From gnutls-devel at lists.gnutls.org Mon Jan 1 04:56:23 2024
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Mon, 01 Jan 2024 03:56:23 +0000
Subject: [gnutls-devel] GnuTLS | .gitlab-ci.yml: switch to using Fedora 39 (!1796)

Daiki Ueno created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1796

Project:Branches: dueno/gnutls:wip/dueno/ci-fedora39 to gnutls/gnutls:master
Author: Daiki Ueno

Also update year of copyright notices in doc/gnutls.texi.

## Checklist
* [x] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [ ] Code modified for feature
* [ ] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
* [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:
* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1796
You're receiving this email because of your account on gitlab.com.

From gnutls-devel at lists.gnutls.org Tue Jan 2 10:40:36 2024
Date: Tue, 02 Jan 2024 09:40:36 +0000
Subject: [gnutls-devel] web-pages | update OpenPGP release certificates, publishing minimal versions of each cert (Closes #6) (!10)

Zoltán Fridrich commented on a discussion: https://gitlab.com/gnutls/web-pages/-/merge_requests/10#note_1710882272

okay, I will update it

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/web-pages/-/merge_requests/10#note_1710882272

From gnutls-devel at lists.gnutls.org Tue Jan 2 17:49:57 2024
Date: Tue, 02 Jan 2024 16:49:57 +0000
Subject: [gnutls-devel] GnuTLS | cockpit-certificate-ensure: ../../../lib/x509/common.c:1756: _gnutls_sort_clist: Assertion `k == clist_size' failed. (#1521)

Jean-Luc Duprat created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1521

## Description of problem:

Cockpit (which uses gnuTLS) rejects certificate chain with distributed trust.

The provided certificate file contains the certificate C for the TLS endpoint, followed by 3 chains of trust (Interm 2A, Interm 1A, Root A). The three roots cross-signed each other. Chain looks like so in PEM format:

C
Interm 2A
Interm 1A
Interm 2B
Interm 1B
Interm 2C
Interm 1C
KeyRootA_SignedB
KeyRootA_SignedC
KeyRootB_SignedA
KeyRootB_SignedC
KeyRootC_SignedA
KeyRootC_SignedB
Root A
Root B
Root C

This is not a public chain.

## Version of gnutls used:

gnutls-3.8.2-2.fc39.x86_64

## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)

Fedora 39

## How reproducible:

Steps to Reproduce:

If I run (checks the certificates that will be used by cockpit):

$ sudo /usr/libexec/cockpit-certificate-ensure --check

with the above chain, I get the following error from gnuTLS

cockpit-certificate-ensure: ../../../lib/x509/common.c:1756: _gnutls_sort_clist: Assertion `k == clist_size' failed.

If I delete the cross-signed certifications of the roots from the chain, i.e.:

RootA_SignedB
RootA_SignedC
RootB_SignedA
RootB_SignedC
RootC_SignedA
RootC_SignedB

then there is no error.

Sorting this list of certificates should not cause an assertion.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1521

From gnutls-devel at lists.gnutls.org Wed Jan 3 01:29:09 2024
Date: Wed, 03 Jan 2024 00:29:09 +0000
Subject: [gnutls-devel] GnuTLS | cockpit-certificate-ensure: ../../../lib/x509/common.c:1756: _gnutls_sort_clist: Assertion `k == clist_size' failed. (#1521)

Daiki Ueno commented: https://gitlab.com/gnutls/gnutls/-/issues/1521#note_1711820996

Thank you for the report. Could you clarify a couple of things:

- What do you mean with "KeyRootX_SignedY", is it a root certificate X signed by Y?
- Are A, B, and C a self-signed certificate?
- What is your trust store setup wrt A, B, and C (i.e., `trust list --filter=ca-anchors` contains all)?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1521#note_1711820996

From gnutls-devel at lists.gnutls.org Wed Jan 3 10:13:30 2024
Date: Wed, 03 Jan 2024 09:13:30 +0000
Subject: [gnutls-devel] web-pages | Update PGP release keyring (!11)

Daiki Ueno was added as a reviewer.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/web-pages/-/merge_requests/11

From gnutls-devel at lists.gnutls.org Wed Jan 3 10:13:30 2024
Date: Wed, 03 Jan 2024 09:13:30 +0000
Subject: [gnutls-devel] web-pages | Update PGP release keyring (!11)

Reassigned merge request 11

https://gitlab.com/gnutls/web-pages/-/merge_requests/11

Zoltán Fridrich was added as an assignee.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/web-pages/-/merge_requests/11

From gnutls-devel at lists.gnutls.org Wed Jan 3 10:13:36 2024
Date: Wed, 03 Jan 2024 09:13:36 +0000
Subject: [gnutls-devel] web-pages | Update PGP release keyring (!11)

Zoltán Fridrich created a merge request: https://gitlab.com/gnutls/web-pages/-/merge_requests/11

Project:Branches: ZoltanFridrich/gnutls-web-pages:zfridric_devel to gnutls/web-pages:master
Author: Zoltán Fridrich
Assignee: Zoltán Fridrich
Reviewer: Daiki Ueno

I have prolonged the expiry date of my key and updated the keyring

Signed-off-by: Zoltan Fridrich

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/web-pages/-/merge_requests/11

From gnutls-devel at lists.gnutls.org Wed Jan 3 10:14:31 2024
Date: Wed, 03 Jan 2024 09:14:31 +0000
Subject: [gnutls-devel] web-pages | update OpenPGP release certificates, publishing minimal versions of each cert (Closes #6) (!10)

All discussions on merge request !10 were resolved by Zoltán Fridrich

https://gitlab.com/gnutls/web-pages/-/merge_requests/10

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/web-pages/-/merge_requests/10

From gnutls-devel at lists.gnutls.org Wed Jan 3 10:14:26 2024
Date: Wed, 03 Jan 2024 09:14:26 +0000
Subject: [gnutls-devel] web-pages | update OpenPGP release certificates, publishing minimal versions of each cert (Closes #6) (!10)

Zoltán Fridrich commented on a discussion: https://gitlab.com/gnutls/web-pages/-/merge_requests/10#note_1712174704

https://gitlab.com/gnutls/web-pages/-/merge_requests/11

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/web-pages/-/merge_requests/10#note_1712174704

From gnutls-devel at lists.gnutls.org Wed Jan 3 20:22:16 2024
Date: Wed, 03 Jan 2024 19:22:16 +0000
Subject: [gnutls-devel] GnuTLS | cockpit-certificate-ensure: ../../../lib/x509/common.c:1756: _gnutls_sort_clist: Assertion `k == clist_size' failed. (#1521)

Jean-Luc Duprat commented: https://gitlab.com/gnutls/gnutls/-/issues/1521#note_1713059207

A, B, and C are self-signed and not public.

KeyRootA_SignedB is the key from A signed by B (cross-signed).

A,B, and C are not in the trust store of the cockpit host, but it is serving these certs and not validating them so I don't expect this would matter.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1521#note_1713059207

From gnutls-devel at lists.gnutls.org Thu Jan 4 06:30:59 2024
Date: Thu, 04 Jan 2024 05:30:59 +0000
Subject: [gnutls-devel] GnuTLS | cockpit-certificate-ensure: ../../../lib/x509/common.c:1756: _gnutls_sort_clist: Assertion `k == clist_size' failed. (#1521)

Daiki Ueno commented on a discussion: https://gitlab.com/gnutls/gnutls/-/issues/1521#note_1713449674

> KeyRootA_SignedB is the key from A signed by B (cross-signed).

By "key" do you mean an X.509 private key? From the GnuTLS API point of view, it is not supported to mix certificates and keys in a single certificate chain, unless Cockpit is doing a special treatment for that.

> A,B, and C are not in the trust store of the cockpit host, but it is serving these certs and not validating them so I don't expect this would matter.

I'm not familiar with Cockpit, but as this issue is about validating a certificate chain with `cockpit-certificate-ensure`, I guess you would need to tell the tool that any of those root certificates are trusted? @martinpitt would you be able to shed some light on this?

In any case, it would be helpful if you could create a similar certificate chain that could reproduce the issue.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1521#note_1713449674

From gnutls-devel at lists.gnutls.org Thu Jan 4 08:12:28 2024
Date: Thu, 04 Jan 2024 07:12:28 +0000
Subject: [gnutls-devel] GnuTLS | cockpit-certificate-ensure: ../../../lib/x509/common.c:1756: _gnutls_sort_clist: Assertion `k == clist_size' failed.
 (#1521)

Martin Pitt commented on a discussion: https://gitlab.com/gnutls/gnutls/-/issues/1521#note_1713509108

I confirm that this is only about *validating* a user-provided certificate. It would probably be best if @jlduprat could create a fresh one for reproducing and attach it here?

The validation happens in https://github.com/cockpit-project/cockpit/blob/main/src/tls/cockpit-certificate-ensure.c . Much of the code is unrelated to the problem, it's for finding the PEM/key files, picking apart a merged cert+key file (deprecated), and calling cockpit-certificate-helper in case there is no certificate. The main functionality for `--check` is [here](https://github.com/cockpit-project/cockpit/blob/main/src/tls/cockpit-certificate-ensure.c#L329), where it loads the certificate with `gnutls_certificate_set_x509_key_mem()`, and then calls `gnutls_certificate_get_x509_crt()` and `gnutls_x509_crt_get_expiration_time()` to check for expiration. I suppose one of these places throws the assertion.

> you would need to tell the tool that any of those root certificates are trusted

That doesn't/shouldn't happen via a CLI argument, but by putting the CAs into the usual /etc/pki (Fedora/RHEL) or /etc/ssl (Debian) system-wide trust anchor directories.

But this bug report is about the assertion, so we mostly need a good back trace and a standalone reproducer. I'm happy to massage cockpit-certificate-ensure.c into a standalone file which doesn't need any other files from the cockpit tree, once we get the cert files which reproduce this. Alternatively, @jlduprat are you comfortable with installing debug symbols and running `gdb` to generate a back trace yourself?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1521#note_1713509108

From gnutls-devel at lists.gnutls.org Thu Jan 4 08:14:22 2024
Date: Thu, 04 Jan 2024 07:14:22 +0000
Subject: [gnutls-devel] web-pages | Update PGP release keyring (!11)

Merge request !11 was approved by Daiki Ueno

Merge request URL: https://gitlab.com/gnutls/web-pages/-/merge_requests/11
Project:Branches: ZoltanFridrich/gnutls-web-pages:zfridric_devel to gnutls/web-pages:master
Author: Zoltán Fridrich
Assignee: Zoltán Fridrich
Reviewer: Daiki Ueno

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/web-pages/-/merge_requests/11

From gnutls-devel at lists.gnutls.org Thu Jan 4 08:14:59 2024
Date: Thu, 04 Jan 2024 07:14:59 +0000
Subject: [gnutls-devel] web-pages | Update PGP release keyring (!11)

Merge request !11 was merged

Merge request URL: https://gitlab.com/gnutls/web-pages/-/merge_requests/11
Project:Branches: ZoltanFridrich/gnutls-web-pages:zfridric_devel to gnutls/web-pages:master
Author: Zoltán Fridrich
Assignee: Zoltán Fridrich
Reviewer: Daiki Ueno

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/web-pages/-/merge_requests/11

From gnutls-devel at lists.gnutls.org Thu Jan 4 18:33:32 2024
Date: Thu, 04 Jan 2024 17:33:32 +0000
Subject: [gnutls-devel] GnuTLS | cockpit-certificate-ensure: ../../../lib/x509/common.c:1756: _gnutls_sort_clist: Assertion `k == clist_size' failed. (#1521)

Jean-Luc Duprat commented on a discussion: https://gitlab.com/gnutls/gnutls/-/issues/1521#note_1714482880

> > KeyRootA_SignedB is the key from A signed by B (cross-signed).
> By "key" do you mean an X.509 private key? From the GnuTLS API point of view, it is not supported to mix certificates and keys in a single certificate chain, unless Cockpit is doing a special treatment for that.

I was not clear. KeyRootA_SignedB is the X509 cert that signs the key for RootA by RootB. In other words, the cross-signed certification of A by B.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1521#note_1714482880

From gnutls-devel at lists.gnutls.org Thu Jan 4 18:34:53 2024
Date: Thu, 04 Jan 2024 17:34:53 +0000
Subject: [gnutls-devel] GnuTLS | cockpit-certificate-ensure: ../../../lib/x509/common.c:1756: _gnutls_sort_clist: Assertion `k == clist_size' failed. (#1521)

Jean-Luc Duprat commented on a discussion: https://gitlab.com/gnutls/gnutls/-/issues/1521#note_1714486089

To be clear, I am distributing certs, not a mixture of keys and certs. I will create an equivalent chain of certs that I can share and reflects the issue.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1521#note_1714486089

From gnutls-devel at lists.gnutls.org Fri Jan 5 08:51:34 2024
Date: Fri, 05 Jan 2024 07:51:34 +0000
Subject: [gnutls-devel] GnuTLS | cockpit-certificate-ensure: ../../../lib/x509/common.c:1756: _gnutls_sort_clist: Assertion `k == clist_size' failed. (#1521)

Jean-Luc Duprat commented: https://gitlab.com/gnutls/gnutls/-/issues/1521#note_1715238476

The two attached files demonstrate the problem. They were custom created to repro this issue, no concerns with the key being posted here. On Fedora 39, if dropped in /etc/cockpit/ws-certs.d/ when the following command is run

`$ sudo /usr/libexec/cockpit-certificate-ensure --check`

```
cockpit-certificate-ensure: ../../../lib/x509/common.c:1756: _gnutls_sort_clist: Assertion `k == clist_size' failed.
Aborted
```

[foo.crt](/uploads/9ee814f28f5a5a10e977eec8ae72e2e8/foo.crt)
[foo.key](/uploads/a5b6023c849813bd01860ff9eb37d9f6/foo.key)

The chain described above is contained in foo.crt and should help answer your questions and repro the issue.

I am not sure of the API calls that cockpit-certificate-ensure is making, however they are likely over here: [https://github.com/cockpit-project/cockpit/blob/main/src/tls/cockpit-certificate-ensure.c](https://github.com/cockpit-project/cockpit/blob/main/src/tls/cockpit-certificate-ensure.c)

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1521#note_1715238476

From gnutls-devel at lists.gnutls.org Fri Jan 5 10:07:37 2024
Date: Fri, 05 Jan 2024 09:07:37 +0000
Subject: [gnutls-devel] GnuTLS | cockpit-certificate-ensure: ../../../lib/x509/common.c:1756: _gnutls_sort_clist: Assertion `k == clist_size' failed. (#1521)

Martin Pitt commented: https://gitlab.com/gnutls/gnutls/-/issues/1521#note_1715321386

Thanks @jlduprat ! With these certificates, we don't even need a custom reproducer, this is enough:

```
$ gnutls-serv --x509certfile=foo.crt --x509keyfile=foo.key
gnutls-serv: ../../../lib/x509/common.c:1756: _gnutls_sort_clist: Assertion `k == clist_size' failed.
Aborted (core dumped)
```

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1521#note_1715321386

From gnutls-devel at lists.gnutls.org Fri Jan 12 11:26:21 2024
Date: Fri, 12 Jan 2024 10:26:21 +0000
Subject: [gnutls-devel] GnuTLS | fips: Zeroize temporary values (!1797)

Clemens Lang created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1797

Project:Branches: cllang/gnutls:cllang-fips-zeroization to gnutls/gnutls:master
Author: Clemens Lang

The standard says "temporary value(s) generated during the integrity test of the module's software […] shall be zeroised from the module upon completion of the integrity test". That includes the computed HMAC value, which is currently not zeroized after the test. Add explicit calls to gnutls_memset() to fix that.

Signed-off-by: Clemens Lang

## Checklist
* [x] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [x] Code modified for feature
* [ ] ~Test suite updated with functionality tests~
* [ ] ~Test suite updated with negative tests~
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
* [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:
* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1797

From gnutls-devel at lists.gnutls.org Fri Jan 12 14:34:34 2024
Date: Fri, 12 Jan 2024 13:34:34 +0000
Subject: [gnutls-devel] GnuTLS | fips: Zeroize temporary values (!1797)

Clemens Lang commented: https://gitlab.com/gnutls/gnutls/-/merge_requests/1797#note_1725290300

This should be rebased on top of !1796 once that's merged.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1797#note_1725290300

From gnutls-devel at lists.gnutls.org Fri Jan 12 14:39:18 2024
Date: Fri, 12 Jan 2024 13:39:18 +0000
Subject: [gnutls-devel] GnuTLS | fips: Zeroize temporary values (!1797)

Clemens Lang commented: https://gitlab.com/gnutls/gnutls/-/merge_requests/1797#note_1725298880

None of the other test failures seem to be related to this change.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1797#note_1725298880

From gnutls-devel at lists.gnutls.org Mon Jan 15 01:49:41 2024
Date: Mon, 15 Jan 2024 00:49:41 +0000
Subject: [gnutls-devel] GnuTLS | Draft: .gitlab-ci.yml: switch to using Fedora 39 (!1796)

Daiki Ueno marked merge request !1796 as draft

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1796

From gnutls-devel at lists.gnutls.org Mon Jan 15 01:51:45 2024
Date: Mon, 15 Jan 2024 00:51:45 +0000
Subject: [gnutls-devel] GnuTLS | Assorted CI fixes (!1798)

Daiki Ueno created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1798

Project:Branches: dueno/gnutls:wip/dueno/ci-fixes3 to gnutls/gnutls:master
Author: Daiki Ueno

Split from !1796, this includes the following fixes to pacify the CI failures:

* .gitlab-ci.yml: Adjust to Alpine Linux' clang-format path change
* tests: suppress leaks in libsofthsm2
* tests/pkcs11-tool.sh: skip if neither p11tool nor certool is built
* Update year of copyright notices in doc/gnutls.texi

## Checklist
* [x] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [ ] Code modified for feature
* [ ] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
* [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:
* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1798

From gnutls-devel at lists.gnutls.org Mon Jan 15 05:42:10 2024
Date: Mon, 15 Jan 2024 04:42:10 +0000
Subject: [gnutls-devel] GnuTLS | Assorted CI fixes (!1798)

Daiki Ueno commented: https://gitlab.com/gnutls/gnutls/-/merge_requests/1798#note_1726764785

Merging without approval, as this includes only CI fixes.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1798#note_1726764785

From gnutls-devel at lists.gnutls.org Mon Jan 15 05:42:12 2024
Date: Mon, 15 Jan 2024 04:42:12 +0000
Subject: [gnutls-devel] GnuTLS | Assorted CI fixes (!1798)

Merge request !1798 was merged

Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1798
Project:Branches: dueno/gnutls:wip/dueno/ci-fixes3 to gnutls/gnutls:master
Author: Daiki Ueno

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1798

From gnutls-devel at lists.gnutls.org Mon Jan 15 05:51:54 2024
Date: Mon, 15 Jan 2024 04:51:54 +0000
Subject: [gnutls-devel] GnuTLS | fips: Zeroize temporary values (!1797)

Daiki Ueno commented: https://gitlab.com/gnutls/gnutls/-/merge_requests/1797#note_1726767774

@cllang could you rebase against master? The failures should be fixed now.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1797#note_1726767774

From gnutls-devel at lists.gnutls.org Mon Jan 15 08:27:49 2024
Date: Mon, 15 Jan 2024 07:27:49 +0000
Subject: [gnutls-devel] GnuTLS | fips: Zeroize temporary values (!1797)

Merge request !1797 was approved by Daiki Ueno

Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1797
Project:Branches: cllang/gnutls:cllang-fips-zeroization to gnutls/gnutls:master
Author: Clemens Lang
Assignees:
Reviewers:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1797

From gnutls-devel at lists.gnutls.org Mon Jan 15 10:26:36 2024
Date: Mon, 15 Jan 2024 09:26:36 +0000
Subject: [gnutls-devel] GnuTLS | fips: Zeroize temporary values (!1797)

Clemens Lang commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/1797#note_1727000462

Done

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1797#note_1727000462

From gnutls-devel at lists.gnutls.org Mon Jan 15 12:07:32 2024
Date: Mon, 15 Jan 2024 11:07:32 +0000
Subject: [gnutls-devel] GnuTLS | fips: Zeroize temporary values (!1797)

Milestone changed to Release of GnuTLS 3.8.3 (Oct 23, 2023–Jan 30, 2024) ( https://gitlab.com/gnutls/gnutls/-/milestones/41 )

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1797

From gnutls-devel at lists.gnutls.org Mon Jan 15 12:07:53 2024
Date: Mon, 15 Jan 2024 11:07:53 +0000
Subject: [gnutls-devel] GnuTLS | fips: Zeroize temporary values (!1797)

All discussions on merge request !1797 were resolved by Daiki Ueno

https://gitlab.com/gnutls/gnutls/-/merge_requests/1797

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1797

From gnutls-devel at lists.gnutls.org Mon Jan 15 12:08:01 2024
Date: Mon, 15 Jan 2024 11:08:01 +0000
Subject: [gnutls-devel] GnuTLS | fips: Zeroize temporary values (!1797)

Daiki Ueno commented: https://gitlab.com/gnutls/gnutls/-/merge_requests/1797#note_1727193320

Thank you!

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1797#note_1727193320

From gnutls-devel at lists.gnutls.org Mon Jan 15 12:08:11 2024
Date: Mon, 15 Jan 2024 11:08:11 +0000
Subject: [gnutls-devel] GnuTLS | fips: Zeroize temporary values (!1797)

Merge request !1797 was merged

Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1797
Project:Branches: cllang/gnutls:cllang-fips-zeroization to gnutls/gnutls:master
Author: Clemens Lang

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1797

From gnutls-devel at lists.gnutls.org Tue Jan 16 00:24:34 2024
Date: Mon, 15 Jan 2024 23:24:34 +0000
Subject: [gnutls-devel] GnuTLS | Regression in certtool handling Ed25519 keys from PKCS#11 in 3.8.2 (#1515)

Milestone changed to Release of GnuTLS 3.8.3 (Oct 23, 2023–Jan 30, 2024) ( https://gitlab.com/gnutls/gnutls/-/milestones/41 )

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1515
From gnutls-devel at lists.gnutls.org Tue Jan 16 00:25:30 2024
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Mon, 15 Jan 2024 23:25:30 +0000
Subject: [gnutls-devel] GnuTLS | specify osstatus_error takes in an OSStatus as its first argument (!1794)
In-Reply-To:
References:
Message-ID:

Milestone changed to Release of GnuTLS 3.8.3 (Oct 23, 2023–Jan 30, 2024) ( https://gitlab.com/gnutls/gnutls/-/milestones/41 )

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1794

From gnutls-devel at lists.gnutls.org Tue Jan 16 07:24:34 2024
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Tue, 16 Jan 2024 06:24:34 +0000
Subject: [gnutls-devel] GnuTLS | aarch64/armv8 assembler files not supporting PAC/BTI (#1517)
In-Reply-To:
References:
Message-ID:

Milestone changed to Release of GnuTLS 3.8.4 (Jan 17, 2024–Mar 15, 2024) ( https://gitlab.com/gnutls/gnutls/-/milestones/42 )

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1517
From gnutls-devel at lists.gnutls.org Tue Jan 16 07:24:50 2024
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Tue, 16 Jan 2024 06:24:50 +0000
Subject: [gnutls-devel] GnuTLS | Do not use HMAC-SHA1 for session ticket authentication algorithm (#1482)
In-Reply-To:
References:
Message-ID:

Milestone changed to Release of GnuTLS 3.8.4 (Jan 17, 2024–Mar 15, 2024) ( https://gitlab.com/gnutls/gnutls/-/milestones/42 )

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1482

From gnutls-devel at lists.gnutls.org Tue Jan 16 08:56:43 2024
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Tue, 16 Jan 2024 07:56:43 +0000
Subject: [gnutls-devel] GnuTLS | Release 3.8.3 (!1799)
References:
Message-ID:

Daiki Ueno created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1799

Project:Branches: dueno/gnutls:wip/dueno/release-3.8.3 to gnutls/gnutls:master
Author: Daiki Ueno

## Checklist
* [x] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [ ] Code modified for feature
* [ ] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [x] Documentation updated / NEWS entry present (for non-trivial changes)
* [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:
* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

--
Reply to this email directly or view it on
GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1799

From gnutls-devel at lists.gnutls.org Tue Jan 16 09:45:01 2024
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Tue, 16 Jan 2024 08:45:01 +0000
Subject: [gnutls-devel] GnuTLS | Release 3.8.3 (!1799)
In-Reply-To:
References:
Message-ID:

Zoltán Fridrich commented: https://gitlab.com/gnutls/gnutls/-/merge_requests/1799#note_1728544978

Looks good.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1799#note_1728544978

From gnutls-devel at lists.gnutls.org Tue Jan 16 09:44:45 2024
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Tue, 16 Jan 2024 08:44:45 +0000
Subject: [gnutls-devel] GnuTLS | Release 3.8.3 (!1799)
In-Reply-To:
References:
Message-ID:

Merge request !1799 was approved by Zoltán Fridrich

Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1799
Project:Branches: dueno/gnutls:wip/dueno/release-3.8.3 to gnutls/gnutls:master
Author: Daiki Ueno
Assignees:
Reviewers:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1799
From gnutls-devel at lists.gnutls.org Tue Jan 16 10:10:10 2024
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Tue, 16 Jan 2024 09:10:10 +0000
Subject: [gnutls-devel] GnuTLS | Release 3.8.3 (!1799)
In-Reply-To:
References:
Message-ID:

Merge request !1799 was merged

Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1799
Project:Branches: dueno/gnutls:wip/dueno/release-3.8.3 to gnutls/gnutls:master
Author: Daiki Ueno

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1799

From gnutls-devel at lists.gnutls.org Thu Jan 18 11:44:23 2024
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Thu, 18 Jan 2024 10:44:23 +0000
Subject: [gnutls-devel] GnuTLS | Make compression libraries dynamically loadable (#1424)
In-Reply-To:
References:
Message-ID:

Reassigned Issue 1424

https://gitlab.com/gnutls/gnutls/-/issues/1424

Zoltán Fridrich was added as an assignee.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1424
From gnutls-devel at lists.gnutls.org Thu Jan 18 15:13:57 2024
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Thu, 18 Jan 2024 14:13:57 +0000
Subject: [gnutls-devel] GnuTLS | Certtool error when generating a selfsigned x25519 certificate (#1524)
References:
Message-ID:

Iisakki Jaakkola created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1524

## Description of problem:

Generating a selfsigned certificate with certtool fails with `crt_get_preferred_hash_algorithm: GnuTLS internal error.`

## Version of gnutls used:

3.8.3

## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)

Arch Linux

## How reproducible:

```bash
$ certtool --generate-privkey --key-type=x25519 --outfile test-certificate.key
$ certtool --generate-self-signed --load-privkey test-certificate.key --outfile test-certificate.pem
```

You can just leave the answers to everything but the expiration date empty (it did happen with real data too). Finally after you confirm that everything is ok you will get this response:

```bash
Signing certificate...
crt_get_preferred_hash_algorithm: GnuTLS internal error.
```

No certificate file is produced. Exit code is 1.

_I'm not quite sure whether this generation even should succeed, but surely there should at least be a more informative error._

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1524
From gnutls-devel at lists.gnutls.org Fri Jan 19 11:26:02 2024
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Fri, 19 Jan 2024 10:26:02 +0000
Subject: [gnutls-devel] libtasn1 | Add new test cases that represent usage of libtasn1 (!89)
In-Reply-To:
References:
Message-ID:

Merge request https://gitlab.com/gnutls/libtasn1/-/merge_requests/89 was reviewed by Ahmed Zaki

--
Ahmed Zaki commented on a discussion: https://gitlab.com/gnutls/libtasn1/-/merge_requests/89#note_1733960497

Hi @jas was wondering if there is anything else I can help with to get these tests merged?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/-/merge_requests/89

From gnutls-devel at lists.gnutls.org Fri Jan 19 11:39:19 2024
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Fri, 19 Jan 2024 10:39:19 +0000
Subject: [gnutls-devel] libtasn1 | Add new test cases that represent usage of libtasn1 (!89)
In-Reply-To:
References:
Message-ID:

Simon Josefsson commented on a discussion: https://gitlab.com/gnutls/libtasn1/-/merge_requests/89#note_1733984499

Hi! We don't want generated source-code files in git, either you automate the extraction process but then we still have the licensing issue, contributions should be assigned to FSF and under the libtasn1 license.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/-/merge_requests/89#note_1733984499
From gnutls-devel at lists.gnutls.org Fri Jan 19 15:38:08 2024
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Fri, 19 Jan 2024 14:38:08 +0000
Subject: [gnutls-devel] GnuTLS | Make compression libraries dynamically loadable (!1800)
References:
Message-ID:

Zoltán Fridrich created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1800

Project:Branches: ZoltanFridrich/gnutls:zfridric_devel to gnutls/gnutls:master
Author: Zoltán Fridrich
Assignee: Zoltán Fridrich
Reviewer: Daiki Ueno

Instead of loading all of the compression libraries like zlib, brotli and zstd, the libraries will be dynamically loaded as necessary when calling gnutls_compress_certificate_set_methods and deloaded during gnutls library deinitialization.

Signed-off-by: Zoltan Fridrich

## Checklist
* [ ] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [ ] Code modified for feature
* [ ] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
* [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:
* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1800
From gnutls-devel at lists.gnutls.org Fri Jan 19 15:38:04 2024
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Fri, 19 Jan 2024 14:38:04 +0000
Subject: [gnutls-devel] GnuTLS | Make compression libraries dynamically loadable (!1800)
In-Reply-To:
References:
Message-ID:

Reassigned merge request 1800

https://gitlab.com/gnutls/gnutls/-/merge_requests/1800

Zoltán Fridrich was added as an assignee.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1800

From gnutls-devel at lists.gnutls.org Fri Jan 19 15:38:03 2024
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Fri, 19 Jan 2024 14:38:03 +0000
Subject: [gnutls-devel] GnuTLS | Make compression libraries dynamically loadable (!1800)
In-Reply-To:
References:
Message-ID:

Daiki Ueno was added as a reviewer.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1800
From gnutls-devel at lists.gnutls.org Mon Jan 22 06:16:32 2024
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Mon, 22 Jan 2024 05:16:32 +0000
Subject: [gnutls-devel] GnuTLS | Make compression libraries dynamically loadable (!1800)
In-Reply-To:
References:
Message-ID:

Merge request !1800 was approved by Daiki Ueno

Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1800
Project:Branches: ZoltanFridrich/gnutls:zfridric_devel to gnutls/gnutls:master
Author: Zoltán Fridrich
Assignee: Zoltán Fridrich
Reviewer: Daiki Ueno

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1800

From gnutls-devel at lists.gnutls.org Mon Jan 22 06:16:33 2024
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Mon, 22 Jan 2024 05:16:33 +0000
Subject: [gnutls-devel] GnuTLS | Make compression libraries dynamically loadable (!1800)
In-Reply-To:
References:
Message-ID:

Merge request https://gitlab.com/gnutls/gnutls/-/merge_requests/1800 was reviewed by Daiki Ueno

--
Daiki Ueno started a new discussion on lib/compress.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1800#note_1735603082

> +static void *_zlib_handle; > + > +static uLong (*_gnutls_zlib_compressBound)(uLong sourceLen);

If you use `__typeof__` as in `lib/tpm2_esys.c`, you could ensure that the prototypes actually match the declarations in the header at compile time.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1800
From gnutls-devel at lists.gnutls.org Mon Jan 22 06:16:33 2024
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Mon, 22 Jan 2024 05:16:33 +0000
Subject: [gnutls-devel] GnuTLS | Make compression libraries dynamically loadable (!1800)
In-Reply-To:
References:
Message-ID:

Daiki Ueno commented: https://gitlab.com/gnutls/gnutls/-/merge_requests/1800#note_1735603088

Looks good to me overall.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1800#note_1735603088

From gnutls-devel at lists.gnutls.org Mon Jan 22 10:55:30 2024
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Mon, 22 Jan 2024 09:55:30 +0000
Subject: [gnutls-devel] GnuTLS | Make compression libraries dynamically loadable (!1800)
In-Reply-To:
References:
Message-ID:

Zoltán Fridrich commented on a discussion on lib/compress.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1800#note_1735918405

> #include > #endif > > +#ifdef HAVE_LIBZ > +static void *_zlib_handle; > + > +static uLong (*_gnutls_zlib_compressBound)(uLong sourceLen);

done

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1800#note_1735918405
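Review bot: `_zlib_handle` and `_gnutls_zlib_compressBound` are file-scope statics that stay NULL until the library has been loaded, and nothing in the quoted lines documents that contract. A short comment above the `#ifdef HAVE_LIBZ` block saying that the pointers are valid only after a successful load, that callers must check for that before calling through them, and how concurrent first loads are serialized would make the lazy-loading rules reviewable from this file alone.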
From gnutls-devel at lists.gnutls.org Mon Jan 22 10:55:30 2024
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Mon, 22 Jan 2024 09:55:30 +0000
Subject: [gnutls-devel] GnuTLS | Make compression libraries dynamically loadable (!1800)
In-Reply-To:
References:
Message-ID:

All discussions on merge request !1800 were resolved by Zoltán Fridrich

https://gitlab.com/gnutls/gnutls/-/merge_requests/1800

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1800

From gnutls-devel at lists.gnutls.org Mon Jan 22 12:17:08 2024
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Mon, 22 Jan 2024 11:17:08 +0000
Subject: [gnutls-devel] GnuTLS | Make compression libraries dynamically loadable (!1800)
In-Reply-To:
References:
Message-ID:

Merge request !1800 was set to auto-merge by Zoltán Fridrich

Merge request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1800
Project:Branches: ZoltanFridrich/gnutls:zfridric_devel to gnutls/gnutls:master
Author: Zoltán Fridrich
Assignee: Zoltán Fridrich
Reviewer: Daiki Ueno

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1800
From gnutls-devel at lists.gnutls.org Mon Jan 22 13:12:12 2024
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Mon, 22 Jan 2024 12:12:12 +0000
Subject: [gnutls-devel] GnuTLS | Make compression libraries dynamically loadable (#1424)
In-Reply-To:
References:
Message-ID:

Issue was closed by Zoltán Fridrich via merge request !1800 (https://gitlab.com/gnutls/gnutls/-/merge_requests/1800)

Issue #1424: https://gitlab.com/gnutls/gnutls/-/issues/1424

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1424

From gnutls-devel at lists.gnutls.org Mon Jan 22 13:12:11 2024
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Mon, 22 Jan 2024 12:12:11 +0000
Subject: [gnutls-devel] GnuTLS | Make compression libraries dynamically loadable (!1800)
In-Reply-To:
References:
Message-ID:

Merge request !1800 was merged

Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1800
Project:Branches: ZoltanFridrich/gnutls:zfridric_devel to gnutls/gnutls:master
Author: Zoltán Fridrich
Assignee: Zoltán Fridrich
Reviewer: Daiki Ueno

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1800

From gnutls-devel at lists.gnutls.org Tue Jan 23 03:56:56 2024
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Tue, 23 Jan 2024 02:56:56 +0000
Subject: [gnutls-devel] GnuTLS | ktls: fix kernel version checking using utsname (!1801)
In-Reply-To:
References:
Message-ID:

František Krenželok was added as a reviewer.
--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1801

From gnutls-devel at lists.gnutls.org Tue Jan 23 03:56:48 2024
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Tue, 23 Jan 2024 02:56:48 +0000
Subject: [gnutls-devel] GnuTLS | ktls: fix kernel version checking using utsname (!1801)
References:
Message-ID:

Daiki Ueno created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1801

Project:Branches: dueno/gnutls:wip/dueno/utsname-followup to gnutls/gnutls:master
Author: Daiki Ueno

This fixes an obvious typo in the `utsname.sysname` check.

## Checklist
* [x] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [ ] Code modified for feature
* [ ] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
* [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:
* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1801
From gnutls-devel at lists.gnutls.org Tue Jan 23 09:04:20 2024
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Tue, 23 Jan 2024 08:04:20 +0000
Subject: [gnutls-devel] GnuTLS | ktls: fix kernel version checking using utsname (!1801)
In-Reply-To:
References:
Message-ID:

Merge request !1801 was approved by František Krenželok

Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1801
Project:Branches: dueno/gnutls:wip/dueno/utsname-followup to gnutls/gnutls:master
Author: Daiki Ueno
Assignees:
Reviewer: František Krenželok

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1801

From gnutls-devel at lists.gnutls.org Tue Jan 23 12:35:03 2024
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Tue, 23 Jan 2024 11:35:03 +0000
Subject: [gnutls-devel] GnuTLS | TLS interoperability: test actual compiled master (!1802)
References:
Message-ID:

Stanislav Židek created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1802

Project:Branches: ep69/gnutls:interop-version to gnutls/gnutls:master
Author: Stanislav Židek

We were using wrong GnuTLS version for interop testing :(

* TLS interoperability: test actual compiled master

Previously, system (fedora) version of GnuTLS was used in TLS interoperability tests.
Signed-off-by: Stanislav Zidek

## Checklist
* [x] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [ ] Code modified for feature
* [ ] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
* [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:
* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1802

From gnutls-devel at lists.gnutls.org Tue Jan 23 14:05:40 2024
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Tue, 23 Jan 2024 13:05:40 +0000
Subject: [gnutls-devel] GnuTLS | ktls: fix kernel version checking using utsname (!1801)
In-Reply-To:
References:
Message-ID:

Merge request !1801 was merged

Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1801
Project:Branches: dueno/gnutls:wip/dueno/utsname-followup to gnutls/gnutls:master
Author: Daiki Ueno
Reviewer: František Krenželok

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1801
From gnutls-devel at lists.gnutls.org Tue Jan 23 15:42:10 2024
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Tue, 23 Jan 2024 14:42:10 +0000
Subject: [gnutls-devel] GnuTLS | TLS interoperability: test actual compiled master (!1802)
In-Reply-To:
References:
Message-ID:

Stanislav Židek commented: https://gitlab.com/gnutls/gnutls/-/merge_requests/1802#note_1738485035

@dueno or @ZoltanFridrich could you have a look on this?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1802#note_1738485035

From gnutls-devel at lists.gnutls.org Tue Jan 23 22:44:36 2024
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Tue, 23 Jan 2024 21:44:36 +0000
Subject: [gnutls-devel] GnuTLS | TLS interoperability: test actual compiled master (!1802)
In-Reply-To:
References:
Message-ID:

Daiki Ueno commented: https://gitlab.com/gnutls/gnutls/-/merge_requests/1802#note_1739212720

Wouldn't it be sufficient to adjust `PATH` so the built executables (`./src/gnutls-serv`, etc.) are detected first? They are libtool wrapper [scripts](https://www.gnu.org/software/libtool/manual/html_node/Linking-executables.html#index-program-wrapper-scripts) which ensure that `LD_LIBRARY_PATH` is properly set, for example:

```console
libtool --mode=execute src/gnutls-serv
linux-vdso.so.1 (0x00007ffce99c8000)
libgnutls.so.30 => /home/ueno/devel/gnutls/lib/.libs/libgnutls.so.30 (0x00007f19eb200000)
libm.so.6 => /lib64/libm.so.6 (0x00007f19eb4b4000)
...
```

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1802#note_1739212720
From gnutls-devel at lists.gnutls.org Wed Jan 24 10:46:55 2024
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Wed, 24 Jan 2024 09:46:55 +0000
Subject: [gnutls-devel] GnuTLS | Support reading and writing private keys in PKCS#8 v2 format (#1474)
In-Reply-To:
References:
Message-ID:

n3rdy commented: https://gitlab.com/gnutls/gnutls/-/issues/1474#note_1739822032

Hey @dueno , can I work on this issue? This would be my first contribution. I understand that there's been activity on this issue earlier, but I'm not sure if it's closed.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1474#note_1739822032

From gnutls-devel at lists.gnutls.org Wed Jan 24 11:48:59 2024
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Wed, 24 Jan 2024 10:48:59 +0000
Subject: [gnutls-devel] GnuTLS | TLS interoperability: test actual compiled master (!1802)
In-Reply-To:
References:
Message-ID:

Stanislav Židek commented: https://gitlab.com/gnutls/gnutls/-/merge_requests/1802#note_1739942802

@dueno Could try. I am a bit afraid what `tmt` can mess (with `PATH`) and did not find a good way to find out what gnutls library version is actually being used, so I wanted to make really sure that nothing could go wrong. Do you have any concerns with "my" solution? E.g., wrt. maintainability?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1802#note_1739942802
From gnutls-devel at lists.gnutls.org Wed Jan 24 23:47:36 2024
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Wed, 24 Jan 2024 22:47:36 +0000
Subject: [gnutls-devel] GnuTLS | TLS interoperability: test actual compiled master (!1802)
In-Reply-To:
References:
Message-ID:

Daiki Ueno commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/1802#note_1741109631

My main concern is the increase of CI running time for building and installing from git; while we are granted extra CI time for the Open Source [program](https://about.gitlab.com/solutions/open-source/), I guess we should try to avoid unnecessary use of CI resources as possible.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1802#note_1741109631

From gnutls-devel at lists.gnutls.org Thu Jan 25 09:14:39 2024
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Thu, 25 Jan 2024 08:14:39 +0000
Subject: [gnutls-devel] GnuTLS | Support reading and writing private keys in PKCS#8 v2 format (#1474)
In-Reply-To:
References:
Message-ID:

Daiki Ueno commented: https://gitlab.com/gnutls/gnutls/-/issues/1474#note_1741560354

@aadit-n3rdy I think that's more of a question for @adrian.wijaya as he already opened a draft merge request (!1783).

@adrian.wijaya sorry for not responding early. For decoding you are right; currently only DSA keys would benefit from the v2 format, though there might be more if we support PQC private keys ([example](https://www.ietf.org/archive/id/draft-ietf-lamps-dilithium-certificates-01.html#section-6)).
For encoding, you could add a parameter to [`encode_to_private_key_info`](https://gitlab.com/gnutls/gnutls/-/blob/master/lib/x509/privkey_pkcs8.c?ref_type=heads#L177), though we need to think about how to expose this control through a public API, e.g., gnutls_x509_privkey_export_pkcs8, maybe with a flag.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1474#note_1741560354

From gnutls-devel at lists.gnutls.org Thu Jan 25 11:03:43 2024
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Thu, 25 Jan 2024 10:03:43 +0000
Subject: [gnutls-devel] GnuTLS | TLS interoperability: test actual compiled master (!1802)
In-Reply-To:
References:
Message-ID:

Stanislav Židek commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/1802#note_1741737483

True. What about having less (just one perhaps) Fedora build job that would be configured in a similar way as in spec file?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1802#note_1741737483

From gnutls-devel at lists.gnutls.org Thu Jan 25 11:09:27 2024
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Thu, 25 Jan 2024 10:09:27 +0000
Subject: [gnutls-devel] GnuTLS | Support reading and writing private keys in PKCS#8 v2 format (#1474)
In-Reply-To:
References:
Message-ID:

n3rdy commented: https://gitlab.com/gnutls/gnutls/-/issues/1474#note_1741747402

@adrian.wijaya can I work on this issue, if you aren't working on it anymore?
From gnutls-devel at lists.gnutls.org Thu Jan 25 14:37:54 2024
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Thu, 25 Jan 2024 13:37:54 +0000
Subject: [gnutls-devel] GnuTLS | Support reading and writing private keys in PKCS#8 v2 format (#1474)

Adrian Wijaya commented: https://gitlab.com/gnutls/gnutls/-/issues/1474#note_1742500331

@aadit-n3rdy Sure, you can take over if you want.

From gnutls-devel at lists.gnutls.org Thu Jan 25 16:35:59 2024
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Thu, 25 Jan 2024 15:35:59 +0000
Subject: [gnutls-devel] GnuTLS | Support reading and writing private keys in PKCS#8 v2 format (#1474)

n3rdy commented on a discussion: https://gitlab.com/gnutls/gnutls/-/issues/1474#note_1742800994

Alright, thanks!
From gnutls-devel at lists.gnutls.org Fri Jan 26 08:45:50 2024
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Fri, 26 Jan 2024 07:45:50 +0000
Subject: [gnutls-devel] GnuTLS | TLS interoperability: test actual compiled master (!1802)

Daiki Ueno commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/1802#note_1744439062

Sorry, I might not get it; what do you mean by "configured in a similar way as in spec file"?

Looking at the changes in this MR, the only differences between fedora-minimal and fedora-interop are [crypto-policies](https://gitlab.com/gnutls/gnutls/-/merge_requests/1802/diffs#587d266bb27a4dc3022bbed44dfa19849df3044c_328_345) and install [locations](https://gitlab.com/gnutls/gnutls/-/merge_requests/1802/diffs#587d266bb27a4dc3022bbed44dfa19849df3044c_328_348). The former could be adjusted with GNUTLS_SYSTEM_PRIORITY_FILE and the latter wouldn't be necessary if you use the built executables. Is it really so hard to pass envvars through tmt?

From gnutls-devel at lists.gnutls.org Fri Jan 26 10:29:09 2024
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Fri, 26 Jan 2024 09:29:09 +0000
Subject: [gnutls-devel] GnuTLS | TLS interoperability: test actual compiled master (!1802)

Stanislav Židek commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/1802#note_1744727680

Changes in the spec file are the minimal amount necessary to make tests work, if I looked correctly, most of the configure options are different in Fedora.
I can try the env vars if you like. Could you suggest a way to make sure they were respected and the compiled version was really used?

From gnutls-devel at lists.gnutls.org Sat Jan 27 03:11:32 2024
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sat, 27 Jan 2024 02:11:32 +0000
Subject: [gnutls-devel] GnuTLS | serv: fix memleak when a connected client disappears (!1803)

Daiki Ueno created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1803

Project:Branches: dueno/gnutls:wip/dueno/serv-memleak to gnutls/gnutls:master
Author: Daiki Ueno

* serv: fix memleak when a connected client disappears

  Reported by Hubert Kario.

  Signed-off-by: Daiki Ueno

## Checklist
* [x] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [ ] Code modified for feature
* [ ] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
* [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:
* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code
From gnutls-devel at lists.gnutls.org Sat Jan 27 10:42:56 2024
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sat, 27 Jan 2024 09:42:56 +0000
Subject: [gnutls-devel] GnuTLS | TLS interoperability: test actual compiled master (!1802)

Stanislav Židek commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/1802#note_1746443432

I don't seem to be able to make `GNUTLS_SYSTEM_PRIORITY_FILE` work with `fedora-minimal/build`, it seems to me that `--with-system-priority-file="/etc/crypto-policies/back-ends/gnutls.config""` leads to defining `DISABLE_SYSTEM_CONFIG`. Am I overlooking something?

Shall I modify `fedora-minimal/build` to use `--with-system-priority-file=/etc/crypto-policies/back-ends/gnutls.config`, or is there a better way?

From gnutls-devel at lists.gnutls.org Sun Jan 28 02:54:11 2024
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sun, 28 Jan 2024 01:54:11 +0000
Subject: [gnutls-devel] GnuTLS | Certtool core dump when parsing the file which has certificates more than 16. (#1527)

yixiangzhike yixiangzhike created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1527

Certtool dumps core when it is used to verify a PEM-encoded certificate chain that has more than 16 certificates.

Steps to Reproduce:

`# certtool --infile=/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem -e`

The stack:

```
Reading symbols from certtool...
Reading symbols from /usr/lib/debug//usr/bin/certtool-3.8.0-3.x86_64.debug...
[New LWP 113834]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/usr/lib64/libthread_db.so.1".
Core was generated by `certtool --infile=/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem -e'.
Program terminated with signal SIGABRT, Aborted.
#0 __pthread_kill_implementation (threadid=, signo=signo at entry=6, no_tid=no_tid at entry=0) at pthread_kill.c:44
44 return INTERNAL_SYSCALL_ERROR_P (ret) ? INTERNAL_SYSCALL_ERRNO (ret) : 0;
(gdb) bt
#0 __pthread_kill_implementation (threadid=, signo=signo at entry=6, no_tid=no_tid at entry=0) at pthread_kill.c:44
#1 0x00007fe0c54fdf53 in __pthread_kill_internal (signo=6, threadid=) at pthread_kill.c:78
#2 0x00007fe0c54b1d56 in __GI_raise (sig=sig at entry=6) at ../sysdeps/posix/raise.c:26
#3 0x00007fe0c549d197 in __GI_abort () at abort.c:79
#4 0x00007fe0c54f2037 in __libc_message (action=action at entry=do_abort, fmt=fmt at entry=0x7fe0c562b5d9 "*** %s ***: terminated\n") at ../sysdeps/posix/libc_fatal.c:155
#5 0x00007fe0c558dd3a in __GI___fortify_fail (msg=msg at entry=0x7fe0c562b57f "buffer overflow detected") at fortify_fail.c:26
#6 0x00007fe0c558c656 in __GI___chk_fail () at chk_fail.c:28
#7 0x00007fe0c5c5bebd in memcpy (__len=1160, __src=0x555bd8056110, __dest=0x7ffdcaec35a0) at /usr/include/bits/string_fortified.h:29
#8 gnutls_x509_trust_list_verify_crt2 (list=0x555bd80548d0, cert_list=0x555bd8056110, cert_list_size=145, data=data at entry=0x0, elements=elements at entry=0, flags=4, voutput=0x7ffdcaec3758, func=0x555bd61b2190 ) at verify-high.c:1475
#9 0x00007fe0c5c5cdc5 in gnutls_x509_trust_list_verify_crt (list=, cert_list=, cert_list_size=, flags=, voutput=, func=) at verify-high.c:1337
#10 0x0000555bd61b2dd5 in _verify_x509_mem (cert=0x7fe0c52bc010, cert_size=223196, cinfo=, use_system_trust=, purpose=0x0, hostname=0x0, email=0x0) at certtool.c:2496
#11 0x0000555bd61b771f in verify_certificate (cinfo=) at certtool.c:2584
#12 cmd_parser (argc=, argv=) at certtool.c:1493
#13 0x0000555bd61b084a in main (argc=3, argv=0x7ffdcaec3b88) at certtool.c:131
(gdb) f 8
#8 gnutls_x509_trust_list_verify_crt2 (list=0x555bd80548d0, cert_list=0x555bd8056110, cert_list_size=145, data=data at entry=0x0, elements=elements at entry=0, flags=4, voutput=0x7ffdcaec3758, func=0x555bd61b2190 ) at verify-high.c:1475
1475 **memcpy**(**sorted**, cert_list, **cert_list_size** * sizeof(gnutls_x509_crt_t));
(gdb) p cert_list_size
$1 = **145**
(gdb) ptype **sorted**
type = struct gnutls_x509_crt_int {
    asn1_node cert;
    int use_extensions;
    unsigned int expanded;
    unsigned int modified;
    unsigned int flags;
    struct pin_info_st pin;
    gnutls_datum_t raw_dn;
    gnutls_datum_t raw_issuer_dn;
    gnutls_datum_t raw_spki;
    gnutls_datum_t der;
    gnutls_subject_alt_names_t san;
    gnutls_subject_alt_names_t ian;
    gnutls_x509_dn_st dn;
    gnutls_x509_dn_st idn;
} *[**16**]
(gdb)
```

The check of cert_list_size is missing for function gnutls_x509_trust_list_verify_crt2 in the commit [x509: rework issuer callback ](https://gitlab.com/gnutls/gnutls/-/commit/ebb19db9165fed30d73c83bab1b1b8740c132dfd#354f9842fb374676880f1b9cfcbb4c28abe5b38f_1314_1376).

From gnutls-devel at lists.gnutls.org Mon Jan 29 07:08:51 2024
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Mon, 29 Jan 2024 06:08:51 +0000
Subject: [gnutls-devel] GnuTLS | GnuTLS has incomplete fix for CVE-2023-5981 (#1522)

Rajesh Thota commented: https://gitlab.com/gnutls/gnutls/-/issues/1522#note_1747023981

From the documentation it is not very evident what versions of gnuTLS are impacted. Any help on this would be very useful.
From gnutls-devel at lists.gnutls.org Mon Jan 29 08:41:24 2024
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Mon, 29 Jan 2024 07:41:24 +0000
Subject: [gnutls-devel] GnuTLS | GnuTLS has incomplete fix for CVE-2023-5981 (#1522)

Daiki Ueno commented on a discussion: https://gitlab.com/gnutls/gnutls/-/issues/1522#note_1747096438

The RSA-PSK code hasn't changed much since the initial addition, except the previous fix (#1511). So from 3.2.18 up to 3.8.2 inclusive.
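The overflow reported in issue #1527 above (145 certificate handles copied into the 16-slot `sorted` array), modelled as an added example that is not GnuTLS code and not the project's fix. `cert_t`, the `copy_chain_*` functions and `run_model` are hypothetical names, and the input handles are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_VERIFY_DEPTH 16  /* the report's ptype shows `sorted` as *[16] */
#define SAMPLE_CHAIN_LEN 145 /* cert_list_size in the report */

/* Hypothetical stand-in for gnutls_x509_crt_t, which is also a pointer type. */
struct cert_model { int serial; };
typedef struct cert_model *cert_t;

enum { CHAIN_OK = 0, CHAIN_TOO_LONG = -1, CHAIN_NO_MEMORY = -2, CHAIN_MISMATCH = -3 };

/* The pattern at frame #8: the caller's count alone decides the copy length.
 * In bounds only while count <= MAX_VERIFY_DEPTH. */
static void copy_chain_unchecked(cert_t *sorted, const cert_t *list, size_t count)
{
    memcpy(sorted, list, count * sizeof(cert_t));
}

/* Hardening 1: reject input that cannot fit the fixed-size array. */
static int copy_chain_bounded(cert_t *sorted, const cert_t *list, size_t count)
{
    if (count > MAX_VERIFY_DEPTH)
        return CHAIN_TOO_LONG;
    memcpy(sorted, list, count * sizeof(cert_t));
    return CHAIN_OK;
}

/* Hardening 2: size the working copy from the input. calloc() fails on
 * count * size overflow, so the memcpy length below cannot wrap. */
static int copy_chain_dynamic(cert_t **sorted_out, const cert_t *list, size_t count)
{
    cert_t *copy = calloc(count ? count : 1, sizeof(cert_t));
    if (copy == NULL)
        return CHAIN_NO_MEMORY;
    if (count)
        memcpy(copy, list, count * sizeof(cert_t));
    *sorted_out = copy;
    return CHAIN_OK;
}

/* Builds `count` constructed handles, runs one strategy and checks that the
 * last handle survived the copy. Returns a CHAIN_* status. */
static int run_model(size_t count, int dynamic)
{
    static struct cert_model store[SAMPLE_CHAIN_LEN];
    cert_t list[SAMPLE_CHAIN_LEN];
    cert_t fixed[MAX_VERIFY_DEPTH];
    cert_t *heap = NULL;
    cert_t *copy = fixed;
    size_t i;
    int ret;
    if (count > SAMPLE_CHAIN_LEN)
        return CHAIN_TOO_LONG;
    for (i = 0; i < count; i++)
        list[i] = &store[i];
    ret = dynamic ? copy_chain_dynamic(&heap, list, count)
                  : copy_chain_bounded(fixed, list, count);
    if (dynamic)
        copy = heap;
    if (ret == CHAIN_OK && count > 0 && copy[count - 1] != list[count - 1])
        ret = CHAIN_MISMATCH;
    free(heap);
    return ret;
}

int main(void)
{
    cert_t list[MAX_VERIFY_DEPTH] = { 0 };
    cert_t sorted[MAX_VERIFY_DEPTH];
    copy_chain_unchecked(sorted, list, MAX_VERIFY_DEPTH); /* fits: exactly 16 */
    printf("copy of %d handles needs %zu bytes, array holds %zu\n",
           SAMPLE_CHAIN_LEN, SAMPLE_CHAIN_LEN * sizeof(cert_t), sizeof(sorted));
    printf("bounded, 145 handles: %d\n", run_model(SAMPLE_CHAIN_LEN, 0));
    printf("dynamic, 145 handles: %d\n", run_model(SAMPLE_CHAIN_LEN, 1));
    return 0;
}
```

Which option fits depends on whether long inputs are legitimate: the bundle in the report holds 145 certificates, so a hard limit of 16 turns the crash into an error for that command, while the heap copy accepts it.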
From gnutls-devel at lists.gnutls.org Mon Jan 29 15:00:46 2024
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Mon, 29 Jan 2024 14:00:46 +0000
Subject: [gnutls-devel] GnuTLS | serv: fix memleak when a connected client disappears (!1803)

Hubert Kario (@mention me if you need reply) commented: https://gitlab.com/gnutls/gnutls/-/merge_requests/1803#note_1747717163

Looks good, with the patch:

```
==125397== HEAP SUMMARY:
==125397==     in use at exit: 110,969 bytes in 763 blocks
==125397==   total heap usage: 26,365 allocs, 25,602 frees, 114,356,937 bytes allocated
==125397==
==125397== LEAK SUMMARY:
==125397==    definitely lost: 0 bytes in 0 blocks
==125397==    indirectly lost: 0 bytes in 0 blocks
==125397==      possibly lost: 0 bytes in 0 blocks
==125397==    still reachable: 110,969 bytes in 763 blocks
==125397==         suppressed: 0 bytes in 0 blocks
==125397== Reachable blocks (those to which a pointer was found) are not shown.
==125397== To see them, rerun with: --leak-check=full --show-leak-kinds=all
==125397==
==125397== For lists of detected and suppressed errors, rerun with: -s
==125397== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)
```

Without the patch:

```
==155353== HEAP SUMMARY:
==155353==     in use at exit: 137,033 bytes in 1,125 blocks
==155353==   total heap usage: 26,372 allocs, 25,247 frees, 114,357,441 bytes allocated
==155353==
==155353== 25,920 bytes in 360 blocks are definitely lost in loss record 78 of 79
==155353==    at 0x4849E60: calloc (vg_replace_malloc.c:1595)
==155353==    by 0x411DA8: xcalloc (xmalloc.c:298)
==155353==    by 0x4086C2: tcp_server (serv.c:1640)
==155353==    by 0x406BBB: main (serv.c:1467)
==155353==
==155353== LEAK SUMMARY:
==155353==    definitely lost: 25,920 bytes in 360 blocks
==155353==    indirectly lost: 0 bytes in 0 blocks
==155353==      possibly lost: 0 bytes in 0 blocks
==155353==    still reachable: 111,113 bytes in 765 blocks
==155353==         suppressed: 0 bytes in 0 blocks
==155353== Reachable blocks (those to which a pointer was found) are not shown.
==155353== To see them, rerun with: --leak-check=full --show-leak-kinds=all
==155353==
==155353== For lists of detected and suppressed errors, rerun with: -s
==155353== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
```
From gnutls-devel at lists.gnutls.org Mon Jan 29 15:00:47 2024
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Mon, 29 Jan 2024 14:00:47 +0000
Subject: [gnutls-devel] GnuTLS | serv: fix memleak when a connected client disappears (!1803)

Merge request !1803 was approved by Hubert Kario (@mention me if you need reply)

Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1803
Project:Branches: dueno/gnutls:wip/dueno/serv-memleak to gnutls/gnutls:master
Author: Daiki Ueno
Assignees:
Reviewers:

From gnutls-devel at lists.gnutls.org Mon Jan 29 23:30:17 2024
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Mon, 29 Jan 2024 22:30:17 +0000
Subject: [gnutls-devel] GnuTLS | serv: fix memleak when a connected client disappears (!1803)

Daiki Ueno commented: https://gitlab.com/gnutls/gnutls/-/merge_requests/1803#note_1748444565

Thanks for checking!
From gnutls-devel at lists.gnutls.org Mon Jan 29 23:30:26 2024
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Mon, 29 Jan 2024 22:30:26 +0000
Subject: [gnutls-devel] GnuTLS | serv: fix memleak when a connected client disappears (!1803)

Merge request !1803 was merged

Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1803
Project:Branches: dueno/gnutls:wip/dueno/serv-memleak to gnutls/gnutls:master
Author: Daiki Ueno

From gnutls-devel at lists.gnutls.org Tue Jan 30 11:40:34 2024
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Tue, 30 Jan 2024 10:40:34 +0000
Subject: [gnutls-devel] GnuTLS | TLS interoperability: test actual compiled master (!1802)

Stanislav Židek commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/1802#note_1749165779

@dueno Maybe more important and general question: Do you prefer changing `fedora-minimal/build` (or some other existing build job) so it works for interop tests, or rather have a dedicated build job for interop tests?

Needed changes to `fedora-minimal/build` are:

* `--with-system-priority-file=/etc/crypto-policies/back-ends/gnutls.config`
* remove `--disable-dhe`
* remove `--disable-ecdhe`
* remove `--without-p11-kit`
From gnutls-devel at lists.gnutls.org Tue Jan 30 20:39:37 2024
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Tue, 30 Jan 2024 19:39:37 +0000
Subject: [gnutls-devel] GnuTLS | aarch64/armv8 assembler files not supporting PAC/BTI (#1517)

William Roberts commented: https://gitlab.com/gnutls/gnutls/-/issues/1517#note_1750222644

Is anyone looking at this? I just bumped into the same issue, it looks like we need to back port:

- https://github.com/openssl/openssl/commit/19e277dd19f2897f6a7b7eb236abe46655e575bf

From gnutls-devel at lists.gnutls.org Tue Jan 30 21:38:07 2024
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Tue, 30 Jan 2024 20:38:07 +0000
Subject: [gnutls-devel] GnuTLS | aarch64/armv8 assembler files not supporting PAC/BTI (#1517)

William Roberts commented on a discussion: https://gitlab.com/gnutls/gnutls/-/issues/1517#note_1750291141

So it looks like Russ ported the changes over in openssl commit [19e277dd](https://github.com/openssl/openssl/commit/19e277dd19f2897f6a7b7eb236abe46655e575bf) which is in the current tree of `devel/openssl`.

```bash
devel/openssl$ git show --summary --oneline 19e277dd
19e277dd19 aarch64: support BTI and pointer authentication in assembly
```

It looks like the last time the accelerated assembly was generated was in commit 332959c which occurred Nov 2020 and Russ's patch landed on Aug 28 2021. I guess the question is what magic script does the auto generation.

@ansasaki you were the last one that updated `lib/accelerated/aarch64/elf/aes-aarch64.s`, any pointers?
From gnutls-devel at lists.gnutls.org Tue Jan 30 21:56:30 2024
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Tue, 30 Jan 2024 20:56:30 +0000
Subject: [gnutls-devel] GnuTLS | aarch64/armv8 assembler files not supporting PAC/BTI (#1517)

William Roberts commented on a discussion: https://gitlab.com/gnutls/gnutls/-/issues/1517#note_1750313795

Ahh `make asm-sources`

From gnutls-devel at lists.gnutls.org Tue Jan 30 22:01:11 2024
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Tue, 30 Jan 2024 21:01:11 +0000
Subject: [gnutls-devel] GnuTLS | aarch64/armv8 assembler files not supporting PAC/BTI (#1517)

William Roberts commented on a discussion: https://gitlab.com/gnutls/gnutls/-/issues/1517#note_1750320388

But it doesn't matter, the submodule head is too old and doesn't contain the needed patch. We would need to back port that all the way back to 1_1_1_h :-(