-devel] GnuTLS | pkcs11: align private key signing operations with PKCS #11 specification (!2015) In-Reply-To: References: Message-ID: Merge request !2015 was closed by Di Wang Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/2015 Project:Branches: crrs666/gnutls:master to gnutls/gnutls:master Author: Di Wang Assignees: Reviewers: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/2015 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat Sep 6 02:49:22 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Sat, 06 Sep 2025 00:49:22 +0000 Subject: [gnutls-devel] GnuTLS | pkcs11: try to initialize modules in thread-safe mode (!2014) In-Reply-To: References: Message-ID: Alexander Sosedkin was added as a reviewer. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/2014 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Sep 8 04:08:31 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Mon, 08 Sep 2025 02:08:31 +0000 Subject: [gnutls-devel] GnuTLS | pkcs11: ensure C_SignInit is called before C_Sign (!2016) References: Message-ID: Di Wang created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/2016 Project:Branches: crrs666/gnutls:master to gnutls/gnutls:master Author: Di Wang * pkcs11: ensure C_SignInit is called before C_Sign According to PKCS#11 specification v3.1 part 5.13.1, C_SignInit must be called before every C_Sign operation, otherwise the operation may return with CKR_OPERATION_NOT_INITIALIZED. Signed-off-by: Di Wang ## Checklist * [ ] Commits have `Signed-off-by:` with name/author being identical to the commit author * [ ] Code modified for feature * [ ] Test suite updated with functionality tests * [ ] Test suite updated with negative tests * [ ] Documentation updated / NEWS entry present (for non-trivial changes) ## Reviewer's checklist: * [ ] Any issues marked for closing are addressed * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md` * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/2016 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Sep 8 05:22:49 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Mon, 08 Sep 2025 03:22:49 +0000 Subject: [gnutls-devel] GnuTLS | pkcs11: ensure C_SignInit is called before C_Sign (!2016) In-Reply-To: References: Message-ID: Merge request !2016 was closed by Di Wang Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/2016 Project:Branches: crrs666/gnutls:master to gnutls/gnutls:master Author: Di Wang Assignees: Reviewers: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/2016 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Sep 8 11:38:15 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Mon, 08 Sep 2025 09:38:15 +0000 Subject: [gnutls-devel] GnuTLS | pkcs11: ensure C_SignInit is called before C_Sign (!2016) In-Reply-To: References: Message-ID: Daiki Ueno commented: https://gitlab.com/gnutls/gnutls/-/merge_requests/2016#note_2735741109 > According to PKCS#11 specification v3.1 part 5.13.1, C_SignInit must be called before every C_Sign operation, otherwise the operation may return with CKR_OPERATION_NOT_INITIALIZED. I know it's already closed, but I don't think this is the case; the [spec](https://docs.oasis-open.org/pkcs11/pkcs11-spec/v3.2/pkcs11-spec-v3.2.html#_Toc195693140) says "**To process additional data** (in single or multiple parts), the application MUST call C_SignInit again." In this case, the application calls C_Sign twice, first to determine the length of the signature, and then obtain the signature itself, calculated over the same data. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/2016#note_2735741109 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: