From gnutls-devel at lists.gnutls.org Mon Dec 1 05:46:53 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Mon, 01 Dec 2025 04:46:53 +0000 Subject: [gnutls-devel] GnuTLS | record: Allow setting/restoring all record state (!1968) In-Reply-To: References: Message-ID: Alistair Francis commented: https://gitlab.com/gnutls/gnutls/-/merge_requests/1968#note_2923022619 Any more thoughts on this? The ktls-utils implementation is blocked by this -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1968#note_2923022619 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Dec 1 10:20:47 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Mon, 01 Dec 2025 09:20:47 +0000 Subject: [gnutls-devel] GnuTLS | Post-release administrivia (!2047) References: Message-ID: Daiki Ueno created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/2047 Project:Branches: dueno/gnutls:wip/dueno/release-3.8.11-post to gnutls/gnutls:master Author: Daiki Ueno This adds changes for the next release: * devel/release-steps.md: update CI job name to the latest * abi-dump: update git submodule ## Checklist * [x] Commits have `Signed-off-by:` with name/author being identical to the commit author * [ ] Code modified for feature * [ ] Test suite updated with functionality tests * [ ] Test suite updated with negative tests * [ ] Documentation updated / NEWS entry present (for non-trivial changes) ## Reviewer's checklist: * [ ] Any issues marked for closing are addressed * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md` * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/2047 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Dec 1 10:20:58 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Mon, 01 Dec 2025 09:20:58 +0000 Subject: [gnutls-devel] GnuTLS | Post-release administrivia (!2047) In-Reply-To: References: Message-ID: Alexander Sosedkin was added as a reviewer. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/2047 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Dec 1 19:35:56 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Mon, 01 Dec 2025 18:35:56 +0000 Subject: [gnutls-devel] GnuTLS | `gnutls_hash_output(..., NULL)` leads to SIGSEGV (#1769) References: Message-ID: Barnab?s P?cze created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1769 ## Description of problem: `gnutls_hash_output(..., NULL)` can lead to SIGSEGV ## Version of gnutls used: * 3.8.11 ## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL) * Arch Linux ## How reproducible: Steps to Reproduce: * just doing the call triggers it every time (at least on my machine) ## Actual results: ``` Program received signal SIGSEGV, Segmentation fault. 0x00007ffff7bd3fcd in _nettle_write_be32 (length=, dst=0x0, src=0x5555555c0d40) at /usr/src/debug/nettle/nettle-3.10.2/write-be32.c:54 54 WRITE_UINT32(dst, src[i]); (gdb) bt full #0 0x00007ffff7bd3fcd in _nettle_write_be32 (length=, dst=0x0, src=0x5555555c0d40) at /usr/src/debug/nettle/nettle-3.10.2/write-be32.c:54 i = words = 8 leftover = 0 #1 0x00007ffff7bd7f25 in nettle_sha256_digest (ctx=0x5555555c0d40, length=, digest=) at /usr/src/debug/nettle/nettle-3.10.2/sha256.c:156 No locals. #2 0x00007ffff6b491fa in wrap_x86_hash_output (src_ctx=, digest=, digestsize=) at accelerated/x86/sha-x86-ssse3.c:329 ctx = __func__ = "wrap_x86_hash_output" [...] ``` ## Expected results: The hash state is reset as indicated in the documentation. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1769 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Dec 1 22:43:35 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Mon, 01 Dec 2025 21:43:35 +0000 Subject: [gnutls-devel] GnuTLS | gnutls failure (#1770) References: Message-ID: Dale Radcliff created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1770 I started on the gnome site and was redirected here. (https://discourse.gnome.org/t/tls-handshake-problems/32076) I am trying to figure out why I can't connect Evolution to my mail servers. Using gnutls-cli results in \*\*\* Fatal error: Error in the pull function. for two different mail servers. Can anyone help me diagnose what is going on here so I can fix it. In the past it worked but due to a drive failure I had to set up my mail client again and now I can't connect to two of my mail servers. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1770 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Dec 2 01:26:10 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 02 Dec 2025 00:26:10 +0000 Subject: [gnutls-devel] GnuTLS | `gnutls_hash_output(..., NULL)` leads to SIGSEGV (#1769) In-Reply-To: References: Message-ID: Daiki Ueno commented: https://gitlab.com/gnutls/gnutls/-/issues/1769#note_2925553837 Thank you for the report; this indeed looks like a bug. There is a test in commit 7a7d3e44c0f769eb7bae6c6ee21a0a8a3f9e5144, but the original test swallows SIGSEGV for some reason and had never exhibited the issue. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1769#note_2925553837 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Dec 2 08:59:22 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 02 Dec 2025 07:59:22 +0000 Subject: [gnutls-devel] GnuTLS | accelerated: accept NULL as digest argument for gnutls_hash_output (!2048) References: Message-ID: Daiki Ueno created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/2048 Project:Branches: dueno/gnutls:wip/dueno/hash-output to gnutls/gnutls:master Author: Daiki Ueno * tests/slow: set TEST_EXTENSIONS for wrappers * crypto-selftests: exercise gnutls_hash_output(..., NULL) This moves the test introduced in commit 7a7d3e44c0f769eb7bae6c6ee21a0a8a3f9e5144, from tests/slow/hash-large.c to the library selftests, because the former is tailored for excessively large input, ignoring SIGSEGV. * accelerated: accept NULL as digest argument for gnutls_hash_output As a follow-up of commit eced4c0c2b3d3ee6a35dab99616a25910b623f79 this also extends the accelerated version of gnutls_hash_output to be able to reset the context by passing NULL as the digest argument. Fixes: #1769 ## Checklist * [x] Commits have `Signed-off-by:` with name/author being identical to the commit author * [ ] Code modified for feature * [x] Test suite updated with functionality tests * [x] Test suite updated with negative tests * [ ] Documentation updated / NEWS entry present (for non-trivial changes) ## Reviewer's checklist: * [ ] Any issues marked for closing are addressed * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md` * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/2048 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Dec 2 09:38:20 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 02 Dec 2025 08:38:20 +0000 Subject: [gnutls-devel] GnuTLS | accelerated: accept NULL as digest argument for gnutls_hash_output (!2048) In-Reply-To: References: Message-ID: Alexander Sosedkin was added as a reviewer. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/2048 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Dec 2 12:26:30 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 02 Dec 2025 11:26:30 +0000 Subject: [gnutls-devel] GnuTLS | gnutls failure (#1770) In-Reply-To: References: Message-ID: Issue was closed by Alexander Sosedkin Issue #1770: https://gitlab.com/gnutls/gnutls/-/issues/1770 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1770 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Dec 2 12:26:30 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 02 Dec 2025 11:26:30 +0000 Subject: [gnutls-devel] GnuTLS | gnutls failure (#1770) In-Reply-To: References: Message-ID: Alexander Sosedkin commented: https://gitlab.com/gnutls/gnutls/-/issues/1770#note_2926581485 This is not a user support forum, this bugtracker is for bugs in gnutls, and your inquiry sounds more like networking problems. Especially since other Fedora 42 / gnutls 3.8.10 users, myself included, can `gnutls-cli imap.mail.att.net:993 -d9` just fine. I suggest you try reproducing your issue 1. with a different internet service provider to rule out their meddling (why would it resolve to 98.137.156.39 for you?), and 2. with a different cryptographic library (e.g., with `openssl s_client imap.mail.att.net:993`). If you arrive at a conclusion that your issue is somehow gnutls-specific, I'd like to direct you towards gnutls-help at lists.gnutls.org or [#gnutls:matrix.org](https://riot.im/app/#/room/#gnutls:matrix.org) then. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1770#note_2926581485 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Dec 2 14:25:03 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 02 Dec 2025 13:25:03 +0000 Subject: [gnutls-devel] GnuTLS | Post-release administrivia (!2047) In-Reply-To: References: Message-ID: Alexander Sosedkin commented: https://gitlab.com/gnutls/gnutls/-/merge_requests/2047#note_2926925779 Reviewer's note to self: I've tried to generate a lossy, but high-SNR version of the abi-dump update so that it'd be humanly reviewable. ``` diff libgnutls elf-function-symbols: +gnutls_audit_current_context +gnutls_audit_pop_context +gnutls_audit_push_context +gnutls_handshake_update_receiving_key +gnutls_psk_allocate_client_credentials2 +gnutls_psk_allocate_server_credentials2 +gnutls_record_get_max_send_size ``` This does match the devel/libgnutls.abignore list. ``` diff libgnutls undefined-elf-function-symbols: +__getdelim -__gmpn_add_n -__gmpn_cmp -__gmpn_sec_add_1 -__gmpn_sec_add_1_itch -__gmpn_sec_div_r -__gmpn_sec_div_r_itch -__gmpn_sec_invert -__gmpn_sec_invert_itch -__gmpn_sec_mul -__gmpn_sec_mul_itch -__gmpn_sec_powm -__gmpn_sec_powm_itch -__gmpz_limbs_finish -__gmpz_limbs_write -__gmpz_size -atoi -atol +dcgettext -dgettext -fdopen -getline -nettle_cnd_memcpy +nettle_rsa_oaep_sha256_decrypt +nettle_rsa_oaep_sha256_encrypt +nettle_rsa_oaep_sha384_decrypt +nettle_rsa_oaep_sha384_encrypt +nettle_rsa_oaep_sha512_decrypt +nettle_rsa_oaep_sha512_encrypt +nettle_sha3_128_init +nettle_sha3_128_shake_output +nettle_sha3_128_update +nettle_sha3_256_shake_output -nettle_sha3_permute -p11_kit_module_initialize +p11_kit_modules_load -p11_kit_modules_load_and_initialize +stpcpy -strcat libdane undefined-elf-function-symbols: +dcgettext -dgettext -fdopen -fprintf -open ``` I'm not sure what happened to `atoi`/`atoi`, but, overall, that list doesn't look concerning to me. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/2047#note_2926925779 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Dec 2 14:25:34 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 02 Dec 2025 13:25:34 +0000 Subject: [gnutls-devel] GnuTLS | Post-release administrivia (!2047) In-Reply-To: References: Message-ID: Merge request !2047 was approved by Alexander Sosedkin Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/2047 Project:Branches: dueno/gnutls:wip/dueno/release-3.8.11-post to gnutls/gnutls:master Author: Daiki Ueno Assignees: Reviewer: Alexander Sosedkin -- You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Dec 3 00:59:49 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 02 Dec 2025 23:59:49 +0000 Subject: [gnutls-devel] GnuTLS | Post-release administrivia (!2047) In-Reply-To: References: Message-ID: Merge request !2047 was merged Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/2047 Project:Branches: dueno/gnutls:wip/dueno/release-3.8.11-post to gnutls/gnutls:master Author: Daiki Ueno Reviewer: Alexander Sosedkin -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/2047 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Dec 4 10:08:21 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Thu, 04 Dec 2025 09:08:21 +0000 Subject: [gnutls-devel] GnuTLS | accelerated: accept NULL as digest argument for gnutls_hash_output (!2048) In-Reply-To: References: Message-ID: Zolt?n Fridrich was added as a reviewer. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/2048 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Dec 4 10:20:23 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Thu, 04 Dec 2025 09:20:23 +0000 Subject: [gnutls-devel] GnuTLS | accelerated: accept NULL as digest argument for gnutls_hash_output (!2048) In-Reply-To: References: Message-ID: Merge request !2048 was approved by Zolt?n Fridrich Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/2048 Project:Branches: dueno/gnutls:wip/dueno/hash-output to gnutls/gnutls:master Author: Daiki Ueno Assignees: Reviewers: Alexander Sosedkin and Zolt?n Fridrich -- You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Dec 4 10:20:38 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Thu, 04 Dec 2025 09:20:38 +0000 Subject: [gnutls-devel] GnuTLS | accelerated: accept NULL as digest argument for gnutls_hash_output (!2048) In-Reply-To: References: Message-ID: Zolt?n Fridrich commented: https://gitlab.com/gnutls/gnutls/-/merge_requests/2048#note_2932438776 Don't see any mistakes -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/2048#note_2932438776 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Dec 4 11:43:35 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Thu, 04 Dec 2025 10:43:35 +0000 Subject: [gnutls-devel] GnuTLS | accelerated: accept NULL as digest argument for gnutls_hash_output (!2048) In-Reply-To: References: Message-ID: Merge request https://gitlab.com/gnutls/gnutls/-/merge_requests/2048 was reviewed by Alexander Sosedkin -- Alexander Sosedkin started a new discussion on lib/accelerated/afalg.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/2048#note_2932667797 > struct kcapi_handle *handle = ctx; > > + if (digest == NULL) { ... `gnutls_hmac_output` also promises to reset the state, and I don't see that happening. A `digest=NULL` call would get silently swallowed in `_gnutls_mac_output`, and I'm not even sure how does one reach this function with `digest=NULL`. * Why do we need this? * Should it actually do something on the kcapi level instead? * Do we need a similar round of fixes for lib/accelerated/*/hmac*? -- Alexander Sosedkin started a new discussion on lib/crypto-selftests.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/2048#note_2932667818 > + } > + > + /* First feed a dummy content */ nit: "content" is uncountable -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/2048 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Dec 5 02:16:25 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 05 Dec 2025 01:16:25 +0000 Subject: [gnutls-devel] GnuTLS | Unable to verify certificate chain on app.usmobile.com (#1771) References: Message-ID: Michael Catanzaro created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1771 ## Description of problem: GnuTLS fails to verify the certificate chain on app.usmobile.com: ``` $ gnutls-cli app.usmobile.com Processed 393 CA certificate(s). Resolving 'app.usmobile.com:443'... Connecting to '2606:4700::6812:667:443'... - Certificate type: X.509 - Got a certificate list of 3 certificates. - Certificate[0] info: - subject `CN=app.usmobile.com', issuer `CN=Cloudflare TLS Issuing ECC CA 3,O=SSL Corporation,C=US', serial 0x3d7fb41e831e456921073810e12e6290, EC/ECDSA key 256 bits, signed using ECDSA-SHA256, activated `2025-11-12 18:05:49 UTC', expires `2026-11-12 17:47:06 UTC', pin-sha256="70y5eLrafXTVMjbptBrllO9Mw8FW9c2xuofNXy0Qqkc=" Public Key ID: sha1:edd8ffacf5be4501880ac4d61bb967f84583cb6f sha256:ef4cb978bada7d74d53236e9b41ae594ef4cc3c156f5cdb1ba87cd5f2d10aa47 Public Key PIN: pin-sha256:70y5eLrafXTVMjbptBrllO9Mw8FW9c2xuofNXy0Qqkc= - Certificate[1] info: - subject `CN=Cloudflare TLS Issuing ECC CA 3,O=SSL Corporation,C=US', issuer `CN=SSL.com TLS Transit ECC CA R2,O=SSL Corporation,C=US', serial 0x31eee88afb87cd9ef8336604743f9b27, EC/ECDSA key 256 bits, signed using ECDSA-SHA384, activated `2025-05-29 19:49:45 UTC', expires `2035-05-27 19:49:44 UTC', pin-sha256="44viFzTC+h/L+3OHRg4Rs5v4+AcpzHZvI9Tne2RDNGk=" - Certificate[2] info: - subject `CN=SSL.com TLS Transit ECC CA R2,O=SSL Corporation,C=US', issuer `CN=AAA Certificate Services,O=Comodo CA Limited,L=Salford,ST=Greater Manchester,C=GB', serial 0x00ad8d2df64681a0d36447eaa94fa273c1, EC/ECDSA key 384 bits, signed using RSA-SHA256, activated `2024-06-21 00:00:00 UTC', expires `2028-12-31 23:59:59 UTC', pin-sha256="OXyj9ngbqO9cjLeO/+t9Ggl2EP4JTnVWHq4LEwhFM9w=" - Status: The certificate is NOT trusted. The certificate issuer is unknown. *** PKI verification of server certificate failed... *** Fatal error: Error in the certificate. ``` firefox-145.0.1-1.fc43 accepts this with no problems, so ideally GnuTLS would as well. OpenSSL notably does not accept it (I tested `openssl s_client -connect app.usmobile.com:443`), but OpenSSL is notoriously not very good at certification path building. [SSL Labs](https://www.ssllabs.com/ssltest/analyze.html?d=app.usmobile.com&s=2606%3a4700%3a0%3a0%3a0%3a0%3a6812%3a767) proposes two possible valid certification paths, the second of which won't work by default with gnutls-cli because it requires downloading an intermediate certificate using AuthorityInformationAccess. But the first path probably ought to work? I wonder if there is some good reason to reject it? Daiki says this looks similar to #1741, although notably that issue involves duplicate certs in the certification path, which is not the case here. Here's the certificate chain, for posterity: [test.crt](/uploads/8c2b53dff1008f1bea676cfb912b5b08/test.crt) ## Version of gnutls used: gnutls-3.8.11-5.fc43 with ca-certificates-2025.2.80_v9.0.304-1.1.fc43: ## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL): Fedora ## How reproducible: Always Steps to Reproduce: * `gnutls-cli app.usmobile.com` ## Actual results: Chain is rejected as untrusted ## Expected results: Chain should probably(?) verify successfully -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1771 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: