From gnutls-devel at lists.gnutls.org Fri Nov 1 09:59:42 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 01 Nov 2019 08:59:42 +0000
Subject: [gnutls-devel] GnuTLS | nettle: Support sysctl(KERN_ARND) for random number generation on NetBSD. (!1109)
In-Reply-To:
References:
Message-ID:

Merge Request !1109 was merged

Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/1109
Project:Branches: niaa/gnutls:master to gnutls/gnutls:master
Author: nia
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1109
You're receiving this email because of your account on gitlab.com.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From gnutls-devel at lists.gnutls.org Fri Nov 1 09:59:43 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 01 Nov 2019 08:59:43 +0000
Subject: [gnutls-devel] GnuTLS | nettle: Support sysctl(KERN_ARND) for random number generation on NetBSD. (!1109)
In-Reply-To:
References:
Message-ID:

Merge Request !1109 was approved by Nikos Mavrogiannopoulos

Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/1109
Project:Branches: niaa/gnutls:master to gnutls/gnutls:master
Author: nia
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1109

From gnutls-devel at lists.gnutls.org Fri Nov 1 09:59:51 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 01 Nov 2019 08:59:51 +0000
Subject: [gnutls-devel] GnuTLS | nettle: Support sysctl(KERN_ARND) for random number generation on NetBSD. (!1109)
In-Reply-To:
References:
Message-ID:

Nikos Mavrogiannopoulos commented:

Thank you!

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1109#note_238796609

From gnutls-devel at lists.gnutls.org Fri Nov 1 12:07:17 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 01 Nov 2019 11:07:17 +0000
Subject: [gnutls-devel] GnuTLS | WIP: Update CI to F31 (!1113)
In-Reply-To:
References:
Message-ID:

Dmitry Eremin-Solenikov commented:

@nmav it looks like F31's `strcmp()` function does something crazy that makes Valgrind believe that it accesses uninitialized values. Is there a way to disable glibc/gcc optimized `strcmp()` functions somehow?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1113#note_238857810

From gnutls-devel at lists.gnutls.org Fri Nov 1 14:00:24 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 01 Nov 2019 13:00:24 +0000
Subject: [gnutls-devel] GnuTLS | WIP: Update CI to F31 (!1113)
In-Reply-To:
References:
Message-ID:

Nikos Mavrogiannopoulos commented:

I think it relates to https://gitlab.com/gnutls/libtasn1/issues/9; maybe we can add an additional suppression for valgrind.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1113#note_238908717

From gnutls-devel at lists.gnutls.org Fri Nov 1 14:04:37 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 01 Nov 2019 13:04:37 +0000
Subject: [gnutls-devel] GnuTLS | WIP: Update CI to F31 (!1113)
In-Reply-To:
References:
Message-ID:

Nikos Mavrogiannopoulos pushed new commits to merge request !1113

https://gitlab.com/gnutls/gnutls/merge_requests/1113

* f481c7e3 - .gitlab-ci.yml: removed unnecessary use of --enable-valgrind-tests
* 10d99887 - .gitlab-ci.yml: do not inline strcmp in valgrind build

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1113

From gnutls-devel at lists.gnutls.org Fri Nov 1 15:39:47 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 01 Nov 2019 14:39:47 +0000
Subject: [gnutls-devel] GnuTLS | WIP: Update CI to F31 (!1113)
In-Reply-To:
References:
Message-ID:

Nikos Mavrogiannopoulos pushed new commits to merge request !1113

https://gitlab.com/gnutls/gnutls/merge_requests/1113

* 676fa3c9 - .gitlab-ci.yml: removed unnecessary use of --enable-valgrind-tests
* e484c69c - .gitlab-ci.yml: do not inline strcmp in valgrind build

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1113

From gnutls-devel at lists.gnutls.org Fri Nov 1 20:17:35 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 01 Nov 2019 19:17:35 +0000
Subject: [gnutls-devel] GnuTLS | gnutls_hkdf{expand, extract}: new API functions exposed (!1115)
References:
Message-ID:

Aniketh Girish created a merge request: https://gitlab.com/gnutls/gnutls/merge_requests/1115

Project:Branches: Aniketh01/gnutls:quic-expose-hkdf to gnutls/gnutls:tmp-draft-ietf-quic-tls-23
Author: Aniketh Girish

Add a description of the new feature/bug fix. Reference any relevant bugs.

## Checklist

* [ ] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [ ] Code modified for feature
* [ ] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
* [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:

* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1115

From gnutls-devel at lists.gnutls.org Fri Nov 1 20:20:00 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 01 Nov 2019 19:20:00 +0000
Subject: [gnutls-devel] GnuTLS | gnutls_hkdf{expand, extract}: new API functions exposed (!1115)
In-Reply-To:
References:
Message-ID:

Aniketh Girish commented:

@dueno Hi, please do let me know if there are any other changes needed to be made. I will add the documentation soon.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1115#note_239046969

From gnutls-devel at lists.gnutls.org Fri Nov 1 21:17:07 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 01 Nov 2019 20:17:07 +0000
Subject: [gnutls-devel] GnuTLS | tls-sig: reverse bytes in TLS signatures for GOST signatures (!1114)
In-Reply-To:
References:
Message-ID:

Merge Request !1114 was approved by Nikos Mavrogiannopoulos

Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/1114
Project:Branches: GostCrypt/gnutls:crt-vrfy-final to gnutls/gnutls:master
Author: Dmitry Eremin-Solenikov
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1114

From gnutls-devel at lists.gnutls.org Fri Nov 1 21:53:15 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 01 Nov 2019 20:53:15 +0000
Subject: [gnutls-devel] GnuTLS | Update CI to F31 (!1113)
In-Reply-To:
References:
Message-ID:

Merge Request !1113 was approved by Dmitry Eremin-Solenikov

Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/1113
Project:Branches: nmav/gnutls:tmp-update-ci-to-f31 to gnutls/gnutls:master
Author: Nikos Mavrogiannopoulos
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1113

From gnutls-devel at lists.gnutls.org Fri Nov 1 21:53:25 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 01 Nov 2019 20:53:25 +0000
Subject: [gnutls-devel] GnuTLS | Update CI to F31 (!1113)
In-Reply-To:
References:
Message-ID:

Dmitry Eremin-Solenikov commented:

LGTM now

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1113#note_239069166

From gnutls-devel at lists.gnutls.org Sat Nov 2 10:15:51 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 02 Nov 2019 09:15:51 +0000
Subject: [gnutls-devel] GnuTLS | Update CI to F31 (!1113)
In-Reply-To:
References:
Message-ID:

Merge Request !1113 was merged

Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/1113
Project:Branches: nmav/gnutls:tmp-update-ci-to-f31 to gnutls/gnutls:master
Author: Nikos Mavrogiannopoulos
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1113

From gnutls-devel at lists.gnutls.org Sat Nov 2 20:51:23 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 02 Nov 2019 19:51:23 +0000
Subject: [gnutls-devel] GnuTLS | cipher cfb8 decrypt fixes (!1084)
In-Reply-To:
References:
Message-ID:

Nikos Mavrogiannopoulos commented:

@gd7 would you like to test the nettle fixes whether they also fix the issues you see?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1084#note_239242095

From gnutls-devel at lists.gnutls.org Sat Nov 2 21:15:38 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 02 Nov 2019 20:15:38 +0000
Subject: [gnutls-devel] GnuTLS | GOST key exchange support (!1097)
In-Reply-To:
References:
Message-ID:

Reassigned Merge Request 1097

https://gitlab.com/gnutls/gnutls/merge_requests/1097

Assignee changed to Nikos Mavrogiannopoulos

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1097

From gnutls-devel at lists.gnutls.org Sat Nov 2 21:26:44 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 02 Nov 2019 20:26:44 +0000
Subject: [gnutls-devel] GnuTLS | tls-sig: reverse bytes in TLS signatures for GOST signatures (!1114)
In-Reply-To:
References:
Message-ID:

Merge Request !1114 was merged

Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/1114
Project:Branches: GostCrypt/gnutls:crt-vrfy-final to gnutls/gnutls:master
Author: Dmitry Eremin-Solenikov
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1114

From gnutls-devel at lists.gnutls.org Sat Nov 2 21:33:02 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 02 Nov 2019 20:33:02 +0000
Subject: [gnutls-devel] GnuTLS | Add support for CNT_IMIT TLS 1.2 GOST cipher suite (!920)
In-Reply-To:
References:
Message-ID:

Dmitry Eremin-Solenikov pushed new commits to merge request !920

https://gitlab.com/gnutls/gnutls/merge_requests/920

* 445fa364...416b1922 - 16 commits from branch `master`
* ef482849 - nettle/gost: provide GOST keywrapping support
* efccf57c - nettle/gost: add support for GOST VKO algorithm
* 3f31b384 - _gnutls_pk_derive: add argument for nonce
* 4ef57512 - nettle: add support for GOST key derivation
* a31daf38 - Add GOST key transport support
* 309927a6 - Declare groups corresponding to GOST curves
* d95b29f7 - ecc: define curve->group relationship
* d2c7a65b - groups: add function to return group by curve
* 275a7ac6 - Add support for VKO GOST key exchange
* 9d7ad4c5 - Support GOST certificate request values
* 71f19c71 - Add GOST cipher suites
* eaa438db - Add GOST values to cipher suites priorities
* 5726409d - tests: add tests for KX-GOST-VKO using different key variants
* 7f7a650c - lib: fix group selection in case of GOST cipher suites
* bee19d20 - tests: added testcases for ciphersuite/KX negotiation with VKO-GOST
* 323762a8 - cli-debug: include GOST VKO into KX list
* 432933fb - priority: add GROUP-GOST-ALL keyword
* 92a5f93e - ext/signature: use GOST signatures for GOST ciphersiuites
* 30ce2b6c - gnutls-cli-debug: add GOST_CNT-related KX/cipher/MAC tests
* a43728ef - tls13-server-kx-neg: add test for GOST-enabled server and client
* 9c5acf8c - Add check for gost curves in nettle

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/920

From gnutls-devel at lists.gnutls.org Sat Nov 2 21:48:08 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 02 Nov 2019 20:48:08 +0000
Subject: [gnutls-devel] GnuTLS | GOST key exchange support (!1097)
In-Reply-To:
References:
Message-ID:

Merge request https://gitlab.com/gnutls/gnutls/merge_requests/1097 was reviewed by Nikos Mavrogiannopoulos

--
Nikos Mavrogiannopoulos started a new discussion on lib/nettle/pk.c: https://gitlab.com/gnutls/gnutls/merge_requests/1097#note_239245801

> + } > + > + if (nonce == NULL)

There seems to be a leak on this point. `ecc_pub` and `ecc_priv`.

--
Nikos Mavrogiannopoulos started a new discussion on lib/nettle/gost_keywrap.c: https://gitlab.com/gnutls/gnutls/merge_requests/1097#note_239245802

> + gnutls_assert(); > + _gnutls_free_temp_key_datum(cek); > + return GNUTLS_E_INTERNAL_ERROR;

Is it really an internal error, or something on the parameters?

--
Nikos Mavrogiannopoulos started a new discussion on lib/vko.c: https://gitlab.com/gnutls/gnutls/merge_requests/1097#note_239245803

> + } > + > + ret = gnutls_hash_init(&dig, digalg);

If performance could be an issue here, `_gnutls_hash_fast` may be more suitable.
--
Nikos Mavrogiannopoulos started a new discussion on lib/vko.c: https://gitlab.com/gnutls/gnutls/merge_requests/1097#note_239245805

> + > + ret = _gnutls_x509_write_value(kx, "sessionEncryptedKey.encryptedKey", &enc); > + if (ret != ASN1_SUCCESS) {

`ret < 0`

--
Nikos Mavrogiannopoulos started a new discussion on lib/vko.c: https://gitlab.com/gnutls/gnutls/merge_requests/1097#note_239245806

> + > + ret = _gnutls_x509_write_value(kx, "sessionEncryptedKey.maskKey", &zero_data); > + if (ret != ASN1_SUCCESS) {

`ret < 0` as well

--
Nikos Mavrogiannopoulos started a new discussion on lib/vko.c: https://gitlab.com/gnutls/gnutls/merge_requests/1097#note_239245807

> + } > + ret = _gnutls_x509_write_value(kx, "sessionEncryptedKey.macKey", &imit); > + if (ret != ASN1_SUCCESS) {

same here

--
Nikos Mavrogiannopoulos started a new discussion on lib/vko.c: https://gitlab.com/gnutls/gnutls/merge_requests/1097#note_239245808

> + if (ret != ASN1_SUCCESS) { > + gnutls_assert(); > + ret = _gnutls_asn2err(ret);

that's not necessary; maybe use different variable names for asn1 return values to easier distinguish them.

--
Nikos Mavrogiannopoulos started a new discussion on lib/vko.c: https://gitlab.com/gnutls/gnutls/merge_requests/1097#note_239245809

> +/* Returns 1 if decode used ephemeral key */ > +int > +_gnutls_gost_keytrans_decrypt(gnutls_pk_params_st *pub,

Would you like to add some description on the key transport, either in the commit message or this file? Some high level info on how it is supposed to work and the rfc/draft section it is specified on. While I can read what it does, it does not seem easy to go back to the specification to check what is expected.

--
Nikos Mavrogiannopoulos started a new discussion on lib/vko.c: https://gitlab.com/gnutls/gnutls/merge_requests/1097#note_239245810

> + gnutls_assert(); > + _gnutls_free_datum(&ukm2); > + ret = GNUTLS_E_ASN1_DER_ERROR;

Why is it a der error here?
--
Nikos Mavrogiannopoulos started a new discussion on lib/algorithms/groups.c: https://gitlab.com/gnutls/gnutls/merge_requests/1097#note_239245811

> +#ifdef ENABLE_GOST > + { > + .name = "GC256A",

Should we link the rfc defining the numbers?

--
Nikos Mavrogiannopoulos started a new discussion on lib/algorithms.h: https://gitlab.com/gnutls/gnutls/merge_requests/1097#note_239245813

> unsigned gost_curve; > bool supported; > + gnutls_group_t group;

Is that sufficient? There may be several places where this mapping is used in a direct way. Shouldn't we replace them to follow that new mapping?

--
Nikos Mavrogiannopoulos started a new discussion on lib/algorithms/ecc.c: https://gitlab.com/gnutls/gnutls/merge_requests/1097#note_239245814

> + * Returns: the group associated with the named curve or %GNUTLS_GROUP_INVALID. > + * > + * Since: 3.6.9

3.6.10

--
Nikos Mavrogiannopoulos started a new discussion on lib/algorithms/ecc.c: https://gitlab.com/gnutls/gnutls/merge_requests/1097#note_239245815

> + * Since: 3.6.9 > + */ > +gnutls_group_t _gnutls_ecc_curve_get_group(gnutls_ecc_curve_t curve)

There is an underscore in the name here, however it is not in the description.

--
Nikos Mavrogiannopoulos started a new discussion on lib/auth/vko_gost.c: https://gitlab.com/gnutls/gnutls/merge_requests/1097#note_239245816

> +calc_ukm(gnutls_session_t session, gnutls_datum_t *ukm) > +{ > + gnutls_digest_algorithm_t digalg = GNUTLS_DIG_STREEBOG_256;

Looks like a const would be suitable.

--
Nikos Mavrogiannopoulos started a new discussion on lib/auth/vko_gost.c: https://gitlab.com/gnutls/gnutls/merge_requests/1097#note_239245817

> + > +static int > +calc_ukm(gnutls_session_t session, gnutls_datum_t *ukm)

Given that the output size is fixed here to 8 bytes would it make sense to avoid the malloc here?
--
Nikos Mavrogiannopoulos started a new discussion on lib/auth/vko_gost.c: https://gitlab.com/gnutls/gnutls/merge_requests/1097#note_239245818

> + ret = asn1_get_length_der(&data[i], data_size, &len); > + if (ret < 0) > + return gnutls_assert_val(_gnutls_asn2err(ret));

`ret` here cannot be converted to error. It is not a standard libtasn1 error.

--
Nikos Mavrogiannopoulos started a new discussion on lib/auth/vko_gost.c: https://gitlab.com/gnutls/gnutls/merge_requests/1097#note_239245819

> + i += 1; > + > + ret = asn1_get_length_der(&data[i], data_size, &len);

I wish I could unsee that asn.1/tls mix!

--
Nikos Mavrogiannopoulos started a new discussion on lib/auth/vko_gost.c: https://gitlab.com/gnutls/gnutls/merge_requests/1097#note_239245820

> + return gnutls_assert_val(ret); > + > + if (!privkey || privkey->type != GNUTLS_PRIVKEY_X509) {

Wouldn't it be simpler if it was earlier (simpler in the sense that no cleanup is necessary)?

--
Nikos Mavrogiannopoulos started a new discussion on lib/auth/vko_gost.c: https://gitlab.com/gnutls/gnutls/merge_requests/1097#note_239245821

> + } > + > + ret = _gnutls_gost_keytrans_decrypt(has_pcert ? &peer_cert.pubkey->params : NULL,

I think having two separate code paths here would make it much easier to read. I.e., without `has_pcert` variable.

--
Nikos Mavrogiannopoulos started a new discussion on lib/auth/vko_gost.c: https://gitlab.com/gnutls/gnutls/merge_requests/1097#note_239245822

> + > + if (ret == 0) > + session->internals.hsk_flags &= ~HSK_CRT_VRFY_EXPECTED;

Is that necessary? It is not done by any other auth.

--
Nikos Mavrogiannopoulos started a new discussion on lib/auth/vko_gost.c: https://gitlab.com/gnutls/gnutls/merge_requests/1097#note_239245823

> + uint8_t priv_buf[512/8]; > + char buf[512 / 4 + 1]; > +

Given that this is about printing would it make sense to make it conditional on the same condition as the hard_log function so that it returns early?
--
Nikos Mavrogiannopoulos started a new discussion on lib/auth/vko_gost.c: https://gitlab.com/gnutls/gnutls/merge_requests/1097#note_239245824

> + has_pcert = 1; > + } > +

Are there decryption oracles we should worry about? I.e., should that be constant time/memory access?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1097

From gnutls-devel at lists.gnutls.org Sat Nov 2 21:48:17 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 02 Nov 2019 20:48:17 +0000
Subject: [gnutls-devel] GnuTLS | GOST key exchange support (!1097)
In-Reply-To:
References:
Message-ID:

Reassigned Merge Request 1097

https://gitlab.com/gnutls/gnutls/merge_requests/1097

Assignee changed from Nikos Mavrogiannopoulos to Unassigned

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1097

From gnutls-devel at lists.gnutls.org Sun Nov 3 06:43:17 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 03 Nov 2019 05:43:17 +0000
Subject: [gnutls-devel] GnuTLS | new coverity issues (#857)
References:
Message-ID:

Nikos Mavrogiannopoulos created an issue: https://gitlab.com/gnutls/gnutls/issues/857

There are 7 new coverity issues; some of them seem to be related with the new code:

```Your request for analysis of GnuTLS has been completed successfully. The results are available at```
https://u2389337.ct.sendgrid.net/wf/click?upn=08onrYu34A-2BWcWUl-2F-2BfV0V05UPxvVjWch-2Bd2MGckcRbX3XjXzak05n39fVjRKRJBstdwvApONIEtK0Ba1iQ0GQ-3D-3D_MzsU9UsDXAMLpEZta0NFuACg-2BqqwjyKMJpmisQkFkIkTaDOcFZ0pIBkl-2FsCCjaXO4x-2FxeNQrjOyX5JrZupeYZ9ZbL8hxcAHvm-2BHFPSuY7RT2oJYzgAEgwwUVnYtdhCqCcFqP9sTRlvhB9eQmTgYIN7YMmTmrq06mTHSmrLQn88BgbXi7mh6geMjPmqoAc6IXBXXmm5m-2FQQa7CpzRiMOZzf3dGoknKj-2F9fU4UwjheOHc-3D

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/857

From gnutls-devel at lists.gnutls.org Sun Nov 3 06:44:41 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 03 Nov 2019 05:44:41 +0000
Subject: [gnutls-devel] GnuTLS | new coverity issues (#857)
In-Reply-To:
References:
Message-ID:

Nikos Mavrogiannopoulos commented:

@lumag some of them seem to be related with the new gost changes

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/857#note_239267915

From gnutls-devel at lists.gnutls.org Sun Nov 3 15:48:22 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 03 Nov 2019 14:48:22 +0000
Subject: [gnutls-devel] GnuTLS | GOST key exchange support (!1097)
In-Reply-To:
References:
Message-ID:

Dmitry Eremin-Solenikov pushed new commits to merge request !1097

https://gitlab.com/gnutls/gnutls/merge_requests/1097

* de3fd8ab...416b1922 - 50 commits from branch `master`
* dc85323d - nettle/gost: provide GOST keywrapping support
* 020289a4 - nettle/gost: add support for GOST VKO algorithm
* 86584fb1 - _gnutls_pk_derive: add argument for nonce
* a67f1f5b - nettle: add support for GOST key derivation
* 43227e0a - Add GOST key transport support
* c4d65f1d - Declare groups corresponding to GOST curves
* 7c170817 - ecc: define curve->group relationship
* 20043ce4 - groups: add function to return group by curve
* c7321fb8 - Add support for VKO GOST key exchange
* ea208c5b - fixup! Add support for VKO GOST key exchange

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1097

From gnutls-devel at lists.gnutls.org Sun Nov 3 15:50:06 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 03 Nov 2019 14:50:06 +0000
Subject: [gnutls-devel] GnuTLS | WIP: GOST key exchange support (!1097)
In-Reply-To:
References:
Message-ID:

Dmitry Eremin-Solenikov commented on a discussion on lib/nettle/pk.c: https://gitlab.com/gnutls/gnutls/merge_requests/1097#note_239306538

> + if (curve == NULL) > + return > + gnutls_assert_val > + (GNUTLS_E_ECC_UNSUPPORTED_CURVE); > + > + ret = _gost_params_to_pubkey(pub, &ecc_pub, curve); > + if (ret < 0) > + return gnutls_assert_val(ret); > + > + ret = _gost_params_to_privkey(priv, &ecc_priv, curve); > + if (ret < 0) { > + ecc_point_clear(&ecc_pub); > + return gnutls_assert_val(ret); > + } > + > + if (nonce == NULL)

fixed

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1097#note_239306538

From gnutls-devel at lists.gnutls.org Sun Nov 3 15:50:45 2019
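Review bot: in the lib/nettle/pk.c hunk quoted in the message above (note_239306538), both `ecc_pub` and `ecc_priv` are populated once `_gost_params_to_privkey()` succeeds, so the `if (nonce == NULL)` branch and every exit after it has to release both. The visible error paths use a bare `return` with a hand-written `ecc_point_clear(&ecc_pub)`, which is the pattern that tends to miss one of the two. Suggest routing all exits after the two conversions through a single cleanup label that clears the public point and wipes the private scalar.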
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 03 Nov 2019 14:50:45 +0000
Subject: [gnutls-devel] GnuTLS | WIP: GOST key exchange support (!1097)
In-Reply-To:
References:
Message-ID:

Dmitry Eremin-Solenikov commented on a discussion on lib/nettle/gost_keywrap.c: https://gitlab.com/gnutls/gnutls/merge_requests/1097#note_239306587

> + } > + > + cek->size = GOST28147_KEY_SIZE; > + cek->data = gnutls_malloc(cek->size); > + if (cek->data == NULL) { > + return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); > + } > + > + ret = gost28147_key_unwrap_cryptopro(gp, kek->data, > + ukm->data, ukm->size, > + enc->data, imit->data, > + cek->data); > + if (ret == 0) { > + gnutls_assert(); > + _gnutls_free_temp_key_datum(cek); > + return GNUTLS_E_INTERNAL_ERROR;

Changed to `GNUTLS_E_DECRYPTION_FAILED`.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1097#note_239306587

From gnutls-devel at lists.gnutls.org Sun Nov 3 15:50:56 2019
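Review bot: in the lib/nettle/gost_keywrap.c hunk quoted in the message above (note_239306587), the call to `gost28147_key_unwrap_cryptopro()` passes `ukm->data` together with `ukm->size`, but `kek->data`, `enc->data` and `imit->data` go in as bare pointers with no length check visible in the quoted lines. If the lines above the hunk do not already validate `kek->size`, `enc->size` and `imit->size` against the lengths the unwrap routine expects, add those checks before the call and fail before `cek->data` is allocated, so a short buffer cannot be read past its end.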
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 03 Nov 2019 14:50:56 +0000
Subject: [gnutls-devel] GnuTLS | WIP: GOST key exchange support (!1097)
In-Reply-To:
References:
Message-ID:

Dmitry Eremin-Solenikov commented on a discussion on lib/vko.c: https://gitlab.com/gnutls/gnutls/merge_requests/1097#note_239306607

> + digalg = GNUTLS_DIG_STREEBOG_256; > + > + ret = _gnutls_pk_derive_nonce(pub->algo, &tmp_vko_key, > + priv, pub, ukm); > + if (ret < 0) > + return gnutls_assert_val(ret); > + > + kek->size = gnutls_hash_get_len(digalg); > + kek->data = gnutls_malloc(kek->size); > + if (kek->data == NULL) { > + gnutls_assert(); > + ret = GNUTLS_E_MEMORY_ERROR; > + goto cleanup; > + } > + > + ret = gnutls_hash_init(&dig, digalg);

fixed, thank you.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1097#note_239306607

From gnutls-devel at lists.gnutls.org Sun Nov 3 15:51:08 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 03 Nov 2019 14:51:08 +0000
Subject: [gnutls-devel] GnuTLS | WIP: GOST key exchange support (!1097)
In-Reply-To:
References:
Message-ID:

Dmitry Eremin-Solenikov commented on a discussion on lib/vko.c: https://gitlab.com/gnutls/gnutls/merge_requests/1097#note_239306635

> + } > + if (ret < 0) { > + gnutls_assert(); > + goto cleanup; > + } > + > + if ((ret = asn1_write_value(kx, "transportParameters.encryptionParamSet", > + gnutls_gost_paramset_get_oid(pub->gost_params), > + 1)) != ASN1_SUCCESS) { > + gnutls_assert(); > + ret = _gnutls_asn2err(ret); > + goto cleanup; > + } > + > + ret = _gnutls_x509_write_value(kx, "sessionEncryptedKey.encryptedKey", &enc); > + if (ret != ASN1_SUCCESS) {

ack

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1097#note_239306635

From gnutls-devel at lists.gnutls.org Sun Nov 3 15:51:12 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 03 Nov 2019 14:51:12 +0000
Subject: [gnutls-devel] GnuTLS | WIP: GOST key exchange support (!1097)
In-Reply-To:
References:
Message-ID:

Dmitry Eremin-Solenikov commented on a discussion on lib/vko.c: https://gitlab.com/gnutls/gnutls/merge_requests/1097#note_239306643

> + if ((ret = asn1_write_value(kx, "transportParameters.encryptionParamSet", > + gnutls_gost_paramset_get_oid(pub->gost_params), > + 1)) != ASN1_SUCCESS) { > + gnutls_assert(); > + ret = _gnutls_asn2err(ret); > + goto cleanup; > + } > + > + ret = _gnutls_x509_write_value(kx, "sessionEncryptedKey.encryptedKey", &enc); > + if (ret != ASN1_SUCCESS) { > + gnutls_assert(); > + goto cleanup; > + } > + > + ret = _gnutls_x509_write_value(kx, "sessionEncryptedKey.maskKey", &zero_data); > + if (ret != ASN1_SUCCESS) {

ack

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1097#note_239306643

From gnutls-devel at lists.gnutls.org Sun Nov 3 15:51:18 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 03 Nov 2019 14:51:18 +0000
Subject: [gnutls-devel] GnuTLS | WIP: GOST key exchange support (!1097)
In-Reply-To:
References:
Message-ID:

Dmitry Eremin-Solenikov commented on a discussion on lib/vko.c: https://gitlab.com/gnutls/gnutls/merge_requests/1097#note_239306653

> + goto cleanup; > + } > + > + ret = _gnutls_x509_write_value(kx, "sessionEncryptedKey.encryptedKey", &enc); > + if (ret != ASN1_SUCCESS) { > + gnutls_assert(); > + goto cleanup; > + } > + > + ret = _gnutls_x509_write_value(kx, "sessionEncryptedKey.maskKey", &zero_data); > + if (ret != ASN1_SUCCESS) { > + gnutls_assert(); > + goto cleanup; > + } > + ret = _gnutls_x509_write_value(kx, "sessionEncryptedKey.macKey", &imit); > + if (ret != ASN1_SUCCESS) {

ack

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1097#note_239306653

From gnutls-devel at lists.gnutls.org Sun Nov 3 15:51:28 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sun, 03 Nov 2019 14:51:28 +0000 Subject: [gnutls-devel] GnuTLS | WIP: GOST key exchange support (!1097) In-Reply-To: References: Message-ID: Dmitry Eremin-Solenikov commented on a discussion on lib/vko.c: https://gitlab.com/gnutls/gnutls/merge_requests/1097#note_239306669 > + > + ret = _gnutls_x509_write_value(kx, "sessionEncryptedKey.encryptedKey", &enc); > + if (ret != ASN1_SUCCESS) { > + gnutls_assert(); > + goto cleanup; > + } > + > + ret = _gnutls_x509_write_value(kx, "sessionEncryptedKey.maskKey", &zero_data); > + if (ret != ASN1_SUCCESS) { > + gnutls_assert(); > + goto cleanup; > + } > + ret = _gnutls_x509_write_value(kx, "sessionEncryptedKey.macKey", &imit); > + if (ret != ASN1_SUCCESS) { > + gnutls_assert(); > + ret = _gnutls_asn2err(ret); ack -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1097#note_239306669 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun Nov 3 15:52:14 2019 
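Review bot: in the quoted lib/vko.c hunk, the error paths after the three `_gnutls_x509_write_value()` calls disagree: the `encryptedKey` and `maskKey` branches jump to `cleanup` with `ret` unchanged, while the `macKey` branch first runs `ret = _gnutls_asn2err(ret)`. Only one treatment can be right for the same callee. If the helper already returns a GnuTLS error code, drop the conversion in the `macKey` branch and test `ret < 0` rather than `ret != ASN1_SUCCESS` in all three; if it returns a libtasn1 code, the first two branches hand that code to the caller unconverted.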
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sun, 03 Nov 2019 14:52:14 +0000 Subject: [gnutls-devel] GnuTLS | WIP: GOST key exchange support (!1097) In-Reply-To: References: Message-ID: Dmitry Eremin-Solenikov commented on a discussion on lib/vko.c: https://gitlab.com/gnutls/gnutls/merge_requests/1097#note_239306736 > + if (gnutls_oid_to_gost_paramset(oid) != priv->gost_params) { > + gnutls_assert(); > + ret = GNUTLS_E_ASN1_DER_ERROR; > + goto cleanup; > + } > + > + ret = _gnutls_x509_read_value(kx, "transportParameters.ukm", &ukm2); > + if (ret < 0) { > + gnutls_assert(); > + goto cleanup; > + } > + > + if (ukm2.size != UKM_LEN || memcmp(ukm2.data, ukm->data, UKM_LEN) != 0) { > + gnutls_assert(); > + _gnutls_free_datum(&ukm2); > + ret = GNUTLS_E_ASN1_DER_ERROR; Changed to `GNUTLS_E_DECRYPTION_FAILED`. It seems to suit better here. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1097#note_239306736 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun Nov 3 15:52:37 2019 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sun, 03 Nov 2019 14:52:37 +0000 Subject: [gnutls-devel] GnuTLS | WIP: GOST key exchange support (!1097) In-Reply-To: References: Message-ID: Dmitry Eremin-Solenikov commented on a discussion on lib/algorithms/groups.c: https://gitlab.com/gnutls/gnutls/merge_requests/1097#note_239306772 > .tls_id = 29, > .pk = GNUTLS_PK_ECDH_X25519 > }, > +#ifdef ENABLE_GOST > + { > + .name = "GC256A", Added a link to draft with IANA assignment. Will change to RFC once there is an RFC. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1097#note_239306772 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun Nov 3 15:54:22 2019 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sun, 03 Nov 2019 14:54:22 +0000 Subject: [gnutls-devel] GnuTLS | WIP: GOST key exchange support (!1097) In-Reply-To: References: Message-ID: Dmitry Eremin-Solenikov commented on a discussion on lib/algorithms/ecc.c: https://gitlab.com/gnutls/gnutls/merge_requests/1097#note_239306919 > return ret; > } > > +/** > + * gnutls_ecc_curve_get_group: > + * @curve: is an ECC curve > + * > + * Returns: the group associated with the named curve or %GNUTLS_GROUP_INVALID. > + * > + * Since: 3.6.9 ack -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1097#note_239306919 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun Nov 3 15:54:40 2019 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sun, 03 Nov 2019 14:54:40 +0000 Subject: [gnutls-devel] GnuTLS | WIP: GOST key exchange support (!1097) In-Reply-To: References: Message-ID: Dmitry Eremin-Solenikov commented on a discussion on lib/algorithms/ecc.c: https://gitlab.com/gnutls/gnutls/merge_requests/1097#note_239306944 > return ret; > } > > +/** > + * gnutls_ecc_curve_get_group: > + * @curve: is an ECC curve > + * > + * Returns: the group associated with the named curve or %GNUTLS_GROUP_INVALID. > + * > + * Since: 3.6.9 > + */ > +gnutls_group_t _gnutls_ecc_curve_get_group(gnutls_ecc_curve_t curve) Added underscore. I don't feel like exporting this API for now. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1097#note_239306944 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun Nov 3 15:55:05 2019 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sun, 03 Nov 2019 14:55:05 +0000 Subject: [gnutls-devel] GnuTLS | WIP: GOST key exchange support (!1097) In-Reply-To: References: Message-ID: Dmitry Eremin-Solenikov commented on a discussion on lib/auth/vko_gost.c: https://gitlab.com/gnutls/gnutls/merge_requests/1097#note_239306988 > + gen_vko_gost_client_kx, > + _gnutls_gen_cert_client_crt_vrfy, > + _gnutls_gen_cert_server_cert_req, > + > + proc_vko_gost_server_crt, > + _gnutls_proc_crt, > + NULL, > + proc_vko_gost_client_kx, > + _gnutls_proc_cert_client_crt_vrfy, > + _gnutls_proc_cert_cert_req > +}; > + > +static int > +calc_ukm(gnutls_session_t session, gnutls_datum_t *ukm) > +{ > + gnutls_digest_algorithm_t digalg = GNUTLS_DIG_STREEBOG_256; Not really. CTR-ACPKM-OMAC ciphersuites will bring change here. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1097#note_239306988 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun Nov 3 15:57:56 2019 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sun, 03 Nov 2019 14:57:56 +0000 Subject: [gnutls-devel] GnuTLS | WIP: GOST key exchange support (!1097) In-Reply-To: References: Message-ID: Dmitry Eremin-Solenikov commented on a discussion on lib/auth/vko_gost.c: https://gitlab.com/gnutls/gnutls/merge_requests/1097#note_239307286 > + _gnutls_gen_cert_client_crt, > + NULL, > + gen_vko_gost_client_kx, > + _gnutls_gen_cert_client_crt_vrfy, > + _gnutls_gen_cert_server_cert_req, > + > + proc_vko_gost_server_crt, > + _gnutls_proc_crt, > + NULL, > + proc_vko_gost_client_kx, > + _gnutls_proc_cert_client_crt_vrfy, > + _gnutls_proc_cert_cert_req > +}; > + > +static int > +calc_ukm(gnutls_session_t session, gnutls_datum_t *ukm) VKO_KDF_GOST (for CTR-ACPKM-OMAC ciphersuites) will use full length (16 bytes). I will give this API a thought though. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1097#note_239307286 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun Nov 3 15:58:09 2019 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sun, 03 Nov 2019 14:58:09 +0000 Subject: [gnutls-devel] GnuTLS | WIP: GOST key exchange support (!1097) In-Reply-To: References: Message-ID: Dmitry Eremin-Solenikov commented on a discussion on lib/auth/vko_gost.c: https://gitlab.com/gnutls/gnutls/merge_requests/1097#note_239307310 > + int has_pcert = 0; > + gnutls_datum_t ukm; > + gnutls_datum_t cek; > + int len; > + > + if (group == NULL) > + return gnutls_assert_val(GNUTLS_E_ECC_NO_SUPPORTED_CURVES); > + > + DECR_LEN(data_size, 1); > + if (data[0] != (ASN1_TAG_SEQUENCE | ASN1_CLASS_STRUCTURED)) > + return gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER); > + i += 1; > + > + ret = asn1_get_length_der(&data[i], data_size, &len); > + if (ret < 0) > + return gnutls_assert_val(_gnutls_asn2err(ret)); ack, fixed. thank you. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1097#note_239307310 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun Nov 3 15:59:16 2019 
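Review bot: in the last two lines of the quoted lib/auth/vko_gost.c hunk, the value returned by `asn1_get_length_der()` is a decoded length (negative on failure), not an `ASN1_*` status code, so passing it to `_gnutls_asn2err()` does not produce a meaningful error. On `ret < 0` return a fixed code instead, for example `GNUTLS_E_ASN1_DER_ERROR`.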
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sun, 03 Nov 2019 14:59:16 +0000 Subject: [gnutls-devel] GnuTLS | WIP: GOST key exchange support (!1097) In-Reply-To: References: Message-ID: Dmitry Eremin-Solenikov commented on a discussion on lib/auth/vko_gost.c: https://gitlab.com/gnutls/gnutls/merge_requests/1097#note_239307431 > + cert_auth_info_t info = _gnutls_get_auth_info(session, GNUTLS_CRD_CERTIFICATE); > + gnutls_pcert_st peer_cert; > + int has_pcert = 0; > + gnutls_datum_t ukm; > + gnutls_datum_t cek; > + int len; > + > + if (group == NULL) > + return gnutls_assert_val(GNUTLS_E_ECC_NO_SUPPORTED_CURVES); > + > + DECR_LEN(data_size, 1); > + if (data[0] != (ASN1_TAG_SEQUENCE | ASN1_CLASS_STRUCTURED)) > + return gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER); > + i += 1; > + > + ret = asn1_get_length_der(&data[i], data_size, &len); Any suggestions? I have tried to do it in the best possible way, but failed to come up with a better solution. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1097#note_239307431 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun Nov 3 15:59:24 2019 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sun, 03 Nov 2019 14:59:24 +0000 Subject: [gnutls-devel] GnuTLS | WIP: GOST key exchange support (!1097) In-Reply-To: References: Message-ID: Dmitry Eremin-Solenikov commented on a discussion on lib/auth/vko_gost.c: https://gitlab.com/gnutls/gnutls/merge_requests/1097#note_239307444 > + DECR_LEN(data_size, len); > + i += len; > + > + cek.data = &data[i]; > + cek.size = ret; > + > + DECR_LEN(data_size, ret); > + > + if (data_size != 0) > + return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH); > + > + ret = calc_ukm(session, &ukm); > + if (ret < 0) > + return gnutls_assert_val(ret); > + > + if (!privkey || privkey->type != GNUTLS_PRIVKEY_X509) { Done -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1097#note_239307444 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun Nov 3 16:00:57 2019 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sun, 03 Nov 2019 15:00:57 +0000 Subject: [gnutls-devel] GnuTLS | WIP: GOST key exchange support (!1097) In-Reply-To: References: Message-ID: Dmitry Eremin-Solenikov commented on a discussion on lib/auth/vko_gost.c: https://gitlab.com/gnutls/gnutls/merge_requests/1097#note_239307615 > + if (has_pcert) > + gnutls_pcert_deinit(&peer_cert); > + > + gnutls_pk_params_release(&session->key.kshare.ecdh_params); > + _gnutls_free_datum(&ukm); > + > + return ret; > +} > + > +static int print_priv_key(gnutls_pk_params_st *params) > +{ > + int ret; > + size_t bytes = 0; > + uint8_t priv_buf[512/8]; > + char buf[512 / 4 + 1]; > + Done -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1097#note_239307615 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun Nov 3 16:02:20 2019 
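Review bot: `print_priv_key()` at the end of the quoted lib/auth/vko_gost.c hunk sets up `priv_buf` and `buf` to hold the private key in raw and hex form. If this helper is kept at all, it should be built only in debugging configurations and both stack buffers should be wiped before every return so the key does not linger in memory; otherwise drop the function. The two sizes would also be clearer as one named constant instead of `512/8` and `512 / 4 + 1`.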
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sun, 03 Nov 2019 15:02:20 +0000 Subject: [gnutls-devel] GnuTLS | WIP: GOST key exchange support (!1097) In-Reply-To: References: Message-ID: Dmitry Eremin-Solenikov commented on a discussion on lib/auth/vko_gost.c: https://gitlab.com/gnutls/gnutls/merge_requests/1097#note_239307751 > + } > + > + has_pcert = 1; > + } > + > + ret = _gnutls_gost_keytrans_decrypt(has_pcert ? &peer_cert.pubkey->params : NULL, > + &privkey->key.x509->params, > + &cek, &ukm, &session->key.key); > + if (ret < 0) { > + gnutls_assert(); > + _gnutls_free_datum(&ukm); > + goto cleanup; > + } > + > + if (ret == 0) > + session->internals.hsk_flags &= ~HSK_CRT_VRFY_EXPECTED; It's necessary because otherwise a client will expect server's CertificateVerify message. However with this KX a server won't send one. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1097#note_239307751 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Nov 4 00:45:45 2019 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sun, 03 Nov 2019 23:45:45 +0000 Subject: [gnutls-devel] GnuTLS | WIP: GOST key exchange support (!1097) In-Reply-To: References: Message-ID: Dmitry Eremin-Solenikov commented on a discussion on lib/vko.c: https://gitlab.com/gnutls/gnutls/merge_requests/1097#note_239370729 > + goto cleanup; > + } > + > + ret = 0; > + > +cleanup: > + asn1_delete_structure(&kx); > + _gnutls_free_datum(&enc); > + _gnutls_free_datum(&imit); > + > + return ret; > +} > + > +/* Returns 1 if decode used ephemeral key */ > +int > +_gnutls_gost_keytrans_decrypt(gnutls_pk_params_st *pub, Sure, I will update the file adding documentation. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1097#note_239370729 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Nov 4 02:02:02 2019 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 04 Nov 2019 01:02:02 +0000 Subject: [gnutls-devel] GnuTLS | new coverity issues (#857) In-Reply-To: References: Message-ID: Dmitry Eremin-Solenikov commented: Interesting. A tainted access for `sbox[768 + (tmp >> 24)]`, where `tmp` is `uint32_t` and `sbox` is defined as `uint32_t sbox[4*256]`. It seems Coverity is overreacting here. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/857#note_239377623 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Nov 4 02:02:33 2019 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 04 Nov 2019 01:02:33 +0000 Subject: [gnutls-devel] GnuTLS | new coverity issues (#857) In-Reply-To: References: Message-ID: Dmitry Eremin-Solenikov commented: BTW: it looks like ecore is used only for mini-eagain test. Maybe we can rewrite it to drop ecore/eiai? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/857#note_239377654 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Nov 5 08:51:04 2019 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 05 Nov 2019 07:51:04 +0000 Subject: [gnutls-devel] GnuTLS | new coverity issues (#857) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos commented: That would be nice. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/857#note_240011632 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Nov 5 09:26:15 2019 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 05 Nov 2019 08:26:15 +0000 Subject: [gnutls-devel] GnuTLS | WIP: gnutls_hkdf{expand, extract}: new API functions exposed (!1115) In-Reply-To: References: Message-ID: Merge request https://gitlab.com/gnutls/gnutls/merge_requests/1115 was reviewed by Daiki Ueno -- Daiki Ueno started a new discussion on lib/crypto-api.c: https://gitlab.com/gnutls/gnutls/merge_requests/1115#note_240029689 > + > + hmac_sha256_set_key(&ctx, SHA256_DIGEST_SIZE, secret); > + return hkdf_expand(&ctx, (nettle_hash_update_func*)hmac_sha256_update, Note that `hkdf_expand` doesn't return any error. -- Daiki Ueno started a new discussion on lib/crypto-api.c: https://gitlab.com/gnutls/gnutls/merge_requests/1115#note_240029691 > + gnutls_assert(); > + } > +} I see "\ No newline at end of file"; depending on the editor you use, but afaik vim and emacs add a newline automatically. -- Daiki Ueno started a new discussion on lib/crypto-api.c: https://gitlab.com/gnutls/gnutls/merge_requests/1115#note_240029693 > + } > + default: > + gnutls_assert(); Shouldn't we return an error here? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1115 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Nov 5 09:26:28 2019 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 05 Nov 2019 08:26:28 +0000 Subject: [gnutls-devel] GnuTLS | WIP: gnutls_hkdf{expand, extract}: new API functions exposed (!1115) In-Reply-To: References: Message-ID: Daiki Ueno started a new discussion on lib/crypto-api.c: https://gitlab.com/gnutls/gnutls/merge_requests/1115#note_240029883 > _gnutls_aead_cipher_deinit(handle); > gnutls_free(handle); > } > + > +void gnutls_hkdf_expand(gnutls_mac_algorithm_t id, > + const unsigned int *secret, > + const unsigned int *info, size_t info_size, > + unsigned out_size, void *out) I would suggest putting `out` before `out_size`, for consistency. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1115#note_240029883 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Nov 5 10:53:26 2019 
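Review bot: in the `gnutls_hkdf_expand()` prototype quoted above, `secret` and `info` are typed `const unsigned int *` and `secret` has no length argument, although both are byte strings. Taking `const void *` (or `const gnutls_datum_t *`) with an explicit secret size avoids casts at every call site and a hard-coded key length inside the function. The `void` return type also leaves no way to report an unsupported `id` or an `out_size` larger than HKDF allows; returning `int` would.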
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 05 Nov 2019 09:53:26 +0000 Subject: [gnutls-devel] GnuTLS | OCSP response manipulation & signing support (#859) References: Message-ID: Mario Biberhofer created an issue: https://gitlab.com/gnutls/gnutls/issues/859 Greetings, I just sent an e-mail to gnutls-devel and realized it was a r/o list, so I kind of tried to C&P the content into the form of the feature template. :-) --- ## Description of the feature: Support for manipulating OCSP response data and signing OCSP responses using gnutls. #### Background: About 2 months ago I started implementing an OCSP responder using gnutls as its backend. During development I realized: 1. gnutls_x509_crl_verify(): verify parameter/return value returns the CRL verification status as gnutls_certificate_status_t (which felt strange but is fine I guess) 2. However, gnutls_certificate_verification_status_print() does not handle this well: It prints certificate-related messages. 3. Various missing functions to manipulate OCSP responses, starting at setting basic fields like the version, adding single responses, signing responses and more. gnutls seems to only support the client-side of OCSP. I already implemented most of this in a proof-of-concept (read: ugly) fashion during development of my responder: - Ad (1), (2): I added a new enum member to gnutls_certificate_type_t called GNUTLS_CRT_CRL and used it to produce more meaningful messages using gnutls_certificate_verification_status_print() - Ad (3): I implemented most of the missing functions: setting fields like the version, producedAt, appending single response data, signing responses, setting certs and the nonce extension. ## Applications that this feature may be relevant to: OCSP responder(s) :-) ## Is this feature implemented in other libraries (and which) IIRC, OpenSSL supports manipulating OCSP responses. 
--- Question is: Is there any interest in adding support for manipulating and signing OCSP responses (and its extensions) to gnutls? (i.e. adopting these changes?) If so, I'll start by cleaning up my mess and publish my repository. Afterwards I'd take care of finishing implementation (including tests), stabilization and extending it. This would also include maintenance (by maintaining my ocsp responder, and only within scope of my spare time :( ) P.S.: Forgot to mention that the OCSP responder is/will be GPLv3-or-later licensed, but is, like my gnutls repository, unreleased to the general public at this point in time. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/859 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Nov 5 11:00:14 2019 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 05 Nov 2019 10:00:14 +0000 Subject: [gnutls-devel] GnuTLS | OCSP response manipulation & signing support (#859) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos commented: > Is there any interest in adding support for manipulating and signing OCSP responses (and its extensions) to gnutls? (i.e. adopting these changes)? Yes, certainly! Would you like to send MRs bringing them in? The only requirements are listed in CONTRIBUTION.md, which is pretty much the ABI must not break within releases. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/859#note_240117779 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Nov 5 11:07:39 2019 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 05 Nov 2019 10:07:39 +0000 Subject: [gnutls-devel] GnuTLS | OCSP response manipulation & signing support (#859) In-Reply-To: References: Message-ID: Mario Biberhofer commented: Alright, I'll once again review it/clean it up (I've let it "rest" for the past few weeks) and then publish the implementation and create an MR. As a teaser, here's a list of the functions I added to the OCSP implementation: ``` int gnutls_ocsp_resp_set_version(gnutls_ocsp_resp_t resp, unsigned int version); int gnutls_ocsp_resp_set_responder_raw_id(gnutls_ocsp_resp_t resp, unsigned type, gnutls_datum_t raw); int gnutls_ocsp_resp_set_produced_at(gnutls_ocsp_resp_t resp, time_t produced_at); int gnutls_ocsp_resp_append_single_resp(gnutls_ocsp_resp_t resp, gnutls_digest_algorithm_t digest, const gnutls_datum_t *issuer_name_hash, const gnutls_datum_t *issuer_key_hash, const gnutls_datum_t *serial_number, gnutls_ocsp_cert_status_t status, time_t *revocation_time, gnutls_x509_crl_reason_t revocation_reason, time_t *next_update, time_t *this_update); int gnutls_ocsp_resp_set_signature_algorithm(gnutls_ocsp_resp_t resp, gnutls_sign_algorithm_t algo); int gnutls_ocsp_resp_set_signature(gnutls_ocsp_resp_t resp, gnutls_datum_t sig); int gnutls_ocsp_resp_sign(gnutls_ocsp_resp_t resp, gnutls_x509_privkey_t sign_key); int gnutls_ocsp_resp_set_status(gnutls_ocsp_resp_t resp, gnutls_ocsp_resp_status_t status); int gnutls_ocsp_resp_set_nonce(gnutls_ocsp_resp_t resp, unsigned int critical, gnutls_datum_t * nonce); int gnutls_ocsp_resp_set_certs(gnutls_ocsp_resp_t resp, gnutls_x509_crt_t * certs, size_t ncerts); ``` -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/859#note_240122107 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... 
URL: From gnutls-devel at lists.gnutls.org Tue Nov 5 11:11:31 2019 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 05 Nov 2019 10:11:31 +0000 Subject: [gnutls-devel] GnuTLS | OCSP response manipulation & signing support (#859) In-Reply-To: References: Message-ID: Tim Rühsen commented: See also #804 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/859#note_240124360 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Nov 5 11:11:52 2019 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 05 Nov 2019 10:11:52 +0000 Subject: [gnutls-devel] GnuTLS | Please add new function gnutls_ocsp_resp_set_single() to allow building an OCSP responder (#804) In-Reply-To: References: Message-ID: Tim Rühsen commented: See #859 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/804#note_240124531 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Nov 5 12:54:54 2019 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 05 Nov 2019 11:54:54 +0000 Subject: [gnutls-devel] GnuTLS | WIP: GOST key exchange support (!1097) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos commented on a discussion on lib/auth/vko_gost.c: https://gitlab.com/gnutls/gnutls/merge_requests/1097#note_240195188 > + } > + > + has_pcert = 1; > + } > + > + ret = _gnutls_gost_keytrans_decrypt(has_pcert ? &peer_cert.pubkey->params : NULL, > + &privkey->key.x509->params, > + &cek, &ukm, &session->key.key); > + if (ret < 0) { > + gnutls_assert(); > + _gnutls_free_datum(&ukm); > + goto cleanup; > + } > + > + if (ret == 0) > + session->internals.hsk_flags &= ~HSK_CRT_VRFY_EXPECTED; Why is that? Isn't this ciphersuite equivalent to the RSA one? The RSA one doesn't require this flag to be unset. Where is this flag being set, is it in _gnutls_recv_client_certificate()? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1097#note_240195188 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Nov 5 13:18:09 2019 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 05 Nov 2019 12:18:09 +0000 Subject: [gnutls-devel] GnuTLS | WIP: GOST key exchange support (!1097) In-Reply-To: References: Message-ID: Dmitry Eremin-Solenikov commented on a discussion on lib/auth/vko_gost.c: https://gitlab.com/gnutls/gnutls/merge_requests/1097#note_240208693 > + } > + > + has_pcert = 1; > + } > + > + ret = _gnutls_gost_keytrans_decrypt(has_pcert ? &peer_cert.pubkey->params : NULL, > + &privkey->key.x509->params, > + &cek, &ukm, &session->key.key); > + if (ret < 0) { > + gnutls_assert(); > + _gnutls_free_datum(&ukm); > + goto cleanup; > + } > + > + if (ret == 0) > + session->internals.hsk_flags &= ~HSK_CRT_VRFY_EXPECTED; Dropping this now. It was a leftover from old [cptls draft](https://tools.ietf.org/html/draft-chudov-cryptopro-cptls-04), where client should have used non-ephemeral keys when it had sent a certificate. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1097#note_240208693 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Nov 5 13:19:07 2019 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 05 Nov 2019 12:19:07 +0000 Subject: [gnutls-devel] GnuTLS | WIP: GOST key exchange support (!1097) In-Reply-To: References: Message-ID: Dmitry Eremin-Solenikov commented on a discussion on lib/auth/vko_gost.c: https://gitlab.com/gnutls/gnutls/merge_requests/1097#note_240209141 > + } > + > + if (info != NULL && info->ncerts != 0) { > + ret = _gnutls_get_auth_info_pcert(&peer_cert, > + session->security_parameters. > + server_ctype, info); > + > + if (ret < 0) { > + gnutls_assert(); > + goto cleanup; > + } > + > + has_pcert = 1; > + } > + > + ret = _gnutls_gost_keytrans_decrypt(has_pcert ? &peer_cert.pubkey->params : NULL, Dropping `have_pcert` part. Only ephemeral keys should be supported. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1097#note_240209141 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Nov 5 14:01:37 2019 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 05 Nov 2019 13:01:37 +0000 Subject: [gnutls-devel] GnuTLS | WIP: GOST key exchange support (!1097) In-Reply-To: References: Message-ID: Dmitry Eremin-Solenikov commented on a discussion on lib/algorithms.h: https://gitlab.com/gnutls/gnutls/merge_requests/1097#note_240231975 > unsigned sig_size; /* the size of curve signatures in bytes (EdDSA) */ > unsigned gost_curve; > bool supported; > + gnutls_group_t group; It's not new mapping. It adds backwards mapping to match `group->curve`. An alternative would be to drop `_gnutls_session_supports_group(session, group->id)` check in client key exchange code (where it checks that server's certificate curve is enabled on a client). -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1097#note_240231975 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Nov 5 15:01:01 2019 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 05 Nov 2019 14:01:01 +0000 Subject: [gnutls-devel] GnuTLS | WIP: gnutls_hkdf{expand, extract}: new API functions exposed (!1115) In-Reply-To: References: Message-ID: Aniketh Girish pushed new commits to merge request !1115 https://gitlab.com/gnutls/gnutls/merge_requests/1115 * 1d23e005 - fixup -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1115 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Nov 5 15:03:04 2019 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 05 Nov 2019 14:03:04 +0000 Subject: [gnutls-devel] GnuTLS | WIP: gnutls_hkdf{expand, extract}: new API functions exposed (!1115) In-Reply-To: References: Message-ID: Aniketh Girish pushed new commits to merge request !1115 https://gitlab.com/gnutls/gnutls/merge_requests/1115 * ac33e269 - gnutls_hkdf{expand, extract}: new API functions exposed -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1115 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Nov 5 15:04:50 2019 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 05 Nov 2019 14:04:50 +0000 Subject: [gnutls-devel] GnuTLS | WIP: gnutls_hkdf{expand, extract}: new API functions exposed (!1115) In-Reply-To: References: Message-ID: All discussions on Merge Request !1115 were resolved by Aniketh Girish https://gitlab.com/gnutls/gnutls/merge_requests/1115 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1115 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Nov 5 16:35:35 2019 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 05 Nov 2019 15:35:35 +0000
Subject: [gnutls-devel] GnuTLS | WIP: GOST key exchange support (!1097)
In-Reply-To:
References:
Message-ID:

Nikos Mavrogiannopoulos commented on a discussion on lib/auth/vko_gost.c: https://gitlab.com/gnutls/gnutls/merge_requests/1097#note_240333402

> + cert_auth_info_t info = _gnutls_get_auth_info(session, GNUTLS_CRD_CERTIFICATE); > + gnutls_pcert_st peer_cert; > + int has_pcert = 0; > + gnutls_datum_t ukm; > + gnutls_datum_t cek; > + int len; > + > + if (group == NULL) > + return gnutls_assert_val(GNUTLS_E_ECC_NO_SUPPORTED_CURVES); > + > + DECR_LEN(data_size, 1); > + if (data[0] != (ASN1_TAG_SEQUENCE | ASN1_CLASS_STRUCTURED)) > + return gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER); > + i += 1; > + > + ret = asn1_get_length_der(&data[i], data_size, &len);

Sorry, it is not a code issue... To my understanding that's the protocol right?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1097#note_240333402

From gnutls-devel at lists.gnutls.org Tue Nov 5 16:40:59 2019
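Review bot: in the quoted lib/auth/vko_gost.c hunk, the last line stores the result of `asn1_get_length_der(&data[i], data_size, &len)` in `ret`, and the handling of that value falls outside the quoted context. Make sure a negative return is rejected before `ret` or `len` is used to advance `i` or to reduce `data_size`, since both come from peer-supplied bytes. A one-line comment above the `data[0]` tag test saying that the outer SEQUENCE is skipped by hand would also save the next reader the question asked in this thread.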
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 05 Nov 2019 15:40:59 +0000
Subject: [gnutls-devel] GnuTLS | WIP: GOST key exchange support (!1097)
In-Reply-To:
References:
Message-ID:

Dmitry Eremin-Solenikov commented on a discussion on lib/auth/vko_gost.c: https://gitlab.com/gnutls/gnutls/merge_requests/1097#note_240336611

> + cert_auth_info_t info = _gnutls_get_auth_info(session, GNUTLS_CRD_CERTIFICATE); > + gnutls_pcert_st peer_cert; > + int has_pcert = 0; > + gnutls_datum_t ukm; > + gnutls_datum_t cek; > + int len; > + > + if (group == NULL) > + return gnutls_assert_val(GNUTLS_E_ECC_NO_SUPPORTED_CURVES); > + > + DECR_LEN(data_size, 1); > + if (data[0] != (ASN1_TAG_SEQUENCE | ASN1_CLASS_STRUCTURED)) > + return gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER); > + i += 1; > + > + ret = asn1_get_length_der(&data[i], data_size, &len);

Yes. It's a `GNUTLS.GostR3410-KeyTransport` wrapped in another struct. I did not like the idea of parsing a struct just to parse contents, so I ended up with this kind of code. If you'd prefer, I can add a struct wrapping `GNUTLS.GostR3410-KeyTransport` and parse its contents to get a single item (the key transport struct itself).

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1097#note_240336611

From gnutls-devel at lists.gnutls.org Tue Nov 5 16:46:35 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 05 Nov 2019 15:46:35 +0000
Subject: [gnutls-devel] GnuTLS | OCSP response manipulation & signing support (#859)
In-Reply-To:
References:
Message-ID:

Nikos Mavrogiannopoulos commented:

The API seems reasonable. Some quick comments on it:

- `int gnutls_ocsp_resp_set_responder_raw_id(gnutls_ocsp_resp_t resp, unsigned type, gnutls_datum_t raw);`

  The third option it is more consistent with the rest of the API to be a pointer to datum_t.

- `gnutls_ocsp_resp_sign`

  This sign function cannot handle RSA-PSS or changing signature algorithm (RSA-SHA256 vs RSA-SHA512). An update may be to be similar to `gnutls_privkey_sign_hash2` and have as input the specific signature algorithm `gnutls_sign_algorithm_t` and flags.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/859#note_240340083

From gnutls-devel at lists.gnutls.org Tue Nov 5 17:57:36 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 05 Nov 2019 16:57:36 +0000
Subject: [gnutls-devel] GnuTLS | WIP: GOST key exchange support (!1097)
In-Reply-To:
References:
Message-ID:

Dmitry Eremin-Solenikov pushed new commits to merge request !1097 https://gitlab.com/gnutls/gnutls/merge_requests/1097

* b26b7dac - _gnutls_pk_derive: add argument for nonce
* 2ce1d97e - nettle: add support for GOST key derivation
* a9f53b9d - Add GOST key transport support
* 97ec7971 - Declare groups corresponding to GOST curves
* 3723f8a7 - ecc: define curve->group relationship
* 2173b08b - groups: add function to return group by curve
* 5095cd89 - Add support for VKO GOST key exchange

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1097

From gnutls-devel at lists.gnutls.org Tue Nov 5 17:57:51 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 05 Nov 2019 16:57:51 +0000
Subject: [gnutls-devel] GnuTLS | WIP: GOST key exchange support (!1097)
In-Reply-To:
References:
Message-ID:

Dmitry Eremin-Solenikov commented:

Updated MR.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1097#note_240381302

From gnutls-devel at lists.gnutls.org Tue Nov 5 17:58:08 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 05 Nov 2019 16:58:08 +0000
Subject: [gnutls-devel] GnuTLS | WIP: GOST key exchange support (!1097)
In-Reply-To:
References:
Message-ID:

Dmitry Eremin-Solenikov commented on a discussion on lib/vko.c: https://gitlab.com/gnutls/gnutls/merge_requests/1097#note_240381441

> + goto cleanup; > + } > + > + ret = 0; > + > +cleanup: > + asn1_delete_structure(&kx); > + _gnutls_free_datum(&enc); > + _gnutls_free_datum(&imit); > + > + return ret; > +} > + > +/* Returns 1 if decode used ephemeral key */ > +int > +_gnutls_gost_keytrans_decrypt(gnutls_pk_params_st *pub,

Done

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1097#note_240381441

From gnutls-devel at lists.gnutls.org Tue Nov 5 20:39:47 2019
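Review bot: in the quoted lib/vko.c hunk, the comment above `_gnutls_gost_keytrans_decrypt` documents only the `1` return, although the function returns `int`. Spell out in the same comment what 0 and negative values mean, so that a caller does not test the result as a boolean and treat an error code as "ephemeral key used".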
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 05 Nov 2019 19:39:47 +0000
Subject: [gnutls-devel] GnuTLS | WIP: GOST key exchange support (!1097)
In-Reply-To:
References:
Message-ID:

Dmitry Eremin-Solenikov commented on a discussion on lib/auth/vko_gost.c: https://gitlab.com/gnutls/gnutls/merge_requests/1097#note_240453691

> + _gnutls_gen_cert_client_crt, > + NULL, > + gen_vko_gost_client_kx, > + _gnutls_gen_cert_client_crt_vrfy, > + _gnutls_gen_cert_server_cert_req, > + > + proc_vko_gost_server_crt, > + _gnutls_proc_crt, > + NULL, > + proc_vko_gost_client_kx, > + _gnutls_proc_cert_client_crt_vrfy, > + _gnutls_proc_cert_cert_req > +}; > + > +static int > +calc_ukm(gnutls_session_t session, gnutls_datum_t *ukm)

Done. Removed several UKM-related mallocs.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1097#note_240453691

From gnutls-devel at lists.gnutls.org Wed Nov 6 09:25:17 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 06 Nov 2019 08:25:17 +0000
Subject: [gnutls-devel] GnuTLS | OCSP response manipulation & signing support (#859)
In-Reply-To:
References:
Message-ID:

Mario Biberhofer commented on a discussion: https://gitlab.com/gnutls/gnutls/issues/859#note_240646770

> int gnutls_ocsp_resp_set_responder_raw_id(gnutls_ocsp_resp_t resp, unsigned type, gnutls_datum_t raw);
> The third option it is more consistent with the rest of the API to be a pointer to datum_t.

All right, I'll change that.

> gnutls_ocsp_resp_sign
> This sign function cannot handle RSA-PSS or changing signature algorithm (RSA-SHA256 vs RSA-SHA512). An update may be to be similar to gnutls_privkey_sign_hash2 and have as input the specific signature algorithm gnutls_sign_algorithm_t and flags.

Ah, I'll take a look at `gnutls_privkey_sign_hash2` then. Currently I expected the signature algorithm to be set using `gnutls_ocsp_resp_set_signature_algorithm` before calculating and appending the signature using `gnutls_ocsp_resp_sign` (it throws an error if the signature algorithm is not set in the given `gnutls_ocsp_resp_t` data).

I guess I could remove `gnutls_ocsp_resp_set_signature_algorithm` and `gnutls_ocsp_resp_set_signature` from the public API then? Should I keep it for testing/toy purposes?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/859#note_240646770

From gnutls-devel at lists.gnutls.org Wed Nov 6 12:13:32 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 06 Nov 2019 11:13:32 +0000
Subject: [gnutls-devel] GnuTLS | prf: don't crash when called before handshake completion (!1116)
References:
Message-ID:

Miroslav Lichvar created a merge request: https://gitlab.com/gnutls/gnutls/merge_requests/1116

Project:Branches: mlichvar/gnutls:prf-crash to gnutls/gnutls:master
Author: Miroslav Lichvar

This fixes a crash that I came across while developing a TLS application.

## Checklist

* [x] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [ ] Code modified for feature
* [ ] Test suite updated with functionality tests
* [x] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
* [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:

* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1116

From gnutls-devel at lists.gnutls.org Wed Nov 6 13:24:50 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 06 Nov 2019 12:24:50 +0000
Subject: [gnutls-devel] GnuTLS | GOST key exchange support (!1097)
In-Reply-To:
References:
Message-ID:

Dmitry Eremin-Solenikov pushed new commits to merge request !1097 https://gitlab.com/gnutls/gnutls/merge_requests/1097

* 3052786a - Add support for VKO GOST key exchange

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1097

From gnutls-devel at lists.gnutls.org Wed Nov 6 14:36:47 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 06 Nov 2019 13:36:47 +0000
Subject: [gnutls-devel] GnuTLS | Add support for CNT_IMIT TLS 1.2 GOST cipher suite (!920)
In-Reply-To:
References:
Message-ID:

Dmitry Eremin-Solenikov pushed new commits to merge request !920 https://gitlab.com/gnutls/gnutls/merge_requests/920

* dc85323d - nettle/gost: provide GOST keywrapping support
* 020289a4 - nettle/gost: add support for GOST VKO algorithm
* b26b7dac - _gnutls_pk_derive: add argument for nonce
* 2ce1d97e - nettle: add support for GOST key derivation
* a9f53b9d - Add GOST key transport support
* 97ec7971 - Declare groups corresponding to GOST curves
* 3723f8a7 - ecc: define curve->group relationship
* 2173b08b - groups: add function to return group by curve
* 3052786a - Add support for VKO GOST key exchange
* c4a568a2 - Support GOST certificate request values
* b818da92 - Add GOST cipher suites
* 4255551e - Add GOST values to cipher suites priorities
* a5a17a64 - tests: add tests for KX-GOST-VKO using different key variants
* 1bb2eead - tests: added testcases for ciphersuite/KX negotiation with VKO-GOST
* 04133ed6 - cli-debug: include GOST VKO into KX list
* 7cc6f8ca - priority: add GROUP-GOST-ALL keyword
* e018b546 - ext/signature: use GOST signatures for GOST ciphersiuites
* 2a051fa8 - gnutls-cli-debug: add GOST_CNT-related KX/cipher/MAC tests
* 5a930447 - tls13-server-kx-neg: add test for GOST-enabled server and client
* a621fef4 - lib: fix group selection in case of GOST cipher suites

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/920

From gnutls-devel at lists.gnutls.org Wed Nov 6 14:41:40 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 06 Nov 2019 13:41:40 +0000
Subject: [gnutls-devel] GnuTLS | GOST key exchange support (!1097)
In-Reply-To:
References:
Message-ID:

Nikos Mavrogiannopoulos commented on a discussion on lib/auth/vko_gost.c: https://gitlab.com/gnutls/gnutls/merge_requests/1097#note_240855164

> + goto cleanup; > + } > + > + if (info != NULL && info->ncerts != 0) { > + ret = _gnutls_get_auth_info_pcert(&peer_cert, > + session->security_parameters. > + server_ctype, info); > + > + if (ret < 0) { > + gnutls_assert(); > + goto cleanup; > + } > + > + has_pcert = 1; > + } > +

What about this?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1097#note_240855164

From gnutls-devel at lists.gnutls.org Wed Nov 6 14:47:25 2019
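Review bot: in the quoted lib/auth/vko_gost.c hunk, `has_pcert = 1` is reached only when `info != NULL && info->ncerts != 0`; when that test is false the code falls through with `has_pcert` unchanged and no error is raised. Confirm that the code after this block refuses to continue the key exchange when no peer certificate was loaded, and that the `cleanup` path releases `peer_cert` only when `has_pcert` is set.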
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 06 Nov 2019 13:47:25 +0000
Subject: [gnutls-devel] GnuTLS | GOST key exchange support (!1097)
In-Reply-To:
References:
Message-ID:

Nikos Mavrogiannopoulos commented on a discussion on lib/auth/vko_gost.c: https://gitlab.com/gnutls/gnutls/merge_requests/1097#note_240859516

> + cert_auth_info_t info = _gnutls_get_auth_info(session, GNUTLS_CRD_CERTIFICATE); > + gnutls_pcert_st peer_cert; > + int has_pcert = 0; > + gnutls_datum_t ukm; > + gnutls_datum_t cek; > + int len; > + > + if (group == NULL) > + return gnutls_assert_val(GNUTLS_E_ECC_NO_SUPPORTED_CURVES); > + > + DECR_LEN(data_size, 1); > + if (data[0] != (ASN1_TAG_SEQUENCE | ASN1_CLASS_STRUCTURED)) > + return gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER); > + i += 1; > + > + ret = asn1_get_length_der(&data[i], data_size, &len);

It is simple so it is fine. Would we ever need to re-use this part, or would `_gnutls_gost_keytrans_encrypt` be a better fit for it? (e.g., make the encoding part of the encryption)

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1097#note_240859516

From gnutls-devel at lists.gnutls.org Wed Nov 6 14:54:52 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 06 Nov 2019 13:54:52 +0000
Subject: [gnutls-devel] GnuTLS | nettle: backport fixes to cfb8_decrypt (!1117)
References:
Message-ID:

Daiki Ueno created a merge request: https://gitlab.com/gnutls/gnutls/merge_requests/1117

Branches: tmp-cfb8-fixes to master
Author: Daiki Ueno

Supersedes !1084.

## Checklist

* [x] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [ ] Code modified for feature
* [x] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
* [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:

* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1117

From gnutls-devel at lists.gnutls.org Wed Nov 6 14:56:44 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 06 Nov 2019 13:56:44 +0000
Subject: [gnutls-devel] GnuTLS | cipher cfb8 decrypt fixes (!1084)
In-Reply-To:
References:
Message-ID:

Nikos Mavrogiannopoulos commented:

Closing in favor of !1117

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1084#note_240867940

From gnutls-devel at lists.gnutls.org Wed Nov 6 14:56:45 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 06 Nov 2019 13:56:45 +0000
Subject: [gnutls-devel] GnuTLS | cipher cfb8 decrypt fixes (!1084)
In-Reply-To:
References:
Message-ID:

Merge Request !1084 was closed by Nikos Mavrogiannopoulos

Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/1084
Project:Branches: gd7/gnutls:gd-master-cfb8-fixes to gnutls/gnutls:master
Author: Günther Deschner
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1084

From gnutls-devel at lists.gnutls.org Wed Nov 6 15:48:58 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 06 Nov 2019 14:48:58 +0000
Subject: [gnutls-devel] GnuTLS | GOST key exchange support (!1097)
In-Reply-To:
References:
Message-ID:

Dmitry Eremin-Solenikov commented on a discussion on lib/auth/vko_gost.c: https://gitlab.com/gnutls/gnutls/merge_requests/1097#note_240908116

> + cert_auth_info_t info = _gnutls_get_auth_info(session, GNUTLS_CRD_CERTIFICATE); > + gnutls_pcert_st peer_cert; > + int has_pcert = 0; > + gnutls_datum_t ukm; > + gnutls_datum_t cek; > + int len; > + > + if (group == NULL) > + return gnutls_assert_val(GNUTLS_E_ECC_NO_SUPPORTED_CURVES); > + > + DECR_LEN(data_size, 1); > + if (data[0] != (ASN1_TAG_SEQUENCE | ASN1_CLASS_STRUCTURED)) > + return gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER); > + i += 1; > + > + ret = asn1_get_length_der(&data[i], data_size, &len);

I wouldn't like to touch `_gnutls_gost_keytrans_decrypt()` as that part is directly usable for CMS files (yes, there is no support for CMS in GnuTLS, I just hope to return to that topic sometime in the future).

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1097#note_240908116

From gnutls-devel at lists.gnutls.org Wed Nov 6 15:51:59 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 06 Nov 2019 14:51:59 +0000
Subject: [gnutls-devel] GnuTLS | GOST key exchange support (!1097)
In-Reply-To:
References:
Message-ID:

Dmitry Eremin-Solenikov commented on a discussion on lib/auth/vko_gost.c: https://gitlab.com/gnutls/gnutls/merge_requests/1097#note_240910016

> + goto cleanup; > + } > + > + if (info != NULL && info->ncerts != 0) { > + ret = _gnutls_get_auth_info_pcert(&peer_cert, > + session->security_parameters. > + server_ctype, info); > + > + if (ret < 0) { > + gnutls_assert(); > + goto cleanup; > + } > + > + has_pcert = 1; > + } > +

From my point of view the decryption part does not contain any significant parts of code that can serve as an oracle. The only "problematic" item might be a `memcmp()` at the end of `lib/nettle/gost/gost-wrap.c`.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1097#note_240910016

From gnutls-devel at lists.gnutls.org Wed Nov 6 16:15:27 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 06 Nov 2019 15:15:27 +0000
Subject: [gnutls-devel] GnuTLS | nettle: backport fixes to cfb8_decrypt (!1117)
In-Reply-To:
References:
Message-ID:

Günther Deschner commented:

Changes (including the test code) look fine, thanks!

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1117#note_240925556

From gnutls-devel at lists.gnutls.org Thu Nov 7 10:45:16 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 07 Nov 2019 09:45:16 +0000
Subject: [gnutls-devel] GnuTLS | prf: don't crash when called before handshake completion (!1116)
In-Reply-To:
References:
Message-ID:

Nikos Mavrogiannopoulos commented:

Hi, you may want to increase the CI running time to 2h for the emulator builds to pass reliably.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1116#note_241295280

From gnutls-devel at lists.gnutls.org Thu Nov 7 10:46:14 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 07 Nov 2019 09:46:14 +0000
Subject: [gnutls-devel] GnuTLS | prf: don't crash when called before handshake completion (!1116)
In-Reply-To:
References:
Message-ID:

Merge Request !1116 was approved by Nikos Mavrogiannopoulos

Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/1116
Project:Branches: mlichvar/gnutls:prf-crash to gnutls/gnutls:master
Author: Miroslav Lichvar
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1116

From gnutls-devel at lists.gnutls.org Thu Nov 7 10:46:51 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 07 Nov 2019 09:46:51 +0000
Subject: [gnutls-devel] GnuTLS | prf: don't crash when called before handshake completion (!1116)
In-Reply-To:
References:
Message-ID:

Nikos Mavrogiannopoulos commented:

LGTM, though a rerun with a longer CI timeout is needed.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1116#note_241296237

From gnutls-devel at lists.gnutls.org Thu Nov 7 11:15:13 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 07 Nov 2019 10:15:13 +0000
Subject: [gnutls-devel] GnuTLS | OCSP response manipulation & signing support (#859)
In-Reply-To:
References:
Message-ID:

Nikos Mavrogiannopoulos commented on a discussion: https://gitlab.com/gnutls/gnutls/issues/859#note_241312890

Let's remove them to reduce impact to future changes and updates. If we need them for specific functionality testing we can keep them as internal functions with an underscore.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/859#note_241312890

From gnutls-devel at lists.gnutls.org Thu Nov 7 11:28:05 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 07 Nov 2019 10:28:05 +0000
Subject: [gnutls-devel] GnuTLS | GOST key exchange support (!1097)
In-Reply-To:
References:
Message-ID:

Nikos Mavrogiannopoulos commented on a discussion on lib/auth/vko_gost.c: https://gitlab.com/gnutls/gnutls/merge_requests/1097#note_241321055

> + goto cleanup; > + } > + > + if (info != NULL && info->ncerts != 0) { > + ret = _gnutls_get_auth_info_pcert(&peer_cert, > + session->security_parameters. > + server_ctype, info); > + > + if (ret < 0) { > + gnutls_assert(); > + goto cleanup; > + } > + > + has_pcert = 1; > + } > +

There is `gnutls_memcmp` for it. However, going through `_gnutls_gost_keytrans_decrypt`, it is possible to distinguish with timing the ukm comparison failure vs the key unwrap failure. The key transport as per RSA is an oracle itself which allows anyone (client) to send arbitrary data to the server and time its results or try many inputs until something succeeds and that helps the attacker to deduce something about the key. I do not know the particulars of this key exchange but it looks like something risky to add or enable by default (in gost or non-gost setup). As I do not know the algorithm, I do not have an attack, but only hints that such a thing may exist. Are there public papers on this algorithm that describe its resistance to RSA-style Bleichenbacher oracle attacks? What I'm trying to avoid here is a big rewrite in the future like we did for the RSA.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1097#note_241321055

From gnutls-devel at lists.gnutls.org Thu Nov 7 14:06:17 2019
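The concern raised in the message above (telling a UKM comparison failure apart from a key unwrap failure) can be made visible without a stopwatch. This is an added example, not code from GnuTLS, Nettle or merge request !1097: `toy_unwrap`, the message layout, the result codes and all sample values are constructed for illustration and are not the GOST key wrap, and the unwrap call counter stands in for the time an observer would measure.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { UKM_LEN = 8, KEY_LEN = 32, TAG_LEN = 4 };
/* Hypothetical result codes for this example, not GnuTLS error values. */
enum { E_OK = 0, E_UKM_MISMATCH = -1, E_UNWRAP_FAILED = -2, E_DECRYPT = -3 };
enum { CORRUPT_NONE, CORRUPT_UKM, CORRUPT_TAG };

struct kx_msg {                 /* constructed stand-in for a key transport message */
    uint8_t ukm[UKM_LEN];       /* travels in cleartext */
    uint8_t wrapped[KEY_LEN];
    uint8_t tag[TAG_LEN];
};
static unsigned unwrap_calls;   /* makes a skipped unwrap step observable */

/* Equality test that reads every byte, wherever the first difference is. */
static int ct_memeq(const void *a, const void *b, size_t n)
{
    const volatile unsigned char *pa = a, *pb = b;
    unsigned diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (unsigned)(pa[i] ^ pb[i]);
    return (int)(((diff - 1u) >> 8) & 1u);  /* 1 when diff == 0, else 0 */
}

/* Toy unwrap (XOR with the KEK plus a 4-byte checksum). NOT the GOST key wrap. */
static void toy_unwrap(const uint8_t *kek, const struct kx_msg *m, uint8_t *key, uint8_t *tag)
{
    unwrap_calls++;
    memset(tag, 0, TAG_LEN);
    for (size_t i = 0; i < KEY_LEN; i++) {
        key[i] = m->wrapped[i] ^ kek[i];
        tag[i % TAG_LEN] ^= (uint8_t)(key[i] + kek[i] + i);
    }
}

/* Early exits: a bad UKM returns before any unwrap work, with its own code. */
static int decrypt_leaky(const uint8_t *kek, const uint8_t *ukm,
                         const struct kx_msg *m, uint8_t *key)
{
    uint8_t tag[TAG_LEN];
    if (memcmp(m->ukm, ukm, UKM_LEN) != 0)
        return E_UKM_MISMATCH;
    toy_unwrap(kek, m, key, tag);
    if (memcmp(tag, m->tag, TAG_LEN) != 0)
        return E_UNWRAP_FAILED;
    return E_OK;
}

/* Same work on every path, both checks folded into one flag, one failure code. */
static int decrypt_uniform(const uint8_t *kek, const uint8_t *ukm,
                           const struct kx_msg *m, uint8_t *key)
{
    uint8_t tag[TAG_LEN], cand[KEY_LEN];
    toy_unwrap(kek, m, cand, tag);
    int ok = ct_memeq(m->ukm, ukm, UKM_LEN) & ct_memeq(tag, m->tag, TAG_LEN);
    for (size_t i = 0; i < KEY_LEN; i++)    /* mask is 0xff on success, 0x00 on failure */
        key[i] = cand[i] & (uint8_t)(0u - (unsigned)ok);
    return ok ? E_OK : E_DECRYPT;
}

/* Builds a constructed message, optionally corrupts it, runs one variant. */
int outcome(int uniform, int corrupt)
{
    static const uint8_t ukm[UKM_LEN] = { 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17 };
    uint8_t kek[KEY_LEN], key[KEY_LEN], out[KEY_LEN];
    struct kx_msg m;
    for (size_t i = 0; i < KEY_LEN; i++) {
        kek[i] = (uint8_t)(0xa0 + i);
        key[i] = (uint8_t)(3 * i + 1);
        m.wrapped[i] = key[i] ^ kek[i];
    }
    memcpy(m.ukm, ukm, UKM_LEN);
    toy_unwrap(kek, &m, out, m.tag);        /* sender side: compute the tag */
    m.ukm[0] ^= (uint8_t)(corrupt == CORRUPT_UKM);
    m.tag[0] ^= (uint8_t)(corrupt == CORRUPT_TAG);
    unwrap_calls = 0;
    int ret = (uniform ? decrypt_uniform : decrypt_leaky)(kek, ukm, &m, out);
    if (ret == E_OK && memcmp(out, key, KEY_LEN) != 0)
        return -100;                        /* self-check: wrong key recovered */
    return ret;
}

unsigned unwrap_work(int uniform, int corrupt)  /* unwrap calls made by the receiver */
{
    (void)outcome(uniform, corrupt);
    return unwrap_calls;
}

int main(void)
{
    static const char *name[] = { "valid", "bad UKM", "bad tag" };
    for (int c = CORRUPT_NONE; c <= CORRUPT_TAG; c++)
        printf("%-8s leaky: %d (%u unwrap)  uniform: %d (%u unwrap)\n", name[c],
               outcome(0, c), unwrap_work(0, c), outcome(1, c), unwrap_work(1, c));
    return 0;
}
```

The uniform variant removes this one distinguisher in the toy model only; it says nothing about whether the real key transport resists oracle attacks, which is the open question in the thread.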
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 07 Nov 2019 13:06:17 +0000
Subject: [gnutls-devel] GnuTLS | GOST key exchange support (!1097)
In-Reply-To:
References:
Message-ID:

Dmitry Eremin-Solenikov commented on a discussion on lib/auth/vko_gost.c: https://gitlab.com/gnutls/gnutls/merge_requests/1097#note_241419975

> + goto cleanup; > + } > + > + if (info != NULL && info->ncerts != 0) { > + ret = _gnutls_get_auth_info_pcert(&peer_cert, > + session->security_parameters. > + server_ctype, info); > + > + if (ret < 0) { > + gnutls_assert(); > + goto cleanup; > + } > + > + has_pcert = 1; > + } > +

I will explain this in the documentation.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1097#note_241419975

From gnutls-devel at lists.gnutls.org Thu Nov 7 16:35:23 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 07 Nov 2019 15:35:23 +0000
Subject: [gnutls-devel] GnuTLS | nettle: backport fixes to cfb8_decrypt (!1117)
In-Reply-To:
References:
Message-ID:

Daiki Ueno pushed new commits to merge request !1117 https://gitlab.com/gnutls/gnutls/merge_requests/1117

* 7f0ca214 - crypto-selftests: test CFB8 ciphers with different chunksizes

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1117

From gnutls-devel at lists.gnutls.org Thu Nov 7 16:41:47 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 07 Nov 2019 15:41:47 +0000
Subject: [gnutls-devel] GnuTLS | GOST key exchange support (!1097)
In-Reply-To:
References:
Message-ID:

Dmitry Eremin-Solenikov pushed new commits to merge request !1097 https://gitlab.com/gnutls/gnutls/merge_requests/1097

* 8f51a4ec - nettle/gost: provide GOST keywrapping support
* f0da4adf - nettle/gost: add support for GOST VKO algorithm
* e9f9d34e - _gnutls_pk_derive: add argument for nonce
* cdc4fc28 - nettle: add support for GOST key derivation
* 7f93e7f5 - Add GOST key transport support
* 36a3974d - Declare groups corresponding to GOST curves
* 1cc1ee4f - ecc: define curve->group relationship
* 1412ef05 - groups: add function to return group by curve
* 9e4cc364 - Add support for VKO GOST key exchange

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1097

From gnutls-devel at lists.gnutls.org Thu Nov 7 16:43:41 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 07 Nov 2019 15:43:41 +0000
Subject: [gnutls-devel] GnuTLS | GOST key exchange support (!1097)
In-Reply-To:
References:
Message-ID:

Dmitry Eremin-Solenikov commented on a discussion on lib/auth/vko_gost.c: https://gitlab.com/gnutls/gnutls/merge_requests/1097#note_241523285

> + goto cleanup; > + } > + > + if (info != NULL && info->ncerts != 0) { > + ret = _gnutls_get_auth_info_pcert(&peer_cert, > + session->security_parameters. > + server_ctype, info); > + > + if (ret < 0) { > + gnutls_assert(); > + goto cleanup; > + } > + > + has_pcert = 1; > + } > +

Updated the documentation. Basically at this point we compare `hash(client_random, server_random)` with the data provided in cleartext in the KX message.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1097#note_241523285

From gnutls-devel at lists.gnutls.org Thu Nov 7 16:44:04 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 07 Nov 2019 15:44:04 +0000
Subject: [gnutls-devel] GnuTLS | GOST key exchange support (!1097)
In-Reply-To:
References:
Message-ID:

Dmitry Eremin-Solenikov commented on a discussion on lib/auth/vko_gost.c: https://gitlab.com/gnutls/gnutls/merge_requests/1097#note_241523534

> + goto cleanup; > + } > + > + if (info != NULL && info->ncerts != 0) { > + ret = _gnutls_get_auth_info_pcert(&peer_cert, > + session->security_parameters. > + server_ctype, info); > + > + if (ret < 0) { > + gnutls_assert(); > + goto cleanup; > + } > + > + has_pcert = 1; > + } > +

Also changed `memcmp` to Nettle's `memeql_sec`.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1097#note_241523534

From gnutls-devel at lists.gnutls.org Thu Nov 7 16:58:52 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 07 Nov 2019 15:58:52 +0000
Subject: [gnutls-devel] GnuTLS | nettle: backport fixes to cfb8_decrypt (!1117)
In-Reply-To:
References:
Message-ID:

Daiki Ueno pushed new commits to merge request !1117 https://gitlab.com/gnutls/gnutls/merge_requests/1117

* 2a84645f - crypto-selftests: test CFB8 ciphers with different chunksizes

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1117

From gnutls-devel at lists.gnutls.org Thu Nov 7 17:11:05 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 07 Nov 2019 16:11:05 +0000
Subject: [gnutls-devel] GnuTLS | prf: don't crash when called before handshake completion (!1116)

Merge Request !1116 was approved by Dmitry Eremin-Solenikov

Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/1116
Project:Branches: mlichvar/gnutls:prf-crash to gnutls/gnutls:master
Author: Miroslav Lichvar
Assignees:

From gnutls-devel at lists.gnutls.org Thu Nov 7 17:19:57 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 07 Nov 2019 16:19:57 +0000
Subject: [gnutls-devel] GnuTLS | nettle: backport fixes to cfb8_decrypt (!1117)

Daiki Ueno pushed new commits to merge request !1117
https://gitlab.com/gnutls/gnutls/merge_requests/1117

* b6f3d105 - crypto-selftests: test CFB8 ciphers with different chunksizes

From gnutls-devel at lists.gnutls.org Thu Nov 7 17:40:55 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 07 Nov 2019 16:40:55 +0000
Subject: [gnutls-devel] GnuTLS | nettle: backport fixes to cfb8_decrypt (!1117)

Daiki Ueno pushed new commits to merge request !1117
https://gitlab.com/gnutls/gnutls/merge_requests/1117

* 714d527c - crypto-selftests: test CFB8 ciphers with different chunksizes

From gnutls-devel at lists.gnutls.org Thu Nov 7 18:25:32 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 07 Nov 2019 17:25:32 +0000
Subject: [gnutls-devel] GnuTLS | nettle: backport fixes to cfb8_decrypt (!1117)

Daiki Ueno pushed new commits to merge request !1117
https://gitlab.com/gnutls/gnutls/merge_requests/1117

* ab030c15 - .gitlab-ci.yml: bump configure cache version

From gnutls-devel at lists.gnutls.org Thu Nov 7 23:12:45 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 07 Nov 2019 22:12:45 +0000
Subject: [gnutls-devel] GnuTLS | prf: don't crash when called before handshake completion (!1116)

Merge Request !1116 was merged

Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/1116
Project:Branches: mlichvar/gnutls:prf-crash to gnutls/gnutls:master
Author: Miroslav Lichvar
Assignees:

From gnutls-devel at lists.gnutls.org Fri Nov 8 10:11:13 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 08 Nov 2019 09:11:13 +0000
Subject: [gnutls-devel] GnuTLS | nettle: backport fixes to cfb8_decrypt (!1117)

Daiki Ueno pushed new commits to merge request !1117
https://gitlab.com/gnutls/gnutls/merge_requests/1117

* 98ac6220 - nettle: use included CFB8 implementation if nettle is 3.5
* 7e9663dd - crypto-selftests: test CFB8 ciphers with different chunksizes
* 30baf001 - .gitlab-ci.yml: bump configure cache version

From gnutls-devel at lists.gnutls.org Fri Nov 8 10:53:38 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 08 Nov 2019 09:53:38 +0000
Subject: [gnutls-devel] GnuTLS | GOST key exchange support (!1097)

Dmitry Eremin-Solenikov pushed new commits to merge request !1097
https://gitlab.com/gnutls/gnutls/merge_requests/1097

* 6eadc827 - Add support for VKO GOST key exchange

From gnutls-devel at lists.gnutls.org Fri Nov 8 10:55:53 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 08 Nov 2019 09:55:53 +0000
Subject: [gnutls-devel] GnuTLS | GOST key exchange support (!1097)

Dmitry Eremin-Solenikov commented:

I've updated KX message decoding a bit to follow [OpenSSL PR](https://github.com/openssl/openssl/pull/10376). If you'd prefer I can change this to defining proper `TLSGostKeyTransportBlob` structure and to parsing it in KX to get `GostR3410-KeyTransport` contents.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1097#note_241887078

From gnutls-devel at lists.gnutls.org Fri Nov 8 10:57:31 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 08 Nov 2019 09:57:31 +0000
Subject: [gnutls-devel] GnuTLS | Add support for CNT_IMIT TLS 1.2 GOST cipher suite (!920)

Dmitry Eremin-Solenikov pushed new commits to merge request !920
https://gitlab.com/gnutls/gnutls/merge_requests/920

* 8f51a4ec - nettle/gost: provide GOST keywrapping support
* f0da4adf - nettle/gost: add support for GOST VKO algorithm
* e9f9d34e - _gnutls_pk_derive: add argument for nonce
* cdc4fc28 - nettle: add support for GOST key derivation
* 7f93e7f5 - Add GOST key transport support
* 36a3974d - Declare groups corresponding to GOST curves
* 1cc1ee4f - ecc: define curve->group relationship
* 1412ef05 - groups: add function to return group by curve
* 6eadc827 - Add support for VKO GOST key exchange
* 527e7bed - Support GOST certificate request values
* 58f4a045 - Add GOST cipher suites
* 27854630 - Add GOST values to cipher suites priorities
* edd351e8 - tests: add tests for KX-GOST-VKO using different key variants
* 1744ef96 - tests: added testcases for ciphersuite/KX negotiation with VKO-GOST
* 01c319a8 - cli-debug: include GOST VKO into KX list
* 5803c241 - priority: add GROUP-GOST-ALL keyword
* f4ce990c - ext/signature: use GOST signatures for GOST ciphersiuites
* ef2f28eb - gnutls-cli-debug: add GOST_CNT-related KX/cipher/MAC tests
* 7d618f39 - tls13-server-kx-neg: add test for GOST-enabled server and client
* bb6a6525 - lib: fix group selection in case of GOST cipher suites

From gnutls-devel at lists.gnutls.org Fri Nov 8 11:02:57 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 08 Nov 2019 10:02:57 +0000
Subject: [gnutls-devel] GnuTLS | WIP: gnutls_hkdf{expand, extract}: new API functions exposed (!1115)

Aniketh Girish started a new discussion on lib/crypto-api.c: https://gitlab.com/gnutls/gnutls/merge_requests/1115#note_241890776

> _gnutls_aead_cipher_deinit(handle); > gnutls_free(handle); > } > + > +int gnutls_hkdf_expand(gnutls_mac_algorithm_t algorithm, > + const unsigned int *secret, > + const unsigned int *info, size_t info_size,

@dueno Would it make sense to check if `info` is of the size `info_size`?

From gnutls-devel at lists.gnutls.org Fri Nov 8 12:35:59 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 08 Nov 2019 11:35:59 +0000
Subject: [gnutls-devel] GnuTLS | nettle: backport fixes to cfb8_decrypt (!1117)

Merge Request !1117 was approved by Dmitry Eremin-Solenikov

Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/1117
Branches: tmp-cfb8-fixes to master
Author: Daiki Ueno
Assignees:

From gnutls-devel at lists.gnutls.org Fri Nov 8 13:38:50 2019
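Review bot: on the `const unsigned int *info, size_t info_size` line of the `gnutls_hkdf_expand` signature quoted above from lib/crypto-api.c (!1115), the callee cannot verify that `info` is really `info_size` long; the one inconsistency it can catch is a NULL `info` paired with a non-zero `info_size`. Rejecting that case at the top of the function, and stating in the doc comment whether a NULL `info` with `info_size` 0 is accepted as an empty context string, would settle the question raised in this discussion.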
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 08 Nov 2019 12:38:50 +0000
Subject: [gnutls-devel] GnuTLS | nettle: backport fixes to cfb8_decrypt (!1117)

Daiki Ueno commented:

Thanks for the review!

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1117#note_241974831

From gnutls-devel at lists.gnutls.org Fri Nov 8 13:38:56 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 08 Nov 2019 12:38:56 +0000
Subject: [gnutls-devel] GnuTLS | nettle: backport fixes to cfb8_decrypt (!1117)

Merge Request !1117 was merged

Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/1117
Branches: tmp-cfb8-fixes to master
Author: Daiki Ueno
Assignees:

From gnutls-devel at lists.gnutls.org Fri Nov 8 16:31:09 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 08 Nov 2019 15:31:09 +0000
Subject: [gnutls-devel] GnuTLS | WIP: gnutls_hkdf{expand, extract}: new API functions exposed (!1115)

Daiki Ueno commented on a discussion on lib/crypto-api.c: https://gitlab.com/gnutls/gnutls/merge_requests/1115#note_242091503

> _gnutls_aead_cipher_deinit(handle); > gnutls_free(handle); > } > + > +int gnutls_hkdf_expand(gnutls_mac_algorithm_t algorithm, > + const unsigned int *secret, > + const unsigned int *info, size_t info_size,

I don't think it is necessary, and I don't know how it could be implemented.

From gnutls-devel at lists.gnutls.org Fri Nov 8 16:32:46 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 08 Nov 2019 15:32:46 +0000
Subject: [gnutls-devel] GnuTLS | WIP: gnutls_hkdf{expand, extract}: new API functions exposed (!1115)

Daiki Ueno started a new discussion on lib/crypto-api.c: https://gitlab.com/gnutls/gnutls/merge_requests/1115#note_242092362

> + hkdf_expand(&ctx, (nettle_hash_update_func*)hmac_sha256_update, > + (nettle_hash_digest_func*)hmac_sha256_digest, SHA256_DIGEST_SIZE, > + info_size, info, out_size, out); > + break; > + } > + case GNUTLS_MAC_SHA384:{ > + struct hmac_sha384_ctx ctx; > + > + hmac_sha384_set_key(&ctx, SHA384_DIGEST_SIZE, secret); > + hkdf_expand(&ctx, (nettle_hash_update_func*)hmac_sha384_update, > + (nettle_hash_digest_func*)hmac_sha384_digest, SHA384_DIGEST_SIZE, > + info_size, info, out_size, out); > + break; > + } > + default: > + return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);

Since this is a public API, better not return an "internal error". `GNUTLS_E_INVALID_REQUEST` would be more appropriate.

From gnutls-devel at lists.gnutls.org Fri Nov 8 16:33:10 2019
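Review bot: `hmac_sha384_set_key(&ctx, SHA384_DIGEST_SIZE, secret);` in the `GNUTLS_MAC_SHA384` case of the hunk quoted above hard-codes the key length to the digest size, so a caller whose `secret` buffer is shorter gets an out-of-bounds read and one holding a longer key has it silently truncated. Take the key length as an explicit argument and pass it to `set_key` instead of `SHA384_DIGEST_SIZE`. The stack `ctx` also still holds keyed HMAC state at `break`; clearing it before returning would keep key material from lingering on the stack.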
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 08 Nov 2019 15:33:10 +0000
Subject: [gnutls-devel] GnuTLS | WIP: gnutls_hkdf{expand, extract}: new API functions exposed (!1115)

Daiki Ueno started a new discussion on lib/includes/gnutls/crypto.h: https://gitlab.com/gnutls/gnutls/merge_requests/1115#note_242092569

> > void gnutls_aead_cipher_deinit(gnutls_aead_cipher_hd_t handle); > > +/* HKDF API */ > + > +int gnutls_hkdf_extract(gnutls_mac_algorithm_t algorithm, > + const unsigned int *secret, size_t secret_size, > + const unsigned int dst); > +int gnutls_hkdf_expand(gnutls_mac_algorithm_t algorithm, > + const unsigned int *secret, > + const unsigned int *info, size_t info_size, > + unsigned out_size, void *out);

Still `out_size` is before `out`.

From gnutls-devel at lists.gnutls.org Fri Nov 8 16:46:43 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 08 Nov 2019 15:46:43 +0000
Subject: [gnutls-devel] GnuTLS | WIP: gnutls_hkdf{expand, extract}: new API functions exposed (!1115)

Aniketh Girish pushed new commits to merge request !1115
https://gitlab.com/gnutls/gnutls/merge_requests/1115

* 984ae4ec - gnutls_hkdf{expand, extract}: new API functions exposed

From gnutls-devel at lists.gnutls.org Fri Nov 8 16:52:10 2019
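Review bot: `const unsigned int dst` in the `gnutls_hkdf_extract` prototype of the lib/includes/gnutls/crypto.h hunk quoted above is a const scalar passed by value, so the function has nowhere to write the extracted key; it needs an output pointer. The prototype also carries no salt argument, which HKDF-Extract takes alongside the input keying material, and the byte strings `secret` and `info` are typed `const unsigned int *`, where `const void *` or `const uint8_t *` would match the `void *out` already used for the output in `gnutls_hkdf_expand`.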
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 08 Nov 2019 15:52:10 +0000
Subject: [gnutls-devel] GnuTLS | WIP: gnutls_hkdf{expand, extract}: new API functions exposed (!1115)

Aniketh Girish commented on a discussion on lib/includes/gnutls/crypto.h: https://gitlab.com/gnutls/gnutls/merge_requests/1115#note_242104220

> > void gnutls_aead_cipher_deinit(gnutls_aead_cipher_hd_t handle); > > +/* HKDF API */ > + > +int gnutls_hkdf_extract(gnutls_mac_algorithm_t algorithm, > + const unsigned int *secret, size_t secret_size, > + const unsigned int dst); > +int gnutls_hkdf_expand(gnutls_mac_algorithm_t algorithm, > + const unsigned int *secret, > + const unsigned int *info, size_t info_size, > + unsigned out_size, void *out);

Ah missed out on that one. Fixed.

From gnutls-devel at lists.gnutls.org Fri Nov 8 21:21:20 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 08 Nov 2019 20:21:20 +0000
Subject: [gnutls-devel] GnuTLS | GOST key exchange support (!1097)

All discussions on Merge Request !1097 were resolved by Nikos Mavrogiannopoulos
https://gitlab.com/gnutls/gnutls/merge_requests/1097

From gnutls-devel at lists.gnutls.org Fri Nov 8 21:30:25 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 08 Nov 2019 20:30:25 +0000
Subject: [gnutls-devel] GnuTLS | GOST key exchange support (!1097)

Merge Request !1097 was approved by Nikos Mavrogiannopoulos

Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/1097
Project:Branches: GostCrypt/gnutls:gost-split-2 to gnutls/gnutls:master
Author: Dmitry Eremin-Solenikov
Assignees:

From gnutls-devel at lists.gnutls.org Sat Nov 9 00:03:18 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 08 Nov 2019 23:03:18 +0000
Subject: [gnutls-devel] GnuTLS | GOST key exchange support (!1097)

Merge Request !1097 was merged

Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/1097
Project:Branches: GostCrypt/gnutls:gost-split-2 to gnutls/gnutls:master
Author: Dmitry Eremin-Solenikov
Assignees:

From gnutls-devel at lists.gnutls.org Sat Nov 9 01:17:37 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 09 Nov 2019 00:17:37 +0000
Subject: [gnutls-devel] GnuTLS | Add support for CNT_IMIT TLS 1.2 GOST cipher suite (!920)

Dmitry Eremin-Solenikov pushed new commits to merge request !920
https://gitlab.com/gnutls/gnutls/merge_requests/920

* 03fe7c08...3d4928e4 - 9 commits from branch `master`
* 562405fa - Support GOST certificate request values
* 2a750e46 - Add GOST cipher suites
* 6ea9e392 - Add GOST values to cipher suites priorities
* e6851a57 - tests: add tests for KX-GOST-VKO using different key variants
* a5c355a6 - tests: added testcases for ciphersuite/KX negotiation with VKO-GOST
* 20aa47eb - cli-debug: include GOST VKO into KX list
* 22a65b65 - priority: add GROUP-GOST-ALL keyword
* 2e35ea9b - ext/signature: use GOST signatures for GOST ciphersiuites
* f59519f3 - gnutls-cli-debug: add GOST_CNT-related KX/cipher/MAC tests
* 98d43eb7 - tls13-server-kx-neg: add test for GOST-enabled server and client
* 93c3bd10 - lib: fix group selection in case of GOST cipher suites
* ff92848f - SignatureAlgorithms: force-enable GOST signatures for GOST KX
* 29613f07 - tls12-server-kx-neg: add tests without GOST signature algorithms

From gnutls-devel at lists.gnutls.org Sun Nov 10 12:10:56 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 10 Nov 2019 11:10:56 +0000
Subject: [gnutls-devel] GnuTLS | vko: fix possible unitilized scalar access (!1118)

Dmitry Eremin-Solenikov created a merge request: https://gitlab.com/gnutls/gnutls/merge_requests/1118

Project:Branches: GostCrypt/gnutls:fix-coverity to gnutls/gnutls:master
Author: Dmitry Eremin-Solenikov

Fix Coverity issue 1455324

## Checklist
* [x] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [x] Code modified for feature
* [x] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:
* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

From gnutls-devel at lists.gnutls.org Sun Nov 10 14:32:15 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 10 Nov 2019 13:32:15 +0000
Subject: [gnutls-devel] GnuTLS | Add GOST-CNT ciphersuite support (!1119)

Dmitry Eremin-Solenikov created a merge request: https://gitlab.com/gnutls/gnutls/merge_requests/1119

Project:Branches: GostCrypt/gnutls:gost-split-3 to gnutls/gnutls:master
Author: Dmitry Eremin-Solenikov

Add a description of the new feature/bug fix. Reference any relevant bugs.

## Checklist
* [x] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [x] Code modified for feature
* [x] Test suite updated with functionality tests
* [x] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
* [x] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:
* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

From gnutls-devel at lists.gnutls.org Sun Nov 10 16:18:08 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 10 Nov 2019 15:18:08 +0000
Subject: [gnutls-devel] GnuTLS | Add GOST-CNT ciphersuite support (!1119)

Dmitry Eremin-Solenikov pushed new commits to merge request !1119
https://gitlab.com/gnutls/gnutls/merge_requests/1119

* 85d81863 - ext/signature: use GOST signatures for GOST ciphersiuites

From gnutls-devel at lists.gnutls.org Mon Nov 11 14:55:46 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 11 Nov 2019 13:55:46 +0000
Subject: [gnutls-devel] GnuTLS | vko: fix possible unitilized scalar access (!1118)

Nikos Mavrogiannopoulos started a new discussion on lib/vko.c: https://gitlab.com/gnutls/gnutls/merge_requests/1118#note_242864671

> _gnutls_free_datum(&enc); > cleanup: > gnutls_pk_params_release(&pub); > +cleanup_asn:

Should we rename the cleanup labels? They seem to be mixing numbering with specific labels.

From gnutls-devel at lists.gnutls.org Mon Nov 11 14:59:30 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 11 Nov 2019 13:59:30 +0000
Subject: [gnutls-devel] GnuTLS | vko: fix possible unitilized scalar access (!1118)

Nikos Mavrogiannopoulos commented:

Other than the naming, LGTM

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1118#note_242867374

From gnutls-devel at lists.gnutls.org Mon Nov 11 21:52:18 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 11 Nov 2019 20:52:18 +0000
Subject: [gnutls-devel] GnuTLS | vko: fix possible unitilized scalar access (!1118)

Dmitry Eremin-Solenikov pushed new commits to merge request !1118
https://gitlab.com/gnutls/gnutls/merge_requests/1118

* baba4094 - vko: fix possible unitilized scalar access

From gnutls-devel at lists.gnutls.org Mon Nov 11 21:52:37 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 11 Nov 2019 20:52:37 +0000
Subject: [gnutls-devel] GnuTLS | vko: fix possible unitilized scalar access (!1118)

Dmitry Eremin-Solenikov commented on a discussion on lib/vko.c: https://gitlab.com/gnutls/gnutls/merge_requests/1118#note_243068031

> _gnutls_free_datum(&enc); > cleanup: > gnutls_pk_params_release(&pub); > +cleanup_asn:

Reworked the patch to avoid renaming labels.

From gnutls-devel at lists.gnutls.org Mon Nov 11 23:14:18 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 11 Nov 2019 22:14:18 +0000
Subject: [gnutls-devel] GnuTLS | Fix cross-compilation of the Guile bindings (!1120)

civodul created a merge request: https://gitlab.com/gnutls/gnutls/merge_requests/1120

Project:Branches: civodul/gnutls:wip-cross-compilation to gnutls/gnutls:master
Author: civodul

The first patch should fix cross-compilation of the Guile bindings as reported at https://bugs.debian.org/943905. The second one fixes a harmless but annoying warning during compilation, as reported at the same place.

## Checklist
* [X] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [ ] Code modified for feature
* [ ] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
* [X] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:
* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

From gnutls-devel at lists.gnutls.org Tue Nov 12 11:49:30 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 12 Nov 2019 10:49:30 +0000
Subject: [gnutls-devel] GnuTLS | vko: fix possible unitilized scalar access (!1118)

Merge Request !1118 was approved by Nikos Mavrogiannopoulos

Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/1118
Project:Branches: GostCrypt/gnutls:fix-coverity to gnutls/gnutls:master
Author: Dmitry Eremin-Solenikov
Assignees:

From gnutls-devel at lists.gnutls.org Tue Nov 12 11:49:43 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 12 Nov 2019 10:49:43 +0000
Subject: [gnutls-devel] GnuTLS | vko: fix possible unitilized scalar access (!1118)

All discussions on Merge Request !1118 were resolved by Nikos Mavrogiannopoulos
https://gitlab.com/gnutls/gnutls/merge_requests/1118

From gnutls-devel at lists.gnutls.org Tue Nov 12 11:49:56 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 12 Nov 2019 10:49:56 +0000
Subject: [gnutls-devel] GnuTLS | vko: fix possible unitilized scalar access (!1118)

Merge Request !1118 was merged

Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/1118
Project:Branches: GostCrypt/gnutls:fix-coverity to gnutls/gnutls:master
Author: Dmitry Eremin-Solenikov
Assignees:

From gnutls-devel at lists.gnutls.org Wed Nov 13 11:58:33 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 13 Nov 2019 10:58:33 +0000
Subject: [gnutls-devel] GnuTLS | Add GOST-CNT ciphersuite support (!1119)

Nikos Mavrogiannopoulos started a new discussion on lib/priority.c: https://gitlab.com/gnutls/gnutls/merge_requests/1119#note_243928311

> #endif > #ifdef ENABLE_DHE > GNUTLS_KX_DHE_RSA, > +#endif > +#ifdef ENABLE_GOST > + GNUTLS_KX_VKO_GOST_12,

That's a part which I think is the most questionable in terms of policy. How can we have an implementation which supports GOST but enables it conditionally? For example, Debian or Fedora may want to support GOST but not enable it by default (i.e., enable it via a crypto policy). The reason is that this is a national standard, not widely accepted, and enabling by default will trigger pushback to the whole effort of GOST support. What are the options we have here?

From gnutls-devel at lists.gnutls.org Wed Nov 13 12:03:15 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 13 Nov 2019 11:03:15 +0000
Subject: [gnutls-devel] GnuTLS | Add GOST-CNT ciphersuite support (!1119)

Dmitry Eremin-Solenikov commented on a discussion on lib/priority.c: https://gitlab.com/gnutls/gnutls/merge_requests/1119#note_243931013

> #endif > #ifdef ENABLE_DHE > GNUTLS_KX_DHE_RSA, > +#endif > +#ifdef ENABLE_GOST > + GNUTLS_KX_VKO_GOST_12,

Well, if it's possible to enable GOST ciphersuites via configfile (crypto policy) I'm fine with that. I had the feeling that GnuTLS's config files are disable-only.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1119#note_243931013

From gnutls-devel at lists.gnutls.org Wed Nov 13 12:04:10 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 13 Nov 2019 11:04:10 +0000
Subject: [gnutls-devel] GnuTLS | Add GOST-CNT ciphersuite support (!1119)

Nikos Mavrogiannopoulos commented on a discussion on lib/priority.c: https://gitlab.com/gnutls/gnutls/merge_requests/1119#note_243931505

> #endif > #ifdef ENABLE_DHE > GNUTLS_KX_DHE_RSA, > +#endif > +#ifdef ENABLE_GOST > + GNUTLS_KX_VKO_GOST_12,

Indeed. The configuration file, as it is now, allows you to disable algorithms globally. There is no way to enable algorithms globally (in fedora we have a hack with @SYSTEM but it does not extend beyond fedora, nor maybe a good idea). Maybe we can allow the config file to override or append to the default priorities.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1119#note_243931505

From gnutls-devel at lists.gnutls.org Wed Nov 13 12:04:59 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 13 Nov 2019 11:04:59 +0000
Subject: [gnutls-devel] GnuTLS | Add GOST-CNT ciphersuite support (!1119)

Nikos Mavrogiannopoulos commented on a discussion on lib/priority.c: https://gitlab.com/gnutls/gnutls/merge_requests/1119#note_243931986

> #endif > #ifdef ENABLE_DHE > GNUTLS_KX_DHE_RSA, > +#endif > +#ifdef ENABLE_GOST > + GNUTLS_KX_VKO_GOST_12,

Would that be a good solution for the gost ecosystem?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1119#note_243931986

From gnutls-devel at lists.gnutls.org Wed Nov 13 12:24:32 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 13 Nov 2019 11:24:32 +0000
Subject: [gnutls-devel] GnuTLS | Add GOST-CNT ciphersuite support (!1119)

Dmitry Eremin-Solenikov commented on a discussion on lib/priority.c: https://gitlab.com/gnutls/gnutls/merge_requests/1119#note_243945726

> #endif > #ifdef ENABLE_DHE > GNUTLS_KX_DHE_RSA, > +#endif > +#ifdef ENABLE_GOST > + GNUTLS_KX_VKO_GOST_12,

Yes. However I'm a bit reluctant about allowing generic enable in the config file.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1119#note_243945726

From gnutls-devel at lists.gnutls.org Wed Nov 13 12:40:40 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 13 Nov 2019 11:40:40 +0000
Subject: [gnutls-devel] GnuTLS | Add GOST-CNT ciphersuite support (!1119)

Nikos Mavrogiannopoulos commented on a discussion on lib/priority.c: https://gitlab.com/gnutls/gnutls/merge_requests/1119#note_243954660

> #endif > #ifdef ENABLE_DHE > GNUTLS_KX_DHE_RSA, > +#endif > +#ifdef ENABLE_GOST > + GNUTLS_KX_VKO_GOST_12,

Is your concern about enabling a disabled algorithm? If the enable would be restricted to existing but not explicitly enabled by policy, would it be ok?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1119#note_243954660

From gnutls-devel at lists.gnutls.org Wed Nov 13 12:44:27 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 13 Nov 2019 11:44:27 +0000
Subject: [gnutls-devel] GnuTLS | Add GOST-CNT ciphersuite support (!1119)

Dmitry Eremin-Solenikov commented on a discussion on lib/priority.c: https://gitlab.com/gnutls/gnutls/merge_requests/1119#note_243956661

> #endif > #ifdef ENABLE_DHE > GNUTLS_KX_DHE_RSA, > +#endif > +#ifdef ENABLE_GOST > + GNUTLS_KX_VKO_GOST_12,

I'm thinking about users enabling sha1/md5/etc.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1119#note_243956661

From gnutls-devel at lists.gnutls.org Wed Nov 13 12:48:47 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 13 Nov 2019 11:48:47 +0000
Subject: [gnutls-devel] GnuTLS | Add GOST-CNT ciphersuite support (!1119)

Nikos Mavrogiannopoulos started a new discussion on tests/tls13-server-kx-neg.c: https://gitlab.com/gnutls/gnutls/merge_requests/1119#note_243958794

> + }, > + { > + .name = "TLS 1.2 server TLS 1.3 client with cred and GOST-512 cert", > + .server_ret = 0, > + .client_ret = 0, > + .have_cert_cred = 1, > + .have_gost12_512_cert = 1, > + .not_on_fips = 1, > + .server_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:" "-VERS-ALL:+VERS-TLS1.2", > + .client_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:"PVERSION, > + .exp_version = GNUTLS_TLS1_2, > + }, > + /* Ideally for the next two test cases we should fallback to TLS 1.2 + GOST > + * but this is unsuppored for now */ > + { > + .name = "TLS 1.3 server and client VKO-GOST-12 with cred and GOST-256 cert",

Wouldn't that be an obstacle in enabling gost system-wide? What if we disable TLS1.3 explicitly to clients and servers which enable GOST? Alternatively, should we be passing the ciphersuite list to the version negotiation extension to identify whether TLS1.3 should be skipped?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1119#note_243958794

From gnutls-devel at lists.gnutls.org Wed Nov 13 12:56:57 2019
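Review bot: the comment before the last quoted test case in the tests/tls13-server-kx-neg.c hunk misspells "unsupported" as "unsuppored" and only says that falling back to TLS 1.2 + GOST is not supported. It should also state what the two following cases are expected to return today, so they can be found and flipped once fallback is implemented. In the first quoted case, a short comment on what `PVERSION` appends to `.client_prio` would let a reader check the expected `GNUTLS_TLS1_2` result from the test table alone.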
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 13 Nov 2019 11:56:57 +0000
Subject: [gnutls-devel] GnuTLS | Add GOST-CNT ciphersuite support (!1119)

Nikos Mavrogiannopoulos started a new discussion on lib/gnutls_int.h: https://gitlab.com/gnutls/gnutls/merge_requests/1119#note_243962959

> typedef struct { > uint8_t id[2]; /* used to be (in TLS 1.2) hash algorithm , PK algorithm */ > uint8_t tls_sem; /* should match the protocol version's tls_sig_sem. */ > + uint8_t is_gost : 1;

I do not think that the `:1` would result in great benefit. If we care about the memory consumption, what about making `tls_sem` a flags option and introduce the TLS_SEMANTICS flag and GOST?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1119#note_243962959

From gnutls-devel at lists.gnutls.org Wed Nov 13 13:00:06 2019
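Review bot: `uint8_t is_gost : 1;` in the lib/gnutls_int.h hunk is the only bit-field among the quoted members, so as far as these lines show it still occupies a byte of its own, and a bit-field whose type is not `int`, `unsigned int` or `_Bool` is implementation-defined in C. The new member also has no comment, unlike `id` and `tls_sem` above it. Declare it as a plain `uint8_t` or `bool` and add a comment saying what sets it and which code reads it.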
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 13 Nov 2019 12:00:06 +0000
Subject: [gnutls-devel] GnuTLS | Add GOST-CNT ciphersuite support (!1119)

Nikos Mavrogiannopoulos commented on a discussion on lib/priority.c: https://gitlab.com/gnutls/gnutls/merge_requests/1119#note_243964434

> #endif > #ifdef ENABLE_DHE > GNUTLS_KX_DHE_RSA, > +#endif > +#ifdef ENABLE_GOST > + GNUTLS_KX_VKO_GOST_12,

MD5 as a signature hash algorithm I think is marked as insecure, and if we follow the idea above it will not be "markable" as secure. It could be added in the priority strings, though once negotiated gnutls will fail as it is marked as insecure.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1119#note_243964434

From gnutls-devel at lists.gnutls.org Wed Nov 13 13:45:34 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 13 Nov 2019 12:45:34 +0000
Subject: [gnutls-devel] GnuTLS | Add GOST-CNT ciphersuite support (!1119)

Dmitry Eremin-Solenikov commented on a discussion on tests/tls13-server-kx-neg.c: https://gitlab.com/gnutls/gnutls/merge_requests/1119#note_243994597

> + }, > + { > + .name = "TLS 1.2 server TLS 1.3 client with cred and GOST-512 cert", > + .server_ret = 0, > + .client_ret = 0, > + .have_cert_cred = 1, > + .have_gost12_512_cert = 1, > + .not_on_fips = 1, > + .server_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:" "-VERS-ALL:+VERS-TLS1.2", > + .client_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:"PVERSION, > + .exp_version = GNUTLS_TLS1_2, > + }, > + /* Ideally for the next two test cases we should fallback to TLS 1.2 + GOST > + * but this is unsuppored for now */ > + { > + .name = "TLS 1.3 server and client VKO-GOST-12 with cred and GOST-256 cert",

I have been thinking about this for quite some time. Just disabling TLS1.3 if GOST ciphersuite is enabled leads to lots of failures if/once GOST is a part of default setup. For now I've just failed to create a proper list of all possible setups and 'best' outcomes. I plan to return to that while actually implementing GOST TLS 1.3 support (which will use a completely different ciphersuite).

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1119#note_243994597

From gnutls-devel at lists.gnutls.org Wed Nov 13 13:46:30 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 13 Nov 2019 12:46:30 +0000
Subject: [gnutls-devel] GnuTLS | Add GOST-CNT ciphersuite support (!1119)

Dmitry Eremin-Solenikov commented on a discussion on lib/gnutls_int.h: https://gitlab.com/gnutls/gnutls/merge_requests/1119#note_243995092

> typedef struct { > uint8_t id[2]; /* used to be (in TLS 1.2) hash algorithm , PK algorithm */ > uint8_t tls_sem; /* should match the protocol version's tls_sig_sem. */ > + uint8_t is_gost : 1;

I'll give it a thought, especially since `tls_sem` is not just a flag, but two flags.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1119#note_243995092

From gnutls-devel at lists.gnutls.org Wed Nov 13 13:51:39 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 13 Nov 2019 12:51:39 +0000
Subject: [gnutls-devel] GnuTLS | Add GOST-CNT ciphersuite support (!1119)

Dmitry Eremin-Solenikov commented on a discussion on lib/priority.c: https://gitlab.com/gnutls/gnutls/merge_requests/1119#note_243997839

> #endif > #ifdef ENABLE_DHE > GNUTLS_KX_DHE_RSA, > +#endif > +#ifdef ENABLE_GOST > + GNUTLS_KX_VKO_GOST_12,

ok then. Should `disable-then-enable` cause a fatal error or just a huge warning (and leave algo disabled)? As an alternative approach I'm thinking about implementing just `enable-gost-tls12` option in the config file, which might be easier to handle.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1119#note_243997839

From gnutls-devel at lists.gnutls.org Wed Nov 13 20:56:51 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 13 Nov 2019 19:56:51 +0000
Subject: [gnutls-devel] GnuTLS | Add GOST-CNT ciphersuite support (!1119)

Dmitry Eremin-Solenikov pushed new commits to merge request !1119 https://gitlab.com/gnutls/gnutls/merge_requests/1119

* baba4094...5330fe5a - 2 commits from branch `master`
* 1779453b - lib: fix group selection in case of GOST cipher suites
* 0f9fc2e0 - Support GOST certificate request values
* 2449e344 - Add GOST cipher suites
* 86f9e995 - Add GOST values to cipher suites priorities
* 13c5386a - tests: add tests for KX-GOST-VKO using different key variants
* d8303c52 - tests: added testcases for ciphersuite/KX negotiation with VKO-GOST
* 7b391a3d - tls13-server-kx-neg: add test for GOST-enabled server and client
* 14765f24 - ext/signature: use GOST signatures for GOST ciphersiuites

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1119

From gnutls-devel at lists.gnutls.org Wed Nov 13 20:56:49 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 13 Nov 2019 19:56:49 +0000
Subject: [gnutls-devel] GnuTLS | Add support for CNT_IMIT TLS 1.2 GOST cipher suite (!920)

Dmitry Eremin-Solenikov pushed new commits to merge request !920 https://gitlab.com/gnutls/gnutls/merge_requests/920

* baba4094...5330fe5a - 2 commits from branch `master`
* 1779453b - lib: fix group selection in case of GOST cipher suites
* 0f9fc2e0 - Support GOST certificate request values
* 2449e344 - Add GOST cipher suites
* 86f9e995 - Add GOST values to cipher suites priorities
* 13c5386a - tests: add tests for KX-GOST-VKO using different key variants
* d8303c52 - tests: added testcases for ciphersuite/KX negotiation with VKO-GOST
* 7b391a3d - tls13-server-kx-neg: add test for GOST-enabled server and client
* 14765f24 - ext/signature: use GOST signatures for GOST ciphersiuites
* 502e70d1 - cli-debug: include GOST VKO into KX list
* e85bb974 - priority: add GROUP-GOST-ALL keyword
* 319692a1 - gnutls-cli-debug: add GOST_CNT-related KX/cipher/MAC tests
* 17659ce7 - SignatureAlgorithms: force-enable GOST signatures for GOST KX
* a5a29c09 - tls12-server-kx-neg: add tests without GOST signature algorithms

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/920

From gnutls-devel at lists.gnutls.org Wed Nov 13 22:35:24 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 13 Nov 2019 21:35:24 +0000
Subject: [gnutls-devel] GnuTLS | Add GOST-CNT ciphersuite support (!1119)

Dmitry Eremin-Solenikov commented on a discussion on lib/gnutls_int.h: https://gitlab.com/gnutls/gnutls/merge_requests/1119#note_244307020

> typedef struct { > uint8_t id[2]; /* used to be (in TLS 1.2) hash algorithm , PK algorithm */ > uint8_t tls_sem; /* should match the protocol version's tls_sig_sem. */ > + uint8_t is_gost : 1;

Reworked this piece of code to use `sign_entry->pk` to detect GOST signatures.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1119#note_244307020

From gnutls-devel at lists.gnutls.org Thu Nov 14 13:04:25 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 14 Nov 2019 12:04:25 +0000
Subject: [gnutls-devel] GnuTLS | Fix cross-compilation of the Guile bindings (!1120)

Merge Request !1120 was approved by Tim Rühsen

Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/1120
Project:Branches: civodul/gnutls:wip-cross-compilation to gnutls/gnutls:master
Author: civodul
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1120

From gnutls-devel at lists.gnutls.org Thu Nov 14 13:04:37 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 14 Nov 2019 12:04:37 +0000
Subject: [gnutls-devel] GnuTLS | Fix cross-compilation of the Guile bindings (!1120)

Tim Rühsen commented:

LGTM, thanks.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1120#note_244606269

From gnutls-devel at lists.gnutls.org Fri Nov 15 10:51:33 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 15 Nov 2019 09:51:33 +0000
Subject: [gnutls-devel] GnuTLS | check_if_port_listening will fail with old iproute2 (#860)

Dmitry Eremin-Solenikov created an issue: https://gitlab.com/gnutls/gnutls/issues/860

With iproute2 version 2.6.39 `check_if_port_listening()` shell function will fail because `ss` does not include `LISTEN` in the listing:

```
$ ss -anl
Recv-Q Send-Q Local Address:Port Peer Address:Port
0 50 *:28090 *:*
0 50 *:8090 *:*
0 128 *:8191 *:*
```

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/860

From gnutls-devel at lists.gnutls.org Fri Nov 15 12:27:58 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 15 Nov 2019 11:27:58 +0000
Subject: [gnutls-devel] GnuTLS | Fix cross-compilation of the Guile bindings (!1120)

Merge Request !1120 was merged

Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/1120
Project:Branches: civodul/gnutls:wip-cross-compilation to gnutls/gnutls:master
Author: civodul
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1120

From gnutls-devel at lists.gnutls.org Sun Nov 17 09:38:08 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 17 Nov 2019 08:38:08 +0000
Subject: [gnutls-devel] GnuTLS | Add GOST-CNT ciphersuite support (!1119)

Merge request https://gitlab.com/gnutls/gnutls/merge_requests/1119 was reviewed by Nikos Mavrogiannopoulos

--
Nikos Mavrogiannopoulos commented on a discussion on lib/priority.c: https://gitlab.com/gnutls/gnutls/merge_requests/1119#note_245701421

> +#endif > +#ifdef ENABLE_GOST > + GNUTLS_KX_VKO_GOST_12,

It makes sense to me

--
Nikos Mavrogiannopoulos commented on a discussion on tests/tls13-server-kx-neg.c: https://gitlab.com/gnutls/gnutls/merge_requests/1119#note_245701424

> + * but this is unsuppored for now */ > + { > + .name = "TLS 1.3 server and client VKO-GOST-12 with cred and GOST-256 cert",

What kind of failures do you have in mind? I see failures more likely if TLS1.3 remains enabled while GOST is advertised, because version and ciphersuite negotiation are typically done in different steps by servers. The failures will be when connecting either to TLS1.3 GOST servers, or to TLS1.3-enabled servers which optionally support GOST under TLS1.2. If we ship the current behavior the errors will happen mainly in the future when TLS1.3 GOST servers are being deployed (not sure how popular are servers supporting TLS1.3 and enable TLS1.2 GOST).

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1119

From gnutls-devel at lists.gnutls.org Sun Nov 17 09:41:12 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 17 Nov 2019 08:41:12 +0000
Subject: [gnutls-devel] GnuTLS | Add GOST-CNT ciphersuite support (!1119)

Nikos Mavrogiannopoulos started a new discussion on lib/ext/signature.c: https://gitlab.com/gnutls/gnutls/merge_requests/1119#note_245701632

> uint16_t sign_algorithms_size; > } sig_ext_st; > > +static inline bool

Looks like a better approach, thanks! A more suitable location for it seems to me to be `algorithms.h`. There it is most likely to be noticed if the GOST definition of a signature algorithm changes.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1119#note_245701632

From gnutls-devel at lists.gnutls.org Sun Nov 17 09:43:01 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 17 Nov 2019 08:43:01 +0000
Subject: [gnutls-devel] GnuTLS | Add GOST-CNT ciphersuite support (!1119)

Nikos Mavrogiannopoulos commented on a discussion on tests/tls13-server-kx-neg.c: https://gitlab.com/gnutls/gnutls/merge_requests/1119#note_245701719

> + }, > + { > + .name = "TLS 1.2 server TLS 1.3 client with cred and GOST-512 cert", > + .server_ret = 0, > + .client_ret = 0, > + .have_cert_cred = 1, > + .have_gost12_512_cert = 1, > + .not_on_fips = 1, > + .server_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:" "-VERS-ALL:+VERS-TLS1.2", > + .client_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:"PVERSION, > + .exp_version = GNUTLS_TLS1_2, > + }, > + /* Ideally for the next two test cases we should fallback to TLS 1.2 + GOST > + * but this is unsuppored for now */ > + { > + .name = "TLS 1.3 server and client VKO-GOST-12 with cred and GOST-256 cert",

Note that we do similarly for SRP ciphersuites which are TLS1.2 only.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1119#note_245701719

From gnutls-devel at lists.gnutls.org Sun Nov 17 14:49:10 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 17 Nov 2019 13:49:10 +0000
Subject: [gnutls-devel] GnuTLS | Add GOST-CNT ciphersuite support (!1119)

Dmitry Eremin-Solenikov commented on a discussion on tests/tls13-server-kx-neg.c: https://gitlab.com/gnutls/gnutls/merge_requests/1119#note_245729348

> + }, > + { > + .name = "TLS 1.2 server TLS 1.3 client with cred and GOST-512 cert", > + .server_ret = 0, > + .client_ret = 0, > + .have_cert_cred = 1, > + .have_gost12_512_cert = 1, > + .not_on_fips = 1, > + .server_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:" "-VERS-ALL:+VERS-TLS1.2", > + .client_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:"PVERSION, > + .exp_version = GNUTLS_TLS1_2, > + }, > + /* Ideally for the next two test cases we should fallback to TLS 1.2 + GOST > + * but this is unsuppored for now */ > + { > + .name = "TLS 1.3 server and client VKO-GOST-12 with cred and GOST-256 cert",

Yes, but SRP is enabled explicitly. I'd like to be able to enable GOST by default (even if it's done in system-wide config) and not to lose the ability to use TLS 1.3 when connecting to compatible servers.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1119#note_245729348

From gnutls-devel at lists.gnutls.org Sun Nov 17 14:49:31 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 17 Nov 2019 13:49:31 +0000
Subject: [gnutls-devel] GnuTLS | Add GOST-CNT ciphersuite support (!1119)

Dmitry Eremin-Solenikov commented on a discussion on lib/ext/signature.c: https://gitlab.com/gnutls/gnutls/merge_requests/1119#note_245729388

> uint16_t sign_algorithms_size; > } sig_ext_st; > > +static inline bool

ok, I'll move

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1119#note_245729388

From gnutls-devel at lists.gnutls.org Sun Nov 17 14:50:07 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 17 Nov 2019 13:50:07 +0000
Subject: [gnutls-devel] GnuTLS | Add GOST-CNT ciphersuite support (!1119)

Dmitry Eremin-Solenikov commented on a discussion on lib/priority.c: https://gitlab.com/gnutls/gnutls/merge_requests/1119#note_245729461

> #endif > #ifdef ENABLE_DHE > GNUTLS_KX_DHE_RSA, > +#endif > +#ifdef ENABLE_GOST > + GNUTLS_KX_VKO_GOST_12,

Fine, I'll work on this option support.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1119#note_245729461

From gnutls-devel at lists.gnutls.org Sun Nov 17 16:06:34 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 17 Nov 2019 15:06:34 +0000
Subject: [gnutls-devel] GnuTLS | support non-NULL-terminated PSKs (!917)

Ander Juaristi commented on a discussion: https://gitlab.com/gnutls/gnutls/merge_requests/917#note_245737269

Sorry, I don't know what's wrong. `make files-update` gives the following output:

```
*****************************************************************
Checking whether included libopts matches the system's. If the check fails upgrade the included libopts.
*****************************************************************
test "`autoopts-config libsrc|awk -F '-' '{print $NF}'|sed 's/.tar.gz//'`" = "`cat ./src/libopts/autoopts/options.h |grep OPTIONS_VERSION_STRING|cut -d '"' -f 2|sed 's/:/./g'`"
make: *** No rule to make target 'libdane/libgnutls-dane.la', needed by 'abi-dump-latest'. Stop.
```

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/917#note_245737269

From gnutls-devel at lists.gnutls.org Sun Nov 17 16:13:23 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 17 Nov 2019 15:13:23 +0000
Subject: [gnutls-devel] GnuTLS | Add GOST-CNT ciphersuite support (!1119)

Nikos Mavrogiannopoulos commented on a discussion on tests/tls13-server-kx-neg.c: https://gitlab.com/gnutls/gnutls/merge_requests/1119#note_245737963

> + }, > + { > + .name = "TLS 1.2 server TLS 1.3 client with cred and GOST-512 cert", > + .server_ret = 0, > + .client_ret = 0, > + .have_cert_cred = 1, > + .have_gost12_512_cert = 1, > + .not_on_fips = 1, > + .server_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:" "-VERS-ALL:+VERS-TLS1.2", > + .client_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:"PVERSION, > + .exp_version = GNUTLS_TLS1_2, > + }, > + /* Ideally for the next two test cases we should fallback to TLS 1.2 + GOST > + * but this is unsuppored for now */ > + { > + .name = "TLS 1.3 server and client VKO-GOST-12 with cred and GOST-256 cert",

I understand, but how could we tackle the time-bomb problem with TLS1.3 and GOST?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1119#note_245737963

From gnutls-devel at lists.gnutls.org Sun Nov 17 16:15:42 2019
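The trade-off argued in the tests/tls13-server-kx-neg.c sub-thread above (version chosen before ciphersuite, versus disabling TLS 1.3 whenever GOST is enabled), as an added example that is not GnuTLS code and not code from any participant. It is a constructed model: the suite labels, struct names and all functions are assumptions made for illustration.

```c
/* Constructed model of the negotiation order discussed above; not GnuTLS code. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum version { V_TLS12 = 12, V_TLS13 = 13 };
enum result { HS_FAIL = 0, HS_TLS12 = 12, HS_TLS13 = 13 };

/* A suite belongs to one version family: a TLS 1.3 suite cannot be
 * negotiated under TLS 1.2 and vice versa. Labels are constructed. */
struct suite {
	const char *name;
	enum version ver;
};

struct endpoint {
	bool tls12, tls13;		/* protocol versions enabled */
	const struct suite *suites;
	size_t n_suites;
};

static const struct suite gost_only[] = { { "GOST-TLS1.2", V_TLS12 } };
static const struct suite normal_plus_gost[] = {
	{ "AEAD-TLS1.3", V_TLS13 }, { "AEAD-TLS1.2", V_TLS12 }, { "GOST-TLS1.2", V_TLS12 },
};
static const struct suite server_suites[] = {
	{ "AEAD-TLS1.3", V_TLS13 }, { "GOST-TLS1.2", V_TLS12 },
};

/* Client restricted to GOST while TLS 1.3 is still advertised. */
const struct endpoint client_gost_only = { true, true, gost_only, 1 };
/* Client with GOST added to an otherwise default suite list. */
const struct endpoint client_default_gost = { true, true, normal_plus_gost, 3 };
/* TLS 1.3 server that also offers GOST under TLS 1.2. */
const struct endpoint server_mixed = { true, true, server_suites, 2 };

static const enum version order[] = { V_TLS13, V_TLS12 };	/* highest first */

static bool version_enabled(const struct endpoint *e, enum version v)
{
	return v == V_TLS13 ? e->tls13 : e->tls12;
}

static bool common_suite(const struct endpoint *c, const struct endpoint *s, enum version v)
{
	for (size_t i = 0; i < c->n_suites; i++)
		for (size_t j = 0; j < s->n_suites; j++)
			if (c->suites[i].ver == v && s->suites[j].ver == v &&
			    strcmp(c->suites[i].name, s->suites[j].name) == 0)
				return true;
	return false;
}

/* Server fixes the highest common version first, then looks for a suite.
 * No usable suite in that version is a handshake failure, not a fallback. */
enum result negotiate_version_first(const struct endpoint *c, const struct endpoint *s)
{
	for (size_t i = 0; i < 2; i++)
		if (version_enabled(c, order[i]) && version_enabled(s, order[i]))
			return common_suite(c, s, order[i]) ? (enum result)order[i] : HS_FAIL;
	return HS_FAIL;
}

/* Server takes the suite list into account while choosing the version. */
enum result negotiate_suite_aware(const struct endpoint *c, const struct endpoint *s)
{
	for (size_t i = 0; i < 2; i++)
		if (version_enabled(c, order[i]) && version_enabled(s, order[i]) &&
		    common_suite(c, s, order[i]))
			return (enum result)order[i];
	return HS_FAIL;
}

/* Policy "disable TLS 1.3 on any endpoint that enables a GOST suite". */
struct endpoint gost_disables_tls13(struct endpoint e)
{
	for (size_t i = 0; i < e.n_suites; i++)
		if (strncmp(e.suites[i].name, "GOST", 4) == 0)
			e.tls13 = false;
	return e;
}

/* Version-first negotiation with the policy applied to the client. */
enum result negotiate_with_policy(const struct endpoint *c, const struct endpoint *s)
{
	struct endpoint adjusted = gost_disables_tls13(*c);
	return negotiate_version_first(&adjusted, s);
}

int main(void)
{
	printf("GOST-only client, version first : %d\n", negotiate_version_first(&client_gost_only, &server_mixed));
	printf("GOST-only client, suite aware   : %d\n", negotiate_suite_aware(&client_gost_only, &server_mixed));
	printf("GOST-only client, TLS1.3 off    : %d\n", negotiate_with_policy(&client_gost_only, &server_mixed));
	printf("default+GOST client, as is      : %d\n", negotiate_version_first(&client_default_gost, &server_mixed));
	printf("default+GOST client, TLS1.3 off : %d\n", negotiate_with_policy(&client_default_gost, &server_mixed));
	return 0;
}
```

A result of 0 is a failed handshake, 12 and 13 are the negotiated version. The first and last rows are the two costs being weighed: a GOST-only client fails against a version-first server unless TLS 1.3 is turned off, while turning it off for every GOST-enabled client drops a default client from TLS 1.3 to TLS 1.2.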
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 17 Nov 2019 15:15:42 +0000
Subject: [gnutls-devel] GnuTLS | WIP: fix compilation in fedora30 (!1096)

Merge Request !1096 was closed by Nikos Mavrogiannopoulos

Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/1096
Project:Branches: nmav/gnutls:tmp-update-libopts to gnutls/gnutls:master
Author: Nikos Mavrogiannopoulos
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1096

From gnutls-devel at lists.gnutls.org Sun Nov 17 16:15:40 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 17 Nov 2019 15:15:40 +0000
Subject: [gnutls-devel] GnuTLS | WIP: fix compilation in fedora30 (!1096)

Nikos Mavrogiannopoulos commented:

This is already deprecated as we moved to F31.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1096#note_245738151

From gnutls-devel at lists.gnutls.org Wed Nov 20 15:19:48 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 20 Nov 2019 14:19:48 +0000
Subject: [gnutls-devel] GnuTLS | guile bindings not multi-arch safe (#838)

civodul commented:

Good point @ametzler. Unless I'm mistaken, we actually don't need `%libdir`, given that the `.so` file is in the extension directory. Let me take a closer look...

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/838#note_247873495

From gnutls-devel at lists.gnutls.org Wed Nov 20 15:33:56 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 20 Nov 2019 14:33:56 +0000
Subject: [gnutls-devel] GnuTLS | guile bindings not multi-arch safe (#838)

civodul commented:

On an FHS distro like Debian, the installed `gnutls.scm` can simply do:

```scheme
(load-extension "guile-gnutls-v-2" "scm_init_gnutls")
```

That works because `guile-gnutls-v-2.so` is installed in the directory returned by `pkg-config guile-2.2 --variable extensiondir`. However, that won't work in the general case where `libdir` for GnuTLS is not necessarily the same as `libdir` for Guile. I think the solution for Debian is to make the `load-extension` change above. For upstream GnuTLS though, I'm not sure how this could be addressed. Thoughts?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/838#note_247884322

From gnutls-devel at lists.gnutls.org Wed Nov 20 16:15:39 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 20 Nov 2019 15:15:39 +0000 Subject: [gnutls-devel] GnuTLS | guile: Arrange to make 'gnutls.scm' architecture-independent. (!1121) References: Message-ID: civodul created a merge request: https://gitlab.com/gnutls/gnutls/merge_requests/1121 Project:Branches: civodul/gnutls:wip-arch-independent-scm to gnutls/gnutls:master Author: civodul This is an attempt to make `gnutls.scm` architecture-independent as discussed in #838. ## Checklist * [X] Commits have `Signed-off-by:` with name/author being identical to the commit author * [ ] Code modified for feature * [ ] Test suite updated with functionality tests * [ ] Test suite updated with negative tests * [ ] Documentation updated / NEWS entry present (for non-trivial changes) * [X] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout) ## Reviewer's checklist: * [ ] Any issues marked for closing are addressed * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md` * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1121 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Nov 20 16:16:46 2019 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 20 Nov 2019 15:16:46 +0000 Subject: [gnutls-devel] GnuTLS | guile bindings not multi-arch safe (#838) In-Reply-To: References: Message-ID: civodul commented: !1121 is an attempt to do the right thing automatically when possible. Feedback welcome! -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/838#note_247918094 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Nov 20 16:29:34 2019 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 20 Nov 2019 15:29:34 +0000 Subject: [gnutls-devel] GnuTLS | Add GOST-CNT ciphersuite support (!1119) In-Reply-To: References: Message-ID: Dmitry Eremin-Solenikov commented on a discussion on lib/priority.c: https://gitlab.com/gnutls/gnutls/merge_requests/1119#note_247928039 > #endif > #ifdef ENABLE_DHE > GNUTLS_KX_DHE_RSA, > +#endif > +#ifdef ENABLE_GOST > + GNUTLS_KX_VKO_GOST_12, @nmav current design proposal: `enable-gost-tls12` would control if 'NORMAL' will point to GOST-enabled or GOST-disabled KX list. This would allow one to use this option in the config file or to override it manually via priorities. Optional item: add function call to override this option. Alternative proposal (since for TLS 1.3 we will use ecdhe instead of VKO): `enable-gost-tls` option that controls cipher lists in the same way. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1119#note_247928039 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Nov 21 02:42:33 2019 
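Review bot: in the lib/priority.c hunk, `GNUTLS_KX_VKO_GOST_12` is added to the key-exchange list behind the compile-time `#ifdef ENABLE_GOST` only, so in the lines shown nothing at run time decides whether the list carries VKO-GOST. Since the option name (`enable-gost-tls12` or `enable-gost-tls`) is still being settled, add a comment at the `#ifdef ENABLE_GOST` line naming the switch that controls this entry, and state whether its position after `GNUTLS_KX_DHE_RSA` is deliberate.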
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 21 Nov 2019 01:42:33 +0000 Subject: [gnutls-devel] GnuTLS | Add GOST-CNT ciphersuite support (!1119) In-Reply-To: References: Message-ID: Dmitry Eremin-Solenikov commented on a discussion on tests/tls13-server-kx-neg.c: https://gitlab.com/gnutls/gnutls/merge_requests/1119#note_248259822 > + }, > + { > + .name = "TLS 1.2 server TLS 1.3 client with cred and GOST-512 cert", > + .server_ret = 0, > + .client_ret = 0, > + .have_cert_cred = 1, > + .have_gost12_512_cert = 1, > + .not_on_fips = 1, > + .server_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:" "-VERS-ALL:+VERS-TLS1.2", > + .client_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:"PVERSION, > + .exp_version = GNUTLS_TLS1_2, > + }, > + /* Ideally for the next two test cases we should fallback to TLS 1.2 + GOST > + * but this is unsuppored for now */ > + { > + .name = "TLS 1.3 server and client VKO-GOST-12 with cred and GOST-256 cert", Currently proposed approach is quite in style with Eric's response (negotiate 1.3, then fail). -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1119#note_248259822 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Nov 21 02:50:59 2019 
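Review bot: the comment before the last test case in the tests/tls13-server-kx-neg.c hunk ("Ideally for the next two test cases we should fallback to TLS 1.2 + GOST") misspells "unsupported" as `unsuppored`, and it records a known limitation without saying where it is tracked. Fix the spelling and name the issue or merge request in the comment, so the two cases that follow are revisited once the fallback exists.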
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 21 Nov 2019 01:50:59 +0000 Subject: [gnutls-devel] GnuTLS | Add GOST-CNT ciphersuite support (!1119) In-Reply-To: References: Message-ID: Dmitry Eremin-Solenikov pushed new commits to merge request !1119 https://gitlab.com/gnutls/gnutls/merge_requests/1119 * 676ae412...6ace855b - 3 commits from branch `master` * 3ea47893 - lib: fix group selection in case of GOST cipher suites * 77686f93 - Support GOST certificate request values * 1e90e5f6 - Add GOST cipher suites * 90eb8323 - Add GOST values to cipher suites priorities * 9413226f - tests: add tests for KX-GOST-VKO using different key variants * 11f60ed7 - tests: added testcases for ciphersuite/KX negotiation with VKO-GOST * 330ea3c7 - tls13-server-kx-neg: add test for GOST-enabled server and client * aaad87f9 - ext/signature: use GOST signatures for GOST ciphersiuites -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1119 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Nov 21 02:51:04 2019 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 21 Nov 2019 01:51:04 +0000 Subject: [gnutls-devel] GnuTLS | Add support for CNT_IMIT TLS 1.2 GOST cipher suite (!920) In-Reply-To: References: Message-ID: Dmitry Eremin-Solenikov pushed new commits to merge request !920 https://gitlab.com/gnutls/gnutls/merge_requests/920 * 676ae412...6ace855b - 3 commits from branch `master` * 3ea47893 - lib: fix group selection in case of GOST cipher suites * 77686f93 - Support GOST certificate request values * 1e90e5f6 - Add GOST cipher suites * 90eb8323 - Add GOST values to cipher suites priorities * 9413226f - tests: add tests for KX-GOST-VKO using different key variants * 11f60ed7 - tests: added testcases for ciphersuite/KX negotiation with VKO-GOST * 330ea3c7 - tls13-server-kx-neg: add test for GOST-enabled server and client * aaad87f9 - ext/signature: use GOST signatures for GOST ciphersiuites * 91a1867e - cli-debug: include GOST VKO into KX list * e88ad5ac - priority: add GROUP-GOST-ALL keyword * 7325c579 - gnutls-cli-debug: add GOST_CNT-related KX/cipher/MAC tests * 258af6ea - SignatureAlgorithms: force-enable GOST signatures for GOST KX * 881d8000 - tls12-server-kx-neg: add tests without GOST signature algorithms -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/920 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Nov 21 16:09:56 2019 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 21 Nov 2019 15:09:56 +0000 Subject: [gnutls-devel] libtasn1 | fuzz: do not install generated fuzzers and tools (!52) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos commented: @rockdaboot was it intentional that these files were installed? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/merge_requests/52#note_248633408 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Nov 21 16:10:43 2019 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 21 Nov 2019 15:10:43 +0000 Subject: [gnutls-devel] libtasn1 | fuzz: do not install generated fuzzers and tools (!52) References: Message-ID: Nikos Mavrogiannopoulos created a merge request: https://gitlab.com/gnutls/libtasn1/merge_requests/52 Branches: tmp-correct-installed-files to master Author: Nikos Mavrogiannopoulos Add a description of the new feature/bug fix. Reference any relevant bugs. ## Checklist * [x] Code modified for feature * [ ] Test suite updated with functionality tests * [ ] Test suite updated with negative tests * [ ] Documentation updated ## Reviewer's checklist: * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent with other code * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/merge_requests/52 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Nov 21 17:12:17 2019 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 21 Nov 2019 16:12:17 +0000 Subject: [gnutls-devel] libtasn1 | fuzz: do not install generated fuzzers and tools (!52) In-Reply-To: References: Message-ID: Merge Request !52 was approved by Tim Rühsen Merge Request url: https://gitlab.com/gnutls/libtasn1/merge_requests/52 Branches: tmp-correct-installed-files to master Author: Nikos Mavrogiannopoulos Assignees: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/merge_requests/52 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Nov 21 17:12:17 2019 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 21 Nov 2019 16:12:17 +0000 Subject: [gnutls-devel] libtasn1 | fuzz: do not install generated fuzzers and tools (!52) In-Reply-To: References: Message-ID: Tim Rühsen commented: You are right, that is not intentional. I can't think of a use case where these need to be installed. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/merge_requests/52#note_248673957 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Nov 21 17:12:25 2019 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 21 Nov 2019 16:12:25 +0000 Subject: [gnutls-devel] libtasn1 | fuzz: do not install generated fuzzers and tools (!52) In-Reply-To: References: Message-ID: Merge Request !52 was merged Merge Request url: https://gitlab.com/gnutls/libtasn1/merge_requests/52 Branches: tmp-correct-installed-files to master Author: Nikos Mavrogiannopoulos Assignees: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/merge_requests/52 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Nov 21 17:27:32 2019 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 21 Nov 2019 16:27:32 +0000 Subject: [gnutls-devel] GnuTLS | Please prefer PFS ciphers over plain RSA ones. (#862) References: Message-ID: sebastianas created an issue: https://gitlab.com/gnutls/gnutls/issues/862 ## Description of problem: Ciphers with priority normal prefer non-PFS ciphers over PFS ciphers. ## Version of gnutls used: 3.6.10 ## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL) Debian ## How reproducible: Steps to Reproduce: Connect to a server which supports TLS_RSA_AES_256_GCM_SHA384 and TLS_DHE_RSA_AES_256_GCM_SHA384 but has no server preference. ## Actual results: Connection happens with TLS_RSA_AES_256_GCM_SHA384. ## Expected results: Connection happens with TLS_DHE_RSA_AES_256_GCM_SHA384. According to *gnutls-cli --list --priority NORMAL* the TLS_ECDHE_* ciphers come before TLS_RSA_* but unfortunately the TLS_DHE_RSA_* ciphers come last. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/862 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Nov 22 07:38:33 2019 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 22 Nov 2019 06:38:33 +0000 Subject: [gnutls-devel] GnuTLS | provide a function to feed TLS messages from record layer (#850) In-Reply-To: References: Message-ID: Aniketh Girish commented: @dueno Can you please provide me with a few pointers to help me get started with this issue? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/850#note_248898604 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Nov 22 15:22:17 2019 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 22 Nov 2019 14:22:17 +0000 Subject: [gnutls-devel] GnuTLS | Run tests under minimal configuration (!1122) References: Message-ID: Dmitry Eremin-Solenikov created a merge request: https://gitlab.com/gnutls/gnutls/merge_requests/1122 Project:Branches: GostCrypt/gnutls:minimal-check to gnutls/gnutls:master Author: Dmitry Eremin-Solenikov Add a description of the new feature/bug fix. Reference any relevant bugs. ## Checklist * [x] Commits have `Signed-off-by:` with name/author being identical to the commit author * [x] Code modified for feature * [x] Test suite updated with functionality tests * [ ] Test suite updated with negative tests * [ ] Documentation updated / NEWS entry present (for non-trivial changes) * [x] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout) ## Reviewer's checklist: * [ ] Any issues marked for closing are addressed * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md` * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1122 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Nov 22 18:26:01 2019 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 22 Nov 2019 17:26:01 +0000 Subject: [gnutls-devel] GnuTLS | Run tests under minimal configuration (!1122) In-Reply-To: References: Message-ID: Merge Request !1122 was approved by Tim Rühsen Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/1122 Project:Branches: GostCrypt/gnutls:minimal-check to gnutls/gnutls:master Author: Dmitry Eremin-Solenikov Assignees: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1122 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat Nov 23 20:56:33 2019 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sat, 23 Nov 2019 19:56:33 +0000 Subject: [gnutls-devel] GnuTLS | Please prefer PFS ciphers over plain RSA ones. (#862) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos commented: It is intentional that DHE-RSA is after RSA. The DHE-RSA ciphersuites have several issues under tls1.2 or earlier and the most important is that in libraries like gnutls which enforce a consistent security level, they make it impossible for a client to recover from a server which sends a DH key which is below the bar. That is, unfortunately, a very common misconfiguration, and this is why RSA is preferred to DHE. See also: https://www.gnutls.org/faq.html#prime-not-acceptable -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/862#note_249441003 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat Nov 23 20:56:34 2019 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sat, 23 Nov 2019 19:56:34 +0000 Subject: [gnutls-devel] GnuTLS | Please prefer PFS ciphers over plain RSA ones. (#862) In-Reply-To: References: Message-ID: Issue was closed by Nikos Mavrogiannopoulos Issue #862: https://gitlab.com/gnutls/gnutls/issues/862 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/862 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat Nov 23 21:02:01 2019 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sat, 23 Nov 2019 20:02:01 +0000 Subject: [gnutls-devel] GnuTLS | Add GOST-CNT ciphersuite support (!1119) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos commented on a discussion on lib/priority.c: https://gitlab.com/gnutls/gnutls/merge_requests/1119#note_249441312 > #endif > #ifdef ENABLE_DHE > GNUTLS_KX_DHE_RSA, > +#endif > +#ifdef ENABLE_GOST > + GNUTLS_KX_VKO_GOST_12, I think a very specific solution would result in very similar and incompatible options if we ever add another national standard in the future. What about an option that appends or replaces the default (+NORMAL) priority strings? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1119#note_249441312 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat Nov 23 21:08:40 2019 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sat, 23 Nov 2019 20:08:40 +0000 Subject: [gnutls-devel] GnuTLS | Add GOST-CNT ciphersuite support (!1119) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos commented on a discussion on tests/tls13-server-kx-neg.c: https://gitlab.com/gnutls/gnutls/merge_requests/1119#note_249441723 > + }, > + { > + .name = "TLS 1.2 server TLS 1.3 client with cred and GOST-512 cert", > + .server_ret = 0, > + .client_ret = 0, > + .have_cert_cred = 1, > + .have_gost12_512_cert = 1, > + .not_on_fips = 1, > + .server_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:" "-VERS-ALL:+VERS-TLS1.2", > + .client_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:"PVERSION, > + .exp_version = GNUTLS_TLS1_2, > + }, > + /* Ideally for the next two test cases we should fallback to TLS 1.2 + GOST > + * but this is unsuppored for now */ > + { > + .name = "TLS 1.3 server and client VKO-GOST-12 with cred and GOST-256 cert", I read it, and it makes sense in the "protocol" view, but not necessarily with this project view. When we brought TLS1.3 we took extensive measures to eliminate these exact scenarios. gnutls will not fail if you negotiate - srp - rsa-psk - supplemental data - anonymous ciphersuites That sets, in my opinion, a bar which we shouldn't get under for the GOST. We should have connection failures only as a result of a bug, not by design (see also my comment on #862 - it is a similar protocol issue). -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1119#note_249441723 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat Nov 23 21:16:24 2019 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sat, 23 Nov 2019 20:16:24 +0000 Subject: [gnutls-devel] GnuTLS | Add GOST-CNT ciphersuite support (!1119) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos commented on a discussion on tests/tls13-server-kx-neg.c: https://gitlab.com/gnutls/gnutls/merge_requests/1119#note_249442200 > + }, > + { > + .name = "TLS 1.2 server TLS 1.3 client with cred and GOST-512 cert", > + .server_ret = 0, > + .client_ret = 0, > + .have_cert_cred = 1, > + .have_gost12_512_cert = 1, > + .not_on_fips = 1, > + .server_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:" "-VERS-ALL:+VERS-TLS1.2", > + .client_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:"PVERSION, > + .exp_version = GNUTLS_TLS1_2, > + }, > + /* Ideally for the next two test cases we should fallback to TLS 1.2 + GOST > + * but this is unsuppored for now */ > + { > + .name = "TLS 1.3 server and client VKO-GOST-12 with cred and GOST-256 cert", I also understand we are about to make an ugly compromise; disabling tls1.3 globally in order to enable tls1.2/gost globally will break other tls1.3-only applications (too early for them but they will happen). Do you have a plan for the deployment of gost ciphersuites? Would it make sense to document this as a feature with known issues instead and keep the failure behavior you suggest? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1119#note_249442200 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat Nov 23 21:20:29 2019 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sat, 23 Nov 2019 20:20:29 +0000 Subject: [gnutls-devel] GnuTLS | Service Desk (from debian.axhn@manchmal.in-ulm.de): gnutls: Missing authority check in the certificate revocation check routines (#861) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos commented: Hi, Verifying the CRL is optional in gnutls. I remember that my original view on that was that you download the CRL, verify it, and then use it as stored locally. There is no need to verify it each and every time. You can verify a CRL once using `certtool --verify-crl`, and then keep using it. There is a specific flag for applications `GNUTLS_CERTIFICATE_VERIFY_CRLS` which they can set to verify the CRL explicitly. Does this answer your concern? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/861#note_249442494 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun Nov 24 00:18:39 2019 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sat, 23 Nov 2019 23:18:39 +0000 Subject: [gnutls-devel] GnuTLS | Run tests under minimal configuration (!1122) In-Reply-To: References: Message-ID: Merge Request !1122 was merged Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/1122 Project:Branches: GostCrypt/gnutls:minimal-check to gnutls/gnutls:master Author: Dmitry Eremin-Solenikov Assignees: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1122 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun Nov 24 12:38:58 2019 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sun, 24 Nov 2019 11:38:58 +0000 Subject: [gnutls-devel] GnuTLS | Add GOST-CNT ciphersuite support (!1119) In-Reply-To: References: Message-ID: Dmitry Eremin-Solenikov commented on a discussion on tests/tls13-server-kx-neg.c: https://gitlab.com/gnutls/gnutls/merge_requests/1119#note_249515749 > + }, > + { > + .name = "TLS 1.2 server TLS 1.3 client with cred and GOST-512 cert", > + .server_ret = 0, > + .client_ret = 0, > + .have_cert_cred = 1, > + .have_gost12_512_cert = 1, > + .not_on_fips = 1, > + .server_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:" "-VERS-ALL:+VERS-TLS1.2", > + .client_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:"PVERSION, > + .exp_version = GNUTLS_TLS1_2, > + }, > + /* Ideally for the next two test cases we should fallback to TLS 1.2 + GOST > + * but this is unsuppored for now */ > + { > + .name = "TLS 1.3 server and client VKO-GOST-12 with cred and GOST-256 cert", TLS 1.3 GOST ciphersuites are in development currently. Most probably a corresponding draft will be posted once the standard itself is ready. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1119#note_249515749 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun Nov 24 12:47:24 2019 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sun, 24 Nov 2019 11:47:24 +0000 Subject: [gnutls-devel] GnuTLS | Add GOST-CNT ciphersuite support (!1119) In-Reply-To: References: Message-ID: Dmitry Eremin-Solenikov commented on a discussion on lib/priority.c: https://gitlab.com/gnutls/gnutls/merge_requests/1119#note_249516487 > #endif > #ifdef ENABLE_DHE > GNUTLS_KX_DHE_RSA, > +#endif > +#ifdef ENABLE_GOST > + GNUTLS_KX_VKO_GOST_12, I'd prefer appending rather than replacing `NORMAL`. However the problem is that priorities in the pgroup are static. We already have handlers that change priority lists (`_gnutls_priority_update_fips()` and `_gnutls_priority_update_non_aesni()`). -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1119#note_249516487 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun Nov 24 13:06:12 2019 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sun, 24 Nov 2019 12:06:12 +0000 Subject: [gnutls-devel] GnuTLS | Add GOST-CNT ciphersuite support (!1119) In-Reply-To: References: Message-ID: Dmitry Eremin-Solenikov commented on a discussion on tests/tls13-server-kx-neg.c: https://gitlab.com/gnutls/gnutls/merge_requests/1119#note_249518715 > + }, > + { > + .name = "TLS 1.2 server TLS 1.3 client with cred and GOST-512 cert", > + .server_ret = 0, > + .client_ret = 0, > + .have_cert_cred = 1, > + .have_gost12_512_cert = 1, > + .not_on_fips = 1, > + .server_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:" "-VERS-ALL:+VERS-TLS1.2", > + .client_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:"PVERSION, > + .exp_version = GNUTLS_TLS1_2, > + }, > + /* Ideally for the next two test cases we should fallback to TLS 1.2 + GOST > + * but this is unsuppored for now */ > + { > + .name = "TLS 1.3 server and client VKO-GOST-12 with cred and GOST-256 cert", I definitely wouldn't like disabling TLS 1.3 if GOST is enabled on client side. On the server side the question of disabling GOST or TLS 1.3 should depend on certificates available. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1119#note_249518715 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Nov 25 22:39:02 2019 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 25 Nov 2019 21:39:02 +0000 Subject: [gnutls-devel] GnuTLS | Certtool doesn't add CDP from the template (#765) In-Reply-To: References: Message-ID: Reassigned Issue 765 https://gitlab.com/gnutls/gnutls/issues/765 Assignee changed to Nikos Mavrogiannopoulos -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/765 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Nov 25 22:41:28 2019 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 25 Nov 2019 21:41:28 +0000 Subject: [gnutls-devel] GnuTLS | Add CRL distribution points to non-self-signed certificates (!1123) References: Message-ID: Nikos Mavrogiannopoulos created a merge request: https://gitlab.com/gnutls/gnutls/merge_requests/1123 Project:Branches: nmav/gnutls:tmp-fix-crl-dist-points to gnutls/gnutls:master Author: Nikos Mavrogiannopoulos This fix ensures that CRL distribution points are present in certtool-generated chains. ## Checklist * [x] Commits have `Signed-off-by:` with name/author being identical to the commit author * [x] Code modified for feature * [x] Test suite updated with functionality tests * [ ] Test suite updated with negative tests * [x] Documentation updated / NEWS entry present (for non-trivial changes) * [x] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout) ## Reviewer's checklist: * [ ] Any issues marked for closing are addressed * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md` * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1123 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Nov 26 08:17:25 2019 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 26 Nov 2019 07:17:25 +0000 Subject: [gnutls-devel] GnuTLS | enable SMIMECapabilities when generating certificates (#863) References: Message-ID: Daniel Kahn Gillmor created an issue: https://gitlab.com/gnutls/gnutls/issues/863 ## Description of the feature: [RFC 4262](https://tools.ietf.org/html/rfc4262) indicates an X.509v3 extension for storing SMIME capabilities in an X.509 certificate. [RFC 8551](https://tools.ietf.org/html/rfc8551) defines the values that can go in that extension. The extension OID is: ``` smimeCapabilities OBJECT IDENTIFIER ::= {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) 15} ``` For example, a capability we might have could be represented in the certtool template, conditioned to only be requested if `email_protection_key` is set: `smime_compress_zlib` -- if it is set in the template, and `email_protection_key` is set, then it would add an S/MIME Capabilities X.509v3 extension (or append to any existing one), containing the `id-alg-zlibCompression` OID from [RFC 3274](https://tools.ietf.org/html/rfc3274): ``` id-alg-zlibCompress OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) alg(3) 8 } ``` and if `smime_authenc_aesgcm256` is set in the template, and `email_protection_key` is set, then it would add an S/MIME Capabilities X.509v3 extension (or append to any existing one), containing the appropriate identifier from [RFC 5084](https://tools.ietf.org/html/rfc5084). (alternately, if you think the user should be able to set the ordering, we could define a fancier configuration syntax that knows a set of S/MIME capabilities, and allows the user to identify them in a list in the template, like so: smime_capabilities = aesgcm256,zlib But I think the single flag (and making sensible ordering choices) fits more closely with the current certtool template interface. 

## Applications that this feature may be relevant to:

Using certtool-generated X.509 certificate for e-mail purposes with S/MIME.

## Is this feature implemented in other libraries (and which)

I believe this can be achieved by some complicated gymnastics in OpenSSL's configuration syntax, but

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/863

From gnutls-devel at lists.gnutls.org Tue Nov 26 17:46:25 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 26 Nov 2019 16:46:25 +0000
Subject: [gnutls-devel] GnuTLS | Add CRL distribution points to non-self-signed certificates (!1123)

Merge Request !1123 was approved by Dmitry Eremin-Solenikov

Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/1123

Project:Branches: nmav/gnutls:tmp-fix-crl-dist-points to gnutls/gnutls:master
Author: Nikos Mavrogiannopoulos
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1123

From gnutls-devel at lists.gnutls.org Wed Nov 27 11:43:59 2019
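The S/MIME Capabilities extension requested in issue #863 above, worked through as an added example; this is not code from the issue or from GnuTLS. It builds the DER that a certificate carrying the zlib capability would contain, using only the two OIDs quoted in the issue, and parses a capabilities value back so that what a certificate advertises can be checked. The function names are hypothetical, and capability parameters are assumed absent.

```python
# Added example: DER for the S/MIME Capabilities extension from issue #863.
SMIME_CAPABILITIES = "1.2.840.113549.1.9.15"        # extension OID quoted in the issue
ID_ALG_ZLIB_COMPRESS = "1.2.840.113549.1.9.16.3.8"  # capability OID quoted in the issue


def der_len(n):
    """DER definite length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, content):
    """Tag, length, value."""
    return bytes([tag]) + der_len(len(content)) + content


def base128(n):
    """Base-128, most significant group first, high bit set on all but the last byte."""
    out = [n & 0x7F]
    n >>= 7
    while n:
        out.append(0x80 | (n & 0x7F))
        n >>= 7
    return bytes(reversed(out))


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError("invalid OID: " + dotted)
    body = base128(arcs[0] * 40 + arcs[1])  # first two arcs share one subidentifier
    for arc in arcs[2:]:
        body += base128(arc)
    return tlv(0x06, body)


def smime_capabilities(capability_oids):
    """SMIMECapabilities ::= SEQUENCE OF SMIMECapability; parameters are omitted
    (assumption) and entries are emitted in the order given."""
    return tlv(0x30, b"".join(tlv(0x30, encode_oid(o)) for o in capability_oids))


def extension(capability_oids):
    """Extension ::= SEQUENCE { extnID, extnValue OCTET STRING }; the critical
    flag is left at its DEFAULT FALSE, so DER omits it."""
    value = smime_capabilities(capability_oids)
    return tlv(0x30, encode_oid(SMIME_CAPABILITIES) + tlv(0x04, value))


def read_tlv(buf, pos, want_tag):
    """Return (content, next_pos) for the TLV at pos; reject malformed input."""
    if pos + 2 > len(buf) or buf[pos] != want_tag:
        raise ValueError("unexpected tag or truncated header at offset %d" % pos)
    first = buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("indefinite or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("value runs past end of buffer")
    return buf[pos:pos + length], pos + length


def decode_oid(body):
    if not body or body[-1] & 0x80:
        raise ValueError("malformed OID")
    arcs, val = [], 0
    for b in body:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    first = min(arcs[0] // 40, 2)
    return ".".join(str(a) for a in [first, arcs[0] - 40 * first] + arcs[1:])


def parse_capabilities(value):
    """List the capability OIDs in a DER SMIMECapabilities value."""
    seq, end = read_tlv(value, 0, 0x30)
    if end != len(value):
        raise ValueError("trailing bytes after SMIMECapabilities")
    oids, pos = [], 0
    while pos < len(seq):
        cap, pos = read_tlv(seq, pos, 0x30)
        oid, _ = read_tlv(cap, 0, 0x06)
        oids.append(decode_oid(oid))
    return oids


if __name__ == "__main__":
    print(extension([ID_ALG_ZLIB_COMPRESS]).hex())
    print(parse_capabilities(smime_capabilities([ID_ALG_ZLIB_COMPRESS])))
```
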
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 27 Nov 2019 10:43:59 +0000
Subject: [gnutls-devel] GnuTLS | Certtool doesn't add CDP from the template (#765)

Issue was closed by Nikos Mavrogiannopoulos via merge request !1123 (https://gitlab.com/gnutls/gnutls/merge_requests/1123)

Issue #765: https://gitlab.com/gnutls/gnutls/issues/765

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/765

From gnutls-devel at lists.gnutls.org Wed Nov 27 11:44:00 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 27 Nov 2019 10:44:00 +0000
Subject: [gnutls-devel] GnuTLS | Add CRL distribution points to non-self-signed certificates (!1123)

Merge Request !1123 was merged

Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/1123

Project:Branches: nmav/gnutls:tmp-fix-crl-dist-points to gnutls/gnutls:master
Author: Nikos Mavrogiannopoulos
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1123

From gnutls-devel at lists.gnutls.org Wed Nov 27 15:00:27 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 27 Nov 2019 14:00:27 +0000
Subject: [gnutls-devel] GnuTLS | Run tests under minimal configuration (!1122)

Nikos Mavrogiannopoulos commented:

This made the MacOSX build to fail: https://travis-ci.org/gnutls/gnutls/builds/616119588?utm_medium=notification&utm_source=email

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1122#note_251189629

From gnutls-devel at lists.gnutls.org Wed Nov 27 15:03:46 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 27 Nov 2019 14:03:46 +0000
Subject: [gnutls-devel] GnuTLS | Run tests under minimal configuration (!1122)

Nikos Mavrogiannopoulos commented:

I wonder why is that; it doesn't seem related on the first view.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1122#note_251191792

From gnutls-devel at lists.gnutls.org Wed Nov 27 15:07:44 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 27 Nov 2019 14:07:44 +0000
Subject: [gnutls-devel] GnuTLS | Run tests under minimal configuration (!1122)

Tim Rühsen commented:

libssl isn't installed, as it seems. It's a wget issue, though I wonder how could wget been installed without proper libssl ?

```
dyld: Library not loaded: /usr/local/opt/openssl/lib/libssl.1.0.0.dylib
Referenced from: /usr/local/bin/wget
Reason: image not found
./bootstrap: line 738: 90882 Abort trap: 6 wget --mirror --level=1 -nd -q -A.po -P 'po/.reference' https://translationproject.org/latest/gnutls/
The command "PATH=/usr/local/opt/gettext/bin:$PATH ./bootstrap" exited with 134.
```

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1122#note_251194235

From gnutls-devel at lists.gnutls.org Wed Nov 27 15:18:04 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 27 Nov 2019 14:18:04 +0000
Subject: [gnutls-devel] GnuTLS | support non-NULL-terminated PSKs (!917)

Nikos Mavrogiannopoulos commented on a discussion: https://gitlab.com/gnutls/gnutls/merge_requests/917#note_251201120

Aha, that means that your libopts/autogen is not the same as one used for master. Could you update to 5.18.16?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/917#note_251201120

From gnutls-devel at lists.gnutls.org Thu Nov 28 09:17:51 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 28 Nov 2019 08:17:51 +0000
Subject: [gnutls-devel] GnuTLS | Run tests under minimal configuration (!1122)

Nikos Mavrogiannopoulos commented:

Installing openssl explicitly didn't solve the issue. If you have more experience with brew/macosx any help will be appreciated.

https://travis-ci.org/nmav/gnutls/builds/618080049

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1122#note_251621537

From gnutls-devel at lists.gnutls.org Thu Nov 28 09:57:48 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 28 Nov 2019 08:57:48 +0000
Subject: [gnutls-devel] GnuTLS | GnuTLS3.6.7.1 cannot process validity field according to RFC5280 (#864)

Nikos Mavrogiannopoulos commented:

Hi, I believe that's related to #207. It is an intentional behavior. Hopefully we can fix that soon.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/864#note_251646993

From gnutls-devel at lists.gnutls.org Thu Nov 28 09:58:44 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 28 Nov 2019 08:58:44 +0000
Subject: [gnutls-devel] GnuTLS | GnuTLS3.6.7.1 cannot process validity field according to RFC5280 (#864)

Nikos Mavrogiannopoulos commented:

I'm closing it as duplicate of #207, let's continue the discussion there.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/864#note_251647617

From gnutls-devel at lists.gnutls.org Thu Nov 28 09:59:37 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 28 Nov 2019 08:59:37 +0000
Subject: [gnutls-devel] GnuTLS | GnuTLS3.6.7.1 cannot process validity field according to RFC5280 (#864)

Issue was closed by Nikos Mavrogiannopoulos

Issue #864: https://gitlab.com/gnutls/gnutls/issues/864

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/864

From gnutls-devel at lists.gnutls.org Thu Nov 28 10:11:19 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 28 Nov 2019 09:11:19 +0000
Subject: [gnutls-devel] GnuTLS | Run tests under minimal configuration (!1122)

Tim Rühsen commented:

It *did* solve the problem. But now you run into another issue.

My brew installation for wget2 is

```
brew update
brew install gnutls
brew install nettle
brew outdated autoconf || brew upgrade autoconf
brew outdated automake || brew upgrade automake
brew outdated libtool || brew upgrade libtool
brew install doxygen
brew outdated gettext || brew upgrade gettext
brew install flex
brew install libidn
brew install xz
brew install lbzip2
brew install lzip
brew install libgcrypt
brew install grep
brew install gawk
brew link --force gettext
```

At least the last line `brew link --force gettext` could solve the current issue. With this you won't need the `PATH=/usr/local/opt/gettext/bin:$PATH` under `script:` in `.travis.yml`.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1122#note_251656137

From gnutls-devel at lists.gnutls.org Thu Nov 28 10:13:13 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 28 Nov 2019 09:13:13 +0000
Subject: [gnutls-devel] GnuTLS | Run tests under minimal configuration (!1122)

Tim Rühsen commented:

Oh wait - the current issue is `./bootstrap.conf: line 78: ./gnulib//gnulib-tool: No such file or directory`. Solve this first.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1122#note_251657367

From gnutls-devel at lists.gnutls.org Thu Nov 28 14:55:32 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 28 Nov 2019 13:55:32 +0000
Subject: [gnutls-devel] GnuTLS | certtool --p7-verify does not mention expired certificates (#839)

Nikos Mavrogiannopoulos commented:

It seems the "problem" is in the API (`gnutls_pkcs7_verify`) which does not return the status (like `gnutls_certificate_verify_peers`) does. We may need a new API for that information.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/839#note_251794750

From gnutls-devel at lists.gnutls.org Thu Nov 28 14:55:35 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 28 Nov 2019 13:55:35 +0000
Subject: [gnutls-devel] GnuTLS | certtool --p7-verify does not mention expired certificates (#839)

Milestone removed

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/839

From gnutls-devel at lists.gnutls.org Thu Nov 28 15:09:44 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 28 Nov 2019 14:09:44 +0000
Subject: [gnutls-devel] GnuTLS | gnutls_base64_decode2() succeeds decoding the empty string (!1124)

Nikos Mavrogiannopoulos created a merge request: https://gitlab.com/gnutls/gnutls/merge_requests/1124

Project:Branches: nmav/gnutls:tmp-fix-base64 to gnutls/gnutls:master
Author: Nikos Mavrogiannopoulos

This is a behavioral change of the API but it conforms to the RFC4648 expectations. While that's a "correct" change in the terms of RFC compliance, it may break existing applications that may rely on that broken behavior of the API. Seeing [codesearch at debian](https://codesearch.debian.net/search?q=gnutls_base64_decode2&literal=1&perpkg=1), that API doesn't seem to be popular so any breakage should be limited.

Resolves: #834

## Checklist
* [x] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [x] Code modified for feature
* [x] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [x] Documentation updated / NEWS entry present (for non-trivial changes)
* [x] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:
* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1124

From gnutls-devel at lists.gnutls.org Thu Nov 28 15:55:51 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 28 Nov 2019 14:55:51 +0000
Subject: [gnutls-devel] GnuTLS | gnutls_base64_decode2() succeeds decoding the empty string (!1124)

Merge Request !1124 was approved by Tim Rühsen

Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/1124

Project:Branches: nmav/gnutls:tmp-fix-base64 to gnutls/gnutls:master
Author: Nikos Mavrogiannopoulos
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1124

From gnutls-devel at lists.gnutls.org Thu Nov 28 16:10:10 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 28 Nov 2019 15:10:10 +0000
Subject: [gnutls-devel] GnuTLS | gnutls_base64_decode2 gives an error on empty input (#834)

Reassigned Issue 834

https://gitlab.com/gnutls/gnutls/issues/834

Assignee changed to Nikos Mavrogiannopoulos

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/834

From gnutls-devel at lists.gnutls.org Thu Nov 28 16:15:08 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 28 Nov 2019 15:15:08 +0000
Subject: [gnutls-devel] GnuTLS | gnutls_base64_decode2() succeeds decoding the empty string (!1124)

Merge Request !1124 was merged

Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/1124

Project:Branches: nmav/gnutls:tmp-fix-base64 to gnutls/gnutls:master
Author: Nikos Mavrogiannopoulos
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1124

From gnutls-devel at lists.gnutls.org Thu Nov 28 16:15:08 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 28 Nov 2019 15:15:08 +0000
Subject: [gnutls-devel] GnuTLS | gnutls_base64_decode2 gives an error on empty input (#834)

Issue was closed by Nikos Mavrogiannopoulos via commit 8183854917d100a9475d854cdb0f7c0a931ccd4d

Issue #834: https://gitlab.com/gnutls/gnutls/issues/834

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/834

From gnutls-devel at lists.gnutls.org Thu Nov 28 16:15:08 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 28 Nov 2019 15:15:08 +0000
Subject: [gnutls-devel] GnuTLS | gnutls_base64_decode2 gives an error on empty input (#834)

Issue was closed by Nikos Mavrogiannopoulos via merge request !1124 (https://gitlab.com/gnutls/gnutls/merge_requests/1124)

Issue #834: https://gitlab.com/gnutls/gnutls/issues/834

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/834

From gnutls-devel at lists.gnutls.org Fri Nov 29 10:06:46 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 29 Nov 2019 09:06:46 +0000
Subject: [gnutls-devel] GnuTLS | GnuTLS3.6.7.1 cannot process validity field according to RFC5280 (#864)

llqll commented:

ok

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/864#note_252162642

From gnutls-devel at lists.gnutls.org Fri Nov 29 11:00:18 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 29 Nov 2019 10:00:18 +0000
Subject: [gnutls-devel] GnuTLS | guile bindings not multi-arch safe (#838)

Nikos Mavrogiannopoulos commented:

@ametzler does the MR address the issue?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/838#note_252196342

From gnutls-devel at lists.gnutls.org Fri Nov 29 13:09:29 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 29 Nov 2019 12:09:29 +0000
Subject: [gnutls-devel] GnuTLS | Run tests under minimal configuration (!1122)

Nikos Mavrogiannopoulos commented:

That was it. It seems to work now!

https://travis-ci.org/nmav/gnutls/builds/618562394

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1122#note_252292513

From gnutls-devel at lists.gnutls.org Fri Nov 29 15:33:39 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 29 Nov 2019 14:33:39 +0000
Subject: [gnutls-devel] GnuTLS | Run tests under minimal configuration (!1122)

Nikos Mavrogiannopoulos commented:

Unfortunately, that fails when merged in master :(

https://travis-ci.org/gnutls/gnutls/jobs/618571086

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1122#note_252388321

From gnutls-devel at lists.gnutls.org Fri Nov 29 16:14:35 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 29 Nov 2019 15:14:35 +0000
Subject: [gnutls-devel] GnuTLS | Name constraints apply to CN when no SubAltName.DNS is present and the CN is not a valid DNS name (#776)

Milestone changed to Release of GnuTLS 3.6.12 (Dec 1, 2019–Feb 1, 2020) ( https://gitlab.com/gnutls/gnutls/-/milestones/26 )

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/776

From gnutls-devel at lists.gnutls.org Fri Nov 29 16:14:40 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 29 Nov 2019 15:14:40 +0000
Subject: [gnutls-devel] GnuTLS | gnutls uses libidn2 internal symbols which were dropped (#832)

Milestone changed to Release of GnuTLS 3.6.12 (Dec 1, 2019–Feb 1, 2020) ( https://gitlab.com/gnutls/gnutls/-/milestones/26 )

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/832

From gnutls-devel at lists.gnutls.org Fri Nov 29 16:14:44 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 29 Nov 2019 15:14:44 +0000
Subject: [gnutls-devel] GnuTLS | It is not possible for server to check whether client requested OCSP stapling (#829)

Milestone changed to Release of GnuTLS 3.6.12 (Dec 1, 2019–Feb 1, 2020) ( https://gitlab.com/gnutls/gnutls/-/milestones/26 )

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/829

From gnutls-devel at lists.gnutls.org Fri Nov 29 16:26:11 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 29 Nov 2019 15:26:11 +0000
Subject: [gnutls-devel] GnuTLS | Run tests under minimal configuration (!1122)

Tim Rühsen commented:

Again libssl is missing on Travis. Did you somehow forget it to move to master (.travis-ci-yml) ?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1122#note_252448890

From gnutls-devel at lists.gnutls.org Fri Nov 29 16:40:08 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 29 Nov 2019 15:40:08 +0000
Subject: [gnutls-devel] coverage | create fuzz-coverage badge (!5)

Nikos Mavrogiannopoulos created a merge request: https://gitlab.com/gnutls/coverage/merge_requests/5

Branches: tmp-new-badge to master
Author: Nikos Mavrogiannopoulos
Signed-off-by: Nikos Mavrogiannopoulos -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/coverage/merge_requests/5 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Nov 29 19:14:20 2019 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 29 Nov 2019 18:14:20 +0000 Subject: [gnutls-devel] GnuTLS | guile: Arrange to make 'gnutls.scm' architecture-independent. (!1121) In-Reply-To: References: Message-ID: Andreas Metzler commented: The only difference I see post-patch is this one: ~~~ --- 0.old/usr/share/guile/site/2.2/gnutls.scm 2019-11-29 19:10:46.922255125 +0100 +++ 1.new/usr/share/guile/site/2.2/gnutls.scm 2019-11-29 19:08:53.512220016 +0100 @@ -519,10 +519,15 @@ (eval-when (expand load eval) (define %libdir (or (getenv "GNUTLS_GUILE_EXTENSION_DIR") + + ;; The .scm file is supposed to be architecture-independent. Thus, + ;; save 'extensiondir' only if it's different from what Guile expects. "/usr/lib/x86_64-linux-gnu/guile/2.2/extensions")) (unless (getenv "GNUTLS_GUILE_CROSS_COMPILING") - (load-extension (string-append %libdir "/guile-gnutls-v-2") + (load-extension (if %libdir + (string-append %libdir "/guile-gnutls-v-2") + "guile-gnutls-v-2") "scm_init_gnutls"))) (cond-expand -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1121#note_252516974 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Nov 29 19:24:23 2019 
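Review bot: in the `%libdir` definition the `or` still ends in the literal "/usr/lib/x86_64-linux-gnu/guile/2.2/extensions", so `%libdir` is always a string and the new `(if %libdir ...)` fallback to the bare "guile-gnutls-v-2" name can never be taken; the generated gnutls.scm therefore stays architecture-specific. The substitution that emits that literal needs to produce `#f` when extensiondir matches what Guile expects, which is what the added comment says is intended. The comment itself lands between the `getenv` form and the literal, separated by a stray blank line; it would read better placed above the `(define %libdir` form.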
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 29 Nov 2019 18:24:23 +0000
Subject: [gnutls-devel] GnuTLS | guile: Arrange to make 'gnutls.scm' architecture-independent. (!1121)

Andreas Metzler commented:

Adding echos in configure.ac to debug
~~~
if test "$guileextensiondir" = "`$PKG_CONFIG guile-$GUILE_EFFECTIVE_VERSION --variable extensiondir`"
~~~
like this
~~~
echo DEBUG start
echo "$guileextensiondir"
$PKG_CONFIG guile-$GUILE_EFFECTIVE_VERSION --variable extensiondir
echo DEBUG end
~~~
results in
~~~
DEBUG start
$(GUILE_EXTENSION)
/usr/lib/x86_64-linux-gnu/guile/2.2/extensions
DEBUG end
~~~

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1121#note_252518983

From gnutls-devel at lists.gnutls.org Fri Nov 29 20:25:15 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 29 Nov 2019 19:25:15 +0000
Subject: [gnutls-devel] GnuTLS | Run tests under minimal configuration (!1122)

Nikos Mavrogiannopoulos commented:

No .travis.yml is exactly the same.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1122#note_252534137

From gnutls-devel at lists.gnutls.org Fri Nov 29 23:16:48 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 29 Nov 2019 22:16:48 +0000
Subject: [gnutls-devel] coverage | create fuzz-coverage badge (!5)

Merge Request !5 was closed by Nikos Mavrogiannopoulos

Merge Request url: https://gitlab.com/gnutls/coverage/merge_requests/5

Branches: tmp-new-badge to master
Author: Nikos Mavrogiannopoulos
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/coverage/merge_requests/5

From gnutls-devel at lists.gnutls.org Fri Nov 29 23:16:54 2019
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 29 Nov 2019 22:16:54 +0000
Subject: [gnutls-devel] coverage | include fips-mode tests into coverage (!4)

Merge Request !4 was closed by Nikos Mavrogiannopoulos

Merge Request url: https://gitlab.com/gnutls/coverage/merge_requests/4

Branches: tmp-include-fips to master
Author: Nikos Mavrogiannopoulos
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/coverage/merge_requests/4