From gnutls-devel at lists.gnutls.org Tue Oct 1 10:09:42 2024 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 01 Oct 2024 08:09:42 +0000 Subject: [gnutls-devel] GnuTLS | Ignore unknown compression algs when using CLI (!1881) In-Reply-To: References: Message-ID: Merge request !1881 was merged Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1881 Project:Branches: ZoltanFridrich/gnutls:zfridric_devel2 to gnutls/gnutls:master Author: Zoltán Fridrich Assignee: Zoltán Fridrich Reviewer: Daiki Ueno -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1881 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Oct 1 10:09:44 2024 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 01 Oct 2024 08:09:44 +0000 Subject: [gnutls-devel] GnuTLS | gnutls-cli skips the whole compressed certificate negotiation when unknown algo is provided among known (#1587) In-Reply-To: References: Message-ID: Issue was closed by Daiki Ueno with merge request !1881 (https://gitlab.com/gnutls/gnutls/-/merge_requests/1881) Issue #1587: https://gitlab.com/gnutls/gnutls/-/issues/1587 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1587 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Oct 1 10:09:25 2024 
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 01 Oct 2024 08:09:25 +0000 Subject: [gnutls-devel] GnuTLS | tests/key-material-set-dtls: retry send/recv on E_AGAIN/E_INTERRUPTED (!1880) In-Reply-To: References: Message-ID: Merge request !1880 was merged Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1880 Project:Branches: asosedkin/gnutls:tests-key-material-set-dtls-eagain to gnutls/gnutls:master Author: Alexander Sosedkin -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1880 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Oct 2 20:04:04 2024 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 02 Oct 2024 18:04:04 +0000 Subject: [gnutls-devel] GnuTLS | Fixed the check at src/benchmark-tls.c (!1875) In-Reply-To: References: Message-ID: David Meliksetyan commented: https://gitlab.com/gnutls/gnutls/-/merge_requests/1875#note_2140221739 Good evening! I'm sorry it took me so long to respond. I did some research and found out, that right now it's pretty much impossible to verify my account from my country. I assume it will be easier and faster, if you create a separate MR. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1875#note_2140221739 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat Oct 5 23:00:03 2024 
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Sat, 05 Oct 2024 21:00:03 +0000 Subject: [gnutls-devel] GnuTLS | Solaris build requires -D_XOPEN_SOURCE=600 -std=gnu99 (#782) In-Reply-To: References: Message-ID: Alan Coopersmith commented: https://gitlab.com/gnutls/gnutls/-/issues/782#note_2144348466 EOL of Solaris is not planned until 2037, despite past press reports. Use of alloca on Solaris requires including the `` header to get the critical `#define alloca(x) __builtin_alloca(x)` bit to make the compiler generate the stack-allocation code. Nettle itself handles this via autoconf m4 trickery to insert the include of `` into `config.h`: https://gitlab.com/gnutls/nettle/-/blob/nettle_3.10_release_20240616/aclocal.m4#L184-216 In gnutls-3.8.4, the configure scripts on Solaris end up with an `alloca.h` header in `gl/alloca.h` that is generated by gnulib scripts. Adding an '#include ' to `lib/nettle/int/nettle-internal.h` solves this problem for me. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/782#note_2144348466 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat Oct 5 23:05:22 2024 
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Sat, 05 Oct 2024 21:05:22 +0000 Subject: [gnutls-devel] GnuTLS | lib/nettle/int/nettle-internal.h: include alloca.h if configure found it (!1882) References: Message-ID: Alan Coopersmith created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1882 Project:Branches: alanc4/gnutls:alloca to gnutls/gnutls:master Author: Alan Coopersmith * lib/nettle/int/nettle-internal.h: include alloca.h if configure found it Needed for alloca definition on Solaris, to avoid build error with gcc 14: lib/nettle/int/nettle-internal.h:59:39: error: implicit declaration of function 'alloca' [-Wimplicit-function-declaration] 59 | #define TMP_ALLOC(name, size) (name = alloca(sizeof(*name) * (size))) | ^~~~~~ Closes #782 Signed-off-by: Alan Coopersmith ## Checklist * [ ] Commits have `Signed-off-by:` with name/author being identical to the commit author * [ ] Code modified for feature * [ ] Test suite updated with functionality tests * [ ] Test suite updated with negative tests * [ ] Documentation updated / NEWS entry present (for non-trivial changes) * [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout) ## Reviewer's checklist: * [ ] Any issues marked for closing are addressed * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md` * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1882 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Oct 7 21:49:30 2024 
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Mon, 07 Oct 2024 19:49:30 +0000 Subject: [gnutls-devel] GnuTLS | gnutls_record_send_file() (non-NULL offset) moves file descriptor offset while sending without KTLS (#1580) In-Reply-To: References: Message-ID: Brian Denton commented: https://gitlab.com/gnutls/gnutls/-/issues/1580#note_2147032848 I made a simple diff that "fixes" it. I haven't looked into the details of the gnutls build system so it's probably not what is wanted, but it's a start. [my-gnutls-diff.diff](/uploads/dfabb9efbee7d61cac1b52183eafe86e/my-gnutls-diff.diff) -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1580#note_2147032848 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Oct 8 03:53:50 2024 
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 08 Oct 2024 01:53:50 +0000 Subject: [gnutls-devel] GnuTLS | Update liboqs version requirement to 0.11.0 to support final version of ML-KEM (!1883) References: Message-ID: Daiki Ueno created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1883 Project:Branches: dueno/gnutls:wip/dueno/liboqs-update to gnutls/gnutls:master Author: Daiki Ueno * groups: register SecP256r1MLKEM768 and X25519MLKEM768 * pk: plumb ML-KEM 768 in addition to Kyber 768 * liboqs: provide SHA2 stubs * liboqs: check library version at run-time * liboqs: require version 0.11.0 ## Checklist * [x] Commits have `Signed-off-by:` with name/author being identical to the commit author * [x] Code modified for feature * [ ] Test suite updated with functionality tests * [ ] Test suite updated with negative tests * [ ] Documentation updated / NEWS entry present (for non-trivial changes) * [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout) ## Reviewer's checklist: * [ ] Any issues marked for closing are addressed * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md` * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1883 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Oct 8 04:01:22 2024 
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 08 Oct 2024 02:01:22 +0000 Subject: [gnutls-devel] GnuTLS | lib/nettle/int/nettle-internal.h: include alloca.h if configure found it (!1882) In-Reply-To: References: Message-ID: Daiki Ueno started a new discussion on lib/nettle/int/nettle-internal.h: https://gitlab.com/gnutls/gnutls/-/merge_requests/1882#note_2147288173 > #define GNUTLS_NETTLE_INT_NETTLE_INTERNAL_H_INCLUDED > > #include > +#ifdef HAVE_ALLOCA_H I suppose we can include `` unconditionally, as a replacement header (from Gnulib) is always present if system doesn't have it. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1882#note_2147288173 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Oct 8 04:04:15 2024 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 08 Oct 2024 02:04:15 +0000 Subject: [gnutls-devel] GnuTLS | lib/nettle/int/nettle-internal.h: include alloca.h if configure found it (!1882) In-Reply-To: References: Message-ID: Daiki Ueno commented: https://gitlab.com/gnutls/gnutls/-/merge_requests/1882#note_2147289602 @alanc4 the CI is blocked by a user verification error. Would it be possible for you to resolve it by following this [instruction](https://docs.gitlab.com/ee/security/identity_verification.html)? Otherwise I can create a new merge request cherry-picking the commit for you. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1882#note_2147289602 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Oct 8 08:33:37 2024 
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 08 Oct 2024 06:33:37 +0000 Subject: [gnutls-devel] GnuTLS | Update liboqs version requirement to 0.11.0 to support final version of ML-KEM (!1883) In-Reply-To: References: Message-ID: Reassigned merge request 1883 https://gitlab.com/gnutls/gnutls/-/merge_requests/1883 Daiki Ueno was added as an assignee. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1883 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Oct 8 08:33:24 2024 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 08 Oct 2024 06:33:24 +0000 Subject: [gnutls-devel] GnuTLS | Update liboqs version requirement to 0.11.0 to support final version of ML-KEM (!1883) In-Reply-To: References: Message-ID: Daiki Ueno commented: https://gitlab.com/gnutls/gnutls/-/merge_requests/1883#note_2147458994 @d-Dudas FYI, this includes SHA2 stubs. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1883#note_2147458994 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Oct 8 08:33:54 2024 
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 08 Oct 2024 06:33:54 +0000 Subject: [gnutls-devel] GnuTLS | Update liboqs version requirement to 0.11.0 to support final version of ML-KEM (!1883) In-Reply-To: References: Message-ID: Alexander Sosedkin and Zoltán Fridrich were added as reviewers. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1883 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Oct 8 18:49:33 2024 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 08 Oct 2024 16:49:33 +0000 Subject: [gnutls-devel] GnuTLS | lib/nettle/int/nettle-internal.h: include alloca.h if configure found it (!1882) In-Reply-To: References: Message-ID: Alan Coopersmith commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/1882#note_2148677529 I did the phone number verification, but don't see any way to restart the CI pipelines. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1882#note_2148677529 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Oct 8 21:24:26 2024 
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 08 Oct 2024 19:24:26 +0000 Subject: [gnutls-devel] GnuTLS | Update liboqs version requirement to 0.11.0 to support final version of ML-KEM (!1883) In-Reply-To: References: Message-ID: Geert Hendrickx commented: https://gitlab.com/gnutls/gnutls/-/merge_requests/1883#note_2148883796 I tested interop of this branch with openssl+oqs-provider, Firefox, and Chrome. GROUP-X25519-KYBER768 works with all of them. GROUP-X25519-MLKEM768 fails with: - Firefox 132 beta: `Error code: SSL_ERROR_BAD_MAC_READ` - Chrome 130 beta: `ERR_SSL_PROTOCOL_ERROR` - openssl client to gnutls-serv: `error:0A000119:SSL routines::decryption failed or bad record mac` - gnutls-cli to openssl server: ``` |<1>| Discarded message[0] due to invalid decryption *** Fatal error: Decryption has failed. ``` and GROUP-SECP256R1-MLKEM768 fails with: - openssl client to gnutls-serv: `error:0A000417:SSL routines::ssl/tls alert illegal parameter` - gnutls-cli to openssl server: ``` *** Fatal error: A TLS fatal alert has been received. *** Received alert [47]: Illegal parameter ``` (X25519-MLKEM768 is different from X25519-KYBER768 in that the order of the key shares has been reversed.) -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1883#note_2148883796 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Oct 8 21:28:34 2024 
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 08 Oct 2024 19:28:34 +0000 Subject: [gnutls-devel] GnuTLS | Update liboqs version requirement to 0.11.0 to support final version of ML-KEM (!1883) In-Reply-To: References: Message-ID: Geert Hendrickx commented: https://gitlab.com/gnutls/gnutls/-/merge_requests/1883#note_2148887756 You can reproduce this with google.com, which supports both X25519-KYBER768 and X25519-MLKEM768: ``` $ gnutls-cli --priority 'PFS:+GROUP-X25519-MLKEM768' google.com Processed 176 CA certificate(s). Resolving 'google.com:443'... Connecting to '2a00:1450:400c:c07::71:443'... *** Fatal error: A TLS fatal alert has been received. *** Received alert [50]: Decode error ``` -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1883#note_2148887756 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Oct 8 22:18:49 2024 
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 08 Oct 2024 20:18:49 +0000 Subject: [gnutls-devel] GnuTLS | Update liboqs version requirement to 0.11.0 to support final version of ML-KEM (!1883) In-Reply-To: References: Message-ID: Merge request https://gitlab.com/gnutls/gnutls/-/merge_requests/1883 was reviewed by Geert Hendrickx -- Geert Hendrickx started a new discussion on lib/algorithms/groups.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1883#note_2148944070 > + { .name = "SECP256R1-MLKEM768", > + .id = GNUTLS_GROUP_EXP_SECP256R1_MLKEM768, > + .curve = GNUTLS_ECC_CURVE_SECP521R1, ```suggestion:-0+0 .curve = GNUTLS_ECC_CURVE_SECP256R1, ``` -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1883 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Oct 9 11:43:19 2024 
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 09 Oct 2024 09:43:19 +0000 Subject: [gnutls-devel] GnuTLS | Update liboqs version requirement to 0.11.0 to support final version of ML-KEM (!1883) In-Reply-To: References: Message-ID: Merge request https://gitlab.com/gnutls/gnutls/-/merge_requests/1883 was reviewed by Geert Hendrickx -- Geert Hendrickx started a new discussion on lib/algorithms/groups.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1883#note_2149838759 > + { .name = "SECP256R1-MLKEM768", > + .id = GNUTLS_GROUP_EXP_SECP256R1_MLKEM768, > + .curve = GNUTLS_ECC_CURVE_SECP521R1, ```suggestion:-0+0 .curve = GNUTLS_ECC_CURVE_SECP256R1, ``` -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1883 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Oct 9 12:27:44 2024 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 09 Oct 2024 10:27:44 +0000 Subject: [gnutls-devel] GnuTLS | Update liboqs version requirement to 0.11.0 to support final version of ML-KEM (!1883) In-Reply-To: References: Message-ID: Daiki Ueno commented: https://gitlab.com/gnutls/gnutls/-/merge_requests/1883#note_2149935069 Thanks @ghen2 for checking and pointing out the discrepancies in the implementation. I tried to rework the hybrid case to be more flexible, though still seeing errors against OpenSSL. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1883#note_2149935069 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Oct 9 12:51:12 2024 
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 09 Oct 2024 10:51:12 +0000 Subject: [gnutls-devel] GnuTLS | Update liboqs version requirement to 0.11.0 to support final version of ML-KEM (!1883) In-Reply-To: References: Message-ID: All discussions on merge request !1883 were resolved by Daiki Ueno https://gitlab.com/gnutls/gnutls/-/merge_requests/1883 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1883 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Oct 9 12:54:30 2024 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 09 Oct 2024 10:54:30 +0000 Subject: [gnutls-devel] GnuTLS | Update liboqs version requirement to 0.11.0 to support final version of ML-KEM (!1883) In-Reply-To: References: Message-ID: Geert Hendrickx commented: https://gitlab.com/gnutls/gnutls/-/merge_requests/1883#note_2150000539 X25519MLKEM768 should be MLKEM first, whereas SecP256r1MLKEM768 should be P256 first. See [section 3. of draft-kwiatkowski-tls-ecdhe-mlkem](https://datatracker.ietf.org/doc/html/draft-kwiatkowski-tls-ecdhe-mlkem-02#name-negotiated-groups) for rationale. The pre-standard Kyber hybrid is unchanged (x25519 first). -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1883#note_2150000539 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Oct 9 18:32:46 2024 
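The key-share ordering described in the comment above (X25519MLKEM768 carries the ML-KEM part first, SecP256r1MLKEM768 the P-256 part first, the pre-standard Kyber hybrid X25519 first), as an added C example that is not GnuTLS code and not part of the thread. The function names are hypothetical; 0x11EC and 0x6399 are the IANA code points of the two X25519 groups (only 0x11EB appears in the thread), and the component sizes are the standard ones for X25519, uncompressed P-256 points and ML-KEM-768.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* 0x11EB is the tls_id quoted in the thread; the other two are the IANA
 * code points of the groups the thread names (assumption: not on the page). */
#define GRP_SECP256R1_MLKEM768 0x11EB
#define GRP_X25519_MLKEM768    0x11EC
#define GRP_X25519_KYBER768    0x6399 /* X25519Kyber768Draft00 */

#define X25519_LEN     32
#define P256_POINT_LEN 65   /* uncompressed point: 0x04 || X || Y */
#define KEM_EK_LEN     1184 /* encapsulation key, sent by the client */
#define KEM_CT_LEN     1088 /* ciphertext, sent by the server */
#define MAX_SHARE      (P256_POINT_LEN + KEM_EK_LEN)

enum sender { FROM_CLIENT, FROM_SERVER };

struct hybrid_share {
	const uint8_t *ecdh, *kem;
	size_t ecdh_len, kem_len;
};

/* Component order per group, as stated in the thread. */
static int layout(unsigned group, size_t *ecdh_len, int *kem_first)
{
	switch (group) {
	case GRP_X25519_MLKEM768:
		*ecdh_len = X25519_LEN; *kem_first = 1; return 0;
	case GRP_SECP256R1_MLKEM768:
		*ecdh_len = P256_POINT_LEN; *kem_first = 0; return 0;
	case GRP_X25519_KYBER768:
		*ecdh_len = X25519_LEN; *kem_first = 0; return 0;
	default:
		return -1;
	}
}

/* Split a key_share payload into its ECDH and KEM parts.
 * Returns 0 on success, -1 unknown group, -2 wrong total length,
 * -3 P-256 part does not start with the uncompressed-point tag 0x04. */
int split_hybrid_share(unsigned group, enum sender from, const uint8_t *buf,
		       size_t len, struct hybrid_share *out)
{
	size_t ecdh_len, kem_len = (from == FROM_CLIENT) ? KEM_EK_LEN : KEM_CT_LEN;
	int kem_first;

	if (layout(group, &ecdh_len, &kem_first) < 0)
		return -1;
	if (buf == NULL || out == NULL || len != ecdh_len + kem_len)
		return -2;
	out->kem = kem_first ? buf : buf + ecdh_len;
	out->ecdh = kem_first ? buf + kem_len : buf;
	out->ecdh_len = ecdh_len;
	out->kem_len = kem_len;
	if (ecdh_len == P256_POINT_LEN && out->ecdh[0] != 0x04)
		return -3;
	return 0;
}

/* Build a constructed share in the layout of `sent_as` (optionally with the
 * two parts swapped), then parse it as `parsed_as`.
 * Returns 0 if the parser's ECDH slice lands on the sender's ECDH bytes,
 * 1 if parsing succeeds on the wrong bytes (silent misparse), or the
 * negative error from split_hybrid_share(). */
int parse_constructed(unsigned sent_as, int swap_order, unsigned parsed_as,
		      enum sender from)
{
	static uint8_t buf[MAX_SHARE];
	size_t ecdh_len, kem_len = (from == FROM_CLIENT) ? KEM_EK_LEN : KEM_CT_LEN;
	struct hybrid_share s;
	uint8_t *ecdh;
	int kem_first, rc;

	if (layout(sent_as, &ecdh_len, &kem_first) < 0)
		return -1;
	if (swap_order)
		kem_first = !kem_first;
	ecdh = kem_first ? buf + kem_len : buf;
	memset(buf, 0x4B, ecdh_len + kem_len); /* constructed KEM bytes */
	memset(ecdh, 0xEC, ecdh_len);          /* constructed ECDH bytes */
	if (ecdh_len == P256_POINT_LEN)
		ecdh[0] = 0x04;
	rc = split_hybrid_share(parsed_as, from, buf, ecdh_len + kem_len, &s);
	if (rc < 0)
		return rc;
	return s.ecdh == ecdh ? 0 : 1;
}

int main(void)
{
	printf("Kyber-order share parsed as X25519MLKEM768: %d\n",
	       parse_constructed(GRP_X25519_KYBER768, 0, GRP_X25519_MLKEM768, FROM_CLIENT));
	printf("swapped SecP256r1MLKEM768 share: %d\n",
	       parse_constructed(GRP_SECP256R1_MLKEM768, 1, GRP_SECP256R1_MLKEM768, FROM_CLIENT));
	return 0;
}
```

Both X25519 hybrids total 1216 bytes from the client, so a length check cannot tell the two orders apart; only the per-group layout does.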
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 09 Oct 2024 16:32:46 +0000 Subject: [gnutls-devel] GnuTLS | Update liboqs version requirement to 0.11.0 to support final version of ML-KEM (!1883) In-Reply-To: References: Message-ID: Merge request https://gitlab.com/gnutls/gnutls/-/merge_requests/1883 was reviewed by Alexander Sosedkin -- Alexander Sosedkin started a new discussion on lib/algorithms/groups.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1883#note_2150857662 > + pp->curve)) && > + (pp->pk == 0 || _gnutls_pk_exists(pp->pk))) > + groups[i++] = pp->id; is it desirable that it considers the linked group as supported if the linking group is supported? worrying about the case of enabling hybrids without enabling pure PQ ones. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1883 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Oct 9 19:58:06 2024 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 09 Oct 2024 17:58:06 +0000 Subject: [gnutls-devel] GnuTLS | lib/nettle/int/nettle-internal.h: include alloca.h if configure found it (!1882) In-Reply-To: References: Message-ID: Alan Coopersmith commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/1882#note_2150975127 Please go ahead and submit your own merge request if the CI on this one is not sufficient. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1882#note_2150975127 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Oct 9 20:18:45 2024 
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 09 Oct 2024 18:18:45 +0000 Subject: [gnutls-devel] GnuTLS | Update liboqs version requirement to 0.11.0 to support final version of ML-KEM (!1883) In-Reply-To: References: Message-ID: Geert Hendrickx commented: https://gitlab.com/gnutls/gnutls/-/merge_requests/1883#note_2151001954 @dueno This fixes SECP256R1MLKEM768: ``` --- lib/algorithms/groups.c +++ lib/algorithms/groups.c @@ -37,6 +37,13 @@ .pk = GNUTLS_PK_EXP_KYBER768, }; +static const gnutls_group_entry_st group_mlkem768 = { + .name = "MLKEM768", + .id = GNUTLS_GROUP_INVALID, + .curve = GNUTLS_ECC_CURVE_INVALID, + .pk = GNUTLS_PK_MLKEM768, +}; + static const gnutls_group_entry_st group_x25519 = { .name = "X25519", .id = GNUTLS_GROUP_X25519, @@ -187,9 +194,9 @@ { .name = "SECP256R1-MLKEM768", .id = GNUTLS_GROUP_EXP_SECP256R1_MLKEM768, .curve = GNUTLS_ECC_CURVE_SECP256R1, - .pk = GNUTLS_PK_MLKEM768, + .pk = GNUTLS_PK_ECDSA, .tls_id = 0x11EB, - .next = &group_secp256r1 }, + .next = &group_mlkem768 }, { .name = "X25519-MLKEM768", .id = GNUTLS_GROUP_EXP_X25519_MLKEM768, .curve = GNUTLS_ECC_CURVE_X25519, ``` (tested against OpenSSL/oqs-provider) -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1883#note_2151001954 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Oct 9 21:19:42 2024 
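Review bot: In the first hunk of the patch above, the new `group_mlkem768` entry sets `.id = GNUTLS_GROUP_INVALID` and `.curve = GNUTLS_ECC_CURVE_INVALID` with no comment saying that it is only a component reached through `.next` and is never negotiated on its own. A one-line comment above the definition would record that, and any code that walks `.next` and reads `pp->id` or `pp->curve` should be checked against these sentinel values before this lands.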
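Review bot: In the second hunk of the patch above, the key-share order of SECP256R1-MLKEM768 is expressed only by which half sits in the entry (`.pk = GNUTLS_PK_ECDSA`) and which sits behind `.next = &group_mlkem768`, and nothing in the table states that this is the order on the wire. A comment on the entry saying the P-256 share goes first and the ML-KEM share second, as explained earlier in this thread, plus an interop test for tls_id 0x11EB, would keep a later edit from swapping them back. The X25519-MLKEM768 entry shown as trailing context is untouched here and wants the same comment for its opposite order.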
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 09 Oct 2024 19:19:42 +0000 Subject: [gnutls-devel] GnuTLS | Update liboqs version requirement to 0.11.0 to support final version of ML-KEM (!1883) In-Reply-To: References: Message-ID: Merge request https://gitlab.com/gnutls/gnutls/-/merge_requests/1883 was reviewed by Geert Hendrickx -- Geert Hendrickx started a new discussion on lib/algorithms/groups.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1883#note_2151076716 > + .pk = GNUTLS_PK_MLKEM768, > + .tls_id = 0x11EB, > + .next = &group_secp256r1 }, ```suggestion:-5+0 { .name = "SECP256R1-MLKEM768", .id = GNUTLS_GROUP_EXP_SECP256R1_MLKEM768, .curve = GNUTLS_ECC_CURVE_SECP256R1, .pk = GNUTLS_PK_ECDSA, .tls_id = 0x11EB, .next = &group_mlkem768 }, ``` SECP256R1-MLKEM768 should be the other way around (original order), see my other comment. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1883 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Oct 10 00:21:31 2024 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 09 Oct 2024 22:21:31 +0000 Subject: [gnutls-devel] GnuTLS | lib/nettle/int/nettle-internal.h: include alloca.h if configure found it (!1882) In-Reply-To: References: Message-ID: Merge request !1882 was approved by Daiki Ueno Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1882 Project:Branches: alanc4/gnutls:alloca to gnutls/gnutls:master Author: Alan Coopersmith Assignees: Reviewers: -- You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Oct 10 00:21:45 2024 
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 09 Oct 2024 22:21:45 +0000 Subject: [gnutls-devel] GnuTLS | lib/nettle/int/nettle-internal.h: include alloca.h if configure found it (!1882) In-Reply-To: References: Message-ID: All discussions on merge request !1882 were resolved by Daiki Ueno https://gitlab.com/gnutls/gnutls/-/merge_requests/1882 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1882 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Oct 10 00:21:57 2024 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 09 Oct 2024 22:21:57 +0000 Subject: [gnutls-devel] GnuTLS | lib/nettle/int/nettle-internal.h: include alloca.h if configure found it (!1882) In-Reply-To: References: Message-ID: Merge request !1882 was merged Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1882 Project:Branches: alanc4/gnutls:alloca to gnutls/gnutls:master Author: Alan Coopersmith -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1882 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Oct 10 00:22:04 2024 
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 09 Oct 2024 22:22:04 +0000 Subject: [gnutls-devel] GnuTLS | lib/nettle/int/nettle-internal.h: include alloca.h if configure found it (!1882) In-Reply-To: References: Message-ID: Daiki Ueno commented: https://gitlab.com/gnutls/gnutls/-/merge_requests/1882#note_2151239305 Thank you! -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1882#note_2151239305 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Oct 10 00:21:58 2024 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 09 Oct 2024 22:21:58 +0000 Subject: [gnutls-devel] GnuTLS | Solaris build requires -D_XOPEN_SOURCE=600 -std=gnu99 (#782) In-Reply-To: References: Message-ID: Issue was closed by Daiki Ueno with merge request !1882 (https://gitlab.com/gnutls/gnutls/-/merge_requests/1882) Issue #782: https://gitlab.com/gnutls/gnutls/-/issues/782 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/782 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Oct 10 00:31:26 2024 
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 09 Oct 2024 22:31:26 +0000 Subject: [gnutls-devel] GnuTLS | Update liboqs version requirement to 0.11.0 to support final version of ML-KEM (!1883) In-Reply-To: References: Message-ID: Daiki Ueno commented on a discussion on lib/algorithms/groups.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1883#note_2151245897 > .tls_id = 0x104 }, > #endif > #ifdef HAVE_LIBOQS > + { .name = "SECP256R1-MLKEM768", > + .id = GNUTLS_GROUP_EXP_SECP256R1_MLKEM768, > + .curve = GNUTLS_ECC_CURVE_SECP256R1, > + .pk = GNUTLS_PK_MLKEM768, > + .tls_id = 0x11EB, > + .next = &group_secp256r1 }, Thank you; applied. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1883#note_2151245897 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Oct 10 00:31:02 2024 
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 09 Oct 2024 22:31:02 +0000 Subject: [gnutls-devel] GnuTLS | Update liboqs version requirement to 0.11.0 to support final version of ML-KEM (!1883) In-Reply-To: References: Message-ID: Daiki Ueno commented on a discussion on lib/algorithms/groups.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1883#note_2151245693 > - if ((p->curve == 0 || > - _gnutls_ecc_curve_is_supported(p->curve)) && > - (p->pk == 0 || _gnutls_pk_exists(p->pk)) && > - (p->pk2 == 0 || _gnutls_pk_exists(p->pk2))) > - groups[i++] = p->id;); > + const gnutls_group_entry_st *p; > + > + for (p = supported_groups; p->name != NULL; p++) { > + const gnutls_group_entry_st *pp; > + > + for (pp = p; pp != NULL; pp = pp->next) { > + if ((pp->curve == 0 || > + _gnutls_ecc_curve_is_supported( > + pp->curve)) && > + (pp->pk == 0 || _gnutls_pk_exists(pp->pk))) > + groups[i++] = pp->id; Good catch, changed the logic to require all linked groups to match. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1883#note_2151245693 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Oct 10 00:31:27 2024 
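Review bot: In the inner `for (pp = p; pp != NULL; pp = pp->next)` loop quoted above, `groups[i++] = pp->id` runs once per entry in the `.next` chain, so one table row can append several ids, including the id of a linked component, and no bound on `i` is visible in these lines. Append only `p->id`, and only after every linked entry has passed the curve and pk checks, and confirm that `groups` is sized for the number of ids the loop can now write.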
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Wed, 09 Oct 2024 22:31:27 +0000
Subject: [gnutls-devel] GnuTLS | Update liboqs version requirement to 0.11.0 to support final version of ML-KEM (!1883)

All discussions on merge request !1883 were resolved by Daiki Ueno https://gitlab.com/gnutls/gnutls/-/merge_requests/1883

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1883

From gnutls-devel at lists.gnutls.org Thu Oct 10 02:09:17 2024
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Thu, 10 Oct 2024 00:09:17 +0000
Subject: [gnutls-devel] GnuTLS | Update liboqs version requirement to 0.11.0 to support final version of ML-KEM (!1883)

Hubert Kario (@mention me if you need reply) was added as a reviewer.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1883

From gnutls-devel at lists.gnutls.org Thu Oct 10 11:01:41 2024
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Thu, 10 Oct 2024 09:01:41 +0000
Subject: [gnutls-devel] GnuTLS | Update liboqs version requirement to 0.11.0 to support final version of ML-KEM (!1883)

Zoltán Fridrich commented: https://gitlab.com/gnutls/gnutls/-/merge_requests/1883#note_2152095255

I personally haven't found any problems. Looks good imo.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1883#note_2152095255

From gnutls-devel at lists.gnutls.org Thu Oct 10 11:01:52 2024
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Thu, 10 Oct 2024 09:01:52 +0000
Subject: [gnutls-devel] GnuTLS | Update liboqs version requirement to 0.11.0 to support final version of ML-KEM (!1883)

Merge request !1883 was approved by Zoltán Fridrich

Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1883
Project:Branches: dueno/gnutls:wip/dueno/liboqs-update to gnutls/gnutls:master
Author: Daiki Ueno
Assignee: Daiki Ueno
Reviewers: Hubert Kario (@mention me if you need reply), Alexander Sosedkin, and Zoltán Fridrich

From gnutls-devel at lists.gnutls.org Thu Oct 10 13:29:53 2024
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Thu, 10 Oct 2024 11:29:53 +0000
Subject: [gnutls-devel] GnuTLS | compress_certificate: improve error checks (!1884)

Reassigned merge request 1884 https://gitlab.com/gnutls/gnutls/-/merge_requests/1884

Zoltán Fridrich was added as an assignee.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1884

From gnutls-devel at lists.gnutls.org Thu Oct 10 13:29:57 2024
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Thu, 10 Oct 2024 11:29:57 +0000
Subject: [gnutls-devel] GnuTLS | compress_certificate: improve error checks (!1884)

Zoltán Fridrich created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1884

Project:Branches: ZoltanFridrich/gnutls:zfridric_devel2 to gnutls/gnutls:master
Author: Zoltán Fridrich
Assignee: Zoltán Fridrich
Reviewers: Daiki Ueno, Alexander Sosedkin, and George Pantelakis

Closes: #1584 #1585 #1586
Signed-off-by: Zoltan Fridrich

## Checklist
* [ ] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [ ] Code modified for feature
* [ ] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
* [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:
* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1884

From gnutls-devel at lists.gnutls.org Thu Oct 10 13:29:53 2024
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Thu, 10 Oct 2024 11:29:53 +0000
Subject: [gnutls-devel] GnuTLS | compress_certificate: improve error checks (!1884)

Daiki Ueno, Alexander Sosedkin, and George Pantelakis were added as reviewers.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1884

From gnutls-devel at lists.gnutls.org Thu Oct 10 13:51:25 2024
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Thu, 10 Oct 2024 11:51:25 +0000
Subject: [gnutls-devel] GnuTLS | compress_certificate: improve error checks (!1884)

George Pantelakis commented: https://gitlab.com/gnutls/gnutls/-/merge_requests/1884#note_2152422022

LGTM

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1884#note_2152422022

From gnutls-devel at lists.gnutls.org Thu Oct 10 13:59:04 2024
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Thu, 10 Oct 2024 11:59:04 +0000
Subject: [gnutls-devel] GnuTLS | compress_certificate: improve error checks (!1884)

George Pantelakis was removed from reviewers.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1884

From gnutls-devel at lists.gnutls.org Thu Oct 10 15:17:17 2024
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Thu, 10 Oct 2024 13:17:17 +0000
Subject: [gnutls-devel] GnuTLS | compress_certificate: improve error checks (!1884)

Merge request !1884 was approved by Daiki Ueno

Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1884
Project:Branches: ZoltanFridrich/gnutls:zfridric_devel2 to gnutls/gnutls:master
Author: Zoltán Fridrich
Assignee: Zoltán Fridrich
Reviewers: Daiki Ueno and Alexander Sosedkin

From gnutls-devel at lists.gnutls.org Thu Oct 10 19:46:48 2024
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Thu, 10 Oct 2024 17:46:48 +0000
Subject: [gnutls-devel] GnuTLS | Update liboqs version requirement to 0.11.0 to support final version of ML-KEM (!1883)

Hubert Kario (@mention me if you need reply) started a new discussion on lib/ext/key_share.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1883#note_2153213726

> return gnutls_assert_val( > GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER); > > - if (curve->size * 2 + 1 != data_size) > + if (curve->size * 2 + 1 > buffer->length) > return gnutls_assert_val( > GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER); > + _gnutls_buffer_pop_datum(buffer, &data, curve->size * 2 + 1); > > /* read the server's public key */ > - ret = _gnutls_ecc_ansi_x962_import(data, data_size, > + ret = _gnutls_ecc_ansi_x962_import(data.data, data.size,

this doesn't do public key validation?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1883#note_2153213726

From gnutls-devel at lists.gnutls.org Thu Oct 10 19:47:38 2024
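Review bot: relaxing the length test from `!=` to `curve->size * 2 + 1 > buffer->length` means bytes left over after the EC point are no longer rejected at this line. That is needed when another component follows in the same key share, but it moves the exact-length guarantee elsewhere: after the last `_gnutls_buffer_pop_datum` something has to reject a non-empty `buffer`, and the hunk does not show such a check. It would also help to compute the point length once in a local and use it for both the comparison and the pop, so the two cannot drift apart.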
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Thu, 10 Oct 2024 17:47:38 +0000
Subject: [gnutls-devel] GnuTLS | Update liboqs version requirement to 0.11.0 to support final version of ML-KEM (!1883)

Hubert Kario (@mention me if you need reply) started a new discussion on lib/ext/key_share.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1883#note_2153214532

> + > + case GNUTLS_PK_MLKEM768: > + case GNUTLS_PK_EXP_KYBER768: { > + gnutls_datum_t key; > + > + if (KYBER768_CIPHERTEXT_SIZE > buffer->length) > + return gnutls_assert_val( > + GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER); > + _gnutls_buffer_pop_datum(buffer, &data, > + KYBER768_CIPHERTEXT_SIZE); > + > + ret = _gnutls_pk_decaps( > + group->pk, &key, &data, > + &session->key.kshare.kem_params.raw_priv); > + if (ret < 0) > + return gnutls_assert_val(ret);

the decapsulation can fail, I think we should then send an alert, shouldn't we?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1883#note_2153214532

From gnutls-devel at lists.gnutls.org Thu Oct 10 19:51:29 2024
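Review bot: `KYBER768_CIPHERTEXT_SIZE` is used for both `case GNUTLS_PK_MLKEM768` and `case GNUTLS_PK_EXP_KYBER768`, so the length check for ML-KEM relies on a constant named after a different algorithm. If the two ciphertext sizes are meant to be identical, say so in a comment or introduce a neutrally named constant, so that a later change to one algorithm does not silently alter the bound for the other. Separately, `key` is declared without an initializer and the hunk does not show where `key.data` is released after `_gnutls_pk_decaps` succeeds; please confirm its ownership.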
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Thu, 10 Oct 2024 17:51:29 +0000
Subject: [gnutls-devel] GnuTLS | Update liboqs version requirement to 0.11.0 to support final version of ML-KEM (!1883)

Hubert Kario (@mention me if you need reply) commented on a discussion on lib/ext/key_share.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1883#note_2153218521

> + > + case GNUTLS_PK_MLKEM768: > + case GNUTLS_PK_EXP_KYBER768: { > + gnutls_datum_t key; > + > + if (KYBER768_CIPHERTEXT_SIZE > buffer->length) > + return gnutls_assert_val( > + GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER); > + _gnutls_buffer_pop_datum(buffer, &data, > + KYBER768_CIPHERTEXT_SIZE); > + > + ret = _gnutls_pk_decaps( > + group->pk, &key, &data, > + &session->key.kshare.kem_params.raw_priv); > + if (ret < 0) > + return gnutls_assert_val(ret);

And I think the same issue exists with encapsulation: it should also return an illegal_parameter

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1883#note_2153218521

From gnutls-devel at lists.gnutls.org Thu Oct 10 19:52:43 2024
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Thu, 10 Oct 2024 17:52:43 +0000
Subject: [gnutls-devel] GnuTLS | Update liboqs version requirement to 0.11.0 to support final version of ML-KEM (!1883)

Hubert Kario (@mention me if you need reply) commented: https://gitlab.com/gnutls/gnutls/-/merge_requests/1883#note_2153219855

Side note: we already have a branch in tlslite-ng that supports both of the added groups, we could use that for interoperability testing. (I would have merged it already but I want to first create at least a rudimentary tlsfuzzer test script before doing that)

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1883#note_2153219855

From gnutls-devel at lists.gnutls.org Sun Oct 13 05:16:18 2024
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sun, 13 Oct 2024 03:16:18 +0000
Subject: [gnutls-devel] GnuTLS | Inconsistent Certificate Chain Length Limits in GnuTLS Leading to Validation Failures (#1590)

yao jia created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1590

## Description of the feature:

In GnuTLS version 3.8.7, the library limits the handling of certificate chains by restricting the total number of certificates rather than assessing the effective length of the chain. This approach can cause validation failures when a server includes additional certificates that, while not directly necessary for establishing a valid certificate path, may serve as cross-intermediate certificates providing alternative paths.

As shown in the attached certificate chain [17certs_chain.pem](/uploads/7b207c8c6dd89067b980a1f135695e24/17certs_chain.pem), I configured a chain with 17 certificates. The valid certificate path could only be constructed using the first, second, and seventeenth certificates, with the others being irrelevant. This indicates that the actual effective length of the certificate path is merely 3. Nonetheless, the validation failed under these conditions.

![17invalid](/uploads/a3fb744a6f5e49d00e024b715f4dbf22/17invalid.png)

Interestingly, when I removed one irrelevant certificate, reducing the total number of certificates in the chain to 16 while maintaining the actual certificate path length at 3, the validation succeeded.

![16valid](/uploads/9864737dc6bd0e6042556ed1f237c81a/16valid.png)

## Applications that this feature may be relevant to:

This feature is particularly relevant to secure data transmission applications, including web browsers, email clients, and any client-server applications that rely on TLS for secure communication.
The issue may surface in environments where servers are configured with extensive certificate chains or intermediate certificates are plentiful, potentially leading to failure to establish secure connections.

## Is this feature implemented in other libraries (and which)

Other cryptographic libraries such as OpenSSL and MbedTLS handle certificate chains differently, often allowing more flexibility in the chain length by focusing on the effective length of the chain rather than the total count of certificates. This approach can accommodate a broader range of server configurations and is less likely to reject a valid certificate chain solely based on the number of certificates presented.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1590

From gnutls-devel at lists.gnutls.org Sun Oct 13 05:17:26 2024
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sun, 13 Oct 2024 03:17:26 +0000
Subject: [gnutls-devel] GnuTLS | Inconsistent Certificate Chain Length Limits in GnuTLS Leading to Validation Failures (#1590)

Issue was closed by yao jia

Issue #1590: https://gitlab.com/gnutls/gnutls/-/issues/1590

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1590

From gnutls-devel at lists.gnutls.org Sun Oct 13 05:19:30 2024
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sun, 13 Oct 2024 03:19:30 +0000
Subject: [gnutls-devel] GnuTLS | Inconsistent Certificate Chain Length Limits in GnuTLS Leading to Validation Failures (#1590)

Issue was reopened by yao jia

Issue 1590: https://gitlab.com/gnutls/gnutls/-/issues/1590

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1590

From gnutls-devel at lists.gnutls.org Mon Oct 14 14:19:52 2024
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Mon, 14 Oct 2024 12:19:52 +0000
Subject: [gnutls-devel] GnuTLS | Update liboqs version requirement to 0.11.0 to support final version of ML-KEM (!1883)

Geert Hendrickx commented: https://gitlab.com/gnutls/gnutls/-/merge_requests/1883#note_2157386739

This version properly interoperates with Firefox and OpenSSL with all 3 hybrid KEM's.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1883#note_2157386739

From gnutls-devel at lists.gnutls.org Mon Oct 14 17:14:16 2024
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Mon, 14 Oct 2024 15:14:16 +0000
Subject: [gnutls-devel] GnuTLS | Update liboqs version requirement to 0.11.0 to support final version of ML-KEM (!1883)

Merge request https://gitlab.com/gnutls/gnutls/-/merge_requests/1883 was reviewed by Geert Hendrickx

--
Geert Hendrickx started a new discussion on lib/ext/supported_groups.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1883#note_2157749867

> - } else if (IS_EC(group->pk)) { > + } else if (IS_EC(group->pk) || > + IS_KEM(group->pk)) {

This only works for hybrids where the PQC KEM comes last, e.g. for X25519-KYBER768 or SECP256R1-MLKEM768, but not for X25519-MLKEM768, where it comes first.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1883

From gnutls-devel at lists.gnutls.org Tue Oct 15 05:50:06 2024
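Review bot: the widened condition `IS_EC(group->pk) || IS_KEM(group->pk)` still decides from the single `pk` field of the entry, so for a hybrid group the branch taken depends on which component the table happens to store there. A small helper that inspects every component of the group would make this branch independent of entry layout, and a short comment should state why KEM groups are meant to share the EC branch.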
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Tue, 15 Oct 2024 03:50:06 +0000
Subject: [gnutls-devel] GnuTLS | Update liboqs version requirement to 0.11.0 to support final version of ML-KEM (!1883)

Daiki Ueno commented on a discussion on lib/ext/key_share.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1883#note_2158509634

> return gnutls_assert_val( > GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER); > > - if (curve->size * 2 + 1 != data_size) > + if (curve->size * 2 + 1 > buffer->length) > return gnutls_assert_val( > GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER); > + _gnutls_buffer_pop_datum(buffer, &data, curve->size * 2 + 1); > > /* read the server's public key */ > - ret = _gnutls_ecc_ansi_x962_import(data, data_size, > + ret = _gnutls_ecc_ansi_x962_import(data.data, data.size,

Not sure what kind of public key validation you mean, but:

- `_gnutls_ecc_ansi_x962_import` checks if the point is in the uncompressed format
- `_gnutls_pk_derive` (the function calculates a shared secret) performs the SP800-56A full public key validation

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1883#note_2158509634

From gnutls-devel at lists.gnutls.org Tue Oct 15 05:55:04 2024
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Tue, 15 Oct 2024 03:55:04 +0000
Subject: [gnutls-devel] GnuTLS | Update liboqs version requirement to 0.11.0 to support final version of ML-KEM (!1883)

Daiki Ueno commented on a discussion on lib/ext/key_share.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1883#note_2158512299

> + > + case GNUTLS_PK_MLKEM768: > + case GNUTLS_PK_EXP_KYBER768: { > + gnutls_datum_t key; > + > + if (KYBER768_CIPHERTEXT_SIZE > buffer->length) > + return gnutls_assert_val( > + GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER); > + _gnutls_buffer_pop_datum(buffer, &data, > + KYBER768_CIPHERTEXT_SIZE); > + > + ret = _gnutls_pk_decaps( > + group->pk, &key, &data, > + &session->key.kshare.kem_params.raw_priv); > + if (ret < 0) > + return gnutls_assert_val(ret);

The return value is automatically translated into an alert, using `gnutls_error_to_alert`, though it is possible that the error code returned from `_gnutls_pk_{encaps,decaps}` may turn into a different alert than illegal_parameter. I'll fix it to manually return `GNUTLS_E_ILLEGAL_PARAMETER`.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1883#note_2158512299

From gnutls-devel at lists.gnutls.org Tue Oct 15 14:29:43 2024
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Tue, 15 Oct 2024 12:29:43 +0000
Subject: [gnutls-devel] GnuTLS | Prohibit "duplexing the sponge" (#1592)

Alexander Sosedkin created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1592

A caller might alternate calls to `gnutls_hash_squeeze` with calls to `gnutls_hash` and expect that to work.

    gnutls_hash_init(&h, GNUTLS_DIG_SHAKE_128);
    gnutls_hash(h, "aaa", 5); // definitely legal and repeatable
    gnutls_hash_squeeze(h, digest, 128); // definitely legal and repeatable
    gnutls_hash(h, "bbbb", 5); // <- sha3.c:76: _nettle_sha3_update: Assertion `pos < block_size' failed. (4294967167 < 168)
    gnutls_hash_squeeze(h, digest + 128, 128); // <- if alternating is well-defined, what would the result be?

But I could find neither test vectors nor well-defined explanations of what must happen for SHAKE in that case.

Calling `gnutls_hash` after `gnutls_hash_squeeze` has been called at least once should be prohibited with a flag or something, and it should survive copying the handle.

Additionally, the documentation for `gnutls_hash_squeeze` could benefit from a sentence telling the API user to refrain from absorb-after-squeezing.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1592

From gnutls-devel at lists.gnutls.org Tue Oct 15 14:36:44 2024
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Tue, 15 Oct 2024 12:36:44 +0000
Subject: [gnutls-devel] GnuTLS | Update liboqs version requirement to 0.11.0 to support final version of ML-KEM (!1883)

Alicja Kario (@mention me if you need reply) commented on a discussion on lib/ext/key_share.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1883#note_2159337983

> return gnutls_assert_val( > GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER); > > - if (curve->size * 2 + 1 != data_size) > + if (curve->size * 2 + 1 > buffer->length) > return gnutls_assert_val( > GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER); > + _gnutls_buffer_pop_datum(buffer, &data, curve->size * 2 + 1); > > /* read the server's public key */ > - ret = _gnutls_ecc_ansi_x962_import(data, data_size, > + ret = _gnutls_ecc_ansi_x962_import(data.data, data.size,

yes, that's the one I meant, but I'm asking because I'm not sure if those failures will result in `GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER` (and I suppose, an Alert being sent as a result of that)

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1883#note_2159337983

From gnutls-devel at lists.gnutls.org Tue Oct 15 14:37:09 2024
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Tue, 15 Oct 2024 12:37:09 +0000
Subject: [gnutls-devel] GnuTLS | Update liboqs version requirement to 0.11.0 to support final version of ML-KEM (!1883)

Alicja Kario (@mention me if you need reply) commented on a discussion on lib/ext/key_share.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1883#note_2159339348

> + > + case GNUTLS_PK_MLKEM768: > + case GNUTLS_PK_EXP_KYBER768: { > + gnutls_datum_t key; > + > + if (KYBER768_CIPHERTEXT_SIZE > buffer->length) > + return gnutls_assert_val( > + GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER); > + _gnutls_buffer_pop_datum(buffer, &data, > + KYBER768_CIPHERTEXT_SIZE); > + > + ret = _gnutls_pk_decaps( > + group->pk, &key, &data, > + &session->key.kshare.kem_params.raw_priv); > + if (ret < 0) > + return gnutls_assert_val(ret);

OK

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1883#note_2159339348

From gnutls-devel at lists.gnutls.org Wed Oct 16 11:45:20 2024
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Wed, 16 Oct 2024 09:45:20 +0000
Subject: [gnutls-devel] GnuTLS | decode_error with a very big compress certificate message (#1594)

George Pantelakis created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1594

## Description of problem:

When we have a very big compressed certificate message then we get a decode_error from the server but the message has the correct format. The message should pass the decoding error and pass. For example, if we have the message "0x19 + 0x4c4b48 + 0x0001 + 0x000fff + 0x4c4b40 + (5000000 * 0x00)", which is a valid message according to the RFC, it should be decoded correctly and then sent back a bad_certificate alert since the compressed message cannot be decompressed.

## Version of gnutls used:

gnutls-3.8.7

## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)

RHEL and Fedora

## How reproducible:

Always

Steps to Reproduce:

* Run https://github.com/tlsfuzzer/tlsfuzzer/blob/master/scripts/test-tls13-client-certificate-compression.py with "--random-fuzz-size 5" against a GnuTLS server.

## Actual results:

Tests "fuzzing of * bytes" from test-tls13-client-certificate-compression.py fail

## Expected results:

Tests "fuzzing of * bytes" from test-tls13-client-certificate-compression.py should pass

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1594

From gnutls-devel at lists.gnutls.org Wed Oct 16 10:48:39 2024
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Wed, 16 Oct 2024 08:48:39 +0000
Subject: [gnutls-devel] GnuTLS | bad_certificate instead of decode_error alert in compressed certificate (#1584)

Issue was closed by Zoltán Fridrich with merge request !1884 (https://gitlab.com/gnutls/gnutls/-/merge_requests/1884)

Issue #1584: https://gitlab.com/gnutls/gnutls/-/issues/1584

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1584

From gnutls-devel at lists.gnutls.org Wed Oct 16 10:48:40 2024
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Wed, 16 Oct 2024 08:48:40 +0000
Subject: [gnutls-devel] GnuTLS | bad_certificate instead of illegal_parameter alert in compressed certificate (#1585)

Issue was closed by Zoltán Fridrich with merge request !1884 (https://gitlab.com/gnutls/gnutls/-/merge_requests/1884)

Issue #1585: https://gitlab.com/gnutls/gnutls/-/issues/1585

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1585

From gnutls-devel at lists.gnutls.org Wed Oct 16 10:48:41 2024
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Wed, 16 Oct 2024 08:48:41 +0000
Subject: [gnutls-devel] GnuTLS | padded compressed certificate extension doesn't throw an error (#1586)

Issue was closed by Zoltán Fridrich with merge request !1884 (https://gitlab.com/gnutls/gnutls/-/merge_requests/1884)

Issue #1586: https://gitlab.com/gnutls/gnutls/-/issues/1586

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1586

From gnutls-devel at lists.gnutls.org Wed Oct 16 10:48:41 2024
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Wed, 16 Oct 2024 08:48:41 +0000
Subject: [gnutls-devel] GnuTLS | compress_certificate: improve error checks (!1884)

Merge request !1884 was merged

Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1884
Project:Branches: ZoltanFridrich/gnutls:zfridric_devel2 to gnutls/gnutls:master
Author: Zoltán Fridrich
Assignee: Zoltán Fridrich
Reviewers: Daiki Ueno and Alexander Sosedkin

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1884

From gnutls-devel at lists.gnutls.org Wed Oct 16 08:59:40 2024
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Wed, 16 Oct 2024 06:59:40 +0000
Subject: [gnutls-devel] GnuTLS | hash: return error if gnutls_hash is called after squeeze (!1885)

Daiki Ueno created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1885

Project:Branches: dueno/gnutls:wip/dueno/hash-after-squeeze to gnutls/gnutls:master
Author: Daiki Ueno

* hash: return error if gnutls_hash is called after squeeze

Previously, when gnutls_hash is called after gnutls_hash_squeeze, it hits an assertion failure in nettle:

```
sha3.c:76: _nettle_sha3_update: Assertion `pos < block_size' failed.
```

This adds an internal function to check whether the hash context has already been finalized with squeezing and in that case errors out.

Fixes: #1592

## Checklist
* [x] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [ ] Code modified for feature
* [ ] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
* [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:
* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1885

From gnutls-devel at lists.gnutls.org Wed Oct 16 11:39:17 2024
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Wed, 16 Oct 2024 09:39:17 +0000
Subject: [gnutls-devel] GnuTLS | bad_certificate instead of decode_error alert when empty compress certificate message (#1593)
References:
Message-ID:

George Pantelakis created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1593

## Description of problem:

When a compressed certificate is used we send the following compressed certificate message:

```
struct {
    CertificateCompressionAlgorithm algorithm;
    uint24 uncompressed_length;
    opaque compressed_certificate_message<1..2^24-1>;
} CompressedCertificate;
```

When we are sending an empty compressed_certificate_message with a length of 0 bytes then we should get a decode error since the minimum accepted message is of size 1 byte. Instead, we are getting a bad_certificate error.

## Version of gnutls used:

gnutls-3.8.7

## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)

RHEL and Fedora

## How reproducible:

Always

Steps to Reproduce:

 * Run https://github.com/tlsfuzzer/tlsfuzzer/blob/master/scripts/test-tls13-client-certificate-compression.py against a GnuTLS server.

## Actual results:

Test "Empty compressed message" from test-tls13-client-certificate-compression.py fails

## Expected results:

Test "Empty compressed message" from test-tls13-client-certificate-compression.py should pass

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1593

From gnutls-devel at lists.gnutls.org Wed Oct 16 10:30:38 2024
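The framing check that issue #1593 asks for, as an added example; it is not GnuTLS code and not part of the issue. The type and function names are hypothetical, the field widths follow the struct quoted in the issue (2-byte algorithm, uint24 length, uint24-prefixed vector), and the sample bodies are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* TLS alert descriptions from RFC 8446; 0 is used here for "no alert". */
enum { ALERT_NONE = 0, ALERT_BAD_CERTIFICATE = 42, ALERT_DECODE_ERROR = 50 };

/* Hypothetical parsed view of a CompressedCertificate handshake body. */
struct compressed_cert {
	uint16_t algorithm;
	uint32_t uncompressed_length;
	const uint8_t *data; /* compressed_certificate_message */
	uint32_t data_len;
};

static uint32_t read_u24(const uint8_t *p)
{
	return ((uint32_t)p[0] << 16) | ((uint32_t)p[1] << 8) | p[2];
}

/* Framing check only; returns ALERT_NONE or the alert the receiver should send.
 * Decompression failures (reported as bad_certificate) come after this step. */
int parse_compressed_cert(const uint8_t *buf, size_t len,
			  struct compressed_cert *out)
{
	/* algorithm (2) + uncompressed_length (3) + vector length prefix (3) */
	if (len < 8)
		return ALERT_DECODE_ERROR;
	out->algorithm = (uint16_t)((buf[0] << 8) | buf[1]);
	out->uncompressed_length = read_u24(buf + 2);
	out->data_len = read_u24(buf + 5);
	/* <1..2^24-1>: an empty vector is a decoding error, not a bad certificate */
	if (out->data_len == 0)
		return ALERT_DECODE_ERROR;
	/* the vector must fill the body exactly: no truncation, no trailing bytes */
	if (out->data_len != len - 8)
		return ALERT_DECODE_ERROR;
	out->data = buf + 8;
	return ALERT_NONE;
}

/* Constructed sample bodies: algorithm 1, uncompressed_length 16. */
static const uint8_t SAMPLE_OK[] = { 0, 1, 0, 0, 16, 0, 0, 2, 0xaa, 0xbb };
static const uint8_t SAMPLE_EMPTY[] = { 0, 1, 0, 0, 16, 0, 0, 0 };
static const uint8_t SAMPLE_TRAILING[] = { 0, 1, 0, 0, 16, 0, 0, 1, 0xaa, 0xbb };

int main(void)
{
	struct compressed_cert cc;
	printf("ok=%d empty=%d trailing=%d\n",
	       parse_compressed_cert(SAMPLE_OK, sizeof SAMPLE_OK, &cc),
	       parse_compressed_cert(SAMPLE_EMPTY, sizeof SAMPLE_EMPTY, &cc),
	       parse_compressed_cert(SAMPLE_TRAILING, sizeof SAMPLE_TRAILING, &cc));
	return 0;
}
```

Running the length checks before the payload reaches the decompressor is what keeps an empty vector from surfacing as a decompression failure.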
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Wed, 16 Oct 2024 08:30:38 +0000
Subject: [gnutls-devel] GnuTLS | hash: return error if gnutls_hash is called after squeeze (!1885)
In-Reply-To:
References:
Message-ID:

Alexander Sosedkin started a new discussion on lib/nettle/mac.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1885#note_2160815869

> update_func update; > digest_func digest; > init_func init; > + finished_func finished;

I don't think it's zero-initialized, which could be disastrous.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1885#note_2160815869

From gnutls-devel at lists.gnutls.org Wed Oct 16 09:07:49 2024
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Wed, 16 Oct 2024 07:07:49 +0000
Subject: [gnutls-devel] GnuTLS | hash: return error if gnutls_hash is called after squeeze (!1885)
In-Reply-To:
References:
Message-ID:

Alexander Sosedkin was added as a reviewer.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1885

From gnutls-devel at lists.gnutls.org Wed Oct 16 09:07:57 2024
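Review bot: the `finished_func finished;` member added in the lib/nettle/mac.c hunk quoted in the discussion above has no comment saying whether it may be NULL, and the hunk shows no initializer for it. Document the member's contract next to the declaration, set it explicitly (NULL where the algorithm has no such query) at every place that fills in `update`, `digest` and `init`, and have callers test it before calling through it.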
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Wed, 16 Oct 2024 07:07:57 +0000
Subject: [gnutls-devel] GnuTLS | Prohibit "duplexing the sponge" (#1592)
In-Reply-To:
References:
Message-ID:

Reassigned Issue 1592

https://gitlab.com/gnutls/gnutls/-/issues/1592

Daiki Ueno was added as an assignee.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1592

From gnutls-devel at lists.gnutls.org Thu Oct 17 00:17:15 2024
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Wed, 16 Oct 2024 22:17:15 +0000
Subject: [gnutls-devel] GnuTLS | hash: return error if gnutls_hash is called after squeeze (!1885)
In-Reply-To:
References:
Message-ID:

All discussions on merge request !1885 were resolved by Daiki Ueno

https://gitlab.com/gnutls/gnutls/-/merge_requests/1885

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1885

From gnutls-devel at lists.gnutls.org Thu Oct 17 00:17:16 2024
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Wed, 16 Oct 2024 22:17:16 +0000
Subject: [gnutls-devel] GnuTLS | hash: return error if gnutls_hash is called after squeeze (!1885)
In-Reply-To:
References:
Message-ID:

Daiki Ueno commented on a discussion on lib/nettle/mac.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1885#note_2162221690

> update_func update; > digest_func digest; > init_func init; > + finished_func finished;

Good catch, fixed.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1885#note_2162221690

From gnutls-devel at lists.gnutls.org Thu Oct 17 15:27:18 2024
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Thu, 17 Oct 2024 13:27:18 +0000
Subject: [gnutls-devel] GnuTLS | hash: return error if gnutls_hash is called after squeeze (!1885)
In-Reply-To:
References:
Message-ID:

Merge request !1885 was approved by Alexander Sosedkin

Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1885
Project:Branches: dueno/gnutls:wip/dueno/hash-after-squeeze to gnutls/gnutls:master
Author: Daiki Ueno
Assignees:
Reviewer: Alexander Sosedkin

From gnutls-devel at lists.gnutls.org Thu Oct 17 19:07:46 2024
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Thu, 17 Oct 2024 17:07:46 +0000
Subject: [gnutls-devel] GnuTLS | Prohibit "duplexing the sponge" (#1592)
In-Reply-To:
References:
Message-ID:

Issue was closed by Daiki Ueno with merge request !1885 (https://gitlab.com/gnutls/gnutls/-/merge_requests/1885)

Issue #1592: https://gitlab.com/gnutls/gnutls/-/issues/1592

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1592

From gnutls-devel at lists.gnutls.org Thu Oct 17 19:07:46 2024
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Thu, 17 Oct 2024 17:07:46 +0000
Subject: [gnutls-devel] GnuTLS | hash: return error if gnutls_hash is called after squeeze (!1885)
In-Reply-To:
References:
Message-ID:

Merge request !1885 was merged

Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1885
Project:Branches: dueno/gnutls:wip/dueno/hash-after-squeeze to gnutls/gnutls:master
Author: Daiki Ueno
Reviewer: Alexander Sosedkin

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1885

From gnutls-devel at lists.gnutls.org Fri Oct 18 15:16:57 2024
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Fri, 18 Oct 2024 13:16:57 +0000
Subject: [gnutls-devel] GnuTLS | GNUTLS_ALPN_MANDATORY is enforced in server mode only (#1595)
References:
Message-ID:

Robert Pluim created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1595

## Description of problem:

gnutls_alpn_set_protocols is documented to accept GNUTLS_ALPN_MANDATORY to mean "Require ALPN negotiation", but that flag is only checked when running in server mode, not in client mode.

## Version of gnutls used:

3.7.9

## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)

Debian

## How reproducible:

Always

Steps to Reproduce:

 1. Patch gnutls/src/cli.c to pass GNUTLS_ALPN_MANDATORY in the call to gnutls_alpn_set_protocols
 2. Run the modified gnutls-cli: `gnutls-cli --http --port 6666 --alpn=h2` against a gnutls-serv without any alpn flags specified

## Actual results:

Connection succeeds

## Expected results:

*** Fatal error: No common application protocol could be negotiated.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1595

From gnutls-devel at lists.gnutls.org Mon Oct 21 20:57:58 2024
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Mon, 21 Oct 2024 18:57:58 +0000
Subject: [gnutls-devel] GnuTLS | Draft: nettle: mangle struct sha3_128_ctx (!1886)
References:
Message-ID:

Alexander Sosedkin created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1886

Project:Branches: asosedkin/gnutls:mangle-shake-ctx to gnutls/gnutls:master
Author: Alexander Sosedkin

Without this, I cannot compile against nettle-3.10-3.fc41:

```
../../../lib/nettle/int/sha3-shake.h:55:8: error: redefinition of 'struct sha3_128_ctx'
   55 | struct sha3_128_ctx {
      |        ^~~~~~~~~~~~
```

## Checklist
 * [x] Commits have `Signed-off-by:` with name/author being identical to the commit author
 * [ ] Code modified for feature
 * [ ] Test suite updated with functionality tests
 * [ ] Test suite updated with negative tests
 * [ ] Documentation updated / NEWS entry present (for non-trivial changes)
 * [x] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:
 * [ ] Any issues marked for closing are addressed
 * [ ] There is a test suite reasonably covering new functionality or modifications
 * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
 * [ ] This feature/change has adequate documentation added
 * [ ] No obvious mistakes in the code

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1886

From gnutls-devel at lists.gnutls.org Tue Oct 22 10:32:11 2024
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Tue, 22 Oct 2024 08:32:11 +0000
Subject: [gnutls-devel] GnuTLS | nettle: mangle struct sha3_128_ctx (!1886)
In-Reply-To:
References:
Message-ID:

Alexander Sosedkin marked merge request !1886 as ready

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1886

From gnutls-devel at lists.gnutls.org Tue Oct 22 14:11:07 2024
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Tue, 22 Oct 2024 12:11:07 +0000
Subject: [gnutls-devel] GnuTLS | GNUTLS_ALPN_MANDATORY is enforced in server mode only (#1595)
In-Reply-To:
References:
Message-ID:

Alexander Sosedkin commented: https://gitlab.com/gnutls/gnutls/-/issues/1595#note_2171143422

(the other ALPN flag, GNUTLS_ALPN_SERVER_PRECEDENCE also is something that servers act on. maybe we should document both as server-only?)

Can the use case you have in mind be covered by the application and not the library?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1595#note_2171143422

From gnutls-devel at lists.gnutls.org Tue Oct 22 14:17:58 2024
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Tue, 22 Oct 2024 12:17:58 +0000
Subject: [gnutls-devel] GnuTLS | nettle: mangle struct sha3_128_ctx (!1886)
In-Reply-To:
References:
Message-ID:

Merge request !1886 was approved by Zoltán Fridrich

Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1886
Project:Branches: asosedkin/gnutls:mangle-shake-ctx to gnutls/gnutls:master
Author: Alexander Sosedkin
Assignees:
Reviewers:

From gnutls-devel at lists.gnutls.org Tue Oct 22 16:33:13 2024
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Tue, 22 Oct 2024 14:33:13 +0000
Subject: [gnutls-devel] GnuTLS | Subnet mask analysis (#1596)
References:
Message-ID:

dulanshuangqiao created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1596

RFC5280 stipulates that the IP address in the name constraint extension of the X.509 certificate must contain a subnet mask. For the malformed subnet mask, gnutls_x509_crt_import correctly parses it. In contrast, Golang's x509.ParseCertificate throws an error:

parsing x509: IP constraint contained invalid mask xxxxxxxx

I found this issue using gnutls-cli 3.7.3

See the attached test case [Cert17290457531910.der](/uploads/1eb475c4434a91c485f0d1dae5aece4a/Cert17290457531910.der)

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1596
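A strict check of an iPAddress name constraint value, as an added example; it is neither GnuTLS nor Go code and not part of the issue. It assumes that "malformed" in issue #1596 means a mask that is not a contiguous run of one bits, and the function name, return codes and sample values are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical return codes; a non-negative result is the prefix length. */
enum { IPC_BAD_LENGTH = -1, IPC_BAD_MASK = -2 };

/* val is the raw iPAddress octets of a name constraint: address followed by
 * mask, 4+4 octets for IPv4 or 16+16 for IPv6. */
int ip_constraint_prefix(const uint8_t *val, size_t len)
{
	if (val == NULL || (len != 8 && len != 32))
		return IPC_BAD_LENGTH;

	const uint8_t *mask = val + len / 2;
	int prefix = 0, seen_zero = 0;

	for (size_t i = 0; i < len / 2; i++) {
		for (int bit = 7; bit >= 0; bit--) {
			if ((mask[i] >> bit) & 1) {
				/* a one bit after a zero bit, e.g. 255.0.255.0 */
				if (seen_zero)
					return IPC_BAD_MASK;
				prefix++;
			} else {
				seen_zero = 1;
			}
		}
	}
	return prefix;
}

/* Constructed samples. */
static const uint8_t V4_OK[8] = { 192, 168, 0, 0, 255, 255, 0, 0 };
static const uint8_t V4_GAP[8] = { 10, 0, 0, 0, 255, 0, 255, 0 };
static const uint8_t V4_LEADING_ZERO[8] = { 10, 0, 0, 0, 0x7f, 255, 0, 0 };
static const uint8_t V6_OK[32] = { 0x20, 0x01, 0x0d, 0xb8, [16] = 0xff, 0xff,
				   0xff, 0xff };

int main(void)
{
	printf("v4 ok: %d\n", ip_constraint_prefix(V4_OK, sizeof V4_OK));
	printf("v4 gap: %d\n", ip_constraint_prefix(V4_GAP, sizeof V4_GAP));
	printf("v4 leading zero: %d\n",
	       ip_constraint_prefix(V4_LEADING_ZERO, sizeof V4_LEADING_ZERO));
	printf("v6 ok: %d\n", ip_constraint_prefix(V6_OK, sizeof V6_OK));
	printf("short: %d\n", ip_constraint_prefix(V4_OK, 7));
	return 0;
}
```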