From gnutls-devel at lists.gnutls.org Fri Oct 1 06:04:02 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 01 Oct 2021 04:04:02 +0000 Subject: [gnutls-devel] GnuTLS | Confusing error when guile-3.0-dev is absent (Ubuntu) (#1261) In-Reply-To: References: Message-ID: Issue was closed by GnuTLS bot Issue #1261: https://gitlab.com/gnutls/gnutls/-/issues/1261 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1261 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Oct 1 06:04:01 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 01 Oct 2021 04:04:01 +0000 Subject: [gnutls-devel] GnuTLS | GnuTLS for Windows (#1267) In-Reply-To: References: Message-ID: Issue was closed by GnuTLS bot Issue #1267: https://gitlab.com/gnutls/gnutls/-/issues/1267 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1267 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Oct 1 06:04:02 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 01 Oct 2021 04:04:02 +0000 Subject: [gnutls-devel] GnuTLS | Confusing error when guile-3.0-dev is absent (Ubuntu) (#1261) In-Reply-To: References: Message-ID: GnuTLS bot commented: @provoost This issue was marked as needinfo with no update for long time. We are now closing it, but please re-open if it is still relevant. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1261#note_691983919 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Oct 1 06:04:01 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 01 Oct 2021 04:04:01 +0000 Subject: [gnutls-devel] GnuTLS | GnuTLS for Windows (#1267) In-Reply-To: References: Message-ID: GnuTLS bot commented: @xbotuk This issue was marked as needinfo with no update for long time. We are now closing it, but please re-open if it is still relevant. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1267#note_691983914 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Oct 1 12:07:00 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 01 Oct 2021 10:07:00 +0000 Subject: [gnutls-devel] GnuTLS | Possible race condition in gnutls_x509_trust_list_verify_crt2 (#1277) References: Message-ID: Remi Gacogne created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1277 ## Description of problem: Possible race condition leading to a memory corruption issue in `trust_list_add_compat` called indirectly from `gnutls_x509_trust_list_verify_crt2` (see below) when handling outgoing (client) TLS connections from multiple threads. Or possibly I'm holding GnuTLS wrong. ## Version of gnutls used: 3.7.2. ## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL) Arch Linux and compiled from source. ## How reproducible: I'm experiencing a race condition leading to a memory corruption issue in dnsdist 1.7.0-alpha1 (developer here), when using GnuTLS 3.7.2 to handle outgoing (client) TLS connections from multiple threads, and I'm trying to understand whether I'm holding GnuTLS wrong or if this is an issue that needs to be fixed in GnuTLS itself. Our design is that we create a single `gnutls_certificate_credentials_t` object while parsing the configuration, in this particular case calling `gnutls_certificate_set_x509_system_trust` to use the system CA store. PKCS11 support is enabled in this GnuTLS build, which will be important later. Later we have several worker threads each creating several new TLS connections, a single `gnutls_session_t` being only accessed by one thread, but the `gnutls_certificate_credentials_t` is shared by all connections by calling `gnutls_credentials_set` with `GNUTLS_CRD_CERTIFICATE`. My understanding after reading the "Thread safety" and "gnutls_credentials_set" parts of the documentation is that it should be safe to do so, but perhaps I'm wrong and this is the root cause of my issue. We also require certificate verification by calling `gnutls_session_set_verify_cert` with `GNUTLS_VERIFY_ALLOW_UNSORTED_CHAIN`. We are then experiencing a memory corruption when several handshakes are processed at the same time from different threads, in the certification verification code: ``` ================================================================= ==82302==ERROR: AddressSanitizer: attempting double-free on 0x627000085100 in thread T19 (dnsdist/healthC): #0 0x5610da6eada2 in realloc (/work/pdns/pdns/dnsdistdist/dnsdist+0x12fcda2) #1 0x7fc1b573ab14 in _gnutls_reallocarray_fast /data/sources/gnutls-3.7.2/lib/mem.c:63:8 #2 0x7fc1b57c6b03 in trust_list_add_compat /data/sources/gnutls-3.7.2/lib/x509/verify-high.c:310:3 #3 0x7fc1b57c6b03 in gnutls_x509_trust_list_get_issuer /data/sources/gnutls-3.7.2/lib/x509/verify-high.c:1165:10 #4 0x7fc1b57c732b in gnutls_x509_trust_list_verify_crt2 /data/sources/gnutls-3.7.2/lib/x509/verify-high.c:1521:7 #5 0x7fc1b5755208 in _gnutls_x509_cert_verify_peers /data/sources/gnutls-3.7.2/lib/cert-session.c:597:10 #6 0x7fc1b57541c0 in auto_verify_cb /data/sources/gnutls-3.7.2/lib/auto-verify.c:40:9 #7 0x7fc1b5719148 in _gnutls_run_verify_callback /data/sources/gnutls-3.7.2/lib/handshake.c:2972:10 #8 0x7fc1b5719148 in _gnutls_run_verify_callback /data/sources/gnutls-3.7.2/lib/handshake.c:2938:5 #9 0x7fc1b571156c in _gnutls13_handshake_client /data/sources/gnutls-3.7.2/lib/handshake-tls13.c:132:9 #10 0x7fc1b571cf41 in handshake_client /data/sources/gnutls-3.7.2/lib/handshake.c:3012:10 #11 0x7fc1b571cf41 in gnutls_handshake /data/sources/gnutls-3.7.2/lib/handshake.c:2855:10 #12 0x5610db811868 in GnuTLSConnection::tryHandshake() /work/pdns/pdns/dnsdistdist/tcpiohandler.cc:1103:13 #13 0x5610db81396b in GnuTLSConnection::tryWrite(std::vector > > const&, unsigned long&, unsigned long) /work/pdns/pdns/dnsdistdist/tcpiohandler.cc:1145:20 #14 0x5610da8af7ab in TCPIOHandler::tryWrite(std::vector > > const&, unsigned long&, unsigned long) /work/pdns/pdns/dnsdistdist/./tcpiohandler.hh:402:22 #15 0x5610da8a88b3 in healthCheckTCPCallback(int, boost::any&) /work/pdns/pdns/dnsdistdist/dnsdist-healthchecks.cc:261:37 #16 0x5610db7d3bb4 in boost::function2::operator()(int, boost::any&) const /usr/include/boost/function/function_template.hpp:763:14 #17 0x5610db84be27 in EpollFDMultiplexer::run(timeval*, int) /work/pdns/pdns/dnsdistdist/epollmplexer.cc:193:9 #18 0x5610da8a9f64 in handleQueuedHealthChecks(FDMultiplexer&, bool) /work/pdns/pdns/dnsdistdist/dnsdist-healthchecks.cc:451:23 #19 0x5610db6d0ed9 in healthChecksThread() /work/pdns/pdns/dnsdistdist/dnsdist.cc:1907:5 #20 0x7fc1b55433c3 in execute_native_thread_routine /build/gcc/src/gcc/libstdc++-v3/src/c++11/thread.cc:82:18 #21 0x7fc1b568f258 in start_thread (/usr/lib/libpthread.so.0+0x9258) #22 0x7fc1b522f5e2 in clone (/usr/lib/libc.so.6+0xfe5e2) 0x627000085100 is located 0 bytes inside of 14000-byte region [0x627000085100,0x6270000887b0) freed by thread T6 (dnsdist/tcpClie) here: #0 0x5610da6eada2 in realloc (/work/pdns/pdns/dnsdistdist/dnsdist+0x12fcda2) #1 0x7fc1b573ab14 in _gnutls_reallocarray_fast /data/sources/gnutls-3.7.2/lib/mem.c:63:8 previously allocated by thread T3 (dnsdist/tcpClie) here: #0 0x5610da6eada2 in realloc (/work/pdns/pdns/dnsdistdist/dnsdist+0x12fcda2) #1 0x7fc1b573ab14 in _gnutls_reallocarray_fast /data/sources/gnutls-3.7.2/lib/mem.c:63:8 ``` We see that the certificate verification code is reallocating an array inside the cred's `tlist` in `trust_list_add_compat`, after being called by `gnutls_x509_trust_list_get_issuer`. That happens only if PKCS11 support is enabled and the trust list's pkcs11_token field is set. The documentation for `gnutls_x509_trust_list_get_issuer` states that "the flag `GNUTLS_TL_GET_COPY` is required for this function to work with PKCS#11 trust lists in a thread-safe way", but `gnutls_x509_trust_list_verify_crt2` does not set that flag. Unfortunately that means that another thread might be trying to access the array at the same time, or even reallocating it, which leads to memory corruption (use-after-free). Note that `gnutls_x509_trust_list_get_issuer` was not called before e97a5f07bc9d9394424c6520656e902019fcb380, so this behaviour might have been introduced in 3.7.1. ## Actual results: Memory corruption. ## Expected results: No memory corruption. I would welcome some help understanding whether I should be doing things differently in dnsdist in order to prevent this. Many thanks in advance :) -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1277 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Oct 5 12:41:27 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 05 Oct 2021 10:41:27 +0000 Subject: [gnutls-devel] GnuTLS | Build of samba-4.15.0 on Linux for x86_64 target is failing with gnutls (#1278) References: Message-ID: Debananda Pal created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1278 Hi All, I am facing below issue while building samba-4.15.0 (without --enable-fips140-mode in gnutls), I am getting issue with fips mode support as below : ------------------------------------------------------------------------------ Checking for gnutls fips mode support: UNKNOWN ------------------------------------------------------------------------------ According to Release Notes for Samba 4.15.0 : Previously many tools silently ignored unknown options. To prevent unexpected behaviour all tools will now consistently reject unknown options. --------------------------------------------------- After adding --enable-fips140-mode on gnutls config, I am getting nettle library not found issue, though the library is present in build path : --------------------------------------------------- linux/gnutls/_build/oak.x86_64/work/gnutls-3.7.2/lib/.libs/lt-fipshmac: error while loading shared libraries: libnettle.so.8: cannot open shared object file: No such file or directory Makefile:3392: recipe for target '.libs/.libgnutls.so.30.hmac' failed --------------------------------------------------- Note: As --without-dnsupdate option is not supported, I removed the option, but failed to build gnutls Please help me to proceed further. Below are the config options used for gnutls : ----------------------------------------- '--libdir=/lib64', '--prefix=/', '--with-nettle-mini', '--with-included-unistring', '--with-included-libtasn1', '--disable-silent-rules', '--without-p11-kit', '--enable-silent-rules', '--disable-rpath', '--enable-fips140-mode', '--enable-sha1-support', '--with-system-priority-file=/tandberg/etc/gnutls-conf'[build.log](/uploads/11a2110728af93fc80219d8d8d308cbd/build.log) ----------------------------------------- I have attached gnutls build log for your kind attention. Thanks, D Pal -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1278 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Oct 11 11:47:56 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Mon, 11 Oct 2021 09:47:56 +0000 Subject: [gnutls-devel] GnuTLS | Supporting SSL_CERT_DIR and SSL_CERT_FILE (#1279) References: Message-ID: Roel Janssen created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1279 ## Description of the feature: I want to propose implementing a feature that enables a user to choose a trust store at run-time. This feature would work exactly as it works in OpenSSL: https://www.openssl.org/docs/man3.0/man3/SSL_CTX_set_default_verify_paths.html > SSL_CTX_set_default_verify_paths() specifies that the default locations from which CA certificates are loaded should be used. There is one default directory, one default file and one default store. The default CA certificates directory is called certs in the default OpenSSL directory, and this is also the default store. Alternatively the SSL_CERT_DIR environment variable can be defined to override this location. The default CA certificates file is called cert.pem in the default OpenSSL directory. Alternatively the SSL_CERT_FILE environment variable can be defined to override this location. This manual page describes being able to overwrite the default CA certificates by specifying alternatives using either `SSL_CERT_DIR` or `SSL_CERT_FILE`. ## Applications that this feature may be relevant to: See a related discussion here: https://lists.gnu.org/archive/html/guix-devel/2014-02/msg00245.html ## Is this feature implemented in other libraries (and which) Yes, in OpenSSL. See: https://www.openssl.org/docs/man3.0/man3/SSL_CTX_set_default_verify_paths.html ## Guidance If the feature request seems fine, but nobody can work on it, I would like to give it a try. If there are any perspectives that come to mind that I have to take into account while implementing this feature, please write them here. :) Thank you! -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1279 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Oct 14 15:38:27 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Thu, 14 Oct 2021 13:38:27 +0000 Subject: [gnutls-devel] GnuTLS | Git access issues due to long CA bundle filename (#1280) References: Message-ID: Ye Yang created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1280 ## Description of problem: I have a CA bundle file added to `/etc/ssl/certs` that is used by the NGINX HTTPS reverse proxy setup on the machine and is unrelated to `git`. I have noticed that `git` (which uses `gnutls`) operations would fail if the bundle filename has more than 36 characters. ## Version of gnutls used: `3.6.13-2ubuntu1.6` ## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL) Ubuntu ## How reproducible: Steps to Reproduce: * Add a CA bundle file with more than 36 characters, eg: `/etc/ssl/certs/star.staging.xxxx.eu.nginx.bundle.crt` * Try to `git clone` ## Actual results: ```bash root at wiki-staging:~# ll /etc/ssl/certs/star.staging.xxxx.eu.nginx.bundle.crt -rw-r--r-- 1 root root 7198 Oct 13 18:37 /etc/ssl/certs/star.staging.xxxx.eu.nginx.bundle.crt root at wiki-staging:~# git clone https://code.****.pt/****/****.git Cloning into '****'... fatal: unable to access 'https://code.****.pt/****/****.git/': server certificate verification failed. CAfile: none CRLfile: none root at wiki-staging:~# ``` ## Expected results: If we change the file name from `star.staging.xxxx.eu.nginx.bundle.crt` (37 chars) to `star.staging.xxx.eu.nginx.bundle.crt` (36 chars) the `git` commands return to normal function. ```bash root at wiki-staging:~# mv /etc/ssl/certs/star.staging.xxxx.eu.nginx.bundle.crt /etc/ssl/certs/star.staging.xxx.eu.nginx.bundle.crt root at wiki-staging:~# ll /etc/ssl/certs/star.staging.xxx.eu.nginx.bundle.crt -rw-r--r-- 1 root root 7198 Oct 13 18:37 /etc/ssl/certs/star.staging.xxx.eu.nginx.bundle.crt root at wiki-staging:~# git clone https://code.****.pt/****/****.git Cloning into '****'... remote: Counting objects: 13, done. remote: Compressing objects: 100% (11/11), done. remote: Total 13 (delta 1), reused 0 (delta 0) Unpacking objects: 100% (13/13), 3.49 KiB | 142.00 KiB/s, done. root at wiki-staging:~# ``` -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1280 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Oct 15 06:03:10 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 15 Oct 2021 04:03:10 +0000 Subject: [gnutls-devel] GnuTLS | Certificate is considered as invalid if trust store contains CA cert with duplicating extensions (#1255) In-Reply-To: References: Message-ID: GnuTLS bot commented: @romankulikov This issue was marked as needinfo with no update for long time. We are now closing it, but please re-open if it is still relevant. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1255#note_704426323 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Oct 15 06:03:10 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 15 Oct 2021 04:03:10 +0000 Subject: [gnutls-devel] GnuTLS | Certificate is considered as invalid if trust store contains CA cert with duplicating extensions (#1255) In-Reply-To: References: Message-ID: Issue was closed by GnuTLS bot Issue #1255: https://gitlab.com/gnutls/gnutls/-/issues/1255 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1255 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Oct 15 11:03:06 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 15 Oct 2021 09:03:06 +0000 Subject: [gnutls-devel] GnuTLS | ktls: API (!1477) In-Reply-To: References: Message-ID: Reviewer changed to Daiki Ueno -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1477 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Oct 15 11:03:06 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 15 Oct 2021 09:03:06 +0000 Subject: [gnutls-devel] GnuTLS | ktls: API (!1477) References: Message-ID: Franti?ek Kren?elok created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1477 Project:Branches: FrantisekKrenzelok/gnutls:ktls_api to gnutls/gnutls:master Author: Franti?ek Kren?elok Assignee: Franti?ek Kren?elok Reviewer: Daiki Ueno API and default behavior, following [!1451](https://gitlab.com/gnutls/gnutls/-/merge_requests/1451) ## Checklist * [ ] Commits have `Signed-off-by:` with name/author being identical to the commit author * [ ] Code modified for feature * [ ] Test suite updated with functionality tests * [ ] Test suite updated with negative tests * [ ] Documentation updated / NEWS entry present (for non-trivial changes) * [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout) ## Reviewer's checklist: * [ ] Any issues marked for closing are addressed * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md` * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1477 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Oct 15 11:03:06 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 15 Oct 2021 09:03:06 +0000 Subject: [gnutls-devel] GnuTLS | ktls: API (!1477) In-Reply-To: References: Message-ID: Reassigned merge request 1477 https://gitlab.com/gnutls/gnutls/-/merge_requests/1477 Assignee changed to Franti?ek Kren?elok -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1477 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Oct 15 11:04:18 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 15 Oct 2021 09:04:18 +0000 Subject: [gnutls-devel] GnuTLS | ktls: basic implementation of SW mode (!1451) In-Reply-To: References: Message-ID: Franti?ek Kren?elok commented: API will be further discussed and implemented in the following MR [!1477](https://gitlab.com/gnutls/gnutls/-/merge_requests/1477) -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1451#note_704614388 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Oct 15 11:04:43 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 15 Oct 2021 09:04:43 +0000 Subject: [gnutls-devel] GnuTLS | ktls: basic implementation of SW mode (!1451) In-Reply-To: References: Message-ID: All discussions on merge request !1451 were resolved by Franti?ek Kren?elok https://gitlab.com/gnutls/gnutls/-/merge_requests/1451 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1451 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Oct 15 11:26:31 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 15 Oct 2021 09:26:31 +0000 Subject: [gnutls-devel] GnuTLS | ktls: API (!1477) In-Reply-To: References: Message-ID: Franti?ek Kren?elok commented: As suggested by [@rwmjones](https://gitlab.com/gnutls/gnutls/-/merge_requests/1451#note_680381199) and [@berrange](https://gitlab.com/gnutls/gnutls/-/merge_requests/1451#note_682833280) - When the GnuTLS is configured and build with `--enable-ktls`, It will be used by default on all connections. - It will work only for connections using GnuTLS read/write functions - Enc/Dec will fallback to userspace if the KTLS initialization fails. - API: - `gnutls_transport_is_ktls_enabled` - used after handshake to check whether or not is KTLS enabled Any other suggestions? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1477#note_704636584 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Oct 15 15:54:28 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 15 Oct 2021 13:54:28 +0000 Subject: [gnutls-devel] GnuTLS | ktls: basic implementation of SW mode (!1451) In-Reply-To: References: Message-ID: Merge request https://gitlab.com/gnutls/gnutls/-/merge_requests/1451 was reviewed by Daiki Ueno -- Daiki Ueno started a new discussion on lib/system/ktls.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1451#note_704937405 > +#else //ENABLE_KTLS > + > +int _gnutls_ktls_enable(gnutls_session_t session){ Shouldn't this be `gnutls_ktls_enable` or should the other be `_gnutls_ktls_enable`? -- Daiki Ueno started a new discussion on lib/includes/gnutls/socket.h: https://gitlab.com/gnutls/gnutls/-/merge_requests/1451#note_704937407 > > + > + Leftover? -- Daiki Ueno started a new discussion on lib/gnutls_int.h: https://gitlab.com/gnutls/gnutls/-/merge_requests/1451#note_704937409 > void *epoch_lock; > > + /* indicates weather or not was KTLS initialized properly. */ typo: weather ? whether -- Daiki Ueno started a new discussion on lib/system/ktls.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1451#note_704937410 > + // ignore post-handshake messages > + if (type != record_type) { > + return _gnutls_ktls_recv_int(session, Wouldn't simply return `GNUTLS_E_AGAIN` work? -- Daiki Ueno started a new discussion on lib/system/ktls.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1451#note_704937414 > + } > + break; > + default: Although the other algorithms are already filtered out, it might make sense to add `assert(0)` here to catch any future programming error. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1451 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Oct 15 15:57:31 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 15 Oct 2021 13:57:31 +0000 Subject: [gnutls-devel] GnuTLS | ktls: basic implementation of SW mode (!1451) In-Reply-To: References: Message-ID: Daiki Ueno commented: Other than the comments it looks good to me. A couple of minor suggestions: - remove `log` file in the commit - remove spaces between function name and the open parenthesis, following the Linux kernel coding style It would be nice if you could draft a NEWS entry for this, but we can also do it in !1477. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1451#note_704940829 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Oct 15 15:58:03 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 15 Oct 2021 13:58:03 +0000 Subject: [gnutls-devel] GnuTLS | ktls: basic implementation of SW mode (!1451) In-Reply-To: References: Message-ID: Daiki Ueno commented: Ah, also please rebase and retrigger the CI :-) -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1451#note_704941467 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat Oct 16 18:46:08 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Sat, 16 Oct 2021 16:46:08 +0000 Subject: [gnutls-devel] GnuTLS | Port openconnect TPM2 code (!1460) In-Reply-To: References: Message-ID: Daiki Ueno commented on a discussion on lib/tpm2_esys.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1460#note_705545575 > + if (tpm2_pin(info->pin_info, "tpm2:", hierarchy_name, pass, sizeof(pass))) { > + return gnutls_assert_val(GNUTLS_E_TPM_KEY_PASSWORD_ERROR); > + } > + install_tpm_passphrase(&info->ownerauth, pass); > + info->need_ownerauth = false; > + } > + rc = Esys_TR_SetAuth(ctx, hierarchy, &info->ownerauth); > + if (rc) { > + _gnutls_debug_log("tpm2: Esys_TR_SetAuth failed: 0x%x\n", rc); > + return gnutls_assert_val(GNUTLS_E_TPM_ERROR); > + } > + rc = Esys_CreatePrimary(ctx, hierarchy, > + ESYS_TR_PASSWORD, ESYS_TR_NONE, ESYS_TR_NONE, > + &primary_sensitive, > + info->pub.publicArea.type == TPM2_ALG_RSA ? > + &primary_template_rsa : OK, I've reverted it back to use ECC primary and also check capabilities as in tpm2-tss-engine. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1460#note_705545575 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun Oct 17 09:37:27 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Sun, 17 Oct 2021 07:37:27 +0000 Subject: [gnutls-devel] GnuTLS | Supporting SSL_CERT_DIR and SSL_CERT_FILE (#1279) In-Reply-To: References: Message-ID: Daiki Ueno commented: Thank you for the proposal. While I don't strongly oppose, I would rather avoid adding new envvars that affect the library behavior unless they are really commonly used. I still wonder why this can't be addressed in the application side, like using the `gnutls_x509_trust_list_t` object, which provides much more flexibility and even allows you to configure PKCS#11 backed store, which can be easily managed through the [trust](https://p11-glue.github.io/p11-glue/p11-kit/manual/trust.html) command. cc @civodul. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1279#note_705626500 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun Oct 17 09:44:09 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Sun, 17 Oct 2021 07:44:09 +0000 Subject: [gnutls-devel] GnuTLS | Build of samba-4.15.0 on Linux for x86_64 target is failing with gnutls (#1278) In-Reply-To: References: Message-ID: Daiki Ueno commented: @debananda.pal sorry for the delay. I see some useful information we had in the private conversation are omitted in the description: - this is a cross build - if gnutls is compiled without `--enable-fips140-mode`, the Samba build succeeds, but the test fails It would be nice if you can attach the scripts / logs you sent me, or I can do it if you want. @cryptomilk any idea on the Samba front? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1278#note_705627106 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun Oct 17 09:55:30 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Sun, 17 Oct 2021 07:55:30 +0000 Subject: [gnutls-devel] GnuTLS | Git access issues due to long CA bundle filename (#1280) In-Reply-To: References: Message-ID: Daiki Ueno commented: Thank you for the report. I think on Ubuntu, GnuTLS should follow the `_POSIX_PATH_MAX` (= 256), so I wonder why it's truncated so short. In any case we should at least check the [truncation](https://gitlab.com/gnutls/gnutls/-/blob/master/lib/x509/verify-high2.c#L409) in the library and print useful diagnostics... -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1280#note_705628124 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun Oct 17 14:31:29 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Sun, 17 Oct 2021 12:31:29 +0000 Subject: [gnutls-devel] GnuTLS | x86(_64): CPU feature detection broken (#1282) References: Message-ID: Rafael Gieschke created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1282 If you try to run GnuTLS on a Linux kernel with the `noxsave` [command-line parameter](https://www.kernel.org/doc/html/latest/admin-guide/kernel-parameters.html) set, it will (on CPUs with AVX2) be terminated with `SIGILL` at the `verzoupper` instruction in . The reason is that `_gnutls_x86_cpuid_s` is not calculated like [`sha256_block_data_order`](https://gitlab.com/gnutls/gnutls/-/blob/9571f3a9e202ca2eeb369bb320bb93b638bb718c/lib/accelerated/x86/elf/sha256-ssse3-x86_64.s#L48) expects it to be. In OpenSSL, `OPENSSL_ia32cap_P[4]` is essentially `= {CPUID.1:EDX, CPUID.1:ECX, CPUID.7:EBX, CPUID.7:ECX}` **but** with some heavy modifications (in assembly) done afterwards: . There is a more readable C version of the same code with explanations in BoringSSL: , . ## Bugs in GnuTLS 1. [`read_cpuid_vals()`](https://gitlab.com/gnutls/gnutls/-/blob/9571f3a9e202ca2eeb369bb320bb93b638bb718c/lib/accelerated/x86/x86-common.c#L130) mixes up CPUID.1:EDX with CPUID.1:EBX, so that `_gnutls_x86_cpuid_s[0] = CPUID.1:EBX` instead of `= CPUID.1:EDX`. 2. [`read_cpuid_vals()`](https://gitlab.com/gnutls/gnutls/-/blob/9571f3a9e202ca2eeb369bb320bb93b638bb718c/lib/accelerated/x86/x86-common.c#L125) does neither check the OSXSAVE bit nor does it apply the other modifications done by the upstream code, e.g., it does not set `_gnutls_x86_cpuid_s[0] & (1 << 30)` on Intel CPUs (this bit originally was the ["IA64 processor emulating x86" bit](https://en.wikipedia.org/wiki/CPUID#EAX=1:_Processor_Info_and_Feature_Bits), is currently reserved (0) on current Intel CPUs and is (ab)used by the upstream code to indicate **any** Intel CPU). 3. This results in [`sha256_block_data_order`](https://gitlab.com/gnutls/gnutls/-/blob/9571f3a9e202ca2eeb369bb320bb93b638bb718c/lib/accelerated/x86/elf/sha256-ssse3-x86_64.s#L48) (and other function) not following Intel's specified way to check for AVX(2/-512) support (i.e., check the OSXSAVE bit first): . If a CPU supports AVX(2/-512) but the operating system does not (e.g., Linux with `noxsave`), this will, thus, cause SIGILL. 4. Not setting the Intel CPU bit (even if `read_cpuid_vals()` was fixed to set `_gnutls_x86_cpuid_s[0] = CPUID.1:EDX`), probably results in the AVX (without AVX2) code path's never being taken (https://gitlab.com/gnutls/gnutls/-/blob/9571f3a9e202ca2eeb369bb320bb93b638bb718c/lib/accelerated/x86/elf/sha256-ssse3-x86_64.s#L57 checks `_gnutls_x86_cpuid_s[0]` for `1073741824 == 1 << 30`). -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1282 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun Oct 17 19:54:37 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Sun, 17 Oct 2021 17:54:37 +0000 Subject: [gnutls-devel] GnuTLS | Build errors with MinGW (#1283) References: Message-ID: Tim R?hsen created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1283 ``` make[5]: Entering directory '/usr/local/gnutls/lib/x509' CC common.lo CC key_encode.lo CC key_decode.lo CC time.lo CC crl.lo CC crl_write.lo CC crq.lo CC dn.lo CC attributes.lo CC prov-seed.lo CC extensions.lo CC mpi.lo CC output.lo CC pkcs12.lo CC pkcs12_bag.lo CC pkcs12_encr.lo CC pkcs7.lo CC pkcs7-attrs.lo CC pkcs7-crypt.lo CC privkey.lo CC privkey_pkcs8.lo CC privkey_pkcs8_pbes1.lo CC privkey_openssl.lo CC hostname-verify.lo CC sign.lo CC verify.lo CC x509.lo CC x509_dn.lo CC x509_write.lo CC name_constraints.lo CC verify-high.lo CC verify-high2.lo CC x509_ext.lo CC email-verify.lo CC pkcs7-output.lo CC spki.lo CC virt-san.lo CC tls_features.lo CC krb5.lo CC ip.lo CC ocsp.lo CC ocsp_output.lo x86_64-w64-mingw32-gcc: fatal error: Killed signal terminated program cc1 compilation terminated. x86_64-w64-mingw32-gcc: fatal error: Killed signal terminated program cc1 compilation terminated. x86_64-w64-mingw32-gcc: fatal error: Killed signal terminated program cc1 compilation terminated. make[5]: *** [Makefile:2241: x509_dn.lo] Error 1 make[5]: *** Waiting for unfinished jobs.... verify-high2.c: In function 'load_dir_certs': make[5]: *** [Makefile:2241: privkey_pkcs8_pbes1.lo] Error 1 verify-high2.c:442:19: warning: cast increases required alignment of target type [-Wcast-align] 442 | dirp = _topendir((_TCHAR*)utf16.data); | ^ make[5]: *** [Makefile:2241: time.lo] Error 1 x86_64-w64-mingw32-gcc: fatal error: Killed signal terminated program cc1 compilation terminated. make[5]: *** [Makefile:2241: privkey.lo] Error 1 privkey_pkcs8.c:1142:13: warning: 'ASN1_TYPE' macro is deprecated, use 'asn1_node' instead. 1142 | _decode_pkcs8_modern_ecdh_key(ASN1_TYPE pkcs8_asn, gnutls_x509_privkey_t pkey, const char *oid) | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ x86_64-w64-mingw32-gcc: fatal error: Killed signal terminated program cc1 compilation terminated. ``` Not sure why these warnings let the build fail at all. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1283 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Oct 18 10:49:54 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Mon, 18 Oct 2021 08:49:54 +0000 Subject: [gnutls-devel] GnuTLS | Supporting SSL_CERT_DIR and SSL_CERT_FILE (#1279) In-Reply-To: References: Message-ID: civodul commented: Hi @dueno & @roelj, Applications can definitely live without any environment variable being honored by the library itself. That's what they do already, usually defining their own environment variables: `GIT_SSL_CAINFO` for Git, `CURL_CA_BUNDLE` for cURL, `SSL_CERT_DIR` and `SSL_CERT_FILE` for Guix (same name as the OpenSSL variables), etc. An argument in favor of having an environment variable honored by GnuTLS itself is that it would unify this and provide a sane default behavior for applications. HTH! -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1279#note_706061694 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Oct 18 11:52:12 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Mon, 18 Oct 2021 09:52:12 +0000 Subject: [gnutls-devel] GnuTLS | devel: move .abi files into a separate repository (!1478) References: Message-ID: Daiki Ueno created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1478 Project:Branches: dueno/gnutls:wip/dueno/abi-dump to gnutls/gnutls:master Author: Daiki Ueno Changes to the .abi files are a bit too noisy to track in the main repository. This moves the files out of this repository and embed it as a git submodule. ## Checklist * [x] Commits have `Signed-off-by:` with name/author being identical to the commit author * [ ] Code modified for feature * [ ] Test suite updated with functionality tests * [ ] Test suite updated with negative tests * [ ] Documentation updated / NEWS entry present (for non-trivial changes) * [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout) ## Reviewer's checklist: * [ ] Any issues marked for closing are addressed * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md` * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1478 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Oct 18 18:04:23 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Mon, 18 Oct 2021 16:04:23 +0000 Subject: [gnutls-devel] GnuTLS | Build errors with MinGW (#1283) In-Reply-To: References: Message-ID: Daiki Ueno commented: Could you provide more details on the toolchain? Because mingw build in the CI is actually succeeding... -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1283#note_706674153 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Oct 18 18:13:38 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Mon, 18 Oct 2021 16:13:38 +0000 Subject: [gnutls-devel] GnuTLS | Supporting SSL_CERT_DIR and SSL_CERT_FILE (#1279) In-Reply-To: References: Message-ID: Daiki Ueno commented: @civodul thanks for the input. One suggestion on the implementation: be careful about thread safety; it would probably be the best to read it in the ELF constructor `gnutls_global_init` only once. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1279#note_706682807 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Oct 19 12:05:24 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 19 Oct 2021 10:05:24 +0000 Subject: [gnutls-devel] GnuTLS | ktls: basic implementation of SW mode (!1451) In-Reply-To: References: Message-ID: All discussions on merge request !1451 were resolved by Franti?ek Kren?elok https://gitlab.com/gnutls/gnutls/-/merge_requests/1451 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1451 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Oct 19 12:21:11 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 19 Oct 2021 10:21:11 +0000 Subject: [gnutls-devel] GnuTLS | Supporting SSL_CERT_DIR and SSL_CERT_FILE (#1279) In-Reply-To: References: Message-ID: civodul commented: @dueno Thanks for the suggestion. Just to be clear though: I don't plan to work on it. :-) -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1279#note_707485203 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Oct 19 15:12:40 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 19 Oct 2021 13:12:40 +0000 Subject: [gnutls-devel] GnuTLS | devel: move .abi files into a separate repository (!1478) In-Reply-To: References: Message-ID: Merge request !1478 was closed by Franti?ek Kren?elok Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1478 Project:Branches: dueno/gnutls:wip/dueno/abi-dump to gnutls/gnutls:master Author: Daiki Ueno Assignees: Reviewers: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1478 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Oct 19 15:13:06 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 19 Oct 2021 13:13:06 +0000 Subject: [gnutls-devel] GnuTLS | devel: move .abi files into a separate repository (!1478) In-Reply-To: References: Message-ID: Merge request !1478 was reopened by Franti?ek Kren?elok Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1478 Project:Branches: dueno/gnutls:wip/dueno/abi-dump to gnutls/gnutls:master Author: Daiki Ueno Assignees: Reviewers: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1478 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Oct 19 15:16:58 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 19 Oct 2021 13:16:58 +0000 Subject: [gnutls-devel] GnuTLS | devel: move .abi files into a separate repository (!1478) In-Reply-To: References: Message-ID: Merge request !1478 was merged Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1478 Project:Branches: dueno/gnutls:wip/dueno/abi-dump to gnutls/gnutls:master Author: Daiki Ueno Assignees: Reviewers: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1478 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Oct 19 16:34:33 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 19 Oct 2021 14:34:33 +0000 Subject: [gnutls-devel] GnuTLS | Port openconnect TPM2 code (!1460) In-Reply-To: References: Message-ID: Daiki Ueno commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/1460#note_707854277 I see in the [architecture document](https://trustedcomputinggroup.org/wp-content/uploads/TPM-Rev-2.0-Part-1-Architecture-01.38.pdf) there are mentions of `TPM_ALG_RSASSA` and `TPM_ALG_RSAPSS`. Although I'm not sure if they are widely supported, fallback sounds like a good idea. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1460#note_707854277 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Oct 19 16:45:32 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 19 Oct 2021 14:45:32 +0000 Subject: [gnutls-devel] GnuTLS | ktls: basic implementation of SW mode (!1451) In-Reply-To: References: Message-ID: Merge request !1451 was approved by Daiki Ueno Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1451 Project:Branches: FrantisekKrenzelok/gnutls:ktls to gnutls/gnutls:master Author: Franti?ek Kren?elok Assignees: Reviewers: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1451 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Oct 19 16:48:48 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 19 Oct 2021 14:48:48 +0000 Subject: [gnutls-devel] GnuTLS | ktls: basic implementation of SW mode (!1451) In-Reply-To: References: Message-ID: Daiki Ueno commented: Looks good to me; please set a longer timeout for the CI: https://docs.gitlab.com/ee/ci/pipelines/settings.html#set-a-limit-for-how-long-jobs-can-run and it should be ready for merge. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1451#note_707874180 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Oct 20 08:36:46 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 20 Oct 2021 06:36:46 +0000 Subject: [gnutls-devel] GnuTLS | ktls: basic implementation of SW mode (!1451) In-Reply-To: References: Message-ID: Merge request !1451 was merged Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1451 Project:Branches: FrantisekKrenzelok/gnutls:ktls to gnutls/gnutls:master Author: Franti?ek Kren?elok Assignees: Reviewers: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1451 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Oct 20 08:52:29 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 20 Oct 2021 06:52:29 +0000 Subject: [gnutls-devel] GnuTLS | FIPS: Missing self-tests for SHAKE256 (#1284) References: Message-ID: Daiki Ueno created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1284 FIPS140-3 IG [10.3.A](https://csrc.nist.gov/CSRC/media/Projects/cryptographic-module-validation-program/documents/fips%20140-3/FIPS%20140-3%20IG.pdf#page=56) mentions: > if the module implements SHA-3 permutation-based and/or extendable-output functions (see IG C.C and FIPS 202): > * At the minimum, the cryptographic module shall perform a CAST for one of the functions defined in FIPS 202: SHA3-224, SHA3-256, SHA3-384, SHA3-512, SHAKE128 and SHAKE256, no matter how many of these functions the module may be designed to use. GnuTLS currently doesn't perform self-tests for SHAKE256 while it's provided. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1284 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Oct 20 09:39:29 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 20 Oct 2021 07:39:29 +0000 Subject: [gnutls-devel] GnuTLS | Port openconnect TPM2 code (!1460) In-Reply-To: References: Message-ID: Daiki Ueno commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/1460#note_708755473 Further detail of these algorithms is described in the [structure document](https://trustedcomputinggroup.org/wp-content/uploads/TPM-Rev-2.0-Part-2-Structures-01.38.pdf): > For the TPM_ALG_RSAPSS signing scheme, the same hash algorithm is used for digesting TPM- generated data (an attestation structure) and in the KDF used for the masking operation. The salt size is always the largest salt value that will fit into the available space. This means that the algorithm cannot be used for TLS 1.3, where the salt size equals to the hash digest size. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1460#note_708755473 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Oct 20 11:29:31 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 20 Oct 2021 09:29:31 +0000 Subject: [gnutls-devel] GnuTLS | ktls: API (!1477) In-Reply-To: References: Message-ID: Daiki Ueno commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/1477#note_708886181 Sounds like a sensible design to me. As we briefly discussed yesterday, it might make sense to have a function to wrap `sendfile` call so the application doesn't need to deal with the transport socket. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1477#note_708886181 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Oct 20 11:57:40 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 20 Oct 2021 09:57:40 +0000 Subject: [gnutls-devel] GnuTLS | ktls: API (!1477) In-Reply-To: References: Message-ID: Daniel P_ Berrang? started a new discussion on lib/system/ktls.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1477#note_708918978 > + * Since: 3.7.2 > + **/ > +int gnutls_ktls_enable(gnutls_session_t session, int sockin, int sockout) > +{ > + if (setsockopt (sockin, SOL_TCP, TCP_ULP, "tls", sizeof ("tls")) < 0) > + return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR); > + > + session->internals.recv_fd = sockin; > + session->internals.send_fd = sockin; > + > + if (sockin != sockout){ > + if (setsockopt (sockout, SOL_TCP, TCP_ULP, "tls", sizeof ("tls")) < 0) > + return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR); > + session->internals.send_fd = sockout; > + } > + The caller of this method ignores the error return value and carries on with the intent to doing userspace TLS. In the 2 file descriptor case, the code here allows for the scenario that the first FD gets kTLS enabled, but the second FD fails to get it enabled. So the caller could end up carrying on with usrspace TLS, despite 1 of the 2 FDs having kTLS enabled. Admittedly it is pretty unlikely that we'd get into this situation, but from a code robustness POV, I think we ought to handle that, by disabling kTLS on the first FD again if the second fails to enable it. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1477#note_708918978 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Oct 20 13:58:22 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 20 Oct 2021 11:58:22 +0000 Subject: [gnutls-devel] GnuTLS | Port openconnect TPM2 code (!1460) In-Reply-To: References: Message-ID: David Woodhouse commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/1460#note_709060750 That means you can't use TPM sign-only keys for TLSv1.3; you can only use unrestricted keys, do the padding for yourself and ask the TPM to *decrypt* (as we do at the moment). Yes? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1460#note_709060750 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Oct 20 14:57:02 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 20 Oct 2021 12:57:02 +0000 Subject: [gnutls-devel] GnuTLS | Draft: make insecure-hash filter out ciphersuites on ->prf as well (!1479) References: Message-ID: Alexander Sosedkin created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1479 Project:Branches: asosedkin/gnutls:wip/asosedki/hash-filters-prf to gnutls/gnutls:master Author: Alexander Sosedkin `insecure-hash = sha384` didn't prevent ciphersuites using GNUTLS_MAC_SHA384 as `->prf` from being considered. This change adds a test to illustrate the issue and suggests a solution for filtering on `->prf` as well. I'm unsure about the best way of converting macs to digests, please advise. All kinds of feedback's welcome, from subject matter to style nuances. ## Checklist * [x] Commits have `Signed-off-by:` with name/author being identical to the commit author * [x] Code modified for feature * [x] Test suite updated with functionality tests * [x] Test suite updated with negative tests * [ ] Documentation updated / NEWS entry present (for non-trivial changes) * [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout) ## Reviewer's checklist: * [ ] Any issues marked for closing are addressed * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md` * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1479 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Oct 20 15:23:45 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 20 Oct 2021 13:23:45 +0000 Subject: [gnutls-devel] GnuTLS | Draft: make insecure-hash filter out ciphersuites on ->prf as well (!1479) In-Reply-To: References: Message-ID: Daiki Ueno started a new discussion on lib/priority.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1479#note_709183724 > } > } > > +static gnutls_digest_algorithm_t digest_by_mac(gnutls_mac_algorithm_t mac) { `MAC_TO_DIG`? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1479#note_709183724 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Oct 20 16:17:50 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 20 Oct 2021 14:17:50 +0000 Subject: [gnutls-devel] GnuTLS | Draft: make insecure-hash filter out ciphersuites on ->prf as well (!1479) In-Reply-To: References: Message-ID: All discussions on merge request !1479 were resolved by Alexander Sosedkin https://gitlab.com/gnutls/gnutls/-/merge_requests/1479 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1479 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Oct 20 16:17:51 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 20 Oct 2021 14:17:51 +0000 Subject: [gnutls-devel] GnuTLS | Draft: make insecure-hash filter out ciphersuites on ->prf as well (!1479) In-Reply-To: References: Message-ID: Alexander Sosedkin commented on a discussion on lib/priority.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1479#note_709267666 > } > } > > +static gnutls_digest_algorithm_t digest_by_mac(gnutls_mac_algorithm_t mac) { *facepalm* thank you, IDK how I missed this. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1479#note_709267666 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Oct 20 16:18:22 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 20 Oct 2021 14:18:22 +0000 Subject: [gnutls-devel] GnuTLS | make insecure-hash filter out ciphersuites on ->prf as well (!1479) In-Reply-To: References: Message-ID: Alexander Sosedkin changed the draft status of merge request !1479 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1479 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Oct 20 16:19:26 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 20 Oct 2021 14:19:26 +0000 Subject: [gnutls-devel] GnuTLS | make insecure-hash filter out ciphersuites on ->prf as well (!1479) In-Reply-To: References: Message-ID: Alexander Sosedkin commented: Removing `Draft:` because code's probably fine; concerns remain on 1) whether it's the right thing to do in general 2) the documentation side. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1479#note_709269779 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Oct 20 17:21:12 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 20 Oct 2021 15:21:12 +0000 Subject: [gnutls-devel] GnuTLS | make insecure-hash filter out ciphersuites on ->prf as well (!1479) In-Reply-To: References: Message-ID: Merge request https://gitlab.com/gnutls/gnutls/-/merge_requests/1479 was reviewed by Daiki Ueno -- Daiki Ueno started a new discussion on lib/priority.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1479#note_709355079 > for (j=0;j_cipher.num_priorities;j++) { > for (z=0;z_mac.num_priorities;z++) { > + if (priority_cache->cs.size == MAX_CIPHERSUITE_SIZE) Is my understanding correct that this is expanded like this to avoid the unnecessary call to `cipher_suite_get`? As I expect the compiler would do this kind of job as part of optimization, I would suggest moving this `if` to [line 1698](https://gitlab.com/gnutls/gnutls/-/merge_requests/1479/diffs#dc3111175f1ef48ddba45e288e07e48088695bdb_1689_1698), as it would be a little clearer why `cs.size` is checked. -- Daiki Ueno started a new discussion on lib/priority.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1479#note_709355086 > for (j=0;j_cipher.num_priorities;j++) { > for (z=0;z_mac.num_priorities;z++) { > + if (priority_cache->cs.size == MAX_CIPHERSUITE_SIZE) Same here. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1479 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Oct 20 17:25:04 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 20 Oct 2021 15:25:04 +0000 Subject: [gnutls-devel] GnuTLS | make insecure-hash filter out ciphersuites on ->prf as well (!1479) In-Reply-To: References: Message-ID: Daiki Ueno commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/1479#note_709360402 Thank you for this! As for (1) I would say it is the right thing to do, because PRF is used to derive keys so the system-wide setting should affect the filtering. For (2), maybe good to add a NEWS entry as it potentially break backward compatibility? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1479#note_709360402 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Oct 20 17:38:52 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 20 Oct 2021 15:38:52 +0000 Subject: [gnutls-devel] GnuTLS | make insecure-hash filter out ciphersuites on ->prf as well (!1479) In-Reply-To: References: Message-ID: Merge request https://gitlab.com/gnutls/gnutls/-/merge_requests/1479 was reviewed by Alexander Sosedkin -- Alexander Sosedkin commented on a discussion on lib/priority.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1479#note_709377516 > for (j=0;j_cipher.num_priorities;j++) { > for (z=0;z_mac.num_priorities;z++) { > + if (priority_cache->cs.size == MAX_CIPHERSUITE_SIZE) There's also `digest_is_insecure`, a loop from a separate compilation unit that I'm less optimistic about being optimized out. But I agree, hoisting this check hurt readability for no noticeable readability benefits, moving it down. -- Alexander Sosedkin commented on a discussion on lib/priority.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1479#note_709377520 > for (j=0;j_cipher.num_priorities;j++) { > for (z=0;z_mac.num_priorities;z++) { > + if (priority_cache->cs.size == MAX_CIPHERSUITE_SIZE) Same a above. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1479 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Oct 20 17:53:53 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 20 Oct 2021 15:53:53 +0000 Subject: [gnutls-devel] GnuTLS | make insecure-hash filter out ciphersuites on ->prf as well (!1479) In-Reply-To: References: Message-ID: All discussions on merge request !1479 were resolved by Alexander Sosedkin https://gitlab.com/gnutls/gnutls/-/merge_requests/1479 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1479 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Oct 20 17:53:53 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 20 Oct 2021 15:53:53 +0000 Subject: [gnutls-devel] GnuTLS | make insecure-hash filter out ciphersuites on ->prf as well (!1479) In-Reply-To: References: Message-ID: Alexander Sosedkin commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/1479#note_709395261 I agree, added a NEWS entry. Hope we won't need more for a "bring in line with docs" change. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1479#note_709395261 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Oct 20 19:29:21 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 20 Oct 2021 17:29:21 +0000 Subject: [gnutls-devel] GnuTLS | make insecure-hash filter out ciphersuites on ->prf as well (!1479) In-Reply-To: References: Message-ID: Daiki Ueno started a new discussion on lib/priority.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1479#note_709476584 > priority_cache->_mac.priorities[z]); > + if (ce == NULL) > + continue; > > - if (ce != NULL && priority_cache->cs.size < MAX_CIPHERSUITE_SIZE) { > - priority_cache->cs.entry[priority_cache->cs.size++] = ce; > - } > + prf_digest = MAC_TO_DIG(ce->prf); > + if (prf_digest == GNUTLS_DIG_UNKNOWN) > + continue; > + if (_gnutls_digest_is_insecure(prf_digest)) > + continue; > + > + if (priority_cache->cs.size == MAX_CIPHERSUITE_SIZE) > + continue; > + priority_cache->cs.entry[priority_cache->cs.size++] = ce; Sorry for being picky, but this could be: ```suggestion:-2+0 if (priority_cache->cs.size == MAX_CIPHERSUITE_SIZE) priority_cache->cs.entry[priority_cache->cs.size++] = ce; ``` -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1479#note_709476584 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Oct 20 20:02:27 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 20 Oct 2021 18:02:27 +0000 Subject: [gnutls-devel] GnuTLS | make insecure-hash filter out ciphersuites on ->prf as well (!1479) In-Reply-To: References: Message-ID: Alexander Sosedkin commented on a discussion on lib/priority.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1479#note_709501376 > priority_cache->_mac.priorities[z]); > + if (ce == NULL) > + continue; > > - if (ce != NULL && priority_cache->cs.size < MAX_CIPHERSUITE_SIZE) { > - priority_cache->cs.entry[priority_cache->cs.size++] = ce; > - } > + prf_digest = MAC_TO_DIG(ce->prf); > + if (prf_digest == GNUTLS_DIG_UNKNOWN) > + continue; > + if (_gnutls_digest_is_insecure(prf_digest)) > + continue; > + > + if (priority_cache->cs.size == MAX_CIPHERSUITE_SIZE) > + continue; > + priority_cache->cs.entry[priority_cache->cs.size++] = ce; No problem, I've specifically asked for that. Updated. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1479#note_709501376 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Oct 20 20:02:26 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 20 Oct 2021 18:02:26 +0000 Subject: [gnutls-devel] GnuTLS | make insecure-hash filter out ciphersuites on ->prf as well (!1479) In-Reply-To: References: Message-ID: All discussions on merge request !1479 were resolved by Alexander Sosedkin https://gitlab.com/gnutls/gnutls/-/merge_requests/1479 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1479 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Oct 20 20:55:07 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 20 Oct 2021 18:55:07 +0000 Subject: [gnutls-devel] GnuTLS | make insecure-hash filter out ciphersuites on ->prf as well (!1479) In-Reply-To: References: Message-ID: Merge request !1479 was approved by Daiki Ueno Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1479 Project:Branches: asosedkin/gnutls:wip/asosedki/hash-filters-prf to gnutls/gnutls:master Author: Alexander Sosedkin Assignees: Reviewers: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1479 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Oct 20 20:55:10 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 20 Oct 2021 18:55:10 +0000 Subject: [gnutls-devel] GnuTLS | make insecure-hash filter out ciphersuites on ->prf as well (!1479) In-Reply-To: References: Message-ID: Merge request !1479 was scheduled to merge after pipeline succeeds by Daiki Ueno Merge request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1479 Project:Branches: asosedkin/gnutls:wip/asosedki/hash-filters-prf to gnutls/gnutls:master Author: Alexander Sosedkin Assignees: Reviewers: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1479 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Oct 21 06:09:33 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Thu, 21 Oct 2021 04:09:33 +0000 Subject: [gnutls-devel] GnuTLS | make insecure-hash filter out ciphersuites on ->prf as well (!1479) In-Reply-To: References: Message-ID: Daiki Ueno started a new discussion on lib/priority.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1479#note_709790051 > - have_ec = 1; > - add_ec(priority_cache); > - } > - if (!have_dh && _gnutls_kx_is_dhe(ce->kx_algorithm)) { > - have_dh = 1; > - add_dh(priority_cache); > - } > + prf_digest = MAC_TO_DIG(ce->prf); > + if (prf_digest == GNUTLS_DIG_UNKNOWN) > + continue; > + if (_gnutls_digest_is_insecure(prf_digest)) > + continue; > + > + if (priority_cache->cs.size == MAX_CIPHERSUITE_SIZE) > + continue; > + priority_cache->cs.entry[priority_cache->cs.size++] = ce; While the CI is blocking merge, here is one more: ```suggestion:-2+0 if (priority_cache->cs.size < MAX_CIPHERSUITE_SIZE) priority_cache->cs.entry[priority_cache->cs.size++] = ce; ``` -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1479#note_709790051 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Oct 21 09:50:35 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Thu, 21 Oct 2021 07:50:35 +0000 Subject: [gnutls-devel] GnuTLS | make insecure-hash filter out ciphersuites on ->prf as well (!1479) In-Reply-To: References: Message-ID: Alexander Sosedkin commented on a discussion on lib/priority.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1479#note_709953205 > - have_ec = 1; > - add_ec(priority_cache); > - } > - if (!have_dh && _gnutls_kx_is_dhe(ce->kx_algorithm)) { > - have_dh = 1; > - add_dh(priority_cache); > - } > + prf_digest = MAC_TO_DIG(ce->prf); > + if (prf_digest == GNUTLS_DIG_UNKNOWN) > + continue; > + if (_gnutls_digest_is_insecure(prf_digest)) > + continue; > + > + if (priority_cache->cs.size == MAX_CIPHERSUITE_SIZE) > + continue; > + priority_cache->cs.entry[priority_cache->cs.size++] = ce; Not really, I don't want the following lines to trigger (and the nesting's already deep enough around here). -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1479#note_709953205 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Oct 21 10:26:00 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Thu, 21 Oct 2021 08:26:00 +0000 Subject: [gnutls-devel] GnuTLS | make insecure-hash filter out ciphersuites on ->prf as well (!1479) In-Reply-To: References: Message-ID: Daiki Ueno commented on a discussion on lib/priority.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1479#note_710009717 > - have_ec = 1; > - add_ec(priority_cache); > - } > - if (!have_dh && _gnutls_kx_is_dhe(ce->kx_algorithm)) { > - have_dh = 1; > - add_dh(priority_cache); > - } > + prf_digest = MAC_TO_DIG(ce->prf); > + if (prf_digest == GNUTLS_DIG_UNKNOWN) > + continue; > + if (_gnutls_digest_is_insecure(prf_digest)) > + continue; > + > + if (priority_cache->cs.size == MAX_CIPHERSUITE_SIZE) > + continue; > + priority_cache->cs.entry[priority_cache->cs.size++] = ce; Ah, sorry; missed that. Looks good to me. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1479#note_710009717 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Oct 21 10:26:01 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Thu, 21 Oct 2021 08:26:01 +0000 Subject: [gnutls-devel] GnuTLS | make insecure-hash filter out ciphersuites on ->prf as well (!1479) In-Reply-To: References: Message-ID: All discussions on merge request !1479 were resolved by Daiki Ueno https://gitlab.com/gnutls/gnutls/-/merge_requests/1479 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1479 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Oct 21 10:47:59 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Thu, 21 Oct 2021 08:47:59 +0000 Subject: [gnutls-devel] GnuTLS | make insecure-hash filter out ciphersuites on ->prf as well (!1479) In-Reply-To: References: Message-ID: Alexander Sosedkin commented: Rebased to pass CI... -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1479#note_710043779 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Oct 21 10:50:49 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Thu, 21 Oct 2021 08:50:49 +0000 Subject: [gnutls-devel] GnuTLS | make insecure-hash filter out ciphersuites on ->prf as well (!1479) In-Reply-To: References: Message-ID: Merge request !1479 was scheduled to merge after pipeline succeeds by Daiki Ueno Merge request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1479 Project:Branches: asosedkin/gnutls:wip/asosedki/hash-filters-prf to gnutls/gnutls:master Author: Alexander Sosedkin Assignees: Reviewers: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1479 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Oct 21 12:56:09 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Thu, 21 Oct 2021 10:56:09 +0000 Subject: [gnutls-devel] GnuTLS | make insecure-hash filter out ciphersuites on ->prf as well (!1479) In-Reply-To: References: Message-ID: Merge request !1479 was merged Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1479 Project:Branches: asosedkin/gnutls:wip/asosedki/hash-filters-prf to gnutls/gnutls:master Author: Alexander Sosedkin Assignees: Reviewers: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1479 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Oct 21 17:25:29 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Thu, 21 Oct 2021 15:25:29 +0000 Subject: [gnutls-devel] GnuTLS | WIP: .gitlab-ci.yml: add caching to cppcheck (!1480) References: Message-ID: Alexander Sosedkin created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1480 Project:Branches: asosedkin/gnutls:wip/asosedki/gitlab-ci-speed-up-cppcheck to gnutls/gnutls:master Author: Alexander Sosedkin Add naive cppcheck caching, it's currently the longest step. WIP because I see something more complicated about the compilation ccache versioning, so I'd like to first discuss whether the same's needed for cppcheck's. ## Checklist * [x] Commits have `Signed-off-by:` with name/author being identical to the commit author * [ ] Code modified for feature * [ ] Test suite updated with functionality tests * [ ] Test suite updated with negative tests * [ ] Documentation updated / NEWS entry present (for non-trivial changes) * [x] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout) ## Reviewer's checklist: * [ ] Any issues marked for closing are addressed * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md` * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1480 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Oct 26 09:30:42 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 26 Oct 2021 07:30:42 +0000 Subject: [gnutls-devel] GnuTLS | devel: update release procedure taking into account of abi-dump (!1481) References: Message-ID: Daiki Ueno created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1481 Project:Branches: dueno/gnutls:wip/dueno/abi-dump-release to gnutls/gnutls:master Author: Daiki Ueno This is a follow-up of !1478, expanding the release steps to cover the update procedure of abi-dump repository. ## Checklist * [x] Commits have `Signed-off-by:` with name/author being identical to the commit author * [ ] Code modified for feature * [ ] Test suite updated with functionality tests * [ ] Test suite updated with negative tests * [ ] Documentation updated / NEWS entry present (for non-trivial changes) * [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout) ## Reviewer's checklist: * [ ] Any issues marked for closing are addressed * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md` * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1481 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Oct 27 16:04:44 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 27 Oct 2021 14:04:44 +0000 Subject: [gnutls-devel] GnuTLS | .gitlab-ci.yml: add caching to cppcheck (!1480) In-Reply-To: References: Message-ID: Alexander Sosedkin changed the draft status of merge request !1480 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1480 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Oct 27 16:06:33 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 27 Oct 2021 14:06:33 +0000 Subject: [gnutls-devel] GnuTLS | .gitlab-ci.yml: add caching to cppcheck (!1480) In-Reply-To: References: Message-ID: Alexander Sosedkin commented: Removed the WIP. I probably misunderstood/overthought the cache invalidation aspect. My current understanding is we can simply add/bump [`key:`](https://docs.gitlab.com/ee/ci/caching/#clear-the-cache-by-changing-cachekey) when the need arises. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1480#note_716060450 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Oct 28 12:48:14 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Thu, 28 Oct 2021 10:48:14 +0000 Subject: [gnutls-devel] GnuTLS | "The certificate is NOT trusted. The certificate issuer is unknown." for let's encrypt cert on irc.sekrit.org (#1285) References: Message-ID: Julian Andres Klode created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1285 Trying to connect to irc.sekrit.org port 994 fails: ``` $ gnutls-cli irc.sekrit.org -p 994 Processed 128 CA certificate(s). Resolving 'irc.sekrit.org:994'... Connecting to '34.86.153.216:994'... - Successfully sent 0 certificate(s) to server. - Server has requested a certificate. - Certificate type: X.509 - Got a certificate list of 1 certificates. - Certificate[0] info: - subject `CN=irc-new.sekrit.org', issuer `CN=R3,O=Let's Encrypt,C=US', serial 0x035246f14a5f17856da061c4af902569e957, RSA key 2048 bits, signed using RSA-SHA256, activated `2021-08-31 11:04:27 UTC', expires `2021-11-29 11:04:26 UTC', pin-sha256="D4UO7EFocRJUU18myirKrVhOKtVztbnmngql hmVeBp0=" Public Key ID: sha1:98c0e59729d7dab6587779a831fcbc072f0e9021 sha256:0f850eec4168711254535f26ca2acaad584e2ad573b5b9e69e0aa586655e069d Public Key PIN: pin-sha256:D4UO7EFocRJUU18myirKrVhOKtVztbnmngqlhmVeBp0= - Status: The certificate is NOT trusted. The certificate issuer is unknown. *** PKI verification of server certificate failed... *** Fatal error: Error in the certificate. ``` openssl works fine: ``` $ openssl s_client -host irc.sekrit.org -port 994 CONNECTED(00000003) depth=0 CN = irc-new.sekrit.org verify error:num=20:unable to get local issuer certificate verify return:1 depth=0 CN = irc-new.sekrit.org verify error:num=21:unable to verify the first certificate verify return:1 --- Certificate chain 0 s:CN = irc-new.sekrit.org i:C = US, O = Let's Encrypt, CN = R3 --- Server certificate -----BEGIN CERTIFICATE----- MIIFOjCCBCKgAwIBAgISA1JG8UpfF4VtoGHEr5AlaelXMA0GCSqGSIb3DQEBCwUA MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD EwJSMzAeFw0yMTA4MzExMTA0MjdaFw0yMTExMjkxMTA0MjZaMB0xGzAZBgNVBAMT EmlyYy1uZXcuc2Vrcml0Lm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC ggEBAKXJHa2U/7oUNjM8u5cvniV4YHBJpewsKYhsr9cMSsgOT3TYcSxs/xzQwQuR rwRM20nZrNakweRhXS++sFFiVh2fbyWWl3U1i1xDDVenhORkTOZ27ZoG7rJjs/2U fu8BWhMrv8hQrqbpHeLOj7UX2hYackFhxQBkYw91yTFQF/jYVrmOX8OBoBkIXhgF xbe9VUcLh+8U1/Z3qQyI+logrXNz7P2IsqILSOSCd32t1QcVFm0g6ol+kZwe9X/J 5uC5evi1mHdOzTzWZPQM56CYSV89UsoxRF5sVRbiuoyXdEd54/d+2Q7edcgAl61G TkpJDWYBpXpthl4H+uCKEGV3ogUCAwEAAaOCAl0wggJZMA4GA1UdDwEB/wQEAwIF oDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAd BgNVHQ4EFgQUSPtuimutYnXbwL+im0Zmd8ZzBVAwHwYDVR0jBBgwFoAUFC6zF7dY VsuuUAlA5h+vnYsUwsYwVQYIKwYBBQUHAQEESTBHMCEGCCsGAQUFBzABhhVodHRw Oi8vcjMuby5sZW5jci5vcmcwIgYIKwYBBQUHMAKGFmh0dHA6Ly9yMy5pLmxlbmNy Lm9yZy8wLQYDVR0RBCYwJIISaXJjLW5ldy5zZWtyaXQub3Jngg5pcmMuc2Vrcml0 Lm9yZzBMBgNVHSAERTBDMAgGBmeBDAECATA3BgsrBgEEAYLfEwEBATAoMCYGCCsG AQUFBwIBFhpodHRwOi8vY3BzLmxldHNlbmNyeXB0Lm9yZzCCAQQGCisGAQQB1nkC BAIEgfUEgfIA8AB2AFzcQ5L+5qtFRLFemtRW5hA3+9X6R9yhc5SyXub2xw7KAAAB e5wYq9sAAAQDAEcwRQIgCRhIKDaFx5IUOuAT2TdiZYSwunNdE+O/6XyudOBZ+nwC IQC34O9yZusCePy649AmElE9ZSiHCx0gslgOgKEZXBQzmwB2APZclC/RdzAiFFQY CDCUVo7jTRMZM7/fDC8gC8xO8WTjAAABe5wYq9gAAAQDAEcwRQIgDHSdfhycsMVr EPDK+WW9Bs2ctgMMuKpxgwsosTy/JGQCIQDo8thv8yS4cGarSV2KleYJkoWI7gtu B8bUSt7IhZ//UTANBgkqhkiG9w0BAQsFAAOCAQEAi4nL96yScI45iSL75Rdu+DvN utc4ihLMjPWsGHHJOli55FToqlyVV7zUpKjP44bL6Zinwjl5QKzST3EvZwGqIYCM nN+DX/3rSewbqtCzJIQ7BhRPX0re6G+kGC9dq1MJbgZsmK/Kbve08lzme5r2eUBR poBAPRA/pQbmdSJNReWxZAknOeG4bSE4SORP9T9IThTJHblcOYdpZrlSiR86gXYa 4sotBNzEsGGLPuuSaGcfEy4w11jd7jxqwaBc7kL/wDy7SLd+heqx+yoJOocdYH6C ik8B9VaAAv9GSaTAElXqG98ieWYYBESmk4qkWKck6wtfEmoNrEvFpW/2/WDA0w== -----END CERTIFICATE----- subject=CN = irc-new.sekrit.org issuer=C = US, O = Let's Encrypt, CN = R3 --- ``` -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1285 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Oct 28 13:44:54 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Thu, 28 Oct 2021 11:44:54 +0000 Subject: [gnutls-devel] GnuTLS | "The certificate is NOT trusted. The certificate issuer is unknown." for let's encrypt cert on irc.sekrit.org (#1285) In-Reply-To: References: Message-ID: Daiki Ueno commented: "CN=R3,O=Let's Encrypt,C=US" is an [intermediate CA](https://letsencrypt.org/2020/09/17/new-root-and-intermediates.html) and the client needs to retrieve the rest of the certificate chain. In this case, as the server uses the AIA extension for that, you could use the `--ca-auto-retrieve` option: ```console gnutls-cli --ca-auto-retrieve irc.sekrit.org -p 994 ... Connecting to caIssuer server: r3.i.lencr.org... Resolving 'r3.i.lencr.org:80'... Connecting to '2a02:26f0:4700:185::21cc:80'... - Status: The certificate is trusted. - Description: (TLS1.3-X.509)-(ECDHE-SECP256R1)-(RSA-PSS-RSAE-SHA256)-(AES-256-GCM) - Session ID: 83:F4:C0:C1:38:BC:9D:5F:59:48:83:80:4A:C6:37:9A:B5:C2:AB:28:01:C4:88:BF:99:1D:FA:17:15:A1:3B:59 - Options: - Handshake was completed ``` > openssl works fine: Looks like it just continues the handshake ignoring the error (as printed in your log). If you specify `-verify_return_error` the behavior would be different. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1285#note_717191369 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Oct 28 14:49:31 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Thu, 28 Oct 2021 12:49:31 +0000 Subject: [gnutls-devel] GnuTLS | "The certificate is NOT trusted. The certificate issuer is unknown." for let's encrypt cert on irc.sekrit.org (#1285) In-Reply-To: References: Message-ID: Julian Andres Klode commented: So two things on that, that option seems fairly new (it's not on my Ubuntu 20.04 server, but on the 22.04 devel laptop), why is it not the default, and is there anyway to get this working without 3.6.13 without pinning the server cert (which is what I do now in weechat, to be able to connect to the network; and well, I can't find network operators) (I guess I can pin the let's encrypt CA itself?). -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1285#note_717271110 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Oct 28 15:51:29 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Thu, 28 Oct 2021 13:51:29 +0000 Subject: [gnutls-devel] GnuTLS | "The certificate is NOT trusted. The certificate issuer is unknown." for let's encrypt cert on irc.sekrit.org (#1285) In-Reply-To: References: Message-ID: Daiki Ueno commented: Short answer: no. The library doesn't retrieve missing certs by itself but it's a responsibility of applications to implement and set proper callback, respecting user's privacy settings, caching, etc. `gnutls-cli` is merely a test client and it implements the simplest form, so it's disabled by default. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1285#note_717354300 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Oct 28 19:03:01 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Thu, 28 Oct 2021 17:03:01 +0000 Subject: [gnutls-devel] GnuTLS | priority: fix potential race in reloading system-wide config (!1482) References: Message-ID: Daiki Ueno created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1482 Project:Branches: dueno/gnutls:wip/dueno/priority-race to gnutls/gnutls:master Author: Daiki Ueno _gnutls_update_system_priorities is called from gnutls_priority_set* functions when the SYSTEM keyword is used and reads/updates a global variable system_wide_priority_strings. ## Checklist * [x] Commits have `Signed-off-by:` with name/author being identical to the commit author * [ ] Code modified for feature * [ ] Test suite updated with functionality tests * [ ] Test suite updated with negative tests * [ ] Documentation updated / NEWS entry present (for non-trivial changes) * [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout) ## Reviewer's checklist: * [ ] Any issues marked for closing are addressed * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md` * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1482 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Oct 28 19:03:55 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Thu, 28 Oct 2021 17:03:55 +0000 Subject: [gnutls-devel] GnuTLS | .gitlab-ci.yml: add caching to cppcheck (!1480) In-Reply-To: References: Message-ID: Merge request !1480 was approved by Daiki Ueno Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1480 Project:Branches: asosedkin/gnutls:wip/asosedki/gitlab-ci-speed-up-cppcheck to gnutls/gnutls:master Author: Alexander Sosedkin Assignees: Reviewers: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1480 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Oct 28 19:04:13 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Thu, 28 Oct 2021 17:04:13 +0000 Subject: [gnutls-devel] GnuTLS | .gitlab-ci.yml: add caching to cppcheck (!1480) In-Reply-To: References: Message-ID: Merge request !1480 was merged Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1480 Project:Branches: asosedkin/gnutls:wip/asosedki/gitlab-ci-speed-up-cppcheck to gnutls/gnutls:master Author: Alexander Sosedkin Assignees: Reviewers: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1480 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Oct 28 19:04:36 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Thu, 28 Oct 2021 17:04:36 +0000 Subject: [gnutls-devel] GnuTLS | .gitlab-ci.yml: add caching to cppcheck (!1480) In-Reply-To: References: Message-ID: Daiki Ueno commented: Thank you! -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1480#note_717621889 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Oct 29 09:09:57 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 29 Oct 2021 07:09:57 +0000 Subject: [gnutls-devel] GnuTLS | priority: fix potential race in reloading system-wide config (!1482) In-Reply-To: References: Message-ID: Daiki Ueno commented: @asosedkin could you review this? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1482#note_718116618 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Oct 29 10:01:04 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 29 Oct 2021 08:01:04 +0000 Subject: [gnutls-devel] GnuTLS | "The certificate is NOT trusted. The certificate issuer is unknown." for let's encrypt cert on irc.sekrit.org (#1285) In-Reply-To: References: Message-ID: Issue was closed by Daiki Ueno Issue #1285: https://gitlab.com/gnutls/gnutls/-/issues/1285 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1285 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Oct 29 14:54:48 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 29 Oct 2021 12:54:48 +0000 Subject: [gnutls-devel] GnuTLS | priority: fix potential race in reloading system-wide config (!1482) In-Reply-To: References: Message-ID: Alexander Sosedkin commented: LGTM. As you have [rightfully noted](https://bugzilla.redhat.com/show_bug.cgi?id=2012249#c12), there's also write access to `system_wide_priority_strings` in `_gnutls_unload_system_priorities()`, but this is only called from `_gnutls_global_deinit()`, which isn't supposed to be thread-safe. One thing that caught my attention while reviewing this: we also don't clear `system_wide_priority_strings_init` there (or anywhere). That doesn't sound right if one deinits and then reinits, is that a valid scenario? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1482#note_718509521 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Oct 29 14:55:08 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 29 Oct 2021 12:55:08 +0000 Subject: [gnutls-devel] GnuTLS | priority: fix potential race in reloading system-wide config (!1482) In-Reply-To: References: Message-ID: Merge request !1482 was approved by Alexander Sosedkin Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1482 Project:Branches: dueno/gnutls:wip/dueno/priority-race to gnutls/gnutls:master Author: Daiki Ueno Assignees: Reviewers: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1482 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Oct 29 17:54:19 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 29 Oct 2021 15:54:19 +0000 Subject: [gnutls-devel] GnuTLS | priority: fix potential race in reloading system-wide config (!1482) In-Reply-To: References: Message-ID: Daiki Ueno commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/1482#note_718729223 > One thing that caught my attention while reviewing this: we also don't clear system_wide_priority_strings_init there (or anywhere). That doesn't sound right if one deinits and then reinits, is that a valid scenario? Good catch, indeed; I've added a line to clear it before reading the config file. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1482#note_718729223 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Oct 29 19:56:17 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 29 Oct 2021 17:56:17 +0000 Subject: [gnutls-devel] GnuTLS | priority: fix potential race in reloading system-wide config (!1482) In-Reply-To: References: Message-ID: Alexander Sosedkin commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/1482#note_718817137 I didn't mean clearing during initialization until it's consistent, so that catch is yours. I meant the hypothetical case where the library is deinitialized through `gnutls_global_deinit` and the flag isn't cleared. Not sure how supported is to deinit and init again though, but I'd clear it in `_gnutls_unload_system_priorities` nevertheless, just in case. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1482#note_718817137 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat Oct 30 07:05:50 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Sat, 30 Oct 2021 05:05:50 +0000 Subject: [gnutls-devel] GnuTLS | priority: fix potential race in reloading system-wide config (!1482) In-Reply-To: References: Message-ID: Daiki Ueno commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/1482#note_719049633 OK, cleared it in `_gnutls_unload_system_priorities` as well. (Btw, the mention of `_gnutls_unload_system_priorities` in the linked bug was actually a typo of `_gnutls_update_system_priorities` :-) -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1482#note_719049633 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat Oct 30 07:05:56 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Sat, 30 Oct 2021 05:05:56 +0000 Subject: [gnutls-devel] GnuTLS | priority: fix potential race in reloading system-wide config (!1482) In-Reply-To: References: Message-ID: All discussions on merge request !1482 were resolved by Daiki Ueno https://gitlab.com/gnutls/gnutls/-/merge_requests/1482 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1482 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat Oct 30 07:12:03 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Sat, 30 Oct 2021 05:12:03 +0000 Subject: [gnutls-devel] GnuTLS | priority: fix potential race in reloading system-wide config (!1482) In-Reply-To: References: Message-ID: Merge request !1482 was scheduled to merge after pipeline succeeds by Daiki Ueno Merge request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1482 Project:Branches: dueno/gnutls:wip/dueno/priority-race to gnutls/gnutls:master Author: Daiki Ueno Assignees: Reviewers: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1482 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat Oct 30 10:49:29 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Sat, 30 Oct 2021 08:49:29 +0000 Subject: [gnutls-devel] GnuTLS | priority: fix potential race in reloading system-wide config (!1482) In-Reply-To: References: Message-ID: Merge request !1482 was merged Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1482 Project:Branches: dueno/gnutls:wip/dueno/priority-race to gnutls/gnutls:master Author: Daiki Ueno Assignees: Reviewers: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1482 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat Oct 30 17:27:48 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Sat, 30 Oct 2021 15:27:48 +0000 Subject: [gnutls-devel] GnuTLS | priority: remove unnecessary system_wide_priority_strings_init (!1483) References: Message-ID: Daiki Ueno created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1483 Project:Branches: dueno/gnutls:wip/dueno/system_wide_priority_strings_init to gnutls/gnutls:master Author: Daiki Ueno This variable was only for tracking whether `system_wide_priority_strings` is set, which can be simply a NULL check. This is a minor follow-up of !1482. ## Checklist * [x] Commits have `Signed-off-by:` with name/author being identical to the commit author * [ ] Code modified for feature * [ ] Test suite updated with functionality tests * [ ] Test suite updated with negative tests * [ ] Documentation updated / NEWS entry present (for non-trivial changes) * [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout) ## Reviewer's checklist: * [ ] Any issues marked for closing are addressed * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md` * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1483 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat Oct 30 17:28:45 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Sat, 30 Oct 2021 15:28:45 +0000 Subject: [gnutls-devel] GnuTLS | devel: update release procedure taking into account of abi-dump (!1481) In-Reply-To: References: Message-ID: Daiki Ueno commented: Merging as this is a doc-only change. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1481#note_719158880 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat Oct 30 17:28:49 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Sat, 30 Oct 2021 15:28:49 +0000 Subject: [gnutls-devel] GnuTLS | devel: update release procedure taking into account of abi-dump (!1481) In-Reply-To: References: Message-ID: Merge request !1481 was merged Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1481 Project:Branches: dueno/gnutls:wip/dueno/abi-dump-release to gnutls/gnutls:master Author: Daiki Ueno Assignees: Reviewers: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1481 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun Oct 31 14:42:09 2021 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Sun, 31 Oct 2021 13:42:09 +0000 Subject: [gnutls-devel] GnuTLS | GnuTLS: Consider depth-first ("branching") certificate path building strategy (#1286) References: Message-ID: Michael Catanzaro created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1286 ## Description of the feature: Over the past couple years, there have been a series of blog posts highlighting the need for improved certificate path building strategies in TLS libraries. Notably: * Ryan Sleevi ([part one](https://medium.com/@sleevi_/path-building-vs-path-verifying-the-chain-of-pain-9fbab861d7d6), [part two](https://medium.com/@sleevi_/path-building-vs-path-verifying-implementation-showdown-39a9272b2820)) describes a certificate path building strategy based on depth-first search, where path building is part of certificate verification and not a separate initial step in order to ensure the implementation can consider another path if verification of the first path fails. * [Ian Haken](https://netflixtechblog.com/revisiting-bettertls-certificate-path-building-4c978b79843f) introduces a bettertls test server that evaluates the robustness of TLS client path building, and shares the results for GnuTLS and other clients. Here he calls Ryan's strategy "branched" path building. * Scott Helme ([part one](https://scotthelme.co.uk/impending-doom-root-ca-expiring-legacy-clients/), [part two](https://scotthelme.co.uk/complexities-chain-building-ca-infrastructure/), and [part three](https://scotthelme.co.uk/cross-signing-alternate-trust-paths-how-they-work/), [part four](https://scotthelme.co.uk/building-certificate-chains/)) provide additional background and motivation. (Most of this will already be familiar to TLS library developers.) To the best of my knowledge, GnuTLS's current path building strategy is currently sufficient for compatibility with _today's_ web. That said, it would be prudent to consider whether GnuTLS should adopt Ryan's suggested path building strategy, which would allow passing the bettertls tests. This might improve confidence that GnuTLS will be unaffected by _future_ incidents where a large number of websites break after a particular root certificate expiration, similar to #1008. ## Applications that this feature may be relevant to: All ## Is this feature implemented in other libraries (and which) According to [this blog post](https://netflixtechblog.com/revisiting-bettertls-certificate-path-building-4c978b79843f) this path building strategy is implemented by: Rusttls, Go, Java, LibreSSL, Firefox, Chromium Notably not implemented by: OpenSSL, BoringSSL -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1286 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: