From gnutls-devel at lists.gnutls.org Sat Feb 1 22:17:09 2025
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sat, 01 Feb 2025 21:17:09 +0000
Subject: [gnutls-devel] libtasn1 | Draft: tests / asn1Decoding.c: Improve test coverage and Fix asn1Decoding Issues (!116)
References:
Message-ID:

Andrew Hamilton created a merge request: https://gitlab.com/gnutls/libtasn1/-/merge_requests/116

Project:Branches: adhamilt/libtasn1:testCoverageBumpv2 to gnutls/libtasn1:master
Author: Andrew Hamilton

1. tests/ : Improve test coverage of libtasn1 executables asn1Decoding.c, asn1Parser.c, and asn1Coding.c. With the test additions, the following change in code coverage was observed:

(before):

| Directory | Line Coverage |
| ------ | ------ |
| libtasn1/fuzz | 80.0 % |
| libtasn1/lib | 85.4 % |
| libtasn1/libtasn1/lib/gl | 100.0 % |
| libtasn1/libtasn1/src | 38.2 % |
| libtasn1/libtasn1/src/gl | 0.0 % |
| /usr/include | 100.0 % |

(after):

| Directory | Line Coverage |
| ------ | ------ |
| libtasn1/fuzz | 80.0 % |
| libtasn1/lib | 85.6 % |
| libtasn1/libtasn1/lib/gl | 100.0 % |
| libtasn1/libtasn1/src | 86.8 % |
| libtasn1/libtasn1/src/gl | 100.0 % |
| /usr/include | 100.0 % |

2. asn1Decoding.c: Made the following corrections observed during test development:
   - Removed a stray / unused "c" option from the short option list.
   - Ensure tmplen is initialized prior to use in all possible error paths.
   - Ensure realloc is not called with a zero length when the debug option is set and an empty input is provided - realloc with size zero appears to have undefined behavior per the function definition.

## Checklist
* [X] Code modified for feature
* [X] Test suite updated with functionality tests
* [X] Test suite updated with negative tests
* [ ] Documentation updated

## Reviewer's checklist:
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent with other code
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/-/merge_requests/116
You're receiving this email because of your account on gitlab.com.

From gnutls-devel at lists.gnutls.org Sat Feb 1 22:18:55 2025
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sat, 01 Feb 2025 21:18:55 +0000
Subject: [gnutls-devel] libtasn1 | tests / asn1Decoding.c: Improve test coverage and Fix asn1Decoding Issues (!116)
In-Reply-To:
References:
Message-ID:

Andrew Hamilton marked merge request !116 as ready

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/-/merge_requests/116

From gnutls-devel at lists.gnutls.org Sat Feb 1 22:29:02 2025
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sat, 01 Feb 2025 21:29:02 +0000
Subject: [gnutls-devel] libtasn1 | Draft: tests / asn1Decoding.c: Improve test coverage and Fix asn1Decoding Issues (!116)
In-Reply-To:
References:
Message-ID:

Andrew Hamilton marked merge request !116 as draft

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/-/merge_requests/116

From gnutls-devel at lists.gnutls.org Sun Feb 2 16:53:31 2025
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sun, 02 Feb 2025 15:53:31 +0000
Subject: [gnutls-devel] libtasn1 | tests / asn1Decoding.c: Improve test coverage and Fix asn1Decoding Issues (!116)
In-Reply-To:
References:
Message-ID:

Andrew Hamilton marked merge request !116 as ready

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/-/merge_requests/116

From gnutls-devel at lists.gnutls.org Tue Feb 4 10:26:54 2025
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Tue, 04 Feb 2025 09:26:54 +0000
Subject: [gnutls-devel] GnuTLS | cannot generate RSA-OAEP key outside of FIPS mode with certtool (#1653)
References:
Message-ID:

Alexander Sosedkin created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1653

On Fedora gnutls-3.8.8-3.fc41 and/or master (2b8c3e4c), I can't seem to generate a PKCS#8 RSA-OAEP key without going into FIPS mode or going beyond certtool.

* `certtool --generate-privkey --key-type rsa-oaep --outfile oaep` -> raw RSA key with no OAEP parameters encoded
* `certtool --generate-privkey --key-type rsa-oaep --outfile oaep --p8` -> same, raw RSA key

but

* `env GNUTLS_FORCE_FIPS_MODE=1 certtool --generate-privkey --key-type rsa-oaep --outfile oaep` -> `:rsaesOaep` OID key with `:1.3.6.1.4.1.2312.18.8.1` validation params present

despite

* `env GNUTLS_FORCE_FIPS_MODE=1 build/src/certtool --generate-privkey --key-type rsa-oaep --outfile oaep --provable` -> `The --provable parameter can only be used with RSA and DSA keys.`

That doesn't look right to me at all, I'd rather expect all of the above to produce `:rsaesOaep`-tagged keys and `--provable` not tell me I cannot generate provable keys when I actually can.

My current workaround is to generate regular RSA keys, import and `gnutls_x509_spki_set_rsa_oaep_params()` them into OAEP keys with the parameters I need.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1653

From gnutls-devel at lists.gnutls.org Tue Feb 4 10:28:00 2025
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Tue, 04 Feb 2025 09:28:00 +0000
Subject: [gnutls-devel] GnuTLS | cannot generate RSA-OAEP key outside of FIPS mode with certtool (#1653)
In-Reply-To:
References:
Message-ID:

Alexander Sosedkin commented: https://gitlab.com/gnutls/gnutls/-/issues/1653#note_2329607755

From my brief exploration of the code, I couldn't find why the FIPS and non-FIPS results differ, but here are two ltrace snippets that might be of interest:

non-FIPS:
```
gnutls_x509_privkey_get_seed(0x55a8a382ff30, 0, 0, 0) = 0xffffffce # <- GNUTLS_E_INVALID_REQUEST
gnutls_x509_privkey_generate2(0x55a8a382ff30, 13, 3072, 0) = 0
gnutls_x509_spki_deinit(0x55a8a3830150, 0x55a8a3813510, 2, 0x55a8a3813a50) = 2
gnutls_x509_privkey_verify_params(0x55a8a382ff30, 0x55a8a3830140, 0x55adf9093df0, 4) = 0
gnutls_x509_privkey_get_pk_algorithm(0x55a8a382ff30, 0x7ffe74f64bf0, 0x55a8a382ff30, 7) = 13
gnutls_x509_privkey_get_seed(0x55a8a382ff30, 0, 0, 0) = 0xffffffce # <- GNUTLS_E_INVALID_REQUEST
fwrite("Public Key Info:\n", 1, 17, 0x55a8a382f450) = 17
```

FIPS:
```
gnutls_x509_privkey_get_seed(0x55ce108b3200, 0, 0, 0) = 0xffffffce # <- GNUTLS_E_INVALID_REQUEST
gnutls_x509_privkey_generate2(0x55ce108b3200, 13, 3072, 0) = 0
gnutls_x509_spki_deinit(0x55ce108b3420, 0x55ce108811b0, 2, 0x55ce108810f0) = 2
gnutls_x509_privkey_verify_params(0x55ce108b3200, 0x55ce108b3410, 0x55cb4c6b1873, 5) = 0
gnutls_x509_privkey_get_pk_algorithm(0x55ce108b3200, 0x7ffc1fb6c220, 0x55ce108b3200, 7) = 13
gnutls_x509_privkey_get_seed(0x55ce108b3200, 0, 0, 0) = 0xffffffcd # <- GNUTLS_E_SHORT_MEMORY_BUFFER, suggesting key->params.seed_size is set
fwrite("Assuming --pkcs8 is given; prova"..., 1, 87, 0x7fdc0c9f74e0) = 87
fwrite("Public Key Info:\n", 1, 17, 0x55ce108a3010) = 17
```

--
Reply to this email directly or view it on GitLab:
https://gitlab.com/gnutls/gnutls/-/issues/1653#note_2329607755

From gnutls-devel at lists.gnutls.org Tue Feb 4 14:13:48 2025
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Tue, 04 Feb 2025 13:13:48 +0000
Subject: [gnutls-devel] GnuTLS | TAG check for extensions (#1652)
In-Reply-To:
References:
Message-ID:

Zoltán Fridrich commented: https://gitlab.com/gnutls/gnutls/-/issues/1652#note_2330125310

@dulanshuangqiao Thank you for the report. Could you please provide a reproducer for this issue?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1652#note_2330125310

From gnutls-devel at lists.gnutls.org Tue Feb 4 20:59:59 2025
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Tue, 04 Feb 2025 19:59:59 +0000
Subject: [gnutls-devel] GnuTLS | Draft: add cmake (!1908)
In-Reply-To:
References:
Message-ID:

Merge request !1908 was closed by Tal Regev

Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1908
Project:Branches: tal.regev/gnutls:TalR/cmake to gnutls/gnutls:master
Author: Tal Regev
Assignees:
Reviewers:

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1908

From gnutls-devel at lists.gnutls.org Wed Feb 5 09:09:57 2025
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Wed, 05 Feb 2025 08:09:57 +0000
Subject: [gnutls-devel] GnuTLS | cannot generate RSA-OAEP key outside of FIPS mode with certtool (#1653)
In-Reply-To:
References:
Message-ID:

Daiki Ueno commented: https://gitlab.com/gnutls/gnutls/-/issues/1653#note_2331596970

> `certtool --generate-privkey --key-type rsa-oaep --outfile oaep --p8` -> same, raw RSA key

The `--p8` in this command line expands to `--p8-info`, as the abbreviation is [unique](https://www.gnu.org/software/libc/manual/html_node/Getopt-Long-Options.html), which doesn't change the key generation behavior. The correct command line is:

`certtool --generate-privkey --key-type rsa-oaep --outfile oaep --pkcs8 --empty-password`

That said, that should be the default behavior; currently it's not because of a missing key type check in `switch_to_pkcs8_when_needed` in src/certtool-common.h.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1653#note_2331596970
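
The abbreviation behaviour Daiki Ueno describes above can be reproduced with `getopt_long` directly: a unique prefix is silently expanded, so `--p8` selects `--p8-info` and never `--pkcs8`. This is an added example, not certtool's code; the option table is a constructed subset of the option names mentioned in the thread, and `parse_cmdline`, `struct parsed` and the `OPT_*` values are hypothetical.

```c
#include <getopt.h>
#include <stdio.h>
#include <string.h>

/* Constructed subset of the long options named in the thread. The table and
 * the OPT_* values are assumptions for this demo, not certtool's own table.
 * Each entry gets a distinct value: glibc only reports an ambiguous prefix
 * when the candidate entries differ from each other. */
enum { OPT_GENERATE_PRIVKEY = 256, OPT_KEY_TYPE, OPT_OUTFILE, OPT_P8_INFO,
       OPT_PKCS8, OPT_PROVABLE, OPT_EMPTY_PASSWORD };

static const struct option demo_opts[] = {
    { "generate-privkey", no_argument,       NULL, OPT_GENERATE_PRIVKEY },
    { "key-type",         required_argument, NULL, OPT_KEY_TYPE },
    { "outfile",          required_argument, NULL, OPT_OUTFILE },
    { "p8-info",          no_argument,       NULL, OPT_P8_INFO },
    { "pkcs8",            no_argument,       NULL, OPT_PKCS8 },
    { "provable",         no_argument,       NULL, OPT_PROVABLE },
    { "empty-password",   no_argument,       NULL, OPT_EMPTY_PASSWORD },
    { NULL, 0, NULL, 0 }
};

struct parsed {
    int p8_info;     /* an argument resolved to --p8-info */
    int pkcs8;       /* an argument resolved to --pkcs8 */
    int abbreviated; /* options typed as a shortened prefix */
    int errors;      /* unknown or ambiguous options */
};

/* Length of the option name as typed: skips the leading "--", stops at '='. */
static size_t typed_len(const char *word)
{
    return strcspn(word + 2, "=");
}

/* Parse one command line with getopt_long and record what each option
 * resolved to, including whether it was written out in full. */
struct parsed parse_cmdline(int argc, char **argv)
{
    struct parsed r = { 0, 0, 0, 0 };

    optind = 0; /* restart the scan; 0 makes glibc reinitialise its state */
    opterr = 0; /* count errors instead of printing them */
    for (;;) {
        int idx = -1;
        int c = getopt_long(argc, argv, "", demo_opts, &idx);
        if (c == -1)
            break;
        if (c == '?' || c == ':' || idx < 0) {
            r.errors++;
            continue;
        }
        /* The word that named the option is the previous argv entry, or the
         * one before it when the argument was passed as a separate word. */
        const char *word = argv[optind - 1];
        if (demo_opts[idx].has_arg != no_argument && optarg == word)
            word = argv[optind - 2];
        if (typed_len(word) < strlen(demo_opts[idx].name))
            r.abbreviated++;
        if (c == OPT_P8_INFO)
            r.p8_info = 1;
        else if (c == OPT_PKCS8)
            r.pkcs8 = 1;
    }
    return r;
}

int main(void)
{
    /* Constructed command lines mirroring the two quoted in the thread. */
    char *reported[] = { "certtool", "--generate-privkey", "--key-type",
                         "rsa-oaep", "--outfile", "oaep", "--p8", NULL };
    char *corrected[] = { "certtool", "--generate-privkey", "--key-type",
                          "rsa-oaep", "--outfile", "oaep", "--pkcs8",
                          "--empty-password", NULL };
    struct parsed a = parse_cmdline(7, reported);
    struct parsed b = parse_cmdline(8, corrected);

    printf("reported:  p8-info=%d pkcs8=%d abbreviated=%d errors=%d\n",
           a.p8_info, a.pkcs8, a.abbreviated, a.errors);
    printf("corrected: p8-info=%d pkcs8=%d abbreviated=%d errors=%d\n",
           b.p8_info, b.pkcs8, b.abbreviated, b.errors);
    return 0;
}
```

Counting abbreviated options, as `parse_cmdline` does, is one way for a wrapper script or test to notice that an argument resolved to something other than what was typed.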

From gnutls-devel at lists.gnutls.org Wed Feb 5 09:46:22 2025
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Wed, 05 Feb 2025 08:46:22 +0000
Subject: [gnutls-devel] GnuTLS | CKA_NSS_SERVER_DISTRUST_AFTER does not work for a system p11 object (#1656)
References:
Message-ID:

Xi Ruoyao created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1656

## Description of problem:

We have such a p11 object which is converted from Mozilla certificate data:

```
[p11-kit-object-v1]
label: "Entrust Root Certification Authority - G2"
class: x-certificate-extension
object-id: 2.5.29.37
value: "0 %06%03U%1d%25%01%01%ff%04%160%14%06%08%2b%06%01%05%05%07%03%04%06%08%2b%06%01%05%05%07%03%01"
modifiable: false
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuoS2ctueDGvimekwAad2
6jK4lUEaydphTlhyz/72gnm/c2EGCqUn2LNf00VOHHLWTjLycooP94MZ0GqAgABF
HrDH55q/ElcnHKNoLwqHvWprDl5l8xx31dSFjXAhtLMy54ui1YY5ArG40kfO5MlJ
xDun3vtUfVe+8OhuwnmyOgtV4lCYFjITXC94VsHClLPyWuQnmp8k18bs0JslguPM
wsRFxYyXegZrKhGfqQpuSDtv29QRGUL3jwe/9VNfnD70FyzmaaxOMkxid+q36OW7
NLwZi66cUee3frVTsTMi5W3PcDwa+uKbZ7aD9I2lr2JMTeBYrGQ0EgP4to2UYySk
cQIDAQAB
-----END PUBLIC KEY-----

[p11-kit-object-v1]
label: "Entrust Root Certification Authority - G2"
trusted: true
nss-mozilla-ca-policy: true
modifiable: false
nss-server-distrust-after: "241130235959Z"
nss-email-distrust-after: "%00"
-----BEGIN CERTIFICATE-----
MIIEPjCCAyagAwIBAgIESlOMKDANBgkqhkiG9w0BAQsFADCBvjELMAkGA1UEBhMC
VVMxFjAUBgNVBAoTDUVudHJ1c3QsIEluYy4xKDAmBgNVBAsTH1NlZSB3d3cuZW50
cnVzdC5uZXQvbGVnYWwtdGVybXMxOTA3BgNVBAsTMChjKSAyMDA5IEVudHJ1c3Qs
IEluYy4gLSBmb3IgYXV0aG9yaXplZCB1c2Ugb25seTEyMDAGA1UEAxMpRW50cnVz
dCBSb290IENlcnRpZmljYXRpb24gQXV0aG9yaXR5IC0gRzIwHhcNMDkwNzA3MTcy
NTU0WhcNMzAxMjA3MTc1NTU0WjCBvjELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUVu
dHJ1c3QsIEluYy4xKDAmBgNVBAsTH1NlZSB3d3cuZW50cnVzdC5uZXQvbGVnYWwt
dGVybXMxOTA3BgNVBAsTMChjKSAyMDA5IEVudHJ1c3QsIEluYy4gLSBmb3IgYXV0
aG9yaXplZCB1c2Ugb25seTEyMDAGA1UEAxMpRW50cnVzdCBSb290IENlcnRpZmlj
YXRpb24gQXV0aG9yaXR5IC0gRzIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
AoIBAQC6hLZy254Ma+KZ6TABp3bqMriVQRrJ2mFOWHLP/vaCeb9zYQYKpSfYs1/T
RU4cctZOMvJyig/3gxnQaoCAAEUesMfnmr8SVycco2gvCoe9amsOXmXzHHfV1IWN
cCG0szLni6LVhjkCsbjSR87kyUnEO6fe+1R9V77w6G7CebI6C1XiUJgWMhNcL3hW
wcKUs/Ja5CeanyTXxuzQmyWC48zCxEXFjJd6BmsqEZ+pCm5IO2/b1BEZQvePB7/1
U1+cPvQXLOZprE4yTGJ36rfo5bs0vBmLrpxR57d+tVOxMyLlbc9wPBr64ptntoP0
jaWvYkxN4FisZDQSA/i2jZRjJKRxAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAP
BgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBRqciZ60B7vfec7aVHUbI2fkBJmqzAN
BgkqhkiG9w0BAQsFAAOCAQEAeZ8dlsa2eT8ijYfThwMEYGprmi5ZiXMRrEPR9RP/
jTkrwPK9T3CMqS/qF8QLVJ7UG5aYMzyorWKiAHarWWluBh1+xLlEjZivEtRh2woZ
Rkfz6/djwUAFQKXSt/S1mja/qYh2iARVBCuch38aNzx+LaUa2NSJXsq9rD1s2G2v
1fN2D807iDginWyTmsQ9v4IbZT+mD12q/OWyFcq1rca8PdCE6OoGcrBNOTJ4vz4R
nAuknZoh8/CbCzB428Hch0P+vGOaysXCHMnHjf87ElgI5rY97HosTvuDls4MPGmH
VHOkc8KT/1EQrBVUAdj8BbGJoX90g5pJ19xOe4pIb4tF9g==
-----END CERTIFICATE-----
```

Note that the certificate has a `nss-server-distrust-after` field. But when trying a website using this root CA with `gnutls-cli www.fidelity.com -d9999`:

```
|<2>| check_found_cert: cert doesn't match the expected
|<3>| ASSERT: pkcs11.c[find_cert_cb]:4272
|<3>| ASSERT: pkcs11.c[find_cert_cb]:4083
|<2>| get_distrust_after: did not find cert, using issuer DN + serial, using DN only
|<3>| ASSERT: pkcs11.c[_gnutls_pkcs11_get_distrust_after]:4861
|<2>| p11: No login requested.
|<2>| check_found_cert: cert doesn't match the expected
|<3>| ASSERT: pkcs11.c[find_cert_cb]:4272
|<3>| ASSERT: pkcs11.c[find_cert_cb]:4083
|<3>| ASSERT: pkcs11.c[_gnutls_pkcs11_get_distrust_after]:4876
|<2>| get_distrust_after: did not find any cert
```

So it seems GnuTLS has not really found the field.

## Version of gnutls used:

3.8.8

## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)

Originally found on Beyond Linux From Scratch, same result on Fedora Rawhide

## How reproducible:

See above.

## Actual results:

GnuTLS accepts the certificate (the behavior is correct) but the debug info shows the `nss-server-distrust-after` field isn't found at all.

## Expected results:

GnuTLS still accepts the certificate, but after comparing the `nss-server-distrust-after` field.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1656

From gnutls-devel at lists.gnutls.org Thu Feb 6 01:35:07 2025
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Thu, 06 Feb 2025 00:35:07 +0000
Subject: [gnutls-devel] GnuTLS | CKA_NSS_SERVER_DISTRUST_AFTER does not work for a system p11 object (#1656)
In-Reply-To:
References:
Message-ID:

Xi Ruoyao commented: https://gitlab.com/gnutls/gnutls/-/issues/1656#note_2333385533

Now fidelity.com has changed the certificate, it's better to use ustreas.gov as an example (hope it won't switch the certificate before we can do the diagnostic...)

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1656#note_2333385533

From gnutls-devel at lists.gnutls.org Thu Feb 6 16:51:51 2025
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Thu, 06 Feb 2025 15:51:51 +0000
Subject: [gnutls-devel] libtasn1 | Parsing a certificate containing numerous names or name constraints leads to a DoS attack (#52)
In-Reply-To:
References:
Message-ID:

Simon Josefsson commented: https://gitlab.com/gnutls/libtasn1/-/issues/52#note_2334748932

I am hoping version 4.20.0 resolves this, so I'm making this bug report public and closing it.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/-/issues/52#note_2334748932

From gnutls-devel at lists.gnutls.org Thu Feb 6 16:51:52 2025
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Thu, 06 Feb 2025 15:51:52 +0000
Subject: [gnutls-devel] libtasn1 | Parsing a certificate containing numerous names or name constraints leads to a DoS attack (#52)
In-Reply-To:
References:
Message-ID:

Issue was closed by Simon Josefsson

Issue #52: https://gitlab.com/gnutls/libtasn1/-/issues/52

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/-/issues/52

From gnutls-devel at lists.gnutls.org Fri Feb 7 00:14:08 2025
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Thu, 06 Feb 2025 23:14:08 +0000
Subject: [gnutls-devel] GnuTLS | Library incompatible with x86_64 CET/shadow stack (#1658)
References:
Message-ID:

Maciej S_ Szmigiero created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1658

## Description of the feature:

The built `libgnutls.so.30.40.2` library lacks CET/shadow stack markings:

```
$ readelf -n /usr/lib64/libgnutls.so.30.40.2 | grep -a SHSTK
(empty)
```

Now that shadow stack-enabled CPUs are getting more common each program which links to `libgnutls` cannot benefit from shadow stack enforcement, since such enforcement requires that *all* of its library dependencies carry appropriate markings.

Tested on a distribution which enables `-fcf-protection` by default in GCC (Gentoo). This causes most of other libraries to get built with proper CET support.

I think the most likely reason that `libgnutls` is missing CET markings is that assembly source files in `lib/accelerated/x86/elf` are missing them.

## Is this feature implemented in other libraries (and which)

OpenSSL 3 has proper CET support:

```
$ readelf -n /usr/lib64/libssl.so.3 | grep -a SHSTK
      Properties: x86 feature: IBT, SHSTK
```

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1658

From gnutls-devel at lists.gnutls.org Fri Feb 7 06:24:28 2025
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Fri, 07 Feb 2025 05:24:28 +0000
Subject: [gnutls-devel] GnuTLS | Release 3.8.9 (!1928)
In-Reply-To:
References:
Message-ID:

Daiki Ueno marked merge request !1928 as ready

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1928

From gnutls-devel at lists.gnutls.org Fri Feb 7 06:24:40 2025
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Fri, 07 Feb 2025 05:24:40 +0000
Subject: [gnutls-devel] GnuTLS | Release 3.8.9 (!1928)
In-Reply-To:
References:
Message-ID:

Zoltán Fridrich was added as a reviewer.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1928
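
For the CET report (#1658) above: the marking that `readelf -n` prints comes from the `GNU_PROPERTY_X86_FEATURE_1_AND` word in `.note.gnu.property`, and the linker ANDs that word across its inputs, so a single unmarked object is enough to clear SHSTK for the whole library, which is consistent with the reporter's guess about the assembly files. This is an added example, not GnuTLS code; the note bytes and object names are constructed, an ELF64 little-endian layout is assumed, and `x86_feature_1`, `merged_feature_1` and `struct input_obj` are hypothetical helpers.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constants as defined by the x86-64 psABI and <elf.h>, repeated here so the
 * file builds without system ELF headers. */
#ifndef GNU_PROPERTY_X86_FEATURE_1_AND
#define NT_GNU_PROPERTY_TYPE_0           5u
#define GNU_PROPERTY_X86_FEATURE_1_AND   0xc0000002u
#define GNU_PROPERTY_X86_FEATURE_1_IBT   (1u << 0)
#define GNU_PROPERTY_X86_FEATURE_1_SHSTK (1u << 1)
#endif

static uint32_t le32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Parse one ELF64 GNU property note and return its FEATURE_1_AND word.
 * Returns 0 when the note is absent, malformed, truncated, or does not carry
 * the property: all of those mean "no CET marking". */
uint32_t x86_feature_1(const unsigned char *note, size_t len)
{
    if (note == NULL || len < 16)
        return 0;
    uint32_t namesz = le32(note), descsz = le32(note + 4), type = le32(note + 8);
    if (namesz != 4 || type != NT_GNU_PROPERTY_TYPE_0 ||
        memcmp(note + 12, "GNU", 4) != 0)
        return 0;
    if (descsz > len - 16)
        return 0; /* descriptor claims more bytes than the buffer holds */

    const unsigned char *desc = note + 16;
    size_t dsz = descsz, off = 0;
    while (off + 8 <= dsz) {
        uint32_t pr_type = le32(desc + off);
        uint32_t pr_datasz = le32(desc + off + 4);
        if (pr_datasz > dsz - off - 8)
            return 0; /* truncated property */
        if (pr_type == GNU_PROPERTY_X86_FEATURE_1_AND && pr_datasz >= 4)
            return le32(desc + off + 8);
        off += 8 + (((size_t)pr_datasz + 7) & ~(size_t)7); /* 8-byte padding */
    }
    return 0;
}

struct input_obj {
    const char *name;          /* constructed label, for printing only */
    const unsigned char *note; /* NULL when the object has no property note */
    size_t len;
};

/* Model of the link-time rule: the output word is the AND of every input's
 * word, and an input without the note contributes 0. */
uint32_t merged_feature_1(const struct input_obj *objs, size_t n)
{
    uint32_t acc = n ? ~0u : 0;
    for (size_t i = 0; i < n; i++)
        acc &= x86_feature_1(objs[i].note, objs[i].len);
    return acc;
}

/* Constructed note: namesz=4, descsz=16, type=5, "GNU\0", then one property
 * FEATURE_1_AND with 4 data bytes (IBT|SHSTK) padded to 8. */
static const unsigned char NOTE_CET[32] = {
    0x04, 0, 0, 0,   0x10, 0, 0, 0,   0x05, 0, 0, 0,   'G', 'N', 'U', 0,
    0x02, 0, 0, 0xc0,   0x04, 0, 0, 0,   0x03, 0, 0, 0,   0, 0, 0, 0
};

int main(void)
{
    /* Constructed inputs: one compiler-generated object with the note and
     * one assembly object without it. */
    const struct input_obj objs[] = {
        { "c_code.o",   NOTE_CET, sizeof NOTE_CET },
        { "asm_code.o", NULL,     0 },
    };
    uint32_t merged = merged_feature_1(objs, 2);
    printf("c_code.o alone: 0x%x, linked with asm_code.o: 0x%x, SHSTK %s\n",
           (unsigned)x86_feature_1(NOTE_CET, sizeof NOTE_CET), (unsigned)merged,
           (merged & GNU_PROPERTY_X86_FEATURE_1_SHSTK) ? "kept" : "lost");
    return 0;
}
```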

From gnutls-devel at lists.gnutls.org Fri Feb 7 06:24:48 2025
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Fri, 07 Feb 2025 05:24:48 +0000
Subject: [gnutls-devel] GnuTLS | Release 3.8.9 (!1928)
In-Reply-To:
References:
Message-ID:

Alexander Sosedkin was added as a reviewer.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1928

From gnutls-devel at lists.gnutls.org Fri Feb 7 08:36:25 2025
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Fri, 07 Feb 2025 07:36:25 +0000
Subject: [gnutls-devel] GnuTLS | Release 3.8.9 (!1928)
In-Reply-To:
References:
Message-ID:

Merge request !1928 was approved by Alexander Sosedkin

Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1928
Project:Branches: dueno/gnutls:wip/dueno/release-3.8.9 to gnutls/gnutls:master
Author: Daiki Ueno
Assignees:
Reviewers: Alexander Sosedkin and Zoltán Fridrich

From gnutls-devel at lists.gnutls.org Fri Feb 7 09:07:48 2025
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Fri, 07 Feb 2025 08:07:48 +0000
Subject: [gnutls-devel] GnuTLS | Release 3.8.9 (!1928)
In-Reply-To:
References:
Message-ID:

Merge request !1928 was approved by Zoltán Fridrich

Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1928
Project:Branches: dueno/gnutls:wip/dueno/release-3.8.9 to gnutls/gnutls:master
Author: Daiki Ueno
Assignees:
Reviewers: Alexander Sosedkin and Zoltán Fridrich

From gnutls-devel at lists.gnutls.org Fri Feb 7 09:08:05 2025
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Fri, 07 Feb 2025 08:08:05 +0000
Subject: [gnutls-devel] GnuTLS | Release 3.8.9 (!1928)
In-Reply-To:
References:
Message-ID:

Zoltán Fridrich commented: https://gitlab.com/gnutls/gnutls/-/merge_requests/1928#note_2336092674

Looks good. No mistakes found.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1928#note_2336092674

From gnutls-devel at lists.gnutls.org Fri Feb 7 10:02:14 2025
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Fri, 07 Feb 2025 09:02:14 +0000
Subject: [gnutls-devel] GnuTLS | Release 3.8.9 (!1928)
In-Reply-To:
References:
Message-ID:

Merge request !1928 was merged

Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1928
Project:Branches: dueno/gnutls:wip/dueno/release-3.8.9 to gnutls/gnutls:master
Author: Daiki Ueno
Reviewers: Alexander Sosedkin and Zoltán Fridrich

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1928

From gnutls-devel at lists.gnutls.org Fri Feb 7 10:02:14 2025
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Fri, 07 Feb 2025 09:02:14 +0000
Subject: [gnutls-devel] GnuTLS | cannot generate RSA-OAEP key outside of FIPS mode with certtool (#1653)
In-Reply-To:
References:
Message-ID:

Issue was closed by Daiki Ueno with merge request !1928 (https://gitlab.com/gnutls/gnutls/-/merge_requests/1928)

Issue #1653: https://gitlab.com/gnutls/gnutls/-/issues/1653

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1653

From gnutls-devel at lists.gnutls.org Fri Feb 7 10:38:15 2025
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Fri, 07 Feb 2025 09:38:15 +0000
Subject: [gnutls-devel] libtasn1 | Parsing a certificate containing numerous names or name constraints leads to a DoS attack (#52)
In-Reply-To:
References:
Message-ID:

Andreas Stieger commented: https://gitlab.com/gnutls/libtasn1/-/issues/52#note_2336379502

Thanks. The "uses 100% of CPU" part of this issue should be treated with a grain of salt. This is simply the machine attempting to solve a single-threaded while not limited by IO. You actually *want* it to do it as fast as possible, that is not a security issue in itself. The part where the scaling factor is undesirable, however, is.

Do you agree with CVSS v3.1 base [3.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)?](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L&version=3.1)

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/-/issues/52#note_2336379502

From gnutls-devel at lists.gnutls.org Fri Feb 7 10:47:07 2025
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Fri, 07 Feb 2025 09:47:07 +0000
Subject: [gnutls-devel] libtasn1 | Parsing a certificate containing numerous names or name constraints leads to a DoS attack (#52)
In-Reply-To:
References:
Message-ID:

Simon Josefsson commented: https://gitlab.com/gnutls/libtasn1/-/issues/52#note_2336395888

Yeah I think the severity of this problem is low. I agree that it is the scaling factor that is the real concern. Re CVSS I think it is a really complicated topic, but shouldn't Attack Complexity be Low?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/-/issues/52#note_2336395888

From gnutls-devel at lists.gnutls.org Fri Feb 7 10:51:15 2025
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Fri, 07 Feb 2025 09:51:15 +0000
Subject: [gnutls-devel] libtasn1 | Parsing a certificate containing numerous names or name constraints leads to a DoS attack (#52)
In-Reply-To:
References:
Message-ID:

Andreas Stieger commented: https://gitlab.com/gnutls/libtasn1/-/issues/52#note_2336406135

I believe you could argue for both: `AC:L` because it seems straightforward to generate such a certificate. But also `AC:H` as you would need to get the application to process it. So the adversary would need to control one party (or be MITM), or the client needs to connect to peers based on the adversary input, or the client routinely connects to new peers, some of which turn out to present specially crafted certificates. What do you think?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/-/issues/52#note_2336406135

From gnutls-devel at lists.gnutls.org Fri Feb 7 10:58:15 2025
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Fri, 07 Feb 2025 09:58:15 +0000
Subject: [gnutls-devel] libtasn1 | Parsing a certificate containing numerous names or name constraints leads to a DoS attack (#52)
In-Reply-To:
References:
Message-ID:

Simon Josefsson commented: https://gitlab.com/gnutls/libtasn1/-/issues/52#note_2336419873

I suppose you picking AC:H results in a more appropriate resulting security base score overall, and now we even have some documented justification for using AC:H (which people may disagree with, but things are what they are), so +1 from me.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/-/issues/52#note_2336419873

From gnutls-devel at lists.gnutls.org Fri Feb 7 11:33:59 2025
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Fri, 07 Feb 2025 10:33:59 +0000
Subject: [gnutls-devel] libtasn1 | Parsing a certificate containing numerous names or name constraints leads to a DoS attack (#52)
In-Reply-To:
References:
Message-ID:

Alexander Sosedkin commented on a discussion: https://gitlab.com/gnutls/libtasn1/-/issues/52#note_2336491914

... or an adversary client sends a specially crafted client certificate to a server that's configured to accept them.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/-/issues/52#note_2336491914

From gnutls-devel at lists.gnutls.org Fri Feb 7 14:09:14 2025
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Fri, 07 Feb 2025 13:09:14 +0000
Subject: [gnutls-devel] GnuTLS | TAG check for extensions (#1652)
In-Reply-To:
References:
Message-ID:

dulanshuangqiao commented on a discussion: https://gitlab.com/gnutls/gnutls/-/issues/1652#note_2336764264

I use this program to call the relevant API to convert der to pem format [DtoP.c](/uploads/8637353e989cd4f9e4d590197c73ccf4/DtoP.c)

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1652#note_2336764264

From gnutls-devel at lists.gnutls.org Fri Feb 7 23:43:34 2025
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Fri, 07 Feb 2025 22:43:34 +0000
Subject: [gnutls-devel] GnuTLS | doc: Avoid failures in a parallel build. (!1911)
In-Reply-To:
References:
Message-ID:

Daiki Ueno commented: https://gitlab.com/gnutls/gnutls/-/merge_requests/1911#note_2337858357

Sorry @apteryks, we'll have to revert this change, at least the removal of `$(srcdir)/` part, because that causes a rebuild of .info files at `make distcheck`, which does VPATH build outside a read-only tree and leads to a permission error.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1911#note_2337858357

From gnutls-devel at lists.gnutls.org Sat Feb 8 00:01:02 2025
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Fri, 07 Feb 2025 23:01:02 +0000
Subject: [gnutls-devel] GnuTLS | Revert "doc: Fix races in a parallel build." (!1929)
References:
Message-ID:

Daiki Ueno created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1929

Project:Branches: dueno/gnutls:wip/dueno/revert-parallel-doc to gnutls/gnutls:master
Author: Daiki Ueno

* Revert "doc: Fix races in a parallel build."

  This reverts commit 8daba130cc0c4100186af0b61bc3e65d54a46727, which turned out to cause a rebuild of .info files at "make distcheck" in a read-only srcdir.

## Checklist
 * [x] Commits have `Signed-off-by:` with name/author being identical to the commit author
 * [ ] Code modified for feature
 * [ ] Test suite updated with functionality tests
 * [ ] Test suite updated with negative tests
 * [ ] Documentation updated / NEWS entry present (for non-trivial changes)
 * [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:
 * [ ] Any issues marked for closing are addressed
 * [ ] There is a test suite reasonably covering new functionality or modifications
 * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
 * [ ] This feature/change has adequate documentation added
 * [ ] No obvious mistakes in the code

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1929

From gnutls-devel at lists.gnutls.org Sat Feb 8 01:08:37 2025
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sat, 08 Feb 2025 00:08:37 +0000
Subject: [gnutls-devel] GnuTLS | Revert "doc: Fix races in a parallel build." (!1929)
In-Reply-To:
References:
Message-ID:

Daiki Ueno commented: https://gitlab.com/gnutls/gnutls/-/merge_requests/1929#note_2337901397

As this is just a revert commit (and a release blocker), I'm merging it without approval.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1929#note_2337901397

From gnutls-devel at lists.gnutls.org Sat Feb 8 01:08:41 2025
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sat, 08 Feb 2025 00:08:41 +0000
Subject: [gnutls-devel] GnuTLS | Revert "doc: Fix races in a parallel build." (!1929)
In-Reply-To:
References:
Message-ID:

Merge request !1929 was set to auto-merge by Daiki Ueno

Merge request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/1929
Project:Branches: dueno/gnutls:wip/dueno/revert-parallel-doc to gnutls/gnutls:master
Author: Daiki Ueno
Assignees:
Reviewers:

From gnutls-devel at lists.gnutls.org Sat Feb 8 05:39:47 2025
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sat, 08 Feb 2025 04:39:47 +0000
Subject: [gnutls-devel] GnuTLS | Unblock 3.8.9 release (!1929)
In-Reply-To:
References:
Message-ID:

Merge request !1929 was merged

Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1929
Project:Branches: dueno/gnutls:wip/dueno/revert-parallel-doc to gnutls/gnutls:master
Author: Daiki Ueno

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1929

From gnutls-devel at lists.gnutls.org Sat Feb 8 09:49:45 2025
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sat, 08 Feb 2025 08:49:45 +0000
Subject: [gnutls-devel] GnuTLS | CI: run doc-dist.Fedora with a regular user (#1659)
References:
Message-ID:

Daiki Ueno created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1659

The doc-dist.Fedora target ensures that `make distcheck` can create a distribution tarball. However, as the CI runs as the root user, it currently bypasses the permission checks enforced by Automake, e.g., to not pollute srcdir, it removes writable bit from the permissions of srcdir. To detect such issues early, it would be nice to run this CI target as a regular user.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1659

From gnutls-devel at lists.gnutls.org Sat Feb 8 13:34:58 2025
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sat, 08 Feb 2025 12:34:58 +0000
Subject: [gnutls-devel] GnuTLS | doc: Avoid failures in a parallel build. (!1911)
In-Reply-To:
References:
Message-ID:

Maxim Cournoyer commented: https://gitlab.com/gnutls/gnutls/-/merge_requests/1911#note_2338489180

ah, sorry for not catching this. I'll try to reproduce locally and see if I can resolve that problem. Thanks for the heads-up!

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1911#note_2338489180

From gnutls-devel at lists.gnutls.org Sat Feb 8 13:49:24 2025
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sat, 08 Feb 2025 12:49:24 +0000
Subject: [gnutls-devel] GnuTLS | doc: Avoid failures in a parallel build. (!1911)
In-Reply-To:
References:
Message-ID:

Maxim Cournoyer commented: https://gitlab.com/gnutls/gnutls/-/merge_requests/1911#note_2338517686

Is this the issue you were seeing in `make distcheck` ?
```
make[3]: Entering directory '/home/maxim/src/gnutls/doc/manpages'
make distdir-am
make[4]: Entering directory '/home/maxim/src/gnutls/doc/manpages'
cp: cannot stat './dane_cert_type_name.3': No such file or directory
make[4]: *** [Makefile:3643: distdir-am] Error 1
make[4]: Leaving directory '/home/maxim/src/gnutls/doc/manpages'
make[3]: *** [Makefile:3640: distdir] Error 2
make[3]: Leaving directory '/home/maxim/src/gnutls/doc/manpages'
make[2]: *** [Makefile:2983: distdir-am] Error 1
make[2]: Leaving directory '/home/maxim/src/gnutls'
make[1]: *** [Makefile:2977: distdir] Error 2
make[1]: Leaving directory '/home/maxim/src/gnutls'
make: *** [Makefile:3085: dist] Error 2
```

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1911#note_2338517686

From gnutls-devel at lists.gnutls.org Sat Feb 8 13:53:04 2025
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sat, 08 Feb 2025 12:53:04 +0000
Subject: [gnutls-devel] GnuTLS | doc: Avoid failures in a parallel build. (!1911)
In-Reply-To:
References:
Message-ID:

Maxim Cournoyer commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/1911#note_2338522302

It's not really that I removed `$(srcdir)`, but that I made the targets depend on other targets (instead of re-invoking make in the recipe, which is racy).

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1911#note_2338522302

From gnutls-devel at lists.gnutls.org Sat Feb 8 13:58:49 2025
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sat, 08 Feb 2025 12:58:49 +0000
Subject: [gnutls-devel] GnuTLS | doc: Avoid failures in a parallel build. (!1911)
In-Reply-To:
References:
Message-ID:

Maxim Cournoyer commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/1911#note_2338529796

Nevermind, that seems to be because of:

```
Creating man pages for socket.h.../bin/sh: ../../doc/scripts/getfuncs.pl: /usr/bin/perl: bad interpreter: No such file or directory
```

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1911#note_2338529796

From gnutls-devel at lists.gnutls.org Sat Feb 8 14:33:09 2025
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sat, 08 Feb 2025 13:33:09 +0000
Subject: [gnutls-devel] GnuTLS | doc: Avoid failures in a parallel build. (!1911)
In-Reply-To:
References:
Message-ID:

Maxim Cournoyer commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/1911#note_2338541157

That's fixed on my side, but still getting:

```
[...]
make distdir-am
make[4]: Entering directory '/home/maxim/src/gnutls/doc/manpages'
cp: cannot stat './dane_cert_type_name.3': No such file or directory
```

How are these supposed to come into existence?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1911#note_2338541157

From gnutls-devel at lists.gnutls.org Sat Feb 8 15:13:24 2025
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sat, 08 Feb 2025 14:13:24 +0000
Subject: [gnutls-devel] GnuTLS | doc: Avoid failures in a parallel build. (!1911)
In-Reply-To:
References:
Message-ID:

Maxim Cournoyer commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/1911#note_2338547218

OK, I think it's from the `stamp_mans`, which had failed due to the perl error above but still stamped the file apparently.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1911#note_2338547218

From gnutls-devel at lists.gnutls.org Sat Feb 8 22:20:36 2025
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sat, 08 Feb 2025 21:20:36 +0000
Subject: [gnutls-devel] libtasn1 | fix memleaks in asn1_array2tree, free the unused child (!62)
In-Reply-To:
References:
Message-ID:

Andrew Hamilton commented: https://gitlab.com/gnutls/libtasn1/-/merge_requests/62#note_2338635132

I was looking into a failure on oss-fuzz related to a memory leak and found that I think this is the same issue.

Here is how I was able to reproduce the issue:

Download reproducer from oss fuzz: https://oss-fuzz.com/download?testcase_id=5118451781206016

Install CLANG (I used clang-19 on Debian)

export CC=clang-19
export CFLAGS="-O1 -g -fno-omit-frame-pointer -gline-tables-only -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION -fsanitize=undefined,integer,nullability -fsanitize=address -fsanitize-address-use-after-scope -fsanitize=fuzzer-no-link"
export CFLAGS="$CFLAGS -fsanitize=bool,array-bounds,float-divide-by-zero,function,integer-divide-by-zero,return,shift,signed-integer-overflow,unsigned-integer-overflow,vla-bound,vptr -fno-sanitize-recover=bool,array-bounds,float-divide-by-zero,function,integer-divide-by-zero,return,shift,signed-integer-overflow,vla-bound,vptr"
./configure --enable-fuzzing --disable-doc --disable-gcc-warnings
make clean
make -j$(nproc)
cd fuzz
UBSAN_OPTIONS=print_stacktrace=1 ASAN_SYMBOLIZER_PATH=/usr/lib/llvm-19/bin/llvm-symbolizer /libtasn1_array2tree_fuzzer < /libtasn1/clusterfuzz-testcase-minimized-libtasn1_array2tree_fuzzer-5118451781206016

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/-/merge_requests/62#note_2338635132

From gnutls-devel at lists.gnutls.org Sun Feb 9 00:10:48 2025
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sat, 08 Feb 2025 23:10:48 +0000
Subject: [gnutls-devel] GnuTLS | Extension order changes after HRR (#1660)
References:
Message-ID:

Daiki Ueno created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1660

RFC 8446 allows only limited [changes](https://www.rfc-editor.org/rfc/rfc8446#section-4.1.2) to the second Client Hello to the first one, though after !1737 the extensions are shuffled, leading to a connectivity issue: https://github.com/luakit/luakit/issues/1101

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1660

From gnutls-devel at lists.gnutls.org Sun Feb 9 02:37:35 2025
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sun, 09 Feb 2025 01:37:35 +0000
Subject: [gnutls-devel] GnuTLS | handshake: only shuffle extensions in the first Client Hello (!1930)
References:
Message-ID:

Daiki Ueno created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1930

Project:Branches: dueno/gnutls:wip/dueno/no-shuffle-extensions to gnutls/gnutls:master
Author: Daiki Ueno

* handshake: only shuffle extensions in the first Client Hello

  RFC 8446 section 4.1.2 states that the second Client Hello after HRR should preserve the same content as the first Client Hello with limited exceptions. Since GnuTLS 3.8.5, however, the library started shuffling the order of extensions for privacy reasons and that didn't comply with the RFC, leading to a connectivity issue against the server configuration with a stricter check on that.

Fixes: #1660

## Checklist
 * [x] Commits have `Signed-off-by:` with name/author being identical to the commit author
 * [ ] Code modified for feature
 * [ ] Test suite updated with functionality tests
 * [ ] Test suite updated with negative tests
 * [ ] Documentation updated / NEWS entry present (for non-trivial changes)
 * [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:
 * [ ] Any issues marked for closing are addressed
 * [ ] There is a test suite reasonably covering new functionality or modifications
 * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
 * [ ] This feature/change has adequate documentation added
 * [ ] No obvious mistakes in the code

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1930

From gnutls-devel at lists.gnutls.org Sun Feb 9 14:46:04 2025
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sun, 09 Feb 2025 13:46:04 +0000
Subject: [gnutls-devel] GnuTLS | Various improvements leading to more easily build with GNU Guix (!1931)
References:
Message-ID:

Maxim Cournoyer created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1931

Project:Branches: apteryks/gnutls:add-guix-scm-file-and-related-improvements to gnutls/gnutls:master
Author: Maxim Cournoyer

This makes it easier to build on Guix System or other non File-Hierarchy-Standard distributions (e.g. NixOS). It also adds a `guix.scm` file which can be used to enter a complete development environment with just `guix shell`.

The build environment of GnuTLS is complex enough that this should help when wanting to run for example `make distcheck`, as I need to do to investigate a fix for https://gitlab.com/gnutls/gnutls/-/merge_requests/1911, now reverted.

* tests: Remove dependency on `which' command.

  A POSIX equivalent (command) works just as well.

  * tests/pkcs11-tool.sh: Replace 'which' invocations with 'command'.
  * tests/tpm2.sh: Likewise.
  * tests/tpmtool_test.sh: Likewise.

* tests: Lookup softhsm tools from PATH.

  This is more portable, e.g. on non-FHS systems.

  * tests/testpkcs11.softhsm (init_card): Use POSIX's 'command' to test if softhsm2-util or softhsm is available from PATH.

  tests: Check softhsm2-util from PATH.

  * tests/pkcs11/softhsm.h (softhsm_bin): Check from PATH.

* bootstrap: Invoke gnulib-tool script via 'sh'.

  This is to work around the lack of /bin/sh on non-FHS systems such as Guix.

* guix.scm: New file.

  This is to make bootstrapping a complete development environment easier, along other Guix-provided perks such as build isolation and reproducibility tooling, etc.

  * README.md: Document.
  * guix.scm: New file.
  * Makefile.am (EXTRA_DIST): Register it.

* Makefile.am: Hint at libdane requirement for distcheck target.

* scripts: Use /usr/bin/env for more portable shebangs.

  Lookup perl from PATH instead of from its fixed expected location, which may not exist on non-FHS systems like Guix System and NixOS.

  * doc/scripts/gdoc: Adjust shebang to use /usr/bin/env.
  * doc/scripts/getfuncs.pl: Likewise.

## Checklist
 * [ ] Commits have `Signed-off-by:` with name/author being identical to the commit author
 * [ ] Code modified for feature
 * [ ] Test suite updated with functionality tests
 * [ ] Test suite updated with negative tests
 * [ ] Documentation updated / NEWS entry present (for non-trivial changes)
 * [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:
 * [ ] Any issues marked for closing are addressed
 * [ ] There is a test suite reasonably covering new functionality or modifications
 * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
 * [ ] This feature/change has adequate documentation added
 * [ ] No obvious mistakes in the code

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1931

From gnutls-devel at lists.gnutls.org Sun Feb 9 14:51:31 2025
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sun, 09 Feb 2025 13:51:31 +0000
Subject: [gnutls-devel] cligen | Use 'env' in script shebangs. (!7)
References:
Message-ID:

Maxim Cournoyer created a merge request: https://gitlab.com/gnutls/cligen/-/merge_requests/7

Project:Branches: apteryks/cligen:usr-bin-env-shebangs to gnutls/cligen:main
Author: Maxim Cournoyer

This is more portable, e.g. on non-FHS systems.

* cli-codegen.py: Use env in script shebang.
* cli-docgen.py: Likewise.

Signed-off-by: Maxim Cournoyer

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/cligen/-/merge_requests/7

From gnutls-devel at lists.gnutls.org Sun Feb 9 14:52:34 2025
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sun, 09 Feb 2025 13:52:34 +0000
Subject: [gnutls-devel] GnuTLS | Various improvements leading to more easily build with GNU Guix (!1931)
In-Reply-To:
References:
Message-ID:

Maxim Cournoyer commented: https://gitlab.com/gnutls/gnutls/-/merge_requests/1931#note_2338817812

Related: https://gitlab.com/gnutls/cligen/-/merge_requests/7

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1931#note_2338817812

From gnutls-devel at lists.gnutls.org Sun Feb 9 15:51:50 2025
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sun, 09 Feb 2025 14:51:50 +0000
Subject: [gnutls-devel] GnuTLS | certtool-pkcs11 test fails (#1661)
References:
Message-ID:

Maxim Cournoyer created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1661

## Description of problem:

When running `make check`, the certtool-pkcs11 test fails consistently.

## Version of gnutls used:

Using the current latest commit (477a73324) of the master branch, 3.8.9.

## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)

N/A.

## How reproducible:

Simply by running the test suite.

Steps to Reproduce:

Using Guix (with the guix.scm file available from https://gitlab.com/gnutls/gnutls/-/merge_requests/1931)

 * enter dev environment with `guix shell --pure`
 * run `sh bootstrap --no-git --gnulib-srcdir=gnulib --skip-po`
 * run `./configure --with-brotli=link --with-zlib=link --with-zstd=link`
 * run `make -j$(nproc)`
 * run `make check -j$(nproc)`

## Actual results:

```
============================================================================
Testsuite summary for GnuTLS 3.8.9
============================================================================
# TOTAL: 501
# PASS: 455
# SKIP: 45
# XFAIL: 0
# FAIL: 1
# XPASS: 0
# ERROR: 0
============================================================================
See tests/test-suite.log
```

From test-suite.log, the failure is:

```
FAIL: certtool-pkcs11
=====================
Testing PKCS11 verification
* Initializing smart card... ok
* Token: Could not find generated token
check verify-pkcs11.debug for additional debugging information
tail: cannot open 'verify-pkcs11.debug' for reading: No such file or directory
FAIL certtool-pkcs11.sh (exit status: 1)
```

## Expected results:

All tests passing.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1661

From gnutls-devel at lists.gnutls.org Sun Feb 9 15:56:45 2025
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sun, 09 Feb 2025 14:56:45 +0000
Subject: [gnutls-devel] GnuTLS | Build failure when building from git (#1633)
In-Reply-To:
References:
Message-ID:

Issue was closed by Maxim Cournoyer

Issue #1633: https://gitlab.com/gnutls/gnutls/-/issues/1633

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1633

From gnutls-devel at lists.gnutls.org Sun Feb 9 16:19:05 2025
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sun, 09 Feb 2025 15:19:05 +0000
Subject: [gnutls-devel] GnuTLS | Library incompatible with x86_64 CET/shadow stack (#1658)
In-Reply-To:
References:
Message-ID:

loqs commented: https://gitlab.com/gnutls/gnutls/-/issues/1658#note_2338834634

Have you looked at https://gitlab.com/gnutls/gnutls/-/issues/1043?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1658#note_2338834634

From gnutls-devel at lists.gnutls.org Sun Feb 9 16:29:51 2025
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sun, 09 Feb 2025 15:29:51 +0000
Subject: [gnutls-devel] GnuTLS | doc: Avoid failures in a parallel build. (!1911)
In-Reply-To:
References:
Message-ID:

Maxim Cournoyer commented: https://gitlab.com/gnutls/gnutls/-/merge_requests/1911#note_2338836774

Alright, I can reproduce the `make distcheck` issue when this change is applied now.
It looks like this:

```
make[4]: Entering directory '/home/maxim/src/gnutls/gnutls-3.8.9/_build/sub/doc'
CC errcodes.o
CC common.o
CC printlist.o
CC alert-printlist.o
CCLD errcodes
CCLD alert-printlist
CCLD printlist
./errcodes > error_codes.texi-tmp
./alert-printlist > alerts.texi-tmp
./printlist > algorithms.texi-tmp
mv -f error_codes.texi-tmp error_codes.texi
mv -f alerts.texi-tmp alerts.texi
mv -f algorithms.texi-tmp algorithms.texi
MAKEINFO ../../../doc/gnutls.info
mkdir: cannot create directory '.am14182': Permission denied
could not open ../../../doc/gnutls.texi: No such file or directory
/bin/sh: line 17: cd: ../../../doc: No such file or directory
make[4]: *** [Makefile:5435: ../../../doc/gnutls.info] Error 1
make[4]: Leaving directory '/home/maxim/src/gnutls/gnutls-3.8.9/_build/sub/doc'
make[3]: *** [Makefile:5644: all-recursive] Error 1
make[3]: Leaving directory '/home/maxim/src/gnutls/gnutls-3.8.9/_build/sub/doc'
make[2]: *** [Makefile:2926: all-recursive] Error 1
make[2]: Leaving directory '/home/maxim/src/gnutls/gnutls-3.8.9/_build/sub'
make[1]: *** [Makefile:2851: all] Error 2
make[1]: Leaving directory '/home/maxim/src/gnutls/gnutls-3.8.9/_build/sub'
make: *** [Makefile:3145: distcheck] Error 1
```

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1911#note_2338836774

From gnutls-devel at lists.gnutls.org Sun Feb 9 20:06:25 2025
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sun, 09 Feb 2025 19:06:25 +0000
Subject: [gnutls-devel] GnuTLS | Library incompatible with x86_64 CET/shadow stack (#1658)
In-Reply-To:
References:
Message-ID:

Maciej S_ Szmigiero commented on a discussion: https://gitlab.com/gnutls/gnutls/-/issues/1658#note_2338878008

Seems like a good starting point, thanks for bringing that issue to my attention.

However, it looks like #1043 is specifically about updating CRYPTOGAMS code (which might make that code CET-compatible), while my point here is to track *all* effort to make the GnuTLS library CET-compatible. Which may or may not require additional work over just updating the CRYPTOGAMS code.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1658#note_2338878008

From gnutls-devel at lists.gnutls.org Sun Feb 9 23:57:56 2025
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sun, 09 Feb 2025 22:57:56 +0000
Subject: [gnutls-devel] GnuTLS | handshake: only shuffle extensions in the first Client Hello (!1930)
In-Reply-To:
References:
Message-ID:

Ajit Singh was added as a reviewer.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1930

From gnutls-devel at lists.gnutls.org Mon Feb 10 01:10:33 2025
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Mon, 10 Feb 2025 00:10:33 +0000
Subject: [gnutls-devel] GnuTLS | handshake: only shuffle extensions in the first Client Hello (!1930)
In-Reply-To:
References:
Message-ID:

Ajit Singh commented: https://gitlab.com/gnutls/gnutls/-/merge_requests/1930#note_2338950446

LGTM!

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1930#note_2338950446

From gnutls-devel at lists.gnutls.org Mon Feb 10 01:10:55 2025
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Mon, 10 Feb 2025 00:10:55 +0000
Subject: [gnutls-devel] GnuTLS | handshake: only shuffle extensions in the first Client Hello (!1930)
In-Reply-To:
References:
Message-ID:

Merge request !1930 was approved by Ajit Singh

Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1930
Project:Branches: dueno/gnutls:wip/dueno/no-shuffle-extensions to gnutls/gnutls:master
Author: Daiki Ueno
Assignees:
Reviewer: Ajit Singh

From gnutls-devel at lists.gnutls.org Mon Feb 10 01:13:47 2025
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Mon, 10 Feb 2025 00:13:47 +0000
Subject: [gnutls-devel] GnuTLS | Various improvements leading to more easily build with GNU Guix (!1931)
In-Reply-To:
References:
Message-ID:

Maxim Cournoyer commented: https://gitlab.com/gnutls/gnutls/-/merge_requests/1931#note_2338952002

The Fedora CI failure looks unrelated:

```
Uploading artifacts...
./*.log: found 1 matching artifact files and directories
./**/*.log: found 728 matching artifact files and directories
WARNING: Upload request redirected location=https://gitlab.com/api/v4/jobs/9084451680/artifacts?artifact_format=zip&artifact_type=archive&expire_in=1+week new-url=https://gitlab.com
WARNING: Retrying... context=artifacts-uploader error=request redirected
Uploading artifacts as "archive" to coordinator... 201 Created id=9084451680 responseStatus=201 Created token=glcbt-66
Cleaning up project directory and file based variables 00:00
ERROR: Job failed: exit code 1
```

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1931#note_2338952002

From gnutls-devel at lists.gnutls.org Mon Feb 10 01:24:18 2025
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Mon, 10 Feb 2025 00:24:18 +0000
Subject: [gnutls-devel] GnuTLS | Makefile.am: error if libdane missing on make dist (!1903)
In-Reply-To:
References:
Message-ID:

Maxim Cournoyer commented on a discussion on Makefile.am: https://gitlab.com/gnutls/gnutls/-/merge_requests/1903#note_2338956863

> @echo "******************************************************************************************" > > dist-hook: > +if !ENABLE_DANE

It's `--enable-libdane`; which I've added to the distcheck configure flags here: https://gitlab.com/gnutls/gnutls/-/merge_requests/1931/diffs?commit_id=23b0dbe59972aa3f233d2fd6ea2cbe7524ba91b1

But as you noted, it already defaults to 'yes' and just warns when not found currently, so I guess this warning should be promoted to an error as Daiki wrote.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1903#note_2338956863

From gnutls-devel at lists.gnutls.org Mon Feb 10 02:38:14 2025
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Mon, 10 Feb 2025 01:38:14 +0000
Subject: [gnutls-devel] GnuTLS | handshake: only shuffle extensions in the first Client Hello (!1930)
In-Reply-To:
References:
Message-ID:

Daiki Ueno commented: https://gitlab.com/gnutls/gnutls/-/merge_requests/1930#note_2338976974

Thank you for the prompt review, @peonix. I also added some test for that; could you have a quick look?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1930#note_2338976974

From gnutls-devel at lists.gnutls.org Mon Feb 10 03:24:08 2025
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Mon, 10 Feb 2025 02:24:08 +0000
Subject: [gnutls-devel] GnuTLS | handshake: only shuffle extensions in the first Client Hello (!1930)
In-Reply-To:
References:
Message-ID:

Ajit Singh commented: https://gitlab.com/gnutls/gnutls/-/merge_requests/1930#note_2338994483

Looks good!

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1930#note_2338994483

From gnutls-devel at lists.gnutls.org Mon Feb 10 03:30:14 2025
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Mon, 10 Feb 2025 02:30:14 +0000
Subject: [gnutls-devel] GnuTLS | handshake: only shuffle extensions in the first Client Hello (!1930)

Merge request !1930 was merged

Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1930
Project:Branches: dueno/gnutls:wip/dueno/no-shuffle-extensions to gnutls/gnutls:master
Author: Daiki Ueno
Reviewer: Ajit Singh

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1930

From gnutls-devel at lists.gnutls.org Mon Feb 10 03:30:15 2025
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Mon, 10 Feb 2025 02:30:15 +0000
Subject: [gnutls-devel] GnuTLS | Extension order changes after HRR (#1660)

Issue was closed by Daiki Ueno with merge request !1930 (https://gitlab.com/gnutls/gnutls/-/merge_requests/1930)

Issue #1660: https://gitlab.com/gnutls/gnutls/-/issues/1660

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1660

From gnutls-devel at lists.gnutls.org Mon Feb 10 05:07:42 2025
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Mon, 10 Feb 2025 04:07:42 +0000
Subject: [gnutls-devel] GnuTLS | Parallel build failures in doc: mv: cannot stat '.deps/common.Tpo': No such file or directory (#1635)

Issue was reopened by Maxim Cournoyer

Issue 1635: https://gitlab.com/gnutls/gnutls/-/issues/1635

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1635

From gnutls-devel at lists.gnutls.org Mon Feb 10 05:55:36 2025
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Mon, 10 Feb 2025 04:55:36 +0000
Subject: [gnutls-devel] GnuTLS | Warnings when building documentation during make distcheck (#464)

Maxim Cournoyer commented: https://gitlab.com/gnutls/gnutls/-/issues/464#note_2339070134

It seems these warnings are now errors using GCC 14:

```
Creating documentation for gnutls_ocsp_req_deinit...
error: 574: Cannot understand prototype: 'typedef struct gnutls_pcert_st gnutls_pubkey_t pubkey; '
```

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/464#note_2339070134

From gnutls-devel at lists.gnutls.org Mon Feb 10 07:59:39 2025
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Mon, 10 Feb 2025 06:59:39 +0000
Subject: [gnutls-devel] GnuTLS | fips: perform only signature PCT for all RSA algorithms (!1932)

Daiki Ueno created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1932

Project:Branches: dueno/gnutls:wip/dueno/certtool-without-pkcs1 to gnutls/gnutls:master
Author: Daiki Ueno

* tests: do not assume RSAES-PKCS1-v1_5 is enabled in system config

  Signed-off-by: Alexander Sosedkin
  Signed-off-by: Daiki Ueno

* fips: perform only signature PCT for all RSA algorithms

  FIPS 140-3 IG 10.3.A states that having a signature PCT also covers key transport for RSA. Therefore, this consolidates all code paths for RSA, RSA-PSS, and RSA-OAEP to exercise a signature PCT.

  Signed-off-by: Daiki Ueno

## Checklist
* [x] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [ ] Code modified for feature
* [ ] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
* [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:
* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1932