From gnutls-devel at lists.gnutls.org Thu Sep 1 08:11:20 2022
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Thu, 01 Sep 2022 06:11:20 +0000
Subject: [gnutls-devel] GnuTLS | accelerated: clear AVX bits if it cannot be queried through XSAVE (!1631)

Gregor Jasny commented:

Thank you for the fix. I verified that it works as expected:

**before:**

```
$ git rev-parse HEAD
c683f775415bfac29e71032ee03a4dd44b4e9551
$ src/gnutls-cli github.com:443
Processed 127 CA certificate(s).
Resolving 'github.com:443'...
Connecting to '140.82.121.4:443'...
Illegal instruction (core dumped)
```

**after:**

```
git rev-parse HEAD
9bf62ca7952c126df8f1befc5c42c4bd9105011d
$ src/gnutls-cli github.com:443
Processed 127 CA certificate(s).
Resolving 'github.com:443'...
Connecting to '140.82.121.3:443'...
- Certificate type: X.509
- Got a certificate list of 2 certificates.
```

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1631#note_1084745590
You're receiving this email because of your account on gitlab.com.

From gnutls-devel at lists.gnutls.org Thu Sep 1 08:15:05 2022
Date: Thu, 01 Sep 2022 06:15:05 +0000
Subject: [gnutls-devel] GnuTLS | accelerated: clear AVX bits if it cannot be queried through XSAVE (!1631)

Gregor Jasny commented:

Now that the bug is fixed I'd like to get a patch into the Ubuntu 22.04 [package](https://packages.ubuntu.com/jammy/gnutls-bin). It is based on the `3.7.3` release. Which patches would I need? Is it just bc7f67c46736486426ba1bd22a52a67bd58beee5 ?
Thanks, Gregor

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1631#note_1084749650

From gnutls-devel at lists.gnutls.org Thu Sep 1 08:27:47 2022
Date: Thu, 01 Sep 2022 06:27:47 +0000
Subject: [gnutls-devel] GnuTLS | WIP: KTLS key update support (!1625)

Daiki Ueno commented on a discussion on tests/gnutls_ktls_keyupdate.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1625#note_1084760056

> + goto end;\
> + }\
> +}
> +
> +
> +static void server_log_func(int level, const char *str)
> +{
> + fprintf(stderr, "server|<%d>| %s", level, str);
> +}
> +
> +static void client_log_func(int level, const char *str)
> +{
> + fprintf(stderr, "client|<%d>| %s", level, str);
> +}
> +
> +sem_t mutex_client;

Sorry, I was wrong on that: POSIX semaphores can also be used for synchronizing processes, though it requires some special setup when initializing them with `sem_init`, which is not currently in place:

> If pshared is nonzero, then the semaphore is shared between processes,
> and should be located in a region of shared memory (see shm_open(3),
> mmap(2), and shmget(2)).

Or you could simply use `sem_open`.

While I suggested using pipes, since our KTLS support only works on Linux, I guess it would also be acceptable to use POSIX semaphores, if you prefer. We would just need a configure check for that.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1625#note_1084760056
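Review bot: `sem_t mutex_client` at the end of the tests/gnutls_ktls_keyupdate.c hunk is a file-scope unnamed semaphore and nothing in the visible lines initialises it; if the test runs the client and the server in separate processes, as the split `server_log_func`/`client_log_func` suggest, a `sem_init` with pshared == 0 gives each process its own private copy after fork(), so a `sem_post` on one side is never seen by the `sem_wait` on the other and the test hangs. Either place the semaphore in shared memory with pshared != 0 (or switch to `sem_open`), or replace it with a pipe as discussed; whichever stays needs the matching configure check.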
From gnutls-devel at lists.gnutls.org Thu Sep 1 08:30:29 2022
Date: Thu, 01 Sep 2022 06:30:29 +0000
Subject: [gnutls-devel] GnuTLS | accelerated: clear AVX bits if it cannot be queried through XSAVE (!1631)

Daiki Ueno commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/1631#note_1084762091

> Which patches would I need? Is it just bc7f67c4 ?

Yes, I think so; as the previous patch was already included in 3.7.3.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1631#note_1084762091

From gnutls-devel at lists.gnutls.org Thu Sep 1 09:32:54 2022
Date: Thu, 01 Sep 2022 07:32:54 +0000
Subject: [gnutls-devel] web-pages | Wrong issue linked in GNUTLS-SA-2022-07-07 (#4)

Rolf Eike Beer created an issue: https://gitlab.com/gnutls/web-pages/-/issues/4

The text of GNUTLS-SA-2022-07-07 says "reported in the issue tracker as #1383", but that issue does not exist. 1383 is a merge request that seems unrelated, did you mean 1387? Is this the same issue as described in [CVE-2022-2509](https://nvd.nist.gov/vuln/detail/CVE-2022-2509)?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/web-pages/-/issues/4
From gnutls-devel at lists.gnutls.org Thu Sep 1 10:00:46 2022
Date: Thu, 01 Sep 2022 08:00:46 +0000
Subject: [gnutls-devel] GnuTLS | WIP: KTLS key update support (!1625)

František Krenželok commented on a discussion on tests/gnutls_ktls_keyupdate.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1625#note_1084861790

> + goto end;\
> + }\
> +}
> +
> +
> +static void server_log_func(int level, const char *str)
> +{
> + fprintf(stderr, "server|<%d>| %s", level, str);
> +}
> +
> +static void client_log_func(int level, const char *str)
> +{
> + fprintf(stderr, "client|<%d>| %s", level, str);
> +}
> +
> +sem_t mutex_client;

I will go with pipes.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1625#note_1084861790

From gnutls-devel at lists.gnutls.org Fri Sep 2 08:12:02 2022
Date: Fri, 02 Sep 2022 06:12:02 +0000
Subject: [gnutls-devel] web-pages | Wrong issue linked in GNUTLS-SA-2022-07-07 (#4)

Zoltán Fridrich commented:

As it was a security issue, it was originally made confidential. I have made the issue #1383 public now that it has been fixed.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/web-pages/-/issues/4#note_1086041650
From gnutls-devel at lists.gnutls.org Fri Sep 2 08:12:03 2022
Date: Fri, 02 Sep 2022 06:12:03 +0000
Subject: [gnutls-devel] web-pages | Wrong issue linked in GNUTLS-SA-2022-07-07 (#4)

Issue was closed by Zoltán Fridrich

Issue #4: https://gitlab.com/gnutls/web-pages/-/issues/4

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/web-pages/-/issues/4

From gnutls-devel at lists.gnutls.org Fri Sep 2 10:44:18 2022
Date: Fri, 02 Sep 2022 08:44:18 +0000
Subject: [gnutls-devel] GnuTLS | RFC 9266: Channel Bindings for TLS 1.3 support (#1391)

Milestone changed to Release of GnuTLS 3.7.8 (Jul 15, 2022 – Sep 15, 2022) ( https://gitlab.com/gnutls/gnutls/-/milestones/37 )

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1391
From gnutls-devel at lists.gnutls.org Fri Sep 2 10:45:00 2022
Date: Fri, 02 Sep 2022 08:45:00 +0000
Subject: [gnutls-devel] GnuTLS | report system config file location in gnutls-cli (#1399)

Milestone changed to Release of GnuTLS 3.7.8 (Jul 15, 2022 – Sep 15, 2022) ( https://gitlab.com/gnutls/gnutls/-/milestones/37 )

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1399

From gnutls-devel at lists.gnutls.org Fri Sep 2 10:45:32 2022
Date: Fri, 02 Sep 2022 08:45:32 +0000
Subject: [gnutls-devel] GnuTLS | nettle's gnutls_crypto_init() causes segfault in unrelated gmp code during static destructors (#1398)

Milestone changed to Release of GnuTLS 3.7.8 (Jul 15, 2022 – Sep 15, 2022) ( https://gitlab.com/gnutls/gnutls/-/milestones/37 )

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1398
From gnutls-devel at lists.gnutls.org Fri Sep 2 10:47:11 2022
Date: Fri, 02 Sep 2022 08:47:11 +0000
Subject: [gnutls-devel] GnuTLS | accelerated: clear AVX bits if it cannot be queried through XSAVE (!1631)

Milestone changed to Release of GnuTLS 3.7.8 (Jul 15, 2022 – Sep 15, 2022) ( https://gitlab.com/gnutls/gnutls/-/milestones/37 )

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1631

From gnutls-devel at lists.gnutls.org Fri Sep 2 10:47:24 2022
Date: Fri, 02 Sep 2022 08:47:24 +0000
Subject: [gnutls-devel] GnuTLS | cipher: Ensure correct alignment (!1633)

Milestone changed to Release of GnuTLS 3.7.8 (Jul 15, 2022 – Sep 15, 2022) ( https://gitlab.com/gnutls/gnutls/-/milestones/37 )

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1633

From gnutls-devel at lists.gnutls.org Fri Sep 2 11:38:38 2022
Date: Fri, 02 Sep 2022 09:38:38 +0000
Subject: [gnutls-devel] GnuTLS | Doc fix about version numbers. (!1638)

Simon Josefsson created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1638

Project:Branches: jas/gnutls:jas/releases-follow-semver to gnutls/gnutls:master
Author: Simon Josefsson

Add a description of the new feature/bug fix.
Reference any relevant bugs.

## Checklist

* [ ] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [ ] Code modified for feature
* [ ] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
* [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:

* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1638

From gnutls-devel at lists.gnutls.org Fri Sep 2 12:49:20 2022
Date: Fri, 02 Sep 2022 10:49:20 +0000
Subject: [gnutls-devel] GnuTLS | Make gnutlsxx header-only library (#1381)

Milestone changed to Release of GnuTLS 3.8.0 ( https://gitlab.com/gnutls/gnutls/-/milestones/30 )

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1381
From gnutls-devel at lists.gnutls.org Fri Sep 2 12:50:18 2022
Date: Fri, 02 Sep 2022 10:50:18 +0000
Subject: [gnutls-devel] GnuTLS | Support external PSK importer (#1355)

Milestone changed to Release of GnuTLS 3.8.0 ( https://gitlab.com/gnutls/gnutls/-/milestones/30 )

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1355

From gnutls-devel at lists.gnutls.org Fri Sep 2 12:50:53 2022
Date: Fri, 02 Sep 2022 10:50:53 +0000
Subject: [gnutls-devel] GnuTLS | Support external PSK importer (#1355)

Daiki Ueno commented:

I guess this would be a dependency of #680.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1355#note_1086378857

From gnutls-devel at lists.gnutls.org Mon Sep 5 14:03:04 2022
Date: Mon, 05 Sep 2022 12:03:04 +0000
Subject: [gnutls-devel] GnuTLS | WIP: KTLS key update support (!1625)

All discussions on merge request !1625 were resolved by František Krenželok

https://gitlab.com/gnutls/gnutls/-/merge_requests/1625

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1625
From gnutls-devel at lists.gnutls.org Thu Sep 8 07:34:52 2022
Date: Thu, 08 Sep 2022 05:34:52 +0000
Subject: [gnutls-devel] GnuTLS | WIP: KTLS key update support (!1625)

Daiki Ueno started a new discussion on lib/tls13/key_update.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1625#note_1092218972

> #include "mem.h"
> #include "mbuffers.h"
> #include "secrets.h"
> +#include "system/ktls.h"
>
> #define KEY_UPDATES_WINDOW 1000
> #define KEY_UPDATES_PER_WINDOW 8
>
> +/*
> + * Sets kTLS keys if enabled.
> + * If this operation fails with GNUTLS_E_INTERNAL_ERROR, KTLS is dissabled
> + * becaose KTLS most likely doesn't support key update.
> + */

There are a couple of typos: dissabled → disabled, becaose → because.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1625#note_1092218972

From gnutls-devel at lists.gnutls.org Thu Sep 8 17:47:08 2022
Date: Thu, 08 Sep 2022 15:47:08 +0000
Subject: [gnutls-devel] GnuTLS | _gnutls_rnd_init allocates memory per thread but does not seem to deallocate it (#1401)

Pedro Marzo created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1401

## Description of problem:

Implementing an https server with the libmicrohttpd library, using a different thread for each https connection, results in a slow but steady increase in memory usage as TLS sessions are opened and closed. libmicrohttpd uses gnutls to implement the TLS layer.
Using the valgrind massif tool, it seems the problem is in _gnutls_rnd_init, which calls wrap_nettle_rnd_init, which does a calloc for the random context. These callocs seem never to be freed, as _gnutls_rnd_init allocates memory for each thread but seems not to deallocate it when the thread ends, or at least I cannot see a way of doing that deallocation per thread. These contexts are stored in variables defined per thread, so as the number of threads using gnutls increases, the number of allocated contexts grows.

```c
static _Thread_local void *gnutls_rnd_ctx;
static _Thread_local unsigned rnd_initialized = 0;
```

All contexts are deallocated when the program finally calls _gnutls_rnd_deinit, but that is only called by _gnutls_global_deinit, so libmicrohttpd never seems to call it because the https server never ends. Maybe it is not a bug in gnutls but in libmicrohttpd, but I see no way to free the random context associated with a particular thread in the gnutls library.

## Version of gnutls used:

3.6.14

## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)

Ubuntu

## How reproducible:

Launch a libmicrohttpd daemon running on https with the flag MHD_USE_THREAD_PER_CONNECTION. Using a script with curl, perform https requests to the server. Memory starts growing with each new thread created and destroyed by the libmicrohttpd library.

## Actual results:

Memory usage increments due to the wrap_nettle_rnd_init calloc; I attach the massif image

![memoryusage](/uploads/ad315bd1d60400826c9a96d6da2af10b/memoryusage.png)

## Expected results:

Memory usage should not grow.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1401
From gnutls-devel at lists.gnutls.org Fri Sep 9 12:53:21 2022
Date: Fri, 09 Sep 2022 10:53:21 +0000
Subject: [gnutls-devel] GnuTLS | _gnutls_rnd_init allocates memory per thread but does not seem to deallocate it (#1401)

Ryan Hope commented:

Ran into the same issue after some investigating: https://bugs.gnunet.org/view.php?id=7308. I did a quick hack to fix it but they suggested a better fix.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1401#note_1094542923

From gnutls-devel at lists.gnutls.org Fri Sep 9 13:29:33 2022
Date: Fri, 09 Sep 2022 11:29:33 +0000
Subject: [gnutls-devel] GnuTLS | _gnutls_rnd_init allocates memory per thread but does not seem to deallocate it (#1401)

Pedro Marzo commented:

Yes, it is exactly the same bug. I managed to avoid it using the MHD_USE_EPOLL_INTERNAL_THREAD instead of the MHD_USE_THREAD_PER_CONNECTION mode in libmicrohttpd, but I guess a fix should be implemented in gnutls. The pthread_key_create solution proposed seems great; do you know if it has been implemented?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1401#note_1094598246
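The leak in #1401 and the `pthread_key_create` fix discussed above, as an added stand-alone example (not GnuTLS or Nettle code; `rnd_ctx`, `rnd_init_leaky`, `rnd_init_keyed` and `leaked_after_connections` are hypothetical names). It runs the thread-per-connection pattern with both a `_Thread_local` pointer and a pthread key whose destructor frees the context at thread exit, and counts the heap blocks that survive.

```c
/* Added example, not GnuTLS code: per-thread RNG context with and without a
 * pthread_key_create() destructor. Names below are hypothetical. */
#include <pthread.h>
#include <stdatomic.h>
#include <stdlib.h>
#include <string.h>

struct rnd_ctx {
	unsigned char state[32]; /* stands in for the DRBG state nettle would hold */
	unsigned long draws;
};

/* Heap contexts currently allocated, across all threads, so the leak is visible. */
static atomic_long live_contexts;

/* --- Pattern A: _Thread_local pointer, as in the reported 3.6.14 code. ---
 * The TLS slot disappears with the thread; the calloc'd block it points to does not. */
static _Thread_local struct rnd_ctx *leaky_ctx;

static struct rnd_ctx *rnd_init_leaky(void)
{
	if (leaky_ctx == NULL) {
		leaky_ctx = calloc(1, sizeof *leaky_ctx);
		if (leaky_ctx != NULL)
			atomic_fetch_add(&live_contexts, 1);
	}
	return leaky_ctx;
}

/* --- Pattern B: pthread key with a destructor, the fix proposed in the thread. --- */
static pthread_key_t rnd_key;
static pthread_once_t rnd_key_once = PTHREAD_ONCE_INIT;

/* Called by the runtime, in the exiting thread, for every thread that set the key. */
static void rnd_ctx_destroy(void *p)
{
	struct rnd_ctx *ctx = p;
	/* Scrub before release: DRBG state is secret material. A production wipe
	 * should use an explicit_bzero-style call the compiler cannot drop. */
	memset(ctx, 0, sizeof *ctx);
	free(ctx);
	atomic_fetch_sub(&live_contexts, 1);
}

static void rnd_key_create(void)
{
	pthread_key_create(&rnd_key, rnd_ctx_destroy);
}

static struct rnd_ctx *rnd_init_keyed(void)
{
	struct rnd_ctx *ctx;

	pthread_once(&rnd_key_once, rnd_key_create);
	ctx = pthread_getspecific(rnd_key);
	if (ctx == NULL) {
		ctx = calloc(1, sizeof *ctx);
		if (ctx == NULL)
			return NULL;
		if (pthread_setspecific(rnd_key, ctx) != 0) {
			free(ctx);
			return NULL;
		}
		atomic_fetch_add(&live_contexts, 1);
	}
	return ctx;
}

/* One "connection thread": initialise the RNG, draw from it, exit. */
static void *connection_thread(void *arg)
{
	int keyed = *(int *)arg;
	struct rnd_ctx *ctx = keyed ? rnd_init_keyed() : rnd_init_leaky();

	if (ctx != NULL)
		ctx->draws++;
	return NULL; /* thread exit: key destructors run here; _Thread_local vars just vanish */
}

/* Simulate n connections handled thread-per-connection style, each joined in turn.
 * Returns how many contexts allocated during the run are still live afterwards. */
long leaked_after_connections(int n, int keyed)
{
	long before = atomic_load(&live_contexts);

	for (int i = 0; i < n; i++) {
		pthread_t t;
		if (pthread_create(&t, NULL, connection_thread, &keyed) != 0)
			break;
		pthread_join(t, NULL);
	}
	return atomic_load(&live_contexts) - before;
}
```

With the keyed variant the destructor runs as each thread terminates, so nothing accumulates no matter how many connection threads the server creates; the `_Thread_local` variant leaves one context per thread until a global deinit that a long-running server never reaches.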
From gnutls-devel at lists.gnutls.org Fri Sep 9 13:36:46 2022
Date: Fri, 09 Sep 2022 11:36:46 +0000
Subject: [gnutls-devel] GnuTLS | Report system config file location via gnutls-cli (!1639)

Reassigned merge request 1639 https://gitlab.com/gnutls/gnutls/-/merge_requests/1639

Assignee changed to Zoltán Fridrich

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1639

From gnutls-devel at lists.gnutls.org Fri Sep 9 13:36:47 2022
Date: Fri, 09 Sep 2022 11:36:47 +0000
Subject: [gnutls-devel] GnuTLS | Report system config file location via gnutls-cli (!1639)

Zoltán Fridrich created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1639

Project:Branches: ZoltanFridrich/gnutls:zfridric_devel to gnutls/gnutls:master
Author: Zoltán Fridrich
Assignee: Zoltán Fridrich
Reviewer: Daiki Ueno

1. Adds the default system config file location to the output of `gnutls-cli --list-config` command
2. Adds `--system-config-file` option to gnutls-cli to print the active system config file

Closes #1399

## Checklist

* [ ] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [ ] Code modified for feature
* [ ] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
* [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:

* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1639

From gnutls-devel at lists.gnutls.org Fri Sep 9 13:36:45 2022
Date: Fri, 09 Sep 2022 11:36:45 +0000
Subject: [gnutls-devel] GnuTLS | Report system config file location via gnutls-cli (!1639)

Reviewer changed to Daiki Ueno

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1639
From gnutls-devel at lists.gnutls.org Fri Sep 9 13:43:11 2022
Date: Fri, 09 Sep 2022 11:43:11 +0000
Subject: [gnutls-devel] GnuTLS | doc: mention GNUTLS_CB_TLS_EXPORTER (!1636)

Reviewer changed from Zoltán Fridrich to Unassigned

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1636

From gnutls-devel at lists.gnutls.org Fri Sep 9 13:57:14 2022
Date: Fri, 09 Sep 2022 11:57:14 +0000
Subject: [gnutls-devel] GnuTLS | Report system config file location via gnutls-cli (!1639)

Merge request https://gitlab.com/gnutls/gnutls/-/merge_requests/1639 was reviewed by Daiki Ueno

--

Daiki Ueno started a new discussion on src/gnutls-cli-options.json: https://gitlab.com/gnutls/gnutls/-/merge_requests/1639#note_1094644397

> },
> + {
> + "long-option": "system-config-file",

Can't we consolidate this option to `--list-config`?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1639
From gnutls-devel at lists.gnutls.org Fri Sep 9 14:03:17 2022
Date: Fri, 09 Sep 2022 12:03:17 +0000
Subject: [gnutls-devel] GnuTLS | _gnutls_rnd_init allocates memory per thread but does not seem to deallocate it (#1401)

Ryan Hope commented on a discussion: https://gitlab.com/gnutls/gnutls/-/issues/1401#note_1094655843

I do not think it has been implemented yet.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1401#note_1094655843

From gnutls-devel at lists.gnutls.org Fri Sep 9 14:11:02 2022
Date: Fri, 09 Sep 2022 12:11:02 +0000
Subject: [gnutls-devel] GnuTLS | Report system config file location via gnutls-cli (!1639)

Zoltán Fridrich commented on a discussion on src/gnutls-cli-options.json: https://gitlab.com/gnutls/gnutls/-/merge_requests/1639#note_1094670495

> "long-option": "list-config",
> "description": "Reports the configuration of the library"
> },
> + {
> + "long-option": "system-config-file",

We can. I was just not sure if we want to call it a "list" as it only prints one entry.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1639#note_1094670495
From gnutls-devel at lists.gnutls.org Fri Sep 9 14:15:11 2022
Date: Fri, 09 Sep 2022 12:15:11 +0000
Subject: [gnutls-devel] GnuTLS | Report system config file location via gnutls-cli (!1639)

Zoltán Fridrich commented on a discussion on src/gnutls-cli-options.json: https://gitlab.com/gnutls/gnutls/-/merge_requests/1639#note_1094679420

> "long-option": "list-config",
> "description": "Reports the configuration of the library"
> },
> + {
> + "long-option": "system-config-file",

Right, you mean to include the active system config location in the list-config option.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1639#note_1094679420

From gnutls-devel at lists.gnutls.org Fri Sep 9 14:41:43 2022
Date: Fri, 09 Sep 2022 12:41:43 +0000
Subject: [gnutls-devel] GnuTLS | Report system config file location via gnutls-cli (!1639)

All discussions on merge request !1639 were resolved by Zoltán Fridrich

https://gitlab.com/gnutls/gnutls/-/merge_requests/1639

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1639
From gnutls-devel at lists.gnutls.org Fri Sep 9 23:24:25 2022
Date: Fri, 09 Sep 2022 21:24:25 +0000
Subject: [gnutls-devel] GnuTLS | _gnutls_rnd_init allocates memory per thread but does not seem to deallocate it (#1401)

Daiki Ueno commented on a discussion: https://gitlab.com/gnutls/gnutls/-/issues/1401#note_1095498137

I agree. There is a gnulib [wrapper](https://www.gnu.org/software/gnulib/MODULES.html#module=tls) around `pthread_key_create` and `tss_create`, which could be used to fix this.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1401#note_1095498137

From gnutls-devel at lists.gnutls.org Sat Sep 10 01:24:54 2022
Date: Fri, 09 Sep 2022 23:24:54 +0000
Subject: [gnutls-devel] GnuTLS | Report system config file location via gnutls-cli (!1639)

Merge request https://gitlab.com/gnutls/gnutls/-/merge_requests/1639 was reviewed by Daiki Ueno

--

Daiki Ueno started a new discussion on lib/global.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1639#note_1095547149

> *
> - * Returns: a NUL-terminated %gnutls_library_config_st array
> + * Returns: a NULL-terminated %gnutls_library_config_st array

nit: it's not a typo https://en.wikipedia.org/wiki/Null_character

--

Daiki Ueno started a new discussion on lib/global.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1639#note_1095547152

> + while (strcmp(_gnutls_library_config[i].name, "system-config"))
> + ++i;
> + _gnutls_library_config[i].value = gnutls_get_system_config_file();

Instead of introducing a side-effect, I would rather put the logic in src/cli.c, something like:

```c
if (HAVE_OPT(LIST_CONFIG)) {
	const gnutls_library_config_st *p;
	for (p = gnutls_get_library_config(); p->name; p++) {
		log_msg(stdout, "%s: %s\n", p->name, p->value);
	}
	log_msg(stdout, "system-config: %s\n", gnutls_get_system_config_file());
	exit(0);
}
```

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1639

From gnutls-devel at lists.gnutls.org Sat Sep 10 20:41:06 2022
Date: Sat, 10 Sep 2022 18:41:06 +0000
Subject: [gnutls-devel] GnuTLS | gnutls_pubkey_encrypt_data throws encryption error when passing an input with same size as the key. (#1402)

Santino Mazza created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1402

## Description of problem:

I'm trying to encrypt an input with a public RSA key without adding any padding, but when I put in an input that has the same size as the key it just returns an encryption error.

## Version of gnutls used:

3.7.3

## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)

Ubuntu

## How reproducible:

Steps to Reproduce:

* Create a public RSA key with 512 bitlen (or any other)
* Create a buffer of 64 bytes (512 bits)
* Encrypt the buffer using the RSA key with gnutls_pubkey_encrypt_data

## Actual results:

gnutls_pubkey_encrypt_data returns encryption error

## Expected results:

gnutls_pubkey_encrypt_data should encrypt the data correctly

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1402
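Review bot: in the lib/global.c hunk of !1639 quoted above (note_1095547152), the loop `while (strcmp(_gnutls_library_config[i].name, "system-config")) ++i;` has no termination guard. The array is documented in the neighbouring hunk as NULL-terminated, so if no entry named "system-config" is present the loop reaches the terminator and hands a NULL `name` to `strcmp`, which is undefined behaviour and a crash in practice. If the entry is kept in the table, add `_gnutls_library_config[i].name != NULL &&` to the condition and handle the not-found case; the src/cli.c variant suggested above avoids the hazard entirely and also leaves `gnutls_get_library_config()` free of side effects for other callers.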
From gnutls-devel at lists.gnutls.org Sun Sep 11 09:20:53 2022
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sun, 11 Sep 2022 07:20:53 +0000
Subject: [gnutls-devel] GnuTLS | gnutls_pubkey_encrypt_data throws encryption error when passing an input with same size as the key. (#1402)

Daiki Ueno commented:

I would say the behavior is expected, while it might be under-documented. RSA encryption exposed from GnuTLS is RSAES-PKCS1-v1_5, which requires that the maximum plaintext length is the key length minus 11 bytes (see step 1 at https://www.rfc-editor.org/rfc/rfc8017#section-7.2.1).

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1402#note_1095895895

From gnutls-devel at lists.gnutls.org Sun Sep 11 18:46:40 2022
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sun, 11 Sep 2022 16:46:40 +0000
Subject: [gnutls-devel] GnuTLS | gnutls_pubkey_encrypt_data throws encryption error when passing an input with same size as the key. (#1402)

Santino Mazza commented:

Ohh, didn't know about that. And is there some plan to add a flag to the function so you can pick the type of padding you want? Like no padding, PKCS or OAEP.

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1402#note_1096036387
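The "key length minus 11 bytes" rule from the #1402 thread, worked through as an added example. This is not GnuTLS code and not the reporter's program: it implements only the EME-PKCS1-v1_5 encoding and decoding steps of RFC 8017 sections 7.2.1 and 7.2.2 (the modular exponentiation is left out), reads padding bytes from `/dev/urandom`, and uses a constructed 53-octet message against a 64-octet (512-bit) modulus to show why a 64-octet input is rejected. The function and constant names are the example's own.

```c
/* Added example, not GnuTLS code: the EME-PKCS1-v1_5 length rule from
 * RFC 8017 section 7.2.1.  The encoded block is
 *     0x00 || 0x02 || PS || 0x00 || M
 * where PS holds at least 8 non-zero random octets, so a k-octet modulus
 * carries at most k - 11 octets of plaintext. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PKCS1_OVERHEAD 11 /* 0x00, 0x02, at least 8 octets of PS, 0x00 */

/* Fill buf with len non-zero random octets from /dev/urandom.
 * Returns 0 on success, -1 on failure. */
static int random_nonzero_octets(uint8_t *buf, size_t len)
{
	FILE *f = fopen("/dev/urandom", "rb");
	size_t i = 0;

	if (f == NULL)
		return -1;
	while (i < len) {
		uint8_t b;

		if (fread(&b, 1, 1, f) != 1) {
			fclose(f);
			return -1;
		}
		if (b != 0) /* 0x00 is the separator and must not appear in PS */
			buf[i++] = b;
	}
	fclose(f);
	return 0;
}

/* EME-PKCS1-v1_5 encoding (RFC 8017 7.2.1, steps 1 and 2).  k is the
 * modulus length in octets; em must hold k octets.  Returns 0 on success
 * and -1 for the RFC's "message too long" condition or an RNG failure. */
int eme_pkcs1_v1_5_encode(const uint8_t *msg, size_t mlen, size_t k, uint8_t *em)
{
	size_t pslen;

	if (k < PKCS1_OVERHEAD || mlen > k - PKCS1_OVERHEAD)
		return -1;
	pslen = k - mlen - 3;
	em[0] = 0x00;
	em[1] = 0x02;
	if (random_nonzero_octets(em + 2, pslen) != 0)
		return -1;
	em[2 + pslen] = 0x00;
	memcpy(em + 3 + pslen, msg, mlen);
	return 0;
}

/* EME-PKCS1-v1_5 decoding (RFC 8017 7.2.2, step 3).  Returns the message
 * length, or -1 for a malformed block.  A real decryptor must run this
 * check in constant time and must not report which test failed; that is
 * the Bleichenbacher concern raised in the thread. */
long eme_pkcs1_v1_5_decode(const uint8_t *em, size_t k, uint8_t *msg)
{
	size_t i;

	if (k < PKCS1_OVERHEAD || em[0] != 0x00 || em[1] != 0x02)
		return -1;
	for (i = 2; i < k && em[i] != 0x00; i++)
		;
	if (i == k || i - 2 < 8) /* no separator, or PS shorter than 8 octets */
		return -1;
	memcpy(msg, em + i + 1, k - i - 1);
	return (long)(k - i - 1);
}

/* Largest plaintext for a modulus of the given bit length:
 * a 512-bit key gives 53 octets, not the 64 the reporter tried. */
size_t pkcs1_v1_5_max_plaintext(size_t modulus_bits)
{
	size_t k = (modulus_bits + 7) / 8;

	return k < PKCS1_OVERHEAD ? 0 : k - PKCS1_OVERHEAD;
}

/* Self-check with a constructed message and a 64-octet modulus.
 * Returns 0 when every expectation holds, otherwise the failing step. */
int pkcs1_demo(void)
{
	uint8_t msg[64], em[64], out[64];

	memset(msg, 0xAB, sizeof msg);
	if (eme_pkcs1_v1_5_encode(msg, 64, 64, em) != -1) return 1; /* k octets: rejected */
	if (eme_pkcs1_v1_5_encode(msg, 54, 64, em) != -1) return 2; /* k - 10: rejected */
	if (eme_pkcs1_v1_5_encode(msg, 53, 64, em) != 0) return 3;  /* k - 11: accepted */
	if (em[0] != 0x00 || em[1] != 0x02 || em[10] != 0x00) return 4;
	if (eme_pkcs1_v1_5_decode(em, 64, out) != 53) return 5;
	if (memcmp(out, msg, 53) != 0) return 6;
	return 0;
}

int main(void)
{
	printf("max plaintext for a 512-bit key: %zu octets, demo result: %d\n",
	       pkcs1_v1_5_max_plaintext(512), pkcs1_demo());
	return 0;
}
```

The decoder is written for readability, with early returns; as its comment says, that is exactly the shape a production implementation must avoid, since timing or error differences between the checks are what a padding-oracle attacker measures.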
From gnutls-devel at lists.gnutls.org Mon Sep 12 08:26:19 2022
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Mon, 12 Sep 2022 06:26:19 +0000
Subject: [gnutls-devel] GnuTLS | Report system config file location via gnutls-cli (!1639)

All discussions on merge request !1639 were resolved by Zoltán Fridrich

https://gitlab.com/gnutls/gnutls/-/merge_requests/1639

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1639

From gnutls-devel at lists.gnutls.org Mon Sep 12 09:27:34 2022
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Mon, 12 Sep 2022 07:27:34 +0000
Subject: [gnutls-devel] GnuTLS | Report system config file location via gnutls-cli (!1639)

Daiki Ueno commented:

Thanks for the update; I think it makes sense to keep `{ "default-system-config", SYSTEM_PRIORITY_FILE },` as it is sometimes useful to know the library default.

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1639#note_1096306304

From gnutls-devel at lists.gnutls.org Mon Sep 12 09:44:55 2022
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Mon, 12 Sep 2022 07:44:55 +0000
Subject: [gnutls-devel] GnuTLS | gnutls_pubkey_encrypt_data throws encryption error when passing an input with same size as the key.
(#1402)

Daiki Ueno commented:

RSA-OAEP is currently not supported (@babelouest is working on it on the Nettle side). For no padding, it imposes risks of Bleichenbacher's attack as described in the above link. As we aim for a library hard to misuse, we might rather avoid supporting it.

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1402#note_1096328155

From gnutls-devel at lists.gnutls.org Mon Sep 12 11:41:05 2022
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Mon, 12 Sep 2022 09:41:05 +0000
Subject: [gnutls-devel] GnuTLS | _gnutls_rnd_init allocates memory per thread but does not seem to deallocate it (#1401)

Pedro Marzo commented:

Sorry, no idea about the gnulib wrapper. I created a patch with a possible implementation using pthread_key_create. The only caveat I see is that the context of the main thread is not freed when gnutls_global_deinit, then _gnutls_rnd_deinit, is called, because the linked list is removed ([0001-pthread_key_create-to-store-context.patch](/uploads/e64417525be2f2cc9fc8080ef917e582/0001-pthread_key_create-to-store-context.patch)). However, this is just one context and I guess most of the applications will exit after deinitializing the library anyway.

Best Regards,
Pedro

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1401#note_1096518628
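The per-thread context pattern behind the #1401 discussion, as an added example. This is not Pedro's patch and not GnuTLS code: it shows a context kept in POSIX thread-specific storage whose `pthread_key_create` destructor frees each worker's copy when that thread exits, plus the caveat raised above, namely that no destructor runs for the thread that ends in `exit()`, so a deinit routine has to free the calling thread's context itself. The `struct rnd_ctx` contents, the function names and the four-worker scenario are the example's own.

```c
/* Added example, not GnuTLS code: per-thread context in thread-specific
 * storage with a destructor (the pthread_key_create pattern from #1401).
 * Workers' contexts are freed by the destructor on thread exit; the
 * calling thread's context is freed explicitly by rnd_deinit(). */
#include <pthread.h>
#include <stdatomic.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct rnd_ctx {
	unsigned char state[32];      /* placeholder for PRNG state */
	unsigned long reseed_counter;
};

static pthread_key_t rnd_key;
static pthread_once_t rnd_key_once = PTHREAD_ONCE_INIT;
static atomic_int live_contexts;  /* contexts allocated right now */

/* Invoked by the pthread runtime when a thread that set the key exits. */
static void rnd_ctx_destructor(void *p)
{
	struct rnd_ctx *ctx = p;

	memset(ctx, 0, sizeof *ctx);  /* wipe secret state before freeing */
	free(ctx);
	atomic_fetch_sub(&live_contexts, 1);
}

static void rnd_key_create(void)
{
	if (pthread_key_create(&rnd_key, rnd_ctx_destructor) != 0)
		abort();
}

/* Returns the calling thread's context, allocating it on first use. */
struct rnd_ctx *rnd_ctx_get(void)
{
	struct rnd_ctx *ctx;

	pthread_once(&rnd_key_once, rnd_key_create);
	ctx = pthread_getspecific(rnd_key);
	if (ctx == NULL) {
		ctx = calloc(1, sizeof *ctx);
		if (ctx == NULL)
			return NULL;
		if (pthread_setspecific(rnd_key, ctx) != 0) {
			free(ctx);
			return NULL;
		}
		atomic_fetch_add(&live_contexts, 1);
	}
	return ctx;
}

/* Deinit path: the destructor never runs for a thread that ends in exit(),
 * so the calling thread's context is released by hand. */
void rnd_deinit(void)
{
	struct rnd_ctx *ctx;

	pthread_once(&rnd_key_once, rnd_key_create);
	ctx = pthread_getspecific(rnd_key);
	if (ctx != NULL) {
		pthread_setspecific(rnd_key, NULL); /* no double free on a later pthread_exit */
		rnd_ctx_destructor(ctx);
	}
}

int rnd_live_contexts(void)
{
	return atomic_load(&live_contexts);
}

static void *worker(void *arg)
{
	(void)arg;
	rnd_ctx_get()->reseed_counter++;  /* first call allocates */
	rnd_ctx_get()->reseed_counter++;  /* later calls reuse the same context */
	return NULL;
}

/* Four workers allocate a context each and exit; after the joins only the
 * main thread's context remains, so this returns 1. */
int rnd_demo_live_after_join(void)
{
	pthread_t t[4];
	int i;

	rnd_ctx_get();  /* the calling thread's own context */
	for (i = 0; i < 4; i++)
		if (pthread_create(&t[i], NULL, worker, NULL) != 0)
			abort();
	for (i = 0; i < 4; i++)
		pthread_join(t[i], NULL);
	return rnd_live_contexts();
}

/* Same scenario followed by rnd_deinit(): returns 0, nothing leaks. */
int rnd_demo_live_after_deinit(void)
{
	rnd_demo_live_after_join();
	rnd_deinit();
	return rnd_live_contexts();
}

int main(void)
{
	printf("live after join: %d\n", rnd_demo_live_after_join());
	printf("live after deinit: %d\n", rnd_demo_live_after_deinit());
	return 0;
}
```

Build with `-pthread`. Leak checkers such as valgrind or ASan report the main thread's context as still reachable when `rnd_deinit()` is skipped, which is the one-context caveat from the thread made visible.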
From gnutls-devel at lists.gnutls.org Mon Sep 12 16:39:09 2022
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Mon, 12 Sep 2022 14:39:09 +0000
Subject: [gnutls-devel] GnuTLS | Report system config file location via gnutls-cli (!1639)

Zoltán Fridrich commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/1639#note_1097089003

Do we also want to rename the currently set system config to something like "current-system-config" or "set-system-config" or "actual-system-config" or something like that?

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1639#note_1097089003

From gnutls-devel at lists.gnutls.org Mon Sep 12 23:48:29 2022
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Mon, 12 Sep 2022 21:48:29 +0000
Subject: [gnutls-devel] GnuTLS | Report system config file location via gnutls-cli (!1639)

Merge request !1639 was approved by Daiki Ueno

Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1639
Project:Branches: ZoltanFridrich/gnutls:zfridric_devel to gnutls/gnutls:master
Author: Zoltán Fridrich
Assignee: Zoltán Fridrich
Reviewer: Daiki Ueno

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1639
From gnutls-devel at lists.gnutls.org Tue Sep 13 09:19:33 2022
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Tue, 13 Sep 2022 07:19:33 +0000
Subject: [gnutls-devel] GnuTLS | Report system config file location via gnutls-cli (!1639)

All discussions on merge request !1639 were resolved by Zoltán Fridrich

https://gitlab.com/gnutls/gnutls/-/merge_requests/1639

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1639

From gnutls-devel at lists.gnutls.org Tue Sep 13 09:35:34 2022
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Tue, 13 Sep 2022 07:35:34 +0000
Subject: [gnutls-devel] GnuTLS | Report system config file location via gnutls-cli (!1639)

Merge request !1639 was merged

Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1639
Project:Branches: ZoltanFridrich/gnutls:zfridric_devel to gnutls/gnutls:master
Author: Zoltán Fridrich
Assignee: Zoltán Fridrich
Reviewer: Daiki Ueno

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1639
From gnutls-devel at lists.gnutls.org Tue Sep 13 09:35:35 2022
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Tue, 13 Sep 2022 07:35:35 +0000
Subject: [gnutls-devel] GnuTLS | report system config file location in gnutls-cli (#1399)

Issue was closed by Zoltán Fridrich via merge request !1639 (https://gitlab.com/gnutls/gnutls/-/merge_requests/1639)

Issue #1399: https://gitlab.com/gnutls/gnutls/-/issues/1399

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1399

From gnutls-devel at lists.gnutls.org Tue Sep 13 12:01:02 2022
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Tue, 13 Sep 2022 10:01:02 +0000
Subject: [gnutls-devel] GnuTLS | boringssl early data is rejected by gnutls server because of the ticket age (#1403)

Tatsuhiro Tsujikawa created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1403

## Description of problem:

I often observed that boringssl early data got rejected by gnutls server due to ticket age:

> gnutls[3]: ASSERT: tls13/anti_replay.c[_gnutls_anti_replay_check]:152
> gnutls[4]: EXT[0x...]: replay detected; rejecting early data

That is https://gitlab.com/gnutls/gnutls/-/blob/84546da2c30d84a7aaeaf82af1f6d0b101b54d81/lib/tls13/anti_replay.c#L147-151

```c
	/* It shouldn't be possible that the server's view of ticket
	 * age is smaller than the client's view. */
```

Why does this happen? Because boringssl drops sub-second when calculating obfuscated_ticket_age: https://boringssl.googlesource.com/boringssl/+/refs/heads/master/ssl/extensions.cc#1982

It looks like RFC 8446 only says that "a server MUST validate that the ticket age for the selected PSK identity ...
is within a small tolerance of the time since the ticket was issued". This particular check done by gnutls might be too strict.

## Version of gnutls used:

master branch

## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)

## How reproducible:

Send early data from boringssl client to gnutls server. Do this several times and see the early data rejection by gnutls server.

## Actual results:

Early data from boringssl client is often rejected.

## Expected results:

Early data from boringssl client should be accepted if the ticket age is within the acceptable range.

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1403

From gnutls-devel at lists.gnutls.org Tue Sep 13 17:10:13 2022
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Tue, 13 Sep 2022 15:10:13 +0000
Subject: [gnutls-devel] GnuTLS | Reduce sensitive language (!1640)

Reassigned merge request 1640 https://gitlab.com/gnutls/gnutls/-/merge_requests/1640

Assignee changed to Zoltán Fridrich

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1640
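The ticket-age check from issue #1403 above, modelled as an added example. This is neither GnuTLS's anti_replay.c nor BoringSSL's extensions.cc: it implements the obfuscated_ticket_age arithmetic of RFC 8446 section 4.2.11.1 (age in milliseconds plus ticket_age_add, modulo 2^32), a strict server rule that rejects whenever the client's view of the age exceeds the server's, and the tolerance-based rule the RFC text quoted in the issue calls for. The assumption that reproduces the report, labelled in the code, is a client that derives the age from whole-second timestamps, so its reported age can exceed the real age by up to a second; the timestamps, `ticket_age_add` and tolerance values are constructed.

```c
/* Added example, not GnuTLS or BoringSSL code: a model of the TLS 1.3
 * ticket-age check discussed in #1403.  Times are milliseconds. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Client view (assumption modelling the sub-second drop from the issue):
 * the age is computed from whole-second timestamps only, so it rounds the
 * real age up or down by as much as 999 ms. */
uint32_t client_ticket_age_ms(uint64_t issued_ms, uint64_t now_ms)
{
	uint64_t issued_s = issued_ms / 1000, now_s = now_ms / 1000;

	return (uint32_t)((now_s - issued_s) * 1000);
}

/* RFC 8446 4.2.11.1: obfuscated_ticket_age = age + ticket_age_add mod 2^32. */
uint32_t obfuscate_ticket_age(uint32_t age_ms, uint32_t ticket_age_add)
{
	return age_ms + ticket_age_add;  /* uint32_t arithmetic wraps mod 2^32 */
}

uint32_t unobfuscate_ticket_age(uint32_t obfuscated, uint32_t ticket_age_add)
{
	return obfuscated - ticket_age_add;
}

/* Server view at full resolution, from the issue time stored with the ticket. */
uint32_t server_ticket_age_ms(uint64_t issued_ms, uint64_t now_ms)
{
	return (uint32_t)(now_ms - issued_ms);
}

/* Strict rule: the client may never claim an age larger than the server
 * measured.  This is the condition the issue reports as too strict. */
bool accept_early_data_strict(uint32_t server_age_ms, uint32_t client_age_ms)
{
	return client_age_ms <= server_age_ms;
}

/* Tolerant rule: the two views may differ by at most tolerance_ms in either
 * direction, and the ticket must still be inside its lifetime.  Replay
 * protection proper (remembering seen ClientHellos) is a separate layer. */
bool accept_early_data_tolerant(uint32_t server_age_ms, uint32_t client_age_ms,
				uint32_t tolerance_ms, uint32_t lifetime_ms)
{
	uint32_t diff = server_age_ms > client_age_ms ? server_age_ms - client_age_ms
						      : client_age_ms - server_age_ms;

	return diff <= tolerance_ms && server_age_ms <= lifetime_ms;
}

/* Constructed scenario: ticket issued at 0.900 s, early data sent at
 * 1.050 s.  The real age is 150 ms; a whole-second client reports 1000 ms.
 * Returns 0 when the strict rule rejects and the tolerant rule accepts. */
int ticket_age_demo(void)
{
	const uint64_t issued_ms = 900, now_ms = 1050;
	const uint32_t ticket_age_add = 0xDEADBEEF;  /* constructed */
	const uint32_t lifetime_ms = 7 * 24 * 3600 * 1000U;  /* 604800 s max per RFC 8446 */
	uint32_t obf = obfuscate_ticket_age(client_ticket_age_ms(issued_ms, now_ms),
					    ticket_age_add);
	uint32_t client_age = unobfuscate_ticket_age(obf, ticket_age_add);
	uint32_t server_age = server_ticket_age_ms(issued_ms, now_ms);

	if (client_age != 1000 || server_age != 150)
		return 1;
	if (accept_early_data_strict(server_age, client_age))
		return 2;  /* strict rule wrongly rejects: client view > server view */
	if (!accept_early_data_tolerant(server_age, client_age, 1000, lifetime_ms))
		return 3;
	return 0;
}

int main(void)
{
	printf("ticket age demo: %d\n", ticket_age_demo());
	return 0;
}
```

The tolerance window is a server-side policy choice: too wide and a replayed ClientHello from a distant point in time is accepted on the basis of ticket age alone, too narrow and well-behaved clients with coarse clocks are rejected, which is the trade-off the issue is about.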
From gnutls-devel at lists.gnutls.org Tue Sep 13 17:10:16 2022
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Tue, 13 Sep 2022 15:10:16 +0000
Subject: [gnutls-devel] GnuTLS | Reduce sensitive language (!1640)

Zoltán Fridrich created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1640

Project:Branches: ZoltanFridrich/gnutls:zfridric_devel to gnutls/gnutls:master
Author: Zoltán Fridrich
Assignee: Zoltán Fridrich

## Checklist

* [ ] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [ ] Code modified for feature
* [ ] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
* [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:

* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1640

From gnutls-devel at lists.gnutls.org Wed Sep 14 09:48:16 2022
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Wed, 14 Sep 2022 07:48:16 +0000
Subject: [gnutls-devel] GnuTLS | Doc fix about version numbers.
(!1638)

Merge request !1638 was closed by Simon Josefsson

Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1638
Project:Branches: jas/gnutls:jas/releases-follow-semver to gnutls/gnutls:master
Author: Simon Josefsson
Assignees:
Reviewers:

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1638

From gnutls-devel at lists.gnutls.org Wed Sep 14 11:25:41 2022
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Wed, 14 Sep 2022 09:25:41 +0000
Subject: [gnutls-devel] GnuTLS | Reduce sensitive language (!1640)

Alexander Sosedkin started a new discussion on configure.ac: https://gitlab.com/gnutls/gnutls/-/merge_requests/1640#note_1100114847

> [AS_HELP_STRING([--with-default-crl-file=FILE],
> [use the given CRL file as default])])
>
> -AC_ARG_WITH([default-blacklist-file],

-1 on such renaming of configure options: it breaks compatibility; one can inadvertently lose the blocklist file and only get a quiet warning in return: `configure: WARNING: unrecognized options: --with-default-blocklist-file`

We should either support both names for a while or turn obsolete names into hard errors. And, probably, document this.

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1640#note_1100114847
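Review bot: removing `AC_ARG_WITH([default-blacklist-file], ...)` in the quoted configure.ac hunk means a build script that still passes the old option gets only autoconf's "unrecognized options" warning and ends up with no blocklist file configured, a silent security regression for downstream packagers. Keep a second `AC_ARG_WITH` for the old name that assigns the same variable as the new one and emits `AC_MSG_WARN` (or `AC_MSG_ERROR` if a hard break is preferred), and record the rename in NEWS so the deprecation is discoverable.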
From gnutls-devel at lists.gnutls.org Thu Sep 15 11:18:49 2022
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Thu, 15 Sep 2022 09:18:49 +0000
Subject: [gnutls-devel] GnuTLS | gnutls 3.7.5 libgnutls-symbols.expsym not in: lib/.libs/libgnutls.30.dylib (#1370)

Reassigned Issue 1370 https://gitlab.com/gnutls/gnutls/-/issues/1370

Assignee changed to Daiki Ueno

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1370

From gnutls-devel at lists.gnutls.org Thu Sep 15 14:16:14 2022
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Thu, 15 Sep 2022 12:16:14 +0000
Subject: [gnutls-devel] GnuTLS | WIP: KTLS key update support (!1625)

All discussions on merge request !1625 were resolved by František Krenželok

https://gitlab.com/gnutls/gnutls/-/merge_requests/1625

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1625
From gnutls-devel at lists.gnutls.org Sun Sep 18 10:42:15 2022
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sun, 18 Sep 2022 08:42:15 +0000
Subject: [gnutls-devel] GnuTLS | compress-cert: support compression of client certificates (!1641)

Daiki Ueno created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1641

Project:Branches: dueno/gnutls:wip/dueno/cert-compression-followup to gnutls/gnutls:master
Author: Daiki Ueno

Previously the compress_certificate extension was sent by the server as part of ServerHello, which violates RFC 8879. This patch instead sends it as an extension of CertificateRequest.

Fixes: #1397

## Checklist

* [x] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [ ] Code modified for feature
* [x] Test suite updated with functionality tests
* [x] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
* [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:

* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1641
From gnutls-devel at lists.gnutls.org Sun Sep 18 10:42:35 2022
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sun, 18 Sep 2022 08:42:35 +0000
Subject: [gnutls-devel] GnuTLS | compress_certificate is being set on ServerHello (#1397)

Reassigned Issue 1397 https://gitlab.com/gnutls/gnutls/-/issues/1397

Assignee changed from Zoltán Fridrich to Daiki Ueno

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1397

From gnutls-devel at lists.gnutls.org Sun Sep 18 10:42:48 2022
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sun, 18 Sep 2022 08:42:48 +0000
Subject: [gnutls-devel] GnuTLS | compress-cert: support compression of client certificates (!1641)

Reassigned merge request 1641 https://gitlab.com/gnutls/gnutls/-/merge_requests/1641

Assignee changed to Daiki Ueno

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1641

From gnutls-devel at lists.gnutls.org Sun Sep 18 10:43:02 2022
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sun, 18 Sep 2022 08:43:02 +0000
Subject: [gnutls-devel] GnuTLS | compress-cert: support compression of client certificates (!1641)

Reviewer changed to Zoltán Fridrich

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1641
From gnutls-devel at lists.gnutls.org Sun Sep 18 10:44:41 2022
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sun, 18 Sep 2022 08:44:41 +0000
Subject: [gnutls-devel] GnuTLS | compress_certificate is being set on ServerHello (#1397)

Daiki Ueno commented:

As discussed with @asosedkin, we probably may want to address this for the imminent 3.7.8 either by disabling the feature by default or fixing it properly. !1641 is my attempt for the latter.

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1397#note_1104442836

From gnutls-devel at lists.gnutls.org Mon Sep 19 00:48:24 2022
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sun, 18 Sep 2022 22:48:24 +0000
Subject: [gnutls-devel] GnuTLS | accelerated: avoid symbol export mismatch with _gnutls_x86_cpuid_s (!1642)

Daiki Ueno created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1642

Project:Branches: dueno/gnutls:wip/dueno/cpuid-symbol-rename to gnutls/gnutls:master
Author: Daiki Ueno

If the LD doesn't have support for version scripts, _gnutls_x86_cpuid_s is exported through libtool's --export-symbols-regex and that causes a link error with clang:

```
libtool: link: nmedit -s .libs/libgnutls-symbols.expsym .libs/libgnutls.30.dylib
/Library/Developer/CommandLineTools/usr/bin/nmedit: error: symbols names listed in: .libs/libgnutls-symbols.expsym not in: /opt/local/var/macports/build/_Users_marius_Development_MacPorts_ports_devel_gnutls/gnutls-devel/work/gnutls-3.7.5/lib/.libs/libgnutls.30.dylib
__gnutls_x86_cpuid_s
make[4]: *** [libgnutls.la] Error 1
```

This
patch renames _gnutls_x86_cpuid_s to __gnutls_x86_cpuid_s (double underscore) to avoid the issue.

Problem investigated and fix suggested by Clemens Lang in: https://gitlab.com/gnutls/gnutls/-/issues/1370#note_967832583

Fixes: #1370

## Checklist

* [x] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [ ] Code modified for feature
* [ ] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
* [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:

* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1642

From gnutls-devel at lists.gnutls.org Mon Sep 19 00:49:59 2022
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sun, 18 Sep 2022 22:49:59 +0000
Subject: [gnutls-devel] GnuTLS | accelerated: avoid symbol export mismatch with _gnutls_x86_cpuid_s (!1642)

Reassigned merge request 1642 https://gitlab.com/gnutls/gnutls/-/merge_requests/1642

Assignee changed to Daiki Ueno

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1642
From gnutls-devel at lists.gnutls.org Mon Sep 19 00:50:06 2022
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sun, 18 Sep 2022 22:50:06 +0000
Subject: [gnutls-devel] GnuTLS | accelerated: avoid symbol export mismatch with _gnutls_x86_cpuid_s (!1642)

Reviewer changed to Alexander Sosedkin

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1642

From gnutls-devel at lists.gnutls.org Mon Sep 19 00:51:55 2022
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sun, 18 Sep 2022 22:51:55 +0000
Subject: [gnutls-devel] GnuTLS | gnutls 3.7.5 libgnutls-symbols.expsym not in: lib/.libs/libgnutls.30.dylib (#1370)

Daiki Ueno commented:

Thanks @cllang for looking into it and the suggestion. I've filed !1642 doing the latter.

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1370#note_1104637173

From gnutls-devel at lists.gnutls.org Mon Sep 19 10:22:00 2022
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Mon, 19 Sep 2022 08:22:00 +0000
Subject: [gnutls-devel] GnuTLS | accelerated: avoid symbol export mismatch with _gnutls_x86_cpuid_s (!1642)

Clemens Lang commented:

I think the double underscore is reserved.
See [the latest publicly available draft of the C17 standard][1], section 7.1.3 Reserved identifiers:

> All identifiers that begin with an underscore and either an uppercase letter or another underscore are always reserved for any use, except those identifiers which are lexically identical to keywords.

> All identifiers that begin with an underscore are always reserved for use as identifiers with file scope in both the ordinary and tag name spaces.

> If the program declares or defines an identifier in a context in which it is reserved […], or defines a reserved identifier as a macro name, the behavior is undefined.

You should probably not use double underscores, or even leading single underscores.

[1]: https://web.archive.org/web/20181230041359if_/http://www.open-std.org/jtc1/sc22/wg14/www/abq/c17_updated_proposed_fdis.pdf

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1642#note_1104933790

From gnutls-devel at lists.gnutls.org Mon Sep 19 10:32:51 2022
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Mon, 19 Sep 2022 08:32:51 +0000
Subject: [gnutls-devel] GnuTLS | accelerated: avoid symbol export mismatch with _gnutls_x86_cpuid_s (!1642)

Daiki Ueno commented:

Yeah, I totally agree; I guess that's the reason we don't use leading underscore(s) for, e.g., header guards. Maybe `GNUTLS_x86_cpuid_s` would be a better candidate?

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1642#note_1104949589
From gnutls-devel at lists.gnutls.org Mon Sep 19 13:28:45 2022
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Mon, 19 Sep 2022 11:28:45 +0000
Subject: [gnutls-devel] GnuTLS | compress-cert: support compression of client certificates (!1641)

Zoltán Fridrich commented:

I see no obvious mistakes. Changes make sense. LGTM

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1641#note_1105220661

From gnutls-devel at lists.gnutls.org Mon Sep 19 13:31:02 2022
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Mon, 19 Sep 2022 11:31:02 +0000
Subject: [gnutls-devel] GnuTLS | compress-cert: support compression of client certificates (!1641)

Zoltán Fridrich started a new discussion on lib/ext/compress_certificate.h: https://gitlab.com/gnutls/gnutls/-/merge_requests/1641#note_1105223154

> gnutls_compression_method_t _gnutls_compress_certificate_num2method(uint16_t num);
> int _gnutls_compress_certificate_method2num(gnutls_compression_method_t method);
>
> +int

This is just a nitpick but could you please unify the format in this file?

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1641#note_1105223154
From gnutls-devel at lists.gnutls.org Mon Sep 19 13:31:15 2022
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Mon, 19 Sep 2022 11:31:15 +0000
Subject: [gnutls-devel] GnuTLS | compress-cert: support compression of client certificates (!1641)

Reviewer changed from Zoltán Fridrich to Unassigned

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1641

From gnutls-devel at lists.gnutls.org Mon Sep 19 13:31:24 2022
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Mon, 19 Sep 2022 11:31:24 +0000
Subject: [gnutls-devel] GnuTLS | compress-cert: support compression of client certificates (!1641)

Merge request !1641 was approved by Zoltán Fridrich

Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1641
Project:Branches: dueno/gnutls:wip/dueno/cert-compression-followup to gnutls/gnutls:master
Author: Daiki Ueno
Assignee: Daiki Ueno
Reviewers:

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1641
From gnutls-devel at lists.gnutls.org Mon Sep 19 15:47:36 2022
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Mon, 19 Sep 2022 13:47:36 +0000
Subject: [gnutls-devel] GnuTLS | accelerated: avoid symbol export mismatch with _gnutls_x86_cpuid_s (!1642)

Alexander Sosedkin started a new discussion on lib/accelerated/x86/coff/aesni-x86.s: https://gitlab.com/gnutls/gnutls/-/merge_requests/1642#note_1105457508

> .L112pic:
> popl %ebx
> leal .Lkey_const-.L112pic(%ebx),%ebx
> - leal __gnutls_x86_cpuid_s,%ebp
> + leal _GNUTLS_x86_cpuid_s,%ebp

If `^__` and `^_[A-Z]` are equally bad, what does the renaming give us?

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1642#note_1105457508

From gnutls-devel at lists.gnutls.org Mon Sep 19 17:23:24 2022
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Mon, 19 Sep 2022 15:23:24 +0000
Subject: [gnutls-devel] GnuTLS | accelerated: avoid symbol export mismatch with _gnutls_x86_cpuid_s (!1642)

Daiki Ueno commented on a discussion on lib/accelerated/x86/coff/aesni-x86.s: https://gitlab.com/gnutls/gnutls/-/merge_requests/1642#note_1105636034

> .L112pic:
> popl %ebx
> leal .Lkey_const-.L112pic(%ebx),%ebx
> - leal __gnutls_x86_cpuid_s,%ebp
> + leal _GNUTLS_x86_cpuid_s,%ebp

The assembler on macOS seems to add an underscore to every external symbol:

- https://orangejuiceliberationfront.com/intel-assembler-on-mac-os-x/
- https://github.com/dot-asm/cryptogams/blob/master/x86_64/x86_64-xlate.pl#L85

I guess it's not a problem as the restriction is at C level, not assembly level.
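Review bot: the quoted hunk lives in the `coff/` variant of aesni-x86.s, the 32-bit Windows build, where the C toolchain also prefixes a `_` to every external symbol, so `_GNUTLS_x86_cpuid_s` at the assembly level is the C identifier `GNUTLS_x86_cpuid_s`, which is outside the `_[A-Z]`/`__` namespace C reserves, whereas the old `__gnutls_x86_cpuid_s` spelling mapped to the reserved `_gnutls_x86_cpuid_s`. The commit message should state that mapping explicitly, since the reviewer question shows it is not obvious from the diff, and the matching ELF `.s` files (which carry the symbol without the decoration) should be regenerated from the same source in the same commit so the two spellings cannot drift apart.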
-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1642#note_1105636034 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Sep 19 17:36:32 2022 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Mon, 19 Sep 2022 15:36:32 +0000 Subject: [gnutls-devel] GnuTLS | compress-cert: support compression of client certificates (!1641) In-Reply-To: References: Message-ID: Daiki Ueno commented on a discussion on lib/ext/compress_certificate.h: https://gitlab.com/gnutls/gnutls/-/merge_requests/1641#note_1105652956 > gnutls_compression_method_t _gnutls_compress_certificate_num2method(uint16_t num); > int _gnutls_compress_certificate_method2num(gnutls_compression_method_t method); > > +int Do you mean to place `int` on the same line as `_gnutls_compress_certificate_recv_params`? I don't think it's a requirement of Linux kernel coding style, and if we do, the arguments would not align properly in 80 columns. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1641#note_1105652956 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Sep 19 18:28:37 2022 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Mon, 19 Sep 2022 16:28:37 +0000 Subject: [gnutls-devel] GnuTLS | fips: mark symmetric key crypto operations with short key and output sizes non-approved (!1643) References: Message-ID: Daiki Ueno created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1643 Project:Branches: dueno/gnutls:wip/dueno/symkey-limit to gnutls/gnutls:master Author: Daiki Ueno .. 
## Checklist * [x] Commits have `Signed-off-by:` with name/author being identical to the commit author * [ ] Code modified for feature * [ ] Test suite updated with functionality tests * [ ] Test suite updated with negative tests * [ ] Documentation updated / NEWS entry present (for non-trivial changes) * [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout) ## Reviewer's checklist: * [ ] Any issues marked for closing are addressed * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md` * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1643 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Sep 19 23:52:31 2022 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Mon, 19 Sep 2022 21:52:31 +0000 Subject: [gnutls-devel] GnuTLS | compress-cert: support compression of client certificates (!1641) In-Reply-To: References: Message-ID: All discussions on merge request !1641 were resolved by Daiki Ueno https://gitlab.com/gnutls/gnutls/-/merge_requests/1641 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1641 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... 
URL: From gnutls-devel at lists.gnutls.org Mon Sep 19 23:52:37 2022 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Mon, 19 Sep 2022 21:52:37 +0000 Subject: [gnutls-devel] GnuTLS | compress-cert: support compression of client certificates (!1641) In-Reply-To: References: Message-ID: Merge request !1641 was merged Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1641 Project:Branches: dueno/gnutls:wip/dueno/cert-compression-followup to gnutls/gnutls:master Author: Daiki Ueno Assignee: Daiki Ueno -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1641 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Sep 19 23:52:36 2022 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Mon, 19 Sep 2022 21:52:36 +0000 Subject: [gnutls-devel] GnuTLS | compress_certificate is being set on ServerHello (#1397) In-Reply-To: References: Message-ID: Issue was closed by Daiki Ueno via commit cde0061c33d56258281a4d6033eba1d85e75e32d Issue #1397: https://gitlab.com/gnutls/gnutls/-/issues/1397 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1397 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... 
URL: From gnutls-devel at lists.gnutls.org Tue Sep 20 08:14:01 2022 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 20 Sep 2022 06:14:01 +0000 Subject: [gnutls-devel] GnuTLS | trust: make filesystem path construction flexible (!1493) In-Reply-To: References: Message-ID: Daiki Ueno marked merge request !1493 as ready -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1493 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Sep 20 08:17:04 2022 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 20 Sep 2022 06:17:04 +0000 Subject: [gnutls-devel] GnuTLS | trust: make filesystem path construction flexible (!1493) In-Reply-To: References: Message-ID: All discussions on merge request !1493 were resolved by Daiki Ueno https://gitlab.com/gnutls/gnutls/-/merge_requests/1493 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1493 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... 
URL: From gnutls-devel at lists.gnutls.org Tue Sep 20 08:17:04 2022 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 20 Sep 2022 06:17:04 +0000 Subject: [gnutls-devel] GnuTLS | trust: make filesystem path construction flexible (!1493) In-Reply-To: References: Message-ID: Merge request https://gitlab.com/gnutls/gnutls/-/merge_requests/1493 was reviewed by Daiki Ueno -- Daiki Ueno commented on a discussion on lib/datum.h: https://gitlab.com/gnutls/gnutls/-/merge_requests/1493#note_1106367894 > if (dat != NULL) { > gnutls_free(dat->data); > + dat->data = NULL; Indeed, dropped the commit. -- Daiki Ueno commented on a discussion on lib/fips.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1493#note_1106367905 > - gnutls_free(data.data); > - > + _gnutls_free_datum(&data); As the fips.c has been heavily modified since this MR, I've dropped the changes to that file. -- Daiki Ueno commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/1493#note_1106367908 Sorry for the delay. After a bit of thinking and learning from the glibc's ftw implementation, I've reworked the logic with helper functions that allocate memory only if PATH_MAX has been reached. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1493 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... 
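The "allocate only when PATH_MAX is reached" pattern mentioned in the !1493 review above, as an added example that is not GnuTLS code: a join helper writes `dir "/" name` into a caller-supplied fixed buffer when the result fits and falls back to `malloc()` only when it does not, the way glibc's ftw() handles long paths. The function and parameter names (`join_path`, `release_path`, `join_equals`, `join_uses_heap`) and the sample paths are invented for this illustration.

```c
/* Added example, not GnuTLS code: fixed buffer first, heap only when
 * the joined path would not fit.  Names are invented for this example. */
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifndef PATH_MAX
#define PATH_MAX 4096
#endif

/* Returns the joined, NUL-terminated path, placed in `fixed` when it
 * fits in fixed_len bytes and in heap memory otherwise; NULL when the
 * allocation fails.  The result is never truncated and `fixed` is never
 * written past fixed_len. */
char *join_path(const char *dir, const char *name,
                char *fixed, size_t fixed_len)
{
    size_t dlen = strlen(dir), nlen = strlen(name);
    int need_sep = dlen > 0 && dir[dlen - 1] != '/';
    size_t total = dlen + (need_sep ? 1 : 0) + nlen + 1; /* incl. NUL */
    char *out = fixed;

    if (total > fixed_len) {
        out = malloc(total);
        if (out == NULL)
            return NULL;
    }
    memcpy(out, dir, dlen);
    if (need_sep)
        out[dlen++] = '/';
    memcpy(out + dlen, name, nlen);
    out[dlen + nlen] = '\0';
    return out;
}

/* Release a join_path() result; a no-op when it lives in the fixed buffer. */
void release_path(char *path, const char *fixed)
{
    if (path != NULL && path != fixed)
        free(path);
}

/* 1 if the joined path equals `expected`, 0 otherwise. */
int join_equals(const char *dir, const char *name, const char *expected)
{
    char buf[PATH_MAX];
    char *p = join_path(dir, name, buf, sizeof buf);
    int eq;

    if (p == NULL)
        return 0;
    eq = strcmp(p, expected) == 0;
    release_path(p, buf);
    return eq;
}

/* 1 if joining `dir` with a name of name_len 'a' characters needed heap
 * memory, 0 if it fit in a PATH_MAX buffer, -1 on allocation failure. */
int join_uses_heap(const char *dir, size_t name_len)
{
    char buf[PATH_MAX];
    char *name = malloc(name_len + 1);
    char *p;
    int heap;

    if (name == NULL)
        return -1;
    memset(name, 'a', name_len);
    name[name_len] = '\0';
    p = join_path(dir, name, buf, sizeof buf);
    free(name);
    if (p == NULL)
        return -1;
    heap = (p != buf);
    release_path(p, buf);
    return heap;
}

int main(void)
{
    char buf[PATH_MAX];
    char *p = join_path("/etc/ssl/certs", "ca-bundle.crt", buf, sizeof buf);

    if (p != NULL) {
        printf("%s (%s)\n", p, p == buf ? "fixed buffer" : "heap");
        release_path(p, buf);
    }
    return 0;
}
```

The point of the shape is that the common case costs no allocation and the long case costs no truncation: the length is computed before anything is written, so the fixed buffer can never be overrun, and the caller owns exactly one release call regardless of which branch was taken.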
URL: From gnutls-devel at lists.gnutls.org Tue Sep 20 09:08:39 2022 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 20 Sep 2022 07:08:39 +0000 Subject: [gnutls-devel] GnuTLS | fips: fix checking on hash algorithm used in ECDSA (!1644) References: Message-ID: Daiki Ueno created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1644 Project:Branches: dueno/gnutls:wip/dueno/ecdsa-hash-check to gnutls/gnutls:master Author: Daiki Ueno Previously we checked against the "preferred" hash algorithm based on the curve, instead of the one actually used. ## Checklist * [x] Commits have `Signed-off-by:` with name/author being identical to the commit author * [ ] Code modified for feature * [ ] Test suite updated with functionality tests * [ ] Test suite updated with negative tests * [ ] Documentation updated / NEWS entry present (for non-trivial changes) * [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout) ## Reviewer's checklist: * [ ] Any issues marked for closing are addressed * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md` * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1644 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... 
URL: From gnutls-devel at lists.gnutls.org Tue Sep 20 09:24:04 2022 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 20 Sep 2022 07:24:04 +0000 Subject: [gnutls-devel] GnuTLS | compress-cert: support compression of client certificates (!1641) In-Reply-To: References: Message-ID: Zoltán Fridrich commented on a discussion on lib/ext/compress_certificate.h: https://gitlab.com/gnutls/gnutls/-/merge_requests/1641#note_1106479422 > gnutls_compression_method_t _gnutls_compress_certificate_num2method(uint16_t num); > int _gnutls_compress_certificate_method2num(gnutls_compression_method_t method); > > +int I meant you could change the other two prototypes to have return types on a new line as well but it's ok. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1641#note_1106479422 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Sep 20 11:41:54 2022 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 20 Sep 2022 09:41:54 +0000 Subject: [gnutls-devel] GnuTLS | doc: Don't depend on /usr/bin/perl in the Makefile.am. (!1645) References: Message-ID: Christopher Baines created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1645 Project:Branches: cbaines/gnutls:perl-PATH to gnutls/gnutls:master Author: Christopher Baines Add a description of the new feature/bug fix. Reference any relevant bugs. 
## Checklist * [x] Commits have `Signed-off-by:` with name/author being identical to the commit author * [x] Code modified for feature * [ ] Test suite updated with functionality tests * [ ] Test suite updated with negative tests * [ ] Documentation updated / NEWS entry present (for non-trivial changes) * [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout) ## Reviewer's checklist: * [ ] Any issues marked for closing are addressed * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md` * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1645 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Sep 20 13:19:45 2022 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 20 Sep 2022 11:19:45 +0000 Subject: [gnutls-devel] GnuTLS | Reduce sensitive language (!1640) In-Reply-To: References: Message-ID: All discussions on merge request !1640 were resolved by Zoltán Fridrich https://gitlab.com/gnutls/gnutls/-/merge_requests/1640 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1640 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... 
URL: From gnutls-devel at lists.gnutls.org Tue Sep 20 13:24:19 2022 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 20 Sep 2022 11:24:19 +0000 Subject: [gnutls-devel] GnuTLS | Reduce sensitive language (!1640) In-Reply-To: References: Message-ID: Zoltán Fridrich commented on a discussion on configure.ac: https://gitlab.com/gnutls/gnutls/-/merge_requests/1640#note_1107001463 > [AS_HELP_STRING([--with-default-crl-file=FILE], > [use the given CRL file as default])]) > > -AC_ARG_WITH([default-blacklist-file], I kept both versions and added helper text that the blacklist one is obsolete. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1640#note_1107001463 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Sep 20 13:40:20 2022 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 20 Sep 2022 11:40:20 +0000 Subject: [gnutls-devel] GnuTLS | Reduce sensitive language (!1640) In-Reply-To: References: Message-ID: All discussions on merge request !1640 were resolved by Zoltán Fridrich https://gitlab.com/gnutls/gnutls/-/merge_requests/1640 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1640 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... 
URL: From gnutls-devel at lists.gnutls.org Tue Sep 20 15:19:15 2022 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 20 Sep 2022 13:19:15 +0000 Subject: [gnutls-devel] GnuTLS | Reduce sensitive language (!1640) In-Reply-To: References: Message-ID: Merge request https://gitlab.com/gnutls/gnutls/-/merge_requests/1640 was reviewed by Daiki Ueno -- Daiki Ueno started a new discussion on configure.ac: https://gitlab.com/gnutls/gnutls/-/merge_requests/1640#note_1107259633 > > AC_ARG_WITH([default-blacklist-file], > [AS_HELP_STRING([--with-default-blacklist-file=FILE], These two lines are kept for backward compatibility, right? As this is merely a build flag, we can change it. -- Daiki Ueno started a new discussion on doc/cha-intro-tls.texi: https://gitlab.com/gnutls/gnutls/-/merge_requests/1640#note_1107259745 > if the false start requirements are not satisfied. That is, on ciphersuites which are not > -whitelisted for false start or on insufficient key sizes, the handshake > +trusted for false start or on insufficient key sizes, the handshake ciphersuites can't be trusted :-) maybe "allowed" or "enabled" might be more appropriate? -- Daiki Ueno started a new discussion on doc/cha-tokens.texi: https://gitlab.com/gnutls/gnutls/-/merge_requests/1640#note_1107259755 > > -That store, allows for blacklisting of CAs or certificates, as well as > +That store, allows for blocklisting of CAs or certificates, as well as I suggest "distrusting", to be consistent with the p11-kit terminology. -- Daiki Ueno started a new discussion on lib/auth/srp_kx.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1640#note_1107259768 > _gnutls_audit_log(session, > - "SRP group parameters are not in the white list; rejecting.\n"); > + "SRP group parameters are not in the allow list; rejecting.\n"); "Unknown SRP group parameters; rejecting.\n" might be better? 
-- Daiki Ueno started a new discussion on src/p11tool-options.json: https://gitlab.com/gnutls/gnutls/-/merge_requests/1640#note_1107259773 > "long-option": "mark-distrusted", > - "description": "When retrieving objects, it requires the objects to be distrusted (blacklisted)", > + "description": "When retrieving objects, it requires the objects to be distrusted (distrusted)", double "distrusted" -- Daiki Ueno started a new discussion on configure.ac: https://gitlab.com/gnutls/gnutls/-/merge_requests/1640#note_1107259775 > [AS_HELP_STRING([--with-default-blacklist-file=FILE], > - [use the given certificate blacklist file as default])]) > + [obsolete, use default-blocklist-file instead])]) "use --default-blocklist-file instead" -- Daiki Ueno started a new discussion on configure.ac: https://gitlab.com/gnutls/gnutls/-/merge_requests/1640#note_1107259777 > [AS_HELP_STRING([--with-default-blacklist-file=FILE], > - [use the given certificate blacklist file as default])]) > + [obsolete, use default-blocklist-file instead])]) Alternatively you could simply error out: ```m4 AC_ARG_WITH([default-blacklist-file], [AS_HELP_STRING([--with-default-blacklist-file=FILE], [obsolete, use --with-default-blocklist-file instead])], [AC_MSG_ERROR([use --with-default-blocklist-file instead])]) ``` -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1640 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... 
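Review bot: in the configure.ac hunk that turns `--with-default-blacklist-file=FILE` into "obsolete, use default-blocklist-file instead", the option is still accepted, so if it no longer assigns the default file a packaging recipe that keeps passing the old flag will configure cleanly and ship a library with no default distrust list, which nobody will notice at build time; either fail as in the `AC_MSG_ERROR` variant above or have the obsolete option feed the new variable, so the old spelling can never silently drop the file.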
URL: From gnutls-devel at lists.gnutls.org Tue Sep 20 15:23:59 2022 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 20 Sep 2022 13:23:59 +0000 Subject: [gnutls-devel] GnuTLS | Reduce sensitive language (!1640) In-Reply-To: References: Message-ID: Alexander Sosedkin commented on a discussion on configure.ac: https://gitlab.com/gnutls/gnutls/-/merge_requests/1640#note_1107275056 > > AC_ARG_WITH([default-blacklist-file], > [AS_HELP_STRING([--with-default-blacklist-file=FILE], IMO, only if we make it fail for unknown options, see previous resolved thread. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1640#note_1107275056 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Sep 20 15:26:12 2022 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 20 Sep 2022 13:26:12 +0000 Subject: [gnutls-devel] GnuTLS | accelerated: avoid symbol export mismatch with _gnutls_x86_cpuid_s (!1642) In-Reply-To: References: Message-ID: Alexander Sosedkin commented: While my understanding of all the nuances might be sketchy, I'm OK with this patch at the level that I don't see how it can cause problems. Commit message still mentions "double underscore". -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1642#note_1107285175 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... 
URL: From gnutls-devel at lists.gnutls.org Tue Sep 20 15:26:46 2022 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 20 Sep 2022 13:26:46 +0000 Subject: [gnutls-devel] GnuTLS | accelerated: avoid symbol export mismatch with _gnutls_x86_cpuid_s (!1642) In-Reply-To: References: Message-ID: All discussions on merge request !1642 were resolved by Alexander Sosedkin https://gitlab.com/gnutls/gnutls/-/merge_requests/1642 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1642 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Sep 20 15:54:45 2022 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 20 Sep 2022 13:54:45 +0000 Subject: [gnutls-devel] GnuTLS | Reduce sensitive language (!1640) In-Reply-To: References: Message-ID: All discussions on merge request !1640 were resolved by Zoltán Fridrich https://gitlab.com/gnutls/gnutls/-/merge_requests/1640 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1640 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... 
URL: From gnutls-devel at lists.gnutls.org Tue Sep 20 16:11:36 2022 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 20 Sep 2022 14:11:36 +0000 Subject: [gnutls-devel] GnuTLS | Reduce sensitive language (!1640) In-Reply-To: References: Message-ID: Merge request !1640 was approved by Daiki Ueno Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1640 Project:Branches: ZoltanFridrich/gnutls:zfridric_devel to gnutls/gnutls:master Author: Zoltán Fridrich Assignee: Zoltán Fridrich Reviewers: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1640 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Sep 20 16:12:00 2022 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 20 Sep 2022 14:12:00 +0000 Subject: [gnutls-devel] GnuTLS | Reduce sensitive language (!1640) In-Reply-To: References: Message-ID: Daiki Ueno commented: Looks good to me; maybe good to mention the configure option change in NEWS. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1640#note_1107427213 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... 
URL: From gnutls-devel at lists.gnutls.org Wed Sep 21 12:05:45 2022 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 21 Sep 2022 10:05:45 +0000 Subject: [gnutls-devel] GnuTLS | Reduce sensitive language (!1640) In-Reply-To: References: Message-ID: Merge request !1640 was scheduled to merge after pipeline succeeds by Zoltán Fridrich Merge request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1640 Project:Branches: ZoltanFridrich/gnutls:zfridric_devel to gnutls/gnutls:master Author: Zoltán Fridrich Assignee: Zoltán Fridrich Reviewers: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1640 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Sep 21 15:13:35 2022 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 21 Sep 2022 13:13:35 +0000 Subject: [gnutls-devel] GnuTLS | Failed to set TLS options (default:). error: The request is invalid. (#1405) References: Message-ID: KENJI AKIHARA created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1405 ## Description of problem: Failed to set TLS options (default:). error: The request is invalid. ## Version of gnutls used: gnutls-3.7.1-1.aix6.1.aix6.1.ppc.rpm ## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL) AIX ## How reproducible: When throwing https requests from a source to a reverse proxy server (squid) with the Curl command, fin/ack comes back after the client Hello (=Server Hello is not returned) curl version curl 7.47.1 (x86_64-redhat-linux-gnu) libcurl/7.47.1 OpenSSL/1.0.2s zlib/1.2.7 libidn/1.28 libssh2/1.4.3 nghttp2/1.31.1 ## Actual results: 2022/09/13 17:20:55 kid1| ERROR: session=0x11274deb0 Failed to set TLS options (default:). error: The request is invalid. 
## Expected results: Establishing an SSL connection -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1405 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Sep 21 16:21:02 2022 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 21 Sep 2022 14:21:02 +0000 Subject: [gnutls-devel] GnuTLS | Draft: Release 3.7.8 (!1646) References: Message-ID: Alexander Sosedkin created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1646 Project:Branches: asosedkin/gnutls:3.7.8 to gnutls/gnutls:master Author: Alexander Sosedkin Add a description of the new feature/bug fix. Reference any relevant bugs. ## Checklist * [x] Commits have `Signed-off-by:` with name/author being identical to the commit author * [ ] Code modified for feature * [ ] Test suite updated with functionality tests * [ ] Test suite updated with negative tests * [x] Documentation updated / NEWS entry present (for non-trivial changes) * [x] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout) ## Reviewer's checklist: * [ ] Any issues marked for closing are addressed * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md` * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1646 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... 
URL: From gnutls-devel at lists.gnutls.org Thu Sep 22 07:51:46 2022 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Thu, 22 Sep 2022 05:51:46 +0000 Subject: [gnutls-devel] GnuTLS | doc: Don't depend on /usr/bin/perl in the Makefile.am. (!1645) In-Reply-To: References: Message-ID: Daiki Ueno started a new discussion on doc/Makefile.am: https://gitlab.com/gnutls/gnutls/-/merge_requests/1645#note_1109932468 > > gnutls-api.texi: $(top_srcdir)/lib/includes/gnutls/gnutls.h.in > echo "" > $@-tmp > - for i in `$(top_srcdir)/doc/scripts/getfuncs.pl < $< |sort|uniq`; do \ > + for i in `perl $(top_srcdir)/doc/scripts/getfuncs.pl < $< |sort|uniq`; do \ Maybe we could detect perl in configure.ac, something like `AM_MISSING_PROG([PERL], [perl])`, and use `$(PERL)` instead of `perl`? That way users could choose the program through the `make` command line or envvar. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1645#note_1109932468 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Sep 22 12:40:33 2022 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Thu, 22 Sep 2022 10:40:33 +0000 Subject: [gnutls-devel] GnuTLS | boringssl early data is rejected by gnutls server because of the client ticket age > the server ticket age (#1403) In-Reply-To: References: Message-ID: Reassigned Issue 1403 https://gitlab.com/gnutls/gnutls/-/issues/1403 Assignee changed to Zoltán Fridrich -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1403 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... 
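The ticket-age comparison discussed in the next message on issue #1403, as an added illustration that is not GnuTLS or BoringSSL code: the "client" model follows the description given there (it keeps whole seconds and multiplies the difference by 1000) and the "server" model measures in milliseconds, so the reader can see how a client can report an age larger than the server has measured and what each comparison does with it. All timestamps are constructed milliseconds since an arbitrary epoch, the function names are invented for this example, and `tolerant_check` is an assumed alternative rather than anything proposed in the thread.

```c
/* Added illustration, not GnuTLS or BoringSSL code, of the TLS 1.3
 * ticket-age comparison from issue #1403.  Constructed timestamps,
 * invented function names. */
#include <stdint.h>
#include <stdio.h>

/* Client model from the thread: issue time and current time truncated to
 * whole seconds, the difference multiplied by 1000. */
uint32_t client_ticket_age_ms(uint64_t issued_ms, uint64_t now_ms)
{
    return (uint32_t)((now_ms / 1000 - issued_ms / 1000) * 1000);
}

/* Server model: age of the ticket measured with millisecond precision. */
uint32_t server_ticket_age_ms(uint64_t issued_ms, uint64_t now_ms)
{
    return (uint32_t)(now_ms - issued_ms);
}

/* Rule as discussed in the thread: early data is rejected when the client
 * claims an age larger than the server measured.  Returns 1 = accept. */
int strict_check(uint32_t server_age, uint32_t client_age)
{
    return !(server_age < client_age);
}

/* Second-granularity variant proposed in the thread.  1 = accept. */
int second_granularity_check(uint32_t server_age, uint32_t client_age)
{
    return !(server_age / 1000 < client_age / 1000);
}

/* Assumed alternative, not from the thread: accept when the two ages
 * agree within tol milliseconds, in the spirit of RFC 8446 section
 * 4.2.10, which asks for the client's age to be within a small tolerance
 * of the server's measurement.  1 = accept. */
int tolerant_check(uint32_t server_age, uint32_t client_age, uint32_t tol)
{
    uint32_t diff = server_age > client_age ? server_age - client_age
                                            : client_age - server_age;
    return diff <= tol;
}

/* Largest amount (ms) by which the whole-second client age exceeds the
 * server age for any arrival time within window_ms after issue. */
uint32_t max_client_overshoot_ms(uint64_t issued_ms, uint32_t window_ms)
{
    uint32_t worst = 0;

    for (uint64_t t = issued_ms; t <= issued_ms + window_ms; t++) {
        uint32_t c = client_ticket_age_ms(issued_ms, t);
        uint32_t s = server_ticket_age_ms(issued_ms, t);
        if (c > s && c - s > worst)
            worst = c - s;
    }
    return worst;
}

int main(void)
{
    /* Ticket issued 100 ms before a second boundary, used 200 ms later. */
    uint64_t issued = 10900, now = 11100;
    uint32_t s = server_ticket_age_ms(issued, now);
    uint32_t c = client_ticket_age_ms(issued, now);

    printf("server age %u ms, client age %u ms\n", (unsigned)s, (unsigned)c);
    printf("strict: %d, per-second: %d, tolerant(1000): %d\n",
           strict_check(s, c), second_granularity_check(s, c),
           tolerant_check(s, c, 1000));
    printf("max overshoot: %u ms\n",
           (unsigned)max_client_overshoot_ms(issued, 3000));
    return 0;
}
```

On the constructed timestamps the server measures 200 ms while the client reports 1000 ms, so the strict rule rejects the early data. Under this client model a reported age is always a multiple of 1000, which means the per-second comparison rejects in exactly the same cases as the strict one; what actually varies is how far the client can overshoot, and `max_client_overshoot_ms` shows it is bounded by the sub-second part of the issue time (never more than 999 ms), which is the amount any tolerance would have to absorb.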
URL: From gnutls-devel at lists.gnutls.org Thu Sep 22 16:25:14 2022 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Thu, 22 Sep 2022 14:25:14 +0000 Subject: [gnutls-devel] GnuTLS | boringssl early data is rejected by gnutls server because of the client ticket age > the server ticket age (#1403) In-Reply-To: References: Message-ID: Zoltán Fridrich commented: @tatsuhiro-t Hello and thank you for the report. After looking into the code of both boringssl and gnutls I believe that there is no problem on the gnutls side. The above-mentioned check seems very reasonable to me. On the other hand, it seems to me that the fix should be done on the side of boringssl as it calculates inaccurate ticket_age. From what I have seen boringssl works with seconds and then just multiplies the result by 1000 to fill the ticket_age. I guess if we would change the check to `if (unlikely(server_ticket_age / 1000 < client_ticket_age / 1000))` it would solve the issue, but I don't know if it is a reasonable change. @dueno what do you think of this? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1403#note_1110803944 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Sep 23 08:01:55 2022 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 23 Sep 2022 06:01:55 +0000 Subject: [gnutls-devel] GnuTLS | Incomplete API listing under NEWS (#1406) References: Message-ID: Nikolaos Chatzikonstantinou created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1406 I was using the [NEWS](NEWS) file to refer to API changes, however I have noticed that the function `gnutls_x509_crt_get_pk_algorithm` is missing. 
Using `git log -S gnutls_x509_crt_get_pk_algorithm --reverse | head -n1` I find the first commit in which it is mentioned and then with `git tag --contains dc9ea76e89a13e5d119607fe1b3b0c9721efa732` I find that the first tag is `gnutls_0_9_1`. I was wondering if it is interesting to revise NEWS to mention these API changes. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1406 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Sep 23 09:33:36 2022 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 23 Sep 2022 07:33:36 +0000 Subject: [gnutls-devel] GnuTLS | _gnutls_rnd_init allocates memory per thread but does not seem to deallocate it (#1401) In-Reply-To: References: Message-ID: Reassigned Issue 1401 https://gitlab.com/gnutls/gnutls/-/issues/1401 Assignee changed to Zoltán Fridrich -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1401 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Sep 23 11:33:10 2022 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 23 Sep 2022 09:33:10 +0000 Subject: [gnutls-devel] GnuTLS | _gnutls_rnd_init allocates memory per thread but does not seem to deallocate it (#1401) In-Reply-To: References: Message-ID: Zoltán Fridrich commented on a discussion: https://gitlab.com/gnutls/gnutls/-/issues/1401#note_1111937605 Thank you for your contribution. I will review the patch and maybe try to rework it a bit using the gnulib wrappers. Regarding the leftover context on the main thread. 
Wouldn't a call to `pthread_key_delete` inside of `_gnutls_rnd_deinit` help? After all, `_gnutls_rnd_deinit` should be called from the main thread.

Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1401#note_1111937605

Date: Fri, 23 Sep 2022 10:45:25 +0000
Subject: [gnutls-devel] GnuTLS | _gnutls_rnd_init allocates memory per thread but does not seem to deallocate it (#1401)

Pedro Marzo commented:

`pthread_key_delete` must be called on `_gnutls_rnd_deinit`, that is a bug of the patch. But that will free the key, not the context; as specified in the doc, it does not execute the destructors. https://pubs.opengroup.org/onlinepubs/009695299/functions/pthread_key_delete.html

I guess the safest approach is to call `pthread_key_delete` and free the context on `_gnutls_rnd_deinit`:

```c
void _gnutls_rnd_deinit(void)
{
	void *gnutls_rnd_ctx = pthread_getspecific(ctxkey);

	rnd_initialized = 0;
	/*
	 * Remove the key and free the context.
	 * The context is not freed from the main thread unless it exits
	 * with pthread_exit, which is not guaranteed.
	 * So we delete the key and free the context ourselves.
	 */
	pthread_key_delete(ctxkey);
	freectx(gnutls_rnd_ctx);
	_rnd_system_entropy_deinit();
}
```

Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1401#note_1112075188
Date: Fri, 23 Sep 2022 10:52:01 +0000
Subject: [gnutls-devel] GnuTLS | _gnutls_rnd_init allocates memory per thread but does not seem to deallocate it (#1401)

Zoltán Fridrich commented on a discussion: https://gitlab.com/gnutls/gnutls/-/issues/1401#note_1112084826

Right, I suggested the function before I read its man page Xd. Yes, the context also needs to be freed, that looks better.

Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1401#note_1112084826

Date: Fri, 23 Sep 2022 12:38:02 +0000
Subject: [gnutls-devel] GnuTLS | gnutls_rnd manage memory per-thread (!1647)

Zoltán Fridrich created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1647

Project:Branches: ZoltanFridrich/gnutls:zfridric_devel2 to gnutls/gnutls:master
Author: Zoltán Fridrich
Assignee: Zoltán Fridrich

Closes #1401

## Checklist

* [ ] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [ ] Code modified for feature
* [ ] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
* [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:

* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values,
  types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1647

Date: Fri, 23 Sep 2022 12:38:02 +0000
Subject: [gnutls-devel] GnuTLS | gnutls_rnd manage memory per-thread (!1647)

Reassigned merge request 1647 https://gitlab.com/gnutls/gnutls/-/merge_requests/1647

Assignee changed to Zoltán Fridrich

Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1647

Date: Fri, 23 Sep 2022 14:54:53 +0000
Subject: [gnutls-devel] GnuTLS | _gnutls_rnd_init allocates memory per thread but does not seem to deallocate it (#1401)

Zoltán Fridrich commented on a discussion: https://gitlab.com/gnutls/gnutls/-/issues/1401#note_1112508623

@petermartx I have opened a MR !1647. I would like to properly acknowledge your contribution in the commit message but I don't know your email address. If you let me know I could add it in.

Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1401#note_1112508623
Date: Fri, 23 Sep 2022 15:06:20 +0000
Subject: [gnutls-devel] GnuTLS | _gnutls_rnd_init allocates memory per thread but does not seem to deallocate it (#1401)

Pedro Marzo commented on a discussion: https://gitlab.com/gnutls/gnutls/-/issues/1401#note_1112525708

My email is marzo.pedro at gmail.com but I'm not sure I deserve any acknowledgement, my patch was just an idea. Anyway I am glad to help somehow.

Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1401#note_1112525708

Date: Sat, 24 Sep 2022 03:00:17 +0000
Subject: [gnutls-devel] GnuTLS | gnutls_rnd manage memory per-thread (!1647)

Merge request https://gitlab.com/gnutls/gnutls/-/merge_requests/1647 was reviewed by Daiki Ueno

--

Daiki Ueno started a new discussion on lib/random.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1647#note_1113011379

> -static _Thread_local unsigned rnd_initialized = 0;
> +gl_tls_key_t ctx_key;
> +_Thread_local unsigned rnd_initialized = 0;

Why not define as `static`?

--

Daiki Ueno started a new discussion on lib/random.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1647#note_1113011380

> - * used during deinitialization. */
> -GNUTLS_STATIC_MUTEX(gnutls_rnd_ctx_list_mutex);
> -static struct rnd_ctx_list_st *head = NULL;

We might want to keep this global list, because the glthread/tls documentation says: "On some platforms, the destructor function is not called at all."

Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1647

Date: Mon, 26 Sep 2022 06:49:45 +0000
Subject: [gnutls-devel] GnuTLS | boringssl early data is rejected by gnutls server because of the client ticket age > the server ticket age (#1403)

Tatsuhiro Tsujikawa commented:

boringssl's age calculation might be inaccurate, but there is no requirement for the server to check that the client ticket age must be smaller than or equal to the server ticket age. It is possible that the client clock might be adjusted between the time when it received the session ticket and actually using it, in a way that the client ticket age becomes 1 second larger, which can lead to this issue. I tested the BoringSSL client against OpenSSL, BoringSSL, wolfSSL, picotls, and GnuTLS servers, and only the GnuTLS server often fails to accept early data because of the check.

Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1403#note_1113698652
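The rounding the two comments above describe, worked through in an added C example (not GnuTLS or BoringSSL code; every timestamp is constructed): a millisecond-precision server age against a client age computed from whole seconds times 1000, evaluated under the current strict comparison, the `/ 1000` variant suggested above, and the one-second client clock adjustment Tatsuhiro mentions.

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed model of the ticket-age comparison from #1403; not GnuTLS or
 * BoringSSL code. All times are milliseconds on an arbitrary epoch. */

/* Server side: ticket issue and use times come from a millisecond clock. */
uint32_t server_ticket_age_ms(uint64_t issued_ms, uint64_t now_ms)
{
	return (uint32_t)(now_ms - issued_ms);
}

/* Client side as described for BoringSSL: both timestamps are truncated to
 * whole seconds before subtracting and the difference is multiplied by 1000,
 * so the value is always a multiple of 1000 and may overshoot the real
 * elapsed time by up to 999 ms. skew_ms models a clock adjustment on the
 * client between receiving the ticket and using it. */
uint32_t client_ticket_age_ms(uint64_t issued_ms, uint64_t now_ms, int64_t skew_ms)
{
	uint64_t issued_s = issued_ms / 1000;
	uint64_t now_s = (uint64_t)((int64_t)now_ms + skew_ms) / 1000;

	return (uint32_t)((now_s - issued_s) * 1000);
}

/* The check as it stands: reject when the server's age is the smaller one. */
bool strict_check_accepts(uint32_t server_age, uint32_t client_age)
{
	return !(server_age < client_age);
}

/* The relaxation floated in the thread: compare whole seconds only. */
bool coarse_check_accepts(uint32_t server_age, uint32_t client_age)
{
	return !(server_age / 1000 < client_age / 1000);
}

/* Outcome of one scenario under both checks. */
struct verdict {
	bool strict;
	bool coarse;
};

struct verdict judge(uint64_t issued_ms, uint64_t now_ms, int64_t skew_ms)
{
	uint32_t s = server_ticket_age_ms(issued_ms, now_ms);
	uint32_t c = client_ticket_age_ms(issued_ms, now_ms, skew_ms);
	struct verdict v = { strict_check_accepts(s, c), coarse_check_accepts(s, c) };

	return v;
}

/* Scenario 1: issued at 1000.5 s, used 1.9 s later, clocks in step. The server
 * sees 1900 ms; the client reports (1002 - 1000) * 1000 = 2000 ms. */
struct verdict rounding_scenario(void)
{
	return judge(1000500, 1002400, 0);
}

/* Scenario 2: truncation is harmless here (server 1900 ms, client 1000 ms),
 * but the client clock jumped forward 1 s in between, so it reports 2000 ms. */
struct verdict skew_scenario(void)
{
	return judge(1000000, 1001900, 1000);
}

/* Sweep issue times and elapsed times over a few seconds with clocks in step.
 * Returns how often the strict check rejects, or, with count_disagreements
 * set, how often the strict and coarse checks give different answers. */
static int sweep(bool count_disagreements)
{
	int n = 0;

	for (uint64_t issued = 1000000; issued < 1002000; issued += 37)
		for (uint64_t elapsed = 0; elapsed < 5000; elapsed += 53) {
			struct verdict v = judge(issued, issued + elapsed, 0);

			if (count_disagreements ? v.strict != v.coarse : !v.strict)
				n++;
		}
	return n;
}

int strict_rejections_in_sweep(void)
{
	return sweep(false);
}

/* Always 0: the client value is 1000*k, and server_age < 1000*k holds exactly
 * when server_age / 1000 < k, so the two checks accept and reject together. */
int strict_coarse_disagreements_in_sweep(void)
{
	return sweep(true);
}
```

The sweep confirms the two comparisons never differ: the client value is always 1000*k, and `server_age < 1000*k` is true exactly when `server_age / 1000 < k`.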
Date: Mon, 26 Sep 2022 07:03:42 +0000
Subject: [gnutls-devel] GnuTLS | gnutls_rnd manage memory per-thread (!1647)

Zoltán Fridrich commented on a discussion on lib/random.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1647#note_1113711739

> #endif
>
> /* Per thread context of random generator, and a flag to indicate initialization */
> -static _Thread_local void *gnutls_rnd_ctx;
> -static _Thread_local unsigned rnd_initialized = 0;
> +gl_tls_key_t ctx_key;
> +_Thread_local unsigned rnd_initialized = 0;

because global variables are static by default

Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1647#note_1113711739

Date: Mon, 26 Sep 2022 07:12:59 +0000
Subject: [gnutls-devel] GnuTLS | gnutls_rnd manage memory per-thread (!1647)

Daiki Ueno commented on a discussion on lib/random.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1647#note_1113722048

> #endif
>
> /* Per thread context of random generator, and a flag to indicate initialization */
> -static _Thread_local void *gnutls_rnd_ctx;
> -static _Thread_local unsigned rnd_initialized = 0;
> +gl_tls_key_t ctx_key;
> +_Thread_local unsigned rnd_initialized = 0;

That's not correct; see 6.2.2 of [n1250](https://www.open-std.org/jtc1/sc22/wg14/www/docs/n1256.pdf):

> There are three kinds of linkage: external, internal, and none. [...]
> If the declaration of a file scope identifier for an object or a function contains the storage-class specifier static, the identifier has internal linkage. [...]
> If the declaration of an identifier for an object has file scope and no storage-class specifier, its linkage is external.

If you check with `nm -g random.o`, you will see something like `0000000000000000 B rnd_initialized`.

Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1647#note_1113722048

Date: Mon, 26 Sep 2022 07:17:09 +0000
Subject: [gnutls-devel] GnuTLS | Incomplete API listing under NEWS (#1406)

Daiki Ueno commented:

Sure, patches are welcome :-)

Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1406#note_1113726692

Date: Mon, 26 Sep 2022 07:20:58 +0000
Subject: [gnutls-devel] GnuTLS | Failed to set TLS options (default:). error: The request is invalid. (#1405)

Daiki Ueno commented:

Are you sure that either squid or curl is using GnuTLS for TLS? I only see:

> curl version curl 7.47.1 (x86_64-redhat-linux-gnu) libcurl/7.47.1 OpenSSL/1.0.2s zlib/1.2.7 libidn/1.28 libssh2/1.4.3 nghttp2/1.31.1

That probably means it only links to OpenSSL.
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1405#note_1113731059

Date: Mon, 26 Sep 2022 07:30:53 +0000
Subject: [gnutls-devel] GnuTLS | gnutls_rnd manage memory per-thread (!1647)

Zoltán Fridrich commented on a discussion on lib/random.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1647#note_1113743433

> #endif
>
> /* Per thread context of random generator, and a flag to indicate initialization */
> -static _Thread_local void *gnutls_rnd_ctx;
> -static _Thread_local unsigned rnd_initialized = 0;
> +gl_tls_key_t ctx_key;
> +_Thread_local unsigned rnd_initialized = 0;

This kind of blew my mind right now. I am pretty sure that I read it in a book at some point and I did not just make it up. Very good to know, thank you. I should definitely put them as static then.

Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1647#note_1113743433

Date: Mon, 26 Sep 2022 11:40:18 +0000
Subject: [gnutls-devel] GnuTLS | gnutls_rnd manage memory per-thread (!1647)

Zoltán Fridrich started a new discussion on lib/random.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1647#note_1114215674

> -
> -/* A global list of all allocated contexts - to be
> - * used during deinitialization. */
> -GNUTLS_STATIC_MUTEX(gnutls_rnd_ctx_list_mutex);
> -static struct rnd_ctx_list_st *head = NULL;
> +static size_t hhasher(const void *entry, size_t n)
> +{
> + (void)entry;
> + return gl_thread_self() % n;
> +}
>
> -static int append(void *ctx)
> +static void free_ctx(void *ctx)
> {
> - struct rnd_ctx_list_st *e = gnutls_malloc(sizeof(*e));
> + hash_remove(htable, ctx);

might cause problems when set as data_freer in hash_initialize

Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1647#note_1114215674

Date: Mon, 26 Sep 2022 11:40:54 +0000
Subject: [gnutls-devel] GnuTLS | gnutls_rnd manage memory per-thread (!1647)

Zoltán Fridrich started a new discussion on lib/random.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1647#note_1114217055

>
> void _gnutls_rnd_deinit(void)
> {
> - if (_gnutls_rnd_ops.deinit != NULL) {
> - struct rnd_ctx_list_st *e = head, *next;
> -
> - while(e != NULL) {
> - next = e->next;
> - _gnutls_rnd_ops.deinit(e->ctx);
> - gnutls_free(e);
> - e = next;
> - }
> - head = NULL;
> - }
> -
> + free_ctx(gl_tls_get(ctx_key));

unnecessary

Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1647#note_1114217055
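Review bot: `hhasher` in the lib/random.c hunk ignores its `entry` argument and returns `gl_thread_self() % n`, so the bucket a context lands in depends on the thread performing the lookup rather than on the stored entry; a `hash_remove(htable, ctx)` issued from any thread other than the one that inserted the context (the main thread running deinitialization, for instance) probes the wrong bucket and misses. Record the owning thread id in the entry and hash on that, or key the table on the context pointer itself. The same hunk's `free_ctx` calling `hash_remove` is also what makes it unsafe as the table's `data_freer`: clearing or freeing the table would re-enter `hash_remove` on the table being torn down, so pass a plain release callback to `hash_initialize` and keep the remove separate.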
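Review bot: the replacement body of `_gnutls_rnd_deinit`, `free_ctx(gl_tls_get(ctx_key))`, releases only the calling thread's context and does nothing for contexts owned by other threads that the removed list walk used to cover; it also leaves the caller's thread-local slot pointing at freed memory, so a later `gl_tls_get(ctx_key)` in that thread returns a dangling pointer. Either drop the call and let the table tear-down release all contexts, as suggested, or clear the slot with `gl_tls_set(ctx_key, NULL)` right after freeing.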
Date: Mon, 26 Sep 2022 11:45:20 +0000
Subject: [gnutls-devel] GnuTLS | gnutls_rnd manage memory per-thread (!1647)

Zoltán Fridrich commented on a discussion on lib/random.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1647#note_1114227861

>
> /* Per thread context of random generator, and a flag to indicate initialization */
> -static _Thread_local void *gnutls_rnd_ctx;
> -static _Thread_local unsigned rnd_initialized = 0;
> +gl_tls_key_t ctx_key;
> +_Thread_local unsigned rnd_initialized = 0;
>
> -struct rnd_ctx_list_st {
> - void *ctx;
> - struct rnd_ctx_list_st *next;
> -};
> -
> -/* A global list of all allocated contexts - to be
> - * used during deinitialization. */
> -GNUTLS_STATIC_MUTEX(gnutls_rnd_ctx_list_mutex);
> -static struct rnd_ctx_list_st *head = NULL;

I have added a hash table where the key is the calling thread's ID. We can't really use a linked list as we would have to index the contexts inside by the thread ID anyway, otherwise we wouldn't be able to free the contexts on thread exit. Not sure though what to do if a collision were to happen.

Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1647#note_1114227861
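Review bot: this hunk deletes `GNUTLS_STATIC_MUTEX(gnutls_rnd_ctx_list_mutex)` together with the list it protected, but the hash table that replaces the list is mutated from every thread (the `hash_remove` in `free_ctx`, plus the insert on each thread's first use described in the comment) and nothing in the diff takes over the locking; gnulib's hash table does no locking of its own, so keep a static mutex around insert, lookup and remove rather than dropping it with the list.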
Date: Mon, 26 Sep 2022 12:36:04 +0000
Subject: [gnutls-devel] GnuTLS | gnutls_rnd manage memory per-thread (!1647)

Zoltán Fridrich started a new discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/1647#note_1114328299

Semaphores are missing for the concurrent hash table management

Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1647#note_1114328299

Date: Mon, 26 Sep 2022 15:16:20 +0000
Subject: [gnutls-devel] GnuTLS | gnutls_rnd manage memory per-thread (!1647)

All discussions on merge request !1647 were resolved by Zoltán Fridrich

https://gitlab.com/gnutls/gnutls/-/merge_requests/1647

Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1647
Date: Mon, 26 Sep 2022 23:29:28 +0000
Subject: [gnutls-devel] GnuTLS | gnutls_rnd manage memory per-thread (!1647)

Daiki Ueno commented on a discussion on lib/random.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1647#note_1115177278

>
> /* Per thread context of random generator, and a flag to indicate initialization */
> -static _Thread_local void *gnutls_rnd_ctx;
> -static _Thread_local unsigned rnd_initialized = 0;
> +gl_tls_key_t ctx_key;
> +_Thread_local unsigned rnd_initialized = 0;
>
> -struct rnd_ctx_list_st {
> - void *ctx;
> - struct rnd_ctx_list_st *next;
> -};
> -
> -/* A global list of all allocated contexts - to be
> - * used during deinitialization. */
> -GNUTLS_STATIC_MUTEX(gnutls_rnd_ctx_list_mutex);
> -static struct rnd_ctx_list_st *head = NULL;

An alternative approach would be to make the list entry object (`struct rnd_ctx_list_st *head`) thread-local instead of the actual context (`void *ctx`). In the TLS destructor, you could release `head->ctx` and set it to NULL. Then in the global destructor, you could traverse the list and release the elements, something like:

```c
struct rnd_ctx_list_st {
	void *ctx;
	struct rnd_ctx_list_st *next;
};

static struct rnd_ctx_list_st *head = NULL;

...

static void *
rnd_ctx_list_destructor(void *p)
{
	struct rnd_ctx_list_st *e = p;

	free_ctx(e->ctx);
	e->ctx = NULL;
	return NULL;
}

...

static inline int _gnutls_rnd_init(void)
{
	...
	glthread_tls_key_init(&ctx_key, rnd_ctx_list_destructor);
	glthread_tls_set(&ctx_key, ctx);
	...
}

...

void _gnutls_rnd_deinit(void)
{
	struct rnd_ctx_list_st *e = head;

	while (e) {
		struct rnd_ctx_list_st *next = e->next;
		free_ctx(e->ctx);
		gnutls_free(e);
		e = next;
	}
	head = NULL;
}
```

One drawback with this approach is that if the destructor is not called on some platforms, list entries will remain unreleased, though it's only until `_gnutls_rnd_deinit` is called.

Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1647#note_1115177278

Date: Tue, 27 Sep 2022 06:02:05 +0000
Subject: [gnutls-devel] GnuTLS | WIP: KTLS key update support (!1625)

Daiki Ueno commented:

The logic looks pretty solid now and also CI is passing. Can we merge this?

Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1625#note_1115437528
Date: Tue, 27 Sep 2022 06:02:06 +0000
Subject: [gnutls-devel] GnuTLS | WIP: KTLS key update support (!1625)

Merge request https://gitlab.com/gnutls/gnutls/-/merge_requests/1625 was reviewed by Daiki Ueno

--

Daiki Ueno started a new discussion on lib/system/ktls.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1625#note_1115437509

>
> -int _gnutls_ktls_set_keys(gnutls_session_t session)
> +gnutls_transport_ktls_enable_flags_t

I would keep the return type as `int`, because this function could return error codes, which are not part of the `gnutls_transport_ktls_enable_flags_t` enum, and that may confuse the caller.

--

Daiki Ueno started a new discussion on lib/handshake.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1625#note_1115437512

> if (IS_KTLS_ENABLED(session, GNUTLS_KTLS_DUPLEX)) {
> - _gnutls_ktls_set_keys(session);
> + _gnutls_ktls_set_keys(session, GNUTLS_KTLS_DUPLEX);

No check on the return value?

--

Daiki Ueno started a new discussion on lib/tls13/key_update.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1625#note_1115437517

> ret = _tls13_write_connection_state_init(session, stage);
> + if (IS_KTLS_ENABLED(session, GNUTLS_KTLS_SEND))
> + ret = _gnutls_ktls_set_keys(session, GNUTLS_KTLS_SEND);

This overwrites `ret` previously set. Maybe we could add:

```c
if (ret < 0)
	return gnutls_assert_val(ret);
```

before the `if`?

--

Daiki Ueno started a new discussion on lib/record.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1625#note_1115437520

>
> /* When using this, the outgoing handshake messages should
> * also be handled manually */

Good to expand the comment explaining why KTLS is special here.
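Review bot: in the lib/tls13/key_update.c hunk, `ret = _gnutls_ktls_set_keys(session, GNUTLS_KTLS_SEND)` replaces the value `_tls13_write_connection_state_init` returned, so when KTLS send is enabled a failure to set up the new write state is lost whenever the kernel key install succeeds, and the key update continues on a state that was never initialised; test `ret < 0` and return `gnutls_assert_val(ret)` between the two statements, as already suggested, so each step's error is propagated on its own.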
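Review bot: in the lib/handshake.c hunk, the result of `_gnutls_ktls_set_keys(session, GNUTLS_KTLS_DUPLEX)` is discarded, so if the kernel rejects the keys the session keeps the `GNUTLS_KTLS_DUPLEX` flag set while no keys were installed, and nothing tells the caller; assign the result and return `gnutls_assert_val(ret)` on a negative value, matching how the surrounding handshake code reports failures.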
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1625

Date: Tue, 27 Sep 2022 07:23:30 +0000
Subject: [gnutls-devel] GnuTLS | gnutls_rnd manage memory per-thread (!1647)

Zoltán Fridrich commented on a discussion on lib/random.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1647#note_1115527568

>
> /* Per thread context of random generator, and a flag to indicate initialization */
> -static _Thread_local void *gnutls_rnd_ctx;
> -static _Thread_local unsigned rnd_initialized = 0;
> +gl_tls_key_t ctx_key;
> +_Thread_local unsigned rnd_initialized = 0;
>
> -struct rnd_ctx_list_st {
> - void *ctx;
> - struct rnd_ctx_list_st *next;
> -};
> -
> -/* A global list of all allocated contexts - to be
> - * used during deinitialization. */
> -GNUTLS_STATIC_MUTEX(gnutls_rnd_ctx_list_mutex);
> -static struct rnd_ctx_list_st *head = NULL;

I have used the list from gnulib. This should be resolved. I guess it can be expected that the contexts will remain in use until rnd_deinit if the destructor isn't called on thread exit. If the destructor is called, then the context is also removed from the list.

Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1647#note_1115527568
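The list-plus-destructor layout sketched in this discussion (the entry is thread-local, the destructor releases only the context, the global deinit sweeps the list and deletes the key), as an added self-contained C example written with plain pthreads rather than the gnulib glthread wrappers the merge request uses; it is not GnuTLS code, `rnd_ctx` is a toy, and the counters exist only so the tear-down can be checked.

```c
#include <pthread.h>
#include <stdlib.h>
#include <string.h>

/* Toy stand-ins, not GnuTLS code. The thread-local value is the list entry,
 * not the context: the key destructor frees only the context, and the global
 * deinit walks the list to free whatever is left (the main thread's context,
 * or every entry on platforms where destructors never run) before deleting
 * the key, which by itself runs no destructors. */
struct rnd_ctx { unsigned char state[32]; };
struct rnd_ctx_list_st { struct rnd_ctx *ctx; struct rnd_ctx_list_st *next; };

static pthread_key_t ctx_key;
static int key_created;
static pthread_mutex_t list_mutex = PTHREAD_MUTEX_INITIALIZER;
static struct rnd_ctx_list_st *head;
int contexts_allocated, contexts_freed, freed_by_destructor; /* guarded by list_mutex */

/* Caller holds list_mutex. Wipe before free so generator state does not linger. */
static void free_ctx(struct rnd_ctx *ctx)
{
	if (ctx == NULL) return;
	memset(ctx, 0, sizeof(*ctx));
	free(ctx);
	contexts_freed++;
}

/* Key destructor: runs at thread exit where the platform supports it. */
static void rnd_ctx_list_destructor(void *p)
{
	struct rnd_ctx_list_st *e = p;
	pthread_mutex_lock(&list_mutex);
	free_ctx(e->ctx);
	e->ctx = NULL;	/* the entry stays listed until global deinit */
	freed_by_destructor++;
	pthread_mutex_unlock(&list_mutex);
}

int rnd_global_init(void)
{
	if (!key_created && pthread_key_create(&ctx_key, rnd_ctx_list_destructor) != 0)
		return -1;
	key_created = 1;
	contexts_allocated = contexts_freed = freed_by_destructor = 0;
	return 0;
}

/* Per-thread init: allocate on first use and register the entry globally. */
struct rnd_ctx *rnd_thread_ctx(void)
{
	struct rnd_ctx_list_st *e = pthread_getspecific(ctx_key);
	if (e != NULL) return e->ctx;
	e = calloc(1, sizeof(*e));
	if (e == NULL) return NULL;
	e->ctx = calloc(1, sizeof(*e->ctx));
	if (e->ctx == NULL || pthread_setspecific(ctx_key, e) != 0) {
		free(e->ctx);
		free(e);
		return NULL;
	}
	pthread_mutex_lock(&list_mutex);
	e->next = head;
	head = e;
	contexts_allocated++;
	pthread_mutex_unlock(&list_mutex);
	return e->ctx;
}

/* Global deinit from the main thread: free leftovers, then drop the key. */
void rnd_global_deinit(void)
{
	struct rnd_ctx_list_st *e, *next;
	pthread_mutex_lock(&list_mutex);
	for (e = head; e != NULL; e = next) {
		next = e->next;
		free_ctx(e->ctx);	/* NULL when the destructor already ran */
		free(e);
	}
	head = NULL;
	pthread_mutex_unlock(&list_mutex);
	if (key_created) pthread_key_delete(ctx_key);
	key_created = 0;
}

static void *worker(void *arg)
{
	(void)arg;
	return rnd_thread_ctx();	/* destructor fires when this thread exits */
}

/* Run nthreads workers plus a main-thread context; return contexts leaked. */
int run_demo(int nthreads)
{
	pthread_t tid[16];
	if (nthreads > 16 || rnd_global_init() != 0) return -1;
	for (int i = 0; i < nthreads; i++)
		pthread_create(&tid[i], NULL, worker, NULL);
	for (int i = 0; i < nthreads; i++)
		pthread_join(tid[i], NULL);
	rnd_thread_ctx();	/* main thread: no destructor will ever run for it */
	rnd_global_deinit();
	return contexts_allocated - contexts_freed;
}
```

With four workers, the four worker contexts are released by the destructor at thread exit and the main thread's context by the final sweep, so nothing leaks.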
Date: Tue, 27 Sep 2022 07:23:35 +0000
Subject: [gnutls-devel] GnuTLS | gnutls_rnd manage memory per-thread (!1647)

All discussions on merge request !1647 were resolved by Zoltán Fridrich

https://gitlab.com/gnutls/gnutls/-/merge_requests/1647

Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1647

Date: Tue, 27 Sep 2022 07:58:23 +0000
Subject: [gnutls-devel] GnuTLS | Discussion: tarball signing practice (#1407)

Daiki Ueno created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1407

We recently [started](https://gitlab.com/gnutls/web-pages/-/issues/3) signing release tarballs with multiple keys. As that imposes some overhead in the release process, it might need further discussion.

- Do we want to keep this practice (multiple signatures)? What are the benefits and drawbacks?
- Is the keyring management good enough?
- Can we simplify the process by automation, e.g., by signing with a vault key shared by multiple people as in libreswan?

Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1407
Date: Tue, 27 Sep 2022 10:19:39 +0000
Subject: [gnutls-devel] GnuTLS | _gnutls_rnd_init allocates memory per thread but does not seem to deallocate it (#1401)

Zoltán Fridrich commented:

@petermartx @ryanhope97 Fix is ready. I have seen this issue being discussed here as well: https://bugs.gnunet.org/view.php?id=7308. Could you try the !1647 patch and tell me if it helped?

Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1401#note_1115798008

Date: Tue, 27 Sep 2022 10:40:02 +0000
Subject: [gnutls-devel] GnuTLS | accelerated: avoid symbol export mismatch with _gnutls_x86_cpuid_s (!1642)

Merge request !1642 was approved by Zoltán Fridrich

Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1642
Project:Branches: dueno/gnutls:wip/dueno/cpuid-symbol-rename to gnutls/gnutls:master
Author: Daiki Ueno
Assignee: Daiki Ueno
Reviewer: Alexander Sosedkin

Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1642
Date: Tue, 27 Sep 2022 10:40:24 +0000
Subject: [gnutls-devel] GnuTLS | accelerated: avoid symbol export mismatch with _gnutls_x86_cpuid_s (!1642)

Zoltán Fridrich commented:

Don't see any problem with this patch. Approving.

Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1642#note_1115830623

Date: Tue, 27 Sep 2022 10:40:32 +0000
Subject: [gnutls-devel] GnuTLS | gnutls 3.7.5 libgnutls-symbols.expsym not in: lib/.libs/libgnutls.30.dylib (#1370)

Issue was closed by Zoltán Fridrich via merge request !1642 (https://gitlab.com/gnutls/gnutls/-/merge_requests/1642)

Issue #1370: https://gitlab.com/gnutls/gnutls/-/issues/1370

Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1370
Date: Tue, 27 Sep 2022 10:40:31 +0000
Subject: [gnutls-devel] GnuTLS | accelerated: avoid symbol export mismatch with _gnutls_x86_cpuid_s (!1642)

Merge request !1642 was merged

Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1642
Project:Branches: dueno/gnutls:wip/dueno/cpuid-symbol-rename to gnutls/gnutls:master
Author: Daiki Ueno
Assignee: Daiki Ueno
Reviewer: Alexander Sosedkin

Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1642

Date: Tue, 27 Sep 2022 11:12:03 +0000
Subject: [gnutls-devel] GnuTLS | Release 3.7.8 (!1646)

Alexander Sosedkin marked merge request !1646 as ready

Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1646
URL:

From gnutls-devel at lists.gnutls.org Tue Sep 27 13:14:50 2022
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Tue, 27 Sep 2022 11:14:50 +0000
Subject: [gnutls-devel] GnuTLS | Release 3.7.8 (!1646)
In-Reply-To: References: Message-ID:

Reassigned merge request 1646 https://gitlab.com/gnutls/gnutls/-/merge_requests/1646

Assignee changed to Alexander Sosedkin

-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1646
You're receiving this email because of your account on gitlab.com.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From gnutls-devel at lists.gnutls.org Tue Sep 27 13:16:33 2022
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Tue, 27 Sep 2022 11:16:33 +0000
Subject: [gnutls-devel] GnuTLS | Release 3.7.8 (!1646)
In-Reply-To: References: Message-ID:

Merge request !1646 was approved by Zoltán Fridrich

Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1646
Project:Branches: asosedkin/gnutls:3.7.8 to gnutls/gnutls:master
Author: Alexander Sosedkin
Assignee: Alexander Sosedkin
Reviewers:

-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1646
You're receiving this email because of your account on gitlab.com.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From gnutls-devel at lists.gnutls.org Tue Sep 27 13:17:14 2022
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Tue, 27 Sep 2022 11:17:14 +0000
Subject: [gnutls-devel] GnuTLS | Release 3.7.8 (!1646)
In-Reply-To: References: Message-ID:

Merge request !1646 was scheduled to merge after pipeline succeeds by Zoltán Fridrich

Merge request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1646
Project:Branches: asosedkin/gnutls:3.7.8 to gnutls/gnutls:master
Author: Alexander Sosedkin
Assignee: Alexander Sosedkin
Reviewers:

-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1646
You're receiving this email because of your account on gitlab.com.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From gnutls-devel at lists.gnutls.org Tue Sep 27 13:50:16 2022
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Tue, 27 Sep 2022 11:50:16 +0000
Subject: [gnutls-devel] GnuTLS | _gnutls_rnd_init allocates memory per thread but does not seem to deallocate it (#1401)
In-Reply-To: References: Message-ID:

Pedro Marzo commented on a discussion: https://gitlab.com/gnutls/gnutls/-/issues/1401#note_1115929245

It works fine for me, heap memory usage is not increased. Thank you Zoltán!

![image](/uploads/7b92f8bba6284745ae642f86339460fd/image.png)

-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1401#note_1115929245
You're receiving this email because of your account on gitlab.com.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From gnutls-devel at lists.gnutls.org Tue Sep 27 14:39:19 2022
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Tue, 27 Sep 2022 12:39:19 +0000
Subject: [gnutls-devel] GnuTLS | Release 3.7.8 (!1646)
In-Reply-To: References: Message-ID:

Merge request !1646 was merged

Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1646
Project:Branches: asosedkin/gnutls:3.7.8 to gnutls/gnutls:master
Author: Alexander Sosedkin
Assignee: Alexander Sosedkin

-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1646
You're receiving this email because of your account on gitlab.com.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From gnutls-devel at lists.gnutls.org Wed Sep 28 09:20:49 2022
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Wed, 28 Sep 2022 07:20:49 +0000
Subject: [gnutls-devel] GnuTLS | boringssl early data is rejected by gnutls server because of the client ticket age > the server ticket age (#1403)
In-Reply-To: References: Message-ID:

Daiki Ueno commented:

Hello, GnuTLS implements [Client Hello Recording](https://datatracker.ietf.org/doc/html/rfc8446#section-8.2) to detect replay attacks and the condition `server_ticket_age >= client_ticket_age` is a prerequisite to calculate [expected_arrival_time](https://datatracker.ietf.org/doc/html/rfc8446#section-8.3), though we ignore estimated RTT. Perhaps adding this parameter as a margin might mitigate the issue.

-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1403#note_1117024113
You're receiving this email because of your account on gitlab.com.
-------------- next part --------------
An HTML attachment was scrubbed...
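The freshness check discussed in #1403 above, as an added, self-contained example rather than GnuTLS's own code: the client masks its ticket age with `ticket_age_add` (RFC 8446, 4.2.11.1), the server unmasks it, requires `client_ticket_age <= server_ticket_age` plus an optional margin standing in for the estimated RTT the RFC folds into `adjusted_creation_time`, and then compares `expected_arrival_time` with the actual arrival time (RFC 8446, 8.3). Every timestamp and the `0x9ABCDEF0` mask are constructed values; the function names and the `rtt_margin_ms` parameter are this example's, not a GnuTLS API.

```c
#include <stdint.h>
#include <stdio.h>

/* Verdicts for a 0-RTT ClientHello based on the ticket-age check. */
enum early_data_verdict {
	EARLY_DATA_ACCEPT = 0,
	EARLY_DATA_REJECT_AGE,    /* client's age exceeds the server's own count plus margin */
	EARLY_DATA_REJECT_WINDOW  /* expected arrival too far from actual: stale or replayed */
};

/* Client side (RFC 8446, 4.2.11.1): milliseconds since the ticket was received,
   masked with the ticket_age_add that came with the ticket.  Unsigned wrap-around
   is the "mod 2^32". */
uint32_t obfuscate_ticket_age(uint32_t ticket_age_ms, uint32_t ticket_age_add)
{
	return ticket_age_ms + ticket_age_add;
}

/* Server side (RFC 8446, 8.3).  creation_time_ms and ticket_age_add are what the
   server stored, or sealed into the ticket, when it issued it.  rtt_margin_ms is
   the estimated RTT the RFC adds to the creation time; 0 gives the strict
   server_ticket_age >= client_ticket_age rule. */
enum early_data_verdict check_early_data_age(uint64_t creation_time_ms,
					     uint32_t ticket_age_add,
					     uint32_t obfuscated_ticket_age,
					     uint64_t now_ms,
					     uint32_t rtt_margin_ms,
					     uint32_t replay_window_ms)
{
	/* Unmask: (obfuscated_ticket_age - ticket_age_add) mod 2^32 */
	uint32_t client_ticket_age = obfuscated_ticket_age - ticket_age_add;
	uint64_t server_ticket_age = now_ms - creation_time_ms;

	/* The client started counting only after the ticket reached it, so its age
	   cannot honestly exceed the server's.  A client whose clock runs slightly
	   fast overshoots by a few milliseconds; the margin absorbs that instead of
	   discarding the early data outright. */
	if ((uint64_t)client_ticket_age > server_ticket_age + rtt_margin_ms)
		return EARLY_DATA_REJECT_AGE;

	/* expected_arrival_time = adjusted_creation_time + client_ticket_age */
	uint64_t expected_arrival_ms = creation_time_ms + rtt_margin_ms + client_ticket_age;
	uint64_t skew_ms = now_ms > expected_arrival_ms ? now_ms - expected_arrival_ms
						       : expected_arrival_ms - now_ms;
	/* A replayed ClientHello carries the same obfuscated age but shows up later,
	   so its expected arrival drifts away from when it actually arrived. */
	if (skew_ms > replay_window_ms)
		return EARLY_DATA_REJECT_WINDOW;

	return EARLY_DATA_ACCEPT;
}

static const char *verdict_name(enum early_data_verdict v)
{
	switch (v) {
	case EARLY_DATA_ACCEPT:        return "accept";
	case EARLY_DATA_REJECT_AGE:    return "reject (client age > server age)";
	case EARLY_DATA_REJECT_WINDOW: return "reject (outside replay window)";
	}
	return "?";
}

int main(void)
{
	/* Constructed scenario: ticket issued at t=1000000 ms, mask 0x9ABCDEF0. */
	const uint64_t created = 1000000;
	const uint32_t add = 0x9ABCDEF0u;
	uint32_t fast_clock = obfuscate_ticket_age(60020, add);  /* claims 20 ms more than the server */
	uint32_t honest     = obfuscate_ticket_age(59970, add);  /* ticket took 30 ms to arrive */

	printf("fast clock, no margin:   %s\n", verdict_name(check_early_data_age(created, add, fast_clock, 1060000, 0, 10000)));
	printf("fast clock, 100ms margin: %s\n", verdict_name(check_early_data_age(created, add, fast_clock, 1060000, 100, 10000)));
	printf("honest client:           %s\n", verdict_name(check_early_data_age(created, add, honest, 1060000, 0, 10000)));
	printf("same hello 30s later:    %s\n", verdict_name(check_early_data_age(created, add, honest, 1090000, 0, 10000)));
	return 0;
}
```

The second and fourth cases are the ones that matter: a small margin lets a client whose clock runs a few milliseconds fast through the strict age check, while the arrival-window comparison still rejects the same ClientHello when it is replayed well outside the window.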
URL:

From gnutls-devel at lists.gnutls.org Wed Sep 28 22:51:46 2022
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Wed, 28 Sep 2022 20:51:46 +0000
Subject: [gnutls-devel] GnuTLS | Discussion: tarball signing practice (#1407)
In-Reply-To: References: Message-ID:

Adam Sampson commented:

One downside of multiple signatures with the 3.7.8 release: one of the signatures on the tarball is from Alexander Sosedkin, whose key isn't in the [release keyring](https://www.gnutls.org/gnutls-release-keyring.gpg) linked from the download page (and isn't listed on the [maintainers page](https://www.gnutls.org/contrib.html)). So, as a packager, when I import the keyring with GnuPG and then try to verify the tarball's signature, it fails because one of the signatures can't be verified even though the other two are OK.

It'd be good to check that the keyring is up to date as part of the release process.

-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1407#note_1118249186
You're receiving this email because of your account on gitlab.com.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From gnutls-devel at lists.gnutls.org Thu Sep 29 10:49:30 2022
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Thu, 29 Sep 2022 08:49:30 +0000
Subject: [gnutls-devel] GnuTLS | Add a priority string modifier to disable sending status_request extension (#1378)
In-Reply-To: References: Message-ID:

Milestone changed to Release of GnuTLS 3.8.0 ( https://gitlab.com/gnutls/gnutls/-/milestones/30 )

-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1378
You're receiving this email because of your account on gitlab.com.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From gnutls-devel at lists.gnutls.org Thu Sep 29 10:49:35 2022
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Thu, 29 Sep 2022 08:49:35 +0000
Subject: [gnutls-devel] GnuTLS | Add a priority string modifier to disable sending status_request extension (#1378)
In-Reply-To: References: Message-ID:

Reassigned Issue 1378 https://gitlab.com/gnutls/gnutls/-/issues/1378

Assignee changed to Zoltán Fridrich

-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1378
You're receiving this email because of your account on gitlab.com.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From gnutls-devel at lists.gnutls.org Thu Sep 29 10:51:45 2022
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Thu, 29 Sep 2022 08:51:45 +0000
Subject: [gnutls-devel] GnuTLS | Discussion: tarball signing practice (#1407)
In-Reply-To: References: Message-ID:

Alexander Sosedkin commented:

I've appended the key in https://gitlab.com/gnutls/web-pages/-/commit/f1881d8d8fadc2fdefe69788c3b6ced3951ca29e

-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1407#note_1118727614
You're receiving this email because of your account on gitlab.com.
-------------- next part --------------
An HTML attachment was scrubbed...
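The packager's problem in the #1407 thread above is that `gpg --verify` treats a multi-signature detached signature as failed as soon as one signer is missing from the keyring, even when the other signatures are good. A packager who wants a defined policy instead of gpg's overall exit status can read the machine-readable `--status-fd` lines and decide per signature. The code below is an added example, not GnuTLS's or any distribution's tooling: it parses the `[GNUPG:] GOODSIG` / `BADSIG` / `NO_PUBKEY` / `ERRSIG` keywords from constructed sample output (placeholder key IDs and user IDs, not real release keys) and accepts when enough keyring keys verified and none produced a bad signature. The `gnutls-3.7.8.tar.xz` / `.sig` file names in the comment are assumed.

```c
#include <stdio.h>
#include <string.h>

/* Tally of the per-signature status lines gpg writes to --status-fd. */
struct sig_summary {
	int good;         /* GOODSIG: verified with a key that is in the keyring */
	int bad;          /* BADSIG: a keyring key signed, but the signature does not match */
	int missing_key;  /* NO_PUBKEY: the signer's key is not in the keyring */
	int errsig;       /* ERRSIG: the signature could not be checked at all */
};

/* True when line starts with the keyword followed by a space or end of line. */
static int has_keyword(const char *line, size_t len, const char *kw)
{
	size_t kl = strlen(kw);
	return len >= kl && strncmp(line, kw, kl) == 0 && (len == kl || line[kl] == ' ');
}

/* Walk "[GNUPG:] KEYWORD ..." lines and count the ones the policy cares about. */
struct sig_summary summarize_gpg_status(const char *status_output)
{
	static const char prefix[] = "[GNUPG:] ";
	const size_t plen = sizeof prefix - 1;
	struct sig_summary s = { 0, 0, 0, 0 };
	const char *p = status_output;

	while (*p) {
		const char *nl = strchr(p, '\n');
		size_t len = nl ? (size_t)(nl - p) : strlen(p);
		if (len > plen && strncmp(p, prefix, plen) == 0) {
			const char *kw = p + plen;
			size_t kl = len - plen;
			if (has_keyword(kw, kl, "GOODSIG")) s.good++;
			else if (has_keyword(kw, kl, "BADSIG")) s.bad++;
			else if (has_keyword(kw, kl, "NO_PUBKEY")) s.missing_key++;
			else if (has_keyword(kw, kl, "ERRSIG")) s.errsig++;
		}
		if (!nl) break;
		p = nl + 1;
	}
	return s;
}

/* Packager's policy:
   - any BADSIG is fatal: a key we trust signed something that does not match;
   - an ERRSIG is fatal unless it is explained by a NO_PUBKEY (unknown signer);
   - at least min_good signatures from keyring keys must verify.
   Extra signatures from keys outside the keyring neither help nor hurt. */
int tarball_signature_ok(const char *status_output, int min_good)
{
	struct sig_summary s = summarize_gpg_status(status_output);
	if (s.bad > 0) return 0;
	if (s.errsig > s.missing_key) return 0;
	return s.good >= min_good;
}

/* Constructed stand-in for gpg's status output on a detached signature file
   carrying three signatures, one of them from a key absent from the keyring.
   Key IDs and user IDs are placeholders. */
static const char sample_two_good_one_unknown[] =
	"[GNUPG:] NEWSIG\n"
	"[GNUPG:] GOODSIG 0123456789ABCDEF Release Key One (constructed)\n"
	"[GNUPG:] NEWSIG\n"
	"[GNUPG:] GOODSIG FEDCBA9876543210 Release Key Two (constructed)\n"
	"[GNUPG:] NEWSIG\n"
	"[GNUPG:] ERRSIG 1122334455667788 1 10 00 1664400000 9\n"
	"[GNUPG:] NO_PUBKEY 1122334455667788\n";

/* Constructed: one good signature and one that does not verify. */
static const char sample_one_bad[] =
	"[GNUPG:] NEWSIG\n"
	"[GNUPG:] GOODSIG 0123456789ABCDEF Release Key One (constructed)\n"
	"[GNUPG:] NEWSIG\n"
	"[GNUPG:] BADSIG FEDCBA9876543210 Release Key Two (constructed)\n";

int main(void)
{
	/* In real use the status text would be captured (e.g. via popen()) from
	     gpg --status-fd 1 --no-default-keyring --keyring ./gnutls-release-keyring.gpg \
	         --verify gnutls-3.7.8.tar.xz.sig gnutls-3.7.8.tar.xz
	   The constructed samples above stand in for that output. */
	printf("two good + one unknown signer, need 2: %s\n",
	       tarball_signature_ok(sample_two_good_one_unknown, 2) ? "accept" : "reject");
	printf("two good + one unknown signer, need 3: %s\n",
	       tarball_signature_ok(sample_two_good_one_unknown, 3) ? "accept" : "reject");
	printf("one good + one bad, need 1:           %s\n",
	       tarball_signature_ok(sample_one_bad, 1) ? "accept" : "reject");
	return 0;
}
```

The policy deliberately separates "unknown signer" from "bad signature": a signature from a key the keyring does not contain says nothing about the tarball either way, whereas a BADSIG from a key the keyring does contain is exactly the event verification exists to catch, so it must stay fatal no matter how many other signatures are good.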
URL:

From gnutls-devel at lists.gnutls.org Thu Sep 29 11:41:40 2022
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Thu, 29 Sep 2022 09:41:40 +0000
Subject: [gnutls-devel] GnuTLS | _gnutls_rnd_init allocates memory per thread but does not seem to deallocate it (#1401)
In-Reply-To: References: Message-ID:

Milestone changed to Release of GnuTLS 3.8.0 ( https://gitlab.com/gnutls/gnutls/-/milestones/30 )

-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1401
You're receiving this email because of your account on gitlab.com.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From gnutls-devel at lists.gnutls.org Thu Sep 29 11:42:09 2022
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Thu, 29 Sep 2022 09:42:09 +0000
Subject: [gnutls-devel] GnuTLS | Reduce sensitive language (!1640)
In-Reply-To: References: Message-ID:

Merge request !1640 was merged

Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1640
Project:Branches: ZoltanFridrich/gnutls:zfridric_devel to gnutls/gnutls:master
Author: Zoltán Fridrich
Assignee: Zoltán Fridrich

-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1640
You're receiving this email because of your account on gitlab.com.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From gnutls-devel at lists.gnutls.org Thu Sep 29 12:52:57 2022
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Thu, 29 Sep 2022 10:52:57 +0000
Subject: [gnutls-devel] GnuTLS | Failed to set TLS options (default:). error: The request is invalid. (#1405)
In-Reply-To: References: Message-ID:

KENJI AKIHARA commented:

Thank you for your advice. Squid is recognized as using gnutls, as follows.
------------------------------------------
root:# which squid
/usr/sbin/squid
root:#
root:# ls -l /usr/sbin/squid
lrwxrwxrwx 1 root system 29 Sep 13 17:12 /usr/sbin/squid -> ../../opt/freeware/sbin/squid
root:#
root:# ldd ../../opt/freeware/sbin/squid | grep -e ssl -e tls
/opt/freeware/lib/libgnutls.a(libgnutls.so.30)
root:# ls -l /opt/freeware/lib/libgnutls.a
-rwxr-xr-x 1 root system 24722749 May 5 2021 /opt/freeware/lib/libgnutls.a
root:#
root:# rpm -qf /opt/freeware/lib/libgnutls.a
gnutls-3.7.1-1.ppc
root:#

-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1405#note_1118928642
You're receiving this email because of your account on gitlab.com.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From gnutls-devel at lists.gnutls.org Thu Sep 29 15:46:49 2022
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Thu, 29 Sep 2022 13:46:49 +0000
Subject: [gnutls-devel] GnuTLS | Library becomes unusable after XTS key check fails (#1408)
References: Message-ID:

Zoltán Fridrich created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1408

Assignee: Zoltán Fridrich

With FIPS mode enabled, if a `key = key1|key2` given to the XTS setkey functions is such that `key1 = key2` the library is put into an error state and becomes unusable.

```
if (_gnutls_fips_mode_enabled() && gnutls_memcmp(key, key + AES128_KEY_SIZE, AES128_KEY_SIZE) == 0)
	_gnutls_switch_lib_state(LIB_STATE_ERROR);
```

**Expectation**: Setkey fails but the library is still usable.

-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1408
You're receiving this email because of your account on gitlab.com.
-------------- next part --------------
An HTML attachment was scrubbed...
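The behaviour issue #1408 asks for, as an added example that is not GnuTLS's code: the XTS key check below reports a rejected key through the return value of the setkey call and touches no global state, so the caller can retry with another key; it derives the half-key length from the XTS variant (16 bytes for AES-128-XTS, 32 for AES-256-XTS), which is the detail the review of !1648 later turned on, and it resets the rekey counter only once a key has actually been installed. The error-code values, the `xts_ctx` layout and all key bytes are constructed for this example; `ct_memcmp` has the same zero-on-equal contract as `gnutls_memcmp`, and `mistaken_aes256_rejects` reproduces the 128-byte-size comparison from the review thread only to show which keys it misclassifies.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define AES128_KEY_SIZE 16
#define AES256_KEY_SIZE 32

/* Stand-ins for the library error codes (values assumed for this example). */
#define XTS_E_INVALID_REQUEST (-1)
#define XTS_E_INVALID_KEYSIZE (-2)

enum xts_cipher { AES_128_XTS, AES_256_XTS };

/* Constant-time comparison with the same contract as gnutls_memcmp():
   returns 0 when the two buffers are equal. */
static int ct_memcmp(const uint8_t *a, const uint8_t *b, size_t n)
{
	uint8_t diff = 0;
	for (size_t i = 0; i < n; i++)
		diff |= a[i] ^ b[i];
	return diff != 0;
}

/* Validate an XTS key Key_1 || Key_2.  Returns 0 when acceptable.  In FIPS
   mode Key_1 and Key_2 must differ; each half is one AES key, so the half
   length depends on the variant, not on a fixed AES128_KEY_SIZE. */
int xts_check_key(enum xts_cipher algo, const uint8_t *key, size_t keylen, int fips_mode)
{
	size_t half;

	switch (algo) {
	case AES_128_XTS: half = AES128_KEY_SIZE; break;
	case AES_256_XTS: half = AES256_KEY_SIZE; break;
	default: return XTS_E_INVALID_REQUEST;
	}
	/* Validate the length before reading key + half. */
	if (key == NULL || keylen != 2 * half)
		return XTS_E_INVALID_KEYSIZE;
	/* A failed check is an error for this call only, never a library-wide state. */
	if (fips_mode && ct_memcmp(key, key + half, half) == 0)
		return XTS_E_INVALID_REQUEST;
	return 0;
}

/* The comparison as first posted for the AES-256-XTS case: AES128_KEY_SIZE as
   both offset and length on a 64-byte key.  Returns 1 when it would reject. */
int mistaken_aes256_rejects(const uint8_t *key)
{
	return ct_memcmp(key, key + AES128_KEY_SIZE, AES128_KEY_SIZE) == 0;
}

struct xts_ctx {
	enum xts_cipher algo;
	uint8_t key[2 * AES256_KEY_SIZE];
	size_t keylen;
	uint64_t rekey_counter;
};

/* Install a key.  On failure the context is left exactly as it was, including
   the rekey counter, which is reset only once the new key is in place. */
int xts_setkey(struct xts_ctx *ctx, const uint8_t *key, size_t keylen, int fips_mode)
{
	int ret = xts_check_key(ctx->algo, key, keylen, fips_mode);
	if (ret < 0)
		return ret;
	memcpy(ctx->key, key, keylen);
	ctx->keylen = keylen;
	ctx->rekey_counter = 0;
	return 0;
}

/* Constructed test keys, not real key material. */
#define R16(b) b,b,b,b,b,b,b,b,b,b,b,b,b,b,b,b
/* 32-byte key with Key_1 == Key_2 */
static const uint8_t key128_equal_halves[2 * AES128_KEY_SIZE] = { R16(0x11), R16(0x11) };
/* 32-byte key with Key_1 != Key_2 */
static const uint8_t key128_distinct_halves[2 * AES128_KEY_SIZE] = { R16(0x11), R16(0x22) };
/* 64-byte key, Key_1 != Key_2, but its first two 16-byte quarters are equal:
   the 128-sized comparison wrongly rejects it */
static const uint8_t key256_distinct_halves[2 * AES256_KEY_SIZE] = { R16(0x11), R16(0x11), R16(0x22), R16(0x22) };
/* 64-byte key with Key_1 == Key_2 whose first two quarters differ:
   the 128-sized comparison wrongly accepts it */
static const uint8_t key256_equal_halves[2 * AES256_KEY_SIZE] = { R16(0x11), R16(0x22), R16(0x11), R16(0x22) };

/* Reject a key on a context whose counter is 7 and report the counter afterwards. */
uint64_t counter_after_failed_setkey(void)
{
	struct xts_ctx ctx = { .algo = AES_128_XTS, .rekey_counter = 7 };
	int ret = xts_setkey(&ctx, key128_equal_halves, sizeof key128_equal_halves, 1);
	return ret < 0 ? ctx.rekey_counter : 0;
}

/* After a rejected key the same context accepts a good one: the expectation in #1408. */
int setkey_after_failure_succeeds(void)
{
	struct xts_ctx ctx = { .algo = AES_128_XTS, .rekey_counter = 7 };
	if (xts_setkey(&ctx, key128_equal_halves, sizeof key128_equal_halves, 1) == 0)
		return 0;
	return xts_setkey(&ctx, key128_distinct_halves, sizeof key128_distinct_halves, 1) == 0
	       && ctx.rekey_counter == 0;
}

int main(void)
{
	printf("AES-128-XTS, equal halves, FIPS:   %d\n", xts_check_key(AES_128_XTS, key128_equal_halves, 32, 1));
	printf("AES-256-XTS, distinct halves, FIPS: %d (128-sized check rejects: %d)\n",
	       xts_check_key(AES_256_XTS, key256_distinct_halves, 64, 1), mistaken_aes256_rejects(key256_distinct_halves));
	printf("AES-256-XTS, equal halves, FIPS:   %d (128-sized check rejects: %d)\n",
	       xts_check_key(AES_256_XTS, key256_equal_halves, 64, 1), mistaken_aes256_rejects(key256_equal_halves));
	printf("counter after failed setkey: %llu, retry succeeds: %d\n",
	       (unsigned long long)counter_after_failed_setkey(), setkey_after_failure_succeeds());
	return 0;
}
```

The two 64-byte keys show why the half length has to follow the cipher: comparing 16 bytes at offset 16 never looks at Key_2 of an AES-256-XTS key at all, so it rejects a valid key and lets a Key_1 == Key_2 key through.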
URL:

From gnutls-devel at lists.gnutls.org Thu Sep 29 15:50:07 2022
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Thu, 29 Sep 2022 13:50:07 +0000
Subject: [gnutls-devel] GnuTLS | Make XTS key check failure not fatal (!1648)
In-Reply-To: References: Message-ID:

Reviewer changed to Daiki Ueno

-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1648
You're receiving this email because of your account on gitlab.com.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From gnutls-devel at lists.gnutls.org Thu Sep 29 15:50:08 2022
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Thu, 29 Sep 2022 13:50:08 +0000
Subject: [gnutls-devel] GnuTLS | Make XTS key check failure not fatal (!1648)
References: Message-ID:

Zoltán Fridrich created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1648

Project:Branches: ZoltanFridrich/gnutls:zfridric_devel to gnutls/gnutls:master
Author: Zoltán Fridrich
Assignee: Zoltán Fridrich
Reviewer: Daiki Ueno

Closes #1408

## Checklist

* [ ] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [ ] Code modified for feature
* [ ] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
* [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:

* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

-- Reply to this email directly or view it on GitLab:
https://gitlab.com/gnutls/gnutls/-/merge_requests/1648
You're receiving this email because of your account on gitlab.com.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From gnutls-devel at lists.gnutls.org Thu Sep 29 15:50:08 2022
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Thu, 29 Sep 2022 13:50:08 +0000
Subject: [gnutls-devel] GnuTLS | Make XTS key check failure not fatal (!1648)
In-Reply-To: References: Message-ID:

Reassigned merge request 1648 https://gitlab.com/gnutls/gnutls/-/merge_requests/1648

Assignee changed to Zoltán Fridrich

-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1648
You're receiving this email because of your account on gitlab.com.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From gnutls-devel at lists.gnutls.org Thu Sep 29 15:53:59 2022
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Thu, 29 Sep 2022 13:53:59 +0000
Subject: [gnutls-devel] GnuTLS | Make XTS key check failure not fatal (!1648)
In-Reply-To: References: Message-ID:

Merge request https://gitlab.com/gnutls/gnutls/-/merge_requests/1648 was reviewed by Daiki Ueno

--

Daiki Ueno started a new discussion on lib/nettle/cipher.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1648#note_1119254684

> + case GNUTLS_CIPHER_AES_256_XTS: > + if (_gnutls_fips_mode_enabled() && > + gnutls_memcmp(key, (char *)key + AES128_KEY_SIZE, AES128_KEY_SIZE) == 0

This condition only works with `GNUTLS_CIPHER_AES_128_XTS` not `GNUTLS_CIPHER_AES_256_XTS`.

--

Daiki Ueno started a new discussion on lib/nettle/cipher.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1648#note_1119254690

> _xts_aes128_set_encrypt_key(struct xts_aes128_key *xts_key,

Maybe you could remove those wrapper functions.
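Review bot: In the `GNUTLS_CIPHER_AES_256_XTS` case the comparison uses `AES128_KEY_SIZE` as both the offset and the length, so on a 64-byte XTS-AES-256 key it compares bytes 0..15 with bytes 16..31, both of which lie inside Key_1: a valid key whose Key_1 repeats a 16-byte block gets rejected, and Key_1 == Key_2 goes undetected whenever those two quarters differ. Use `AES256_KEY_SIZE` for both the offset and the length in this case, since each half of an XTS key is one full AES key.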
-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1648
You're receiving this email because of your account on gitlab.com.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From gnutls-devel at lists.gnutls.org Thu Sep 29 16:06:04 2022
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Thu, 29 Sep 2022 14:06:04 +0000
Subject: [gnutls-devel] GnuTLS | Make XTS key check failure not fatal (!1648)
In-Reply-To: References: Message-ID:

Zoltán Fridrich commented on a discussion on lib/nettle/cipher.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1648#note_1119278437

> _xts_aes128_set_encrypt_key(struct xts_aes128_key *xts_key,

I left them there because there were other wrapper functions that added nothing like `_des3_set_key`. I will remove those too.

-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1648#note_1119278437
You're receiving this email because of your account on gitlab.com.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From gnutls-devel at lists.gnutls.org Thu Sep 29 16:18:54 2022
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Thu, 29 Sep 2022 14:18:54 +0000
Subject: [gnutls-devel] GnuTLS | Make XTS key check failure not fatal (!1648)
In-Reply-To: References: Message-ID:

All discussions on merge request !1648 were resolved by Zoltán Fridrich https://gitlab.com/gnutls/gnutls/-/merge_requests/1648

-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1648
You're receiving this email because of your account on gitlab.com.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From gnutls-devel at lists.gnutls.org Thu Sep 29 16:24:53 2022
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Thu, 29 Sep 2022 14:24:53 +0000
Subject: [gnutls-devel] GnuTLS | Make XTS key check failure not fatal (!1648)
In-Reply-To: References: Message-ID:

Merge request https://gitlab.com/gnutls/gnutls/-/merge_requests/1648 was reviewed by Daiki Ueno

--

Daiki Ueno started a new discussion on lib/nettle/cipher.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1648#note_1119310691

> -static void _des_set_key(struct des_ctx *ctx, const uint8_t *key) > -{ > - des_set_key(ctx, key);

The reason why we have those functions is that `des_set_key` and `des3_set_key` return int, while `xts_aes128_set_encrypt_key` etc. don't.

-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1648
You're receiving this email because of your account on gitlab.com.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From gnutls-devel at lists.gnutls.org Thu Sep 29 16:26:08 2022
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Thu, 29 Sep 2022 14:26:08 +0000
Subject: [gnutls-devel] GnuTLS | Make XTS key check failure not fatal (!1648)
In-Reply-To: References: Message-ID:

Daiki Ueno started a new discussion on lib/nettle/cipher.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1648#note_1119312731

> - > switch (ctx->cipher->algo) { > + case GNUTLS_CIPHER_AES_128_XTS: > + if (_gnutls_fips_mode_enabled() && > + gnutls_memcmp(key, (char *)key + AES128_KEY_SIZE, AES128_KEY_SIZE) == 0) > + return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); > + break; > + case GNUTLS_CIPHER_AES_256_XTS: > + if (_gnutls_fips_mode_enabled() && > + gnutls_memcmp(key, (char *)key + AES256_KEY_SIZE, AES256_KEY_SIZE) == 0) > + return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); > + break; > case GNUTLS_CIPHER_AES_128_GCM: > case GNUTLS_CIPHER_AES_192_GCM: > case GNUTLS_CIPHER_AES_256_GCM: > ctx->rekey_counter = 0;

Hmm, I would only reset this counter after key is successfully set.

-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1648#note_1119312731
You're receiving this email because of your account on gitlab.com.
-------------- next part --------------
An HTML attachment was scrubbed...
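Review bot: The two XTS cases are the same guard with a different half-length, so deriving the half-length from the algorithm and running a single `gnutls_memcmp` would keep them from drifting apart again, and the comparison must stay behind whatever validates the key length for the cipher, because `(char *)key + AES256_KEY_SIZE` with `AES256_KEY_SIZE` bytes reads 64 bytes from the caller's buffer. Returning `gnutls_assert_val(GNUTLS_E_INVALID_REQUEST)` instead of switching the library state is the right shape for #1408 because the failure stays confined to this setkey call; the `ctx->rekey_counter = 0` below, however, still runs before the new key is installed, so a rejected key would reset the counter of the key still in use, which is the ordering point raised above.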
URL:

From gnutls-devel at lists.gnutls.org Thu Sep 29 16:33:29 2022
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Thu, 29 Sep 2022 14:33:29 +0000
Subject: [gnutls-devel] GnuTLS | Make XTS key check failure not fatal (!1648)
In-Reply-To: References: Message-ID:

All discussions on merge request !1648 were resolved by Zoltán Fridrich https://gitlab.com/gnutls/gnutls/-/merge_requests/1648

-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1648
You're receiving this email because of your account on gitlab.com.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From gnutls-devel at lists.gnutls.org Thu Sep 29 16:48:20 2022
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Thu, 29 Sep 2022 14:48:20 +0000
Subject: [gnutls-devel] GnuTLS | Make XTS key check failure not fatal (!1648)
In-Reply-To: References: Message-ID:

Daiki Ueno started a new discussion on lib/nettle/cipher.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1648#note_1119358082

> .ctx_size = sizeof(struct CBC_CTX(struct des_ctx, DES_BLOCK_SIZE)), > .encrypt = _cbc_encrypt, > .decrypt = _cbc_decrypt, > - .set_encrypt_key = (nettle_set_key_func*)_des_set_key, > - .set_decrypt_key = (nettle_set_key_func*)_des_set_key, > + .set_encrypt_key = (nettle_set_key_func*)des_set_key, > + .set_decrypt_key = (nettle_set_key_func*)des_set_key,

Shouldn't those changes be reverted?

-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1648#note_1119358082
You're receiving this email because of your account on gitlab.com.
-------------- next part --------------
An HTML attachment was scrubbed...
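Review bot: Pointing `.set_encrypt_key` and `.set_decrypt_key` straight at `des_set_key` casts a function that returns `int` (as noted in the earlier comment on the wrappers) to `nettle_set_key_func*`, which returns `void`; calling through a pointer of a different function type is undefined behaviour in C, and avoiding exactly that is why the `_des_set_key` wrapper existed. Keep the wrappers for `des_set_key` and `des3_set_key` and drop only the XTS ones, whose underlying `xts_aes128_set_encrypt_key` and friends already have the matching signature.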
URL:

From gnutls-devel at lists.gnutls.org Thu Sep 29 16:55:04 2022
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Thu, 29 Sep 2022 14:55:04 +0000
Subject: [gnutls-devel] GnuTLS | Make XTS key check failure not fatal (!1648)
In-Reply-To: References: Message-ID:

Zoltán Fridrich commented on a discussion on lib/nettle/cipher.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1648#note_1119378703

> .ctx_size = sizeof(struct CBC_CTX(struct des_ctx, DES_BLOCK_SIZE)), > .encrypt = _cbc_encrypt, > .decrypt = _cbc_decrypt, > - .set_encrypt_key = (nettle_set_key_func*)_des_set_key, > - .set_decrypt_key = (nettle_set_key_func*)_des_set_key, > + .set_encrypt_key = (nettle_set_key_func*)des_set_key, > + .set_decrypt_key = (nettle_set_key_func*)des_set_key,

OMG, sorry for these dumb mistakes. I was just quickly trying to fix the issues. I should actually review my code before I upload it.

-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1648#note_1119378703
You're receiving this email because of your account on gitlab.com.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From gnutls-devel at lists.gnutls.org Thu Sep 29 16:56:15 2022
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Thu, 29 Sep 2022 14:56:15 +0000
Subject: [gnutls-devel] GnuTLS | Make XTS key check failure not fatal (!1648)
In-Reply-To: References: Message-ID:

All discussions on merge request !1648 were resolved by Zoltán Fridrich https://gitlab.com/gnutls/gnutls/-/merge_requests/1648

-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1648
You're receiving this email because of your account on gitlab.com.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From gnutls-devel at lists.gnutls.org Thu Sep 29 17:08:06 2022
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Thu, 29 Sep 2022 15:08:06 +0000
Subject: [gnutls-devel] GnuTLS | Make XTS key check failure not fatal (!1648)
In-Reply-To: References: Message-ID:

Daiki Ueno commented:

Looks good to me. If possible, it would be nice to have a test case that exercises the error case.

-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1648#note_1119405282
You're receiving this email because of your account on gitlab.com.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From gnutls-devel at lists.gnutls.org Thu Sep 29 17:08:26 2022
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Thu, 29 Sep 2022 15:08:26 +0000
Subject: [gnutls-devel] GnuTLS | Make XTS key check failure not fatal (!1648)
In-Reply-To: References: Message-ID:

Merge request !1648 was approved by Daiki Ueno

Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1648
Project:Branches: ZoltanFridrich/gnutls:zfridric_devel to gnutls/gnutls:master
Author: Zoltán Fridrich
Assignee: Zoltán Fridrich
Reviewer: Daiki Ueno

-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1648
You're receiving this email because of your account on gitlab.com.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From gnutls-devel at lists.gnutls.org Thu Sep 29 17:13:19 2022
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Thu, 29 Sep 2022 15:13:19 +0000
Subject: [gnutls-devel] GnuTLS | Make XTS key check failure not fatal (!1648)
In-Reply-To: References: Message-ID:

Zoltán Fridrich commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/1648#note_1119413069

Okay, I can add a test.

-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1648#note_1119413069
You're receiving this email because of your account on gitlab.com.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From gnutls-devel at lists.gnutls.org Fri Sep 30 13:51:01 2022
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Fri, 30 Sep 2022 11:51:01 +0000
Subject: [gnutls-devel] GnuTLS | Make XTS key check failure not fatal (!1648)
In-Reply-To: References: Message-ID:

All discussions on merge request !1648 were resolved by Zoltán Fridrich https://gitlab.com/gnutls/gnutls/-/merge_requests/1648

-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1648
You're receiving this email because of your account on gitlab.com.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From gnutls-devel at lists.gnutls.org Fri Sep 30 15:38:36 2022
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Fri, 30 Sep 2022 13:38:36 +0000
Subject: [gnutls-devel] GnuTLS | NSS interoperability test - 2way TLSv1.3 (!1649)
References: Message-ID:

Stanislav Židek created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1649

Project:Branches: ep69/gnutls:interop-nss to gnutls/gnutls:master
Author: Stanislav Židek

Added TLSv1.3 2way interoperability test with NSS.
## Checklist

* [x] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [ ] Code modified for feature
* [ ] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
* [x] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:

* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1649
You're receiving this email because of your account on gitlab.com.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From gnutls-devel at lists.gnutls.org Fri Sep 30 20:31:18 2022
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Fri, 30 Sep 2022 18:31:18 +0000
Subject: [gnutls-devel] GnuTLS | NSS interoperability test - 2way TLSv1.3 (!1649)
In-Reply-To: References: Message-ID:

Stanislav Židek commented:

@dueno could you review and perhaps merge?

-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1649#note_1121010745
You're receiving this email because of your account on gitlab.com.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: