From gnutls-devel at lists.gnutls.org Sat Feb 1 22:17:09 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Sat, 01 Feb 2025 21:17:09 +0000 Subject: [gnutls-devel] libtasn1 | Draft: tests / asn1Decoding.c: Improve test coverage and Fix asn1Decoding Issues (!116) References: Message-ID: Andrew Hamilton created a merge request: https://gitlab.com/gnutls/libtasn1/-/merge_requests/116 Project:Branches: adhamilt/libtasn1:testCoverageBumpv2 to gnutls/libtasn1:master Author: Andrew Hamilton 1. tests/ : Improve test coverage of libtasn1 executables asn1Decoding.c, asn1Parser.c, and asn1Coding.c. With the test additions, the following change in code coverage was observed: (before): | Directory | Line Coverage | | ------ | ------ | | libtasn1/fuzz | 80.0 % | | libtasn1/lib | 85.4 % | | libtasn1/libtasn1/lib/gl | 100.0 % | | libtasn1/libtasn1/src | 38.2 % | | libtasn1/libtasn1/src/gl | 0.0 % | | /usr/include | 100.0 % | (after): | Directory | Line Coverage | | ------ | ------ | | libtasn1/fuzz | 80.0 % | | libtasn1/lib | 85.6 % | | libtasn1/libtasn1/lib/gl | 100.0 % | | libtasn1/libtasn1/src | 86.8 % | | libtasn1/libtasn1/src/gl | 100.0 % | | /usr/include | 100.0 % | 2. asn1Decoding.c: Made the following corrections observed during test development: - Removed a stray / unused "c" option from the short option list. - Ensure tmplen is initialized prior to use in all possible error paths. - Ensure realloc is not called with a zero length when the debug option is set and an empty input is provided - realloc with size zero appears to have undefined behavior per the function definition. ## Checklist * [X] Code modified for feature * [X] Test suite updated with functionality tests * [X] Test suite updated with negative tests * [ ] Documentation updated ## Reviewer's checklist: * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent with other code * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/-/merge_requests/116 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat Feb 1 22:18:55 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Sat, 01 Feb 2025 21:18:55 +0000 Subject: [gnutls-devel] libtasn1 | tests / asn1Decoding.c: Improve test coverage and Fix asn1Decoding Issues (!116) In-Reply-To: References: Message-ID: Andrew Hamilton marked merge request !116 as ready -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/-/merge_requests/116 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat Feb 1 22:29:02 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Sat, 01 Feb 2025 21:29:02 +0000 Subject: [gnutls-devel] libtasn1 | Draft: tests / asn1Decoding.c: Improve test coverage and Fix asn1Decoding Issues (!116) In-Reply-To: References: Message-ID: Andrew Hamilton marked merge request !116 as draft -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/-/merge_requests/116 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun Feb 2 16:53:31 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Sun, 02 Feb 2025 15:53:31 +0000 Subject: [gnutls-devel] libtasn1 | tests / asn1Decoding.c: Improve test coverage and Fix asn1Decoding Issues (!116) In-Reply-To: References: Message-ID: Andrew Hamilton marked merge request !116 as ready -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/-/merge_requests/116 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Feb 4 10:26:54 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 04 Feb 2025 09:26:54 +0000 Subject: [gnutls-devel] GnuTLS | cannot generate RSA-OAEP key outside of FIPS mode with certtool (#1653) References: Message-ID: Alexander Sosedkin created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1653 On Fedora gnutls-3.8.8-3.fc41 and/or master (2b8c3e4c), I can't seem to generate a PKCS#8 RSA-OAEP key without going into FIPS mode or going beyond certtool. * `certtool --generate-privkey --key-type rsa-oaep --outfile oaep` -> raw RSA key with no OAEP parameters encoded * `certtool --generate-privkey --key-type rsa-oaep --outfile oaep --p8` -> same, raw RSA key but * `env GNUTLS_FORCE_FIPS_MODE=1 certtool --generate-privkey --key-type rsa-oaep --outfile oaep` -> `:rsaesOaep` OID key with `:1.3.6.1.4.1.2312.18.8.1` validation params present despite * `env GNUTLS_FORCE_FIPS_MODE=1 build/src/certtool --generate-privkey --key-type rsa-oaep --outfile oaep --provable` -> `The --provable parameter can only be used with RSA and DSA keys.` That doesn't look right to me at all, I'd rather expect all of the above to produce `:rsaesOaep`-tagged keys and `--provable` not tell me I cannot generate provable keys when I actually can. My current workaround is to generate regular RSA keys, import and `gnutls_x509_spki_set_rsa_oaep_params()` them into OAEP keys with the parameters I need. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1653 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Feb 4 10:28:00 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 04 Feb 2025 09:28:00 +0000 Subject: [gnutls-devel] GnuTLS | cannot generate RSA-OAEP key outside of FIPS mode with certtool (#1653) In-Reply-To: References: Message-ID: Alexander Sosedkin commented: https://gitlab.com/gnutls/gnutls/-/issues/1653#note_2329607755 >From my brief exploration of the code, I couldn't find why the FIPS and non-FIPS results differ, but here are two ltrace snippets that might be of interest: non-FIPS: ``` gnutls_x509_privkey_get_seed(0x55a8a382ff30, 0, 0, 0) = 0xffffffce # <- GNUTLS_E_INVALID_REQUEST gnutls_x509_privkey_generate2(0x55a8a382ff30, 13, 3072, 0) = 0 gnutls_x509_spki_deinit(0x55a8a3830150, 0x55a8a3813510, 2, 0x55a8a3813a50) = 2 gnutls_x509_privkey_verify_params(0x55a8a382ff30, 0x55a8a3830140, 0x55adf9093df0, 4) = 0 gnutls_x509_privkey_get_pk_algorithm(0x55a8a382ff30, 0x7ffe74f64bf0, 0x55a8a382ff30, 7) = 13 gnutls_x509_privkey_get_seed(0x55a8a382ff30, 0, 0, 0) = 0xffffffce # <- GNUTLS_E_INVALID_REQUEST fwrite("Public Key Info:\n", 1, 17, 0x55a8a382f450) = 17 ``` FIPS: ``` gnutls_x509_privkey_get_seed(0x55ce108b3200, 0, 0, 0) = 0xffffffce # <- GNUTLS_E_INVALID_REQUEST gnutls_x509_privkey_generate2(0x55ce108b3200, 13, 3072, 0) = 0 gnutls_x509_spki_deinit(0x55ce108b3420, 0x55ce108811b0, 2, 0x55ce108810f0) = 2 gnutls_x509_privkey_verify_params(0x55ce108b3200, 0x55ce108b3410, 0x55cb4c6b1873, 5) = 0 gnutls_x509_privkey_get_pk_algorithm(0x55ce108b3200, 0x7ffc1fb6c220, 0x55ce108b3200, 7) = 13 gnutls_x509_privkey_get_seed(0x55ce108b3200, 0, 0, 0) = 0xffffffcd # <- GNUTLS_E_SHORT_MEMORY_BUFFER, suggesting key->params.seed_size is set fwrite("Assuming --pkcs8 is given; prova"..., 1, 87, 0x7fdc0c9f74e0) = 87 fwrite("Public Key Info:\n", 1, 17, 0x55ce108a3010) = 17 ``` -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1653#note_2329607755 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Feb 4 14:13:48 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 04 Feb 2025 13:13:48 +0000 Subject: [gnutls-devel] GnuTLS | TAG check for extensions (#1652) In-Reply-To: References: Message-ID: Zolt?n Fridrich commented: https://gitlab.com/gnutls/gnutls/-/issues/1652#note_2330125310 @dulanshuangqiao Thank you for the report. Could you please provide a reproducer for this issue? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1652#note_2330125310 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Feb 4 20:59:59 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 04 Feb 2025 19:59:59 +0000 Subject: [gnutls-devel] GnuTLS | Draft: add cmake (!1908) In-Reply-To: References: Message-ID: Merge request !1908 was closed by Tal Regev Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1908 Project:Branches: tal.regev/gnutls:TalR/cmake to gnutls/gnutls:master Author: Tal Regev Assignees: Reviewers: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1908 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Feb 5 09:09:57 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 05 Feb 2025 08:09:57 +0000 Subject: [gnutls-devel] GnuTLS | cannot generate RSA-OAEP key outside of FIPS mode with certtool (#1653) In-Reply-To: References: Message-ID: Daiki Ueno commented: https://gitlab.com/gnutls/gnutls/-/issues/1653#note_2331596970 > `certtool --generate-privkey --key-type rsa-oaep --outfile oaep --p8` -\> same, raw RSA key The `--p8` in this command line expands to `--p8-info`, as the abbreviation is [unique](https://www.gnu.org/software/libc/manual/html_node/Getopt-Long-Options.html), which doesn't change the key generation behavior. The correct command line is: `certtool --generate-privkey --key-type rsa-oaep --outfile oaep --pkcs8 --empty-password` That said, that should be the default behavior; currently it's not because of a missing key type check in `switch_to_pkcs8_when_needed` in src/certtool-common.h. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1653#note_2331596970 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Feb 5 09:46:22 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 05 Feb 2025 08:46:22 +0000 Subject: [gnutls-devel] GnuTLS | CKA_NSS_SERVER_DISTRUST_AFTER does not work for a system p11 object (#1656) References: Message-ID: Xi Ruoyao created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1656 ## Description of problem: We have such a p11 object which is converted from Mozilla certificate data: ``` [p11-kit-object-v1] label: "Entrust Root Certification Authority - G2" class: x-certificate-extension object-id: 2.5.29.37 value: "0 %06%03U%1d%25%01%01%ff%04%160%14%06%08%2b%06%01%05%05%07%03%04%06%08%2b%06%01%05%05%07%03%01" modifiable: false -----BEGIN PUBLIC KEY----- MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuoS2ctueDGvimekwAad2 6jK4lUEaydphTlhyz/72gnm/c2EGCqUn2LNf00VOHHLWTjLycooP94MZ0GqAgABF HrDH55q/ElcnHKNoLwqHvWprDl5l8xx31dSFjXAhtLMy54ui1YY5ArG40kfO5MlJ xDun3vtUfVe+8OhuwnmyOgtV4lCYFjITXC94VsHClLPyWuQnmp8k18bs0JslguPM wsRFxYyXegZrKhGfqQpuSDtv29QRGUL3jwe/9VNfnD70FyzmaaxOMkxid+q36OW7 NLwZi66cUee3frVTsTMi5W3PcDwa+uKbZ7aD9I2lr2JMTeBYrGQ0EgP4to2UYySk cQIDAQAB -----END PUBLIC KEY----- [p11-kit-object-v1] label: "Entrust Root Certification Authority - G2" trusted: true nss-mozilla-ca-policy: true modifiable: false nss-server-distrust-after: "241130235959Z" nss-email-distrust-after: "%00" -----BEGIN CERTIFICATE----- MIIEPjCCAyagAwIBAgIESlOMKDANBgkqhkiG9w0BAQsFADCBvjELMAkGA1UEBhMC VVMxFjAUBgNVBAoTDUVudHJ1c3QsIEluYy4xKDAmBgNVBAsTH1NlZSB3d3cuZW50 cnVzdC5uZXQvbGVnYWwtdGVybXMxOTA3BgNVBAsTMChjKSAyMDA5IEVudHJ1c3Qs IEluYy4gLSBmb3IgYXV0aG9yaXplZCB1c2Ugb25seTEyMDAGA1UEAxMpRW50cnVz dCBSb290IENlcnRpZmljYXRpb24gQXV0aG9yaXR5IC0gRzIwHhcNMDkwNzA3MTcy NTU0WhcNMzAxMjA3MTc1NTU0WjCBvjELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUVu dHJ1c3QsIEluYy4xKDAmBgNVBAsTH1NlZSB3d3cuZW50cnVzdC5uZXQvbGVnYWwt dGVybXMxOTA3BgNVBAsTMChjKSAyMDA5IEVudHJ1c3QsIEluYy4gLSBmb3IgYXV0 aG9yaXplZCB1c2Ugb25seTEyMDAGA1UEAxMpRW50cnVzdCBSb290IENlcnRpZmlj YXRpb24gQXV0aG9yaXR5IC0gRzIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK AoIBAQC6hLZy254Ma+KZ6TABp3bqMriVQRrJ2mFOWHLP/vaCeb9zYQYKpSfYs1/T RU4cctZOMvJyig/3gxnQaoCAAEUesMfnmr8SVycco2gvCoe9amsOXmXzHHfV1IWN cCG0szLni6LVhjkCsbjSR87kyUnEO6fe+1R9V77w6G7CebI6C1XiUJgWMhNcL3hW wcKUs/Ja5CeanyTXxuzQmyWC48zCxEXFjJd6BmsqEZ+pCm5IO2/b1BEZQvePB7/1 U1+cPvQXLOZprE4yTGJ36rfo5bs0vBmLrpxR57d+tVOxMyLlbc9wPBr64ptntoP0 jaWvYkxN4FisZDQSA/i2jZRjJKRxAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAP BgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBRqciZ60B7vfec7aVHUbI2fkBJmqzAN BgkqhkiG9w0BAQsFAAOCAQEAeZ8dlsa2eT8ijYfThwMEYGprmi5ZiXMRrEPR9RP/ jTkrwPK9T3CMqS/qF8QLVJ7UG5aYMzyorWKiAHarWWluBh1+xLlEjZivEtRh2woZ Rkfz6/djwUAFQKXSt/S1mja/qYh2iARVBCuch38aNzx+LaUa2NSJXsq9rD1s2G2v 1fN2D807iDginWyTmsQ9v4IbZT+mD12q/OWyFcq1rca8PdCE6OoGcrBNOTJ4vz4R nAuknZoh8/CbCzB428Hch0P+vGOaysXCHMnHjf87ElgI5rY97HosTvuDls4MPGmH VHOkc8KT/1EQrBVUAdj8BbGJoX90g5pJ19xOe4pIb4tF9g== -----END CERTIFICATE----- ``` Note that the certificate has a `nss-server-distrust-after` field. But when trying a website using this root CA with `gnutls-cli www.fidelity.com -d9999`: ``` |<2>| check_found_cert: cert doesn't match the expected |<3>| ASSERT: pkcs11.c[find_cert_cb]:4272 |<3>| ASSERT: pkcs11.c[find_cert_cb]:4083 |<2>| get_distrust_after: did not find cert, using issuer DN + serial, using DN only |<3>| ASSERT: pkcs11.c[_gnutls_pkcs11_get_distrust_after]:4861 |<2>| p11: No login requested. |<2>| check_found_cert: cert doesn't match the expected |<3>| ASSERT: pkcs11.c[find_cert_cb]:4272 |<3>| ASSERT: pkcs11.c[find_cert_cb]:4083 |<3>| ASSERT: pkcs11.c[_gnutls_pkcs11_get_distrust_after]:4876 |<2>| get_distrust_after: did not find any cert ``` So it seems GnuTLS has not really found the field. ## Version of gnutls used: 3.8.8 ## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL) Originally found on Beyond Linux From Scratch, same result on Fedora Rawhide ## How reproducible: See above. ## Actual results: GnuTLS accept the certificate (the behavior is correct) but the debug info shows the `nss-server-distrust-after` field isn't found at all. ## Expected results: GnuTLS still accept the certificate, but after comparing the `nss-server-distrust-after` field. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1656 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: