From gnutls-devel at lists.gnutls.org Sat Feb 1 22:17:09 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Sat, 01 Feb 2025 21:17:09 +0000 Subject: [gnutls-devel] libtasn1 | Draft: tests / asn1Decoding.c: Improve test coverage and Fix asn1Decoding Issues (!116) References: Message-ID: Andrew Hamilton created a merge request: https://gitlab.com/gnutls/libtasn1/-/merge_requests/116 Project:Branches: adhamilt/libtasn1:testCoverageBumpv2 to gnutls/libtasn1:master Author: Andrew Hamilton 1. tests/ : Improve test coverage of libtasn1 executables asn1Decoding.c, asn1Parser.c, and asn1Coding.c. With the test additions, the following change in code coverage was observed: (before): | Directory | Line Coverage | | ------ | ------ | | libtasn1/fuzz | 80.0 % | | libtasn1/lib | 85.4 % | | libtasn1/libtasn1/lib/gl | 100.0 % | | libtasn1/libtasn1/src | 38.2 % | | libtasn1/libtasn1/src/gl | 0.0 % | | /usr/include | 100.0 % | (after): | Directory | Line Coverage | | ------ | ------ | | libtasn1/fuzz | 80.0 % | | libtasn1/lib | 85.6 % | | libtasn1/libtasn1/lib/gl | 100.0 % | | libtasn1/libtasn1/src | 86.8 % | | libtasn1/libtasn1/src/gl | 100.0 % | | /usr/include | 100.0 % | 2. asn1Decoding.c: Made the following corrections observed during test development: - Removed a stray / unused "c" option from the short option list. - Ensure tmplen is initialized prior to use in all possible error paths. - Ensure realloc is not called with a zero length when the debug option is set and an empty input is provided - realloc with size zero appears to have undefined behavior per the function definition. ## Checklist * [X] Code modified for feature * [X] Test suite updated with functionality tests * [X] Test suite updated with negative tests * [ ] Documentation updated ## Reviewer's checklist: * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent with other code * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/-/merge_requests/116 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat Feb 1 22:18:55 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Sat, 01 Feb 2025 21:18:55 +0000 Subject: [gnutls-devel] libtasn1 | tests / asn1Decoding.c: Improve test coverage and Fix asn1Decoding Issues (!116) In-Reply-To: References: Message-ID: Andrew Hamilton marked merge request !116 as ready -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/-/merge_requests/116 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat Feb 1 22:29:02 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Sat, 01 Feb 2025 21:29:02 +0000 Subject: [gnutls-devel] libtasn1 | Draft: tests / asn1Decoding.c: Improve test coverage and Fix asn1Decoding Issues (!116) In-Reply-To: References: Message-ID: Andrew Hamilton marked merge request !116 as draft -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/-/merge_requests/116 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun Feb 2 16:53:31 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Sun, 02 Feb 2025 15:53:31 +0000 Subject: [gnutls-devel] libtasn1 | tests / asn1Decoding.c: Improve test coverage and Fix asn1Decoding Issues (!116) In-Reply-To: References: Message-ID: Andrew Hamilton marked merge request !116 as ready -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/-/merge_requests/116 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Feb 4 10:26:54 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 04 Feb 2025 09:26:54 +0000 Subject: [gnutls-devel] GnuTLS | cannot generate RSA-OAEP key outside of FIPS mode with certtool (#1653) References: Message-ID: Alexander Sosedkin created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1653 On Fedora gnutls-3.8.8-3.fc41 and/or master (2b8c3e4c), I can't seem to generate a PKCS#8 RSA-OAEP key without going into FIPS mode or going beyond certtool. * `certtool --generate-privkey --key-type rsa-oaep --outfile oaep` -> raw RSA key with no OAEP parameters encoded * `certtool --generate-privkey --key-type rsa-oaep --outfile oaep --p8` -> same, raw RSA key but * `env GNUTLS_FORCE_FIPS_MODE=1 certtool --generate-privkey --key-type rsa-oaep --outfile oaep` -> `:rsaesOaep` OID key with `:1.3.6.1.4.1.2312.18.8.1` validation params present despite * `env GNUTLS_FORCE_FIPS_MODE=1 build/src/certtool --generate-privkey --key-type rsa-oaep --outfile oaep --provable` -> `The --provable parameter can only be used with RSA and DSA keys.` That doesn't look right to me at all, I'd rather expect all of the above to produce `:rsaesOaep`-tagged keys and `--provable` not tell me I cannot generate provable keys when I actually can. My current workaround is to generate regular RSA keys, import and `gnutls_x509_spki_set_rsa_oaep_params()` them into OAEP keys with the parameters I need. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1653 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Feb 4 10:28:00 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 04 Feb 2025 09:28:00 +0000 Subject: [gnutls-devel] GnuTLS | cannot generate RSA-OAEP key outside of FIPS mode with certtool (#1653) In-Reply-To: References: Message-ID: Alexander Sosedkin commented: https://gitlab.com/gnutls/gnutls/-/issues/1653#note_2329607755 >From my brief exploration of the code, I couldn't find why the FIPS and non-FIPS results differ, but here are two ltrace snippets that might be of interest: non-FIPS: ``` gnutls_x509_privkey_get_seed(0x55a8a382ff30, 0, 0, 0) = 0xffffffce # <- GNUTLS_E_INVALID_REQUEST gnutls_x509_privkey_generate2(0x55a8a382ff30, 13, 3072, 0) = 0 gnutls_x509_spki_deinit(0x55a8a3830150, 0x55a8a3813510, 2, 0x55a8a3813a50) = 2 gnutls_x509_privkey_verify_params(0x55a8a382ff30, 0x55a8a3830140, 0x55adf9093df0, 4) = 0 gnutls_x509_privkey_get_pk_algorithm(0x55a8a382ff30, 0x7ffe74f64bf0, 0x55a8a382ff30, 7) = 13 gnutls_x509_privkey_get_seed(0x55a8a382ff30, 0, 0, 0) = 0xffffffce # <- GNUTLS_E_INVALID_REQUEST fwrite("Public Key Info:\n", 1, 17, 0x55a8a382f450) = 17 ``` FIPS: ``` gnutls_x509_privkey_get_seed(0x55ce108b3200, 0, 0, 0) = 0xffffffce # <- GNUTLS_E_INVALID_REQUEST gnutls_x509_privkey_generate2(0x55ce108b3200, 13, 3072, 0) = 0 gnutls_x509_spki_deinit(0x55ce108b3420, 0x55ce108811b0, 2, 0x55ce108810f0) = 2 gnutls_x509_privkey_verify_params(0x55ce108b3200, 0x55ce108b3410, 0x55cb4c6b1873, 5) = 0 gnutls_x509_privkey_get_pk_algorithm(0x55ce108b3200, 0x7ffc1fb6c220, 0x55ce108b3200, 7) = 13 gnutls_x509_privkey_get_seed(0x55ce108b3200, 0, 0, 0) = 0xffffffcd # <- GNUTLS_E_SHORT_MEMORY_BUFFER, suggesting key->params.seed_size is set fwrite("Assuming --pkcs8 is given; prova"..., 1, 87, 0x7fdc0c9f74e0) = 87 fwrite("Public Key Info:\n", 1, 17, 0x55ce108a3010) = 17 ``` -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1653#note_2329607755 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Feb 4 14:13:48 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 04 Feb 2025 13:13:48 +0000 Subject: [gnutls-devel] GnuTLS | TAG check for extensions (#1652) In-Reply-To: References: Message-ID: Zolt?n Fridrich commented: https://gitlab.com/gnutls/gnutls/-/issues/1652#note_2330125310 @dulanshuangqiao Thank you for the report. Could you please provide a reproducer for this issue? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1652#note_2330125310 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Feb 4 20:59:59 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 04 Feb 2025 19:59:59 +0000 Subject: [gnutls-devel] GnuTLS | Draft: add cmake (!1908) In-Reply-To: References: Message-ID: Merge request !1908 was closed by Tal Regev Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1908 Project:Branches: tal.regev/gnutls:TalR/cmake to gnutls/gnutls:master Author: Tal Regev Assignees: Reviewers: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1908 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Feb 5 09:09:57 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 05 Feb 2025 08:09:57 +0000 Subject: [gnutls-devel] GnuTLS | cannot generate RSA-OAEP key outside of FIPS mode with certtool (#1653) In-Reply-To: References: Message-ID: Daiki Ueno commented: https://gitlab.com/gnutls/gnutls/-/issues/1653#note_2331596970 > `certtool --generate-privkey --key-type rsa-oaep --outfile oaep --p8` -\> same, raw RSA key The `--p8` in this command line expands to `--p8-info`, as the abbreviation is [unique](https://www.gnu.org/software/libc/manual/html_node/Getopt-Long-Options.html), which doesn't change the key generation behavior. The correct command line is: `certtool --generate-privkey --key-type rsa-oaep --outfile oaep --pkcs8 --empty-password` That said, that should be the default behavior; currently it's not because of a missing key type check in `switch_to_pkcs8_when_needed` in src/certtool-common.h. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1653#note_2331596970 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Feb 5 09:46:22 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 05 Feb 2025 08:46:22 +0000 Subject: [gnutls-devel] GnuTLS | CKA_NSS_SERVER_DISTRUST_AFTER does not work for a system p11 object (#1656) References: Message-ID: Xi Ruoyao created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1656 ## Description of problem: We have such a p11 object which is converted from Mozilla certificate data: ``` [p11-kit-object-v1] label: "Entrust Root Certification Authority - G2" class: x-certificate-extension object-id: 2.5.29.37 value: "0 %06%03U%1d%25%01%01%ff%04%160%14%06%08%2b%06%01%05%05%07%03%04%06%08%2b%06%01%05%05%07%03%01" modifiable: false -----BEGIN PUBLIC KEY----- MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuoS2ctueDGvimekwAad2 6jK4lUEaydphTlhyz/72gnm/c2EGCqUn2LNf00VOHHLWTjLycooP94MZ0GqAgABF HrDH55q/ElcnHKNoLwqHvWprDl5l8xx31dSFjXAhtLMy54ui1YY5ArG40kfO5MlJ xDun3vtUfVe+8OhuwnmyOgtV4lCYFjITXC94VsHClLPyWuQnmp8k18bs0JslguPM wsRFxYyXegZrKhGfqQpuSDtv29QRGUL3jwe/9VNfnD70FyzmaaxOMkxid+q36OW7 NLwZi66cUee3frVTsTMi5W3PcDwa+uKbZ7aD9I2lr2JMTeBYrGQ0EgP4to2UYySk cQIDAQAB -----END PUBLIC KEY----- [p11-kit-object-v1] label: "Entrust Root Certification Authority - G2" trusted: true nss-mozilla-ca-policy: true modifiable: false nss-server-distrust-after: "241130235959Z" nss-email-distrust-after: "%00" -----BEGIN CERTIFICATE----- MIIEPjCCAyagAwIBAgIESlOMKDANBgkqhkiG9w0BAQsFADCBvjELMAkGA1UEBhMC VVMxFjAUBgNVBAoTDUVudHJ1c3QsIEluYy4xKDAmBgNVBAsTH1NlZSB3d3cuZW50 cnVzdC5uZXQvbGVnYWwtdGVybXMxOTA3BgNVBAsTMChjKSAyMDA5IEVudHJ1c3Qs IEluYy4gLSBmb3IgYXV0aG9yaXplZCB1c2Ugb25seTEyMDAGA1UEAxMpRW50cnVz dCBSb290IENlcnRpZmljYXRpb24gQXV0aG9yaXR5IC0gRzIwHhcNMDkwNzA3MTcy NTU0WhcNMzAxMjA3MTc1NTU0WjCBvjELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUVu dHJ1c3QsIEluYy4xKDAmBgNVBAsTH1NlZSB3d3cuZW50cnVzdC5uZXQvbGVnYWwt dGVybXMxOTA3BgNVBAsTMChjKSAyMDA5IEVudHJ1c3QsIEluYy4gLSBmb3IgYXV0 aG9yaXplZCB1c2Ugb25seTEyMDAGA1UEAxMpRW50cnVzdCBSb290IENlcnRpZmlj YXRpb24gQXV0aG9yaXR5IC0gRzIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK AoIBAQC6hLZy254Ma+KZ6TABp3bqMriVQRrJ2mFOWHLP/vaCeb9zYQYKpSfYs1/T RU4cctZOMvJyig/3gxnQaoCAAEUesMfnmr8SVycco2gvCoe9amsOXmXzHHfV1IWN cCG0szLni6LVhjkCsbjSR87kyUnEO6fe+1R9V77w6G7CebI6C1XiUJgWMhNcL3hW wcKUs/Ja5CeanyTXxuzQmyWC48zCxEXFjJd6BmsqEZ+pCm5IO2/b1BEZQvePB7/1 U1+cPvQXLOZprE4yTGJ36rfo5bs0vBmLrpxR57d+tVOxMyLlbc9wPBr64ptntoP0 jaWvYkxN4FisZDQSA/i2jZRjJKRxAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAP BgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBRqciZ60B7vfec7aVHUbI2fkBJmqzAN BgkqhkiG9w0BAQsFAAOCAQEAeZ8dlsa2eT8ijYfThwMEYGprmi5ZiXMRrEPR9RP/ jTkrwPK9T3CMqS/qF8QLVJ7UG5aYMzyorWKiAHarWWluBh1+xLlEjZivEtRh2woZ Rkfz6/djwUAFQKXSt/S1mja/qYh2iARVBCuch38aNzx+LaUa2NSJXsq9rD1s2G2v 1fN2D807iDginWyTmsQ9v4IbZT+mD12q/OWyFcq1rca8PdCE6OoGcrBNOTJ4vz4R nAuknZoh8/CbCzB428Hch0P+vGOaysXCHMnHjf87ElgI5rY97HosTvuDls4MPGmH VHOkc8KT/1EQrBVUAdj8BbGJoX90g5pJ19xOe4pIb4tF9g== -----END CERTIFICATE----- ``` Note that the certificate has a `nss-server-distrust-after` field. But when trying a website using this root CA with `gnutls-cli www.fidelity.com -d9999`: ``` |<2>| check_found_cert: cert doesn't match the expected |<3>| ASSERT: pkcs11.c[find_cert_cb]:4272 |<3>| ASSERT: pkcs11.c[find_cert_cb]:4083 |<2>| get_distrust_after: did not find cert, using issuer DN + serial, using DN only |<3>| ASSERT: pkcs11.c[_gnutls_pkcs11_get_distrust_after]:4861 |<2>| p11: No login requested. |<2>| check_found_cert: cert doesn't match the expected |<3>| ASSERT: pkcs11.c[find_cert_cb]:4272 |<3>| ASSERT: pkcs11.c[find_cert_cb]:4083 |<3>| ASSERT: pkcs11.c[_gnutls_pkcs11_get_distrust_after]:4876 |<2>| get_distrust_after: did not find any cert ``` So it seems GnuTLS has not really found the field. ## Version of gnutls used: 3.8.8 ## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL) Originally found on Beyond Linux From Scratch, same result on Fedora Rawhide ## How reproducible: See above. ## Actual results: GnuTLS accept the certificate (the behavior is correct) but the debug info shows the `nss-server-distrust-after` field isn't found at all. ## Expected results: GnuTLS still accept the certificate, but after comparing the `nss-server-distrust-after` field. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1656 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Feb 6 01:35:07 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Thu, 06 Feb 2025 00:35:07 +0000 Subject: [gnutls-devel] GnuTLS | CKA_NSS_SERVER_DISTRUST_AFTER does not work for a system p11 object (#1656) In-Reply-To: References: Message-ID: Xi Ruoyao commented: https://gitlab.com/gnutls/gnutls/-/issues/1656#note_2333385533 Now fidelity.com has changed the certificate, it's better to use ustreas.gov as an example (hope it won't switch the certificate before we can do the diagnostic...) -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1656#note_2333385533 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Feb 6 16:51:51 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Thu, 06 Feb 2025 15:51:51 +0000 Subject: [gnutls-devel] libtasn1 | Parsing a certificate containing numerous names or name constraints leads to a DoS attack (#52) In-Reply-To: References: Message-ID: Simon Josefsson commented: https://gitlab.com/gnutls/libtasn1/-/issues/52#note_2334748932 I am hoping version 4.20.0 resolve this, so I'm making this bug report public and closing it. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/-/issues/52#note_2334748932 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Feb 6 16:51:52 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Thu, 06 Feb 2025 15:51:52 +0000 Subject: [gnutls-devel] libtasn1 | Parsing a certificate containing numerous names or name constraints leads to a DoS attack (#52) In-Reply-To: References: Message-ID: Issue was closed by Simon Josefsson Issue #52: https://gitlab.com/gnutls/libtasn1/-/issues/52 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/-/issues/52 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Feb 7 00:14:08 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Thu, 06 Feb 2025 23:14:08 +0000 Subject: [gnutls-devel] GnuTLS | Library incompatible with x86_64 CET/shadow stack (#1658) References: Message-ID: Maciej S_ Szmigiero created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1658 ## Description of the feature: The built `libgnutls.so.30.40.2` library lacks CET/shadow stack markings: ``` $ readelf -n /usr/lib64/libgnutls.so.30.40.2 | grep -a SHSTK (empty) ``` Now that shadow stack-enabled CPUs are getting more common each program which links to `libgnutls` cannot benefit from shadow stack enforcement, since such enforcement requires that *all* of its library dependencies carry appropriate markings. Tested on a distribution which enables `-fcf-protection` by default in GCC (Gentoo). This causes most of other libraries to get build with proper CET support. I think the most likely reason that `libgnutls` is missing CET markings is that assembly source files in `lib/accelerated/x86/elf` are missing them. ## Is this feature implemented in other libraries (and which) OpenSSL 3 has proper CET support: ``` $ readelf -n /usr/lib64/libssl.so.3 | grep -a SHSTK Properties: x86 feature: IBT, SHSTK ``` -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1658 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Feb 7 06:24:28 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 07 Feb 2025 05:24:28 +0000 Subject: [gnutls-devel] GnuTLS | Release 3.8.9 (!1928) In-Reply-To: References: Message-ID: Daiki Ueno marked merge request !1928 as ready -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1928 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Feb 7 06:24:40 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 07 Feb 2025 05:24:40 +0000 Subject: [gnutls-devel] GnuTLS | Release 3.8.9 (!1928) In-Reply-To: References: Message-ID: Zolt?n Fridrich was added as a reviewer. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1928 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Feb 7 06:24:48 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 07 Feb 2025 05:24:48 +0000 Subject: [gnutls-devel] GnuTLS | Release 3.8.9 (!1928) In-Reply-To: References: Message-ID: Alexander Sosedkin was added as a reviewer. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1928 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Feb 7 08:36:25 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 07 Feb 2025 07:36:25 +0000 Subject: [gnutls-devel] GnuTLS | Release 3.8.9 (!1928) In-Reply-To: References: Message-ID: Merge request !1928 was approved by Alexander Sosedkin Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1928 Project:Branches: dueno/gnutls:wip/dueno/release-3.8.9 to gnutls/gnutls:master Author: Daiki Ueno Assignees: Reviewers: Alexander Sosedkin and Zolt?n Fridrich -- You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Feb 7 09:07:48 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 07 Feb 2025 08:07:48 +0000 Subject: [gnutls-devel] GnuTLS | Release 3.8.9 (!1928) In-Reply-To: References: Message-ID: Merge request !1928 was approved by Zolt?n Fridrich Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1928 Project:Branches: dueno/gnutls:wip/dueno/release-3.8.9 to gnutls/gnutls:master Author: Daiki Ueno Assignees: Reviewers: Alexander Sosedkin and Zolt?n Fridrich -- You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Feb 7 09:08:05 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 07 Feb 2025 08:08:05 +0000 Subject: [gnutls-devel] GnuTLS | Release 3.8.9 (!1928) In-Reply-To: References: Message-ID: Zolt?n Fridrich commented: https://gitlab.com/gnutls/gnutls/-/merge_requests/1928#note_2336092674 Looks good. No mistakes found. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1928#note_2336092674 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Feb 7 10:02:14 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 07 Feb 2025 09:02:14 +0000 Subject: [gnutls-devel] GnuTLS | Release 3.8.9 (!1928) In-Reply-To: References: Message-ID: Merge request !1928 was merged Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1928 Project:Branches: dueno/gnutls:wip/dueno/release-3.8.9 to gnutls/gnutls:master Author: Daiki Ueno Reviewers: Alexander Sosedkin and Zolt?n Fridrich -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1928 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Feb 7 10:02:14 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 07 Feb 2025 09:02:14 +0000 Subject: [gnutls-devel] GnuTLS | cannot generate RSA-OAEP key outside of FIPS mode with certtool (#1653) In-Reply-To: References: Message-ID: Issue was closed by Daiki Ueno with merge request !1928 (https://gitlab.com/gnutls/gnutls/-/merge_requests/1928) Issue #1653: https://gitlab.com/gnutls/gnutls/-/issues/1653 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1653 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Feb 7 10:38:15 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 07 Feb 2025 09:38:15 +0000 Subject: [gnutls-devel] libtasn1 | Parsing a certificate containing numerous names or name constraints leads to a DoS attack (#52) In-Reply-To: References: Message-ID: Andreas Stieger commented: https://gitlab.com/gnutls/libtasn1/-/issues/52#note_2336379502 Thank. The "uses 100% of CPU" part of this issue should be treated with a grain of salt. This is simply the machine attempting to solve a single-threaded while not limited by IO. You actually *want* it to do it as fast as possible, that is not a security issue in itself. The part where the scaling factor is undesirable, however, is. Do you agree with CVSS v3.1 base [3.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)?](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L&version=3.1) -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/-/issues/52#note_2336379502 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Feb 7 10:47:07 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 07 Feb 2025 09:47:07 +0000 Subject: [gnutls-devel] libtasn1 | Parsing a certificate containing numerous names or name constraints leads to a DoS attack (#52) In-Reply-To: References: Message-ID: Simon Josefsson commented: https://gitlab.com/gnutls/libtasn1/-/issues/52#note_2336395888 Yeah I think the severity of this problem is low. I agree that it is the scaling factor that is the real concern. Re CVSS I think it is really complicated topic, but shouldn't Attack Complexity be Low? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/-/issues/52#note_2336395888 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Feb 7 10:51:15 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 07 Feb 2025 09:51:15 +0000 Subject: [gnutls-devel] libtasn1 | Parsing a certificate containing numerous names or name constraints leads to a DoS attack (#52) In-Reply-To: References: Message-ID: Andreas Stieger commented: https://gitlab.com/gnutls/libtasn1/-/issues/52#note_2336406135 I believe you could argue for both: `AC:L` because it seems straightforward to generate such a certificate. But also `AC:H` as you would need to get the application to process it. So the adversary would need to control one party (or be MITM), or the client needs to connect to peers based on the adversary input, or the client routinely connects to new peers, some of which turn out present specially crafted certificates. What do you think? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/-/issues/52#note_2336406135 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Feb 7 10:58:15 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 07 Feb 2025 09:58:15 +0000 Subject: [gnutls-devel] libtasn1 | Parsing a certificate containing numerous names or name constraints leads to a DoS attack (#52) In-Reply-To: References: Message-ID: Simon Josefsson commented: https://gitlab.com/gnutls/libtasn1/-/issues/52#note_2336419873 I suppose you picking AC:H results in a more appropriate resulting security base score overall, and now we even have some documented justification for using AC:H (which people may disagree with, but things are what they are), so +1 from me. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/-/issues/52#note_2336419873 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Feb 7 11:33:59 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 07 Feb 2025 10:33:59 +0000 Subject: [gnutls-devel] libtasn1 | Parsing a certificate containing numerous names or name constraints leads to a DoS attack (#52) In-Reply-To: References: Message-ID: Alexander Sosedkin commented on a discussion: https://gitlab.com/gnutls/libtasn1/-/issues/52#note_2336491914 ... or an adversary client sends a specially crafted client certificate to a server that's configured to accept them. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/-/issues/52#note_2336491914 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Feb 7 14:09:14 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 07 Feb 2025 13:09:14 +0000 Subject: [gnutls-devel] GnuTLS | TAG check for extensions (#1652) In-Reply-To: References: Message-ID: dulanshuangqiao commented on a discussion: https://gitlab.com/gnutls/gnutls/-/issues/1652#note_2336764264 I use this program to call the relevant API to convert der to pem format [DtoP.c](/uploads/8637353e989cd4f9e4d590197c73ccf4/DtoP.c) -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1652#note_2336764264 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Feb 7 23:43:34 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 07 Feb 2025 22:43:34 +0000 Subject: [gnutls-devel] GnuTLS | doc: Avoid failures in a parallel build. (!1911) In-Reply-To: References: Message-ID: Daiki Ueno commented: https://gitlab.com/gnutls/gnutls/-/merge_requests/1911#note_2337858357 Sorry @apteryks, we'll have to revert this change, at least the removal of `$(srcdir)/` part, because that causes a rebuild of .info files at `make distcheck`, which does VPATH build outside a read-only tree and leads to a permission error. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1911#note_2337858357 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat Feb 8 00:01:02 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 07 Feb 2025 23:01:02 +0000 Subject: [gnutls-devel] GnuTLS | Revert "doc: Fix races in a parallel build." (!1929) References: Message-ID: Daiki Ueno created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1929 Project:Branches: dueno/gnutls:wip/dueno/revert-parallel-doc to gnutls/gnutls:master Author: Daiki Ueno * Revert "doc: Fix races in a parallel build." This reverts commit 8daba130cc0c4100186af0b61bc3e65d54a46727, which turned out to cause a rebuild of .info files at "make distcheck" in a read-only srcdir. ## Checklist * [x] Commits have `Signed-off-by:` with name/author being identical to the commit author * [ ] Code modified for feature * [ ] Test suite updated with functionality tests * [ ] Test suite updated with negative tests * [ ] Documentation updated / NEWS entry present (for non-trivial changes) * [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout) ## Reviewer's checklist: * [ ] Any issues marked for closing are addressed * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md` * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1929 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat Feb 8 01:08:37 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Sat, 08 Feb 2025 00:08:37 +0000 Subject: [gnutls-devel] GnuTLS | Revert "doc: Fix races in a parallel build." (!1929) In-Reply-To: References: Message-ID: Daiki Ueno commented: https://gitlab.com/gnutls/gnutls/-/merge_requests/1929#note_2337901397 As this is just a revert commit (and a release blocker), I'm merging it without approval. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1929#note_2337901397 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat Feb 8 01:08:41 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Sat, 08 Feb 2025 00:08:41 +0000 Subject: [gnutls-devel] GnuTLS | Revert "doc: Fix races in a parallel build." (!1929) In-Reply-To: References: Message-ID: Merge request !1929 was set to auto-merge by Daiki Ueno Merge request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1929 Project:Branches: dueno/gnutls:wip/dueno/revert-parallel-doc to gnutls/gnutls:master Author: Daiki Ueno Assignees: Reviewers: -- You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat Feb 8 05:39:47 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Sat, 08 Feb 2025 04:39:47 +0000 Subject: [gnutls-devel] GnuTLS | Unblock 3.8.9 release (!1929) In-Reply-To: References: Message-ID: Merge request !1929 was merged Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1929 Project:Branches: dueno/gnutls:wip/dueno/revert-parallel-doc to gnutls/gnutls:master Author: Daiki Ueno -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1929 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat Feb 8 09:49:45 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Sat, 08 Feb 2025 08:49:45 +0000 Subject: [gnutls-devel] GnuTLS | CI: run doc-dist.Fedora with a regular user (#1659) References: Message-ID: Daiki Ueno created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1659 The doc-dist.Fedora target ensures that `make distcheck` can create a distribution tarball. However, as the CI runs as the root user, it currently bypasses the permission checks enforced by Automake, e.g., to not pollute srcdir, it removes writable bit from the permissions of srcdir. To detect such issues early, it would be nice to run this CI target as a regular user. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1659 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat Feb 8 13:34:58 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Sat, 08 Feb 2025 12:34:58 +0000 Subject: [gnutls-devel] GnuTLS | doc: Avoid failures in a parallel build. (!1911) In-Reply-To: References: Message-ID: Maxim Cournoyer commented: https://gitlab.com/gnutls/gnutls/-/merge_requests/1911#note_2338489180 ah, sorry for not catching this. I'll try to reproduce locally and see if I can resolve that problem. Thanks for the heads-up! -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1911#note_2338489180 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat Feb 8 13:49:24 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Sat, 08 Feb 2025 12:49:24 +0000 Subject: [gnutls-devel] GnuTLS | doc: Avoid failures in a parallel build. (!1911) In-Reply-To: References: Message-ID: Maxim Cournoyer commented: https://gitlab.com/gnutls/gnutls/-/merge_requests/1911#note_2338517686 Is this the issue you were seeing in `make distcheck` ? ``` make[3]: Entering directory '/home/maxim/src/gnutls/doc/manpages' make distdir-am make[4]: Entering directory '/home/maxim/src/gnutls/doc/manpages' cp: cannot stat './dane_cert_type_name.3': No such file or directory make[4]: *** [Makefile:3643: distdir-am] Error 1 make[4]: Leaving directory '/home/maxim/src/gnutls/doc/manpages' make[3]: *** [Makefile:3640: distdir] Error 2 make[3]: Leaving directory '/home/maxim/src/gnutls/doc/manpages' make[2]: *** [Makefile:2983: distdir-am] Error 1 make[2]: Leaving directory '/home/maxim/src/gnutls' make[1]: *** [Makefile:2977: distdir] Error 2 make[1]: Leaving directory '/home/maxim/src/gnutls' make: *** [Makefile:3085: dist] Error 2 ``` -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1911#note_2338517686 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat Feb 8 13:53:04 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Sat, 08 Feb 2025 12:53:04 +0000 Subject: [gnutls-devel] GnuTLS | doc: Avoid failures in a parallel build. (!1911) In-Reply-To: References: Message-ID: Maxim Cournoyer commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/1911#note_2338522302 It's not really that I removed `$(srcdir)`, but that I made the targets depend on other targets (instead of re-invoking make in the recipe, which is racy). -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1911#note_2338522302 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat Feb 8 13:58:49 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Sat, 08 Feb 2025 12:58:49 +0000 Subject: [gnutls-devel] GnuTLS | doc: Avoid failures in a parallel build. (!1911) In-Reply-To: References: Message-ID: Maxim Cournoyer commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/1911#note_2338529796 Nevermind, that seems to be because of: ``` Creating man pages for socket.h.../bin/sh: ../../doc/scripts/getfuncs.pl: /usr/bin/perl: bad interpreter: No such file or directory ``` -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1911#note_2338529796 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat Feb 8 14:33:09 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Sat, 08 Feb 2025 13:33:09 +0000 Subject: [gnutls-devel] GnuTLS | doc: Avoid failures in a parallel build. (!1911) In-Reply-To: References: Message-ID: Maxim Cournoyer commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/1911#note_2338541157 That's fixed on my side, but still getting: ``` [...] make distdir-am make[4]: Entering directory '/home/maxim/src/gnutls/doc/manpages' cp: cannot stat './dane_cert_type_name.3': No such file or directory ``` How are these supposed to come into existence? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1911#note_2338541157 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat Feb 8 15:13:24 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Sat, 08 Feb 2025 14:13:24 +0000 Subject: [gnutls-devel] GnuTLS | doc: Avoid failures in a parallel build. (!1911) In-Reply-To: References: Message-ID: Maxim Cournoyer commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/1911#note_2338547218 OK, I think it's from the `stamp_mans`, which had failed due to the perl error above but still stamped the file apparently. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1911#note_2338547218 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat Feb 8 22:20:36 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Sat, 08 Feb 2025 21:20:36 +0000 Subject: [gnutls-devel] libtasn1 | fix memleaks in asn1_array2tree, free the unused child (!62) In-Reply-To: References: Message-ID: Andrew Hamilton commented: https://gitlab.com/gnutls/libtasn1/-/merge_requests/62#note_2338635132 I was looking into a failure on oss-fuzz related to a memory leak and found that I think this is the same issue. Here is how I was able to reproduce the issue: Download reproducer from oss fuzz: https://oss-fuzz.com/download?testcase_id=5118451781206016 Install CLANG (I used clang-19 on Debian) export CC=clang-19 export CFLAGS="-O1 -g -fno-omit-frame-pointer -gline-tables-only -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION -fsanitize=undefined,integer,nullability -fsanitize=address -fsanitize-address-use-after-scope -fsanitize=fuzzer-no-link" export CFLAGS="$CFLAGS -fsanitize=bool,array-bounds,float-divide-by-zero,function,integer-divide-by-zero,return,shift,signed-integer-overflow,unsigned-integer-overflow,vla-bound,vptr -fno-sanitize-recover=bool,array-bounds,float-divide-by-zero,function,integer-divide-by-zero,return,shift,signed-integer-overflow,vla-bound,vptr" ./configure --enable-fuzzing --disable-doc --disable-gcc-warnings make clean make -j$(nproc) cd fuzz UBSAN_OPTIONS=print_stacktrace=1 ASAN_SYMBOLIZER_PATH=/usr/lib/llvm-19/bin/llvm-symbolizer /libtasn1_array2tree_fuzzer < /libtasn1/clusterfuzz-testcase-minimized-libtasn1_array2tree_fuzzer-5118451781206016 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/-/merge_requests/62#note_2338635132 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun Feb 9 00:10:48 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Sat, 08 Feb 2025 23:10:48 +0000 Subject: [gnutls-devel] GnuTLS | Extension order changes after HRR (#1660) References: Message-ID: Daiki Ueno created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1660 RFC 8446 allows only limited [changes](https://www.rfc-editor.org/rfc/rfc8446#section-4.1.2) to the second Client Hello to the first one, though after !1737 the extensions are shuffled, leading to a connectivity issue: https://github.com/luakit/luakit/issues/1101 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1660 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun Feb 9 02:37:35 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Sun, 09 Feb 2025 01:37:35 +0000 Subject: [gnutls-devel] GnuTLS | handshake: only shuffle extensions in the first Client Hello (!1930) References: Message-ID: Daiki Ueno created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1930 Project:Branches: dueno/gnutls:wip/dueno/no-shuffle-extensions to gnutls/gnutls:master Author: Daiki Ueno * handshake: only shuffle extensions in the first Client Hello RFC 8446 section 4.1.2 states that the second Client Hello after HRR should preserve the same content as the first Client Hello with limited exceptions. Since GnuTLS 3.8.5, however, the library started shuffling the order of extensions for privacy reasons and that didn't comply with the RFC, leading to a connectivity issue against the server configuration with a stricter check on that. Fixes: #1660 ## Checklist * [x] Commits have `Signed-off-by:` with name/author being identical to the commit author * [ ] Code modified for feature * [ ] Test suite updated with functionality tests * [ ] Test suite updated with negative tests * [ ] Documentation updated / NEWS entry present (for non-trivial changes) * [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout) ## Reviewer's checklist: * [ ] Any issues marked for closing are addressed * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md` * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1930 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun Feb 9 14:46:04 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Sun, 09 Feb 2025 13:46:04 +0000 Subject: [gnutls-devel] GnuTLS | Various improvements leading to more easily build with GNU Guix (!1931) References: Message-ID: Maxim Cournoyer created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1931 Project:Branches: apteryks/gnutls:add-guix-scm-file-and-related-improvements to gnutls/gnutls:master Author: Maxim Cournoyer This makes it easier to build on Guix System or other non File-Hierarchy-Standard distributions (e.g. NixOS). It also add a `guix.scm` file which can be used to enter a complete development environment with just `guix shell`. The build environment of GnuTLS is complex enough that this should help when wanting to run for example `make distcheck`, as I need to do to investigate a fix for https://gitlab.com/gnutls/gnutls/-/merge_requests/1911, now reverted. * tests: Remove dependency on `which' command. A POSIX equivalent (command) works just as well. * tests/pkcs11-tool.sh: Replace 'which' invocations with 'command'. * tests/tpm2.sh: Likewise. * tests/tpmtool_test.sh: Likewise. * tests: Lookup softhsm tools from PATH. This is more portable, e.g. on non-FHS systems. * tests/testpkcs11.softhsm (init_card): Use POSIX's 'command' to test if softhsm2-util or softhsm is available from PATH. tests: Check softhsm2-util from PATH. * tests/pkcs11/softhsm.h (softhsm_bin): Check from PATH. * bootstrap: Invoke gnulib-tool script via 'sh'. This is to workaround the lack /bin/sh on non-FHS systems such as Guix. * guix.scm: New file. This is to make bootstrapping a complete development environment easier, along other Guix-provided perks such as build isolation and reproducibility tooling, etc. * README.md: Document. * guix.scm: New file. * Makefile.am (EXTRA_DIST): Register it. * Makefile.am: Hint at libdane requirement for distcheck target. * scripts: Use /usr/bin/env for more portable shebangs. Lookup perl from PATH instead of from its fixed expected location, which may not exist on non-FHS systems like Guix System and NixOS. * doc/scripts/gdoc: Adjust shebang to use /usr/bin/env. * doc/scripts/getfuncs.pl: Likewise. ## Checklist * [ ] Commits have `Signed-off-by:` with name/author being identical to the commit author * [ ] Code modified for feature * [ ] Test suite updated with functionality tests * [ ] Test suite updated with negative tests * [ ] Documentation updated / NEWS entry present (for non-trivial changes) * [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout) ## Reviewer's checklist: * [ ] Any issues marked for closing are addressed * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md` * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1931 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun Feb 9 14:51:31 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Sun, 09 Feb 2025 13:51:31 +0000 Subject: [gnutls-devel] cligen | Use 'env' in script shebangs. (!7) References: Message-ID: Maxim Cournoyer created a merge request: https://gitlab.com/gnutls/cligen/-/merge_requests/7 Project:Branches: apteryks/cligen:usr-bin-env-shebangs to gnutls/cligen:main Author: Maxim Cournoyer This is more portable, e.g. on non-FHS systems. * cli-codegen.py: Use env in script shebang. * cli-docgen.py: Likewise. Signed-off-by: Maxim Cournoyer -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/cligen/-/merge_requests/7 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun Feb 9 14:52:34 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Sun, 09 Feb 2025 13:52:34 +0000 Subject: [gnutls-devel] GnuTLS | Various improvements leading to more easily build with GNU Guix (!1931) In-Reply-To: References: Message-ID: Maxim Cournoyer commented: https://gitlab.com/gnutls/gnutls/-/merge_requests/1931#note_2338817812 Related: https://gitlab.com/gnutls/cligen/-/merge_requests/7 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1931#note_2338817812 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun Feb 9 15:51:50 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Sun, 09 Feb 2025 14:51:50 +0000 Subject: [gnutls-devel] GnuTLS | certtool-pkcs11 test fails (#1661) References: Message-ID: Maxim Cournoyer created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1661 ## Description of problem: When running `make check`, the certtool-pkcs11 test fails consistently. ## Version of gnutls used: Using the current latest commit (477a73324) of the master branch, 3.8.9. ## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL) N/A. ## How reproducible: Simply by running the test suite. Steps to Reproduce: Using Guix (with the guix.scm file available from https://gitlab.com/gnutls/gnutls/-/merge_requests/1931) * enter dev environment with `guix shell --pure` * run `sh bootstrap --no-git --gnulib-srcdir=gnulib --skip-po` * run `./configure --with-brotli=link --with-zlib=link --with-zstd=link` * run `make -j$(nproc) * run `make check -j$(nproc) ## Actual results: ``` ============================================================================ Testsuite summary for GnuTLS 3.8.9 ============================================================================ # TOTAL: 501 # PASS: 455 # SKIP: 45 # XFAIL: 0 # FAIL: 1 # XPASS: 0 # ERROR: 0 ============================================================================ See tests/test-suite.log ``` >From test-suite.log, the failure is: ``` FAIL: certtool-pkcs11 ===================== Testing PKCS11 verification * Initializing smart card... ok * Token: Could not find generated token check verify-pkcs11.debug for additional debugging information tail: cannot open 'verify-pkcs11.debug' for reading: No such file or directory FAIL certtool-pkcs11.sh (exit status: 1) ``` ## Expected results: All tests passing. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1661 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun Feb 9 15:56:45 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Sun, 09 Feb 2025 14:56:45 +0000 Subject: [gnutls-devel] GnuTLS | Build failure when building from git (#1633) In-Reply-To: References: Message-ID: Issue was closed by Maxim Cournoyer Issue #1633: https://gitlab.com/gnutls/gnutls/-/issues/1633 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1633 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun Feb 9 16:19:05 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Sun, 09 Feb 2025 15:19:05 +0000 Subject: [gnutls-devel] GnuTLS | Library incompatible with x86_64 CET/shadow stack (#1658) In-Reply-To: References: Message-ID: loqs commented: https://gitlab.com/gnutls/gnutls/-/issues/1658#note_2338834634 Have you looked at https://gitlab.com/gnutls/gnutls/-/issues/1043? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1658#note_2338834634 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun Feb 9 16:29:51 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Sun, 09 Feb 2025 15:29:51 +0000 Subject: [gnutls-devel] GnuTLS | doc: Avoid failures in a parallel build. (!1911) In-Reply-To: References: Message-ID: Maxim Cournoyer commented: https://gitlab.com/gnutls/gnutls/-/merge_requests/1911#note_2338836774 Alright, I can reproduce the `make distcheck` issue when this change is applied now. It looks like this: ``` make[4]: Entering directory '/home/maxim/src/gnutls/gnutls-3.8.9/_build/sub/doc' CC errcodes.o CC common.o CC printlist.o CC alert-printlist.o CCLD errcodes CCLD alert-printlist CCLD printlist ./errcodes > error_codes.texi-tmp ./alert-printlist > alerts.texi-tmp ./printlist > algorithms.texi-tmp mv -f error_codes.texi-tmp error_codes.texi mv -f alerts.texi-tmp alerts.texi mv -f algorithms.texi-tmp algorithms.texi MAKEINFO ../../../doc/gnutls.info mkdir: cannot create directory '.am14182': Permission denied could not open ../../../doc/gnutls.texi: No such file or directory /bin/sh: line 17: cd: ../../../doc: No such file or directory make[4]: *** [Makefile:5435: ../../../doc/gnutls.info] Error 1 make[4]: Leaving directory '/home/maxim/src/gnutls/gnutls-3.8.9/_build/sub/doc' make[3]: *** [Makefile:5644: all-recursive] Error 1 make[3]: Leaving directory '/home/maxim/src/gnutls/gnutls-3.8.9/_build/sub/doc' make[2]: *** [Makefile:2926: all-recursive] Error 1 make[2]: Leaving directory '/home/maxim/src/gnutls/gnutls-3.8.9/_build/sub' make[1]: *** [Makefile:2851: all] Error 2 make[1]: Leaving directory '/home/maxim/src/gnutls/gnutls-3.8.9/_build/sub' make: *** [Makefile:3145: distcheck] Error 1 ``` -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1911#note_2338836774 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun Feb 9 20:06:25 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Sun, 09 Feb 2025 19:06:25 +0000 Subject: [gnutls-devel] GnuTLS | Library incompatible with x86_64 CET/shadow stack (#1658) In-Reply-To: References: Message-ID: Maciej S_ Szmigiero commented on a discussion: https://gitlab.com/gnutls/gnutls/-/issues/1658#note_2338878008 Seems like a good starting point, thanks for bringing that issue to my attention. However, it looks like #1043 is specifically about updating CRYPTOGAMS code (which might make that code CET-compatible), while my point here is to track *all* effort to make the GnuTLS library CET-compatible. Which may or may not require additional work over just updating the CRYPTOGAMS code. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1658#note_2338878008 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun Feb 9 23:57:56 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Sun, 09 Feb 2025 22:57:56 +0000 Subject: [gnutls-devel] GnuTLS | handshake: only shuffle extensions in the first Client Hello (!1930) In-Reply-To: References: Message-ID: Ajit Singh was added as a reviewer. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1930 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Feb 10 01:10:33 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Mon, 10 Feb 2025 00:10:33 +0000 Subject: [gnutls-devel] GnuTLS | handshake: only shuffle extensions in the first Client Hello (!1930) In-Reply-To: References: Message-ID: Ajit Singh commented: https://gitlab.com/gnutls/gnutls/-/merge_requests/1930#note_2338950446 LGTM! -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1930#note_2338950446 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Feb 10 01:10:55 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Mon, 10 Feb 2025 00:10:55 +0000 Subject: [gnutls-devel] GnuTLS | handshake: only shuffle extensions in the first Client Hello (!1930) In-Reply-To: References: Message-ID: Merge request !1930 was approved by Ajit Singh Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1930 Project:Branches: dueno/gnutls:wip/dueno/no-shuffle-extensions to gnutls/gnutls:master Author: Daiki Ueno Assignees: Reviewer: Ajit Singh -- You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Feb 10 01:13:47 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Mon, 10 Feb 2025 00:13:47 +0000 Subject: [gnutls-devel] GnuTLS | Various improvements leading to more easily build with GNU Guix (!1931) In-Reply-To: References: Message-ID: Maxim Cournoyer commented: https://gitlab.com/gnutls/gnutls/-/merge_requests/1931#note_2338952002 The Fedora CI failure looks unrelated: ``` Uploading artifacts... ./*.log: found 1 matching artifact files and directories ./**/*.log: found 728 matching artifact files and directories WARNING: Upload request redirected location=https://gitlab.com/api/v4/jobs/9084451680/artifacts?artifact_format=zip&artifact_type=archive&expire_in=1+week new-url=https://gitlab.com WARNING: Retrying... context=artifacts-uploader error=request redirected Uploading artifacts as "archive" to coordinator... 201 Created id=9084451680 responseStatus=201 Created token=glcbt-66 Cleaning up project directory and file based variables 00:00 ERROR: Job failed: exit code 1 ``` -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1931#note_2338952002 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Feb 10 01:24:18 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Mon, 10 Feb 2025 00:24:18 +0000 Subject: [gnutls-devel] GnuTLS | Makefile.am: error if libdane missing on make dist (!1903) In-Reply-To: References: Message-ID: Maxim Cournoyer commented on a discussion on Makefile.am: https://gitlab.com/gnutls/gnutls/-/merge_requests/1903#note_2338956863 > @echo "******************************************************************************************" > > dist-hook: > +if !ENABLE_DANE It's `--enable-libdane`; which I've added to the distcheck configure flags here: https://gitlab.com/gnutls/gnutls/-/merge_requests/1931/diffs?commit_id=23b0dbe59972aa3f233d2fd6ea2cbe7524ba91b1 But as you noted, it already defaults to 'yes' and just warns when not found currently, so I guess this warning should be promoted to an error as Daiki wrote. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1903#note_2338956863 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Feb 10 02:38:14 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Mon, 10 Feb 2025 01:38:14 +0000 Subject: [gnutls-devel] GnuTLS | handshake: only shuffle extensions in the first Client Hello (!1930) In-Reply-To: References: Message-ID: Daiki Ueno commented: https://gitlab.com/gnutls/gnutls/-/merge_requests/1930#note_2338976974 Thank you for the prompt review, @peonix. I also added some test for that; could you have a quick look? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1930#note_2338976974 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Feb 10 03:24:08 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Mon, 10 Feb 2025 02:24:08 +0000 Subject: [gnutls-devel] GnuTLS | handshake: only shuffle extensions in the first Client Hello (!1930) In-Reply-To: References: Message-ID: Ajit Singh commented: https://gitlab.com/gnutls/gnutls/-/merge_requests/1930#note_2338994483 Looks good! -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1930#note_2338994483 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Feb 10 03:30:14 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Mon, 10 Feb 2025 02:30:14 +0000 Subject: [gnutls-devel] GnuTLS | handshake: only shuffle extensions in the first Client Hello (!1930) In-Reply-To: References: Message-ID: Merge request !1930 was merged Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1930 Project:Branches: dueno/gnutls:wip/dueno/no-shuffle-extensions to gnutls/gnutls:master Author: Daiki Ueno Reviewer: Ajit Singh -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1930 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Feb 10 03:30:15 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Mon, 10 Feb 2025 02:30:15 +0000 Subject: [gnutls-devel] GnuTLS | Extension order changes after HRR (#1660) In-Reply-To: References: Message-ID: Issue was closed by Daiki Ueno with merge request !1930 (https://gitlab.com/gnutls/gnutls/-/merge_requests/1930) Issue #1660: https://gitlab.com/gnutls/gnutls/-/issues/1660 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1660 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Feb 10 05:07:42 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Mon, 10 Feb 2025 04:07:42 +0000 Subject: [gnutls-devel] GnuTLS | Parallel build failures in doc: mv: cannot stat '.deps/common.Tpo': No such file or directory (#1635) In-Reply-To: References: Message-ID: Issue was reopened by Maxim Cournoyer Issue 1635: https://gitlab.com/gnutls/gnutls/-/issues/1635 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1635 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Feb 10 05:55:36 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Mon, 10 Feb 2025 04:55:36 +0000 Subject: [gnutls-devel] GnuTLS | Warnings when building documentation during make distcheck (#464) In-Reply-To: References: Message-ID: Maxim Cournoyer commented: https://gitlab.com/gnutls/gnutls/-/issues/464#note_2339070134 It seems these warnings are now errors using GCC 14: ``` Creating documentation for gnutls_ocsp_req_deinit... error: 574: Cannot understand prototype: 'typedef struct gnutls_pcert_st gnutls_pubkey_t pubkey; ' ``` -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/464#note_2339070134 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Feb 10 07:59:39 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Mon, 10 Feb 2025 06:59:39 +0000 Subject: [gnutls-devel] GnuTLS | fips: perform only signature PCT for all RSA algorithms (!1932) References: Message-ID: Daiki Ueno created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1932 Project:Branches: dueno/gnutls:wip/dueno/certtool-without-pkcs1 to gnutls/gnutls:master Author: Daiki Ueno * tests: do not assume RSAES-PKCS1-v1_5 is enabled in system config Signed-off-by: Alexander Sosedkin Signed-off-by: Daiki Ueno * fips: perform only signature PCT for all RSA algorithms FIPS 140-3 IG 10.3.A states that having a signature PCT also covers key transport for RSA. Therefore, this consolidate all code paths for RSA, RSA-PSS, and RSA-OAEP to exercise a signature PCT. Signed-off-by: Daiki Ueno ## Checklist * [x] Commits have `Signed-off-by:` with name/author being identical to the commit author * [ ] Code modified for feature * [ ] Test suite updated with functionality tests * [ ] Test suite updated with negative tests * [ ] Documentation updated / NEWS entry present (for non-trivial changes) * [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout) ## Reviewer's checklist: * [ ] Any issues marked for closing are addressed * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md` * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1932 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Feb 10 11:22:09 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Mon, 10 Feb 2025 10:22:09 +0000 Subject: [gnutls-devel] GnuTLS | Various improvements leading to more easily build with GNU Guix (!1931) In-Reply-To: References: Message-ID: Alexander Sosedkin commented: https://gitlab.com/gnutls/gnutls/-/merge_requests/1931#note_2339498058 While I welcome the portability changes, -1 on guix.scm. The problem with guix.scm/shell.nix/... is that these quickly go out of date unless the most active maintainers use them once per release or more frequently. At the very minimum, there must be a CI job exercising it, burning CI minutes, and then somebody also has to keep it up to date. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1931#note_2339498058 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Feb 10 12:50:37 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Mon, 10 Feb 2025 11:50:37 +0000 Subject: [gnutls-devel] GnuTLS | Bug Connecting to a TLS1.3 Only Server (#1637) In-Reply-To: References: Message-ID: Daiki Ueno commented: https://gitlab.com/gnutls/gnutls/-/issues/1637#note_2339674758 I believe this is the same issue as #1660. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1637#note_2339674758 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Feb 10 13:14:21 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Mon, 10 Feb 2025 12:14:21 +0000 Subject: [gnutls-devel] GnuTLS | doc: Fix races in a parallel build, take 2. (!1933) References: Message-ID: Maxim Cournoyer created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1933 Project:Branches: apteryks/gnutls:fix-doc-parallel-build to gnutls/gnutls:master Author: Maxim Cournoyer doc: Fix races in a parallel build, take 2. This is an alternative solution to that originally made in commit 8daba130c (now reverted), that doesn't break 'make distcheck'. * doc/Makefile.am (error_codes.texi, algorithms.texi, alerts.texi): Group as a single grouped target. Document. Fixes: ~~ Partially re-apply "doc: Fix races in a parallel build." This partially reverts commit 5300a8683d937ccf09ed01170d3bcb93d97ed605, reinstating just the MKDIR_P change, which is a good one. ## Checklist * [x] Commits have `Signed-off-by:` with name/author being identical to the commit author * [ ] Code modified for feature * [ ] Test suite updated with functionality tests * [ ] Test suite updated with negative tests * [ ] Documentation updated / NEWS entry present (for non-trivial changes) * [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout) ## Reviewer's checklist: * [ ] Any issues marked for closing are addressed * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md` * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1933 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Feb 10 13:17:37 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Mon, 10 Feb 2025 12:17:37 +0000 Subject: [gnutls-devel] GnuTLS | doc: Fix races in a parallel build, take 2. (!1933) In-Reply-To: References: Message-ID: Maxim Cournoyer commented: https://gitlab.com/gnutls/gnutls/-/merge_requests/1933#note_2339722759 Tested using the Guix environment from: https://gitlab.com/gnutls/gnutls/-/merge_requests/1931, like so: ``` $ guix shell --pure $ git clean -xfdd -- doc && ./bootstrap && ./configure && make distcheck -j32 V=1 XFAIL_TESTS=certtool-pkcs11.sh ``` The certtool-pkcs11.sh currently fails in such environment, see: https://gitlab.com/gnutls/gnutls/-/issues/1661 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1933#note_2339722759 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Feb 10 14:47:32 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Mon, 10 Feb 2025 13:47:32 +0000 Subject: [gnutls-devel] GnuTLS | Various improvements leading to more easily build with GNU Guix (!1931) In-Reply-To: References: Message-ID: Maxim Cournoyer commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/1931#note_2339916587 Hello! Considering the Debian/Fedora requirements listed in README.md were last touched in 2022, the value/maintenance cost ratio seems high to me, especially since it can be used on any GNU/Linux systems. For what it's worth, I'd also be happy to be poked if an issue ever gets reported against that `guix.scm` file here. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1931#note_2339916587 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Feb 11 04:54:14 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 11 Feb 2025 03:54:14 +0000 Subject: [gnutls-devel] GnuTLS | fips: simplify self-tests for RSA algorithms (!1932) In-Reply-To: References: Message-ID: Daiki Ueno commented: https://gitlab.com/gnutls/gnutls/-/merge_requests/1932#note_2341019857 This grafts RSA part of !1907. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1932#note_2341019857 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Feb 11 12:59:53 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 11 Feb 2025 11:59:53 +0000 Subject: [gnutls-devel] GnuTLS | Draft: kTLS: keyupdate test improvements (!1934) References: Message-ID: Franti?ek Kren?elok created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1934 Project:Branches: FrantisekKrenzelok/gnutls:ktls-keyupdate-support to gnutls/gnutls:master Author: Franti?ek Kren?elok Assignee: Franti?ek Kren?elok * kTLS: keyupdate test improvements - ktls_utils.h has helper funtion to create standard sockets required for ktls support testing. - key_update test for kTLS is now a flavourt of the tls13/key_update test instead of being standalone(broadens the testing cases). - gnutls_ktls.c now uses the aformentioned ktls_utils.h ## Checklist * [ ] Commits have `Signed-off-by:` with name/author being identical to the commit author * [ ] Code modified for feature * [ ] Test suite updated with functionality tests * [ ] Test suite updated with negative tests * [ ] Documentation updated / NEWS entry present (for non-trivial changes) * [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout) ## Reviewer's checklist: * [ ] Any issues marked for closing are addressed * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md` * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1934 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Feb 11 12:59:52 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 11 Feb 2025 11:59:52 +0000 Subject: [gnutls-devel] GnuTLS | Draft: kTLS: keyupdate test improvements (!1934) In-Reply-To: References: Message-ID: Reassigned merge request 1934 https://gitlab.com/gnutls/gnutls/-/merge_requests/1934 Franti?ek Kren?elok was added as an assignee. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1934 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Feb 11 13:00:27 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 11 Feb 2025 12:00:27 +0000 Subject: [gnutls-devel] GnuTLS | Draft: kTLS: keyupdate refresh (!1934) In-Reply-To: References: Message-ID: Franti?ek Kren?elok marked merge request !1934 as draft -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1934 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Feb 11 15:08:17 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 11 Feb 2025 14:08:17 +0000 Subject: [gnutls-devel] GnuTLS | Draft: kTLS: keyupdate refresh (!1934) In-Reply-To: References: Message-ID: Daiki Ueno was added as a reviewer. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1934 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Feb 12 05:53:28 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 12 Feb 2025 04:53:28 +0000 Subject: [gnutls-devel] GnuTLS | fips: simplify self-tests for RSA algorithms (!1932) In-Reply-To: References: Message-ID: Alexander Sosedkin was added as a reviewer. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1932 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Feb 12 05:53:36 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 12 Feb 2025 04:53:36 +0000 Subject: [gnutls-devel] GnuTLS | fips: simplify self-tests for RSA algorithms (!1932) In-Reply-To: References: Message-ID: Zolt?n Fridrich was added as a reviewer. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1932 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Feb 12 11:44:21 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 12 Feb 2025 10:44:21 +0000 Subject: [gnutls-devel] GnuTLS | fips: adjust RSA self-tests after PKCS#1 v1.5 padding is no longer acceptable (!1932) In-Reply-To: References: Message-ID: Alexander Sosedkin commented: https://gitlab.com/gnutls/gnutls/-/merge_requests/1932#note_2343936241 Looks fine to me, assuming the answer to [is it enough to have only PSS KAT test](https://gitlab.com/gnutls/gnutls/-/merge_requests/1907#note_2296471660) is a yes. Also, on the PCTs, IG 10.3.A opens up with some strictness > if at the time a PCT on a key pair is performed > it is known whether the keys will be used in a key agreement scheme, > digital signature algorithm or to perform a key transport, > then the PCT shall be performed consistent with the intended use of the keys > (i.e., TE10.35.01 for key transport, TE10.35.02 1 for signatures, > or TE10.35.03 2 for key agreement), > even if the underlying standard does not require a PCT only to immediately follow up with with the following *any*: > 3. If at the time when the PCT is performed the keys? intended usage is not known, > then *any* of the three PCTs described in > AS10.35 shall be performed on this key pair. That sharp turn of a rollercoaster simultaneously 1. reads like we can skip testing both in pct_test(GNUTLS_PK_RSA) and 2. makes me uneasy about actually doing that due its narrative structure =) Of course, I'm no FIPS lawyer. =/ -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1932#note_2343936241 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Feb 12 14:14:20 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 12 Feb 2025 13:14:20 +0000 Subject: [gnutls-devel] Guile-GnuTLS | Segmentation fault following `read_from_session_record_port`, calling `scm_to_bool` with an invalid value (#29) References: Message-ID: Christopher Baines created an issue: https://gitlab.com/gnutls/guile/-/issues/29 I'm seeing Guile segfault, I think while trying to print an exception that originates from Guile GnuTLS. `read_from_session_record_port` is calling `scm_to_bool` with an invalid value. Maybe `scm_is_true` should be used instead of `scm_to_bool`? I presume there's some underlying problem that would still exist though. ``` #0 iprin1 (exp=0x0, port=# 7fcd84fcc580>, pstate=0x7fcf32ba2e08) at /tmp/guix-build-guile-next-3.0.10-0.5d3f561.drv-0/source/libguile/print.c:628 #1 0x00007fcf3ecc907a in scm_iprin1 (exp=, port=, pstate=) at /tmp/guix-build-guile-next-3.0.10-0.5d3f561.drv-0/source/libguile/print.c:561 #2 0x00007fcf3ecc94ff in scm_iprlist (hdr=hdr at entry=0x7fcf3ed19af0 "(", exp=exp at entry=0x7fcefc3777d0, tlr=tlr at entry=41, port=port at entry=# 7fcd84fcc580>, pstate=pstate at entry=0x7fcf32ba2e08) at /tmp/guix-build-guile-next-3.0.10-0.5d3f561.drv-0/source/libguile/print.c:1019 #3 0x00007fcf3ecc7f72 in iprin1 (exp=0x7fcefc3777d0, port=# 7fcd84fcc580>, pstate=0x7fcf32ba2e08) at /tmp/guix-build-guile-next-3.0.10-0.5d3f561.drv-0/source/libguile/print.c:653 #4 0x00007fcf3ecc907a in scm_iprin1 (exp=, port=, pstate=) at /tmp/guix-build-guile-next-3.0.10-0.5d3f561.drv-0/source/libguile/print.c:561 #5 0x00007fcf3ecc928c in scm_prin1 (exp=0x7fcefc3777d0, port=, writingp=) at /tmp/guix-build-guile-next-3.0.10-0.5d3f561.drv-0/source/libguile/print.c:840 #6 0x00007fcf3ecc93a2 in scm_write (obj=0x7fcefc3777d0, port=0x7fcd84fcc3e0) at /tmp/guix-build-guile-next-3.0.10-0.5d3f561.drv-0/source/libguile/print.c:1099 #7 0x00007fcf3ecf473f in vm_regular_engine (thread=0x7fcf32d4a6c0) at /tmp/guix-build-guile-next-3.0.10-0.5d3f561.drv-0/source/libguile/vm-engine.c:972 #8 0x00007fcf3ed02445 in scm_call_n (proc=, argv=, nargs=2) at /tmp/guix-build-guile-next-3.0.10-0.5d3f561.drv-0/source/libguile/vm.c:1616 #9 0x00007fcf3ec6b71a in scm_call_2 (proc=, arg1=, arg2=) at /tmp/guix-build-guile-next-3.0.10-0.5d3f561.drv-0/source/libguile/eval.c:503 #10 0x00007fcf3ecc8f29 in iprin1 (exp=0x7fcedc18db40, port=# 7fcd84fcc580>, pstate=0x7fcf32ba2e08) at /tmp/guix-build-guile-next-3.0.10-0.5d3f561.drv-0/source/libguile/print.c:645 #11 0x00007fcf3ecc907a in scm_iprin1 (exp=, port=, pstate=) at /tmp/guix-build-guile-next-3.0.10-0.5d3f561.drv-0/source/libguile/print.c:561 #12 0x00007fcf3ecc94ff in scm_iprlist (hdr=hdr at entry=0x7fcf3ed19af0 "(", exp=0x7fcefc377420, exp at entry=0x7fcefc377480, tlr=tlr at entry=41, port=port at entry=# 7fcd84fcc580>, pstate=pstate at entry=0x7fcf32ba2e08) at /tmp/guix-build-guile-next-3.0.10-0.5d3f561.drv-0/source/libguile/print.c:1019 #13 0x00007fcf3ecc7f72 in iprin1 (exp=0x7fcefc377480, port=# 7fcd84fcc580>, pstate=0x7fcf32ba2e08) at /tmp/guix-build-guile-next-3.0.10-0.5d3f561.drv-0/source/libguile/print.c:653 #14 0x00007fcf3ecc907a in scm_iprin1 (exp=, port=, pstate=) at /tmp/guix-build-guile-next-3.0.10-0.5d3f561.drv-0/source/libguile/print.c:561 #15 0x00007fcf3ecc928c in scm_prin1 (exp=0x7fcefc377480, port=, writingp=) at /tmp/guix-build-guile-next-3.0.10-0.5d3f561.drv-0/source/libguile/print.c:840 #16 0x00007fcf3ecc93a2 in scm_write (obj=0x7fcefc377480, port=0x7fcd84fcc500) at /tmp/guix-build-guile-next-3.0.10-0.5d3f561.drv-0/source/libguile/print.c:1099 #17 0x00007fcf3ecf473f in vm_regular_engine (thread=0x7fcf32d4a6c0) at /tmp/guix-build-guile-next-3.0.10-0.5d3f561.drv-0/source/libguile/vm-engine.c:972 #18 0x00007fcf3ed02445 in scm_call_n (proc=, argv=, nargs=2) at /tmp/guix-build-guile-next-3.0.10-0.5d3f561.drv-0/source/libguile/vm.c:1616 --Type for more, q to quit, c to continue without paging-- #19 0x00007fcf3ec6b71a in scm_call_2 (proc=, arg1=, arg2=) at /tmp/guix-build-guile-next-3.0.10-0.5d3f561.drv-0/source/libguile/eval.c:503 #20 0x00007fcf3ecc8f29 in iprin1 (exp=0x7fcedc190ea0, port=# 7fcd84fcc580>, pstate=0x7fcf32ba2e08) at /tmp/guix-build-guile-next-3.0.10-0.5d3f561.drv-0/source/libguile/print.c:645 #21 0x00007fcf3ecc907a in scm_iprin1 (exp=, port=, pstate=) at /tmp/guix-build-guile-next-3.0.10-0.5d3f561.drv-0/source/libguile/print.c:561 #22 0x00007fcf3ecc924d in scm_prin1 (exp=0x7fcedc190ea0, port=# 7fcd84fcc580>, writingp=1) at /tmp/guix-build-guile-next-3.0.10-0.5d3f561.drv-0/source/libguile/print.c:840 #23 0x00007fcf3ecc93a2 in scm_write (obj=0x7fcedc190ea0, port=# 7fcd84fcc580>) at /tmp/guix-build-guile-next-3.0.10-0.5d3f561.drv-0/source/libguile/print.c:1099 #24 0x00007fcf3ecf473f in vm_regular_engine (thread=0x7fcf32d4a6c0) at /tmp/guix-build-guile-next-3.0.10-0.5d3f561.drv-0/source/libguile/vm-engine.c:972 #25 0x00007fcf3ed02445 in scm_call_n (proc=, argv=, nargs=5) at /tmp/guix-build-guile-next-3.0.10-0.5d3f561.drv-0/source/libguile/vm.c:1616 #26 0x00007fcf3ec6fff9 in scm_apply_0 (proc=#, args=()) at /tmp/guix-build-guile-next-3.0.10-0.5d3f561.drv-0/source/libguile/eval.c:603 #27 0x00007fcf3ecf232d in scm_throw (key=wrong-type-arg, args=0x7fcefc3776b0) at /tmp/guix-build-guile-next-3.0.10-0.5d3f561.drv-0/source/libguile/throw.c:262 #28 0x00007fcf3ecf2349 in scm_ithrow (key=, args=, no_return=) at /tmp/guix-build-guile-next-3.0.10-0.5d3f561.drv-0/source/libguile/throw.c:457 #29 0x00007fcf3ec6cee5 in scm_error_scm (key=key at entry=wrong-type-arg, subr=, message=message at entry="Wrong type: ~S", args=args at entry=0x7fcefc3777d0, data=data at entry=0x7fcefc3777e0) at /tmp/guix-build-guile-next-3.0.10-0.5d3f561.drv-0/source/libguile/error.c:90 #30 0x00007fcf3ec6cf40 in scm_error (key=wrong-type-arg, subr=subr at entry=0x0, message=, args=0x7fcefc3777d0, rest=rest at entry=0x7fcefc3777e0) at /tmp/guix-build-guile-next-3.0.10-0.5d3f561.drv-0/source/libguile/error.c:62 #31 0x00007fcf3ec6e0ca in scm_wrong_type_arg (subr=0x0, pos=0, bad_value=0x0) at /tmp/guix-build-guile-next-3.0.10-0.5d3f561.drv-0/source/libguile/error.c:247 #32 0x00007fcf3ec64620 in scm_to_bool (x=) at /tmp/guix-build-guile-next-3.0.10-0.5d3f561.drv-0/source/libguile/boolean.c:100 #33 scm_to_bool (x=) at /tmp/guix-build-guile-next-3.0.10-0.5d3f561.drv-0/source/libguile/boolean.c:93 #34 0x00007fcf3011ab8a in read_from_session_record_port (port=, dst=, start=, count=1024) at core.c:1124 #35 0x00007fcf3ecbfe0c in trampoline_to_c_read (port=# 7fcefc4e1e00>, dst="#" = {...}, start=0, count=1024) at /tmp/guix-build-guile-next-3.0.10-0.5d3f561.drv-0/source/libguile/ports.c:266 ``` -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/guile/-/issues/29 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Feb 12 17:33:50 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 12 Feb 2025 16:33:50 +0000 Subject: [gnutls-devel] GnuTLS | Need TLS 1.3 support for Echo server with anonymous authentication (#1663) References: Message-ID: sroy9gmu created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1663 I have been trying to implement a simple echo server with anonymous authentication. Server code used is: https://gitlab.com/gnutls/gnutls/-/blob/5c1a38f7e6943cb21cbca4d220beb93cbf57397f/doc/examples/ex-serv-anon.c Client code is: https://gitlab.com/gnutls/gnutls/-/blob/5c1a38f7e6943cb21cbca4d220beb93cbf57397f/doc/examples/ex-client-anon.c. I am unable to implement it using TLS 1.3 version, currently it executes TLS 1.2 version which is an older standard. Is there any way I can change the protocol version for this implementation? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1663 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Feb 12 21:03:34 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 12 Feb 2025 20:03:34 +0000 Subject: [gnutls-devel] GnuTLS | Parsing a certificate containing numerous names or name constraints leads to a DoS attack (#1553) In-Reply-To: References: Message-ID: Andreas Metzler commented: https://gitlab.com/gnutls/gnutls/-/issues/1553#note_2345026954 Hello, I have backported the fix to 3.7.x. Due to the be big code-reformattting this was rather cumbersome. I would appreciate a second pair eyes. [65-x509-optimize-name-constraints-processing.patch](/uploads/7fa0578c045f7179698b747ef8e1997e/65-x509-optimize-name-constraints-processing.patch) -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1553#note_2345026954 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Feb 13 00:58:09 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 12 Feb 2025 23:58:09 +0000 Subject: [gnutls-devel] GnuTLS | Extension order changes after HRR (#1660) In-Reply-To: References: Message-ID: Milestone changed to Release of GnuTLS 3.8.9 (Nov 5, 2024?Jan 5, 2025) ( https://gitlab.com/gnutls/gnutls/-/milestones/47 ) -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1660 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Feb 13 00:58:16 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 12 Feb 2025 23:58:16 +0000 Subject: [gnutls-devel] GnuTLS | Extension order changes after HRR (#1660) In-Reply-To: References: Message-ID: Milestone removed -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1660 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Feb 13 01:00:10 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Thu, 13 Feb 2025 00:00:10 +0000 Subject: [gnutls-devel] GnuTLS | Extension order changes after HRR (#1660) In-Reply-To: References: Message-ID: Milestone changed to Release of GnuTLS 3.8.10 (Feb 7, 2025?Apr 7, 2025) ( https://gitlab.com/gnutls/gnutls/-/milestones/48 ) -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1660 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Feb 13 08:30:48 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Thu, 13 Feb 2025 07:30:48 +0000 Subject: [gnutls-devel] GnuTLS | Parsing a certificate containing numerous names or name constraints leads to a DoS attack (#1553) In-Reply-To: References: Message-ID: Alexander Sosedkin commented on a discussion: https://gitlab.com/gnutls/gnutls/-/issues/1553#note_2345687023 Looks fine to me! I've been independently doing the same for 3.6 yesterday, and also struggled with the same reformatting change. If you'd like to return the favour, cross-check patches or their application results, here it is: [gnutls-3.6.16-CVE-2024-12243.patch](/uploads/d316e52b4ce196030ef0c3f1a49f32bd/gnutls-3.6.16-CVE-2024-12243.patch) -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1553#note_2345687023 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Feb 13 09:29:16 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Thu, 13 Feb 2025 08:29:16 +0000 Subject: [gnutls-devel] GnuTLS | Handle "early_data" extension in NewSessionTicket (#1664) References: Message-ID: Daiki Ueno created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1664 The fix for #1619 revealed that we don't handle "early_data" extension in NewSessionTicket message and thus there is no way for the client to know the maximum early data size. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1664 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Feb 13 12:34:10 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Thu, 13 Feb 2025 11:34:10 +0000 Subject: [gnutls-devel] Guile-GnuTLS | Segmentation fault following `read_from_session_record_port`, calling `scm_to_bool` with an invalid value (#29) In-Reply-To: References: Message-ID: Simon Josefsson commented: https://gitlab.com/gnutls/guile/-/issues/29#note_2346234858 Can you trigger this in any simple way? The backtrace is beyond what I'm able to do anything with, so I'm hoping you can continue to see if there is some code change you can think of to improve things. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/guile/-/issues/29#note_2346234858 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Feb 13 14:46:03 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Thu, 13 Feb 2025 13:46:03 +0000 Subject: [gnutls-devel] Guile-GnuTLS | Segmentation fault following `read_from_session_record_port`, calling `scm_to_bool` with an invalid value (#29) In-Reply-To: References: Message-ID: Christopher Baines commented: https://gitlab.com/gnutls/guile/-/issues/29#note_2346503133 I don't know how to reproduce this unfortunately. As I say, using `scm_is_true` rather than `scm_to_bool` should avoid Guile segfaulting, which might in turn reveal more about the context for this issue if it happens again. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/guile/-/issues/29#note_2346503133 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Feb 13 22:19:48 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Thu, 13 Feb 2025 21:19:48 +0000 Subject: [gnutls-devel] Guile-GnuTLS | Segmentation fault following `read_from_session_record_port`, calling `scm_to_bool` with an invalid value (#29) In-Reply-To: References: Message-ID: Simon Josefsson commented: https://gitlab.com/gnutls/guile/-/issues/29#note_2347328762 Which guile version are you using? There is some code that is enabled for guile before 2.2, I wonder if that is ever used in practice today? Should we drop that? Maybe it will lower code complexity. I'm trying to understand the code here. Isn't this just the case where the scm_to_gnutls_session() returns NULL, which isn't all that an invalid situation if a connection was lost or something? Then the code fails like this, but I think it should just ignore things and treat it as a gone session instead. I'm just speculating here. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/guile/-/issues/29#note_2347328762 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Feb 13 22:34:51 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Thu, 13 Feb 2025 21:34:51 +0000 Subject: [gnutls-devel] GnuTLS | Library incompatible with x86_64 CET/shadow stack (#1658) In-Reply-To: References: Message-ID: loqs commented on a discussion: https://gitlab.com/gnutls/gnutls/-/issues/1658#note_2347342677 If you disable the assembly code does the generated library not support both `IBT` and `SHSTK`? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1658#note_2347342677 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Feb 14 02:01:00 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 14 Feb 2025 01:01:00 +0000 Subject: [gnutls-devel] GnuTLS | Support seed-only private keys for ML-DSA/ML-KEM (#1665) References: Message-ID: Daiki Ueno created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1665 After a [discussion](https://mailarchive.ietf.org/arch/msg/spasm/vaAKtzW3BVHN8cm_JbwIaX-ypms/) in the IETF LAMPS working group, the current consensus is to only support seed-only private keys for ML-DSA and ML-KEM, though GnuTLS currently only support expanded private keys. We may, at least optionally, want to support the seed-only format for private keys. At the library API level, there is an existing mechanism used for provable key generation for RSA: - `gnutls_privkey_generate2` with `GNUTLS_KEYGEN_SEED` parameter to generate a private key from/through a seed - `gnutls_privkey_get_seed` to retrieve the seed to generate a private key As for the file format, when writing a private key, we probably should use the seed-only format by default specified in [section 6](https://www.ietf.org/archive/id/draft-ietf-lamps-dilithium-certificates-07.html#name-private-key-format) of draft-ietf-lamps-dilithium-certificates-07. When reading, on the other hand, we may also support a expanded-only format which I would propose as signified by the presence of a "publicKey" field in a OneAsymmetricKey structure (with the "version" field set to 1), so it is mutually exclusive with the seed-only format. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1665 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Feb 14 02:23:24 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 14 Feb 2025 01:23:24 +0000 Subject: [gnutls-devel] GnuTLS | Library incompatible with x86_64 CET/shadow stack (#1658) In-Reply-To: References: Message-ID: Daiki Ueno commented: https://gitlab.com/gnutls/gnutls/-/issues/1658#note_2347549018 Depending on your use-case, it might be an option to build GnuTLS with `--disable-hardware-acceleration`, relying on the optimizations provided by Nettle. You could check the performance difference with: ```console # with Nettle assembly GNUTLS_CPUID_OVERRIDE=0x1 src/gnutls-cli --benchmark-ciphers Checking AEAD ciphers, payload size: 16384 AES-128-GCM 3.58 GB/sec AES-128-CCM 1.42 GB/sec CHACHA20-POLY1305 0.63 GB/sec [...] # with OpenSSL assembly env -u GNUTLS_CPUID_OVERRIDE src/gnutls-cli --benchmark-ciphers Checking AEAD ciphers, payload size: 16384 AES-128-GCM 7.79 GB/sec AES-128-CCM 1.44 GB/sec CHACHA20-POLY1305 0.63 GB/sec [...] ``` On a decent x86_64 machine, you will observe visible differences, e.g., in AES-128-GCM test, though they are not an order of magnitude these days. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1658#note_2347549018 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Feb 14 07:59:40 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 14 Feb 2025 06:59:40 +0000 Subject: [gnutls-devel] GnuTLS | Need TLS 1.3 support for Echo server with anonymous authentication (#1663) In-Reply-To: References: Message-ID: Daiki Ueno commented: https://gitlab.com/gnutls/gnutls/-/issues/1663#note_2347904301 Anonymous authentication is [deprecated](https://www.rfc-editor.org/rfc/rfc8446#appendix-C.5) in TLS 1.3; you would need to use other means, such as raw public keys. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1663#note_2347904301 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Feb 14 08:51:19 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 14 Feb 2025 07:51:19 +0000 Subject: [gnutls-devel] cligen | Use 'env' in script shebangs. (!7) In-Reply-To: References: Message-ID: Merge request !7 was approved by Daiki Ueno Merge request URL: https://gitlab.com/gnutls/cligen/-/merge_requests/7 Project:Branches: apteryks/cligen:usr-bin-env-shebangs to gnutls/cligen:main Author: Maxim Cournoyer Assignees: Reviewers: -- You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Feb 14 08:53:17 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 14 Feb 2025 07:53:17 +0000 Subject: [gnutls-devel] cligen | Use 'env' in script shebangs. (!7) In-Reply-To: References: Message-ID: Merge request !7 was unapproved by Daiki Ueno Merge request URL: https://gitlab.com/gnutls/cligen/-/merge_requests/7 Project:Branches: apteryks/cligen:usr-bin-env-shebangs to gnutls/cligen:main Author: Maxim Cournoyer Assignees: Reviewers: -- You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Feb 14 08:56:57 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 14 Feb 2025 07:56:57 +0000 Subject: [gnutls-devel] cligen | Use 'env' in script shebangs. (!7) In-Reply-To: References: Message-ID: Daiki Ueno commented: https://gitlab.com/gnutls/cligen/-/merge_requests/7#note_2347970478 Usually I would rather avoid `#!/usr/bin/env interpreter`, for the reasons described at https://blogs.gnome.org/mcatanzaro/2018/02/16/on-python-shebangs/, but it might not apply to this case as those scripts are only used at build time. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/cligen/-/merge_requests/7#note_2347970478 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Feb 14 09:43:28 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 14 Feb 2025 08:43:28 +0000 Subject: [gnutls-devel] GnuTLS | Draft: kTLS: keyupdate refresh (!1934) In-Reply-To: References: Message-ID: Merge request !1934 was approved by Daiki Ueno Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1934 Project:Branches: FrantisekKrenzelok/gnutls:ktls-keyupdate-support to gnutls/gnutls:master Author: Franti?ek Kren?elok Assignee: Franti?ek Kren?elok Reviewer: Daiki Ueno -- You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Feb 14 09:43:28 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 14 Feb 2025 08:43:28 +0000 Subject: [gnutls-devel] GnuTLS | Draft: kTLS: keyupdate refresh (!1934) In-Reply-To: References: Message-ID: Merge request https://gitlab.com/gnutls/gnutls/-/merge_requests/1934 was reviewed by Daiki Ueno -- Daiki Ueno started a new discussion on tests/tls13/key_update.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1934#note_2348046533 > + > +/* ktls needs to use real sockets */ > +int FD[2]; Can this be moved to `RUN` as a local variable (and pass it as an argument to `create_sockets` and `close_sockets`)? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1934 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Feb 14 09:43:29 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 14 Feb 2025 08:43:29 +0000 Subject: [gnutls-devel] GnuTLS | Draft: kTLS: keyupdate refresh (!1934) In-Reply-To: References: Message-ID: Daiki Ueno commented: https://gitlab.com/gnutls/gnutls/-/merge_requests/1934#note_2348046560 Looks good to me, except one minor nit. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1934#note_2348046560 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Feb 14 18:15:53 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 14 Feb 2025 17:15:53 +0000 Subject: [gnutls-devel] cligen | Use 'env' in script shebangs. (!7) In-Reply-To: References: Message-ID: Maxim Cournoyer commented: https://gitlab.com/gnutls/cligen/-/merge_requests/7#note_2349038560 Indeed, the last paragraph says it's fine for build time usage, which it is. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/cligen/-/merge_requests/7#note_2349038560 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Feb 14 18:17:14 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 14 Feb 2025 17:17:14 +0000 Subject: [gnutls-devel] cligen | Use 'env' in script shebangs. (!7) In-Reply-To: References: Message-ID: Maxim Cournoyer commented: https://gitlab.com/gnutls/cligen/-/merge_requests/7#note_2349041520 The post also completely ignores the existence of non-FHS distributions, where /usr/bin/python3 would not exist and be found via other means (typically from PATH, so env makes sense there). -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/cligen/-/merge_requests/7#note_2349041520 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Feb 14 19:24:23 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 14 Feb 2025 18:24:23 +0000 Subject: [gnutls-devel] GnuTLS | Draft: kTLS: keyupdate refresh (!1934) In-Reply-To: References: Message-ID: Andreas Metzler commented: https://gitlab.com/gnutls/gnutls/-/merge_requests/1934#note_2349175593 Could you add some docs about what kernel version is needed? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1934#note_2349175593 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Feb 14 19:43:25 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 14 Feb 2025 18:43:25 +0000 Subject: [gnutls-devel] GnuTLS | Release 3.8.9 (!1928) In-Reply-To: References: Message-ID: Alexander Sosedkin commented: https://gitlab.com/gnutls/gnutls/-/merge_requests/1928#note_2349198539 In case somebody lands here looking for backports of "x509: optimize name constraints processing", there's a couple of them shared in the [issue thread](https://gitlab.com/gnutls/gnutls/-/issues/1553#note_2345026954). -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1928#note_2349198539 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Feb 14 23:40:24 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 14 Feb 2025 22:40:24 +0000 Subject: [gnutls-devel] GnuTLS | Library incompatible with x86_64 CET/shadow stack (#1658) In-Reply-To: References: Message-ID: loqs commented on a discussion: https://gitlab.com/gnutls/gnutls/-/issues/1658#note_2349438277 Would KTLS be another option that retains CET support? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1658#note_2349438277 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat Feb 15 02:35:57 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Sat, 15 Feb 2025 01:35:57 +0000 Subject: [gnutls-devel] GnuTLS | build: fix SONAME detection when linking failed (!1935) References: Message-ID: Daiki Ueno created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1935 Project:Branches: dueno/gnutls:wip/dueno/minor-fixes to gnutls/gnutls:master Author: Daiki Ueno * tests: make pqc-hybrid-kx.sh work when system time set beyond 2038 Signed-off-by: Daiki Ueno * build: fix SONAME detection when linking failed When linking to a shared library fails, the previous check defined the _LIBRARY_SONAME macro to "none", instead of leaving it undefined. Signed-off-by: Daiki Ueno ## Checklist * [ ] Commits have `Signed-off-by:` with name/author being identical to the commit author * [ ] Code modified for feature * [ ] Test suite updated with functionality tests * [ ] Test suite updated with negative tests * [ ] Documentation updated / NEWS entry present (for non-trivial changes) * [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout) ## Reviewer's checklist: * [ ] Any issues marked for closing are addressed * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md` * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1935 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat Feb 15 15:53:08 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Sat, 15 Feb 2025 14:53:08 +0000 Subject: [gnutls-devel] GnuTLS | Parsing a certificate containing numerous names or name constraints leads to a DoS attack (#1553) In-Reply-To: References: Message-ID: Andreas Metzler commented on a discussion: https://gitlab.com/gnutls/gnutls/-/issues/1553#note_2349709875 This is more involved than the changes for 3.7, due to the gnulib changes [INT_(MULTIPLY|ADD)_OK missing, replaced by coding using _OVERFLOW], ditto for _gnutls_reallocarray. I assume you got these pieces right. Apart from that it looks good to me and the obvious checks, (certtool -i and -e with the cert in this report) show the fix working. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1553#note_2349709875 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat Feb 15 17:41:10 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Sat, 15 Feb 2025 16:41:10 +0000 Subject: [gnutls-devel] GnuTLS | Draft: kTLS: keyupdate refresh (!1934) In-Reply-To: References: Message-ID: Franti?ek Kren?elok commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/1934#note_2349735328 Good point will do -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1934#note_2349735328 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat Feb 15 17:41:50 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Sat, 15 Feb 2025 16:41:50 +0000 Subject: [gnutls-devel] GnuTLS | Draft: kTLS: keyupdate refresh (!1934) In-Reply-To: References: Message-ID: Franti?ek Kren?elok commented on a discussion on tests/tls13/key_update.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1934#note_2349735475 > +#define CHECK_KTLS_ENABLED(session) \ > + switch (gnutls_transport_is_ktls_enabled(session)) { \ > + case GNUTLS_KTLS_RECV: \ > + fail("kTLS: Only recv support is initiated\n"); \ > + break; \ > + case GNUTLS_KTLS_SEND: \ > + fail("kTLS: Only send support is initiated\n"); \ > + break; \ > + case GNUTLS_KTLS_DUPLEX: \ > + break; \ > + default: \ > + fail("kTLS: dissabled\n"); \ > + } > + > +/* ktls needs to use real sockets */ > +int FD[2]; Yeah was thinking the same. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1934#note_2349735475 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun Feb 16 01:19:55 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Sun, 16 Feb 2025 00:19:55 +0000 Subject: [gnutls-devel] GnuTLS | Improve 0-RTT handling in gnutls-serv/gnutls-cli (!1936) References: Message-ID: Daiki Ueno created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1936 Project:Branches: dueno/gnutls:wip/dueno/nst-extensions to gnutls/gnutls:master Author: Daiki Ueno * tests: add basic tests for 0-RTT with gnutls-serv and gnutls-cli * cli: preserve negotiated max_early_data_size across resumption * serv: fix detection of early data reception Upon success, gnutls_record_recv_early_data returns the amount of data received, so the application should treat positive numbers as an indication of early data reception. * gnutls_record_set_max_early_data_size: make it callable from client Since commit 9a7ce5a74cbef069394f677c0c79af2c876546db, max_early_data_size is initialized as 0 on the client side, and set only after receiving NewSessionTicket. There are, however, no ways to preserve the max_early_data_size value across multiple calls to gnutls_init. This patch allows the client to set the negotiated max_early_data_size in the second session, through gnutls_record_set_max_early_data_size. Fixes: #1664 ## Checklist * [x] Commits have `Signed-off-by:` with name/author being identical to the commit author * [ ] Code modified for feature * [x] Test suite updated with functionality tests * [ ] Test suite updated with negative tests * [ ] Documentation updated / NEWS entry present (for non-trivial changes) * [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout) ## Reviewer's checklist: * [ ] Any issues marked for closing are addressed * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md` * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1936 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun Feb 16 01:23:34 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Sun, 16 Feb 2025 00:23:34 +0000 Subject: [gnutls-devel] GnuTLS | Improve 0-RTT handling in gnutls-serv/gnutls-cli (!1936) In-Reply-To: References: Message-ID: Daiki Ueno commented: https://gitlab.com/gnutls/gnutls/-/merge_requests/1936#note_2349822090 @valdaarhun would you mind taking a look? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1936#note_2349822090 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun Feb 16 04:18:34 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Sun, 16 Feb 2025 03:18:34 +0000 Subject: [gnutls-devel] GnuTLS | Need TLS 1.3 support for Echo server with anonymous authentication (#1663) In-Reply-To: References: Message-ID: sroy9gmu commented: https://gitlab.com/gnutls/gnutls/-/issues/1663#note_2349847425 Thank you for the clarification. I tried the echo server-client example using PSK authentication, and it showed TLS 1.3 support in its output. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1663#note_2349847425 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun Feb 16 04:18:33 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Sun, 16 Feb 2025 03:18:33 +0000 Subject: [gnutls-devel] GnuTLS | Need TLS 1.3 support for Echo server with anonymous authentication (#1663) In-Reply-To: References: Message-ID: Issue was closed by sroy9gmu Issue #1663: https://gitlab.com/gnutls/gnutls/-/issues/1663 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1663 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun Feb 16 16:32:44 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Sun, 16 Feb 2025 15:32:44 +0000 Subject: [gnutls-devel] GnuTLS | Improve 0-RTT handling in gnutls-serv/gnutls-cli (!1936) In-Reply-To: References: Message-ID: Sahil Siddiq commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/1936#note_2349992954 Hi, sure thing. Let me take a look at it. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1936#note_2349992954 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun Feb 16 20:54:53 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Sun, 16 Feb 2025 19:54:53 +0000 Subject: [gnutls-devel] GnuTLS | Improve 0-RTT handling in gnutls-serv/gnutls-cli (!1936) In-Reply-To: References: Message-ID: Merge request https://gitlab.com/gnutls/gnutls/-/merge_requests/1936 was reviewed by Sahil Siddiq -- Sahil Siddiq commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/1936#note_2350107420 >From the description above: ``` max_early_data_size is initialized as 0 on the client side, and set only after receiving NewSessionTicket. There are, however, no ways to preserve the max_early_data_size value across multiple calls to gnutls_init. ``` Based on what I have understood, `max_early_data_size` is set for the first time when the client receives NewSessionTicket during the second session. `gnutls_record_set_max_early_data_size` is then used to persist this value so that the client retains this without having to receive another session ticket in subsequent sessions. Is my understanding correct? I tried running the test on my machine. It fails when trying to reconnect to the server. Here's the output: ``` reserved port 53868 Echo Server listening on IPv4 0.0.0.0 port 53868...done Echo Server listening on IPv6 :: port 53868...done error sending early data Error in handshake: The TLS connection was non-properly terminated. Processed 1 CA certificate(s). Resolving 'localhost:53868'... Connecting to '::1:53868'... - Certificate type: X.509 - Got a certificate list of 1 certificates. - Certificate[0] info: - subject `CN=localhost', issuer `CN=GnuTLS Test CA', serial 0x53662b3911be18cb, EC/ECDSA key 256 bits, signed using RSA-SHA256, activated `2014-05-04 11:57:46 UTC', expires `9999-12-31 23:59:59 UTC', pin-sha256="3BRRBzy9UTnQoTsZrEiVZm9GKvX1V946kDNinW6F2L4=" Public Key ID: sha1:bef600c6246b60eab5f813c9a5d5e0c929d5d733 sha256:dc1451073cbd5139d0a13b19ac4895666f462af5f557de3a9033629d6e85d8be Public Key PIN: pin-sha256:3BRRBzy9UTnQoTsZrEiVZm9GKvX1V946kDNinW6F2L4= - Status: The certificate is trusted. - Description: (TLS1.3-X.509)-(ECDHE-SECP256R1)-(ECDSA-SECP256R1-SHA256)-(AES-256-GCM) - Session ID: 93:44:5A:90:69:E2:D3:1E:44:21:4D:47:CE:34:77:65:13:FB:72:81:DC:21:29:E3:51:97:B1:CC:16:5C:F3:52 - Options: - Handshake was completed - Disconnecting - Connecting again- trying to resume previous session Resolving 'localhost:53868'... Connecting to '::1:53868'... Failure: failed to communicate with the server Exiting via signal 15 unreserved port 53868 FAIL gnutls-cli-earlydata.sh (exit status: 1) ``` -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1936 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun Feb 16 21:06:01 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Sun, 16 Feb 2025 20:06:01 +0000 Subject: [gnutls-devel] GnuTLS | Improve 0-RTT handling in gnutls-serv/gnutls-cli (!1936) In-Reply-To: References: Message-ID: Merge request https://gitlab.com/gnutls/gnutls/-/merge_requests/1936 was reviewed by Sahil Siddiq -- Sahil Siddiq started a new discussion on src/cli.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1936#note_2350109730 > ((gnutls_session_get_flags(hd->session) & > GNUTLS_SFLAGS_SESSION_TICKET))) { > + max_early_data_size = The value of `max_early_data_size` is set here in the session due to the [call](https://gitlab.com/gnutls/gnutls/-/blob/master/src/cli.c#L1004) to gnutls_session_get_data2(). `max_early_data_size` and `hd` are then passed to socket_open_int() which in turn calls gnutls_record_set_max_early_data_size(). In the implementation of gnutls_record_set_max_early_data_size(), we are simply setting `session->security_parameters.max_early_data_size` to "size". Given that "size" originally came from the same session parameter in gnutls_record_get_max_early_data_size(), this call isn't required in socket.c, right? -- Sahil Siddiq started a new discussion on src/socket.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1936#note_2350109732 > if (hd->session) { > if (hd->edata.data) { > + ret = gnutls_record_set_max_early_data_size( `hd->session->security_parameters.max_early_data_size` should already by set to `max_early_data_size` due to the call to gnutls_session_get_data2() in cli.c -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1936 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun Feb 16 23:19:28 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Sun, 16 Feb 2025 22:19:28 +0000 Subject: [gnutls-devel] GnuTLS | Library incompatible with x86_64 CET/shadow stack (#1658) In-Reply-To: References: Message-ID: Maciej S_ Szmigiero commented on a discussion: https://gitlab.com/gnutls/gnutls/-/issues/1658#note_2350140436 With `--disable-hardware-acceleration` GnuTLS libraries seem to retain their CET markings indeed. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1658#note_2350140436 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun Feb 16 23:50:51 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Sun, 16 Feb 2025 22:50:51 +0000 Subject: [gnutls-devel] GnuTLS | Improve 0-RTT handling in gnutls-serv/gnutls-cli (!1936) In-Reply-To: References: Message-ID: Daiki Ueno commented on a discussion on src/cli.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1936#note_2350146964 > GNUTLS_TLS1_3) || > ((gnutls_session_get_flags(hd->session) & > GNUTLS_SFLAGS_SESSION_TICKET))) { > + max_early_data_size = The problem is that the data (session ticket) retrieved with `gnutls_session_get_data2` can only be decrypted by the server and from anyone else (including the client), it looks like an opaque blob. We could store max_early_data_size as a metadata along with the session ticket to eliminate the need of calling get/set_max_early_data, though I guess it would be a non-trivial change. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1936#note_2350146964 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Feb 17 03:10:53 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Mon, 17 Feb 2025 02:10:53 +0000 Subject: [gnutls-devel] GnuTLS | Library incompatible with x86_64 CET/shadow stack (#1658) In-Reply-To: References: Message-ID: Daiki Ueno commented on a discussion: https://gitlab.com/gnutls/gnutls/-/issues/1658#note_2350241451 That would also be an option, as long as TLS performance is concerned. In any case, considering the maintenance state and licensing concerns, I guess we should slowly move away from CRYPTOGAMS and focus on improving optimizations in Nettle. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1658#note_2350241451 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Feb 17 04:29:14 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Mon, 17 Feb 2025 03:29:14 +0000 Subject: [gnutls-devel] GnuTLS | Certificate Validation Differences (#1631) In-Reply-To: References: Message-ID: dulanshuangqiao commented on a discussion: https://gitlab.com/gnutls/gnutls/-/issues/1631#note_2350385210 There is no staff to handle this report for a long time.This is very important for my work. Can I continue to deal with this problem? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1631#note_2350385210 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Feb 17 04:30:13 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Mon, 17 Feb 2025 03:30:13 +0000 Subject: [gnutls-devel] GnuTLS | SKI extension with empty values are valid (#1621) In-Reply-To: References: Message-ID: dulanshuangqiao commented: https://gitlab.com/gnutls/gnutls/-/issues/1621#note_2350387729 There is no staff to handle this report for a long time.This is very important for my work. Can I continue to deal with this problem? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1621#note_2350387729 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Feb 17 04:30:24 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Mon, 17 Feb 2025 03:30:24 +0000 Subject: [gnutls-devel] GnuTLS | The Extended Key Usage extension should be invalid (#1624) In-Reply-To: References: Message-ID: dulanshuangqiao commented: https://gitlab.com/gnutls/gnutls/-/issues/1624#note_2350387894 There is no staff to handle this report for a long time.This is very important for my work. Can I continue to deal with this problem? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1624#note_2350387894 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Feb 17 04:29:57 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Mon, 17 Feb 2025 03:29:57 +0000 Subject: [gnutls-devel] GnuTLS | Verify command error output (#1617) In-Reply-To: References: Message-ID: dulanshuangqiao commented: https://gitlab.com/gnutls/gnutls/-/issues/1617#note_2350387529 There is no staff to handle this report for a long time.This is very important for my work. Can I continue to deal with this problem? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1617#note_2350387529 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Feb 17 09:14:58 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Mon, 17 Feb 2025 08:14:58 +0000 Subject: [gnutls-devel] GnuTLS | TAG check for extensions (#1652) In-Reply-To: References: Message-ID: dulanshuangqiao commented: https://gitlab.com/gnutls/gnutls/-/issues/1652#note_2350666924 There is no staff to handle this report for a long time.This is very important for my work. Can I continue to deal with this problem? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1652#note_2350666924 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Feb 17 09:15:40 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Mon, 17 Feb 2025 08:15:40 +0000 Subject: [gnutls-devel] GnuTLS | Invalid certificate policy extension (#1623) In-Reply-To: References: Message-ID: dulanshuangqiao commented: https://gitlab.com/gnutls/gnutls/-/issues/1623#note_2350667999 There is no staff to handle this report for a long time.This is very important for my work. Can I continue to deal with this problem? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1623#note_2350667999 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Feb 17 12:03:12 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Mon, 17 Feb 2025 11:03:12 +0000 Subject: [gnutls-devel] GnuTLS | Parsing a certificate containing numerous names or name constraints leads to a DoS attack (#1553) In-Reply-To: References: Message-ID: Alexander Sosedkin commented on a discussion: https://gitlab.com/gnutls/gnutls/-/issues/1553#note_2351062385 Glad to hear that, and thank you for the review! -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1553#note_2351062385 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Feb 17 20:59:58 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Mon, 17 Feb 2025 19:59:58 +0000 Subject: [gnutls-devel] GnuTLS | Improve 0-RTT handling in gnutls-serv/gnutls-cli (!1936) In-Reply-To: References: Message-ID: Sahil Siddiq commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/1936#note_2352297895 Apologies. I missed applying some of the commits in my branch. The test works after applying all 4 commits. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1936#note_2352297895 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Feb 17 21:04:10 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Mon, 17 Feb 2025 20:04:10 +0000 Subject: [gnutls-devel] GnuTLS | Improve 0-RTT handling in gnutls-serv/gnutls-cli (!1936) In-Reply-To: References: Message-ID: Sahil Siddiq commented on a discussion on src/cli.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1936#note_2352304633 > GNUTLS_TLS1_3) || > ((gnutls_session_get_flags(hd->session) & > GNUTLS_SFLAGS_SESSION_TICKET))) { > + max_early_data_size = Understood. My primary concern with this change is allowing the client to use gnutls_record_set_max_early_data_size(). If someone inadvertently uses this function when writing a client application, it might introduce a bug since it'll now be possible to hard code this value in the client. How about printing a warning if this is called by a client? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1936#note_2352304633 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Feb 17 21:15:03 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Mon, 17 Feb 2025 20:15:03 +0000 Subject: [gnutls-devel] GnuTLS | Improve 0-RTT handling in gnutls-serv/gnutls-cli (!1936) In-Reply-To: References: Message-ID: Sahil Siddiq commented on a discussion on src/socket.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1936#note_2352325732 > > if (hd->session) { > if (hd->edata.data) { > + ret = gnutls_record_set_max_early_data_size( Sorry, ignore this comment. I missed the call to `init_tls_session` in socket.c -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1936#note_2352325732 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Feb 17 21:24:49 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Mon, 17 Feb 2025 20:24:49 +0000 Subject: [gnutls-devel] GnuTLS | Improve 0-RTT handling in gnutls-serv/gnutls-cli (!1936) In-Reply-To: References: Message-ID: Sahil Siddiq commented: https://gitlab.com/gnutls/gnutls/-/merge_requests/1936#note_2352344527 One nitpick - the description of [gnutls_record_recv_early_data()](https://gitlab.com/gnutls/gnutls/-/blob/master/lib/record.c#L2231) should be modified as shown: ```diff + * Returns: The number of bytes received and zero when early data - * Returns: The number of bytes received when early data * reading is complete. A negative error code is returned in case of ``` -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1936#note_2352344527 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Feb 18 00:04:13 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Mon, 17 Feb 2025 23:04:13 +0000 Subject: [gnutls-devel] GnuTLS | Draft: kTLS: keyupdate refresh (!1934) In-Reply-To: References: Message-ID: All discussions on merge request !1934 were resolved by Franti?ek Kren?elok https://gitlab.com/gnutls/gnutls/-/merge_requests/1934 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1934 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Feb 18 00:06:08 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Mon, 17 Feb 2025 23:06:08 +0000 Subject: [gnutls-devel] GnuTLS | kTLS: keyupdate refresh (!1934) In-Reply-To: References: Message-ID: Franti?ek Kren?elok marked merge request !1934 as ready -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1934 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Feb 18 02:05:08 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 18 Feb 2025 01:05:08 +0000 Subject: [gnutls-devel] GnuTLS | Store extension data alongside session ticket (#1667) References: Message-ID: Daiki Ueno created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1667 `gnutls_session_get_data*` and `gnutls_session_set_data*` currently only deal with the bare session tickets, meaning that any metadata associated with it (e.g., max_early_data_size) needs to be manually preserved (see !1936). As this is cumbersome and error-prone, maybe we could store the entire [NewSessionTicket](https://www.rfc-editor.org/rfc/rfc8446#section-4.6.1) message instead. A tricky thing is that the format of the NST message is [different](https://www.rfc-editor.org/rfc/rfc5077#section-3.3) in TLS 1.2 and TLS 1.3, maybe we could use TLS 1.3 version as it is more expressive. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1667 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Feb 18 02:06:10 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 18 Feb 2025 01:06:10 +0000 Subject: [gnutls-devel] GnuTLS | Improve 0-RTT handling in gnutls-serv/gnutls-cli (!1936) In-Reply-To: References: Message-ID: Daiki Ueno commented on a discussion on src/cli.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1936#note_2352717824 > GNUTLS_TLS1_3) || > ((gnutls_session_get_flags(hd->session) & > GNUTLS_SFLAGS_SESSION_TICKET))) { > + max_early_data_size = That makes sense, I'll add a debug logging there. As for storing the extension data, I've filed #1667. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1936#note_2352717824 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Feb 18 08:00:44 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 18 Feb 2025 07:00:44 +0000 Subject: [gnutls-devel] GnuTLS | Parsing a certificate containing numerous names or name constraints leads to a DoS attack (#1553) In-Reply-To: References: Message-ID: Daiki Ueno commented on a discussion: https://gitlab.com/gnutls/gnutls/-/issues/1553#note_2352926410 Thanks both, looks good to me as well. Would it be possible to have an MR filed against gnutls_3_7_x branch at least, so we may eventually create a 3.7.12 release? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1553#note_2352926410 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Feb 18 12:59:47 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 18 Feb 2025 11:59:47 +0000 Subject: [gnutls-devel] libtasn1 | Minor fixes for code readability (!113) In-Reply-To: References: Message-ID: Simon Josefsson commented: https://gitlab.com/gnutls/libtasn1/-/merge_requests/113#note_2353473998 Looks good to me. @dueno is this ready to be merged now? I added a review comment about dropping comments, I didn't understand that. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/-/merge_requests/113#note_2353473998 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Feb 18 13:22:40 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 18 Feb 2025 12:22:40 +0000 Subject: [gnutls-devel] GnuTLS | build: fix SONAME detection when linking failed (!1935) In-Reply-To: References: Message-ID: Alexander Sosedkin and Zolt?n Fridrich were added as reviewers. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1935 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Feb 18 14:22:15 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 18 Feb 2025 13:22:15 +0000 Subject: [gnutls-devel] GnuTLS | Improve 0-RTT handling in gnutls-serv/gnutls-cli (!1936) In-Reply-To: References: Message-ID: Alicja Kario (@mention me if you need reply) commented: https://gitlab.com/gnutls/gnutls/-/merge_requests/1936#note_2353643010 We probably should store the whole NST Handshake protocol message on the disk: while it's early_data now, there's work on tls_flags extension now, so there may be additional changes still?having it all as opaque blobs written to disk will make it more future prof... -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1936#note_2353643010 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Feb 18 17:05:59 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 18 Feb 2025 16:05:59 +0000 Subject: [gnutls-devel] web-pages | Lulu links are broken (#7) References: Message-ID: Zolt?n Fridrich created an issue: https://gitlab.com/gnutls/web-pages/-/issues/7 The links on the documentation page\[1\] to Lulu are broken. The book is still online for the 3.4 version on Lulu. \[1\] https://www.gnutls.org/documentation.html -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/web-pages/-/issues/7 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Feb 18 17:28:21 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 18 Feb 2025 16:28:21 +0000 Subject: [gnutls-devel] web-pages | Fix lulu links (!15) References: Message-ID: Zolt?n Fridrich created a merge request: https://gitlab.com/gnutls/web-pages/-/merge_requests/15 Project:Branches: ZoltanFridrich/gnutls-web-pages:zfridric_devel to gnutls/web-pages:master Author: Zolt?n Fridrich Assignee: Zolt?n Fridrich Closes #7 Signed-off-by: Zoltan Fridrich -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/web-pages/-/merge_requests/15 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Feb 18 17:28:19 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 18 Feb 2025 16:28:19 +0000 Subject: [gnutls-devel] web-pages | Fix lulu links (!15) In-Reply-To: References: Message-ID: Reassigned merge request 15 https://gitlab.com/gnutls/web-pages/-/merge_requests/15 Zolt?n Fridrich was added as an assignee. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/web-pages/-/merge_requests/15 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Feb 18 17:29:35 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 18 Feb 2025 16:29:35 +0000 Subject: [gnutls-devel] web-pages | Fix lulu links (!15) In-Reply-To: References: Message-ID: Merge request !15 was merged Merge request URL: https://gitlab.com/gnutls/web-pages/-/merge_requests/15 Project:Branches: ZoltanFridrich/gnutls-web-pages:zfridric_devel to gnutls/web-pages:master Author: Zolt?n Fridrich Assignee: Zolt?n Fridrich -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/web-pages/-/merge_requests/15 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Feb 18 17:29:36 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 18 Feb 2025 16:29:36 +0000 Subject: [gnutls-devel] web-pages | Lulu links are broken (#7) In-Reply-To: References: Message-ID: Issue was closed by Zolt?n Fridrich with merge request !15 (https://gitlab.com/gnutls/web-pages/-/merge_requests/15) Issue #7: https://gitlab.com/gnutls/web-pages/-/issues/7 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/web-pages/-/issues/7 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Feb 18 17:43:52 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 18 Feb 2025 16:43:52 +0000 Subject: [gnutls-devel] GnuTLS | build: fix SONAME detection when linking failed (!1935) In-Reply-To: References: Message-ID: Zolt?n Fridrich commented: https://gitlab.com/gnutls/gnutls/-/merge_requests/1935#note_2354182923 LGTM -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1935#note_2354182923 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Feb 18 17:43:45 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 18 Feb 2025 16:43:45 +0000 Subject: [gnutls-devel] GnuTLS | build: fix SONAME detection when linking failed (!1935) In-Reply-To: References: Message-ID: Merge request !1935 was approved by Zolt?n Fridrich Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1935 Project:Branches: dueno/gnutls:wip/dueno/minor-fixes to gnutls/gnutls:master Author: Daiki Ueno Assignees: Reviewers: Alexander Sosedkin and Zolt?n Fridrich -- You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Feb 18 19:12:12 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 18 Feb 2025 18:12:12 +0000 Subject: [gnutls-devel] GnuTLS | Parsing a certificate containing numerous names or name constraints leads to a DoS attack (#1553) In-Reply-To: References: Message-ID: Andreas Metzler commented on a discussion: https://gitlab.com/gnutls/gnutls/-/issues/1553#note_2354354491 I can put it on my TODO list but am unlikely to find time for this earlier than on Saturday or Sunday. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1553#note_2354354491 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Feb 18 23:28:30 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 18 Feb 2025 22:28:30 +0000 Subject: [gnutls-devel] libtasn1 | Parsing a certificate containing numerous names or name constraints leads to a DoS attack (#52) In-Reply-To: References: Message-ID: Tim Kosse commented: https://gitlab.com/gnutls/libtasn1/-/issues/52#note_2354661444 I'm sorry if this may be unrelated, but looking at the patches, seeing _asn1_find_up as culprit reminded me of an obscure issue I observed a few times a couple of years ago: There were a handful of Windows systems that, for reasons unknown, have an abnormal CRL in the system trust store that is megabytes in size, to the effect that calling GnuTLS's gnutls_certificate_set_x509_system_trust takes a few minutes to complete. If I remember correctly, _asn1_find_up was in the hot path in a profile I received. The workaround back then was to reset the system trust store to its default contents. Would anyone of you happen to know if this issue could possibly affect the CRL parsing in GnuTLS as well? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/-/issues/52#note_2354661444 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Feb 18 23:45:32 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 18 Feb 2025 22:45:32 +0000 Subject: [gnutls-devel] libtasn1 | Time to parse a few entries and a lot of entries is not linear (#51) In-Reply-To: References: Message-ID: Tim Kosse commented: https://gitlab.com/gnutls/libtasn1/-/issues/51#note_2354674501 I just saw your issue after having commented on https://gitlab.com/gnutls/libtasn1/-/issues/52 how that issue might also affect CRL parsing. Could you please try 4.20 and report your findings, and if it's still slow, attach a CRL exhibiting the slowness? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/-/issues/51#note_2354674501 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Feb 20 08:00:57 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Thu, 20 Feb 2025 07:00:57 +0000 Subject: [gnutls-devel] libtasn1 | Minor fixes for code readability (!113) In-Reply-To: References: Message-ID: Daiki Ueno commented: https://gitlab.com/gnutls/libtasn1/-/merge_requests/113#note_2357713232 Yes, I think this is ready. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/-/merge_requests/113#note_2357713232 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Feb 20 09:02:16 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Thu, 20 Feb 2025 08:02:16 +0000 Subject: [gnutls-devel] GnuTLS | build: fix SONAME detection when linking failed (!1935) In-Reply-To: References: Message-ID: Merge request !1935 was merged Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1935 Project:Branches: dueno/gnutls:wip/dueno/minor-fixes to gnutls/gnutls:master Author: Daiki Ueno Reviewers: Alexander Sosedkin and Zolt?n Fridrich -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1935 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Feb 20 09:02:07 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Thu, 20 Feb 2025 08:02:07 +0000 Subject: [gnutls-devel] GnuTLS | build: fix SONAME detection when linking failed (!1935) In-Reply-To: References: Message-ID: Daiki Ueno commented: https://gitlab.com/gnutls/gnutls/-/merge_requests/1935#note_2357797258 Thanks for the review! -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1935#note_2357797258 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Feb 20 09:55:39 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Thu, 20 Feb 2025 08:55:39 +0000 Subject: [gnutls-devel] libtasn1 | Minor fixes for code readability (!113) In-Reply-To: References: Message-ID: Simon Josefsson commented: https://gitlab.com/gnutls/libtasn1/-/merge_requests/113#note_2357888864 Okay -- good. Did you see my comment about removing the comments about ABI break for the duplicated struct? Was there any reason to remove these? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/-/merge_requests/113#note_2357888864 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Feb 20 13:04:21 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Thu, 20 Feb 2025 12:04:21 +0000 Subject: [gnutls-devel] libtasn1 | Minor fixes for code readability (!113) In-Reply-To: References: Message-ID: Daiki Ueno commented: https://gitlab.com/gnutls/libtasn1/-/merge_requests/113#note_2358283330 Sorry Simon, I couldn't find your comment; where did you put it? My rationale for removing the code comment is that, there are no duplicated structs anymore. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/-/merge_requests/113#note_2358283330 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Feb 20 16:22:32 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Thu, 20 Feb 2025 15:22:32 +0000 Subject: [gnutls-devel] libtasn1 | Minor fixes for code readability (!113) In-Reply-To: References: Message-ID: Simon Josefsson commented: https://gitlab.com/gnutls/libtasn1/-/merge_requests/113#note_2358741559 I put it here: https://gitlab.com/gnutls/libtasn1/-/merge_requests/113/diffs#note_2358283330 Can never make up my mind of these kind of inline code review comments are workable or not... Hmm. Doesn't `asn1_static_node_st` have to match the struct in `int.h`? I see they diverged already. So maybe you are right that these doesn't have to be synced any longer?! This happened in 2012 with the addition of `name_hash` so it seems we should have noticed any real problem because of the divergence already? I didn't analyze this fully... -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/-/merge_requests/113#note_2358741559 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Feb 20 17:59:59 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Thu, 20 Feb 2025 16:59:59 +0000 Subject: [gnutls-devel] GnuTLS | SRP authentication disabled by default in 3.8.4+ (#1668) References: Message-ID: Robin created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1668 ## Description of problem: It seems that the SRP auth is disabled by default in 3.8.4 and later, is this wanted ? I did not find any information on this in the documentation. I tried to compile from the sources downloaded on the website (3.8.9) but I get a compile error if using the `--enable-srp-authentication` but compilation works on master with the same flag. ``` In file included from ./str.h:28, from ./auth.h:26, from auth/srp_kx.h:26, from srp.c:24: ./gnutls_int.h:490:9: error: unknown type name 'gnutls_buffer_st' 490 | gnutls_buffer_st data; | ^~~~~~~~~~~~~~~~ ./gnutls_int.h:1215:9: error: unknown type name 'gnutls_buffer_st' 1215 | gnutls_buffer_st | ^~~~~~~~~~~~~~~~ ./gnutls_int.h:1301:9: error: unknown type name 'gnutls_buffer_st' 1301 | gnutls_buffer_st early_data_presend_buffer; | ^~~~~~~~~~~~~~~~ ./gnutls_int.h:1305:9: error: unknown type name 'gnutls_buffer_st' 1305 | gnutls_buffer_st record_key_update_buffer; | ^~~~~~~~~~~~~~~~ ./gnutls_int.h:1306:9: error: unknown type name 'gnutls_buffer_st' 1306 | gnutls_buffer_st record_presend_buffer; /* holds cached data | ^~~~~~~~~~~~~~~~ ./gnutls_int.h:1312:9: error: unknown type name 'gnutls_buffer_st' 1312 | gnutls_buffer_st reauth_buffer; | ^~~~~~~~~~~~~~~~ ./gnutls_int.h:1468:9: error: unknown type name 'gnutls_buffer_st' 1468 | gnutls_buffer_st post_handshake_hash_buffer; | ^~~~~~~~~~~~~~~~ ./gnutls_int.h:1546:9: error: unknown type name 'gnutls_buffer_st' 1546 | gnutls_buffer_st full_client_hello; | ^~~~~~~~~~~~~~~~ ./gnutls_int.h:1550:9: error: unknown type name 'gnutls_buffer_st' 1550 | gnutls_buffer_st hb_local_data; | ^~~~~~~~~~~~~~~~ ./gnutls_int.h:1551:9: error: unknown type name 'gnutls_buffer_st' 1551 | gnutls_buffer_st hb_remote_data; | ^~~~~~~~~~~~~~~~ In file included from ./gnutls_int.h:1741: ./algorithms.h:233:37: error: unknown type name 'gnutls_buffer_st'; did you mean 'gnutls_buffer_t'? 233 | gnutls_buffer_st *cdata, | ^~~~~~~~~~~~~~~~ | gnutls_buffer_t ./algorithms.h:340:1: error: unknown type name 'mod_auth_st' 340 | mod_auth_st *_gnutls_kx_auth_struct(gnutls_kx_algorithm_t algorithm); | ^~~~~~~~~~~ ``` ## Version of gnutls used: 3.8.4, 3.8.9, master ## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL) - Homebrew - MacPorts - Source tarball ## How reproducible: Steps to Reproduce: - linking with a 3.8+ GnuTLS on mac (homebrew, MacPorts) or 3.8+ compiled with default configure script on linux - call `gnutls_srp_allocate_server_credentials` func in a program. ## Actual results: An error: ``` An unimplemented or disabled feature has been requested. ``` ## Expected results: No error -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1668 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Feb 20 18:03:37 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Thu, 20 Feb 2025 17:03:37 +0000 Subject: [gnutls-devel] GnuTLS | SRP authentication disabled by default in 3.8.4+ (#1668) In-Reply-To: References: Message-ID: Robin commented: https://gitlab.com/gnutls/gnutls/-/issues/1668#note_2359024005 Ok, after digging a bit more I found [this comit](a21e89edacfe4ec3c501b030fff59c11fd20dcf0) -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1668#note_2359024005 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Feb 20 18:04:27 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Thu, 20 Feb 2025 17:04:27 +0000 Subject: [gnutls-devel] GnuTLS | SRP authentication disabled by default in 3.8.4+ (#1668) In-Reply-To: References: Message-ID: Issue was closed by Robin Issue #1668: https://gitlab.com/gnutls/gnutls/-/issues/1668 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1668 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Feb 20 23:31:32 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Thu, 20 Feb 2025 22:31:32 +0000 Subject: [gnutls-devel] libtasn1 | Minor fixes for code readability (!113) In-Reply-To: References: Message-ID: Daiki Ueno commented: https://gitlab.com/gnutls/libtasn1/-/merge_requests/113#note_2359456420 > Can never make up my mind of these kind of inline code review comments are workable or not... I still can't see your comment; perhaps it might be marked as "Pending"? Such comments are only published after you submit the [review](https://docs.gitlab.com/user/project/merge_requests/reviews/#submit-a-review) with the "Finish review" button below the page. > Hmm. Doesn't `asn1_static_node_st` have to match the struct in `int.h`? I don't think it's relevant here; while it has a similar name, it is used for different purposes and there is an explicit conversion function (`asn1_array2tree`). The removed duplicated struct I meant is f21ac35f6ea131cef3ce3636aa6da7851c81762b (`node_asn_struct`, the previous name of `asn1_node_st`). -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/-/merge_requests/113#note_2359456420 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Feb 21 11:11:47 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 21 Feb 2025 10:11:47 +0000 Subject: [gnutls-devel] libtasn1 | Minor fixes for code readability (!113) In-Reply-To: References: Message-ID: Simon Josefsson commented on a discussion: https://gitlab.com/gnutls/libtasn1/-/merge_requests/113#note_2360170311 You were right - I didn't click 'Finish review'. I dropped it now since we already discuss it here :smile: Okay I think we are good to go, I'll try to merge. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/-/merge_requests/113#note_2360170311 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Feb 21 11:12:01 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 21 Feb 2025 10:12:01 +0000 Subject: [gnutls-devel] libtasn1 | Minor fixes for code readability (!113) In-Reply-To: References: Message-ID: Merge request !113 was set to auto-merge by Simon Josefsson Merge request url: https://gitlab.com/gnutls/libtasn1/-/merge_requests/113 Project:Branches: dueno/libtasn1:wip/minor-fixes to gnutls/libtasn1:master Author: Daiki Ueno Assignees: Reviewers: -- You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Feb 21 11:12:30 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 21 Feb 2025 10:12:30 +0000 Subject: [gnutls-devel] libtasn1 | Minor fixes for code readability (!113) In-Reply-To: References: Message-ID: All discussions on merge request !113 were resolved by Simon Josefsson https://gitlab.com/gnutls/libtasn1/-/merge_requests/113 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/-/merge_requests/113 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Feb 21 11:12:32 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 21 Feb 2025 10:12:32 +0000 Subject: [gnutls-devel] libtasn1 | Minor fixes for code readability (!113) In-Reply-To: References: Message-ID: Merge request !113 was merged Merge request URL: https://gitlab.com/gnutls/libtasn1/-/merge_requests/113 Project:Branches: dueno/libtasn1:wip/minor-fixes to gnutls/libtasn1:master Author: Daiki Ueno -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/-/merge_requests/113 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat Feb 22 11:47:57 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Sat, 22 Feb 2025 10:47:57 +0000 Subject: [gnutls-devel] GnuTLS | Improve 0-RTT handling in gnutls-serv/gnutls-cli (!1936) In-Reply-To: References: Message-ID: Sahil Siddiq commented on a discussion on src/cli.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1936#note_2362366967 > GNUTLS_TLS1_3) || > ((gnutls_session_get_flags(hd->session) & > GNUTLS_SFLAGS_SESSION_TICKET))) { > + max_early_data_size = Sounds good to me :) -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1936#note_2362366967 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat Feb 22 15:24:49 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Sat, 22 Feb 2025 14:24:49 +0000 Subject: [gnutls-devel] GnuTLS | Backport fix CVE-2024-12243 to 3.7.x branch (!1937) References: Message-ID: Andreas Metzler created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1937 Project:Branches: ametzler/gnutls:tmp-ametzler-3.7.x-CVE-2024-12243 to gnutls/gnutls:gnutls_3_7_x Author: Andreas Metzler As per https://gitlab.com/gnutls/gnutls/-/issues/1553#note_2352926410 Fixes #1553 for 3.7.x ## Checklist * [x] Commits have `Signed-off-by:` with name/author being identical to the commit author * [ ] Code modified for feature * [ ] Test suite updated with functionality tests * [ ] Test suite updated with negative tests * [ ] Documentation updated / NEWS entry present (for non-trivial changes) * [x] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout) ## Reviewer's checklist: * [ ] Any issues marked for closing are addressed * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md` * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1937 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat Feb 22 15:25:48 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Sat, 22 Feb 2025 14:25:48 +0000 Subject: [gnutls-devel] GnuTLS | Backport fix CVE-2024-12243 to 3.7.x branch (!1937) In-Reply-To: References: Message-ID: Andreas Metzler commented: https://gitlab.com/gnutls/gnutls/-/merge_requests/1937#note_2362443947 The CI errors are not caused by the changes, head of gnutls_3_7_x throws the same errors. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1937#note_2362443947 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat Feb 22 15:40:00 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Sat, 22 Feb 2025 14:40:00 +0000 Subject: [gnutls-devel] Guile-GnuTLS | Use cross-CPP for cross-build (!32) References: Message-ID: Andreas Metzler created a merge request: https://gitlab.com/gnutls/guile/-/merge_requests/32 Branches: tmp-2025-fix-crossbuild to master Author: Andreas Metzler Quoting Helmut Grohne on https://bugs.debian.org/1098407 > guile-gnutls fails to cross build from source, because it uses the build > architecture cpp via guile-snarf. While configure correctly detects the > host one, it is not communicated to guile-snarf and thus it ends up > using the wrong one. I'm attaching a patch for your convenience. I have no idea about the CI errors (except for the copyright-year warning) I cannot see how they could be related to this change and do not see a testsuite error locally. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/guile/-/merge_requests/32 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Feb 25 09:26:57 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 25 Feb 2025 08:26:57 +0000 Subject: [gnutls-devel] GnuTLS | GnuTLS Verification Error (#1669) References: Message-ID: dulanshuangqiao created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1669 ## Description of problem: GnuTLS incorrectly passed the certificate validation, which is different from the validation results of OpenSSL and WolfSSL, and violates RFC5280. The test case I provided includes the CRLDistributionPoints extension, but the extension value is empty RFC5280 mentions: When a conforming CA includes a CRLDistributionPoints extension in a certificate, it MUST include at least one DistributionPoint that points to a CRL that covers the certificate for all reasons. ## Version of gnutls used: gnutls-cli 3.7.3 ## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL) Ubuntu ## How reproducible: Steps to Reproduce: * one certtool --verify --load-ca-certificate RootCA.pem --infile Cert1732784533877D1.pem ## Actual results: Chain verification output: Verified. The certificate is trusted. ## Expected results: Chain verification output: Not verified. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1669 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Feb 25 13:55:19 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 25 Feb 2025 12:55:19 +0000 Subject: [gnutls-devel] GnuTLS | Backport fix CVE-2024-12243 to 3.7.x branch (!1937) In-Reply-To: References: Message-ID: Merge request !1937 was approved by Zolt?n Fridrich Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1937 Project:Branches: ametzler/gnutls:tmp-ametzler-3.7.x-CVE-2024-12243 to gnutls/gnutls:gnutls_3_7_x Author: Andreas Metzler Assignees: Reviewers: -- You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Feb 25 14:08:59 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 25 Feb 2025 13:08:59 +0000 Subject: [gnutls-devel] GnuTLS | GnuTLS Verification Error (#1669) In-Reply-To: References: Message-ID: Alexander Sosedkin commented: https://gitlab.com/gnutls/gnutls/-/issues/1669#note_2365921999 Good to know, doesn't sound high priority to me. > gnutls-cli 3.7.3 Would be nice to verify it's also the case with a fresh 3.8 compiled with `--strict-x509`. If so, gating the fix for it behind `--strict-x509` might be an option. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1669#note_2365921999 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Feb 27 17:49:34 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Thu, 27 Feb 2025 16:49:34 +0000 Subject: [gnutls-devel] Guile-GnuTLS | Bindings for gnutls_x509_crt_get_dn_by_oid and gnutls_x509_crt_get_issuer_dn_by_oid ? (#30) References: Message-ID: Dariqq created an issue: https://gitlab.com/gnutls/guile/-/issues/30 Hello, Currently i am facing the problem that I'd like to get only the CN part of a certificate's issuer/subject without having to parse a full DN manually. The functions `x509-certificate-dn` and `x509-certificate-issuer-dn` already exist, but they return the full DN. There are `x509-certificate-dn-oid` and `x509-certificate-issuer-dn-oid` which return the OID at an index but not the content. There is also `set-x509-certificate-dn-by-oid!`, to set! a value by OID but not a way to get a value by OID, which seems a bit weird. Thanks. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/guile/-/issues/30 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Feb 28 15:31:08 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 28 Feb 2025 14:31:08 +0000 Subject: [gnutls-devel] Guile-GnuTLS | gnutls-sign-algorithm-enum is missing a lot of values (#31) References: Message-ID: Dariqq created an issue: https://gitlab.com/gnutls/guile/-/issues/31 Hello, I am trying to manually verify a certificates signature. When I try to get the algorithm with `(x509-certificate-signature-algorithm cert)` i get `#f`. Using ```sh openssl x509 -in cert.pem --text | grep 'Signature Algorithm' Signature Algorithm: ecdsa-with-SHA256 ``` however it seems that the algorithm is `ecdsa-with-SHA256` which i guess should map to `GNUTLS_SIGN_ECDSA_SHA256` of `gnutls_sign_algorithm_t`. Investigating more deeply I noticed many #f entries in the list of sign algorithms: here is the output of `(sign-algorithm-list)` It seems many elements are nowhere to be found. ``` ,pp (sign-algorithm-list) $3 = (# # # # # # # # # # # #f #f #f # # # #f #f #f #f #f #f #f #f #f #f #f #f #f # # #f # # # #f #f # # # #f #f #f #f #f #f #f) ``` The length almost matches the enum in gnutls.h only GNUTLS_SIGN_UNKNOWN is missing. Doing anything with `sign-algorithm/unknown` segfaults guile. I havent checked the other enums in gnutls/gnutls.h but it could be possible that others may be incomplete as well. Version: guile-gnutls 4.0.0 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/guile/-/issues/31 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Feb 28 16:34:10 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 28 Feb 2025 15:34:10 +0000 Subject: [gnutls-devel] Guile-GnuTLS | gnutls-sign-algorithm-enum is missing a lot of values (#31) In-Reply-To: References: Message-ID: Dariqq commented: https://gitlab.com/gnutls/guile/-/issues/31#note_2373023357 The segault printing `sign-algorithm/unknown` happens at `sign_algorithm_print` in `guile/src/enum-map.i.c:1029` Trying to apply `sign-algorithm->string` yields an exception `In procedure scm_from_stringn: NULL string pointer` -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/guile/-/issues/31#note_2373023357 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: