From gnutls-devel at lists.gnutls.org Wed Jul 1 06:09:07 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 01 Jul 2020 04:09:07 +0000 Subject: [gnutls-devel] GnuTLS | lib/file.c gnutls_load_file() does not include trailing '\0' if malloc != gnutls_malloc (#1006) In-Reply-To: References: Message-ID: GnuTLS bot commented: @gstrauss This issue is unlabelled after 30 days. It needs attention. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1006#note_371350338 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Jul 1 06:09:09 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 01 Jul 2020 04:09:09 +0000 Subject: [gnutls-devel] GnuTLS | Issues require labels (#1047) References: Message-ID: GnuTLS bot created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1047 The following issues require labels: - [ ] [lib/file.c gnutls_load_file() does not include trailing '{{title}}' if malloc != gnutls_malloc](https://gitlab.com/gnutls/gnutls/-/issues/1006) - [ ] [Service Desk (from robert.merget at rub.de): Raccoon Attack: A new cryptographic Attack on TLS](https://gitlab.com/gnutls/gnutls/-/issues/1005) - [ ] [Does GnuTLS need to check ?last update? or ?next update? of CRL during revoking certificate(s)?](https://gitlab.com/gnutls/gnutls/-/issues/1003) - [ ] [GnuTLS leaks file descriptors in child processes](https://gitlab.com/gnutls/gnutls/-/issues/985) - [ ] [ocsptool: only write the OCSP response to outfile when --outpem is used](https://gitlab.com/gnutls/gnutls/-/issues/975) Please take care of them. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1047 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Jul 1 06:09:08 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 01 Jul 2020 04:09:08 +0000 Subject: [gnutls-devel] =?utf-8?q?GnuTLS_=7C_Does_GnuTLS_need_to_check_?= =?utf-8?b?4oCcbGFzdCB1cGRhdGXigJ0gb3Ig4oCcbmV4dCB1cGRhdGXigJ0gb2YgQ1JM?= =?utf-8?q?_during_revoking_certificate=28s=29=3F_=28=231003=29?= In-Reply-To: References: Message-ID: GnuTLS bot commented: @yuemonangong This issue is unlabelled after 30 days. It needs attention. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1003#note_371350346 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Jul 1 06:09:09 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 01 Jul 2020 04:09:09 +0000 Subject: [gnutls-devel] GnuTLS | ocsptool: only write the OCSP response to outfile when --outpem is used (#975) In-Reply-To: References: Message-ID: GnuTLS bot commented: @jello This issue is unlabelled after 30 days. It needs attention. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/975#note_371350353 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Jul 1 06:09:09 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 01 Jul 2020 04:09:09 +0000 Subject: [gnutls-devel] GnuTLS | GnuTLS leaks file descriptors in child processes (#985) In-Reply-To: References: Message-ID: GnuTLS bot commented: @Courmisch This issue is unlabelled after 30 days. It needs attention. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/985#note_371350349 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Jul 1 20:39:45 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 01 Jul 2020 18:39:45 +0000 Subject: [gnutls-devel] GnuTLS | A question about the license of gnutls (#1018) In-Reply-To: References: Message-ID: Michael Catanzaro commented: This should be closed. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1018#note_371960509 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Jul 1 22:15:19 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 01 Jul 2020 20:15:19 +0000 Subject: [gnutls-devel] GnuTLS | A question about the license of gnutls (#1018) In-Reply-To: References: Message-ID: Issue was closed by Daiki Ueno Issue #1018: https://gitlab.com/gnutls/gnutls/-/issues/1018 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1018 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Jul 2 13:51:55 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 02 Jul 2020 11:51:55 +0000 Subject: [gnutls-devel] GnuTLS | Detect the availability of connectx at runtime (!1294) In-Reply-To: References: Message-ID: Merge request https://gitlab.com/gnutls/gnutls/-/merge_requests/1294 was reviewed by Steve Lhomme -- Steve Lhomme commented on a discussion on configure.ac: https://gitlab.com/gnutls/gnutls/-/merge_requests/1294#note_372427882 > +#include > + ]],[[ > + if (__builtin_available(macOS 10.8, iOS 5.0, *)) {} `__has_builtin` was [introduced in Clang 8](https://releases.llvm.org/8.0.0/tools/clang/docs/LanguageExtensions.html) (and apparently gcc 6). It depends on what minimum version gnutls supports. But it seems that it would work (in my case at least). -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1294 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Jul 2 13:56:38 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 02 Jul 2020 11:56:38 +0000 Subject: [gnutls-devel] GnuTLS | Detect the availability of connectx at runtime (!1294) In-Reply-To: References: Message-ID: All discussions on Merge Request !1294 were resolved by Steve Lhomme https://gitlab.com/gnutls/gnutls/-/merge_requests/1294 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1294 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Jul 2 20:25:57 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 02 Jul 2020 18:25:57 +0000 Subject: [gnutls-devel] GnuTLS | Detect the availability of connectx at runtime (!1294) In-Reply-To: References: Message-ID: Merge Request !1294 was approved by Daiki Ueno Merge Request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1294 Project:Branches: robUx4/gnutls:macos-connectx to gnutls/gnutls:master Author: Steve Lhomme Assignees: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1294 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Jul 2 20:26:15 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 02 Jul 2020 18:26:15 +0000 Subject: [gnutls-devel] GnuTLS | Detect the availability of connectx at runtime (!1294) In-Reply-To: References: Message-ID: Daiki Ueno commented: Thanks; looks good to me. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1294#note_372766321 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Jul 2 20:26:20 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 02 Jul 2020 18:26:20 +0000 Subject: [gnutls-devel] GnuTLS | Detect the availability of connectx at runtime (!1294) In-Reply-To: References: Message-ID: Merge Request !1294 was merged Merge Request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1294 Project:Branches: robUx4/gnutls:macos-connectx to gnutls/gnutls:master Author: Steve Lhomme Assignees: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1294 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Jul 3 15:24:09 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 03 Jul 2020 13:24:09 +0000 Subject: [gnutls-devel] GnuTLS | tests: split up system-override-sig-hash.sh (!1298) References: Message-ID: Alexander Sosedkin created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1298 Project:Branches: asosedkin/gnutls:split-up-tests-s-o-sig-hash to gnutls/gnutls:master Author: Alexander Sosedkin Split up system-overrid-sig-hash.sh so that the errors won't get swallowed or conflated. Also correct unused `srcdir` to `builddir`, which I believe was meant to be set there. ## Checklist * [x] Commits have `Signed-off-by:` with name/author being identical to the commit author * [ ] Code modified for feature * [ ] Test suite updated with functionality tests * [ ] Test suite updated with negative tests * [ ] Documentation updated / NEWS entry present (for non-trivial changes) * [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout) ## Reviewer's checklist: * [ ] Any issues marked for closing are addressed * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md` * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1298 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Jul 3 16:10:22 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 03 Jul 2020 14:10:22 +0000 Subject: [gnutls-devel] GnuTLS | tests: split up system-override-sig-hash.sh (!1298) In-Reply-To: References: Message-ID: Merge request https://gitlab.com/gnutls/gnutls/-/merge_requests/1298 was reviewed by Daiki Ueno -- Daiki Ueno started a new discussion on tests/system-override-hash.sh: https://gitlab.com/gnutls/gnutls/-/merge_requests/1298#note_373403370 > +# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. > + > +builddir="${builddir:-.}" Not your fault, but I would write `: ${builddir=.}` so we don't need to quote. -- Daiki Ueno started a new discussion on tests/system-override-hash.sh: https://gitlab.com/gnutls/gnutls/-/merge_requests/1298#note_373403374 > +export GNUTLS_SYSTEM_PRIORITY_FILE="${TMPFILE}" > + > +exec ${builddir}/system-override-hash Not your fault too (because there is no cleanup logic in the original test), but we can't remove `TMPFILE` if we use `exec`. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1298 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Jul 3 16:11:19 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 03 Jul 2020 14:11:19 +0000 Subject: [gnutls-devel] GnuTLS | tests: split up system-override-sig-hash.sh (!1298) In-Reply-To: References: Message-ID: Merge Request !1298 was approved by Daiki Ueno Merge Request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1298 Project:Branches: asosedkin/gnutls:split-up-tests-s-o-sig-hash to gnutls/gnutls:master Author: Alexander Sosedkin Assignees: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1298 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Jul 3 16:11:44 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 03 Jul 2020 14:11:44 +0000 Subject: [gnutls-devel] GnuTLS | tests: split up system-override-sig-hash.sh (!1298) In-Reply-To: References: Message-ID: Daiki Ueno commented: Looks good to me otherwise, thanks! -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1298#note_373404336 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Jul 3 17:04:14 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 03 Jul 2020 15:04:14 +0000 Subject: [gnutls-devel] GnuTLS | tests: split up system-override-sig-hash.sh (!1298) In-Reply-To: References: Message-ID: Alexander Sosedkin commented on a discussion on tests/system-override-hash.sh: https://gitlab.com/gnutls/gnutls/-/merge_requests/1298#note_373457398 > +# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. > + > +builddir="${builddir:-.}" > +TMPFILE=c.$$.tmp > +export GNUTLS_SYSTEM_PRIORITY_FAIL_ON_INVALID=1 > + > +cat <<_EOF_ > ${TMPFILE} > +[overrides] > + > +insecure-hash = sha256 > +insecure-hash = sha512 > +_EOF_ > + > +export GNUTLS_SYSTEM_PRIORITY_FILE="${TMPFILE}" > + > +exec ${builddir}/system-override-hash I've added cleanup and quoting, please take a second look. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1298#note_373457398 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Jul 3 17:04:59 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 03 Jul 2020 15:04:59 +0000 Subject: [gnutls-devel] GnuTLS | tests: split up system-override-sig-hash.sh (!1298) In-Reply-To: References: Message-ID: Alexander Sosedkin commented on a discussion on tests/system-override-hash.sh: https://gitlab.com/gnutls/gnutls/-/merge_requests/1298#note_373456593 > +# > +# GnuTLS is free software; you can redistribute it and/or modify it > +# under the terms of the GNU General Public License as published by the > +# Free Software Foundation; either version 3 of the License, or (at > +# your option) any later version. > +# > +# GnuTLS is distributed in the hope that it will be useful, but > +# WITHOUT ANY WARRANTY; without even the implied warranty of > +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU > +# General Public License for more details. > +# > +# You should have received a copy of the GNU General Public License > +# along with GnuTLS; if not, write to the Free Software Foundation, > +# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. > + > +builddir="${builddir:-.}" I've replaced it with `builddir=${builddir=.}`. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1298#note_373456593 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Jul 3 17:28:19 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 03 Jul 2020 15:28:19 +0000 Subject: [gnutls-devel] GnuTLS | tests: split up system-override-sig-hash.sh (!1298) In-Reply-To: References: Message-ID: Alexander Sosedkin commented on a discussion on tests/system-override-hash.sh: https://gitlab.com/gnutls/gnutls/-/merge_requests/1298#note_373471239 > +# > +# GnuTLS is free software; you can redistribute it and/or modify it > +# under the terms of the GNU General Public License as published by the > +# Free Software Foundation; either version 3 of the License, or (at > +# your option) any later version. > +# > +# GnuTLS is distributed in the hope that it will be useful, but > +# WITHOUT ANY WARRANTY; without even the implied warranty of > +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU > +# General Public License for more details. > +# > +# You should have received a copy of the GNU General Public License > +# along with GnuTLS; if not, write to the Free Software Foundation, > +# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. > + > +builddir="${builddir:-.}" Thanks, TIL, replaced with `: ${builddir=.}`. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1298#note_373471239 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Jul 3 21:26:20 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 03 Jul 2020 19:26:20 +0000 Subject: [gnutls-devel] GnuTLS | tests: split up system-override-sig-hash.sh (!1298) In-Reply-To: References: Message-ID: All discussions on Merge Request !1298 were resolved by Daiki Ueno https://gitlab.com/gnutls/gnutls/-/merge_requests/1298 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1298 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Jul 3 21:26:28 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 03 Jul 2020 19:26:28 +0000 Subject: [gnutls-devel] GnuTLS | tests: split up system-override-sig-hash.sh (!1298) In-Reply-To: References: Message-ID: Merge Request !1298 was merged Merge Request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1298 Project:Branches: asosedkin/gnutls:split-up-tests-s-o-sig-hash to gnutls/gnutls:master Author: Alexander Sosedkin Assignees: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1298 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat Jul 4 13:25:30 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sat, 04 Jul 2020 11:25:30 +0000 Subject: [gnutls-devel] GnuTLS | .gitlab-ci: disable config.cache for nettle-master builds (!1291) In-Reply-To: References: Message-ID: Merge Request !1291 was merged Merge Request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1291 Project:Branches: GostCrypt/gnutls:tmp-nettle-master to gnutls/gnutls:master Author: Dmitry Baryshkov Assignees: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1291 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat Jul 4 13:27:09 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sat, 04 Jul 2020 11:27:09 +0000 Subject: [gnutls-devel] GnuTLS | build: use $(LIBPTHREAD) rather than non-existent $(LTLIBPTHREAD) (!1296) In-Reply-To: References: Message-ID: Merge Request !1296 was approved by Dmitry Baryshkov Merge Request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1296 Branches: tmp-pthread to master Author: Daiki Ueno Assignees: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1296 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat Jul 4 13:27:16 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sat, 04 Jul 2020 11:27:16 +0000 Subject: [gnutls-devel] GnuTLS | build: use $(LIBPTHREAD) rather than non-existent $(LTLIBPTHREAD) (!1296) In-Reply-To: References: Message-ID: Merge Request !1296 was merged Merge Request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1296 Branches: tmp-pthread to master Author: Daiki Ueno Assignees: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1296 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat Jul 4 13:27:55 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sat, 04 Jul 2020 11:27:55 +0000 Subject: [gnutls-devel] GnuTLS | RELEASES.md: update for the 3.7.x releases (!1283) In-Reply-To: References: Message-ID: Merge Request !1283 was approved by Dmitry Baryshkov Merge Request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1283 Branches: tmp-doc-fixes to master Author: Daiki Ueno Assignees: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1283 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat Jul 4 13:28:00 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sat, 04 Jul 2020 11:28:00 +0000 Subject: [gnutls-devel] GnuTLS | RELEASES.md: update for the 3.7.x releases (!1283) In-Reply-To: References: Message-ID: Merge Request !1283 was merged Merge Request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1283 Branches: tmp-doc-fixes to master Author: Daiki Ueno Assignees: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1283 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Jul 6 10:19:56 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 06 Jul 2020 08:19:56 +0000 Subject: [gnutls-devel] GnuTLS | Setting tls priority lists is not working correctly (#1046) In-Reply-To: References: Message-ID: Daiki Ueno commented on a discussion: https://gitlab.com/gnutls/gnutls/-/issues/1046#note_374022836 On second thought, it might be better that the application shall set the baseline profile before calling `gnutls_priority_set*` functions. For example: ```c gnutls_default_system_priority_set (session, "NORMAL", ...); ... gnutls_priority_set_direct (session, "@SAMBA,SYSTEM:-VERS-SSL3.0", ...); ``` That would mean: - if `SAMBA` or `SYSTEM` configuration is found on the system, use it - if not, use `NORMAL` profile - in any case, disable SSL 3.0 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1046#note_374022836 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Jul 6 10:28:12 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 06 Jul 2020 08:28:12 +0000 Subject: [gnutls-devel] GnuTLS | Setting tls priority lists is not working correctly (#1046) In-Reply-To: References: Message-ID: Andreas Schneider commented on a discussion: https://gitlab.com/gnutls/gnutls/-/issues/1046#note_374028517 This sounds like a better idea! -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1046#note_374028517 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Jul 9 02:53:11 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 09 Jul 2020 00:53:11 +0000 Subject: [gnutls-devel] GnuTLS | Export the DH functionality (#894) In-Reply-To: References: Message-ID: Brendan Shanks commented: I had requested this in a gnutls-help post last year, the Wine project currently uses GnuTLS to implement the Windows [bcrypt/CNG](https://docs.microsoft.com/en-us/windows/win32/seccng/cng-portal) library and I'm looking to add support for DH. The kind of bcrypt API usage I?m looking to support is similar to this Windows sample code: . Generate a public/private key pair with provided DH parameters, then export the key, import a different public key, derive a secret key, etc. Although `_gnutls_dh_generate_key()` will generate the key pair with provided DH parameters, I think it would be cleaner (and more similar to our key generation code for other algorithms) to allow this from `gnutls_privkey_generate()`. Maybe a `GNUTLS_KEYGEN_` flag could be added so `gnutls_privkey_generate2()` would use DH params from a passed-in `gnutls_keygen_data_st`? I'm also not sure what functions would be used for the key derivation. For example, can PRF be used without a corresponding `gnutls_session_t`? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/894#note_376177203 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Jul 9 15:29:17 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 09 Jul 2020 13:29:17 +0000 Subject: [gnutls-devel] GnuTLS | Handle expiration of AddTrust root certificate (urgent) (#1008) In-Reply-To: References: Message-ID: Sander van Grieken commented on a discussion: https://gitlab.com/gnutls/gnutls/-/issues/1008#note_376580885 I've run a patched libgnutls on Debian stable for a few weeks, no issues noticed. It seems these patches haven't made it to Stable yet? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1008#note_376580885 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Jul 9 18:59:47 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 09 Jul 2020 16:59:47 +0000 Subject: [gnutls-devel] GnuTLS | Handle expiration of AddTrust root certificate (urgent) (#1008) In-Reply-To: References: Message-ID: Andreas Metzler commented on a discussion: https://gitlab.com/gnutls/gnutls/-/issues/1008#note_376742842 Sander van Grieken @sandervang wrote > I've run a patched libgnutls on Debian stable for a few weeks, no issues noticed. It seems these patches haven't made it to Stable yet? It is in the review queue. https://bugs.debian.org/960836 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1008#note_376742842 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Jul 10 10:04:22 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 10 Jul 2020 08:04:22 +0000 Subject: [gnutls-devel] GnuTLS | nettle: check validity of (EC)DH shared secret before export (!1299) References: Message-ID: Daiki Ueno created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1299 Branches: tmp-dh-z to master Author: Daiki Ueno This implements checks mandated by SP800-56A rev 3, section 5.7.1.1 and 5.7.1.2 step 2. ## Checklist * [x] Commits have `Signed-off-by:` with name/author being identical to the commit author * [ ] Code modified for feature * [ ] Test suite updated with functionality tests * [ ] Test suite updated with negative tests * [ ] Documentation updated / NEWS entry present (for non-trivial changes) * [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout) ## Reviewer's checklist: * [ ] Any issues marked for closing are addressed * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md` * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1299 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Jul 10 10:05:13 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 10 Jul 2020 08:05:13 +0000 Subject: [gnutls-devel] GnuTLS | nettle: check validity of (EC)DH shared secret before export (!1299) In-Reply-To: References: Message-ID: Daiki Ueno commented: @smuellerDD could you take a look? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1299#note_377082909 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Jul 10 10:32:32 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 10 Jul 2020 08:32:32 +0000 Subject: [gnutls-devel] GnuTLS | nettle: check validity of (EC)DH shared secret before export (!1299) In-Reply-To: References: Message-ID: Stephan Mueller commented: For both changes, I am good. However, we analyzed SP800-56A rev3 now to the full extent and would need to require the following checks: - Shared secret generation: section 5.7.1.1 (FFC) and 5.7.1.2 (ECC) - this patch covers this check - receipt of remote public key following section 5.6.2.2.2: * FFC: . if PQG are RFC3526 / RFC7919 primes, then apply (at least) the partial validation from section 5.6.2.3.2 . otherwise perform the full validation compliant to section 5.6.2.3.1 * ECC: perform partial validation compliant to 5.6.2.3.4 - generation of local key pair following section 5.6.2.1.3: * FFC: . perform the full validation compliant to section 5.6.2.3.1 * ECC: . perform a full validation compliant to section 5.6.2.3.3 Sorry for the late note. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1299#note_377102502 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Jul 10 14:41:55 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 10 Jul 2020 12:41:55 +0000 Subject: [gnutls-devel] GnuTLS | session resumption: ability to limit resumption to TLS 1.3+ connections (#477) In-Reply-To: References: Message-ID: Vladim?r ?un?t commented: I think a better motivation is that we've even [seen in practice](https://gnutls.org/security-new.html#GNUTLS-SA-2020-06-03) that resumption with TLS 1.2 can be quite dangerous. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/477#note_377281406 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Jul 10 18:32:19 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 10 Jul 2020 16:32:19 +0000 Subject: [gnutls-devel] GnuTLS | nettle: check validity of (EC)DH shared secret before export (!1299) In-Reply-To: References: Message-ID: Merge Request !1299 was approved by Dmitry Baryshkov Merge Request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1299 Branches: tmp-dh-z to master Author: Daiki Ueno Assignees: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1299 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Jul 10 18:42:32 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 10 Jul 2020 16:42:32 +0000 Subject: [gnutls-devel] GnuTLS | nettle: check validity of (EC)DH shared secret before export (!1299) In-Reply-To: References: Message-ID: Dmitry Baryshkov commented: I'd also like some kind of test. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1299#note_377461113 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat Jul 11 08:08:12 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sat, 11 Jul 2020 06:08:12 +0000 Subject: [gnutls-devel] GnuTLS | Handle expiration of AddTrust root certificate (urgent) (#1008) In-Reply-To: References: Message-ID: Andreas Metzler commented on a discussion: https://gitlab.com/gnutls/gnutls/-/issues/1008#note_377651387 On 2020-07-09 Development of GNU's TLS library Andreas Metzler commented on a discussion: > It is in the review queue. https://bugs.debian.org/960836 It is has now been accepted https://packages.qa.debian.org/g/gnutls28/news/20200703T190229Z.html and should be included in the upcoming point release (10.5). -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1008#note_377651387 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Jul 15 06:08:30 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 15 Jul 2020 04:08:30 +0000 Subject: [gnutls-devel] GnuTLS | GnuTLS allows version one and two certificates in TLS 1.2 during client authentication (#1030) In-Reply-To: References: Message-ID: GnuTLS bot commented: @Immortalem This issue is unlabelled after 30 days. It needs attention. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1030#note_379529170 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Jul 15 06:08:28 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 15 Jul 2020 04:08:28 +0000 Subject: [gnutls-devel] GnuTLS | Gnutls 3.6.14 fails to compile on Mac OS Catalina (#1033) In-Reply-To: References: Message-ID: GnuTLS bot commented: @wraitii This issue is unlabelled after 30 days. It needs attention. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1033#note_379529145 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Jul 15 06:08:36 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 15 Jul 2020 04:08:36 +0000 Subject: [gnutls-devel] GnuTLS | Service Desk (from Jens.Schleusener@t-online.de): GnuTLS Windows binaries on GitLab not available? (#1014) In-Reply-To: References: Message-ID: GnuTLS bot commented: @support-bot This issue is unlabelled after 30 days. It needs attention. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1014#note_379529206 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Jul 15 06:08:32 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 15 Jul 2020 04:08:32 +0000 Subject: [gnutls-devel] GnuTLS | 3.6.14 build regression due to -Wno-type-limits (#1022) In-Reply-To: References: Message-ID: GnuTLS bot commented: @bjacke This issue is unlabelled after 30 days. It needs attention. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1022#note_379529193 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Jul 15 06:08:30 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 15 Jul 2020 04:08:30 +0000 Subject: [gnutls-devel] GnuTLS | GnuTLS does not require the Key Usage extension in CA certificates during client certificate authentication. (#1031) In-Reply-To: References: Message-ID: GnuTLS bot commented: @Immortalem This issue is unlabelled after 30 days. It needs attention. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1031#note_379529168 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Jul 15 06:08:32 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 15 Jul 2020 04:08:32 +0000 Subject: [gnutls-devel] GnuTLS | Signing with imported DSS key fails intermittently (#1023) In-Reply-To: References: Message-ID: GnuTLS bot commented: @hansleidekker This issue is unlabelled after 30 days. It needs attention. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1023#note_379529189 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Jul 15 06:08:28 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 15 Jul 2020 04:08:28 +0000 Subject: [gnutls-devel] GnuTLS | Issues require labels (#1051) References: Message-ID: GnuTLS bot created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1051 The following issues require labels: - [ ] [Gnutls 3.6.14 fails to compile on Mac OS Catalina](https://gitlab.com/gnutls/gnutls/-/issues/1033) - [ ] [GnuTLS does not verify the correctness of the parameters in a certificates signatureAlgorithm field](https://gitlab.com/gnutls/gnutls/-/issues/1032) - [ ] [GnuTLS does not require the Key Usage extension in CA certificates during client certificate authentication.](https://gitlab.com/gnutls/gnutls/-/issues/1031) - [ ] [GnuTLS allows version one and two certificates in TLS 1.2 during client authentication](https://gitlab.com/gnutls/gnutls/-/issues/1030) - [ ] [GnuTLS mishandles certificates with no allowed key usage during client certificate authentication](https://gitlab.com/gnutls/gnutls/-/issues/1028) - [ ] [GnuTLS ignores extended key usage during client certificate authentication](https://gitlab.com/gnutls/gnutls/-/issues/1027) - [ ] [GnuTLS ignores name constraints during client certificate authentication](https://gitlab.com/gnutls/gnutls/-/issues/1026) - [ ] [gnutls_x509_crt_export2 can return values greater than 0](https://gitlab.com/gnutls/gnutls/-/issues/1025) - [ ] [Service Desk (from emmawoollacott at gmail.com): Press enquiry - GnuTLS vulnerability](https://gitlab.com/gnutls/gnutls/-/issues/1024) - [ ] [Signing with imported DSS key fails intermittently](https://gitlab.com/gnutls/gnutls/-/issues/1023) - [ ] [3.6.14 build regression due to -Wno-type-limits](https://gitlab.com/gnutls/gnutls/-/issues/1022) - [ ] [ecc_scalar_random in nettle is public but not mangled in GnuTLS](https://gitlab.com/gnutls/gnutls/-/issues/1016) - [ ] [Make in 3.6.11 fails with "error: storage size of 'rsa_pss_params' isn't known" with gcc 4.8.5](https://gitlab.com/gnutls/gnutls/-/issues/1015) - [ ] [Service Desk (from Jens.Schleusener at t-online.de): GnuTLS Windows binaries on GitLab not available?](https://gitlab.com/gnutls/gnutls/-/issues/1014) - [ ] [Getting actual certificate path to a trusted CA](https://gitlab.com/gnutls/gnutls/-/issues/1012) - [ ] [Testsuite error - listening on IPv6, connecting to IPv4](https://gitlab.com/gnutls/gnutls/-/issues/1007) Please take care of them. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1051 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Jul 15 06:08:33 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 15 Jul 2020 04:08:33 +0000 Subject: [gnutls-devel] GnuTLS | Make in 3.6.11 fails with "error: storage size of 'rsa_pss_params' isn't known" with gcc 4.8.5 (#1015) In-Reply-To: References: Message-ID: GnuTLS bot commented: @vinay_banakar This issue is unlabelled after 30 days. It needs attention. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1015#note_379529203 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Jul 15 06:08:37 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 15 Jul 2020 04:08:37 +0000 Subject: [gnutls-devel] GnuTLS | Testsuite error - listening on IPv6, connecting to IPv4 (#1007) In-Reply-To: References: Message-ID: GnuTLS bot commented: @ametzler This issue is unlabelled after 30 days. It needs attention. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1007#note_379529211 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Jul 15 06:09:23 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 15 Jul 2020 04:09:23 +0000 Subject: [gnutls-devel] GnuTLS | GnuTLS does not verify the correctness of the parameters in a certificates signatureAlgorithm field (#1032) In-Reply-To: References: Message-ID: GnuTLS bot commented: @Immortalem This issue is unlabelled after 30 days. It needs attention. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1032#note_379529158 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Jul 15 06:08:32 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 15 Jul 2020 04:08:32 +0000 Subject: [gnutls-devel] GnuTLS | ecc_scalar_random in nettle is public but not mangled in GnuTLS (#1016) In-Reply-To: References: Message-ID: GnuTLS bot commented: @robUx4 This issue is unlabelled after 30 days. It needs attention. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1016#note_379529197 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Jul 15 06:09:32 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 15 Jul 2020 04:09:32 +0000 Subject: [gnutls-devel] GnuTLS | Getting actual certificate path to a trusted CA (#1012) In-Reply-To: References: Message-ID: GnuTLS bot commented: @codesquid This issue is unlabelled after 30 days. It needs attention. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1012#note_379529208 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Jul 15 06:09:35 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 15 Jul 2020 04:09:35 +0000 Subject: [gnutls-devel] GnuTLS | gnutls_x509_crt_export2 can return values greater than 0 (#1025) In-Reply-To: References: Message-ID: GnuTLS bot commented: @dmichmer This issue is unlabelled after 30 days. It needs attention. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1025#note_379529185 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Jul 15 09:38:06 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 15 Jul 2020 07:38:06 +0000 Subject: [gnutls-devel] GnuTLS | Mangle/hide GNUTLS-built ecc_scalar_random() (!1300) References: Message-ID: Steve Lhomme created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1300 Project:Branches: robUx4/gnutls:mangle-ecc_scalar_random to gnutls/gnutls:master Author: Steve Lhomme GNUTLS builds `ecc-random.c` but `ecc_scalar_random()` is a public API. So we should use the public API, otherwise we end up with the same public symbol defined twice when linking with GNUTLS and nettle. We could also mangle it in `ecc-internal.h` and use the version we build. But it's easier to patch `ecc-random.c`. `ecc_mod_random()` is unaffected as it's an internal API that is mangled by GNUTLS. Fixes #1016 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1300 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Jul 15 14:32:34 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 15 Jul 2020 12:32:34 +0000 Subject: [gnutls-devel] GnuTLS | How can I lock gnutls_record_get_state or pending when receiving data? (Maybe bug?) (#1052) References: Message-ID: Caesar Wang created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1052 Hi I'm trying to do kTLS outside GnuTLS and use gnutls_record_get_state to get the param of TLS. However, the client can't receive any data and I found that maybe because it's receiving data when or after calling `gnutls_record_get_state`. If I add code like `sleep(1)` I can successfully receive the data. So is there any API that can lock the function call or pending that so it could be done after receiving? Or am I do anything wrong? You can try this https://paste.ubuntu.com/p/vSPSrG3nkr/ ./test_certs/cert.pem https://paste.ubuntu.com/p/8W4y8mQs3x/ ./test_certs/key.pem https://paste.ubuntu.com/p/RMNgqqqwJp/ -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1052 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Jul 15 15:46:37 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 15 Jul 2020 13:46:37 +0000 Subject: [gnutls-devel] GnuTLS | How can I lock gnutls_record_get_state or pending when receiving data? (Maybe bug?) (#1052) In-Reply-To: References: Message-ID: Caesar Wang commented: Reproduced on 3 local linux machine, but not reproduced on Virtual Box VM and cloud machine. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1052#note_379920669 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Jul 16 14:06:34 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 16 Jul 2020 12:06:34 +0000 Subject: [gnutls-devel] GnuTLS | Gnutls 3.6.14 fails to compile on Mac OS Catalina (#1033) In-Reply-To: References: Message-ID: Ross Nicholson commented: I can confirm the same issue building on Catalina when trying to build as part of Kodi. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1033#note_380638506 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Jul 17 07:54:35 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 17 Jul 2020 05:54:35 +0000 Subject: [gnutls-devel] GnuTLS | Received alert [70]: Error in protocol version (#1053) References: Message-ID: mingli created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1053 $ wget https://download.pureftpd.org/pub/ucarp/ucarp-1.5.2.tar.gz --debug DEBUG output created by Wget 1.20.3 on linux-gnu. Reading HSTS entries from /folk/myu2/.wget-hsts Converted file name 'ucarp-1.5.2.tar.gz' (UTF-8) -> 'ucarp-1.5.2.tar.gz' (UTF-8) --2020-07-17 05:48:34-- https://download.pureftpd.org/pub/ucarp/ucarp-1.5.2.tar.gz Certificates loaded: 256 Resolving download.pureftpd.org... 37.59.238.213 Caching download.pureftpd.org => 37.59.238.213 Connecting to download.pureftpd.org|37.59.238.213|:443... connected. Created socket 3. Releasing 0x000055880ec87460 (new refcount 1). GnuTLS: A TLS fatal alert has been received. GnuTLS: received alert [70]: Error in protocol version Closed fd 3 Unable to establish SSL connection. $ gnutls-cli -V 37.59.238.213 Processed 126 CA certificate(s). Resolving '37.59.238.213:443'... Connecting to '37.59.238.213:443'... *** Fatal error: A TLS fatal alert has been received. *** Received alert [70]: Error in protocol version $ gnutls-cli --version gnutls-cli 3.6.14 Copyright (C) 2000-2020 Free Software Foundation, and others, all rights reserved. This is free software. It is licensed for use, modification and redistribution under the terms of the GNU General Public License, version 3 or later Please send bug reports to: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1053 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Jul 17 08:22:36 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 17 Jul 2020 06:22:36 +0000 Subject: [gnutls-devel] GnuTLS | Received alert [70]: Error in protocol version (#1053) In-Reply-To: References: Message-ID: mingli commented: BTW, I can use below method to workaround the error: $ wget --secure-protocol=TLSv1_2 https://download.pureftpd.org/pub/ucarp/ucarp-1.5.2.tar.gz -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1053#note_381082199 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Jul 17 08:29:35 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 17 Jul 2020 06:29:35 +0000 Subject: [gnutls-devel] libtasn1 | Cross compilation issue (#28) In-Reply-To: References: Message-ID: Ross Nicholson commented: Probably related to this commit: https://gitlab.com/gnutls/libtasn1/-/commit/53509d47415cbe4845cb15b9f47cfa3fee32c38c -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/-/issues/28#note_381084353 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Jul 17 08:30:56 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 17 Jul 2020 06:30:56 +0000 Subject: [gnutls-devel] GnuTLS | Gnutls 3.6.14 fails to compile on Mac OS Catalina (#1033) In-Reply-To: References: Message-ID: Ross Nicholson commented: Issue appears related to libtasn1: https://gitlab.com/gnutls/libtasn1/-/issues/28 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1033#note_381084807 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat Jul 18 08:47:20 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sat, 18 Jul 2020 06:47:20 +0000 Subject: [gnutls-devel] GnuTLS | nettle: check validity of (EC)DH shared secret before export (!1299) In-Reply-To: References: Message-ID: Daiki Ueno commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/1299#note_381659020 @smuellerDD Stephan, this is turning to be more complicated than anticipated, because of the API boundary between nettle and gnutls. Specifically, nettle doesn't expose meta information such as curve order from the ECC API, and it cannot represent infinity point on curves. I've worked those around by hard-coding the curve orders and using the group law that adding opposite points results in an infinity point. Could you check if those are acceptable? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1299#note_381659020 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat Jul 18 09:14:48 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sat, 18 Jul 2020 07:14:48 +0000 Subject: [gnutls-devel] GnuTLS | nettle: check validity of (EC)DH shared secret before export (!1299) In-Reply-To: References: Message-ID: Daiki Ueno commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/1299#note_381661234 In summary: > - Shared secret generation: section 5.7.1.1 (FFC) and 5.7.1.2 (ECC) - this patch covers this check Done in bea53f1b46a64d6dcf5bbe4794740c4d4459f9bf (FFC) and 13202600d3e42258d8758b05ff45a3e3d0f07e4e (ECC). > - receipt of remote public key following section 5.6.2.2.2: > > * FFC: > > . if PQG are RFC3526 / RFC7919 primes, then apply (at least) the partial validation from section 5.6.2.3.2 > > . otherwise perform the full validation compliant to section 5.6.2.3.1 I believe this is already done in `lib/nettle/pk.c:_wrap_nettle_pk_derive`. The relevant code is around: - https://gitlab.com/gnutls/gnutls/-/blob/master/lib/nettle/pk.c#L312 - https://gitlab.com/gnutls/gnutls/-/blob/master/lib/nettle/pk.c#L322 > * ECC: perform partial validation compliant to 5.6.2.3.4 This is also done through `_wrap_nettle_pk_derive` already: - `_wrap_nettle_pk_derive` calls `_ecc_params_to_pubkey`: https://gitlab.com/gnutls/gnutls/-/blob/master/lib/nettle/pk.c#L397 - `_ecc_params_to_pubkey` uses nettle's `ecc_point_set`: https://gitlab.com/gnutls/gnutls/-/blob/master/lib/nettle/pk.c#L397 - `ecc_point_set` has all the necessary checks: https://gitlab.com/gnutls/nettle/-/blob/master/ecc-point.c#L64 (step 1 and 2) and https://gitlab.com/gnutls/nettle/-/blob/master/ecc-point.c#L64 (step 3) > > - generation of local key pair following section 5.6.2.1.3: > > * FFC: > > . perform the full validation compliant to section 5.6.2.3.1 Done in 8b575625614fbe5a22b68dc8d1877efb1d44dd37. > * ECC: > > . perform a full validation compliant to section 5.6.2.3.3 Done in db001209da553a7eeaa68fd06d2d64a22ef42bde. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1299#note_381661234 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat Jul 18 14:31:17 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sat, 18 Jul 2020 12:31:17 +0000 Subject: [gnutls-devel] GnuTLS | nettle: check validity of (EC)DH shared secret before export (!1299) In-Reply-To: References: Message-ID: Daiki Ueno commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/1299#note_381693263 I'm afraid it is not easily possible: the checks added in this MR are: - to validate generated public key derived from the random source - to validate shared secret, that also involves randomness - to validate received public keys (this is covered by the existing tests) -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1299#note_381693263 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Jul 20 09:55:06 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 20 Jul 2020 07:55:06 +0000 Subject: [gnutls-devel] GnuTLS | nettle: check validity of (EC)DH shared secret before export (!1299) In-Reply-To: References: Message-ID: Stephan Mueller commented: The code changes look good to me. @lumag testing that the failure code paths of the new code indeed are good is hard. But IMHO this is not really needed, because the success code paths are only taken IF all checks are good - and if the checks would be poorly implemented it is hardly likely that the success code path is used. Thus, if your normal testing shows that with this code you can still perform DH / ECDH operations as you used to, you validated that the code is good. @dueno Maybe you can revisit your ECDH full validation key check based on the following idea. Note, mull this idea over with your peers to conclude that I am not off track here. IFF GnuTLS only supports prime field curves with a co-factor of 1 (e.g. all NIST P curves), then any valid point that is on the curve will have an order n based on the construction of those curves. So, if you validate that the point is on the curve, it implies that the order of the point is n. Hence, step 4 of the full validation test is implicitly covered. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1299#note_382067645 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Jul 22 14:43:52 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 22 Jul 2020 12:43:52 +0000 Subject: [gnutls-devel] GnuTLS | pubkey: avoid spurious audit messages from _gnutls_pubkey_compatible_with_sig() (!1301) References: Message-ID: Petr Pavlu created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1301 Project:Branches: petrpavlu/gnutls:sign-spurious-message to gnutls/gnutls:master Author: Petr Pavlu When checking in `_gnutls_pubkey_compatible_with_sig()` whether a public key is compatible with a signature algorithm, run first `pubkey_supports_sig()` before performing weaker checks that can accept the given algorithm but with an audit-log warning. This avoids an issue when a weaker check would log an audit message for some signature algorithm that would then be determined as incompatible by the `pubkey_supports_sig()` check anyway. For instance, a GnuTLS server might have a certificate with a SECP384R1 public key and a client can report that it supports ECDSA-SECP256R1-SHA256 and ECDSA-SECP384R1-SHA384. In such a case, the GnuTLS server will eventually find that it must use ECDSA-SECP384R1-SHA384 with this public key. However, the code would first run `_gnutls_pubkey_compatible_with_sig()` to check if SECP384R1 is compatible with ECDSA-SECP256R1-SHA256. The function would report the audit warning "The hash size used in signature (32) is less than the expected (48)" but then reject the signature algorithm in `pubkey_supports_sig()` as incompatible because it has a different curve. Since the algorithm gets rejected it is not necessary to inform about its hash size difference in the audit log. The problem can be reproduced as follows: 1. Run a server: $ certtool --generate-privkey --key-type=ecdsa --curve=secp384r1 --outfile=server_privkey.pem $ certtool --generate-self-signed --load-privkey=server_privkey.pem --outfile=server_cert.pem [use defaults, set a sensible expiration date] $ gnutls-serv --x509keyfile=server_privkey.pem --x509certfile=server_cert.pem --port=4567 HTTP Server listening on IPv4 0.0.0.0 port 4567...done HTTP Server listening on IPv6 :: port 4567...done 2. Connect a client: $ gnutls-cli --port=4567 --insecure localhost Processed 0 CA certificate(s). Resolving 'localhost:4567'... Connecting to '::1:4567'... [...] 3. Output on the server: * Accepted connection from IPv6 ::1 port 44786 on Wed Jul 22 14:22:26 202 |<0x5608c399e3c0>| The hash size used in signature (32) is less than the expected (48) |<0x5608c399e3c0>| The hash size used in signature (32) is less than the expected (48) [...] ## Checklist * [x] Commits have `Signed-off-by:` with name/author being identical to the commit author * [ ] Code modified for feature * [ ] Test suite updated with functionality tests * [ ] Test suite updated with negative tests * [ ] Documentation updated / NEWS entry present (for non-trivial changes) * [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout) ## Reviewer's checklist: * [ ] Any issues marked for closing are addressed * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md` * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1301 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Jul 23 06:42:18 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 23 Jul 2020 04:42:18 +0000 Subject: [gnutls-devel] GnuTLS | pubkey: avoid spurious audit messages from _gnutls_pubkey_compatible_with_sig() (!1301) In-Reply-To: References: Message-ID: Merge request https://gitlab.com/gnutls/gnutls/-/merge_requests/1301 was reviewed by Daiki Ueno -- Daiki Ueno started a new discussion on lib/pubkey.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1301#note_384202821 > + return gnutls_assert_val(ret); > + } > + nit: it might be a little simpler to consolidate two `if`s? ```suggestion:-10+0 se = _gnutls_sign_to_entry(sign); if (se != NULL) { ret = pubkey_supports_sig(pubkey, se); if (ret < 0) return gnutls_assert_val(ret); } else if (_gnutls_version_has_selectable_sighash(ver)) { return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); } ``` -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1301 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Jul 23 06:43:16 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 23 Jul 2020 04:43:16 +0000 Subject: [gnutls-devel] GnuTLS | nettle: check validity of (EC)DH shared secret before export (!1299) In-Reply-To: References: Message-ID: All discussions on Merge Request !1299 were resolved by Daiki Ueno https://gitlab.com/gnutls/gnutls/-/merge_requests/1299 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1299 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Jul 23 06:43:25 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 23 Jul 2020 04:43:25 +0000 Subject: [gnutls-devel] GnuTLS | nettle: check validity of (EC)DH shared secret before export (!1299) In-Reply-To: References: Message-ID: Merge Request !1299 was merged Merge Request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1299 Branches: tmp-dh-z to master Author: Daiki Ueno Assignees: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1299 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Jul 27 10:41:05 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 27 Jul 2020 08:41:05 +0000 Subject: [gnutls-devel] GnuTLS | pubkey: avoid spurious audit messages from _gnutls_pubkey_compatible_with_sig() (!1301) In-Reply-To: References: Message-ID: Petr Pavlu commented on a discussion on lib/pubkey.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1301#note_385781509 > unsigned int sig_hash_size; > const mac_entry_st *me; > const gnutls_sign_entry_st *se; > + int ret; > > se = _gnutls_sign_to_entry(sign); > if (se == NULL && _gnutls_version_has_selectable_sighash(ver)) > return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); > > + if (se != NULL) { > + ret = pubkey_supports_sig(pubkey, se); > + if (ret < 0) > + return gnutls_assert_val(ret); > + } > + Applied in the updated patch, thanks. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1301#note_385781509 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Jul 27 10:41:08 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 27 Jul 2020 08:41:08 +0000 Subject: [gnutls-devel] GnuTLS | pubkey: avoid spurious audit messages from _gnutls_pubkey_compatible_with_sig() (!1301) In-Reply-To: References: Message-ID: All discussions on Merge Request !1301 were resolved by Petr Pavlu https://gitlab.com/gnutls/gnutls/-/merge_requests/1301 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1301 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Jul 27 12:36:51 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 27 Jul 2020 10:36:51 +0000 Subject: [gnutls-devel] GnuTLS | pubkey: avoid spurious audit messages from _gnutls_pubkey_compatible_with_sig() (!1301) In-Reply-To: References: Message-ID: Merge Request !1301 was approved by Daiki Ueno Merge Request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1301 Project:Branches: petrpavlu/gnutls:sign-spurious-message to gnutls/gnutls:master Author: Petr Pavlu Assignees: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1301 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Jul 27 12:37:13 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 27 Jul 2020 10:37:13 +0000 Subject: [gnutls-devel] GnuTLS | pubkey: avoid spurious audit messages from _gnutls_pubkey_compatible_with_sig() (!1301) In-Reply-To: References: Message-ID: Merge Request !1301 was merged Merge Request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1301 Project:Branches: petrpavlu/gnutls:sign-spurious-message to gnutls/gnutls:master Author: Petr Pavlu Assignees: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1301 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Jul 27 12:37:44 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 27 Jul 2020 10:37:44 +0000 Subject: [gnutls-devel] GnuTLS | pubkey: avoid spurious audit messages from _gnutls_pubkey_compatible_with_sig() (!1301) In-Reply-To: References: Message-ID: Daiki Ueno commented: Thank you! -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1301#note_385856906 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Jul 28 12:11:06 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 28 Jul 2020 10:11:06 +0000 Subject: [gnutls-devel] GnuTLS | DTLS priority enables TLS1.2 (#1054) References: Message-ID: Miroslav Lichvar created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1054 ## Description of problem: On a TLS server, I'd like to disable all TLS versions before TLSv1.3. When I set the priority to ``` NORMAL:-VERS-SSL3.0:-VERS-TLS1.2:-VERS-TLS1.0:-VERS-TLS1.1 ``` it seems clients can still connect using TLS1.2. But when I add there `-VERS-DTLS-ALL`, it works as expected. If DTLS1.0 or DTLS1.2 is enabled, the server allows the client to use TLS1.2. I think that's unexpected, or at least I couldn't find an explanation in the documentation. ## Version of gnutls used: gnutls-3.6.14 ## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL) Fedora ## How reproducible: Always Steps to Reproduce: * gnutls-serv --x509keyfile=server.key --x509certfile=server.crt --priority="NORMAL:-VERS-TLS1.2:-VERS-TLS1.0:-VERS-TLS1.1" * gnutls-cli server.example.net -p 5556 --priority="NORMAL:-VERS-ALL:+VERS-TLS1.2" ## Actual results: Handshake completed ## Expected results: Handshake failed -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1054 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Jul 28 16:13:45 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 28 Jul 2020 14:13:45 +0000 Subject: [gnutls-devel] libtasn1 | Errors when cloning the repository. (#29) References: Message-ID: Konstantin Kouptsov created an issue: https://gitlab.com/gnutls/libtasn1/-/issues/29 ## Description of problem: Unable to clone repository due to errors ## Version of libtasn1 used: N/A ## Distributor of libtasn1 (e.g., Ubuntu, Fedora, RHEL) N/A ## How reproducible: ``` $ git clone https://gitlab.com/gnutls/libtasn1.git Cloning into 'libtasn1'... remote: Enumerating objects: 1113, done. remote: Counting objects: 100% (1113/1113), done. remote: Compressing objects: 100% (184/184), done. remote: Total 12288 (delta 873), reused 1050 (delta 826), pack-reused 11175 Receiving objects: 100% (12288/12288), 3.44 MiB | 15.23 MiB/s, done. Resolving deltas: 100% (8208/8208), done. error: invalid path 'tests/invalid-x509/id:000002,orig:TFPA-2015-002-libtasn1-4.3-stack-overflow.crt.der' fatal: unable to checkout working tree warning: Clone succeeded, but checkout failed. You can inspect what was checked out with 'git status' and retry with 'git restore --source=HEAD :/' ``` ## Actual results: `git status` shows a lot of deleted files: ``` deleted: tests/invalid-x509/id:000800,src:000623,op:flip1,pos:354,+cov.der deleted: tests/invalid-x509/id:000801,src:000623,op:arith8,pos:354,val:-25,+cov.der ``` `git checkout` shows a lot of errors: ``` $ git checkout master error: invalid path 'tests/invalid-x509/id:000002,orig:TFPA-2015-002-libtasn1-4.3-stack-overflow.crt.der' error: invalid path 'tests/invalid-x509/id:000047,orig:id:000009,src:000044,op:havoc,rep:2.der' ``` ## Expected results: a clean copy of the repository -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/-/issues/29 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: