From gnutls-devel at lists.gnutls.org Thu May 2 13:03:35 2024
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Thu, 02 May 2024 11:03:35 +0000
Subject: [gnutls-devel] GnuTLS | Fix configuration with multi-word GMP_LIBS. (!1832)
In-Reply-To:
References:
Message-ID:

Daiki Ueno commented:
https://gitlab.com/gnutls/gnutls/-/merge_requests/1832#note_1889883785

Thanks; this looks good to me!

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1832#note_1889883785
You're receiving this email because of your account on gitlab.com.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From gnutls-devel at lists.gnutls.org Thu May 2 13:03:08 2024
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Thu, 02 May 2024 11:03:08 +0000
Subject: [gnutls-devel] GnuTLS | Fix configuration with multi-word GMP_LIBS. (!1832)
In-Reply-To:
References:
Message-ID:

Merge request !1832 was approved by Daiki Ueno

Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1832
Project:Branches: dg0yt/gnutls:dg0yt-master-patch-98306 to gnutls/gnutls:master
Author: Kai Pastor
Assignees:
Reviewers:

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1832

From gnutls-devel at lists.gnutls.org Thu May 2 13:03:43 2024
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Thu, 02 May 2024 11:03:43 +0000
Subject: [gnutls-devel] GnuTLS | Fix configuration with multi-word GMP_LIBS. (!1832)
In-Reply-To:
References:
Message-ID:

Merge request !1832 was set to auto-merge by Daiki Ueno

Merge request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1832
Project:Branches: dg0yt/gnutls:dg0yt-master-patch-98306 to gnutls/gnutls:master
Author: Kai Pastor
Assignees:
Reviewers:

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1832

From gnutls-devel at lists.gnutls.org Fri May 3 10:22:43 2024
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Fri, 03 May 2024 08:22:43 +0000
Subject: [gnutls-devel] GnuTLS | Fixed DHE params output in gnutls-cli-debug (!1822)
In-Reply-To:
References:
Message-ID:

Merge request https://gitlab.com/gnutls/gnutls/-/merge_requests/1822 was reviewed by Daiki Ueno

--
Daiki Ueno started a new discussion on src/tests.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1822#note_1891402278

> + "could not be accessed.\n");
> + printf("***************************************************************"
> + "**\033[0m\n");

It looks a bit too fancy to me :-) Maybe you could (1) print the log to stderr and (2) use `strerror` to print the cause:

```c
fprintf(stderr, "unable to open file %s: %s\n", dhparams_value, strerror(errno));
```

--
Daiki Ueno started a new discussion on src/tests.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1822#note_1891402291

> + }
> + fclose(fp);
> + } else {

The content of this `else` branch is basically a duplicate of the above `if` branch, except that the output is printed using `printf` instead of `fprintf(fp, ...)`. Maybe you could consolidate them by assigning `fp = stdout` if `--dhparams-out` is not specified?
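
Review bot: the closing `"**\033[0m\n"` in the last `printf` of the first quoted hunk writes an ANSI reset sequence unconditionally, so the escape bytes end up in any file or pipe that captures the output. Gate the colouring on `isatty()` for the stream being written, or drop it together with the banner.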
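
Review bot: `fclose(fp);` in the second quoted hunk discards its return value although the stream was written with `fprintf(fp, ...)`, so a write error that only surfaces when the buffer is flushed leaves a truncated parameters file without any message. Check the result and report the failure on stderr, for instance in the `strerror(errno)` form suggested for the open error.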

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1822

From gnutls-devel at lists.gnutls.org Fri May 3 12:28:09 2024
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Fri, 03 May 2024 10:28:09 +0000
Subject: [gnutls-devel] GnuTLS | Fix configuration with multi-word GMP_LIBS. (!1832)
In-Reply-To:
References:
Message-ID:

Merge request !1832 was merged

Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1832
Project:Branches: dg0yt/gnutls:dg0yt-master-patch-98306 to gnutls/gnutls:master
Author: Kai Pastor

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1832

From gnutls-devel at lists.gnutls.org Mon May 6 00:50:06 2024
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sun, 05 May 2024 22:50:06 +0000
Subject: [gnutls-devel] GnuTLS | build: fix confusions of libtasn1 errors and GnuTLS errors (!1834)
References:
Message-ID:

Daiki Ueno created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1834

Project:Branches: dueno/gnutls:wip/dueno/error-asn1 to gnutls/gnutls:master
Author: Daiki Ueno

* build: fix confusions of libtasn1 errors and GnuTLS errors

  libtasn1 error codes returned from asn1_{read,write}_value are always positive. Check against ASN1_SUCCESS or convert them first with _gnutls_asn2err.

  Signed-off-by: Daiki Ueno

* _gnutls_asn2err: accept ASN1_SUCCESS

  This enables to unconditionally wrap calls to libtasn1 functions which return error codes, like `_gnutls_asn2err(asn1_read_value(...))`.

  Signed-off-by: Daiki Ueno

## Checklist
* [x] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [ ] Code modified for feature
* [ ] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
* [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:
* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1834

From gnutls-devel at lists.gnutls.org Mon May 6 00:57:01 2024
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sun, 05 May 2024 22:57:01 +0000
Subject: [gnutls-devel] GnuTLS | build: fix confusions between libtasn1 and GnuTLS error codes (!1834)
In-Reply-To:
References:
Message-ID:

Reassigned merge request 1834

https://gitlab.com/gnutls/gnutls/-/merge_requests/1834

Daiki Ueno was added as an assignee.

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1834
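
The sign mismatch described in the !1834 commit message, as an added example that is not GnuTLS or libtasn1 code: every `toy_` function and `TOY_` constant is a constructed stand-in (zero or positive status codes for the ASN.1 layer, negative error codes for the caller's layer), and the numeric values are illustrative. It contrasts a `< 0` test on the reader's status with a comparison against the success constant followed by conversion.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins, not the libtasn1 or GnuTLS headers: the ASN.1
 * layer reports 0 for success and POSITIVE codes for errors, while the
 * calling layer reports errors as NEGATIVE codes. */
enum { TOY_ASN1_SUCCESS = 0, TOY_ASN1_ELEMENT_NOT_FOUND = 2, TOY_ASN1_MEM_ERROR = 12 };
enum { TOY_E_ASN1_ELEMENT_NOT_FOUND = -67, TOY_E_ASN1_BUFFER = -69, TOY_E_ASN1_GENERIC = -71 };

/* Hypothetical reader standing in for an asn1_read_value() call: the only
 * element in this constructed document is a 2-byte big-endian value 32. */
static int toy_asn1_read_value(const char *name, unsigned char *buf, int *len)
{
    static const unsigned char key_length[2] = { 0x00, 0x20 };

    if (strcmp(name, "keyLength") != 0)
        return TOY_ASN1_ELEMENT_NOT_FOUND;
    if (*len < (int)sizeof(key_length)) {
        *len = (int)sizeof(key_length); /* report the size needed */
        return TOY_ASN1_MEM_ERROR;
    }
    memcpy(buf, key_length, sizeof(key_length));
    *len = (int)sizeof(key_length);
    return TOY_ASN1_SUCCESS;
}

/* Stand-in for the conversion step: positive ASN.1 code to negative code. */
static int toy_asn2err(int asn_err)
{
    switch (asn_err) {
    case TOY_ASN1_ELEMENT_NOT_FOUND: return TOY_E_ASN1_ELEMENT_NOT_FOUND;
    case TOY_ASN1_MEM_ERROR:         return TOY_E_ASN1_BUFFER;
    default:                         return TOY_E_ASN1_GENERIC;
    }
}

static unsigned decode_be(const unsigned char *buf, int len)
{
    unsigned v = 0;
    for (int i = 0; i < len; i++)
        v = (v << 8) | buf[i];
    return v;
}

/* BEFORE: tests the ASN.1 status with "< 0". A positive error code passes
 * that test, so the caller is told 0 (success) and receives a value decoded
 * from a buffer the reader never filled. */
int read_size_confused(const char *name, int buf_len, unsigned *out)
{
    unsigned char buf[4] = { 0 };
    int len = buf_len > 4 ? 4 : buf_len;
    int ret = toy_asn1_read_value(name, buf, &len);

    if (ret < 0)
        return ret;
    *out = decode_be(buf, len);
    return 0;
}

/* AFTER: compares against the success constant and converts before
 * returning, so callers only ever see 0 or a negative code and *out is
 * written only on success. */
int read_size_checked(const char *name, int buf_len, unsigned *out)
{
    unsigned char buf[4] = { 0 };
    int len = buf_len > 4 ? 4 : buf_len;
    int ret = toy_asn1_read_value(name, buf, &len);

    if (ret != TOY_ASN1_SUCCESS)
        return toy_asn2err(ret);
    *out = decode_be(buf, len);
    return 0;
}

int main(void)
{
    unsigned v = 0;
    int ret;

    ret = read_size_confused("noSuchElement", 4, &v);
    printf("confused, missing element: ret=%d value=%u\n", ret, v);
    ret = read_size_checked("noSuchElement", 4, &v);
    printf("checked,  missing element: ret=%d\n", ret);
    ret = read_size_checked("keyLength", 4, &v);
    printf("checked,  present element: ret=%d value=%u\n", ret, v);
    return 0;
}
```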

From gnutls-devel at lists.gnutls.org Mon May 6 00:57:18 2024
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sun, 05 May 2024 22:57:18 +0000
Subject: [gnutls-devel] GnuTLS | build: fix confusions between libtasn1 and GnuTLS error codes (!1834)
In-Reply-To:
References:
Message-ID:

Zoltán Fridrich was added as a reviewer.

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1834

From gnutls-devel at lists.gnutls.org Mon May 6 10:20:31 2024
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Mon, 06 May 2024 08:20:31 +0000
Subject: [gnutls-devel] GnuTLS | Support PBMAC1 usage in PKCS#12 (!1833)
In-Reply-To:
References:
Message-ID:

Daiki Ueno commented:
https://gitlab.com/gnutls/gnutls/-/merge_requests/1833#note_1893428498

@tomato42 @ZoltanFridrich @asosedkin Any further comments on this?

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1833#note_1893428498

From gnutls-devel at lists.gnutls.org Mon May 6 10:53:03 2024
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Mon, 06 May 2024 08:53:03 +0000
Subject: [gnutls-devel] GnuTLS | build: fix confusions between libtasn1 and GnuTLS error codes (!1834)
In-Reply-To:
References:
Message-ID:

Daiki Ueno commented:
https://gitlab.com/gnutls/gnutls/-/merge_requests/1834#note_1893512734

It turned out we can't simply generalize `_gnutls_asn2err` to accept `ASN1_E_SUCCESS`, as some code paths actually treat it as an error(!), where `ASN1_E_MEM_ERROR` is expected.

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1834#note_1893512734

From gnutls-devel at lists.gnutls.org Mon May 6 11:03:26 2024
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Mon, 06 May 2024 09:03:26 +0000
Subject: [gnutls-devel] GnuTLS | Support PBMAC1 usage in PKCS#12 (!1833)
In-Reply-To:
References:
Message-ID:

Alexander Sosedkin started a new discussion on lib/x509/pkcs7-crypt.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1833#note_1893532829

> ¶ms->key_size);
> if (result < 0) {
> params->key_size = 0;
> + } else {
> + params->key_size_present = true;
> }
>
> - if (params->key_size > MAX_CIPHER_KEY_SIZE) {

(non-blocking) why wasn't it a problem before?

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1833#note_1893532829
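
Review bot: with `- if (params->key_size > MAX_CIPHER_KEY_SIZE) {` removed, the quoted lines show no remaining upper bound on `params->key_size`, which is filled in by the call just above. If a bound sized for MAC keys replaces it elsewhere in the patch, it would be easier to audit next to this read. Separately, `if (result < 0)` records every failure as "length absent" (`key_size = 0`, `key_size_present` left unset), so a decoding error cannot be told apart from an omitted field.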

From gnutls-devel at lists.gnutls.org Mon May 6 11:04:07 2024
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Mon, 06 May 2024 09:04:07 +0000
Subject: [gnutls-devel] GnuTLS | Support PBMAC1 usage in PKCS#12 (!1833)
In-Reply-To:
References:
Message-ID:

Alexander Sosedkin commented:
https://gitlab.com/gnutls/gnutls/-/merge_requests/1833#note_1893534526

Basically no comments from my side except that the diff is very hard to review. Maybe moving at least the no-op refactoring into separate commits would've made it more review-friendly. But I found almost nothing suspicious in ~20 minutes of reading, so here's that.

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1833#note_1893534526

From gnutls-devel at lists.gnutls.org Mon May 6 11:16:50 2024
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Mon, 06 May 2024 09:16:50 +0000
Subject: [gnutls-devel] GnuTLS | Support PBMAC1 usage in PKCS#12 (!1833)
In-Reply-To:
References:
Message-ID:

Hubert Kario (@mention me if you need reply) commented:
https://gitlab.com/gnutls/gnutls/-/merge_requests/1833#note_1893563829

Oh, I didn't notice that the no length example from the I-D was actually accepted, not unused in the test coverage... Yeah, we really needed to fix that. And speaking of that, do we have any sanity checks on the length of the key generated by the KDF? Section 9. Security Considerations recommends to reject any that are shorter than 20 bytes...

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1833#note_1893563829

From gnutls-devel at lists.gnutls.org Wed May 8 09:58:10 2024
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Wed, 08 May 2024 07:58:10 +0000
Subject: [gnutls-devel] GnuTLS | Draft: DTLS1_3-client (!1667)
In-Reply-To:
References:
Message-ID:

All discussions on merge request !1667 were resolved by František Krenželok

https://gitlab.com/gnutls/gnutls/-/merge_requests/1667

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1667

From gnutls-devel at lists.gnutls.org Thu May 9 15:43:56 2024
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Thu, 09 May 2024 13:43:56 +0000
Subject: [gnutls-devel] GnuTLS | build: fix confusions between libtasn1 and GnuTLS error codes (!1834)
In-Reply-To:
References:
Message-ID:

Zoltán Fridrich commented:
https://gitlab.com/gnutls/gnutls/-/merge_requests/1834#note_1899288452

Looks good.

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1834#note_1899288452

From gnutls-devel at lists.gnutls.org Thu May 9 15:43:41 2024
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Thu, 09 May 2024 13:43:41 +0000
Subject: [gnutls-devel] GnuTLS | build: fix confusions between libtasn1 and GnuTLS error codes (!1834)
In-Reply-To:
References:
Message-ID:

Merge request !1834 was approved by Zoltán Fridrich

Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1834
Project:Branches: dueno/gnutls:wip/dueno/error-asn1 to gnutls/gnutls:master
Author: Daiki Ueno
Assignee: Daiki Ueno
Reviewer: Zoltán Fridrich

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1834

From gnutls-devel at lists.gnutls.org Thu May 9 15:53:37 2024
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Thu, 09 May 2024 13:53:37 +0000
Subject: [gnutls-devel] GnuTLS | build: fix confusions between libtasn1 and GnuTLS error codes (!1834)
In-Reply-To:
References:
Message-ID:

Merge request !1834 was merged

Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1834
Project:Branches: dueno/gnutls:wip/dueno/error-asn1 to gnutls/gnutls:master
Author: Daiki Ueno
Assignee: Daiki Ueno
Reviewer: Zoltán Fridrich

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1834

From gnutls-devel at lists.gnutls.org Thu May 9 15:53:35 2024
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Thu, 09 May 2024 13:53:35 +0000
Subject: [gnutls-devel] GnuTLS | build: fix confusions between libtasn1 and GnuTLS error codes (!1834)
In-Reply-To:
References:
Message-ID:

Daiki Ueno commented:
https://gitlab.com/gnutls/gnutls/-/merge_requests/1834#note_1899305960

Thanks for the review.

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1834#note_1899305960

From gnutls-devel at lists.gnutls.org Thu May 9 16:32:41 2024
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Thu, 09 May 2024 14:32:41 +0000
Subject: [gnutls-devel] GnuTLS | .gitlab-ci.yml: use correct tag for GitLab 1.70 deployment (!1835)
References:
Message-ID:

Daiki Ueno created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1835

Project:Branches: dueno/gnutls:wip/dueno/ci-gitlab-tag-change to gnutls/gnutls:master
Author: Daiki Ueno

* .gitlab-ci.yml: use correct tag for GitLab 1.70 deployment

  The "shared", "linux", and "docker" tags we use to select shared CI runners are consolidated into "saas-linux-small-amd64" in GitLab 1.70:
  https://docs.gitlab.com/ee/update/deprecations.html#removal-of-tags-from-small-saas-runners-on-linux

  Signed-off-by: Daiki Ueno

## Checklist
* [x] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [ ] Code modified for feature
* [ ] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
* [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:
* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1835

From gnutls-devel at lists.gnutls.org Fri May 10 12:17:46 2024
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Fri, 10 May 2024 10:17:46 +0000
Subject: [gnutls-devel] GnuTLS | .gitlab-ci.yml: use correct tag for GitLab 1.70 deployment (!1835)
In-Reply-To:
References:
Message-ID:

Daiki Ueno commented:
https://gitlab.com/gnutls/gnutls/-/merge_requests/1835#note_1900403057

Merging this without approval, as this is only about the CI.

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1835#note_1900403057

From gnutls-devel at lists.gnutls.org Fri May 10 12:17:50 2024
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Fri, 10 May 2024 10:17:50 +0000
Subject: [gnutls-devel] GnuTLS | .gitlab-ci.yml: use correct tag for GitLab 1.70 deployment (!1835)
In-Reply-To:
References:
Message-ID:

Merge request !1835 was set to auto-merge by Daiki Ueno

Merge request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1835
Project:Branches: dueno/gnutls:wip/dueno/ci-gitlab-tag-change to gnutls/gnutls:master
Author: Daiki Ueno
Assignees:
Reviewers:

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1835

From gnutls-devel at lists.gnutls.org Fri May 10 12:19:03 2024
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Fri, 10 May 2024 10:19:03 +0000
Subject: [gnutls-devel] GnuTLS | .gitlab-ci.yml: use correct tag for GitLab 1.70 deployment (!1835)
In-Reply-To:
References:
Message-ID:

Merge request !1835 was merged

Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1835
Project:Branches: dueno/gnutls:wip/dueno/ci-gitlab-tag-change to gnutls/gnutls:master
Author: Daiki Ueno

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1835

From gnutls-devel at lists.gnutls.org Sat May 11 20:25:40 2024
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sat, 11 May 2024 18:25:40 +0000
Subject: [gnutls-devel] libtasn1 | Fixes for gtkdocize and gcc/clang. (!100)
References:
Message-ID:

Simon Josefsson created a merge request: https://gitlab.com/gnutls/libtasn1/-/merge_requests/100

Project:Branches: jas/libtasn1:wip to gnutls/libtasn1:master
Author: Simon Josefsson

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/-/merge_requests/100

From gnutls-devel at lists.gnutls.org Sat May 11 21:05:06 2024
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sat, 11 May 2024 19:05:06 +0000
Subject: [gnutls-devel] libtasn1 | Fixes for gtkdocize and gcc/clang. (!100)
In-Reply-To:
References:
Message-ID:

Merge request !100 was merged

Merge request URL: https://gitlab.com/gnutls/libtasn1/-/merge_requests/100
Project:Branches: jas/libtasn1:wip to gnutls/libtasn1:master
Author: Simon Josefsson

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/-/merge_requests/100

From gnutls-devel at lists.gnutls.org Sun May 12 02:49:22 2024
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sun, 12 May 2024 00:49:22 +0000
Subject: [gnutls-devel] GnuTLS | Consider removing bundled AArch64 acceleration (#1549)
References:
Message-ID:

Daiki Ueno created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1549

Prompted by !1804 I tried to run `gnutls-cli` on Raspberry Pi 5 ([BCM2712](https://www.raspberrypi.com/documentation/computers/processors.html#bcm2712)) with and without `GNUTLS_CPUID_OVERRIDE=0x1` (i.e., all crypto operations are delegated to Nettle).

Using the current Nettle master branch, here are the results for the algorithms with AArch64 acceleration:

- AES-128-GCM: Nettle implementation is twice faster (1)
- AES-192-GCM: Not tested
- AES-256-GCM: Not tested
- AES-128-CCM: Comparable
- AES-192-CCM: Not tested
- AES-256-CCM: Not tested
- AES-128-CBC: Bundled implementation is twice faster (2)
- AES-192-CBC: Not tested
- AES-256-CBC: Not tested
- HMAC-SHA1: Comparable
- HMAC-SHA256: Comparable
- HMAC-SHA512: Comparable

(1) is a bit surprising as `nettle-benchmark` included in Nettle actually indicates the opposite for encrypt/decrypt operations, while the update operation is indeed faster.

(2) is also interesting as ECB results in `nettle-benchmark` are comparable with OpenSSL.

Overall, I think it's mostly ready to drop AArch64 after a bit closer look at (2).

The more detailed results are below:

With `GNUTLS_CPUID_OVERRIDE=0x1`:

```console
LD_LIBRARY_PATH=$PWD/../nettle/install/lib GNUTLS_CPUID_OVERRIDE=0x1 libtool --mode=execute ./src/gnutls-cli --benchmark-ciphers
Checking AEAD ciphers, payload size: 16384
AES-128-GCM 1.58 GB/sec
AES-128-CCM 0.69 GB/sec
CHACHA20-POLY1305 0.41 GB/sec

Checking cipher-MAC combinations, payload size: 16384
SALSA20-256-SHA1 0.36 GB/sec
AES-128-CBC-SHA1 0.55 GB/sec
AES-128-CBC-SHA256 0.57 GB/sec
GOST28147-TC26Z-CNT-GOST28147-TC26Z-IMIT 31.95 MB/sec

Checking MAC algorithms, payload size: 16384
SHA1 1.32 GB/sec
SHA256 1.47 GB/sec
SHA512 0.38 GB/sec
GOST28147-TC26Z-IMIT 99.20 MB/sec
GOSTR341194 46.45 MB/sec
STREEBOG-512 69.03 MB/sec

Checking ciphers, payload size: 16384
3DES-CBC 19.06 MB/sec
AES-128-CBC 0.91 GB/sec
AES-128-XTS 0.81 GB/sec
AES-256-XTS 0.69 GB/sec
SALSA20-256 0.48 GB/sec
NULL 13.96 GB/sec
GOST28147-TC26Z-CNT 47.01 MB/sec
```

Without `GNUTLS_CPUID_OVERRIDE=0x1`:

```console
LD_LIBRARY_PATH=$PWD/../nettle/install/lib libtool --mode=execute ./src/gnutls-cli --benchmark-ciphers
Checking AEAD ciphers, payload size: 16384
AES-128-GCM 0.75 GB/sec
AES-128-CCM 0.63 GB/sec
CHACHA20-POLY1305 0.41 GB/sec

Checking cipher-MAC combinations, payload size: 16384
SALSA20-256-SHA1 0.37 GB/sec
AES-128-CBC-SHA1 0.83 GB/sec
AES-128-CBC-SHA256 0.85 GB/sec
GOST28147-TC26Z-CNT-GOST28147-TC26Z-IMIT 31.93 MB/sec

Checking MAC algorithms, payload size: 16384
SHA1 1.43 GB/sec
SHA256 1.48 GB/sec
SHA512 0.38 GB/sec
GOST28147-TC26Z-IMIT 99.20 MB/sec
GOSTR341194 46.46 MB/sec
STREEBOG-512 68.80 MB/sec

Checking ciphers, payload size: 16384
3DES-CBC 19.05 MB/sec
AES-128-CBC 1.91 GB/sec
AES-128-XTS 0.80 GB/sec
AES-256-XTS 0.69 GB/sec
SALSA20-256 0.49 GB/sec
NULL 13.96 GB/sec
GOST28147-TC26Z-CNT 46.89 MB/sec
```

`nettle-benchmark`:

```console
LD_LIBRARY_PATH=$PWD/.lib examples/nettle-benchmark
Algorithm mode Mbyte/s
memxor aligned 11897.54
memxor unaligned 7149.55
memxor3 aligned 12008.90
memxor3 unaligned01 7565.25
memxor3 unaligned11 7116.17
memxor3 unaligned12 5138.12
md2 update 6.94
md4 update 679.35
md5 update 376.36
openssl md5 update 377.82
sha1 update 1317.35
openssl sha1 update 1407.35
sha224 update 1463.49
sha256 update 1463.49
sha384 update 375.19
sha512 update 376.08
sha512_224 update 375.20
sha512_256 update 376.02
sha3_224 update 217.71
sha3_256 update 209.93
sha3_384 update 156.12
sha3_512 update 108.54
ripemd160 update 269.93
gosthash94 update 45.02
gosthash94cp update 45.02
streebog256 update 74.01
streebog512 update 74.03
sm3 update 215.34
umac32 update 7091.12
umac64 update 2636.61
umac96 update 1884.70
umac128 update 1457.98
cmac-aes128 update 1019.49
poly1305-aes update 925.05
aes128 ECB encrypt 3567.71
aes128 ECB decrypt 3566.64
aes128 CBC encrypt 911.02
aes128 CBC decrypt 2743.49
aes128 (in-place) 2489.08
aes128 CTR 2061.18
aes128 (in-place) 1977.04
aes192 ECB encrypt 2985.42
aes192 ECB decrypt 2984.63
aes192 CBC encrypt 814.95
aes192 CBC decrypt 2385.25
aes192 (in-place) 2188.22
aes192 CTR 1852.44
aes192 (in-place) 1785.40
aes256 ECB encrypt 2566.49
aes256 ECB decrypt 2565.93
aes256 CBC encrypt 748.30
aes256 CBC decrypt 2110.19
aes256 (in-place) 1951.08
aes256 CTR 1680.12
aes256 (in-place) 1630.13
openssl aes128 ECB encrypt 3296.32
openssl aes128 ECB decrypt 3295.94
openssl aes192 ECB encrypt 2808.85
openssl aes192 ECB decrypt 2808.83
openssl aes256 ECB encrypt 2419.09
openssl aes256 ECB decrypt 2419.12
blowfish128 ECB encrypt 109.17
blowfish128 ECB decrypt 113.48
blowfish128 CBC encrypt 73.83
blowfish128 CBC decrypt 112.47
blowfish128 (in-place) 111.62
blowfish128 CTR 100.29
blowfish128 (in-place) 99.48
camellia128 ECB encrypt 115.59
camellia128 ECB decrypt 115.59
camellia128 CBC encrypt 102.06
camellia128 CBC decrypt 114.52
camellia128 (in-place) 113.71
camellia128 CTR 113.13
camellia128 (in-place) 112.52
camellia192 ECB encrypt 86.77
camellia192 ECB decrypt 86.78
camellia192 CBC encrypt 79.32
camellia192 CBC decrypt 86.19
camellia192 (in-place) 85.71
camellia192 CTR 85.28
camellia192 (in-place) 85.00
camellia256 ECB encrypt 86.78
camellia256 ECB decrypt 86.77
camellia256 CBC encrypt 79.32
camellia256 CBC decrypt 86.18
camellia256 (in-place) 85.71
camellia256 CTR 85.29
camellia256 (in-place) 85.01
cast128 ECB encrypt 109.75
cast128 ECB decrypt 110.17
cast128 CBC encrypt 71.62
cast128 CBC decrypt 108.78
cast128 (in-place) 108.14
cast128 CTR 100.80
cast128 (in-place) 100.69
des ECB encrypt 62.84
des ECB decrypt 62.78
des CBC encrypt 51.00
des CBC decrypt 62.46
des (in-place) 62.21
des CTR 59.77
des (in-place) 59.68
des3 ECB encrypt 20.94
des3 ECB decrypt 20.94
des3 CBC encrypt 18.16
des3 CBC decrypt 20.89
des3 (in-place) 20.86
des3 CTR 20.57
des3 (in-place) 20.54
serpent256 ECB encrypt 73.71
serpent256 ECB decrypt 86.51
serpent256 CBC encrypt 65.50
serpent256 CBC decrypt 86.03
serpent256 (in-place) 86.01
serpent256 CTR 72.70
serpent256 (in-place) 72.37
twofish128 ECB encrypt 137.69
twofish128 ECB decrypt 134.44
twofish128 CBC encrypt 125.72
twofish128 CBC decrypt 132.97
twofish128 (in-place) 131.78
twofish128 CTR 133.91
twofish128 (in-place) 133.23
twofish192 ECB encrypt 137.67
twofish192 ECB decrypt 134.44
twofish192 CBC encrypt 125.73
twofish192 CBC decrypt 132.95
twofish192 (in-place) 131.78
twofish192 CTR 133.89
twofish192 (in-place) 133.18
twofish256 ECB encrypt 137.68
twofish256 ECB decrypt 134.45
twofish256 CBC encrypt 125.71
twofish256 CBC decrypt 132.95
twofish256 (in-place) 131.78
twofish256 CTR 133.71
twofish256 (in-place) 133.01
sm4 ECB encrypt 73.29
sm4 ECB decrypt 73.29
sm4 CBC encrypt 66.87
sm4 CBC decrypt 72.87
sm4 (in-place) 72.56
sm4 CTR 72.19
sm4 (in-place) 72.06
arcfour128 encrypt 396.90
arcfour128 decrypt 396.90
salsa20 encrypt 462.02
salsa20 decrypt 465.80
salsa20r12 encrypt 659.52
salsa20r12 decrypt 658.80
chacha encrypt 676.57
chacha decrypt 676.55
cbc_aes128 encrypt 881.78
cbc_aes192 encrypt 830.92
cbc_aes256 encrypt 724.60
gcm_aes128 encrypt 1614.26
gcm_aes128 decrypt 1622.30
gcm_aes128 update 5816.98
gcm_aes192 encrypt 1500.22
gcm_aes192 decrypt 1479.97
gcm_aes192 update 5817.06
gcm_aes256 encrypt 1380.56
gcm_aes256 decrypt 1366.11
gcm_aes256 update 5817.06
openssl gcm_aes128 encrypt 2287.15
openssl gcm_aes128 decrypt 2353.98
openssl gcm_aes128 update 4816.93
openssl gcm_aes192 encrypt 2062.99
openssl gcm_aes192 decrypt 2100.81
openssl gcm_aes192 update 4818.81
openssl gcm_aes256 encrypt 1830.44
openssl gcm_aes256 decrypt 1927.47
openssl gcm_aes256 update 4816.94
gcm_camellia128 encrypt 110.85
gcm_camellia128 decrypt 110.85
gcm_camellia128 update 5818.36
gcm_camellia256 encrypt 84.06
gcm_camellia256 decrypt 84.07
gcm_camellia256 update 5815.41
eax_aes128 encrypt 687.48
eax_aes128 decrypt 686.52
eax_aes128 update 1044.49
chacha_poly1305 encrypt 391.71
chacha_poly1305 decrypt 391.68
chacha_poly1305 update 929.00
ocb_aes128 encrypt 1285.49
ocb_aes128 decrypt 1282.56
ocb_aes128 update 1525.43
hmac-md5 64 bytes 113.14
hmac-md5 256 bytes 237.08
hmac-md5 1024 bytes 327.40
hmac-md5 4096 bytes 360.23
hmac-md5 single msg 370.98
hmac-sha1 64 bytes 312.78
hmac-sha1 256 bytes 730.61
hmac-sha1 1024 bytes 1079.82
hmac-sha1 4096 bytes 1229.92
hmac-sha1 single msg 1283.38
hmac-sha256 64 bytes 301.64
hmac-sha256 256 bytes 744.35
hmac-sha256 1024 bytes 1175.25
hmac-sha256 4096 bytes 1362.03
hmac-sha256 single msg 1429.03
hmac-sha512 64 bytes 79.35
hmac-sha512 256 bytes 171.81
hmac-sha512 1024 bytes 287.39
hmac-sha512 4096 bytes 343.00
hmac-sha512 single msg 363.48
```

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1549

From gnutls-devel at lists.gnutls.org Tue May 14 07:41:08 2024
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Tue, 14 May 2024 05:41:08 +0000
Subject: [gnutls-devel] GnuTLS | Support PBMAC1 usage in PKCS#12 (!1833)
In-Reply-To:
References:
Message-ID:

Daiki Ueno commented on a discussion on lib/x509/pkcs7-crypt.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1833#note_1904050170

> ¶ms->key_size);
> if (result < 0) {
> params->key_size = 0;
> + } else {
> + params->key_size_present = true;
> }
>
> - if (params->key_size > MAX_CIPHER_KEY_SIZE) {

That's because PBKDF2 is previously only used for generating encryption keys, whose maximum length (32) is shorter than the one with MAC keys (64).

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1833#note_1904050170

From gnutls-devel at lists.gnutls.org Tue May 14 07:41:08 2024
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Tue, 14 May 2024 05:41:08 +0000
Subject: [gnutls-devel] GnuTLS | Support PBMAC1 usage in PKCS#12 (!1833)

All discussions on merge request !1833 were resolved by Daiki Ueno

https://gitlab.com/gnutls/gnutls/-/merge_requests/1833

From gnutls-devel at lists.gnutls.org Tue May 14 07:44:08 2024
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Tue, 14 May 2024 05:44:08 +0000
Subject: [gnutls-devel] GnuTLS | Support PBMAC1 usage in PKCS#12 (!1833)

Daiki Ueno commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/1833#note_1904053648

I tried to split the diff into two: gnutls_pkcs12_generate_mac2 is first rewritten using a helper function (generate_mac_pkcs12) and then generalized with PBMAC1 support. Also PBMAC1 functions have been moved from pkcs12.c to pkcs7-crypt.c to avoid mixups.

From gnutls-devel at lists.gnutls.org Tue May 14 07:44:52 2024
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Tue, 14 May 2024 05:44:52 +0000
Subject: [gnutls-devel] GnuTLS | Support PBMAC1 usage in PKCS#12 (!1833)

Daiki Ueno commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/1833#note_1904054914

Added a check for the minimum 20 bytes; we can't test as we don't support such MACs (e.g., MD5) in X.509 at all.

From gnutls-devel at lists.gnutls.org Tue May 14 11:27:06 2024
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Tue, 14 May 2024 09:27:06 +0000
Subject: [gnutls-devel] GnuTLS | Draft: DTLS1_3 (!1667)

František Krenželok marked merge request !1667 as draft

From gnutls-devel at lists.gnutls.org Tue May 14 14:30:45 2024
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Tue, 14 May 2024 12:30:45 +0000
Subject: [gnutls-devel] GnuTLS | Support PBMAC1 usage in PKCS#12 (!1833)

Hubert Kario (@mention me if you need reply) started a new discussion on lib/x509/pkcs7-crypt.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1833#note_1904777723

> + gnutls_assert(); > + goto error; > + } > + > + result = read_pbmac1_auth(pasn, &tmp); > + if (result < 0) { > + gnutls_assert(); > + goto error; > + } > + *mac = result; > + > + /* The keyLength field must present and the minimum is 20 bytes. > + */ > + if (kdf_params->key_size < 20) { > + gnutls_assert(); > + result = GNUTLS_E_ILLEGAL_PARAMETER;

Maybe INSUFFICIENT_SECURITY would be a better match here?

From gnutls-devel at lists.gnutls.org Tue May 14 14:36:09 2024
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Tue, 14 May 2024 12:36:09 +0000
Subject: [gnutls-devel] GnuTLS | Support PBMAC1 usage in PKCS#12 (!1833)

Hubert Kario (@mention me if you need reply) commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/1833#note_1904789658

we don't need a hash with small output to have KDF with small output, those are independent: PBKDF2 can output arbitrary length and the HMAC can accept arbitrary key size...
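The point made in the comment above, as an added example that is not part of the thread and not GnuTLS code: PBKDF2 will derive a key of any requested length and HMAC will accept it, so a verifier has to enforce the keyLength minimum itself. The function names, the exception class, and the password, salt, iteration count and data are assumptions constructed for the example; only the 20-byte minimum comes from the review.

```python
import hashlib
import hmac

# Minimum keyLength discussed in the review thread; the constant name is hypothetical.
MIN_PBMAC1_KEY_LEN = 20

# Constructed sample inputs, not taken from any real PKCS#12 file.
PASSWORD = b"constructed-password"
SALT = bytes(range(16))
ITERATIONS = 2048
DATA = b"constructed authenticated content"


class InsufficientSecurity(ValueError):
    """Raised when keyLength is absent or below the minimum."""


def derive_mac_key(password, salt, iterations, key_length, prf="sha256"):
    """Run PBKDF2 only after the requested output length has been checked."""
    if key_length is None:
        raise InsufficientSecurity("keyLength is absent")
    if key_length < MIN_PBMAC1_KEY_LEN:
        raise InsufficientSecurity(
            f"keyLength {key_length} is below {MIN_PBMAC1_KEY_LEN} bytes")
    return hashlib.pbkdf2_hmac(prf, password, salt, iterations, dklen=key_length)


def pbmac1_tag(password, salt, iterations, key_length, data,
               prf="sha256", mac="sha256"):
    """PBMAC1-style tag: HMAC over data, keyed with the PBKDF2 output."""
    key = derive_mac_key(password, salt, iterations, key_length, prf)
    return hmac.new(key, data, mac).digest()


def pbmac1_verify(password, salt, iterations, key_length, data, tag,
                  prf="sha256", mac="sha256"):
    """Constant-time comparison of the recomputed tag with the stored one."""
    expected = pbmac1_tag(password, salt, iterations, key_length, data, prf, mac)
    return hmac.compare_digest(expected, tag)


def unchecked_lengths(key_length, prf="sha256", mac="sha256"):
    """Without a length check: returns (derived key bytes, tag bytes)."""
    key = hashlib.pbkdf2_hmac(prf, PASSWORD, SALT, ITERATIONS, dklen=key_length)
    return len(key), len(hmac.new(key, DATA, mac).digest())


if __name__ == "__main__":
    # A 19-byte key still yields a full-size SHA-256 tag: nothing fails by itself.
    print("unchecked, keyLength=19:", unchecked_lengths(19))
    # The KDF output may also be longer than the PRF's digest (SHA-1 gives 20 bytes).
    print("unchecked, keyLength=64 with sha1 PRF:",
          unchecked_lengths(64, prf="sha1", mac="sha512"))
    for length in (None, 19, 20):
        try:
            tag = pbmac1_tag(PASSWORD, SALT, ITERATIONS, length, DATA)
            print("keyLength", length, "accepted, tag bytes:", len(tag))
        except InsufficientSecurity as exc:
            print("keyLength", length, "rejected:", exc)
```
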

From gnutls-devel at lists.gnutls.org Tue May 14 15:17:03 2024
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Tue, 14 May 2024 13:17:03 +0000
Subject: [gnutls-devel] GnuTLS | Support PBMAC1 usage in PKCS#12 (!1833)

Merge request !1833 was approved by Zoltán Fridrich

Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1833
Project:Branches: dueno/gnutls:wip/dueno/pkcs12-pbmac1 to gnutls/gnutls:master
Author: Daiki Ueno
Assignee: Daiki Ueno
Reviewers: Hubert Kario (@mention me if you need reply), Alexander Sosedkin, and Zoltán Fridrich

From gnutls-devel at lists.gnutls.org Tue May 14 15:17:56 2024
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Tue, 14 May 2024 13:17:56 +0000
Subject: [gnutls-devel] GnuTLS | Support PBMAC1 usage in PKCS#12 (!1833)

Zoltán Fridrich commented: https://gitlab.com/gnutls/gnutls/-/merge_requests/1833#note_1904876441

No issues found by me. The change looks nice.

From gnutls-devel at lists.gnutls.org Tue May 14 15:28:15 2024
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Tue, 14 May 2024 13:28:15 +0000
Subject: [gnutls-devel] GnuTLS | Support PBMAC1 usage in PKCS#12 (!1833)

Daiki Ueno commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/1833#note_1904898400

OK, I was able to create a test [file](https://gitlab.com/gnutls/gnutls/-/raw/5bdc684071a8c4a3559fdef11e53e1bf5b5cc0e1/tests/cert-tests/data/pbmac1_256_256.short-len.p12) with keyLength = 19, which properly exercises the condition.

From gnutls-devel at lists.gnutls.org Tue May 14 15:28:53 2024
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Tue, 14 May 2024 13:28:53 +0000
Subject: [gnutls-devel] GnuTLS | Support PBMAC1 usage in PKCS#12 (!1833)

Daiki Ueno commented on a discussion on lib/x509/pkcs7-crypt.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1833#note_1904899664

> + gnutls_assert(); > + goto error; > + } > + > + result = read_pbmac1_auth(pasn, &tmp); > + if (result < 0) { > + gnutls_assert(); > + goto error; > + } > + *mac = result; > + > + /* The keyLength field must present and the minimum is 20 bytes. > + */ > + if (kdf_params->key_size < 20) { > + gnutls_assert(); > + result = GNUTLS_E_ILLEGAL_PARAMETER;

Done.
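Review bot: the bound in `if (kdf_params->key_size < 20)` is a bare literal, and the comment above it reads "must present" where "must be present" is meant. Suggest a named constant for the 20-byte minimum and, since the earlier quoted hunk in this merge request adds `params->key_size_present`, testing that flag explicitly rather than relying on an absent keyLength leaving `key_size` at 0.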

From gnutls-devel at lists.gnutls.org Tue May 14 15:29:12 2024
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Tue, 14 May 2024 13:29:12 +0000
Subject: [gnutls-devel] GnuTLS | Support PBMAC1 usage in PKCS#12 (!1833)

Daiki Ueno commented: https://gitlab.com/gnutls/gnutls/-/merge_requests/1833#note_1904900258

Thank you for the reviews and suggestions!

From gnutls-devel at lists.gnutls.org Tue May 14 15:29:18 2024
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Tue, 14 May 2024 13:29:18 +0000
Subject: [gnutls-devel] GnuTLS | Support PBMAC1 usage in PKCS#12 (!1833)

Merge request !1833 was set to auto-merge by Daiki Ueno

Merge request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1833
Project:Branches: dueno/gnutls:wip/dueno/pkcs12-pbmac1 to gnutls/gnutls:master
Author: Daiki Ueno
Assignee: Daiki Ueno
Reviewers: Hubert Kario (@mention me if you need reply), Alexander Sosedkin, and Zoltán Fridrich

From gnutls-devel at lists.gnutls.org Tue May 14 15:28:53 2024
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Tue, 14 May 2024 13:28:53 +0000
Subject: [gnutls-devel] GnuTLS | Support PBMAC1 usage in PKCS#12 (!1833)

All discussions on merge request !1833 were resolved by Daiki Ueno

https://gitlab.com/gnutls/gnutls/-/merge_requests/1833

From gnutls-devel at lists.gnutls.org Tue May 14 17:01:31 2024
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Tue, 14 May 2024 15:01:31 +0000
Subject: [gnutls-devel] GnuTLS | Support PBMAC1 usage in PKCS#12 (!1833)

Merge request !1833 was merged

Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1833
Project:Branches: dueno/gnutls:wip/dueno/pkcs12-pbmac1 to gnutls/gnutls:master
Author: Daiki Ueno
Assignee: Daiki Ueno
Reviewers: Hubert Kario (@mention me if you need reply), Alexander Sosedkin, and Zoltán Fridrich

From gnutls-devel at lists.gnutls.org Wed May 15 04:45:22 2024
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Wed, 15 May 2024 02:45:22 +0000
Subject: [gnutls-devel] GnuTLS | nettle: utilize nettle_cbc_aes*_encrypt for performance (!1836)

Daiki Ueno created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1836

Project:Branches: dueno/gnutls:wip/dueno/nettle-aes-cbc to gnutls/gnutls:master
Author: Daiki Ueno

* nettle: utilize nettle_cbc_aes*_encrypt for performance

While CBC encryption is inherently slow for lack of parallelism, Nettle >= 3.8 provides specialized AES-CBC encryption functions to improve performance by avoiding multiple calls to block cipher initialization. This patch makes GnuTLS use those functions if available.

Here are the results of benchmark:

* GNUTLS_CPUID_OVERRIDE=0x1, without nettle_cbc_aes*_encrypt:

```
Checking cipher-MAC combinations, payload size: 16384
AES-128-CBC-SHA1 0.90 GB/sec
AES-128-CBC-SHA256 0.88 GB/sec

Checking ciphers, payload size: 16384
AES-128-CBC 1.56 GB/sec
```

* GNUTLS_CPUID_OVERRIDE=0x1, with nettle_cbc_aes*_encrypt:

```
Checking cipher-MAC combinations, payload size: 16384
AES-128-CBC-SHA1 1.08 GB/sec
AES-128-CBC-SHA256 1.05 GB/sec

Checking ciphers, payload size: 16384
AES-128-CBC 2.16 GB/sec
```

* GNUTLS_CPUID_OVERRIDE unset:

```
Checking cipher-MAC combinations, payload size: 16384
AES-128-CBC-SHA1 1.13 GB/sec
AES-128-CBC-SHA256 1.05 GB/sec

Checking ciphers, payload size: 16384
AES-128-CBC 2.24 GB/sec
```

## Checklist

* [x] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [ ] Code modified for feature
* [ ] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
* [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:

* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

From gnutls-devel at lists.gnutls.org Wed May 15 05:20:27 2024
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Wed, 15 May 2024 03:20:27 +0000
Subject: [gnutls-devel] GnuTLS | nettle: utilize nettle_cbc_aes*_encrypt for performance (!1836)

Reassigned merge request 1836

https://gitlab.com/gnutls/gnutls/-/merge_requests/1836

Daiki Ueno was added as an assignee.

From gnutls-devel at lists.gnutls.org Wed May 15 05:20:49 2024
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Wed, 15 May 2024 03:20:49 +0000
Subject: [gnutls-devel] GnuTLS | nettle: utilize nettle_cbc_aes*_encrypt for performance (!1836)

Alexander Sosedkin and Zoltán Fridrich were added as reviewers.

From gnutls-devel at lists.gnutls.org Wed May 15 07:51:42 2024
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Wed, 15 May 2024 05:51:42 +0000
Subject: [gnutls-devel] GnuTLS | GnuTLS 3.8.5 broke TLS connections to RSA cert using hosts (#1540)

Vladimír Čunát commented on a discussion: https://gitlab.com/gnutls/gnutls/-/issues/1540#note_1906158098

Thanks for the fix, but it's a bit of a trap that the latest release is still kept on a version with this kind of breakage.

From gnutls-devel at lists.gnutls.org Wed May 15 09:49:16 2024
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Wed, 15 May 2024 07:49:16 +0000
Subject: [gnutls-devel] GnuTLS | Support PBMAC1 usage in PKCS#12 (!1833)

Milestone changed to Release of GnuTLS 3.8.6 (Apr 5, 2024–Jun 15, 2024) ( https://gitlab.com/gnutls/gnutls/-/milestones/44 )

From gnutls-devel at lists.gnutls.org Wed May 15 09:50:15 2024
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Wed, 15 May 2024 07:50:15 +0000
Subject: [gnutls-devel] GnuTLS | Fix configuration with multi-word GMP_LIBS. (!1832)

Milestone changed to Release of GnuTLS 3.8.6 (Apr 5, 2024–Jun 15, 2024) ( https://gitlab.com/gnutls/gnutls/-/milestones/44 )

From gnutls-devel at lists.gnutls.org Wed May 15 09:50:43 2024
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Wed, 15 May 2024 07:50:43 +0000
Subject: [gnutls-devel] GnuTLS | build: fix confusions between libtasn1 and GnuTLS error codes (!1834)

Milestone changed to Release of GnuTLS 3.8.6 (Apr 5, 2024–Jun 15, 2024) ( https://gitlab.com/gnutls/gnutls/-/milestones/44 )

From gnutls-devel at lists.gnutls.org Wed May 15 09:52:17 2024
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Wed, 15 May 2024 07:52:17 +0000
Subject: [gnutls-devel] GnuTLS | GnuTLS 3.8.5 broke TLS connections to RSA cert using hosts (#1540)

Daiki Ueno commented on a discussion: https://gitlab.com/gnutls/gnutls/-/issues/1540#note_1906301781

Yeah, let's target 3.8.6 release a little earlier (end of May).

From gnutls-devel at lists.gnutls.org Wed May 15 09:52:09 2024
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Wed, 15 May 2024 07:52:09 +0000
Subject: [gnutls-devel] GnuTLS | nettle: utilize nettle_cbc_aes*_encrypt for performance (!1836)

Merge request !1836 was approved by Zoltán Fridrich

Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1836
Project:Branches: dueno/gnutls:wip/dueno/nettle-aes-cbc to gnutls/gnutls:master
Author: Daiki Ueno
Assignee: Daiki Ueno
Reviewers: Alexander Sosedkin and Zoltán Fridrich

From gnutls-devel at lists.gnutls.org Wed May 15 09:52:33 2024
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Wed, 15 May 2024 07:52:33 +0000
Subject: [gnutls-devel] GnuTLS | nettle: utilize nettle_cbc_aes*_encrypt for performance (!1836)

Zoltán Fridrich commented: https://gitlab.com/gnutls/gnutls/-/merge_requests/1836#note_1906302210

Looks good.

From gnutls-devel at lists.gnutls.org Wed May 15 11:58:39 2024
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Wed, 15 May 2024 09:58:39 +0000
Subject: [gnutls-devel] GnuTLS | nettle: utilize nettle_cbc_aes*_encrypt for performance (!1836)

Daiki Ueno commented: https://gitlab.com/gnutls/gnutls/-/merge_requests/1836#note_1906557957

Thanks for the review!

From gnutls-devel at lists.gnutls.org Wed May 15 11:58:46 2024
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Wed, 15 May 2024 09:58:46 +0000
Subject: [gnutls-devel] GnuTLS | nettle: utilize nettle_cbc_aes*_encrypt for performance (!1836)

Merge request !1836 was set to auto-merge by Daiki Ueno

Merge request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1836
Project:Branches: dueno/gnutls:wip/dueno/nettle-aes-cbc to gnutls/gnutls:master
Author: Daiki Ueno
Assignee: Daiki Ueno
Reviewers: Alexander Sosedkin and Zoltán Fridrich

From gnutls-devel at lists.gnutls.org Wed May 15 11:59:55 2024
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Wed, 15 May 2024 09:59:55 +0000
Subject: [gnutls-devel] GnuTLS | nettle: utilize nettle_cbc_aes*_encrypt for performance (!1836)

Merge request !1836 was merged

Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1836
Project:Branches: dueno/gnutls:wip/dueno/nettle-aes-cbc to gnutls/gnutls:master
Author: Daiki Ueno
Assignee: Daiki Ueno
Reviewers: Alexander Sosedkin and Zoltán Fridrich

From gnutls-devel at lists.gnutls.org Thu May 16 10:58:20 2024
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Thu, 16 May 2024 08:58:20 +0000
Subject: [gnutls-devel] GnuTLS | Release 3.7.11 (!1831)

Zoltán Fridrich commented: https://gitlab.com/gnutls/gnutls/-/merge_requests/1831#note_1908426176

I turned off p11-kit in mingw builds to fix the build failures, but I don't understand why the static analysis fails. It says there is a problem in verify-high.c:1416 but I see no problem. @dueno could you please check?

From gnutls-devel at lists.gnutls.org Thu May 16 15:23:17 2024
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Thu, 16 May 2024 13:23:17 +0000
Subject: [gnutls-devel] GnuTLS | honor_crq_extensions breaks certificate generation if trying to use a CSR that includes a Subject_Key_Identifier (#1550)

Andreas Pousette created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1550

## Description of problem:

In certtool, if using the option `honor_crq_extensions` when generating/signing a certificate from a CSR containing a `Subject_Key_Identifier`, certtool fails. The error stated is: `set_subject_key_id: The request is invalid`. If not using `honor_crq_extensions` the certificate can be created from the CSR, but then the other crq extensions are not carried over either. Note that a new `Subject_Key_Identifier` is created in this case.

## Version of gnutls used:

3.6.16-8.el8_9.3.x86_64

## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)

Rocky (RHEL)

## How reproducible:

Steps to Reproduce:

* one: Create a CSR containing a Subject_Key_Identifier
* two: Try to create a certificate from that CSR using certtool and using the option honor_crq_extensions

## Actual results:

Certtool fails with an error. The error stated is: set_subject_key_id: The request is invalid

## Expected results:

A certificate is created from the CSR containing the CRQ extensions. Regarding the `Subject_Key_Identifier` there are probably two ways to handle this, either overwrite the existing `Subject_Key_Identifier` or respect the one from the CSR. What is the best option I leave up to you.

From gnutls-devel at lists.gnutls.org Fri May 17 03:09:34 2024
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Fri, 17 May 2024 01:09:34 +0000
Subject: [gnutls-devel] GnuTLS | honor_crq_extensions breaks certificate generation if trying to use a CSR that includes a Subject_Key_Identifier (#1550)

Daiki Ueno commented: https://gitlab.com/gnutls/gnutls/-/issues/1550#note_1909776053

> A certificate is created from the CSR containing the CRQ extensions. Regarding the `Subject_Key_Identifier` there are probably two ways to handle this, either overwrite the existing `Subject_Key_Identifier` or respect the one from the CSR. What is the best option I leave up to you.

I think we should overwrite it, as CA should have full control of such extension.

From gnutls-devel at lists.gnutls.org Fri May 17 03:39:33 2024
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Fri, 17 May 2024 01:39:33 +0000
Subject: [gnutls-devel] GnuTLS | build: suppress static analyzer warnings (!1837)

Daiki Ueno created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1837

Project:Branches: dueno/gnutls:wip/dueno/sast to gnutls/gnutls:master
Author: Daiki Ueno

* shuffle_exts: avoid theoretical wrap around of unsigned integer

  Signed-off-by: Daiki Ueno

* load_dir_certs: avoid memleak

  Signed-off-by: Daiki Ueno

## Checklist

* [x] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [ ] Code modified for feature
* [ ] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
* [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:

* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

From gnutls-devel at lists.gnutls.org Sat May 18 12:14:45 2024
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sat, 18 May 2024 10:14:45 +0000
Subject: [gnutls-devel] GnuTLS | build: suppress static analyzer warnings (!1837)

Ajit Singh was added as a reviewer.

From gnutls-devel at lists.gnutls.org Sat May 18 21:39:48 2024
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sat, 18 May 2024 19:39:48 +0000
Subject: [gnutls-devel] GnuTLS | build: suppress static analyzer warnings (!1837)

Ajit Singh commented: https://gitlab.com/gnutls/gnutls/-/merge_requests/1837#note_1911537809

LGTM!

From gnutls-devel at lists.gnutls.org Sat May 18 22:35:09 2024
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sat, 18 May 2024 20:35:09 +0000
Subject: [gnutls-devel] GnuTLS | server_name: synchronize server name send/receive (remove dns check) (!1838)

Elliott Mitchell created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1838

Project:Branches: ehem/gnutls:master to gnutls/gnutls:master
Author: Elliott Mitchell

The result of doing rough checking of DNS validity on receive is it makes the library conservative on reception, liberal on send. This is the exact opposite of the need of interoperability.

Further while IPv6 addresses were being rejected by the rough test, IPv4 addresses were being accepted. This can enhance shadow networks and increase trouble, rather than reducing it.

I suspect most server programs using GnuTLS can likely deal with more or less arbitrary names. As such, rejecting nul characters is about the only reasonable test. I believe this means the existing tests continue to behave.

I'm quite unsure of how the situation should be handled, but the mismatch between IPv4/IPv6 addresses and the checking on reception not send are both **highly** problematic.

## Checklist

* [x] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [ ] Code modified for feature
* [ ] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
* [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:

* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code
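As an added illustration of the two filtering policies this merge request weighs (not GnuTLS code and not part of the original message), the sketch below contrasts a nul-only filter with a strict check that refuses IPv4 and IPv6 literals alike, which RFC 6066 does not permit in an SNI `HostName`. The function names, the rule that rejects an all-numeric final label, and the sample inputs are assumptions constructed for this example.

```python
import ipaddress
import re

# One DNS label under the LDH rule: letters, digits, hyphen; no hyphen at
# either end; 1 to 63 octets.
_LABEL = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?")


def nul_only_filter(name: bytes) -> bool:
    """Minimal policy: accept any non-empty name without an embedded NUL."""
    return len(name) > 0 and b"\x00" not in name


def strict_sni_hostname(name: bytes) -> bool:
    """Strict policy: an ASCII DNS hostname, no trailing dot, no address literal."""
    if not name or len(name) > 253:
        return False
    try:
        text = name.decode("ascii")
    except UnicodeDecodeError:
        return False
    if text.endswith("."):
        return False
    # Treat both address families the same way: neither is a hostname.
    try:
        ipaddress.ip_address(text)
        return False
    except ValueError:
        pass
    labels = text.split(".")
    if not all(_LABEL.fullmatch(label) for label in labels):
        return False
    # Assumption of this example: a name whose last label is all digits is
    # address-like (for instance a decimal-encoded IPv4 address), so refuse it.
    if labels[-1].isdigit():
        return False
    return True


# Constructed sample inputs.
SAMPLES = [
    b"www.example.com",
    b"xn--bcher-kva.example",
    b"127.0.0.1",
    b"::1",
    b"2130706433",
    b"-www-.example.com",
    b"example.com.",
    b"a.example\x00.b.example",
    b"",
]


def classify(samples=SAMPLES):
    """Map each sample to (nul_only_filter result, strict_sni_hostname result)."""
    return {s: (nul_only_filter(s), strict_sni_hostname(s)) for s in samples}


if __name__ == "__main__":
    for sample, (loose, strict) in classify().items():
        print(f"{sample!r:32} nul-only={loose!s:5} strict={strict}")
```
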
From gnutls-devel at lists.gnutls.org Sun May 19 11:01:37 2024
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sun, 19 May 2024 09:01:37 +0000
Subject: [gnutls-devel] GnuTLS | server_name: synchronize server name send/receive (remove dns check) (!1838)

Daiki Ueno commented: https://gitlab.com/gnutls/gnutls/-/merge_requests/1838#note_1911657112

Looks sensible to me. Could you apply the [changes](https://gitlab.com/ehem/gnutls/-/jobs/6885214692#L54) that clang-format suggests?

From gnutls-devel at lists.gnutls.org Sun May 19 13:27:38 2024
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sun, 19 May 2024 11:27:38 +0000
Subject: [gnutls-devel] GnuTLS | server_name: synchronize server name send/receive (remove dns check) (!1838)

Andreas Metzler commented: https://gitlab.com/gnutls/gnutls/-/merge_requests/1838#note_1911680093

> I suspect most server programs using GnuTLS can likely deal with more or less arbitrary names. As such, rejecting nul characters is about the only reasonable test. [...]

Isn't "I suspect" a little bit weak here, i.e. shouldn't we rather continue to be restrictive when accepting network-fed content?
From gnutls-devel at lists.gnutls.org Mon May 20 00:15:54 2024
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sun, 19 May 2024 22:15:54 +0000
Subject: [gnutls-devel] GnuTLS | server_name: synchronize server name send/receive (remove dns check) (!1838)

Elliott Mitchell commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/1838#note_1911798699

There are actually 2 distinct issues here.

First, `_gnutls_dnsname_is_valid()` is rather inconsistent in what it accepts. Far too much is accepted which should not be and as a result it seems more likely to cause a false sense of security than actually usefully trigger. Some notable examples: (I'll leave the length calculation as an exercise)

```
_gnutls_dnsname_is_valid("127.0.0.1",) => 1
_gnutls_dnsname_is_valid("2130706433",) => 1
_gnutls_dnsname_is_valid("::1",) => 0
_gnutls_dnsname_is_valid("10.0.0.1",) => 1
_gnutls_dnsname_is_valid("167772161",) => 1
_gnutls_dnsname_is_valid("fd12:3456:7890::1",) => 0
_gnutls_dnsname_is_valid("123.4567.890",) => 1
_gnutls_dnsname_is_valid("-www-.example.com",) => 1
```

Yet not one of these is acceptable by RFC 6066 (they could not occur in DNS). Worse, filtering out IPv6 addresses, but not IPv4 addresses could help create issues posed by shadow networks.

As the most likely server implementation will be roughly `if(find_in_table(sni)) { do_found_thing } else { display_default_unmatched_thing }` I think it is likely best to do minimal filtering.

The other issue is testing is **only** being done in `_gnutls_server_name_recv_params()` and not `_gnutls_server_name_send_params()`. The result is GnuTLS is being liberal in what it sends, conservative in what it accepts. This is how you destroy interoperability.

I'm less sure of nul-characters testing in `_gnutls_server_name_send_params()`.
That might be useful for testing _other_ servers and is so broken I'm unsure it is worth bothering with.

From gnutls-devel at lists.gnutls.org Mon May 20 00:27:14 2024
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sun, 19 May 2024 22:27:14 +0000
Subject: [gnutls-devel] GnuTLS | server_name: synchronize server name send/receive (remove dns check) (!1838)

Elliott Mitchell commented: https://gitlab.com/gnutls/gnutls/-/merge_requests/1838#note_1911800582

Hmm, now to figure out branch protection and see whether I can get this to update...

From gnutls-devel at lists.gnutls.org Mon May 20 03:14:00 2024
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Mon, 20 May 2024 01:14:00 +0000
Subject: [gnutls-devel] GnuTLS | build: suppress static analyzer warnings (!1837)

Daiki Ueno commented: https://gitlab.com/gnutls/gnutls/-/merge_requests/1837#note_1911835746

Thank you for the review!
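The eight names listed in the !1838 discussion above, run through a strict host_name check: this is an added example, not GnuTLS code and not part of the merge request. `sni_hostname_is_strict()` and its rules (letter/digit/hyphen labels, no all-numeric final label, explicit length so an embedded NUL byte is seen) are assumptions chosen for illustration; the same predicate could be called on both the send and the receive path.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not a GnuTLS function. Returns 1 when name[0..len)
 * passes these assumed rules for an RFC 6066 host_name:
 *   - 1..253 bytes, no trailing dot
 *   - labels of 1..63 bytes made of ASCII letters, digits and '-'
 *   - no label starts or ends with '-'
 *   - the final label is not all digits (excludes IPv4 literals and bare
 *     integers such as "2130706433")
 * The explicit length means an embedded NUL byte is inspected and rejected
 * instead of silently truncating the name. */
int sni_hostname_is_strict(const char *name, size_t len)
{
	size_t i, label_len = 0;
	int label_all_digits = 1;

	if (name == NULL || len == 0 || len > 253)
		return 0;

	for (i = 0; i < len; i++) {
		unsigned char c = (unsigned char)name[i];
		int is_digit = (c >= '0' && c <= '9');
		int is_alpha = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z');

		if (c == '.') {
			/* empty label, or label ending in '-' */
			if (label_len == 0 || name[i - 1] == '-')
				return 0;
			label_len = 0;
			label_all_digits = 1;
			continue;
		}
		if (!is_digit && !is_alpha && c != '-')
			return 0; /* ':', NUL, '_', non-ASCII, ... */
		if (c == '-' && label_len == 0)
			return 0; /* label starts with '-' */
		if (!is_digit)
			label_all_digits = 0;
		if (++label_len > 63)
			return 0;
	}

	/* final label: present (no trailing dot), no trailing '-', not numeric */
	if (label_len == 0 || name[len - 1] == '-' || label_all_digits)
		return 0;
	return 1;
}

/* The eight names quoted in the thread. */
static const char *const thread_samples[] = {
	"127.0.0.1",	     "2130706433",   "::1",
	"10.0.0.1",	     "167772161",    "fd12:3456:7890::1",
	"123.4567.890",	     "-www-.example.com",
};

/* Number of thread samples the strict check accepts. */
int count_thread_samples_accepted(void)
{
	size_t i, n = sizeof(thread_samples) / sizeof(thread_samples[0]);
	int accepted = 0;

	for (i = 0; i < n; i++)
		accepted += sni_hostname_is_strict(thread_samples[i],
						   strlen(thread_samples[i]));
	return accepted;
}

int main(void)
{
	/* Constructed inputs, not taken from the thread. */
	static const char with_nul[] = "www.example.com\0.invalid";
	static const char ok[] = "www.example.com";
	size_t i, n = sizeof(thread_samples) / sizeof(thread_samples[0]);

	for (i = 0; i < n; i++)
		printf("%-20s => %d\n", thread_samples[i],
		       sni_hostname_is_strict(thread_samples[i],
					      strlen(thread_samples[i])));
	printf("%-20s => %d\n", ok, sni_hostname_is_strict(ok, sizeof(ok) - 1));
	printf("%-20s => %d\n", "name with NUL",
	       sni_hostname_is_strict(with_nul, sizeof(with_nul) - 1));
	return 0;
}
```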
From gnutls-devel at lists.gnutls.org Mon May 20 03:14:06 2024
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Mon, 20 May 2024 01:14:06 +0000
Subject: [gnutls-devel] GnuTLS | build: suppress static analyzer warnings (!1837)

Merge request !1837 was merged

Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1837
Project:Branches: dueno/gnutls:wip/dueno/sast to gnutls/gnutls:master
Author: Daiki Ueno
Reviewer: Ajit Singh

From gnutls-devel at lists.gnutls.org Mon May 20 08:20:05 2024
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Mon, 20 May 2024 06:20:05 +0000
Subject: [gnutls-devel] GnuTLS | server_name: synchronize server name send/receive (remove dns check) (!1838)

Andreas Metzler commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/1838#note_1911979910

Elliott Mitchell commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/1838#note_1911798699

> There are actually 2 distinct issues here. First, `_gnutls_dnsname_is_valid()` is rather inconsistent in what it accepts. [...]

> The other issue is testing is **only** being done in `_gnutls_server_name_recv_params()` and not `_gnutls_server_name_send_params()`. The result is GnuTLS is being liberal in what it sends, conservative in what it accepts. This is how you destroy interoperability. [...]

Yessish. However you proposed to solve both issues by "dropping the checking". My question was whether this was the correct solution.
To my eyes nowadays decreasing enforcement of RFC-compliance on the server side seems quite strange. Usually nowadays one tries to decrease complexity and attack surface.

From gnutls-devel at lists.gnutls.org Wed May 22 15:25:06 2024
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Wed, 22 May 2024 13:25:06 +0000
Subject: [gnutls-devel] GnuTLS | Release 3.7.11 (!1831)

Alexander Sosedkin commented: https://gitlab.com/gnutls/gnutls/-/merge_requests/1831#note_1916515415

`cppcheck --force -Igl/ -Ilib/ lib/x509/verify-high.c` reproduces the error for me, `-E` reveals [what it thinks it preprocesses into](https://gitlab.com/-/snippets/3712311).

That is, a [horrendous horror](https://github.com/coreutils/gnulib/blob/0a301c5267edd935e8b6161cfe4f36218d9df694/lib/intprops-internal.h#L260) instead of a [neat builtin](https://github.com/coreutils/gnulib/blob/0a301c5267edd935e8b6161cfe4f36218d9df694/lib/intprops-internal.h#L152). cppcheck thinks horrendous horror contains signed overflows.

IDK what to do about it. Suppress? Try to sway it towards expanding into the neat builtin?
From gnutls-devel at lists.gnutls.org Thu May 23 06:33:48 2024
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Thu, 23 May 2024 04:33:48 +0000
Subject: [gnutls-devel] GnuTLS | Release 3.7.11 (!1831)

Daiki Ueno commented: https://gitlab.com/gnutls/gnutls/-/merge_requests/1831#note_1917746117

Just ignore the failures for now, see:
- https://gitlab.com/gnutls/gnutls/-/commit/0aec13a6eb3a6b16e759c78d0c000ca6ac13405f
- https://gitlab.com/gnutls/gnutls/-/commit/599f6c2e9d52a59300e5879d47d1d1e86f8eec52

From gnutls-devel at lists.gnutls.org Thu May 23 12:19:56 2024
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Thu, 23 May 2024 10:19:56 +0000
Subject: [gnutls-devel] GnuTLS | Release 3.7.11 (!1831)

Merge request !1831 was merged

Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1831
Project:Branches: ZoltanFridrich/gnutls:zfridric_devel3 to gnutls/gnutls:gnutls_3_7_x
Author: Zoltán Fridrich
Assignee: Zoltán Fridrich
Reviewer: Daiki Ueno

From gnutls-devel at lists.gnutls.org Fri May 24 02:37:47 2024
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Fri, 24 May 2024 00:37:47 +0000
Subject: [gnutls-devel] GnuTLS | gnutls_handshake() failed: An unexpected TLS packet was received. (#1551)

Felix Adrianto created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1551

## Description of problem:

I have git client from Debian Bookworm which is supported by gnutls. I'm having issue cloning any git repository hosted by Github.

I did a little bit deeper opening TLS connection with gnutls-cli. Connecting to github.com produce an error below. I tested with google.com, bitbucket.org, gitlab.com, docker.com the TLS connections were established without any issue. The issue seems specific to github.

```
gnutls-cli -V -d 9999 github.com
|<3>| ASSERT: ../../../lib/x509/dn.c[_gnutls_x509_compare_raw_dn]:1039
|<3>| ASSERT: ../../../lib/x509/dn.c[_gnutls_x509_compare_raw_dn]:1039
|<3>| ASSERT: ../../../lib/x509/dn.c[_gnutls_x509_compare_raw_dn]:1039
Processed 140 CA certificate(s).
Resolving 'github.com:443'...
Connecting to '140.82.112.3:443'...
|<5>| REC[0x55a4f0103cd0]: Allocating epoch #0
|<2>| added 6 protocols, 29 ciphersuites, 19 sig algos and 10 groups into priority list
|<5>| REC[0x55a4f0103cd0]: Allocating epoch #1
|<4>| HSK[0x55a4f0103cd0]: Adv. version: 3.3
|<2>| Keeping ciphersuite 13.02 (GNUTLS_AES_256_GCM_SHA384)
|<2>| Keeping ciphersuite 13.03 (GNUTLS_CHACHA20_POLY1305_SHA256)
|<2>| Keeping ciphersuite 13.01 (GNUTLS_AES_128_GCM_SHA256)
|<2>| Keeping ciphersuite 13.04 (GNUTLS_AES_128_CCM_SHA256)
|<2>| Keeping ciphersuite c0.2c (GNUTLS_ECDHE_ECDSA_AES_256_GCM_SHA384)
|<2>| Keeping ciphersuite cc.a9 (GNUTLS_ECDHE_ECDSA_CHACHA20_POLY1305)
|<2>| Keeping ciphersuite c0.ad (GNUTLS_ECDHE_ECDSA_AES_256_CCM)
|<2>| Keeping ciphersuite c0.0a (GNUTLS_ECDHE_ECDSA_AES_256_CBC_SHA1)
|<2>| Keeping ciphersuite c0.2b (GNUTLS_ECDHE_ECDSA_AES_128_GCM_SHA256)
|<2>| Keeping ciphersuite c0.ac (GNUTLS_ECDHE_ECDSA_AES_128_CCM)
|<2>| Keeping ciphersuite c0.09 (GNUTLS_ECDHE_ECDSA_AES_128_CBC_SHA1)
|<2>| Keeping ciphersuite c0.30 (GNUTLS_ECDHE_RSA_AES_256_GCM_SHA384)
|<2>| Keeping ciphersuite cc.a8 (GNUTLS_ECDHE_RSA_CHACHA20_POLY1305)
|<2>| Keeping ciphersuite c0.14 (GNUTLS_ECDHE_RSA_AES_256_CBC_SHA1)
|<2>| Keeping ciphersuite c0.2f (GNUTLS_ECDHE_RSA_AES_128_GCM_SHA256)
|<2>| Keeping ciphersuite c0.13 (GNUTLS_ECDHE_RSA_AES_128_CBC_SHA1)
|<2>| Keeping ciphersuite 00.9d (GNUTLS_RSA_AES_256_GCM_SHA384)
|<2>| Keeping ciphersuite c0.9d (GNUTLS_RSA_AES_256_CCM)
|<2>| Keeping ciphersuite 00.35 (GNUTLS_RSA_AES_256_CBC_SHA1)
|<2>| Keeping ciphersuite 00.9c (GNUTLS_RSA_AES_128_GCM_SHA256)
|<2>| Keeping ciphersuite c0.9c (GNUTLS_RSA_AES_128_CCM)
|<2>| Keeping ciphersuite 00.2f (GNUTLS_RSA_AES_128_CBC_SHA1)
|<2>| Keeping ciphersuite 00.9f (GNUTLS_DHE_RSA_AES_256_GCM_SHA384)
|<2>| Keeping ciphersuite cc.aa (GNUTLS_DHE_RSA_CHACHA20_POLY1305)
|<2>| Keeping ciphersuite c0.9f (GNUTLS_DHE_RSA_AES_256_CCM)
|<2>| Keeping ciphersuite 00.39 (GNUTLS_DHE_RSA_AES_256_CBC_SHA1)
|<2>| Keeping ciphersuite 00.9e (GNUTLS_DHE_RSA_AES_128_GCM_SHA256)
|<2>| Keeping ciphersuite c0.9e (GNUTLS_DHE_RSA_AES_128_CCM)
|<2>| Keeping ciphersuite 00.33 (GNUTLS_DHE_RSA_AES_128_CBC_SHA1)
|<4>| EXT[0x55a4f0103cd0]: Preparing extension (OCSP Status Request/5) for 'client hello'
|<4>| EXT[0x55a4f0103cd0]: Sending extension OCSP Status Request/5 (5 bytes)
|<4>| EXT[0x55a4f0103cd0]: Preparing extension (Client Certificate Type/19) for 'client hello'
|<4>| EXT[0x55a4f0103cd0]: Client certificate type was set to default cert type (X.509). We therefore do not send this extension.
|<4>| EXT[0x55a4f0103cd0]: Preparing extension (Server Certificate Type/20) for 'client hello'
|<4>| EXT[0x55a4f0103cd0]: Server certificate type was set to default cert type (X.509). We therefore do not send this extension.
|<4>| EXT[0x55a4f0103cd0]: Preparing extension (Supported Groups/10) for 'client hello'
|<4>| EXT[0x55a4f0103cd0]: Sent group SECP256R1 (0x17)
|<4>| EXT[0x55a4f0103cd0]: Sent group SECP384R1 (0x18)
|<4>| EXT[0x55a4f0103cd0]: Sent group SECP521R1 (0x19)
|<4>| EXT[0x55a4f0103cd0]: Sent group X25519 (0x1d)
|<4>| EXT[0x55a4f0103cd0]: Sent group X448 (0x1e)
|<4>| EXT[0x55a4f0103cd0]: Sent group FFDHE2048 (0x100)
|<4>| EXT[0x55a4f0103cd0]: Sent group FFDHE3072 (0x101)
|<4>| EXT[0x55a4f0103cd0]: Sent group FFDHE4096 (0x102)
|<4>| EXT[0x55a4f0103cd0]: Sent group FFDHE6144 (0x103)
|<4>| EXT[0x55a4f0103cd0]: Sent group FFDHE8192 (0x104)
|<4>| EXT[0x55a4f0103cd0]: Sending extension Supported Groups/10 (22 bytes)
|<4>| EXT[0x55a4f0103cd0]: Preparing extension (Supported EC Point Formats/11) for 'client hello'
|<4>| EXT[0x55a4f0103cd0]: Sending extension Supported EC Point Formats/11 (2 bytes)
|<4>| EXT[0x55a4f0103cd0]: Preparing extension (SRP/12) for 'client hello'
|<4>| EXT[0x55a4f0103cd0]: Preparing extension (Signature Algorithms/13) for 'client hello'
|<4>| EXT[0x55a4f0103cd0]: sent signature algo (4.1) RSA-SHA256
|<4>| EXT[0x55a4f0103cd0]: sent signature algo (8.9) RSA-PSS-SHA256
|<4>| EXT[0x55a4f0103cd0]: sent signature algo (8.4) RSA-PSS-RSAE-SHA256
|<4>| EXT[0x55a4f0103cd0]: sent signature algo (4.3) ECDSA-SHA256
|<4>| EXT[0x55a4f0103cd0]: sent signature algo (8.7) EdDSA-Ed25519
|<4>| EXT[0x55a4f0103cd0]: sent signature algo (5.1) RSA-SHA384
|<4>| EXT[0x55a4f0103cd0]: sent signature algo (8.10) RSA-PSS-SHA384
|<4>| EXT[0x55a4f0103cd0]: sent signature algo (8.5) RSA-PSS-RSAE-SHA384
|<4>| EXT[0x55a4f0103cd0]: sent signature algo (5.3) ECDSA-SHA384
|<4>| EXT[0x55a4f0103cd0]: sent signature algo (8.8) EdDSA-Ed448
|<4>| EXT[0x55a4f0103cd0]: sent signature algo (6.1) RSA-SHA512
|<4>| EXT[0x55a4f0103cd0]: sent signature algo (8.11) RSA-PSS-SHA512
|<4>| EXT[0x55a4f0103cd0]: sent signature algo (8.6) RSA-PSS-RSAE-SHA512
|<4>| EXT[0x55a4f0103cd0]: sent signature algo (6.3) ECDSA-SHA512
|<4>| EXT[0x55a4f0103cd0]: sent signature algo (2.1) RSA-SHA1
|<4>| EXT[0x55a4f0103cd0]: sent signature algo (2.3) ECDSA-SHA1
|<4>| EXT[0x55a4f0103cd0]: Sending extension Signature Algorithms/13 (34 bytes)
|<4>| EXT[0x55a4f0103cd0]: Preparing extension (SRTP/14) for 'client hello'
|<4>| EXT[0x55a4f0103cd0]: Preparing extension (Heartbeat/15) for 'client hello'
|<4>| EXT[0x55a4f0103cd0]: Preparing extension (ALPN/16) for 'client hello'
|<4>| EXT[0x55a4f0103cd0]: Preparing extension (Encrypt-then-MAC/22) for 'client hello'
|<4>| EXT[0x55a4f0103cd0]: Sending extension Encrypt-then-MAC/22 (0 bytes)
|<4>| EXT[0x55a4f0103cd0]: Preparing extension (Extended Master Secret/23) for 'client hello'
|<4>| EXT[0x55a4f0103cd0]: Sending extension Extended Master Secret/23 (0 bytes)
|<4>| EXT[0x55a4f0103cd0]: Preparing extension (Session Ticket/35) for 'client hello'
|<4>| EXT[0x55a4f0103cd0]: Sending extension Session Ticket/35 (0 bytes)
|<4>| EXT[0x55a4f0103cd0]: Preparing extension (Key Share/51) for 'client hello'
|<4>| EXT[0x55a4f0103cd0]: sending key share for SECP256R1
|<4>| EXT[0x55a4f0103cd0]: sending key share for X25519
|<4>| EXT[0x55a4f0103cd0]: Sending extension Key Share/51 (107 bytes)
|<4>| EXT[0x55a4f0103cd0]: Preparing extension (Supported Versions/43) for 'client hello'
|<2>| Advertizing version 3.4
|<2>| Advertizing version 3.3
|<2>| Advertizing version 3.2
|<2>| Advertizing version 3.1
|<4>| EXT[0x55a4f0103cd0]: Sending extension Supported Versions/43 (9 bytes)
|<4>| EXT[0x55a4f0103cd0]: Preparing extension (Post Handshake Auth/49) for 'client hello'
|<4>| EXT[0x55a4f0103cd0]: Preparing extension (Safe Renegotiation/65281) for 'client hello'
|<4>| EXT[0x55a4f0103cd0]: Sending extension Safe Renegotiation/65281 (1 bytes)
|<4>| EXT[0x55a4f0103cd0]: Preparing extension (Server Name Indication/0) for 'client hello'
|<2>| HSK[0x55a4f0103cd0]: sent server name: 'github.com'
|<4>| EXT[0x55a4f0103cd0]: Sending extension Server Name Indication/0 (15 bytes)
|<4>| EXT[0x55a4f0103cd0]: Preparing extension (Cookie/44) for 'client hello'
|<4>| EXT[0x55a4f0103cd0]: Preparing extension (Early Data/42) for 'client hello'
|<4>| EXT[0x55a4f0103cd0]: Preparing extension (PSK Key Exchange Modes/45) for 'client hello'
|<4>| EXT[0x55a4f0103cd0]: Sending extension PSK Key Exchange Modes/45 (3 bytes)
|<4>| EXT[0x55a4f0103cd0]: Preparing extension (Record Size Limit/28) for 'client hello'
|<4>| EXT[0x55a4f0103cd0]: Sending extension Record Size Limit/28 (2 bytes)
|<4>| EXT[0x55a4f0103cd0]: Preparing extension (Maximum Record Size/1) for 'client hello'
|<4>| EXT[0x55a4f0103cd0]: Preparing extension (Compress Certificate/27) for 'client hello'
|<4>| EXT[0x55a4f0103cd0]: Preparing extension (ClientHello Padding/21) for 'client hello'
|<4>| EXT[0x55a4f0103cd0]: Preparing extension (Pre Shared Key/41) for 'client hello'
|<4>| HSK[0x55a4f0103cd0]: CLIENT HELLO was queued [387 bytes]
|<11>| HWRITE: enqueued [CLIENT HELLO] 387. Total 387 bytes.
|<11>| HWRITE FLUSH: 387 bytes in buffer.
|<5>| REC[0x55a4f0103cd0]: Preparing Packet Handshake(22) with length: 387 and min pad: 0
|<9>| ENC[0x55a4f0103cd0]: cipher: NULL, MAC: MAC-NULL, Epoch: 0
|<11>| WRITE: enqueued 392 bytes for 0x3. Total 392 bytes.
|<5>| REC[0x55a4f0103cd0]: Sent Packet[1] Handshake(22) in epoch 0 and length: 392
|<11>| HWRITE: wrote 1 bytes, 0 bytes left.
|<11>| WRITE FLUSH: 392 bytes in buffer.
|<11>| WRITE: wrote 392 bytes, 0 bytes left.
|<3>| ASSERT: ../../lib/buffers.c[get_last_packet]:1185
|<10>| READ: Got 5 bytes from 0x3
|<10>| READ: read 5 bytes from 0x3
|<10>| RB: Have 0 bytes into buffer. Adding 5 bytes.
|<10>| RB: Requested 5 bytes
|<5>| REC[0x55a4f0103cd0]: SSL 84.84 Unknown Packet packet received. Epoch 0, length: 20527
|<3>| ASSERT: ../../lib/record.c[check_recv_type]:634
|<1>| Received record packet of unknown type 72
|<3>| ASSERT: ../../lib/record.c[recv_headers]:1228
|<3>| ASSERT: ../../lib/record.c[_gnutls_recv_in_buffers]:1321
|<3>| ASSERT: ../../lib/buffers.c[_gnutls_handshake_io_recv_int]:1467
|<3>| ASSERT: ../../lib/handshake.c[_gnutls_recv_handshake]:1600
|<3>| ASSERT: ../../lib/handshake.c[handshake_client]:3075
|<13>| BUF[HSK]: Emptied buffer
*** Fatal error: An unexpected TLS packet was received.
|<5>| REC: Sending Alert[2|10] - Unexpected message
|<5>| REC[0x55a4f0103cd0]: Preparing Packet Alert(21) with length: 2 and min pad: 0
|<9>| ENC[0x55a4f0103cd0]: cipher: NULL, MAC: MAC-NULL, Epoch: 0
|<11>| WRITE: enqueued 7 bytes for 0x3. Total 7 bytes.
|<11>| WRITE FLUSH: 7 bytes in buffer.
|<11>| WRITE: wrote 7 bytes, 0 bytes left.
|<5>| REC[0x55a4f0103cd0]: Sent Packet[2] Alert(21) in epoch 0 and length: 7
```

## Version of gnutls used:

libgnutls30 3.7.9-2+deb12u2

## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)

Debian Bookworm (stable)

## How reproducible:

Steps to Reproduce:

* git clone https://github.com/MythTV/mythtv.git

## Actual results:

```
gnutls[1]: Received record packet of unknown type 72
fatal: unable to access 'https://github.com/MythTV/mythtv.git/': gnutls_handshake() failed: An unexpected TLS packet was received.
```

## Expected results:

TLS connection established.
From gnutls-devel at lists.gnutls.org Fri May 24 16:19:13 2024
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Fri, 24 May 2024 14:19:13 +0000
Subject: [gnutls-devel] GnuTLS | static linking: multiple definition of `mpn_cnd_add_n' (#1552)

Tim Rühsen created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1552

When statically linking with libgnutls.a and libhogweed.a, the linker complains about multiple definition of several `mpn_` functions. In my case it is building and linking the fuzzers for `wget` and `wget2` on oss-fuzz. This problem exists since ~11.03.2024.

```
/src/wget2_deps/lib/libhogweed.a(gmp-glue.o): in function `mpn_cnd_add_n':
gmp-glue.c:(.text.mpn_cnd_add_n[mpn_cnd_add_n]+0x0): multiple definition of `mpn_cnd_add_n'; /usr/bin/ld: DWARF error: invalid or unhandled FORM value: 0x25
/src/wget2_deps/lib/libgnutls.a(gmp-glue.o):gmp-glue.c:(.text.mpn_cnd_add_n[mpn_cnd_add_n]+0x0): first defined here
```

(*) The "DWARF error" here seems to be side-effect and isn't the cause.

The build script, which includes the static build instructions for nettle and gnutls, is [here](https://github.com/google/oss-fuzz/blob/master/projects/wget2/build.sh).

More info: https://github.com/google/oss-fuzz/issues/11698

A possible work-around is using `libgmp.a` instead of mini-nettle ... but the oss-fuzz builds require clang, and from what I remember, `libgmp` fails to build with clang (at least the last time I tried it, which is a while ago).
From gnutls-devel at lists.gnutls.org Fri May 24 18:52:49 2024
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Fri, 24 May 2024 16:52:49 +0000
Subject: [gnutls-devel] GnuTLS | static linking: multiple definition of `mpn_cnd_add_n' (#1552)

Tim Rühsen commented: https://gitlab.com/gnutls/gnutls/-/issues/1552#note_1921302294

I figured out that `gmp-6.3.0` builds with clang. Using that instead of mini-gmp fixed the oss-fuzz build of wget2.

So I am not blocked by this issue :)

From gnutls-devel at lists.gnutls.org Sat May 25 13:11:41 2024
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sat, 25 May 2024 11:11:41 +0000
Subject: [gnutls-devel] GnuTLS | gnutls_handshake() failed: An unexpected TLS packet was received. (#1551)

Andreas Metzler commented: https://gitlab.com/gnutls/gnutls/-/issues/1551#note_1921898090

FWIW this (gnutls-cli -V -d 9999 github.com) works for me in my bookworm chroot. Where you have

> |<5>| REC[0x55a4f0103cd0]: SSL 84.84 Unknown Packet packet received. Epoch 0, length: 20527

I get

> |<5>| REC[0x56072cbb63b0]: SSL 3.3 Handshake packet received. Epoch 0, length: 155
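The record header fields in the two log lines compared in #1551 (type 72, version 84.84, length 20527 in the report; Handshake(22), version 3.3, length 155 in the reply) can be turned back into the five bytes that were read from the socket. This is an added example, not GnuTLS code and not part of the issue; the function names and the verdict enum are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum hdr_verdict {
	HDR_TLS = 0,	    /* plausible TLS record header */
	HDR_ASCII_TEXT = 1, /* all five bytes printable: a plaintext reply */
	HDR_GARBAGE = 2	    /* neither */
};

/* Rebuild the 5-byte record header from the fields the debug log prints:
 * content type, version major.minor, and the 16-bit big-endian length. */
void hdr_from_log_fields(unsigned type, unsigned major, unsigned minor,
			 unsigned length, uint8_t out[5])
{
	out[0] = (uint8_t)type;
	out[1] = (uint8_t)major;
	out[2] = (uint8_t)minor;
	out[3] = (uint8_t)(length >> 8);
	out[4] = (uint8_t)(length & 0xff);
}

/* Classify the header and write its printable rendering into text[6]
 * (non-printable bytes are shown as '.'). */
enum hdr_verdict hdr_classify(const uint8_t h[5], char text[6])
{
	unsigned length = ((unsigned)h[3] << 8) | h[4];
	int printable = 1;
	size_t i;

	for (i = 0; i < 5; i++) {
		int ok = (h[i] >= 0x20 && h[i] <= 0x7e);

		if (!ok)
			printable = 0;
		text[i] = ok ? (char)h[i] : '.';
	}
	text[5] = '\0';

	/* Content types 20..24 (change_cipher_spec, alert, handshake,
	 * application_data, heartbeat), record version 3.x, and a length
	 * within the TLSCiphertext limit of 2^14 + 2048. */
	if (h[0] >= 20 && h[0] <= 24 && h[1] == 3 && h[2] <= 4 &&
	    length <= 16384 + 2048)
		return HDR_TLS;
	return printable ? HDR_ASCII_TEXT : HDR_GARBAGE;
}

int main(void)
{
	static const char *const names[] = { "TLS record", "ASCII text",
					     "garbage" };
	/* Field values copied from the two log lines quoted in the thread. */
	const unsigned fields[2][4] = {
		{ 72, 84, 84, 20527 }, /* reporter's log */
		{ 22, 3, 3, 155 },     /* log from the working chroot */
	};
	size_t i;

	for (i = 0; i < 2; i++) {
		uint8_t h[5];
		char text[6];
		enum hdr_verdict v;

		hdr_from_log_fields(fields[i][0], fields[i][1], fields[i][2],
				    fields[i][3], h);
		v = hdr_classify(h, text);
		printf("%02x %02x %02x %02x %02x  \"%s\"  %s\n", h[0], h[1],
		       h[2], h[3], h[4], text, names[v]);
	}
	return 0;
}
```

For the reporter's values the five bytes are 48 54 54 50 2f, the ASCII text `HTTP/`, so the first thing read on that connection was plaintext rather than a TLS record.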
From gnutls-devel at lists.gnutls.org Sun May 26 00:39:36 2024
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sat, 25 May 2024 22:39:36 +0000
Subject: [gnutls-devel] GnuTLS | static linking: multiple definition of `mpn_cnd_add_n' (#1552)

Daiki Ueno commented: https://gitlab.com/gnutls/gnutls/-/issues/1552#note_1922035983

My theory is something like the following:
- in gnutls/lib/nettle/int/dsa-compute-k.c, we use `#ifdef mpn_cnd_add_n` to detect whether `mpn_cnd_add_n` is available in GMP
- on the other hand, nettle/gmp-glue.c defines the function anyway (not as a macro) when `NETTLE_USE_MINI_GMP` is true
- when linking libgnutls.a with libgmp.a, where `mpn_cnd_add_n` is present, the code is copied and linked
- then it clashes with nettle's definition

From gnutls-devel at lists.gnutls.org Sun May 26 23:48:02 2024
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sun, 26 May 2024 21:48:02 +0000
Subject: [gnutls-devel] GnuTLS | static linking: multiple definition of `mpn_cnd_add_n' (#1552)

Daiki Ueno commented: https://gitlab.com/gnutls/gnutls/-/issues/1552#note_1922362252

@rockdaboot could you try [nettle-mini-gmp.patch](/uploads/86c6b24aa8b9019953a47b169824c51f/nettle-mini-gmp.patch) ?
From gnutls-devel at lists.gnutls.org Tue May 28 09:21:09 2024
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Tue, 28 May 2024 07:21:09 +0000
Subject: [gnutls-devel] build-images | Draft: .gitlab-ci.yml: fix jobs not being scheduled anywhere (!34)

Alexander Sosedkin created a merge request: https://gitlab.com/gnutls/build-images/-/merge_requests/34

Project:Branches: asosedkin/build-images:fix-ci to gnutls/build-images:master
Author: Alexander Sosedkin

GitLab 1.70 has deprecated `shared` runner tag: https://docs.gitlab.com/ee/update/deprecations.html#removal-of-tags-from-small-saas-runners-on-linux

From gnutls-devel at lists.gnutls.org Tue May 28 10:01:49 2024
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Tue, 28 May 2024 08:01:49 +0000
Subject: [gnutls-devel] build-images | Draft: .gitlab-ci.yml: fix jobs not being scheduled anywhere (!34)

Alexander Sosedkin commented: https://gitlab.com/gnutls/build-images/-/merge_requests/34#note_1924349916

> error running container: error creating container for \[...\]: container_linux.go:345: starting container process caused "process_linux.go:281: applying cgroup configuration for process caused "mountpoint for cgroup not found"" : exit status 1

oh no, not this thing again... I've already encountered it in crypto-policies CI, and there I gave up and switched to docker:dind. Suggesting the same here, but only because I don't know what else to do.
From gnutls-devel at lists.gnutls.org Tue May 28 10:13:37 2024
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Tue, 28 May 2024 08:13:37 +0000
Subject: [gnutls-devel] build-images | .gitlab-ci.yml: fix jobs not being scheduled anywhere (!34)

Alexander Sosedkin marked merge request !34 as ready

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/build-images/-/merge_requests/34

From gnutls-devel at lists.gnutls.org Tue May 28 21:39:44 2024
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Tue, 28 May 2024 19:39:44 +0000
Subject: [gnutls-devel] build-images | .gitlab-ci.yml: fix jobs not being scheduled anywhere, switch to Docker (!34)

Nikos Mavrogiannopoulos commented on a discussion: https://gitlab.com/gnutls/build-images/-/merge_requests/34#note_1925874913

Replace `shared` with `saas-linux-small-amd64`. See https://docs.gitlab.com/ee/update/deprecations.html?removal_milestone=17.0#removal-of-tags-from-small-saas-runners-on-linux
From gnutls-devel at lists.gnutls.org Tue May 28 21:50:09 2024
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Tue, 28 May 2024 19:50:09 +0000
Subject: [gnutls-devel] build-images | .gitlab-ci.yml: fix jobs not being scheduled anywhere, switch to Docker (!34)

Nikos Mavrogiannopoulos commented on a discussion: https://gitlab.com/gnutls/build-images/-/merge_requests/34#note_1925887485

And I see that you tried that already. The problem may be related to the buildah/buildah image. In openconnect we use the `registry.fedoraproject.org/fedora-minimal` image and the build works. Docker-in-docker is just unnecessary complexity. podman doesn't work with the fedora-minimal image, I'd recommend https://github.com/GoogleContainerTools/kaniko

From gnutls-devel at lists.gnutls.org Wed May 29 00:44:59 2024
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Tue, 28 May 2024 22:44:59 +0000
Subject: [gnutls-devel] build-images | .gitlab-ci.yml: fix jobs not being scheduled anywhere, switch to Docker (!34)

Daiki Ueno started a new discussion on .gitlab-ci.yml: https://gitlab.com/gnutls/build-images/-/merge_requests/34#note_1926086276

> ALPINE_BUILD: buildenv-alpine > > Fedora39: > - image: buildah/buildah > + image: docker

You could use `quay.io/podman/stable` instead; `buildah/buildah` turned to be unmaintained and too old. See nettle-build-images for [example](https://gitlab.com/gnutls/nettle-build-images/-/blob/main/.gitlab-ci.yml?ref_type=heads).
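Review bot: the added `image: docker` line in the `Fedora39` job names the image with no tag or digest, so each pipeline run uses whatever that name resolves to at the time; the `buildah/buildah` line it replaces had the same gap. Since this job's output is a build image that other pipelines consume, pin the job image to a specific tag or digest so a change upstream cannot silently alter what gets built, and apply the same pinning if the image is switched again as suggested in this discussion.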
-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/build-images/-/merge_requests/34#note_1926086276

From gnutls-devel at lists.gnutls.org Wed May 29 10:45:22 2024
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Wed, 29 May 2024 08:45:22 +0000
Subject: [gnutls-devel] GnuTLS | algorithms: expose SHAKE from public API (!1839)
References:
Message-ID:

Daiki Ueno created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1839

Project:Branches: dueno/gnutls:wip/dueno/shake to gnutls/gnutls:master
Author: Daiki Ueno

* algorithms: expose SHAKE from public API

  This adds a new function gnutls_hash_squeeze, which works similarly to gnutls_hash_output but enables retrieving output of arbitrary length.

  Signed-off-by: Daiki Ueno

* nettle: vendor-in SHAKE implementation

  Signed-off-by: Daiki Ueno

* devel: update nettle submodule

  Signed-off-by: Daiki Ueno

## Checklist

* [x] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [x] Code modified for feature
* [x] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [x] Documentation updated / NEWS entry present (for non-trivial changes)
* [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:

* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1839

From gnutls-devel at lists.gnutls.org Wed May 29 10:45:40 2024
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Wed, 29 May 2024 08:45:40 +0000
Subject: [gnutls-devel] GnuTLS | algorithms: expose SHAKE from public API (!1839)
In-Reply-To:
References:
Message-ID:

Reassigned merge request 1839

https://gitlab.com/gnutls/gnutls/-/merge_requests/1839

Daiki Ueno was added as an assignee.

-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1839

From gnutls-devel at lists.gnutls.org Wed May 29 10:45:38 2024
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Wed, 29 May 2024 08:45:38 +0000
Subject: [gnutls-devel] GnuTLS | algorithms: expose SHAKE from public API (!1839)
In-Reply-To:
References:
Message-ID:

Alexander Sosedkin and Zoltán Fridrich were added as reviewers.

-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1839

From gnutls-devel at lists.gnutls.org Wed May 29 19:06:43 2024
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Wed, 29 May 2024 17:06:43 +0000
Subject: [gnutls-devel] GnuTLS | The GNUTLS Release 3.6.16 has a bug in the DTLS Non-Blocking logic, bug located at gnutls-3.6.16/lib/record.c in function _gnutls_recv_in_buffers at lines 1307 and 1322 (#1413)
In-Reply-To:
References:
Message-ID:

Andy Zhang commented: https://gitlab.com/gnutls/gnutls/-/issues/1413#note_1927644908

@alex2 Are there any updates on this bug?

-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1413#note_1927644908

From gnutls-devel at lists.gnutls.org Thu May 30 13:23:34 2024
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Thu, 30 May 2024 11:23:34 +0000
Subject: [gnutls-devel] GnuTLS | Draft: remove testcompat-* tests (!1840)
In-Reply-To:
References:
Message-ID:

Reassigned merge request 1840

https://gitlab.com/gnutls/gnutls/-/merge_requests/1840

Stanislav Židek was added as an assignee.

-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1840

From gnutls-devel at lists.gnutls.org Thu May 30 13:23:38 2024
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Thu, 30 May 2024 11:23:38 +0000
Subject: [gnutls-devel] GnuTLS | Draft: remove testcompat-* tests (!1840)
References:
Message-ID:

Stanislav Židek created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1840

Project:Branches: ep69/gnutls:remove-testcompat to gnutls/gnutls:master
Author: Stanislav Židek
Assignee: Stanislav Židek

* remove testcompat-* tests

## Checklist

* [ ] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [ ] Code modified for feature
* [ ] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
* [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:

* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1840

From gnutls-devel at lists.gnutls.org Fri May 31 16:10:36 2024
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Fri, 31 May 2024 14:10:36 +0000
Subject: [gnutls-devel] GnuTLS | remove testcompat-* tests (!1840)
In-Reply-To:
References:
Message-ID:

Stanislav Židek marked merge request !1840 as ready

-- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1840