From gnutls-devel at lists.gnutls.org Tue Apr 7 07:56:12 2026
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Tue, 07 Apr 2026 05:56:12 +0000
Subject: [gnutls-devel] GnuTLS | ML-DSA: --key-info fails on expanded-only key encoding (ML-DSA-44, 65, 87) (#1830)

Daiki Ueno commented: https://gitlab.com/gnutls/gnutls/-/work_items/1830#note_3225871496

I think this is the same issue as #1723. Once a private key is expanded, it is not trivial to derive a public key and one would need [this](https://github.com/aws/aws-lc/pull/2142) kind of recalculation, which leancrypto doesn't support.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/work_items/1830#note_3225871496
You're receiving this email because of your account on gitlab.com.
Unsubscribe from this thread: https://gitlab.com/-/sent_notifications/4-8fhdfda6dlotrnu0bgke2f2ud-a84t7/unsubscribe | Manage all notifications: https://gitlab.com/-/profile/notifications | Help: https://gitlab.com/help
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From gnutls-devel at lists.gnutls.org Tue Apr 7 07:56:34 2026
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Tue, 07 Apr 2026 05:56:34 +0000
Subject: [gnutls-devel] GnuTLS | ML-DSA: --key-info fails on expanded-only key encoding (ML-DSA-44, 65, 87) (#1830)

Issue was closed by Daiki Ueno

Issue #1830: https://gitlab.com/gnutls/gnutls/-/work_items/1830
From gnutls-devel at lists.gnutls.org Tue Apr 7 16:41:52 2026
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Tue, 07 Apr 2026 14:41:52 +0000
Subject: [gnutls-devel] GnuTLS | OCSP Staple Index Confusion — Certificate Revocation Bypass (#1837)

Zou Dikai created an issue: https://gitlab.com/gnutls/gnutls/-/work_items/1837

## Description of problem:

When processing a stapled OCSP response during TLS certificate verification, `check_ocsp_response()` first searches the OCSP response for the `SingleResponse` entry that matches the peer certificate. The matching search is performed by iterating `resp_indx`:

```c
for (resp_indx = 0;; resp_indx++) {
	ret = gnutls_ocsp_resp_check_crt(resp, resp_indx, cert);
	if (ret == 0 || ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
		break;
}
```

At that point, `resp_indx` identifies the `SingleResponse` record whose certificate identifier matches the certificate currently being verified. However, the subsequent status lookup does not use the matched index. Instead, it always reads record `0`:

```c
ret = gnutls_ocsp_resp_get_single(resp, 0, NULL, NULL, NULL, NULL,
				  &cert_status, &vtime, &ntime, &rtime, NULL);
```

As a result, the code can match certificate status information using one `SingleResponse` entry, but then read revocation and freshness information from another entry. This affects the handshake certificate verification path.

The values returned by `gnutls_ocsp_resp_get_single()` are used to decide:

* whether the certificate is revoked
* whether the OCSP response is too old
* whether the stapled OCSP check succeeds

In other words, if a stapled OCSP response contains multiple `SingleResponse` records and the matching certificate record is not at index `0`, GnuTLS may apply the status of the wrong record to the certificate being verified.

One concrete scenario is:

* `SingleResponse[0]` corresponds to a different certificate and has status `GOOD`
* `SingleResponse[1]` corresponds to the actual peer certificate and has status `REVOKED`
* the search loop finds the peer certificate at `resp_indx == 1`
* the later lookup still reads status from index `0`

This can cause the peer certificate to be evaluated using the wrong OCSP status and timing data.

## Version of gnutls used:

3.8.12-73-g8b6731064-dirty

## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)

Not distributor-specific in this report.

## How reproducible:

Steps to Reproduce:

* Inspect `check_ocsp_response()` and confirm that it first searches all `SingleResponse` entries using `resp_indx` and `gnutls_ocsp_resp_check_crt()`.
* Confirm that after the matching index is found, the code still calls `gnutls_ocsp_resp_get_single(resp, 0, ...)` instead of using `resp_indx`.
* Construct a valid stapled OCSP response containing multiple `SingleResponse` entries where the peer certificate matches an entry at index `1` or later, and make the first entry carry different certificate status or validity times.

## Actual results:

The code identifies the `SingleResponse` entry matching the peer certificate, but later reads `cert_status`, `thisUpdate`, `nextUpdate`, and `revocationTime` from entry `0` regardless of which entry actually matched. This can lead to the wrong revocation or freshness result being applied to the peer certificate during the TLS handshake.
## Expected results:

Once the matching `SingleResponse` entry is identified, all subsequent OCSP status and validity reads should use that same matched index. That is, the code should read certificate status and timing data from `resp_indx`, not from a hardcoded `0`.

From gnutls-devel at lists.gnutls.org Thu Apr 9 08:17:18 2026
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Thu, 09 Apr 2026 06:17:18 +0000
Subject: [gnutls-devel] GnuTLS | nettle: support deriving ML-DSA public key from expanded secret key (!2088)

Daiki Ueno created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/2088

Project:Branches: dueno/gnutls:wip/dueno/mldsa-pk-from-sk to gnutls/gnutls:master
Author: Daiki Ueno

This enables deriving an ML-DSA public key from a secret key, using the new `lc_dilithium_pk_from_sk` function in leancrypto, through the following commits:

* gnutls_x509_privkey_get_key_id: derive ML-DSA public key if needed
* nettle: support deriving ML-DSA public key from expanded secret key
* crypto-backend: turn privkey_to_pubkey into a backend API
* privkey_to_pubkey: use constants to access public key parameters

Fixes: #1723

## Checklist

* [x] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [ ] Code modified for feature
* [ ] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)

## Reviewer's checklist:

* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

From gnutls-devel at lists.gnutls.org Thu Apr 9 10:45:41 2026
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Thu, 09 Apr 2026 08:45:41 +0000
Subject: [gnutls-devel] GnuTLS | certtool fails to handle truncated SHA-512 variants (SHA-512/224 and SHA-512/256) in PKCS#12 and PBES2 (#1831)

Daiki Ueno commented: https://gitlab.com/gnutls/gnutls/-/work_items/1831#note_3234570087

GnuTLS doesn't support the truncated variants (SHA512/224 and SHA512/256) at all, and this is not specific to PKCS#12.
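Returning to the OCSP staple index confusion reported in #1837 above: the following is an added, self-contained illustration written for this digest, not GnuTLS code. It models a stapled response with several `SingleResponse` entries, runs the same matching loop the report quotes, and then evaluates the status two ways: once reading entry `0` regardless of the match (the reported behaviour) and once reading the matched index (the expected behaviour). The error codes, the `struct single_response` layout, the serial-string stand-in for the CertID and the sample entries are all constructed for the example.

```c
/* Added illustration (not GnuTLS code) of the index confusion reported in
 * #1837: a constructed OCSP response with two SingleResponse entries, the
 * matching loop from the report, and two status lookups, one reading entry
 * 0 (the reported behaviour) and one reading the matched index (the fix). */
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Constructed stand-ins for the GnuTLS error codes and status values. */
#define E_REQUESTED_DATA_NOT_AVAILABLE (-1)
#define E_CERT_REVOKED (-2)
#define E_OCSP_RESPONSE_TOO_OLD (-3)
#define E_OCSP_MISMATCH_WITH_CERTS (-4)
enum cert_status { STATUS_GOOD = 0, STATUS_REVOKED = 1 };

/* Minimal SingleResponse: a serial string standing in for the CertID,
 * the certificate status and the nextUpdate time. */
struct single_response {
	const char *cert_serial;
	enum cert_status status;
	time_t next_update;
};
struct ocsp_response {
	const struct single_response *entries;
	size_t count;
};

/* Same contract as gnutls_ocsp_resp_check_crt(): 0 on a match, "not
 * available" once indx is past the last entry, mismatch otherwise. */
static int resp_check_crt(const struct ocsp_response *resp, size_t indx,
			  const char *peer_serial)
{
	if (indx >= resp->count)
		return E_REQUESTED_DATA_NOT_AVAILABLE;
	return strcmp(resp->entries[indx].cert_serial, peer_serial) == 0 ?
		       0 : E_OCSP_MISMATCH_WITH_CERTS;
}

/* The search loop from the report; stores the matched index in *out. */
static int find_matching_entry(const struct ocsp_response *resp,
			       const char *peer_serial, size_t *out)
{
	size_t indx;
	int ret;
	for (indx = 0;; indx++) {
		ret = resp_check_crt(resp, indx, peer_serial);
		if (ret == 0 || ret == E_REQUESTED_DATA_NOT_AVAILABLE)
			break;
	}
	if (ret < 0)
		return ret;
	*out = indx;
	return 0;
}

/* The decisions the report lists (revoked? too old? otherwise ok),
 * applied to the SingleResponse at `indx`. */
static int evaluate_entry(const struct ocsp_response *resp, size_t indx,
			  time_t now)
{
	const struct single_response *e = &resp->entries[indx];
	if (e->status == STATUS_REVOKED)
		return E_CERT_REVOKED;
	if (e->next_update != 0 && now > e->next_update)
		return E_OCSP_RESPONSE_TOO_OLD;
	return 0;
}

/* Reported behaviour: match on the index, then read entry 0 regardless. */
int check_ocsp_status_index0(const struct ocsp_response *resp,
			     const char *peer_serial, time_t now)
{
	size_t matched;
	int ret = find_matching_entry(resp, peer_serial, &matched);
	if (ret < 0)
		return ret;
	(void)matched; /* the matched index is never used: that is the bug */
	return evaluate_entry(resp, 0, now);
}

/* Expected behaviour: read status and times from the matched entry. */
int check_ocsp_status_matched(const struct ocsp_response *resp,
			      const char *peer_serial, time_t now)
{
	size_t matched;
	int ret = find_matching_entry(resp, peer_serial, &matched);
	if (ret < 0)
		return ret;
	return evaluate_entry(resp, matched, now);
}

/* Constructed response for the report's scenario: entry 0 is GOOD for
 * another certificate, entry 1 is REVOKED for the peer certificate. */
static const struct single_response sample_entries[] = {
	{ "01:aa", STATUS_GOOD, 1700600000 },
	{ "02:bb", STATUS_REVOKED, 1700600000 },
};
const struct ocsp_response sample_response = { sample_entries, 2 };

int main(void)
{
	time_t now = 1700100000;
	printf("revoked peer: entry-0 lookup %d, matched lookup %d\n",
	       check_ocsp_status_index0(&sample_response, "02:bb", now),
	       check_ocsp_status_matched(&sample_response, "02:bb", now));
	return 0;
}
```

Run against the sample response, the entry-0 lookup reports success for a peer whose own entry says `REVOKED`, while the matched lookup returns the revocation error; a regression test for the real fix would stage exactly this layout (matching entry at index 1 or later, a differing entry at index 0) and assert on the handshake verification result.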
From gnutls-devel at lists.gnutls.org Thu Apr 9 15:08:48 2026
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Thu, 09 Apr 2026 13:08:48 +0000
Subject: [gnutls-devel] GnuTLS | tests: fix unset $SEED (!2089)

Ricardo M_ Correia created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/2089

Project:Branches: wizeman/gnutls:fix-seed to gnutls/gnutls:master
Author: Ricardo M_ Correia

A test script was using a shell variable `$SEED` without setting it first. This led to `certtool` using a random seed value rather than the intended fixed seed, which in turn led to random (rare) failures when generating 2048-bit DSA keys during the test, since random DSA key generation does not always succeed.

Fixed the test by setting `$SEED` to the same fixed values that are set in `provable-privkey.sh`.

## Checklist

* [X] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [ ] Code modified for feature
* [ ] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)

## Reviewer's checklist:

* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code
From gnutls-devel at lists.gnutls.org Fri Apr 10 03:55:18 2026
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Fri, 10 Apr 2026 01:55:18 +0000
Subject: [gnutls-devel] GnuTLS | nettle: support deriving ML-DSA public key from expanded secret key (!2088)

Daiki Ueno commented: https://gitlab.com/gnutls/gnutls/-/merge_requests/2088#note_3238535956

After discussion, it turned out to be easier to do the expansion at `pk_fixup` upon import, rather than adding a `privkey_to_pubkey` backend function. I've reworked along these lines.

From gnutls-devel at lists.gnutls.org Fri Apr 10 04:11:08 2026
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Fri, 10 Apr 2026 02:11:08 +0000
Subject: [gnutls-devel] GnuTLS | nettle: support deriving ML-DSA public key from expanded secret key (!2088)

Zoltán Fridrich was added as a reviewer.
From gnutls-devel at lists.gnutls.org Fri Apr 10 11:44:05 2026
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Fri, 10 Apr 2026 09:44:05 +0000
Subject: [gnutls-devel] GnuTLS | nettle: support deriving ML-DSA public key from expanded secret key (!2088)

Zoltán Fridrich started a new discussion on lib/nettle/pk.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/2088#note_3239525189

> }
> break;
>
> + case GNUTLS_PK_MLDSA44:
> + case GNUTLS_PK_MLDSA65:
> + case GNUTLS_PK_MLDSA87:
> + if (params->raw_pub.data == NULL) {
> + ret = ml_dsa_privkey_to_pubkey(algo, &params->raw_priv,
> + &params->raw_pub);
> + if (ret < 0 && ret != GNUTLS_E_UNIMPLEMENTED_FEATURE)

Just making sure. Is it correct for the function to return 0 when GNUTLS_E_UNIMPLEMENTED_FEATURE is returned from ml_dsa_privkey_to_pubkey?
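Review bot: in the `if (ret < 0 && ret != GNUTLS_E_UNIMPLEMENTED_FEATURE)` line, masking GNUTLS_E_UNIMPLEMENTED_FEATURE means an expanded-only ML-DSA private key imports successfully with `params->raw_pub.data` still NULL whenever the backend cannot derive the public key, so every later consumer of `raw_pub` has to tolerate a NULL there. If that silent fallback is intended, a debug log at this point would make it visible when a key-info or signing operation later fails on such a key; if the intent is to reject expanded-only keys at import instead, the error should be propagated rather than swallowed.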
From gnutls-devel at lists.gnutls.org Fri Apr 10 11:45:59 2026
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Fri, 10 Apr 2026 09:45:59 +0000
Subject: [gnutls-devel] GnuTLS | nettle: support deriving ML-DSA public key from expanded secret key (!2088)

Zoltán Fridrich commented: https://gitlab.com/gnutls/gnutls/-/merge_requests/2088#note_3239531593

Looks nice. No issues found.

From gnutls-devel at lists.gnutls.org Fri Apr 10 11:46:00 2026
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Fri, 10 Apr 2026 09:46:00 +0000
Subject: [gnutls-devel] GnuTLS | nettle: support deriving ML-DSA public key from expanded secret key (!2088)

Merge request !2088 was approved by Zoltán Fridrich

Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/2088
Project:Branches: dueno/gnutls:wip/dueno/mldsa-pk-from-sk to gnutls/gnutls:master
Author: Daiki Ueno
Assignees:
Reviewer: Zoltán Fridrich
From gnutls-devel at lists.gnutls.org Fri Apr 10 20:45:47 2026
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Fri, 10 Apr 2026 18:45:47 +0000
Subject: [gnutls-devel] GnuTLS | PKCS#11 Auto-Initialization Not Working (#1798)

Claudio Ferreira commented: https://gitlab.com/gnutls/gnutls/-/work_items/1798#note_3241197019

@dueno, need any other info?

From gnutls-devel at lists.gnutls.org Mon Apr 13 01:34:49 2026
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sun, 12 Apr 2026 23:34:49 +0000
Subject: [gnutls-devel] GnuTLS | nettle: support deriving ML-DSA public key from expanded secret key (!2088)

All discussions on merge request !2088 were resolved by Daiki Ueno

https://gitlab.com/gnutls/gnutls/-/merge_requests/2088
From gnutls-devel at lists.gnutls.org Mon Apr 13 01:34:48 2026
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sun, 12 Apr 2026 23:34:48 +0000
Subject: [gnutls-devel] GnuTLS | nettle: support deriving ML-DSA public key from expanded secret key (!2088)

Daiki Ueno commented on a discussion on lib/nettle/pk.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/2088#note_3243318549

> }
> break;
>
> + case GNUTLS_PK_MLDSA44:
> + case GNUTLS_PK_MLDSA65:
> + case GNUTLS_PK_MLDSA87:
> + if (params->raw_pub.data == NULL) {
> + ret = ml_dsa_privkey_to_pubkey(algo, &params->raw_priv,
> + &params->raw_pub);
> + if (ret < 0 && ret != GNUTLS_E_UNIMPLEMENTED_FEATURE)

Yes, that is intentional. Since `pk_fixup` is called upon importing private key, failing here means to prevent subsequent operations with expanded-only ML-DSA private keys. I added a debug log there.

From gnutls-devel at lists.gnutls.org Mon Apr 13 01:36:09 2026
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sun, 12 Apr 2026 23:36:09 +0000
Subject: [gnutls-devel] GnuTLS | aarch64: Enable GCS (!2038)

Daiki Ueno commented: https://gitlab.com/gnutls/gnutls/-/merge_requests/2038#note_3243319131

Thanks for fixing the git history.
From gnutls-devel at lists.gnutls.org Mon Apr 13 01:36:22 2026
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sun, 12 Apr 2026 23:36:22 +0000
Subject: [gnutls-devel] GnuTLS | aarch64: Enable GCS (!2038)

Merge request !2038 was merged

Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/2038
Project:Branches: ggardet/gnutls:master to gnutls/gnutls:master
Author: GUILLAUME GARDET
From gnutls-devel at lists.gnutls.org Mon Apr 13 03:56:57 2026
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Mon, 13 Apr 2026 01:56:57 +0000
Subject: [gnutls-devel] GnuTLS | nettle: support deriving ML-DSA public key from expanded secret key (!2088)

Merge request !2088 was merged

Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/2088
Project:Branches: dueno/gnutls:wip/dueno/mldsa-pk-from-sk to gnutls/gnutls:master
Author: Daiki Ueno
Reviewer: Zoltán Fridrich

From gnutls-devel at lists.gnutls.org Mon Apr 13 09:16:11 2026
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Mon, 13 Apr 2026 07:16:11 +0000
Subject: [gnutls-devel] GnuTLS | GnuTLS Security Disclosure: Non-Zeroizing Free of Shared Secret Buffers in Hybrid Key Exchange (#1841)

liyue created an issue: https://gitlab.com/gnutls/gnutls/-/work_items/1841

## Description of problem:

GnuTLS Security Disclosure: Non-Zeroizing Free of Shared Secret Buffers in Hybrid Key Exchange

## Affected branch: master

We are researchers conducting a systematic security study of hybrid post-quantum KEM implementations across open-source projects.
During our analysis of GnuTLS's hybrid key share extension, we identified that shared secret buffers are freed using `_gnutls_free_datum()` instead of the secure `_gnutls_free_key_datum()` in two functions in `lib/ext/key_share.c`.

## Summary

In `server_use_key_share_single()` and `client_use_key_share_single()`, KEM/ECDH shared secrets are stored in a local `gnutls_datum_t key` variable. After the shared secret is copied to `session->key.key` via `append_key_datum()`, the original buffer is freed with `_gnutls_free_datum(&key)`, which calls `gnutls_free()` without first clearing the buffer contents. The secure alternative `_gnutls_free_key_datum(&key)` calls `zeroize_key()` before `gnutls_free()`.

## Affected Code

**Function `server_use_key_share_single()`**, 3 locations:

```c
// Line 464-465 (ECDH P-256/P-384 shared secret)
ret = append_key_datum(&session->key.key, &key);
_gnutls_free_datum(&key); // should be _gnutls_free_key_datum(&key)

// Line 508-509 (X25519/X448 shared secret)
ret = append_key_datum(&session->key.key, &key);
_gnutls_free_datum(&key); // should be _gnutls_free_key_datum(&key)

// Line 605-606 (ML-KEM/Kyber shared secret from _gnutls_pk_encaps)
ret = append_key_datum(&session->key.key, &key);
_gnutls_free_datum(&key); // should be _gnutls_free_key_datum(&key)
```

**Function `client_use_key_share_single()`**, 4 locations:

```c
// Lines 703, 742, 779, 800: same pattern for ECDH, X25519, DH, ML-KEM
ret = append_key_datum(&session->key.key, &key);
_gnutls_free_datum(&key); // should be _gnutls_free_key_datum(&key)
```

## The Difference

From `lib/datum.h`:

```c
// _gnutls_free_datum: does NOT clear buffer contents
inline static void _gnutls_free_datum(gnutls_datum_t *dat)
{
	gnutls_free(dat->data); // free only
	dat->size = 0;
}

// _gnutls_free_key_datum: clears buffer BEFORE freeing
inline static void _gnutls_free_key_datum(gnutls_datum_t *dat)
{
	zeroize_key(dat->data, dat->size); // zero first
	gnutls_free(dat->data); // then free
	dat->size = 0;
}
```

## Impact

After `_gnutls_free_datum(&key)`, the shared secret bytes remain in freed heap memory until overwritten by a future allocation. In a hybrid key exchange (e.g., `mlkem768nistp256`), both the ECDH and ML-KEM shared secrets are affected. An attacker with memory read access (e.g., via a separate memory disclosure vulnerability, cold boot attack, or core dump) could recover the shared secret from freed heap pages.

We note that this issue also affects non-hybrid key exchanges (pure ECDH, X25519, FFDHE) in the same functions, since the same `_gnutls_free_datum(&key)` pattern is used for all key agreement types.

## Suggested Fix

Replace `_gnutls_free_datum(&key)` with `_gnutls_free_key_datum(&key)` at the 7 identified locations. The secure variant is already available in GnuTLS and is used elsewhere in the codebase for handling sensitive key material.

## Standard Reference

- NIST SP 800-227: "Intermediate values used in any given KEM algorithm SHALL be destroyed before the algorithm terminates"
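As an added illustration of the two free patterns compared in #1841 (not GnuTLS code, and not the reporter's), the block below implements a plain `datum_t`, a release that frees without clearing, and a release that wipes first, with a wipe written so that the compiler cannot remove it as a dead store before `free()`. The names mirror the report's `_gnutls_free_datum`, `_gnutls_free_key_datum` and `zeroize_key` but are stand-ins; the real `zeroize_key` implementation is not shown on the page, and the volatile-function-pointer technique used here is one common approach, assumed for the example. The "shared secret" is constructed bytes. Since reading a freed block is undefined behaviour, the check inspects the buffer while it is still live.

```c
/* Added illustration (not GnuTLS code) of the two free patterns compared in
 * #1841: a datum freed as-is versus a datum wiped before it is freed, with a
 * wipe the compiler cannot drop as a dead store. Names mirror the report's
 * (_gnutls_free_datum / _gnutls_free_key_datum / zeroize_key) but are
 * stand-ins; GnuTLS' real zeroize_key is not shown on the page. */
#include <stdlib.h>
#include <string.h>

typedef struct {
	unsigned char *data;
	size_t size;
} datum_t;

/* Dead-store-resistant wipe: memset is called through a volatile function
 * pointer, so the compiler cannot prove the stores unobservable and elide
 * them before free(). (One common technique; an assumption here.) */
static void *(*const volatile memset_ptr)(void *, int, size_t) = memset;

void zeroize_key(void *buf, size_t len)
{
	if (buf != NULL && len > 0)
		memset_ptr(buf, 0, len);
}

/* The pattern reported in #1841: release without clearing. The secret
 * bytes stay in the freed heap block until the allocator reuses it. */
void free_datum(datum_t *dat)
{
	free(dat->data);
	dat->data = NULL;
	dat->size = 0;
}

/* The secure variant: clear first, then release. */
void free_key_datum(datum_t *dat)
{
	zeroize_key(dat->data, dat->size);
	free(dat->data);
	dat->data = NULL;
	dat->size = 0;
}

/* Allocates a datum holding a copy of `src` (a constructed stand-in for
 * a KEM or ECDH shared secret). Returns 0 on success, -1 on allocation
 * failure. */
int datum_from_bytes(datum_t *dat, const unsigned char *src, size_t len)
{
	dat->data = malloc(len);
	if (dat->data == NULL)
		return -1;
	memcpy(dat->data, src, len);
	dat->size = len;
	return 0;
}

/* 1 if every byte of buf is zero, else 0. */
int all_zero(const unsigned char *buf, size_t len)
{
	unsigned char acc = 0;
	size_t i;
	for (i = 0; i < len; i++)
		acc |= buf[i];
	return acc == 0;
}

/* Checks that the wipe works while the buffer is still live (reading a
 * freed block would be undefined behaviour, so the check happens before
 * free). Returns 1 if the secret was present, was fully cleared in place,
 * and the datum was reset afterwards; 0 otherwise. */
int wipe_is_effective(void)
{
	unsigned char secret[32];
	datum_t key;
	size_t i;
	int before, after;

	for (i = 0; i < sizeof secret; i++) /* constructed secret bytes */
		secret[i] = (unsigned char)(0x41 + i);
	if (datum_from_bytes(&key, secret, sizeof secret) < 0)
		return 0;
	before = all_zero(key.data, key.size); /* 0: secret present */
	zeroize_key(key.data, key.size);
	after = all_zero(key.data, key.size);  /* 1: wiped in place */
	free_key_datum(&key);
	return before == 0 && after == 1 && key.data == NULL && key.size == 0;
}
```

The point of routing `memset` through a `volatile` function pointer is that a plain `memset(buf, 0, len)` immediately followed by `free(buf)` is a store to memory the program never reads again, which optimisers are entitled to delete; a code review that only checks for the presence of a clearing call, without checking that it survives optimisation, can pass a wipe that does nothing.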
From gnutls-devel at lists.gnutls.org Mon Apr 13 21:58:13 2026
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Mon, 13 Apr 2026 19:58:13 +0000
Subject: [gnutls-devel] GnuTLS | Fixed some compilation warnings (!2090)

David Dudas created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/2090

Project:Branches: d-Dudas/gnutls:dev/ddudas/debug/compilation-warnings to gnutls/gnutls:master
Author: David Dudas

* Fixed some compilation warnings, such as:
  - analyzer-possible-null-argument
  - zero-as-null-pointer-constant

## Checklist

* [x] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [ ] Code modified for feature
* [ ] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)

## Reviewer's checklist:

* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code
From gnutls-devel at lists.gnutls.org Tue Apr 14 02:26:05 2026
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Tue, 14 Apr 2026 00:26:05 +0000
Subject: [gnutls-devel] cligen | pacify -Wzero-as-null-pointer-constant (!8)

Daiki Ueno commented: https://gitlab.com/gnutls/cligen/-/merge_requests/8#note_3247380332

Looks good, thanks!

From gnutls-devel at lists.gnutls.org Tue Apr 14 02:25:58 2026
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Tue, 14 Apr 2026 00:25:58 +0000
Subject: [gnutls-devel] cligen | pacify -Wzero-as-null-pointer-constant (!8)

Merge request !8 was approved by Daiki Ueno

Merge request URL: https://gitlab.com/gnutls/cligen/-/merge_requests/8
Project:Branches: asosedkin/cligen:Wzero-as-null-pointer-constant to gnutls/cligen:main
Author: Alexander Sosedkin
Assignees:
Reviewers:
From gnutls-devel at lists.gnutls.org Tue Apr 14 02:26:08 2026
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Tue, 14 Apr 2026 00:26:08 +0000
Subject: [gnutls-devel] cligen | pacify -Wzero-as-null-pointer-constant (!8)

Merge request !8 was merged

Merge request URL: https://gitlab.com/gnutls/cligen/-/merge_requests/8
Project:Branches: asosedkin/cligen:Wzero-as-null-pointer-constant to gnutls/cligen:main
Author: Alexander Sosedkin

From gnutls-devel at lists.gnutls.org Tue Apr 14 02:52:44 2026
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Tue, 14 Apr 2026 00:52:44 +0000
Subject: [gnutls-devel] GnuTLS | Fixed some compilation warnings (!2090)

Daiki Ueno commented: https://gitlab.com/gnutls/gnutls/-/merge_requests/2090#note_3247404439

Thanks! You might want to update the `cligen` git submodule to pull in https://gitlab.com/gnutls/cligen/-/merge_requests/8, which should fix the issues in the generated code in `src/`.
Unsubscribe from this thread: https://gitlab.com/-/sent_notifications/4-bn59pz08pkfnri6n2ehfjf6ta-a84t7/unsubscribe | Manage all notifications: https://gitlab.com/-/profile/notifications | Help: https://gitlab.com/help -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Apr 14 08:25:41 2026 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 14 Apr 2026 06:25:41 +0000 Subject: [gnutls-devel] GnuTLS | tests: fix unset $SEED (!2089) In-Reply-To: References: Message-ID: Merge request https://gitlab.com/gnutls/gnutls/-/merge_requests/2089 was reviewed by Daiki Ueno -- Daiki Ueno started a new discussion on tests/cert-tests/provable-privkey-dsa2048.sh: https://gitlab.com/gnutls/gnutls/-/merge_requests/2089#note_3247851094 > fi > > +if test "${FIPS140}" = 1; then I suspect we don't need to use a different seed depending on "FIPS140" value, given this test doesn't use any fixture. Maybe you could embed either value to the --generate-privkey command line, as in provable-privkey-rsa2048.sh? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/2089 You're receiving this email because of your account on gitlab.com. Unsubscribe from this thread: https://gitlab.com/-/sent_notifications/4-1yomc3roznjjjj5c4tlzwxzub-a84t7/unsubscribe | Manage all notifications: https://gitlab.com/-/profile/notifications | Help: https://gitlab.com/help -------------- next part -------------- An HTML attachment was scrubbed... 
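Review bot: the `+if test "${FIPS140}" = 1; then` branch makes the seed depend on the FIPS mode of the build, but nothing visible in this test consumes a FIPS-specific fixture, so two seeds only mean two code paths that can drift apart; a single seed embedded directly in the `--generate-privkey` invocation, as provable-privkey-rsa2048.sh already does, keeps the test deterministic in both modes. If the branch is kept anyway, make sure the `else` arm also assigns `SEED`, since the merge request exists to fix the variable being unset.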
From gnutls-devel at lists.gnutls.org Tue Apr 14 08:25:40 2026
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Tue, 14 Apr 2026 06:25:40 +0000
Subject: [gnutls-devel] GnuTLS | tests: fix unset $SEED (!2089)

Daiki Ueno commented: https://gitlab.com/gnutls/gnutls/-/merge_requests/2089#note_3247851168

Thank you for catching this! This would work, but I'd suggest using the same seed for both FIPS and non-FIPS cases.

From gnutls-devel at lists.gnutls.org Tue Apr 14 08:49:10 2026
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Tue, 14 Apr 2026 06:49:10 +0000
Subject: [gnutls-devel] GnuTLS | NEWS: add entries for 3.8.13 [ci skip] (!2091)

Daiki Ueno created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/2091

Project:Branches: dueno/gnutls:wip/dueno/news-3.8.13 to gnutls/gnutls:master
Author: Daiki Ueno

* NEWS: add entries for 3.8.13 [ci skip]

## Checklist

* [x] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [ ] Code modified for feature
* [ ] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)

## Reviewer's checklist:

* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code
From gnutls-devel at lists.gnutls.org Tue Apr 14 09:10:05 2026
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Tue, 14 Apr 2026 07:10:05 +0000
Subject: [gnutls-devel] GnuTLS | NEWS: add entries for 3.8.13 [ci skip] (!2091)

Alexander Sosedkin was added as a reviewer.

Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/2091

From gnutls-devel at lists.gnutls.org Wed Apr 15 08:21:35 2026
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Wed, 15 Apr 2026 06:21:35 +0000
Subject: [gnutls-devel] GnuTLS | Fixed some compilation warnings (!2090)

Merge request !2090 was merged

Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/2090
Project:Branches: d-Dudas/gnutls:dev/ddudas/debug/compilation-warnings to gnutls/gnutls:master
Author: David Dudas

From gnutls-devel at lists.gnutls.org Wed Apr 15 08:21:16 2026
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Wed, 15 Apr 2026 06:21:16 +0000
Subject: [gnutls-devel] GnuTLS | Fixed some compilation warnings (!2090)

Merge request !2090 was approved by Daiki Ueno

Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/2090
Project:Branches: d-Dudas/gnutls:dev/ddudas/debug/compilation-warnings to gnutls/gnutls:master
Author: David Dudas
Assignees:
Reviewers:

From gnutls-devel at lists.gnutls.org Wed Apr 15 11:30:33 2026
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Wed, 15 Apr 2026 09:30:33 +0000
Subject: [gnutls-devel] GnuTLS | x509/name_constraints: minor fixes after !2083 (!2092)

Daiki Ueno created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/2092

Project:Branches: dueno/gnutls:wip/dueno/nc-tree-followup to gnutls/gnutls:master
Author: Daiki Ueno

* x509/name_constraints: use stdbool more

* x509/name_constraints: remove unnecessary manual cleanup

  There was duplicate cleanup logic at the exit from name_constraints_init: one done manually and the other with name_constraints_deinit. Remove the former as it's redundant.

## Checklist

* [x] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [ ] Code modified for feature
* [ ] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)

## Reviewer's checklist:

* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

From gnutls-devel at lists.gnutls.org Wed Apr 15 11:39:10 2026
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Wed, 15 Apr 2026 09:39:10 +0000
Subject: [gnutls-devel] GnuTLS | nettle: sanity check ML-DSA private key in pk_fixup (!2093)

Daiki Ueno created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/2093

Project:Branches: dueno/gnutls:wip/dueno/mldsa-pk-from-sk-followup to gnutls/gnutls:master
Author: Daiki Ueno

* nettle: sanity check ML-DSA private key in pk_fixup

  The caller should set raw_priv properly before calling pk_fixup. Add a sanity check following the EdDSA case.

## Checklist

* [x] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [ ] Code modified for feature
* [ ] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)

## Reviewer's checklist:

* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

From gnutls-devel at lists.gnutls.org Wed Apr 15 11:58:27 2026
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Wed, 15 Apr 2026 09:58:27 +0000
Subject: [gnutls-devel] GnuTLS | x509/name_constraints: minor fixes after !2083 (!2092)

Merge request !2092 was approved by Alexander Sosedkin

Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/2092
Project:Branches: dueno/gnutls:wip/dueno/nc-tree-followup to gnutls/gnutls:master
Author: Daiki Ueno
Assignees:
Reviewers:

From gnutls-devel at lists.gnutls.org Wed Apr 15 12:57:27 2026
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Wed, 15 Apr 2026 10:57:27 +0000
Subject: [gnutls-devel] GnuTLS | x509/name_constraints: minor fixes after !2083 (!2092)

Merge request !2092 was merged

Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/2092
Project:Branches: dueno/gnutls:wip/dueno/nc-tree-followup to gnutls/gnutls:master
Author: Daiki Ueno

From gnutls-devel at lists.gnutls.org Thu Apr 16 11:31:55 2026
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Thu, 16 Apr 2026 09:31:55 +0000
Subject: [gnutls-devel] GnuTLS | nettle: sanity check ML-DSA private key in pk_fixup (!2093)

Zoltán Fridrich was added as a reviewer.

Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/2093

From gnutls-devel at lists.gnutls.org Thu Apr 16 13:01:39 2026
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Thu, 16 Apr 2026 11:01:39 +0000
Subject: [gnutls-devel] GnuTLS | tests/pkcs11-provider/pkcs11-provider-hmac: uncomment SHA-3 tests (!2094)

Alexander Sosedkin created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/2094

Project:Branches: asosedkin/gnutls:tests-kryoptic-sha3 to gnutls/gnutls:master
Author: Alexander Sosedkin

kryoptic supports SHA-3 now, uncommenting the tests in hopes that they'll just work.

## Checklist

* [x] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [ ] Code modified for feature
* [ ] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)

## Reviewer's checklist:

* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code
From gnutls-devel at lists.gnutls.org Thu Apr 16 13:47:58 2026
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Thu, 16 Apr 2026 11:47:58 +0000
Subject: [gnutls-devel] GnuTLS | tests/pkcs11-provider/pkcs11-provider-hmac: uncomment SHA-3 tests (!2094)

Merge request !2094 was approved by Daiki Ueno

Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/2094
Project:Branches: asosedkin/gnutls:tests-kryoptic-sha3 to gnutls/gnutls:master
Author: Alexander Sosedkin
Assignees:
Reviewers:

From gnutls-devel at lists.gnutls.org Fri Apr 17 00:24:14 2026
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Thu, 16 Apr 2026 22:24:14 +0000
Subject: [gnutls-devel] GnuTLS | Client Authentication broken with Java 17.0.17+ (and recent versions of Java) (#1842)

Romain Tartière created an issue: https://gitlab.com/gnutls/gnutls/-/work_items/1842

## Description of problem:

A few months ago, after a regular package update on our Debian systems from openjdk-17 (17.0.16+8-1 -> 17.0.17~5ea-1), our monitoring system stopped receiving logs from all our log clients (logs sent by a C program) but kept receiving metrics (from the same node) sent by our metric clients (metrics sent by a ruby program). Both systems are using the same mTLS certificates to authenticate clients against the server. The ruby clients were fine, but the C client could not establish a TLS connection because the handshake systematically failed.

After reverting the java package to the previous version (17.0.17~5ea-1 -> 17.0.16+8-1), everything was working again as expected.

## More context

Thanks to some git-bisect, the commit in openjdk that breaks authentication has been identified and is: https://github.com/openjdk/jdk17u/commit/fe850da38a3fc0c9ce6cf9348efca3c846e97143

It relates to this issue: https://bugs.openjdk.org/browse/JDK-8349583

Other versions of openjdk which include this change also trigger the issue with GnuTLS (tested with openjdk 21 and a few other versions).

## Version of gnutls used:

Our production systems use the version of GnuTLS packaged in Debian (libgnutls30:amd64 3.7.9-2+deb12u6). The issue has also been reproduced on FreeBSD with the latest version of GnuTLS.

## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)

System packages from Debian and FreeBSD.

## How reproducible:

Steps to Reproduce:

* Set up a java service that offers mTLS authentication;
* Use a GnuTLS client that relies on `gnutls_certificate_set_x509_key_file()` to set up the client-side TLS key and certificate;
* Attempt to connect with different versions of Java.

## Actual results:

Handshake fails when using a version of Java that includes the above code (newer versions of Java) but succeeds with older versions of Java.

## Expected results:

Handshake should succeed regardless of the version of Java used.

From gnutls-devel at lists.gnutls.org Fri Apr 17 00:31:04 2026
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Thu, 16 Apr 2026 22:31:04 +0000
Subject: [gnutls-devel] GnuTLS | Client Authentication broken with Java 17.0.17+ (and recent versions of Java) (#1842)

Romain Tartière commented: https://gitlab.com/gnutls/gnutls/-/work_items/1842#note_3259201612

> Use a GnuTLS client that relies on `gnutls_certificate_set_x509_key_file()` to set up the client-side TLS key and certificate;

This seems important, as I could work around the issue in the library that uses GnuTLS by replacing the call to this function with the corresponding code used by `gnutls-cli(1)` (dozens of lines): https://git.madhouse-project.org/algernon/riemann-c-client/pulls/20/files (link to this workaround patch)

Another workaround consists in passing `GNUTLS_FORCE_CLIENT_CERT` to `gnutls_init(3)`: https://git.madhouse-project.org/algernon/riemann-c-client/pulls/19/files (link to this workaround patch)

But the issue seems to be in GnuTLS itself, as other TLS implementations work the same way with all versions of java (tested with GnuTLS, OpenSSL and WolfSSL).

From gnutls-devel at lists.gnutls.org Fri Apr 17 02:52:41 2026
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Fri, 17 Apr 2026 00:52:41 +0000
Subject: [gnutls-devel] GnuTLS | Fix TLS 1.3 handshake (!2095)

Romain Tartière created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/2095

Project:Branches: smortex/gnutls:fix-tls-1.3-handshake to gnutls/gnutls:master
Author: Romain Tartière

Add the signature_algorithms_cert to the list of allowed algorithms if present, and fall back to the signature_algorithms otherwise. This better fits [RFC8446 section 4.2.3][1]:

> If no "signature_algorithms_cert" extension is present, then the "signature_algorithms" extension also applies to signatures appearing in certificates.

This fixes the TLS 1.3 handshake with Java after [JDK-8349583][2].

Closes: #1842

[1]: https://datatracker.ietf.org/doc/html/rfc8446#section-4.2.3
[2]: https://bugs.openjdk.org/browse/JDK-8349583

## Checklist

* [x] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [x] Code modified for feature
* [ ] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)

## Reviewer's checklist:

* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

From gnutls-devel at lists.gnutls.org Fri Apr 17 03:36:31 2026
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Fri, 17 Apr 2026 01:36:31 +0000
Subject: [gnutls-devel] GnuTLS | Fix TLS 1.3 handshake (!2095)

Merge request https://gitlab.com/gnutls/gnutls/-/merge_requests/2095 was reviewed by Daiki Ueno

--

Daiki Ueno started a new discussion on lib/tls13/certificate_request.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/2095#note_3259476712

> continue;
> 
> + gnutls_pk_algorithm_t algo = se->cert_pk || se->pk;

I don't think this is correct; `algo` always ends up as either `GNUTLS_PK_RSA` (= 1) or `GNUTLS_PK_UNKNOWN` (= 0). See https://www.open-std.org/jtc1/sc22/WG14/www/docs/n1256.pdf#page=101 for the explanation. Something like `se->cert_pk != GNUTLS_PK_UNKNOWN ? se->cert_pk : se->pk` should work.
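Review bot: `se->cert_pk || se->pk` in the added `gnutls_pk_algorithm_t algo = ...` line is a logical OR, which in C evaluates to an `int` of 0 or 1, so `algo` can only ever hold `GNUTLS_PK_UNKNOWN` (0) or `GNUTLS_PK_RSA` (1), never the ECDSA, Ed25519, Ed448 or RSA-PSS values the request may carry; write the fallback as a conditional expression, `se->cert_pk != GNUTLS_PK_UNKNOWN ? se->cert_pk : se->pk`. Since the merge request ships without a test, a client-side test that presents a non-RSA (for example ECDSA) certificate against a CertificateRequest listing only `ecdsa_*` schemes would have caught this, because the logical-OR form silently drops ECDSA from the allowed list while accepting RSA by accident.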
From gnutls-devel at lists.gnutls.org Fri Apr 17 05:43:38 2026
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Fri, 17 Apr 2026 03:43:38 +0000
Subject: [gnutls-devel] GnuTLS | Client Authentication broken with Java 17.0.17+ (and recent versions of Java) (#1842)

Romain Tartière commented: https://gitlab.com/gnutls/gnutls/-/work_items/1842#note_3259697071

Tracing execution, in [parse_cert_extension()](https://gitlab.com/gnutls/gnutls/-/blob/master/lib/tls13/certificate_request.c#L115) the following algorithms are added to `ctx->pk_algos`:

* 4 (`GNUTLS_PK_ECDSA`);
* 7 (`GNUTLS_PK_EDDSA_ED25519`);
* 12 (`GNUTLS_PK_EDDSA_ED448`);
* 6 (`GNUTLS_PK_RSA_PSS`).

Algorithm 1 (`GNUTLS_PK_RSA`, present in `cert_pk`) is not added to this list, which seems to be the root cause of the issue. I opened !2095 to fix it.

From gnutls-devel at lists.gnutls.org Fri Apr 17 05:45:32 2026
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Fri, 17 Apr 2026 03:45:32 +0000
Subject: [gnutls-devel] GnuTLS | tests/pkcs11-provider/pkcs11-provider-hmac: uncomment SHA-3 tests (!2094)

Merge request !2094 was merged

Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/2094
Project:Branches: asosedkin/gnutls:tests-kryoptic-sha3 to gnutls/gnutls:master
Author: Alexander Sosedkin

From gnutls-devel at lists.gnutls.org Fri Apr 17 09:34:23 2026
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Fri, 17 Apr 2026 07:34:23 +0000
Subject: [gnutls-devel] GnuTLS | Fix TLS 1.3 handshake (!2095)

Daiki Ueno commented: https://gitlab.com/gnutls/gnutls/-/merge_requests/2095#note_3260134885

Note that the `signature_algorithms_cert` extension is not widely used; none of OpenSSL, NSS, and GnuTLS handles the extension (OpenSSL does send it, but doesn't recognize it).

In the [parse_cert_extension](https://gitlab.com/gnutls/gnutls/-/blob/master/lib/tls13/certificate_request.c#L115) function you mentioned in #1842, the values come from the `signature_algorithms` extension (not the `signature_algorithms_cert` extension) attached to the Certificate Request message, meaning that the server requests a cert signed with an algorithm listed in the extension, while the client has only an RSA-signed certificate.

According to your comment on #1842, the server wants either ecdsa_*, ed25519, ed448, or rsa_pss*. If the server is indicating rsa_pss_rsae_* (not rsa_pss_pss_*), the client should be able to present the (non-restricted) RSA certificates. Could you check that, maybe using wireshark (see https://wiki.wireshark.org/TLS)?

From gnutls-devel at lists.gnutls.org Fri Apr 17 20:57:24 2026
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Fri, 17 Apr 2026 18:57:24 +0000
Subject: [gnutls-devel] GnuTLS | Fix TLS 1.3 handshake (!2095)

All discussions on merge request !2095 were resolved by Romain Tartière

https://gitlab.com/gnutls/gnutls/-/merge_requests/2095

From gnutls-devel at lists.gnutls.org Fri Apr 17 20:57:20 2026
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Fri, 17 Apr 2026 18:57:20 +0000
Subject: [gnutls-devel] GnuTLS | Fix TLS 1.3 handshake (!2095)

Romain Tartière commented on a discussion on lib/tls13/certificate_request.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/2095#note_3262591755

> if (se == NULL)
> continue;
> 
> + gnutls_pk_algorithm_t algo = se->cert_pk || se->pk;

Wow! Happy incident `GNUTLS_PK_RSA` is 1 :rofl:. Fixed, thanks!

From gnutls-devel at lists.gnutls.org Fri Apr 17 21:53:52 2026
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Fri, 17 Apr 2026 19:53:52 +0000
Subject: [gnutls-devel] GnuTLS | Fix TLS 1.3 handshake (!2095)

Romain Tartière commented: https://gitlab.com/gnutls/gnutls/-/merge_requests/2095#note_3262702957

> Note that the `signature_algorithms_cert` extension is not widely used; none of OpenSSL, NSS, and GnuTLS handles the extension (OpenSSL does send it, but doesn't recognize it).

Ah? That is the kind of basic thing I am not aware of; I may have followed tracks that don't make sense during my investigation, and I also feel like I am mixing up a lot of stuff, so all this is quite tough for me :sweat:

> According to your comment on #1842, the server wants either `ecdsa_*`, `ed25519`, `ed448`, or `rsa_pss*`. If the server is indicating `rsa_pss_rsae_*` (not `rsa_pss_pss_*`), the client should be able to present the (non-restricted) RSA certificates. Could you check that, maybe using wireshark (see https://wiki.wireshark.org/TLS)?

If I am looking at the right thing, I see both:

![screenshot-2026-04-17T09_51_02-1000](/uploads/824ea6345116cc9a975a7eacdc522578/screenshot-2026-04-17T09_51_02-1000.png){width=607 height=600}

In order to make it easier for anybody to test, I set up a public-facing riemann server that can be used against the client to reproduce the issue. [Also, all certificates are available here](https://agrajag.blogreen.org/~romain/riemann) in case there is an issue with them.

If it can help, this should put you on track:

```
git clone https://git.madhouse-project.org/algernon/riemann-c-client/
cd riemann-c-client
autoreconf -is
mkdir build
cd build
../configure
make
curl https://agrajag.blogreen.org/~romain/riemann/ca.crt > /tmp/ca.crt
curl https://agrajag.blogreen.org/~romain/riemann/gnutls-client.crt > /tmp/gnutls-client.crt
curl https://agrajag.blogreen.org/~romain/riemann/gnutls-client.key > /tmp/gnutls-client.key
./src/riemann-client send -D hello --tls -o cafile=/tmp/ca.crt -o certfile=/tmp/gnutls-client.crt -o keyfile=/tmp/gnutls-client.key agrajag.blogreen.org 5555
```

No output and an exit code of 0 means it is fine. Otherwise, you will probably have a return code of 1 and a message "Error when asking for a message receipt: Protocol error".
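The thread above turns on two points: the RFC 8446 section 4.2.3 fallback that !2095 implements (signature_algorithms_cert if present, otherwise signature_algorithms governs certificates too), and the `se->cert_pk || se->pk` expression flagged in review, which also explains the #1842 observation that only `pk` values 4, 7, 12 and 6 reached `ctx->pk_algos` while `cert_pk` RSA (1) did not. The following is an added example, not GnuTLS code: the `sign_entry` struct, the scheme table with its `cert_pk` assignments (an rsa_pss_rsae_* scheme admitting an rsaEncryption certificate, as Daiki Ueno's comment describes), the constructed CertificateRequest and the three `pick_*` selection rules are all assumptions modelled on the thread. The enum values mirror the numbers quoted in #1842; the real `gnutls_pk_algorithm_t`, `se->pk` and `se->cert_pk` fields are not used.

```c
/* Added example (not GnuTLS code): RFC 8446 4.2.3 fallback plus the
 * `||` pitfall from the !2095 review. Everything below is an assumption
 * modelled on the thread, not GnuTLS's internal tables. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Numeric values as quoted in #1842; a local enum, not gnutls_pk_algorithm_t. */
enum pk_algorithm {
    PK_UNKNOWN = 0, PK_RSA = 1, PK_ECDSA = 4, PK_RSA_PSS = 6,
    PK_EDDSA_ED25519 = 7, PK_EDDSA_ED448 = 12
};

/* Hypothetical signature-scheme entry: `pk` signs, `cert_pk` is the key
 * type the certificate must carry when it differs (PK_UNKNOWN = same as pk). */
struct sign_entry {
    unsigned short code;            /* TLS SignatureScheme code point */
    const char *name;
    enum pk_algorithm pk;
    enum pk_algorithm cert_pk;
};

static const struct sign_entry sign_table[] = {
    { 0x0403, "ecdsa_secp256r1_sha256", PK_ECDSA, PK_UNKNOWN },
    { 0x0804, "rsa_pss_rsae_sha256", PK_RSA_PSS, PK_RSA },      /* rsaEncryption cert */
    { 0x0809, "rsa_pss_pss_sha256", PK_RSA_PSS, PK_UNKNOWN },   /* RSASSA-PSS cert only */
    { 0x0807, "ed25519", PK_EDDSA_ED25519, PK_UNKNOWN },
    { 0x0808, "ed448", PK_EDDSA_ED448, PK_UNKNOWN },
};

const struct sign_entry *lookup_scheme(unsigned short code)
{
    for (size_t i = 0; i < sizeof sign_table / sizeof sign_table[0]; i++)
        if (sign_table[i].code == code)
            return &sign_table[i];
    return NULL;
}

/* Pre-fix behaviour as described in #1842: only `pk` is collected, so an
 * rsa_pss_rsae_* entry never admits a plain RSA certificate. */
enum pk_algorithm pick_pk_only(const struct sign_entry *se) { return se->pk; }

/* The reviewed expression: `||` is logical, so the result is 0 or 1,
 * i.e. PK_UNKNOWN or PK_RSA, whatever the operands hold. */
enum pk_algorithm pick_logical_or(const struct sign_entry *se)
{
    return (enum pk_algorithm)(se->cert_pk || se->pk);
}

/* The suggested form: prefer cert_pk, fall back to pk. */
enum pk_algorithm pick_conditional(const struct sign_entry *se)
{
    return se->cert_pk != PK_UNKNOWN ? se->cert_pk : se->pk;
}

/* RFC 8446 4.2.3: signature_algorithms_cert governs certificates when
 * present; otherwise signature_algorithms applies to them as well. */
const unsigned short *select_cert_schemes(const unsigned short *sig_algs, size_t n_sig,
                                          const unsigned short *sig_algs_cert, size_t n_cert,
                                          size_t *n_out)
{
    if (sig_algs_cert != NULL && n_cert > 0) { *n_out = n_cert; return sig_algs_cert; }
    *n_out = n_sig;
    return sig_algs;
}

/* Collect the distinct certificate key types a scheme list admits. */
size_t allowed_cert_pks(const unsigned short *schemes, size_t n,
                        enum pk_algorithm *out, size_t cap,
                        enum pk_algorithm (*pick)(const struct sign_entry *))
{
    size_t count = 0;
    for (size_t i = 0; i < n; i++) {
        const struct sign_entry *se = lookup_scheme(schemes[i]);
        if (se == NULL)
            continue;               /* unknown scheme: skip, as the quoted loop does */
        enum pk_algorithm algo = pick(se);
        bool seen = false;
        for (size_t j = 0; j < count; j++)
            if (out[j] == algo) seen = true;
        if (!seen && count < cap)
            out[count++] = algo;
    }
    return count;
}

/* Constructed CertificateRequest matching #1842: ecdsa, ed25519, ed448 and
 * rsa_pss_rsae_sha256 in signature_algorithms, no signature_algorithms_cert. */
static const unsigned short request_sig_algs[] = { 0x0403, 0x0807, 0x0808, 0x0804 };

/* May a client holding a certificate with key type `have` present it? */
bool cert_accepted(enum pk_algorithm have, enum pk_algorithm (*pick)(const struct sign_entry *))
{
    size_t n;
    const unsigned short *schemes = select_cert_schemes(request_sig_algs, 4, NULL, 0, &n);
    enum pk_algorithm allowed[8];
    size_t count = allowed_cert_pks(schemes, n, allowed, 8, pick);
    for (size_t i = 0; i < count; i++)
        if (allowed[i] == have) return true;
    return false;
}

int main(void)
{
    printf("RSA cert, pk only:       %s\n", cert_accepted(PK_RSA, pick_pk_only) ? "accepted" : "rejected");
    printf("RSA cert, ||:            %s\n", cert_accepted(PK_RSA, pick_logical_or) ? "accepted" : "rejected");
    printf("ECDSA cert, ||:          %s\n", cert_accepted(PK_ECDSA, pick_logical_or) ? "accepted" : "rejected");
    printf("ECDSA cert, conditional: %s\n", cert_accepted(PK_ECDSA, pick_conditional) ? "accepted" : "rejected");
    return 0;
}
```

Run stand-alone, the program shows the three behaviours the thread discusses: with `pick_pk_only` the RSA certificate is rejected (the original bug), with `pick_logical_or` it is accepted only because `GNUTLS_PK_RSA` happens to be 1 while an ECDSA certificate is now rejected, and with `pick_conditional` both are accepted, matching Daiki Ueno's point that an rsa_pss_rsae_* request admits an unrestricted RSA certificate.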