From gnutls-devel at lists.gnutls.org Wed Jan 1 05:09:26 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 01 Jan 2020 04:09:26 +0000 Subject: [gnutls-devel] GnuTLS | Service Desk (from debian.axhn@manchmal.in-ulm.de): gnutls: Missing authority check in the certificate revocation check routines (#861) In-Reply-To: References: Message-ID: GnuTLS bot commented: @support-bot This issue is unlabelled after 30 days. It needs attention. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/861#note_266232609 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Jan 1 05:09:25 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 01 Jan 2020 04:09:25 +0000 Subject: [gnutls-devel] GnuTLS | Issues require labels (#893) References: Message-ID: GnuTLS bot created an issue: https://gitlab.com/gnutls/gnutls/issues/893 The following issues require labels:

- [ ] [enable SMIMECapabilities when generating certificates](https://gitlab.com/gnutls/gnutls/issues/863)
- [ ] [Service Desk (from debian.axhn at manchmal.in-ulm.de): gnutls: Missing authority check in the certificate revocation check routines](https://gitlab.com/gnutls/gnutls/issues/861)
- [ ] [check_if_port_listening will fail with old iproute2](https://gitlab.com/gnutls/gnutls/issues/860)

Please take care of them. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/893 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Jan 1 05:09:25 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 01 Jan 2020 04:09:25 +0000 Subject: [gnutls-devel] GnuTLS | enable SMIMECapabilities when generating certificates (#863) In-Reply-To: References: Message-ID: GnuTLS bot commented: @dkg This issue is unlabelled after 30 days. It needs attention. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/863#note_266232603 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Jan 1 05:09:28 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 01 Jan 2020 04:09:28 +0000 Subject: [gnutls-devel] GnuTLS | WIP: Use git commit or ChangeLog date instead of build date (!928) In-Reply-To: References: Message-ID: Merge Request !928 was closed by GnuTLS bot Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/928 Project:Branches: bmwiedemann/gnutls:date to gnutls/gnutls:master Author: Bernhard M_ Wiedemann Assignees: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/928 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Jan 1 05:09:27 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 01 Jan 2020 04:09:27 +0000 Subject: [gnutls-devel] GnuTLS | WIP: Use git commit or ChangeLog date instead of build date (!928) In-Reply-To: References: Message-ID: GnuTLS bot commented: @bmwiedemann This merge request is marked as work in progress with no update for a very long time. We are now closing it, but please re-open if you are still interested in finishing this merge request. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/928#note_266232611 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Jan 1 09:15:46 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 01 Jan 2020 08:15:46 +0000 Subject: [gnutls-devel] GnuTLS | .gitlab-ci.yml: i686-linux-gnu: verify executables are 32-bit (!1146) In-Reply-To: References: Message-ID: Merge Request !1146 was closed by Nikos Mavrogiannopoulos Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/1146 Project:Branches: nmav/gnutls:tmp-i686-build to gnutls/gnutls:master Author: Nikos Mavrogiannopoulos Assignees: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1146 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Jan 1 09:31:19 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 01 Jan 2020 08:31:19 +0000 Subject: [gnutls-devel] GnuTLS | guile: Arrange to make 'gnutls.scm' architecture-independent. (!1121) In-Reply-To: References: Message-ID: All discussions on Merge Request !1121 were resolved by Nikos Mavrogiannopoulos https://gitlab.com/gnutls/gnutls/merge_requests/1121 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1121 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Jan 1 09:31:30 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 01 Jan 2020 08:31:30 +0000 Subject: [gnutls-devel] GnuTLS | guile bindings not multi-arch safe (#838) In-Reply-To: References: Message-ID: Issue was closed by Nikos Mavrogiannopoulos via merge request !1121 (https://gitlab.com/gnutls/gnutls/merge_requests/1121) Issue #838: https://gitlab.com/gnutls/gnutls/issues/838 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/838 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Jan 1 09:31:30 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 01 Jan 2020 08:31:30 +0000 Subject: [gnutls-devel] GnuTLS | guile: Arrange to make 'gnutls.scm' architecture-independent. (!1121) In-Reply-To: References: Message-ID: Merge Request !1121 was merged Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/1121 Project:Branches: civodul/gnutls:wip-arch-independent-scm to gnutls/gnutls:master Author: civodul Assignees: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1121 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Jan 1 09:33:02 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 01 Jan 2020 08:33:02 +0000 Subject: [gnutls-devel] GnuTLS | Service Desk (from debian.axhn@manchmal.in-ulm.de): gnutls: Missing authority check in the certificate revocation check routines (#861) In-Reply-To: References: Message-ID: Issue was closed by Nikos Mavrogiannopoulos Issue #861: https://gitlab.com/gnutls/gnutls/issues/861 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/861 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Jan 1 09:33:02 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 01 Jan 2020 08:33:02 +0000 Subject: [gnutls-devel] GnuTLS | Service Desk (from debian.axhn@manchmal.in-ulm.de): gnutls: Missing authority check in the certificate revocation check routines (#861) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos commented: I'm closing it due to no follow up. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/861#note_266243034 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Jan 1 09:35:01 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 01 Jan 2020 08:35:01 +0000 Subject: [gnutls-devel] GnuTLS | Dummy getrandom() definition can cause have_getrandom() = 1, causing TLS failure (#892) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos commented: Thank you for reporting this. Would you like to send an MR to address it? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/892#note_266243208 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Jan 1 09:57:36 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 01 Jan 2020 08:57:36 +0000 Subject: [gnutls-devel] GnuTLS | Dummy getrandom() definition can cause have_getrandom() = 1, causing TLS failure (#892) In-Reply-To: References: Message-ID: Milestone changed to Release of GnuTLS 3.6.12 (Dec 1, 2019–Feb 1, 2020) ( https://gitlab.com/gnutls/gnutls/-/milestones/26 ) -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/892 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Jan 1 10:15:30 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 01 Jan 2020 09:15:30 +0000 Subject: [gnutls-devel] GnuTLS | UB+ASAN: Fail tests if UB detected (!1136) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos commented on a discussion on .gitlab-ci.yml: https://gitlab.com/gnutls/gnutls/merge_requests/1136#note_266245389 > stage: stage1-testing > image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$DEBIAN_X86_CROSS_BUILD > script: > + - apt-get install -y datefudge:amd64 I've added this package. That should be fixed now. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1136#note_266245389 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Jan 1 17:04:47 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 01 Jan 2020 16:04:47 +0000 Subject: [gnutls-devel] GnuTLS | UB+ASAN: Fail tests if UB detected (!1136) In-Reply-To: References: Message-ID: Tim Rühsen commented on a discussion on .gitlab-ci.yml: https://gitlab.com/gnutls/gnutls/merge_requests/1136#note_266275114 > stage: stage1-testing > image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$DEBIAN_X86_CROSS_BUILD > script: > + - apt-get install -y datefudge:amd64 Thanks, LGTM ! Now there is test `mini-overhead` running forever in runner 'UB+ASAN-Werror.Fedora.x86_64.clang'. Any help/idea appreciated. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1136#note_266275114 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Jan 1 18:45:44 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 01 Jan 2020 17:45:44 +0000 Subject: [gnutls-devel] GnuTLS | UB+ASAN: Fail tests if UB detected (!1136) In-Reply-To: References: Message-ID: Tim Rühsen pushed new commits to merge request !1136 https://gitlab.com/gnutls/gnutls/merge_requests/1136

* 35215ef5 - UBSAN: Fail tests if UB detected
* d4554056 - Fix implicit value change in verify-high.c
* fe90799b - handshake.c: Suppress warning in fuzzing build
* a7fe03cc - rnd-fuzzer.c: Suppress shift sanitization check
* b898f76b - status_request.c: Silence -Wsign-compare
* 40afddeb - certtool-cfg.c: Silence -Wunused-variable if HAVE_IPV6 not set
* ceac2555 - Fix 2x -Wunused-function in tests/
* c4295cf7 - Fix -Wtypedef-redefinition in tests/tls13/anti_replay.c [skip ci]
* 188b47b2 - Fix "left shift cannot be represented in type 'int'" in hello_ext.[ch]
* aa583c8e - Fix "implicit conversion from type 'int' of value -1 to 'unsigned'"
* 716e2104 - Fix "implicit conversion from type 'int' of value -1 to 'unsigned'"
* 33af811f - Fix "implicit conversion from type 'int' of value -1 to 'unsigned'"
* 6f664846 - Fix "implicit conversion from type 'int' of value -1 to 'unsigned'"
* 7f356b77 - Fix "implicit conversion from type 'int' < 0 to 'unsigned'"
* 01d07998 - Fix "implicit conversion from type 'int' < 0 to 'unsigned'"
* 8b1f9077 - Fix "implicit conversion from type 'int' -1 to 'unsigned'"
* 6ab507d1 - Fix "implicit conversion from type 'uint32_t' to 'uint8_t' with value >255"
* 3ebc3148 - Fix checks in mpi.c:__gnutls_x509_write_int()
* 396c95e4 - Suppress integer UB checks in record.c:record_read_headers()
* a65f97da - Fix "implicit conversion from type 'int' -1 to 'unsigned'"
* 3901ea3f - Use check_for_datefudge in tests
* 691e6df7 - Fix NULL ptr access in _gnutls_iov_iter_next()
* 7af39508 - Temporarily disable test 'eagain.sh' until #884 is fixed

-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1136 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Jan 1 18:50:31 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 01 Jan 2020 17:50:31 +0000 Subject: [gnutls-devel] GnuTLS | UB+ASAN: Fail tests if UB detected (!1136) In-Reply-To: References: Message-ID: All discussions on Merge Request !1136 were resolved by Tim Rühsen https://gitlab.com/gnutls/gnutls/merge_requests/1136 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1136 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Jan 1 18:50:30 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 01 Jan 2020 17:50:30 +0000 Subject: [gnutls-devel] GnuTLS | UB+ASAN: Fail tests if UB detected (!1136) In-Reply-To: References: Message-ID: Tim Rühsen commented on a discussion on .gitlab-ci.yml: https://gitlab.com/gnutls/gnutls/merge_requests/1136#note_266281221 > stage: stage1-testing > image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$DEBIAN_X86_CROSS_BUILD > script: > + - apt-get install -y datefudge:amd64 Added the following exceptions to `devel/ubsan.supp`, all unsigned-integer-overflows which *should* be avoided but are *not* UB.

```
buffers.c:1135:36: runtime error: unsigned integer overflow: 0 - 1 cannot be represented in type 'unsigned int'
    #0 0x7fa51f193919 in get_last_packet /gnutls/lib/buffers.c:1135:36
    #1 0x7fa51f192982 in _gnutls_handshake_io_recv_int /gnutls/lib/buffers.c:1407:8
    #2 0x7fa51f1989be in _gnutls_recv_handshake /gnutls/lib/handshake.c:1522:8
    #3 0x7fa51f1a1fe3 in handshake_client /gnutls/lib/handshake.c:2999:8
    #4 0x7fa51f1a11b7 in gnutls_handshake /gnutls/lib/handshake.c:2727:10
    #5 0x4f21a7 in client /gnutls/tests/mini-overhead.c:155:9
    #6 0x4f1cb2 in start /gnutls/tests/mini-overhead.c:304:3
    #7 0x4f1901 in doit /gnutls/tests/mini-overhead.c:325:2
    #8 0x4f34ef in main /gnutls/tests/utils.c:254:2
    #9 0x7fa51e8281a2 in __libc_start_main (/lib64/libc.so.6+0x271a2)
    #10 0x41c59d in _start (/gnutls/tests/mini-overhead+0x41c59d)
SUMMARY: UndefinedBehaviorSanitizer: unsigned-integer-overflow buffers.c:1135:36 in

pk.c:668:12: runtime error: negation of 1 cannot be represented in type 'unsigned int'
    #0 0x7fa51f4352eb in _wrap_nettle_pk_decrypt2 /gnutls/lib/nettle/pk.c:668:12
    #1 0x7fa51f23455f in gnutls_privkey_decrypt_data2 /gnutls/lib/privkey.c:1617:10
    #2 0x7fa51f414d32 in proc_rsa_client_kx /gnutls/lib/auth/rsa.c:210:6
    #3 0x7fa51f1b94e7 in _gnutls_recv_client_kx_message /gnutls/lib/kx.c:570:7
    #4 0x7fa51f1a6023 in handshake_server /gnutls/lib/handshake.c:3461:10
    #5 0x7fa51f1a121d in gnutls_handshake /gnutls/lib/handshake.c:2730:9
    #6 0x4f1e17 in server /gnutls/tests/mini-overhead.c:249:9
    #7 0x4f1b69 in start /gnutls/tests/mini-overhead.c:299:3
    #8 0x4f1901 in doit /gnutls/tests/mini-overhead.c:325:2
    #9 0x4f34ef in main /gnutls/tests/utils.c:254:2
    #10 0x7fa51e8281a2 in __libc_start_main (/lib64/libc.so.6+0x271a2)
    #11 0x41c59d in _start (/gnutls/tests/mini-overhead+0x41c59d)
SUMMARY: UndefinedBehaviorSanitizer: unsigned-integer-overflow pk.c:668:12 in

rsa.c:235:8: runtime error: negation of 1 cannot be represented in type 'unsigned int'
    #0 0x7fa51f415450 in proc_rsa_client_kx /gnutls/lib/auth/rsa.c:235:8
    #1 0x7fa51f1b94e7 in _gnutls_recv_client_kx_message /gnutls/lib/kx.c:570:7
    #2 0x7fa51f1a6023 in handshake_server /gnutls/lib/handshake.c:3461:10
    #3 0x7fa51f1a121d in gnutls_handshake /gnutls/lib/handshake.c:2730:9
    #4 0x4f1e17 in server /gnutls/tests/mini-overhead.c:249:9
    #5 0x4f1b69 in start /gnutls/tests/mini-overhead.c:299:3
    #6 0x4f1901 in doit /gnutls/tests/mini-overhead.c:325:2
    #7 0x4f34ef in main /gnutls/tests/utils.c:254:2
    #8 0x7fa51e8281a2 in __libc_start_main (/lib64/libc.so.6+0x271a2)
    #9 0x41c59d in _start (/gnutls/tests/mini-overhead+0x41c59d)
SUMMARY: UndefinedBehaviorSanitizer: unsigned-integer-overflow rsa.c:235:8 in
```

-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1136#note_266281221 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Jan 1 19:05:57 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 01 Jan 2020 18:05:57 +0000 Subject: [gnutls-devel] GnuTLS | UB+ASAN: Fail tests if UB detected (!1136) In-Reply-To: References: Message-ID: Tim Rühsen commented: @nmav Copyright year update needed for gnutls :-) -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1136#note_266282619 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Jan 1 20:54:26 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 01 Jan 2020 19:54:26 +0000 Subject: [gnutls-devel] GnuTLS | UB+ASAN: Fail tests if UB detected (!1136) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos started a new discussion on tests/suite/Makefile.am: https://gitlab.com/gnutls/gnutls/merge_requests/1136#note_266289355 > > noinst_PROGRAMS = eagain-cli mini-record-timing > > -scripts_to_test += eagain.sh > +#scripts_to_test += eagain.sh Let's not disable any tests. That can cause worse problems (regressions) than the issues solved. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1136#note_266289355 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Jan 1 20:56:08 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 01 Jan 2020 19:56:08 +0000 Subject: [gnutls-devel] GnuTLS | UB+ASAN: Fail tests if UB detected (!1136) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos started a new discussion on .gitlab-ci.yml: https://gitlab.com/gnutls/gnutls/merge_requests/1136#note_266289436 > - tests/*.log > - tests/*/*.log > - tests/suite/*/*.log > - retry: 1 > +# retry: 1 Why that change? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1136#note_266289436 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Jan 1 20:59:39 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 01 Jan 2020 19:59:39 +0000 Subject: [gnutls-devel] GnuTLS | UB+ASAN: Fail tests if UB detected (!1136) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos started a new discussion on .gitlab-ci.yml: https://gitlab.com/gnutls/gnutls/merge_requests/1136#note_266289607 > - - make -j$(nproc) -C gl > - - make -j$(nproc) -C lib CFLAGS="-Werror -O2 -g -Wimplicit-fallthrough=2" > - - make -j$(nproc) -C libdane CFLAGS="-Werror -O2 -g -Wimplicit-fallthrough=2" > - - make -j$(nproc) -C src/gl > - - make -j$(nproc) -C src CFLAGS="-Werror -O2 -g -fsanitize=undefined -Wno-error=parentheses -Wno-error=unused-macros -Wimplicit-fallthrough=2 -Wno-duplicated-branches" > + - export UBSAN_OPTIONS=print_stacktrace=1:suppressions=$(pwd)/devel/ubsan.supp > + - export LSAN_OPTIONS=suppressions=$(pwd)/devel/lsan.supp > + - export CFLAGS="-std=c99 -O1 -g -Wno-cpp -Werror -fno-omit-frame-pointer -fsanitize=undefined,bool,alignment,null,enum,bounds-strict,address,leak,nonnull-attribute -fno-sanitize-recover=all -fsanitize-address-use-after-scope" > + - export CXXFLAGS="$CFLAGS" > + - dash ./configure --cache-file cache/config.cache --disable-guile --disable-doc --disable-hardware-acceleration > + - sed -i 's/-Werror/-Wno-parentheses -Werror/g' src/Makefile > - make -j$(nproc) > - - make check -j$(nproc) > - - CFLAGS="-std=c99 -fsanitize=undefined -fsanitize=bool -fsanitize=alignment -fsanitize=null -fsanitize=bounds-strict -fsanitize=enum -fno-sanitize-recover -g -O2" CXXFLAGS=$CFLAGS LDFLAGS="-static-libubsan" dash ./configure > - --cache-file cache/config.cache --disable-non-suiteb-curves --disable-guile --disable-doc --disable-full-test-suite --with-default-trust-store-pkcs11="pkcs11:" > + - sed -i 's/-Werror//g' fuzz/Makefile tests/Makefile tests/slow/Makefile Why this sed? 
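Review bot: The pattern in the last added line, `sed -i 's/-Werror//g' fuzz/Makefile tests/Makefile tests/slow/Makefile`, is unanchored, so it would also eat the prefix of any `-Werror=<name>` flag present in those generated Makefiles and leave a dangling `=<name>` on the compiler command line. It also turns off warnings-as-errors for all fuzz and test code with no comment naming the warning that made this necessary. Suggest downgrading only the offending warning with `-Wno-error=<name>` for those directories, or at least matching `-Werror` as a whole word and adding a one-line comment with the reason.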
-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1136#note_266289607 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Jan 1 21:00:23 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 01 Jan 2020 20:00:23 +0000 Subject: [gnutls-devel] GnuTLS | UB+ASAN: Fail tests if UB detected (!1136) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos started a new discussion on .gitlab-ci.yml: https://gitlab.com/gnutls/gnutls/merge_requests/1136#note_266289658 > + - export UBSAN_OPTIONS=print_stacktrace=1:suppressions=$(pwd)/devel/ubsan.supp > + - export LSAN_OPTIONS=suppressions=$(pwd)/devel/lsan.supp > + - export CFLAGS="-std=c99 -O1 -g -Wno-cpp -Werror -fno-omit-frame-pointer -fsanitize=undefined,bool,alignment,null,enum,bounds-strict,address,leak,nonnull-attribute -fno-sanitize-recover=all -fsanitize-address-use-after-scope" > + - export CXXFLAGS="$CFLAGS" > + - dash ./configure --cache-file cache/config.cache --disable-guile --disable-doc --disable-hardware-acceleration > + - sed -i 's/-Werror/-Wno-parentheses -Werror/g' src/Makefile > - make -j$(nproc) > - - make check -j$(nproc) > - - CFLAGS="-std=c99 -fsanitize=undefined -fsanitize=bool -fsanitize=alignment -fsanitize=null -fsanitize=bounds-strict -fsanitize=enum -fno-sanitize-recover -g -O2" CXXFLAGS=$CFLAGS LDFLAGS="-static-libubsan" dash ./configure > - --cache-file cache/config.cache --disable-non-suiteb-curves --disable-guile --disable-doc --disable-full-test-suite --with-default-trust-store-pkcs11="pkcs11:" > + - sed -i 's/-Werror//g' fuzz/Makefile tests/Makefile tests/slow/Makefile > + - make check -j$(nproc) -C fuzz > + - make check -j$(nproc) -C tests > + - dash ./configure --cache-file cache/config.cache --disable-guile --disable-doc --disable-hardware-acceleration --with-default-trust-store-pkcs11="pkcs11:" > - make clean > + - sed -i 's/-Werror/-Wno-parentheses -Werror/g' src/Makefile That is not clear why it is done. 
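Review bot: `-Werror` is now part of the exported `CFLAGS` before both `dash ./configure` calls, so configure's own feature probes are compiled with warnings as errors, and a probe that only triggers a warning is recorded as a missing feature; the removed configure invocation set `CFLAGS` without `-Werror`. Suggest keeping `-Werror` out of the configure environment and adding it at the `make` steps instead, for example `make -j$(nproc) CFLAGS="$CFLAGS -Werror"`. The `-Wno-parentheses` exception for `src` could then be passed the same way, which would replace the two identical `sed -i 's/-Werror/-Wno-parentheses -Werror/g' src/Makefile` edits of a generated file.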
-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1136#note_266289658 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Jan 1 21:00:53 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 01 Jan 2020 20:00:53 +0000 Subject: [gnutls-devel] GnuTLS | UB+ASAN: Fail tests if UB detected (!1136) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos started a new discussion on .gitlab-ci.yml: https://gitlab.com/gnutls/gnutls/merge_requests/1136#note_266289690 > + - dash ./configure --cache-file cache/config.cache --disable-guile --disable-doc --disable-hardware-acceleration > + - sed -i 's/-Werror/-Wno-parentheses -Werror/g' src/Makefile > - make -j$(nproc) > - - make check -j$(nproc) > - - CFLAGS="-std=c99 -fsanitize=undefined -fsanitize=bool -fsanitize=alignment -fsanitize=null -fsanitize=bounds-strict -fsanitize=enum -fno-sanitize-recover -g -O2" CXXFLAGS=$CFLAGS LDFLAGS="-static-libubsan" dash ./configure > - --cache-file cache/config.cache --disable-non-suiteb-curves --disable-guile --disable-doc --disable-full-test-suite --with-default-trust-store-pkcs11="pkcs11:" > + - sed -i 's/-Werror//g' fuzz/Makefile tests/Makefile tests/slow/Makefile > + - make check -j$(nproc) -C fuzz > + - make check -j$(nproc) -C tests > + - dash ./configure --cache-file cache/config.cache --disable-guile --disable-doc --disable-hardware-acceleration --with-default-trust-store-pkcs11="pkcs11:" > - make clean > + - sed -i 's/-Werror/-Wno-parentheses -Werror/g' src/Makefile > - make -j$(nproc) > - - make -C tests check -j$(nproc) TESTS="trust-store p11-kit-load.sh" SUBDIRS=. > + - sed -i 's/-Werror//g' fuzz/Makefile tests/Makefile tests/slow/Makefile > + - make check -j$(nproc) -C fuzz That's not necessary. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1136#note_266289690 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Jan 1 21:02:07 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 01 Jan 2020 20:02:07 +0000 Subject: [gnutls-devel] GnuTLS | UB+ASAN: Fail tests if UB detected (!1136) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos started a new discussion on .gitlab-ci.yml: https://gitlab.com/gnutls/gnutls/merge_requests/1136#note_266289735 > - tests/*.log > - tests/*/*.log > - tests/suite/*/*.log > - retry: 1 > +# retry: 1 > + > +# Two runs, one with normal backend and another with pkcs11 trust store > +UB+ASAN-Werror.Fedora.x86_64.clang: I'd really prefer a separate MR to add an additional clang runner. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1136#note_266289735 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Jan 1 21:07:46 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 01 Jan 2020 20:07:46 +0000 Subject: [gnutls-devel] GnuTLS | UB+ASAN: Fail tests if UB detected (!1136) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos started a new discussion on devel/ubsan.supp: https://gitlab.com/gnutls/gnutls/merge_requests/1136#note_266290053 > +unsigned-integer-overflow:str-two-way.h > + > +# tests/mini-overhead won't terminate > +unsigned-integer-overflow:rsa.c What are these? Are they safe to ignore? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1136#note_266290053 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Jan 1 21:12:27 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 01 Jan 2020 20:12:27 +0000 Subject: [gnutls-devel] GnuTLS | UB+ASAN: Fail tests if UB detected (!1136) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos started a new discussion on lib/record.c: https://gitlab.com/gnutls/gnutls/merge_requests/1136#note_266290254 > /* Checks the record headers and returns the length, version and > * content type. > */ > +#ifdef __clang__ Let's think how we can better bring this in separate MR with clang. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1136#note_266290254 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Jan 1 21:15:25 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 01 Jan 2020 20:15:25 +0000 Subject: [gnutls-devel] GnuTLS | UB+ASAN: Fail tests if UB detected (!1136) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos started a new discussion on tests/cert-reencoding.sh: https://gitlab.com/gnutls/gnutls/merge_requests/1136#note_266290398 > fi > > # Check for datefudge > -TSTAMP=`datefudge "2006-09-23" date -u +%s || true` > -if test "$TSTAMP" != "1158969600"; then > - echo $TSTAMP > - echo "You need datefudge to run this test." > - exit 77 > -fi > +#TSTAMP=`datefudge "2006-09-23" date -u +%s || true` No need to keep these as comments. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1136#note_266290398 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Jan 1 21:18:13 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 01 Jan 2020 20:18:13 +0000 Subject: [gnutls-devel] GnuTLS | UB+ASAN: Fail tests if UB detected (!1136) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos commented on a discussion on tests/suite/Makefile.am: https://gitlab.com/gnutls/gnutls/merge_requests/1136#note_266290569 > > noinst_PROGRAMS = eagain-cli mini-record-timing > > -scripts_to_test += eagain.sh > +#scripts_to_test += eagain.sh If that test doesn't run under ubsan, let's do just that. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1136#note_266290569 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Jan 1 21:39:42 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 01 Jan 2020 20:39:42 +0000 Subject: [gnutls-devel] GnuTLS | doc: updated copyrights for 2020 (!1147) References: Message-ID: Nikos Mavrogiannopoulos created a merge request: https://gitlab.com/gnutls/gnutls/merge_requests/1147 Branches: tmp-update-copyright to master Author: Nikos Mavrogiannopoulos This updates the copyright year for documentation and excludes gnulib files from the copyright check.

## Checklist

* [x] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [x] Code modified for feature
* [ ] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
* [x] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:

* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1147 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Jan 1 21:54:40 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 01 Jan 2020 20:54:40 +0000 Subject: [gnutls-devel] GnuTLS | WIP: Support for GOST-CTR ciphersuites from draft-smyshlyaec-tls12-gost-suites (!1144) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos commented: Sounds fine to me. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1144#note_266292638 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Jan 1 22:16:55 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 01 Jan 2020 21:16:55 +0000 Subject: [gnutls-devel] GnuTLS | UB+ASAN: Fail tests if UB detected (!1136) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos commented: Great cleanup overall! -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1136#note_266293879 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Jan 2 10:38:10 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 02 Jan 2020 09:38:10 +0000 Subject: [gnutls-devel] GnuTLS | doc: updated copyrights for 2020 (!1147) In-Reply-To: References: Message-ID: Merge Request !1147 was approved by Tim Rühsen Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/1147 Branches: tmp-update-copyright to master Author: Nikos Mavrogiannopoulos Assignees: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1147 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Jan 2 10:38:15 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 02 Jan 2020 09:38:15 +0000 Subject: [gnutls-devel] GnuTLS | doc: updated copyrights for 2020 (!1147) In-Reply-To: References: Message-ID: Merge Request !1147 was merged Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/1147 Branches: tmp-update-copyright to master Author: Nikos Mavrogiannopoulos Assignees: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1147 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Jan 2 10:42:27 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 02 Jan 2020 09:42:27 +0000 Subject: [gnutls-devel] GnuTLS | Dummy getrandom() definition can cause have_getrandom() = 1, causing TLS failure (#892) In-Reply-To: References: Message-ID: Tim Rühsen commented: @nmav This issue is in `lib/nettle/` - isn't this better addressed on the nettle ML? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/892#note_266387415 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Jan 2 10:47:05 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 02 Jan 2020 09:47:05 +0000 Subject: [gnutls-devel] GnuTLS | UB+ASAN: Fail tests if UB detected (!1136) In-Reply-To: References: Message-ID: Tim Rühsen commented on a discussion on tests/suite/Makefile.am: https://gitlab.com/gnutls/gnutls/merge_requests/1136#note_266389147 > > noinst_PROGRAMS = eagain-cli mini-record-timing > > -scripts_to_test += eagain.sh > +#scripts_to_test += eagain.sh #884 should fix it, please have a look. I tried here, but my fix broke other tests then. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1136#note_266389147 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Jan 2 10:49:13 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 02 Jan 2020 09:49:13 +0000 Subject: [gnutls-devel] GnuTLS | UB+ASAN: Fail tests if UB detected (!1136) In-Reply-To: References: Message-ID: Tim Rühsen commented on a discussion on .gitlab-ci.yml: https://gitlab.com/gnutls/gnutls/merge_requests/1136#note_266390038 > - tests/*.log > - tests/*/*.log > - tests/suite/*/*.log > - retry: 1 > +# retry: 1 As long as some tests knowingly failed I didn't want to retry again (waste of CI CPU resources). Once everything else works, we can add it again. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1136#note_266390038 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Jan 2 10:54:52 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 02 Jan 2020 09:54:52 +0000 Subject: [gnutls-devel] GnuTLS | UB+ASAN: Fail tests if UB detected (!1136) In-Reply-To: References: Message-ID: Tim R?hsen commented on a discussion on .gitlab-ci.yml: https://gitlab.com/gnutls/gnutls/merge_requests/1136#note_266392447 > - - make -j$(nproc) -C gl > - - make -j$(nproc) -C lib CFLAGS="-Werror -O2 -g -Wimplicit-fallthrough=2" > - - make -j$(nproc) -C libdane CFLAGS="-Werror -O2 -g -Wimplicit-fallthrough=2" > - - make -j$(nproc) -C src/gl > - - make -j$(nproc) -C src CFLAGS="-Werror -O2 -g -fsanitize=undefined -Wno-error=parentheses -Wno-error=unused-macros -Wimplicit-fallthrough=2 -Wno-duplicated-branches" > + - export UBSAN_OPTIONS=print_stacktrace=1:suppressions=$(pwd)/devel/ubsan.supp > + - export LSAN_OPTIONS=suppressions=$(pwd)/devel/lsan.supp > + - export CFLAGS="-std=c99 -O1 -g -Wno-cpp -Werror -fno-omit-frame-pointer -fsanitize=undefined,bool,alignment,null,enum,bounds-strict,address,leak,nonnull-attribute -fno-sanitize-recover=all -fsanitize-address-use-after-scope" > + - export CXXFLAGS="$CFLAGS" > + - dash ./configure --cache-file cache/config.cache --disable-guile --disable-doc --disable-hardware-acceleration > + - sed -i 's/-Werror/-Wno-parentheses -Werror/g' src/Makefile > - make -j$(nproc) > - - make check -j$(nproc) > - - CFLAGS="-std=c99 -fsanitize=undefined -fsanitize=bool -fsanitize=alignment -fsanitize=null -fsanitize=bounds-strict -fsanitize=enum -fno-sanitize-recover -g -O2" CXXFLAGS=$CFLAGS LDFLAGS="-static-libubsan" dash ./configure > - --cache-file cache/config.cache --disable-non-suiteb-curves --disable-guile --disable-doc --disable-full-test-suite --with-default-trust-store-pkcs11="pkcs11:" > + - sed -i 's/-Werror//g' fuzz/Makefile tests/Makefile tests/slow/Makefile There are currently different kinds of warnings in those directories that I didn't want to address in this MR. Should I open an issue ? 
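Review bot: The added `sed -i 's/-Werror//g' fuzz/Makefile tests/Makefile tests/slow/Makefile` step strips `-Werror` from three whole directories and carries no comment saying which warnings it works around, so any new warning in the fuzzers or tests will pass this job silently. Consider keeping `-Werror` and downgrading only the specific warning classes with `-Wno-error=<warning>`, as the removed `make -C src` line did with `-Wno-error=parentheses -Wno-error=unused-macros`, or at least add a comment above the `sed` line naming the files that need it so the workaround can be dropped later.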
-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1136#note_266392447 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Jan 2 10:58:29 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 02 Jan 2020 09:58:29 +0000 Subject: [gnutls-devel] GnuTLS | UB+ASAN: Fail tests if UB detected (!1136) In-Reply-To: References: Message-ID: Tim R?hsen commented on a discussion on .gitlab-ci.yml: https://gitlab.com/gnutls/gnutls/merge_requests/1136#note_266394106 > + - dash ./configure --cache-file cache/config.cache --disable-guile --disable-doc --disable-hardware-acceleration > + - sed -i 's/-Werror/-Wno-parentheses -Werror/g' src/Makefile > - make -j$(nproc) > - - make check -j$(nproc) > - - CFLAGS="-std=c99 -fsanitize=undefined -fsanitize=bool -fsanitize=alignment -fsanitize=null -fsanitize=bounds-strict -fsanitize=enum -fno-sanitize-recover -g -O2" CXXFLAGS=$CFLAGS LDFLAGS="-static-libubsan" dash ./configure > - --cache-file cache/config.cache --disable-non-suiteb-curves --disable-guile --disable-doc --disable-full-test-suite --with-default-trust-store-pkcs11="pkcs11:" > + - sed -i 's/-Werror//g' fuzz/Makefile tests/Makefile tests/slow/Makefile > + - make check -j$(nproc) -C fuzz > + - make check -j$(nproc) -C tests > + - dash ./configure --cache-file cache/config.cache --disable-guile --disable-doc --disable-hardware-acceleration --with-default-trust-store-pkcs11="pkcs11:" > - make clean > + - sed -i 's/-Werror/-Wno-parentheses -Werror/g' src/Makefile > - make -j$(nproc) > - - make -C tests check -j$(nproc) TESTS="trust-store p11-kit-load.sh" SUBDIRS=. > + - sed -i 's/-Werror//g' fuzz/Makefile tests/Makefile tests/slow/Makefile > + - make check -j$(nproc) -C fuzz Sure ? If you are right, then we have to improve fuzzing :-) IMO, that test doesn't really hurt and we don't have to think about it once we improve the fuzzers. Do we need another issue for that ? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1136#note_266394106 You're receiving this email because of your account on gitlab.com. 
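Review bot: In the second build, configured with `--with-default-trust-store-pkcs11="pkcs11:"`, the removed `make -C tests check -j$(nproc) TESTS="trust-store p11-kit-load.sh" SUBDIRS=.` is replaced in the quoted lines by another `make check -j$(nproc) -C fuzz`, so nothing shown here exercises the PKCS#11 trust store that this configure pass exists to enable. Keep the targeted `TESTS="trust-store p11-kit-load.sh"` run after this build, and drop the repeated fuzz run unless it covers something the first pass does not.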
-------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Jan 2 11:24:08 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 02 Jan 2020 10:24:08 +0000 Subject: [gnutls-devel] GnuTLS | UB+ASAN: Fail tests if UB detected (!1136) In-Reply-To: References: Message-ID: Tim R?hsen commented on a discussion on devel/ubsan.supp: https://gitlab.com/gnutls/gnutls/merge_requests/1136#note_266415700 > +unsigned-integer-overflow:str-two-way.h > + > +# tests/mini-overhead won't terminate > +unsigned-integer-overflow:rsa.c IMO yes, those are just annoying. We can possibly tweak the code in the future and remove those exceptions. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1136#note_266415700 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Jan 2 11:58:18 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 02 Jan 2020 10:58:18 +0000 Subject: [gnutls-devel] GnuTLS | Dummy getrandom() definition can cause have_getrandom() = 1, causing TLS failure (#892) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos commented: Although it is in the nettle glue code that is pure gnutls code. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/892#note_266431758 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Jan 2 12:01:50 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 02 Jan 2020 11:01:50 +0000 Subject: [gnutls-devel] GnuTLS | UB+ASAN: Fail tests if UB detected (!1136) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos commented on a discussion on .gitlab-ci.yml: https://gitlab.com/gnutls/gnutls/merge_requests/1136#note_266435021 > + - dash ./configure --cache-file cache/config.cache --disable-guile --disable-doc --disable-hardware-acceleration > + - sed -i 's/-Werror/-Wno-parentheses -Werror/g' src/Makefile > - make -j$(nproc) > - - make check -j$(nproc) > - - CFLAGS="-std=c99 -fsanitize=undefined -fsanitize=bool -fsanitize=alignment -fsanitize=null -fsanitize=bounds-strict -fsanitize=enum -fno-sanitize-recover -g -O2" CXXFLAGS=$CFLAGS LDFLAGS="-static-libubsan" dash ./configure > - --cache-file cache/config.cache --disable-non-suiteb-curves --disable-guile --disable-doc --disable-full-test-suite --with-default-trust-store-pkcs11="pkcs11:" > + - sed -i 's/-Werror//g' fuzz/Makefile tests/Makefile tests/slow/Makefile > + - make check -j$(nproc) -C fuzz > + - make check -j$(nproc) -C tests > + - dash ./configure --cache-file cache/config.cache --disable-guile --disable-doc --disable-hardware-acceleration --with-default-trust-store-pkcs11="pkcs11:" > - make clean > + - sed -i 's/-Werror/-Wno-parentheses -Werror/g' src/Makefile > - make -j$(nproc) > - - make -C tests check -j$(nproc) TESTS="trust-store p11-kit-load.sh" SUBDIRS=. > + - sed -i 's/-Werror//g' fuzz/Makefile tests/Makefile tests/slow/Makefile > + - make check -j$(nproc) -C fuzz The second step tests whether the pkcs11 trust store works. That is not fuzzed, and I believe there is little sense in doing so. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1136#note_266435021 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... 
URL: From gnutls-devel at lists.gnutls.org Thu Jan 2 12:05:59 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 02 Jan 2020 11:05:59 +0000 Subject: [gnutls-devel] GnuTLS | UB+ASAN: Fail tests if UB detected (!1136) In-Reply-To: References: Message-ID: Tim R?hsen commented on a discussion on .gitlab-ci.yml: https://gitlab.com/gnutls/gnutls/merge_requests/1136#note_266436431 > + - dash ./configure --cache-file cache/config.cache --disable-guile --disable-doc --disable-hardware-acceleration > + - sed -i 's/-Werror/-Wno-parentheses -Werror/g' src/Makefile > - make -j$(nproc) > - - make check -j$(nproc) > - - CFLAGS="-std=c99 -fsanitize=undefined -fsanitize=bool -fsanitize=alignment -fsanitize=null -fsanitize=bounds-strict -fsanitize=enum -fno-sanitize-recover -g -O2" CXXFLAGS=$CFLAGS LDFLAGS="-static-libubsan" dash ./configure > - --cache-file cache/config.cache --disable-non-suiteb-curves --disable-guile --disable-doc --disable-full-test-suite --with-default-trust-store-pkcs11="pkcs11:" > + - sed -i 's/-Werror//g' fuzz/Makefile tests/Makefile tests/slow/Makefile > + - make check -j$(nproc) -C fuzz > + - make check -j$(nproc) -C tests > + - dash ./configure --cache-file cache/config.cache --disable-guile --disable-doc --disable-hardware-acceleration --with-default-trust-store-pkcs11="pkcs11:" > - make clean > + - sed -i 's/-Werror/-Wno-parentheses -Werror/g' src/Makefile > - make -j$(nproc) > - - make -C tests check -j$(nproc) TESTS="trust-store p11-kit-load.sh" SUBDIRS=. > + - sed -i 's/-Werror//g' fuzz/Makefile tests/Makefile tests/slow/Makefile > + - make check -j$(nproc) -C fuzz I remove it then. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1136#note_266436431 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Jan 2 13:03:15 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 02 Jan 2020 12:03:15 +0000 Subject: [gnutls-devel] GnuTLS | ecore_event_handler_add(): member access within null pointer of type 'struct Ecore_Event_Handler' (#884) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos commented: I think it may be easier bringing a framework like libev to replace the ecore in this test rather than continuing maintaining it. Let me check it. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/884#note_266454418 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Jan 2 14:03:08 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 02 Jan 2020 13:03:08 +0000 Subject: [gnutls-devel] GnuTLS | UB+ASAN: Fail tests if UB detected (!1136) In-Reply-To: References: Message-ID: Tim R?hsen commented on a discussion on .gitlab-ci.yml: https://gitlab.com/gnutls/gnutls/merge_requests/1136#note_266474413 > - - make -j$(nproc) -C gl > - - make -j$(nproc) -C lib CFLAGS="-Werror -O2 -g -Wimplicit-fallthrough=2" > - - make -j$(nproc) -C libdane CFLAGS="-Werror -O2 -g -Wimplicit-fallthrough=2" > - - make -j$(nproc) -C src/gl > - - make -j$(nproc) -C src CFLAGS="-Werror -O2 -g -fsanitize=undefined -Wno-error=parentheses -Wno-error=unused-macros -Wimplicit-fallthrough=2 -Wno-duplicated-branches" > + - export UBSAN_OPTIONS=print_stacktrace=1:suppressions=$(pwd)/devel/ubsan.supp > + - export LSAN_OPTIONS=suppressions=$(pwd)/devel/lsan.supp > + - export CFLAGS="-std=c99 -O1 -g -Wno-cpp -Werror -fno-omit-frame-pointer -fsanitize=undefined,bool,alignment,null,enum,bounds-strict,address,leak,nonnull-attribute -fno-sanitize-recover=all -fsanitize-address-use-after-scope" > + - export CXXFLAGS="$CFLAGS" > + - dash ./configure --cache-file cache/config.cache --disable-guile --disable-doc --disable-hardware-acceleration > + - sed -i 's/-Werror/-Wno-parentheses -Werror/g' src/Makefile > - make -j$(nproc) > - - make check -j$(nproc) > - - CFLAGS="-std=c99 -fsanitize=undefined -fsanitize=bool -fsanitize=alignment -fsanitize=null -fsanitize=bounds-strict -fsanitize=enum -fno-sanitize-recover -g -O2" CXXFLAGS=$CFLAGS LDFLAGS="-static-libubsan" dash ./configure > - --cache-file cache/config.cache --disable-non-suiteb-curves --disable-guile --disable-doc --disable-full-test-suite --with-default-trust-store-pkcs11="pkcs11:" > + - sed -i 's/-Werror//g' fuzz/Makefile tests/Makefile tests/slow/Makefile test/slow: ``` cipher-override.c: In function ?myaes_setkey?: cipher-override.c:62:3: warning: ?nettle_aes_set_encrypt_key? 
is deprecated [-Wdeprecated-declarations] 62 | aes_set_encrypt_key(&ctx->aes, keysize, userkey); | ^~~~~~~~~~~~~~~~~~~ In file included from cipher-override.c:18: /usr/include/nettle/aes.h:158:1: note: declared here 158 | aes_set_encrypt_key(struct aes_ctx *ctx, | ^~~~~~~~~~~~~~~~~~~ cipher-override.c:64:3: warning: ?nettle_aes_set_decrypt_key? is deprecated [-Wdeprecated-declarations] 64 | aes_set_decrypt_key(&ctx->aes, keysize, userkey); | ^~~~~~~~~~~~~~~~~~~ In file included from cipher-override.c:18: /usr/include/nettle/aes.h:163:1: note: declared here 163 | aes_set_decrypt_key(struct aes_ctx *ctx, | ^~~~~~~~~~~~~~~~~~~ cipher-override.c: In function ?myaes_encrypt?: cipher-override.c:84:2: warning: ?nettle_aes_encrypt? is deprecated [-Wdeprecated-declarations] 84 | cbc_encrypt(&ctx->aes, (nettle_cipher_func*)aes_encrypt, 16, ctx->iv, src_size, dst, src); | ^~~~~~~~~~~ In file included from cipher-override.c:18: /usr/include/nettle/aes.h:173:1: note: declared here 173 | aes_encrypt(const struct aes_ctx *ctx, | ^~~~~~~~~~~ cipher-override.c: In function ?myaes_decrypt?: cipher-override.c:95:2: warning: ?nettle_aes_decrypt? is deprecated [-Wdeprecated-declarations] 95 | cbc_decrypt(&ctx->aes, (nettle_cipher_func*)aes_decrypt, 16, ctx->iv, src_size, dst, src); | ^~~~~~~~~~~ In file included from cipher-override.c:18: /usr/include/nettle/aes.h:177:1: note: declared here 177 | aes_decrypt(const struct aes_ctx *ctx, | ^~~~~~~~~~~ ``` -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1136#note_266474413 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Jan 2 14:29:38 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 02 Jan 2020 13:29:38 +0000 Subject: [gnutls-devel] GnuTLS | ecore cli: updated and rewritten to use libev (!1148) References: Message-ID: Nikos Mavrogiannopoulos created a merge request: https://gitlab.com/gnutls/gnutls/merge_requests/1148 Branches: tmp-libev to master Author: Nikos Mavrogiannopoulos That removes a lot of code that was not necessary in the gnutls test suite. Resolves: #884 ## Checklist * [ ] Commits have `Signed-off-by:` with name/author being identical to the commit author * [x] Code modified for feature * [ ] Test suite updated with functionality tests * [ ] Test suite updated with negative tests * [ ] Documentation updated / NEWS entry present (for non-trivial changes) * [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout) ## Reviewer's checklist: * [ ] Any issues marked for closing are addressed * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md` * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1148 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Jan 2 14:30:22 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 02 Jan 2020 13:30:22 +0000 Subject: [gnutls-devel] GnuTLS | ecore_event_handler_add(): member access within null pointer of type 'struct Ecore_Event_Handler' (#884) In-Reply-To: References: Message-ID: Reassigned Issue 884 https://gitlab.com/gnutls/gnutls/issues/884 Assignee changed to Nikos Mavrogiannopoulos -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/884 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Jan 2 14:48:30 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 02 Jan 2020 13:48:30 +0000 Subject: [gnutls-devel] GnuTLS | UB+ASAN: Fail tests if UB detected (!1136) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos commented on a discussion on devel/ubsan.supp: https://gitlab.com/gnutls/gnutls/merge_requests/1136#note_266492492 > +unsigned-integer-overflow:str-two-way.h > + > +# tests/mini-overhead won't terminate > +unsigned-integer-overflow:rsa.c But would you like to add a more descriptive text to help future (and current) understanding? The information in the suppression is not enough (for me) to understand what is being suppressed. Only the name of the file without line or function number is quite vague to understand what is being suppressed. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1136#note_266492492 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Jan 2 14:51:08 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 02 Jan 2020 13:51:08 +0000 Subject: [gnutls-devel] GnuTLS | UB+ASAN: Fail tests if UB detected (!1136) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos commented on a discussion on .gitlab-ci.yml: https://gitlab.com/gnutls/gnutls/merge_requests/1136#note_266493329 > - - make -j$(nproc) -C gl > - - make -j$(nproc) -C lib CFLAGS="-Werror -O2 -g -Wimplicit-fallthrough=2" > - - make -j$(nproc) -C libdane CFLAGS="-Werror -O2 -g -Wimplicit-fallthrough=2" > - - make -j$(nproc) -C src/gl > - - make -j$(nproc) -C src CFLAGS="-Werror -O2 -g -fsanitize=undefined -Wno-error=parentheses -Wno-error=unused-macros -Wimplicit-fallthrough=2 -Wno-duplicated-branches" > + - export UBSAN_OPTIONS=print_stacktrace=1:suppressions=$(pwd)/devel/ubsan.supp > + - export LSAN_OPTIONS=suppressions=$(pwd)/devel/lsan.supp > + - export CFLAGS="-std=c99 -O1 -g -Wno-cpp -Werror -fno-omit-frame-pointer -fsanitize=undefined,bool,alignment,null,enum,bounds-strict,address,leak,nonnull-attribute -fno-sanitize-recover=all -fsanitize-address-use-after-scope" > + - export CXXFLAGS="$CFLAGS" > + - dash ./configure --cache-file cache/config.cache --disable-guile --disable-doc --disable-hardware-acceleration > + - sed -i 's/-Werror/-Wno-parentheses -Werror/g' src/Makefile > - make -j$(nproc) > - - make check -j$(nproc) > - - CFLAGS="-std=c99 -fsanitize=undefined -fsanitize=bool -fsanitize=alignment -fsanitize=null -fsanitize=bounds-strict -fsanitize=enum -fno-sanitize-recover -g -O2" CXXFLAGS=$CFLAGS LDFLAGS="-static-libubsan" dash ./configure > - --cache-file cache/config.cache --disable-non-suiteb-curves --disable-guile --disable-doc --disable-full-test-suite --with-default-trust-store-pkcs11="pkcs11:" > + - sed -i 's/-Werror//g' fuzz/Makefile tests/Makefile tests/slow/Makefile I think a comment such as: "# This ensures that `cipher-override.c` which uses deprecated APIs still compiles" would be helpful to give 
context. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1136#note_266493329 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Jan 2 14:55:51 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 02 Jan 2020 13:55:51 +0000 Subject: [gnutls-devel] GnuTLS | tests: use newer nettle APIs in cipher-override.c (!1149) References: Message-ID: Nikos Mavrogiannopoulos created a merge request: https://gitlab.com/gnutls/gnutls/merge_requests/1149 Project:Branches: nmav/gnutls:tmp-fix-slow-tests to gnutls/gnutls:master Author: Nikos Mavrogiannopoulos This fixes warnings seen. ## Checklist * [ ] Commits have `Signed-off-by:` with name/author being identical to the commit author * [ ] Code modified for feature * [ ] Test suite updated with functionality tests * [ ] Test suite updated with negative tests * [ ] Documentation updated / NEWS entry present (for non-trivial changes) * [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout) ## Reviewer's checklist: * [ ] Any issues marked for closing are addressed * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md` * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1149 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Jan 2 14:56:09 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 02 Jan 2020 13:56:09 +0000 Subject: [gnutls-devel] GnuTLS | UB+ASAN: Fail tests if UB detected (!1136) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos commented on a discussion on .gitlab-ci.yml: https://gitlab.com/gnutls/gnutls/merge_requests/1136#note_266495147 > - - make -j$(nproc) -C gl > - - make -j$(nproc) -C lib CFLAGS="-Werror -O2 -g -Wimplicit-fallthrough=2" > - - make -j$(nproc) -C libdane CFLAGS="-Werror -O2 -g -Wimplicit-fallthrough=2" > - - make -j$(nproc) -C src/gl > - - make -j$(nproc) -C src CFLAGS="-Werror -O2 -g -fsanitize=undefined -Wno-error=parentheses -Wno-error=unused-macros -Wimplicit-fallthrough=2 -Wno-duplicated-branches" > + - export UBSAN_OPTIONS=print_stacktrace=1:suppressions=$(pwd)/devel/ubsan.supp > + - export LSAN_OPTIONS=suppressions=$(pwd)/devel/lsan.supp > + - export CFLAGS="-std=c99 -O1 -g -Wno-cpp -Werror -fno-omit-frame-pointer -fsanitize=undefined,bool,alignment,null,enum,bounds-strict,address,leak,nonnull-attribute -fno-sanitize-recover=all -fsanitize-address-use-after-scope" > + - export CXXFLAGS="$CFLAGS" > + - dash ./configure --cache-file cache/config.cache --disable-guile --disable-doc --disable-hardware-acceleration > + - sed -i 's/-Werror/-Wno-parentheses -Werror/g' src/Makefile > - make -j$(nproc) > - - make check -j$(nproc) > - - CFLAGS="-std=c99 -fsanitize=undefined -fsanitize=bool -fsanitize=alignment -fsanitize=null -fsanitize=bounds-strict -fsanitize=enum -fno-sanitize-recover -g -O2" CXXFLAGS=$CFLAGS LDFLAGS="-static-libubsan" dash ./configure > - --cache-file cache/config.cache --disable-non-suiteb-curves --disable-guile --disable-doc --disable-full-test-suite --with-default-trust-store-pkcs11="pkcs11:" > + - sed -i 's/-Werror//g' fuzz/Makefile tests/Makefile tests/slow/Makefile Actually that was easy to fix. 
I've put https://gitlab.com/gnutls/gnutls/merge_requests/1149 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1136#note_266495147 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Jan 2 15:12:18 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 02 Jan 2020 14:12:18 +0000 Subject: [gnutls-devel] GnuTLS | tests: use newer nettle APIs in cipher-override.c (!1149) In-Reply-To: References: Message-ID: Merge Request !1149 was approved by Tim Rühsen Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/1149 Project:Branches: nmav/gnutls:tmp-fix-slow-tests to gnutls/gnutls:master Author: Nikos Mavrogiannopoulos Assignees: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1149 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Jan 2 15:15:24 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 02 Jan 2020 14:15:24 +0000 Subject: [gnutls-devel] GnuTLS | ecore cli: updated and rewritten to use libev (!1148) In-Reply-To: References: Message-ID: Tim Rühsen commented: Great ! Do you care about the CI images !? I split !1136 into two parts (gcc and clang) and rebase when this is merged. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1148#note_266502299 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Jan 2 15:16:27 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 02 Jan 2020 14:16:27 +0000 Subject: [gnutls-devel] GnuTLS | ecore cli: updated and rewritten to use libev (!1148) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos pushed new commits to merge request !1148 https://gitlab.com/gnutls/gnutls/merge_requests/1148 * dd974b50 - ecore cli: updated and rewritten to use libev -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1148 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Jan 2 15:17:22 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 02 Jan 2020 14:17:22 +0000 Subject: [gnutls-devel] GnuTLS | ecore cli: updated and rewritten to use libev (!1148) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos commented: I've added libev into them. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1148#note_266503011 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Jan 2 15:26:04 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 02 Jan 2020 14:26:04 +0000 Subject: [gnutls-devel] GnuTLS | ecore cli: updated and rewritten to use libev (!1148) In-Reply-To: References: Message-ID: Tim R?hsen commented: Debian already failed with something unrelated. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1148#note_266506159 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Jan 2 15:26:18 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 02 Jan 2020 14:26:18 +0000
Subject: [gnutls-devel] GnuTLS | ecore cli: updated and rewritten to use libev (!1148)

Nikos Mavrogiannopoulos pushed new commits to merge request !1148
https://gitlab.com/gnutls/gnutls/merge_requests/1148

* e4457ce4 - ecore cli: updated and rewritten to use libev

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1148

From gnutls-devel at lists.gnutls.org Thu Jan 2 15:26:56 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 02 Jan 2020 14:26:56 +0000
Subject: [gnutls-devel] GnuTLS | ecore cli: updated and rewritten to use libev (!1148)

Nikos Mavrogiannopoulos pushed new commits to merge request !1148
https://gitlab.com/gnutls/gnutls/merge_requests/1148

* 50a36aff - ecore cli: updated and rewritten to use libev

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1148

From gnutls-devel at lists.gnutls.org Thu Jan 2 15:38:24 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 02 Jan 2020 14:38:24 +0000
Subject: [gnutls-devel] GnuTLS | ecore cli: updated and rewritten to use libev (!1148)

Nikos Mavrogiannopoulos pushed new commits to merge request !1148
https://gitlab.com/gnutls/gnutls/merge_requests/1148

* c9fe278f - ecore cli: updated and rewritten to use libev

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1148

From gnutls-devel at lists.gnutls.org Thu Jan 2 15:42:52 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 02 Jan 2020 14:42:52 +0000
Subject: [gnutls-devel] GnuTLS | ecore cli: updated and rewritten to use libev (!1148)

Nikos Mavrogiannopoulos pushed new commits to merge request !1148
https://gitlab.com/gnutls/gnutls/merge_requests/1148

* 34db325a - ecore cli: updated and rewritten to use libev

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1148

From gnutls-devel at lists.gnutls.org Thu Jan 2 15:47:15 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 02 Jan 2020 14:47:15 +0000
Subject: [gnutls-devel] GnuTLS | ecore cli: updated and rewritten to use libev (!1148)

Nikos Mavrogiannopoulos pushed new commits to merge request !1148
https://gitlab.com/gnutls/gnutls/merge_requests/1148

* 13184850 - ecore cli: updated and rewritten to use libev

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1148

From gnutls-devel at lists.gnutls.org Thu Jan 2 16:06:19 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 02 Jan 2020 15:06:19 +0000
Subject: [gnutls-devel] GnuTLS | tests: use newer nettle APIs in cipher-override.c (!1149)

Merge Request !1149 was merged

Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/1149
Project:Branches: nmav/gnutls:tmp-fix-slow-tests to gnutls/gnutls:master
Author: Nikos Mavrogiannopoulos
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1149

From gnutls-devel at lists.gnutls.org Thu Jan 2 16:10:07 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 02 Jan 2020 15:10:07 +0000
Subject: [gnutls-devel] GnuTLS | ecore cli: updated and rewritten to use libev (!1148)

Nikos Mavrogiannopoulos commented:

Hmmm, it was more tricky than expected, we should be there though. The Fedora CI is still missing libev. Most likely that will be fixed with the latest image update.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1148#note_266522746

From gnutls-devel at lists.gnutls.org Thu Jan 2 17:18:03 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 02 Jan 2020 16:18:03 +0000
Subject: [gnutls-devel] GnuTLS | UB+ASAN: Fail tests if UB detected (!1136)

Tim Rühsen pushed new commits to merge request !1136
https://gitlab.com/gnutls/gnutls/merge_requests/1136

* fba9533e...3cfa1699 - 6 commits from branch `master`
* 8941cacd - UBSAN: Fail tests if UB detected
* a9a3a97d - Fix implicit value change in verify-high.c
* b908dfb0 - handshake.c: Suppress warning in fuzzing build
* 3353a7ee - rnd-fuzzer.c: Suppress shift sanitization check
* 277c59a6 - status_request.c: Silence -Wsign-compare
* 22f8dbe0 - certtool-cfg.c: Silence -Wunused-variable if HAVE_IPV6 not set
* 4c33bfa8 - Fix 2x -Wunused-function in tests/
* dc95c245 - Fix "left shift cannot be represented in type 'int'" in hello_ext.[ch]
* 6b3e054f - Use check_for_datefudge in tests
* 7c341581 - Fix NULL ptr access in _gnutls_iov_iter_next()
* 7608af02 - Fix '-Werror=unused-const-variable=' in fuzz/

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1136

From gnutls-devel at lists.gnutls.org Thu Jan 2 17:23:12 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 02 Jan 2020 16:23:12 +0000
Subject: [gnutls-devel] GnuTLS | UB+ASAN: Fail tests if UB detected (!1136)

Tim Rühsen commented on a discussion on .gitlab-ci.yml: https://gitlab.com/gnutls/gnutls/merge_requests/1136#note_266554253

> + - export UBSAN_OPTIONS=print_stacktrace=1:suppressions=$(pwd)/devel/ubsan.supp > + - export LSAN_OPTIONS=suppressions=$(pwd)/devel/lsan.supp > + - export CFLAGS="-std=c99 -O1 -g -Wno-cpp -Werror -fno-omit-frame-pointer -fsanitize=undefined,bool,alignment,null,enum,bounds-strict,address,leak,nonnull-attribute -fno-sanitize-recover=all -fsanitize-address-use-after-scope" > + - export CXXFLAGS="$CFLAGS" > + - dash ./configure --cache-file cache/config.cache --disable-guile --disable-doc --disable-hardware-acceleration > + - sed -i 's/-Werror/-Wno-parentheses -Werror/g' src/Makefile > - make -j$(nproc) > - - make check -j$(nproc) > - - CFLAGS="-std=c99 -fsanitize=undefined -fsanitize=bool -fsanitize=alignment -fsanitize=null -fsanitize=bounds-strict -fsanitize=enum -fno-sanitize-recover -g -O2" CXXFLAGS=$CFLAGS LDFLAGS="-static-libubsan" dash ./configure > - --cache-file cache/config.cache --disable-non-suiteb-curves --disable-guile --disable-doc --disable-full-test-suite --with-default-trust-store-pkcs11="pkcs11:" > + - sed -i 's/-Werror//g' fuzz/Makefile tests/Makefile tests/slow/Makefile > + - make check -j$(nproc) -C fuzz > + - make check -j$(nproc) -C tests > + - dash ./configure --cache-file cache/config.cache --disable-guile --disable-doc --disable-hardware-acceleration --with-default-trust-store-pkcs11="pkcs11:" > - make clean > + - sed -i 's/-Werror/-Wno-parentheses -Werror/g' src/Makefile

Because of several autogen issues like this:

```
cli-debug-args.c:345:41: error: suggest parentheses around arithmetic in operand of '|' [-Werror=parentheses]
  345 | # define OPTPROC_BASE OPTPROC_TRANSLATE | OPTPROC_NXLAT_OPT
      |                                         ^
```

IMO, a comment in `.gitlab-ci.yml` is not needed since we all see these warnings every time we compile.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1136#note_266554253

From gnutls-devel at lists.gnutls.org Thu Jan 2 17:24:42 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 02 Jan 2020 16:24:42 +0000
Subject: [gnutls-devel] GnuTLS | UB+ASAN: Fail tests if UB detected (!1136)

Tim Rühsen commented:

Reduced to gcc UB+ASAN only. Will open another MR for adding the clang UB-ASAN runner.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1136#note_266554793

From gnutls-devel at lists.gnutls.org Thu Jan 2 17:25:18 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 02 Jan 2020 16:25:18 +0000
Subject: [gnutls-devel] GnuTLS | UB+ASAN: Fail tests if UB detected (!1136)

Tim Rühsen commented on a discussion on devel/ubsan.supp: https://gitlab.com/gnutls/gnutls/merge_requests/1136#note_266554995

> +unsigned-integer-overflow:str-two-way.h > + > +# tests/mini-overhead won't terminate > +unsigned-integer-overflow:rsa.c

Removed as not needed for the gcc sanitizer.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1136#note_266554995

From gnutls-devel at lists.gnutls.org Thu Jan 2 17:30:00 2020
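Review bot: in the `.gitlab-ci.yml` hunk quoted in the !1136 discussion (note_266554253), the added step `sed -i 's/-Werror//g' fuzz/Makefile tests/Makefile tests/slow/Makefile` uses an unanchored pattern, so any flag of the form `-Werror=<warning>` in those generated Makefiles would be cut down to a stray `=<warning>` token on the compiler command line. Match only the bare flag, or pass the relaxed warning flags to the `fuzz` and `tests` builds rather than editing generated files. The same hunk also drops `--disable-non-suiteb-curves` and `--disable-full-test-suite` from the second `./configure` run, which widens what the job tests; the MR description should say so, since it affects CI run time.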
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 02 Jan 2020 16:30:00 +0000
Subject: [gnutls-devel] GnuTLS | UB+ASAN: Fail tests if UB detected (!1136)

Tim Rühsen commented:

Fedora 29-31 images fail to upload:
`Error committing the finished image: error adding layer with blob "sha256:5a970a0084d29c816f0ac8a7dd217c73229a842f70b3f0be4f16b4b532fa6a2e": Error processing tar file(exit status 1): write /usr/lib64/libLLVM-9.so: no space left on device`

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1136#note_266557948

From gnutls-devel at lists.gnutls.org Thu Jan 2 17:54:45 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 02 Jan 2020 16:54:45 +0000
Subject: [gnutls-devel] GnuTLS | WIP: algorithms: implement X448 key exchange and Ed448 signature scheme (!984)

Merge Request !984 was reopened by Daiki Ueno

Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/984
Branches: tmp-ed448 to master
Author: Daiki Ueno
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/984

From gnutls-devel at lists.gnutls.org Thu Jan 2 20:55:34 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 02 Jan 2020 19:55:34 +0000
Subject: [gnutls-devel] libtasn1 | .gitlab-ci.yml: use fedora 31 (!54)

Nikos Mavrogiannopoulos created a merge request: https://gitlab.com/gnutls/libtasn1/merge_requests/54

Branches: tmp-update-to-f31 to master
Author: Nikos Mavrogiannopoulos

This updates CI to use fedora 31, removing the need to keep f30 as a built image.

## Checklist
* [ ] Code modified for feature
* [ ] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated

## Reviewer's checklist:
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent with other code
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/merge_requests/54

From gnutls-devel at lists.gnutls.org Thu Jan 2 21:54:10 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 02 Jan 2020 20:54:10 +0000
Subject: [gnutls-devel] GnuTLS | UB+ASAN: Fail tests if UB detected (!1136)

Nikos Mavrogiannopoulos commented:

We may have overblown that image and there may be a lower limit from gitlab.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1136#note_266631208

From gnutls-devel at lists.gnutls.org Thu Jan 2 21:59:49 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 02 Jan 2020 20:59:49 +0000
Subject: [gnutls-devel] libtasn1 | .gitlab-ci.yml: use fedora 31 (!54)

Merge Request !54 was merged

Merge Request url: https://gitlab.com/gnutls/libtasn1/merge_requests/54
Branches: tmp-update-to-f31 to master
Author: Nikos Mavrogiannopoulos
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/merge_requests/54

From gnutls-devel at lists.gnutls.org Thu Jan 2 22:00:18 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 02 Jan 2020 21:00:18 +0000
Subject: [gnutls-devel] build-images | fedora30: split into fedora and mingw (!27)

Nikos Mavrogiannopoulos created a merge request: https://gitlab.com/gnutls/build-images/merge_requests/27

Branches: tmp-separate-mingw to master
Author: Nikos Mavrogiannopoulos

This allows for two smaller images that can be used to test different cases. The rename allows depending on the latest version without CI changes.

Signed-off-by: Nikos Mavrogiannopoulos

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/build-images/merge_requests/27

From gnutls-devel at lists.gnutls.org Fri Jan 3 08:36:10 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 03 Jan 2020 07:36:10 +0000
Subject: [gnutls-devel] GnuTLS | ecore cli: updated and rewritten to use libev (!1148)

Nikos Mavrogiannopoulos pushed new commits to merge request !1148
https://gitlab.com/gnutls/gnutls/merge_requests/1148

* d4a1f69b...3cfa1699 - 2 commits from branch `master`
* cf714621 - ecore cli: updated and rewritten to use libev

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1148

From gnutls-devel at lists.gnutls.org Fri Jan 3 08:55:53 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 03 Jan 2020 07:55:53 +0000
Subject: [gnutls-devel] GnuTLS | ecore cli: updated and rewritten to use libev (!1148)

Nikos Mavrogiannopoulos pushed new commits to merge request !1148
https://gitlab.com/gnutls/gnutls/merge_requests/1148

* e0fc66ad - ecore cli: updated and rewritten to use libev
* e9586ee8 - tests/suite: do not include scripts into dist

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1148

From gnutls-devel at lists.gnutls.org Fri Jan 3 09:36:44 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 03 Jan 2020 08:36:44 +0000
Subject: [gnutls-devel] GnuTLS | ecore cli: updated and rewritten to use libev (!1148)

Nikos Mavrogiannopoulos pushed new commits to merge request !1148
https://gitlab.com/gnutls/gnutls/merge_requests/1148

* 544e1aae - ecore cli: updated and rewritten to use libev
* baf30be8 - tests/suite: do not include scripts into dist

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1148

From gnutls-devel at lists.gnutls.org Fri Jan 3 09:43:30 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 03 Jan 2020 08:43:30 +0000
Subject: [gnutls-devel] GnuTLS | ecore cli: updated and rewritten to use libev (!1148)

Nikos Mavrogiannopoulos pushed new commits to merge request !1148
https://gitlab.com/gnutls/gnutls/merge_requests/1148

* acb025f0 - 1 commit from branch `master`
* f0b41c5d - ecore cli: updated and rewritten to use libev
* caf49d00 - tests/suite: do not include scripts into dist

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1148

From gnutls-devel at lists.gnutls.org Fri Jan 3 09:47:01 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 03 Jan 2020 08:47:01 +0000
Subject: [gnutls-devel] GnuTLS | UB+ASAN: Fail tests if UB detected (!1136)

Nikos Mavrogiannopoulos commented:

I've split the mingw/wine image from the main builder images resulting to much smaller images. You may want to rebase this on master.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1136#note_266742709

From gnutls-devel at lists.gnutls.org Fri Jan 3 10:16:01 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 03 Jan 2020 09:16:01 +0000
Subject: [gnutls-devel] GnuTLS | No default verification profile (#895)

Nikos Mavrogiannopoulos created an issue: https://gitlab.com/gnutls/gnutls/issues/895

When verifying a certificate and checking for acceptable parameters we do not set a system-wide verification profile outside TLS connections. A verification profile is now only added using a configuration parameter. We should provide in a major update a default verification profile that corresponds to NORMAL level.

Affected functions: is_level_acceptable()

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/895

From gnutls-devel at lists.gnutls.org Fri Jan 3 10:18:57 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 03 Jan 2020 09:18:57 +0000
Subject: [gnutls-devel] GnuTLS | UB+ASAN: Fail tests if UB detected (!1136)

Tim Rühsen pushed new commits to merge request !1136
https://gitlab.com/gnutls/gnutls/merge_requests/1136

* acb025f0 - 1 commit from branch `master`
* b7d3b604 - UBSAN: Fail tests if UB detected
* 2e3dd625 - Fix implicit value change in verify-high.c
* a9522f9c - handshake.c: Suppress warning in fuzzing build
* 8700fe03 - rnd-fuzzer.c: Suppress shift sanitization check
* 4a8a03d3 - status_request.c: Silence -Wsign-compare
* 48a95ea7 - certtool-cfg.c: Silence -Wunused-variable if HAVE_IPV6 not set
* 299781c7 - Fix 2x -Wunused-function in tests/
* 77ae9486 - Fix "left shift cannot be represented in type 'int'" in hello_ext.[ch]
* 7f5620ee - Use check_for_datefudge in tests
* 3f616fe5 - Fix NULL ptr access in _gnutls_iov_iter_next()
* 72deaf98 - Fix '-Werror=unused-const-variable=' in fuzz/

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1136

From gnutls-devel at lists.gnutls.org Fri Jan 3 10:39:11 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 03 Jan 2020 09:39:11 +0000
Subject: [gnutls-devel] GnuTLS | ecore cli: updated and rewritten to use libev (!1148)

Nikos Mavrogiannopoulos commented:

@rockdaboot it was a long fight but I think we no longer need to ship the ecore code!

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1148#note_266761565

From gnutls-devel at lists.gnutls.org Fri Jan 3 10:43:13 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 03 Jan 2020 09:43:13 +0000
Subject: [gnutls-devel] GnuTLS | ecore cli: updated and rewritten to use libev (!1148)

Tim Rühsen commented:

@nmav That is really awesome ! Dropping that legacy code is a good choice :-)

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1148#note_266763402

From gnutls-devel at lists.gnutls.org Fri Jan 3 10:44:23 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 03 Jan 2020 09:44:23 +0000
Subject: [gnutls-devel] GnuTLS | UB+ASAN: Fail tests if UB detected (!1136)

Nikos Mavrogiannopoulos started a new discussion on .gitlab-ci.yml: https://gitlab.com/gnutls/gnutls/merge_requests/1136#note_266763821

> retry: 1 > > # Two runs, one with normal backend and another with pkcs11 trust store > -ubsan-Werror.Fedora.x86_64:

I thought I had already commented about it, but could not find it. Shouldn't we remove the separate asan build if we are merging it with ubsan?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1136#note_266763821

From gnutls-devel at lists.gnutls.org Fri Jan 3 10:56:27 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 03 Jan 2020 09:56:27 +0000
Subject: [gnutls-devel] GnuTLS | x509: reject certificates having duplicate extensions (!1145)

Nikos Mavrogiannopoulos pushed new commits to merge request !1145
https://gitlab.com/gnutls/gnutls/merge_requests/1145

* fba9533e...acb025f0 - 11 commits from branch `master`
* af83068f - x509: reject certificates having duplicate extensions
* 91e81138 - fuzz: import certificate with and without sanity checks
* dad16399 - gnutls_x509_crt_get_extension_info: optimize when critical equals NULL

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1145

From gnutls-devel at lists.gnutls.org Fri Jan 3 10:59:17 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 03 Jan 2020 09:59:17 +0000
Subject: [gnutls-devel] build-images | fedora30: split into fedora and mingw (!27)

Merge Request !27 was closed by Nikos Mavrogiannopoulos

Merge Request url: https://gitlab.com/gnutls/build-images/merge_requests/27
Branches: tmp-separate-mingw to master
Author: Nikos Mavrogiannopoulos
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/build-images/merge_requests/27

From gnutls-devel at lists.gnutls.org Fri Jan 3 11:15:29 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 03 Jan 2020 10:15:29 +0000
Subject: [gnutls-devel] GnuTLS | ecore cli: updated and rewritten to use libev (!1148)

Merge Request !1148 was approved by Tim Rühsen

Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/1148
Branches: tmp-libev to master
Author: Nikos Mavrogiannopoulos
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1148

From gnutls-devel at lists.gnutls.org Fri Jan 3 11:33:14 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 03 Jan 2020 10:33:14 +0000
Subject: [gnutls-devel] GnuTLS | ecore_event_handler_add(): member access within null pointer of type 'struct Ecore_Event_Handler' (#884)

Issue was closed by Nikos Mavrogiannopoulos via merge request !1148 (https://gitlab.com/gnutls/gnutls/merge_requests/1148)

Issue #884: https://gitlab.com/gnutls/gnutls/issues/884

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/884

From gnutls-devel at lists.gnutls.org Fri Jan 3 11:33:14 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 03 Jan 2020 10:33:14 +0000
Subject: [gnutls-devel] GnuTLS | ecore cli: updated and rewritten to use libev (!1148)

Merge Request !1148 was merged

Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/1148
Branches: tmp-libev to master
Author: Nikos Mavrogiannopoulos
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1148

From gnutls-devel at lists.gnutls.org Fri Jan 3 11:34:47 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 03 Jan 2020 10:34:47 +0000
Subject: [gnutls-devel] GnuTLS | UB+ASAN: Fail tests if UB detected (!1136)

Tim Rühsen pushed new commits to merge request !1136
https://gitlab.com/gnutls/gnutls/merge_requests/1136

* f0b41c5d...55cf9d1d - 3 commits from branch `master`
* 420133ab - UBSAN: Fail tests if UB detected
* bc346caa - Fix implicit value change in verify-high.c
* 415c25aa - handshake.c: Suppress warning in fuzzing build
* 035fe5ac - rnd-fuzzer.c: Suppress shift sanitization check
* 348c2b66 - status_request.c: Silence -Wsign-compare
* 8592153f - certtool-cfg.c: Silence -Wunused-variable if HAVE_IPV6 not set
* 0fa5dc50 - Fix 2x -Wunused-function in tests/
* 20eceef4 - Fix "left shift cannot be represented in type 'int'" in hello_ext.[ch]
* 65546301 - Use check_for_datefudge in tests
* 7294cf93 - Fix NULL ptr access in _gnutls_iov_iter_next()
* 47277554 - Fix '-Werror=unused-const-variable=' in fuzz/

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1136

From gnutls-devel at lists.gnutls.org Fri Jan 3 11:40:28 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 03 Jan 2020 10:40:28 +0000
Subject: [gnutls-devel] GnuTLS | Fixes dummy getrandom() when errno = EAGAIN. (!1150)

Edward Stangler created a merge request: https://gitlab.com/gnutls/gnutls/merge_requests/1150

Project:Branches: estanglerbm/gnutls:estanglerbm-getrandom to gnutls/gnutls:master
Author: Edward Stangler

Fixes dummy getrandom() when errno = EAGAIN.

Fixes #892.

## Checklist
* [X] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [ ] Code modified for feature
* [ ] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
* [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:
* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1150

From gnutls-devel at lists.gnutls.org Fri Jan 3 11:42:04 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 03 Jan 2020 10:42:04 +0000
Subject: [gnutls-devel] GnuTLS | Dummy getrandom() definition can cause have_getrandom() = 1, causing TLS failure (#892)

Edward Stangler commented:

MR sent. Hope I did that right.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/892#note_266786726

From gnutls-devel at lists.gnutls.org Fri Jan 3 11:48:23 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 03 Jan 2020 10:48:23 +0000
Subject: [gnutls-devel] GnuTLS | New CI runner with clang combined ubsan+asan (!1151)

Tim Rühsen created a merge request: https://gitlab.com/gnutls/gnutls/merge_requests/1151

Branches: tmp-clang-ubsan+asan to master
Author: Tim Rühsen

Add a CI runner which combines clang's UBSAN and ASAN.

Together with !1136 (which adds a CI runner for combined gcc's UBSAN + ASAN), this enables us to drop runner 'asan.Fedora.x86_64' after some merging.

## Checklist
* [x] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [ ] Code modified for feature
* [ ] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
* [x] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:
* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1151

From gnutls-devel at lists.gnutls.org Fri Jan 3 11:52:53 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 03 Jan 2020 10:52:53 +0000
Subject: [gnutls-devel] GnuTLS | SSL-3.0 CI runner fails unrecognized (#896)
References:
Message-ID:

Tim Rühsen created an issue: https://gitlab.com/gnutls/gnutls/issues/896

The runner shows green/success, but fails early with

```
3051 $ mkdir -p build && cd build && dash ../configure --disable-tls13-interop --disable-gcc-warnings --cache-file ../cache/config.cache --enable-sha1-support --enable-ssl3-support --enable-seccomp-tests --disable-doc --disable-guile --disable-strict-der-time && make -j$(nproc) && make check -j$(nproc)
3052 /usr/bin/bash: line 109: dash: command not found
```

We should not use `&&` to concatenate commands. Instead each command should be on a separate line to let the runner fail.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/896

From gnutls-devel at lists.gnutls.org Fri Jan 3 11:54:43 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 03 Jan 2020 10:54:43 +0000
Subject: [gnutls-devel] GnuTLS | ecore cli: updated and rewritten to use libev (!1148)
In-Reply-To:
References:
Message-ID:

Dmitry Eremin-Solenikov commented:

Great!

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1148#note_266791278

From gnutls-devel at lists.gnutls.org Fri Jan 3 11:56:51 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 03 Jan 2020 10:56:51 +0000
Subject: [gnutls-devel] GnuTLS | UB+ASAN: Fail tests if UB detected (!1136)
In-Reply-To:
References:
Message-ID:

Tim Rühsen commented on a discussion on .gitlab-ci.yml: https://gitlab.com/gnutls/gnutls/merge_requests/1136#note_266792091

> retry: 1 > > # Two runs, one with normal backend and another with pkcs11 trust store > -ubsan-Werror.Fedora.x86_64:

Right. See my comments on !1151. I think we should do that in a separate MR, as some 'merging' is needed.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1136#note_266792091

From gnutls-devel at lists.gnutls.org Fri Jan 3 11:57:44 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 03 Jan 2020 10:57:44 +0000
Subject: [gnutls-devel] GnuTLS | Fixes dummy getrandom() when errno = EAGAIN. (!1150)
In-Reply-To:
References:
Message-ID:

Dmitry Eremin-Solenikov commented:

Could you please drop the first commit and its reversion?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1150#note_266792495

From gnutls-devel at lists.gnutls.org Fri Jan 3 12:02:41 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 03 Jan 2020 11:02:41 +0000
Subject: [gnutls-devel] GnuTLS | SSL-3.0 CI runner fails unrecognized (#896)
In-Reply-To:
References:
Message-ID:

Nikos Mavrogiannopoulos commented:

I am not sure the `&&` is the issue. I've seen failures like that in various constructions.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/896#note_266797422

From gnutls-devel at lists.gnutls.org Fri Jan 3 12:07:04 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 03 Jan 2020 11:07:04 +0000
Subject: [gnutls-devel] GnuTLS | SSL-3.0 CI runner fails unrecognized (#896)
In-Reply-To:
References:
Message-ID:

Tim Rühsen commented:

AFAIR, I had similar issues with `&&` that could be solved that way.

Do the commands run in bash? Then we could use `set -e`.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/896#note_266805818

From gnutls-devel at lists.gnutls.org Fri Jan 3 12:29:59 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 03 Jan 2020 11:29:59 +0000
Subject: [gnutls-devel] GnuTLS | SSL-3.0 CI runner fails unrecognized (#896)
In-Reply-To:
References:
Message-ID:

Tim Rühsen commented:

I made a test with that Fedora28 image (removed dash ;-)).

Bash is the default shell. A small test script shows that `set -e` within the script did not stop the script on the missing `dash` when more commands were concatenated with `&&`. With each command on a separate line, the script stopped at the error (as it should).

My conclusion: do not use `&&` in the CI yaml, as long as you want to stop the runner on (any) error.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/896#note_266816264

From gnutls-devel at lists.gnutls.org Fri Jan 3 12:54:44 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 03 Jan 2020 11:54:44 +0000
Subject: [gnutls-devel] GnuTLS | SSL-3.0 CI runner fails unrecognized (#896)
In-Reply-To:
References:
Message-ID:

Nikos Mavrogiannopoulos commented:

Ok, would you like to create an MR to remove the '&&' from the config?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/896#note_266824009

From gnutls-devel at lists.gnutls.org Fri Jan 3 12:59:47 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 03 Jan 2020 11:59:47 +0000
Subject: [gnutls-devel] GnuTLS | UB+ASAN: Fail tests if UB detected (!1136)
In-Reply-To:
References:
Message-ID:

Nikos Mavrogiannopoulos commented on a discussion on .gitlab-ci.yml: https://gitlab.com/gnutls/gnutls/merge_requests/1136#note_266825796

> retry: 1 > > # Two runs, one with normal backend and another with pkcs11 trust store > -ubsan-Werror.Fedora.x86_64:

I am not sure which comments you mean. I checked it but I do not see anything relevant to the asan. Note that here I mean that you are adding a duplicate of the 'asan' runner as part of the UB+asan runner. Is that correct, or is it not a duplicate?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1136#note_266825796

From gnutls-devel at lists.gnutls.org Fri Jan 3 13:04:35 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 03 Jan 2020 12:04:35 +0000
Subject: [gnutls-devel] GnuTLS | UB+ASAN: Fail tests if UB detected (!1136)
In-Reply-To:
References:
Message-ID:

Tim Rühsen commented on a discussion on .gitlab-ci.yml: https://gitlab.com/gnutls/gnutls/merge_requests/1136#note_266828078

> retry: 1 > > # Two runs, one with normal backend and another with pkcs11 trust store > -ubsan-Werror.Fedora.x86_64:

In the MR description. The old asan runner does some more/different stuff, just compare.

Of course I can merge that within the MR and drop the old runner. Is that what you ask for?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1136#note_266828078

From gnutls-devel at lists.gnutls.org Fri Jan 3 13:10:23 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 03 Jan 2020 12:10:23 +0000
Subject: [gnutls-devel] GnuTLS | Fixes dummy getrandom() when errno = EAGAIN. (!1150)
In-Reply-To:
References:
Message-ID:

Edward Stangler pushed new commits to merge request !1150
https://gitlab.com/gnutls/gnutls/merge_requests/1150

* c30b616f - Fixes dummy getrandom() when errno = EAGAIN.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1150

From gnutls-devel at lists.gnutls.org Fri Jan 3 13:12:27 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 03 Jan 2020 12:12:27 +0000
Subject: [gnutls-devel] GnuTLS | Fixes dummy getrandom() when errno = EAGAIN. (!1150)
In-Reply-To:
References:
Message-ID:

Edward Stangler commented:

Done, I think.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1150#note_266831470

From gnutls-devel at lists.gnutls.org Fri Jan 3 13:20:52 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 03 Jan 2020 12:20:52 +0000
Subject: [gnutls-devel] GnuTLS | SSL-3.0 CI runner fails unrecognized (#896)
In-Reply-To:
References:
Message-ID:

Tim Rühsen commented:

Just pushed branch `tmp-ci-remove-command-concat`. I'll create an MR when the pipeline succeeds.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/896#note_266833939

From gnutls-devel at lists.gnutls.org Fri Jan 3 13:50:10 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 03 Jan 2020 12:50:10 +0000
Subject: [gnutls-devel] GnuTLS | UB+ASAN: Fail tests if UB detected (!1136)
In-Reply-To:
References:
Message-ID:

Nikos Mavrogiannopoulos commented on a discussion on .gitlab-ci.yml: https://gitlab.com/gnutls/gnutls/merge_requests/1136#note_266844137

> retry: 1 > > # Two runs, one with normal backend and another with pkcs11 trust store > -ubsan-Werror.Fedora.x86_64:

I see that it additionally runs the fuzzer test suite for the various CPUID overrides:

```
make -C fuzz check -j$(nproc) GNUTLS_CPUID_OVERRIDE=
```

and the additional run of

```
make -C tests check -j$(nproc) TESTS="trust-store p11-kit-load.sh priority-init2 set-default-prio" SUBDIRS=.
```

I think it makes sense to merge these to the new runner as there is little value to run them separately and in fact they can benefit from the ubsan runner as well.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1136#note_266844137

From gnutls-devel at lists.gnutls.org Fri Jan 3 13:50:51 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 03 Jan 2020 12:50:51 +0000
Subject: [gnutls-devel] GnuTLS | UB+ASAN: Fail tests if UB detected (!1136)
In-Reply-To:
References:
Message-ID:

Nikos Mavrogiannopoulos commented on a discussion on .gitlab-ci.yml: https://gitlab.com/gnutls/gnutls/merge_requests/1136#note_266844426

> retry: 1 > > # Two runs, one with normal backend and another with pkcs11 trust store > -ubsan-Werror.Fedora.x86_64:

Let me provide a patch on top of what you have.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1136#note_266844426

From gnutls-devel at lists.gnutls.org Fri Jan 3 13:55:18 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 03 Jan 2020 12:55:18 +0000
Subject: [gnutls-devel] GnuTLS | UB+ASAN: Fail tests if UB detected (!1136)
In-Reply-To:
References:
Message-ID:

Nikos Mavrogiannopoulos pushed new commits to merge request !1136
https://gitlab.com/gnutls/gnutls/merge_requests/1136

* d367f1c3 - .gitlab-ci.yml: merged ASAN and UBSAN runs

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1136

From gnutls-devel at lists.gnutls.org Fri Jan 3 13:56:41 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 03 Jan 2020 12:56:41 +0000
Subject: [gnutls-devel] GnuTLS | UB+ASAN: Fail tests if UB detected (!1136)
In-Reply-To:
References:
Message-ID:

Nikos Mavrogiannopoulos pushed new commits to merge request !1136
https://gitlab.com/gnutls/gnutls/merge_requests/1136

* 57c39b9f - .gitlab-ci.yml: merged ASAN and UBSAN runs

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1136

From gnutls-devel at lists.gnutls.org Fri Jan 3 13:57:26 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 03 Jan 2020 12:57:26 +0000
Subject: [gnutls-devel] GnuTLS | UB+ASAN: Fail tests if UB detected (!1136)
In-Reply-To:
References:
Message-ID:

Nikos Mavrogiannopoulos pushed new commits to merge request !1136
https://gitlab.com/gnutls/gnutls/merge_requests/1136

* 482bf0d2 - .gitlab-ci.yml: merged ASAN and UBSAN runs

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1136

From gnutls-devel at lists.gnutls.org Fri Jan 3 13:59:10 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 03 Jan 2020 12:59:10 +0000
Subject: [gnutls-devel] GnuTLS | UB+ASAN: Fail tests if UB detected (!1136)
In-Reply-To:
References:
Message-ID:

Nikos Mavrogiannopoulos pushed new commits to merge request !1136
https://gitlab.com/gnutls/gnutls/merge_requests/1136

* 1abc1986 - .gitlab-ci.yml: merged ASAN and UBSAN runs

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1136

From gnutls-devel at lists.gnutls.org Fri Jan 3 14:01:17 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 03 Jan 2020 13:01:17 +0000
Subject: [gnutls-devel] GnuTLS | gnutls can't check object identifier value correctly (#886)
In-Reply-To:
References:
Message-ID:

llqll commented:

This problem was discovered when I verified the certificate chain below. The leaf.pem is the leaf certificate. The 1.pem includes the intermediate certificates and the root certificate.

**The command:**

```
certtool --verify --load-ca-certificate 1.pem --infile leaf.pem
```

**The verify result:**

```
Loaded CAs (2 available)
error parsing CRTs: ASN1 parser: Error in DER parsing.
```

The above problem was found through single-step debugging (gnutls can't check object identifier value correctly).

**the leaf.pem:**

**the 1.pem (two certificates):**

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/886#note_266847921
From gnutls-devel at lists.gnutls.org Fri Jan 3 14:14:50 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 03 Jan 2020 13:14:50 +0000
Subject: [gnutls-devel] GnuTLS | UB+ASAN: Fail tests if UB detected (!1136)
In-Reply-To:
References:
Message-ID:

Merge Request !1136 was approved by Nikos Mavrogiannopoulos

Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/1136
Branches: tmp-check-fuzz to master
Author: Tim Rühsen
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1136

From gnutls-devel at lists.gnutls.org Fri Jan 3 14:49:40 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 03 Jan 2020 13:49:40 +0000
Subject: [gnutls-devel] GnuTLS | gnutls can't check object identifier value correctly (#886)
In-Reply-To:
References:
Message-ID:

Nikos Mavrogiannopoulos commented:

Which object identifier is it? Are you sure the encoding is correct? If I use dumpasn1 I get invalid encoding too:

```
<06 11 FA 80 00 00 00 0E 01 0E FA 80 00 00 00 0E 63 6F 6D>
193 17: OBJECT IDENTIFIER ''
: Error: OID has invalid encoding.
```

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/886#note_266865603

From gnutls-devel at lists.gnutls.org Fri Jan 3 14:53:10 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 03 Jan 2020 13:53:10 +0000
Subject: [gnutls-devel] GnuTLS | Remove && command concatenation in .gitlab-ci.yml (!1152)
References:
Message-ID:

Tim Rühsen created a merge request: https://gitlab.com/gnutls/gnutls/merge_requests/1152

Branches: tmp-ci-remove-command-concat to master
Author: Tim Rühsen

Remove command concatenation with `&&` as this may hide failures of commands.

This change revealed an error in documentation, see https://gitlab.com/gnutls/gnutls/-/jobs/393255657.

## Checklist
 * [x] Commits have `Signed-off-by:` with name/author being identical to the commit author
 * [ ] Code modified for feature
 * [ ] Test suite updated with functionality tests
 * [ ] Test suite updated with negative tests
 * [ ] Documentation updated / NEWS entry present (for non-trivial changes)
 * [x] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:
 * [ ] Any issues marked for closing are addressed
 * [ ] There is a test suite reasonably covering new functionality or modifications
 * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
 * [ ] This feature/change has adequate documentation added
 * [ ] No obvious mistakes in the code

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1152

From gnutls-devel at lists.gnutls.org Fri Jan 3 15:07:04 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 03 Jan 2020 14:07:04 +0000
Subject: [gnutls-devel] GnuTLS | gnutls can't check object identifier value correctly (#886)
In-Reply-To:
References:
Message-ID:

llqll commented:

I'm not sure if this oid is valid. This leaf certificate was generated by the fuzzing tool. Its content is

```
Certificate:
Data:
...
Subject: 2.1998768.0.0.14.1.14.1998848.0.0.14.99.111.109 = CN, ST = Guangdong Sheng, L = Shenzhen, O = Shenzhen Tencent Computer Systems Company Limited, OU = R&D, CN = www .qq.com
Subject Public Key Info:
...
```

The oid you detected is 2.1998768.0.0.14.1.14.1998848.0.0.14.99.111.109.

This oid may be invalid, but the problem that the `asn1_get_object_id_der` function always checks the second byte instead of the leading byte of the object identifier value really exists.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/886#note_266872344

From gnutls-devel at lists.gnutls.org Fri Jan 3 16:13:10 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 03 Jan 2020 15:13:10 +0000
Subject: [gnutls-devel] GnuTLS | Remove && command concatenation in .gitlab-ci.yml (!1152)
In-Reply-To:
References:
Message-ID:

Tim Rühsen pushed new commits to merge request !1152
https://gitlab.com/gnutls/gnutls/merge_requests/1152

* 42feb713 - doc/cha-gtls-app.texi: Fix reference to gnutls.texi

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1152

From gnutls-devel at lists.gnutls.org Fri Jan 3 16:31:40 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 03 Jan 2020 15:31:40 +0000 Subject: [gnutls-devel] GnuTLS | gnutls can't check object identifier value correctly (#886) In-Reply-To: References: Message-ID: Issue was moved to another project. New issue location: https://gitlab.com/gnutls/libtasn1/issues/25 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/886 From gnutls-devel at lists.gnutls.org Fri Jan 3 16:31:40 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 03 Jan 2020 15:31:40 +0000 Subject: [gnutls-devel] libtasn1 | gnutls can't check object identifier value correctly (#25) References: Message-ID: llqll created an issue: https://gitlab.com/gnutls/libtasn1/issues/25 An error occurred when I verified a certificate, and the certificate contains an object identifier (TLV) of `"0x06,0x11, 0xfa, 0x80, 0x0, 0x0, 0x0, 0xe, 0x1, 0xe, 0xfa, 0x80,0x0, 0x0, 0x0, 0xe, 0x63, 0x6f"`. The error is "error parsing CRTs: ASN1 parser: Error in DER parsing." Through debugging, I found that an error occurred while parsing that object identifier. The reason is the leading octet has the value 0x80. But, in the object identifier value, the leading octet is 0xfa. The basis of this check is `x.690 8.19` (Encoding of an object identifier value). ![image text](https://github.com/llqll/image/raw/master/g2.png) After careful debugging, I found that the `asn1_get_object_id_der` function always checks the second byte instead of the leading byte of the object identifier value. ![image text](https://github.com/llqll/image/raw/master/g1.png) In lib/decoding.c : asn1_get_object_id_der(), the `der` points to the length of the TLV structure instead of the tag, and `der[len_len + k]` is the second byte of the object identifier value instead of the leading byte. Therefore, the function cannot properly check the encoding of the object identifier. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/issues/25 From gnutls-devel at lists.gnutls.org Fri Jan 3 16:37:21 2020
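The rule the report above relies on (X.690 8.19), as an added example that is not part of the thread and not libtasn1 code: the 0x80 test belongs at the leading octet of every subidentifier, and the first subidentifier may span several octets. The names `oid_decode`, `misplaced_check_rejects` and the sample arrays are hypothetical, and the final octet 0x6d of the reported value is an assumption taken from the dotted OID quoted in the thread.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define OID_OK             0
#define OID_ERR_ENCODING (-1)   /* violates X.690 8.19 */
#define OID_ERR_RANGE    (-2)   /* subidentifier does not fit in 64 bits */
#define OID_ERR_SPACE    (-3)   /* output buffer too small */

/* Content octets of the reported OID (tag 0x06 and length 0x11 stripped).
 * Assumption: the final 0x6d is taken from the dotted form quoted in the
 * thread (...99.111.109); the byte list in the report ends at 0x6f. */
static const uint8_t REPORTED_OID[] = {
    0xfa, 0x80, 0x00, 0x00, 0x00, 0x0e, 0x01, 0x0e, 0xfa,
    0x80, 0x00, 0x00, 0x00, 0x0e, 0x63, 0x6f, 0x6d
};
/* Constructed samples. */
static const uint8_t SHA256_RSA[] = { 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b };
static const uint8_t PADDED_ARC[] = { 0x2a, 0x03, 0x80, 0x01 };  /* 3rd arc begins with 0x80 */
static const uint8_t TRUNCATED[]  = { 0x2a, 0x86 };              /* continuation bit, then end */

static char demo_buf[128];

/* Append one arc in decimal, preceded by '.' unless it is the first. */
static int append_arc(char *out, size_t outlen, size_t *pos, uint64_t arc)
{
    int n = snprintf(out + *pos, outlen - *pos, "%s%llu",
                     *pos ? "." : "", (unsigned long long)arc);
    if (n < 0 || (size_t)n >= outlen - *pos)
        return OID_ERR_SPACE;
    *pos += (size_t)n;
    return OID_OK;
}

/* Decode OBJECT IDENTIFIER content octets into dotted-decimal text.
 * On error, out may hold the arcs decoded so far. */
int oid_decode(const uint8_t *content, size_t len, char *out, size_t outlen)
{
    size_t i = 0, pos = 0;
    int first = 1, rc;

    if (outlen == 0)
        return OID_ERR_SPACE;
    out[0] = '\0';
    if (len == 0)
        return OID_ERR_ENCODING;

    while (i < len) {
        uint64_t v = 0;

        /* 8.19.2: the leading octet of *each* subidentifier must not be
         * 0x80, so the test runs at the start of every subidentifier. */
        if (content[i] == 0x80)
            return OID_ERR_ENCODING;
        for (;;) {
            if (i == len)          /* continuation bit set on the last octet */
                return OID_ERR_ENCODING;
            if (v >> 57)           /* another 7-bit shift would overflow */
                return OID_ERR_RANGE;
            v = (v << 7) | (content[i] & 0x7f);
            if (!(content[i++] & 0x80))
                break;
        }
        if (first) {
            /* 8.19.4: first subidentifier is 40*X + Y with X in {0,1,2};
             * it may span several octets when X is 2. */
            uint64_t x = v < 80 ? v / 40 : 2;
            first = 0;
            if ((rc = append_arc(out, outlen, &pos, x)) != OID_OK)
                return rc;
            v -= 40 * x;
        }
        if ((rc = append_arc(out, outlen, &pos, v)) != OID_OK)
            return rc;
    }
    return OID_OK;
}

/* Model of the behaviour the report describes: the 0x80 test lands on the
 * second octet of the value. Hypothetical helper, not libtasn1 source. */
int misplaced_check_rejects(const uint8_t *content, size_t len)
{
    return len > 1 && content[1] == 0x80;
}

int main(void)
{
    int rc = oid_decode(REPORTED_OID, sizeof REPORTED_OID, demo_buf, sizeof demo_buf);
    printf("reported: rc=%d oid=%s misplaced-check-rejects=%d\n", rc, demo_buf,
           misplaced_check_rejects(REPORTED_OID, sizeof REPORTED_OID));
    rc = oid_decode(PADDED_ARC, sizeof PADDED_ARC, demo_buf, sizeof demo_buf);
    printf("padded:   rc=%d misplaced-check-rejects=%d\n", rc,
           misplaced_check_rejects(PADDED_ARC, sizeof PADDED_ARC));
    rc = oid_decode(TRUNCATED, sizeof TRUNCATED, demo_buf, sizeof demo_buf);
    printf("truncated: rc=%d\n", rc);
    rc = oid_decode(SHA256_RSA, sizeof SHA256_RSA, demo_buf, sizeof demo_buf);
    printf("sha256WithRSAEncryption: rc=%d oid=%s\n", rc, demo_buf);
    return 0;
}
```

The misplaced test fails in both directions: it rejects the reported value, whose second octet is a legitimate continuation octet, and it accepts the constructed `PADDED_ARC`, whose padded subidentifier starts later in the value.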
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 03 Jan 2020 15:37:21 +0000 Subject: [gnutls-devel] libtasn1 | asn1_get_object_id_der: enhance the range of decoded OIDs (!55) References: Message-ID: Nikos Mavrogiannopoulos created a merge request: https://gitlab.com/gnutls/libtasn1/merge_requests/55 Branches: tmp-oid-fix to master Author: Nikos Mavrogiannopoulos The function would only successfully decode OIDs that started with a single octet. This fixes that limitation. ## Checklist * [x] Code modified for feature * [x] Test suite updated with functionality tests * [ ] Test suite updated with negative tests * [x] Documentation updated ## Reviewer's checklist: * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent with other code * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/merge_requests/55 From gnutls-devel at lists.gnutls.org Fri Jan 3 16:38:25 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 03 Jan 2020 15:38:25 +0000 Subject: [gnutls-devel] libtasn1 | gnutls can't check object identifier value correctly (#25) In-Reply-To: References: Message-ID: Reassigned Issue 25 https://gitlab.com/gnutls/libtasn1/issues/25 Assignee changed to Nikos Mavrogiannopoulos -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/issues/25 From gnutls-devel at lists.gnutls.org Fri Jan 3 16:39:23 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 03 Jan 2020 15:39:23 +0000 Subject: [gnutls-devel] GnuTLS | Remove && command concatenation in .gitlab-ci.yml (!1152) In-Reply-To: References: Message-ID: Tim Rühsen commented: @nmav Fedora doesn't package the `dbtoepub` package. So building the epub fails. Since there are many possible solutions, I let you decide / fix. I also tried to fix the external reference using an @xref - but `make syntax-check` doesn't like it. Again, I can't decide what solution you prefer and thus it's the best if you fix it. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1152#note_266911897 From gnutls-devel at lists.gnutls.org Fri Jan 3 16:43:46 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 03 Jan 2020 15:43:46 +0000 Subject: [gnutls-devel] GnuTLS | UB+ASAN: Fail tests if UB detected (!1136) In-Reply-To: References: Message-ID: All discussions on Merge Request !1136 were resolved by Tim Rühsen https://gitlab.com/gnutls/gnutls/merge_requests/1136 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1136 From gnutls-devel at lists.gnutls.org Fri Jan 3 16:43:54 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 03 Jan 2020 15:43:54 +0000 Subject: [gnutls-devel] libtasn1 | gnutls can't check object identifier value correctly (#25) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos commented: Interesting. It seems that the OID decoder in libtasn1 was limited in what it could do, though this report is the first one that I see in the project's lifetime. Let's fix that. I've opened https://gitlab.com/gnutls/libtasn1/merge_requests/55 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/issues/25#note_266913539 From gnutls-devel at lists.gnutls.org Fri Jan 3 16:43:57 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 03 Jan 2020 15:43:57 +0000 Subject: [gnutls-devel] GnuTLS | UB detected, but test suite stays silent (#878) In-Reply-To: References: Message-ID: Issue was closed by Tim Rühsen via merge request !1136 (https://gitlab.com/gnutls/gnutls/merge_requests/1136) Issue #878: https://gitlab.com/gnutls/gnutls/issues/878 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/878 From gnutls-devel at lists.gnutls.org Fri Jan 3 16:43:57 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 03 Jan 2020 15:43:57 +0000 Subject: [gnutls-devel] GnuTLS | lib/iov.c:119: null pointer passed as argument 2 to memcpy() (#882) In-Reply-To: References: Message-ID: Issue was closed by Tim Rühsen via merge request !1136 (https://gitlab.com/gnutls/gnutls/merge_requests/1136) Issue #882: https://gitlab.com/gnutls/gnutls/issues/882 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/882 From gnutls-devel at lists.gnutls.org Fri Jan 3 16:43:57 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 03 Jan 2020 15:43:57 +0000 Subject: [gnutls-devel] GnuTLS | UB+ASAN: Fail tests if UB detected (!1136) In-Reply-To: References: Message-ID: Merge Request !1136 was merged Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/1136 Branches: tmp-check-fuzz to master Author: Tim Rühsen Assignees: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1136 From gnutls-devel at lists.gnutls.org Fri Jan 3 16:47:03 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 03 Jan 2020 15:47:03 +0000 Subject: [gnutls-devel] libtasn1 | Send release announcements to info-gnu@gnu.org (#18) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos commented: Is that necessary? My experience is very limited feedback from that mailing list. What is the expectation from sending it to that list? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/issues/18#note_266914646 From gnutls-devel at lists.gnutls.org Fri Jan 3 16:47:36 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 03 Jan 2020 15:47:36 +0000 Subject: [gnutls-devel] libtasn1 | asn1_get_object_id_der: enhance the range of decoded OIDs (!55) In-Reply-To: References: Message-ID: Milestone changed to Release of libtasn1 4.15.1 ( https://gitlab.com/gnutls/libtasn1/-/milestones/2 ) -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/merge_requests/55 From gnutls-devel at lists.gnutls.org Fri Jan 3 16:51:37 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 03 Jan 2020 15:51:37 +0000 Subject: [gnutls-devel] GnuTLS | New CI runner with clang combined ubsan+asan (!1151) In-Reply-To: References: Message-ID: Tim Rühsen pushed new commits to merge request !1151 https://gitlab.com/gnutls/gnutls/merge_requests/1151 * 1abc1986...804ad246 - 2 commits from branch `master` * 18292c8d - Add runner for combined clang UBSAN+ASAN * 7bdf9680 - Fix -Wtypedef-redefinition in tests/tls13/anti_replay.c * 470ef836 - Fix "implicit conversion from type 'int' of value -1 to 'unsigned'" * 0661f1cd - Fix "implicit conversion from type 'int' of value -1 to 'unsigned'" * f40c1b37 - Fix "implicit conversion from type 'int' of value -1 to 'unsigned'" * 604d3a34 - Fix "implicit conversion from type 'int' of value -1 to 'unsigned'" * 02ddcb95 - Fix "implicit conversion from type 'int' < 0 to 'unsigned'" * ea3fc95c - Fix "implicit conversion from type 'int' < 0 to 'unsigned'" * 6a4dd3be - Fix "implicit conversion from type 'int' -1 to 'unsigned'" * b1086b05 - Fix "implicit conversion from type 'uint32_t' to 'uint8_t' with value >255" * d3647d38 - Fix checks in mpi.c:__gnutls_x509_write_int() * 3d737c92 - Suppress integer UB checks in record.c:record_read_headers() * 929c325f - Fix "implicit conversion from type 'int' -1 to 'unsigned'" -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1151 From gnutls-devel at lists.gnutls.org Fri Jan 3 16:58:14 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 03 Jan 2020 15:58:14 +0000 Subject: [gnutls-devel] GnuTLS | Remove && command concatenation in .gitlab-ci.yml (!1152) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos pushed new commits to merge request !1152 https://gitlab.com/gnutls/gnutls/merge_requests/1152 * 5f359fdb - .gitlab-ci.yml: identify on runtime to db2epub directory -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1152 From gnutls-devel at lists.gnutls.org Fri Jan 3 17:00:13 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 03 Jan 2020 16:00:13 +0000 Subject: [gnutls-devel] GnuTLS | Remove && command concatenation in .gitlab-ci.yml (!1152) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos pushed new commits to merge request !1152 https://gitlab.com/gnutls/gnutls/merge_requests/1152 * c1aa9325 - .gitlab-ci.yml: identify on runtime to db2epub directory -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1152 From gnutls-devel at lists.gnutls.org Fri Jan 3 17:00:26 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 03 Jan 2020 16:00:26 +0000 Subject: [gnutls-devel] GnuTLS | Remove && command concatenation in .gitlab-ci.yml (!1152) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos commented: I'm not sure what is the problem with the `ref`. I'll try to check later if I can. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1152#note_266920346 From gnutls-devel at lists.gnutls.org Fri Jan 3 17:01:06 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 03 Jan 2020 16:01:06 +0000 Subject: [gnutls-devel] libtasn1 | Send release announcements to info-gnu@gnu.org (#18) In-Reply-To: References: Message-ID: Tim Rühsen commented: It is informative to others and it's the central point for GNU releases. I can only refer to my experience from other projects - people (automatically) scan that mailing list and not version tags in a repo (well, maybe some do). I saw the FSF making monthly summaries of new releases as well... where should they get the information from if not from the ML? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/issues/18#note_266920591 From gnutls-devel at lists.gnutls.org Fri Jan 3 17:02:04 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 03 Jan 2020 16:02:04 +0000 Subject: [gnutls-devel] GnuTLS | lib/iov.c:119: null pointer passed as argument 2 to memcpy() (#882) In-Reply-To: References: Message-ID: Daiki Ueno commented: @rockdaboot thanks, and sorry for not getting back to you earlier.
> The Q still is: should we allow iov_base being NULL or not.
That seems like a good point: even though POSIX doesn't mention any limitation on the iov_base value, the empty case can be handled with an empty vector instead. I couldn't find such checks even in Linux kernel's iov_iter.c and related code. So perhaps we should try to fix the caller (crypto-selftests.c) as well. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/882#note_266920990 From gnutls-devel at lists.gnutls.org Fri Jan 3 17:03:54 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 03 Jan 2020 16:03:54 +0000 Subject: [gnutls-devel] libtasn1 | Send release announcements to info-gnu@gnu.org (#18) In-Reply-To: References: Message-ID: Tim Rühsen commented: You likely have a script for preparation and uploading to ftp.gnu.org (if not let me know) - so we can possibly generate the email there as well. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/issues/18#note_266921662 From gnutls-devel at lists.gnutls.org Fri Jan 3 17:07:36 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 03 Jan 2020 16:07:36 +0000 Subject: [gnutls-devel] GnuTLS | lib/iov.c:119: null pointer passed as argument 2 to memcpy() (#882) In-Reply-To: References: Message-ID: Tim Rühsen commented: @dueno NP. I leave that decision to you, there is so much more on my list ;-) -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/882#note_266922932 From gnutls-devel at lists.gnutls.org Fri Jan 3 17:20:23 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 03 Jan 2020 16:20:23 +0000 Subject: [gnutls-devel] GnuTLS | Improving speed of test suite (#674) In-Reply-To: References: Message-ID: Tim Rühsen commented:
> the contribution to the total running time is not clear from the above since we run the tests in parallel
No, the CI runners at Gitlab run in sequence since `$(nproc)` returns 1. Will pick one or another of the tests and profile them. I recognized some tests are just sitting and waiting (0% CPU utilization) for a long time. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/674#note_266927773 From gnutls-devel at lists.gnutls.org Fri Jan 3 17:55:40 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 03 Jan 2020 16:55:40 +0000 Subject: [gnutls-devel] GnuTLS | Speed up CI with more parallelization (#897) References: Message-ID: Tim Rühsen created an issue: https://gitlab.com/gnutls/gnutls/issues/897 Just tested the Debian.x86_64 runner with
```
- make -j2
- make check -j10
```
instead of `-j$(nproc)`. The decrease in time is much, 26m15 compared to 38m15 before. new: https://gitlab.com/rockdaboot/gnutls/-/jobs/393464776 old: https://gitlab.com/rockdaboot/gnutls/-/jobs/393106579 This was just a punch into the dark... possibly we can tune those values to achieve even better results. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/897 From gnutls-devel at lists.gnutls.org Fri Jan 3 19:17:03 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 03 Jan 2020 18:17:03 +0000 Subject: [gnutls-devel] GnuTLS | Speed up CI with more parallelization (#897) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos commented: What about just -j? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/897#note_266964277 From gnutls-devel at lists.gnutls.org Fri Jan 3 20:21:07 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 03 Jan 2020 19:21:07 +0000 Subject: [gnutls-devel] GnuTLS | Speed up CI with more parallelization (#897) In-Reply-To: References: Message-ID: Tim Rühsen commented: Well, just give it a try :-) My thoughts: since we only have one CPU core in a CI, -j2 makes sense for CPU intensive jobs with slightly I/O - like for compiling and linking. Since our test suite often waits with 0% CPU, a slightly larger value would be better. I tried -j10 just as a quick shot. -j4 or -j5 is likely better since with too many parallel CPU intensive processes we might see avoidable cache misses which even slow down the overall time. You can checkout / clone branch `tmp-ci-parallel-tests` from https://gitlab.com/rockdaboot/gnutls.git, change the values and push it. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/897#note_266982680 From gnutls-devel at lists.gnutls.org Fri Jan 3 20:21:14 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 03 Jan 2020 19:21:14 +0000 Subject: [gnutls-devel] GnuTLS | Remove && command concatenation in .gitlab-ci.yml (!1152) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos pushed new commits to merge request !1152 https://gitlab.com/gnutls/gnutls/merge_requests/1152 * f798d173 - doc: updated epub.texi from gnutls.texi -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1152 From gnutls-devel at lists.gnutls.org Fri Jan 3 20:36:04 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 03 Jan 2020 19:36:04 +0000 Subject: [gnutls-devel] GnuTLS | Remove && command concatenation in .gitlab-ci.yml (!1152) In-Reply-To: References: Message-ID: Merge Request !1152 was approved by Nikos Mavrogiannopoulos Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/1152 Branches: tmp-ci-remove-command-concat to master Author: Tim Rühsen Assignees: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1152 From gnutls-devel at lists.gnutls.org Fri Jan 3 20:46:35 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 03 Jan 2020 19:46:35 +0000 Subject: [gnutls-devel] GnuTLS | Speed up CI with more parallelization (#897) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos commented: My point is that any fixed number will be very fragile depending on various factors which we do not control (i.e., how many cpus assigned by the provider, load etc). The `make -j` spawns as much as it can and stops when the cpu load increases. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/897#note_266989803 From gnutls-devel at lists.gnutls.org Fri Jan 3 22:17:45 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 03 Jan 2020 21:17:45 +0000 Subject: [gnutls-devel] GnuTLS | Speed up CI with more parallelization (#897) In-Reply-To: References: Message-ID: Tim Rühsen commented: We have to try it out. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/897#note_267008280 From gnutls-devel at lists.gnutls.org Fri Jan 3 22:34:44 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 03 Jan 2020 21:34:44 +0000 Subject: [gnutls-devel] GnuTLS | Remove && command concatenation in .gitlab-ci.yml (!1152) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos pushed new commits to merge request !1152 https://gitlab.com/gnutls/gnutls/merge_requests/1152 * 6d663947 - doc: updated epub.texi from gnutls.texi -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1152 From gnutls-devel at lists.gnutls.org Fri Jan 3 23:03:13 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 03 Jan 2020 22:03:13 +0000 Subject: [gnutls-devel] GnuTLS | Remove && command concatenation in .gitlab-ci.yml (!1152) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos pushed new commits to merge request !1152 https://gitlab.com/gnutls/gnutls/merge_requests/1152 * 3e156f03 - doc: updated epub.texi from gnutls.texi -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1152 From gnutls-devel at lists.gnutls.org Fri Jan 3 23:16:00 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 03 Jan 2020 22:16:00 +0000 Subject: [gnutls-devel] GnuTLS | Remove && command concatenation in .gitlab-ci.yml (!1152) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos pushed new commits to merge request !1152 https://gitlab.com/gnutls/gnutls/merge_requests/1152 * 420133ab...804ad246 - 13 commits from branch `master` * 1f6a3966 - Remove && command concatenation in .gitlab-ci.yml * a2186f98 - .gitlab-ci.yml: identify on runtime to db2epub directory * 127ad2de - doc: updated epub.texi from gnutls.texi -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1152 From gnutls-devel at lists.gnutls.org Sat Jan 4 00:26:56 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 03 Jan 2020 23:26:56 +0000 Subject: [gnutls-devel] GnuTLS | Remove && command concatenation in .gitlab-ci.yml (!1152) In-Reply-To: References: Message-ID: Merge Request !1152 was merged Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/1152 Branches: tmp-ci-remove-command-concat to master Author: Tim Rühsen Assignees: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1152 From gnutls-devel at lists.gnutls.org Sat Jan 4 00:26:56 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 03 Jan 2020 23:26:56 +0000 Subject: [gnutls-devel] GnuTLS | SSL-3.0 CI runner fails unrecognized (#896) In-Reply-To: References: Message-ID: Issue was closed by Nikos Mavrogiannopoulos via merge request !1152 (https://gitlab.com/gnutls/gnutls/merge_requests/1152) Issue #896: https://gitlab.com/gnutls/gnutls/issues/896 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/896 From gnutls-devel at lists.gnutls.org Sat Jan 4 13:43:38 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sat, 04 Jan 2020 12:43:38 +0000 Subject: [gnutls-devel] GnuTLS | tests: replace invalid extension OIDs with valid ones (!1153) References: Message-ID: Nikos Mavrogiannopoulos created a merge request: https://gitlab.com/gnutls/gnutls/merge_requests/1153 Project:Branches: nmav/gnutls:tmp-oid-fix to gnutls/gnutls:master Author: Nikos Mavrogiannopoulos libtasn1 4.15.0 or earlier allow encoding and decoding of invalid OIDs, but more recent versions may stop accepting them. Ensure that our test suite includes OIDs which can be decoded by all versions of libtasn1. Relates: https://gitlab.com/gnutls/libtasn1/issues/25 ## Checklist * [x] Commits have `Signed-off-by:` with name/author being identical to the commit author * [ ] Code modified for feature * [x] Test suite updated with functionality tests * [ ] Test suite updated with negative tests * [ ] Documentation updated / NEWS entry present (for non-trivial changes) * [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout) ## Reviewer's checklist: * [ ] Any issues marked for closing are addressed * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md` * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1153 From gnutls-devel at lists.gnutls.org Sat Jan 4 13:45:01 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sat, 04 Jan 2020 12:45:01 +0000 Subject: [gnutls-devel] GnuTLS | Fixes dummy getrandom() when errno = EAGAIN. (!1150) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos commented: Thanks. Could you also increase the CI timeout to 2h or higher and restart the timedout jobs? (see Settings/CICD/General pipelines/Timeout) -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1150#note_267172380 From gnutls-devel at lists.gnutls.org Sat Jan 4 14:45:16 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sat, 04 Jan 2020 13:45:16 +0000 Subject: [gnutls-devel] GnuTLS | Use 'make -j' without argument for CI builds and tests (!1154) References: Message-ID: Tim Rühsen created a merge request: https://gitlab.com/gnutls/gnutls/merge_requests/1154 Branches: tmp-ci-make-j to master Author: Tim Rühsen This speeds up the Gitlab CI runners. E.g. measured timings of the Debian.x86_64 runner show ~40% speedup (down from 38 to 23 minutes). Closes #897 ## Checklist * [ ] Commits have `Signed-off-by:` with name/author being identical to the commit author * [ ] Code modified for feature * [ ] Test suite updated with functionality tests * [ ] Test suite updated with negative tests * [ ] Documentation updated / NEWS entry present (for non-trivial changes) * [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout) ## Reviewer's checklist: * [ ] Any issues marked for closing are addressed * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md` * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1154 From gnutls-devel at lists.gnutls.org Sat Jan 4 14:46:36 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sat, 04 Jan 2020 13:46:36 +0000 Subject: [gnutls-devel] GnuTLS | Speed up CI with more parallelization (#897) In-Reply-To: References: Message-ID:

Tim Rühsen commented:

The algorithm behind `make -j` (without argument) is not very well documented. But a test revealed pretty good timings (23 minutes) in comparison to my first random test (26 minutes). See https://gitlab.com/rockdaboot/gnutls/pipelines/106982529

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/897#note_267179166

From gnutls-devel at lists.gnutls.org Sat Jan 4 15:19:54 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sat, 04 Jan 2020 14:19:54 +0000 Subject: [gnutls-devel] GnuTLS | Use 'make -j' without argument for CI builds and tests (!1154) In-Reply-To: References: Message-ID:

Tim Rühsen commented:

The failures indicate that there are some issues with -jN with N>1: with the docs and with cross-compilation.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1154#note_267185395

From gnutls-devel at lists.gnutls.org Sat Jan 4 15:36:00 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sat, 04 Jan 2020 14:36:00 +0000 Subject: [gnutls-devel] GnuTLS | Speed up CI with more parallelization (#897) In-Reply-To: References: Message-ID:

Tim Rühsen commented:

As I suspected, -j is very excessive with using memory, from the failed MinGW32 runner:

```
6132 ../libtool: line 11056: 10860 Segmentation fault $STRIP $cwrapper
6133 cc1: out of memory allocating 1611600 bytes after a total of 3878912 bytes
6134 cc1: out of memory allocating 1590000 bytes after a total of 3878912 bytes
6135 i686-w64-mingw32-strip: './dn2.exe': No such file
6136 i686-w64-mingw32-strip: './rsa-psk-cb.exe': No such file
6138 cc1: out of memory allocating 1618800 bytes after a total of 3874816 bytes
6139 i686-w64-mingw32-strip: './system-prio-file.exe': No such file
```

-j just starts everything that is possible in parallel. That eats huge amounts of Gigabytes... too much for the CI environment. My machine also starts to choke with `make -j`.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/897#note_267186978

From gnutls-devel at lists.gnutls.org Sat Jan 4 17:39:27 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sat, 04 Jan 2020 16:39:27 +0000 Subject: [gnutls-devel] GnuTLS | Use 'make -j' without argument for CI builds and tests (!1154) In-Reply-To: References: Message-ID:

Tim Rühsen pushed new commits to merge request !1154
https://gitlab.com/gnutls/gnutls/merge_requests/1154

* 2423c426 - Use make with -j$(($(nproc) + 5)) for CI builds and tests

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1154

From gnutls-devel at lists.gnutls.org Sat Jan 4 18:49:11 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sat, 04 Jan 2020 17:49:11 +0000 Subject: [gnutls-devel] GnuTLS | Use 'make -j' without argument for CI builds and tests (!1154) In-Reply-To: References: Message-ID:

Tim Rühsen pushed new commits to merge request !1154
https://gitlab.com/gnutls/gnutls/merge_requests/1154

* 28facbf7 - Use make with -j$(($(nproc) + 5)) for CI builds and tests

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1154

From gnutls-devel at lists.gnutls.org Sat Jan 4 19:18:21 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sat, 04 Jan 2020 18:18:21 +0000 Subject: [gnutls-devel] GnuTLS | Use 'make -j' without argument for CI builds and tests (!1154) In-Reply-To: References: Message-ID:

Tim Rühsen pushed new commits to merge request !1154
https://gitlab.com/gnutls/gnutls/merge_requests/1154

* fd25dcc7 - Use make with crafted -j for CI builds and tests

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1154

From gnutls-devel at lists.gnutls.org Sat Jan 4 19:22:42 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sat, 04 Jan 2020 18:22:42 +0000 Subject: [gnutls-devel] GnuTLS | Use 'make -j' without argument for CI builds and tests (!1154) In-Reply-To: References: Message-ID:

Tim Rühsen pushed new commits to merge request !1154
https://gitlab.com/gnutls/gnutls/merge_requests/1154

* 057f0be8 - Use make with crafted -j for CI builds and tests

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1154

From gnutls-devel at lists.gnutls.org Sat Jan 4 19:43:17 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sat, 04 Jan 2020 18:43:17 +0000 Subject: [gnutls-devel] GnuTLS | Use 'make -j' with higher values for CI builds and tests (!1154) In-Reply-To: References: Message-ID:

Tim Rühsen commented:

@nmav The cross runners don't like -j with higher values than 1 (means no parallel builds possible).

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1154#note_267213424

From gnutls-devel at lists.gnutls.org Sat Jan 4 19:51:55 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sat, 04 Jan 2020 18:51:55 +0000 Subject: [gnutls-devel] GnuTLS | Use 'make -j' with higher values for CI builds and tests (!1154) In-Reply-To: References: Message-ID:

Tim Rühsen commented:

And on the other runners tests randomly fail, I guess due to timing issues. Work-around is to reduce the number of parallel tests (now 16) - or we make those tests timing resistant (=stable), which may be a lot of work.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1154#note_267214144

From gnutls-devel at lists.gnutls.org Sat Jan 4 19:58:38 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sat, 04 Jan 2020 18:58:38 +0000 Subject: [gnutls-devel] GnuTLS | Use 'make -j' with higher values for CI builds and tests (!1154) In-Reply-To: References: Message-ID:

Tim Rühsen pushed new commits to merge request !1154
https://gitlab.com/gnutls/gnutls/merge_requests/1154

* c759ba55 - Use make with crafted -j for CI builds and tests

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1154

From gnutls-devel at lists.gnutls.org Sat Jan 4 23:03:32 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sat, 04 Jan 2020 22:03:32 +0000 Subject: [gnutls-devel] GnuTLS | Use 'make -j' with higher values for CI builds and tests (!1154) In-Reply-To: References: Message-ID:

Tim Rühsen pushed new commits to merge request !1154
https://gitlab.com/gnutls/gnutls/merge_requests/1154

* e09f7487 - Use make with crafted -j for CI builds and tests

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1154

From gnutls-devel at lists.gnutls.org Sun Jan 5 06:32:20 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sun, 05 Jan 2020 05:32:20 +0000 Subject: [gnutls-devel] GnuTLS | Fixes dummy getrandom() when errno = EAGAIN. (!1150) In-Reply-To: References: Message-ID:

Merge Request !1150 was approved by Nikos Mavrogiannopoulos

Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/1150
Project:Branches: estanglerbm/gnutls:estanglerbm-getrandom to gnutls/gnutls:master
Author: Edward Stangler
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1150

From gnutls-devel at lists.gnutls.org Sun Jan 5 06:33:20 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sun, 05 Jan 2020 05:33:20 +0000 Subject: [gnutls-devel] GnuTLS | Dummy getrandom() definition can cause have_getrandom() = 1, causing TLS failure (#892) In-Reply-To: References: Message-ID:

Issue was closed by Edward Stangler via commit c30b616f00f14cbad2f971d38947b4af8c6fc774

Issue #892: https://gitlab.com/gnutls/gnutls/issues/892

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/892

From gnutls-devel at lists.gnutls.org Sun Jan 5 06:33:20 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sun, 05 Jan 2020 05:33:20 +0000 Subject: [gnutls-devel] GnuTLS | Fixes dummy getrandom() when errno = EAGAIN. (!1150) In-Reply-To: References: Message-ID:

Merge Request !1150 was merged

Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/1150
Project:Branches: estanglerbm/gnutls:estanglerbm-getrandom to gnutls/gnutls:master
Author: Edward Stangler
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1150

From gnutls-devel at lists.gnutls.org Sun Jan 5 06:33:20 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sun, 05 Jan 2020 05:33:20 +0000 Subject: [gnutls-devel] GnuTLS | Dummy getrandom() definition can cause have_getrandom() = 1, causing TLS failure (#892) In-Reply-To: References: Message-ID:

Issue was closed by Nikos Mavrogiannopoulos via merge request !1150 (https://gitlab.com/gnutls/gnutls/merge_requests/1150)

Issue #892: https://gitlab.com/gnutls/gnutls/issues/892

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/892

From gnutls-devel at lists.gnutls.org Sun Jan 5 06:54:26 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sun, 05 Jan 2020 05:54:26 +0000 Subject: [gnutls-devel] GnuTLS | Use 'make -j' with higher values for CI builds and tests (!1154) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos started a new discussion on .gitlab-ci.yml: https://gitlab.com/gnutls/gnutls/merge_requests/1154#note_267250664 > - export CCACHE_BASEDIR=${PWD} > - export CCACHE_DIR=${PWD}/cache > - export CC="ccache gcc" > + - export BUILDJOBS=2 Why the separation between build and test jobs? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1154#note_267250664 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun Jan 5 06:55:24 2020 
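Review bot: the added `export BUILDJOBS=2` hard-codes the job count with nothing beside it saying why 2 was chosen or how it relates to the number of test jobs. A one-line comment above the export naming the constraint (this thread points at runner memory) would keep the value from being raised back to `$(nproc)` later by someone unaware of the out-of-memory failures.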
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sun, 05 Jan 2020 05:55:24 +0000 Subject: [gnutls-devel] GnuTLS | Use 'make -j' with higher values for CI builds and tests (!1154) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos started a new discussion on .gitlab-ci.yml: https://gitlab.com/gnutls/gnutls/merge_requests/1154#note_267250708 > - guile_snarf=/usr/bin/guile-snarf2.2 > - export GUILE GUILD guile_snarf > - CFLAGS="-std=c99 -O2 -g" dash ./configure --disable-gcc-warnings --cache-file cache/config.cache --prefix=/usr --libdir=/usr/lib64 --disable-cxx --disable-non-suiteb-curves --enable-gtk-doc --disable-maintainer-mode > - - make -C doc stamp-vti > - - make -C doc stamp-1 > - - make -C doc stamp_enums > - - make -j$(nproc) > - - make -C doc gnutls.html > - - make -C doc/latex gnutls.pdf > + - make -j$BUILDJOBS -C doc stamp-vti If there are issues with the parallel invocation of jobs, we may want to run it without any parallelization or fix it to something non-configurable and document the reason. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1154#note_267250708 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun Jan 5 06:57:38 2020 
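Review bot: in the added `make -j$BUILDJOBS -C doc stamp-vti`, an unset or empty `BUILDJOBS` turns the option into a bare `-j`, the unlimited mode that ran the MinGW32 runner out of memory earlier in this thread. Because the value comes from an `export` line inside the job script, a job that lacks that line fails open; `-j${BUILDJOBS:?}` would stop such a job with an error, and `-j${BUILDJOBS:-1}` would fall back to a serial build.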
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sun, 05 Jan 2020 05:57:38 +0000 Subject: [gnutls-devel] GnuTLS | Use 'make -j' with higher values for CI builds and tests (!1154) In-Reply-To: References: Message-ID:

Nikos Mavrogiannopoulos commented:

The failures in the qemu-based runners seem to be due to memory limitations.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1154#note_267250789

From gnutls-devel at lists.gnutls.org Sun Jan 5 11:43:15 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sun, 05 Jan 2020 10:43:15 +0000 Subject: [gnutls-devel] GnuTLS | Use 'make -j' with higher values for CI builds and tests (!1154) In-Reply-To: References: Message-ID:

Tim Rühsen pushed new commits to merge request !1154
https://gitlab.com/gnutls/gnutls/merge_requests/1154

* 03876ce8 - Use make with crafted -j for CI builds and tests

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1154

From gnutls-devel at lists.gnutls.org Sun Jan 5 12:18:40 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sun, 05 Jan 2020 11:18:40 +0000 Subject: [gnutls-devel] GnuTLS | Use 'make -j' with higher values for CI builds and tests (!1154) In-Reply-To: References: Message-ID: Tim R?hsen commented on a discussion on .gitlab-ci.yml: https://gitlab.com/gnutls/gnutls/merge_requests/1154#note_267269529 > - export CCACHE_BASEDIR=${PWD} > - export CCACHE_DIR=${PWD}/cache > - export CC="ccache gcc" > + - export BUILDJOBS=2 Described now in-place. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1154#note_267269529 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun Jan 5 12:19:12 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sun, 05 Jan 2020 11:19:12 +0000 Subject: [gnutls-devel] GnuTLS | Use 'make -j' with higher values for CI builds and tests (!1154) In-Reply-To: References: Message-ID: All discussions on Merge Request !1154 were resolved by Tim R?hsen https://gitlab.com/gnutls/gnutls/merge_requests/1154 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1154 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun Jan 5 12:19:12 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sun, 05 Jan 2020 11:19:12 +0000 Subject: [gnutls-devel] GnuTLS | Use 'make -j' with higher values for CI builds and tests (!1154) In-Reply-To: References: Message-ID: Tim R?hsen commented on a discussion on .gitlab-ci.yml: https://gitlab.com/gnutls/gnutls/merge_requests/1154#note_267269578 > - guile_snarf=/usr/bin/guile-snarf2.2 > - export GUILE GUILD guile_snarf > - CFLAGS="-std=c99 -O2 -g" dash ./configure --disable-gcc-warnings --cache-file cache/config.cache --prefix=/usr --libdir=/usr/lib64 --disable-cxx --disable-non-suiteb-curves --enable-gtk-doc --disable-maintainer-mode > - - make -C doc stamp-vti > - - make -C doc stamp-1 > - - make -C doc stamp_enums > - - make -j$(nproc) > - - make -C doc gnutls.html > - - make -C doc/latex gnutls.pdf > + - make -j$BUILDJOBS -C doc stamp-vti Looks good now with small enough -j. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1154#note_267269578 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun Jan 5 12:21:52 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sun, 05 Jan 2020 11:21:52 +0000 Subject: [gnutls-devel] GnuTLS | Use 'make -j' with higher values for CI builds and tests (!1154) In-Reply-To: References: Message-ID:

Tim Rühsen commented on a discussion: https://gitlab.com/gnutls/gnutls/merge_requests/1154#note_267269756

Not sure about that. It is often the same tests that fail, e.g. `tests/key-material-dtls.log`:

```
server:347: error: Resource temporarily unavailable, try again. wseq:0001000000000002 error in 191
```

This looks like async I/O failed with EAGAIN... maybe just a timing issue !?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1154#note_267269756

From gnutls-devel at lists.gnutls.org Sun Jan 5 12:26:22 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sun, 05 Jan 2020 11:26:22 +0000 Subject: [gnutls-devel] GnuTLS | Hard requirement of libev breaks builds (#898) References: Message-ID:

Tim Rühsen created an issue: https://gitlab.com/gnutls/gnutls/issues/898

As you might have seen, the OSS-Fuzz build fails for gnutls. This also breaks the OSS-Fuzz builds for Wget and Wget2.

How many tests need libev ? Can we possibly skip those tests if libev isn't available ?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/898

From gnutls-devel at lists.gnutls.org Sun Jan 5 13:17:00 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sun, 05 Jan 2020 12:17:00 +0000 Subject: [gnutls-devel] GnuTLS | Use 'make -j' with higher values for CI builds and tests (!1154) In-Reply-To: References: Message-ID:

Tim Rühsen pushed new commits to merge request !1154
https://gitlab.com/gnutls/gnutls/merge_requests/1154

* 150e79db - Use make with crafted -j for CI builds and tests

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1154

From gnutls-devel at lists.gnutls.org Sun Jan 5 13:47:13 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sun, 05 Jan 2020 12:47:13 +0000 Subject: [gnutls-devel] GnuTLS | Hard requirement of libev breaks builds (#898) In-Reply-To: References: Message-ID:

Nikos Mavrogiannopoulos commented:

That is only required when building with full test suite. If we give --disable-full-test-suite it should be fine

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/898#note_267280098

From gnutls-devel at lists.gnutls.org Sun Jan 5 15:43:26 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sun, 05 Jan 2020 14:43:26 +0000 Subject: [gnutls-devel] GnuTLS | Hard requirement of libev breaks builds (#898) In-Reply-To: References: Message-ID:

Tim Rühsen commented:

IMO, that's not enough. Then *all* projects have to change their build recipes. And we are talking about `test/suite/eagain-cli.c` only, from what I see.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/898#note_267289529

From gnutls-devel at lists.gnutls.org Sun Jan 5 17:06:00 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sun, 05 Jan 2020 16:06:00 +0000 Subject: [gnutls-devel] GnuTLS | Hard requirement of libev breaks builds (#898) In-Reply-To: References: Message-ID:

Nikos Mavrogiannopoulos commented:

How many projects is that? That is only for master branch access. I think it is fair to require what is needed for testing on a devel environment. Releases are not impacted.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/898#note_267297352

From gnutls-devel at lists.gnutls.org Sun Jan 5 17:39:19 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sun, 05 Jan 2020 16:39:19 +0000 Subject: [gnutls-devel] GnuTLS | Hard requirement of libev breaks builds (#898) In-Reply-To: References: Message-ID:

Tim Rühsen commented:

Binary releases are not impacted. But don't all the distro/package maintainers have to update their recipes ? Their builds contain 'make check' and that will break... so they have to figure out what is going on and add another build dependency. That's quite some friction.

We already SKIP tests if certain libraries or tools are not present. Why not add that libev / eagain to that list ?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/898#note_267300375

From gnutls-devel at lists.gnutls.org Sun Jan 5 17:44:59 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sun, 05 Jan 2020 16:44:59 +0000 Subject: [gnutls-devel] GnuTLS | Use 'make -j' with higher values for CI builds and tests (!1154) In-Reply-To: References: Message-ID:

Tim Rühsen pushed new commits to merge request !1154
https://gitlab.com/gnutls/gnutls/merge_requests/1154

* a4416c9a - Use make with crafted -j for CI builds and tests

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1154

From gnutls-devel at lists.gnutls.org Sun Jan 5 18:07:30 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sun, 05 Jan 2020 17:07:30 +0000 Subject: [gnutls-devel] GnuTLS | Hard requirement of libev breaks builds (#898) In-Reply-To: References: Message-ID:

Nikos Mavrogiannopoulos commented:

No, they will not be affected, as they are building release tarballs that do not have the full test suite. Skipping tests is bad practice as an accidental change in ci can reduce test coverage without anyone noticing.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/898#note_267302680

From gnutls-devel at lists.gnutls.org Sun Jan 5 18:27:19 2020
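The concern raised in the comment above, that a skipped test lowers coverage without anyone noticing, can be turned into a CI check. The script below is an added example, not code from the GnuTLS project: it reads the `.trs` result files written by Automake's parallel test harness and fails when a test reports SKIP without being on a reviewed allow-list. The allow-list file name and the test name `datefudge-dependent` are assumptions, and the sample results are constructed.

```shell
#!/bin/sh
# Added example, not GnuTLS project code: fail a CI job when a test reports
# SKIP without being on a reviewed allow-list.
#
# Automake's parallel test harness writes one <test>.trs file per test; the
# line ":global-test-result: SKIP" marks a test whose script exited with 77.

# list_skipped DIR
# Print the skipped tests under DIR (path relative to DIR, ".trs" removed).
list_skipped() {
    find "$1" -type f -name '*.trs' | sort | while IFS= read -r trs; do
        if grep -q '^:global-test-result: SKIP' "$trs"; then
            name=${trs#"$1"/}
            printf '%s\n' "${name%.trs}"
        fi
    done
}

# unexpected_skips DIR ALLOWLIST
# Print skipped tests that have no exact-match line in ALLOWLIST. A missing
# ALLOWLIST matches nothing, so every skip is reported (fail closed).
unexpected_skips() {
    list_skipped "$1" | while IFS= read -r t; do
        grep -Fxq -- "$t" "$2" 2>/dev/null || printf '%s\n' "$t"
    done
}

# check_skips DIR ALLOWLIST
# Return 0 when every skip is on the allow-list, 1 otherwise.
check_skips() {
    bad=$(unexpected_skips "$1" "$2")
    if [ -n "$bad" ]; then
        printf 'unexpected SKIP, not listed in %s:\n%s\n' "$2" "$bad" >&2
        return 1
    fi
    return 0
}

# --- constructed sample data (assumed names, not real CI output) ---
# write_trs FILE RESULT: emit the two result lines the checks above read.
write_trs() {
    mkdir -p "$(dirname "$1")"
    printf ':test-result: %s\n:global-test-result: %s\n' "$2" "$2" > "$1"
}

# make_sample DIR: one passing test, one skip that was reviewed
# (hypothetical test name), and one skip nobody approved.
make_sample() {
    write_trs "$1/key-material-dtls.trs" PASS
    write_trs "$1/suite/eagain.trs" SKIP
    write_trs "$1/datefudge-dependent.trs" SKIP
    printf '# reviewed skips\ndatefudge-dependent\n' > "$1/skip-allowlist.txt"
}

demo_dir=$(mktemp -d)
make_sample "$demo_dir"
if check_skips "$demo_dir" "$demo_dir/skip-allowlist.txt"; then
    echo "all skips are on the allow-list"
else
    echo "job fails: a test was skipped without review"
fi
rm -rf "$demo_dir"
```

Run after `make check` against the tests build directory, this makes a new skip a visible failure, and adding a name to the allow-list becomes a change that goes through review.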
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sun, 05 Jan 2020 17:27:19 +0000 Subject: [gnutls-devel] GnuTLS | SKIP tests/suite/eagain if libev not available (!1155) References: Message-ID:

Tim Rühsen created a merge request: https://gitlab.com/gnutls/gnutls/merge_requests/1155

Branches: tmp-soft-libev to master
Author: Tim Rühsen

Closes #898

## Checklist
* [x] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [ ] Code modified for feature
* [ ] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
* [x] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:
* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1155

From gnutls-devel at lists.gnutls.org Sun Jan 5 18:31:09 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sun, 05 Jan 2020 17:31:09 +0000 Subject: [gnutls-devel] GnuTLS | Hard requirement of libev breaks builds (#898) In-Reply-To: References: Message-ID:

Tim Rühsen commented:

You mean they don't run any tests ? At least for Debian, packages are (often ?) built directly from git. I am not an expert here, but did build some Debian packages.

Anyways, with your argument we should enforce the existence of e.g. 'datefudge'. Any developer can install it. Why do we SKIP so many tests if it is not available ?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/898#note_267304686

From gnutls-devel at lists.gnutls.org Sun Jan 5 18:31:40 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sun, 05 Jan 2020 17:31:40 +0000 Subject: [gnutls-devel] GnuTLS | Hard requirement of libev breaks builds (#898) In-Reply-To: References: Message-ID:

Tim Rühsen commented:

Made up !1155 in case you change your mind :-)

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/898#note_267304738

From gnutls-devel at lists.gnutls.org Sun Jan 5 18:36:40 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sun, 05 Jan 2020 17:36:40 +0000 Subject: [gnutls-devel] GnuTLS | Hard requirement of libev breaks builds (#898) In-Reply-To: References: Message-ID:

Tim Rühsen commented:

> No they not be affected as they are building release tarballs that do not have the full test suite.

So you are sure that *all* the distros use `--disable-full-test-suite` ? How do you know ?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/898#note_267305126

From gnutls-devel at lists.gnutls.org Sun Jan 5 18:48:48 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sun, 05 Jan 2020 17:48:48 +0000 Subject: [gnutls-devel] GnuTLS | Hard requirement of libev breaks builds (#898) In-Reply-To: References: Message-ID:

Nikos Mavrogiannopoulos commented:

No I do not know. What I say is that it doesn't matter because that code does not run there. The full test suite is disabled on releases. It only is available if you build from master branch in git.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/898#note_267306205

From gnutls-devel at lists.gnutls.org Sun Jan 5 18:49:21 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sun, 05 Jan 2020 17:49:21 +0000 Subject: [gnutls-devel] GnuTLS | Hard requirement of libev breaks builds (#898) In-Reply-To: References: Message-ID:

Nikos Mavrogiannopoulos commented:

Thus libev is not required there but only when you build from master

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/898#note_267306233

From gnutls-devel at lists.gnutls.org Sun Jan 5 19:06:55 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sun, 05 Jan 2020 18:06:55 +0000 Subject: [gnutls-devel] GnuTLS | Hard requirement of libev breaks builds (#898) In-Reply-To: References: Message-ID:

Andreas Metzler commented on a discussion: https://gitlab.com/gnutls/gnutls/issues/898#note_267307724

Tim Rühsen @rockdaboot wrote:

> You mean they don't run any tests ? At least for Debian packages are (often ?) built directly from git. I am not an expert here, but did building some Debian packages.

Hello Tim,

Debian's GnuTLS packages are normally based on release tarballs. I have occasionally uploaded GIT snapshots to experimental to get some pre-release testing but in that case I did not simply tar up the git repo but ran "make dist" on the checkout. So even in that case we were not running the CI testsuite but the release-tarball machinery.

(The Debian packaging itself is also kept in a GIT repository but that is unrelated.)

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/898#note_267307724

From gnutls-devel at lists.gnutls.org Sun Jan 5 19:10:16 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sun, 05 Jan 2020 18:10:16 +0000 Subject: [gnutls-devel] GnuTLS | Hard requirement of libev breaks builds (#898) In-Reply-To: References: Message-ID:

Tim Rühsen commented:

I still think that there are package managers or users that build from git master. Stopping the build if libev is not available does more harm than good, IMO.

I am currently making two patches against OSS-Fuzz for wget and wget2 due to this. And it takes a while to download and build the image as these projects build all their dependencies from git master. It's just a PITA for me. Next step is to create/push branches, create PR for OSS-Fuzz. There are more people involved and wasting their time. And if it turns out there is an error, the game goes into another iteration...

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/898#note_267308314

From gnutls-devel at lists.gnutls.org Sun Jan 5 19:13:02 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sun, 05 Jan 2020 18:13:02 +0000 Subject: [gnutls-devel] GnuTLS | Hard requirement of libev breaks builds (#898) In-Reply-To: References: Message-ID:

Tim Rühsen commented on a discussion: https://gitlab.com/gnutls/gnutls/issues/898#note_267308619

Thanks for the correction and information. You are fine as long as you don't run `./configure` in a checked out gnutls/ directory. If you do, ./configure stops with an error.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/898#note_267308619

From gnutls-devel at lists.gnutls.org Mon Jan 6 09:01:41 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 06 Jan 2020 08:01:41 +0000
Subject: [gnutls-devel] GnuTLS | Hard requirement of libev breaks builds (#898)

Nikos Mavrogiannopoulos commented:

Sorry for that. I create one for gnutls as well: https://github.com/google/oss-fuzz/pull/3186

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/898#note_267432181

From gnutls-devel at lists.gnutls.org Mon Jan 6 12:43:18 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 06 Jan 2020 11:43:18 +0000
Subject: [gnutls-devel] GnuTLS | tests/Makefile.am: use absolute top_srcdir for GNUTLS_PRIORITY_FILE (!1156)

Dimitri John Ledkov created a merge request: https://gitlab.com/gnutls/gnutls/merge_requests/1156

Project:Branches: xnox/gnutls:topsrcdir to gnutls/gnutls:master
Author: Dimitri John Ledkov

Add a description of the new feature/bug fix. Reference any relevant bugs.

## Checklist
* [ ] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [ ] Code modified for feature
* [ ] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
* [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:
* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1156

From gnutls-devel at lists.gnutls.org Mon Jan 6 13:18:58 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 06 Jan 2020 12:18:58 +0000
Subject: [gnutls-devel] GnuTLS | tests/Makefile.am: use absolute top_srcdir for GNUTLS_PRIORITY_FILE (!1156)

Tim Rühsen commented:

Good finding !

What is the reason that you decided for `$(abspath ...)` instead of using `$(abs_top_srcdir)/...` ?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1156#note_267542329

From gnutls-devel at lists.gnutls.org Mon Jan 6 15:30:56 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 06 Jan 2020 14:30:56 +0000
Subject: [gnutls-devel] GnuTLS | tests/Makefile.am: use absolute top_srcdir for GNUTLS_PRIORITY_FILE (!1156)

Merge request https://gitlab.com/gnutls/gnutls/merge_requests/1156 was reviewed by Dimitri John Ledkov

--
Dimitri John Ledkov commented on a discussion: https://gitlab.com/gnutls/gnutls/merge_requests/1156#note_267612222

Because I did not know that the other one exists =) Let me check it to the existing variable, instead of calling a function by hand.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1156

From gnutls-devel at lists.gnutls.org Mon Jan 6 15:55:17 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 06 Jan 2020 14:55:17 +0000
Subject: [gnutls-devel] GnuTLS | tests/Makefile.am: use absolute top_srcdir for GNUTLS_PRIORITY_FILE (!1156)

Dimitri John Ledkov pushed new commits to merge request !1156 https://gitlab.com/gnutls/gnutls/merge_requests/1156

* 85e76bbd - tests/Makefile.am: use absolute top_srcdir for GNUTLS_PRIORITY_FILE

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1156

From gnutls-devel at lists.gnutls.org Mon Jan 6 15:55:34 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 06 Jan 2020 14:55:34 +0000
Subject: [gnutls-devel] GnuTLS | tests/Makefile.am: use absolute top_srcdir for GNUTLS_PRIORITY_FILE (!1156)

All discussions on Merge Request !1156 were resolved by Dimitri John Ledkov https://gitlab.com/gnutls/gnutls/merge_requests/1156

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1156

From gnutls-devel at lists.gnutls.org Mon Jan 6 16:27:26 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 06 Jan 2020 15:27:26 +0000
Subject: [gnutls-devel] GnuTLS | Compiled-in, yet unsupported by default, TLS versions (!1157)

Dimitri John Ledkov created a merge request: https://gitlab.com/gnutls/gnutls/merge_requests/1157

Project:Branches: xnox/gnutls:supported-version to gnutls/gnutls:master
Author: Dimitri John Ledkov

Add a new configure time option which will mark TLS versions prior to v1.2. This will still compile-in TLS1.0/1.1 DTLS0.9/1.0 support, however it will have supported=0. Meaning that, even though it is selected by the priority string (eg. NORMAL or +VERS-TLS1.0) it would not be usable, unless supported-version = tls1.0 is also specified in the config file.

Note this is a "soft" enable, if the priority string did not elect TLS1.0 supported-version = tls1.0 will not enable it (ie. priority string -VERS-TLS-ALL:+VERS-TLS1.3 will not gain tls1.0 just because supported-version=tls1.0 is declared).

Similarly disabled-version continues to blacklist the algorithm, and supported-version will not be enabled.

The overall goal is to bring GnuTLS on par with OpenSSL in Debian/Ubuntu, where TLS1.0/1.1 are disabled by default, yet user-admin can enable it back on with a configuration file. Unlike Debian, however, Ubuntu would like to achieve as a compiled-in default without any configuration files. Meaning config file should only be needed to be created to turn tls1.0/1.1 back, but by default library without config files does not use tls1.0/1.1.

Add a description of the new feature/bug fix. Reference any relevant bugs.

This is a bit work in progress. I believe the pipelines should pass with or without this new configure-time option. But I'm not yet fully happy with functionality & negative tests coverage. I will add more tests, but the feature code is otherwise ready for review and comments, as it appears to behave the way I described above.

## Checklist
* [ ] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [ ] Code modified for feature
* [ ] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
* [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:
* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1157

From gnutls-devel at lists.gnutls.org Mon Jan 6 16:28:36 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 06 Jan 2020 15:28:36 +0000
Subject: [gnutls-devel] GnuTLS | Compiled-in, yet unsupported by default, TLS versions (!1157)

Dimitri John Ledkov pushed new commits to merge request !1157 https://gitlab.com/gnutls/gnutls/merge_requests/1157

* a7527d01 - Allow marking unsupported available protocol versions as supported.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1157

From gnutls-devel at lists.gnutls.org Mon Jan 6 17:06:25 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 06 Jan 2020 16:06:25 +0000
Subject: [gnutls-devel] GnuTLS | gnutls_session_set_secret_hook_function: new function (!1112)

Daiki Ueno commented on a discussion on lib/constate.c: https://gitlab.com/gnutls/gnutls/merge_requests/1112#note_267665474

> ret = _tls13_expand_secret(session, "iv", 2, NULL, 0, session->key.proto.tls13.ap_ckey, iv_size, iv_block); > if (ret < 0) > return gnutls_assert_val(ret); > +

I guess there will be a trade-off if we go that route, between:
- how much we can make the API generic
- how much we can make the QUIC implementation simpler, based on the API

The current approach is aligned to the latter, so the QUIC implementation wouldn't need to track the encryption level changes, but rely on the states managed by GnuTLS (which can also be used by #849).

On the other hand, if we align to the former, all we need is to just generalize the existing keylog stuff with a callback like OpenSSL (I started thinking that it might be actually a better approach).

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1112#note_267665474

From gnutls-devel at lists.gnutls.org Mon Jan 6 17:23:24 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 06 Jan 2020 16:23:24 +0000
Subject: [gnutls-devel] GnuTLS | tests/Makefile.am: use absolute top_srcdir for GNUTLS_PRIORITY_FILE (!1156)

Merge Request !1156 was approved by Tim Rühsen

Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/1156
Project:Branches: xnox/gnutls:topsrcdir to gnutls/gnutls:master
Author: Dimitri John Ledkov
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1156

From gnutls-devel at lists.gnutls.org Mon Jan 6 17:23:34 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 06 Jan 2020 16:23:34 +0000
Subject: [gnutls-devel] GnuTLS | tests/Makefile.am: use absolute top_srcdir for GNUTLS_PRIORITY_FILE (!1156)

Merge Request !1156 was merged

Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/1156
Project:Branches: xnox/gnutls:topsrcdir to gnutls/gnutls:master
Author: Dimitri John Ledkov
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1156

From gnutls-devel at lists.gnutls.org Mon Jan 6 17:23:43 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 06 Jan 2020 16:23:43 +0000
Subject: [gnutls-devel] GnuTLS | tests/Makefile.am: use absolute top_srcdir for GNUTLS_PRIORITY_FILE (!1156)

Tim Rühsen commented:

Thank you !

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1156#note_267675999

From gnutls-devel at lists.gnutls.org Mon Jan 6 21:37:54 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 06 Jan 2020 20:37:54 +0000
Subject: [gnutls-devel] GnuTLS | SKIP tests/suite/eagain if libev not available (!1155)

Merge request https://gitlab.com/gnutls/gnutls/merge_requests/1155 was reviewed by Dmitry Eremin-Solenikov

--
Dmitry Eremin-Solenikov started a new discussion on configure.ac: https://gitlab.com/gnutls/gnutls/merge_requests/1155#note_267770230

> -*** libev4 was not found. > -***]]) > + AC_SUBST([LIBEV_LIBS], [$LIBEV])

It would be nice to `AC_MSG_WARN` that several tests are disabled due to `libev` absence. LGTM otherwise.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1155

From gnutls-devel at lists.gnutls.org Mon Jan 6 22:09:02 2020
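Review bot: Nothing visible in the configure.ac hunk above tells the person running configure that libev is missing once the `*** libev4 was not found.` error text is removed, because the added `AC_SUBST([LIBEV_LIBS], [$LIBEV])` is silent. Emit an `AC_MSG_WARN` at this point that names the tests which will be skipped, so that a build image which loses libev shows up in the configure log rather than as quietly reduced test coverage.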
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 06 Jan 2020 21:09:02 +0000
Subject: [gnutls-devel] GnuTLS | Compiled-in, yet unsupported by default, TLS versions (!1157)

Dmitry Eremin-Solenikov started a new discussion on lib/algorithms/protocols.c: https://gitlab.com/gnutls/gnutls/merge_requests/1157#note_267811588

> .major = 3, > .minor = 1, > .transport = GNUTLS_STREAM, > +#ifdef ENABLE_TLS11_SUPPORTED

It might be better to `AC_DEFINE([TLS11_SUPPORTED], ...)` in configure.ac and just use `TLS11_SUPPORTED`/`TLS10_SUPPORTED` here.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1157#note_267811588

From gnutls-devel at lists.gnutls.org Mon Jan 6 22:10:35 2020
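Review bot: The guard `#ifdef ENABLE_TLS11_SUPPORTED` in the protocols.c hunk above sits in the entry with `.major = 3, .minor = 1`, which is the TLS 1.0 wire version (TLS 1.1 is 3.2), so the macro name and the entry it controls do not obviously match. If one switch is meant to cover every version before TLS 1.2, give it a name that says so; if there are separate TLS 1.0 and TLS 1.1 switches, check that this entry tests the TLS 1.0 one.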
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 06 Jan 2020 21:10:35 +0000
Subject: [gnutls-devel] GnuTLS | Compiled-in, yet unsupported by default, TLS versions (!1157)

Dmitry Eremin-Solenikov started a new discussion on lib/algorithms/protocols.c: https://gitlab.com/gnutls/gnutls/merge_requests/1157#note_267811987

> return GNUTLS_E_INVALID_REQUEST; > } > > +int _gnutls_version_mark_supported(const char *name) > +{ > +#ifndef DISABLE_SYSTEM_CONFIG > + version_entry_st *p; > + > + for (p = sup_versions; p->name != NULL; p++) > + if (c_strcasecmp(p->name, name) == 0) { > + p->supported = 1;

This would allow admin to enable versions disabled via `_gnutls_version_mark_disabled()`.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1157#note_267811987

From gnutls-devel at lists.gnutls.org Tue Jan 7 10:42:43 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 07 Jan 2020 09:42:43 +0000
Subject: [gnutls-devel] GnuTLS | SKIP tests/suite/eagain if libev not available (!1155)

Nikos Mavrogiannopoulos commented:

I'd prefer not to skip tests in `suite/` so we do not accidentally lose coverage due to changes in some distribution image. It has happened in the past that softhsm disappeared from some images and bugs were introduced in that part of the code during the time it went undetected (almost a year).

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1155#note_268002451

From gnutls-devel at lists.gnutls.org Tue Jan 7 10:44:34 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 07 Jan 2020 09:44:34 +0000
Subject: [gnutls-devel] GnuTLS | SKIP tests/suite/eagain if libev not available (!1155)

Tim Rühsen commented:

Let me update this MR with AC_MSG_WARN (just in case the issue pops up again) and then we just close it.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1155#note_268003452

From gnutls-devel at lists.gnutls.org Tue Jan 7 10:47:29 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 07 Jan 2020 09:47:29 +0000
Subject: [gnutls-devel] GnuTLS | SKIP tests/suite/eagain if libev not available (!1155)

Tim Rühsen pushed new commits to merge request !1155 https://gitlab.com/gnutls/gnutls/merge_requests/1155

* 85e76bbd...14794f57 - 2 commits from branch `master`
* a6a930f0 - SKIP tests/suite/eagain if libev not available

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1155

From gnutls-devel at lists.gnutls.org Tue Jan 7 10:47:37 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 07 Jan 2020 09:47:37 +0000
Subject: [gnutls-devel] GnuTLS | tests: replace invalid extension OIDs with valid ones (!1153)

Nikos Mavrogiannopoulos pushed new commits to merge request !1153 https://gitlab.com/gnutls/gnutls/merge_requests/1153

* c30b616f...14794f57 - 4 commits from branch `master`
* 3288f441 - tests: replace invalid extension OIDs with valid ones

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1153

From gnutls-devel at lists.gnutls.org Tue Jan 7 10:47:36 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 07 Jan 2020 09:47:36 +0000
Subject: [gnutls-devel] GnuTLS | SKIP tests/suite/eagain if libev not available (!1155)

Merge Request !1155 was closed by Tim Rühsen

Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/1155
Branches: tmp-soft-libev to master
Author: Tim Rühsen
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1155

From gnutls-devel at lists.gnutls.org Tue Jan 7 10:48:21 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 07 Jan 2020 09:48:21 +0000
Subject: [gnutls-devel] GnuTLS | Hard requirement of libev breaks builds (#898)

Issue was closed by Tim Rühsen

Issue #898: https://gitlab.com/gnutls/gnutls/issues/898

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/898

From gnutls-devel at lists.gnutls.org Tue Jan 7 10:51:38 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 07 Jan 2020 09:51:38 +0000
Subject: [gnutls-devel] GnuTLS | tests: replace invalid extension OIDs with valid ones (!1153)

Nikos Mavrogiannopoulos pushed new commits to merge request !1153 https://gitlab.com/gnutls/gnutls/merge_requests/1153

* 0e77b9d6 - tests: replace invalid extension OIDs with valid ones

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1153

From gnutls-devel at lists.gnutls.org Tue Jan 7 12:30:34 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 07 Jan 2020 11:30:34 +0000
Subject: [gnutls-devel] GnuTLS | Compiled-in, yet unsupported by default, TLS versions (!1157)

Dimitri John Ledkov commented on a discussion on lib/algorithms/protocols.c: https://gitlab.com/gnutls/gnutls/merge_requests/1157#note_268059807

> return GNUTLS_E_INVALID_REQUEST; > } > > +int _gnutls_version_mark_supported(const char *name) > +{ > +#ifndef DISABLE_SYSTEM_CONFIG > + version_entry_st *p; > + > + for (p = sup_versions; p->name != NULL; p++) > + if (c_strcasecmp(p->name, name) == 0) { > + p->supported = 1;

Hm, that's not intended. Priority strings actually remove algos from the list, whilst mark_disabled does not. This thus will result in behaviour dependent on the ordering of "supported-version" and "disabled-version", which I do not like.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1157#note_268059807

From gnutls-devel at lists.gnutls.org Tue Jan 7 12:53:02 2020
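Review bot: `p->supported = 1` in `_gnutls_version_mark_supported()` is assigned on any name match with no record of why the flag was 0 before, so a version cleared by `_gnutls_version_mark_disabled()` cannot be told apart from one that is merely off by default, and the outcome depends on which directive is parsed last. Keep the explicit disable in a separate field or list that this function checks before setting `supported`, and add a negative test that feeds `supported-version` and `disabled-version` for the same protocol in both orders. The `for` loop's body is an unbraced `if`; bracing the loop would make later additions to this function harder to misplace.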
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 07 Jan 2020 11:53:02 +0000
Subject: [gnutls-devel] GnuTLS | Compiled-in, yet unsupported by default, TLS versions (!1157)

Dimitri John Ledkov commented on a discussion on lib/algorithms/protocols.c: https://gitlab.com/gnutls/gnutls/merge_requests/1157#note_268069397

> return GNUTLS_E_INVALID_REQUEST; > } > > +int _gnutls_version_mark_supported(const char *name) > +{ > +#ifndef DISABLE_SYSTEM_CONFIG > + version_entry_st *p; > + > + for (p = sup_versions; p->name != NULL; p++) > + if (c_strcasecmp(p->name, name) == 0) { > + p->supported = 1;

I wonder if supported-versions should then toggle "obsolete" field of the protocol version instead. And configure time option marking tls1.1/1.0 as obsolete=1.

Or if disabled-versions should keep a list, and toggle all the disabled versions to zero at the end of parsing.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1157#note_268069397

From gnutls-devel at lists.gnutls.org Tue Jan 7 12:55:24 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 07 Jan 2020 11:55:24 +0000
Subject: [gnutls-devel] GnuTLS | Compiled-in, yet unsupported by default, TLS versions (!1157)

Nikos Mavrogiannopoulos commented:

I'm wondering whether this will make settings more complicated. So with this the intention is to introduce a "soft" disable, which can later be re-enabled using configuration. The approach we took before was that whatever is disabled explicitly in a release cannot be re-enabled. The reason is to avoid someone overriding the software distributor's expectations in terms of minimum security. That is, the system ships with a minimum bar, and applications or admins can go higher with more strict config. It is documented as:

```
It intentionally does not allow switching algorithms or protocols which were disabled or marked as insecure during compile time to the secure set. This is to prevent the feature from being used to attack the system.
```

What you are suggesting is to not have a minimum bar but instead a bar which can go either way at run-time. This eliminates the intended use, but more than that I think that makes things quite more complicated.

What I understand from the ML communication is that you prefer not to use configuration files in the default case (e.g., to disable tls1.1 and tls1.0), but could you share more background on why that is? It could be that the model we selected is flawed, and there can be a better way to do it, but I would like to understand why introduce additional complexity when we can handle the issue with a configuration file.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1157#note_268070486

From gnutls-devel at lists.gnutls.org Tue Jan 7 13:35:16 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 07 Jan 2020 12:35:16 +0000
Subject: [gnutls-devel] GnuTLS | Compiled-in, yet unsupported by default, TLS versions (!1157)

Dimitri John Ledkov commented:

Yes, the proposed implementation in this PR is currently buggy; I will fix it up. The intention was for disabled-version to trump supported-version.

"expectations in terms of minimum security" is never a one-way street. What may be universally viewed as secure/insecure, may not be viewed as such by someone else. For example, using "disabled-versions = tls1.3" is usually done out of distrust or lack of current compliance, rather than because tls1.3 is broken. Or disabling/enabling ECC/GOST/etc.

Plus I want to introduce a distinction, between what is not compiled in (ie. the removed GPG support), and what is compiled in (TLS1.3) and what is compiled-in yet not enabled by default (i.e. TLS1.0 or GOST, or FIPS, or invest NOT-GOST).

So yes, this is a soft-disable, to make it just enough annoying for people to move off TLS1.0. I cannot just drop TLS1.0 just yet, without allowing users to access it unfortunately, but I must start sunsetting it. TLSv1.2 is at 96.5% support in the SSL Pulse. Meaning 3.5% of public sites (+ lots of private ones) will be inaccessible if I just drop TLS1.0, thus an escape hatch is needed. Eventually I would want to stop compiling TLS1.0/1.1 support at all, but I envision that might only be viable in 2-4 years time.

In Debian and Ubuntu, we currently do not ship a gnutls configuration file. Introducing a configuration file is cumbersome (this is to say users will be grumpy, given that previously it was not required). It can be bypassed with an environment variable. And one has to ensure that the configuration file is copied around into chroots/containers/initrd/snap along with the library. And any LSM confinements (apparmor,selinux,smack,etc) need to be adjusted to permit access to it. Overall, I wouldn't want to rely on neglecting to copy a config file around to enforce a particular distributor's minimum requirements.

To contrast, Fedora, for example, compiles gnutls with default priority string set to "@SYSTEM" meaning that the library has never worked, unless a config file that defines SYSTEM is available *or* the app specifies their own priority string.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1157#note_268088856

From gnutls-devel at lists.gnutls.org Tue Jan 7 15:03:30 2020
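The precedence described in the !1157 thread above (disabled-version trumps supported-version whatever their order, and supported-version is only a soft enable that the priority string must still select), as an added C model. It is not GnuTLS code or code from the merge request; the version table contents, the `directive` struct and every function name are assumptions made for the illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the version table: TLS1.0/1.1 are compiled in but not
 * supported by default, which is what the configure option is described as doing. */
struct version { const char *name; int compiled_supported; };
static const struct version VERSIONS[] = {
	{ "tls1.0", 0 }, { "tls1.1", 0 }, { "tls1.2", 1 }, { "tls1.3", 1 },
};
#define N_VERSIONS (sizeof(VERSIONS) / sizeof(VERSIONS[0]))

struct directive { const char *key; const char *value; };

/* Constructed sample configs: the same two directives in both orders. */
static const struct directive CFG_SUPPORTED_FIRST[] = {
	{ "supported-version", "tls1.0" }, { "disabled-version", "TLS1.0" },
};
static const struct directive CFG_DISABLED_FIRST[] = {
	{ "disabled-version", "TLS1.0" }, { "supported-version", "tls1.0" },
};

/* Case-insensitive comparison of two version names. */
static int name_eq(const char *a, const char *b)
{
	for (; *a && *b; a++, b++)
		if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
			return 0;
	return *a == *b;
}

static int find_version(const char *name)
{
	for (size_t i = 0; i < N_VERSIONS; i++)
		if (name_eq(VERSIONS[i].name, name))
			return (int)i;
	return -1;
}

/* Immediate variant: each directive writes the flag as soon as it is read,
 * so whichever of the two comes last in the file wins. */
int resolve_immediate(const struct directive *cfg, size_t n, const char *name)
{
	int supported[N_VERSIONS];
	int idx;

	for (size_t i = 0; i < N_VERSIONS; i++)
		supported[i] = VERSIONS[i].compiled_supported;
	for (size_t i = 0; i < n; i++) {
		idx = find_version(cfg[i].value);
		if (idx < 0)
			continue;
		if (strcmp(cfg[i].key, "supported-version") == 0)
			supported[idx] = 1;
		else if (strcmp(cfg[i].key, "disabled-version") == 0)
			supported[idx] = 0;
	}
	idx = find_version(name);
	return idx < 0 ? 0 : supported[idx];
}

/* Deferred variant: only record the requests while parsing and combine them
 * afterwards, with an explicit disable always winning. */
int resolve_deferred(const struct directive *cfg, size_t n, const char *name)
{
	int enable[N_VERSIONS] = { 0 }, disable[N_VERSIONS] = { 0 };
	int idx;

	for (size_t i = 0; i < n; i++) {
		idx = find_version(cfg[i].value);
		if (idx < 0)
			continue;
		if (strcmp(cfg[i].key, "supported-version") == 0)
			enable[idx] = 1;
		else if (strcmp(cfg[i].key, "disabled-version") == 0)
			disable[idx] = 1;
	}
	idx = find_version(name);
	if (idx < 0)
		return 0;
	return (VERSIONS[idx].compiled_supported || enable[idx]) && !disable[idx];
}

/* Soft enable: a supported version is used only if the priority string
 * selected it as well. */
int version_usable(int selected_by_priority, int supported)
{
	return selected_by_priority && supported;
}

int main(void)
{
	printf("immediate, supported first: %d\n",
	       resolve_immediate(CFG_SUPPORTED_FIRST, 2, "tls1.0"));
	printf("immediate, disabled first:  %d\n",
	       resolve_immediate(CFG_DISABLED_FIRST, 2, "tls1.0"));
	printf("deferred,  supported first: %d\n",
	       resolve_deferred(CFG_SUPPORTED_FIRST, 2, "tls1.0"));
	printf("deferred,  disabled first:  %d\n",
	       resolve_deferred(CFG_DISABLED_FIRST, 2, "tls1.0"));
	return 0;
}
```
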
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 07 Jan 2020 14:03:30 +0000
Subject: [gnutls-devel] GnuTLS | libgnutls: Add system-wide default-priority-string override. (!1158)

Dimitri John Ledkov created a merge request: https://gitlab.com/gnutls/gnutls/merge_requests/1158

Project:Branches: xnox/gnutls:override-default-priority to gnutls/gnutls:master
Author: Dimitri John Ledkov

libgnutls: Add system-wide default-priority-string override.

Add a description of the new feature/bug fix. Reference any relevant bugs.

## Checklist
* [ ] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [ ] Code modified for feature
* [ ] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
* [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:
* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1158

From gnutls-devel at lists.gnutls.org Tue Jan 7 16:18:13 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 07 Jan 2020 15:18:13 +0000
Subject: [gnutls-devel] GnuTLS | Issues require labels (#893)

Issue was closed by Nikos Mavrogiannopoulos

Issue #893: https://gitlab.com/gnutls/gnutls/issues/893

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/893

From gnutls-devel at lists.gnutls.org Tue Jan 7 16:53:56 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 07 Jan 2020 15:53:56 +0000
Subject: [gnutls-devel] GnuTLS | GnuTLS docs are not clear about thread-safety of intialization ? (#900)

Tim Rühsen created an issue: https://gitlab.com/gnutls/gnutls/issues/900

From https://curl.haxx.se/mail/lib-2020-01/0021.html

```
For GnuTLS 3.3.0 and later I *suspect* it inits itself in a thread-safe manner. Their docs isn't very clear on this subject: https://gnutls.org/manual/html_node/Initialization.html#Initialization
```

We should check the docs...

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/900

From gnutls-devel at lists.gnutls.org Tue Jan 7 17:12:16 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 07 Jan 2020 16:12:16 +0000
Subject: [gnutls-devel] GnuTLS | Check truncation of snprintf() (#901)
References:
Message-ID:

Tim Rühsen created an issue: https://gitlab.com/gnutls/gnutls/issues/901

It is possible that a truncation remains unnoticed and we continue working with truncated strings (filenames ?)... IMO not a good thing to do.

From Jeffrey Walton:

```
FYI...

On Sun, Dec 22, 2019 at 11:25 AM Jeffrey Walton wrote:
>
> Hi Everyone,
>
> I'm catching a dirty compile with GnuTLS 3.6.11.1 on Fedora 31.
>
> ...
> dn.c: In function 'append_elements':
> dn.c:83:9: warning: '.?' directive output may be truncated writing 2
> bytes into a region of size between 1 and 192 [-Wformat-truncation=]
> 83 | "%s.?%u", tmpbuffer1, k2);
> | ^~
> dn.c:83:6: note: directive argument in the range [1, 2147483647]
> 83 | "%s.?%u", tmpbuffer1, k2);
> | ^~~~~~~~
> dn.c:82:4: note: 'snprintf' output between 4 and 204 bytes into a
> destination of size 192
> 82 | snprintf(tmpbuffer2, sizeof(tmpbuffer2),
> | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> 83 | "%s.?%u", tmpbuffer1, k2);
> | ~~~~~~~~~~~~~~~~~~~~~~~~~
> libtool: compile: gcc -DHAVE_CONFIG_H -I. -I../.. -I./../../gl
> -I./../../gl -I./../includes -I./../includes -I./..
> -I/usr/local/include -DNDEBUG -Wtype-limits -fno-common -Wall
> -I/usr/local/include -I/usr/local/include
> -I/usr/local/include/p11-kit-1 -g2 -O2 -march=native -fPIC -pthread
> -MT prov-seed.lo -MD -MP -MF .deps/prov-seed.Tpo -c prov-seed.c -fPIC
> -DPIC -o .libs/prov-seed.o
> dn.c: In function '_gnutls_x509_parse_dn_oid':
> dn.c:368:10: warning: '.?' directive output may be truncated writing 2
> bytes into a region of size between 1 and 192 [-Wformat-truncation=]
> 368 | "%s.?%u", tmpbuffer1, k2);
> | ^~
> dn.c:368:7: note: directive argument in the range [1, 2147483647]
> 368 | "%s.?%u", tmpbuffer1, k2);
> | ^~~~~~~~
> dn.c:367:5: note: 'snprintf' output between 4 and 204 bytes into a
> destination of size 192
> 367 | snprintf(tmpbuffer2, sizeof(tmpbuffer2),
> | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> 368 | "%s.?%u", tmpbuffer1, k2);
> | ~~~~~~~~~~~~~~~~~~~~~~~~~
> attributes.c: In function '_x509_parse_attribute':
> attributes.c:138:9: warning: '.values.?' directive output may be
> truncated writing 9 bytes into a region of size between 1 and 192
> [-Wformat-truncation=]
> 138 | "%s.values.?%u", tmpbuffer1, indx + 1);
> | ^~~~~~~~~
> attributes.c:138:6: note: using the range [0, 4294967295] for directive argument
> 138 | "%s.values.?%u", tmpbuffer1, indx + 1);
> | ^~~~~~~~~~~~~~~
> attributes.c:137:4: note: 'snprintf' output between 11 and 211 bytes
> into a destination of size 192
> 137 | snprintf(tmpbuffer3, sizeof(tmpbuffer3),
> | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> 138 | "%s.values.?%u", tmpbuffer1, indx + 1);
> | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> dn.c: In function '_gnutls_x509_get_dn_oid':
> dn.c:528:10: warning: '.?' directive output may be truncated writing 2
> bytes into a region of size between 1 and 192 [-Wformat-truncation=]
> 528 | "%s.?%u", tmpbuffer1, k2);
> | ^~
> dn.c:528:7: note: directive argument in the range [1, 2147483647]
> 528 | "%s.?%u", tmpbuffer1, k2);
> | ^~~~~~~~
> dn.c:527:5: note: 'snprintf' output between 4 and 204 bytes into a
> destination of size 192
> 527 | snprintf(tmpbuffer2, sizeof(tmpbuffer2),
> | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> 528 | "%s.?%u", tmpbuffer1, k2);
> | ~~~~~~~~~~~~~~~~~~~~~~~~~
>
> ...
> extensions.c: In function '_gnutls_write_new_othername':
> extensions.c:803:36: warning: '.otherName.type-id' directive output
> may be truncated writing 18 bytes into a region of size between 1 and
> 128 [-Wformat-truncation=]
> 803 | snprintf(name2, sizeof(name2), "%s.otherName.type-id", name);
> | ^~~~~~~~~~~~~~~~~~
> extensions.c:803:2: note: 'snprintf' output between 19 and 146 bytes
> into a destination of size 128
> 803 | snprintf(name2, sizeof(name2), "%s.otherName.type-id", name);
> | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> extensions.c:812:36: warning: '.otherName.value' directive output may
> be truncated writing 16 bytes into a region of size between 1 and 128
> [-Wformat-truncation=]
> 812 | snprintf(name2, sizeof(name2), "%s.otherName.value", name);
> | ^~~~~~~~~~~~~~~~
> extensions.c:812:2: note: 'snprintf' output between 17 and 144 bytes
> into a destination of size 128
> 812 | snprintf(name2, sizeof(name2), "%s.otherName.value", name);
>
> ...
> verify-high2.c: In function 'load_dir_certs':
> verify-high2.c:407:40: warning: 'snprintf' output may be truncated
> before the last format character [-Wformat-truncation=]
> 407 | snprintf(path, sizeof(path), "%s/%s",
> | ^
> verify-high2.c:407:5: note: 'snprintf' output 2 or more bytes
> (assuming 257) into a destination of size 256
> 407 | snprintf(path, sizeof(path), "%s/%s",
> | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> 408 | dirname, d->d_name);
> | ~~~~~~~~~~~~~~~~~~~
```

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/901

From gnutls-devel at lists.gnutls.org Tue Jan 7 19:14:53 2020
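The truncation risk raised in issue #901 above, as an added example that is not part of the original messages or of the GnuTLS sources: a checked formatting helper beside plain `snprintf()`, using the `"%s.?%u"` and `"%s/%s"` formats and the 192- and 256-byte destination sizes from the quoted warnings. The names `fmt_checked`, `element_name`, `join_path`, `join_path_raw` and the sample directory and file names are assumptions made for this illustration.

```c
#include <errno.h>
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define NAME_BUF 192 /* destination size in the dn.c/attributes.c warnings */
#define PATH_BUF 256 /* destination size in the verify-high2.c warning */

/* Hypothetical helper, not a GnuTLS function: format into dst and treat
 * truncation as an error. Returns the string length on success or a
 * negative errno value; on failure dst is left as an empty string so a
 * cut-off name can never be used by accident. */
#if defined(__GNUC__)
__attribute__((format(printf, 3, 4)))
#endif
static int fmt_checked(char *dst, size_t dst_size, const char *fmt, ...)
{
	va_list ap;
	int n;

	if (dst == NULL || dst_size == 0)
		return -EINVAL;

	va_start(ap, fmt);
	n = vsnprintf(dst, dst_size, fmt, ap);
	va_end(ap);

	if (n < 0) { /* output error */
		dst[0] = '\0';
		return -EIO;
	}
	if ((size_t)n >= dst_size) { /* needs n bytes plus the NUL */
		dst[0] = '\0';
		return -ENAMETOOLONG;
	}
	return n;
}

/* "<parent>.?<index>", the element-name format from the dn.c warnings. */
static int element_name(char *out, size_t out_size,
			const char *parent, unsigned idx)
{
	return fmt_checked(out, out_size, "%s.?%u", parent, idx);
}

/* "<dir>/<file>", the format from the verify-high2.c warning. */
static int join_path(char *out, size_t out_size,
		     const char *dir, const char *file)
{
	return fmt_checked(out, out_size, "%s/%s", dir, file);
}

/* Plain snprintf(): out is always NUL-terminated and the return value is
 * the length the complete string would have had. The warned call sites
 * discard that value. */
static int join_path_raw(char *out, size_t out_size,
			 const char *dir, const char *file)
{
	return snprintf(out, out_size, "%s/%s", dir, file);
}

/* Constructed input: a 250-character directory name. */
static const char *long_dir(void)
{
	static char dir[251];

	memset(dir, 'd', sizeof(dir) - 1);
	dir[sizeof(dir) - 1] = '\0';
	return dir;
}

/* Returns 1 if plain snprintf() maps two different files to one path. */
static int raw_paths_collide(void)
{
	char a[PATH_BUF], b[PATH_BUF];
	int na = join_path_raw(a, sizeof(a), long_dir(), "root-A.pem");
	int nb = join_path_raw(b, sizeof(b), long_dir(), "root-B.pem");

	return na >= PATH_BUF && nb >= PATH_BUF && strcmp(a, b) == 0;
}

/* Returns the checked helper's verdict on the same over-long path. */
static int checked_long_path(void)
{
	char a[PATH_BUF];

	return join_path(a, sizeof(a), long_dir(), "root-A.pem");
}

int main(void)
{
	char name[NAME_BUF];
	int n = element_name(name, sizeof(name), "rdnSequence.?1", 2);

	printf("raw snprintf collides: %d\n", raw_paths_collide());
	printf("checked helper returns: %d (-ENAMETOOLONG is %d)\n",
	       checked_long_path(), -ENAMETOOLONG);
	printf("element name (%d bytes): %s\n", n, name);
	return 0;
}
```

With the unchecked call both file names end up as the same 255-character path; the checked helper returns an error so the caller can skip the entry or fail the operation.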
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 07 Jan 2020 18:14:53 +0000 Subject: [gnutls-devel] GnuTLS | libgnutls: Add system-wide default-priority-string override. (!1158) In-Reply-To: References: Message-ID: Dimitri John Ledkov pushed new commits to merge request !1158 https://gitlab.com/gnutls/gnutls/merge_requests/1158 * bb06691e - libgnutls: Add system-wide default-priority-string override. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1158 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Jan 7 21:14:42 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 07 Jan 2020 20:14:42 +0000
Subject: [gnutls-devel] GnuTLS | gnutls_handshake is slow on some Android devices (Android 9) (#902)
References:
Message-ID:

Sébastien Blin created an issue: https://gitlab.com/gnutls/gnutls/issues/902

Hi.

I am a Jami dev and we have used GnuTLS for a long time, so first, thank you so much for the lib.

During the last 3 days I was debugging an issue we have had for some days on some Android devices (mostly Android 9 devices, tested with a One Plus 5).

In fact, this bug revealed another bug we have had for a long time, introduced by: https://git.jami.net/savoirfairelinux/ring-daemon/commit/0b2db06aaf1ce4f53d2e0ca6fff7736b916ed571 "contrib: update gnutls to 3.6.10"

With this patch, and for now, only on Android 9 (I also tried with 7 and 10, it does not seem reproducible). I don't have feedback for iOS for now. I didn't reproduce it on Windows, macOS or GNU/Linux.

However, between gnutls 3.6.7 and gnutls 3.6.8 I observed, on the Android 9 device, a big delay during the gnutls_handshake. Indeed, creating a SIP call takes about 2 sec when built with gnutls 3.6.7, and 5 seconds with gnutls 3.6.8.

So I am wondering: Did gnutls_handshake get a major modification between 3.6.8 and 3.6.7? Do you know what can cause this regression? If I can do anything to help you more? If anybody else has a similar problem.

All versions since 3.6.8 seem impacted. 3.6.7 is not.

Have a nice day,

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/902

From gnutls-devel at lists.gnutls.org Wed Jan 8 02:10:23 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 08 Jan 2020 01:10:23 +0000 Subject: [gnutls-devel] GnuTLS | libgnutls: Add system-wide default-priority-string override. (!1158) In-Reply-To: References: Message-ID: Dimitri John Ledkov started a new discussion on lib/priority.c: https://gitlab.com/gnutls/gnutls/merge_requests/1158#note_268378545 > #define OVERRIDES_SECTION "overrides" > #define MAX_ALGO_NAME 128 > > +static void _clear_default_system_priority(void) > +{ > + if (system_wide_default_priority_string) { > + gnutls_free(_gnutls_default_priority_string); Not sure if this is a correct use of `gnutls_free` or if `free` should be used. Allocated with `strdup()`. Also, I wonder if there is some kind of a maximum length priority string, to statically allocate this. But maybe not (or like too large). -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1158#note_268378545 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Jan 8 02:16:21 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 08 Jan 2020 01:16:21 +0000 Subject: [gnutls-devel] GnuTLS | libgnutls: Add system-wide default-priority-string override. (!1158) In-Reply-To: References: Message-ID: Dimitri John Ledkov commented on a discussion on lib/priority.c: https://gitlab.com/gnutls/gnutls/merge_requests/1158#note_268379235 > #define OVERRIDES_SECTION "overrides" > #define MAX_ALGO_NAME 128 > > +static void _clear_default_system_priority(void) > +{ > + if (system_wide_default_priority_string) { > + gnutls_free(_gnutls_default_priority_string); Oh, there is MAX_ALGO_NAME, just there.... I guess 128 would be the longest priority string one can specify as an override. A bit restrictive, but should be enough to do something sensible, and then like use disable-* things to tweak it further. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1158#note_268379235 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Jan 8 03:48:41 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 08 Jan 2020 02:48:41 +0000 Subject: [gnutls-devel] GnuTLS | Compiled-in, yet unsupported by default, TLS versions (!1157) In-Reply-To: References: Message-ID: Dimitri John Ledkov pushed new commits to merge request !1157 https://gitlab.com/gnutls/gnutls/merge_requests/1157 * b600d821 - Address review comment re:disabled-versions and add more tests. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1157 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Jan 8 04:08:02 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 08 Jan 2020 03:08:02 +0000 Subject: [gnutls-devel] GnuTLS | Compiled-in, yet unsupported by default, TLS versions (!1157) In-Reply-To: References: Message-ID: Dimitri John Ledkov pushed new commits to merge request !1157 https://gitlab.com/gnutls/gnutls/merge_requests/1157 * 504cf7ed - Use defines for supported field. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1157 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Jan 8 04:08:10 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 08 Jan 2020 03:08:10 +0000 Subject: [gnutls-devel] GnuTLS | Compiled-in, yet unsupported by default, TLS versions (!1157) In-Reply-To: References: Message-ID: All discussions on Merge Request !1157 were resolved by Dimitri John Ledkov https://gitlab.com/gnutls/gnutls/merge_requests/1157 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1157 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Jan 8 04:18:37 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 08 Jan 2020 03:18:37 +0000 Subject: [gnutls-devel] GnuTLS | Compiled-in, yet unsupported by default, TLS versions (!1157) In-Reply-To: References: Message-ID: Dimitri John Ledkov started a new discussion on lib/algorithms/protocols.c: https://gitlab.com/gnutls/gnutls/merge_requests/1157#note_268397528 > .major = 3, > .minor = 1, > .transport = GNUTLS_STREAM, > - .supported = 1, > + .supported = TLS1_0_SUPPORTED, I've addressed to ensure that `disabled-version =` trumps `supported-version =`, whilst both fiddle with `.supported` field. I now wonder if the code will be simpler if I use `supported-version =` config option to toggle `.obsolete = TLS1_0_SUPPORTED` field. Thus, keeping it completely separate from `disabled-version=`/`.supported`. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1157#note_268397528 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Jan 8 08:40:59 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 08 Jan 2020 07:40:59 +0000 Subject: [gnutls-devel] GnuTLS | gnutls_handshake is slow on some Android devices (Android 9) (#902) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos commented: The numbers you present seem quite high for a handshake. What values do you see in `gnutls-cli --benchmark-tls-kx` before and after 3.6.8? There is nothing obvious in the changelog that could have caused a performance regression. Do you use some special mode (e.g., FIPS), and specific ciphersuites? What ciphersuites do you see in the handshakes you describe? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/902#note_268455999 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Jan 8 08:54:06 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 08 Jan 2020 07:54:06 +0000 Subject: [gnutls-devel] GnuTLS | Check truncation of snprintf() (#901) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos commented: I'm marking it as backlog, as I do not see an immediate practical value. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/901#note_268460020 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Jan 8 09:00:32 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 08 Jan 2020 08:00:32 +0000
Subject: [gnutls-devel] GnuTLS | GnuTLS docs are not clear about thread-safety of intialization ? (#900)
In-Reply-To:
References:
Message-ID:

Nikos Mavrogiannopoulos commented:

I am not sure what is the request here. `gnutls_global_init` should not be called after 3.3.0 thus it shouldn't matter whether it is thread safe or not (for the record it is). If the request is to document that it is thread safe, we could provide that, but we already say that gnutls is thread safe by design: https://www.gnutls.org/manual/gnutls.html#Thread-safety

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/900#note_268462127

From gnutls-devel at lists.gnutls.org Wed Jan 8 09:52:55 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 08 Jan 2020 08:52:55 +0000
Subject: [gnutls-devel] GnuTLS | GnuTLS docs are not clear about thread-safety of intialization ? (#900)
In-Reply-To:
References:
Message-ID:

Tim Rühsen commented:

Ok, but people seem to miss this. The report is from "the real world"... people may read docs in other ways than we do.

IMO, there should *at least* be some words about the thread-safety of gnutls_global_init, together with a link to the Thread-safety section you mention.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/900#note_268484096

From gnutls-devel at lists.gnutls.org Wed Jan 8 13:29:37 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 08 Jan 2020 12:29:37 +0000
Subject: [gnutls-devel] GnuTLS | Compiled-in, yet unsupported by default, TLS versions (!1157)
In-Reply-To:
References:
Message-ID:

Nikos Mavrogiannopoulos commented:

> Yes the proposed implementation in this PR is currently buggy, I will fix it up. The intention was for disabled-version to trump supported-version.

> "expectations in terms of minimum security" is never a one-way street. What may be universally viewed as secure/insecure, may not be viewed as such by someone else. For example, using "disabled-versions = tls1.3" is usually done out of distrust or lack of current compliance, rather than because tls1.3 is broken. Or disabling/enabling ECC/GOST/etc.

True. This is also the reason I think changing the approach is a slippery slope. The approach you are suggesting is not limited to protocol versions only, it will need to extend to hash algorithms (sha1, etc) as they become deprecated, or key exchange algorithms. That cannot be done with this patch set. The minimum bar configuration will still be there, however there will be some different config option for the protocols.

> Plus I want to introduce a distinction, between what is not compiled in (ie. the removed GPG support), and what is compiled in (TLS1.3) and what is compiled-in yet not enabled by default (i.e. TLS1.0 or GOST, or FIPS, or invest NOT-GOST). So yes, this is a soft-disable, to make it just enough annoying for people to move off TLS1.0. I cannot just drop TLS1.0 just yet, without allowing users to access it unfortunately, but I must start sunsetting it. TLSv1.2 is at 96.5% support in the SSL Pulse. Meaning 3.5% public sites (+ lots private ones) will be inaccessible if I just drop TLS1.0, thus an escape hatch is needed. Eventually I would want to stop compiling TLS1.0/1.1 support at all, but I envision that might only be viable in 2-4 years time.

> In Debian and Ubuntu, we currently do not ship a gnutls configuration file. Introducing a configuration file is cumbersome (this is to say users will be grumpy, given that previously it was not required). It can be bypassed with an environment variable. And one has to ensure that the configuration file is copied around into chroots/containers/initrd/snap along with the library. And any LSM confinements (apparmor,selinux,smack,etc) need to be adjusted to permit access to it. Overall, I wouldn't want to rely on neglecting to copy a config file around to enforce a particular distributor minimum requirements.

`chroot()` environments do not have an issue with the configuration because it is loaded at process load, before chroot. Containers the same as they are built from packages and you have direct control on the dependencies. You've got a point though with the fact that a specific confinement can restrict control of the configuration file and we have no way to enforce its reading.

> To contrast, Fedora, for example, compiles gnutls with default priority string set to "@system" meaning that the library has never worked, unless a config file that defines SYSTEM is available *or* the app specifies their own priority string.

There are few options that I see here.

- One that you suggest is to change the logic and have the built-in be the "default" level that a distribution may want. That would require though a re-framing of the config as it is now, to make it possible to raise/lower the default bar according to what is desired, in all algorithm sets.
- The other is simpler, and is to add an option to error when the default configuration file is not present. That way a distributor can be assured that its configuration is used or the application fails.

@lumag @xnox What do you think?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1157#note_268598770
-------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Jan 8 13:33:48 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 08 Jan 2020 12:33:48 +0000 Subject: [gnutls-devel] GnuTLS | libgnutls: Add system-wide default-priority-string override. (!1158) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos commented on a discussion on lib/priority.c: https://gitlab.com/gnutls/gnutls/merge_requests/1158#note_268600620 > #define OVERRIDES_SECTION "overrides" > #define MAX_ALGO_NAME 128 > > +static void _clear_default_system_priority(void) > +{ > + if (system_wide_default_priority_string) { > + gnutls_free(_gnutls_default_priority_string); Unfortunately priority strings can get quite long when a specific option is required (e.g., when starting with `NONE`). I think leaving it to use allocated memory is fine. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1158#note_268600620 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Jan 8 13:36:17 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 08 Jan 2020 12:36:17 +0000 Subject: [gnutls-devel] GnuTLS | libgnutls: Add system-wide default-priority-string override. (!1158) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos commented on a discussion on lib/priority.c: https://gitlab.com/gnutls/gnutls/merge_requests/1158#note_268601921 > #define OVERRIDES_SECTION "overrides" > #define MAX_ALGO_NAME 128 > > +static void _clear_default_system_priority(void) > +{ > + if (system_wide_default_priority_string) { > + gnutls_free(_gnutls_default_priority_string); You can use `gnutls_strdup()` instead. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1158#note_268601921 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Jan 8 13:40:30 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 08 Jan 2020 12:40:30 +0000 Subject: [gnutls-devel] GnuTLS | libgnutls: Add system-wide default-priority-string override. (!1158) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos started a new discussion on tests/system-override-default-priority-string.sh: https://gitlab.com/gnutls/gnutls/merge_requests/1158#note_268604006 > + fail "expected connection to fail (2)" > + > +export GNUTLS_SYSTEM_PRIORITY_FILE="${STOCK_PRIORITY}" > +"${CLI}" -p "${PORT}" 127.0.0.1 --priority "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.3" --insecure --logfile ${TMPFILE2} /dev/null || > + fail "expected connection to succeed (1)" > + > +kill ${PID} > +wait > + > +cat <<_EOF_ > ${TMPFILE} > +SYSTEM=NORMAL > +[overrides] > +default-priority-string = > +_EOF_ > + > +# Check that an empty default-priority-string results in an built-one being used Why succeed on that case? Shouldn't an empty one be reported as a misconfiguration? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1158#note_268604006 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Jan 8 13:42:17 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 08 Jan 2020 12:42:17 +0000 Subject: [gnutls-devel] GnuTLS | libgnutls: Add system-wide default-priority-string override. (!1158) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos commented on a discussion on tests/system-override-default-priority-string.sh: https://gitlab.com/gnutls/gnutls/merge_requests/1158#note_268604922 > + fail "expected connection to fail (2)" > + > +export GNUTLS_SYSTEM_PRIORITY_FILE="${STOCK_PRIORITY}" > +"${CLI}" -p "${PORT}" 127.0.0.1 --priority "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.3" --insecure --logfile ${TMPFILE2} /dev/null || > + fail "expected connection to succeed (1)" > + > +kill ${PID} > +wait > + > +cat <<_EOF_ > ${TMPFILE} > +SYSTEM=NORMAL > +[overrides] > +default-priority-string = > +_EOF_ > + > +# Check that an empty default-priority-string results in an built-one being used Hmmm, I see that fail on invalid is unset. Please ignore this comment. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1158#note_268604922 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Jan 8 13:43:35 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 08 Jan 2020 12:43:35 +0000 Subject: [gnutls-devel] GnuTLS | libgnutls: Add system-wide default-priority-string override. (!1158) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos commented: That looks good to me. @lumag any concerns? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1158#note_268605554 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Jan 8 17:45:23 2020 
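Review bot: in the quoted tests/system-override-default-priority-string.sh hunk, `${TMPFILE2}`, `${PID}` and the heredoc target `${TMPFILE}` are expanded unquoted, while `"${CLI}"` and `"${PORT}"` on the same lines are quoted. Quote them consistently so the test does not break on a temporary path containing spaces, and reword the comment "an built-one being used" so it states which priority string the empty override is expected to fall back to.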
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 08 Jan 2020 16:45:23 +0000 Subject: [gnutls-devel] GnuTLS | libgnutls: Add system-wide default-priority-string override. (!1158) In-Reply-To: References: Message-ID: Dmitry Eremin-Solenikov started a new discussion on lib/priority.c: https://gitlab.com/gnutls/gnutls/merge_requests/1158#note_268751226 > if (ret < 0) > return 0; > } else if (c_strcasecmp(section, OVERRIDES_SECTION)==0) { > - if (c_strcasecmp(name, "insecure-hash")==0) { > + if (c_strcasecmp(name, "default-priority-string")==0) { > + _clear_default_system_priority(); > + p = clear_spaces(value, str); > + _gnutls_debug_log("cfg: setting default-priority-string to %s\n", p); > + if (strlen(p) > 0) { > + _gnutls_default_priority_string = strdup(p); `gnutls_strdup()` here please. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1158#note_268751226 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Jan 8 17:46:27 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 08 Jan 2020 16:46:27 +0000 Subject: [gnutls-devel] GnuTLS | libgnutls: Add system-wide default-priority-string override. (!1158) In-Reply-To: References: Message-ID: Dmitry Eremin-Solenikov started a new discussion on lib/priority.c: https://gitlab.com/gnutls/gnutls/merge_requests/1158#note_268751770 > if (ret < 0) > return 0; > } else if (c_strcasecmp(section, OVERRIDES_SECTION)==0) { > - if (c_strcasecmp(name, "insecure-hash")==0) { > + if (c_strcasecmp(name, "default-priority-string")==0) { > + _clear_default_system_priority(); > + p = clear_spaces(value, str); > + _gnutls_debug_log("cfg: setting default-priority-string to %s\n", p); > + if (strlen(p) > 0) { > + _gnutls_default_priority_string = strdup(p); > + if (!_gnutls_default_priority_string) { > + _gnutls_debug_log("cfg: failed setting default-priority-string %d\n", > + errno); Reset it to `DEFAULT_PRIORITY_STRING`? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1158#note_268751770 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Jan 8 17:47:19 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 08 Jan 2020 16:47:19 +0000 Subject: [gnutls-devel] GnuTLS | libgnutls: Add system-wide default-priority-string override. (!1158) In-Reply-To: References: Message-ID: Dmitry Eremin-Solenikov started a new discussion on tests/system-override-default-priority-string.sh: https://gitlab.com/gnutls/gnutls/merge_requests/1158#note_268752126 > +fi > + > +if test "${WINDIR}" != ""; then > + exit 77 > +fi > + > +. "${srcdir}/scripts/common.sh" > + > +export GNUTLS_DEBUG_LEVEL=3 > +KEY1=${srcdir}/../doc/credentials/x509/key-rsa.pem > +CERT1=${srcdir}/../doc/credentials/x509/cert-rsa.pem > + > +cat <<_EOF_ > ${TMPFILE} > +[overrides] > +default-priority-string = NONE > +_EOF_ You can put this into static data file. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1158#note_268752126 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Jan 8 17:49:54 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 08 Jan 2020 16:49:54 +0000 Subject: [gnutls-devel] GnuTLS | libgnutls: Add system-wide default-priority-string override. (!1158) In-Reply-To: References: Message-ID: Dmitry Eremin-Solenikov commented on a discussion: https://gitlab.com/gnutls/gnutls/merge_requests/1158#note_268753317 I like this idea. It would allow one to globally enable e.g. GOST ciphersuites (or disable AES+SHA if one would like to). -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1158#note_268753317 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Jan 8 18:09:33 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 08 Jan 2020 17:09:33 +0000 Subject: [gnutls-devel] GnuTLS | x509: reject certificates having duplicate extensions (!1145) In-Reply-To: References: Message-ID: Merge Request !1145 was approved by Dmitry Eremin-Solenikov Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/1145 Project:Branches: nmav/gnutls:tmp-check-dup-extensions to gnutls/gnutls:master Author: Nikos Mavrogiannopoulos Assignees: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1145 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Jan 8 18:19:08 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 08 Jan 2020 17:19:08 +0000 Subject: [gnutls-devel] GnuTLS | Provide flag to identify sessions that an OCSP response was requested (!1131) In-Reply-To: References: Message-ID: Dmitry Eremin-Solenikov commented: Looks good to me. Does it cover the needs of @j29280? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1131#note_268766382 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Jan 8 18:19:13 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 08 Jan 2020 17:19:13 +0000 Subject: [gnutls-devel] GnuTLS | Provide flag to identify sessions that an OCSP response was requested (!1131) In-Reply-To: References: Message-ID: Merge Request !1131 was approved by Dmitry Eremin-Solenikov Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/1131 Project:Branches: nmav/gnutls:tmp-ocsp-check to gnutls/gnutls:master Author: Nikos Mavrogiannopoulos Assignees: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1131 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Jan 8 19:16:19 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 08 Jan 2020 18:16:19 +0000
Subject: [gnutls-devel] GnuTLS | ocsp: set GNUTLS_CERT_INVALID if OCSP response indicates revocation (!1159)
References:
Message-ID:

Daiki Ueno created a merge request: https://gitlab.com/gnutls/gnutls/merge_requests/1159

Branches: tmp-ocsp-revocation to master
Author: Daiki Ueno

This makes the OCSP based certificate verification adhere to the convention used throughout the library:

"The 'GNUTLS_CERT_INVALID' flag is always set on a verification error and more detailed flags will also be set when appropriate."

## Checklist
* [x] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [ ] Code modified for feature
* [x] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
* [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:
* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1159

From gnutls-devel at lists.gnutls.org Wed Jan 8 20:09:17 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 08 Jan 2020 19:09:17 +0000 Subject: [gnutls-devel] GnuTLS | support non-NULL-terminated PSKs (!917) In-Reply-To: References: Message-ID: Ander Juaristi commented on a discussion on lib/auth/psk_passwd.c: https://gitlab.com/gnutls/gnutls/merge_requests/917#note_268804100 > + > +static bool username_matches(const gnutls_datum_t *username, > + const char *line, size_t line_size) > +{ > + int retval; > + unsigned i; > + gnutls_datum_t hexline, hex_username = { NULL, 0 }; > + > + /* move to first ':' */ > + i = 0; > + while ((i < line_size) && (line[i] != '\0') > + && (line[i] != ':')) { > + i++; > + } > + > + if (line[0] == '#') { Thank you, good catch. Fixed. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/917#note_268804100 From gnutls-devel at lists.gnutls.org Wed Jan 8 20:15:31 2020
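Review bot: in the `username_matches()` hunk quoted above from lib/auth/psk_passwd.c, `line[0] == '#'` is read without first checking that `line_size` is non-zero, and the comment test only runs after the loop has already scanned the line for ':'. Moving the test ahead of the scan as `line_size > 0 && line[0] == '#'` keeps an empty buffer from being dereferenced and skips comment lines before any work is done on them.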
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 08 Jan 2020 19:15:31 +0000 Subject: [gnutls-devel] GnuTLS | support non-NULL-terminated PSKs (!917) In-Reply-To: References: Message-ID: Ander Juaristi commented on a discussion on lib/psk.c: https://gitlab.com/gnutls/gnutls/merge_requests/917#note_268805993 > if (info == NULL) > return NULL; > > - if (info->username[0] != 0) > + if (info->username[0] != 0 && !_gnutls_has_embedded_null(info->username, info->username_len)) Yes. See: https://gitlab.com/gnutls/gnutls/blob/ajuaristi-issue-586/lib/auth/psk.h#L76 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/917#note_268805993 From gnutls-devel at lists.gnutls.org Wed Jan 8 20:18:30 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 08 Jan 2020 19:18:30 +0000 Subject: [gnutls-devel] GnuTLS | support non-NULL-terminated PSKs (!917) In-Reply-To: References: Message-ID: Ander Juaristi commented on a discussion on lib/str.h: https://gitlab.com/gnutls/gnutls/merge_requests/917#note_268806941 > return 1; > } > > +inline static int _gnutls_has_embedded_null(const char *str, unsigned size) I don't know. IIRC this function was already implemented somewhere else, and I just copied it here, made it static, and removed it from all the other places. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/917#note_268806941 From gnutls-devel at lists.gnutls.org Wed Jan 8 20:20:35 2020
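Review bot: the new condition in the lib/psk.c hunk quoted above makes a username with an embedded NUL take the same path as an empty one, and nothing in the visible lines tells the caller which of the two happened. The function's documentation should state what is returned when the stored username contains a NUL byte and point to the length-aware way of reading it; the added line also runs well past 80 columns and would read better split after the `&&`.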
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 08 Jan 2020 19:20:35 +0000 Subject: [gnutls-devel] GnuTLS | Extend GOST priority settings and documentation (!1160) References: Message-ID: Dmitry Eremin-Solenikov created a merge request: https://gitlab.com/gnutls/gnutls/merge_requests/1160 Project:Branches: GostCrypt/gnutls:gost-priorities to gnutls/gnutls:master Author: Dmitry Eremin-Solenikov Add a description of the new feature/bug fix. Reference any relevant bugs. ## Checklist * [x] Commits have `Signed-off-by:` with name/author being identical to the commit author * [x] Code modified for feature * [x] Test suite updated with functionality tests * [ ] Test suite updated with negative tests * [x] Documentation updated / NEWS entry present (for non-trivial changes) * [x] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout) ## Reviewer's checklist: * [ ] Any issues marked for closing are addressed * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md` * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1160 From gnutls-devel at lists.gnutls.org Wed Jan 8 20:22:26 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 08 Jan 2020 19:22:26 +0000 Subject: [gnutls-devel] GnuTLS | Extend GOST priority settings and documentation (!1160) In-Reply-To: References: Message-ID: Dmitry Eremin-Solenikov commented: This allows one to use `NONE:+VERS-TLS1.2:+GOST-ALL` as GOST-only priority string. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1160#note_268808466 From gnutls-devel at lists.gnutls.org Wed Jan 8 21:57:02 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 08 Jan 2020 20:57:02 +0000 Subject: [gnutls-devel] GnuTLS | Extend GOST priority settings and documentation (!1160) In-Reply-To: References: Message-ID: Dmitry Eremin-Solenikov commented: Hmmm. ``` /builds/GostCrypt/gnutls/tests/suite/tls-fuzzer/tlsfuzzer /builds/GostCrypt/gnutls/tests/suite INFO:__main__:Server process started INFO:__main__:test-tls13-certificate-verify.py:started server:stderr:|<3>| ASSERT: attributes.c[_x509_parse_attribute]:103 server:stderr:|<3>| ASSERT: attributes.c[_x509_parse_attribute]:174 server:stderr:|<3>| ASSERT: x509_ext.c[gnutls_subject_alt_names_get]:110 server:stderr:|<3>| ASSERT: x509.c[get_alt_name]:1816 server:stderr:|<3>| ASSERT: mpi.c[wrap_nettle_mpi_print]:60 server:stderr:HTTP Server listening on IPv4 0.0.0.0 port 53240...bind() failed: Address already in use server:stderr:HTTP Server listening on IPv6 :: port 53240...done ``` -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1160#note_268836002 From gnutls-devel at lists.gnutls.org Wed Jan 8 23:45:04 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 08 Jan 2020 22:45:04 +0000 Subject: [gnutls-devel] GnuTLS | MAGMA/KUZNYECHIK CTR-ACPKM and CMAC support (!1161) References: Message-ID: Dmitry Eremin-Solenikov created a merge request: https://gitlab.com/gnutls/gnutls/merge_requests/1161 Project:Branches: GostCrypt/gnutls:gost-split-6 to gnutls/gnutls:master Author: Dmitry Eremin-Solenikov As a part of GOST-CTR ciphersuite support add support for following algorithms: * MAGMA-CTR-ACPKM cipher * KUZNYECHIK-CTR-ACPKM cipher * MAGMA-CMAC MAC * KUZNYECHIK-CMAC MAC ## Checklist * [x] Commits have `Signed-off-by:` with name/author being identical to the commit author * [x] Code modified for feature * [x] Test suite updated with functionality tests * [ ] Test suite updated with negative tests * [ ] Documentation updated / NEWS entry present (for non-trivial changes) * [x] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout) ## Reviewer's checklist: * [ ] Any issues marked for closing are addressed * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md` * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1161 From gnutls-devel at lists.gnutls.org Thu Jan 9 03:13:41 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 09 Jan 2020 02:13:41 +0000 Subject: [gnutls-devel] GnuTLS | fuzzying: add GOST traces and certificates (#880) In-Reply-To: References: Message-ID: Dmitry Eremin-Solenikov commented: @nmav I've now prepared files for all fuzzers except client/server ones. 1. Should I extend pkcs12 fuzzer with using password for those files or we are fine having just "1234" (not a valid password)? 2. How to submit these files? Would you like to review them somehow? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/880#note_268910567 From gnutls-devel at lists.gnutls.org Thu Jan 9 06:17:24 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 09 Jan 2020 05:17:24 +0000 Subject: [gnutls-devel] GnuTLS | ocsp: set GNUTLS_CERT_INVALID if OCSP response indicates revocation (!1159) In-Reply-To: References: Message-ID: Daiki Ueno pushed new commits to merge request !1159 https://gitlab.com/gnutls/gnutls/merge_requests/1159 * 459383cb - tests: add test for revoked OCSP response -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1159 From gnutls-devel at lists.gnutls.org Thu Jan 9 07:50:25 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 09 Jan 2020 06:50:25 +0000 Subject: [gnutls-devel] GnuTLS | gnutls accepts certificates including two instance of a particular extension (#887) In-Reply-To: References: Message-ID: Issue was closed by Nikos Mavrogiannopoulos via merge request !1145 (https://gitlab.com/gnutls/gnutls/merge_requests/1145) Issue #887: https://gitlab.com/gnutls/gnutls/issues/887 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/887 From gnutls-devel at lists.gnutls.org Thu Jan 9 07:50:26 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 09 Jan 2020 06:50:26 +0000 Subject: [gnutls-devel] GnuTLS | x509: reject certificates having duplicate extensions (!1145) In-Reply-To: References: Message-ID: Merge Request !1145 was merged Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/1145 Project:Branches: nmav/gnutls:tmp-check-dup-extensions to gnutls/gnutls:master Author: Nikos Mavrogiannopoulos Assignees: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1145 From gnutls-devel at lists.gnutls.org Thu Jan 9 09:17:08 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 09 Jan 2020 08:17:08 +0000 Subject: [gnutls-devel] GnuTLS | Add CRL and CRQ fuzzers (#903) References: Message-ID: Dmitry Eremin-Solenikov created an issue: https://gitlab.com/gnutls/gnutls/issues/903 Currently we fuzzy test parsing of certificates, private keys and pkcs7/8/12 files. It would be good to fuzzy test parsing of certificate requests and certificate revocation lists. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/903 From gnutls-devel at lists.gnutls.org Thu Jan 9 10:15:02 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 09 Jan 2020 09:15:02 +0000 Subject: [gnutls-devel] GnuTLS | Use 'make -j' with higher values for CI builds and tests (!1154) In-Reply-To: References: Message-ID: All discussions on Merge Request !1154 were resolved by Tim Rühsen https://gitlab.com/gnutls/gnutls/merge_requests/1154 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1154 From gnutls-devel at lists.gnutls.org Thu Jan 9 10:18:47 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 09 Jan 2020 09:18:47 +0000 Subject: [gnutls-devel] GnuTLS | ocsp: set GNUTLS_CERT_INVALID if OCSP response indicates revocation (!1159) In-Reply-To: References: Message-ID: Tim Rühsen started a new discussion on lib/cert-session.c: https://gitlab.com/gnutls/gnutls/merge_requests/1159#note_269031202 > _gnutls_audit_log(session, > "The certificate was revoked via OCSP\n"); > check_failed = 1; > + *ostatus |= GNUTLS_CERT_INVALID; Regarding the commit message: why not set both flags ? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1159#note_269031202 From gnutls-devel at lists.gnutls.org Thu Jan 9 10:19:26 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 09 Jan 2020 09:19:26 +0000 Subject: [gnutls-devel] GnuTLS | ocsp: set GNUTLS_CERT_INVALID if OCSP response indicates revocation (!1159) In-Reply-To: References: Message-ID: Tim Rühsen started a new discussion on tests/status-request-revoked.c: https://gitlab.com/gnutls/gnutls/merge_requests/1159#note_269031583 > +/* > + * Copyright (C) 2015 Nikos Mavrogiannopoulos Is this correct ? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1159#note_269031583 From gnutls-devel at lists.gnutls.org Thu Jan 9 10:23:34 2020
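Review bot: the added `*ostatus |= GNUTLS_CERT_INVALID;` in the lib/cert-session.c hunk quoted above changes the status word applications receive on the OCSP-revoked path, while the merge request's checklist leaves the documentation/NEWS box unticked. A NEWS entry stating that a revocation reported via OCSP now also sets GNUTLS_CERT_INVALID would tell callers that compare the status for equality, rather than testing individual bits, that they need to adjust.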
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 09 Jan 2020 09:23:34 +0000 Subject: [gnutls-devel] GnuTLS | ocsp: set GNUTLS_CERT_INVALID if OCSP response indicates revocation (!1159) In-Reply-To: References: Message-ID: Tim Rühsen started a new discussion on tests/status-request-revoked.c: https://gitlab.com/gnutls/gnutls/merge_requests/1159#note_269034009 > + > + gnutls_certificate_set_verify_function(x509_cred, > + cert_verify_callback); > + > + gnutls_certificate_set_x509_trust_mem(x509_cred, &ca_cert, GNUTLS_X509_FMT_PEM); > + > + gnutls_transport_set_int(session, fd); > + > + /* Perform the TLS handshake > + */ > + do { > + ret = gnutls_handshake(session); > + } > + while (ret < 0 && gnutls_error_is_fatal(ret) == 0); > + > + if (ret == GNUTLS_E_UNSUPPORTED_SIGNATURE_ALGORITHM) { Why is it a success if we see GNUTLS_E_UNSUPPORTED_SIGNATURE_ALGORITHM here ? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1159#note_269034009 From gnutls-devel at lists.gnutls.org Thu Jan 9 10:42:35 2020
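Review bot: in the tests/status-request-revoked.c hunk quoted above, the return value of `gnutls_certificate_set_x509_trust_mem()` is discarded. If the CA fails to load, verification would fail for lack of a trust anchor rather than because of the revoked OCSP response, and the test could pass for the wrong reason; check that the call returns a positive count and fail the test otherwise.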
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 09 Jan 2020 09:42:35 +0000 Subject: [gnutls-devel] GnuTLS | ocsp: set GNUTLS_CERT_INVALID if OCSP response indicates revocation (!1159) In-Reply-To: References: Message-ID: Daiki Ueno commented on a discussion on lib/cert-session.c: https://gitlab.com/gnutls/gnutls/merge_requests/1159#note_269045999 > _gnutls_audit_log(session, > "The certificate was revoked via OCSP\n"); > check_failed = 1; > + *ostatus |= GNUTLS_CERT_INVALID; I don't quite get it: do you mean to write: `*ostatus |= GNUTLS_CERT_INVALID | GNUTLS_CERT_REVOKED` in a single line instead of two lines? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1159#note_269045999 From gnutls-devel at lists.gnutls.org Thu Jan 9 10:49:38 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 09 Jan 2020 09:49:38 +0000 Subject: [gnutls-devel] GnuTLS | ocsp: set GNUTLS_CERT_INVALID if OCSP response indicates revocation (!1159) In-Reply-To: References: Message-ID: Tim Rühsen commented on a discussion on lib/cert-session.c: https://gitlab.com/gnutls/gnutls/merge_requests/1159#note_269050820 > _gnutls_audit_log(session, > "The certificate was revoked via OCSP\n"); > check_failed = 1; > + *ostatus |= GNUTLS_CERT_INVALID; Sorry, somehow I saw the second line as red with a -. Now all is good (maybe I had hallucinations...) -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1159#note_269050820 From gnutls-devel at lists.gnutls.org Thu Jan 9 10:50:56 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 09 Jan 2020 09:50:56 +0000 Subject: [gnutls-devel] GnuTLS | ocsp: set GNUTLS_CERT_INVALID if OCSP response indicates revocation (!1159) In-Reply-To: References: Message-ID: Daiki Ueno pushed new commits to merge request !1159 https://gitlab.com/gnutls/gnutls/merge_requests/1159 * 1c337869 - tests: add test for revoked OCSP response -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1159 From gnutls-devel at lists.gnutls.org Thu Jan 9 10:51:17 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 09 Jan 2020 09:51:17 +0000 Subject: [gnutls-devel] GnuTLS | ocsp: set GNUTLS_CERT_INVALID if OCSP response indicates revocation (!1159) In-Reply-To: References: Message-ID: Daiki Ueno commented on a discussion on tests/status-request-revoked.c: https://gitlab.com/gnutls/gnutls/merge_requests/1159#note_269051841 > +/* > + * Copyright (C) 2015 Nikos Mavrogiannopoulos Updated. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1159#note_269051841 From gnutls-devel at lists.gnutls.org Thu Jan 9 10:51:38 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 09 Jan 2020 09:51:38 +0000 Subject: [gnutls-devel] GnuTLS | ocsp: set GNUTLS_CERT_INVALID if OCSP response indicates revocation (!1159) In-Reply-To: References: Message-ID: All discussions on Merge Request !1159 were resolved by Daiki Ueno https://gitlab.com/gnutls/gnutls/merge_requests/1159 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1159 From gnutls-devel at lists.gnutls.org Thu Jan 9 10:51:37 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 09 Jan 2020 09:51:37 +0000 Subject: [gnutls-devel] GnuTLS | ocsp: set GNUTLS_CERT_INVALID if OCSP response indicates revocation (!1159) In-Reply-To: References: Message-ID: Daiki Ueno commented on a discussion on tests/status-request-revoked.c: https://gitlab.com/gnutls/gnutls/merge_requests/1159#note_269051999 > + > + gnutls_certificate_set_verify_function(x509_cred, > + cert_verify_callback); > + > + gnutls_certificate_set_x509_trust_mem(x509_cred, &ca_cert, GNUTLS_X509_FMT_PEM); > + > + gnutls_transport_set_int(session, fd); > + > + /* Perform the TLS handshake > + */ > + do { > + ret = gnutls_handshake(session); > + } > + while (ret < 0 && gnutls_error_is_fatal(ret) == 0); > + > + if (ret == GNUTLS_E_UNSUPPORTED_SIGNATURE_ALGORITHM) { Good point, removed the check. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1159#note_269051999 From gnutls-devel at lists.gnutls.org Thu Jan 9 10:54:44 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 09 Jan 2020 09:54:44 +0000 Subject: [gnutls-devel] GnuTLS | ocsp: set GNUTLS_CERT_INVALID if OCSP response indicates revocation (!1159) In-Reply-To: References: Message-ID: Merge Request !1159 was approved by Tim Rühsen Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/1159 Branches: tmp-ocsp-revocation to master Author: Daiki Ueno Assignees: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1159 From gnutls-devel at lists.gnutls.org Thu Jan 9 11:00:31 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 09 Jan 2020 10:00:31 +0000 Subject: [gnutls-devel] GnuTLS | ocsp: set GNUTLS_CERT_INVALID if OCSP response indicates revocation (!1159) In-Reply-To: References: Message-ID: Daiki Ueno commented: Thanks for the review! -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1159#note_269057562 From gnutls-devel at lists.gnutls.org Thu Jan 9 12:01:16 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 09 Jan 2020 11:01:16 +0000 Subject: [gnutls-devel] GnuTLS | GnuTLS docs are not clear about thread-safety of intialization ? (#900) In-Reply-To: References: Message-ID: Daniel Stenberg commented: Tim's quote is from an email by me. I've written code using GnuTLS since 2005 and our code (curl) still works to build with older GnuTLS versions. We have calls to gnutls_global_init() in the code base. I decided I should check up on the current state of this function and need for it, and the docs for the function is still there and it says the function isn't thread-safe. Then I found this initialization page that says we don't need to call gnutls_global_init - but it doesn't explicitly say anything about thread safety. I didn't actually consider to then search for the dedicated thread-safety page, which I of course should have... -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/900#note_269093521 From gnutls-devel at lists.gnutls.org Thu Jan 9 12:55:25 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 09 Jan 2020 11:55:25 +0000 Subject: [gnutls-devel] GnuTLS | ocsp: set GNUTLS_CERT_INVALID if OCSP response indicates revocation (!1159) In-Reply-To: References: Message-ID: Daiki Ueno pushed new commits to merge request !1159 https://gitlab.com/gnutls/gnutls/merge_requests/1159 * ac913633 - tests: add test for revoked OCSP response -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1159 From gnutls-devel at lists.gnutls.org Thu Jan 9 13:06:32 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 09 Jan 2020 12:06:32 +0000 Subject: [gnutls-devel] GnuTLS | doc: clarify thread safeness in gnutls_global_init() [ci skip] (!1162) References: Message-ID: Nikos Mavrogiannopoulos created a merge request: https://gitlab.com/gnutls/gnutls/merge_requests/1162 Project:Branches: nmav/gnutls:tmp-fix-doc to gnutls/gnutls:master Author: Nikos Mavrogiannopoulos This documents and clarifies the thread safeness of gnutls_global_init() and its constraints. ## Checklist * [x] Commits have `Signed-off-by:` with name/author being identical to the commit author * [ ] Code modified for feature * [ ] Test suite updated with functionality tests * [ ] Test suite updated with negative tests * [x] Documentation updated / NEWS entry present (for non-trivial changes) * [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout) ## Reviewer's checklist: * [ ] Any issues marked for closing are addressed * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md` * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1162 From gnutls-devel at lists.gnutls.org Thu Jan 9 13:07:23 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 09 Jan 2020 12:07:23 +0000 Subject: [gnutls-devel] GnuTLS | GnuTLS docs are not clear about thread-safety of intialization ? (#900) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos commented: > Ok, but people seem to miss this. The report is from "the real world"... people may read docs in other ways than we do. IMO, there should *at least* be some words about the thread-safety of gnutls_global_init, together with a link to the Thread-safety section you mention. I understand, I have overreacted in my first response, sorry for that. We want these reports so we can improve documentation. > I've written code using GnuTLS since 2005 and our code (curl) still works to build with older GnuTLS versions. We have calls to gnutls_global_init() in the code base. Hmm, older versions than 3.3.0 may have problems. I've created https://gitlab.com/gnutls/gnutls/merge_requests/1162 to document as precisely as I could the behavior. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/900#note_269137971 From gnutls-devel at lists.gnutls.org Thu Jan 9 13:11:06 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 09 Jan 2020 12:11:06 +0000 Subject: [gnutls-devel] GnuTLS | GnuTLS docs are not clear about thread-safety of intialization ? (#900) In-Reply-To: References: Message-ID: Reassigned Issue 900 https://gitlab.com/gnutls/gnutls/issues/900 Assignee changed to Nikos Mavrogiannopoulos -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/900 From gnutls-devel at lists.gnutls.org Thu Jan 9 13:12:53 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 09 Jan 2020 12:12:53 +0000 Subject: [gnutls-devel] GnuTLS | doc: clarify thread safeness in gnutls_global_init() [ci skip] (!1162) In-Reply-To: References: Message-ID: Tim Rühsen started a new discussion on doc/cha-gtls-app.texi: https://gitlab.com/gnutls/gnutls/merge_requests/1162#note_269142061 > The original behavior of requiring explicit initialization can obtained by setting the > GNUTLS_NO_EXPLICIT_INIT environment variable to 1, or by using the macro GNUTLS_SKIP_GLOBAL_INIT > in a global section of your program --the latter works in systems with > -support for weak symbols only.}. > +support for weak symbols only.}. @funcref{gnutls_global_init} in > +versions after 3.3.0 is thread-safe. Is it possible to ref 'thread-safe' to https://www.gnutls.org/manual/gnutls.html#Thread-safety ? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1162#note_269142061 From gnutls-devel at lists.gnutls.org Thu Jan 9 13:17:21 2020
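Review bot: "versions after 3.3.0" in the added sentence of the doc/cha-gtls-app.texi hunk quoted above leaves it unclear whether 3.3.0 itself is covered by the thread-safety statement. Wording such as "since 3.3.0" or "in 3.3.0 and later" (or "after 3.3.0, exclusive" if that is what is meant) would let readers supporting old releases decide whether they still need their own locking around `gnutls_global_init`.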
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 09 Jan 2020 12:17:21 +0000 Subject: [gnutls-devel] GnuTLS | doc: clarify thread safeness in gnutls_global_init() [ci skip] (!1162) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos pushed new commits to merge request !1162 https://gitlab.com/gnutls/gnutls/merge_requests/1162 * 5c11b599 - doc: clarify thread safeness in gnutls_global_init() -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1162 From gnutls-devel at lists.gnutls.org Thu Jan 9 13:25:30 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 09 Jan 2020 12:25:30 +0000 Subject: [gnutls-devel] GnuTLS | Extend GOST priority settings and documentation (!1160) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos started a new discussion on doc/cha-gtls-app.texi: https://gitlab.com/gnutls/gnutls/merge_requests/1160#note_269148435 > SIGN-RSA-PSS-SHA256, SIGN-RSA-PSS-SHA384, SIGN-RSA-PSS-SHA512, > SIGN-GOSTR341001, SIGN-GOSTR341012-256, SIGN-GOSTR341012-512. > Catch all which enables all algorithms from NORMAL priority is SIGN-ALL. > +Shortcut which enables all GOST algorithms is SIGN-GOST-ALL. Based on your irc question, we do not have to enable all. It is better to only enable items which we consider safe and document that. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1160#note_269148435 From gnutls-devel at lists.gnutls.org Thu Jan 9 13:27:46 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 09 Jan 2020 12:27:46 +0000 Subject: [gnutls-devel] GnuTLS | Extend GOST priority settings and documentation (!1160) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos started a new discussion on doc/cha-gtls-app.texi: https://gitlab.com/gnutls/gnutls/merge_requests/1160#note_269149603 > catch all is CTYPE-CLI-ALL and CTYPE-SRV-ALL. The type 'X509' is aliased to 'X.509' > for legacy reasons. > > + at item Generic @tab nitpick: why not just `GOST`? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1160#note_269149603 From gnutls-devel at lists.gnutls.org Thu Jan 9 13:28:46 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 09 Jan 2020 12:28:46 +0000 Subject: [gnutls-devel] GnuTLS | Extend GOST priority settings and documentation (!1160) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos started a new discussion on lib/priority.c: https://gitlab.com/gnutls/gnutls/merge_requests/1160#note_269150041 > } > } Not a comment on this line, but on the commit. Shouldn't the message be less error prone? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1160#note_269150041 From gnutls-devel at lists.gnutls.org Thu Jan 9 13:33:11 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 09 Jan 2020 12:33:11 +0000
Subject: [gnutls-devel] GnuTLS | Provide flag to identify sessions that an OCSP response was requested (!1131)

Nikos Mavrogiannopoulos commented:

Fair question, let's wait for his answer before merging.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1131#note_269152181

From gnutls-devel at lists.gnutls.org Thu Jan 9 13:49:38 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 09 Jan 2020 12:49:38 +0000
Subject: [gnutls-devel] GnuTLS | Extend GOST priority settings and documentation (!1160)

Dmitry Eremin-Solenikov commented on a discussion on doc/cha-gtls-app.texi: https://gitlab.com/gnutls/gnutls/merge_requests/1160#note_269160752

> SIGN-RSA-PSS-SHA256, SIGN-RSA-PSS-SHA384, SIGN-RSA-PSS-SHA512, > SIGN-GOSTR341001, SIGN-GOSTR341012-256, SIGN-GOSTR341012-512. > Catch all which enables all algorithms from NORMAL priority is SIGN-ALL. > +Shortcut which enables all GOST algorithms is SIGN-GOST-ALL.

I don't think that fragmenting GOST support further will bring us any benefits. However I'll think about removing old `SIGN-GOSTR341001` (which uses old GOST R 34.11-94 digest) from `SIGN-GOST-ALL`. Let me check when it is to be phased out.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1160#note_269160752

From gnutls-devel at lists.gnutls.org Thu Jan 9 13:50:22 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 09 Jan 2020 12:50:22 +0000
Subject: [gnutls-devel] GnuTLS | Extend GOST priority settings and documentation (!1160)

Dmitry Eremin-Solenikov commented on a discussion on doc/cha-gtls-app.texi: https://gitlab.com/gnutls/gnutls/merge_requests/1160#note_269161130

> catch all is CTYPE-CLI-ALL and CTYPE-SRV-ALL. The type 'X509' is aliased to 'X.509' > for legacy reasons. > > + at item Generic @tab

Do you mean `GOST` instead of `GOST-ALL`?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1160#note_269161130

From gnutls-devel at lists.gnutls.org Thu Jan 9 13:51:38 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 09 Jan 2020 12:51:38 +0000
Subject: [gnutls-devel] GnuTLS | Extend GOST priority settings and documentation (!1160)

Dmitry Eremin-Solenikov commented on a discussion on lib/priority.c: https://gitlab.com/gnutls/gnutls/merge_requests/1160#note_269161865

> } > }

True. I will correct.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1160#note_269161865

From gnutls-devel at lists.gnutls.org Thu Jan 9 14:28:54 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 09 Jan 2020 13:28:54 +0000
Subject: [gnutls-devel] GnuTLS | Provide flag to identify sessions that an OCSP response was requested (!1131)

jgh commented:

So far as I can see, yes this looks good.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1131#note_269182588

From gnutls-devel at lists.gnutls.org Thu Jan 9 14:38:14 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 09 Jan 2020 13:38:14 +0000
Subject: [gnutls-devel] GnuTLS | Provide flag to identify sessions that an OCSP response was requested (!1131)

Merge Request !1131 was merged

Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/1131
Project:Branches: nmav/gnutls:tmp-ocsp-check to gnutls/gnutls:master
Author: Nikos Mavrogiannopoulos
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1131

From gnutls-devel at lists.gnutls.org Thu Jan 9 14:38:20 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 09 Jan 2020 13:38:20 +0000
Subject: [gnutls-devel] GnuTLS | Provide flag to identify sessions that an OCSP response was requested (!1131)

Nikos Mavrogiannopoulos commented:

Thank you!

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1131#note_269204392

From gnutls-devel at lists.gnutls.org Thu Jan 9 14:38:13 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 09 Jan 2020 13:38:13 +0000
Subject: [gnutls-devel] GnuTLS | It is not possible for server to check whether client requested OCSP stapling (#829)

Issue was closed by Nikos Mavrogiannopoulos via merge request !1131 (https://gitlab.com/gnutls/gnutls/merge_requests/1131)

Issue #829: https://gitlab.com/gnutls/gnutls/issues/829

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/829

From gnutls-devel at lists.gnutls.org Thu Jan 9 14:39:23 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 09 Jan 2020 13:39:23 +0000
Subject: [gnutls-devel] GnuTLS | Extend GOST priority settings and documentation (!1160)

Nikos Mavrogiannopoulos commented on a discussion on doc/cha-gtls-app.texi: https://gitlab.com/gnutls/gnutls/merge_requests/1160#note_269205034

> catch all is CTYPE-CLI-ALL and CTYPE-SRV-ALL. The type 'X509' is aliased to 'X.509' > for legacy reasons. > > + at item Generic @tab

Yes. I'm thinking we need something that is described similarly to how `SUITE128` is.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1160#note_269205034

From gnutls-devel at lists.gnutls.org Thu Jan 9 14:40:56 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 09 Jan 2020 13:40:56 +0000
Subject: [gnutls-devel] GnuTLS | WIP: Resolve "Add CRL and CRQ fuzzers" (!1163)

Nikos Mavrogiannopoulos created a merge request: https://gitlab.com/gnutls/gnutls/merge_requests/1163

Branches: 903-add-crl-and-crq-fuzzers to master
Author: Nikos Mavrogiannopoulos

Add a description of the new feature/bug fix. Reference any relevant bugs.

## Checklist
* [ ] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [ ] Code modified for feature
* [ ] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
* [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:
* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

Closes #903

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1163

From gnutls-devel at lists.gnutls.org Thu Jan 9 14:44:44 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 09 Jan 2020 13:44:44 +0000
Subject: [gnutls-devel] GnuTLS | doc: clarify thread safeness in gnutls_global_init() [ci skip] (!1162)

All discussions on Merge Request !1162 were resolved by Tim Rühsen

https://gitlab.com/gnutls/gnutls/merge_requests/1162

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1162

From gnutls-devel at lists.gnutls.org Thu Jan 9 14:44:49 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 09 Jan 2020 13:44:49 +0000
Subject: [gnutls-devel] GnuTLS | doc: clarify thread safeness in gnutls_global_init() [ci skip] (!1162)

Merge Request !1162 was approved by Tim Rühsen

Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/1162
Project:Branches: nmav/gnutls:tmp-fix-doc to gnutls/gnutls:master
Author: Nikos Mavrogiannopoulos
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1162

From gnutls-devel at lists.gnutls.org Thu Jan 9 14:49:41 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 09 Jan 2020 13:49:41 +0000
Subject: [gnutls-devel] GnuTLS | fuzzying: add GOST traces and certificates (#880)

Nikos Mavrogiannopoulos commented:

> Should I extend pkcs12 fuzzer with using password for those files or we are fine having just "1234" (not a valid password)?

I think we should use the same password it can be tested by the same fuzzer.

> How to submit these files? Would you like to review them somehow?

Add them in `fuzz/*.in/` with SHA1 hash instead of their name. If you verified the fuzzer parses them we do not need additional review. I'll approve the MR.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/880#note_269211829

From gnutls-devel at lists.gnutls.org Thu Jan 9 15:59:07 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 09 Jan 2020 14:59:07 +0000
Subject: [gnutls-devel] GnuTLS | Use 'make -j' with higher values for CI builds and tests (!1154)

Nikos Mavrogiannopoulos commented on a discussion: https://gitlab.com/gnutls/gnutls/merge_requests/1154#note_269257308

Does this patch fix it? [patch.txt](/uploads/8417dbac5e767de85f0f7531406c02de/patch.txt)

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1154#note_269257308

From gnutls-devel at lists.gnutls.org Thu Jan 9 16:01:34 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 09 Jan 2020 15:01:34 +0000
Subject: [gnutls-devel] GnuTLS | Use 'make -j' with higher values for CI builds and tests (!1154)

Nikos Mavrogiannopoulos commented:

Shouldn't we separate the values for FreeBSD and Linux? I liked the original version that used nproc more, as it would transparently improve the CI as the cores of the shared systems increase.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1154#note_269258914

From gnutls-devel at lists.gnutls.org Thu Jan 9 16:21:16 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 09 Jan 2020 15:21:16 +0000
Subject: [gnutls-devel] GnuTLS | GnuTLS docs are not clear about thread-safety of intialization ? (#900)

Issue was closed by Tim Rühsen via merge request !1162 (https://gitlab.com/gnutls/gnutls/merge_requests/1162)

Issue #900: https://gitlab.com/gnutls/gnutls/issues/900

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/900

From gnutls-devel at lists.gnutls.org Thu Jan 9 16:21:16 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 09 Jan 2020 15:21:16 +0000
Subject: [gnutls-devel] GnuTLS | doc: clarify thread safeness in gnutls_global_init() [ci skip] (!1162)

Merge Request !1162 was merged

Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/1162
Project:Branches: nmav/gnutls:tmp-fix-doc to gnutls/gnutls:master
Author: Nikos Mavrogiannopoulos
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1162

From gnutls-devel at lists.gnutls.org Thu Jan 9 18:04:48 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 09 Jan 2020 17:04:48 +0000
Subject: [gnutls-devel] GnuTLS | WIP: algorithms: implement X448 key exchange and Ed448 signature scheme (!984)

Daiki Ueno pushed new commits to merge request !984

https://gitlab.com/gnutls/gnutls/merge_requests/984

* d3ee878e...68d111e3 - 516 commits from branch `master`
* de7a5228 - nettle: vendor in Curve448 and Ed448 implementation
* a0a1d669 - algorithms: implement X448 key exchange and Ed448 signature scheme

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/984

From gnutls-devel at lists.gnutls.org Thu Jan 9 22:51:29 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 09 Jan 2020 21:51:29 +0000
Subject: [gnutls-devel] GnuTLS | Extend GOST priority settings and documentation (!1160)

Dmitry Eremin-Solenikov pushed new commits to merge request !1160

https://gitlab.com/gnutls/gnutls/merge_requests/1160

* 615cae54 - lib/priority: add SIGN-GOST-ALL keyword
* 6d8dd070 - priority: add more GOST shortcuts
* 3bc47654 - priority: add new GOST-ALL shortcut
* 0f081a96 - priority: make priority matching less error-prone
* 679ea924 - NEWS: expand documentation for GOST priority strings

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1160

From gnutls-devel at lists.gnutls.org Thu Jan 9 22:52:30 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 09 Jan 2020 21:52:30 +0000
Subject: [gnutls-devel] GnuTLS | Extend GOST priority settings and documentation (!1160)

Dmitry Eremin-Solenikov commented on a discussion on doc/cha-gtls-app.texi: https://gitlab.com/gnutls/gnutls/merge_requests/1160#note_269459454

> SIGN-RSA-PSS-SHA256, SIGN-RSA-PSS-SHA384, SIGN-RSA-PSS-SHA512, > SIGN-GOSTR341001, SIGN-GOSTR341012-256, SIGN-GOSTR341012-512. > Catch all which enables all algorithms from NORMAL priority is SIGN-ALL. > +Shortcut which enables all GOST algorithms is SIGN-GOST-ALL.

Removed `SIGN-GOSTR341001`. Changed description to mention 'secure GOST algorithms' instead of 'all GOST algorithms'.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1160#note_269459454

From gnutls-devel at lists.gnutls.org Thu Jan 9 23:40:31 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 09 Jan 2020 22:40:31 +0000
Subject: [gnutls-devel] GnuTLS | libgnutls: Add system-wide default-priority-string override. (!1158)

Dimitri John Ledkov pushed new commits to merge request !1158

https://gitlab.com/gnutls/gnutls/merge_requests/1158

* dd6997ec - Review comments.
* 28799cbe - Ensure default-priority-string is unlimited in length.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1158

From gnutls-devel at lists.gnutls.org Thu Jan 9 23:50:01 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 09 Jan 2020 22:50:01 +0000
Subject: [gnutls-devel] GnuTLS | libgnutls: Add system-wide default-priority-string override. (!1158)

All discussions on Merge Request !1158 were resolved by Dimitri John Ledkov

https://gitlab.com/gnutls/gnutls/merge_requests/1158

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1158

From gnutls-devel at lists.gnutls.org Fri Jan 10 00:24:26 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 09 Jan 2020 23:24:26 +0000
Subject: [gnutls-devel] GnuTLS | Extend GOST priority settings and documentation (!1160)

Dmitry Eremin-Solenikov commented on a discussion on doc/cha-gtls-app.texi: https://gitlab.com/gnutls/gnutls/merge_requests/1160#note_269480546

> catch all is CTYPE-CLI-ALL and CTYPE-SRV-ALL. The type 'X509' is aliased to 'X.509' > for legacy reasons. > > + at item Generic @tab

done

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1160#note_269480546

From gnutls-devel at lists.gnutls.org Fri Jan 10 00:24:27 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 09 Jan 2020 23:24:27 +0000
Subject: [gnutls-devel] GnuTLS | Extend GOST priority settings and documentation (!1160)

Dmitry Eremin-Solenikov pushed new commits to merge request !1160

https://gitlab.com/gnutls/gnutls/merge_requests/1160

* b8b92db9 - priority: add new GOST-ALL shortcut
* b30d8821 - priority: make priority matching less error-prone
* 6dd2e52e - NEWS: expand documentation for GOST priority strings

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1160

From gnutls-devel at lists.gnutls.org Fri Jan 10 00:24:40 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 09 Jan 2020 23:24:40 +0000
Subject: [gnutls-devel] GnuTLS | Extend GOST priority settings and documentation (!1160)

All discussions on Merge Request !1160 were resolved by Dmitry Eremin-Solenikov

https://gitlab.com/gnutls/gnutls/merge_requests/1160

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1160

From gnutls-devel at lists.gnutls.org Fri Jan 10 01:37:32 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 10 Jan 2020 00:37:32 +0000
Subject: [gnutls-devel] GnuTLS | gnutls_handshake is slow on some Android devices (Android 9) (#902)

Sébastien Blin commented:

> The numbers you present seem quite high for a handshake.

In fact it's the time for the whole connection not just the handshake, but yeah it's indeed quite high

Ok, it will take some time for me to test, I have a big todo list for now, but I think I will take some time to do a bisect to get the commit (but first I will list here the negotiated ciphers used)

> gnutls-cli --benchmark-tls-kx

Not sure I will be able to get the difference for Android?

> Do you use some special mode (e.g., FIPS), and specific ciphersuites? What ciphersuites do you see in the handshakes you describe?

For the ciphersuites I will give more details asap, but it's not really special. For example between a GNU/Linux and Android (8 so without the issue) with 3.6.10 (both sides):

```
[1578615382.359|38541|tls_session.cpp :891 ] [TLS] session established: (TLS1.3)-(DHE-FFDHE8192)-(RSA-PSS-RSAE-SHA384)-(AES-256-GCM)
[1578615382.359|38541|sips_transport_ice.cpp:530 ] [TLS] using cipher TLS_DHE_RSA_AES_256_GCM_SHA384 (0x009F)
```

I will post more details as soon as possible. However, I talked with the dev for iOS and she reproduces the issue, so we also downgrade gnutls on iOS (but not macOS).

So:

1. I will post the ciphersuites with different devices and gnutls versions
2. Will try to bisect to locate the bad commit (yeay only ~150 commits)

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/902#note_269492212

From gnutls-devel at lists.gnutls.org Fri Jan 10 09:21:02 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 10 Jan 2020 08:21:02 +0000
Subject: [gnutls-devel] GnuTLS | libgnutls: Add system-wide default-priority-string override. (!1158)

Nikos Mavrogiannopoulos started a new discussion on lib/priority.c: https://gitlab.com/gnutls/gnutls/merge_requests/1158#note_269589264

> if (ret < 0) > return 0; > } else if (c_strcasecmp(section, OVERRIDES_SECTION)==0) { > - if (c_strcasecmp(name, "insecure-hash")==0) { > - p = clear_spaces(value, str); > + if (c_strcasecmp(name, "default-priority-string")==0) { > + _clear_default_system_priority(); > + p = clear_spaces(value, str, UINT_MAX);

str has maximum size less than UINT_MAX. This can lead to an overflow as I understand it.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1158#note_269589264

From gnutls-devel at lists.gnutls.org Fri Jan 10 09:22:38 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 10 Jan 2020 08:22:38 +0000
Subject: [gnutls-devel] GnuTLS | libgnutls: Add system-wide default-priority-string override. (!1158)

Nikos Mavrogiannopoulos commented on a discussion on lib/priority.c: https://gitlab.com/gnutls/gnutls/merge_requests/1158#note_269589927

> if (ret < 0) > return 0; > } else if (c_strcasecmp(section, OVERRIDES_SECTION)==0) { > - if (c_strcasecmp(name, "insecure-hash")==0) { > - p = clear_spaces(value, str); > + if (c_strcasecmp(name, "default-priority-string")==0) { > + _clear_default_system_priority(); > + p = clear_spaces(value, str, UINT_MAX);

Was your intention to allocate an additional variable here?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1158#note_269589927

From gnutls-devel at lists.gnutls.org Fri Jan 10 09:28:07 2020
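Review bot: In the `default-priority-string` branch, `clear_spaces(value, str, UINT_MAX)` passes `UINT_MAX` as the new third argument, so if that argument is the capacity of the destination it no longer bounds what is written into `str`. The hunk does not show how `str` is declared; if it is a fixed-size buffer, pass its real size and reject longer values, or copy into storage sized from the length of `value`. It is also worth confirming that calling `_clear_default_system_priority()` before the new value has been processed cannot leave the configuration without a default when a later step fails.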
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 10 Jan 2020 08:28:07 +0000
Subject: [gnutls-devel] GnuTLS | gnutls_handshake is slow on some Android devices (Android 9) (#902)

Nikos Mavrogiannopoulos commented:

Ok, I think that's the problem:

> `(TLS1.3)-(DHE-FFDHE8192)-(RSA-PSS-RSAE-SHA384)-(AES-256-GCM)`

You negotiate Finite Field Diffie-Hellman with 8k parameters. That's an enormous value, and indeed it will be very slow on Android or even normal PCs. On gnutls 3.6.8 an additional safety check was introduced for FFDHE which would reduce its speed as you noticed. So the issue I think was identified.

What can be a solution? Reduce the FFDHE negotiated size or use elliptic curves. FFDHE is not negotiated by default by gnutls so you should be explicitly enabling it. I'd recommend to use +GROUP-X25519 and that will drop the connection time significantly. To give you some idea of the scale:

```
(TLS1.3)-(DHE-FFDHE3072)-(RSA-PSS-RSAE-SHA256)-(AES-128-GCM)
 - 19.04 transactions/sec
 - avg. handshake time: 52.52 ms
 - standard deviation: 2.10 ms

(TLS1.3)-(ECDHE-X25519)-(RSA-PSS-RSAE-SHA256)-(AES-128-GCM)
 - 199.52 transactions/sec
 - avg. handshake time: 5.01 ms
 - standard deviation: 0.85 ms
```

X25519 is 10 times more efficient than FFDHE3072. The difference with 8192 will be on a great scale.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/902#note_269592415

From gnutls-devel at lists.gnutls.org Fri Jan 10 10:31:41 2020
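The session descriptions quoted in the issue #902 messages above carry the key-exchange group in one of their parenthesised fields, so application logs can be audited for the oversized FFDHE groups that the reply identifies as the cause of the slow handshakes. This is an added example, not code from the thread or from GnuTLS; the 4096-bit threshold, the function names and the log lines marked as constructed are assumptions.

```python
import re
from collections import Counter
from typing import Iterable, List, NamedTuple, Optional, Tuple

# A session description is a run of parenthesised fields joined by "-",
# starting with the protocol version, e.g.
# (TLS1.3)-(DHE-FFDHE8192)-(RSA-PSS-RSAE-SHA384)-(AES-256-GCM)
DESC_RE = re.compile(r"\(D?TLS[0-9.]+\)(?:-\([^()]+\))+")
FIELD_RE = re.compile(r"\(([^()]+)\)")
# Finite-field groups carry their size in bits in the group name.
FFDHE_RE = re.compile(r"DHE-FFDHE(\d+)")

# Assumption of this example, not a GnuTLS default: finite-field groups
# larger than this are reported as too costly for interactive handshakes.
MAX_FFDHE_BITS = 4096


class KeyExchange(NamedTuple):
    version: str               # e.g. "TLS1.3"
    group: str                 # e.g. "DHE-FFDHE8192" or "ECDHE-X25519"
    ffdhe_bits: Optional[int]  # None unless the group is a named FFDHE group


def parse_session(line: str) -> Optional[KeyExchange]:
    """Return the key exchange of the session description in a log line."""
    match = DESC_RE.search(line)
    if match is None:
        return None  # line carries no session description
    fields = FIELD_RE.findall(match.group(0))
    version, rest = fields[0], fields[1:]
    for field in rest:
        if field.startswith(("DHE-", "ECDHE-")):
            ff = FFDHE_RE.fullmatch(field)
            return KeyExchange(version, field, int(ff.group(1)) if ff else None)
    # No (EC)DHE field: report the first field after the version as-is.
    return KeyExchange(version, rest[0], None)


def audit(lines: Iterable[str], max_ffdhe_bits: int = MAX_FFDHE_BITS
          ) -> Tuple[Counter, List[Tuple[int, KeyExchange]]]:
    """Count sessions per group and list those above the FFDHE size limit."""
    counts: Counter = Counter()
    flagged: List[Tuple[int, KeyExchange]] = []
    for lineno, line in enumerate(lines, start=1):
        kx = parse_session(line)
        if kx is None:
            continue
        counts[kx.group] += 1
        if kx.ffdhe_bits is not None and kx.ffdhe_bits > max_ffdhe_bits:
            flagged.append((lineno, kx))
    return counts, flagged


SAMPLE_LOG = [
    # The two log lines quoted in the thread.
    "[1578615382.359|38541|tls_session.cpp :891 ] [TLS] session established: "
    "(TLS1.3)-(DHE-FFDHE8192)-(RSA-PSS-RSAE-SHA384)-(AES-256-GCM)",
    "[1578615382.359|38541|sips_transport_ice.cpp:530 ] [TLS] using cipher "
    "TLS_DHE_RSA_AES_256_GCM_SHA384 (0x009F)",
    # Constructed lines: same prefix format, descriptions from the benchmark.
    "[1578615390.101|38541|tls_session.cpp :891 ] [TLS] session established: "
    "(TLS1.3)-(ECDHE-X25519)-(RSA-PSS-RSAE-SHA256)-(AES-128-GCM)",
    "[1578615391.454|38541|tls_session.cpp :891 ] [TLS] session established: "
    "(TLS1.3)-(DHE-FFDHE3072)-(RSA-PSS-RSAE-SHA256)-(AES-128-GCM)",
    # Constructed line with a TLS 1.2 elliptic-curve session.
    "[1578615392.870|38541|tls_session.cpp :891 ] [TLS] session established: "
    "(TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA256)-(AES-256-GCM)",
]

if __name__ == "__main__":
    group_counts, oversized = audit(SAMPLE_LOG)
    for group, n in group_counts.most_common():
        print(f"{n:3d}  {group}")
    for lineno, kx in oversized:
        print(f"line {lineno}: {kx.version} negotiated {kx.group} "
              f"({kx.ffdhe_bits} bits > {MAX_FFDHE_BITS})")
```
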
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 10 Jan 2020 09:31:41 +0000
Subject: [gnutls-devel] GnuTLS | WIP: algorithms: implement X448 key exchange and Ed448 signature scheme (!984)

Daiki Ueno pushed new commits to merge request !984

https://gitlab.com/gnutls/gnutls/merge_requests/984

* 90506ba8 - algorithms: implement X448 key exchange and Ed448 signature scheme

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/984

From gnutls-devel at lists.gnutls.org Fri Jan 10 11:07:55 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 10 Jan 2020 10:07:55 +0000
Subject: [gnutls-devel] GnuTLS | WIP: algorithms: implement X448 key exchange and Ed448 signature scheme (!984)

Tim Rühsen commented:

This pull request **introduces 11 alerts** when merging 90506ba8d8f01971a7bb8ee207fd6661b1dda94c into 2e52d307be9f971c721a94a908f487df5e8e483b - [view on LGTM.com](https://lgtm.com/projects/gl/gnutls/gnutls/rev/pr-9146aedf288119ac8e7b8f51d018e32efbd9bda5)

**new alerts:**

* 11 for FIXME comment

---

*Comment posted by [LGTM.com](https://lgtm.com)*

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/984#note_269650109

From gnutls-devel at lists.gnutls.org Fri Jan 10 11:22:45 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 10 Jan 2020 10:22:45 +0000
Subject: [gnutls-devel] GnuTLS | ocsp: set GNUTLS_CERT_INVALID if OCSP response indicates revocation (!1159)

Daiki Ueno pushed new commits to merge request !1159

https://gitlab.com/gnutls/gnutls/merge_requests/1159

* 50c1b8c4 - ocsp: set GNUTLS_CERT_INVALID if OCSP response indicates revocation
* d916a006 - tests: add test for revoked OCSP response

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1159

From gnutls-devel at lists.gnutls.org Fri Jan 10 11:28:16 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 10 Jan 2020 10:28:16 +0000
Subject: [gnutls-devel] GnuTLS | ocsp: set GNUTLS_CERT_INVALID if OCSP response indicates revocation (!1159)

Daiki Ueno commented:

@nmav suggested that we should set the `GNUTLS_CERT_INVALID` flag not only when the certificate is revoked, but also when the client doesn't receive a proper OCSP response. The test doesn't currently exercise those cases, but this is a fairly trivial change. So I will go with this as is unless there are strong objections.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1159#note_269661606

From gnutls-devel at lists.gnutls.org Fri Jan 10 12:21:53 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 10 Jan 2020 11:21:53 +0000
Subject: [gnutls-devel] GnuTLS | Fix tests execution when FIPS mode is compiled but not enforced. (!1164)

Dmitry Eremin-Solenikov created a merge request: https://gitlab.com/gnutls/gnutls/merge_requests/1164

Project:Branches: GostCrypt/gnutls:fix-fips-gost to gnutls/gnutls:master
Author: Dmitry Eremin-Solenikov

Add a description of the new feature/bug fix. Reference any relevant bugs.

## Checklist
* [x] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [x] Code modified for feature
* [x] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
* [x] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:
* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1164

From gnutls-devel at lists.gnutls.org Fri Jan 10 12:50:17 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 10 Jan 2020 11:50:17 +0000 Subject: [gnutls-devel] GnuTLS | WIP: algorithms: implement X448 key exchange and Ed448 signature scheme (!984) In-Reply-To: References: Message-ID: Daiki Ueno pushed new commits to merge request !984 https://gitlab.com/gnutls/gnutls/merge_requests/984 * e0d3da56 - nettle: vendor in Curve448 and Ed448 implementation * 983b8a44 - algorithms: implement X448 key exchange and Ed448 signature scheme -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/984 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Jan 10 12:50:39 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 10 Jan 2020 11:50:39 +0000 Subject: [gnutls-devel] GnuTLS | ocsp: set GNUTLS_CERT_INVALID if OCSP response indicates revocation (!1159) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos commented: My concern was the text `The GNUTLS_CERT_INVALID flag is always set on a verification error and more detailed flags will also be set when appropriate.` from the manual. We don't do that on OCSP errors. This requirement is unfortunately historical baggage and applications do not need to check for this flag, but since we documented like that I think we should follow it as there will always be applications that will check whether the GNUTLS_CERT_INVALID flag is set to indicate error. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1159#note_269706537 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Jan 10 12:51:01 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 10 Jan 2020 11:51:01 +0000 Subject: [gnutls-devel] GnuTLS | ocsp: set GNUTLS_CERT_INVALID if OCSP response indicates revocation (!1159) In-Reply-To: References: Message-ID: Merge Request !1159 was approved by Nikos Mavrogiannopoulos Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/1159 Branches: tmp-ocsp-revocation to master Author: Daiki Ueno Assignees: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1159 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Jan 10 13:16:44 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 10 Jan 2020 12:16:44 +0000 Subject: [gnutls-devel] GnuTLS | ocsp: set GNUTLS_CERT_INVALID if OCSP response indicates revocation (!1159) In-Reply-To: References: Message-ID: Merge Request !1159 was merged Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/1159 Branches: tmp-ocsp-revocation to master Author: Daiki Ueno Assignees: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1159 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Jan 10 13:27:28 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 10 Jan 2020 12:27:28 +0000 Subject: [gnutls-devel] GnuTLS | WIP: algorithms: implement X448 key exchange and Ed448 signature scheme (!984) In-Reply-To: References: Message-ID: Tim Rühsen commented: This pull request **introduces 11 alerts** when merging 983b8a445635f41723bd77ad3e2b03df6467cab3 into 2e52d307be9f971c721a94a908f487df5e8e483b - [view on LGTM.com](https://lgtm.com/projects/gl/gnutls/gnutls/rev/pr-75b5bd61131eea444b229911189dae21c3371f38) **new alerts:** * 11 for FIXME comment --- *Comment posted by [LGTM.com](https://lgtm.com)* -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/984#note_269723726 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Jan 10 14:07:30 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 10 Jan 2020 13:07:30 +0000 Subject: [gnutls-devel] GnuTLS | WIP: algorithms: implement X448 key exchange and Ed448 signature scheme (!984) In-Reply-To: References: Message-ID: Daiki Ueno pushed new commits to merge request !984 https://gitlab.com/gnutls/gnutls/merge_requests/984 * 38dd5aed - nettle: vendor in Curve448 and Ed448 implementation * a3824457 - algorithms: implement X448 key exchange and Ed448 signature scheme -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/984 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Jan 10 14:43:41 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 10 Jan 2020 13:43:41 +0000 Subject: [gnutls-devel] GnuTLS | WIP: algorithms: implement X448 key exchange and Ed448 signature scheme (!984) In-Reply-To: References: Message-ID: Tim Rühsen commented: This pull request **introduces 11 alerts** when merging a382445715b47d25840b62d4c9cf3b7cd9ac2495 into 85af41159d76fc9733f2ead54a9a2ab64aeb2b80 - [view on LGTM.com](https://lgtm.com/projects/gl/gnutls/gnutls/rev/pr-8ec153c4c14d6d94b7c0a10d41c3b105248d38cd) **new alerts:** * 11 for FIXME comment --- *Comment posted by [LGTM.com](https://lgtm.com)* -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/984#note_269764817 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Jan 10 15:02:51 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 10 Jan 2020 14:02:51 +0000 Subject: [gnutls-devel] GnuTLS | libgnutls: Add system-wide default-priority-string override. (!1158) In-Reply-To: References: Message-ID: Dimitri John Ledkov commented on a discussion on lib/priority.c: https://gitlab.com/gnutls/gnutls/merge_requests/1158#note_269775801 > if (ret < 0) > return 0; > } else if (c_strcasecmp(section, OVERRIDES_SECTION)==0) { > - if (c_strcasecmp(name, "insecure-hash")==0) { > - p = clear_spaces(value, str); > + if (c_strcasecmp(name, "default-priority-string")==0) { > + _clear_default_system_priority(); > + p = clear_spaces(value, str, UINT_MAX); I'm not intending to allocate any new strings here, just clear the whitespace like it is done for every other key (without allocating any new memory). However other keys are cleared to MAX_ALGO_NAME which is 128 and it was said that's too low for priority-string. It does feel like we do need to put a limit on default-priority-string, but I don't know what is a sensible one. Microsoft C specifies string literals as 2048. What should default-priority-string be capped at? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1158#note_269775801 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Jan 10 15:23:46 2020 
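Review bot: the added call `clear_spaces(value, str, UINT_MAX)` passes `UINT_MAX` as the limit, so nothing in the call ties the amount written to the size of `str`, whereas the comment says every other key is cleared to `MAX_ALGO_NAME`. Pass the real size of the destination buffer as the third argument (enlarging that buffer if 128 bytes is too small for a priority string), and treat a `default-priority-string` value longer than the cap as a configuration error rather than copying it unbounded. A test with an over-long value in the config file would pin that behaviour down.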
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 10 Jan 2020 14:23:46 +0000 Subject: [gnutls-devel] GnuTLS | libgnutls: Add system-wide default-priority-string override. (!1158) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos commented on a discussion on lib/priority.c: https://gitlab.com/gnutls/gnutls/merge_requests/1158#note_269787402 > if (ret < 0) > return 0; > } else if (c_strcasecmp(section, OVERRIDES_SECTION)==0) { > - if (c_strcasecmp(name, "insecure-hash")==0) { > - p = clear_spaces(value, str); > + if (c_strcasecmp(name, "default-priority-string")==0) { > + _clear_default_system_priority(); > + p = clear_spaces(value, str, UINT_MAX); May be obvious to you, but just to clarify the `MAX_ALGO_NAME` is used because that's the size of the `str` buffer. A 2k buffer looks fine to me as limit. In that case the original form of `clear_spaces()` may be more suitable, as it will allow a clever compiler or analyzer to catch overflows. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1158#note_269787402 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Jan 10 17:11:00 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 10 Jan 2020 16:11:00 +0000 Subject: [gnutls-devel] GnuTLS | gnutls_handshake is slow on some Android devices (Android 9) (#902) In-Reply-To: References: Message-ID: Savoir-faire Linux commented: Indeed removing the FFDHE* and using SEGP instead or ECDHE is nearly instantaneous. Thank you for the quick answer! -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/902#note_269847222 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Jan 10 17:39:57 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 10 Jan 2020 16:39:57 +0000 Subject: [gnutls-devel] GnuTLS | Fix tests execution when FIPS mode is compiled but not enforced. (!1164) In-Reply-To: References: Message-ID: Merge Request !1164 was approved by Daiki Ueno Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/1164 Project:Branches: GostCrypt/gnutls:fix-fips-gost to gnutls/gnutls:master Author: Dmitry Eremin-Solenikov Assignees: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1164 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Jan 10 18:10:23 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 10 Jan 2020 17:10:23 +0000 Subject: [gnutls-devel] GnuTLS | WIP: algorithms: implement X448 key exchange and Ed448 signature scheme (!984) In-Reply-To: References: Message-ID: Daiki Ueno pushed new commits to merge request !984 https://gitlab.com/gnutls/gnutls/merge_requests/984 * a5d381e8 - nettle: vendor in Curve448 and Ed448 implementation * f19dea3a - algorithms: implement X448 key exchange and Ed448 signature scheme -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/984 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Jan 10 18:45:10 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 10 Jan 2020 17:45:10 +0000 Subject: [gnutls-devel] GnuTLS | WIP: algorithms: implement X448 key exchange and Ed448 signature scheme (!984) In-Reply-To: References: Message-ID: Tim Rühsen commented: This pull request **introduces 11 alerts** when merging f19dea3ad74b13a2b3e90580180ab0db616579ad into 85af41159d76fc9733f2ead54a9a2ab64aeb2b80 - [view on LGTM.com](https://lgtm.com/projects/gl/gnutls/gnutls/rev/pr-16e88385533baab0b3b9faca9606398f3510da3a) **new alerts:** * 11 for FIXME comment --- *Comment posted by [LGTM.com](https://lgtm.com)* -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/984#note_269889516 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Jan 10 19:30:27 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 10 Jan 2020 18:30:27 +0000 Subject: [gnutls-devel] GnuTLS | libgnutls: Add system-wide default-priority-string override. (!1158) In-Reply-To: References: Message-ID: Dimitri John Ledkov pushed new commits to merge request !1158 https://gitlab.com/gnutls/gnutls/merge_requests/1158 * c23fe638 - Bump MAX_ALGO_NAME to 2048, default-priority-string can be long. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1158 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Jan 10 19:32:13 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 10 Jan 2020 18:32:13 +0000 Subject: [gnutls-devel] GnuTLS | libgnutls: Add system-wide default-priority-string override. (!1158) In-Reply-To: References: Message-ID: All discussions on Merge Request !1158 were resolved by Dimitri John Ledkov https://gitlab.com/gnutls/gnutls/merge_requests/1158 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1158 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Jan 10 22:27:21 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 10 Jan 2020 21:27:21 +0000 Subject: [gnutls-devel] GnuTLS | Compiled-in, yet unsupported by default, TLS versions (!1157) In-Reply-To: References: Message-ID: Dimitri John Ledkov commented: In terms of "default" built-ins, I'd love to be able to provide at configure time "disabled-versions" list. And for example, allow people to "reset" it by using 'disabled-versions =' which would explicitly reset the list of disabled-versions back to none. This is similar to the ini-syntax that systemd units use to reset/override otherwise additive keys with system drop-ins. I don't think enforcing the presence of the configuration file is sensible. Especially since until now, no config was provided or necessary. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1157#note_269965736 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat Jan 11 07:06:25 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sat, 11 Jan 2020 06:06:25 +0000 Subject: [gnutls-devel] libtasn1 | WIP: asn1_decode_simple_ber: added support for constructed definite octet string (!56) References: Message-ID: Nikos Mavrogiannopoulos created a merge request: https://gitlab.com/gnutls/libtasn1/merge_requests/56 Branches: tmp-ber-constructed-octet-string to master Author: Nikos Mavrogiannopoulos This allows to decode the whole set of BER encodings for OCTET STRINGs. ## Checklist * [x] Code modified for feature * [x] Test suite updated with functionality tests * [ ] Test suite updated with negative tests * [ ] Documentation updated ## Reviewer's checklist: * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent with other code * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/merge_requests/56 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat Jan 11 10:22:47 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sat, 11 Jan 2020 09:22:47 +0000 Subject: [gnutls-devel] GnuTLS | WIP: algorithms: implement X448 key exchange and Ed448 signature scheme (!984) In-Reply-To: References: Message-ID: Daiki Ueno pushed new commits to merge request !984 https://gitlab.com/gnutls/gnutls/merge_requests/984 * 6a15a7e8 - nettle: vendor in Curve448 and Ed448 implementation * 4c29a3e5 - algorithms: implement X448 key exchange and Ed448 signature scheme -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/984 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat Jan 11 10:58:08 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sat, 11 Jan 2020 09:58:08 +0000 Subject: [gnutls-devel] GnuTLS | WIP: algorithms: implement X448 key exchange and Ed448 signature scheme (!984) In-Reply-To: References: Message-ID: Tim Rühsen commented: This pull request **introduces 11 alerts** when merging 4c29a3e55b6f17a4ad3b6cea0d75e569d34db7b2 into 85af41159d76fc9733f2ead54a9a2ab64aeb2b80 - [view on LGTM.com](https://lgtm.com/projects/gl/gnutls/gnutls/rev/pr-fcf0832baf5181c784953be6b92dd2cfbc885f81) **new alerts:** * 11 for FIXME comment --- *Comment posted by [LGTM.com](https://lgtm.com)* -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/984#note_270066040 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat Jan 11 11:16:39 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sat, 11 Jan 2020 10:16:39 +0000 Subject: [gnutls-devel] GnuTLS | WIP: algorithms: implement X448 key exchange and Ed448 signature scheme (!984) In-Reply-To: References: Message-ID: Daiki Ueno pushed new commits to merge request !984 https://gitlab.com/gnutls/gnutls/merge_requests/984 * a7ea9279 - nettle: vendor in Curve448 and Ed448 implementation * 24fec50c - algorithms: implement X448 key exchange and Ed448 signature scheme -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/984 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat Jan 11 11:53:04 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sat, 11 Jan 2020 10:53:04 +0000 Subject: [gnutls-devel] GnuTLS | WIP: algorithms: implement X448 key exchange and Ed448 signature scheme (!984) In-Reply-To: References: Message-ID: Tim Rühsen commented: This pull request **introduces 11 alerts** when merging 24fec50cf34835e069bf552a71c5b516d31f1686 into 85af41159d76fc9733f2ead54a9a2ab64aeb2b80 - [view on LGTM.com](https://lgtm.com/projects/gl/gnutls/gnutls/rev/pr-c1699504a151c9f0e659cc053a9139240ce8d89b) **new alerts:** * 11 for FIXME comment --- *Comment posted by [LGTM.com](https://lgtm.com)* -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/984#note_270075397 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat Jan 11 13:03:34 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sat, 11 Jan 2020 12:03:34 +0000 Subject: [gnutls-devel] libtasn1 | asn1_decode_simple_ber: added support for constructed definite octet string (!56) In-Reply-To: References: Message-ID: Milestone changed to Release of libtasn1 4.15.1 ( https://gitlab.com/gnutls/libtasn1/-/milestones/2 ) -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/merge_requests/56 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat Jan 11 13:22:45 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sat, 11 Jan 2020 12:22:45 +0000 Subject: [gnutls-devel] GnuTLS | WIP: Signed PKCS#12 support (!830) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos commented: I've added support for this type of encoding in libtasn1: https://gitlab.com/gnutls/libtasn1/merge_requests/56 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/830#note_270084604 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat Jan 11 13:32:06 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sat, 11 Jan 2020 12:32:06 +0000 Subject: [gnutls-devel] GnuTLS | Extend GOST priority settings and documentation (!1160) In-Reply-To: References: Message-ID: Merge Request !1160 was approved by Nikos Mavrogiannopoulos Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/1160 Project:Branches: GostCrypt/gnutls:gost-priorities to gnutls/gnutls:master Author: Dmitry Eremin-Solenikov Assignees: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1160 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat Jan 11 14:09:33 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sat, 11 Jan 2020 13:09:33 +0000 Subject: [gnutls-devel] libtasn1 | asn1_decode_simple_ber: added support for constructed definite octet string (!56) In-Reply-To: References: Message-ID: Merge Request !56 was merged Merge Request url: https://gitlab.com/gnutls/libtasn1/merge_requests/56 Branches: tmp-ber-constructed-octet-string to master Author: Nikos Mavrogiannopoulos Assignees: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/merge_requests/56 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat Jan 11 14:10:37 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sat, 11 Jan 2020 13:10:37 +0000 Subject: [gnutls-devel] GnuTLS | WIP: algorithms: implement X448 key exchange and Ed448 signature scheme (!984) In-Reply-To: References: Message-ID: Daiki Ueno pushed new commits to merge request !984 https://gitlab.com/gnutls/gnutls/merge_requests/984 * 5527b713 - nettle: vendor in Curve448 and Ed448 implementation * 8458248a - algorithms: implement X448 key exchange and Ed448 signature scheme -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/984 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat Jan 11 14:33:08 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sat, 11 Jan 2020 13:33:08 +0000 Subject: [gnutls-devel] GnuTLS | algorithms: implement X448 key exchange and Ed448 signature scheme (!984) In-Reply-To: References: Message-ID: Daiki Ueno commented: I have resurrected this MR with the code from the upstream nettle master. It still contains a bunch of code bundled, but those are basically a carbon copy as the import process is now automated with a script: https://gitlab.com/gnutls/gnutls/blob/8458248ae5c14b9049aa8ab868db0e9cea10c6f4/lib/nettle/ed448/import-from-nettle.sh @lumag, @nmav, could you take a look if you have time? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/984#note_270092378 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat Jan 11 19:01:51 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sat, 11 Jan 2020 18:01:51 +0000 Subject: [gnutls-devel] GnuTLS | WIP: algorithms: implement X448 key exchange and Ed448 signature scheme (!984) In-Reply-To: References: Message-ID: Daiki Ueno commented: I will do the following before asking for merge: - remove configure option to disable Ed448; it makes little sense to have that option now that the code is in nettle - add interop test against OpenSSL -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/984#note_270118333 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat Jan 11 20:33:39 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sat, 11 Jan 2020 19:33:39 +0000 Subject: [gnutls-devel] GnuTLS | WIP: algorithms: implement X448 key exchange and Ed448 signature scheme (!984) In-Reply-To: References: Message-ID: Daiki Ueno pushed new commits to merge request !984 https://gitlab.com/gnutls/gnutls/merge_requests/984 * 926f2da2 - nettle: vendor in Curve448 and Ed448 implementation * cb5ab926 - algorithms: implement X448 key exchange and Ed448 signature scheme -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/984 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat Jan 11 21:40:48 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sat, 11 Jan 2020 20:40:48 +0000 Subject: [gnutls-devel] GnuTLS | gnutls-cli logs only the first stapled OCSP response (#904) References: Message-ID: Airtower created an issue: https://gitlab.com/gnutls/gnutls/issues/904 I'm working on implementing multi-staple in mod_gnutls, and when testing with gnutls-cli found that it would never log more than one stapled response. A look at the code shows that it uses only `gnutls_ocsp_status_request_get` to get the response, not `gnutls_ocsp_status_request_get2`. Versions of gnutls tested: * 3.6.9 from Ubuntu * local build of master at 85af41159d76fc9733f2ead54a9a2ab64aeb2b80 You can find my server-side WIP for mod_gnutls in the [wip-ocsp-multi-staple on Github](https://github.com/airtower-luna/mod_gnutls/tree/wip-ocsp-multi-staple), if you'd like to test with it. I have a patch that fixes the logging issue (https://gitlab.com/airtower-luna/gnutls/commit/8faf6902c7e19eb093e5929608e9e38251d0c9bc), but the same problem affects the `--save-ocsp` option. What would be the best way to fix that? Dumping multiple DER responses into one file seems questionable. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/904 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat Jan 11 21:46:42 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sat, 11 Jan 2020 20:46:42 +0000 Subject: [gnutls-devel] GnuTLS | gnutls-cli: Log all stapled OCSP responses when running with --verbose (!1165) References: Message-ID: Airtower created a merge request: https://gitlab.com/gnutls/gnutls/merge_requests/1165 Project:Branches: airtower-luna/gnutls:tmp-cli-multi-staple to gnutls/gnutls:master Author: Airtower Log all stapled OCSP responses when running `gnutls-cli --verbose` by looping over the number of certificates. Response data is only requested if `ENABLED_OPT(VERBOSE)`. ## Checklist * [ ] Commits have `Signed-off-by:` with name/author being identical to the commit author * [ ] Code modified for feature * [ ] Test suite updated with functionality tests * [ ] Test suite updated with negative tests * [ ] Documentation updated / NEWS entry present (for non-trivial changes) * [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout) ## Reviewer's checklist: * [ ] Any issues marked for closing are addressed * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md` * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1165 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat Jan 11 21:47:48 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sat, 11 Jan 2020 20:47:48 +0000 Subject: [gnutls-devel] GnuTLS | gnutls-cli logs only the first stapled OCSP response (#904) In-Reply-To: References: Message-ID: Airtower commented: I've created !1165 for the partial fix. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/904#note_270143875 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat Jan 11 21:53:29 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sat, 11 Jan 2020 20:53:29 +0000 Subject: [gnutls-devel] GnuTLS | Missing Subject Alternative Name Type - registeredID (#905) References: Message-ID: Markus Weber created an issue: https://gitlab.com/gnutls/gnutls/issues/905 ## Description of problem: The Type "Registered ID" with Index Nr. 8 is missing in the GnuTLS-Build of Debian 10.2 (Buster). https://www.alvestrand.no/objectid/2.5.29.17.html This prevents the Connection of wget to ElasticSearch secured with SearchGuard https://docs.search-guard.com/latest/tls-in-production ## Version of gnutls used: # apt search gnutls | grep installed libcurl3-gnutls/stable,stable,now 7.64.0-4 amd64 [installed,automatic] libgnutls30/stable,stable,now 3.6.7-4 amd64 [installed] libsoup2.4-1/stable,stable,now 2.64.2-2 amd64 [installed,automatic] python3-pycurl/stable,stable,now 7.43.0.2-0.1 amd64 [installed,automatic] ## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL) Debian 10.2 (buster) ## How reproducible: wget against a https-Server, which has a Certificate, that uses a custom oid in the "Subject Alternative Name"-Field ## Actual results: /usr/lib/nagios/plugins/check_elasticsearch -H server.fqdn -u user -p password -c /etc/ssl/certs/elasticsearch-CA.pem -s -N -V --2020-01-11 20:16:09-- https://server:9200/_cluster/health?pretty=true Loaded CA certificate '/etc/ssl/certs/elasticsearch-CA.pem' Resolving server.fqdn (server.fqdn)... 1.2.3.4 Connecting to server.fqdn (server.fqdn)|1.2.3.4|:9200... connected. GnuTLS: Unknown Subject Alternative name in X.509 certificate. Unable to establish SSL connection. 
CRITICAL - Could not connect to server server.fqdn ## Expected results: From another System with Debian 9.11 /usr/lib/nagios/plugins/check_elasticsearch -H server.fqdn -u user -p password -c /etc/ssl/certs/elasticsearch-CA.pem -s -N -V --2020-01-11 20:45:37-- https://server.fqdn:9200/_cluster/health?pretty=true Loaded CA certificate '/etc/ssl/certs/elasticsearch-CA.pem' Resolving server.fqdn (server.fqdn)... 1.2.3.4 Connecting to de1app3.doitll.com (server.fqdn)|1.2.3.4|:9200... connected. HTTP request sent, awaiting response... 401 Unauthorized Authentication selected: Basic realm="Search Guard" Reusing existing connection to [server.fqdn]:9200. HTTP request sent, awaiting response... 200 OK Length: 462 [application/json] Saving to: ‘/tmp/tmp.dV2lmBXb4g-check_elasticsearch’ /tmp/tmp.dV2lmBXb4g-check_elasticsearch 100%[=============================================================================================================================================>] 462 --.-KB/s in 0s 2020-01-11 20:45:38 (15.4 MB/s) - ‘/tmp/tmp.dV2lmBXb4g-check_elasticsearch’ saved [462/462] OK - elasticsearch (cluster) is running. status: green; timed_out: false; ... -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/905 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat Jan 11 22:14:56 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 11 Jan 2020 21:14:56 +0000
Subject: [gnutls-devel] GnuTLS | Missing Subject Alternative Name Type - registeredID (#905)
In-Reply-To:
References:
Message-ID:

Markus Weber commented:

an easier Reproduction is via direct wget:

From Debian 9.11 Elasticsearch Server
```
wget https://localhost:9200/
--2020-01-11 21:57:48-- https://localhost:9200/
Resolving localhost (localhost)... 127.0.0.1
Connecting to localhost (localhost)|127.0.0.1|:9200... connected.
The certificate's owner does not match hostname ‘localhost’
```

And here from Debian 10.2 Elasticsearch Server
```
wget https://localhost:9200/
--2020-01-11 21:57:24-- https://localhost:9200/
Resolving localhost (localhost)... 127.0.0.1
Connecting to localhost (localhost)|127.0.0.1|:9200... connected.
GnuTLS: Unknown Subject Alternative name in X.509 certificate.
Unable to establish SSL connection.
```

The Certificate shows this Field:
X509v3 Subject Alternative Name:
Registered ID:1.2.3.4.5.5, DNS:ecs1.me.com, IP Address:172.16.0.10

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/905#note_270145958

From gnutls-devel at lists.gnutls.org Sun Jan 12 10:28:48 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 12 Jan 2020 09:28:48 +0000
Subject: [gnutls-devel] GnuTLS | WIP: algorithms: implement X448 key exchange and Ed448 signature scheme (!984)
In-Reply-To:
References:
Message-ID:

Daiki Ueno commented on a discussion: https://gitlab.com/gnutls/gnutls/merge_requests/984#note_270181158

After pondering a bit, I (again) realized that bundling the EC code makes it incompatible with the different nettle releases, because it touches the layout of internal data structures. I will probably go without the bundled code and enable Curve448/Ed448 only when the nettle has support for it.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/984#note_270181158

From gnutls-devel at lists.gnutls.org Sun Jan 12 12:44:42 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 12 Jan 2020 11:44:42 +0000
Subject: [gnutls-devel] GnuTLS | WIP: algorithms: implement X448 key exchange and Ed448 signature scheme (!984)
In-Reply-To:
References:
Message-ID:

Dmitry Eremin-Solenikov commented on a discussion: https://gitlab.com/gnutls/gnutls/merge_requests/984#note_270193054

I thought that you were trying to import most of relevant ECC code, so there won't be a dependency on nettle version. A decision to depend on external code should also work, of course. I'd very much prefer to drop most of `lib/nettle/gost`.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/984#note_270193054

From gnutls-devel at lists.gnutls.org Sun Jan 12 13:02:18 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 12 Jan 2020 12:02:18 +0000
Subject: [gnutls-devel] GnuTLS | Fix tests execution when FIPS mode is compiled but not enforced. (!1164)
In-Reply-To:
References:
Message-ID:

Merge Request !1164 was merged

Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/1164
Project:Branches: GostCrypt/gnutls:fix-fips-gost to gnutls/gnutls:master
Author: Dmitry Eremin-Solenikov
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1164

From gnutls-devel at lists.gnutls.org Sun Jan 12 13:03:53 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 12 Jan 2020 12:03:53 +0000
Subject: [gnutls-devel] GnuTLS | WIP: Signed PKCS#12 support (!830)
In-Reply-To:
References:
Message-ID:

Merge Request !830 was reopened by Dmitry Eremin-Solenikov

Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/830
Project:Branches: GostCrypt/gnutls:pkcs12-signed to gnutls/gnutls:master
Author: Dmitry Eremin-Solenikov
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/830

From gnutls-devel at lists.gnutls.org Sun Jan 12 13:05:17 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 12 Jan 2020 12:05:17 +0000
Subject: [gnutls-devel] GnuTLS | WIP: Signed PKCS#12 support (!830)
In-Reply-To:
References:
Message-ID:

Dmitry Eremin-Solenikov commented:

@nmav thank you, I'll get back to this.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/830#note_270194836

From gnutls-devel at lists.gnutls.org Sun Jan 12 13:38:21 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 12 Jan 2020 12:38:21 +0000
Subject: [gnutls-devel] GnuTLS | Extend GOST priority settings and documentation (!1160)
In-Reply-To:
References:
Message-ID:

Merge Request !1160 was merged

Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/1160
Project:Branches: GostCrypt/gnutls:gost-priorities to gnutls/gnutls:master
Author: Dmitry Eremin-Solenikov
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1160

From gnutls-devel at lists.gnutls.org Sun Jan 12 17:27:51 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 12 Jan 2020 16:27:51 +0000
Subject: [gnutls-devel] GnuTLS | tests/priorities: add tests for GOST ciphersuites enablement (!1166)
References:
Message-ID:

Dmitry Eremin-Solenikov created a merge request: https://gitlab.com/gnutls/gnutls/merge_requests/1166

Project:Branches: GostCrypt/gnutls:gost-prio-tests to gnutls/gnutls:master
Author: Dmitry Eremin-Solenikov

Add a description of the new feature/bug fix. Reference any relevant bugs.

## Checklist
* [x] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [x] Code modified for feature
* [x] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
* [x] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:
* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1166

From gnutls-devel at lists.gnutls.org Sun Jan 12 23:21:13 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 12 Jan 2020 22:21:13 +0000
Subject: [gnutls-devel] GnuTLS | tests/priorities: add tests for GOST ciphersuites enablement (!1166)
In-Reply-To:
References:
Message-ID:

Dmitry Eremin-Solenikov pushed new commits to merge request !1166
https://gitlab.com/gnutls/gnutls/merge_requests/1166

* b320b69b - lib: fix _kx_priority_gost termination item

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1166

From gnutls-devel at lists.gnutls.org Mon Jan 13 11:38:00 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 13 Jan 2020 10:38:00 +0000
Subject: [gnutls-devel] GnuTLS | WIP: algorithms: implement X448 key exchange and Ed448 signature scheme (!984)
In-Reply-To:
References:
Message-ID:

Daiki Ueno pushed new commits to merge request !984
https://gitlab.com/gnutls/gnutls/merge_requests/984

* 38c097af - algorithms: implement X448 key exchange and Ed448 signature scheme
* 2b4b2529 - .gitlab-ci.yml: add target to build against nettle master

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/984

From gnutls-devel at lists.gnutls.org Mon Jan 13 11:42:29 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 13 Jan 2020 10:42:29 +0000
Subject: [gnutls-devel] GnuTLS | WIP: algorithms: implement X448 key exchange and Ed448 signature scheme (!984)
In-Reply-To:
References:
Message-ID:

Daiki Ueno commented on a discussion: https://gitlab.com/gnutls/gnutls/merge_requests/984#note_270436667

That's true in theory, but it's extremely hard to ensure that we don't break anything as nettle evolves, e.g., the `privkey-keygen` test is failing in the GOST's ECC path when it is linked against the current nettle master.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/984#note_270436667

From gnutls-devel at lists.gnutls.org Mon Jan 13 13:02:40 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 13 Jan 2020 12:02:40 +0000
Subject: [gnutls-devel] GnuTLS | tests/priorities: add tests for GOST ciphersuites enablement (!1166)
In-Reply-To:
References:
Message-ID:

Merge Request !1166 was approved by Nikos Mavrogiannopoulos

Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/1166
Project:Branches: GostCrypt/gnutls:gost-prio-tests to gnutls/gnutls:master
Author: Dmitry Baryshkov
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1166

From gnutls-devel at lists.gnutls.org Mon Jan 13 13:14:52 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 13 Jan 2020 12:14:52 +0000
Subject: [gnutls-devel] GnuTLS | algorithms: implement X448 key exchange and Ed448 signature scheme (!984)
In-Reply-To:
References:
Message-ID:

Daiki Ueno pushed new commits to merge request !984
https://gitlab.com/gnutls/gnutls/merge_requests/984

* f022da30 - algorithms: implement X448 key exchange and Ed448 signature scheme
* 0c24f577 - .gitlab-ci.yml: add target to build against nettle master

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/984

From gnutls-devel at lists.gnutls.org Mon Jan 13 13:15:41 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 13 Jan 2020 12:15:41 +0000
Subject: [gnutls-devel] GnuTLS | tests/priorities: add tests for GOST ciphersuites enablement (!1166)
In-Reply-To:
References:
Message-ID:

Merge Request !1166 was merged

Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/1166
Project:Branches: GostCrypt/gnutls:gost-prio-tests to gnutls/gnutls:master
Author: Dmitry Baryshkov
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1166

From gnutls-devel at lists.gnutls.org Mon Jan 13 13:49:43 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 13 Jan 2020 12:49:43 +0000
Subject: [gnutls-devel] GnuTLS | gnutls-cli: Log all stapled OCSP responses when running with --verbose (!1165)
In-Reply-To:
References:
Message-ID:

Merge Request !1165 was approved by Nikos Mavrogiannopoulos

Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/1165
Project:Branches: airtower-luna/gnutls:tmp-cli-multi-staple to gnutls/gnutls:master
Author: Airtower
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1165

From gnutls-devel at lists.gnutls.org Mon Jan 13 13:53:42 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 13 Jan 2020 12:53:42 +0000
Subject: [gnutls-devel] GnuTLS | gnutls-cli logs only the first stapled OCSP response (#904)
In-Reply-To:
References:
Message-ID:

Nikos Mavrogiannopoulos commented:

For the save-ocsp, indeed the DER form is not very flexible, but we can use the PEM form for saving. Breaking `--save-ocsp` may be difficult as there may be test suites using it, but we may introduce a new option to save in PEM form and mark `--save-ocsp` as deprecated so it doesn't even show in the --help. What do you think?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/904#note_270507755

From gnutls-devel at lists.gnutls.org Mon Jan 13 13:59:13 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 13 Jan 2020 12:59:13 +0000
Subject: [gnutls-devel] GnuTLS | Bring support for TPM 2.0 (#594)
In-Reply-To:
References:
Message-ID:

Nikos Mavrogiannopoulos commented:

To make a TPM2 support right we need to duplicate an existing ecosystem and I have given up on that. I see using something like a pkcs11 to TPM2 have more benefit vs cost, than this addition.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/594#note_270511008

From gnutls-devel at lists.gnutls.org Mon Jan 13 14:24:10 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 13 Jan 2020 13:24:10 +0000
Subject: [gnutls-devel] GnuTLS | libgnutls: Add system-wide default-priority-string override. (!1158)
In-Reply-To:
References:
Message-ID:

Nikos Mavrogiannopoulos started a new discussion on lib/priority.c: https://gitlab.com/gnutls/gnutls/merge_requests/1158#note_270526277

> if (ret < 0) > return 0; > } else if (c_strcasecmp(section, OVERRIDES_SECTION)==0) { > - if (c_strcasecmp(name, "insecure-hash")==0) { > + if (c_strcasecmp(name, "default-priority-string")==0) { > + _clear_default_system_priority(); > + p = clear_spaces(value, str); > + _gnutls_debug_log("cfg: setting default-priority-string to %s\n", p); > + if (strlen(p) > 0) { > + _gnutls_default_priority_string = gnutls_strdup(p); > + if (!_gnutls_default_priority_string) { > + _gnutls_default_priority_string = DEFAULT_PRIORITY_STRING; > + _gnutls_debug_log("cfg: failed setting default-priority-string %d\n",

Sorry I missed that. What's the purpose of printing errno here? What about just memory error? I'm thinking that we don't use the errno on any other memory allocation failures and using it only here will not be providing much value.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1158#note_270526277

From gnutls-devel at lists.gnutls.org Mon Jan 13 14:26:04 2020
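Review bot: In the `default-priority-string` branch, a failed `gnutls_strdup(p)` falls back to `DEFAULT_PRIORITY_STRING` and leaves only a `_gnutls_debug_log` line behind, so a system-wide override can be dropped without the caller learning of it. Since this setting expresses the administrator's policy, consider returning an error from the handler, as the `ret < 0` path just above does with `return 0`, instead of continuing with the built-in default. The same pointer also ends up holding either heap memory or the static `DEFAULT_PRIORITY_STRING`, so whatever releases it (presumably `_clear_default_system_priority()`) has to compare against the constant before freeing; a comment saying so would help. Minor: the "setting default-priority-string to %s" message is logged before the `strlen(p) > 0` test, so an empty value is reported as set although nothing is assigned.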
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 13 Jan 2020 13:26:04 +0000
Subject: [gnutls-devel] GnuTLS | libgnutls: Add system-wide default-priority-string override. (!1158)
In-Reply-To:
References:
Message-ID:

Nikos Mavrogiannopoulos commented:

Apart from the errno comment, could you merge the changes to a single commit? After that I'll merge it in master. Thank you!

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1158#note_270527471

From gnutls-devel at lists.gnutls.org Mon Jan 13 14:26:11 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 13 Jan 2020 13:26:11 +0000
Subject: [gnutls-devel] GnuTLS | libgnutls: Add system-wide default-priority-string override. (!1158)
In-Reply-To:
References:
Message-ID:

Reassigned Merge Request 1158
https://gitlab.com/gnutls/gnutls/merge_requests/1158

Assignee changed to Nikos Mavrogiannopoulos

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1158

From gnutls-devel at lists.gnutls.org Mon Jan 13 14:33:39 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 13 Jan 2020 13:33:39 +0000
Subject: [gnutls-devel] GnuTLS | Compiled-in, yet unsupported by default, TLS versions (!1157)
In-Reply-To:
References:
Message-ID:

Nikos Mavrogiannopoulos commented:

> In terms of "default" built-ins, I'd love to be able to provide at configure time "disabled-versions" list. And for example, allow people to "reset" it by using "disabled-versions =" which would explicitly reset the list of disabled-versions back to none. This is similar to the ini-syntax that systemd units use to reset/override otherwise additive keys with system drop-ins.

But that would seem to me very restricted, as it focuses only on one aspect of settings (tls versions). The rest of the settings (algorithms, hashes, etc.) will not be covered, and that will lead to a piecemeal approach and feels to me that the handling of that disablement will become very complex if not unmanageable. For example with the patch you propose I see how I can disable TLS1.0 and TLS1.1 at configure time, but how do I do the same for SHA256? Even a version like TLS1.2 cannot be handled by the configure logic.

> I don't think enforcing the presence of the configuration file is sensible. Especially since until now, no config was provided or necessary.

True, I was not thinking about a universal requirement, but one that is asked during configure time. So distributions which require a config can do so.

> Or maybe I should just stop compiling in TLSv1.1 and lower, and just be done with it.

True. That may be a way out. I am not sure how far we can get for it. I know we could not convince the fedora community to move from TLS1.0 and TLS1.1. As long as browsers enable them, it would be very hard to differ from a library like gnutls.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1157#note_270532318

From gnutls-devel at lists.gnutls.org Mon Jan 13 14:40:46 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 13 Jan 2020 13:40:46 +0000
Subject: [gnutls-devel] libtasn1 | Send release announcements to info-gnu@gnu.org (#18)
In-Reply-To:
References:
Message-ID:

Nikos Mavrogiannopoulos commented:

I do not have any script.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/issues/18#note_270536587

From gnutls-devel at lists.gnutls.org Mon Jan 13 14:41:46 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 13 Jan 2020 13:41:46 +0000
Subject: [gnutls-devel] GnuTLS | tests: replace invalid extension OIDs with valid ones (!1153)
In-Reply-To:
References:
Message-ID:

Dmitry Baryshkov commented:

LGTM.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1153#note_270537130

From gnutls-devel at lists.gnutls.org Mon Jan 13 14:41:52 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 13 Jan 2020 13:41:52 +0000
Subject: [gnutls-devel] GnuTLS | tests: replace invalid extension OIDs with valid ones (!1153)
In-Reply-To:
References:
Message-ID:

Merge Request !1153 was approved by Dmitry Baryshkov

Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/1153
Project:Branches: nmav/gnutls:tmp-oid-fix to gnutls/gnutls:master
Author: Nikos Mavrogiannopoulos
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1153

From gnutls-devel at lists.gnutls.org Mon Jan 13 14:42:38 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 13 Jan 2020 13:42:38 +0000
Subject: [gnutls-devel] GnuTLS | tests: replace invalid extension OIDs with valid ones (!1153)
In-Reply-To:
References:
Message-ID:

Dmitry Baryshkov commented:

A small note: it might be good to mention why those OIDs were incorrect.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1153#note_270537681

From gnutls-devel at lists.gnutls.org Mon Jan 13 14:50:45 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 13 Jan 2020 13:50:45 +0000
Subject: [gnutls-devel] GnuTLS | gnutls-cli: Log all stapled OCSP responses when running with --verbose (!1165)
In-Reply-To:
References:
Message-ID:

Merge Request !1165 was merged

Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/1165
Project:Branches: airtower-luna/gnutls:tmp-cli-multi-staple to gnutls/gnutls:master
Author: Airtower
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1165

From gnutls-devel at lists.gnutls.org Mon Jan 13 14:54:44 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 13 Jan 2020 13:54:44 +0000
Subject: [gnutls-devel] GnuTLS | tests: replace invalid extension OIDs with valid ones (!1153)
In-Reply-To:
References:
Message-ID:

Nikos Mavrogiannopoulos commented:

Let me write it here. Valid OIDs are starting from 0, 1 or 2. Several of the removed OIDs during testing were starting from something larger than 2. libtasn1 unfortunately did not error out on invalid OIDs, nor was able to cover the whole set of OIDs.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1153#note_270545360

From gnutls-devel at lists.gnutls.org Mon Jan 13 14:55:10 2020
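The rule stated in the comment above (a valid OID starts with 0, 1 or 2) follows from DER packing the first two arcs into a single subidentifier, 40 * first + second. The strict encoder below is an added illustration, not libtasn1 or GnuTLS code; every function name and return code in it is this example's own.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Return codes; the names are this example's own. */
enum { OID_OK = 0, OID_ERR_SYNTAX = -1, OID_ERR_FIRST_ARC = -2,
       OID_ERR_SECOND_ARC = -3, OID_ERR_RANGE = -4, OID_ERR_SPACE = -5 };

/* Parse one decimal arc at *s; reject empty arcs and 64-bit overflow. */
static int parse_arc(const char **s, uint64_t *arc)
{
    const char *p = *s;
    uint64_t v = 0;
    if (!isdigit((unsigned char)*p))
        return OID_ERR_SYNTAX;
    for (; isdigit((unsigned char)*p); p++) {
        unsigned d = (unsigned)(*p - '0');
        if (v > (UINT64_MAX - d) / 10)
            return OID_ERR_RANGE;
        v = v * 10 + d;
    }
    *s = p;
    *arc = v;
    return OID_OK;
}

/* Append v in base 128, high bit set on every byte except the last. */
static int put_base128(uint64_t v, uint8_t *out, size_t cap, size_t *pos)
{
    uint8_t tmp[10];
    size_t n = 0;
    do {
        tmp[n++] = (uint8_t)(v & 0x7f);
        v >>= 7;
    } while (v != 0);
    if (n > cap - *pos)
        return OID_ERR_SPACE;
    while (n-- > 0)
        out[(*pos)++] = (uint8_t)(tmp[n] | (n ? 0x80 : 0x00));
    return OID_OK;
}

/* Encode a dotted OID into DER content bytes (no tag/length header). */
int oid_to_der(const char *dotted, uint8_t *out, size_t cap, size_t *out_len)
{
    const char *p = dotted;
    uint64_t first, second, arc;
    size_t pos = 0;
    int rc;
    if ((rc = parse_arc(&p, &first)) != OID_OK)
        return rc;
    if (first > 2)                 /* root arcs are 0, 1 and 2 only */
        return OID_ERR_FIRST_ARC;
    if (*p++ != '.')               /* an OID has at least two arcs */
        return OID_ERR_SYNTAX;
    if ((rc = parse_arc(&p, &second)) != OID_OK)
        return rc;
    if (first < 2 && second > 39)  /* below 0 and 1 only 0..39 exist */
        return OID_ERR_SECOND_ARC;
    if (second > UINT64_MAX - 80)
        return OID_ERR_RANGE;
    /* The first two arcs share one subidentifier: 40 * first + second. */
    if ((rc = put_base128(first * 40 + second, out, cap, &pos)) != OID_OK)
        return rc;
    while (*p != '\0') {
        if (*p++ != '.')
            return OID_ERR_SYNTAX;
        if ((rc = parse_arc(&p, &arc)) != OID_OK)
            return rc;
        if ((rc = put_base128(arc, out, cap, &pos)) != OID_OK)
            return rc;
    }
    *out_len = pos;
    return OID_OK;
}

/* Arcs a decoder recovers from the first subidentifier. */
unsigned decoded_first_arc(uint64_t sub) { return sub < 40 ? 0 : sub < 80 ? 1 : 2; }
uint64_t decoded_second_arc(uint64_t sub) { return sub < 80 ? sub % 40 : sub - 80; }

/* Returns a negative OID_ERR_* code, else 1 if the encoding equals want, else 0. */
int oid_compare(const char *dotted, const uint8_t *want, size_t want_len)
{
    uint8_t buf[64];
    size_t n = 0;
    int rc = oid_to_der(dotted, buf, sizeof(buf), &n);
    return rc != OID_OK ? rc : (n == want_len && memcmp(buf, want, n) == 0);
}

int main(void)
{
    printf("2.5.29.17 -> %d\n", oid_compare("2.5.29.17", (const uint8_t *)"\x55\x1d\x11", 3));
    printf("3.1.2     -> %d\n", oid_compare("3.1.2", (const uint8_t *)"", 0));
    printf("40*3+1 reads back as %u.%llu\n", decoded_first_arc(121),
           (unsigned long long)decoded_second_arc(121));
    return 0;
}
```

An encoder that skipped the root-arc check would turn 3.1 into the subidentifier 121, which a decoder reads back as 2.41, so an out-of-range OID would silently alias a valid one.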
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 13 Jan 2020 13:55:10 +0000
Subject: [gnutls-devel] GnuTLS | tests: replace invalid extension OIDs with valid ones (!1153)
In-Reply-To:
References:
Message-ID:

Merge Request !1153 was merged

Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/1153
Project:Branches: nmav/gnutls:tmp-oid-fix to gnutls/gnutls:master
Author: Nikos Mavrogiannopoulos
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1153

From gnutls-devel at lists.gnutls.org Mon Jan 13 15:18:38 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 13 Jan 2020 14:18:38 +0000
Subject: [gnutls-devel] GnuTLS | Missing Subject Alternative Name Type - registeredID (#905)
In-Reply-To:
References:
Message-ID:

Nikos Mavrogiannopoulos commented:

Thank you for reporting this. I dug into it a little and I think the check that causes this error is unnecessary. Could you attach some certificate chain that fails with that error when given to `certtool -e`?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/905#note_270561246

From gnutls-devel at lists.gnutls.org Mon Jan 13 15:24:17 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 13 Jan 2020 14:24:17 +0000
Subject: [gnutls-devel] GnuTLS | algorithms: implement X448 key exchange and Ed448 signature scheme (!984)
In-Reply-To:
References:
Message-ID:

Daiki Ueno pushed new commits to merge request !984
https://gitlab.com/gnutls/gnutls/merge_requests/984

* 20f5d667 - algorithms: implement X448 key exchange and Ed448 signature scheme
* a6d712c6 - .gitlab-ci.yml: add target to build against nettle master

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/984

From gnutls-devel at lists.gnutls.org Mon Jan 13 15:25:46 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 13 Jan 2020 14:25:46 +0000
Subject: [gnutls-devel] GnuTLS | algorithms: implement X448 key exchange and Ed448 signature scheme (!984)
In-Reply-To:
References:
Message-ID:

Daiki Ueno commented:

I think I'm done with this; reviews appreciated.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/984#note_270565817

From gnutls-devel at lists.gnutls.org Mon Jan 13 16:30:52 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 13 Jan 2020 15:30:52 +0000
Subject: [gnutls-devel] GnuTLS | WIP: validate_name_constraints_node: eliminate known SAN check (!1167)
References:
Message-ID:

Nikos Mavrogiannopoulos created a merge request: https://gitlab.com/gnutls/gnutls/merge_requests/1167

Project:Branches: nmav/gnutls:tmp-san-fix to gnutls/gnutls:master
Author: Nikos Mavrogiannopoulos

The known SAN check was incorrect as it was hard-coding the supported at the time SANs, and it was not necessary as the previous code would only return a supported SAN and the follow-up code did not depend on unknown SANs.

## Checklist
* [ ] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [x] Code modified for feature
* [ ] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
* [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:
* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1167

From gnutls-devel at lists.gnutls.org Mon Jan 13 17:46:53 2020
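The failure reported in #905 and the change described in !1167 can be reproduced in miniature with a walker over the SubjectAltName `GeneralNames` sequence. This is an added example, not GnuTLS code: the function names, the return codes, the contents of the hard-coded type list and the sample bytes (built by hand from the SAN field quoted in the report) are all assumptions of this sketch.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* GeneralName CHOICE tag numbers, RFC 5280 section 4.2.1.6. */
enum { SAN_OTHERNAME = 0, SAN_RFC822 = 1, SAN_DNS = 2, SAN_X400 = 3,
       SAN_DIRNAME = 4, SAN_EDIPARTY = 5, SAN_URI = 6, SAN_IPADDR = 7,
       SAN_REGISTERED_ID = 8 };
enum { SAN_OK = 0, SAN_ERR_MALFORMED = -1, SAN_ERR_UNKNOWN_TYPE = -2 };
struct tlv { uint8_t tag; const uint8_t *val; size_t len; };
struct san_summary { int total, skipped, dns_match; };

/* Constructed sample: DER for the SAN value quoted in the report
 * (registeredID 1.2.3.4.5.5, DNS ecs1.me.com, IP 172.16.0.10). */
static const uint8_t sample_san[] = {
    0x30, 0x1a,
    0x88, 0x05, 0x2a, 0x03, 0x04, 0x05, 0x05,
    0x82, 0x0b, 'e', 'c', 's', '1', '.', 'm', 'e', '.', 'c', 'o', 'm',
    0x87, 0x04, 0xac, 0x10, 0x00, 0x0a
};

/* Read one DER TLV at *p and advance; -1 on truncated or non-DER input. */
static int read_tlv(const uint8_t **p, const uint8_t *end, struct tlv *t)
{
    const uint8_t *q = *p;
    size_t len, n, i;
    if (end - q < 2)
        return -1;
    t->tag = *q++;
    len = *q++;
    if ((t->tag & 0x1f) == 0x1f)        /* multi-byte tag numbers: not used here */
        return -1;
    if (len & 0x80) {                   /* long form, at most two length bytes */
        n = len & 0x7f;
        if (n == 0 || n > 2 || (size_t)(end - q) < n)
            return -1;
        for (len = 0, i = 0; i < n; i++)
            len = (len << 8) | *q++;
        if (len < (n == 1 ? 0x80u : 0x100u))
            return -1;                  /* DER allows the shortest form only */
    }
    if ((size_t)(end - q) < len)
        return -1;
    t->val = q;
    t->len = len;
    *p = q + len;
    return 0;
}

/* ASCII case-insensitive comparison of n bytes. */
static int ascii_ieq(const uint8_t *a, const char *b, size_t n)
{
    for (; n > 0; n--, a++, b++)
        if (tolower(*a) != tolower((unsigned char)*b))
            return 0;
    return 1;
}

/* Walk a SubjectAltName value. hardcoded_list != 0 mimics a checker that fails
 * on any type outside its own list (the list here is hypothetical). */
int san_walk(const uint8_t *der, size_t der_len, const char *host,
             int hardcoded_list, struct san_summary *out)
{
    const uint8_t *p = der, *end = der + der_len;
    struct tlv seq, gn;
    unsigned type = 0;
    memset(out, 0, sizeof(*out));
    if (read_tlv(&p, end, &seq) != 0 || seq.tag != 0x30 || p != end || seq.len == 0)
        return SAN_ERR_MALFORMED;
    for (p = seq.val, end = p + seq.len; p < end; ) {
        if (read_tlv(&p, end, &gn) != 0 || (gn.tag & 0xc0) != 0x80 ||
            (type = gn.tag & 0x1f) > (unsigned)SAN_REGISTERED_ID)
            return SAN_ERR_MALFORMED;   /* not a GeneralName at all */
        out->total++;
        switch (type) {
        case SAN_DNS:                   /* exact match only, no wildcards */
            if (gn.len == strlen(host) && ascii_ieq(gn.val, host, gn.len))
                out->dns_match = 1;
            break;
        case SAN_OTHERNAME: case SAN_RFC822: case SAN_DIRNAME: case SAN_URI: case SAN_IPADDR:
            break;                      /* on the list, unused for a host match */
        default:                        /* x400Address, ediPartyName, registeredID */
            if (hardcoded_list)
                return SAN_ERR_UNKNOWN_TYPE;
            out->skipped++;
        }
    }
    return SAN_OK;
}

int main(void)
{
    struct san_summary s;
    int strict = san_walk(sample_san, sizeof(sample_san), "ecs1.me.com", 1, &s);
    int lax = san_walk(sample_san, sizeof(sample_san), "ecs1.me.com", 0, &s);
    printf("hard-coded list rc=%d; skipping rc=%d total=%d skipped=%d dns_match=%d\n",
           strict, lax, s.total, s.skipped, s.dns_match);
    return 0;
}
```

Skipping a well-formed entry of a type the caller does not interpret still leaves the DNS comparison intact, while a tag outside [0]..[8] or a truncated value is rejected as malformed in both modes.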
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 13 Jan 2020 16:46:53 +0000
Subject: [gnutls-devel] GnuTLS | libgnutls: Add system-wide default-priority-string override. (!1158)
In-Reply-To:
References:
Message-ID:

Dimitri John Ledkov commented on a discussion on lib/priority.c: https://gitlab.com/gnutls/gnutls/merge_requests/1158#note_270679062

> if (ret < 0) > return 0; > } else if (c_strcasecmp(section, OVERRIDES_SECTION)==0) { > - if (c_strcasecmp(name, "insecure-hash")==0) { > + if (c_strcasecmp(name, "default-priority-string")==0) { > + _clear_default_system_priority(); > + p = clear_spaces(value, str); > + _gnutls_debug_log("cfg: setting default-priority-string to %s\n", p); > + if (strlen(p) > 0) { > + _gnutls_default_priority_string = gnutls_strdup(p); > + if (!_gnutls_default_priority_string) { > + _gnutls_default_priority_string = DEFAULT_PRIORITY_STRING; > + _gnutls_debug_log("cfg: failed setting default-priority-string %d\n",

It is out of memory error only. Will drop.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1158#note_270679062

From gnutls-devel at lists.gnutls.org Mon Jan 13 19:54:53 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 13 Jan 2020 18:54:53 +0000
Subject: [gnutls-devel] GnuTLS | libgnutls: Add system-wide default-priority-string override. (!1158)
In-Reply-To:
References:
Message-ID:

Dimitri John Ledkov pushed new commits to merge request !1158
https://gitlab.com/gnutls/gnutls/merge_requests/1158

* cd280248 - Drop errno.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1158

From gnutls-devel at lists.gnutls.org Mon Jan 13 19:54:57 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 13 Jan 2020 18:54:57 +0000
Subject: [gnutls-devel] GnuTLS | libgnutls: Add system-wide default-priority-string override. (!1158)
In-Reply-To:
References:
Message-ID:

All discussions on Merge Request !1158 were resolved by Dimitri John Ledkov
https://gitlab.com/gnutls/gnutls/merge_requests/1158

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1158

From gnutls-devel at lists.gnutls.org Mon Jan 13 19:55:43 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 13 Jan 2020 18:55:43 +0000
Subject: [gnutls-devel] GnuTLS | libgnutls: Add system-wide default-priority-string override. (!1158)
In-Reply-To:
References:
Message-ID:

Dimitri John Ledkov pushed new commits to merge request !1158

https://gitlab.com/gnutls/gnutls/merge_requests/1158

* 0ae82294...2e52d307 - 9 commits from branch `master`
* 454eb184 - libgnutls: Add system-wide default-priority-string override.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1158

From gnutls-devel at lists.gnutls.org Mon Jan 13 20:50:03 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 13 Jan 2020 19:50:03 +0000
Subject: [gnutls-devel] GnuTLS | Missing Subject Alternative Name Type - registeredID (#905)
In-Reply-To:
References:
Message-ID:

Markus Weber commented:

On the Debian-Buster certtool-Version 3.6.7
```
user at host:~$ certtool -e --infile=node.acme.com.pem
error parsing CRTs: Unknown Subject Alternative name in X.509 certificate.
```
On my Playground with ArchLinux certtool-Version 3.6.11
```
[user at host]$ certtool -e --infile=node.acme.com.pem
|<1>| There was a non-CA certificate in the trusted list: C=DE,ST=Bavaria,L=xxx,O=acme,OU=ECS,CN=node.acme.com.
Subject: CN=node.acme.com,OU=ECS,O=acme,L=xxx,ST=Bavaria,C=DE
Issuer: EMAIL=certs at acme.com,CN=ecs1-CA,OU=xxx,O=xxx,L=xxx,ST=Bavaria,C=DE
Signature algorithm: RSA-SHA256
Output: Not verified. The certificate is NOT trusted. The certificate issuer is unknown.

Subject: CN=node.acme.com,OU=ECS,O=acme,L=xxx,ST=Bavaria,C=DE
Issuer: EMAIL=certs at acme.com,CN=ecs1-CA,OU=xxx,O=xxx,L=xxx,ST=Bavaria,C=DE
Signature algorithm: RSA-SHA256
Output: Not verified. The certificate is NOT trusted. The certificate issuer is unknown.

Chain verification output: Not verified. The certificate is NOT trusted. The certificate issuer is unknown.
``` The Configuration for this Certificate is: ``` nsComment=DoitLL Infrastructure nsCertType=client, server crlDistributionPoints=crlDistributionPoint0_sect subjectAltName=RID:1.2.3.4.5.5, DNS:node.acme.com, IP:127.0.0.1, DNS:cluster.acme.com extendedKeyUsage=serverAuth, clientAuth keyUsage=digitalSignature, nonRepudiation, keyEncipherment subjectKeyIdentifier=hash basicConstraints=critical,CA:FALSE [crlDistributionPoint0_sect] fullname=URI:http://www.acme.com/certs/elasticsearch-crl.pem ``` I created a Test-Certificate and attached it ``` -----BEGIN CERTIFICATE----- MIIFhzCCA2+gAwIBAgIIVRr27nlGS/4wDQYJKoZIhvcNAQELBQAwgYsxCzAJBgNV BAYTAkRFMRAwDgYDVQQIEwdCYXZhcmlhMQ4wDAYDVQQHEwVHbG9ubjEWMBQGA1UE ChMNSERMLVN5bmVyZ2llczEPMA0GA1UECxMGRG9pdExMMRAwDgYDVQQDEwdlY3Mx LUNBMR8wHQYJKoZIhvcNAQkBFhBjZXJ0c0Bkb2l0bGwuY29tMB4XDTIwMDExMzAw MDAwMFoXDTIxMDExMjIzNTk1OVowZDELMAkGA1UEBhMCREUxEDAOBgNVBAgTB0Jh dmFyaWExDjAMBgNVBAcTBUdsb25uMQ0wCwYDVQQKEwRhY21lMQwwCgYDVQQLEwNF Q1MxFjAUBgNVBAMTDW5vZGUuYWNtZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IB DwAwggEKAoIBAQDMkJJqHU7N7qOrZ2CaBbiAlVuo/OmgLDdJqSiIOSSTM5CgChj0 nZ2A/K5sY4cAmqdc10SxC8Gf3I/wMQcBLRXwUckpRJcauOCQOAf4KBu5S2ZddXf0 2mB4i/Oj5lRPri3CRQZjPeB/AXUaM73efLT94uHjnxNnoGsE5gMrfLcGGZGbwPxq 7wXL42UjS+svKblnhs32jjAr+5480KqU/ln5j7wZFpZ7gh8rfdv4Ye/D7lZeZWmM w521oD62yn5F4dlv6X6qO6XA8xubU11rw6BJB+9qPU1nyRr+RTpksj5/2kX7zxik oamizIviJd2cHuUMDFvUQl7rD046sMi1gFiNAgMBAAGjggETMIIBDzAMBgNVHRMB Af8EAjAAMB0GA1UdDgQWBBSPwl4fSMJ0Stb0X6FFJnMPSic1pTALBgNVHQ8EBAMC BeAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMDkGA1UdEQQyMDCIBSoD BAUFgg1ub2RlLmFjbWUuY29thwR/AAABghJjbHVzdGVyLmRvaXRsbC5jb20wQAYD VR0fBDkwNzA1oDOgMYYvaHR0cDovL3d3dy5hY21lLmNvbS9jZXJ0cy9lbGFzdGlj c2VhcmNoLWNybC5wZW0wEQYJYIZIAYb4QgEBBAQDAgbAMCQGCWCGSAGG+EIBDQQX FhVEb2l0TEwgSW5mcmFzdHJ1Y3R1cmUwDQYJKoZIhvcNAQELBQADggIBAB1ezzld haFOqtftCjDeX6h3LogqVdUx12X313ysOKThBS3b9zOnhJY5OSMwyMfXS+p8LYNV XYILX23/MmLwYFVOIwLt9ii+FBonCIVUPSeR1sZcNPUoOExEpbPK1gWyPlW6J7B9 
K95Xme0hUUVGaLxUvkjpi8XeLnqMz18V5DIh/tVZ+ssvSjeOc6tE80imFxyKYF4h LNN9i7c2pg0vwBvUEIg8sdGLT8m4JCzhgejv8DY6QlOpzvXihXp3MPmtRmgVrIw5 LLMCsoz+JtsjIrEcwlYG6q5/84tCHyF/dZ/m73LR+o61aRX3Y6TlS2vodUX2dwrO 7VbMeQsrc5xrYpJrcm+an5RLoP5WwVPGmc0HKnAsc3lp40FYodnMLiWnvvbsUoOc Y8lRqOeD3EZtNQHwOEQ5K/O0gH9nulP9PFG9+KMiGQHcTmrubVkKmy/q0ev1wjgN 2C72UZj1ZGhJEyJDB/iGOKtHwCkiO0fJzcfMk22leG8BSIuqWfT9iaA/x9iQuRP8 8o18zN/3jjQxm7ramI+UH/paosyOAZG00ssEfcwbs3c5LR3YJdRAGelh3wNqED7/ C8pRU4J5KEmj/mdqm8g/WyJNhvy24JLSceF3mu7TPfxJ1yV8d27SOoMPo+yZzJEt MSE41z6ZaVuQe0Kkh85sI1YbBNM7UGCxLnHn -----END CERTIFICATE----- ``` -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/905#note_270761620 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Jan 13 23:42:10 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 13 Jan 2020 22:42:10 +0000 Subject: [gnutls-devel] GnuTLS | libgnutls: Add system-wide default-priority-string override. (!1158) In-Reply-To: References: Message-ID: Merge Request !1158 was approved by Nikos Mavrogiannopoulos Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/1158 Project:Branches: xnox/gnutls:override-default-priority to gnutls/gnutls:master Author: Dimitri John Ledkov Assignee: Nikos Mavrogiannopoulos -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1158 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Jan 13 23:42:19 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 13 Jan 2020 22:42:19 +0000
Subject: [gnutls-devel] GnuTLS | libgnutls: Add system-wide default-priority-string override. (!1158)
In-Reply-To:
References:
Message-ID:

Merge Request !1158 was merged

Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/1158
Project:Branches: xnox/gnutls:override-default-priority to gnutls/gnutls:master
Author: Dimitri John Ledkov
Assignee: Nikos Mavrogiannopoulos

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1158

From gnutls-devel at lists.gnutls.org Mon Jan 13 23:42:23 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 13 Jan 2020 22:42:23 +0000
Subject: [gnutls-devel] GnuTLS | libgnutls: Add system-wide default-priority-string override. (!1158)
In-Reply-To:
References:
Message-ID:

Milestone changed to Release of GnuTLS 3.6.12 (Dec 1, 2019–Feb 1, 2020) ( https://gitlab.com/gnutls/gnutls/-/milestones/26 )

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1158

From gnutls-devel at lists.gnutls.org Mon Jan 13 23:47:11 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 13 Jan 2020 22:47:11 +0000
Subject: [gnutls-devel] GnuTLS | Missing Subject Alternative Name Type - registeredID (#905)
In-Reply-To:
References:
Message-ID:

Nikos Mavrogiannopoulos commented:

I cannot seem to be able to reproduce the error with the attached certificate. All I see is:
```
Subject: CN=node.acme.com,OU=ECS,O=acme,L=Glonn,ST=Bavaria,C=DE
Issuer: EMAIL=certs at doitll.com,CN=ecs1-CA,OU=DoitLL,O=HDL-Synergies,L=Glonn,ST=Bavaria,C=DE
Signature algorithm: RSA-SHA256
Output: Not verified. The certificate is NOT trusted. The certificate issuer is unknown.

Chain verification output: Not verified. The certificate is NOT trusted. The certificate issuer is unknown.
```

Could you attach the full chain?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/905#note_270839342

From gnutls-devel at lists.gnutls.org Mon Jan 13 23:53:52 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 13 Jan 2020 22:53:52 +0000 Subject: [gnutls-devel] GnuTLS | Missing Subject Alternative Name Type - registeredID (#905) In-Reply-To: References: Message-ID: Markus Weber commented: the CA-cert is this: ``` -----BEGIN CERTIFICATE----- MIIGUjCCBDqgAwIBAgIIa9Kynm+Yny8wDQYJKoZIhvcNAQELBQAwgYsxCzAJBgNV BAYTAkRFMRAwDgYDVQQIEwdCYXZhcmlhMQ4wDAYDVQQHEwVHbG9ubjEWMBQGA1UE ChMNSERMLVN5bmVyZ2llczEPMA0GA1UECxMGRG9pdExMMRAwDgYDVQQDEwdlY3Mx LUNBMR8wHQYJKoZIhvcNAQkBFhBjZXJ0c0Bkb2l0bGwuY29tMB4XDTE4MTIyMzAw MDAwMFoXDTM4MTIyMjIzNTk1OVowgYsxCzAJBgNVBAYTAkRFMRAwDgYDVQQIEwdC YXZhcmlhMQ4wDAYDVQQHEwVHbG9ubjEWMBQGA1UEChMNSERMLVN5bmVyZ2llczEP MA0GA1UECxMGRG9pdExMMRAwDgYDVQQDEwdlY3MxLUNBMR8wHQYJKoZIhvcNAQkB FhBjZXJ0c0Bkb2l0bGwuY29tMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKC AgEAuMXaYQVVoBxazAkDbwed/+H6CbaD7Mb93mT+Nm6mTG1DnMTuUQaV7NdsvH3U giafEpBwZTU/HEfSTyvktQEvuziRNRfrdBSzmXzrFMRA/8LBZNuRGWQtX4WjpeIH nOrjyt9NCxkcV0cyJWba8jq899XAEV7aEBjLis2lWxoRpsepRr8MqyUfyYzxOeVw iJs8K5jQcLW/SBCgs0WgGhlGtZ7/PBzuEfVEsRjdIquGdEcQyAiSOAdYkjv4k1h3 2CMmONnmddMzDsdLISng6sE0FKeqPbfejxTcKoRyxgqFk/YiOjSV/u+0nfxnhrIi MgTqRxa6f0fIG+YVjm/xnFZuo0u95Hic+0SM8UWLVzzJJYL8dN86QplqxrTKV+sU flf9lYkU36M838Lu8EdTeSKO159ppTQpBCzTlCsS+0Ks8gg9rP1LdVLCZNgXOApB PxkriKp95Cr1UuBmke+f0vKz0HOMCDFaGQFAZC+w8A0sJSpaxKfuyvlimRV7Y9i/ 21UyFh9hmRzQQf1niqLDeX1S31XugcchwnWmyxl5zQvjRpT6W43pWnDzSbkQFf+G q/ZaSOq/ZzeEM3oFqXmIlmLiYV4RrzvkN5ji/MwUTLqjHLMeRS6ovc542jbmg4fD 7pU+gGx8Ligjj0CAAdX65ZqFo3BHr0a86aCAim0fWhX6M00CAwEAAaOBtzCBtDAS BgNVHRMBAf8ECDAGAQH/AgEAMB0GA1UdDgQWBBQd70/FyrK+D7lRvb+7YME9sn2L ZjALBgNVHQ8EBAMCAQYwOQYDVR0fBDIwMDAuoCygKoYoaHR0cDovL3d3dy5kb2l0 bGwuY29tL2NlcnRzL2VjczEtY3JsLnBlbTARBglghkgBhvhCAQEEBAMCAAcwJAYJ YIZIAYb4QgENBBcWFURvaXRMTCBJbmZyYXN0cnVjdHVyZTANBgkqhkiG9w0BAQsF AAOCAgEAambWvcF0+9IttVcLPLmrv5WLnkV6A6KVEFbZZ5uzebZ2xQcXyX7Qo7Vw eCufjuPa9mmUxxQFBCM0ePB1zdy7KG61plr1rRmN64MttR1q9JZvP/ZfkmDYntnY 
m0JIkghadtEJdaH6K9ZpCpGvLvdnLwIw7rUM7QWuTWbwgv+i5CmBILLdwPW7r88X caD8m+KZW8mlx0+oNp9zwpQLXSZBSDemdEwS5VSuER7W20Q8dVQak9QyQgVdOiPP 0upuSGRhXyt+K21o4kTws5R0t8ymwPVUhW14KWaC+1t3r4c0Fd22VL1anKHueZml bVDDWAXWRV3e6xIq2qvK/mob+VJ7Nn8BLciazlO4YHK8RAOsgNIKNPerTgpYDSoy 9hbtjlQFVdGqenjFGAE0fKR7jgEWfAIlqNhCJLF/lVIYJtNvRHJkrmR+1kZShUkU H7BcFpgjOKyNLNbs5b7bVaIajul+ADwkO3pskD3O18zw4STqPtNlnKzgKWTDw3c4 vC5de44aORdn17leMIeu+7NZsKKkd+A9b8LrEgYlMmA3GQLFMDATK+0YbB0oHcMs bEvho4jRuPdc6e81JZmB9UHVtfvxXV7T3Oc21hrzIPjQ4S7XPah07PafIPgbimqy UgFLiwJKnFwSGm86f8VcPblitza79WEJ+S60lWcRTN2wjMN9CZg= -----END CERTIFICATE----- ``` -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/905#note_270841010 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Jan 14 00:00:30 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 13 Jan 2020 23:00:30 +0000
Subject: [gnutls-devel] GnuTLS | Missing Subject Alternative Name Type - registeredID (#905)
In-Reply-To:
References:
Message-ID:

Nikos Mavrogiannopoulos commented:

Can you reproduce it with this certificate chain? I get:
```
Subject: CN=node.acme.com,OU=ECS,O=acme,L=Glonn,ST=Bavaria,C=DE
Issuer: EMAIL=certs at doitll.com,CN=ecs1-CA,OU=DoitLL,O=HDL-Synergies,L=Glonn,ST=Bavaria,C=DE
Checked against: EMAIL=certs at doitll.com,CN=ecs1-CA,OU=DoitLL,O=HDL-Synergies,L=Glonn,ST=Bavaria,C=DE
Signature algorithm: RSA-SHA256
Output: Verified. The certificate is trusted.

Chain verification output: Verified. The certificate is trusted.
```

```
$ certtool --version
certtool 3.6.11
```

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/905#note_270842399

From gnutls-devel at lists.gnutls.org Tue Jan 14 00:05:39 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 13 Jan 2020 23:05:39 +0000
Subject: [gnutls-devel] GnuTLS | Missing Subject Alternative Name Type - registeredID (#905)
In-Reply-To:
References:
Message-ID:

Markus Weber commented:

I can confirm, that it works with certtool 3.6.11 (like that included in ArchLinux). But the Version 3.6.7 from a fully patched Debian 10.2 Buster produces the Error.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/905#note_270843653

From gnutls-devel at lists.gnutls.org Tue Jan 14 08:09:51 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 14 Jan 2020 07:09:51 +0000
Subject: [gnutls-devel] GnuTLS | Please update ca.pem with SHA256 hashsum (#906)
References:
Message-ID:

Dimitri John Ledkov created an issue: https://gitlab.com/gnutls/gnutls/issues/906

I'm struggling to convert PEM certificates into CSR to tweak and resign them.

The ca.pem certificate that is listed in the docs and used in compat tests only has MD5 and SHA1 hashes. Can you also please add SHA256 hash to it?

As per ssl-pulse survey there are no SHA1 certs on the public internet anymore and Ubuntu/Debian OpenSSL rejects SHA1 certs in default configuration. (SECLEVEL=2)

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/906

From gnutls-devel at lists.gnutls.org Tue Jan 14 08:10:50 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 14 Jan 2020 07:10:50 +0000
Subject: [gnutls-devel] GnuTLS | algorithms: implement X448 key exchange and Ed448 signature scheme (!984)
In-Reply-To:
References:
Message-ID:

Daiki Ueno pushed new commits to merge request !984

https://gitlab.com/gnutls/gnutls/merge_requests/984

* aec4a882 - NEWS: mention X448 and Ed448 change [ci skip]

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/984

From gnutls-devel at lists.gnutls.org Tue Jan 14 08:16:01 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 14 Jan 2020 07:16:01 +0000
Subject: [gnutls-devel] GnuTLS | Please update ca.pem with SHA256 hashsum (#906)
In-Reply-To:
References:
Message-ID:

Dimitri John Ledkov commented:

I think I am confused by my gui tools, it is using sha256.

Signature Algorithm: sha256WithRSAEncryption

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/906#note_270944605

From gnutls-devel at lists.gnutls.org Tue Jan 14 08:16:01 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 14 Jan 2020 07:16:01 +0000
Subject: [gnutls-devel] GnuTLS | Please update ca.pem with SHA256 hashsum (#906)
In-Reply-To:
References:
Message-ID:

Issue was closed by Dimitri John Ledkov

Issue #906: https://gitlab.com/gnutls/gnutls/issues/906

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/906

From gnutls-devel at lists.gnutls.org Tue Jan 14 08:36:39 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 14 Jan 2020 07:36:39 +0000
Subject: [gnutls-devel] GnuTLS | Missing Subject Alternative Name Type - registeredID (#905)
In-Reply-To:
References:
Message-ID:

Nikos Mavrogiannopoulos commented:

I'm adding @ametzler as this seems to be debian-specific. It looks related to support for RegisteredID added in 3.6.9.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/905#note_270952763

From gnutls-devel at lists.gnutls.org Tue Jan 14 10:23:13 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 14 Jan 2020 09:23:13 +0000
Subject: [gnutls-devel] GnuTLS | support non-NULL-terminated PSKs (!917)
In-Reply-To:
References:
Message-ID:

Ander Juaristi commented:

@nmav @rockdaboot does this look good to you?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/917#note_271016263

From gnutls-devel at lists.gnutls.org Tue Jan 14 16:18:12 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 14 Jan 2020 15:18:12 +0000
Subject: [gnutls-devel] GnuTLS | testcompat-openssl: improve testing against secured OpenSSL versions. (!1168)
References:
Message-ID:

Dimitri John Ledkov created a merge request: https://gitlab.com/gnutls/gnutls/merge_requests/1168

Project:Branches: xnox/gnutls:openssl-min1.2 to gnutls/gnutls:master
Author: Dimitri John Ledkov

Add a description of the new feature/bug fix. Reference any relevant bugs.

## Checklist
* [ ] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [ ] Code modified for feature
* [ ] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
* [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:
* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1168

From gnutls-devel at lists.gnutls.org Tue Jan 14 16:41:21 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 14 Jan 2020 15:41:21 +0000
Subject: [gnutls-devel] GnuTLS | algorithms: implement X448 key exchange and Ed448 signature scheme (!984)
In-Reply-To:
References:
Message-ID:

Nikos Mavrogiannopoulos commented:

I would like to comment on the conditional nature of supporting x448. The issues that I see are: (a) it will make the question "does gnutls support x448" complex to answer (if nettle supports it, and if gnutls is built with this nettle) and (b) it makes it harder to reliably test that algorithm on CI (you actually handle this by adding a test, but no asan/ubsan or valgrind tests are run on that).

We may need more complex APIs to handle these in a developer-friendly way to answer questions such as "how can I check if x448 is supported in my application?".

Should we ask instead @nielsmoller for a release on nettle?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/984#note_271314588

From gnutls-devel at lists.gnutls.org Tue Jan 14 16:50:47 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 14 Jan 2020 15:50:47 +0000
Subject: [gnutls-devel] GnuTLS | Compiled-in, yet unsupported by default, TLS versions (!1157)
In-Reply-To:
References:
Message-ID:

Merge Request !1157 was closed by Dimitri John Ledkov

Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/1157
Project:Branches: xnox/gnutls:supported-version to gnutls/gnutls:master
Author: Dimitri John Ledkov
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1157

From gnutls-devel at lists.gnutls.org Tue Jan 14 16:50:46 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 14 Jan 2020 15:50:46 +0000
Subject: [gnutls-devel] GnuTLS | Compiled-in, yet unsupported by default, TLS versions (!1157)
In-Reply-To:
References:
Message-ID:

Dimitri John Ledkov commented:

I think I tend to agree with you. The most natural "disable this set; enable that set" of things beyond just the tls versions is "do only gost" or "do only fips". And this patch doesn't enable such a use case trivially.

Cause it would be cute to effectively have a "fat" gnutls that can do sslv3 / gost / fips / "normal v1.2+" tls / legacy tls "profiles" and allow trivially enforcing or switching between them, without breaking API or ABI. But this is not it.

I'm happy with the default-priority-string override. As it allows me as a distribution to set "v1.2+ tls, medium profile, non-fips/non-gost" by default, and allow users to override it with their preferred priority string.

Preparing the code base to disable TLSv1.0/v1.1 at configure/compile time, like SSLv3, is imho a bit premature at the moment. Thus I think I will close this, unmerged.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1157#note_271320554

From gnutls-devel at lists.gnutls.org Tue Jan 14 16:55:24 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 14 Jan 2020 15:55:24 +0000
Subject: [gnutls-devel] GnuTLS | algorithms: implement X448 key exchange and Ed448 signature scheme (!984)
In-Reply-To:
References:
Message-ID:

Daiki Ueno commented on a discussion: https://gitlab.com/gnutls/gnutls/merge_requests/984#note_271323751

A new nettle release would certainly help, but even then I suspect that we need to support building with older nettle releases for a certain transitional time.

For (b), can't it be handled in the nettle's CI, once this has been merged?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/984#note_271323751

From gnutls-devel at lists.gnutls.org Tue Jan 14 18:47:39 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 14 Jan 2020 17:47:39 +0000
Subject: [gnutls-devel] GnuTLS | Missing Subject Alternative Name Type - registeredID (#905)
In-Reply-To:
References:
Message-ID:

Andreas Metzler commented:

Your diagnosis looks correct. I have downloaded the two pems in the report, cat-ed them together and ran `certtool --verify-chain --verify-hostname=node.acme.com --infile=/tmp/chain.pem` with all 3.5 and 3.6 uploads to Debian.

* 3.5.0-1 to 3.5.9-1 work,
* 3.5.10-1 to 3.5.19-1 and 3.6.0-1 up to and including 3.6.8-2 produce "Unknown Subject Alternative name in X.509 certificate.",
* 3.6.9-1 and later are fine.

So this is a regression in 3.5.10 that was fixed in 3.6.9 (Or in Debian releases a regression from stretch/9 to buster/10.)

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/905#note_271409121

From gnutls-devel at lists.gnutls.org Tue Jan 14 19:21:54 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 14 Jan 2020 18:21:54 +0000 Subject: [gnutls-devel] GnuTLS | Malformed FFDHE key shares in TLS 1.3 are rejected incorrectly (#907) References: Message-ID: Hubert Kario (@mention me if you need reply) created an issue: https://gitlab.com/gnutls/gnutls/issues/907 When a key_share in TLS 1.3 includes an FFDHE group, but the value is a single byte of value 0, the connection is rejected with `internal_error` instead of `illegal_parameter` reproducer in https://github.com/tomato42/tlsfuzzer/pull/553: `PYTHONPATH=. python scripts/test-tls13-ffdhe-groups.py 'ffdhe2048 - 0 as key share'` tlsfuzzer output: ``` ffdhe2048 - 0 as key share ... Error encountered while processing node (child: ) with last message being: Error while processing Traceback (most recent call last): File "scripts/test-tls13-ffdhe-groups.py", line 470, in main runner.run() File "/home/hkario/dev/tlsfuzzer/tlsfuzzer/runner.py", line 237, in run node.process(self.state, msg) File "/home/hkario/dev/tlsfuzzer/tlsfuzzer/expect.py", line 1680, in process raise AssertionError(problem_desc) AssertionError: Expected alert description "illegal_parameter" does not match received "internal_error" Basic FFDHE group tests in TLS 1.3 Check if invalid, malformed and incompatible group key_shares are rejected by server version: 1 Test end successful: 0 failed: 1 'ffdhe2048 - 0 as key share' ``` GnuTLS (0ddd79afb4714) output: ``` |<5>| REC[0xd303e0]: Allocating epoch #0 |<2>| added 2 protocols, 43 ciphersuites, 18 sig algos and 9 groups into priority list * Accepted connection from IPv4 127.0.0.1 port 39428 on Tue Jan 14 19:16:49 202 |<5>| REC[0xd303e0]: Allocating epoch #1 |<3>| ASSERT: buffers.c[get_last_packet]:1168 |<5>| REC[0xd303e0]: SSL 3.0 Handshake packet received. 
Epoch 0, length: 420 |<5>| REC[0xd303e0]: Expected Packet Handshake(22) |<5>| REC[0xd303e0]: Received Packet Handshake(22) with length: 420 |<5>| REC[0xd303e0]: Decrypted Packet[0] Handshake(22) with length: 420 |<4>| HSK[0xd303e0]: CLIENT HELLO (1) was received. Length 416[416], frag offset 0, frag length: 416, sequence: 0 |<4>| HSK[0xd303e0]: Client's version: 3.3 |<4>| EXT[0xd303e0]: Parsing extension 'Supported Versions/43' (5 bytes) |<4>| EXT[0xd303e0]: Found version: 3.4 |<4>| EXT[0xd303e0]: Found version: 3.3 |<4>| EXT[0xd303e0]: Negotiated version: 3.4 |<4>| EXT[0xd303e0]: Parsing extension 'Supported Groups/10' (4 bytes) |<4>| EXT[0xd303e0]: Received group FFDHE2048 (0x100) |<4>| EXT[0xd303e0]: Selected group FFDHE2048 |<4>| EXT[0xd303e0]: Parsing extension 'Signature Algorithms/13' (12 bytes) |<4>| EXT[0xd303e0]: rcvd signature algo (8.4) RSA-PSS-RSAE-SHA256 |<4>| EXT[0xd303e0]: rcvd signature algo (8.9) RSA-PSS-SHA256 |<4>| EXT[0xd303e0]: rcvd signature algo (6.3) ECDSA-SECP521R1-SHA512 |<4>| EXT[0xd303e0]: rcvd signature algo (5.3) ECDSA-SECP384R1-SHA384 |<4>| EXT[0xd303e0]: rcvd signature algo (4.3) ECDSA-SECP256R1-SHA256 |<4>| HSK[0xd303e0]: Received safe renegotiation CS |<2>| checking 13.01 (GNUTLS_AES_128_GCM_SHA256) for compatibility |<3>| ASSERT: server_name.c[gnutls_server_name_get]:239 |<4>| HSK[0xd303e0]: Requested server name: '' |<4>| HSK[0xd303e0]: checking compat of GNUTLS_AES_128_GCM_SHA256 with certificate[3] (RSA-PSS/X.509) |<4>| checking cert compat with RSA-PSS-RSAE-SHA256 |<4>| checking cert compat with RSA-PSS-SHA256 |<4>| Selected signature algorithm: RSA-PSS-SHA256 |<2>| Selected (RSA-PSS) cert based on ciphersuite 13.1: GNUTLS_AES_128_GCM_SHA256 |<4>| HSK[0xd303e0]: Selected cipher suite: GNUTLS_AES_128_GCM_SHA256 |<4>| HSK[0xd303e0]: Selected version TLS1.3 |<4>| EXT[0xd303e0]: Parsing extension 'Key Share/51' (262 bytes) |<4>| EXT[0xd303e0]: Received key share for FFDHE2048 |<4>| HSK[0xd303e0]: Selected group FFDHE2048 (256) 
|<3>| ASSERT: key_share.c[server_use_key_share]:379 |<3>| ASSERT: key_share.c[key_share_recv_params]:559 |<3>| ASSERT: hello_ext.c[hello_ext_parse]:274 |<3>| ASSERT: extv.c[_gnutls_extv_parse]:69 |<3>| ASSERT: hello_ext.c[_gnutls_parse_hello_extensions]:307 |<3>| ASSERT: handshake.c[read_client_hello]:828 |<3>| ASSERT: handshake.c[_gnutls_recv_handshake]:1577 |<3>| ASSERT: handshake.c[handshake_server]:3358 Error in handshake: The scanning of a large integer has failed. |<5>| REC: Sending Alert[2|80] - Internal error |<5>| REC[0xd303e0]: Preparing Packet Alert(21) with length: 2 and min pad: 0 |<5>| REC[0xd303e0]: Sent Packet[1] Alert(21) in epoch 0 and length: 7 |<5>| REC[0xd303e0]: Start of epoch cleanup |<5>| REC[0xd303e0]: End of epoch cleanup |<5>| REC[0xd303e0]: Epoch #0 freed |<5>| REC[0xd303e0]: Epoch #1 freed ``` -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/907 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Jan 14 19:25:13 2020 
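The alert selection this report asks for, as an added example that is not GnuTLS code: a check over the ClientHello key_share body that answers broken framing with decode_error and a well-framed but invalid FFDHE value (wrong length for the group, or Y equal to 0 or 1) with illegal_parameter, so a bignum parsing failure never surfaces as internal_error. It goes slightly beyond this report by also applying the duplicate-group rule of RFC 8446 section 4.2.8; `check_client_key_share`, `demo_case`, `MAX_SHARES` and the sample inputs are constructed for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* TLS alert descriptions (RFC 8446, section 6). */
enum { ALERT_NONE = 0, ALERT_ILLEGAL_PARAMETER = 47, ALERT_DECODE_ERROR = 50 };
#define MAX_SHARES 16 /* limit chosen for this sketch, not a protocol value */

/* Byte length of the prime p of an RFC 7919 group, or 0 if not FFDHE. */
static size_t ffdhe_prime_size(uint16_t group)
{
    switch (group) {
    case 0x0100: return 256;  /* ffdhe2048 */
    case 0x0101: return 384;  /* ffdhe3072 */
    case 0x0102: return 512;  /* ffdhe4096 */
    case 0x0103: return 768;  /* ffdhe6144 */
    case 0x0104: return 1024; /* ffdhe8192 */
    default:     return 0;
    }
}

/* True if the big-endian integer y (len >= 1) is 0 or 1. */
static int value_le_one(const uint8_t *y, size_t len)
{
    size_t i;
    for (i = 0; i + 1 < len; i++)
        if (y[i] != 0)
            return 0;
    return y[len - 1] <= 1;
}

/* Walk the key_share extension body sent by the client and return the alert
 * a server should send, or ALERT_NONE. The upper bound Y < p - 1 needs the
 * group prime and is left out of this sketch. */
int check_client_key_share(const uint8_t *ext, size_t ext_len)
{
    uint16_t seen[MAX_SHARES];
    size_t nseen = 0, pos = 2, i;

    /* client_shares<0..2^16-1>: the length prefix must match the body. */
    if (ext_len < 2 || (((size_t)ext[0] << 8) | ext[1]) != ext_len - 2)
        return ALERT_DECODE_ERROR;
    while (pos < ext_len) {
        uint16_t group;
        size_t kx_len, want;

        if (ext_len - pos < 4)
            return ALERT_DECODE_ERROR;
        group = (uint16_t)((ext[pos] << 8) | ext[pos + 1]);
        kx_len = ((size_t)ext[pos + 2] << 8) | ext[pos + 3];
        pos += 4;
        /* key_exchange<1..2^16-1> must be non-empty and fit in the buffer. */
        if (kx_len == 0 || kx_len > ext_len - pos)
            return ALERT_DECODE_ERROR;
        /* From here on the framing is fine; bad content is illegal_parameter. */
        for (i = 0; i < nseen; i++)
            if (seen[i] == group)
                return ALERT_ILLEGAL_PARAMETER; /* duplicate group */
        if (nseen == MAX_SHARES)
            return ALERT_ILLEGAL_PARAMETER;     /* sketch limit reached */
        seen[nseen++] = group;
        want = ffdhe_prime_size(group);
        if (want != 0 && (kx_len != want || value_le_one(ext + pos, kx_len)))
            return ALERT_ILLEGAL_PARAMETER;     /* wrong size, or Y <= 1 */
        pos += kx_len;
    }
    return ALERT_NONE;
}

/* Append one KeyShareEntry at offset off; returns the new offset. */
static size_t put_share(uint8_t *buf, size_t off, uint16_t group,
                        const uint8_t *kx, size_t kx_len)
{
    buf[off] = (uint8_t)(group >> 8);
    buf[off + 1] = (uint8_t)(group & 0xff);
    buf[off + 2] = (uint8_t)(kx_len >> 8);
    buf[off + 3] = (uint8_t)(kx_len & 0xff);
    memcpy(buf + off + 4, kx, kx_len);
    return off + 4 + kx_len;
}

/* Constructed inputs: 0 = valid ffdhe2048 share, 1 = one-byte zero share,
 * 2 = zero padded to 256 bytes, 3 = same group twice, 4 = truncated buffer. */
int demo_case(int which)
{
    uint8_t y[256] = {0}, ext[2 + 2 * (4 + 256)];
    size_t len;

    if (which != 1 && which != 2)
        y[0] = 0x42; /* arbitrary public value larger than 1 */
    len = put_share(ext, 2, 0x0100, y, which == 1 ? 1 : sizeof(y));
    if (which == 3)
        len = put_share(ext, len, 0x0100, y, sizeof(y));
    ext[0] = (uint8_t)((len - 2) >> 8);
    ext[1] = (uint8_t)((len - 2) & 0xff);
    return check_client_key_share(ext, which == 4 ? len - 10 : len);
}

int main(void)
{
    int i;
    for (i = 0; i <= 4; i++)
        printf("case %d -> alert %d\n", i, demo_case(i));
    return 0;
}
```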
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 14 Jan 2020 18:25:13 +0000
Subject: [gnutls-devel] GnuTLS | Missing Subject Alternative Name Type - registeredID (#905)
In-Reply-To:
References:
Message-ID:

Andreas Metzler commented on a discussion: https://gitlab.com/gnutls/gnutls/issues/905#note_271423007

Fixed in

commit 55c76aab7620aa2609bb488a8ab72c7d782e8424
Author: Karsten Ohme
Date: Sat Jun 22 00:39:56 2019 +0200

Support for Generalname registeredID from RFC 5280 in subject alt name

If I find time in the next days I can also bisect to find where it broke between 3.5.9 and 3.5.10.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/905#note_271423007

From gnutls-devel at lists.gnutls.org Tue Jan 14 19:27:08 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 14 Jan 2020 18:27:08 +0000 Subject: [gnutls-devel] GnuTLS | Duplicated key_shares from client are not detected by GnuTLS server (#908) References: Message-ID: Hubert Kario (@mention me if you need reply) created an issue: https://gitlab.com/gnutls/gnutls/issues/908 When in TLS 1.3 the client advertises two key_shares for the same group, the server does not notice that, instead it continues the connection (sends ServerHello with its key_share). IOW, GnuTLS doesn't implement the check described in https://tools.ietf.org/html/rfc8446#section-4.2.8: ``` Clients MUST NOT offer multiple KeyShareEntry values for the same group. Clients MUST NOT offer any KeyShareEntry values for groups not listed in the client's "supported_groups" extension. Servers MAY check for violations of these rules and abort the handshake with an "illegal_parameter" alert if one is violated. ``` Reproducer: https://github.com/tomato42/tlsfuzzer/pull/553 `PYTHONPATH=. python scripts/test-tls13-ffdhe-groups.py 'ffdhe2048 - duplicated key share entry'` tlsfuzzer output: ``` ffdhe2048 - duplicated key share entry ... 
Error encountered while processing node (child: ) with last message being: Error while processing Traceback (most recent call last): File "scripts/test-tls13-ffdhe-groups.py", line 470, in main runner.run() File "/home/hkario/dev/tlsfuzzer/tlsfuzzer/runner.py", line 235, in run RecordHeader2))) AssertionError: Unexpected message from peer: Handshake(server_hello) Basic FFDHE group tests in TLS 1.3 Check if invalid, malformed and incompatible group key_shares are rejected by server version: 1 Test end successful: 0 failed: 1 'ffdhe2048 - duplicated key share entry' ``` gnutls output: ``` |<5>| REC[0xd303e0]: Allocating epoch #0 |<2>| added 2 protocols, 43 ciphersuites, 18 sig algos and 9 groups into priority list * Accepted connection from IPv4 127.0.0.1 port 39456 on Tue Jan 14 19:17:58 202 |<5>| REC[0xd303e0]: Allocating epoch #1 |<3>| ASSERT: buffers.c[get_last_packet]:1168 |<5>| REC[0xd303e0]: SSL 3.0 Handshake packet received. Epoch 0, length: 680 |<5>| REC[0xd303e0]: Expected Packet Handshake(22) |<5>| REC[0xd303e0]: Received Packet Handshake(22) with length: 680 |<5>| REC[0xd303e0]: Decrypted Packet[0] Handshake(22) with length: 680 |<4>| HSK[0xd303e0]: CLIENT HELLO (1) was received. 
Length 676[676], frag offset 0, frag length: 676, sequence: 0
|<4>| HSK[0xd303e0]: Client's version: 3.3
|<4>| EXT[0xd303e0]: Parsing extension 'Supported Versions/43' (5 bytes)
|<4>| EXT[0xd303e0]: Found version: 3.4
|<4>| EXT[0xd303e0]: Found version: 3.3
|<4>| EXT[0xd303e0]: Negotiated version: 3.4
|<4>| EXT[0xd303e0]: Parsing extension 'Supported Groups/10' (4 bytes)
|<4>| EXT[0xd303e0]: Received group FFDHE2048 (0x100)
|<4>| EXT[0xd303e0]: Selected group FFDHE2048
|<4>| EXT[0xd303e0]: Parsing extension 'Signature Algorithms/13' (12 bytes)
|<4>| EXT[0xd303e0]: rcvd signature algo (8.4) RSA-PSS-RSAE-SHA256
|<4>| EXT[0xd303e0]: rcvd signature algo (8.9) RSA-PSS-SHA256
|<4>| EXT[0xd303e0]: rcvd signature algo (6.3) ECDSA-SECP521R1-SHA512
|<4>| EXT[0xd303e0]: rcvd signature algo (5.3) ECDSA-SECP384R1-SHA384
|<4>| EXT[0xd303e0]: rcvd signature algo (4.3) ECDSA-SECP256R1-SHA256
|<4>| HSK[0xd303e0]: Received safe renegotiation CS
|<2>| checking 13.01 (GNUTLS_AES_128_GCM_SHA256) for compatibility
|<3>| ASSERT: server_name.c[gnutls_server_name_get]:239
|<4>| HSK[0xd303e0]: Requested server name: ''
|<4>| HSK[0xd303e0]: checking compat of GNUTLS_AES_128_GCM_SHA256 with certificate[3] (RSA-PSS/X.509)
|<4>| checking cert compat with RSA-PSS-RSAE-SHA256
|<4>| checking cert compat with RSA-PSS-SHA256
|<4>| Selected signature algorithm: RSA-PSS-SHA256
|<2>| Selected (RSA-PSS) cert based on ciphersuite 13.1: GNUTLS_AES_128_GCM_SHA256
|<4>| HSK[0xd303e0]: Selected cipher suite: GNUTLS_AES_128_GCM_SHA256
|<4>| HSK[0xd303e0]: Selected version TLS1.3
|<4>| EXT[0xd303e0]: Parsing extension 'Key Share/51' (522 bytes)
|<4>| EXT[0xd303e0]: Received key share for FFDHE2048
|<4>| HSK[0xd303e0]: Selected group FFDHE2048 (256)
|<3>| ASSERT: mpi.c[wrap_nettle_mpi_print]:60
|<2>| EXT[0xd303e0]: server generated FFDHE2048 shared key
|<4>| HSK[0xd303e0]: Safe renegotiation succeeded
|<4>| HSK[0xd303e0]: SessionID: 0efa6ab1f6c10f577b1dc58831d7274953157b7602bfc407a0c83e2fef7ebeea
|<4>|
EXT[0xd303e0]: Not sending extension (OCSP Status Request/5) for 'TLS 1.3 server hello'
|<4>| EXT[0xd303e0]: Not sending extension (Client Certificate Type/19) for 'TLS 1.3 server hello'
|<4>| EXT[0xd303e0]: Not sending extension (Server Certificate Type/20) for 'TLS 1.3 server hello'
|<4>| EXT[0xd303e0]: Not sending extension (Supported Groups/10) for 'TLS 1.3 server hello'
|<4>| EXT[0xd303e0]: Not sending extension (Supported EC Point Formats/11) for 'TLS 1.3 server hello'
|<4>| EXT[0xd303e0]: Not sending extension (SRP/12) for 'TLS 1.3 server hello'
|<4>| EXT[0xd303e0]: Not sending extension (Signature Algorithms/13) for 'TLS 1.3 server hello'
|<4>| EXT[0xd303e0]: Not sending extension (SRTP/14) for 'TLS 1.3 server hello'
|<4>| EXT[0xd303e0]: Not sending extension (Heartbeat/15) for 'TLS 1.3 server hello'
|<4>| EXT[0xd303e0]: Not sending extension (ALPN/16) for 'TLS 1.3 server hello'
|<4>| EXT[0xd303e0]: Not sending extension (Encrypt-then-MAC/22) for 'TLS 1.3 server hello'
|<4>| EXT[0xd303e0]: Not sending extension (Extended Master Secret/23) for 'TLS 1.3 server hello'
|<4>| EXT[0xd303e0]: Not sending extension (Session Ticket/35) for 'TLS 1.3 server hello'
|<4>| EXT[0xd303e0]: Preparing extension (Key Share/51) for 'TLS 1.3 server hello'
|<4>| EXT[0xd303e0]: sending key share for FFDHE2048
|<3>| ASSERT: mpi.c[wrap_nettle_mpi_print]:60
|<4>| EXT[0xd303e0]: Sending extension Key Share/51 (260 bytes)
|<4>| EXT[0xd303e0]: Preparing extension (Supported Versions/43) for 'TLS 1.3 server hello'
|<4>| EXT[0xd303e0]: Sending extension Supported Versions/43 (2 bytes)
|<4>| EXT[0xd303e0]: Not sending extension (Post Handshake Auth/49) for 'TLS 1.3 server hello'
|<4>| EXT[0xd303e0]: Not sending extension (Safe Renegotiation/65281) for 'TLS 1.3 server hello'
|<4>| EXT[0xd303e0]: Not sending extension (Server Name Indication/0) for 'TLS 1.3 server hello'
|<4>| EXT[0xd303e0]: Not sending extension (Cookie/44) for 'TLS 1.3 server hello'
|<4>| EXT[0xd303e0]: Not sending
extension (Early Data/42) for 'TLS 1.3 server hello'
|<4>| EXT[0xd303e0]: Preparing extension (PSK Key Exchange Modes/45) for 'TLS 1.3 server hello'
|<4>| EXT[0xd303e0]: Not sending extension (Record Size Limit/28) for 'TLS 1.3 server hello'
|<4>| EXT[0xd303e0]: Not sending extension (Maximum Record Size/1) for 'TLS 1.3 server hello'
|<4>| EXT[0xd303e0]: Not sending extension (ClientHello Padding/21) for 'TLS 1.3 server hello'
|<4>| EXT[0xd303e0]: Preparing extension (Pre Shared Key/41) for 'TLS 1.3 server hello'
|<4>| HSK[0xd303e0]: SERVER HELLO was queued [346 bytes]
|<5>| REC[0xd303e0]: Preparing Packet Handshake(22) with length: 346 and min pad: 0
|<5>| REC[0xd303e0]: Sent Packet[1] Handshake(22) in epoch 0 and length: 351
|<5>| REC[0xd303e0]: Preparing Packet ChangeCipherSpec(20) with length: 1 and min pad: 0
|<5>| REC[0xd303e0]: Sent Packet[2] ChangeCipherSpec(20) in epoch 0 and length: 6
|<4>| REC[0xd303e0]: Sent ChangeCipherSpec
|<5>| REC[0xd303e0]: Initializing epoch #1
|<5>| REC[0xd303e0]: Epoch #1 ready
|<4>| HSK[0xd303e0]: TLS 1.3 re-key with cipher suite: GNUTLS_AES_128_GCM_SHA256
|<4>| EXT[0xd303e0]: Not sending extension (OCSP Status Request/5) for 'encrypted extensions'
|<4>| EXT[0xd303e0]: Preparing extension (Client Certificate Type/19) for 'encrypted extensions'
|<4>| EXT[0xd303e0]: Preparing extension (Server Certificate Type/20) for 'encrypted extensions'
|<4>| EXT[0xd303e0]: Preparing extension (Supported Groups/10) for 'encrypted extensions'
|<4>| EXT[0xd303e0]: Not sending extension (Supported EC Point Formats/11) for 'encrypted extensions'
|<4>| EXT[0xd303e0]: Not sending extension (SRP/12) for 'encrypted extensions'
|<4>| EXT[0xd303e0]: Not sending extension (Signature Algorithms/13) for 'encrypted extensions'
|<4>| EXT[0xd303e0]: Preparing extension (SRTP/14) for 'encrypted extensions'
|<4>| EXT[0xd303e0]: Preparing extension (Heartbeat/15) for 'encrypted extensions'
|<4>| EXT[0xd303e0]: Preparing extension (ALPN/16) for 'encrypted
extensions'
|<4>| EXT[0xd303e0]: Not sending extension (Encrypt-then-MAC/22) for 'encrypted extensions'
|<4>| EXT[0xd303e0]: Not sending extension (Extended Master Secret/23) for 'encrypted extensions'
|<4>| EXT[0xd303e0]: Not sending extension (Session Ticket/35) for 'encrypted extensions'
|<4>| EXT[0xd303e0]: Not sending extension (Key Share/51) for 'encrypted extensions'
|<4>| EXT[0xd303e0]: Not sending extension (Supported Versions/43) for 'encrypted extensions'
|<4>| EXT[0xd303e0]: Not sending extension (Post Handshake Auth/49) for 'encrypted extensions'
|<4>| EXT[0xd303e0]: Not sending extension (Safe Renegotiation/65281) for 'encrypted extensions'
|<4>| EXT[0xd303e0]: Preparing extension (Server Name Indication/0) for 'encrypted extensions'
|<4>| EXT[0xd303e0]: Not sending extension (Cookie/44) for 'encrypted extensions'
|<4>| EXT[0xd303e0]: Preparing extension (Early Data/42) for 'encrypted extensions'
|<4>| EXT[0xd303e0]: Not sending extension (PSK Key Exchange Modes/45) for 'encrypted extensions'
|<4>| EXT[0xd303e0]: Preparing extension (Record Size Limit/28) for 'encrypted extensions'
|<4>| EXT[0xd303e0]: Preparing extension (Maximum Record Size/1) for 'encrypted extensions'
|<4>| EXT[0xd303e0]: Not sending extension (ClientHello Padding/21) for 'encrypted extensions'
|<4>| EXT[0xd303e0]: Not sending extension (Pre Shared Key/41) for 'encrypted extensions'
|<4>| HSK[0xd303e0]: ENCRYPTED EXTENSIONS was queued [6 bytes]
|<4>| HSK[0xd303e0]: CERTIFICATE was queued [874 bytes]
|<4>| checking cert compat with RSA-PSS-RSAE-SHA256
|<4>| checking cert compat with RSA-PSS-SHA256
|<4>| HSK[0xd303e0]: signing TLS 1.3 handshake data: using RSA-PSS-SHA256 and PRF: SHA256
|<3>| ASSERT: mpi.c[wrap_nettle_mpi_print]:60
|<4>| HSK[0xd303e0]: CERTIFICATE VERIFY was queued [264 bytes]
|<4>| HSK[0xd303e0]: sending finished
|<4>| HSK[0xd303e0]: FINISHED was queued [36 bytes]
|<5>| REC[0xd303e0]: Preparing Packet Handshake(22) with length: 6 and min pad: 0
|<5>| REC[0xd303e0]:
Sent Packet[1] Handshake(22) in epoch 1 and length: 28
|<5>| REC[0xd303e0]: Preparing Packet Handshake(22) with length: 874 and min pad: 0
|<5>| REC[0xd303e0]: Sent Packet[2] Handshake(22) in epoch 1 and length: 896
|<5>| REC[0xd303e0]: Preparing Packet Handshake(22) with length: 264 and min pad: 0
|<5>| REC[0xd303e0]: Sent Packet[3] Handshake(22) in epoch 1 and length: 286
|<5>| REC[0xd303e0]: Preparing Packet Handshake(22) with length: 36 and min pad: 0
|<5>| REC[0xd303e0]: Sent Packet[4] Handshake(22) in epoch 1 and length: 58
|<2>| WRITE: -1 returned from 0x5, errno: 104
|<3>| ASSERT: buffers.c[_gnutls_io_write_flush]:722
|<3>| ASSERT: handshake-tls13.c[_gnutls13_handshake_server]:469
Error in handshake: The TLS connection was non-properly terminated.
|<5>| REC: Sending Alert[2|10] - Unexpected message
|<2>| WRITE: -1 returned from 0x5, errno: 32
|<3>| ASSERT: buffers.c[errno_to_gerr]:230
|<3>| ASSERT: buffers.c[_gnutls_io_write_flush]:722
|<3>| ASSERT: record.c[_gnutls_send_tlen_int]:588
|<5>| REC[0xd303e0]: Start of epoch cleanup
|<5>| REC[0xd303e0]: Epoch #0 freed
|<5>| REC[0xd303e0]: End of epoch cleanup
|<5>| REC[0xd303e0]: Epoch #1 freed
^[[2;2~^CExiting via signal 2
```

Tested with 0ddd79afb4714

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/908

From gnutls-devel at lists.gnutls.org Tue Jan 14 19:27:06 2020
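The check from RFC 8446 section 4.2.8 quoted in issue #908 above, written out as an added example; it is not GnuTLS code and not part of the original messages. The function, enum and limit names are hypothetical, and the constructed input has the shape the log reports: one supported group (FFDHE2048, 0x0100) and a 522-byte Key Share extension, which is 2 + 2 × (2 + 2 + 256) bytes, i.e. two 256-byte entries.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Result names are made up for this example; they are not GnuTLS error codes. */
enum ks_result {
    KS_OK = 0,
    KS_DECODE_ERROR,      /* inconsistent lengths ("decode_error" alert) */
    KS_DUPLICATE_GROUP,   /* two entries for one group ("illegal_parameter") */
    KS_GROUP_NOT_OFFERED  /* group absent from supported_groups (same alert) */
};

#define KS_MAX_GROUPS 64 /* example limit: one bit of `seen` per group */

static uint16_t rd16(const uint8_t *p)
{
    return (uint16_t)((p[0] << 8) | p[1]);
}

/*
 * ext, ext_len: extension_data of the ClientHello key_share extension,
 *               i.e. KeyShareEntry client_shares<0..2^16-1>.
 * supported:    groups already parsed from the supported_groups extension.
 */
enum ks_result check_client_key_shares(const uint8_t *ext, size_t ext_len,
                                       const uint16_t *supported,
                                       size_t n_supported)
{
    uint64_t seen = 0; /* bit i is set once a share for supported[i] was read */
    size_t pos = 2;

    if (n_supported > KS_MAX_GROUPS)
        return KS_DECODE_ERROR;
    if (ext_len < 2 || (size_t)rd16(ext) != ext_len - 2)
        return KS_DECODE_ERROR;

    while (pos < ext_len) {
        uint16_t group;
        size_t klen, i;

        if (ext_len - pos < 4)
            return KS_DECODE_ERROR;
        group = rd16(ext + pos);
        klen = rd16(ext + pos + 2);
        pos += 4;
        if (klen == 0 || klen > ext_len - pos)
            return KS_DECODE_ERROR;
        pos += klen; /* the key_exchange bytes are not needed for this check */

        for (i = 0; i < n_supported && supported[i] != group; i++)
            ;
        if (i == n_supported)
            return KS_GROUP_NOT_OFFERED;
        if (seen & ((uint64_t)1 << i))
            return KS_DUPLICATE_GROUP;
        seen |= (uint64_t)1 << i;
    }
    return KS_OK;
}

/* Builds a constructed key_share body with zero-filled key_exchange values. */
size_t build_key_share(uint8_t *out, size_t cap, const uint16_t *groups,
                       const uint16_t *klens, size_t n)
{
    size_t pos = 2, i;

    if (cap < 2)
        return 0;
    for (i = 0; i < n; i++) {
        if (cap - pos < (size_t)4 + klens[i])
            return 0;
        out[pos] = (uint8_t)(groups[i] >> 8);
        out[pos + 1] = (uint8_t)(groups[i] & 0xff);
        out[pos + 2] = (uint8_t)(klens[i] >> 8);
        out[pos + 3] = (uint8_t)(klens[i] & 0xff);
        memset(out + pos + 4, 0, klens[i]);
        pos += (size_t)4 + klens[i];
    }
    if (pos - 2 > 0xffff)
        return 0;
    out[0] = (uint8_t)((pos - 2) >> 8);
    out[1] = (uint8_t)((pos - 2) & 0xff);
    return pos;
}

/* Convenience wrapper: build the constructed extension, then check it. */
enum ks_result check_offer(const uint16_t *groups, const uint16_t *klens,
                           size_t n, const uint16_t *supported,
                           size_t n_supported)
{
    uint8_t buf[1024];
    size_t len = build_key_share(buf, sizeof(buf), groups, klens, n);

    if (len == 0)
        return KS_DECODE_ERROR;
    return check_client_key_shares(buf, len, supported, n_supported);
}

int main(void)
{
    const uint16_t supported[] = { 0x0100 };      /* ffdhe2048 */
    const uint16_t groups[] = { 0x0100, 0x0100 }; /* same group twice */
    const uint16_t klens[] = { 256, 256 };

    printf("duplicated ffdhe2048 share -> %d (KS_DUPLICATE_GROUP is %d)\n",
           (int)check_offer(groups, klens, 2, supported, 1),
           (int)KS_DUPLICATE_GROUP);
    return 0;
}
```

Tracking seen groups by their index in the supported list enforces both MUST NOT rules in one pass and bounds the state by the size of that list rather than by the number of entries the client sends.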
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 14 Jan 2020 18:27:06 +0000
Subject: [gnutls-devel] GnuTLS | Missing Subject Alternative Name Type - registeredID (#905)
In-Reply-To:
References:
Message-ID:

Nikos Mavrogiannopoulos commented:

That would be great. I am afraid that the regression is present on master as well and only worked around because of registered ID being supported.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/905#note_271423630

From gnutls-devel at lists.gnutls.org Tue Jan 14 19:28:01 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 14 Jan 2020 18:28:01 +0000
Subject: [gnutls-devel] GnuTLS | gnutls_handshake is slow on some Android devices (Android 9) (#902)
In-Reply-To:
References:
Message-ID:

Issue was closed by Nikos Mavrogiannopoulos

Issue #902: https://gitlab.com/gnutls/gnutls/issues/902

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/902

From gnutls-devel at lists.gnutls.org Tue Jan 14 20:46:34 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 14 Jan 2020 19:46:34 +0000
Subject: [gnutls-devel] GnuTLS | gnutls-cli logs only the first stapled OCSP response (#904)
In-Reply-To:
References:
Message-ID:

Airtower commented:

Sounds good to me. The interface would still be simple (just give one path), and PEM is easy to split up and convert if needed. I'll take a look at implementing that when I have time.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/904#note_271454582

From gnutls-devel at lists.gnutls.org Tue Jan 14 22:28:40 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 14 Jan 2020 21:28:40 +0000
Subject: [gnutls-devel] GnuTLS | testcompat-openssl: improve testing against secured OpenSSL versions. (!1168)
In-Reply-To:
References:
Message-ID:

Nikos Mavrogiannopoulos commented:

When does the 1024-bit DSA cause a problem? The problem with DSA under TLS is that it only defines behavior for 1024-bit keys and everything else is undefined. Is there some system on which this problem exists and we should add in the CI?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1168#note_271492967

From gnutls-devel at lists.gnutls.org Wed Jan 15 00:07:45 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 14 Jan 2020 23:07:45 +0000
Subject: [gnutls-devel] GnuTLS | testcompat-openssl: improve testing against secured OpenSSL versions. (!1168)
In-Reply-To:
References:
Message-ID:

Dimitri John Ledkov commented:

Even at lowest seclevel 0, openssl enforces at least 80 bits of security for the EDH keys. Now I'm not sure if 1k DSA is less than that. I can retry this again. Potentially the 1k DSA will need to be then version limited to run against openssl 1.0.2x only, and be skipped with 1.1.0 / 1.1.1 series.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1168#note_271523460

From gnutls-devel at lists.gnutls.org Wed Jan 15 05:08:38 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 15 Jan 2020 04:08:38 +0000
Subject: [gnutls-devel] GnuTLS | GnuTLS 3.6.8 and one failed self test on Fedora 29, x86_64 (#784)
In-Reply-To:
References:
Message-ID:

Issue was closed by GnuTLS bot

Issue #784: https://gitlab.com/gnutls/gnutls/issues/784

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/784

From gnutls-devel at lists.gnutls.org Wed Jan 15 05:08:37 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 15 Jan 2020 04:08:37 +0000
Subject: [gnutls-devel] GnuTLS | Gnutls accepts a certificate with invalid Subject Public Key Info (#873)
In-Reply-To:
References:
Message-ID:

GnuTLS bot commented:

@llqll This issue was marked as needinfo with no update for long time. We are now closing it, but please re-open if it is still relevant.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/873#note_271574127

From gnutls-devel at lists.gnutls.org Wed Jan 15 05:08:38 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 15 Jan 2020 04:08:38 +0000
Subject: [gnutls-devel] GnuTLS | Need testcases for multi-component ocsp stapling (#871)
In-Reply-To:
References:
Message-ID:

GnuTLS bot commented:

@j29280 This issue was marked as needinfo with no update for long time. We are now closing it, but please re-open if it is still relevant.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/871#note_271574131

From gnutls-devel at lists.gnutls.org Wed Jan 15 05:08:38 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 15 Jan 2020 04:08:38 +0000
Subject: [gnutls-devel] GnuTLS | GnuTLS 3.6.8 and one failed self test on Fedora 29, x86_64 (#784)
In-Reply-To:
References:
Message-ID:

GnuTLS bot commented:

@noloader This issue was marked as needinfo with no update for long time. We are now closing it, but please re-open if it is still relevant.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/784#note_271574134

From gnutls-devel at lists.gnutls.org Wed Jan 15 05:08:37 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 15 Jan 2020 04:08:37 +0000
Subject: [gnutls-devel] GnuTLS | Gnutls accepts a certificate with invalid Subject Public Key Info (#873)
In-Reply-To:
References:
Message-ID:

Issue was closed by GnuTLS bot

Issue #873: https://gitlab.com/gnutls/gnutls/issues/873

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/873

From gnutls-devel at lists.gnutls.org Wed Jan 15 05:08:38 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 15 Jan 2020 04:08:38 +0000
Subject: [gnutls-devel] GnuTLS | Need testcases for multi-component ocsp stapling (#871)
In-Reply-To:
References:
Message-ID:

Issue was closed by GnuTLS bot

Issue #871: https://gitlab.com/gnutls/gnutls/issues/871

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/871

From gnutls-devel at lists.gnutls.org Wed Jan 15 08:37:21 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 15 Jan 2020 07:37:21 +0000
Subject: [gnutls-devel] GnuTLS | algorithms: implement X448 key exchange and Ed448 signature scheme (!984)
In-Reply-To:
References:
Message-ID:

Nikos Mavrogiannopoulos commented on a discussion: https://gitlab.com/gnutls/gnutls/merge_requests/984#note_271620844

True that would not be great but still ok, but (a) is still a concern. The library crypto state would be unclear and an application that would use ed448 may not be portable across the board of distributions. A solution that comes to mind would be to enable the `next` branch of gnutls and move 3.6.x to maintenance mode. That would enable forcing dependencies to a newer nettle and allow us to do more drastic changes as well. We would still depend on a nettle release for 3.7.0 to be able to be released.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/984#note_271620844

From gnutls-devel at lists.gnutls.org Wed Jan 15 08:39:07 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 15 Jan 2020 07:39:07 +0000
Subject: [gnutls-devel] GnuTLS | testcompat-openssl: improve testing against secured OpenSSL versions. (!1168)
In-Reply-To:
References:
Message-ID:

Nikos Mavrogiannopoulos commented:

Limiting the tests to openssl 1.0.2 seems fine with me. We already do that for the SSL3.0 tests.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1168#note_271621439

From gnutls-devel at lists.gnutls.org Wed Jan 15 10:42:35 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 15 Jan 2020 09:42:35 +0000
Subject: [gnutls-devel] GnuTLS | algorithms: implement X448 key exchange and Ed448 signature scheme (!984)
In-Reply-To:
References:
Message-ID:

Daiki Ueno commented on a discussion: https://gitlab.com/gnutls/gnutls/merge_requests/984#note_271686296

I'm still skeptical that such a drastic change in the development process would pay for this single curve addition. While that's true that there will be inconsistency between multiple distributions, it's already the case as for e.g., GOST.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/984#note_271686296

From gnutls-devel at lists.gnutls.org Wed Jan 15 11:06:34 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 15 Jan 2020 10:06:34 +0000
Subject: [gnutls-devel] GnuTLS | algorithms: implement X448 key exchange and Ed448 signature scheme (!984)
In-Reply-To:
References:
Message-ID:

Dmitry Baryshkov commented:

I'd prefer to wait for GOST DSA changes to be merged into nettle before asking for the next release, if it wouldn't delay things for too long (given current review speed I have hopes). Also I don't have a strong opinion whether incorporating whole ecc code into GnuTLS is a good or bad idea. (I have tried to limit amount of code to be necessary for gost curves, which resulted in the dependency on nettle's ecc internals. It doesn't seem possible for ed448.)

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/984#note_271701194

From gnutls-devel at lists.gnutls.org Wed Jan 15 11:06:54 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 15 Jan 2020 10:06:54 +0000
Subject: [gnutls-devel] GnuTLS | algorithms: implement X448 key exchange and Ed448 signature scheme (!984)
In-Reply-To:
References:
Message-ID:

Dmitry Baryshkov commented on a discussion: https://gitlab.com/gnutls/gnutls/merge_requests/984#note_271701516

I'd prefer to wait for GOST DSA changes to be merged into nettle before asking for the next release, if it wouldn't delay things for too long (given current review speed I have hopes). Also I don't have a strong opinion whether incorporating whole ecc code into GnuTLS is a good or bad idea. (I have tried to limit amount of code to be necessary for gost curves, which resulted in the dependency on nettle's ecc internals. It doesn't seem possible for ed448.)

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/984#note_271701516

From gnutls-devel at lists.gnutls.org Wed Jan 15 11:12:30 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 15 Jan 2020 10:12:30 +0000
Subject: [gnutls-devel] GnuTLS | OCSP: server does not request client OCSP staples (#876)
In-Reply-To:
References:
Message-ID:

Reassigned Issue 876 https://gitlab.com/gnutls/gnutls/issues/876

Assignee changed to Nikos Mavrogiannopoulos

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/876

From gnutls-devel at lists.gnutls.org Wed Jan 15 11:12:55 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 15 Jan 2020 10:12:55 +0000
Subject: [gnutls-devel] GnuTLS | algorithms: implement X448 key exchange and Ed448 signature scheme (!984)
In-Reply-To:
References:
Message-ID:

Dmitry Baryshkov started a new discussion on lib/auth/ecdhe.c: https://gitlab.com/gnutls/gnutls/merge_requests/984#note_271705185

> return gnutls_assert_val(ret); > > /* RFC7748 requires to mask the MSB in the final byte */ > - if (ecurve->id == GNUTLS_ECC_CURVE_X25519) { > + if (ecurve->id == GNUTLS_ECC_CURVE_X25519 || > + ecurve->id == GNUTLS_ECC_CURVE_X448) { > session->key.proto.tls12.ecdh.raw.data[point_size-1] &= 0x7f;

I think this is not correct:

```
When receiving such an array, implementations of X25519 (but not X448) MUST mask the most significant bit in the final byte.
```

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/984#note_271705185

From gnutls-devel at lists.gnutls.org Wed Jan 15 11:14:44 2020
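Review bot: In the lib/auth/ecdhe.c hunk quoted in note_271705185, the added `ecurve->id == GNUTLS_ECC_CURVE_X448` condition should be dropped, because it makes the `&= 0x7f` mask on `data[point_size-1]` run for X448 as well, while the RFC text quoted in the same message requires the mask for X25519 and explicitly not for X448. Keep the test as `ecurve->id == GNUTLS_ECC_CURVE_X25519` alone, and reword the comment above it to say the masking is specific to X25519 so a later curve addition does not extend it again.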
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 15 Jan 2020 10:14:44 +0000
Subject: [gnutls-devel] GnuTLS | tls13: fix issues with client OCSP responses (!1169)
References:
Message-ID:

Nikos Mavrogiannopoulos created a merge request: https://gitlab.com/gnutls/gnutls/merge_requests/1169

Project:Branches: nmav/gnutls:tmp-tls13-ocsp to gnutls/gnutls:master
Author: Nikos Mavrogiannopoulos

On client side only send OCSP staples if they have been requested by the server, and on server side always advertise that we support OCSP stapling (#876).

## Checklist
* [x] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [x] Code modified for feature
* [x] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [x] Documentation updated / NEWS entry present (for non-trivial changes)
* [x] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:
* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1169

From gnutls-devel at lists.gnutls.org Wed Jan 15 11:15:51 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 15 Jan 2020 10:15:51 +0000
Subject: [gnutls-devel] GnuTLS | algorithms: implement X448 key exchange and Ed448 signature scheme (!984)
In-Reply-To:
References:
Message-ID:

Dmitry Baryshkov started a new discussion on lib/auth/ecdhe.c: https://gitlab.com/gnutls/gnutls/merge_requests/984#note_271706914

> } > > /* RFC7748 requires to mask the MSB in the final byte */ > - if (ecurve->id == GNUTLS_ECC_CURVE_X25519) { > + if (ecurve->id == GNUTLS_ECC_CURVE_X25519 || > + ecurve->id == GNUTLS_ECC_CURVE_X448) { > session->key.proto.tls12.ecdh.raw.data[point_size-1] &= 0x7f;

And this also shouldn't apply to x448.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/984#note_271706914

From gnutls-devel at lists.gnutls.org Wed Jan 15 11:42:06 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 15 Jan 2020 10:42:06 +0000
Subject: [gnutls-devel] GnuTLS | testcompat-openssl: improve testing against secured OpenSSL versions. (!1168)
In-Reply-To:
References:
Message-ID:

Dmitry Baryshkov commented:

Can we run tests in CI against both 1.0.2 and 1.1.1?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1168#note_271722725

From gnutls-devel at lists.gnutls.org Wed Jan 15 12:49:29 2020
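Review bot: The second lib/auth/ecdhe.c hunk, quoted in note_271706914, repeats the same `X25519 || X448` condition ahead of `data[point_size-1] &= 0x7f`, so the two sites can only be corrected together. Moving the curve test and the mask into one small helper called from both places would keep them from drifting apart, and a test case using an X448 value whose final byte has the top bit set would show that the byte is left unmodified.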
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 15 Jan 2020 11:49:29 +0000
Subject: [gnutls-devel] GnuTLS | tls13: fix issues with client OCSP responses (!1169)
In-Reply-To:
References:
Message-ID:

Nikos Mavrogiannopoulos pushed new commits to merge request !1169
https://gitlab.com/gnutls/gnutls/merge_requests/1169

* 6ab20d77 - tls13: do not send OCSP responses as client without server requesting
* df0b4c78 - tls13: request OCSP responses as a server

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1169

From gnutls-devel at lists.gnutls.org Wed Jan 15 12:50:02 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 15 Jan 2020 11:50:02 +0000
Subject: [gnutls-devel] GnuTLS | tls13: fix issues with client OCSP responses (!1169)
In-Reply-To:
References:
Message-ID:

Nikos Mavrogiannopoulos pushed new commits to merge request !1169
https://gitlab.com/gnutls/gnutls/merge_requests/1169

* 8d319655 - tls13: request OCSP responses as a server

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1169

From gnutls-devel at lists.gnutls.org Wed Jan 15 14:27:45 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 15 Jan 2020 13:27:45 +0000
Subject: [gnutls-devel] GnuTLS | testcompat-openssl: improve testing against secured OpenSSL versions. (!1168)
In-Reply-To:
References:
Message-ID:

Nikos Mavrogiannopoulos commented:

> Can we run tests in CI against both 1.0.2 and 1.1.1?

If you mean overall, what we have now is a run on fedora28 which has 1.0.x, and the rest of the CI which is running on 1.1.1. If you mean on the same image, we do not (which is unfortunate as it would make our reported coverage more accurate).

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1168#note_271821200

From gnutls-devel at lists.gnutls.org Wed Jan 15 14:44:11 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 15 Jan 2020 13:44:11 +0000
Subject: [gnutls-devel] GnuTLS | algorithms: implement X448 key exchange and Ed448 signature scheme (!984)
In-Reply-To:
References:
Message-ID:

Daiki Ueno pushed new commits to merge request !984
https://gitlab.com/gnutls/gnutls/merge_requests/984

* d6de02bf - algorithms: implement X448 key exchange and Ed448 signature scheme
* 6cab0610 - .gitlab-ci.yml: add target to build against nettle master

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/984

From gnutls-devel at lists.gnutls.org Wed Jan 15 14:45:10 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 15 Jan 2020 13:45:10 +0000
Subject: [gnutls-devel] GnuTLS | tls13: fix issues with client OCSP responses (!1169)
In-Reply-To:
References:
Message-ID:

Milestone changed to Release of GnuTLS 3.6.12 (Dec 1, 2019–Feb 1, 2020) ( https://gitlab.com/gnutls/gnutls/-/milestones/26 )

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1169

From gnutls-devel at lists.gnutls.org Wed Jan 15 14:46:24 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 15 Jan 2020 13:46:24 +0000
Subject: [gnutls-devel] GnuTLS | algorithms: implement X448 key exchange and Ed448 signature scheme (!984)
In-Reply-To:
References:
Message-ID:

Merge request https://gitlab.com/gnutls/gnutls/merge_requests/984 was reviewed by Daiki Ueno

--
Daiki Ueno commented on a discussion on lib/auth/ecdhe.c: https://gitlab.com/gnutls/gnutls/merge_requests/984#note_271834138

> + if (ecurve->id == GNUTLS_ECC_CURVE_X25519 || > + ecurve->id == GNUTLS_ECC_CURVE_X448) { > session->key.proto.tls12.ecdh.raw.data[point_size-1] &= 0x7f;

Good catch, fixed.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/984

From gnutls-devel at lists.gnutls.org Wed Jan 15 19:17:56 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 15 Jan 2020 18:17:56 +0000
Subject: [gnutls-devel] GnuTLS | algorithms: implement X448 key exchange and Ed448 signature scheme (!984)

Andreas Metzler commented:

Daiki Ueno @dueno wrote
> A new nettle release would certainly help, but even then I suspect that we need to support building with older nettle releases for certain transitional time.

Could you explain a little bit why you think that would be necessary?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/984#note_272089009

From gnutls-devel at lists.gnutls.org Thu Jan 16 07:47:23 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 16 Jan 2020 06:47:23 +0000
Subject: [gnutls-devel] GnuTLS | Missing Subject Alternative Name Type - registeredID (#905)

Andreas Metzler commented:

Nikos Mavrogiannopoulos @nmav wrote
> That would be great. I am afraid that the regression is present on master as well and only worked around because of registered ID being supported.

Good morning,

Succeeded on buster after downgrading gperf to 3.0.4:

c565d16ef6595d4f87f3f6db90f44097fb2e07b8 is the first bad commit

x509: optimize subject alternative name access

That reads SAN and IAN early on import, significantly reducing the running time of functions which iterate over the alternative names of a certificate, e.g., gnutls_x509_crt_check_hostname().

Relates #165

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/905#note_272281707

From gnutls-devel at lists.gnutls.org Thu Jan 16 20:10:56 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 16 Jan 2020 19:10:56 +0000
Subject: [gnutls-devel] GnuTLS | Duplicated key_shares from client are not detected by GnuTLS server (#908)

Hubert Kario (@mention me if you need reply) commented:

When there are entries in key_share that don't correspond to groups in supported_groups, the handshake is also not aborted.

Test case for this is in `test-tls13-obsolete-curves.py` (added by https://github.com/tomato42/tlsfuzzer/pull/540)

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/908#note_272776107

From gnutls-devel at lists.gnutls.org Thu Jan 16 23:26:46 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 16 Jan 2020 22:26:46 +0000
Subject: [gnutls-devel] GnuTLS | Missing Subject Alternative Name Type - registeredID (#905)

Nikos Mavrogiannopoulos commented:

Hmm, I had hopes for a clearer case. The problem is that we fail while reading the SAN if we do not support the name. The ones we do not support in master are:

- x400Address
- ediPartyName

It does not make sense to add support for them, and maybe there are not even certificates containing them that we can test with. However, it would be good to skip these names instead of failing on them and mark them under an UNKNOWN field.

I'll change the bug description to reflect that.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/905#note_272839150

From gnutls-devel at lists.gnutls.org Fri Jan 17 16:04:48 2020
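The behaviour proposed for #905 above, skipping a well-formed GeneralName of an unhandled type and recording it as unknown while still failing on malformed DER, can be shown with a small parser. This is an added C example, not GnuTLS code: `parse_general_names`, `struct san_entry`, the error codes and the sample bytes are constructed for illustration, and the unhandled set is assumed to be the two types named in the message.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Error codes local to this example (not GnuTLS error codes). */
enum { SAN_ERR_MALFORMED = -1, SAN_ERR_UNSUPPORTED = -2, SAN_ERR_TOO_MANY = -3 };

struct san_entry {
	int tag;             /* GeneralName CHOICE number, 0..8 (RFC 5280) */
	int known;           /* 0 = recorded as UNKNOWN, contents not interpreted */
	const uint8_t *data; /* points into the caller's buffer */
	size_t len;
};

/* Read a DER definite length; returns bytes consumed, or 0 on error. */
static size_t der_len(const uint8_t *p, size_t avail, size_t *out)
{
	if (avail < 1)
		return 0;
	if (p[0] < 0x80) {
		*out = p[0];
		return 1;
	}
	size_t n = p[0] & 0x7f, v = 0;
	if (n == 0 || n > 4 || avail < 1 + n || p[1] == 0)
		return 0;    /* indefinite, oversized, truncated or padded */
	for (size_t i = 0; i < n; i++)
		v = (v << 8) | p[1 + i];
	if (v < 0x80)
		return 0;    /* long form used where short form was required */
	*out = v;
	return 1 + n;
}

/* Assumption: the unhandled types are x400Address [3] and ediPartyName [5]. */
static int is_handled(int num)
{
	return num != 3 && num != 5;
}

/*
 * Walk a DER GeneralNames SEQUENCE. With skip_unknown == 0 an unhandled
 * type aborts the import; with skip_unknown != 0 it is stored with
 * known == 0 and parsing continues. Malformed input is fatal in both modes.
 * Returns the number of entries stored, or a negative SAN_ERR_* code.
 */
int parse_general_names(const uint8_t *der, size_t len, int skip_unknown,
			struct san_entry *out, size_t max_out)
{
	size_t body, used, off, count = 0;

	if (len < 2 || der[0] != 0x30)
		return SAN_ERR_MALFORMED;
	used = der_len(der + 1, len - 1, &body);
	if (used == 0 || body != len - 1 - used)
		return SAN_ERR_MALFORMED;

	for (off = 1 + used; off < len;) {
		uint8_t tag = der[off];
		int num = tag & 0x1f;
		int constructed = (tag & 0x20) != 0;
		/* otherName, x400Address, directoryName, ediPartyName are constructed */
		int expect = (num == 0 || num == 3 || num == 4 || num == 5);
		size_t elen;

		if ((tag & 0xc0) != 0x80 || num > 8 || constructed != expect)
			return SAN_ERR_MALFORMED;
		used = der_len(der + off + 1, len - off - 1, &elen);
		if (used == 0 || elen > len - off - 1 - used)
			return SAN_ERR_MALFORMED;
		off += 1 + used;

		if (!is_handled(num) && !skip_unknown)
			return SAN_ERR_UNSUPPORTED;
		if (count == max_out)
			return SAN_ERR_TOO_MANY;
		out[count].tag = num;
		out[count].known = is_handled(num);
		out[count].data = der + off;
		out[count].len = elen;
		count++;
		off += elen;
	}
	return (int)count;
}

/* Constructed sample: dNSName, x400Address (placeholder body), dNSName. */
static const uint8_t san_sample[] = {
	0x30, 0x1a,
	0x82, 0x09, 'a', '.', 'e', 'x', 'a', 'm', 'p', 'l', 'e',
	0xa3, 0x02, 0x30, 0x00,
	0x82, 0x09, 'b', '.', 'e', 'x', 'a', 'm', 'p', 'l', 'e'
};

int main(void)
{
	struct san_entry e[4];

	printf("fail on unknown: %d\n",
	       parse_general_names(san_sample, sizeof san_sample, 0, e, 4));
	printf("skip unknown:    %d\n",
	       parse_general_names(san_sample, sizeof san_sample, 1, e, 4));
	return 0;
}
```

With skipping enabled, the second dNSName after the unhandled entry is still returned, which is what hostname checks over the list depend on.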
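The checks that #908 reports as missing on the server side follow from RFC 8446 section 4.2.8: no group may appear twice in key_share, every share must be for a group listed in supported_groups, and shares must follow the supported_groups order. The following is an added C example, not GnuTLS code; `check_key_shares`, the `ks_result` codes and the sample byte arrays are constructed for illustration, and only the structure is validated, not the key length expected for each group.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Result codes are local to this example, not GnuTLS error codes. */
enum ks_result {
	KS_OK = 0,
	KS_MALFORMED = -1,    /* lengths do not add up: decode_error */
	KS_DUPLICATE = -2,    /* one group offered twice: illegal_parameter */
	KS_NOT_OFFERED = -3,  /* group missing from supported_groups: illegal_parameter */
	KS_OUT_OF_ORDER = -4  /* not in supported_groups order: illegal_parameter */
};

static unsigned rd16(const uint8_t *p)
{
	return ((unsigned)p[0] << 8) | p[1];
}

/* Position of `group` in a NamedGroupList body of n entries, or -1. */
static long group_index(const uint8_t *list, size_t n, unsigned group)
{
	for (size_t i = 0; i < n; i++)
		if (rd16(list + 2 * i) == group)
			return (long)i;
	return -1;
}

/* Did `group` appear among the already validated entries in ks[2..end)? */
static int seen_before(const uint8_t *ks, size_t end, unsigned group)
{
	for (size_t off = 2; off < end; off += 4 + rd16(ks + off + 2))
		if (rd16(ks + off) == group)
			return 1;
	return 0;
}

/*
 * sg and ks are the extension_data of the ClientHello supported_groups
 * and key_share extensions.
 */
enum ks_result check_key_shares(const uint8_t *sg, size_t sg_len,
				const uint8_t *ks, size_t ks_len)
{
	if (sg_len < 4 || ks_len < 2)
		return KS_MALFORMED;
	size_t sg_body = rd16(sg), ks_body = rd16(ks);
	if (sg_body != sg_len - 2 || sg_body % 2 != 0 || ks_body != ks_len - 2)
		return KS_MALFORMED;

	long last = -1;
	size_t off = 2;
	while (off < ks_len) {
		size_t start = off;
		if (ks_len - off < 4)
			return KS_MALFORMED;
		unsigned group = rd16(ks + off);
		size_t klen = rd16(ks + off + 2);
		off += 4;
		if (klen == 0 || klen > ks_len - off)
			return KS_MALFORMED;
		off += klen;

		if (seen_before(ks, start, group))
			return KS_DUPLICATE;
		long idx = group_index(sg + 2, sg_body / 2, group);
		if (idx < 0)
			return KS_NOT_OFFERED;
		if (idx < last)
			return KS_OUT_OF_ORDER;
		last = idx;
	}
	/* An empty client_shares list is legal: it asks for HelloRetryRequest. */
	return KS_OK;
}

/* Constructed samples: x25519 = 0x001d, secp256r1 = 0x0017, secp384r1 = 0x0018.
 * The two-byte key_exchange values are placeholders, not real public keys. */
static const uint8_t sample_sg[] = { 0x00, 0x04, 0x00, 0x1d, 0x00, 0x17 };
static const uint8_t ks_ok[] = { 0x00, 0x0c,
	0x00, 0x1d, 0x00, 0x02, 0xaa, 0xbb, 0x00, 0x17, 0x00, 0x02, 0xcc, 0xdd };
static const uint8_t ks_dup[] = { 0x00, 0x0c,
	0x00, 0x1d, 0x00, 0x02, 0xaa, 0xbb, 0x00, 0x1d, 0x00, 0x02, 0xcc, 0xdd };
static const uint8_t ks_foreign[] = { 0x00, 0x06,
	0x00, 0x18, 0x00, 0x02, 0xaa, 0xbb };
static const uint8_t ks_swapped[] = { 0x00, 0x0c,
	0x00, 0x17, 0x00, 0x02, 0xcc, 0xdd, 0x00, 0x1d, 0x00, 0x02, 0xaa, 0xbb };
static const uint8_t ks_short[] = { 0x00, 0x06,
	0x00, 0x1d, 0x00, 0x05, 0xaa, 0xbb };

int main(void)
{
	printf("ok=%d dup=%d foreign=%d swapped=%d short=%d\n",
	       check_key_shares(sample_sg, sizeof sample_sg, ks_ok, sizeof ks_ok),
	       check_key_shares(sample_sg, sizeof sample_sg, ks_dup, sizeof ks_dup),
	       check_key_shares(sample_sg, sizeof sample_sg, ks_foreign, sizeof ks_foreign),
	       check_key_shares(sample_sg, sizeof sample_sg, ks_swapped, sizeof ks_swapped),
	       check_key_shares(sample_sg, sizeof sample_sg, ks_short, sizeof ks_short));
	return 0;
}
```

RFC 8446 lets a server abort with illegal_parameter when one of these rules is violated; the comments on the result codes note which alert each outcome maps to.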
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 17 Jan 2020 15:04:48 +0000
Subject: [gnutls-devel] GnuTLS | algorithms: implement X448 key exchange and Ed448 signature scheme (!984)

Daiki Ueno pushed new commits to merge request !984
https://gitlab.com/gnutls/gnutls/merge_requests/984

* 0ae82294...4023d63f - 31 commits from branch `master`
* 2127b56f - nettle: vendor in Curve448 and Ed448 implementation
* e335b4ee - algorithms: implement X448 key exchange and Ed448 signature scheme
* 0fd8aae9 - .gitlab-ci.yml: add target to build against nettle master

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/984

From gnutls-devel at lists.gnutls.org Fri Jan 17 16:08:54 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 17 Jan 2020 15:08:54 +0000
Subject: [gnutls-devel] GnuTLS | algorithms: implement X448 key exchange and Ed448 signature scheme (!984)

Daiki Ueno commented on a discussion: https://gitlab.com/gnutls/gnutls/merge_requests/984#note_273224442

What I had in mind was that it might cause trouble on Debian as nettle will bump the ABI, but if it is not the case, that would be cool :-)

Anyway, after discussing on Matrix, we decided to go with bundling for now.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/984#note_273224442

From gnutls-devel at lists.gnutls.org Fri Jan 17 16:33:36 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 17 Jan 2020 15:33:36 +0000
Subject: [gnutls-devel] GnuTLS | algorithms: implement X448 key exchange and Ed448 signature scheme (!984)

Daiki Ueno pushed new commits to merge request !984
https://gitlab.com/gnutls/gnutls/merge_requests/984

* e55608fc - nettle: vendor in Curve448 and Ed448 implementation
* a5f6d795 - algorithms: implement X448 key exchange and Ed448 signature scheme
* d5df0d21 - .gitlab-ci.yml: add target to build against nettle master

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/984

From gnutls-devel at lists.gnutls.org Fri Jan 17 22:13:55 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 17 Jan 2020 21:13:55 +0000
Subject: [gnutls-devel] GnuTLS | gnutls-cli-debug: ignore tests when algorithms are unavailable (!1170)

Nikos Mavrogiannopoulos created a merge request: https://gitlab.com/gnutls/gnutls/merge_requests/1170

Project:Branches: nmav/gnutls:tmp-fix-gnutls-cli-debug to gnutls/gnutls:master
Author: Nikos Mavrogiannopoulos

When gnutls-cli-debug is run on systems where a particular algorithm is disabled, ensure that we don't stop the testing; in that case we ignore the test. This makes gnutls-cli-debug run in Fedora31 with crypto policies set.

## Checklist
* [x] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [x] Code modified for feature
* [x] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
* [x] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:
* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1170

From gnutls-devel at lists.gnutls.org Sat Jan 18 07:45:39 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 18 Jan 2020 06:45:39 +0000
Subject: [gnutls-devel] GnuTLS | gnutls-cli-debug: ignore tests when algorithms are unavailable (!1170)

Nikos Mavrogiannopoulos pushed new commits to merge request !1170
https://gitlab.com/gnutls/gnutls/merge_requests/1170

* 6f11aaff - gnutls-cli-debug: ignore tests when algorithms are unavailable

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1170

From gnutls-devel at lists.gnutls.org Sat Jan 18 09:14:43 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 18 Jan 2020 08:14:43 +0000
Subject: [gnutls-devel] GnuTLS | algorithms: implement X448 key exchange and Ed448 signature scheme (!984)

Daiki Ueno pushed new commits to merge request !984
https://gitlab.com/gnutls/gnutls/merge_requests/984

* 90cbcdd8 - nettle: vendor in Curve448 and Ed448 implementation
* a428bdfe - algorithms: implement X448 key exchange and Ed448 signature scheme
* 90093cbb - .gitlab-ci.yml: add target to build against nettle master

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/984

From gnutls-devel at lists.gnutls.org Sat Jan 18 09:48:25 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 18 Jan 2020 08:48:25 +0000
Subject: [gnutls-devel] GnuTLS | algorithms: implement X448 key exchange and Ed448 signature scheme (!984)

Daiki Ueno pushed new commits to merge request !984
https://gitlab.com/gnutls/gnutls/merge_requests/984

* 227688ed - nettle: vendor in Curve448 and Ed448 implementation
* b81ff901 - algorithms: implement X448 key exchange and Ed448 signature scheme
* 0bbe82c8 - .gitlab-ci.yml: add target to build against nettle master

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/984

From gnutls-devel at lists.gnutls.org Sat Jan 18 14:51:41 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 18 Jan 2020 13:51:41 +0000
Subject: [gnutls-devel] GnuTLS | Bring support for TPM 2.0 (#594)

Reassigned Issue 594
https://gitlab.com/gnutls/gnutls/issues/594

Assignee changed from Nikos Mavrogiannopoulos to Unassigned

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/594

From gnutls-devel at lists.gnutls.org Sat Jan 18 14:52:31 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 18 Jan 2020 13:52:31 +0000
Subject: [gnutls-devel] GnuTLS | Skip unknown SubjectAlternativeNames when importing a certificate (#905)

Nikos Mavrogiannopoulos commented:

For Debian it may make more sense to bring the registered name support.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/905#note_273500923

From gnutls-devel at lists.gnutls.org Sun Jan 19 10:09:56 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 19 Jan 2020 09:09:56 +0000
Subject: [gnutls-devel] GnuTLS | algorithms: implement X448 key exchange and Ed448 signature scheme (!984)

Daiki Ueno pushed new commits to merge request !984
https://gitlab.com/gnutls/gnutls/merge_requests/984

* 3569ae50 - nettle: vendor in Curve448 and Ed448 implementation
* 4c08ca2f - algorithms: implement X448 key exchange and Ed448 signature scheme
* e7e22dd3 - .gitlab-ci.yml: add target to build against nettle master

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/984

From gnutls-devel at lists.gnutls.org Sun Jan 19 10:52:16 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 19 Jan 2020 09:52:16 +0000
Subject: [gnutls-devel] GnuTLS | WIP: Support for GOST-CTR ciphersuites from draft-smyshlyaec-tls12-gost-suites (!1144)

Dmitry Baryshkov pushed new commits to merge request !1144
https://gitlab.com/gnutls/gnutls/merge_requests/1144

* 0ae82294...4023d63f - 70 commits from branch `master`
* 1624d32a - nettle/gost: export gost28147_decrypt_simple for magma cipher
* b427d686 - nettle/gost: add Magma code
* 9e38485f - nettle/gost: add Kuznyechik code
* 767cd804 - nettle/gost: add CMAC-64/Magma/Kuznyechik code
* 115fa946 - nettle/gost: add ACPKM rekeying code
* 041fede1 - lib: add Magma/Kuznyechik ciphers support
* 304ee736 - lib: add Magma/Kuznyechik OMAC support
* d74a4ae2 - selftests: add test vectors for MAGMA/KUZNYECHIK-OMAC
* 29a628e2 - cipher/mac: enhance handlers with setkey callback
* 8950f337 - crypto-api: add _gnutls_cipher_set_key wrapper()
* cc73ae3b - crypto-selftest: add test vectors for MAGMA/KUZNYECHIK-CTR-ACPKM
* ab986d7a - lib: support nonce generation by addition to sequence number
* d856de40 - nettle/int: add GOST KEXP15 key export/import support
* 3d00f4fc - nettle/int: add GOST KDF support
* cf2ffc88 - lib: gost KEG key export generation support
* 40516f38 - auth: add VKO_KDF_GOST support
* fe07834a - nettle/int: add TLSTREE implementation
* 7248f860 - lib: support TLSTREE rekeying
* 35b8af60 - handshake: use proper data length for Finished messages
* 1d19c433 - ciphersuites: add new GOST CTR_ACPKM_OMAC ciphersuites
* 5728cc53 - Add GOST values to cipher suites priorities
* 660525c3 - priority: add new GOST ciphers/macs/KX to priority tables
* 53a42ede - tests/priorities: account for new ciphers/macs/ciphersuites

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1144

From gnutls-devel at lists.gnutls.org Sun Jan 19 11:02:08 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 19 Jan 2020 10:02:08 +0000
Subject: [gnutls-devel] GnuTLS | WIP: Support for GOST-CTR ciphersuites from draft-smyshlyaec-tls12-gost-suites (!1144)

Dmitry Baryshkov pushed new commits to merge request !1144
https://gitlab.com/gnutls/gnutls/merge_requests/1144

* da9f87a5 - auth: add VKO_KDF_GOST support
* a5caa643 - nettle/int: add TLSTREE implementation
* f9059d90 - lib: support TLSTREE rekeying
* effab795 - handshake: use proper data length for Finished messages
* 699f235a - ciphersuites: add new GOST CTR_ACPKM_OMAC ciphersuites
* 93d25d4b - Add GOST values to cipher suites priorities
* b088f73d - priority: add new GOST ciphers/macs/KX to priority tables
* 5f657019 - tests/priorities: account for new ciphers/macs/ciphersuites

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1144

From gnutls-devel at lists.gnutls.org Sun Jan 19 12:14:33 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 19 Jan 2020 11:14:33 +0000
Subject: [gnutls-devel] GnuTLS | algorithms: implement X448 key exchange and Ed448 signature scheme (!984)

Daiki Ueno pushed new commits to merge request !984
https://gitlab.com/gnutls/gnutls/merge_requests/984

* da9f0f52 - nettle: vendor in Curve448 and Ed448 implementation
* cd882002 - algorithms: implement X448 key exchange and Ed448 signature scheme
* ba9b03f3 - .gitlab-ci.yml: add target to build against nettle master
* a3cd033a - .gitlab-ci.yml: export LDFLAGS throughout the FreeBSD build

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/984

From gnutls-devel at lists.gnutls.org Sun Jan 19 12:55:15 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 19 Jan 2020 11:55:15 +0000
Subject: [gnutls-devel] GnuTLS | algorithms: implement X448 key exchange and Ed448 signature scheme (!984)

Daiki Ueno pushed new commits to merge request !984
https://gitlab.com/gnutls/gnutls/merge_requests/984

* 94e65cde - nettle: vendor in Curve448 and Ed448 implementation
* 1a062e7a - algorithms: implement X448 key exchange and Ed448 signature scheme
* 37c3a0a0 - .gitlab-ci.yml: add target to build against nettle master
* a6b0fb9e - .gitlab-ci.yml: export LDFLAGS throughout the FreeBSD build

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/984

From gnutls-devel at lists.gnutls.org Sun Jan 19 19:06:13 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 19 Jan 2020 18:06:13 +0000
Subject: [gnutls-devel] GnuTLS | Skip unknown SubjectAlternativeNames when importing a certificate (#905)

Andreas Metzler commented:

Nikos Mavrogiannopoulos @nmav wrote
> For Debian it may make more sense to bring the registered name support.

I have asked Debian-release for approval. https://bugs.debian.org/949310

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/905#note_273659725

From gnutls-devel at lists.gnutls.org Sun Jan 19 19:56:23 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 19 Jan 2020 18:56:23 +0000
Subject: [gnutls-devel] GnuTLS | WIP: Support for GOST-CTR ciphersuites from draft-smyshlyaec-tls12-gost-suites (!1144)

Dmitry Baryshkov pushed new commits to merge request !1144
https://gitlab.com/gnutls/gnutls/merge_requests/1144

* 352ea99b - lib: gost KEG key export generation support
* c8c482af - auth: add VKO_KDF_GOST support
* 64962e62 - nettle/int: add TLSTREE implementation
* e75f9366 - lib: support TLSTREE rekeying
* 1fb98f96 - handshake: use proper data length for Finished messages
* ae673222 - ciphersuites: add new GOST CTR_ACPKM_OMAC ciphersuites
* 6c0c3f16 - Add GOST values to cipher suites priorities
* 5d71c5ce - priority: add new GOST ciphers/macs/KX to priority tables
* 89292091 - tests/priorities: account for new ciphers/macs/ciphersuites

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1144

From gnutls-devel at lists.gnutls.org Sun Jan 19 21:48:32 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 19 Jan 2020 20:48:32 +0000
Subject: [gnutls-devel] GnuTLS | WIP: Support for GOST-CTR ciphersuites from draft-smyshlyaec-tls12-gost-suites (!1144)

Dmitry Baryshkov pushed new commits to merge request !1144
https://gitlab.com/gnutls/gnutls/merge_requests/1144

* 58142dfc - auth: add VKO_KDF_GOST support
* 06d502b9 - nettle/int: add TLSTREE implementation
* 1d2933cf - lib: support TLSTREE rekeying
* b93dbda5 - handshake: use proper data length for Finished messages
* 18c5ac22 - ciphersuites: add new GOST CTR_ACPKM_OMAC ciphersuites
* 0d09c2b3 - Add GOST values to cipher suites priorities
* 4307e6aa - priority: add new GOST ciphers/macs/KX to priority tables
* 1fd5903c - tests/priorities: account for new ciphers/macs/ciphersuites

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1144

From gnutls-devel at lists.gnutls.org Sun Jan 19 22:20:37 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 19 Jan 2020 21:20:37 +0000
Subject: [gnutls-devel] GnuTLS | Mark SHA1 as insecure for any use (#910)

Nikos Mavrogiannopoulos created an issue: https://gitlab.com/gnutls/gnutls/issues/910

We currently mark SHA1 as insecure for use in certificates; however, with [the recent developments](https://en.wikipedia.org/wiki/SHA-1#Birthday-Near-Collision_Attack_%E2%80%93_first_practical_chosen-prefix_attack) it may make sense to mark SHA1 as insecure for any use in the next major update.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/910

From gnutls-devel at lists.gnutls.org Sun Jan 19 22:28:55 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 19 Jan 2020 21:28:55 +0000
Subject: [gnutls-devel] libtasn1 | gnutls can't check object identifier value correctly (#25)

Issue was closed by Nikos Mavrogiannopoulos via merge request !55 (https://gitlab.com/gnutls/libtasn1/merge_requests/55)

Issue #25: https://gitlab.com/gnutls/libtasn1/issues/25

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/issues/25

From gnutls-devel at lists.gnutls.org Sun Jan 19 22:28:55 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 19 Jan 2020 21:28:55 +0000
Subject: [gnutls-devel] libtasn1 | asn1_get_object_id_der: enhance the range of decoded OIDs (!55)

Merge Request !55 was merged

Merge Request url: https://gitlab.com/gnutls/libtasn1/merge_requests/55
Branches: tmp-oid-fix to master
Author: Nikos Mavrogiannopoulos
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/merge_requests/55

From gnutls-devel at lists.gnutls.org Mon Jan 20 01:15:09 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 20 Jan 2020 00:15:09 +0000
Subject: [gnutls-devel] GnuTLS | pkcs12: use correct key length when using STREEBOG-512 (!1171)

Dmitry Baryshkov created a merge request: https://gitlab.com/gnutls/gnutls/merge_requests/1171

Project:Branches: GostCrypt/gnutls:fix-gost-pkcs12 to gnutls/gnutls:master
Author: Dmitry Baryshkov

Add a description of the new feature/bug fix. Reference any relevant bugs.

## Checklist
* [x] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [x] Code modified for feature
* [x] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
* [x] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:
* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1171

From gnutls-devel at lists.gnutls.org Mon Jan 20 01:18:37 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 20 Jan 2020 00:18:37 +0000
Subject: [gnutls-devel] GnuTLS | fuzz in gost pkcs7/8/12 files (!1172)

Dmitry Baryshkov created a merge request: https://gitlab.com/gnutls/gnutls/merge_requests/1172

Project:Branches: GostCrypt/gnutls:gost-fuzz-1 to gnutls/gnutls:master
Author: Dmitry Baryshkov

Add a description of the new feature/bug fix. Reference any relevant bugs.

## Checklist
* [x] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [x] Code modified for feature
* [x] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
* [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:
* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1172

From gnutls-devel at lists.gnutls.org Mon Jan 20 01:20:11 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 20 Jan 2020 00:20:11 +0000
Subject: [gnutls-devel] GnuTLS | fuzz in gost pkcs7/8/12 files (!1172)

Dmitry Baryshkov commented:

A part of work related to #880. No TLS traces yet.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1172#note_273697344

From gnutls-devel at lists.gnutls.org Mon Jan 20 01:34:41 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 20 Jan 2020 00:34:41 +0000
Subject: [gnutls-devel] GnuTLS | WIP: Support for GOST-CTR ciphersuites from draft-smyshlyaec-tls12-gost-suites (!1144)

Dmitry Baryshkov pushed new commits to merge request !1144
https://gitlab.com/gnutls/gnutls/merge_requests/1144

* 86ff468d - priority: extend GOST keywords to contain MAGMA/KUZNYECHIK

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1144

From gnutls-devel at lists.gnutls.org Mon Jan 20 01:38:09 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 20 Jan 2020 00:38:09 +0000
Subject: [gnutls-devel] GnuTLS | x509: include digestParamSet into GOST 512-bit curves A and B params (!1173)

Dmitry Baryshkov created a merge request: https://gitlab.com/gnutls/gnutls/merge_requests/1173

Project:Branches: GostCrypt/gnutls:legacy-gost-512 to gnutls/gnutls:master
Author: Dmitry Baryshkov

Add a description of the new feature/bug fix. Reference any relevant bugs.

## Checklist
* [x] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [x] Code modified for feature
* [x] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
* [x] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:
* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1173

From gnutls-devel at lists.gnutls.org Mon Jan 20 01:38:22 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 20 Jan 2020 00:38:22 +0000
Subject: [gnutls-devel] GnuTLS | x509: add OGRNIP argument defined for Russian certificates (!1174)

Dmitry Baryshkov created a merge request: https://gitlab.com/gnutls/gnutls/merge_requests/1174

Project:Branches: GostCrypt/gnutls:ogrnip to gnutls/gnutls:master
Author: Dmitry Baryshkov

Add a description of the new feature/bug fix. Reference any relevant bugs.

## Checklist
* [x] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [x] Code modified for feature
* [ ] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
* [x] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:
* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1174

From gnutls-devel at lists.gnutls.org Mon Jan 20 01:42:39 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 20 Jan 2020 00:42:39 +0000
Subject: [gnutls-devel] GnuTLS | WIP: Support for GOST-CTR ciphersuites from draft-smyshlyaec-tls12-gost-suites (!1144)

Dmitry Baryshkov pushed new commits to merge request !1144
https://gitlab.com/gnutls/gnutls/merge_requests/1144

* 862504f2 - cli: benchmark MAGMA/KUZNYECHIK

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1144

From gnutls-devel at lists.gnutls.org Mon Jan 20 11:09:17 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 20 Jan 2020 10:09:17 +0000
Subject: [gnutls-devel] GnuTLS | fuzz in gost pkcs7/8/12 files (!1172)

Merge Request !1172 was approved by Tim Rühsen

Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/1172
Project:Branches: GostCrypt/gnutls:gost-fuzz-1 to gnutls/gnutls:master
Author: Dmitry Baryshkov
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1172

From gnutls-devel at lists.gnutls.org Mon Jan 20 11:12:58 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 20 Jan 2020 10:12:58 +0000 Subject: [gnutls-devel] GnuTLS | gnutls-cli-debug: ignore tests when algorithms are unavailable (!1170) In-Reply-To: References: Message-ID: Merge Request !1170 was approved by Dmitry Baryshkov Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/1170 Project:Branches: nmav/gnutls:tmp-fix-gnutls-cli-debug to gnutls/gnutls:master Author: Nikos Mavrogiannopoulos Assignees: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1170 From gnutls-devel at lists.gnutls.org Mon Jan 20 11:13:19 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 20 Jan 2020 10:13:19 +0000 Subject: [gnutls-devel] GnuTLS | pkcs12: use correct key length when using STREEBOG-512 (!1171) In-Reply-To: References: Message-ID: Tim Rühsen commented: Your commit message says you changed key length from 64 to 32. I can't see that reflected in the commit. Can you explain a bit? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1171#note_273890632 From gnutls-devel at lists.gnutls.org Mon Jan 20 11:15:24 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 20 Jan 2020 10:15:24 +0000 Subject: [gnutls-devel] GnuTLS | testcompat-openssl: improve testing against secured OpenSSL versions. (!1168) In-Reply-To: References: Message-ID: Dmitry Baryshkov commented: @xnox any update on version limiting the 1k DSA test? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1168#note_273891957 From gnutls-devel at lists.gnutls.org Mon Jan 20 11:18:36 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 20 Jan 2020 10:18:36 +0000 Subject: [gnutls-devel] GnuTLS | algorithms: implement X448 key exchange and Ed448 signature scheme (!984) In-Reply-To: References: Message-ID: Daiki Ueno pushed new commits to merge request !984 https://gitlab.com/gnutls/gnutls/merge_requests/984 * d4f604be - nettle: vendor in Curve448 and Ed448 implementation * fe09de51 - algorithms: implement X448 key exchange and Ed448 signature scheme * 05261a26 - .gitlab-ci.yml: add target to build against nettle master * 9e945ccf - .gitlab-ci.yml: export LDFLAGS throughout the FreeBSD build * 7dec05b8 - .gitlab-ci.yml: set WINEPATH to allow eccdata run under Wine -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/984 From gnutls-devel at lists.gnutls.org Mon Jan 20 11:22:37 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 20 Jan 2020 10:22:37 +0000 Subject: [gnutls-devel] GnuTLS | tls13: fix issues with client OCSP responses (!1169) In-Reply-To: References: Message-ID: Merge Request !1169 was approved by Dmitry Baryshkov Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/1169 Project:Branches: nmav/gnutls:tmp-tls13-ocsp to gnutls/gnutls:master Author: Nikos Mavrogiannopoulos Assignees: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1169 From gnutls-devel at lists.gnutls.org Mon Jan 20 11:32:13 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 20 Jan 2020 10:32:13 +0000 Subject: [gnutls-devel] GnuTLS | tls13: fix issues with client OCSP responses (!1169) In-Reply-To: References: Message-ID: Tim Rühsen started a new discussion on lib/tls13/certificate_request.c: https://gitlab.com/gnutls/gnutls/merge_requests/1169#note_273903505 > goto cleanup; > } > > +#ifdef ENABLE_OCSP > + /* We always advertise our support for OCSP responses */ This comment irritates me. Shouldn't it be "... for OCSP stapling"? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1169#note_273903505 From gnutls-devel at lists.gnutls.org Mon Jan 20 11:39:40 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 20 Jan 2020 10:39:40 +0000 Subject: [gnutls-devel] GnuTLS | New CI runner with clang combined ubsan+asan (!1151) In-Reply-To: References: Message-ID: Tim Rühsen pushed new commits to merge request !1151 https://gitlab.com/gnutls/gnutls/merge_requests/1151 * 0ae82294...4023d63f - 43 commits from branch `master` * 158b19f5 - Add runner for combined clang UBSAN+ASAN * 266335a3 - Fix -Wtypedef-redefinition in tests/tls13/anti_replay.c * 19c7a4c0 - Fix "implicit conversion from type 'int' of value -1 to 'unsigned'" * d5b79cce - Fix "implicit conversion from type 'int' of value -1 to 'unsigned'" * 0214bbef - Fix "implicit conversion from type 'int' of value -1 to 'unsigned'" * 891b5bfb - Fix "implicit conversion from type 'int' of value -1 to 'unsigned'" * 9308ffcb - Fix "implicit conversion from type 'int' < 0 to 'unsigned'" * 67df579f - Fix "implicit conversion from type 'int' < 0 to 'unsigned'" * 4cc60404 - Fix "implicit conversion from type 'int' -1 to 'unsigned'" * 8aba6c4c - Fix "implicit conversion from type 'uint32_t' to 'uint8_t' with value >255" * a7a749e6 - Fix checks in mpi.c:__gnutls_x509_write_int() * b27719d6 - Suppress integer UB checks in record.c:record_read_headers() * 664236dc - Fix "implicit conversion from type 'int' -1 to 'unsigned'" -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1151 From gnutls-devel at lists.gnutls.org Mon Jan 20 11:50:31 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 20 Jan 2020 10:50:31 +0000 Subject: [gnutls-devel] GnuTLS | Use 'make -j' with higher values for CI builds and tests (!1154) In-Reply-To: References: Message-ID: Tim Rühsen pushed new commits to merge request !1154 https://gitlab.com/gnutls/gnutls/merge_requests/1154 * 0ae82294...4023d63f - 39 commits from branch `master` * 6f286bce - Use make with crafted -j for CI builds and tests * b57e0b71 - tests/key-material-dtls.c: Try again on GNUTLS_E_AGAIN and GNUTLS_E_INTERRUPTED -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1154 From gnutls-devel at lists.gnutls.org Mon Jan 20 11:52:18 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 20 Jan 2020 10:52:18 +0000 Subject: [gnutls-devel] GnuTLS | Use 'make -j' with higher values for CI builds and tests (!1154) In-Reply-To: References: Message-ID: Tim Rühsen commented on a discussion: https://gitlab.com/gnutls/gnutls/merge_requests/1154#note_273916122 Rebased with your fix. Let's see - the issue in `key-material-dtls` was just an example. Likely there are more tests affected. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1154#note_273916122 From gnutls-devel at lists.gnutls.org Mon Jan 20 11:58:20 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 20 Jan 2020 10:58:20 +0000 Subject: [gnutls-devel] GnuTLS | Use 'make -j' with higher values for CI builds and tests (!1154) In-Reply-To: References: Message-ID: Tim Rühsen pushed new commits to merge request !1154 https://gitlab.com/gnutls/gnutls/merge_requests/1154 * 678021ea - Use make with crafted -j for CI builds and tests * 89c1712c - tests/key-material-dtls.c: Try again on GNUTLS_E_AGAIN and GNUTLS_E_INTERRUPTED -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1154 From gnutls-devel at lists.gnutls.org Mon Jan 20 12:01:19 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 20 Jan 2020 11:01:19 +0000 Subject: [gnutls-devel] GnuTLS | Use 'make -j' with higher values for CI builds and tests (!1154) In-Reply-To: References: Message-ID: Tim Rühsen commented: > Shouldn't we separate the values for freebsd and Linux? Yes, as the FreeBSD runner has more than one core, it is fast enough. I restored the original `gmake -j$(sysctl hw.ncpu | awk '{print $2}')`. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1154#note_273922761 From gnutls-devel at lists.gnutls.org Mon Jan 20 12:06:57 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 20 Jan 2020 11:06:57 +0000 Subject: [gnutls-devel] GnuTLS | Use 'make -j' with higher values for CI builds and tests (!1154) In-Reply-To: References: Message-ID: Tim Rühsen commented: > I liked the original version that used nproc more Added a hard-coded value since the FreeBSD runner doesn't know 'nproc'. And Gitlab won't give us more than 1 core as long as nobody throws money at them. Is that expected in the near future? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1154#note_273925912 From gnutls-devel at lists.gnutls.org Mon Jan 20 12:39:54 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 20 Jan 2020 11:39:54 +0000 Subject: [gnutls-devel] GnuTLS | pkcs12: use correct key length when using STREEBOG-512 (!1171) In-Reply-To: References: Message-ID: Dmitry Baryshkov started a new discussion on lib/x509/pkcs12.c: https://gitlab.com/gnutls/gnutls/merge_requests/1171#note_273950489 > if (me->id == GNUTLS_MAC_GOSTR_94 || > me->id == GNUTLS_MAC_STREEBOG_256 || > me->id == GNUTLS_MAC_STREEBOG_512) { > key_len = 32; @rockdaboot For typical usecases `key_len` is set to be equal to `mac_size`. For GOST case we override `key_len = 32`. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1171#note_273950489 From gnutls-devel at lists.gnutls.org Mon Jan 20 12:40:25 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 20 Jan 2020 11:40:25 +0000 Subject: [gnutls-devel] GnuTLS | pkcs12: use correct key length when using STREEBOG-512 (!1171) In-Reply-To: References: Message-ID: Dmitry Baryshkov started a new discussion on lib/x509/pkcs12.c: https://gitlab.com/gnutls/gnutls/merge_requests/1171#note_273950809 > sizeof(salt), > iter, > pass, > - mac_size, > + key_len, However when generating a key, I incorrectly used `mac_size` (= 64 for Streebog-512) instead of `key_len`. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1171#note_273950809 From gnutls-devel at lists.gnutls.org Mon Jan 20 12:41:37 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 20 Jan 2020 11:41:37 +0000 Subject: [gnutls-devel] GnuTLS | pkcs12: use correct key length when using STREEBOG-512 (!1171) In-Reply-To: References: Message-ID: Merge Request !1171 was approved by Tim Rühsen Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/1171 Project:Branches: GostCrypt/gnutls:fix-gost-pkcs12 to gnutls/gnutls:master Author: Dmitry Baryshkov Assignees: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1171 From gnutls-devel at lists.gnutls.org Mon Jan 20 12:41:53 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 20 Jan 2020 11:41:53 +0000 Subject: [gnutls-devel] GnuTLS | pkcs12: use correct key length when using STREEBOG-512 (!1171) In-Reply-To: References: Message-ID: All discussions on Merge Request !1171 were resolved by Tim Rühsen https://gitlab.com/gnutls/gnutls/merge_requests/1171 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1171 From gnutls-devel at lists.gnutls.org Mon Jan 20 12:41:52 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 20 Jan 2020 11:41:52 +0000 Subject: [gnutls-devel] GnuTLS | pkcs12: use correct key length when using STREEBOG-512 (!1171) In-Reply-To: References: Message-ID: Tim Rühsen commented on a discussion on lib/x509/pkcs12.c: https://gitlab.com/gnutls/gnutls/merge_requests/1171#note_273953975 > sizeof(salt), > iter, > pass, > - mac_size, > + key_len, Ah, got it :-) -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1171#note_273953975 From gnutls-devel at lists.gnutls.org Mon Jan 20 12:47:30 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 20 Jan 2020 11:47:30 +0000 Subject: [gnutls-devel] GnuTLS | WIP: Support for GOST-CTR ciphersuites from draft-smyshlyaec-tls12-gost-suites (!1144) In-Reply-To: References: Message-ID: Dmitry Baryshkov pushed new commits to merge request !1144 https://gitlab.com/gnutls/gnutls/merge_requests/1144 * af71a7d8 - priority: extend GOST keywords to contain MAGMA/KUZNYECHIK * 3b572619 - cli: benchmark MAGMA/KUZNYECHIK -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1144 From gnutls-devel at lists.gnutls.org Mon Jan 20 13:03:08 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 20 Jan 2020 12:03:08 +0000 Subject: [gnutls-devel] GnuTLS | gnutls-cli-debug: ignore tests when algorithms are unavailable (!1170) In-Reply-To: References: Message-ID: Merge Request !1170 was merged Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/1170 Project:Branches: nmav/gnutls:tmp-fix-gnutls-cli-debug to gnutls/gnutls:master Author: Nikos Mavrogiannopoulos Assignees: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1170 From gnutls-devel at lists.gnutls.org Mon Jan 20 13:03:35 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 20 Jan 2020 12:03:35 +0000 Subject: [gnutls-devel] GnuTLS | fuzz in gost pkcs7/8/12 files (!1172) In-Reply-To: References: Message-ID: Merge Request !1172 was merged Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/1172 Project:Branches: GostCrypt/gnutls:gost-fuzz-1 to gnutls/gnutls:master Author: Dmitry Baryshkov Assignees: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1172 From gnutls-devel at lists.gnutls.org Mon Jan 20 13:08:35 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 20 Jan 2020 12:08:35 +0000 Subject: [gnutls-devel] GnuTLS | x509: add OGRNIP argument defined for Russian certificates (!1174) In-Reply-To: References: Message-ID: Dmitry Baryshkov pushed new commits to merge request !1174 https://gitlab.com/gnutls/gnutls/merge_requests/1174 * 3ab9cc73 - x509: add OGRNIP DN entry definition used by qualified GOST certificates -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1174 From gnutls-devel at lists.gnutls.org Mon Jan 20 13:43:40 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 20 Jan 2020 12:43:40 +0000 Subject: [gnutls-devel] GnuTLS | algorithms: implement X448 key exchange and Ed448 signature scheme (!984) In-Reply-To: References: Message-ID: Daiki Ueno pushed new commits to merge request !984 https://gitlab.com/gnutls/gnutls/merge_requests/984 * a67aa7c0 - nettle: vendor in Curve448 and Ed448 implementation * 83b9fa17 - algorithms: implement X448 key exchange and Ed448 signature scheme * de9d6f92 - .gitlab-ci.yml: add target to build against nettle master * f1523859 - .gitlab-ci.yml: export LDFLAGS throughout the FreeBSD build * ee511a2a - .gitlab-ci.yml: set WINEPATH to allow eccdata run under Wine -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/984 From gnutls-devel at lists.gnutls.org Mon Jan 20 14:25:15 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 20 Jan 2020 13:25:15 +0000 Subject: [gnutls-devel] GnuTLS | algorithms: implement X448 key exchange and Ed448 signature scheme (!984) In-Reply-To: References: Message-ID: Daiki Ueno pushed new commits to merge request !984 https://gitlab.com/gnutls/gnutls/merge_requests/984 * 5aed760e - nettle: vendor in Curve448 and Ed448 implementation * 0a6ef113 - algorithms: implement X448 key exchange and Ed448 signature scheme * 3ad9b666 - .gitlab-ci.yml: add target to build against nettle master * de3281b6 - .gitlab-ci.yml: export LDFLAGS throughout the FreeBSD build * 16e82360 - .gitlab-ci.yml: set WINEPATH to allow eccdata run under Wine -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/984 From gnutls-devel at lists.gnutls.org Mon Jan 20 15:58:01 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 20 Jan 2020 14:58:01 +0000 Subject: [gnutls-devel] GnuTLS | algorithms: implement X448 key exchange and Ed448 signature scheme (!984) In-Reply-To: References: Message-ID: All discussions on Merge Request !984 were resolved by Daiki Ueno https://gitlab.com/gnutls/gnutls/merge_requests/984 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/984 From gnutls-devel at lists.gnutls.org Mon Jan 20 17:38:25 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 20 Jan 2020 16:38:25 +0000 Subject: [gnutls-devel] GnuTLS | tls13: fix issues with client OCSP responses (!1169) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos pushed new commits to merge request !1169 https://gitlab.com/gnutls/gnutls/merge_requests/1169 * f39b85db - tls13: request OCSP responses as a server -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1169 From gnutls-devel at lists.gnutls.org Mon Jan 20 17:38:35 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 20 Jan 2020 16:38:35 +0000 Subject: [gnutls-devel] GnuTLS | tls13: fix issues with client OCSP responses (!1169) In-Reply-To: References: Message-ID: All discussions on Merge Request !1169 were resolved by Nikos Mavrogiannopoulos https://gitlab.com/gnutls/gnutls/merge_requests/1169 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1169 From gnutls-devel at lists.gnutls.org Mon Jan 20 17:38:31 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 20 Jan 2020 16:38:31 +0000 Subject: [gnutls-devel] GnuTLS | tls13: fix issues with client OCSP responses (!1169) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos commented on a discussion on lib/tls13/certificate_request.c: https://gitlab.com/gnutls/gnutls/merge_requests/1169#note_274160694 > goto cleanup; > } > > +#ifdef ENABLE_OCSP > + /* We always advertise our support for OCSP responses */ Makes sense. updated. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1169#note_274160694 From gnutls-devel at lists.gnutls.org Mon Jan 20 17:40:31 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 20 Jan 2020 16:40:31 +0000 Subject: [gnutls-devel] GnuTLS | x509: add OGRNIP DN entry definition used by qualified GOST certificates (!1174) In-Reply-To: References: Message-ID: Merge Request !1174 was approved by Nikos Mavrogiannopoulos Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/1174 Project:Branches: GostCrypt/gnutls:ogrnip to gnutls/gnutls:master Author: Dmitry Baryshkov Assignees: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1174 From gnutls-devel at lists.gnutls.org Mon Jan 20 17:40:57 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 20 Jan 2020 16:40:57 +0000 Subject: [gnutls-devel] GnuTLS | x509: add OGRNIP DN entry definition used by qualified GOST certificates (!1174) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos commented: It would be nice to have some certificate with all of these OIDs to test we can decode, but nevertheless, it is fine as it is. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1174#note_274162074 From gnutls-devel at lists.gnutls.org Mon Jan 20 18:00:19 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 20 Jan 2020 17:00:19 +0000 Subject: [gnutls-devel] GnuTLS | x509: add OGRNIP DN entry definition used by qualified GOST certificates (!1174) In-Reply-To: References: Message-ID: Dmitry Baryshkov commented: I will add a couple of certificates. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1174#note_274172517 From gnutls-devel at lists.gnutls.org Mon Jan 20 18:00:25 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 20 Jan 2020 17:00:25 +0000 Subject: [gnutls-devel] GnuTLS | x509: add OGRNIP DN entry definition used by qualified GOST certificates (!1174) In-Reply-To: References: Message-ID: Merge Request !1174 was merged Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/1174 Project:Branches: GostCrypt/gnutls:ogrnip to gnutls/gnutls:master Author: Dmitry Baryshkov Assignees: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1174 From gnutls-devel at lists.gnutls.org Mon Jan 20 18:17:31 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 20 Jan 2020 17:17:31 +0000 Subject: [gnutls-devel] GnuTLS | tls13: fix issues with client OCSP responses (!1169) In-Reply-To: References: Message-ID: Merge Request !1169 was approved by Tim Rühsen Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/1169 Project:Branches: nmav/gnutls:tmp-tls13-ocsp to gnutls/gnutls:master Author: Nikos Mavrogiannopoulos Assignees: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1169 From gnutls-devel at lists.gnutls.org Mon Jan 20 18:45:01 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 20 Jan 2020 17:45:01 +0000 Subject: [gnutls-devel] GnuTLS | tls13: fix issues with client OCSP responses (!1169) In-Reply-To: References: Message-ID: Merge Request !1169 was merged Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/1169 Project:Branches: nmav/gnutls:tmp-tls13-ocsp to gnutls/gnutls:master Author: Nikos Mavrogiannopoulos Assignees: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1169 From gnutls-devel at lists.gnutls.org Mon Jan 20 18:45:01 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 20 Jan 2020 17:45:01 +0000 Subject: [gnutls-devel] GnuTLS | OCSP: server does not request client OCSP staples (#876) In-Reply-To: References: Message-ID: Issue was closed by Nikos Mavrogiannopoulos via merge request !1169 (https://gitlab.com/gnutls/gnutls/merge_requests/1169) Issue #876: https://gitlab.com/gnutls/gnutls/issues/876 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/876 From gnutls-devel at lists.gnutls.org Mon Jan 20 22:41:49 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 20 Jan 2020 21:41:49 +0000 Subject: [gnutls-devel] GnuTLS | pkcs12: use correct key length when using STREEBOG-512 (!1171) In-Reply-To: References: Message-ID: Merge Request !1171 was merged Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/1171 Project:Branches: GostCrypt/gnutls:fix-gost-pkcs12 to gnutls/gnutls:master Author: Dmitry Baryshkov Assignees: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1171 From gnutls-devel at lists.gnutls.org Mon Jan 20 22:49:28 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 20 Jan 2020 21:49:28 +0000 Subject: [gnutls-devel] GnuTLS | x509: include digestParamSet into GOST 512-bit curves A and B params (!1173) In-Reply-To: References: Message-ID: Dmitry Baryshkov commented: This change has been discussed and coordinated with @beldmit , who is supporting OpenSSL's GOST engine. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1173#note_274276838 From gnutls-devel at lists.gnutls.org Tue Jan 21 06:58:59 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 21 Jan 2020 05:58:59 +0000 Subject: [gnutls-devel] GnuTLS | x509: include digestParamSet into GOST 512-bit curves A and B params (!1173) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos commented: What is this parameter's status according to the (new) protocol? Are they optional or they must not be present? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1173#note_274364807 From gnutls-devel at lists.gnutls.org Tue Jan 21 07:45:04 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 21 Jan 2020 06:45:04 +0000 Subject: [gnutls-devel] GnuTLS | x509: include digestParamSet into GOST 512-bit curves A and B params (!1173) In-Reply-To: References: Message-ID: Dmitry Belyavskiy commented: They were present in the systems certified before 2018 and they SHOULD be present for the A and B parameter sets. I don't remember if they MAY or SHOULD NOT be present for the C parameter set. My implementation does not complain when they are present with C but does not write them to a certificate. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1173#note_274376881 From gnutls-devel at lists.gnutls.org Tue Jan 21 10:47:36 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 21 Jan 2020 09:47:36 +0000 Subject: [gnutls-devel] GnuTLS | GOSTR341194, RIPEMD160: mark as insecure for digital signatures (!1175) References: Message-ID: Nikos Mavrogiannopoulos created a merge request: https://gitlab.com/gnutls/gnutls/merge_requests/1175 Project:Branches: nmav/gnutls:tmp-mark-gost94-as-broken to gnutls/gnutls:master Author: Nikos Mavrogiannopoulos Although there are no practical attacks known on the algorithms, one is known to be weaker than its theoretical strength, legacy and the other has no practical uses for Internet PKI. Mark them as insecure to reduce the attack surface. ## Checklist * [x] Commits have `Signed-off-by:` with name/author being identical to the commit author * [ ] Code modified for feature * [ ] Test suite updated with functionality tests * [ ] Test suite updated with negative tests * [ ] Documentation updated / NEWS entry present (for non-trivial changes) * [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout) ## Reviewer's checklist: * [ ] Any issues marked for closing are addressed * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md` * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1175 From gnutls-devel at lists.gnutls.org Tue Jan 21 10:48:39 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 21 Jan 2020 09:48:39 +0000 Subject: [gnutls-devel] GnuTLS | GOSTR341194, RIPEMD160: mark as insecure for digital signatures (!1175) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos commented: I am not sure whether we should bundle this in, in 3.6.x series or we should wait for 3.7. @gnutls any opinions? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1175#note_274487264 You're receiving this email because you have been mentioned on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Jan 21 11:49:20 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 21 Jan 2020 10:49:20 +0000 Subject: [gnutls-devel] GnuTLS | GOSTR341194, RIPEMD160: mark as insecure for digital signatures (!1175) In-Reply-To: References: Message-ID: Dmitry Baryshkov commented: I'd vote for 3.7 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1175#note_274530384 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Jan 21 11:50:15 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 21 Jan 2020 10:50:15 +0000 Subject: [gnutls-devel] GnuTLS | GOSTR341194, RIPEMD160: mark as insecure for digital signatures (!1175) In-Reply-To: References: Message-ID: Merge Request !1175 was approved by Dmitry Baryshkov Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/1175 Project:Branches: nmav/gnutls:tmp-mark-gost94-as-broken to gnutls/gnutls:master Author: Nikos Mavrogiannopoulos Assignees: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1175 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Jan 21 13:15:40 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 21 Jan 2020 12:15:40 +0000 Subject: [gnutls-devel] GnuTLS | GOSTR341194, RIPEMD160: mark as insecure for digital signatures (!1175) In-Reply-To: References: Message-ID: Hubert Kario (@mention me if you need reply) commented: it's an API change so I don't think it belongs in a patch release; more important question is _when_ should the 3.7 release happen -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1175#note_274581850 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Jan 21 14:41:47 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 21 Jan 2020 13:41:47 +0000 Subject: [gnutls-devel] GnuTLS | New CI runner with clang combined ubsan+asan (!1151) In-Reply-To: References: Message-ID: Tim Rühsen commented: @nmav Any objections ? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1151#note_274635252 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Jan 21 22:59:35 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 21 Jan 2020 21:59:35 +0000 Subject: [gnutls-devel] GnuTLS | algorithms: implement X448 key exchange and Ed448 signature scheme (!984) In-Reply-To: References: Message-ID: Dmitry Baryshkov started a new discussion on .gitignore: https://gitlab.com/gnutls/gnutls/merge_requests/984#note_274931991 > lib/minitasn1/Makefile > lib/minitasn1/Makefile.in > lib/nettle/libcrypto.la > +lib/nettle/curve448 > +lib/nettle/curve448/ecc-curve448-*.h > +lib/nettle/eccdata* I'd suggest to move it to `lib/nettle/backport` (or other suitable subdir). Otherwise it might be easy to confuse GnuTLS and nettle's code. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/984#note_274931991 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Jan 22 05:26:32 2020 
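Review bot: In the `.gitignore` hunk quoted in the !984 discussion above, the added `lib/nettle/curve448/ecc-curve448-*.h` entry is redundant next to `lib/nettle/curve448`, because the directory entry already ignores everything below it. If only the generated headers are meant to be ignored, drop the directory entry so that new or modified vendored sources under that path still show up in `git status`; if the whole directory is generated, keep only the directory entry. The `lib/nettle/eccdata*` glob would likewise hide any source file whose name starts with `eccdata`, so a pattern that names only the built binary would be narrower.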
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 22 Jan 2020 04:26:32 +0000 Subject: [gnutls-devel] GnuTLS | algorithms: implement X448 key exchange and Ed448 signature scheme (!984) In-Reply-To: References: Message-ID: Daiki Ueno pushed new commits to merge request !984 https://gitlab.com/gnutls/gnutls/merge_requests/984 * eb280773 - nettle: vendor in Curve448 and Ed448 implementation * f0466b08 - algorithms: implement X448 key exchange and Ed448 signature scheme * 9982eff8 - .gitlab-ci.yml: add target to build against nettle master * b8956899 - .gitlab-ci.yml: export LDFLAGS throughout the FreeBSD build * 74625b98 - .gitlab-ci.yml: set WINEPATH to allow eccdata run under Wine * 2ea58bc6 - tlsfuzzer: enable tests for X448 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/984 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Jan 22 05:49:28 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 22 Jan 2020 04:49:28 +0000 Subject: [gnutls-devel] GnuTLS | algorithms: implement X448 key exchange and Ed448 signature scheme (!984) In-Reply-To: References: Message-ID: Daiki Ueno pushed new commits to merge request !984 https://gitlab.com/gnutls/gnutls/merge_requests/984 * ecc4bacd - nettle: vendor in Curve448 and Ed448 implementation * 0bedcc8e - algorithms: implement X448 key exchange and Ed448 signature scheme * 7fc2e033 - .gitlab-ci.yml: add target to build against nettle master * 68cf8f78 - .gitlab-ci.yml: export LDFLAGS throughout the FreeBSD build * a89f148d - .gitlab-ci.yml: set WINEPATH to allow eccdata run under Wine * 4191abb4 - tlsfuzzer: enable tests for X448 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/984 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Jan 22 07:19:40 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 22 Jan 2020 06:19:40 +0000 Subject: [gnutls-devel] GnuTLS | algorithms: implement X448 key exchange and Ed448 signature scheme (!984) In-Reply-To: References: Message-ID: Daiki Ueno pushed new commits to merge request !984 https://gitlab.com/gnutls/gnutls/merge_requests/984 * 18d1e586 - nettle: vendor in Curve448 and Ed448 implementation * 17a5a516 - algorithms: implement X448 key exchange and Ed448 signature scheme * 14544d6b - .gitlab-ci.yml: add target to build against nettle master * fee94e87 - .gitlab-ci.yml: export LDFLAGS throughout the FreeBSD build * 3534c140 - .gitlab-ci.yml: set WINEPATH to allow eccdata run under Wine * 15406266 - tlsfuzzer: enable tests for X448 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/984 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Jan 22 09:25:11 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 22 Jan 2020 08:25:11 +0000 Subject: [gnutls-devel] GnuTLS | algorithms: implement X448 key exchange and Ed448 signature scheme (!984) In-Reply-To: References: Message-ID: Daiki Ueno pushed new commits to merge request !984 https://gitlab.com/gnutls/gnutls/merge_requests/984 * 20c197aa - nettle: vendor in Curve448 and Ed448 implementation * c36dae02 - algorithms: implement X448 key exchange and Ed448 signature scheme * 6441ef00 - .gitlab-ci.yml: add target to build against nettle master * 28f76f91 - .gitlab-ci.yml: export LDFLAGS throughout the FreeBSD build * e727fb47 - .gitlab-ci.yml: set WINEPATH to allow eccdata run under Wine * 3739f469 - tlsfuzzer: enable tests for X448 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/984 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Jan 22 10:46:28 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 22 Jan 2020 09:46:28 +0000 Subject: [gnutls-devel] GnuTLS | algorithms: implement X448 key exchange and Ed448 signature scheme (!984) In-Reply-To: References: Message-ID: All discussions on Merge Request !984 were resolved by Daiki Ueno https://gitlab.com/gnutls/gnutls/merge_requests/984 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/984 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Jan 22 10:46:28 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 22 Jan 2020 09:46:28 +0000 Subject: [gnutls-devel] GnuTLS | algorithms: implement X448 key exchange and Ed448 signature scheme (!984) In-Reply-To: References: Message-ID: Daiki Ueno commented on a discussion on .gitignore: https://gitlab.com/gnutls/gnutls/merge_requests/984#note_275136328 > lib/minitasn1/Makefile > lib/minitasn1/Makefile.in > lib/nettle/libcrypto.la > +lib/nettle/curve448 > +lib/nettle/curve448/ecc-curve448-*.h > +lib/nettle/eccdata* Done. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/984#note_275136328 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Jan 22 12:29:33 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 22 Jan 2020 11:29:33 +0000 Subject: [gnutls-devel] libtasn1 | Send release announcements to info-gnu@gnu.org (#18) In-Reply-To: References: Message-ID: Tim Rühsen commented:

@nmav In branch 'tmp-release-script' you'll find `devel/release`, which is basically a copy from wget2. You might need to amend it a little bit - but once it works for libtasn1, it's very easy to upload a new release.

So you would make the next release similar to
- git checkout master
- amend NEWS and configure.ac
- add a new git tag
- git push --follow-tags

Now run the `devel/release` script to build the tarball and to upload it to ftp.gnu.org. For a first test run you can comment out the ftp command near the bottom.

-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/issues/18#note_275201359 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Jan 22 12:32:11 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 22 Jan 2020 11:32:11 +0000 Subject: [gnutls-devel] libtasn1 | Send release announcements to info-gnu@gnu.org (#18) In-Reply-To: References: Message-ID: Tim Rühsen commented: I also added `devel/announcement_template.txt` - this needs some editing before using it as email template for info-gnu. But once you updated with all the links etc, the next time it is just the NEWS and version numbers that need an update. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/issues/18#note_275202884 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Jan 22 12:45:03 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 22 Jan 2020 11:45:03 +0000 Subject: [gnutls-devel] GnuTLS | p11-kit-trust: investigate whether CKA_NSS_{SERVER, EMAIL}_DISTRUST_AFTER can be used (#912) References: Message-ID: Nikos Mavrogiannopoulos created an issue: https://gitlab.com/gnutls/gnutls/issues/912 p11-kit now supports the [`CKA_NSS_{SERVER,EMAIL}_DISTRUST_AFTER` PKCS#11 option](https://github.com/p11-glue/p11-kit/releases/tag/0.23.19). We should investigate where in the PKCS#11 validation this fits, and how we should use it. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/912 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Jan 23 03:22:55 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 23 Jan 2020 02:22:55 +0000 Subject: [gnutls-devel] GnuTLS | algorithms: implement X448 key exchange and Ed448 signature scheme (!984) In-Reply-To: References: Message-ID: Merge request https://gitlab.com/gnutls/gnutls/merge_requests/984 was reviewed by Nikos Mavrogiannopoulos -- Nikos Mavrogiannopoulos started a new discussion on lib/algorithms/mac.c: https://gitlab.com/gnutls/gnutls/merge_requests/984#note_275649509 > + {.name = "SHAKE-256", > + .oid = HASH_OID_SHAKE_256, > + .id = GNUTLS_MAC_SHAKE_256}, nit: we do not seem to use it anywhere but we don't set block size here although in SHA3 we do. -- Nikos Mavrogiannopoulos started a new discussion on tests/privkey-keygen.c: https://gitlab.com/gnutls/gnutls/merge_requests/984#note_275649511 > digest = GNUTLS_DIG_SHA512; > + else if (algorithm == GNUTLS_PK_EDDSA_ED448) > + digest = GNUTLS_DIG_SHAKE_256; That looks strange given that we do not claim its implementation. I'm not sure what's the best solution here. What about amending its documentation to mention that it is an allowed option on X448 signatures? -- Nikos Mavrogiannopoulos started a new discussion on .gitlab-ci.yml: https://gitlab.com/gnutls/gnutls/merge_requests/984#note_275649513 > + - popd > + - SUBMODULE_NOFETCH=1 ./bootstrap > + - PKG_CONFIG_PATH=$NETTLE_DIR/lib64/pkgconfig dash ./configure --cache-file cache/config.cache --disable-gcc-warnings --disable-doc --disable-guile --disable-gost @lumag Is the disable-gost necessary? Will new versions of nettle work with gnutls or gnutls should have been compiled with `--disable-gost`? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/984 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Jan 23 03:26:54 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 23 Jan 2020 02:26:54 +0000 Subject: [gnutls-devel] GnuTLS | algorithms: implement X448 key exchange and Ed448 signature scheme (!984) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos commented: Although it is extensive, based on the previous discussions that's probably the most reasonable solution. Would it be possible to add a certificate in fuzzer (gnutls_x509_parser_fuzzer.c) and a trace for client and server fuzzers? Given the assert triggered in gost-cpa I think we should rely on that infrastructure for new curves. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/984#note_275649994 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Jan 23 03:30:23 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 23 Jan 2020 02:30:23 +0000 Subject: [gnutls-devel] GnuTLS | x509: include digestParamSet into GOST 512-bit curves A and B params (!1173) In-Reply-To: References: Message-ID: Merge Request !1173 was approved by Nikos Mavrogiannopoulos Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/1173 Project:Branches: GostCrypt/gnutls:legacy-gost-512 to gnutls/gnutls:master Author: Dmitry Baryshkov Assignees: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1173 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Jan 23 06:51:47 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 23 Jan 2020 05:51:47 +0000 Subject: [gnutls-devel] GnuTLS | algorithms: implement X448 key exchange and Ed448 signature scheme (!984) In-Reply-To: References: Message-ID: Daiki Ueno pushed new commits to merge request !984 https://gitlab.com/gnutls/gnutls/merge_requests/984 * af5e42ab - nettle: vendor in Curve448 and Ed448 implementation * 014a542a - algorithms: implement X448 key exchange and Ed448 signature scheme * 4d0631e8 - .gitlab-ci.yml: add target to build against nettle master * b5a1c293 - .gitlab-ci.yml: export LDFLAGS throughout the FreeBSD build * 4252ee38 - .gitlab-ci.yml: set WINEPATH to allow eccdata run under Wine * 609d1a78 - tlsfuzzer: enable tests for X448 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/984 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Jan 23 06:53:55 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 23 Jan 2020 05:53:55 +0000 Subject: [gnutls-devel] GnuTLS | algorithms: implement X448 key exchange and Ed448 signature scheme (!984) In-Reply-To: References: Message-ID: Daiki Ueno commented on a discussion on tests/privkey-keygen.c: https://gitlab.com/gnutls/gnutls/merge_requests/984#note_275693886 > > if (algorithm == GNUTLS_PK_EDDSA_ED25519) > digest = GNUTLS_DIG_SHA512; > + else if (algorithm == GNUTLS_PK_EDDSA_ED448) > + digest = GNUTLS_DIG_SHAKE_256; I've rewritten this part to use `gnutls_pubkey_get_preferred_hash_algorithm` so no algorithm-specific code is needed. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/984#note_275693886 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Jan 23 07:07:35 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 23 Jan 2020 06:07:35 +0000 Subject: [gnutls-devel] GnuTLS | algorithms: implement X448 key exchange and Ed448 signature scheme (!984) In-Reply-To: References: Message-ID: Daiki Ueno pushed new commits to merge request !984 https://gitlab.com/gnutls/gnutls/merge_requests/984 * 07596231 - algorithms: implement X448 key exchange and Ed448 signature scheme * 978773fc - .gitlab-ci.yml: add target to build against nettle master * 0f7baad9 - .gitlab-ci.yml: export LDFLAGS throughout the FreeBSD build * 6071e027 - .gitlab-ci.yml: set WINEPATH to allow eccdata run under Wine * 198489c1 - tlsfuzzer: enable tests for X448 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/984 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Jan 23 08:45:36 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 23 Jan 2020 07:45:36 +0000 Subject: [gnutls-devel] GnuTLS | testcompat-openssl: improve testing against secured OpenSSL versions. (!1168) In-Reply-To: References: Message-ID: Dimitri John Ledkov commented: @lumag @nmav So, reverting to 1k DSA results in testsuite failures of testcompat-openssl.sh against 1.1.1d, but since that is running test case in parallel, it's hard to tell which ones are failing. Let me re-run that in serial to understand which test cases fail. I fear that 1.1.1d rejects 1k DSA keys even at SECLEVEL=0 and there is no way to go even lower than that, unless one overrides and provides a custom security callback function. I think 1k DSA should only be tested against openssl 1.0.2 series. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1168#note_275725419 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Jan 23 09:34:21 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 23 Jan 2020 08:34:21 +0000 Subject: [gnutls-devel] GnuTLS | algorithms: implement X448 key exchange and Ed448 signature scheme (!984) In-Reply-To: References: Message-ID: Daiki Ueno commented on a discussion: https://gitlab.com/gnutls/gnutls/merge_requests/984#note_275758739 I'm not familiar with the fuzzer code, but would it be sufficient to put a DER certificate in `fuzzer/gnutls_x509_parser_fuzzer.in`? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/984#note_275758739 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Jan 23 10:00:54 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 23 Jan 2020 09:00:54 +0000 Subject: [gnutls-devel] GnuTLS | algorithms: implement X448 key exchange and Ed448 signature scheme (!984) In-Reply-To: References: Message-ID: Tim Rühsen commented on a discussion: https://gitlab.com/gnutls/gnutls/merge_requests/984#note_275772226

The fuzzer code is very small and should be easy to read (see `fuzz/gnutls_x509_parser_fuzzer.c`). So it does call gnutls_x509_crt_import() with GNUTLS_X509_FMT_DER - so a DER cert is the right thing to have.

To check the code coverage of a single fuzzer:

```
./configure --enable-code-coverage --disable-doc
make clean
make
make check -C fuzz TESTS=gnutls_x509_parser_fuzzer
make code-coverage-capture
xdg-open file:///usr/oms/src/gnutls/GnuTLS-3.6.12-coverage/index.html
```

So you can see if the new code is really covered by the fuzzer when used with the existing corpora in `fuzz/gnutls_x509_parser_fuzzer.in` (in this case the "fuzzer" is compiled as a unit-test).

Possibly, you need to run the real fuzzer first to generate new corpora (= new discovered code paths). To do that, see `fuzz/README.md` and best go with clang fuzzing, then let the fuzzer run for ~10 minutes and check code coverage again. The switch between 'test' and 'fuzzer' mode requires a rebuild starting with `./configure...`.

Let me know if I can help. E.g. you add the cert to the branch, I check it out, generate new corpora and add them via git commit.

-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/984#note_275772226 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Jan 23 10:05:55 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 23 Jan 2020 09:05:55 +0000 Subject: [gnutls-devel] GnuTLS | testcompat-openssl: improve testing against secured OpenSSL versions. (!1168) In-Reply-To: References: Message-ID: Dimitri John Ledkov pushed new commits to merge request !1168 https://gitlab.com/gnutls/gnutls/merge_requests/1168 * 24208f7c - Drop DSS params from v1.2 tests -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1168 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Jan 23 10:18:06 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 23 Jan 2020 09:18:06 +0000 Subject: [gnutls-devel] GnuTLS | algorithms: implement X448 key exchange and Ed448 signature scheme (!984) In-Reply-To: References: Message-ID: Tim Rühsen commented: Why/How does the minimal.fedora runner run on `OS/Arch: windows/amd64` ??? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/984#note_275782610 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Jan 23 10:53:53 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 23 Jan 2020 09:53:53 +0000 Subject: [gnutls-devel] GnuTLS | algorithms: implement X448 key exchange and Ed448 signature scheme (!984) In-Reply-To: References: Message-ID: Dmitry Baryshkov commented on a discussion on .gitlab-ci.yml: https://gitlab.com/gnutls/gnutls/merge_requests/984#note_275806633 > <<: *Debian_cross_template > + > +nettle-master.Fedora: > + stage: stage1-testing > + image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$FEDORA_BUILD > + script: > + - git clone --depth 1 --branch master https://gitlab.com/gnutls/nettle.git nettle-git > + - export NETTLE_DIR=${PWD}/nettle > + - pushd nettle-git > + - ./.bootstrap > + - ./configure --disable-documentation --prefix=$NETTLE_DIR > + - make -j$(nproc) > + - make -j$(nproc) install > + - popd > + - SUBMODULE_NOFETCH=1 ./bootstrap > + - PKG_CONFIG_PATH=$NETTLE_DIR/lib64/pkgconfig dash ./configure --cache-file cache/config.cache --disable-gcc-warnings --disable-doc --disable-guile --disable-gost Current nettle master does not work with GnuTLS. I'm going to submit a pull request soon. What is the timeline for 3.6.12? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/984#note_275806633 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Jan 23 11:01:11 2020 
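Review bot: The `git clone --depth 1 --branch master` step in the `nettle-master.Fedora` job quoted above builds whatever nettle master happens to be at run time, so a failed pipeline cannot be tied to a nettle revision from the job output alone. Print the resolved commit right after cloning, for example with `git -C nettle-git rev-parse HEAD`, and consider letting this job fail without blocking unrelated merge requests. The later `PKG_CONFIG_PATH=$NETTLE_DIR/lib64/pkgconfig` also assumes the install lands in `lib64` although nettle is configured with `--prefix` only; passing an explicit `--libdir` to nettle's configure would make that path certain.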
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 23 Jan 2020 10:01:11 +0000 Subject: [gnutls-devel] GnuTLS | testcompat-openssl: improve testing against secured OpenSSL versions. (!1168) In-Reply-To: References: Message-ID: Dimitri John Ledkov commented: So, I dropped DSS params from the v1.2 tests, as those should use RSA keys. And then I was able to drop back to 1k DSA keys. Please rereview, wait for pipeline, and merge. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1168#note_275811476 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Jan 23 11:13:35 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 23 Jan 2020 10:13:35 +0000 Subject: [gnutls-devel] GnuTLS | lib/nettle/gost: restore compatibility with nettle master (!1176) References: Message-ID: Dmitry Baryshkov created a merge request: https://gitlab.com/gnutls/gnutls/merge_requests/1176 Project:Branches: GostCrypt/gnutls:fix-gost-nettle-master to gnutls/gnutls:master Author: Dmitry Baryshkov Add a description of the new feature/bug fix. Reference any relevant bugs. ## Checklist * [x] Commits have `Signed-off-by:` with name/author being identical to the commit author * [x] Code modified for feature * [ ] Test suite updated with functionality tests * [ ] Test suite updated with negative tests * [ ] Documentation updated / NEWS entry present (for non-trivial changes) * [x] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout) ## Reviewer's checklist: * [ ] Any issues marked for closing are addressed * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md` * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1176 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Jan 23 11:14:10 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 23 Jan 2020 10:14:10 +0000 Subject: [gnutls-devel] GnuTLS | lib/nettle/gost: restore compatibility with nettle master (!1176) In-Reply-To: References: Message-ID: Dmitry Baryshkov commented: TODO: maybe add a test against nettle's master. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1176#note_275819341 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Jan 23 11:31:16 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 23 Jan 2020 10:31:16 +0000 Subject: [gnutls-devel] GnuTLS | algorithms: implement X448 key exchange and Ed448 signature scheme (!984) In-Reply-To: References: Message-ID: Daiki Ueno commented on a discussion: https://gitlab.com/gnutls/gnutls/merge_requests/984#note_275830249

Thanks. I'm not sure if it is sufficient, but if I copy the key and cert in `fuzz/gnutls_pkcs12_key_parser_fuzzer.in` and `fuzz/gnutls_x509_parser_fuzzer.in`, those fuzzer seem to cover sufficient code path, e.g., the `GNUTLS_PK_EDDSA_ED448` branch in `_gnutls_x509_read_pubkey`.

```sh
$ certtool -i --infile doc/credentials/x509/cert-ed448.pem --outfile cert-ed448.der --outder
$ cp cert-ed448.der fuzz/gnutls_x509_parser_fuzzer.in
$ openssl pkcs12 -export -in doc/credentials/x509/cert-ed448.pem -inkey doc/credentials/x509/key-ed448.pem -out ed448.p12 -name "Ed448 key and cert"
$ cp ed448.p12 fuzz/gnutls_pkcs12_key_parser_fuzzer.in
```

-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/984#note_275830249 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Jan 23 12:11:16 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 23 Jan 2020 11:11:16 +0000 Subject: [gnutls-devel] GnuTLS | algorithms: implement X448 key exchange and Ed448 signature scheme (!984) In-Reply-To: References: Message-ID: Tim Rühsen commented on a discussion: https://gitlab.com/gnutls/gnutls/merge_requests/984#note_275856219 That sounds good then. OSS-Fuzz will throw millions of modified versions of the key and cert at the code and likely creates new corpora. We download those from time to time to get in sync. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/984#note_275856219 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Jan 23 12:36:39 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 23 Jan 2020 11:36:39 +0000 Subject: [gnutls-devel] GnuTLS | testcompat-openssl: improve testing against secured OpenSSL versions. (!1168) In-Reply-To: References: Message-ID: Dimitri John Ledkov pushed new commits to merge request !1168 https://gitlab.com/gnutls/gnutls/merge_requests/1168 * 68b3b9f8 - Drop DSS params from v1.2 tests -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1168 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Jan 23 13:52:13 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 23 Jan 2020 12:52:13 +0000 Subject: [gnutls-devel] GnuTLS | Received TLS alert from the server: User canceled (90) (#913) References: Message-ID: Alla Gofman created an issue: https://gitlab.com/gnutls/gnutls/issues/913 ## Description of problem: FileZilla client 3.46.x built against GnuTLS 3.6.7 - Failed to retrieve directory listing when connecting in TLS 1.3 ## Version of gnutls used: GnuTLS 3.6.7 ## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL) ## How reproducible: Open FTP over SSL connection to remote server with protocol TLS 1.3 Directory listing fails ERROR: | GNUTLS_A_USER_CANCELED | 90 | User canceled | I use Apache Mina ftp server. We test other clients, one based on Apache FTP client and one on python ftp library, which succeeded to connect and retrieve directory listing. Steps to Reproduce: * one * two * three ## Actual results: Please see FileZilla Client log in debug level: * Status: Resolving address of ******** * Status: Connecting to ******... * Status: Connection established, waiting for welcome message... * Status: Initializing TLS... * Status: Verifying certificate... * Status: TLS connection established. * Status: Logged in * Status: Retrieving directory listing of "/"... * Command: CWD / * Response: 250 Directory changed to / * Command: TYPE I * Response: 200 Command TYPE okay. * Command: PORT 137,72,216,12,225,198 * Response: 200 Command PORT okay. * Command: MLSD * Response: 150 File status okay; about to open data connection. * **Error: Received TLS alert from the server: User canceled (90)** * Error: Could not read from transfer socket: ECONNABORTED - Connection aborted * Response: 226 Closing data connection. 
* Error: Failed to retrieve directory listing * Status: Connection closed by server * Status: Disconnected from server ## Expected results: Shows directory tree -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/913 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Jan 23 14:35:50 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 23 Jan 2020 13:35:50 +0000 Subject: [gnutls-devel] GnuTLS | lib/nettle/gost: restore compatibility with nettle master (!1176) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos commented: @dueno has one in the ed448 patch. Maybe bring this on top of that MR? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1176#note_275951732 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Jan 23 14:37:50 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 23 Jan 2020 13:37:50 +0000 Subject: [gnutls-devel] GnuTLS | algorithms: implement X448 key exchange and Ed448 signature scheme (!984) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos commented on a discussion on .gitlab-ci.yml: https://gitlab.com/gnutls/gnutls/merge_requests/984#note_275952977 > <<: *Debian_cross_template > + > +nettle-master.Fedora: > + stage: stage1-testing > + image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$FEDORA_BUILD > + script: > + - git clone --depth 1 --branch master https://gitlab.com/gnutls/nettle.git nettle-git > + - export NETTLE_DIR=${PWD}/nettle > + - pushd nettle-git > + - ./.bootstrap > + - ./configure --disable-documentation --prefix=$NETTLE_DIR > + - make -j$(nproc) > + - make -j$(nproc) install > + - popd > + - SUBMODULE_NOFETCH=1 ./bootstrap > + - PKG_CONFIG_PATH=$NETTLE_DIR/lib64/pkgconfig dash ./configure --cache-file cache/config.cache --disable-gcc-warnings --disable-doc --disable-guile --disable-gost I'd like to release it the first days of February. I'd leave a week between the last big merge and the release to give us some time with oss-fuzz -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/984#note_275952977 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Jan 23 14:39:52 2020 
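Review bot: `PKG_CONFIG_PATH=$NETTLE_DIR/lib64/pkgconfig` in the last script line assumes nettle installs its libraries under `lib64`, but the `./configure` call for nettle-git passes only `--prefix=$NETTLE_DIR`, so the two lines agree only by the default of that build. Passing an explicit `--libdir=$NETTLE_DIR/lib64` to the nettle configure step would tie them together. The clone of `--branch master` is also unpinned, so a red run can come from either tree; printing the nettle commit (`git -C nettle-git rev-parse HEAD`) in the script would make failures attributable.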
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 23 Jan 2020 13:39:52 +0000 Subject: [gnutls-devel] GnuTLS | algorithms: implement X448 key exchange and Ed448 signature scheme (!984) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos commented: > `OS/Arch: windows/amd64` Where did you see that? Is that where the VM of gitlab is running? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/984#note_275954287 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Jan 23 14:54:24 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 23 Jan 2020 13:54:24 +0000 Subject: [gnutls-devel] GnuTLS | New CI runner with clang combined ubsan+asan (!1151) In-Reply-To: References: Message-ID: Merge request https://gitlab.com/gnutls/gnutls/merge_requests/1151 was reviewed by Nikos Mavrogiannopoulos -- Nikos Mavrogiannopoulos started a new discussion on lib/hello_ext.c: https://gitlab.com/gnutls/gnutls/merge_requests/1151#note_275963750 > > - msg &= GNUTLS_EXT_FLAG_SET_ONLY_FLAGS_MASK; > + msg &= (gnutls_ext_flags_t) GNUTLS_EXT_FLAG_SET_ONLY_FLAGS_MASK; I think that looks quite strange. Maybe we change msg to unsigned int instead? -- Nikos Mavrogiannopoulos started a new discussion on lib/hello_ext.c: https://gitlab.com/gnutls/gnutls/merge_requests/1151#note_275963753 > > - msg &= GNUTLS_EXT_FLAG_SET_ONLY_FLAGS_MASK; > + msg &= (gnutls_ext_flags_t) GNUTLS_EXT_FLAG_SET_ONLY_FLAGS_MASK; same here about changing msg to unsigned. -- Nikos Mavrogiannopoulos started a new discussion on lib/record.c: https://gitlab.com/gnutls/gnutls/merge_requests/1151#note_275963755 > */ > +#ifdef __clang__ > +// "implicit-signed-integer-truncation:record.c" in UBSAN suppression file doesn't work. Not sure what we are suppressing here. Would you like to add more info about it in the comment? -- Nikos Mavrogiannopoulos started a new discussion on .gitlab-ci.yml: https://gitlab.com/gnutls/gnutls/merge_requests/1151#note_275963758 > + - export CXX=clang++ > + > +# This makes several tests fail, needs discussion if helpful Is there something to discuss in this MR or should we remove the text? -- Nikos Mavrogiannopoulos started a new discussion on .gitlab-ci.yml: https://gitlab.com/gnutls/gnutls/merge_requests/1151#note_275963762 > + - export CXXFLAGS="$CFLAGS" > + > +# --disable-tls13-interop because tests/suite/testcompat-tls13-openssl.sh fails with clang sanitizers Is it due to our code? If yes, should we open an issue with what remains? 
-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1151 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Jan 23 14:54:48 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 23 Jan 2020 13:54:48 +0000 Subject: [gnutls-devel] GnuTLS | New CI runner with clang combined ubsan+asan (!1151) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos commented: Other than the comments, it looks fine to me. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1151#note_275964037 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Jan 23 16:26:56 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 23 Jan 2020 15:26:56 +0000 Subject: [gnutls-devel] GnuTLS | algorithms: implement X448 key exchange and Ed448 signature scheme (!984) In-Reply-To: References: Message-ID: Daiki Ueno pushed new commits to merge request !984 https://gitlab.com/gnutls/gnutls/merge_requests/984 * 3cadae8e - fuzz: import key, certificate, and traces using Ed448 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/984 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Jan 23 16:28:46 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 23 Jan 2020 15:28:46 +0000 Subject: [gnutls-devel] GnuTLS | algorithms: implement X448 key exchange and Ed448 signature scheme (!984) In-Reply-To: References: Message-ID: Daiki Ueno commented on a discussion: https://gitlab.com/gnutls/gnutls/merge_requests/984#note_276030294 I've added necessary files in 3cadae8ec935443f4d645168c56b662cfd380d99 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/984#note_276030294 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Jan 23 17:17:08 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 23 Jan 2020 16:17:08 +0000 Subject: [gnutls-devel] GnuTLS | WIP: GOSTR341194, RIPEMD160: mark as insecure for digital signatures (!1175) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos pushed new commits to merge request !1175 https://gitlab.com/gnutls/gnutls/merge_requests/1175 * d54ced3a - GOSTR341194: mark as insecure for digital signatures -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1175 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Jan 23 17:35:40 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 23 Jan 2020 16:35:40 +0000 Subject: [gnutls-devel] GnuTLS | algorithms: implement X448 key exchange and Ed448 signature scheme (!984) In-Reply-To: References: Message-ID: Tim Rühsen commented on a discussion: https://gitlab.com/gnutls/gnutls/merge_requests/984#note_276074559 https://gitlab.com/gnutls/gnutls/-/jobs/410984532 A few lines up from the bottom. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/984#note_276074559 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Jan 23 17:54:34 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 23 Jan 2020 16:54:34 +0000 Subject: [gnutls-devel] GnuTLS | New CI runner with clang combined ubsan+asan (!1151) In-Reply-To: References: Message-ID: Tim Rühsen commented on a discussion on lib/hello_ext.c: https://gitlab.com/gnutls/gnutls/merge_requests/1151#note_276085450 > int ret; > hello_ext_ctx_st ctx; > > - msg &= GNUTLS_EXT_FLAG_SET_ONLY_FLAGS_MASK; > + msg &= (gnutls_ext_flags_t) GNUTLS_EXT_FLAG_SET_ONLY_FLAGS_MASK; No - we need enum type safety here. `gnutls_ext_flags_t` is a collection of some single bit values. `GNUTLS_EXT_FLAG_SET_ONLY_FLAGS_MASK` is *not* a `gnutls_ext_flags_t`. Since an enum has no fixed type (every compiler is free to use any integer type, signed or unsigned), we'll either need this cast *or* we have to make `GNUTLS_EXT_FLAG_SET_ONLY_FLAGS_MASK` a `gnutls_ext_flags_t`. I chose the first possibility. If you like the second possibility more, I can change it (but fear it will become even more strange). Using unsigned int for `msg` doesn't really help here. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1151#note_276085450 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Jan 23 17:54:54 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 23 Jan 2020 16:54:54 +0000 Subject: [gnutls-devel] GnuTLS | New CI runner with clang combined ubsan+asan (!1151) In-Reply-To: References: Message-ID: Tim Rühsen commented on a discussion on lib/hello_ext.c: https://gitlab.com/gnutls/gnutls/merge_requests/1151#note_276085651 > size_t i; > hello_ext_ctx_st ctx; > > - msg &= GNUTLS_EXT_FLAG_SET_ONLY_FLAGS_MASK; > + msg &= (gnutls_ext_flags_t) GNUTLS_EXT_FLAG_SET_ONLY_FLAGS_MASK; same as above -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1151#note_276085651 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Jan 23 18:40:30 2020 
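Review bot: The `(gnutls_ext_flags_t)` cast on `msg &= GNUTLS_EXT_FLAG_SET_ONLY_FLAGS_MASK;` is added here and again in the other hunk of lib/hello_ext.c, so the type decision is repeated at every use of the mask. Settle it once, either in the definition of `GNUTLS_EXT_FLAG_SET_ONLY_FLAGS_MASK` or in the declared type of `msg`, and leave the call sites uncast.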
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 23 Jan 2020 17:40:30 +0000 Subject: [gnutls-devel] GnuTLS | New CI runner with clang combined ubsan+asan (!1151) In-Reply-To: References: Message-ID: Tim Rühsen commented on a discussion on .gitlab-ci.yml: https://gitlab.com/gnutls/gnutls/merge_requests/1151#note_276106819 > + - ./bootstrap > + - export UBSAN_OPTIONS=print_stacktrace=1:report_error_type=1:suppressions=$(pwd)/devel/ubsan.supp > + - export LSAN_OPTIONS=suppressions=$(pwd)/devel/lsan.supp > + - export ASAN_SYMBOLIZER_PATH=/usr/bin/llvm-symbolizer > + - export CC=clang > + - export CXX=clang++ > + > +# This makes several tests fail, needs discussion if helpful > +# - export CFLAGS="-std=c99 -O1 -g -Werror -fno-omit-frame-pointer -fsanitize=undefined,integer,nullability,bool,alignment,null,enum,address,leak,nonnull-attribute -fno-sanitize-recover=all -fsanitize-recover=unsigned-integer-overflow -fsanitize-address-use-after-scope" > + > +# This is from OSS-Fuzz (20.12.2019) > + - export CFLAGS="-std=c99 -O1 -g -Werror -fno-omit-frame-pointer -fsanitize=array-bounds,bool,builtin,enum,float-divide-by-zero,function,integer-divide-by-zero,null,object-size,return,returns-nonnull-attribute,shift,signed-integer-overflow,unsigned-integer-overflow,unreachable,vla-bound,vptr,address,leak,alignment -fno-sanitize-recover=all -fsanitize-recover=unsigned-integer-overflow -fsanitize-address-use-after-scope" > + > + - export CXXFLAGS="$CFLAGS" > + > +# --disable-tls13-interop because tests/suite/testcompat-tls13-openssl.sh fails with clang sanitizers I can't tell. You get ``` $ cat tests/suite/testcompat-tls13-openssl.log Compatibility checks using OpenSSL ################################################# # Client mode tests (gnutls cli-openssl server) # ################################################# Checking TLS 1.3 with AES-128-GCM... Checking TLS 1.3 with AES-256-GCM... Checking TLS 1.3 with CHACHA20-POLY1305... 
Checking TLS 1.3 with AES-128-CCM... Checking TLS 1.3 with AES-128-CCM-8... Checking TLS 1.3 with GROUP-X25519... Checking TLS 1.3 with GROUP-SECP256R1... Checking TLS 1.3 with GROUP-SECP384R1... Checking TLS 1.3 with GROUP-SECP521R1... Checking TLS 1.3 with double rekey... Checking TLS 1.3 with HRR... Checking TLS 1.3 with DHE-PSK with AES-128-GCM... Checking TLS 1.3 with RSA client cert and GROUP-SECP256R1... Checking TLS 1.3 with secp256r1 client cert and GROUP-SECP256R1... Checking TLS 1.3 with Ed25519 client cert and GROUP-SECP256R1... Checking TLS 1.3 with RSA-PSS client cert and GROUP-SECP256R1... Checking TLS 1.3 with Ed25519 certificate... Checking TLS 1.3 with secp256r1 certificate... Checking TLS 1.3 with RSA-PSS certificate... Checking TLS 1.3 with resumption... *** This is a resumed session Checking TLS 1.3 with resumption and HRR... *** This is a resumed session Checking TLS 1.3 with resumption with early data... *** Fatal error: The TLS connection was non-properly terminated. *** Server has terminated the connection abnormally. Failure: Failed FAIL testcompat-tls13-openssl.sh (exit status: 1) ``` -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1151#note_276106819 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Jan 23 18:45:05 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 23 Jan 2020 17:45:05 +0000 Subject: [gnutls-devel] GnuTLS | New CI runner with clang combined ubsan+asan (!1151) In-Reply-To: References: Message-ID: Tim Rühsen commented on a discussion on .gitlab-ci.yml: https://gitlab.com/gnutls/gnutls/merge_requests/1151#note_276108885 > - tests/suite/*/*.log > retry: 1 > > +# Two runs, one with normal backend and another with pkcs11 trust store > +UB+ASAN-Werror.Fedora.x86_64.clang: > + stage: stage1-testing > + image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$FEDORA_BUILD > + script: > + - ./bootstrap > + - export UBSAN_OPTIONS=print_stacktrace=1:report_error_type=1:suppressions=$(pwd)/devel/ubsan.supp > + - export LSAN_OPTIONS=suppressions=$(pwd)/devel/lsan.supp > + - export ASAN_SYMBOLIZER_PATH=/usr/bin/llvm-symbolizer > + - export CC=clang > + - export CXX=clang++ > + > +# This makes several tests fail, needs discussion if helpful Some tests fail, likely due to 'nullability' and 'nonnull-attribute'. I couldn't find a good solution for these and then saw that OSS-Fuzz avoids these two sanitizer settings. If you don't want to investigate into these (I don't have the time to), then let's remove or amend the comment. I like to keep these comments for someone else to investigate later - but that is a matter of favor. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1151#note_276108885 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Jan 23 18:47:09 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 23 Jan 2020 17:47:09 +0000 Subject: [gnutls-devel] GnuTLS | New CI runner with clang combined ubsan+asan (!1151) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos commented on a discussion on .gitlab-ci.yml: https://gitlab.com/gnutls/gnutls/merge_requests/1151#note_276109767 > + - ./bootstrap > + - export UBSAN_OPTIONS=print_stacktrace=1:report_error_type=1:suppressions=$(pwd)/devel/ubsan.supp > + - export LSAN_OPTIONS=suppressions=$(pwd)/devel/lsan.supp > + - export ASAN_SYMBOLIZER_PATH=/usr/bin/llvm-symbolizer > + - export CC=clang > + - export CXX=clang++ > + > +# This makes several tests fail, needs discussion if helpful > +# - export CFLAGS="-std=c99 -O1 -g -Werror -fno-omit-frame-pointer -fsanitize=undefined,integer,nullability,bool,alignment,null,enum,address,leak,nonnull-attribute -fno-sanitize-recover=all -fsanitize-recover=unsigned-integer-overflow -fsanitize-address-use-after-scope" > + > +# This is from OSS-Fuzz (20.12.2019) > + - export CFLAGS="-std=c99 -O1 -g -Werror -fno-omit-frame-pointer -fsanitize=array-bounds,bool,builtin,enum,float-divide-by-zero,function,integer-divide-by-zero,null,object-size,return,returns-nonnull-attribute,shift,signed-integer-overflow,unsigned-integer-overflow,unreachable,vla-bound,vptr,address,leak,alignment -fno-sanitize-recover=all -fsanitize-recover=unsigned-integer-overflow -fsanitize-address-use-after-scope" > + > + - export CXXFLAGS="$CFLAGS" > + > +# --disable-tls13-interop because tests/suite/testcompat-tls13-openssl.sh fails with clang sanitizers Not sure it helps we may want something like that: ``` diff --git a/tests/suite/testcompat-tls13-openssl.sh b/tests/suite/testcompat-tls13-openssl.sh index 6d17941b8e..bf71af6177 100755 --- a/tests/suite/testcompat-tls13-openssl.sh +++ b/tests/suite/testcompat-tls13-openssl.sh 
@@ -59,7 +59,7 @@ SERV=openssl OPENSSL_CLI="$SERV" if test -z "$OUTPUT";then -OUTPUT=/dev/null +OUTPUT=testcompat-tls13-openssl.verbose.$$.log fi >${OUTPUT} @@ -234,7 +234,7 @@ run_client_suite() { echo_cmd "${PREFIX}Checking TLS 1.3 with resumption with early data..." testdir=`create_testdir tls13-openssl-resumption` eval "${GETPORT}" - launch_bare_server $$ s_server -quiet -accept "${PORT}" -keyform pem -certform pem ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" -CAfile "${CA_CERT}" -early_data + launch_bare_server $$ s_server -debug -msg -accept "${PORT}" -keyform pem -certform pem ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" -CAfile "${CA_CERT}" -early_data PID=$! wait_server ${PID} ``` -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1151#note_276109767 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Jan 23 18:48:29 2020 
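Review bot: In the `@@ -59,7 +59,7 @@` hunk the default for `OUTPUT` changes from `/dev/null` to `testcompat-tls13-openssl.verbose.$$.log`, a per-PID file in the current directory that nothing in the visible lines removes, so every run that does not set `OUTPUT` leaves a new log behind. Keeping `/dev/null` as the default and setting `OUTPUT` only in the sanitizer job would give the same diagnostics without changing other runs.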
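Review bot: In the `@@ -234,7 +234,7 @@ run_client_suite()` hunk, swapping `-quiet` for `-debug -msg` applies only to the `s_server` started for the early-data check and is unconditional. That is fine for this investigation, but it should be reverted or gated on a variable before merge so the test keeps the server options it had when no debugging is requested.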
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 23 Jan 2020 17:48:29 +0000 Subject: [gnutls-devel] GnuTLS | New CI runner with clang combined ubsan+asan (!1151) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos commented on a discussion on .gitlab-ci.yml: https://gitlab.com/gnutls/gnutls/merge_requests/1151#note_276110363 > - tests/suite/*/*.log > retry: 1 > > +# Two runs, one with normal backend and another with pkcs11 trust store > +UB+ASAN-Werror.Fedora.x86_64.clang: > + stage: stage1-testing > + image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$FEDORA_BUILD > + script: > + - ./bootstrap > + - export UBSAN_OPTIONS=print_stacktrace=1:report_error_type=1:suppressions=$(pwd)/devel/ubsan.supp > + - export LSAN_OPTIONS=suppressions=$(pwd)/devel/lsan.supp > + - export ASAN_SYMBOLIZER_PATH=/usr/bin/llvm-symbolizer > + - export CC=clang > + - export CXX=clang++ > + > +# This makes several tests fail, needs discussion if helpful I have seen several pedantic issues such as errors memcpy(x, NULL, 0) rejected as errors by such sanitizers. I think these are generally regarded as not very useful errors. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1151#note_276110363 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Jan 23 18:49:56 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 23 Jan 2020 17:49:56 +0000 Subject: [gnutls-devel] GnuTLS | New CI runner with clang combined ubsan+asan (!1151) In-Reply-To: References: Message-ID: Tim Rühsen commented on a discussion on lib/record.c: https://gitlab.com/gnutls/gnutls/merge_requests/1151#note_276110997 > /* Checks the record headers and returns the length, version and > * content type. > */ > +#ifdef __clang__ > +// "implicit-signed-integer-truncation:record.c" in UBSAN suppression file doesn't work. Don't see any issue now when removing that block... let me test on the CI again. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1151#note_276110997 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Jan 23 18:51:00 2020 
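Review bot: The added `#ifdef __clang__` block sits directly above the function documented as "Checks the record headers and returns the length, version and content type", which handles bytes received from the peer, yet the `//` comment says only that the suppression-file entry did not work, not which conversion is being silenced. Name the expression that truncates and why the truncation is intended; if it is a single assignment, an explicit cast at that site keeps the rest of the function under the integer checks instead of exempting all of it.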
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 23 Jan 2020 17:51:00 +0000 Subject: [gnutls-devel] GnuTLS | New CI runner with clang combined ubsan+asan (!1151) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos commented on a discussion on lib/hello_ext.c: https://gitlab.com/gnutls/gnutls/merge_requests/1151#note_276111418 > int ret; > hello_ext_ctx_st ctx; > > - msg &= GNUTLS_EXT_FLAG_SET_ONLY_FLAGS_MASK; > + msg &= (gnutls_ext_flags_t) GNUTLS_EXT_FLAG_SET_ONLY_FLAGS_MASK; `gnutls_ext_flags_t` is to help identifying individual values. As we go to masks it doesn't make much sense, because there is no guarantee the value will contain only the enumerated values (it can be an OR of them), and thus it can be confusing as one could expect an actual enumerated value, however on the debugger you'll see something unrelated. As such, in my opinion, it makes more sense to make it unsigned to remove ambiguities. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1151#note_276111418 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Jan 23 19:04:00 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 23 Jan 2020 18:04:00 +0000 Subject: [gnutls-devel] GnuTLS | New CI runner with clang combined ubsan+asan (!1151) In-Reply-To: References: Message-ID: Tim Rühsen pushed new commits to merge request !1151 https://gitlab.com/gnutls/gnutls/merge_requests/1151 * 6ab20d77...564756ee - 11 commits from branch `master` * 78394d18 - Add runner for combined clang UBSAN+ASAN * 9b5c2ad7 - Fix -Wtypedef-redefinition in tests/tls13/anti_replay.c * de55e570 - Fix "implicit conversion from type 'int' of value -1 to 'unsigned'" * 7f4433db - Fix "implicit conversion from type 'int' of value -1 to 'unsigned'" * b1858173 - Fix "implicit conversion from type 'int' of value -1 to 'unsigned'" * c632c092 - Fix "implicit conversion from type 'int' of value -1 to 'unsigned'" * 5ed72020 - Fix "implicit conversion from type 'int' < 0 to 'unsigned'" * 29414013 - Fix "implicit conversion from type 'int' < 0 to 'unsigned'" * d3585cf3 - Fix "implicit conversion from type 'int' -1 to 'unsigned'" * fdd6e2cf - Fix "implicit conversion from type 'uint32_t' to 'uint8_t' with value >255" * 73ba1cad - Fix checks in mpi.c:__gnutls_x509_write_int() * 253d6617 - Suppress integer UB checks in record.c:record_read_headers() * 616dfd02 - Fix "implicit conversion from type 'int' -1 to 'unsigned'" * 5791c193 - xxx -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1151 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Jan 23 19:10:43 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 23 Jan 2020 18:10:43 +0000 Subject: [gnutls-devel] GnuTLS | New CI runner with clang combined ubsan+asan (!1151) In-Reply-To: References: Message-ID: Tim Rühsen commented on a discussion on lib/hello_ext.c: https://gitlab.com/gnutls/gnutls/merge_requests/1151#note_276119131 > int ret; > hello_ext_ctx_st ctx; > > - msg &= GNUTLS_EXT_FLAG_SET_ONLY_FLAGS_MASK; > + msg &= (gnutls_ext_flags_t) GNUTLS_EXT_FLAG_SET_ONLY_FLAGS_MASK; Ok, but the mask must be guaranteed unsigned then (by a cast) or we run into another sanitizer issue (implicitly converting negative numbers into unsigned). -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1151#note_276119131 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Jan 23 19:12:47 2020 
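The type question argued in the lib/hello_ext.c discussion above, worked through as an added example (not GnuTLS code; the `EXT_FLAG_*` names, their values and both mask macros are hypothetical stand-ins). It shows that a complement mask built from enumeration constants is a negative `int`, that the enum-cast and unsigned variants keep the same bits, and that a masked value need not be a single enumerator.

```c
#include <stdio.h>

/* Hypothetical single-bit flags standing in for an extension-flags enum. */
typedef enum {
    EXT_FLAG_CLIENT_HELLO = 1 << 0,
    EXT_FLAG_SERVER_HELLO = 1 << 1,
    EXT_FLAG_EE           = 1 << 2,
    EXT_FLAG_DTLS         = 1 << 3,
    EXT_FLAG_TLS          = 1 << 4
} ext_flags_t;

/* Enumeration constants have type int, so this complement is the int -25.
 * Storing it in an unsigned variable is an implicit sign-changing conversion,
 * which is the kind of report the thread mentions. */
#define MASK_AS_INT (~(EXT_FLAG_DTLS | EXT_FLAG_TLS))

/* Same bit pattern, computed on unsigned operands: no negative value ever
 * exists, so nothing is converted from signed to unsigned. */
#define MASK_AS_UNSIGNED (~((unsigned)EXT_FLAG_DTLS | (unsigned)EXT_FLAG_TLS))

/* Returns 1 when the int-typed mask is negative. */
int mask_as_int_is_negative(void)
{
    int m = MASK_AS_INT;
    return m < 0;
}

/* Variant 1: keep the enum parameter and cast the mask to the enum type.
 * The compiler chooses the enum's underlying integer type, so the explicit
 * cast is what makes the conversion intentional. */
ext_flags_t filter_enum(ext_flags_t msg)
{
    msg &= (ext_flags_t)MASK_AS_INT;
    return msg;
}

/* Variant 2: treat the flag word as plain unsigned and use an unsigned mask. */
unsigned filter_unsigned(unsigned msg)
{
    return msg & MASK_AS_UNSIGNED;
}

/* True only when exactly one bit is set, i.e. v could name one enumerator. */
int is_single_flag(unsigned v)
{
    return v != 0 && (v & (v - 1)) == 0;
}

int main(void)
{
    unsigned in = (unsigned)EXT_FLAG_CLIENT_HELLO | (unsigned)EXT_FLAG_EE |
                  (unsigned)EXT_FLAG_TLS;
    unsigned out = filter_unsigned(in);

    printf("int mask negative:   %d\n", mask_as_int_is_negative());
    printf("filtered flag word:  0x%x\n", out);
    printf("single enumerator:   %d\n", is_single_flag(out));
    return 0;
}
```

Building this with clang and `-fsanitize=integer` and then assigning `MASK_AS_INT` to an `unsigned` is a quick way to see which variant the sanitizer accepts on a given toolchain.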
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 23 Jan 2020 18:12:47 +0000 Subject: [gnutls-devel] GnuTLS | New CI runner with clang combined ubsan+asan (!1151) In-Reply-To: References: Message-ID: Tim Rühsen commented on a discussion on .gitlab-ci.yml: https://gitlab.com/gnutls/gnutls/merge_requests/1151#note_276119983 > - tests/suite/*/*.log > retry: 1 > > +# Two runs, one with normal backend and another with pkcs11 trust store > +UB+ASAN-Werror.Fedora.x86_64.clang: > + stage: stage1-testing > + image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$FEDORA_BUILD > + script: > + - ./bootstrap > + - export UBSAN_OPTIONS=print_stacktrace=1:report_error_type=1:suppressions=$(pwd)/devel/ubsan.supp > + - export LSAN_OPTIONS=suppressions=$(pwd)/devel/lsan.supp > + - export ASAN_SYMBOLIZER_PATH=/usr/bin/llvm-symbolizer > + - export CC=clang > + - export CXX=clang++ > + > +# This makes several tests fail, needs discussion if helpful I amend the comment, so we have documented why we don't include those settings. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1151#note_276119983 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Jan 23 19:21:43 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 23 Jan 2020 18:21:43 +0000 Subject: [gnutls-devel] GnuTLS | New CI runner with clang combined ubsan+asan (!1151) In-Reply-To: References: Message-ID: Tim Rühsen commented on a discussion on .gitlab-ci.yml: https://gitlab.com/gnutls/gnutls/merge_requests/1151#note_276123599 > + - ./bootstrap > + - export UBSAN_OPTIONS=print_stacktrace=1:report_error_type=1:suppressions=$(pwd)/devel/ubsan.supp > + - export LSAN_OPTIONS=suppressions=$(pwd)/devel/lsan.supp > + - export ASAN_SYMBOLIZER_PATH=/usr/bin/llvm-symbolizer > + - export CC=clang > + - export CXX=clang++ > + > +# This makes several tests fail, needs discussion if helpful > +# - export CFLAGS="-std=c99 -O1 -g -Werror -fno-omit-frame-pointer -fsanitize=undefined,integer,nullability,bool,alignment,null,enum,address,leak,nonnull-attribute -fno-sanitize-recover=all -fsanitize-recover=unsigned-integer-overflow -fsanitize-address-use-after-scope" > + > +# This is from OSS-Fuzz (20.12.2019) > + - export CFLAGS="-std=c99 -O1 -g -Werror -fno-omit-frame-pointer -fsanitize=array-bounds,bool,builtin,enum,float-divide-by-zero,function,integer-divide-by-zero,null,object-size,return,returns-nonnull-attribute,shift,signed-integer-overflow,unsigned-integer-overflow,unreachable,vla-bound,vptr,address,leak,alignment -fno-sanitize-recover=all -fsanitize-recover=unsigned-integer-overflow -fsanitize-address-use-after-scope" > + > + - export CXXFLAGS="$CFLAGS" > + > +# --disable-tls13-interop because tests/suite/testcompat-tls13-openssl.sh fails with clang sanitizers From the ...verbose.$$.log: Maybe you can see something, I can't: ``` Checking TLS 1.3 with resumption with early data... Processed 0 CA certificate(s). Resolving '127.0.0.1:37904'... Connecting to '127.0.0.1:37904'... - Certificate type: X.509 - Got a certificate list of 2 certificates. 
- Certificate[0] info: - subject `CN=GnuTLS Test Server (RSA certificate)', issuer `CN=GnuTLS Test CA', serial 0x4de0b4ca, RSA key 2432 bits, signed using RSA-SHA256, activated `2011-05-28 08:39:39 UTC', expires `2038-10-12 08:39:40 UTC', pin-sha256="ZCnc2x+EUztg6ShnEvwtcHxusyXqJ5RJLNCDLc+lVNE=" Public Key ID: sha1:482334530a8931384a5aeacab6d2a6dece1d2b18 sha256:6429dcdb1f84533b60e9286712fc2d707c6eb325ea2794492cd0832dcfa554d1 Public Key PIN: pin-sha256:ZCnc2x+EUztg6ShnEvwtcHxusyXqJ5RJLNCDLc+lVNE= - Certificate[1] info: - subject `CN=GnuTLS Test CA', issuer `CN=GnuTLS Test CA', serial 0x00, RSA key 2432 bits, signed using RSA-SHA256, activated `2011-05-28 08:36:30 UTC', expires `2038-10-12 08:36:33 UTC', pin-sha256="Q6gIwA8tsmcqv+Fmom0cnzs9jZGV+iyqEIx0AQtfCQE=" - Status: The certificate is NOT trusted. The certificate issuer is unknown. The name in the certificate does not match the expected. *** PKI verification of server certificate failed... ``` -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1151#note_276123599 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Jan 23 19:25:01 2020 
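Review bot: `export CXXFLAGS="$CFLAGS"` in the quoted .gitlab-ci.yml hunk copies `-std=c99` into the C++ flags, and clang++ rejects that option for C++ sources, so any C++ object built in this job would fail to compile; derive `CXXFLAGS` from the sanitizer options only, without the `-std` flag. In the same `CFLAGS` line, `vptr` is a C++-only check and does nothing for C. Also, `-fsanitize-recover=unsigned-integer-overflow` after `-fno-sanitize-recover=all` makes unsigned overflow reports non-fatal, so they will not fail the job unless someone reads the logs.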
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 23 Jan 2020 18:25:01 +0000 Subject: [gnutls-devel] GnuTLS | New CI runner with clang combined ubsan+asan (!1151) In-Reply-To: References: Message-ID: Tim Rühsen commented on a discussion on .gitlab-ci.yml: https://gitlab.com/gnutls/gnutls/merge_requests/1151#note_276125359 > + - ./bootstrap > + - export UBSAN_OPTIONS=print_stacktrace=1:report_error_type=1:suppressions=$(pwd)/devel/ubsan.supp > + - export LSAN_OPTIONS=suppressions=$(pwd)/devel/lsan.supp > + - export ASAN_SYMBOLIZER_PATH=/usr/bin/llvm-symbolizer > + - export CC=clang > + - export CXX=clang++ > + > +# This makes several tests fail, needs discussion if helpful > +# - export CFLAGS="-std=c99 -O1 -g -Werror -fno-omit-frame-pointer -fsanitize=undefined,integer,nullability,bool,alignment,null,enum,address,leak,nonnull-attribute -fno-sanitize-recover=all -fsanitize-recover=unsigned-integer-overflow -fsanitize-address-use-after-scope" > + > +# This is from OSS-Fuzz (20.12.2019) > + - export CFLAGS="-std=c99 -O1 -g -Werror -fno-omit-frame-pointer -fsanitize=array-bounds,bool,builtin,enum,float-divide-by-zero,function,integer-divide-by-zero,null,object-size,return,returns-nonnull-attribute,shift,signed-integer-overflow,unsigned-integer-overflow,unreachable,vla-bound,vptr,address,leak,alignment -fno-sanitize-recover=all -fsanitize-recover=unsigned-integer-overflow -fsanitize-address-use-after-scope" > + > + - export CXXFLAGS="$CFLAGS" > + > +# --disable-tls13-interop because tests/suite/testcompat-tls13-openssl.sh fails with clang sanitizers All the connections say the same about the Status, but since that last test, all continue. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1151#note_276125359 
From gnutls-devel at lists.gnutls.org Thu Jan 23 19:27:21 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 23 Jan 2020 18:27:21 +0000 Subject: [gnutls-devel] GnuTLS | New CI runner with clang combined ubsan+asan (!1151) In-Reply-To: References: Message-ID: Tim Rühsen pushed new commits to merge request !1151 https://gitlab.com/gnutls/gnutls/merge_requests/1151 * 4c3441b9 - xxx -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1151 From gnutls-devel at lists.gnutls.org Thu Jan 23 20:51:12 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 23 Jan 2020 19:51:12 +0000 Subject: [gnutls-devel] GnuTLS | New CI runner with clang combined ubsan+asan (!1151) In-Reply-To: References: Message-ID: Tim Rühsen pushed new commits to merge request !1151 https://gitlab.com/gnutls/gnutls/merge_requests/1151 * 4786fe1b - Fix "implicit conversion from type 'int' < 0 to 'unsigned'" * c035e863 - Fix "implicit conversion from type 'int' -1 to 'unsigned'" * 2d9f04d0 - Fix "implicit conversion from type 'uint32_t' to 'uint8_t' with value >255" * 05517b53 - Fix checks in mpi.c:__gnutls_x509_write_int() * 436ef982 - Fix "implicit conversion from type 'int' -1 to 'unsigned'" -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1151 From gnutls-devel at lists.gnutls.org Fri Jan 24 00:10:53 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 23 Jan 2020 23:10:53 +0000 Subject: [gnutls-devel] GnuTLS | lib/nettle/gost: restore compatibility with nettle master (!1176) In-Reply-To: References: Message-ID: Dmitry Baryshkov commented: I'm fine with any merge order. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1176#note_276212951 From gnutls-devel at lists.gnutls.org Fri Jan 24 06:54:47 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 24 Jan 2020 05:54:47 +0000 Subject: [gnutls-devel] GnuTLS | algorithms: implement X448 key exchange and Ed448 signature scheme (!984) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos commented on a discussion: https://gitlab.com/gnutls/gnutls/merge_requests/984#note_276274826 Interesting. It seems gitlab runners are running on windows: ``` Running with gitlab-runner 12.6.0 (ac8e767a) on windows-shared-runners-manager Hs8mheX5 ``` -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/984#note_276274826 From gnutls-devel at lists.gnutls.org Fri Jan 24 06:55:57 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 24 Jan 2020 05:55:57 +0000 Subject: [gnutls-devel] GnuTLS | algorithms: implement X448 key exchange and Ed448 signature scheme (!984) In-Reply-To: References: Message-ID: Milestone changed to Release of GnuTLS 3.6.12 (Dec 1, 2019–Feb 1, 2020) ( https://gitlab.com/gnutls/gnutls/-/milestones/26 ) -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/984 From gnutls-devel at lists.gnutls.org Fri Jan 24 06:56:44 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 24 Jan 2020 05:56:44 +0000 Subject: [gnutls-devel] GnuTLS | algorithms: implement X448 key exchange and Ed448 signature scheme (!984) In-Reply-To: References: Message-ID: Merge Request !984 was approved by Nikos Mavrogiannopoulos Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/984 Branches: tmp-ed448 to master Author: Daiki Ueno Assignees: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/984 From gnutls-devel at lists.gnutls.org Fri Jan 24 06:57:01 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 24 Jan 2020 05:57:01 +0000 Subject: [gnutls-devel] GnuTLS | algorithms: implement X448 key exchange and Ed448 signature scheme (!984) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos commented: LGTM. Could you add a NEWS entry before merging? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/984#note_276275212 From gnutls-devel at lists.gnutls.org Fri Jan 24 08:30:47 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 24 Jan 2020 07:30:47 +0000 Subject: [gnutls-devel] GnuTLS | algorithms: implement X448 key exchange and Ed448 signature scheme (!984) In-Reply-To: References: Message-ID: Daiki Ueno commented on a discussion: https://gitlab.com/gnutls/gnutls/merge_requests/984#note_276297639 It's already [added](https://gitlab.com/gnutls/gnutls/merge_requests/984/diffs#9f621eb5fd3bcb2fa5c7bd228c9b1ad42edc46c8_30_30). Thank you all for the reviews and the suggestions! -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/984#note_276297639 From gnutls-devel at lists.gnutls.org Fri Jan 24 08:31:41 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 24 Jan 2020 07:31:41 +0000 Subject: [gnutls-devel] GnuTLS | algorithms: implement X448 key exchange and Ed448 signature scheme (!984) In-Reply-To: References: Message-ID: All discussions on Merge Request !984 were resolved by Daiki Ueno https://gitlab.com/gnutls/gnutls/merge_requests/984 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/984 From gnutls-devel at lists.gnutls.org Fri Jan 24 08:31:56 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 24 Jan 2020 07:31:56 +0000 Subject: [gnutls-devel] GnuTLS | algorithms: implement X448 key exchange and Ed448 signature scheme (!984) In-Reply-To: References: Message-ID: Merge Request !984 was merged Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/984 Branches: tmp-ed448 to master Author: Daiki Ueno Assignees: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/984 From gnutls-devel at lists.gnutls.org Fri Jan 24 08:57:13 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 24 Jan 2020 07:57:13 +0000 Subject: [gnutls-devel] GnuTLS | New CI runner with clang combined ubsan+asan (!1151) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos commented on a discussion on .gitlab-ci.yml: https://gitlab.com/gnutls/gnutls/merge_requests/1151#note_276306454 > + - ./bootstrap > + - export UBSAN_OPTIONS=print_stacktrace=1:report_error_type=1:suppressions=$(pwd)/devel/ubsan.supp > + - export LSAN_OPTIONS=suppressions=$(pwd)/devel/lsan.supp > + - export ASAN_SYMBOLIZER_PATH=/usr/bin/llvm-symbolizer > + - export CC=clang > + - export CXX=clang++ > + > +# This makes several tests fail, needs discussion if helpful > +# - export CFLAGS="-std=c99 -O1 -g -Werror -fno-omit-frame-pointer -fsanitize=undefined,integer,nullability,bool,alignment,null,enum,address,leak,nonnull-attribute -fno-sanitize-recover=all -fsanitize-recover=unsigned-integer-overflow -fsanitize-address-use-after-scope" > + > +# This is from OSS-Fuzz (20.12.2019) > + - export CFLAGS="-std=c99 -O1 -g -Werror -fno-omit-frame-pointer -fsanitize=array-bounds,bool,builtin,enum,float-divide-by-zero,function,integer-divide-by-zero,null,object-size,return,returns-nonnull-attribute,shift,signed-integer-overflow,unsigned-integer-overflow,unreachable,vla-bound,vptr,address,leak,alignment -fno-sanitize-recover=all -fsanitize-recover=unsigned-integer-overflow -fsanitize-address-use-after-scope" > + > + - export CXXFLAGS="$CFLAGS" > + > +# --disable-tls13-interop because tests/suite/testcompat-tls13-openssl.sh fails with clang sanitizers Probably the interesting part is on the openssl part of the log -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1151#note_276306454 
From gnutls-devel at lists.gnutls.org Fri Jan 24 10:06:02 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 24 Jan 2020 09:06:02 +0000 Subject: [gnutls-devel] GnuTLS | no such instruction: `xgetbv' when compiling for macOS (#914) References: Message-ID: Pierre Ossman (Work account) created an issue: https://gitlab.com/gnutls/gnutls/issues/914 ## Description of problem: It seems the macOS assembler doesn't support that instruction as I get: ``` x86-common.c:154:no such instruction: `xgetbv' x86-common.c:154:no such instruction: `xgetbv' ``` ## Version of gnutls used: 3.6.10 ## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL) Custom build. ## How reproducible: Steps to Reproduce: * Build using gcc (also clang?) for macOS ## Actual results: Build error above. ## Expected results: Completed build. ## Additional info: Others seem to have been hit by this and are working around it: https://github.com/asmjit/asmjit/issues/78 https://chromium.googlesource.com/libyuv/libyuv/+/master/source/cpu_id.cc#123 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/914 From gnutls-devel at lists.gnutls.org Fri Jan 24 10:15:40 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 24 Jan 2020 09:15:40 +0000 Subject: [gnutls-devel] GnuTLS | no such instruction: `xgetbv' when compiling for macOS (#914) In-Reply-To: References: Message-ID: Pierre Ossman (Work account) commented: Suggested patch: ```diff diff -up gnutls-3.6.10/lib/accelerated/x86/x86-common.c.xgetbv gnutls-3.6.10/lib/accelerated/x86/x86-common.c --- gnutls-3.6.10/lib/accelerated/x86/x86-common.c.xgetbv 2020-01-24 10:06:30.782100264 +0100 +++ gnutls-3.6.10/lib/accelerated/x86/x86-common.c 2020-01-24 10:08:04.851463216 +0100 
@@ -151,7 +151,9 @@ static unsigned check_4th_gen_intel_feat #if defined(_MSC_VER) && !defined(__clang__) xcr0 = _xgetbv(0); #else - __asm__ ("xgetbv" : "=a" (xcr0) : "c" (0) : "%edx"); + // Apple's assembler doesn't support xgetbv: + // __asm__ ("xgetbv" : "=a" (xcr0) : "c" (0) : "%edx"); + __asm__ (".byte 0x0f, 0x01, 0xd0" : "=a" (xcr0) : "c" (0) : "%edx"); #endif /* Check if xmm and ymm state are enabled in XCR0. */ return (xcr0 & 6) == 6; ``` -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/914#note_276350680 From gnutls-devel at lists.gnutls.org Fri Jan 24 10:16:57 2020 
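Review bot: in the `#else` branch the new `.byte 0x0f, 0x01, 0xd0` statement is explained only by a `//` comment that also keeps the old `__asm__ ("xgetbv" ...)` line as dead code, while the surrounding context uses `/* ... */` comments. Suggest one block comment stating that the bytes are the encoding of xgetbv and why the mnemonic is avoided, and deleting the commented-out statement. The raw encoding also replaces the mnemonic for every non-MSVC build rather than only for assemblers that lack it, so it is worth deciding whether that is intended or whether the branch should be limited to the affected toolchain.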
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 24 Jan 2020 09:16:57 +0000 Subject: [gnutls-devel] GnuTLS | no such instruction: `xgetbv' when compiling for macOS (#914) In-Reply-To: References: Message-ID: Pierre Ossman (Work account) commented: Crap. More issues after that: ``` macosx/ghash-x86_64.s:1332:no such instruction: `vzeroupper' macosx/ghash-x86_64.s:1334:no such instruction: `vmovdqu (%rsi),%xmm2' macosx/ghash-x86_64.s:1335:no such instruction: `vpshufd $78,%xmm2,%xmm2' macosx/ghash-x86_64.s:1338:no such instruction: `vpshufd $255,%xmm2,%xmm4' macosx/ghash-x86_64.s:1339:no such instruction: `vpsrlq $63,%xmm2,%xmm3' macosx/ghash-x86_64.s:1340:no such instruction: `vpsllq $1,%xmm2,%xmm2' macosx/ghash-x86_64.s:1341:no such instruction: `vpxor %xmm5,%xmm5,%xmm5' macosx/ghash-x86_64.s:1342:no such instruction: `vpcmpgtd %xmm4,%xmm5,%xmm5' macosx/ghash-x86_64.s:1343:no such instruction: `vpslldq $8,%xmm3,%xmm3' macosx/ghash-x86_64.s:1344:no such instruction: `vpor %xmm3,%xmm2,%xmm2' macosx/ghash-x86_64.s:1347:no such instruction: `vpand L$0x1c2_polynomial(%rip),%xmm5,%xmm5' macosx/ghash-x86_64.s:1348:no such instruction: `vpxor %xmm5,%xmm2,%xmm2' ... ``` This is with open darwin's port of cctools 782. I guess that's a bit too old for what GnuTLS wants. Can better checks be added? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/914#note_276351278 From gnutls-devel at lists.gnutls.org Fri Jan 24 10:39:59 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 24 Jan 2020 09:39:59 +0000 Subject: [gnutls-devel] GnuTLS | New CI runner with clang combined ubsan+asan (!1151) In-Reply-To: References: Message-ID: Tim Rühsen commented on a discussion on .gitlab-ci.yml: https://gitlab.com/gnutls/gnutls/merge_requests/1151#note_276366233 > + - ./bootstrap > + - export UBSAN_OPTIONS=print_stacktrace=1:report_error_type=1:suppressions=$(pwd)/devel/ubsan.supp > + - export LSAN_OPTIONS=suppressions=$(pwd)/devel/lsan.supp > + - export ASAN_SYMBOLIZER_PATH=/usr/bin/llvm-symbolizer > + - export CC=clang > + - export CXX=clang++ > + > +# This makes several tests fail, needs discussion if helpful > +# - export CFLAGS="-std=c99 -O1 -g -Werror -fno-omit-frame-pointer -fsanitize=undefined,integer,nullability,bool,alignment,null,enum,address,leak,nonnull-attribute -fno-sanitize-recover=all -fsanitize-recover=unsigned-integer-overflow -fsanitize-address-use-after-scope" > + > +# This is from OSS-Fuzz (20.12.2019) > + - export CFLAGS="-std=c99 -O1 -g -Werror -fno-omit-frame-pointer -fsanitize=array-bounds,bool,builtin,enum,float-divide-by-zero,function,integer-divide-by-zero,null,object-size,return,returns-nonnull-attribute,shift,signed-integer-overflow,unsigned-integer-overflow,unreachable,vla-bound,vptr,address,leak,alignment -fno-sanitize-recover=all -fsanitize-recover=unsigned-integer-overflow -fsanitize-address-use-after-scope" > + > + - export CXXFLAGS="$CFLAGS" > + > +# --disable-tls13-interop because tests/suite/testcompat-tls13-openssl.sh fails with clang sanitizers [testcompat-tls13-openssl.verbose.235986.log](/uploads/f1ab9e1b8fd49b69e3fb40cac810be38/testcompat-tls13-openssl.verbose.235986.log) -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1151#note_276366233 
From gnutls-devel at lists.gnutls.org Fri Jan 24 10:48:03 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 24 Jan 2020 09:48:03 +0000 Subject: [gnutls-devel] GnuTLS | New CI runner with clang combined ubsan+asan (!1151) In-Reply-To: References: Message-ID: Tim Rühsen commented on a discussion on .gitlab-ci.yml: https://gitlab.com/gnutls/gnutls/merge_requests/1151#note_276370612 > + - ./bootstrap > + - export UBSAN_OPTIONS=print_stacktrace=1:report_error_type=1:suppressions=$(pwd)/devel/ubsan.supp > + - export LSAN_OPTIONS=suppressions=$(pwd)/devel/lsan.supp > + - export ASAN_SYMBOLIZER_PATH=/usr/bin/llvm-symbolizer > + - export CC=clang > + - export CXX=clang++ > + > +# This makes several tests fail, needs discussion if helpful > +# - export CFLAGS="-std=c99 -O1 -g -Werror -fno-omit-frame-pointer -fsanitize=undefined,integer,nullability,bool,alignment,null,enum,address,leak,nonnull-attribute -fno-sanitize-recover=all -fsanitize-recover=unsigned-integer-overflow -fsanitize-address-use-after-scope" > + > +# This is from OSS-Fuzz (20.12.2019) > + - export CFLAGS="-std=c99 -O1 -g -Werror -fno-omit-frame-pointer -fsanitize=array-bounds,bool,builtin,enum,float-divide-by-zero,function,integer-divide-by-zero,null,object-size,return,returns-nonnull-attribute,shift,signed-integer-overflow,unsigned-integer-overflow,unreachable,vla-bound,vptr,address,leak,alignment -fno-sanitize-recover=all -fsanitize-recover=unsigned-integer-overflow -fsanitize-address-use-after-scope" > + > + - export CXXFLAGS="$CFLAGS" > + > +# --disable-tls13-interop because tests/suite/testcompat-tls13-openssl.sh fails with clang sanitizers Now added -msgfile outfile on a second run. [outfile](/uploads/123eff775204f96cff6ee563062c4a51/outfile) -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1151#note_276370612 
From gnutls-devel at lists.gnutls.org Fri Jan 24 13:01:44 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 24 Jan 2020 12:01:44 +0000 Subject: [gnutls-devel] GnuTLS | New CI runner with clang combined ubsan+asan (!1151) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos commented on a discussion on .gitlab-ci.yml: https://gitlab.com/gnutls/gnutls/merge_requests/1151#note_276453141 > + - ./bootstrap > + - export UBSAN_OPTIONS=print_stacktrace=1:report_error_type=1:suppressions=$(pwd)/devel/ubsan.supp > + - export LSAN_OPTIONS=suppressions=$(pwd)/devel/lsan.supp > + - export ASAN_SYMBOLIZER_PATH=/usr/bin/llvm-symbolizer > + - export CC=clang > + - export CXX=clang++ > + > +# This makes several tests fail, needs discussion if helpful > +# - export CFLAGS="-std=c99 -O1 -g -Werror -fno-omit-frame-pointer -fsanitize=undefined,integer,nullability,bool,alignment,null,enum,address,leak,nonnull-attribute -fno-sanitize-recover=all -fsanitize-recover=unsigned-integer-overflow -fsanitize-address-use-after-scope" > + > +# This is from OSS-Fuzz (20.12.2019) > + - export CFLAGS="-std=c99 -O1 -g -Werror -fno-omit-frame-pointer -fsanitize=array-bounds,bool,builtin,enum,float-divide-by-zero,function,integer-divide-by-zero,null,object-size,return,returns-nonnull-attribute,shift,signed-integer-overflow,unsigned-integer-overflow,unreachable,vla-bound,vptr,address,leak,alignment -fno-sanitize-recover=all -fsanitize-recover=unsigned-integer-overflow -fsanitize-address-use-after-scope" > + > + - export CXXFLAGS="$CFLAGS" > + > +# --disable-tls13-interop because tests/suite/testcompat-tls13-openssl.sh fails with clang sanitizers It is strange. If compiled with clang and these options, `gnutls-cli` behaves differently when sending early data. The "new" behavior makes openssl s_server quit, and thus resumption, which is what is tested by this test, fails. When I compile with just clang-9 and not these flags, it works. Could it be a bug in one of these sanitizers that we are seeing here? 
-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1151#note_276453141 From gnutls-devel at lists.gnutls.org Fri Jan 24 13:02:50 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 24 Jan 2020 12:02:50 +0000 Subject: [gnutls-devel] GnuTLS | x509: include digestParamSet into GOST 512-bit curves A and B params (!1173) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos commented: @lumag is that ready for merging or do you plan more updates related to that? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1173#note_276453652 From gnutls-devel at lists.gnutls.org Fri Jan 24 13:03:29 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 24 Jan 2020 12:03:29 +0000 Subject: [gnutls-devel] GnuTLS | lib/nettle/gost: restore compatibility with nettle master (!1176) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos commented: The other one is already merged. Maybe you can update and remove the `--disable-gost` from the nettle-master run to test it? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1176#note_276453953 From gnutls-devel at lists.gnutls.org Fri Jan 24 13:05:31 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 24 Jan 2020 12:05:31 +0000 Subject: [gnutls-devel] GnuTLS | lib/nettle/gost: restore compatibility with nettle master (!1176) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos started a new discussion on lib/nettle/gost/ecc-gost256cpa.c: https://gitlab.com/gnutls/gnutls/merge_requests/1176#note_276454899 > #define ecc_256_modp ecc_mod > #define ecc_256_modq ecc_mod > > static const struct ecc_curve _gnutls_gost_256cpa = Now with 448 we include ecc-internal.h -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1176#note_276454899 From gnutls-devel at lists.gnutls.org Fri Jan 24 13:06:13 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 24 Jan 2020 12:06:13 +0000 Subject: [gnutls-devel] GnuTLS | lib/nettle/gost: restore compatibility with nettle master (!1176) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos started a new discussion on lib/nettle/gost/ecc-gost256cpa.c: https://gitlab.com/gnutls/gnutls/merge_requests/1176#note_276455220 > ECC_PIPPENGER_K, > ECC_PIPPENGER_C, > > +#ifdef HAVE_NETTLE_CURVE448_MUL Should we depend on the curve448 ecc-internal implementation? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1176#note_276455220 From gnutls-devel at lists.gnutls.org Fri Jan 24 14:10:25 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 24 Jan 2020 13:10:25 +0000 Subject: [gnutls-devel] GnuTLS | x509: include digestParamSet into GOST 512-bit curves A and B params (!1173) In-Reply-To: References: Message-ID: Dmitry Baryshkov commented: @nmav ready for merging -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1173#note_276494685 From gnutls-devel at lists.gnutls.org Fri Jan 24 14:46:21 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 24 Jan 2020 13:46:21 +0000 Subject: [gnutls-devel] GnuTLS | x509: include digestParamSet into GOST 512-bit curves A and B params (!1173) In-Reply-To: References: Message-ID: Merge Request !1173 was merged Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/1173 Project:Branches: GostCrypt/gnutls:legacy-gost-512 to gnutls/gnutls:master Author: Dmitry Baryshkov Assignees: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1173 From gnutls-devel at lists.gnutls.org Fri Jan 24 14:48:58 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 24 Jan 2020 13:48:58 +0000 Subject: [gnutls-devel] GnuTLS | no such instruction: `xgetbv' when compiling for macOS (#914) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos commented: We do compile gnutls on macosx [via travis-ci](https://travis-ci.org/gnutls/gnutls/builds/). Have you checked if there is something different there and it works? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/914#note_276517745 From gnutls-devel at lists.gnutls.org Fri Jan 24 14:58:00 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 24 Jan 2020 13:58:00 +0000 Subject: [gnutls-devel] GnuTLS | no such instruction: `xgetbv' when compiling for macOS (#914) In-Reply-To: References: Message-ID: Pierre Ossman (Work account) commented: I would guess it's just a more up-to-date toolchain. As I mentioned, we have a rather old cctools. We also use gcc rather than clang (we want to have the same compiler for all our targets). Any idea if the configure script can detect what instructions are supported and adapt the build? An upgrade of our toolchain is unfortunately non-trivial and we'd like to avoid having to do that right now. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/914#note_276523490 From gnutls-devel at lists.gnutls.org Fri Jan 24 17:26:08 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 24 Jan 2020 16:26:08 +0000 Subject: [gnutls-devel] GnuTLS | New CI runner with clang combined ubsan+asan (!1151) In-Reply-To: References: Message-ID: Tim Rühsen commented on a discussion on .gitlab-ci.yml: https://gitlab.com/gnutls/gnutls/merge_requests/1151#note_276623023 > + - ./bootstrap > + - export UBSAN_OPTIONS=print_stacktrace=1:report_error_type=1:suppressions=$(pwd)/devel/ubsan.supp > + - export LSAN_OPTIONS=suppressions=$(pwd)/devel/lsan.supp > + - export ASAN_SYMBOLIZER_PATH=/usr/bin/llvm-symbolizer > + - export CC=clang > + - export CXX=clang++ > + > +# This makes several tests fail, needs discussion if helpful > +# - export CFLAGS="-std=c99 -O1 -g -Werror -fno-omit-frame-pointer -fsanitize=undefined,integer,nullability,bool,alignment,null,enum,address,leak,nonnull-attribute -fno-sanitize-recover=all -fsanitize-recover=unsigned-integer-overflow -fsanitize-address-use-after-scope" > + > +# This is from OSS-Fuzz (20.12.2019) > + - export CFLAGS="-std=c99 -O1 -g -Werror -fno-omit-frame-pointer -fsanitize=array-bounds,bool,builtin,enum,float-divide-by-zero,function,integer-divide-by-zero,null,object-size,return,returns-nonnull-attribute,shift,signed-integer-overflow,unsigned-integer-overflow,unreachable,vla-bound,vptr,address,leak,alignment -fno-sanitize-recover=all -fsanitize-recover=unsigned-integer-overflow -fsanitize-address-use-after-scope" > + > + - export CXXFLAGS="$CFLAGS" > + > +# --disable-tls13-interop because tests/suite/testcompat-tls13-openssl.sh fails with clang sanitizers Possible, but how likely is it? Maybe a suppressed UB or leak triggers it? (devel/ubsan.supp and devel/lsan.supp). Could you test with the sanitizer options but without the suppression files to see if we see sanitizer output? If there is, we could work on a real code fix... 
-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1151#note_276623023 From gnutls-devel at lists.gnutls.org Fri Jan 24 20:00:25 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 24 Jan 2020 19:00:25 +0000 Subject: [gnutls-devel] GnuTLS | lib/nettle/gost: restore compatibility with nettle master (!1176) In-Reply-To: References: Message-ID: Dmitry Baryshkov commented on a discussion on lib/nettle/gost/ecc-gost256cpa.c: https://gitlab.com/gnutls/gnutls/merge_requests/1176#note_276681674 > ECC_PIPPENGER_K, > ECC_PIPPENGER_C, > > +#ifdef HAVE_NETTLE_CURVE448_MUL No, I wouldn't like doing that at this moment. I hope to get all necessary bits in and then update imported code to include GOST curves and digital signatures support. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1176#note_276681674 From gnutls-devel at lists.gnutls.org Fri Jan 24 20:06:43 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 24 Jan 2020 19:06:43 +0000
Subject: [gnutls-devel] GnuTLS | lib/nettle/gost: restore compatibility with nettle master (!1176)

Dmitry Baryshkov pushed new commits to merge request !1176

https://gitlab.com/gnutls/gnutls/merge_requests/1176

* 6ab20d77...ab2dd96b - 18 commits from branch `master`
* 06e044f9 - lib/nettle/gost: restore compatibility with nettle master
* 00f7859b - .gitlab-ci.yml: remove --disable-gost from nettle-master test

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1176

From gnutls-devel at lists.gnutls.org Fri Jan 24 20:08:30 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 24 Jan 2020 19:08:30 +0000
Subject: [gnutls-devel] GnuTLS | lib/nettle/gost: restore compatibility with nettle master (!1176)

Dmitry Baryshkov commented on a discussion: https://gitlab.com/gnutls/gnutls/merge_requests/1176#note_276696135

Rebased on top of current master and removed this switch.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1176#note_276696135

From gnutls-devel at lists.gnutls.org Fri Jan 24 20:29:03 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 24 Jan 2020 19:29:03 +0000
Subject: [gnutls-devel] GnuTLS | MAGMA/KUZNYECHIK CTR-ACPKM and CMAC support (!1161)

Dmitry Baryshkov pushed new commits to merge request !1161

https://gitlab.com/gnutls/gnutls/merge_requests/1161

* 0ae82294...ab2dd96b - 57 commits from branch `master`
* 98013b02 - nettle/gost: export gost28147_decrypt_simple for magma cipher
* d0a833b3 - nettle/gost: add Magma code
* ef0ffd6d - nettle/gost: add Kuznyechik code
* 8cbd343c - nettle/gost: add CMAC-64/Magma/Kuznyechik code
* c2b054ca - nettle/gost: add ACPKM rekeying code
* 83ab423f - lib: add Magma/Kuznyechik ciphers support
* 0720fc44 - lib: add Magma/Kuznyechik OMAC support
* 3ef43e1e - selftests: add test vectors for MAGMA/KUZNYECHIK-OMAC
* 95629ca8 - cipher/mac: enhance handlers with setkey callback
* 1638fb7a - crypto-api: add _gnutls_cipher_set_key wrapper()
* 75f5d29a - crypto-selftest: add test vectors for MAGMA/KUZNYECHIK-CTR-ACPKM

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1161

From gnutls-devel at lists.gnutls.org Fri Jan 24 21:10:04 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 24 Jan 2020 20:10:04 +0000
Subject: [gnutls-devel] GnuTLS | New CI runner with clang combined ubsan+asan (!1151)

Nikos Mavrogiannopoulos commented:

I would like to focus on the upcoming release and it looks like a strange error and it may take long to figure out. Would it make sense to bring clang only without sanitizers (or the sanitizers that work) and the fixes? We should keep an open MR for the remaining.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1151#note_276719150

From gnutls-devel at lists.gnutls.org Fri Jan 24 21:11:17 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 24 Jan 2020 20:11:17 +0000
Subject: [gnutls-devel] GnuTLS | New CI runner with clang combined ubsan+asan (!1151)

Nikos Mavrogiannopoulos commented:

BTW even in that case you should try to rebase on master as there may be issues introduced in between

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1151#note_276719427

From gnutls-devel at lists.gnutls.org Fri Jan 24 22:00:05 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 24 Jan 2020 21:00:05 +0000
Subject: [gnutls-devel] GnuTLS | no such instruction: `xgetbv' when compiling for macOS (#914)

Nikos Mavrogiannopoulos commented:

If you use `--disable-hardware-acceleration` you can work around the old toolchain by disabling acceleration.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/914#note_276731839

From gnutls-devel at lists.gnutls.org Fri Jan 24 22:25:41 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 24 Jan 2020 21:25:41 +0000
Subject: [gnutls-devel] GnuTLS | lib/nettle/gost: restore compatibility with nettle master (!1176)

Nikos Mavrogiannopoulos commented on a discussion on lib/nettle/gost/ecc-gost256cpa.c: https://gitlab.com/gnutls/gnutls/merge_requests/1176#note_276738303

> ECC_PIPPENGER_K, > ECC_PIPPENGER_C, > > +#ifdef HAVE_NETTLE_CURVE448_MUL

I do not have a better suggestion, as options seem to be equally bad, so I resolve this.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1176#note_276738303

From gnutls-devel at lists.gnutls.org Fri Jan 24 22:26:38 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 24 Jan 2020 21:26:38 +0000
Subject: [gnutls-devel] GnuTLS | lib/nettle/gost: restore compatibility with nettle master (!1176)

Merge Request !1176 was approved by Nikos Mavrogiannopoulos

Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/1176
Project:Branches: GostCrypt/gnutls:fix-gost-nettle-master to gnutls/gnutls:master
Author: Dmitry Baryshkov
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1176

From gnutls-devel at lists.gnutls.org Fri Jan 24 23:16:52 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 24 Jan 2020 22:16:52 +0000
Subject: [gnutls-devel] GnuTLS | fuzz: update 448 fuzzer traces and other fuzz improvements (!1177)

Nikos Mavrogiannopoulos created a merge request: https://gitlab.com/gnutls/gnutls/merge_requests/1177

Project:Branches: nmav/gnutls:tmp-fuzzers-update to gnutls/gnutls:master
Author: Nikos Mavrogiannopoulos

This fixes the ed448 fuzz traces, and improves the fuzzer tools as well as adds better instructions for creating a fuzz trace. Most likely even this is not enough and we should automate that creation of traces instead.

## Checklist
* [x] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [x] Code modified for feature
* [ ] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
* [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:
* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1177

From gnutls-devel at lists.gnutls.org Sat Jan 25 06:07:56 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 25 Jan 2020 05:07:56 +0000
Subject: [gnutls-devel] GnuTLS | lib/nettle/gost: restore compatibility with nettle master (!1176)

All discussions on Merge Request !1176 were resolved by Dmitry Baryshkov

https://gitlab.com/gnutls/gnutls/merge_requests/1176

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1176

From gnutls-devel at lists.gnutls.org Sat Jan 25 06:08:08 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 25 Jan 2020 05:08:08 +0000
Subject: [gnutls-devel] GnuTLS | lib/nettle/gost: restore compatibility with nettle master (!1176)

Merge Request !1176 was merged

Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/1176
Project:Branches: GostCrypt/gnutls:fix-gost-nettle-master to gnutls/gnutls:master
Author: Dmitry Baryshkov
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1176

From gnutls-devel at lists.gnutls.org Sat Jan 25 06:14:35 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 25 Jan 2020 05:14:35 +0000
Subject: [gnutls-devel] GnuTLS | fuzz: update ed448 fuzzer traces and other fuzz improvements (!1177)

Merge Request !1177 was approved by Dmitry Baryshkov

Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/1177
Project:Branches: nmav/gnutls:tmp-fuzzers-update to gnutls/gnutls:master
Author: Nikos Mavrogiannopoulos
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1177

From gnutls-devel at lists.gnutls.org Sat Jan 25 06:47:10 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 25 Jan 2020 05:47:10 +0000
Subject: [gnutls-devel] GnuTLS | MAGMA/KUZNYECHIK CTR-ACPKM and CMAC support (!1161)

Dmitry Baryshkov pushed new commits to merge request !1161

https://gitlab.com/gnutls/gnutls/merge_requests/1161

* 55269658 - lib: add Magma/Kuznyechik ciphers support
* 607c7176 - lib: add Magma/Kuznyechik OMAC support
* 3d32a71a - selftests: add test vectors for MAGMA/KUZNYECHIK-OMAC
* c63ae64b - cipher/mac: enhance handlers with setkey callback
* 0c85874c - crypto-api: add _gnutls_cipher_set_key wrapper()
* ec5e30b1 - crypto-selftest: add test vectors for MAGMA/KUZNYECHIK-CTR-ACPKM

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1161

From gnutls-devel at lists.gnutls.org Sat Jan 25 08:51:15 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 25 Jan 2020 07:51:15 +0000
Subject: [gnutls-devel] GnuTLS | fuzz: update ed448 fuzzer traces and other fuzz improvements (!1177)

Nikos Mavrogiannopoulos pushed new commits to merge request !1177

https://gitlab.com/gnutls/gnutls/merge_requests/1177

* 06e044f9...920805c9 - 3 commits from branch `master`
* c5417511 - fuzzers: when provided with a parameter they will run on a single file
* a60004a3 - fuzzers: added ed448 keys
* 82149df0 - README-adding-traces.md: updated with more precise information
* 9058ceda - fuzz: fixed Ed448 fuzzer traces

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1177

From gnutls-devel at lists.gnutls.org Sat Jan 25 09:22:30 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 25 Jan 2020 08:22:30 +0000
Subject: [gnutls-devel] GnuTLS | fuzz: update ed448 fuzzer traces and other fuzz improvements (!1177)

Nikos Mavrogiannopoulos pushed new commits to merge request !1177

https://gitlab.com/gnutls/gnutls/merge_requests/1177

* e9e5f969 - fuzzers: added ed448 keys
* f410a405 - README-adding-traces.md: updated with more precise information
* 448526ac - fuzz: fixed Ed448 fuzzer traces

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1177

From gnutls-devel at lists.gnutls.org Sat Jan 25 09:30:20 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 25 Jan 2020 08:30:20 +0000
Subject: [gnutls-devel] GnuTLS | MAGMA/KUZNYECHIK CTR-ACPKM and CMAC support (!1161)

Dmitry Baryshkov pushed new commits to merge request !1161

https://gitlab.com/gnutls/gnutls/merge_requests/1161

* dc8d12cb - lib: add Magma/Kuznyechik ciphers support
* 42654c23 - lib: add Magma/Kuznyechik OMAC support
* 5fdf1bcd - selftests: add test vectors for MAGMA/KUZNYECHIK-OMAC
* c32b1803 - cipher/mac: enhance handlers with setkey callback
* 66bb68d6 - crypto-api: add _gnutls_cipher_set_key wrapper()
* b82e0a4c - crypto-selftest: add test vectors for MAGMA/KUZNYECHIK-CTR-ACPKM

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1161

From gnutls-devel at lists.gnutls.org Sat Jan 25 11:21:20 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 25 Jan 2020 10:21:20 +0000
Subject: [gnutls-devel] GnuTLS | Create files in gl/ licenced lgpl2+ instead of lgpl3+ (!1178)

Tim Rühsen created a merge request: https://gitlab.com/gnutls/gnutls/merge_requests/1178

Branches: tmp-gl-lgpl2 to master
Author: Tim Rühsen

The gnulib files in gl/ are LGPL3+ and get linked into libgnutls which is assumed to be LGPL2+. This patch fixes the gnulib part to LGPL2+.

## Checklist
* [x] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [ ] Code modified for feature
* [ ] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
* [x] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:
* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1178

From gnutls-devel at lists.gnutls.org Sat Jan 25 12:15:52 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 25 Jan 2020 11:15:52 +0000
Subject: [gnutls-devel] GnuTLS | fuzz: update ed448 fuzzer traces and other fuzz improvements (!1177)

Nikos Mavrogiannopoulos pushed new commits to merge request !1177

https://gitlab.com/gnutls/gnutls/merge_requests/1177

* 124f8a96 - fuzzers: added ed448 keys
* 9bf69f83 - README-adding-traces.md: updated with more precise information
* f38cc1ae - fuzz: fixed Ed448 fuzzer traces

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1177

From gnutls-devel at lists.gnutls.org Sat Jan 25 12:16:03 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 25 Jan 2020 11:16:03 +0000
Subject: [gnutls-devel] GnuTLS | New CI runner with clang combined ubsan+asan (!1151)

Tim Rühsen pushed new commits to merge request !1151

https://gitlab.com/gnutls/gnutls/merge_requests/1151

* 47a5f1e1...920805c9 - 14 commits from branch `master`
* 0e1b7b6e - Add runner for combined clang UBSAN+ASAN
* 5b6cca52 - Fix -Wtypedef-redefinition in tests/tls13/anti_replay.c
* 7a41d0ec - Fix "implicit conversion from type 'int' of value -1 to 'unsigned'"
* 4a883a94 - Fix "implicit conversion from type 'int' of value -1 to 'unsigned'"
* 3ec1f715 - Fix "implicit conversion from type 'int' of value -1 to 'unsigned'"
* da59ffa8 - Fix "implicit conversion from type 'int' of value -1 to 'unsigned'"
* f4761511 - Fix "implicit conversion from type 'int' < 0 to 'unsigned'"
* ea558369 - Fix "implicit conversion from type 'int' < 0 to 'unsigned'"
* aca01edf - Fix "implicit conversion from type 'int' -1 to 'unsigned'"
* 6f850b2d - Fix "implicit conversion from type 'uint32_t' to 'uint8_t' with value >255"
* 057278b5 - Fix checks in mpi.c:__gnutls_x509_write_int()
* 32e5a9c9 - Fix "implicit conversion from type 'int' -1 to 'unsigned'"

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1151

From gnutls-devel at lists.gnutls.org Sat Jan 25 12:24:37 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 25 Jan 2020 11:24:37 +0000
Subject: [gnutls-devel] GnuTLS | Create files in gl/ licenced lgpl2+ instead of lgpl3+ (!1178)

Merge Request !1178 was approved by Nikos Mavrogiannopoulos

Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/1178
Branches: tmp-gl-lgpl2 to master
Author: Tim Rühsen
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1178

From gnutls-devel at lists.gnutls.org Sat Jan 25 12:25:00 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 25 Jan 2020 11:25:00 +0000
Subject: [gnutls-devel] GnuTLS | New CI runner with clang combined ubsan+asan (!1151)

Tim Rühsen commented:

Actually, the issue is gone here (clang 8.0.1-7 on Debian unstable). I got a lot of updates (libc, clang, llvm) and it's now rebased on master. Will push it now and we'll see...

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1151#note_276836123

From gnutls-devel at lists.gnutls.org Sat Jan 25 12:27:25 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 25 Jan 2020 11:27:25 +0000
Subject: [gnutls-devel] GnuTLS | Create files in gl/ licenced lgpl2+ instead of lgpl3+ (!1178)

Tim Rühsen commented:

@nmav In the embedded unicode files we have some with LGPL3+ or GPL2. Just want you to know...

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1178#note_276836381

From gnutls-devel at lists.gnutls.org Sat Jan 25 12:49:50 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 25 Jan 2020 11:49:50 +0000
Subject: [gnutls-devel] GnuTLS | Received TLS alert from the server: User canceled (90) (#913)

Nikos Mavrogiannopoulos commented:

I do not think this is the right place to post this report. Filezilla is an application using gnutls and you may want to start by reporting to it initially. If it proves to be a gnutls error we can check it out again. From a quick glimpse all I see is the server terminating the session with an alert (user cancelled). Unless the TLS over FTP protocol defines that behavior I do not know what filezilla can do to work that out.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/913#note_276838367

From gnutls-devel at lists.gnutls.org Sat Jan 25 12:49:51 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 25 Jan 2020 11:49:51 +0000
Subject: [gnutls-devel] GnuTLS | Received TLS alert from the server: User canceled (90) (#913)

Issue was closed by Nikos Mavrogiannopoulos

Issue #913: https://gitlab.com/gnutls/gnutls/issues/913

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/913

From gnutls-devel at lists.gnutls.org Sat Jan 25 13:06:38 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 25 Jan 2020 12:06:38 +0000
Subject: [gnutls-devel] GnuTLS | Create files in gl/ licenced lgpl2+ instead of lgpl3+ (!1178)

Merge Request !1178 was merged

Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/1178
Branches: tmp-gl-lgpl2 to master
Author: Tim Rühsen
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1178

From gnutls-devel at lists.gnutls.org Sat Jan 25 13:34:06 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 25 Jan 2020 12:34:06 +0000
Subject: [gnutls-devel] GnuTLS | fuzz: update ed448 fuzzer traces and other fuzz improvements (!1177)

Merge Request !1177 was merged

Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/1177
Project:Branches: nmav/gnutls:tmp-fuzzers-update to gnutls/gnutls:master
Author: Nikos Mavrogiannopoulos
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1177

From gnutls-devel at lists.gnutls.org Sat Jan 25 15:14:15 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 25 Jan 2020 14:14:15 +0000
Subject: [gnutls-devel] GnuTLS | New CI runner with clang combined ubsan+asan (!1151)

Tim Rühsen commented:

@nmav The new runner succeeds in the CI as well - just restarted Debian.x86_64, but this seems unrelated.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1151#note_276854930

From gnutls-devel at lists.gnutls.org Sat Jan 25 18:08:59 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 25 Jan 2020 17:08:59 +0000
Subject: [gnutls-devel] GnuTLS | New CI runner with clang combined ubsan+asan (!1151)

Tim Rühsen pushed new commits to merge request !1151

https://gitlab.com/gnutls/gnutls/merge_requests/1151

* c5417511...a963369e - 7 commits from branch `master`
* 8c88bd2e - Add runner for combined clang UBSAN+ASAN
* 2f17617e - Fix -Wtypedef-redefinition in tests/tls13/anti_replay.c
* f5f0fdf3 - Fix "implicit conversion from type 'int' of value -1 to 'unsigned'"
* a4a0bdc1 - Fix "implicit conversion from type 'int' of value -1 to 'unsigned'"
* fb1f5feb - Fix "implicit conversion from type 'int' of value -1 to 'unsigned'"
* c0ae9d64 - Fix "implicit conversion from type 'int' of value -1 to 'unsigned'"
* 38b8fc0e - Fix "implicit conversion from type 'int' < 0 to 'unsigned'"
* 5f7431dd - Fix "implicit conversion from type 'int' < 0 to 'unsigned'"
* e70d6518 - Fix "implicit conversion from type 'int' -1 to 'unsigned'"
* 7eb25c9d - Fix "implicit conversion from type 'uint32_t' to 'uint8_t' with value >255"
* b5a8972b - Fix checks in mpi.c:__gnutls_x509_write_int()
* faec845c - Fix "implicit conversion from type 'int' -1 to 'unsigned'"

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1151

From gnutls-devel at lists.gnutls.org Sat Jan 25 21:30:33 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 25 Jan 2020 20:30:33 +0000
Subject: [gnutls-devel] GnuTLS | New CI runner with clang combined ubsan+asan (!1151)

Tim Rühsen commented:

@nmav Run it two times now, seems to succeed reproducible.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1151#note_276905541

From gnutls-devel at lists.gnutls.org Sat Jan 25 21:42:04 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 25 Jan 2020 20:42:04 +0000
Subject: [gnutls-devel] GnuTLS | New CI runner with clang combined ubsan+asan (!1151)

Nikos Mavrogiannopoulos commented:

Did you mean to remove `--disable-tls13-interop`? It is still set.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1151#note_276906337

From gnutls-devel at lists.gnutls.org Sat Jan 25 22:03:15 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 25 Jan 2020 21:03:15 +0000
Subject: [gnutls-devel] GnuTLS | New CI runner with clang combined ubsan+asan (!1151)

Tim Rühsen commented:

Oh no - I thought I had that done :-( Thanks for pointing out :-)

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1151#note_276911350

From gnutls-devel at lists.gnutls.org Sat Jan 25 23:05:51 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 25 Jan 2020 22:05:51 +0000
Subject: [gnutls-devel] GnuTLS | New CI runner with clang combined ubsan+asan (!1151)

Tim Rühsen pushed new commits to merge request !1151

https://gitlab.com/gnutls/gnutls/merge_requests/1151

* f7e2693b - Add runners for clang/LLVM UBSAN and ASAN
* 8d3800e3 - Fix -Wtypedef-redefinition in tests/tls13/anti_replay.c
* be2a2015 - Fix "implicit conversion from type 'int' of value -1 to 'unsigned'"
* d863b070 - Fix "implicit conversion from type 'int' of value -1 to 'unsigned'"
* b3da2fd0 - Fix "implicit conversion from type 'int' of value -1 to 'unsigned'"
* 5976191d - Fix "implicit conversion from type 'int' of value -1 to 'unsigned'"
* c948994f - Fix "implicit conversion from type 'int' < 0 to 'unsigned'"
* 7be9fcfd - Fix "implicit conversion from type 'int' < 0 to 'unsigned'"
* 7812eb9d - Fix "implicit conversion from type 'int' -1 to 'unsigned'"
* 6fba7040 - Fix "implicit conversion from type 'uint32_t' to 'uint8_t' with value >255"
* b983ea06 - Fix checks in mpi.c:__gnutls_x509_write_int()
* 5bc04a3f - Fix "implicit conversion from type 'int' -1 to 'unsigned'"

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1151

From gnutls-devel at lists.gnutls.org Sat Jan 25 23:07:18 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 25 Jan 2020 22:07:18 +0000
Subject: [gnutls-devel] GnuTLS | New CI runner with clang combined ubsan+asan (!1151)

Tim Rühsen commented:

Found the issue... it seems that clang/llvm has an issue when combining UBSAN and ASAN. Maybe that is why OSS-Fuzz separates them. Sigh, have to separate them into two runners.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1151#note_276919281

From gnutls-devel at lists.gnutls.org Sun Jan 26 00:20:11 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 25 Jan 2020 23:20:11 +0000
Subject: [gnutls-devel] GnuTLS | tlsfuzzer: updated to latest upstream (!1179)

Nikos Mavrogiannopoulos created a merge request: https://gitlab.com/gnutls/gnutls/merge_requests/1179

Project:Branches: nmav/gnutls:tmp-update-tlsfuzzer to gnutls/gnutls:master
Author: Nikos Mavrogiannopoulos

This updates tlsfuzzer to latest upstream. It uncovered a minor issue in key shares handling which has a fix included.

This results to these bug reports against tlsfuzzer:
- https://github.com/tomato42/tlsfuzzer/issues/633
- https://github.com/tomato42/tlsfuzzer/issues/632

## Checklist
* [x] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [ ] Code modified for feature
* [x] Test suite updated with functionality tests
* [x] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
* [x] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:
* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1179

From gnutls-devel at lists.gnutls.org Sun Jan 26 09:29:47 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 26 Jan 2020 08:29:47 +0000
Subject: [gnutls-devel] GnuTLS | Malformed FFDHE key shares in TLS 1.3 are rejected incorrectly (#907)

Reassigned Issue 907
https://gitlab.com/gnutls/gnutls/issues/907

Assignee changed to Nikos Mavrogiannopoulos

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/907

From gnutls-devel at lists.gnutls.org Sun Jan 26 11:06:43 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 26 Jan 2020 10:06:43 +0000
Subject: [gnutls-devel] GnuTLS | tlsfuzzer: updated to latest upstream (!1179)

Merge Request !1179 was approved by Tim Rühsen

Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/1179
Project:Branches: nmav/gnutls:tmp-update-tlsfuzzer to gnutls/gnutls:master
Author: Nikos Mavrogiannopoulos
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1179

From gnutls-devel at lists.gnutls.org Sun Jan 26 13:37:40 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 26 Jan 2020 12:37:40 +0000
Subject: [gnutls-devel] GnuTLS | Malformed FFDHE key shares in TLS 1.3 are rejected incorrectly (#907)

Issue was closed by Nikos Mavrogiannopoulos via merge request !1179 (https://gitlab.com/gnutls/gnutls/merge_requests/1179)

Issue #907: https://gitlab.com/gnutls/gnutls/issues/907

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/907

From gnutls-devel at lists.gnutls.org Sun Jan 26 13:37:41 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 26 Jan 2020 12:37:41 +0000
Subject: [gnutls-devel] GnuTLS | tlsfuzzer: updated to latest upstream (!1179)

Merge Request !1179 was merged

Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/1179
Project:Branches: nmav/gnutls:tmp-update-tlsfuzzer to gnutls/gnutls:master
Author: Nikos Mavrogiannopoulos
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1179

From gnutls-devel at lists.gnutls.org Sun Jan 26 13:47:24 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 26 Jan 2020 12:47:24 +0000
Subject: [gnutls-devel] GnuTLS | Use 'make -j' with higher values for CI builds and tests (!1154)

Merge Request !1154 was approved by Nikos Mavrogiannopoulos

Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/1154
Branches: tmp-ci-make-j to master
Author: Tim Rühsen
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1154

From gnutls-devel at lists.gnutls.org Sun Jan 26 13:48:13 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 26 Jan 2020 12:48:13 +0000
Subject: [gnutls-devel] GnuTLS | Use 'make -j' with higher values for CI builds and tests (!1154)

Nikos Mavrogiannopoulos commented:

LGTM. The benefit is unfortunately to the faster jobs, but maybe at some point we can optimize the qemu-based ones as well.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1154#note_276984925

From gnutls-devel at lists.gnutls.org Sun Jan 26 13:56:10 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 26 Jan 2020 12:56:10 +0000
Subject: [gnutls-devel] GnuTLS | New CI runner with clang ubsan+asan (!1151)

Nikos Mavrogiannopoulos commented:

This may be better merged on top of the `-j` MR, but as it is LGTM. We kind of increase our jobs significantly, but that doesn't seem to be a problem so far so no reason to keep it out for that.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1151#note_276985831

From gnutls-devel at lists.gnutls.org Sun Jan 26 13:56:15 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 26 Jan 2020 12:56:15 +0000
Subject: [gnutls-devel] GnuTLS | New CI runner with clang ubsan+asan (!1151)

Merge Request !1151 was approved by Nikos Mavrogiannopoulos

Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/1151
Branches: tmp-clang-ubsan+asan to master
Author: Tim Rühsen
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1151

From gnutls-devel at lists.gnutls.org Sun Jan 26 14:12:29 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 26 Jan 2020 13:12:29 +0000
Subject: [gnutls-devel] GnuTLS | WIP: GOSTR341194, RIPEMD160: mark as insecure for digital signatures (!1175)

Nikos Mavrogiannopoulos pushed new commits to merge request !1175
https://gitlab.com/gnutls/gnutls/merge_requests/1175

* 47a5f1e1...92052ce8 - 24 commits from branch `master`
* 90dd04a8 - GOSTR341194: mark as insecure for digital signatures

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1175

From gnutls-devel at lists.gnutls.org Sun Jan 26 14:45:35 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 26 Jan 2020 13:45:35 +0000
Subject: [gnutls-devel] GnuTLS | Use 'make -j' with higher values for CI builds and tests (!1154)

All discussions on Merge Request !1154 were resolved by Tim Rühsen
https://gitlab.com/gnutls/gnutls/merge_requests/1154

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1154

From gnutls-devel at lists.gnutls.org Sun Jan 26 14:51:45 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 26 Jan 2020 13:51:45 +0000
Subject: [gnutls-devel] GnuTLS | Use 'make -j' with higher values for CI builds and tests (!1154)

Tim Rühsen pushed new commits to merge request !1154
https://gitlab.com/gnutls/gnutls/merge_requests/1154

* 6ab20d77...a963369e - 32 commits from branch `master`
* 6378750c - Use make with crafted -j for CI builds and tests
* eeb9a814 - tests/key-material-dtls.c: Try again on GNUTLS_E_AGAIN and GNUTLS_E_INTERRUPTED

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1154

From gnutls-devel at lists.gnutls.org Sun Jan 26 16:22:53 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 26 Jan 2020 15:22:53 +0000
Subject: [gnutls-devel] GnuTLS | Speed up CI with more parallelization (#897)

Issue was closed by Tim Rühsen via merge request !1154 (https://gitlab.com/gnutls/gnutls/merge_requests/1154)

Issue #897: https://gitlab.com/gnutls/gnutls/issues/897

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/897

From gnutls-devel at lists.gnutls.org Sun Jan 26 16:22:53 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 26 Jan 2020 15:22:53 +0000
Subject: [gnutls-devel] GnuTLS | Use 'make -j' with higher values for CI builds and tests (!1154)

Merge Request !1154 was merged

Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/1154
Branches: tmp-ci-make-j to master
Author: Tim Rühsen
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1154

From gnutls-devel at lists.gnutls.org Sun Jan 26 16:25:43 2020
From gnutls-devel at lists.gnutls.org Sun Jan 26 18:56:56 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 26 Jan 2020 17:56:56 +0000
Subject: [gnutls-devel] GnuTLS | Avoid pushd/popd bashism in testsuite (!1180)

Andreas Metzler created a merge request: https://gitlab.com/gnutls/gnutls/merge_requests/1180

Project:Branches: ametzler/gnutls:tmp-20200126-bashismintest to gnutls/gnutls:master
Author: Andreas Metzler

pushd/popd are not available in posix sh, avoid error with /bin/sh = dash

## Checklist

* [x] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [ ] Code modified for feature
* [ ] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
* [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:

* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1180

From gnutls-devel at lists.gnutls.org Sun Jan 26 21:16:24 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 26 Jan 2020 20:16:24 +0000
Subject: [gnutls-devel] GnuTLS | WIP: GOSTR341194, RIPEMD160: mark as insecure for digital signatures (!1175)

Nikos Mavrogiannopoulos pushed new commits to merge request !1175
https://gitlab.com/gnutls/gnutls/merge_requests/1175

* 6378750c...808b86f5 - 3 commits from branch `master`
* 9ec9fe6c - GOSTR341194: mark as insecure for digital signatures

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1175

From gnutls-devel at lists.gnutls.org Sun Jan 26 22:19:36 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 26 Jan 2020 21:19:36 +0000
Subject: [gnutls-devel] GnuTLS | Impossible to test post handshake authentication with tlsfuzzer (#868)

Nikos Mavrogiannopoulos commented:

@tomato42 if I try to use something like that:
```
"tests" : [
    {"name" : "test-tls13-post-handshake-auth.py",
     "arguments" : ["-k", "tests/clientX509Key.pem",
                    "-c", "tests/clientX509Cert.pem",
                    "--query", "**REAUTH**\n",
                    "--pha-as-reply"]
```

what I get from tlsfuzzer is:
```
INFO:__main__:test-tls13-post-handshake-auth.py:started
test-tls13-post-handshake-auth.py:stderr:Traceback (most recent call last):
test-tls13-post-handshake-auth.py:stderr: File "scripts/test-tls13-post-handshake-auth.py", line 495, in
test-tls13-post-handshake-auth.py:stderr: main()
test-tls13-post-handshake-auth.py:stderr: File "scripts/test-tls13-post-handshake-auth.py", line 206, in main
test-tls13-post-handshake-auth.py:stderr: bytearray(pha_query)))
test-tls13-post-handshake-auth.py:stderr:TypeError: string argument without an encoding
ERROR:__main__:test-tls13-post-handshake-auth.py:failure:0.31s:1
```

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/868#note_277046798

From gnutls-devel at lists.gnutls.org Sun Jan 26 23:01:39 2020
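The `TypeError` in the traceback quoted in the #868 comment above is what Python 3 raises when `bytearray()` is given a `str` without an encoding, which is the type every command-line value has there. The following is an added example, not tlsfuzzer's or GnuTLS's code: `parse_args` and `to_wire_bytes` are hypothetical names, the option set is limited to the four options in the quoted entry, and the JSON entry is a constructed, closed copy of the quoted fragment.

```python
import getopt
import json

# Constructed copy of the test entry quoted in the comment, with the closing
# brackets added so that it parses on its own.
TEST_ENTRY = r'''
{"name": "test-tls13-post-handshake-auth.py",
 "arguments": ["-k", "tests/clientX509Key.pem",
               "-c", "tests/clientX509Cert.pem",
               "--query", "**REAUTH**\n",
               "--pha-as-reply"]}
'''


def load_arguments(entry=TEST_ENTRY):
    """Return the argv list a test runner would hand to the script."""
    return json.loads(entry)["arguments"]


def parse_args(argv):
    """Hypothetical stand-in for the script's option parsing.

    Only the four options used in the quoted entry are modelled.
    """
    opts, _ = getopt.getopt(argv, "k:c:", ["query=", "pha-as-reply"])
    parsed = {"key": None, "cert": None, "query": None, "pha_as_reply": False}
    for opt, value in opts:
        if opt == "-k":
            parsed["key"] = value
        elif opt == "-c":
            parsed["cert"] = value
        elif opt == "--query":
            parsed["query"] = value  # always a str on Python 3
        elif opt == "--pha-as-reply":
            parsed["pha_as_reply"] = True
    return parsed


def naive_conversion_error(value):
    """Reproduce the failing call shape: bytearray() on a value, no encoding.

    Returns the TypeError message, or None when the conversion succeeds.
    """
    try:
        bytearray(value)
    except TypeError as exc:
        return str(exc)
    return None


def to_wire_bytes(value, encoding="utf-8"):
    """Normalise a command-line value to the bytes sent as application data."""
    if isinstance(value, (bytes, bytearray)):
        return bytearray(value)
    if isinstance(value, str):
        return bytearray(value, encoding)
    raise TypeError("expected str or bytes, got %s" % type(value).__name__)


if __name__ == "__main__":
    args = parse_args(load_arguments())
    print("naive:", naive_conversion_error(args["query"]))
    print("fixed:", bytes(to_wire_bytes(args["query"])))
```

The JSON escape `\n` is already a real newline by the time the script sees it, so the only conversion needed is `str` to bytes.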
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 26 Jan 2020 22:01:39 +0000
Subject: [gnutls-devel] GnuTLS | testcompat-openssl: improve testing against secured OpenSSL versions. (!1168)

Dimitri John Ledkov pushed new commits to merge request !1168
https://gitlab.com/gnutls/gnutls/merge_requests/1168

* 6ab20d77...4a841c30 - 41 commits from branch `master`
* 5c754237 - testcompat-openssl: improve testing against secured OpenSSL versions.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1168

From gnutls-devel at lists.gnutls.org Mon Jan 27 09:39:24 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 27 Jan 2020 08:39:24 +0000
Subject: [gnutls-devel] GnuTLS | Avoid pushd/popd bashism in testsuite (!1180)

Merge Request !1180 was merged

Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/1180
Project:Branches: ametzler/gnutls:tmp-20200126-bashismintest to gnutls/gnutls:master
Author: Andreas Metzler
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1180

From gnutls-devel at lists.gnutls.org Mon Jan 27 09:39:19 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 27 Jan 2020 08:39:19 +0000
Subject: [gnutls-devel] GnuTLS | Avoid pushd/popd bashism in testsuite (!1180)

Merge Request !1180 was approved by Tim Rühsen

Merge Request url: https://gitlab.com/gnutls/gnutls/merge_requests/1180
Project:Branches: ametzler/gnutls:tmp-20200126-bashismintest to gnutls/gnutls:master
Author: Andreas Metzler
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1180

From gnutls-devel at lists.gnutls.org Mon Jan 27 09:46:37 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 27 Jan 2020 08:46:37 +0000
Subject: [gnutls-devel] GnuTLS | New CI runner with clang ubsan+asan (!1151)

Tim Rühsen pushed new commits to merge request !1151
https://gitlab.com/gnutls/gnutls/merge_requests/1151

* 876c9a95...25eb1dfa - 10 commits from branch `master`
* ec548672 - Add runners for clang/LLVM UBSAN and ASAN
* 1d4b6cdd - Fix -Wtypedef-redefinition in tests/tls13/anti_replay.c
* 9412c75a - Fix "implicit conversion from type 'int' of value -1 to 'unsigned'"
* 8e941973 - Fix "implicit conversion from type 'int' of value -1 to 'unsigned'"
* ce540e02 - Fix "implicit conversion from type 'int' of value -1 to 'unsigned'"
* fa9814d1 - Fix "implicit conversion from type 'int' of value -1 to 'unsigned'"
* 072babbb - Fix "implicit conversion from type 'int' < 0 to 'unsigned'"
* e003f4c0 - Fix "implicit conversion from type 'int' < 0 to 'unsigned'"
* 3d791bfe - Fix "implicit conversion from type 'int' -1 to 'unsigned'"
* d33b16f9 - Fix "implicit conversion from type 'uint32_t' to 'uint8_t' with value >255"
* 97f76d94 - Fix checks in mpi.c:__gnutls_x509_write_int()
* 1c5ba9ac - Fix "implicit conversion from type 'int' -1 to 'unsigned'"

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1151

From gnutls-devel at lists.gnutls.org Mon Jan 27 12:50:06 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 27 Jan 2020 11:50:06 +0000
Subject: [gnutls-devel] GnuTLS | New CI runner with clang ubsan+asan (!1151)

Tim Rühsen commented on a discussion on .gitlab-ci.yml: https://gitlab.com/gnutls/gnutls/merge_requests/1151#note_277295816

> + - ./bootstrap > + - export UBSAN_OPTIONS=print_stacktrace=1:report_error_type=1:suppressions=$(pwd)/devel/ubsan.supp > + - export LSAN_OPTIONS=suppressions=$(pwd)/devel/lsan.supp > + - export ASAN_SYMBOLIZER_PATH=/usr/bin/llvm-symbolizer > + - export CC=clang > + - export CXX=clang++ > + > +# This makes several tests fail, needs discussion if helpful > +# - export CFLAGS="-std=c99 -O1 -g -Werror -fno-omit-frame-pointer -fsanitize=undefined,integer,nullability,bool,alignment,null,enum,address,leak,nonnull-attribute -fno-sanitize-recover=all -fsanitize-recover=unsigned-integer-overflow -fsanitize-address-use-after-scope" > + > +# This is from OSS-Fuzz (20.12.2019) > + - export CFLAGS="-std=c99 -O1 -g -Werror -fno-omit-frame-pointer -fsanitize=array-bounds,bool,builtin,enum,float-divide-by-zero,function,integer-divide-by-zero,null,object-size,return,returns-nonnull-attribute,shift,signed-integer-overflow,unsigned-integer-overflow,unreachable,vla-bound,vptr,address,leak,alignment -fno-sanitize-recover=all -fsanitize-recover=unsigned-integer-overflow -fsanitize-address-use-after-scope" > + > + - export CXXFLAGS="$CFLAGS" > + > +# --disable-tls13-interop because tests/suite/testcompat-tls13-openssl.sh fails with clang sanitizers

I accidentally had `--disable-tls13-interop` in my ASAN tests, that's why they succeeded.

`testcompat-tls13-openssl.sh` fails even with the most basic address sanitize options. Tested with clang-8, clang-9 and clang-10. The sanitizer itself doesn't trigger. So there must be some subtleties going on - not sure why OSS-Fuzz with its many projects doesn't stumble upon it somewhere.
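Review bot: `export CXXFLAGS="$CFLAGS"` in the quoted .gitlab-ci.yml hunk for !1151 copies `-std=c99` into the C++ flags, and clang++ rejects a C language standard for C++ input, so any C++ source built in this job would fail to compile. Keep the shared sanitizer options in one variable and add `-std=c99` to CFLAGS only. The commented-out alternative CFLAGS line ("needs discussion if helpful") and the `--disable-tls13-interop` workaround comment would also be easier to follow up on if each pointed at an issue number, so the disabled interop test is not forgotten once the runner is merged.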
```
CFLAGS="-fsanitize=address" CC=clang ./configure --disable-guile --disable-doc --disable-hardware-acceleration
make clean
make -j$(nproc)
make check -j$(nproc) -C tests TESTS="setcredcrash"
make check -j$(nproc) -C tests/suite TESTS=testcompat-tls13-openssl.sh
```

The setcredcrash line just builds everything in `tests/`, else `testcompat-tls13-openssl.sh` will SKIP. Like a dependency issue in `tests/suite/Makefile.am`.

Either we leave out the ASAN runner or we use `--disable-tls13-interop` until we have tracked down the real issue.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1151#note_277295816

From gnutls-devel at lists.gnutls.org Mon Jan 27 17:52:46 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 27 Jan 2020 16:52:46 +0000
Subject: [gnutls-devel] GnuTLS | support non-NULL-terminated PSKs (!917)

Nikos Mavrogiannopoulos commented:

@juaristi it does not seem to pass the CI

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/917#note_277546980

From gnutls-devel at lists.gnutls.org Mon Jan 27 17:55:04 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 27 Jan 2020 16:55:04 +0000
Subject: [gnutls-devel] GnuTLS | support non-NULL-terminated PSKs (!917)

Nikos Mavrogiannopoulos commented on a discussion on lib/str.h: https://gitlab.com/gnutls/gnutls/merge_requests/917#note_277548273

> return 1; > } > > +inline static int _gnutls_has_embedded_null(const char *str, unsigned size)

Feel free to make it bool; the introduction of bool in best practices for the project is relatively recent, so there is old code not using it.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/917#note_277548273

From gnutls-devel at lists.gnutls.org Mon Jan 27 17:56:47 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 27 Jan 2020 16:56:47 +0000
Subject: [gnutls-devel] GnuTLS | support non-NULL-terminated PSKs (!917)

Nikos Mavrogiannopoulos commented:

The LGTM issue can most likely be solved by a rebase, but the ABI error, I do not know. Is it related to the new changes?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/917#note_277549203

From gnutls-devel at lists.gnutls.org Mon Jan 27 18:38:56 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 27 Jan 2020 17:38:56 +0000
Subject: [gnutls-devel] GnuTLS | WIP: Support for GOST-CTR ciphersuites from draft-smyshlyaec-tls12-gost-suites (!1144)
In-Reply-To:
References:
Message-ID:

Dmitry Baryshkov pushed new commits to merge request !1144
https://gitlab.com/gnutls/gnutls/-/merge_requests/1144

* 6ab20d77...25eb1dfa - 42 commits from branch `master`
* edcfb161 - nettle/gost: export gost28147_decrypt_simple for magma cipher
* 48e3f3a6 - nettle/gost: add Magma code
* 11ef8b76 - nettle/gost: add Kuznyechik code
* 4d9db7dc - nettle/gost: add CMAC-64/Magma/Kuznyechik code
* 0e1e470d - nettle/gost: add ACPKM rekeying code
* 681c509d - lib: add Magma/Kuznyechik ciphers support
* 689a1a99 - lib: add Magma/Kuznyechik OMAC support
* 00037eef - selftests: add test vectors for MAGMA/KUZNYECHIK-OMAC
* 0a09de44 - cipher/mac: enhance handlers with setkey callback
* 6fa60064 - crypto-api: add _gnutls_cipher_set_key wrapper()
* 0ce2540f - crypto-selftest: add test vectors for MAGMA/KUZNYECHIK-CTR-ACPKM
* b76e7e45 - lib: support nonce generation by addition to sequence number
* abac2286 - nettle/int: add GOST KEXP15 key export/import support
* d06841da - nettle/int: add GOST KDF support
* 7518da60 - lib: gost KEG key export generation support
* 6c329397 - auth: add VKO_KDF_GOST support
* e9685285 - nettle/int: add TLSTREE implementation
* fa8e1493 - lib: support TLSTREE rekeying
* 61e01df9 - handshake: use proper data length for Finished messages
* 4bd88860 - ciphersuites: add new GOST CTR_ACPKM_OMAC ciphersuites
* cbe16017 - priority: extend GOST keywords to contain MAGMA/KUZNYECHIK
* bf511772 - cli: benchmark MAGMA/KUZNYECHIK

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1144
From gnutls-devel at lists.gnutls.org Mon Jan 27 19:58:18 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 27 Jan 2020 18:58:18 +0000
Subject: [gnutls-devel] GnuTLS | MAGMA/KUZNYECHIK CTR-ACPKM and CMAC support (!1161)
In-Reply-To:
References:
Message-ID:

Dmitry Baryshkov pushed new commits to merge request !1161
https://gitlab.com/gnutls/gnutls/-/merge_requests/1161

* 06e044f9...25eb1dfa - 20 commits from branch `master`
* edcfb161 - nettle/gost: export gost28147_decrypt_simple for magma cipher
* 48e3f3a6 - nettle/gost: add Magma code
* 11ef8b76 - nettle/gost: add Kuznyechik code
* 1833446f - nettle/gost: add CMAC-64/Magma/Kuznyechik code
* cea03d8d - nettle/gost: add ACPKM rekeying code
* 972ecc3a - lib: add Magma/Kuznyechik ciphers support
* 2ab3ee50 - lib: add Magma/Kuznyechik OMAC support
* aa0e193a - selftests: add test vectors for MAGMA/KUZNYECHIK-OMAC
* f61d9973 - cipher/mac: enhance handlers with setkey callback
* 1d77567b - crypto-api: add _gnutls_cipher_set_key wrapper()
* 0c9c3fb4 - crypto-selftest: add test vectors for MAGMA/KUZNYECHIK-CTR-ACPKM

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1161

From gnutls-devel at lists.gnutls.org Tue Jan 28 02:11:37 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 28 Jan 2020 01:11:37 +0000
Subject: [gnutls-devel] GnuTLS | add support for local threads with studio and ibm compilers (!1181)
References:
Message-ID:

Björn Jacke created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1181

Project:Branches: bjacke/gnutls:localthreads to gnutls/gnutls:master
Author: Björn Jacke

Add a description of the new feature/bug fix. Reference any relevant bugs.

add support for local threads with studio and ibm compilers

## Checklist
* [ ] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [ ] Code modified for feature
* [ ] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
* [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:
* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1181

From gnutls-devel at lists.gnutls.org Tue Jan 28 08:41:41 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 28 Jan 2020 07:41:41 +0000
Subject: [gnutls-devel] GnuTLS | WIP: Support for GOST-CTR ciphersuites from draft-smyshlyaec-tls12-gost-suites (!1144)
In-Reply-To:
References:
Message-ID:

Dmitry Baryshkov pushed new commits to merge request !1144
https://gitlab.com/gnutls/gnutls/-/merge_requests/1144

* 1833446f - nettle/gost: add CMAC-64/Magma/Kuznyechik code
* cea03d8d - nettle/gost: add ACPKM rekeying code
* 972ecc3a - lib: add Magma/Kuznyechik ciphers support
* 2ab3ee50 - lib: add Magma/Kuznyechik OMAC support
* aa0e193a - selftests: add test vectors for MAGMA/KUZNYECHIK-OMAC
* f61d9973 - cipher/mac: enhance handlers with setkey callback
* 1d77567b - crypto-api: add _gnutls_cipher_set_key wrapper()
* 0c9c3fb4 - crypto-selftest: add test vectors for MAGMA/KUZNYECHIK-CTR-ACPKM
* 96ef0b08 - lib: support nonce generation by addition to sequence number
* 6d745d3b - nettle/int: add GOST KEXP15 key export/import support
* 4b565ff5 - nettle/int: add GOST KDF support
* 7d668121 - lib: gost KEG key export generation support
* 2cb66df5 - auth: add VKO_KDF_GOST support
* c8cd2224 - nettle/int: add TLSTREE implementation
* cd45a916 - lib: support TLSTREE rekeying
* 818b7eff - handshake: use proper data length for Finished messages
* 34943d5d - ciphersuites: add new GOST CTR_ACPKM_OMAC ciphersuites
* 947fae4a - priority: extend GOST keywords to contain MAGMA/KUZNYECHIK
* 0100d214 - cli: benchmark MAGMA/KUZNYECHIK

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1144

From gnutls-devel at lists.gnutls.org Tue Jan 28 08:57:44 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 28 Jan 2020 07:57:44 +0000
Subject: [gnutls-devel] GnuTLS | no such instruction: `xgetbv' when compiling for macOS (#914)
In-Reply-To:
References:
Message-ID:

Pierre Ossman (Work account) commented:

Thanks. That should be sufficient workaround for us for now.

Feel free to close this issue if you want. We can revisit it once we've upgraded our toolchain.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/914#note_277847968

From gnutls-devel at lists.gnutls.org Tue Jan 28 09:21:19 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 28 Jan 2020 08:21:19 +0000
Subject: [gnutls-devel] GnuTLS | WIP: Support for GOST-CTR ciphersuites from draft-smyshlyaec-tls12-gost-suites (!1144)
In-Reply-To:
References:
Message-ID:

Tim Rühsen commented:

This pull request **introduces 1 alert** when merging 0100d214396d28945e054b5c95393f6eac2724fe into 25eb1dfa7a84b4fe465c4fe333f95e6eb8a9325f - [view on LGTM.com](https://lgtm.com/projects/gl/gnutls/gnutls/rev/pr-8c1772003aab724fb0e305926d28cc0085576bf6)

**new alerts:**

* 1 for FIXME comment

---

*Comment posted by [LGTM.com](https://lgtm.com)*

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1144#note_277858778

From gnutls-devel at lists.gnutls.org Tue Jan 28 10:46:55 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 28 Jan 2020 09:46:55 +0000
Subject: [gnutls-devel] GnuTLS | add support for local threads with studio and ibm compilers (!1181)
In-Reply-To:
References:
Message-ID:

Merge Request !1181 was approved by Tim Rühsen

Merge Request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1181
Project:Branches: bjacke/gnutls:localthreads to gnutls/gnutls:master
Author: Björn Jacke
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1181

From gnutls-devel at lists.gnutls.org Tue Jan 28 10:47:08 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 28 Jan 2020 09:47:08 +0000
Subject: [gnutls-devel] GnuTLS | add support for local threads with studio and ibm compilers (!1181)
In-Reply-To:
References:
Message-ID:

Merge Request !1181 was merged

Merge Request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1181
Project:Branches: bjacke/gnutls:localthreads to gnutls/gnutls:master
Author: Björn Jacke
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1181

From gnutls-devel at lists.gnutls.org Tue Jan 28 10:47:17 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 28 Jan 2020 09:47:17 +0000
Subject: [gnutls-devel] GnuTLS | add support for local threads with studio and ibm compilers (!1181)
In-Reply-To:
References:
Message-ID:

Tim Rühsen commented:

Thank you !

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1181#note_277913696

From gnutls-devel at lists.gnutls.org Tue Jan 28 10:51:56 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 28 Jan 2020 09:51:56 +0000
Subject: [gnutls-devel] GnuTLS | New CI runner with clang ubsan+asan (!1151)
In-Reply-To:
References:
Message-ID:

Tim Rühsen pushed new commits to merge request !1151
https://gitlab.com/gnutls/gnutls/-/merge_requests/1151

* 5b20a0ee - Add runners for clang/LLVM UBSAN and ASAN
* 84812c99 - Fix -Wtypedef-redefinition in tests/tls13/anti_replay.c
* 352de531 - Fix "implicit conversion from type 'int' of value -1 to 'unsigned'"
* 58c3ee85 - Fix "implicit conversion from type 'int' of value -1 to 'unsigned'"
* af1186da - Fix "implicit conversion from type 'int' of value -1 to 'unsigned'"
* 4cb57594 - Fix "implicit conversion from type 'int' of value -1 to 'unsigned'"
* c80d752e - Fix "implicit conversion from type 'int' < 0 to 'unsigned'"
* 14482927 - Fix "implicit conversion from type 'int' < 0 to 'unsigned'"
* ac25c589 - Fix "implicit conversion from type 'int' -1 to 'unsigned'"
* b75969ed - Fix "implicit conversion from type 'uint32_t' to 'uint8_t' with value >255"
* 10e27467 - Fix checks in mpi.c:__gnutls_x509_write_int()
* 6144bb8f - Fix "implicit conversion from type 'int' -1 to 'unsigned'"

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1151

From gnutls-devel at lists.gnutls.org Tue Jan 28 10:59:13 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 28 Jan 2020 09:59:13 +0000
Subject: [gnutls-devel] GnuTLS | clang ASAN fails on testcompat-tls13-openssl.sh (#920)
References:
Message-ID:

Tim Rühsen created an issue: https://gitlab.com/gnutls/gnutls/issues/920

`testcompat-tls13-openssl.sh` fails even with the most basic clang/llvm address sanitize options. Tested with clang-8, clang-9 and clang-10.

The sanitizer itself doesn't trigger (or at least there is no output). So there must be some subtleties going on - not sure why OSS-Fuzz with its many projects doesn't stumble upon it somewhere.

```
CFLAGS="-fsanitize=address" CC=clang ./configure --disable-guile --disable-doc --disable-hardware-acceleration
make clean
make -j$(nproc)
make check -j$(nproc) -C tests TESTS="setcredcrash"
make check -j$(nproc) -C tests/suite TESTS=testcompat-tls13-openssl.sh
```

The setcredcrash line just builds everything in `tests/`, else `testcompat-tls13-openssl.sh` will SKIP. Like a dependency issue in `tests/suite/Makefile.am`.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/920

From gnutls-devel at lists.gnutls.org Tue Jan 28 11:04:03 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 28 Jan 2020 10:04:03 +0000
Subject: [gnutls-devel] GnuTLS | Missing dependency rule in tests/suite/Makefile.am (#921)
References:
Message-ID:

Tim Rühsen created an issue: https://gitlab.com/gnutls/gnutls/issues/921

The following SKIPs

```
./configure --disable-doc
make clean
make -j$(nproc)
make check -j$(nproc) -C tests/suite TESTS=testcompat-tls13-openssl.sh
```

due to

```
$ cat tests/suite/testcompat-tls13-openssl.log
/usr/bin/datefudge: 107: exec: ../../tests/datefudge-check: not found
You need datefudge to run this test
SKIP testcompat-tls13-openssl.sh (exit status: 77)
```

This is annoying because you have to `make check` before you can test the single test above.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/921

From gnutls-devel at lists.gnutls.org Tue Jan 28 11:06:13 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 28 Jan 2020 10:06:13 +0000
Subject: [gnutls-devel] GnuTLS | Merge CI clang UBSAN + ASAN runners (#922)
References:
Message-ID:

Tim Rühsen created an issue: https://gitlab.com/gnutls/gnutls/issues/922

This is only blocked by #920

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/922

From gnutls-devel at lists.gnutls.org Tue Jan 28 11:09:06 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 28 Jan 2020 10:09:06 +0000
Subject: [gnutls-devel] GnuTLS | pkcs12: do not go try calculating pbkdf2 with 0 iterations (!1182)
References:
Message-ID:

Dmitry Baryshkov created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1182

Project:Branches: GostCrypt/gnutls:fix-pkcs12-iter to gnutls/gnutls:master
Author: Dmitry Baryshkov

Fix https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=20356.

## Checklist
* [x] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [x] Code modified for feature
* [x] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
* [x] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:
* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1182

From gnutls-devel at lists.gnutls.org Tue Jan 28 11:10:04 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 28 Jan 2020 10:10:04 +0000
Subject: [gnutls-devel] GnuTLS | New CI runner with clang ubsan+asan (!1151)
In-Reply-To:
References:
Message-ID:

All discussions on Merge Request !1151 were resolved by Tim Rühsen
https://gitlab.com/gnutls/gnutls/-/merge_requests/1151

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1151

From gnutls-devel at lists.gnutls.org Tue Jan 28 11:10:05 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 28 Jan 2020 10:10:05 +0000
Subject: [gnutls-devel] GnuTLS | New CI runner with clang ubsan+asan (!1151)
In-Reply-To:
References:
Message-ID:

Tim Rühsen commented on a discussion on .gitlab-ci.yml: https://gitlab.com/gnutls/gnutls/-/merge_requests/1151#note_277929792

> + - ./bootstrap > + - export UBSAN_OPTIONS=print_stacktrace=1:report_error_type=1:suppressions=$(pwd)/devel/ubsan.supp > + - export LSAN_OPTIONS=suppressions=$(pwd)/devel/lsan.supp > + - export ASAN_SYMBOLIZER_PATH=/usr/bin/llvm-symbolizer > + - export CC=clang > + - export CXX=clang++ > + > +# This makes several tests fail, needs discussion if helpful > +# - export CFLAGS="-std=c99 -O1 -g -Werror -fno-omit-frame-pointer -fsanitize=undefined,integer,nullability,bool,alignment,null,enum,address,leak,nonnull-attribute -fno-sanitize-recover=all -fsanitize-recover=unsigned-integer-overflow -fsanitize-address-use-after-scope" > + > +# This is from OSS-Fuzz (20.12.2019) > + - export CFLAGS="-std=c99 -O1 -g -Werror -fno-omit-frame-pointer -fsanitize=array-bounds,bool,builtin,enum,float-divide-by-zero,function,integer-divide-by-zero,null,object-size,return,returns-nonnull-attribute,shift,signed-integer-overflow,unsigned-integer-overflow,unreachable,vla-bound,vptr,address,leak,alignment -fno-sanitize-recover=all -fsanitize-recover=unsigned-integer-overflow -fsanitize-address-use-after-scope" > + > + - export CXXFLAGS="$CFLAGS" > + > +# --disable-tls13-interop because tests/suite/testcompat-tls13-openssl.sh fails with clang sanitizers

Opened issues #920, #921 and #922.

In the meantime, `--disable-tls13-interop` has to be used in the ASAN runner.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1151#note_277929792
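
Review bot: `export CXXFLAGS="$CFLAGS"` near the end of this .gitlab-ci.yml hunk carries `-std=c99` into the C++ flags, and clang++ rejects a C language standard in C++ mode, so any C++ source built by this job fails to compile before a sanitizer ever runs; keep the sanitizer options in one shared variable and add `-std=c99` to CFLAGS only. In the active CFLAGS line, `-fsanitize-recover=unsigned-integer-overflow` after `-fno-sanitize-recover=all` also means unsigned-overflow reports are printed while the test still exits 0, so the job stays green unless the logs are searched for `runtime error:`; if report-only is intended, a comment next to the flag should say so.
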
From gnutls-devel at lists.gnutls.org Tue Jan 28 11:34:20 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 28 Jan 2020 10:34:20 +0000
Subject: [gnutls-devel] GnuTLS | New CI runner with clang ubsan+asan (!1151)
In-Reply-To:
References:
Message-ID:

Dmitry Baryshkov started a new discussion on lib/alert.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1151#note_277953388

> data[1], name); > > if ((ret = > - _gnutls_send_int(session, GNUTLS_ALERT, -1, > + _gnutls_send_int(session, GNUTLS_ALERT, (gnutls_handshake_description_t) -1,

handshake description is used here to check which version should go into record header and it should just differ from `GNUTLS_HANDSHAKE_CLIENT_HELLO`. Maybe it would be cleaner to introduce `GNUTLS_HANDSHAKE_AFTER_HANDSHAKE` or `GNUTLS_HANDSHAKE_NOT_HANDSHAKE`?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1151#note_277953388

From gnutls-devel at lists.gnutls.org Tue Jan 28 11:37:17 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 28 Jan 2020 10:37:17 +0000
Subject: [gnutls-devel] GnuTLS | New CI runner with clang ubsan+asan (!1151)
In-Reply-To:
References:
Message-ID:

Dmitry Baryshkov started a new discussion on lib/alert.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1151#note_277956388

> data[1], name); > > if ((ret = > - _gnutls_send_int(session, GNUTLS_ALERT, -1, > + _gnutls_send_int(session, GNUTLS_ALERT, (gnutls_handshake_description_t) -1,

handshake description is used here to check which version should go into record header and it should just differ from `GNUTLS_HANDSHAKE_CLIENT_HELLO`. It would be easier to use `GNUTLS_HANDSHAKE_ANY` here.

BTW: shouldn't we include it into `gnutls_handshake_description_t` enum?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1151#note_277956388

From gnutls-devel at lists.gnutls.org Tue Jan 28 11:39:10 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 28 Jan 2020 10:39:10 +0000
Subject: [gnutls-devel] GnuTLS | New CI runner with clang ubsan+asan (!1151)
In-Reply-To:
References:
Message-ID:

Dmitry Baryshkov started a new discussion on lib/num.h: https://gitlab.com/gnutls/gnutls/-/merge_requests/1151#note_277958512

> { > data[0] = num >> 16; > data[1] = num >> 8; > - data[2] = num; > + data[2] = (uint8_t) num;

`num & 0xff`?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1151#note_277958512

From gnutls-devel at lists.gnutls.org Tue Jan 28 11:39:27 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 28 Jan 2020 10:39:27 +0000
Subject: [gnutls-devel] GnuTLS | New CI runner with clang ubsan+asan (!1151)
In-Reply-To:
References:
Message-ID:

Dmitry Baryshkov started a new discussion on lib/mpi.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1151#note_277958800

> s_len = 0; > if (flags & GNUTLS_X509_INT_LZ) > result = _gnutls_mpi_print_lz(mpi, NULL, &s_len); > - else if (GNUTLS_X509_INT_LE) > + else if (flags & GNUTLS_X509_INT_LE)

Mea culpa :-(

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1151#note_277958800

From gnutls-devel at lists.gnutls.org Tue Jan 28 11:40:49 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 28 Jan 2020 10:40:49 +0000
Subject: [gnutls-devel] GnuTLS | New CI runner with clang ubsan+asan (!1151)
In-Reply-To:
References:
Message-ID:

Dmitry Baryshkov started a new discussion on lib/record.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1151#note_277960508

> if (ret != 0) > return ret; > > - ret = _gnutls_recv_in_buffers(session, type, -1, ms); > + ret = _gnutls_recv_in_buffers(session, type, (gnutls_handshake_description_t) -1, ms);

`GNUTLS_HANDSHAKE_ANY`?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1151#note_277960508

From gnutls-devel at lists.gnutls.org Tue Jan 28 11:43:03 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 28 Jan 2020 10:43:03 +0000
Subject: [gnutls-devel] GnuTLS | New CI runner with clang ubsan+asan (!1151)
In-Reply-To:
References:
Message-ID:

Dmitry Baryshkov started a new discussion on lib/x509/verify.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1151#note_277962689

> } > sigalg = ret; > > - se = _gnutls_sign_to_entry(sigalg); > + se = _gnutls_sign_to_entry((gnutls_sign_algorithm_t) sigalg);

It might be cleaner to change `sigalg` to `gnutls_sign_algorithm_t` and use `se != NULL` instead of `sigalg < 0` further on.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1151#note_277962689

From gnutls-devel at lists.gnutls.org Tue Jan 28 11:52:56 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 28 Jan 2020 10:52:56 +0000
Subject: [gnutls-devel] GnuTLS | New CI runner with clang ubsan+asan (!1151)
In-Reply-To:
References:
Message-ID:

Tim Rühsen commented on a discussion on lib/alert.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1151#note_277969687

> data[1], name); > > if ((ret = > - _gnutls_send_int(session, GNUTLS_ALERT, -1, > + _gnutls_send_int(session, GNUTLS_ALERT, (gnutls_handshake_description_t) -1,

I think so as well and wonder why `GNUTLS_HANDSHAKE_ANY` isn't included in the enum.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1151#note_277969687

From gnutls-devel at lists.gnutls.org Tue Jan 28 11:56:19 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 28 Jan 2020 10:56:19 +0000
Subject: [gnutls-devel] GnuTLS | New CI runner with clang ubsan+asan (!1151)
In-Reply-To:
References:
Message-ID:

Tim Rühsen commented on a discussion on lib/num.h: https://gitlab.com/gnutls/gnutls/-/merge_requests/1151#note_277971900

> { > data[0] = num >> 16; > data[1] = num >> 8; > - data[2] = num; > + data[2] = (uint8_t) num;

Isn't that just a matter of favor ? I think (uint8_t) makes it clearer, while & 0xff still leaves the right side as uint32_t - which might trigger another compiler warning (implicit 32bit to 8bit conversion).

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1151#note_277971900

From gnutls-devel at lists.gnutls.org Tue Jan 28 11:58:23 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 28 Jan 2020 10:58:23 +0000
Subject: [gnutls-devel] GnuTLS | New CI runner with clang ubsan+asan (!1151)
In-Reply-To:
References:
Message-ID:

Tim Rühsen commented on a discussion on lib/mpi.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1151#note_277973162

> s_len = 0; > if (flags & GNUTLS_X509_INT_LZ) > result = _gnutls_mpi_print_lz(mpi, NULL, &s_len); > - else if (GNUTLS_X509_INT_LE) > + else if (flags & GNUTLS_X509_INT_LE)

Can we resolve this ?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1151#note_277973162

From gnutls-devel at lists.gnutls.org Tue Jan 28 12:08:02 2020
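
Review bot: with `else if (flags & GNUTLS_X509_INT_LE)` in the lib/mpi.c hunk, whatever branch follows this `else if` becomes reachable for the first time, because the removed `else if (GNUTLS_X509_INT_LE)` tested the constant instead of `flags` and was therefore taken whenever the LZ bit was clear (assuming the constant is non-zero). Callers that pass neither flag now get different behaviour, so the change should come with a test that calls the function once with each flag and once with neither, and the commit message should state that behaviour changes rather than only that a check was fixed.
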
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 28 Jan 2020 11:08:02 +0000
Subject: [gnutls-devel] GnuTLS | New CI runner with clang ubsan+asan (!1151)
In-Reply-To:
References:
Message-ID:

Dmitry Baryshkov commented on a discussion on lib/num.h: https://gitlab.com/gnutls/gnutls/-/merge_requests/1151#note_277979131

> { > data[0] = num >> 16; > data[1] = num >> 8; > - data[2] = num; > + data[2] = (uint8_t) num;

Sure

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1151#note_277979131

From gnutls-devel at lists.gnutls.org Tue Jan 28 13:12:01 2020
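
Review bot: only `data[2]` receives the `(uint8_t)` cast in the lib/num.h hunk, while `data[1] = num >> 8` in the context lines still stores a value above 255 for any `num` larger than 0xffff, and `data[0] = num >> 16` does the same once `num` exceeds 24 bits, so if `data` is a byte buffer as the cast implies, the same implicit-conversion report applies to those two stores. Cast all three stores the same way so the function is consistent and the sanitizer finding does not simply move up one line.
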
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 28 Jan 2020 12:12:01 +0000
Subject: [gnutls-devel] GnuTLS | New CI runner with clang ubsan+asan (!1151)
In-Reply-To:
References:
Message-ID:

Tim Rühsen pushed new commits to merge request !1151
https://gitlab.com/gnutls/gnutls/-/merge_requests/1151

* f84d9a1a...a11282d2 - 2 commits from branch `master`
* 0ec4eb75 - Add runners for clang/LLVM UBSAN and ASAN
* 91baa213 - Fix -Wtypedef-redefinition in tests/tls13/anti_replay.c
* 0ec3252c - Fix "implicit conversion from type 'int' of value -1 to 'unsigned'"
* 77a953b5 - Fix "implicit conversion from type 'int' of value -1 to 'unsigned'"
* a4e12c32 - Fix "implicit conversion from type 'int' of value -1 to 'unsigned'"
* da7a2d60 - Fix "implicit conversion from type 'int' of value -1 to 'unsigned'"
* e6eb6cb3 - Fix "implicit conversion from type 'int' < 0 to 'unsigned'"
* 643d814c - Fix "implicit conversion from type 'int' < 0 to 'unsigned'"
* d6f614a6 - Fix "implicit conversion from type 'int' -1 to 'unsigned'"
* b4b153b0 - Fix "implicit conversion from type 'uint32_t' to 'uint8_t' with value >255"
* a53814fe - Fix checks in mpi.c:__gnutls_x509_write_int()
* 03a70ed7 - Fix "implicit conversion from type 'int' -1 to 'unsigned'"

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1151

From gnutls-devel at lists.gnutls.org Tue Jan 28 13:12:55 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 28 Jan 2020 12:12:55 +0000
Subject: [gnutls-devel] GnuTLS | New CI runner with clang ubsan+asan (!1151)
In-Reply-To:
References:
Message-ID:

Tim Rühsen commented on a discussion on lib/alert.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1151#note_278016135

> data[1], name); > > if ((ret = > - _gnutls_send_int(session, GNUTLS_ALERT, -1, > + _gnutls_send_int(session, GNUTLS_ALERT, (gnutls_handshake_description_t) -1,

Changed some more lines from -1 to GNUTLS_HANDSHAKE_ANY.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1151#note_278016135

From gnutls-devel at lists.gnutls.org Tue Jan 28 13:13:22 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 28 Jan 2020 12:13:22 +0000
Subject: [gnutls-devel] GnuTLS | New CI runner with clang ubsan+asan (!1151)
In-Reply-To:
References:
Message-ID:

All discussions on Merge Request !1151 were resolved by Tim Rühsen
https://gitlab.com/gnutls/gnutls/-/merge_requests/1151

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1151

From gnutls-devel at lists.gnutls.org Tue Jan 28 13:44:13 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 28 Jan 2020 12:44:13 +0000
Subject: [gnutls-devel] GnuTLS | pkcs12: do not go try calculating pbkdf2 with 0 iterations (!1182)

Nikos Mavrogiannopoulos commented:

LGTM. What I realized from this MR is that `GNUTLS_E_INVALID_REQUEST` may not be the right error code when input file is invalid. However that's not because of this MR.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1182#note_278036682

From gnutls-devel at lists.gnutls.org Tue Jan 28 13:44:18 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 28 Jan 2020 12:44:18 +0000
Subject: [gnutls-devel] GnuTLS | pkcs12: do not go try calculating pbkdf2 with 0 iterations (!1182)

Merge Request !1182 was approved by Nikos Mavrogiannopoulos

Merge Request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1182
Project:Branches: GostCrypt/gnutls:fix-pkcs12-iter to gnutls/gnutls:master
Author: Dmitry Baryshkov
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1182

From gnutls-devel at lists.gnutls.org Tue Jan 28 13:47:21 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 28 Jan 2020 12:47:21 +0000 Subject: [gnutls-devel] GnuTLS | clang ASAN fails on testcompat-tls13-openssl.sh (#920) In-Reply-To: References: Message-ID: Dmitry Baryshkov commented: I have tried debugging this. It looks like it's openssl who behaves differently and shuts down early. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/920#note_278038585 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Jan 28 14:11:26 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 28 Jan 2020 13:11:26 +0000 Subject: [gnutls-devel] GnuTLS | New CI runner with clang ubsan+asan (!1151) In-Reply-To: References: Message-ID: Tim Rühsen commented on a discussion on lib/alert.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1151#note_278055482 > data[1], name); > > if ((ret = > - _gnutls_send_int(session, GNUTLS_ALERT, -1, > + _gnutls_send_int(session, GNUTLS_ALERT, (gnutls_handshake_description_t) -1, Putting GNUTLS_HANDSHAKE_ANY into the enum breaks the ABI checker. But I think, it's the right thing to do. @nmav ? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1151#note_278055482 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Jan 28 14:17:03 2020 
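Review bot: on the `+` line of the lib/alert.c hunk, the cast `(gnutls_handshake_description_t) -1` keeps the magic value and only turns the implicit conversion into an explicit one, so the call still does not say what -1 means for `_gnutls_send_int()`. A named constant for that value at this call site would document the intent and remove the cast; whether that name belongs in the public enum or in an internal header is an ABI decision the visible lines do not settle.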
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 28 Jan 2020 13:17:03 +0000
Subject: [gnutls-devel] GnuTLS | clang ASAN fails on testcompat-tls13-openssl.sh (#920)

Tim Rühsen commented:

But you also have no explanation (or theory)?

My theory is, the client behaves differently (different bits on the wire). Because the openssl server is otherwise not affected - it simply doesn't know about how the client has been built.

We could make a tcpdump (with and without ASAN) and compare both.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/920#note_278059703

From gnutls-devel at lists.gnutls.org Tue Jan 28 14:19:50 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 28 Jan 2020 13:19:50 +0000
Subject: [gnutls-devel] GnuTLS | clang ASAN fails on testcompat-tls13-openssl.sh (#920)

Dmitry Baryshkov commented:

Things are worse. I can reproduce such failure even on non-sanitizer build locally. And I can not reproduce the failure if I run the server and the client by hand.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/920#note_278061432

From gnutls-devel at lists.gnutls.org Tue Jan 28 14:23:30 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 28 Jan 2020 13:23:30 +0000
Subject: [gnutls-devel] GnuTLS | clang ASAN fails on testcompat-tls13-openssl.sh (#920)

Tim Rühsen commented:

Oh, I never could reproduce it without -fsanitize=address.

This feels like either a timing / race-condition issue or about stdin/stdout/stderr handling. What shell are you using?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/920#note_278063827

From gnutls-devel at lists.gnutls.org Tue Jan 28 14:24:44 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 28 Jan 2020 13:24:44 +0000
Subject: [gnutls-devel] GnuTLS | clang ASAN fails on testcompat-tls13-openssl.sh (#920)

Tim Rühsen commented:

Here: OpenSSL 1.1.1d 10 Sep 2019

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/920#note_278064616

From gnutls-devel at lists.gnutls.org Tue Jan 28 14:28:03 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 28 Jan 2020 13:28:03 +0000
Subject: [gnutls-devel] GnuTLS | clang ASAN fails on testcompat-tls13-openssl.sh (#920)

Dmitry Baryshkov commented:

OpenSSL 1.1.1d 10 Sep 2019
GNU bash, version 5.0.11(1)-release (x86_64-pc-linux-gnu)

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/920#note_278066699

From gnutls-devel at lists.gnutls.org Tue Jan 28 14:29:21 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 28 Jan 2020 13:29:21 +0000
Subject: [gnutls-devel] GnuTLS | clang ASAN fails on testcompat-tls13-openssl.sh (#920)

Dmitry Baryshkov commented:

Note: s_server quits on its own, it exits on its own at some point. Removing -early_data from the respective server command line makes it work.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/920#note_278067546

From gnutls-devel at lists.gnutls.org Tue Jan 28 14:33:57 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 28 Jan 2020 13:33:57 +0000
Subject: [gnutls-devel] GnuTLS | clang ASAN fails on testcompat-tls13-openssl.sh (#920)

Tim Rühsen commented:

BTW

```
Checking TLS 1.3 with Ed448 certificate...
curve448/cnd-copy.c:46:10: runtime error: negation of 1 cannot be represented in type 'mp_limb_t' (aka 'unsigned long')
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior curve448/cnd-copy.c:46:10 in
curve448/sec-tabselect.c:58:24: runtime error: negation of 1 cannot be represented in type 'mp_limb_t' (aka 'unsigned long')
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior curve448/sec-tabselect.c:58:24 in
curve448/sec-tabselect.c:56:38: runtime error: unsigned integer overflow: 0 - 1 cannot be represented in type 'unsigned int'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior curve448/sec-tabselect.c:56:38 in
curve448/ecc-curve448.c:99:14: runtime error: unsigned integer overflow: 4294967296 + 18446744069414584320 cannot be represented in type 'unsigned long'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior curve448/ecc-curve448.c:99:14 in
curve448/ecc-mul-g-eh.c:64:16: runtime error: unsigned integer overflow: 0 - 1 cannot be represented in type 'unsigned int'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior curve448/ecc-mul-g-eh.c:64:16 in
```

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/920#note_278070513

From gnutls-devel at lists.gnutls.org Tue Jan 28 15:05:13 2020
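The sanitizer log in the message above names `cnd-copy.c` and `sec-tabselect.c`, but the thread does not show the flagged source lines. The following is an added illustration, not code from GnuTLS, nettle or any participant: it assumes the reports come from the usual branch-free mask idiom of constant-time code, shows why clang's unsigned-integer-overflow check fires on it even though unsigned wraparound is defined behaviour in C, and builds the same mask without wrapping. All function names are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>

/* Stand-in for mp_limb_t, which the log reports as 'unsigned long'. */
typedef unsigned long limb_t;

/* clang accepts no_sanitize("unsigned-integer-overflow"); other compilers
 * may warn about the unknown name, so the attribute is applied only there. */
#if defined(__clang__)
#define ALLOW_UNSIGNED_WRAP __attribute__((no_sanitize("unsigned-integer-overflow")))
#else
#define ALLOW_UNSIGNED_WRAP
#endif

/* Assumed shape of the flagged idiom: all-ones when cnd != 0, else 0.
 * -(limb_t)1 wraps modulo 2^N. C defines that result, but the opt-in
 * unsigned-integer-overflow check reports it as
 * "negation of 1 cannot be represented". */
ALLOW_UNSIGNED_WRAP
static limb_t mask_by_negation(int cnd)
{
    return -(limb_t)(cnd != 0);
}

/* Same mask without unsigned wraparound: negate in the signed type
 * (0 or -1, no overflow), then convert with an explicit cast, which the
 * implicit-conversion checks do not flag. */
static limb_t mask_by_signed_cast(int cnd)
{
    return (limb_t)(-(long)(cnd != 0));
}

/* Branch-free conditional copy: rp <- ap when cnd != 0, else unchanged.
 * Both cases execute the same loads, stores and logic operations. */
void cnd_copy(int cnd, limb_t *rp, const limb_t *ap, size_t n)
{
    limb_t mask = mask_by_signed_cast(cnd);
    limb_t keep = ~mask;
    for (size_t i = 0; i < n; i++)
        rp[i] = (rp[i] & keep) | (ap[i] & mask);
}

/* Branch-free table lookup: copies row k of a tn x rn table while reading
 * every row, so the memory access pattern does not depend on k. An
 * out-of-range k selects nothing and leaves rp zeroed. */
void tab_select(limb_t *rp, size_t rn, const limb_t *table,
                unsigned tn, unsigned k)
{
    for (size_t i = 0; i < rn; i++)
        rp[i] = 0;
    for (unsigned j = 0; j < tn; j++) {
        limb_t mask = mask_by_signed_cast(j == k);
        for (size_t i = 0; i < rn; i++)
            rp[i] |= table[(size_t)j * rn + i] & mask;
    }
}

/* Returns 1 when both constructions yield identical masks. */
int masks_agree(void)
{
    return mask_by_negation(0) == mask_by_signed_cast(0)
        && mask_by_negation(7) == mask_by_signed_cast(7)
        && mask_by_signed_cast(7) == ~(limb_t)0;
}

int main(void)
{
    /* Constructed sample data. */
    const limb_t table[6] = { 1, 2, 3, 4, 5, 6 };
    limb_t out[2];

    tab_select(out, 2, table, 3, 1);
    printf("row 1 = {%lu, %lu}, masks agree = %d\n",
           out[0], out[1], masks_agree());
    return 0;
}
```

A compiler is free to turn either mask back into a branch, so the constant-time property has to be checked on the generated code, not on the source.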
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 28 Jan 2020 14:05:13 +0000
Subject: [gnutls-devel] GnuTLS | clang ASAN fails on testcompat-tls13-openssl.sh (#920)

Tim Rühsen commented:

Running the test script with `bash -x` prints the actual command lines of the server and client. Now I started the server in one console and the client in a second console:

Server:

```
$ openssl s_server -accept 43445 -keyform pem -certform pem -key ./../../doc/credentials/x509/key-rsa.pem -cert ./../../doc/credentials/x509/cert-rsa.pem -CAfile ./../../doc/credentials/x509/ca.pem -early_data
Using default temp DH parameters
ACCEPT
```

Now starting client:

```
$ ../../src/gnutls-cli -p 43445 127.0.0.1 --priority NORMAL:-VERS-ALL:+VERS-TLS1.3:+GROUP-ALL --earlydata /tmp/tls13-openssl-resumption.qF8l0q/earlydata.txt --insecure --inline-commands
Processed 0 CA certificate(s).
Resolving '127.0.0.1:43445'...
Connecting to '127.0.0.1:43445'...
- Certificate type: X.509
- Got a certificate list of 2 certificates.
- Certificate[0] info:
 - subject `CN=GnuTLS Test Server (RSA certificate)', issuer `CN=GnuTLS Test CA', serial 0x4de0b4ca, RSA key 2432 bits, signed using RSA-SHA256, activated `2011-05-28 08:39:39 UTC', expires `2038-10-12 08:39:40 UTC', pin-sha256="ZCnc2x+EUztg6ShnEvwtcHxusyXqJ5RJLNCDLc+lVNE="
	Public Key ID:
		sha1:482334530a8931384a5aeacab6d2a6dece1d2b18
		sha256:6429dcdb1f84533b60e9286712fc2d707c6eb325ea2794492cd0832dcfa554d1
	Public Key PIN:
		pin-sha256:ZCnc2x+EUztg6ShnEvwtcHxusyXqJ5RJLNCDLc+lVNE=

- Certificate[1] info:
 - subject `CN=GnuTLS Test CA', issuer `CN=GnuTLS Test CA', serial 0x00, RSA key 2432 bits, signed using RSA-SHA256, activated `2011-05-28 08:36:30 UTC', expires `2038-10-12 08:36:33 UTC', pin-sha256="Q6gIwA8tsmcqv+Fmom0cnzs9jZGV+iyqEIx0AQtfCQE="
- Status: The certificate is NOT trusted. The certificate issuer is unknown. The name in the certificate does not match the expected.
*** PKI verification of server certificate failed...
- Description: (TLS1.3-X.509)-(ECDHE-SECP256R1)-(RSA-PSS-RSAE-SHA256)-(AES-256-GCM)
- Options:
- Handshake was completed

- Simple Client Mode:
```

The output in the server console is

```
No early data received
DONE
shutting down SSL
CONNECTION CLOSED
```

But the client is still waiting - I had to manually ctrl-d. The server clearly says "No early data received".

*Without* ASAN, the server says

```
openssl s_server -accept 43445 -keyform pem -certform pem -key ./../../doc/credentials/x509/key-rsa.pem -cert ./../../doc/credentials/x509/cert-rsa.pem -CAfile ./../../doc/credentials/x509/ca.pem -early_data
Using default temp DH parameters
ACCEPT
No early data received
-----BEGIN SSL SESSION PARAMETERS-----
MIGDAgEBAgIDBAQCEwIEILIL+Ng522T/+Y/32o1W59+8WwnnV6AkKIk+pNDsdSVl
BDAlRh28LW5ilioqwzOBltY/bphABnQnfAIlWcP72SJkmNNKQXXxSgZjY8/A24Jq
uFahBgIEXjA/QqIEAgIcIKQGBAQBAAAArgYCBBRRkzivBAICQAA=
-----END SSL SESSION PARAMETERS-----
Shared ciphers:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
Signature Algorithms: RSA+SHA256:RSA-PSS+SHA256:RSA-PSS+SHA256:ECDSA+SHA256:Ed25519:RSA+SHA384:RSA-PSS+SHA384:RSA-PSS+SHA384:ECDSA+SHA384:Ed448:RSA+SHA512:RSA-PSS+SHA512:RSA-PSS+SHA512:ECDSA+SHA512:RSA+SHA1:ECDSA+SHA1
Shared Signature Algorithms: RSA+SHA256:RSA-PSS+SHA256:RSA-PSS+SHA256:ECDSA+SHA256:Ed25519:RSA+SHA384:RSA-PSS+SHA384:RSA-PSS+SHA384:ECDSA+SHA384:Ed448:RSA+SHA512:RSA-PSS+SHA512:RSA-PSS+SHA512:ECDSA+SHA512
Supported Elliptic Groups: P-256:P-384:P-521:X25519:X448:0x0100:0x0101:0x0102:0x0103:0x0104
Shared Elliptic groups: P-256:P-384:P-521:X25519:X448
CIPHER is TLS_AES_256_GCM_SHA384
Secure Renegotiation IS NOT supported
```

And again we see "No early data received".

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/920#note_278092842
From gnutls-devel at lists.gnutls.org Tue Jan 28 15:36:21 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 28 Jan 2020 14:36:21 +0000
Subject: [gnutls-devel] GnuTLS | Impossible to test post handshake authentication with tlsfuzzer (#868)

Hubert Kario (@mention me if you need reply) commented:

that looks like string/bytes confusion in the script, could you try https://github.com/tomato42/tlsfuzzer/pull/635 ?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/868#note_278130347

From gnutls-devel at lists.gnutls.org Tue Jan 28 15:39:23 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 28 Jan 2020 14:39:23 +0000
Subject: [gnutls-devel] GnuTLS | clang ASAN fails on testcompat-tls13-openssl.sh (#920)

Dmitry Baryshkov commented:

More or less so, except that the script uses `gnutls-cli ...... --inline-commands <<< '^resume^'`

Again, I could not reproduce server exit during handshake manually. However under the script the server terminates early!

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/920#note_278132428

From gnutls-devel at lists.gnutls.org Tue Jan 28 15:39:59 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 28 Jan 2020 14:39:59 +0000
Subject: [gnutls-devel] GnuTLS | pkcs12: do not go try calculating pbkdf2 with 0 iterations (!1182)

Merge Request !1182 was merged

Merge Request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1182
Project:Branches: GostCrypt/gnutls:fix-pkcs12-iter to gnutls/gnutls:master
Author: Dmitry Baryshkov
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1182

From gnutls-devel at lists.gnutls.org Tue Jan 28 15:51:09 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 28 Jan 2020 14:51:09 +0000
Subject: [gnutls-devel] GnuTLS | clang ASAN fails on testcompat-tls13-openssl.sh (#920)

Tim Rühsen commented:

Added -d9 to the client command line and compared success and failure output.

I currently have the strong feeling that the failure (with ASAN) doesn't find `writev` in the configure run. Because the failure output had `ASSERT: buffers.c[_gnutls_writev_emu]:464` and from there on everything seems to go wrong. The success output doesn't use `_gnutls_writev_emu`.

Will come back...

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/920#note_278141036

From gnutls-devel at lists.gnutls.org Tue Jan 28 16:39:28 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 28 Jan 2020 15:39:28 +0000
Subject: [gnutls-devel] GnuTLS | clang ASAN fails on testcompat-tls13-openssl.sh (#920)

Tim Rühsen commented:

Don't know what's wrong now - currently the test always fails, no matter if built with ASAN or not and no matter if I run it manually or not.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/920#note_278196289

From gnutls-devel at lists.gnutls.org Tue Jan 28 16:53:00 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 28 Jan 2020 15:53:00 +0000
Subject: [gnutls-devel] GnuTLS | Can't generate public.crt on Windows 2016 (#923)

labnewbie created an issue: https://gitlab.com/gnutls/gnutls/issues/923

## Description of problem:

When I try to create my public.crt file I get errors:

configFileLoad: Unknown error
Error loading template: cert.cnf

## Version of gnutls used:

3.6.11

## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)

Windows 2016

## How reproducible:

Steps to Reproduce:

 * one
   c:\GnuTLS>certtool.exe --generate-privkey --outfile private.key
 * two
   c:\GnuTLS>certtool.exe --generate-self-signed --load-privkey private.key --template cert.cnf --outfile public.crt
 * three

## Actual results:

c:\GnuTLS>certtool.exe --generate-privkey --outfile private.key
Generating a 3072 bit RSA private key...

c:\GnuTLS>certtool.exe --generate-self-signed --load-privkey private.key --template cert.cnf --outfile public.crt
libopts error 0 (No error) calling read for 'cert.cnf'
configFileLoad: Unknown error
Error loading template: cert.cnf

## Expected results:

expecting to create a cert.conf file

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/923

From gnutls-devel at lists.gnutls.org Tue Jan 28 19:09:01 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 28 Jan 2020 18:09:01 +0000
Subject: [gnutls-devel] GnuTLS | Can't generate public.crt on Windows 2016 (#923)

Tim Rühsen commented:

So you have `cert.cnf` in the current directory. What is its content?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/923#note_278323555

From gnutls-devel at lists.gnutls.org Tue Jan 28 19:32:21 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 28 Jan 2020 18:32:21 +0000
Subject: [gnutls-devel] GnuTLS | Can't generate public.crt on Windows 2016 (#923)

labnewbie commented:

I do. When I use a bogus .cnf name (igiveup.cnf for example) I get a file not found error, so I know it is seeing my correct cert.cnf file. Its contents are based on what Minio publishes https://docs.min.io/docs/how-to-secure-access-to-minio-server-with-tls.html#generate-a-self-signed-certificate :

# X.509 Certificate options
#
# DN options

# The organization of the subject.
organization = "Homelab"

# The organizational unit of the subject.
#unit = "sleeping dept."

# The state of the certificate owner.
state = "NY"

# The country of the subject. Two letter code.
country = "US"

# The common name of the certificate owner.
cn = "John Smith"

# In how many days, counting from today, this certificate will expire.
expiration_days = 365

# X.509 v3 extensions

# DNS name(s) of the server
dns_name = "localhost"

# (Optional) Server IP address
ip_address = "192.168.86.133"

# Whether this certificate will be used for a TLS server
tls_www_server

Thanks for any help.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/923#note_278338236

From gnutls-devel at lists.gnutls.org Wed Jan 29 14:19:08 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 29 Jan 2020 13:19:08 +0000
Subject: [gnutls-devel] GnuTLS | Can't generate public.crt on Windows 2016 (#923)

labnewbie commented on a discussion: https://gitlab.com/gnutls/gnutls/issues/923#note_278762956

I do. When I use a bogus .cnf name (igiveup.cnf for example) I get a file not found error, so I know it is seeing my correct cert.cnf file. Its contents are based on what Minio publishes https://docs.min.io/docs/how-to-secure-access-to-minio-server-with-tls.html#generate-a-self-signed-certificate :

organization = "Homelab"
state = "NY"
country = "US"
cn = "John Smith"
expiration_days = 365
dns_name = "localhost"
ip_address = "192.168.86.133"
tls_www_server

Thanks for any help.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/923#note_278762956

From gnutls-devel at lists.gnutls.org Wed Jan 29 18:02:54 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 29 Jan 2020 17:02:54 +0000
Subject: [gnutls-devel] GnuTLS | nettle/gost: support use GOST DSA support from master branch (!1183)

Dmitry Baryshkov created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1183

Project:Branches: GostCrypt/gnutls:nettle-master-gostdsa to gnutls/gnutls:master
Author: Dmitry Baryshkov

Add a description of the new feature/bug fix. Reference any relevant bugs.

## Checklist

 * [x] Commits have `Signed-off-by:` with name/author being identical to the commit author
 * [x] Code modified for feature
 * [ ] Test suite updated with functionality tests
 * [ ] Test suite updated with negative tests
 * [ ] Documentation updated / NEWS entry present (for non-trivial changes)
 * [x] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:

 * [ ] Any issues marked for closing are addressed
 * [ ] There is a test suite reasonably covering new functionality or modifications
 * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
 * [ ] This feature/change has adequate documentation added
 * [ ] No obvious mistakes in the code

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1183

From gnutls-devel at lists.gnutls.org Wed Jan 29 18:41:57 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 29 Jan 2020 17:41:57 +0000
Subject: [gnutls-devel] GnuTLS | nettle/gost: support use GOST DSA support from master branch (!1183)

Tim Rühsen commented:

This pull request **fixes 1 alert** when merging c6ff81a074a9137a08079dfc85df33e13000708c into 5ef8e05c9860f503ed6b36c4ca5217e50c960825 - [view on LGTM.com](https://lgtm.com/projects/gl/gnutls/gnutls/rev/pr-05acd4b25dc87d860d7655777f5d6fedf0e6a47f)

**fixed alerts:**

* 1 for FIXME comment

---

*Comment posted by [LGTM.com](https://lgtm.com)*

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1183#note_278989667

From gnutls-devel at lists.gnutls.org Wed Jan 29 19:20:24 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 29 Jan 2020 18:20:24 +0000
Subject: [gnutls-devel] GnuTLS | nettle/gost: support use GOST DSA support from master branch (!1183)

Dmitry Baryshkov pushed new commits to merge request !1183

https://gitlab.com/gnutls/gnutls/-/merge_requests/1183

* b003c88c - nettle/gost: support use GOST DSA support from master branch

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1183

From gnutls-devel at lists.gnutls.org Wed Jan 29 19:59:42 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 29 Jan 2020 18:59:42 +0000
Subject: [gnutls-devel] GnuTLS | nettle/gost: support use GOST DSA support from master branch (!1183)

Tim Rühsen commented:

This pull request **fixes 1 alert** when merging b003c88c81de8dd0b25b206dba668821bfcf19b1 into 5ef8e05c9860f503ed6b36c4ca5217e50c960825 - [view on LGTM.com](https://lgtm.com/projects/gl/gnutls/gnutls/rev/pr-9d18abc7ee72ea5c0d97c09cf68edf3e16579528)

**fixed alerts:**

* 1 for FIXME comment

---

*Comment posted by [LGTM.com](https://lgtm.com)*

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1183#note_279019061

From gnutls-devel at lists.gnutls.org Thu Jan 30 11:13:05 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 30 Jan 2020 10:13:05 +0000
Subject: [gnutls-devel] GnuTLS | nettle/gost: support use GOST DSA support from master branch (!1183)

Nikos Mavrogiannopoulos commented:

Does this address https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=20406 ?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1183#note_279381369

From gnutls-devel at lists.gnutls.org Thu Jan 30 11:16:25 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 30 Jan 2020 10:16:25 +0000 Subject: [gnutls-devel] GnuTLS | nettle/gost: support use GOST DSA support from master branch (!1183) In-Reply-To: References: Message-ID: Nikos Mavrogiannopoulos started a new discussion on lib/nettle/pk.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1183#note_279383515 > switch (curve) { > #if ENABLE_GOST > case GNUTLS_ECC_CURVE_GOST256CPA: > - return nettle_get_gost_256cpa(); > case GNUTLS_ECC_CURVE_GOST256CPXA: > + case GNUTLS_ECC_CURVE_GOST256B: > +#if HAVE_NETTLE_GET_GOST_GC256B > + return nettle_get_gost_gc256b(); Is the ifdef needed to distinguish between the bundled and the nettle version? If yes, wouldn't it be more clear to rename the bundled symbol to match the nettle? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1183#note_279383515 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Jan 30 11:56:41 2020 
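Review bot: with `- return nettle_get_gost_256cpa();` removed in the lib/nettle/pk.c hunk, the `GNUTLS_ECC_CURVE_GOST256CPA` and `GNUTLS_ECC_CURVE_GOST256CPXA` labels now fall through together with the new `GNUTLS_ECC_CURVE_GOST256B` label to a single return, and nothing in the quoted lines says that the three ids are meant to share one set of curve parameters; a one-line comment above the labels would mark the fall-through as deliberate. The quote also stops inside `#if HAVE_NETTLE_GET_GOST_GC256B`, so the branch taken when the macro is unset needs a return for all three labels, and since the macro is tested with `#if` it should always be defined to 0 or 1 by configure.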
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 30 Jan 2020 10:56:41 +0000
Subject: [gnutls-devel] GnuTLS | clang ASAN fails on testcompat-tls13-openssl.sh (#920)

Tim Rühsen commented:

`openssl s_server` behaves differently when starting via TTY in foreground and background (&). In foreground, the test succeeds reliably. In background the test fails reliably due to openssl server stopping unexpectedly.

I don't have the time to investigate further (tested all kinds of openssl s_server options, without difference).

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/920#note_279416616

From gnutls-devel at lists.gnutls.org Thu Jan 30 13:47:36 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 30 Jan 2020 12:47:36 +0000
Subject: [gnutls-devel] GnuTLS | Duplicated key_shares from client are not detected by GnuTLS server (#908)

Nikos Mavrogiannopoulos commented:

Moving it to backlog as something nice to have.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/908#note_279488437

From gnutls-devel at lists.gnutls.org Thu Jan 30 14:50:48 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 30 Jan 2020 13:50:48 +0000 Subject: [gnutls-devel] GnuTLS | nettle/gost: support use GOST DSA support from master branch (!1183) In-Reply-To: References: Message-ID: Dmitry Baryshkov pushed new commits to merge request !1183 https://gitlab.com/gnutls/gnutls/-/merge_requests/1183 * ab0905f4 - nettle/gost: support use GOST DSA support from master branch -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1183 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Jan 30 14:52:21 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 30 Jan 2020 13:52:21 +0000 Subject: [gnutls-devel] GnuTLS | nettle/gost: support use GOST DSA support from master branch (!1183) In-Reply-To: References: Message-ID: Dmitry Baryshkov commented on a discussion on lib/nettle/pk.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1183#note_279530798 > switch (curve) { > #if ENABLE_GOST > case GNUTLS_ECC_CURVE_GOST256CPA: > - return nettle_get_gost_256cpa(); > case GNUTLS_ECC_CURVE_GOST256CPXA: > + case GNUTLS_ECC_CURVE_GOST256B: > +#if HAVE_NETTLE_GET_GOST_GC256B > + return nettle_get_gost_gc256b(); Good idea, fixed now. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1183#note_279530798 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Jan 30 14:52:22 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 30 Jan 2020 13:52:22 +0000
Subject: [gnutls-devel] GnuTLS | nettle/gost: support use GOST DSA support from master branch (!1183)

All discussions on Merge Request !1183 were resolved by Dmitry Baryshkov

https://gitlab.com/gnutls/gnutls/-/merge_requests/1183

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1183

From gnutls-devel at lists.gnutls.org Thu Jan 30 15:29:16 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 30 Jan 2020 14:29:16 +0000
Subject: [gnutls-devel] GnuTLS | nettle/gost: support use GOST DSA support from master branch (!1183)

Dmitry Baryshkov commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/1183#note_279558537

Yes, it does.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1183#note_279558537

From gnutls-devel at lists.gnutls.org Thu Jan 30 15:29:54 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 30 Jan 2020 14:29:54 +0000
Subject: [gnutls-devel] GnuTLS | nettle/gost: support use GOST DSA support from master branch (!1183)

Tim Rühsen commented:

This pull request **fixes 1 alert** when merging ab0905f46d43b71228fa501d4981f419e710c7f1 into 5ef8e05c9860f503ed6b36c4ca5217e50c960825 - [view on LGTM.com](https://lgtm.com/projects/gl/gnutls/gnutls/rev/pr-9b92954d92f1cec081258eccc4439727acb6c04f)

**fixed alerts:**

* 1 for FIXME comment

---

*Comment posted by [LGTM.com](https://lgtm.com)*

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1183#note_279559071

From gnutls-devel at lists.gnutls.org Fri Jan 31 08:46:58 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 31 Jan 2020 07:46:58 +0000
Subject: [gnutls-devel] GnuTLS | nettle/gost: support use GOST DSA support from master branch (!1183)

All discussions on Merge Request !1183 were resolved by Nikos Mavrogiannopoulos
https://gitlab.com/gnutls/gnutls/-/merge_requests/1183

From gnutls-devel at lists.gnutls.org Fri Jan 31 08:49:02 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 31 Jan 2020 07:49:02 +0000
Subject: [gnutls-devel] GnuTLS | nettle/gost: support use GOST DSA support from master branch (!1183)

Merge Request !1183 was approved by Nikos Mavrogiannopoulos

Merge Request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1183
Project:Branches: GostCrypt/gnutls:nettle-master-gostdsa to gnutls/gnutls:master
Author: Dmitry Baryshkov
Assignees:

From gnutls-devel at lists.gnutls.org Fri Jan 31 08:49:11 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 31 Jan 2020 07:49:11 +0000
Subject: [gnutls-devel] GnuTLS | nettle/gost: support use GOST DSA support from master branch (!1183)

Merge Request !1183 was merged

Merge Request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1183
Project:Branches: GostCrypt/gnutls:nettle-master-gostdsa to gnutls/gnutls:master
Author: Dmitry Baryshkov
Assignees:

From gnutls-devel at lists.gnutls.org Fri Jan 31 14:03:18 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 31 Jan 2020 13:03:18 +0000
Subject: [gnutls-devel] GnuTLS | WIP: fips: Improve signatures self-tests (!1073)

Anderson Sasaki commented on a discussion on lib/crypto-selftests-pk.c:
https://gitlab.com/gnutls/gnutls/-/merge_requests/1073#note_280113355

> goto cleanup; > } > > + /* Compare with a stored known signature */

After adding a comparison with a known answer, basically both work similarly.

From gnutls-devel at lists.gnutls.org Fri Jan 31 14:03:27 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 31 Jan 2020 13:03:27 +0000
Subject: [gnutls-devel] GnuTLS | WIP: fips: Improve signatures self-tests (!1073)

Anderson Sasaki commented on a discussion on lib/crypto-selftests-pk.c:
https://gitlab.com/gnutls/gnutls/-/merge_requests/1073#note_280113450

> goto cleanup; > } > > - /* Test if the signature we generate matches the stored */ > + ret = gnutls_privkey_sign_data(key, dig, 0, &signed_data, &sig);

Yes, indeed it makes both tests behave similarly. There were 2 issues the lab found during FIPS gap analysis:

- PK_KNOWN_TEST wouldn't generate a signature for non-deterministic sigs. It would be only a verification test for these.
- PK_TEST wouldn't compare the generated signature with a known signature. It only generates a signature and verifies the generated signature. This would be a problem when both signature generation and verification are broken (it could generate a wrong signature and use a broken verification that would result in successful verification).

To address these, comparison with a known signature was added to PK_TEST and generation of signature in all cases was added to PK_KNOWN_TEST. Indeed, both work similarly after the changes and maybe could be unified.

From gnutls-devel at lists.gnutls.org Fri Jan 31 16:27:46 2020
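Review bot: in the lib/crypto-selftests-pk.c hunk quoted above (!1073), the added `ret = gnutls_privkey_sign_data(key, dig, 0, &signed_data, &sig);` replaces the comment that said what this step tests, and the quoted lines do not show `ret` being checked. Check `ret < 0` before `sig` is used, make sure `sig.data` is released on the cleanup path, and keep a one-line comment saying that the freshly generated signature is the one compared with the stored value.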
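The second issue in the comment above (a generate-then-verify self-test passing while both halves are broken), shown as an added example that is not GnuTLS code. HMAC-SHA256 stands in for a deterministic signature scheme, the vector is RFC 4231 test case 2, and all class and function names are hypothetical.

```python
import hashlib
import hmac

# Constructed stand-in: HMAC-SHA256 plays the role of a deterministic
# signature scheme. Key, message and tag are RFC 4231 test case 2.
KEY = b"Jefe"
MSG = b"what do ya want for nothing?"
KNOWN_SIG = bytes.fromhex(
    "5bdcc146bf60754e6a042426089575c75a003f089d2739839dec58b964ec3843")


class GoodImpl:
    """Hypothetical correct implementation."""

    def sign(self, key, msg):
        return hmac.new(key, msg, hashlib.sha256).digest()

    def verify(self, key, msg, sig):
        return hmac.compare_digest(self.sign(key, msg), sig)


class BrokenImpl(GoodImpl):
    """Shared defect: the message never reaches the digest. verify() reuses
    sign(), so generation and verification are wrong in the same way."""

    def sign(self, key, msg):
        return hmac.new(key, b"", hashlib.sha256).digest()


def generate_and_verify(impl):
    """Self-test that only signs and then verifies its own output."""
    sig = impl.sign(KEY, MSG)
    return impl.verify(KEY, MSG, sig)


def generate_compare_verify(impl):
    """Same test plus a comparison with the stored known signature."""
    sig = impl.sign(KEY, MSG)
    if not hmac.compare_digest(sig, KNOWN_SIG):
        return False
    return impl.verify(KEY, MSG, sig)


if __name__ == "__main__":
    for impl in (GoodImpl(), BrokenImpl()):
        print(type(impl).__name__,
              "generate+verify:", generate_and_verify(impl),
              "with known answer:", generate_compare_verify(impl))
```

The stored-signature comparison only applies to deterministic schemes, which is why the stand-in here is deterministic.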
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 31 Jan 2020 15:27:46 +0000
Subject: [gnutls-devel] GnuTLS | Support ciphersuites with matching mac/cipher(/KX) (#924)

Dmitry Baryshkov created an issue: https://gitlab.com/gnutls/gnutls/issues/924

GOST TLS 1.3 will have two pairs of ciphersuites, each pair using the same cipher and MAC (differing only in external re-keying settings). GnuTLS cannot handle this at this moment when generating priority lists.

Another use case is supporting ciphersuites during standardisation phase, when one would be using both assigned and private ids.

For my tests I have been extending `set_cipher_list()` with `if ce->id == ID1 then also add ciphersuite ID2`, but this does not look like production code.