From gnutls-devel at lists.gnutls.org Wed Jun 1 00:21:12 2022 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 31 May 2022 22:21:12 +0000 Subject: [gnutls-devel] GnuTLS | Android: undefined reference to rpl_malloc (#1376) In-Reply-To: References: Message-ID: Daiki Ueno commented: I suppose this is most likely in the realm of gnulib and [updating](https://gitlab.com/gnutls/gnutls/-/merge_requests/1509) the submodule might fix the issue. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1376#note_966831271 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Jun 1 11:33:02 2022 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 01 Jun 2022 09:33:02 +0000 Subject: [gnutls-devel] GnuTLS | tests/suite/tls-fuzzer: use more -x/-X instead of -e and less -n (!1593) In-Reply-To: References: Message-ID: Alexander Sosedkin commented: (rebased) -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1593#note_967443937 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Jun 1 14:44:54 2022 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 01 Jun 2022 12:44:54 +0000 Subject: [gnutls-devel] GnuTLS | gnutls 3.7.5 libgnutls-symbols.expsym not in: lib/.libs/libgnutls.30.dylib (#1370) In-Reply-To: References: Message-ID: Clemens Lang commented: What I've found out so far: ``` $ nm .libs/libgnutls.30.dylib | grep gnutls_x86_cpuid_s 0000000100024150 s __gnutls_x86_cpuid_s ``` This suggests the symbol is local (denoted by the lowercase s). `nmedit -s` then fails because it expects `__gnutls_x86_cpuid_s` to be global. The symbol comes from `accelerated/.libs/libaccelerated.a`, but it's correct there: ``` nm accelerated/.libs/libaccelerated.a | grep gnutls_x86_cpuid_s accelerated/.libs/libaccelerated.a:cryptodev-gcm.o: no symbols U __gnutls_x86_cpuid_s U __gnutls_x86_cpuid_s U __gnutls_x86_cpuid_s U __gnutls_x86_cpuid_s U __gnutls_x86_cpuid_s 0000000000002900 S __gnutls_x86_cpuid_s ``` As soon as this is linked into a dynamic library, however, the symbol becomes local, even if you don't link anything else: ``` $ /usr/bin/clang -undefined dynamic_lookup -o lib.dylib -Wl,-force_load,accelerated/.libs/libaccelerated.a $ nm lib.dyblib | grep gnutls_x86_cpuid_s 0000000100024150 s __gnutls_x86_cpuid_s ``` I do not yet know why this happens. I cannot reproduce this with a minimal reproducer, either. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1370#note_967730390 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Jun 1 15:45:18 2022 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 01 Jun 2022 13:45:18 +0000 Subject: [gnutls-devel] GnuTLS | gnutls 3.7.5 libgnutls-symbols.expsym not in: lib/.libs/libgnutls.30.dylib (#1370) In-Reply-To: References: Message-ID: Clemens Lang commented: Found it. The problem is that in [lib/accelerated/x86/x86-common.c](/gnutls/gnutls/-/blob/master/lib/accelerated/x86/x86-common.c#L51-56), `_gnutls_x86_cpuid_s` is declared with `__attribute__((visibility("hidden")))` if `__GNUC__` is defined (which clang does afaik). Combine that with [lib/Makefile.am](https://gitlab.com/gnutls/gnutls/-/blob/master/lib/Makefile.am#L219-223), which exports all symbols matching `^(gnutls|_gnutls).*` if `HAVE_LD_VERSION_SCRIPT` is false (which it is on macOS), this attempts to export a hidden symbol, which fails. I see two options: - Don't make `_gnutls_x86_cpuid_s` hidden unless `HAVE_LD_VERSION_SCRIPT` is defined, or - Rename `_gnutls_x86_cpuid_s` to not match the export regex. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1370#note_967832583 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Jun 1 16:12:58 2022 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 01 Jun 2022 14:12:58 +0000 Subject: [gnutls-devel] GnuTLS | tests/suite/tls-fuzzer: use more -x/-X instead of -e and less -n (!1593) In-Reply-To: References: Message-ID: Alexander Sosedkin commented: (restored skipping some tests that occasionally time out, comments are present in json files) -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1593#note_967879788 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Jun 2 11:08:10 2022 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Thu, 02 Jun 2022 09:08:10 +0000 Subject: [gnutls-devel] GnuTLS | Expose a public interface for executing FIPS integrity tests on-demand (#1364) In-Reply-To: References: Message-ID: Stephan Mueller commented: The issue NIST brought up is that the power-cycle operation is not under control of the module, i.e. GnuTLS. Therefore, relying on the "power-cycle" operation is not possible. Even deinitializing and initializing the library is not possible because it involves operations outside of the module (at one time I was suggesting to simply document that one could do a dlopen() of the library and check the result to avoid any changes to the code base of GnuTLS, but this was not considered sufficient because dlopen is not part of the module). Thus, we need an API that allows performing the same self tests as during power up: - integrity check as outlined in the snipped above - crypto algo known-answer tests If the self test fails, the module shall enter the error state (considering that we do not have a degraded mode in GnuTLS). The problem with the functions in `self-test.h` is that they provide the basic test call, but do not (a) have the actual test vector, and (b) do not set the module into error state in case of a failure. Thus, exporting _gnutls_fips_perform_self_checks2 should be the right course of action IMHO. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1364#note_968977732 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Jun 2 11:13:15 2022 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Thu, 02 Jun 2022 09:13:15 +0000 Subject: [gnutls-devel] GnuTLS | tests/suite/tls-fuzzer: use more -x/-X instead of -e and less -n (!1593) In-Reply-To: References: Message-ID: Alexander Sosedkin changed the draft status of merge request !1593 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1593 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Jun 3 09:22:28 2022 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 03 Jun 2022 07:22:28 +0000 Subject: [gnutls-devel] GnuTLS | fips: provide function to manually run FIPS self-tests (!1598) In-Reply-To: References: Message-ID: Reassigned merge request 1598 https://gitlab.com/gnutls/gnutls/-/merge_requests/1598 Assignee changed to Daiki Ueno -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1598 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Jun 3 09:22:29 2022 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 03 Jun 2022 07:22:29 +0000 Subject: [gnutls-devel] GnuTLS | fips: provide function to manually run FIPS self-tests (!1598) References: Message-ID: Daiki Ueno created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1598 Project:Branches: dueno/gnutls:wip/dueno/force-self-test to gnutls/gnutls:master Author: Daiki Ueno Assignee: Daiki Ueno FIPS140-3 IG 10.3.E Periodic Self-Testing says: At security levels 1 and 2, acceptable means for initiating the periodic self-tests include a provided service, resetting, rebooting or power cycling. Neither resetting, rebooting, nor power-cycling is suitable because those involve operations outside of the module. Therefore this patch adds a new API to manually run the substance of FIPS140 self-tests. Suggeested by Richard Costa and Stephan Mueller in: https://gitlab.com/gnutls/gnutls/-/issues/1364 Fixes: #1364 ## Checklist * [x] Commits have `Signed-off-by:` with name/author being identical to the commit author * [x] Code modified for feature * [x] Test suite updated with functionality tests * [ ] Test suite updated with negative tests * [x] Documentation updated / NEWS entry present (for non-trivial changes) * [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout) ## Reviewer's checklist: * [ ] Any issues marked for closing are addressed * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md` * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1598 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Jun 3 09:22:53 2022 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 03 Jun 2022 07:22:53 +0000 Subject: [gnutls-devel] GnuTLS | fips: provide function to manually run FIPS self-tests (!1598) In-Reply-To: References: Message-ID: Reviewer changed to Stephan Mueller -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1598 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Jun 3 21:27:00 2022 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 03 Jun 2022 19:27:00 +0000 Subject: [gnutls-devel] GnuTLS | fips: provide function to manually run FIPS self-tests (!1598) In-Reply-To: References: Message-ID: Stephan Mueller commented: Looks good to me -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1598#note_971197811 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Jun 6 10:22:27 2022 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Mon, 06 Jun 2022 08:22:27 +0000 Subject: [gnutls-devel] GnuTLS | tests/suite/tls-fuzzer: use more -x/-X instead of -e and less -n (!1593) In-Reply-To: References: Message-ID: Alexander Sosedkin commented: @dueno: I consider it ready -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1593#note_972128556 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Jun 6 10:24:31 2022 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Mon, 06 Jun 2022 08:24:31 +0000 Subject: [gnutls-devel] GnuTLS | tests/suite/tls-fuzzer: use more -x/-X instead of -e and less -n (!1593) In-Reply-To: References: Message-ID: Merge request !1593 was approved by Daiki Ueno Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1593 Project:Branches: asosedkin/gnutls:tlsfuzzer-update to gnutls/gnutls:master Author: Alexander Sosedkin Assignee: Alexander Sosedkin Reviewers: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1593 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Jun 6 10:24:46 2022 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Mon, 06 Jun 2022 08:24:46 +0000 Subject: [gnutls-devel] GnuTLS | tests/suite/tls-fuzzer: use more -x/-X instead of -e and less -n (!1593) In-Reply-To: References: Message-ID: All discussions on merge request !1593 were resolved by Daiki Ueno https://gitlab.com/gnutls/gnutls/-/merge_requests/1593 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1593 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Jun 6 10:25:07 2022 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Mon, 06 Jun 2022 08:25:07 +0000 Subject: [gnutls-devel] GnuTLS | tests/suite/tls-fuzzer: use more -x/-X instead of -e and less -n (!1593) In-Reply-To: References: Message-ID: Merge request !1593 was merged Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1593 Project:Branches: asosedkin/gnutls:tlsfuzzer-update to gnutls/gnutls:master Author: Alexander Sosedkin Assignee: Alexander Sosedkin -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1593 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Jun 6 10:25:16 2022 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Mon, 06 Jun 2022 08:25:16 +0000 Subject: [gnutls-devel] GnuTLS | tests/suite/tls-fuzzer: use more -x/-X instead of -e and less -n (!1593) In-Reply-To: References: Message-ID: Daiki Ueno commented: Thank you! -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1593#note_972131452 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Jun 6 10:37:12 2022 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Mon, 06 Jun 2022 08:37:12 +0000 Subject: [gnutls-devel] GnuTLS | fips: provide function to manually run FIPS self-tests (!1598) In-Reply-To: References: Message-ID: Zolt?n Fridrich commented: I see no problems. Looks good. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1598#note_972144148 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Jun 6 10:38:27 2022 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Mon, 06 Jun 2022 08:38:27 +0000 Subject: [gnutls-devel] GnuTLS | Expose a public interface for executing FIPS integrity tests on-demand (#1364) In-Reply-To: References: Message-ID: Alexander Sosedkin commented: > Even deinitializing and initializing the library is not possible because it involves operations outside of the module Why? Wouldn't `gnutls_global_deinit(); ret = gnutls_global_init();` be sufficient? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1364#note_972145597 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Jun 6 10:49:30 2022 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Mon, 06 Jun 2022 08:49:30 +0000 Subject: [gnutls-devel] GnuTLS | fips: provide function to manually run FIPS self-tests (!1598) In-Reply-To: References: Message-ID: Alexander Sosedkin started a new discussion on lib/global.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1598#note_972157972 > > /* first round of self checks, these are done on the > * nettle algorithms which are used internally */ > + _gnutls_switch_lib_state(LIB_STATE_SELFTEST); > ret = _gnutls_fips_perform_self_checks1(); > + _gnutls_switch_lib_state(LIB_STATE_ERROR); why the unconditional state switch? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1598#note_972157972 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Jun 6 10:50:16 2022 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Mon, 06 Jun 2022 08:50:16 +0000 Subject: [gnutls-devel] GnuTLS | fips: provide function to manually run FIPS self-tests (!1598) In-Reply-To: References: Message-ID: Merge request https://gitlab.com/gnutls/gnutls/-/merge_requests/1598 was reviewed by Alexander Sosedkin -- Alexander Sosedkin started a new discussion on lib/global.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1598#note_972158684 > + _gnutls_audit_log(NULL, "FIPS140-2 self testing part 2 failed\n"); > + } > if (res != 2) { can be folded into the previous if block -- Alexander Sosedkin started a new discussion on lib/fips.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1598#note_972158706 > + */ > +int > +gnutls_fips140_run_self_tests(void) Should it be documented as threading-unsafe? -- Alexander Sosedkin commented on a discussion on lib/global.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1598#note_972158714 > + _gnutls_switch_lib_state(LIB_STATE_SELFTEST); > ret = _gnutls_fips_perform_self_checks1(); > + _gnutls_switch_lib_state(LIB_STATE_ERROR); Also, would `_gnutls_switch_fips_state` be safer to use to prevent logic mistakes? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1598 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Jun 6 11:41:21 2022 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Mon, 06 Jun 2022 09:41:21 +0000 Subject: [gnutls-devel] GnuTLS | fips: provide function to manually run FIPS self-tests (!1598) In-Reply-To: References: Message-ID: Daiki Ueno commented on a discussion on lib/global.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1598#note_972221955 > > /* first round of self checks, these are done on the > * nettle algorithms which are used internally */ > + _gnutls_switch_lib_state(LIB_STATE_SELFTEST); > ret = _gnutls_fips_perform_self_checks1(); > + _gnutls_switch_lib_state(LIB_STATE_ERROR); Oh, indeed; I've somehow dropped `if (ret < 0)`. Re: `_gnutls_switch_fips_state` it is about FIPS context (i.e., service indicator, not library state). -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1598#note_972221955 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Jun 6 11:45:09 2022 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Mon, 06 Jun 2022 09:45:09 +0000 Subject: [gnutls-devel] GnuTLS | fips: provide function to manually run FIPS self-tests (!1598) In-Reply-To: References: Message-ID: Alexander Sosedkin commented on a discussion on lib/global.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1598#note_972226194 > > /* first round of self checks, these are done on the > * nettle algorithms which are used internally */ > + _gnutls_switch_lib_state(LIB_STATE_SELFTEST); > ret = _gnutls_fips_perform_self_checks1(); > + _gnutls_switch_lib_state(LIB_STATE_ERROR); oh, right. not sure how useful it is to limit transitions of library state -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1598#note_972226194 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Jun 6 16:50:22 2022 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Mon, 06 Jun 2022 14:50:22 +0000 Subject: [gnutls-devel] GnuTLS | restrict allowlisting api to before priority string initialization (!1533) In-Reply-To: References: Message-ID: Alexander Sosedkin commented: v14: rebased on top of 3.7.6 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1533#note_972638906 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Jun 7 11:10:45 2022 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 07 Jun 2022 09:10:45 +0000 Subject: [gnutls-devel] GnuTLS | Increase the limit of TLS PSK usernames (!1581) In-Reply-To: References: Message-ID: Hannes Reinecke commented on a discussion on lib/auth/psk.h: https://gitlab.com/gnutls/gnutls/-/merge_requests/1581#note_973648313 > inline static > void _gnutls_copy_psk_username(psk_auth_info_t info, const gnutls_datum_t *username) > { > - assert(sizeof(info->username) > username->size); > + assert(MAX_USERNAME_SIZE >= username->size); > + gnutls_free(info->username); > + info->username = gnutls_malloc(username->size + 1); > + assert(info->username); Yes, I think that would be good. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1581#note_973648313 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Jun 7 11:12:50 2022 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 07 Jun 2022 09:12:50 +0000 Subject: [gnutls-devel] GnuTLS | Increase the limit of TLS PSK usernames (!1581) In-Reply-To: References: Message-ID: Hannes Reinecke commented on a discussion on lib/gnutls_int.h: https://gitlab.com/gnutls/gnutls/-/merge_requests/1581#note_973651587 > > #define MAX_CIPHER_IV_SIZE 16 > > -#define MAX_USERNAME_SIZE 128 > +#define MAX_USERNAME_SIZE 65535 Yes, we should. Otherwise it's not quite obvious as the username size is used in various places, and not all of these relate to PSK handling. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1581#note_973651587 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Jun 7 11:32:32 2022 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 07 Jun 2022 09:32:32 +0000 Subject: [gnutls-devel] GnuTLS | Increase the limit of TLS PSK usernames (!1581) In-Reply-To: References: Message-ID: Hannes Reinecke commented on a discussion on lib/handshake-checks.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1581#note_973684567 > if (username == NULL) > return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR); > > - if (session->internals.saved_username_size != -1) { > - if (session->internals.saved_username_size == username_length && > - strncmp(session->internals.saved_username, username, username_length) != 0) { > + if (session->internals.saved_username) { > + int saved_username_length = strlen(session->internals.saved_username); Problem is that we need to check both, as either the pointer could be NULL, or the length could be '0'. And one probably would need to do an audit to check if both are always in sync. (Or add an 'assert' here :-) Nit: there is one place in ~~~ lib/state.c:(*session)->internals.saved_username_size = -1; ~~~ is there a convention what the length of an unallocated pointer should be? -1 or 0? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1581#note_973684567 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Jun 7 18:58:42 2022 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 07 Jun 2022 16:58:42 +0000 Subject: [gnutls-devel] GnuTLS | Use recvmmsg() for receiving UDP frames (#1248) In-Reply-To: References: Message-ID: Yick commented: For your reference: [Zero-copy network transmission with io_uring](https://lwn.net/Articles/879724/) -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1248#note_974470051 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Jun 8 13:38:24 2022 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 08 Jun 2022 11:38:24 +0000 Subject: [gnutls-devel] GnuTLS | Expose a public interface for executing FIPS integrity tests on-demand (#1364) In-Reply-To: References: Message-ID: Stephan Mueller commented: I actually was not aware of this API. So, if the deinit and the following init call would basically be the same as a complete restarting of the library (i.e. execve() of the app or a dlopen of the library), then this combo is perfectly fine. In this case we do not need a specific API. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1364#note_975633584 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Jun 8 16:42:58 2022 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 08 Jun 2022 14:42:58 +0000 Subject: [gnutls-devel] GnuTLS | Expose a public interface for executing FIPS integrity tests on-demand (#1364) In-Reply-To: References: Message-ID: Alexander Sosedkin commented: As pointed outside of this discussion by Daiki, `deinit`/`init` only does actual deinitialization when the usage counter reaches zero and thus is not a straightforward way to retrigger self-tests reliably. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1364#note_975993694 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Jun 9 13:54:48 2022 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Thu, 09 Jun 2022 11:54:48 +0000 Subject: [gnutls-devel] GnuTLS | fips: provide function to manually run FIPS self-tests (!1598) In-Reply-To: References: Message-ID: All discussions on merge request !1598 were resolved by Daiki Ueno https://gitlab.com/gnutls/gnutls/-/merge_requests/1598 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1598 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Jun 9 15:03:50 2022 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Thu, 09 Jun 2022 13:03:50 +0000 Subject: [gnutls-devel] GnuTLS | fips: provide function to manually run FIPS self-tests (!1598) In-Reply-To: References: Message-ID: Merge request !1598 was approved by Alexander Sosedkin Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1598 Project:Branches: dueno/gnutls:wip/dueno/force-self-test to gnutls/gnutls:master Author: Daiki Ueno Assignee: Daiki Ueno Reviewer: Stephan Mueller -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1598 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Jun 9 16:05:59 2022 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Thu, 09 Jun 2022 14:05:59 +0000 Subject: [gnutls-devel] GnuTLS | Expose a public interface for executing FIPS integrity tests on-demand (#1364) In-Reply-To: References: Message-ID: Issue was closed by Daiki Ueno via merge request !1598 (https://gitlab.com/gnutls/gnutls/-/merge_requests/1598) Issue #1364: https://gitlab.com/gnutls/gnutls/-/issues/1364 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1364 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Jun 9 16:05:59 2022 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Thu, 09 Jun 2022 14:05:59 +0000 Subject: [gnutls-devel] GnuTLS | fips: provide function to manually run FIPS self-tests (!1598) In-Reply-To: References: Message-ID: Merge request !1598 was merged Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1598 Project:Branches: dueno/gnutls:wip/dueno/force-self-test to gnutls/gnutls:master Author: Daiki Ueno Assignee: Daiki Ueno Reviewer: Stephan Mueller -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1598 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Jun 9 16:06:10 2022 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Thu, 09 Jun 2022 14:06:10 +0000 Subject: [gnutls-devel] GnuTLS | fips: provide function to manually run FIPS self-tests (!1598) In-Reply-To: References: Message-ID: Daiki Ueno commented: Thanks for the review! -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1598#note_980762348 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Jun 10 10:13:24 2022 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 10 Jun 2022 08:13:24 +0000 Subject: [gnutls-devel] cligen | Fix typo found by codespell (!2) References: Message-ID: Dimitri Papadopoulos Orfanos created a merge request: https://gitlab.com/gnutls/cligen/-/merge_requests/2 Project:Branches: DimitriPapadopoulos/cligen:codespell to gnutls/cligen:main Author: Dimitri Papadopoulos Orfanos -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/cligen/-/merge_requests/2 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Jun 14 16:40:57 2022 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 14 Jun 2022 14:40:57 +0000 Subject: [gnutls-devel] GnuTLS | KTLS: disable by default enable by config (!1599) In-Reply-To: References: Message-ID: Reviewer changed to Daiki Ueno -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1599 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Jun 14 16:40:58 2022 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 14 Jun 2022 14:40:58 +0000 Subject: [gnutls-devel] GnuTLS | KTLS: disable by default enable by config (!1599) In-Reply-To: References: Message-ID: Reassigned merge request 1599 https://gitlab.com/gnutls/gnutls/-/merge_requests/1599 Assignee changed to Franti?ek Kren?elok -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1599 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Jun 14 16:40:59 2022 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 14 Jun 2022 14:40:59 +0000 Subject: [gnutls-devel] GnuTLS | KTLS: disable by default enable by config (!1599) References: Message-ID: Franti?ek Kren?elok created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1599 Project:Branches: FrantisekKrenzelok/gnutls:ktls-disabled-by-default to gnutls/gnutls:master Author: Franti?ek Kren?elok Assignee: Franti?ek Kren?elok Reviewer: Daiki Ueno KTLS will be disabled by default when build with `--enable-ktls` to enable it, use config file option `ktls = true` in [global] section. ## Checklist * [ ] Commits have `Signed-off-by:` with name/author being identical to the commit author * [ ] Code modified for feature * [ ] Test suite updated with functionality tests * [ ] Test suite updated with negative tests * [ ] Documentation updated / NEWS entry present (for non-trivial changes) * [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout) ## Reviewer's checklist: * [ ] Any issues marked for closing are addressed * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md` * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1599 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Jun 14 16:46:49 2022 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 14 Jun 2022 14:46:49 +0000 Subject: [gnutls-devel] GnuTLS | KTLS: disable by default enable by config (!1599) In-Reply-To: References: Message-ID: Merge request !1599 was approved by Daiki Ueno Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1599 Project:Branches: FrantisekKrenzelok/gnutls:ktls-disabled-by-default to gnutls/gnutls:master Author: Franti?ek Kren?elok Assignee: Franti?ek Kren?elok Reviewer: Daiki Ueno -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1599 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Jun 14 22:20:38 2022 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 14 Jun 2022 20:20:38 +0000 Subject: [gnutls-devel] GnuTLS | x86(_64): CPU feature detection broken (#1282) In-Reply-To: References: Message-ID: Gregor Jasny commented: I hit the same bug in Ubuntu 22.04 (`3.7.3-4ubuntu1`) which is supposed to be fixed. # environment * Ubuntu 22.04 * libgnutls30:amd64 3.7.3-4ubuntu1 # testcase ``` gnutls-cli github.com:443 ``` # dmesg ``` [20561.492164] traps: gnutls-cli[13879] trap invalid opcode ip:7f58f0bbc8b1 sp:7fffc5ac0500 error:0 in libgnutls.so.30.31.0[7f58f0a9b000+129000] ``` # backtrace (with ddebs installed) ``` #0 sha256_block_data_order_avx () at ../../../../lib/accelerated/x86/elf/sha256-ssse3-x86_64.s:3165 #1 0x00007ffff7ee9782 in x86_sha256_update (ctx=0x7fffffff77e0, length=64, data=0x7fffffff7720 '\\' , "\300w\377\377\377\177") at accelerated/x86/../../../../lib/accelerated/x86/sha-x86-ssse3.c:164 #2 0x00007ffff776ecc2 in nettle_hmac_set_key () from /lib/x86_64-linux-gnu/libnettle.so.8 #3 0x00007ffff7ef1c1b in wrap_x86_hmac_fast (algo=, nonce=, nonce_size=, key=0x7ffff7f3f583, key_size=0, text=0x7fffffff7b00, text_size=32, digest=0x555555608f18) at accelerated/x86/../../../../lib/accelerated/x86/hmac-x86-ssse3.c:294 #4 0x00007ffff7e1d355 in _gnutls_mac_fast (algorithm=, key=, keylen=, text=, textlen=, digest=) at ../../lib/hash_int.c:167 #5 0x00007ffff7e58056 in _tls13_init_secret2 (prf=0x7ffff7fb21d0 , psk=, psk_size=32, out=0x555555608f18) at ../../lib/secrets.c:59 #6 0x00007ffff7e10617 in _tls13_init_secret (psk=0x0, psk_size=0, session=0x555555607790) at ../../lib/secrets.c:35 #7 read_server_hello (datalen=, data=0x5555558c6470 "\003\003\325\312`\342\333\361p\270\331gC~?&\211Q\035\006\262so2=+XR\230c`\367\213 \213\306?\346\064\"!\343\v^\211\254niq\261\374\225\265\252b\033m\351UA\325X\213'{\023\001", session=0x555555607790) at ../../lib/handshake.c:2097 #8 _gnutls_recv_handshake (session=0x555555607790, type=, optional=, buf=0x0) at ../../lib/handshake.c:1656 #9 0x00007ffff7e18d4a in handshake_client (session=0x555555607790) at ../../lib/handshake.c:3072 #10 gnutls_handshake (session=0x555555607790) at ../../lib/handshake.c:2871 #11 0x00005555555651e7 in ?? () #12 0x00005555555658d8 in ?? () #13 0x000055555555de2c in ?? () #14 0x00007ffff7addd90 in __libc_start_call_main (main=main at entry=0x55555555d5b0, argc=argc at entry=2, argv=argv at entry=0x7fffffffe458) at ../sysdeps/nptl/libc_start_call_main.h:58 #15 0x00007ffff7adde40 in __libc_start_main_impl (main=0x55555555d5b0, argc=2, argv=0x7fffffffe458, init=, fini=, rtld_fini=, stack_end=0x7fffffffe448) at ../csu/libc-start.c:392 #16 0x000055555555ff85 in ?? () ``` # disassembly ``` Dump of assembler code for function sha256_block_data_order_avx: 0x00007ffff7f1c880 <+0>: mov %rsp,%rax 0x00007ffff7f1c883 <+3>: push %rbx 0x00007ffff7f1c884 <+4>: push %rbp 0x00007ffff7f1c885 <+5>: push %r12 0x00007ffff7f1c887 <+7>: push %r13 0x00007ffff7f1c889 <+9>: push %r14 0x00007ffff7f1c88b <+11>: push %r15 0x00007ffff7f1c88d <+13>: shl $0x4,%rdx 0x00007ffff7f1c891 <+17>: sub $0x60,%rsp 0x00007ffff7f1c895 <+21>: lea (%rsi,%rdx,4),%rdx 0x00007ffff7f1c899 <+25>: and $0xffffffffffffffc0,%rsp 0x00007ffff7f1c89d <+29>: mov %rdi,0x40(%rsp) 0x00007ffff7f1c8a2 <+34>: mov %rsi,0x48(%rsp) 0x00007ffff7f1c8a7 <+39>: mov %rdx,0x50(%rsp) 0x00007ffff7f1c8ac <+44>: mov %rax,0x58(%rsp) => 0x00007ffff7f1c8b1 <+49>: vzeroupper 0x00007ffff7f1c8b4 <+52>: mov (%rdi),%eax 0x00007ffff7f1c8b6 <+54>: mov 0x4(%rdi),%ebx 0x00007ffff7f1c8b9 <+57>: mov 0x8(%rdi),%ecx ``` -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1282#note_991427169 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Jun 14 22:25:17 2022 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 14 Jun 2022 20:25:17 +0000 Subject: [gnutls-devel] GnuTLS | x86(_64): CPU feature detection broken (#1282) In-Reply-To: References: Message-ID: Gregor Jasny commented: Building gnutls from source on that machine is kind of hard/impossible because I cannot checkout the git submodules because gnutls crashes. Some questions: 1) How do I use `GNUTLS_CPUID_OVERRIDE` to remove all acceleration? setting it to 0 does not fix the issue? 2) How do I make the `_gnutls_debug_log` debug log visible in my `gnutls-cli` testcase? 3) was there any post-3.7.3 fix in that area? Thanks for your time and help, Gregor -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1282#note_991431387 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Jun 14 22:28:19 2022 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 14 Jun 2022 20:28:19 +0000 Subject: [gnutls-devel] GnuTLS | x86(_64): CPU feature detection broken (#1282) In-Reply-To: References: Message-ID: Gregor Jasny commented: PS: the VM is running on Microsoft HyperV. The admin told me that the xsave/avx features are disabled on the VMs to be able to migrate them across hosts. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1282#note_991434297 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Jun 15 10:54:31 2022 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 15 Jun 2022 08:54:31 +0000 Subject: [gnutls-devel] GnuTLS | Add a priority string modifier to disable sending status_request extension (#1378) References: Message-ID: Daiki Ueno created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1378 By default the client sends the `status_request` extension. From the command-line there is no other way to disable this behavior than adding `%NO_EXTENSIONS`. It would be nice we have a new modifier, say `%NO_STATUS_REQUEST`. @tomato42 suggested that we might eventually provide finer grained control over each extension as in signature algorithms selection, but the challenge is that there are dependencies between extensions (e.g., `pre_shared_key` and `psk_ke_modes`). -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1378 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Jun 15 13:26:51 2022 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 15 Jun 2022 11:26:51 +0000 Subject: [gnutls-devel] GnuTLS | Add a priority string modifier to disable sending status_request extension (#1378) In-Reply-To: References: Message-ID: Hubert Kario (@mention me if you need reply) commented: Actually, what I had in mind was a `%MINIMAL_EXTENSIONS` which would send the minimal set of extensions necessary for interoperability given the selected protocol version (so only `signature_algorithms` and `supported_groups` for TLS 1.2 and additionally `supported_versions` and `key_share` for TLS 1.3, _maybe_ also `server_name`) -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1378#note_992347018 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Jun 16 00:46:39 2022 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 15 Jun 2022 22:46:39 +0000 Subject: [gnutls-devel] GnuTLS | x86(_64): CPU feature detection broken (#1282) In-Reply-To: References: Message-ID: Daiki Ueno commented: @gjasny I think this is related https://gitlab.com/qemu-project/qemu/-/issues/993 Perhaps there might be some discrepancy, e.g., avx2 is advertised while avx is not. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1282#note_993293466 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Jun 16 08:49:51 2022 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Thu, 16 Jun 2022 06:49:51 +0000 Subject: [gnutls-devel] GnuTLS | Add a priority string modifier to disable sending status_request extension (#1378) In-Reply-To: References: Message-ID: Daiki Ueno commented: @tomato42 thanks for the clarification. That sounds like the meaning of this modifier may change from time to time, and that makes me worry about backward compatibility. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1378#note_993555313 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Jun 16 14:14:16 2022 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Thu, 16 Jun 2022 12:14:16 +0000 Subject: [gnutls-devel] GnuTLS | KTLS: disable by default enable by config (!1599) In-Reply-To: References: Message-ID: Merge request !1599 was merged Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1599 Project:Branches: FrantisekKrenzelok/gnutls:ktls-disabled-by-default to gnutls/gnutls:master Author: Franti?ek Kren?elok Assignee: Franti?ek Kren?elok Reviewer: Daiki Ueno -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1599 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Jun 16 14:14:25 2022 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Thu, 16 Jun 2022 12:14:25 +0000 Subject: [gnutls-devel] GnuTLS | KTLS: disable by default enable by config (!1599) In-Reply-To: References: Message-ID: Daiki Ueno commented: Thank you! -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1599#note_994023470 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Jun 16 15:17:58 2022 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Thu, 16 Jun 2022 13:17:58 +0000 Subject: [gnutls-devel] GnuTLS | Add a priority string modifier to disable sending status_request extension (#1378) In-Reply-To: References: Message-ID: Hubert Kario (@mention me if you need reply) commented: sure, but then we have keywords like `%NO_EXTENSIONS` that are intrinsically incompatible with TLS 1.3... -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1378#note_994139051 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Jun 20 07:22:52 2022 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Mon, 20 Jun 2022 05:22:52 +0000 Subject: [gnutls-devel] GnuTLS | Provide a better way to upload Windows artifacts upon release (#1182) In-Reply-To: References: Message-ID: Issue was closed by Daiki Ueno Issue #1182: https://gitlab.com/gnutls/gnutls/-/issues/1182 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1182 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Jun 20 07:22:52 2022 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Mon, 20 Jun 2022 05:22:52 +0000 Subject: [gnutls-devel] GnuTLS | Provide a better way to upload Windows artifacts upon release (#1182) In-Reply-To: References: Message-ID: Daiki Ueno commented: We recently started uploading Windows binary directly on the ftp.gnupg.org, so I've changed links on the download [page](https://gnutls.gitlab.io/web-pages/download.html), which will be mirrored on gnutls.org soon. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1182#note_996982966 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Jun 20 14:41:09 2022 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Mon, 20 Jun 2022 12:41:09 +0000 Subject: [gnutls-devel] cligen | Add two missing SPDX-License-Identifier tags. (!1) In-Reply-To: References: Message-ID: Merge request !1 was merged Merge request URL: https://gitlab.com/gnutls/cligen/-/merge_requests/1 Project:Branches: ametzler/cligen:2022-more-spdx to gnutls/cligen:main Author: Andreas Metzler Assignee: Andreas Metzler -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/cligen/-/merge_requests/1 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Jun 20 14:41:55 2022 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Mon, 20 Jun 2022 12:41:55 +0000 Subject: [gnutls-devel] cligen | Add two missing SPDX-License-Identifier tags. (!1) In-Reply-To: References: Message-ID: Daiki Ueno commented: Thank you; sorry for the delay, I didn't set up notifications from this project :-) -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/cligen/-/merge_requests/1#note_997594999 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Jun 20 14:42:22 2022 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Mon, 20 Jun 2022 12:42:22 +0000 Subject: [gnutls-devel] cligen | Fix typo found by codespell (!2) In-Reply-To: References: Message-ID: Merge request !2 was merged Merge request URL: https://gitlab.com/gnutls/cligen/-/merge_requests/2 Project:Branches: DimitriPapadopoulos/cligen:codespell to gnutls/cligen:main Author: Dimitri Papadopoulos Orfanos -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/cligen/-/merge_requests/2 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Jun 20 14:42:27 2022 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Mon, 20 Jun 2022 12:42:27 +0000 Subject: [gnutls-devel] cligen | Fix typo found by codespell (!2) In-Reply-To: References: Message-ID: Daiki Ueno commented: Thank you! -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/cligen/-/merge_requests/2#note_997595791 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Jun 20 14:45:16 2022 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Mon, 20 Jun 2022 12:45:16 +0000 Subject: [gnutls-devel] cligen | .gitlab-ci.yml: Run tests through tox (!3) In-Reply-To: References: Message-ID: Reassigned merge request 3 https://gitlab.com/gnutls/cligen/-/merge_requests/3 Assignee changed to Daiki Ueno -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/cligen/-/merge_requests/3 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Jun 20 14:45:16 2022 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Mon, 20 Jun 2022 12:45:16 +0000 Subject: [gnutls-devel] cligen | .gitlab-ci.yml: Run tests through tox (!3) References: Message-ID: Daiki Ueno created a merge request: https://gitlab.com/gnutls/cligen/-/merge_requests/3 Branches: wip/dueno/tox to main Author: Daiki Ueno Assignee: Daiki Ueno This would allow us to run tests with multiple Python versions and detect any usage of Python 3.7+ features. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/cligen/-/merge_requests/3 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Jun 20 15:53:15 2022 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Mon, 20 Jun 2022 13:53:15 +0000 Subject: [gnutls-devel] cligen | .gitlab-ci.yml: Run tests through tox (!3) In-Reply-To: References: Message-ID: Hubert Kario (@mention me if you need reply) commented: r+ -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/cligen/-/merge_requests/3#note_997751444 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Jun 20 15:54:13 2022 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Mon, 20 Jun 2022 13:54:13 +0000 Subject: [gnutls-devel] cligen | .gitlab-ci.yml: Run tests through tox (!3) In-Reply-To: References: Message-ID: Merge request !3 was merged Merge request URL: https://gitlab.com/gnutls/cligen/-/merge_requests/3 Branches: wip/dueno/tox to main Author: Daiki Ueno Assignee: Daiki Ueno -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/cligen/-/merge_requests/3 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Jun 20 22:40:20 2022 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Mon, 20 Jun 2022 20:40:20 +0000 Subject: [gnutls-devel] GnuTLS | x86(_64): CPU feature detection broken (#1282) In-Reply-To: References: Message-ID: Gregor Jasny commented: I don't think those are related. This is the `/proc/cpuinfo` from my VM: ``` processor : 0 vendor_id : GenuineIntel cpu family : 6 model : 85 model name : Intel(R) Xeon(R) Gold 5120 CPU @ 2.20GHz stepping : 4 microcode : 0xffffffff cpu MHz : 2194.841 physical id : 0 siblings : 4 core id : 0 cpu cores : 1 apicid : 0 initial apicid : 0 fpu : yes fpu_exception : yes cpuid level : 2 wp : yes flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ss ht syscall nx pdpe1gb rdtscp lm constant_tsc rep_good nopl cpuid pni pclmulqdq ssse3 cx16 pcid sse4_1 sse4_2 movbe popcnt aes f16c rdrand hypervisor lahf_lm abm 3dnowprefetch pti bugs : cpu_meltdown spectre_v1 spectre_v2 spec_store_bypass l1tf mds swapgs itlb_multihit bogomips : 4389.68 clflush size : 64 cache_alignment : 64 address sizes : 36 bits physical, 48 bits virtual power management: ``` As you can see the `xsave` and `avx` are absent (also `avx2` which was set in the bug you quoted). Unfortunately I have a hard time to get gnutls compiled on that machine. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1282#note_998323173 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Jun 21 03:11:42 2022 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 21 Jun 2022 01:11:42 +0000 Subject: [gnutls-devel] GnuTLS | x86(_64): CPU feature detection broken (#1282) In-Reply-To: References: Message-ID: Daiki Ueno commented: OK, so that sounds like the whole avx detection is somehow not working. Let me reopen this. > How do I use GNUTLS_CPUID_OVERRIDE to remove all acceleration? setting it to 0 does not fix the issue? I should have answered to this question earlier, but you could set the variable to `0x1`, as documented in: https://www.gnutls.org/manual/html_node/Debugging-and-auditing.html#Debugging-and-auditing -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1282#note_998445170 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Jun 21 03:11:44 2022 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 21 Jun 2022 01:11:44 +0000 Subject: [gnutls-devel] GnuTLS | x86(_64): CPU feature detection broken (#1282) In-Reply-To: References: Message-ID: Issue was reopened by Daiki Ueno Issue 1282: https://gitlab.com/gnutls/gnutls/-/issues/1282 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1282 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Jun 21 11:21:03 2022 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 21 Jun 2022 09:21:03 +0000 Subject: [gnutls-devel] GnuTLS | README.md: explicitly install libtasn1-bin (!1600) References: Message-ID: Gregor Jasny created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1600 Project:Branches: gjasny/gnutls:add-tasn-bin to gnutls/gnutls:master Author: Gregor Jasny On Ubuntu the `libtasn1-6-dev` package does not depend on the `libtasn1-bin` package which provides the ASN.1 parser: [see](https://packages.ubuntu.com/jammy/libtasn1-6-dev). ## Checklist * [X] Commits have `Signed-off-by:` with name/author being identical to the commit author * [ ] Code modified for feature * [ ] Test suite updated with functionality tests * [ ] Test suite updated with negative tests * [X] Documentation updated / NEWS entry present (for non-trivial changes) * [X] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout) ## Reviewer's checklist: * [ ] Any issues marked for closing are addressed * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md` * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1600 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Jun 21 11:22:13 2022 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 21 Jun 2022 09:22:13 +0000 Subject: [gnutls-devel] GnuTLS | x86(_64): CPU feature detection broken (#1282) In-Reply-To: References: Message-ID: Gregor Jasny commented: I was hitting ``` /root/src/gnutls/build-aux/missing: line 81: asn1Parser: command not found WARNING: 'asn1Parser' is missing on your system. You might have modified some files without having the proper tools for further handling them. Check the 'README' file, it often tells you about the needed prerequisites for installing this package. You may also peek at any GNU archive site, in case some other package contains this missing 'asn1Parser' program. ``` and filed !1600 to update the documentation. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1282#note_998854365 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Jun 21 12:18:21 2022 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 21 Jun 2022 10:18:21 +0000 Subject: [gnutls-devel] GnuTLS | README.md: explicitly install libtasn1-bin (!1600) In-Reply-To: References: Message-ID: Merge request !1600 was approved by Daiki Ueno Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1600 Project:Branches: gjasny/gnutls:add-tasn-bin to gnutls/gnutls:master Author: Gregor Jasny Assignees: Reviewers: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1600 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Jun 21 12:18:28 2022 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 21 Jun 2022 10:18:28 +0000 Subject: [gnutls-devel] GnuTLS | README.md: explicitly install libtasn1-bin (!1600) In-Reply-To: References: Message-ID: Daiki Ueno commented: Thank you! -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1600#note_998953175 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Jun 21 12:18:35 2022 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 21 Jun 2022 10:18:35 +0000 Subject: [gnutls-devel] GnuTLS | README.md: explicitly install libtasn1-bin (!1600) In-Reply-To: References: Message-ID: Merge request !1600 was scheduled to merge after pipeline succeeds by Daiki Ueno Merge request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1600 Project:Branches: gjasny/gnutls:add-tasn-bin to gnutls/gnutls:master Author: Gregor Jasny Assignees: Reviewers: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1600 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Jun 21 15:41:54 2022 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 21 Jun 2022 13:41:54 +0000 Subject: [gnutls-devel] GnuTLS | drbg-aes: zeroize internally used AES-256 keys before resetting (!1601) In-Reply-To: References: Message-ID: Reassigned merge request 1601 https://gitlab.com/gnutls/gnutls/-/merge_requests/1601 Assignee changed to Daiki Ueno -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1601 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Jun 21 15:41:56 2022 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 21 Jun 2022 13:41:56 +0000 Subject: [gnutls-devel] GnuTLS | drbg-aes: zeroize internally used AES-256 keys before resetting (!1601) References: Message-ID: Daiki Ueno created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1601 Project:Branches: dueno/gnutls:wip/dueno/drbg-zeroize to gnutls/gnutls:master Author: Daiki Ueno Assignee: Daiki Ueno FIPS140-3 requires certain sensitive parameters to be cleared, which includes internal states of DRBG. ## Checklist * [x] Commits have `Signed-off-by:` with name/author being identical to the commit author * [ ] Code modified for feature * [ ] Test suite updated with functionality tests * [ ] Test suite updated with negative tests * [ ] Documentation updated / NEWS entry present (for non-trivial changes) * [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout) ## Reviewer's checklist: * [ ] Any issues marked for closing are addressed * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md` * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1601 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Jun 22 02:03:52 2022 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 22 Jun 2022 00:03:52 +0000 Subject: [gnutls-devel] GnuTLS | drbg-aes: zeroize internally used AES-256 keys before resetting (!1601) In-Reply-To: References: Message-ID: Daiki Ueno commented: It turned out that this is not necessary, as the `aes128_ctx` only involves stack allocated memory (and it is overwritten with set_encryption_key). -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1601#note_1000032248 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Jun 22 02:03:54 2022 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 22 Jun 2022 00:03:54 +0000 Subject: [gnutls-devel] GnuTLS | drbg-aes: zeroize internally used AES-256 keys before resetting (!1601) In-Reply-To: References: Message-ID: Merge request !1601 was closed by Daiki Ueno Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1601 Project:Branches: dueno/gnutls:wip/dueno/drbg-zeroize to gnutls/gnutls:master Author: Daiki Ueno Assignee: Daiki Ueno Reviewers: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1601 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Jun 22 02:18:39 2022 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 22 Jun 2022 00:18:39 +0000 Subject: [gnutls-devel] GnuTLS | README.md: explicitly install libtasn1-bin (!1600) In-Reply-To: References: Message-ID: Merge request !1600 was merged Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1600 Project:Branches: gjasny/gnutls:add-tasn-bin to gnutls/gnutls:master Author: Gregor Jasny -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1600 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Jun 23 13:56:54 2022 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Thu, 23 Jun 2022 11:56:54 +0000 Subject: [gnutls-devel] GnuTLS | Crash (0xC0000005) when closing application. (#1380) References: Message-ID: Bj?rn Christensen created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1380 ## Description of problem: When our customer exits his application it generate an exception 0xc0000005 during the unload of the gnutls library. The call stack indicates that it is failing in _gnutls_rnd_deinit. while trying to line 140 which looks simple rnd_initialized = 0; but it turns out that rnd_initialized is declared as static _Thread_local unsigned rnd_initialized = 0; where _Thread_local is defined as __declspec(thread) and it turns out the Ubuntu 18.04 mingw 7.3 we are using does not support the __declspec(thread) Is this a known problem? Is it because I am using a too old version of mingw? Which version of mingw are you using when cross compiling to windows? Call stack at the exception: _fpreset () C++ > _gnutls_rnd_deinit() Line 140 C++ _gnutls_global_deinit() Line 415 C++ lib_deinit() Line 530 C++ __do_global_dtors() Line 27 C++ _CRT_INIT() Line 142 C++ __DllMainCRTStartup() Line 211 C++ LdrpCallInitRoutine() Unknown LdrpProcessDetachNode() Unknown LdrpUnloadNode() Unknown LdrpDecrementModuleLoadCountEx () Unknown LdrUnloadDll () Unknown FreeLibrary() Unknown The fpreset seems to be a red herring when inspection the disassembly. (it is _fpreset+0x190, symbols must be incomplete ) ## Version of gnutls used: 3.6.15 ## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL) Cross-compiled Compiled and linked by me on Ubuntu 18.04 with mingw version 7.4 for windows. ## How reproducible: Difficult but reproducable Steps to Reproduce: * one * two * three ## Actual results: Exception during exit ## Expected results: no exception during exit -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1380 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Jun 23 14:45:44 2022 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Thu, 23 Jun 2022 12:45:44 +0000 Subject: [gnutls-devel] GnuTLS | Increase the limit of TLS PSK usernames (!1581) In-Reply-To: References: Message-ID: Zolt?n Fridrich commented on a discussion on lib/gnutls_int.h: https://gitlab.com/gnutls/gnutls/-/merge_requests/1581#note_1002737641 > > #define MAX_CIPHER_IV_SIZE 16 > > -#define MAX_USERNAME_SIZE 128 > +#define MAX_USERNAME_SIZE 65535 please check whether the comment is ok now -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1581#note_1002737641 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Jun 23 17:58:52 2022 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Thu, 23 Jun 2022 15:58:52 +0000 Subject: [gnutls-devel] GnuTLS | verification error on duplicate server cert in chain (#1335) In-Reply-To: References: Message-ID: Martin 'JaMa' Jansa commented: archive.mesa3d.org can be used as another testcase: ``` $ gnutls-cli archive.mesa3d.org Processed 136 CA certificate(s). Resolving 'archive.mesa3d.org:443'... Connecting to '131.252.210.176:443'... - Certificate type: X.509 - Got a certificate list of 4 certificates. - Certificate[0] info: - subject `CN=archive.mesa3d.org', issuer `CN=R3,O=Let's Encrypt,C=US', serial 0x034b691f41ef93f5d205f6678f5e065a9975, RSA key 2048 bits, signed using RSA-SHA256, activated `2022-05-05 00:25:27 UTC', expires `2022-08-03 00:25:26 UTC', pin-sha256="qg5rLg63UE4MvpjUZp40sqzqc4YJH3Fc3yv9EKQKkD0=" Public Key ID: sha1:8bbb9c1cef01c1ec2ae8c50bb720045e7a9427a2 sha256:aa0e6b2e0eb7504e0cbe98d4669e34b2acea7386091f715cdf2bfd10a40a903d Public Key PIN: pin-sha256:qg5rLg63UE4MvpjUZp40sqzqc4YJH3Fc3yv9EKQKkD0= - Certificate[1] info: - subject `CN=archive.mesa3d.org', issuer `CN=R3,O=Let's Encrypt,C=US', serial 0x034b691f41ef93f5d205f6678f5e065a9975, RSA key 2048 bits, signed using RSA-SHA256, activated `2022-05-05 00:25:27 UTC', expires `2022-08-03 00:25:26 UTC', pin-sha256="qg5rLg63UE4MvpjUZp40sqzqc4YJH3Fc3yv9EKQKkD0=" - Certificate[2] info: - subject `CN=R3,O=Let's Encrypt,C=US', issuer `CN=ISRG Root X1,O=Internet Security Research Group,C=US', serial 0x00912b084acf0c18a753f6d62e25a75f5a, RSA key 2048 bits, signed using RSA-SHA256, activated `2020-09-04 00:00:00 UTC', expires `2025-09-15 16:00:00 UTC', pin-sha256="jQJTbIh0grw0/1TkHSumWb+Fs0Ggogr621gT3PvPKG0=" - Certificate[3] info: - subject `CN=ISRG Root X1,O=Internet Security Research Group,C=US', issuer `CN=DST Root CA X3,O=Digital Signature Trust Co.', serial 0x4001772137d4e942b8ee76aa3c640ab7, RSA key 4096 bits, signed using RSA-SHA256, activated `2021-01-20 19:14:03 UTC', expires `2024-09-30 18:14:03 UTC', pin-sha256="C5+lpZ7tcVwmwQIMcRtPbsQtWLABXhQzejna0wHFr8M=" - Status: The certificate is NOT trusted. The certificate issuer is unknown. *** PKI verification of server certificate failed... *** Fatal error: Error in the certificate. ``` -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1335#note_1003106235 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Jun 24 01:13:48 2022 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Thu, 23 Jun 2022 23:13:48 +0000 Subject: [gnutls-devel] GnuTLS | Crash (0xC0000005) when closing application. (#1380) In-Reply-To: References: Message-ID: Daiki Ueno commented: > Is this a known problem? Not that I know of. > Is it because I am using a too old version of mingw? Which version of mingw are you using when cross compiling to windows? The version used in our CI seems to be 9.0.0: ```console $ podman run -ti --pull=always registry.gitlab.com/gnutls/build-images:buildenv-mingw-fedora35 [root at 0bac5451fc8a /]# rpm -qa mingw32\* | grep 'headers\|crt' mingw32-crt-9.0.0-2.fc35.noarch mingw32-headers-9.0.0-2.fc35.noarch [root at 0bac5451fc8a /]# rpm -qf /usr/bin/x86_64-w64-mingw32-gcc mingw64-gcc-11.2.1-3.fc35.x86_64 ``` -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1380#note_1003639170 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Jun 24 08:07:19 2022 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 24 Jun 2022 06:07:19 +0000 Subject: [gnutls-devel] GnuTLS | Crash (0xC0000005) when closing application. (#1380) In-Reply-To: References: Message-ID: Bj?rn Christensen commented on a discussion: https://gitlab.com/gnutls/gnutls/-/issues/1380#note_1003840808 Hello Daiki, I have pulled the image and tried to build some test code using __declspec(thread) and I get the following error: Function.cpp:64:24: warning: 'thread' attribute directive ignored [-Wattributes] 64 | __declspec(thread) UI4 var = 0; | ^~~ But I am not completely sure I know, if you have things configured that would enable this pragma, or if that can be done at all? /bhc
... From: gitlab at mg.gitlab.com Sent: Friday, 24 June 2022 01.14 To: bhc at insight.dk Subject: Re: GnuTLS | Crash (0xC0000005) when closing application. (#1380) Daiki Ueno commented : Is this a known problem? Not that I know of. Is it because I am using a too old version of mingw? Which version of mingw are you using when cross compiling to windows? The version used in our CI seems to be 9.0.0: $ podman run -ti --pull=always registry.gitlab.com/gnutls/build-images:buildenv-mingw-fedora35 [root at 0bac5451fc8a /]# rpm -qa mingw32\* | grep 'headers\|crt' mingw32-crt-9.0.0-2.fc35.noarch mingw32-headers-9.0.0-2.fc35.noarch [root at 0bac5451fc8a /]# rpm -qf /usr/bin/x86_64-w64-mingw32-gcc mingw64-gcc-11.2.1-3.fc35.x86_64 ? Reply to this email directly or view it on GitLab . You're receiving this email because of your account on gitlab.com. If you'd like to receive fewer emails, you can unsubscribe from this thread or adjust your notification settings.
-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1380#note_1003840808 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Jun 24 10:28:47 2022 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 24 Jun 2022 08:28:47 +0000 Subject: [gnutls-devel] GnuTLS | Crash (0xC0000005) when closing application. (#1380) In-Reply-To: References: Message-ID: Daiki Ueno commented on a discussion: https://gitlab.com/gnutls/gnutls/-/issues/1380#note_1004040111 GnuTLS usage of `__declspec(thread)` is [guarded](https://gitlab.com/gnutls/gnutls/-/blob/master/lib/gthreads.h) with `#ifdef _MSC_VER`. If you see the macro expanded, that means`_MSC_VER` is defined somewhere, while it shouldn't be if you are using g++: https://sourceforge.net/p/mingw-w64/bugs/282/#3996 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1380#note_1004040111 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Jun 24 10:54:07 2022 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 24 Jun 2022 08:54:07 +0000 Subject: [gnutls-devel] GnuTLS | Crash (0xC0000005) when closing application. (#1380) In-Reply-To: References: Message-ID: Bj?rn Christensen commented on a discussion: https://gitlab.com/gnutls/gnutls/-/issues/1380#note_1004078015 Good point Daiki, And if I change the __declspec(thread) to __thread my sample program works. When I examined the crash I looked at the disassembly and I could not see that the access to rnd_initialized was guarded. 00000000773B165A mov qword ptr [rbp-8],0 00000000773B1662 mov rax,qword ptr [rbp-10h] 00000000773B1666 mov qword ptr [rbp-8],rax L3: 00000000773B166A cmp qword ptr [rbp-8],0 // 131 00000000773B166F jne _gnutls_rnd_deinit+25h (0773B1624h) L2 // 131 00000000773B1671 mov qword ptr [head (077618568h)],0 L1: 00000000773B167C lea rcx,[gnutls_mutex_unlock+8h (077551380h)] 00000000773B1683 call _fpreset+190h (07754A420h) 00000000773B1688 mov dword ptr [rax],0 00000000773B168E call _rnd_system_entropy_deinit (07748BCB2h) 00000000773B1693 nop 00000000773B1694 add rsp,30h 00000000773B1698 pop rbp Maybe the call to _fpreset+0x190 is the setup of TLS memory. Thanks for the help I will investigate a bit further. /bhc
... From: gitlab at mg.gitlab.com Sent: Friday, 24 June 2022 10.29 To: bhc at insight.dk Subject: Re: GnuTLS | Crash (0xC0000005) when closing application. (#1380) Daiki Ueno commented on a discussion : GnuTLS usage of __declspec(thread) is guarded with #ifdef _MSC_VER. If you see the macro expanded, that means_MSC_VER is defined somewhere, while it shouldn't be if you are using g++: https://sourceforge.net/p/mingw-w64/bugs/282/#3996 ? Reply to this email directly or view it on GitLab . You're receiving this email because of your account on gitlab.com. If you'd like to receive fewer emails, you can unsubscribe from this thread or adjust your notification settings.
-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1380#note_1004078015 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Jun 24 12:23:05 2022 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 24 Jun 2022 10:23:05 +0000 Subject: [gnutls-devel] GnuTLS | Make gnutlsxx header-only library (#1381) References: Message-ID: Daiki Ueno created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1381 As the gnutlsxx is a thin wrapper around libgnutls, it would be possible to turn it into a header-only library, so we don't need to care about ABI compatibility of the shared library. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1381 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Jun 27 02:32:26 2022 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Mon, 27 Jun 2022 00:32:26 +0000 Subject: [gnutls-devel] GnuTLS | nettle: restrict output size of HKDF-Expand to 255 * HashLen (!1602) In-Reply-To: References: Message-ID: Reassigned merge request 1602 https://gitlab.com/gnutls/gnutls/-/merge_requests/1602 Assignee changed to Daiki Ueno -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1602 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Jun 27 02:32:27 2022 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Mon, 27 Jun 2022 00:32:27 +0000 Subject: [gnutls-devel] GnuTLS | nettle: restrict output size of HKDF-Expand to 255 * HashLen (!1602) References: Message-ID: Daiki Ueno created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1602 Project:Branches: dueno/gnutls:wip/dueno/hkdf-limit to gnutls/gnutls:master Author: Daiki Ueno Assignee: Daiki Ueno nettle: restrict output size of HKDF-Expand to 255 * HashLen RFC 5869 2.3 requires that requested output length of HKDF-Expand to be equal to or less than 255 times hash output size. Inspired by the report by Guido Vranken in: https://lists.gnupg.org/pipermail/gcrypt-devel/2022-June/005328.html ## Checklist * [x] Commits have `Signed-off-by:` with name/author being identical to the commit author * [ ] Code modified for feature * [ ] Test suite updated with functionality tests * [ ] Test suite updated with negative tests * [ ] Documentation updated / NEWS entry present (for non-trivial changes) * [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout) ## Reviewer's checklist: * [ ] Any issues marked for closing are addressed * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md` * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1602 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Jun 27 09:56:21 2022 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Mon, 27 Jun 2022 07:56:21 +0000 Subject: [gnutls-devel] GnuTLS | cipher: limit plaintext length supplied to AES-GCM (!1603) References: Message-ID: Daiki Ueno created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1603 Project:Branches: dueno/gnutls:wip/dueno/aes-gcm-rekey-limit to gnutls/gnutls:master Author: Daiki Ueno Assignee: Daiki Ueno According to SP800-38D 5.2.1.1, input data length of AES-GCM encryption function must be less than or equals to 2^39-256 bits. ## Checklist * [x] Commits have `Signed-off-by:` with name/author being identical to the commit author * [ ] Code modified for feature * [ ] Test suite updated with functionality tests * [x] Test suite updated with negative tests * [ ] Documentation updated / NEWS entry present (for non-trivial changes) * [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout) ## Reviewer's checklist: * [ ] Any issues marked for closing are addressed * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md` * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1603 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Jun 27 09:56:21 2022 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Mon, 27 Jun 2022 07:56:21 +0000 Subject: [gnutls-devel] GnuTLS | cipher: limit plaintext length supplied to AES-GCM (!1603) In-Reply-To: References: Message-ID: Reassigned merge request 1603 https://gitlab.com/gnutls/gnutls/-/merge_requests/1603 Assignee changed to Daiki Ueno -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1603 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Jun 27 10:47:49 2022 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Mon, 27 Jun 2022 08:47:49 +0000 Subject: [gnutls-devel] GnuTLS | Increase the limit of TLS PSK usernames (!1581) In-Reply-To: References: Message-ID: Merge request https://gitlab.com/gnutls/gnutls/-/merge_requests/1581 was reviewed by Daiki Ueno -- Daiki Ueno started a new discussion on lib/auth/rsa_psk.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1581#note_1006304012 > + if (ret < 0) { > + gnutls_assert(); > + goto cleanup; Maybe you could simply return here as no cleanup is needed? On the other hand, the code below might need to free `info->username` upon failure, or is it handled separately? -- Daiki Ueno started a new discussion on lib/auth/srp_kx.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1581#note_1006304022 > + if (info->username == NULL) > + return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); > + _gnutls_str_cpy(info->username, username_length + 1, priv->username); ```suggestion:-3+0 info->username = gnutls_strdup(priv->username); if (info->username == NULL) return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); ``` -- Daiki Ueno started a new discussion on lib/session_pack.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1581#note_1006304024 > - return GNUTLS_E_INTERNAL_ERROR; > - } > + if (username_size > MAX_USERNAME_SIZE) I'm a bit confused: does this `username_size` account for the terminating NULL or not? If yes shouldn't this condition be `username_size > MAX_USERNAME_SIZE + 1`? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1581 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Jun 27 10:49:16 2022 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Mon, 27 Jun 2022 08:49:16 +0000 Subject: [gnutls-devel] GnuTLS | fips: make service indicator logging louder (!1567) In-Reply-To: References: Message-ID: Reassigned merge request 1567 https://gitlab.com/gnutls/gnutls/-/merge_requests/1567 Assignee changed to Daiki Ueno -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1567 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Jun 27 13:04:56 2022 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Mon, 27 Jun 2022 11:04:56 +0000 Subject: [gnutls-devel] GnuTLS | tries to include on MinGW (#1382) References: Message-ID: Richard W_M_ Jones created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1382 On MinGW builds of nbdkit: ``` In file included from crypto.c:56: /usr/x86_64-w64-mingw32/sys-root/mingw/include/gnutls/socket.h:32:10: fatal error: sys/socket.h: No such file or directory 32 | #include | ^~~~~~~~~~~~~~ ``` This header shouldn't be included if the platform is Win32. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1382 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Jun 28 01:10:02 2022 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Mon, 27 Jun 2022 23:10:02 +0000 Subject: [gnutls-devel] GnuTLS | tries to include on MinGW (#1382) In-Reply-To: References: Message-ID: Daiki Ueno commented: This seems to be included only for `socklen_t` used by `gnutls_transport_set_fastopen`. @rockdaboot do you happen to know any better alternative? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1382#note_1007776002 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Jun 28 04:55:07 2022 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 28 Jun 2022 02:55:07 +0000 Subject: [gnutls-devel] GnuTLS | Minor fixes on KTLS (!1604) References: Message-ID: Daiki Ueno created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1604 Project:Branches: dueno/gnutls:wip/dueno/ktls-fixes to gnutls/gnutls:master Author: Daiki Ueno Assignee: Daiki Ueno Reviewer: Franti?ek Kren?elok This MR contains fixes for running tests with KTLS enabled, namely: - only call setsockopt(TCP_ULP) at the first call to gnutls_handshake, do not clear ktls_enabled flag during the lifetime of the session - do not report GNUTLS_KTLS_SEND if the first setsockopt for read fails - wrap gnutls_ktls test with a script that checks /proc/modules as well as prepares a custom config file that enables KTLS ## Checklist * [x] Commits have `Signed-off-by:` with name/author being identical to the commit author * [ ] Code modified for feature * [ ] Test suite updated with functionality tests * [x] Test suite updated with negative tests * [ ] Documentation updated / NEWS entry present (for non-trivial changes) * [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout) ## Reviewer's checklist: * [ ] Any issues marked for closing are addressed * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md` * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1604 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Jun 28 04:55:06 2022 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 28 Jun 2022 02:55:06 +0000 Subject: [gnutls-devel] GnuTLS | Minor fixes on KTLS (!1604) In-Reply-To: References: Message-ID: Reassigned merge request 1604 https://gitlab.com/gnutls/gnutls/-/merge_requests/1604 Assignee changed to Daiki Ueno -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1604 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Jun 28 04:55:06 2022 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 28 Jun 2022 02:55:06 +0000 Subject: [gnutls-devel] GnuTLS | Minor fixes on KTLS (!1604) In-Reply-To: References: Message-ID: Reviewer changed to Franti?ek Kren?elok -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1604 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Jun 28 09:52:58 2022 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 28 Jun 2022 07:52:58 +0000 Subject: [gnutls-devel] GnuTLS | tries to include on MinGW (#1382) In-Reply-To: References: Message-ID: Richard W_M_ Jones commented: On Windows, defines `socklen_t` as: ``` typedef int socklen_t; ``` BTW on Fedora you can easily try cross-compiling gnutls for Windows, like this: ``` $ sudo dnf builddep mingw64-gnutls $ mingw64-configure --with-included-unistring $ make ``` (The current `configure.ac` requires libev even though it's supposed to be an optional dependency, so I had to chop that out first. This seems like a bug in the configure script.) You can then try compiling test programs using mingw64-gcc. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1382#note_1008172570 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Jun 28 10:19:43 2022 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 28 Jun 2022 08:19:43 +0000 Subject: [gnutls-devel] GnuTLS | Minor fixes on KTLS (!1604) In-Reply-To: References: Message-ID: Merge request https://gitlab.com/gnutls/gnutls/-/merge_requests/1604 was reviewed by Franti?ek Kren?elok -- Franti?ek Kren?elok started a new discussion on lib/handshake.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1604#note_1008212652 > int ret; > > - session->internals.ktls_enabled = 0; I suggest moving this to `gnutls_init(...)` as this is a initialization of the value. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1604 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Jun 28 10:35:19 2022 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 28 Jun 2022 08:35:19 +0000 Subject: [gnutls-devel] GnuTLS | Minor fixes on KTLS (!1604) In-Reply-To: References: Message-ID: Daiki Ueno commented on a discussion on lib/handshake.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1604#note_1008235764 > const version_entry_st *vers = get_version(session); > int ret; > > - session->internals.ktls_enabled = 0; The session structure is created using `gnutls_calloc` in `gnutls_init`, so I don't think we need to explicitly initialize it. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1604#note_1008235764 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Jun 28 10:59:31 2022 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 28 Jun 2022 08:59:31 +0000 Subject: [gnutls-devel] GnuTLS | Minor fixes on KTLS (!1604) In-Reply-To: References: Message-ID: All discussions on merge request !1604 were resolved by Franti?ek Kren?elok https://gitlab.com/gnutls/gnutls/-/merge_requests/1604 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1604 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Jun 28 14:07:25 2022 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 28 Jun 2022 12:07:25 +0000 Subject: [gnutls-devel] GnuTLS | tries to include on MinGW (#1382) In-Reply-To: References: Message-ID: Daiki Ueno commented: We have [that](https://gitlab.com/gnutls/gnutls/-/blob/master/.gitlab-ci.yml#L755) in our CI, but I suppose none of the tests includes on Windows. Regarding socklen_t, perhaps we could expose [`struct sockaddr_storage *`](https://docs.microsoft.com/en-us/previous-versions/windows/desktop/legacy/ms740504(v=vs.85)) instead, without including any system-dependent header. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1382#note_1008824356 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Jun 28 14:25:43 2022 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 28 Jun 2022 12:25:43 +0000 Subject: [gnutls-devel] GnuTLS | fips: make service indicator logging louder (!1567) In-Reply-To: References: Message-ID: Reviewer changed to Alexander Sosedkin -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1567 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Jun 28 14:25:30 2022 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 28 Jun 2022 12:25:30 +0000 Subject: [gnutls-devel] GnuTLS | nettle: restrict output size of HKDF-Expand to 255 * HashLen (!1602) In-Reply-To: References: Message-ID: Reviewer changed to Alexander Sosedkin -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1602 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Jun 28 18:35:08 2022 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 28 Jun 2022 16:35:08 +0000 Subject: [gnutls-devel] GnuTLS | tests/fips-test: minor extension (!1605) References: Message-ID: Alexander Sosedkin created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1605 Project:Branches: asosedkin/gnutls:more-rsa-checks to gnutls/gnutls:master Author: Alexander Sosedkin Assignee: Alexander Sosedkin Expand the test on RSA key sizes and FIPS indicators slightly, won't hurt to have. ## Checklist * [x] Commits have `Signed-off-by:` with name/author being identical to the commit author * [ ] Code modified for feature * [ ] Test suite updated with functionality tests * [ ] Test suite updated with negative tests * [ ] Documentation updated / NEWS entry present (for non-trivial changes) * [x] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout) ## Reviewer's checklist: * [ ] Any issues marked for closing are addressed * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md` * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1605 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Jun 28 18:35:08 2022 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 28 Jun 2022 16:35:08 +0000 Subject: [gnutls-devel] GnuTLS | tests/fips-test: minor extension (!1605) In-Reply-To: References: Message-ID: Reassigned merge request 1605 https://gitlab.com/gnutls/gnutls/-/merge_requests/1605 Assignee changed to Alexander Sosedkin -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1605 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Jun 28 18:44:49 2022 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 28 Jun 2022 16:44:49 +0000 Subject: [gnutls-devel] GnuTLS | nettle: restrict output size of HKDF-Expand to 255 * HashLen (!1602) In-Reply-To: References: Message-ID: Alexander Sosedkin commented: Will this change need a changelog notice? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1602#note_1009293053 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Jun 28 19:05:49 2022 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 28 Jun 2022 17:05:49 +0000 Subject: [gnutls-devel] GnuTLS | fips: make service indicator logging louder (!1567) In-Reply-To: References: Message-ID: Alexander Sosedkin commented: Technically it also stops tracking state `if (mode != GNUTLS_FIPS140_DISABLED)`, so it might make sense to declare that indicators and contexts are not supposed to be used outside of FIPS mode. Realistically, I hope it's not a big deal. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1567#note_1009314112 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Jun 28 19:06:13 2022 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 28 Jun 2022 17:06:13 +0000 Subject: [gnutls-devel] GnuTLS | fips: make service indicator logging louder (!1567) In-Reply-To: References: Message-ID: Merge request !1567 was approved by Alexander Sosedkin Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1567 Project:Branches: dueno/gnutls:wip/dueno/fipscontext-log to gnutls/gnutls:master Author: Daiki Ueno Assignee: Daiki Ueno Reviewer: Alexander Sosedkin -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1567 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Jun 29 08:34:52 2022 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 29 Jun 2022 06:34:52 +0000 Subject: [gnutls-devel] GnuTLS | Draft: tests/fips-test: minor extension (!1605) In-Reply-To: References: Message-ID: Alexander Sosedkin started a new discussion on tests/fips-test.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1605#note_1010088986 > fail("gnutls_privkey_sign_data failed\n"); > } > - gnutls_free(signature.data); > FIPS_POP_CONTEXT(NOT_APPROVED); > > - /* Verify a signature created with SHA-1; approved */ > + /* Verify a signature created with 2432-bit RSA and SHA-1; approved */ > FIPS_PUSH_CONTEXT(); > - ret = gnutls_pubkey_verify_data2(pubkey, GNUTLS_SIGN_RSA_SHA1, 0, &data, > - &rsa2342_sha1_sig); > + ret = gnutls_pubkey_verify_data2(pubkey, GNUTLS_SIGN_RSA_SHA1, 0, > + &data, &rsa2342_sha1_sig); > if (ret < 0) { > fail("gnutls_pubkey_verify_data2 failed\n"); > } > FIPS_POP_CONTEXT(APPROVED); Not affected by this MR, but shouldn't it be unapproved? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1605#note_1010088986 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Jun 29 09:34:58 2022 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 29 Jun 2022 07:34:58 +0000 Subject: [gnutls-devel] GnuTLS | Crash (0xC0000005) when closing application. (#1380) In-Reply-To: References: Message-ID: Bj?rn Christensen commented: Since I am getting a crash in _gnutls_rnd_deinit probably when accessing the rnd_initialized which is declared as threaded. The call stack is from the unload of the DLL. That seems to me to require that the Random module is intialized and deinitized on the same thread? My application is running multiple threads, and I am not quite sure which GnuTLS call actually intialized the Random module. As far as I can see the _gnutls_rnd_init is call on the threads calling gnutls_rnd, but it is very likely that gnutls_rnd have never been called on the thread unloading the dll. Could that be the cause of the crash I am seing? /bhc -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1380#note_1010159715 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Jun 29 10:04:12 2022 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 29 Jun 2022 08:04:12 +0000 Subject: [gnutls-devel] GnuTLS | fips: make service indicator logging louder (!1567) In-Reply-To: References: Message-ID: Alexander Sosedkin commented: Even if we turn context operations into no-ops, we'll still need some doc changes, I'm afraid. For example, `Returns: 0 upon success, a negative error code otherwise` on `gnutls_fips140_*_context` can be considered misleading now. Could be easier to document something like "don't rely on the values outside of FIPS mode". -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1567#note_1010201661 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Jun 29 10:05:13 2022 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 29 Jun 2022 08:05:13 +0000 Subject: [gnutls-devel] GnuTLS | nettle: restrict output size of HKDF-Expand to 255 * HashLen (!1602) In-Reply-To: References: Message-ID: Merge request !1602 was approved by Alexander Sosedkin Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1602 Project:Branches: dueno/gnutls:wip/dueno/hkdf-limit to gnutls/gnutls:master Author: Daiki Ueno Assignee: Daiki Ueno Reviewer: Alexander Sosedkin -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1602 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Jun 29 10:26:44 2022 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 29 Jun 2022 08:26:44 +0000 Subject: [gnutls-devel] GnuTLS | tests/fips-test: minor extension (!1605) In-Reply-To: References: Message-ID: Alexander Sosedkin changed the draft status of merge request !1605 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1605 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Jun 29 10:28:19 2022 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 29 Jun 2022 08:28:19 +0000 Subject: [gnutls-devel] GnuTLS | fips: make service indicator logging louder (!1567) In-Reply-To: References: Message-ID: Alexander Sosedkin commented: Looks OK, prints transitions at level 1. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1567#note_1010238538 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Jun 29 11:02:40 2022 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 29 Jun 2022 09:02:40 +0000 Subject: [gnutls-devel] GnuTLS | nettle: restrict output size of HKDF-Expand to 255 * HashLen (!1602) In-Reply-To: References: Message-ID: Merge request !1602 was scheduled to merge after pipeline succeeds by Daiki Ueno Merge request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1602 Project:Branches: dueno/gnutls:wip/dueno/hkdf-limit to gnutls/gnutls:master Author: Daiki Ueno Assignee: Daiki Ueno Reviewer: Alexander Sosedkin -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1602 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Jun 29 11:03:02 2022 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 29 Jun 2022 09:03:02 +0000 Subject: [gnutls-devel] GnuTLS | fips: make service indicator logging louder (!1567) In-Reply-To: References: Message-ID: Merge request !1567 was scheduled to merge after pipeline succeeds by Daiki Ueno Merge request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1567 Project:Branches: dueno/gnutls:wip/dueno/fipscontext-log to gnutls/gnutls:master Author: Daiki Ueno Assignee: Daiki Ueno Reviewer: Alexander Sosedkin -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1567 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Jun 29 11:03:15 2022 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 29 Jun 2022 09:03:15 +0000 Subject: [gnutls-devel] GnuTLS | fips: make service indicator logging louder (!1567) In-Reply-To: References: Message-ID: Daiki Ueno commented: Thanks for the review! -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1567#note_1010302715 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Jun 29 11:15:41 2022 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 29 Jun 2022 09:15:41 +0000 Subject: [gnutls-devel] GnuTLS | tests/fips-test: minor extension (!1605) In-Reply-To: References: Message-ID: Daiki Ueno commented on a discussion on tests/fips-test.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1605#note_1010323810 > fail("gnutls_privkey_sign_data failed\n"); > } > - gnutls_free(signature.data); > FIPS_POP_CONTEXT(NOT_APPROVED); > > - /* Verify a signature created with SHA-1; approved */ > + /* Verify a signature created with 2432-bit RSA and SHA-1; approved */ > FIPS_PUSH_CONTEXT(); > - ret = gnutls_pubkey_verify_data2(pubkey, GNUTLS_SIGN_RSA_SHA1, 0, &data, > - &rsa2342_sha1_sig); > + ret = gnutls_pubkey_verify_data2(pubkey, GNUTLS_SIGN_RSA_SHA1, 0, > + &data, &rsa2342_sha1_sig); > if (ret < 0) { > fail("gnutls_pubkey_verify_data2 failed\n"); > } > FIPS_POP_CONTEXT(APPROVED); Is this because 2342 is not multiple of 256? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1605#note_1010323810 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Jun 29 11:20:46 2022 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 29 Jun 2022 09:20:46 +0000 Subject: [gnutls-devel] GnuTLS | fips: make service indicator logging louder (!1567) In-Reply-To: References: Message-ID: Merge request !1567 was merged Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1567 Project:Branches: dueno/gnutls:wip/dueno/fipscontext-log to gnutls/gnutls:master Author: Daiki Ueno Assignee: Daiki Ueno Reviewer: Alexander Sosedkin -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1567 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Jun 29 11:22:34 2022 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 29 Jun 2022 09:22:34 +0000 Subject: [gnutls-devel] GnuTLS | tests/fips-test: minor extension (!1605) In-Reply-To: References: Message-ID: Merge request !1605 was approved by Daiki Ueno Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1605 Project:Branches: asosedkin/gnutls:more-rsa-checks to gnutls/gnutls:master Author: Alexander Sosedkin Assignee: Alexander Sosedkin Reviewers: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1605 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Jun 29 12:25:09 2022 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 29 Jun 2022 10:25:09 +0000 Subject: [gnutls-devel] GnuTLS | tests/fips-test: minor extension (!1605) In-Reply-To: References: Message-ID: Alexander Sosedkin commented on a discussion on tests/fips-test.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1605#note_1010434382 > fail("gnutls_privkey_sign_data failed\n"); > } > - gnutls_free(signature.data); > FIPS_POP_CONTEXT(NOT_APPROVED); > > - /* Verify a signature created with SHA-1; approved */ > + /* Verify a signature created with 2432-bit RSA and SHA-1; approved */ > FIPS_PUSH_CONTEXT(); > - ret = gnutls_pubkey_verify_data2(pubkey, GNUTLS_SIGN_RSA_SHA1, 0, &data, > - &rsa2342_sha1_sig); > + ret = gnutls_pubkey_verify_data2(pubkey, GNUTLS_SIGN_RSA_SHA1, 0, > + &data, &rsa2342_sha1_sig); > if (ret < 0) { > fail("gnutls_pubkey_verify_data2 failed\n"); > } > FIPS_POP_CONTEXT(APPROVED); Because SHA-1 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1605#note_1010434382 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Jun 29 13:45:26 2022 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 29 Jun 2022 11:45:26 +0000 Subject: [gnutls-devel] GnuTLS | nettle: restrict output size of HKDF-Expand to 255 * HashLen (!1602) In-Reply-To: References: Message-ID: Merge request !1602 was merged Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1602 Project:Branches: dueno/gnutls:wip/dueno/hkdf-limit to gnutls/gnutls:master Author: Daiki Ueno Assignee: Daiki Ueno Reviewer: Alexander Sosedkin -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1602 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Jun 30 08:32:42 2022 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Thu, 30 Jun 2022 06:32:42 +0000 Subject: [gnutls-devel] GnuTLS | Minor fixes on KTLS (!1604) In-Reply-To: References: Message-ID: Franti?ek Kren?elok commented: Looks good, Thanks! -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1604#note_1011522718 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Jun 30 08:32:47 2022 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Thu, 30 Jun 2022 06:32:47 +0000 Subject: [gnutls-devel] GnuTLS | Minor fixes on KTLS (!1604) In-Reply-To: References: Message-ID: Merge request !1604 was approved by Franti?ek Kren?elok Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1604 Project:Branches: dueno/gnutls:wip/dueno/ktls-fixes to gnutls/gnutls:master Author: Daiki Ueno Assignee: Daiki Ueno Reviewer: Franti?ek Kren?elok -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1604 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Jun 30 12:19:28 2022 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Thu, 30 Jun 2022 10:19:28 +0000 Subject: [gnutls-devel] GnuTLS | Minor fixes on KTLS (!1604) In-Reply-To: References: Message-ID: Merge request !1604 was merged Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1604 Project:Branches: dueno/gnutls:wip/dueno/ktls-fixes to gnutls/gnutls:master Author: Daiki Ueno Assignee: Daiki Ueno Reviewer: Franti?ek Kren?elok -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1604 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Jun 30 12:19:34 2022 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Thu, 30 Jun 2022 10:19:34 +0000 Subject: [gnutls-devel] GnuTLS | Minor fixes on KTLS (!1604) In-Reply-To: References: Message-ID: Daiki Ueno commented: Thanks for the review! -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1604#note_1011852861 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Jun 30 15:57:01 2022 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Thu, 30 Jun 2022 13:57:01 +0000 Subject: [gnutls-devel] GnuTLS | Suppress compile time warnings on Fedora 36 (!1606) References: Message-ID: Daiki Ueno created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1606 Project:Branches: dueno/gnutls:wip/dueno/minor-f36 to gnutls/gnutls:master Author: Daiki Ueno .. ## Checklist * [x] Commits have `Signed-off-by:` with name/author being identical to the commit author * [ ] Code modified for feature * [ ] Test suite updated with functionality tests * [ ] Test suite updated with negative tests * [ ] Documentation updated / NEWS entry present (for non-trivial changes) * [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout) ## Reviewer's checklist: * [ ] Any issues marked for closing are addressed * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md` * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1606 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Jun 30 16:01:56 2022 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Thu, 30 Jun 2022 14:01:56 +0000 Subject: [gnutls-devel] GnuTLS | tests/fips-test: minor extension (!1605) In-Reply-To: References: Message-ID: Daiki Ueno commented on a discussion on tests/fips-test.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1605#note_1012163291 > fail("gnutls_privkey_sign_data failed\n"); > } > - gnutls_free(signature.data); > FIPS_POP_CONTEXT(NOT_APPROVED); > > - /* Verify a signature created with SHA-1; approved */ > + /* Verify a signature created with 2432-bit RSA and SHA-1; approved */ > FIPS_PUSH_CONTEXT(); > - ret = gnutls_pubkey_verify_data2(pubkey, GNUTLS_SIGN_RSA_SHA1, 0, &data, > - &rsa2342_sha1_sig); > + ret = gnutls_pubkey_verify_data2(pubkey, GNUTLS_SIGN_RSA_SHA1, 0, > + &data, &rsa2342_sha1_sig); > if (ret < 0) { > fail("gnutls_pubkey_verify_data2 failed\n"); > } > FIPS_POP_CONTEXT(APPROVED); My understanding is that SHA-1 is still allowed in SigVer in legacy mode. Should we change it to non-approved? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1605#note_1012163291 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Jun 30 16:12:04 2022 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Thu, 30 Jun 2022 14:12:04 +0000 Subject: [gnutls-devel] GnuTLS | tests/fips-test: minor extension (!1605) In-Reply-To: References: Message-ID: All discussions on merge request !1605 were resolved by Alexander Sosedkin https://gitlab.com/gnutls/gnutls/-/merge_requests/1605 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1605 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Jun 30 16:12:04 2022 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Thu, 30 Jun 2022 14:12:04 +0000 Subject: [gnutls-devel] GnuTLS | tests/fips-test: minor extension (!1605) In-Reply-To: References: Message-ID: Alexander Sosedkin commented on a discussion on tests/fips-test.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1605#note_1012179600 > fail("gnutls_privkey_sign_data failed\n"); > } > - gnutls_free(signature.data); > FIPS_POP_CONTEXT(NOT_APPROVED); > > - /* Verify a signature created with SHA-1; approved */ > + /* Verify a signature created with 2432-bit RSA and SHA-1; approved */ > FIPS_PUSH_CONTEXT(); > - ret = gnutls_pubkey_verify_data2(pubkey, GNUTLS_SIGN_RSA_SHA1, 0, &data, > - &rsa2342_sha1_sig); > + ret = gnutls_pubkey_verify_data2(pubkey, GNUTLS_SIGN_RSA_SHA1, 0, > + &data, &rsa2342_sha1_sig); > if (ret < 0) { > fail("gnutls_pubkey_verify_data2 failed\n"); > } > FIPS_POP_CONTEXT(APPROVED); Yes, [guess it still is](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf). -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1605#note_1012179600 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Jun 30 18:25:37 2022 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Thu, 30 Jun 2022 16:25:37 +0000 Subject: [gnutls-devel] GnuTLS | Draft: Add self-test code inside a FIPS context (!1607) References: Message-ID: Richard Costa created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1607 Project:Branches: richard.costa/gnutls:master to gnutls/gnutls:master Author: Richard Costa Commit 036fb360 adds a self-test that executes outside of FIPS context. This messes with the FIPS FSM if executed just after a crypto operation which depends on the FIPS FSM. So a new context was added so the self tests can execute safely. In case one of the self tests fail, then the whole lib is moved to an error state, so FIPS FSM doesn't matter anymore. ## Checklist * [x] Commits have `Signed-off-by:` with name/author being identical to the commit author * [x] Code modified for feature * [x] Test suite updated with functionality tests * [ ] Test suite updated with negative tests * [ ] Documentation updated / NEWS entry present (for non-trivial changes) * [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout) ## Reviewer's checklist: * [ ] Any issues marked for closing are addressed * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md` * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1607 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: