From gnutls-devel at lists.gnutls.org Sat May 1 09:31:22 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sat, 01 May 2021 07:31:22 +0000
Subject: [gnutls-devel] GnuTLS | Replace `gnutls_rnd_works` hack in tests with a more reliable mechanism (#1220)
References:
Message-ID:

Daiki Ueno created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1220

Some [tests](https://gitlab.com/gnutls/gnutls/-/blob/master/tests/tls13/prf.c#L76) replace the `gnutls_rnd` symbol dynamically, with `visibility ("protected")`. This only works with special support from the linker and needs a check after `gnutls_handshake` (which indirectly calls `gnutls_rnd`) whether the replacement has been called.

Maybe we should have a private function similar to `_gnutls_global_set_gettime_function` to explicitly set a custom random function.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1220
You're receiving this email because of your account on gitlab.com.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From gnutls-devel at lists.gnutls.org Sat May 1 09:43:43 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sat, 01 May 2021 07:43:43 +0000
Subject: [gnutls-devel] GnuTLS | Libnettle 3.6 was not found (#1215)
In-Reply-To:
References:
Message-ID:

Daiki Ueno commented:

Glad that you could make it work. Closing this now.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1215#note_565236386

From gnutls-devel at lists.gnutls.org Sat May 1 09:43:43 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sat, 01 May 2021 07:43:43 +0000
Subject: [gnutls-devel] GnuTLS | Libnettle 3.6 was not found (#1215)
In-Reply-To:
References:
Message-ID:

Issue was closed by Daiki Ueno

Issue #1215: https://gitlab.com/gnutls/gnutls/-/issues/1215

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1215

From gnutls-devel at lists.gnutls.org Sat May 1 10:31:40 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sat, 01 May 2021 08:31:40 +0000
Subject: [gnutls-devel] GnuTLS | WIP: Implement new tls channel biding types (!1422)
References:
Message-ID:

Ruslan Marchenko created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1422

Project:Branches: rufferson/gnutls:tlsv1.3-cb to gnutls/gnutls:master
Author: Ruslan Marchenko

Current support for tls channel binding extraction api (`gnutls_session_channel_binding()`) is very rudimentary (`tls-unique` only) and partial (does not work for TLSv1.3). This MR targets to add missing binding types to cover existing protocols (TLSv1.2 and TLSv1.3).

Closes #1041
Closes #1214

## Checklist

* [ ] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [x] Code modified for feature
* [ ] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
* [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:

* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1422

From gnutls-devel at lists.gnutls.org Sat May 1 17:01:59 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sat, 01 May 2021 15:01:59 +0000
Subject: [gnutls-devel] GnuTLS | AFL instrumented gnutls always uses same session id and random (#1221)
References:
Message-ID:

Weiqi Wang created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1221

## Description of problem:

I followed https://gitlab.com/gnutls/gnutls/-/blob/master/fuzz/README.md to compile gnutls with `afl-clang-fast`. Then when I use `gnutls-serv` and `gnutls-cli`, the `session-id` and `random` are fixed to `00:2D:4E:C4:AC:68:92:9A:38:B5:F2:E2:53:D3:BB:01:FD:BE:3C:63:38:55:99:C2:FE:3D:DE:A7:75:05:56:31`

## Version of gnutls used:

commit f17e1be2 3.7.0

## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)

Ubuntu

## How reproducible:

Steps to Reproduce:

* Use AFL to compile gnutls
* Run gnutls-serv
* Run gnutls-cli two times and capture traffic

## Actual results:

The `session-id` and `random` are the same across sessions. In this capture file, `session-id` and `random` of client hello, `session-id` and `random` of server hello are all fixed to `00:2D:4E:C4:AC:68:92:9A:38:B5:F2:E2:53:D3:BB:01:FD:BE:3C:63:38:55:99:C2:FE:3D:DE:A7:75:05:56:31`

[gnutls_capture.pcap](/uploads/e43b9af820429d32112b7b3314346f8c/gnutls_capture.pcap)

Here is a capture using openssl client so that the client hello doesn't contain `session-id` and uses unique `random`. However, `gnutls-serv` still responds with server hello containing the same `session-id` and `random`.

[openssl_capture.pcap](/uploads/b1c7e17f7c4cb8e48c92eaae9fad621e/openssl_capture.pcap)

## Expected results:

The `random` and `session-id` are generated correctly.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1221

From gnutls-devel at lists.gnutls.org Sat May 1 17:28:10 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sat, 01 May 2021 15:28:10 +0000
Subject: [gnutls-devel] GnuTLS | AFL instrumented gnutls always uses same session id and random (#1221)
In-Reply-To:
References:
Message-ID:

Daiki Ueno commented:

I believe this is intentional; see commit d2e49df8ebc1b3a7e3a28059c099174365e0a546. If you have any better idea (without this, but still making fuzzing practical), I'm all ears :-)

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1221#note_565306715

From gnutls-devel at lists.gnutls.org Sun May 2 06:20:18 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sun, 02 May 2021 04:20:18 +0000
Subject: [gnutls-devel] GnuTLS | AFL instrumented gnutls always uses same session id and random (#1221)
In-Reply-To:
References:
Message-ID:

Weiqi Wang commented on a discussion: https://gitlab.com/gnutls/gnutls/-/issues/1221#note_565398001

Thanks for the info. I work around it and have what I need. I understand predictable randomness is needed for fuzzing, but what I'm curious about is that when I compile gnutls with AFL but without the `--enable-fuzzer-target` flag, those values are also fixed. Maybe it can detect I'm using the AFL compiler?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1221#note_565398001

From gnutls-devel at lists.gnutls.org Mon May 3 09:26:46 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Mon, 03 May 2021 07:26:46 +0000
Subject: [gnutls-devel] libtasn1 | Fix homepage URL. Remove text duplicated from LICENSE. (!77)
References:
Message-ID:

Simon Josefsson created a merge request: https://gitlab.com/gnutls/libtasn1/-/merge_requests/77

Branches: tmp-fix-readme to master
Author: Simon Josefsson

This is a small typo fix.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/-/merge_requests/77

From gnutls-devel at lists.gnutls.org Mon May 3 09:52:41 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Mon, 03 May 2021 07:52:41 +0000
Subject: [gnutls-devel] GnuTLS | AFL instrumented gnutls always uses same session id and random (#1221)
In-Reply-To:
References:
Message-ID:

Issue was closed by Weiqi Wang

Issue #1221: https://gitlab.com/gnutls/gnutls/-/issues/1221

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1221

From gnutls-devel at lists.gnutls.org Mon May 3 10:27:25 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Mon, 03 May 2021 08:27:25 +0000
Subject: [gnutls-devel] GnuTLS | Implement new tls channel biding types (!1422)
In-Reply-To:
References:
Message-ID:

Ruslan Marchenko changed the draft status of merge request !1422

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1422

From gnutls-devel at lists.gnutls.org Mon May 3 11:04:44 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Mon, 03 May 2021 09:04:44 +0000
Subject: [gnutls-devel] GnuTLS | Implement new tls channel biding types (!1422)
In-Reply-To:
References:
Message-ID:

Merge request https://gitlab.com/gnutls/gnutls/-/merge_requests/1422 was reviewed by Daiki Ueno

--
Daiki Ueno started a new discussion on lib/state.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1422#note_565796530

> + > + /* preallocate 512 bits buffer as maximum supported digest */ > + rlen = 64;

Let's use `MAX_HASH_SIZE`.

--
Daiki Ueno started a new discussion on lib/state.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1422#note_565796531

> + &rlen); > + if (ret == GNUTLS_E_SHORT_MEMORY_BUFFER) { > + cb->data = gnutls_realloc (cb->data, cb->size);

Use `gnutls_realloc_fast` or temporary variable to avoid potential memleak: https://redhat-crypto.gitlab.io/defensive-coding-guide/#sect-Defensive_Coding-C-Allocators

--
Daiki Ueno started a new discussion on tests/tls-channel-binding.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1422#note_565796534

> +} > + > +void doit(void)

This is great, thank you for adding the tests!

--
Daiki Ueno started a new discussion on lib/state.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1422#note_565796537

> + if (cbtype == GNUTLS_CB_TLS_UNIQUE) { > + if (get_num_version(session) == GNUTLS_TLS1_3) > + return GNUTLS_E_UNIMPLEMENTED_FEATURE;

```suggestion:-1+0
const version_entry_st *ver = get_version(session);
if (unlikely(ver == NULL || ver->tls13_sem)) {
	return GNUTLS_E_INVALID_REQUEST;
}
```

might be a little more future-proof?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1422

From gnutls-devel at lists.gnutls.org Mon May 3 11:32:04 2021
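Review bot: in the lib/state.c hunk quoted above, the `GNUTLS_E_SHORT_MEMORY_BUFFER` branch does `cb->data = gnutls_realloc (cb->data, cb->size);`, which overwrites the only pointer to the buffer, so a failed reallocation leaks the original allocation and leaves `cb->data` NULL. Assign the result to a temporary, free the old buffer and return an allocation error when it is NULL, and store it in `cb->data` only on success.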
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Mon, 03 May 2021 09:32:04 +0000
Subject: [gnutls-devel] GnuTLS | Implement new tls channel biding types (!1422)
In-Reply-To:
References:
Message-ID:

Ruslan Marchenko commented on a discussion on lib/state.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1422#note_565821054

> gnutls_channel_binding_t cbtype, > gnutls_datum_t * cb) > { > - if (cbtype != GNUTLS_CB_TLS_UNIQUE) > - return GNUTLS_E_UNIMPLEMENTED_FEATURE; > - > if (!session->internals.initial_negotiation_completed) > return GNUTLS_E_CHANNEL_BINDING_NOT_AVAILABLE; > > - cb->size = session->internals.cb_tls_unique_len; > - cb->data = gnutls_malloc(cb->size); > - if (cb->data == NULL) > - return GNUTLS_E_MEMORY_ERROR; > + if (cbtype == GNUTLS_CB_TLS_UNIQUE) { > + if (get_num_version(session) == GNUTLS_TLS1_3) > + return GNUTLS_E_UNIMPLEMENTED_FEATURE;

I'd be glad to, but I got lost at the version enum so this was the best I could come up with. But now I remember this tls13_sem, was using it before, not sure why I stuck at the num_version. Thanks for the suggestion.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1422#note_565821054

From gnutls-devel at lists.gnutls.org Mon May 3 11:50:50 2021
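Review bot: with the `cbtype != GNUTLS_CB_TLS_UNIQUE` early return removed at the top of the lib/state.c hunk quoted above, nothing in the visible lines rejects an unrecognised `cbtype` any more. The chain that starts at `if (cbtype == GNUTLS_CB_TLS_UNIQUE) {` should end in a final branch that returns `GNUTLS_E_UNIMPLEMENTED_FEATURE`, so an unknown type cannot fall through with `cb` left unset.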
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Mon, 03 May 2021 09:50:50 +0000
Subject: [gnutls-devel] GnuTLS | Implement new tls channel biding types (!1422)
In-Reply-To:
References:
Message-ID:

Ruslan Marchenko commented on a discussion on tests/tls-channel-binding.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1422#note_565833675

> + success("binding fail: fake binding type not supported\n"); > + > + /* tls-server-end-point testing, undefined for anon and psk */ > + if (check_binding_data(client, server, GNUTLS_CB_TLS_SERVER_END_POINT, > + "tls-server-end-point", 1) == 0) > + success("binding fail: tls-server-end-point invalid for anon\n"); > + > + /* tls-exporter testing, take both sides and compare */ > + if (check_binding_data(client, server, GNUTLS_CB_TLS_EXPORTER, > + "tls-exporter", 0) == 0) > + success("binding match: tls-exporter\n"); > + > + tls_clear_peers(client, server); > +} > + > +void doit(void)

np, I put way too many assumptions/conditions there to feel comfortable without proof :)

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1422#note_565833675

From gnutls-devel at lists.gnutls.org Mon May 3 11:50:50 2021
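Review bot: in the tests/tls-channel-binding.c hunk quoted above, each `if (check_binding_data(...) == 0) success(...)` has no failing branch, so a non-zero return only skips the message and the test carries on to `tls_clear_peers`. Unless `check_binding_data` reports the failure itself (not visible in the quoted lines), add an explicit failure branch for the `tls-server-end-point` and `tls-exporter` cases so a mismatch fails the test.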
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Mon, 03 May 2021 09:50:50 +0000
Subject: [gnutls-devel] GnuTLS | Implement new tls channel biding types (!1422)
In-Reply-To:
References:
Message-ID:

All discussions on merge request !1422 were resolved by Ruslan Marchenko

https://gitlab.com/gnutls/gnutls/-/merge_requests/1422

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1422

From gnutls-devel at lists.gnutls.org Mon May 3 12:54:43 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Mon, 03 May 2021 10:54:43 +0000
Subject: [gnutls-devel] GnuTLS | Implement new tls channel biding types (!1422)
In-Reply-To:
References:
Message-ID:

Merge request !1422 was approved by Daiki Ueno

Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1422
Project:Branches: rufferson/gnutls:tlsv1.3-cb to gnutls/gnutls:master
Author: Ruslan Marchenko
Assignees:
Reviewers:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1422

From gnutls-devel at lists.gnutls.org Mon May 3 12:54:45 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Mon, 03 May 2021 10:54:45 +0000
Subject: [gnutls-devel] GnuTLS | Implement new tls channel biding types (!1422)
In-Reply-To:
References:
Message-ID:

Merge request !1422 was scheduled to merge after pipeline succeeds by Daiki Ueno

Merge request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1422
Project:Branches: rufferson/gnutls:tlsv1.3-cb to gnutls/gnutls:master
Author: Ruslan Marchenko
Assignees:
Reviewers:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1422

From gnutls-devel at lists.gnutls.org Mon May 3 14:33:14 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Mon, 03 May 2021 12:33:14 +0000
Subject: [gnutls-devel] GnuTLS | Implement new tls channel biding types (!1422)
In-Reply-To:
References:
Message-ID:

Merge request !1422 was merged

Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1422
Project:Branches: rufferson/gnutls:tlsv1.3-cb to gnutls/gnutls:master
Author: Ruslan Marchenko
Assignees:
Reviewers:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1422

From gnutls-devel at lists.gnutls.org Mon May 3 14:33:14 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Mon, 03 May 2021 12:33:14 +0000
Subject: [gnutls-devel] GnuTLS | Implement channel bindings for TLS 1.3 (#1214)
In-Reply-To:
References:
Message-ID:

Issue was closed by Daiki Ueno via merge request !1422 (https://gitlab.com/gnutls/gnutls/-/merge_requests/1422)

Issue #1214: https://gitlab.com/gnutls/gnutls/-/issues/1214

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1214

From gnutls-devel at lists.gnutls.org Mon May 3 14:33:14 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Mon, 03 May 2021 12:33:14 +0000
Subject: [gnutls-devel] GnuTLS | gnutls_session_channel_binding returns empty binding data for TLS1.3 (#1041)
In-Reply-To:
References:
Message-ID:

Issue was closed by Daiki Ueno via merge request !1422 (https://gitlab.com/gnutls/gnutls/-/merge_requests/1422)

Issue #1041: https://gitlab.com/gnutls/gnutls/-/issues/1041

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1041

From gnutls-devel at lists.gnutls.org Mon May 3 16:50:50 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Mon, 03 May 2021 14:50:50 +0000
Subject: [gnutls-devel] GnuTLS | x509/verify: treat SHA-1 signed CA in the trusted set differently (!1423)
References:
Message-ID:

Daiki Ueno created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1423

Project:Branches: dueno/gnutls:wip/dueno/trusted-ca-sha1 to gnutls/gnutls:master
Author: Daiki Ueno

Fixes: #1202

## Checklist

* [x] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [ ] Code modified for feature
* [x] Test suite updated with functionality tests
* [x] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
* [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:

* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1423

From gnutls-devel at lists.gnutls.org Mon May 3 16:55:37 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Mon, 03 May 2021 14:55:37 +0000
Subject: [gnutls-devel] GnuTLS | SHA-1 root CA is rejected when %PROFILE_MEDIUM is set (#1202)
In-Reply-To:
References:
Message-ID:

Daiki Ueno commented:

I took a closer look and realized that the reproducer is a bit special: that is, the last certificate in the chain is an intermediate CA, but there is also another CA in the system trust store, which shares the same key and the DN (Certum Trusted Network CA) but uses SHA-1 for the signature.

!1423 would cover this case, but I am not sure if we need a new flag.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1202#note_566098242

From gnutls-devel at lists.gnutls.org Mon May 3 17:11:30 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Mon, 03 May 2021 15:11:30 +0000
Subject: [gnutls-devel] GnuTLS | Early data issues in QUIC use (#1216)
In-Reply-To:
References:
Message-ID:

Reassigned Issue 1216

https://gitlab.com/gnutls/gnutls/-/issues/1216

Assignee changed to Daiki Ueno

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1216

From gnutls-devel at lists.gnutls.org Mon May 3 17:11:39 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Mon, 03 May 2021 15:11:39 +0000
Subject: [gnutls-devel] GnuTLS | SHA-1 root CA is rejected when %PROFILE_MEDIUM is set (#1202)
In-Reply-To:
References:
Message-ID:

Reassigned Issue 1202

https://gitlab.com/gnutls/gnutls/-/issues/1202

Assignee changed to Daiki Ueno

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1202

From gnutls-devel at lists.gnutls.org Mon May 3 17:12:32 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Mon, 03 May 2021 15:12:32 +0000
Subject: [gnutls-devel] GnuTLS | gnutls_session_channel_binding returns empty binding data for TLS1.3 (#1041)
In-Reply-To:
References:
Message-ID:

Milestone changed to Release of GnuTLS 3.7.2 release ( https://gitlab.com/gnutls/gnutls/-/milestones/31 )

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1041

From gnutls-devel at lists.gnutls.org Mon May 3 17:12:39 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Mon, 03 May 2021 15:12:39 +0000
Subject: [gnutls-devel] GnuTLS | gnutls_session_channel_binding returns empty binding data for TLS1.3 (#1041)
In-Reply-To:
References:
Message-ID:

Reassigned Issue 1041

https://gitlab.com/gnutls/gnutls/-/issues/1041

Assignee changed to Ruslan Marchenko

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1041

From gnutls-devel at lists.gnutls.org Mon May 3 17:12:52 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Mon, 03 May 2021 15:12:52 +0000
Subject: [gnutls-devel] GnuTLS | Implement channel bindings for TLS 1.3 (#1214)
In-Reply-To:
References:
Message-ID:

Milestone changed to Release of GnuTLS 3.7.2 release ( https://gitlab.com/gnutls/gnutls/-/milestones/31 )

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1214

From gnutls-devel at lists.gnutls.org Mon May 3 17:19:28 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Mon, 03 May 2021 15:19:28 +0000
Subject: [gnutls-devel] GnuTLS | SHA-1 root CA is rejected when %PROFILE_MEDIUM is set (#1202)
In-Reply-To:
References:
Message-ID:

Jacek commented:

> here is also another CA in the system trust store, which shares the same key and the DN (Certum Trusted Network CA) but uses SHA-1

That is precisely the case. If such certs are immediately trusted, even if they contain SHA-1 signature, then my case is handled - no flag is needed.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1202#note_566117295

From gnutls-devel at lists.gnutls.org Mon May 3 17:30:11 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Mon, 03 May 2021 15:30:11 +0000
Subject: [gnutls-devel] GnuTLS | global: rename GNUTLS_NO_EXPLICIT_INIT to GNUTLS_NO_IMPLICIT_INIT (!1424)
References:
Message-ID:

Daiki Ueno created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1424

Project:Branches: dueno/gnutls:wip/dueno/implicit-init to gnutls/gnutls:master
Author: Daiki Ueno

Fixes: #1178

## Checklist

* [x] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [ ] Code modified for feature
* [ ] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [x] Documentation updated / NEWS entry present (for non-trivial changes)
* [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:

* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1424

From gnutls-devel at lists.gnutls.org Mon May 3 17:30:40 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Mon, 03 May 2021 15:30:40 +0000
Subject: [gnutls-devel] GnuTLS | GNUTLS_NO_EXPLICIT_INIT should be named GNUTLS_NO_IMPLICIT_INIT (#1178)
In-Reply-To:
References:
Message-ID:

Reassigned Issue 1178

https://gitlab.com/gnutls/gnutls/-/issues/1178

Assignee changed to Daiki Ueno

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1178

From gnutls-devel at lists.gnutls.org Mon May 3 18:41:16 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Mon, 03 May 2021 16:41:16 +0000
Subject: [gnutls-devel] libtasn1 | Fix homepage URL. Remove text duplicated from LICENSE. (!77)
In-Reply-To:
References:
Message-ID:

Merge request !77 was approved by Andreas Metzler

Merge request URL: https://gitlab.com/gnutls/libtasn1/-/merge_requests/77
Branches: tmp-fix-readme to master
Author: Simon Josefsson
Assignees:
Reviewers:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/-/merge_requests/77

From gnutls-devel at lists.gnutls.org Mon May 3 18:41:26 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Mon, 03 May 2021 16:41:26 +0000
Subject: [gnutls-devel] libtasn1 | Fix homepage URL. Remove text duplicated from LICENSE. (!77)
In-Reply-To:
References:
Message-ID:

Merge request !77 was merged

Merge request URL: https://gitlab.com/gnutls/libtasn1/-/merge_requests/77
Branches: tmp-fix-readme to master
Author: Simon Josefsson
Assignees:
Reviewers:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/-/merge_requests/77

From gnutls-devel at lists.gnutls.org Mon May 3 21:02:50 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Mon, 03 May 2021 19:02:50 +0000
Subject: [gnutls-devel] GnuTLS | DNS name matching for name constraints is case-sensitive (#1223)
References:
Message-ID:

Robert Suska created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1223

## Description of problem:

I've noticed that when GnuTLS checks name constraints during validation of X.509 certificates, it performs a case-sensitive matching on DNS names. I think this is a bug, since [RFC 5280](https://www.rfc-editor.org/rfc/rfc5280.txt) (article 7.2) says _"When evaluating name constraints, conforming implementations MUST perform a case-insensitive exact match on a label-by-label basis."_.

## Version of gnutls used:

3.6.14

## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)

RHEL 8.3

## How reproducible:

[example_chain.zip](/uploads/fb73fc696d5db4bf969a6e7556c5046d/example_chain.zip) contains three certificates, where _root_ca.pem_ specifies a single name constraint:

```
X509v3 Name Constraints: critical Permitted: DNS:example.com
```

_server_ok.pem_ has an alternative name:

```
X509v3 Subject Alternative Name: DNS:test.example.com
```

_server_error.pem_ has an alternative name:

```
X509v3 Subject Alternative Name: DNS:test.EXAMPLE.COM
```

and the following two commands need to be run:

```
certtool --load-ca-certificate root_ca.pem --verify-profile low --verify --infile server_ok.pem
```

```
certtool --load-ca-certificate root_ca.pem --verify-profile low --verify --infile server_error.pem
```

## Actual results:

The validation result for the first chain (with _server_ok.pem_) is

```
Chain verification output: Verified. The certificate is trusted.
```

while the validation result for the second chain (with _server_error.pem_) is

```
Chain verification output: Not verified. The certificate is NOT trusted. The certificate chain violates the signer's constraints.
``` ## Expected results: It would be expected that both chains are validated successfully. ## Note: For reference, I've also included a [real_world_example_chain.zip](/uploads/8dd73b9f217b6f3539a8b21fd9919835/real_world_example_chain.zip). -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1223 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue May 4 10:57:48 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 04 May 2021 08:57:48 +0000 Subject: [gnutls-devel] GnuTLS | SHA-1 root CA is rejected when %PROFILE_MEDIUM is set (#1202) In-Reply-To: References: Message-ID: Daiki Ueno commented on a discussion: https://gitlab.com/gnutls/gnutls/-/issues/1202#note_566737250 That makes sense; in the MR I've removed the `%VERIFY_ALLOW_SIGN_WITH_SHA` requirement when the cert is trusted. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1202#note_566737250 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue May 4 10:58:06 2021 
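Added example (not part of the thread and not GnuTLS code): the RFC 5280 rule quoted in issue #1223 above, written as a label-by-label dNSName constraint check. The function names and the `fold_case` switch are assumptions of this sketch; with `fold_case` set to 0 it gives the case-sensitive outcome the report describes, and empty labels are treated as a mismatch.

```c
#include <stdio.h>
#include <string.h>

/* ASCII-only folding: tolower() depends on the process locale, which a
 * certificate check must not. */
static unsigned char fold(unsigned char c, int fold_case)
{
    if (fold_case && c >= 'A' && c <= 'Z')
        return (unsigned char)(c - 'A' + 'a');
    return c;
}

/* Exact match of two labels; case-insensitive when fold_case is non-zero. */
static int label_eq(const char *a, size_t alen,
                    const char *b, size_t blen, int fold_case)
{
    size_t i;

    if (alen != blen)
        return 0;
    for (i = 0; i < alen; i++) {
        if (fold((unsigned char)a[i], fold_case) !=
            fold((unsigned char)b[i], fold_case))
            return 0;
    }
    return 1;
}

/* Locate the rightmost label of s[0..len): stores its offset in *start
 * and returns its length (0 for an empty label). */
static size_t last_label(const char *s, size_t len, size_t *start)
{
    size_t i = len;

    while (i > 0 && s[i - 1] != '.')
        i--;
    *start = i;
    return len - i;
}

/* Returns 1 when `name` equals `constraint` or extends it with extra labels
 * on the left. Labels are compared whole, from the right, so a plain suffix
 * such as "badexample.com" does not satisfy "example.com". */
int dns_name_in_constraint(const char *name, const char *constraint,
                           int fold_case)
{
    size_t nlen = strlen(name), clen = strlen(constraint);

    for (;;) {
        size_t ns, cs;
        size_t nl = last_label(name, nlen, &ns);
        size_t cl = last_label(constraint, clen, &cs);

        /* An empty label on either side never matches in this sketch. */
        if (cl == 0 || !label_eq(name + ns, nl, constraint + cs, cl, fold_case))
            return 0;
        if (cs == 0)
            return 1;   /* constraint exhausted, all its labels matched */
        if (ns == 0)
            return 0;   /* name has fewer labels than the constraint */
        nlen = ns - 1;  /* drop the matched label and its separating dot */
        clen = cs - 1;
    }
}

int main(void)
{
    /* Names from the report plus one constructed near-miss. */
    static const char *names[] = {
        "test.example.com", "test.EXAMPLE.COM", "badexample.com"
    };
    size_t i;

    for (i = 0; i < sizeof(names) / sizeof(names[0]); i++)
        printf("%-18s case-sensitive=%d case-insensitive=%d\n", names[i],
               dns_name_in_constraint(names[i], "example.com", 0),
               dns_name_in_constraint(names[i], "example.com", 1));
    return 0;
}
```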
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 04 May 2021 08:58:06 +0000 Subject: [gnutls-devel] GnuTLS | global: rename GNUTLS_NO_EXPLICIT_INIT to GNUTLS_NO_IMPLICIT_INIT (!1424) In-Reply-To: References: Message-ID: Merge request !1424 was merged Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1424 Project:Branches: dueno/gnutls:wip/dueno/implicit-init to gnutls/gnutls:master Author: Daiki Ueno Assignees: Reviewers: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1424 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue May 4 10:58:06 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 04 May 2021 08:58:06 +0000 Subject: [gnutls-devel] GnuTLS | GNUTLS_NO_EXPLICIT_INIT should be named GNUTLS_NO_IMPLICIT_INIT (#1178) In-Reply-To: References: Message-ID: Issue was closed by Daiki Ueno via merge request !1424 (https://gitlab.com/gnutls/gnutls/-/merge_requests/1424) Issue #1178: https://gitlab.com/gnutls/gnutls/-/issues/1178 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1178 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue May 4 15:10:34 2021 
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 04 May 2021 13:10:34 +0000 Subject: [gnutls-devel] GnuTLS | x509/verify: treat SHA-1 signed CA in the trusted set differently (!1423) In-Reply-To: References: Message-ID: Merge request !1423 was approved by Alexander Sosedkin Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1423 Project:Branches: dueno/gnutls:wip/dueno/trusted-ca-sha1 to gnutls/gnutls:master Author: Daiki Ueno Assignees: Reviewers: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1423 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue May 4 15:10:37 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 04 May 2021 13:10:37 +0000 Subject: [gnutls-devel] GnuTLS | x509/verify: treat SHA-1 signed CA in the trusted set differently (!1423) In-Reply-To: References: Message-ID: Merge request https://gitlab.com/gnutls/gnutls/-/merge_requests/1423 was reviewed by Alexander Sosedkin -- Alexander Sosedkin started a new discussion on lib/x509/verify.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1423#note_566965924 > + return gnutls_assert_val(0); \ > + } \ > + if (se->hash == GNUTLS_DIG_UNKNOWN) { \ Previous condition has `unlikely`, this one might benefit too. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1423 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue May 4 15:12:55 2021 
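Review bot: in the first quoted line, `return gnutls_assert_val(0);` sits inside a backslash-continued macro body, so every place the macro is expanded gets an early return that is not visible at the call site. A short comment at the macro definition saying that it can return from the enclosing function, or a static helper whose result the caller checks, would make that control flow explicit.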
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 04 May 2021 13:12:55 +0000 Subject: [gnutls-devel] GnuTLS | x509/verify: treat SHA-1 signed CA in the trusted set differently (!1423) In-Reply-To: References: Message-ID: Alexander Sosedkin commented: Changes look good to me. Not sure what would that incur on the documentation side. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1423#note_566968273 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue May 4 16:55:56 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 04 May 2021 14:55:56 +0000 Subject: [gnutls-devel] GnuTLS | x509/verify: treat SHA-1 signed CA in the trusted set differently (!1423) In-Reply-To: References: Message-ID: Merge request !1423 was scheduled to merge after pipeline succeeds by Daiki Ueno Merge request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1423 Project:Branches: dueno/gnutls:wip/dueno/trusted-ca-sha1 to gnutls/gnutls:master Author: Daiki Ueno Assignees: Reviewers: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1423 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue May 4 16:55:46 2021 
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 04 May 2021 14:55:46 +0000 Subject: [gnutls-devel] GnuTLS | x509/verify: treat SHA-1 signed CA in the trusted set differently (!1423) In-Reply-To: References: Message-ID: All discussions on merge request !1423 were resolved by Daiki Ueno https://gitlab.com/gnutls/gnutls/-/merge_requests/1423 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1423 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue May 4 16:56:05 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 04 May 2021 14:56:05 +0000 Subject: [gnutls-devel] GnuTLS | x509/verify: treat SHA-1 signed CA in the trusted set differently (!1423) In-Reply-To: References: Message-ID: Daiki Ueno commented: Thanks for the review! -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1423#note_567068501 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue May 4 18:33:11 2021 
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 04 May 2021 16:33:11 +0000 Subject: [gnutls-devel] GnuTLS | global: rename GNUTLS_NO_EXPLICIT_INIT to GNUTLS_NO_IMPLICIT_INIT (!1424) In-Reply-To: References: Message-ID: Daniel Kahn Gillmor commented: Thanks for taking care of this, @dueno! -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1424#note_567150873 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue May 4 20:45:06 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 04 May 2021 18:45:06 +0000 Subject: [gnutls-devel] GnuTLS | SHA-1 root CA is rejected when %PROFILE_MEDIUM is set (#1202) In-Reply-To: References: Message-ID: Issue was closed by Daiki Ueno via merge request !1423 (https://gitlab.com/gnutls/gnutls/-/merge_requests/1423) Issue #1202: https://gitlab.com/gnutls/gnutls/-/issues/1202 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1202 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue May 4 20:45:06 2021 
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 04 May 2021 18:45:06 +0000 Subject: [gnutls-devel] GnuTLS | x509/verify: treat SHA-1 signed CA in the trusted set differently (!1423) In-Reply-To: References: Message-ID: Merge request !1423 was merged Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1423 Project:Branches: dueno/gnutls:wip/dueno/trusted-ca-sha1 to gnutls/gnutls:master Author: Daiki Ueno Assignees: Reviewers: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1423 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue May 4 21:17:44 2021 
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Tue, 04 May 2021 19:17:44 +0000
Subject: [gnutls-devel] GnuTLS | certtool: Align warning about --provable with actual code (!1425)
References:
Message-ID:

Daniel Kahn Gillmor created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1425

Project:Branches: dkg/gnutls:fix-provable-constraints to gnutls/gnutls:master
Author: Daniel Kahn Gillmor

If I try to generate an ed25519 key, it is *not* an ECDSA key. But I see this warning:

    0 dkg at host:~$ certtool --generate-privkey --provable --key-type ed25519
    Generating a 256 bit EdDSA (Ed25519) private key ...
    The --provable parameter cannot be used with ECDSA keys.
    1 dkg at host:~$

Looking at the code and documentation, it's clear that --provable only works for RSA and DSA. This fix aligns the warning message with the underlying mechanism.

## Checklist

* [x] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [x] Code modified for feature
* [ ] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
* [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:

* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1425

From gnutls-devel at lists.gnutls.org Wed May 5 08:04:38 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 05 May 2021 06:04:38 +0000 Subject: [gnutls-devel] GnuTLS | certtool: Align warning about --provable with actual code (!1425) In-Reply-To: References: Message-ID: Merge request !1425 was merged Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1425 Project:Branches: dkg/gnutls:fix-provable-constraints to gnutls/gnutls:master Author: Daniel Kahn Gillmor Assignees: Reviewers: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1425 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed May 5 08:04:33 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 05 May 2021 06:04:33 +0000 Subject: [gnutls-devel] GnuTLS | certtool: Align warning about --provable with actual code (!1425) In-Reply-To: References: Message-ID: Merge request !1425 was approved by Daiki Ueno Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1425 Project:Branches: dkg/gnutls:fix-provable-constraints to gnutls/gnutls:master Author: Daniel Kahn Gillmor Assignees: Reviewers: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1425 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed May 5 08:04:43 2021 
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 05 May 2021 06:04:43 +0000 Subject: [gnutls-devel] GnuTLS | certtool: Align warning about --provable with actual code (!1425) In-Reply-To: References: Message-ID: Daiki Ueno commented: Thank you! -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1425#note_567524238 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed May 5 09:40:55 2021 
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Wed, 05 May 2021 07:40:55 +0000
Subject: [gnutls-devel] GnuTLS | GnuTLS sends record_overflow when client message is within the length limit (#1224)
References:
Message-ID:

Weiqi Wang created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1224

## Description of problem:

GnuTLS sends record_overflow alert for a malformed client message. However, the client message ```\xe8\x03\x00\x00\x02\x02\x50``` has a valid length. From my understanding:

- \xe8 is type
- \x03\x00 is version
- \x00\x02 is length (2 bytes)
- \x02\x50 has a length of 2 bytes which corresponds with the length field

Since the type is invalid, I think an unexpected_message alert is more appropriate in this case.

As per [RFC 5246](https://tools.ietf.org/html/rfc5246)

>record_overflow
>
>A TLSCiphertext record was received that had a length more than
>2^14+2048 bytes, or a record decrypted to a TLSCompressed record
>with more than 2^14+1024 bytes.

>unexpected_message
>
>An inappropriate message was received. This alert is always fatal
>and should never be observed in communication between proper
>implementations.

## Version of gnutls used:

GnuTLS 3.7.0 commit 7e44152fd4076afb0b64ed311fd092669e71fa1e

## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)

Ubuntu 18.04

## How reproducible:

Steps to Reproduce:

```
gnutls-serv --priority NORMAL:-VERS-ALL:+VERS-TLS1.2:-COMP-ALL:+COMP-NONE --x509keyfile /path/to/key.pem --x509certfile /path/to/cert.pem -p 44331 --noticket -a --http
```

```
echo -n -e "\xe8\x03\x00\x00\x02\x02\x50" | nc 127.0.0.1 44331
```

## Actual results:

Gnutls sends record_overflow alert. The capture file is attached.

## Expected results:

Send unexpected_message alert.

## Attachments:

[gnutls_capture.pcap](/uploads/9dc498a6f7924b71ead448fc9ad4cfef/gnutls_capture.pcap)

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1224

From gnutls-devel at lists.gnutls.org Wed May 5 11:30:30 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Wed, 05 May 2021 09:30:30 +0000
Subject: [gnutls-devel] GnuTLS | GnuTLS sends record_overflow when client message is within the length limit (#1224)
In-Reply-To:
References:
Message-ID:

Daiki Ueno commented:

Because the `type` field is invalid, GnuTLS treats it as an SSLv2 Client Hello as described in: https://tools.ietf.org/html/rfc5246#appendix-E.2

In that format, length is calculated as `((0xe8 & 0x7f) << 8) | 0x03`, which exceeds the record size limit.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1224#note_567701623

From gnutls-devel at lists.gnutls.org Wed May 5 12:47:17 2021
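Added example (not part of the thread and not GnuTLS source): the two readings of the seven bytes from issue #1224, side by side, showing why the same input yields a length of 2 under the TLS record layout and an over-limit length under the SSLv2 layout from the comment above. The content-type range 20..23, the rule that an unknown type with the high bit set is read as an SSLv2 header, and all function names are assumptions of this sketch.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Upper bound on TLSCiphertext length quoted from RFC 5246 in the report. */
#define MAX_CIPHERTEXT_LEN ((1u << 14) + 2048u)

enum hdr_kind { HDR_TLS, HDR_SSLV2 };

struct hdr_info {
    enum hdr_kind kind;   /* which header layout was applied */
    unsigned length;      /* record length under that layout */
    int overflow;         /* 1 when length exceeds MAX_CIPHERTEXT_LEN */
};

/* The seven bytes sent in the report. */
static const uint8_t REPORTED_MSG[7] = {
    0xe8, 0x03, 0x00, 0x00, 0x02, 0x02, 0x50
};

/* TLS layout: type(1) version(2) length(2), length is big-endian. */
unsigned tls_length_field(const uint8_t *buf)
{
    return ((unsigned)buf[3] << 8) | buf[4];
}

/* SSLv2 two-byte header: high bit set, remaining 15 bits are the length. */
unsigned sslv2_length_field(const uint8_t *buf)
{
    return ((unsigned)(buf[0] & 0x7f) << 8) | buf[1];
}

/* change_cipher_spec(20), alert(21), handshake(22), application_data(23) */
static int is_tls_content_type(uint8_t t)
{
    return t >= 20 && t <= 23;
}

/* Returns 0 and fills *out, or -1 when the bytes fit neither layout. */
int classify_record_header(const uint8_t *buf, size_t n, struct hdr_info *out)
{
    if (n < 5)
        return -1;                       /* a TLS header needs 5 bytes */

    if (is_tls_content_type(buf[0])) {
        out->kind = HDR_TLS;
        out->length = tls_length_field(buf);
    } else if (buf[0] & 0x80) {
        out->kind = HDR_SSLV2;           /* fallback described in the reply */
        out->length = sslv2_length_field(buf);
    } else {
        return -1;
    }
    out->overflow = out->length > MAX_CIPHERTEXT_LEN;
    return 0;
}

int main(void)
{
    struct hdr_info h;

    printf("TLS reading:   length=%u\n", tls_length_field(REPORTED_MSG));
    if (classify_record_header(REPORTED_MSG, sizeof(REPORTED_MSG), &h) == 0)
        printf("applied: %s, length=%u, limit=%u, overflow=%d\n",
               h.kind == HDR_SSLV2 ? "SSLv2" : "TLS",
               h.length, MAX_CIPHERTEXT_LEN, h.overflow);
    return 0;
}
```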
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 05 May 2021 10:47:17 +0000 Subject: [gnutls-devel] GnuTLS | GnuTLS sends record_overflow when client message is within the length limit (#1224) In-Reply-To: References: Message-ID: Weiqi Wang commented on a discussion: https://gitlab.com/gnutls/gnutls/-/issues/1224#note_567777629 Thanks for your reply. But gnutls-serv is configured as using TLS1.2 only. So I think it should parse the message according to the TLS1.2 format. And since the type is invalid, an unexpected message should be returned. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1224#note_567777629 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed May 5 12:56:52 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 05 May 2021 10:56:52 +0000 Subject: [gnutls-devel] GnuTLS | GnuTLS sends record_overflow when client message is within the length limit (#1224) In-Reply-To: References: Message-ID: Weiqi Wang commented on a discussion: https://gitlab.com/gnutls/gnutls/-/issues/1224#note_567785955 Thanks for your reply. It's very helpful. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1224#note_567785955 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed May 5 13:16:12 2021 
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 05 May 2021 11:16:12 +0000 Subject: [gnutls-devel] GnuTLS | GnuTLS sends record_overflow when client message is within the length limit (#1224) In-Reply-To: References: Message-ID: Issue was closed by Weiqi Wang Issue #1224: https://gitlab.com/gnutls/gnutls/-/issues/1224 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1224 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed May 5 23:51:55 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 05 May 2021 21:51:55 +0000 Subject: [gnutls-devel] GnuTLS | guile: Writes to record ports handle EAGAIN/EINTR transparently. (!1417) In-Reply-To: References: Message-ID: civodul commented: Hey @dueno. Let me know if there's anything I should look at so we can close this issue. Thanks in advance! -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1417#note_568339360 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu May 6 00:09:06 2021 
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 05 May 2021 22:09:06 +0000 Subject: [gnutls-devel] GnuTLS | spelling: The possessive pronoun "its" has no apostrophe. (!1426) References: Message-ID: Daniel Kahn Gillmor created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1426 Project:Branches: dkg/gnutls:its-spelling to gnutls/gnutls:master Author: Daniel Kahn Gillmor This is a trivial spelling cleanup. "it's" is for contractions like "it is" or "it has". "its" is a possessive pronoun, like "his" or "hers" or "theirs", none of which have an apostrophe in them either. ## Checklist * [x] Commits have `Signed-off-by:` with name/author being identical to the commit author * [x] Code modified for feature * [ ] Test suite updated with functionality tests * [ ] Test suite updated with negative tests * [ ] Documentation updated / NEWS entry present (for non-trivial changes) * [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout) ## Reviewer's checklist: * [ ] Any issues marked for closing are addressed * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md` * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1426 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu May 6 00:31:45 2021 
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Wed, 05 May 2021 22:31:45 +0000
Subject: [gnutls-devel] GnuTLS | certtool automatically applies "digital signature" usage flag for EdDSA and other certificates (#1227)
References:
Message-ID:

Daniel Kahn Gillmor created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1227

the relevant bits of `generate_certificate()` in `src/certtool.c` say:

```c
    if (!ca_status || server) {
        if (pk == GNUTLS_PK_RSA ||
            pk == GNUTLS_PK_GOST_01 ||
            pk == GNUTLS_PK_GOST_12_256 ||
            pk == GNUTLS_PK_GOST_12_512) {
            /* DSA and ECDSA keys can only sign. */
            result = get_sign_status(server);
            if (result)
                usage |= GNUTLS_KEY_DIGITAL_SIGNATURE;

            result = get_encrypt_status(server);
            if (result)
                usage |= GNUTLS_KEY_KEY_ENCIPHERMENT;
        } else {
            usage |= GNUTLS_KEY_DIGITAL_SIGNATURE;
        }
```

This suggests that as long as the generated certificate is not a CA, and it is not one of the selected algorithms, it *must* have the "digital signature" flag set in its usage field.

But [rfc 8410](https://www.rfc-editor.org/rfc/rfc8410#section-5) suggests, for example, that an end-entity certificate using Ed25519 with only the "non-repudiation" usage set should be acceptable.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1227

From gnutls-devel at lists.gnutls.org Thu May 6 04:41:04 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Thu, 06 May 2021 02:41:04 +0000
Subject: [gnutls-devel] GnuTLS | error: initializer element is not a compile-time constant (#1228)
References:
Message-ID:

Rosen Penev created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1228

## Version of gnutls used:

3.7.1

## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)

MSYS2

## How reproducible:

Always

I tried changing the void cast to add const but doesn't work.

```
../../../gnutls-3.7.1/lib/algorithms/groups.c:140:12: error: initializer element is not a compile-time constant
 .prime = &gnutls_ffdhe_2048_group_prime,
```

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1228

From gnutls-devel at lists.gnutls.org Thu May 6 09:10:33 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Thu, 06 May 2021 07:10:33 +0000
Subject: [gnutls-devel] GnuTLS | spelling: The possessive pronoun "its" has no apostrophe. (!1426)
In-Reply-To:
References:
Message-ID:

Merge request !1426 was approved by Daiki Ueno

Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1426
Project:Branches: dkg/gnutls:its-spelling to gnutls/gnutls:master
Author: Daniel Kahn Gillmor
Assignees:
Reviewers:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1426

From gnutls-devel at lists.gnutls.org Thu May 6 09:10:52 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Thu, 06 May 2021 07:10:52 +0000 Subject: [gnutls-devel] GnuTLS | spelling: The possessive pronoun "its" has no apostrophe. (!1426) In-Reply-To: References: Message-ID: Daiki Ueno commented: Thank you! -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1426#note_568508576 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu May 6 09:10:44 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Thu, 06 May 2021 07:10:44 +0000 Subject: [gnutls-devel] GnuTLS | spelling: The possessive pronoun "its" has no apostrophe. (!1426) In-Reply-To: References: Message-ID: Merge request !1426 was merged Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1426 Project:Branches: dkg/gnutls:its-spelling to gnutls/gnutls:master Author: Daniel Kahn Gillmor Assignees: Reviewers: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1426 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu May 6 10:46:39 2021 
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Thu, 06 May 2021 08:46:39 +0000
Subject: [gnutls-devel] GnuTLS | RFE: RFC8773 PSK + Certificate auth (#1229)
References:
Message-ID:

David Woodhouse created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1229

## Description of the feature:

https://www.rfc-editor.org/rfc/rfc8773.html

For quantum resistance we want to be able to mix a PSK into the Master Secret derivation in *addition* to the normal certificate authentication and DH key exchange.

## Applications that this feature may be relevant to:

https://gitlab.com/openconnect/ocserv/-/issues/411

## Is this feature implemented in other libraries (and which)

Not afaict.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1229

From gnutls-devel at lists.gnutls.org Thu May 6 15:51:25 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Thu, 06 May 2021 13:51:25 +0000 Subject: [gnutls-devel] GnuTLS | WIP: priority: support allowlisting in configuration file (!1427) References: Message-ID: Daiki Ueno created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1427 Project:Branches: dueno/gnutls:wip/dueno/config-allowlisting to gnutls/gnutls:master Author: Daiki Ueno Fixes: #1172 ## Checklist * [x] Commits have `Signed-off-by:` with name/author being identical to the commit author * [ ] Code modified for feature * [x] Test suite updated with functionality tests * [ ] Test suite updated with negative tests * [x] Documentation updated / NEWS entry present (for non-trivial changes) * [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout) ## Reviewer's checklist: * [ ] Any issues marked for closing are addressed * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md` * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1427 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri May 7 04:54:48 2021 
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Fri, 07 May 2021 02:54:48 +0000
Subject: [gnutls-devel] GnuTLS | GnuTLS sends protocol_version alert when client message contains unrecognized version (#1230)
References:
Message-ID:

Weiqi Wang created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1230

## Description:

The client sends a message with type alert (\x15) and invalid version number (\x83\x01). GnuTLS responds with protocol_version alert.

At terminal, GnuTLS server prints ```Error in handshake: A packet with illegal or unsupported version was received```, thus I think the illegal and unsupported version are handled in the same way. However this doesn't seem to conform to RFC 5246.

As per RFC 5246, the protocol version is defined as "recognized but not supported". Since the version used by client is \x83\x01, I think it should be interpreted as "not recognized". RFC 5246 also states that server MUST accept any value {03,XX} as record layer version. Combining the two requirements together, I think the logic should be

```
If the record version is {03,XX} {
    server accepts it
    If the actual version is not supported {
        send protocol_version alert
    }
}
Else (the major version is not 03) {
    the server shouldn't complain. //Because the version is not recognized, which means it's not the case of protocol_version alert.
}
```

>protocol_version
>
>The protocol version the client has attempted to negotiate is
>recognized but not supported. (For example, old protocol versions
>might be avoided for security reasons.)

>Earlier versions of the TLS specification were not fully clear on what the record layer version number (TLSPlaintext.version) should contain when sending ClientHello (i.e., before it is known which version of the protocol will be employed). Thus, TLS servers compliant with this specification MUST accept any value {03,XX} as the record layer version number for ClientHello.

## Version of gnutls used:

GnuTLS 3.7.0 commit 7e44152fd4076afb0b64ed311fd092669e71fa1e

## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)

Ubuntu 18.04

## How reproducible:

Steps to Reproduce:

```
gnutls-serv --priority NORMAL:-VERS-ALL:+VERS-TLS1.2:-COMP-ALL:+COMP-NONE --x509keyfile /path/to/key.pem --x509certfile /path/to/cert.pem -p 44331 --noticket -a --http
```

```
echo -n -e "\x15\x83\x01\x00\x02\x02\x50" | nc 127.0.0.1 44331
```

## Actual results:

GnuTLS sends protocol_version alert. The capture file is attached.

## Expected results:

Not send protocol_version alert. Besides, in this specific case, I'm not sure whether unexpected_message should be sent since the server is expecting client hello but got an alert.

## Attachments:

[gnutls_capture.pcap](/uploads/a58572b74253a93995591280e3b72a75/gnutls_capture.pcap)

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1230

From gnutls-devel at lists.gnutls.org Fri May 7 16:08:51 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Fri, 07 May 2021 14:08:51 +0000
Subject: [gnutls-devel] libtasn1 | Update gnulib files. (!78)
References:
Message-ID:

Simon Josefsson created a merge request: https://gitlab.com/gnutls/libtasn1/-/merge_requests/78

Branches: tmp-update-gnulib to master
Author: Simon Josefsson

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/-/merge_requests/78

From gnutls-devel at lists.gnutls.org Fri May 7 16:09:05 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 07 May 2021 14:09:05 +0000 Subject: [gnutls-devel] libtasn1 | Update gnulib files. (!78) In-Reply-To: References: Message-ID: Merge request !78 was merged Merge request URL: https://gitlab.com/gnutls/libtasn1/-/merge_requests/78 Branches: tmp-update-gnulib to master Author: Simon Josefsson Assignees: Reviewers: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/-/merge_requests/78 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri May 7 16:20:34 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 07 May 2021 14:20:34 +0000 Subject: [gnutls-devel] libtasn1 | Errors when cloning the repository. (#29) In-Reply-To: References: Message-ID: Simon Josefsson commented: I can't reproduce it either. Which OS are you using, and which version of git? Any particular way it was installed? I'm inclined to close this report if nobody can reproduce it. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/-/issues/29#note_569933586 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri May 7 17:00:44 2021 
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Fri, 07 May 2021 15:00:44 +0000
Subject: [gnutls-devel] libtasn1 | Errors when cloning the repository. (#29)
In-Reply-To:
References:
Message-ID:

Konstantin Kouptsov commented:

On Unix the repo checks out fine. On Windows, there is an error:

error: invalid path 'tests/invalid-x509/id:000002,orig:TFPA-2015-002-libtasn1-4.3-stack-overflow.crt.der'
fatal: unable to checkout working tree

because the file contains colons, ':', which are not allowed in the Windows file path.

Suggestion: change the file names to be acceptable for all platforms.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/-/issues/29#note_569979940

From gnutls-devel at lists.gnutls.org Fri May 7 21:23:28 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Fri, 07 May 2021 19:23:28 +0000
Subject: [gnutls-devel] GnuTLS | Ed448 keys are indicated as having a 456-bit "security level" (#1231)
References:
Message-ID:

Daniel Kahn Gillmor created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1231

It's not clear why a curve448 key might claim to have 456 bits of "security":

```
0 dkg at alice:~$ certtool --generate-privkey --key-type ed448
Generating a 256 bit EdDSA (Ed448) private key ...
Public Key Info:
Public Key Algorithm: EdDSA (Ed448)
Key Security Level: Ultra (456 bits)
curve: Ed448
?
```

I think this should be 448 bits.

(i know that "security levels" in the Ultra range are basically indistinguishable in their overwhelming strength, but this is still a bit of an odd mismatch)

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1231

From gnutls-devel at lists.gnutls.org Sat May 8 05:27:14 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sat, 08 May 2021 03:27:14 +0000
Subject: [gnutls-devel] GnuTLS | certtool automatically applies "digital signature" usage flag for EdDSA and other certificates (#1227)
In-Reply-To:
References:
Message-ID:

Daniel Kahn Gillmor commented:

Note also that when generating a certificate with an EC public key (e.g. using NIST's P-256 curve), it is not necessarily an ECDSA key -- the same public might be used for ECDH in a CMS (S/MIME) context, as specified in [RFC 5753](https://tools.ietf.org/html/rfc5753). Such a certificate should *not* be marked with the "digital signature" flag, but rather with the "key agreement" flag (and maybe also wants to include some [S/MIME capabilities](https://tools.ietf.org/html/rfc4262) to indicate what flavors of ECDH are preferred, as in [§6 of RFC 5753](https://tools.ietf.org/html/rfc5753#section-6)).

I know that certtool is not typically used for CMS or S/MIME, and that barring a fix for #1185, the user won't be able to use such an ECDH certificate with GnuTLS tooling itself, but it is still useful for certtool to be powerful enough to be able to generate such a certificate.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1227#note_570481898

From gnutls-devel at lists.gnutls.org Sat May 8 05:58:11 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sat, 08 May 2021 03:58:11 +0000
Subject: [gnutls-devel] GnuTLS | certtool: generate, parse, and manipulate X25519 and X448 pubkeys, privkeys, and certificates (!1428)
References:
Message-ID:

Daniel Kahn Gillmor created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1428

Project:Branches: dkg/gnutls:x25519-and-x448 to gnutls/gnutls:master
Author: Daniel Kahn Gillmor

I'm using certtool to generate certificates for use in CMS (S/MIME) for [draft-ietf-lamps-samples](https://datatracker.ietf.org/doc/draft-ietf-lamps-samples/).

The LAMPS WG requested some sample certificates using Curve25519. The verification certificates/signing keys (using EdDSA) were straightforward to generate, but the encryption certificates/decryption keys (using X25519) were not possible.

This series of changes to GnuTLS adds support for generating and handling X25519 and X448, though of course those certificates are not yet useful in a CMS context from GnuTLS itself without completing work on #1185.

I don't consider this series ready to go yet; it would help me to get three specific pieces of feedback from GnuTLS devs upstream:

- many of the commits in this series effectively duplicate code that was EdDSA-specific, and refers to these CFRG curves as "modern ECDH". A different approach would be to take the (non-visible) pubkey and privkey handling functions that are currently named `*_eddsa_*` and expand them to handle X25519 and X448 as well, since their data representations are identical to Ed25519 and Ed448 to the best of my understanding. If that is preferable to the current approach (less code duplication, but possibly some other entanglements), let me know and i can rework the series with that preference in mind.
- I'm not sure what tests I should add. Suggestions welcome!
- I've exercised this code enough to be able to generate X25519 certificates using an Ed25519 CA using `certtool` in the way that I'm comfortable with already, but i am not sure that I've handled every possible codepath where an X25519 or X448 certificate, private key, or public key might show up. Further review would be welcome.

## Checklist

* [x] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [x] Code modified for feature
* [ ] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
* [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:

* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1428

From gnutls-devel at lists.gnutls.org Sat May 8 07:52:01 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Sat, 08 May 2021 05:52:01 +0000 Subject: [gnutls-devel] libtasn1 | Bison compatibility (#33) References: Message-ID: Simon Josefsson created an issue: https://gitlab.com/gnutls/libtasn1/-/issues/33 The self-test tests/Test_parser.c hard code bison error strings, that happened to change in bison 3.6+. See commits d05c25f9f0ddb1d8911d96f75101ecdb6cd95d4d for background 123d39f28e8ec1426888ef0577105903d67d1c4d. The self-test should be modified to work with both bison versions. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/-/issues/33 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat May 8 07:55:16 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Sat, 08 May 2021 05:55:16 +0000 Subject: [gnutls-devel] libtasn1 | Bison compatibility (#33) In-Reply-To: References: Message-ID: Milestone changed to Release libtasn1 4.17.0 ( https://gitlab.com/gnutls/libtasn1/-/milestones/3 ) -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/-/issues/33 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat May 8 08:15:29 2021 
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Sat, 08 May 2021 06:15:29 +0000 Subject: [gnutls-devel] libtasn1 | Improve version numbers when building from git (#34) References: Message-ID: Simon Josefsson created an issue: https://gitlab.com/gnutls/libtasn1/-/issues/34 The tarballs generated by CI/CD use the previous releases version number, we should consider using something like git-version-gen to generate more useful version numbers. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/-/issues/34 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat May 8 13:55:16 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Sat, 08 May 2021 11:55:16 +0000 Subject: [gnutls-devel] libtasn1 | Support both old and new bison. Closes: #33. (!79) References: Message-ID: Simon Josefsson created a merge request: https://gitlab.com/gnutls/libtasn1/-/merge_requests/79 Branches: tmp-more-cicd to master Author: Simon Josefsson -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/-/merge_requests/79 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat May 8 13:55:52 2021 
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Sat, 08 May 2021 11:55:52 +0000 Subject: [gnutls-devel] libtasn1 | Support both old and new bison. Closes: #33. (!79) In-Reply-To: References: Message-ID: Merge request !79 was scheduled to merge after pipeline succeeds by Simon Josefsson Merge request url: https://gitlab.com/gnutls/libtasn1/-/merge_requests/79 Branches: tmp-more-cicd to master Author: Simon Josefsson Assignees: Reviewers: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/-/merge_requests/79 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat May 8 14:44:04 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Sat, 08 May 2021 12:44:04 +0000 Subject: [gnutls-devel] libtasn1 | Support both old and new bison. Closes: #33. (!79) In-Reply-To: References: Message-ID: Merge request !79 was merged Merge request URL: https://gitlab.com/gnutls/libtasn1/-/merge_requests/79 Branches: tmp-more-cicd to master Author: Simon Josefsson Assignees: Reviewers: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/-/merge_requests/79 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat May 8 14:44:04 2021 
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Sat, 08 May 2021 12:44:04 +0000 Subject: [gnutls-devel] libtasn1 | Bison compatibility (#33) In-Reply-To: References: Message-ID: Issue was closed by Simon Josefsson via merge request !79 (https://gitlab.com/gnutls/libtasn1/-/merge_requests/79) Issue #33: https://gitlab.com/gnutls/libtasn1/-/issues/33 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/-/issues/33 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat May 8 14:44:06 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Sat, 08 May 2021 12:44:06 +0000 Subject: [gnutls-devel] libtasn1 | Bison compatibility (#33) In-Reply-To: References: Message-ID: Issue was closed by Simon Josefsson via commit 08801fc96e6a48e50e7cd067ee97de41d9edc56c Issue #33: https://gitlab.com/gnutls/libtasn1/-/issues/33 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/-/issues/33 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat May 8 19:19:23 2021 
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sat, 08 May 2021 17:19:23 +0000
Subject: [gnutls-devel] libtasn1 | fail to parse certificate then build with clang (#31)
In-Reply-To:
References:
Message-ID:

Simon Josefsson commented:

Is 593609388b035bf695ffe10ef3ef2fa261026f6e related? It mentions clang.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/-/issues/31#note_570597140

From gnutls-devel at lists.gnutls.org Sun May 9 16:32:49 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sun, 09 May 2021 14:32:49 +0000
Subject: [gnutls-devel] GnuTLS | certtool: generate, parse, and manipulate X25519 and X448 pubkeys, privkeys, and certificates (!1428)
In-Reply-To:
References:
Message-ID:

Daniel Kahn Gillmor commented:

Some of the CI builds are failing for reasons unrelated to the proposed changes here. For example, this [debian build](https://gitlab.com/dkg/gnutls/-/jobs/1246746214) fails due to some redefinition of `streebog512_ctx`:

```
In file included from gost/hmac-gost.h:42,
                 from mac.c:39:
gost/streebog.h:62:8: error: redefinition of 'struct streebog512_ctx'
   62 | struct streebog512_ctx
      |        ^~~~~~~~~~~~~~~
In file included from /usr/include/nettle/hmac.h:44,
                 from mac.c:33:
/usr/include/nettle/streebog.h:58:8: note: originally defined here
   58 | struct streebog512_ctx
      |        ^~~~~~~~~~~~~~~
```

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1428#note_570868140

From gnutls-devel at lists.gnutls.org Mon May 10 09:26:05 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Mon, 10 May 2021 07:26:05 +0000 Subject: [gnutls-devel] libtasn1 | gtk-doc API indexes missing when built with gtk-doc from debian bullseye (#35) References: Message-ID: Simon Josefsson created an issue: https://gitlab.com/gnutls/libtasn1/-/issues/35 For some reason, the indexes "Index of deprecated API", "Index of new API in 1.6", "Index of new API in 2.0" sections are missing when the GTK-DOC manual is built with gtk-doc-tools in debian testing. Compare tarballs from CI/CD pipeline artefacts. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/-/issues/35 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon May 10 17:37:53 2021 
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Mon, 10 May 2021 15:37:53 +0000
Subject: [gnutls-devel] GnuTLS | Windows builds: 'make install' installs dummy crypt32.dll and ncrypt.dll (#1232)
References:
Message-ID:

Tim Kosse created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1232

## Description of problem:

When compiling GnuTLS for Windows, both natively and cross-compiled, running 'make install' in the top build directory installs the dummy crypt32.dll and ncrypt.dll from the tests/windows subdirectory.

The presence of these dummy libraries in the library search path results in a conflict with Windows' native DLLs.

These debug libraries seem to be missing the noinst_ prefix in tests/windows/Makefile.am.

## Version of gnutls used:

3.6.12, 3.7.1

## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)

Source tarballs from https://www.gnupg.org/ftp/gcrypt/gnutls/

## How reproducible:

- Setup a x86_64-w64-mingw32 build environment, either under Debian or using msys2
- Compile and install recent GMP, Nettle
- Extract gnutls-3.7.1.tar.xz
- cd gnutls-3.7.1
- ./configure --host=x86_64-w64-mingw32 --with-included-libtasn1 --with-included-unistring --without-p11-kit --prefix=$HOME/myprefix
- make -k install

## Actual results:

Dummy crypt32.dll and ncrypt.dll are installed into $HOME/myprefix/lib

## Expected results:

crypt32.dll and ncrypt.dll are not installed.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1232

From gnutls-devel at lists.gnutls.org Mon May 10 17:43:16 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Mon, 10 May 2021 15:43:16 +0000
Subject: [gnutls-devel] GnuTLS | Windows builds: 'make install' installs dummy crypt32.dll and ncrypt.dll (#1232)
In-Reply-To:
References:
Message-ID:

Daiki Ueno commented:

Thank you for the report; let's make them `check_LTLIBRARIES` (or `noinst_`).

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1232#note_571688626

From gnutls-devel at lists.gnutls.org Mon May 10 17:54:18 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Mon, 10 May 2021 15:54:18 +0000
Subject: [gnutls-devel] GnuTLS | GnuTLS sends protocol_version alert when client message contains unrecognized version (#1230)
In-Reply-To:
References:
Message-ID:

Daiki Ueno commented:

It seems debatable; RFC 8446 Appendix D.2 says:

> A TLS server can also receive a ClientHello indicating a version number smaller than its highest supported version. [...]

and later:

> If the "supported_versions" extension is absent and the server only supports versions greater than ClientHello.legacy_version, the server MUST abort the handshake with a "protocol_version" alert.

Therefore, in this occasion, the older client should be prepared for the servers sending a "protocol_version" alert anyway.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1230#note_571697257

From gnutls-devel at lists.gnutls.org Mon May 10 18:06:51 2021
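The decision procedure proposed in issue #1230 above, written out as an added C example (not GnuTLS code and not from the thread) and run on the record from the reproduction step. It assumes a server that enables only TLS 1.2, as in the reproduction command; the function and enum names and the two ClientHello prefixes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TLS_HEADER_LEN   5
#define CT_HANDSHAKE     22      /* record content type: handshake */
#define HS_CLIENT_HELLO  1       /* handshake message type: client_hello */
#define TLS12            0x0303  /* only version enabled (assumption, as in the repro) */

/* Hypothetical names for the outcomes of the issue's pseudocode. */
enum action {
    ACT_NEED_MORE_DATA,         /* header or body incomplete */
    ACT_CONTINUE,               /* {03,XX} record, nothing version-related to reject */
    ACT_ALERT_PROTOCOL_VERSION, /* recognized but not supported */
    ACT_NOT_RECOGNIZED          /* major != 03: no protocol_version alert in this reading */
};

struct tls_record {
    uint8_t type, major, minor;
    uint16_t length;
    const uint8_t *body;
};

/* Record from the issue's reproduction step: alert, version 83 01, length 2. */
static const uint8_t ISSUE_RECORD[] = { 0x15, 0x83, 0x01, 0x00, 0x02, 0x02, 0x50 };
/* Constructed ClientHello prefixes: record version 03 01, client_version 03 03 and 03 01. */
static const uint8_t HELLO_TLS12[] = { 0x16, 0x03, 0x01, 0x00, 0x06,
                                       0x01, 0x00, 0x00, 0x02, 0x03, 0x03 };
static const uint8_t HELLO_TLS10[] = { 0x16, 0x03, 0x01, 0x00, 0x06,
                                       0x01, 0x00, 0x00, 0x02, 0x03, 0x01 };

/* Parse the 5-byte TLSPlaintext header; -1 if header or body bytes are missing. */
static int parse_record(const uint8_t *buf, size_t len, struct tls_record *r)
{
    if (len < TLS_HEADER_LEN)
        return -1;
    r->type = buf[0];
    r->major = buf[1];
    r->minor = buf[2];
    r->length = (uint16_t)((buf[3] << 8) | buf[4]);
    if (len - TLS_HEADER_LEN < r->length)
        return -1;
    r->body = buf + TLS_HEADER_LEN;
    return 0;
}

/* The issue's proposed logic for the first record a TLS 1.2-only server sees. */
static enum action first_record_action(const uint8_t *buf, size_t len)
{
    struct tls_record r;

    if (parse_record(buf, len, &r) != 0)
        return ACT_NEED_MORE_DATA;
    if (r.major != 0x03)
        return ACT_NOT_RECOGNIZED;
    /* {03,XX} is accepted as record version; now look at the version offered in
       ClientHello.client_version (the 2 bytes after the 4-byte handshake header). */
    if (r.type == CT_HANDSHAKE && r.length >= 6 && r.body[0] == HS_CLIENT_HELLO) {
        uint16_t client_version = (uint16_t)((r.body[4] << 8) | r.body[5]);
        if (client_version < TLS12)
            return ACT_ALERT_PROTOCOL_VERSION;
    }
    return ACT_CONTINUE;
}

static const char *action_name(enum action a)
{
    switch (a) {
    case ACT_NEED_MORE_DATA:         return "need more data";
    case ACT_CONTINUE:               return "continue";
    case ACT_ALERT_PROTOCOL_VERSION: return "send protocol_version alert";
    default:                         return "not recognized, no protocol_version alert";
    }
}

int main(void)
{
    printf("issue record: %s\n",
           action_name(first_record_action(ISSUE_RECORD, sizeof ISSUE_RECORD)));
    printf("hello, 03 03: %s\n",
           action_name(first_record_action(HELLO_TLS12, sizeof HELLO_TLS12)));
    printf("hello, 03 01: %s\n",
           action_name(first_record_action(HELLO_TLS10, sizeof HELLO_TLS10)));
    return 0;
}
```

The issue reports that GnuTLS 3.7.0 answers the first of these inputs with protocol_version, which is the case the reporter's reading would place in the not-recognized branch.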
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Mon, 10 May 2021 16:06:51 +0000 Subject: [gnutls-devel] GnuTLS | Ed448 keys are indicated as having a 456-bit "security level" (#1231) In-Reply-To: References: Message-ID: Daiki Ueno commented: I also get 528 for secp521r1 curve; looks like an unwanted rounding. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1231#note_571706053 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon May 10 18:40:08 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Mon, 10 May 2021 16:40:08 +0000 Subject: [gnutls-devel] GnuTLS | nettle: port upstream hardening of EC point multiplication [3.6.x] (!1407) In-Reply-To: References: Message-ID: Daiki Ueno commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/1407#note_571747050 I've also added patches to add `ecc_mod_mul_canonical`, though it is a bit different implementation because of the lack of `tp` in `ecc_mod_mul` in nettle 3.6. Does this look better? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1407#note_571747050 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon May 10 20:55:23 2021 
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Mon, 10 May 2021 18:55:23 +0000
Subject: [gnutls-devel] GnuTLS | nettle: port upstream hardening of EC point multiplication [3.6.x] (!1407)
In-Reply-To:
References:
Message-ID:

Niels Möller started a new discussion on lib/nettle/ecc/override/ecc-internal.h.diff: https://gitlab.com/gnutls/gnutls/-/merge_requests/1407#note_571818856

> +@@ -49,6 +49,7 @@ > + #define ecc_mod_submul_1 _nettle_ecc_mod_submul_1 > + #define ecc_mod_mul _nettle_ecc_mod_mul > + #define ecc_mod_sqr _nettle_ecc_mod_sqr > ++#define ecc_mod_mul_canonical _nettle_ecc_mod_mul_canonical > + #define ecc_mod_random _nettle_ecc_mod_random > + #define ecc_mod _nettle_ecc_mod > + #define ecc_mod_inv _nettle_ecc_mod_inv > +@@ -256,6 +257,15 @@ void > + ecc_mod_sqr (const struct ecc_modulo *m, mp_limb_t *rp, > + const mp_limb_t *ap); > + > ++/* These mul function produce a canonical result, 0 <= R < M. > ++ Requirements on input and output areas are similar to the above > ++ functions, except that it is *not* allowed to pass rp = rp + > ++ m->size.

This is a typo. Just fixed on master branch, where it now reads rp = tp + m->size. And probably not quite right for this version.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1407#note_571818856

From gnutls-devel at lists.gnutls.org Mon May 10 20:57:52 2021
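Review bot: the comment added ahead of the new prototype in the second quoted hunk of lib/nettle/ecc/override/ecc-internal.h.diff states the aliasing restriction as "rp = rp + m->size", which relates rp to itself and so tells a caller nothing about which areas may overlap. Name the two distinct areas the restriction is about, using the arguments this backported ecc_mod_mul_canonical actually takes, and change "These mul function produce" to "These mul functions produce".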
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Mon, 10 May 2021 18:57:52 +0000
Subject: [gnutls-devel] GnuTLS | Add ecdh compute function gnutls_ecdh_compute_key (!1395)
In-Reply-To:
References:
Message-ID:

Nicolas Mora commented on a discussion on lib/ecdh.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1395#note_571819948

> + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU > + * Lesser General Public License for more details. > + * > + * You should have received a copy of the GNU Lesser General Public License > + * along with this program. If not, see > + * > + */ > + > +/* Helper functions for ECC handling > + * based on public domain code by Tom St. Dennis. > + */ > +#include "gnutls_int.h" > +#include > +#include "errors.h" > + > +int gnutls_ecdh_compute_key(gnutls_privkey_t privkey, gnutls_pubkey_t pubkey, gnutls_datum_t *Z)

The documentation has been improved like this:

```C
/**
 * gnutls_ecdh_compute_key:
 * @privkey: is a #gnutls_privkey_t key to compute
 * @pubkey: is a #gnutls_pubkey_t key to compute with privkey
 * @Z: the computation result
 *
 * This function calculates a key agreement with Elliptic
 * Curve Diffie-Hellman Ephemeral Static using a private and
 * a public ECC keys
 *
 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
 * negative error value.
 *
 * Since: 3.7.??
 **/
```

I'm not sure with the `Since` value though

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1395#note_571819948

From gnutls-devel at lists.gnutls.org Mon May 10 21:06:45 2021
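Review bot: the prototype on the last quoted line of lib/ecdh.c hands the shared secret back through gnutls_datum_t *Z, but nothing in the quoted lines says who allocates and releases Z->data. State the ownership rule in the function's documentation, including that the buffer holds key material and should be wiped before it is freed.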
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Mon, 10 May 2021 19:06:45 +0000
Subject: [gnutls-devel] GnuTLS | nettle: port upstream hardening of EC point multiplication [3.6.x] (!1407)
In-Reply-To:
References:
Message-ID:

Niels Möller started a new discussion on lib/nettle/ecc/override/ecc-mod-arith.c.diff: https://gitlab.com/gnutls/gnutls/-/merge_requests/1407#note_571824730

> +--- a/ecc-mod-arith.c > ++++ b/ecc-mod-arith.c > +@@ -125,3 +125,14 @@ ecc_mod_sqr (const struct ecc_modulo *m, mp_limb_t *rp, > + mpn_sqr (rp, ap, m->size); > + m->reduce (m, rp); > + } > ++ > ++void > ++ecc_mod_mul_canonical (const struct ecc_modulo *m, mp_limb_t *rp, > ++ const mp_limb_t *ap, const mp_limb_t *bp, mp_limb_t *tp) > ++{ > ++ mp_limb_t cy; > ++ ecc_mod_mul(m, tp, ap, bp); > ++ > ++ cy = mpn_sub_n (rp, tp, m->m, m->size); > ++ cnd_copy (cy, rp, tp, m->size);

This will not work if rp == tp (unlike the version on master). I think it can be made to be more of a drop-in replacement for ecc_mod_mul, without the new tp argument. Something like

    ecc_mod_mul (m, rp, ap, bp); /* clobbers 2*size limbs, size limbs final result */
    cy = mpn_sub_n (rp + m->size, rp, m->m, m->size); /* area at rp + m->size now free to reuse */
    cnd_copy (!cy, rp, rp + m->size, m->size);

(!cy should be the same as 1-cy here. I would hope either variant can be compiled without a conditional branch).

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1407#note_571824730

From gnutls-devel at lists.gnutls.org Mon May 10 21:58:42 2021
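Review bot: in ecc_mod_mul_canonical the last two quoted lines are only correct when rp and tp are different areas, and nothing in the function states or checks that. With rp == tp, mpn_sub_n overwrites the product with the difference and the following cnd_copy copies the area onto itself, so a borrow leaves the wrapped difference instead of the product. Either document the no-overlap requirement next to the prototype or subtract into scratch space so the conditional copy still has both values to choose from. The call ecc_mod_mul(m, tp, ap, bp) also lacks the space before the parenthesis that the surrounding calls use.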
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Mon, 10 May 2021 19:58:42 +0000 Subject: [gnutls-devel] GnuTLS | Add ecdh compute function gnutls_ecdh_compute_key (!1395) In-Reply-To: References: Message-ID: Nicolas Mora commented on a discussion on lib/ecdh.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1395#note_571853220 > + */ > +#include "gnutls_int.h" > +#include > +#include "errors.h" > + > +int gnutls_ecdh_compute_key(gnutls_privkey_t privkey, gnutls_pubkey_t pubkey, gnutls_datum_t *Z) > +{ > + gnutls_ecc_curve_t curve_pub = GNUTLS_ECC_CURVE_INVALID, curve_priv = GNUTLS_ECC_CURVE_INVALID; > + unsigned int bits_pub = 0, bits_priv = 0; > + gnutls_datum_t priv_x = {NULL, 0}, priv_y = {NULL, 0}, priv_k = {NULL, 0}, pub_x = {NULL, 0}, pub_y = {NULL, 0}; > + int ret = GNUTLS_E_SUCCESS, res; > + > + Z->data = NULL; > + Z->size = 0; > + > + if (gnutls_privkey_get_pk_algorithm(privkey, &bits_priv) != GNUTLS_PK_ECDSA) I've tried adding support for Curve25519/Curve448, yet no luck: https://gitlab.com/babelouest/gnutls/-/tree/ecdh-ed25519 The [ed25519 test](https://gitlab.com/babelouest/gnutls/-/blob/ecdh-ed25519/tests/ecdh-compute.c#L464) fails during [`_gnutls_dh_compute_key`](https://gitlab.com/babelouest/gnutls/-/blob/ecdh-ed25519/lib/ecdh.c#L95) with a return value -55 (GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER). I couldn't find if the problem comes from my code or outside -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1395#note_571853220 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon May 10 22:27:34 2021 
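Review bot: the line "Z->data = NULL;" dereferences Z before any argument has been validated, so a NULL Z crashes instead of returning an error; check privkey, pubkey and Z first and return GNUTLS_E_INVALID_REQUEST. The last quoted line tests only the private key's algorithm against GNUTLS_PK_ECDSA, so confirm that the public key gets the same test and that curve_priv and curve_pub are compared before the computation runs.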
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Mon, 10 May 2021 20:27:34 +0000
Subject: [gnutls-devel] GnuTLS | Ed448 keys are indicated as having a 456-bit "security level" (#1231)
In-Reply-To:
References:
Message-ID:

Daniel Kahn Gillmor commented:

528 for secp521r1 is definitely rounding to an even number of octets. but 448→456 isn't - that's going from 56 octets (even) to 57 octets (even). so that's an additional full 8 bits.

I do note that these "bits of security" numbers for ECC are all a little weird -- if they're intended to indicate comparable "symmetric strength" then they're actually double what they should be (curve448 should be comparable to 224-bit symmetric algorithms). Even [wikipedia](https://en.wikipedia.org/wiki/Curve448) says:

> In cryptography, Curve448 or Curve448-Goldilocks is an elliptic curve potentially offering 224 bits of security

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1231#note_571867781

From gnutls-devel at lists.gnutls.org Tue May 11 08:09:19 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 11 May 2021 06:09:19 +0000 Subject: [gnutls-devel] GnuTLS | nettle: port upstream hardening of EC point multiplication [3.6.x] (!1407) In-Reply-To: References: Message-ID: Daiki Ueno commented on a discussion on lib/nettle/ecc/override/ecc-mod-arith.c.diff: https://gitlab.com/gnutls/gnutls/-/merge_requests/1407#note_572099422 > +--- a/ecc-mod-arith.c > ++++ b/ecc-mod-arith.c > +@@ -125,3 +125,14 @@ ecc_mod_sqr (const struct ecc_modulo *m, mp_limb_t *rp, > + mpn_sqr (rp, ap, m->size); > + m->reduce (m, rp); > + } > ++ > ++void > ++ecc_mod_mul_canonical (const struct ecc_modulo *m, mp_limb_t *rp, > ++ const mp_limb_t *ap, const mp_limb_t *bp, mp_limb_t *tp) > ++{ > ++ mp_limb_t cy; > ++ ecc_mod_mul(m, tp, ap, bp); > ++ > ++ cy = mpn_sub_n (rp, tp, m->m, m->size); > ++ cnd_copy (cy, rp, tp, m->size); Thank you; that makes things much clearer. I've applied those changes. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1407#note_572099422 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue May 11 08:09:34 2021 
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 11 May 2021 06:09:34 +0000 Subject: [gnutls-devel] GnuTLS | nettle: port upstream hardening of EC point multiplication [3.6.x] (!1407) In-Reply-To: References: Message-ID: All discussions on merge request !1407 were resolved by Daiki Ueno https://gitlab.com/gnutls/gnutls/-/merge_requests/1407 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1407 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue May 11 09:52:27 2021 
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 11 May 2021 07:52:27 +0000 Subject: [gnutls-devel] GnuTLS | tests: don't install crypt32.dll and ncrypt.dll replacement (!1429) References: Message-ID: Daiki Ueno created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1429 Project:Branches: dueno/gnutls:wip/dueno/windows-tests to gnutls/gnutls:master Author: Daiki Ueno Fixes: #1232 ## Checklist * [x] Commits have `Signed-off-by:` with name/author being identical to the commit author * [ ] Code modified for feature * [ ] Test suite updated with functionality tests * [ ] Test suite updated with negative tests * [ ] Documentation updated / NEWS entry present (for non-trivial changes) * [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout) ## Reviewer's checklist: * [ ] Any issues marked for closing are addressed * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md` * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1429 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue May 11 10:59:22 2021 
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Tue, 11 May 2021 08:59:22 +0000
Subject: [gnutls-devel] GnuTLS | Windows builds: 'make install' installs dummy crypt32.dll and ncrypt.dll (#1232)
In-Reply-To:
References:
Message-ID:

Tim Kosse commented:

There is a follow-up issue:

In lib/system/keys-win.c CryptAcquireContextW is used. According to https://docs.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-cryptacquirecontextw, using this function requires linking against advapi32, however it is missing from the GnuTLS linker flags.

This results in an error loading libgnutls-30.dll: "The procedure entry point CryptAcquireContextW could not be loacated in the dynamic link library libgnutls-30.dll"

This issue however gets masked by the presence of the dummy crypt32.dll which exports this function, which the system's crypt32.dll does not export.

To solve this, -ladvapi32 needs to be added to GNUTLS_LIBS_PRIVATE in configure.ac

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1232#note_572240238
You're receiving this email because of your account on gitlab.com.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From gnutls-devel at lists.gnutls.org Tue May 11 14:32:33 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 11 May 2021 12:32:33 +0000 Subject: [gnutls-devel] GnuTLS | nettle: port upstream hardening of EC point multiplication [3.6.x] (!1407) In-Reply-To: References: Message-ID: Merge request !1407 was merged Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1407 Project:Branches: dueno/gnutls:wip/dueno/ecdsa-verify-3.6.x to gnutls/gnutls:gnutls_3_6_x Author: Daiki Ueno Assignees: Reviewers: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1407 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue May 11 14:32:46 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 11 May 2021 12:32:46 +0000 Subject: [gnutls-devel] GnuTLS | nettle: port upstream hardening of EC point multiplication [3.6.x] (!1407) In-Reply-To: References: Message-ID: Daiki Ueno commented: Thanks for the reviews and suggestions! -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1407#note_572586108 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue May 11 14:49:49 2021 
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 11 May 2021 12:49:49 +0000 Subject: [gnutls-devel] GnuTLS | Trivial build fixes spotted by GCC 11 (!1430) References: Message-ID: Daiki Ueno created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1430 Project:Branches: dueno/gnutls:wip/dueno/build-fixes to gnutls/gnutls:master Author: Daiki Ueno Add a description of the new feature/bug fix. Reference any relevant bugs. ## Checklist * [x] Commits have `Signed-off-by:` with name/author being identical to the commit author * [ ] Code modified for feature * [ ] Test suite updated with functionality tests * [ ] Test suite updated with negative tests * [ ] Documentation updated / NEWS entry present (for non-trivial changes) * [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout) ## Reviewer's checklist: * [ ] Any issues marked for closing are addressed * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md` * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1430 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue May 11 16:45:46 2021 
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 11 May 2021 14:45:46 +0000 Subject: [gnutls-devel] GnuTLS | certtool: generate, parse, and manipulate X25519 and X448 pubkeys, privkeys, and certificates (!1428) In-Reply-To: References: Message-ID: Daiki Ueno commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/1428#note_572778526 Looks like the debian image seems to have been updated with newer nettle; https://gitlab.com/gnutls/gnutls/-/merge_requests/1430/diffs?commit_id=e7abc8ff12916ac6a19d9afdceabd0a3152519c7 should address it. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1428#note_572778526 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue May 11 17:32:55 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 11 May 2021 15:32:55 +0000 Subject: [gnutls-devel] GnuTLS | GnuTLS sends protocol_version alert when client message contains unrecognized version (#1230) In-Reply-To: References: Message-ID: Weiqi Wang commented on a discussion: https://gitlab.com/gnutls/gnutls/-/issues/1230#note_572826313 Sorry I don't understand. I configured the server to use TLS1.2 only. And I mean the server shouldn't send protocol_version alert in this case since the version sent by client is not recognized. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1230#note_572826313 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue May 11 19:05:24 2021 
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Tue, 11 May 2021 17:05:24 +0000
Subject: [gnutls-devel] GnuTLS | GnuTLS sends protocol_version alert when client message contains unrecognized version (#1230)
In-Reply-To:
References:
Message-ID:

Hubert Kario (@mention me if you need reply) commented on a discussion: https://gitlab.com/gnutls/gnutls/-/issues/1230#note_572903471

Actually RFC 8446 is quite clear on this, see https://datatracker.ietf.org/doc/html/rfc8446#page-79:

```
legacy_record_version:  MUST be set to 0x0303 for all records
   generated by a TLS 1.3 implementation other than an initial
   ClientHello (i.e., one not generated after a HelloRetryRequest),
   where it MAY also be 0x0301 for compatibility purposes.  This
   field is deprecated and MUST be ignored for all purposes.
   Previous versions of TLS would use other values in this field
   under some circumstances.
```

The key sentence being "MUST be ignored for all purposes".

As such, the message should be parsed by GnuTLS as well-formed Alert, but since the client MUST send ClientHello as the first message, the GnuTLS server should abort with `unexpected_message`.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1230#note_572903471
You're receiving this email because of your account on gitlab.com.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From gnutls-devel at lists.gnutls.org Tue May 11 19:51:28 2021
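The handling argued for in the comment on issue #1230 above, next to a version-gated policy of the kind the issue title describes, as an added example that is not GnuTLS code and not part of the thread. All names, the set of "recognized" versions and the sample records are assumptions constructed for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Alert descriptions (RFC 8446, section 6); ALERT_NONE means "keep going". */
enum {
    ALERT_NONE = 0,
    ALERT_UNEXPECTED_MESSAGE = 10,
    ALERT_RECORD_OVERFLOW = 22,
    ALERT_DECODE_ERROR = 50,
    ALERT_PROTOCOL_VERSION = 70
};
enum { CT_ALERT = 21, CT_HANDSHAKE = 22 };      /* ContentType */
enum { HS_CLIENT_HELLO = 1 };                   /* HandshakeType */
enum { RECORD_HDR = 5, MAX_FRAGMENT = 16384 };  /* header size, 2^14 */

struct tls_record {
    uint8_t type;
    uint16_t legacy_record_version;  /* kept for logging only */
    uint16_t length;
    const uint8_t *fragment;
};

/* Parse one TLSPlaintext record held completely in buf. A short buffer is
 * treated as malformed here; a stream reader would wait for more bytes. */
static int parse_record(const uint8_t *buf, size_t len, struct tls_record *r)
{
    if (len < RECORD_HDR)
        return ALERT_DECODE_ERROR;
    r->type = buf[0];
    r->legacy_record_version = (uint16_t)((buf[1] << 8) | buf[2]);
    r->length = (uint16_t)((buf[3] << 8) | buf[4]);
    if (r->length > MAX_FRAGMENT)
        return ALERT_RECORD_OVERFLOW;
    if (len - RECORD_HDR < r->length)
        return ALERT_DECODE_ERROR;
    r->fragment = buf + RECORD_HDR;
    return ALERT_NONE;
}

/* A server's first incoming message must be a ClientHello. */
static int expect_client_hello(const struct tls_record *r)
{
    if (r->type == CT_HANDSHAKE && r->length >= 1 &&
        r->fragment[0] == HS_CLIENT_HELLO)
        return ALERT_NONE;
    return ALERT_UNEXPECTED_MESSAGE;
}

/* Policy from the RFC 8446 text quoted above: the version field never
 * influences the decision. */
static int first_record_version_ignored(const uint8_t *buf, size_t len)
{
    struct tls_record r;
    int alert = parse_record(buf, len, &r);
    return alert ? alert : expect_client_hello(&r);
}

/* Version-gated policy (assumed set 0x0301..0x0304): an unrecognized
 * legacy_record_version is rejected before the content is looked at. */
static int first_record_version_gated(const uint8_t *buf, size_t len)
{
    struct tls_record r;
    int alert = parse_record(buf, len, &r);
    if (alert)
        return alert;
    if (r.legacy_record_version < 0x0301 || r.legacy_record_version > 0x0304)
        return ALERT_PROTOCOL_VERSION;
    return expect_client_hello(&r);
}

/* Constructed samples: an Alert (warning, close_notify) and a ClientHello
 * handshake header with empty body, both with version 0x7f7f, plus a
 * header announcing 2^14 + 1 bytes. */
static const uint8_t SAMPLE_ALERT[] = { 21, 0x7f, 0x7f, 0x00, 0x02, 0x01, 0x00 };
static const uint8_t SAMPLE_HELLO[] = { 22, 0x7f, 0x7f, 0x00, 0x04, 0x01, 0x00, 0x00, 0x00 };
static const uint8_t SAMPLE_OVERFLOW[] = { 22, 0x03, 0x03, 0x40, 0x01 };

int main(void)
{
    printf("alert record: ignored=%d gated=%d\n",
           first_record_version_ignored(SAMPLE_ALERT, sizeof SAMPLE_ALERT),
           first_record_version_gated(SAMPLE_ALERT, sizeof SAMPLE_ALERT));
    printf("hello record: ignored=%d gated=%d\n",
           first_record_version_ignored(SAMPLE_HELLO, sizeof SAMPLE_HELLO),
           first_record_version_gated(SAMPLE_HELLO, sizeof SAMPLE_HELLO));
    printf("oversized record: ignored=%d\n",
           first_record_version_ignored(SAMPLE_OVERFLOW, sizeof SAMPLE_OVERFLOW));
    return 0;
}
```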
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Tue, 11 May 2021 17:51:28 +0000
Subject: [gnutls-devel] GnuTLS | DTLS handshake restarted by ClientHello using invalid message sequence numbers (#1233)
References:
Message-ID:

Paul created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1233

## Description of problem:

GnuTLS does not validate message sequence numbers in ClientHello messages. According to [DTLS RFC](https://www.rfc-editor.org/rfc/rfc6347.html#page-18):

> The first message each side transmits in each handshake always has message_seq = 0. Whenever each new message is generated, the message_seq value is incremented by one.

We found that GnuTLS does not check for message_seq to be 0 in a ClientHello delivered in the middle of an on-going handshake.

## Version of gnutls used:

3.7.1

## Operating System

Ubuntu 20

## How reproducible:

I attached files necessary for reproduction using [DTLS-fuzzer](https://github.com/assist-project/dtls-fuzzer/), a Java-based tool for testing DTLS libraries, whose .jar is included in the archive. Also included is a capture of the interaction, generated on my machine.

DTLS-fuzzer requires the JDK for Java 8. On Ubuntu, this can be installed by running: `sudo apt-get install openjdk-8-jdk`

Unpack the archive at the end of this post, `cd` to resulting folder, download to this folder the .jar of DTLS-fuzzer available [here](https://github.com/pfg666/reproduction/blob/main/dtls-fuzzer.jar), and run `bash reproduce.sh`, while running an instance of Wireshark on the side. The reproduction script will:

* launch a gnutls-serv server instance
* execute a test exposing the behavior using DTLS-fuzzer.

It assumes `gnutls-serv` is present in the PATH.

## Actual results:

If everything works as planned, Wireshark should show an interaction similar to that in the image below:

![handshake_restart](/uploads/cba60d807a4f7486b7ec81926c02ffb3/handshake_restart.png)

Therein, if we check the value of the highlighted restarting ClientHello message, we see:

![handshake_restart_mseq](/uploads/31b4c6a9e60dc748d4bf89a065a7a788/handshake_restart_mseq.png)

BTW, I had to pack dtls-fuzzer separately since its .jar is too large.

## Expected results:

The server should not have restarted the handshake using this message.

Thanks!

[handshake_restarted.tar.gz](/uploads/848784142be5fb0e425d95f3f33e4e09/handshake_restarted.tar.gz)

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1233
You're receiving this email because of your account on gitlab.com.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From gnutls-devel at lists.gnutls.org Tue May 11 19:59:43 2021
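The check that issue #1233 above asks for, written as a capture-side audit of client handshake records, as an added example that is not GnuTLS or DTLS-fuzzer code and not part of the report. The tracker, the verdict names and the five-message flight are constructed for the illustration; only the first handshake message in each epoch-0 record is inspected.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { DTLS_CT_HANDSHAKE = 22, DTLS_RECORD_HDR = 13, DTLS_HS_HDR = 12 };
enum { HS_CLIENT_HELLO = 1, HS_CLIENT_KEY_EXCHANGE = 16 };
enum { SAMPLE_LEN = DTLS_RECORD_HDR + DTLS_HS_HDR };

enum seq_verdict {
    SEQ_MALFORMED = -1,
    SEQ_SKIPPED = 0,                 /* not a plaintext handshake record */
    SEQ_IN_ORDER,                    /* message_seq is the next expected value */
    SEQ_REPEAT,                      /* retransmission or further fragment */
    SEQ_GAP,                         /* a message_seq was skipped */
    SEQ_RESTART,                     /* ClientHello with message_seq = 0 */
    SEQ_HELLO_NONZERO_MID_HANDSHAKE  /* the case described in the report */
};

struct hs_tracker {
    uint16_t next_seq;  /* next new message_seq expected from the client */
    int past_hello;     /* set once a non-ClientHello message was accepted */
};

/* Classify one client-to-server DTLS record. The last verdict is a flag
 * for review: a reordered retransmission can trigger it as well. */
static int audit_client_record(struct hs_tracker *t, const uint8_t *rec, size_t len)
{
    if (len < DTLS_RECORD_HDR)
        return SEQ_MALFORMED;
    unsigned epoch = ((unsigned)rec[3] << 8) | rec[4];
    size_t body_len = ((size_t)rec[11] << 8) | rec[12];
    if (len - DTLS_RECORD_HDR < body_len)
        return SEQ_MALFORMED;
    if (rec[0] != DTLS_CT_HANDSHAKE || epoch != 0)
        return SEQ_SKIPPED;
    if (body_len < DTLS_HS_HDR)
        return SEQ_MALFORMED;

    const uint8_t *hs = rec + DTLS_RECORD_HDR;
    uint8_t msg_type = hs[0];
    uint16_t seq = (uint16_t)((hs[4] << 8) | hs[5]);  /* message_seq */

    if (msg_type == HS_CLIENT_HELLO && t->past_hello) {
        if (seq != 0)
            return SEQ_HELLO_NONZERO_MID_HANDSHAKE;
        t->next_seq = 1;   /* a fresh handshake starts again at 0 */
        t->past_hello = 0;
        return SEQ_RESTART;
    }
    if (seq < t->next_seq)
        return SEQ_REPEAT;
    if (seq > t->next_seq)
        return SEQ_GAP;
    t->next_seq++;
    if (msg_type != HS_CLIENT_HELLO)
        t->past_hello = 1;
    return SEQ_IN_ORDER;
}

/* Build a constructed DTLS 1.2 record carrying an empty handshake message. */
static void build_sample(uint8_t out[SAMPLE_LEN], uint8_t msg_type, uint16_t seq)
{
    memset(out, 0, SAMPLE_LEN);      /* epoch 0, record sequence 0 */
    out[0] = DTLS_CT_HANDSHAKE;
    out[1] = 0xfe; out[2] = 0xfd;    /* DTLS 1.2 */
    out[12] = DTLS_HS_HDR;           /* record length */
    out[13] = msg_type;
    out[17] = (uint8_t)(seq >> 8);
    out[18] = (uint8_t)(seq & 0xff);
}

/* Replay the constructed flight and return the verdict for message i:
 * ClientHello(0), ClientHello(1), ClientKeyExchange(2), ClientHello(3),
 * ClientHello(0). */
static int verdict_at(int i)
{
    static const struct { uint8_t type; uint16_t seq; } msgs[5] = {
        { HS_CLIENT_HELLO, 0 }, { HS_CLIENT_HELLO, 1 },
        { HS_CLIENT_KEY_EXCHANGE, 2 }, { HS_CLIENT_HELLO, 3 },
        { HS_CLIENT_HELLO, 0 },
    };
    struct hs_tracker t = { 0, 0 };
    uint8_t rec[SAMPLE_LEN];
    int v = SEQ_MALFORMED;
    for (int k = 0; k <= i && k < 5; k++) {
        build_sample(rec, msgs[k].type, msgs[k].seq);
        v = audit_client_record(&t, rec, sizeof rec);
    }
    return v;
}

/* Audit a single record against a fresh tracker. */
static int audit_fresh(const uint8_t *rec, size_t len)
{
    struct hs_tracker t = { 0, 0 };
    return audit_client_record(&t, rec, len);
}

int main(void)
{
    for (int i = 0; i < 5; i++)
        printf("message %d: verdict %d\n", i, verdict_at(i));
    return 0;
}
```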
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Tue, 11 May 2021 17:59:43 +0000
Subject: [gnutls-devel] GnuTLS | Cannot use TPMv2 EC key with TLSv1.3; silent failure (#1234)
References:
Message-ID:

David Woodhouse created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1234

I'm finally getting round to implementing TPM tests for OpenConnect. OpenConnect has a set of {EC,RSA,DSA} keys in its test suite, runs ocserv and attempts to use certificate authentication.

If I import the EC key into a TPMv2 and then attempt to use it, I cannot use client certificate auth with TLSv1.3; I just get a silent failure to present a certificate, followed by authentication failure.

```
HSK[0x1120930]: CERTIFICATE REQUEST (13) was received. Length 70[70], frag offset 0, frag length: 70, sequence: 0
HSK[0x1120930]: parsing certificate request
EXT[0x1120930]: rcvd signature algo (4.1) RSA-SHA256
EXT[0x1120930]: rcvd signature algo (8.9) RSA-PSS-SHA256
EXT[0x1120930]: rcvd signature algo (8.4) RSA-PSS-RSAE-SHA256
EXT[0x1120930]: rcvd signature algo (4.3) ECDSA-SECP256R1-SHA256
EXT[0x1120930]: rcvd signature algo (8.7) EdDSA-Ed25519
EXT[0x1120930]: rcvd signature algo (5.1) RSA-SHA384
EXT[0x1120930]: rcvd signature algo (8.10) RSA-PSS-SHA384
EXT[0x1120930]: rcvd signature algo (8.5) RSA-PSS-RSAE-SHA384
EXT[0x1120930]: rcvd signature algo (5.3) ECDSA-SECP384R1-SHA384
EXT[0x1120930]: rcvd signature algo (8.8) EdDSA-Ed448
EXT[0x1120930]: rcvd signature algo (6.1) RSA-SHA512
EXT[0x1120930]: rcvd signature algo (8.11) RSA-PSS-SHA512
EXT[0x1120930]: rcvd signature algo (8.6) RSA-PSS-RSAE-SHA512
EXT[0x1120930]: rcvd signature algo (6.3) ECDSA-SECP521R1-SHA512
EXT[0x1120930]: rcvd signature algo (2.1) RSA-SHA1
EXT[0x1120930]: rcvd signature algo (2.3) ECDSA-SHA1
EXT[0x1120930]: rcvd signature algo (2.2) (null)
checking cert compat with RSA-SHA256
cannot use privkey of EC/ECDSA with RSA-SHA256
checking cert compat with RSA-PSS-SHA256
cannot use privkey of EC/ECDSA with RSA-PSS-SHA256
checking cert compat with RSA-PSS-RSAE-SHA256
cannot use privkey of EC/ECDSA with RSA-PSS-RSAE-SHA256
checking cert compat with ECDSA-SECP256R1-SHA256
checking cert compat with EdDSA-Ed25519
cannot use privkey of EC/ECDSA with EdDSA-Ed25519
checking cert compat with RSA-SHA384
cannot use privkey of EC/ECDSA with RSA-SHA384
checking cert compat with RSA-PSS-SHA384
cannot use privkey of EC/ECDSA with RSA-PSS-SHA384
checking cert compat with RSA-PSS-RSAE-SHA384
cannot use privkey of EC/ECDSA with RSA-PSS-RSAE-SHA384
checking cert compat with ECDSA-SECP384R1-SHA384
checking cert compat with EdDSA-Ed448
cannot use privkey of EC/ECDSA with EdDSA-Ed448
checking cert compat with RSA-SHA512
cannot use privkey of EC/ECDSA with RSA-SHA512
checking cert compat with RSA-PSS-SHA512
cannot use privkey of EC/ECDSA with RSA-PSS-SHA512
checking cert compat with RSA-PSS-RSAE-SHA512
cannot use privkey of EC/ECDSA with RSA-PSS-RSAE-SHA512
checking cert compat with ECDSA-SECP521R1-SHA512
checking cert compat with RSA-SHA1
cannot use privkey of EC/ECDSA with RSA-SHA1
checking cert compat with ECDSA-SHA1
The hash size used in signature (20) is less than the expected (32)
ASSERT: signature.c[_gnutls_session_sign_algo_enabled]:433
Signature algorithm ECDSA-SHA1 is not enabled
HSK[0x1120930]: rejecting client auth because of no suitable signature algorithm
ASSERT: tls13/certificate_request.c[_gnutls13_recv_certificate_request_int]:203
ASSERT: buffers.c[get_last_packet]:1168
READ: Got 5 bytes from 0x5
READ: read 5 bytes from 0x5
```

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1234
You're receiving this email because of your account on gitlab.com.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From gnutls-devel at lists.gnutls.org Tue May 11 20:01:21 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Tue, 11 May 2021 18:01:21 +0000
Subject: [gnutls-devel] GnuTLS | Cannot use TPMv2 EC key with TLSv1.3; silent failure (#1234)
In-Reply-To:
References:
Message-ID:

David Woodhouse commented:

This is what I get using the same key from a file:

```
HSK[0x1f7df10]: CERTIFICATE REQUEST (13) was received. Length 70[70], frag offset 0, frag length: 70, sequence: 0
HSK[0x1f7df10]: parsing certificate request
EXT[0x1f7df10]: rcvd signature algo (4.1) RSA-SHA256
EXT[0x1f7df10]: rcvd signature algo (8.9) RSA-PSS-SHA256
EXT[0x1f7df10]: rcvd signature algo (8.4) RSA-PSS-RSAE-SHA256
EXT[0x1f7df10]: rcvd signature algo (4.3) ECDSA-SECP256R1-SHA256
EXT[0x1f7df10]: rcvd signature algo (8.7) EdDSA-Ed25519
EXT[0x1f7df10]: rcvd signature algo (5.1) RSA-SHA384
EXT[0x1f7df10]: rcvd signature algo (8.10) RSA-PSS-SHA384
EXT[0x1f7df10]: rcvd signature algo (8.5) RSA-PSS-RSAE-SHA384
EXT[0x1f7df10]: rcvd signature algo (5.3) ECDSA-SECP384R1-SHA384
EXT[0x1f7df10]: rcvd signature algo (8.8) EdDSA-Ed448
EXT[0x1f7df10]: rcvd signature algo (6.1) RSA-SHA512
EXT[0x1f7df10]: rcvd signature algo (8.11) RSA-PSS-SHA512
EXT[0x1f7df10]: rcvd signature algo (8.6) RSA-PSS-RSAE-SHA512
EXT[0x1f7df10]: rcvd signature algo (6.3) ECDSA-SECP521R1-SHA512
EXT[0x1f7df10]: rcvd signature algo (2.1) RSA-SHA1
EXT[0x1f7df10]: rcvd signature algo (2.3) ECDSA-SHA1
EXT[0x1f7df10]: rcvd signature algo (2.2) (null)
checking cert compat with RSA-SHA256
cannot use privkey of EC/ECDSA with RSA-SHA256
checking cert compat with RSA-PSS-SHA256
cannot use privkey of EC/ECDSA with RSA-PSS-SHA256
checking cert compat with RSA-PSS-RSAE-SHA256
cannot use privkey of EC/ECDSA with RSA-PSS-RSAE-SHA256
checking cert compat with ECDSA-SECP256R1-SHA256
ASSERT: buffers.c[get_last_packet]:1168
READ: Got 5 bytes from 0x5
READ: read 5 bytes from 0x5
RB: Have 0 bytes into buffer. Adding 5 bytes.
```

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1234#note_572941862
You're receiving this email because of your account on gitlab.com.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From gnutls-devel at lists.gnutls.org Tue May 11 20:02:30 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Tue, 11 May 2021 18:02:30 +0000
Subject: [gnutls-devel] GnuTLS | Cannot use TPMv2 EC key with TLSv1.3; silent failure (#1234)
In-Reply-To:
References:
Message-ID:

David Woodhouse commented:

... and when I force TLSv1.2 using the TPM key:

```
BUF[REC]: Inserted 63 bytes of Data(22)
HSK[0x192b870]: CERTIFICATE REQUEST (13) was received. Length 59[59], frag offset 0, frag length: 59, sequence: 0
EXT[0x192b870]: rcvd signature algo (4.1) RSA-SHA256
EXT[0x192b870]: rcvd signature algo (8.9) RSA-PSS-SHA256
EXT[0x192b870]: rcvd signature algo (8.4) RSA-PSS-RSAE-SHA256
EXT[0x192b870]: rcvd signature algo (4.3) ECDSA-SHA256
EXT[0x192b870]: rcvd signature algo (8.7) EdDSA-Ed25519
EXT[0x192b870]: rcvd signature algo (5.1) RSA-SHA384
EXT[0x192b870]: rcvd signature algo (8.10) RSA-PSS-SHA384
EXT[0x192b870]: rcvd signature algo (8.5) RSA-PSS-RSAE-SHA384
EXT[0x192b870]: rcvd signature algo (5.3) ECDSA-SHA384
EXT[0x192b870]: rcvd signature algo (8.8) EdDSA-Ed448
EXT[0x192b870]: rcvd signature algo (6.1) RSA-SHA512
EXT[0x192b870]: rcvd signature algo (8.11) RSA-PSS-SHA512
EXT[0x192b870]: rcvd signature algo (8.6) RSA-PSS-RSAE-SHA512
EXT[0x192b870]: rcvd signature algo (6.3) ECDSA-SHA512
EXT[0x192b870]: rcvd signature algo (2.1) RSA-SHA1
EXT[0x192b870]: rcvd signature algo (2.3) ECDSA-SHA1
EXT[0x192b870]: rcvd signature algo (2.2) DSA-SHA1
ASSERT: buffers.c[get_last_packet]:1168
READ: Got 5 bytes from 0x5
READ: read 5 bytes from 0x5
RB: Have 0 bytes into buffer. Adding 5 bytes.
RB: Requested 5 bytes
REC[0x192b870]: SSL 3.3 Handshake packet received. Epoch 0, length: 4
REC[0x192b870]: Expected Packet Handshake(22)
REC[0x192b870]: Received Packet Handshake(22) with length: 4
READ: Got 4 bytes from 0x5
READ: read 4 bytes from 0x5
RB: Have 5 bytes into buffer. Adding 4 bytes.
RB: Requested 9 bytes
REC[0x192b870]: Decrypted Packet[3] Handshake(22) with length: 4
BUF[REC]: Inserted 4 bytes of Data(22)
HSK[0x192b870]: SERVER HELLO DONE (14) was received. Length 0[0], frag offset 0, frag length: 0, sequence: 0
HSK[0x192b870]: CERTIFICATE was queued [541 bytes]
HWRITE: enqueued [CERTIFICATE] 541. Total 541 bytes.
ASSERT: mpi.c[wrap_nettle_mpi_print]:60
HSK[0x192b870]: CLIENT KEY EXCHANGE was queued [310 bytes]
HWRITE: enqueued [CLIENT KEY EXCHANGE] 310. Total 851 bytes.
checking cert compat with RSA-SHA256
cannot use privkey of EC/ECDSA with RSA-SHA256
checking cert compat with RSA-PSS-SHA256
cannot use privkey of EC/ECDSA with RSA-PSS-SHA256
checking cert compat with RSA-PSS-RSAE-SHA256
cannot use privkey of EC/ECDSA with RSA-PSS-RSAE-SHA256
checking cert compat with ECDSA-SHA256
sign handshake cert vrfy: picked ECDSA-SHA256
```

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1234#note_572942436
You're receiving this email because of your account on gitlab.com.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From gnutls-devel at lists.gnutls.org Tue May 11 20:17:23 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 11 May 2021 18:17:23 +0000 Subject: [gnutls-devel] GnuTLS | GnuTLS sends protocol_version alert when client message contains unrecognized version (#1230) In-Reply-To: References: Message-ID: Daiki Ueno commented on a discussion: https://gitlab.com/gnutls/gnutls/-/issues/1230#note_572952544 OK, thank you for the clarification. I misread `TlsPlainText.legacy_record_version` as `ClientHello.legacy_version`. Still, I'm wondering whether we should implement the logic given in the description, i.e., special casing 0x03XX. Given RFC 8446 supersedes 5246 I am skeptical that we need to strictly follow that rule; what do you think? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1230#note_572952544 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue May 11 20:29:45 2021 
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 11 May 2021 18:29:45 +0000 Subject: [gnutls-devel] libtasn1 | Fix bugs unvelieled by Static Analysis (!80) References: Message-ID: Simo Sorce created a merge request: https://gitlab.com/gnutls/libtasn1/-/merge_requests/80 Project:Branches: simo5/libtasn1:covscan_fixes to gnutls/libtasn1:master Author: Simo Sorce Small bugs unveiled by static analysis (internal tool called covscan). Individual commits show the issue in the commit message. ## Checklist * [ ] Code modified for feature * [ ] Test suite updated with functionality tests * [ ] Test suite updated with negative tests * [ ] Documentation updated ## Reviewer's checklist: * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent with other code * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/-/merge_requests/80 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue May 11 21:49:07 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 11 May 2021 19:49:07 +0000 Subject: [gnutls-devel] libtasn1 | Fix bugs unvelieled by Static Analysis (!80) In-Reply-To: References: Message-ID: Simo Sorce commented: @dueno can you review please? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/-/merge_requests/80#note_573014890 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue May 11 21:49:51 2021 
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 11 May 2021 19:49:51 +0000 Subject: [gnutls-devel] libtasn1 | Fix bugs unvelieled by Static Analysis (!80) In-Reply-To: References: Message-ID: Simo Sorce commented: @jas you may want to pull this in before next release -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/-/merge_requests/80#note_573015494 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue May 11 22:45:45 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 11 May 2021 20:45:45 +0000 Subject: [gnutls-devel] GnuTLS | certtool: generate, parse, and manipulate X25519 and X448 pubkeys, privkeys, and certificates (!1428) In-Reply-To: References: Message-ID: Daniel Kahn Gillmor commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/1428#note_573042954 thanks for that fix. I'd appreciate any thoughts on the substance of the patch series when you get a chance! -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1428#note_573042954 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed May 12 00:58:13 2021 
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 11 May 2021 22:58:13 +0000 Subject: [gnutls-devel] GnuTLS | Cannot use TPMv2 EC key with TLSv1.3; silent failure (#1234) In-Reply-To: References: Message-ID: David Woodhouse commented: Given that I don't have to do anything different for the actual signature at all, just lie to the TPM about the hash algorithm based on the size of the data it's given, I think this is a sane way to fix it: https://gitlab.com/openconnect/openconnect/-/commit/830f14c37605ab58a11aa4c83046f2e6459dfaff https://gitlab.com/openconnect/openconnect/-/commit/4c225c0e68c7762d61bcdfc7392e2b638fc862b0 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1234#note_573094009 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed May 12 00:59:03 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 11 May 2021 22:59:03 +0000 Subject: [gnutls-devel] GnuTLS | Cannot use TPMv2 EC key with TLSv1.3; silent failure (#1234) In-Reply-To: References: Message-ID: David Woodhouse commented: The silent failure is still suboptimal. If given a client key which can't be used with TLSv1.3, shouldn't we *avoid* TLSv1.3? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1234#note_573094293 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed May 12 01:03:57 2021 
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 11 May 2021 23:03:57 +0000 Subject: [gnutls-devel] GnuTLS | Cannot use TPMv2 RSA key with TLSv1.3 (#1235) References: Message-ID: David Woodhouse created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1235 The TPM code doesn't support PSS padding. But it does support GNUTLS_SIGN_RSA_RAW; couldn't GnuTLS do the padding *for* me? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1235 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed May 12 07:35:44 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 12 May 2021 05:35:44 +0000 Subject: [gnutls-devel] libtasn1 | Fix bugs unvelieled by Static Analysis (!80) In-Reply-To: References: Message-ID: Daiki Ueno commented: Looks good to me. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/-/merge_requests/80#note_573230567 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed May 12 07:35:46 2021 
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 12 May 2021 05:35:46 +0000 Subject: [gnutls-devel] libtasn1 | Fix bugs unvelieled by Static Analysis (!80) In-Reply-To: References: Message-ID: Merge request !80 was approved by Daiki Ueno Merge request URL: https://gitlab.com/gnutls/libtasn1/-/merge_requests/80 Project:Branches: simo5/libtasn1:covscan_fixes to gnutls/libtasn1:master Author: Simo Sorce Assignees: Reviewers: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/-/merge_requests/80 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed May 12 09:03:58 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 12 May 2021 07:03:58 +0000 Subject: [gnutls-devel] GnuTLS | Cannot use TPMv2 RSA key with TLSv1.3 (#1235) In-Reply-To: References: Message-ID: David Woodhouse commented: I made extra coffee this morning with the intention of writing some RSA-PSS padding code, but I don't see how to do that with an external privkey at all. All the things that _gnutls_pkcs11_privkey_sign() puts into its `rsa_pss_params` come from arguments that privkey_sign_raw_data() doesn't even *pass* to my ->sign_hash_func(). If you expect me to do the padding for myself, how do I know the params? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1235#note_573274865 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed May 12 14:34:01 2021 
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 12 May 2021 12:34:01 +0000 Subject: [gnutls-devel] GnuTLS | Improve 0-RTT support for QUIC (!1421) In-Reply-To: References: Message-ID: Merge request https://gitlab.com/gnutls/gnutls/-/merge_requests/1421 was reviewed by Ivan Nikolchev -- Ivan Nikolchev started a new discussion on lib/state.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1421#note_573623563 > + } > + > + if (unlikely(session->internals. Braces are missing around this if statement. -- Ivan Nikolchev started a new discussion on tests/secrets.h: https://gitlab.com/gnutls/gnutls/-/merge_requests/1421#note_573623567 > +static const struct secret client_normal_0[] = { Don't you need the copyright text at the top of the file? -- Ivan Nikolchev started a new discussion on tests/secrets.h: https://gitlab.com/gnutls/gnutls/-/merge_requests/1421#note_573623571 > +static const struct secret client_normal_0[] = { I see all of the arrays are named with client_*, shouldn't those secrets be in the client-secrets.h? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1421 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed May 12 14:35:24 2021 
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 12 May 2021 12:35:24 +0000 Subject: [gnutls-devel] GnuTLS | Improve 0-RTT support for QUIC (!1421) In-Reply-To: References: Message-ID: Ivan Nikolchev commented: Few small nits, but other than that it looks good to me. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1421#note_573624801 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed May 12 17:24:42 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 12 May 2021 15:24:42 +0000 Subject: [gnutls-devel] GnuTLS | Cannot support TLSv1.3 RSA-PSS with external keys (#1235) In-Reply-To: References: Message-ID: David Woodhouse commented: This might do it. My God I shouldn't have to write something like this in my application just to ask the crypto library to use the key that the user asked me to use :) https://gitlab.com/openconnect/openconnect/-/commit/022bd9c606ac9bb81cdaaf009f2e98ae36d4acac -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1235#note_573808037 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed May 12 19:35:53 2021 
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 12 May 2021 17:35:53 +0000 Subject: [gnutls-devel] GnuTLS | DTLS handshake restarted by ClientHello using invalid message sequence numbers (#1233) In-Reply-To: References: Message-ID:

Paul commented:

I opened a similar [issue for Scandium](https://github.com/eclipse/californium/issues/1620), which also exhibited this behavior. From the discussions I had there, it appears the DTLS 1.2 RFC may provide some ground for accepting ClientHello messages with increased message sequence numbers based on the [quote](https://www.rfc-editor.org/rfc/rfc6347.html#page-18):

> If a server receives a ClientHello with an invalid cookie, it SHOULD
> treat it the same as a ClientHello with no cookie. This avoids
> race/deadlock conditions if the client somehow gets a bad cookie
> (e.g., because the server changes its cookie signing key).
> Note to implementors: This may result in clients receiving multiple
> HelloVerifyRequest messages with different cookies. Clients SHOULD
> handle this by sending a new ClientHello with a cookie in response to
> the new HelloVerifyRequest.

If this is indeed the reason for accepting such ClientHellos, then I think the issue can be closed. I am leaving this issue open to ensure the behavior is intended (a dev may close it if that is the case), as it does appear to be a bit of an edge case.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1233#note_574085248
You're receiving this email because of your account on gitlab.com.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
From gnutls-devel at lists.gnutls.org Wed May 12 20:16:53 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 12 May 2021 18:16:53 +0000 Subject: [gnutls-devel] libtasn1 | Fix bugs unvelieled by Static Analysis (!80) In-Reply-To: References: Message-ID: Merge request !80 was merged Merge request URL: https://gitlab.com/gnutls/libtasn1/-/merge_requests/80 Project:Branches: simo5/libtasn1:covscan_fixes to gnutls/libtasn1:master Author: Simo Sorce Assignees: Reviewers: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/-/merge_requests/80 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu May 13 01:07:24 2021 
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 12 May 2021 23:07:24 +0000 Subject: [gnutls-devel] GnuTLS | certtool mis-encodes keyUsage when trailing bits are 0 (#1236) References: Message-ID:

Daniel Kahn Gillmor created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1236

over on the IETF's [LAMPS WG's mailing list](https://www.ietf.org/mailman/listinfo/spasm), [David A. Cooper writes](https://mailarchive.ietf.org/arch/msg/spasm/fy6ilJRnqBaXiZctVyHJELQMmK8/):

```
the keyUsage extensions in the certificates are not DER encoded. The
keyUsage extensions in the certificates are all encoded in the form
"03 03 07 XX 00." It seems that the developer of the encoder mistakenly
believed that the bit string should always be 9 bits long in order to
correspond to the definition of keyUsage:

KeyUsage ::= BIT STRING {
     digitalSignature        (0),
     nonRepudiation          (1), -- recent editions of X.509 have
                                  -- renamed this bit to contentCommitment
     keyEncipherment         (2),
     dataEncipherment        (3),
     keyAgreement            (4),
     keyCertSign             (5),
     cRLSign                 (6),
     encipherOnly            (7),
     decipherOnly            (8) }

However, X.680 and X.690 specify that when encoding a named bit list,
such as above, any trailing zeros must be removed. So, a keyUsage
extension with just digitalSignature and nonRepudiation set would be
encoded as a bit string that is only two bits long ('11') and a keyUsage
extension with just keyAgreement set would be encoded as a bit string
that is five bits long ('00001').

So, the correct encoding for the keyUsage extension would be:

* "03 02 01 06" for the CA certificate
* "03 02 06 C0" for the digital signature certificates
* "03 02 05 20" for the encryption certificates
* "03 02 03 08" for the key agreement certificates
```

This concerns [draft-ietf-lamps-samples](https://datatracker.ietf.org/doc/draft-ietf-lamps-samples/), which contains certificates being generated by `certtool`.
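The named-bit-list rule from the message quoted in issue #1236, as an added example that is not part of the original thread and is not GnuTLS or libtasn1 code. It puts the fixed 9-bit form next to the minimal DER form and adds a checker for already-encoded values; the `KU_*` names and the `ku_*` functions are hypothetical and only short-form lengths are handled.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Named-bit numbers from the KeyUsage definition quoted in the issue.
 * The identifiers are hypothetical, not GnuTLS constants. */
enum {
    KU_DIGITAL_SIGNATURE = 0, KU_NON_REPUDIATION = 1, KU_KEY_ENCIPHERMENT = 2,
    KU_DATA_ENCIPHERMENT = 3, KU_KEY_AGREEMENT = 4, KU_KEY_CERT_SIGN = 5,
    KU_CRL_SIGN = 6, KU_ENCIPHER_ONLY = 7, KU_DECIPHER_ONLY = 8
};
#define KU(n) ((uint16_t)(1u << (n)))

/* Named bit 0 is the most significant bit of the first content octet. */
static void set_named_bit(uint8_t *octets, unsigned n)
{
    octets[n / 8] |= (uint8_t)(0x80u >> (n % 8));
}

/* The non-DER form reported in the issue: always 9 bits, "03 03 07 XX 00"
 * whenever decipherOnly is clear. out must hold 5 octets. */
size_t ku_encode_fixed9(uint16_t usage, uint8_t *out)
{
    unsigned n;
    out[0] = 0x03; out[1] = 0x03; out[2] = 0x07; out[3] = 0x00; out[4] = 0x00;
    for (n = 0; n <= 8; n++)
        if (usage & KU(n))
            set_named_bit(out + 3, n);
    return 5;
}

/* DER form: the bit string ends at the highest named bit that is set.
 * out must hold 5 octets; returns the TLV length. */
size_t ku_encode_der(uint16_t usage, uint8_t *out)
{
    int highest = -1;
    unsigned n, nbits, nbytes;

    for (n = 0; n <= 8; n++)
        if (usage & KU(n))
            highest = (int)n;
    nbits = (unsigned)(highest + 1);          /* 0 when no bit is set */
    nbytes = (nbits + 7) / 8;
    out[0] = 0x03;                            /* BIT STRING tag */
    out[1] = (uint8_t)(1 + nbytes);           /* unused-bits octet + content */
    out[2] = (uint8_t)(nbytes * 8 - nbits);   /* unused bits in last octet */
    memset(out + 3, 0, nbytes);
    for (n = 0; n < nbits; n++)
        if (usage & KU(n))
            set_named_bit(out + 3, n);
    return 3 + nbytes;
}

/* Returns 1 when tlv is a minimally encoded named-bit-list BIT STRING. */
int ku_is_der(const uint8_t *tlv, size_t len)
{
    uint8_t unused, last;

    if (len < 3 || tlv[0] != 0x03 || tlv[1] >= 0x80 || (size_t)tlv[1] + 2 != len)
        return 0;
    unused = tlv[2];
    if (unused > 7)
        return 0;
    if (len == 3)
        return unused == 0;                   /* empty bit string: 03 01 00 */
    last = tlv[len - 1];
    if (last & (uint8_t)((1u << unused) - 1))
        return 0;                             /* padding bits must be zero */
    return (last >> unused) & 1;              /* final bit must be 1 */
}

static void dump(const char *label, const uint8_t *p, size_t n)
{
    size_t i;
    printf("%-8s", label);
    for (i = 0; i < n; i++)
        printf(" %02X", p[i]);
    printf("  %s\n", ku_is_der(p, n) ? "DER" : "not DER");
}

int main(void)
{
    /* The four certificate profiles listed in the quoted message. */
    static const struct { const char *name; uint16_t usage; } profiles[] = {
        { "CA",       KU(KU_KEY_CERT_SIGN) | KU(KU_CRL_SIGN) },
        { "signing",  KU(KU_DIGITAL_SIGNATURE) | KU(KU_NON_REPUDIATION) },
        { "encrypt",  KU(KU_KEY_ENCIPHERMENT) },
        { "keyagree", KU(KU_KEY_AGREEMENT) },
    };
    uint8_t buf[5];
    size_t i;

    for (i = 0; i < sizeof profiles / sizeof profiles[0]; i++) {
        dump(profiles[i].name, buf, ku_encode_fixed9(profiles[i].usage, buf));
        dump("", buf, ku_encode_der(profiles[i].usage, buf));
    }
    return 0;
}
```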
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 12 May 2021 23:25:13 +0000 Subject: [gnutls-devel] GnuTLS | `certtool` permits creation of certificates "negative" serial numbers (#1237) References: Message-ID:

Daniel Kahn Gillmor created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1237

over on the IETF's [LAMPS WG's mailing list](https://www.ietf.org/mailman/listinfo/spasm), [David A. Cooper writes](https://mailarchive.ietf.org/arch/msg/spasm/fy6ilJRnqBaXiZctVyHJELQMmK8/):

```
[The certificates] contain negative serial numbers. While this is
permitted by X.509, Section 4.1.2.2 of RFC 5280 requires conforming CAs
to use positive integers as serial numbers.
```

While the `certtool` template used to generate the certificate does contain hex that would be read as a negative number (e.g. `serial = 0xdebecc44907bab1df99acd6d1568fbb61df2e6`), certtool probably shouldn't embed it in non-compliant form.

Two different ways that GnuTLS could approach this would be:

- prefix such a serial number with a leading 0x00 octet, thereby making it compliant, or
- reject it as malformed and refuse to generate the cert (as it would if it saw a template line `serial = nan`)

I suspect this is also the case for generating certificate requests, but i've only encountered it when generating certificates.

This concerns [draft-ietf-lamps-samples](https://datatracker.ietf.org/doc/draft-ietf-lamps-samples/), which contains certificates being generated by `certtool`.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1237
You're receiving this email because of your account on gitlab.com.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
From gnutls-devel at lists.gnutls.org Thu May 13 02:53:16 2021
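The two approaches proposed in issue #1237 (prefix a 0x00 octet, or refuse the value), as an added example that is not part of the original thread and is not certtool code. All function, enum and error names are hypothetical; the 20-octet cap is an assumption taken from RFC 5280 section 4.1.2.2 rather than from the thread.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The two behaviours proposed in the issue (names are hypothetical). */
enum serial_policy { SERIAL_PREFIX_ZERO, SERIAL_REJECT };
enum {
    SERIAL_OK = 0,
    SERIAL_ERR_SYNTAX = -1,        /* not "0x" followed by hex digits */
    SERIAL_ERR_NEGATIVE = -2,      /* top bit set as written, policy is reject */
    SERIAL_ERR_NOT_POSITIVE = -3,  /* value is zero */
    SERIAL_ERR_TOO_LONG = -4       /* content would exceed SERIAL_MAX_OCTETS */
};
#define SERIAL_MAX_OCTETS 20       /* assumption: RFC 5280 4.1.2.2 length limit */

static int hexval(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Parse "0x..." into big-endian octets; returns the count or an error. */
static int parse_hex(const char *s, uint8_t *out, size_t cap)
{
    size_t digits, i, n;

    if (s[0] != '0' || (s[1] != 'x' && s[1] != 'X'))
        return SERIAL_ERR_SYNTAX;
    s += 2;
    digits = strlen(s);
    if (digits == 0)
        return SERIAL_ERR_SYNTAX;
    n = (digits + 1) / 2;
    if (n > cap)
        return SERIAL_ERR_TOO_LONG;
    memset(out, 0, n);
    for (i = 0; i < digits; i++) {
        int v = hexval(s[i]);
        size_t pos = i + (digits & 1);  /* odd count: implicit leading nibble 0 */
        if (v < 0)
            return SERIAL_ERR_SYNTAX;
        out[pos / 2] |= (uint8_t)(pos % 2 ? v : v << 4);
    }
    return (int)n;
}

/* Encode a template serial as a DER INTEGER TLV. out must hold 22 octets. */
int serial_encode(const char *hex, enum serial_policy policy,
                  uint8_t *out, size_t *out_len)
{
    uint8_t raw[64];
    const uint8_t *p = raw;
    size_t len, pad;
    int n = parse_hex(hex, raw, sizeof raw);

    if (n < 0)
        return n;
    len = (size_t)n;
    /* As written, a set top bit means the octets read as a negative INTEGER. */
    if ((raw[0] & 0x80) && policy == SERIAL_REJECT)
        return SERIAL_ERR_NEGATIVE;
    /* DER is minimal: drop redundant leading zero octets of the magnitude. */
    while (len > 1 && p[0] == 0x00) { p++; len--; }
    if (len == 1 && p[0] == 0x00)
        return SERIAL_ERR_NOT_POSITIVE;
    pad = (p[0] & 0x80) ? 1 : 0;       /* 0x00 keeps the value positive */
    if (len + pad > SERIAL_MAX_OCTETS)
        return SERIAL_ERR_TOO_LONG;
    out[0] = 0x02;                     /* INTEGER tag */
    out[1] = (uint8_t)(len + pad);
    if (pad)
        out[2] = 0x00;
    memcpy(out + 2 + pad, p, len);
    *out_len = 2 + pad + len;
    return SERIAL_OK;
}

/* Check for already-issued material: does this INTEGER TLV read as negative? */
int der_integer_is_negative(const uint8_t *tlv, size_t len)
{
    return len >= 3 && tlv[0] == 0x02 && tlv[1] == len - 2 && (tlv[2] & 0x80) != 0;
}

int main(void)
{
    /* The template value quoted in the issue. */
    const char *serial = "0xdebecc44907bab1df99acd6d1568fbb61df2e6";
    uint8_t der[2 + SERIAL_MAX_OCTETS];
    size_t n = 0, i;

    printf("reject policy: %d\n", serial_encode(serial, SERIAL_REJECT, der, &n));
    if (serial_encode(serial, SERIAL_PREFIX_ZERO, der, &n) == SERIAL_OK) {
        printf("prefix policy:");
        for (i = 0; i < n; i++)
            printf(" %02x", der[i]);
        printf("\n");
    }
    return 0;
}
```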
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Thu, 13 May 2021 00:53:16 +0000 Subject: [gnutls-devel] GnuTLS | x509: Write keyUsage extension with minimal BIT STRING (!1431) References: Message-ID: Daniel Kahn Gillmor created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1431 Project:Branches: dkg/gnutls:minimal-key-usage to gnutls/gnutls:master Author: Daniel Kahn Gillmor This aims to fix #1236. ## Checklist * [x] Commits have `Signed-off-by:` with name/author being identical to the commit author * [x] Code modified for feature * [ ] Test suite updated with functionality tests * [ ] Test suite updated with negative tests * [ ] Documentation updated / NEWS entry present (for non-trivial changes) * [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout) ## Reviewer's checklist: * [ ] Any issues marked for closing are addressed * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md` * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1431 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu May 13 10:06:43 2021 
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Thu, 13 May 2021 08:06:43 +0000 Subject: [gnutls-devel] GnuTLS | CI updates and build fixes spotted by GCC 11 (!1430) In-Reply-To: References: Message-ID: Merge request !1430 was scheduled to merge after pipeline succeeds by Daiki Ueno Merge request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1430 Project:Branches: dueno/gnutls:wip/dueno/build-fixes to gnutls/gnutls:master Author: Daiki Ueno Assignees: Reviewers: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1430 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu May 13 11:12:19 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Thu, 13 May 2021 09:12:19 +0000 Subject: [gnutls-devel] GnuTLS | CI updates and build fixes spotted by GCC 11 (!1430) In-Reply-To: References: Message-ID: Merge request !1430 was merged Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1430 Project:Branches: dueno/gnutls:wip/dueno/build-fixes to gnutls/gnutls:master Author: Daiki Ueno Assignees: Reviewers: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1430 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu May 13 11:24:06 2021 
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Thu, 13 May 2021 09:24:06 +0000 Subject: [gnutls-devel] GnuTLS | Improve 0-RTT support for QUIC (!1421) In-Reply-To: References: Message-ID: All discussions on merge request !1421 were resolved by Daiki Ueno https://gitlab.com/gnutls/gnutls/-/merge_requests/1421 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1421 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu May 13 11:23:55 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Thu, 13 May 2021 09:23:55 +0000 Subject: [gnutls-devel] GnuTLS | Improve 0-RTT support for QUIC (!1421) In-Reply-To: References: Message-ID: Daiki Ueno commented on a discussion on tests/secrets.h: https://gitlab.com/gnutls/gnutls/-/merge_requests/1421#note_574697430 > +static const struct secret client_normal_0[] = { Right, sorry; this file was mistakenly added. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1421#note_574697430 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu May 13 11:50:23 2021 
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Thu, 13 May 2021 09:50:23 +0000 Subject: [gnutls-devel] GnuTLS | Improve 0-RTT support for QUIC (!1421) In-Reply-To: References: Message-ID: Merge request !1421 was scheduled to merge after pipeline succeeds by Daiki Ueno Merge request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1421 Project:Branches: dueno/gnutls:wip/dueno/earlydata to gnutls/gnutls:master Author: Daiki Ueno Assignees: Reviewers: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1421 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu May 13 11:50:30 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Thu, 13 May 2021 09:50:30 +0000 Subject: [gnutls-devel] GnuTLS | Improve 0-RTT support for QUIC (!1421) In-Reply-To: References: Message-ID: Daiki Ueno commented: Thank you for the review! -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1421#note_574763336 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu May 13 12:31:28 2021 
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Thu, 13 May 2021 10:31:28 +0000 Subject: [gnutls-devel] GnuTLS | Early data issues in QUIC use (#1216) In-Reply-To: References: Message-ID: Issue was closed by Daiki Ueno via commit 5216620eaa309f82a33bb9eefc53a263dd896b6e Issue #1216: https://gitlab.com/gnutls/gnutls/-/issues/1216 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1216 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu May 13 12:31:27 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Thu, 13 May 2021 10:31:27 +0000 Subject: [gnutls-devel] GnuTLS | Improve 0-RTT support for QUIC (!1421) In-Reply-To: References: Message-ID: Merge request !1421 was merged Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1421 Project:Branches: dueno/gnutls:wip/dueno/earlydata to gnutls/gnutls:master Author: Daiki Ueno Assignees: Reviewers: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1421 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu May 13 15:05:08 2021 
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Thu, 13 May 2021 13:05:08 +0000 Subject: [gnutls-devel] GnuTLS | Windows builds: 'make install' installs dummy crypt32.dll and ncrypt.dll (#1232) In-Reply-To: References: Message-ID: Daiki Ueno commented: Thank you for the suggestion; I've updated the MR, though I couldn't test by myself. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1232#note_574951723 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu May 13 15:21:21 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Thu, 13 May 2021 13:21:21 +0000 Subject: [gnutls-devel] GnuTLS | x509: Write keyUsage extension with minimal BIT STRING (!1431) In-Reply-To: References: Message-ID: Merge request !1431 was approved by Daiki Ueno Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1431 Project:Branches: dkg/gnutls:minimal-key-usage to gnutls/gnutls:master Author: Daniel Kahn Gillmor Assignees: Reviewers: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1431 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu May 13 15:21:06 2021 
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Thu, 13 May 2021 13:21:06 +0000 Subject: [gnutls-devel] GnuTLS | GnuTLS sends protocol_version alert when client message contains unrecognized version (#1230) In-Reply-To: References: Message-ID: Weiqi Wang commented on a discussion: https://gitlab.com/gnutls/gnutls/-/issues/1230#note_574963865 Yes, the `unexpected_message` should be sent. The logic in the description is to support that `protocol_version` alert shouldn't be sent (The logic itself is not meant to be implemented). As I mentioned in the expected result and confirmed by Hubert, the server should send `unexpected_message` alert. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1230#note_574963865 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu May 13 15:21:59 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Thu, 13 May 2021 13:21:59 +0000 Subject: [gnutls-devel] GnuTLS | x509: Write keyUsage extension with minimal BIT STRING (!1431) In-Reply-To: References: Message-ID: Daiki Ueno commented: Thank you; the CI should succeed once you rebase against the master. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1431#note_574964459 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu May 13 16:55:11 2021 
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Thu, 13 May 2021 14:55:11 +0000 Subject: [gnutls-devel] GnuTLS | Ed448 keys are indicated as having a 456-bit "security level" (#1231) In-Reply-To: References: Message-ID: Brian Henry commented: "security levels" is different to "key size (key length)". I found some [explanation](https://cryptobook.nakov.com/asymmetric-key-ciphers/elliptic-curve-cryptography-ecc): > The Curve448 provides ~ 224-bit security level (more precisely [222.8-bits](https://safecurves.cr.yp.to/rho.html)). The private keys for the Curve448 are 446 bits and are typically encoded as 448-bit integers (56 bytes, 112 hex digits). The public keys are also encoded as 448-bit integers. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1231#note_575041260 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu May 13 16:57:39 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Thu, 13 May 2021 14:57:39 +0000 Subject: [gnutls-devel] GnuTLS | Windows builds: 'make install' installs dummy crypt32.dll and ncrypt.dll (#1232) In-Reply-To: References: Message-ID: Issue was closed by Daiki Ueno via merge request !1429 (https://gitlab.com/gnutls/gnutls/-/merge_requests/1429) Issue #1232: https://gitlab.com/gnutls/gnutls/-/issues/1232 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1232 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu May 13 16:57:39 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Thu, 13 May 2021 14:57:39 +0000 Subject: [gnutls-devel] GnuTLS | tests: don't install crypt32.dll and ncrypt.dll replacement (!1429) In-Reply-To: References: Message-ID: Merge request !1429 was merged Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1429 Project:Branches: dueno/gnutls:wip/dueno/windows-tests to gnutls/gnutls:master Author: Daiki Ueno Assignees: Reviewers: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1429 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu May 13 16:58:57 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Thu, 13 May 2021 14:58:57 +0000 Subject: [gnutls-devel] GnuTLS | certtool mis-encodes keyUsage when trailing bits are 0 (#1236) In-Reply-To: References: Message-ID: Reassigned Issue 1236 https://gitlab.com/gnutls/gnutls/-/issues/1236 Assignee changed to Daniel Kahn Gillmor -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1236 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu May 13 19:39:18 2021 
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Thu, 13 May 2021 17:39:18 +0000 Subject: [gnutls-devel] libtasn1 | Improve version numbers when building from git (#34) In-Reply-To: References: Message-ID: Issue was closed by Simon Josefsson Issue #34: https://gitlab.com/gnutls/libtasn1/-/issues/34 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/-/issues/34 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu May 13 19:47:30 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Thu, 13 May 2021 17:47:30 +0000 Subject: [gnutls-devel] libtasn1 | Send release announcements to info-gnu@gnu.org (#18) In-Reply-To: References: Message-ID: Issue was closed by Simon Josefsson Issue #18: https://gitlab.com/gnutls/libtasn1/-/issues/18 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/-/issues/18 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu May 13 19:47:29 2021 
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Thu, 13 May 2021 17:47:29 +0000 Subject: [gnutls-devel] libtasn1 | Send release announcements to info-gnu@gnu.org (#18) In-Reply-To: References: Message-ID: Simon Josefsson commented: The new gnulib-based 'readme-release' infrastructure creates announcement messages automatically that suggest posting to info-gnu, and I did so for 4.17.0. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/-/issues/18#note_575162574 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu May 13 19:50:18 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Thu, 13 May 2021 17:50:18 +0000 Subject: [gnutls-devel] libtasn1 | Errors when cloning the repository. (#29) In-Reply-To: References: Message-ID: Simon Josefsson commented: Ouch. Yes -- let's convert all ':' into '-' or something. Please provide a merge request. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/-/issues/29#note_575163857 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu May 13 20:15:34 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Thu, 13 May 2021 18:15:34 +0000 Subject: [gnutls-devel] libtasn1 | fuzz/corpus2array: fix build with gnu89 (!70) In-Reply-To: References: Message-ID: Simon Josefsson commented: Looks fine to me -- please update merge request so it passes pipeline, and maybe fix the problem Tim found if you want, and we can merge it. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/-/merge_requests/70#note_575180037 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu May 13 22:52:34 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Thu, 13 May 2021 20:52:34 +0000 Subject: [gnutls-devel] GnuTLS | x509: Write keyUsage extension with minimal BIT STRING (!1431) In-Reply-To: References: Message-ID: Daniel Kahn Gillmor commented: Thanks! I've rebased now. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1431#note_575269095 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu May 13 23:56:13 2021 
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Thu, 13 May 2021 21:56:13 +0000 Subject: [gnutls-devel] libtasn1 | Test_tree and copynode test failures on clang 10+ (#30) In-Reply-To: References: Message-ID: Carlo Cabrera commented: Is this now resolved? The fix seems to have been merged in https://gitlab.com/gnutls/libtasn1/-/merge_requests/74. Just want to make sure because we're discussing dropping a patch that implements an alternative fix in https://github.com/Homebrew/homebrew-core/pull/77228. Thanks! -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/-/issues/30#note_575293037 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri May 14 03:31:34 2021 
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 14 May 2021 01:31:34 +0000 Subject: [gnutls-devel] libtasn1 | Rename test files. Avoid using ':', which is illegal on Windows. (!81) References: Message-ID:

Konstantin Kouptsov created a merge request: https://gitlab.com/gnutls/libtasn1/-/merge_requests/81

Project:Branches: kkouptsov/libtasn1:kk/rename-files to gnutls/libtasn1:master
Author: Konstantin Kouptsov

This addresses the issue https://gitlab.com/gnutls/libtasn1/-/issues/29

Files in libtasn1/tests/invalid-x509 are renamed to avoid using colons, ':', which are illegal characters in the path on Windows. Specifically, the following replacements are made in each offending file path:

```
'id:' -> 'id-'
'src:' -> 'src-'
'orig:' -> 'orig-'
'op:' -> 'op-'
'pos:' -> 'pos-'
'rep:' -> 'rep-'
'val:' -> 'val-'
'be:' -> 'be-'
```

which are the same as ':' -> '-' but reversible, considering there are other '-' characters in the file names.

Checking out this branch on Windows succeeds. `make check` passes.

PS. `$ git clone https://gitlab.com/gnutls/libtasn1.git` in MINGW on Windows still gives an error, however `$ git checkout kk/rename-files` succeeds without errors. When this branch is merged to master, the above command will work with no errors as well, as expected.

## Checklist
* [ ] Code modified for feature
* [ ] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated

## Reviewer's checklist:
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent with other code
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/-/merge_requests/81
You're receiving this email because of your account on gitlab.com.
-------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri May 14 06:26:09 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 14 May 2021 04:26:09 +0000 Subject: [gnutls-devel] libtasn1 | Rename test files. Avoid using ':', which is illegal on Windows. (!81) In-Reply-To: References: Message-ID: Merge request !81 was approved by Daiki Ueno Merge request URL: https://gitlab.com/gnutls/libtasn1/-/merge_requests/81 Project:Branches: kkouptsov/libtasn1:kk/rename-files to gnutls/libtasn1:master Author: Konstantin Kouptsov Assignees: Reviewers: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/-/merge_requests/81 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri May 14 08:04:51 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 14 May 2021 06:04:51 +0000 Subject: [gnutls-devel] libtasn1 | Test_tree and copynode test failures on clang 10+ (#30) In-Reply-To: References: Message-ID: Stefan Weil commented: I think it is resolved, and the issue could be closed. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/-/issues/30#note_575414343 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri May 14 08:49:46 2021 
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 14 May 2021 06:49:46 +0000 Subject: [gnutls-devel] GnuTLS | WIP: .gitlab-ci.yml: add bootstrap stage (!1432) References: Message-ID: Daiki Ueno created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1432 Project:Branches: dueno/gnutls:wip/dueno/ci-bootstrap to gnutls/gnutls:master Author: Daiki Ueno Fixes: #891 ## Checklist * [x] Commits have `Signed-off-by:` with name/author being identical to the commit author * [ ] Code modified for feature * [ ] Test suite updated with functionality tests * [ ] Test suite updated with negative tests * [ ] Documentation updated / NEWS entry present (for non-trivial changes) * [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout) ## Reviewer's checklist: * [ ] Any issues marked for closing are addressed * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md` * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1432 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri May 14 08:57:41 2021 
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 14 May 2021 06:57:41 +0000 Subject: [gnutls-devel] GnuTLS | serv: stop setting AI_ADDRCONFIG on getaddrinfo (!1433) References: Message-ID: Daiki Ueno created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1433 Project:Branches: dueno/gnutls:wip/dueno/addrconfig to gnutls/gnutls:master Author: Daiki Ueno Fixes: #1007 ## Checklist * [x] Commits have `Signed-off-by:` with name/author being identical to the commit author * [ ] Code modified for feature * [ ] Test suite updated with functionality tests * [ ] Test suite updated with negative tests * [ ] Documentation updated / NEWS entry present (for non-trivial changes) * [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout) ## Reviewer's checklist: * [ ] Any issues marked for closing are addressed * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md` * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1433 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri May 14 09:17:07 2021 
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 14 May 2021 07:17:07 +0000 Subject: [gnutls-devel] GnuTLS | .gitlab-ci.yml: add bootstrap stage (!1432) In-Reply-To: References: Message-ID: Daiki Ueno changed the draft status of merge request !1432 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1432 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri May 14 12:56:29 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 14 May 2021 10:56:29 +0000 Subject: [gnutls-devel] GnuTLS | serv: stop setting AI_ADDRCONFIG on getaddrinfo (!1433) In-Reply-To: References: Message-ID: Merge request !1433 was approved by Andreas Metzler Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1433 Project:Branches: dueno/gnutls:wip/dueno/addrconfig to gnutls/gnutls:master Author: Daiki Ueno Assignees: Reviewers: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1433 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri May 14 12:57:05 2021 
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Fri, 14 May 2021 10:57:05 +0000
Subject: [gnutls-devel] GnuTLS | Testsuite error - listening on IPv6, connecting to IPv4 (#1007)
In-Reply-To:
References:
Message-ID:

Andreas Metzler commented on a discussion: https://gitlab.com/gnutls/gnutls/-/issues/1007#note_575621922

Sorry, it somehow fell off my radar.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1007#note_575621922
You're receiving this email because of your account on gitlab.com.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
From gnutls-devel at lists.gnutls.org Fri May 14 13:14:32 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Fri, 14 May 2021 11:14:32 +0000
Subject: [gnutls-devel] GnuTLS | Speed up or avoid bootstrap in CI runners (#891)
In-Reply-To:
References:
Message-ID:

Issue was closed by Daiki Ueno via merge request !1432 (https://gitlab.com/gnutls/gnutls/-/merge_requests/1432)

Issue #891: https://gitlab.com/gnutls/gnutls/-/issues/891

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/891
You're receiving this email because of your account on gitlab.com.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
From gnutls-devel at lists.gnutls.org Fri May 14 13:14:31 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 14 May 2021 11:14:31 +0000 Subject: [gnutls-devel] GnuTLS | .gitlab-ci.yml: add bootstrap stage (!1432) In-Reply-To: References: Message-ID: Merge request !1432 was merged Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1432 Project:Branches: dueno/gnutls:wip/dueno/ci-bootstrap to gnutls/gnutls:master Author: Daiki Ueno Assignees: Reviewers: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1432 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri May 14 14:21:38 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 14 May 2021 12:21:38 +0000 Subject: [gnutls-devel] GnuTLS | Testsuite error - listening on IPv6, connecting to IPv4 (#1007) In-Reply-To: References: Message-ID: Issue was closed by Daiki Ueno via merge request !1433 (https://gitlab.com/gnutls/gnutls/-/merge_requests/1433) Issue #1007: https://gitlab.com/gnutls/gnutls/-/issues/1007 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1007 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri May 14 14:21:38 2021 
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 14 May 2021 12:21:38 +0000 Subject: [gnutls-devel] GnuTLS | serv: stop setting AI_ADDRCONFIG on getaddrinfo (!1433) In-Reply-To: References: Message-ID: Merge request !1433 was merged Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1433 Project:Branches: dueno/gnutls:wip/dueno/addrconfig to gnutls/gnutls:master Author: Daiki Ueno Assignees: Reviewers: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1433 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri May 14 16:15:37 2021 
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 14 May 2021 14:15:37 +0000 Subject: [gnutls-devel] GnuTLS | cert: filter out unsupported cert types from TLS 1.2 CR (!1434) References: Message-ID: Daiki Ueno created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1434 Project:Branches: dueno/gnutls:wip/dueno/tls12-cert-type to gnutls/gnutls:master Author: Daiki Ueno Add a description of the new feature/bug fix. Reference any relevant bugs. ## Checklist * [x] Commits have `Signed-off-by:` with name/author being identical to the commit author * [ ] Code modified for feature * [ ] Test suite updated with functionality tests * [ ] Test suite updated with negative tests * [ ] Documentation updated / NEWS entry present (for non-trivial changes) * [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout) ## Reviewer's checklist: * [ ] Any issues marked for closing are addressed * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md` * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1434 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri May 14 19:52:58 2021 
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Fri, 14 May 2021 17:52:58 +0000
Subject: [gnutls-devel] GnuTLS | x509: Write keyUsage extension with minimal BIT STRING (!1431)
In-Reply-To:
References:
Message-ID:

Daniel Kahn Gillmor commented:

Looks like the following tests are still failing with this patch applied:

- gnutls_x509_crt_sign
- gnutls_x509_crq_sign
- crt_apis
- crq_apis

I'm looking into them. I suspect that they embed some assumptions about how a generated object should look. I think the right way to fix them is to change the desired result to contain a minimized keyUsage BIT STRING.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1431#note_575918064
You're receiving this email because of your account on gitlab.com.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
From gnutls-devel at lists.gnutls.org Fri May 14 22:15:41 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 14 May 2021 20:15:41 +0000 Subject: [gnutls-devel] GnuTLS | Soft-disabling configuration capabilities should match the hard-disabling ones (#1172) In-Reply-To: References: Message-ID: David Woodhouse commented: We are finding this particularly problematic in OpenConnect because when we attempt to use our carefully crafted prio strings to select a particular version of DTLS, the system policy makes it fail. It's OK to disable things by default, but to force them off even when the application knows what it's doing and explicitly tries to use them is going to be counter-productive. https://gitlab.com/openconnect/openconnect/-/issues/243 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1172#note_575984608 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri May 14 22:32:03 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 14 May 2021 20:32:03 +0000 Subject: [gnutls-devel] GnuTLS | x509: Write keyUsage extension with minimal BIT STRING (!1431) In-Reply-To: References: Message-ID: Daniel Kahn Gillmor commented: The latest version now has fixes to many artifacts in the test suite. I'll keep an eye on the CI to see how it fares. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1431#note_575990642 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri May 14 23:10:47 2021 
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 14 May 2021 21:10:47 +0000 Subject: [gnutls-devel] GnuTLS | Ed448 keys are indicated as having a 456-bit "security level" (#1231) In-Reply-To: References: Message-ID: Daniel Kahn Gillmor commented: I agree with @phlerovium's note: key size or length has to do with the octets consumed on the wire or in local storage. "strength" is a rough attempt at providing an equivalence to the expected "work factor" (in log 2) needed for a brute-force attack. But the note made me realize there is an additional weird annotation above, namely: Generating a 256 bit EdDSA (Ed448) private key That should probably read "Generating a 448 bit EdDSA (Ed448) private key". -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1231#note_576004047 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri May 14 23:39:01 2021 
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Fri, 14 May 2021 21:39:01 +0000
Subject: [gnutls-devel] GnuTLS | certtool: adding a policy without qualifiers results in empty sequence (#1238)
References:
Message-ID:

Daniel Kahn Gillmor created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1238

Consider a certtool template that contains one of the [NIST test policies](https://csrc.nist.gov/CSRC/media/Projects/Computer-Security-Objects-Register/documents/test_policy.pdf):

```
policy1 = 2.16.840.1.101.3.2.1.48.1
```

but doesn't contain either `policy1_txt` or `policy1_url`.

In this case, `certtool` embeds an x509v3 certificatePolicies (2.5.29.32) extension with the value `3010300E060A608648016503020130013000`, which unpacks to:

```
  0  16: SEQUENCE {
  2  14:   SEQUENCE {
  4  10:     OBJECT IDENTIFIER nistTestPolicy1 (2 16 840 1 101 3 2 1 48 1)
 16   0:     SEQUENCE {}
       :     }
       :   }
```

RFC 3280 defines this structure as a `certificatePolicies` structure:

```
certificatePolicies ::= SEQUENCE SIZE (1..MAX) OF PolicyInformation

PolicyInformation ::= SEQUENCE {
     policyIdentifier   CertPolicyId,
     policyQualifiers   SEQUENCE SIZE (1..MAX) OF
                             PolicyQualifierInfo OPTIONAL }

CertPolicyId ::= OBJECT IDENTIFIER

PolicyQualifierInfo ::= SEQUENCE {
     policyQualifierId  PolicyQualifierId,
     qualifier          ANY DEFINED BY policyQualifierId }
```

The final empty sequence (starting at octet 16) is the `policyQualifiers` object. This object is optional. But if it is present, it is a sequence of at least size 1.

If there are no qualifiers, `certtool` should instead omit the `policyQualifiers` sequence entirely, rather than emitting it as an empty sequence.

This was caught by [David Cooper's cert_check](https://github.com/dcooper16/cert_check).

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1238
You're receiving this email because of your account on gitlab.com.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
From gnutls-devel at lists.gnutls.org Sat May 15 00:11:14 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Fri, 14 May 2021 22:11:14 +0000
Subject: [gnutls-devel] GnuTLS | x509: Omit empty sequences of policyQualifiers. (!1435)
References:
Message-ID:

Daniel Kahn Gillmor created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1435

Project:Branches: dkg/gnutls:omit-empty-policy-qualifiers to gnutls/gnutls:master
Author: Daniel Kahn Gillmor

This aims to fix #1238.

A better fix would be for libtasn1 to recognize that when an `optional` `SEQUENCE` with minimum size 1 (e.g. `(1..MAX)`) has no elements, it should be omitted rather than trying to produce an empty `SEQUENCE`, but this is an easier fix for now.

## Checklist

* [x] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [x] Code modified for feature
* [ ] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
* [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:

* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1435
You're receiving this email because of your account on gitlab.com.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
From gnutls-devel at lists.gnutls.org Sat May 15 00:14:54 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 14 May 2021 22:14:54 +0000 Subject: [gnutls-devel] GnuTLS | certtool: generate, parse, and manipulate X25519 and X448 pubkeys, privkeys, and certificates (!1428) In-Reply-To: References: Message-ID: Daniel Kahn Gillmor commented: The most recent push is just a rebase against master, plus a fix to `tests/cert-tests/data/cert-eddsa.pem` now that the X25519 SPKI is interpretable. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1428#note_576020223 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat May 15 00:18:06 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 14 May 2021 22:18:06 +0000 Subject: [gnutls-devel] GnuTLS | certtool: adding a policy without qualifiers results in empty sequence (#1238) In-Reply-To: References: Message-ID: Daniel Kahn Gillmor commented: !1435 should resolve this. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1238#note_576020844 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat May 15 00:22:59 2021 
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Fri, 14 May 2021 22:22:59 +0000
Subject: [gnutls-devel] GnuTLS | x509: Write keyUsage extension with minimal BIT STRING (!1431)
In-Reply-To:
References:
Message-ID:

Daniel Kahn Gillmor commented:

The only remaining test failure that i can see is in [fedora-abicoverage/test](https://gitlab.com/dkg/gnutls/-/jobs/1263813358), and the failure is completely unrelated to these changes, afaict:

in tests/suite? FAIL: testcompat-polarssl-serv-no-etm.sh

Perhaps this is some sort of intermittent failure instead?

The [log for this failure](https://gitlab.com/dkg/gnutls/-/jobs/1263813358/artifacts/file/tests/suite/testcompat-polarssl-serv-no-etm.log) says in part:

```
HTTP Server listening on IPv4 0.0.0.0 port 5739...bind() failed: Address already in use
HTTP Server listening on IPv6 :: port 5739...bind() failed: Address already in use
```

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1431#note_576021816
You're receiving this email because of your account on gitlab.com.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
From gnutls-devel at lists.gnutls.org Sat May 15 00:24:01 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Fri, 14 May 2021 22:24:01 +0000
Subject: [gnutls-devel] GnuTLS | x509: Write keyUsage extension with minimal BIT STRING (!1431)
In-Reply-To:
References:
Message-ID:

Daniel Kahn Gillmor commented:

I've just launched a retry of the `fedora-abicoverage/test` runner.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1431#note_576022031
You're receiving this email because of your account on gitlab.com.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
From gnutls-devel at lists.gnutls.org Sat May 15 00:38:50 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Fri, 14 May 2021 22:38:50 +0000
Subject: [gnutls-devel] libtasn1 | be smarter when writing an empty optional sequence specified with a minimum length (#36)
References:
Message-ID:

Daniel Kahn Gillmor created an issue: https://gitlab.com/gnutls/libtasn1/-/issues/36

## Description of problem:

Over in https://gitlab.com/gnutls/gnutls/-/issues/1238, I noted that `certtool` was emitting an empty sequence of policyQualifiers even though the ASN.1 specification for `policyQualifiers` clearly says `(1..MAX) OPTIONAL`.

If libtasn1 knows that a given `SEQUENCE` is `OPTIONAL` and it has a minimum length (e.g. `(1..MAX)`, or, regardless of the upper limit, even `(1..2)` really), and the data structure to be written is an *empty* sequence, then libtasn1 should be clever enough to omit the member entirely.

## Version of libtasn1 used:

4.16.0-2

## Distributor of libtasn1 (e.g., Ubuntu, Fedora, RHEL)

Debian

## How reproducible:

Steps to Reproduce:

```
printf 'policy1=1.2.3.4\ncn="test"' > foo.template
certtool --generate-privkey > foo.key
certtool --generate-self-signed --template foo.template --load-privkey foo.key --outder | dumpasn1
```

## Actual results:

```
 556  18:             SEQUENCE {
 558   3:               OBJECT IDENTIFIER certificatePolicies (2 5 29 32)
 563  11:               OCTET STRING 30 09 30 07 06 03 2A 03 04 30 00
        :               }
```

The payload of the extension converts to:

```
$ xxd -r -c 256 <<<"0000 30 09 30 07 06 03 2A 03 04 30 00" | dumpasn1 -
  0   9: SEQUENCE {
  2   7:   SEQUENCE {
  4   3:     OBJECT IDENTIFIER '1 2 3 4'
  9   0:     SEQUENCE {}
       :     }
       :   }
$
```

## Expected results:

The payload of the extension should be `30 07 30 05 06 03 2A 03 04`, which is:

```
  0   7: SEQUENCE {
  2   5:   SEQUENCE {
  4   3:     OBJECT IDENTIFIER '1 2 3 4'
       :     }
       :   }
```

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/-/issues/36
You're receiving this email because of your account on gitlab.com.
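The check that GnuTLS issue #1238 and libtasn1 issue #36 above both describe, written out as an added example (not code from GnuTLS, libtasn1 or cert_check): a small DER walker that flags a `policyQualifiers` SEQUENCE that is present but empty, and re-encodes the value with it omitted. The function names are hypothetical; the three byte strings are the payloads quoted in the two reports.

```python
"""Lint a DER-encoded certificatePolicies extension value (added example)."""
SEQUENCE, OID = 0x30, 0x06
EMPTY_QUALIFIERS = "policyQualifiers present but empty; SIZE (1..MAX) means omit it"

# Extension payloads quoted in the two issue reports above.
ISSUE_1238_VALUE = bytes.fromhex("3010300E060A608648016503020130013000")
LIBTASN1_36_ACTUAL = bytes.fromhex("30 09 30 07 06 03 2A 03 04 30 00")
LIBTASN1_36_EXPECTED = bytes.fromhex("30 07 30 05 06 03 2A 03 04")


class DERError(ValueError):
    """Raised when the input is not well-formed DER."""


def read_tlv(buf, off, limit):
    """Parse one TLV at buf[off]; return (tag, value_start, value_end)."""
    if off + 2 > limit:
        raise DERError(f"truncated header at offset {off}")
    tag, first, pos = buf[off], buf[off + 1], off + 2
    if tag & 0x1F == 0x1F:
        raise DERError("high-tag-number form is not handled here")
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or pos + n > limit:
            raise DERError(f"bad length octets at offset {off}")
        length = int.from_bytes(buf[pos:pos + n], "big")
        if length < 0x80 or buf[pos] == 0:
            raise DERError(f"non-minimal length at offset {off}")
        pos += n
    if pos + length > limit:
        raise DERError(f"value overruns its container at offset {off}")
    return tag, pos, pos + length


def children(buf, start, end):
    """Return the (tag, value_start, value_end) triples inside buf[start:end]."""
    items, off = [], start
    while off < end:
        item = read_tlv(buf, off, end)
        items.append(item)
        off = item[2]
    return items


def decode_oid(body):
    """Decode OBJECT IDENTIFIER content octets to dotted notation."""
    if not body or body[-1] & 0x80:
        raise DERError("truncated OBJECT IDENTIFIER")
    arcs, value = [], 0
    for octet in body:
        value = (value << 7) | (octet & 0x7F)
        if not octet & 0x80:
            arcs.append(value)
            value = 0
    first = min(arcs[0] // 40, 2)
    return ".".join(str(a) for a in [first, arcs[0] - 40 * first] + arcs[1:])


def policy_infos(der):
    """Yield (policy OID, child TLVs) for each PolicyInformation."""
    tag, start, end = read_tlv(der, 0, len(der))
    if tag != SEQUENCE or end != len(der):
        raise DERError("expected one outer SEQUENCE covering the whole value")
    for ptag, pstart, pend in children(der, start, end):
        kids = children(der, pstart, pend)
        if ptag != SEQUENCE or not kids or kids[0][0] != OID:
            raise DERError("PolicyInformation must be a SEQUENCE starting with an OID")
        yield decode_oid(der[kids[0][1]:kids[0][2]]), kids


def lint_certificate_policies(der):
    """Return a list of (policy OID, problem) findings; empty means clean."""
    findings, count = [], 0
    for oid, kids in policy_infos(der):
        count += 1
        if len(kids) > 2 or (len(kids) == 2 and kids[1][0] != SEQUENCE):
            findings.append((oid, "unexpected element after policyIdentifier"))
        elif len(kids) == 2 and kids[1][1] == kids[1][2]:
            findings.append((oid, EMPTY_QUALIFIERS))
    if count == 0:
        findings.append((None, "certificatePolicies must hold at least one policy"))
    return findings


def encode_tlv(tag, body):
    """Encode one TLV with a minimal (DER) length."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    raw = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + body


def omit_empty_qualifiers(der):
    """Re-encode the value, dropping any empty policyQualifiers SEQUENCE."""
    out = b""
    for _oid, kids in policy_infos(der):
        kept = [k for i, k in enumerate(kids)
                if not (i == 1 and k[0] == SEQUENCE and k[1] == k[2])]
        out += encode_tlv(SEQUENCE, b"".join(encode_tlv(t, der[s:e]) for t, s, e in kept))
    return encode_tlv(SEQUENCE, out)


if __name__ == "__main__":
    for value in (ISSUE_1238_VALUE, LIBTASN1_36_ACTUAL, LIBTASN1_36_EXPECTED):
        print(value.hex(), lint_certificate_policies(value))
    print(omit_empty_qualifiers(LIBTASN1_36_ACTUAL).hex())
```
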
-------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat May 15 00:39:49 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 14 May 2021 22:39:49 +0000 Subject: [gnutls-devel] libtasn1 | be smarter when writing an empty optional sequence specified with a minimum length (#36) In-Reply-To: References: Message-ID: Daniel Kahn Gillmor commented: Note that https://gitlab.com/gnutls/gnutls/-/merge_requests/1435 narrowly resolves the issue for `certtool`, but it'd be better if libtasn1 could DTRT here automatically. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/-/issues/36#note_576025671 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat May 15 01:00:31 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 14 May 2021 23:00:31 +0000 Subject: [gnutls-devel] GnuTLS | x509: Write keyUsage extension with minimal BIT STRING (!1431) In-Reply-To: References: Message-ID: Daniel Kahn Gillmor commented: Retrying that test run shows a clean result, suggesting that the error was an intermittent error. I think this is ready to go. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1431#note_576028793 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat May 15 01:44:09 2021 
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Fri, 14 May 2021 23:44:09 +0000
Subject: [gnutls-devel] GnuTLS | Soft-disabling configuration capabilities should match the hard-disabling ones (#1172)
In-Reply-To:
References:
Message-ID:

Daniel Lenski commented on a discussion: https://gitlab.com/gnutls/gnutls/-/issues/1172#note_576040423

Although the most recent issues are with DTLS, this also applies to TLS. There are still a good number of ancient workplace VPNs that only support SSLv3/TLSv1 with RC4/3DES, and we had another wave of issue reports when distros started disabling those via crypto policies: https://gitlab.com/openconnect/openconnect/-/issues/145

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1172#note_576040423
You're receiving this email because of your account on gitlab.com.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
From gnutls-devel at lists.gnutls.org Sat May 15 09:58:35 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sat, 15 May 2021 07:58:35 +0000
Subject: [gnutls-devel] GnuTLS | Early data issues in QUIC use (#1216)
In-Reply-To:
References:
Message-ID:

Tatsuhiro Tsujikawa commented:

Thank you, Daiki. With this fix, the GnuTLS QUIC client can send 0RTT. Great! The GnuTLS QUIC server still has some issues, so I'll investigate what's happening (it might be a bug on my side), and will report an issue if I find any.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1216#note_576108854
You're receiving this email because of your account on gitlab.com.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
From gnutls-devel at lists.gnutls.org Sat May 15 11:17:36 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sat, 15 May 2021 09:17:36 +0000
Subject: [gnutls-devel] GnuTLS | Server side QUIC early data issue (#1239)
References:
Message-ID:

Tatsuhiro Tsujikawa created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1239

Client side early data is fixed by #1216 and it works great. For server side, if GnuTLS QUIC server receives early data indication and session ticket, it crashes at: https://gitlab.com/gnutls/gnutls/-/blob/e899e3200ffb3d7d8958cfa7685052a66ebfbf80/lib/handshake.c#L799

Reproduction steps:

1. Build examples/gtlsserver and examples/gtlsclient from https://github.com/ngtcp2/ngtcp2/tree/gnutls-exp (which requires the latest unreleased GnuTLS).
2. Run server by `examples/gtlsserver 127.0.0.1 4433 /path/to/key /path/to/cert`
3. Remove session.txt file if it exists.
4. Run client by `examples/gtlsclient 127.0.0.1 4433 https://127.0.0.1:4433 --session-file session.txt --tp-file tp.txt` just once. This writes session parameters in session.txt.
5. Run client again with the same arguments above.
6. Observe server crashes.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1239
You're receiving this email because of your account on gitlab.com.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
From gnutls-devel at lists.gnutls.org Sat May 15 16:34:53 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Sat, 15 May 2021 14:34:53 +0000 Subject: [gnutls-devel] GnuTLS | x509: Write keyUsage extension with minimal BIT STRING (!1431) In-Reply-To: References: Message-ID: Merge request !1431 was merged Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1431 Project:Branches: dkg/gnutls:minimal-key-usage to gnutls/gnutls:master Author: Daniel Kahn Gillmor Assignees: Reviewers: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1431 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat May 15 16:34:53 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Sat, 15 May 2021 14:34:53 +0000 Subject: [gnutls-devel] GnuTLS | certtool mis-encodes keyUsage when trailing bits are 0 (#1236) In-Reply-To: References: Message-ID: Issue was closed by Daniel Kahn Gillmor via commit 87394a055bdd4cfcbdff52d7c0d9d06563fb7bcb Issue #1236: https://gitlab.com/gnutls/gnutls/-/issues/1236 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1236 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat May 15 16:35:16 2021 
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Sat, 15 May 2021 14:35:16 +0000 Subject: [gnutls-devel] GnuTLS | x509: Write keyUsage extension with minimal BIT STRING (!1431) In-Reply-To: References: Message-ID: Daiki Ueno commented: Thank you! -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1431#note_576162676 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun May 16 15:56:41 2021 
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sun, 16 May 2021 13:56:41 +0000
Subject: [gnutls-devel] GnuTLS | Non-conforming cookie computation (#1240)
References:
Message-ID:

Paul created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1240

## Description of problem:

The [RFC](https://www.rfc-editor.org/rfc/rfc6347.html#page-17) states the following on computing the cookie:

> When responding to a HelloVerifyRequest, the client MUST use the same
> parameter values (version, random, session_id, cipher_suites,
> compression_method) as it did in the original ClientHello. The
> server SHOULD use those values to generate its cookie and verify that
> they are correct upon cookie receipt.
> ...
> Cookie = HMAC(Secret, Client-IP, Client-Parameters)

According to our testing, the DTLS server applications provided with GnuTLS (e.g. udp_serv.c) do not use supported cipher suites to compute a cookie from the first Client Hello received from the client. From looking at the source code of [udp_serv.c](https://gitlab.com/gnutls/gnutls/-/blob/fec8a392591f0d8d048b2d60e8873535ef130279/src/udp-serv.c#L129), it appears only the peer address is used, and none of the ClientHello parameters.

This leads to a situation where the first ClientHello can have different values for these parameters compared to the second ClientHello. For example, it allows for the interaction:

* -> ClientHello(supportedCipherSuites=TLS_ECDHE...)
* <- HelloVerifyRequest
* -> ClientHello(supportedCipherSuites=TLS_PSK...)
* <- ServerHello

This is a minor non-conformance, since cookie exchange in this form still prevents Denial of Service.

The library method which generates the cookie [`gnutls_dtls_cookie_send`](https://gitlab.com/gnutls/gnutls/-/blob/fec8a392591f0d8d048b2d60e8873535ef130279/lib/dtls.c#L839) has a `client_data` buffer parameter used to compute the cookie. Including in it ClientHello parameters would make cookie computation conform to the standard.

## Version of gnutls used:

3.7.1

## Operating System

Ubuntu 20

## How reproducible:

I attached files necessary for reproduction (see reproduction.tar.gz) using [DTLS-Fuzzer](https://github.com/assist-project/dtls-fuzzer/). Also included in the archive is a capture of the interaction similar to the one described.

DTLS-Fuzzer requires the JDK for Java 8. On Ubuntu, this can be installed by running: `sudo apt-get install openjdk-8-jdk`

Unpack the archive, `cd` to resulting folder and run `bash reproduce.sh`, while running an instance of Wireshark on the side. The reproduction script will:

* setup DTLS-Fuzzer;
* launch gnutls-serv utility (it is assumed the correct version of GnuTLS is already installed)
* launch DTLS-Fuzzer to execute input sequence found in 'test_sequence', upon which DTLS-Fuzzer will send two ClientHellos with different supported cipher suites.

## Actual results:

The server generates ServerHello, ServerHelloDone, despite having received ClientHello messages with different parameters.

## Expected results:

If the RFC had been followed, the second ClientHello should have been rejected

[reproduction.tar.gz](/uploads/fc76c6d67fcccf4a52b88b13de13b309/reproduction.tar.gz)

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1240
You're receiving this email because of your account on gitlab.com.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
From gnutls-devel at lists.gnutls.org Sun May 16 16:13:49 2021
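The difference reported in GnuTLS issue #1240 above, modelled as an added example (not GnuTLS code and not its cookie format): a cookie computed over the peer address only still verifies when the second ClientHello offers different cipher suites, while a cookie that also covers the ClientHello parameters does not. The field encoding, the function names and the sample ClientHello values are assumptions constructed for this illustration.

```python
"""DTLS HelloVerifyRequest cookie: address-only vs. parameter-bound (added example)."""
import hashlib
import hmac
import os
import struct
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class ClientHello:
    """The ClientHello fields RFC 6347 lists as Client-Parameters."""
    version: int
    random: bytes
    session_id: bytes
    cipher_suites: tuple
    compression_methods: bytes

    def parameters(self):
        """Serialise the fields with length prefixes so they cannot run together."""
        suites = b"".join(struct.pack("!H", s) for s in self.cipher_suites)
        fields = (struct.pack("!H", self.version), self.random,
                  self.session_id, suites, self.compression_methods)
        return b"".join(struct.pack("!H", len(f)) + f for f in fields)


def make_cookie(secret, peer, hello, bind_parameters):
    """Cookie = HMAC(Secret, Client-IP[, Client-Parameters])."""
    host, port = peer
    addr = host.encode("ascii") + struct.pack("!H", port)
    data = struct.pack("!H", len(addr)) + addr
    if bind_parameters:
        data += hello.parameters()
    return hmac.new(secret, data, hashlib.sha256).digest()


def verify_second_hello(secret, peer, hello, cookie, bind_parameters):
    """Recompute the cookie from the second ClientHello and compare in constant time."""
    expected = make_cookie(secret, peer, hello, bind_parameters)
    return hmac.compare_digest(expected, cookie)


# Constructed sample data (not taken from the capture attached to the issue).
PEER = ("192.0.2.10", 40000)
FIRST_HELLO = ClientHello(
    version=0xFEFD,                # DTLS 1.2
    random=bytes(range(32)),
    session_id=b"",
    cipher_suites=(0xC02F,),       # TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    compression_methods=b"\x00",
)
# Same client, but the retransmitted ClientHello now offers a PSK suite.
CHANGED_HELLO = replace(FIRST_HELLO, cipher_suites=(0x00A8,))  # TLS_PSK_WITH_AES_128_GCM_SHA256


def exchange(secret, second_hello, bind_parameters, second_peer=PEER):
    """Run ClientHello -> HelloVerifyRequest -> ClientHello; return the server's verdict."""
    cookie = make_cookie(secret, PEER, FIRST_HELLO, bind_parameters)
    return verify_second_hello(secret, second_peer, second_hello, cookie, bind_parameters)


if __name__ == "__main__":
    secret = os.urandom(32)
    for bind in (False, True):
        label = "address + parameters" if bind else "address only"
        print(f"{label:22} unchanged hello accepted: {exchange(secret, FIRST_HELLO, bind)}")
        print(f"{label:22} changed suites accepted:  {exchange(secret, CHANGED_HELLO, bind)}")
```
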
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Sun, 16 May 2021 14:13:49 +0000 Subject: [gnutls-devel] libtasn1 | Rename test files. Avoid using ':', which is illegal on Windows. (!81) In-Reply-To: References: Message-ID: Konstantin Kouptsov commented: Can someone merge this, please? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/-/merge_requests/81#note_576298074 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun May 16 18:36:23 2021 
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sun, 16 May 2021 16:36:23 +0000
Subject: [gnutls-devel] GnuTLS | Server side QUIC early data issue (#1239)
In-Reply-To:
References:
Message-ID:

Daiki Ueno commented:

Thank you for the report. When running under `GNUTLS_DEBUG_LEVEL=10`, the server program outputs the following lines:

```console
gnutls[3]: ASSERT: session_ticket.c[_gnutls_decrypt_session_ticket]:201
gnutls[3]: ASSERT: tls13/session_ticket.c[_gnutls13_unpack_session_ticket]:479
```

That means the session ticket sent from the client cannot be decrypted because of a missing key. It seems that the server always regenerates the STEK when a new session is created, while it needs to persist across sessions, so [stek.patch](/uploads/f6a53bcf5621a05fc3a4f017c91788dc/stek.patch) should fix the issue.

On the other hand, the crash is certainly an issue: given that the GnuTLS API currently doesn't support provisioning encryption parameters along with an external PSK, we should reject early data upon resumption failure.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1239#note_576317324

From gnutls-devel at lists.gnutls.org Sun May 16 19:46:15 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Sun, 16 May 2021 17:46:15 +0000 Subject: [gnutls-devel] libtasn1 | Rename test files. Avoid using ':', which is illegal on Windows. (!81) In-Reply-To: References: Message-ID: Merge request !81 was merged Merge request URL: https://gitlab.com/gnutls/libtasn1/-/merge_requests/81 Project:Branches: kkouptsov/libtasn1:kk/rename-files to gnutls/libtasn1:master Author: Konstantin Kouptsov Assignees: Reviewers: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/-/merge_requests/81 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun May 16 19:46:34 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Sun, 16 May 2021 17:46:34 +0000 Subject: [gnutls-devel] libtasn1 | Rename test files. Avoid using ':', which is illegal on Windows. (!81) In-Reply-To: References: Message-ID: Daiki Ueno commented: Thank you for the MR! -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/-/merge_requests/81#note_576327887 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun May 16 19:52:03 2021 
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sun, 16 May 2021 17:52:03 +0000
Subject: [gnutls-devel] GnuTLS | Add new API to provision 0-RTT data encryption parameter for PSK (#1241)
References:
Message-ID:

Daiki Ueno created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1241

According to RFC 8446 4.2.10, when sending 0-RTT data with an externally negotiated PSK, it should be encrypted with the parameters associated with the PSK itself. GnuTLS provides a couple of functions to associate parameters to PSK, but it is currently not possible to provision encryption parameters, such as symmetric cipher.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1241

From gnutls-devel at lists.gnutls.org Mon May 17 09:27:32 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Mon, 17 May 2021 07:27:32 +0000
Subject: [gnutls-devel] GnuTLS | Ed448 keys are indicated as having a 456-bit "security level" (#1231)
In-Reply-To:
References:
Message-ID:

Brian Henry commented:

secp192r1, secp224r1, secp256r1, secp384r1 and secp521r1 all curves got the same problems.

```
certtool --generate-privkey --key-type ecdsa --curve=secp192r1
certtool --generate-privkey --key-type ecdsa --curve=secp224r1
certtool --generate-privkey --key-type ecdsa --curve=secp256r1
certtool --generate-privkey --key-type ecdsa --curve=secp384r1
certtool --generate-privkey --key-type ecdsa --curve=secp521r1
```

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1231#note_576525102

From gnutls-devel at lists.gnutls.org Mon May 17 09:40:08 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Mon, 17 May 2021 07:40:08 +0000 Subject: [gnutls-devel] GnuTLS | WIP: pre_shared_key: limit 0-RTT to resumption connections (!1436) References: Message-ID: Daiki Ueno created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1436 Project:Branches: dueno/gnutls:wip/dueno/earlydata-server to gnutls/gnutls:master Author: Daiki Ueno This tightens early data acceptance when resumption fails or external PSK is used (due to #1241). Fixes: #1239 ## Checklist * [x] Commits have `Signed-off-by:` with name/author being identical to the commit author * [ ] Code modified for feature * [ ] Test suite updated with functionality tests * [ ] Test suite updated with negative tests * [ ] Documentation updated / NEWS entry present (for non-trivial changes) * [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout) ## Reviewer's checklist: * [ ] Any issues marked for closing are addressed * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md` * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1436 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon May 17 14:04:06 2021 
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Mon, 17 May 2021 12:04:06 +0000 Subject: [gnutls-devel] GnuTLS | pre_shared_key: limit 0-RTT to resumption connections (!1436) In-Reply-To: References: Message-ID: Daiki Ueno changed the draft status of merge request !1436 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1436 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon May 17 14:05:56 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Mon, 17 May 2021 12:05:56 +0000 Subject: [gnutls-devel] GnuTLS | pre_shared_key: limit 0-RTT to resumption connections (!1436) In-Reply-To: References: Message-ID: Daiki Ueno commented: I thought we could add a test case that exercises early data indication in PSK-only handshake, but it turned out to be non-trivial (we need to manually modify extensions in ClientHello). Therefore I'd defer it to tlsfuzzer (or properly implement it through #1241) for now. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1436#note_576863393 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon May 17 16:17:09 2021 
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Mon, 17 May 2021 14:17:09 +0000 Subject: [gnutls-devel] GnuTLS | x509: Omit empty sequences of policyQualifiers. (!1435) In-Reply-To: References: Message-ID: Daiki Ueno commented: It would be nice if there is a test case (e.g., a simple shell script calling certtool), but overall it looks good to me. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1435#note_577025775 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon May 17 16:26:26 2021 
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Mon, 17 May 2021 14:26:26 +0000 Subject: [gnutls-devel] GnuTLS | cert auth: filter out unsupported cert types from TLS 1.2 CR (!1434) In-Reply-To: References: Message-ID: Merge request https://gitlab.com/gnutls/gnutls/-/merge_requests/1434 was reviewed by Hubert Kario (@mention me if you need reply) -- Hubert Kario (@mention me if you need reply) started a new discussion on tests/suite/tls-fuzzer/gnutls-cert.json: https://gitlab.com/gnutls/gnutls/-/merge_requests/1434#note_577035488 > + "-p", "@PORT@", > + "-s", "sha256+rsa 8+9 8+4 sha256+ecdsa 8+7 sha384+rsa 8+10 8+5 sha384+ecdsa 8+8 sha512+rsa 8+11 8+6 sha512+ecdsa sha1+rsa sha1+ecdsa", > + "check cert types in cert request"] why not run all tests in the script? -- Hubert Kario (@mention me if you need reply) started a new discussion on tests/suite/tls-fuzzer/gnutls-cert.json: https://gitlab.com/gnutls/gnutls/-/merge_requests/1434#note_577035491 > + "-c", "tests/clientX509Cert.pem", > + "-p", "@PORT@", > + "-s", "sha256+rsa 8+9 8+4 sha256+ecdsa 8+7 sha384+rsa 8+10 8+5 sha384+ecdsa 8+8 sha512+rsa 8+11 8+6 sha512+ecdsa sha1+rsa sha1+ecdsa", wouldn't it be more readable to use the following instead?: ``` "-s", "sha256+rsa rsa_pss_pss_sha256 rsa_pss_rsae_sha256 sha256+ecdsa rsa_pss_rsae_sha256 sha384+rsa rsa_pss_pss_sha384 rsa_pss_rsae_sha384 sha384+ecdsa ed448 sha512+rsa rsa_pss_pss_sha512 rsa_pss_rsae_sha512 sha512+ecdsa sha1+rsa sha1+ecdsa", ``` -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1434 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon May 17 16:27:19 2021 
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Mon, 17 May 2021 14:27:19 +0000 Subject: [gnutls-devel] GnuTLS | cert auth: filter out unsupported cert types from TLS 1.2 CR (!1434) In-Reply-To: References: Message-ID: Hubert Kario (@mention me if you need reply) commented: just two nits, r+ overall -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1434#note_577036436 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon May 17 16:28:02 2021 
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Mon, 17 May 2021 14:28:02 +0000 Subject: [gnutls-devel] GnuTLS | cert auth: filter out unsupported cert types from TLS 1.2 CR (!1434) In-Reply-To: References: Message-ID: Daiki Ueno commented on a discussion on tests/suite/tls-fuzzer/gnutls-cert.json: https://gitlab.com/gnutls/gnutls/-/merge_requests/1434#note_577037126 > + {"server_command": ["@SERVER@", "--http", > + "--x509keyfile", "tests/serverX509Key.pem", > + "--x509certfile", "tests/serverX509Cert.pem", > + "--debug=6", > + "--priority=NORMAL:+VERS-TLS1.2", > + "--port=@PORT@"], > + "environment": {"PYTHONPATH" : "."}, > + "server_hostname": "localhost", > + "server_port": @PORT@, > + "tests" : [ > + {"name" : "test-certificate-request.py", > + "arguments" : ["-k", "tests/clientX509Key.pem", > + "-c", "tests/clientX509Cert.pem", > + "-p", "@PORT@", > + "-s", "sha256+rsa 8+9 8+4 sha256+ecdsa 8+7 sha384+rsa 8+10 8+5 sha384+ecdsa 8+8 sha512+rsa 8+11 8+6 sha512+ecdsa sha1+rsa sha1+ecdsa", > + "check cert types in cert request"] The rest of the script is run in the previous chunk of this file. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1434#note_577037126 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon May 17 16:32:34 2021 
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Mon, 17 May 2021 14:32:34 +0000 Subject: [gnutls-devel] GnuTLS | cert auth: filter out unsupported cert types from TLS 1.2 CR (!1434) In-Reply-To: References: Message-ID: Daiki Ueno commented on a discussion on tests/suite/tls-fuzzer/gnutls-cert.json: https://gitlab.com/gnutls/gnutls/-/merge_requests/1434#note_577042137 > + }, > + {"server_command": ["@SERVER@", "--http", > + "--x509keyfile", "tests/serverX509Key.pem", > + "--x509certfile", "tests/serverX509Cert.pem", > + "--debug=6", > + "--priority=NORMAL:+VERS-TLS1.2", > + "--port=@PORT@"], > + "environment": {"PYTHONPATH" : "."}, > + "server_hostname": "localhost", > + "server_port": @PORT@, > + "tests" : [ > + {"name" : "test-certificate-request.py", > + "arguments" : ["-k", "tests/clientX509Key.pem", > + "-c", "tests/clientX509Cert.pem", > + "-p", "@PORT@", > + "-s", "sha256+rsa 8+9 8+4 sha256+ecdsa 8+7 sha384+rsa 8+10 8+5 sha384+ecdsa 8+8 sha512+rsa 8+11 8+6 sha512+ecdsa sha1+rsa sha1+ecdsa", Thanks for the suggestion; updated. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1434#note_577042137 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon May 17 16:41:26 2021 
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Mon, 17 May 2021 14:41:26 +0000 Subject: [gnutls-devel] GnuTLS | cert auth: filter out unsupported cert types from TLS 1.2 CR (!1434) In-Reply-To: References: Message-ID: All discussions on merge request !1434 were resolved by Daiki Ueno https://gitlab.com/gnutls/gnutls/-/merge_requests/1434 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1434 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon May 17 16:42:44 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Mon, 17 May 2021 14:42:44 +0000 Subject: [gnutls-devel] GnuTLS | cert auth: filter out unsupported cert types from TLS 1.2 CR (!1434) In-Reply-To: References: Message-ID: Merge request !1434 was scheduled to merge after pipeline succeeds by Daiki Ueno Merge request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1434 Project:Branches: dueno/gnutls:wip/dueno/tls12-cert-type to gnutls/gnutls:master Author: Daiki Ueno Assignees: Reviewers: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1434 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon May 17 18:53:16 2021 
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Mon, 17 May 2021 16:53:16 +0000 Subject: [gnutls-devel] GnuTLS | cert auth: filter out unsupported cert types from TLS 1.2 CR (!1434) In-Reply-To: References: Message-ID: Merge request !1434 was merged Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1434 Project:Branches: dueno/gnutls:wip/dueno/tls12-cert-type to gnutls/gnutls:master Author: Daiki Ueno Assignees: Reviewers: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1434 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon May 17 19:01:19 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Mon, 17 May 2021 17:01:19 +0000 Subject: [gnutls-devel] GnuTLS | x509: Omit empty sequences of policyQualifiers. (!1435) In-Reply-To: References: Message-ID: Daniel Kahn Gillmor commented: I'll try to provide a test case as well, good idea. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1435#note_577186061 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon May 17 19:25:55 2021 
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Mon, 17 May 2021 17:25:55 +0000 Subject: [gnutls-devel] GnuTLS | x509: Omit empty sequences of policyQualifiers. (!1435) In-Reply-To: References: Message-ID: Daniel Kahn Gillmor commented: OK, i think this is updated with a functional test now. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1435#note_577204656 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon May 17 19:32:05 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Mon, 17 May 2021 17:32:05 +0000 Subject: [gnutls-devel] GnuTLS | .gitignore lists `*.tmp*`, but `tests/cert-tests/templates/` is filled with lots of files matching *.tmpl (#1242) References: Message-ID: Daniel Kahn Gillmor created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1242 I ran into this trying to revise !1435 -- git frowned on my adding a new template to `tests/cert-tests/templates/` because the common template name used in this directory (`*.tmpl`) matches an entry in the top-level `.gitignore`. Looks like the `*.tmp*` was only added a couple years ago, in dc85966364994006f9337e4749d1487e4b8e16a1 by @alonbl. (before that it used to just be `*.tmp`) I'd recommend either reverting `.gitignore` to just contain `*.tmp` or renaming all the template files. The former seems easier, but i also don't understand what @alonbl was aiming to catch with that revision. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1242 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon May 17 19:35:54 2021 
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Mon, 17 May 2021 17:35:54 +0000 Subject: [gnutls-devel] GnuTLS | git: Do not ignore certtool templates. (!1437) References: Message-ID: Daniel Kahn Gillmor created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1437 Project:Branches: dkg/gnutls:avoid-matching-templates to gnutls/gnutls:master Author: Daniel Kahn Gillmor This closes #1242 ## Checklist * [x] Commits have `Signed-off-by:` with name/author being identical to the commit author * [x] Code modified for feature * [ ] Test suite updated with functionality tests * [ ] Test suite updated with negative tests * [ ] Documentation updated / NEWS entry present (for non-trivial changes) * [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout) ## Reviewer's checklist: * [ ] Any issues marked for closing are addressed * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md` * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1437 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon May 17 19:42:33 2021 
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Mon, 17 May 2021 17:42:33 +0000
Subject: [gnutls-devel] GnuTLS | .gitignore lists `*.tmp*`, but `tests/cert-tests/templates/` is filled with lots of files matching *.tmpl (#1242)
In-Reply-To:
References:
Message-ID:

Alon Bar-Lev commented:

Hi,

Maybe checkout `*.tmp.*` and make sure that all tests that create temporary files follow this principle.

Regards,

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1242#note_577214484

From gnutls-devel at lists.gnutls.org Mon May 17 19:47:51 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Mon, 17 May 2021 17:47:51 +0000
Subject: [gnutls-devel] libtasn1 | Errors when cloning the repository. (#29)
In-Reply-To:
References:
Message-ID:

Issue was closed by Konstantin Kouptsov

Issue #29: https://gitlab.com/gnutls/libtasn1/-/issues/29

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/-/issues/29

From gnutls-devel at lists.gnutls.org Mon May 17 19:47:50 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Mon, 17 May 2021 17:47:50 +0000
Subject: [gnutls-devel] libtasn1 | Errors when cloning the repository. (#29)
In-Reply-To:
References:
Message-ID:

Konstantin Kouptsov commented:

Now the repository checks out fine in MINGW.

```
$ git clone https://gitlab.com/gnutls/libtasn1.git
Cloning into 'libtasn1'...
remote: Enumerating objects: 1258, done.
remote: Counting objects: 100% (1258/1258), done.
remote: Compressing objects: 100% (270/270), done.
remote: Total 12548 (delta 927), reused 1186 (delta 877), pack-reused 11290
Receiving objects: 100% (12548/12548), 3.58 MiB | 491.00 KiB/s, done.
Resolving deltas: 100% (8368/8368), done.
$ git status
On branch master
Your branch is up to date with 'origin/master'.
```

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/-/issues/29#note_577217297

From gnutls-devel at lists.gnutls.org Tue May 18 07:48:50 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Tue, 18 May 2021 05:48:50 +0000
Subject: [gnutls-devel] GnuTLS | x509: Omit empty sequences of policyQualifiers. (!1435)
In-Reply-To:
References:
Message-ID:

Merge request !1435 was approved by Daiki Ueno

Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1435
Project:Branches: dkg/gnutls:omit-empty-policy-qualifiers to gnutls/gnutls:master
Author: Daniel Kahn Gillmor
Assignees:
Reviewers:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1435

From gnutls-devel at lists.gnutls.org Tue May 18 07:49:00 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 18 May 2021 05:49:00 +0000 Subject: [gnutls-devel] GnuTLS | x509: Omit empty sequences of policyQualifiers. (!1435) In-Reply-To: References: Message-ID: Daiki Ueno commented: Thank you! -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1435#note_577667135 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue May 18 07:48:53 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 18 May 2021 05:48:53 +0000 Subject: [gnutls-devel] GnuTLS | x509: Omit empty sequences of policyQualifiers. (!1435) In-Reply-To: References: Message-ID: Merge request !1435 was scheduled to merge after pipeline succeeds by Daiki Ueno Merge request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1435 Project:Branches: dkg/gnutls:omit-empty-policy-qualifiers to gnutls/gnutls:master Author: Daniel Kahn Gillmor Assignees: Reviewers: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1435 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue May 18 07:51:28 2021 
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 18 May 2021 05:51:28 +0000 Subject: [gnutls-devel] GnuTLS | git: Do not ignore certtool templates. (!1437) In-Reply-To: References: Message-ID: Merge request !1437 was approved by Daiki Ueno Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1437 Project:Branches: dkg/gnutls:avoid-matching-templates to gnutls/gnutls:master Author: Daniel Kahn Gillmor Assignees: Reviewers: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1437 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue May 18 07:51:33 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 18 May 2021 05:51:33 +0000 Subject: [gnutls-devel] GnuTLS | git: Do not ignore certtool templates. (!1437) In-Reply-To: References: Message-ID: Merge request !1437 was merged Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1437 Project:Branches: dkg/gnutls:avoid-matching-templates to gnutls/gnutls:master Author: Daniel Kahn Gillmor Assignees: Reviewers: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1437 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue May 18 07:51:33 2021 
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 18 May 2021 05:51:33 +0000 Subject: [gnutls-devel] GnuTLS | .gitignore lists `*.tmp*`, but `tests/cert-tests/templates/` is filled with lots of files matching *.tmpl (#1242) In-Reply-To: References: Message-ID: Issue was closed by Daniel Kahn Gillmor via commit 160bbea55d018a89f5c2cb14fbf70b8c6bbcd521 Issue #1242: https://gitlab.com/gnutls/gnutls/-/issues/1242 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1242 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue May 18 08:39:45 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 18 May 2021 06:39:45 +0000 Subject: [gnutls-devel] GnuTLS | x509: Omit empty sequences of policyQualifiers. (!1435) In-Reply-To: References: Message-ID: Merge request !1435 was merged Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1435 Project:Branches: dkg/gnutls:omit-empty-policy-qualifiers to gnutls/gnutls:master Author: Daniel Kahn Gillmor Assignees: Reviewers: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1435 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue May 18 08:39:45 2021 
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 18 May 2021 06:39:45 +0000 Subject: [gnutls-devel] GnuTLS | certtool: adding a policy without qualifiers results in empty sequence (#1238) In-Reply-To: References: Message-ID: Issue was closed by Daniel Kahn Gillmor via commit 1d1119fc15c354dc2f1a8838f3d5f858ec29d0ef Issue #1238: https://gitlab.com/gnutls/gnutls/-/issues/1238 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1238 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue May 18 16:38:54 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 18 May 2021 14:38:54 +0000 Subject: [gnutls-devel] GnuTLS | pre_shared_key: limit 0-RTT to resumption connections (!1436) In-Reply-To: References: Message-ID: Reassigned merge request 1436 https://gitlab.com/gnutls/gnutls/-/merge_requests/1436 Assignee changed to Sahana Prasad -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1436 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue May 18 17:27:55 2021 
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 18 May 2021 15:27:55 +0000 Subject: [gnutls-devel] GnuTLS | certtool generates subject DN in reverse order (#1243) References: Message-ID: Daniel Kahn Gillmor created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1243 over [on the IETF LAMPS mailing list](https://mailarchive.ietf.org/arch/msg/spasm/dDB3vVtC1K8SbA8KBGFKLoeXnRc/), David Cooper writes: > I noticed that the attributes in the issuer and subject fields of the certificates are encoded in the reverse order of what one would expect. In particular, the expectation is that the ASN.1 wire encoding lists the more general fields first. So, for example, "O" (organizationalName) should come before "OU" (organizationalUnit, a subset of the organization), and "C" (country) should come before "ST" (state). (note that the *visualization* of the DN is typically the reverse of the wire encoding; the work done to close #111 is correct, the problem is the wire encoding) -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1243 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue May 18 23:25:07 2021 
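Added example (not from the issue and not certtool code): a small Python DER encoder and decoder for an X.501 Name, showing the point made in issue #1243 above that the wire encoding lists the more general attributes first while the string form is displayed in reverse. The attribute values, the `SCALE` ranking used for the check and all function names are assumptions made for this illustration.

```python
from typing import List, Tuple

RDNs = List[Tuple[str, str]]

# DER content bytes of the id-at OIDs (2.5.4.x) used below.
OIDS = {"C": b"\x55\x04\x06", "ST": b"\x55\x04\x08", "L": b"\x55\x04\x07",
        "O": b"\x55\x04\x0a", "OU": b"\x55\x04\x0b", "CN": b"\x55\x04\x03"}
NAMES = {oid: name for name, oid in OIDS.items()}
# Assumed ranking for the check: smaller means more general.
SCALE = {"C": 0, "ST": 1, "L": 2, "O": 3, "OU": 4, "CN": 5}

SEQUENCE, SET, OID, PRINTABLE = 0x30, 0x31, 0x06, 0x13


def tlv(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV with definite length (short or long form)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(size)]) + size + content


def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, content, next_pos) for the TLV starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:end], end


def encode_name(rdns: RDNs) -> bytes:
    """Encode single-valued RDNs in exactly the order given (wire order)."""
    body = b""
    for attr, value in rdns:
        atv = tlv(OID, OIDS[attr]) + tlv(PRINTABLE, value.encode("ascii"))
        body += tlv(SET, tlv(SEQUENCE, atv))
    return tlv(SEQUENCE, body)


def decode_name(der: bytes) -> RDNs:
    """Decode a Name into (attribute, value) pairs in wire order."""
    tag, body, end = read_tlv(der, 0)
    if tag != SEQUENCE or end != len(der):
        raise ValueError("expected one DER SEQUENCE")
    rdns, pos = [], 0
    while pos < len(body):
        tag, rdn, pos = read_tlv(body, pos)
        if tag != SET:
            raise ValueError("expected SET (RDN)")
        tag, atv, used = read_tlv(rdn, 0)
        if tag != SEQUENCE or used != len(rdn):
            raise ValueError("multi-valued RDNs are not handled here")
        t_oid, oid, p = read_tlv(atv, 0)
        _, value, _ = read_tlv(atv, p)
        if t_oid != OID:
            raise ValueError("expected OID")
        rdns.append((NAMES.get(oid, oid.hex()), value.decode("ascii")))
    return rdns


def to_rfc4514(der: bytes) -> str:
    """String form: last RDN on the wire is shown first (no escaping done)."""
    return ",".join(f"{a}={v}" for a, v in reversed(decode_name(der)))


def is_general_first(der: bytes) -> bool:
    """True if known attributes appear from most general to most specific."""
    ranks = [SCALE[a] for a, _ in decode_name(der) if a in SCALE]
    return ranks == sorted(ranks)


# Constructed sample subject, in the expected wire order.
GENERAL_FIRST: RDNs = [("C", "US"), ("ST", "Virginia"), ("O", "Example Org"),
                       ("OU", "Engineering"), ("CN", "alice")]

if __name__ == "__main__":
    for label, rdns in (("expected", GENERAL_FIRST),
                        ("reversed", GENERAL_FIRST[::-1])):
        der = encode_name(rdns)
        print(label, is_general_first(der), to_rfc4514(der), der.hex())
```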
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Tue, 18 May 2021 21:25:07 +0000
Subject: [gnutls-devel] GnuTLS | certtool: order DN components by scale. (!1438)
References:
Message-ID:

Daniel Kahn Gillmor created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1438

Project:Branches: dkg/gnutls:order-dn to gnutls/gnutls:master
Author: Daniel Kahn Gillmor

Certtool should default to ordering the components of the DN by scale (least specific to most specific), for both certificates and certificate requests. Please note discussion in the commit message about "API" for interactive use of certtool. I think I've justified the change, but reasonable people may disagree. This should resolve #1243. It is necessary for me to produce the next revision of [`draft-ietf-lamps-samples`](https://datatracker.ietf.org/doc/draft-ietf-lamps-samples/).

## Checklist
* [x] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [x] Code modified for feature
* [x] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
* [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:
* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1438
You're receiving this email because of your account on gitlab.com.

-------------- next part --------------
An HTML attachment was scrubbed...
URL:
From gnutls-devel at lists.gnutls.org Wed May 19 17:05:30 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Wed, 19 May 2021 15:05:30 +0000
Subject: [gnutls-devel] GnuTLS | GnuTLS should transparently use KTLS if it's available (#1113)
In-Reply-To:
References:
Message-ID:

Leonardo Br?s commented:

QEMU VM migration would really benefit from this feature, avoiding copy when migrating over TLS protocol. Is there any update or code related to this issue?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1113#note_579740912
You're receiving this email because of your account on gitlab.com.

-------------- next part --------------
An HTML attachment was scrubbed...
URL:
From gnutls-devel at lists.gnutls.org Wed May 19 17:08:31 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Wed, 19 May 2021 15:08:31 +0000
Subject: [gnutls-devel] GnuTLS | GnuTLS should transparently use KTLS if it's available (#1113)
In-Reply-To:
References:
Message-ID:

Leonardo Br?s commented:

If nobody is working on that, I would gladly try to implement this. (Every suggestion is welcome, I have no experience in this project)

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1113#note_579743631
You're receiving this email because of your account on gitlab.com.

-------------- next part --------------
An HTML attachment was scrubbed...
URL:
From gnutls-devel at lists.gnutls.org Wed May 19 17:28:59 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Wed, 19 May 2021 15:28:59 +0000
Subject: [gnutls-devel] GnuTLS | GnuTLS should transparently use KTLS if it's available (#1113)
In-Reply-To:
References:
Message-ID:

Daiki Ueno commented:

Hello @LeoBras, @FrantisekKrenzelok is currently looking into this, based on the experimental [integration](https://gitlab.com/dueno/nbdkit/-/commits/wip/dueno/ktls-experiment) of KTLS in nbdkit.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1113#note_579764621
You're receiving this email because of your account on gitlab.com.

-------------- next part --------------
An HTML attachment was scrubbed...
URL:
From gnutls-devel at lists.gnutls.org Fri May 21 09:09:12 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 21 May 2021 07:09:12 +0000 Subject: [gnutls-devel] GnuTLS | Fix some warnings (!1439) References: Message-ID: Leonardo Br?s created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1439 Project:Branches: LeoBras/gnutls:warn_fixes to gnutls/gnutls:master Author: Leonardo Br?s Add a description of the new feature/bug fix. Reference any relevant bugs.. ## Checklist * [ ] Commits have `Signed-off-by:` with name/author being identical to the commit author * [ ] Code modified for feature * [ ] Test suite updated with functionality tests * [ ] Test suite updated with negative tests * [ ] Documentation updated / NEWS entry present (for non-trivial changes) * [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout) ## Reviewer's checklist: * [ ] Any issues marked for closing are addressed * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md` * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1439 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri May 21 10:45:39 2021 
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 21 May 2021 08:45:39 +0000 Subject: [gnutls-devel] GnuTLS | guile: Writes to record ports handle EAGAIN/EINTR transparently. (!1417) In-Reply-To: References: Message-ID: civodul commented: @dueno friendly reminder. :-) -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1417#note_581727205 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri May 21 16:52:18 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 21 May 2021 14:52:18 +0000 Subject: [gnutls-devel] GnuTLS | Fix some warnings (!1439) In-Reply-To: References: Message-ID: Merge request !1439 was approved by Daiki Ueno Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1439 Project:Branches: LeoBras/gnutls:warn_fixes to gnutls/gnutls:master Author: Leonardo Br?s Assignees: Reviewers: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1439 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri May 21 16:52:31 2021 
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 21 May 2021 14:52:31 +0000 Subject: [gnutls-devel] GnuTLS | Fix some warnings (!1439) In-Reply-To: References: Message-ID: Daiki Ueno commented: Looks good to me, thanks! -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1439#note_582115475 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri May 21 16:52:40 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 21 May 2021 14:52:40 +0000 Subject: [gnutls-devel] GnuTLS | Fix some warnings (!1439) In-Reply-To: References: Message-ID: Merge request !1439 was merged Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1439 Project:Branches: LeoBras/gnutls:warn_fixes to gnutls/gnutls:master Author: Leonardo Br?s Assignees: Reviewers: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1439 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri May 21 17:09:00 2021 
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 21 May 2021 15:09:00 +0000 Subject: [gnutls-devel] GnuTLS | serv: stop setting AI_ADDRCONFIG on getaddrinfo [3.6.x] (!1440) References: Message-ID: Daiki Ueno created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1440 Project:Branches: dueno/gnutls:wip/dueno/addrconfig-3.6 to gnutls/gnutls:gnutls_3_6_x Author: Daiki Ueno This backports !1433 to the gnutls_3_6_x branch. ## Checklist * [x] Commits have `Signed-off-by:` with name/author being identical to the commit author * [ ] Code modified for feature * [ ] Test suite updated with functionality tests * [ ] Test suite updated with negative tests * [ ] Documentation updated / NEWS entry present (for non-trivial changes) * [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout) ## Reviewer's checklist: * [ ] Any issues marked for closing are addressed * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md` * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1440 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri May 21 17:10:36 2021 
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 21 May 2021 15:10:36 +0000 Subject: [gnutls-devel] GnuTLS | serv: stop setting AI_ADDRCONFIG on getaddrinfo [3.6.x] (!1440) In-Reply-To: References: Message-ID: Merge request !1440 was scheduled to merge after pipeline succeeds by Daiki Ueno Merge request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1440 Project:Branches: dueno/gnutls:wip/dueno/addrconfig-3.6 to gnutls/gnutls:gnutls_3_6_x Author: Daiki Ueno Assignees: Reviewers: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1440 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri May 21 18:30:40 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 21 May 2021 16:30:40 +0000 Subject: [gnutls-devel] GnuTLS | serv: stop setting AI_ADDRCONFIG on getaddrinfo [3.6.x] (!1440) In-Reply-To: References: Message-ID: Merge request !1440 was merged Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1440 Project:Branches: dueno/gnutls:wip/dueno/addrconfig-3.6 to gnutls/gnutls:gnutls_3_6_x Author: Daiki Ueno Assignees: Reviewers: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1440 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue May 25 13:01:51 2021 
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Tue, 25 May 2021 11:01:51 +0000
Subject: [gnutls-devel] GnuTLS | DTLS client does not reset the connection state after receiving a fatal alert (#1244)
References:
Message-ID:

Paul created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1244

## Version of gnutls used:
3.7.1

## Operating System
Ubuntu 20

## Description of problem:
The [RFC](https://datatracker.ietf.org/doc/html/rfc5246#section-7.2.2) states the following on processing fatal alerts:

> Upon transmission or receipt of a fatal alert message, both
> parties immediately close the connection.

According to our testing, the DTLS client applications provided with GnuTLS (e.g. gnutls-cli) do not seem to clear the connection data upon processing a fatal alert, or a close_notify alert for that matter. This is illustrated in the below interaction with a GnuTLS client:

![gnutls_continueafteralert](/uploads/5f08842fa7d11743f10feb3cfb97fc94/gnutls_continueafteralert.png)

I don't know if it's the library or the application, but it is incorrect that the client after processing a fatal alert, still remembers the ClientHello it had sent before, accepts ServerHello, Certificate..., and eventually generates the ClientKeyExchange flight of messages. Receiving the fatal alert should have prompted the client to reset the connection state, and thus reject the ServerHello.

## How reproducible:
I attached files necessary for [reproduction](/uploads/4013c1c4173a746706fa8981fe7ffe58/reproduce.tar.gz) using [DTLS-Fuzzer](https://github.com/assist-project/dtls-fuzzer/). Also included in the archive is the capture shown above.

DTLS-Fuzzer requires the JDK for Java 8. On Ubuntu, this can be installed by running:

`sudo apt-get install openjdk-8-jdk`

Unpack the archive, `cd` to resulting folder and run `bash reproduce.sh`, while running an instance of Wireshark on the side. The reproduction script will:

* setup DTLS-Fuzzer;
* launch gnutls-serv utility (it is assumed the correct version of GnuTLS is already installed)
* launch DTLS-Fuzzer to execute input sequence found in 'test_sequence' to expose this problem.

## Actual results:
The client generates the ClientKeyExchange flight of messages, despite not having generated ClientHello after processing the Alert.

## Expected results:
If the RFC had been followed, the client would have rejected the ServerHello/would not have generated the ClientKeyExchange flight of messages.

Note that this problem applies to both fatal and close_notify alerts. Both types of alerts should prompt the client to clear the connection state.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1244
You're receiving this email because of your account on gitlab.com.

-------------- next part --------------
An HTML attachment was scrubbed...
URL:
From gnutls-devel at lists.gnutls.org Tue May 25 15:54:41 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Tue, 25 May 2021 13:54:41 +0000
Subject: [gnutls-devel] GnuTLS | pre_shared_key: limit 0-RTT to resumption connections (!1436)
In-Reply-To:
References:
Message-ID:

Reviewer changed to Sahana Prasad

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1436
You're receiving this email because of your account on gitlab.com.

-------------- next part --------------
An HTML attachment was scrubbed...
URL:
From gnutls-devel at lists.gnutls.org Tue May 25 16:56:28 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Tue, 25 May 2021 14:56:28 +0000
Subject: [gnutls-devel] GnuTLS | DTLS client responds to CertificateRequest with Certificate of the wrong type (potential interop. problems) (#1245)
References:
Message-ID:

Paul created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1245

## Version of gnutls used:
3.7.1

## Operating System
Ubuntu 20

## Description of problem:
The problem regards, as the title suggests, the client's Certificate response to a CertificateRequest by the server. The [TLS 1.2 RFC](https://datatracker.ietf.org/doc/html/rfc5246#page-54) introduces the following requirements on the client Certificate:

> The end-entity certificate provided by the client MUST contain a key
> that is compatible with certificate_types.
> This message is only sent if the server requests a certificate. If no
> suitable certificate is available, the client MUST send a certificate
> message containing no certificates.

According to our testing, the GnuTLS DTLS client responds with the Certificate under its possession even if it is unsuitable. In our case, unsuitable means that the type of the public key contained in the Certificate is not compatible with certificate_types in CertificateRequest. This is showcased in the below capture of an interaction with a GnuTLS client.

![gnutls_wrong_certificate_type](/uploads/22e0d763a3a8b08d2991f87ff10917bc/gnutls_wrong_certificate_type.png)

Inspection of the CertificateRequest and client Certificate messages reveals the incompatibility (DSS_SIGN requires a DSA key, whereas the client Certificate contains an RSA key).

![gnutls_wrong_certificate_type_certreq](/uploads/319b6c45d958d3bd8fb31dfdd089abf5/gnutls_wrong_certificate_type_certreq.png)
![gnutls_wrong_certificate_type_cert](/uploads/d73401e981fd101670a44a7afc16039e/gnutls_wrong_certificate_type_cert.png)

This behavior can lead to interoperability problems when connecting to servers that request but do not require client Certificates. On receiving a Certificate of the wrong type from the client, the server may abort the handshake, which would have been avoided had the client sent an empty Certificate message. A similar bug has been shown to affect MbedTLS. In the respective [issue](https://github.com/ARMmbed/mbedtls/issues/4059) we also give a concrete interoperability scenario involving an MbedTLS client and OpenSSL server where the two sides fail to complete the handshake because of this issue.

## How reproducible:
[Attached](/uploads/2b5d9f9ea12e2014e890bce23b27dccb/reproduction.tar.gz) are the files necessary for reproduction using [DTLS-Fuzzer](https://github.com/assist-project/dtls-fuzzer/). Also included in the archive is the capture shown above.

DTLS-Fuzzer requires the JDK for Java 8. On Ubuntu, this can be installed by running:

`sudo apt-get install openjdk-8-jdk`

Unpack the archive, `cd` to resulting folder and run `bash reproduce.sh`, while running an instance of Wireshark on the side. The reproduction script will:

* setup DTLS-Fuzzer;
* launch gnutls-cli utility (it is assumed the correct version of GnuTLS is already installed)
* launch DTLS-Fuzzer to execute input sequence found in 'test_sequence' to expose this problem.

## Actual results:
The client generates a non-empty Certificate message whose public key is incompatible with the certificate_types in CertificateRequest.

## Expected results:
The client should have responded with an empty Certificate.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1245
You're receiving this email because of your account on gitlab.com.

-------------- next part --------------
An HTML attachment was scrubbed...
URL:
From gnutls-devel at lists.gnutls.org Tue May 25 18:22:42 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Tue, 25 May 2021 16:22:42 +0000
Subject: [gnutls-devel] libtasn1 | Update gnulib. (!82)
References:
Message-ID:

Simon Josefsson created a merge request: https://gitlab.com/gnutls/libtasn1/-/merge_requests/82

Branches: tmp-gnulib-update to master
Author: Simon Josefsson

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/-/merge_requests/82
You're receiving this email because of your account on gitlab.com.

-------------- next part --------------
An HTML attachment was scrubbed...
URL:
From gnutls-devel at lists.gnutls.org Tue May 25 18:22:57 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Tue, 25 May 2021 16:22:57 +0000
Subject: [gnutls-devel] libtasn1 | Update gnulib. (!82)
In-Reply-To:
References:
Message-ID:

Merge request !82 was scheduled to merge after pipeline succeeds by Simon Josefsson

Merge request url: https://gitlab.com/gnutls/libtasn1/-/merge_requests/82
Branches: tmp-gnulib-update to master
Author: Simon Josefsson
Assignees:
Reviewers:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/-/merge_requests/82
You're receiving this email because of your account on gitlab.com.

-------------- next part --------------
An HTML attachment was scrubbed...
URL:
From gnutls-devel at lists.gnutls.org Tue May 25 19:20:18 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 25 May 2021 17:20:18 +0000 Subject: [gnutls-devel] libtasn1 | Update gnulib. (!82) In-Reply-To: References: Message-ID: Merge request !82 was merged Merge request URL: https://gitlab.com/gnutls/libtasn1/-/merge_requests/82 Branches: tmp-gnulib-update to master Author: Simon Josefsson Assignees: Reviewers: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/-/merge_requests/82 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue May 25 23:08:05 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 25 May 2021 21:08:05 +0000 Subject: [gnutls-devel] GnuTLS | certtool: generate, parse, and manipulate X25519 and X448 pubkeys, privkeys, and certificates (!1428) In-Reply-To: References: Message-ID: Daniel Kahn Gillmor commented: any feedback on this? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1428#note_584930635 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue May 25 23:09:00 2021 
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 25 May 2021 21:09:00 +0000 Subject: [gnutls-devel] GnuTLS | certtool: order DN components by scale. (!1438) In-Reply-To: References: Message-ID: Daniel Kahn Gillmor commented: any thoughts on this? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1438#note_584931017 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed May 26 18:35:23 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 26 May 2021 16:35:23 +0000 Subject: [gnutls-devel] GnuTLS | pre_shared_key: limit 0-RTT to resumption connections (!1436) In-Reply-To: References: Message-ID: Merge request !1436 was approved by Sahana Prasad Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1436 Project:Branches: dueno/gnutls:wip/dueno/earlydata-server to gnutls/gnutls:master Author: Daiki Ueno Assignee: Sahana Prasad Reviewer: Sahana Prasad -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1436 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed May 26 18:36:05 2021 
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 26 May 2021 16:36:05 +0000 Subject: [gnutls-devel] GnuTLS | pre_shared_key: limit 0-RTT to resumption connections (!1436) In-Reply-To: References: Message-ID: Sahana Prasad commented: @dueno LGTM. Would it be required that specific documentation needs any update? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1436#note_585756726 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed May 26 19:55:50 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 26 May 2021 17:55:50 +0000 Subject: [gnutls-devel] GnuTLS | pre_shared_key: limit 0-RTT to resumption connections (!1436) In-Reply-To: References: Message-ID: Daiki Ueno commented: Thank you for the review. As for the documentation, we probably should add once #1241 is addressed. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1436#note_585809505 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed May 26 19:55:58 2021 
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 26 May 2021 17:55:58 +0000 Subject: [gnutls-devel] GnuTLS | pre_shared_key: limit 0-RTT to resumption connections (!1436) In-Reply-To: References: Message-ID: Merge request !1436 was merged Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1436 Project:Branches: dueno/gnutls:wip/dueno/earlydata-server to gnutls/gnutls:master Author: Daiki Ueno Assignee: Sahana Prasad Reviewer: Sahana Prasad -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1436 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed May 26 19:55:58 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 26 May 2021 17:55:58 +0000 Subject: [gnutls-devel] GnuTLS | Server side QUIC early data issue (#1239) In-Reply-To: References: Message-ID: Issue was closed by Daiki Ueno via merge request !1436 (https://gitlab.com/gnutls/gnutls/-/merge_requests/1436) Issue #1239: https://gitlab.com/gnutls/gnutls/-/issues/1239 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1239 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu May 27 08:07:44 2021 
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Thu, 27 May 2021 06:07:44 +0000 Subject: [gnutls-devel] GnuTLS | Soft-disabling configuration capabilities should match the hard-disabling ones (#1172) In-Reply-To: References: Message-ID: Milestone removed -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1172 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu May 27 09:19:24 2021 
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Thu, 27 May 2021 07:19:24 +0000 Subject: [gnutls-devel] GnuTLS | devel: update libtasn1 submodule (!1441) References: Message-ID: Daiki Ueno created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1441 Project:Branches: dueno/gnutls:wip/dueno/update-libtasn1 to gnutls/gnutls:master Author: Daiki Ueno Fixes: #1144 (This possibly also fixes #1078) ## Checklist * [x] Commits have `Signed-off-by:` with name/author being identical to the commit author * [ ] Code modified for feature * [ ] Test suite updated with functionality tests * [ ] Test suite updated with negative tests * [ ] Documentation updated / NEWS entry present (for non-trivial changes) * [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout) ## Reviewer's checklist: * [ ] Any issues marked for closing are addressed * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md` * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1441 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu May 27 09:38:55 2021 
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Thu, 27 May 2021 07:38:55 +0000 Subject: [gnutls-devel] GnuTLS | certtool --generate-self-signed returns crt_sign: ASN1 parser: Value is not valid. (#1144) In-Reply-To: References: Message-ID: Milestone changed to Release of GnuTLS 3.7.2 release ( https://gitlab.com/gnutls/gnutls/-/milestones/31 ) -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1144 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu May 27 12:57:11 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Thu, 27 May 2021 10:57:11 +0000 Subject: [gnutls-devel] GnuTLS | certtool --generate-self-signed returns crt_sign: ASN1 parser: Value is not valid. (#1144) In-Reply-To: References: Message-ID: Issue was closed by Daiki Ueno via merge request !1441 (https://gitlab.com/gnutls/gnutls/-/merge_requests/1441) Issue #1144: https://gitlab.com/gnutls/gnutls/-/issues/1144 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1144 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu May 27 12:57:10 2021 
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Thu, 27 May 2021 10:57:10 +0000 Subject: [gnutls-devel] GnuTLS | devel: update libtasn1 submodule (!1441) In-Reply-To: References: Message-ID: Merge request !1441 was merged Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1441 Project:Branches: dueno/gnutls:wip/dueno/update-libtasn1 to gnutls/gnutls:master Author: Daiki Ueno Assignees: Reviewers: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1441 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu May 27 12:57:12 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Thu, 27 May 2021 10:57:12 +0000 Subject: [gnutls-devel] GnuTLS | apparent bug in _gnutls_x509_der_encode with fix/workaround that shouldn't work (#1078) In-Reply-To: References: Message-ID: Issue was closed by Daiki Ueno via merge request !1441 (https://gitlab.com/gnutls/gnutls/-/merge_requests/1441) Issue #1078: https://gitlab.com/gnutls/gnutls/-/issues/1078 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1078 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri May 28 17:26:09 2021 
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Fri, 28 May 2021 15:26:09 +0000
Subject: [gnutls-devel] GnuTLS | Update git submodules for gnulib, nettle, and tlsfuzzer (!1442)
References:
Message-ID:

Daiki Ueno created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1442

Project:Branches: dueno/gnutls:wip/dueno/update-gnulib to gnutls/gnutls:master
Author: Daiki Ueno

Add a description of the new feature/bug fix. Reference any relevant bugs.

## Checklist
* [x] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [ ] Code modified for feature
* [ ] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
* [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:
* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1442

From gnutls-devel at lists.gnutls.org Fri May 28 18:26:33 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Fri, 28 May 2021 16:26:33 +0000
Subject: [gnutls-devel] GnuTLS | Update git submodules for gnulib, nettle, and tlsfuzzer (!1442)
In-Reply-To:
References:
Message-ID:

Merge request !1442 was merged
Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1442
Project:Branches: dueno/gnutls:wip/dueno/update-gnulib to gnutls/gnutls:master
Author: Daiki Ueno
Assignees:
Reviewers:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1442

From gnutls-devel at lists.gnutls.org Fri May 28 18:29:34 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Fri, 28 May 2021 16:29:34 +0000
Subject: [gnutls-devel] GnuTLS | certtool: order DN components by scale. (!1438)
In-Reply-To:
References:
Message-ID:

Daiki Ueno commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/1438#note_588028710

Sorry for the delay; it looks good to me. Maybe it's worth mentioning the behavior change in NEWS?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1438#note_588028710

From gnutls-devel at lists.gnutls.org Fri May 28 18:29:42 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Fri, 28 May 2021 16:29:42 +0000
Subject: [gnutls-devel] GnuTLS | certtool: order DN components by scale. (!1438)
In-Reply-To:
References:
Message-ID:

Merge request !1438 was approved by Daiki Ueno
Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1438
Project:Branches: dkg/gnutls:order-dn to gnutls/gnutls:master
Author: Daniel Kahn Gillmor
Assignees:
Reviewers:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1438

From gnutls-devel at lists.gnutls.org Fri May 28 18:33:31 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Fri, 28 May 2021 16:33:31 +0000
Subject: [gnutls-devel] GnuTLS | build: require libkcapi 1.3.0 or later if --enable-afalg (!1443)
References:
Message-ID:

Daiki Ueno created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1443

Project:Branches: dueno/gnutls:wip/dueno/libkcapi-1.3.0 to gnutls/gnutls:master
Author: Daiki Ueno

Add a description of the new feature/bug fix. Reference any relevant bugs.

## Checklist
* [x] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [ ] Code modified for feature
* [ ] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
* [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:
* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1443

From gnutls-devel at lists.gnutls.org Fri May 28 18:35:21 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Fri, 28 May 2021 16:35:21 +0000
Subject: [gnutls-devel] GnuTLS | build: fix interface version dependencies in libgnutls.map (!1444)
References:
Message-ID:

Daiki Ueno created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1444

Project:Branches: dueno/gnutls:wip/dueno/version-deps to gnutls/gnutls:master
Author: Daiki Ueno

Add a description of the new feature/bug fix. Reference any relevant bugs.

## Checklist
* [x] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [ ] Code modified for feature
* [ ] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
* [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:
* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1444

From gnutls-devel at lists.gnutls.org Fri May 28 19:19:31 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Fri, 28 May 2021 17:19:31 +0000
Subject: [gnutls-devel] GnuTLS | build: require libkcapi 1.3.0 or later if --enable-afalg (!1443)
In-Reply-To:
References:
Message-ID:

Merge request !1443 was scheduled to merge after pipeline succeeds by Daiki Ueno
Merge request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1443
Project:Branches: dueno/gnutls:wip/dueno/libkcapi-1.3.0 to gnutls/gnutls:master
Author: Daiki Ueno
Assignees:
Reviewers:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1443

From gnutls-devel at lists.gnutls.org Fri May 28 19:19:47 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Fri, 28 May 2021 17:19:47 +0000
Subject: [gnutls-devel] GnuTLS | build: fix interface version dependencies in libgnutls.map (!1444)
In-Reply-To:
References:
Message-ID:

Merge request !1444 was scheduled to merge after pipeline succeeds by Daiki Ueno
Merge request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1444
Project:Branches: dueno/gnutls:wip/dueno/version-deps to gnutls/gnutls:master
Author: Daiki Ueno
Assignees:
Reviewers:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1444

From gnutls-devel at lists.gnutls.org Fri May 28 19:24:49 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Fri, 28 May 2021 17:24:49 +0000
Subject: [gnutls-devel] GnuTLS | certtool generates subject DN in reverse order (#1243)
In-Reply-To:
References:
Message-ID:

Milestone changed to Release of GnuTLS 3.7.2 release ( https://gitlab.com/gnutls/gnutls/-/milestones/31 )

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1243

From gnutls-devel at lists.gnutls.org Fri May 28 19:27:32 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Fri, 28 May 2021 17:27:32 +0000
Subject: [gnutls-devel] GnuTLS | DTLS client responds to CertificateRequest with Certificate of the wrong type (potential interop. problems) (#1245)
In-Reply-To:
References:
Message-ID:

Daiki Ueno commented:

I suspect this is the issue !1434 is supposed to fix.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1245#note_588058563

From gnutls-devel at lists.gnutls.org Fri May 28 20:08:05 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Fri, 28 May 2021 18:08:05 +0000
Subject: [gnutls-devel] GnuTLS | certtool: order DN components by scale. (!1438)
In-Reply-To:
References:
Message-ID:

Daniel Kahn Gillmor commented:

Good idea. I've now updated NEWS as well.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1438#note_588077243

From gnutls-devel at lists.gnutls.org Fri May 28 21:03:31 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Fri, 28 May 2021 19:03:31 +0000
Subject: [gnutls-devel] GnuTLS | build: require libkcapi 1.3.0 or later if --enable-afalg (!1443)
In-Reply-To:
References:
Message-ID:

Merge request !1443 was merged
Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1443
Project:Branches: dueno/gnutls:wip/dueno/libkcapi-1.3.0 to gnutls/gnutls:master
Author: Daiki Ueno
Assignees:
Reviewers:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1443

From gnutls-devel at lists.gnutls.org Sat May 29 06:40:18 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sat, 29 May 2021 04:40:18 +0000
Subject: [gnutls-devel] GnuTLS | certtool: order DN components by scale. (!1438)
In-Reply-To:
References:
Message-ID:

Merge request !1438 was merged
Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1438
Project:Branches: dkg/gnutls:order-dn to gnutls/gnutls:master
Author: Daniel Kahn Gillmor
Assignees:
Reviewers:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1438

From gnutls-devel at lists.gnutls.org Sat May 29 06:40:10 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sat, 29 May 2021 04:40:10 +0000
Subject: [gnutls-devel] GnuTLS | certtool: order DN components by scale. (!1438)
In-Reply-To:
References:
Message-ID:

All discussions on merge request !1438 were resolved by Daiki Ueno

https://gitlab.com/gnutls/gnutls/-/merge_requests/1438

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1438

From gnutls-devel at lists.gnutls.org Sat May 29 06:40:18 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sat, 29 May 2021 04:40:18 +0000
Subject: [gnutls-devel] GnuTLS | certtool generates subject DN in reverse order (#1243)
In-Reply-To:
References:
Message-ID:

Issue was closed by Daniel Kahn Gillmor via commit f2b207b3aebe298d99810235d97cb120853b051f

Issue #1243: https://gitlab.com/gnutls/gnutls/-/issues/1243

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1243

From gnutls-devel at lists.gnutls.org Sat May 29 06:40:27 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sat, 29 May 2021 04:40:27 +0000
Subject: [gnutls-devel] GnuTLS | certtool: order DN components by scale. (!1438)
In-Reply-To:
References:
Message-ID:

Daiki Ueno commented:

Thank you!

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1438#note_588212019

From gnutls-devel at lists.gnutls.org Sat May 29 06:53:03 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sat, 29 May 2021 04:53:03 +0000
Subject: [gnutls-devel] GnuTLS | build: fix interface version dependencies in libgnutls.map (!1444)
In-Reply-To:
References:
Message-ID:

Merge request !1444 was merged
Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1444
Project:Branches: dueno/gnutls:wip/dueno/version-deps to gnutls/gnutls:master
Author: Daiki Ueno
Assignees:
Reviewers:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1444

From gnutls-devel at lists.gnutls.org Sat May 29 07:53:26 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sat, 29 May 2021 05:53:26 +0000
Subject: [gnutls-devel] GnuTLS | Release 3.7.2 (!1445)
References:
Message-ID:

Daiki Ueno created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1445

Project:Branches: dueno/gnutls:wip/dueno/release-3.7.2 to gnutls/gnutls:master
Author: Daiki Ueno

Add a description of the new feature/bug fix. Reference any relevant bugs.

## Checklist
* [x] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [ ] Code modified for feature
* [ ] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
* [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:
* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1445

From gnutls-devel at lists.gnutls.org Sat May 29 09:15:23 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sat, 29 May 2021 07:15:23 +0000
Subject: [gnutls-devel] GnuTLS | Release 3.7.2 (!1445)
In-Reply-To:
References:
Message-ID:

Merge request !1445 was scheduled to merge after pipeline succeeds by Daiki Ueno
Merge request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1445
Project:Branches: dueno/gnutls:wip/dueno/release-3.7.2 to gnutls/gnutls:master
Author: Daiki Ueno
Assignees:
Reviewers:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1445

From gnutls-devel at lists.gnutls.org Sat May 29 09:41:47 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sat, 29 May 2021 07:41:47 +0000
Subject: [gnutls-devel] GnuTLS | Release 3.7.2 (!1445)
In-Reply-To:
References:
Message-ID:

Merge request !1445 was merged
Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1445
Project:Branches: dueno/gnutls:wip/dueno/release-3.7.2 to gnutls/gnutls:master
Author: Daiki Ueno
Assignees:
Reviewers:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1445

From gnutls-devel at lists.gnutls.org Sat May 29 12:26:18 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sat, 29 May 2021 10:26:18 +0000
Subject: [gnutls-devel] GnuTLS | Apps using gnutls log error on kernel 5.12 if built with AF_ALG (#1246)
References:
Message-ID:

Jan Palus created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1246

Just took gnutls 3.7.2 with `--enable-afalg` for a spin and there seems to be a usability problem. Application started to log cryptic error:

```
libkcapi - Error: AF_ALG: bind failed (errno: -2)
```

Few remarks:
* error is harmless since it's about missing cipher in kernel, namely salsa20 which was dropped in kernel 5.12
* preferably error should be logged only with verbose mode, but unfortunately libkcapi does not seem to allow it
* even in verbose mode it would be good if error had some additional info, i.e. that it's salsa20 cipher which failed initialization

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1246

From gnutls-devel at lists.gnutls.org Sat May 29 12:59:43 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sat, 29 May 2021 10:59:43 +0000
Subject: [gnutls-devel] GnuTLS | Apps using gnutls log error on kernel 5.12 if built with AF_ALG (#1246)
In-Reply-To:
References:
Message-ID:

Jan Palus commented:

> but unfortunately libkcapi does not seem to allow it

That's actually not correct -- there is a possibility to call `kcapi_set_verbosity(KCAPI_LOG_NONE);`

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1246#note_588259248

From gnutls-devel at lists.gnutls.org Sat May 29 16:53:30 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sat, 29 May 2021 14:53:30 +0000
Subject: [gnutls-devel] GnuTLS | Apps using gnutls log error on kernel 5.12 if built with AF_ALG (#1246)
In-Reply-To:
References:
Message-ID:

Daiki Ueno commented:

As the error is logged while probing supported ciphers, I guess it would be nice if the log is temporarily disabled, while I couldn't find an easy way to do so (e.g., `kcapi_get_verbosity`). Or perhaps it might be harmless to just disable the log unconditionally. @smuellerDD thoughts?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1246#note_588293123

From gnutls-devel at lists.gnutls.org Mon May 31 10:00:22 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Mon, 31 May 2021 08:00:22 +0000
Subject: [gnutls-devel] GnuTLS | Apps using gnutls log error on kernel 5.12 if built with AF_ALG (#1246)
In-Reply-To:
References:
Message-ID:

Stephan Mueller commented on a discussion: https://gitlab.com/gnutls/gnutls/-/issues/1246#note_588753316

When you probe the ciphers and expect an error, you could use:

    kcapi_set_verbosity(KCAPI_LOG_NONE);
    do_my_probing();
    kcapi_set_verbosity(KCAPI_LOG_ERR);

This way, no logs whatsoever are created. Would that work for you?

Ciao
Stephan

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1246#note_588753316

From gnutls-devel at lists.gnutls.org Mon May 31 20:08:28 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Mon, 31 May 2021 18:08:28 +0000
Subject: [gnutls-devel] GnuTLS | Apps using gnutls log error on kernel 5.12 if built with AF_ALG (#1246)
In-Reply-To:
References:
Message-ID:

Daiki Ueno commented on a discussion: https://gitlab.com/gnutls/gnutls/-/issues/1246#note_589323512

> kcapi_set_verbosity(KCAPI_LOG_NONE);
> do_my_probing();
> kcapi_set_verbosity(KCAPI_LOG_ERR);

Thanks. I was thinking about the case where the application previously sets any other log level than `ERR`. On the other hand, this is nevertheless called from the ELF constructor, so I guess it's a reasonable solution (i.e., applications can set it later).

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1246#note_589323512

From gnutls-devel at lists.gnutls.org Mon May 31 20:09:04 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Mon, 31 May 2021 18:09:04 +0000
Subject: [gnutls-devel] GnuTLS | Allow changing key of SIV AEAD ciphers (#1217)
In-Reply-To:
References:
Message-ID:

Milestone changed to Release of GnuTLS 3.7.3 release ( https://gitlab.com/gnutls/gnutls/-/milestones/32 )

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1217

From gnutls-devel at lists.gnutls.org Mon May 31 20:12:43 2021
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Mon, 31 May 2021 18:12:43 +0000
Subject: [gnutls-devel] GnuTLS | Ed448 keys are indicated as having a 456-bit "security level" (#1231)
In-Reply-To:
References:
Message-ID:

Daiki Ueno commented:

FWIW the relevant code is:
https://gitlab.com/gnutls/gnutls/-/blob/master/lib/pubkey.c#L68

For some reason, Ed448 indeed has a size definition as 57:
https://gitlab.com/gnutls/gnutls/-/blob/master/lib/algorithms/ecc.c#L111

If we want to be more accurate, I guess there should be another field representing security strength.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1231#note_589325032