From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 01 Dec 2019 17:30:16 +0000
Subject: [gnutls-devel] GnuTLS | gnutls-cli log client X.509 certificate loading to stdout despite --logfile (#865)

Airtower created an issue: https://gitlab.com/gnutls/gnutls/issues/865

When I run `gnutls-cli` with `--logfile=/dev/stderr`, the following line still appears on stdout when loading a client certificate using `--x509certfile=...` and `--x509keyfile=...`:

    Processed 1 client X.509 certificates...

I first noticed this in 3.6.9 from Ubuntu, but the bug is still present on master. Looking at the code the same issue seems to exist for loading raw key pairs.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/865
You're receiving this email because of your account on gitlab.com.

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 01 Dec 2019 17:32:59 +0000
Subject: [gnutls-devel] GnuTLS | gnutls_session_set_secret_hook_function: new function (!1112)

Daiki Ueno pushed new commits to merge request !1112 https://gitlab.com/gnutls/gnutls/merge_requests/1112

* 51eed263 - gnutls_session_set_secret_hook_function: new function
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 01 Dec 2019 17:37:08 +0000
Subject: [gnutls-devel] GnuTLS | gnutls_session_set_secret_hook_function: new function (!1112)

Daiki Ueno commented on a discussion on lib/constate.c: https://gitlab.com/gnutls/gnutls/merge_requests/1112#note_252859353

> ret = _tls13_expand_secret(session, "iv", 2, NULL, 0, session->key.proto.tls13.ap_ckey, iv_size, iv_block);
> if (ret < 0)
> return gnutls_assert_val(ret);
> +

Perhaps I'm missing something, but I doubt it would be useful as not all secrets are associated with a specific handshake message. Also, it is already documented that the new API is about traffic secrets.

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 01 Dec 2019 17:40:49 +0000
Subject: [gnutls-devel] GnuTLS | gnutls_session_set_secret_hook_function: new function (!1112)

Daiki Ueno commented:

We used to export epoch values as is from the API, but I realized that it's not very useful in the context of [QUIC encryption levels](https://quicwg.org/base-drafts/draft-ietf-quic-tls.html#name-encryption-level-changes) and [its replacement of TLS key updates](https://quicwg.org/base-drafts/draft-ietf-quic-tls.html#section-6). I added `gnutls_encryption_level_t` enum.
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 01 Dec 2019 17:49:15 +0000
Subject: [gnutls-devel] GnuTLS | Send log messages about loading client credentials to logfile, if set (!1125)

Airtower created a merge request: https://gitlab.com/gnutls/gnutls/merge_requests/1125

Project:Branches: airtower-luna/gnutls:tmp-fix-cli-logfile to gnutls/gnutls:master
Author: Airtower
Closes: #865

## Checklist

* [ ] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [ ] Code modified for feature
* [ ] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
* [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:

* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 01 Dec 2019 18:22:10 +0000
Subject: [gnutls-devel] GnuTLS | Send log messages about loading client credentials to logfile, if set (!1125)

Airtower pushed new commits to merge request !1125 https://gitlab.com/gnutls/gnutls/merge_requests/1125

* 45fd720b - Write OCSP status request debug information to logfile, if set

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 01 Dec 2019 18:25:12 +0000
Subject: [gnutls-devel] GnuTLS | gnutls-cli log client X.509 certificate loading to stdout despite --logfile (#865)

Airtower commented:

I noticed the same problem with OCSP response data in `print_other_info(gnutls_session_t session)`, if running with `--verbose`. I've updated !1125 accordingly.
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 01 Dec 2019 21:31:56 +0000
Subject: [gnutls-devel] GnuTLS | Log info on client credentials and OCSP status request to logfile, if set (!1125)

Merge Request !1125 was approved by Nikos Mavrogiannopoulos

Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/1125
Project:Branches: airtower-luna/gnutls:tmp-fix-cli-logfile to gnutls/gnutls:master
Author: Airtower
Assignees:

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 01 Dec 2019 21:32:13 +0000
Subject: [gnutls-devel] GnuTLS | Log info on client credentials and OCSP status request to logfile, if set (!1125)

Nikos Mavrogiannopoulos commented:

Thank you!

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 01 Dec 2019 21:35:18 +0000
Subject: [gnutls-devel] GnuTLS | Log info on client credentials and OCSP status request to logfile, if set (!1125)

Nikos Mavrogiannopoulos commented:

Merged manually.
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 01 Dec 2019 21:35:18 +0000
Subject: [gnutls-devel] GnuTLS | Log info on client credentials and OCSP status request to logfile, if set (!1125)

Merge Request !1125 was closed by Nikos Mavrogiannopoulos

Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/1125
Project:Branches: airtower-luna/gnutls:tmp-fix-cli-logfile to gnutls/gnutls:master
Author: Airtower
Assignees:

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 01 Dec 2019 22:48:32 +0100
Subject: [gnutls-devel] gnutls 3.6.11

Hello,

I've just released gnutls 3.6.11. This is a bug fix release on the stable 3.6.x branch.

I'd like to thank everyone who contributed in this release: Dmitry Eremin-Solenikov, Tim Rühsen, Daiki Ueno, Tom Vrancken, Fiona Klute, Ludovic Courtès, Andreas Metzler, Nia Alarie, Björn Jacke, Karsten Ohme, Günther Deschner, Miroslav Lichvar and Ricardo M. Correia.

The detailed list of changes follows; they can be seen in more detail in our milestone tracker: https://gitlab.com/gnutls/gnutls/-/milestones/25

Changes
=======

* Version 3.6.11 (released 2019-12-01)

** libgnutls: Use KERN_ARND for the system random number generator on NetBSD.
This syscall provides an endless stream of random numbers from the kernel's ChaCha20-based random number generator, without blocking or requiring an open file descriptor.

** libgnutls: Corrected issue with TLS 1.2 session ticket handling as client during resumption (#841).

** libgnutls: gnutls_base64_decode2() succeeds decoding the empty string to the empty string. This is a behavioral change of the API but it conforms to the RFC4648 expectations (#834).

** libgnutls: Fixed AES-CFB8 implementation, when input is shorter than the block size. Fix backported from nettle.

** certtool: CRL distribution points will be set in CA certificates even when non self-signed (#765).

** gnutls-cli/serv: added raw public-key handling capabilities (RFC7250). Key material can be set via the --rawpkkeyfile and --rawpkfile flags.

** API and ABI modifications:
No changes since last version.

Getting the Software
====================

GnuTLS may be downloaded directly from . A list of GnuTLS mirrors can be found at

Here are the XZ compressed sources:
https://www.gnupg.org/ftp/gcrypt/gnutls/v3.6/gnutls-3.6.11.tar.xz

Here are OpenPGP detached signatures signed using key 0x96865171:
https://www.gnupg.org/ftp/gcrypt/gnutls/v3.6/gnutls-3.6.11.tar.xz.sig

Note that it has been signed with my openpgp key:

pub 3104R/96865171 2008-05-04 [expires: 2028-04-29]
uid Nikos Mavrogiannopoulos gnutls.org>
uid Nikos Mavrogiannopoulos gmail.com>
sub 2048R/9013B842 2008-05-04 [expires: 2018-05-02]
sub 2048R/1404A91D 2008-05-04 [expires: 2018-05-02]

regards,
Nikos

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 02 Dec 2019 00:06:51 +0000
Subject: [gnutls-devel] GnuTLS | Missing src/libopts/save-flags.[ch] in 3.6.11 release tarball (#866)

Kevin Cernekee created an issue: https://gitlab.com/gnutls/gnutls/issues/866

I see these files in git, but I don't see them in `gnutls-3.6.11.tar.xz`.
This results in a libopts build failure. Do they need to be added to `EXTRA_DIST`?

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 02 Dec 2019 03:29:49 +0000
Subject: [gnutls-devel] GnuTLS | 3.6.11: build fails (#867)

Tomasz Kłoczko created an issue: https://gitlab.com/gnutls/gnutls/issues/867

make[4]: Entering directory '/home/tkloczko/rpmbuild/BUILD/gnutls-3.6.11/src/libopts'
make  all-am
make[5]: Entering directory '/home/tkloczko/rpmbuild/BUILD/gnutls-3.6.11/src/libopts'
/bin/sh ../../libtool  --tag=CC   --mode=compile gcc -DHAVE_CONFIG_H -I. -I../..  -I../.. -I.   -O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fstack-protector-strong -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection -flto=auto -flto-partition=none -c -o libopts_la-libopts.lo `test -f 'libopts.c' || echo './'`libopts.c
libtool: compile:  gcc -DHAVE_CONFIG_H -I. -I../.. -I../.. -I. -O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fstack-protector-strong -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection -flto=auto -flto-partition=none -c libopts.c  -fPIC -DPIC -o .libs/libopts_la-libopts.o
libopts.c:14:10: fatal error: save-flags.h: No such file or directory
   14 | #include "save-flags.h"
      |          ^~~~~~~~~~~~~~
compilation terminated.
make[5]: *** [Makefile:1519: libopts_la-libopts.lo] Error 1

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 02 Dec 2019 07:54:31 +0000
Subject: [gnutls-devel] GnuTLS | 3.6.11: build fails (#867)

Nikos Mavrogiannopoulos commented:

Thanks for reporting this. A work-around is to get the file directly from https://gitlab.com/gnutls/gnutls/tree/master/src/libopts or you can build with system libopts.

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 02 Dec 2019 07:57:02 +0000
Subject: [gnutls-devel] GnuTLS | libopts: include new files into dist (!1126)

Nikos Mavrogiannopoulos created a merge request: https://gitlab.com/gnutls/gnutls/merge_requests/1126

Branches: tmp-libopts-fix to master
Author: Nikos Mavrogiannopoulos

This fixes a compilation issue when local-libopts is being used.
## Checklist

* [x] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [x] Code modified for feature
* [ ] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
* [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:

* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 02 Dec 2019 07:57:07 +0000
Subject: [gnutls-devel] GnuTLS | 3.6.11: build fails (#867)

Milestone changed to Release of GnuTLS 3.6.12 (Dec 1, 2019 – Feb 1, 2020) ( https://gitlab.com/gnutls/gnutls/-/milestones/26 )
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 02 Dec 2019 07:59:23 +0000
Subject: [gnutls-devel] GnuTLS | Missing src/libopts/save-flags.[ch] in 3.6.11 release tarball (#866)

Nikos Mavrogiannopoulos commented:

Indeed. I've opened an MR to fix that.

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 02 Dec 2019 08:06:02 +0000
Subject: [gnutls-devel] GnuTLS | libopts: include new files into dist (!1126)

Merge Request !1126 was approved by Daiki Ueno

Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/1126
Branches: tmp-libopts-fix to master
Author: Nikos Mavrogiannopoulos
Assignees:
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 02 Dec 2019 08:49:02 +0000
Subject: [gnutls-devel] GnuTLS | Name constraints apply to CN when no SubAltName.DNS is present and the CN is not a valid DNS name (#776)

Nikos Mavrogiannopoulos commented:

A similar update: https://github.com/openssl/openssl/commit/d02d80b2e80adfdde49f76cf7c7af4e013f45005

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 02 Dec 2019 08:49:26 +0000
Subject: [gnutls-devel] GnuTLS | WIP: Add CI tarball build (!809)

Tim Rühsen pushed new commits to merge request !809 https://gitlab.com/gnutls/gnutls/merge_requests/809

* e2e9d29d...e62a9bcb - 209 commits from branch `master`
* 645b183e - Add CI tarball build
* 3598ec84 - SKIP tests/cert-tests/certtool on Alpine/Busybox

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 02 Dec 2019 09:00:19 +0000
Subject: [gnutls-devel] GnuTLS | Missing src/libopts/save-flags.[ch] in 3.6.11 release tarball (#867)

Tim Rühsen commented:

@nmav We dismissed the tarball CI check on a basic Alpine runner a while ago.
The reason was to not blow up the total CI execution time by adding another stage. Should we rethink this?

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 02 Dec 2019 10:53:45 +0000
Subject: [gnutls-devel] GnuTLS | Missing src/libopts/save-flags.[ch] in 3.6.11 release tarball (#867)

Reassigned Issue 867 https://gitlab.com/gnutls/gnutls/issues/867

Assignee changed to Nikos Mavrogiannopoulos

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 02 Dec 2019 10:56:59 +0000
Subject: [gnutls-devel] GnuTLS | Missing src/libopts/save-flags.[ch] in 3.6.11 release tarball (#866)

Nikos Mavrogiannopoulos commented:

Closing as duplicate of #867
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 02 Dec 2019 10:57:00 +0000
Subject: [gnutls-devel] GnuTLS | Missing src/libopts/save-flags.[ch] in 3.6.11 release tarball (#866)

Issue was closed by Nikos Mavrogiannopoulos

Issue #866: https://gitlab.com/gnutls/gnutls/issues/866

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 02 Dec 2019 11:50:49 +0000
Subject: [gnutls-devel] GnuTLS | libopts: include new files into dist (!1126)

Nikos Mavrogiannopoulos pushed new commits to merge request !1126 https://gitlab.com/gnutls/gnutls/merge_requests/1126

* e22661a6 - libopts: include new files into dist

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 02 Dec 2019 11:51:45 +0000
Subject: [gnutls-devel] GnuTLS | libopts: include new files into dist (!1126)

Nikos Mavrogiannopoulos commented:

I've amended it, with a CI update to catch this kind of issue with libopts in the future.
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 02 Dec 2019 11:59:51 +0000
Subject: [gnutls-devel] GnuTLS | Missing src/libopts/save-flags.[ch] in 3.6.11 release tarball (#867)

Nikos Mavrogiannopoulos commented:

Yes it makes sense. We do not necessarily need an additional CI system, I've added a check as part of !1126.

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 02 Dec 2019 12:27:09 +0000
Subject: [gnutls-devel] GnuTLS | gnutls-cli log client X.509 certificate loading to stdout despite --logfile (#865)

Issue was closed by Nikos Mavrogiannopoulos

Issue #865: https://gitlab.com/gnutls/gnutls/issues/865

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 02 Dec 2019 12:27:09 +0000
Subject: [gnutls-devel] GnuTLS | gnutls-cli log client X.509 certificate loading to stdout despite --logfile (#865)

Nikos Mavrogiannopoulos commented:

Closed by !1125. Thank you!
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 02 Dec 2019 12:34:42 +0000
Subject: [gnutls-devel] GnuTLS | support non-NULL-terminated PSKs (!917)

Nikos Mavrogiannopoulos commented:

The issue was correctly identified, the .map file updated an existing release. I've updated this MR directly.

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 02 Dec 2019 12:35:33 +0000
Subject: [gnutls-devel] GnuTLS | support non-NULL-terminated PSKs (!917)

Milestone changed to Release of GnuTLS 3.6.12 (Dec 1, 2019 – Feb 1, 2020) ( https://gitlab.com/gnutls/gnutls/-/milestones/26 )
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 02 Dec 2019 13:05:25 +0000
Subject: [gnutls-devel] GnuTLS | libopts: include new files into dist (!1126)

Merge Request !1126 was merged

Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/1126
Branches: tmp-libopts-fix to master
Author: Nikos Mavrogiannopoulos
Assignees:

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 02 Dec 2019 13:05:25 +0000
Subject: [gnutls-devel] GnuTLS | Missing src/libopts/save-flags.[ch] in 3.6.11 release tarball (#867)

Issue was closed by Nikos Mavrogiannopoulos via merge request !1126 (https://gitlab.com/gnutls/gnutls/merge_requests/1126)

Issue #867: https://gitlab.com/gnutls/gnutls/issues/867
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 02 Dec 2019 13:07:54 +0000
Subject: [gnutls-devel] GnuTLS | WIP: Add CI tarball build (!809)

Tim Rühsen pushed new commits to merge request !809 https://gitlab.com/gnutls/gnutls/merge_requests/809

* e22661a6...7a14109f - 2 commits from branch `master`
* eb057511 - Add CI tarball build
* a575fd11 - SKIP tests/cert-tests/certtool on Alpine/Busybox

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 02 Dec 2019 13:56:45 +0000
Subject: [gnutls-devel] GnuTLS | WIP: Ported openconnect TPM2 code (!1055)

Nikos Mavrogiannopoulos pushed new commits to merge request !1055 https://gitlab.com/gnutls/gnutls/merge_requests/1055

* 38c8dc43...e62a9bcb - 196 commits from branch `master`
* 4535eff9 - WIP: Ported openconnect TPM2 code

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 02 Dec 2019 13:58:06 +0000
Subject: [gnutls-devel] GnuTLS | Missing src/libopts/save-flags.[ch] in 3.6.11 release tarball (#867)

Tomasz Kłoczko commented:

Sorry, are you going to make a new release or so?
Simply, the current dist tarball is broken :/

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 02 Dec 2019 15:39:16 +0000
Subject: [gnutls-devel] GnuTLS | WIP: Ported openconnect TPM2 code (!1055)

Nikos Mavrogiannopoulos pushed new commits to merge request !1055 https://gitlab.com/gnutls/gnutls/merge_requests/1055

* 7127ba6d - WIP: Ported openconnect TPM2 code

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 02 Dec 2019 16:20:47 +0000
Subject: [gnutls-devel] GnuTLS | Missing src/libopts/save-flags.[ch] in 3.6.11 release tarball (#867)

Nikos Mavrogiannopoulos commented:

I've released 3.6.11.1 which includes those files.
URL: From gnutls-devel at lists.gnutls.org Mon Dec 2 17:20:52 2019 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 02 Dec 2019 16:20:52 +0000 Subject: [gnutls-devel] GnuTLS | Missing src/libopts/save-flags.[ch] in 3.6.11 release tarball (#866) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos commented: I've released 3.6.11.1 which includes those files. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/866#note_253407193 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Dec 2 17:21:18 2019 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 02 Dec 2019 16:21:18 +0000 Subject: [gnutls-devel] GnuTLS | gnutls uses libidn2 internal symbols which were dropped (#832) In-Reply-To: References: Message-ID: Milestone changed to Release of GnuTLS 3.7.0 ( https://gitlab.com/gnutls/gnutls/-/milestones/20 ) -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/832 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Dec 2 19:26:36 2019 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 02 Dec 2019 18:26:36 +0000 Subject: [gnutls-devel] GnuTLS | Missing src/libopts/save-flags.[ch] in 3.6.11 release tarball (#867) In-Reply-To: References: Message-ID: Tomasz K?oczko commented: Are you sure? I just downloaded again https://www.gnupg.org/ftp/gcrypt/gnutls/v3.6/gnutls-3.6.11.tar.xz tar ball and build still fails
make[5]: Entering directory '/home/tkloczko/rpmbuild/BUILD/gnutls-3.6.11/src/libopts'
/bin/sh ../../libtool  --tag=CC   --mode=compile gcc -DHAVE_CONFIG_H -I. -I../..  -I../.. -I.   -O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fstack-protector-strong -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection -flto=auto -flto-partition=none -c -o libopts_la-libopts.lo `test -f 'libopts.c' || echo './'`libopts.c
libtool: compile:  gcc -DHAVE_CONFIG_H -I. -I../.. -I../.. -I. -O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fstack-protector-strong -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection -flto=auto -flto-partition=none -c libopts.c  -fPIC -DPIC -o .libs/libopts_la-libopts.o
libopts.c:14:10: fatal error: save-flags.h: No such file or directory
   14 | #include "save-flags.h"
      |          ^~~~~~~~~~~~~~
compilation terminated.
make[5]: *** [Makefile:1519: libopts_la-libopts.lo] Error 1
make[5]: Leaving directory '/home/tkloczko/rpmbuild/BUILD/gnutls-3.6.11/src/libopts'
--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/867#note_253466743

From gnutls-devel at lists.gnutls.org Mon Dec 2 19:38:35 2019
Date: Mon, 02 Dec 2019 18:38:35 +0000
Subject: [gnutls-devel] GnuTLS | Missing src/libopts/save-flags.[ch] in 3.6.11 release tarball (#867)

Tomasz Kłoczko commented:

I see that a new git tag has been added, but
- there is no dist tarball
- using a custom format for the tag means that downloading the tarball from the tag gives the generated tar https://gitlab.com/gnutls/gnutls/-/archive/gnutls_3_6_11_1/gnutls-gnutls_3_6_11_1.tar.bz2, which additionally provides the base directory `gnutls-gnutls_3_6_11_1/`

Please consider changing the tagging convention from the custom one to the standard one consisting of numbers and dots. If the current tag were just `3.6.11`, the autogenerated tarball would have the base directory `gnutls-3.6.11/`, because gitlab/github autogenerate tarballs like `-`

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/867#note_253472010

From gnutls-devel at lists.gnutls.org Mon Dec 2 19:40:42 2019
Date: Mon, 02 Dec 2019 18:40:42 +0000
Subject: [gnutls-devel] GnuTLS | Missing src/libopts/save-flags.[ch] in 3.6.11 release tarball (#867)

Andreas Metzler commented:

You'll need to download the fixed release (3.6.11.1) instead of 3.6.11.
See https://www.gnupg.org/ftp/gcrypt/gnutls/v3.6/gnutls-3.6.11.1.tar.xz

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/867#note_253472967

From gnutls-devel at lists.gnutls.org Mon Dec 2 19:44:07 2019
Date: Mon, 02 Dec 2019 18:44:07 +0000
Subject: [gnutls-devel] GnuTLS | Missing src/libopts/save-flags.[ch] in 3.6.11 release tarball (#867)

Tomasz Kłoczko commented:

OK, I see that the dist tarball has been uploaded :) Thx. Nevertheless it would be really nice if you would change the tagging convention as well :)

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/867#note_253474321

From gnutls-devel at lists.gnutls.org Mon Dec 2 19:58:02 2019
Date: Mon, 02 Dec 2019 18:58:02 +0000
Subject: [gnutls-devel] GnuTLS | Missing src/libopts/save-flags.[ch] in 3.6.11 release tarball (#867)

Tim Rühsen commented:

@nmav See https://semver.org/ for tagging. I changed tagging for e.g. libidn2 and wget2.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/867#note_253479882

From gnutls-devel at lists.gnutls.org Mon Dec 2 20:28:12 2019
Date: Mon, 02 Dec 2019 19:28:12 +0000
Subject: [gnutls-devel] GnuTLS | Missing src/libopts/save-flags.[ch] in 3.6.11 release tarball (#867)

Tomasz Kłoczko commented:

That document was written long before git and gitlab/github started being used. Things are changing, and if you have a look across gitlab/github repos you may see that most of them are using just the version for regular releases. gitlab and github are using tags and the repo name to autogenerate tarballs. You may ignore that fact, but you cannot change that fact by pointing to a not relevant document.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/867#note_253492558

From gnutls-devel at lists.gnutls.org Tue Dec 3 10:23:25 2019
Date: Tue, 03 Dec 2019 09:23:25 +0000
Subject: [gnutls-devel] GnuTLS | Missing src/libopts/save-flags.[ch] in 3.6.11 release tarball (#867)

Tim Rühsen commented:

Maybe there is a misunderstanding. That document emphasizes version tags like `3.6.11`. This is meanwhile adopted throughout Gitlab and Github projects (or at least is getting more and more common). This document is the basis for this. You are suggesting exactly the same version scheme :-)

BTW, the "tarballs" that are auto-generated by Gitlab and Github are *not* what we all know as GNU distribution tarballs (with a ./configure script). They are just tar'ed and gzip'ed sources - same as you get from a 'git clone'.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/867#note_253766642

From gnutls-devel at lists.gnutls.org Tue Dec 3 15:44:36 2019
Date: Tue, 03 Dec 2019 14:44:36 +0000
Subject: [gnutls-devel] GnuTLS | support non-NULL-terminated PSKs (!917)

Tim Rühsen started a new discussion on lib/auth/psk_passwd.c: https://gitlab.com/gnutls/gnutls/merge_requests/917#note_253985121

> +
> +static bool username_matches(const gnutls_datum_t *username,
> + const char *line, size_t line_size)
> +{
> + int retval;
> + unsigned i;
> + gnutls_datum_t hexline, hex_username = { NULL, 0 };
> +
> + /* move to first ':' */
> + i = 0;
> + while ((i < line_size) && (line[i] != '\0')
> + && (line[i] != ':')) {
> + i++;
> + }
> +
> + if (line[0] == '#') {

Buffer overflow if `line_size` is 0.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/917#note_253985121

From gnutls-devel at lists.gnutls.org Tue Dec 3 15:59:26 2019
Date: Tue, 03 Dec 2019 14:59:26 +0000
Subject: [gnutls-devel] GnuTLS | support non-NULL-terminated PSKs (!917)

Tim Rühsen started a new discussion on lib/str.h: https://gitlab.com/gnutls/gnutls/merge_requests/917#note_253995926

> return 1;
> }
>
> +inline static int _gnutls_has_embedded_null(const char *str, unsigned size)

Why isn't the return type a bool?
`return strlen(str) != size;`

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/917#note_253995926

From gnutls-devel at lists.gnutls.org Tue Dec 3 16:03:18 2019
Date: Tue, 03 Dec 2019 15:03:18 +0000
Subject: [gnutls-devel] GnuTLS | support non-NULL-terminated PSKs (!917)

Tim Rühsen started a new discussion on lib/psk.c: https://gitlab.com/gnutls/gnutls/merge_requests/917#note_253998568

> if (info == NULL)
> return NULL;
>
> - if (info->username[0] != 0)
> + if (info->username[0] != 0 && !_gnutls_has_embedded_null(info->username, info->username_len))

Is info->username guaranteed to be 0-terminated?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/917#note_253998568

From gnutls-devel at lists.gnutls.org Tue Dec 3 16:52:45 2019
Date: Tue, 03 Dec 2019 15:52:45 +0000
Subject: [gnutls-devel] GnuTLS | gnutls_session_set_secret_hook_function: new function (!1112)

Nikos Mavrogiannopoulos commented on a discussion on lib/constate.c: https://gitlab.com/gnutls/gnutls/merge_requests/1112#note_254043549

> ret = _tls13_expand_secret(session, "iv", 2, NULL, 0, session->key.proto.tls13.ap_ckey, iv_size, iv_block);
> if (ret < 0)
> return gnutls_assert_val(ret);
> +

Indeed that doesn't make sense. By similar I meant some indicator on the secret that is being communicated. For example there is the `APPLICATION_CLIENT_TRAFFIC_LABEL`.
Though I see there is already the `ENCRYPTION_LEVEL`, but it is not clear to me what they are. Are they quic-related, or are they mapping these labels to an enumeration (the level part of the name is confusing to me)?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1112#note_254043549

From gnutls-devel at lists.gnutls.org Tue Dec 3 22:36:34 2019
Date: Tue, 03 Dec 2019 21:36:34 +0000
Subject: [gnutls-devel] GnuTLS | Missing src/libopts/save-flags.[ch] in 3.6.11 release tarball (#867)

Tomasz Kłoczko commented:

The issue is that many developers are not caring about details, and if you want to use/package a release + some number of patches from the git source tree you may find that impossible to do, as many people do not separate CI and other file commits from actual source tree files, and the **only** way everywhere to have a correctly built package is to grab the tagged repo content -> apply patches -> initialise am/ac/lt and build everything. Do you see my point? Definitely in the case of gnutls the obstacle is that it is not possible to use the version as the tag in the above procedure. This is why I've asked you to consider changing the tagging convention to just the version without any "decorations" :) As long as this repo holds only gnutls, repeating that in the tag name is pointless .. a bit. Only this and nothing more.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/867#note_254221864
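Returning to the !917 review comments above (the out-of-bounds read on `line[0]` when `line_size` is 0, and the question whether `info->username` is guaranteed to be 0-terminated), the following is an added example and not GnuTLS code. It shows a PSK password-file matcher that performs its size check before touching `line[0]`, scans for the separator without relying on a terminating NUL, and compares lengths before `memcmp()`, together with a `memchr()`-based `has_embedded_null()` that stays inside its declared size and therefore does not need a terminating NUL. `struct datum` stands in for `gnutls_datum_t`, all function names are hypothetical, and the file content is constructed.

```c
/* Added example (not GnuTLS code): length-bounded matching of a PSK password
 * file line of the form "username:hexkey". `struct datum` stands in for
 * gnutls_datum_t; all function names are hypothetical. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

struct datum {
	const unsigned char *data;
	unsigned size;
};

/* True if a NUL byte occurs within the first `size` bytes of `buf`.
 * memchr() is bounded by `size`, so, unlike comparing strlen() with `size`,
 * this never reads past the buffer when it is not NUL-terminated. */
static bool has_embedded_null(const char *buf, size_t size)
{
	return buf != NULL && memchr(buf, '\0', size) != NULL;
}

/* Compare the bytes before the first ':' of `line` with `username`.
 * The line is rejected as empty, as a comment, or as lacking ':' before
 * any byte beyond line_size is touched. An embedded NUL in the username is
 * an ordinary byte here because the comparison is length-based. */
static bool username_matches(const struct datum *username,
			     const char *line, size_t line_size)
{
	size_t i;

	/* With line_size == 0 there is no line[0] to inspect; that read was
	 * the overflow raised in review, so the size check comes first. */
	if (username == NULL || line == NULL || line_size == 0)
		return false;
	if (line[0] == '#')
		return false;

	/* Find the separator without relying on a terminating NUL. */
	for (i = 0; i < line_size && line[i] != ':'; i++)
		;
	if (i == line_size)
		return false;	/* malformed: no separator */

	/* Lengths must agree before memcmp() so it stays within both buffers. */
	if (i != username->size)
		return false;
	return memcmp(line, username->data, i) == 0;
}

/* Scan an in-memory file image for the line whose username matches.
 * Returns the zero-based line index, or -1. Lines end at '\n' (the last
 * one may lack it) and are never assumed to be NUL-terminated. */
static int find_psk_line(const struct datum *username,
			 const char *file, size_t file_size)
{
	size_t start = 0;
	int lineno = 0;

	while (start < file_size) {
		const char *nl = memchr(file + start, '\n', file_size - start);
		size_t len = nl ? (size_t)(nl - (file + start))
				: file_size - start;

		if (username_matches(username, file + start, len))
			return lineno;
		start += len + 1;
		lineno++;
	}
	return -1;
}

/* Constructed sample: a comment, an empty line, a username with an embedded
 * NUL ("bo\0b"), and a last line without a trailing newline. sizeof is used
 * for the length so the embedded NUL does not truncate it. */
static const char sample_psk_file[] =
	"# comment line\n"
	"\n"
	"alice:00ff\n"
	"bo\000b:1234\n"
	"carol:abcd";
#define SAMPLE_PSK_FILE_SIZE (sizeof(sample_psk_file) - 1)

/* Look a username up in the constructed sample file. */
static int lookup_sample(const char *name, unsigned len)
{
	const struct datum u = { (const unsigned char *)name, len };
	return find_psk_line(&u, sample_psk_file, SAMPLE_PSK_FILE_SIZE);
}

int main(void)
{
	printf("alice -> line %d\n", lookup_sample("alice", 5));
	printf("bo\\0b -> line %d\n", lookup_sample("bo\000b", 4));
	printf("dave  -> line %d\n", lookup_sample("dave", 4));
	return 0;
}
```

The ordering of the checks is the point: size first, then the comment marker, then the separator scan, and a length comparison before `memcmp()`, so no step reads a byte the caller did not hand over. Because the identity is compared by length rather than by `strlen()`, the fourth sample line (username `bo\0b`) matches, which is the case a NUL-terminated string API would silently truncate.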
From gnutls-devel at lists.gnutls.org Wed Dec 4 08:05:42 2019
Date: Wed, 04 Dec 2019 07:05:42 +0000
Subject: [gnutls-devel] GnuTLS | Missing src/libopts/save-flags.[ch] in 3.6.11 release tarball (#867)

Tim Rühsen commented:

> Definitely in the case of gnutls the obstacle is that it is not possible to use the version as the tag in the above procedure. This is why I've asked you to consider changing the tagging convention to just the version without any "decorations" :)

But that is exactly what semver suggests. I understand all your points and I am also pro "version only" tags. What I don't understand is that you still argue as if we disagree.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/867#note_254338672

From gnutls-devel at lists.gnutls.org Wed Dec 4 15:39:30 2019
Date: Wed, 04 Dec 2019 14:39:30 +0000
Subject: [gnutls-devel] GnuTLS | lib: remove obsolete AVOID_INTERNALS (!1127)

Vitezslav Cizek created a merge request: https://gitlab.com/gnutls/gnutls/merge_requests/1127

Project:Branches: civz/gnutls:AVOID_INTERNALS to gnutls/gnutls:master
Author: Vitezslav Cizek

Although commit 1f246c38 enabled the self-check functions unconditionally, the #ifdef AVOID_INTERNALS checks remained in lib/crypto-selftests-pk.c. This gets rid of them.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1127

From gnutls-devel at lists.gnutls.org Wed Dec 4 15:52:18 2019
Date: Wed, 04 Dec 2019 14:52:18 +0000
Subject: [gnutls-devel] GnuTLS | lib: remove obsolete AVOID_INTERNALS (!1127)

Merge Request !1127 was approved by Tim Rühsen

Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/1127
Project:Branches: civz/gnutls:AVOID_INTERNALS to gnutls/gnutls:master
Author: Vitezslav Cizek

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1127

From gnutls-devel at lists.gnutls.org Wed Dec 4 17:05:33 2019
Date: Wed, 04 Dec 2019 16:05:33 +0000
Subject: [gnutls-devel] GnuTLS | Impossible to test post handshake authentication with tlsfuzzer (#868)

Hubert Kario (@mention me if you need reply) created an issue: https://gitlab.com/gnutls/gnutls/issues/868

I was testing a new tlsfuzzer script for PHA and it doesn't look to me like it is possible to test PHA with a single script against one instance of GnuTLS.
https://github.com/tomato42/tlsfuzzer/pull/551

I executed the script with

```
--query '**REAUTH** ' --pha-as-reply
```

options set, and started `gnutls-serv` with `--echo`.

While executing the 'post-handshake authentication' script works as expected, even multiple times, any other conversation, including 'post-handshake authentication with no client cert', results in an abort from the server:

```
|<3>| ASSERT: buffers.c[_gnutls_io_read_buffered]:589
|<3>| ASSERT: tls13/certificate.c[_gnutls13_recv_certificate]:59
|<3>| ASSERT: buffers.c[get_last_packet]:1168
|<3>| ASSERT: buffers.c[_gnutls_io_read_buffered]:589
|<3>| ASSERT: tls13/certificate.c[_gnutls13_recv_certificate]:59
|<3>| ASSERT: buffers.c[get_last_packet]:1168
|<5>| REC[0xcad710]: SSL 3.3 Application Data packet received. Epoch 2, length: 37
|<5>| REC[0xcad710]: Expected Packet Handshake(22)
|<5>| REC[0xcad710]: Received Packet Application Data(23) with length: 37
|<5>| REC[0xcad710]: Decrypted Packet[1] Handshake(22) with length: 20
|<4>| HSK[0xcad710]: CERTIFICATE (11) was received. Length 16[16], frag offset 0, frag length: 16, sequence: 0
|<4>| HSK[0xcad710]: parsing certificate message
|<3>| ASSERT: tls13/certificate.c[parse_cert_list]:407
|<3>| ASSERT: tls13/certificate.c[_gnutls13_recv_certificate]:110
|<3>| ASSERT: tls13/post_handshake.c[_gnutls13_reauth_server]:175
reauth: Certificate is required.
$
```

and no Alert is sent to the client:

```
Error encountered while processing node ExpectNewSessionTicket(note='second set') (child: ExpectNewSessionTicket(note='second set')) with last message being: None
Error while processing
Traceback (most recent call last):
  File "scripts/test-tls13-post-handshake-auth.py", line 446, in main
    runner.run()
  File "/home/hkario/dev/tlsfuzzer/tlsfuzzer/runner.py", line 221, in run
    "Unexpected closure from peer")
AssertionError: Unexpected closure from peer
```

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/868
From gnutls-devel at lists.gnutls.org Wed Dec 4 20:43:03 2019
Date: Wed, 04 Dec 2019 19:43:03 +0000
Subject: [gnutls-devel] GnuTLS | Impossible to test post handshake authentication with tlsfuzzer (#868)

Nikos Mavrogiannopoulos commented:

What is the actual issue you are describing here? That no alert was sent?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/868#note_254802963

From gnutls-devel at lists.gnutls.org Wed Dec 4 21:42:00 2019
Date: Wed, 04 Dec 2019 20:42:00 +0000
Subject: [gnutls-devel] GnuTLS | Name constraints apply to CN when no SubAltName.DNS is present and the CN is not a valid DNS name (#776)

Nikos Mavrogiannopoulos commented:

After some thought, I am not sure we should fix this. The reason is that we apply name constraints on the CN only for certificates marked as WWW server that have no DNSname field. That is, we assume that a web server certificate which has no DNSname must have a DNS name in the CN field. I find that a reasonable assumption, and a work-around is easy: don't mark the end certificate as a WWW server one. As such, I do not think we should consider a fix without a more concrete issue presented.

Note that a similar issue was reported to NSS, but that was an issue because NSS applied the constraints to the CN for all end-entity certificates, not only the web server ones.
https://frasertweedale.github.io/blog-redhat/posts/2019-01-29-name-constraints.html

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/776#note_254826143
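To make the policy in the comment above concrete, here is an added example (not GnuTLS code; struct and function names are hypothetical and the certificate data is constructed) that applies dNSName constraints the way the comment describes: to the SAN dNSName entries, and to the CN only when the end-entity certificate is marked as a WWW server and carries no dNSName at all. The subtree matching follows RFC 5280 section 4.2.1.10. The scenarios reproduce the reported case (a non-hostname CN failing under permittedSubtrees) and the proposed work-around (not marking the certificate as a WWW server, so the CN is never checked).

```c
/* Added example (not GnuTLS code): RFC 5280 dNSName subtree matching plus
 * the CN fallback rule described in the #776 discussion. All names are
 * hypothetical; certificates are modelled as plain structs. */
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum nc_result { NC_NOT_CHECKED = 0, NC_OK = 1, NC_VIOLATED = 2 };

struct ee_cert {
	const char *cn;			/* subject commonName, or NULL */
	const char *dns_sans[4];	/* SAN dNSName values, NULL-terminated */
	bool www_server;		/* marked for TLS WWW server use */
};

struct name_constraints {
	const char *permitted[4];	/* dNSName permittedSubtrees, NULL-terminated */
	const char *excluded[4];	/* dNSName excludedSubtrees, NULL-terminated */
};

/* Case-insensitive equality for the ASCII host names used here. */
static bool ieq(const char *a, const char *b)
{
	for (; *a && *b; a++, b++)
		if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
			return false;
	return *a == *b;
}

/* A base of "example.com" covers example.com itself and any host below it
 * (www.example.com) but not notexample.com; a base with a leading dot
 * (".example.com") covers subdomains only. */
static bool dns_in_subtree(const char *name, const char *base)
{
	size_t nlen = strlen(name), blen = strlen(base);

	if (blen == 0)
		return true;
	if (nlen < blen)
		return false;
	const char *tail = name + (nlen - blen);
	if (!ieq(tail, base))
		return false;
	return nlen == blen || base[0] == '.' || tail[-1] == '.';
}

/* One dNSName against the constraint set: an excluded subtree always wins,
 * then the name must fall inside some permitted subtree if any are listed. */
static enum nc_result check_dns_name(const char *name,
				     const struct name_constraints *nc)
{
	size_t i;

	for (i = 0; nc->excluded[i] != NULL; i++)
		if (dns_in_subtree(name, nc->excluded[i]))
			return NC_VIOLATED;
	if (nc->permitted[0] == NULL)
		return NC_OK;
	for (i = 0; nc->permitted[i] != NULL; i++)
		if (dns_in_subtree(name, nc->permitted[i]))
			return NC_OK;
	return NC_VIOLATED;
}

/* The policy from the comment: constraints apply to the SAN dNSName entries;
 * the CN is consulted only when the certificate is marked as a WWW server
 * and has no dNSName. A CN that is not a host name therefore fails under any
 * permittedSubtrees, which is the behaviour the issue reported. */
static enum nc_result check_cert_dns_constraints(const struct ee_cert *c,
						 const struct name_constraints *nc)
{
	size_t i;

	if (c->dns_sans[0] != NULL) {
		for (i = 0; c->dns_sans[i] != NULL; i++)
			if (check_dns_name(c->dns_sans[i], nc) == NC_VIOLATED)
				return NC_VIOLATED;
		return NC_OK;
	}
	if (!c->www_server || c->cn == NULL)
		return NC_NOT_CHECKED;	/* the suggested work-around lands here */
	return check_dns_name(c->cn, nc);
}

/* Constructed CA constraints: permit example.com, exclude an internal zone. */
static const struct name_constraints example_nc = {
	{ "example.com", NULL },
	{ "internal.example.com", NULL },
};

/* Build a one-SAN (or SAN-less, when san is NULL) end-entity cert and check it. */
static enum nc_result scenario(const char *cn, const char *san, bool www)
{
	struct ee_cert c = { cn, { san, NULL }, www };
	return check_cert_dns_constraints(&c, &example_nc);
}

int main(void)
{
	printf("hostname CN, no SAN, WWW server:     %d\n", scenario("www.example.com", NULL, true));
	printf("non-DNS CN, no SAN, WWW server:      %d\n", scenario("Example Corp Web Service", NULL, true));
	printf("non-DNS CN, no SAN, not WWW server:  %d\n", scenario("Example Corp Web Service", NULL, false));
	printf("non-DNS CN, SAN www.example.com:     %d\n", scenario("Example Corp Web Service", "www.example.com", true));
	return 0;
}
```

The second scenario is the one from the issue title: with no dNSName in the SAN and the WWW-server marking present, the CN "Example Corp Web Service" is treated as a host name and fails the permittedSubtrees check. The third scenario is the work-around from the comment: without the WWW-server marking the CN is not consulted and the result is "not checked" rather than a violation. Results are returned as `enum nc_result` values (0 not checked, 1 ok, 2 violated).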
From gnutls-devel at lists.gnutls.org Wed Dec 4 21:42:00 2019
Date: Wed, 04 Dec 2019 20:42:00 +0000
Subject: [gnutls-devel] GnuTLS | Name constraints apply to CN when no SubAltName.DNS is present and the CN is not a valid DNS name (#776)

Issue was closed by Nikos Mavrogiannopoulos

Issue #776: https://gitlab.com/gnutls/gnutls/issues/776

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/776

From gnutls-devel at lists.gnutls.org Wed Dec 4 21:42:10 2019
Date: Wed, 04 Dec 2019 20:42:10 +0000
Subject: [gnutls-devel] GnuTLS | Name constraints apply to CN when no SubAltName.DNS is present and the CN is not a valid DNS name (#776)

Milestone removed

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/776
URL: From gnutls-devel at lists.gnutls.org Wed Dec 4 22:30:19 2019 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 04 Dec 2019 21:30:19 +0000 Subject: [gnutls-devel] GnuTLS | Issues require labels (#869) References: Message-ID: GnuTLS bot created an issue: https://gitlab.com/gnutls/gnutls/issues/869 The following issues require labels: - [ ] [Priority Strings documentation - +% doesn't work](https://gitlab.com/gnutls/gnutls/issues/856) - [ ] [Enhance gnutls-cli to request RSA or ECDSA certificate](https://gitlab.com/gnutls/gnutls/issues/855) - [ ] [Disable TLS 1.3 dynamically during handshake if bad KX is enabed in priority](https://gitlab.com/gnutls/gnutls/issues/825) - [ ] [Thread local storages not free'd until application exits](https://gitlab.com/gnutls/gnutls/issues/824) - [ ] [GnuTLS asm accelerated crypto for PowerPC (ppc64le)](https://gitlab.com/gnutls/gnutls/issues/820) - [ ] [GitLab config: Job 'Debian.cross.i686-linux-gnu' is retried in case of failures](https://gitlab.com/gnutls/gnutls/issues/819) - [ ] [Service Desk (from barry.j.mcinnes at noaa.gov): cannot compile](https://gitlab.com/gnutls/gnutls/issues/817) - [ ] [Provide high-level KDF API](https://gitlab.com/gnutls/gnutls/issues/813) - [ ] [Possible code simplifications using gnulib's pthread modules](https://gitlab.com/gnutls/gnutls/issues/803) - [ ] [weak import of symbol '____chkstk_darwin'](https://gitlab.com/gnutls/gnutls/issues/795) - [ ] [Consider implementing stricter support for Supported Groups extension](https://gitlab.com/gnutls/gnutls/issues/792) - [ ] [Solaris self test failures](https://gitlab.com/gnutls/gnutls/issues/785) - [ ] [GnuTLS 3.6.8 and one failed self test on Fedora 29, x86_64](https://gitlab.com/gnutls/gnutls/issues/784) - [ ] [Solaris build requires -D_XOPEN_SOURCE=600 -std=gnu99](https://gitlab.com/gnutls/gnutls/issues/782) Please take care of them. 
-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/869 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Dec 4 22:30:22 2019 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 04 Dec 2019 21:30:22 +0000 Subject: [gnutls-devel] GnuTLS | GitLab config: Job 'Debian.cross.i686-linux-gnu' is retried in case of failures (#819) In-Reply-To: References: Message-ID: GnuTLS bot commented: @proksch This issue is unlabelled after 30 days. It needs attention. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/819#note_254843283 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Dec 4 22:30:25 2019 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 04 Dec 2019 21:30:25 +0000 Subject: [gnutls-devel] GnuTLS | Solaris self test failures (#785) In-Reply-To: References: Message-ID: GnuTLS bot commented: @noloader This issue is unlabelled after 30 days. It needs attention. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/785#note_254843298 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Dec 4 22:30:20 2019 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 04 Dec 2019 21:30:20 +0000 Subject: [gnutls-devel] GnuTLS | Priority Strings documentation - +% doesn't work (#856) In-Reply-To: References: Message-ID: GnuTLS bot commented: @phmarek This issue is unlabelled after 30 days. It needs attention. 
-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/856#note_254843259 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Dec 4 22:30:21 2019 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 04 Dec 2019 21:30:21 +0000 Subject: [gnutls-devel] GnuTLS | Thread local storages not free'd until application exits (#824) In-Reply-To: References: Message-ID: GnuTLS bot commented: @davecraig This issue is unlabelled after 30 days. It needs attention. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/824#note_254843274 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Dec 4 22:30:34 2019 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 04 Dec 2019 21:30:34 +0000 Subject: [gnutls-devel] GnuTLS | WIP: AF_ALG support for GnuTLS (!555) In-Reply-To: References: Message-ID: GnuTLS bot commented: @smuellerDD This merge request is marked as work in progress with no update for very long time. We are now closing it, but please re-open if you are still interested in finishing this merge request. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/555#note_254843344 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... 
URL: From gnutls-devel at lists.gnutls.org Wed Dec 4 22:30:33 2019 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 04 Dec 2019 21:30:33 +0000 Subject: [gnutls-devel] GnuTLS | WIP: Signed PKCS#12 support (!830) In-Reply-To: References: Message-ID: GnuTLS bot commented: @lumag This merge request is marked as work in progress with no update for very long time. We are now closing it, but please re-open if you are still interested in finishing this merge request. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/830#note_254843338 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Dec 4 22:30:21 2019 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 04 Dec 2019 21:30:21 +0000 Subject: [gnutls-devel] GnuTLS | Disable TLS 1.3 dynamically during handshake if bad KX is enabed in priority (#825) In-Reply-To: References: Message-ID: GnuTLS bot commented: @lumag This issue is unlabelled after 30 days. It needs attention. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/825#note_254843271 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Dec 4 22:30:24 2019 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 04 Dec 2019 21:30:24 +0000 Subject: [gnutls-devel] GnuTLS | Consider implementing stricter support for Supported Groups extension (#792) In-Reply-To: References: Message-ID: GnuTLS bot commented: @lumag This issue is unlabelled after 30 days. It needs attention. 
-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/792#note_254843297 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Dec 4 22:30:23 2019 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 04 Dec 2019 21:30:23 +0000 Subject: [gnutls-devel] GnuTLS | Possible code simplifications using gnulib's pthread modules (#803) In-Reply-To: References: Message-ID: GnuTLS bot commented: @rockdaboot This issue is unlabelled after 30 days. It needs attention. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/803#note_254843292 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Dec 4 22:30:20 2019 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 04 Dec 2019 21:30:20 +0000 Subject: [gnutls-devel] GnuTLS | Enhance gnutls-cli to request RSA or ECDSA certificate (#855) In-Reply-To: References: Message-ID: GnuTLS bot commented: @dilyanpalauzov This issue is unlabelled after 30 days. It needs attention. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/855#note_254843261 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Dec 4 22:30:22 2019 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 04 Dec 2019 21:30:22 +0000 Subject: [gnutls-devel] GnuTLS | Service Desk (from barry.j.mcinnes@noaa.gov): cannot compile (#817) In-Reply-To: References: Message-ID: GnuTLS bot commented: @support-bot This issue is unlabelled after 30 days. It needs attention. 
--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/817#note_254843287

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 04 Dec 2019 21:30:25 +0000
Subject: [gnutls-devel] GnuTLS | GnuTLS 3.6.8 and one failed self test on Fedora 29, x86_64 (#784)

GnuTLS bot commented:

@noloader This issue is unlabelled after 30 days. It needs attention.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/784#note_254843302

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 04 Dec 2019 21:30:31 +0000
Subject: [gnutls-devel] GnuTLS | Add const to function arguments in lib/x509 (!1007)

Merge Request !1007 was closed by GnuTLS bot

Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/1007
Branches: tmp-more-const-1 to master
Author: Tim Rühsen
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1007
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 04 Dec 2019 21:30:24 +0000
Subject: [gnutls-devel] GnuTLS | weak import of symbol '____chkstk_darwin' (#795)

GnuTLS bot commented:

@Schamschula This issue is unlabelled after 30 days. It needs attention.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/795#note_254843296

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 04 Dec 2019 21:30:34 +0000
Subject: [gnutls-devel] GnuTLS | WIP: AF_ALG support for GnuTLS (!555)

Merge Request !555 was closed by GnuTLS bot

Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/555
Project:Branches: smuellerDD/gnutls:afalg to gnutls/gnutls:master
Author: Stephan Mueller
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/555
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 04 Dec 2019 21:30:32 +0000
Subject: [gnutls-devel] GnuTLS | WIP: tests: cert-tests: crl: try to infer 64-bit time using date(1) (!986)

Merge Request !986 was closed by GnuTLS bot

Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/986
Project:Branches: julian-klode/gnutls:crl-check-64-bit-time-support to gnutls/gnutls:master
Author: Julian Andres Klode
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/986

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 04 Dec 2019 21:30:23 +0000
Subject: [gnutls-devel] GnuTLS | Provide high-level KDF API (#813)

GnuTLS bot commented:

@lumag This issue is unlabelled after 30 days. It needs attention.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/813#note_254843290
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 04 Dec 2019 21:30:33 +0000
Subject: [gnutls-devel] GnuTLS | WIP: Signed PKCS#12 support (!830)

Merge Request !830 was closed by GnuTLS bot

Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/830
Project:Branches: GostCrypt/gnutls:pkcs12-signed to gnutls/gnutls:master
Author: Dmitry Eremin-Solenikov
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/830

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 04 Dec 2019 21:30:33 +0000
Subject: [gnutls-devel] GnuTLS | WIP: tpm: Try to use password from the PIN callback if srk_password is NULL (!796)

GnuTLS bot commented:

@stefanberger This merge request is marked as work in progress with no update for a very long time. We are now closing it, but please re-open if you are still interested in finishing this merge request.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/796#note_254843341
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 04 Dec 2019 21:30:31 +0000
Subject: [gnutls-devel] GnuTLS | WIP: tests: cert-tests: crl: try to infer 64-bit time using date(1) (!986)

GnuTLS bot commented:

@julian-klode This merge request is marked as work in progress with no update for a very long time. We are now closing it, but please re-open if you are still interested in finishing this merge request.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/986#note_254843329

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 04 Dec 2019 21:30:32 +0000
Subject: [gnutls-devel] GnuTLS | WIP: algorithms: implement X448 key exchange and Ed448 signature scheme (!984)

GnuTLS bot commented:

@dueno This merge request is marked as work in progress with no update for a very long time. We are now closing it, but please re-open if you are still interested in finishing this merge request.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/984#note_254843333
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 04 Dec 2019 21:30:31 +0000
Subject: [gnutls-devel] GnuTLS | Add const to function arguments in lib/x509 (!1007)

GnuTLS bot commented:

@rockdaboot This merge request is marked as work in progress with no update for a very long time. We are now closing it, but please re-open if you are still interested in finishing this merge request.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1007#note_254843326

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 04 Dec 2019 21:30:26 +0000
Subject: [gnutls-devel] GnuTLS | Solaris build requires -D_XOPEN_SOURCE=600 -std=gnu99 (#782)

GnuTLS bot commented:

@noloader This issue is unlabelled after 30 days. It needs attention.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/782#note_254843309

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 04 Dec 2019 21:30:21 +0000
Subject: [gnutls-devel] GnuTLS | GnuTLS asm accelerated crypto for PowerPC (ppc64le) (#820)

GnuTLS bot commented:

@johnjmar This issue is unlabelled after 30 days. It needs attention.
--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/820#note_254843276

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 04 Dec 2019 21:30:32 +0000
Subject: [gnutls-devel] GnuTLS | WIP: algorithms: implement X448 key exchange and Ed448 signature scheme (!984)

Merge Request !984 was closed by GnuTLS bot

Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/984
Branches: tmp-ed448 to master
Author: Daiki Ueno
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/984

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 04 Dec 2019 21:30:34 +0000
Subject: [gnutls-devel] GnuTLS | WIP: tpm: Try to use password from the PIN callback if srk_password is NULL (!796)

Merge Request !796 was closed by GnuTLS bot

Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/796
Project:Branches: stefanberger/gnutls:tpm12_fixes_issue_601 to gnutls/gnutls:master
Author: Stefan Berger
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/796
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 04 Dec 2019 21:36:10 +0000
Subject: [gnutls-devel] GnuTLS | GnuTLS 3.6.8 and one failed self test on Fedora 29, x86_64 (#784)

Nikos Mavrogiannopoulos commented:

Sorry, I have missed it for quite some time. I have no issues building it in Fedora (in fact a large part of our CI is based on it), so it seems related to the setup you are using. I do not know what RUNPATH is, so I'm unsure what the solution can be. If you have a suggested solution, would you like to open an MR?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/784#note_254844956

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 04 Dec 2019 21:38:33 +0000
Subject: [gnutls-devel] GnuTLS | Consider implementing stricter support for Supported Groups extension (#792)

Nikos Mavrogiannopoulos commented:

Is that actually the case? I see that the precedence is followed in ext/supported_groups.c unless the server explicitly overrides that. Or do you refer to something else?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/792#note_254845560
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 04 Dec 2019 21:41:46 +0000
Subject: [gnutls-devel] GnuTLS | weak import of symbol '____chkstk_darwin' (#795)

Nikos Mavrogiannopoulos commented:

I am not sure we can do anything with this report as it is not clear whether that's an issue in gnutls or the system build. We have a CI that builds on macosx on travis and that seems to pass. Please provide more information on what you think the issue in gnutls is, or open an MR that addresses it.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/795#note_254846336

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 04 Dec 2019 21:42:52 +0000
Subject: [gnutls-devel] GnuTLS | Possible code simplifications using gnulib's pthread modules (#803)

Nikos Mavrogiannopoulos commented:

I'm inclined to close rather than keep that on the backlog.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/803#note_254846826
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 04 Dec 2019 21:42:52 +0000
Subject: [gnutls-devel] GnuTLS | Possible code simplifications using gnulib's pthread modules (#803)

Issue was closed by Nikos Mavrogiannopoulos

Issue #803: https://gitlab.com/gnutls/gnutls/issues/803

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/803

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 04 Dec 2019 21:44:31 +0000
Subject: [gnutls-devel] GnuTLS | GitLab config: Job 'Debian.cross.i686-linux-gnu' is retried in case of failures (#819)

Nikos Mavrogiannopoulos commented:

Closing for similar reasons as: https://gitlab.com/gnutls/libtasn1/issues/23

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/819#note_254847325

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 04 Dec 2019 21:44:32 +0000
Subject: [gnutls-devel] GnuTLS | GitLab config: Job 'Debian.cross.i686-linux-gnu' is retried in case of failures (#819)

Issue was closed by Nikos Mavrogiannopoulos

Issue #819: https://gitlab.com/gnutls/gnutls/issues/819

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/819
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 04 Dec 2019 21:45:43 +0000
Subject: [gnutls-devel] GnuTLS | Service Desk (from barry.j.mcinnes@noaa.gov): cannot compile (#817)

Nikos Mavrogiannopoulos commented:

I'd suggest using the mailing list for issues regarding compiling or using gnutls.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/817#note_254847679

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 04 Dec 2019 21:45:44 +0000
Subject: [gnutls-devel] GnuTLS | Service Desk (from barry.j.mcinnes@noaa.gov): cannot compile (#817)

Issue was closed by Nikos Mavrogiannopoulos

Issue #817: https://gitlab.com/gnutls/gnutls/issues/817

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/817

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 04 Dec 2019 21:51:26 +0000
Subject: [gnutls-devel] GnuTLS | Checked-in files in devel/ contain local paths that result in merge conflicts (#797)

Nikos Mavrogiannopoulos commented:

@Vrancken have you reported this on libabigail?
--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/797#note_254849469

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 04 Dec 2019 21:52:51 +0000
Subject: [gnutls-devel] GnuTLS | Enhance gnutls-cli to request RSA or ECDSA certificate (#855)

Nikos Mavrogiannopoulos commented:

You can do the same using priority strings, e.g., +SIGN-RSA-PSS-SHA256. Is that what you are asking?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/855#note_254849932

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 04 Dec 2019 22:06:21 +0000
Subject: [gnutls-devel] GnuTLS | Consider implementing stricter support for Supported Groups extension (#792)

Dmitry Eremin-Solenikov commented:

I think I thought about choosing a certificate and session group based on this extension.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/792#note_254854327
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 04 Dec 2019 22:25:20 +0000
Subject: [gnutls-devel] GnuTLS | weak import of symbol '____chkstk_darwin' (#795)

Issue was closed by Marius Schamschula

Issue #795: https://gitlab.com/gnutls/gnutls/issues/795

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/795

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 04 Dec 2019 22:25:23 +0000
Subject: [gnutls-devel] GnuTLS | weak import of symbol '____chkstk_darwin' (#795)

Marius Schamschula commented:

I think this problem has been resolved by a more recent build toolchain. I just updated a machine running Catalina to gnutls 3.6.11.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/795#note_254859411

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 05 Dec 2019 08:26:13 +0000
Subject: [gnutls-devel] GnuTLS | Possible code simplifications using gnulib's pthread modules (#803)

Tim Rühsen commented:

As soon as I have time I will test this on Wget2. With the gained experience I will judge this issue again.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/803#note_255001387
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 05 Dec 2019 09:15:54 +0000
Subject: [gnutls-devel] GnuTLS | Add const to function arguments in lib/x509 (!1007)

Merge Request !1007 was reopened by Tim Rühsen

Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/1007
Branches: tmp-more-const-1 to master
Author: Tim Rühsen
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1007

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 05 Dec 2019 09:20:37 +0000
Subject: [gnutls-devel] GnuTLS | lib: remove obsolete AVOID_INTERNALS (!1127)

Tim Rühsen commented:

@civz Make sure that your CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout), then restart the pipeline.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1127#note_255038161
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 05 Dec 2019 10:11:11 +0000
Subject: [gnutls-devel] GnuTLS | Add const to function arguments in lib/x509 (!1007)

Tim Rühsen pushed new commits to merge request !1007

https://gitlab.com/gnutls/gnutls/merge_requests/1007

* bbb559bb - Update ABI check files

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1007

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 05 Dec 2019 10:18:02 +0000
Subject: [gnutls-devel] GnuTLS | lib: remove obsolete AVOID_INTERNALS (!1127)

Vitezslav Cizek commented:

@rockdaboot I set the timeout to 3 hours and it's now running again: https://gitlab.com/civz/gnutls/pipelines/100629804

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1127#note_255073919

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 05 Dec 2019 10:47:37 +0000
Subject: [gnutls-devel] GnuTLS | Improvements in gnutls-cli --benchmark-tls-kx (!1128)

Nikos Mavrogiannopoulos created a merge request:

https://gitlab.com/gnutls/gnutls/merge_requests/1128

Branches: tmp-gnutls-cli to master
Author: Nikos Mavrogiannopoulos

This improves the output of gnutls-cli --benchmark-tls-kx by increasing precision when necessary and separating the various printed data.
Example new output:

```
(TLS1.3)-(DHE-FFDHE3072)-(RSA-PSS-RSAE-SHA256)-(AES-128-GCM) - 18.81 transactions/sec - avg. handshake time: 53.16 ms - standard deviation: 3.06 ms
(TLS1.3)-(ECDHE-SECP256R1)-(RSA-PSS-SHA256)-(AES-128-GCM) - 183.62 transactions/sec - avg. handshake time: 5.44 ms - standard deviation: 0.65 ms
(TLS1.3)-(ECDHE-SECP256R1)-(RSA-PSS-RSAE-SHA256)-(AES-128-GCM) - 181.22 transactions/sec - avg. handshake time: 5.51 ms - standard deviation: 0.80 ms
```

## Checklist

* [x] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [x] Code modified for feature
* [ ] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
* [x] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:

* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1128
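To make the three figures in that output concrete, here is an added example written for this page (it is not code from the merge request or from gnutls-cli): it computes transactions/sec, the mean handshake time and the sample standard deviation from a constructed set of ten handshake timings, and formats them with a constructed precision rule that gives values below 1 extra decimals so they never print as 0.00. The function names, the sample timings and the precision rule are assumptions; gnutls-cli's own implementation may choose differently. The example also shows the relation visible in the output above: transactions/sec is the reciprocal of the average handshake time expressed in seconds (1000 / 53.16 ms is about 18.81).

```c
/* Added example, not GnuTLS code: what the --benchmark-tls-kx figures measure.
 * Uses a hand-rolled square root so it builds without -lm. */
#include <stdio.h>
#include <stddef.h>

/* Constructed sample: ten TLS handshake durations in milliseconds. */
const double kx_sample_timings[] = {50.0, 52.0, 55.0, 53.0, 51.0, 56.0, 54.0, 52.5, 53.5, 55.5};
const size_t kx_sample_count = sizeof kx_sample_timings / sizeof kx_sample_timings[0];

static double kx_abs(double v) { return v < 0.0 ? -v : v; }

/* Newton iteration for sqrt; converges to double precision in far fewer than 60 steps. */
static double kx_sqrt(double v)
{
    double x = v > 1.0 ? v : 1.0;
    if (v <= 0.0) return 0.0;
    for (int i = 0; i < 60; i++) x = 0.5 * (x + v / x);
    return x;
}

/* Mean handshake time in ms (0 if there are no samples). */
double kx_avg(const double *ms, size_t n)
{
    double sum = 0.0;
    if (n == 0) return 0.0;
    for (size_t i = 0; i < n; i++) sum += ms[i];
    return sum / (double)n;
}

/* Sample standard deviation in ms (0 if fewer than two samples). */
double kx_stddev(const double *ms, size_t n)
{
    double avg = kx_avg(ms, n), sq = 0.0;
    if (n < 2) return 0.0;
    for (size_t i = 0; i < n; i++) sq += (ms[i] - avg) * (ms[i] - avg);
    return kx_sqrt(sq / (double)(n - 1));
}

/* Handshakes per second: n handshakes took (sum of ms) / 1000 seconds in total,
 * which is the same as 1000 / average-handshake-ms. */
double kx_tps(const double *ms, size_t n)
{
    double avg = kx_avg(ms, n);
    return avg > 0.0 ? 1000.0 / avg : 0.0;
}

/* Constructed precision rule: two decimals for values >= 1; below 1, one extra
 * decimal for every factor of ten the value lies under 1 (capped at 6). */
int kx_precision(double v)
{
    int p = 2;
    if (v <= 0.0) return p;
    while (v < 1.0 && p < 6) { v *= 10.0; p++; }
    return p;
}

/* Format one result line in the style of the new output; returns what snprintf
 * returns, so a caller can detect truncation. */
int kx_format(char *buf, size_t len, const char *desc, const double *ms, size_t n)
{
    double tps = kx_tps(ms, n), avg = kx_avg(ms, n), sd = kx_stddev(ms, n);
    return snprintf(buf, len,
                    "%s - %.*f transactions/sec - avg. handshake time: %.*f ms - standard deviation: %.*f ms",
                    desc, kx_precision(tps), tps, kx_precision(avg), avg, kx_precision(sd), sd);
}

int main(void)
{
    char line[256];
    kx_format(line, sizeof line, "(TLS1.3)-(DHE-FFDHE3072)-(RSA-PSS-RSAE-SHA256)-(AES-128-GCM)",
              kx_sample_timings, kx_sample_count);
    puts(line);
    return 0;
}
```

Running it prints one line in the new format for the constructed sample (mean 53.25 ms, about 18.78 transactions/sec).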
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 05 Dec 2019 10:51:14 +0000
Subject: [gnutls-devel] GnuTLS | Impossible to test post handshake authentication with tlsfuzzer (#868)

Hubert Kario (@mention me if you need reply) commented:

The issue is that gnutls-serv --echo can be used only for positive tests, it's not possible to execute multiple negative tests against a single instance of gnutls-serv --echo – it exits on first negative test (and doesn't send an alert when it does this, but that's secondary).

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/868#note_255098000

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 05 Dec 2019 10:52:16 +0000
Subject: [gnutls-devel] GnuTLS | Impossible to test post handshake authentication with tlsfuzzer (#868)

Milestone changed to Release of GnuTLS 3.6.12 (Dec 1, 2019–Feb 1, 2020) ( https://gitlab.com/gnutls/gnutls/-/milestones/26 )

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/868

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 05 Dec 2019 12:04:36 +0000
Subject: [gnutls-devel] GnuTLS | Add const to function arguments in lib/x509 (!1007)

Tim Rühsen commented:

@nmav Please review.
I am not sure if the ABI file changes are as you had them in mind.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1007#note_255136324

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 05 Dec 2019 13:07:39 +0000
Subject: [gnutls-devel] GnuTLS | Enhance gnutls-cli to request RSA or ECDSA certificate (#855)

Dilyan Palauzov commented:

This might be the option I am looking for. But `gnutls-cli --priority-list` does not print "SIGN-RSA-PSS-SHA256". Using `gnutls-cli --priority="+SIGN-RSA-PSS-SHA256"` says "Error in priorities: no or insufficient priorities were set."

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/855#note_255170500

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 05 Dec 2019 15:45:04 +0000
Subject: [gnutls-devel] GnuTLS | Enhance gnutls-cli to request RSA or ECDSA certificate (#855)

Nikos Mavrogiannopoulos commented:

I would refer you to the manual for more information, but most likely what you need is something along the lines of `--priority="NORMAL:-SIGN-ALL:+SIGN-RSA-PSS:SHA256:+SIGN-ALL"`. https://gnutls.org/manual/html_node/Priority-Strings.html

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/855#note_255274896
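To make the difference between the two priority strings in this exchange concrete, here is an added model written for this page (it is not GnuTLS code) of how the `NORMAL:-SIGN-ALL:+SIGN-X:+SIGN-ALL` idiom reorders the signature-algorithm list: the base keyword supplies a default ordering, `-SIGN-ALL` empties it, `+SIGN-X` appends one algorithm so it comes first, and `+SIGN-ALL` appends the remaining defaults after it in their usual order. A string that names no base keyword leaves nothing to negotiate, which is the model's counterpart of the "no or insufficient priorities were set" error quoted above. The default list, the function names and the return codes are assumptions, and the example uses the algorithm name as given in the earlier reply (`+SIGN-RSA-PSS-SHA256`); GnuTLS's real parser in lib/priority.c handles many more keywords, categories and versions than this.

```c
/* Added example, not GnuTLS code: a toy evaluator for the signature part of a
 * priority string. The default list is a constructed subset used only here. */
#include <stdio.h>
#include <string.h>

#define MAX_SIGS 8

/* Constructed default ordering supplied by the model's "NORMAL" keyword. */
static const char *const kDefaultSigs[] = {
    "SIGN-RSA-SHA256", "SIGN-ECDSA-SECP256R1-SHA256",
    "SIGN-RSA-PSS-SHA256", "SIGN-EDDSA-ED25519", NULL
};

struct sig_list { const char *names[MAX_SIGS]; size_t n; };

static int list_has(const struct sig_list *l, const char *name)
{
    for (size_t i = 0; i < l->n; i++) if (strcmp(l->names[i], name) == 0) return 1;
    return 0;
}
/* "+X" appends at the end, so the order of additions is the preference order. */
static void list_add(struct sig_list *l, const char *name)
{
    if (!list_has(l, name) && l->n < MAX_SIGS) l->names[l->n++] = name;
}
static void list_remove(struct sig_list *l, const char *name)
{
    size_t j = 0;
    for (size_t i = 0; i < l->n; i++) if (strcmp(l->names[i], name) != 0) l->names[j++] = l->names[i];
    l->n = j;
}
/* Resolve a token to the canonical name from the default table, or NULL if unknown. */
static const char *canon(const char *tok)
{
    for (size_t i = 0; kDefaultSigs[i]; i++) if (strcmp(kDefaultSigs[i], tok) == 0) return kDefaultSigs[i];
    return NULL;
}

/* Evaluate a priority string into an ordered signature list.
 * Returns 0 on success, -1 when no base keyword was given or the result is
 * empty (the model's "no or insufficient priorities were set"), -2 on an
 * unknown token or an over-long string. */
int eval_sign_priority(const char *prio, struct sig_list *out)
{
    char buf[256];
    int have_base = 0;
    out->n = 0;
    if (strlen(prio) >= sizeof buf) return -2;
    strcpy(buf, prio);
    for (char *tok = strtok(buf, ":"); tok; tok = strtok(NULL, ":")) {
        if (strcmp(tok, "NORMAL") == 0) {
            for (size_t i = 0; kDefaultSigs[i]; i++) list_add(out, kDefaultSigs[i]);
            have_base = 1;
        } else if (tok[0] == '+' || tok[0] == '-') {
            int add = tok[0] == '+';
            const char *name = tok + 1;
            if (strcmp(name, "SIGN-ALL") == 0) {
                for (size_t i = 0; kDefaultSigs[i]; i++) {
                    if (add) list_add(out, kDefaultSigs[i]); else list_remove(out, kDefaultSigs[i]);
                }
            } else {
                const char *c = canon(name);
                if (!c) return -2;
                if (add) list_add(out, c); else list_remove(out, c);
            }
        } else {
            return -2; /* the toy model knows only NORMAL and +/- SIGN tokens */
        }
    }
    return (!have_base || out->n == 0) ? -1 : 0;
}

/* Convenience wrappers: number of algorithms (or the negative error code), and
 * the name at a position (NULL on error or out of range). */
int sign_prio_count(const char *prio)
{
    struct sig_list l;
    int ret = eval_sign_priority(prio, &l);
    return ret < 0 ? ret : (int)l.n;
}
const char *sign_prio_at(const char *prio, size_t idx)
{
    static struct sig_list l;
    if (eval_sign_priority(prio, &l) < 0 || idx >= l.n) return NULL;
    return l.names[idx];
}

int main(void)
{
    const char *strings[] = {"+SIGN-RSA-PSS-SHA256", "NORMAL:-SIGN-ALL:+SIGN-RSA-PSS-SHA256:+SIGN-ALL"};
    for (size_t s = 0; s < 2; s++) {
        int n = sign_prio_count(strings[s]);
        printf("%s -> %s\n", strings[s], n < 0 ? "error: no or insufficient priorities were set" : "");
        for (int i = 0; i < n; i++) printf("  %d. %s\n", i + 1, sign_prio_at(strings[s], (size_t)i));
    }
    return 0;
}
```

With the second string the list comes out as SIGN-RSA-PSS-SHA256 followed by the other three defaults in their original order; the first string, having no base keyword, yields the error.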
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 05 Dec 2019 15:45:12 +0000
Subject: [gnutls-devel] GnuTLS | Enhance gnutls-cli to request RSA or ECDSA certificate (#855)

Issue was closed by Nikos Mavrogiannopoulos

Issue #855: https://gitlab.com/gnutls/gnutls/issues/855

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/855

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 05 Dec 2019 15:46:31 +0000
Subject: [gnutls-devel] GnuTLS | lib: remove obsolete AVOID_INTERNALS (!1127)

Merge Request !1127 was merged

Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/1127
Project:Branches: civz/gnutls:AVOID_INTERNALS to gnutls/gnutls:master
Author: Vitezslav Cizek
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1127

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 05 Dec 2019 15:48:02 +0000
Subject: [gnutls-devel] GnuTLS | WIP: fips: Improve signatures self-tests (!1073)

Nikos Mavrogiannopoulos commented:

I've marked it as WIP due to open questions about this MR.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1073#note_255276656
From gnutls-devel at lists.gnutls.org Thu Dec 5 17:03:40 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 05 Dec 2019 16:03:40 +0000
Subject: [gnutls-devel] GnuTLS | Impossible to test post handshake authentication with tlsfuzzer (#868)

Nikos Mavrogiannopoulos commented:

@tomato42 note that in this example you have configured gnutls-serv to require a certificate. If you run gnutls-serv without the `-r` option it will not exit. However, you are right that it should not exit even in that case, only notify the client of an error.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/868#note_255285850

From gnutls-devel at lists.gnutls.org Thu Dec 5 17:52:10 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 05 Dec 2019 16:52:10 +0000
Subject: [gnutls-devel] GnuTLS | consider using an alternative build system (#320)

Seppo Yli-Olli commented:

@rockdaboot I'm to be honest a bit surprised that's how you feel about autotools+gnulib considering you seemed to have quite strong opinions against autogen+libopt (which you might be able to get rid of by switching buildsystem) in https://gitlab.com/gnutls/gnutls/merge_requests/862#note_129463733

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/320#note_255312635
From gnutls-devel at lists.gnutls.org Thu Dec 5 18:09:58 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 05 Dec 2019 17:09:58 +0000
Subject: [gnutls-devel] GnuTLS | consider using an alternative build system (#320)

Tim Rühsen commented:

Sorry, can't see what autogen+libopts have to do with autotools+libtool (except the 'auto' in their names).

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/320#note_255320928

From gnutls-devel at lists.gnutls.org Thu Dec 5 19:04:23 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 05 Dec 2019 18:04:23 +0000
Subject: [gnutls-devel] GnuTLS | consider using an alternative build system (#320)

Seppo Yli-Olli commented:

Doesn't the autotools buildsystem you have in place require using autogen when building from git?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/320#note_255351060

From gnutls-devel at lists.gnutls.org Thu Dec 5 20:14:47 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 05 Dec 2019 19:14:47 +0000
Subject: [gnutls-devel] GnuTLS | consider using an alternative build system (#320)

Tim Rühsen commented:

No, definitely not. GnuTLS uses it for generating processing for command line options for the command in `src/`.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/320#note_255375968
From gnutls-devel at lists.gnutls.org Thu Dec 5 20:42:13 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 05 Dec 2019 19:42:13 +0000
Subject: [gnutls-devel] GnuTLS | consider using an alternative build system (#320)

Seppo Yli-Olli commented:

Wow. There's been quite some confusion then going on. Thank you for that piece of information.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/320#note_255385170

From gnutls-devel at lists.gnutls.org Thu Dec 5 20:54:32 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 05 Dec 2019 19:54:32 +0000
Subject: [gnutls-devel] GnuTLS | consider using an alternative build system (#320)

Tim Rühsen commented:

NP :-)

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/320#note_255388825

From gnutls-devel at lists.gnutls.org Sat Dec 7 13:33:05 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 07 Dec 2019 12:33:05 +0000
Subject: [gnutls-devel] GnuTLS | Add const to function arguments in lib/x509 (!1007)

Nikos Mavrogiannopoulos commented:

With the update-abi files commit you remove effectively the ABI checks we have for backwards compatibility. Why did you remove the 3.6.7 ABI?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1007#note_256962156
From gnutls-devel at lists.gnutls.org Sat Dec 7 13:34:49 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 07 Dec 2019 12:34:49 +0000
Subject: [gnutls-devel] GnuTLS | Add const to function arguments in lib/x509 (!1007)

Nikos Mavrogiannopoulos commented:

If it is because the abidiff catches something I think it is more reasonable to add an explicit rule to ignore this change, otherwise as a reviewer it is very hard to see what we are skipping.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1007#note_256962329

From gnutls-devel at lists.gnutls.org Sat Dec 7 13:41:29 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 07 Dec 2019 12:41:29 +0000
Subject: [gnutls-devel] GnuTLS | gnutls-serv: do not exit on command failure (!1129)

Nikos Mavrogiannopoulos created a merge request: https://gitlab.com/gnutls/gnutls/merge_requests/1129

Project:Branches: nmav/gnutls:tmp-fix-serv-exit to gnutls/gnutls:master
Author: Nikos Mavrogiannopoulos

If gnutls_reauth() or gnutls_heartbeat_ping() fail, gnutls-serv would simply quit. This prevents using this tool in a test environment like tlsfuzzer. Ensure that we don't quit on error.

This is not explicitly tested, but will be when the tlsfuzzer integration for PHA is introduced.
Resolves: #868

## Checklist

* [x] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [x] Code modified for feature
* [x] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
* [x] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:

* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1129

From gnutls-devel at lists.gnutls.org Sat Dec 7 13:43:45 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 07 Dec 2019 12:43:45 +0000
Subject: [gnutls-devel] GnuTLS | gnutls-serv: do not exit on command failure (!1129)

Nikos Mavrogiannopoulos pushed new commits to merge request !1129
https://gitlab.com/gnutls/gnutls/merge_requests/1129

* 41e06ac4 - gnutls-serv: do not exit on command failure

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1129
From gnutls-devel at lists.gnutls.org Sat Dec 7 14:09:02 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 07 Dec 2019 13:09:02 +0000
Subject: [gnutls-devel] GnuTLS | Add const to function arguments in lib/x509 (!1007)

Tim Rühsen commented:

> Why did you remove the 3.6.7 ABI ?

Because you suggested it as one option ("Alternatively we can regenerate the ABI dump files"). But I see your point regarding review. Let me read into abigail exception rules then...

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1007#note_256965495

From gnutls-devel at lists.gnutls.org Sat Dec 7 14:16:31 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 07 Dec 2019 13:16:31 +0000
Subject: [gnutls-devel] GnuTLS | gnutls-serv: do not exit on command failure (!1129)

Nikos Mavrogiannopoulos pushed new commits to merge request !1129
https://gitlab.com/gnutls/gnutls/merge_requests/1129

* f7f12bed - gnutls-serv: do not exit on command failure

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1129
From gnutls-devel at lists.gnutls.org Sat Dec 7 14:39:24 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 07 Dec 2019 13:39:24 +0000
Subject: [gnutls-devel] GnuTLS | Add const to function arguments in lib/x509 (!1007)

Tim Rühsen pushed new commits to merge request !1007
https://gitlab.com/gnutls/gnutls/merge_requests/1007

* 95ae2f66...89ca230d - 2 commits from branch `master`
* 26c410bc - Add const to function arguments in lib/x509

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1007

From gnutls-devel at lists.gnutls.org Sat Dec 7 14:41:01 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 07 Dec 2019 13:41:01 +0000
Subject: [gnutls-devel] GnuTLS | Add const to function arguments in lib/x509 (!1007)

Tim Rühsen commented:

@nmav here we go...

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1007#note_256968455
From gnutls-devel at lists.gnutls.org Sat Dec 7 21:30:51 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 07 Dec 2019 20:30:51 +0000
Subject: [gnutls-devel] GnuTLS | Add const to function arguments in lib/x509 (!1007)

Nikos Mavrogiannopoulos pushed new commits to merge request !1007
https://gitlab.com/gnutls/gnutls/merge_requests/1007

* f0d3d9e8 - abi: updated to latest const changes

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1007

From gnutls-devel at lists.gnutls.org Sat Dec 7 21:34:29 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 07 Dec 2019 20:34:29 +0000
Subject: [gnutls-devel] GnuTLS | Add const to function arguments in lib/x509 (!1007)

Nikos Mavrogiannopoulos pushed new commits to merge request !1007
https://gitlab.com/gnutls/gnutls/merge_requests/1007

* 11f0dc32 - abi: updated to latest const changes and added NEWS entry

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1007

From gnutls-devel at lists.gnutls.org Sat Dec 7 21:35:49 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 07 Dec 2019 20:35:49 +0000
Subject: [gnutls-devel] GnuTLS | Add const to function arguments in lib/x509 (!1007)

Nikos Mavrogiannopoulos commented:

Thank you. I didn't realize this was an older MR. I went through the history and it makes sense in its original form (I added the updated ABI files and updated the NEWS file).
I think it makes sense and since it is compatible it can be included in 3.6.x.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1007#note_257018624

From gnutls-devel at lists.gnutls.org Sat Dec 7 21:36:02 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 07 Dec 2019 20:36:02 +0000
Subject: [gnutls-devel] GnuTLS | Add const to function arguments in lib/x509 (!1007)

Nikos Mavrogiannopoulos commented:

Please review the added patches and merge.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1007#note_257018636

From gnutls-devel at lists.gnutls.org Sat Dec 7 21:36:08 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 07 Dec 2019 20:36:08 +0000
Subject: [gnutls-devel] GnuTLS | Add const to function arguments in lib/x509 (!1007)

Merge Request !1007 was approved by Nikos Mavrogiannopoulos

Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/1007
Branches: tmp-more-const-1 to master
Author: Tim Rühsen
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1007
From gnutls-devel at lists.gnutls.org Sat Dec 7 21:36:15 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 07 Dec 2019 20:36:15 +0000
Subject: [gnutls-devel] GnuTLS | Add const to function arguments in lib/x509 (!1007)

Reassigned Merge Request 1007
https://gitlab.com/gnutls/gnutls/merge_requests/1007

Assignee changed to Tim Rühsen

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1007

From gnutls-devel at lists.gnutls.org Sat Dec 7 21:37:02 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 07 Dec 2019 20:37:02 +0000
Subject: [gnutls-devel] GnuTLS | Add const to function arguments in lib/x509 (!1007)

Milestone changed to Release of GnuTLS 3.6.12 (Dec 1, 2019 – Feb 1, 2020) ( https://gitlab.com/gnutls/gnutls/-/milestones/26 )

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1007

From gnutls-devel at lists.gnutls.org Sat Dec 7 22:18:01 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 07 Dec 2019 21:18:01 +0000
Subject: [gnutls-devel] GnuTLS | Add const to function arguments in lib/x509 (!1007)

Tim Rühsen started a new discussion on NEWS: https://gitlab.com/gnutls/gnutls/merge_requests/1007#note_257036999

> Copyright (C) 2013-2019 Nikos Mavrogiannopoulos
> See the end for copying conditions.
>
> +* Version 3.6.12 (unreleased)
> +
> +** libgnutls: Introduced the gnutls_ocsp_req_const_t which is a compatible

Is that 'a' before 'compatible' on purpose ?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1007#note_257036999

From gnutls-devel at lists.gnutls.org Sat Dec 7 22:19:08 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 07 Dec 2019 21:19:08 +0000
Subject: [gnutls-devel] GnuTLS | Add const to function arguments in lib/x509 (!1007)

Tim Rühsen commented on a discussion on NEWS: https://gitlab.com/gnutls/gnutls/merge_requests/1007#note_257037086

> Copyright (C) 2013-2019 Nikos Mavrogiannopoulos
> See the end for copying conditions.
>
> +* Version 3.6.12 (unreleased)
> +
> +** libgnutls: Introduced the gnutls_ocsp_req_const_t which is a compatible

else LGTM

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1007#note_257037086

From gnutls-devel at lists.gnutls.org Sat Dec 7 22:21:24 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 07 Dec 2019 21:21:24 +0000
Subject: [gnutls-devel] GnuTLS | Add const to function arguments in lib/x509 (!1007)

Tim Rühsen commented on a discussion on NEWS: https://gitlab.com/gnutls/gnutls/merge_requests/1007#note_257037215

> Copyright (C) 2013-2019 Nikos Mavrogiannopoulos
> See the end for copying conditions.
>
> +* Version 3.6.12 (unreleased)
> +
> +** libgnutls: Introduced the gnutls_ocsp_req_const_t which is a compatible

Hmmm, what is this (failed pipeline) ?
```
'function int drbg_aes_generate(drbg_aes_ctx*, unsigned int, uint8_t*, unsigned int, const uint8_t*)' {drbg_aes_generate@@GNUTLS_FIPS140_3_4}
'function int drbg_aes_init(drbg_aes_ctx*, unsigned int, const uint8_t*, unsigned int, const uint8_t*)' {drbg_aes_init@@GNUTLS_FIPS140_3_4}
'function int drbg_aes_reseed(drbg_aes_ctx*, unsigned int, const uint8_t*, unsigned int, const uint8_t*)' {drbg_aes_reseed@@GNUTLS_FIPS140_3_4}
```

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1007#note_257037215

From gnutls-devel at lists.gnutls.org Tue Dec 10 11:53:12 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 10 Dec 2019 10:53:12 +0000
Subject: [gnutls-devel] GnuTLS | Add const to function arguments in lib/x509 (!1007)

Nikos Mavrogiannopoulos pushed new commits to merge request !1007
https://gitlab.com/gnutls/gnutls/merge_requests/1007

* e48290a5 - abi: updated to latest const changes and added NEWS entry

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1007

From gnutls-devel at lists.gnutls.org Tue Dec 10 11:53:58 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 10 Dec 2019 10:53:58 +0000
Subject: [gnutls-devel] GnuTLS | Add const to function arguments in lib/x509 (!1007)

Nikos Mavrogiannopoulos commented on a discussion on NEWS: https://gitlab.com/gnutls/gnutls/merge_requests/1007#note_258078356

> Copyright (C) 2013-2019 Nikos Mavrogiannopoulos
> See the end for copying conditions.
>
> +* Version 3.6.12 (unreleased)
> +
> +** libgnutls: Introduced the gnutls_ocsp_req_const_t which is a compatible

The first was a typo. I've updated it. The latter, I am not sure. I uploaded a clean one.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1007#note_258078356

From gnutls-devel at lists.gnutls.org Tue Dec 10 12:49:51 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 10 Dec 2019 11:49:51 +0000
Subject: [gnutls-devel] GnuTLS | Add const to function arguments in lib/x509 (!1007)

All discussions on Merge Request !1007 were resolved by Nikos Mavrogiannopoulos
https://gitlab.com/gnutls/gnutls/merge_requests/1007

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1007

From gnutls-devel at lists.gnutls.org Tue Dec 10 13:59:48 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 10 Dec 2019 12:59:48 +0000
Subject: [gnutls-devel] GnuTLS | Impossible to test post handshake authentication with tlsfuzzer (#868)

Hubert Kario (@mention me if you need reply) commented:

Well, yes, I did configure it to require a certificate - the point of the test was to see what happens if the certificate is required and the client doesn't provide one.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/868#note_258149357
From gnutls-devel at lists.gnutls.org Tue Dec 10 14:52:12 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 10 Dec 2019 13:52:12 +0000
Subject: [gnutls-devel] GnuTLS | Add const to function arguments in lib/x509 (!1007)

Merge Request !1007 was merged

Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/1007
Branches: tmp-more-const-1 to master
Author: Tim Rühsen
Assignee: Tim Rühsen

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1007

From gnutls-devel at lists.gnutls.org Wed Dec 11 14:51:39 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 11 Dec 2019 13:51:39 +0000
Subject: [gnutls-devel] GnuTLS | Need testcases for multi-component ocsp stapling (#871)

jgh created an issue: https://gitlab.com/gnutls/gnutls/issues/871

TLS 1.3 supports stapling of certificate status for multiple components of a certificate chain, and GnuTLS supports that. There are no testcases for it under tests/ocsp-tests (at least, going by the response files), and there need to be.

Note that GnuTLS can use either a response file with multiple PEM components, or multiple response files. Only the second, with one cert-status per file, results in wire traffic that is acceptable to OpenSSL.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/871
From gnutls-devel at lists.gnutls.org Wed Dec 11 15:07:58 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 11 Dec 2019 14:07:58 +0000
Subject: [gnutls-devel] GnuTLS | Need testcases for multi-component ocsp stapling (#871)

Nikos Mavrogiannopoulos commented:

Have you checked the set_x509_ocsp_multi*.c and set_x509_key_file_ocsp_multi2.c?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/871#note_258802940

From gnutls-devel at lists.gnutls.org Thu Dec 12 07:17:12 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 12 Dec 2019 06:17:12 +0000
Subject: [gnutls-devel] GnuTLS | Solaris self test failures (#785)

Nikos Mavrogiannopoulos commented:

Is there anything we can do to address these issues?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/785#note_259125731

From gnutls-devel at lists.gnutls.org Thu Dec 12 07:18:07 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 12 Dec 2019 06:18:07 +0000
Subject: [gnutls-devel] GnuTLS | Priority Strings documentation - +% doesn't work (#856)

Issue was closed by Nikos Mavrogiannopoulos

Issue #856: https://gitlab.com/gnutls/gnutls/issues/856

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/856
From gnutls-devel at lists.gnutls.org Thu Dec 12 07:18:06 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 12 Dec 2019 06:18:06 +0000
Subject: [gnutls-devel] GnuTLS | Priority Strings documentation - +% doesn't work (#856)

Nikos Mavrogiannopoulos commented:

Closing as it seems resolved.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/856#note_259126041

From gnutls-devel at lists.gnutls.org Thu Dec 12 07:20:27 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 12 Dec 2019 06:20:27 +0000
Subject: [gnutls-devel] GnuTLS | Solaris build requires -D_XOPEN_SOURCE=600 -std=gnu99 (#782)

Nikos Mavrogiannopoulos commented:

It is not clear to me what is the actual issue here. @noloader @rockdaboot any suggestion on how to proceed?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/782#note_259126571

From gnutls-devel at lists.gnutls.org Thu Dec 12 07:21:33 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 12 Dec 2019 06:21:33 +0000
Subject: [gnutls-devel] GnuTLS | Disable TLS 1.3 dynamically during handshake if bad KX is enabled in priority (#825)

Nikos Mavrogiannopoulos commented:

I've marked it as something to be addressed in 3.7.x, however it is unclear after all the discussions whether that's something we should do.
--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/825#note_259126790

From gnutls-devel at lists.gnutls.org Thu Dec 12 10:13:55 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 12 Dec 2019 09:13:55 +0000
Subject: [gnutls-devel] GnuTLS | Solaris self test failures (#785)

Tim Rühsen commented:

- document SH_LOG_COMPILER, e.g. in the "How to build GnuTLS" manual section
- either document the replacement for `netstat -l` or write a small C program doing that job
- reconsider the use of 'local', we possibly don't even need it. And if, why not use 'declare -n' ?
- datefudge: fix ocsp-tests/ocsp-must-staple-connection

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/785#note_259212065

From gnutls-devel at lists.gnutls.org Thu Dec 12 11:11:57 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 12 Dec 2019 10:11:57 +0000
Subject: [gnutls-devel] GnuTLS | Solaris build requires -D_XOPEN_SOURCE=600 -std=gnu99 (#782)

Tim Rühsen commented:

@noloader What does the latest GnuTLS code say here ? If this is still an issue, let's first investigate where exactly alloca() is used:

Within lib/nettle, the two defines of TMP_ALLOC that use alloca() only use it if HAVE_ALLOCA is defined. Please check if `config.h` contains `#define HAVE_ALLOCA 1`. If that is the case, we have to find out why the linker doesn't find alloca(). Possibly a library missing in a Makefile.am !?
If HAVE_ALLOCA is not defined in `config.h`, this is a gnulib issue and we should ask on the gnulib ML for help.

@nmav, @lumag Can we get rid of the alloca() code in `cfb8.[hc]`, `nettle-internal.h` and `gostdsa-sign.c` ? Those wrappings into TMP_ALLOC and TMP_DECL make technically not much sense in this code (except for obfuscation and saving a few bytes on the stack). There is no stack-reallocation needed since the array sizes are fixed-size or have a pretty low upper limit.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/782#note_259260887

From gnutls-devel at lists.gnutls.org Thu Dec 12 15:38:50 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 12 Dec 2019 14:38:50 +0000
Subject: [gnutls-devel] GnuTLS | Solaris build requires -D_XOPEN_SOURCE=600 -std=gnu99 (#782)

Dmitry Eremin-Solenikov commented:

I can remove TMP_ALLOC from that code by the price of diverting from nettle code. Not a great problem I think.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/782#note_259414108

From gnutls-devel at lists.gnutls.org Thu Dec 12 15:43:32 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 12 Dec 2019 14:43:32 +0000
Subject: [gnutls-devel] GnuTLS | Solaris build requires -D_XOPEN_SOURCE=600 -std=gnu99 (#782)

Tim Rühsen commented:

:thumbsup:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/782#note_259416952
From gnutls-devel at lists.gnutls.org Thu Dec 12 16:15:20 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 12 Dec 2019 15:15:20 +0000
Subject: [gnutls-devel] GnuTLS | Should a certificate with two SAN instances be rejected? (#872)

julia created an issue: https://gitlab.com/gnutls/gnutls/issues/872

I recently created a faked certificate, which happens to have an "empty" subject and two subject alternative name instances. The certificate is not rejected during path validation. I can understand that the public key relies on the subject name and the alternative name. The problem is, which subject alternative name needs to be bound to the public key?

The version of Gnutls: 3.6.8.

The command I used is:

certtool --verify --load-ca-certificate='rootCA_key_cert.pem' < 5009.pem

The extension part is:

Basic Constraints (critical):
    Certificate Authority (CA): TRUE
Subject Alternative Name (critical):
    DNSname: motherless.com
Subject Alternative Name (critical):
    DNSname: www.flipkart.com
    DNSname: flipkart.com
    DNSname: secure.flipkart.com

The verification returns:

Loaded CAs (1 available)
    Subject: (null)
    Issuer: CN=DDST CA,O=SJTU DDST,ST=SH,C=CN
    Checked against: CN=DDST CA,O=SJTU DDST,ST=SH,C=CN
    Signature algorithm: RSA-SHA256
    Output: Verified. The certificate is trusted.
Chain verification output: Verified. The certificate is trusted.
The rootCA_key_cert.pem (self-signed root CA):

5009.pem:
[rootCA_key_cert.pem](/uploads/ea3d5695fb35f7d2fed38916b8563992/rootCA_key_cert.pem)
[5009.pem](/uploads/3cb189d2c81df6123378d6ea080200ad/5009.pem)

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/872

From gnutls-devel at lists.gnutls.org Thu Dec 12 17:36:11 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 12 Dec 2019 16:36:11 +0000
Subject: [gnutls-devel] GnuTLS | Gnutls accepts a certificate with invalid Subject Public Key Info (#873)

llqll created an issue: https://gitlab.com/gnutls/gnutls/issues/873

## Description of problem:

I recently created a certificate chain [rootCA, intermediate certificate, leaf certificate], whose leaf certificate has an invalid Subject Public Key Info field. Although the subject public key field conforms to the syntax of the bit string, the RSAPublicKey in it does not conform to the syntax. The DER encoded RSAPublicKey is the value of the BIT STRING subjectPublicKey. The structure of RSAPublicKey described in RFC3279 is:

```
RSAPublicKey ::= SEQUENCE {
    modulus         INTEGER,  -- n
    publicExponent  INTEGER } -- e
```

Meanwhile, the chain can still pass certificate verification with Gnutls3.6.7; however, the chain was rejected by openssl. Does Gnutls3.6.7 have a bug here? (Or do I have some misunderstandings on Gnutls3.6.7 in its parsing or verification procedure?) Will it cause any further problems in certificate verification?

## Version of gnutls used:

Gnutls3.6.7

## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)

Ubuntu16.04

## How reproducible:

Steps to Reproduce:

```
certtool --verify --load-ca-certificate 1.pem --infile leaf.pem
```

## Actual results:

The verification returns:

```
Chain verification output: Verified. The certificate is trusted.
```

however, the result of openssl:

```
error 66 at 0 depth lookup: EE certificate key too weak
error leaf.pem: verification failed
```

## Expected results:

Chain verification output: failed.

the 1.pem is:

the leaf.pem is:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/873

From gnutls-devel at lists.gnutls.org Sat Dec 14 10:00:21 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 14 Dec 2019 09:00:21 +0000
Subject: [gnutls-devel] GnuTLS | Gnutls accepts a certificate with invalid Subject Public Key Info (#873)

Nikos Mavrogiannopoulos commented:

Well I am not sure I understand the issue. The certificate verification process verifies whether the signatures on the certificate are correct. You however expect that gnutls during verification checks also whether the public key on the end certificate makes sense. I am not sure that's a reasonable expectation. Or did I miss the point?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/873#note_260333895

From gnutls-devel at lists.gnutls.org Sat Dec 14 10:01:49 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 14 Dec 2019 09:01:49 +0000
Subject: [gnutls-devel] GnuTLS | Should a certificate with two SAN instances be rejected? (#872)

Nikos Mavrogiannopoulos commented:

> The certificate is not rejected during path validation.
While I understand that this is kind of wrongly generated certificate, why do you think gnutls should reject it. Is that mandated by some RFC or other spec?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/872#note_260333998

From gnutls-devel at lists.gnutls.org Sat Dec 14 10:02:26 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 14 Dec 2019 09:02:26 +0000
Subject: [gnutls-devel] GnuTLS | Solaris build requires -D_XOPEN_SOURCE=600 -std=gnu99 (#782)

Nikos Mavrogiannopoulos commented:

Marking it as backlog, as I see it as nice to have at most.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/782#note_260334038

From gnutls-devel at lists.gnutls.org Sat Dec 14 10:11:15 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 14 Dec 2019 09:11:15 +0000
Subject: [gnutls-devel] GnuTLS | Gnutls3.6.7 accepts a certificate whose notbefore field is a non-digits string while openssl rejects such certificates (#870)

Nikos Mavrogiannopoulos commented:

I'm closing it as duplicate of #207. Even more reasons to be stricter. Ironically it was openssl that caused us accept that form.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/870#note_260334689
From gnutls-devel at lists.gnutls.org Sat Dec 14 10:11:15 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 14 Dec 2019 09:11:15 +0000
Subject: [gnutls-devel] GnuTLS | Gnutls3.6.7 accepts a certificate whose notbefore field is a non-digits string while openssl rejects such certificates (#870)

Issue was closed by Nikos Mavrogiannopoulos

Issue #870: https://gitlab.com/gnutls/gnutls/issues/870

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/870

From gnutls-devel at lists.gnutls.org Sat Dec 14 10:15:12 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 14 Dec 2019 09:15:12 +0000
Subject: [gnutls-devel] GnuTLS | do not tolerate DER encoded certificates with invalid time format (#207)

Nikos Mavrogiannopoulos commented:

To address this 8e7bc8fec48bf5748b08426ea183d18c2d7b52a9 should be reverted. As it is a behavioral change we should target 3.7.x.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/207#note_260334961
From gnutls-devel at lists.gnutls.org Sat Dec 14 10:17:00 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 14 Dec 2019 09:17:00 +0000
Subject: [gnutls-devel] GnuTLS | Gnutls3.6.7 accepts a certificate whose notbefore field is a non-digits string while openssl rejects such certificates (#870)

Issue was reopened by Nikos Mavrogiannopoulos

Issue 870: https://gitlab.com/gnutls/gnutls/issues/870

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/870

From gnutls-devel at lists.gnutls.org Sat Dec 14 10:17:00 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 14 Dec 2019 09:17:00 +0000
Subject: [gnutls-devel] GnuTLS | Gnutls3.6.7 accepts a certificate whose notbefore field is a non-digits string while openssl rejects such certificates (#870)

Nikos Mavrogiannopoulos commented:

@llqll actually it may not be the same solution as #207, could you verify that by reverting 8e7bc8fec48bf5748b08426ea183d18c2d7b52a9 the issue you report is addressed? Otherwise we may need to handle it separately.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/870#note_260335105

From gnutls-devel at lists.gnutls.org Sat Dec 14 10:53:28 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 14 Dec 2019 09:53:28 +0000
Subject: [gnutls-devel] GnuTLS | Should a certificate with two SAN instances be rejected? (#872)

julia commented:

In RFC 5280, I found the next statements, and wondered how a subject public key and two subjectAltName extensions should be bound. Which parts of the two extensions are verified (if the verification is still performed)?

1. "Certification path processing verifies the binding between the subject distinguished name and/or subject alternative name and subject public key." (Section 6).
2. "If subject naming information is present only in the subjectAltName extension (e.g., a key bound only to an email address or URI), then the subject name MUST be an empty sequence and the subjectAltName extension MUST be critical." (Section 4.1.2.6)
3. "A certificate MUST NOT include more than one instance of a particular extension." (4.2)
4. "Because the subject alternative name is considered to be definitively bound to the public key, all parts of the subject alternative name MUST be verified by the CA." (4.2.1.6)

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/872#note_260338436

From gnutls-devel at lists.gnutls.org Sat Dec 14 10:54:16 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 14 Dec 2019 09:54:16 +0000
Subject: [gnutls-devel] GnuTLS | certtool: always set extensions from template (!1130)

Nikos Mavrogiannopoulos created a merge request: https://gitlab.com/gnutls/gnutls/merge_requests/1130

Project:Branches: nmav/gnutls:tmp-certtool-crq to gnutls/gnutls:master
Author: Nikos Mavrogiannopoulos

Previously we would only set these extensions specified with add_extension when generating using --generate-certificate. The change makes sure these options are considered even when generating an extension from a certificate request.

Issue reported on the mailing list.
## Checklist

* [x] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [x] Code modified for feature
* [x] Test suite updated with functionality tests
* [x] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
* [x] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:

* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1130

From gnutls-devel at lists.gnutls.org Sat Dec 14 10:56:32 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 14 Dec 2019 09:56:32 +0000
Subject: [gnutls-devel] GnuTLS | certtool: always set extensions from template (!1130)

Nikos Mavrogiannopoulos pushed new commits to merge request !1130

https://gitlab.com/gnutls/gnutls/merge_requests/1130

* 1e9c9ba0...2b715b95 - 8 commits from branch `master`
* 9764915c - tests: check certificate generation from certificate request
* bf706e65 - certtool: always set extensions from template

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1130
From gnutls-devel at lists.gnutls.org Sat Dec 14 11:01:33 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 14 Dec 2019 10:01:33 +0000
Subject: [gnutls-devel] GnuTLS | Should a certificate with two SAN instances be rejected? (#872)

Milestone changed to Release of GnuTLS 3.6.12 (Dec 1, 2019–Feb 1, 2020) ( https://gitlab.com/gnutls/gnutls/-/milestones/26 )

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/872

From gnutls-devel at lists.gnutls.org Sat Dec 14 11:01:47 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 14 Dec 2019 10:01:47 +0000
Subject: [gnutls-devel] GnuTLS | Should a certificate with two SAN instances be rejected? (#872)

Nikos Mavrogiannopoulos commented:

Thank you. I think the statement `A certificate MUST NOT include more than one instance of a particular extension.` is pretty clear.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/872#note_260339237

From gnutls-devel at lists.gnutls.org Sat Dec 14 14:12:13 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 14 Dec 2019 13:12:13 +0000
Subject: [gnutls-devel] GnuTLS | Gnutls3.6.7 accepts a certificate whose notbefore field is a non-digits string while openssl rejects such certificates (#870)

llqll commented:

@nmav hello, thanks for your advice.

I verified the certificate by reverting [https://gitlab.com/gnutls/gnutls/commit/8e7bc8fec48bf5748b08426ea183d18c2d7b52a9](https://gitlab.com/gnutls/gnutls/commit/8e7bc8fec48bf5748b08426ea183d18c2d7b52a9). And I used the new version of gnutls (gnutls3.6.11) to verify the certificate. The result is the same. gnutls3.6.11 accepts the certificate with invalid notbefore field.

I think this problem is different from [https://gitlab.com/gnutls/gnutls/issues/207](https://gitlab.com/gnutls/gnutls/issues/207) because the notbefore field of the certificate conforms to der syntax.

Through debugging I found the reason. gnutls uses atoi(x) to get the year, month and day values. When x cannot be converted to int, it returns 0 instead of an error. In this case, x=" #" , after year=atoi(x), the value of year is 0. [https://baike.baidu.com/item/atoi](https://baike.baidu.com/item/atoi).

the gnutls code is:

![image text](https://github.com/llqll/image/raw/master/certtooltime.png)

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/870#note_260357431

From gnutls-devel at lists.gnutls.org Sat Dec 14 14:26:52 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 14 Dec 2019 13:26:52 +0000
Subject: [gnutls-devel] GnuTLS | Gnutls accepts a certificate with invalid Subject Public Key Info (#873)

llqll commented:

What I want to express is what you understand. I hope that gnutls during verification checks also whether the public key on the end certificate makes sense. If not checked, gnutls will accept certificates that do not conform to the public key syntax.

In addition, some ssl implementations (openssl, mbedtls and wolfssl) have checked these.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/873#note_260358768

From gnutls-devel at lists.gnutls.org Sat Dec 14 15:06:08 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 14 Dec 2019 14:06:08 +0000
Subject: [gnutls-devel] GnuTLS | Impossible to test post handshake authentication with tlsfuzzer (#868)

Reassigned Issue 868

https://gitlab.com/gnutls/gnutls/issues/868

Assignee changed to Nikos Mavrogiannopoulos

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/868

From gnutls-devel at lists.gnutls.org Sat Dec 14 15:54:56 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 14 Dec 2019 14:54:56 +0000
Subject: [gnutls-devel] GnuTLS | It is not possible for server to check whether client requested OCSP stapling (#829)

Reassigned Issue 829

https://gitlab.com/gnutls/gnutls/issues/829

Assignee changed to Nikos Mavrogiannopoulos

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/829
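The two structural checks debated in #872 (RFC 5280 4.2, one instance per extension) and #873 (RFC 3279 RSAPublicKey syntax inside the subjectPublicKey BIT STRING), as an added example; this is not GnuTLS code and the DER fragments are constructed, not taken from the certificates in the reports. It assumes the caller has already isolated the Extensions SEQUENCE and the BIT STRING payload.

```c
/* Added example, not GnuTLS code: two certificate sanity checks prompted by
 * issues #872 (duplicate extensions) and #873 (malformed RSAPublicKey), run
 * over constructed DER fragments. Assumes the caller has already isolated the
 * Extensions SEQUENCE and the subjectPublicKey BIT STRING payload; a full
 * X.509 parser is deliberately out of scope. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One decoded DER element: tag, value pointer, value length, encoded size. */
struct tlv { uint8_t tag; const uint8_t *val; size_t len; size_t total; };

/* Decode the TLV at p[0..n). Accepts single-byte tags and definite lengths up
 * to two bytes, each in minimal form. Returns 1 on success, 0 otherwise. */
static int der_read(const uint8_t *p, size_t n, struct tlv *t)
{
    size_t hdr, len;
    if (n < 2 || (p[0] & 0x1f) == 0x1f) return 0;
    if (p[1] < 0x80) { len = p[1]; hdr = 2; }
    else if (p[1] == 0x81) { if (n < 3 || p[2] < 0x80) return 0; len = p[2]; hdr = 3; }
    else if (p[1] == 0x82) {
        if (n < 4) return 0;
        len = ((size_t)p[2] << 8) | p[3];
        if (len < 0x100) return 0;
        hdr = 4;
    } else return 0;                     /* indefinite or oversized length */
    if (len > n - hdr) return 0;         /* truncated */
    t->tag = p[0]; t->val = p + hdr; t->len = len; t->total = hdr + len;
    return 1;
}

#define MAX_EXTS 32

/* RFC 5280 4.2: "A certificate MUST NOT include more than one instance of a
 * particular extension." Walks the Extensions SEQUENCE comparing each extnID
 * with those already seen. Returns 0 if all are unique, -2 on a duplicate,
 * -1 on malformed DER. */
int check_unique_extensions(const uint8_t *exts, size_t n)
{
    struct tlv seq, ext = {0}, oid;
    const uint8_t *seen[MAX_EXTS];
    size_t seen_len[MAX_EXTS], count = 0, off;

    if (!der_read(exts, n, &seq) || seq.tag != 0x30 || seq.total != n) return -1;
    for (off = 0; off < seq.len; off += ext.total) {
        if (!der_read(seq.val + off, seq.len - off, &ext) || ext.tag != 0x30) return -1;
        if (!der_read(ext.val, ext.len, &oid) || oid.tag != 0x06) return -1;
        for (size_t i = 0; i < count; i++)
            if (seen_len[i] == oid.len && memcmp(seen[i], oid.val, oid.len) == 0) return -2;
        if (count == MAX_EXTS) return -1;
        seen[count] = oid.val; seen_len[count] = oid.len; count++;
    }
    return 0;
}

/* A DER INTEGER that is non-empty, non-negative and minimally encoded. */
static int der_positive_integer(const uint8_t *p, size_t n, struct tlv *t)
{
    if (!der_read(p, n, t) || t->tag != 0x02 || t->len == 0) return 0;
    if (t->val[0] & 0x80) return 0;                                        /* negative */
    if (t->len > 1 && t->val[0] == 0x00 && !(t->val[1] & 0x80)) return 0; /* padded */
    return 1;
}

/* RFC 3279 2.3.1: RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent
 * INTEGER }. Checks that the subjectPublicKey BIT STRING payload is exactly
 * that, the case issue #873 describes: the BIT STRING itself parses, but what
 * it carries is not an RSAPublicKey. Returns 0 if well-formed, -1 otherwise. */
int check_rsa_public_key(const uint8_t *spk, size_t n)
{
    struct tlv seq, mod, pubexp;
    if (!der_read(spk, n, &seq) || seq.tag != 0x30 || seq.total != n) return -1;
    if (!der_positive_integer(seq.val, seq.len, &mod)) return -1;
    if (!der_positive_integer(seq.val + mod.total, seq.len - mod.total, &pubexp)) return -1;
    return mod.total + pubexp.total == seq.len ? 0 : -1;                   /* no trailing bytes */
}

/* Constructed sample fragments (not from the certificates in the reports).
 * EXT_SAN(c) is a critical subjectAltName (2.5.29.17) holding one dNSName
 * "<c>.test"; EXT_BC is a critical basicConstraints (2.5.29.19) with cA=TRUE. */
#define EXT_BC 0x30,0x0f, 0x06,0x03,0x55,0x1d,0x13, 0x01,0x01,0xff, 0x04,0x05,0x30,0x03,0x01,0x01,0xff
#define EXT_SAN(c) 0x30,0x14, 0x06,0x03,0x55,0x1d,0x11, 0x01,0x01,0xff, \
                   0x04,0x0a,0x30,0x08,0x82,0x06,(c),0x2e,0x74,0x65,0x73,0x74
static const uint8_t exts_ok[]  = { 0x30,0x27, EXT_BC, EXT_SAN('a') };
static const uint8_t exts_dup[] = { 0x30,0x3d, EXT_BC, EXT_SAN('a'), EXT_SAN('b') }; /* SAN twice */
/* Toy-sized RSAPublicKey payloads: a valid one, one missing publicExponent,
 * and one whose modulus INTEGER is negative. */
static const uint8_t rsa_good[]        = { 0x30,0x0c, 0x02,0x05,0x00,0xc3,0x9a,0x5b,0x17, 0x02,0x03,0x01,0x00,0x01 };
static const uint8_t rsa_missing_exp[] = { 0x30,0x05, 0x02,0x03,0x01,0x00,0x01 };
static const uint8_t rsa_negative[]    = { 0x30,0x0b, 0x02,0x04,0xc3,0x9a,0x5b,0x17, 0x02,0x03,0x01,0x00,0x01 };

int main(void)
{
    printf("exts_ok: %d (expect 0)\n", check_unique_extensions(exts_ok, sizeof exts_ok));
    printf("exts_dup: %d (expect -2)\n", check_unique_extensions(exts_dup, sizeof exts_dup));
    printf("rsa_good: %d (expect 0)\n", check_rsa_public_key(rsa_good, sizeof rsa_good));
    printf("rsa_missing_exp: %d (expect -1)\n", check_rsa_public_key(rsa_missing_exp, sizeof rsa_missing_exp));
    printf("rsa_negative: %d (expect -1)\n", check_rsa_public_key(rsa_negative, sizeof rsa_negative));
    return 0;
}
```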
From gnutls-devel at lists.gnutls.org Sat Dec 14 15:57:20 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 14 Dec 2019 14:57:20 +0000
Subject: [gnutls-devel] GnuTLS | Provide flag to identify sessions that an OCSP response was requested (!1131)

Nikos Mavrogiannopoulos created a merge request: https://gitlab.com/gnutls/gnutls/merge_requests/1131

Project:Branches: nmav/gnutls:tmp-ocsp-check to gnutls/gnutls:master
Author: Nikos Mavrogiannopoulos

That adds the flag GNUTLS_SFLAGS_OCSP_REQUESTED which can be checked by a server application to determine whether the client has requested stapled OCSP responses. This includes minor cleanups in the status request handling code.

## Checklist

* [x] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [x] Code modified for feature
* [x] Test suite updated with functionality tests
* [x] Test suite updated with negative tests
* [x] Documentation updated / NEWS entry present (for non-trivial changes)
* [x] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:

* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1131
Date: Sat, 14 Dec 2019 14:58:40 +0000
Subject: [gnutls-devel] GnuTLS | It is not possible for server to check whether client requested OCSP stapling (#829)

Nikos Mavrogiannopoulos commented:

@jgh would you like to check whether https://gitlab.com/gnutls/gnutls/merge_requests/1131 addresses the problem you described?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/829#note_260368966

Date: Sat, 14 Dec 2019 15:08:46 +0000
Subject: [gnutls-devel] GnuTLS | Gnutls accepts a certificate with invalid Subject Public Key Info (#873)

Nikos Mavrogiannopoulos commented:

The error will be detected when the public key is to be used. For example, if you try to print that certificate you'll get:

```
error importing public key: ASN1 parser: Error in TAG.
```

Similarly, if you try to use it in a TLS handshake, the handshake will fail when it tries to use it. So "accepted" is not really the case. The fact that other implementations reject it earlier may have more to do with the internal parsers of X.509 rather than an intentional action. Is there some particular attack or potential flaw that you are trying to address?

Nevertheless, if there is a particular attack or threat we can defend from, would you like to suggest an MR? We could check whether there is an error when reading the public key algorithm (that will check the pubkey form too), at `_gnutls_check_cert_sanity`.
--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/873#note_260370109

Date: Sat, 14 Dec 2019 15:09:39 +0000
Subject: [gnutls-devel] GnuTLS | Gnutls3.6.7 accepts a certificate whose notbefore field is a non-digits string while openssl rejects such certificates (#870)

Milestone changed to Release of GnuTLS 3.6.12 (Dec 1, 2019 to Feb 1, 2020) ( https://gitlab.com/gnutls/gnutls/-/milestones/26 )

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/870

Date: Sat, 14 Dec 2019 15:10:08 +0000
Subject: [gnutls-devel] GnuTLS | Gnutls3.6.7 accepts a certificate whose notbefore field is a non-digits string while openssl rejects such certificates (#870)

Nikos Mavrogiannopoulos commented:

Thank you. It makes sense to address it independently. Would you like to propose an MR to fix it?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/870#note_260370257
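Added example (not GnuTLS code, and not taken from either issue): a minimal DER walker in Python that performs the two import-time sanity checks discussed in #873 and #870 above, namely that a SubjectPublicKeyInfo has the SEQUENCE { AlgorithmIdentifier, BIT STRING } shape with the expected tags, and that a notBefore/notAfter value has the RFC 5280 UTCTime/GeneralizedTime form with digits only. All byte strings are constructed test vectors; the key bits in the SPKI are a placeholder, not a real key, and the helper names are this example's own.

```python
"""Early structural checks on two X.509 fields, as a minimal DER walker.

Constructed illustration for the #873 (SubjectPublicKeyInfo with a wrong tag)
and #870 (notBefore containing non-digits) discussions: reject the malformed
encoding when the certificate is imported instead of on first use.
"""

SEQUENCE, OID, NULL, BIT_STRING = 0x30, 0x06, 0x05, 0x03
UTC_TIME, GENERALIZED_TIME = 0x17, 0x18


class DerError(ValueError):
    """A TLV that does not have the expected shape."""


def read_tlv(buf: bytes, off: int = 0):
    """Decode one DER TLV at `off`; return (tag, value, offset_after)."""
    if off + 2 > len(buf):
        raise DerError("truncated TLV header")
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:                       # long-form length
        nbytes = length & 0x7F
        if nbytes == 0 or nbytes > 4 or off + nbytes > len(buf):
            raise DerError("bad long-form length")
        length = int.from_bytes(buf[off:off + nbytes], "big")
        off += nbytes
    if off + length > len(buf):
        raise DerError("value runs past end of buffer")
    return tag, buf[off:off + length], off + length


def expect(buf: bytes, off: int, want: int, what: str):
    """read_tlv plus a tag check; the error names the field that was wrong
    (the library message quoted above is only the terse 'Error in TAG')."""
    tag, value, nxt = read_tlv(buf, off)
    if tag != want:
        raise DerError(f"{what}: expected tag 0x{want:02x}, got 0x{tag:02x}")
    return value, nxt


def decode_oid(raw: bytes) -> str:
    """Dotted-decimal form of an OBJECT IDENTIFIER value (base-128 arcs)."""
    if not raw:
        raise DerError("empty OID")
    arcs, acc, pending = [raw[0] // 40, raw[0] % 40], 0, False
    for b in raw[1:]:
        acc, pending = (acc << 7) | (b & 0x7F), bool(b & 0x80)
        if not pending:
            arcs.append(acc)
            acc = 0
    if pending:
        raise DerError("OID ends in the middle of an arc")
    return ".".join(map(str, arcs))


def check_spki(spki: bytes) -> str:
    """SubjectPublicKeyInfo ::= SEQUENCE { AlgorithmIdentifier, BIT STRING }.
    Returns the algorithm OID; raises DerError on any structural problem."""
    body, end = expect(spki, 0, SEQUENCE, "SubjectPublicKeyInfo")
    if end != len(spki):
        raise DerError("trailing bytes after SubjectPublicKeyInfo")
    alg, off = expect(body, 0, SEQUENCE, "AlgorithmIdentifier")
    oid, _ = expect(alg, 0, OID, "algorithm OID")
    key_bits, off = expect(body, off, BIT_STRING, "subjectPublicKey")
    if off != len(body):
        raise DerError("trailing bytes after subjectPublicKey")
    if not key_bits or key_bits[0] > 7:
        raise DerError("subjectPublicKey: bad unused-bits octet")
    return decode_oid(oid)


def check_time(der_time: bytes) -> str:
    """Time ::= CHOICE { UTCTime 'YYMMDDHHMMSSZ', GeneralizedTime 'YYYYMMDDHHMMSSZ' }
    as RFC 5280 4.1.2.5 requires. Returns the text; raises DerError otherwise."""
    tag, value, end = read_tlv(der_time)
    if end != len(der_time):
        raise DerError("trailing bytes after Time")
    digits = {UTC_TIME: 12, GENERALIZED_TIME: 14}.get(tag)
    if digits is None:
        raise DerError(f"Time: unexpected tag 0x{tag:02x}")
    text = value.decode("ascii", errors="replace")
    if len(text) != digits + 1 or text[-1] != "Z" \
            or any(c not in "0123456789" for c in text[:-1]):
        raise DerError(f"Time: malformed value {text!r}")
    return text


def sanity_check(kind: str, data: bytes):
    """Run one checker and report (ok, detail) so an importer can refuse the
    certificate instead of deferring the failure to first use."""
    checker = {"spki": check_spki, "time": check_time}[kind]
    try:
        return True, checker(data)
    except DerError as err:
        return False, str(err)


# --- constructed vectors (not real keys or certificates) -------------------
RSA_ALG_ID = bytes.fromhex("300d06092a864886f70d0101010500")  # rsaEncryption, NULL params
KEY_BITS = bytes.fromhex("030300abcd")                          # placeholder BIT STRING
GOOD_SPKI = bytes([SEQUENCE, len(RSA_ALG_ID) + len(KEY_BITS)]) + RSA_ALG_ID + KEY_BITS
BAD_SPKI = GOOD_SPKI[:2] + bytes([0x04]) + GOOD_SPKI[3:]   # AlgorithmIdentifier tagged as OCTET STRING
GOOD_UTC = bytes([UTC_TIME, 13]) + b"191214000000Z"
BAD_UTC = bytes([UTC_TIME, 13]) + b"19AB14000000Z"          # the #870 shape: letters in the date
GOOD_GEN = bytes([GENERALIZED_TIME, 15]) + b"20201231235959Z"

if __name__ == "__main__":
    for name, kind, data in [("SPKI ok", "spki", GOOD_SPKI), ("SPKI bad tag", "spki", BAD_SPKI),
                             ("notBefore ok", "time", GOOD_UTC), ("notBefore bad", "time", BAD_UTC)]:
        print(f"{name:14} -> {sanity_check(kind, data)}")
```

Both checks are cheap and purely structural, so they can run at import time without consulting the key material; the `sanity_check` wrapper returns a verdict rather than raising, which is the shape an importer needs to reject the certificate cleanly.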
Date: Sat, 14 Dec 2019 16:42:11 +0000
Subject: [gnutls-devel] GnuTLS | It is not possible for server to check whether client requested OCSP stapling (#829)

Jonathan Hoffman commented:

Hello @nmav! I see that I have been mentioned in this thread a few times. However, I am not involved in this discussion. Perhaps you meant to mention @j29280?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/829#note_260379897

Date: Sat, 14 Dec 2019 17:37:12 +0000
Subject: [gnutls-devel] GnuTLS | It is not possible for server to check whether client requested OCSP stapling (#829)

jgh commented:

Aye - build in progress... (another JGH)

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/829#note_260381464

Date: Sat, 14 Dec 2019 23:14:13 +0000
Subject: [gnutls-devel] GnuTLS | It is not possible for server to check whether client requested OCSP stapling (#829)

jgh commented:

Initial check says no - I'm only seeing the "extended-master-secret" bit set.
This is a TLS1.3 connection, and a gnutls_ext_raw_parse() done for a client-hello from a callback for (GNUTLS_HANDSHAKE_ANY, GNUTLS_HOOK_POST) does see the status_req extension.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/829#note_260392904

Date: Sat, 14 Dec 2019 23:15:57 +0000
Subject: [gnutls-devel] GnuTLS | It is not possible for server to check whether client requested OCSP stapling (#829)

Nikos Mavrogiannopoulos commented:

@jgh sorry for that, @j29280 is whom I meant to mention.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/829#note_260401134

Date: Sat, 14 Dec 2019 23:16:00 +0000
Subject: [gnutls-devel] GnuTLS | Provide flag to identify sessions that an OCSP response was requested (!1131)

Nikos Mavrogiannopoulos pushed new commits to merge request !1131 https://gitlab.com/gnutls/gnutls/merge_requests/1131

* f6ff0625 - Provide flag to identify sessions that an OCSP response was requested

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1131
Date: Sat, 14 Dec 2019 23:15:54 +0000
Subject: [gnutls-devel] GnuTLS | Provide flag to identify sessions that an OCSP response was requested (!1131)

Nikos Mavrogiannopoulos pushed new commits to merge request !1131 https://gitlab.com/gnutls/gnutls/merge_requests/1131

* 8d6df780 - Provide flag to identify sessions that an OCSP response was requested

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1131

Date: Sat, 14 Dec 2019 23:16:02 +0000
Subject: [gnutls-devel] GnuTLS | It is not possible for server to check whether client requested OCSP stapling (#829)

Nikos Mavrogiannopoulos commented:

@j29280 thank you. That's strange; there is a test for tls1.3 with this flag included. I've updated the MR with a handshake log message being printed (when GNUTLS_DEBUG_LOG=4 or greater). This will print when the OCSP response is seen on the server side. Do you see it in that case?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/829#note_260401421
Date: Sun, 15 Dec 2019 00:06:06 +0000
Subject: [gnutls-devel] GnuTLS | It is not possible for server to check whether client requested OCSP stapling (#829)

jgh commented:

Nope. I wonder if I'm not running with the library I just built? Ah. It's not in the exec-time searchpath.

Having fixed that, yes. And "session flags: 0x801" which is good. So that's (a), the server saw the req from the client. Still want (b), the server having been able to send out a cert-status.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/829#note_260411261

Date: Sun, 15 Dec 2019 01:28:29 +0000
Subject: [gnutls-devel] GnuTLS | Should a certificate with two SAN instances be rejected? (#872)

julia commented:

Hi Nikos, thank you. I'm still confused by the binding mechanism here. Next shows another certificate (5009_2.pem), in which the subject is null and the subjectAltName extension is not present. Why can the certificate pass the path validation? Nothing should be bound to the subject public key. "Certification path processing verifies the binding between the subject distinguished name and/or subject alternative name and subject public key." (RFC5280, Sec. 6).
Jiayu

------------------------------------------------------------
5009_2.pem

-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDGK3/TkVnaeeEy
RE2fo8QPH8uH1aSmwt3PqaFfYjl+r5+Ksp0O2WH2kBAInVZ9JySiQpiscAmtNlqE
EvolOZCDOEgRVn7UeqZkpKo1kYObrPbDDPtQA3ZVszsBSHvVBhjQv/qYtNFOdDBz
ko5Qg7Razz5sWu6JkIHWvW7jJWr7AJPstYJsZOrtG/kuXS4wZGnRWCedhGatYk+s
My3lwPHlwZEmSBEaK1mrL72YrsVa5oqdSPvvKhrXTJslKk1+OSqytwhV+1hsAaCA
uO93cmHeE+fNZkCJILdzxWJqWJM+r/PBIcYasdlARF/xND7XSbzzKR5UJs5xGjjy
t5YiO5ljAgMBAAECggEBALK64NsMKSIm8rjHacslhNqvLn4gbhQJhMyajXTdvkVI
WHhbh9Ows+4RGKTsYukVuLCvp8s+cTvL3e9ovjt8o5310OnyPQmeZRw4d1tBFpX9
dcGNn8wWk0/QCtOpcCY9DXyY6Yd47Z34pQpXkAuF/dA5Qm+vw5xGvRPUXoJ3aPlf
gPVr17UceSK9jyM+Q0set+kOW/0FkJYTVoG+debpFJbqn29LW0vZ/Q6Pd9SFXVOG
J3tjOhoF/5xqWgrnTrFevWkaVuyRFSUp1inAOSwtY+nImPIpn9F6dU69BKrjegR/
BrfIp9wwQX2UKno7foNIWxgL9o2TVM/ekeU8TayVsUECgYEA78Xa/P0EdLVS4Vvu
eNg8vkSy8GkLESI1giAP5yvGOGmIJ2KlSP18ntCtz7m8SOPAd+4zTJgNvXybK0xe
89wMyGVZniNGlZrbryuvkoLgt0tf3IhZOvza99si1KJi88sNfRLzIdujtpyQwzDW
snzSX2ZCCbo7J4Tgf2BTgpcC+UsCgYEA05Tb4oxyMSq+/CJpjVY0uC4Cui3DRFee
U3V9qIQJQwFCp3KL4pqtEBYZv5A0FcN7Qq7C2fPTREaSOa+XbCrfYhPiXFxafpEx
DOoDuFbAaBqF4WcHpIBlP8XgMivH71ni5VFp6Mb7BPjyaZC3HHqXHEVgAnTE7AzD
V0H6zUFwqUkCgYAmydE1YBEaeELiJicb8Y9SEHcKIVQi/2+8j0dDVHeKpLfb9z9Z
4XgJkSStGBT3jbCTNjuiRm7imofXp1EtDgobWRn4VSiUBytG2UBb6URFIrJtULlu
q30Y36Bw2Zw8aDrUYv5mGcwQPJ/Gk94Hnd3ChR5lyHTNXdebg4++7oMSpQKBgClf
T0vSaLXihOvqkrc3ZyGopZHgRvGDLItnSwX7o4/9nBoAFQhfdH3TxH8n5Hdo/R5B
7AoQWnxcTFWJV1OoYnvcJYQn7u4W1/+NduLB2+e/X/R+YAkzrhi1Sayl0PelnO94
ZvxEhGspfsVTreqcshWuHyL70FHUARJ77V3bcPs5AoGAdeMMaTvRYkw33h0WLafW
O0bpnTOQLr5fEMryt3XSWNqJlESf8XHu5pEEbzgT1aQS++33tuAl/JBS/nhSi46/
O1cekxLmmV0lq8M++jalv4BoK02hyqU1Hy7e6Y3XzV5iqgPySra/5dK8XFYbDlDS
CM1Kmd5p/V9GsOmAEL9Yh7A=
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIC0jCCAbqgAwIBAgIBATANBgkqhkiG9w0BAQ4FADBAMQswCQYDVQQGEwJDTjEL
MAkGA1UECAwCU0gxEjAQBgNVBAoMCVNKVFUgRERTVDEQMA4GA1UEAwwHRERTVCBD
QTAiGA8xOTk2MDgwMTAwMDAwMFoYDzIwMjAxMjMxMjM1OTU5WjAAMIIBIjANBgkq
hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAs5aM8KCuLHVK0mpFLfbvBaFNx6uDHWM0
ksxXTQDXAeqaakymmOnpZGwf8GhWSCg3xSdId2/kCBJaQMkgMTjUqiTeiHFhB7T4
zOj3d+R8gbYjPw5oHK+aXk7B0fSUTVLXnlidu/EuwRTU9dERBzN1EtrptNzUJZJa
ZUbUjTV14amSJ9HOJvVghEiZ1CWPdhfI0I8om6AqO3akBpdwx4h1MT26lxTIAEj8
vUa33OM/Ac933q9cgoii6EmVwOfe9riFFwRFzZh0ygzVhsd83ujvBRLT2dDl7oxE
6himl1D/iSOQv7VxosVdca3k/5iXEDeENncNNCWoCZwZRsDQwKZ6DwIDAQABoxMw
ETAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDgUAA4IBAQAiQvULr9pFxgIJ
yjtxVHxY9dPKRumSnjQnUfd86mICk/XD1ywQM/amRyVrIInUxP6Gg2xCnYr7gNuG
FeYf3EqtlEZYqfWLIClJSU62mKbCXwfRIldh1ihSiH5+IV0Put4SAvjamQ5xnSAm
KG4TH/v8d+cmx2vC/gyRe1uH60g1o7yOgwzP5UYe6WeGx3lIRW2Av9u/roYMmegv
lXUBbMSpqpp/nGoAn9IxaNticZWlz4pkYXTWn0NFoaDDz7855zeXJ3IBBrfR5R1O
sK6jmqhXPfGGAtS0+Wz8bnl1pHeNtNI5gqjamji6NOutR0oZv/FzDcfds3erBBD2
AktONs4U
-----END CERTIFICATE-----

results:

Loaded CAs (1 available)
Subject: (null)
Issuer: CN=DDST CA,O=SJTU DDST,ST=SH,C=CN
Checked against: CN=DDST CA,O=SJTU DDST,ST=SH,C=CN
Signature algorithm: RSA-SHA224
Output: Verified. The certificate is trusted.
Chain verification output: Verified. The certificate is trusted.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/872#note_260414244

Date: Sun, 15 Dec 2019 04:15:05 +0000
Subject: [gnutls-devel] GnuTLS | Issues require labels (#875)

GnuTLS bot created an issue: https://gitlab.com/gnutls/gnutls/issues/875

The following issues require labels:

- [ ] [OCSP response manipulation & signing support](https://gitlab.com/gnutls/gnutls/issues/859)
- [ ] [new coverity issues](https://gitlab.com/gnutls/gnutls/issues/857)

Please take care of them.
--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/875

Date: Sun, 15 Dec 2019 04:15:05 +0000
Subject: [gnutls-devel] GnuTLS | OCSP response manipulation & signing support (#859)

GnuTLS bot commented:

@mbiberhofer This issue is unlabelled after 30 days. It needs attention.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/859#note_260420547

Date: Sun, 15 Dec 2019 04:15:05 +0000
Subject: [gnutls-devel] GnuTLS | new coverity issues (#857)

GnuTLS bot commented:

@nmav This issue is unlabelled after 30 days. It needs attention.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/857#note_260420548

Date: Sun, 15 Dec 2019 09:18:49 +0000
Subject: [gnutls-devel] GnuTLS | new coverity issues (#857)

Nikos Mavrogiannopoulos commented:

I'm closing it as I do not think this ticket is the best way to track coverity issues.
--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/857#note_260436804

Date: Sun, 15 Dec 2019 09:18:49 +0000
Subject: [gnutls-devel] GnuTLS | new coverity issues (#857)

Issue was closed by Nikos Mavrogiannopoulos

Issue #857: https://gitlab.com/gnutls/gnutls/issues/857

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/857

Date: Sun, 15 Dec 2019 09:20:23 +0000
Subject: [gnutls-devel] GnuTLS | OCSP response manipulation & signing support (#859)

Nikos Mavrogiannopoulos commented:

I'm marking it as ok for 3.6.x. @mbiberhofer do you have any estimate on when you'll be able to submit an MR?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/859#note_260436917
Date: Sun, 15 Dec 2019 09:20:37 +0000
Subject: [gnutls-devel] GnuTLS | Issues require labels (#875)

Issue was closed by Nikos Mavrogiannopoulos

Issue #875: https://gitlab.com/gnutls/gnutls/issues/875

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/875

Date: Sun, 15 Dec 2019 09:21:22 +0000
Subject: [gnutls-devel] GnuTLS | Issues require labels (#869)

Issue was closed by Nikos Mavrogiannopoulos

Issue #869: https://gitlab.com/gnutls/gnutls/issues/869

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/869

Date: Sun, 15 Dec 2019 09:26:11 +0000
Subject: [gnutls-devel] GnuTLS | Should a certificate with two SAN instances be rejected? (#872)

Nikos Mavrogiannopoulos commented:

> Hi Nikos, thank you. I'm still confused by the binding mechanism here. Next shows another certificate (5009_2.pem), in which the subject is null and the subjectAltName extension is not present.
> Why can the certificate pass the path validation? Nothing should be bound to the subject public key. "Certification path processing verifies the binding between the subject distinguished name and/or subject alternative name and subject public key." (RFC5280, Sec. 6).

I think there is a misunderstanding here. gnutls does not have a strict path validation mechanism as described in RFC5280. It has a validation mechanism that works as:

1. gnutls_certificate_verify_peers2: "are the signatures on the certificate valid?"
2. gnutls_certificate_verify_peers3: "is this certificate trusted for this DNS name?"
3. gnutls_certificate_verify_peers: a more advanced combination of these questions; e.g., is this certificate marked as server-only and trusted for this DNS name?

Thus for the certificate you are quoting, it will pass (1) since the signatures are valid, but will not pass (2) where a name comparison is requested (for 3 the pass/not pass depends on whether the request includes name comparison).

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/872#note_260437386

Date: Sun, 15 Dec 2019 09:31:06 +0000
Subject: [gnutls-devel] GnuTLS | It is not possible for server to check whether client requested OCSP stapling (#829)

Nikos Mavrogiannopoulos commented:

Could you clarify what you mean by (b)? Isn't the fact that the certificate verification output includes that result sufficient?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/829#note_260437727
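Added example (not GnuTLS code): a Python model of the two questions separated in the #872 reply above, signature validity and name binding, run on a record that mirrors 5009_2.pem (empty subject, no subjectAltName, valid issuer signature). The dict layout and function names are this example's own assumptions; the name comparison follows the RFC 6125 rules (dNSName SANs consulted first, the legacy CN only when there are none, a wildcard only as the whole leftmost label with at least two labels after it, IP literals only against iPAddress SANs).

```python
"""Name binding as a small model: a chain whose signatures verify can still
fail step (2) when the end-entity certificate offers no name to compare.

Constructed illustration, not GnuTLS code. Certificates are simplified dicts
carrying only what the check needs: subject CN, dNSName SANs, iPAddress SANs.
"""
import ipaddress


def _dns_match(pattern: str, host: str) -> bool:
    """RFC 6125-style comparison: case-insensitive; a wildcard is allowed only
    as the whole leftmost label and only with two or more labels to its right."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def check_hostname(cert: dict, hostname: str):
    """Is `cert` issued for `hostname`? Returns (ok, reason)."""
    try:
        ip = ipaddress.ip_address(hostname)
    except ValueError:
        ip = None
    if ip is not None:                      # IP literals match only iPAddress SANs
        if any(ipaddress.ip_address(a) == ip for a in cert.get("san_ip", [])):
            return True, f"iPAddress SAN matches {hostname}"
        return False, f"no iPAddress SAN for {hostname}"
    dns_names = cert.get("san_dns", [])
    if dns_names:                           # with dNSName SANs present the CN is ignored
        for name in dns_names:
            if _dns_match(name, hostname):
                return True, f"dNSName SAN {name!r} matches {hostname}"
        return False, f"no dNSName SAN matches {hostname}"
    cn = cert.get("subject", {}).get("CN")
    if cn is None:
        return False, "no subject CN and no subjectAltName: nothing to bind a name to"
    if _dns_match(cn, hostname):
        return True, f"legacy CN {cn!r} matches {hostname}"
    return False, f"CN {cn!r} does not match {hostname}"


def verify_peer(cert: dict, signatures_valid: bool, hostname=None):
    """The two questions from the reply: (1) are the chain signatures valid,
    (2) is the certificate bound to this name. hostname=None asks only (1);
    `signatures_valid` stands in for the chain check this model does not do."""
    if not signatures_valid:
        return False, "signature verification failed"
    if hostname is None:
        return True, "signatures valid (no name comparison requested)"
    return check_hostname(cert, hostname)


# Constructed records. CERT_5009_2 mirrors the certificate posted in the
# thread: empty subject, no subjectAltName extension, valid issuer signature.
CERT_5009_2 = {"subject": {}, "san_dns": [], "san_ip": []}
CERT_WEB = {"subject": {"CN": "www.example.test"},
            "san_dns": ["*.example.test", "example.test"],
            "san_ip": ["192.0.2.10"]}
CERT_CN_ONLY = {"subject": {"CN": "*.test"}, "san_dns": [], "san_ip": []}

if __name__ == "__main__":
    print(verify_peer(CERT_5009_2, True))                    # passes (1) only
    print(verify_peer(CERT_5009_2, True, "example.test"))    # fails (2)
    print(verify_peer(CERT_WEB, True, "WWW.example.test"))   # wildcard SAN match
    print(verify_peer(CERT_CN_ONLY, True, "foo.test"))       # wildcard too broad
```

The 5009_2 record shows the point of the reply: with `hostname=None` the model answers "verified" because only signatures were asked about, and the moment a name is supplied the empty subject and missing SAN leave nothing to compare, so the same certificate is rejected.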
Date: Sun, 15 Dec 2019 12:05:52 +0000
Subject: [gnutls-devel] GnuTLS | It is not possible for server to check whether client requested OCSP stapling (#829)

jgh commented:

If that means "certificate verification done on the client, of the server cert and ocsp" - then it is not sufficient, because the server-end application has no visibility of that. I'm asking for observability by the server application (above the library) of what the server (as a whole) did.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/829#note_260449672

Date: Sun, 15 Dec 2019 12:34:45 +0000
Subject: [gnutls-devel] GnuTLS | It is not possible for server to check whether client requested OCSP stapling (#829)

Nikos Mavrogiannopoulos commented:

So if I understand correctly, you want to check in the server whether it has sent the OCSP responses to the client, right? If that's the case, then if the server has OCSP responses to send and the client requested them, they are sent. The new API answers the latter (did the client request them?). So is your question whether there is an API to query whether it has responses to send, or is it about making it easier to do this deduction with a new API?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/829#note_260463711
Date: Sun, 15 Dec 2019 13:09:40 +0000
Subject: [gnutls-devel] GnuTLS | It is not possible for server to check whether client requested OCSP stapling (#829)

jgh commented:

Yes. It's closest to the latter, but slightly more subtle: was a response actually sent? The distinction being that, because there could have been multiple possible server certs and multiple possible OCSP responses, it's quite feasible for the application code using the library to fail to have loaded up a consistent combination. Especially in the face of changing client behaviour, requiring the server to use a cert for which no OCSP response has been loaded.

Therefore, a plain easy-to-use question from the server application code to the server-side library, after the handshake: was an OCSP stapled response sent?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/829#note_260466598

Date: Sun, 15 Dec 2019 19:04:07 +0000
Subject: [gnutls-devel] GnuTLS | It is not possible for server to check whether client requested OCSP stapling (#829)

Nikos Mavrogiannopoulos commented:

But for which certificate? As in TLS1.3 multiple certificates can be stapled with an OCSP response, one flag will not be able to answer the question you pose. Could you describe an API that you have in mind?
--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/829#note_260522950

Date: Sun, 15 Dec 2019 19:12:17 +0000
Subject: [gnutls-devel] GnuTLS | Provide flag to identify sessions that an OCSP response was requested (!1131)

Nikos Mavrogiannopoulos pushed new commits to merge request !1131 https://gitlab.com/gnutls/gnutls/merge_requests/1131

* 0ae82294 - Provide flag to identify sessions that an OCSP response was requested

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1131

Date: Sun, 15 Dec 2019 19:20:09 +0000
Subject: [gnutls-devel] GnuTLS | OCSP: server does not request client OCSP staples (#876)

Nikos Mavrogiannopoulos created an issue: https://gitlab.com/gnutls/gnutls/issues/876

According to [TLS1.3](https://tools.ietf.org/html/rfc8446#section-4.4.2.1) a server can request a client to send OCSP staples during the CertificateVerify by sending an empty "status_request" extension. However we seem to be sending such OCSP staples even when this extension is not present (see `tests/tls13/ocsp-client.c`).

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/876
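Added example (not GnuTLS code) for two points in the threads above: jgh's observation that the client's status_request extension is visible in a parsed ClientHello, and #876, where RFC 8446 section 4.4.2.1 has the server request client staples by sending an empty status_request in its CertificateRequest. The Python below parses the extension-block wire format that gnutls_ext_raw_parse() consumes, bounds-checked so that truncated or duplicated input raises instead of overrunning, and answers both questions on constructed messages; the messages, helper names and the all-zero random are this example's own.

```python
"""Locating status_request in TLS 1.3 handshake messages, the extension
block format shared by ClientHello and CertificateRequest, walked defensively.
Constructed illustration, not GnuTLS code."""

STATUS_REQUEST = 5          # ExtensionType status_request (RFC 6066)
OCSP_STATUS_TYPE = 1        # CertificateStatusType ocsp


class TlsParseError(ValueError):
    """Raised instead of reading past the end of a malformed message."""


def _u16(buf: bytes, off: int) -> int:
    if off + 2 > len(buf):
        raise TlsParseError(f"need 2 bytes at offset {off}, have {len(buf) - off}")
    return int.from_bytes(buf[off:off + 2], "big")


def parse_extension_block(block: bytes):
    """Parse `uint16 length` followed by {uint16 type, uint16 length, data}
    records. Returns a list of (type, data); raises on overruns and on a
    repeated type, which RFC 8446 4.2 forbids."""
    total = _u16(block, 0)
    if 2 + total != len(block):
        raise TlsParseError("extensions length does not match block size")
    off, exts, seen = 2, [], set()
    while off < len(block):
        etype, elen = _u16(block, off), _u16(block, off + 2)
        off += 4
        if off + elen > len(block):
            raise TlsParseError(f"extension {etype} overruns the block")
        if etype in seen:
            raise TlsParseError(f"duplicate extension {etype}")
        seen.add(etype)
        exts.append((etype, block[off:off + elen]))
        off += elen
    return exts


def client_hello_extensions(body: bytes):
    """Skip legacy_version, random, legacy_session_id, cipher_suites and
    legacy_compression_methods of a ClientHello body; parse what follows."""
    off = 2 + 32
    if off >= len(body):
        raise TlsParseError("ClientHello too short")
    off += 1 + body[off]                           # legacy_session_id
    off += 2 + _u16(body, off)                     # cipher_suites
    if off >= len(body):
        raise TlsParseError("ClientHello truncated before compression_methods")
    off += 1 + body[off]                           # legacy_compression_methods
    return parse_extension_block(body[off:])


def certificate_request_extensions(body: bytes):
    """Skip certificate_request_context of a TLS 1.3 CertificateRequest body."""
    if not body:
        raise TlsParseError("empty CertificateRequest")
    return parse_extension_block(body[1 + body[0]:])


def find_extension(exts, etype):
    """The extension's data, or None when absent."""
    return next((data for t, data in exts if t == etype), None)


def client_requested_ocsp(client_hello: bytes) -> bool:
    """Server-side view: did the ClientHello carry status_request with
    status_type ocsp (RFC 6066 section 8)?"""
    data = find_extension(client_hello_extensions(client_hello), STATUS_REQUEST)
    return data is not None and len(data) >= 1 and data[0] == OCSP_STATUS_TYPE


def server_requests_client_staple(cert_request: bytes) -> bool:
    """Client-side view: an empty status_request in CertificateRequest is the
    server asking for the client's staple (RFC 8446 4.4.2.1)."""
    data = find_extension(certificate_request_extensions(cert_request), STATUS_REQUEST)
    return data is not None and len(data) == 0


def well_formed(parser, body: bytes) -> bool:
    """True when `parser` accepts `body` without raising TlsParseError."""
    try:
        parser(body)
        return True
    except TlsParseError:
        return False


# --- constructed messages ---------------------------------------------------
def _ext(etype: int, data: bytes) -> bytes:
    return etype.to_bytes(2, "big") + len(data).to_bytes(2, "big") + data


def _block(*exts: bytes) -> bytes:
    joined = b"".join(exts)
    return len(joined).to_bytes(2, "big") + joined


_SNI_LIST = b"\x00" + len(b"example.test").to_bytes(2, "big") + b"example.test"
CH_EXTS = _block(_ext(0, len(_SNI_LIST).to_bytes(2, "big") + _SNI_LIST),   # server_name
                 _ext(STATUS_REQUEST, bytes([OCSP_STATUS_TYPE]) + b"\x00\x00\x00\x00"),
                 _ext(43, b"\x02\x03\x04"))                                  # supported_versions
CLIENT_HELLO = (b"\x03\x03" + bytes(32)            # legacy_version, constructed all-zero random
                + b"\x00"                          # empty legacy_session_id
                + b"\x00\x02\x13\x01"              # one suite: TLS_AES_128_GCM_SHA256
                + b"\x01\x00"                      # compression: null only
                + CH_EXTS)
CERT_REQUEST = b"\x00" + _block(_ext(13, b"\x00\x02\x08\x04"), _ext(STATUS_REQUEST, b""))
CERT_REQUEST_NO_SR = b"\x00" + _block(_ext(13, b"\x00\x02\x08\x04"))
TRUNCATED = CLIENT_HELLO[:-3]                      # last extension cut short
DUPLICATE_SR = b"\x00" + _block(_ext(STATUS_REQUEST, b""), _ext(STATUS_REQUEST, b""))
```

The parser rejects a block whose declared length disagrees with the bytes actually present before it reads any record, which is the property a raw-extension parser needs when fed handshake messages it did not construct itself.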
Date: Sun, 15 Dec 2019 19:31:32 +0000
Subject: [gnutls-devel] GnuTLS | It is not possible for server to check whether client requested OCSP stapling (#829)

jgh commented:

Fair comment. Most commonly it'll be just the leaf, but... if we allow for an indefinite number and combination, that means a bitfield, which no longer fits with the gnutls_session_get_flags() interface. So that would be a new API call, which I'd fully understand if you don't really want to do. If you do: one bit position per chain position; bit0 for the leaf, bit set for ocsp-status-of-this-cert-sent.

Perhaps punt on the chain-status support (we can't parse a 1.3 servercert at this time; gnutls_ext_raw_parse() crashes) and just return a single bit via gnutls_session_get_flags() if _any_ status was transmitted?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/829#note_260526515

Date: Sun, 15 Dec 2019 20:39:30 +0000
Subject: [gnutls-devel] GnuTLS | doc: update reference to the default configuration file (!1132)

Dimitri John Ledkov created a merge request: https://gitlab.com/gnutls/gnutls/merge_requests/1132

Project:Branches: xnox/gnutls:fix-docs to gnutls/gnutls:master
Author: Dimitri John Ledkov

Add a description of the new feature/bug fix. Reference any relevant bugs.
## Checklist

* [ ] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [ ] Code modified for feature
* [ ] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
* [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:

* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1132

Date: Mon, 16 Dec 2019 11:45:46 +0000
Subject: [gnutls-devel] GnuTLS | Provide flag to identify sessions that an OCSP response was requested (!1131)

Nikos Mavrogiannopoulos pushed new commits to merge request !1131 https://gitlab.com/gnutls/gnutls/merge_requests/1131

* 44f9bac3 - gnutls_ocsp_status_request_is_checked: mark explicitly as unsigned the return type

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1131
Date: Mon, 16 Dec 2019 11:55:16 +0000
Subject: [gnutls-devel] GnuTLS | fuzzer: added fuzzers for gnutls_ext_raw_parse() [ci skip] (!1133)

Nikos Mavrogiannopoulos created a merge request: https://gitlab.com/gnutls/gnutls/merge_requests/1133

Project:Branches: nmav/gnutls:tmp-ext-fuzzer to gnutls/gnutls:master
Author: Nikos Mavrogiannopoulos

This adds new fuzzers for gnutls_ext_raw_parse().

## Checklist

* [x] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [x] Code modified for feature
* [ ] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
* [x] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:

* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1133
From gnutls-devel at lists.gnutls.org Mon Dec 16 12:58:41 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 16 Dec 2019 11:58:41 +0000
Subject: [gnutls-devel] GnuTLS | WIP: fuzzer: added fuzzers for gnutls_ext_raw_parse() [ci skip] (!1133)

Nikos Mavrogiannopoulos pushed new commits to merge request !1133
https://gitlab.com/gnutls/gnutls/merge_requests/1133

* af0b8c79 - fuzzer: added fuzzers for gnutls_ext_raw_parse() [ci skip]

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1133

From gnutls-devel at lists.gnutls.org Mon Dec 16 17:08:46 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 16 Dec 2019 16:08:46 +0000
Subject: [gnutls-devel] GnuTLS | add a callback to retrieve missing chain certificates (#202)

Michael Catanzaro commented:

> I talked to Daiki about this at GUADEC. I'm hoping to get around to this before 2020, but if I don't, then I probably won't get to it ever (I won't be working on networking for much longer) and somebody else can take it.

Sorry, I'm going to run out of time to work on this. Hope I didn't discourage others from tackling it for too long. :(

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/202#note_261129956
From gnutls-devel at lists.gnutls.org Mon Dec 16 21:02:18 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 16 Dec 2019 20:02:18 +0000
Subject: [gnutls-devel] GnuTLS | Provide flag to identify sessions that an OCSP response was requested (!1131)

Nikos Mavrogiannopoulos pushed new commits to merge request !1131
https://gitlab.com/gnutls/gnutls/merge_requests/1131

* bd383624 - gnutls_ocsp_status_request_is_checked: mark explicitly as unsigned the return type

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1131

From gnutls-devel at lists.gnutls.org Mon Dec 16 21:33:47 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 16 Dec 2019 20:33:47 +0000
Subject: [gnutls-devel] GnuTLS | WIP: fuzzer: added fuzzers for gnutls_ext_raw_parse() [ci skip] (!1133)

Tim Rühsen commented:

There is not so much to fuzz in gnutls_ext_raw_parse() / _gnutls_extv_parse(). Possibly it would be a good idea to create just one fuzzer with three calls to gnutls_ext_raw_parse()!?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1133#note_261299164

From gnutls-devel at lists.gnutls.org Tue Dec 17 01:53:58 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 17 Dec 2019 00:53:58 +0000
Subject: [gnutls-devel] GnuTLS | add a callback to retrieve missing chain certificates (#202)

Daiki Ueno commented:

Do you happen to have any work in progress patches someone can continue working on?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/202#note_261391376

From gnutls-devel at lists.gnutls.org Tue Dec 17 05:45:06 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 17 Dec 2019 04:45:06 +0000
Subject: [gnutls-devel] GnuTLS | Gnutls no longer accepts certificates whose notbefore field is a non-digits string (!1134)

llqll created a merge request: https://gitlab.com/gnutls/gnutls/merge_requests/1134

Project:Branches: llqll/gnutls:issue-870 to gnutls/gnutls:master
Author: llqll

Add a description of the new feature/bug fix. Reference any relevant bugs.

## Checklist
* [x] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [x] Code modified for feature
* [ ] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
* [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:
* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1134
From gnutls-devel at lists.gnutls.org Tue Dec 17 05:48:13 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 17 Dec 2019 04:48:13 +0000
Subject: [gnutls-devel] GnuTLS | Gnutls3.6.7 accepts a certificate whose notbefore field is a non-digits string while openssl rejects such certificates (#870)

llqll commented:

Yes, I have proposed an MR.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/870#note_261430056

From gnutls-devel at lists.gnutls.org Tue Dec 17 07:52:57 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 17 Dec 2019 06:52:57 +0000
Subject: [gnutls-devel] GnuTLS | It is not possible for server to check whether client requested OCSP stapling (#829)

Airtower commented:

Spontaneous thought while reading these comments: It should be possible to record the actually sent OCSP response(s) when using `gnutls_certificate_set_retrieve_function3`. The callback has full control over which certificate(s) and response(s) to send, and could e.g. log them at will. This would force the application to implement its own selection logic, though. Maybe it'd be possible to make the default certificate and response retrieval method available as API, so applications could easily call it as part of their `gnutls_certificate_set_retrieve_function3` callbacks?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/829#note_261456959
From gnutls-devel at lists.gnutls.org Tue Dec 17 11:52:59 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 17 Dec 2019 10:52:59 +0000
Subject: [gnutls-devel] GnuTLS | WIP: fuzzer: added fuzzers for gnutls_ext_raw_parse() [ci skip] (!1133)

Nikos Mavrogiannopoulos pushed new commits to merge request !1133
https://gitlab.com/gnutls/gnutls/merge_requests/1133

* cc00f814 - fuzzer: added fuzzers for gnutls_ext_raw_parse() [ci skip]

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1133

From gnutls-devel at lists.gnutls.org Tue Dec 17 12:50:45 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 17 Dec 2019 11:50:45 +0000
Subject: [gnutls-devel] GnuTLS | Gnutls no longer accepts certificates whose notbefore field is a non-digits string (!1134)

Merge request https://gitlab.com/gnutls/gnutls/merge_requests/1134 was reviewed by Nikos Mavrogiannopoulos

--

Nikos Mavrogiannopoulos started a new discussion on lib/x509/time.c: https://gitlab.com/gnutls/gnutls/merge_requests/1134#note_261660249

> + /* Make sure everything else is digits. */
> + for (int i = 0; i < len - 1; i++) {
> + if (isdigit(ttime[i]))

Thank you. It makes sense. Two comments: maybe we should cache the output of strlen() above to avoid two runs when compiled with older compilers or in simpler systems. The other is that we should use `c_isdigit()` from `` to ensure that this comparison is done right even when the locale is not C.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1134
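Review bot: the visible loop tests `isdigit(ttime[i])` being true, while the comment above it says the intent is to reject anything that is not a digit; the rejecting branch should test the negated condition (`if (!c_isdigit(...)) return error`), otherwise the check passes exactly the strings it should refuse. Two further points on the same three lines: `isdigit()` is only defined for values representable as `unsigned char` (or EOF), so a plain `char` with the high bit set is undefined behaviour and needs a `(unsigned char)` cast, which the locale-independent `c_isdigit()` suggested in the review also solves; and with `len` coming from `strlen()` it is a `size_t`, so `len - 1` wraps to the maximum value on an empty string and `len == 0` should be rejected before the loop.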
From gnutls-devel at lists.gnutls.org Tue Dec 17 12:52:11 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 17 Dec 2019 11:52:11 +0000
Subject: [gnutls-devel] GnuTLS | fuzzer: added fuzzers for gnutls_ext_raw_parse() [ci skip] (!1133)

Tim Rühsen commented:

@nmav Did you see my comment above?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1133#note_261661000

From gnutls-devel at lists.gnutls.org Tue Dec 17 12:53:54 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 17 Dec 2019 11:53:54 +0000
Subject: [gnutls-devel] GnuTLS | Gnutls no longer accepts certificates whose notbefore field is a non-digits string (!1134)

Nikos Mavrogiannopoulos commented:

Would you like to clarify the commit message to something more expressive, e.g., "reject certificates whose notbefore field is non-digits", and mention the bug number in the description, e.g., "Resolves #840". Also, would you like to add the reproducer as part of the test suite, e.g., in `tests/cert-tests/certtool` or even separately, so that we ensure we do not regress in the future?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1134#note_261661788
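The digit check under review in !1134, written out as an added example that is not GnuTLS code: it folds in the review points (one `strlen()` call, a locale-independent digit test standing in for gnulib's `c_isdigit()`, an explicit reject branch) and handles both validity-time encodings. The function names, the length macros and the sample strings are constructed for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not GnuTLS code. Models the notBefore/notAfter check
 * discussed in !1134: an X.509 time string must be ASCII digits followed by
 * a single trailing 'Z'. RFC 5280 fixes the lengths: UTCTime is
 * YYMMDDHHMMSSZ (13 bytes), GeneralizedTime is YYYYMMDDHHMMSSZ (15 bytes). */
#define X509_UTCTIME_LEN         13
#define X509_GENERALIZEDTIME_LEN 15

/* Locale-independent ASCII digit test, standing in for gnulib's c_isdigit().
 * <ctype.h> isdigit() depends on the process locale and is undefined for
 * plain char values outside the unsigned char range. */
static int ascii_isdigit(unsigned char c)
{
	return c >= '0' && c <= '9';
}

/* Returns 1 if ttime is exactly expected_len bytes of the form "<digits>Z",
 * 0 otherwise. The branch inside the loop rejects, it does not accept. */
int time_string_is_valid(const char *ttime, size_t expected_len)
{
	size_t len;
	size_t i;

	if (ttime == NULL)
		return 0;

	/* strlen() once; the value is reused for the bound and the 'Z' check. */
	len = strlen(ttime);

	/* The length check also rules out len == 0, so len - 1 below cannot
	 * wrap around (len is a size_t). */
	if (len != expected_len)
		return 0;

	if (ttime[len - 1] != 'Z')
		return 0;

	/* Make sure everything else is digits. The cast keeps bytes >= 0x80
	 * from being passed as negative values. */
	for (i = 0; i < len - 1; i++) {
		if (!ascii_isdigit((unsigned char) ttime[i]))
			return 0;
	}

	return 1;
}

/* Accepts either encoding permitted for a certificate validity field. */
int x509_time_is_valid(const char *ttime)
{
	return time_string_is_valid(ttime, X509_UTCTIME_LEN) ||
	       time_string_is_valid(ttime, X509_GENERALIZEDTIME_LEN);
}

int main(void)
{
	/* Constructed samples: a valid UTCTime, a valid GeneralizedTime, a
	 * UTCTime with a letter where a digit belongs, a GeneralizedTime with
	 * a non-ASCII byte, and a string missing the trailing 'Z'. */
	const char *samples[] = {
		"191217044506Z",
		"20191217044506Z",
		"19121704450aZ",
		"201912170445\xc3\xa9Z",
		"191217044506",
	};
	size_t n;

	for (n = 0; n < sizeof(samples) / sizeof(samples[0]); n++)
		printf("%-20s %s\n", samples[n],
		       x509_time_is_valid(samples[n]) ? "valid" : "rejected");
	return 0;
}
```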
From gnutls-devel at lists.gnutls.org Tue Dec 17 16:03:32 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 17 Dec 2019 15:03:32 +0000
Subject: [gnutls-devel] GnuTLS | fuzzer: added fuzzers for gnutls_ext_raw_parse() [ci skip] (!1133)

Nikos Mavrogiannopoulos commented:

Hi Tim, I just read it. Would it be ok for a reasonable fuzzer? The input form is different for each fuzzer.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1133#note_261792865

From gnutls-devel at lists.gnutls.org Tue Dec 17 16:29:38 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 17 Dec 2019 15:29:38 +0000
Subject: [gnutls-devel] GnuTLS | fuzzer: added fuzzers for gnutls_ext_raw_parse() [ci skip] (!1133)

Tim Rühsen commented:

> Would it be ok for a reasonable/effective fuzzer?

Yes, definitely. Having three calls (with different flags) in a single fuzzer is even better in this case, IMO (less/shared corpora, less code, same results/coverage).

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1133#note_261809547

From gnutls-devel at lists.gnutls.org Tue Dec 17 16:44:30 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 17 Dec 2019 15:44:30 +0000
Subject: [gnutls-devel] GnuTLS | fuzzer: added fuzzers for gnutls_ext_raw_parse() [ci skip] (!1133)

Nikos Mavrogiannopoulos commented:

If I combine them and run afl-cmin on the new program, it identifies a single trace on them. With the individual ones these were seen as different traces.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1133#note_261830167

From gnutls-devel at lists.gnutls.org Tue Dec 17 16:49:22 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 17 Dec 2019 15:49:22 +0000
Subject: [gnutls-devel] GnuTLS | fuzzer: added fuzzers for gnutls_ext_raw_parse() [ci skip] (!1133)

Nikos Mavrogiannopoulos commented:

I'll run the afl-fuzzer again on the new binary.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1133#note_261833314

From gnutls-devel at lists.gnutls.org Tue Dec 17 16:51:18 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 17 Dec 2019 15:51:18 +0000
Subject: [gnutls-devel] GnuTLS | add a callback to retrieve missing chain certificates (#202)

Michael Catanzaro commented:

No I don't, sorry. I never started. I'm about 2/3 of the way to having glib-networking refactored to get all use of gnutls_session_t onto the same thread. My plan was always to start looking at the GnuTLS side of things once that work was done. Sorry. :(

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/202#note_261838881
From gnutls-devel at lists.gnutls.org Tue Dec 17 17:00:12 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 17 Dec 2019 16:00:12 +0000
Subject: [gnutls-devel] GnuTLS | fuzzer: added fuzzers for gnutls_ext_raw_parse() [ci skip] (!1133)

Nikos Mavrogiannopoulos pushed new commits to merge request !1133
https://gitlab.com/gnutls/gnutls/merge_requests/1133

* 4cfbdc96 - fuzzer: added fuzzer for gnutls_ext_raw_parse() [ci skip]

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1133

From gnutls-devel at lists.gnutls.org Tue Dec 17 17:01:25 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 17 Dec 2019 16:01:25 +0000
Subject: [gnutls-devel] GnuTLS | fuzzer: added fuzzer for gnutls_ext_raw_parse() [ci skip] (!1133)

Nikos Mavrogiannopoulos commented:

Done

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1133#note_261849798

From gnutls-devel at lists.gnutls.org Tue Dec 17 17:05:23 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 17 Dec 2019 16:05:23 +0000
Subject: [gnutls-devel] GnuTLS | fuzzer: added fuzzer for gnutls_ext_raw_parse() [ci skip] (!1133)

Tim Rühsen commented:

LGTM. If you want, I can run it with libFuzzer tomorrow and possibly add more corpora. If you build 'normally', you could check that the code coverage is satisfying (cd fuzz; make coverage).

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1133#note_261851937

From gnutls-devel at lists.gnutls.org Tue Dec 17 17:05:39 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 17 Dec 2019 16:05:39 +0000
Subject: [gnutls-devel] GnuTLS | fuzzer: added fuzzer for gnutls_ext_raw_parse() [ci skip] (!1133)

Merge Request !1133 was approved by Tim Rühsen

Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/1133
Project:Branches: nmav/gnutls:tmp-ext-fuzzer to gnutls/gnutls:master
Author: Nikos Mavrogiannopoulos
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1133

From gnutls-devel at lists.gnutls.org Tue Dec 17 17:10:16 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 17 Dec 2019 16:10:16 +0000
Subject: [gnutls-devel] GnuTLS | fuzzer: added fuzzer for gnutls_ext_raw_parse() [ci skip] (!1133)

Nikos Mavrogiannopoulos pushed new commits to merge request !1133
https://gitlab.com/gnutls/gnutls/merge_requests/1133

* 57a39b08 - fuzzer: added fuzzer for gnutls_ext_raw_parse()

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1133
From gnutls-devel at lists.gnutls.org Tue Dec 17 17:11:11 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 17 Dec 2019 16:11:11 +0000
Subject: [gnutls-devel] GnuTLS | fuzzer: added fuzzer for gnutls_ext_raw_parse() [ci skip] (!1133)

Nikos Mavrogiannopoulos commented:

Thank you. Yes please!

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1133#note_261855424

From gnutls-devel at lists.gnutls.org Tue Dec 17 20:15:26 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 17 Dec 2019 19:15:26 +0000
Subject: [gnutls-devel] GnuTLS | fuzzer: added fuzzer for gnutls_ext_raw_parse() [ci skip] (!1133)

Tim Rühsen commented:

Created branch tmp-update-fuzzer with 3 commits. The coverage by the new fuzzer is 96.5% for extv.c and 87.5 for extv.h.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1133#note_261936191

From gnutls-devel at lists.gnutls.org Tue Dec 17 20:17:03 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 17 Dec 2019 19:17:03 +0000
Subject: [gnutls-devel] GnuTLS | fuzzer: added fuzzer for gnutls_ext_raw_parse() [ci skip] (!1133)

Tim Rühsen commented:

make syntax-check fails due to

```
fuzz/gnutls_ext_raw_parse_fuzzer.c
maint.mk: the above files include assert.h but don't use it
make: *** [maint.mk:519: sc_prohibit_assert_without_use] Fehler 1
make: *** Es wird auf noch nicht beendete Prozesse gewartet....
```

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1133#note_261936984

From gnutls-devel at lists.gnutls.org Wed Dec 18 07:54:12 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 18 Dec 2019 06:54:12 +0000
Subject: [gnutls-devel] GnuTLS | Gnutls no longer accepts certificates whose notbefore field is a non-digits string (!1134)

llqll pushed new commits to merge request !1134
https://gitlab.com/gnutls/gnutls/merge_requests/1134

* ddf5f873 - we cache the output of strlen() above to avoid two runs when compiled with...

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1134

From gnutls-devel at lists.gnutls.org Wed Dec 18 09:30:48 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 18 Dec 2019 08:30:48 +0000
Subject: [gnutls-devel] GnuTLS | fuzzer: added fuzzer for gnutls_ext_raw_parse() [ci skip] (!1133)

Nikos Mavrogiannopoulos pushed new commits to merge request !1133
https://gitlab.com/gnutls/gnutls/merge_requests/1133

* f445e3b0 - Add fuzz corpora for gnutls_ext_raw_parse_fuzzer
* 403c5991 - Amend fuzz scripts and README for clang-8
* f2874a25 - Sync with fuzzers from OSS-Fuzz

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1133
From gnutls-devel at lists.gnutls.org Wed Dec 18 09:31:02 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 18 Dec 2019 08:31:02 +0000
Subject: [gnutls-devel] GnuTLS | fuzzer: added fuzzer for gnutls_ext_raw_parse() [ci skip] (!1133)

Tim Rühsen commented:

@nmav Sorry, yesterday evening I forgot to say:

- fix syntax-check in your commit

From branch tmp-update-fuzzer:

- merge the first commit (just 4 additional corpora) into your commit
- add the other 2 commits to your MR

When testing with libFuzzer locally, several UBs pop up with the existing corpora. I wonder why they don't result in failure of the CI.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1133#note_262186372

From gnutls-devel at lists.gnutls.org Wed Dec 18 09:31:55 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 18 Dec 2019 08:31:55 +0000
Subject: [gnutls-devel] GnuTLS | fuzzer: added fuzzer for gnutls_ext_raw_parse() [ci skip] (!1133)

Nikos Mavrogiannopoulos pushed new commits to merge request !1133
https://gitlab.com/gnutls/gnutls/merge_requests/1133

* e1555e63 - fuzzer: added fuzzer for gnutls_ext_raw_parse()
* 4de4bd80 - Add fuzz corpora for gnutls_ext_raw_parse_fuzzer
* ed23a2d5 - Amend fuzz scripts and README for clang-8
* 9f45a6d3 - Sync with fuzzers from OSS-Fuzz

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1133
From gnutls-devel at lists.gnutls.org Wed Dec 18 09:32:49 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 18 Dec 2019 08:32:49 +0000
Subject: [gnutls-devel] GnuTLS | fuzzer: added fuzzer for gnutls_ext_raw_parse() [ci skip] (!1133)

Nikos Mavrogiannopoulos commented:

I've included the patches and removed the assert.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1133#note_262187254

From gnutls-devel at lists.gnutls.org Wed Dec 18 09:33:09 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 18 Dec 2019 08:33:09 +0000
Subject: [gnutls-devel] GnuTLS | Gnutls no longer accepts certificates whose notbefore field is a non-digits string (!1134)

llqll pushed new commits to merge request !1134
https://gitlab.com/gnutls/gnutls/merge_requests/1134

* 08378b73 - add file tests/cert-tests/cert-non-digits-time. This file is used to check if...

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1134
From gnutls-devel at lists.gnutls.org Wed Dec 18 09:33:17 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 18 Dec 2019 08:33:17 +0000
Subject: [gnutls-devel] GnuTLS | doc: update reference to the default configuration file (!1132)

Merge Request !1132 was approved by Nikos Mavrogiannopoulos

Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/1132
Project:Branches: xnox/gnutls:fix-docs to gnutls/gnutls:master
Author: Dimitri John Ledkov
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1132

From gnutls-devel at lists.gnutls.org Wed Dec 18 09:33:45 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 18 Dec 2019 08:33:45 +0000
Subject: [gnutls-devel] GnuTLS | fuzzer: added fuzzer for gnutls_ext_raw_parse() [ci skip] (!1133)

Tim Rühsen commented:

Nice! I will investigate the UBs I saw yesterday evening.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1133#note_262187757

From gnutls-devel at lists.gnutls.org Wed Dec 18 09:33:53 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 18 Dec 2019 08:33:53 +0000
Subject: [gnutls-devel] GnuTLS | doc: update reference to the default configuration file (!1132)

Nikos Mavrogiannopoulos commented:

Thank you. You may want to increase CI running time as in the checklist or add `[ci skip]` in the first line of your commit message.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1132#note_262187804

From gnutls-devel at lists.gnutls.org Wed Dec 18 09:47:26 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 18 Dec 2019 08:47:26 +0000
Subject: [gnutls-devel] GnuTLS | It is not possible for server to check whether client requested OCSP stapling (#829)

Nikos Mavrogiannopoulos commented:

OK @j29280, should we track the last request as a separate issue? To my understanding and from the suggestion of @airtower-luna the solution may be something quite unrelated, and more elaborate. As such I think it makes more sense to separate the requests, and use this issue for the first one as in the title.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/829#note_262194355

From gnutls-devel at lists.gnutls.org Wed Dec 18 10:48:13 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 18 Dec 2019 09:48:13 +0000
Subject: [gnutls-devel] GnuTLS | fuzzer: added fuzzer for gnutls_ext_raw_parse() [ci skip] (!1133)

Merge Request !1133 was merged

Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/1133
Project:Branches: nmav/gnutls:tmp-ext-fuzzer to gnutls/gnutls:master
Author: Nikos Mavrogiannopoulos
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1133
From gnutls-devel at lists.gnutls.org Wed Dec 18 13:22:29 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 18 Dec 2019 12:22:29 +0000
Subject: [gnutls-devel] GnuTLS | UB detected, but test suite stays silent (#878)

Tim Rühsen created an issue: https://gitlab.com/gnutls/gnutls/issues/878

Building with ASAN/UBSAN enabled and then `cd fuzz; make check; grep -i Sani *.log` shows:

```
gnutls_client_fuzzer.log:SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior buffers.h:96:15 in
gnutls_client_fuzzer.log:SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior handshake.c:2704:34 in
gnutls_client_fuzzer.log:SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior rnd-fuzzer.c:122:10 in
gnutls_client_fuzzer.log:SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior kx.c:299:34 in
gnutls_client_fuzzer.log:SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior hello_ext.c:403:9 in
gnutls_client_fuzzer.log:SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior num.h:60:12 in
gnutls_client_fuzzer.log:SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior record.c:1173:61 in
gnutls_client_fuzzer.log:SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior buffers.c:982:15 in
gnutls_client_fuzzer.log:SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior hello_ext.c:298:9 in
gnutls_client_fuzzer.log:SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior buffers.h:89:15 in
gnutls_client_fuzzer.log:SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior buffers.h:89:15 in
gnutls_client_fuzzer.log:SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior record.c:1773:47 in
gnutls_client_fuzzer.log:SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior record.c:1155:22 in
gnutls_client_fuzzer.log:SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior pk.c:573:28 in
gnutls_client_fuzzer.log:SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior pk.c:573:19 in
gnutls_client_rawpk_fuzzer.log:SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior buffers.h:96:15 in
gnutls_client_rawpk_fuzzer.log:SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior rnd-fuzzer.c:122:10 in
gnutls_client_rawpk_fuzzer.log:SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior handshake.c:2704:34 in
gnutls_client_rawpk_fuzzer.log:SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior kx.c:299:34 in
gnutls_client_rawpk_fuzzer.log:SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior hello_ext.c:403:9 in
gnutls_client_rawpk_fuzzer.log:SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior num.h:60:12 in
gnutls_client_rawpk_fuzzer.log:SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior record.c:1173:61 in
gnutls_client_rawpk_fuzzer.log:SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior buffers.c:982:15 in
gnutls_client_rawpk_fuzzer.log:SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior hello_ext.c:298:9 in
gnutls_client_rawpk_fuzzer.log:SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior buffers.h:89:15 in
gnutls_ocsp_resp_parser_fuzzer.log:SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ocsp_output.c:527:58 in
gnutls_psk_client_fuzzer.log:SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior buffers.h:96:15 in
gnutls_psk_client_fuzzer.log:SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior handshake.c:2704:34 in
gnutls_psk_client_fuzzer.log:SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior rnd-fuzzer.c:122:10 in
gnutls_psk_client_fuzzer.log:SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior kx.c:299:34 in
gnutls_psk_client_fuzzer.log:SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior hello_ext.c:403:9 in
gnutls_psk_client_fuzzer.log:SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../num.h:60:12 in
gnutls_psk_client_fuzzer.log:SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior num.h:60:12 in
gnutls_psk_client_fuzzer.log:SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior record.c:1173:61 in
gnutls_psk_client_fuzzer.log:SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior buffers.c:982:15 in
gnutls_psk_client_fuzzer.log:SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior hello_ext.c:298:9 in
gnutls_psk_client_fuzzer.log:SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior buffers.h:89:15 in
gnutls_psk_client_fuzzer.log:SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior record.c:1773:47 in
gnutls_psk_client_fuzzer.log:SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior buffers.h:89:15 in
gnutls_psk_client_fuzzer.log:SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior record.c:1155:22 in
gnutls_psk_server_fuzzer.log:SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior buffers.h:96:15 in
gnutls_psk_server_fuzzer.log:SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior rnd-fuzzer.c:122:10 in
gnutls_psk_server_fuzzer.log:SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior handshake.c:2704:34 in
gnutls_psk_server_fuzzer.log:SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior record.c:1173:61 in
gnutls_psk_server_fuzzer.log:SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior buffers.c:982:15 in
gnutls_psk_server_fuzzer.log:SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior num.h:60:12 in
gnutls_psk_server_fuzzer.log:SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior hello_ext.c:298:9 in
gnutls_psk_server_fuzzer.log:SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior kx.c:299:34 in
gnutls_psk_server_fuzzer.log:SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior buffers.h:89:15 in
gnutls_psk_server_fuzzer.log:SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior hello_ext.c:403:9 in
gnutls_psk_server_fuzzer.log:SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior num.h:60:12 in
gnutls_psk_server_fuzzer.log:SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior record.c:1773:47 in
gnutls_psk_server_fuzzer.log:SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior buffers.h:89:15 in
gnutls_psk_server_fuzzer.log:SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior record.c:1155:22 in
gnutls_server_fuzzer.log:SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior buffers.h:96:15 in
gnutls_server_fuzzer.log:SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior rnd-fuzzer.c:122:10 in
gnutls_server_fuzzer.log:SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior handshake.c:2704:34 in
gnutls_server_fuzzer.log:SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior record.c:1173:61 in
gnutls_server_fuzzer.log:SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior buffers.c:982:15 in
gnutls_server_fuzzer.log:SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior num.h:60:12 in
gnutls_server_fuzzer.log:SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior hello_ext.c:298:9 in
gnutls_server_fuzzer.log:SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior buffers.h:89:15 in
gnutls_server_fuzzer.log:SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior kx.c:299:34 in
gnutls_server_fuzzer.log:SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior hello_ext.c:403:9 in
gnutls_server_fuzzer.log:SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior num.h:60:12 in
gnutls_server_fuzzer.log:SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior record.c:1773:47 in
gnutls_server_fuzzer.log:SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior buffers.h:89:15 in
gnutls_server_fuzzer.log:SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior pk.c:668:12 in
gnutls_server_fuzzer.log:SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior pk.c:670:37 in
gnutls_server_fuzzer.log:SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior rsa.c:233:8 in
gnutls_server_fuzzer.log:SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior rsa.c:235:8 in
gnutls_server_fuzzer.log:SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior rsa.c:231:7 in
gnutls_server_fuzzer.log:SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior rsa.c:236:10 in
gnutls_server_fuzzer.log:SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior record.c:1155:22 in gnutls_server_fuzzer.log:SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior num.h:60:12 in gnutls_server_rawpk_fuzzer.log:SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior buffers.h:96:15 in gnutls_server_rawpk_fuzzer.log:SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior rnd-fuzzer.c:122:10 in gnutls_server_rawpk_fuzzer.log:SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior handshake.c:2704:34 in gnutls_server_rawpk_fuzzer.log:SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior record.c:1173:61 in gnutls_server_rawpk_fuzzer.log:SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior buffers.c:982:15 in gnutls_server_rawpk_fuzzer.log:SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior num.h:60:12 in gnutls_server_rawpk_fuzzer.log:SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior hello_ext.c:298:9 in gnutls_server_rawpk_fuzzer.log:SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior kx.c:299:34 in gnutls_server_rawpk_fuzzer.log:SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior buffers.h:89:15 in gnutls_server_rawpk_fuzzer.log:SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior hello_ext.c:403:9 in gnutls_server_rawpk_fuzzer.log:SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior num.h:60:12 in gnutls_server_rawpk_fuzzer.log:SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior num.h:60:12 in gnutls_server_rawpk_fuzzer.log:SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior buffers.h:89:15 in gnutls_set_trust_file_fuzzer.log:SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior verify-high.c:284:7 in gnutls_srp_client_fuzzer.log:SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior buffers.h:96:15 in gnutls_srp_client_fuzzer.log:SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior handshake.c:2704:34 in gnutls_srp_client_fuzzer.log:SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior 
rnd-fuzzer.c:122:10 in gnutls_srp_client_fuzzer.log:SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior kx.c:299:34 in gnutls_srp_client_fuzzer.log:SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior hello_ext.c:403:9 in gnutls_srp_client_fuzzer.log:SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior record.c:1173:61 in gnutls_srp_client_fuzzer.log:SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior buffers.c:982:15 in gnutls_srp_client_fuzzer.log:SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior hello_ext.c:298:9 in gnutls_srp_client_fuzzer.log:SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior buffers.h:89:15 in gnutls_srp_client_fuzzer.log:SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior record.c:1773:47 in gnutls_srp_client_fuzzer.log:SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior buffers.h:89:15 in gnutls_srp_server_fuzzer.log:SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior buffers.h:96:15 in gnutls_srp_server_fuzzer.log:SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior rnd-fuzzer.c:122:10 in gnutls_srp_server_fuzzer.log:SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior handshake.c:2704:34 in gnutls_srp_server_fuzzer.log:SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior record.c:1173:61 in gnutls_srp_server_fuzzer.log:SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior buffers.c:982:15 in gnutls_srp_server_fuzzer.log:SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior num.h:60:12 in gnutls_srp_server_fuzzer.log:SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior hello_ext.c:298:9 in gnutls_srp_server_fuzzer.log:SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior kx.c:299:34 in gnutls_srp_server_fuzzer.log:SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior buffers.h:89:15 in gnutls_srp_server_fuzzer.log:SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior hello_ext.c:403:9 in gnutls_srp_server_fuzzer.log:SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior 
num.h:60:12 in gnutls_srp_server_fuzzer.log:SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior record.c:1773:47 in gnutls_srp_server_fuzzer.log:SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior buffers.h:89:15 in gnutls_srp_server_fuzzer.log:SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior record.c:1155:22 in gnutls_x509_verify_fuzzer.log:SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior verify.c:660:29 in ``` We should fix these and then set UBSAN_OPTIONS in the CI to abort on UB. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/878 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Dec 18 13:24:44 2019 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 18 Dec 2019 12:24:44 +0000 Subject: [gnutls-devel] GnuTLS | UB detected, but test suite stays silent (#878) In-Reply-To: References: Message-ID: Tim R?hsen commented: To reproduce: ``` export CC=clang export CFLAGS="-O1 -g -fno-omit-frame-pointer -gline-tables-only -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION -fsanitize=undefined,integer,nullability -fsanitize=address -fsanitize-address-use-after-scope -fsanitize-coverage=trace-pc-guard,trace-cmp" ./configure --disable-guile --enable-fuzzer-target --enable-static --disable-doc --disable-gcc-warnings --disable-hardware-acceleration make clean make cd fuzz make check grep Sani *.log ``` -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/878#note_262377518 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 18 Dec 2019 12:44:17 +0000
Subject: [gnutls-devel] GnuTLS | UB detected, but test suite stays silent (#878)

Nikos Mavrogiannopoulos commented:

Why doesn't the existing ubsan run print these out? Is clang sanitizer using a different standard it checks against definition?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/878#note_262387120

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 18 Dec 2019 13:42:51 +0000
Subject: [gnutls-devel] GnuTLS | UB detected, but test suite stays silent (#878)

Tim Rühsen commented:

Not sure about differences between gcc and clang here. By tendency, clang is more advanced than gcc regarding sanitizers (from what I read). But the main issue (IMO) is that UBSAN doesn't abort/error by default. Hmm, we already have -fno-sanitize-recover... Ah, we don't run the tests in `fuzz/` at all (runner asan.Fedora.x86_64).

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/878#note_262457263
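The thread's problem is that the sanitizer reports end up in the fuzz `*.log` files while `make check` still passes. The following shell functions are an added example (not GnuTLS's own code or the MR's CI change) that turn the `grep Sani *.log` step above into a check with a non-zero exit status, aggregated per source location so a site hit by several fuzzers is listed once; the sample log files it writes are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not GnuTLS code: fail a test run when any sanitizer SUMMARY
# line landed in the *.log files instead of relying on a manual grep later.
# The complementary runtime switch the issue asks for is
# UBSAN_OPTIONS=halt_on_error=1:print_stacktrace=1, which makes the sanitized
# binary itself exit non-zero on the first report.

# Print every sanitizer SUMMARY line found in $1/*.log, folded into
# "<count> <sanitizer>: <kind> <file:line:col>" and sorted by frequency.
# Returns 1 when at least one finding exists, 0 when the logs are clean.
ubsan_summaries() {
    logdir=$1
    findings=$(grep -h 'SUMMARY: [A-Za-z]*Sanitizer:' "$logdir"/*.log 2>/dev/null \
        | sed -e 's/^SUMMARY: //' -e 's/ in$//' \
        | sort | uniq -c | sort -rn)
    [ -n "$findings" ] || return 0
    printf '%s\n' "$findings"
    return 1
}

# Number of distinct findings in $1/*.log (0 for a clean run).
ubsan_finding_count() {
    ubsan_summaries "$1" | wc -l | tr -d ' '
}

# Constructed sample logs: two fuzzers trip the same location in num.h,
# one of them also trips buffers.h, and a third fuzzer is clean.
make_sample_logs() {
    mkdir -p "$1"
    cat > "$1/gnutls_client_fuzzer.log" <<'EOF'
PASS: gnutls_client_fuzzer
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior buffers.h:96:15 in
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior num.h:60:12 in
EOF
    cat > "$1/gnutls_server_fuzzer.log" <<'EOF'
PASS: gnutls_server_fuzzer
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior num.h:60:12 in
EOF
    printf 'PASS: gnutls_x509_parser_fuzzer\n' > "$1/gnutls_x509_parser_fuzzer.log"
}

# Stand-alone demonstration: the exit status is what a CI job would see.
if [ "${1:-}" = "--demo" ]; then
    demo=$(mktemp -d)
    make_sample_logs "$demo"
    ubsan_summaries "$demo"
    status=$?
    rm -rf "$demo"
    exit $status
fi
```

Run with `--demo` to see the two aggregated findings and a non-zero exit; in a CI job the same function would be called on the real `fuzz/` directory after `make check`.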
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 18 Dec 2019 13:47:38 +0000
Subject: [gnutls-devel] GnuTLS | Gnutls no longer accepts certificates whose notbefore field is a non-digits string (!1134)

llqll commented:

Yes, I have changed.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1134#note_262460158

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 18 Dec 2019 15:46:21 +0000
Subject: [gnutls-devel] GnuTLS | WIP: Fail tests if UB detected (!1135)

Tim Rühsen created a merge request: https://gitlab.com/gnutls/gnutls/merge_requests/1135

Project:Branches: rockdaboot/gnutls:tmp-check-fuzz to gnutls/gnutls:master
Author: Tim Rühsen

This MR is for squeezing out the detected UB. The UBSAN runner has been modified to run with clang 9 on Fedora 31 and also includes ASAN. Detected UB is now printed with a symbolized stack trace, to allow review / tracking directly from the CI artifacts (*.log files).

(In the end) it fixes #878.

## Checklist

* [ ] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [ ] Code modified for feature
* [ ] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
* [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:

* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1135

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 18 Dec 2019 15:48:27 +0000
Subject: [gnutls-devel] GnuTLS | WIP: Fail tests if UB detected (!1135)

Merge Request !1135 was closed by Tim Rühsen

Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/1135
Project:Branches: rockdaboot/gnutls:tmp-check-fuzz to gnutls/gnutls:master
Author: Tim Rühsen
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1135
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 18 Dec 2019 15:51:38 +0000
Subject: [gnutls-devel] GnuTLS | UBSAN: Fail tests if UB detected (!1136)

Tim Rühsen created a merge request: https://gitlab.com/gnutls/gnutls/merge_requests/1136

Branches: tmp-check-fuzz to master
Author: Tim Rühsen

This MR is for squeezing out the detected UB. The UBSAN runner has been modified to run with clang 9 on Fedora 31 and also includes ASAN. Detected UB is now printed with a symbolized stack trace, to allow review / tracking directly from the CI artifacts (*.log files).

(In the end) it fixes #878.

## Checklist

* [x] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [ ] Code modified for feature
* [ ] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
* [x] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:

* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1136
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 18 Dec 2019 16:05:23 +0000
Subject: [gnutls-devel] GnuTLS | UBSAN: Fail tests if UB detected (!1136)

Tim Rühsen pushed new commits to merge request !1136
https://gitlab.com/gnutls/gnutls/merge_requests/1136

* 30f70995 - UBSAN: Fail tests if UB detected

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1136

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 18 Dec 2019 18:37:00 +0000
Subject: [gnutls-devel] GnuTLS | UBSAN: Fail tests if UB detected (!1136)

Tim Rühsen pushed new commits to merge request !1136
https://gitlab.com/gnutls/gnutls/merge_requests/1136

* 82ef4419 - UBSAN: Fail tests if UB detected

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1136
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 18 Dec 2019 18:46:38 +0000
Subject: [gnutls-devel] GnuTLS | UBSAN: Fail tests if UB detected (!1136)

Tim Rühsen pushed new commits to merge request !1136
https://gitlab.com/gnutls/gnutls/merge_requests/1136

* 1665fdb4 - gnutls_x509_trust_list_add_cas: Fix implicit value change

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1136

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 18 Dec 2019 18:50:00 +0000
Subject: [gnutls-devel] GnuTLS | UBSAN: Fail tests if UB detected (!1136)

Tim Rühsen pushed new commits to merge request !1136
https://gitlab.com/gnutls/gnutls/merge_requests/1136

* d98b622d - gnutls_x509_trust_list_add_cas: Fix implicit value change [skip ci]

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1136
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 18 Dec 2019 20:01:51 +0000
Subject: [gnutls-devel] GnuTLS | UBSAN: Fail tests if UB detected (!1136)

Nikos Mavrogiannopoulos started a new discussion on .gitlab-ci.yml: https://gitlab.com/gnutls/gnutls/merge_requests/1136#note_262690946

> - LSAN_OPTIONS="suppressions=$(pwd)/devel/lsan.supp" make -C fuzz check -j$(nproc) GNUTLS_CPUID_OVERRIDE=0x8
> - CFLAGS="-fsanitize=address -g -O2" CXXFLAGS=$CFLAGS LDFLAGS="-static-libasan"
> dash ./configure --cache-file cache/config.cache --disable-doc --with-system-priority-file=/etc/crypto-policies/back-ends/gnutls.config --with-default-priority-string=@SYSTEM --with-default-trust-store-pkcs11="pkcs11:" --disable-guile
> + - make clean

That seems unrelated.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1136#note_262690946

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 18 Dec 2019 20:03:06 +0000
Subject: [gnutls-devel] GnuTLS | UBSAN: Fail tests if UB detected (!1136)

Nikos Mavrogiannopoulos started a new discussion on .gitlab-ci.yml: https://gitlab.com/gnutls/gnutls/merge_requests/1136#note_262691340

> stage: stage1-testing
> image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$FEDORA_BUILD
> script:
> + - dnf install -y llvm

I see you already added it in the build image.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1136#note_262691340
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 18 Dec 2019 20:07:16 +0000
Subject: [gnutls-devel] GnuTLS | UBSAN: Fail tests if UB detected (!1136)

Nikos Mavrogiannopoulos started a new discussion on .gitlab-ci.yml: https://gitlab.com/gnutls/gnutls/merge_requests/1136#note_262692558

> stage: stage1-testing
> image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$FEDORA_BUILD
> script:
> + - dnf install -y llvm
> - ./bootstrap
> - - CFLAGS="-std=c99 -fsanitize=undefined -fsanitize=bool -fsanitize=alignment -fsanitize=null -fsanitize=bounds-strict -fsanitize=enum -fno-sanitize-recover -g -O2" CXXFLAGS=$CFLAGS LDFLAGS="-static-libubsan" dash ./configure

That kind of completely changes the goal of this runner. This checks for C99 compliance and presence of no warnings (Werror) in addition to undefined sanitizer. If the problem was that we didn't run `make check` on the fuzz directory, I think let's fix this issue, and we can have separate runners with clang if we believe it is beneficial to do so.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1136#note_262692558
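Review bot: The removed configure line in this hunk is the one carrying `-fno-sanitize-recover`, the flag that turns a UBSAN report into a non-zero exit, and the replacement `+` line is not part of the quoted context, so it should be confirmed that the clang build keeps an equivalent (`-fno-sanitize-recover=all`, or `UBSAN_OPTIONS=halt_on_error=1` exported around the `make check` steps); otherwise the findings from #878 are still only printed into the *.log artifacts while the job succeeds, which is what this MR sets out to stop. The same line also drops `-std=c99` and `LDFLAGS="-static-libubsan"`, so the C99 check and the static sanitizer-runtime linking go away with it unless they are re-added elsewhere.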
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 18 Dec 2019 20:07:28 +0000
Subject: [gnutls-devel] GnuTLS | UBSAN: Fail tests if UB detected (!1136)

Nikos Mavrogiannopoulos commented on a discussion on .gitlab-ci.yml: https://gitlab.com/gnutls/gnutls/merge_requests/1136#note_262692623

> stage: stage1-testing
> image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$FEDORA_BUILD
> script:
> + - dnf install -y llvm
> - ./bootstrap
> - - CFLAGS="-std=c99 -fsanitize=undefined -fsanitize=bool -fsanitize=alignment -fsanitize=null -fsanitize=bounds-strict -fsanitize=enum -fno-sanitize-recover -g -O2" CXXFLAGS=$CFLAGS LDFLAGS="-static-libubsan" dash ./configure

I wouldn't like to give up on gcc.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1136#note_262692623

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 18 Dec 2019 20:12:03 +0000
Subject: [gnutls-devel] GnuTLS | Gnutls no longer accepts certificates whose notbefore field is a non-digits string (!1134)

Nikos Mavrogiannopoulos commented:

Thank you! Could you please use your real name in the commit message and add the Signoff-by tag (use `git commit -s`). That's necessary for including them: https://gitlab.com/gnutls/gnutls/blob/master/CONTRIBUTING.md#git-commits

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1134#note_262693939
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 18 Dec 2019 20:13:09 +0000
Subject: [gnutls-devel] GnuTLS | Gnutls no longer accepts certificates whose notbefore field is a non-digits string (!1134)

Nikos Mavrogiannopoulos commented:

Also you seem to have included some changes in the indentation (from tabs to 4-spaces) in the changed code.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1134#note_262694247

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 18 Dec 2019 20:19:38 +0000
Subject: [gnutls-devel] GnuTLS | UBSAN: Fail tests if UB detected (!1136)

Tim Rühsen commented on a discussion on .gitlab-ci.yml: https://gitlab.com/gnutls/gnutls/merge_requests/1136#note_262696162

> stage: stage1-testing
> image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$FEDORA_BUILD
> script:
> + - dnf install -y llvm

Yes, but the pipeline fails because Fedora 28 misses 'podman'.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1136#note_262696162
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 18 Dec 2019 20:26:05 +0000
Subject: [gnutls-devel] GnuTLS | UBSAN: Fail tests if UB detected (!1136)

Tim Rühsen commented on a discussion on .gitlab-ci.yml: https://gitlab.com/gnutls/gnutls/merge_requests/1136#note_262697969

> stage: stage1-testing
> image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$FEDORA_BUILD
> script:
> + - dnf install -y llvm
> - ./bootstrap
> - - CFLAGS="-std=c99 -fsanitize=undefined -fsanitize=bool -fsanitize=alignment -fsanitize=null -fsanitize=bounds-strict -fsanitize=enum -fno-sanitize-recover -g -O2" CXXFLAGS=$CFLAGS LDFLAGS="-static-libubsan" dash ./configure

OK. This MR is mostly about fixing the issues. I am not against gcc (the opposite is the case), but having gcc *and* clang gives us more confidence as both work slightly differently. So in the end, we can decide whether we add another runner or if we combine gcc and clang into one.

For this MR I will investigate the ASAN options of gcc in the next days. I did this a while ago and at that time clang was definitely superior regarding sanitizer checks. But these things change over time.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1136#note_262697969
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 18 Dec 2019 20:26:40 +0000
Subject: [gnutls-devel] GnuTLS | UBSAN: Fail tests if UB detected (!1136)

Nikos Mavrogiannopoulos commented on a discussion on .gitlab-ci.yml: https://gitlab.com/gnutls/gnutls/merge_requests/1136#note_262698121

> stage: stage1-testing
> image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$FEDORA_BUILD
> script:
> + - dnf install -y llvm

That shouldn't matter as the f31 image was uploaded.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1136#note_262698121

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 18 Dec 2019 20:28:49 +0000
Subject: [gnutls-devel] GnuTLS | UBSAN: Fail tests if UB detected (!1136)

Tim Rühsen commented on a discussion on .gitlab-ci.yml: https://gitlab.com/gnutls/gnutls/merge_requests/1136#note_262698637

> - LSAN_OPTIONS="suppressions=$(pwd)/devel/lsan.supp" make -C fuzz check -j$(nproc) GNUTLS_CPUID_OVERRIDE=0x8
> - CFLAGS="-fsanitize=address -g -O2" CXXFLAGS=$CFLAGS LDFLAGS="-static-libasan"
> dash ./configure --cache-file cache/config.cache --disable-doc --with-system-priority-file=/etc/crypto-policies/back-ends/gnutls.config --with-default-priority-string=@SYSTEM --with-default-trust-store-pkcs11="pkcs11:" --disable-guile
> + - make clean

Yes, sorry. It should definitely be added to have a clean build after a ./configure run, but not in this MR.
--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1136#note_262698637

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 18 Dec 2019 20:32:10 +0000
Subject: [gnutls-devel] build-images | build-img.sh: detect podman or docker (!26)

Nikos Mavrogiannopoulos created a merge request: https://gitlab.com/gnutls/build-images/merge_requests/26

Branches: tmp-detect-podman to master
Author: Nikos Mavrogiannopoulos

This allows building fedora 28.

Signed-off-by: Nikos Mavrogiannopoulos

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/build-images/merge_requests/26

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 18 Dec 2019 20:38:30 +0000
Subject: [gnutls-devel] GnuTLS | Add options to enable GOST by default/support different configuration sets (#879)

Dmitry Eremin-Solenikov created an issue: https://gitlab.com/gnutls/gnutls/issues/879

The following discussions from !1119 should be addressed:

- [ ] @nmav started a [discussion](https://gitlab.com/gnutls/gnutls/merge_requests/1119#note_243928311): (+17 comments)

> That's a part which I think is the most questionable in terms of policy. How can we have an implementation which supports GOST but enables it conditionally. For example debian or fedora may want to support GOST but not enable it by default (i.e., enable it via a crypto policy).
The reason is that this is a national standard, not widely accepted and enabling by default will trigger pushback to the whole effort of gost support.

For now GOST ciphersuites are going to be merged, but they have to be explicitly enabled on both server (this is more or less fine) and on client (and this ideally should be fixed) sides.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/879

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 18 Dec 2019 21:06:01 +0000
Subject: [gnutls-devel] GnuTLS | fuzzying: add GOST traces and certificates (#880)

Nikos Mavrogiannopoulos created an issue: https://gitlab.com/gnutls/gnutls/issues/880

We should ensure that the GOST part of the protocol implementation is fuzzed similarly [with the rest of the library](https://gnutls.gitlab.io/coverage/master-fuzz/). For that we should include traces and certificates/structures when necessary.

Potentially affected fuzzers:

- [ ] gnutls_x509_parser_fuzzer
- [ ] gnutls_server_fuzzer: Traces and keys
- [ ] gnutls_client_fuzzer: Traces
- [ ] gnutls_pkcs7_parser_fuzzer
- [ ] gnutls_pkcs8_key_parser_fuzzer

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/880
From gnutls-devel at lists.gnutls.org Wed Dec 18 22:15:01 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 18 Dec 2019 21:15:01 +0000
Subject: [gnutls-devel] build-images | build-img.sh: detect podman or docker (!26)

Merge Request !26 was merged

Merge Request url: https://gitlab.com/gnutls/build-images/merge_requests/26
Branches: tmp-detect-podman to master
Author: Nikos Mavrogiannopoulos
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/build-images/merge_requests/26

From gnutls-devel at lists.gnutls.org Wed Dec 18 23:25:35 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 18 Dec 2019 22:25:35 +0000
Subject: [gnutls-devel] GnuTLS | gnutls serv / gnutls_certificate_set_x509_key_file do not check certificate against policy (#881)

Dimitri John Ledkov created an issue: https://gitlab.com/gnutls/gnutls/issues/881

gnutls serv loads keyfile & cert, but doesn't bother to check if it should trust it or if it is acceptable as per policy. For example, one can start gnutls serv with 512 RSA keys in the cert chain, even if no sane client will trust to connect to it.

Some checks are performed e.g. gnutls_check_key_cert_match, but it should also check if the cert meets the minimum profile security standard w.r.t. algos / key sizes / hashes / etc. Such that, for example, daemons fail to start with bogus certs instead of waiting for clients to fail to establish a connection.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/881
From gnutls-devel at lists.gnutls.org Wed Dec 18 23:25:54 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 18 Dec 2019 22:25:54 +0000
Subject: [gnutls-devel] GnuTLS | Trusted CA certificates with keys that should have been rejected by the verification profile are accepted for TLS (#877)

Dimitri John Ledkov commented:

Opened https://gitlab.com/gnutls/gnutls/issues/881

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/877#note_262736971

From gnutls-devel at lists.gnutls.org Wed Dec 18 23:26:21 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 18 Dec 2019 22:26:21 +0000
Subject: [gnutls-devel] GnuTLS | Trusted CA certificates with keys that should have been rejected by the verification profile are accepted for TLS (#877)

Dimitri John Ledkov commented:

This issue is now public, for the second portion as described by you.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/877#note_262737096

From gnutls-devel at lists.gnutls.org Wed Dec 18 23:27:31 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 18 Dec 2019 22:27:31 +0000
Subject: [gnutls-devel] GnuTLS | gnutls serv / gnutls_certificate_set_x509_key_file do not check certificate against policy (#881)

Dimitri John Ledkov commented:

Not quite sure how this should be fixed, I guess actually not at _key_file but at certfile setting one already knows the key sizes?! even before the private key is loaded.
--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/881#note_262737396

From gnutls-devel at lists.gnutls.org Thu Dec 19 06:29:29 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 19 Dec 2019 05:29:29 +0000
Subject: [gnutls-devel] GnuTLS | Gnutls no longer accepts certificates whose notbefore field is a non-digits string (!1134)

llqll pushed new commits to merge request !1134
https://gitlab.com/gnutls/gnutls/merge_requests/1134

* 763b4dad - Signed-off-by: Lili Quan <13132239506 at 163.com>

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1134

From gnutls-devel at lists.gnutls.org Thu Dec 19 10:12:14 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 19 Dec 2019 09:12:14 +0000
Subject: [gnutls-devel] GnuTLS | gnutls-cli-debug: add GOST_CNT-related KX/cipher/MAC tests (!1137)

Dmitry Eremin-Solenikov created a merge request: https://gitlab.com/gnutls/gnutls/merge_requests/1137

Project:Branches: GostCrypt/gnutls:gost-split-4 to gnutls/gnutls:master
Author: Dmitry Eremin-Solenikov

Add a description of the new feature/bug fix. Reference any relevant bugs.
## Checklist

 * [x] Commits have `Signed-off-by:` with name/author being identical to the commit author
 * [x] Code modified for feature
 * [x] Test suite updated with functionality tests
 * [ ] Test suite updated with negative tests
 * [ ] Documentation updated / NEWS entry present (for non-trivial changes)
 * [x] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:

 * [ ] Any issues marked for closing are addressed
 * [ ] There is a test suite reasonably covering new functionality or modifications
 * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
 * [ ] This feature/change has adequate documentation added
 * [ ] No obvious mistakes in the code

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1137

From gnutls-devel at lists.gnutls.org Thu Dec 19 10:13:51 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 19 Dec 2019 09:13:51 +0000
Subject: [gnutls-devel] GnuTLS | Workaround for SChannel limitations (!1138)

Dmitry Eremin-Solenikov created a merge request: https://gitlab.com/gnutls/gnutls/merge_requests/1138

Project:Branches: GostCrypt/gnutls:gost-split-5 to gnutls/gnutls:master
Author: Dmitry Eremin-Solenikov

SChannel-based clients can not send GOST identifiers as a part of SignatureAlgorithms extension. To mitigate this forcefully enable GOST signature algorithms if client sends GOST ciphersuite.
## Checklist

 * [x] Commits have `Signed-off-by:` with name/author being identical to the commit author
 * [x] Code modified for feature
 * [x] Test suite updated with functionality tests
 * [ ] Test suite updated with negative tests
 * [ ] Documentation updated / NEWS entry present (for non-trivial changes)
 * [x] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:

 * [ ] Any issues marked for closing are addressed
 * [ ] There is a test suite reasonably covering new functionality or modifications
 * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
 * [ ] This feature/change has adequate documentation added
 * [ ] No obvious mistakes in the code

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1138

From gnutls-devel at lists.gnutls.org Thu Dec 19 10:21:00 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 19 Dec 2019 09:21:00 +0000
Subject: [gnutls-devel] GnuTLS | Add support for CNT_IMIT TLS 1.2 GOST cipher suite (!920)

Dmitry Eremin-Solenikov pushed new commits to merge request !920
https://gitlab.com/gnutls/gnutls/merge_requests/920

* 82cb8c63...8d81203c - 44 commits from branch `master`
* d625f003 - gnutls-cli-debug: add GOST_CNT-related KX/cipher/MAC tests
* 2cd08b34 - SignatureAlgorithms: force-enable GOST signatures for GOST KX
* 2183639f - tls12-server-kx-neg: add tests without GOST signature algorithms
* bab27911 - Add GOST values to cipher suites priorities

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/920
From gnutls-devel at lists.gnutls.org Thu Dec 19 10:28:37 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 19 Dec 2019 09:28:37 +0000
Subject: [gnutls-devel] GnuTLS | abi-check: fix include paths (!1139)

Dmitry Eremin-Solenikov created a merge request: https://gitlab.com/gnutls/gnutls/merge_requests/1139

Project:Branches: GostCrypt/gnutls:abi-fix to gnutls/gnutls:master
Author: Dmitry Eremin-Solenikov

Add a description of the new feature/bug fix. Reference any relevant bugs.

## Checklist

 * [x] Commits have `Signed-off-by:` with name/author being identical to the commit author
 * [x] Code modified for feature
 * [ ] Documentation updated / NEWS entry present (for non-trivial changes)
 * [x] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:

 * [ ] Any issues marked for closing are addressed
 * [ ] There is a test suite reasonably covering new functionality or modifications
 * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
 * [ ] This feature/change has adequate documentation added
 * [ ] No obvious mistakes in the code

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1139
From gnutls-devel at lists.gnutls.org Thu Dec 19 11:40:17 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 19 Dec 2019 10:40:17 +0000
Subject: [gnutls-devel] GnuTLS | abi-check: fix include paths (!1139)

Tim Rühsen started a new discussion on Makefile.am: https://gitlab.com/gnutls/gnutls/merge_requests/1139#note_262954608

>
> abi-check-latest: lib/libgnutls.la libdane/libgnutls-dane.la
> @echo "Checking whether the latest ABI dump matches"
> - @abidiff --suppressions $(ABIGNORE_FILE) lib/.libs/libgnutls.so $(LIBGNUTLS_ABI_LAST_FILE) --hd2 "$(srcdir)/lib/includes/gnutls/"; if test $$? != 0;then \
> + @abidiff --suppressions $(ABIGNORE_FILE) lib/.libs/libgnutls.so $(LIBGNUTLS_ABI_LAST_FILE) --hd2 "$(srcdir)/lib/includes/gnutls/" --hd2 lib/includes/gnutls/ ; if test $$? != 0;then \

Shouldn't this be `$(builddir)/lib/includes/gnutls/` ?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1139#note_262954608

From gnutls-devel at lists.gnutls.org Thu Dec 19 11:47:01 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 19 Dec 2019 10:47:01 +0000
Subject: [gnutls-devel] GnuTLS | abi-check: fix include paths (!1139)

Dmitry Eremin-Solenikov commented:

`$(builddir)` = `pwd` at this moment. I can change that for clarity though.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1139#note_262959066
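Review bot: in the Makefile.am hunk above, the second header directory added to the `+` line, `--hd2 lib/includes/gnutls/`, is a bare path relative to wherever make happens to run, while the first one is anchored on `$(srcdir)` and quoted; writing it as `--hd2 "$(builddir)/lib/includes/gnutls/"` makes the out-of-tree build intent explicit and keeps the two arguments consistent. A one-line comment above the rule saying why both the source and the build include directories are passed (generated headers live in the build tree) would spare the next reader the same question raised in this thread.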
From gnutls-devel at lists.gnutls.org Thu Dec 19 11:50:24 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 19 Dec 2019 10:50:24 +0000
Subject: [gnutls-devel] GnuTLS | abi-check: fix include paths (!1139)

Dmitry Eremin-Solenikov commented on a discussion on Makefile.am: https://gitlab.com/gnutls/gnutls/merge_requests/1139#note_262960807

>
> abi-check-latest: lib/libgnutls.la libdane/libgnutls-dane.la
> @echo "Checking whether the latest ABI dump matches"
> - @abidiff --suppressions $(ABIGNORE_FILE) lib/.libs/libgnutls.so $(LIBGNUTLS_ABI_LAST_FILE) --hd2 "$(srcdir)/lib/includes/gnutls/"; if test $$? != 0;then \
> + @abidiff --suppressions $(ABIGNORE_FILE) lib/.libs/libgnutls.so $(LIBGNUTLS_ABI_LAST_FILE) --hd2 "$(srcdir)/lib/includes/gnutls/" --hd2 lib/includes/gnutls/ ; if test $$? != 0;then \

`$(builddir)` is `pwd`. Each `Makefile` has `builddir = .` assignment. I can change this line for clarity though.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1139#note_262960807
From gnutls-devel at lists.gnutls.org Thu Dec 19 12:49:10 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 19 Dec 2019 11:49:10 +0000
Subject: [gnutls-devel] GnuTLS | UBSAN: Fail tests if UB detected (!1136)

Tim Rühsen pushed new commits to merge request !1136
https://gitlab.com/gnutls/gnutls/merge_requests/1136

* 8bba9a84 - UBSAN: Fail tests if UB detected
* c816b143 - gnutls_x509_trust_list_add_cas: Fix implicit value change [skip ci]
* 56b730de - handshake.c: Suppress warning in fuzzing build
* d4bc1996 - rnd-fuzzer.c: Suppress shift sanitization check
* 60a1f2f0 - status_request.c: Silence -Wsign-compare
* 2a62ab79 - certtool-cfg.c: Silence -Wunused-variable if HAVE_IPV6 not set
* a91decda - Fix 2x -Wunused-function in tests/
* de133a43 - Fix -Wtypedef-redefinition in tests/tls13/anti_replay.c

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1136

From gnutls-devel at lists.gnutls.org Thu Dec 19 12:54:07 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 19 Dec 2019 11:54:07 +0000
Subject: [gnutls-devel] GnuTLS | abi-check: fix include paths (!1139)

Tim Rühsen commented on a discussion on Makefile.am: https://gitlab.com/gnutls/gnutls/merge_requests/1139#note_263049839

>
> abi-check-latest: lib/libgnutls.la libdane/libgnutls-dane.la
> @echo "Checking whether the latest ABI dump matches"
> - @abidiff --suppressions $(ABIGNORE_FILE) lib/.libs/libgnutls.so $(LIBGNUTLS_ABI_LAST_FILE) --hd2 "$(srcdir)/lib/includes/gnutls/"; if test $$? != 0;then \
> + @abidiff --suppressions $(ABIGNORE_FILE) lib/.libs/libgnutls.so $(LIBGNUTLS_ABI_LAST_FILE) --hd2 "$(srcdir)/lib/includes/gnutls/" --hd2 lib/includes/gnutls/ ; if test $$? != 0;then \

When building in a (first-level) subdir, `builddir` is `..`. But yes, for clarification and to allow a non-brainer copy&paste, using `$(builddir)` would be good, IMO.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1139#note_263049839

From gnutls-devel at lists.gnutls.org Thu Dec 19 13:10:59 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 19 Dec 2019 12:10:59 +0000
Subject: [gnutls-devel] GnuTLS | UBSAN: Fail tests if UB detected (!1136)

Tim Rühsen pushed new commits to merge request !1136
https://gitlab.com/gnutls/gnutls/merge_requests/1136

* 7195b94f - UBSAN: Fail tests if UB detected
* b352662a - gnutls_x509_trust_list_add_cas: Fix implicit value change
* 4340d98d - handshake.c: Suppress warning in fuzzing build
* ae2dbc4f - rnd-fuzzer.c: Suppress shift sanitization check
* d284d373 - status_request.c: Silence -Wsign-compare
* 408d63fd - certtool-cfg.c: Silence -Wunused-variable if HAVE_IPV6 not set
* 40e83d5a - Fix 2x -Wunused-function in tests/
* b911bb50 - Fix -Wtypedef-redefinition in tests/tls13/anti_replay.c

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1136
From gnutls-devel at lists.gnutls.org Thu Dec 19 13:24:01 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 19 Dec 2019 12:24:01 +0000
Subject: [gnutls-devel] GnuTLS | UBSAN: Fail tests if UB detected (!1136)

Tim Rühsen pushed new commits to merge request !1136
https://gitlab.com/gnutls/gnutls/merge_requests/1136

* 04358e99 - UBSAN: Fail tests if UB detected
* 8524c62e - gnutls_x509_trust_list_add_cas: Fix implicit value change
* ec515563 - handshake.c: Suppress warning in fuzzing build
* 2a05c377 - rnd-fuzzer.c: Suppress shift sanitization check
* 404e875d - status_request.c: Silence -Wsign-compare
* ae0e4f8b - certtool-cfg.c: Silence -Wunused-variable if HAVE_IPV6 not set
* ff5beb33 - Fix 2x -Wunused-function in tests/
* 22fe6391 - Fix -Wtypedef-redefinition in tests/tls13/anti_replay.c [skip ci]

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1136
From gnutls-devel at lists.gnutls.org Thu Dec 19 13:24:13 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 19 Dec 2019 12:24:13 +0000
Subject: [gnutls-devel] GnuTLS | UBSAN: Fail tests if UB detected (!1136)

Tim Rühsen commented on a discussion on .gitlab-ci.yml: https://gitlab.com/gnutls/gnutls/merge_requests/1136#note_263074144

> - LSAN_OPTIONS="suppressions=$(pwd)/devel/lsan.supp" make -C fuzz check -j$(nproc) GNUTLS_CPUID_OVERRIDE=0x8
> - CFLAGS="-fsanitize=address -g -O2" CXXFLAGS=$CFLAGS LDFLAGS="-static-libasan"
> dash ./configure --cache-file cache/config.cache --disable-doc --with-system-priority-file=/etc/crypto-policies/back-ends/gnutls.config --with-default-priority-string=@SYSTEM --with-default-trust-store-pkcs11="pkcs11:" --disable-guile
> + - make clean

Reverted

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1136#note_263074144

From gnutls-devel at lists.gnutls.org Thu Dec 19 13:32:25 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 19 Dec 2019 12:32:25 +0000
Subject: [gnutls-devel] GnuTLS | UBSAN: Fail tests if UB detected (!1136)

Tim Rühsen commented on a discussion on .gitlab-ci.yml: https://gitlab.com/gnutls/gnutls/merge_requests/1136#note_263079179

> stage: stage1-testing
> image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$FEDORA_BUILD
> script:
> + - dnf install -y llvm
> - ./bootstrap
> - - CFLAGS="-std=c99 -fsanitize=undefined -fsanitize=bool -fsanitize=alignment -fsanitize=null -fsanitize=bounds-strict -fsanitize=enum -fno-sanitize-recover -g -O2" CXXFLAGS=$CFLAGS LDFLAGS="-static-libubsan" dash ./configure

We now have two combined sanitizer runners, one for clang the other one for gcc. Both runners check asan, ubsan, leak, ..., use `-std=c99` and `-Werror`.

There are still two sets of annoying warnings, `-Wno-enum-conversion` and `-Wno-parentheses`. The first one can possibly be addressed by explicit casts. The second one comes from sloppy programming in autogen. If nobody sends a patch upstream, we might sit on this forever.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1136#note_263079179

From gnutls-devel at lists.gnutls.org Thu Dec 19 13:32:25 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 19 Dec 2019 12:32:25 +0000
Subject: [gnutls-devel] GnuTLS | UBSAN: Fail tests if UB detected (!1136)

All discussions on Merge Request !1136 were resolved by Tim Rühsen

https://gitlab.com/gnutls/gnutls/merge_requests/1136

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1136

From gnutls-devel at lists.gnutls.org Thu Dec 19 13:56:33 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 19 Dec 2019 12:56:33 +0000
Subject: [gnutls-devel] GnuTLS | WIP: _gnutls_verify_crt_status: apply algorithm checks to trusted CAs and other cert improvements (!1140)

Nikos Mavrogiannopoulos created a merge request: https://gitlab.com/gnutls/gnutls/merge_requests/1140

Project:Branches: nmav/gnutls:tmp-check-same-certs to gnutls/gnutls:master
Author: Nikos Mavrogiannopoulos

If a CA is found in the trusted list, check in addition to time validity, whether the algorithms comply to the expected level.
This addresses the problem of accepting CAs which would have been marked as insecure otherwise.

## Checklist

 * [x] Commits have `Signed-off-by:` with name/author being identical to the commit author
 * [x] Code modified for feature
 * [x] Test suite updated with functionality tests
 * [ ] Test suite updated with negative tests
 * [ ] Documentation updated / NEWS entry present (for non-trivial changes)
 * [x] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:

 * [ ] Any issues marked for closing are addressed
 * [ ] There is a test suite reasonably covering new functionality or modifications
 * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
 * [ ] This feature/change has adequate documentation added
 * [ ] No obvious mistakes in the code

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1140

From gnutls-devel at lists.gnutls.org Thu Dec 19 14:16:21 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 19 Dec 2019 13:16:21 +0000
Subject: [gnutls-devel] GnuTLS | WIP: _gnutls_verify_crt_status: apply algorithm checks to trusted CAs and other cert improvements (!1140)

Nikos Mavrogiannopoulos pushed new commits to merge request !1140
https://gitlab.com/gnutls/gnutls/merge_requests/1140

* c35744ae - _gnutls_verify_crt_status: apply algorithm checks to trusted CAs

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1140
From gnutls-devel at lists.gnutls.org Thu Dec 19 14:18:03 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 19 Dec 2019 13:18:03 +0000
Subject: [gnutls-devel] GnuTLS | WIP: _gnutls_verify_crt_status: apply algorithm checks to trusted CAs and other cert improvements (!1140)

Nikos Mavrogiannopoulos pushed new commits to merge request !1140
https://gitlab.com/gnutls/gnutls/merge_requests/1140

* bac4978c - _gnutls_verify_crt_status: apply algorithm checks to trusted CAs

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1140

From gnutls-devel at lists.gnutls.org Thu Dec 19 14:31:54 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 19 Dec 2019 13:31:54 +0000
Subject: [gnutls-devel] GnuTLS | abi-check: fix include paths (!1139)

Dmitry Eremin-Solenikov pushed new commits to merge request !1139
https://gitlab.com/gnutls/gnutls/merge_requests/1139

* 728a34bd - abi-check: fix include paths

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1139
From gnutls-devel at lists.gnutls.org Thu Dec 19 14:34:47 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 19 Dec 2019 13:34:47 +0000
Subject: [gnutls-devel] GnuTLS | abi-check: fix include paths (!1139)

Dmitry Eremin-Solenikov commented on a discussion on Makefile.am: https://gitlab.com/gnutls/gnutls/merge_requests/1139#note_263126267

>
> abi-check-latest: lib/libgnutls.la libdane/libgnutls-dane.la
> @echo "Checking whether the latest ABI dump matches"
> - @abidiff --suppressions $(ABIGNORE_FILE) lib/.libs/libgnutls.so $(LIBGNUTLS_ABI_LAST_FILE) --hd2 "$(srcdir)/lib/includes/gnutls/"; if test $$? != 0;then \
> + @abidiff --suppressions $(ABIGNORE_FILE) lib/.libs/libgnutls.so $(LIBGNUTLS_ABI_LAST_FILE) --hd2 "$(srcdir)/lib/includes/gnutls/" --hd2 lib/includes/gnutls/ ; if test $$? != 0;then \

No, `top_builddir` would be `..`, `builddir` will still be just `.`. I've changed this piece of code anyway.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1139#note_263126267
From gnutls-devel at lists.gnutls.org Thu Dec 19 14:52:45 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 19 Dec 2019 13:52:45 +0000
Subject: [gnutls-devel] GnuTLS | WIP: _gnutls_verify_crt_status: apply algorithm checks to trusted CAs and other cert improvements (!1140)

Nikos Mavrogiannopoulos pushed new commits to merge request !1140
https://gitlab.com/gnutls/gnutls/merge_requests/1140

* c5b5f7cb - certtool: apply the medium certificate verification profile by default
* 49482286 - _gnutls_verify_crt_status: apply algorithm checks to trusted CAs

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1140

From gnutls-devel at lists.gnutls.org Thu Dec 19 14:56:55 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 19 Dec 2019 13:56:55 +0000
Subject: [gnutls-devel] GnuTLS | RFC: _gnutls_verify_crt_status: apply algorithm checks to trusted CAs and other cert improvements (!1140)

Milestone changed to Release of GnuTLS 3.6.12 (Dec 1, 2019–Feb 1, 2020) ( https://gitlab.com/gnutls/gnutls/-/milestones/26 )

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1140
From gnutls-devel at lists.gnutls.org Thu Dec 19 14:57:09 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 19 Dec 2019 13:57:09 +0000
Subject: [gnutls-devel] GnuTLS | Trusted CA certificates with keys that should have been rejected by the verification profile are accepted for TLS (#877)

Reassigned Issue 877

https://gitlab.com/gnutls/gnutls/issues/877

Assignee changed to Nikos Mavrogiannopoulos

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/877

From gnutls-devel at lists.gnutls.org Thu Dec 19 15:38:20 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 19 Dec 2019 14:38:20 +0000
Subject: [gnutls-devel] GnuTLS | RFC: _gnutls_verify_crt_status: apply algorithm checks to trusted CAs and other cert improvements (!1140)

Nikos Mavrogiannopoulos pushed new commits to merge request !1140
https://gitlab.com/gnutls/gnutls/merge_requests/1140

* a019d406 - Export profile ID/name handling functions
* 0fa03bab - certtool: added option to apply a certificate verification profile
* 1e3fbcce - _gnutls_verify_crt_status: apply algorithm checks to trusted CAs

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1140
From gnutls-devel at lists.gnutls.org Thu Dec 19 16:09:54 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 19 Dec 2019 15:09:54 +0000
Subject: [gnutls-devel] GnuTLS | _gnutls_verify_crt_status: apply algorithm checks to trusted CAs and other cert improvements (!1140)

Tim Rühsen started a new discussion on lib/profiles.c: https://gitlab.com/gnutls/gnutls/merge_requests/1140#note_263191890

> }
> +
> +/**
> + * gnutls_certificate_verification_profile_get_name:
> + * @algorithm: is a MAC algorithm
> + *
> + * Convert a #gnutls_certificate_verification_profiles_t value to a string.
> + *
> + * Returns: a string that contains the name of the specified profile or %NULL.
> + **/
> +const char *
> + gnutls_certificate_verification_profile_get_name(gnutls_certificate_verification_profiles_t id)
> +{
> + const gnutls_profile_entry *p;
> +
> + for(p = profiles; p->name != NULL; p++) {

space after 'for' ?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1140#note_263191890

From gnutls-devel at lists.gnutls.org Thu Dec 19 16:19:21 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 19 Dec 2019 15:19:21 +0000
Subject: [gnutls-devel] GnuTLS | _gnutls_verify_crt_status: apply algorithm checks to trusted CAs and other cert improvements (!1140)

Tim Rühsen started a new discussion on lib/x509/verify.c: https://gitlab.com/gnutls/gnutls/merge_requests/1140#note_263197759

> +unsigned check_ca_sanity(const gnutls_x509_crt_t issuer,
> + time_t now, unsigned int flags)
> +{
> + unsigned int status = 0;
> + unsigned sigalg;
> + int ret;
> +
> + /* explicit time check for trusted CA that we remove from
> + * list. GNUTLS_VERIFY_DISABLE_TRUSTED_TIME_CHECKS
> + */
> + if (!(flags & GNUTLS_VERIFY_DISABLE_TRUSTED_TIME_CHECKS) &&
> + !(flags & GNUTLS_VERIFY_DISABLE_TIME_CHECKS)) {
> + status |= check_time_status(issuer, now);
> + }
> +
> + ret =

why not use `sigalg` directly here and remove `ret` ?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1140#note_263197759

From gnutls-devel at lists.gnutls.org Thu Dec 19 16:20:58 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 19 Dec 2019 15:20:58 +0000
Subject: [gnutls-devel] GnuTLS | _gnutls_verify_crt_status: apply algorithm checks to trusted CAs and other cert improvements (!1140)

Nikos Mavrogiannopoulos pushed new commits to merge request !1140
https://gitlab.com/gnutls/gnutls/merge_requests/1140

* 9f1de014 - Export profile ID/name handling functions
* be136ecb - certtool: added option to apply a certificate verification profile
* d5257463 - _gnutls_verify_crt_status: apply algorithm checks to trusted CAs

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1140
From gnutls-devel at lists.gnutls.org Thu Dec 19 16:22:58 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 19 Dec 2019 15:22:58 +0000
Subject: [gnutls-devel] GnuTLS | _gnutls_verify_crt_status: apply algorithm checks to trusted CAs and other cert improvements (!1140)

Nikos Mavrogiannopoulos pushed new commits to merge request !1140
https://gitlab.com/gnutls/gnutls/merge_requests/1140

* 57bb83e1 - certtool: added option to apply a certificate verification profile
* f78b7bc7 - _gnutls_verify_crt_status: apply algorithm checks to trusted CAs

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1140

From gnutls-devel at lists.gnutls.org Thu Dec 19 16:44:39 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 19 Dec 2019 15:44:39 +0000
Subject: [gnutls-devel] GnuTLS | _gnutls_verify_crt_status: apply algorithm checks to trusted CAs and other cert improvements (!1140)

Nikos Mavrogiannopoulos commented on a discussion on lib/x509/verify.c: https://gitlab.com/gnutls/gnutls/merge_requests/1140#note_263212648

> +unsigned check_ca_sanity(const gnutls_x509_crt_t issuer, > + time_t now, unsigned int flags) > +{ > + unsigned int status = 0; > + unsigned sigalg; > + int ret; > + > + /* explicit time check for trusted CA that we remove from > + * list. GNUTLS_VERIFY_DISABLE_TRUSTED_TIME_CHECKS > + */ > + if (!(flags & GNUTLS_VERIFY_DISABLE_TRUSTED_TIME_CHECKS) && > + !(flags & GNUTLS_VERIFY_DISABLE_TIME_CHECKS)) { > + status |= check_time_status(issuer, now); > + } > + > + ret =

That was to avoid commenting on the code. These casts can be lost when restructuring the code (I have at least once messed something up).

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1140#note_263212648

From gnutls-devel at lists.gnutls.org Thu Dec 19 16:45:36 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 19 Dec 2019 15:45:36 +0000
Subject: [gnutls-devel] GnuTLS | _gnutls_verify_crt_status: apply algorithm checks to trusted CAs and other cert improvements (!1140)

Nikos Mavrogiannopoulos pushed new commits to merge request !1140
https://gitlab.com/gnutls/gnutls/merge_requests/1140

* cf5bf721...8d81203c - 11 commits from branch `master`
* 065355fd - is_level_acceptable: use the system-wide profile if none is set
* cc1ea48a - Export profile ID/name handling functions
* 3d984a47 - certtool: added option to apply a certificate verification profile
* b8378354 - _gnutls_verify_crt_status: apply algorithm checks to trusted CAs

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1140
From gnutls-devel at lists.gnutls.org Thu Dec 19 16:45:57 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 19 Dec 2019 15:45:57 +0000
Subject: [gnutls-devel] GnuTLS | _gnutls_verify_crt_status: apply algorithm checks to trusted CAs and other cert improvements (!1140)

Nikos Mavrogiannopoulos commented on a discussion on lib/profiles.c: https://gitlab.com/gnutls/gnutls/merge_requests/1140#note_263213587

> } > + > +/** > + * gnutls_certificate_verification_profile_get_name: > + * @algorithm: is a MAC algorithm > + * > + * Convert a #gnutls_certificate_verification_profiles_t value to a string. > + * > + * Returns: a string that contains the name of the specified profile or %NULL. > + **/ > +const char * > + gnutls_certificate_verification_profile_get_name(gnutls_certificate_verification_profiles_t id) > +{ > + const gnutls_profile_entry *p; > + > + for(p = profiles; p->name != NULL; p++) {

Thanks, fixed.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1140#note_263213587

From gnutls-devel at lists.gnutls.org Thu Dec 19 16:57:22 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 19 Dec 2019 15:57:22 +0000
Subject: [gnutls-devel] GnuTLS | _gnutls_verify_crt_status: apply algorithm checks to trusted CAs and other cert improvements (!1140)

All discussions on Merge Request !1140 were resolved by Tim Rühsen
https://gitlab.com/gnutls/gnutls/merge_requests/1140

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1140
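Review bot: the gtk-doc comment on gnutls_certificate_verification_profile_get_name in the lib/profiles.c hunk documents a parameter `@algorithm: is a MAC algorithm` that the function does not have; its only parameter is `id`, a gnutls_certificate_verification_profiles_t, and since the function is being exported this text ends up in the public API reference. Suggest `@id: is a certificate verification profile`. Two smaller style points in the same lines: the continuation line of the signature has a stray leading space before the function name, and `for(p = profiles; ...)` is missing the space after `for` (as already noted in the thread).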
From gnutls-devel at lists.gnutls.org Thu Dec 19 16:57:22 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 19 Dec 2019 15:57:22 +0000
Subject: [gnutls-devel] GnuTLS | _gnutls_verify_crt_status: apply algorithm checks to trusted CAs and other cert improvements (!1140)

Tim Rühsen commented on a discussion on lib/x509/verify.c: https://gitlab.com/gnutls/gnutls/merge_requests/1140#note_263219693

> +unsigned check_ca_sanity(const gnutls_x509_crt_t issuer, > + time_t now, unsigned int flags) > +{ > + unsigned int status = 0; > + unsigned sigalg; > + int ret; > + > + /* explicit time check for trusted CA that we remove from > + * list. GNUTLS_VERIFY_DISABLE_TRUSTED_TIME_CHECKS > + */ > + if (!(flags & GNUTLS_VERIFY_DISABLE_TRUSTED_TIME_CHECKS) && > + !(flags & GNUTLS_VERIFY_DISABLE_TIME_CHECKS)) { > + status |= check_time_status(issuer, now); > + } > + > + ret =

Hm, that's the caveat when the return value has two meanings (status and algorithm). For non-trivial functions it might be better (readable/maintainable) to just return error and add an output param (gnutls_sign_algorithm_t *sigalg) (talking about `_gnutls_x509_get_signature_algorithm`). But this shouldn't be a blocker for now.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1140#note_263219693
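Review bot: the comment introducing the time check in check_ca_sanity is a fragment ('explicit time check for trusted CA that we remove from list. GNUTLS_VERIFY_DISABLE_TRUSTED_TIME_CHECKS') and does not say what the condition below it does: the check runs only when neither GNUTLS_VERIFY_DISABLE_TRUSTED_TIME_CHECKS nor GNUTLS_VERIFY_DISABLE_TIME_CHECKS is set, so the general flag silences the trusted-CA check too. Suggest stating that plainly, e.g. `/* trusted CAs get an explicit time check here; either disable flag skips it */`. Since check_ca_sanity is non-static and has no doc comment, also document that the return value is a bitmask of verification status bits (which the `status |= check_time_status(issuer, now)` accumulation implies), and with `unsigned sigalg` sitting next to `int ret`, make sure the `ret < 0` branch is taken before anything is stored into `sigalg`, so a negative error code is never read back as an algorithm ID.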
From gnutls-devel at lists.gnutls.org Thu Dec 19 16:57:50 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 19 Dec 2019 15:57:50 +0000
Subject: [gnutls-devel] GnuTLS | _gnutls_verify_crt_status: apply algorithm checks to trusted CAs and other cert improvements (!1140)

Merge Request !1140 was approved by Tim Rühsen
Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/1140
Project:Branches: nmav/gnutls:tmp-check-same-certs to gnutls/gnutls:master
Author: Nikos Mavrogiannopoulos
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1140

From gnutls-devel at lists.gnutls.org Thu Dec 19 17:11:12 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 19 Dec 2019 16:11:12 +0000
Subject: [gnutls-devel] GnuTLS | Gnutls no longer accepts certificates whose notbefore field is a non-digits string (!1134)

Nikos Mavrogiannopoulos commented:

Thank you. I do not know why the commit check fails but it may be because there are various commits. Could you merge all commits into a single one and force push on this repo?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1134#note_263226855
From gnutls-devel at lists.gnutls.org Thu Dec 19 17:11:51 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 19 Dec 2019 16:11:51 +0000
Subject: [gnutls-devel] GnuTLS | Gnutls no longer accepts certificates whose notbefore field is a non-digits string (!1134)

Nikos Mavrogiannopoulos commented:

Or let me restructure it a little.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1134#note_263227175

From gnutls-devel at lists.gnutls.org Thu Dec 19 17:22:08 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 19 Dec 2019 16:22:08 +0000
Subject: [gnutls-devel] GnuTLS | Gnutls no longer accepts certificates whose notbefore field is a non-digits string (!1134)

Nikos Mavrogiannopoulos commented:

I've merged everything in a single commit at: https://gitlab.com/nmav/gnutls/pipelines/104411100

When CI passes I'll merge it.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1134#note_263235286
From gnutls-devel at lists.gnutls.org Thu Dec 19 19:58:16 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 19 Dec 2019 18:58:16 +0000
Subject: [gnutls-devel] GnuTLS | Gnutls3.6.7 accepts a certificate whose notbefore field is a non-digits string while openssl rejects such certificates (#870)

Issue was closed by llqll via commit 3cbeffcb7d4a70858b1c46fe955516b9eab0ef8e
Issue #870: https://gitlab.com/gnutls/gnutls/issues/870

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/870

From gnutls-devel at lists.gnutls.org Thu Dec 19 19:58:39 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 19 Dec 2019 18:58:39 +0000
Subject: [gnutls-devel] GnuTLS | Gnutls no longer accepts certificates whose notbefore field is a non-digits string (!1134)

Merge Request !1134 was closed by Nikos Mavrogiannopoulos
Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/1134
Project:Branches: llqll/gnutls:issue-870 to gnutls/gnutls:master
Author: llqll
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1134

From gnutls-devel at lists.gnutls.org Thu Dec 19 19:58:38 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 19 Dec 2019 18:58:38 +0000
Subject: [gnutls-devel] GnuTLS | Gnutls no longer accepts certificates whose notbefore field is a non-digits string (!1134)

Nikos Mavrogiannopoulos commented:

Thank you! Merged manually.
--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1134#note_263297982

From gnutls-devel at lists.gnutls.org Thu Dec 19 20:29:25 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 19 Dec 2019 19:29:25 +0000
Subject: [gnutls-devel] GnuTLS | _gnutls_verify_crt_status: apply algorithm checks to trusted CAs and other cert improvements (!1140)

Nikos Mavrogiannopoulos pushed new commits to merge request !1140
https://gitlab.com/gnutls/gnutls/merge_requests/1140

* 3cbeffcb - 1 commit from branch `master`
* 321a017f - is_level_acceptable: apply the system-wide profile in all verifications
* 9c3d0063 - Export profile ID/name handling functions
* 88b3fb29 - certtool: added option to apply a certificate verification profile
* 1abb4298 - _gnutls_verify_crt_status: apply algorithm checks to trusted CAs
* fa502cf3 - updated auto-generated files

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1140

From gnutls-devel at lists.gnutls.org Thu Dec 19 20:30:59 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 19 Dec 2019 19:30:59 +0000
Subject: [gnutls-devel] GnuTLS | _gnutls_verify_crt_status: apply algorithm checks to trusted CAs and other cert improvements (!1140)

Nikos Mavrogiannopoulos commented:

Thank you @rockdaboot. I've rebased and added auto-generated files, but after some thought I've changed the semantics of the first patch. Instead of applying the minimum value when no value is set, it is always applying it as minimum. Let me know if that's ok with you.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1140#note_263309169

From gnutls-devel at lists.gnutls.org Thu Dec 19 20:32:28 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 19 Dec 2019 19:32:28 +0000
Subject: [gnutls-devel] GnuTLS | doc: update reference to the default configuration file (!1132)

Nikos Mavrogiannopoulos commented:

Merged manually.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1132#note_263309796

From gnutls-devel at lists.gnutls.org Thu Dec 19 20:32:28 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 19 Dec 2019 19:32:28 +0000
Subject: [gnutls-devel] GnuTLS | doc: update reference to the default configuration file (!1132)

Merge Request !1132 was closed by Nikos Mavrogiannopoulos
Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/1132
Project:Branches: xnox/gnutls:fix-docs to gnutls/gnutls:master
Author: Dimitri John Ledkov
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1132
From gnutls-devel at lists.gnutls.org Thu Dec 19 20:41:50 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 19 Dec 2019 19:41:50 +0000
Subject: [gnutls-devel] GnuTLS | gnutls-cli-debug: add GOST_CNT-related KX/cipher/MAC tests (!1137)

Nikos Mavrogiannopoulos started a new discussion on src/tests.c: https://gitlab.com/gnutls/gnutls/merge_requests/1137#note_263313000

> { > const char *err; > int ret = gnutls_priority_set_direct(session, str, &err); > + //fprintf(stderr, "Setting priority to '%s'\n", str);

That seems like a leftover.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1137#note_263313000

From gnutls-devel at lists.gnutls.org Thu Dec 19 20:42:38 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 19 Dec 2019 19:42:38 +0000
Subject: [gnutls-devel] GnuTLS | gnutls-cli-debug: add GOST_CNT-related KX/cipher/MAC tests (!1137)

Nikos Mavrogiannopoulos started a new discussion on src/tests.c: https://gitlab.com/gnutls/gnutls/merge_requests/1137#note_263313332

> return ret; > } > > +#ifdef ENABLE_GOST > +test_code_t test_vko_gost_12(gnutls_session_t session) > +{ > + int ret; > + > + if (tls_ext_ok == 0) > + return TEST_IGNORE; > + > + sprintf(prio_str, INIT_STR > + ALL_CIPHERS ":" ALL_COMP ":%s:" ALL_MACS > + ":+VKO-GOST-12:+CURVE-ALL:%s", protocol_all_str,

Is CURVE-ALL intentional? Wouldn't CURVE-GOST-ALL fit better?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1137#note_263313332
From gnutls-devel at lists.gnutls.org Thu Dec 19 20:43:50 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 19 Dec 2019 19:43:50 +0000
Subject: [gnutls-devel] GnuTLS | gnutls-cli-debug: add GOST_CNT-related KX/cipher/MAC tests (!1137)

Merge Request !1137 was approved by Nikos Mavrogiannopoulos
Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/1137
Project:Branches: GostCrypt/gnutls:gost-split-4 to gnutls/gnutls:master
Author: Dmitry Eremin-Solenikov
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1137

From gnutls-devel at lists.gnutls.org Thu Dec 19 20:44:00 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 19 Dec 2019 19:44:00 +0000
Subject: [gnutls-devel] GnuTLS | gnutls-cli-debug: add GOST_CNT-related KX/cipher/MAC tests (!1137)

Nikos Mavrogiannopoulos commented:

Other than the comments, LGTM.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1137#note_263314087
From gnutls-devel at lists.gnutls.org Thu Dec 19 23:46:16 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 19 Dec 2019 22:46:16 +0000
Subject: [gnutls-devel] GnuTLS | gnutls-cli-debug: add GOST_CNT-related KX/cipher/MAC tests (!1137)

Dmitry Eremin-Solenikov pushed new commits to merge request !1137
https://gitlab.com/gnutls/gnutls/merge_requests/1137

* 2a6e8708 - gnutls-cli-debug: add GOST_CNT-related KX/cipher/MAC tests

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1137

From gnutls-devel at lists.gnutls.org Thu Dec 19 23:46:27 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 19 Dec 2019 22:46:27 +0000
Subject: [gnutls-devel] GnuTLS | gnutls-cli-debug: add GOST_CNT-related KX/cipher/MAC tests (!1137)

Dmitry Eremin-Solenikov commented on a discussion on src/tests.c: https://gitlab.com/gnutls/gnutls/merge_requests/1137#note_263362614

> { > const char *err; > int ret = gnutls_priority_set_direct(session, str, &err); > + //fprintf(stderr, "Setting priority to '%s'\n", str);

Removed.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1137#note_263362614
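Review bot: the commented-out `//fprintf(stderr, "Setting priority to '%s'\n", str);` in the src/tests.c hunk is dead code and should be dropped rather than shipped disabled (it is also a `//` comment in a file that otherwise uses C-style block comments, judging by the quoted lines). If seeing the assembled priority string is useful when a test is skipped or fails, print it on the error path together with `err`, which gnutls_priority_set_direct points at the token it rejected, instead of keeping an unconditional trace that has to be toggled by editing the source.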
From gnutls-devel at lists.gnutls.org Thu Dec 19 23:53:47 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 19 Dec 2019 22:53:47 +0000
Subject: [gnutls-devel] GnuTLS | gnutls-cli-debug: add GOST_CNT-related KX/cipher/MAC tests (!1137)

All discussions on Merge Request !1137 were resolved by Dmitry Eremin-Solenikov
https://gitlab.com/gnutls/gnutls/merge_requests/1137

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1137

From gnutls-devel at lists.gnutls.org Thu Dec 19 23:53:48 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 19 Dec 2019 22:53:48 +0000
Subject: [gnutls-devel] GnuTLS | gnutls-cli-debug: add GOST_CNT-related KX/cipher/MAC tests (!1137)

Dmitry Eremin-Solenikov commented on a discussion on src/tests.c: https://gitlab.com/gnutls/gnutls/merge_requests/1137#note_263363989

> return ret; > } > > +#ifdef ENABLE_GOST > +test_code_t test_vko_gost_12(gnutls_session_t session) > +{ > + int ret; > + > + if (tls_ext_ok == 0) > + return TEST_IGNORE; > + > + sprintf(prio_str, INIT_STR > + ALL_CIPHERS ":" ALL_COMP ":%s:" ALL_MACS > + ":+VKO-GOST-12:+CURVE-ALL:%s", protocol_all_str,

Dropped this altogether, as `rest` will already contain `GROUP-GOST-ALL`.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1137#note_263363989
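Review bot: the `sprintf(prio_str, INIT_STR ALL_CIPHERS ":" ALL_COMP ":%s:" ALL_MACS ":+VKO-GOST-12:+CURVE-ALL:%s", protocol_all_str, ...)` in test_vko_gost_12 writes into `prio_str` with no length bound; the format is assembled from several macros plus two runtime strings, so an `snprintf` with the buffer's size (or a checked length) is cheap insurance against `prio_str` being overrun as more tokens are appended to these test strings. The `#ifdef ENABLE_GOST` opened in this hunk needs its matching `#endif` after the last GOST test; it falls outside the quoted lines, so it is worth confirming in the full diff.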
From gnutls-devel at lists.gnutls.org Fri Dec 20 01:04:41 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 20 Dec 2019 00:04:41 +0000
Subject: [gnutls-devel] GnuTLS | gnutls-cli-debug: add GOST_CNT-related KX/cipher/MAC tests (!1137)

Merge Request !1137 was merged
Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/1137
Project:Branches: GostCrypt/gnutls:gost-split-4 to gnutls/gnutls:master
Author: Dmitry Eremin-Solenikov
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1137

From gnutls-devel at lists.gnutls.org Fri Dec 20 06:25:22 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 20 Dec 2019 05:25:22 +0000
Subject: [gnutls-devel] GnuTLS | Gnutls no longer accepts certificates whose notbefore field is a non-digits string (!1134)

llqll commented:

thank you very much!

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1134#note_263445079

From gnutls-devel at lists.gnutls.org Fri Dec 20 10:18:32 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 20 Dec 2019 09:18:32 +0000
Subject: [gnutls-devel] GnuTLS | _gnutls_verify_crt_status: apply algorithm checks to trusted CAs and other cert improvements (!1140)

Tim Rühsen commented:

If that is ok or not is a matter of policy. As I understand it, you can't set/use a profile that is less secure than the system profile (also not sure what UNKNOWN means in this context). That's good for most users, but might need special care taken by testers and/or developers (they eventually have to change system policy).

LGTM.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1140#note_263533853

From gnutls-devel at lists.gnutls.org Fri Dec 20 10:35:24 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 20 Dec 2019 09:35:24 +0000
Subject: [gnutls-devel] GnuTLS | abi-check: fix include paths (!1139)

Tim Rühsen commented on a discussion on Makefile.am: https://gitlab.com/gnutls/gnutls/merge_requests/1139#note_263549758

> > abi-check-latest: lib/libgnutls.la libdane/libgnutls-dane.la > @echo "Checking whether the latest ABI dump matches" > - @abidiff --suppressions $(ABIGNORE_FILE) lib/.libs/libgnutls.so $(LIBGNUTLS_ABI_LAST_FILE) --hd2 "$(srcdir)/lib/includes/gnutls/"; if test $$? != 0;then \ > + @abidiff --suppressions $(ABIGNORE_FILE) lib/.libs/libgnutls.so $(LIBGNUTLS_ABI_LAST_FILE) --hd2 "$(srcdir)/lib/includes/gnutls/" --hd2 lib/includes/gnutls/ ; if test $$? != 0;then \

My bad, you are right regarding `top_builddir` and `builddir`. So do you think we can remove all occurrences of `$(builddir)/` in `Makefile.am` ?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1139#note_263549758
From gnutls-devel at lists.gnutls.org Fri Dec 20 10:35:24 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 20 Dec 2019 09:35:24 +0000
Subject: [gnutls-devel] GnuTLS | abi-check: fix include paths (!1139)

All discussions on Merge Request !1139 were resolved by Tim Rühsen
https://gitlab.com/gnutls/gnutls/merge_requests/1139

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1139

From gnutls-devel at lists.gnutls.org Fri Dec 20 10:36:07 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 20 Dec 2019 09:36:07 +0000
Subject: [gnutls-devel] GnuTLS | abi-check: fix include paths (!1139)

Merge Request !1139 was approved by Tim Rühsen
Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/1139
Project:Branches: GostCrypt/gnutls:abi-fix to gnutls/gnutls:master
Author: Dmitry Eremin-Solenikov
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1139
From gnutls-devel at lists.gnutls.org Fri Dec 20 11:07:30 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 20 Dec 2019 10:07:30 +0000
Subject: [gnutls-devel] GnuTLS | abi-check: fix include paths (!1139)

Dmitry Eremin-Solenikov commented on a discussion on Makefile.am: https://gitlab.com/gnutls/gnutls/merge_requests/1139#note_263566216

> > abi-check-latest: lib/libgnutls.la libdane/libgnutls-dane.la > @echo "Checking whether the latest ABI dump matches" > - @abidiff --suppressions $(ABIGNORE_FILE) lib/.libs/libgnutls.so $(LIBGNUTLS_ABI_LAST_FILE) --hd2 "$(srcdir)/lib/includes/gnutls/"; if test $$? != 0;then \ > + @abidiff --suppressions $(ABIGNORE_FILE) lib/.libs/libgnutls.so $(LIBGNUTLS_ABI_LAST_FILE) --hd2 "$(srcdir)/lib/includes/gnutls/" --hd2 lib/includes/gnutls/ ; if test $$? != 0;then \

@rockdaboot We can, but probably we should not. There is no reason to remove them.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1139#note_263566216
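Review bot: the added second `--hd2 lib/includes/gnutls/` in the abi-check-latest rule relies on abidiff accepting `--hd2` more than once; older libabigail releases take a single header directory per library, so the libabigail version installed in the CI image should be confirmed (for instance by checking `abidiff --help` there) before this is treated as fixed. Also quote the new path the way the existing `"$(srcdir)/lib/includes/gnutls/"` is quoted, and add a one-line comment saying why both directories are needed (checked-in headers live under $(srcdir), headers that configure generates live under the build tree); otherwise the next reader sees what looks like a duplicated option and may remove it.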
URL: From gnutls-devel at lists.gnutls.org Fri Dec 20 16:30:51 2019 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 20 Dec 2019 15:30:51 +0000 Subject: [gnutls-devel] GnuTLS | WIP: UBSAN: Fail tests if UB detected (!1136) In-Reply-To: References: Message-ID: Tim R?hsen pushed new commits to merge request !1136 https://gitlab.com/gnutls/gnutls/merge_requests/1136 * cf5bf721...ec5ecd1c - 16 commits from branch `master` * 36f846f0 - UBSAN: Fail tests if UB detected * 32c006c5 - Fix implicit value change in verify-high.c * 26b9be74 - handshake.c: Suppress warning in fuzzing build * ee896795 - rnd-fuzzer.c: Suppress shift sanitization check * 1deff0a6 - status_request.c: Silence -Wsign-compare * cca55bbd - certtool-cfg.c: Silence -Wunused-variable if HAVE_IPV6 not set * 4c91aa6a - Fix 2x -Wunused-function in tests/ * c4b52040 - Fix -Wtypedef-redefinition in tests/tls13/anti_replay.c [skip ci] * 43dbbf75 - Fix "left shift cannot be represented in type 'int'" in hello_ext.[ch] * 194a22a3 - Fix "implicit conversion from type 'int' of value -1 to 'unsigned'" * 8cbc586f - Fix "implicit conversion from type 'int' of value -1 to 'unsigned'" * 9436178d - Fix "implicit conversion from type 'int' of value -1 to 'unsigned'" * 9edb9643 - Fix "implicit conversion from type 'int' of value -1 to 'unsigned'" * 4052a4db - Fix "implicit conversion from type 'int' < 0 to 'unsigned'" * 45b92afe - Fix "implicit conversion from type 'int' < 0 to 'unsigned'" * 54d0ec68 - Fix "implicit conversion from type 'int' -1 to 'unsigned'" * cab98d45 - Fix "implicit conversion from type 'uint32_t' to 'uint8_t' with value >255" * f78144e5 - Fix checks in mpi.c:__gnutls_x509_write_int() * b642b929 - Suppress integer UB checks in record.c:record_read_headers() * d4666837 - Fix "implicit conversion from type 'int' -1 to 'unsigned'" -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1136 You're receiving this email 
because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Dec 20 20:47:28 2019 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 20 Dec 2019 19:47:28 +0000 Subject: [gnutls-devel] GnuTLS | _gnutls_verify_crt_status: apply algorithm checks to trusted CAs and other cert improvements (!1140) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos commented: > If that is ok or not is a matter of policy. As I understand it, you can't set/use a profile that is less secure than the system profile (also not sure what UNKNOWN means in this context). Indeed. I thought that since we set this value as the minimum verification profile, it should apply for general verification not only to verifications happening on TLS sessions. > That's good for most users, but might need special care taken by testers and/or developers (they eventually have to change system policy). That's a good point. We should also make sure in our test suite that we override the policy. I've amended with another commit doing just that. I'll merge once it passes. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1140#note_263831929 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... 
URL: From gnutls-devel at lists.gnutls.org Fri Dec 20 20:47:36 2019 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 20 Dec 2019 19:47:36 +0000 Subject: [gnutls-devel] GnuTLS | _gnutls_verify_crt_status: apply algorithm checks to trusted CAs and other cert improvements (!1140) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos pushed new commits to merge request !1140 https://gitlab.com/gnutls/gnutls/merge_requests/1140 * 66e89851 - tests: ensure test suite does not apply global config -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1140 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Dec 20 20:52:47 2019 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 20 Dec 2019 19:52:47 +0000 Subject: [gnutls-devel] GnuTLS | Improvements in gnutls-cli --benchmark-tls-kx (!1128) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos pushed new commits to merge request !1128 https://gitlab.com/gnutls/gnutls/merge_requests/1128 * 95ae2f66...ec5ecd1c - 27 commits from branch `master` * 6f314f1c - gnutls-cli: benchmark-tls-kx can work with sub-ms accuracy * 29730609 - gnutls-cli: improved output of --benchmark-tls-kx -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1128 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... 
URL: From gnutls-devel at lists.gnutls.org Fri Dec 20 22:06:25 2019 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 20 Dec 2019 21:06:25 +0000 Subject: [gnutls-devel] GnuTLS | _gnutls_verify_crt_status: apply algorithm checks to trusted CAs and other cert improvements (!1140) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos pushed new commits to merge request !1140 https://gitlab.com/gnutls/gnutls/merge_requests/1140 * 09d4b8f2 - tests: ensure test suite does not apply global config -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1140 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Dec 20 23:09:39 2019 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 20 Dec 2019 22:09:39 +0000 Subject: [gnutls-devel] GnuTLS | _gnutls_verify_crt_status: apply algorithm checks to trusted CAs and other cert improvements (!1140) In-Reply-To: References: Message-ID: Merge Request !1140 was merged Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/1140 Project:Branches: nmav/gnutls:tmp-check-same-certs to gnutls/gnutls:master Author: Nikos Mavrogiannopoulos Assignees: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1140 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... 
URL: From gnutls-devel at lists.gnutls.org Fri Dec 20 23:09:39 2019 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 20 Dec 2019 22:09:39 +0000 Subject: [gnutls-devel] GnuTLS | Trusted CA certificates with keys that should have been rejected by the verification profile are accepted for TLS (#877) In-Reply-To: References: Message-ID: Issue was closed by Nikos Mavrogiannopoulos via merge request !1140 (https://gitlab.com/gnutls/gnutls/merge_requests/1140) Issue #877: https://gitlab.com/gnutls/gnutls/issues/877 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/877 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat Dec 21 01:17:12 2019 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sat, 21 Dec 2019 00:17:12 +0000 Subject: [gnutls-devel] GnuTLS | abi-check: fix include paths (!1139) In-Reply-To: References: Message-ID: Merge Request !1139 was merged Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/1139 Project:Branches: GostCrypt/gnutls:abi-fix to gnutls/gnutls:master Author: Dmitry Eremin-Solenikov Assignees: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1139 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... 
URL: From gnutls-devel at lists.gnutls.org Sat Dec 21 19:53:26 2019 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sat, 21 Dec 2019 18:53:26 +0000 Subject: [gnutls-devel] GnuTLS | UB+ASAN: Fail tests if UB detected (!1136) In-Reply-To: References: Message-ID: Tim Rühsen pushed new commits to merge request !1136 https://gitlab.com/gnutls/gnutls/merge_requests/1136 * ba1bd0c7 - UBSAN: Fail tests if UB detected * a5fa2dcb - Fix implicit value change in verify-high.c * 73468779 - handshake.c: Suppress warning in fuzzing build * cff43af1 - rnd-fuzzer.c: Suppress shift sanitization check * 2b361b9f - status_request.c: Silence -Wsign-compare * f37fc899 - certtool-cfg.c: Silence -Wunused-variable if HAVE_IPV6 not set * 88d80ab2 - Fix 2x -Wunused-function in tests/ * 8bf44313 - Fix -Wtypedef-redefinition in tests/tls13/anti_replay.c [skip ci] * 8b53b42b - Fix "left shift cannot be represented in type 'int'" in hello_ext.[ch] * bc5901e5 - Fix "implicit conversion from type 'int' of value -1 to 'unsigned'" * 0a541317 - Fix "implicit conversion from type 'int' of value -1 to 'unsigned'" * 11d6d42e - Fix "implicit conversion from type 'int' of value -1 to 'unsigned'" * f7b9e076 - Fix "implicit conversion from type 'int' of value -1 to 'unsigned'" * 3a2e290e - Fix "implicit conversion from type 'int' < 0 to 'unsigned'" * 4baa6a90 - Fix "implicit conversion from type 'int' < 0 to 'unsigned'" * 1f84ca9d - Fix "implicit conversion from type 'int' -1 to 'unsigned'" * 0b356d5f - Fix "implicit conversion from type 'uint32_t' to 'uint8_t' with value >255" * f93d61f7 - Fix checks in mpi.c:__gnutls_x509_write_int() * c3081ec6 - Suppress integer UB checks in record.c:record_read_headers() * 9e029d85 - Fix "implicit conversion from type 'int' -1 to 'unsigned'" * 1c0eecd7 - Use check_for_datefudge in tests -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1136 You're receiving this email because of your 
account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat Dec 21 19:57:01 2019 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sat, 21 Dec 2019 18:57:01 +0000 Subject: [gnutls-devel] GnuTLS | lib/iov.c:119: null pointer passed as argument 2 to memcpy() (#882) References: Message-ID: Tim Rühsen created an issue: https://gitlab.com/gnutls/gnutls/issues/882 Running the commands in !1136 for the runner `UB+ASAN-Werror.Fedora.x86_64.gcc` stops with the error/backtrace below. *If* memcpy checks for NULL, nothing would happen. But if not, we would see a segmentation fault.

```
tim@ryzen:~/src/gnutls$ cat tests/slow/test-ciphers.sh.log
iov.c:119:3: runtime error: null pointer passed as argument 2, which is declared to never be null
#0 0x7f99d24b1f5b in _gnutls_iov_iter_next /home/tim/src/gnutls/lib/iov.c:119
#1 0x7f99d2469482 in gnutls_aead_cipher_encryptv /home/tim/src/gnutls/lib/crypto-api.c:1043
#2 0x7f99d249995b in test_cipher_aead_scatter /home/tim/src/gnutls/lib/crypto-selftests.c:1028
#3 0x7f99d249995b in test_cipher_aead /home/tim/src/gnutls/lib/crypto-selftests.c:1292
#4 0x7f99d24a04d8 in gnutls_cipher_self_test /home/tim/src/gnutls/lib/crypto-selftests.c:1889
#5 0x555e1ea0e310 in main /home/tim/src/gnutls/tests/slow/cipher-test.c:45
#6 0x7f99d15aabba in __libc_start_main ../csu/libc-start.c:308
#7 0x555e1ea0e199 in _start (/home/tim/src/gnutls/tests/slow/cipher-test+0x1199)
default cipher tests failed
FAIL test-ciphers.sh (exit status: 1)
tim@ryzen:~/src/gnutls$ cat tests/slow/override-ciphers.log
iov.c:119:3: runtime error: null pointer passed as argument 2, which is declared to never be null
#0 0x7f574b5c3f5b in _gnutls_iov_iter_next /home/tim/src/gnutls/lib/iov.c:119
#1 0x7f574b57b482 in gnutls_aead_cipher_encryptv /home/tim/src/gnutls/lib/crypto-api.c:1043
#2 0x7f574b5ab95b in test_cipher_aead_scatter /home/tim/src/gnutls/lib/crypto-selftests.c:1028
#3 0x7f574b5ab95b in test_cipher_aead /home/tim/src/gnutls/lib/crypto-selftests.c:1292
#4 0x7f574b5b2501 in gnutls_cipher_self_test /home/tim/src/gnutls/lib/crypto-selftests.c:1892
#5 0x5583cd9f8c45 in main /home/tim/src/gnutls/tests/slow/cipher-override.c:228
#6 0x7f574a681bba in __libc_start_main ../csu/libc-start.c:308
#7 0x5583cd9f82e9 in _start (/home/tim/src/gnutls/tests/slow/.libs/cipher-override+0x32e9)
overridden cipher tests failed
FAIL override-ciphers (exit status: 1)
```

-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/882 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat Dec 21 22:25:11 2019 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sat, 21 Dec 2019 21:25:11 +0000 Subject: [gnutls-devel] GnuTLS | OCSP stapling transmission observability (#883) References: Message-ID: jgh created an issue: https://gitlab.com/gnutls/gnutls/issues/883 ## Description of the feature: A way for the server application to know if the library sent an OCSP stapled certificate status. Complication: TLS1.3 allows for more than one certificate chain-element to be sent with associated status. While a single bit would be simple for the application to retrieve, and cover most current cases (where only the leaf element has status), that is not complex enough for the general case. It has been suggested (issue 829) that gnutls_certificate_set_retrieve_function3() could be used for this, if access were provided to the library default methods for identifying the staplings. ## Applications that this feature may be relevant to: Anything wanting observability ## Is this feature implemented in other libraries (and which) OpenSSL has a status-callback similar to gnutls_certificate_set_retrieve_function3(). 
-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/883 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat Dec 21 22:26:16 2019 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sat, 21 Dec 2019 21:26:16 +0000 Subject: [gnutls-devel] GnuTLS | It is not possible for server to check whether client requested OCSP stapling (#829) In-Reply-To: References: Message-ID: jgh commented: OK. Raised #883. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/829#note_263981098 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun Dec 22 08:32:29 2019 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sun, 22 Dec 2019 07:32:29 +0000 Subject: [gnutls-devel] GnuTLS | lib/iov.c:119: null pointer passed as argument 2 to memcpy() (#882) In-Reply-To: References: Message-ID: Daiki Ueno commented: Indeed, there should be a null check around `memcpy()` on `iov.c:119` (we can assume that `p` is non-NULL for other occurrences of `memcpy()` in that function). Would you like to fix it as part of !1136? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/882#note_264004853 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... 
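The gather step that Daiki's comment refers to, as an added example that is not GnuTLS code (the real `_gnutls_iov_iter_next` in lib/iov.c walks the iovec array in cipher-block-sized steps and is not reproduced here): the unchecked form calls `memcpy()` on every element, which is exactly what UBSAN flags when an element carries a NULL `iov_base`, and the checked form skips an empty element without ever reading its base and rejects an element that claims a length but has no storage, which is the distinction Tim's follow-up question is about. The function names, the return codes and the sample iovecs are this example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/uio.h>   /* struct iovec { void *iov_base; size_t iov_len; } on POSIX */

/* Return codes for the gather helpers; names are this example's own. */
enum { GATHER_OK = 0, GATHER_EINVAL = -1, GATHER_ETRUNC = -2 };

/* The pattern UBSAN reported at lib/iov.c:119: memcpy() is declared with
 * nonnull source and destination, so a NULL iov_base is undefined behaviour
 * even with iov_len == 0. glibc happens to tolerate it, which is why the
 * self-tests only fail under the sanitizer. */
static int gather_unchecked(const struct iovec *iov, size_t iovcnt,
                            uint8_t *out, size_t outlen, size_t *written)
{
    size_t off = 0;
    for (size_t i = 0; i < iovcnt; i++) {
        if (iov[i].iov_len > outlen - off)
            return GATHER_ETRUNC;
        memcpy(out + off, iov[i].iov_base, iov[i].iov_len); /* UB if iov_base == NULL */
        off += iov[i].iov_len;
    }
    *written = off;
    return GATHER_OK;
}

/* Hardened variant: an empty element is skipped without touching iov_base,
 * and a non-empty element without storage is a caller bug that is reported
 * rather than papered over by a NULL check around memcpy(). */
static int gather_checked(const struct iovec *iov, size_t iovcnt,
                          uint8_t *out, size_t outlen, size_t *written)
{
    size_t off = 0;
    if (iov == NULL || out == NULL || written == NULL)
        return GATHER_EINVAL;
    for (size_t i = 0; i < iovcnt; i++) {
        const struct iovec *e = &iov[i];
        if (e->iov_len == 0)
            continue;                 /* nothing to copy; never read iov_base */
        if (e->iov_base == NULL)
            return GATHER_EINVAL;     /* length without storage: reject */
        if (e->iov_len > outlen - off)
            return GATHER_ETRUNC;
        memcpy(out + off, e->iov_base, e->iov_len);
        off += e->iov_len;
    }
    *written = off;
    return GATHER_OK;
}

/* Constructed scenario from the report: an empty NULL element between two real ones. */
static int demo_empty_null_element(void)
{
    uint8_t out[16];
    size_t written = 0;
    struct iovec v[3] = {
        { .iov_base = "abc", .iov_len = 3 },
        { .iov_base = NULL,  .iov_len = 0 },   /* the element that trips UBSAN */
        { .iov_base = "de",  .iov_len = 2 },
    };
    int rc = gather_checked(v, 3, out, sizeof out, &written);
    if (rc != GATHER_OK)
        return rc;
    if (written != 5 || memcmp(out, "abcde", 5) != 0)
        return -99;
    return (int)written;   /* 5 */
}

/* A NULL base with a non-zero length must be rejected, not copied from. */
static int demo_null_with_length(void)
{
    uint8_t out[16];
    size_t written = 0;
    struct iovec v[1] = { { .iov_base = NULL, .iov_len = 4 } };
    return gather_checked(v, 1, out, sizeof out, &written);   /* GATHER_EINVAL */
}

/* An output buffer smaller than the scattered input is reported as truncation. */
static int demo_truncation(void)
{
    uint8_t out[4];
    size_t written = 0;
    struct iovec v[2] = { { .iov_base = "abc", .iov_len = 3 }, { .iov_base = "de", .iov_len = 2 } };
    return gather_checked(v, 2, out, sizeof out, &written);   /* GATHER_ETRUNC */
}

int main(void)
{
    uint8_t out[16];
    size_t written = 0;
    struct iovec v[2] = { { .iov_base = "abc", .iov_len = 3 }, { .iov_base = "de", .iov_len = 2 } };

    gather_unchecked(v, 2, out, sizeof out, &written);   /* well-formed input: no NULL element */
    printf("unchecked: %zu bytes; checked demos: %d %d %d\n", written,
           demo_empty_null_element(), demo_null_with_length(), demo_truncation());
    return 0;
}
```

Compile with `-fsanitize=undefined` and the unchecked variant reports the same "null pointer passed as argument 2" message as the self-test log once an element like the second one in `demo_empty_null_element` reaches it; the checked variant is silent because the NULL base is never handed to `memcpy()`.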
URL: From gnutls-devel at lists.gnutls.org Sun Dec 22 12:08:40 2019 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sun, 22 Dec 2019 11:08:40 +0000 Subject: [gnutls-devel] GnuTLS | lib/iov.c:119: null pointer passed as argument 2 to memcpy() (#882) In-Reply-To: References: Message-ID: Tim Rühsen commented: @dueno Is it ok for `iov->iov_base` being NULL? If not, protecting `memcpy()` is just a work-around. And the real problem might be elsewhere. If you are sure, I'll add a check to !1136. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/882#note_264019288 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun Dec 22 14:24:33 2019 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sun, 22 Dec 2019 13:24:33 +0000 Subject: [gnutls-devel] GnuTLS | ecore_event_handler_add(): member access within null pointer of type 'struct Ecore_Event_Handler' (#884) References: Message-ID: Tim Rühsen created an issue: https://gitlab.com/gnutls/gnutls/issues/884 Any idea about this?

```
$ cat tests/suite/eagain.log
Warning: no private key and certificate pairs were set.
Echo Server listening on IPv4 0.0.0.0 port 44517...done
Echo Server listening on IPv6 :: port 44517...done
ecore/src/lib/ecore_events.c:137:7: runtime error: member access within null pointer of type 'struct Ecore_Event_Handler'
#0 0x562619617a0e in ecore_event_handler_add ecore/src/lib/ecore_events.c:137
#1 0x562619621c0e in _ecore_job_init ecore/src/lib/ecore_job.c:27
#2 0x5626196171e3 in ecore_init ecore/src/lib/ecore.c:122
#3 0x56261961626a in main /home/tim/src/gnutls/tests/suite/mini-eagain2.c:171
#4 0x7f2c4e19cbba in __libc_start_main ../csu/libc-start.c:308
#5 0x562619615a59 in _start (/home/tim/src/gnutls/tests/suite/eagain-cli+0x9aa59)
FAIL eagain.sh (exit status: 1)
```

Fixing the above leads to the next issue:

```
$ cat tests/suite/eagain.log
Warning: no private key and certificate pairs were set.
Echo Server listening on IPv4 0.0.0.0 port 61742...done
Echo Server listening on IPv6 :: port 61742...done
ecore/src/lib/ecore_main.c:618:6: runtime error: member access within null pointer of type 'struct Ecore_Fd_Handler'
#0 0x55d050285311 in ecore_main_fd_handler_add ecore/src/lib/ecore_main.c:618
#1 0x55d0502773ce in main /home/tim/src/gnutls/tests/suite/mini-eagain2.c:203
#2 0x7fd4395afbba in __libc_start_main ../csu/libc-start.c:308
#3 0x55d050276a59 in _start (/home/tim/src/gnutls/tests/suite/eagain-cli+0x9aa59)
Error in handshake: The TLS connection was non-properly terminated.
FAIL eagain.sh (exit status: 1)
```

After fixing this `tests/suite/eagain-cli` hangs at

```
0x00007f308bf68177 in __GI___select (nfds=1, readfds=0x7ffc8d7c3440, writefds=0x7ffc8d7c34e0, exceptfds=0x7ffc8d7c3580, timeout=0x0) at ../sysdeps/unix/sysv/linux/select.c:41
41      ../sysdeps/unix/sysv/linux/select.c: No such file or directory.
(gdb) bt
#0  0x00007f308bf68177 in __GI___select (nfds=1, readfds=0x7ffc8d7c3440, writefds=0x7ffc8d7c34e0, exceptfds=0x7ffc8d7c3580, timeout=0x0) at ../sysdeps/unix/sysv/linux/select.c:41
#1  0x000055c15f965447 in _ecore_main_select (timeout=, timeout@entry=-1) at ecore/src/lib/ecore_main.c:903
#2  0x000055c15f966b4e in _ecore_main_loop_iterate_internal (once_only=once_only@entry=0) at ecore/src/lib/ecore_main.c:1186
#3  0x000055c15f967037 in ecore_main_loop_begin () at ecore/src/lib/ecore_main.c:494
#4  0x000055c15f9593dd in main () at mini-eagain2.c:210
```

-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/884 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun Dec 22 14:35:03 2019 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sun, 22 Dec 2019 13:35:03 +0000 Subject: [gnutls-devel] GnuTLS | UB+ASAN: Fail tests if UB detected (!1136) In-Reply-To: References: Message-ID: Tim Rühsen pushed new commits to merge request !1136 https://gitlab.com/gnutls/gnutls/merge_requests/1136 * 4f75d955 - UBSAN: Fail tests if UB detected * 7cba8776 - Fix implicit value change in verify-high.c * 26beaae5 - handshake.c: Suppress warning in fuzzing build * 39b479cd - rnd-fuzzer.c: Suppress shift sanitization check * b47328a6 - status_request.c: Silence -Wsign-compare * bfe20ef9 - certtool-cfg.c: Silence -Wunused-variable if HAVE_IPV6 not set * 86afe587 - Fix 2x -Wunused-function in tests/ * 15593174 - Fix -Wtypedef-redefinition in tests/tls13/anti_replay.c [skip ci] * 56358749 - Fix "left shift cannot be represented in type 'int'" in hello_ext.[ch] * 127d58a3 - Fix "implicit conversion from type 'int' of value -1 to 'unsigned'" * 28941e2c - Fix "implicit conversion from type 'int' of value -1 to 'unsigned'" * 9d90680a - Fix "implicit conversion from type 'int' of value -1 
to 'unsigned'" * 3d8a8044 - Fix "implicit conversion from type 'int' of value -1 to 'unsigned'" * ae4002a5 - Fix "implicit conversion from type 'int' < 0 to 'unsigned'" * 3465c658 - Fix "implicit conversion from type 'int' < 0 to 'unsigned'" * ad3d822a - Fix "implicit conversion from type 'int' -1 to 'unsigned'" * 7c6d3c56 - Fix "implicit conversion from type 'uint32_t' to 'uint8_t' with value >255" * 90c1136c - Fix checks in mpi.c:__gnutls_x509_write_int() * dd7d329a - Suppress integer UB checks in record.c:record_read_headers() * 6d9c34b9 - Fix "implicit conversion from type 'int' -1 to 'unsigned'" * bfc0c160 - Use check_for_datefudge in tests * 15ea3990 - Fix NULL ptr access in _gnutls_iov_iter_next() * 8d1c751c - Temporarily disable test 'eagain.sh' until #884 is fixed -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1136 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Dec 23 09:00:33 2019 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 23 Dec 2019 08:00:33 +0000 Subject: [gnutls-devel] GnuTLS | Improvements in gnutls-cli --benchmark-tls-kx (!1128) In-Reply-To: References: Message-ID: Dmitry Eremin-Solenikov started a new discussion on src/benchmark.h: https://gitlab.com/gnutls/gnutls/merge_requests/1128#note_264147720 > return (a->tv_sec - b->tv_sec) * 1000 + (a->tv_nsec - b->tv_nsec) / (1000 * 1000); > } > > +inline static unsigned long `uint64_t` -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1128#note_264147720 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... 
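Review bot: `inline static unsigned long` as the return type of the new helper in src/benchmark.h leaves the width of a sub-millisecond difference platform-dependent, since `unsigned long` is 32 bits on 32-bit targets and on 64-bit Windows, where a value scaled from `tv_sec` overflows at about 4.3 seconds for nanoseconds or 71 minutes for microseconds; use `uint64_t` from `<stdint.h>`, as the comment on the hunk suggests, so the type matches the fixed-width arithmetic the function needs. The quoted hunk stops at the return type, so the body should also be checked for the signed-to-unsigned conversion the context line already hints at: the `(a->tv_nsec - b->tv_nsec)` term is negative whenever the seconds carried, and it must be added to the scaled seconds as a signed value before the result is converted to the unsigned return type.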
URL: From gnutls-devel at lists.gnutls.org Mon Dec 23 09:02:05 2019 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 23 Dec 2019 08:02:05 +0000 Subject: [gnutls-devel] GnuTLS | Improvements in gnutls-cli --benchmark-tls-kx (!1128) In-Reply-To: References: Message-ID: Dmitry Eremin-Solenikov commented: LGTM other than small comment above. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1128#note_264148213 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Dec 23 09:09:20 2019 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 23 Dec 2019 08:09:20 +0000 Subject: [gnutls-devel] GnuTLS | gnutls can't check certificate issuer correctly according to RFC5280 (#885) References: Message-ID: llqll created an issue: https://gitlab.com/gnutls/gnutls/issues/885 ## description gnutls rejects a certificate when the issuer of the certificate and the subject of the CA certificate are equal under caseIgnoreMatch. I recently created a certificate chain [rootca, intermediate certificate, leaf certificate]; the issuer of the leaf certificate is "..., OU = beiyangyuAn, ...", the subject of the intermediate certificate is "..., OU = beiyangyuan, ...". According to Section 7.1 of RFC 5280: "Conforming implementations MUST support name comparisons using caseIgnoreMatch". In this case, the intermediate certificate should be the CA of the leaf certificate. However, gnutls cannot find the issuer. The chain was rejected by GnuTLS 3.6.11; however, the chain was accepted by OpenSSL. ## The command I used is: `certtool --verify --load-ca-certificate 1.pem --infile leaf.pem` ## actual result ` The certificate is NOT trusted. 
The certificate issuer is unknown.` ## expected result `The certificate is trusted.` 1.pem (it contains two certificates inside): ``` -----BEGIN CERTIFICATE----- MIIGCDCCA/CgAwIBAgIQY8Mi35RmHbQSpWR8XD7V+zANBgkqhkiG9w0BAQsFADBt MQswCQYDVQQGEwJDTjEMMAoGA1UECAwDVEo1MQwwCgYDVQQKDANUSlUxFDASBgNV BAsMC2JlaXlhbmd5dWFuMQswCQYDVQQDDAJDUzEfMB0GCSqGSIb3DQEJARYQbGpm cG93ZXJAMTYzLmNvbTAgFw0wMDAxMDEwMTAwMDFaGA82NTY2MDMyMzEyMTIzM1ow ajELMAkGA1UEBhMCQ04xDDAKBgNVBAgMA1RKNTEMMAoGA1UECgwDVEpVMRQwEgYD VQQLDAtiZWl5YW5neXVhbjENMAsGA1UEAwwEYjMyNjEaMBgGCSqGSIb3DQEJARYL bGkxQDE2My5jb20wggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDUWAVE VHGqn3tPc+kJTGwXpsiD+pwu287ibcwa7nlcQ8KyrwbS/7dnhK3Mpz3jjkbk9Zqw Ju8R5ku9hEsSX3ZW7KQYj+jqVWVnLNlp5j0a1G2fdB7vn0ORtj9GgFAbKn37cXqo 6G2EyQ0NXhpOiwUtQXSnhbMUUJal2jMSaSGSKyyex9lDrZfSzQ164VIvMKz49kPB Z6EupA0E6QkwZ1a8wGthdhQ3tJrHt0jcmBVpJ5mo9zlvX7ErsK4prXgJvBQR/IRc YhqYHxsKLq/mgjezNqy/WoPN313HxDG8YETy8m9BKWI5OLBHIr0kahmBFumttlGa a4rW+w2NZz8jtrnkM8sFSEoegO7xA8JZdO6O3mSedWOiA2zEuT8hQqkSYDSdZxOd J1u/mdyumLErXquenaMTAHb0lviNc7llZqDKMJ8yfROZwv9PDCs3OBGOttr3MMRT JHN5f4ZStqx6unV90Rx8QIh8wstG3c/QrJ4lBS+c72A6bMmxLpiTg1+CjG9ntgvC mspMbVlu710Y7JHcAuq9RSnR0Nv31AGjOZEpKAGpUfzoVf47GYV38VpLskgy0tiA Tesse5g8rUE9ozwgj6B34qfNdPxCmv6UkLYxU/CLpw2cRKT8hShAO8zDfgmU9262 ctTdrVU3PsSwMs7F8SlG/9kWq6HgqaBPadCsRwIDAQABo4GkMIGhMB0GA1UdDgQW BBSSPopRSpZMfPAxCvUPCu4TZmh38DAfBgNVHSMEGDAWgBRyFaB24RFh9c9zf0+D YA01twtiWjASBgNVHRMBAf8ECDAGAQH/AgEAMA4GA1UdDwEB/wQEAwIBhjA7BgNV HREENDAyggdhYmMuY29tggkqLmFiYy5jb22CB3h5ei5jb22CDXd3dy5iYWlkdS5j b22HBH8AAAEwDQYJKoZIhvcNAQELBQADggIBAJwtzZT7z1eImP8a7GTnfbPYu8k4 kdbGnWSyrEr8x6UjZQLCa1DXdxKkms84yCW1QM5vdKody/Sz1lvETPeTgpXRLlcO i/75L+Knz1asfz3D+SO/YCSc/VF27GnkKyjFlt7LUmHuFUQoprpCi12wJ0IJP5D6 AQarnWuS2AA4op0exLrK1+BonYyqH//QDt5jhUJFEKQVgckHOtVOklHmazplr8bu JzHz0+C7mDtZbLXoBSgZIFaVCSk4uxsf98QWOxKQURUv8gAhHLOo/QlkyqiiFCaN 1Se0Zp16pegTxs0qS8qY1pLgw4AO56ifG+LcOmYminbAZtApmiOvtxf8JAw5Twc8 6gLRlq2cv/bY55hZde4uvUzC/Te/zENu9rlv7qQqQ9jS5tiWZjZVqhEt275KymBT 
4855pB+8oGb5Xznl6/AzmxUbOmRX1q5bbv+11ZscRtUp3XD3gA5Y5UYBF5UVICcb zTVUNDgaUjyuXIiF/ZFtbcxX57PfIqKHP3A2XseUhpN3qFSWb29BsTAa7E59s8pL 0m/aftSXF1g/8q0IsHFuZRv4l+eyYWJhwtQTY9TTHnjYJbljcwGtVjYuAfMB+eec beH0LdKLVbOKlMPySiqy18cKDkwQ1wTPqoZnz5/mKRr5Hpt/RKSe997NjIeuJZl0 W0ebRMo2T0FNhUhm -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- MIIGCDCCA/CgAwIBAgIQY8Mi35RmHbQSpWR8XD7V+jANBgkqhkiG9w0BAQsFADBt MQswCQYDVQQGEwJDTjEMMAoGA1UECAwDVEo1MQwwCgYDVQQKDANUSlUxFDASBgNV BAsMC2JlaXlhbmd5dWFuMQswCQYDVQQDDAJDUzEfMB0GCSqGSIb3DQEJARYQbGpm cG93ZXJAMTYzLmNvbTAgFw0wMDAxMDEwMTAwMDBaGA85OTk5MTIyMzExMjMzNFow bTELMAkGA1UEBhMCQ04xDDAKBgNVBAgMA1RKNTEMMAoGA1UECgwDVEpVMRQwEgYD VQQLDAtiZWl5YW5neXVhbjELMAkGA1UEAwwCQ1MxHzAdBgkqhkiG9w0BCQEWEGxq ZnBvd2VyQDE2My5jb20wggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQC+ WcvCnpCA78zG1ZkRhiIPjPEmFx3PHaX5f+KYod68qvCqsRGsB4n7rQS2ljFUZ7MY 4GNWtiMZANdWMuOrnkT0sNmtQ1aXWh+6lMUKLr/690SkKMbKU1y6OTfGBntau6em 1djv9Q8fYmapdne3tr5UNTJBvqc5qivWiF98XUQdp8qGKLYfF0NOxkreD6u4Pddo /6PR5pn+nbgCHkDFmVGL+0DtZzC+K/NQbKpmP4/Zpolf1C5wPpxWPpjDl/yRSctC qX1G0WGyB8/w/IR94Gx3rDmA/NkZMP+4tXBFVSoz0XJpdNqCtwxCkl6NqLpMN0gp XrU78ToNnTiUW4zoyIfKBSlXRkPd4srgB8gTO3cHqJkSmzt/gFMnbBP1gNV10R0P KzbNuV/uIHx5wGYJIW8w9fL8hKrCYcO5Yfq3VDGy9Lr3/5QFYI36oPLIw0cZS/i+ NyPLYT1TN/o6E8dtnsz1AY+VQyriW44CB6J3tlfrGLigfP81rsaQpcGd+W+0ntyc cWpzRKwwut3I9CJSGjRuwHfz0n6Fk+Hoj+i+Qv6h/y7+KwqjDMMHIrbieBhUwQbm Hlyj25IwyvYc6OOBymAyy8pUByAC7QWw4KxogDol6165iAubaupDxkDQXKr/IMmj pCcTBDmVwhStVBDCD6Lo4HhxDE5a6IA4DSxdWIV2iQIDAQABo4GhMIGeMB0GA1Ud DgQWBBRyFaB24RFh9c9zf0+DYA01twtiWjAfBgNVHSMEGDAWgBRyFaB24RFh9c9z f0+DYA01twtiWjAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBhjA7BgNV HREENDAyggdhYmMuY29tggkqLmFiYy5jb22CB3h5ei5jb22CDXd3dy5iYWlkdS5j b22HBH8AAAEwDQYJKoZIhvcNAQELBQADggIBAFYRDs+WyMwr8rPCkzFHnMK0ePfD cWc1O1L02foAePXEicrqQwv7JnsikBsx28E0T+mjqFU+7IIq7K+T0ndlEfax96Gi j3H8zfwAG10JBFMjsFtdo8Hq6Q4CeMu1D83NPhQacZ1lOdCp/ZUdRvlcveeBx5VX hFel6erfsR+6GX6I0b2Z9qIBKwmpxLcsPkY60RuazvkSf7xAd4eNJ18vzdo55J1c 
x6mJK+c5J63a/IW6rjEd2v6URwwlbOyuRSurXoETMxYwuxs7pBnxA3MRU/OWIaCy fAO+2ao4qn4WNo4oGo1BJBaX+mQJa+NwCw2F+sRqGZ+3ooSq2bjjXrLxiytr4b+o fUBiCzhZLOGaRubJXlWp39dgLf6mo3ajjYPhTUtlqv0ZfX97C7xEXitNY3Dy9aqe NnQn2+u2dkzEMTc+zW5i+xkByRhoSXY5AhYDdyd0Qtuk1T8sRs38TJmavr6/H6hv 6FGrmgqFypmsVy1LdRAn80yVBce1t3eWcgVnTND+wSS8mEj9rHS4th4sZbwwpVWJ Z0cJSFnqSLMh7ZrDyzcKFUhgdU7GxuaACxIbBt3f5pCp1QDKffb3kVG333l/OLqN 2qYOTP6iFf3JpKttNvaSA9Q+GNk4t/8ozZW6lfyz+uDfmQecEgAv/u1s1brMgQo7 TQ/vJrJvgyxVSgOH -----END CERTIFICATE----- ``` the leaf.pem: ``` -----BEGIN CERTIFICATE----- MIISSjCCEDKgAwIBAgIQCHtGjysjHCK0GhceTMWcazANBgkqhkiG9w0BAQsFADBq MQswCQYDVQQGEwJDTjEMMAoGA1UECAwDVEo1MQwwCgYDVQQKDANUSlUxFDASBgNV BAsMC2JlaXlhbmd5dUFuMQ0wCwYDVQQDDARiMzI2MRowGAYJKoZIhvcNAQkBFgts aTFAMTYzLmNvbTAeFw0wMTAxMDEwMTAwMDBaFw0zNTEyMjMxMTIzMzRaMIGZMQsw CQYDVQQGEwJDTjEYMBYGA1UECBMPR3Vhbmdkb25nIFNoZW5nMREwDwYDVQQHEwhT aGVuemhlbjE6MDgGA1UEChMxU2hlbnpoZW4gVGVuY2VudCBDb21wdXRlciBTeXN0 ZW1zIENvbXBhbnkgTGltaXRlZDEMMAoGA1UECwwDUiZEMRMwEQYDVQQDEwp3d3cu cXEuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAq5FEkvyBqbjo YACSkthoNu6S5ID7IlZCYyJeOBc24QEN9u9vDHjNd61Ip4PA4igNyOrwTk44z5Ei 4rTGxfRSiNwIZCRvRZJWnxX8U+6huoL/QdnEiMoFPfwbckJ8oh47abqDGc6d2r7J mKRrpIne/t/cxhVdO6A5Rikjz4u/fCzz9Qu1Xe4wYFBy1quRzLGfyHOB8M0jqRci eW1WWet5gMWApd6OS+zOBp2eKF9hKpBsxDwQ0HHlIsq2iL+Zj5uqbn5f02nDsQTs YEt6dL8Mp+OxLotIY67BYeO4ejdg4phkV4cMy0bLeHuzeXhrsQYPM8zYa1YA+BRU pqFNE4kSIQIDAQABo4INujCCDbYwHwYDVR0jBBgwFoAUkj6KUUqWTHzwMQr1Dwru E2Zod/AwHQYDVR0OBBYEFIfsl586OIrk33RsRxJ2SC5kwa6RMIILAQYDVR0RBIIK +DCCCvSCCnd3dy5xcS5jb22CDjEweWVhcnMucXEuY29tggsyMDEwLnFxLmNvbYIL MjAxMS5xcS5jb22CCzIwMTIucXEuY29tggsyMDE0LnFxLmNvbYILMjAxNi5xcS5j b22CCzIwMTgucXEuY29tgg4zZy50ZWNoLnFxLmNvbYIJNjEucXEuY29tgg5hcnNl bmFsLnFxLmNvbYIUYXN0cm8uZmFzaGlvbi5xcS5jb22CEWFzdHJvLmxhZHkucXEu Y29tggxhc3Ryby5xcS5jb22CFWF1c3RyYWxpYW5vcGVuLnFxLmNvbYILYXV0by5x cS5jb22CC2JhYnkucXEuY29tgg9iYXIudGVjaC5xcS5jb22CD2Jicy5saXN0LnFx LmNvbYIMYmVsbGEucXEuY29tggliaS5xcS5jb22CDmJpem5leHQucXEuY29tgg1i 
ai5qamoucXEuY29tggliai5xcS5jb22CDWJqMjAyMi5xcS5jb22CC2JvYW8ucXEu Y29tgg9idXNpbmVzcy5xcS5jb22CEWJ3Zi5zcG9ydHMucXEuY29tgg1jYW1wdXMu cXEuY29tggljZC5xcS5jb22CDmNkcGFuZGEucXEuY29tggxjaGluYS5xcS5jb22C C2NpdHkucXEuY29tggtjb3N0LnFxLmNvbYIJY3AucXEuY29tggljcS5xcS5jb22C CmN1bC5xcS5jb22CCWN5LnFxLmNvbYIMZGFqaWEucXEuY29tgg1kYWxpYW4ucXEu Y29tggpkYW8ucXEuY29tghNkYW8ucnVzaGlkYW8ucXEuY29tghBkYXRhLmF1dG8u cXEuY29tgg5kYXRhLnJlLnFxLmNvbYILZGlnaS5xcS5jb22CEGRpZ2kudGVjaC5x cS5jb22CDmVjb25vbXkucXEuY29tggplZHUucXEuY29tgg5lbi4yMDEyLnFxLmNv bYIKZW50LnFxLmNvbYIPZXVybzIwMTIucXEuY29tggtmYWN0LnFxLmNvbYISZmFu cy5zcG9ydHMucXEuY29tgg5mYXNoaW9uLnFxLmNvbYISZmNiYXJjZWxvbmEucXEu Y29tgg5maW5hbmNlLnFxLmNvbYIJZmoucXEuY29tghJmby5ydXNoaWRhby5xcS5j b22CDGZveHVlLnFxLmNvbYIUZnV0c2FsLnNwb3J0cy5xcS5jb22CDGdhbWVzLnFx LmNvbYIJZ2QucXEuY29tggtnb2xmLnFxLmNvbYINZ29uZ3lpLnFxLmNvbYIRZ3Jl ZW4ubmV3cy5xcS5jb22CCWd5LnFxLmNvbYINZ3oyMDEwLnFxLmNvbYINaGFuaGFu LnFxLmNvbYINaGIuampqLnFxLmNvbYIJaGIucXEuY29tggpoZWEucXEuY29tgg1o ZWFsdGgucXEuY29tggxoZWJlaS5xcS5jb22CDGhlbmFuLnFxLmNvbYITaGlzdG9y eS5uZXdzLnFxLmNvbYIOaGlzdG9yeS5xcS5jb22CCWhuLnFxLmNvbYILaG9vcC5x cS5jb22CDGhvdXNlLnFxLmNvbYIOaS5tYXRjaC5xcS5jb22CC2lhaW8ucXEuY29t gg5pYXBwLnh3LnFxLmNvbYIMaWxpa2UucXEuY29tggtpcGFkLnFxLmNvbYIKaXJz LnFxLmNvbYIJaXQucXEuY29tggxqaWFqdS5xcS5jb22CCmpqai5xcS5jb22CC2pv a2UucXEuY29tggpqb3kucXEuY29tgglqcy5xcS5jb22CCmticy5xcS5jb22CEWti cy5zcG9ydHMucXEuY29tggtrZXB1LnFxLmNvbYIKa2lkLnFxLmNvbYILa3h5eC5x cS5jb22CD2xlYXJuaW5nLnFxLmNvbYIObGVxdWlwZS5xcS5jb22CC2xpYnMucXEu Y29tgg9saXV4aWFuZy5xcS5jb22CCWxuLnFxLmNvbYINbHV4dXJ5LnFxLmNvbYIJ bHkucXEuY29tghFtLm5iYWNoaW5hLnFxLmNvbYILbWFwcC5xcS5jb22CEW1lZGlh Lm5ld3MucXEuY29tggxtZWRpYS5xcS5jb22CCm1pbC5xcS5jb22CC21pbmkucXEu Y29tgg9taW5pMjAxNS5xcS5jb22CD21pbmlzaXRlLnFxLmNvbYITbWluaXNpdGUy MDA5LnFxLmNvbYITbWluaXNpdGUyMDEyLnFxLmNvbYIUbW9uZXkuZmluYW5jZS5x cS5jb22CDG1vbmV5LnFxLmNvbYIRbmJhLnNwb3J0cy5xcS5jb22CEG5iYS5zdGF0 cy5xcS5jb22CD25iYWNoaW5hLnFxLmNvbYIKbmV3LnFxLmNvbYILbmV3cy5xcS5j 
b22CDm5ld3NhcHAucXEuY29tggtvLnh3LnFxLmNvbYIMcGFuZWwucXEuY29tggpw aXUucXEuY29tgg5wcml2YWN5LnFxLmNvbYIRcW9zLnJlcG9ydC5xcS5jb22CC3Jh aW4ucXEuY29tgglyZS5xcS5jb22CEnJlcG9ydC5uZXdzLnFxLmNvbYIKcnNzLnFx LmNvbYIJcnUucXEuY29tghJydS5ydXNoaWRhby5xcS5jb22CDnJ1Zm9kYW8ucXEu Y29tgglzaC5xcS5jb22CDXNvY2Nlci5xcS5jb22CE3NvY2Nlci5zdGF0cy5xcS5j b22CDnNvY2lldHkucXEuY29tggxzcGFjZS5xcS5jb22CDXNwb3J0cy5xcS5jb22C EXN0YXRzLjIwMTYucXEuY29tghFzdGV2ZS1qb2JzLnFxLmNvbYIMc3RvY2sucXEu Y29tgg9zdXBlci5kdy5xcS5jb22CCXN6LnFxLmNvbYINdC5uZXdzLnFxLmNvbYIL dGVjaC5xcS5jb22CDnRoaW5rZXIucXEuY29tggp0aHIucXEuY29tgg10aWFucWku cXEuY29tggt0aW1lLnFxLmNvbYINdGouampqLnFxLmNvbYIJdGoucXEuY29tggp0 bncucXEuY29tghF0b3JjaC4yMDExLnFxLmNvbYIPdHJlbmQuY3EucXEuY29tggx2 LmVudC5xcS5jb22CEHYuZmFzaGlvbi5xcS5jb22CDXYubmV3cy5xcS5jb22CD3Yu c3BvcnRzLnFxLmNvbYIMdmFsdWUucXEuY29tggt2aG90LnFxLmNvbYIQdmlldy5u ZXdzLnFxLmNvbYIQdmlldy55dXR1LnFxLmNvbYIRdmlwLnNwb3J0cy5xcS5jb22C DHZsaWtlLnFxLmNvbYIJdnMucXEuY29tgg13LmF1dG8ucXEuY29tggl3Yy5xcS5j b22CEndjYmEuc3BvcnRzLnFxLmNvbYITd2VhdGhlci5uZXdzLnFxLmNvbYIOd2Vh dGhlci5xcS5jb22CEHdpbWJsZWRvbi5xcS5jb22CDHdvcmxkLnFxLmNvbYIPd29y bGRjdXAucXEuY29tghN3d3cud29ybGRjdXAucXEuY29tggp3eG4ucXEuY29tghB4 aWFuLm5ld3MucXEuY29tggt4aWFuLnFxLmNvbYIReG5jLnNwb3J0cy5xcS5jb22C DXhwcml6ZS5xcS5jb22CCXh3LnFxLmNvbYIQeHcudGlhbnFpLnFxLmNvbYIOeHcu dGltZS5xcS5jb22CC3lzbHAucXEuY29tggl6ai5xcS5jb22CDHpwLmNxLnFxLmNv bYIOenQubmV3cy5xcS5jb22CBnFxLmNvbTAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0l BBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMG8GA1UdHwRoMGYwMaAvoC2GK2h0dHA6 Ly9jcmwzLmRpZ2ljZXJ0LmNvbS9TZWN1cmVTaXRlQ0FHMi5jcmwwMaAvoC2GK2h0 dHA6Ly9jcmw0LmRpZ2ljZXJ0LmNvbS9TZWN1cmVTaXRlQ0FHMi5jcmwwTAYDVR0g BEUwQzA3BglghkgBhv1sAQEwKjAoBggrBgEFBQcCARYcaHR0cHM6Ly93d3cuZGln aWNlcnQuY29tL0NQUzAIBgZngQwBAgIwbAYIKwYBBQUHAQEEYDBeMCEGCCsGAQUF BzABhhVodHRwOi8vb2NzcC5kY29jc3AuY24wOQYIKwYBBQUHMAKGLWh0dHA6Ly9j cmwuZGlnaWNlcnQtY24uY29tL1NlY3VyZVNpdGVDQUcyLmNydDAMBgNVHRMBAf8E AjAAMIIBAwYKKwYBBAHWeQIEAgSB9ASB8QDvAHYA7ku9t3XOYLrhQmkfq+GeZqMP 
-----END CERTIFICATE-----
```

-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/885

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 23 Dec 2019 08:44:14 +0000
Subject: [gnutls-devel] GnuTLS | gnutls can't check certificate issuer correctly according to RFC5280 (#885)

Nikos Mavrogiannopoulos commented: Thank you for reporting this; this is however a known issue that will not be fixed. See https://gitlab.com/gnutls/gnutls/issues/553#note_101657335

-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/885#note_264163304
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 23 Dec 2019 08:44:14 +0000
Subject: [gnutls-devel] GnuTLS | gnutls can't check certificate issuer correctly according to RFC5280 (#885)

Issue was closed by Nikos Mavrogiannopoulos

Issue #885: https://gitlab.com/gnutls/gnutls/issues/885

-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/885

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 23 Dec 2019 08:52:35 +0000
Subject: [gnutls-devel] GnuTLS | gnutls-serv: do not exit on command failure (!1129)

Dmitry Eremin-Solenikov commented: LGTM. `tcp_server` functions have too many levels of depth, but I don't think it should be corrected in this MR.

-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1129#note_264166939
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 23 Dec 2019 08:52:58 +0000
Subject: [gnutls-devel] GnuTLS | gnutls-serv: do not exit on command failure (!1129)

Merge Request !1129 was approved by Dmitry Eremin-Solenikov

Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/1129
Project:Branches: nmav/gnutls:tmp-fix-serv-exit to gnutls/gnutls:master
Author: Nikos Mavrogiannopoulos
Assignees:

-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1129

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 23 Dec 2019 08:58:40 +0000
Subject: [gnutls-devel] libtasn1 | isdigit: replace with gnulib's c-ctype (!53)

Nikos Mavrogiannopoulos created a merge request: https://gitlab.com/gnutls/libtasn1/merge_requests/53

Branches: tmp-c-ctype to master
Author: Nikos Mavrogiannopoulos

This uses gnulib's c-ctype which ensures that locale will not affect string comparisons.

## Checklist

* [x] Code modified for feature
* [ ] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated

## Reviewer's checklist:

* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent with other code
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/merge_requests/53
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 23 Dec 2019 09:03:12 +0000
Subject: [gnutls-devel] GnuTLS | certtool: always set extensions from template (!1130)

Dmitry Eremin-Solenikov commented: LGTM. Has merge conflicts though.

-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1130#note_264175439

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 23 Dec 2019 09:03:21 +0000
Subject: [gnutls-devel] GnuTLS | certtool: always set extensions from template (!1130)

Merge Request !1130 was approved by Dmitry Eremin-Solenikov

Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/1130
Project:Branches: nmav/gnutls:tmp-certtool-crq to gnutls/gnutls:master
Author: Nikos Mavrogiannopoulos
Assignees:

-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1130
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 23 Dec 2019 09:33:42 +0000
Subject: [gnutls-devel] GnuTLS | gnutls can't check object identifier value correctly (#886)

llqll created an issue: https://gitlab.com/gnutls/gnutls/issues/886

An error occurred when I verified a certificate, and the certificate contains an object identifier (TLV) of `"0x06,0x11, 0xfa, 0x80, 0x0, 0x0, 0x0, 0xe, 0x1, 0xe, 0xfa, 0x80,0x0, 0x0, 0x0, 0xe, 0x63, 0x6f"`. The error is "error parsing CRTs: ASN1 parser: Error in DER parsing." Through debugging, I found that an error occurred while parsing that object identifier. The reason is that the leading octet has the value 0x80. But in the object identifier value, the leading octet is 0xfa. The basis of this check is `x.690 8.19` (Encoding of an object identifier value).

![image text](https://github.com/llqll/image/raw/master/g2.png)

After careful debugging, I found that the `asn1_get_object_id_der` function always checks the second byte instead of the leading byte of the object identifier value.

![image text](https://github.com/llqll/image/raw/master/g1.png)

In lib/decoding.c: asn1_get_object_id_der(), `der` points to the length of the TLV structure instead of the tag, and `der[len_len + k]` is the second byte of the object identifier value instead of the leading byte. Therefore, the function cannot properly check the encoding of the object identifier.

-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/886
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 23 Dec 2019 12:33:03 +0000
Subject: [gnutls-devel] GnuTLS | gnutls accepts certificates including two instance of a particular extension (#887)

llqll created an issue: https://gitlab.com/gnutls/gnutls/issues/887

I recently created a certificate chain [rootCA, intermediate certificate, leaf certificate], whose leaf certificate contains two Subject Key Identifier fields. Clearly, the leaf certificate violates Section 4.2, RFC5280: "A certificate MUST NOT include more than one instance of a particular extension." Meanwhile, the chain can still pass certificate verification with gnutls 3.6.11. The command I used is:

```
certtool --verify --load-ca-certificate 1.pem --infile leaf.pem
```

The verification returns:

```
Chain verification output: Verified. The certificate is trusted.
```

1.pem (it contains two certificates inside):

leaf.pem:

-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/887
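Added example, not libtasn1 or GnuTLS code, that covers both reports above: a strict X.690 8.19 object identifier decoder (the leading-octet rule issue #886 is about) and a duplicate-extension check over a DER Extensions SEQUENCE (the RFC 5280 4.2 rule issue #887 is about). The `tlv` helper and every sample byte string are constructed for this example; the reported OID is rebuilt from the value octets quoted in #886 with the length octet set to the 16 bytes actually shown.

```python
# Added example, not libtasn1 or GnuTLS code: a strict X.690 8.19 OBJECT
# IDENTIFIER decoder plus a duplicate-extension check over a DER Extensions
# SEQUENCE (RFC 5280 section 4.2). All sample bytes are constructed here.

def read_tlv(der: bytes, pos: int = 0):
    """Return (tag, value, end) for the DER TLV starting at der[pos].
    Short and long definite lengths only; DER never uses indefinite form."""
    if pos + 2 > len(der):
        raise ValueError("truncated TLV header")
    tag, length, pos = der[pos], der[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(der):
            raise ValueError("unsupported or truncated long-form length")
        length, pos = int.from_bytes(der[pos:pos + n], "big"), pos + n
    end = pos + length
    if end > len(der):
        raise ValueError("TLV value runs past end of buffer")
    return tag, der[pos:end], end

def decode_oid(value: bytes) -> str:
    """Decode OBJECT IDENTIFIER contents into dotted form, enforcing X.690
    8.19: subidentifiers are base 128, most significant octet first, the
    continuation bit is set on every octet but the last, and the *leading*
    octet of a subidentifier must not be 0x80 (a redundant leading zero).
    That leading octet is the byte issue #886 says libtasn1 looked past."""
    if not value:
        raise ValueError("empty OBJECT IDENTIFIER")
    arcs, sub, leading = [], 0, True
    for octet in value:
        if leading and octet == 0x80:
            raise ValueError("subidentifier starts with forbidden octet 0x80")
        sub, leading = (sub << 7) | (octet & 0x7F), False
        if not octet & 0x80:                 # last octet of this subidentifier
            arcs.append(sub)
            sub, leading = 0, True
    if not leading:
        raise ValueError("final octet still has the continuation bit set")
    first = arcs[0]                          # 8.19.4: first two arcs are packed
    x = 0 if first < 40 else 1 if first < 80 else 2
    return ".".join(str(a) for a in [x, first - 40 * x] + arcs[1:])

def decode_oid_tlv(der: bytes) -> str:
    """Decode one complete OBJECT IDENTIFIER TLV (tag 0x06)."""
    tag, value, end = read_tlv(der)
    if tag != 0x06 or end != len(der):
        raise ValueError("not a single OBJECT IDENTIFIER TLV")
    return decode_oid(value)

def oid_is_valid(der: bytes) -> bool:
    """True if der is a well-formed DER OBJECT IDENTIFIER TLV."""
    try:
        decode_oid_tlv(der)
        return True
    except ValueError:
        return False

def duplicate_extensions(extensions: bytes) -> list:
    """Given the DER of an X.509 Extensions SEQUENCE, return every extnID
    that occurs more than once. RFC 5280 4.2 forbids any repeat, so a
    non-empty result is a reason to fail verification, not to accept."""
    tag, seq, _ = read_tlv(extensions)
    if tag != 0x30:
        raise ValueError("Extensions must be a SEQUENCE")
    seen, dups, pos = set(), [], 0
    while pos < len(seq):
        etag, ext, pos = read_tlv(seq, pos)
        otag, oid_value, _ = read_tlv(ext)   # extnID is always the first field
        if etag != 0x30 or otag != 0x06:
            raise ValueError("malformed Extension")
        oid = decode_oid(oid_value)
        if oid in seen and oid not in dups:
            dups.append(oid)
        seen.add(oid)
    return dups

def tlv(tag: int, content: bytes) -> bytes:
    """Short-form DER TLV encoder, just enough to build the test data."""
    if len(content) > 127:
        raise ValueError("short form only")
    return bytes([tag, len(content)]) + content

# The value octets quoted in issue #886, with the length octet set to the 16
# bytes actually shown. Its second octet 0x80 is legal; only a leading 0x80
# is forbidden, so a correct parser accepts this OID.
REPORTED_OID = tlv(0x06, bytes.fromhex("fa800000000e010efa800000000e636f"))

# One clean Extensions SEQUENCE and one carrying subjectKeyIdentifier twice,
# the shape of the leaf.pem reported in issue #887.
SKI_OID = tlv(0x06, bytes([0x55, 0x1D, 0x0E]))       # 2.5.29.14
BC_OID = tlv(0x06, bytes([0x55, 0x1D, 0x13]))        # 2.5.29.19
SKI_EXT = tlv(0x30, SKI_OID + tlv(0x04, tlv(0x04, b"\xde\xad\xbe\xef")))
BC_EXT = tlv(0x30, BC_OID + tlv(0x04, tlv(0x30, b"")))
CLEAN_EXTENSIONS = tlv(0x30, SKI_EXT + BC_EXT)
DUPLICATE_EXTENSIONS = tlv(0x30, SKI_EXT + SKI_EXT + BC_EXT)
```

`decode_oid_tlv(REPORTED_OID)` decodes cleanly while `duplicate_extensions(DUPLICATE_EXTENSIONS)` returns `["2.5.29.14"]`, which is the outcome a verifier should turn into a rejection.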
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 23 Dec 2019 12:54:53 +0000
Subject: [gnutls-devel] libtasn1 | isdigit: replace with gnulib's c-ctype (!53)

Merge Request !53 was approved by Tim Rühsen

Merge Request url: https://gitlab.com/gnutls/libtasn1/merge_requests/53
Branches: tmp-c-ctype to master
Author: Nikos Mavrogiannopoulos
Assignees:

-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/merge_requests/53

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 23 Dec 2019 18:49:04 +0000
Subject: [gnutls-devel] libtasn1 | isdigit: replace with gnulib's c-ctype (!53)

Merge Request !53 was merged

Merge Request url: https://gitlab.com/gnutls/libtasn1/merge_requests/53
Branches: tmp-c-ctype to master
Author: Nikos Mavrogiannopoulos
Assignees:

-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/merge_requests/53
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 23 Dec 2019 18:52:49 +0000
Subject: [gnutls-devel] GnuTLS | Impossible to test post handshake authentication with tlsfuzzer (#868)

Issue was closed by Nikos Mavrogiannopoulos via merge request !1129 (https://gitlab.com/gnutls/gnutls/merge_requests/1129)

Issue #868: https://gitlab.com/gnutls/gnutls/issues/868

-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/868

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 23 Dec 2019 18:52:50 +0000
Subject: [gnutls-devel] GnuTLS | gnutls-serv: do not exit on command failure (!1129)

Merge Request !1129 was merged

Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/1129
Project:Branches: nmav/gnutls:tmp-fix-serv-exit to gnutls/gnutls:master
Author: Nikos Mavrogiannopoulos
Assignees:

-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1129
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 23 Dec 2019 18:55:15 +0000
Subject: [gnutls-devel] GnuTLS | certtool: always set extensions from template (!1130)

Nikos Mavrogiannopoulos pushed new commits to merge request !1130

https://gitlab.com/gnutls/gnutls/merge_requests/1130

* 838c04a7...2baf633b - 31 commits from branch `master`
* 2923c812 - tests: check certificate generation from certificate request
* c35490f0 - certtool: always set extensions from template

-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1130

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 23 Dec 2019 18:56:47 +0000
Subject: [gnutls-devel] GnuTLS | certtool: always set extensions from template (!1130)

Nikos Mavrogiannopoulos commented: Thank you. Rebased and set to auto-merge.

-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1130#note_264442537
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 23 Dec 2019 18:58:58 +0000
Subject: [gnutls-devel] GnuTLS | Improvements in gnutls-cli --benchmark-tls-kx (!1128)

All discussions on Merge Request !1128 were resolved by Nikos Mavrogiannopoulos

https://gitlab.com/gnutls/gnutls/merge_requests/1128

-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1128

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 23 Dec 2019 18:58:56 +0000
Subject: [gnutls-devel] GnuTLS | Improvements in gnutls-cli --benchmark-tls-kx (!1128)

Nikos Mavrogiannopoulos commented on a discussion on src/benchmark.h: https://gitlab.com/gnutls/gnutls/merge_requests/1128#note_264443001

> return (a->tv_sec - b->tv_sec) * 1000 + (a->tv_nsec - b->tv_nsec) / (1000 * 1000);
> }
>
> +inline static unsigned long

Thanks. updated.

-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1128#note_264443001

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 23 Dec 2019 18:59:33 +0000
Subject: [gnutls-devel] GnuTLS | guile: Arrange to make 'gnutls.scm' architecture-independent. (!1121)

Nikos Mavrogiannopoulos commented: @civodul ?
-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1121#note_264443097

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 23 Dec 2019 19:03:11 +0000
Subject: [gnutls-devel] GnuTLS | certtool --to-p12 seems to always require a password (#888)

Daniel Kahn Gillmor created an issue: https://gitlab.com/gnutls/gnutls/issues/888

It would be nice to permit `certtool --to-p12` to generate password-less PKCS#12 objects.

```
certtool --no-text --key-type rsa --hash SHA512 --bits 2048 --to-p12 --p12-name bob --password '' --load-privkey bob.key --load-ca-certificate ca.crt --load-certificate bob.crt --outfile bob.p12 < /dev/null
Generating a PKCS #12 structure...
Loading private key list...
Loaded 1 private keys.
bag_encrypt: The request is invalid.
```

Using `--null-password` or `--empty-password` is of course not the same thing as having no password set.

(fwiw, `--password ''` is a weird way to state "no password" -- it might be nicer to explicitly add `--no-password`. Also, it looks like `--ask-pass` is irrelevant for `--to-p12`, since it always requires a password)

-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/888
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 23 Dec 2019 19:03:49 +0000
Subject: [gnutls-devel] GnuTLS | Improvements in gnutls-cli --benchmark-tls-kx (!1128)

Merge Request !1128 was approved by Dmitry Eremin-Solenikov

Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/1128
Branches: tmp-gnutls-cli to master
Author: Nikos Mavrogiannopoulos
Assignees:

-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1128

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 23 Dec 2019 19:04:14 +0000
Subject: [gnutls-devel] GnuTLS | Improvements in gnutls-cli --benchmark-tls-kx (!1128)

Merge Request !1128 was unapproved by Dmitry Eremin-Solenikov

Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/1128
Branches: tmp-gnutls-cli to master
Author: Nikos Mavrogiannopoulos
Assignees:

-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1128
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 23 Dec 2019 19:04:22 +0000
Subject: [gnutls-devel] GnuTLS | Improvements in gnutls-cli --benchmark-tls-kx (!1128)

Merge Request !1128 was approved by Dmitry Eremin-Solenikov

Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/1128
Branches: tmp-gnutls-cli to master
Author: Nikos Mavrogiannopoulos
Assignees:

-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1128

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 23 Dec 2019 19:04:26 +0000
Subject: [gnutls-devel] GnuTLS | Improvements in gnutls-cli --benchmark-tls-kx (!1128)

Merge Request !1128 was merged

Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/1128
Branches: tmp-gnutls-cli to master
Author: Nikos Mavrogiannopoulos
Assignees:

-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1128
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 23 Dec 2019 20:07:18 +0000
Subject: [gnutls-devel] GnuTLS | certtool --to-p12 seems to always require a password (#888)

Daniel Kahn Gillmor commented: I note that I can launder the .p12 file through NSS's `pk12util` to remove the passwords on the embedded certificates:

```
nsstmp=$(mktemp -d)
pk12util -i bob.der.p12 -d "sql:$nsstmp"
pk12util -o bob.laundered.p12 -n bob -d "sql:$nsstmp" -W '' -C NONE
rm -rf "$nsstmp"
```

but even that laundered certificate has a passphrase (the empty string) on the private key material, despite having no passphrase for the certificates. Maybe it's not possible to store a cleartext private key in PKCS#12?

-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/888#note_264457141

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 23 Dec 2019 20:07:39 +0000
Subject: [gnutls-devel] GnuTLS | certtool: always set extensions from template (!1130)

Merge Request !1130 was merged

Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/1130
Project:Branches: nmav/gnutls:tmp-certtool-crq to gnutls/gnutls:master
Author: Nikos Mavrogiannopoulos
Assignees:

-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1130
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 23 Dec 2019 20:10:51 +0000
Subject: [gnutls-devel] GnuTLS | Do not tolerate invalid DER time (!1141)

Nikos Mavrogiannopoulos created a merge request: https://gitlab.com/gnutls/gnutls/merge_requests/1141

Project:Branches: nmav/gnutls:tmp-strict-x509-time to gnutls/gnutls:master
Author: Nikos Mavrogiannopoulos

This effectively reverts !400 and ensures that we no longer tolerate invalid DER time. This complements the previous commit by Lili Quan and ensures we provide the --disable-strict-der-time backwards compatibility option.

In practice this change together with Lili Quan's patch is a behavioral change of gnutls' DER parser (stricter checks), but with the option to disable at compile time, I believe we provide a good compromise between allowing broken certificates for longer than necessary.

Resolves: #207

## Checklist

* [ ] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [ ] Code modified for feature
* [ ] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
* [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:

* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1141
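Added example, not GnuTLS code, of what "not tolerating invalid DER time" means in practice: a parser for the UTCTime and GeneralizedTime values in X.509 validity fields that, in strict mode, accepts only the RFC 5280 section 4.1.2.5 profile (seconds present, `Z` present, no fractional seconds, no numeric offset) and, in lenient mode, tolerates the looser X.680 forms. The `strict` flag is this example's own stand-in for a build-time switch like the --disable-strict-der-time option above, and all sample encodings are constructed here.

```python
# Added example, not GnuTLS code: a strict parser for the two DER time types
# in X.509 validity fields, following RFC 5280 section 4.1.2.5. Strict mode
# accepts only YYMMDDHHMMSSZ (UTCTime) and YYYYMMDDHHMMSSZ (GeneralizedTime):
# seconds present, 'Z' present, no fraction, no numeric offset. The strict
# flag is this example's stand-in for a build-time switch such as the
# --disable-strict-der-time option discussed above; it is not that option.
import re
from datetime import datetime, timedelta, timezone

UTC_TIME, GENERALIZED_TIME = 0x17, 0x18
STRICT = {UTC_TIME: re.compile(r"\A(\d{10})(\d{2})(Z)\Z"),
          GENERALIZED_TIME: re.compile(r"\A(\d{12})(\d{2})(Z)\Z")}
# X.680 forms some issuers have emitted that the profile forbids: seconds
# omitted, a fractional part (GeneralizedTime only), or an offset instead of Z.
LENIENT = {UTC_TIME: re.compile(r"\A(\d{10})(\d{2})?(Z|[+-]\d{4})\Z"),
           GENERALIZED_TIME: re.compile(r"\A(\d{12})(\d{2})?(?:\.\d+)?(Z|[+-]\d{4})\Z")}

def parse_der_time(tag: int, value: bytes, strict: bool = True) -> datetime:
    """Decode a UTCTime or GeneralizedTime value into an aware UTC datetime.
    With strict=True anything outside the RFC 5280 profile raises ValueError."""
    if tag not in STRICT:
        raise ValueError("not a UTCTime or GeneralizedTime tag: 0x%02x" % tag)
    text = value.decode("ascii")                # DER time strings are ASCII
    m = (STRICT if strict else LENIENT)[tag].match(text)
    if m is None:
        raise ValueError("time %r rejected by %s policy" % (text, "strict" if strict else "lenient"))
    base, seconds, zone = m.group(1), m.group(2) or "00", m.group(3)
    if tag == UTC_TIME:
        yy = int(base[:2])                      # 4.1.2.5.1: 50-99 -> 19xx, 00-49 -> 20xx
        year, rest = (1900 if yy >= 50 else 2000) + yy, base[2:]
    else:
        year, rest = int(base[:4]), base[4:]
    month, day, hour, minute = (int(rest[i:i + 2]) for i in range(0, 8, 2))
    t = datetime(year, month, day, hour, minute, int(seconds), tzinfo=timezone.utc)
    if zone != "Z":                             # lenient only: fold offset into UTC
        sign = 1 if zone[0] == "+" else -1
        t -= sign * timedelta(hours=int(zone[1:3]), minutes=int(zone[3:5]))
    return t

def parse_der_time_tlv(der: bytes, strict: bool = True) -> datetime:
    """Same, starting from the tag/length/value as it sits in a certificate."""
    if len(der) < 2 or der[1] & 0x80 or len(der) != 2 + der[1]:
        raise ValueError("malformed DER time TLV")
    return parse_der_time(der[0], der[2:], strict)

def der_time_is_valid(der: bytes, strict: bool = True) -> bool:
    """True if the TLV decodes under the chosen policy."""
    try:
        parse_der_time_tlv(der, strict)
        return True
    except ValueError:                          # UnicodeDecodeError is a ValueError too
        return False

# Constructed samples: a strict UTCTime matching this merge request's
# timestamp, then three encodings a lenient parser tolerates but the
# strict profile rejects.
SAMPLE_STRICT = b"\x17\x0d" + b"191223201051Z"
SAMPLE_NO_SECONDS = b"\x17\x0b" + b"1912232010Z"
SAMPLE_FRACTION = b"\x18\x13" + b"20191223201051.123Z"
SAMPLE_OFFSET = b"\x18\x13" + b"20191223211051+0100"
```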
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 23 Dec 2019 20:15:26 +0000
Subject: [gnutls-devel] GnuTLS | Do not tolerate invalid DER time (!1141)

Nikos Mavrogiannopoulos pushed new commits to merge request !1141

https://gitlab.com/gnutls/gnutls/merge_requests/1141

* f7f12bed...58a45b8c - 8 commits from branch `master`
* 2d248522 - Do not tolerate invalid DER time

-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1141

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 24 Dec 2019 00:01:38 +0000
Subject: [gnutls-devel] GnuTLS | guile: Arrange to make 'gnutls.scm' architecture-independent. (!1121)

civodul commented on a discussion: https://gitlab.com/gnutls/gnutls/merge_requests/1121#note_264508787

Hi @ametzler,

(Sorry for the late reply; for some reason, I had not received a notification.)

So `pkg-config guile-2.2 --variable extensiondir` returns literally `$(GUILE_EXTENSION)`? Can you show your `guile-2.2.pc` file? The `guile-2.2.pc.in` template reads this:

```
extensiondir=@libdir@/guile/@GUILE_EFFECTIVE_VERSION@/extensions
```

... so I don't understand how one can end up with `$(GUILE_EXTENSION)`.

Thanks for your feedback,
Ludo'.

-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1121#note_264508787
From gnutls-devel at lists.gnutls.org Tue Dec 24 06:47:26 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 24 Dec 2019 05:47:26 +0000
Subject: [gnutls-devel] GnuTLS | guile: Arrange to make 'gnutls.scm' architecture-independent. (!1121)

Andreas Metzler commented on a discussion: https://gitlab.com/gnutls/gnutls/merge_requests/1121#note_264546862

@civodul wrote [...]
> So `pkg-config guile-2.2 --variable extensiondir` returns literally `$(GUILE_EXTENSION)`?

Hello,

No, "$guileextensiondir" has that value, pkg-config output is sane. (See previous message for exact results.)

cu Andreas

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1121#note_264546862

From gnutls-devel at lists.gnutls.org Tue Dec 24 14:32:44 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 24 Dec 2019 13:32:44 +0000
Subject: [gnutls-devel] GnuTLS | Benchmark GOST ciphers/ciphersuites (!1142)

Dmitry Eremin-Solenikov created a merge request: https://gitlab.com/gnutls/gnutls/merge_requests/1142

Project:Branches: GostCrypt/gnutls:gost-bench to gnutls/gnutls:master
Author: Dmitry Eremin-Solenikov

Add a description of the new feature/bug fix. Reference any relevant bugs.

## Checklist

* [x] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [x] Code modified for feature
* [ ] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [x] Documentation updated / NEWS entry present (for non-trivial changes)
* [x] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:

* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1142

From gnutls-devel at lists.gnutls.org Tue Dec 24 14:38:24 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 24 Dec 2019 13:38:24 +0000
Subject: [gnutls-devel] GnuTLS | Add support for russian GOST cryptography (#52)

Dmitry Eremin-Solenikov commented:

So far support for GOST PKI infrastructure and for GOST ciphers/digests/MACs went in. GnuTLS 3.6.12 will have support for one of GOST TLS ciphersuites described in [draft-smyshlyaev-tls12-gost-suites](https://tools.ietf.org/html/draft-smyshlyaev-tls12-gost-suites).

@nmav thanks a lot for your patience and for your constant collaboration!

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/52#note_264685781
From gnutls-devel at lists.gnutls.org Tue Dec 24 14:40:13 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 24 Dec 2019 13:40:13 +0000
Subject: [gnutls-devel] GnuTLS | Add support for CNT_IMIT TLS 1.2 GOST cipher suite (!920)

Merge Request !920 was closed by Dmitry Eremin-Solenikov

Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/920
Project:Branches: GostCrypt/gnutls:gost-cleaned-cnt to gnutls/gnutls:master
Author: Dmitry Eremin-Solenikov
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/920

From gnutls-devel at lists.gnutls.org Tue Dec 24 14:40:12 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 24 Dec 2019 13:40:12 +0000
Subject: [gnutls-devel] GnuTLS | Add support for CNT_IMIT TLS 1.2 GOST cipher suite (!920)

Dmitry Eremin-Solenikov commented:

Closing now. Most of the patches went in.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/920#note_264686268
From gnutls-devel at lists.gnutls.org Tue Dec 24 14:41:41 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 24 Dec 2019 13:41:41 +0000
Subject: [gnutls-devel] GnuTLS | Add support for russian GOST cryptography (#52)

Issue was closed by Dmitry Eremin-Solenikov

Issue #52: https://gitlab.com/gnutls/gnutls/issues/52

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/52

From gnutls-devel at lists.gnutls.org Tue Dec 24 14:42:07 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 24 Dec 2019 13:42:07 +0000
Subject: [gnutls-devel] GnuTLS | fuzzying: add GOST traces and certificates (#880)

Reassigned Issue 880

https://gitlab.com/gnutls/gnutls/issues/880
Assignee changed to Dmitry Eremin-Solenikov

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/880
From gnutls-devel at lists.gnutls.org Tue Dec 24 15:42:28 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 24 Dec 2019 14:42:28 +0000
Subject: [gnutls-devel] GnuTLS | Do not tolerate invalid DER time (!1141)

Tim Rühsen started a new discussion on lib/x509/common.h: https://gitlab.com/gnutls/gnutls/merge_requests/1141#note_264703003

> inline static int _asn1_strict_der_decode (asn1_node * element, const void *ider,
> int len, char *errorDescription)
> {
> -#ifdef ASN1_DECODE_FLAG_ALLOW_INCORRECT_TIME
> -# define _ASN1_DER_FLAGS ASN1_DECODE_FLAG_ALLOW_INCORRECT_TIME|ASN1_DECODE_FLAG_STRICT_DER
> -#else
> +#if defined(STRICT_DER_TIME) || !defined(ASN1_DECODE_FLAG_ALLOW_INCORRECT_TIME)
> # define _ASN1_DER_FLAGS ASN1_DECODE_FLAG_STRICT_DER
> +#else
> +# define _ASN1_DER_FLAGS ASN1_DECODE_FLAG_ALLOW_INCORRECT_TIME|ASN1_DECODE_FLAG_STRICT_DER

Not MR related, but parenthesis around the #define value would be nice. Else LGTM.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1141#note_264703003

From gnutls-devel at lists.gnutls.org Tue Dec 24 15:42:34 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 24 Dec 2019 14:42:34 +0000
Subject: [gnutls-devel] GnuTLS | Do not tolerate invalid DER time (!1141)

Merge Request !1141 was approved by Tim Rühsen

Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/1141
Project:Branches: nmav/gnutls:tmp-strict-x509-time to gnutls/gnutls:master
Author: Nikos Mavrogiannopoulos
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1141
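Review bot: the `#else` branch of the lib/x509/common.h hunk defines `_ASN1_DER_FLAGS` as `ASN1_DECODE_FLAG_ALLOW_INCORRECT_TIME|ASN1_DECODE_FLAG_STRICT_DER` without enclosing parentheses, so a later use such as `_ASN1_DER_FLAGS & mask` expands to `ASN1_DECODE_FLAG_ALLOW_INCORRECT_TIME | (ASN1_DECODE_FLAG_STRICT_DER & mask)` because `&` binds tighter than `|`; write it as `# define _ASN1_DER_FLAGS (ASN1_DECODE_FLAG_ALLOW_INCORRECT_TIME | ASN1_DECODE_FLAG_STRICT_DER)`. The new `#if defined(STRICT_DER_TIME) || !defined(ASN1_DECODE_FLAG_ALLOW_INCORRECT_TIME)` condition is otherwise sound: it selects strict decoding both when the option is enabled and when the installed libtasn1 offers no tolerance flag at all.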
From gnutls-devel at lists.gnutls.org Tue Dec 24 15:49:55 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 24 Dec 2019 14:49:55 +0000
Subject: [gnutls-devel] GnuTLS | UB+ASAN: Fail tests if UB detected (!1136)

Tim Rühsen pushed new commits to merge request !1136
https://gitlab.com/gnutls/gnutls/merge_requests/1136

* f7f12bed...58a45b8c - 17 commits from branch `master`
* bf1cef87 - UBSAN: Fail tests if UB detected
* f0936f22 - Fix implicit value change in verify-high.c
* 75c74663 - handshake.c: Suppress warning in fuzzing build
* c402b804 - rnd-fuzzer.c: Suppress shift sanitization check
* 554884eb - status_request.c: Silence -Wsign-compare
* 0cbd55df - certtool-cfg.c: Silence -Wunused-variable if HAVE_IPV6 not set
* 052b3e99 - Fix 2x -Wunused-function in tests/
* 7cea0d44 - Fix -Wtypedef-redefinition in tests/tls13/anti_replay.c [skip ci]
* 7b79aae5 - Fix "left shift cannot be represented in type 'int'" in hello_ext.[ch]
* 30719169 - Fix "implicit conversion from type 'int' of value -1 to 'unsigned'"
* f5acf775 - Fix "implicit conversion from type 'int' of value -1 to 'unsigned'"
* a31717e2 - Fix "implicit conversion from type 'int' of value -1 to 'unsigned'"
* 5234e8ad - Fix "implicit conversion from type 'int' of value -1 to 'unsigned'"
* 87abf6e8 - Fix "implicit conversion from type 'int' < 0 to 'unsigned'"
* 61f9b9e2 - Fix "implicit conversion from type 'int' < 0 to 'unsigned'"
* 9c5ff13e - Fix "implicit conversion from type 'int' -1 to 'unsigned'"
* ed60ad9f - Fix "implicit conversion from type 'uint32_t' to 'uint8_t' with value >255"
* 2bcf6d33 - Fix checks in mpi.c:__gnutls_x509_write_int()
* cddb1e6e - Suppress integer UB checks in record.c:record_read_headers()
* 59c37451 - Fix "implicit conversion from type 'int' -1 to 'unsigned'"
* 7bf92ccf - Use check_for_datefudge in tests
* dfec13eb - Fix NULL ptr access in _gnutls_iov_iter_next()
* 6aca0a00 - Temporarily disable test 'eagain.sh' until #884 is fixed

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1136

From gnutls-devel at lists.gnutls.org Wed Dec 25 14:18:51 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 25 Dec 2019 13:18:51 +0000
Subject: [gnutls-devel] GnuTLS | UB+ASAN: Fail tests if UB detected (!1136)

Tim Rühsen pushed new commits to merge request !1136
https://gitlab.com/gnutls/gnutls/merge_requests/1136

* 3063c36f - UBSAN: Fail tests if UB detected
* 34c74d67 - Fix implicit value change in verify-high.c
* 014b0211 - handshake.c: Suppress warning in fuzzing build
* 22b2f4e1 - rnd-fuzzer.c: Suppress shift sanitization check
* 52dd549f - status_request.c: Silence -Wsign-compare
* 9216a94e - certtool-cfg.c: Silence -Wunused-variable if HAVE_IPV6 not set
* a69ea09d - Fix 2x -Wunused-function in tests/
* 9b8c6371 - Fix -Wtypedef-redefinition in tests/tls13/anti_replay.c [skip ci]
* a6fd22af - Fix "left shift cannot be represented in type 'int'" in hello_ext.[ch]
* 2484075e - Fix "implicit conversion from type 'int' of value -1 to 'unsigned'"
* 595f1e28 - Fix "implicit conversion from type 'int' of value -1 to 'unsigned'"
* 92d71ef1 - Fix "implicit conversion from type 'int' of value -1 to 'unsigned'"
* c0f23007 - Fix "implicit conversion from type 'int' of value -1 to 'unsigned'"
* 73d23772 - Fix "implicit conversion from type 'int' < 0 to 'unsigned'"
* 7591ee9b - Fix "implicit conversion from type 'int' < 0 to 'unsigned'"
* e5f18482 - Fix "implicit conversion from type 'int' -1 to 'unsigned'"
* 34ab4f55 - Fix "implicit conversion from type 'uint32_t' to 'uint8_t' with value >255"
* f8b69791 - Fix checks in mpi.c:__gnutls_x509_write_int()
* 228dfc51 - Suppress integer UB checks in record.c:record_read_headers()
* ae25d401 - Fix "implicit conversion from type 'int' -1 to 'unsigned'"
* 7bda19e5 - Use check_for_datefudge in tests
* f754a662 - Fix NULL ptr access in _gnutls_iov_iter_next()
* 370a4241 - Temporarily disable test 'eagain.sh' until #884 is fixed

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1136

From gnutls-devel at lists.gnutls.org Wed Dec 25 18:33:00 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 25 Dec 2019 17:33:00 +0000
Subject: [gnutls-devel] GnuTLS | UB+ASAN: Fail tests if UB detected (!1136)

Tim Rühsen commented:

The timeout in `mini-overhead` seen in runner `UB+ASAN-Werror.Fedora.x86_64.clang` is not reproducible locally (using the Fedora 31 image from the Gitlab registry). I currently have no idea...

The failure of `ocsp-tests/ocsp-must-staple-connection` seen in runner `Debian.cross.i686-linux-gnu` seems unrelated:

```
...
=== Test 5: Server with valid certificate - expired staple ===
ERROR: ld.so: object 'datefudge.so' from LD_PRELOAD cannot be preloaded (wrong ELF class: ELFCLASS32): ignored.
Echo Server listening on IPv4 0.0.0.0 port 46538...done
Echo Server listening on IPv6 :: port 46538...done
Exiting via signal 15
Running gnutls-serv with an expired response, succeeds!
FAIL ocsp-tests/ocsp-must-staple-connection (exit status: 1)
```

Is it possible that `datefudge` doesn't work correctly and `tests/scripts/common/check_for_datefudge` does not catch it?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1136#note_264926317
From gnutls-devel at lists.gnutls.org Thu Dec 26 07:45:25 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 26 Dec 2019 06:45:25 +0000
Subject: [gnutls-devel] GnuTLS | do not tolerate DER encoded certificates with invalid time format (#207)

Milestone changed to Release of GnuTLS 3.6.12 (Dec 1, 2019–Feb 1, 2020) ( https://gitlab.com/gnutls/gnutls/-/milestones/26 )

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/207

From gnutls-devel at lists.gnutls.org Thu Dec 26 07:45:22 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 26 Dec 2019 06:45:22 +0000
Subject: [gnutls-devel] GnuTLS | do not tolerate DER encoded certificates with invalid time format (#207)

Reassigned Issue 207

https://gitlab.com/gnutls/gnutls/issues/207
Assignee changed to Nikos Mavrogiannopoulos

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/207
From gnutls-devel at lists.gnutls.org Thu Dec 26 07:47:00 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 26 Dec 2019 06:47:00 +0000
Subject: [gnutls-devel] GnuTLS | Do not tolerate invalid DER time (!1141)

Nikos Mavrogiannopoulos pushed new commits to merge request !1141
https://gitlab.com/gnutls/gnutls/merge_requests/1141

* 49d27a55 - x509: do not tolerate invalid DER time

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1141

From gnutls-devel at lists.gnutls.org Thu Dec 26 07:47:05 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 26 Dec 2019 06:47:05 +0000
Subject: [gnutls-devel] GnuTLS | Do not tolerate invalid DER time (!1141)

Nikos Mavrogiannopoulos commented on a discussion on lib/x509/common.h: https://gitlab.com/gnutls/gnutls/merge_requests/1141#note_264987653

> inline static int _asn1_strict_der_decode (asn1_node * element, const void *ider,
> int len, char *errorDescription)
> {
> -#ifdef ASN1_DECODE_FLAG_ALLOW_INCORRECT_TIME
> -# define _ASN1_DER_FLAGS ASN1_DECODE_FLAG_ALLOW_INCORRECT_TIME|ASN1_DECODE_FLAG_STRICT_DER
> -#else
> +#if defined(STRICT_DER_TIME) || !defined(ASN1_DECODE_FLAG_ALLOW_INCORRECT_TIME)
> # define _ASN1_DER_FLAGS ASN1_DECODE_FLAG_STRICT_DER
> +#else
> +# define _ASN1_DER_FLAGS ASN1_DECODE_FLAG_ALLOW_INCORRECT_TIME|ASN1_DECODE_FLAG_STRICT_DER

Done.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1141#note_264987653
From gnutls-devel at lists.gnutls.org Thu Dec 26 07:47:24 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 26 Dec 2019 06:47:24 +0000
Subject: [gnutls-devel] GnuTLS | Do not tolerate invalid DER time (!1141)

All discussions on Merge Request !1141 were resolved by Nikos Mavrogiannopoulos

https://gitlab.com/gnutls/gnutls/merge_requests/1141

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1141

From gnutls-devel at lists.gnutls.org Thu Dec 26 10:31:21 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 26 Dec 2019 09:31:21 +0000
Subject: [gnutls-devel] GnuTLS | do not tolerate DER encoded certificates with invalid time format (#207)

Issue was closed by Nikos Mavrogiannopoulos via merge request !1141 (https://gitlab.com/gnutls/gnutls/merge_requests/1141)

Issue #207: https://gitlab.com/gnutls/gnutls/issues/207

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/207
From gnutls-devel at lists.gnutls.org Thu Dec 26 10:31:21 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 26 Dec 2019 09:31:21 +0000
Subject: [gnutls-devel] GnuTLS | Do not tolerate invalid DER time (!1141)

Merge Request !1141 was merged

Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/1141
Project:Branches: nmav/gnutls:tmp-strict-x509-time to gnutls/gnutls:master
Author: Nikos Mavrogiannopoulos
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1141

From gnutls-devel at lists.gnutls.org Thu Dec 26 13:18:32 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 26 Dec 2019 12:18:32 +0000
Subject: [gnutls-devel] GnuTLS | Do not tolerate invalid DER time (!1141)

Tim Rühsen commented on a discussion on lib/x509/common.h: https://gitlab.com/gnutls/gnutls/merge_requests/1141#note_265075928

> inline static int _asn1_strict_der_decode (asn1_node * element, const void *ider,
> int len, char *errorDescription)
> {
> -#ifdef ASN1_DECODE_FLAG_ALLOW_INCORRECT_TIME
> -# define _ASN1_DER_FLAGS ASN1_DECODE_FLAG_ALLOW_INCORRECT_TIME|ASN1_DECODE_FLAG_STRICT_DER
> -#else
> +#if defined(STRICT_DER_TIME) || !defined(ASN1_DECODE_FLAG_ALLOW_INCORRECT_TIME)
> # define _ASN1_DER_FLAGS ASN1_DECODE_FLAG_STRICT_DER
> +#else
> +# define _ASN1_DER_FLAGS ASN1_DECODE_FLAG_ALLOW_INCORRECT_TIME|ASN1_DECODE_FLAG_STRICT_DER

Sorry for not being precise - I meant

```
# define _ASN1_DER_FLAGS (ASN1_DECODE_FLAG_ALLOW_INCORRECT_TIME | ASN1_DECODE_FLAG_STRICT_DER)
```

Because `&` and others have precedence over `|`, using `_ASN1_DER_FLAGS` might cause unwanted behavior and hard to find bugs under certain conditions.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1141#note_265075928

From gnutls-devel at lists.gnutls.org Thu Dec 26 18:56:21 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 26 Dec 2019 17:56:21 +0000
Subject: [gnutls-devel] GnuTLS | guile: Arrange to make 'gnutls.scm' architecture-independent. (!1121)

civodul pushed new commits to merge request !1121
https://gitlab.com/gnutls/gnutls/merge_requests/1121

* fba9533e - guile: Arrange to make 'gnutls.scm' architecture-independent.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1121

From gnutls-devel at lists.gnutls.org Thu Dec 26 18:57:34 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 26 Dec 2019 17:57:34 +0000
Subject: [gnutls-devel] GnuTLS | guile: Arrange to make 'gnutls.scm' architecture-independent. (!1121)

civodul commented:

@ametzler: oops, my bad, could you check with fba9533e260d98e1152bd263ec893458d5f81fd2? Thanks!

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1121#note_265157984
From gnutls-devel at lists.gnutls.org Thu Dec 26 19:24:45 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 26 Dec 2019 18:24:45 +0000
Subject: [gnutls-devel] GnuTLS | Do not tolerate invalid DER time (!1141)

Nikos Mavrogiannopoulos commented on a discussion on lib/x509/common.h: https://gitlab.com/gnutls/gnutls/merge_requests/1141#note_265162592

> inline static int _asn1_strict_der_decode (asn1_node * element, const void *ider,
> int len, char *errorDescription)
> {
> -#ifdef ASN1_DECODE_FLAG_ALLOW_INCORRECT_TIME
> -# define _ASN1_DER_FLAGS ASN1_DECODE_FLAG_ALLOW_INCORRECT_TIME|ASN1_DECODE_FLAG_STRICT_DER
> -#else
> +#if defined(STRICT_DER_TIME) || !defined(ASN1_DECODE_FLAG_ALLOW_INCORRECT_TIME)
> # define _ASN1_DER_FLAGS ASN1_DECODE_FLAG_STRICT_DER
> +#else
> +# define _ASN1_DER_FLAGS ASN1_DECODE_FLAG_ALLOW_INCORRECT_TIME|ASN1_DECODE_FLAG_STRICT_DER

Isn't that what the final code has? I see the parenthesis in the second define.

```
#if defined(STRICT_DER_TIME) || !defined(ASN1_DECODE_FLAG_ALLOW_INCORRECT_TIME)
# define _ASN1_DER_FLAGS ASN1_DECODE_FLAG_STRICT_DER
#else
# define _ASN1_DER_FLAGS (ASN1_DECODE_FLAG_ALLOW_INCORRECT_TIME|ASN1_DECODE_FLAG_STRICT_DER)
#endif
```

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1141#note_265162592
From gnutls-devel at lists.gnutls.org Thu Dec 26 19:26:50 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 26 Dec 2019 18:26:50 +0000
Subject: [gnutls-devel] GnuTLS | Do not tolerate invalid DER time (!1141)

Tim Rühsen commented on a discussion on lib/x509/common.h: https://gitlab.com/gnutls/gnutls/merge_requests/1141#note_265162936

> inline static int _asn1_strict_der_decode (asn1_node * element, const void *ider,
> int len, char *errorDescription)
> {
> -#ifdef ASN1_DECODE_FLAG_ALLOW_INCORRECT_TIME
> -# define _ASN1_DER_FLAGS ASN1_DECODE_FLAG_ALLOW_INCORRECT_TIME|ASN1_DECODE_FLAG_STRICT_DER
> -#else
> +#if defined(STRICT_DER_TIME) || !defined(ASN1_DECODE_FLAG_ALLOW_INCORRECT_TIME)
> # define _ASN1_DER_FLAGS ASN1_DECODE_FLAG_STRICT_DER
> +#else
> +# define _ASN1_DER_FLAGS ASN1_DECODE_FLAG_ALLOW_INCORRECT_TIME|ASN1_DECODE_FLAG_STRICT_DER

Oh, sorry, my bad (somehow Gitlab UI tricked me).

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1141#note_265162936

From gnutls-devel at lists.gnutls.org Thu Dec 26 20:11:09 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 26 Dec 2019 19:11:09 +0000
Subject: [gnutls-devel] GnuTLS | Workaround for SChannel limitations (!1138)

Nikos Mavrogiannopoulos started a new discussion on lib/ext/signature.c: https://gitlab.com/gnutls/gnutls/merge_requests/1138#note_265170563

> &epriv);
> priv = epriv;
>
> +#ifdef ENABLE_GOST
> + /* Some (all SChannel) clients fail to send proper SigAlgs due to Micro$oft crazyness.
> + * Patch the extension for them.

To my understanding you handle a few cases below: (a) no SignatureAlgorithms extension, (b) SignatureAlgorithms extension present but no GOST algorithms. Are they both behaviors of this server? For the former wouldn't it make sense to plug on the existing code which sets a default based on SHA1, and set something relevant as default for GOST? On the latter I think a similar fallback logic would be more clear on its purpose.

I think also moving the gost-specific logic outside this function would help keep it simple (e.g., something like is_gost_sig_present() instead of the whole loop). We may also keep this code inside a special ifdef so it is clear that it is a "temporary" workaround that can be removed at some point in the future (see TLS13_APPENDIX_D4 for a similar hack).

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1138#note_265170563

From gnutls-devel at lists.gnutls.org Thu Dec 26 20:14:38 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 26 Dec 2019 19:14:38 +0000
Subject: [gnutls-devel] GnuTLS | Workaround for SChannel limitations (!1138)

Nikos Mavrogiannopoulos started a new discussion on lib/ext/signature.c: https://gitlab.com/gnutls/gnutls/merge_requests/1138#note_265171079

> &epriv);
> priv = epriv;
>
> +#ifdef ENABLE_GOST
> + /* Some (all SChannel) clients fail to send proper SigAlgs due to Micro$oft crazyness.
> + * Patch the extension for them.
> + */
> + if (_gnutls_kx_is_vko_gost(kx_algorithm)) {
> + bool found_gost = false;
> +
> + /* If there was no SigAlgs at all */
> + if (ret < 0 && _gnutls_version_has_selectable_sighash(ver)) {
> + priv = gnutls_calloc(1, sizeof(*priv));

This should not be necessary if handled as fallback similarly to SHA1, right?
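Review bot: the comment opening the `#ifdef ENABLE_GOST` block ("Some (all SChannel) clients fail to send proper SigAlgs due to Micro$oft crazyness") should state the concrete interoperability behaviour being worked around, namely that these clients either omit the signature_algorithms extension or send one without any GOST algorithm, since those are the two conditions the code below tests for; a reader maintaining this in a year needs the observed behaviour, not the sentiment. The quoted lines also end right at `priv = gnutls_calloc(1, sizeof(*priv));`, which replaces the `priv = epriv;` assignment above it: make sure a NULL return is handled with `GNUTLS_E_MEMORY_ERROR` before `priv` is dereferenced, and that the original `epriv` value is not leaked or left dangling when the new allocation takes its place.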
--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1138#note_265171079

From gnutls-devel at lists.gnutls.org Thu Dec 26 20:16:44 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 26 Dec 2019 19:16:44 +0000
Subject: [gnutls-devel] GnuTLS | Workaround for SChannel limitations (!1138)

Nikos Mavrogiannopoulos started a new discussion on tests/tls12-server-kx-neg.c: https://gitlab.com/gnutls/gnutls/merge_requests/1138#note_265171394

> .server_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+GOST28147-TC26Z-CNT:+GOST28147-TC26Z-IMIT:+SIGN-GOSTR341012-512:+SIGN-GOSTR341012-256:+SIGN-GOSTR341001:-VERS-ALL:+VERS-TLS1.2",
> .client_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+GOST28147-TC26Z-CNT:+GOST28147-TC26Z-IMIT:+SIGN-GOSTR341012-512:+SIGN-GOSTR341012-256:+SIGN-GOSTR341001:-VERS-ALL:+VERS-TLS1.2"
> },
> + {
> + .name = "TLS 1.2 VKO-GOST-12 with cred and GOST12-256 cert lacking signature algs",

It may be more clear to explicitly call out that the client is lacking signature algs.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1138#note_265171394
From gnutls-devel at lists.gnutls.org Thu Dec 26 20:17:23 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 26 Dec 2019 19:17:23 +0000
Subject: [gnutls-devel] GnuTLS | Workaround for SChannel limitations (!1138)

Nikos Mavrogiannopoulos started a new discussion on tests/tls12-server-kx-neg.c: https://gitlab.com/gnutls/gnutls/merge_requests/1138#note_265171492

> .server_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+GOST28147-TC26Z-CNT:+GOST28147-TC26Z-IMIT:+SIGN-GOSTR341012-512:+SIGN-GOSTR341012-256:+SIGN-GOSTR341001:-VERS-ALL:+VERS-TLS1.2",
> .client_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+GOST28147-TC26Z-CNT:+GOST28147-TC26Z-IMIT:+SIGN-GOSTR341012-512:+SIGN-GOSTR341012-256:+SIGN-GOSTR341001:-VERS-ALL:+VERS-TLS1.2"
> },
> + {
> + .name = "TLS 1.2 VKO-GOST-12 with cred and GOST12-256 cert lacking signature algs",
> + .server_ret = 0,
> + .client_ret = 0,
> + .have_cert_cred = 1,
> + .have_gost12_256_cert = 1,
> + .not_on_fips = 1,
> + .server_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+GOST28147-TC26Z-CNT:+GOST28147-TC26Z-IMIT:+SIGN-GOSTR341012-512:+SIGN-GOSTR341012-256:+SIGN-GOSTR341001:-VERS-ALL:+VERS-TLS1.2",
> + .client_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+GOST28147-TC26Z-CNT:+GOST28147-TC26Z-IMIT:+SIGN-GOSTR341012-512:+SIGN-GOSTR341012-256:+SIGN-GOSTR341001:-VERS-ALL:+VERS-TLS1.2:-SIGN-ALL:+SIGN-RSA-SHA256"

Is it needed to have the GOST sigs added and then removed with -SIGN-ALL? If not it may be easier to read without it.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1138#note_265171492
From gnutls-devel at lists.gnutls.org Thu Dec 26 20:18:46 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 26 Dec 2019 19:18:46 +0000
Subject: [gnutls-devel] GnuTLS | Workaround for SChannel limitations (!1138)

Nikos Mavrogiannopoulos started a new discussion on tests/tls12-server-kx-neg.c: https://gitlab.com/gnutls/gnutls/merge_requests/1138#note_265171807

> + .client_ret = 0,
> + .have_cert_cred = 1,
> + .have_gost12_256_cert = 1,
> + .not_on_fips = 1,
> + .server_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+GOST28147-TC26Z-CNT:+GOST28147-TC26Z-IMIT:+SIGN-GOSTR341012-512:+SIGN-GOSTR341012-256:+SIGN-GOSTR341001:-VERS-ALL:+VERS-TLS1.2",
> + .client_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+GOST28147-TC26Z-CNT:+GOST28147-TC26Z-IMIT:+SIGN-GOSTR341012-512:+SIGN-GOSTR341012-256:+SIGN-GOSTR341001:-VERS-ALL:+VERS-TLS1.2:-SIGN-ALL:+SIGN-RSA-SHA256"
> + },
> + {
> + .name = "TLS 1.2 VKO-GOST-12 with cred and GOST12-512 cert lacking signature algs",
> + .server_ret = 0,
> + .client_ret = 0,
> + .have_cert_cred = 1,
> + .have_gost12_512_cert = 1,
> + .not_on_fips = 1,
> + .server_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+GOST28147-TC26Z-CNT:+GOST28147-TC26Z-IMIT:+SIGN-GOSTR341012-512:+SIGN-GOSTR341012-256:+SIGN-GOSTR341001:-VERS-ALL:+VERS-TLS1.2",
> + .client_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+GOST28147-TC26Z-CNT:+GOST28147-TC26Z-IMIT:+SIGN-GOSTR341012-512:+SIGN-GOSTR341012-256:+SIGN-GOSTR341001:-VERS-ALL:+VERS-TLS1.2:-SIGN-ALL:+SIGN-RSA-SHA256"

same here

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1138#note_265171807
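Review bot: both new entries in tests/tls12-server-kx-neg.c ("... GOST12-256 cert lacking signature algs" and "... GOST12-512 cert lacking signature algs") set `.server_ret = 0` and `.client_ret = 0`, so the table only shows that the workaround makes the handshake succeed; add a companion entry with the same `-SIGN-ALL:+SIGN-RSA-SHA256` client priority but a non-GOST key exchange and a failing expected result, otherwise a change that relaxes signature-algorithm matching in general would pass these tests just as well. The `.client_prio` strings also add `+SIGN-GOSTR341012-512:+SIGN-GOSTR341012-256:+SIGN-GOSTR341001` only to discard them again with `-SIGN-ALL`; listing only what the client finally offers would make the scenario readable at a glance.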
URL: From gnutls-devel at lists.gnutls.org Thu Dec 26 20:21:48 2019 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 26 Dec 2019 19:21:48 +0000 Subject: [gnutls-devel] GnuTLS | Benchmark GOST ciphers/ciphersuites (!1142) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos started a new discussion on lib/crypto-api.c: https://gitlab.com/gnutls/gnutls/merge_requests/1142#note_265172341 > return _gnutls_mac_get_algo_len(mac_to_entry(algorithm)); > } > > +/** > + * gnutls_hmac_get_key_size: > + * @algorithm: the mac algorithm to use > + * > + * This function will return the size of the key to be used with this algorithm. We may want to clarify that this is a size associated with TLS requirements. What do you think on something like "on the algorithms which may accept arbitrary key sizes, the returned size is the MAC key size used in the TLS protocol"? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1142#note_265172341 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Dec 26 20:23:52 2019 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 26 Dec 2019 19:23:52 +0000 Subject: [gnutls-devel] GnuTLS | Benchmark GOST ciphers/ciphersuites (!1142) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos commented: Other than the comment on function description, LGTM. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1142#note_265173108 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... 
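Review bot: the new doc comment for `gnutls_hmac_get_key_size()` says "the size of the key to be used with this algorithm" but gives no unit and does not say what is returned for an unknown `@algorithm` or for a MAC that accepts arbitrary key lengths; the other descriptions in lib/crypto-api.c end with `Returns:` and `Since:` lines, so add both and state that for variable-key-length MACs the value is the key size the TLS protocol uses, in bytes.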
URL: From gnutls-devel at lists.gnutls.org Thu Dec 26 20:27:04 2019 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 26 Dec 2019 19:27:04 +0000 Subject: [gnutls-devel] GnuTLS | gnutls accepts certificates including two instance of a particular extension (#887) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos commented: Thank you for your report. This is already known and tracked in #872, however this report is more clear and concise so I'm keeping this as primary. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/887#note_265174013 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Dec 26 20:27:08 2019 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 26 Dec 2019 19:27:08 +0000 Subject: [gnutls-devel] GnuTLS | gnutls accepts certificates including two instance of a particular extension (#887) In-Reply-To: References: Message-ID: Milestone changed to Release of GnuTLS 3.6.12 (Dec 1, 2019 - Feb 1, 2020) ( https://gitlab.com/gnutls/gnutls/-/milestones/26 ) -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/887 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Dec 26 20:27:32 2019 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 26 Dec 2019 19:27:32 +0000 Subject: [gnutls-devel] GnuTLS | Should a certificate with two SAN instances be rejected? (#872) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos commented: Closing as duplicate of #887. 
-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/872#note_265174072 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Dec 26 20:27:32 2019 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 26 Dec 2019 19:27:32 +0000 Subject: [gnutls-devel] GnuTLS | Should a certificate with two SAN instances be rejected? (#872) In-Reply-To: References: Message-ID: Issue was closed by Nikos Mavrogiannopoulos Issue #872: https://gitlab.com/gnutls/gnutls/issues/872 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/872 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Dec 27 10:00:20 2019 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 27 Dec 2019 09:00:20 +0000 Subject: [gnutls-devel] GnuTLS | Benchmark GOST ciphers/ciphersuites (!1142) In-Reply-To: References: Message-ID: Dmitry Eremin-Solenikov pushed new commits to merge request !1142 https://gitlab.com/gnutls/gnutls/merge_requests/1142 * 49d27a55...0af5ee94 - 2 commits from branch `master` * 650b60cc - nettle/gost: remove gost28147_imit_init * 60377065 - crypto-api: add gnutls_hmac_get_key_size() function * afae0d3a - benchmark: use mac key size instead of block size * 4a6a7b83 - benchmark: support benchmarking GOST ciphers/MACs * 1babf0c5 - benchmark: enable benchmarking of GOST CNT ciphersuite/KX -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1142 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... 
URL: From gnutls-devel at lists.gnutls.org Fri Dec 27 10:01:40 2019 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 27 Dec 2019 09:01:40 +0000 Subject: [gnutls-devel] GnuTLS | Benchmark GOST ciphers/ciphersuites (!1142) In-Reply-To: References: Message-ID: Dmitry Eremin-Solenikov commented on a discussion on lib/crypto-api.c: https://gitlab.com/gnutls/gnutls/merge_requests/1142#note_265281750 > return _gnutls_mac_get_algo_len(mac_to_entry(algorithm)); > } > > +/** > + * gnutls_hmac_get_key_size: > + * @algorithm: the mac algorithm to use > + * > + * This function will return the size of the key to be used with this algorithm. True. I've updated the description. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1142#note_265281750 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Dec 27 10:01:41 2019 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 27 Dec 2019 09:01:41 +0000 Subject: [gnutls-devel] GnuTLS | Benchmark GOST ciphers/ciphersuites (!1142) In-Reply-To: References: Message-ID: All discussions on Merge Request !1142 were resolved by Dmitry Eremin-Solenikov https://gitlab.com/gnutls/gnutls/merge_requests/1142 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1142 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... 
URL: From gnutls-devel at lists.gnutls.org Fri Dec 27 10:33:47 2019 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 27 Dec 2019 09:33:47 +0000 Subject: [gnutls-devel] GnuTLS | Workaround for SChannel limitations (!1138) In-Reply-To: References: Message-ID: Dmitry Eremin-Solenikov commented on a discussion on tests/tls12-server-kx-neg.c: https://gitlab.com/gnutls/gnutls/merge_requests/1138#note_265290876 > .server_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+GOST28147-TC26Z-CNT:+GOST28147-TC26Z-IMIT:+SIGN-GOSTR341012-512:+SIGN-GOSTR341012-256:+SIGN-GOSTR341001:-VERS-ALL:+VERS-TLS1.2", > .client_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+GOST28147-TC26Z-CNT:+GOST28147-TC26Z-IMIT:+SIGN-GOSTR341012-512:+SIGN-GOSTR341012-256:+SIGN-GOSTR341001:-VERS-ALL:+VERS-TLS1.2" > }, > + { > + .name = "TLS 1.2 VKO-GOST-12 with cred and GOST12-256 cert lacking signature algs", > + .server_ret = 0, > + .client_ret = 0, > + .have_cert_cred = 1, > + .have_gost12_256_cert = 1, > + .not_on_fips = 1, > + .server_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+GOST28147-TC26Z-CNT:+GOST28147-TC26Z-IMIT:+SIGN-GOSTR341012-512:+SIGN-GOSTR341012-256:+SIGN-GOSTR341001:-VERS-ALL:+VERS-TLS1.2", > + .client_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+GOST28147-TC26Z-CNT:+GOST28147-TC26Z-IMIT:+SIGN-GOSTR341012-512:+SIGN-GOSTR341012-256:+SIGN-GOSTR341001:-VERS-ALL:+VERS-TLS1.2:-SIGN-ALL:+SIGN-RSA-SHA256" True. I'd better start from `NONE` and explicitly list required parts. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1138#note_265290876 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... 
URL: From gnutls-devel at lists.gnutls.org Fri Dec 27 11:20:28 2019 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 27 Dec 2019 10:20:28 +0000 Subject: [gnutls-devel] GnuTLS | Workaround for SChannel limitations (!1138) In-Reply-To: References: Message-ID: Dmitry Eremin-Solenikov commented on a discussion on lib/ext/signature.c: https://gitlab.com/gnutls/gnutls/merge_requests/1138#note_265309119 > &epriv); > priv = epriv; > > +#ifdef ENABLE_GOST > + /* Some (all SChannel) clients fail to send proper SigAlgs due to Micro$oft crazyness. > + * Patch the extension for them. I rewrote this piece of code to mimic SHA1 fallback. Indeed it became simpler. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1138#note_265309119 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Dec 27 11:20:43 2019 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 27 Dec 2019 10:20:43 +0000 Subject: [gnutls-devel] GnuTLS | Workaround for SChannel limitations (!1138) In-Reply-To: References: Message-ID: Dmitry Eremin-Solenikov commented on a discussion on tests/tls12-server-kx-neg.c: https://gitlab.com/gnutls/gnutls/merge_requests/1138#note_265309195 > .server_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+GOST28147-TC26Z-CNT:+GOST28147-TC26Z-IMIT:+SIGN-GOSTR341012-512:+SIGN-GOSTR341012-256:+SIGN-GOSTR341001:-VERS-ALL:+VERS-TLS1.2", > .client_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+GOST28147-TC26Z-CNT:+GOST28147-TC26Z-IMIT:+SIGN-GOSTR341012-512:+SIGN-GOSTR341012-256:+SIGN-GOSTR341001:-VERS-ALL:+VERS-TLS1.2" > }, > + { > + .name = "TLS 1.2 VKO-GOST-12 with cred and GOST12-256 cert lacking signature algs", done -- Reply to this email directly or view it on GitLab: 
https://gitlab.com/gnutls/gnutls/merge_requests/1138#note_265309195 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Dec 27 11:21:10 2019 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 27 Dec 2019 10:21:10 +0000 Subject: [gnutls-devel] GnuTLS | Workaround for SChannel limitations (!1138) In-Reply-To: References: Message-ID: Dmitry Eremin-Solenikov pushed new commits to merge request !1138 https://gitlab.com/gnutls/gnutls/merge_requests/1138 * 15f9fc7c - SignatureAlgorithms: force-enable GOST signatures for GOST KX * 08ab8677 - tls12-server-kx-neg: add tests without GOST signature algorithms -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1138 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Dec 27 22:35:34 2019 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 27 Dec 2019 21:35:34 +0000 Subject: [gnutls-devel] GnuTLS | gnutls can't check object identifier value correctly (#886) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos commented: @llqll do you have some examples that you can attach? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/886#note_265475551 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... 
URL: From gnutls-devel at lists.gnutls.org Fri Dec 27 22:57:10 2019 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 27 Dec 2019 21:57:10 +0000 Subject: [gnutls-devel] GnuTLS | Benchmark GOST ciphers/ciphersuites (!1142) In-Reply-To: References: Message-ID: Merge Request !1142 was approved by Nikos Mavrogiannopoulos Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/1142 Project:Branches: GostCrypt/gnutls:gost-bench to gnutls/gnutls:master Author: Dmitry Eremin-Solenikov Assignees: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1142 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Dec 27 22:57:22 2019 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 27 Dec 2019 21:57:22 +0000 Subject: [gnutls-devel] GnuTLS | Benchmark GOST ciphers/ciphersuites (!1142) In-Reply-To: References: Message-ID: Merge Request !1142 was merged Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/1142 Project:Branches: GostCrypt/gnutls:gost-bench to gnutls/gnutls:master Author: Dmitry Eremin-Solenikov Assignees: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1142 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... 
URL: From gnutls-devel at lists.gnutls.org Fri Dec 27 23:02:49 2019 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 27 Dec 2019 22:02:49 +0000 Subject: [gnutls-devel] GnuTLS | Workaround for SChannel limitations (!1138) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos started a new discussion on lib/ext/signature.c: https://gitlab.com/gnutls/gnutls/merge_requests/1138#note_265478852 > + else if (cert_algo == GNUTLS_PK_GOST_12_256) > + dig = GNUTLS_DIG_STREEBOG_256; > + else if (cert_algo == GNUTLS_PK_GOST_12_512) > + dig = GNUTLS_DIG_STREEBOG_512; > + else > + dig = GNUTLS_DIG_SHA1; > + > + ret = gnutls_pk_to_sign(cert_algo, dig); > + > + if (!client_cert && _gnutls_session_sign_algo_enabled(session, ret) < 0) > + goto fail; > + return ret; > + } > +#endif > + > if (ret < 0 || !_gnutls_version_has_selectable_sighash(ver)) { Should we use a different variable to indicate no priv? This `ret` is being overwritten above, and although it shouldn't matter it makes this quite difficult to read (and easy to miss on a restructuring). -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1138#note_265478852 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... 
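Review bot: in the `#ifdef ENABLE_GOST` block the value of `ret = gnutls_pk_to_sign(cert_algo, dig);` is returned without being checked against `GNUTLS_SIGN_UNKNOWN`, so an unsupported (cert_algo, dig) pair is handed back as if it were a usable signature algorithm instead of failing; check `ret` before `return ret;`. The trailing `else dig = GNUTLS_DIG_SHA1;` quietly selects SHA-1 for any certificate type not listed above it, which inside a GOST-only path is either unreachable or a silent downgrade; a `goto fail` there is the safer choice. Reusing `ret` both for the "no extension present" result and for the selected algorithm also makes the `if (ret < 0 || ...)` after `#endif` hard to follow; a separate variable (or testing `priv == NULL`) would read better.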
URL: From gnutls-devel at lists.gnutls.org Fri Dec 27 23:04:44 2019 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 27 Dec 2019 22:04:44 +0000 Subject: [gnutls-devel] GnuTLS | Workaround for SChannel limitations (!1138) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos commented on a discussion on lib/ext/signature.c: https://gitlab.com/gnutls/gnutls/merge_requests/1138#note_265479064 > + else if (cert_algo == GNUTLS_PK_GOST_12_256) > + dig = GNUTLS_DIG_STREEBOG_256; > + else if (cert_algo == GNUTLS_PK_GOST_12_512) > + dig = GNUTLS_DIG_STREEBOG_512; > + else > + dig = GNUTLS_DIG_SHA1; > + > + ret = gnutls_pk_to_sign(cert_algo, dig); > + > + if (!client_cert && _gnutls_session_sign_algo_enabled(session, ret) < 0) > + goto fail; > + return ret; > + } > +#endif > + > if (ret < 0 || !_gnutls_version_has_selectable_sighash(ver)) { Or can this check be included on the above code? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1138#note_265479064 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Dec 27 23:05:47 2019 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 27 Dec 2019 22:05:47 +0000 Subject: [gnutls-devel] GnuTLS | Workaround for SChannel limitations (!1138) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos commented: Other than the comment LGTM! -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1138#note_265479201 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... 
URL: From gnutls-devel at lists.gnutls.org Fri Dec 27 23:07:53 2019 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 27 Dec 2019 22:07:53 +0000 Subject: [gnutls-devel] GnuTLS | Workaround for SChannel limitations (!1138) In-Reply-To: References: Message-ID: Dmitry Eremin-Solenikov pushed new commits to merge request !1138 https://gitlab.com/gnutls/gnutls/merge_requests/1138 * 69ffa3a6 - SignatureAlgorithms: force-enable GOST signatures for GOST KX * 9d1c8553 - tls12-server-kx-neg: add tests without GOST signature algorithms -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1138 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Dec 27 23:08:31 2019 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 27 Dec 2019 22:08:31 +0000 Subject: [gnutls-devel] GnuTLS | Workaround for SChannel limitations (!1138) In-Reply-To: References: Message-ID: Dmitry Eremin-Solenikov commented on a discussion on lib/ext/signature.c: https://gitlab.com/gnutls/gnutls/merge_requests/1138#note_265479544 > + else if (cert_algo == GNUTLS_PK_GOST_12_256) > + dig = GNUTLS_DIG_STREEBOG_256; > + else if (cert_algo == GNUTLS_PK_GOST_12_512) > + dig = GNUTLS_DIG_STREEBOG_512; > + else > + dig = GNUTLS_DIG_SHA1; > + > + ret = gnutls_pk_to_sign(cert_algo, dig); > + > + if (!client_cert && _gnutls_session_sign_algo_enabled(session, ret) < 0) > + goto fail; > + return ret; > + } > +#endif > + > if (ret < 0 || !_gnutls_version_has_selectable_sighash(ver)) { I've changed code to set `priv` to `NULL` if there was no extension present. Then the code can use `if (!priv)` condition. 
-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1138#note_265479544 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Dec 27 23:10:59 2019 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 27 Dec 2019 22:10:59 +0000 Subject: [gnutls-devel] GnuTLS | Workaround for SChannel limitations (!1138) In-Reply-To: References: Message-ID: Merge Request !1138 was approved by Nikos Mavrogiannopoulos Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/1138 Project:Branches: GostCrypt/gnutls:gost-split-5 to gnutls/gnutls:master Author: Dmitry Eremin-Solenikov Assignees: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1138 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat Dec 28 18:23:59 2019 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sat, 28 Dec 2019 17:23:59 +0000 Subject: [gnutls-devel] GnuTLS | guile: Arrange to make 'gnutls.scm' architecture-independent. (!1121) In-Reply-To: References: Message-ID: Andreas Metzler commented on a discussion: https://gitlab.com/gnutls/gnutls/merge_requests/1121#note_265559154 Looks good to me. No more arch-specific path in scm, and the release tarball (not full) testsuite continues to succeed. Thanks! -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1121#note_265559154 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... 
URL: From gnutls-devel at lists.gnutls.org Sat Dec 28 21:05:33 2019 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sat, 28 Dec 2019 20:05:33 +0000 Subject: [gnutls-devel] GnuTLS | guile: Arrange to make 'gnutls.scm' architecture-independent. (!1121) In-Reply-To: References: Message-ID: Merge Request !1121 was approved by Nikos Mavrogiannopoulos Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/1121 Project:Branches: civodul/gnutls:wip-arch-independent-scm to gnutls/gnutls:master Author: civodul Assignees: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1121 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat Dec 28 21:07:42 2019 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sat, 28 Dec 2019 20:07:42 +0000 Subject: [gnutls-devel] GnuTLS | guile: Arrange to make 'gnutls.scm' architecture-independent. (!1121) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos commented on a discussion: https://gitlab.com/gnutls/gnutls/merge_requests/1121#note_265572334 Are there any remaining tasks for this MR? Is there a way to automatically check that we make it arch independent? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1121#note_265572334 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... 
URL: From gnutls-devel at lists.gnutls.org Sun Dec 29 10:55:54 2019 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sun, 29 Dec 2019 09:55:54 +0000 Subject: [gnutls-devel] GnuTLS | Fix gnutls-cli compilation with GOST disabled (!1143) References: Message-ID: Dmitry Eremin-Solenikov created a merge request: https://gitlab.com/gnutls/gnutls/merge_requests/1143 Project:Branches: GostCrypt/gnutls:fix-gost-bench to gnutls/gnutls:master Author: Dmitry Eremin-Solenikov As noticed by Niels Möller, GnuTLS will fail compilation (in `benchmark-tls.c`) if GOST is disabled. This was not noticed by the CI as minimal build skipped building `gnutls-cli`. This MR: - enables building `gnutls-cli` (and `gnutls-serv`) unconditionally, - fixes build issue. ## Checklist * [x] Commits have `Signed-off-by:` with name/author being identical to the commit author * [x] Code modified for feature * [x] Test suite updated with functionality tests * [ ] Test suite updated with negative tests * [ ] Documentation updated / NEWS entry present (for non-trivial changes) * [x] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout) ## Reviewer's checklist: * [ ] Any issues marked for closing are addressed * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md` * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1143 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... 
URL: From gnutls-devel at lists.gnutls.org Sun Dec 29 11:00:00 2019 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sun, 29 Dec 2019 10:00:00 +0000 Subject: [gnutls-devel] GnuTLS | Workaround for SChannel limitations (!1138) In-Reply-To: References: Message-ID: All discussions on Merge Request !1138 were resolved by Dmitry Eremin-Solenikov https://gitlab.com/gnutls/gnutls/merge_requests/1138 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1138 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun Dec 29 11:00:08 2019 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sun, 29 Dec 2019 10:00:08 +0000 Subject: [gnutls-devel] GnuTLS | Workaround for SChannel limitations (!1138) In-Reply-To: References: Message-ID: Merge Request !1138 was merged Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/1138 Project:Branches: GostCrypt/gnutls:gost-split-5 to gnutls/gnutls:master Author: Dmitry Eremin-Solenikov Assignees: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1138 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... 
URL: From gnutls-devel at lists.gnutls.org Sun Dec 29 11:13:58 2019 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sun, 29 Dec 2019 10:13:58 +0000 Subject: [gnutls-devel] GnuTLS | WIP: Support for GOST-CTR ciphersuites from draft-smyshlyaec-tls12-gost-suites (!1144) References: Message-ID: Dmitry Eremin-Solenikov created a merge request: https://gitlab.com/gnutls/gnutls/merge_requests/1144 Project:Branches: GostCrypt/gnutls:gost-cleaned to gnutls/gnutls:master Author: Dmitry Eremin-Solenikov This MR provides support for GOST-CTR ciphersuites from draft-smyshlyaec-tls12-gost-suites. Currently it misses tests. I plan to split it into smaller MRs and submit them separately complete with necessary checks and tests. ## Checklist * [x] Commits have `Signed-off-by:` with name/author being identical to the commit author * [x] Code modified for feature * [ ] Test suite updated with functionality tests * [ ] Test suite updated with negative tests * [ ] Documentation updated / NEWS entry present (for non-trivial changes) * [x] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout) ## Reviewer's checklist: * [ ] Any issues marked for closing are addressed * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md` * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1144 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... 
URL: From gnutls-devel at lists.gnutls.org Sun Dec 29 11:29:31 2019 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sun, 29 Dec 2019 10:29:31 +0000 Subject: [gnutls-devel] GnuTLS | WIP: Support for GOST-CTR ciphersuites from draft-smyshlyaec-tls12-gost-suites (!1144) In-Reply-To: References: Message-ID: Dmitry Eremin-Solenikov commented: @nmav This MR manifests a crypto-api issue. CTR-ACPKM (CTR with internal rekeying, see [RFC 8645](https://www.rfc-editor.org/rfc/rfc8645.html)) modes are defined with an integer parameter called section size. It is the amount of data to be encrypted using a single key before rekeying. This parameter is a part of encryption scheme, but it is not fixed. So e.g. TLS 1.2 will use 1024 bytes for MAGMA-CTR-ACPKM and 4096 bytes for KUZNYECHIK-CTR-ACPKM. However provided test vectors use sections of 256 bits (32 bytes). While this looks like a lesser problem (one can regenerate test vectors big enough to actually test rekeying transformation), this is actually only a partial solution. For example CMS files are going to use 256-KBytes sections. OpenSSL solved this by adding a "control" to set section size. However GnuTLS lacks such "controls". -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1144#note_265608844 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... 
URL: From gnutls-devel at lists.gnutls.org Sun Dec 29 12:09:29 2019 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sun, 29 Dec 2019 11:09:29 +0000 Subject: [gnutls-devel] GnuTLS | Fix gnutls-cli compilation with GOST disabled (!1143) In-Reply-To: References: Message-ID: Dmitry Eremin-Solenikov pushed new commits to merge request !1143 https://gitlab.com/gnutls/gnutls/merge_requests/1143 * 69ffa3a6...fb5035e5 - 3 commits from branch `master` * e15d2a79 - serv: support building with OCSP disabled * 99f4ce1e - cli: support building with OCSP and ANON disabled * 57356949 - cli: fix building with GOST disabled -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1143 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun Dec 29 21:33:24 2019 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sun, 29 Dec 2019 20:33:24 +0000 Subject: [gnutls-devel] GnuTLS | Fix gnutls-cli compilation with GOST disabled (!1143) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos commented: The problem I see is that this is very easy to break as we do not test for compilation under these conditions. If I remember well the minimal build does not build the tools because it was too complex to manage these scenarios for the tools. What's your goal in this MR, to compile the tools without GOST or to revive the minimal build, or even to introduce a new minimal build which is kind of supported? My point is that in all of these cases we would need to introduce a test build which actually tests that scenario. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1143#note_265659882 You're receiving this email because of your account on gitlab.com. 
-------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun Dec 29 22:54:23 2019 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sun, 29 Dec 2019 21:54:23 +0000 Subject: [gnutls-devel] GnuTLS | x509: reject certificates having duplicate extensions (!1145) References: Message-ID: Nikos Mavrogiannopoulos created a merge request: https://gitlab.com/gnutls/gnutls/merge_requests/1145 Project:Branches: nmav/gnutls:tmp-check-dup-extensions to gnutls/gnutls:master Author: Nikos Mavrogiannopoulos According to RFC5280 a certificate must not include more than one instance of a particular extension. We were previously printing warnings when such extensions were found, but that is insufficient to flag such certificates. Instead, refuse to import them. ## Checklist * [x] Commits have `Signed-off-by:` with name/author being identical to the commit author * [x] Code modified for feature * [x] Test suite updated with functionality tests * [ ] Test suite updated with negative tests * [x] Documentation updated / NEWS entry present (for non-trivial changes) * [x] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout) ## Reviewer's checklist: * [ ] Any issues marked for closing are addressed * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md` * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1145 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... 
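The RFC 5280 rule this MR enforces, as an added example that is not GnuTLS code: a small pure-Python DER walker that reads an X.509 Extensions SEQUENCE and lists the extension OIDs that occur more than once, the condition under which the MR now refuses to import the certificate. The sample Extensions values (basicConstraints plus one or two subjectAltName entries) are constructed inline, and the DER helpers are mine, not the library's.

```python
"""Detect duplicate X.509 extensions in a DER Extensions SEQUENCE.
Added example, not GnuTLS code. RFC 5280 section 4.2 forbids more than one
instance of a particular extension; MR !1145 turns that from a warning into
an import failure. Sample inputs below are constructed (two subjectAltName).
"""
from collections import Counter


def der_read_tlv(data: bytes, pos: int):
    """Return (tag, value, next_pos) for the DER TLV that starts at pos."""
    if pos + 2 > len(data):
        raise ValueError("truncated TLV header")
    tag = data[pos]
    if tag & 0x1F == 0x1F:
        raise ValueError("multi-byte tags are not used in X.509 extensions")
    length = data[pos + 1]
    pos += 2
    if length & 0x80:  # long form: the next (length & 0x7F) bytes hold the length
        nbytes = length & 0x7F
        if nbytes == 0 or nbytes > 4 or pos + nbytes > len(data):
            raise ValueError("invalid DER length")
        length = int.from_bytes(data[pos:pos + nbytes], "big")
        pos += nbytes
    end = pos + length
    if end > len(data):
        raise ValueError("TLV value runs past the end of the data")
    return tag, data[pos:end], end

def der_decode_oid(value: bytes) -> str:
    """Decode the contents of an OBJECT IDENTIFIER into dotted form."""
    if not value:
        raise ValueError("empty OID")
    first = value[0]
    arcs = [first // 40, first % 40] if first < 80 else [2, first - 80]
    acc, pending = 0, False
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        pending = bool(b & 0x80)  # continuation bit: more base-128 digits follow
        if not pending:
            arcs.append(acc)
            acc = 0
    if pending:
        raise ValueError("truncated OID sub-identifier")
    return ".".join(str(a) for a in arcs)

def extension_oids(extensions_der: bytes) -> list:
    """Return the extnID of every Extension in an Extensions SEQUENCE, in order."""
    tag, body, end = der_read_tlv(extensions_der, 0)
    if tag != 0x30 or end != len(extensions_der):
        raise ValueError("expected exactly one SEQUENCE OF Extension")
    oids, pos = [], 0
    while pos < len(body):
        tag, ext, pos = der_read_tlv(body, pos)
        if tag != 0x30:
            raise ValueError("Extension must be a SEQUENCE")
        oid_tag, oid_val, _ = der_read_tlv(ext, 0)  # extnID is the first field
        if oid_tag != 0x06:
            raise ValueError("extnID must be an OBJECT IDENTIFIER")
        oids.append(der_decode_oid(oid_val))
    return oids

def duplicate_extensions(extensions_der: bytes) -> list:
    """OIDs seen more than once; non-empty means the certificate must be rejected."""
    counts = Counter(extension_oids(extensions_der))
    return sorted(oid for oid, n in counts.items() if n > 1)

# Minimal DER encoder, used only to build the constructed sample input.
def der_tlv(tag: int, value: bytes) -> bytes:
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def der_encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = bytearray([a & 0x7F])
        a >>= 7
        while a:  # prepend higher base-128 digits with the continuation bit set
            chunk.insert(0, 0x80 | (a & 0x7F))
            a >>= 7
        out += chunk
    return der_tlv(0x06, bytes(out))

def make_extension(oid: str, value: bytes, critical: bool = False) -> bytes:
    fields = der_encode_oid(oid)
    if critical:
        fields += der_tlv(0x01, b"\xff")  # critical BOOLEAN TRUE
    return der_tlv(0x30, fields + der_tlv(0x04, value))  # extnValue OCTET STRING

# Constructed samples: basicConstraints once, then subjectAltName once or twice.
BASIC_CONSTRAINTS = make_extension("2.5.29.19", der_tlv(0x30, b""), critical=True)
SAN_A = make_extension("2.5.29.17", der_tlv(0x30, der_tlv(0x82, b"example.com")))
SAN_B = make_extension("2.5.29.17", der_tlv(0x30, der_tlv(0x82, b"example.net")))
SAMPLE_CLEAN = der_tlv(0x30, BASIC_CONSTRAINTS + SAN_A)
SAMPLE_DUPLICATE = der_tlv(0x30, BASIC_CONSTRAINTS + SAN_A + SAN_B)
```

`duplicate_extensions(SAMPLE_DUPLICATE)` returns `['2.5.29.17']`, the subjectAltName OID from issue #872, while the clean sample returns an empty list; a real import path would take the Extensions value from the parsed TBSCertificate and reject when the result is non-empty.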
From gnutls-devel at lists.gnutls.org Sun Dec 29 22:54:35 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 29 Dec 2019 21:54:35 +0000
Subject: [gnutls-devel] GnuTLS | gnutls accepts certificates including two instances of a particular extension (#887)

Reassigned Issue 887
https://gitlab.com/gnutls/gnutls/issues/887

Assignee changed to Nikos Mavrogiannopoulos

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/887

From gnutls-devel at lists.gnutls.org Sun Dec 29 22:56:23 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 29 Dec 2019 21:56:23 +0000
Subject: [gnutls-devel] GnuTLS | x509: reject certificates having duplicate extensions (!1145)

Nikos Mavrogiannopoulos pushed new commits to merge request !1145
https://gitlab.com/gnutls/gnutls/merge_requests/1145

* c211bdd3 - x509: reject certificates having duplicate extensions

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1145

From gnutls-devel at lists.gnutls.org Sun Dec 29 23:10:59 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 29 Dec 2019 22:10:59 +0000
Subject: [gnutls-devel] GnuTLS | Fix gnutls-cli compilation with GOST disabled (!1143)

Dmitry Eremin-Solenikov commented:

The problem is that Nettle master uses `--disable-gost`, which got broken by the benchmarking MR. I had the feeling that `--disable-gost` is covered by the minimal build; however, that minimal build disabled too much (e.g. `cli` and `serv` are disabled). This MR enables building of `cli` and `serv` under the minimal build to catch such errors.

Another approach would be to add just a `--disable-gost` test run. Would you like me to do it instead of this MR?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1143#note_265665583

From gnutls-devel at lists.gnutls.org Mon Dec 30 05:31:13 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 30 Dec 2019 04:31:13 +0000
Subject: [gnutls-devel] GnuTLS | Fix gnutls-cli compilation with GOST disabled (!1143)

Nikos Mavrogiannopoulos commented:

Aha, I missed the last part. It makes sense as it is.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1143#note_265692219

From gnutls-devel at lists.gnutls.org Mon Dec 30 05:31:16 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 30 Dec 2019 04:31:16 +0000
Subject: [gnutls-devel] GnuTLS | Fix gnutls-cli compilation with GOST disabled (!1143)

Merge Request !1143 was approved by Nikos Mavrogiannopoulos

Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/1143
Project:Branches: GostCrypt/gnutls:fix-gost-bench to gnutls/gnutls:master
Author: Dmitry Eremin-Solenikov
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1143
From gnutls-devel at lists.gnutls.org Mon Dec 30 05:31:29 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 30 Dec 2019 04:31:29 +0000
Subject: [gnutls-devel] GnuTLS | Fix gnutls-cli compilation with GOST disabled (!1143)

Merge Request !1143 was merged

Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/1143
Project:Branches: GostCrypt/gnutls:fix-gost-bench to gnutls/gnutls:master
Author: Dmitry Eremin-Solenikov
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1143

From gnutls-devel at lists.gnutls.org Mon Dec 30 05:35:55 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 30 Dec 2019 04:35:55 +0000
Subject: [gnutls-devel] GnuTLS | x509: reject certificates having duplicate extensions (!1145)

Nikos Mavrogiannopoulos pushed new commits to merge request !1145
https://gitlab.com/gnutls/gnutls/merge_requests/1145

* 1cff65d7 - fuzz: import certificate with and without sanity checks

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1145
From gnutls-devel at lists.gnutls.org Mon Dec 30 05:37:02 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 30 Dec 2019 04:37:02 +0000
Subject: [gnutls-devel] GnuTLS | x509: reject certificates having duplicate extensions (!1145)

Nikos Mavrogiannopoulos pushed new commits to merge request !1145
https://gitlab.com/gnutls/gnutls/merge_requests/1145

* 001ad754 - gnutls_x509_crt_get_extension_info: optimize when critical equals NULL

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1145

From gnutls-devel at lists.gnutls.org Mon Dec 30 06:05:10 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 30 Dec 2019 05:05:10 +0000
Subject: [gnutls-devel] GnuTLS | Fix gnutls-cli compilation with GOST disabled (!1143)

Nikos Mavrogiannopoulos commented:

I've also restarted the failed pipelines in nettle: https://gitlab.com/gnutls/nettle/pipelines

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1143#note_265696020

From gnutls-devel at lists.gnutls.org Mon Dec 30 08:51:52 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 30 Dec 2019 07:51:52 +0000
Subject: [gnutls-devel] GnuTLS | Fix gnutls-cli compilation with GOST disabled (!1143)

Dmitry Eremin-Solenikov commented:

@nmav thank you!
--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1143#note_265722202

From gnutls-devel at lists.gnutls.org Mon Dec 30 12:16:32 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 30 Dec 2019 11:16:32 +0000
Subject: [gnutls-devel] GnuTLS | x509: reject certificates having duplicate extensions (!1145)

Nikos Mavrogiannopoulos commented:

I tried to extend this enhancement to CRLs but rolled back, as RFC5280 doesn't require something similar there. Certificate requests also. Most likely, though, it is the right thing to apply this restriction to both of them.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1145#note_265810608

From gnutls-devel at lists.gnutls.org Mon Dec 30 12:33:26 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 30 Dec 2019 11:33:26 +0000
Subject: [gnutls-devel] GnuTLS | WIP: Support for GOST-CTR ciphersuites from draft-smyshlyaec-tls12-gost-suites (!1144)

Nikos Mavrogiannopoulos commented:

Having used libgcrypt's control APIs, I wanted to avoid them completely in gnutls. They are error prone, and when developing a typical application you shouldn't even need to use them (crypto is already too complex for app developers to care about such details). That said, we would need to test that code and cover existing applications if we add it. What's your suggestion?
--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1144#note_265814638

From gnutls-devel at lists.gnutls.org Mon Dec 30 12:37:23 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 30 Dec 2019 11:37:23 +0000
Subject: [gnutls-devel] GnuTLS | UB+ASAN: Fail tests if UB detected (!1136)

Nikos Mavrogiannopoulos commented:

I think you are trying to hit too many birds with one stone. I'd suggest fixing the exact problem at hand and then moving to adding clang in a different MR.

> The failure of `ocsp-tests/ocsp-must-staple-connection` seen in runner `Debian.cross.i686-linux-gnu` seems unrelated:

It passes though without the patch. It seems like a 64-bit version was compiled? What if we separate the datefudge changes into a different MR as well?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1136#note_265817196

From gnutls-devel at lists.gnutls.org Mon Dec 30 12:47:00 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 30 Dec 2019 11:47:00 +0000
Subject: [gnutls-devel] GnuTLS | .gitlab-ci.yml: i686-linux-gnu: verify executables are 32-bit (!1146)

Nikos Mavrogiannopoulos created a merge request: https://gitlab.com/gnutls/gnutls/merge_requests/1146

Project:Branches: nmav/gnutls:tmp-i686-build to gnutls/gnutls:master
Author: Nikos Mavrogiannopoulos

This patch set introduces checks to ensure that 32-bit cross-compiled builds are indeed 32-bit. This relates to issues found in !1136.

## Checklist

* [x] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [ ] Code modified for feature
* [x] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
* [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:

* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1146

From gnutls-devel at lists.gnutls.org Mon Dec 30 12:47:56 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 30 Dec 2019 11:47:56 +0000
Subject: [gnutls-devel] GnuTLS | UB+ASAN: Fail tests if UB detected (!1136)

Nikos Mavrogiannopoulos commented:

I've created an MR to verify whether what's being generated by our i686 build is indeed i686. https://gitlab.com/gnutls/gnutls/merge_requests/1146

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1136#note_265824713
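A check of the kind !1146 adds to CI, written here as an added Python example rather than the merge request's own `.gitlab-ci.yml` change: it reads the ELF identification bytes of each object directly and reports anything that is not the expected class. The sample headers are constructed; the mismatch they model is the one the `wrong ELF class: ELFCLASS32` lines for `datefudge.so` later in the thread point at, a 32-bit LD_PRELOAD helper that ld.so ignores because the executables came out 64-bit.

```python
# Added example, not GnuTLS's own CI code: verify that every ELF object an
# i686 cross build produces (and every preload helper it runs with) has the
# expected ELF class. The headers below are constructed samples.
import struct

ELF_MAGIC = b"\x7fELF"
ELFCLASS32, ELFCLASS64 = 1, 2
ELFDATA2LSB, ELFDATA2MSB = 1, 2
ET_EXEC, ET_DYN = 2, 3
EM_386, EM_X86_64 = 3, 62
CLASS_NAME = {ELFCLASS32: "ELFCLASS32", ELFCLASS64: "ELFCLASS64"}


def elf_identity(header: bytes) -> dict:
    """Parse e_ident, e_type and e_machine from the first 20 bytes of a file.

    These fields sit at the same offsets in Elf32_Ehdr and Elf64_Ehdr, so the
    class can be read before choosing a header layout.
    """
    if len(header) < 20 or header[:4] != ELF_MAGIC:
        raise ValueError("not an ELF object")
    ei_class, ei_data = header[4], header[5]
    if ei_class not in CLASS_NAME or ei_data not in (ELFDATA2LSB, ELFDATA2MSB):
        raise ValueError("invalid EI_CLASS or EI_DATA")
    endian = "<" if ei_data == ELFDATA2LSB else ">"
    e_type, e_machine = struct.unpack(endian + "HH", header[16:20])
    return {"class": ei_class, "type": e_type, "machine": e_machine}


def check_elf_class(objects: dict, expected_class: int) -> list:
    """Return one problem string per object that is not of expected_class.

    `objects` maps a name (path) to the leading bytes of that file. An empty
    result means the build and every preload helper agree on the class.
    """
    problems = []
    for name, header in objects.items():
        try:
            ident = elf_identity(header)
        except ValueError as exc:
            problems.append(f"{name}: {exc}")
            continue
        if ident["class"] != expected_class:
            problems.append(f"{name}: {CLASS_NAME[ident['class']]}, expected "
                            f"{CLASS_NAME[expected_class]}")
    return problems


def read_headers(paths) -> dict:
    """Read the first 20 bytes of each path, for use with check_elf_class."""
    out = {}
    for p in paths:
        with open(p, "rb") as f:
            out[p] = f.read(20)
    return out


def _fake_header(ei_class: int, e_machine: int, e_type: int = ET_EXEC) -> bytes:
    """Constructed little-endian ELF header prefix for the samples below."""
    ident = ELF_MAGIC + bytes([ei_class, ELFDATA2LSB, 1, 0]) + b"\x00" * 8
    return ident + struct.pack("<HH", e_type, e_machine)


# Constructed sample: the tools were built 64-bit by mistake while the
# datefudge.so preload helper is the 32-bit one, so ld.so ignores the helper.
SAMPLE_I686_BUILD = {
    "src/gnutls-cli": _fake_header(ELFCLASS64, EM_X86_64),
    "src/gnutls-serv": _fake_header(ELFCLASS64, EM_X86_64),
    "datefudge.so": _fake_header(ELFCLASS32, EM_386, ET_DYN),
    "notes.txt": b"not an ELF file, just text in the tree",
}

if __name__ == "__main__":
    for line in check_elf_class(SAMPLE_I686_BUILD, ELFCLASS32):
        print(line)
```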
From gnutls-devel at lists.gnutls.org Mon Dec 30 13:00:07 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 30 Dec 2019 12:00:07 +0000
Subject: [gnutls-devel] GnuTLS | consider using an alternative build system (#320)

Nikos Mavrogiannopoulos commented:

I've updated the running times for ./bootstrap, and the results are much worse (2m gnulib+autostuff vs 22 seconds of building). I've experimented with meson at https://gitlab.com/ipcalc/ipcalc/. I can say I'm very impressed.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/320#note_265828368

From gnutls-devel at lists.gnutls.org Mon Dec 30 13:02:53 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 30 Dec 2019 12:02:53 +0000
Subject: [gnutls-devel] GnuTLS | .gitlab-ci.yml: i686-linux-gnu: verify executables are 32-bit (!1146)

Nikos Mavrogiannopoulos pushed new commits to merge request !1146
https://gitlab.com/gnutls/gnutls/merge_requests/1146

* 06febdd6 - .gitlab-ci.yml: i686-linux-gnu: verify executables are 32-bit

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1146
From gnutls-devel at lists.gnutls.org Mon Dec 30 13:41:43 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 30 Dec 2019 12:41:43 +0000
Subject: [gnutls-devel] GnuTLS | consider using an alternative build system (#320)

Tim Rühsen commented:

Timings here (AMD 5 3600):

```
1m13 ./bootstrap
0m4,5 ./configure --disable-doc
0m13 make -j$(nproc)
```

The problem with meson (and cmake) seems to be gnulib integration. `./bootstrap + meson + ninja` seems to be appropriate. But really, even if meson takes 0 seconds, you save 4.5 seconds. Ninja will likely also take around 13s (or more). Meson needs python3, and python3 is a huge dependency.

Also, how often do you execute `./bootstrap`? I do this very rarely, e.g. when modifying `bootstrap.conf`. To just re-create `configure.ac` you can use `autoreconf -fi`. To re-create Makefiles, use `./config.status`.

One of my projects, `libpsl`, got meson build support. It still needs `./configure` to create `meson.build` from `meson.build.in`. There still is this comment:

```
# FIXME: Cleanup this when Meson gets 'feature-combo':
# https://github.com/mesonbuild/meson/issues/4566
# Dependency fallbacks would help too:
# https://github.com/mesonbuild/meson/pull/4595
```

Both issue and PR are still 'open' after ~1 year.

I am not saying that another build system doesn't make sense. But ipcalc seems to be a trivial project compared to gnutls and doesn't need gnulib.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/320#note_265844215
From gnutls-devel at lists.gnutls.org Mon Dec 30 13:46:11 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 30 Dec 2019 12:46:11 +0000
Subject: [gnutls-devel] GnuTLS | consider using an alternative build system (#320)

Nikos Mavrogiannopoulos commented:

gnulib is indeed problematic in this regard, as it is tied to autotools. glib however uses meson and gnulib, so there may be a way out.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/320#note_265849000

From gnutls-devel at lists.gnutls.org Mon Dec 30 13:49:51 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 30 Dec 2019 12:49:51 +0000
Subject: [gnutls-devel] GnuTLS | consider using an alternative build system (#320)

Tim Rühsen commented:

> however the frustration of waiting for bootstrap and configure grows every day

See my comment above. You don't have to call bootstrap often (if you think you have to, let's figure out why). Same with ./configure, and even if you do, it only takes 4.5s (here) when you set up your environment correctly (let's talk).

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/320#note_265851805
From gnutls-devel at lists.gnutls.org Mon Dec 30 13:50:55 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 30 Dec 2019 12:50:55 +0000
Subject: [gnutls-devel] GnuTLS | .gitlab-ci.yml: i686-linux-gnu: verify executables are 32-bit (!1146)

Nikos Mavrogiannopoulos commented:

@rockdaboot this has a trivial change over your patch (removed CC_FOR_BUILD) but may be affecting it. Would you mind rebasing over this?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1146#note_265852064

From gnutls-devel at lists.gnutls.org Mon Dec 30 13:52:20 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 30 Dec 2019 12:52:20 +0000
Subject: [gnutls-devel] GnuTLS | consider using an alternative build system (#320)

Nikos Mavrogiannopoulos commented:

> See my comment above. You don't have to call bootstrap often (if you think you have to, let's figure out why). Same with ./configure - and even if you do, it only takes 4.5s (here) when you set up your environment correctly (let's talk).

It is the CI that calls it often.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/320#note_265852463
From gnutls-devel at lists.gnutls.org Mon Dec 30 13:54:03 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 30 Dec 2019 12:54:03 +0000
Subject: [gnutls-devel] GnuTLS | .gitlab-ci.yml: i686-linux-gnu: verify executables are 32-bit (!1146)

Tim Rühsen commented:

Sure (was just about to run the CI image here to find out :-))

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1146#note_265852962

From gnutls-devel at lists.gnutls.org Mon Dec 30 13:58:05 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 30 Dec 2019 12:58:05 +0000
Subject: [gnutls-devel] GnuTLS | consider using an alternative build system (#320)

Xavier Claessens commented on a discussion: https://gitlab.com/gnutls/gnutls/issues/320#note_265854099

I don't know how I got subscribed to this bug, but it's interesting. I'm a meson and glib developer.

It is not true that libpsl needs configure to generate meson.build; they do that only to set the project version, to not have to write it in both build systems, as far as I can tell. But it works without running configure too. About the fixme, it's just a possible cleanup, nothing really required.

Glib contains a copy of gnulib and wrote meson.build files for it, so that could be shared with gnutls.

glib-networking uses gnutls, and if it gets ported to meson that would mean we can build gnutls as a subproject of glib-networking, which makes it a lot easier to bundle that dependency. IMHO that would be a big win for glib.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/320#note_265854099
From gnutls-devel at lists.gnutls.org Mon Dec 30 13:59:44 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 30 Dec 2019 12:59:44 +0000
Subject: [gnutls-devel] GnuTLS | UB+ASAN: Fail tests if UB detected (!1136)

Tim Rühsen pushed new commits to merge request !1136
https://gitlab.com/gnutls/gnutls/merge_requests/1136

* 49d27a55...05e1cdf3 - 15 commits from branch `master`
* f023fcf9 - UBSAN: Fail tests if UB detected
* 7de3c58a - Fix implicit value change in verify-high.c
* 99915676 - handshake.c: Suppress warning in fuzzing build
* 4c171527 - rnd-fuzzer.c: Suppress shift sanitization check
* 0fe4a181 - status_request.c: Silence -Wsign-compare
* 58e157b0 - certtool-cfg.c: Silence -Wunused-variable if HAVE_IPV6 not set
* b392c5d4 - Fix 2x -Wunused-function in tests/
* 9682c2fa - Fix -Wtypedef-redefinition in tests/tls13/anti_replay.c [skip ci]
* de1f4989 - Fix "left shift cannot be represented in type 'int'" in hello_ext.[ch]
* 5104b189 - Fix "implicit conversion from type 'int' of value -1 to 'unsigned'"
* 07435d57 - Fix "implicit conversion from type 'int' of value -1 to 'unsigned'"
* f1971949 - Fix "implicit conversion from type 'int' of value -1 to 'unsigned'"
* cbea5a0e - Fix "implicit conversion from type 'int' of value -1 to 'unsigned'"
* 139f0507 - Fix "implicit conversion from type 'int' < 0 to 'unsigned'"
* 4f8ab204 - Fix "implicit conversion from type 'int' < 0 to 'unsigned'"
* a2382e1b - Fix "implicit conversion from type 'int' -1 to 'unsigned'"
* 437b60e8 - Fix "implicit conversion from type 'uint32_t' to 'uint8_t' with value >255"
* 1e48375b - Fix checks in mpi.c:__gnutls_x509_write_int()
* b09af034 - Suppress integer UB checks in record.c:record_read_headers()
* dd92af3b - Fix "implicit conversion from type 'int' -1 to 'unsigned'"
* 0116dffe - Use check_for_datefudge in tests
* ed322277 - Fix NULL ptr access in _gnutls_iov_iter_next()
* c5b85ee5 - Temporarily disable test 'eagain.sh' until #884 is fixed
* 945cf561 - .gitlab-ci.yml: i686-linux-gnu: verify executables are 32-bit

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1136

From gnutls-devel at lists.gnutls.org Mon Dec 30 14:00:18 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 30 Dec 2019 13:00:18 +0000
Subject: [gnutls-devel] GnuTLS | .gitlab-ci.yml: i686-linux-gnu: verify executables are 32-bit (!1146)

Tim Rühsen commented:

@nmav I cherry-picked your commit, rebased on master and pushed.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1146#note_265854681

From gnutls-devel at lists.gnutls.org Mon Dec 30 14:08:50 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 30 Dec 2019 13:08:50 +0000
Subject: [gnutls-devel] GnuTLS | consider using an alternative build system (#320)

Tim Rühsen commented:

> 4.5 seconds sounds like not gnutls!

Cached. But the configure runs in the CI are also cached. I use (automatically) different caches for different CC and CFLAGS. I have `CONFIG_SITE=/home/tim/src/config.site` in my `~/.bashrc`.
The contents of `config.site` are

```
# load rm and cat loadable modules to bash
if [ -n "$BASH" ]; then
  enable -f ~/src/bash/examples/loadables/rm rm
  enable -f ~/src/bash/examples/loadables/cat cat
fi

# one configure cache per compiler/flags/host combination
if test "$cache_file" = /dev/null; then
  hash=`echo $CXX $CXXFLAGS $CFLAGS $LDFLAGS $host_alias $build_alias|md5sum|cut -d' ' -f1`
  cache_file="/home/tim/src/config.cache.$CC.$hash"
fi
```

The bash plugins are just to give another small boost of 1-3 seconds. You can comment those out if you don't have the loadables installed or built. Debian doesn't provide them, maybe Fedora does!?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/320#note_265857403

From gnutls-devel at lists.gnutls.org Mon Dec 30 14:24:21 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 30 Dec 2019 13:24:21 +0000
Subject: [gnutls-devel] GnuTLS | consider using an alternative build system (#320)

Xavier Claessens commented on a discussion: https://gitlab.com/gnutls/gnutls/issues/320#note_265862431

Glib indeed has its own copy of gnulib code and wrote their own meson build definition for it. However, now that glib dropped autotools, I think they should instead use gnulib as a subproject, and either:

- merge the meson build definition upstream
- have a "fork" git repo with meson
- put it in wrapdb, a collection of projects for which meson.build files are stored in a separate tarball. That helps using common non-meson projects as meson subprojects.

Having gnulib as a subproject means meson can download and build it for you if not found on the system. One less dependency to care about for the user.

Doing this, and having gnutls as a meson project, would mean glib-networking could use gnutls as a subproject and share the same build of gnulib, instead of having 2 copies currently, as far as I understand.

IMHO the build speed is great, but it's not the main advantage of meson. I like meson because it makes the build definition a lot nicer than obscure shell and m4 scripts that nobody really understands. And it supports more advanced features like subprojects.

Finally, I don't think Python 3 is a big dependency. It is available everywhere and much easier to install than autotools. Especially on Windows, autotools requires msys2 or a similar Unix env; that is not needed with meson.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/320#note_265862431

From gnutls-devel at lists.gnutls.org Mon Dec 30 15:13:37 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 30 Dec 2019 14:13:37 +0000
Subject: [gnutls-devel] GnuTLS | consider using an alternative build system (#320)

Tim Rühsen commented on a discussion: https://gitlab.com/gnutls/gnutls/issues/320#note_265878401

Thanks for having a look into this issue and sharing your thoughts!

IMO, the first step would be to have meson and gnulib working together. One of the big workloads in gnulib's `bootstrap` is the invocation of `gnulib-tool` (even three times for gnutls). How is that addressed, considering that this issue is about speeding up that process?

@nmav Just seeing that we don't use `gnulib-tool.py` in `bootstrap`; that would be a big performance win, btw.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/320#note_265878401
From gnutls-devel at lists.gnutls.org Mon Dec 30 15:16:55 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 30 Dec 2019 14:16:55 +0000
Subject: [gnutls-devel] GnuTLS | consider using an alternative build system (#320)

Tim Rühsen commented on a discussion: https://gitlab.com/gnutls/gnutls/issues/320#note_265879379

> Finally, I don't think Python 3 is a big dependency

On Debian it is, checked with `debtree`.

> It (python3) is available everywhere and much easier to install than autotools.

I think it is the other way round. Autotools are available basically on *every* platform, as they are used to build basic GNU tools. No gcc without it.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/320#note_265879379

From gnutls-devel at lists.gnutls.org Mon Dec 30 15:20:22 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 30 Dec 2019 14:20:22 +0000
Subject: [gnutls-devel] GnuTLS | consider using an alternative build system (#320)

Tim Rühsen commented on a discussion: https://gitlab.com/gnutls/gnutls/issues/320#note_265881765

But as I said somewhere else, I am not against meson. I just want to discuss all the pros and cons and then decide. Maintaining two build systems needs a certain amount of manual resources. On several platforms we have the extra burden that only old and/or outdated versions of the build tools exist.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/320#note_265881765
-------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Dec 30 15:23:03 2019 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 30 Dec 2019 14:23:03 +0000 Subject: [gnutls-devel] GnuTLS | .gitlab-ci.yml: i686-linux-gnu: verify executables are 32-bit (!1146) In-Reply-To: References: Message-ID: Tim R?hsen commented: Still failing with ``` === Generating good server certificate === === Bringing OCSP server up === ERROR: ld.so: object 'datefudge.so' from LD_PRELOAD cannot be preloaded (wrong ELF class: ELFCLASS32): ignored. ocsp: waiting for OCSP client connections... === Verifying OCSP server is up === ERROR: ld.so: object 'datefudge.so' from LD_PRELOAD cannot be preloaded (wrong ELF class: ELFCLASS32): ignored. ERROR: ld.so: object 'datefudge.so' from LD_PRELOAD cannot be preloaded (wrong ELF class: ELFCLASS32): ignored. ERROR: ld.so: object 'datefudge.so' from LD_PRELOAD cannot be preloaded (wrong ELF class: ELFCLASS32): ignored. ERROR: ld.so: object 'datefudge.so' from LD_PRELOAD cannot be preloaded (wrong ELF class: ELFCLASS32): ignored. ERROR: ld.so: object 'datefudge.so' from LD_PRELOAD cannot be preloaded (wrong ELF class: ELFCLASS32): ignored. Connecting to OCSP server: localhost... ``` -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1146#note_265882526 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Dec 30 15:39:38 2019 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 30 Dec 2019 14:39:38 +0000 Subject: [gnutls-devel] GnuTLS | Speed up or avoid bootstrap in CI runners (#891) References: Message-ID: Tim R?hsen created an issue: https://gitlab.com/gnutls/gnutls/issues/891 This is just an idea... we have to test it yet. 
In the CI images, we could manually run the 3 invocations of `gnulib-tool` to create `gl/`, `lib/unistring/` and `src/gl/`. We can even build the gnulib libraries in there and run the gnulib tests. In the CI runners, we have to `cp -a` those directories into the `gnutls/` directory. Then we create ./configure with `autoreconf -fi` and go on as normal. [We can possibly even avoid this last step as long as configure is newer than configure.ac]. The gain is at least that we avoid `./bootstrap`. Still the question: how much do the 1.x minutes of bootstrapping weigh against the 1.5h of running a pipeline? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/891 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Dec 30 15:45:03 2019 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 30 Dec 2019 14:45:03 +0000 Subject: [gnutls-devel] GnuTLS | consider using an alternative build system (#320) In-Reply-To: References: Message-ID: Xavier Claessens commented on a discussion: https://gitlab.com/gnutls/gnutls/issues/320#note_265891054 @rockdaboot I have no idea how gnulib works tbh. But from a quick look at glib's copy, they don't use gnulib-tool.py https://gitlab.gnome.org/GNOME/glib/blob/master/glib/gnulib/meson.build -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/320#note_265891054 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed...
URL: From gnutls-devel at lists.gnutls.org Mon Dec 30 15:49:21 2019 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 30 Dec 2019 14:49:21 +0000 Subject: [gnutls-devel] GnuTLS | consider using an alternative build system (#320) In-Reply-To: References: Message-ID: Xavier Claessens commented on a discussion: https://gitlab.com/gnutls/gnutls/issues/320#note_265892446 @rockdaboot by "available" I meant the user already has it anyway, or can install it in a few clicks. Especially thinking about Windows here, porting glib to meson made Windows (and msvc) builds a **lot** easier. I'm pretty sure python "exists" for all interesting platforms, unless gnutls has to support really exotic environments? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/320#note_265892446 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Dec 30 15:54:07 2019 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 30 Dec 2019 14:54:07 +0000 Subject: [gnutls-devel] GnuTLS | consider using an alternative build system (#320) In-Reply-To: References: Message-ID: Xavier Claessens commented on a discussion: https://gitlab.com/gnutls/gnutls/issues/320#note_265893893

> Maintaining two build systems needs a certain amount of manual resources.

I wouldn't recommend that, unless it's only for a temporary transition period. IMHO if gnutls decides to add a meson build system, it should be with the goal of dropping autotools. This is how we proceeded in glib.

> On several platforms we have the extra burden that only old and/or outdated versions of the build tools exist.

As long as you have python 3.5 (that's 4 years old, arguably still "new" I guess...), you can easily install latest meson with pip3. There is no other dependency.
-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/320#note_265893893 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Dec 30 15:59:16 2019 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 30 Dec 2019 14:59:16 +0000 Subject: [gnutls-devel] GnuTLS | consider using an alternative build system (#320) In-Reply-To: References: Message-ID: Seppo Yli-Olli commented on a discussion: https://gitlab.com/gnutls/gnutls/issues/320#note_265895425 To be honest, I would be more concerned at creating possible cyclical dependencies for distros than whether Python supports some distro. But as long as things are built modular so you can disable TLS support from reverse dependencies of this project and build them twice during distro-level bootstrapping, it should probably be fine. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/320#note_265895425 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Dec 30 16:02:58 2019 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 30 Dec 2019 15:02:58 +0000 Subject: [gnutls-devel] GnuTLS | consider using an alternative build system (#320) In-Reply-To: References: Message-ID: Xavier Claessens commented on a discussion: https://gitlab.com/gnutls/gnutls/issues/320#note_265896550 oh, you mean python depends on gnutls? Didn't know that, it could be an issue indeed. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/320#note_265896550 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... 
URL: From gnutls-devel at lists.gnutls.org Mon Dec 30 16:20:14 2019 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 30 Dec 2019 15:20:14 +0000 Subject: [gnutls-devel] GnuTLS | consider using an alternative build system (#320) In-Reply-To: References: Message-ID: Seppo Yli-Olli commented on a discussion: https://gitlab.com/gnutls/gnutls/issues/320#note_265901668 I think Python itself uses OpenSSL. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/320#note_265901668 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Dec 30 16:27:37 2019 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 30 Dec 2019 15:27:37 +0000 Subject: [gnutls-devel] GnuTLS | consider using an alternative build system (#320) In-Reply-To: References: Message-ID: Xavier Claessens commented on a discussion: https://gitlab.com/gnutls/gnutls/issues/320#note_265903834 @nanonyme What cyclical dependencies were you referring to then? Is gnulib used by python? Or was that just hypothetical? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/320#note_265903834 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Dec 30 16:29:38 2019 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 30 Dec 2019 15:29:38 +0000 Subject: [gnutls-devel] GnuTLS | consider using an alternative build system (#320) In-Reply-To: References: Message-ID: Seppo Yli-Olli commented on a discussion: https://gitlab.com/gnutls/gnutls/issues/320#note_265904426 Mostly hypothetical since I don't remember the Meson dependency graph by heart. I can check later.
-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/320#note_265904426 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Dec 30 16:32:09 2019 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 30 Dec 2019 15:32:09 +0000 Subject: [gnutls-devel] GnuTLS | consider using an alternative build system (#320) In-Reply-To: References: Message-ID: Xavier Claessens commented on a discussion: https://gitlab.com/gnutls/gnutls/issues/320#note_265905212 Meson only requires python3.5 standard library. No other modules are needed, it is a design choice made to make it available everywhere. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/320#note_265905212 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Dec 30 16:37:13 2019 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 30 Dec 2019 15:37:13 +0000 Subject: [gnutls-devel] GnuTLS | consider using an alternative build system (#320) In-Reply-To: References: Message-ID: Xavier Claessens commented on a discussion: https://gitlab.com/gnutls/gnutls/issues/320#note_265907765 btw, since gnutls configure uses gnulib-tool.py, you effectively already have a build-dep on python. So porting to meson brings no new dependency, but removes sh, m4, autotools deps. That's a win-win situation ;-) -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/320#note_265907765 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... 
URL: From gnutls-devel at lists.gnutls.org Mon Dec 30 16:40:45 2019 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 30 Dec 2019 15:40:45 +0000 Subject: [gnutls-devel] GnuTLS | consider using an alternative build system (#320) In-Reply-To: References: Message-ID: Seppo Yli-Olli commented on a discussion: https://gitlab.com/gnutls/gnutls/issues/320#note_265908876 Yeah, I didn't mean to block this for the investigation. I'd be thrilled to see Meson support in GnuTLS. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/320#note_265908876 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Dec 30 16:46:41 2019 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 30 Dec 2019 15:46:41 +0000 Subject: [gnutls-devel] GnuTLS | consider using an alternative build system (#320) In-Reply-To: References: Message-ID: Tim Rühsen commented on a discussion: https://gitlab.com/gnutls/gnutls/issues/320#note_265910741 No, currently we are not using `gnulib-tool.py`. But it would be a gain in speed *if* python is available. If python is not available, we fall back to `gnulib-tool` which is a bash script. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/320#note_265910741 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed...
URL: From gnutls-devel at lists.gnutls.org Mon Dec 30 16:51:18 2019 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 30 Dec 2019 15:51:18 +0000 Subject: [gnutls-devel] GnuTLS | consider using an alternative build system (#320) In-Reply-To: References: Message-ID: Xavier Claessens commented on a discussion: https://gitlab.com/gnutls/gnutls/issues/320#note_265912098 oh ok, haven't seen that there is a shell version of the script. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/320#note_265912098 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Dec 30 16:59:04 2019 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 30 Dec 2019 15:59:04 +0000 Subject: [gnutls-devel] GnuTLS | consider using an alternative build system (#320) In-Reply-To: References: Message-ID: Tim Rühsen commented on a discussion: https://gitlab.com/gnutls/gnutls/issues/320#note_265914544 At some point they have to. Likely they do it manually every few months or years, just adding the updated gnulib files to the repo. GnuTLS has been there. We moved to gnulib's `bootstrap` that makes gnulib updates extremely easy. But that script does way more, e.g. it downloads and installs latest translation files, initializes git submodules, cleans up and installs all the gettext stuff, calls autopoint/autoreconf appropriately, prepares libtool, checks build prerequisites (tools + versions), and possibly things that I don't have in mind. To not have all that stuff in mind, we have `bootstrap`, a 1000+ line bash script.

> https://gitlab.gnome.org/GNOME/glib/blob/master/glib/gnulib/meson.build

This does not look so straightforward. And it likely requires some scripts with the proper calls to gnulib-tool. All in all possibly much more complicated than what we have now.
-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/320#note_265914544 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Dec 30 17:15:22 2019 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 30 Dec 2019 16:15:22 +0000 Subject: [gnutls-devel] GnuTLS | consider using an alternative build system (#320) In-Reply-To: References: Message-ID: Xavier Claessens commented on a discussion: https://gitlab.com/gnutls/gnutls/issues/320#note_265918898 It is indeed all manual it seems: https://gitlab.gnome.org/GNOME/glib/blob/master/glib/gnulib/README. I don't know gnulib/gnutls build tools enough to tell how that can be done with meson. I personally can read 1000+ lines of python, but 3 lines of bash and you already lost me. IMHO it's one of the strong reasons to move away from autotools: nobody has understood those languages in the past 2 decades. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/320#note_265918898 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Dec 30 18:16:17 2019 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 30 Dec 2019 17:16:17 +0000 Subject: [gnutls-devel] GnuTLS | consider using an alternative build system (#320) In-Reply-To: References: Message-ID: Tim Rühsen commented on a discussion: https://gitlab.com/gnutls/gnutls/issues/320#note_265934996 Hmmm, (ba)sh is mostly what I type on the console the whole day, plus some syntactic sugar. But surely I like python much more as a programming language than shell scripts. Shell scripts exist mainly to execute command sequences.
Both shell scripts and python "programs" complement each other (when designed correctly). -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/320#note_265934996 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Dec 30 18:56:58 2019 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 30 Dec 2019 17:56:58 +0000 Subject: [gnutls-devel] GnuTLS | consider using an alternative build system (#320) In-Reply-To: References: Message-ID: Tim Rühsen commented on a discussion: https://gitlab.com/gnutls/gnutls/issues/320#note_265944039 Another thing we didn't talk about is cross-building. E.g. building on x86_64 for aarch64, arm, mips, i686. What is meson's current status here? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/320#note_265944039 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Dec 30 19:08:30 2019 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 30 Dec 2019 18:08:30 +0000 Subject: [gnutls-devel] GnuTLS | .gitlab-ci.yml: i686-linux-gnu: verify executables are 32-bit (!1146) In-Reply-To: References: Message-ID: Tim Rühsen commented: @nmav We use `datefudge` on libtool shell scripts, e.g. `datefudge ../src/certtool` when `../src/certtool` is a shell script. Since in this shell script several 64bit commands are executed, we see one error for each of them. Not sure how predictable that is at all. What we need are `-noinstall` real executables in `src/`. We have had similar issues in wget2 and thus always produce both versions of wget2, one for installation and `wget2_noinstall` for testing.
After `apt-get install datefudge:amd64` the issue is gone and the test succeeds. *scratch* - not sure I understand this fully. It means the 64bit datefudge with 32bit/i686 and 64bit/amd64 executables. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1146#note_265947239 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Dec 30 19:12:57 2019 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 30 Dec 2019 18:12:57 +0000 Subject: [gnutls-devel] GnuTLS | UB+ASAN: Fail tests if UB detected (!1136) In-Reply-To: References: Message-ID: Tim Rühsen pushed new commits to merge request !1136 https://gitlab.com/gnutls/gnutls/merge_requests/1136 * 249eb444 - Install 64bit datefudge on i686 runner -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1136 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Dec 30 20:14:44 2019 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 30 Dec 2019 19:14:44 +0000 Subject: [gnutls-devel] GnuTLS | consider using an alternative build system (#320) In-Reply-To: References: Message-ID: Xavier Claessens commented on a discussion: https://gitlab.com/gnutls/gnutls/issues/320#note_265963440 To cross build with meson, you need to write a cross-file: https://mesonbuild.com/Cross-compilation.html Example: https://gitlab.freedesktop.org/gstreamer/gst-build/tree/master/data/cross-files -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/320#note_265963440 You're receiving this email because of your account on gitlab.com.
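On the `wrong ELF class: ELFCLASS32` errors in the !1146 thread above: ld.so names the class of the object it refused to load, so each line is a 32-bit `datefudge.so` being pushed through LD_PRELOAD into a 64-bit process (the 64-bit commands run from the libtool wrapper scripts that Tim describes, and the openssl binary Nikos points at). The C program below is an added example written for this page, not GnuTLS, glibc or datefudge code. It reads the `e_ident` bytes of an ELF file, classifies it as 32- or 64-bit, and reports whether a given preload library and executable share one class, which is the check a CI job could run on its test binaries before trusting `datefudge` output. The two 16-byte sample headers are constructed inline for demonstration and are not copied from any real binary; the function and constant names are mine.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example for this thread, not GnuTLS, glibc or datefudge code.
 * Offsets and values follow the e_ident layout of the ELF specification. */
#define EI_CLASS   4   /* index of the class byte within e_ident */
#define ELFCLASS32 1
#define ELFCLASS64 2

static const unsigned char ELF_MAGIC[4] = { 0x7f, 'E', 'L', 'F' };

/* Classify a header: 32 or 64 for a valid ELF e_ident, 0 otherwise. */
int elf_class(const unsigned char *hdr, size_t len)
{
    if (hdr == NULL || len <= EI_CLASS ||
        memcmp(hdr, ELF_MAGIC, sizeof ELF_MAGIC) != 0)
        return 0;
    switch (hdr[EI_CLASS]) {
    case ELFCLASS32: return 32;
    case ELFCLASS64: return 64;
    default:         return 0;
    }
}

/* ld.so only honours an LD_PRELOAD object whose class matches the running
 * executable; otherwise it reports the class of the rejected object
 * ("wrong ELF class: ELFCLASS32" for a 32-bit library in a 64-bit process)
 * and ignores it. Return 1 when the preload would be accepted. */
int preload_compatible(const unsigned char *lib, size_t liblen,
                       const unsigned char *exe, size_t exelen)
{
    int lc = elf_class(lib, liblen);
    int ec = elf_class(exe, exelen);
    return lc != 0 && lc == ec;
}

/* Read e_ident from a file on disk: 32, 64, 0 for non-ELF, -1 if unreadable. */
int elf_class_of_file(const char *path)
{
    unsigned char hdr[16];
    size_t n;
    FILE *f = fopen(path, "rb");
    if (f == NULL)
        return -1;
    n = fread(hdr, 1, sizeof hdr, f);
    fclose(f);
    return elf_class(hdr, n);
}

/* Constructed sample e_ident blocks (class byte, then little-endian data
 * encoding and ELF version 1); not copied from any real binary. */
const unsigned char SAMPLE_ELF32[16] = { 0x7f, 'E', 'L', 'F', ELFCLASS32, 1, 1 };
const unsigned char SAMPLE_ELF64[16] = { 0x7f, 'E', 'L', 'F', ELFCLASS64, 1, 1 };

/* Usage: ./elfclass datefudge.so /path/to/program...
 * Prints each file's class and flags the ones ld.so would refuse to
 * preload the library into. A libtool wrapper script is not ELF at all,
 * which is why the real test has to look at the binaries it execs. */
int main(int argc, char **argv)
{
    int i, libclass;
    if (argc < 3) {
        fprintf(stderr, "usage: %s preload.so executable...\n", argv[0]);
        return 2;
    }
    libclass = elf_class_of_file(argv[1]);
    if (libclass <= 0) {
        fprintf(stderr, "%s: not a readable ELF object\n", argv[1]);
        return 1;
    }
    printf("%s: ELFCLASS%d\n", argv[1], libclass);
    for (i = 2; i < argc; i++) {
        int c = elf_class_of_file(argv[i]);
        if (c <= 0)
            printf("%s: not a readable ELF object (wrapper script?)\n", argv[i]);
        else
            printf("%s: ELFCLASS%d%s\n", argv[i], c,
                   c == libclass ? "" : "  <- wrong ELF class for this preload");
    }
    return 0;
}
```

Run it as `./elfclass /usr/lib/i386-linux-gnu/datefudge/datefudge.so src/.libs/certtool $(command -v openssl)` (paths are illustrative) and every line flagged is a process that will silently run with the real clock, which is what made the OCSP test fail without any test-level error.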
-------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Dec 30 20:51:23 2019 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 30 Dec 2019 19:51:23 +0000 Subject: [gnutls-devel] GnuTLS | consider using an alternative build system (#320) In-Reply-To: References: Message-ID: Seppo Yli-Olli commented on a discussion: https://gitlab.com/gnutls/gnutls/issues/320#note_265969817 Just checked our tree, couldn't find anything especially worrying. Looks like it's mostly gnutls->curl->git which might generate unexpected cycles but that's not a new thing and that's also quite easy to work around and I would expect people who care have done that already. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/320#note_265969817 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Dec 30 22:22:07 2019 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 30 Dec 2019 21:22:07 +0000 Subject: [gnutls-devel] GnuTLS | .gitlab-ci.yml: i686-linux-gnu: verify executables are 32-bit (!1146) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos commented: I'm not sure if that's an issue. Indeed it would have been nicer without the errors but the LD_PRELOAD gets inherited and used where it should (all other tests succeed). There is something in that script that makes it fail after the change, which is not in other scripts. What's different here is that the openssl binary is being called, and that, as I see in the generator dockerfile, is not a 32-bit binary. So we should either skip this test, or install a 32-bit openssl binary.
-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1146#note_265988850 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Dec 30 22:42:44 2019 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 30 Dec 2019 21:42:44 +0000 Subject: [gnutls-devel] GnuTLS | UB+ASAN: Fail tests if UB detected (!1136) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos started a new discussion on .gitlab-ci.yml: https://gitlab.com/gnutls/gnutls/merge_requests/1136#note_265991877 > stage: stage1-testing > image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$DEBIAN_X86_CROSS_BUILD > script: > + - apt-get install -y datefudge:amd64 Let's use a 32-bit openssl. I've recreated the image to contain a 32-bit openssl: https://gitlab.com/gnutls/build-images/-/jobs/391224238 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1136#note_265991877 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Dec 30 22:50:29 2019 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 30 Dec 2019 21:50:29 +0000 Subject: [gnutls-devel] GnuTLS | WPA EAP-TLS Failed to Connect (#890) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos commented: There is very little to say here. Please report the issue to the application you are using. Nevertheless the error from its backend (gnutls) is pretty clear: `GnuTLS: The certificate is NOT trusted. The certificate chain uses insecure algorithm.` -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/890#note_265993047 You're receiving this email because of your account on gitlab.com. 
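Review bot: the `+ - apt-get install -y datefudge:amd64` line in the `script:` section installs a package at job run time inside the `$DEBIAN_X86_CROSS_BUILD` image; this makes every pipeline run depend on the apt mirror being reachable and, without a preceding `apt-get update`, can fail on stale package lists, so the dependency belongs in the build image (which is where this discussion then moves it). It also addresses the symptom rather than the cause: the ld.so errors come from 64-bit helper processes, notably the 64-bit openssl binary, being spawned inside a job whose stated purpose is to verify that the executables are 32-bit, so a 32-bit openssl in the image, as proposed here, keeps the job exercising one ELF class instead of two, while a second datefudge only lets the 64-bit helpers see the fudged clock.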
-------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Dec 30 22:50:30 2019 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 30 Dec 2019 21:50:30 +0000 Subject: [gnutls-devel] GnuTLS | WPA EAP-TLS Failed to Connect (#890) In-Reply-To: References: Message-ID: Issue was closed by Nikos Mavrogiannopoulos Issue #890: https://gitlab.com/gnutls/gnutls/issues/890 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/890 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Dec 30 23:25:06 2019 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 30 Dec 2019 22:25:06 +0000 Subject: [gnutls-devel] GnuTLS | UB+ASAN: Fail tests if UB detected (!1136) In-Reply-To: References: Message-ID: Tim Rühsen commented on a discussion on .gitlab-ci.yml: https://gitlab.com/gnutls/gnutls/merge_requests/1136#note_265998003 > stage: stage1-testing > image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$DEBIAN_X86_CROSS_BUILD > script: > + - apt-get install -y datefudge:amd64 Pushed without latest commit after build-images pipeline succeeded. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1136#note_265998003 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed...
URL: From gnutls-devel at lists.gnutls.org Mon Dec 30 23:34:00 2019 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 30 Dec 2019 22:34:00 +0000 Subject: [gnutls-devel] GnuTLS | Speed up or avoid bootstrap in CI runners (#891) In-Reply-To: References: Message-ID: Tim Rühsen commented: The two gnulib-tool invocations in `bootstrap.conf` use options that are not implemented in `gnulib-tool.py`. That python tool needs some work, likely nothing complicated. Measured here, each replacement of `gnulib-tool` by the python version gives me a ~6s boost, so reducing `./bootstrap` here from 1m03 to 45s then. Would be nice to have that for other projects as well. The other CPU intensive commands are mostly perl scripts (autoreconf and autopoint). When the above things are done, we can analyze the command/fork/system timings with [librusage](https://gitlab.com/rockdaboot/librusage). -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/891#note_265999826 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed...
URL: From gnutls-devel at lists.gnutls.org Tue Dec 31 03:06:00 2019 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 31 Dec 2019 02:06:00 +0000 Subject: [gnutls-devel] GnuTLS | Dummy getrandom() definition can cause have_getrandom() = 1, causing TLS failure (#892) References: Message-ID: Edward Stangler created an issue: https://gitlab.com/gnutls/gnutls/issues/892

## Description of problem:

When compiling on Linux that doesn't have getrandom() at all:

```
/* if defined(__linux__) && !defined(HAVE_GETRANDOM) && !defined(SYS_getrandom) */
# define getrandom(dst,s,flags) -1
```

Then if this executes (on a Linux with kernel < 3.17, for example) during GNU TLS init:

```
static unsigned have_getrandom(void)
{
	char c;
	int ret;

	ret = getrandom(&c, 1, 1/*GRND_NONBLOCK*/);
	if (ret == 1 || (ret == -1 && errno == EAGAIN))
		return 1;
	return 0;
}
```

Then have_getrandom() = 1 when GNU TLS init is executed right after an API call that sets errno = EAGAIN. This causes TLS failure. This actually happened. At a very bad time.

Our patch was to change this line:

```
# define getrandom(dst,s,flags) -1
```

to this:

```
static ssize_t _getrandom0(void *buf, size_t buflen, unsigned int flags)
{
	errno = ENOSYS;
	return -1;
}
# define getrandom(dst,s,flags) _getrandom0(dst,s,flags)
```

## Version of gnutls used:

3.6.10

## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)

None

## How reproducible:

Always

Steps to Reproduce:
* one
* two
* three

## Actual results:

## Expected results:

-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/892 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed...
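To make the failure mode in issue #892 concrete, here is a small C model written for this page; it is not GnuTLS code. The fallback `getrandom` macro from the report expands to the bare constant `-1`, so the `errno == EAGAIN` test in `have_getrandom()` reads whatever errno the caller left behind. Both fallbacks are wrapped as functions so they can be exercised side by side against the probe as quoted in the report, and `probe_after_stale_eagain()` stands in for "an API call that sets errno = EAGAIN" immediately before library init. The `have_getrandom_hardened()` variant, which clears errno before probing, is my own suggestion and is not part of the issue or of the reporter's patch.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/types.h>

/* Added example modelling issue #892; not GnuTLS code. The library uses a
 * macro, getrandom(dst,s,flags) -1, on Linux builds without getrandom();
 * both fallbacks are wrapped as functions here so they can be swapped. */
typedef ssize_t (*getrandom_fn)(void *buf, size_t len, unsigned int flags);

/* Original fallback: evaluates to -1 and leaves errno untouched. */
ssize_t getrandom_fallback_original(void *buf, size_t len, unsigned int flags)
{
    (void)buf; (void)len; (void)flags;
    return -1;
}

/* Fallback from the reporter's patch: fail with ENOSYS, like a missing syscall. */
ssize_t getrandom_fallback_patched(void *buf, size_t len, unsigned int flags)
{
    (void)buf; (void)len; (void)flags;
    errno = ENOSYS;
    return -1;
}

/* The probe as quoted in the report: a -1 return with errno == EAGAIN is
 * taken to mean "getrandom exists but the pool is not seeded yet". */
unsigned have_getrandom_as_reported(getrandom_fn gr)
{
    char c;
    int ret;

    ret = (int)gr(&c, 1, 1 /* GRND_NONBLOCK */);
    if (ret == 1 || (ret == -1 && errno == EAGAIN))
        return 1;
    return 0;
}

/* Suggested hardening (not from the issue): reset errno before the call so
 * the EAGAIN test can only observe a value produced by this very call. */
unsigned have_getrandom_hardened(getrandom_fn gr)
{
    char c;
    int ret;

    errno = 0;
    ret = (int)gr(&c, 1, 1 /* GRND_NONBLOCK */);
    if (ret == 1 || (ret == -1 && errno == EAGAIN))
        return 1;
    return 0;
}

/* Stand-in for "an API call that sets errno = EAGAIN" right before init
 * (a non-blocking read on an empty socket would do it), then run the probe. */
unsigned probe_after_stale_eagain(getrandom_fn gr, unsigned (*probe)(getrandom_fn))
{
    errno = EAGAIN;
    return probe(gr);
}

int main(void)
{
    printf("original fallback, reported probe: have_getrandom=%u (wrong)\n",
           probe_after_stale_eagain(getrandom_fallback_original, have_getrandom_as_reported));
    printf("patched fallback,  reported probe: have_getrandom=%u\n",
           probe_after_stale_eagain(getrandom_fallback_patched, have_getrandom_as_reported));
    printf("original fallback, hardened probe: have_getrandom=%u\n",
           probe_after_stale_eagain(getrandom_fallback_original, have_getrandom_hardened));
    return 0;
}
```

Either fix on its own closes the hole shown here: the patched fallback produces an errno the probe will not mistake for "not seeded yet", and the hardened probe stops trusting an errno it did not produce. Doing both is cheap, since a probe that clears errno first also protects every other fallback path that returns -1 without setting it.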
URL: From gnutls-devel at lists.gnutls.org Tue Dec 31 11:18:02 2019 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 31 Dec 2019 10:18:02 +0000 Subject: [gnutls-devel] GnuTLS | UB+ASAN: Fail tests if UB detected (!1136) In-Reply-To: References: Message-ID: Tim Rühsen commented on a discussion on .gitlab-ci.yml: https://gitlab.com/gnutls/gnutls/merge_requests/1136#note_266100989 > stage: stage1-testing > image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$DEBIAN_X86_CROSS_BUILD > script: > + - apt-get install -y datefudge:amd64 Now the package `dpkg-dev`, which contains the command `dpkg-architecture`, is missing. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1136#note_266100989 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Dec 31 12:30:57 2019 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 31 Dec 2019 11:30:57 +0000 Subject: [gnutls-devel] GnuTLS | WIP: Support for GOST-CTR ciphersuites from draft-smyshlyaec-tls12-gost-suites (!1144) In-Reply-To: References: Message-ID: Dmitry Eremin-Solenikov commented: I also do not like `ioctl`-like calls, which allow one to pass arbitrary values. Given that the GnuTLS crypto API is about high-level algorithm definitions, I'd create test vectors for the TLS-specified section size. The low-level implementation (if it is merged into Nettle one day) will use test vectors from the official docs since it will be able to set the section size manually. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1144#note_266117767 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed...
URL: From gnutls-devel at lists.gnutls.org Tue Dec 31 18:49:57 2019 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 31 Dec 2019 17:49:57 +0000 Subject: [gnutls-devel] GnuTLS | guile: Arrange to make 'gnutls.scm' architecture-independent. (!1121) In-Reply-To: References: Message-ID: Andreas Metzler commented on a discussion: https://gitlab.com/gnutls/gnutls/merge_requests/1121#note_266194852 I cannot come up with a simple test. You'd need to build on two different archs with multiarch paths and compare the file in /usr/share. This will show up on Debian post gnutls-release and I assume there is automatic testing for this issue on the shipped packages. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1121#note_266194852 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: