From gnutls-devel at lists.gnutls.org Mon Jun 1 00:55:23 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 31 May 2020 22:55:23 +0000
Subject: [gnutls-devel] GnuTLS | Handle expiration of AddTrust root certificate (urgent) (#1008)

Kenneth J. Miller commented on a discussion: https://gitlab.com/gnutls/gnutls/-/issues/1008#note_352577566

> Though I am not following the discussion around this, my question is whether it is legitimate that the server sends such certificate chain.

GnuTLS implements the [Basic Path Validation procedure](https://tools.ietf.org/html/rfc5280#section-6.1) quite naively, meaning that it assumes that the `n`th certificate is signed by the `n-1`th, and individual certificate validity is only checked at the [Basic Certificate Processing phase](https://tools.ietf.org/html/rfc5280#section-6.1.3).

It seems that the chain sent by a server is a single path as defined in [RFC5246](https://tools.ietf.org/html/rfc5246#section-7.4.2) and [RFC4158](https://tools.ietf.org/html/rfc4158#section-1). This was my misunderstanding. The second chain order above also fails when tested in OpenSSL 1.1.1f, as it should according to this.

I've recreated a more accurate reproduction where the keys and DN from INTERMEDIATE 1 are used to create a self-signed certificate that is added to the trust anchor list. This example fails in GnuTLS 3.6.13, but succeeds in OpenSSL 1.1.1f.

While validation of a single path is the scope of section 6.1, section [6.2. Using the Path Validation Algorithm](https://tools.ietf.org/html/rfc5280#section-6.2) states:

> The path validation algorithm describes the process of validating a single certification path. While each certification path begins with a specific trust anchor, there is no requirement that all certification paths validated by a particular system share a single trust anchor. The selection of one or more trusted CAs is a local decision. A system may provide any one of its trusted CAs as the trust anchor for a particular path. The inputs to the path validation algorithm may be different for each path.

While this is a bit vague, it opens up the possibility that a single path may have multiple trust anchors by not forbidding it.

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1008#note_352577566
You're receiving this email because of your account on gitlab.com.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 01 Jun 2020 04:09:44 +0000
Subject: [gnutls-devel] GnuTLS | gnutls-cli: Inconsistent OCSP behavior regarding intermediate depending on stapling (#981)

GnuTLS bot commented:

@hanno This issue is unlabelled after 30 days. It needs attention.

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/981#note_352623656
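The two behaviours Kenneth contrasts in #1008 above (GnuTLS 3.6.13 walking the sent chain strictly in order versus a verifier that accepts a trust anchor carrying the intermediate's own name and key), as an added example that is not code from GnuTLS or from anyone in the thread. It is a Python stand-in: certificates are plain records and the signature check is a hash bound to the issuer's key identifier, an assumption that models only the path walk and nothing cryptographic. `verify_naive` requires each sent certificate to be signed by the next and the last one to reach an anchor, so an expired cross-signing root at the end of the chain fails the path; `verify_superseding` stops as soon as an unexpired anchor with the same name and key as a chain certificate exists, which is the fallback the 3.6.14 commits Andreas lists later in the thread ("trigger fallback verification path when cert is superseded") add, as far as the thread describes it. Names, key identifiers and dates are constructed, except for the 30 May 2020 expiry of the AddTrust External CA Root; the impostor case goes beyond the thread to show why supersession must compare the key and not only the subject name.

```python
"""Toy X.509 path builder for the superseded-intermediate case in #1008.
Constructed example, not GnuTLS code; see _tag() for what is not modelled."""
from dataclasses import dataclass, replace
from datetime import datetime
import hashlib


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    key_id: str            # stands in for the subject public key / SKI
    authority_key_id: str  # stands in for the AKI
    not_after: datetime
    sig: str = ""


def _tag(signer_key_id, c):
    # Toy signature: a hash of the TBS fields bound to the signer's key id. Real
    # code verifies an RSA/ECDSA signature with the issuer's public key instead.
    tbs = f"{c.subject}|{c.issuer}|{c.key_id}|{c.authority_key_id}|{c.not_after}"
    return hashlib.sha256(f"{signer_key_id}:{tbs}".encode()).hexdigest()


def issue(subject, key_id, not_after, signer_subject, signer_key_id):
    """Issue a certificate for `subject`, "signed" by `signer_key_id`."""
    c = Cert(subject, signer_subject, key_id, signer_key_id, not_after)
    return replace(c, sig=_tag(signer_key_id, c))


def signed_by(cert, issuer):
    """Issuer name, authority key id and tag must all match the candidate."""
    return (cert.issuer == issuer.subject and cert.authority_key_id == issuer.key_id
            and cert.sig == _tag(issuer.key_id, cert))


def verify_naive(chain, anchors, now):
    """3.6.13-style walk as described in the thread: chain[i] must be signed by
    chain[i+1], the last element must be (or be issued by) an unexpired anchor,
    and any expired certificate met on the way (the old root) fails the path."""
    path = []
    for i, cert in enumerate(chain):
        if cert.not_after <= now:
            return False, f"expired: {cert.subject}", path
        path.append(cert)
        if i + 1 < len(chain):
            if not signed_by(cert, chain[i + 1]):
                return False, f"bad signature on {cert.subject}", path
            continue
        for anchor in anchors:
            if (anchor == cert or signed_by(cert, anchor)) and anchor.not_after > now:
                return True, f"anchored at {anchor.subject}", path + ([] if anchor == cert else [anchor])
    return False, "signer not found", path


def verify_superseding(chain, anchors, now):
    """Same walk, but before trusting the next sent certificate look for an
    unexpired anchor with the same name AND key as the current one; if found the
    path ends there and the rest of the sent chain is never examined."""
    path = []
    for i, cert in enumerate(chain):
        if cert.not_after <= now:
            return False, f"expired: {cert.subject}", path
        path.append(cert)
        for anchor in anchors:
            same = (anchor.subject, anchor.key_id) == (cert.subject, cert.key_id)
            if same and anchor.not_after > now:
                path[-1] = anchor
                return True, f"superseded by anchor {anchor.subject}", path
        if i + 1 < len(chain):
            if not signed_by(cert, chain[i + 1]):
                return False, f"bad signature on {cert.subject}", path
            continue
        for anchor in anchors:
            if signed_by(cert, anchor) and anchor.not_after > now:
                return True, f"anchored at {anchor.subject}", path + [anchor]
    return False, "signer not found", path


def addtrust_scenario():
    """Constructed stand-in for the chains in #1008; names, keys and dates are
    made up except for the AddTrust root's expiry date (30 May 2020)."""
    ut, at = "USERTrust RSA Certification Authority", "AddTrust External CA Root"
    addtrust = issue(at, "addtrust-key", datetime(2020, 5, 30), at, "addtrust-key")
    cross = issue(ut, "usertrust-key", datetime(2028, 1, 1), at, "addtrust-key")
    root = issue(ut, "usertrust-key", datetime(2038, 1, 1), ut, "usertrust-key")
    leaf = issue("www.example.test", "leaf-key", datetime(2021, 1, 1), ut, "usertrust-key")
    return datetime(2020, 6, 1), leaf, cross, root, addtrust


def run_cases():
    """Return {case: (naive_ok, superseding_ok)} for the situations discussed."""
    now, leaf, cross, root, addtrust = addtrust_scenario()
    ut = root.subject
    # Same name as the anchor but a different key: must not be accepted.
    impostor = issue(ut, "impostor-key", datetime(2030, 1, 1), ut, "impostor-key")
    impostor_leaf = issue("www.example.test", "leaf2-key", datetime(2021, 1, 1), ut, "impostor-key")
    cases = {
        "cross-signed chain, both roots trusted": ([leaf, cross, addtrust], [addtrust, root]),
        "cross-signed chain, only expired root trusted": ([leaf, cross, addtrust], [addtrust]),
        "chain ends at superseded intermediate": ([leaf, cross], [root]),
        "impostor with the anchor's name": ([impostor_leaf, impostor], [root]),
    }
    return {name: (verify_naive(c, a, now)[0], verify_superseding(c, a, now)[0])
            for name, (c, a) in cases.items()}
```

`run_cases()` returns `(False, True)` for the two chains that end at or pass through the superseded USERTrust intermediate, and `(False, False)` for the other two: the fallback does not rescue a path whose only anchor is the expired root, and a certificate that merely shares the anchor's name is rejected because the key identifier differs.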
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 01 Jun 2020 04:09:47 +0000
Subject: [gnutls-devel] GnuTLS | WIP: GOSTR341194, RIPEMD160: mark as insecure for digital signatures (!1175)

Merge Request !1175 was closed by GnuTLS bot

Merge Request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1175

Project:Branches: nmav/gnutls:tmp-mark-gost94-as-broken to gnutls/gnutls:master
Author: Nikos Mavrogiannopoulos
Assignees:

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1175

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 01 Jun 2020 04:09:47 +0000
Subject: [gnutls-devel] GnuTLS | WIP: GOSTR341194, RIPEMD160: mark as insecure for digital signatures (!1175)

GnuTLS bot commented:

@nmav This merge request is marked as work in progress with no update for a very long time. We are now closing it, but please re-open if you are still interested in finishing this merge request.

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1175#note_352623660
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 01 Jun 2020 04:09:44 +0000
Subject: [gnutls-devel] GnuTLS | p11-kit / p11tool hang on clang (#965)

GnuTLS bot commented:

@AndreasFuchsSIT This issue is unlabelled after 30 days. It needs attention.

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/965#note_352623657

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 01 Jun 2020 04:10:47 +0000
Subject: [gnutls-devel] GnuTLS | Issues require labels (#1009)

GnuTLS bot created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1009

The following issues require labels:

- [ ] [gnutls-cli: Inconsistent OCSP behavior regarding intermediate depending on stapling](https://gitlab.com/gnutls/gnutls/-/issues/981)
- [ ] [p11-kit / p11tool hang on clang](https://gitlab.com/gnutls/gnutls/-/issues/965)

Please take care of them.

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1009
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 01 Jun 2020 08:01:27 +0000
Subject: [gnutls-devel] GnuTLS | WIP: GOSTR341194, RIPEMD160: mark as insecure for digital signatures (!1175)

Merge Request !1175 was reopened by Dmitry Baryshkov

Merge Request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1175

Project:Branches: nmav/gnutls:tmp-mark-gost94-as-broken to gnutls/gnutls:master
Author: Nikos Mavrogiannopoulos
Assignees:

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1175

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 01 Jun 2020 09:52:30 +0000
Subject: [gnutls-devel] GnuTLS | RFE: Support for AES-SIV (RFC 5297) (#463)

Milestone changed to Release of GnuTLS 3.6.14 (Mar 31, 2020–Jun 1, 2020) ( https://gitlab.com/gnutls/gnutls/-/milestones/28 )

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/463
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 01 Jun 2020 09:54:49 +0000
Subject: [gnutls-devel] GnuTLS | 2 slow tests fail on macOS (#974)

Milestone changed to Release of GnuTLS 3.6.14 (Mar 31, 2020–Jun 1, 2020) ( https://gitlab.com/gnutls/gnutls/-/milestones/28 )

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/974

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 01 Jun 2020 09:54:56 +0000
Subject: [gnutls-devel] GnuTLS | Copyright year is updated on build (#980)

Milestone changed to Release of GnuTLS 3.6.14 (Mar 31, 2020–Jun 1, 2020) ( https://gitlab.com/gnutls/gnutls/-/milestones/28 )

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/980
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 01 Jun 2020 09:56:46 +0000
Subject: [gnutls-devel] GnuTLS | Update session_ticket.c to add support for zero length session tickets returned from the server (!1260)

Milestone changed to Release of GnuTLS 3.6.14 (Mar 31, 2020–Jun 1, 2020) ( https://gitlab.com/gnutls/gnutls/-/milestones/28 )

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1260

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 01 Jun 2020 09:58:02 +0000
Subject: [gnutls-devel] GnuTLS | Cannot connect to pop.verizon.net:995 (#997)

Milestone changed to Release of GnuTLS 3.6.14 (Mar 31, 2020–Jun 1, 2020) ( https://gitlab.com/gnutls/gnutls/-/milestones/28 )

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/997
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 01 Jun 2020 10:05:56 +0000
Subject: [gnutls-devel] GnuTLS | _gnutls_pkcs11_verify_crt_status: check validity against system cert (!1271)

Milestone changed to Release of GnuTLS 3.6.14 (Mar 31, 2020–Jun 1, 2020) ( https://gitlab.com/gnutls/gnutls/-/milestones/28 )

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1271

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 01 Jun 2020 10:06:05 +0000
Subject: [gnutls-devel] GnuTLS | use bcrypt for the windows random generator instead of wincrypt (!1255)

Milestone changed to Release of GnuTLS 3.6.14 (Mar 31, 2020–Jun 1, 2020) ( https://gitlab.com/gnutls/gnutls/-/milestones/28 )

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1255
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 01 Jun 2020 10:09:13 +0000
Subject: [gnutls-devel] GnuTLS | lib: add support for AES-192-GCM (!1267)

Milestone changed to Release of GnuTLS 3.6.14 (Mar 31, 2020–Jun 1, 2020) ( https://gitlab.com/gnutls/gnutls/-/milestones/28 )

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1267
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 01 Jun 2020 11:16:07 +0000
Subject: [gnutls-devel] GnuTLS | gcc 4.8: does not contain __get_cpuid_count() (#812)

Vinay Banakar commented:

Hi, I am using gnuTLS 3.6.11 and this issue still seems to persist.

Command: `./configure --prefix=/etc/gnutls-fips --enable-fips140-mode --with-libnettle-prefix=/etc/gnutls-nettle; make`

Error message:

```
make[4]: Entering directory `/root/gnutls-3.6.11/lib'
  CC       pkcs11_privkey.lo
pkcs11_privkey.c: In function '_gnutls_pkcs11_privkey_sign':
pkcs11_privkey.c:335:32: error: storage size of 'rsa_pss_params' isn't known
  struct ck_rsa_pkcs_pss_params rsa_pss_params;
                                ^
pkcs11_privkey.c:335:32: warning: unused variable 'rsa_pss_params' [-Wunused-variable]
make[4]: *** [pkcs11_privkey.lo] Error 1
make[4]: Leaving directory `/root/gnutls-3.6.11/lib'
make[3]: *** [all-recursive] Error 1
make[3]: Leaving directory `/root/gnutls-3.6.11/lib'
make[2]: *** [all] Error 2
make[2]: Leaving directory `/root/gnutls-3.6.11/lib'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/root/gnutls-3.6.11'
make: *** [all] Error 2
```

Gcc version:

```
gcc --version
gcc (GCC) 4.8.5 20150623 (Red Hat 4.8.5-28)
```

I also tried to compile without p11-kit, but faced a different issue

```
./configure --prefix=/etc/gnutls-fips \
            --enable-fips140-mode \
            --with-libnettle-prefix=/etc/gnutls-nettle \
            --without-p11-kit; make
```

```
make  all-am
make[5]: Entering directory `/root/gnutls-3.6.11/src/libopts'
  CC       libopts_la-libopts.lo
libopts.c:14:24: fatal error: save-flags.h: No such file or directory
 #include "save-flags.h"
                        ^
compilation terminated.
make[5]: *** [libopts_la-libopts.lo] Error 1
make[5]: Leaving directory `/root/gnutls-3.6.11/src/libopts'
make[4]: *** [all] Error 2
make[4]: Leaving directory `/root/gnutls-3.6.11/src/libopts'
make[3]: *** [all-recursive] Error 1
make[3]: Leaving directory `/root/gnutls-3.6.11/src'
make[2]: *** [all] Error 2
make[2]: Leaving directory `/root/gnutls-3.6.11/src'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/root/gnutls-3.6.11'
make: *** [all] Error 2
```

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/812#note_352823139

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 01 Jun 2020 11:30:57 +0000
Subject: [gnutls-devel] GnuTLS | Memory leak in gnutls_aead_cipher_encrypt() (#1010)

Miroslav Lichvar created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1010

## Description of problem:

When gnutls_aead_cipher_encrypt() is called with a key which has an invalid length, the function returns an error code, but doesn't free the allocated handle. It seems this was fixed in commit 502be13049, but regressed in commit 2eef509ce.

## Version of gnutls used:

Current development branch

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1010
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 01 Jun 2020 11:48:55 +0000
Subject: [gnutls-devel] GnuTLS | Handle expiration of AddTrust root certificate (urgent) (#1008)

Andreas Metzler commented on a discussion: https://gitlab.com/gnutls/gnutls/-/issues/1008#note_352841981

I have pulled 299bd4f113d0bd39fa1577a671a04ed7899eff3c, cdf075e7f54cb77f046ef3e7c2147f159941faca and 9067bcbee8ff18badff1e829d22e63590dbd7a5c for Debian unstable's [3.6.13-4](https://packages.qa.debian.org/g/gnutls28/news/20200601T091851Z.html).

I would appreciate a second pair of eyes to look over the backport for 3.6.7 (Debian 10/buster):

[44_rel3.6.14_15-_gnutls_pkcs11_verify_crt_status-check-validity-agai.patch](/uploads/a966c3fce079366355aad1f786b3d44b/44_rel3.6.14_15-_gnutls_pkcs11_verify_crt_status-check-validity-agai.patch)
[44_rel3.6.14_16-x509-trigger-fallback-verification-path-when-cert-is.patch](/uploads/cc43478b14fae8a1bc952600d6efd975/44_rel3.6.14_16-x509-trigger-fallback-verification-path-when-cert-is.patch)
[44_rel3.6.14_17-tests-add-test-case-for-certificate-chain-supersedin.patch](/uploads/e7735af1fffae6c84256df89bdf2573e/44_rel3.6.14_17-tests-add-test-case-for-certificate-chain-supersedin.patch)

(middle one listed for completeness' sake, unchanged, applies cleanly).

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1008#note_352841981
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 01 Jun 2020 12:19:38 +0000
Subject: [gnutls-devel] GnuTLS | accelerated: use AES-NI for AES-XTS when available (!1244)

Milestone changed to Release of GnuTLS 3.6.14 (Mar 31, 2020–Jun 1, 2020) ( https://gitlab.com/gnutls/gnutls/-/milestones/28 )

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1244

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 01 Jun 2020 12:20:23 +0000
Subject: [gnutls-devel] GnuTLS | fips: check library soname during configure (!1231)

Milestone changed to Release of GnuTLS 3.6.14 (Mar 31, 2020–Jun 1, 2020) ( https://gitlab.com/gnutls/gnutls/-/milestones/28 )

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1231
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 01 Jun 2020 12:21:14 +0000
Subject: [gnutls-devel] GnuTLS | xts: check key block according to FIPS-140-2 IG A.9 (!1233)

Milestone changed to Release of GnuTLS 3.6.14 (Mar 31, 2020–Jun 1, 2020) ( https://gitlab.com/gnutls/gnutls/-/milestones/28 )

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1233

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 01 Jun 2020 12:23:01 +0000
Subject: [gnutls-devel] GnuTLS | fips: make FIPS140-2 mode enablement logic simpler (!1253)

Milestone changed to Release of GnuTLS 3.6.14 (Mar 31, 2020–Jun 1, 2020) ( https://gitlab.com/gnutls/gnutls/-/milestones/28 )

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1253
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 01 Jun 2020 12:25:58 +0000
Subject: [gnutls-devel] GnuTLS | Release 3.6.14 [ci skip] (!1272)

Daiki Ueno created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1272

Branches: tmp-release-3.6.14 to master
Author: Daiki Ueno

Add a description of the new feature/bug fix. Reference any relevant bugs.

## Checklist

* [ ] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [ ] Code modified for feature
* [ ] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
* [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:

* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1272
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 01 Jun 2020 15:28:57 +0000
Subject: [gnutls-devel] GnuTLS | serv: omit upper bound of --maxearlydata option definition (!1273)

Daiki Ueno created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1273

Branches: tmp-autogen-int to master
Author: Daiki Ueno

Add a description of the new feature/bug fix. Reference any relevant bugs.

## Checklist

* [ ] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [ ] Code modified for feature
* [ ] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
* [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:

* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1273
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 01 Jun 2020 19:53:15 +0000
Subject: [gnutls-devel] GnuTLS | WIP: AIA callback to retrieve missing chain certificates (!1262)

Sahana Prasad commented on a discussion on lib/x509/verify.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1262#note_353183547

> + _gnutls_debug_log("gnutls_x509_crt_init: %s\n", gnutls_strerror(ret));
> + gnutls_assert();
> + MARK_INVALID(GNUTLS_CERT_SIGNER_NOT_FOUND);
> + goto cleanup;
> + }
> +
> + /* missing issuer is populated by the callback */
> + ret = tlist->issuer_callback(tlist, cert, issuer);
> + if (ret < 0) {
> + /* if the callback fails, continue as though the callback
> + * wasn't invoked i.e issuer remains NULL */
> + gnutls_x509_crt_deinit(issuer);
> + gnutls_assert();
> + issuer = NULL;
> + } else
> + issuer_deinit = true;

@dueno Thanks, this was a good idea indeed.

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1262#note_353183547
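Review bot: when `tlist->issuer_callback(tlist, cert, issuer)` returns success, nothing in this hunk checks that the certificate the callback produced actually issued `cert` before it is taken as the issuer; if the signature check further down does not reject a mismatch, a callback that hands back the wrong certificate (the AIA fetch is untrusted network input) turns a SIGNER_NOT_FOUND into a verification against an arbitrary certificate. Guard it here with `gnutls_x509_crt_check_issuer(cert, issuer)` and, on failure, take the same `gnutls_x509_crt_deinit(issuer); issuer = NULL;` path as the `ret < 0` branch. Minor: the `} else` branch drops the braces the `if` branch uses.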
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 01 Jun 2020 19:56:16 +0000
Subject: [gnutls-devel] GnuTLS | WIP: AIA callback to retrieve missing chain certificates (!1262)

Sahana Prasad commented on a discussion on lib/cert-cred.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1262#note_353184704

> cred->verify_callback = func;
> }
>
> +/**
> + * gnutls_x509_trust_list_set_getissuer_function:
> + * @tlist: is a #gnutls_x509_trust_list_t type.
> + * @func: is the callback function
> + *
> + * This function sets a callback to be called when the peer's certificate
> + * chain is incomplete due a missing intermediate certificate/certificates.
> + *
> + * The callback's function prototype is defined in `abstract.h':
> + * int (*callback)(
> + * gnutls_x509_crt_t crt,
> + * gnutls_x509_crt_t issuer);

I'll let it be in lib/cert-cred.c. Most other callbacks are defined here too.

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1262#note_353184704

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 01 Jun 2020 19:59:13 +0000
Subject: [gnutls-devel] GnuTLS | WIP: AIA callback to retrieve missing chain certificates (!1262)

All discussions on Merge Request !1262 were resolved by Sahana Prasad

https://gitlab.com/gnutls/gnutls/-/merge_requests/1262

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1262
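Review bot: the prototype this comment documents, `int (*callback)(gnutls_x509_crt_t crt, gnutls_x509_crt_t issuer)`, does not match the call site in lib/x509/verify.c, which invokes `tlist->issuer_callback(tlist, cert, issuer)` with three arguments; document the real signature, and state who owns `issuer` (the caller initialises it with `gnutls_x509_crt_init` and deinitialises it when the callback fails, per the verify.c hunk), since a callback author reading only this comment cannot tell whether to import into the handle it is given or allocate its own. Also "due a missing intermediate certificate/certificates" should read "due to a missing intermediate certificate (or certificates)".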
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 02 Jun 2020 03:42:43 +0000
Subject: [gnutls-devel] GnuTLS | gnutls_aead_cipher_init: fix potential memleak (!1274)

Daiki Ueno created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1274

Branches: tmp-aead-init-leak to master
Author: Daiki Ueno

When _gnutls_aead_cipher_init() fails, the function returns without freeing the allocated handle. This was once fixed in commit 502be130493e8ce802cdf60fffdbb5f1885352a5 but regressed after a code reorganization in commit 2eef509ce5f2d250f8dcaeffa46444dd2b694e91.

Reported by Miroslav Lichvar.

Fixes #1010.

## Checklist

* [x] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [ ] Code modified for feature
* [ ] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
* [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:

* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1274
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 02 Jun 2020 05:07:21 +0000
Subject: [gnutls-devel] GnuTLS | WIP: AIA callback to retrieve missing chain certificates (!1262)

Merge request https://gitlab.com/gnutls/gnutls/-/merge_requests/1262 was reviewed by Daiki Ueno

--

Daiki Ueno started a new discussion on lib/cert-cred.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1262#note_353348888

> + *
> + * The callback function should return 0 if the missing issuer certificate
> + * for 'crt' was properly polulated in 'issuer' and added to the 'tlist' using

Remove mention of `issuer`.

--

Daiki Ueno started a new discussion on lib/x509/verify-high.h: https://gitlab.com/gnutls/gnutls/-/merge_requests/1262#note_353348890

> +
> + /* set this callback if the issuer in the certificate
> + * * chain is missing. */

Remove stray `*`.

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1262
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 02 Jun 2020 05:09:05 +0000
Subject: [gnutls-devel] GnuTLS | WIP: AIA callback to retrieve missing chain certificates (!1262)

Daiki Ueno commented:

Thank you for the update. I think it's almost there (you can remove `WIP: ` from the title). I also did a quick experiment using this feature in gnutls-cli, as attached (mostly a copy-and-paste from `src/ocsptool-common.c`). [cli-aia.patch](/uploads/94390edaee08a8063387997d7cc7144f/cli-aia.patch)

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1262#note_353349360

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 02 Jun 2020 07:09:20 +0000
Subject: [gnutls-devel] libtasn1 | fix memleaks in asn1_array2tree, free the unused child (!62)

whzhe51 commented:

@rockdaboot

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/-/merge_requests/62#note_353400004
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 02 Jun 2020 08:08:17 +0000
Subject: [gnutls-devel] GnuTLS | AIA callback to retrieve missing chain certificates (!1262)

All discussions on Merge Request !1262 were resolved by Sahana Prasad

https://gitlab.com/gnutls/gnutls/-/merge_requests/1262

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1262

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 02 Jun 2020 10:10:44 +0000
Subject: [gnutls-devel] GnuTLS | Release 3.6.14 [ci skip] (!1272)

Dmitry Baryshkov commented:

I'd mention:

- stopping using Nettle/hogweed internal symbols (!1235)
- xts: check key block according to FIPS-140-2 IG A.9 (!1233)
- decoding certificate policy OIDs (!1245)
- improvements in Win Vista+ support (!1257, !1254, !1256, !1255)

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1272#note_353536037
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 02 Jun 2020 13:21:44 +0000
Subject: [gnutls-devel] GnuTLS | Release 3.6.14 [ci skip] (!1272)

All discussions on Merge Request !1272 were resolved by Daiki Ueno

https://gitlab.com/gnutls/gnutls/-/merge_requests/1272

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 02 Jun 2020 13:22:42 +0000
Subject: [gnutls-devel] GnuTLS | Release 3.6.14 [ci skip] (!1272)

Daiki Ueno commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/1272#note_353674353

Thanks; incorporated.
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 02 Jun 2020 15:14:04 +0000
Subject: [gnutls-devel] GnuTLS | Release 3.6.14 [ci skip] (!1272)

Airtower started a new discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/1272#note_353768995

Please take a look at #1011 (confidential issue) before making the release, I believe it is a critical security issue.
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 02 Jun 2020 16:14:08 +0000
Subject: [gnutls-devel] GnuTLS | Getting actual certificate path to a trusted CA (#1012)

Tim Kosse created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1012

## Description of the feature:

When looking at the fix for #1008 I realized that there does not appear to be a function to return the actual used certificate path to a trusted CA for a given session.

The certificate path that eventually leads to a successful gnutls_certificate_verify_peers() may be different from the certificates sent by the server and subsequently returned by gnutls_certificate_get_peers(). Not only can the raw list be out of order, it may also contain CA certificates that aren't part of a path to a trusted root.

This is confusing when trying to understand why a particular certificate(-chain) is trusted, especially if there is something wrong with the CA certificates sent by the server, as is the case with e.g. support.sectigo.com sending expired CA certificates.

The output of certtool unfortunately is not very helpful either when given the certificates sent by this server:

```
$ certtool --verify --infile support.sectigo.com.pem
Note that no verification profile was selected. In the future the medium profile will be enabled by default.
Use --verify-profile low to apply the default verification of NORMAL priority string.
Loaded system trust (128 CAs available)
    Subject: CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
    Issuer: CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE
    Checked against: CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE
    Signature algorithm: RSA-SHA384
    Output: Not verified. The certificate is NOT trusted. The certificate chain uses expired certificate.

    Subject: CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
    Issuer: CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE
    Checked against: CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
    Signature algorithm: RSA-SHA384
    Output: Verified. The certificate is trusted.

    Subject: CN=COMODO RSA Extended Validation Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
    Issuer: CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
    Checked against: CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
    Signature algorithm: RSA-SHA384
    Output: Verified. The certificate is trusted.

    Subject: CN=support.sectigo.com,OU=COMODO EV SSL,OU=IT,O=Comodo CA Limited,street=3rd Floor Building 26,street=Office Village Exchange Quay,street=Trafford Road,L=Salford,ST=Manchester,postalCode=M5 3EQ,C=GB,businessCategory=Private Organization,jurisdictionOfIncorporationCountryName=GB,serialNumber=04058690
    Issuer: CN=COMODO RSA Extended Validation Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
    Checked against: CN=COMODO RSA Extended Validation Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
    Signature algorithm: RSA-SHA256
    Output: Verified. The certificate is trusted.

Chain verification output: Verified. The certificate is trusted.
```

[support.sectigo.com.pem](/uploads/b39012da314113bb31b6980c072eca80/support.sectigo.com.pem)

I suggest adding a function that returns the full path to the trusted root as was used in gnutls_certificate_verify_peers.

## Applications that this feature may be relevant to:

Any programs that display certificate paths, such as web browsers.

## Is this feature implemented in other libraries (and which)

I believe NSS implements this feature.
Viewing the certificate path of support.sectigo.com in Firefox shows a path with a valid root CA, even though the server sends a chain with expired certificates.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1012

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 02 Jun 2020 21:07:33 +0000
Subject: [gnutls-devel] GnuTLS | gnutls_aead_cipher_init: fix potential memleak (!1274)

Merge Request !1274 was approved by Dmitry Baryshkov

Merge Request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1274
Branches: tmp-aead-init-leak to master
Author: Daiki Ueno

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 02 Jun 2020 21:08:00 +0000
Subject: [gnutls-devel] GnuTLS | gnutls_aead_cipher_init: fix potential memleak (!1274)

Dmitry Baryshkov commented:

It would be nice to have a test though.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1274#note_353998314
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 03 Jun 2020 08:17:52 +0000
Subject: [gnutls-devel] GnuTLS | stek: differentiate initial state from valid time window of TOTP (!1275)

Daiki Ueno created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1275

Branches: tmp-totp-init to master
Author: Daiki Ueno

Add a description of the new feature/bug fix. Reference any relevant bugs.

## Checklist

* [x] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [ ] Code modified for feature
* [ ] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
* [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:

* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 03 Jun 2020 08:49:47 +0000
Subject: [gnutls-devel] GnuTLS | Too small MAX_SEED_SIZE for PRF functions (#1013)

Ruslan Marchenko created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1013

## Description of problem:

Current implementation of PRF limits MAX_SEED_SIZE to 200 bytes, while this seed size includes 2x GNUTLS_RANDOM_SIZE (32) + 2 ctx_len (u16) + label + context. That leaves Label + Context with only 134 bytes. At the same time Context is only validated to be below u16 boundary (65535). The labels in IANA registry have avg size 24 bytes leaving only 110 bytes for the context.

Is there any particular reason to limit it to 200 bytes?

## Version of gnutls used:

3.6.13-2

## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)

ArchLinux

## How reproducible:

```c
ret = gnutls_prf_rfc5705 (priv->session, 30, "EXPORTER-SCRAM-Channel-Binding", 116, "n=user,r=rOprNGfwEbeRWgbNEkqO,r=rOprNGfwEbeRWgbNEkqO%hvYDpWUa2RaTCAfuxFIlj)hNlF$k0,s=W22ZaJ0SNY7soEsUEjb6gQ==,i=4096", 32, out_buf);
```

## Actual results:

GNUTLS_E_INTERNAL_ERROR

## Expected results:

GNUTLS_E_SUCCESS
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 03 Jun 2020 11:38:07 +0000
Subject: [gnutls-devel] GnuTLS | stek: differentiate initial state from valid time window of TOTP (!1275)

Merge Request !1275 was approved by Dmitry Baryshkov

Merge Request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1275
Branches: tmp-totp-init to master
Author: Daiki Ueno

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 03 Jun 2020 11:38:39 +0000
Subject: [gnutls-devel] GnuTLS | Release 3.6.14 [ci skip] (!1272)

Merge Request !1272 was approved by Dmitry Baryshkov

Merge Request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1272
Branches: tmp-release-3.6.14 to master
Author: Daiki Ueno
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 03 Jun 2020 11:49:41 +0000
Subject: [gnutls-devel] GnuTLS | stek: differentiate initial state from valid time window of TOTP (!1275)

Daiki Ueno commented:

Thank you!

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1275#note_354401685

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 03 Jun 2020 11:52:04 +0000
Subject: [gnutls-devel] GnuTLS | stek: differentiate initial state from valid time window of TOTP (!1275)

Merge Request !1275 was merged

Merge Request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1275
Branches: tmp-totp-init to master
Author: Daiki Ueno
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 03 Jun 2020 12:23:31 +0000
Subject: [gnutls-devel] GnuTLS | Release 3.6.14 [ci skip] (!1272)

All discussions on Merge Request !1272 were resolved by Daiki Ueno

https://gitlab.com/gnutls/gnutls/-/merge_requests/1272

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 03 Jun 2020 12:52:19 +0000
Subject: [gnutls-devel] GnuTLS | Release 3.6.14 [ci skip] (!1272)

Merge Request !1272 was merged

Merge Request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1272
Branches: tmp-release-3.6.14 to master
Author: Daiki Ueno
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 03 Jun 2020 14:40:34 +0000
Subject: [gnutls-devel] GnuTLS | AIA callback to retrieve missing chain certificates (!1262)

Merge Request !1262 was approved by Daiki Ueno

Merge Request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1262
Project:Branches: sahprasa/gnutls:aia to gnutls/gnutls:master
Author: Sahana Prasad

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 03 Jun 2020 14:40:59 +0000
Subject: [gnutls-devel] GnuTLS | AIA callback to retrieve missing chain certificates (!1262)

Daiki Ueno commented:

This is in a pretty good shape now, so I'm approving. @TheRealMichaelCatanzaro you might want to check if the API is sufficient for the Epiphany use-cases?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1262#note_354566064
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 03 Jun 2020 15:07:28 +0000
Subject: [gnutls-devel] GnuTLS | AIA callback to retrieve missing chain certificates (!1262)

Michael Catanzaro commented:

Didn't know about this, will look.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1262#note_354587896

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 03 Jun 2020 18:12:40 +0000
Subject: [gnutls-devel] GnuTLS | CVE-2020-13777: TLS 1.3 session resumption works without master key, allowing MITM (#1011)

Daiki Ueno commented:

Done, thank you so much for reporting this.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1011#note_354702284
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 03 Jun 2020 22:08:21 +0000
Subject: [gnutls-devel] GnuTLS | AIA callback to retrieve missing chain certificates (!1262)

Michael Catanzaro commented:

Thanks Sahana! I'm pretty sure this API will work for glib-networking. I will try to implement our side soon to confirm.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1262#note_354808708

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 04 Jun 2020 06:54:45 +0000
Subject: [gnutls-devel] GnuTLS | AIA callback to retrieve missing chain certificates (!1262)

Sahana Prasad commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/1262#note_354997583

Cool, thanks for having a look Michael. @dueno has already posted this patch [cli-aia.patch](/uploads/2e8e0d211c6000647b4d6b85d5bcf51a/cli-aia.patch) and tested gnutls-cli with it. I'll send a PR for that soon.
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 04 Jun 2020 09:27:48 +0000
Subject: [gnutls-devel] GnuTLS | Make in 3.6.11 fails with "error: storage size of 'rsa_pss_params' isn't known" with gcc 4.8.5 (#1015)

Vinay Banakar created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1015

Hi, I am using gnuTLS 3.6.11 and this [issue](https://gitlab.com/gnutls/gnutls/-/issues/812) still seems to persist which was supposed to have been fixed in 3.6.10.

Command: `./configure --prefix=/etc/gnutls-fips --enable-fips140-mode --with-libnettle-prefix=/etc/gnutls-nettle; make`

Error message:

```
make[4]: Entering directory `/root/gnutls-3.6.11/lib'
  CC       pkcs11_privkey.lo
pkcs11_privkey.c: In function '_gnutls_pkcs11_privkey_sign':
pkcs11_privkey.c:335:32: error: storage size of 'rsa_pss_params' isn't known
  struct ck_rsa_pkcs_pss_params rsa_pss_params;
                                ^
pkcs11_privkey.c:335:32: warning: unused variable 'rsa_pss_params' [-Wunused-variable]
make[4]: *** [pkcs11_privkey.lo] Error 1
make[4]: Leaving directory `/root/gnutls-3.6.11/lib'
make[3]: *** [all-recursive] Error 1
make[3]: Leaving directory `/root/gnutls-3.6.11/lib'
make[2]: *** [all] Error 2
make[2]: Leaving directory `/root/gnutls-3.6.11/lib'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/root/gnutls-3.6.11'
make: *** [all] Error 2
```

Versions:

```
# gcc --version
gcc (GCC) 4.8.5 20150623 (Red Hat 4.8.5-28)
# cat /etc/centos-release
CentOS Linux release 7.5.1804 (Core)
# Nettle (nettle.pc)
Name: Nettle
Description: Nettle low-level cryptographic library (symmetric algorithms)
URL: http://www.lysator.liu.se/~nisse/nettle
Version: 3.5.1
```

I also tried to compile without p11-kit, but faced a different issue

```
./configure --prefix=/etc/gnutls-fips \
    --enable-fips140-mode \
    --with-libnettle-prefix=/etc/gnutls-nettle \
    --without-p11-kit; make
```

```
make  all-am
make[5]: Entering directory `/root/gnutls-3.6.11/src/libopts'
  CC       libopts_la-libopts.lo
libopts.c:14:24: fatal error: save-flags.h: No such file or directory
 #include "save-flags.h"
                        ^
compilation terminated.
make[5]: *** [libopts_la-libopts.lo] Error 1
make[5]: Leaving directory `/root/gnutls-3.6.11/src/libopts'
make[4]: *** [all] Error 2
make[4]: Leaving directory `/root/gnutls-3.6.11/src/libopts'
make[3]: *** [all-recursive] Error 1
make[3]: Leaving directory `/root/gnutls-3.6.11/src'
make[2]: *** [all] Error 2
make[2]: Leaving directory `/root/gnutls-3.6.11/src'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/root/gnutls-3.6.11'
make: *** [all] Error 2
```

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1015

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 04 Jun 2020 10:14:38 +0000
Subject: [gnutls-devel] GnuTLS | Can't generate public.crt on Windows 2016 (#923)

labnewbie commented:

I will try this. Thanks for your help

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/923#note_355146214
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 04 Jun 2020 11:29:16 +0000
Subject: [gnutls-devel] GnuTLS | serv: omit upper bound of --maxearlydata option definition (!1273)

Merge Request !1273 was approved by Anderson Sasaki

Merge Request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1273
Branches: tmp-autogen-int to master
Author: Daiki Ueno

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 04 Jun 2020 11:42:52 +0000
Subject: [gnutls-devel] GnuTLS | AIA callback to retrieve missing chain certificates (!1262)

All discussions on Merge Request !1262 were resolved by Sahana Prasad

https://gitlab.com/gnutls/gnutls/-/merge_requests/1262
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 04 Jun 2020 11:47:22 +0000
Subject: [gnutls-devel] GnuTLS | serv: omit upper bound of --maxearlydata option definition (!1273)

Daiki Ueno commented:

Thanks for the review and the analysis!

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1273#note_355218539

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 04 Jun 2020 11:47:27 +0000
Subject: [gnutls-devel] GnuTLS | serv: omit upper bound of --maxearlydata option definition (!1273)

Merge Request !1273 was merged

Merge Request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1273
Branches: tmp-autogen-int to master
Author: Daiki Ueno
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 04 Jun 2020 15:00:06 +0000
Subject: [gnutls-devel] GnuTLS | ecc_scalar_random in nettle is public but not mangled in GnuTLS (#1016)

Steve Lhomme created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1016

The `import-ecc-from-nettle.sh` script mangles internal functions listed in `ecc-internal.h` by patching the original `ecc-internal.h`. But unlike other internal functions listed there, `ecc_scalar_random` is not in there and thus not mangled. That leads to link errors in GnuTLS 3.16.4 where linking with nettle and gnutls result in a duplicated `nettle_ecc_scalar_random` which is the public name of the file.

Either `ecc-random.c` should not be imported from the nettle source to avoid duplicates (but `ecc_mod_random` from that file is used), or the name used in GnuTLS should be mangled. It can be mangled in `ecc-internal.h` as it's included after `` which defines the public name.
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 04 Jun 2020 15:08:03 +0000
Subject: [gnutls-devel] GnuTLS | tests: updated tlsfuzzer tests to latest version (!1276)

František Krenželok created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1276

Project:Branches: FrantisekKrenzelok/gnutls:master to gnutls/gnutls:master
Author: František Krenželok

Add a description of the new feature/bug fix. Reference any relevant bugs.

## Checklist

* [ ] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [ ] Code modified for feature
* [ ] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
* [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:

* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 04 Jun 2020 20:22:53 +0000
Subject: [gnutls-devel] GnuTLS | Memory leak when using aead AES-CCM (#1017)

Marius Steffen created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1017

## Description of problem:

I've noticed this bug through using Samba, which has been reported over here: https://bugzilla.samba.org/show_bug.cgi?id=14399

Apparently, there's a memory leak in gnutls's AEAD AES-CCM (not GCM) `gnutls_aead_cipher_decryptv2` when using CCM in SMB.

## Version of gnutls used:

3.6.13

## How reproducible:

Steps to Reproduce:

* Install Samba, enforce signing or encryption
* Use client that only supports CCM (e.g. macOS)
* Observe memory usage
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 05 Jun 2020 00:30:14 +0000
Subject: [gnutls-devel] GnuTLS | Fix memleak in 'iov_store_grow' (!1277)

Alexander Haase created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1277

Project:Branches: ahaase/gnutls:fix/memleak to gnutls/gnutls:master
Author: Alexander Haase

This patch is related to issue #1017 and fixes a bug in `iov_store_grow()` to avoid a memory leak for use with Samba and `AES-CCM` cipher. Under certain conditions memory is not freed after use, as the `allocated` flag is unset.

In use with Samba, this can lead to a DoS attack, as copying a sufficiently large amount of data would allocate the whole memory of the server and let the process die.

As far as I could test, this patch allows the memory to be freed up again, having a stable memory consumption when using `gnutls_aead_cipher_decryptv2()`.

## Checklist

* [x] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [ ] Code modified for feature
* [ ] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
* [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:

* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 05 Jun 2020 03:39:52 +0000
Subject: [gnutls-devel] GnuTLS | tests: updated tlsfuzzer tests to latest version (!1276)

Daiki Ueno commented:

@FrantisekKrenzelok Thanks! Could you increase the CI timeout with "Settings" -> "CI/CD" -> "General pipelines" -> "Timeout" and retrigger the pipeline? That would solve CI failures.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1276#note_355802493

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 05 Jun 2020 03:43:11 +0000
Subject: [gnutls-devel] GnuTLS | Fix memleak in 'iov_store_grow' (!1277)

Daiki Ueno commented:

@ahaase Thanks! Could you increase the CI timeout with "Settings" -> "CI/CD" -> "General pipelines" -> "Timeout" and retrigger the pipeline? That would solve CI failures.

I wonder why this is not caught by `tests/aead-cipher-vec.c`. Do you have any idea how to implement a test reproducing this?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1277#note_355803179
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 05 Jun 2020 07:03:11 +0000
Subject: [gnutls-devel] GnuTLS | Fix memleak in 'iov_store_grow' (!1277)

Daiki Ueno commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/1277#note_355870661

OK, here is a patch for a reproducer, [vec-tests.patch](/uploads/54616d0e488644fa4a48135fa3eea17c/vec-tests.patch), which exercises multiple iov lengths.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1277#note_355870661

From gnutls-devel at lists.gnutls.org Fri Jun 5 09:05:36 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 05 Jun 2020 07:05:36 +0000
Subject: [gnutls-devel] GnuTLS | Fix memleak in 'iov_store_grow' (!1277)

Daiki Ueno started a new discussion on lib/crypto-api.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1277#note_355871837

> s->data = gnutls_realloc(s->data, s->size);
> if (s->data == NULL)
> return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
> - s->allocated = 1;
> } else {
> void *data = s->data;
> size_t size = s->size + length;
> s->data = gnutls_malloc(size);

Again, an issue in the original code, but we should check `s->data != NULL`.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1277#note_355871837

From gnutls-devel at lists.gnutls.org Fri Jun 5 09:06:55 2020
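Review bot: in the realloc branch of this hunk, `s->data = gnutls_realloc(s->data, s->size);` overwrites the only pointer to the old block, so when the call fails the `GNUTLS_E_MEMORY_ERROR` return also leaks the buffer; assign to a temporary first (`data = gnutls_realloc(s->data, s->size); if (data == NULL) return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); s->data = data;`). In the else branch, `s->data = gnutls_malloc(size);` has no NULL check in the quoted context before the old contents are copied into it, and the hunk only shows `s->allocated = 1;` being removed from the realloc branch; confirm the flag is also set after the else branch, because per the MR description a buffer left with `allocated` unset is never released by the store.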
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 05 Jun 2020 07:06:55 +0000
Subject: [gnutls-devel] GnuTLS | Fix memleak in 'iov_store_grow' (!1277)

Merge request https://gitlab.com/gnutls/gnutls/-/merge_requests/1277 was reviewed by Daiki Ueno

--

Daiki Ueno started a new discussion on lib/crypto-api.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1277#note_355871909

> s->data = gnutls_realloc(s->data, s->size);

This is an issue in the original code, but `s->data` will leak if `gnutls_realloc` fails. Maybe good to rewrite it to something like:

```c
void *data;
[...]
data = gnutls_realloc(s->data, s->size);
if (data == NULL)
	return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
s->data = data;
```

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1277

From gnutls-devel at lists.gnutls.org Fri Jun 5 09:13:42 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 05 Jun 2020 07:13:42 +0000
Subject: [gnutls-devel] GnuTLS | A question about the license of gnutls (#1018)

Lei Maohui created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1018

I have a question about the license of gnutls; I'm not sure whether it is a bug. In gnutls-3.6.13/LICENSE, the content is as follows:

------------------------------------------------------------------
LICENSING
=========

Since GnuTLS version 3.1.10, the core library is released under the GNU Lesser General Public License (LGPL) version 2.1 or later (see doc/COPYING.LESSER for the license terms).

The GNU LGPL applies to the main GnuTLS library, while the included applications as well as gnutls-openssl library are under the GNU GPL version 3. The gnutls library is located in the lib/ and libdane/ directories, while the applications in src/ and, the gnutls-openssl library is at extra/.

......
------------------------------------------------------------------

I think it means that everything in lib/ is under the LGPL-2.1+ license. But I found that the license of lib/x509/krb5.h and lib/x509/krb5.c is GPL-3.0+. Obviously, it is inconsistent with the LICENSE file. So, I don't know whether it is a bug or I got it wrong.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1018

From gnutls-devel at lists.gnutls.org Fri Jun 5 10:00:44 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 05 Jun 2020 08:00:44 +0000
Subject: [gnutls-devel] GnuTLS | Add support for DTLS 1.3 (#1019)

Daiki Ueno created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1019

As the [DTLS 1.3 draft](https://www.ietf.org/id/draft-ietf-tls-dtls13-38.html) has been in WGLC for a while, it would be nice to consider adding support for it in the library. A notable change is [sequence number encryption](https://www.ietf.org/id/draft-ietf-tls-dtls13-38.html#name-sequence-number-encryption) using the same scheme as in QUIC.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1019

From gnutls-devel at lists.gnutls.org Fri Jun 5 10:15:26 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 05 Jun 2020 08:15:26 +0000
Subject: [gnutls-devel] GnuTLS | tests: updated tlsfuzzer tests to latest version (!1276)

František Krenželok commented:

Pipeline is increased, and running again. I am not sure what else I should implement. There is one test in `tlsfuzzer/tests/*.json` files that was implemented in between updates, should I add it as well?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1276#note_355919241

From gnutls-devel at lists.gnutls.org Fri Jun 5 10:15:49 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 05 Jun 2020 08:15:49 +0000
Subject: [gnutls-devel] GnuTLS | A question about the license of gnutls (#1018)

Nikos Mavrogiannopoulos commented:

I see from the log that I'm the only one who touched this file, so as far as I'm concerned this is the same license as the rest of gnutls. Feel free to update the license to the right one.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1018#note_355919711

From gnutls-devel at lists.gnutls.org Fri Jun 5 10:40:35 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 05 Jun 2020 08:40:35 +0000
Subject: [gnutls-devel] GnuTLS | A question about the license of gnutls (#1018)

Lei Maohui commented:

Thank you for your reply, I'll submit a PR later.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1018#note_355939110

From gnutls-devel at lists.gnutls.org Fri Jun 5 13:02:31 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 05 Jun 2020 11:02:31 +0000
Subject: [gnutls-devel] GnuTLS | tests: updated tlsfuzzer tests to latest version (!1276)

Merge Request !1276 was approved by Daiki Ueno

Merge Request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1276
Project:Branches: FrantisekKrenzelok/gnutls:master to gnutls/gnutls:master
Author: František Krenželok
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1276

From gnutls-devel at lists.gnutls.org Fri Jun 5 13:02:22 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 05 Jun 2020 11:02:22 +0000
Subject: [gnutls-devel] GnuTLS | tests: updated tlsfuzzer tests to latest version (!1276)

Daiki Ueno commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/1276#note_356047265

I think that would be nice, but not a blocker. You can add more tests at any time if you notice some tests are missing.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1276#note_356047265

From gnutls-devel at lists.gnutls.org Fri Jun 5 13:04:07 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 05 Jun 2020 11:04:07 +0000
Subject: [gnutls-devel] GnuTLS | gnutls_aead_cipher_init: fix potential memleak (!1274)

Daiki Ueno commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/1274#note_356048272

Thanks. I think this is a bit hard to test, because it's a failure path and tests are supposed to be in nettle code. Maybe a static analyzer can be of help in this case?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1274#note_356048272

From gnutls-devel at lists.gnutls.org Fri Jun 5 13:45:34 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 05 Jun 2020 11:45:34 +0000
Subject: [gnutls-devel] GnuTLS | AIA callback to retrieve missing chain certificates (!1262)

Merge Request !1262 was merged

Merge Request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1262
Project:Branches: sahprasa/gnutls:aia to gnutls/gnutls:master
Author: Sahana Prasad
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1262

From gnutls-devel at lists.gnutls.org Fri Jun 5 14:32:29 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 05 Jun 2020 12:32:29 +0000
Subject: [gnutls-devel] GnuTLS | Fix memleak in 'iov_store_grow' (!1277)

Marius Steffen commented:

Okay, I'm sorry to be so frank, but this is kinda annoying. I don't think you've realized the severity of this bug, and why _immediate_ fixing, merging and releasing are necessary: You're developing a library for security relevant stuff, and it's being used in a widely deployed software, namely Samba. So this little line of code leads to all Samba 4.12+ servers being susceptible to extremely easy and reproducible Denial-of-Service attacks by using up all available memory, hence crashing the server. This is solely a bug in *this* library, not Samba. This is a security incident, and it should be treated like one, not like a missing feature.

Pipelines are okay, I thoroughly tested the fix in my setup, and now you're practically wasting time by refactoring and reevaluating your implementation. Please. realize. how. urgent. this. is. It's nice to find and fix other *potential* future bugs, but _deploy_(!) the current fix first. Otherwise, maybe you should switch to some less security relevant piece of software.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1277#note_356114305

From gnutls-devel at lists.gnutls.org Fri Jun 5 17:21:32 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 05 Jun 2020 15:21:32 +0000
Subject: [gnutls-devel] GnuTLS | Fix memleak in 'iov_store_grow' (!1277)

Alexander Sosedkin commented:

Offtopic: @mariussteffen, I understand your disappointment and, while I'm not qualified enough to evaluate the severity of an issue, I can't help but note that your comment doesn't seem entirely appropriate, given that the issue was merely 12 hours old at the time. 'Immediate fixing, merging and releasing' sounds cool, but I'd prefer people behind a widely used cryptography library I use to exhaustively analyze and test the fix before merging it, and get a healthy dose of sleep beforehand if they need to. Thanks for voicing your concerns, anyway. I'm sure that this will be handled at a far-from-glacial pace.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1277#note_356260789

From gnutls-devel at lists.gnutls.org Fri Jun 5 18:07:20 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 05 Jun 2020 16:07:20 +0000
Subject: [gnutls-devel] GnuTLS | Testsuite error - listening on IPv6, connecting to IPv4 (#1007)

Andreas Metzler commented:

Julien Cristau and Adrian Bunk have shed some light on this in [https://bugs.debian.org/962218](https://bugs.debian.org/962218)

The respective buildd has IPv6 connectivity, the IPv4 loopback is still present, though:

~~~
eth0: flags=4163 mtu 1500
        inet6 2a02:16a8:dc41:100::240  prefixlen 64  scopeid 0x0
        inet6 fe80::216:37ff:fed2:16f0  prefixlen 64  scopeid 0x20
        ether 00:16:37:d2:16:f0  txqueuelen 1000  (Ethernet)
[...]
lo: flags=73 mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10
        loop  txqueuelen 1000  (Local Loopback)
~~~

However with this setup gnutls-serv only listens on the IPv6 interface:

Adrian:

> The conova buildds are IPv6-only, see #[962019](https://bugs.debian.org/962019) for a similar problem in perl.

and in a later message

> The usage of AI_ADDRCONFIG in src/serv.c:listen_socket() looks similar to the problem described in the perl bug.

Julien:

> And indeed gnutls-serv seems to call getaddrinfo with node == NULL and
> hints.ai_flags == AI_PASSIVE|AI_ADDRCONFIG, to figure out what address
> to listen on. If the host has no non-local ipv4 address, that
> getaddrinfo call returns :: but not 0.0.0.0; and then the test hardcodes
> 127.0.0.1 as the address for gnutls-cli to connect to, and sadness
> ensues.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1007#note_356288765

From gnutls-devel at lists.gnutls.org Fri Jun 5 18:35:12 2020
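An added example (not GnuTLS code) that reproduces the `getaddrinfo()` behaviour Julien describes in #1007: `passive_wildcards()` reports which address families a passive `NULL`-node lookup yields with and without `AI_ADDRCONFIG`, and `loopback_for()` shows the harness-side mitigation of deriving the client's connect address from what was actually bound instead of hardcoding 127.0.0.1. The port, the struct and the function names are assumptions.

```c
/* Added example, not GnuTLS code. On glibc, AI_ADDRCONFIG makes getaddrinfo()
 * return a family only if the host has a configured non-loopback address of
 * that family, which is how an IPv6-only buildd ends up with "::" but no
 * "0.0.0.0" while the test still dials 127.0.0.1. */
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1	/* AI_ADDRCONFIG in glibc's <netdb.h> */
#endif
#include <netdb.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

struct wildcards {
	int has_v4;	/* 0.0.0.0 was offered as a listen address */
	int has_v6;	/* ::      was offered as a listen address */
};

/* Enumerate what a server would bind when it lets getaddrinfo() pick the
 * passive address; `flags` goes straight into hints.ai_flags. */
static struct wildcards passive_wildcards(const char *port, int flags)
{
	struct wildcards w = { 0, 0 };
	struct addrinfo hints, *res, *ai;

	memset(&hints, 0, sizeof hints);
	hints.ai_family = AF_UNSPEC;
	hints.ai_socktype = SOCK_STREAM;
	hints.ai_flags = flags;
	if (getaddrinfo(NULL, port, &hints, &res) != 0)
		return w;
	for (ai = res; ai != NULL; ai = ai->ai_next) {
		if (ai->ai_family == AF_INET)
			w.has_v4 = 1;
		else if (ai->ai_family == AF_INET6)
			w.has_v6 = 1;
	}
	freeaddrinfo(res);
	return w;
}

/* Mitigation for a test harness: choose the loopback that matches a family
 * the server actually bound, rather than assuming IPv4 is present. */
static const char *loopback_for(struct wildcards w)
{
	if (w.has_v4)
		return "127.0.0.1";
	if (w.has_v6)
		return "::1";
	return NULL;
}

int main(void)
{
	struct wildcards plain = passive_wildcards("5556", AI_PASSIVE);
	struct wildcards cfg = passive_wildcards("5556", AI_PASSIVE | AI_ADDRCONFIG);
	const char *dial = loopback_for(cfg);

	printf("AI_PASSIVE:               v4=%d v6=%d\n", plain.has_v4, plain.has_v6);
	printf("AI_PASSIVE|AI_ADDRCONFIG: v4=%d v6=%d -> client should dial %s\n",
	       cfg.has_v4, cfg.has_v6, dial ? dial : "nothing");
	return 0;
}
```

On the IPv6-only buildd described above the second line drops `v4`, so a harness that calls `loopback_for()` would dial `::1` instead of failing against 127.0.0.1.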
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 05 Jun 2020 16:35:12 +0000
Subject: [gnutls-devel] GnuTLS | crypto-api: always allocate memory when serializing iovec_t (!1278)

Daiki Ueno created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1278

Branches: tmp-iov-memleak to master
Author: Daiki Ueno

The AEAD iov interface falls back to serializing the input buffers if the low-level cipher doesn't support scatter/gather encryption. However, there was a bug in the functions used for the serialization, which causes memory leaks under a certain condition (i.e. the number of input buffers is 1).

This patch makes the logic of the functions simpler, by removing a micro-optimization that tries to minimize the number of calls to malloc/free.

The original problem was reported by Marius Steffen in: https://bugzilla.samba.org/show_bug.cgi?id=14399 and the cause was investigated by Alexander Haase in: https://gitlab.com/gnutls/gnutls/-/merge_requests/1277

Fixes #1017.

## Checklist

* [x] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [ ] Code modified for feature
* [x] Test suite updated with functionality tests
* [x] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
* [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:

* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1278
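The growth logic discussed across !1277 and !1278, as an added example that is not GnuTLS code: a model of `iov_store_st` with a counting allocator, a deliberately leaky `iov_store_grow_leaky()` reconstructed from the quoted hunk and the MR description (the branch condition `s->allocated || s->data == NULL` and the helper names are assumptions), and a hardened `iov_store_grow_fixed()` that applies the review points (temporary for realloc, NULL check after malloc, ownership flag set on every allocating path). `leaked_blocks_after()` drives the single-input-buffer path that the !1278 description identifies and reports how many blocks survive `iov_store_free()`.

```c
/* Added example modelling the iov_store_grow() discussion in !1277; it is
 * not GnuTLS code. The branch condition and the helper names are
 * assumptions reconstructed from the quoted hunk and the MR description. */
#include <stdlib.h>
#include <string.h>

/* Counting allocator so a leak is observable without valgrind. */
static int live_allocs = 0;
static void *count_malloc(size_t n) { void *p = malloc(n); if (p) live_allocs++; return p; }
static void *count_realloc(void *p, size_t n) { void *q = realloc(p, n); if (q && !p) live_allocs++; return q; }
static void count_free(void *p) { if (p) { live_allocs--; free(p); } }

struct iov_store_st {
	void *data;
	size_t size;
	unsigned allocated;	/* 1 when data is owned by the store */
};

/* Pre-fix logic as described in the MR: the else branch copies a borrowed
 * buffer into a fresh allocation but never marks it as owned, so
 * iov_store_free() leaves it behind. Deliberately leaky. */
static int iov_store_grow_leaky(struct iov_store_st *s, size_t length)
{
	if (s->allocated || s->data == NULL) {	/* assumed condition */
		s->size += length;
		s->data = count_realloc(s->data, s->size);
		if (s->data == NULL)
			return -1;
		s->allocated = 1;
	} else {
		void *data = s->data;
		size_t size = s->size + length;
		s->data = count_malloc(size);
		memcpy(s->data, data, s->size);
		s->size = size;
		/* missing here: s->allocated = 1; */
	}
	return 0;
}

/* Hardened variant applying the review points: realloc into a temporary so
 * the old block survives a failure, NULL-check the malloc before copying,
 * and set the ownership flag on every path that allocates. */
static int iov_store_grow_fixed(struct iov_store_st *s, size_t length)
{
	size_t size = s->size + length;
	void *p;

	if (s->allocated || s->data == NULL) {
		p = count_realloc(s->data, size);
		if (p == NULL)
			return -1;	/* s->data is still valid and owned as before */
	} else {
		p = count_malloc(size);
		if (p == NULL)
			return -1;
		memcpy(p, s->data, s->size);
	}
	s->data = p;
	s->size = size;
	s->allocated = 1;
	return 0;
}

static void iov_store_free(struct iov_store_st *s)
{
	if (s->allocated)
		count_free(s->data);
	s->data = NULL;
	s->size = 0;
	s->allocated = 0;
}

/* Drive the single-input-buffer path (the one Samba's AES-CCM use hits):
 * the store borrows the caller's buffer and then must grow to append a
 * 16-byte tag. Returns how many blocks are still outstanding after free:
 * 0 means no leak, -1 means an allocation failed. */
static int leaked_blocks_after(int (*grow)(struct iov_store_st *, size_t),
			       int rounds)
{
	static unsigned char ciphertext[32];	/* constructed sample input */
	int i;

	live_allocs = 0;
	for (i = 0; i < rounds; i++) {
		struct iov_store_st s = { ciphertext, sizeof ciphertext, 0 };
		if (grow(&s, 16) != 0)
			return -1;
		iov_store_free(&s);
	}
	return live_allocs;
}
```

Each round with the leaky variant leaves one block behind, which is the unbounded growth the Samba report describes; the fixed variant returns to zero outstanding blocks after every call.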
From gnutls-devel at lists.gnutls.org Fri Jun 5 18:38:37 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 05 Jun 2020 16:38:37 +0000
Subject: [gnutls-devel] GnuTLS | Memory leak in gnutls_aead_cipher_init() (#1010)

Issue was closed by Daiki Ueno via merge request !1274 (https://gitlab.com/gnutls/gnutls/-/merge_requests/1274)

Issue #1010: https://gitlab.com/gnutls/gnutls/-/issues/1010

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1010

From gnutls-devel at lists.gnutls.org Fri Jun 5 18:38:37 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 05 Jun 2020 16:38:37 +0000
Subject: [gnutls-devel] GnuTLS | gnutls_aead_cipher_init: fix potential memleak (!1274)

Merge Request !1274 was merged

Merge Request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1274
Branches: tmp-aead-init-leak to master
Author: Daiki Ueno
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1274

From gnutls-devel at lists.gnutls.org Fri Jun 5 18:38:33 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 05 Jun 2020 16:38:33 +0000
Subject: [gnutls-devel] GnuTLS | gnutls_aead_cipher_init: fix potential memleak (!1274)

All discussions on Merge Request !1274 were resolved by Daiki Ueno

https://gitlab.com/gnutls/gnutls/-/merge_requests/1274

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1274

From gnutls-devel at lists.gnutls.org Fri Jun 5 18:38:56 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 05 Jun 2020 16:38:56 +0000
Subject: [gnutls-devel] GnuTLS | tests: updated tlsfuzzer tests to latest version (!1276)

All discussions on Merge Request !1276 were resolved by Daiki Ueno

https://gitlab.com/gnutls/gnutls/-/merge_requests/1276

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1276

From gnutls-devel at lists.gnutls.org Fri Jun 5 18:39:00 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 05 Jun 2020 16:39:00 +0000
Subject: [gnutls-devel] GnuTLS | tests: updated tlsfuzzer tests to latest version (!1276)

Merge Request !1276 was merged

Merge Request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1276
Project:Branches: FrantisekKrenzelok/gnutls:master to gnutls/gnutls:master
Author: František Krenželok
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1276

From gnutls-devel at lists.gnutls.org Sat Jun 6 02:10:03 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 06 Jun 2020 00:10:03 +0000
Subject: [gnutls-devel] GnuTLS | Fix memleak in 'iov_store_grow' (!1277)

Alexander Haase commented:

@dueno I don't know about the GnuTLS internals, but I think the `iov_store_st` struct could be checked after a test case, if `allocated` is `0` and the pointer is `NULL` or freed? Usually this should be tracked by valgrind or memory sanitizer.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1277#note_356504906

From gnutls-devel at lists.gnutls.org Sat Jun 6 06:15:39 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 06 Jun 2020 04:15:39 +0000
Subject: [gnutls-devel] GnuTLS | add a callback to retrieve missing chain certificates (#202)

Milestone changed to Release of GnuTLS 3.7.0 ( https://gitlab.com/gnutls/gnutls/-/milestones/20 )

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/202

From gnutls-devel at lists.gnutls.org Sat Jun 6 06:16:04 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 06 Jun 2020 04:16:04 +0000
Subject: [gnutls-devel] GnuTLS | add a callback to retrieve missing chain certificates (#202)

Issue was closed by Daiki Ueno

Issue #202: https://gitlab.com/gnutls/gnutls/-/issues/202

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/202

From gnutls-devel at lists.gnutls.org Sat Jun 6 06:16:04 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 06 Jun 2020 04:16:04 +0000
Subject: [gnutls-devel] GnuTLS | add a callback to retrieve missing chain certificates (#202)

Daiki Ueno commented:

Fixed in !1262.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/202#note_356530875

From gnutls-devel at lists.gnutls.org Sat Jun 6 06:22:42 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 06 Jun 2020 04:22:42 +0000
Subject: [gnutls-devel] GnuTLS | Fix memleak in 'iov_store_grow' (!1277)

Daiki Ueno commented:

@ahaase, I think having the `allocated` flag is the root of the problem, because `iov_store_*` functions are only used in the fallback path (in this case CCM, which I know is common in the Samba context though), and a buffer for serializing the iovs is always allocated because we nevertheless need to append an AEAD tag. I've filed !1278 to remove that flag. If you don't mind, we can consider this being superseded by that MR.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1277#note_356531404

From gnutls-devel at lists.gnutls.org Sat Jun 6 08:43:04 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 06 Jun 2020 06:43:04 +0000
Subject: [gnutls-devel] GnuTLS | Getting actual certificate path to a trusted CA (#1012)

Daiki Ueno commented:

That's indeed misleading.

> I suggest adding a function that returns the full path to the trusted root as was used in gnutls_certificate_verify_peers.

Would you like to work on this? I see `gnutls_x509_trust_list_verify_crt2` takes `gnutls_verify_output_function`, while the code path reachable from `gnutls_certificate_verify_peers` doesn't make use of it, so a new API function would be needed, as you say.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1012#note_356549038

From gnutls-devel at lists.gnutls.org Sat Jun 6 08:46:09 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 06 Jun 2020 06:46:09 +0000
Subject: [gnutls-devel] GnuTLS | MAGMA/KUZNYECHIK CTR-ACPKM and CMAC support (!1161)

Milestone changed to Release of GnuTLS 3.7.0 (Jun 3, 2020–Aug 3, 2020) ( https://gitlab.com/gnutls/gnutls/-/milestones/20 )

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1161

From gnutls-devel at lists.gnutls.org Sat Jun 6 08:46:39 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 06 Jun 2020 06:46:39 +0000
Subject: [gnutls-devel] GnuTLS | MAGMA/KUZNYECHIK CTR-ACPKM and CMAC support (!1161)

Merge Request !1161 was approved by Daiki Ueno

Merge Request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1161
Project:Branches: GostCrypt/gnutls:gost-split-6 to gnutls/gnutls:master
Author: Dmitry Baryshkov
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1161

From gnutls-devel at lists.gnutls.org Sat Jun 6 08:46:34 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 06 Jun 2020 06:46:34 +0000
Subject: [gnutls-devel] GnuTLS | MAGMA/KUZNYECHIK CTR-ACPKM and CMAC support (!1161)

Daiki Ueno commented:

Now that 3.7 is branched, let's unblock this.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1161#note_356549280

From gnutls-devel at lists.gnutls.org Sat Jun 6 08:49:31 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 06 Jun 2020 06:49:31 +0000
Subject: [gnutls-devel] GnuTLS | Fix two issues about certtool and passwords (!1268)

Merge Request !1268 was approved by Daiki Ueno

Merge Request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1268
Branches: tmp-fix-cert-pass to master
Author: Dmitry Baryshkov
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1268

From gnutls-devel at lists.gnutls.org Sat Jun 6 08:50:20 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 06 Jun 2020 06:50:20 +0000
Subject: [gnutls-devel] GnuTLS | Fix two issues about certtool and passwords (!1268)

Daiki Ueno commented:

It looks good to me, though it would be nice if there were a test case (a script).

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1268#note_356549592

From gnutls-devel at lists.gnutls.org Sat Jun 6 08:58:23 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 06 Jun 2020 06:58:23 +0000
Subject: [gnutls-devel] GnuTLS | Add support for DTLS 1.3 (#1019)

Daiki Ueno commented:

@dwmw2 do you have a use-case of this in OpenConnect perhaps?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1019#note_356550270

From gnutls-devel at lists.gnutls.org Sat Jun 6 09:03:40 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 06 Jun 2020 07:03:40 +0000
Subject: [gnutls-devel] GnuTLS | Add support for DTLS 1.3 (#1019)

David Woodhouse commented:

If you have it working then OpenConnect with PSK-NEGOTIATE ought to be able to use it with minimal changes, I suspect. Would have to revisit what happened to PSK in 1.3...

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1019#note_356550742

From gnutls-devel at lists.gnutls.org Sat Jun 6 10:49:13 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 06 Jun 2020 08:49:13 +0000
Subject: [gnutls-devel] GnuTLS | Allow statically linking ncrypt (win32) (!1254)

Christoph Reiter commented:

There is a typo in `WIN32_WINT=0x600`

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1254#note_356562025

From gnutls-devel at lists.gnutls.org Sat Jun 6 10:55:31 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 06 Jun 2020 08:55:31 +0000
Subject: [gnutls-devel] GnuTLS | 3.6.14 fails to build on Windows because of missing bcrypt/ncrypt (#1020)

Christoph Reiter created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1020

`-lbcrypt -lncrypt` are missing

```
  CCLD     libgnutls.la
C:/msys64/mingw64/bin/../lib/gcc/x86_64-w64-mingw32/10.1.0/../../../../x86_64-w64-mingw32/bin/ld.exe: system/.libs/keys-win.o:keys-win.c:(.text+0x2e): undefined reference to `NCryptFreeObject'
C:/msys64/mingw64/bin/../lib/gcc/x86_64-w64-mingw32/10.1.0/../../../../x86_64-w64-mingw32/bin/ld.exe: system/.libs/keys-win.o:keys-win.c:(.text+0xdd): undefined reference to `NCryptSignHash'
C:/msys64/mingw64/bin/../lib/gcc/x86_64-w64-mingw32/10.1.0/../../../../x86_64-w64-mingw32/bin/ld.exe: system/.libs/keys-win.o:keys-win.c:(.text+0x128): undefined reference to `NCryptSignHash'
C:/msys64/mingw64/bin/../lib/gcc/x86_64-w64-mingw32/10.1.0/../../../../x86_64-w64-mingw32/bin/ld.exe: system/.libs/keys-win.o:keys-win.c:(.text+0x3e4): undefined reference to `NCryptDecrypt'
C:/msys64/mingw64/bin/../lib/gcc/x86_64-w64-mingw32/10.1.0/../../../../x86_64-w64-mingw32/bin/ld.exe: system/.libs/keys-win.o:keys-win.c:(.text+0x434): undefined reference to `NCryptDecrypt'
C:/msys64/mingw64/bin/../lib/gcc/x86_64-w64-mingw32/10.1.0/../../../../x86_64-w64-mingw32/bin/ld.exe: system/.libs/keys-win.o:keys-win.c:(.text+0x1542): undefined reference to `NCryptFreeObject'
C:/msys64/mingw64/bin/../lib/gcc/x86_64-w64-mingw32/10.1.0/../../../../x86_64-w64-mingw32/bin/ld.exe: system/.libs/keys-win.o:keys-win.c:(.text+0x1551): undefined reference to `NCryptFreeObject'
C:/msys64/mingw64/bin/../lib/gcc/x86_64-w64-mingw32/10.1.0/../../../../x86_64-w64-mingw32/bin/ld.exe: system/.libs/keys-win.o:keys-win.c:(.text+0x156d): undefined reference to `NCryptOpenStorageProvider'
C:/msys64/mingw64/bin/../lib/gcc/x86_64-w64-mingw32/10.1.0/../../../../x86_64-w64-mingw32/bin/ld.exe: system/.libs/keys-win.o:keys-win.c:(.text+0x16bb): undefined reference to `NCryptOpenKey'
C:/msys64/mingw64/bin/../lib/gcc/x86_64-w64-mingw32/10.1.0/../../../../x86_64-w64-mingw32/bin/ld.exe: system/.libs/keys-win.o:keys-win.c:(.text+0x16f7): undefined reference to `NCryptGetProperty'
C:/msys64/mingw64/bin/../lib/gcc/x86_64-w64-mingw32/10.1.0/../../../../x86_64-w64-mingw32/bin/ld.exe: system/.libs/keys-win.o:keys-win.c:(.text+0x185d): undefined reference to `NCryptFreeObject'
C:/msys64/mingw64/bin/../lib/gcc/x86_64-w64-mingw32/10.1.0/../../../../x86_64-w64-mingw32/bin/ld.exe: system/.libs/keys-win.o:keys-win.c:(.text+0x2500): undefined reference to `NCryptDeleteKey'
C:/msys64/mingw64/bin/../lib/gcc/x86_64-w64-mingw32/10.1.0/../../../../x86_64-w64-mingw32/bin/ld.exe: system/.libs/keys-win.o:keys-win.c:(.text+0x250a): undefined reference to `NCryptFreeObject'
C:/msys64/mingw64/bin/../lib/gcc/x86_64-w64-mingw32/10.1.0/../../../../x86_64-w64-mingw32/bin/ld.exe: nettle/.libs/libcrypto.a(sysrng-bcrypt.o):sysrng-bcrypt.c:(.text+0x17): undefined reference to `BCryptGenRandom'
C:/msys64/mingw64/bin/../lib/gcc/x86_64-w64-mingw32/10.1.0/../../../../x86_64-w64-mingw32/bin/ld.exe: nettle/.libs/libcrypto.a(sysrng-bcrypt.o):sysrng-bcrypt.c:(.text+0x89): undefined reference to `BCryptOpenAlgorithmProvider'
C:/msys64/mingw64/bin/../lib/gcc/x86_64-w64-mingw32/10.1.0/../../../../x86_64-w64-mingw32/bin/ld.exe: nettle/.libs/libcrypto.a(sysrng-bcrypt.o):sysrng-bcrypt.c:(.text+0xea): undefined reference to `BCryptCloseAlgorithmProvider'
collect2.exe: error: ld returned 1 exit status
```

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1020
URL: From gnutls-devel at lists.gnutls.org Sat Jun 6 11:00:17 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sat, 06 Jun 2020 09:00:17 +0000 Subject: [gnutls-devel] GnuTLS | 3.6.14 fails to build on Windows because of missing bcrypt/ncrypt (#1020) In-Reply-To: References: Message-ID: Christoph Reiter commented: @robUx4 any idea what could be the problem here? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1020#note_356563068 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat Jun 6 12:03:03 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sat, 06 Jun 2020 10:03:03 +0000 Subject: [gnutls-devel] GnuTLS | Allow statically linking ncrypt (win32) (!1254) In-Reply-To: References: Message-ID: Steve Lhomme commented: Ah yes, in the CI file. Should I submit a patch or you can merge it ? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1254#note_356571838 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat Jun 6 12:07:30 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 06 Jun 2020 10:07:30 +0000
Subject: [gnutls-devel] GnuTLS | 3.6.14 fails to build on Windows because of missing bcrypt/ncrypt (#1020)

Steve Lhomme commented:

The variables are used here https://gitlab.com/gnutls/gnutls/-/blob/master/lib/gnutls.pc.in

Do you get the issue when statically linking or dynamically linking? I suppose that's dynamic linking, producing a DLL, because I use the static linking without a problem.

I guess they need to be added in `thirdparty_libadd` in https://gitlab.com/gnutls/gnutls/-/blob/master/lib/Makefile.am

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1020#note_356572460

From gnutls-devel at lists.gnutls.org Sat Jun 6 13:53:04 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 06 Jun 2020 11:53:04 +0000
Subject: [gnutls-devel] GnuTLS | Fix Vista CI and add a Vista DLL target (!1279)

Steve Lhomme created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1279

Project:Branches: robUx4/gnutls:fix-vista-ci to gnutls/gnutls:master
Author: Steve Lhomme

There was a typo in the original Vista addition so it did the same as the non-Vista target.

Also adding a Vista DLL (64 bits) target that may trigger the #1020 issue.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1279

From gnutls-devel at lists.gnutls.org Sat Jun 6 13:53:56 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 06 Jun 2020 11:53:56 +0000
Subject: [gnutls-devel] GnuTLS | Allow statically linking ncrypt (win32) (!1254)

Steve Lhomme commented:

I submitted !1279 to fix the typo.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1254#note_356593461

From gnutls-devel at lists.gnutls.org Sat Jun 6 14:13:45 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 06 Jun 2020 12:13:45 +0000
Subject: [gnutls-devel] GnuTLS | Merge the extra libraries to link dynamically in GNUTLS_LIBS_PRIVATE (!1280)

Steve Lhomme created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1280

Project:Branches: robUx4/gnutls:merge-mandatory-libs to gnutls/gnutls:master
Author: Steve Lhomme

This should fix #1020 and makes things cleaner for the future.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1280

From gnutls-devel at lists.gnutls.org Sat Jun 6 14:16:35 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 06 Jun 2020 12:16:35 +0000
Subject: [gnutls-devel] GnuTLS | Fix Vista CI and add a Vista DLL target (!1279)

Steve Lhomme commented:

This won't pass the pipelines because of the CC cache. Should I just rename the target?

Also given #1020 shouldn't there be at least a build that does a DLL target to make sure it works? It doesn't seem to be run during the normal CI phase.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1279#note_356596209

From gnutls-devel at lists.gnutls.org Sat Jun 6 19:19:37 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 06 Jun 2020 17:19:37 +0000
Subject: [gnutls-devel] GnuTLS | Testsuite error - listening on IPv6, connecting to IPv4 (#1007)

Andreas Metzler commented:

The latest gnutls upload to Debian features this change:

~~~diff
--- gnutls28-3.6.14.orig/src/serv.c +++ gnutls28-3.6.14/src/serv.c @@ -912,11 +912,7 @@ int listen_socket(const char *name, int snprintf(portname, sizeof(portname), "%d", listen_port); memset(&hints, 0, sizeof(hints)); hints.ai_socktype = socktype; - hints.ai_flags = AI_PASSIVE -#ifdef AI_ADDRCONFIG - | AI_ADDRCONFIG -#endif - ; + hints.ai_flags = AI_PASSIVE;
~~~

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1007#note_356637206

From gnutls-devel at lists.gnutls.org Sat Jun 6 21:29:46 2020
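Review bot: dropping AI_ADDRCONFIG here changes behaviour for every caller of listen_socket(), not only for the IPv6-loopback-only hosts that #1007 is about; without that filter getaddrinfo() can also return a family the host has no usable address in, so the code after this hunk that walks the result list and calls socket()/bind() per entry must skip a failing family (EAFNOSUPPORT, EADDRNOTAVAIL) rather than treat the first failure as fatal, and that loop should be checked before the change goes upstream. The `@@ -912,11 +912,7 @@` header also announces 11 old lines while only 8 are quoted, so please post the complete hunk (or the Debian patch file) when proposing it.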
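A worked example of the listening-socket setup discussed in this thread, added here as an illustration and not taken from GnuTLS's serv.c: it builds the same AI_PASSIVE hints, makes visible what the AI_ADDRCONFIG filter removes, and then binds one socket per returned address family while skipping the families this host cannot actually use, which is the caller-side behaviour a fix like the quoted one relies on. The function names and the use of port 0 are my own choices.

```c
/* Added example (not GnuTLS code): passive getaddrinfo() with and without
 * AI_ADDRCONFIG, and a bind loop that tolerates unusable address families. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <netdb.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Count the distinct address families a passive lookup for "any address"
 * yields. With use_addrconfig != 0 the AI_ADDRCONFIG filter is applied;
 * on glibc that hides a family when the host has no non-loopback address
 * in it, which is how a loopback-only IPv6 host ends up IPv4-only and the
 * test client then cannot reach a server that only listened on IPv6.
 * Returns -1 if getaddrinfo() itself fails. */
int count_passive_families(int use_addrconfig)
{
    struct addrinfo hints, *res, *p;
    int have_inet = 0, have_inet6 = 0;

    memset(&hints, 0, sizeof(hints));
    hints.ai_socktype = SOCK_STREAM;
    hints.ai_flags = AI_PASSIVE;
#ifdef AI_ADDRCONFIG
    if (use_addrconfig)
        hints.ai_flags |= AI_ADDRCONFIG;
#endif
    if (getaddrinfo(NULL, "0", &hints, &res) != 0)
        return -1;
    for (p = res; p != NULL; p = p->ai_next) {
        if (p->ai_family == AF_INET)
            have_inet = 1;
        if (p->ai_family == AF_INET6)
            have_inet6 = 1;
    }
    freeaddrinfo(res);
    return have_inet + have_inet6;
}

/* Bind one socket per getaddrinfo() result. A family the kernel does not
 * support (socket() fails with EAFNOSUPPORT) or cannot bind (EADDRNOTAVAIL)
 * is skipped instead of aborting the whole server; that is what a caller
 * needs once AI_ADDRCONFIG no longer pre-filters the list. Returns how many
 * sockets were bound (all are closed again before returning, this is a
 * demonstration), or -1 if the lookup failed. */
int bind_all_families(const char *port)
{
    struct addrinfo hints, *res, *p;
    int bound = 0;

    memset(&hints, 0, sizeof(hints));
    hints.ai_socktype = SOCK_STREAM;
    hints.ai_flags = AI_PASSIVE;
    if (getaddrinfo(NULL, port, &hints, &res) != 0)
        return -1;
    for (p = res; p != NULL; p = p->ai_next) {
        int fd = socket(p->ai_family, p->ai_socktype, p->ai_protocol);
        if (fd < 0)
            continue; /* e.g. EAFNOSUPPORT: family not available here */
        if (p->ai_family == AF_INET6) {
            /* keep the v6 socket v6-only so it does not clash with the v4 one */
            int on = 1;
            setsockopt(fd, IPPROTO_IPV6, IPV6_V6ONLY, &on, sizeof(on));
        }
        if (bind(fd, p->ai_addr, p->ai_addrlen) == 0)
            bound++; /* EADDRNOTAVAIL and friends are simply skipped */
        close(fd);
    }
    freeaddrinfo(res);
    return bound;
}
```

Comparing count_passive_families(1) with count_passive_families(0) on the failing test host shows directly which family AI_ADDRCONFIG dropped; bind_all_families() shows the loop shape that lets a server listen on every family it can without failing when one of them is absent.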
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 06 Jun 2020 19:29:46 +0000
Subject: [gnutls-devel] GnuTLS | gcc 4.8: does not contain __get_cpuid_count() (#812)

serge sterck commented:

Same issue here, I have activated the devtoolset-9 to have gcc 9

```
cat /etc/redhat-release
CentOS Linux release 7.8.2003 (Core)
gcc --version
gcc (GCC) 9.1.1 20190605 (Red Hat 9.1.1-2)
Copyright (C) 2019 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
```

```
prefix=~/build
mkdir -p $prefix/Filezilla3
export PATH="$prefix/Filezilla3/bin:$PATH"
export LD_LIBRARY_PATH="$prefix/Filezilla3/lib:$LD_LIBRARY_PATH"
export PKG_CONFIG_PATH="$prefix/Filezilla3/lib/pkgconfig:$PKG_CONFIG_PATH"
cd $prefix
wget https://www.gnupg.org/ftp/gcrypt/gnutls/v3.6/gnutls-3.6.14.tar.xz
tar -xf gnutls-3.6.14.tar.xz
cd gnutls-3.6.14
./configure --prefix=$prefix/Filezilla3 \
  --docdir=$prefix/Filezilla3/share/doc/gnutls-3.6.14 \
  --disable-guile \
  --with-libnettle-prefix="$prefix/Filezilla3" \
  --with-included-unistring
```

```
  CC       pkcs11_privkey.lo
pkcs11_privkey.c: In function '_gnutls_pkcs11_privkey_sign':
pkcs11_privkey.c:335:32: error: storage size of 'rsa_pss_params' isn't known
  335 |  struct ck_rsa_pkcs_pss_params rsa_pss_params;
      |                                ^~~~~~~~~~~~~~
pkcs11_privkey.c:335:32: warning: unused variable 'rsa_pss_params' [-Wunused-variable]
make[4]: *** [Makefile:2261: pkcs11_privkey.lo] Error 1
make[4]: Leaving directory '/root/build/gnutls-3.6.14/lib'
make[3]: *** [Makefile:2357: all-recursive] Error 1
make[3]: Leaving directory '/root/build/gnutls-3.6.14/lib'
make[2]: *** [Makefile:1980: all] Error 2
make[2]: Leaving directory '/root/build/gnutls-3.6.14/lib'
make[1]: *** [Makefile:1757: all-recursive] Error 1
make[1]: Leaving directory '/root/build/gnutls-3.6.14'
make: *** [Makefile:1682: all] Error 2
```

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/812#note_356651045

From gnutls-devel at lists.gnutls.org Sat Jun 6 22:36:51 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 06 Jun 2020 20:36:51 +0000
Subject: [gnutls-devel] GnuTLS | 3.6.14 fails to build on Windows because of missing bcrypt/ncrypt (#1020)

Christoph Reiter commented:

Thanks! I'll give that MR a try tomorrow.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1020#note_356657230

From gnutls-devel at lists.gnutls.org Sat Jun 6 23:58:18 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 06 Jun 2020 21:58:18 +0000
Subject: [gnutls-devel] GnuTLS | Fix two issues about certtool and passwords (!1268)

Dmitry Baryshkov commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/1268#note_356664249

Yes, looks like a good idea to test it. I'll add a script.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1268#note_356664249

From gnutls-devel at lists.gnutls.org Sun Jun 7 00:01:55 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 06 Jun 2020 22:01:55 +0000
Subject: [gnutls-devel] GnuTLS | Fix Vista CI and add a Vista DLL target (!1279)

Dmitry Baryshkov commented:

@robUx4 you can increase the number in the `cache->key` variable in the `.gitlab-ci.yml`. This will make it drop old cache.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1279#note_356664567

From gnutls-devel at lists.gnutls.org Sun Jun 7 00:03:07 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 06 Jun 2020 22:03:07 +0000
Subject: [gnutls-devel] GnuTLS | Merge the extra libraries to link dynamically in GNUTLS_LIBS_PRIVATE (!1280)

Merge Request !1280 was approved by Dmitry Baryshkov

Merge Request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1280
Project:Branches: robUx4/gnutls:merge-mandatory-libs to gnutls/gnutls:master
Author: Steve Lhomme
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1280

From gnutls-devel at lists.gnutls.org Sun Jun 7 00:03:15 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 06 Jun 2020 22:03:15 +0000
Subject: [gnutls-devel] GnuTLS | Merge the extra libraries to link dynamically in GNUTLS_LIBS_PRIVATE (!1280)

Merge Request !1280 was merged

Merge Request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1280
Project:Branches: robUx4/gnutls:merge-mandatory-libs to gnutls/gnutls:master
Author: Steve Lhomme
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1280

From gnutls-devel at lists.gnutls.org Sun Jun 7 00:03:15 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 06 Jun 2020 22:03:15 +0000
Subject: [gnutls-devel] GnuTLS | 3.6.14 fails to build on Windows because of missing bcrypt/ncrypt (#1020)

Issue was closed by Dmitry Baryshkov via merge request !1280 (https://gitlab.com/gnutls/gnutls/-/merge_requests/1280)

Issue #1020: https://gitlab.com/gnutls/gnutls/-/issues/1020

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1020

From gnutls-devel at lists.gnutls.org Sun Jun 7 00:06:27 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 06 Jun 2020 22:06:27 +0000
Subject: [gnutls-devel] GnuTLS | Merge the extra libraries to link dynamically in GNUTLS_LIBS_PRIVATE (!1281)

Dmitry Baryshkov created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1281

Project:Branches: GostCrypt/gnutls:tmp-fix-36-mandatory-lib to gnutls/gnutls:gnutls_3_6_x
Author: Dmitry Baryshkov

Add a description of the new feature/bug fix. Reference any relevant bugs.

## Checklist

* [x] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [ ] Code modified for feature
* [ ] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
* [x] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:

* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1281

From gnutls-devel at lists.gnutls.org Sun Jun 7 00:15:18 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 06 Jun 2020 22:15:18 +0000
Subject: [gnutls-devel] GnuTLS | Fix Vista CI and add a Vista DLL target (!1279)

Dmitry Baryshkov commented:

Also could you please open another instance of the same MR against the `gnutls_3_6_x` branch?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1279#note_356666759

From gnutls-devel at lists.gnutls.org Sun Jun 7 01:56:39 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 06 Jun 2020 23:56:39 +0000
Subject: [gnutls-devel] GnuTLS | MAGMA/KUZNYECHIK CTR-ACPKM and CMAC support (!1161)

Merge Request !1161 was merged

Merge Request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1161
Project:Branches: GostCrypt/gnutls:gost-split-6 to gnutls/gnutls:master
Author: Dmitry Baryshkov
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1161

From gnutls-devel at lists.gnutls.org Sun Jun 7 08:06:16 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 07 Jun 2020 06:06:16 +0000
Subject: [gnutls-devel] GnuTLS | Fix Vista CI and add a Vista DLL target (3_6_x branch) (!1282)

Steve Lhomme created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1282

Project:Branches: robUx4/gnutls:fix-vista-ci-3_6_x to gnutls/gnutls:master
Author: Steve Lhomme

This is similar to !1279 but on top of the current `gnutls_3_6_x` branch instead of master. The code is exactly the same.

There was a typo in the original Vista addition so it did the same build as the non-Vista target.

Also adding a Vista DLL (64 bits) target that may trigger the #1020 issue.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1282

From gnutls-devel at lists.gnutls.org Sun Jun 7 09:43:54 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 07 Jun 2020 07:43:54 +0000
Subject: [gnutls-devel] GnuTLS | Fix Vista CI and add a Vista DLL target (3_6_x branch) (!1282)

Steve Lhomme commented:

The fact it fails is a good thing. It triggers the #1020 issue. This is fixed in !1281, as visible in !1279 which contains the fix and the same CI code changes as this MR.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1282#note_356731863

From gnutls-devel at lists.gnutls.org Sun Jun 7 09:49:46 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 07 Jun 2020 07:49:46 +0000
Subject: [gnutls-devel] GnuTLS | 3.6.14 fails to build on Windows because of missing bcrypt/ncrypt (#1020)

Christoph Reiter commented:

Works nicely, thanks!

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1020#note_356732320

From gnutls-devel at lists.gnutls.org Sun Jun 7 14:45:52 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 07 Jun 2020 12:45:52 +0000
Subject: [gnutls-devel] GnuTLS | Merge the extra libraries to link dynamically in GNUTLS_LIBS_PRIVATE (!1281)

Merge Request !1281 was approved by Daiki Ueno

Merge Request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1281
Project:Branches: GostCrypt/gnutls:tmp-fix-36-mandatory-lib to gnutls/gnutls:gnutls_3_6_x
Author: Dmitry Baryshkov
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1281

From gnutls-devel at lists.gnutls.org Sun Jun 7 15:03:38 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 07 Jun 2020 13:03:38 +0000
Subject: [gnutls-devel] GnuTLS | cve-2019-3829 testcase does not trigger error (#1021)

Andreas Metzler created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1021

Hello,

the testcase for cve-2019-3829 in tests/cert-tests/invalid-sig does not trigger an error anymore since the certificate expired:

~~~
(stretch)ametzler at argenau:/tmp$ certtool --verify-chain --infile /tmp/cve-2019-3829.pem > /dev/null ; echo $?
1
(stretch)ametzler at argenau:/tmp$ datefudge -s 2020-01-01 certtool --verify-chain --infile /tmp/cve-2019-3829.pem > /dev/null 2>&1 ; echo $?
*** Error in `certtool': double free or corruption (out): 0x0000557141ae3c00 ***
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x70bfb)[0x7f5b86fd8bfb]
[...]
7fff4e9c9000-7fff4e9cb000 r-xp 00000000 00:00 0                          [vdso]
Aborted
134
~~~

cu Andreas

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1021

From gnutls-devel at lists.gnutls.org Sun Jun 7 16:18:36 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 07 Jun 2020 14:18:36 +0000
Subject: [gnutls-devel] GnuTLS | Merge the extra libraries to link dynamically in GNUTLS_LIBS_PRIVATE (!1281)

Merge Request !1281 was merged

Merge Request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1281
Project:Branches: GostCrypt/gnutls:tmp-fix-36-mandatory-lib to gnutls/gnutls:gnutls_3_6_x
Author: Dmitry Baryshkov
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1281

From gnutls-devel at lists.gnutls.org Sun Jun 7 16:34:22 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 07 Jun 2020 14:34:22 +0000
Subject: [gnutls-devel] GnuTLS | crypto-api: always allocate memory when serializing iovec_t (!1278)

Merge Request !1278 was approved by Dmitry Baryshkov

Merge Request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1278
Branches: tmp-iov-memleak to master
Author: Daiki Ueno
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1278

From gnutls-devel at lists.gnutls.org Sun Jun 7 16:34:45 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 07 Jun 2020 14:34:45 +0000
Subject: [gnutls-devel] GnuTLS | crypto-api: always allocate memory when serializing iovec_t (!1278)

Merge Request !1278 was merged

Merge Request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1278
Branches: tmp-iov-memleak to master
Author: Daiki Ueno
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1278

From gnutls-devel at lists.gnutls.org Sun Jun 7 16:34:45 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 07 Jun 2020 14:34:45 +0000
Subject: [gnutls-devel] GnuTLS | Memory leak when using aead AES-CCM (#1017)

Issue was closed by Dmitry Baryshkov via merge request !1278 (https://gitlab.com/gnutls/gnutls/-/merge_requests/1278)

Issue #1017: https://gitlab.com/gnutls/gnutls/-/issues/1017

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1017

From gnutls-devel at lists.gnutls.org Sun Jun 7 16:36:34 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 07 Jun 2020 14:36:34 +0000
Subject: [gnutls-devel] GnuTLS | Fix memleak in 'iov_store_grow' (!1277)

Dmitry Baryshkov commented:

@ahaase thank you for your proposal, but !1278 seems not only to fix the issue, but also simplifies the code, thus removing the possibility of such issues in future (in this area).

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1277#note_356781640

From gnutls-devel at lists.gnutls.org Sun Jun 7 16:36:35 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 07 Jun 2020 14:36:35 +0000
Subject: [gnutls-devel] GnuTLS | Fix memleak in 'iov_store_grow' (!1277)

Merge Request !1277 was closed by Dmitry Baryshkov

Merge Request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1277
Project:Branches: ahaase/gnutls:fix/memleak to gnutls/gnutls:master
Author: Alexander Haase
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1277

From gnutls-devel at lists.gnutls.org Sun Jun 7 16:38:23 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 07 Jun 2020 14:38:23 +0000
Subject: [gnutls-devel] GnuTLS | Fix memleak in 'iov_store_grow' (!1277)

Alexander Haase commented:

Yep, I'm fine with this solution. Thanks for immediately reworking the related code! ;)

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1277#note_356781900

From gnutls-devel at lists.gnutls.org Sun Jun 7 18:02:29 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 07 Jun 2020 16:02:29 +0000
Subject: [gnutls-devel] GnuTLS | cve-2019-3829 testcase does not trigger error (#1021)

Andreas Metzler commented:

I am not sure on what is the preferred way to fix this. invalid-sigs bundles multiple tests, none of which yet use datefudge. So I cannot simply do

~~~diff
--- a/tests/cert-tests/invalid-sig
+++ b/tests/cert-tests/invalid-sig -${VALGRIND} "${CERTTOOL}" --verify-chain --infile "${srcdir}/data/cve-2019-3829.pem" +check_for_datefudge +datefudge -s 2020-01-01 \ + ${VALGRIND} "${CERTTOOL}" --verify-chain --infile "${srcdir}/data/cve-2019-3829.pem"
~~~

because then the test could show up as skipped, although most of the tests actually ran. Should I move it to a separate unit?

I also think that the script is buggy, it does not FAIL for many errors:

~~~shell
#check whether a different PKCS #1 signature than the advertized in certificate is tolerated
${VALGRIND} "${CERTTOOL}" -e --infile "${srcdir}/data/invalid-sig.pem"
rc=$?

# We're done.
if test "${rc}" = "0"; then
	echo "Verification of invalid signature (1) failed"
	exit ${rc}
fi
~~~

If certtool succeeds (although it should not) the test exits with exitcode 0, i.e. PASS.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1021#note_356792928

From gnutls-devel at lists.gnutls.org Sun Jun 7 18:22:42 2020
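Review bot: calling `check_for_datefudge` in the middle of invalid-sig, as the quoted fragment does, makes the whole script report SKIP when datefudge is missing even though the checks before it already ran, which is exactly the concern raised in the surrounding text; either call it at the very top before any check runs, or move the cve-2019-3829 case into its own script so the skip status is honest. The fudged date `2020-01-01` also needs a comment stating that it lies inside the test certificate's validity period, otherwise the next reader cannot tell why that date was chosen, and the fragment has no `@@` hunk header, so a complete diff should accompany the proposal.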
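An added example, not part of the GnuTLS test suite, of the shape a negative test like invalid-sig should have: a command that is expected to fail makes the test fail when it unexpectedly succeeds (the inverted exit-code handling quoted above is what it corrects), a datefudge-based variant returns the automake skip status 77 only for its own case, and a small wrapper records every outcome so that one skipped case does not mark the whole script as skipped. The function names (expect_failure, expect_failure_at, check, overall_status) and the constructed sample commands are assumptions of mine.

```shell
#!/bin/sh
# Added example (not the GnuTLS test suite's script): negative checks that
# really FAIL when the command under test succeeds, with SKIP kept separate.

failures=0
skips=0

# expect_failure DESCRIPTION CMD [ARGS...]
# Runs CMD and returns 0 only if CMD exited non-zero. If CMD succeeds,
# prints a FAIL line and returns 1. This is the corrected form of the
# "if rc = 0 then exit $rc" pattern, which exited 0 and so reported PASS.
expect_failure() {
    desc=$1; shift
    rc=0
    "$@" >/dev/null 2>&1 || rc=$?
    if [ "$rc" = 0 ]; then
        echo "FAIL: $desc: command succeeded but was expected to fail" >&2
        return 1
    fi
    echo "ok: $desc (exit $rc)"
    return 0
}

# expect_failure_at DATE DESCRIPTION CMD [ARGS...]
# Same check, but CMD runs under a faked clock via datefudge so a test
# certificate keeps behaving the same after its notAfter has passed.
# Returns 77 (the automake skip status) only when datefudge is missing.
expect_failure_at() {
    fakedate=$1; shift
    if ! command -v datefudge >/dev/null 2>&1; then
        echo "SKIP: datefudge not available" >&2
        return 77
    fi
    desc=$1; shift
    expect_failure "$desc" datefudge -s "$fakedate" "$@"
}

# check FUNC ARGS...
# Records the outcome of one check without stopping the script, so every
# case runs and a single skip does not hide the results of the others.
check() {
    if "$@"; then :; else
        s=$?
        if [ "$s" = 77 ]; then
            skips=$((skips + 1))
        else
            failures=$((failures + 1))
        fi
    fi
}

# overall_status: non-zero if any check failed; skips alone do not fail
# the script, they are only reported.
overall_status() {
    if [ "$failures" -gt 0 ]; then
        echo "$failures check(s) FAILED" >&2
        return 1
    fi
    if [ "$skips" -gt 0 ]; then
        echo "$skips check(s) skipped, the rest passed" >&2
    fi
    return 0
}
```

In a real script each `check expect_failure "..." "${CERTTOOL}" ...` line replaces one of the inline rc tests, and the script ends with `overall_status; exit $?` so that a single unexpected certtool success is reported as a failure rather than a pass.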
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 07 Jun 2020 16:22:42 +0000
Subject: [gnutls-devel] GnuTLS | RELEASES.md: update for the 3.7.x releases (!1283)

Daiki Ueno created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1283

Branches: tmp-doc-fixes to master
Author: Daiki Ueno

Add a description of the new feature/bug fix. Reference any relevant bugs.

## Checklist

* [x] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [ ] Code modified for feature
* [ ] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
* [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:

* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1283

From gnutls-devel at lists.gnutls.org Sun Jun 7 18:24:37 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 07 Jun 2020 16:24:37 +0000
Subject: [gnutls-devel] GnuTLS | RELEASES.md: update for the 3.7.x releases (!1283)

Daiki Ueno commented:

Here is my proposal for the release policy after 3.6.14. @lumag @rockdaboot please take a look.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1283#note_356796316

From gnutls-devel at lists.gnutls.org Sun Jun 7 19:39:17 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 07 Jun 2020 17:39:17 +0000
Subject: [gnutls-devel] GnuTLS | Fix Vista CI and add a Vista DLL target (!1279)

Merge Request !1279 was approved by Dmitry Baryshkov

Merge Request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1279
Project:Branches: robUx4/gnutls:fix-vista-ci to gnutls/gnutls:master
Author: Steve Lhomme
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1279

From gnutls-devel at lists.gnutls.org Sun Jun 7 19:41:09 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sun, 07 Jun 2020 17:41:09 +0000 Subject: [gnutls-devel] GnuTLS | Fix Vista CI and add a Vista DLL target (3_6_x branch) (!1282) In-Reply-To: References: Message-ID: Merge Request !1282 was approved by Dmitry Baryshkov Merge Request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1282 Project:Branches: robUx4/gnutls:fix-vista-ci-3_6_x to gnutls/gnutls:master Author: Steve Lhomme Assignees: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1282 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun Jun 7 19:41:22 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sun, 07 Jun 2020 17:41:22 +0000 Subject: [gnutls-devel] GnuTLS | Fix Vista CI and add a Vista DLL target (!1279) In-Reply-To: References: Message-ID: Merge Request !1279 was merged Merge Request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1279 Project:Branches: robUx4/gnutls:fix-vista-ci to gnutls/gnutls:master Author: Steve Lhomme Assignees: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1279 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun Jun 7 21:49:50 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Sun, 07 Jun 2020 19:49:50 +0000 Subject: [gnutls-devel] GnuTLS | Fix memleak in 'iov_store_grow' (!1277) In-Reply-To: References: Message-ID: Marius Steffen commented: As the other solution is merged now, thanks for fixing. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1277#note_356821879 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Jun 8 07:07:24 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 08 Jun 2020 05:07:24 +0000 Subject: [gnutls-devel] GnuTLS | configure.ac: prefer the latest version of build infrastructure (!1284) References: Message-ID: Daiki Ueno created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1284 Branches: tmp-gettext to master Author: Daiki Ueno Add a description of the new feature/bug fix. Reference any relevant bugs. ## Checklist * [x] Commits have `Signed-off-by:` with name/author being identical to the commit author * [ ] Code modified for feature * [ ] Test suite updated with functionality tests * [ ] Test suite updated with negative tests * [ ] Documentation updated / NEWS entry present (for non-trivial changes) * [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout) ## Reviewer's checklist: * [ ] Any issues marked for closing are addressed * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md` * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1284 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Jun 8 07:11:00 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 08 Jun 2020 05:11:00 +0000 Subject: [gnutls-devel] GnuTLS | cve-2019-3829 testcase does not trigger error (#1021) In-Reply-To: References: Message-ID: Daiki Ueno commented on a discussion: https://gitlab.com/gnutls/gnutls/-/issues/1021#note_356932673 Thank you for the report. > because then the test could show up as skipped, although most of the tests actually ran. I wonder why it is treated as skipped; do you mean in case `datefudge` is not installed? I tried the attached change and it seems to work. [invalid-sig.diff](/uploads/25c9f28173481945b909d326e4268098/invalid-sig.diff) > I also think that the script is buggy, it does not FAIL for many errors: Indeed. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1021#note_356932673 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Jun 8 09:54:57 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 08 Jun 2020 07:54:57 +0000 Subject: [gnutls-devel] GnuTLS | issues #1018- Modified the license to GPLv2.1+ to keep with LICENSE file. (!1285) References: Message-ID: Lei Maohui created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1285 Project:Branches: leimaoh/gnutls:master to gnutls/gnutls:master Author: Lei Maohui The license of /x509/krb5.h and lib/x509/krb5.c are inconsistent with the LICENSE file. ## Checklist * [ ] Commits have `Signed-off-by:` with name/author being identical to the commit author * [ ] Code modified for feature * [ ] Test suite updated with functionality tests * [ ] Test suite updated with negative tests * [ ] Documentation updated / NEWS entry present (for non-trivial changes) * [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout) ## Reviewer's checklist: * [ ] Any issues marked for closing are addressed * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md` * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1285 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Jun 8 13:42:13 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 08 Jun 2020 11:42:13 +0000 Subject: [gnutls-devel] GnuTLS | issues #1018- Modified the license to GPLv2.1+ to keep with LICENSE file. (!1285) In-Reply-To: References: Message-ID: Daiki Ueno commented: Thanks! Could you increase the CI timeout with "Settings" -> "CI/CD" -> "General pipelines" -> "Timeout" and retrigger the pipeline? That would solve CI failures. Or, given that this is only about licensing clarification, you could add "[ci skip]" to the first line of the commit message to skip CI run, like: https://gitlab.com/gnutls/gnutls/-/merge_requests/1272/diffs?commit_id=73a735bd852df5b1f742f4cc815281a4f7f64328 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1285#note_357187731 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Jun 8 14:17:18 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 08 Jun 2020 12:17:18 +0000 Subject: [gnutls-devel] GnuTLS | 3.6.14 build regression due to -Wno-type-limits (#1022) References: Message-ID: Björn Jacke created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1022 2055909fe4fdc386f69e8171e49be72ccfc934ba adds a -Wno-type-limits CFLAG, which is not supported by all compilers. xlc for example will abort the build accordingly. Such flags should have a configure check and only be used if supported. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1022 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Jun 8 15:11:17 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 08 Jun 2020 13:11:17 +0000 Subject: [gnutls-devel] GnuTLS | issues #1018- Modified the license to GPLv2.1+ to keep with LICENSE file. (!1285) In-Reply-To: References: Message-ID: Lei Maohui commented: I'm sorry, I have increased the timeout to 50h, is it enough? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1285#note_357257050 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Jun 8 18:28:07 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 08 Jun 2020 16:28:07 +0000 Subject: [gnutls-devel] GnuTLS | cve-2019-3829 testcase does not trigger error (#1021) In-Reply-To: References: Message-ID: Andreas Metzler commented on a discussion: https://gitlab.com/gnutls/gnutls/-/issues/1021#note_357440801 Daiki Ueno @dueno wrote: >> because then the test could show up as skipped, although most of the tests actually ran. > > I wonder why it is treated as skipped; do you mean in case datefudge is not installed? Yes, exactly. This test script contains half a dozen tests, all but one run (or are supposed to work correctly) without datefudge. I was wondering what to do when datefudge was unavailable. Skipping all tests looked wrong to me, but running all but the last one makes the EXITSTATUS 77 look wrong, too. Your patch looks good. Thanks -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1021#note_357440801 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Jun 9 01:34:28 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Mon, 08 Jun 2020 23:34:28 +0000 Subject: [gnutls-devel] GnuTLS | refine tests for ancient servers which support both SSL 3.0 and TLS 1.0, but both only with %NO_EXTENSIONS (!1251) In-Reply-To: References: Message-ID: All discussions on Merge Request !1251 were resolved by Daniel Lenski https://gitlab.com/gnutls/gnutls/-/merge_requests/1251 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1251 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Jun 9 14:49:10 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 09 Jun 2020 12:49:10 +0000 Subject: [gnutls-devel] GnuTLS | Signing with imported DSS key fails intermittently (#1023) References: Message-ID: Hans Leidekker created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1023 gnutls_privkey_sign_hash fails roughly 50% of the time here with a key generated by Microsoft's DSS cryptographic provider. I'm attaching a patch to tests/sign-verify.c that reproduces the problem. [gnutls_dss_sign.diff](/uploads/9546ee9e86098d9fa7bced37ed0057ce/gnutls_dss_sign.diff) -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1023 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Jun 9 15:02:13 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 09 Jun 2020 13:02:13 +0000 Subject: [gnutls-devel] GnuTLS | configure: improve nettle, gmp, and hogweed soname detection (!1286) References: Message-ID: Vitezslav Cizek created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1286 Project:Branches: civz/gnutls:nettle_so to gnutls/gnutls:master Author: Vitezslav Cizek Some linkers might optimize away the libraries passed on the command line if they aren't actually needed, such as gnu ld with --as-needed. The ldd output then won't list the shared libraries and the detection will fail. Make sure nettle and others are really used. ## Checklist * [x] Commits have `Signed-off-by:` with name/author being identical to the commit author ## Reviewer's checklist: * [ ] Any issues marked for closing are addressed * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md` * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1286 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Jun 9 16:27:46 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 09 Jun 2020 14:27:46 +0000 Subject: [gnutls-devel] GnuTLS | configure: improve nettle, gmp, and hogweed soname detection (!1286) In-Reply-To: References: Message-ID: Anderson Sasaki commented: Thank you! I was investigating this issue today and I think this is the best approach for fixing it. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1286#note_358097675 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Jun 9 16:28:07 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 09 Jun 2020 14:28:07 +0000 Subject: [gnutls-devel] GnuTLS | configure: improve nettle, gmp, and hogweed soname detection (!1286) In-Reply-To: References: Message-ID: Merge Request !1286 was approved by Anderson Sasaki Merge Request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1286 Project:Branches: civz/gnutls:nettle_so to gnutls/gnutls:master Author: Vitezslav Cizek Assignees: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1286 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Jun 9 18:04:59 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 09 Jun 2020 16:04:59 +0000 Subject: [gnutls-devel] GnuTLS | configure: improve nettle, gmp, and hogweed soname detection (!1286) In-Reply-To: References: Message-ID: Merge Request !1286 was merged Merge Request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1286 Project:Branches: civz/gnutls:nettle_so to gnutls/gnutls:master Author: Vitezslav Cizek Assignees: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1286 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Jun 9 19:45:05 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 09 Jun 2020 17:45:05 +0000 Subject: [gnutls-devel] GnuTLS | Getting actual certificate path to a trusted CA (#1012) In-Reply-To: References: Message-ID: Reassigned Issue 1012 https://gitlab.com/gnutls/gnutls/-/issues/1012 Assignee changed to Sahana Prasad -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1012 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Jun 9 19:45:27 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Tue, 09 Jun 2020 17:45:27 +0000 Subject: [gnutls-devel] GnuTLS | Too small MAX_SEED_SIZE for PRF functions (#1013) In-Reply-To: References: Message-ID: Reassigned Issue 1013 https://gitlab.com/gnutls/gnutls/-/issues/1013 Assignee changed to Sahana Prasad -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1013 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Jun 10 18:40:38 2020 From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Wed, 10 Jun 2020 16:40:38 +0000 Subject: [gnutls-devel] GnuTLS | gnutls_x509_crt_export2 can return values greater than 0 (#1025) References: Message-ID: David Michmerhuizen created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1025 ## Description of problem: The documentation for gnutls_x509_crt_export2 claims that "In case of failure a negative error code will be returned, and 0 on success." This is incorrect, as the value of _gnutls_fbase64_encode is sometimes directly returned, which is the length of the exported certificate. Specifically, 0 or greater is returned on success. ## Version of gnutls used: gnutls-3.6.7 ## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL) Fedora ## How reproducible: Code examination. And yeah, it happened to me in some code and drove me crazy for a day - thanks. Steps to Reproduce: * one * two * three ## Actual results: ## Expected results: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1025 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Jun 11 14:54:06 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 11 Jun 2020 12:54:06 +0000 Subject: [gnutls-devel] GnuTLS | GnuTLS allows unrelated certificates in the certificate chain during client certificate authentication (#1029) References: Message-ID: Immortalem created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1029 ## Description of problem: GnuTLS allows the client to present, in addition to a valid certificate chain, unrelated additional certificates in its certificate message during client authentication. While this is somewhat allowed in TLS 1.3 it's prohibited in prior versions. ## Version of gnutls used: 3.6.13, 3.6.14 ## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL) Compiled from source after cloning the respective branch from GitHub ## How reproducible: Steps to Reproduce: * Start `gnutls-serv` with - [ROOTv3_CAv3_LEAF_RSAv3__leaf_certificate1.pem](/uploads/b5997cc58cda614eaf0b63ee2e452756/ROOTv3_CAv3_LEAF_RSAv3__leaf_certificate1.pem) for `--x509certfile` - [rsakey_2.pem](/uploads/58a0617004be9d88309f2c490880c65e/rsakey_2.pem) for `--x509keyfile` - [root.pem](/uploads/93dc75c17eb4ef983c1f32b32b0ae699/root.pem) for `--x509cafile` - require client certificate `-r` - verify client certificate `--verify-client-cert` I am unaware of any currently public tool that allows one to add unrelated certificates in the certificate message during the TLS handshake. Hence I provide two wireshark traces which show a successful handshake, first with an additional certificate after the last intermediate CA certificate and second with an additional certificate between leaf and intermediate CA certificate. Additionally, I provide the certificates used in their order of occurrence. 
* First trace [AdditionalCertAfterChain.pcapng](/uploads/a0cfc1c6292ee7059d9f8c725f8377ac/AdditionalCertAfterChain.pcapng) - [ROOTv3_CAv3_LEAF_RSAv3_AdditionalCertAfterChain__leaf_certificate1.pem](/uploads/2993b988edaaeb5489a96b093849fea0/ROOTv3_CAv3_LEAF_RSAv3_AdditionalCertAfterChain__leaf_certificate1.pem) - [ROOTv3_CAv3_LEAF_RSAv3_AdditionalCertAfterChain__ca_certificate1.pem](/uploads/71c0a75d5058a32de59f886915e1960d/ROOTv3_CAv3_LEAF_RSAv3_AdditionalCertAfterChain__ca_certificate1.pem) - [ROOTv3_CAv3_LEAF_RSAv3_AdditionalCertAfterChain__attacker_certificate.pem](/uploads/d2ff7599473ffe16b953202ce035a313/ROOTv3_CAv3_LEAF_RSAv3_AdditionalCertAfterChain__attacker_certificate.pem) * Second trace [AdditionalCertAfterLeaf.pcapng](/uploads/31070d7963feb5156d91052444f46fc4/AdditionalCertAfterLeaf.pcapng) - [ROOTv3_CAv3_LEAF_RSAv3_AdditionalCertAfterLeaf__leaf_certificate1.pem](/uploads/5b158c661d1564c4ead5ef45c396fd6c/ROOTv3_CAv3_LEAF_RSAv3_AdditionalCertAfterLeaf__leaf_certificate1.pem) - [ROOTv3_CAv3_LEAF_RSAv3_AdditionalCertAfterLeaf__attacker_certificate.pem](/uploads/39e081e44b919380efd5462e27b665b7/ROOTv3_CAv3_LEAF_RSAv3_AdditionalCertAfterLeaf__attacker_certificate.pem) - [ROOTv3_CAv3_LEAF_RSAv3_AdditionalCertAfterLeaf__ca_certificate1.pem](/uploads/e2213f1de15b97dccef5864048bb11fa/ROOTv3_CAv3_LEAF_RSAv3_AdditionalCertAfterLeaf__ca_certificate1.pem) Key for the leaf certificate: - [rsakey_2.pem](/uploads/58a0617004be9d88309f2c490880c65e/rsakey_2.pem) ## Actual results: GnuTLS accepts the certificate chain, apparently ignoring the additional, unrelated certificate. ## Expected results: GnuTLS should reject the certificate chain in TLS 1.2 and prior. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1029 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Jun 11 15:04:31 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 11 Jun 2020 13:04:31 +0000 Subject: [gnutls-devel] GnuTLS | GnuTLS allows version one and two certificates in TLS 1.2 during client authentication (#1030) References: Message-ID: Immortalem created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1030 ## Description of problem: The specification for TLS 1.2 ([RFC 5246](https://tools.ietf.org/html/rfc5246#section-7.4.6)) requires the usage of X.509v3 certificates for entity authentication. GnuTLS allows the usage of version one and two certificates. ## Version of gnutls used: 3.6.13, 3.6.14 ## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL) Compiled from source after cloning the respective branch from GitHub ## How reproducible: Steps to Reproduce: * Start `gnutls-serv` with - [ROOTv3_CAv3_LEAF_RSAv3__leaf_certificate1.pem](/uploads/8e79d085d9f7ada8e9f088c0b21f268d/ROOTv3_CAv3_LEAF_RSAv3__leaf_certificate1.pem) for `--x509certfile` - [rsakey_2.pem](/uploads/27f047de54220503eca641dde9f9bb2e/rsakey_2.pem) for `--x509keyfile` - [root.pem](/uploads/b080bace5ded73971868664aa18d6dc0/root.pem) for `--x509cafile` - require client certificate `-r` - verify client certificate `--verify-client-cert` * Use OpenSSL `s_client` or similar tool to connect to the server using the following two certificates. This example uses OpenSSL. 
- `openssl s_client -connect localhost:4433 -cert ROOTv3_CAv3_LEAF_RSAv2__leaf_certificate1.pem -key rsakey_2.pem -CAfile ROOTv3_CAv3_LEAF_RSAv2__ca_certificate1.pem` - [ROOTv3_CAv3_LEAF_RSAv2__leaf_certificate1.pem](/uploads/ba0ef0d0e622226b559446b45fe16c4e/ROOTv3_CAv3_LEAF_RSAv2__leaf_certificate1.pem) - [ROOTv3_CAv3_LEAF_RSAv2__ca_certificate1.pem](/uploads/644009f2a69240eba7908169940591ab/ROOTv3_CAv3_LEAF_RSAv2__ca_certificate1.pem) - [rsakey_2.pem](/uploads/27f047de54220503eca641dde9f9bb2e/rsakey_2.pem) For version one the certificates are: - [ROOTv3_CAv3_LEAF_RSAv1__leaf_certificate1.pem](/uploads/322173f1e006247727e5961fec128c5a/ROOTv3_CAv3_LEAF_RSAv1__leaf_certificate1.pem) - [ROOTv3_CAv3_LEAF_RSAv1__ca_certificate1.pem](/uploads/290501bc7cf402d9101ed35d7af45378/ROOTv3_CAv3_LEAF_RSAv1__ca_certificate1.pem) - [rsakey_2.pem](/uploads/27f047de54220503eca641dde9f9bb2e/rsakey_2.pem) ## Actual results: GnuTLS accepts the certificates as valid and proceeds with the handshake. ## Expected results: GnuTLS should reject the certificates and abort the handshake. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1030 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Jun 11 15:16:59 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 11 Jun 2020 13:16:59 +0000 Subject: [gnutls-devel] GnuTLS | GnuTLS does not require the Key Usage extension in CA certificates during client certificate authentication. (#1031) References: Message-ID: Immortalem created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1031 ## Description of problem: During client certificate authentication (Tested in TLS 1.0 to 1.2) GnuTLS accepts certificate chains in which the intermediate CA certificate has no key usage extension. However, the specification for X.509 certificates, [RFC 5280](https://tools.ietf.org/html/rfc5280#section-4.2.1.3), states regarding the Key Usage extension that "Conforming CAs MUST include this extension in certificates that contain public keys that are used to validate digital signatures on other public key certificates or CRLs. When present, conforming CAs SHOULD mark this extension as critical." I think that this constraint should be enforced by libraries through checking that the extension is present and contains the correct values. ## Version of gnutls used: 3.6.13, 3.6.14 ## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL) Compiled from source after cloning the respective branch from GitHub ## How reproducible: Steps to Reproduce: * Start `gnutls-serv` with - [ROOTv3_CAv3_LEAF_RSAv3__leaf_certificate1.pem](/uploads/220bbfd19bdf074125362a1b8227885b/ROOTv3_CAv3_LEAF_RSAv3__leaf_certificate1.pem) for `--x509certfile` - [rsakey_2.pem](/uploads/8d6df42f84649152d9ecd12ba17b944b/rsakey_2.pem) for `--x509keyfile` - [root.pem](/uploads/5539c2945e90e9be1bc0bdb53253fd31/root.pem) for `--x509cafile` - require client certificate `-r` - verify client certificate `--verify-client-cert` * Use OpenSSL `s_client` or similar tool to connect to the server using the following two certificates. This example uses OpenSSL. 
- `openssl s_client -connect localhost:4433 -cert ROOTv3_CAv3_NoKeyUsage_LEAF_RSAv3__leaf_certificate1.pem -key rsakey_2.pem -CAfile ROOTv3_CAv3_NoKeyUsage_LEAF_RSAv3__ca_certificate1.pem` - [ROOTv3_CAv3_NoKeyUsage_LEAF_RSAv3__leaf_certificate1.pem](/uploads/72b83e9d76b2e152571c1b3da1a69de0/ROOTv3_CAv3_NoKeyUsage_LEAF_RSAv3__leaf_certificate1.pem) - [ROOTv3_CAv3_NoKeyUsage_LEAF_RSAv3__ca_certificate1.pem](/uploads/a4e19e4cc801e03e4a6c8785d13c1a6f/ROOTv3_CAv3_NoKeyUsage_LEAF_RSAv3__ca_certificate1.pem) - [rsakey_2.pem](/uploads/8d6df42f84649152d9ecd12ba17b944b/rsakey_2.pem) ## Actual results: GnuTLS accepts the certificate chain and proceeds with the handshake. ## Expected results: GnuTLS should reject the certificate chain since the CA certificate is invalid. Consequently, the handshake should be aborted. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1031 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Jun 11 21:11:28 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 11 Jun 2020 19:11:28 +0000 Subject: [gnutls-devel] GnuTLS | gcc 4.8: does not contain __get_cpuid_count() (#812) In-Reply-To: References: Message-ID: Vinay Banakar commented: Hi @serge.sterck, the above hack kind of helped me get over that issue as well. But unfortunately, my build is still failing because of something else.

```
nettle-3.5.1
./configure --prefix=/etc/gnutls-nettle/ --disable-static --disable-non-suiteb-curves --enable-shared
make
make install
```

```
gnutls-3.6.11.1
./configure --prefix=/etc/gnutls-fips --enable-fips140-mode --with-libnettle-prefix=/etc/gnutls-nettle
// With or without --without-p11-kit I get the same issue seen below.
export PKG_CONFIG_PATH=/etc/gnutls-nettle/lib64/pkgconfig/
export LIBRARY_PATH=/etc/gnutls-nettle/lib64/
make
```

Make error:

```
../lib/.libs/libgnutls.so: undefined reference to `mpn_zero_p'
collect2: error: ld returned 1 exit status
make[4]: *** [psktool] Error 1
make[4]: Leaving directory `/root/gnutls-src/gnutls-3.6.11.1/src'
make[3]: *** [all-recursive] Error 1
make[3]: Leaving directory `/root/gnutls-src/gnutls-3.6.11.1/src'
make[2]: *** [all] Error 2
make[2]: Leaving directory `/root/gnutls-src/gnutls-3.6.11.1/src'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/root/gnutls-src/gnutls-3.6.11.1'
make: *** [all] Error 2
```

Undefined reference:

```
# objdump -T ./lib/.libs/libgnutls.so | grep "mpn_zero_p"
0000000000000000      D  *UND*  0000000000000000              mpn_zero_p
```

-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/812#note_359806677 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Jun 11 21:56:13 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 11 Jun 2020 19:56:13 +0000 Subject: [gnutls-devel] GnuTLS | gcc 4.8: does not contain __get_cpuid_count() (#812) In-Reply-To: References: Message-ID: serge sterck commented: Install devtoolset-9 and compile with gcc 9.x; you will be rid of this error. I have backported the last FileZilla to CentOS 7. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/812#note_359823431 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Jun 12 01:12:12 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Thu, 11 Jun 2020 23:12:12 +0000 Subject: [gnutls-devel] GnuTLS | gcc 4.8: does not contain __get_cpuid_count() (#812) In-Reply-To: References: Message-ID: Vinay Banakar commented on a discussion: https://gitlab.com/gnutls/gnutls/-/issues/812#note_359885488 Thanks, but the issue seems to persist even with devtoolset-9.

**/opt/rh/devtoolset-9/root/usr/libexec/gcc/x86_64-redhat-linux/9/ld: ../lib/.libs/libgnutls.so: undefined reference to `mpn_zero_p'**

```
collect2: error: ld returned 1 exit status
make[4]: *** [Makefile:2086: psktool] Error 1
make[4]: Leaving directory '/root/gnutls-src/gnutls-3.6.11.1/src'
make[3]: *** [Makefile:2257: all-recursive] Error 1
make[3]: Leaving directory '/root/gnutls-src/gnutls-3.6.11.1/src'
make[2]: *** [Makefile:1918: all] Error 2
make[2]: Leaving directory '/root/gnutls-src/gnutls-3.6.11.1/src'
make[1]: *** [Makefile:1591: all-recursive] Error 1
make[1]: Leaving directory '/root/gnutls-src/gnutls-3.6.11.1'
make: *** [Makefile:1518: all] Error 2
[root at localhost gnutls-3.6.11.1]# gcc --version
gcc (GCC) 9.1.1 20190605 (Red Hat 9.1.1-2)
Copyright (C) 2019 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
```

-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/812#note_359885488 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Jun 12 12:43:23 2020 
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library) Date: Fri, 12 Jun 2020 10:43:23 +0000 Subject: [gnutls-devel] GnuTLS | GnuTLS does not verify the correctness of the parameters in a certificate's signatureAlgorithm field (#1032) References: Message-ID: Immortalem created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1032 ## Description of problem: During TLS client certificate authentication GnuTLS accepts a leaf certificate that contains non-NULL parameters in the signatureAlgorithm and signature fields even though the respective signature algorithm, in this case sha256withRSAEncryption, requires the parameters to be NULL. ## Version of gnutls used: 3.6.13, 3.6.14 ## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL) Compiled from source after cloning the respective branch from GitHub ## How reproducible: Steps to Reproduce: * Start `gnutls-serv` with - [ROOTv3_CAv3_LEAF_RSAv3__leaf_certificate1.pem](/uploads/1712ccd3fd67ee3efd0dc0b3764bf80f/ROOTv3_CAv3_LEAF_RSAv3__leaf_certificate1.pem) for `--x509certfile` - [rsakey_2.pem](/uploads/20e983c02290ac8b02c8e527cfdb3345/rsakey_2.pem) for `--x509keyfile` - [root.pem](/uploads/efcc33c618ecfca6784ee40998ede142/root.pem) for `--x509cafile` - require client certificate `-r` - verify client certificate `--verify-client-cert` * Use OpenSSL `s_client` or similar tool to connect to the server using the following two certificates. This example uses OpenSSL. 
  - `openssl s_client -connect localhost:4444 -cert ROOTv3_CAv3_LEAF_RSAv3_MalformedAlgorithmParameters__leaf_certificate1.pem -key rsakey_2.pem -CAfile ROOTv3_CAv3_LEAF_RSAv3_MalformedAlgorithmParameters__ca_certificate1.pem`
  - [ROOTv3_CAv3_LEAF_RSAv3_MalformedAlgorithmParameters__leaf_certificate1.pem](/uploads/8e7782b17a8c4f9bd42c3065d15e4572/ROOTv3_CAv3_LEAF_RSAv3_MalformedAlgorithmParameters__leaf_certificate1.pem)
  - [ROOTv3_CAv3_LEAF_RSAv3_MalformedAlgorithmParameters__ca_certificate1.pem](/uploads/114c4b752b1ed62fb67b06588150ef95/ROOTv3_CAv3_LEAF_RSAv3_MalformedAlgorithmParameters__ca_certificate1.pem)
  - [rsakey_2.pem](/uploads/20e983c02290ac8b02c8e527cfdb3345/rsakey_2.pem)

## Actual results:

GnuTLS considers the certificate valid even though it violates the specified values and proceeds with the handshake.

## Expected results:

GnuTLS should reject the certificate since it violates the [specification](https://tools.ietf.org/html/rfc3279#section-2.2.1).

From gnutls-devel at lists.gnutls.org Fri Jun 12 15:53:52 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 12 Jun 2020 13:53:52 +0000
Subject: [gnutls-devel] GnuTLS | GnuTLS allows unrelated certificates in the certificate chain during client certificate authentication (#1029)

Issue was closed by Immortalem

Issue #1029: https://gitlab.com/gnutls/gnutls/-/issues/1029

From gnutls-devel at lists.gnutls.org Fri Jun 12 16:53:24 2020
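The check that issue #1032 above reports as missing, written out as an added example; this is illustration code, not GnuTLS's verifier. It parses a DER AlgorithmIdentifier by hand and enforces the rule from RFC 3279 s.2.2.1 (and RFC 4055 for the SHA-2 variants) that the parameters of the PKCS#1 v1.5 RSA signature OIDs are NULL, tolerating an absent field as RFC 4055 allows, and it also applies the RFC 5280 s.4.1.1.2 requirement that the outer signatureAlgorithm equals tbsCertificate.signature. The OID constants, enum names and sample encodings are constructed for the example; the malformed sample carries an INTEGER where NULL is required, which is the shape of defect the issue describes.

```c
/* Added example (not GnuTLS code): strict DER check of a certificate's
 * AlgorithmIdentifier parameters, the check issue #1032 reports missing.
 * Names, sizes and sample encodings below are constructed for illustration. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum sigalg_verdict {
    SIGALG_BAD = -1,        /* malformed DER or forbidden parameters */
    SIGALG_PARAMS_NULL = 0, /* parameters present and NULL: the required form */
    SIGALG_PARAMS_ABSENT,   /* parameters omitted: tolerated per RFC 4055 */
    SIGALG_UNCHECKED        /* algorithm not covered by this check */
};

/* DER content octets of the PKCS#1 v1.5 signature OIDs this check covers. */
static const uint8_t OID_SHA1_WITH_RSA[]   = {0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x05};
static const uint8_t OID_SHA256_WITH_RSA[] = {0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x0b};

/* Parse one DER TLV starting at buf[pos]. Returns the offset just past the
 * element, or 0 on any encoding error (truncation, indefinite length,
 * non-minimal length). Tag and value come back through the out parameters. */
static size_t read_tlv(const uint8_t *buf, size_t len, size_t pos,
                       uint8_t *tag, const uint8_t **val, size_t *vlen)
{
    if (len < 2 || pos > len - 2)
        return 0;
    *tag = buf[pos];
    size_t l = buf[pos + 1];
    pos += 2;
    if (l & 0x80) {                     /* long form: next n bytes hold the length */
        size_t n = l & 0x7f;
        if (n == 0 || n > sizeof(size_t) || n > len - pos)
            return 0;
        l = 0;
        for (size_t i = 0; i < n; i++)
            l = (l << 8) | buf[pos + i];
        pos += n;
        if (l < 0x80 || (n > 1 && (l >> (8 * (n - 1))) == 0))
            return 0;                   /* DER demands the shortest length form */
    }
    if (l > len - pos)
        return 0;
    *val = buf + pos;
    *vlen = l;
    return pos + l;
}

static int oid_equals(const uint8_t *oid, size_t oidlen, const uint8_t *want, size_t wantlen)
{
    return oidlen == wantlen && memcmp(oid, want, wantlen) == 0;
}

/* Check one AlgorithmIdentifier ::= SEQUENCE { algorithm OID, parameters ANY OPTIONAL }. */
int check_sigalg_params(const uint8_t *der, size_t len)
{
    uint8_t tag;
    const uint8_t *seq, *oid, *par;
    size_t seqlen, oidlen, parlen, pos, end;

    if (read_tlv(der, len, 0, &tag, &seq, &seqlen) != len || tag != 0x30)
        return SIGALG_BAD;              /* not one complete SEQUENCE */
    pos = read_tlv(seq, seqlen, 0, &tag, &oid, &oidlen);
    if (pos == 0 || tag != 0x06)
        return SIGALG_BAD;              /* first element must be an OID */

    int covered = oid_equals(oid, oidlen, OID_SHA1_WITH_RSA, sizeof OID_SHA1_WITH_RSA)
               || oid_equals(oid, oidlen, OID_SHA256_WITH_RSA, sizeof OID_SHA256_WITH_RSA);

    if (pos == seqlen)
        return covered ? SIGALG_PARAMS_ABSENT : SIGALG_UNCHECKED;
    end = read_tlv(seq, seqlen, pos, &tag, &par, &parlen);
    if (end != seqlen)
        return SIGALG_BAD;              /* malformed, or trailing bytes after parameters */
    if (!covered)
        return SIGALG_UNCHECKED;
    return (tag == 0x05 && parlen == 0) ? SIGALG_PARAMS_NULL : SIGALG_BAD;
}

/* RFC 5280 s.4.1.1.2: the outer signatureAlgorithm must be identical to
 * tbsCertificate.signature, and the common value must pass the check above. */
int check_certificate_sigalgs(const uint8_t *tbs_sig, size_t tbs_len,
                              const uint8_t *outer_sig, size_t outer_len)
{
    if (tbs_len != outer_len || memcmp(tbs_sig, outer_sig, tbs_len) != 0)
        return SIGALG_BAD;
    int v = check_sigalg_params(outer_sig, outer_len);
    return v < 0 ? SIGALG_BAD : v;
}

/* Constructed sample encodings of sha256WithRSAEncryption (not the issue's files). */
const uint8_t SAMPLE_SHA256_RSA_NULL[]    = {0x30,0x0d,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x0b,0x05,0x00};
const uint8_t SAMPLE_SHA256_RSA_ABSENT[]  = {0x30,0x0b,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x0b};
const uint8_t SAMPLE_SHA256_RSA_INTEGER[] = {0x30,0x0e,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x0b,0x02,0x01,0x05};

int main(void)
{
    printf("NULL params:    %d\n", check_sigalg_params(SAMPLE_SHA256_RSA_NULL, sizeof SAMPLE_SHA256_RSA_NULL));
    printf("absent params:  %d\n", check_sigalg_params(SAMPLE_SHA256_RSA_ABSENT, sizeof SAMPLE_SHA256_RSA_ABSENT));
    printf("INTEGER params: %d\n", check_sigalg_params(SAMPLE_SHA256_RSA_INTEGER, sizeof SAMPLE_SHA256_RSA_INTEGER));
    return 0;
}
```

The verdict enum keeps "absent" distinct from "NULL" so a caller can decide its own policy; RFC 4055 asks verifiers to accept both, while an INTEGER, an OCTET STRING or trailing bytes in that position are always a reject. The length decoder refuses non-minimal encodings because a parser that tolerates them lets the same structure have several byte representations, which is what lets a signed field and its re-encoding disagree.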
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 12 Jun 2020 14:53:24 +0000
Subject: [gnutls-devel] GnuTLS | build: minor fixes (!1287)

Daiki Ueno created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1287

Branches: tmp-enum to master
Author: Daiki Ueno

Add a description of the new feature/bug fix. Reference any relevant bugs.

## Checklist

* [x] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [ ] Code modified for feature
* [ ] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
* [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:

* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

From gnutls-devel at lists.gnutls.org Fri Jun 12 16:56:21 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 12 Jun 2020 14:56:21 +0000
Subject: [gnutls-devel] GnuTLS | tests: improve datefudge usage (!1288)

Daiki Ueno created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1288

Branches: tmp-skip-datefudge to master
Author: Daiki Ueno

Fixes #1021.

## Checklist

* [x] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [ ] Code modified for feature
* [ ] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
* [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:

* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

From gnutls-devel at lists.gnutls.org Fri Jun 12 16:58:05 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 12 Jun 2020 14:58:05 +0000
Subject: [gnutls-devel] GnuTLS | issues #1018- Modied the license to GPLv2.1+ to keep with LICENSE file. (!1285)

Daiki Ueno commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/1285#note_360326523

Should be. Can you retrigger the pipeline from https://gitlab.com/leimaoh/gnutls/-/pipelines/153853794?

From gnutls-devel at lists.gnutls.org Sun Jun 14 12:15:04 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 14 Jun 2020 10:15:04 +0000
Subject: [gnutls-devel] GnuTLS | Gnutls 3.6.14 fails to compile on Mac OS Catalina (#1033)

Lancelot de Ferrière created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1033

## Description of problem:

When compiling the library (part of our dependencies on 0 A.D., build script is [here](https://code.wildfiregames.com/source/0ad/browse/ps/trunk/libraries/osx/build-osx-libs.sh)), I experience a build failure that I did not experience with 3.6.13. The failure happens at link time:

```
  CCLD     gnutls-cli-debug
Undefined symbols for architecture x86_64:
  "_c_isdigit", referenced from:
      __asn1_expand_object_id in libgnutls.a(parser_aux.o)
      __asn1_check_identifier in libgnutls.a(parser_aux.o)
ld: symbol(s) not found for architecture x86_64
clang: error: linker command failed with exit code 1 (use -v to see invocation)
make[3]: *** [psktool] Error 1
make[3]: *** Waiting for unfinished jobs....
Undefined symbols for architecture x86_64:
  "_c_isdigit", referenced from:
      __asn1_expand_object_id in libgnutls.a(parser_aux.o)
      __asn1_check_identifier in libgnutls.a(parser_aux.o)
ld: symbol(s) not found for architecture x86_64
clang: error: linker command failed with exit code 1 (use -v to see invocation)
make[3]: *** [gnutls-cli-debug] Error 1
make[2]: *** [install-recursive] Error 1
make[1]: *** [install] Error 2
make: *** [install-recursive] Error 1
ERROR: GnuTLS build failed
```

I can provide the rest of the build logs but they seem rather uninteresting.

## Version of gnutls used:

3.6.14. It works using 3.6.13.

## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)

Downloaded from source on the official repository.

## How reproducible:

Happens every time when compiling, both under Catalina and Mojave.
From gnutls-devel at lists.gnutls.org Sun Jun 14 15:20:20 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 14 Jun 2020 13:20:20 +0000
Subject: [gnutls-devel] GnuTLS | Tests fail if the Python interpreter binary isn't called "python" (#1034)

Airtower created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1034

Some tests (the tlsfuzzer tests, and `tests/suite/multi-ticket-reception.sh`) fail if the Python interpreter binary isn't called `python`. That is the case at least on Debian(-ish) systems with only Python 3 installed, where the interpreter is called `python3`.

Part of this must be fixed in tlsfuzzer (I've already [raised an issue there](https://github.com/tomato42/tlsfuzzer/issues/670)). For the GnuTLS side of things the proper fix would be to use `AM_PATH_PYTHON` in `configure.ac`, and use the `PYTHON` variable provided by it to call the interpreter.

I'll be happy to prepare a patch, just one question: Is there any reason not to strictly require Python 3? Tlsfuzzer and tlslite-ng both give their requirements as at least Python 3.3 or 2.6. `AM_PATH_PYTHON` does not support those as alternatives, so it's either 3.3 (or newer), or no version check.

From gnutls-devel at lists.gnutls.org Sun Jun 14 15:53:28 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 14 Jun 2020 13:53:28 +0000
Subject: [gnutls-devel] GnuTLS | Wipe session ticket keys before releasing the session structure (!1289)

Airtower created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1289

Project:Branches: airtower-luna/gnutls:tmp-clear-session-ticket-keys to gnutls/gnutls:master
Author: Airtower

When calling `gnutls_session_ticket_enable_server()` the key is copied into `session->key.initial_stek`, and then derived keys created from that as needed. The copy is good for applications that implement their own key rotation (because with just a pointer they'd have to keep the old key around). However the copied and derived keys are not safely wiped before the session structure is released, contrary to what the documentation for `gnutls_session_ticket_enable_server()` recommends. This merge request fixes that.

I see one alternative approach here, and that would be to simply wipe the _whole_ `session->key` structure after releasing all contained data. Let me know if that's preferred, but I think the specific `gnutls_memset()` calls (like the existing one for `session->key.proto`) are easier to understand.
## Checklist

* [x] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [x] Code modified for feature
* [ ] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
* [x] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:

* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

From gnutls-devel at lists.gnutls.org Sun Jun 14 19:34:21 2020
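The "wipe before release" pattern that merge request !1289 above applies to the copied and derived session ticket keys, as an added example; this is not the merge request's code. The struct, the key sizes, the stand-in derivation and every function name here are hypothetical: `initial_stek`/`derived` play the role of `session->key.initial_stek` and the keys derived from it, and `secure_wipe()` stands in for `gnutls_memset()`. The two points the example makes are that every buffer that ever held key material is zeroed, not just the application's copy, and that the zeroing call is made through a volatile function pointer so the compiler cannot discard it as a dead store ahead of `free()`.

```c
/* Added example (not GnuTLS code): wipe copied and derived key material
 * before releasing the structure that held it. All names are hypothetical
 * stand-ins; secure_wipe() plays the role of gnutls_memset(). */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define STEK_SIZE 64          /* hypothetical size of the ticket encryption key */
#define DERIVED_SLOTS 2       /* hypothetical number of derived keys kept */

struct ticket_keys {
    uint8_t initial_stek[STEK_SIZE];            /* copy of the application's key */
    uint8_t derived[DERIVED_SLOTS][STEK_SIZE];  /* keys derived from initial_stek */
    int have_initial;
};

/* A memset the optimizer cannot elide: the call goes through a volatile
 * function pointer, so it survives even when the buffer is freed right after. */
static void *(*const volatile memset_fn)(void *, int, size_t) = memset;

void secure_wipe(void *p, size_t n)
{
    memset_fn(p, 0, n);
}

/* Copy the application's key in and derive the working keys from the copy. */
struct ticket_keys *ticket_keys_new(const uint8_t *app_key, size_t app_key_len)
{
    if (app_key == NULL || app_key_len != STEK_SIZE)
        return NULL;
    struct ticket_keys *k = calloc(1, sizeof *k);
    if (k == NULL)
        return NULL;
    memcpy(k->initial_stek, app_key, STEK_SIZE);
    k->have_initial = 1;
    /* Stand-in derivation: real code would run a KDF over initial_stek. */
    for (int s = 0; s < DERIVED_SLOTS; s++)
        for (size_t i = 0; i < STEK_SIZE; i++)
            k->derived[s][i] = k->initial_stek[i] ^ (uint8_t)(s + 1);
    return k;
}

/* Zero every buffer that held key material. Kept separate from the free so a
 * caller (or a test) can verify the wipe on the live structure. */
void ticket_keys_wipe(struct ticket_keys *k)
{
    secure_wipe(k->initial_stek, sizeof k->initial_stek);
    secure_wipe(k->derived, sizeof k->derived);
    k->have_initial = 0;
}

/* Release order matters: wipe first, then free. */
void ticket_keys_release(struct ticket_keys *k)
{
    if (k == NULL)
        return;
    ticket_keys_wipe(k);
    free(k);
}

/* Returns 1 if no key byte remains in the structure, 0 otherwise. */
int ticket_keys_is_clean(const struct ticket_keys *k)
{
    for (size_t i = 0; i < sizeof k->initial_stek; i++)
        if (k->initial_stek[i] != 0)
            return 0;
    for (int s = 0; s < DERIVED_SLOTS; s++)
        for (size_t i = 0; i < STEK_SIZE; i++)
            if (k->derived[s][i] != 0)
                return 0;
    return k->have_initial == 0;
}

/* Round trip on a constructed key: returns 1 if the structure held key bytes
 * after creation and none after the wipe. */
int demo_wipe_roundtrip(void)
{
    uint8_t app_key[STEK_SIZE];           /* constructed bytes, not a real secret */
    for (size_t i = 0; i < STEK_SIZE; i++)
        app_key[i] = (uint8_t)(i * 7 + 3);
    struct ticket_keys *k = ticket_keys_new(app_key, sizeof app_key);
    if (k == NULL)
        return 0;
    int dirty_before = !ticket_keys_is_clean(k);
    ticket_keys_wipe(k);
    int clean_after = ticket_keys_is_clean(k);
    ticket_keys_release(k);               /* wipes again (harmless) and frees */
    secure_wipe(app_key, sizeof app_key); /* the caller's own copy as well */
    return dirty_before && clean_after;
}

int main(void)
{
    printf("wipe round trip %s\n", demo_wipe_roundtrip() ? "ok" : "FAILED");
    return 0;
}
```

The derived keys are wiped as a whole array rather than slot by slot; that is the trade-off the merge request describes between one wipe of the whole `session->key` structure and specific calls per field, and either is fine as long as no buffer is missed.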
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 14 Jun 2020 17:34:21 +0000
Subject: [gnutls-devel] GnuTLS | crypto-api: always allocate memory when serializing iovec_t (!1290)

Dmitry Baryshkov created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1290

Branches: tmp-fix-iov-3_6 to gnutls_3_6_x
Author: Dmitry Baryshkov

Add a description of the new feature/bug fix. Reference any relevant bugs.

## Checklist

* [x] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [x] Code modified for feature
* [x] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
* [x] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:

* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

From gnutls-devel at lists.gnutls.org Sun Jun 14 22:34:56 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 14 Jun 2020 20:34:56 +0000
Subject: [gnutls-devel] GnuTLS | .gitlab-ci: disable config.cache for nettle-master builds (!1291)

Dmitry Baryshkov created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1291

Project:Branches: GostCrypt/gnutls:tmp-nettle-master to gnutls/gnutls:master
Author: Dmitry Baryshkov

Add a description of the new feature/bug fix. Reference any relevant bugs.

## Checklist

* [x] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [x] Code modified for feature
* [ ] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
* [x] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:

* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

From gnutls-devel at lists.gnutls.org Sun Jun 14 22:40:07 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 14 Jun 2020 20:40:07 +0000
Subject: [gnutls-devel] GnuTLS | tests: improve datefudge usage (!1288)

Merge Request !1288 was approved by Dmitry Baryshkov

Merge Request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1288
Branches: tmp-skip-datefudge to master
Author: Daiki Ueno
Assignees:

From gnutls-devel at lists.gnutls.org Sun Jun 14 22:44:20 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 14 Jun 2020 20:44:20 +0000
Subject: [gnutls-devel] GnuTLS | build: minor fixes (!1287)

Dmitry Baryshkov started a new discussion on lib/algorithms/sign.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1287#note_360776984

> if (unlikely(se == NULL))
> return 0;
>
> - me = mac_to_entry(se->hash);
> + me = mac_to_entry(DIG_TO_MAC(se->hash));

`hash_to_entry`?

From gnutls-devel at lists.gnutls.org Sun Jun 14 22:44:32 2020
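Review bot: the changed line in lib/algorithms/sign.c reaches a digest's table entry by mapping se->hash through DIG_TO_MAC() and then calling mac_to_entry(), which only yields a valid entry while every digest has a MAC counterpart; the direct hash_to_entry(se->hash) that the inline question suggests expresses the intent without that detour, and since the visible context guards only se against NULL, the value assigned to me should be checked as well before it is used, because a digest with no MAC entry (the SHA-3 concern raised later in this thread) would otherwise pass through unguarded.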
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 14 Jun 2020 20:44:32 +0000
Subject: [gnutls-devel] GnuTLS | build: minor fixes (!1287)

Dmitry Baryshkov started a new discussion on lib/nettle/pk.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1287#note_360777000

>
> /* This call will return a valid MAC entry and
> * getters will check that is not null anyway. */
> - me = mac_to_entry(_gnutls_gost_digest(pk_params->algo));
> + me = mac_to_entry(DIG_TO_MAC(_gnutls_gost_digest(pk_params->algo)));

And here

From gnutls-devel at lists.gnutls.org Sun Jun 14 22:47:27 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 14 Jun 2020 20:47:27 +0000
Subject: [gnutls-devel] GnuTLS | build: minor fixes (!1287)

Dmitry Baryshkov commented:

LGTM otherwise. I'm a little bit worried about SHA-3 digests, for which there is no HMAC.

From gnutls-devel at lists.gnutls.org Sun Jun 14 22:51:56 2020
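Review bot: the comment kept above the changed line in lib/nettle/pk.c still promises that "this call will return a valid MAC entry", which the new DIG_TO_MAC(_gnutls_gost_digest(...)) wrapper does not by itself guarantee once digest and MAC identifiers are separate enumerations; either switch to the direct hash lookup suggested on the sign.c hunk or extend the comment to state why the mapping cannot fail for the digests _gnutls_gost_digest() returns, so the next reader does not have to re-derive that.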
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 14 Jun 2020 20:51:56 +0000
Subject: [gnutls-devel] GnuTLS | build: minor fixes (!1287)

Merge Request !1287 was approved by Dmitry Baryshkov

Merge Request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1287
Branches: tmp-enum to master
Author: Daiki Ueno
Assignees:

From gnutls-devel at lists.gnutls.org Sun Jun 14 22:54:25 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 14 Jun 2020 20:54:25 +0000
Subject: [gnutls-devel] GnuTLS | Fix Vista CI and add a Vista DLL target (3_6_x branch) (!1282)

Dmitry Baryshkov commented:

@robUx4 could you please rebase now on top of current 3_6_x branch? I can not merge this till build succeeds.

From gnutls-devel at lists.gnutls.org Sun Jun 14 22:55:06 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 14 Jun 2020 20:55:06 +0000
Subject: [gnutls-devel] GnuTLS | tests: disable slow tests if configured with --disable-full-test-suite (!1263)

Merge Request !1263 was closed by Dmitry Baryshkov

Merge Request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1263
Project:Branches: GostCrypt/gnutls:fix-testsuite to gnutls/gnutls:master
Author: Dmitry Baryshkov
Assignees:

From gnutls-devel at lists.gnutls.org Sun Jun 14 22:55:06 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 14 Jun 2020 20:55:06 +0000
Subject: [gnutls-devel] GnuTLS | tests: disable slow tests if configured with --disable-full-test-suite (!1263)

Dmitry Baryshkov commented:

Hmm. True. Let's get this closed for now.

From gnutls-devel at lists.gnutls.org Sun Jun 14 23:05:49 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 14 Jun 2020 21:05:49 +0000
Subject: [gnutls-devel] GnuTLS | configure.ac: prefer the latest version of build infrastructure (!1284)

Merge Request !1284 was approved by Dmitry Baryshkov

Merge Request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1284
Branches: tmp-gettext to master
Author: Daiki Ueno
Assignees:

From gnutls-devel at lists.gnutls.org Sun Jun 14 23:05:53 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 14 Jun 2020 21:05:53 +0000
Subject: [gnutls-devel] GnuTLS | configure.ac: prefer the latest version of build infrastructure (!1284)

Merge Request !1284 was merged

Merge Request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1284
Branches: tmp-gettext to master
Author: Daiki Ueno
Assignees:

From gnutls-devel at lists.gnutls.org Sun Jun 14 23:08:58 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 14 Jun 2020 21:08:58 +0000
Subject: [gnutls-devel] GnuTLS | tests: improve datefudge usage (!1288)

Merge Request !1288 was merged

Merge Request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1288
Branches: tmp-skip-datefudge to master
Author: Daiki Ueno
Assignees:

From gnutls-devel at lists.gnutls.org Sun Jun 14 23:08:56 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 14 Jun 2020 21:08:56 +0000
Subject: [gnutls-devel] GnuTLS | cve-2019-3829 testcase does not trigger error (#1021)

Issue was closed by Dmitry Baryshkov via merge request !1288 (https://gitlab.com/gnutls/gnutls/-/merge_requests/1288)

Issue #1021: https://gitlab.com/gnutls/gnutls/-/issues/1021

From gnutls-devel at lists.gnutls.org Sun Jun 14 23:26:20 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 14 Jun 2020 21:26:20 +0000
Subject: [gnutls-devel] GnuTLS | refine tests for ancient servers which support both SSL 3.0 and TLS 1.0, but both only with %NO_EXTENSIONS (!1251)

Merge Request !1251 was approved by Dmitry Baryshkov

Merge Request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1251
Project:Branches: dlenski/gnutls:better_SSL3.0_tests to gnutls/gnutls:master
Author: Daniel Lenski
Assignees:

From gnutls-devel at lists.gnutls.org Sun Jun 14 23:26:33 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 14 Jun 2020 21:26:33 +0000
Subject: [gnutls-devel] GnuTLS | refine tests for ancient servers which support both SSL 3.0 and TLS 1.0, but both only with %NO_EXTENSIONS (!1251)

Merge Request !1251 was merged

Merge Request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1251
Project:Branches: dlenski/gnutls:better_SSL3.0_tests to gnutls/gnutls:master
Author: Daniel Lenski
Assignees:

From gnutls-devel at lists.gnutls.org Mon Jun 15 05:02:22 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 15 Jun 2020 03:02:22 +0000
Subject: [gnutls-devel] GnuTLS | issues #1018- Modied the license to GPLv2.1+ to keep with LICENSE file. (!1285)

Lei Maohui commented:

I have retriggered the pipeline and the result is passed.

From gnutls-devel at lists.gnutls.org Mon Jun 15 06:08:41 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 15 Jun 2020 04:08:41 +0000
Subject: [gnutls-devel] GnuTLS | New CI runner with clang ubsan+asan (!1151)

Merge Request !1151 was closed by GnuTLS bot

Merge Request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1151
Branches: tmp-clang-ubsan+asan to master
Author: Tim Rühsen
Assignees:

From gnutls-devel at lists.gnutls.org Mon Jun 15 06:08:41 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 15 Jun 2020 04:08:41 +0000
Subject: [gnutls-devel] GnuTLS | WIP: Support for GOST-CTR ciphersuites from draft-smyshlyaec-tls12-gost-suites (!1144)

Merge Request !1144 was closed by GnuTLS bot

Merge Request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1144
Project:Branches: GostCrypt/gnutls:gost-cleaned to gnutls/gnutls:master
Author: Dmitry Baryshkov
Assignees:

From gnutls-devel at lists.gnutls.org Mon Jun 15 06:08:40 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 15 Jun 2020 04:08:40 +0000
Subject: [gnutls-devel] GnuTLS | guile bindings do not build with pkgsrc (on NetBSD) (#996)

GnuTLS bot commented:

@teknokatze This issue is unlabelled after 30 days. It needs attention.

From gnutls-devel at lists.gnutls.org Mon Jun 15 06:08:41 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 15 Jun 2020 04:08:41 +0000
Subject: [gnutls-devel] GnuTLS | New CI runner with clang ubsan+asan (!1151)

GnuTLS bot commented:

@rockdaboot This merge request is marked as work in progress with no update for very long time. We are now closing it, but please re-open if you are still interested in finishing this merge request.

From gnutls-devel at lists.gnutls.org Mon Jun 15 06:08:41 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 15 Jun 2020 04:08:41 +0000
Subject: [gnutls-devel] GnuTLS | WIP: Support for GOST-CTR ciphersuites from draft-smyshlyaec-tls12-gost-suites (!1144)

GnuTLS bot commented:

@lumag This merge request is marked as work in progress with no update for very long time. We are now closing it, but please re-open if you are still interested in finishing this merge request.

From gnutls-devel at lists.gnutls.org Mon Jun 15 06:08:39 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 15 Jun 2020 04:08:39 +0000
Subject: [gnutls-devel] GnuTLS | Issues require labels (#1035)

GnuTLS bot created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1035

The following issues require labels:

- [ ] [guile bindings do not build with pkgsrc (on NetBSD)](https://gitlab.com/gnutls/gnutls/-/issues/996)
- [ ] [GnuTLS parsed a cert without error. But ZCertificate reported the error that the modulus is not a positive number](https://gitlab.com/gnutls/gnutls/-/issues/987)

Please take care of them.

From gnutls-devel at lists.gnutls.org Mon Jun 15 06:08:40 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 15 Jun 2020 04:08:40 +0000
Subject: [gnutls-devel] GnuTLS | GnuTLS parsed a cert without error. But ZCertificate reported the error that the modulus is not a positive number (#987)

GnuTLS bot commented:

@GOODPWDCETCSZ This issue is unlabelled after 30 days. It needs attention.

From gnutls-devel at lists.gnutls.org Mon Jun 15 08:32:47 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 15 Jun 2020 06:32:47 +0000
Subject: [gnutls-devel] GnuTLS | Fix Vista CI and add a Vista DLL target (3_6_x branch) (!1282)

Steve Lhomme commented:

Done (now let's see if the pipeline still works)

From gnutls-devel at lists.gnutls.org Mon Jun 15 10:34:58 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 15 Jun 2020 08:34:58 +0000
Subject: [gnutls-devel] GnuTLS | WIP: Support for GOST-CTR ciphersuites from draft-smyshlyaec-tls12-gost-suites (!1144)

Merge Request !1144 was reopened by Dmitry Baryshkov

Merge Request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1144
Project:Branches: GostCrypt/gnutls:gost-cleaned to gnutls/gnutls:master
Author: Dmitry Baryshkov
Assignees:

From gnutls-devel at lists.gnutls.org Mon Jun 15 11:26:34 2020
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 15 Jun 2020 09:26:34 +0000
Subject: [gnutls-devel] GnuTLS | build: minor fixes (!1287)

All discussions on Merge Request !1287 were resolved by Dmitry Baryshkov
https://gitlab.com/gnutls/gnutls/-/merge_requests/1287

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1287

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 15 Jun 2020 09:26:50 +0000
Subject: [gnutls-devel] GnuTLS | build: minor fixes (!1287)

Merge Request !1287 was merged
Merge Request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1287
Branches: tmp-enum to master
Author: Daiki Ueno
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1287
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 15 Jun 2020 09:29:28 +0000
Subject: [gnutls-devel] GnuTLS | Fix Vista CI and add a Vista DLL target (3_6_x branch) (!1282)

Dmitry Baryshkov commented: @robUx4 could you please:

- Navigate to your fork's CI/CD > Pipelines page.
- Click on the Clear Runner caches button to clean up the cache.
- Restart the two failing jobs afterwards

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1282#note_361034665

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 15 Jun 2020 10:27:36 +0000
Subject: [gnutls-devel] GnuTLS | Fix Vista CI and add a Vista DLL target (3_6_x branch) (!1282)

Steve Lhomme commented: It worked!

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1282#note_361084118
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 15 Jun 2020 13:42:52 +0000
Subject: [gnutls-devel] GnuTLS | Fix Vista CI and add a Vista DLL target (3_6_x branch) (!1282)

Merge Request !1282 was merged
Merge Request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1282
Project:Branches: robUx4/gnutls:fix-vista-ci-3_6_x to gnutls/gnutls:gnutls_3_6_x
Author: Steve Lhomme
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1282

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 15 Jun 2020 14:03:12 +0000
Subject: [gnutls-devel] GnuTLS | Tests fail if the Python interpreter binary isn't called "python" (#1034)

Airtower commented: My [pull request for tlsfuzzer](https://github.com/tomato42/tlsfuzzer/pull/671) has been merged, so the remaining parts could be fixed in GnuTLS now (including updating the submodule).

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1034#note_361272378
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 15 Jun 2020 19:26:36 +0000
Subject: [gnutls-devel] GnuTLS | Page with binaries for Windows is returning 404 (#1036)

silvioprog created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1036

Hi. Please provide official binaries for Windows. The page below is returning 404:

https://gitlab.com/gnutls/gnutls/builds/artifacts/3.6.14/download?job=MinGW32.DLLs

The page above is suggested here: https://gnutls.org/download.html

Cheers

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1036

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 15 Jun 2020 20:55:41 +0000
Subject: [gnutls-devel] GnuTLS | GOSTR341194, RIPEMD160: mark as insecure for digital signatures (!1175)

Dmitry Baryshkov pushed new commits to merge request !1175
https://gitlab.com/gnutls/gnutls/-/merge_requests/1175

* 9ac41f0b...5c7ec5ab - 274 commits from branch `master`
* 7bfc148a - Merge branch 'master' into 'tmp-mark-gost94-as-broken'

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1175
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 16 Jun 2020 00:35:14 +0000
Subject: [gnutls-devel] GnuTLS | GOSTR341194, RIPEMD160: mark as insecure for digital signatures (!1175)

Merge Request !1175 was merged
Merge Request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1175
Project:Branches: nmav/gnutls:tmp-mark-gost94-as-broken to gnutls/gnutls:master
Author: Nikos Mavrogiannopoulos
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1175
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 16 Jun 2020 08:22:13 +0000
Subject: [gnutls-devel] GnuTLS | gnutls-cli in pipes messes up the i/o stream (#1037)

Björn Jacke created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1037

I recently added gnutls-cli support to the rsync-ssl wrapper script, but gnutls-cli turns out to mess up the i/o stream. To show you the effect I attach the [rsync-ssl](/uploads/9fd0318c67c1c9f530b65163940fbead/rsync-ssl) script. If you run it like

./rsync-ssl --type=gnutls -ai download.samba.org::gnokii /tmp/testdir/

you will probably already see letters from the rsync welcome banner being scrambled. Later on the rsync protocol stream will break. If you run the same command with --type=openssl then there will be no error.

Is there some blocking I/O issue with gnutls-cli in terminal mode?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1037

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 16 Jun 2020 08:52:34 +0000
Subject: [gnutls-devel] GnuTLS | p11-kit / p11tool hang on clang (#965)

Andreas Fuchs commented: I'll see what I can do. FYI, it seems to hang on Ubuntu2004 as well.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/965#note_361829041
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 16 Jun 2020 20:25:35 +0000
Subject: [gnutls-devel] GnuTLS | tests/cert-tests/pem-decoding fails after build with --disable-gost (#1038)

Airtower created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1038

Running `make check` fails with an error in `tests/cert-tests/pem-decoding`. The log file `tests/cert-tests/pem-decoding.log` looks like this:

```
9d8
< error importing public key: The curve is unsupported
10a10,19
> Algorithm Security Level: High (256 bits)
> Curve: CryptoPro-A
> Digest: GOSTR341194
> ParamSet: CryptoPro-A
> X:
> e0:35:f2:a8:40:cf:ea:25:63:b5:c1:eb:fa:fd:1d:7f
> 45:d6:2a:31:96:56:35:75:25:19:f6:62:69:db:da:eb
> Y:
> 57:41:b2:c1:e2:1f:7b:d0:13:c8:dd:eb:9f:ba:cb:42
> a3:63:c7:0b:f4:e9:24:d7:dd:e9:34:8d:12:18:67:d8
31a41,45
> Public Key ID:
> sha1:43757042dae9e9f5fa92cc2d2cbf4950f28a7bd0
> sha256:cee4a59e7803bafb101af8e39e5355d7895e3b85e7616fe624d48f2c51e8bdbf
> Public Key PIN:
> pin-sha256:zuSlnngDuvsQGvjjnlNV14leO4XnYW/mJNSPLFHovb8=
GOST cert decoding failed 2
FAIL pem-decoding (exit status: 1)
```

## Version of gnutls used:

Build from master at 1c8720d012d47439e96672ea44f34e50ae8c6725. The build I based !1289 on was fine, so the bug must have been introduced after 1270e81b944e1672f89d8a8b1db986535cf5b072.

## How reproducible:

* Run `./configure` with `--disable-gost`.
* Run `make check`

## Actual results:

`tests/cert-tests/pem-decoding` fails, the test suite stops after running tests in the `cert-tests` directory.

## Expected results:

Passing test.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1038
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 16 Jun 2020 21:00:40 +0000
Subject: [gnutls-devel] GnuTLS | Detect Python interpreter for tests instead of assuming "python" (!1292)

Airtower created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1292
Project:Branches: airtower-luna/gnutls:tmp-detect-python to gnutls/gnutls:master
Author: Airtower

This change makes the extended test suite work on Debian(-ish) systems without Python 2, where the Python 3 interpreter is called "python3". Note that the changes include a tlsfuzzer update to get similar changes there.

Closes #1034.

## Checklist

* [x] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [x] Code modified for feature
* [ ] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
* [x] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:

* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1292
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 16 Jun 2020 21:02:12 +0000
Subject: [gnutls-devel] GnuTLS | Tests fail if the Python interpreter binary isn't called "python" (#1034)

Airtower commented: I've prepared !1292 without a version check that'd enforce Python 3 because I noticed some of the CI containers still use Python 2. With the merge request like this the containers could be updated to Python 3, but don't have to be.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1034#note_362376381
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 17 Jun 2020 14:26:59 +0000
Subject: [gnutls-devel] GnuTLS | FIPS restrictions are not as comprehensive as one might infer from the documentation (#1039)

Alexander Sosedkin created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1039

doc/cha-internals.texi#L691 has the following claim:

> When the FIPS140-2 mode is enabled, The operation of the library is in addition modified as follows.
>
> * Only approved by FIPS140-2 algorithms are enabled

As far as I understand, this is mostly true, as in, cipher and MAC usage is restricted, but not, e.g., curve selection. But the doc text might leave the impression that the imposed restrictions are comprehensive.

I suppose that either the wording should be amended to clarify the extent of the restrictions in place, or the library behaviour should be extended to restrict more of its functionality when in FIPS mode.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1039
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 17 Jun 2020 17:43:19 +0000
Subject: [gnutls-devel] GnuTLS | Detect Python interpreter for tests instead of assuming "python" (!1292)

Merge Request !1292 was approved by Dmitry Baryshkov
Merge Request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1292
Project:Branches: airtower-luna/gnutls:tmp-detect-python to gnutls/gnutls:master
Author: Airtower
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1292

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 17 Jun 2020 17:43:30 +0000
Subject: [gnutls-devel] GnuTLS | Tests fail if the Python interpreter binary isn't called "python" (#1034)

Issue was closed by Dmitry Baryshkov via merge request !1292 (https://gitlab.com/gnutls/gnutls/-/merge_requests/1292)
Issue #1034: https://gitlab.com/gnutls/gnutls/-/issues/1034

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1034
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 17 Jun 2020 17:43:29 +0000
Subject: [gnutls-devel] GnuTLS | Detect Python interpreter for tests instead of assuming "python" (!1292)

Merge Request !1292 was merged
Merge Request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1292
Project:Branches: airtower-luna/gnutls:tmp-detect-python to gnutls/gnutls:master
Author: Airtower
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1292

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 17 Jun 2020 17:43:48 +0000
Subject: [gnutls-devel] GnuTLS | Detect Python interpreter for tests instead of assuming "python" (!1292)

Dmitry Baryshkov commented: @airtower-luna @dueno do we need this for 3.6 also?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1292#note_363121738
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 18 Jun 2020 07:05:36 +0000
Subject: [gnutls-devel] GnuTLS | issues #1018- Modied the license to GPLv2.1+ to keep with LICENSE file. (!1285)

Merge Request !1285 was approved by Daiki Ueno
Merge Request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1285
Project:Branches: leimaoh/gnutls:master to gnutls/gnutls:master
Author: Lei Maohui
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1285

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 18 Jun 2020 07:05:43 +0000
Subject: [gnutls-devel] GnuTLS | issues #1018- Modied the license to GPLv2.1+ to keep with LICENSE file. (!1285)

All discussions on Merge Request !1285 were resolved by Daiki Ueno
https://gitlab.com/gnutls/gnutls/-/merge_requests/1285

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1285
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 18 Jun 2020 07:05:49 +0000
Subject: [gnutls-devel] GnuTLS | issues #1018- Modied the license to GPLv2.1+ to keep with LICENSE file. (!1285)

Merge Request !1285 was merged
Merge Request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1285
Project:Branches: leimaoh/gnutls:master to gnutls/gnutls:master
Author: Lei Maohui
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1285

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 18 Jun 2020 07:06:09 +0000
Subject: [gnutls-devel] GnuTLS | issues #1018- Modied the license to GPLv2.1+ to keep with LICENSE file. (!1285)

Daiki Ueno commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/1285#note_363402259

Thank you, merged; sorry for the delay.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1285#note_363402259
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 18 Jun 2020 07:06:12 +0000
Subject: [gnutls-devel] GnuTLS | issues #1018- Modied the license to GPLv2.1+ to keep with LICENSE file. (!1285)

All discussions on Merge Request !1285 were resolved by Daiki Ueno
https://gitlab.com/gnutls/gnutls/-/merge_requests/1285

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1285
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 18 Jun 2020 08:33:06 +0000
Subject: [gnutls-devel] GnuTLS | gnutls-cli does not report failed handshake when debug level < 3 (#1040)

Markus Wamser created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1040

## Description of problem:

gnutls-cli returns exit code 0 and does not report any error although the server side reports a failed handshake. This behaviour changes when the debug level is set to 3 via `-d 3`. This is a regression probably introduced between 3.6.2 and 3.6.6.

## Version of gnutls used:

3.6.14

## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)

NixOS

## How reproducible:

Please see this issue: https://github.com/NixOS/nixpkgs/issues/84507 for details, which also links to runs with different versions of gnutls-cli that demonstrate the introduction of this regression and the workaround proposed here: https://github.com/NixOS/nixpkgs/pull/90718

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1040
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 18 Jun 2020 09:31:18 +0000
Subject: [gnutls-devel] GnuTLS | gnutls_session_channel_binding returns empty binding data for TLS1.3 (#1041)

Ruslan Marchenko created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1041

## Description of problem:

When using a TLS1.3 connection and attempting to retrieve tls-unique binding data, the gnutls_session_channel_binding() call succeeds, however it returns empty data (zero size buffer). Looking at the code, the call intercepts the finished message only in lib/handshake.c but not in lib/tls13/finished.c. Technically you don't need to store finished in tls13 as it could always be computed, which is not done in this call.

## Version of gnutls used:

3.6.14-1

## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)

ArchLinux

## How reproducible:

```
gnutls_datum_t cb;
int ret = gnutls_session_channel_binding (priv->session, GNUTLS_CB_TLS_UNIQUE, &cb);
if (ret == GNUTLS_E_SUCCESS)
  {
    if (data != NULL)
      {
        g_tls_log_debug (gnutls, "tls-unique binding size %d", cb.size);
        g_free (g_byte_array_steal (data, NULL));
        g_byte_array_append (data, cb.data, cb.size);
      }
    g_free (cb.data);
    return TRUE;
  }
```

Steps to Reproduce:

* run with G_TLS_GNUTLS_PRIORITY='NORMAL:%COMPAT:!VERS-TLS1.3' - result is

```
(/home/ruff/co/glib-networking/_build/tls/tests/connection-gnutls:430951): GLib-Net-DEBUG: 11:27:43.445: CLIENT[0x55b24b896440]: tls-unique binding size 12
(/home/ruff/co/glib-networking/_build/tls/tests/connection-gnutls:430951): GLib-Net-DEBUG: 11:27:43.445: SERVER[0x55b24b8a29d0]: tls-unique binding size 12
```

* run with defaults (which prefers TLS1.3)

```
(/home/ruff/co/glib-networking/_build/tls/tests/connection-gnutls:430949): GLib-Net-DEBUG: 11:27:43.398: CLIENT[0x564054f58440]: tls-unique binding size 0
(/home/ruff/co/glib-networking/_build/tls/tests/connection-gnutls:430949): GLib-Net-DEBUG: 11:27:43.398: SERVER[0x564054f649d0]: tls-unique binding size 0
```

## Actual results:

see above

## Expected results:

tls-unique binding size 48 (at least that's what I get with OpenSSL)

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1041
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 20 Jun 2020 17:51:23 +0000
Subject: [gnutls-devel] GnuTLS | Copy Finished packet to cb_tls_unique buffer in tls13/finished (!1293)

Ruslan Marchenko created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1293
Project:Branches: rufferson/gnutls:tls-unique-13 to gnutls/gnutls:master
Author: Ruslan Marchenko

This change fixes the gnutls_session_channel_binding call for the TLSv1.3 protocol. The handshake for this protocol is executed outside of the normal flow, therefore the cb_tls_unique buffer is not filled with the right payload.

Should close #1041

## Checklist

* [x] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [ ] Code modified for feature
* [ ] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
* [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:

* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1293
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 21 Jun 2020 08:11:52 +0000
Subject: [gnutls-devel] GnuTLS | Copy Finished packet to cb_tls_unique buffer in tls13/finished (!1293)

Ruslan Marchenko commented: Just to add - this has been tested in a synthetic test of glib-networking (byte-compare client and server binding data) and in a real-life test of telepathy/wocky + metronomeIM using SCRAM-SHA-512-PLUS over TLS1.3.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1293#note_365122948

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 21 Jun 2020 08:16:25 +0000
Subject: [gnutls-devel] GnuTLS | Wipe session ticket keys before releasing the session structure (!1289)

Merge Request !1289 was approved by Daiki Ueno
Merge Request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1289
Project:Branches: airtower-luna/gnutls:tmp-clear-session-ticket-keys to gnutls/gnutls:master
Author: Airtower
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1289
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 21 Jun 2020 08:16:40 +0000
Subject: [gnutls-devel] GnuTLS | Wipe session ticket keys before releasing the session structure (!1289)

Daiki Ueno commented: Thank you, looks good to me.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1289#note_365123457

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 21 Jun 2020 08:16:44 +0000
Subject: [gnutls-devel] GnuTLS | Wipe session ticket keys before releasing the session structure (!1289)

Merge Request !1289 was merged
Merge Request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1289
Project:Branches: airtower-luna/gnutls:tmp-clear-session-ticket-keys to gnutls/gnutls:master
Author: Airtower
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1289
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 21 Jun 2020 08:17:08 +0000
Subject: [gnutls-devel] GnuTLS | crypto-api: always allocate memory when serializing iovec_t (!1290)

Merge Request !1290 was approved by Daiki Ueno
Merge Request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1290
Branches: tmp-fix-iov-3_6 to gnutls_3_6_x
Author: Dmitry Baryshkov
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1290

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 21 Jun 2020 08:17:14 +0000
Subject: [gnutls-devel] GnuTLS | crypto-api: always allocate memory when serializing iovec_t (!1290)

Merge Request !1290 was merged
Merge Request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1290
Branches: tmp-fix-iov-3_6 to gnutls_3_6_x
Author: Dmitry Baryshkov
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1290
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 21 Jun 2020 08:17:51 +0000
Subject: [gnutls-devel] GnuTLS | .gitlab-ci: disable config.cache for nettle-master builds (!1291)

Merge Request !1291 was approved by Daiki Ueno
Merge Request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1291
Project:Branches: GostCrypt/gnutls:tmp-nettle-master to gnutls/gnutls:master
Author: Dmitry Baryshkov
Assignees:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1291

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 21 Jun 2020 08:40:21 +0000
Subject: [gnutls-devel] GnuTLS | Copy Finished packet to cb_tls_unique buffer in tls13/finished (!1293)

Daiki Ueno commented: Thank you. I'm a bit concerned that RFC 8446 seems to prefer using exporters as channel bindings. Perhaps fixing #1013 could help your use-case?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1293#note_365125838
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 21 Jun 2020 09:22:55 +0000
Subject: [gnutls-devel] GnuTLS | Copy Finished packet to cb_tls_unique buffer in tls13/finished (!1293)

Ruslan Marchenko commented:

Yes, I'm aware of this, and we have an implementation of the [proposal](https://datatracker.ietf.org/doc/draft-ietf-kitten-tls-channel-bindings-for-tls13/) which makes use of the exporter function (and which is where #1013 was coming from). However, since it's not yet adopted, we cannot put it into the public API. Of the officially supported bindings we have only RFC 5929 so far, and that's what the other side (servers) are using currently. Also a note: in the latest revision the proposal dropped the use of context data, so that issue, while it still stands per se, is not blocking anymore.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1293#note_365130466
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 22 Jun 2020 07:17:33 +0000
Subject: [gnutls-devel] GnuTLS | Detect the availability of connectx at runtime (!1294)

Steve Lhomme created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1294
Project:Branches: robUx4/gnutls:macos-connectx to gnutls/gnutls:master
Author: Steve Lhomme

connectx is only available since macOS 10.11. So when compiling with a lower minimum SDK the compiler issues this error:

```
system/fastopen.c:134:9: error: 'connectx' is only available on macOS 10.11 or newer [-Werror,-Wunguarded-availability]
        ret = connectx(fd, &endpoints, SAE_ASSOCID_ANY, CONNECT_RESUME_ON_READ_WRITE | CONNECT_DATA_IDEMPOTENT, NULL, 0, NULL, NULL);
              ^~~~~~~~
/Applications/Xcode9.2.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX10.13.sdk/usr/include/sys/socket.h:713:5: note: 'connectx' has been marked as being introduced in macOS 10.11 here, but the deployment target is macOS 10.7.0
```

With macOS compilers it's possible to detect at runtime whether an API call is present or not using `__builtin_available()`. So we check at runtime for connectx and use it only when available. The same binary, when running on 10.10, will not use it and will fall back to the regular `connect()` call. The code running on 10.11+ will use `connectx` as expected.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1294
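The runtime check described above, as an added example that is not GnuTLS's code: a connect helper that calls `connectx()` under `__builtin_available()` on macOS 10.11 and later and falls back to `connect()` everywhere else, with the guard kept in the C file via `__has_builtin` rather than a configure probe. The connectx flags are the ones from the error message above; the function names, the iOS 9.0 version in the availability check and the loopback self-test are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>

/* 1 when connectx() can be used: an Apple build whose compiler knows
 * __builtin_available() and whose running OS is new enough. The check is
 * resolved by the OS version at runtime, not by the SDK or deployment
 * target, so one binary behaves correctly on both 10.10 and 10.11+. */
int fastopen_connectx_usable(void)
{
#if defined(__APPLE__)
# if __has_builtin(__builtin_available)
    if (__builtin_available(macOS 10.11, iOS 9.0, *))
        return 1;
# endif
#endif
    return 0;
}

/* Connect fd to addr. On macOS 10.11+ use connectx() with the flags from the
 * MR's snippet (deferred connect plus idempotent data, i.e. TCP Fast Open);
 * on older macOS at runtime, and on every other platform, use connect(). */
int fastopen_connect(int fd, const struct sockaddr *addr, socklen_t addrlen)
{
#if defined(__APPLE__)
# if __has_builtin(__builtin_available)
    if (__builtin_available(macOS 10.11, iOS 9.0, *)) {
        sa_endpoints_t endpoints;
        memset(&endpoints, 0, sizeof(endpoints));
        endpoints.sae_dstaddr = addr;
        endpoints.sae_dstaddrlen = addrlen;
        return connectx(fd, &endpoints, SAE_ASSOCID_ANY,
                        CONNECT_RESUME_ON_READ_WRITE | CONNECT_DATA_IDEMPOTENT,
                        NULL, 0, NULL, NULL);
    }
# endif
#endif
    return connect(fd, addr, addrlen);
}

/* Constructed self-test (assumption of this example): listen on loopback,
 * connect with fastopen_connect(), send one byte and check the listener
 * receives it. Works on both code paths; returns 1 on success. */
int loopback_roundtrip(void)
{
    int srv = -1, cli = -1, conn = -1, ok = 0;
    struct sockaddr_in sa;
    socklen_t salen = sizeof(sa);
    char buf[1] = { 0 };

    srv = socket(AF_INET, SOCK_STREAM, 0);
    if (srv < 0)
        return 0;
    memset(&sa, 0, sizeof(sa));
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    sa.sin_port = 0;                    /* let the kernel pick a free port */
    if (bind(srv, (struct sockaddr *)&sa, sizeof(sa)) < 0 ||
        listen(srv, 1) < 0 ||
        getsockname(srv, (struct sockaddr *)&sa, &salen) < 0)
        goto out;

    cli = socket(AF_INET, SOCK_STREAM, 0);
    if (cli < 0)
        goto out;
    if (fastopen_connect(cli, (struct sockaddr *)&sa, sizeof(sa)) < 0)
        goto out;
    /* With CONNECT_RESUME_ON_READ_WRITE the connection is completed here. */
    if (send(cli, "x", 1, 0) != 1)
        goto out;

    conn = accept(srv, NULL, NULL);
    if (conn < 0)
        goto out;
    ok = (recv(conn, buf, 1, 0) == 1 && buf[0] == 'x');
out:
    if (conn >= 0) close(conn);
    if (cli >= 0) close(cli);
    if (srv >= 0) close(srv);
    return ok;
}

int main(void)
{
    printf("connectx usable at runtime: %d\n", fastopen_connectx_usable());
    printf("loopback round trip: %s\n", loopback_roundtrip() ? "ok" : "failed");
    return 0;
}
```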
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Wed, 24 Jun 2020 12:47:10 +0000
Subject: [gnutls-devel] libtasn1 | Cross compilation issue (#28)

Fernando Martinez created an issue: https://gitlab.com/gnutls/libtasn1/-/issues/28

## Description of problem:

I am trying to cross compile libtasn1 4.16 to armv7 iOS, but I am getting a linker error that I can't solve:

```
Undefined symbols for architecture armv7:
  "_c_isdigit", referenced from:
      __asn1_expand_object_id in libtasn1.a(parser_aux.o)
      __asn1_check_identifier in libtasn1.a(parser_aux.o)
```

## Version of libtasn1 used:

4.16 https://ftp.gnu.org/gnu/libtasn1/libtasn1-4.16.0.tar.gz

## Distributor of libtasn1 (e.g., Ubuntu, Fedora, RHEL)

I am compiling the source code itself

## How reproducible:

```
export SDKPATH=/Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS.sdk
export MIN_IOS_VERSION=10.0
export HOST=arm-apple-darwin
export BUILD=armv7
export LDFLAGS_NATIVE="-isysroot $SDKPATH "
export ARCHES=armv7
export LDFLAGS=$LDFLAGS_NATIVE
export CFLAGS="-arch $ARCH $LDFLAGS -miphoneos-version-min=$MIN_IOS_VERSION -fembed-bitcode -Wno-sign-compare "
./configure --host=$HOST --build=$BUILD --enable-static --disable-shared --prefix=$PWD/build/$ARCH && make && make install
```

## Actual results:

```
/Applications/Xcode.app/Contents/Developer/usr/bin/make all-recursive
Making all in lib
Making all in gl
/Applications/Xcode.app/Contents/Developer/usr/bin/make all-recursive
make[5]: Nothing to be done for `all-am'.
  CC       coding.lo
  CC       decoding.lo
  CC       element.lo
  CC       errors.lo
  CC       gstr.lo
  CC       parser_aux.lo
  CC       structure.lo
  CC       version.lo
  CCLD     libtasn1.la
Making all in src
  CC       asn1Parser.o
  CCLD     asn1Parser
Undefined symbols for architecture armv7:
  "_c_isdigit", referenced from:
      __asn1_expand_object_id in libtasn1.a(parser_aux.o)
      __asn1_check_identifier in libtasn1.a(parser_aux.o)
ld: symbol(s) not found for architecture armv7
clang: error: linker command failed with exit code 1 (use -v to see invocation)
make[2]: *** [asn1Parser] Error 1
make[1]: *** [all-recursive] Error 1
make: *** [all] Error 2
```

## Expected results:

I see the lib now has a custom c-ctype implementation and it should be included for cross compilation

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/-/issues/28
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Thu, 25 Jun 2020 23:42:40 +0000
Subject: [gnutls-devel] GnuTLS | Please update OpenSSL / cryptograms to 3.0.0-alpha1 or higher (#1043)

Dimitri John Ledkov created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1043

In January Intel CET patches landed in the crypto assembly .pl scripts. However, GnuTLS is using openssl pinned on an older version, and thus generates asm code without CET support.

Please update the openssl library to at least 3.0.0-alpha1, or just master, or the latest 3.0.0-alpha4. Unfortunately CET support is not backported to the 1.1.1 branch yet. I have requested that the CET support be merged back to the 1.1.1 branch here https://github.com/openssl/openssl/pull/12272 , but I'm not sure if the gnutls project can apply patches on top of the openssl submodule.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1043
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 26 Jun 2020 13:06:43 +0000
Subject: [gnutls-devel] GnuTLS | fips: tighten check on DH parameters according to SP800-56A (rev 3) (!1295)

Daiki Ueno created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1295
Branches: tmp-sp800-56ar3 to master
Author: Daiki Ueno

There is a new requirement under FIPS140-2 mode, where only approved DH primes should be accepted.

## Checklist

* [x] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [ ] Code modified for feature
* [x] Test suite updated with functionality tests
* [x] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
* [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:

* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1295
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 26 Jun 2020 14:10:22 +0000
Subject: [gnutls-devel] GnuTLS | fips: tighten check on DH parameters according to SP800-56A (rev 3) (!1295)

Merge Request !1295 was approved by Anderson Sasaki
Merge Request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1295
Branches: tmp-sp800-56ar3 to master
Author: Daiki Ueno

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1295

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 26 Jun 2020 14:11:16 +0000
Subject: [gnutls-devel] GnuTLS | fips: tighten check on DH parameters according to SP800-56A (rev 3) (!1295)

Anderson Sasaki commented:

I couldn't find any obvious mistake in the code. The implementation seems correct to me.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1295#note_368989160
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Fri, 26 Jun 2020 14:53:24 +0000
Subject: [gnutls-devel] GnuTLS | Please update OpenSSL / cryptograms to 3.0.0-alpha1 or higher (#1043)

Anderson Sasaki commented:

Hello @xnox,

I started the effort of bringing Intel CET support to GnuTLS not so long ago. Investigating what changes would be required, I found the problem you mentioned (missing changes in the OpenSSL_1_1_1-stable branch). That also led to the problem brought by the change in the OpenSSL license to Apache Software License 2.0, which conflicts with the licenses required when GnuTLS is linked with typically used dependencies (like GMP).

To avoid the license issue and bring the Intel CET support, we plan to obtain CRYPTOGAMS code directly from its repository, https://github.com/dot-asm/cryptogams. The problem is there are some files used by GnuTLS still missing there, which is tracked by https://github.com/dot-asm/cryptogams/issues/7. Once the required files are in place we will get back to this.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1043#note_369022840
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 27 Jun 2020 14:05:38 +0000
Subject: [gnutls-devel] GnuTLS | fips: tighten check on DH parameters according to SP800-56A (rev 3) (!1295)

Daiki Ueno commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/1295#note_369325170

Thank you for the review. I've added more test cases courtesy of @tomato42. @smuellerDD would you be able to double check whether this is sufficient?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1295#note_369325170

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 27 Jun 2020 14:10:56 +0000
Subject: [gnutls-devel] GnuTLS | Detect the availability of connectx at runtime (!1294)

Daiki Ueno started a new discussion on configure.ac: https://gitlab.com/gnutls/gnutls/-/merge_requests/1294#note_369325885

> > fi > > +AC_MSG_CHECKING([whether the compiler supports __builtin_available()]) > +AC_COMPILE_IFELSE([ > + AC_LANG_PROGRAM([[ > +#include > + ]],[[ > + if (__builtin_available(macOS 10.8, iOS 5.0, *)) {}

Can't this be done solely in the C file, with `#if __has_builtin(__builtin_available)`?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1294#note_369325885
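Review bot: the configure probe quoted in the configure.ac discussion only establishes that the compiler accepts `__builtin_available(...)`; the versions it passes (macOS 10.8, iOS 5.0) are below the macOS 10.11 in which connectx was introduced according to the MR description, so the probe must not be taken as a check that connectx exists, and the runtime guard in the C file still has to name 10.11. Also, as quoted here the `+#include` line carries no header name, so the probe cannot be verified as shown. Moving the whole guard into the C file behind `#if __has_builtin(__builtin_available)`, as the comment asks, removes the configure check and with it this ambiguity.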
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 27 Jun 2020 18:35:10 +0000
Subject: [gnutls-devel] GnuTLS | fix threading bug in libgnutls (#1044)

James Bottomley created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1044

On a very recent openSUSE build, libgnutls is getting built without libpthread. This caused a thread related error when trying to load a pkcs11 module that uses threading. The reason is rather convoluted: glibc actually controls all the pthread_ function calls, but it returns success without doing anything unless -lpthread is in the link list. What's happening is that gnutls_system_mutex_init() is being called on _gnutls_pkcs11_mutex before library pthreading is initialized, so the pthread_mutex_init ends up being a nop. Then, when the pkcs11 module is loaded, pthreads get initialized and the call to pthread_mutex_lock is real, but errors out on the uninitialized mutex.

The problem seems to be that nothing in the gnulib macros gnutls relies on for threading support detection actually sets LTLIBPTHREAD, they only set LIBPTHREAD. The fix is to use LIBPTHREAD in lib/Makefile.in

Signed-off-by: James Bottomley
---
diff --git a/lib/Makefile.am b/lib/Makefile.am index f55f298f7b..cee7906765 100644 --- a/lib/Makefile.am +++ b/lib/Makefile.am @@ -168,7 +168,7 @@ libgnutls_la_LIBADD += accelerated/libaccelerated.la endif if !WINDOWS -thirdparty_libadd += $(LTLIBPTHREAD) +thirdparty_libadd += $(LIBPTHREAD) endif if NEEDS_LIBRT[tmp.txt](/uploads/f9b3a3cae0774bfda19680f1ba38ecc6/tmp.txt)

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1044
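Review bot: the patch as pasted in this issue cannot be applied: the hunk's trailing context line `if NEEDS_LIBRT` is fused with the attachment link `[tmp.txt](/uploads/f9b3a3cae0774bfda19680f1ba38ecc6/tmp.txt)`, so the attached tmp.txt, or a merge request, has to carry the change; the body text also says lib/Makefile.in while the diff correctly edits lib/Makefile.am, the automake source from which Makefile.in is generated. The substitution `-thirdparty_libadd += $(LTLIBPTHREAD)` / `+thirdparty_libadd += $(LIBPTHREAD)` touches only the `if !WINDOWS` branch, so it is worth grepping the rest of the tree for `$(LTLIBPTHREAD)`: any other target still using the empty variable would keep linking without -lpthread and hit the same uninitialized-mutex failure described above.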
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sat, 27 Jun 2020 19:42:08 +0000
Subject: [gnutls-devel] GnuTLS | p11-kit / p11tool hang on clang (#965)

James Bottomley commented:

This may be another example of [issue 1044](https://gitlab.com/gnutls/gnutls/-/issues/1044). The exact behaviour depends on what the state of malloc'd memory is. Mine is poisoned which leads to an error on lock attempt, but if yours looked like the lock were already locked, this would be the behaviour.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/965#note_369363214

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 28 Jun 2020 10:15:06 +0000
Subject: [gnutls-devel] GnuTLS | fix threading bug in libgnutls (#1044)

Issue was closed by Daiki Ueno
Issue #1044: https://gitlab.com/gnutls/gnutls/-/issues/1044

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1044
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 28 Jun 2020 10:15:06 +0000
Subject: [gnutls-devel] GnuTLS | fix threading bug in libgnutls (#1044)

Daiki Ueno commented:

Thanks for the suggestion; afaik gnutls tried to remove the hard dependency on libpthread in favor of the glibc stubs, though it has never been complete as it's technically not possible to remove the libpthread dependency from p11-kit (see [the reasoning](https://github.com/p11-glue/p11-kit/pull/177)). I think the best way to handle this is to rely on the pthread module in gnulib, which adjusts [compiler / linker flags](https://git.savannah.gnu.org/cgit/gnulib.git/tree/m4/threadlib.m4#n558) properly on different platforms.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1044#note_369437941

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 28 Jun 2020 10:16:36 +0000
Subject: [gnutls-devel] GnuTLS | fix threading bug in libgnutls (#1044)

Issue was reopened by Daiki Ueno
Issue 1044: https://gitlab.com/gnutls/gnutls/-/issues/1044

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1044
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 28 Jun 2020 15:22:10 +0000
Subject: [gnutls-devel] GnuTLS | fix threading bug in libgnutls (#1044)

James Bottomley commented:

> Daiki Ueno commented:
>
> Thanks for the suggestion; afaik gnutls tried to remove the hard dependency on libpthread in favor of the glibc stubs, though it has never been complete as it's technically not possible to remove libpthread dependency from p11-kit (see [the reasoning](https://github.com/p11-glue/p11-kit/pull/177)).

I'm not saying don't do that, I'm just saying you're using the wrong gnulib variable.

> I think the best way to handle this is to rely on the pthread module in gnulib, which adjusts [compiler / linker flags](https://git.savannah.gnu.org/cgit/gnulib.git/tree/m4/threadlib.m4#n558) properly on different platforms.

You do ... you just use the wrong variable: you have to use LIBPTHREAD because nowhere in gnulib is LTLIBPTHREAD set. One could argue this is a bug in gnulib, but it's a bug that's impacting gnutls.

James

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1044#note_369491140
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Sun, 28 Jun 2020 19:37:31 +0000
Subject: [gnutls-devel] GnuTLS | build: use $(LIBPTHREAD) rather than non-existent $(LTLIBPTHREAD) (!1296)

Daiki Ueno created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1296
Branches: tmp-pthread to master
Author: Daiki Ueno

See #1044.

## Checklist

* [x] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [ ] Code modified for feature
* [ ] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
* [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:

* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1296
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 29 Jun 2020 00:23:22 +0000
Subject: [gnutls-devel] GnuTLS | static build: multiple definition of 'nettle_ecc_scalar_random' (#1045)

Adrien Béraud created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1045

When building a static library of gnutls, `nettle_ecc_scalar_random` is included in the resulting static library:

```
nm -C x86_64-linux-android/lib/libgnutls.a | grep nettle_ecc_scalar_random
00000000000001f0 T nettle_ecc_scalar_random
```

However this symbol is really part of `libhogweed` (Nettle):

```
nm -C x86_64-linux-android/lib/libhogweed.a | grep nettle_ecc_scalar_random
00000000000001f0 T nettle_ecc_scalar_random
```

So when building an executable with `-lgnutls -lhogweed -lnettle`:

```
ld: error: x86_64-linux-android/lib/libhogweed.a(ecc-random.o): multiple definition of 'nettle_ecc_scalar_random'
ld: x86_64-linux-android/lib/libgnutls.a(ecc-random.o): previous definition here
clang90++: error: linker command failed with exit code 1 (use -v to see invocation)
```

Or if trying to build without libhogweed (just `-lgnutls -lnettle`), the linker fails at runtime:

```
dlopen failed: cannot locate symbol "nettle_rsa_pss_sha256_sign_digest_tr" referenced by "/data/app/blah.so"...
```

Expected behavior: No definition from libhogweed or nettle should be included in the static library

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1045
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 29 Jun 2020 00:49:30 +0000
Subject: [gnutls-devel] GnuTLS | static build: multiple definition of 'nettle_ecc_scalar_random' (#1045)

Adrien Béraud commented:

Does not happen when building against Nettle 3.6

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1045#note_369559507

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 29 Jun 2020 05:25:20 +0000
Subject: [gnutls-devel] GnuTLS | fips: tighten check on DH parameters according to SP800-56A (rev 3) (!1295)

Stephan Mueller commented:

The check in itself is good and I have no comments. Yet, I am wondering about the following: the check is added to `_gnutls_proc_dh_common_server_kx`. This function seems to indicate that the call is in the TLS server. But shouldn't the call be also in the client considering that the server sends the domain parameters to the client?

That said, wouldn't the check be better found in the actual DH function like gnutls_pk_derive or similar?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1295#note_369623014
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 29 Jun 2020 05:49:00 +0000
Subject: [gnutls-devel] GnuTLS | fips: tighten check on DH parameters according to SP800-56A (rev 3) (!1295)

Daiki Ueno commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/1295#note_369635899

> This function seems to indicate that the call is in the TLS server

It's the other way around: the function is called by the client to handle ServerKeyExchange sent from the server. The only possible way to let the server use custom DH parameters is through `gnutls_dh_params_import_pkcs3` at the initialization time, but we suggest documenting that in the security policy rather than actually restricting the uses.

> wouldn't the check be better found in the actual DH function like gnutls_pk_derive or similar?

That could be, but I guess it would make testing harder (because we need to have FIPS/non-FIPS setup for the client and the server).

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1295#note_369635899
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 29 Jun 2020 06:00:08 +0000
Subject: [gnutls-devel] GnuTLS | fips: tighten check on DH parameters according to SP800-56A (rev 3) (!1295)

Stephan Mueller commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/1295#note_369640331

Hi Daiki,

> That could be, but I guess it would make testing harder (because we need to have FIPS/non-FIPS setup for the client and the server).

Ok, but that would imply that only the TLS use case of DH follows 56A rev 3, would it not?

Ciao
Stephan

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1295#note_369640331

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 29 Jun 2020 06:28:55 +0000
Subject: [gnutls-devel] GnuTLS | fips: tighten check on DH parameters according to SP800-56A (rev 3) (!1295)

Daiki Ueno commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/1295#note_369650822

That is true, but GnuTLS doesn't expose DH in any other way (i.e., there is no public API for DH).

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1295#note_369650822
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 29 Jun 2020 06:37:20 +0000
Subject: [gnutls-devel] GnuTLS | Cannot connect to github.com, download.mono-project.com (#990)

Maarten Boekhold commented:

It's been a while since there has been any activity on this issue. As per my analysis, it seems likely that telecom providers in the UAE introduce an issue with secp256r1, so I'm looking for a way to disable this globally on my system for applications compiled/linked against gnutls (openssl on Ubuntu 20.04 doesn't appear to use secp256r1). Does anybody know of any way to do this? Is there any global GNUTLS configuration file *on Ubuntu 20.04* in which I can disable this?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/990#note_369654445

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 29 Jun 2020 06:40:21 +0000
Subject: [gnutls-devel] GnuTLS | fips: tighten check on DH parameters according to SP800-56A (rev 3) (!1295)

Stephan Mueller commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/1295#note_369655789

Hi Daiki,

> That is true, but GnuTLS doesn't expose DH in any other way (i.e., there is no public API for DH).

Agreed, then please disregard my comments - the patch looks good.

Ciao
Stephan

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1295#note_369655789
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 29 Jun 2020 07:17:18 +0000
Subject: [gnutls-devel] GnuTLS | fips: tighten check on DH parameters according to SP800-56A (rev 3) (!1295)

Daiki Ueno commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/1295#note_369674656

Thanks for the double check.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1295#note_369674656

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 29 Jun 2020 07:17:30 +0000
Subject: [gnutls-devel] GnuTLS | fips: tighten check on DH parameters according to SP800-56A (rev 3) (!1295)

All discussions on Merge Request !1295 were resolved by Daiki Ueno
https://gitlab.com/gnutls/gnutls/-/merge_requests/1295

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1295
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 29 Jun 2020 07:17:39 +0000
Subject: [gnutls-devel] GnuTLS | fips: tighten check on DH parameters according to SP800-56A (rev 3) (!1295)

Merge Request !1295 was merged
Merge Request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1295
Branches: tmp-sp800-56ar3 to master
Author: Daiki Ueno

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1295
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 29 Jun 2020 13:56:39 +0000
Subject: [gnutls-devel] GnuTLS | safe_memcmp: remove in favor of gnutls_memcmp (!1297)

Daiki Ueno created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1297
Branches: tmp-safe-memcmp to master
Author: Daiki Ueno

This replaces the uses of `safe_memcmp` with `gnutls_memcmp` which is resilient against timing attacks. Note that this doesn't imply that the previous code was vulnerable: they were either (1) both arguments are public or (2) both arguments are confidential (and thus the attacker is not able to leverage it for timing attacks unless it has access to the data already).

Fixes #1042.

## Checklist

* [x] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [ ] Code modified for feature
* [ ] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
* [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:

* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1297
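An added example, not GnuTLS's code, of the property the MR above is after: an early-exit comparison beside a constant-time one with the same 0-when-equal contract as `gnutls_memcmp`, where each comparison also reports how many bytes it examined, so the difference an attacker would otherwise measure with a timer is visible directly. The 16-byte tag, the `steps` out-parameter and the function names are constructed for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Early-exit comparison, the shape of a typical safe_memcmp-style helper:
 * it returns at the first differing byte. `steps` (an instrumentation
 * out-parameter added for this example) receives how many bytes were
 * examined, which is what leaks through timing. Acceptable when both
 * inputs are public, or both are secret, as the MR description says. */
int early_exit_memcmp(const void *a, const void *b, size_t n, size_t *steps)
{
    const unsigned char *pa = a, *pb = b;
    size_t i;
    for (i = 0; i < n; i++) {
        if (pa[i] != pb[i]) {
            if (steps) *steps = i + 1;
            return 1;
        }
    }
    if (steps) *steps = n;
    return 0;
}

/* Constant-time comparison in the spirit of gnutls_memcmp(): every byte is
 * examined whatever the inputs, the differences are OR-accumulated, and the
 * 0/1 result is derived without a data-dependent branch. Returns 0 when
 * the two buffers are equal, 1 otherwise. */
int ct_memcmp(const void *a, const void *b, size_t n, size_t *steps)
{
    const volatile unsigned char *pa = a, *pb = b;
    unsigned char acc = 0;
    size_t i;
    for (i = 0; i < n; i++)
        acc |= pa[i] ^ pb[i];
    if (steps) *steps = n;
    /* Bit 7 of (acc | -acc) is set exactly when acc != 0. */
    return (acc | (unsigned char)-acc) >> 7;
}

/* The case that matters: `received` is attacker-controlled and `expected`
 * is secret (e.g. a MAC tag), so an early-exit compare would let the
 * attacker confirm the tag one byte at a time. Returns 1 on match. */
int tag_matches(const unsigned char *expected, const unsigned char *received, size_t n)
{
    return ct_memcmp(expected, received, n, NULL) == 0;
}

/* Constructed 16-byte "tag" used by the demo below. */
static const unsigned char TAG[16] = {
    0x3c, 0xa1, 0x7f, 0x02, 0x9b, 0x44, 0xe8, 0x10,
    0x5d, 0x66, 0xc3, 0x2e, 0x81, 0xf9, 0x07, 0xb5
};

/* Compare TAG against a copy of itself with byte `pos` flipped (or an exact
 * copy when pos >= 16) and report how many bytes the chosen comparison
 * examined: the early-exit count tracks the mismatch position, the
 * constant-time count is always 16. */
size_t steps_for_mismatch_at(size_t pos, int constant_time)
{
    unsigned char guess[sizeof TAG];
    size_t steps = 0;
    memcpy(guess, TAG, sizeof guess);
    if (pos < sizeof guess)
        guess[pos] ^= 0x01;
    if (constant_time)
        ct_memcmp(TAG, guess, sizeof guess, &steps);
    else
        early_exit_memcmp(TAG, guess, sizeof guess, &steps);
    return steps;
}

int main(void)
{
    size_t pos;
    for (pos = 0; pos < sizeof TAG; pos += 5)
        printf("mismatch at byte %2zu: early-exit examined %2zu bytes, "
               "constant-time examined %2zu bytes\n",
               pos, steps_for_mismatch_at(pos, 0), steps_for_mismatch_at(pos, 1));
    printf("tag_matches(TAG, TAG) = %d\n", tag_matches(TAG, TAG, sizeof TAG));
    return 0;
}
```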
From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 29 Jun 2020 14:15:03 +0000
Subject: [gnutls-devel] GnuTLS | safe_memcmp: remove in favor of gnutls_memcmp (!1297)

Hubert Kario (@mention me if you need reply) commented:

LGTM

View it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1297#note_370008959

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 29 Jun 2020 14:22:00 +0000
Subject: [gnutls-devel] GnuTLS | safe_memcmp: remove in favor of gnutls_memcmp (!1297)

Merge Request !1297 was approved by Anderson Sasaki
Merge Request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1297
Branches: tmp-safe-memcmp to master
Author: Daiki Ueno
Assignees:

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 29 Jun 2020 14:22:26 +0000
Subject: [gnutls-devel] GnuTLS | safe_memcmp: remove in favor of gnutls_memcmp (!1297)

Daiki Ueno commented:

Thanks for the review.

View it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1297#note_370014840

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 29 Jun 2020 14:23:15 +0000
Subject: [gnutls-devel] GnuTLS | safe_memcmp: remove in favor of gnutls_memcmp (!1297)

Merge Request !1297 was approved by Sahana Prasad
Merge Request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1297
Branches: tmp-safe-memcmp to master
Author: Daiki Ueno
Assignees:

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 29 Jun 2020 14:49:45 +0000
Subject: [gnutls-devel] GnuTLS | safe_memcmp: remove in favor of gnutls_memcmp (!1297)

Merge Request !1297 was merged
Merge Request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1297
Branches: tmp-safe-memcmp to master
Author: Daiki Ueno
Assignees:

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 29 Jun 2020 21:06:06 +0000
Subject: [gnutls-devel] GnuTLS | AIA callback to retrieve missing chain certificates (!1262)

Sahana Prasad commented:

@TheRealMichaelCatanzaro Hey Michael! Did you get a chance to use this callback?

View it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1262#note_370327577

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Mon, 29 Jun 2020 21:08:29 +0000
Subject: [gnutls-devel] GnuTLS | AIA callback to retrieve missing chain certificates (!1262)

Michael Catanzaro commented:

Not yet, but it's still high on my TODO so I hope to get to it pretty soon. Thanks for following up.

View it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1262#note_370328419

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 30 Jun 2020 06:06:57 +0000
Subject: [gnutls-devel] GnuTLS | Cannot connect to github.com, download.mono-project.com (#990)

Maarten Boekhold commented:

I've got GIT working by creating the following file

```
# /etc/gnutls/config
[overrides]
tls-disabled-group = group-secp256r1
```

However this doesn't work for apt/apt-get. If I run:

```
export GNUTLS_DEBUG_LEVEL=9
apt update
```

I'm getting a different kind of exception from gnutls:

```
gnutls[3]: ASSERT: ../../lib/buffers.c[get_last_packet]:1168
gnutls[5]: REC[0x55ea6c6b1bf0]: SSL 3.3 Alert packet received. Epoch 0, length: 2
gnutls[5]: REC[0x55ea6c6b1bf0]: Expected Packet Handshake(22)
gnutls[5]: REC[0x55ea6c6b1bf0]: Received Packet Alert(21) with length: 2
gnutls[5]: REC[0x55ea6c6b1bf0]: Decrypted Packet[0] Alert(21) with length: 2
gnutls[5]: REC[0x55ea6c6b1bf0]: Alert[2|40] - Handshake failed - was received
gnutls[3]: ASSERT: ../../lib/record.c[record_add_to_buffers]:891
gnutls[3]: ASSERT: ../../lib/record.c[record_add_to_buffers]:897
gnutls[3]: ASSERT: ../../lib/record.c[_gnutls_recv_in_buffers]:1577
gnutls[3]: ASSERT: ../../lib/buffers.c[_gnutls_handshake_io_recv_int]:1446
gnutls[3]: ASSERT: ../../lib/handshake.c[_gnutls_recv_handshake]:1531
gnutls[3]: ASSERT: ../../lib/handshake.c[handshake_client]:2918
gnutls[3]: ASSERT: ../../lib/buffers.c[_gnutls_io_write_flush]:696
gnutls[5]: REC: Sending Alert[1|0] - Close notify
gnutls[5]: REC[0x55ea6c6b1bf0]: Preparing Packet Alert(21) with length: 2 and min pad: 0
gnutls[9]: ENC[0x55ea6c6b1bf0]: cipher: NULL, MAC: MAC-NULL, Epoch: 0
gnutls[5]: REC[0x55ea6c6b1bf0]: Sent Packet[2] Alert(21) in epoch 0 and length: 7
gnutls[3]: ASSERT: ../../lib/record.c[check_session_status]:1649
gnutls[3]: ASSERT: ../../lib/record.c[gnutls_bye]:324
Err:14 https://download.mono-project.com/repo/ubuntu stable-focal Release
  Could not handshake: A TLS fatal alert has been received. [IP: 152.199.19.161 443]
```

Will keep investigating...

View it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/990#note_370499297

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 30 Jun 2020 13:22:55 +0000
Subject: [gnutls-devel] GnuTLS | Cannot connect to github.com, download.mono-project.com (#990)

Maarten Boekhold commented:

OK, the last bit is because there is a general issue with download.mono-project.com. No matter if I'm on VPN or not, I get the error from the previous post. If I completely disable TLSv1.3, the connection succeeds. OpenSSL doesn't seem to have this issue on my system because it doesn't seem to try TLSv1.3 at all, or it graciously falls back to TLSv1.2.

Not sure if/how to report this to mono-project.com...

View it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/990#note_370833483

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 30 Jun 2020 15:30:59 +0000
Subject: [gnutls-devel] GnuTLS | Setting tls priority lists is not working correctly (#1046)

Andreas Schneider created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1046

To honor system crypto policies we changed the 'tls priority' setting in Samba from `NORMAL:-VERS-SSL3.0` to `@SAMBA,SYSTEM,NORMAL:!-VERS-SSL3.0` according to the doc of [gnutls_priority_init2](https://gnutls.org/manual/html_node/Core-TLS-API.html#gnutls_005fpriority_005finit2)

```
Typical usage would be to specify application specified keyword first, followed by "SYSTEM" as a default fallback. e.g., "@LIBVIRT,SYSTEM:!-VERS-SSL3.0" will first try to find a config file entry matching "LIBVIRT", but if that does not exist will use the entry for "SYSTEM". If "SYSTEM" does not exist either, an error will be returned. In all cases, the SSL3.0 protocol will be disabled.
```

However this doesn't work at all, as it doesn't even recognize NORMAL if the SAMBA and SYSTEM profiles are not available:

```
asn at addc:~/workspace/projects/samba> GNUTLS_DEBUG_LEVEL=6 bin/ldbsearch -H ldaps://$SERVER:636/ -s base -b "" -U%
gnutls[2]: Enabled GnuTLS 3.6.14 logging...
gnutls[2]: getrandom random generator was detected
gnutls[2]: Intel SSSE3 was detected
gnutls[2]: Intel SHA was detected
gnutls[2]: Intel AES accelerator was detected
gnutls[2]: Intel GCM accelerator (AVX) was detected
gnutls[2]: cfg: unable to access: /etc/gnutls/config: 2
gnutls[5]: REC[0x55c6d6cc78a0]: Allocating epoch #0
gnutls[2]: added 6 protocols, 29 ciphersuites, 19 sig algos and 10 groups into priority list
gnutls[2]: cfg: unable to access: /etc/gnutls/config: 2
gnutls[2]: resolved 'SAMBA' to '', next 'SYSTEM,NORMAL'
gnutls[2]: cfg: unable to access: /etc/gnutls/config: 2
gnutls[2]: resolved 'SYSTEM' to '', next 'NORMAL'
gnutls[2]: cfg: unable to access: /etc/gnutls/config: 2
gnutls[2]: resolved 'NORMAL' to '', next ''
gnutls[2]: unable to resolve @SAMBA,SYSTEM,NORMAL:!VERS-SSL3.0
gnutls[3]: ASSERT: priority.c[gnutls_priority_init]:2017
gnutls[3]: ASSERT: priority.c[gnutls_priority_set_direct]:2343
TLS ../../source4/lib/tls/tls_tstream.c:1052 - The request is invalid.. Check 'tls priority' option at '@SAMBA,SYSTEM,NORMAL:!VERS-SSL3.0'
```

What should the correct string be so that it tries the SAMBA and SYSTEM profiles and, if those don't work, uses NORMAL rather than trying to resolve NORMAL as a file entry?

View it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1046

From: gnutls-devel at lists.gnutls.org (Development of GNU's TLS library)
Date: Tue, 30 Jun 2020 17:53:36 +0000
Subject: [gnutls-devel] GnuTLS | Setting tls priority lists is not working correctly (#1046)

Daiki Ueno commented:

A couple of issues I see here:

1. The `!-VERS-SSL3.0` syntax is invalid and the documentation should be updated
2. There is no fallback mechanism from `@SYSTEM` to `NORMAL` at the priority string level

For the latter, I suspect the least surprising behavior (for both the systems with/without the default configuration file) is to determine the `@SYSTEM` priority at build time, e.g., adding a new configure option `--with-system-priority=NORMAL` for Debian.

View it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1046#note_371141350
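What the debug log in the issue shows, and what Daiki's second point states, can be modelled in a small program: every name after `@` is looked up in the configuration file, `NORMAL` inside that list is just another (missing) file entry, and nothing in the string itself falls back to the built-in keyword. The C below is an added example written for this archive, not GnuTLS code: it simulates the `@A,B:modifiers` lookup against a constructed configuration table and shows the application-side fallback that keeps `NORMAL:...` as a separate candidate outside the `@` list. `struct cfg_entry`, `resolve_at_list`, `pick_priority` and the wrapper functions are names chosen here, the sample `SYSTEM` value is constructed, and the detail that the real parser appends the `:` modifiers to the resolved entry is an assumption.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the [priorities] section of /etc/gnutls/config
 * (the real file format is not parsed here). */
struct cfg_entry {
    const char *name;   /* e.g. "SYSTEM" */
    const char *value;  /* expansion, "" if the entry is empty */
};

/* One constructed configuration that defines SYSTEM, and one that models a
 * host with no config file at all (as in the issue's log). */
static const struct cfg_entry sample_cfg[] = {
    { "SYSTEM", "NORMAL:-VERS-TLS1.0:-VERS-TLS1.1" },
};
static const struct cfg_entry *const empty_cfg = NULL;

/* Simulated "@A,B,C:modifiers" resolution: each comma-separated name is looked
 * up in cfg only; the first non-empty hit wins and the ":modifiers" tail is
 * appended (assumed behaviour). Built-in keywords such as NORMAL are not
 * consulted inside the list, which is why "@SAMBA,SYSTEM,NORMAL" fails when
 * no config file exists. A string without '@' is used verbatim.
 * Returns 1 and fills out on success, 0 if no name resolved. */
static int resolve_at_list(const char *prio, const struct cfg_entry *cfg,
                           size_t ncfg, char *out, size_t outlen)
{
    if (prio[0] != '@') {
        snprintf(out, outlen, "%s", prio);
        return 1;
    }
    const char *p = prio + 1;
    const char *colon = strchr(p, ':');
    const char *suffix = colon ? colon : "";
    size_t listlen = colon ? (size_t)(colon - p) : strlen(p);

    while (listlen > 0) {
        const char *comma = memchr(p, ',', listlen);
        size_t namelen = comma ? (size_t)(comma - p) : listlen;
        for (size_t i = 0; i < ncfg; i++) {
            if (strlen(cfg[i].name) == namelen &&
                strncmp(cfg[i].name, p, namelen) == 0 &&
                cfg[i].value[0] != '\0') {
                snprintf(out, outlen, "%s%s", cfg[i].value, suffix);
                return 1;
            }
        }
        printf("resolved '%.*s' to ''\n", (int)namelen, p);
        if (!comma)
            break;
        listlen -= namelen + 1;
        p = comma + 1;
    }
    return 0;
}

/* Application-side fallback: try each candidate in order and return the index
 * of the first one that resolves, or -1. Keeping "NORMAL:..." as its own
 * candidate rather than inside the @ list is what makes the fallback work. */
static int pick_priority(const char *const *candidates, size_t n,
                         const struct cfg_entry *cfg, size_t ncfg,
                         char *out, size_t outlen)
{
    for (size_t i = 0; i < n; i++)
        if (resolve_at_list(candidates[i], cfg, ncfg, out, outlen))
            return (int)i;
    return -1;
}

/* Wrappers over the two constructed configurations; NULL means unresolved. */
static const char *resolve_with_sample_cfg(const char *prio)
{
    static char buf[256];
    return resolve_at_list(prio, sample_cfg, 1, buf, sizeof buf) ? buf : NULL;
}
static const char *resolve_with_empty_cfg(const char *prio)
{
    static char buf[256];
    return resolve_at_list(prio, empty_cfg, 0, buf, sizeof buf) ? buf : NULL;
}
static int fallback_index_with_empty_cfg(void)
{
    static const char *const candidates[] = {
        "@SAMBA,SYSTEM:!VERS-SSL3.0",  /* preferred: honour the system policy */
        "NORMAL:!VERS-SSL3.0",         /* built-in fallback, no file lookup */
    };
    char buf[256];
    return pick_priority(candidates, 2, empty_cfg, 0, buf, sizeof buf);
}

int main(void)
{
    const char *r = resolve_with_empty_cfg("@SAMBA,SYSTEM,NORMAL:!VERS-SSL3.0");
    printf("no config file, NORMAL inside @ list: %s\n", r ? r : "unresolved");
    printf("SYSTEM defined: %s\n", resolve_with_sample_cfg("@SAMBA,SYSTEM:!VERS-SSL3.0"));
    printf("no config file, fallback candidate index: %d\n", fallback_index_with_empty_cfg());
    return 0;
}
```

Against the real library the same loop is `gnutls_priority_init2()` called with each candidate in turn, stopping at the first call that succeeds; the build-time `@SYSTEM` default Daiki suggests would remove the need for the second candidate on distributions that ship no config file.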