From gnutls-devel at lists.gnutls.org Fri Feb 2 21:12:19 2024 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 02 Feb 2024 20:12:19 +0000 Subject: [gnutls-devel] GnuTLS | aarch64/armv8 assembler files not supporting PAC/BTI (#1517) In-Reply-To: References: Message-ID: William Roberts commented on a discussion: https://gitlab.com/gnutls/gnutls/-/issues/1517#note_1756120686 I think I have this all working by upgrading openssl to 3.2.1 and some other tweaks, however I need to do some more testing. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1517#note_1756120686 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Feb 5 19:21:05 2024 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Mon, 05 Feb 2024 18:21:05 +0000 Subject: [gnutls-devel] GnuTLS | openssl: update 3.2.1, enable PAC/BTI, Fix deps in Makefile (!1804) References: Message-ID: William Roberts created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1804 Project:Branches: wcrobertarm/gnutls:update-openssl-to-3.2.1-add-pac-bti to gnutls/gnutls:master Author: William Roberts * lib/accellerated: update asm and enable PAC/BTI Update the asm sources generated from devel/openssl which have the BTI and PAC support. Add the -mbranch-protection=standard build flag to the generated sources. On older machines that don't have support, the options are in the NOP space and will be NOP'd, on architectures with support the instructions are executed as expected. Note that this updates the ELF GNU NOTES section to indicate that BTI and PAC are enabled. For BTI this must be in all the ELF files loaded and linked or the feature is disabled as all execution segments need it. readelf -n ./lib/.libs/libgnutls.so Displaying notes found in: .note.gnu.property Owner Data size Description GNU 0x00000010 NT_GNU_PROPERTY_TYPE_0 Properties: AArch64 feature: BTI, PAC Signed-off-by: Bill Roberts * cfg.mk: add common headers used for asm gen The common headers are needed when generating the assembly, so make them depencies of the build target. * openssl: update 3.2.1 Signed-off-by: Bill Roberts ## Checklist * [ ] Commits have `Signed-off-by:` with name/author being identical to the commit author * [ ] Code modified for feature * [ ] Test suite updated with functionality tests * [ ] Test suite updated with negative tests * [ ] Documentation updated / NEWS entry present (for non-trivial changes) * [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout) ## Reviewer's checklist: * [ ] Any issues marked for closing are addressed * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md` * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1804 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Feb 6 02:55:47 2024 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 06 Feb 2024 01:55:47 +0000 Subject: [gnutls-devel] GnuTLS | openssl: update 3.2.1, enable PAC/BTI, Fix deps in Makefile (!1804) In-Reply-To: References: Message-ID: Daiki Ueno commented: https://gitlab.com/gnutls/gnutls/-/merge_requests/1804#note_1759530871 Nice, thank you! Would you mind adjusting .gitlab-ci.yml to fix the gcovr [error](https://gitlab.com/wcrobertarm/gnutls/-/jobs/6100104361#L2222)? By the way, I wonder if there are still any performance gaps between the AArch64 assembly from OpenSSL and the Nettle implementation; if they are negligible, we might want to drop the former. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1804#note_1759530871 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Feb 6 13:43:17 2024 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 06 Feb 2024 12:43:17 +0000 Subject: [gnutls-devel] GnuTLS | TLS interoperability: test actual compiled master (!1802) In-Reply-To: References: Message-ID: Stanislav ?idek commented: https://gitlab.com/gnutls/gnutls/-/merge_requests/1802#note_1760366078 @dueno Are you ok with changes to `fedora-minimal/build` I proposed above? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1802#note_1760366078 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Feb 6 15:00:12 2024 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 06 Feb 2024 14:00:12 +0000 Subject: [gnutls-devel] GnuTLS | openssl: update 3.2.1, enable PAC/BTI, Fix deps in Makefile (!1804) In-Reply-To: References: Message-ID: William Roberts commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/1804#note_1760516736 So you want me to add, `--gcov-ignore-parse-errors`? For performance I have no idea, but OpenSSL is pretty well tested and tweaked. Glancing at nettle they are missing the BTI and PAC implementations. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1804#note_1760516736 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Feb 6 19:43:18 2024 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 06 Feb 2024 18:43:18 +0000 Subject: [gnutls-devel] GnuTLS | openssl: update 3.2.1, enable PAC/BTI, Fix deps in Makefile (!1804) In-Reply-To: References: Message-ID: William Roberts commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/1804#note_1761083121 I think I got it, pipeline is happy now -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1804#note_1761083121 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Feb 6 21:29:29 2024 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 06 Feb 2024 20:29:29 +0000 Subject: [gnutls-devel] GnuTLS | openssl: update 3.2.1, enable PAC/BTI, Fix deps in Makefile (!1804) In-Reply-To: References: Message-ID: All discussions on merge request !1804 were resolved by Daiki Ueno https://gitlab.com/gnutls/gnutls/-/merge_requests/1804 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1804 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Feb 6 21:29:27 2024 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 06 Feb 2024 20:29:27 +0000 Subject: [gnutls-devel] GnuTLS | openssl: update 3.2.1, enable PAC/BTI, Fix deps in Makefile (!1804) In-Reply-To: References: Message-ID: Daiki Ueno commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/1804#note_1761201381 Thank you. Re: Nettle, I was just curious as we know AES is still slower on x86_64 while we haven't tested other architectures; nevertheless I guess it would be nice to introduce BTI and PAC in Nettle as well. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1804#note_1761201381 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Feb 6 21:29:58 2024 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 06 Feb 2024 20:29:58 +0000 Subject: [gnutls-devel] GnuTLS | openssl: update 3.2.1, enable PAC/BTI, Fix deps in Makefile (!1804) In-Reply-To: References: Message-ID: Merge request !1804 was approved by Daiki Ueno Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1804 Project:Branches: wcrobertarm/gnutls:update-openssl-to-3.2.1-add-pac-bti to gnutls/gnutls:master Author: William Roberts Assignees: Reviewers: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1804 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Feb 7 02:07:19 2024 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 07 Feb 2024 01:07:19 +0000 Subject: [gnutls-devel] GnuTLS | openssl: update 3.2.1, enable PAC/BTI, Fix deps in Makefile (!1804) In-Reply-To: References: Message-ID: William Roberts commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/1804#note_1761430741 I'm on it :-p -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1804#note_1761430741 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Feb 8 13:44:46 2024 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Thu, 08 Feb 2024 12:44:46 +0000 Subject: [gnutls-devel] GnuTLS | Draft: Support RSA-OAEP (!1805) References: Message-ID: Daiki Ueno created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1805 Project:Branches: dueno/gnutls:wip/dueno/rsa-oaep to gnutls/gnutls:master Author: Daiki Ueno This plumbs support for RSA-OAEP from Nettle, through the following commits: * tests: add basic test for RSA-OAEP encryption * certtool: support generating RSA-OAEP private key * abstract: plumb RSA-OAEP in the abstract key types API * x509: plumb RSA-OAEP in X.509 interface * nettle: plumb RSA-OAEP in the Nettle crypto backend * spki: support RSA-OAEP parameters * algorithms: register RSA-OAEP * nettle: vendor-in RSA-OAEP implementation * .gitlab-ci.yml: use clang-format from Clang 17 ## Checklist * [x] Commits have `Signed-off-by:` with name/author being identical to the commit author * [ ] Code modified for feature * [x] Test suite updated with functionality tests * [ ] Test suite updated with negative tests * [ ] Documentation updated / NEWS entry present (for non-trivial changes) * [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout) ## Reviewer's checklist: * [ ] Any issues marked for closing are addressed * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md` * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1805 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Feb 8 13:48:56 2024 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Thu, 08 Feb 2024 12:48:56 +0000 Subject: [gnutls-devel] GnuTLS | Draft: Support RSA-OAEP (!1805) In-Reply-To: References: Message-ID: Reassigned merge request 1805 https://gitlab.com/gnutls/gnutls/-/merge_requests/1805 Zolt?n Fridrich was added as an assignee. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1805 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Feb 9 08:08:24 2024 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 09 Feb 2024 07:08:24 +0000 Subject: [gnutls-devel] libtasn1 | asn1_decode_simple_der doesn't accept empty OCTET STRING (#48) References: Message-ID: Daiki Ueno created an issue: https://gitlab.com/gnutls/libtasn1/-/issues/48 ## Description of problem: While `asn1_encode_simple_der` seems to handle empty input, the result cannot be decoded with `asn1_decode_simple_der`, yielding DER_ERROR. ## Version of libtasn1 used: libtasn1-4.19.0-3.fc39.x86_64 ## Distributor of libtasn1 (e.g., Ubuntu, Fedora, RHEL) Fedora ## How reproducible: Steps to Reproduce: * compile a test [program](/uploads/5f0777f0c98a2160e9657a938e357cba/test-empty-octet-string.c), with: ```console gcc -o test-empty-octet-string test-empty-octet-string.c `pkg-config libtasn1 --cflags --libs` ``` * run it ## Actual results: ```console non-empty: succeeded empty: failed: DER_ERROR ``` ## Expected results: ```console non-empty: succeeded empty: succeeded ``` -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/-/issues/48 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Feb 9 09:42:22 2024 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 09 Feb 2024 08:42:22 +0000 Subject: [gnutls-devel] libtasn1 | asn1_decode_simple_der doesn't accept empty OCTET STRING (#48) In-Reply-To: References: Message-ID: Simon Josefsson commented: https://gitlab.com/gnutls/libtasn1/-/issues/48#note_1765719454 I think there are more examples of this empty vs missing confusion in libtasn1, almost to the point that the simplest solution is to treat this as intentional while sub-optimal behavior. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/-/issues/48#note_1765719454 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Feb 9 10:28:17 2024 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 09 Feb 2024 09:28:17 +0000 Subject: [gnutls-devel] libtasn1 | Draft: asn1_decode_simple_der: accept empty OCTET STRING (!95) References: Message-ID: Daiki Ueno created a merge request: https://gitlab.com/gnutls/libtasn1/-/merge_requests/95 Project:Branches: dueno/libtasn1:wip/dueno/empty-octet-string to gnutls/libtasn1:master Author: Daiki Ueno When the input was an empty OCTET STRING (i.e., 0x04 0x00 in DER), asn1_decode_simple_der previously returned ASN1_DER_ERROR. With this patch, the function properly returns zero as the length, while the output pointer is set to the start of the input, to satisfy the invariant that it is a valid pointer inside the input. Fixes: #48 ## Checklist * [ ] Code modified for feature * [ ] Test suite updated with functionality tests * [ ] Test suite updated with negative tests * [ ] Documentation updated ## Reviewer's checklist: * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent with other code * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/-/merge_requests/95 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat Feb 10 05:22:56 2024 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Sat, 10 Feb 2024 04:22:56 +0000 Subject: [gnutls-devel] libtasn1 | asn1_decode_simple_der doesn't accept empty OCTET STRING (#48) In-Reply-To: References: Message-ID: Daiki Ueno commented: https://gitlab.com/gnutls/libtasn1/-/issues/48#note_1767178044 Right, I agree. In this specific case, I guess a workaround would be to allocate one more byte as input so the input length never be zero after reading. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/-/issues/48#note_1767178044 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat Feb 10 05:25:10 2024 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Sat, 10 Feb 2024 04:25:10 +0000 Subject: [gnutls-devel] libtasn1 | Draft: asn1_decode_simple_der: accept empty OCTET STRING (!95) In-Reply-To: References: Message-ID: Merge request !95 was closed by Daiki Ueno Merge request URL: https://gitlab.com/gnutls/libtasn1/-/merge_requests/95 Project:Branches: dueno/libtasn1:wip/dueno/empty-octet-string to gnutls/libtasn1:master Author: Daiki Ueno Assignees: Reviewers: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/-/merge_requests/95 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat Feb 10 05:25:09 2024 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Sat, 10 Feb 2024 04:25:09 +0000 Subject: [gnutls-devel] libtasn1 | Draft: asn1_decode_simple_der: accept empty OCTET STRING (!95) In-Reply-To: References: Message-ID: Daiki Ueno commented: https://gitlab.com/gnutls/libtasn1/-/merge_requests/95#note_1767178556 Let's just work around in the caller (see #48). -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/-/merge_requests/95#note_1767178556 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat Feb 10 09:28:33 2024 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Sat, 10 Feb 2024 08:28:33 +0000 Subject: [gnutls-devel] GnuTLS | .gitlab-ci.yml: use clang-format from Clang 17 (!1806) References: Message-ID: Daiki Ueno created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1806 Project:Branches: dueno/gnutls:wip/dueno/clang-format17 to gnutls/gnutls:master Author: Daiki Ueno * .gitlab-ci.yml: use clang-format from Clang 17 Signed-off-by: Daiki Ueno ## Checklist * [ ] Commits have `Signed-off-by:` with name/author being identical to the commit author * [ ] Code modified for feature * [ ] Test suite updated with functionality tests * [ ] Test suite updated with negative tests * [ ] Documentation updated / NEWS entry present (for non-trivial changes) * [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout) ## Reviewer's checklist: * [ ] Any issues marked for closing are addressed * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md` * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1806 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat Feb 10 11:56:04 2024 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Sat, 10 Feb 2024 10:56:04 +0000 Subject: [gnutls-devel] libtasn1 | asn1_decode_simple_der doesn't accept empty OCTET STRING (#48) In-Reply-To: References: Message-ID: Simon Josefsson commented: https://gitlab.com/gnutls/libtasn1/-/issues/48#note_1767277389 To clarify, I'm not OPPOSED to fixing this in libtasn1. However, my experiments with fixing similar empty vs missing confusion before always led to complicated corner-cases that also break existing users of libtasn1. Closing the gap would be nice, but I mostly wanted to raise a word of caution to change the ABI expectations without considering if there is existing code that rely on the current behaviour. I didn't study this example in detail: it may be possible to prove that it isn't possible to rely on the existing libtasn1 behaviour in any reasonable and useful way. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/-/issues/48#note_1767277389 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Feb 12 17:17:40 2024 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Mon, 12 Feb 2024 16:17:40 +0000 Subject: [gnutls-devel] GnuTLS | lib: fix two segfault issues caused by freeing uninitialized buf (!1807) References: Message-ID: Xin Long created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1807 Project:Branches: lxin.redhat/gnutls:master to gnutls/gnutls:master Author: Xin Long The first one was found in my app running on aarch64 machine where I think stack variables are not initialized by default, and the 2nd one was noticed by reviewing code only. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1807 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Feb 13 00:44:24 2024 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Mon, 12 Feb 2024 23:44:24 +0000 Subject: [gnutls-devel] GnuTLS | lib: fix two segfault issues caused by freeing uninitialized buf (!1807) In-Reply-To: References: Message-ID: Daiki Ueno commented: https://gitlab.com/gnutls/gnutls/-/merge_requests/1807#note_1769865284 Thank you for the patch. Looks good to me! -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1807#note_1769865284 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Feb 13 00:44:24 2024 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Mon, 12 Feb 2024 23:44:24 +0000 Subject: [gnutls-devel] GnuTLS | lib: fix two segfault issues caused by freeing uninitialized buf (!1807) In-Reply-To: References: Message-ID: Merge request https://gitlab.com/gnutls/gnutls/-/merge_requests/1807 was reviewed by Daiki Ueno -- Daiki Ueno started a new discussion on lib/tls13/early_data.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1807#note_1769865268 > if (!(session->internals.flags & GNUTLS_NO_END_OF_EARLY_DATA)) { > ret = _gnutls_recv_handshake( > session, GNUTLS_HANDSHAKE_END_OF_EARLY_DATA, 0, &buf); As the content of `buf` is not used, maybe we could pass `NULL` to `_gnutls_recv_handshake` and remove the local variable entirely? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1807 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Feb 13 00:44:26 2024 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Mon, 12 Feb 2024 23:44:26 +0000 Subject: [gnutls-devel] GnuTLS | lib: fix two segfault issues caused by freeing uninitialized buf (!1807) In-Reply-To: References: Message-ID: Merge request !1807 was approved by Daiki Ueno Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1807 Project:Branches: lxin.redhat/gnutls:master to gnutls/gnutls:master Author: Xin Long Assignees: Reviewers: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1807 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Feb 13 09:51:07 2024 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 13 Feb 2024 08:51:07 +0000 Subject: [gnutls-devel] GnuTLS | Draft: Add pkcs11 crypto backend configuration (!1808) In-Reply-To: References: Message-ID: Reassigned merge request 1808 https://gitlab.com/gnutls/gnutls/-/merge_requests/1808 Zolt?n Fridrich was added as an assignee. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1808 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Feb 13 09:51:13 2024 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 13 Feb 2024 08:51:13 +0000 Subject: [gnutls-devel] GnuTLS | Draft: Add pkcs11 crypto backend configuration (!1808) References: Message-ID: Zolt?n Fridrich created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1808 Project:Branches: ZoltanFridrich/gnutls:zfridric_devel to gnutls/gnutls:master Author: Zolt?n Fridrich Assignee: Zolt?n Fridrich This is a prototype for a PKCS11 provider in gnutls. Signed-off-by: Zoltan Fridrich ## Checklist * [ ] Commits have `Signed-off-by:` with name/author being identical to the commit author * [ ] Code modified for feature * [ ] Test suite updated with functionality tests * [ ] Test suite updated with negative tests * [ ] Documentation updated / NEWS entry present (for non-trivial changes) * [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout) ## Reviewer's checklist: * [ ] Any issues marked for closing are addressed * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md` * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1808 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Feb 13 10:52:14 2024 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 13 Feb 2024 09:52:14 +0000 Subject: [gnutls-devel] GnuTLS | lib/mpi.c: extract flag correctly (!1809) References: Message-ID: Avinash Sonawane created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1809 Project:Branches: rootkea/gnutls:flags to gnutls/gnutls:master Author: Avinash Sonawane * lib/mpi.c: extract flag correctly Signed-off-by: Avinash Sonawane ## Checklist * [ ] Commits have `Signed-off-by:` with name/author being identical to the commit author * [ ] Code modified for feature * [ ] Test suite updated with functionality tests * [ ] Test suite updated with negative tests * [ ] Documentation updated / NEWS entry present (for non-trivial changes) * [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout) ## Reviewer's checklist: * [ ] Any issues marked for closing are addressed * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md` * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1809 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Feb 13 12:04:29 2024 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 13 Feb 2024 11:04:29 +0000 Subject: [gnutls-devel] GnuTLS | lib/mpi.c: extract flag correctly (!1809) In-Reply-To: References: Message-ID: Merge request !1809 was approved by Zolt?n Fridrich Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1809 Project:Branches: rootkea/gnutls:flags to gnutls/gnutls:master Author: Avinash Sonawane Assignees: Reviewers: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1809 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Feb 13 12:04:46 2024 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 13 Feb 2024 11:04:46 +0000 Subject: [gnutls-devel] GnuTLS | lib/mpi.c: extract flag correctly (!1809) In-Reply-To: References: Message-ID: Zolt?n Fridrich commented: https://gitlab.com/gnutls/gnutls/-/merge_requests/1809#note_1770618254 Looks good, thanks! -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1809#note_1770618254 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Feb 13 12:09:46 2024 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 13 Feb 2024 11:09:46 +0000 Subject: [gnutls-devel] GnuTLS | lib: fix two segfault issues caused by freeing uninitialized buf (!1807) In-Reply-To: References: Message-ID: Zolt?n Fridrich commented: https://gitlab.com/gnutls/gnutls/-/merge_requests/1807#note_1770638722 @lxin.redhat Please set the CI timeout to 2h or higher otherwise the tests won't pass (see Settings/CICD/General pipelines/Timeout) -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1807#note_1770638722 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Feb 13 12:11:08 2024 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 13 Feb 2024 11:11:08 +0000 Subject: [gnutls-devel] GnuTLS | TLS interoperability: test actual compiled master (!1802) In-Reply-To: References: Message-ID: Daiki Ueno commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/1802#note_1770643905 I would rather like to keep `fedora-minimal` as is with the minimal configuration. I wonder if we could have a separate pipeline stage simulating the Fedora package building, maybe actually calling packit? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1802#note_1770643905 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Feb 13 12:47:16 2024 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 13 Feb 2024 11:47:16 +0000 Subject: [gnutls-devel] GnuTLS | TLS interoperability: test actual compiled master (!1802) In-Reply-To: References: Message-ID: Stanislav ?idek commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/1802#note_1770748197 @dueno I did it by changes to `fedora-minimal` because of your earlier objections regarding increasing the CI time. So you are fine with adding a separate build job? About packit - I can try, never did it, would be more work for me, but I'll do it if you tell me. Easier way for me now would be just replicating params for configure so they are same as in Fedora. Would you be ok with that perhaps? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1802#note_1770748197 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Feb 13 13:43:12 2024 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 13 Feb 2024 12:43:12 +0000 Subject: [gnutls-devel] GnuTLS | .gitlab-ci.yml: use clang-format from Clang 17 (!1806) In-Reply-To: References: Message-ID: Merge request !1806 was closed by Daiki Ueno Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1806 Project:Branches: dueno/gnutls:wip/dueno/clang-format17 to gnutls/gnutls:master Author: Daiki Ueno Assignees: Reviewers: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1806 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Feb 13 13:44:00 2024 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 13 Feb 2024 12:44:00 +0000 Subject: [gnutls-devel] GnuTLS | .gitlab-ci.yml: use clang-format from Clang 17 (!1806) In-Reply-To: References: Message-ID: Daiki Ueno commented: https://gitlab.com/gnutls/gnutls/-/merge_requests/1806#note_1770928590 Turned out we anyway need to update Fedora image to Fedora 39 to pull in Clang 17. Closing this in favor of !1796. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1806#note_1770928590 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Feb 13 18:13:23 2024 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 13 Feb 2024 17:13:23 +0000 Subject: [gnutls-devel] GnuTLS | lib/x509/x509.c: add missing argument to macro invokation (!1810) References: Message-ID: Avinash Sonawane created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1810 Project:Branches: rootkea/gnutls:parm to gnutls/gnutls:master Author: Avinash Sonawane * lib/x509/x509.c: add missing argument to macro invokation Signed-off-by: Avinash Sonawane ## Checklist * [ ] Commits have `Signed-off-by:` with name/author being identical to the commit author * [ ] Code modified for feature * [ ] Test suite updated with functionality tests * [ ] Test suite updated with negative tests * [ ] Documentation updated / NEWS entry present (for non-trivial changes) * [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout) ## Reviewer's checklist: * [ ] Any issues marked for closing are addressed * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md` * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1810 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Feb 13 23:03:43 2024 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 13 Feb 2024 22:03:43 +0000 Subject: [gnutls-devel] GnuTLS | lib: fix two segfault issues caused by freeing uninitialized buf (!1807) In-Reply-To: References: Message-ID: Xin Long commented on a discussion on lib/tls13/early_data.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1807#note_1772004337 > > if (!(session->internals.flags & GNUTLS_NO_END_OF_EARLY_DATA)) { > ret = _gnutls_recv_handshake( > session, GNUTLS_HANDSHAKE_END_OF_EARLY_DATA, 0, &buf); That makes sense, and I have reposted it. Thanks. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1807#note_1772004337 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Feb 13 23:03:41 2024 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 13 Feb 2024 22:03:41 +0000 Subject: [gnutls-devel] GnuTLS | lib: fix two segfault issues caused by freeing uninitialized buf (!1807) In-Reply-To: References: Message-ID: All discussions on merge request !1807 were resolved by Xin Long https://gitlab.com/gnutls/gnutls/-/merge_requests/1807 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1807 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Feb 13 23:24:32 2024 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 13 Feb 2024 22:24:32 +0000 Subject: [gnutls-devel] GnuTLS | lib: fix two segfault issues caused by freeing uninitialized buf (!1807) In-Reply-To: References: Message-ID: Xin Long commented: https://gitlab.com/gnutls/gnutls/-/merge_requests/1807#note_1772021419 buf is actually used in _gnutls13_recv_end_of_early_data(): when buf.length != 0, it returns error. Also, I'm not sure if buf.length == 0 means buf.allocd, so I just fixed the issue by simply adding a _gnutls_buffer_init() call in the beginning of the function in the version 3 post. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1807#note_1772021419 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Feb 14 08:01:55 2024 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 14 Feb 2024 07:01:55 +0000 Subject: [gnutls-devel] GnuTLS | Support reading and writing private keys in PKCS#8 v2 format (#1474) In-Reply-To: References: Message-ID: n3rdy commented: https://gitlab.com/gnutls/gnutls/-/issues/1474#note_1772301567 @dueno after going through the source code, these are the changes I've identified: - Modify `lib/pkix.asn` to include the publicKey field, with RFC 5958 as a reference - Encoding: Modify `encode_to_private_key_info` as mentioned before, and add a function `gnutls_x509_privkey_export_pkcs8v2` (exposing it to the public API) with the same parameters as gnutls_x509_privkey_export_pkcs8, and an additional public_key datum, which may be set to NULL. - Decoding: Modify `_decode_pkcs8_dsa_key` in `/lib/x509/privkey_pkcs8.c` to read the "publicKey" field if it exists. Are these changes fine? Also, I didn't quite understand where the public key would be stored in the gnutls_x509_privkey_t data structure if they would be stored at all. Additionally, the decode functions for other algorithms could be changed, to retrieve the public key from the publicKey field if it exists, instead of computing it (as in the case of edDSA and ed25519). So can I modify those as well? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1474#note_1772301567 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Feb 14 10:48:23 2024 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 14 Feb 2024 09:48:23 +0000 Subject: [gnutls-devel] GnuTLS | lib: fix two segfault issues caused by freeing uninitialized buf (!1807) In-Reply-To: References: Message-ID: Daiki Ueno commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/1807#note_1772510766 I see, thank you! -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1807#note_1772510766 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Feb 14 10:48:44 2024 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 14 Feb 2024 09:48:44 +0000 Subject: [gnutls-devel] GnuTLS | lib: fix two segfault issues caused by freeing uninitialized buf (!1807) In-Reply-To: References: Message-ID: All discussions on merge request !1807 were resolved by Daiki Ueno https://gitlab.com/gnutls/gnutls/-/merge_requests/1807 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1807 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Feb 14 10:48:54 2024 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 14 Feb 2024 09:48:54 +0000 Subject: [gnutls-devel] GnuTLS | lib: fix two segfault issues caused by freeing uninitialized buf (!1807) In-Reply-To: References: Message-ID: Merge request !1807 was merged Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1807 Project:Branches: lxin.redhat/gnutls:master to gnutls/gnutls:master Author: Xin Long -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1807 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Feb 14 10:54:53 2024 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 14 Feb 2024 09:54:53 +0000 Subject: [gnutls-devel] GnuTLS | Support reading and writing private keys in PKCS#8 v2 format (#1474) In-Reply-To: References: Message-ID: Daiki Ueno commented on a discussion: https://gitlab.com/gnutls/gnutls/-/issues/1474#note_1772521339 That sounds sensible to me. For decoding it would be nice to transparently decode both formats with the same API by default, though I would suggest adding a new flag to control the behavior. For encoding, I agree that we need a new function to explicitly pass in the public key if it cannot be derived from the private key. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1474#note_1772521339 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Feb 14 12:28:22 2024 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 14 Feb 2024 11:28:22 +0000 Subject: [gnutls-devel] GnuTLS | tests: skip pkcs11-tool.sh in FIPS mode (!1811) References: Message-ID: Alexander Sosedkin created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1811 Project:Branches: asosedkin/gnutls:fips-skip-pkcs11-tool to gnutls/gnutls:master Author: Alexander Sosedkin tests: skip pkcs11-tool.sh in FIPS mode Signed-off-by: Alexander Sosedkin ## Checklist * [x] Commits have `Signed-off-by:` with name/author being identical to the commit author * [ ] Code modified for feature * [ ] Test suite updated with functionality tests * [ ] Test suite updated with negative tests * [ ] Documentation updated / NEWS entry present (for non-trivial changes) * [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout) ## Reviewer's checklist: * [ ] Any issues marked for closing are addressed * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md` * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1811 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Feb 15 00:47:55 2024 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 14 Feb 2024 23:47:55 +0000 Subject: [gnutls-devel] GnuTLS | tests: skip pkcs11-tool.sh in FIPS mode (!1811) In-Reply-To: References: Message-ID: Merge request https://gitlab.com/gnutls/gnutls/-/merge_requests/1811 was reviewed by Daiki Ueno -- Daiki Ueno started a new discussion on tests/pkcs11-tool.sh: https://gitlab.com/gnutls/gnutls/-/merge_requests/1811#note_1773722025 > . "$srcdir/scripts/common.sh" > > testdir=`create_testdir ktls_keyupdate` Not a fault of this MR, but this test has nothing to do with KTLS; could you rename it? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1811 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Feb 15 00:47:56 2024 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 14 Feb 2024 23:47:56 +0000 Subject: [gnutls-devel] GnuTLS | tests: skip pkcs11-tool.sh in FIPS mode (!1811) In-Reply-To: References: Message-ID: Merge request !1811 was approved by Daiki Ueno Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1811 Project:Branches: asosedkin/gnutls:fips-skip-pkcs11-tool to gnutls/gnutls:master Author: Alexander Sosedkin Assignees: Reviewers: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1811 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Feb 15 00:47:58 2024 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 14 Feb 2024 23:47:58 +0000 Subject: [gnutls-devel] GnuTLS | tests: skip pkcs11-tool.sh in FIPS mode (!1811) In-Reply-To: References: Message-ID: Daiki Ueno commented: https://gitlab.com/gnutls/gnutls/-/merge_requests/1811#note_1773722029 Thank you, that makes sense. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1811#note_1773722029 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Feb 15 00:49:02 2024 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 14 Feb 2024 23:49:02 +0000 Subject: [gnutls-devel] GnuTLS | lib/x509/x509.c: add missing argument to macro invokation (!1810) In-Reply-To: References: Message-ID: Daiki Ueno commented: https://gitlab.com/gnutls/gnutls/-/merge_requests/1810#note_1773722482 Thank you! -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1810#note_1773722482 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Feb 15 00:48:52 2024 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 14 Feb 2024 23:48:52 +0000 Subject: [gnutls-devel] GnuTLS | lib/x509/x509.c: add missing argument to macro invokation (!1810) In-Reply-To: References: Message-ID: Merge request !1810 was approved by Daiki Ueno Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1810 Project:Branches: rootkea/gnutls:parm to gnutls/gnutls:master Author: Avinash Sonawane Assignees: Reviewers: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1810 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Feb 15 09:28:11 2024 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Thu, 15 Feb 2024 08:28:11 +0000 Subject: [gnutls-devel] GnuTLS | lib/x509/x509.c: add missing argument to macro invokation (!1810) In-Reply-To: References: Message-ID: Merge request !1810 was merged Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1810 Project:Branches: rootkea/gnutls:parm to gnutls/gnutls:master Author: Avinash Sonawane -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1810 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Feb 15 09:28:49 2024 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Thu, 15 Feb 2024 08:28:49 +0000 Subject: [gnutls-devel] GnuTLS | lib/mpi.c: extract flag correctly (!1809) In-Reply-To: References: Message-ID: Merge request !1809 was approved by Daiki Ueno Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1809 Project:Branches: rootkea/gnutls:flags to gnutls/gnutls:master Author: Avinash Sonawane Assignees: Reviewers: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1809 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Feb 15 10:27:59 2024 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Thu, 15 Feb 2024 09:27:59 +0000 Subject: [gnutls-devel] GnuTLS | lib/mpi.c: extract flag correctly (!1809) In-Reply-To: References: Message-ID: Merge request !1809 was merged Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1809 Project:Branches: rootkea/gnutls:flags to gnutls/gnutls:master Author: Avinash Sonawane -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1809 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Feb 15 13:41:08 2024 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Thu, 15 Feb 2024 12:41:08 +0000 Subject: [gnutls-devel] GnuTLS | tests: skip pkcs11-tool.sh in FIPS mode (!1811) In-Reply-To: References: Message-ID: All discussions on merge request !1811 were resolved by Daiki Ueno https://gitlab.com/gnutls/gnutls/-/merge_requests/1811 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1811 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Feb 15 13:41:23 2024 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Thu, 15 Feb 2024 12:41:23 +0000 Subject: [gnutls-devel] GnuTLS | tests: skip pkcs11-tool.sh in FIPS mode (!1811) In-Reply-To: References: Message-ID: Merge request !1811 was set to auto-merge by Daiki Ueno Merge request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1811 Project:Branches: asosedkin/gnutls:fips-skip-pkcs11-tool to gnutls/gnutls:master Author: Alexander Sosedkin Assignees: Reviewers: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1811 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Feb 15 14:11:27 2024 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Thu, 15 Feb 2024 13:11:27 +0000 Subject: [gnutls-devel] GnuTLS | build: allow GMP to be statically linked (!1635) In-Reply-To: References: Message-ID: Merge request !1635 was approved by Alexander Sosedkin Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1635 Project:Branches: dueno/gnutls:wip/dueno/gmp-static to gnutls/gnutls:master Author: Daiki Ueno Assignee: Daiki Ueno Reviewers: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1635 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Feb 15 14:11:39 2024 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Thu, 15 Feb 2024 13:11:39 +0000 Subject: [gnutls-devel] GnuTLS | build: allow GMP to be statically linked (!1635) In-Reply-To: References: Message-ID: Alexander Sosedkin commented: https://gitlab.com/gnutls/gnutls/-/merge_requests/1635#note_1774528800 I don't see what can go wrong. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1635#note_1774528800 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Feb 15 14:14:10 2024 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Thu, 15 Feb 2024 13:14:10 +0000 Subject: [gnutls-devel] GnuTLS | build: allow GMP to be statically linked (!1635) In-Reply-To: References: Message-ID: Merge request !1635 was set to auto-merge by Daiki Ueno Merge request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1635 Project:Branches: dueno/gnutls:wip/dueno/gmp-static to gnutls/gnutls:master Author: Daiki Ueno Assignee: Daiki Ueno Reviewers: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1635 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Feb 15 14:14:22 2024 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Thu, 15 Feb 2024 13:14:22 +0000 Subject: [gnutls-devel] GnuTLS | build: allow GMP to be statically linked (!1635) In-Reply-To: References: Message-ID: Daiki Ueno commented: https://gitlab.com/gnutls/gnutls/-/merge_requests/1635#note_1774534202 Thanks for the review! -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1635#note_1774534202 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Feb 15 14:55:42 2024 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Thu, 15 Feb 2024 13:55:42 +0000 Subject: [gnutls-devel] GnuTLS | build: allow GMP to be statically linked (!1635) In-Reply-To: References: Message-ID: Merge request !1635 was merged Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1635 Project:Branches: dueno/gnutls:wip/dueno/gmp-static to gnutls/gnutls:master Author: Daiki Ueno Assignee: Daiki Ueno -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1635 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Feb 15 16:01:23 2024 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Thu, 15 Feb 2024 15:01:23 +0000 Subject: [gnutls-devel] GnuTLS | tests: skip pkcs11-tool.sh in FIPS mode (!1811) In-Reply-To: References: Message-ID: Merge request !1811 was merged Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1811 Project:Branches: asosedkin/gnutls:fips-skip-pkcs11-tool to gnutls/gnutls:master Author: Alexander Sosedkin -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1811 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Feb 16 15:24:37 2024 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 16 Feb 2024 14:24:37 +0000 Subject: [gnutls-devel] GnuTLS | Draft: Add pkcs11 crypto backend configuration (!1808) In-Reply-To: References: Message-ID: Daiki Ueno was added as a reviewer. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1808 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Feb 16 16:20:59 2024 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 16 Feb 2024 15:20:59 +0000 Subject: [gnutls-devel] GnuTLS | gnutls_x509_trust_list_add_system_trust() is extremely slow (#1528) References: Message-ID: Michael Catanzaro created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1528 ## Description of problem: gnutls_x509_trust_list_add_system_trust() is surprisingly very slow. [This is causing a performance problem for WebKitGTK.](https://bugs.webkit.org/show_bug.cgi?id=251336#c19) * When running outside flatpak, on my computer the first call takes 100-300 milliseconds and all subsequent calls take 1-3 milliseconds. This isn't great as I didn't realize gnutls_x509_trust_list_add_system_trust() would block for a significant amount of time. But I assume it's probably necessary? * When running under flatpak, on my computer every call takes 100-300 milliseconds. GnuTLS is presumably contacting p11-kit-server every time. This seems like overkill. Would it be possible to cache these results instead so it doesn't happen again and again? Maybe p11-kit-server could notify GnuTLS only when there has been a change? ## Version of gnutls used: 3.8.0 ## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL) Fedora (outside flatpak), freedesktop-sdk (inside flatpak) ## How reproducible: Always Steps to Reproduce: * Build glib-networking using [this debug patch](https://gitlab.gnome.org/GNOME/gnome-build-meta/-/raw/f7d857743fc9ea57899a31e43e4a44d113325b70/patches/glib-networking/extra-debug.patch) * Run `G_MESSAGES_DEBUG=GLib-Net epiphany -p https://cnn.com` ## Actual results: Many slow calls to gnutls_x509_trust_list_add_system_trust() ## Expected results: It should be less slow -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1528 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Feb 16 20:52:55 2024 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 16 Feb 2024 19:52:55 +0000 Subject: [gnutls-devel] GnuTLS | gnutls_x509_trust_list_add_system_trust() is extremely slow (#1528) In-Reply-To: References: Message-ID: Michael Catanzaro commented: https://gitlab.com/gnutls/gnutls/-/issues/1528#note_1777294274 [Here's a solution I developed for glib-networking](https://gitlab.gnome.org/GNOME/glib-networking/-/merge_requests/249) to reduce how often we need to initialize the trust list. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1528#note_1777294274 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Feb 16 21:44:22 2024 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 16 Feb 2024 20:44:22 +0000 Subject: [gnutls-devel] GnuTLS | gnutls_x509_trust_list_add_system_trust() is extremely slow (#1528) In-Reply-To: References: Message-ID: Michael Catanzaro commented on a discussion: https://gitlab.com/gnutls/gnutls/-/issues/1528#note_1777334493 (I hope it's OK to share the same gnutls_certificate_credentials_t object between a bunch of different gnutls_session_t. I assume so.) -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1528#note_1777334493 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat Feb 17 15:16:37 2024 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Sat, 17 Feb 2024 14:16:37 +0000 Subject: [gnutls-devel] GnuTLS | openssl: update 3.2.1, enable PAC/BTI, Fix deps in Makefile (!1804) In-Reply-To: References: Message-ID: Merge request !1804 was closed by William Roberts Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1804 Project:Branches: wcrobertarm/gnutls:update-openssl-to-3.2.1-add-pac-bti to gnutls/gnutls:master Author: William Roberts Assignees: Reviewers: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1804 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat Feb 17 17:51:45 2024 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Sat, 17 Feb 2024 16:51:45 +0000 Subject: [gnutls-devel] GnuTLS | Support RSA-OAEP (!1805) In-Reply-To: References: Message-ID: Daiki Ueno marked merge request !1805 as ready -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1805 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat Feb 17 23:16:58 2024 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Sat, 17 Feb 2024 22:16:58 +0000 Subject: [gnutls-devel] GnuTLS | openssl: update 3.2.1, enable PAC/BTI, Fix deps in Makefile (!1804) In-Reply-To: References: Message-ID: Daiki Ueno commented: https://gitlab.com/gnutls/gnutls/-/merge_requests/1804#note_1777803285 @wcrobertarm Why did you close the MR and remove the branch? Although I still have a bit of a [concern](https://github.com/openssl/openssl/issues/23499) on licensing notice, I think it's mostly safe to merge. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1804#note_1777803285 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun Feb 18 03:15:02 2024 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Sun, 18 Feb 2024 02:15:02 +0000 Subject: [gnutls-devel] GnuTLS | Draft: Add pkcs11 crypto backend configuration (!1808) In-Reply-To: References: Message-ID: Daiki Ueno commented: https://gitlab.com/gnutls/gnutls/-/merge_requests/1808#note_1777996677 The overall approach looks good to me. Some suggestions: - maybe good to create a directory, say `lib/pkcs11/`, and host all the backend implementation, e.g., pk.c, cipher.c, mac.c., as in `lib/nettle/` - you might want to extend `lib/pkcs11*.c` to be a thin wrapper around PKCS#11 API, like pk11wrap library in NSS. For example, it provides more ergonomic API for [encryption](https://searchfox.org/mozilla-central/rev/3da086bd7bce12353fc65968802445dca46f4537/security/nss/lib/pk11wrap/pk11pub.h#562) -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1808#note_1777996677 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun Feb 18 06:42:18 2024 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Sun, 18 Feb 2024 05:42:18 +0000 Subject: [gnutls-devel] GnuTLS | Draft: Work on issue #1475 (!1812) References: Message-ID: Hoang Long created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1812 Project:Branches: sudo-rainman/gnutls:master to gnutls/gnutls:master Author: Hoang Long * Add wycheproof test for ECDH. Signed-off-by: Long Hoang ## Checklist * [ ] Commits have `Signed-off-by:` with name/author being identical to the commit author * [ ] Code modified for feature * [ ] Test suite updated with functionality tests * [ ] Test suite updated with negative tests * [ ] Documentation updated / NEWS entry present (for non-trivial changes) * [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout) ## Reviewer's checklist: * [ ] Any issues marked for closing are addressed * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md` * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1812 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun Feb 18 07:02:56 2024 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Sun, 18 Feb 2024 06:02:56 +0000 Subject: [gnutls-devel] GnuTLS | Draft: Work on issue #1475 (!1812) In-Reply-To: References: Message-ID: Hoang Long commented: https://gitlab.com/gnutls/gnutls/-/merge_requests/1812#note_1778070588 @dueno While implementing the ECDH test vector, I encountered an issue as I couldn't find any public function in GnuTLS to parse ASN.1 encoded public keys from the test vector. For instance, in the ecdh_secp256r1_test.json, the test with tcId 1 has a public key encoded as 3059301306072a8648ce3d020106082a8648ce3d0301070342000462d5bd3372af75fe85a040715d0f502428e07046868b0bfdfa61d731afe44f26ac333a93a9e70a81cd5a95b5bf8d13990eb741c8c38872b4a07d275a014e30cf. Currently, I'm temporarily converting it to 04410462d5bd3372af75fe85a040715d0f502428e07046868b0bfdfa61d731afe44f26ac333a93a9e70a81cd5a95b5bf8d13990eb741c8c38872b4a07d275a014e30cf to use gnutls_pubkey_import_ecc_x962 with ECParameters fixed in secp256r1. But I'm afraid tampering with ASN.1 encoded of public key could harm affect the correctness of bug types like "InvalidAsn" defined in the test vector. Should I extract the public key information from the test vector and parse it into the correct ASN.1 encoding that the GnuTLS library accepts? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1812#note_1778070588 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun Feb 18 07:59:13 2024 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Sun, 18 Feb 2024 06:59:13 +0000 Subject: [gnutls-devel] GnuTLS | Draft: Work on issue #1475 (!1812) In-Reply-To: References: Message-ID: Daiki Ueno commented: https://gitlab.com/gnutls/gnutls/-/merge_requests/1812#note_1778077934 I think you could use regular API, such as `gnutls_pubkey_import` to deal with that format, as certtool can decode it properly: ```console $ echo 3059301306072a8648ce3d020106082a8648ce3d0301070342000462d5bd3372af75fe85a040715d0f502428e07046868b0bfdfa61d731afe44f26ac333a93a9e70a81cd5a95b5bf8d13990eb741c8c38872b4a07d275a014e30cf | sed 's/../\\\\x\0/g' | xargs printf | certtool --pubkey-info --inder Public Key Information: Public Key Algorithm: EC/ECDSA Algorithm Security Level: High (256 bits) Curve: SECP256R1 X: 62:d5:bd:33:72:af:75:fe:85:a0:40:71:5d:0f:50:24 28:e0:70:46:86:8b:0b:fd:fa:61:d7:31:af:e4:4f:26 Y: 00:ac:33:3a:93:a9:e7:0a:81:cd:5a:95:b5:bf:8d:13 99:0e:b7:41:c8:c3:88:72:b4:a0:7d:27:5a:01:4e:30 cf Public Key ID: sha1:cc558fb828759c01bb7066093f52ecd29cbe6a43 sha256:a49d5e91410cec8881d7847d9de258b3fedddb71bf37d6ab8509354be06ce215 Public Key PIN: pin-sha256:pJ1ekUEM7IiB14R9neJYs/7d23G/N9arhQk1S+Bs4hU= -----BEGIN PUBLIC KEY----- MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEYtW9M3Kvdf6FoEBxXQ9QJCjgcEaG iwv9+mHXMa/kTyasMzqTqecKgc1albW/jROZDrdByMOIcrSgfSdaAU4wzw== ``` -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1812#note_1778077934 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun Feb 18 08:35:54 2024 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Sun, 18 Feb 2024 07:35:54 +0000 Subject: [gnutls-devel] GnuTLS | Draft: Work on issue #1475 (!1812) In-Reply-To: References: Message-ID: Hoang Long commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/1812#note_1778088253 I think I've tried that before, but I keep getting errors in DER parsing, and I'm not sure why. ` gnutls_datum_t ecpoint; const char *ecpoint_hex_string = "3059301306072a8648ce3d020106082a8648ce3d0301070342000462d5bd3372af75fe85a040715d0f502428e07046868b0bfdfa61d731afe44f26ac333a93a9e70a81cd5a95b5bf8d13990eb741c8c38872b4a07d275a014e30cf"; gen_data(ecpoint_hex_string, &ecpoint); gnutls_pubkey_t pubkey; ret = gnutls_pubkey_init(&pubkey); ret = gnutls_pubkey_import(pubkey,&ecpoint, GNUTLS_X509_FMT_DER);` -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1812#note_1778088253 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun Feb 18 09:55:18 2024 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Sun, 18 Feb 2024 08:55:18 +0000 Subject: [gnutls-devel] GnuTLS | gnutls_x509_trust_list_add_system_trust() is extremely slow (#1528) In-Reply-To: References: Message-ID: Daiki Ueno commented: https://gitlab.com/gnutls/gnutls/-/issues/1528#note_1778108934 If the trust store is only backed by PKCS#11, the certificate lookup is deferred to the p11-kit-trust.so, so I would say it doesn't make sense to call `gnutls_x509_trust_list_add_system_trust` more than once. For the slowness of the first time invocation, there's indeed a room for improvement; GnuTLS only needs the number of CA certificates in the trust store, while it tries to retrieve everything. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1528#note_1778108934 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun Feb 18 15:57:09 2024 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Sun, 18 Feb 2024 14:57:09 +0000 Subject: [gnutls-devel] GnuTLS | gnutls_x509_trust_list_add_system_trust() is extremely slow (#1528) In-Reply-To: References: Message-ID: Michael Catanzaro commented on a discussion: https://gitlab.com/gnutls/gnutls/-/issues/1528#note_1778173477 > If the trust store is only backed by PKCS#11, the certificate lookup is deferred to the p11-kit-trust.so, so I would say it doesn't make sense to call `gnutls_x509_trust_list_add_system_trust` more than once. I've reduced it to twice. Can't get it down to only once because GTlsDatabaseGnutls needs to keep a gnutls_x509_trust_list_t for itself, but gnutls_certificate_credentials_t takes ownership. There's also no way to duplicate an existing gnutls_x509_trust_list_t. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1528#note_1778173477 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Feb 19 01:36:47 2024 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Mon, 19 Feb 2024 00:36:47 +0000 Subject: [gnutls-devel] GnuTLS | Support RSA-OAEP (!1805) In-Reply-To: References: Message-ID: Daiki Ueno commented: https://gitlab.com/gnutls/gnutls/-/merge_requests/1805#note_1778292012 @ZoltanFridrich could you review? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1805#note_1778292012 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Feb 19 01:53:14 2024 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Mon, 19 Feb 2024 00:53:14 +0000 Subject: [gnutls-devel] GnuTLS | Draft: Work on issue #1475 (!1812) In-Reply-To: References: Message-ID: Daiki Ueno commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/1812#note_1778295377 I suspect `out->size = strlen(byte_array)` might be the cause, as `strlen` only works with NUL terminated string and the decoded `byte_array` may contain a NUL byte (`\0`). Try: ```c gnutls_datum_t hex, der = { NULL, 0 }; hex.data = "3059301306072a8648ce3d020106082a8648ce3d0301070342000462d5bd3372af75fe85a040715d0f502428e07046868b0bfdfa61d731afe44f26ac333a93a9e70a81cd5a95b5bf8d13990eb741c8c38872b4a07d275a014e30cf"; hex.size = strlen(hex.data); gnutls_hex_decode2(&hex, &der); ... ``` -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1812#note_1778295377 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Feb 19 11:46:36 2024 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Mon, 19 Feb 2024 10:46:36 +0000 Subject: [gnutls-devel] GnuTLS | Support RSA-OAEP (!1805) In-Reply-To: References: Message-ID: Reassigned merge request 1805 https://gitlab.com/gnutls/gnutls/-/merge_requests/1805 Daiki Ueno was added as an assignee. Zolt?n Fridrich was removed as an assignee. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1805 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Feb 19 11:46:52 2024 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Mon, 19 Feb 2024 10:46:52 +0000 Subject: [gnutls-devel] GnuTLS | Support RSA-OAEP (!1805) In-Reply-To: References: Message-ID: Zolt?n Fridrich was added as a reviewer. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1805 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Feb 19 15:29:07 2024 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Mon, 19 Feb 2024 14:29:07 +0000 Subject: [gnutls-devel] GnuTLS | GnuTLS has incomplete fix for CVE-2023-5981 (#1522) In-Reply-To: References: Message-ID: Andrea Mattiazzo commented on a discussion: https://gitlab.com/gnutls/gnutls/-/issues/1522#note_1779194843 Thanks @dueno for the info. Just as confirmation, I saw that rsa_psk.c was added in version 3.2.4 ([commit])(https://gitlab.com/gnutls/gnutls/-/commit/6d25d31976892cadd8c8cef7c93509bd6ede7dbe), so we could consider the version from 3.2.4 to 3.2.17 as not affected? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1522#note_1779194843 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Feb 19 18:21:09 2024 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Mon, 19 Feb 2024 17:21:09 +0000 Subject: [gnutls-devel] GnuTLS | Draft: Work on issue #1475 (!1812) In-Reply-To: References: Message-ID: All discussions on merge request !1812 were resolved by Hoang Long https://gitlab.com/gnutls/gnutls/-/merge_requests/1812 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1812 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Feb 19 18:21:09 2024 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Mon, 19 Feb 2024 17:21:09 +0000 Subject: [gnutls-devel] GnuTLS | Draft: Work on issue #1475 (!1812) In-Reply-To: References: Message-ID: Hoang Long commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/1812#note_1779475455 You're right. Thank you! -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1812#note_1779475455 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Feb 19 18:32:38 2024 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Mon, 19 Feb 2024 17:32:38 +0000 Subject: [gnutls-devel] GnuTLS | Draft: Work on issue #1475 (!1812) In-Reply-To: References: Message-ID: Hoang Long commented: https://gitlab.com/gnutls/gnutls/-/merge_requests/1812#note_1779490758 @dueno Can you review my approach and let me know if any adjustments are needed? What should I do with the test output? Also, currently, I'm using dummy x and y points for the privkey variable because I want the gnutls_privkey_derive_secret API to check if the public key point is valid or not. I was wondering if there's a better way to handle this. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1812#note_1779490758 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Feb 19 22:28:50 2024 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Mon, 19 Feb 2024 21:28:50 +0000 Subject: [gnutls-devel] GnuTLS | Check all OCSP responses (#1372) In-Reply-To: References: Message-ID: lovetox commented: https://gitlab.com/gnutls/gnutls/-/issues/1372#note_1780039288 This also affects our users at Gajim (XMPP Messaging Client), sometimes users have ocsp stapling on, and then cert verification fails, while it works fine when they use other clients with other TLS libs. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1372#note_1780039288 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Feb 19 23:50:08 2024 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Mon, 19 Feb 2024 22:50:08 +0000 Subject: [gnutls-devel] GnuTLS | Draft: Work on issue #1475 (!1812) In-Reply-To: References: Message-ID: Daiki Ueno commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/1812#note_1780082436 The general approach looks good to me, thanks for working on that! I suggest: - integrating this test into autotools, i.e., `TESTS` in `tests/Makefile.am` (or `tests/suite/Makefile.am` if you don't want to distribute Wycheproof tests in the tarball) - using Git [submodule](https://git-scm.com/book/en/v2/Git-Tools-Submodules) for wycheproof As for `gnutls_privkey_derive_secret`, I guess in this case using either a random point or the same X and Y of the public key would work, as they will not be used. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1812#note_1780082436 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Feb 21 10:49:05 2024 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 21 Feb 2024 09:49:05 +0000 Subject: [gnutls-devel] GnuTLS | TLS interoperability: test actual compiled master (!1802) In-Reply-To: References: Message-ID: Stanislav ?idek commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/1802#note_1782705048 @dueno I made packit build work finally [pipeline](https://gitlab.com/ep69/gnutls/-/pipelines/1183846699), [branch](https://gitlab.com/ep69/gnutls/-/commits/interop-version-packit-separate) (please ignore failing tests for now), but I'd vote against it because of long duration (40m vs. 20m) and potential instability. But I will do it if you say so. Otherwise, I can add separate build for interop tests that uses same configure parameters as we use in Fedora. What do you think? Which direction is better? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1802#note_1782705048 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Feb 22 09:49:38 2024 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Thu, 22 Feb 2024 08:49:38 +0000 Subject: [gnutls-devel] GnuTLS | TLS interoperability: test actual compiled master (!1802) In-Reply-To: References: Message-ID: Stanislav ?idek commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/1802#note_1784450009 @dueno If I just use the configure args from Fedora, build takes 10m longer than the minimal one: https://gitlab.com/ep69/gnutls/-/pipelines/1185434226 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1802#note_1784450009 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Feb 23 07:31:11 2024 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 23 Feb 2024 06:31:11 +0000 Subject: [gnutls-devel] GnuTLS | tests: support KAT in dh-compute* tests (!1813) References: Message-ID: Daiki Ueno created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1813 Project:Branches: dueno/gnutls:wip/dueno/ecdh-compute-tests to gnutls/gnutls:master Author: Daiki Ueno * tests: support KAT in dh-compute* tests While the logic existed, known answer tests were omitted in tests/dh-compute, tests/dh-compute2, tests/ecdh-compute, and tests/ecdh-compute2. This enables the support for it as well as fixes a couple of issues in the logic: avoid using `success` variable as it shadows the helper function with the same name defined in tests/utils.h, invert the memcmp condition, and properly use peer_x and peer_y in place of x and y in ecdh-compute2. Signed-off-by: Daiki Ueno ## Checklist * [ ] Commits have `Signed-off-by:` with name/author being identical to the commit author * [ ] Code modified for feature * [ ] Test suite updated with functionality tests * [ ] Test suite updated with negative tests * [ ] Documentation updated / NEWS entry present (for non-trivial changes) * [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout) ## Reviewer's checklist: * [ ] Any issues marked for closing are addressed * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md` * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1813 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Feb 23 07:43:28 2024 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 23 Feb 2024 06:43:28 +0000 Subject: [gnutls-devel] GnuTLS | Draft: Work on issue #1475 (!1812) In-Reply-To: References: Message-ID: Daiki Ueno commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/1812#note_1786151467 Btw, this MR provoked some issues in the `tests/*dh-compute*` tests, which I'm fixing in !1813. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1812#note_1786151467 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Feb 23 09:34:28 2024 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 23 Feb 2024 08:34:28 +0000 Subject: [gnutls-devel] GnuTLS | tests: support KAT in (EC)DH tests (!1813) In-Reply-To: References: Message-ID: Alexander Sosedkin was added as a reviewer. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1813 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Feb 23 09:34:08 2024 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 23 Feb 2024 08:34:08 +0000 Subject: [gnutls-devel] GnuTLS | tests: support KAT in (EC)DH tests (!1813) In-Reply-To: References: Message-ID: Reassigned merge request 1813 https://gitlab.com/gnutls/gnutls/-/merge_requests/1813 Daiki Ueno was added as an assignee. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1813 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Feb 23 12:34:36 2024 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 23 Feb 2024 11:34:36 +0000 Subject: [gnutls-devel] libtasn1 | Update gnulib and copyright years. (!96) References: Message-ID: Simon Josefsson created a merge request: https://gitlab.com/gnutls/libtasn1/-/merge_requests/96 Project:Branches: jas/libtasn1:update-gnulib to gnutls/libtasn1:master Author: Simon Josefsson This fixes pipeline failures. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/-/merge_requests/96 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Feb 23 12:35:19 2024 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 23 Feb 2024 11:35:19 +0000 Subject: [gnutls-devel] libtasn1 | Update gnulib and copyright years. (!96) In-Reply-To: References: Message-ID: Merge request !96 was merged Merge request URL: https://gitlab.com/gnutls/libtasn1/-/merge_requests/96 Project:Branches: jas/libtasn1:update-gnulib to gnutls/libtasn1:master Author: Simon Josefsson -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/-/merge_requests/96 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun Feb 25 01:15:30 2024 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Sun, 25 Feb 2024 00:15:30 +0000 Subject: [gnutls-devel] GnuTLS | Draft: Work on issue #1475 (!1812) In-Reply-To: References: Message-ID: Hoang Long commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/1812#note_1788093631 Oh, nice. Thanks for your changes. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1812#note_1788093631 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Feb 26 21:38:48 2024 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Mon, 26 Feb 2024 20:38:48 +0000 Subject: [gnutls-devel] GnuTLS | Certtool error when generating a selfsigned x25519 certificate (#1524) In-Reply-To: References: Message-ID: Sahil Siddiq commented: https://gitlab.com/gnutls/gnutls/-/issues/1524#note_1790129837 Hi. I am new to GnuTLS and would like to give this issue a shot. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1524#note_1790129837 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Feb 27 07:46:18 2024 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 27 Feb 2024 06:46:18 +0000 Subject: [gnutls-devel] libtasn1 | Potential Buffer Overrun in _asn1_tag_der() (#49) References: Message-ID: Gary Lin created an issue: https://gitlab.com/gnutls/libtasn1/-/issues/49 ## Description of problem: When merging libtasn1 into grub2, a potential buffer overrun issue was spotted by coverity: ``` *** CID 435762: Memory - corruptions (OVERRUN) ________________________________________________________________________________________________________ /grub-core/lib/libtasn1/lib/coding.c: 152 in _asn1_tag_der() 146 if (k > ASN1_MAX_TAG_SIZE - 1) 147 break; /* will not encode larger tags */ 148 } 149 *ans_len = k + 1; 150 while (k--) 151 ans[*ans_len - 1 - k] = temp[k] + 128; >>> CID 435762: Memory - corruptions (OVERRUN) >>> Overrunning array of 4 bytes at byte offset 4 by dereferencing pointer "ans + (*ans_len - 1)". 152 ans[*ans_len - 1] -= 128; 153 } 154 } 155 156 /** 157 * asn1_octet_der: ``` Here is the code snippet: ``` k = 0; while (tag_value != 0) { temp[k++] = tag_value & 0x7F; tag_value >>= 7; if (k > ASN1_MAX_TAG_SIZE - 1) break; /* will not encode larger tags */ } *ans_len = k + 1; while (k--) ans[*ans_len - 1 - k] = temp[k] + 128; ``` In the first while loop, `k` may become `ASN1_MAX_TAG_SIZE`, i.e.`4`, and trigger `break`. Then, in the second while loop, the iteration will be like this: ``` *ans_len - 1 - k: 1, k: 3 *ans_len - 1 - k: 2, k: 2 *ans_len - 1 - k: 3, k: 1 *ans_len - 1 - k: 4, k: 0 ``` The code may access ans\[4\] which excesses the boundary of the array. Maybe the if statement should be `k >= ASN1_MAX_TAG_SIZE - 1` to cap `k` below `ASN1_MAX_TAG_SIZE`. The full report is available in grub-devel mailing list: https://lists.gnu.org/archive/html/grub-devel/2024-02/txtKIuUb5lf3O.txt ## Version of libtasn1 used: 4.19 ## Distributor of libtasn1 (e.g., Ubuntu, Fedora, RHEL) Upstream official tarball ## How reproducible: Steps to Reproduce: * one * two * three ## Actual results: ## Expected results: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/-/issues/49 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Feb 27 08:24:59 2024 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 27 Feb 2024 07:24:59 +0000 Subject: [gnutls-devel] libtasn1 | Potential Buffer Overrun in _asn1_tag_der() (#49) In-Reply-To: References: Message-ID: Simon Josefsson commented: https://gitlab.com/gnutls/libtasn1/-/issues/49#note_1790518004 Thanks - your analysis looks correct. Did you look into if any call path to this function are vulnerable? I'll see if I can create a reproducer. Changing `>` to `>=' may work. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/-/issues/49#note_1790518004 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Feb 27 08:41:28 2024 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 27 Feb 2024 07:41:28 +0000 Subject: [gnutls-devel] libtasn1 | Potential Buffer Overrun in _asn1_tag_der() (#49) In-Reply-To: References: Message-ID: Simon Josefsson commented: https://gitlab.com/gnutls/libtasn1/-/issues/49#note_1790536153 For this to be triggered, `tag_value` has to be quite large -- maybe the function should do a `ETYPE_OK(tag_value)` before using it. Several of the callers do something like that already, so it is not clear it is easily exploitable. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/-/issues/49#note_1790536153 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Feb 27 09:51:26 2024 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 27 Feb 2024 08:51:26 +0000 Subject: [gnutls-devel] libtasn1 | Potential Buffer Overrun in _asn1_tag_der() (#49) In-Reply-To: References: Message-ID: Simon Josefsson commented: https://gitlab.com/gnutls/libtasn1/-/issues/49#note_1790640559 Probably the only potentially vulnerable call path is via `_asn1_insert_tag_der`, the other doesn't lead to large `tag_value`s. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/-/issues/49#note_1790640559 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Feb 27 11:57:03 2024 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 27 Feb 2024 10:57:03 +0000 Subject: [gnutls-devel] libtasn1 | Potential Buffer Overrun in _asn1_tag_der() (#49) In-Reply-To: References: Message-ID: Simon Josefsson commented: https://gitlab.com/gnutls/libtasn1/-/issues/49#note_1790913215 And `_asn1_insert_tag_der` is only used via `asn1_der_coding` where the tags come from the ASN.1 schema and is likely safe, except for implicit tags but I'm not convinced they are ever attacker controller. The code should be improved to not be safe just because it is just in particular ways. Since `_asn1_tag_der` only supports tags 1..4 bytes I think it can be implemented without loops. It would be nice to add white-box testing of similar internal functions, but library export visibility makes it a bit difficult. There are other coverity finds in your link that looks interesting. I thought we already ran coverity checks on libtasn1 and had looked into them, but it was a long time ago and I may have forgotten the details. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/-/issues/49#note_1790913215 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Feb 27 12:23:00 2024 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 27 Feb 2024 11:23:00 +0000 Subject: [gnutls-devel] GnuTLS | tests: support KAT in (EC)DH tests (!1813) In-Reply-To: References: Message-ID: Merge request !1813 was approved by Alexander Sosedkin Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1813 Project:Branches: dueno/gnutls:wip/dueno/ecdh-compute-tests to gnutls/gnutls:master Author: Daiki Ueno Assignee: Daiki Ueno Reviewer: Alexander Sosedkin -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1813 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Feb 27 12:28:16 2024 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 27 Feb 2024 11:28:16 +0000 Subject: [gnutls-devel] GnuTLS | tests: support KAT in (EC)DH tests (!1813) In-Reply-To: References: Message-ID: Merge request !1813 was merged Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1813 Project:Branches: dueno/gnutls:wip/dueno/ecdh-compute-tests to gnutls/gnutls:master Author: Daiki Ueno Assignee: Daiki Ueno Reviewer: Alexander Sosedkin -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1813 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Feb 27 12:27:58 2024 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 27 Feb 2024 11:27:58 +0000 Subject: [gnutls-devel] GnuTLS | tests: support KAT in (EC)DH tests (!1813) In-Reply-To: References: Message-ID: Daiki Ueno commented: https://gitlab.com/gnutls/gnutls/-/merge_requests/1813#note_1790977743 Thanks for the review! -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1813#note_1790977743 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Feb 27 15:26:15 2024 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 27 Feb 2024 14:26:15 +0000 Subject: [gnutls-devel] libtasn1 | Potential Buffer Overrun in _asn1_tag_der() (#49) In-Reply-To: References: Message-ID: Gary Lin commented: https://gitlab.com/gnutls/libtasn1/-/issues/49#note_1791354981 Thanks for the detailed examination. I'm still looking into other coverity warnings. To be honest, I'm not familiar with libtasn1, so the progress is quite slow. Will post other issue if there is other valid warning. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/-/issues/49#note_1791354981 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Feb 27 18:44:23 2024 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 27 Feb 2024 17:44:23 +0000 Subject: [gnutls-devel] GnuTLS | Typo in definition of `_gnutls_no_log` when `C99_MACROS` is undefined. (#1530) References: Message-ID: Andrew Lilley Brinker created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1530 ## Description of problem: The offending line is here: https://gitlab.com/gnutls/gnutls/-/blob/master/lib/errors.h?ref_type=heads#L173 The macro is defined to be `_gnutle_null_log` instead of `_gnutls_null_log`. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1530 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Feb 29 08:42:58 2024 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Thu, 29 Feb 2024 07:42:58 +0000 Subject: [gnutls-devel] libtasn1 | Potential Buffer Overrun in asn1_der_decoding2() (#50) References: Message-ID: Gary Lin created an issue: https://gitlab.com/gnutls/libtasn1/-/issues/50 ## Description of problem: >From the grub2 [coverity report](https://lists.gnu.org/archive/html/grub-devel/2024-02/txtKIuUb5lf3O.txt), it raised a potential buffer overrun in asn1_der_decoding2(): ``` ________________________________________________________________________________________________________ *** CID 435766: Memory - corruptions (OVERRUN) /grub-core/lib/libtasn1/lib/decoding.c: 1204 in asn1_der_decoding2() 1198 } 1199 1200 DECR_LEN (ider_len, len2); 1201 1202 tlen = strlen (temp); 1203 if (tlen > 0) >>> CID 435766: Memory - corruptions (OVERRUN) >>> Allocating insufficient memory for the terminating null of the string. 1204 _asn1_set_value (p, temp, tlen); 1205 1206 counter += len2; 1207 move = RIGHT; 1208 break; 1209 case ASN1_ETYPE_OCTET_STRING: ``` However, this seems to be false positive since DER format doesn't need the terminating null. I'd need the confirmation from libtasn1 upstream. ## Version of libtasn1 used: 4.19 ## Distributor of libtasn1 (e.g., Ubuntu, Fedora, RHEL) Upstream official tarball ## How reproducible: Steps to Reproduce: * one * two * three ## Actual results: ## Expected results: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/-/issues/50 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Feb 29 17:04:01 2024 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Thu, 29 Feb 2024 16:04:01 +0000 Subject: [gnutls-devel] GnuTLS | Certtool error when generating a selfsigned x25519 certificate (#1524) In-Reply-To: References: Message-ID: Ramesh Adhikari commented: https://gitlab.com/gnutls/gnutls/-/issues/1524#note_1795793326 I'm currently using GnuTLS version 3.8.3 on Linux Mint, and it's working fine for me. To assist in diagnosing the issue you're facing, could you please try the following steps? ``` export GNUTLS_DEBUG_LEVEL=9 `` and try re-running the GnuTLS command -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1524#note_1795793326 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Feb 29 17:04:36 2024 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Thu, 29 Feb 2024 16:04:36 +0000 Subject: [gnutls-devel] GnuTLS | Certtool error when generating a selfsigned x25519 certificate (#1524) In-Reply-To: References: Message-ID: Ramesh Adhikari commented: https://gitlab.com/gnutls/gnutls/-/issues/1524#note_1795794528 I'm currently using GnuTLS version 3.8.3 on Linux Mint, and it's working fine for me. To assist in diagnosing the issue you're facing, could you please try the following steps? ``` export GNUTLS_DEBUG_LEVEL=9 `` and try re-running the GnuTLS command -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1524#note_1795794528 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Feb 29 21:41:59 2024 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Thu, 29 Feb 2024 20:41:59 +0000 Subject: [gnutls-devel] GnuTLS | Certtool error when generating a selfsigned x25519 certificate (#1524) In-Reply-To: References: Message-ID: Sahil Siddiq commented on a discussion: https://gitlab.com/gnutls/gnutls/-/issues/1524#note_1796126203 Hi, thank you. I wasn't aware of the `GNUTLS_DEBUG_LEVEL` environment variable. Anyway, I have found a potential cause of this issue. It's because in [`gnutls_pubkey_get_preferred_hash_algorithm`](https://gitlab.com/gnutls/gnutls/-/blob/master/lib/pubkey.c?ref_type=heads#L283), `key->params.algo` does not match any algorithm. The next step would now be to understand why it doesn't match any algorithm in Arch Linux. I set the given environment variable. I haven't investigated this part thoroughly enough but I am under the impression that `key->params.algo` should be `GNUTLS_PK_ECDH_X25519` in this case but it is not. I'll have to investigate this further. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1524#note_1796126203 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Feb 29 21:44:16 2024 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Thu, 29 Feb 2024 20:44:16 +0000 Subject: [gnutls-devel] GnuTLS | Certtool error when generating a selfsigned x25519 certificate (#1524) In-Reply-To: References: Message-ID: Sahil Siddiq commented: https://gitlab.com/gnutls/gnutls/-/issues/1524#note_1796128168 > _I'm not quite sure whether this generation even should succeed, but surely there should at least be a more informative error._ I agree. Maybe in this particular case, it should log something like `Couldn't identify appropriate algorithm` along with the "internal error" message. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1524#note_1796128168 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: