From gnutls-devel at lists.gnutls.org Thu Aug 1 05:35:31 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 01 Aug 2019 03:35:31 +0000
Subject: [gnutls-devel] GnuTLS | pkcs11_privkey.c:335:32: error: storage size of 'rsa_pss_params' isn't known (#812)

Will Tan created an issue:

ENV,
- CentOS Linux release 7.6.1810 (Core)
- gnutls-3.6.9.tar.xz

Error message,
```
  CC       pkcs11_privkey.lo
pkcs11_privkey.c: In function '_gnutls_pkcs11_privkey_sign':
pkcs11_privkey.c:335:32: error: storage size of 'rsa_pss_params' isn't known
  struct ck_rsa_pkcs_pss_params rsa_pss_params;
                                ^
pkcs11_privkey.c:335:32: warning: unused variable 'rsa_pss_params' [-Wunused-variable]
make[4]: *** [pkcs11_privkey.lo] Error 1
make[4]: Leaving directory `/root/gnutls-3.6.9/lib'
make[3]: *** [all-recursive] Error 1
make[3]: Leaving directory `/root/gnutls-3.6.9/lib'
make[2]: *** [all] Error 2
make[2]: Leaving directory `/root/gnutls-3.6.9/lib'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/root/gnutls-3.6.9'
make: *** [all] Error 2
```

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/812
You're receiving this email because of your account on gitlab.com.

From gnutls-devel at lists.gnutls.org Thu Aug 1 06:31:18 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 01 Aug 2019 04:31:18 +0000
Subject: [gnutls-devel] GnuTLS | Deadlock in _gnutls_epoch_get on mutex epoch_lock with msmtp and gnutls 3.6.7 (#758)

Issue was closed by GnuTLS bot

Issue #758: https://gitlab.com/gnutls/gnutls/issues/758

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/758

From gnutls-devel at lists.gnutls.org Thu Aug 1 06:31:18 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 01 Aug 2019 04:31:18 +0000
Subject: [gnutls-devel] GnuTLS | Deadlock in _gnutls_epoch_get on mutex epoch_lock with msmtp and gnutls 3.6.7 (#758)

GnuTLS bot commented:

@YmrDtnJu This issue was marked as needinfo with no update for a long time. We are now closing it, but please re-open if it is still relevant.

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/758#note_198519811

From gnutls-devel at lists.gnutls.org Thu Aug 1 07:01:02 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 01 Aug 2019 05:01:02 +0000
Subject: [gnutls-devel] GnuTLS | WIP: nettle: use deterministic ECDSA/DSA for provable signing (!1051)

Daiki Ueno commented:

After pondering a bit, I realized that this would be better implemented solely in gnutls, because the only thing we rely on nettle for is to extract the curve parameter q, which is a constant but only available in a private struct in nettle. Marking as WIP.

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1051#note_198524471

From gnutls-devel at lists.gnutls.org Thu Aug 1 08:22:20 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 01 Aug 2019 06:22:20 +0000
Subject: [gnutls-devel] GnuTLS | Connection problems with older servers (record packet with invalid length was received) (#811)

Nikos Mavrogiannopoulos commented:

Thank you for reporting this, it is very interesting. If you have the setup still available, could you repeat the test with `-d 6`? Does this exist in the latest version, 3.6.9?

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/811#note_198538781

From gnutls-devel at lists.gnutls.org Thu Aug 1 08:26:39 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 01 Aug 2019 06:26:39 +0000
Subject: [gnutls-devel] libtasn1 | Add initial fuzzing implementation (!38)

Nikos Mavrogiannopoulos commented on a discussion on fuzz/libtasn1_parser2tree_fuzzer.c: https://gitlab.com/gnutls/libtasn1/merge_requests/38#note_198539930

> +#include
> +
> +#include // malloc, free
> +#include // strcmp, memcpy
> +
> +#include "libtasn1.h"
> +#include "fuzzer.h"
> +
> +static const uint8_t *g_data;
> +static size_t g_size;
> +
> +//#if defined HAVE_DLFCN_H && defined HAVE_FMEMOPEN
> +#include
> +#ifdef RTLD_NEXT /* Not defined e.g. on CygWin */
> +
> +FILE *fopen(const char *pathname, const char *mode) {

A better fix makes sense to me. Yes, let's open a bug.

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/merge_requests/38#note_198539930

From gnutls-devel at lists.gnutls.org Thu Aug 1 08:27:32 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 01 Aug 2019 06:27:32 +0000
Subject: [gnutls-devel] libtasn1 | Add initial fuzzing implementation (!38)

Merge Request !38 was approved by Nikos Mavrogiannopoulos

Merge Request url: https://gitlab.com/gnutls/libtasn1/merge_requests/38
Branches: tmp-fuzzing to master
Author: Tim Rühsen
Assignees:

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/merge_requests/38

From gnutls-devel at lists.gnutls.org Thu Aug 1 10:49:59 2019
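Review bot: the `fopen()` interposer that the hunk in fuzz/libtasn1_parser2tree_fuzzer.c opens with `FILE *fopen(const char *pathname, const char *mode) {` is only compiled inside `#ifdef RTLD_NEXT`, so on a platform without it (the comment names CygWin) the fuzzer silently loses its in-memory input and `asn1_parser2tree()` goes to the real filesystem; the commented-out `//#if defined HAVE_DLFCN_H && defined HAVE_FMEMOPEN` guard should be restored or the fallback made explicit, and a parser entry point that takes a memory buffer, as agreed in this discussion, removes the need for the interposer altogether.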
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 01 Aug 2019 08:49:59 +0000
Subject: [gnutls-devel] GnuTLS | lib/nettle: fix carry flag in Streebog code (c1441665)

Gisle Vanem commented:

@lumag Sorry, I'm a noob when it comes to Git and merge requests.

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/commit/c1441665abe761536b3ed67d36b12f2198be6b12#note_198621414

From gnutls-devel at lists.gnutls.org Thu Aug 1 11:36:49 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 01 Aug 2019 09:36:49 +0000
Subject: [gnutls-devel] libtasn1 | Add initial fuzzing implementation (!38)

Tim Rühsen commented on a discussion on lib/structure.c: https://gitlab.com/gnutls/libtasn1/merge_requests/38#note_198643372

> **/
> int
> asn1_delete_structure2 (asn1_node * structure, unsigned int flags)
> +{
> + return _asn1_delete_structure (NULL, structure, flags);
> +}
> +
> +int
> +_asn1_delete_structure (list_type *e_list, asn1_node * structure, unsigned int flags)

What I find most confusing is that 1 and l are looking the same in many fonts (e.g. in my console). We can't change the naming of exposed symbols, but maybe the naming of internal symbols - e.g. leading underscore in file scope is also against C99 standards. I suggest you open an issue with an exact list/description of what and how to change. But that is pretty low priority, IMO.

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/merge_requests/38#note_198643372

From gnutls-devel at lists.gnutls.org Thu Aug 1 11:41:35 2019
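Review bot: in the lib/structure.c hunk, `_asn1_delete_structure()` gains an `e_list` parameter that the public wrapper `asn1_delete_structure2()` passes as `NULL`, but nothing in the hunk documents that `NULL` is accepted or what the list is used for; add a comment on the new function stating the `NULL` case, and note that as an external, underscore-prefixed file-scope identifier it sits in the name space C99 reserves for the implementation, which is the point raised in this discussion.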
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 01 Aug 2019 09:41:35 +0000
Subject: [gnutls-devel] GnuTLS | WIP: nettle: use deterministic ECDSA/DSA for provable signing (!1051)

Daiki Ueno pushed new commits to merge request !1051
https://gitlab.com/gnutls/gnutls/merge_requests/1051

* 5ec4c710 - nettle: add functions for deterministic ECDSA/DSA
* 04a77b58 - privkey_sign_raw_data: remove unnecessary local variable
* b81900d3 - pk: implement deterministic ECDSA/DSA

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1051

From gnutls-devel at lists.gnutls.org Thu Aug 1 11:45:26 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 01 Aug 2019 09:45:26 +0000
Subject: [gnutls-devel] GnuTLS | pk: implement deterministic ECDSA/DSA for provable signing (!1051)

Daiki Ueno pushed new commits to merge request !1051
https://gitlab.com/gnutls/gnutls/merge_requests/1051

* 2239d12c - pk: implement deterministic ECDSA/DSA

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1051

From gnutls-devel at lists.gnutls.org Thu Aug 1 11:45:38 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 01 Aug 2019 09:45:38 +0000
Subject: [gnutls-devel] GnuTLS | Connection problems with older servers (record packet with invalid length was received) (#811)

Hanno Stock commented on a discussion: https://gitlab.com/gnutls/gnutls/issues/811#note_198647470

Hi, yes - I also tested with 3.6.9-1 from Debian. Will do the `-d 6` test ASAP.

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/811#note_198647470

From gnutls-devel at lists.gnutls.org Thu Aug 1 11:48:44 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 01 Aug 2019 09:48:44 +0000
Subject: [gnutls-devel] libtasn1 | Add initial fuzzing implementation (!38)

Tim Rühsen commented on a discussion on fuzz/libtasn1_encoding_fuzzer.c: https://gitlab.com/gnutls/libtasn1/merge_requests/38#note_198648862

> + if (size > 2048) // same as max_len = 1000 in .options file
> + return 0;
> +
> + g_data = data;
> + g_size = size;
> +
> + int rc = asn1_parser2tree("pkix.asn", &definitions, errorDescription);
> + if (rc != ASN1_SUCCESS)
> + return 0;
> +
> + rc = asn1_create_element(definitions, "TEST_TREE.Koko", &asn1_element);
> + if (rc != ASN1_SUCCESS)
> + goto out;
> +
> + size_t vlen = size <= 32 ? size : 32;
> + value = malloc(vlen);

OK, I add an assert. Though for libFuzzer, malloc checking isn't relevant. The fuzzer will stop with an OOM, giving traceback and `oom-...` corpus. So the assert is never executed.

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/merge_requests/38#note_198648862

From gnutls-devel at lists.gnutls.org Thu Aug 1 11:49:14 2019
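Review bot: in the fuzz/libtasn1_encoding_fuzzer.c hunk the guard `if (size > 2048)` and its comment `// same as max_len = 1000 in .options file` disagree; make the two values match or reword the comment. `value = malloc(vlen);` is then used without a NULL check: under libFuzzer an allocation failure surfaces as an OOM report before any assert runs, as noted, but the same harness is also run from `make check` for corpus regression, where a plain `if (!value) goto out;` keeps it from dereferencing NULL.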
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 01 Aug 2019 09:49:14 +0000
Subject: [gnutls-devel] libtasn1 | Add initial fuzzing implementation (!38)

Tim Rühsen commented on a discussion on fuzz/libtasn1_encoding_fuzzer.c: https://gitlab.com/gnutls/libtasn1/merge_requests/38#note_198649101

> + * This file is part of libtasn1.
> + *
> + * Libtasn1 is free software: you can redistribute it and/or modify
> + * it under the terms of the GNU Lesser General Public License as published by
> + * the Free Software Foundation, either version 3 of the License, or
> + * (at your option) any later version.
> + *
> + * Libtasn1 is distributed in the hope that it will be useful,
> + * but WITHOUT ANY WARRANTY; without even the implied warranty of
> + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
> + * GNU Lesser General Public License for more details.
> + *
> + * You should have received a copy of the GNU Lesser General Public License
> + * along with libtasn1. If not, see .
> + */
> +

Description added

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/merge_requests/38#note_198649101

From gnutls-devel at lists.gnutls.org Thu Aug 1 11:59:34 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 01 Aug 2019 09:59:34 +0000
Subject: [gnutls-devel] libtasn1 | Add function asn1_parser2tree_mem() (#21)

Tim Rühsen created an issue:

## Description of problem:

Currently we have `asn1_parser2tree()` which takes input from a given filename. This requires `_asn1_yylex()` to do lots of (buffered but slow) I/O. A function that takes a block of memory seems to be more elegant, less code and faster execution.

Also, the current situation forces us to 'overwrite' `fopen()` when fuzzing `asn1_parser2tree()`. That introduces non-portable functions like `dlsym()` and `fmemopen()`. Regression testing the fuzz corpora as we do with `make check` has the same caveats. Thus the tests can't be run on every platform.

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/issues/21

From gnutls-devel at lists.gnutls.org Thu Aug 1 11:59:57 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 01 Aug 2019 09:59:57 +0000
Subject: [gnutls-devel] GnuTLS | Connection problems with older servers (record packet with invalid length was received) (#811)

Hanno Stock commented:

The following is the debug output after installing libgnutls30_3.6.9-1 from experimental.

```
root at groupware-beta:~# pwgen 16383 | gnutls-cli -d 6 --no-ca-verification --port 5556 ldap.indurad.x
|<3>| ASSERT: ../../../lib/x509/common.c[_gnutls_x509_get_raw_field2]:1575
|<3>| ASSERT: ../../../lib/x509/x509.c[gnutls_x509_crt_get_subject_unique_id]:3902
|<3>| ASSERT: ../../../lib/x509/x509.c[gnutls_x509_crt_get_issuer_unique_id]:3952
|<3>| ASSERT: ../../../lib/x509/dn.c[_gnutls_x509_compare_raw_dn]:990
|<3>| ASSERT: ../../../lib/x509/dn.c[_gnutls_x509_compare_raw_dn]:990
|<3>| ASSERT: ../../../lib/x509/dn.c[_gnutls_x509_compare_raw_dn]:990
|<3>| ASSERT: ../../../lib/x509/dn.c[_gnutls_x509_compare_raw_dn]:990
Processed 130 CA certificate(s).
Resolving 'ldap.indurad.x:5556'...
Connecting to '10.144.8.33:5556'...
|<5>| REC[0x55fb29e95ff0]: Allocating epoch #0
|<2>| added 6 protocols, 29 ciphersuites, 18 sig algos and 9 groups into priority list
|<5>| REC[0x55fb29e95ff0]: Allocating epoch #1
|<4>| HSK[0x55fb29e95ff0]: Adv. version: 3.3
|<2>| Keeping ciphersuite 13.02 (GNUTLS_AES_256_GCM_SHA384)
|<2>| Keeping ciphersuite 13.03 (GNUTLS_CHACHA20_POLY1305_SHA256)
|<2>| Keeping ciphersuite 13.01 (GNUTLS_AES_128_GCM_SHA256)
|<2>| Keeping ciphersuite 13.04 (GNUTLS_AES_128_CCM_SHA256)
|<2>| Keeping ciphersuite c0.2c (GNUTLS_ECDHE_ECDSA_AES_256_GCM_SHA384)
|<2>| Keeping ciphersuite cc.a9 (GNUTLS_ECDHE_ECDSA_CHACHA20_POLY1305)
|<2>| Keeping ciphersuite c0.ad (GNUTLS_ECDHE_ECDSA_AES_256_CCM)
|<2>| Keeping ciphersuite c0.0a (GNUTLS_ECDHE_ECDSA_AES_256_CBC_SHA1)
|<2>| Keeping ciphersuite c0.2b (GNUTLS_ECDHE_ECDSA_AES_128_GCM_SHA256)
|<2>| Keeping ciphersuite c0.ac (GNUTLS_ECDHE_ECDSA_AES_128_CCM)
|<2>| Keeping ciphersuite c0.09 (GNUTLS_ECDHE_ECDSA_AES_128_CBC_SHA1)
|<2>| Keeping ciphersuite c0.30 (GNUTLS_ECDHE_RSA_AES_256_GCM_SHA384)
|<2>| Keeping ciphersuite cc.a8 (GNUTLS_ECDHE_RSA_CHACHA20_POLY1305)
|<2>| Keeping ciphersuite c0.14 (GNUTLS_ECDHE_RSA_AES_256_CBC_SHA1)
|<2>| Keeping ciphersuite c0.2f (GNUTLS_ECDHE_RSA_AES_128_GCM_SHA256)
|<2>| Keeping ciphersuite c0.13 (GNUTLS_ECDHE_RSA_AES_128_CBC_SHA1)
|<2>| Keeping ciphersuite 00.9d (GNUTLS_RSA_AES_256_GCM_SHA384)
|<2>| Keeping ciphersuite c0.9d (GNUTLS_RSA_AES_256_CCM)
|<2>| Keeping ciphersuite 00.35 (GNUTLS_RSA_AES_256_CBC_SHA1)
|<2>| Keeping ciphersuite 00.9c (GNUTLS_RSA_AES_128_GCM_SHA256)
|<2>| Keeping ciphersuite c0.9c (GNUTLS_RSA_AES_128_CCM)
|<2>| Keeping ciphersuite 00.2f (GNUTLS_RSA_AES_128_CBC_SHA1)
|<2>| Keeping ciphersuite 00.9f (GNUTLS_DHE_RSA_AES_256_GCM_SHA384)
|<2>| Keeping ciphersuite cc.aa (GNUTLS_DHE_RSA_CHACHA20_POLY1305)
|<2>| Keeping ciphersuite c0.9f (GNUTLS_DHE_RSA_AES_256_CCM)
|<2>| Keeping ciphersuite 00.39 (GNUTLS_DHE_RSA_AES_256_CBC_SHA1)
|<2>| Keeping ciphersuite 00.9e (GNUTLS_DHE_RSA_AES_128_GCM_SHA256)
|<2>| Keeping ciphersuite c0.9e (GNUTLS_DHE_RSA_AES_128_CCM)
|<2>| Keeping ciphersuite 00.33 (GNUTLS_DHE_RSA_AES_128_CBC_SHA1)
|<4>| EXT[0x55fb29e95ff0]: Preparing extension (OCSP Status Request/5) for 'client hello'
|<4>| EXT[0x55fb29e95ff0]: Sending extension OCSP Status Request/5 (5 bytes)
|<4>| EXT[0x55fb29e95ff0]: Preparing extension (Client Certificate Type/19) for 'client hello'
|<4>| EXT[0x55fb29e95ff0]: Preparing extension (Server Certificate Type/20) for 'client hello'
|<4>| EXT[0x55fb29e95ff0]: Preparing extension (Supported Groups/10) for 'client hello'
|<4>| EXT[0x55fb29e95ff0]: Sent group SECP256R1 (0x17)
|<4>| EXT[0x55fb29e95ff0]: Sent group SECP384R1 (0x18)
|<4>| EXT[0x55fb29e95ff0]: Sent group SECP521R1 (0x19)
|<4>| EXT[0x55fb29e95ff0]: Sent group X25519 (0x1d)
|<4>| EXT[0x55fb29e95ff0]: Sent group FFDHE2048 (0x100)
|<4>| EXT[0x55fb29e95ff0]: Sent group FFDHE3072 (0x101)
|<4>| EXT[0x55fb29e95ff0]: Sent group FFDHE4096 (0x102)
|<4>| EXT[0x55fb29e95ff0]: Sent group FFDHE6144 (0x103)
|<4>| EXT[0x55fb29e95ff0]: Sent group FFDHE8192 (0x104)
|<4>| EXT[0x55fb29e95ff0]: Sending extension Supported Groups/10 (20 bytes)
|<4>| EXT[0x55fb29e95ff0]: Preparing extension (Supported EC Point Formats/11) for 'client hello'
|<4>| EXT[0x55fb29e95ff0]: Sending extension Supported EC Point Formats/11 (2 bytes)
|<4>| EXT[0x55fb29e95ff0]: Preparing extension (SRP/12) for 'client hello'
|<4>| EXT[0x55fb29e95ff0]: Preparing extension (Signature Algorithms/13) for 'client hello'
|<4>| EXT[0x55fb29e95ff0]: sent signature algo (4.1) RSA-SHA256
|<4>| EXT[0x55fb29e95ff0]: sent signature algo (8.9) RSA-PSS-SHA256
|<4>| EXT[0x55fb29e95ff0]: sent signature algo (8.4) RSA-PSS-RSAE-SHA256
|<4>| EXT[0x55fb29e95ff0]: sent signature algo (4.3) ECDSA-SHA256
|<4>| EXT[0x55fb29e95ff0]: sent signature algo (8.7) EdDSA-Ed25519
|<4>| EXT[0x55fb29e95ff0]: sent signature algo (5.1) RSA-SHA384
|<4>| EXT[0x55fb29e95ff0]: sent signature algo (8.10) RSA-PSS-SHA384
|<4>| EXT[0x55fb29e95ff0]: sent signature algo (8.5) RSA-PSS-RSAE-SHA384
|<4>| EXT[0x55fb29e95ff0]: sent signature algo (5.3) ECDSA-SHA384
|<4>| EXT[0x55fb29e95ff0]: sent signature algo (6.1) RSA-SHA512
|<4>| EXT[0x55fb29e95ff0]: sent signature algo (8.11) RSA-PSS-SHA512
|<4>| EXT[0x55fb29e95ff0]: sent signature algo (8.6) RSA-PSS-RSAE-SHA512
|<4>| EXT[0x55fb29e95ff0]: sent signature algo (6.3) ECDSA-SHA512
|<4>| EXT[0x55fb29e95ff0]: sent signature algo (2.1) RSA-SHA1
|<4>| EXT[0x55fb29e95ff0]: sent signature algo (2.3) ECDSA-SHA1
|<4>| EXT[0x55fb29e95ff0]: Sending extension Signature Algorithms/13 (32 bytes)
|<4>| EXT[0x55fb29e95ff0]: Preparing extension (SRTP/14) for 'client hello'
|<4>| EXT[0x55fb29e95ff0]: Preparing extension (Heartbeat/15) for 'client hello'
|<4>| EXT[0x55fb29e95ff0]: Preparing extension (ALPN/16) for 'client hello'
|<4>| EXT[0x55fb29e95ff0]: Preparing extension (Encrypt-then-MAC/22) for 'client hello'
|<4>| EXT[0x55fb29e95ff0]: Sending extension Encrypt-then-MAC/22 (0 bytes)
|<4>| EXT[0x55fb29e95ff0]: Preparing extension (Extended Master Secret/23) for 'client hello'
|<4>| EXT[0x55fb29e95ff0]: Sending extension Extended Master Secret/23 (0 bytes)
|<4>| EXT[0x55fb29e95ff0]: Preparing extension (Session Ticket/35) for 'client hello'
|<4>| EXT[0x55fb29e95ff0]: Sending extension Session Ticket/35 (0 bytes)
|<4>| EXT[0x55fb29e95ff0]: Preparing extension (Key Share/51) for 'client hello'
|<4>| EXT[0x55fb29e95ff0]: sending key share for SECP256R1
|<4>| EXT[0x55fb29e95ff0]: sending key share for X25519
|<4>| EXT[0x55fb29e95ff0]: Sending extension Key Share/51 (107 bytes)
|<4>| EXT[0x55fb29e95ff0]: Preparing extension (Supported Versions/43) for 'client hello'
|<2>| Advertizing version 3.4
|<2>| Advertizing version 3.3
|<2>| Advertizing version 3.2
|<2>| Advertizing version 3.1
|<4>| EXT[0x55fb29e95ff0]: Sending extension Supported Versions/43 (9 bytes)
|<4>| EXT[0x55fb29e95ff0]: Preparing extension (Post Handshake Auth/49) for 'client hello'
|<4>| EXT[0x55fb29e95ff0]: Preparing extension (Safe Renegotiation/65281) for 'client hello'
|<4>| EXT[0x55fb29e95ff0]: Sending extension Safe Renegotiation/65281 (1 bytes)
|<4>| EXT[0x55fb29e95ff0]: Preparing extension (Server Name Indication/0) for 'client hello'
|<2>| HSK[0x55fb29e95ff0]: sent server name: 'ldap.indurad.x'
|<4>| EXT[0x55fb29e95ff0]: Sending extension Server Name Indication/0 (19 bytes)
|<4>| EXT[0x55fb29e95ff0]: Preparing extension (Cookie/44) for 'client hello'
|<4>| EXT[0x55fb29e95ff0]: Preparing extension (Early Data/42) for 'client hello'
|<4>| EXT[0x55fb29e95ff0]: Preparing extension (PSK Key Exchange Modes/45) for 'client hello'
|<4>| EXT[0x55fb29e95ff0]: Sending extension PSK Key Exchange Modes/45 (3 bytes)
|<4>| EXT[0x55fb29e95ff0]: Preparing extension (Record Size Limit/28) for 'client hello'
|<4>| EXT[0x55fb29e95ff0]: Sending extension Record Size Limit/28 (2 bytes)
|<4>| EXT[0x55fb29e95ff0]: Preparing extension (Maximum Record Size/1) for 'client hello'
|<4>| EXT[0x55fb29e95ff0]: Preparing extension (ClientHello Padding/21) for 'client hello'
|<4>| EXT[0x55fb29e95ff0]: Preparing extension (Pre Shared Key/41) for 'client hello'
|<4>| HSK[0x55fb29e95ff0]: CLIENT HELLO was queued [355 bytes]
|<5>| REC[0x55fb29e95ff0]: Preparing Packet Handshake(22) with length: 355 and min pad: 0
|<5>| REC[0x55fb29e95ff0]: Sent Packet[1] Handshake(22) in epoch 0 and length: 360
|<3>| ASSERT: ../../lib/buffers.c[get_last_packet]:1171
|<5>| REC[0x55fb29e95ff0]: SSL 3.3 Handshake packet received. Epoch 0, length: 85
|<5>| REC[0x55fb29e95ff0]: Expected Packet Handshake(22)
|<5>| REC[0x55fb29e95ff0]: Received Packet Handshake(22) with length: 85
|<5>| REC[0x55fb29e95ff0]: Decrypted Packet[0] Handshake(22) with length: 85
|<4>| HSK[0x55fb29e95ff0]: SERVER HELLO (2) was received. Length 81[81], frag offset 0, frag length: 81, sequence: 0
|<3>| ASSERT: ../../lib/buffers.c[get_last_packet]:1162
|<3>| ASSERT: ../../lib/buffers.c[_gnutls_handshake_io_recv_int]:1413
|<4>| HSK[0x55fb29e95ff0]: Server's version: 3.3
|<4>| HSK[0x55fb29e95ff0]: SessionID length: 32
|<4>| HSK[0x55fb29e95ff0]: SessionID: 98ee8cc8645ce0d3098030df1413871b0d5674ec4038e9a78880fb595c8f6d0a
|<4>| HSK[0x55fb29e95ff0]: Selected cipher suite: GNUTLS_RSA_AES_256_CBC_SHA1
|<4>| EXT[0x55fb29e95ff0]: Parsing extension 'Safe Renegotiation/65281' (1 bytes)
|<4>| EXT[0x55fb29e95ff0]: Parsing extension 'Session Ticket/35' (0 bytes)
|<4>| HSK[0x55fb29e95ff0]: Safe renegotiation succeeded
|<3>| ASSERT: ../../lib/buffers.c[get_last_packet]:1171
|<5>| REC[0x55fb29e95ff0]: SSL 3.3 Handshake packet received. Epoch 0, length: 714
|<5>| REC[0x55fb29e95ff0]: Expected Packet Handshake(22)
|<5>| REC[0x55fb29e95ff0]: Received Packet Handshake(22) with length: 714
|<5>| REC[0x55fb29e95ff0]: Decrypted Packet[1] Handshake(22) with length: 714
|<4>| HSK[0x55fb29e95ff0]: CERTIFICATE (11) was received. Length 710[710], frag offset 0, frag length: 710, sequence: 0
|<3>| ASSERT: ../../lib/ocsp-api.c[gnutls_ocsp_status_request_get2]:99
- Certificate type: X.509
- Got a certificate list of 1 certificates.
- Certificate[0] info:
|<3>| ASSERT: ../../../lib/nettle/mpi.c[wrap_nettle_mpi_print]:60
|<3>| ASSERT: ../../../lib/nettle/mpi.c[wrap_nettle_mpi_print]:60
|<3>| ASSERT: ../../../lib/nettle/mpi.c[wrap_nettle_mpi_print]:60
|<3>| ASSERT: ../../../lib/nettle/mpi.c[wrap_nettle_mpi_print]:60
|<3>| ASSERT: ../../../lib/nettle/mpi.c[wrap_nettle_mpi_print]:60
|<3>| ASSERT: ../../../lib/nettle/mpi.c[wrap_nettle_mpi_print]:60
|<3>| ASSERT: ../../../lib/nettle/mpi.c[wrap_nettle_mpi_print]:60
|<3>| ASSERT: ../../../lib/nettle/mpi.c[wrap_nettle_mpi_print]:60
 - subject `CN=ldap-master', issuer `CN=ldap-master', serial 0x00e120b43d69e2e4d8, RSA key 2048 bits, signed using RSA-SHA256, activated `2017-07-06 10:03:48 UTC', expires `2027-07-04 10:03:48 UTC', pin-sha256="SxggXxyfEDi9fmVyLwzPN9yE5y69T92aF8CBdGMe9Rc="
	Public Key ID:
		sha1:21c8b2ecfc2b23da00de3371a4aa7bb8b8fc13bc
		sha256:4b18205f1c9f1038bd7e65722f0ccf37dc84e72ebd4fdd9a17c08174631ef517
	Public Key PIN:
		pin-sha256:SxggXxyfEDi9fmVyLwzPN9yE5y69T92aF8CBdGMe9Rc=
|<3>| ASSERT: ../../lib/buffers.c[get_last_packet]:1171
|<5>| REC[0x55fb29e95ff0]: SSL 3.3 Handshake packet received. Epoch 0, length: 19
|<5>| REC[0x55fb29e95ff0]: Expected Packet Handshake(22)
|<5>| REC[0x55fb29e95ff0]: Received Packet Handshake(22) with length: 19
|<5>| REC[0x55fb29e95ff0]: Decrypted Packet[2] Handshake(22) with length: 19
|<4>| HSK[0x55fb29e95ff0]: CERTIFICATE REQUEST (13) was received. Length 15[15], frag offset 0, frag length: 15, sequence: 0
|<4>| EXT[0x55fb29e95ff0]: rcvd signature algo (4.2) (null)
|<4>| EXT[0x55fb29e95ff0]: rcvd signature algo (4.1) RSA-SHA256
|<4>| EXT[0x55fb29e95ff0]: rcvd signature algo (2.1) RSA-SHA1
|<4>| EXT[0x55fb29e95ff0]: rcvd signature algo (2.2) DSA-SHA1
- Successfully sent 0 certificate(s) to server.
|<3>| ASSERT: ../../lib/buffers.c[get_last_packet]:1171
|<5>| REC[0x55fb29e95ff0]: SSL 3.3 Handshake packet received. Epoch 0, length: 4
|<5>| REC[0x55fb29e95ff0]: Expected Packet Handshake(22)
|<5>| REC[0x55fb29e95ff0]: Received Packet Handshake(22) with length: 4
|<5>| REC[0x55fb29e95ff0]: Decrypted Packet[3] Handshake(22) with length: 4
|<4>| HSK[0x55fb29e95ff0]: SERVER HELLO DONE (14) was received. Length 0[0], frag offset 0, frag length: 0, sequence: 0
|<4>| HSK[0x55fb29e95ff0]: CERTIFICATE was queued [7 bytes]
|<3>| ASSERT: ../../../lib/nettle/mpi.c[wrap_nettle_mpi_print]:60
|<4>| HSK[0x55fb29e95ff0]: CLIENT KEY EXCHANGE was queued [262 bytes]
|<4>| REC[0x55fb29e95ff0]: Sent ChangeCipherSpec
|<5>| REC[0x55fb29e95ff0]: Initializing epoch #1
|<5>| REC[0x55fb29e95ff0]: Epoch #1 ready
|<4>| HSK[0x55fb29e95ff0]: Cipher Suite: GNUTLS_RSA_AES_256_CBC_SHA1
|<4>| HSK[0x55fb29e95ff0]: Initializing internal [write] cipher sessions
|<4>| HSK[0x55fb29e95ff0]: recording tls-unique CB (send)
|<4>| HSK[0x55fb29e95ff0]: FINISHED was queued [16 bytes]
|<5>| REC[0x55fb29e95ff0]: Preparing Packet Handshake(22) with length: 7 and min pad: 0
|<5>| REC[0x55fb29e95ff0]: Sent Packet[2] Handshake(22) in epoch 0 and length: 12
|<5>| REC[0x55fb29e95ff0]: Preparing Packet Handshake(22) with length: 262 and min pad: 0
|<5>| REC[0x55fb29e95ff0]: Sent Packet[3] Handshake(22) in epoch 0 and length: 267
|<5>| REC[0x55fb29e95ff0]: Preparing Packet ChangeCipherSpec(20) with length: 1 and min pad: 0
|<5>| REC[0x55fb29e95ff0]: Sent Packet[4] ChangeCipherSpec(20) in epoch 0 and length: 6
|<5>| REC[0x55fb29e95ff0]: Preparing Packet Handshake(22) with length: 16 and min pad: 0
|<5>| REC[0x55fb29e95ff0]: Sent Packet[1] Handshake(22) in epoch 1 and length: 69
|<3>| ASSERT: ../../lib/buffers.c[get_last_packet]:1171
|<5>| REC[0x55fb29e95ff0]: SSL 3.3 Handshake packet received. Epoch 0, length: 444
|<5>| REC[0x55fb29e95ff0]: Expected Packet Handshake(22)
|<5>| REC[0x55fb29e95ff0]: Received Packet Handshake(22) with length: 444
|<5>| REC[0x55fb29e95ff0]: Decrypted Packet[4] Handshake(22) with length: 444
|<4>| HSK[0x55fb29e95ff0]: NEW SESSION TICKET (4) was received. Length 440[440], frag offset 0, frag length: 440, sequence: 0
|<4>| HSK[0x55fb29e95ff0]: received session ticket
|<5>| REC[0x55fb29e95ff0]: SSL 3.3 ChangeCipherSpec packet received. Epoch 0, length: 1
|<5>| REC[0x55fb29e95ff0]: Expected Packet ChangeCipherSpec(20)
|<5>| REC[0x55fb29e95ff0]: Received Packet ChangeCipherSpec(20) with length: 1
|<5>| REC[0x55fb29e95ff0]: Decrypted Packet[5] ChangeCipherSpec(20) with length: 1
|<4>| HSK[0x55fb29e95ff0]: Cipher Suite: GNUTLS_RSA_AES_256_CBC_SHA1
|<3>| ASSERT: ../../lib/buffers.c[get_last_packet]:1171
|<5>| REC[0x55fb29e95ff0]: SSL 3.3 Handshake packet received. Epoch 1, length: 128
|<5>| REC[0x55fb29e95ff0]: Expected Packet Handshake(22)
|<5>| REC[0x55fb29e95ff0]: Received Packet Handshake(22) with length: 128
|<5>| REC[0x55fb29e95ff0]: Decrypted Packet[0] Handshake(22) with length: 16
|<4>| HSK[0x55fb29e95ff0]: FINISHED (20) was received. Length 12[12], frag offset 0, frag length: 12, sequence: 0
|<5>| REC[0x55fb29e95ff0]: Start of epoch cleanup
|<5>| REC[0x55fb29e95ff0]: Epoch #0 freed
|<5>| REC[0x55fb29e95ff0]: End of epoch cleanup
- Description: (TLS1.2)-(RSA)-(AES-256-CBC)-(SHA1)
- Session ID: BA:E6:B8:3D:69:59:FE:0E:75:A0:A3:0E:FC:D8:AD:B7:2C:85:74:7C:DC:85:FC:E1:E2:E4:4C:E6:51:2F:2E:5F
|<3>| ASSERT: ../../../lib/ext/server_name.c[gnutls_server_name_get]:229
|<3>| ASSERT: ../../lib/ocsp-api.c[gnutls_ocsp_status_request_get2]:99
|<3>| ASSERT: ../../lib/ocsp-api.c[gnutls_ocsp_status_request_is_checked]:626
- Options: safe renegotiation,
|<3>| ASSERT: ../../../lib/ext/srtp.c[gnutls_srtp_get_selected_profile]:320
|<3>| ASSERT: ../../../lib/ext/alpn.c[gnutls_alpn_get_selected_protocol]:246
- Handshake was completed
|<3>| ASSERT: ../../lib/ocsp-api.c[gnutls_ocsp_status_request_get2]:99
- Simple Client Mode:
|<5>| REC[0x55fb29e95ff0]: Preparing Packet Application Data(23) with length: 4095 and min pad: 0
|<5>| REC[0x55fb29e95ff0]: Sent Packet[2] Application Data(23) in epoch 1 and length: 4149
|<5>| REC[0x55fb29e95ff0]: Preparing Packet Application Data(23) with length: 4095 and min pad: 0
|<5>| REC[0x55fb29e95ff0]: Sent Packet[3] Application Data(23) in epoch 1 and length: 4149
|<5>| REC[0x55fb29e95ff0]: Preparing Packet Application Data(23) with length: 4095 and min pad: 0
|<5>| REC[0x55fb29e95ff0]: Sent Packet[4] Application Data(23) in epoch 1 and length: 4149
|<5>| REC[0x55fb29e95ff0]: Preparing Packet Application Data(23) with length: 4095 and min pad: 0
|<5>| REC[0x55fb29e95ff0]: Sent Packet[5] Application Data(23) in epoch 1 and length: 4149
|<5>| REC[0x55fb29e95ff0]: Preparing Packet Application Data(23) with length: 4 and min pad: 0
|<5>| REC[0x55fb29e95ff0]: Sent Packet[6] Application Data(23) in epoch 1 and length: 53
|<3>| ASSERT: ../../lib/buffers.c[_gnutls_io_write_flush]:696
|<5>| REC: Sending Alert[1|0] - Close notify
|<5>| REC[0x55fb29e95ff0]: Preparing Packet Alert(21) with length: 2 and min pad: 0
|<5>| REC[0x55fb29e95ff0]: Sent Packet[7] Alert(21) in epoch 1 and length: 53
|<5>| REC[0x55fb29e95ff0]: SSL 3.3 Application Data packet received. Epoch 1, length: 16448
|<1>| Received packet with illegal length: 16448
|<3>| ASSERT: ../../lib/record.c[recv_headers]:1235
|<3>| ASSERT: ../../lib/record.c[_gnutls_recv_in_buffers]:1304
|<3>| ASSERT: ../../lib/record.c[_gnutls_recv_int]:1777
*** Fatal error: A TLS record packet with invalid length was received.
*** Server has terminated the connection abnormally.
|<5>| REC[0x55fb29e95ff0]: Start of epoch cleanup
|<5>| REC[0x55fb29e95ff0]: End of epoch cleanup
|<5>| REC[0x55fb29e95ff0]: Epoch #1 freed
```

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/811#note_198654520

From gnutls-devel at lists.gnutls.org Thu Aug 1 12:06:23 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 01 Aug 2019 10:06:23 +0000
Subject: [gnutls-devel] libtasn1 | Add initial fuzzing implementation (!38)

Tim Rühsen commented on a discussion on .gitignore: https://gitlab.com/gnutls/libtasn1/merge_requests/38#note_198658040

> examples/Makefile.in

Let me do this after merging the `libtasn1_encoding_fuzzer` commit into the initial commit. Currently, I immediately see OOM with the new fuzzer - that's the reason I didn't include initial corpora yet. I'll have a look today - there must be an endless loop (or recursion) that eats up all memory.

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/merge_requests/38#note_198658040

From gnutls-devel at lists.gnutls.org Thu Aug 1 12:55:14 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 01 Aug 2019 10:55:14 +0000
Subject: [gnutls-devel] GnuTLS | pk: implement deterministic ECDSA/DSA for provable signing (!1051)

Daiki Ueno pushed new commits to merge request !1051
https://gitlab.com/gnutls/gnutls/merge_requests/1051

* e4dc7d3d - nettle: add functions for deterministic ECDSA/DSA
* 8312f9c7 - privkey_sign_raw_data: remove unnecessary local variable
* 8e122c02 - pk: implement deterministic ECDSA/DSA

-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1051

From gnutls-devel at lists.gnutls.org Thu Aug 1 13:16:05 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 01 Aug 2019 11:16:05 +0000
Subject: [gnutls-devel] libtasn1 | Endless loop in asn1_create_element(), ending in OOM (#22)

Tim Rühsen created an issue:

The following call sequence eats up memory while running in an (endless) loop:

```
asn1_node definitions = NULL, asn1_element = NULL;
char errorDescription[ASN1_MAX_ERROR_DESCRIPTION_SIZE];
if (asn1_parser2tree("infile", &definitions, errorDescription) == ASN1_SUCCESS)
  asn1_create_element(definitions, "TEST_TREE.Koko", &asn1_element);
```

with `infile` being

```
TEST_TREE { }
DEFINITIONS IMPLICIT TAGS ::=
BEGIN
Koko ::= SEQUENCE { x ?L }
END
```

Easiest way to reproduce:

- git checkout tmp-fuzzing
- ./bootstrap && ./configure && make && cd fuzz
- make check TESTS=libtasn1_encoding_fuzzer

You have to CTRL-C to stop it.

It hangs in `_asn1_expand_identifier()`, each loop iteration running through the code block of `if (type_field (p->type) == ASN1_ETYPE_IDENTIFIER)`.

-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/issues/22

From gnutls-devel at lists.gnutls.org Thu Aug 1 13:51:14 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 01 Aug 2019 11:51:14 +0000
Subject: [gnutls-devel] GnuTLS | Implement gnutls_aead_cipher_(en|de)crypt_vec() (#718)

Reassigned Issue 718
https://gitlab.com/gnutls/gnutls/issues/718

Assignee changed to Daiki Ueno

-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/718

From gnutls-devel at lists.gnutls.org Thu Aug 1 15:03:37 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 01 Aug 2019 13:03:37 +0000
Subject: [gnutls-devel] GnuTLS | support non-NULL-terminated PSKs (!917)

Ander Juaristi commented:

@nmav I'm stuck here. The feature is ready, but I can't tell why the cross-arch tests are failing. Sorry for not saying so earlier.

-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/917#note_198796641

From gnutls-devel at lists.gnutls.org Thu Aug 1 17:00:00 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 01 Aug 2019 15:00:00 +0000
Subject: [gnutls-devel] libtasn1 | Endless loop in asn1_create_element(), ending in OOM (#22)

Tim Rühsen commented:

`_asn1_expand_identifier()` isn't documented at all. It's not clear to me at which point it has to be 'fixed'.

IMO, a recursive algorithm like a tree needs some kind of 'stack' (via recursion or via a stack emulation) for general proper operation. How can we make the code more maintainable?

-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/issues/22#note_198935692

From gnutls-devel at lists.gnutls.org Thu Aug 1 17:39:46 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 01 Aug 2019 15:39:46 +0000
Subject: [gnutls-devel] libtasn1 | Add initial fuzzing implementation (!38)

All discussions on Merge Request !38 were resolved by Tim Rühsen
https://gitlab.com/gnutls/libtasn1/merge_requests/38

-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/merge_requests/38

From gnutls-devel at lists.gnutls.org Thu Aug 1 18:33:31 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 01 Aug 2019 16:33:31 +0000
Subject: [gnutls-devel] libtasn1 | Add initial fuzzing implementation (!38)

Merge Request !38 was merged

Merge Request url: https://gitlab.com/gnutls/libtasn1/merge_requests/38
Branches: tmp-fuzzing to master
Author: Tim Rühsen
Assignees:

-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/merge_requests/38

From gnutls-devel at lists.gnutls.org Fri Aug 2 01:10:09 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 01 Aug 2019 23:10:09 +0000
Subject: [gnutls-devel] GnuTLS | WIP: Add support for CNT_IMIT TLS 1.2 GOST cipher suite (!920)

Dmitry Eremin-Solenikov pushed new commits to merge request !920
https://gitlab.com/gnutls/gnutls/merge_requests/920

* da8e1b83...3b0766ee - 15 commits from branch `master`
* 484780e3 - lib: define TC26 GOST curves
* 9650bb5f - nettle/gost: provide GOST 28147-89 CNT mode
* 72423d73 - nettle/gost: provide GOST 28147-89 IMIT MAC mode
* b564136d - lib: provide GOST 28147-89 CNT mode support
* e3deeae0 - lib: provide GOST 28147-89 IMIT MAC support
* ffaa627d - nettle: provide GOST 28147-89 CNT mode support
* fec819d3 - nettle: provide GOST 28147-89 IMIT MAC support
* c74e5bb6 - nettle/gost: provide GOST keywrapping support
* 4d02dece - nettle/gost: add support for GOST VKO algorithm
* 41d566f5 - _gnutls_pk_derive: add argument for nonce
* 4abe7bd0 - nettle: add support for GOST key derivation
* 2b50b71f - mpi: add _gnutls_mpi_bprint_size_le()
* 6c625cd8 - pk: support little endian GOST signatures
* 046a4c2a - Allow using implicit IV for stream ciphers with TLS
* 77ac3bc9 - Support GOST certificate request values
* 8bc82b6e - Add GOST key transport support
* 6e1c0468 - groups: add function to return group by curve
* 129a8ccd - Add support for VKO GOST key exchange
* e224dc1e - Support GOST cipher suite MAC calculation
* 5d9f7956 - Add GOST cipher suites
* 673953e4 - Declare groups corresponding to GOST curves
* ee9bfce1 - Add GOST values to cipher suites priorities
* dcd2fdb8 - Swap TLS signatures in case we are signing them with GOST keys
* 91344d04 - prf: add GOST R 34.11-94 and Streebog PRF support
* 5599ac9c - tests: add tests for KX-GOST-VKO using different key variants
* 0e3bd36b - lib: fix group selection in case of GOST cipher suites
* 666924a3 - tests: added testcases for ciphersuite/KX negotiation with VKO-GOST
* ec5c0031 - lib/algorithms: add AID values assigned by IANA
* bb385d3d - lib: pubkey vs TLS signature compatibility for GOST algorithms
* c94b257a - cli-debug: include GOST VKO into KX list
* 954a6d8f - priority: add GROUP-GOST-ALL keyword
* 15b989fa - nettle/pk: add support for "new" TC26 256 B curve
* f83270d4 - ecc: define curve->group relationship
* ce1c9c63 - ext/supported_groups: don't consider non-EC groups for EC
* ff941fba - ext/signature: use GOST signatures for GOST ciphersuites
* e54256ff - tests: correct gost server certificates

-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/920

From gnutls-devel at lists.gnutls.org Fri Aug 2 01:50:17 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 01 Aug 2019 23:50:17 +0000
Subject: [gnutls-devel] GnuTLS | WIP: Add support for CNT_IMIT TLS 1.2 GOST cipher suite (!920)

Tim Rühsen commented:

This pull request **introduces 1 alert** when merging e54256ff3beedcf13a6cdce2acca1d7ba058cb7e into 3b0766ee96de1c3d6c706faed97fa938e7ef01ea - [view on LGTM.com](https://lgtm.com/projects/gl/gnutls/gnutls/rev/pr-5ddca6b26e7240a110847a13c255563831cbe293)

**new alerts:**

* 1 for FIXME comment

---

*Comment posted by [LGTM.com](https://lgtm.com)*

-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/920#note_199176647

From gnutls-devel at lists.gnutls.org Fri Aug 2 02:16:08 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 02 Aug 2019 00:16:08 +0000
Subject: [gnutls-devel] GnuTLS | pkcs11_privkey.c:335:32: error: storage size of 'rsa_pss_params' isn't known (#812)

Will Tan commented:

Excuse me, how can I fix this problem?

-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/812#note_199179278

From gnutls-devel at lists.gnutls.org Fri Aug 2 02:24:12 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 02 Aug 2019 00:24:12 +0000
Subject: [gnutls-devel] GnuTLS | pkcs11_privkey.c:335:32: error: storage size of 'rsa_pss_params' isn't known (#812)

Will Tan commented:

If you change the compilation options, you get other error messages:

```
cd ~/gnutls-3.6.9
./configure --bindir=/usr/bin/ \
  --sbindir=/usr/sbin/ \
  --libexecdir=/usr/libexec/ \
  --sysconfdir=/etc/ \
  --libdir=/usr/lib64/ \
  --includedir=/usr/include/ \
  --datarootdir=/usr/share/ \
  --infodir=/usr/share/info/ \
  --localedir=/usr/share/locale/ \
  --mandir=/usr/share/man/ \
  --docdir=/usr/share/doc/gnutls/ \
  --enable-static \
  --disable-guile \
  --without-p11-kit
```

Error messages:

```
psktool-args.c:42:0: warning: macro "OPTION_CODE_COMPILE" is not used [-Wunused-macros]
 #define OPTION_CODE_COMPILE 1
 ^
  CCLD     libcmd-psk.la
  CCLD     psktool
../lib/.libs/libgnutls.so: undefined reference to `__get_cpuid_count'
collect2: error: ld returned 1 exit status
make[4]: *** [psktool] Error 1
make[4]: Leaving directory `/root/gnutls-3.6.9/src'
make[3]: *** [all-recursive] Error 1
make[3]: Leaving directory `/root/gnutls-3.6.9/src'
make[2]: *** [all] Error 2
make[2]: Leaving directory `/root/gnutls-3.6.9/src'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/root/gnutls-3.6.9'
make: *** [all] Error 2
```

-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/812#note_199180019

From gnutls-devel at lists.gnutls.org Fri Aug 2 10:31:43 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 02 Aug 2019 08:31:43 +0000
Subject: [gnutls-devel] GnuTLS | gnutls 3.6.9 fails to build: WARNING: 'autogen' is missing on your system. (#810)

Nikos Mavrogiannopoulos commented:

I cannot reproduce. That may be a local issue. See the error: `No .bak files found; will call autogen`

Are any .bak files missing after unpacking the release?

-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/810#note_199272062

From gnutls-devel at lists.gnutls.org Fri Aug 2 10:47:34 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 02 Aug 2019 08:47:34 +0000
Subject: [gnutls-devel] libtasn1 | README.md: added links to issue trackers [ci skip] (!41)

Nikos Mavrogiannopoulos created a merge request:
https://gitlab.com/gnutls/libtasn1/merge_requests/41

Branches: tmp-issue-trackers to master
Author: Nikos Mavrogiannopoulos
Assignees:

Added links to oss-fuzz and main issue trackers.

## Checklist

* [ ] Code modified for feature
* [ ] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated

## Reviewer's checklist:

* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent with other code
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/merge_requests/41

From gnutls-devel at lists.gnutls.org Fri Aug 2 11:00:49 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 02 Aug 2019 09:00:49 +0000
Subject: [gnutls-devel] libtasn1 | README.md: added links to issue trackers [ci skip] (!41)

Merge Request !41 was merged

Merge Request url: https://gitlab.com/gnutls/libtasn1/merge_requests/41
Branches: tmp-issue-trackers to master
Author: Nikos Mavrogiannopoulos
Assignees:

-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/merge_requests/41

From gnutls-devel at lists.gnutls.org Fri Aug 2 12:08:08 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 02 Aug 2019 10:08:08 +0000
Subject: [gnutls-devel] GnuTLS | crypto-api: add gnutls_aead_cipher_{en, de}crypt_vec (!1052)

Daiki Ueno created a merge request:
https://gitlab.com/gnutls/gnutls/merge_requests/1052

Branches: tmp-encryptv2 to master
Author: Daiki Ueno
Assignees:

This adds an in-place equivalent of gnutls_aead_cipher_encrypt() and gnutls_aead_cipher_decrypt().

Fixes #718.

## Checklist

* [x] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [x] Code modified for feature
* [x] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [x] Documentation updated / NEWS entry present (for non-trivial changes)
* [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:

* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1052

From gnutls-devel at lists.gnutls.org Fri Aug 2 12:18:48 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 02 Aug 2019 10:18:48 +0000
Subject: [gnutls-devel] GnuTLS | crypto-api: add gnutls_aead_cipher_{en, de}crypt_vec (!1052)

Daiki Ueno pushed new commits to merge request !1052
https://gitlab.com/gnutls/gnutls/merge_requests/1052

* a44f535d - crypto-api: add gnutls_aead_cipher_{en,de}crypt_vec

-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1052

From gnutls-devel at lists.gnutls.org Fri Aug 2 12:20:18 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 02 Aug 2019 10:20:18 +0000
Subject: [gnutls-devel] GnuTLS | crypto-api: add gnutls_aead_cipher_{en, de}crypt_vec (!1052)

Daiki Ueno commented:

@cryptomilk does this suffice for your use case?

-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1052#note_199368785

From gnutls-devel at lists.gnutls.org Fri Aug 2 12:27:15 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 02 Aug 2019 10:27:15 +0000
Subject: [gnutls-devel] GnuTLS | crypto-api: add gnutls_aead_cipher_{en, de}crypt_vec (!1052)

Andreas Schneider commented:

Awesome! Looks great, thanks!

-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1052#note_199376578

From gnutls-devel at lists.gnutls.org Fri Aug 2 12:35:14 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 02 Aug 2019 10:35:14 +0000
Subject: [gnutls-devel] GnuTLS | Checked-in files in devel/ contain local paths that result in merge conflicts (#797)

Tom commented:

Hi Nikos, I tagged it as confidential because this issue reveals local file paths from developers and thus potentially private information. But indeed nothing sensitive related to GnuTLS. I will report this upstream.

-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/797#note_199393738

From gnutls-devel at lists.gnutls.org Fri Aug 2 12:41:40 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 02 Aug 2019 10:41:40 +0000
Subject: [gnutls-devel] libtasn1 | Fix null dereference in _asn1_expand_object_id() (!42)

Tim Rühsen created a merge request:
https://gitlab.com/gnutls/libtasn1/merge_requests/42

Branches: tmp-fix-ossfuzz-16158 to master
Author: Tim Rühsen
Assignees:

Add a description of the new feature/bug fix. Reference any relevant bugs.

## Checklist

* [x] Code modified for feature
* [ ] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated

## Reviewer's checklist:

* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent with other code
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/merge_requests/42

From gnutls-devel at lists.gnutls.org Fri Aug 2 13:03:37 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 02 Aug 2019 11:03:37 +0000
Subject: [gnutls-devel] GnuTLS | Notes about Ubuntu specific software versions not available. (!1029)

Dmitry Eremin-Solenikov started a new discussion on README.md: https://gitlab.com/gnutls/gnutls/merge_requests/1029#note_199436355

> > Debian/Ubuntu:
> ```
> -apt-get install -y valgrind libasan1 libubsan0 nodejs softhsm2 datefudge lcov libssl-dev libcmocka-dev expect
> +apt-get install -y valgrind nodejs softhsm2 datefudge lcov libssl-dev libcmocka-dev expect
> apt-get install -y dieharder libpolarssl-runtime openssl abigail-tools socat net-tools ppp lockfile-progs

@kaoh Just a nitpick, as you are updating this (sorry for the long delay). libpolarssl-runtime has also been removed for quite a while, so we'd better fix this.

-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1029#note_199436355

From gnutls-devel at lists.gnutls.org Fri Aug 2 13:05:25 2019
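Review bot: the unchanged context line `apt-get install -y dieharder libpolarssl-runtime openssl abigail-tools socat net-tools ppp lockfile-progs` still lists libpolarssl-runtime, which the discussion says has also been gone from Debian/Ubuntu for a while; since this hunk already prunes packages that no longer exist (libasan1, libubsan0), drop libpolarssl-runtime in the same change so the documented command installs cleanly on a current release, and state in the commit message that the removed names are obsolete packages rather than a change in what the test suite needs.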
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 02 Aug 2019 11:05:25 +0000
Subject: [gnutls-devel] GnuTLS | pk: implement deterministic ECDSA/DSA for provable signing (!1051)

Daiki Ueno pushed new commits to merge request !1051
https://gitlab.com/gnutls/gnutls/merge_requests/1051

* 189748bb - nettle: add functions for deterministic ECDSA/DSA
* 50c5355b - privkey_sign_raw_data: remove unnecessary local variable
* 4428a25d - pk: implement deterministic ECDSA/DSA

-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1051

From gnutls-devel at lists.gnutls.org Fri Aug 2 13:10:20 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 02 Aug 2019 11:10:20 +0000
Subject: [gnutls-devel] GnuTLS | WIP: Add support for CNT_IMIT TLS 1.2 GOST cipher suite (!920)

Dmitry Eremin-Solenikov commented on a discussion on lib/auth/vko_gost.c: https://gitlab.com/gnutls/gnutls/merge_requests/920#note_199443699

> + ret =
> + _gnutls_get_auth_info_pcert(&peer_cert,
> + session->security_parameters.
> + server_ctype, info);
> +
> + if (ret < 0) {
> + gnutls_assert();
> + return ret;
> + }
> +
> + /* just in case we are resuming a session */
> + gnutls_pk_params_release(&session->key.kshare.ecdh_params);
> +
> + gnutls_pk_params_init(&session->key.kshare.ecdh_params);
> +
> + curve = peer_cert.pubkey->params.curve;

We limit VKO KX to GOST public keys in the `pk_mappings` struct.

-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/920#note_199443699

From gnutls-devel at lists.gnutls.org Fri Aug 2 13:32:31 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 02 Aug 2019 11:32:31 +0000
Subject: [gnutls-devel] libtasn1 | Fix null dereference in _asn1_expand_object_id() (!42)

Merge Request !42 was merged

Merge Request url: https://gitlab.com/gnutls/libtasn1/merge_requests/42
Branches: tmp-fix-ossfuzz-16158 to master
Author: Tim Rühsen
Assignees:

-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/merge_requests/42

From gnutls-devel at lists.gnutls.org Fri Aug 2 13:56:26 2019
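Review bot: `curve = peer_cert.pubkey->params.curve;` on the last line of the quoted hunk reads the peer's public-key parameters as if they were GOST parameters without any check at this point that the key algorithm is a GOST one; the reply says `pk_mappings` restricts the VKO key exchange to GOST public keys, but that invariant lives in a table elsewhere, so a `gnutls_assert()`-style check on the key's algorithm right before the `curve` assignment (returning an error instead of continuing) would keep the assumption visible at the point of use and fail safely if the mapping table is edited later.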
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 02 Aug 2019 11:56:26 +0000
Subject: [gnutls-devel] GnuTLS | WIP: Add support for CNT_IMIT TLS 1.2 GOST cipher suite (!920)

Dmitry Eremin-Solenikov commented on a discussion on tests/tls12-server-kx-neg.c: https://gitlab.com/gnutls/gnutls/merge_requests/920#note_199482938

> + .server_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:-VERS-ALL:+VERS-TLS1.2",
> + .client_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:-VERS-ALL:+VERS-TLS1.2"
> + },
> + {
> + .name = "TLS 1.2 VKO-GOST-12 with cred and GOST12-512 cert",
> + .server_ret = 0,
> + .client_ret = 0,
> + .have_cert_cred = 1,
> + .have_gost12_512_cert = 1,
> + .not_on_fips = 1,
> + .server_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:-VERS-ALL:+VERS-TLS1.2",
> + .client_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:-VERS-ALL:+VERS-TLS1.2"
> + },
> + {
> + .name = "TLS 1.2 VKO-GOST-12 with cred and multiple certs",
> + .server_ret = 0,

Should this test go to tls12-server-kx-neg or tls13-server-kx-neg?

-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/920#note_199482938

From gnutls-devel at lists.gnutls.org Fri Aug 2 14:05:53 2019
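Review bot: every entry in this hunk pins both `.server_prio` and `.client_prio` to `-VERS-ALL:+VERS-TLS1.2`, so tests/tls12-server-kx-neg.c is the consistent home for them; the identical string `"NORMAL:-KX-ALL:+VKO-GOST-12:-VERS-ALL:+VERS-TLS1.2"` is repeated in each entry for both sides and is worth factoring into one `#define` so a later priority change is made in a single place.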
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 02 Aug 2019 12:05:53 +0000
Subject: [gnutls-devel] GnuTLS | Move GOST cryptography to nettle (#814)

Dmitry Eremin-Solenikov created an issue:

GnuTLS has become a testbed for GOST algorithms implementation, which should be moved to the nettle cryptographic library.

The following discussion from !920 should be addressed:

- [ ] @nmav started a [discussion](https://gitlab.com/gnutls/gnutls/merge_requests/920#note_144295514): (+1 comment)

  > Not sure if you already tried, but if not we should try to add it to nettle (in parallel with here)

-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/814

From gnutls-devel at lists.gnutls.org Fri Aug 2 14:11:11 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 02 Aug 2019 12:11:11 +0000
Subject: [gnutls-devel] GnuTLS | crypto-api: add gnutls_aead_cipher_{en, de}crypt_vec (!1052)

Daiki Ueno pushed new commits to merge request !1052
https://gitlab.com/gnutls/gnutls/merge_requests/1052

* 763c05cb - crypto-api: add gnutls_aead_cipher_{en,de}crypt_vec

-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1052

From gnutls-devel at lists.gnutls.org Fri Aug 2 14:34:50 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 02 Aug 2019 12:34:50 +0000
Subject: [gnutls-devel] GnuTLS | certtool: default to yes on signing certificates for CAs (!1048)

Merge Request !1048 was approved by Daiki Ueno

Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/1048
Branches: tmp-sign-cas to master
Author: Nikos Mavrogiannopoulos
Assignees:

-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1048

From gnutls-devel at lists.gnutls.org Fri Aug 2 15:12:14 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 02 Aug 2019 13:12:14 +0000
Subject: [gnutls-devel] GnuTLS | gnutls 3.6.9 fails to build: WARNING: 'autogen' is missing on your system. (#810)

Emerson Bernier commented:

.bak files are available after unpacking the release. We used to build in a separate `builddir`, which didn't work with 3.6.9, but after switching to building in the source dir it seems to work. So it seems this is the new requirement to build without autogen, which we can deal with.

-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/810#note_199566713

From gnutls-devel at lists.gnutls.org Fri Aug 2 15:12:16 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 02 Aug 2019 13:12:16 +0000
Subject: [gnutls-devel] GnuTLS | gnutls 3.6.9 fails to build: WARNING: 'autogen' is missing on your system. (#810)

Issue was closed by Emerson Bernier

Issue #810: https://gitlab.com/gnutls/gnutls/issues/810

-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/810

From gnutls-devel at lists.gnutls.org Fri Aug 2 22:01:57 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 02 Aug 2019 20:01:57 +0000
Subject: [gnutls-devel] GnuTLS | pkcs11_privkey.c:335:32: error: storage size of 'rsa_pss_params' isn't known (#812)

Nikos Mavrogiannopoulos commented:

For this:

```
pkcs11_privkey.c: In function '_gnutls_pkcs11_privkey_sign':
pkcs11_privkey.c:335:32: error: storage size of 'rsa_pss_params' isn't known
  struct ck_rsa_pkcs_pss_params rsa_pss_params;
```

Most likely a newer p11-kit version is required. I believe you disabled pkcs11 support to make it compile, right?

The `__get_cpuid_count` is more complex; it seems gcc 4.8 doesn't contain this function. I'll submit a pull request for this; you'll need to apply this patch on top of your copy.

-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/812#note_199703607

From gnutls-devel at lists.gnutls.org Fri Aug 2 22:02:16 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 02 Aug 2019 20:02:16 +0000
Subject: [gnutls-devel] GnuTLS | gcc 4.8: does not contain __get_cpuid_count() (#812)

Reassigned Issue 812
https://gitlab.com/gnutls/gnutls/issues/812

Assignee changed to Nikos Mavrogiannopoulos

-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/812

From gnutls-devel at lists.gnutls.org Fri Aug 2 22:02:17 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 02 Aug 2019 20:02:17 +0000
Subject: [gnutls-devel] GnuTLS | gcc 4.8: does not contain __get_cpuid_count() (#812)

Milestone changed to Release of GnuTLS 3.6.10 (Jul 26, 2019–Sep 25, 2019) ( https://gitlab.com/gnutls/gnutls/-/milestones/24 )

-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/812

From gnutls-devel at lists.gnutls.org Fri Aug 2 22:19:06 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 02 Aug 2019 20:19:06 +0000
Subject: [gnutls-devel] GnuTLS | gnutls 3.6.9 fails to build: WARNING: 'autogen' is missing on your system. (#810)

Issue was reopened by Nikos Mavrogiannopoulos

Issue 810: https://gitlab.com/gnutls/gnutls/issues/810

-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/810

From gnutls-devel at lists.gnutls.org Fri Aug 2 22:19:09 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 02 Aug 2019 20:19:09 +0000
Subject: [gnutls-devel] GnuTLS | gnutls 3.6.9 fails to build: WARNING: 'autogen' is missing on your system. (#810)
In-Reply-To:
References:
Message-ID:

Reassigned Issue 810 https://gitlab.com/gnutls/gnutls/issues/810

Assignee changed to Nikos Mavrogiannopoulos

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/810

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 02 Aug 2019 20:19:13 +0000
Subject: [gnutls-devel] GnuTLS | gnutls 3.6.9 fails to build: WARNING: 'autogen' is missing on your system. (#810)
In-Reply-To:
References:
Message-ID:

Milestone changed to Release of GnuTLS 3.6.10 (Jul 26, 2019–Sep 25, 2019) ( https://gitlab.com/gnutls/gnutls/-/milestones/24 )

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/810
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 02 Aug 2019 20:19:05 +0000
Subject: [gnutls-devel] GnuTLS | gnutls 3.6.9 fails to build: WARNING: 'autogen' is missing on your system. (#810)
In-Reply-To:
References:
Message-ID:

Nikos Mavrogiannopoulos commented:

Thank you for confirming. I'm reopening since that's a regression.

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/810#note_199706827
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 02 Aug 2019 20:19:48 +0000
Subject: [gnutls-devel] GnuTLS | Minor fixes in 3.6.9 release (!1053)
References:
Message-ID:

Nikos Mavrogiannopoulos created a merge request: https://gitlab.com/gnutls/gnutls/merge_requests/1053

Branches: tmp-fixes to master
Author: Nikos Mavrogiannopoulos
Assignees:

This contains a set of minor fixes in the 3.6.9 release.

## Checklist

* [x] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [ ] Code modified for feature
* [ ] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
* [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:

* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1053
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 02 Aug 2019 20:29:52 +0000
Subject: [gnutls-devel] GnuTLS | Provide high-level KDF API (#813)
In-Reply-To:
References:
Message-ID:

Nikos Mavrogiannopoulos commented:

It makes sense. Seeing how this is implemented in [openssl](https://github.com/openssl/openssl/pull/6674/files#diff-ac9bfc23ea9303f8896d38a0aa01ad6e) and PKCS#11, such an API can get very messy and hard to use if everything needs to be handled. Not sure if it helps, but checking what model could fit for such a demanding/extensible API, the closest I see is some function similar to `gnutls_session_set_verify_cert2` with `gnutls_vdata_types_t`, but most likely on steroids.

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/813#note_199708767
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 02 Aug 2019 20:31:56 +0000
Subject: [gnutls-devel] GnuTLS | WIP: Add support for CNT_IMIT TLS 1.2 GOST cipher suite (!920)
In-Reply-To:
References:
Message-ID:

Nikos Mavrogiannopoulos commented on a discussion on lib/includes/gnutls/abstract.h: https://gitlab.com/gnutls/gnutls/merge_requests/920#note_199709117

> * @GNUTLS_PRIVKEY_FLAG_EXPORT_COMPAT: Keys generated or imported as provable require an extended format which cannot be read by previous versions
> * of gnutls or other applications. By setting this flag the key will be exported in a backwards compatible way,
> * even if the information about the seed used will be lost.
> + * @GNUTLS_PRIVKEY_SIGN_FLAG_GOST_RS_LE: Swap generated GOST 34.10 signature byte order (mainly for TLS CertificateVerify message).

Not sure; can we treat the signature as a different signature, or would it get more messy?

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/920#note_199709117
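Review bot: the new `@GNUTLS_PRIVKEY_SIGN_FLAG_GOST_RS_LE` line is added to the comment block that documents the `GNUTLS_PRIVKEY_FLAG_*` import/export flags, yet its prefix marks it as a signing flag, so the comment should name the signing call that honours it and state that the verifying side must expect the same byte order, since a signature emitted with swapped byte order does not verify under the default encoding. Suggested wording: `@GNUTLS_PRIVKEY_SIGN_FLAG_GOST_RS_LE: Emit the generated GOST 34.10 signature with swapped byte order, as needed for the TLS CertificateVerify message; the peer must verify it with the same convention.`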
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 02 Aug 2019 20:35:47 +0000
Subject: [gnutls-devel] GnuTLS | WIP: Add support for CNT_IMIT TLS 1.2 GOST cipher suite (!920)
In-Reply-To:
References:
Message-ID:

Nikos Mavrogiannopoulos commented on a discussion on tests/tls12-server-kx-neg.c: https://gitlab.com/gnutls/gnutls/merge_requests/920#note_199709822

> + .server_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:-VERS-ALL:+VERS-TLS1.2",
> + .client_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:-VERS-ALL:+VERS-TLS1.2"
> + },
> + {
> + .name = "TLS 1.2 VKO-GOST-12 with cred and GOST12-512 cert",
> + .server_ret = 0,
> + .client_ret = 0,
> + .have_cert_cred = 1,
> + .have_gost12_512_cert = 1,
> + .not_on_fips = 1,
> + .server_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:-VERS-ALL:+VERS-TLS1.2",
> + .client_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:-VERS-ALL:+VERS-TLS1.2"
> + },
> + {
> + .name = "TLS 1.2 VKO-GOST-12 with cred and multiple certs",
> + .server_ret = 0,

Maybe the tls13 is a better fit.

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/920#note_199709822
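Review bot: every entry visible in this hunk expects a successful handshake (`.server_ret = 0`, `.client_ret = 0`), so the table only exercises the positive path for `VKO-GOST-12`; add a negative entry, for instance the same priority strings with no GOST certificate on the server and a non-zero expected return, so that a silent fallback to another key exchange would be caught instead of passing. Also confirm that the first entry, whose attributes are cut off in this quote, carries the same `.not_on_fips = 1` as the GOST12-512 entry, since all GOST entries need to be skipped under FIPS alike.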
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 02 Aug 2019 20:57:52 +0000
Subject: [gnutls-devel] GnuTLS | pk: implement deterministic ECDSA/DSA for provable signing (!1051)
In-Reply-To:
References:
Message-ID:

Merge request https://gitlab.com/gnutls/gnutls/merge_requests/1051 was reviewed by Nikos Mavrogiannopoulos

--

Nikos Mavrogiannopoulos started a new discussion on lib/pk.h: https://gitlab.com/gnutls/gnutls/merge_requests/1051#note_199713714

> #define _gnutls_pk_decrypt( algo, ciphertext, plaintext, params) _gnutls_pk_ops.decrypt( algo, ciphertext, plaintext, params)
> #define _gnutls_pk_decrypt2( algo, ciphertext, plaintext, size, params) _gnutls_pk_ops.decrypt2( algo, ciphertext, plaintext, size, params)
> -#define _gnutls_pk_sign( algo, sig, data, params, sign_params) _gnutls_pk_ops.sign( algo, sig, data, params, sign_params)

If we cannot avoid the flags parameter, what about adding a brief comment documenting which flags are expected here?

--

Nikos Mavrogiannopoulos started a new discussion on lib/crypto-backend.h: https://gitlab.com/gnutls/gnutls/merge_requests/1051#note_199713715

> - const gnutls_x509_spki_st *sign);
> + const gnutls_x509_spki_st *sign,
> + unsigned int flags);

Have you considered the use of the `gnutls_pk_params_st` `pkflags` field instead of a new flags?

--

Nikos Mavrogiannopoulos started a new discussion on lib/nettle/pk.c: https://gitlab.com/gnutls/gnutls/merge_requests/1051#note_199713718

> + if (ret < 0)
> + goto dsa_fail;
> + /* dsa_sign adds 1 for some reason */

Interesting. Most likely to ensure a non-zero value. What about changing the comment to: `/* cancel-out dsa_sign's addition of 1 to random data */`? That would guide a curious reader without having to refer to nettle to understand why that is.

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1051
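Review bot: appending `unsigned int flags` to the `sign` callback in lib/crypto-backend.h changes the contract for every backend that implements it, so the prototype should carry a comment stating which flag values are accepted and that unknown bits are rejected rather than ignored; a backend that silently ignores the deterministic-signing request would return a randomized signature where the caller asked for a reproducible one, and the caller has no way to tell the two apart.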
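Review bot: the `goto dsa_fail` taken on `ret < 0` in lib/nettle/pk.c sits right after the deterministic nonce has been derived from the private key; check that the `dsa_fail` label wipes the nonce and the scratch buffers used to compute it before returning, because a DSA nonce that leaks is enough to recover the private key. For the comment `/* dsa_sign adds 1 for some reason */`, the wording proposed above, saying that the subtraction cancels `dsa_sign`'s own +1, is preferable to leaving a "for some reason" in the code.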
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 02 Aug 2019 21:00:50 +0000
Subject: [gnutls-devel] GnuTLS | pk: implement deterministic ECDSA/DSA for provable signing (!1051)
In-Reply-To:
References:
Message-ID:

Nikos Mavrogiannopoulos commented on a discussion on lib/crypto-backend.h: https://gitlab.com/gnutls/gnutls/merge_requests/1051#note_199714287

> int (*sign) (gnutls_pk_algorithm_t, gnutls_datum_t * signature,
> const gnutls_datum_t * data,
> const gnutls_pk_params_st *priv,
> - const gnutls_x509_spki_st *sign);
> + const gnutls_x509_spki_st *sign,
> + unsigned int flags);

Or maybe even the `gnutls_x509_spki_st`

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1051#note_199714287
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 02 Aug 2019 21:07:10 +0000
Subject: [gnutls-devel] GnuTLS | pk: implement deterministic ECDSA/DSA for provable signing (!1051)
In-Reply-To:
References:
Message-ID:

Nikos Mavrogiannopoulos started a new discussion on lib/nettle/int/dsa-compute-k.c: https://gitlab.com/gnutls/gnutls/merge_requests/1051#note_199715466

> + uint8_t *xp = NULL;
> + uint8_t *hp = NULL;
> + uint8_t *tp = NULL;
> + mp_limb_t *h = NULL;
> + mp_size_t qn = mpz_size(q);
> + mp_size_t hn = (length + sizeof(mp_limb_t) - 1) / sizeof(mp_limb_t);
> + mp_bitcnt_t q_bits = mpz_sizeinbase (q, 2);
> + mp_bitcnt_t h_bits = length * 8;
> + size_t nbytes = (q_bits + 7) / 8;
> + const uint8_t c0 = 0x00;
> + const uint8_t c1 = 0x01;
> + mp_limb_t cy;
> + gnutls_hmac_hd_t hd;
> + int ret = 0;
> +
> + xp = gnutls_malloc(nbytes);

Have you measured the performance of the reproducible signatures in contrast to the default signing? I wonder whether combining these allocations into a single one would result in faster or slower code due to non-aligned start of data.

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1051#note_199715466
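Review bot: `xp = gnutls_malloc(nbytes)` is the first of several heap allocations for buffers that, going by their names and sizes (`nbytes` is the byte length of `q`), hold the private key bytes and the HMAC intermediate values; each allocation needs its result checked, and on every exit path these buffers must be zeroized before they are freed, since `gnutls_free` alone does not wipe and the private key material would otherwise survive in freed heap memory. The `h_bits = length * 8` value should also be compared against `q_bits`: if this follows RFC 6979's bits2int, a digest longer than `q` has to be truncated to `q_bits` before the reduction, so the limb count `hn` derived from `length` is only an upper bound on what the reduction needs.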
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 02 Aug 2019 21:11:29 +0000
Subject: [gnutls-devel] GnuTLS | pk: implement deterministic ECDSA/DSA for provable signing (!1051)
In-Reply-To:
References:
Message-ID:

Nikos Mavrogiannopoulos commented:

It looks good to me. Some questions after reading it:

- Would it make sense to have a flag to enable reproducible signatures under TLS for ECDSA? Most likely that shouldn't include RSA-PSS as on the latter the security is reduced.
- Shouldn't we enable the provable part on the self-tests as part of this patch set?

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1051#note_199716132

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 02 Aug 2019 21:12:30 +0000
Subject: [gnutls-devel] GnuTLS | optional: Support for deterministic ECDSA (#94)
In-Reply-To:
References:
Message-ID:

Milestone changed to Release of GnuTLS 3.6.10 (Jul 26, 2019–Sep 25, 2019) ( https://gitlab.com/gnutls/gnutls/-/milestones/24 )

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/94
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 02 Aug 2019 22:59:44 +0000
Subject: [gnutls-devel] GnuTLS | Notes about Ubuntu specific software versions not available. (!1029)
In-Reply-To:
References:
Message-ID:

Karsten Ohme pushed new commits to merge request !1029
https://gitlab.com/gnutls/gnutls/merge_requests/1029

* bc8f21b3...3b0766ee - 86 commits from branch `master`
* e2e9d29d - Notes about Ubuntu specific software versions not available.

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1029

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 02 Aug 2019 23:01:22 +0000
Subject: [gnutls-devel] GnuTLS | Notes about Ubuntu specific software versions not available. (!1029)
In-Reply-To:
References:
Message-ID:

Karsten Ohme commented on a discussion on README.md: https://gitlab.com/gnutls/gnutls/merge_requests/1029#note_199733187

>
> Debian/Ubuntu:
> ```
> -apt-get install -y valgrind libasan1 libubsan0 nodejs softhsm2 datefudge lcov libssl-dev libcmocka-dev expect
> +apt-get install -y valgrind nodejs softhsm2 datefudge lcov libssl-dev libcmocka-dev expect
> apt-get install -y dieharder libpolarssl-runtime openssl abigail-tools socat net-tools ppp lockfile-progs

Removed.

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1029#note_199733187
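Review bot: dropping `libasan1 libubsan0` from the Debian/Ubuntu line removes the two soname-versioned package names that the merge request title says are no longer available, but the unchanged context line below still lists `libpolarssl-runtime`, a similarly distribution-specific name; verify that every package on both `apt-get install` lines resolves on the releases the README targets, and consider naming those releases in the README, so the same breakage does not recur the next time a versioned package is renamed.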
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 02 Aug 2019 23:29:59 +0000
Subject: [gnutls-devel] GnuTLS | Notes about Ubuntu specific software versions not available. (!1029)
In-Reply-To:
References:
Message-ID:

All discussions on Merge Request !1029 were resolved by Dmitry Eremin-Solenikov

https://gitlab.com/gnutls/gnutls/merge_requests/1029

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1029

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 02 Aug 2019 23:30:10 +0000
Subject: [gnutls-devel] GnuTLS | Notes about Ubuntu specific software versions not available. (!1029)
In-Reply-To:
References:
Message-ID:

Merge Request !1029 was approved by Dmitry Eremin-Solenikov

Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/1029

Project:Branches: kaoh/gnutls:patch-1 to gnutls/gnutls:master
Author: Karsten Ohme
Assignees:

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1029
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 03 Aug 2019 05:21:36 +0000
Subject: [gnutls-devel] GnuTLS | certtool: default to yes on signing certificates for CAs (!1048)
In-Reply-To:
References:
Message-ID:

Merge Request !1048 was merged

Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/1048

Branches: tmp-sign-cas to master
Author: Nikos Mavrogiannopoulos
Assignees:

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1048

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 03 Aug 2019 06:02:11 +0000
Subject: [gnutls-devel] GnuTLS | Connection problems with older servers (record packet with invalid length was received) (#811)
In-Reply-To:
References:
Message-ID:

Nikos Mavrogiannopoulos commented:

Thank you. I tried to reproduce with 2.12.24, and I could not. It's a pity Ubuntu never updated to that version. The issue is that we moved to a more precise maximum record size calculation but that did not include the random padding possibility. Most likely we need to enhance `_gnutls_record_overhead` to account for it in CBC modes. We also miss backwards interoperability tests which could have prevented that. However, I'm not sure how easy it would be to introduce them due to conflicting dependencies.

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/811#note_199751636
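The failure Nikos describes above, a receiver whose maximum record size is derived from the minimal padding it would itself add, so that a conforming TLS 1.x CBC peer that pads randomly produces records the receiver rejects as too long, as an added illustration in C. This is example code written for this page, not GnuTLS's `_gnutls_record_overhead`; the `cbc_suite` struct and the function names are assumptions made here, and the constants (the 2^14-byte plaintext limit, up to 255 padding bytes plus the padding_length byte, an explicit IV from TLS 1.1 on, and the 2^14 + 2048 ceiling for block ciphers) are the record-layer rules of RFC 2246, RFC 4346 and RFC 5246. The worked numbers use AES-128-CBC with HMAC-SHA1 under TLS 1.2.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed example of TLS 1.x CBC record-size accounting (not GnuTLS code).
 * The struct and function names below are assumptions made for this page. */

#define TLS_MAX_PLAINTEXT   16384u                  /* 2^14: largest TLSPlaintext fragment */
#define TLS_BLOCK_CEILING   (TLS_MAX_PLAINTEXT + 2048u) /* hard limit for block-cipher TLSCiphertext */
#define TLS_CBC_MAX_PADDING 256u                    /* up to 255 padding bytes + padding_length byte */

struct cbc_suite {
    size_t block_size;  /* cipher block size: 16 for AES */
    size_t mac_size;    /* MAC tag size: 20 for HMAC-SHA1, 32 for HMAC-SHA256 */
    int    explicit_iv; /* TLS 1.1 and 1.2 prefix every record with a block-sized IV */
};

static size_t iv_len(const struct cbc_suite *s)
{
    return s->explicit_iv ? s->block_size : 0;
}

/* Overhead a sender adds when it pads only up to the next block boundary.
 * Correct for what we send ourselves, but not a bound on what a conforming
 * peer may send: that is the mistake the thread above is about. */
size_t cbc_overhead_min(const struct cbc_suite *s, size_t plaintext_len)
{
    size_t unpadded = plaintext_len + s->mac_size + 1;            /* +1: padding_length byte */
    size_t padded = (unpadded + s->block_size - 1) / s->block_size * s->block_size;
    return padded - plaintext_len + iv_len(s);
}

/* Largest overhead any TLS 1.x CBC sender may legitimately produce: MAC,
 * maximal padding, and IV. A receiver must derive its limit from this. */
size_t cbc_overhead_max(const struct cbc_suite *s)
{
    return s->mac_size + TLS_CBC_MAX_PADDING + iv_len(s);
}

/* Maximum ciphertext fragment a receiver accepts, computed either from the
 * minimal-padding overhead (the strict, interoperability-breaking variant)
 * or from the worst case a peer is allowed to send. */
size_t cbc_max_recv_fragment(const struct cbc_suite *s, int allow_random_padding)
{
    size_t overhead = allow_random_padding ? cbc_overhead_max(s)
                                           : cbc_overhead_min(s, TLS_MAX_PLAINTEXT);
    size_t limit = TLS_MAX_PLAINTEXT + overhead;
    return limit > TLS_BLOCK_CEILING ? TLS_BLOCK_CEILING : limit;
}

/* Fragment length a CBC sender produces for plaintext_len bytes and the given
 * padding_length value. Returns 0 when that padding does not land on a block
 * boundary, i.e. no conforming sender could have produced such a record. */
size_t cbc_sender_fragment_len(const struct cbc_suite *s, size_t plaintext_len,
                               size_t padding_length)
{
    size_t body = plaintext_len + s->mac_size + padding_length + 1;
    if (padding_length > 255 || body % s->block_size != 0)
        return 0;
    return iv_len(s) + body;
}

/* Receiver-side length check: block aligned, at least IV plus one block, and
 * within the computed limit. Returns 1 when the record would be accepted. */
int cbc_record_length_ok(const struct cbc_suite *s, size_t fragment_len,
                         int allow_random_padding)
{
    if (fragment_len % s->block_size != 0)
        return 0;
    if (fragment_len < iv_len(s) + s->block_size)
        return 0;
    return fragment_len <= cbc_max_recv_fragment(s, allow_random_padding);
}

int main(void)
{
    /* TLS 1.2 AES-128-CBC with HMAC-SHA1 as the sample suite */
    const struct cbc_suite aes_sha1 = { 16, 20, 1 };
    size_t minimal = cbc_sender_fragment_len(&aes_sha1, TLS_MAX_PLAINTEXT, 11);
    size_t padded  = cbc_sender_fragment_len(&aes_sha1, TLS_MAX_PLAINTEXT, 251);

    printf("limit, minimal padding assumed: %zu\n", cbc_max_recv_fragment(&aes_sha1, 0));
    printf("limit, random padding allowed:  %zu\n", cbc_max_recv_fragment(&aes_sha1, 1));
    printf("record with 11 padding bytes (%zu): strict=%d\n", minimal,
           cbc_record_length_ok(&aes_sha1, minimal, 0));
    printf("record with 251 padding bytes (%zu): strict=%d lenient=%d\n", padded,
           cbc_record_length_ok(&aes_sha1, padded, 0),
           cbc_record_length_ok(&aes_sha1, padded, 1));
    return 0;
}
```

Compile with `cc -std=c99 example.c`. The strict limit (16432 bytes for this suite) is exactly what a minimally padding sender produces, so it never trips against our own records; a legitimate record carrying 251 padding bytes is 16672 bytes and only passes once the worst-case overhead is used. The lenient bound (16676 bytes) is still well below the 2^14 + 2048 protocol ceiling, so accepting it does not loosen the length check beyond what the specification already permits.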
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 03 Aug 2019 06:02:28 +0000
Subject: [gnutls-devel] GnuTLS | Connection problems with older servers (record packet with invalid length was received) (#811)
In-Reply-To:
References:
Message-ID:

Milestone changed to Release of GnuTLS 3.6.10 (Jul 26, 2019–Sep 25, 2019) ( https://gitlab.com/gnutls/gnutls/-/milestones/24 )

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/811
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 03 Aug 2019 09:21:48 +0000
Subject: [gnutls-devel] GnuTLS | pk: implement deterministic ECDSA/DSA for provable signing (!1051)
In-Reply-To:
References:
Message-ID:

Daiki Ueno commented on a discussion on lib/nettle/int/dsa-compute-k.c: https://gitlab.com/gnutls/gnutls/merge_requests/1051#note_199765012

> + uint8_t *xp = NULL;
> + uint8_t *hp = NULL;
> + uint8_t *tp = NULL;
> + mp_limb_t *h = NULL;
> + mp_size_t qn = mpz_size(q);
> + mp_size_t hn = (length + sizeof(mp_limb_t) - 1) / sizeof(mp_limb_t);
> + mp_bitcnt_t q_bits = mpz_sizeinbase (q, 2);
> + mp_bitcnt_t h_bits = length * 8;
> + size_t nbytes = (q_bits + 7) / 8;
> + const uint8_t c0 = 0x00;
> + const uint8_t c1 = 0x01;
> + mp_limb_t cy;
> + gnutls_hmac_hd_t hd;
> + int ret = 0;
> +
> + xp = gnutls_malloc(nbytes);

If the maximum size of q is limited (e.g., max. 521 in ECDSA, 512 in DSA), we can avoid those allocations altogether, though GnuTLS seems to allow arbitrary size through `GNUTLS_SUBGROUP_TO_BITS`. What do you think?

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1051#note_199765012
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 03 Aug 2019 12:27:57 +0000
Subject: [gnutls-devel] GnuTLS | Connection problems with older servers (record packet with invalid length was received) (#811)
In-Reply-To:
References:
Message-ID:

Andreas Metzler commented on a discussion: https://gitlab.com/gnutls/gnutls/issues/811#note_199794403

You can pull the old packages from Debian's archive server to test:
```
#!/bin/sh
set -e
mkdir -p /tmp/OLDGNUTLS/debs || exit 1
mkdir -p /tmp/OLDGNUTLS/x -p /tmp/OLDGNUTLS/tmp
cd /tmp/OLDGNUTLS/debs
# fetch the gnutls26 (2.12.20) packages and the libraries they link against from the Debian archive
wget -c \
  http://archive.debian.org/debian/pool/main/g/gnutls26/gnutls-bin_3.0.22-3+really2.12.20-8+deb7u5_amd64.deb \
  http://archive.debian.org/debian/pool/main/g/gnutls26/guile-gnutls_3.0.22-3+really2.12.20-8+deb7u5_amd64.deb \
  http://archive.debian.org/debian/pool/main/g/gnutls26/libgnutls-dev_2.12.20-8+deb7u5_amd64.deb \
  http://archive.debian.org/debian/pool/main/g/gnutls26/libgnutls-openssl27_2.12.20-8+deb7u5_amd64.deb \
  http://archive.debian.org/debian/pool/main/g/gnutls26/libgnutls26-dbg_2.12.20-8+deb7u5_amd64.deb \
  http://archive.debian.org/debian/pool/main/g/gnutls26/libgnutls26_2.12.20-8+deb7u5_amd64.deb \
  http://archive.debian.org/debian/pool/main/g/gnutls26/libgnutlsxx27_2.12.20-8+deb7u5_amd64.deb \
  http://archive.debian.org/debian/pool/main/r/readline6/libreadline6_6.2+dfsg-0.1_amd64.deb \
  http://archive.debian.org/debian/pool/main/libg/libgcrypt11/libgcrypt11_1.5.0-5+deb7u4_amd64.deb \
  http://archive.debian.org/debian/pool/main/libt/libtasn1-3/libtasn1-3_2.13-2+deb7u2_amd64.deb \
  http://archive.debian.org/debian/pool/main/n/ncurses/libtinfo5_5.9-10_amd64.deb
# unpack each .deb into /tmp/OLDGNUTLS/x without installing anything system-wide
for i in /tmp/OLDGNUTLS/debs/*.deb ; do
  rm -f /tmp/OLDGNUTLS/tmp/*
  cd /tmp/OLDGNUTLS/tmp
  ar -x $i
  tar -C /tmp/OLDGNUTLS/x -xf data.tar.*
done
echo run ...
echo env LD_LIBRARY_PATH=/tmp/OLDGNUTLS/x/usr/lib:/tmp/OLDGNUTLS/x/usr/lib/x86_64-linux-gnu:/tmp/OLDGNUTLS/x/lib:/tmp/OLDGNUTLS/x/lib/x86_64-linux-gnu /tmp/OLDGNUTLS/x/usr/bin/gnutls-serv
```

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/811#note_199794403

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 03 Aug 2019 15:57:43 +0000
Subject: [gnutls-devel] GnuTLS | gcc 4.8: does not contain __get_cpuid_count() (#812)
In-Reply-To:
References:
Message-ID:

Will Tan commented on a discussion: https://gitlab.com/gnutls/gnutls/issues/812#note_199809841

Yeah, I disabled Pkcs11 support in order to compile smoothly. In addition, I tried to install "[p11-kit-0.23.16](https://github.com/p11-glue/p11-kit)", but it still prompted the same error; am I mistaken about the dependency?

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/812#note_199809841

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 03 Aug 2019 16:17:22 +0000
Subject: [gnutls-devel] GnuTLS | gnutls 3.6.9 fails to build: WARNING: 'autogen' is missing on your system. (#810)
In-Reply-To:
References:
Message-ID:

Andreas Metzler commented:

This should fix it:
```
diff --git a/src/Makefile.am b/src/Makefile.am
index 501bca58c..468ad3007 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -276,7 +276,7 @@ if NEED_LIBOPTS
 # case --enable-local-libopts: We do not call AUTOGEN unless the .bak files are missing
 .def.stamp:
 	@b=`echo $@ | sed 's/.stamp$$//'`; \
-	if ! test -f $${srcdir}$${b}.c.bak;then \
+	if ! test -f $(srcdir)/$${b}.c.bak;then \
 		echo "No .bak files found; will call autogen"; \
 		$(AM_V_GEN) $(AUTOGEN) $<; \
 	else \
```

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/810#note_199811096

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 03 Aug 2019 16:53:25 +0000
Subject: [gnutls-devel] GnuTLS | pk: implement deterministic ECDSA/DSA for provable signing (!1051)
In-Reply-To:
References:
Message-ID:

Daiki Ueno commented on a discussion on lib/crypto-backend.h: https://gitlab.com/gnutls/gnutls/merge_requests/1051#note_199813679

> int (*sign) (gnutls_pk_algorithm_t, gnutls_datum_t * signature,
> const gnutls_datum_t * data,
> const gnutls_pk_params_st *priv,
> - const gnutls_x509_spki_st *sign);
> + const gnutls_x509_spki_st *sign,
> + unsigned int flags);

Yes, I thought about it, but neither param seems to be a good fit for this flag: `gnutls_pk_params_st` is associated with the private key, so it lasts after signing, and `gnutls_x509_spki_st` is a public interface about SPKI, while deterministic signing has nothing to do with it. Also `privkey_sign_prehashed()` already takes a flag in addition to those params.

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1051#note_199813679
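Review bot: in the src/Makefile.am hunk, replacing the shell variable `$${srcdir}`, which nothing in this recipe sets, with the make variable `$(srcdir)` is the right fix, and the added `/` also supplies the path separator the old form lacked even when `srcdir` happened to be set; the `else` branch of the same rule, which lies outside the hunk's context, should be checked to use the identical `$(srcdir)/$${b}.c.bak` spelling when it copies the `.bak` file, so the existence test and the copy refer to the same path. A build-system test that runs `make` with the `.bak` files present and `autogen` absent, asserting that `$(AUTOGEN)` is never invoked, would have caught this regression, which only surfaced on hosts without `autogen`.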
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 03 Aug 2019 17:52:24 +0000
Subject: [gnutls-devel] GnuTLS | gnutls 3.6.9 fails to build: WARNING: 'autogen' is missing on your system. (#810)
In-Reply-To:
References:
Message-ID:

Emerson Bernier commented:

@ametzler I saw fix was already proposed in https://gitlab.com/gnutls/gnutls/commit/ea0f035e6b86d65027a2fa0975d50b4165a20e2a as a part of https://gitlab.com/gnutls/gnutls/merge_requests/1053 .

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/810#note_199821402
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 03 Aug 2019 20:11:28 +0000
Subject: [gnutls-devel] GnuTLS | WIP: do not forbid random padding in TLS1.x CBC ciphersuites (!1054)
References:
Message-ID:

Nikos Mavrogiannopoulos created a merge request: https://gitlab.com/gnutls/gnutls/merge_requests/1054

Project:Branches: nmav/gnutls:tmp-interop-old-gnutls to gnutls/gnutls:master
Author: Nikos Mavrogiannopoulos
Assignees:

This patch set includes a cleanup in the record size calculations, and accounts for random padding in TLS1.x CBC ciphersuites. This fixes interoperability with gnutls 2.12.x. A test suite is introduced to check against GnuTLS 2.12.x.

## Checklist

* [x] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [x] Code modified for feature
* [x] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
* [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:

* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1054
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 03 Aug 2019 20:13:40 +0000
Subject: [gnutls-devel] GnuTLS | Connection problems with older servers (record packet with invalid length was received) (#811)
In-Reply-To:
References:
Message-ID:

Nikos Mavrogiannopoulos commented:

Thank you Andreas! Based on your script I've updated the debian CI image, and I've created an MR to include such a test suite and fix the actual issue.

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/811#note_199829138

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 03 Aug 2019 20:29:47 +0000
Subject: [gnutls-devel] GnuTLS | Minor fixes in 3.6.9 release (!1053)
In-Reply-To:
References:
Message-ID:

Nikos Mavrogiannopoulos pushed new commits to merge request !1053
https://gitlab.com/gnutls/gnutls/merge_requests/1053

* 0dcb0c3c - src/Makefile.am: fix detection of .bak files
* cf0b4854 - read_cpuid_vals: made more portable

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1053
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 03 Aug 2019 20:50:03 +0000
Subject: [gnutls-devel] GnuTLS | WIP: do not forbid random padding in TLS1.x CBC ciphersuites (!1054)
In-Reply-To:
References:
Message-ID:

Nikos Mavrogiannopoulos pushed new commits to merge request !1054
https://gitlab.com/gnutls/gnutls/merge_requests/1054

* 99f184f8 - _gnutls_record_overhead: do not forbid random padding in TLS1.x CBC ciphersuites

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1054

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 03 Aug 2019 21:10:45 +0000
Subject: [gnutls-devel] GnuTLS | MAX_RECORD_SEND_SIZE: remove macro (#815)
References:
Message-ID:

Nikos Mavrogiannopoulos created an issue:

This macro is a duplicate of `max_record_send_size()` and is being used in only two occasions. Its difference is that it typically returns a less accurate and larger value.

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/815
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 04 Aug 2019 05:05:45 +0000
Subject: [gnutls-devel] GnuTLS | Minor fixes in 3.6.9 release (!1053)

Merge request https://gitlab.com/gnutls/gnutls/merge_requests/1053 was reviewed by Daiki Ueno

--
Daiki Ueno started a new discussion on src/Makefile.am: https://gitlab.com/gnutls/gnutls/merge_requests/1053#note_199847813

> # case --enable-local-libopts: We do not call AUTOGEN unless the .bak files are missing
> .def.stamp:
> @b=`echo $@ | sed 's/.stamp$$//'`; \

I would add `$(AM_V_GEN)` here, instead of inside the `if`, so `GEN foo.def` is always printed upon make.

--
Daiki Ueno started a new discussion on src/Makefile.am: https://gitlab.com/gnutls/gnutls/merge_requests/1053#note_199847814

> @b=`echo $@ | sed 's/.stamp$$//'`; \
> - if ! test -f $${srcdir}$${b}.c.bak;then \
> + if ! test -f $(srcdir)/$${b}.c.bak;then \

The original rule (still there below line 290) came from: https://www.gnu.org/savannah-checkouts/gnu/autoconf/manual/autoconf-2.69/autoconf.html#Installation-Directory-Variables

That said, the use of the shell variable `$srcdir` here was a bit redundant as automake always sets `$(srcdir)`.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1053
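Review bot: the removed test `if ! test -f $${srcdir}$${b}.c.bak` expands a shell variable that this recipe never sets, so `$${srcdir}` is empty and the check looks for `$${b}.c.bak` relative to the current directory, which only coincides with the source tree for in-tree builds (and even with the variable set, the path lacked a `/` separator); the `+` line's `$(srcdir)/$${b}.c.bak` is the right fix, but the `else` branch of the same rule, which the review says still carries the old form, should be converted in this MR too so the two halves of one rule do not locate the .bak file differently. Minor, on the unchanged context line: `sed 's/.stamp$$//'` leaves the `.` unescaped, so `s/\.stamp$$//` says what is meant, and `;then` wants a space after the semicolon.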
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 04 Aug 2019 05:21:39 +0000
Subject: [gnutls-devel] GnuTLS | Minor fixes in 3.6.9 release (!1053)

Andreas Metzler commented on a discussion on src/Makefile.am: https://gitlab.com/gnutls/gnutls/merge_requests/1053#note_199848362

> # case --enable-local-libopts: We do not call AUTOGEN unless the .bak files are missing
> .def.stamp:
> @b=`echo $@ | sed 's/.stamp$$//'`; \
> - if ! test -f $${srcdir}$${b}.c.bak;then \
> + if ! test -f $(srcdir)/$${b}.c.bak;then \

The autoconf example takes care to first /set/ the environment variable srcdir=$(srcdir) before trying to use it; the gnutls code did not.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1053#note_199848362
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 04 Aug 2019 06:47:46 +0000
Subject: [gnutls-devel] GnuTLS | Minor fixes in 3.6.9 release (!1053)

Daiki Ueno commented on a discussion on src/Makefile.am: https://gitlab.com/gnutls/gnutls/merge_requests/1053#note_199851463

> # case --enable-local-libopts: We do not call AUTOGEN unless the .bak files are missing
> .def.stamp:
> @b=`echo $@ | sed 's/.stamp$$//'`; \
> - if ! test -f $${srcdir}$${b}.c.bak;then \
> + if ! test -f $(srcdir)/$${b}.c.bak;then \

@ametzler I know, and I'm saying that it is unnecessary if we exclusively use `$(srcdir)`. I'd suggest rewriting the code below line 290 similarly.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1053#note_199851463

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 04 Aug 2019 11:43:37 +0000
Subject: [gnutls-devel] GnuTLS | git clone error on ubuntu 19.04 (#769)

BigGosh commented:

Hi, I hope the following info can help you and some other users. I changed the second ethernet port on the firewall (it's a simple USB-->ETH dongle) and now everything works fine. So the problem is in the old dongle chip driver or in the chip itself. Thanks

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/769#note_199886409
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 05 Aug 2019 08:12:38 +0000
Subject: [gnutls-devel] GnuTLS | Minor fixes in 3.6.9 release (!1053)

Tim Rühsen commented on a discussion on src/Makefile.am: https://gitlab.com/gnutls/gnutls/merge_requests/1053#note_200042875

> # case --enable-local-libopts: We do not call AUTOGEN unless the .bak files are missing
> .def.stamp:
> @b=`echo $@ | sed 's/.stamp$$//'`; \
> - if ! test -f $${srcdir}$${b}.c.bak;then \
> + if ! test -f $(srcdir)/$${b}.c.bak;then \

Just want to mention !809. It tests on Alpine from tarball without libopts/autogen. I somewhat dropped the ball for other issues... maybe we can finish it to have a CI test bed.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1053#note_200042875

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 05 Aug 2019 08:22:12 +0000
Subject: [gnutls-devel] GnuTLS | WIP: Add CI tarball build (!809)

Tim Rühsen pushed new commits to merge request !809
https://gitlab.com/gnutls/gnutls/merge_requests/809

* f0e4f8df...252540a7 - 411 commits from branch `master`
* 31ca5321 - Add CI tarball build
* 31a9e8de - SKIP tests/cert-tests/certtool on Alpine/Busybox

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/809
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 05 Aug 2019 08:40:19 +0000
Subject: [gnutls-devel] GnuTLS | pk: implement deterministic ECDSA/DSA for provable signing (!1051)

Nikos Mavrogiannopoulos commented on a discussion on lib/crypto-backend.h: https://gitlab.com/gnutls/gnutls/merge_requests/1051#note_200055390

> int (*sign) (gnutls_pk_algorithm_t, gnutls_datum_t * signature,
> const gnutls_datum_t * data,
> const gnutls_pk_params_st *priv,
> - const gnutls_x509_spki_st *sign);
> + const gnutls_x509_spki_st *sign,
> + unsigned int flags);

In RSA-PSS signatures `gnutls_privkey_sign_data` via `_gnutls_privkey_update_spki_params` does something similar for reproducible signatures by updating `gnutls_x509_spki_st`. I'd go for consistency in both cases; a documented flag parameter is fine as well.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1051#note_200055390
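Review bot: adding `unsigned int flags` to the `sign` member of the backend vtable changes the signature that every backend and the `_gnutls_pk_sign` dispatch macro rely on, so every implementation and struct initialiser must be updated in the same commit, and the hunk leaves the new parameter undocumented. State at the declaration which namespace of flags is accepted (the thread mentions both `GNUTLS_PK_FLAG_PROVABLE` and the privkey-level `GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE`, and passing one where the other is expected would go unnoticed at compile time) and what `0` means. Minor: the parameter named `sign` (the SPKI parameters) shadows the name of the `sign` member it belongs to; `sign_params`, as the `_gnutls_pk_sign` macro in lib/pk.h calls it, reads better.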
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 05 Aug 2019 08:46:40 +0000
Subject: [gnutls-devel] GnuTLS | pk: implement deterministic ECDSA/DSA for provable signing (!1051)

Nikos Mavrogiannopoulos commented on a discussion on lib/nettle/int/dsa-compute-k.c: https://gitlab.com/gnutls/gnutls/merge_requests/1051#note_200058306

> + uint8_t *xp = NULL;
> + uint8_t *hp = NULL;
> + uint8_t *tp = NULL;
> + mp_limb_t *h = NULL;
> + mp_size_t qn = mpz_size(q);
> + mp_size_t hn = (length + sizeof(mp_limb_t) - 1) / sizeof(mp_limb_t);
> + mp_bitcnt_t q_bits = mpz_sizeinbase (q, 2);
> + mp_bitcnt_t h_bits = length * 8;
> + size_t nbytes = (q_bits + 7) / 8;
> + const uint8_t c0 = 0x00;
> + const uint8_t c1 = 0x01;
> + mp_limb_t cy;
> + gnutls_hmac_hd_t hd;
> + int ret = 0;
> +
> + xp = gnutls_malloc(nbytes);

True, it seems that for DSA the maximum subgroup bits can be up to 512 (checking `algorithms/secparams.c` table), and that's close with the 521 in ECDSA. If we introduce such a maximum value we'd need an assert somewhere in sec-params.c so that any violation is caught early (e.g., in `tests/sec-params.c`).

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1051#note_200058306
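Review bot: `xp` receives the private key `x` serialised to `nbytes` for use as HMAC key material, and `tp` will hold the candidate nonce, so both are secrets that must be wiped (for example with `gnutls_memset` to zero) before being freed, as must the HMAC state `hd`, since a plain `gnutls_free` leaves a copy of the signing key in freed heap memory. The `gnutls_malloc(nbytes)` return value is not checked in the visible lines; with the 521-bit cap the review later agreed on, fixed-size buffers of `(521 + 7) / 8` bytes behind an explicit bound check would remove these allocation failure paths altogether. Also `h_bits = length * 8` assumes `length` is the digest size in bytes; a comment on the parameter would prevent it being read as a bit count.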
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 05 Aug 2019 09:01:36 +0000
Subject: [gnutls-devel] GnuTLS | WIP: do not forbid random padding in TLS1.x CBC ciphersuites (!1054)

Nikos Mavrogiannopoulos pushed new commits to merge request !1054
https://gitlab.com/gnutls/gnutls/merge_requests/1054

* 35ec1c73 - 1 commit from branch `master`

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1054

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 05 Aug 2019 09:01:39 +0000
Subject: [gnutls-devel] GnuTLS | WIP: do not forbid random padding in TLS1.x CBC ciphersuites (!1054)

Nikos Mavrogiannopoulos pushed new commits to merge request !1054
https://gitlab.com/gnutls/gnutls/merge_requests/1054

* 621951ab - _gnutls_epoch_set_keys: do not forbid random padding in TLS1.x CBC ciphersuites

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1054
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 05 Aug 2019 11:20:39 +0000
Subject: [gnutls-devel] GnuTLS | WIP: do not forbid random padding in TLS1.x CBC ciphersuites (!1054)

Nikos Mavrogiannopoulos pushed new commits to merge request !1054
https://gitlab.com/gnutls/gnutls/merge_requests/1054

* 63fb6570 - _gnutls_epoch_set_keys: do not forbid random padding in TLS1.x CBC ciphersuites

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1054

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 05 Aug 2019 11:24:30 +0000
Subject: [gnutls-devel] GnuTLS | Minor fixes in 3.6.9 release (!1053)

Nikos Mavrogiannopoulos pushed new commits to merge request !1053
https://gitlab.com/gnutls/gnutls/merge_requests/1053

* 70fc3866...252540a7 - 2 commits from branch `master`
* 05ec1133 - configure: AS_HELP_STRING cannot print variables; don't try
* 11dc122e - src/Makefile.am: fix detection of .bak files
* ed2c9180 - read_cpuid_vals: made more portable

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1053
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 05 Aug 2019 12:03:20 +0000
Subject: [gnutls-devel] GnuTLS | Do not forbid random padding in TLS1.x CBC ciphersuites (!1054)

Milestone changed to Release of GnuTLS 3.6.10 (Jul 26, 2019–Sep 25, 2019) ( https://gitlab.com/gnutls/gnutls/-/milestones/24 )

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1054

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 05 Aug 2019 12:05:55 +0000
Subject: [gnutls-devel] GnuTLS | Do not forbid random padding in TLS1.x CBC ciphersuites (!1054)

Nikos Mavrogiannopoulos pushed new commits to merge request !1054
https://gitlab.com/gnutls/gnutls/merge_requests/1054

* 4c8b0612 - tests: added interoperability test with gnutls 2.12.x
* 95291ee8 - _gnutls_epoch_set_keys: do not forbid random padding in TLS1.x CBC ciphersuites

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1054
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 05 Aug 2019 12:48:33 +0000
Subject: [gnutls-devel] GnuTLS | Do not forbid random padding in TLS1.x CBC ciphersuites (!1054)

Nikos Mavrogiannopoulos pushed new commits to merge request !1054
https://gitlab.com/gnutls/gnutls/merge_requests/1054

* 4428cdef - _gnutls_epoch_set_keys: do not forbid random padding in TLS1.x CBC ciphersuites

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1054

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 05 Aug 2019 13:03:28 +0000
Subject: [gnutls-devel] GnuTLS | Do not forbid random padding in TLS1.x CBC ciphersuites (!1054)

Nikos Mavrogiannopoulos pushed new commits to merge request !1054
https://gitlab.com/gnutls/gnutls/merge_requests/1054

* 4818fde5 - tests: added interoperability test with gnutls 2.12.x
* bfd39e7d - _gnutls_epoch_set_keys: do not forbid random padding in TLS1.x CBC ciphersuites

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1054
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 05 Aug 2019 14:22:27 +0000
Subject: [gnutls-devel] GnuTLS | Minor fixes in 3.6.9 release (!1053)

Nikos Mavrogiannopoulos commented:

Thanks for the comments. What do you think of `get_cpuid_level7()`? I would have liked to use the `__get_cpuid_count` macro when available, but I cannot see an obvious way to check for an inline static function in autoconf.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1053#note_200150427

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 05 Aug 2019 14:23:57 +0000
Subject: [gnutls-devel] GnuTLS | Minor fixes in 3.6.9 release (!1053)

Nikos Mavrogiannopoulos commented on a discussion on src/Makefile.am: https://gitlab.com/gnutls/gnutls/merge_requests/1053#note_200155636

> # case --enable-local-libopts: We do not call AUTOGEN unless the .bak files are missing
> .def.stamp:
> @b=`echo $@ | sed 's/.stamp$$//'`; \

Done.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1053#note_200155636
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 05 Aug 2019 14:24:57 +0000
Subject: [gnutls-devel] GnuTLS | support non-NULL-terminated PSKs (!917)

Nikos Mavrogiannopoulos commented:

If the issue is on these platforms only, I'd say it should be something related to endianness, or unaligned read/write. The failure is on `psk-file.c` only but artifacts from the build were removed quite some time ago though. You can reproduce this build locally with docker: `docker run -ti registry.gitlab.com/gnutls/build-images:buildenv-debian-cross /bin/bash` (or podman) and then follow the build steps as in `.gitlab-ci.yml` `Debian.cross.mips-linux-gnu`.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/917#note_200158882

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 05 Aug 2019 14:46:34 +0000
Subject: [gnutls-devel] GnuTLS | pk: implement deterministic ECDSA/DSA for provable signing (!1051)

Daiki Ueno pushed new commits to merge request !1051
https://gitlab.com/gnutls/gnutls/merge_requests/1051

* abad8b6f - nettle: add functions for deterministic ECDSA/DSA
* 69a07e4d - privkey_sign_raw_data: remove unnecessary local variable
* 49c6f14a - pk: implement deterministic ECDSA/DSA
* 56ee44a9 - nettle: enable deterministic ECDSA/DSA during FIPS selftests

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1051
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 05 Aug 2019 14:47:08 +0000
Subject: [gnutls-devel] GnuTLS | Minor fixes in 3.6.9 release (!1053)

Tim Rühsen commented:

Try something like this?

```
# check for gcc's atomic read-add-write functionality
AC_MSG_CHECKING([for __sync_fetch_and_add (int)])
AC_LINK_IFELSE(
  [AC_LANG_SOURCE([
    int main(void) { return __sync_fetch_and_add((int *)0, 0); }
  ])],
  [AC_DEFINE([WITH_SYNC_FETCH_AND_ADD], [1], [use __sync_fetch_and_add])
   AC_MSG_RESULT([yes])],
  [AC_MSG_RESULT([no])]
)
```

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1053#note_200244406

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 05 Aug 2019 14:48:22 +0000
Subject: [gnutls-devel] GnuTLS | pk: implement deterministic ECDSA/DSA for provable signing (!1051)

Daiki Ueno pushed new commits to merge request !1051
https://gitlab.com/gnutls/gnutls/merge_requests/1051

* bfa1531d - pk: implement deterministic ECDSA/DSA
* 35640543 - nettle: enable deterministic ECDSA/DSA during FIPS selftests

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1051
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 05 Aug 2019 14:49:17 +0000
Subject: [gnutls-devel] GnuTLS | pk: implement deterministic ECDSA/DSA for provable signing (!1051)

All discussions on Merge Request !1051 were resolved by Daiki Ueno
https://gitlab.com/gnutls/gnutls/merge_requests/1051

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1051
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 05 Aug 2019 14:49:13 +0000
Subject: [gnutls-devel] GnuTLS | pk: implement deterministic ECDSA/DSA for provable signing (!1051)

Merge request https://gitlab.com/gnutls/gnutls/merge_requests/1051 was reviewed by Daiki Ueno

--
Daiki Ueno commented on a discussion on lib/pk.h: https://gitlab.com/gnutls/gnutls/merge_requests/1051#note_200247283

> #define _gnutls_pk_decrypt( algo, ciphertext, plaintext, params) _gnutls_pk_ops.decrypt( algo, ciphertext, plaintext, params)
> #define _gnutls_pk_decrypt2( algo, ciphertext, plaintext, size, params) _gnutls_pk_ops.decrypt2( algo, ciphertext, plaintext, size, params)
> -#define _gnutls_pk_sign( algo, sig, data, params, sign_params) _gnutls_pk_ops.sign( algo, sig, data, params, sign_params)

I've added a comment in the `gnutls_crypto_pk` structure.

--
Daiki Ueno commented on a discussion on lib/crypto-backend.h: https://gitlab.com/gnutls/gnutls/merge_requests/1051#note_200247287

> - const gnutls_x509_spki_st *sign);
> + const gnutls_x509_spki_st *sign,
> + unsigned int flags);

The salt size is still related to SPKI, while deterministic signatures are not. I ended up with the documentation fix.

--
Daiki Ueno commented on a discussion on lib/nettle/int/dsa-compute-k.c: https://gitlab.com/gnutls/gnutls/merge_requests/1051#note_200247292

> + int ret = 0;
> +
> + xp = gnutls_malloc(nbytes);

OK, I've limited the maximum to 521 bits and mentioned the limit in the `GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE` flag documentation.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1051
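Review bot: only the removal of the five-argument `_gnutls_pk_sign` macro is visible, so the replacement's arity cannot be checked here; whatever form it takes, keep the macro's argument names aligned with the vtable in crypto-backend.h (`sign_params` here against `sign` there) and document the `flags` argument on this macro as well as in the `gnutls_crypto_pk` structure, since the macro is the call site the rest of the library goes through. The `decrypt`/`decrypt2` macros in the context lines are rightly untouched: only signing takes a deterministic-nonce flag.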
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 05 Aug 2019 14:50:45 +0000
Subject: [gnutls-devel] GnuTLS | pk: implement deterministic ECDSA/DSA for provable signing (!1051)

Daiki Ueno commented on a discussion: https://gitlab.com/gnutls/gnutls/merge_requests/1051#note_200248424

For TLS, while it's possible, I'm not sure if it is useful, because randomness is always needed in TLS. For self-tests, I've enabled it in 3564054379e5985951ca78605f89f5759fa8707b. @smuellerDD could you double check?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1051#note_200248424

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 05 Aug 2019 18:40:29 +0000
Subject: [gnutls-devel] GnuTLS | pk: implement deterministic ECDSA/DSA for provable signing (!1051)

Nikos Mavrogiannopoulos started a new discussion on lib/nettle/pk.c: https://gitlab.com/gnutls/gnutls/merge_requests/1051#note_200338083

> }
>
> mpz_init(k);
> - if (flags & GNUTLS_PK_FLAG_PROVABLE) {

Isn't it clearer to pass the provable flag from the self test directly, rather than change the behavior of this function depending on the library state? This seems to me more on par with the rest of this file, which doesn't change behavior (only sets the error state on error).

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1051#note_200338083
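Review bot: removing `if (flags & GNUTLS_PK_FLAG_PROVABLE)` so that the deterministic-nonce path is chosen from library state rather than from the caller's flag makes `_wrap_nettle_pk_sign()` return different signatures for identical arguments depending on global mode, which is hard to cover in unit tests and easy to regress; as the comment proposes, have the self-test pass the flag explicitly and keep this function's behaviour a function of its arguments. Whichever way it is resolved, `mpz_init(k)` sits immediately before the branch, so every error path after it must still reach `mpz_clear(k)`, and `k` should be zeroized before clearing, since a leaked nonce reveals the private key.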
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 05 Aug 2019 18:46:23 +0000
Subject: [gnutls-devel] GnuTLS | Connection problems with older servers (record packet with invalid length was received) (#811)

Reassigned Issue 811 https://gitlab.com/gnutls/gnutls/issues/811

Assignee changed to Nikos Mavrogiannopoulos

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/811

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 05 Aug 2019 18:49:44 +0000
Subject: [gnutls-devel] GnuTLS | optional: Support for deterministic ECDSA (#94)

Nikos Mavrogiannopoulos commented:

@oerdnj do you remember what use case you were interested in?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/94#note_200340347
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 05 Aug 2019 18:58:00 +0000
Subject: [gnutls-devel] GnuTLS | Minor fixes in 3.6.9 release (!1053)

Nikos Mavrogiannopoulos pushed new commits to merge request !1053
https://gitlab.com/gnutls/gnutls/merge_requests/1053

* ef80617d - read_cpuid_vals: use __get_cpuid_count() only when available

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1053

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 05 Aug 2019 19:00:18 +0000
Subject: [gnutls-devel] GnuTLS | Minor fixes in 3.6.9 release (!1053)

Nikos Mavrogiannopoulos commented:

Thank you. It seems to do the trick!

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1053#note_200343162
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 05 Aug 2019 19:00:34 +0000
Subject: [gnutls-devel] GnuTLS | Minor fixes in 3.6.9 release (!1053)

All discussions on Merge Request !1053 were resolved by Nikos Mavrogiannopoulos
https://gitlab.com/gnutls/gnutls/merge_requests/1053

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1053

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 05 Aug 2019 19:01:54 +0000
Subject: [gnutls-devel] GnuTLS | Minor fixes in 3.6.9 release (!1053)

Nikos Mavrogiannopoulos commented on a discussion on src/Makefile.am: https://gitlab.com/gnutls/gnutls/merge_requests/1053#note_200343544

> # case --enable-local-libopts: We do not call AUTOGEN unless the .bak files are missing
> .def.stamp:
> @b=`echo $@ | sed 's/.stamp$$//'`; \
> - if ! test -f $${srcdir}$${b}.c.bak;then \
> + if ! test -f $(srcdir)/$${b}.c.bak;then \

Unless I'm misunderstanding, it is fine to use `$(srcdir)` in that part of the code so I'm resolving this. Please re-open if I misunderstood and you are suggesting a different way.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1053#note_200343544
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 05 Aug 2019 19:19:51 +0000
Subject: [gnutls-devel] GnuTLS | pk: implement deterministic ECDSA/DSA for provable signing (!1051)

Daiki Ueno commented on a discussion on lib/nettle/pk.c: https://gitlab.com/gnutls/gnutls/merge_requests/1051#note_200347747

> }
>
> mpz_init(k);
> - if (flags & GNUTLS_PK_FLAG_PROVABLE) {

That would be cleaner, while I am not completely sure if it is okay from the FIPS point of view.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1051#note_200347747

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 05 Aug 2019 19:22:10 +0000
Subject: [gnutls-devel] GnuTLS | Minor fixes in 3.6.9 release (!1053)

Daiki Ueno commented on a discussion on src/Makefile.am: https://gitlab.com/gnutls/gnutls/merge_requests/1053#note_200348337

> # case --enable-local-libopts: We do not call AUTOGEN unless the .bak files are missing
> .def.stamp:
> @b=`echo $@ | sed 's/.stamp$$//'`; \
> - if ! test -f $${srcdir}$${b}.c.bak;then \
> + if ! test -f $(srcdir)/$${b}.c.bak;then \

It would be nice if the `else` block were also rewritten, but it looks fine.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1053#note_200348337
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 05 Aug 2019 20:20:47 +0000
Subject: [gnutls-devel] GnuTLS | optional: Support for deterministic ECDSA (#94)

Ondřej Surý commented:

I am quite sure it was DNSSEC in Knot DNS. Especially with on-the-fly signing. Now I am waiting for the same thing in OpenSSL for BIND 9 ;). ECDSA is too fragile when a weak PRNG is used - think of spinning up multiple VM guests with the same seed from the image. That might leak the private key pretty quickly if the timing is right.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/94#note_200367633
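The nonce derivation reviewed in the dsa-compute-k.c discussion above, and the reason Ondřej gives for wanting it (a signature nonce that does not depend on the process PRNG), as an added worked example in Python that is not part of this thread or of GnuTLS. It implements the RFC 6979 HMAC-DRBG construction that the hunk's `xp`, `hp`, `c0` and `c1` variables correspond to (int2octets(x), bits2octets(h1) and the 0x00/0x01 separator bytes), derives k for the P-256 vector from RFC 6979 appendix A.2.5, and shows that the result is reproducible and, because of the bits2octets step, still well defined when the hash is longer than q, the case raised later in the thread. The constants are the P-256 group order and the RFC's test private key; all function and variable names are this example's own.

```python
"""RFC 6979 deterministic nonce generation for (EC)DSA, as a stand-alone
illustration of the construction in dsa-compute-k.c.  Added example, not
GnuTLS code.  Test values are from RFC 6979 appendix A.2.5 (P-256)."""
import hashlib
import hmac

# P-256 group order n (the hunk's "q") and the private key x that the
# RFC 6979 P-256 test vectors use.
P256_N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
RFC6979_X = 0xC9AFA9D845BA75166B5C215767B1D6934E50C3DB36E89B127B8A622B120F6721
# Expected k for message "sample" with SHA-256 (RFC 6979, A.2.5).
RFC6979_K_SHA256_SAMPLE = 0xA6E3C57DD01ABE90086538398355DD4C3B17AA873382B0F24D6129493D8AAD60


def bits2int(b: bytes, qlen: int) -> int:
    """RFC 6979 2.3.2: keep only the leftmost qlen bits of b as an integer."""
    v = int.from_bytes(b, "big")
    blen = len(b) * 8
    return v >> (blen - qlen) if blen > qlen else v


def int2octets(x: int, qlen: int) -> bytes:
    """RFC 6979 2.3.3: fixed-width big-endian encoding of ceil(qlen/8) bytes
    (the hunk's nbytes = (q_bits + 7) / 8 and its xp buffer)."""
    return x.to_bytes((qlen + 7) // 8, "big")


def bits2octets(h1: bytes, q: int, qlen: int) -> bytes:
    """RFC 6979 2.3.4: truncate the hash to qlen bits, reduce once mod q,
    then encode; this is what makes a SHA-512 digest usable with a 256-bit q."""
    z1 = bits2int(h1, qlen)
    z2 = z1 - q
    return int2octets(z1 if z2 < 0 else z2, qlen)


def generate_k(q: int, x: int, h1: bytes, hash_name: str = "sha256") -> int:
    """RFC 6979 3.2: derive k in [1, q-1] from the private key and the message
    hash alone, with no randomness, using HMAC-DRBG over hash_name."""
    qlen = q.bit_length()
    hlen = hashlib.new(hash_name).digest_size

    def H(key: bytes, data: bytes) -> bytes:
        return hmac.new(key, data, hash_name).digest()

    m = int2octets(x, qlen) + bits2octets(h1, q, qlen)
    V = b"\x01" * hlen                 # step b
    K = b"\x00" * hlen                 # step c
    K = H(K, V + b"\x00" + m)          # step d: separator byte c0 = 0x00
    V = H(K, V)                        # step e
    K = H(K, V + b"\x01" + m)          # step f: separator byte c1 = 0x01
    V = H(K, V)                        # step g
    while True:                        # step h
        T = b""
        while len(T) * 8 < qlen:
            V = H(K, V)
            T += V
        k = bits2int(T, qlen)
        if 1 <= k < q:
            return k
        # Candidate out of range: re-key and try again (rare for a 256-bit q).
        K = H(K, V + b"\x00")
        V = H(K, V)


def demo() -> dict:
    """Derive k for the RFC vector and check the properties the thread cares about."""
    h_sha256 = hashlib.sha256(b"sample").digest()
    h_sha512 = hashlib.sha512(b"sample").digest()       # 512-bit hash, 256-bit q
    k1 = generate_k(P256_N, RFC6979_X, h_sha256)
    k2 = generate_k(P256_N, RFC6979_X, h_sha256)        # same inputs: same k
    k3 = generate_k(P256_N, RFC6979_X, h_sha512, "sha512")
    k4 = generate_k(P256_N, RFC6979_X, hashlib.sha256(b"test").digest())
    return {
        "matches_rfc_vector": k1 == RFC6979_K_SHA256_SAMPLE,
        "reproducible": k1 == k2,
        "sha512_in_range": 1 <= k3 < P256_N,
        "different_message_different_k": k1 != k4,
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The derivation consumes only x and H(m), so two guests cloned from one image with the same PRNG seed still produce distinct nonces for distinct messages and never repeat a nonce across messages, which is the failure mode Ondřej describes. The 521-bit cap agreed on in the review corresponds to the fixed buffer size an implementation in C needs for `int2octets`; Python's arbitrary-width integers make that bound unnecessary here.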
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 06 Aug 2019 08:57:51 +0000
Subject: [gnutls-devel] GnuTLS | pk: implement deterministic ECDSA/DSA for provable signing (!1051)

Daiki Ueno commented on a discussion on lib/crypto-backend.h: https://gitlab.com/gnutls/gnutls/merge_requests/1051#note_200585519

> int (*sign) (gnutls_pk_algorithm_t, gnutls_datum_t * signature,
> const gnutls_datum_t * data,
> const gnutls_pk_params_st *priv,
> - const gnutls_x509_spki_st *sign);
> + const gnutls_x509_spki_st *sign,
> + unsigned int flags);

I realized that the current code is not correct when the hash algorithm doesn't match the q parameter. To support these exceptional cases we also need to propagate the hash algorithm to `_wrap_nettle_pk_sign()`. Maybe extending `gnutls_x509_spki_st` (or wrapping it in a new struct) would be simpler to implement.

From gnutls-devel at lists.gnutls.org Tue Aug 6 14:07:53 2019
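Review bot: adding `unsigned int flags` to the `sign` callback in lib/crypto-backend.h changes the signature of every backend, so each implementation and call site has to change in the same commit or the build breaks, and the header should say which flag values the callback accepts. Since the reply notes that the digest must also reach `_wrap_nettle_pk_sign()`, carrying both the flags and the digest in `gnutls_x509_spki_st` (as proposed) avoids growing the callback a second time.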
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 06 Aug 2019 12:07:53 +0000
Subject: [gnutls-devel] GnuTLS | Notes about Ubuntu specific software versions not available. (!1029)

Merge Request !1029 was merged
Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/1029
Branches: kaoh/gnutls:patch-1 to gnutls/gnutls:master
Author: Karsten Ohme

From gnutls-devel at lists.gnutls.org Tue Aug 6 14:08:01 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 06 Aug 2019 12:08:01 +0000
Subject: [gnutls-devel] GnuTLS | Notes about Ubuntu specific software versions not available. (!1029)

Milestone changed to Release of GnuTLS 3.6.10 (Jul 26, 2019 – Sep 25, 2019) ( https://gitlab.com/gnutls/gnutls/-/milestones/24 )

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1029

From gnutls-devel at lists.gnutls.org Tue Aug 6 14:35:04 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 06 Aug 2019 12:35:04 +0000
Subject: [gnutls-devel] GnuTLS | Do not forbid excess random padding in TLS1.x CBC ciphersuites (!1054)

Nikos Mavrogiannopoulos pushed new commits to merge request !1054
https://gitlab.com/gnutls/gnutls/merge_requests/1054

* e2e9d29d...e6c99320 - 2 commits from branch `master`
* e399063e - tests: added interoperability test with gnutls 2.12.x
* 1ac32702 - _gnutls_epoch_set_keys: do not forbid random padding in TLS1.x CBC ciphersuites

From gnutls-devel at lists.gnutls.org Tue Aug 6 15:05:22 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 06 Aug 2019 13:05:22 +0000
Subject: [gnutls-devel] GnuTLS | Undefined symbol for ___get_cpuid_count when building on macOS Sierra (#816)

Caleb Xu created an issue:

## Description of problem:

Building `gnutls` 3.6.9 fails on macOS Sierra with error:

```
Undefined symbols for architecture x86_64:
  "___get_cpuid_count", referenced from:
      _register_x86_crypto in libaccelerated.a(x86-common.o)
```

## Version of gnutls used:

3.6.9

## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)

From source tarball, testing in CI for updating the Homebrew package manager with `gnutls` 3.6.9. Associated change on the Homebrew side: https://github.com/Homebrew/homebrew-core/pull/42779

## How reproducible:

Steps to Reproduce:

* Download and unpack 3.6.9 tarball (https://www.gnupg.org/ftp/gcrypt/gnutls/v3.6/gnutls-3.6.9.tar.xz)
* `./configure --disable-dependency-tracking --disable-silent-rules --disable-static --prefix=#{prefix} --sysconfdir=#{etc} --with-default-trust-store-file=#{etc}/openssl/cert.pem --disable-guile --disable-heartbeat-support --with-p11-kit`
* `make install`

## Actual results:

```
Undefined symbols for architecture x86_64:
  "___get_cpuid_count", referenced from:
      _register_x86_crypto in libaccelerated.a(x86-common.o)
```

## Expected results:

Successful compilation.

---

Based on my limited understanding from googling this particular error, it seems that the symbol in question was added into `clang` starting in `llvm` 5.0.0. macOS Sierra ships with a toolchain derived from `llvm` 4.0.0, so the symbol is not available.

I have attempted to use `gcc` to build it instead, but `gcc` does not seem to like some of the macOS Security framework that `gnutls` links against:

```
In file included from /System/Library/Frameworks/Security.framework/Headers/AuthSession.h:32,
                 from /System/Library/Frameworks/Security.framework/Headers/Security.h:43,
                 from system/certs.c:49:
/System/Library/Frameworks/Security.framework/Headers/Authorization.h:192:7: error: variably modified 'bytes' at file scope
  192 |  char bytes[kAuthorizationExternalFormLength];
      |       ^~~~~
```

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/816

From gnutls-devel at lists.gnutls.org Tue Aug 6 15:51:58 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 06 Aug 2019 13:51:58 +0000
Subject: [gnutls-devel] GnuTLS | Undefined symbol for ___get_cpuid_count when building on macOS Sierra (#816)

Tim Rühsen commented:

This has been addressed in !1053. If you are able to build from git, it would be nice if you could test branch `tmp-fixes`.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/816#note_200723643

From gnutls-devel at lists.gnutls.org Tue Aug 6 15:53:48 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 06 Aug 2019 13:53:48 +0000
Subject: [gnutls-devel] GnuTLS | Minor fixes in 3.6.9 release (!1053)

Merge Request !1053 was approved by Tim Rühsen
Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/1053
Branches: tmp-fixes to master
Author: Nikos Mavrogiannopoulos

From gnutls-devel at lists.gnutls.org Tue Aug 6 16:00:20 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 06 Aug 2019 14:00:20 +0000
Subject: [gnutls-devel] GnuTLS | Minor fixes in 3.6.9 release (!1053)

Merge Request !1053 was merged
Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/1053
Branches: tmp-fixes to master
Author: Nikos Mavrogiannopoulos

From gnutls-devel at lists.gnutls.org Tue Aug 6 16:00:23 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 06 Aug 2019 14:00:23 +0000
Subject: [gnutls-devel] GnuTLS | gnutls 3.6.9 fails to build: WARNING: 'autogen' is missing on your system. (#810)

Issue was closed by Nikos Mavrogiannopoulos via merge request !1053 (https://gitlab.com/gnutls/gnutls/merge_requests/1053)
Issue #810: https://gitlab.com/gnutls/gnutls/issues/810

From gnutls-devel at lists.gnutls.org Tue Aug 6 16:00:25 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 06 Aug 2019 14:00:25 +0000
Subject: [gnutls-devel] GnuTLS | gcc 4.8: does not contain __get_cpuid_count() (#812)

Issue was closed by Nikos Mavrogiannopoulos via merge request !1053 (https://gitlab.com/gnutls/gnutls/merge_requests/1053)
Issue #812: https://gitlab.com/gnutls/gnutls/issues/812

From gnutls-devel at lists.gnutls.org Tue Aug 6 16:39:41 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 06 Aug 2019 14:39:41 +0000
Subject: [gnutls-devel] GnuTLS | Undefined symbol for ___get_cpuid_count when building on macOS Sierra (#816)

Nikos Mavrogiannopoulos commented:

Closing as already addressed. Please re-open if not.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/816#note_200748801

From gnutls-devel at lists.gnutls.org Tue Aug 6 16:39:45 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 06 Aug 2019 14:39:45 +0000
Subject: [gnutls-devel] GnuTLS | Undefined symbol for ___get_cpuid_count when building on macOS Sierra (#816)

Issue was closed by Nikos Mavrogiannopoulos
Issue #816: https://gitlab.com/gnutls/gnutls/issues/816

From gnutls-devel at lists.gnutls.org Wed Aug 7 00:16:31 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 06 Aug 2019 22:16:31 +0000
Subject: [gnutls-devel] GnuTLS | Undefined symbol for ___get_cpuid_count when building on macOS Sierra (#816)

Caleb Xu commented on a discussion: https://gitlab.com/gnutls/gnutls/issues/816#note_200894217

I'm not able to build in the CI environment from Git at the moment, but I've applied the patch for the relevant commit in the merge request, and the build is passing where it was failing before.

From gnutls-devel at lists.gnutls.org Wed Aug 7 13:58:44 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 07 Aug 2019 11:58:44 +0000
Subject: [gnutls-devel] GnuTLS | gnutls 3.6.9 fails to build: WARNING: 'autogen' is missing on your system. (#810)

Emerson Bernier commented:

@nmav Hi, I applied https://gitlab.com/gnutls/gnutls/commit/11dc122ebd3f6acd87fffa0b6bceb8606787d3fe to gnutls 3.6.9 and built in a separate dir, and it still [fails](https://gitlab.com/freedesktop-sdk/freedesktop-sdk/-/jobs/267216286) the same way as before. Did I miss something?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/810#note_201108130

From gnutls-devel at lists.gnutls.org Wed Aug 7 14:38:09 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 07 Aug 2019 12:38:09 +0000
Subject: [gnutls-devel] GnuTLS | pk: implement deterministic ECDSA/DSA for provable signing (!1051)

Daiki Ueno pushed new commits to merge request !1051
https://gitlab.com/gnutls/gnutls/merge_requests/1051

* 25b6dad6 - nettle: add functions for deterministic ECDSA/DSA
* 20536e48 - privkey_sign_raw_data: remove unnecessary local variable
* d7fa2d32 - privkey_sign_prehashed: remove unused argument
* 609a0152 - pk: implement deterministic ECDSA/DSA
* 49b47b48 - nettle: enable deterministic ECDSA/DSA during FIPS selftests

From gnutls-devel at lists.gnutls.org Wed Aug 7 14:39:48 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 07 Aug 2019 12:39:48 +0000
Subject: [gnutls-devel] GnuTLS | pk: implement deterministic ECDSA/DSA for provable signing (!1051)

Daiki Ueno commented on a discussion on lib/crypto-backend.h: https://gitlab.com/gnutls/gnutls/merge_requests/1051#note_201127090

> int (*sign) (gnutls_pk_algorithm_t, gnutls_datum_t * signature,
> const gnutls_datum_t * data,
> const gnutls_pk_params_st *priv,
> - const gnutls_x509_spki_st *sign);
> + const gnutls_x509_spki_st *sign,
> + unsigned int flags);

Moved flags to `gnutls_x509_spki_st` and added `dsa_sig` field there.

From gnutls-devel at lists.gnutls.org Wed Aug 7 15:39:57 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 07 Aug 2019 13:39:57 +0000
Subject: [gnutls-devel] GnuTLS | pk: implement deterministic ECDSA/DSA for provable signing (!1051)

Stephan Mueller commented:

The patches would not violate FIPS requirements. However, the FIPS Security Policy would need to state that the GNUTLS_PK_FLAG_PROVABLE flag must not be used. You could prevent such a statement if you disallow that flag in FIPS mode.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1051#note_201160974

From gnutls-devel at lists.gnutls.org Wed Aug 7 15:57:19 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 07 Aug 2019 13:57:19 +0000
Subject: [gnutls-devel] GnuTLS | pk: implement deterministic ECDSA/DSA for provable signing (!1051)

Daiki Ueno pushed new commits to merge request !1051
https://gitlab.com/gnutls/gnutls/merge_requests/1051

* c927b93f - nettle: prohibit deterministic ECDSA/DSA under FIPS except selftests

From gnutls-devel at lists.gnutls.org Wed Aug 7 16:01:39 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 07 Aug 2019 14:01:39 +0000
Subject: [gnutls-devel] GnuTLS | pk: implement deterministic ECDSA/DSA for provable signing (!1051)

Daiki Ueno commented on a discussion: https://gitlab.com/gnutls/gnutls/merge_requests/1051#note_201172456

@smuellerDD would [something like this](c927b93fc947dac1aa6ef0ca7cdcb7cee9138cba) work?

From gnutls-devel at lists.gnutls.org Wed Aug 7 16:13:07 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 07 Aug 2019 14:13:07 +0000
Subject: [gnutls-devel] GnuTLS | pk: implement deterministic ECDSA/DSA for provable signing (!1051)

Stephan Mueller commented:

That patch would solve my remark.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1051#note_201178764

From gnutls-devel at lists.gnutls.org Wed Aug 7 17:27:07 2019
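An added illustration (not GnuTLS or Nettle code) that ties together three points from this thread: the weak-PRNG fragility Ondřej describes in #94, Daiki's case of a hash that does not match the size of q, and the FIPS gate Stephan asked for. It derives the ECDSA nonce from the private key and the message hash in the style of RFC 6979 (assumed here to be the construction !1051 implements; the thread does not name it), handles a SHA-512 hash on P-256 through the `bits2int` truncation step, and refuses the deterministic path when `fips_mode` is set. Curve constants are the public NIST P-256 parameters; the key and message are constructed sample values, and nothing is constant time.

```python
"""Deterministic ECDSA on P-256 with an RFC 6979 style nonce and a FIPS-mode
gate.  Added illustration for this thread, not GnuTLS or Nettle code."""
import hashlib
import hmac
import secrets

# NIST P-256 domain parameters (public constants); b is not needed here.
P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
A = P - 3
Q = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
G = (0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296,
     0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5)
QLEN = Q.bit_length()       # 256 bits
RLEN = (QLEN + 7) // 8      # 32 bytes

def point_add(p1, p2):
    """Affine point addition; None stands for the point at infinity."""
    if p1 is None or p2 is None:
        return p1 if p2 is None else p2
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def scalar_mult(k, point):
    """Double-and-add; not constant time, which is fine for an illustration."""
    result = None
    while k:
        if k & 1:
            result = point_add(result, point)
        point = point_add(point, point)
        k >>= 1
    return result

def bits2int(data):
    """RFC 6979 2.3.2: keep the leftmost QLEN bits, so a hash longer than q
    (SHA-512 on P-256, the mismatch case from the thread) is truncated."""
    excess = len(data) * 8 - QLEN
    value = int.from_bytes(data, "big")
    return value >> excess if excess > 0 else value

def rfc6979_nonces(priv, h1, hashname):
    """Yield candidate nonces from HMAC_DRBG seeded with the private key and
    the message hash (RFC 6979 3.2); no system RNG is consulted at all."""
    mac = lambda key, msg: hmac.new(key, msg, hashname).digest()
    hlen = hashlib.new(hashname).digest_size
    v, k = b"\x01" * hlen, b"\x00" * hlen
    # int2octets(priv) || bits2octets(h1), each RLEN bytes big-endian
    seed = priv.to_bytes(RLEN, "big") + (bits2int(h1) % Q).to_bytes(RLEN, "big")
    k = mac(k, v + b"\x00" + seed)
    v = mac(k, v)
    k = mac(k, v + b"\x01" + seed)
    v = mac(k, v)
    while True:
        t = b""
        while len(t) * 8 < QLEN:
            v = mac(k, v)
            t += v
        candidate = bits2int(t)
        if 1 <= candidate < Q:
            yield candidate        # the caller asks again only if r or s is 0
        k = mac(k, v + b"\x00")
        v = mac(k, v)

def sign(priv, message, hashname="sha256", deterministic=True, fips_mode=False):
    """ECDSA signing; the fips_mode gate mirrors the thread's decision to
    refuse the deterministic path when FIPS mode is on."""
    if fips_mode and deterministic:
        raise PermissionError("deterministic ECDSA/DSA is refused in FIPS mode")
    h1 = hashlib.new(hashname, message).digest()
    e = bits2int(h1) % Q
    if deterministic:
        nonces = rfc6979_nonces(priv, h1, hashname)
    else:
        nonces = iter(lambda: secrets.randbelow(Q - 1) + 1, None)
    for k in nonces:
        r = scalar_mult(k, G)[0] % Q
        s = pow(k, -1, Q) * (e + r * priv) % Q
        if r and s:
            return r, s

def verify(pub, message, sig, hashname="sha256"):
    r, s = sig
    if not (0 < r < Q and 0 < s < Q):
        return False
    e = bits2int(hashlib.new(hashname, message).digest()) % Q
    w = pow(s, -1, Q)
    point = point_add(scalar_mult(e * w % Q, G), scalar_mult(r * w % Q, pub))
    return point is not None and point[0] % Q == r

# Constructed sample key (not a real key) and message.
PRIV = 0x0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF
PUB = scalar_mult(PRIV, G)
MSG = b"constructed sample message"
```

Signing the same message twice yields byte-identical signatures, which is what removes the dependence on the quality of the RNG at signing time; the random path is still available where policy requires it.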
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 07 Aug 2019 15:27:07 +0000
Subject: [gnutls-devel] GnuTLS | crypto-api: add gnutls_aead_cipher_{en, de}crypt_vec (!1052)

Merge request https://gitlab.com/gnutls/gnutls/merge_requests/1052 was reviewed by Simo Sorce

--

Simo Sorce started a new discussion on lib/iov.h: https://gitlab.com/gnutls/gnutls/merge_requests/1052#note_201215482

> +
> + if (iter->block_offset > 0) {
> + if ((size_t) len >= iter->block_size - iter->block_offset) {

Seems like you are using iter->block_size - iter->block_offset quite a few times here, and it makes the code harder to read and more verbose. What about:

```
size_t block_left = iter->block_size - iter->block_offset;
if (len >= block_left) {
    memcpy(iter->block + iter->block_offset, p, block_left);
    iter->iov_offset += block_left;
    ...
```

--

Simo Sorce started a new discussion on lib/iov.h: https://gitlab.com/gnutls/gnutls/merge_requests/1052#note_201215497

> + const giovec_t *iov = &iter->iov[iter->iov_index];
> + uint8_t *p = iov->iov_base;
> + ssize_t len = iov->iov_len;

Why declare len signed and then cast it later to unsigned during comparison? Sounds like that could lead to wraparound errors. I would declare len size_t; in no case can a length ever be negative.

--

Simo Sorce started a new discussion on lib/iov.h: https://gitlab.com/gnutls/gnutls/merge_requests/1052#note_201215498

> + }
> +
> + memcpy(iter->block + iter->block_offset, p, len);

I found it hard to figure out why this block was ok without a return (which is instead in the other 2 conditional blocks above). At the very least I would put a comment that says what the chopping-in-blocks strategy is here.

However, I also think a different organization of the code might make it more readable:

```
*blocks = 0;
if (iter->block_offset == 0 && len >= iter->block_size) {
    /* We have at least one full block, return a whole set of full blocks immediately */
    [code from second block here - except return statement]
} else if (len >= iter->block_size - iter->block_offset) {
    /* We can complete one full block to return */
    [code from first block - except return statement]
} else {
    /* Not enough data for a full block, store in temp memory */
    [final block]
}
if (*blocks > 0)
    return 0;
```

--

Simo Sorce started a new discussion on lib/iov.h: https://gitlab.com/gnutls/gnutls/merge_requests/1052#note_201215499

> +
> +/* Initialize the iterator. */
> +static inline int

Why put these functions inline in a header file? They are rather big; I would let the compiler decide what is more efficient speed/space wise.

--

Simo Sorce started a new discussion on lib/iov.h: https://gitlab.com/gnutls/gnutls/merge_requests/1052#note_201215502

> + iter->iov_offset = 0;
> + }
> + return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE;

If I read this function right, this return statement makes it so that the function requires iovecs with a total size that is as big as or larger than a block size; is that intended? If so, it should be in the comment that describes the function.

From gnutls-devel at lists.gnutls.org Wed Aug 7 19:02:35 2019
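Review bot: the `memcpy(iter->block + iter->block_offset, p, len)` in the fall-through branch is only in bounds because the branch guarded by `(size_t) len >= iter->block_size - iter->block_offset` returned whenever `len` could fill the block; nothing at the copy itself checks that, so an `assert(iter->block_offset + len < iter->block_size)` (or at least a comment stating the invariant) before the copy would turn a future reordering of the branches into a test failure instead of a write past the end of `iter->block`.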
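Simo's reorganisation above, carried into a runnable form as an added example (Python rather than the merge request's C, and not GnuTLS code): `chop_blocks` keeps the three-branch strategy and the carry-buffer invariant, and shows what a caller gets when the buffers total less than one block, the case the last review question asks about. The input buffers and block size are constructed.

```python
"""Block-chopping over a list of buffers, in the spirit of the lib/iov.h
iterator under review.  Added illustration, not GnuTLS code."""


def chop_blocks(iov, block_size):
    """Return (full_blocks, tail) for the concatenation of the buffers in iov.

    Strategy, matching the three branches in the review:
      1. a non-empty carry is topped up first and emitted once it is full;
      2. with the carry empty, every whole block inside the current buffer
         is emitted directly, without passing through the carry;
      3. whatever is left, always shorter than block_size, goes to the carry.
    Invariant: len(carry) < block_size between buffers.  If the total input
    is shorter than one block, full_blocks is empty and tail holds it all,
    which is the situation the C code signals with an error return."""
    blocks, carry = [], bytearray()
    for buf in iov:
        p = memoryview(buf)
        if carry:
            need = block_size - len(carry)
            if len(p) < need:
                carry += p              # still short of a full block
                continue
            carry += p[:need]           # complete exactly one block
            blocks.append(bytes(carry))
            carry.clear()
            p = p[need:]
        whole = len(p) - len(p) % block_size
        blocks.extend(bytes(p[i:i + block_size]) for i in range(0, whole, block_size))
        carry += p[whole:]              # leftover, shorter than one block
        assert len(carry) < block_size  # the invariant the memcpy relies on
    return blocks, bytes(carry)
```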
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 07 Aug 2019 17:02:35 +0000
Subject: [gnutls-devel] GnuTLS | gnutls 3.6.9 fails to build: WARNING: 'autogen' is missing on your system. (#810)

Andreas Metzler commented on a discussion: https://gitlab.com/gnutls/gnutls/issues/810#note_201253837

The patch changes Makefile.am. It will only be effective if the corresponding Makefile.in is regenerated by automake. I cannot tell from the very limited buildlog excerpt whether that happened.

From gnutls-devel at lists.gnutls.org Wed Aug 7 21:20:53 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 07 Aug 2019 19:20:53 +0000
Subject: [gnutls-devel] GnuTLS | gnutls 3.6.9 fails to build: WARNING: 'autogen' is missing on your system. (#810)

Emerson Bernier commented on a discussion: https://gitlab.com/gnutls/gnutls/issues/810#note_201300405

@ametzler sorry, you can see the full buildlog [here](https://freedesktop-sdk.gitlab.io/-/freedesktop-sdk/-/jobs/267216286/artifacts/cache/buildstream/logs/freedesktop-sdk/components-gnutls/669f0ff2-build.5005.log).

From gnutls-devel at lists.gnutls.org Thu Aug 8 07:21:56 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 08 Aug 2019 05:21:56 +0000
Subject: [gnutls-devel] GnuTLS | pk: implement deterministic ECDSA/DSA for provable signing (!1051)

Daiki Ueno pushed new commits to merge request !1051
https://gitlab.com/gnutls/gnutls/merge_requests/1051

* c65f333e - nettle: prohibit deterministic ECDSA/DSA under FIPS except selftests

From gnutls-devel at lists.gnutls.org Thu Aug 8 10:49:31 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 08 Aug 2019 08:49:31 +0000
Subject: [gnutls-devel] GnuTLS | pk: implement deterministic ECDSA/DSA for provable signing (!1051)

Daiki Ueno pushed new commits to merge request !1051
https://gitlab.com/gnutls/gnutls/merge_requests/1051

* 5e8c18ea - nettle: prohibit deterministic ECDSA/DSA under FIPS except selftests

From gnutls-devel at lists.gnutls.org Thu Aug 8 11:54:55 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 08 Aug 2019 09:54:55 +0000
Subject: [gnutls-devel] libtasn1 | Add pkix der fuzzer (!43)

Tim Rühsen created a merge request: https://gitlab.com/gnutls/libtasn1/merge_requests/43
Branches: tmp-pkix-der-fuzzer to master
Author: Tim Rühsen

Add a new fuzzer.

## Checklist

* [x] Code modified for feature
* [ ] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated

## Reviewer's checklist:

* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent with other code
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

From gnutls-devel at lists.gnutls.org Thu Aug 8 12:05:00 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 08 Aug 2019 10:05:00 +0000
Subject: [gnutls-devel] libtasn1 | Tmp pkix der fuzzer (!45)

Tim Rühsen created a merge request: https://gitlab.com/gnutls/libtasn1/merge_requests/45
Branches: tmp-pkix-der-fuzzer to master
Author: Tim Rühsen

add a fuzzer

## Checklist

* [x] Code modified for feature
* [ ] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated

## Reviewer's checklist:

* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent with other code
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

From gnutls-devel at lists.gnutls.org Thu Aug 8 12:13:58 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 08 Aug 2019 10:13:58 +0000
Subject: [gnutls-devel] GnuTLS | crypto-api: add gnutls_aead_cipher_{en, de}crypt_vec (!1052)

Daiki Ueno pushed new commits to merge request !1052
https://gitlab.com/gnutls/gnutls/merge_requests/1052

* 1833f083...74a30ab3 - 3 commits from branch `master`

From gnutls-devel at lists.gnutls.org Thu Aug 8 12:34:40 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 08 Aug 2019 10:34:40 +0000
Subject: [gnutls-devel] GnuTLS | pk: implement deterministic ECDSA/DSA for provable signing (!1051)

Daiki Ueno pushed new commits to merge request !1051
https://gitlab.com/gnutls/gnutls/merge_requests/1051

* 70fc3866...28c5912c - 10 commits from branch `master`
* e94ab6b7 - nettle: add functions for deterministic ECDSA/DSA
* f42d9645 - privkey_sign_raw_data: remove unnecessary local variable
* 3dd0df9e - privkey_sign_prehashed: remove unused argument
* 519cda2a - pk: implement deterministic ECDSA/DSA
* 2c878329 - nettle: enable deterministic ECDSA/DSA during FIPS selftests
* 430fc287 - nettle: prohibit deterministic ECDSA/DSA under FIPS except selftests

From gnutls-devel at lists.gnutls.org Thu Aug 8 12:37:26 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 08 Aug 2019 10:37:26 +0000
Subject: [gnutls-devel] libtasn1 | Add pkix der fuzzer (!43)

Merge Request !43 was closed by Tim Rühsen
Merge Request url: https://gitlab.com/gnutls/libtasn1/merge_requests/43
Branches: tmp-pkix-der-fuzzer to master
Author: Tim Rühsen

From gnutls-devel at lists.gnutls.org Thu Aug 8 12:37:56 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 08 Aug 2019 10:37:56 +0000
Subject: [gnutls-devel] GnuTLS | crypto-api: add gnutls_aead_cipher_{en, de}crypt_vec (!1052)

Daiki Ueno pushed new commits to merge request !1052
https://gitlab.com/gnutls/gnutls/merge_requests/1052

* 70fc3866...28c5912c - 8 commits from branch `master`
* 5f4c65fc - iov: add iterator interface for giovec_t
* 702ed943 - crypto-api: use giovec_t iterator interface for aead_encryptv
* 28a46a12 - crypto-api: add gnutls_aead_cipher_{en,de}crypt_vec

From gnutls-devel at lists.gnutls.org Thu Aug 8 12:51:18 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 08 Aug 2019 10:51:18 +0000
Subject: [gnutls-devel] GnuTLS | pk: implement deterministic ECDSA/DSA for provable signing (!1051)

Nikos Mavrogiannopoulos started a new discussion on lib/crypto-backend.h: https://gitlab.com/gnutls/gnutls/merge_requests/1051#note_201532166

> /* if non-zero, the legacy value for PKCS#7 signatures will be
> * written for RSA signatures. */
> unsigned int legacy;
> +
> + /* the digest used by ECDSA/DSA */
> + gnutls_digest_algorithm_t dsa_dig;
> +
> + /* flags may include GNUTLS_PK_FLAG_PROVABLE for deterministic

Should we introduce/use a flag `PK_FLAG_REPRODUCIBLE`? The provable doesn't seem to describe what is going on here.

From gnutls-devel at lists.gnutls.org Thu Aug 8 12:53:01 2019
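Review bot: `dsa_dig` is added to `gnutls_x509_spki_st` with a comment but no statement of what an unset value means; since the backend will now take the ECDSA/DSA digest from this field, the signer should reject an unset `dsa_dig` explicitly rather than treat whatever the zero value maps to as a valid digest, and the comment on the flags field (cut off at the end of the hunk) should enumerate every flag the backend honours so that a caller cannot pass a privkey-level flag through by accident.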
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 08 Aug 2019 10:53:01 +0000
Subject: [gnutls-devel] GnuTLS | pk: implement deterministic ECDSA/DSA for provable signing (!1051)

Nikos Mavrogiannopoulos commented on a discussion on lib/crypto-backend.h: https://gitlab.com/gnutls/gnutls/merge_requests/1051#note_201532666

> /* if non-zero, the legacy value for PKCS#7 signatures will be
> * written for RSA signatures. */
> unsigned int legacy;
> +
> + /* the digest used by ECDSA/DSA */
> + gnutls_digest_algorithm_t dsa_dig;
> +
> + /* flags may include GNUTLS_PK_FLAG_PROVABLE for deterministic

The RSA parameters seem to be provable and reproducible; however on the DSA/ECDSA front we only have the reproducible part. Maybe rename the flag PROVABLE to REPRODUCIBLE?

From gnutls-devel at lists.gnutls.org Thu Aug 8 13:00:13 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 08 Aug 2019 11:00:13 +0000
Subject: [gnutls-devel] GnuTLS | pk: implement deterministic ECDSA/DSA for provable signing (!1051)

Nikos Mavrogiannopoulos started a new discussion on lib/x509/pkcs7.c: https://gitlab.com/gnutls/gnutls/merge_requests/1051#note_201536070

> goto cleanup;
> }
>
> + if (flags & GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE) {

Given that this is called on almost every use, would it be useful to have this as a macro in case we want to extend it in the future?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1051#note_201536070
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 08 Aug 2019 11:04:46 +0000
Subject: [gnutls-devel] GnuTLS | pk: implement deterministic ECDSA/DSA for provable signing (!1051)

Nikos Mavrogiannopoulos started a new discussion on tests/sign-verify-deterministic.c: https://gitlab.com/gnutls/gnutls/merge_requests/1051#note_201538347

> testfail("gnutls_privkey_init\n");
>
> + signature.data = NULL;
> + signature.size = 0;
> +
> ret = gnutls_privkey_import_x509_raw(privkey, &tests[i].key, GNUTLS_X509_FMT_PEM, NULL, 0);
> if (ret < 0)
> testfail("gnutls_privkey_import_x509_raw\n");
>
> ret = gnutls_privkey_sign_data(privkey, tests[i].digest, tests[i].sign_flags,
> &tests[i].msg, &signature);
> - if (ret < 0)
> - testfail("gnutls_privkey_sign_data\n");
> + if (gnutls_fips140_mode_enabled()) {
> + /* deterministic ECDSA/DSA is prohibited under FIPS */
> + if (ret == 0)

Wouldn't it make sense to test that the error code is the expected one?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1051#note_201538347
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 08 Aug 2019 11:06:01 +0000
Subject: [gnutls-devel] GnuTLS | pk: implement deterministic ECDSA/DSA for provable signing (!1051)

Nikos Mavrogiannopoulos started a new discussion on lib/nettle/pk.c: https://gitlab.com/gnutls/gnutls/merge_requests/1051#note_201538864

> return gnutls_assert_val(GNUTLS_E_ECC_UNSUPPORTED_CURVE);
> }
>
> + /* deterministic ECDSA/DSA is prohibited under FIPS except in

Shouldn't this test only happen for the ECDSA/DSA case?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1051#note_201538864
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 08 Aug 2019 11:17:16 +0000
Subject: [gnutls-devel] GnuTLS | crypto-api: add gnutls_aead_cipher_{en, de}crypt_vec (!1052)

Merge request https://gitlab.com/gnutls/gnutls/merge_requests/1052 was reviewed by Simo Sorce

--

Simo Sorce started a new discussion on lib/crypto-api.c: https://gitlab.com/gnutls/gnutls/merge_requests/1052#note_201528179

> + }
> +
> + ret = copy_to_iov(&ptext, iov, iovcnt);

Ok, so I was wondering about ptext.size here and I was really confused. It seems you are using the difference between size and capacity in iov_store to keep the tag from being copied and copying it in later. That's pretty hard to figure out; I would not use this trick to cope with the gnutls_aead_cipher_encrypt() API. I would let iov_store always faithfully represent the size of the store with the size field, and keep track in the functions that need it (like this one) whether there is extra data in there. I would add an optional size parameter to copy_to_iov() so that you can truncate the copy short if needed, as in this case. So in this function you would call:

```
copy_to_iov(&ptext, iov, iovcnt, ptext.size - _tag_size);
```

--

Simo Sorce started a new discussion on lib/iov.c: https://gitlab.com/gnutls/gnutls/merge_requests/1052#note_201528185

> + iter->iov_offset = 0;
> + }
> + return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE;

Still trying to figure out if an io vector with a size that is not an exact multiple of the block_size is legal or not.

If it is legal, this code can incorrectly fail with GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE if the last io vector is < block_size.

If it is illegal, I think you should return a different error like GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER, because it is not that data is missing but that it does not conform to the expected parameter sizes, I think; but that may be subject to interpretation, so feel free to ignore this if GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE is normally used to express that a function parameter is not OK size-wise.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1052

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 08 Aug 2019 11:21:56 +0000
Subject: [gnutls-devel] libtasn1 | Tmp pkix der fuzzer (!45)

Merge Request !45 was closed by Tim Rühsen

Merge Request url: https://gitlab.com/gnutls/libtasn1/merge_requests/45
Branches: tmp-pkix-der-fuzzer to master
Author: Tim Rühsen
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/merge_requests/45
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 08 Aug 2019 11:30:34 +0000
Subject: [gnutls-devel] GnuTLS | pk: implement deterministic ECDSA/DSA for provable signing (!1051)

Merge request https://gitlab.com/gnutls/gnutls/merge_requests/1051 was reviewed by Daiki Ueno

--

Daiki Ueno commented on a discussion on lib/crypto-backend.h: https://gitlab.com/gnutls/gnutls/merge_requests/1051#note_201547864

> + gnutls_digest_algorithm_t dsa_dig;
> +
> + /* flags may include GNUTLS_PK_FLAG_PROVABLE for deterministic

OK, added `GNUTLS_PK_FLAG_REPRODUCIBLE` and used it extensively in the ECDSA/DSA cases.

--

Daiki Ueno commented on a discussion on lib/x509/pkcs7.c: https://gitlab.com/gnutls/gnutls/merge_requests/1051#note_201547875

> }
>
> + if (flags & GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE) {

Added `FIX_SIGN_PARAMS` macro.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1051
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 08 Aug 2019 11:31:00 +0000
Subject: [gnutls-devel] GnuTLS | crypto-api: add gnutls_aead_cipher_{en, de}crypt_vec (!1052)

Merge request https://gitlab.com/gnutls/gnutls/merge_requests/1052 was reviewed by Daiki Ueno

--

Daiki Ueno commented on a discussion on lib/iov.h: https://gitlab.com/gnutls/gnutls/merge_requests/1052#note_201548434

> +
> + if (iter->block_offset > 0) {
> + if ((size_t) len >= iter->block_size - iter->block_offset) {

Thanks, done.

--

Daiki Ueno commented on a discussion on lib/iov.h: https://gitlab.com/gnutls/gnutls/merge_requests/1052#note_201548443

> + const giovec_t *iov = &iter->iov[iter->iov_index];
> + uint8_t *p = iov->iov_base;
> + ssize_t len = iov->iov_len;

This is a common convention throughout the code so that the `DECR_LEN` macro works.

--

Daiki Ueno commented on a discussion on lib/iov.h: https://gitlab.com/gnutls/gnutls/merge_requests/1052#note_201548446

> + }
> +
> + memcpy(iter->block + iter->block_offset, p, len);

Nice, I've rewritten the blocks in a similar way.

--

Daiki Ueno commented on a discussion on lib/iov.h: https://gitlab.com/gnutls/gnutls/merge_requests/1052#note_201548450

> +
> +/* Initialize the iterator. */
> +static inline int

Moved to `iov.c`.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1052
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 08 Aug 2019 12:16:05 +0000
Subject: [gnutls-devel] libtasn1 | Add pkix der fuzzer (!46)

Tim Rühsen created a merge request: https://gitlab.com/gnutls/libtasn1/merge_requests/46

Branches: tmp-pkix-der-fuzzer to master
Author: Tim Rühsen
Assignees:

Add a new fuzzer

## Checklist
* [x] Code modified for feature
* [ ] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated

## Reviewer's checklist:
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent with other code
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/merge_requests/46
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 08 Aug 2019 12:18:57 +0000
Subject: [gnutls-devel] GnuTLS | pk: implement deterministic ECDSA/DSA for provable signing (!1051)

Daiki Ueno pushed new commits to merge request !1051: https://gitlab.com/gnutls/gnutls/merge_requests/1051

* 8eb3a293 - pk: implement deterministic ECDSA/DSA
* 1adee9e1 - nettle: enable deterministic ECDSA/DSA during FIPS selftests
* 3beaa23e - nettle: prohibit deterministic ECDSA/DSA under FIPS except selftests

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1051
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 08 Aug 2019 12:31:46 +0000
Subject: [gnutls-devel] GnuTLS | crypto-api: add gnutls_aead_cipher_{en, de}crypt_vec (!1052)

Merge request https://gitlab.com/gnutls/gnutls/merge_requests/1052 was reviewed by Daiki Ueno

--

Daiki Ueno commented on a discussion on lib/crypto-api.c: https://gitlab.com/gnutls/gnutls/merge_requests/1052#note_201591763

> + }
> +
> + ret = copy_to_iov(&ptext, iov, iovcnt);

That makes sense. I've removed the capacity field and check the length on the caller side.

--

Daiki Ueno commented on a discussion on lib/iov.c: https://gitlab.com/gnutls/gnutls/merge_requests/1052#note_201591767

> + iter->iov_offset = 0;
> + }
> + return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE;

I believe it is legal, but yes, the documentation is not clear enough. Added a detailed doc comment in gdoc.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1052
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 08 Aug 2019 12:56:58 +0000
Subject: [gnutls-devel] GnuTLS | pk: implement deterministic ECDSA/DSA for provable signing (!1051)

Merge Request !1051 was approved by Nikos Mavrogiannopoulos

Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/1051
Branches: tmp-deterministic-ecdsa to master
Author: Daiki Ueno
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1051

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 08 Aug 2019 12:57:22 +0000
Subject: [gnutls-devel] GnuTLS | pk: implement deterministic ECDSA/DSA for provable signing (!1051)

Milestone changed to Release of GnuTLS 3.6.10 (Jul 26, 2019 – Sep 25, 2019) ( https://gitlab.com/gnutls/gnutls/-/milestones/24 )

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1051
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 08 Aug 2019 12:57:53 +0000
Subject: [gnutls-devel] GnuTLS | crypto-api: add gnutls_aead_cipher_{en, de}crypt_vec (!1052)

Daiki Ueno pushed new commits to merge request !1052: https://gitlab.com/gnutls/gnutls/merge_requests/1052

* 38b30c21 - iov: add iterator interface for giovec_t
* a29508e8 - crypto-api: use giovec_t iterator interface for aead_encryptv
* 9d256a0a - crypto-api: add gnutls_aead_cipher_{en,de}crypt_vec

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1052

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 08 Aug 2019 13:45:38 +0000
Subject: [gnutls-devel] GnuTLS | pk: implement deterministic ECDSA/DSA for provable signing (!1051)

All discussions on Merge Request !1051 were resolved by Nikos Mavrogiannopoulos: https://gitlab.com/gnutls/gnutls/merge_requests/1051

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1051
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 08 Aug 2019 13:51:55 +0000
Subject: [gnutls-devel] GnuTLS | crypto-api: add gnutls_aead_cipher_{en, de}crypt_vec (!1052)

Simo Sorce commented on a discussion on lib/iov.h: https://gitlab.com/gnutls/gnutls/merge_requests/1052#note_201640333

> + iter->iov_index = 0;
> + iter->iov_offset = 0;
> + iter->block_size = block_size;
> + iter->block_offset = 0;
> + return 0;
> +}
> +
> +/* Retrieve the current block(s) pointed by @iter and advance it to
> + * the next buffer. */
> +static inline int
> +iov_iter_next(struct iov_iter_st *iter, uint8_t **data, size_t *blocks)
> +{
> + while (iter->iov_index < iter->iov_count) {
> + const giovec_t *iov = &iter->iov[iter->iov_index];
> + uint8_t *p = iov->iov_base;
> + ssize_t len = iov->iov_len;

It's dangerous to cast len though, because if it becomes negative via the DECR_LEN macro then your cast will compare as greater instead of smaller. Why the cast?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1052#note_201640333
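
Review bot: `ssize_t len = iov->iov_len;` at the bottom of the hunk converts a `size_t` to a signed type before any `DECR_LEN` runs, so a vector whose `iov_len` exceeds `SSIZE_MAX` starts out negative and the later `(size_t) len >= iter->block_size - iter->block_offset` test sees a huge value rather than taking the error path; either reject `iov_len > SSIZE_MAX` in the init function or keep `len` as `size_t` and compare before subtracting instead of relying on the macro's negative check.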
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 08 Aug 2019 13:59:32 +0000
Subject: [gnutls-devel] GnuTLS | crypto-api: add gnutls_aead_cipher_{en, de}crypt_vec (!1052)

Simo Sorce started a new discussion on lib/iov.c: https://gitlab.com/gnutls/gnutls/merge_requests/1052#note_201646685

> return 0;
> }
>
> +/**
> + * _gnutls_iov_iter_next:
> + * @iter: the iterator
> + * @data: the return location of extracted data
> + * @blocks: the number of blocks @data contains
> + *
> + * Retrieve consecutive block(s) pointed by @iter and advance it to
> + * the next position. At the end of iteration,
> + * %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE is returned.

Is this now a fatal error condition, or does it just indicate that in order to proceed more data would be needed? If the latter, perhaps this should be explicitly stated in the Returns: section below.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1052#note_201646685

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 08 Aug 2019 14:00:26 +0000
Subject: [gnutls-devel] GnuTLS | crypto-api: add gnutls_aead_cipher_{en, de}crypt_vec (!1052)

Simo Sorce commented:

Except for the confusion I still have around the return from the iterator, I think this PR is good now.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1052#note_201647317
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 08 Aug 2019 14:02:29 +0000
Subject: [gnutls-devel] GnuTLS | crypto-api: add gnutls_aead_cipher_{en, de}crypt_vec (!1052)

Daiki Ueno commented on a discussion on lib/iov.h: https://gitlab.com/gnutls/gnutls/merge_requests/1052#note_201648809

> + iter->iov_index = 0;
> + iter->iov_offset = 0;
> + iter->block_size = block_size;
> + iter->block_offset = 0;
> + return 0;
> +}
> +
> +/* Retrieve the current block(s) pointed by @iter and advance it to
> + * the next buffer. */
> +static inline int
> +iov_iter_next(struct iov_iter_st *iter, uint8_t **data, size_t *blocks)
> +{
> + while (iter->iov_index < iter->iov_count) {
> + const giovec_t *iov = &iter->iov[iter->iov_index];
> + uint8_t *p = iov->iov_base;
> + ssize_t len = iov->iov_len;

The `DECR_LEN` macro is defined as follows:

```c
#define DECR_LEN(len, x) do { len-=x; if (len<0) {gnutls_assert (); return GNUTLS_E_UNEXPECTED_PACKET_LENGTH;} } while (0)
```

If `len` becomes negative, it will immediately return from the loop and the cast will not be reached.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1052#note_201648809
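
Two of Simo's points in this thread, the bounded `copy_to_iov()` that keeps the tag out of the caller's buffers and the question of whether the iterator's end-of-data return is a fatal error or just "no more whole blocks", come down to the same design choice: give the caller outcomes it can tell apart. The block below is an added example in Python and not GnuTLS's `lib/iov.c`; all names (`IovIter`, `gather_blocks`, `copy_to_iov`, the `BLOCKS`/`PARTIAL`/`END` states) are my own. It yields whole blocks across a list of buffers with a zero-copy fast path, reports a trailing fragment shorter than a block as a distinct state so the caller decides whether that is legal, and scatters output back into writable buffers with an explicit length limit. The sample buffers in the usage are constructed.

```python
"""Whole-block iteration over a scattered buffer list, with a bounded
scatter copy. Added example, not GnuTLS's lib/iov.c; names are my own."""
from typing import List, Optional, Tuple

# Three outcomes a caller can tell apart instead of one "data not available" code.
BLOCKS, PARTIAL, END = "blocks", "partial", "end"


class IovIter:
    """Yield whole cipher blocks from a list of byte buffers in order, copying
    only when a block straddles two buffers."""

    def __init__(self, iov: List[bytes], block_size: int):
        if block_size <= 0:
            raise ValueError("block_size must be positive")
        self.iov, self.block_size = iov, block_size
        self.index = 0                # vector being consumed
        self.offset = 0               # bytes of that vector already consumed
        self.stash = bytearray()      # partial block carried across vectors

    def next(self) -> Tuple[str, bytes, int]:
        """Return (state, data, nblocks): nblocks whole blocks for BLOCKS, the
        short tail (< block_size) for PARTIAL, nothing for END."""
        bs = self.block_size
        while self.index < len(self.iov):
            chunk = self.iov[self.index][self.offset:]
            if not chunk:                         # vector exhausted (or empty)
                self.index, self.offset = self.index + 1, 0
                continue
            if self.stash:                        # finish the straddling block
                take = chunk[:bs - len(self.stash)]
                self.stash += take
                self.offset += len(take)
                if len(self.stash) == bs:
                    out, self.stash = bytes(self.stash), bytearray()
                    return BLOCKS, out, 1
                continue
            whole = len(chunk) - len(chunk) % bs
            if whole:                             # zero-copy run of whole blocks
                self.offset += whole
                return BLOCKS, chunk[:whole], whole // bs
            self.stash += chunk                   # short remainder: carry it
            self.index, self.offset = self.index + 1, 0
        if self.stash:
            tail, self.stash = bytes(self.stash), bytearray()
            return PARTIAL, tail, 0
        return END, b"", 0


def gather_blocks(iov: List[bytes], block_size: int) -> Tuple[List[bytes], bytes]:
    """Drive the iterator to completion; returns (blocks, trailing_fragment).
    A caller that requires a block multiple rejects a non-empty fragment as an
    illegal parameter, which is a different condition from running out of data."""
    it, blocks, tail = IovIter(iov, block_size), [], b""
    while True:
        state, data, n = it.next()
        if state == BLOCKS:
            blocks += [data[i * block_size:(i + 1) * block_size] for i in range(n)]
        elif state == PARTIAL:
            tail = data
        else:
            return blocks, tail


def copy_to_iov(src: bytes, iov: List[bytearray], limit: Optional[int] = None) -> int:
    """Scatter the first `limit` bytes of src into writable vectors in order and
    return the count written. An AEAD decrypt that holds plaintext and tag in
    one buffer passes limit=len(buf) - tag_size so the tag is never copied out."""
    n = len(src) if limit is None else min(limit, len(src))
    pos = 0
    for buf in iov:
        if pos >= n:
            break
        take = min(len(buf), n - pos)
        buf[:take] = src[pos:pos + take]
        pos += take
    if pos < n:
        raise ValueError("output vectors too small for %d bytes" % n)
    return pos


# Constructed sample: 5 + 20 + 7 = 32 bytes split awkwardly across three vectors.
SAMPLE_IOV = [b"A" * 5, b"B" * 20, b"C" * 7]
```

With a 16-byte block size `gather_blocks(SAMPLE_IOV, 16)` returns two blocks and an empty tail; `[b"X" * 35]` returns two blocks and a 3-byte tail, which is the "last io vector is < block_size" case from the review: the iterator does not fail, it reports the fragment and leaves the legality decision to the caller.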
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 08 Aug 2019 14:04:41 +0000
Subject: [gnutls-devel] GnuTLS | pk: implement deterministic ECDSA/DSA for provable signing (!1051)

Daiki Ueno commented:

Thank you @nmav and @smuellerDD for the review.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1051#note_201650511
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 08 Aug 2019 14:05:32 +0000
Subject: [gnutls-devel] GnuTLS | Bring support for TPM 2.0 (#594)

Nikos Mavrogiannopoulos commented:

@dwmw2 I'm slowly proceeding, assuming that (1) will happen, and in the meantime creating [a test tool to convert such keys](https://gitlab.com/nmav/gnutls/blob/tmp-tpm2/tests/tpm2-key.c). I also created [a basic test-suite](https://gitlab.com/nmav/gnutls/blob/tmp-tpm2/tests/tpm2.sh) based on Stefan's swtpm, but I seem to be unable to make it pass (the testsuite generates keys and tries to sign a certificate). The error is during the signing:

```
Signing certificate...
|<2>| signing structure using ECDSA-SHA256
|<2>| tpm2: EC sign function called for 32 bytes.
|<2>| tpm2: Establishing connection with TPM.
WARNING:esys:src/tss2-esys/esys_tcti_default.c:134:tcti_from_file() Could not load TCTI file: libtss2-tcti-default.so
WARNING:esys:src/tss2-esys/esys_tcti_default.c:134:tcti_from_file() Could not load TCTI file: libtss2-tcti-tabrmd.so
WARNING:esys:src/tss2-esys/api/Esys_ReadPublic.c:326:Esys_ReadPublic_Finish() Received TPM Error
ERROR:esys:src/tss2-esys/esys_tr.c:219:Esys_TR_FromTPMPublic_Finish() Error ReadPublic ErrorCode (0x00000184)
ERROR:esys:src/tss2-esys/esys_tr.c:309:Esys_TR_FromTPMPublic() Error TR FromTPMPublic ErrorCode (0x00000184)
|<3>| ASSERT: tpm2_esys.c[init_tpm2_key]:291
|<2>| tpm2: Esys_TR_FromTPMPublic failed for handle 0x2f326c72: 0x184
|<3>| ASSERT: privkey.c[privkey_sign_and_hash_data]:1298
|<3>| ASSERT: sign.c[_gnutls_x509_pkix_sign]:187
|<3>| ASSERT: x509_write.c[gnutls_x509_crt_privkey_sign]:1834
```

That points to a [failure in `Esys_TR_FromTPMPublic`](https://gitlab.com/nmav/gnutls/blob/tmp-tpm2/lib/tpm2_esys.c#L288) with 0x184 as the error. I cannot figure it out. Do you see something obvious in [the keys I generate](https://gitlab.com/nmav/gnutls/blob/tmp-tpm2/tests/tpm2.sh#L191) with tpm2-tools?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/594#note_201651055

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 08 Aug 2019 14:09:10 +0000
Subject: [gnutls-devel] GnuTLS | Bring support for TPM 2.0 (#594)

David Woodhouse commented:

Does it work if you use a key generated with the `create_tpm2_key` tool from openssl_tpm2_engine? That's what all my testing was done with.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/594#note_201653286

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 08 Aug 2019 14:13:56 +0000
Subject: [gnutls-devel] GnuTLS | Bring support for TPM 2.0 (#594)

Nikos Mavrogiannopoulos commented:

I have not been able to compile this project, so I was postponing using it. I'll try that way.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/594#note_201656173
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 08 Aug 2019 15:13:39 +0000
Subject: [gnutls-devel] libtasn1 | Add pkix der fuzzer (!46)

Merge Request !46 was merged

Merge Request url: https://gitlab.com/gnutls/libtasn1/merge_requests/46
Branches: tmp-pkix-der-fuzzer to master
Author: Tim Rühsen
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/merge_requests/46

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 08 Aug 2019 15:19:49 +0000
Subject: [gnutls-devel] GnuTLS | Bring support for TPM 2.0 (#594)

David Woodhouse commented:

Hm, why are you in that code anyway? That's the `!parent_is_generated()` case, using a key in NV storage as the parent for what's in the PEM. Aren't you using a generated primary key?

Can you show the output of `openssl asn1parse -in $YOURPEMFILE`?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/594#note_201691045
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 08 Aug 2019 15:48:16 +0000
Subject: [gnutls-devel] GnuTLS | Bring support for TPM 2.0 (#594)

Stefan Berger commented on a discussion: https://gitlab.com/gnutls/gnutls/issues/594#note_201703162

TPM 2 error code 0x184 means:

TPM_RC_VALUE - value is out of range or is not correct for the context
Handle number 1

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/594#note_201703162

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 08 Aug 2019 15:53:18 +0000
Subject: [gnutls-devel] GnuTLS | Bring support for TPM 2.0 (#594)

Stefan Berger commented on a discussion: https://gitlab.com/gnutls/gnutls/issues/594#note_201705230

My guess would be a malformed request sent to the TPM 2 because that's where TPM_RC_VALUE often comes back from.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/594#note_201705230
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 08 Aug 2019 15:58:38 +0000
Subject: [gnutls-devel] GnuTLS | Bring support for TPM 2.0 (#594)

Stefan Berger commented on a discussion: https://gitlab.com/gnutls/gnutls/issues/594#note_201707346

The handle 0x2f326c72 looks weird and there's a check in a function `TPMI_DH_OBJECT_Unmarshal` in the TPM 2 code that may catch this weird handle and return this error code. Isn't there a handle with the format 0x8......., so 0x8. in the MSB, flying around somewhere?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/594#note_201707346

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 08 Aug 2019 17:24:32 +0000
Subject: [gnutls-devel] GnuTLS | pk: implement deterministic ECDSA/DSA for provable signing (!1051)

Merge Request !1051 was merged

Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/1051
Branches: tmp-deterministic-ecdsa to master
Author: Daiki Ueno
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1051
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 08 Aug 2019 17:24:50 +0000
Subject: [gnutls-devel] GnuTLS | optional: Support for deterministic ECDSA (#94)

Issue was closed by Daiki Ueno via merge request !1051 (https://gitlab.com/gnutls/gnutls/merge_requests/1051)

Issue #94: https://gitlab.com/gnutls/gnutls/issues/94

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/94

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 08 Aug 2019 17:31:44 +0000
Subject: [gnutls-devel] GnuTLS | gnutls 3.6.9 fails to build: WARNING: 'autogen' is missing on your system. (#810)

Andreas Metzler commented on a discussion: https://gitlab.com/gnutls/gnutls/issues/810#note_201738007

Emerson Bernier @EmersonBernier replied

> Andreas Metzler @ametzler wrote
>> The patch changes Makefile.am. It will only be effective if the corresponding Makefile.in is regenerated by automake. I cannot tell from the very limited buildlog excerpt whether that happened.
> @ametzler sorry, you can see full buildlog here.

You could have checked yourself for invocations of automake in the buildlog ;-) I don't see any.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/810#note_201738007
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 08 Aug 2019 17:48:16 +0000
Subject: [gnutls-devel] GnuTLS | wrong text relocations on i386 due to non-PIC assembly (#818)

Andreas Metzler created an issue:

Hello, this is https://bugs.debian.org/934193 reported by Steve Langasek against 3.6.9:

```
In Ubuntu we discovered that the new version of libgnutls was causing
systemd-resolved to fail to start on i386, due to forbidden text
relocations:

Aug 07 23:21:43 vorlon-i386-test systemd-resolved[8810]: /lib/systemd/systemd-resolved: error while loading shared libraries: /lib/i386-linux-gnu/libgnutls.so.30: cannot make segment writable for relocation: Operation not permitted

This is a fatal error for systemd-resolved because the systemd unit sets
MemoryDenyWriteExecute=yes, but the problem can be more generally seen by
examining the library with readelf:

$ readelf -d ./debian/tmp/usr/lib/i386-linux-gnu/libgnutls.so.30.25.0 |grep TEXTREL
 0x00000016 (TEXTREL)                    0x0
 0x0000001e (FLAGS)                      TEXTREL BIND_NOW
$

These text relocations should not be there.

This is a one-line fix (see attached), but I don't understand how the bug
occurred in the first place, as this looks like a case of a version of an
"automatically generated" file being checked into upstream git that was in
fact hand-edited (wrongly) since it does not match what is generated by
the upstream openssl assembly-generating perl scripts.
```

[i386-fix-wrong-reloc.patch](/uploads/e612ab336204e1495fa3b8204ac79ced/i386-fix-wrong-reloc.patch)

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/818
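
The `readelf -d ... | grep TEXTREL` check quoted in the bug report is the one a build or packaging pipeline should run on every shared object it ships, because a library with text relocations is refused by any service hardened with `MemoryDenyWriteExecute=yes` (and cannot be mapped as read-only, shareable text). The block below is an added example, not GnuTLS's `pic-check` target or any readelf code: a Python scanner of the dynamic section that reports both forms readelf prints, a `DT_TEXTREL` entry and `DF_TEXTREL` inside `DT_FLAGS`, for ELF32 and ELF64 of either endianness. The helper `build_sample_elf32` and its minimal i386 image are constructed test input so the scanner can be exercised offline; all names are my own.

```python
"""Scan an ELF shared object's dynamic section for text relocations.
Added example, not GnuTLS's pic-check target; names are my own."""
import struct

PT_DYNAMIC = 2
DT_NULL, DT_TEXTREL, DT_FLAGS = 0, 16, 30
DF_TEXTREL, DF_BIND_NOW = 0x4, 0x8


def dynamic_entries(elf: bytes):
    """Yield (d_tag, d_val) pairs from the PT_DYNAMIC segment of an ELF32/ELF64 image."""
    if elf[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    is64 = elf[4] == 2                       # EI_CLASS: 1 = 32-bit, 2 = 64-bit
    end = "<" if elf[5] == 1 else ">"        # EI_DATA: 1 = little endian
    if is64:
        (phoff,) = struct.unpack_from(end + "Q", elf, 0x20)
        phentsize, phnum = struct.unpack_from(end + "HH", elf, 0x36)
    else:
        (phoff,) = struct.unpack_from(end + "I", elf, 0x1C)
        phentsize, phnum = struct.unpack_from(end + "HH", elf, 0x2A)
    for i in range(phnum):
        off = phoff + i * phentsize
        if is64:   # Elf64_Phdr: p_type, p_flags, p_offset, p_vaddr, p_paddr, p_filesz, ...
            p_type, _, p_offset, _, _, p_filesz = struct.unpack_from(end + "IIQQQQ", elf, off)
        else:      # Elf32_Phdr: p_type, p_offset, p_vaddr, p_paddr, p_filesz, ...
            p_type, p_offset, _, _, p_filesz = struct.unpack_from(end + "IIIII", elf, off)
        if p_type != PT_DYNAMIC:
            continue
        fmt, size = (end + "qQ", 16) if is64 else (end + "iI", 8)
        for pos in range(p_offset, p_offset + p_filesz, size):
            tag, val = struct.unpack_from(fmt, elf, pos)
            if tag == DT_NULL:
                return
            yield tag, val


def has_textrel(elf: bytes) -> bool:
    """True when the loader would have to write to the text segment: either a
    DT_TEXTREL entry or DT_FLAGS with DF_TEXTREL set (readelf prints both)."""
    for tag, val in dynamic_entries(elf):
        if tag == DT_TEXTREL or (tag == DT_FLAGS and val & DF_TEXTREL):
            return True
    return False


def build_sample_elf32(dyn) -> bytes:
    """Constructed test input: a minimal little-endian ELF32 (EM_386, ET_DYN)
    image whose only program header is PT_DYNAMIC carrying the given entries."""
    ehsize, phentsize = 52, 32
    body = b"".join(struct.pack("<iI", t, v) for t, v in list(dyn) + [(DT_NULL, 0)])
    ident = b"\x7fELF" + bytes([1, 1, 1, 0]) + bytes(8)     # ELFCLASS32, LSB, EV_CURRENT
    ehdr = ident + struct.pack("<HHIIIIIHHHHHH", 3, 3, 1, 0, ehsize, 0, 0,
                               ehsize, phentsize, 1, 40, 0, 0)
    phdr = struct.pack("<IIIIIIII", PT_DYNAMIC, ehsize + phentsize, 0, 0,
                       len(body), len(body), 6, 4)
    return ehdr + phdr + body
```

To check a real library, read the file into `bytes` and call `has_textrel()` on it; the constructed image with `DT_FLAGS = DF_TEXTREL | DF_BIND_NOW` reproduces the `FLAGS TEXTREL BIND_NOW` line from the report, and an image carrying only `DF_BIND_NOW` is reported clean.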
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 08 Aug 2019 18:51:25 +0000
Subject: [gnutls-devel] GnuTLS | Bring support for TPM 2.0 (#594)

Nikos Mavrogiannopoulos commented:

```
-----BEGIN TSS2 PRIVATE KEY-----
MIHrBgZngQUKAQMCBEAAAAsEWABWACMACwAGAHIAAAAQABAAAwAQACB7W9mlHRF/
QLe1vdSL5FPKURg5kznEE0Vj6VfIy6F0egAgO+psutyT5RDDPcgjK8bjgUj97ChN
jx8Ocd5Gnez/7QIEgYAAfgAg13a0stkXA9pSlYWI1QiN78Ntq00DcAeDtaCusd8g
wqgAEAcNsCe5wX4ihtbIwZSLrGiL75rxM7i2ge3fbWSEfcGvIljYYIDSDUXOQN4+
w6O7Ah7wyst/OLSxl28g1bbTVCTldkFq5byI9LclBw14OVYahowkiM7egnQ0zw==
-----END TSS2 PRIVATE KEY-----
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEe1vZpR0Rf0C3tb3Ui+RTylEYOZM5
xBNFY+lXyMuhdHo76my63JPlEMM9yCMrxuOBSP3sKE2PHw5x3kad7P/tAg==
-----END PUBLIC KEY-----
```

And the private key expands to:

```
0:d=0 hl=3 l= 235 cons: SEQUENCE
3:d=1 hl=2 l= 6 prim: OBJECT :2.23.133.10.1.3
11:d=1 hl=2 l= 4 prim: INTEGER :4000000B
17:d=1 hl=2 l= 88 prim: OCTET STRING [HEX DUMP]:00560023000B000600720000001000100003001000207B5BD9A51D117F40B7B5BDD48BE453CA5118399339C4134563E957C8CBA1747A00203BEA6CBADC93E510C33DC8232BC6E38148FDEC284D8F1F0E71DE469DECFFED02
107:d=1 hl=3 l= 128 prim: OCTET STRING [HEX DUMP]:007E0020D776B4B2D91703DA52958588D5088DEFC36DAB4D03700783B5A0AEB1DF20C2A80010070DB027B9C17E2286D6C8C1948BAC688BEF9AF133B8B681EDDF6D64847DC1AF2258D86080D20D45CE40DE3EC3A3BB021EF0CACB7F38B4B1976F20D5B6D35424E576416AE5BC88F4B725070D7839561A868C2488CEDE827434CF
```

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/594#note_201758052
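The asn1parse dump above is the whole structure of this key file format: SEQUENCE { OID 2.23.133.10.1.3, INTEGER parent handle, OCTET STRING TPM2B_PUBLIC, OCTET STRING TPM2B_PRIVATE }, and the later messages in this thread turn on whether the parent handle read from it (0x4000000B here) is the one the loader actually uses. The following is an added example, written for this archive and not GnuTLS's `lib/tpm2.c` or the openssl_tpm2_engine code: a minimal DER walker that decodes the base64 body of the TSS2 PRIVATE KEY block quoted above and pulls out the parent handle, the two blobs and the leading fields of the TPM2B_PUBLIC area (key algorithm, name algorithm, object attributes, curve). The optional `[0] emptyAuth` element of the format is tolerated but this particular key does not carry it; the TPM constants are the standard TPM 2.0 algorithm identifiers, and only the all-NULL scheme fields that this key uses are handled in the ECC parameters.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TPM_ALG_ECC      0x0023
#define TPM_ALG_NULL     0x0010
#define TPM_HT_PERMANENT 0x40   /* handle type of hierarchy handles such as 0x4000000B */

/* Sample input: the base64 body of the TSS2 PRIVATE KEY block posted above. */
static const char TSS2_KEY_B64[] =
    "MIHrBgZngQUKAQMCBEAAAAsEWABWACMACwAGAHIAAAAQABAAAwAQACB7W9mlHRF/"
    "QLe1vdSL5FPKURg5kznEE0Vj6VfIy6F0egAgO+psutyT5RDDPcgjK8bjgUj97ChN"
    "jx8Ocd5Gnez/7QIEgYAAfgAg13a0stkXA9pSlYWI1QiN78Ntq00DcAeDtaCusd8g"
    "wqgAEAcNsCe5wX4ihtbIwZSLrGiL75rxM7i2ge3fbWSEfcGvIljYYIDSDUXOQN4+"
    "w6O7Ah7wyst/OLSxl28g1bbTVCTldkFq5byI9LclBw14OVYahowkiM7egnQ0zw==";

struct tss2_key {
    uint32_t parent;                /* TPM handle of the parent object */
    const uint8_t *pub, *priv;      /* TPM2B_PUBLIC / TPM2B_PRIVATE blobs */
    size_t pub_len, priv_len;
    uint16_t key_alg, name_alg, curve;
    uint32_t attrs;                 /* TPMA_OBJECT bits */
};

struct tlv { uint8_t tag; const uint8_t *val; size_t len; };

static int b64_decode(const char *in, uint8_t *out, size_t outmax)
{
    static const char tbl[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    uint32_t acc = 0;
    int bits = 0;
    size_t n = 0;
    for (; *in && *in != '='; in++) {
        const char *p = strchr(tbl, *in);
        if (!p)
            return -1;
        acc = (acc << 6) | (uint32_t)(p - tbl);
        bits += 6;
        if (bits >= 8) {
            if (n >= outmax)
                return -1;
            bits -= 8;
            out[n++] = (uint8_t)(acc >> bits);
        }
    }
    return (int)n;
}

/* Read the DER element at *pos (short or 1/2-octet long length form) and advance past it. */
static int der_next(const uint8_t *buf, size_t size, size_t *pos, struct tlv *t)
{
    size_t p = *pos, hl = 2, len, n, i;
    if (p + 2 > size)
        return -1;
    t->tag = buf[p];
    len = buf[p + 1];
    if (len & 0x80) {
        n = len & 0x7f;
        if (n == 0 || n > 2 || p + 2 + n > size)
            return -1;
        for (len = 0, i = 0; i < n; i++)
            len = (len << 8) | buf[p + 2 + i];
        hl += n;
    }
    if (len > size - p - hl)
        return -1;
    t->val = buf + p + hl;
    t->len = len;
    *pos = p + hl + len;
    return 0;
}

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) { return ((uint32_t)rd16(p) << 16) | rd16(p + 2); }

/* TPM2B_PUBLIC: 2-byte size, then TPMT_PUBLIC { type, nameAlg, objectAttributes,
 * authPolicy (2-byte size + bytes), parameters, unique }.  For TPM_ALG_ECC the
 * parameters are symmetric, scheme, curveID, kdf; only their NULL forms are parsed. */
static int parse_tpm2b_public(struct tss2_key *k)
{
    const uint8_t *p = k->pub;
    size_t n = k->pub_len, pos;
    if (n < 12 || rd16(p) != n - 2)
        return -1;
    k->key_alg = rd16(p + 2);
    k->name_alg = rd16(p + 4);
    k->attrs = rd32(p + 6);
    pos = 12 + rd16(p + 10);                 /* skip authPolicy */
    if (k->key_alg != TPM_ALG_ECC || pos + 8 > n)
        return -1;
    if (rd16(p + pos) != TPM_ALG_NULL || rd16(p + pos + 2) != TPM_ALG_NULL || rd16(p + pos + 6) != TPM_ALG_NULL)
        return -1;
    k->curve = rd16(p + pos + 4);
    return 0;
}

static int parse_tss2_key(const uint8_t *der, size_t size, struct tss2_key *k)
{
    static const uint8_t tpmkey_oid[] = { 0x67, 0x81, 0x05, 0x0a, 0x01, 0x03 }; /* 2.23.133.10.1.3 */
    struct tlv t;
    size_t pos = 0, i;
    if (der_next(der, size, &pos, &t) || t.tag != 0x30 || pos != size)
        return -1;
    der = t.val; size = t.len; pos = 0;
    if (der_next(der, size, &pos, &t) || t.tag != 0x06 || t.len != sizeof tpmkey_oid || memcmp(t.val, tpmkey_oid, t.len))
        return -1;
    if (der_next(der, size, &pos, &t))
        return -1;
    if (t.tag == 0xa0 && der_next(der, size, &pos, &t))   /* optional [0] emptyAuth */
        return -1;
    if (t.tag != 0x02 || t.len == 0 || t.len > 5)
        return -1;
    for (k->parent = 0, i = 0; i < t.len; i++)
        k->parent = (k->parent << 8) | t.val[i];
    if (der_next(der, size, &pos, &t) || t.tag != 0x04)
        return -1;
    k->pub = t.val; k->pub_len = t.len;
    if (der_next(der, size, &pos, &t) || t.tag != 0x04 || pos != size)
        return -1;
    k->priv = t.val; k->priv_len = t.len;
    return parse_tpm2b_public(k);
}

/* Decode and parse the sample key; NULL on any failure. */
static const struct tss2_key *sample_key(void)
{
    static uint8_t der[256];
    static struct tss2_key k;
    int n = b64_decode(TSS2_KEY_B64, der, sizeof der);
    if (n < 0 || parse_tss2_key(der, (size_t)n, &k))
        return NULL;
    return &k;
}

int main(void)
{
    const struct tss2_key *k = sample_key();
    if (!k) { puts("parse failed"); return 1; }
    printf("parent 0x%08x (%s), alg 0x%04x, curve 0x%04x, attrs 0x%08x, pub %zu, priv %zu bytes\n",
           k->parent, (k->parent >> 24) == TPM_HT_PERMANENT ? "hierarchy handle" : "other handle",
           k->key_alg, k->curve, k->attrs, k->pub_len, k->priv_len);
    return 0;
}
```

Run against the key above this prints the parent as 0x4000000B with the permanent-handle type byte 0x40, an ECC key on curve 0x0003 (NIST P-256) with attributes 0x00060072; that is the value David Woodhouse refers to further down when he says the loader should be seeing 0x4000000B rather than 0x184, so a parser like this is a quick way to tell a malformed key file from a bug in the code that consumes it.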
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 08 Aug 2019 18:59:17 +0000
Subject: [gnutls-devel] GnuTLS | wrong text relocations on i386 due to non-PIC assembly (#818)

Nikos Mavrogiannopoulos commented:

I haven't checked the issue, but this assembly file is auto-generated from `cfg.mk` (`make asm-sources-clean;make asm-sources`) so any fix should go there as well. There is already a `pic-check` run in CI but it probably doesn't work/run on x86.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/818#note_201759887
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 08 Aug 2019 19:01:00 +0000
Subject: [gnutls-devel] GnuTLS | Ported openconnect TPM2 code (!1055)

Nikos Mavrogiannopoulos created a merge request: https://gitlab.com/gnutls/gnutls/merge_requests/1055

Project:Branches: nmav/gnutls:tmp-tpm2 to gnutls/gnutls:master
Author: Nikos Mavrogiannopoulos
Assignees:

Add a description of the new feature/bug fix. Reference any relevant bugs.

## Checklist
* [ ] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [ ] Code modified for feature
* [ ] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
* [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:
* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1055
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 08 Aug 2019 19:01:58 +0000
Subject: [gnutls-devel] GnuTLS | wrong text relocations on i386 due to non-PIC assembly (#818)

Milestone changed to Release of GnuTLS 3.6.10 (Jul 26, 2019–Sep 25, 2019) ( https://gitlab.com/gnutls/gnutls/-/milestones/24 )

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/818

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 08 Aug 2019 19:15:15 +0000
Subject: [gnutls-devel] GnuTLS | Bring support for TPM 2.0 (#594)

Stefan Berger commented on a discussion: https://gitlab.com/gnutls/gnutls/issues/594#note_201763976

Maybe add `--log level=20,file=/tmp/logfile` to the parameters passed to `swtpm` and let's have a look at the output... uuuuh

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/594#note_201763976
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 08 Aug 2019 20:09:45 +0000
Subject: [gnutls-devel] GnuTLS | Bring support for TPM 2.0 (#594)

David Woodhouse commented:

That's the endorsement hierarchy; most of my testing was done with the owner hierarchy but I believe it should work. Does your key file work with OpenConnect and the two ENGINE implementations?

Still don't see why you're not taking the `parent_is_generated()` path. Can you print the value of `info->parent`? You shouldn't *be* at line 291.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/594#note_201777342

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 08 Aug 2019 21:41:30 +0000
Subject: [gnutls-devel] GnuTLS | wrong text relocations on i386 due to non-PIC assembly (#818)

Michael Hudson-Doyle commented on a discussion: https://gitlab.com/gnutls/gnutls/issues/818#note_201798850

This was the part that confused us, it certainly _looks_ like cfg.mk would not produce this bug. (I haven't tried to run the autogeneration process myself, though).

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/818#note_201798850
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 09 Aug 2019 05:02:47 +0000
Subject: [gnutls-devel] GnuTLS | crypto-api: add gnutls_aead_cipher_{en, de}crypt_vec (!1052)

Daiki Ueno pushed new commits to merge request !1052 https://gitlab.com/gnutls/gnutls/merge_requests/1052

* e94ab6b7...3f2c3b8d - 7 commits from branch `master`
* d42438bc - iov: add iterator interface for giovec_t
* 6e9fb755 - crypto-api: use giovec_t iterator interface for aead_encryptv
* 85c304af - crypto-api: add gnutls_aead_cipher_{en,de}crypt_vec

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1052

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 09 Aug 2019 05:06:14 +0000
Subject: [gnutls-devel] GnuTLS | crypto-api: add gnutls_aead_cipher_{en, de}crypt_vec (!1052)

Daiki Ueno pushed new commits to merge request !1052 https://gitlab.com/gnutls/gnutls/merge_requests/1052

* 4a1d3f7d - iov: add iterator interface for giovec_t
* 3459ecaf - crypto-api: use giovec_t iterator interface for aead_encryptv
* dbaf2996 - crypto-api: add gnutls_aead_cipher_{en,de}crypt_vec

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1052
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 09 Aug 2019 05:08:34 +0000
Subject: [gnutls-devel] GnuTLS | crypto-api: add gnutls_aead_cipher_{en, de}crypt_vec (!1052)

Merge request https://gitlab.com/gnutls/gnutls/merge_requests/1052 was reviewed by Daiki Ueno

--
Daiki Ueno commented on a discussion on lib/iov.h: https://gitlab.com/gnutls/gnutls/merge_requests/1052#note_201866306

> + const giovec_t *iov = &iter->iov[iter->iov_index];
> + uint8_t *p = iov->iov_base;
> + ssize_t len = iov->iov_len;

As `DECR_LEN` here works like an assertion, I just expanded it there.

--
Daiki Ueno commented on a discussion on lib/iov.h: https://gitlab.com/gnutls/gnutls/merge_requests/1052#note_201866308

> + iter->iov_offset = 0;
> + }
> + return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE;

OK, I changed the function to return the number of blocks in `data` and use 0 to indicate the EOF.

--
Daiki Ueno commented on a discussion on lib/iov.c: https://gitlab.com/gnutls/gnutls/merge_requests/1052#note_201866310

> + * Retrieve consecutive block(s) pointed by @iter and advance it to
> + * the next position. At the end of iteration,
> + * %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE is returned.

This is no longer applicable after making the function return the number of blocks.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1052
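The review above settles two design points of the `giovec_t` block iterator behind the new `_vec` AEAD calls: the iterator hands back runs of whole cipher blocks, and it reports the number of blocks rather than a sentinel error, with 0 meaning end of data. The block below is an added example written for this archive, not GnuTLS's `lib/iov.c`, showing one way such an iterator can be built: whole blocks that sit contiguously in one iovec are returned by pointer, a block that straddles two iovecs is gathered into a small bounce buffer, and data that ends mid-block is reported as an error instead of being silently truncated. The `MAX_BLOCK` limit, the error codes and the 12-byte sample message are assumptions of the example; the `giovec_t` layout mirrors the `iov_base`/`iov_len` pair used in the quoted lines.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_BLOCK 16                  /* assumption: largest cipher block handled */
#define ERR_NOT_BLOCK_ALIGNED (-1)    /* assumption: stand-ins for GnuTLS error codes */
#define ERR_INVALID_REQUEST   (-2)

typedef struct { void *iov_base; size_t iov_len; } giovec_t;   /* same shape as GnuTLS's giovec_t */

struct iov_iter {
    const giovec_t *iov;
    size_t iov_count;
    size_t iov_index;             /* iovec currently being consumed */
    size_t iov_offset;            /* bytes of that iovec already consumed */
    size_t block_size;
    uint8_t block[MAX_BLOCK];     /* bounce buffer for a block that spans iovecs */
};

static int iov_iter_init(struct iov_iter *it, const giovec_t *iov, size_t count, size_t block_size)
{
    if (block_size == 0 || block_size > MAX_BLOCK)
        return ERR_INVALID_REQUEST;
    it->iov = iov; it->iov_count = count; it->block_size = block_size;
    it->iov_index = it->iov_offset = 0;
    return 0;
}

/* Hand back the next run of whole blocks: returns their count (>0) with *data
 * pointing at them, 0 once every iovec is consumed, or ERR_NOT_BLOCK_ALIGNED
 * when the data ends in the middle of a block. */
static int iov_iter_next(struct iov_iter *it, const uint8_t **data)
{
    while (it->iov_index < it->iov_count) {
        const giovec_t *iov = &it->iov[it->iov_index];
        const uint8_t *p = (const uint8_t *)iov->iov_base + it->iov_offset;
        size_t len = iov->iov_len - it->iov_offset;
        size_t blocks = len / it->block_size, need;

        if (len == 0) {                          /* exhausted (or empty) iovec */
            it->iov_index++;
            it->iov_offset = 0;
            continue;
        }
        if (blocks > 0) {                        /* fast path: contiguous whole blocks */
            if (blocks > INT_MAX)
                blocks = INT_MAX;
            *data = p;
            it->iov_offset += blocks * it->block_size;
            return (int)blocks;
        }
        /* Slow path: fewer than block_size bytes left here; gather one block
         * from this and the following iovecs into the bounce buffer. */
        memcpy(it->block, p, len);
        need = it->block_size - len;
        it->iov_index++;
        it->iov_offset = 0;
        while (need > 0) {
            if (it->iov_index >= it->iov_count)
                return ERR_NOT_BLOCK_ALIGNED;    /* ran out of data mid-block */
            iov = &it->iov[it->iov_index];
            if (iov->iov_len <= need) {
                memcpy(it->block + it->block_size - need, iov->iov_base, iov->iov_len);
                need -= iov->iov_len;
                it->iov_index++;
            } else {
                memcpy(it->block + it->block_size - need, iov->iov_base, need);
                it->iov_offset = need;
                need = 0;
            }
        }
        *data = it->block;
        return 1;
    }
    return 0;
}

/* Constructed 12-byte message, split into two iovecs at `split` for the demo. */
static char MSG[] = "0123456789AB";
#define MSG_LEN 12

/* Drive the iterator over the split message, reassembling into out (MSG_LEN bytes).
 * Returns the number of blocks delivered, or the iterator's error code. */
static int run_sample(size_t split, size_t block_size, uint8_t *out)
{
    giovec_t iov[2];
    struct iov_iter it;
    const uint8_t *data;
    size_t total = 0;
    int n, blocks = 0;

    if (split > MSG_LEN)
        return ERR_INVALID_REQUEST;
    iov[0].iov_base = MSG;         iov[0].iov_len = split;
    iov[1].iov_base = MSG + split; iov[1].iov_len = MSG_LEN - split;
    if ((n = iov_iter_init(&it, iov, 2, block_size)) < 0)
        return n;
    while ((n = iov_iter_next(&it, &data)) > 0) {
        memcpy(out + total, data, (size_t)n * block_size);
        total += (size_t)n * block_size;
        blocks += n;
    }
    return n < 0 ? n : blocks;
}

static int sample_blocks(size_t split, size_t block_size)
{
    uint8_t out[MSG_LEN];
    return run_sample(split, block_size, out);
}

/* 1 if the delivered blocks reassemble to the original message, else 0. */
static int sample_roundtrip(size_t split, size_t block_size)
{
    uint8_t out[MSG_LEN];
    int n = run_sample(split, block_size, out);
    return n > 0 && (size_t)n * block_size == MSG_LEN && memcmp(out, MSG, MSG_LEN) == 0;
}

int main(void)
{
    printf("split 5, block 4: %d blocks, roundtrip %d\n", sample_blocks(5, 4), sample_roundtrip(5, 4));
    printf("split 5, block 8: %d (not block aligned)\n", sample_blocks(5, 8));
    return 0;
}
```

With the message split 5/7 and a 4-byte block the caller sees three calls returning 1, 1 and 1 (the middle block comes out of the bounce buffer) and then 0; with an 8-byte block the 12-byte total cannot be covered and the iterator reports the misalignment, which is the case a cipher layer must refuse rather than pad silently.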
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 09 Aug 2019 05:08:41 +0000
Subject: [gnutls-devel] GnuTLS | crypto-api: add gnutls_aead_cipher_{en, de}crypt_vec (!1052)

All discussions on Merge Request !1052 were resolved by Daiki Ueno https://gitlab.com/gnutls/gnutls/merge_requests/1052

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1052
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 09 Aug 2019 05:34:59 +0000
Subject: [gnutls-devel] GnuTLS | gnutls_int.h: make DECR_LEN neutral to signedness (!1056)

Daiki Ueno created a merge request: https://gitlab.com/gnutls/gnutls/merge_requests/1056

Branches: tmp-decr-len to master
Author: Daiki Ueno
Assignees:

`DECR_LEN` was previously implemented in a way that it first decrements the given length and then checks whether the result is negative. This requires the caller to properly coerce the length argument to a signed integer before invoking the macro.

This changes the logic to first compare the length and the amount to subtract, so the macro works both with signed and unsigned lengths.

## Checklist
* [x] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [ ] Code modified for feature
* [ ] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
* [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:
* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1056
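The failure mode the !1056 description is guarding against is easy to miss in review: subtract-then-test is only a bounds check when the length is signed, and a caller that passes a `size_t` gets a wrap-around instead of a negative value, so the check can never fire and the parser walks on past the end of the buffer. The following is an added example, written for this archive and not GnuTLS's `gnutls_int.h`; both macro bodies are reconstructed from the description above (the old form decrements then tests `< 0`, the new form compares first), and the TLS-style record layout and the two sample buffers are constructed for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Old form: correct only when `len` has a signed type.  With an unsigned
 * `len` the subtraction wraps around instead of going negative, and the
 * `< 0` test can never fire. */
#define DECR_LEN_OLD(len, x, fail) \
    do { (len) -= (x); if ((len) < 0) { fail; } } while (0)

/* New form (the !1056 logic): compare before subtracting, so the check holds
 * whether `len` is signed or unsigned. */
#define DECR_LEN_NEW(len, x, fail) \
    do { if ((len) < (x)) { fail; } (len) -= (x); } while (0)

/* Parse a constructed TLS-style record: 1 byte type, 2 bytes version,
 * 2 bytes payload length, then the payload.  Returns the payload length, or
 * -1 when the buffer is shorter than the record claims.  `len` is unsigned
 * on purpose: that is the case the old macro mishandles. */
static int payload_len_old(const uint8_t *buf, size_t len)
{
    size_t plen;
    DEC_PLACEHOLDER_NEVER_USED_REMOVE;
}
```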
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 09 Aug 2019 06:05:22 +0000 Subject: [gnutls-devel] GnuTLS | Bring support for TPM 2.0 (#594) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos commented: The value is already printed it is 0x184. ``` `|<2>| tpm2: Esys_TR_FromTPMPublic failed for handle 0x2f326c72: 0x184` ``` @stefanberger the swtpm log is attached.[tpmlog.txt](/uploads/7fb9896a4c628fc57bf70be21cb3bbbe/tpmlog.txt) -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/594#note_201874738 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Aug 9 08:11:20 2019 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 09 Aug 2019 06:11:20 +0000 Subject: [gnutls-devel] GnuTLS | Ported openconnect TPM2 code (!1055) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos pushed new commits to merge request !1055 https://gitlab.com/gnutls/gnutls/merge_requests/1055 * 514025aa - WIP: Ported openconnect TPM2 code [ci skip] -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1055 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Aug 9 08:47:20 2019 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 09 Aug 2019 06:47:20 +0000 Subject: [gnutls-devel] GnuTLS | crypto-api: add gnutls_aead_cipher_{en, de}crypt_vec (!1052) In-Reply-To: References: Message-ID: Daiki Ueno pushed new commits to merge request !1052 https://gitlab.com/gnutls/gnutls/merge_requests/1052 * 38c8dc43 - iov: add iterator interface for giovec_t * 9ca7a2b4 - crypto-api: use giovec_t iterator interface for aead_encryptv * f3c09f47 - crypto-api: add gnutls_aead_cipher_{en,de}crypt_vec -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1052 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Aug 9 09:49:46 2019 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 09 Aug 2019 07:49:46 +0000 Subject: [gnutls-devel] GnuTLS | Bring support for TPM 2.0 (#594) In-Reply-To: References: Message-ID: David Woodhouse commented: According to the ASN.1 dump you showed, it's supposed to be 0x4000000B. (Or 0x40000001 now if you switched to the owner hierarchy). -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/594#note_201906785 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Aug 9 10:25:51 2019 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 09 Aug 2019 08:25:51 +0000 Subject: [gnutls-devel] libtasn1 | Fix OSS-Fuzz issue 16249 (!47) References: Message-ID: Tim R?hsen created a merge request: https://gitlab.com/gnutls/libtasn1/merge_requests/47 Branches: tmp-fix-ossfuzz-16249 to master Author: Tim R?hsen Assignees: removes exit() to let fuzzers continue ## Checklist * [ ] Code modified for feature * [ ] Test suite updated with functionality tests * [ ] Test suite updated with negative tests * [ ] Documentation updated ## Reviewer's checklist: * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent with other code * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/merge_requests/47 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Aug 9 10:40:59 2019 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 09 Aug 2019 08:40:59 +0000 Subject: [gnutls-devel] GnuTLS | crypto-api: add gnutls_aead_cipher_{en, de}crypt_vec (!1052) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos commented: Since this is ok with Simo, it is fine with me. My only concern would be that the `_vec` name is inconsistent. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1052#note_201928219 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Aug 9 10:42:55 2019 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 09 Aug 2019 08:42:55 +0000 Subject: [gnutls-devel] GnuTLS | crypto-api: add gnutls_aead_cipher_{en, de}crypt_vec (!1052) In-Reply-To: References: Message-ID: Merge Request !1052 was approved by Nikos Mavrogiannopoulos Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/1052 Branches: tmp-encryptv2 to master Author: Daiki Ueno Assignees: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1052 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Aug 9 10:43:15 2019 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 09 Aug 2019 08:43:15 +0000 Subject: [gnutls-devel] GnuTLS | Bring support for TPM 2.0 (#594) In-Reply-To: References: Message-ID: David Woodhouse commented: There is some confusion around the allocation of the `tpm2_info_st`. You allocate two, fill one, free the good one. This makes it work for TLSv1.2 for me: ``` diff --git a/lib/tpm2.c b/lib/tpm2.c index f16374e292..09c0072bb9 100644 --- a/lib/tpm2.c +++ b/lib/tpm2.c @@ -251,7 +251,7 @@ int _gnutls_load_tpm2_key(gnutls_privkey_t pkey, const gnutls_datum_t *fdata) out_tpmkey: asn1_delete_structure(&tpmkey); - release_tpm2_ctx(info); +// release_tpm2_ctx(info); out_asn1: free(asn1.data); return ret; diff --git a/lib/tpm2_esys.c b/lib/tpm2_esys.c index 26a927def3..7046518371 100644 --- a/lib/tpm2_esys.c +++ b/lib/tpm2_esys.c @@ -284,7 +284,7 @@ static int init_tpm2_key(ESYS_CONTEXT **ctx, ESYS_TR *keyHandle, gnutls_assert(); goto error; } - } else { + } else { printf("PArent %x at %p not generated?\n", info->parent, info); r = Esys_TR_FromTPMPublic(*ctx, info->parent, ESYS_TR_NONE, ESYS_TR_NONE, ESYS_TR_NONE, &parentHandle); if (r) { 
@@ -534,12 +534,14 @@ int install_tpm2_key(struct tpm2_info_st *info, gnutls_privkey_t pkey, return GNUTLS_E_TPM_ERROR; } +#if 0 info = calloc(1, sizeof(*info)); if (!info) return GNUTLS_E_MEMORY_ERROR; +#endif info->parent = parent; - + printf("parent %x in info at %p\n", info->parent, info); r = Tss2_MU_TPM2B_PRIVATE_Unmarshal(privdata->data, privdata->size, NULL, &info->priv); if (r) { ``` TLSv1.3 gives me: `|<1>| The hash size used in signature (20) is less than the expected (32)` -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/594#note_201929152 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Aug 9 11:08:04 2019 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 09 Aug 2019 09:08:04 +0000 Subject: [gnutls-devel] GnuTLS | Bring support for TPM 2.0 (#594) In-Reply-To: References: Message-ID: David Woodhouse commented: My test setup: Using the OpenConnect test certificates, with the EC key wrapped using the `create_tpm2_key` tool from openssl_tpm2_engine since the tpm2-tss engine can't wrap keys yet; it can only create them. ``` ~/git/openconnect/tests/certs$ openssl s_server -cert server-cert.pem -key server-key.pem -accept 8443 -verify 1 -tls1_2 ``` ``` ~$ openconnect -c ~/git/openconnect/tests/certs/ec-cert.pem -k ~/git/openssl_tpm2_engine/ec.tss localhost:8443 --servercert pin-sha256:xp3scfzy3rOQsv ``` ``` ~/git/gnutls/src$ ./gnutls-cli --x509keyfile ~/git/openssl_tpm2_engine/ec.tss --x509certfile ~/git/openconnect/tests/certs/ec-cert.pem --x509cafile ~/git/openconnect/tests/certs/ca.pem localhost:8443 ``` -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/594#note_201944276 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Aug 9 11:13:21 2019 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 09 Aug 2019 09:13:21 +0000 Subject: [gnutls-devel] libtasn1 | Fix OSS-Fuzz issue 16249 (!47) In-Reply-To: References: Message-ID: Merge Request !47 was merged Merge Request url: https://gitlab.com/gnutls/libtasn1/merge_requests/47 Branches: tmp-fix-ossfuzz-16249 to master Author: Tim R?hsen Assignees: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/merge_requests/47 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Aug 9 11:17:12 2019 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 09 Aug 2019 09:17:12 +0000 Subject: [gnutls-devel] GnuTLS | WIP: Ported openconnect TPM2 code (!1055) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos pushed new commits to merge request !1055 https://gitlab.com/gnutls/gnutls/merge_requests/1055 * bc3ce40b - WIP: Ported openconnect TPM2 code [ci skip] -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1055 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Aug 9 11:18:56 2019 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 09 Aug 2019 09:18:56 +0000 Subject: [gnutls-devel] GnuTLS | WIP: Ported openconnect TPM2 code (!1055) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos pushed new commits to merge request !1055 https://gitlab.com/gnutls/gnutls/merge_requests/1055 * 193fbb17 - WIP: Ported openconnect TPM2 code [ci skip] -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1055 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Aug 9 11:23:12 2019 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 09 Aug 2019 09:23:12 +0000 Subject: [gnutls-devel] GnuTLS | Bring support for TPM 2.0 (#594) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos commented: Thanks @dwmw2 it was a stupid issue in the transformation of the code. Stuck a little later on the signing process now, still checking it: ``` |<2>| tpm2: Establishing connection with TPM. WARNING:esys:src/tss2-esys/esys_tcti_default.c:134:tcti_from_file() Could not load TCTI file: libtss2-tcti-default.so WARNING:esys:src/tss2-esys/esys_tcti_default.c:134:tcti_from_file() Could not load TCTI file: libtss2-tcti-tabrmd.so |<2>| tpm2: Creating primary key under hierarchy:owner hierarchy. |<2>| tpm2: Loading TPM2 key blob, parent handle 0x418367. WARNING:esys:src/tss2-esys/api/Esys_Load.c:325:Esys_Load_Finish() Received TPM Error ERROR:esys:src/tss2-esys/api/Esys_Load.c:118:Esys_Load() Esys Finish ErrorCode (0x000001df) |<3>| ASSERT: tpm2_esys.c[init_tpm2_key]:341 |<2>| tpm2: Esys_Load failed: 0x1df |<3>| ASSERT: privkey.c[privkey_sign_and_hash_data]:1298 ``` -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/594#note_201951247 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Aug 9 11:40:48 2019 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 09 Aug 2019 09:40:48 +0000 Subject: [gnutls-devel] GnuTLS | WIP: Ported openconnect TPM2 code (!1055) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos pushed new commits to merge request !1055 https://gitlab.com/gnutls/gnutls/merge_requests/1055 * 2288bd94 - WIP: Ported openconnect TPM2 code [ci skip] * dcfe5e3e - dwmw2: use pkg-config [ci skip] -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1055 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Aug 9 11:46:49 2019 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 09 Aug 2019 09:46:49 +0000 Subject: [gnutls-devel] GnuTLS | Bring support for TPM 2.0 (#594) In-Reply-To: References: Message-ID: David Woodhouse commented: (We're doing this on IRC, but for the record and for @stefanberger's benefit: your primary key must be generated *exactly* the same way as required by the standard. Which is what's in the `primaryTemplate` in your tpm2_esys.c, but your invocation of tpm2_createprimary in the test tpm2.sh script doesn't match.) -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/594#note_201963256 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Aug 9 11:47:01 2019 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 09 Aug 2019 09:47:01 +0000 Subject: [gnutls-devel] GnuTLS | Do not forbid excess random padding in TLS1.x CBC ciphersuites (!1054) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos pushed new commits to merge request !1054 https://gitlab.com/gnutls/gnutls/merge_requests/1054 * 05ec1133...3f2c3b8d - 11 commits from branch `master` * 65982e57 - tests: added interoperability test with gnutls 2.12.x * 0a792930 - _gnutls_epoch_set_keys: do not forbid random padding in TLS1.x CBC ciphersuites -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1054 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Aug 9 11:47:20 2019 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 09 Aug 2019 09:47:20 +0000 Subject: [gnutls-devel] GnuTLS | WIP: Ported openconnect TPM2 code (!1055) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos pushed new commits to merge request !1055 https://gitlab.com/gnutls/gnutls/merge_requests/1055 * e94ab6b7...3f2c3b8d - 7 commits from branch `master` * e348c23e - WIP: Ported openconnect TPM2 code [ci skip] * 7c43d13f - dwmw2: use pkg-config [ci skip] -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1055 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Aug 9 11:54:12 2019 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 09 Aug 2019 09:54:12 +0000 Subject: [gnutls-devel] GnuTLS | Bring support for TPM 2.0 (#594) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos commented: Ok, most likely I need to modify the CMD for the generation in `tpm2.sh` to match the template in the primaryTemplate structure. Most likely we'll need a wrapper script or tool from gnutls that can make this key generation work. The whole thing seems too complex. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/594#note_201968506 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Aug 9 11:55:21 2019 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 09 Aug 2019 09:55:21 +0000 Subject: [gnutls-devel] GnuTLS | Bring support for TPM 2.0 (#594) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos commented: Most likely will follow up on this after holidays.. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/594#note_201969781 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Aug 9 11:57:12 2019 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 09 Aug 2019 09:57:12 +0000 Subject: [gnutls-devel] GnuTLS | WIP: Ported openconnect TPM2 code (!1055) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos pushed new commits to merge request !1055 https://gitlab.com/gnutls/gnutls/merge_requests/1055 * c7097c23 - WIP: Ported openconnect TPM2 code [ci skip] * 4967d697 - dwmw2: use pkg-config [ci skip] -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1055 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Aug 9 12:10:34 2019 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 09 Aug 2019 10:10:34 +0000 Subject: [gnutls-devel] GnuTLS | Bring support for TPM 2.0 (#594) In-Reply-To: References: Message-ID: David Woodhouse commented: Testing with authorisation required. If I get the password wrong I get... ``` Token 'key' with URL 'tpm2:' requires user PIN Enter PIN: WARNING:esys:src/tss2-esys/api/Esys_Sign.c:339:Esys_Sign_Finish() Received TPM Error ERROR:esys:src/tss2-esys/api/Esys_Sign.c:132:Esys_Sign() Esys Finish ErrorCode (0x000009a2) WARNING:esys:src/tss2-esys/api/Esys_Sign.c:339:Esys_Sign_Finish() Received TPM Error ERROR:esys:src/tss2-esys/api/Esys_Sign.c:132:Esys_Sign() Esys Finish ErrorCode (0x000009a2) WARNING:esys:src/tss2-esys/api/Esys_Sign.c:339:Esys_Sign_Finish() Received TPM Error ERROR:esys:src/tss2-esys/api/Esys_Sign.c:132:Esys_Sign() Esys Finish ErrorCode (0x000009a2) WARNING:esys:src/tss2-esys/api/Esys_Sign.c:339:Esys_Sign_Finish() Received TPM Error ERROR:esys:src/tss2-esys/api/Esys_Sign.c:132:Esys_Sign() Esys Finish ErrorCode (0x000009a2) .... for ever ... ``` OpenConnect asks me again instead: ``` Enter TPM2 key password: WARNING:esys:src/tss2-esys/api/Esys_Sign.c:339:Esys_Sign_Finish() Received TPM Error ERROR:esys:src/tss2-esys/api/Esys_Sign.c:132:Esys_Sign() Esys Finish ErrorCode (0x000009a2) Enter TPM2 key password: WARNING:esys:src/tss2-esys/api/Esys_Sign.c:339:Esys_Sign_Finish() Received TPM Error ERROR:esys:src/tss2-esys/api/Esys_Sign.c:132:Esys_Sign() Esys Finish ErrorCode (0x000009a2) Enter TPM2 key password: Using client certificate 'A user' ``` -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/594#note_201979737 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Aug 9 12:12:55 2019 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 09 Aug 2019 10:12:55 +0000 Subject: [gnutls-devel] GnuTLS | Bring support for TPM 2.0 (#594) In-Reply-To: References: Message-ID: David Woodhouse commented: To bypass the primary key issue for now, you can use a parent in NV storage. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/594#note_201980734 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Aug 9 13:27:19 2019 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 09 Aug 2019 11:27:19 +0000 Subject: [gnutls-devel] libtasn1 | Add another fuzzer with code from gnutls (!48) References: Message-ID: Tim Rühsen created a merge request: https://gitlab.com/gnutls/libtasn1/merge_requests/48 Branches: tmp-gnutls-fuzzer to master Author: Tim Rühsen Assignees: ## Checklist * [x] Code modified for feature * [ ] Test suite updated with functionality tests * [ ] Test suite updated with negative tests * [ ] Documentation updated ## Reviewer's checklist: * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent with other code * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/merge_requests/48 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Aug 9 13:35:12 2019 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 09 Aug 2019 11:35:12 +0000 Subject: [gnutls-devel] GnuTLS | crypto-api: add gnutls_aead_cipher_{en, de}crypt_vec (!1052) In-Reply-To: References: Message-ID: Daiki Ueno pushed new commits to merge request !1052 https://gitlab.com/gnutls/gnutls/merge_requests/1052 * d230011c - crypto-api: add gnutls_aead_cipher_{en,de}cryptv2 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1052 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Aug 9 13:54:12 2019 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 09 Aug 2019 11:54:12 +0000 Subject: [gnutls-devel] GnuTLS | gnutls_int.h: make DECR_LEN neutral to signedness (!1056) In-Reply-To: References: Message-ID: Daiki Ueno pushed new commits to merge request !1056 https://gitlab.com/gnutls/gnutls/merge_requests/1056 * a7d1fb78 - lib/*: remove unnecessary cast to ssize_t -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1056 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Aug 9 14:38:40 2019 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 09 Aug 2019 12:38:40 +0000 Subject: [gnutls-devel] GnuTLS | crypto-api: add gnutls_aead_cipher_{en, de}crypt_vec (!1052) In-Reply-To: References: Message-ID: Daiki Ueno commented on a discussion: https://gitlab.com/gnutls/gnutls/merge_requests/1052#note_202038105 OK, I renamed it to `_encryptv2` and `_decryptv2` (though there is no `_decryptv`, it would make applications' code more consistent). -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1052#note_202038105 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Aug 9 14:38:48 2019 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 09 Aug 2019 12:38:48 +0000 Subject: [gnutls-devel] GnuTLS | crypto-api: add gnutls_aead_cipher_{en, de}crypt_vec (!1052) In-Reply-To: References: Message-ID: All discussions on Merge Request !1052 were resolved by Daiki Ueno https://gitlab.com/gnutls/gnutls/merge_requests/1052 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1052 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Aug 9 14:39:32 2019 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 09 Aug 2019 12:39:32 +0000 Subject: [gnutls-devel] GnuTLS | crypto-api: add gnutls_aead_cipher_{en, de}cryptv2 (!1052) In-Reply-To: References: Message-ID: Daiki Ueno commented: Thank you @simo and @nmav for the review! -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1052#note_202038461 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Aug 9 15:36:00 2019 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 09 Aug 2019 13:36:00 +0000 Subject: [gnutls-devel] GnuTLS | crypto-api: add gnutls_aead_cipher_{en, de}cryptv2 (!1052) In-Reply-To: References: Message-ID: Merge Request !1052 was merged Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/1052 Branches: tmp-encryptv2 to master Author: Daiki Ueno Assignees: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1052 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Aug 9 15:35:59 2019 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 09 Aug 2019 13:35:59 +0000 Subject: [gnutls-devel] GnuTLS | Implement gnutls_aead_cipher_(en|de)crypt_vec() (#718) In-Reply-To: References: Message-ID: Issue was closed by Daiki Ueno via merge request !1052 (https://gitlab.com/gnutls/gnutls/merge_requests/1052) Issue #718: https://gitlab.com/gnutls/gnutls/issues/718 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/718 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Aug 9 16:50:46 2019 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 09 Aug 2019 14:50:46 +0000 Subject: [gnutls-devel] libtasn1 | Add another fuzzer with code from gnutls (!48) In-Reply-To: References: Message-ID: Merge Request !48 was merged Merge Request url: https://gitlab.com/gnutls/libtasn1/merge_requests/48 Branches: tmp-gnutls-fuzzer to master Author: Tim Rühsen Assignees: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/merge_requests/48 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Aug 9 16:58:41 2019 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 09 Aug 2019 14:58:41 +0000 Subject: [gnutls-devel] GnuTLS | support non-NULL-terminated PSKs (!917) In-Reply-To: References: Message-ID: Ander Juaristi commented: @nmav looks like my latest commit fixed the issue, and I rebased master on top of my branch and pushed again. But now I'm only seeing the LGTM tests. Is there any problem with the pipeline, or my rebase? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/917#note_202109253 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat Aug 10 12:01:37 2019 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sat, 10 Aug 2019 10:01:37 +0000 Subject: [gnutls-devel] GnuTLS | wrong text relocations on i386 due to non-PIC assembly (#818) In-Reply-To: References: Message-ID: Andreas Metzler commented on a discussion: https://gitlab.com/gnutls/gnutls/issues/818#note_202253625 Just did. Regeneration generates the broken file: line 2998 in devel/perlasm/aesni-x86.pl &picmeup("ebp","OPENSSL_ia32cap_P","ebx",&label("key_const")); is converted by ```CC=gcc perl devel/perlasm/aesni-x86.pl elf lib/accelerated/x86/elf/aesni-x86.s.tmp``` to ``` leal OPENSSL_ia32cap_P,%ebp ``` instead of ``` leal OPENSSL_ia32cap_P-.Lkey_const(%ebx),%ebp ``` It is the only occurence of picmeup in devel/perlasm/aesni-x86.pl. Debian's openssl packages includes a patch to the asm code, but it does not seem to make a difference. https://salsa.debian.org/debian/openssl/blob/debian/unstable/debian/patches/pic.patch -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/818#note_202253625 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat Aug 10 14:28:02 2019 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sat, 10 Aug 2019 12:28:02 +0000 Subject: [gnutls-devel] GnuTLS | wrong text relocations on i386 due to non-PIC assembly (#818) In-Reply-To: References: Message-ID: Andreas Metzler commented on a discussion: https://gitlab.com/gnutls/gnutls/issues/818#note_202264295 When openssl is built, aesni-x86.s is not generated by a simple > CC="gcc" /usr/bin/perl ../crypto/aes/asm/aesni-x86.pl elf crypto/aes/aesni-x86.s the respective build.info file reads ``` GENERATE[aesni-x86.s]=asm/aesni-x86.pl \ $(PERLASM_SCHEME) $(LIB_CFLAGS) $(LIB_CPPFLAGS) $(PROCESSOR) ``` which expands to e.g. > CC="gcc" /usr/bin/perl ../crypto/aes/asm/aesni-x86.pl elf -fPIC -pthread -Wa,--noexecstack -Wall -Wa,--noexecstack -g -O2 -fdebug-prefix-map=/dev/shm/GNUTLS/openssl-1.1.1c=. -fstack-protector-strong -Wformat -Werror=format-security -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DRC4_ASM -DMD5_ASM -DRMD160_ASM -DAES_ASM -DVPAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM -DOPENSSLDIR="\"/usr/lib/ssl\"" -DENGINESDIR="\"/usr/lib/i386-linux-gnu/engines-1.1\"" -DNDEBUG -Wdate-time -D_FORTIFY_SOURCE=2 crypto/aes/aesni-x86.s Playing around a little bit we find that the `-fPIC` is significant, adding/removing it triggers exactly the one-line change mentioned above. And indeed we find this in perlasm/x86asm.pl: ```perl $pic=0; for (@ARGV) { $pic=1 if (/\-[fK]PIC/i); } ``` -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/818#note_202264295 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat Aug 10 14:38:55 2019 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sat, 10 Aug 2019 12:38:55 +0000 Subject: [gnutls-devel] GnuTLS | wrong text relocations on i386 due to non-PIC assembly (#818) In-Reply-To: References: Message-ID: Andreas Metzler commented on a discussion: https://gitlab.com/gnutls/gnutls/issues/818#note_202265159 Afaict simply changing the cfg.mk a la ``` lib/accelerated/x86/elf/%.s: devel/perlasm/%.pl .submodule.stamp CC=gcc perl $< elf {+-fPIC+} $@.tmp cat $<.license $@.tmp > $@ && rm -f $@.tmp ``` will not work since not all .s files are buildable when specifying -fPIC to the perl script. The openssl build.info passes -fPIC selectively: ``` [...] GENERATE[ghash-x86.s]=asm/ghash-x86.pl \ $(PERLASM_SCHEME) $(LIB_CFLAGS) $(LIB_CPPFLAGS) $(PROCESSOR) GENERATE[ghash-x86_64.s]=asm/ghash-x86_64.pl $(PERLASM_SCHEME) [...] ``` -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/818#note_202265159 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat Aug 10 21:11:09 2019 
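An added check for the symptom discussed in #818 (editor-supplied example code, not part of the GnuTLS tree and not from Andreas's comments): a POSIX sh script that scans generated i386 `.s` files for the absolute-address form `leal OPENSSL_ia32cap_P,%ebp` that `picmeup` emits when the perlasm script is run without `-fPIC`, and, where binutils is installed, confirms that a linked library carries no `TEXTREL` dynamic tag. The function names, the regular expression and the hand-written sample lines in `demo` are the editor's own; `readelf` is the only external tool assumed beyond grep and mktemp.

```shell
#!/bin/sh
# Editor-added example for GnuTLS issue #818; not code from the GnuTLS tree.
# Non-PIC i386 perlasm output references OPENSSL_ia32cap_P by absolute
# address ("leal OPENSSL_ia32cap_P,%ebp"), so the dynamic loader has to
# patch .text at load time (DT_TEXTREL). That needs writable code pages and
# is denied by SELinux's execmod check and similar hardening. The PIC form
# ("leal OPENSSL_ia32cap_P-.Lkey_const(%ebx),%ebp") computes the address
# from a label held in %ebx and needs no text relocation.

# A lea/mov whose source operand is a bare symbol (optionally "$symbol") is
# an absolute address; "16(%esp)", "(%esi)" or "$16" are not matched.
ABS_REF='^[[:space:]]*(lea|mov)[lq]?[[:space:]]+\$?[A-Za-z_.][A-Za-z0-9_.$+]*,%'

# Return 0 (true) if FILE contains such an absolute reference.
has_textrel_ref() {
    grep -Eq "$ABS_REF" "$1"
}

# Scan every .s file in DIR, printing offending lines to stderr.
# Returns 1 if any file needs a text relocation, 0 if all are clean.
scan_asm_dir() {
    rc=0
    for f in "$1"/*.s; do
        [ -e "$f" ] || continue
        if has_textrel_ref "$f"; then
            echo "non-PIC reference in $f:" >&2
            grep -En "$ABS_REF" "$f" >&2
            rc=1
        fi
    done
    return $rc
}

# Same property on the linked object: a TEXTREL entry in the dynamic section
# means some code page is patched at load time.
# Returns 0 if TEXTREL is present, 1 if absent, 2 if readelf is unavailable.
lib_has_textrel() {
    command -v readelf >/dev/null 2>&1 || return 2
    readelf -d "$1" 2>/dev/null | grep -q TEXTREL
}

# Self-check on constructed input (written here by hand, not real generator
# output): one file with the absolute form, one with the PIC form plus an
# ordinary stack access that must not be flagged.
demo() {
    d=$(mktemp -d) || return 1
    printf 'leal\tOPENSSL_ia32cap_P,%%ebp\n' > "$d/nopic.s"
    printf 'leal\tOPENSSL_ia32cap_P-.Lkey_const(%%ebx),%%ebp\nmovl\t16(%%esp),%%eax\n' > "$d/pic.s"
    if scan_asm_dir "$d" 2>/dev/null; then
        echo "demo: nopic.s was not flagged; the check is broken" >&2
        rm -rf "$d"; return 1
    fi
    if has_textrel_ref "$d/pic.s"; then
        echo "demo: pic.s was flagged; the check is too broad" >&2
        rm -rf "$d"; return 1
    fi
    rm -rf "$d"
    echo "demo: absolute reference detected, PIC file clean"
}

case "${1:-}" in
    --demo) demo ;;
    "")     ;;                    # no argument: only define the functions
    *)      scan_asm_dir "$1" ;;  # e.g. ./check-pic.sh lib/accelerated/x86/elf
esac
```

Run it as `sh check-pic.sh lib/accelerated/x86/elf` after regenerating the `.s` files; a non-zero exit with the offending `leal` line on stderr reproduces the problem Andreas found, and `lib_has_textrel lib/.libs/libgnutls.so` gives the same answer for the finished library.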
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sat, 10 Aug 2019 19:11:09 +0000 Subject: [gnutls-devel] GnuTLS | support non-NULL-terminated PSKs (!917) In-Reply-To: References: Message-ID: Daiki Ueno commented on a discussion: https://gitlab.com/gnutls/gnutls/merge_requests/917#note_202293592 I'm seeing the same problem sometimes, though I can check the full CI status from [the pipelines tab](https://gitlab.com/gnutls/gnutls/pipelines). @rockdaboot any ideas? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/917#note_202293592 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Aug 12 00:11:02 2019 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sun, 11 Aug 2019 22:11:02 +0000 Subject: [gnutls-devel] GnuTLS | WIP: Add support for CNT_IMIT TLS 1.2 GOST cipher suite (!920) In-Reply-To: References: Message-ID: Dmitry Eremin-Solenikov pushed new commits to merge request !920 https://gitlab.com/gnutls/gnutls/merge_requests/920 * 70fc3866...4234e99b - 19 commits from branch `master` * 9782be0c - lib: define TC26 GOST curves * a5b96ad1 - nettle/gost: provide GOST 28147-89 CNT mode * fec26690 - nettle/gost: provide GOST 28147-89 IMIT MAC mode * f83cbc3d - lib: provide GOST 28147-89 CNT mode support * 67505d3c - lib: provide GOST 28147-89 IMIT MAC support * 265672ba - nettle: provide GOST 28147-89 CNT mode support * e1da2e65 - nettle: provide GOST 28147-89 IMIT MAC support * ad2822a9 - nettle/gost: provide GOST keywrapping support * 0e157c6f - nettle/gost: add support for GOST VKO algorithm * 602d6f45 - _gnutls_pk_derive: add argument for nonce * e251f359 - nettle: add support for GOST key derivation * b369fedb - mpi: add _gnutls_mpi_bprint_size_le() * 7b1e1b4b - Allow using implicit IV for stream ciphers with TLS * eec95e4f - Support GOST certificate request values * 838a359a - Add GOST key transport support * 101a61ee - groups: add function to return group by curve * a4c5ecba - Add support for VKO GOST key exchange * 6f9de196 - Support GOST cipher suite MAC calculation * 7f92c1f6 - Add GOST cipher suites * e3570944 - Declare groups corresponding to GOST curves * a599ba39 - Add GOST values to cipher suites priorities * 4ebaab22 - prf: add GOST R 34.11-94 and Streebog PRF support * a875196c - tests: add tests for KX-GOST-VKO using different key variants * ba0f3242 - lib: fix group selection in case of GOST cipher suites * 407d1933 - tests: added testcases for ciphersuite/KX negotiation with VKO-GOST * 93c927a0 - lib/algorithms: add AID values assigned by IANA * 05647f95 - lib: pubkey vs TLS signature compatibility for GOST algorithms * 
ede8b703 - cli-debug: include GOST VKO into KX list * ac46360e - priority: add GROUP-GOST-ALL keyword * 567ea7ef - nettle/pk: add support for "new" TC26 256 B curve * 12798206 - ecc: define curve->group relationship * fb6f1c97 - ext/supported_groups: don't consider non-EC groups for EC * 2b7f2715 - ext/signature: use GOST signatures for GOST ciphersiuites * 9db05dd2 - tests: correct gost server certificates * 90a3cb32 - tests: add verbose logging to server-kx-neg tests * 98f41449 - Swap TLS signatures in case we are signing them with GOST keys -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/920 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Aug 12 00:54:29 2019 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sun, 11 Aug 2019 22:54:29 +0000 Subject: [gnutls-devel] GnuTLS | WIP: Add support for CNT_IMIT TLS 1.2 GOST cipher suite (!920) In-Reply-To: References: Message-ID: Dmitry Eremin-Solenikov commented on a discussion on lib/tls-sig.c: https://gitlab.com/gnutls/gnutls/merge_requests/920#note_202416422 > return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR); > > gnutls_sign_algorithm_set_client(session, sign_algo); > + pk_algo = gnutls_pubkey_get_pk_algorithm(cert->pubkey, NULL); Rewrote as CipherSuite flag. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/920#note_202416422 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Aug 12 00:55:27 2019 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sun, 11 Aug 2019 22:55:27 +0000 Subject: [gnutls-devel] GnuTLS | WIP: Add support for CNT_IMIT TLS 1.2 GOST cipher suite (!920) In-Reply-To: References: Message-ID: Dmitry Eremin-Solenikov commented on a discussion on lib/algorithms.h: https://gitlab.com/gnutls/gnutls/merge_requests/920#note_202416462 > return 0; > } > > +static inline unsigned _gnutls_kx_is_vko_gost(gnutls_kx_algorithm_t kx) This was done to follow `_gnutls_kx_is_ecc`/`_gnutls_kx_is_psk`/`_gnutls_kx_is_dhe`. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/920#note_202416462 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Aug 12 06:13:00 2019 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 12 Aug 2019 04:13:00 +0000 Subject: [gnutls-devel] GnuTLS | Check key purpose on gnutls_certificate_verify_peers3/2 (#808) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos commented: https://www.rfc-editor.org/errata/eid5802 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/808#note_202444333 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Aug 12 13:37:23 2019 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 12 Aug 2019 11:37:23 +0000 Subject: [gnutls-devel] GnuTLS | gnutls_int.h: make DECR_LEN neutral to signedness (!1056) In-Reply-To: References: Message-ID: Daiki Ueno pushed new commits to merge request !1056 https://gitlab.com/gnutls/gnutls/merge_requests/1056 * fd8c0b02 - build: dummy commit to trigger debug output -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1056 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Aug 13 22:01:07 2019 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 13 Aug 2019 20:01:07 +0000 Subject: [gnutls-devel] GnuTLS | Fix typo in gnutls_db_set_cache_expiration() docs (!1057) References: Message-ID: Michael Catanzaro created a merge request: https://gitlab.com/gnutls/gnutls/merge_requests/1057 Project:Branches: TheRealMichaelCatanzaro/gnutls:mcatanzaro/typo to gnutls/gnutls:master Author: Michael Catanzaro Assignees: This fixes a typo, "size" should be "six" I've actually changed it to 6 to parallel the numeral 7, which is used on the next line below. ## Checklist * [*] Commits have `Signed-off-by:` with name/author being identical to the commit author * [ ] Code modified for feature * [ ] Test suite updated with functionality tests * [ ] Test suite updated with negative tests * [ ] Documentation updated / NEWS entry present (for non-trivial changes) * [*] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout) ## Reviewer's checklist: * [ ] Any issues marked for closing are addressed * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md` * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1057 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Aug 14 00:44:55 2019 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 13 Aug 2019 22:44:55 +0000 Subject: [gnutls-devel] GnuTLS | Fix typo in gnutls_db_set_cache_expiration() docs (!1057) In-Reply-To: References: Message-ID: Michael Catanzaro pushed new commits to merge request !1057 https://gitlab.com/gnutls/gnutls/merge_requests/1057 * eb94b8d2 - Fix typo in gnutls_db_set_cache_expiration() docs -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1057 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Aug 14 06:22:57 2019 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 14 Aug 2019 04:22:57 +0000 Subject: [gnutls-devel] GnuTLS | Fix typo in gnutls_db_set_cache_expiration() docs (!1057) In-Reply-To: References: Message-ID: Merge Request !1057 was approved by Daiki Ueno Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/1057 Project:Branches: TheRealMichaelCatanzaro/gnutls:mcatanzaro/typo to gnutls/gnutls:master Author: Michael Catanzaro Assignees: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1057 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Aug 14 06:23:30 2019 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 14 Aug 2019 04:23:30 +0000 Subject: [gnutls-devel] GnuTLS | Fix typo in gnutls_db_set_cache_expiration() docs (!1057) In-Reply-To: References: Message-ID: Merge Request !1057 was merged Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/1057 Project:Branches: TheRealMichaelCatanzaro/gnutls:mcatanzaro/typo to gnutls/gnutls:master Author: Michael Catanzaro Assignees: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1057 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Aug 14 09:35:03 2019 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 14 Aug 2019 07:35:03 +0000 Subject: [gnutls-devel] GnuTLS | wrong text relocations on i386 due to non-PIC assembly (#818) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos commented: Is it possible to address this on our copy? I am on holidays at this point so i cannot get into it soon. Would you like to propose an MR? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/818#note_203492186 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Aug 14 16:14:48 2019 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 14 Aug 2019 14:14:48 +0000 Subject: [gnutls-devel] GnuTLS | wrong text relocations on i386 due to non-PIC assembly (#818) In-Reply-To: References: Message-ID: Andreas Metzler commented: This would work. It uses GNU-make idioms, is this a problem? ```diff diff --git a/cfg.mk b/cfg.mk index ff79dbf2ed..dfa9857418 100644 --- a/cfg.mk +++ b/cfg.mk 
@@ -143,6 +143,8 @@ ASM_SOURCES_XXX := \ lib/accelerated/x86/XXX/aes-ssse3-x86.s \ lib/accelerated/x86/XXX/aes-ssse3-x86_64.s +PL_NEEDS_FPIC := aesni-x86.s + ASM_SOURCES_ELF := $(subst XXX,elf,$(ASM_SOURCES_XXX)) ASM_SOURCES_COFF := $(subst XXX,coff,$(ASM_SOURCES_XXX)) ASM_SOURCES_MACOSX := $(subst XXX,macosx,$(ASM_SOURCES_XXX)) @@ -193,7 +195,9 @@ lib/accelerated/x86/files.mk: $(ASM_SOURCES_ELF) # Appro's code lib/accelerated/x86/elf/%.s: devel/perlasm/%.pl .submodule.stamp - CC=gcc perl $< elf $@.tmp + CC=gcc perl $< elf \ + $(if $(findstring $(@F),$(PL_NEEDS_FPIC)),-fPIC) \ + $@.tmp cat $<.license $@.tmp > $@ && rm -f $@.tmp echo "" >> $@ echo ".section .note.GNU-stack,\"\",%progbits" >> $@ ``` -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/818#note_203669643 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Aug 14 21:11:11 2019 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 14 Aug 2019 19:11:11 +0000 Subject: [gnutls-devel] GnuTLS | wrong text relocations on i386 due to non-PIC assembly (#818) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos commented: I think it is reasonable to require gnu make to generate these files. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/818#note_203775683 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Aug 15 06:31:20 2019 
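Review bot: the `PL_NEEDS_FPIC := aesni-x86.s` line in the first hunk carries no comment, so nothing in cfg.mk tells the next reader why exactly one script gets `-fPIC` (the `picmeup` call in aesni-x86.pl emits an absolute `leal OPENSSL_ia32cap_P,%ebp` unless `-fPIC` is on the perl command line, while the other .pl files do not build with it, as worked out earlier in this issue); a one-line comment with a pointer to #818 would keep the allowlist from being "simplified" away later. It is also worth stating whether the coff and macosx rules need the same treatment, since only the elf rule is touched.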
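Review bot: `$(findstring $(@F),$(PL_NEEDS_FPIC))` in the second hunk is a substring match, so any target whose basename is a substring of a listed entry would also receive `-fPIC`; `$(if $(filter $(@F),$(PL_NEEDS_FPIC)),-fPIC)` compares whole words and is the usual idiom for an allowlist. Since the flag is only honoured by perlasm's `/\-[fK]PIC/i` scan, a check in the test suite (`readelf -d libgnutls.so | grep TEXTREL`, or a grep of the regenerated `.s` for `leal OPENSSL_ia32cap_P,`) would catch the regression if the submodule is bumped and the list goes stale.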
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 15 Aug 2019 04:31:20 +0000 Subject: [gnutls-devel] GnuTLS | MINGW : multiple definition of `inet_ntop' (#800) In-Reply-To: References: Message-ID: GnuTLS bot commented: @StalderT This issue was marked as needinfo with no update for long time. We are now closing it, but please re-open if it is still relevant. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/800#note_203860672 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Aug 15 06:31:21 2019 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 15 Aug 2019 04:31:21 +0000 Subject: [gnutls-devel] GnuTLS | MINGW : multiple definition of `inet_ntop' (#800) In-Reply-To: References: Message-ID: Issue was closed by GnuTLS bot Issue #800: https://gitlab.com/gnutls/gnutls/issues/800 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/800 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Aug 15 15:55:48 2019 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 15 Aug 2019 13:55:48 +0000 Subject: [gnutls-devel] GnuTLS | Do not auto-update Copyright year (!1058) References: Message-ID: Bernhard M. Wiedemann created a merge request: https://gitlab.com/gnutls/gnutls/merge_requests/1058 Project:Branches: bmwiedemann/gnutls:datev2 to gnutls/gnutls:master Author: Bernhard M. Wiedemann Assignees: Do not auto-update Copyright year, in order to make builds reproducible. See https://reproducible-builds.org/ for why this is good. Fixes: #928 When someone does a change in a new year, the `args-std.def.in` can be updated in the same commit. ## Checklist * [X] Commits have `Signed-off-by:` with name/author being identical to the commit author * [X] Code modified for feature * [ ] Test suite updated with functionality tests * [ ] Test suite updated with negative tests * [ ] Documentation updated / NEWS entry present (for non-trivial changes) * [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout) ## Reviewer's checklist: * [ ] Any issues marked for closing are addressed * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md` * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1058 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Aug 15 16:06:43 2019 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 15 Aug 2019 14:06:43 +0000 Subject: [gnutls-devel] GnuTLS | Do not auto-update Copyright year (!1058) In-Reply-To: References: Message-ID: Bernhard M. Wiedemann commented: @rockdaboot @nmav - IMHO this should be good to merge. It is not often that one can solve issues by deleting code ;-) -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1058#note_204046772 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Aug 15 16:19:54 2019 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 15 Aug 2019 14:19:54 +0000 Subject: [gnutls-devel] GnuTLS | Do not auto-update Copyright year (!1058) In-Reply-To: References: Message-ID: Tim Rühsen started a new discussion on configure.ac: https://gitlab.com/gnutls/gnutls/merge_requests/1058#note_204052824 > AC_DEFINE([read_file], [_gnutls_read_file], [static lib rename]) > AC_DEFINE([read_binary_file], [_gnutls_read_binary_file], [static lib rename]) > > -dnl Some variables needed in makefiles > -YEAR=`date +%Y` Yes you are right regarding reproducible builds. The real issue here is `date +%Y` which should be replaced by '2019' (and increased every year as we do at other places). Could you update the MR, so that only this line is changed *plus* a comment why the year should only be manually changed !? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1058#note_204052824 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Aug 15 20:31:15 2019 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 15 Aug 2019 18:31:15 +0000 Subject: [gnutls-devel] GnuTLS | Do not auto-update Copyright year (!1058) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos commented: This seems to add busywork though and busywork which is hard to find. Cannot we have reproducible builds while at the same time eliminating such busywork? The reason this is automated is because in the past that file did not get updated for several years and this commit does not seem to address that problem. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1058#note_204137820 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Aug 15 20:39:26 2019 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 15 Aug 2019 18:39:26 +0000 Subject: [gnutls-devel] GnuTLS | Do not auto-update Copyright year (!1058) In-Reply-To: References: Message-ID: Tim Rühsen commented on a discussion: https://gitlab.com/gnutls/gnutls/merge_requests/1058#note_204139566 These are two issues then. What exactly are you doing when updating the copyright ? Maybe we can extend that with a small sed command !? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1058#note_204139566 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Aug 15 21:17:53 2019 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 15 Aug 2019 19:17:53 +0000 Subject: [gnutls-devel] GnuTLS | Do not auto-update Copyright year (!1058) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos commented: For the code I changed nothing; the copyright was automatically updated. Do we need reproducible builds for released code or for the devel repository too? If it is for released code, maybe bootstrap could handle it? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1058#note_204148830 From gnutls-devel at lists.gnutls.org Fri Aug 16 10:11:40 2019 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 16 Aug 2019 08:11:40 +0000 Subject: [gnutls-devel] GnuTLS | Do not auto-update Copyright year (!1058) In-Reply-To: References: Message-ID: Bernhard M. Wiedemann commented on a discussion: https://gitlab.com/gnutls/gnutls/merge_requests/1058#note_204346398 Also, you do not **need** to update the copyright every year. It only expires after 70+ years, so the busywork is rather limited. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1058#note_204346398 From gnutls-devel at lists.gnutls.org Fri Aug 16 10:52:44 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 16 Aug 2019 08:52:44 +0000 Subject: [gnutls-devel] GnuTLS | GitLab config: Job 'Debian.cross.i686-linux-gnu' is retried in case of failures (#819) References: Message-ID: Sebastian P. created an issue: To fully benefit from the advantages of CI/CD, developers need to follow certain principles. Many of these principles were introduced in the landmark book [Continuous Delivery: Reliable Software Releases through Build, Test, and Deployment Automation](https://www.oreilly.com/library/view/continuous-delivery-reliable/9780321670250/) and are nowadays widely accepted. One of these principles is: > The build process has to be deterministic. Flaky behavior, e.g., tests that sometimes fail, should be avoided at all cost, because this causes maintenance issues. However, addressing this issue through retries after failures might not only hide the underlying problem, but also makes issues harder to debug when they only occur sometimes. **Problem**: We analyzed your project and found that the file [.gitlab-ci.yml](https://gitlab.com/gnutls/gnutls/blob/master/.gitlab-ci.yml#L524) (line 524) violates this principle. The job `Debian.cross.i686-linux-gnu` (in stage `stage1-testing`) is set to be retried in case of failures: ``` Debian.cross.i686-linux-gnu: ... retry: 1 ... ``` **Suggested Fix:** Remove ```retry: 1``` from the job definition, or consider adding the option ```when``` to specify the failure cases (e.g., ```runner_system_failure```) in which the job can be retried without hiding flaky tests. **Disclaimer:** This issue has been automatically reported by [CD-Linter](https://bitbucket.org/sealuzh/cd-linter/), a tool developed at the [University of Zurich](https://www.uzh.ch/) that detects CI/CD violations in the GitLab CI/CD pipeline configuration. We are currently evaluating the effectiveness of our tool and we are monitoring this issue.
*Please up/downvote this issue to indicate whether you agree/disagree with the report.* -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/819 From gnutls-devel at lists.gnutls.org Fri Aug 16 14:41:51 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 16 Aug 2019 12:41:51 +0000 Subject: [gnutls-devel] libtasn1 | GitLab config: Job 'x86' is retried in case of failures (#23) References: Message-ID: Sebastian P. created an issue: To fully benefit from the advantages of CI/CD, developers need to follow certain principles. Many of these principles were introduced in the landmark book [Continuous Delivery: Reliable Software Releases through Build, Test, and Deployment Automation](https://www.oreilly.com/library/view/continuous-delivery-reliable/9780321670250/) and are nowadays widely accepted. One of these principles is: > The build process has to be deterministic. Flaky behavior, e.g., tests that sometimes fail, should be avoided at all cost, because this causes maintenance issues. However, addressing this issue through retries after failures might not only hide the underlying problem, but also makes issues harder to debug when they only occur sometimes. **Problem**: We analyzed your project and found that the file [.gitlab-ci.yml](https://gitlab.com/gnutls/libtasn1/blob/master/.gitlab-ci.yml#L34) (line 34) violates this principle. The job `x86` (in stage `test`) is set to be retried in case of failures: ``` x86: ... retry: 1 ... ``` **Suggested Fix:** Remove ```retry: 1``` from the job definition, or consider adding the option ```when``` to specify the failure cases (e.g., ```runner_system_failure```) in which the job can be retried without hiding flaky tests. **Disclaimer:** This issue has been automatically reported by [CD-Linter](https://bitbucket.org/sealuzh/cd-linter/), a tool developed at the [University of Zurich](https://www.uzh.ch/) that detects CI/CD violations in the GitLab CI/CD pipeline configuration. We are currently evaluating the effectiveness of our tool and we are monitoring this issue.
*Please up/downvote this issue to indicate whether you agree/disagree with the report.* -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/issues/23 From gnutls-devel at lists.gnutls.org Tue Aug 20 20:55:15 2019 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 20 Aug 2019 18:55:15 +0000 Subject: [gnutls-devel] GnuTLS | GnuTLS asm accelerated crypto for PowerPC (ppc64le) (#820) References: Message-ID: John Martinez created an issue: ## Description of the feature: GnuTLS seems to inherit OpenSSL's accelerated crypto .pl scripts for asm generation, and then incorporates them in its own releases. Specifically cryptogams, also available at `https://www.openssl.org/~appro/cryptogams/ [1]`. However, it appears that they do not currently inherit the PowerPC (ppc64le) accelerations. ## Is this feature implemented in other libraries (and which) Yes, OpenSSL (please see `[1]` above) -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/820 From gnutls-devel at lists.gnutls.org Sun Aug 25 06:06:06 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sun, 25 Aug 2019 04:06:06 +0000 Subject: [gnutls-devel] GnuTLS | Do not auto-update Copyright year (!1058) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos commented: Unless we have a better proposal, I think the automation should stay, on bootstrap instead of at config time. That way reproducible builds on releases are achieved and no additional busywork is introduced. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1058#note_207726683 From gnutls-devel at lists.gnutls.org Sun Aug 25 06:13:52 2019 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sun, 25 Aug 2019 04:13:52 +0000 Subject: [gnutls-devel] GnuTLS | Do not auto-update Copyright year (!1058) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos commented: The reason this must be updated every year is that it is printed by every tool and visible to users. An old copyright year gives the incorrect impression of a neglected or very old tool. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1058#note_207726979 From gnutls-devel at lists.gnutls.org Tue Aug 27 14:20:15 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 27 Aug 2019 12:20:15 +0000 Subject: [gnutls-devel] GnuTLS | Missing CLI/API for testing digest (#821) References: Message-ID: Ondrej Moris created an issue: ## Description of the feature: It would be useful (e.g. for interoperability testing) to have a CLI/API for getting a message/file digest by specifying not only the algorithm but also its options. It should also support SHA3 and SHAKE. In other words, we are looking for the equivalent of `openssl dgst -sha3-256 -mac hmac -macopt hexkey:010203040506 file` ## Applications that this feature may be relevant to: Interoperability testing. ## Is this feature implemented in other libraries (and which) Yes, openssl (see above). -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/821 From gnutls-devel at lists.gnutls.org Tue Aug 27 23:17:47 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 27 Aug 2019 21:17:47 +0000 Subject: [gnutls-devel] GnuTLS | Support for raw public keys for gnutls-cli and gnutls-serv (!1059) References: Message-ID: Tom created a merge request: https://gitlab.com/gnutls/gnutls/merge_requests/1059 Project:Branches: Vrancken/gnutls:tmp_gnutls-cli/srv_rawpk_support to gnutls/gnutls:master Author: Tom Assignees: This MR adds functionality for gnutls-cli and gnutls-serv to handle raw public keys during the handshake. ## Checklist * [ ] Commits have `Signed-off-by:` with name/author being identical to the commit author * [ ] Code modified for feature * [ ] Test suite updated with functionality tests * [ ] Test suite updated with negative tests * [ ] Documentation updated / NEWS entry present (for non-trivial changes) * [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout) ## Reviewer's checklist: * [ ] Any issues marked for closing are addressed * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md` * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1059 From gnutls-devel at lists.gnutls.org Wed Aug 28 12:53:29 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 28 Aug 2019 10:53:29 +0000 Subject: [gnutls-devel] GnuTLS | Session resumption fails against GCS after a few hours of inactivity (#822) References: Message-ID: Kostis Lolos created an issue: ## Description of problem: After a few hours of session inactivity, requests towards `Google Cloud Storage` using `libcurl` and `libgnutls` fail with the following error: > gnutls_handshake() failed: An unexpected TLS packet was received. ## Version of gnutls used: 3.3.30 ## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL) libgnutls-openssl27 3.3.30-0+deb8u1 (from Debian jessie/updates) ## How reproducible: The problem seems to happen consistently when trying to resume a session that is more than a few hours old. In particular: * Connect to GCS via libcurl+libgnutls from within a GKE container. Everything seems to be working as expected for a while, including session resumption. * A few hours later, attempt to issue a request. Session resumption fails with the above error. Note that this seems to always happen after a few hours, and once it happens it never recovers. ## Actual results: Here are the logs from a failed attempt to resume a session: ``` * Connection 0 seems to be dead!
* Closing connection 0 gnutls[3]: ASSERT: gnutls_buffers.c:679 gnutls[5]: REC: Sending Alert[1|0] - Close notify gnutls[5]: REC[0x7f4430464870]: Preparing Packet Alert(21) with length: 2 and min pad: 0 gnutls[9]: ENC[0x7f4430464870]: cipher: AES-128-GCM, MAC: AEAD, Epoch: 1 gnutls[5]: REC[0x7f4430464870]: Sent Packet[11] Alert(21) in epoch 1 and length: 31 gnutls[3]: ASSERT: gnutls_buffers.c:576 gnutls[3]: ASSERT: gnutls_record.c:1063 gnutls[3]: ASSERT: gnutls_record.c:1184 gnutls[3]: ASSERT: gnutls_record.c:1363 gnutls[5]: REC[0x7f4430464870]: Start of epoch cleanup gnutls[5]: REC[0x7f4430464870]: End of epoch cleanup gnutls[5]: REC[0x7f4430464870]: Epoch #1 freed * Hostname was NOT found in DNS cache * Trying 74.125.71.128... * TCP_NODELAY set * Connected to storage.googleapis.com (74.125.71.128) port 443 (#1) gnutls[3]: ASSERT: common.c:1106 gnutls[3]: ASSERT: common.c:1106 gnutls[3]: ASSERT: common.c:1106 gnutls[3]: ASSERT: common.c:1106 gnutls[3]: ASSERT: common.c:1106 gnutls[3]: ASSERT: common.c:1106 gnutls[3]: ASSERT: common.c:1106 gnutls[3]: ASSERT: common.c:1106 gnutls[3]: ASSERT: common.c:1106 gnutls[3]: ASSERT: common.c:1106 gnutls[3]: ASSERT: common.c:1106 gnutls[3]: ASSERT: common.c:1106 gnutls[3]: ASSERT: common.c:1106 gnutls[3]: ASSERT: common.c:1106 gnutls[3]: ASSERT: common.c:1106 gnutls[3]: ASSERT: common.c:1106 gnutls[3]: ASSERT: common.c:1106 gnutls[3]: ASSERT: common.c:1106 gnutls[3]: ASSERT: common.c:1106 gnutls[3]: ASSERT: common.c:1106 gnutls[3]: ASSERT: common.c:1106 gnutls[3]: ASSERT: common.c:1106 gnutls[3]: ASSERT: common.c:1106 gnutls[3]: ASSERT: common.c:1106 gnutls[3]: ASSERT: common.c:1106 gnutls[3]: ASSERT: common.c:1106 gnutls[3]: ASSERT: common.c:1923 gnutls[3]: ASSERT: common.c:1923 gnutls[3]: ASSERT: common.c:1923 gnutls[3]: ASSERT: common.c:1106 gnutls[3]: ASSERT: common.c:1106 gnutls[3]: ASSERT: common.c:1106 gnutls[3]: ASSERT: common.c:1106 gnutls[3]: ASSERT: common.c:1106 gnutls[3]: ASSERT: common.c:1106 gnutls[3]: ASSERT: 
common.c:1106 gnutls[3]: ASSERT: common.c:1106 gnutls[3]: ASSERT: common.c:1106 gnutls[3]: ASSERT: common.c:1106 gnutls[3]: ASSERT: common.c:1106 gnutls[3]: ASSERT: common.c:1106 gnutls[3]: ASSERT: common.c:1106 gnutls[3]: ASSERT: common.c:1106 * found 153 certificates in /etc/ssl/certs/ca-certificates.crt gnutls[5]: REC[0x7f44184758a0]: Allocating epoch #0 gnutls[3]: ASSERT: gnutls_session_pack.c:875 gnutls[3]: ASSERT: gnutls_session_pack.c:254 gnutls[3]: ASSERT: gnutls_session.c:217 * SSL re-using session ID gnutls[3]: ASSERT: gnutls_constate.c:586 gnutls[5]: REC[0x7f44184758a0]: Allocating epoch #1 gnutls[4]: HSK[0x7f44184758a0]: Keeping ciphersuite: ECDHE_ECDSA_AES_128_GCM_SHA256 (C0.2B) gnutls[4]: HSK[0x7f44184758a0]: Keeping ciphersuite: ECDHE_ECDSA_AES_256_GCM_SHA384 (C0.2C) gnutls[4]: HSK[0x7f44184758a0]: Keeping ciphersuite: ECDHE_ECDSA_CAMELLIA_128_GCM_SHA256 (C0.86) gnutls[4]: HSK[0x7f44184758a0]: Keeping ciphersuite: ECDHE_ECDSA_CAMELLIA_256_GCM_SHA384 (C0.87) gnutls[4]: HSK[0x7f44184758a0]: Keeping ciphersuite: ECDHE_ECDSA_AES_128_CBC_SHA1 (C0.09) gnutls[4]: HSK[0x7f44184758a0]: Keeping ciphersuite: ECDHE_ECDSA_AES_256_CBC_SHA1 (C0.0A) gnutls[4]: HSK[0x7f44184758a0]: Keeping ciphersuite: ECDHE_ECDSA_3DES_EDE_CBC_SHA1 (C0.08) gnutls[4]: HSK[0x7f44184758a0]: Keeping ciphersuite: ECDHE_RSA_AES_128_GCM_SHA256 (C0.2F) gnutls[4]: HSK[0x7f44184758a0]: Keeping ciphersuite: ECDHE_RSA_AES_256_GCM_SHA384 (C0.30) gnutls[4]: HSK[0x7f44184758a0]: Keeping ciphersuite: ECDHE_RSA_CAMELLIA_128_GCM_SHA256 (C0.8A) gnutls[4]: HSK[0x7f44184758a0]: Keeping ciphersuite: ECDHE_RSA_CAMELLIA_256_GCM_SHA384 (C0.8B) gnutls[4]: HSK[0x7f44184758a0]: Keeping ciphersuite: ECDHE_RSA_AES_128_CBC_SHA1 (C0.13) gnutls[4]: HSK[0x7f44184758a0]: Keeping ciphersuite: ECDHE_RSA_AES_256_CBC_SHA1 (C0.14) gnutls[4]: HSK[0x7f44184758a0]: Keeping ciphersuite: ECDHE_RSA_3DES_EDE_CBC_SHA1 (C0.12) gnutls[4]: HSK[0x7f44184758a0]: Keeping ciphersuite: RSA_AES_128_GCM_SHA256 (00.9C) gnutls[4]: 
HSK[0x7f44184758a0]: Keeping ciphersuite: RSA_AES_256_GCM_SHA384 (00.9D) gnutls[4]: HSK[0x7f44184758a0]: Keeping ciphersuite: RSA_CAMELLIA_128_GCM_SHA256 (C0.7A) gnutls[4]: HSK[0x7f44184758a0]: Keeping ciphersuite: RSA_CAMELLIA_256_GCM_SHA384 (C0.7B) gnutls[4]: HSK[0x7f44184758a0]: Keeping ciphersuite: RSA_AES_128_CBC_SHA1 (00.2F) gnutls[4]: HSK[0x7f44184758a0]: Keeping ciphersuite: RSA_AES_256_CBC_SHA1 (00.35) gnutls[4]: HSK[0x7f44184758a0]: Keeping ciphersuite: RSA_CAMELLIA_128_CBC_SHA1 (00.41) gnutls[4]: HSK[0x7f44184758a0]: Keeping ciphersuite: RSA_CAMELLIA_256_CBC_SHA1 (00.84) gnutls[4]: HSK[0x7f44184758a0]: Keeping ciphersuite: RSA_3DES_EDE_CBC_SHA1 (00.0A) gnutls[4]: HSK[0x7f44184758a0]: Keeping ciphersuite: DHE_RSA_AES_128_GCM_SHA256 (00.9E) gnutls[4]: HSK[0x7f44184758a0]: Keeping ciphersuite: DHE_RSA_AES_256_GCM_SHA384 (00.9F) gnutls[4]: HSK[0x7f44184758a0]: Keeping ciphersuite: DHE_RSA_CAMELLIA_128_GCM_SHA256 (C0.7C) gnutls[4]: HSK[0x7f44184758a0]: Keeping ciphersuite: DHE_RSA_CAMELLIA_256_GCM_SHA384 (C0.7D) gnutls[4]: HSK[0x7f44184758a0]: Keeping ciphersuite: DHE_RSA_AES_128_CBC_SHA1 (00.33) gnutls[4]: HSK[0x7f44184758a0]: Keeping ciphersuite: DHE_RSA_AES_256_CBC_SHA1 (00.39) gnutls[4]: HSK[0x7f44184758a0]: Keeping ciphersuite: DHE_RSA_CAMELLIA_128_CBC_SHA1 (00.45) gnutls[4]: HSK[0x7f44184758a0]: Keeping ciphersuite: DHE_RSA_CAMELLIA_256_CBC_SHA1 (00.88) gnutls[4]: HSK[0x7f44184758a0]: Keeping ciphersuite: DHE_RSA_3DES_EDE_CBC_SHA1 (00.16) gnutls[4]: HSK[0x7f44184758a0]: Keeping ciphersuite: DHE_DSS_AES_128_GCM_SHA256 (00.A2) gnutls[4]: HSK[0x7f44184758a0]: Keeping ciphersuite: DHE_DSS_AES_256_GCM_SHA384 (00.A3) gnutls[4]: HSK[0x7f44184758a0]: Keeping ciphersuite: DHE_DSS_CAMELLIA_128_GCM_SHA256 (C0.80) gnutls[4]: HSK[0x7f44184758a0]: Keeping ciphersuite: DHE_DSS_CAMELLIA_256_GCM_SHA384 (C0.81) gnutls[4]: HSK[0x7f44184758a0]: Keeping ciphersuite: DHE_DSS_AES_128_CBC_SHA1 (00.32) gnutls[4]: HSK[0x7f44184758a0]: Keeping ciphersuite: 
DHE_DSS_AES_256_CBC_SHA1 (00.38) gnutls[4]: HSK[0x7f44184758a0]: Keeping ciphersuite: DHE_DSS_CAMELLIA_128_CBC_SHA1 (00.44) gnutls[4]: HSK[0x7f44184758a0]: Keeping ciphersuite: DHE_DSS_CAMELLIA_256_CBC_SHA1 (00.87) gnutls[4]: HSK[0x7f44184758a0]: Keeping ciphersuite: DHE_DSS_3DES_EDE_CBC_SHA1 (00.13) gnutls[4]: HSK[0x7f44184758a0]: Removing ciphersuite: SRP_SHA_AES_128_CBC_SHA1 gnutls[4]: HSK[0x7f44184758a0]: Removing ciphersuite: SRP_SHA_AES_256_CBC_SHA1 gnutls[4]: HSK[0x7f44184758a0]: Removing ciphersuite: SRP_SHA_3DES_EDE_CBC_SHA1 gnutls[4]: EXT[0x7f44184758a0]: Sending extension STATUS REQUEST (5 bytes) gnutls[4]: EXT[0x7f44184758a0]: Sending extension SERVER NAME (27 bytes) gnutls[4]: EXT[0x7f44184758a0]: Sending extension SAFE RENEGOTIATION (1 bytes) gnutls[4]: EXT[0x7f44184758a0]: Sending extension SESSION TICKET (0 bytes) gnutls[4]: EXT[0x7f44184758a0]: Sending extension SUPPORTED ECC (12 bytes) gnutls[4]: EXT[0x7f44184758a0]: Sending extension SUPPORTED ECC POINT FORMATS (2 bytes) gnutls[4]: EXT[0x7f44184758a0]: sent signature algo (4.1) RSA-SHA256 gnutls[4]: EXT[0x7f44184758a0]: sent signature algo (4.2) DSA-SHA256 gnutls[4]: EXT[0x7f44184758a0]: sent signature algo (4.3) ECDSA-SHA256 gnutls[4]: EXT[0x7f44184758a0]: sent signature algo (5.1) RSA-SHA384 gnutls[4]: EXT[0x7f44184758a0]: sent signature algo (5.3) ECDSA-SHA384 gnutls[4]: EXT[0x7f44184758a0]: sent signature algo (6.1) RSA-SHA512 gnutls[4]: EXT[0x7f44184758a0]: sent signature algo (6.3) ECDSA-SHA512 gnutls[4]: EXT[0x7f44184758a0]: sent signature algo (3.1) RSA-SHA224 gnutls[4]: EXT[0x7f44184758a0]: sent signature algo (3.2) DSA-SHA224 gnutls[4]: EXT[0x7f44184758a0]: sent signature algo (3.3) ECDSA-SHA224 gnutls[4]: EXT[0x7f44184758a0]: sent signature algo (2.1) RSA-SHA1 gnutls[4]: EXT[0x7f44184758a0]: sent signature algo (2.2) DSA-SHA1 gnutls[4]: EXT[0x7f44184758a0]: sent signature algo (2.3) ECDSA-SHA1 gnutls[4]: EXT[0x7f44184758a0]: Sending extension SIGNATURE ALGORITHMS (28 bytes) gnutls[4]: 
HSK[0x7f44184758a0]: CLIENT HELLO was queued [262 bytes] gnutls[5]: REC[0x7f44184758a0]: Preparing Packet Handshake(22) with length: 262 and min pad: 0 gnutls[9]: ENC[0x7f44184758a0]: cipher: NULL, MAC: MAC-NULL, Epoch: 0 gnutls[5]: REC[0x7f44184758a0]: Sent Packet[1] Handshake(22) in epoch 0 and length: 267 gnutls[3]: ASSERT: gnutls_buffers.c:1139 gnutls[3]: ASSERT: gnutls_buffers.c:572 gnutls[3]: ASSERT: gnutls_buffers.c:1139 gnutls[5]: REC[0x7f44184758a0]: SSL 3.3 Handshake packet received. Epoch 0, length: 87 gnutls[5]: REC[0x7f44184758a0]: Expected Packet Handshake(22) gnutls[5]: REC[0x7f44184758a0]: Received Packet Handshake(22) with length: 87 gnutls[5]: REC[0x7f44184758a0]: Decrypted Packet[0] Handshake(22) with length: 87 gnutls[4]: HSK[0x7f44184758a0]: SERVER HELLO (2) was received. Length 83[83], frag offset 0, frag length: 83, sequence: 0 gnutls[4]: HSK[0x7f44184758a0]: Server's version: 3.3 gnutls[4]: HSK[0x7f44184758a0]: SessionID length: 32 gnutls[4]: HSK[0x7f44184758a0]: SessionID: a19f24559997b30f74681ade21bea07216b8c9f465045160fd899b4e9e5b6260 gnutls[4]: HSK[0x7f44184758a0]: Selected cipher suite: ECDHE_RSA_AES_128_GCM_SHA256 gnutls[4]: HSK[0x7f44184758a0]: Selected compression method: NULL (0) gnutls[4]: EXT[0x7f44184758a0]: Parsing extension 'SAFE RENEGOTIATION/65281' (1 bytes) gnutls[4]: EXT[0x7f44184758a0]: Parsing extension 'SUPPORTED ECC POINT FORMATS/11' (2 bytes) gnutls[4]: HSK[0x7f44184758a0]: Safe renegotiation succeeded gnutls[3]: ASSERT: gnutls_buffers.c:1139 gnutls[5]: REC[0x7f44184758a0]: SSL 3.3 ChangeCipherSpec packet received. 
Epoch 0, length: 1 gnutls[5]: REC[0x7f44184758a0]: Expected Packet Handshake(22) gnutls[5]: REC[0x7f44184758a0]: Received Packet ChangeCipherSpec(20) with length: 1 gnutls[5]: REC[0x7f44184758a0]: Decrypted Packet[1] ChangeCipherSpec(20) with length: 1 gnutls[3]: ASSERT: gnutls_record.c:815 gnutls[3]: ASSERT: gnutls_record.c:1327 gnutls[3]: ASSERT: gnutls_buffers.c:1393 gnutls[3]: ASSERT: gnutls_handshake.c:1440 gnutls[3]: ASSERT: gnutls_kx.c:630 gnutls[3]: ASSERT: gnutls_handshake.c:2757 * gnutls_handshake() failed: An unexpected TLS packet was received. * Closing connection 1 gnutls[3]: ASSERT: gnutls_record.c:342 gnutls[5]: REC[0x7f44184758a0]: Start of epoch cleanup gnutls[5]: REC[0x7f44184758a0]: End of epoch cleanup gnutls[5]: REC[0x7f44184758a0]: Epoch #0 freed gnutls[5]: REC[0x7f44184758a0]: Epoch #1 freed ``` The relevant strace is the following: ``` 3520963 sendto(21, "\26\3\1\1\6\1\0\1\2\3\3]f@k\227\237\201\236}\30m\240Y\207\315C\205%Vb\340 \346|\301\206\320EV\271\202I \241\237$U\231\227\263\17th\32\336!\276\240r\26\270\311\364e\4Q`\375\211\233N\236[b`\0R\300+\300,\300\206\300\207\300\t\300\n\300\10\300/\3000\300\212\300\213\300\23\300\24\300\22\0\234\0\235\300z\300{\0/\0005\0A\0\204\0\n\0\236\0\237\300|\300}\0003\0009\0E\0\210\0\26\0\242\0\243\300\200\300\201\0002\0008\0D\0\207\0\23\1\0\0g\0\5\0\5\1\0\0\0\0\0\0\0\33\0\31\0\0\26storage.googleapis.com\377\1\0\1\0\0#\0\0\0\n\0\f\0\n\0\27\0\30\0\31\0\25\0\23\0\v\0\2\1\0\0\r\0\34\0\32\4\1\4\2\4\3\5\1\5\3\6\1\6\3\3\1\3\2\3\3\2\1\2\2\2\3", 267, MSG_NOSIGNAL, NULL, 0) = 267 3520963 write(2, "gnutls[3]: ASSERT: gnutls_buffers.c:1139\n", 41) = 41 3520963 recvfrom(21, 0x7f441802b0d0, 5, 0, NULL, NULL) = -1 EAGAIN (Resource temporarily unavailable) 3520963 write(2, "gnutls[3]: ASSERT: gnutls_buffers.c:572\n", 40) = 40 3520963 poll([{fd=21, events=POLLIN|POLLPRI|POLLRDNORM|POLLRDBAND}], 1, 0) = 0 (Timeout) 3520963 poll([{fd=21, events=POLLIN|POLLPRI|POLLRDNORM|POLLRDBAND}], 1, 0) = 0 (Timeout) 3520963
poll([{fd=21, events=POLLIN}], 1, 186) = 1 ([{fd=21, revents=POLLIN}]) 3520963 poll([{fd=21, events=POLLIN|POLLPRI|POLLRDNORM|POLLRDBAND}], 1, 0) = 1 ([{fd=21, revents=POLLIN|POLLRDNORM}]) 3520963 write(2, "gnutls[3]: ASSERT: gnutls_buffers.c:1139\n", 41) = 41 3520963 recvfrom(21, "\26\3\3\0W", 5, 0, NULL, NULL) = 5 3520963 write(2, "gnutls[5]: REC[0x7f44184758a0]: SSL 3.3 Handshake packet received. Epoch 0, length: 87\n", 87) = 87 3520963 write(2, "gnutls[5]: REC[0x7f44184758a0]: Expected Packet Handshake(22)\n", 62) = 62 3520963 write(2, "gnutls[5]: REC[0x7f44184758a0]: Received Packet Handshake(22) with length: 87\n", 78) = 78 3520963 recvfrom(21, "\2\0\0S\3\3]f@5,g|\224\\\f'N\217\240\0\232\265\221V\1\3755]5DOWNGRD\1 \241\237$U\231\227\263\17th\32\336!\276\240r\26\270\311\364e\4Q`\375\211\233N\236[b`\300/\0\0\v\377\1\0\1\0\0\v\0\2\1\0", 87, 0, NULL, NULL) = 87 3520963 write(2, "gnutls[5]: REC[0x7f44184758a0]: Decrypted Packet[0] Handshake(22) with length: 87\n", 82) = 82 3520963 write(2, "gnutls[4]: HSK[0x7f44184758a0]: SERVER HELLO (2) was received.
Length 83[83], frag offset 0, frag length: 83, sequence: 0\n", 122) = 122 3520963 write(2, "gnutls[4]: HSK[0x7f44184758a0]: Server's version: 3.3\n", 54) = 54 3520963 write(2, "gnutls[4]: HSK[0x7f44184758a0]: SessionID length: 32\n", 53) = 53 3520963 write(2, "gnutls[4]: HSK[0x7f44184758a0]: SessionID: a19f24559997b30f74681ade21bea07216b8c9f465045160fd899b4e9e5b6260\n", 108) = 108 3520963 write(2, "gnutls[4]: HSK[0x7f44184758a0]: Selected cipher suite: ECDHE_RSA_AES_128_GCM_SHA256\n", 84) = 84 3520963 write(2, "gnutls[4]: HSK[0x7f44184758a0]: Selected compression method: NULL (0)\n", 70) = 70 3520963 write(2, "gnutls[4]: EXT[0x7f44184758a0]: Parsing extension 'SAFE RENEGOTIATION/65281' (1 bytes)\n", 87) = 87 3520963 write(2, "gnutls[4]: EXT[0x7f44184758a0]: Parsing extension 'SUPPORTED ECC POINT FORMATS/11' (2 bytes)\n", 93) = 93 3520963 write(2, "gnutls[4]: HSK[0x7f44184758a0]: Safe renegotiation succeeded\n", 61) = 61 3520963 write(2, "gnutls[3]: ASSERT: gnutls_buffers.c:1139\n", 41) = 41 3520963 recvfrom(21, "\24\3\3\0\1", 5, 0, NULL, NULL) = 5 3520963 write(2, "gnutls[5]: REC[0x7f44184758a0]: SSL 3.3 ChangeCipherSpec packet received. 
Epoch 0, length: 1\n", 93) = 93 3520963 write(2, "gnutls[5]: REC[0x7f44184758a0]: Expected Packet Handshake(22)\n", 62) = 62 3520963 write(2, "gnutls[5]: REC[0x7f44184758a0]: Received Packet ChangeCipherSpec(20) with length: 1\n", 84) = 84 3520963 recvfrom(21, "\1", 1, 0, NULL, NULL) = 1 3520963 write(2, "gnutls[5]: REC[0x7f44184758a0]: Decrypted Packet[1] ChangeCipherSpec(20) with length: 1\n", 88) = 88 3520963 write(2, "gnutls[3]: ASSERT: gnutls_record.c:815\n", 39) = 39 3520963 write(2, "gnutls[3]: ASSERT: gnutls_record.c:1327\n", 40) = 40 3520963 write(2, "gnutls[3]: ASSERT: gnutls_buffers.c:1393\n", 41) = 41 3520963 write(2, "gnutls[3]: ASSERT: gnutls_handshake.c:1440\n", 43) = 43 3520963 write(2, "gnutls[3]: ASSERT: gnutls_kx.c:630\n", 35) = 35 3520963 write(2, "gnutls[3]: ASSERT: gnutls_handshake.c:2757\n", 43) = 43 3520963 write(2, "* ", 2) = 2 3520963 write(2, "gnutls_handshake() failed: An unexpected TLS packet was received.\n", 66) = 66 ``` Since libgnutls does not log the session ID sent via the `ClientHello` packet, here is the corresponding hexdump of the packet from the above strace. 
The packet seems to include the same session ID as the one in the `ServerHello` packet, i.e., `a19f24559997b30f74681ade21bea07216b8c9f465045160fd899b4e9e5b6260`: ``` $ printf "%b" '\26\3\1\1\6\1\0\1\2\3\3]f@k\227\237\201\236}\30m\240Y\207\315C\205%Vb\340 \346|\301\206\320EV\271\202I \241\237$U\231\227\263\17th\32\336!\276\240r\26\270\311\364e\4Q`\375\211\233N\236[b`\0R\300+\300,\300\206\300\207\300\t\300\n\300\10\300/\3000\300\212\300\213\300\23\300\24\300\22\0\234\0\235\300z\300{\0/\0005\0A\0\204\0\n\0\236\0\237\300|\300}\0003\0009\0E\0\210\0\26\0\242\0\243\300\200\300\201\0002\0008\0D\0\207\0\23\1\0\0g\0\5\0\5\1\0\0\0\0\0\0\0\33\0\31\0\0\26storage.googleapis.com\377\1\0\1\0\0#\0\0\0\n\0\f\0\n\0\27\0\30\0\31\0\25\0\23\0\v\0\2\1\0\0\r\0\34\0\32\4\1\4\2\4\3\5\1\5\3\6\1\6\3\3\1\3\2\3\3\2\1\2\2\2\3' | hexdump -C 00000000 16 03 01 01 06 01 00 01 02 03 03 5d 66 40 6b 97 |...........]f@k.| 00000010 9f 81 9e 7d 18 6d a0 59 87 cd 43 85 25 56 62 e0 |...}.m.Y..C.%Vb.| 00000020 20 e6 7c c1 86 d0 45 56 b9 82 49 20 a1 9f 24 55 | .|...EV..I ..$U| 00000030 99 97 b3 0f 74 68 1a de 21 be a0 72 16 b8 c9 f4 |....th..!..r....| 00000040 65 04 51 60 fd 89 9b 4e 9e 5b 62 60 00 52 c0 2b |e.Q`...N.[b`.R.+| 00000050 c0 2c c0 86 c0 87 c0 09 c0 0a c0 08 c0 2f c0 30 |.,.........../.0| 00000060 c0 8a c0 8b c0 13 c0 14 c0 12 00 9c 00 9d c0 7a |...............z| 00000070 c0 7b 00 2f 05 00 41 00 84 00 0a 00 9e 00 9f c0 |.{./..A.........| 00000080 7c c0 7d 03 00 39 00 45 00 88 00 16 00 a2 00 a3 ||.}..9.E........| 00000090 c0 80 c0 81 02 00 38 00 44 00 87 00 13 01 00 00 |......8.D.......| 000000a0 67 00 05 00 05 01 00 00 00 00 00 00 00 1b 00 19 |g...............| 000000b0 00 00 16 73 74 6f 72 61 67 65 2e 67 6f 6f 67 6c |...storage.googl| 000000c0 65 61 70 69 73 2e 63 6f 6d ff 01 00 01 00 00 23 |eapis.com......#| 000000d0 00 00 00 0a 00 0c 00 0a 00 17 00 18 00 19 00 15 |................| 000000e0 00 13 00 0b 00 02 01 00 00 0d 00 1c 00 1a 04 01 |................| 000000f0 04 02 04 03 05 01 05 03
06 01 06 03 03 01 03 02 |................| 00000100 03 03 02 01 02 02 02 03 |........| 00000108 ``` So, if I understand correctly, the server accepted the resumption and responded with a `ChangeCipherSpec`, as expected. However, the client was expecting another `Handshake` packet. Any clues as to what may be causing this? ## Expected results: Expected to successfully resume the session. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/822 From gnutls-devel at lists.gnutls.org Wed Aug 28 22:11:45 2019 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 28 Aug 2019 20:11:45 +0000 Subject: [gnutls-devel] GnuTLS | gnutls_record_send() fails with GNUTLS_E_INVALID_REQUEST (#823) References: Message-ID: Guido Trentalancia created an issue: ## Description of problem: gnutls_record_send() fails with GNUTLS_E_INVALID_REQUEST when loading certain websites in a web browser using gnutls (e.g. Web/Epiphany) ## Version of gnutls used: 3.6.4 up to 3.6.9 ## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL) none (compiled from source) ## How reproducible: Always. Steps to Reproduce: * Start a gnutls-enabled browser such as Web/Epiphany * Browse a website such as www.google.com * The connection fails with GNUTLS_E_INVALID_REQUEST (from glib-networking) ## Actual results: The connection fails with GNUTLS_E_INVALID_REQUEST (from glib-networking) ## Expected results: The connection to the requested website should not fail. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/823 From gnutls-devel at lists.gnutls.org Wed Aug 28 22:16:16 2019
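The comparison that the reporter of issue #822 (above) does by hand, matching the session_id in the ClientHello against the one echoed in the ServerHello, can be done programmatically. The following is an added example written for this thread; it is not GnuTLS code and not the reporter's own script. The two records are constructed from the 267-byte sendto() buffer and the 5+87-byte recvfrom() buffers quoted in the strace, decoding strace's octal escapes directly (so `\0005` is the two bytes 00 35). It parses both hellos, reports whether the server echoed the offered session_id (RFC 5246 section 7.4.1.3, which is what makes ChangeCipherSpec the correct next message from the server), extracts the SNI and the selected suite, and also flags the `DOWNGRD\x01` suffix of the server random: the TLS 1.2 downgrade sentinel of RFC 8446 section 4.1.3, which a TLS 1.3-capable server sets whenever it negotiates TLS 1.2. A client that only offers up to TLS 1.2 has no reason to check that sentinel, so it is reported here for completeness only.

```python
"""Decode the ClientHello/ServerHello pair captured in the issue #822 strace.

Added example for this thread; not GnuTLS code and not the reporter's script.
The two records below are constructed from the sendto()/recvfrom() buffers
quoted in the report, decoding strace's octal escapes directly ("\\0005" is
the two bytes 00 35).
"""
import struct

# RFC 8446 section 4.1.3: a TLS 1.3-capable server that negotiates TLS 1.2 sets
# the last 8 bytes of ServerHello.random to this value.
TLS12_DOWNGRADE_SENTINEL = b"DOWNGRD\x01"

# 267-byte record written by sendto(21, ...) in the strace (constructed from it).
CLIENT_HELLO_RECORD = bytes.fromhex(
    "16030101060100010203035d66406b97"  # record hdr, HS hdr, version, random...
    "9f819e7d186da05987cd4385255662e0"
    "20e67cc186d04556b9824920a19f2455"  # ...random, sid_len=0x20, session_id...
    "9997b30f74681ade21bea07216b8c9f4"
    "65045160fd899b4e9e5b62600052c02b"  # ...session_id, cs_len=0x52, suites...
    "c02cc086c087c009c00ac008c02fc030"
    "c08ac08bc013c014c012009c009dc07a"
    "c07b002f003500410084000a009e009f"
    "c07cc07d0033003900450088001600a2"
    "00a3c080c08100320038004400870013"
    "01000067000500050100000000000000"  # compression, ext_len=0x67, extensions...
    "1b001900001673746f726167652e676f"
    "6f676c65617069732e636f6dff010001"
    "0000230000000a000c000a0017001800"
    "1900150013000b00020100000d001c00"
    "1a040104020403050105030601060303"
    "0103020303020102020203"
)

# 5-byte record header plus the 87-byte ServerHello read by the two recvfrom() calls.
SERVER_HELLO_RECORD = bytes.fromhex(
    "16030300570200005303035d6640352c"
    "677c945c0c274e8fa0009ab5915601fd"
    "355d35444f574e4752440120a19f2455"  # random ends in "DOWNGRD\x01", then sid_len
    "9997b30f74681ade21bea07216b8c9f4"
    "65045160fd899b4e9e5b6260c02f0000"  # ...session_id, suite c02f, compression 0
    "0bff01000100000b00020100"          # ext_len 11: renegotiation_info, ec_point_formats
)


def _u16(buf, off):
    return struct.unpack_from(">H", buf, off)[0]


def parse_hello(record):
    """Parse one TLS record holding a ClientHello (type 1) or ServerHello (type 2).

    Returns version, random, session_id, the cipher suite(s) and a map of
    extension type -> raw extension data. Raises ValueError on truncation.
    """
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a handshake record")
    body = record[5:5 + _u16(record, 3)]
    if len(body) < 4 or len(body) != _u16(record, 3):
        raise ValueError("truncated record")
    hs_type, hs_len = body[0], int.from_bytes(body[1:4], "big")
    msg = body[4:4 + hs_len]
    if len(msg) != hs_len or hs_len < 35:
        raise ValueError("truncated handshake message")
    hello = {"type": hs_type, "version": (msg[0], msg[1]), "random": msg[2:34]}
    sid_len = msg[34]
    hello["session_id"] = msg[35:35 + sid_len]
    off = 35 + sid_len
    if hs_type == 1:
        cs_len = _u16(msg, off)
        off += 2
        hello["cipher_suites"] = [_u16(msg, i) for i in range(off, off + cs_len, 2)]
        off += cs_len
        off += 1 + msg[off]          # skip the compression_methods vector
    elif hs_type == 2:
        hello["cipher_suite"] = _u16(msg, off)
        off += 3                     # selected suite + one compression byte
        hello["tls12_downgrade_sentinel"] = hello["random"].endswith(TLS12_DOWNGRADE_SENTINEL)
    else:
        raise ValueError("unsupported handshake type %d" % hs_type)
    hello["extensions"] = {}
    if off < len(msg):
        end = off + 2 + _u16(msg, off)
        off += 2
        while off < end:
            etype, elen = _u16(msg, off), _u16(msg, off + 2)
            hello["extensions"][etype] = msg[off + 4:off + 4 + elen]
            off += 4 + elen
    return hello


def server_name(client_hello):
    """Host name from the server_name extension (type 0), or None if absent."""
    data = client_hello["extensions"].get(0)
    if not data or len(data) < 5:
        return None
    # ServerNameList: u16 list length, then name_type(1) + u16 length + host_name
    return data[5:5 + _u16(data, 3)].decode("ascii")


def resumption_accepted(client_hello, server_hello):
    """RFC 5246 section 7.4.1.3: the server resumes iff it echoes the non-empty
    session_id the client offered; the next server message is then ChangeCipherSpec."""
    sid = client_hello["session_id"]
    return len(sid) > 0 and sid == server_hello["session_id"]


def expected_next_message(client_hello, server_hello):
    """Message the client must expect right after this ServerHello (certificate-based suites)."""
    return "ChangeCipherSpec" if resumption_accepted(client_hello, server_hello) else "Certificate"


if __name__ == "__main__":
    ch, sh = parse_hello(CLIENT_HELLO_RECORD), parse_hello(SERVER_HELLO_RECORD)
    print("SNI:", server_name(ch))
    print("client session_id:", ch["session_id"].hex())
    print("server session_id:", sh["session_id"].hex())
    print("selected suite: 0x%04x (client offered %d)" % (sh["cipher_suite"], len(ch["cipher_suites"])))
    print("TLS 1.2 downgrade sentinel in server random:", sh["tls12_downgrade_sentinel"])
    print("server resumed:", resumption_accepted(ch, sh), "-> next expect", expected_next_message(ch, sh))
```

Run as a script it prints both session IDs (identical) and "next expect ChangeCipherSpec", which is exactly what the server sent; the same parser can be pointed at any other captured hello pair to tell an abbreviated handshake from a full one before reading the library's debug output.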
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 28 Aug 2019 20:16:16 +0000
Subject: [gnutls-devel] GnuTLS | gnutls_record_send() fails with GNUTLS_E_INVALID_REQUEST (#823)

Guido Trentalancia commented:

Example of a GOOD session browsing https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases (example of a BAD session is provided next):

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/823#note_209493642
From gnutls-devel at lists.gnutls.org Wed Aug 28 22:17:12 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 28 Aug 2019 20:17:12 +0000
Subject: [gnutls-devel] GnuTLS | gnutls_record_send() fails with GNUTLS_E_INVALID_REQUEST (#823)

Guido Trentalancia commented:

Example of a BAD session browsing https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases:

GTLS: The pull function has been replaced but not the pull timeout.
GTLS: ASSERT: buffers.c[_gnutls_io_check_recv]:748
GTLS: ASSERT: buffers.c[_gnutls_stream_read]:337
GTLS: ASSERT: buffers.c[_gnutls_io_read_buffered]:589
GTLS: ASSERT: record.c[recv_headers]:1140
GTLS: ASSERT: record.c[_gnutls_recv_in_buffers]:1271
GTLS: ASSERT: session.c[gnutls_session_get_data2]:125
GTLS: ASSERT: record.c[_gnutls_send_tlen_int]:464
gnutls error = -10

[gnutls-bad.txt](/uploads/9dc256d91d3c1c82fce2fc63a102061a/gnutls-bad.txt)

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/823#note_209493841

From gnutls-devel at lists.gnutls.org Fri Aug 30 13:31:10 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 30 Aug 2019 11:31:10 +0000
Subject: [gnutls-devel] GnuTLS | Connection problems with older servers (record packet with invalid length was received) (#811)

Hanno Stock commented:

@nmav could you update the MR? (due to merge conflicts)

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/811#note_210366540

From gnutls-devel at lists.gnutls.org Fri Aug 30 16:14:19 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 30 Aug 2019 14:14:19 +0000
Subject: [gnutls-devel] GnuTLS | Thread local storages not free'd until application exits (#824)

Dave Craig created an issue:

When random.c moved to using thread local storage it started allocating storage whenever gnutls_rnd was called on a new thread. It keeps track of these allocations in a list so that when the application exits it can free them all up. However, if an application calls gnutls_rnd on a different thread each time (e.g. HLS over HTTPS with GStreamer) then memory is eaten up at a few hundred bytes per call, and is only recovered when the application ends.

I've reverted random.c for now, as my posix_ TLS based patch was too ugly. Using the tss_xxx functions for those with C11 should resolve this in a straightforward way.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/824
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 30 Aug 2019 16:14:43 +0000
Subject: [gnutls-devel] GnuTLS | Thread local storages not free'd until application exits (#824)

Dave Craig commented:

For reference, here's the pthread version of the fix, but we decided that it would be of no benefit vs. winding back to the version of random.c prior to the leak.

[random.pthread_tls.c](/uploads/84500344d059405ebd794e99756b8b7d/random.pthread_tls.c)

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/824#note_210520448
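The leak described in #824 above comes from per-thread state that is only tracked on a global list and released at process exit. The C program below is an added example written for this page; it is not GnuTLS's random.c and not the random.pthread_tls.c attached to the thread. It shows the alternative the thread discusses: registering a destructor with the thread-specific key so each thread's state is wiped and freed when that thread exits. `struct rnd_ctx`, `example_rnd`, `run_threads`, `allocs_last_run` and the two counters are constructed stand-ins for demonstration, not a real generator and not GnuTLS API.

```c
/*
 * Added example (not GnuTLS code): per-thread generator state released by a
 * pthread key destructor when the owning thread exits, instead of being kept
 * on a global list until the process ends (the behaviour reported in #824).
 * struct rnd_ctx / example_rnd are constructed stand-ins, not a real RNG;
 * the atomic counters exist only to make the allocation behaviour checkable.
 */
#include <pthread.h>
#include <stdatomic.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct rnd_ctx {
	unsigned char pool[64];   /* stand-in for per-thread generator state */
	unsigned long counter;
};

static pthread_key_t rnd_key;
static pthread_once_t rnd_once = PTHREAD_ONCE_INIT;
static atomic_int live_ctx = 0;   /* contexts currently allocated */
static atomic_int alloc_ctx = 0;  /* contexts allocated during the last run_threads() */

/* Destructor: the pthread runtime calls this at thread exit for every thread
 * whose key value is non-NULL, so no global free-list is needed. */
static void rnd_ctx_destroy(void *p)
{
	struct rnd_ctx *ctx = p;
	memset(ctx, 0, sizeof *ctx);  /* wipe generator state before releasing it */
	free(ctx);
	atomic_fetch_sub(&live_ctx, 1);
}

static void rnd_key_init(void)
{
	pthread_key_create(&rnd_key, rnd_ctx_destroy);
}

/* Return the calling thread's context, allocating it on first use. */
static struct rnd_ctx *rnd_ctx_get(void)
{
	struct rnd_ctx *ctx;

	pthread_once(&rnd_once, rnd_key_init);
	ctx = pthread_getspecific(rnd_key);
	if (ctx == NULL) {
		ctx = calloc(1, sizeof *ctx);
		if (ctx == NULL)
			return NULL;
		if (pthread_setspecific(rnd_key, ctx) != 0) {
			free(ctx);
			return NULL;
		}
		atomic_fetch_add(&live_ctx, 1);
		atomic_fetch_add(&alloc_ctx, 1);
	}
	return ctx;
}

/* Stand-in for a gnutls_rnd()-style call: fills buf from the per-thread
 * context (constructed, not cryptographic). Returns 0 on success. */
int example_rnd(unsigned char *buf, size_t len)
{
	struct rnd_ctx *ctx = rnd_ctx_get();
	size_t i;

	if (ctx == NULL)
		return -1;
	for (i = 0; i < len; i++)
		buf[i] = (unsigned char)(ctx->pool[i % sizeof ctx->pool] ^ ctx->counter++);
	return 0;
}

static void *worker(void *arg)
{
	unsigned char buf[16];
	(void)arg;
	example_rnd(buf, sizeof buf);
	return NULL;  /* thread exit: rnd_ctx_destroy() frees this thread's context */
}

/* Spawn n short-lived threads that each call example_rnd() once (the pattern
 * from the issue: a new thread per call), join them, and return how many
 * contexts are still allocated afterwards; 0 means nothing leaked. */
int run_threads(int n)
{
	int i;

	atomic_store(&alloc_ctx, 0);
	for (i = 0; i < n; i++) {
		pthread_t t;
		if (pthread_create(&t, NULL, worker, NULL) != 0)
			return -1;
		pthread_join(t, NULL);
	}
	return atomic_load(&live_ctx);
}

/* Number of contexts allocated by the last run_threads() call. */
int allocs_last_run(void)
{
	return atomic_load(&alloc_ctx);
}

int main(void)
{
	int live = run_threads(20);
	printf("allocated %d contexts, %d still live after join\n", allocs_last_run(), live);
	return live == 0 ? 0 : 1;
}
```

Two caveats apply to this approach. Key destructors run only for threads that terminate; the main thread's context is not released unless it ends via pthread_exit(), so a process-exit cleanup is still reasonable for that one context. The C11 tss_create()/tss_set() functions mentioned in the issue take a destructor in the same way, so the same structure carries over if a C11 toolchain is required. On older toolchains, link with -pthread.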
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 31 Aug 2019 14:44:39 +0000
Subject: [gnutls-devel] GnuTLS | guile: Update the list of certificate status values. (!1060)

civodul created a merge request: https://gitlab.com/gnutls/gnutls/merge_requests/1060

Project:Branches: civodul/gnutls:wip-certificate-status to gnutls/gnutls:master
Author: civodul
Assignees:

This updates the list of `gnutls_certificate_status_t` values in the Guile bindings.

## Checklist

* [X] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [X] Code modified for feature
* [ ] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
* [X] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:

* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1060
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 31 Aug 2019 14:47:49 +0000
Subject: [gnutls-devel] GnuTLS | maint: Include Guile's M4 macros. (!1061)

civodul created a merge request: https://gitlab.com/gnutls/gnutls/merge_requests/1061

Project:Branches: civodul/gnutls:wip-guile-include-m4-macros to gnutls/gnutls:master
Author: civodul
Assignees:

This includes Guile M4 macros, as discussed with @dueno in #1020.

## Checklist

* [X] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [ ] Code modified for feature
* [ ] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
* [X] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:

* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1061
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 31 Aug 2019 16:16:54 +0000
Subject: [gnutls-devel] GnuTLS | maint: Include Guile's M4 macros. (!1061)

civodul commented:

Note: some of the CI jobs are failing; they'll need the `.gitlab-ci.yml` fixes I proposed in https://gitlab.com/gnutls/gnutls/merge_requests/1020#note_194287538.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1061#note_210802123