From gnutls-devel at lists.gnutls.org Tue May 6 14:04:02 2025
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Tue, 06 May 2025 12:04:02 +0000
Subject: [gnutls-devel] GnuTLS | I get an error with X25519. (#1705)

Issue was closed by Zoltán Fridrich

Issue #1705: https://gitlab.com/gnutls/gnutls/-/issues/1705

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1705
You're receiving this email because of your account on gitlab.com.

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From gnutls-devel at lists.gnutls.org Fri May 9 16:09:21 2025
Date: Fri, 09 May 2025 14:09:21 +0000
Subject: [gnutls-devel] GnuTLS | DTLS Handshake Failure: Error in the push/pull function during communication over UDP on port 12345 (#1707)

Jennifer-first created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1707

## Description of problem:

I am attempting to establish a DTLS connection over UDP between a client and server using GnuTLS. The client successfully sends a message to the server, and the server receives and prints "Hello, server!". However, when attempting to send additional data after this initial message, the DTLS handshake fails with the following errors:

Client Side:
Fatal error: Error in the push function
Could not connect to 127.0.0.1:12345: Connection refused

Server Side:
DTLS Handshake failed: Error in the pull function.

I have verified that the server listens on port 12345.
I checked for firewall or network issues that could block UDP communication.
I attempted to modify the MTU settings in the GnuTLS session.
I also tried running the server without using the certificates to isolate the problem.

## Version of gnutls used:

gnutls 3.7.3

## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)

Ubuntu

## How reproducible:

Steps to Reproduce:

* server:gcc dtls_server.c -o dtls_server $(pkg-config --cflags --libs gnutls)
* server:./dtls_server
* client:gnutls-cli --udp --port 12345 127.0.0.1 --insecure

## Actual results:

-port 12345 127.0.0.1 --insecure
Processed 0 CA certificate(s).
Resolving '127.0.0.1:12345'...
Connecting to '127.0.0.1:12345'...
*** Fatal error: Error in the push function.
Could not connect to 127.0.0.1:12345: Connection refused

Listening on UDP port 12345...
Received initial packet from client 127.0.0.1:53900
DTLS Handshake failed: Error in the pull function.

## Expected results:

DTLS Handshake succeeded!

[26973.zip](/uploads/9e3af574dd8190fcd80e845b1c43b47b/26973.zip)

From gnutls-devel at lists.gnutls.org Sat May 10 10:17:38 2025
Date: Sat, 10 May 2025 08:17:38 +0000
Subject: [gnutls-devel] GnuTLS | TLS Handshake Fails with "expired.badssl.com": Fatal Alert [40] (GnuTLS v3.7.3) (#1708)

Jennifer-first created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1708

## Description of problem:

When connecting to `expired.badssl.com` using `gnutls-cli`, the handshake fails with a fatal TLS alert (alert code [40]) and the connection is aborted.
The goal was to reproduce an SSL error scenario, and the observed behavior may indicate either expected behavior or unexpected handling by GnuTLS. Attached is my running script. [test.py](/uploads/6caa057315fd74924dcddd36314b3c70/test.py)

## Version of gnutls used:

gnutls 3.7.3

## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)

Ubuntu

## How reproducible:

Steps to Reproduce:

* python3 test.py

## Actual results:

python3 test.py
STDOUT:
Processed 146 CA certificate(s).
Resolving 'expired.badssl.com:443'...
Connecting to '104.154.89.105:443'...
*** Received alert [40]: Handshake failed
STDERR:
*** Fatal error: A TLS fatal alert has been received.
? REPRODUCTION SUCCESSFUL: SSL error observed.

## Expected results:

The connection should fail gracefully due to the expired certificate, but it is unclear whether the fatal alert [40] is expected or if GnuTLS should produce a more descriptive error (e.g., "certificate expired").

From gnutls-devel at lists.gnutls.org Mon May 12 09:16:16 2025
Date: Mon, 12 May 2025 07:16:16 +0000
Subject: [gnutls-devel] GnuTLS | gnutls-cli returns vague error message when using invalid SNI — only shows "Error in the certificate" (#1709)

Jennifer-first created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1709

## Description of problem:

## Version of gnutls used:

## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)

## How reproducible:

Steps to Reproduce:

* one
* two
* three

## Actual results:

## Expected results:

From gnutls-devel at lists.gnutls.org Mon May 12 16:10:33 2025
Date: Mon, 12 May 2025 14:10:33 +0000
Subject: [gnutls-devel] GnuTLS | Add configuration option for certificate compression algorithms (!1950)

Zoltán Fridrich created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1950

Project:Branches: ZoltanFridrich/gnutls:zfridric_devel2 to gnutls/gnutls:master
Author: Zoltán Fridrich
Assignee: Zoltán Fridrich

Closes: #1423

Signed-off-by: Zoltan Fridrich

## Checklist

* [ ] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [ ] Code modified for feature
* [ ] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
* [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:

* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

From gnutls-devel at lists.gnutls.org Mon May 12 16:10:27 2025
Date: Mon, 12 May 2025 14:10:27 +0000
Subject: [gnutls-devel] GnuTLS | Add configuration option for certificate compression algorithms (!1950)

Reassigned merge request 1950

https://gitlab.com/gnutls/gnutls/-/merge_requests/1950

Zoltán Fridrich was added as an assignee.

From gnutls-devel at lists.gnutls.org Mon May 12 17:24:39 2025
Date: Mon, 12 May 2025 15:24:39 +0000
Subject: [gnutls-devel] GnuTLS | Add configuration option for certificate compression algorithms (!1950)

Daiki Ueno was added as a reviewer.

From gnutls-devel at lists.gnutls.org Tue May 13 14:13:06 2025
Date: Tue, 13 May 2025 12:13:06 +0000
Subject: [gnutls-devel] GnuTLS | Ambiguous error when using --disable-sni with mismatched hostnames (#1709)

Issue was closed by Alicja Kario (@mention me if you need reply)

Issue #1709: https://gitlab.com/gnutls/gnutls/-/issues/1709

From gnutls-devel at lists.gnutls.org Tue May 13 14:13:06 2025
Date: Tue, 13 May 2025 12:13:06 +0000
Subject: [gnutls-devel] GnuTLS | Ambiguous error when using --disable-sni with mismatched hostnames (#1709)

Alicja Kario (@mention me if you need reply) commented: https://gitlab.com/gnutls/gnutls/-/issues/1709#note_2501149345

The connection fails with this error message because _the server_ is sending that alert (internal error) to the client, and the client is dutifully reporting it to the user.

There is nothing to fix here.

From gnutls-devel at lists.gnutls.org Tue May 13 14:13:01 2025
Date: Tue, 13 May 2025 12:13:01 +0000
Subject: [gnutls-devel] GnuTLS | TLS Handshake Fails with "expired.badssl.com": Fatal Alert [40] (GnuTLS v3.7.3) (#1708)

Issue was closed by Alexander Sosedkin

Issue #1708: https://gitlab.com/gnutls/gnutls/-/issues/1708

From gnutls-devel at lists.gnutls.org Tue May 13 14:13:03 2025
Date: Tue, 13 May 2025 12:13:03 +0000
Subject: [gnutls-devel] GnuTLS | TLS Handshake Fails with "expired.badssl.com": Fatal Alert [40] (GnuTLS v3.7.3) (#1708)

Alexander Sosedkin commented: https://gitlab.com/gnutls/gnutls/-/issues/1708#note_2501149187

It looks like you're forcing TLS 1.3 and expired.badssl.com does not support it. In that case, receiving back an alert from the server is totally expected, the reason for the failure is it doesn't speak TLS 1.3, and that ain't something that gnutls can do anything about or even has any insight into.

From gnutls-devel at lists.gnutls.org Tue May 13 16:31:06 2025
Date: Tue, 13 May 2025 14:31:06 +0000
Subject: [gnutls-devel] GnuTLS | lib/accelerated/aarch64/hmac-sha-aarch64.c: Add gnutls_free() to avoid memory leak (!1951)

Jiasheng Jiang created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1951

Project:Branches: JiashengJiang/gnutls:patch1 to gnutls/gnutls:master
Author: Jiasheng Jiang

* lib/accelerated/aarch64/hmac-sha-aarch64.c: Add gnutls_free() to avoid memory leak

Add gnutls_free() to free ctx if _hmac_ctx_init() fails to avoid memory leak.

Fixes: d92c73de3 ("Added HMAC-SHA* optimizations for aarch64")
Signed-off-by: JiashengJiang

From gnutls-devel at lists.gnutls.org Tue May 13 16:31:14 2025
Date: Tue, 13 May 2025 14:31:14 +0000
Subject: [gnutls-devel] GnuTLS | Support specifying groups to send in key_share extension (#1710)

Alicja Kario (@mention me if you need reply) created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1710

When using `gnutls-3.8.9-9.el10`, with crypto-policies including both PQC and classical crypto key exchange groups (e.g. `GROUP-X25519-MLKEM768:GROUP-SECP256R1-MLKEM768:GROUP-SECP384R1-MLKEM1024:GROUP-X25519:GROUP-SECP256R1`) then gnutls will send key shares for the `X25519-MLKEM768` and `SECP256R1` groups.

There is no way to override the behaviour (either to send multiple PQC key_shares, or to send the X25519 key share instead of the `SECP256R1` one).

Please add a configuration mechanism that allows the user to specify which groups should be included in key_share extension.

From gnutls-devel at lists.gnutls.org Tue May 13 16:49:03 2025
Date: Tue, 13 May 2025 14:49:03 +0000
Subject: [gnutls-devel] GnuTLS | lib/accelerated/x86/hmac-x86-ssse3.c: Add gnutls_free() to avoid memory leak (!1952)

Jiasheng Jiang created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1952

Project:Branches: JiashengJiang/gnutls:patch2 to gnutls/gnutls:master
Author: Jiasheng Jiang

* lib/accelerated/x86/hmac-x86-ssse3.c: Add gnutls_free() to avoid memory leak

Add gnutls_free() to free ctx if _hmac_ctx_init() fails to avoid memory leak.

Fixes: cbb9b17ff ("Added Appro's SSSE3 SHA implementations")
Signed-off-by: JiashengJiang

From gnutls-devel at lists.gnutls.org Tue May 13 16:52:35 2025
Date: Tue, 13 May 2025 14:52:35 +0000
Subject: [gnutls-devel] GnuTLS | lib/accelerated/x86/hmac-padlock.c: Add gnutls_free() to avoid memory leak (!1953)

Jiasheng Jiang created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1953

Project:Branches: JiashengJiang/gnutls:patch3 to gnutls/gnutls:master
Author: Jiasheng Jiang

* lib/accelerated/x86/hmac-padlock.c: Add gnutls_free() to avoid memory leak

Add gnutls_free() to free ctx if _hmac_ctx_init() fails to avoid memory leak.

Fixes: 38a089b67 ("Updates for padlock hashes in C7 nano.
Requires a part of nettle to be included.")
Signed-off-by: JiashengJiang

From gnutls-devel at lists.gnutls.org Tue May 13 17:56:54 2025
Date: Tue, 13 May 2025 15:56:54 +0000
Subject: [gnutls-devel] GnuTLS | lib/x509/x509_ext.c: Add gnutls_free() to avoid memory leak (!1954)

Jiasheng Jiang created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1954

Project:Branches: JiashengJiang/gnutls:patch4 to gnutls/gnutls:master
Author: Jiasheng Jiang

* lib/x509/x509_ext.c: Add gnutls_free() to avoid memory leak

Add gnutls_free() to free ooc if subject_alt_names_set() fails to avoid memory leak.

Fixes: 2bd323f72 ("Added new API to handle X.509 extensions.")
Signed-off-by: JiashengJiang

From gnutls-devel at lists.gnutls.org Tue May 13 19:25:54 2025
Date: Tue, 13 May 2025 17:25:54 +0000
Subject: [gnutls-devel] GnuTLS | lib/hello_ext.c: Add gnutls_free() to avoid memory leak (!1955)

Jiasheng Jiang created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1955

Project:Branches: JiashengJiang/gnutls:patch5 to gnutls/gnutls:master
Author: Jiasheng Jiang

* lib/hello_ext.c: Add gnutls_free() to avoid memory leak

Add gnutls_free() to free tmp_mod.name in the error handling to avoid memory leak.

Fixes: 5bba569b4 ("gnutls_session_ext_register: keep track of extension name")
Signed-off-by: JiashengJiang

From gnutls-devel at lists.gnutls.org Tue May 13 19:51:13 2025
Date: Tue, 13 May 2025 17:51:13 +0000
Subject: [gnutls-devel] GnuTLS | lib/ext/srp.c: Add gnutls_free() to avoid memory leak (!1956)

Jiasheng Jiang created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1956

Project:Branches: JiashengJiang/gnutls:patch6 to gnutls/gnutls:master
Author: Jiasheng Jiang

* lib/ext/srp.c: Add gnutls_free() to avoid memory leak

Add gnutls_free() to free priv->username if the allocation of priv->password fails to avoid memory leak.
Moreover, replace "return" with "goto" to avoid memory leak.

Fixes: a1a154223 ("Fixes and memory leak elimination in SRP authentication.")
Signed-off-by: JiashengJiang

From gnutls-devel at lists.gnutls.org Wed May 14 09:51:29 2025
Date: Wed, 14 May 2025 07:51:29 +0000
Subject: [gnutls-devel] GnuTLS | Add configuration option for certificate compression algorithms (!1950)

Merge request !1950 was approved by Daiki Ueno

Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1950
Project:Branches: ZoltanFridrich/gnutls:zfridric_devel2 to gnutls/gnutls:master
Author: Zoltán Fridrich
Assignee: Zoltán Fridrich
Reviewer: Daiki Ueno

From gnutls-devel at lists.gnutls.org Wed May 14 09:52:37 2025
Date: Wed, 14 May 2025 07:52:37 +0000
Subject: [gnutls-devel] GnuTLS | Add configuration option for certificate compression algorithms (!1950)

Daiki Ueno commented: https://gitlab.com/gnutls/gnutls/-/merge_requests/1950#note_2503119174

Thank you; it looks great!

From gnutls-devel at lists.gnutls.org Wed May 14 10:27:28 2025
Date: Wed, 14 May 2025 08:27:28 +0000
Subject: [gnutls-devel] GnuTLS | Add configuration option for certificate compression algorithms (!1950)

Merge request !1950 was merged

Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1950
Project:Branches: ZoltanFridrich/gnutls:zfridric_devel2 to gnutls/gnutls:master
Author: Zoltán Fridrich
Assignee: Zoltán Fridrich
Reviewer: Daiki Ueno

From gnutls-devel at lists.gnutls.org Thu May 15 07:17:51 2025
Date: Thu, 15 May 2025 05:17:51 +0000
Subject: [gnutls-devel] GnuTLS | GnuTLS incorrectly accepts certificates with mismatched Common Name (CN) during TLS handshake (#1711)

Jennifer-first created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1711

## Description of problem:

During testing of GnuTLS certificate verification, we observed that gnutls-cli accepts a server certificate whose Common Name (CN) does not match the hostname of the server it connects to (localhost). This may allow a Man-in-the-Middle (MitM) attack if hostname verification is improperly implemented or omitted. [deepseek.py](/uploads/932d7a897a12f310fb2e45e8be4d59f0/deepseek.py)

## Version of gnutls used:

gnutls 3.7.3

## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)

Ubuntu

## How reproducible:

Steps to Reproduce:

* one:python3 deepseek.py

## Actual results:

The connection succeeds and the certificate is accepted, even though the Common Name does not match the hostname. This behavior may indicate that hostname verification is either missing or not enabled by default.

![image](/uploads/f0bc9d81c4a82db00bc1d51846424854/image.png)

## Expected results:

GnuTLS should reject the certificate because the CN in the server certificate (WrongServer) does not match the target hostname (localhost).

From gnutls-devel at lists.gnutls.org Thu May 15 10:52:43 2025
Date: Thu, 15 May 2025 08:52:43 +0000
Subject: [gnutls-devel] GnuTLS | GnuTLS incorrectly accepts certificates with mismatched Common Name (CN) during TLS handshake (#1711)

Issue was closed by Alexander Sosedkin

Issue #1711: https://gitlab.com/gnutls/gnutls/-/issues/1711

From gnutls-devel at lists.gnutls.org Thu May 15 10:52:44 2025
Date: Thu, 15 May 2025 08:52:44 +0000
Subject: [gnutls-devel] GnuTLS | GnuTLS incorrectly accepts certificates with mismatched Common Name (CN) during TLS handshake (#1711)

Alexander Sosedkin commented: https://gitlab.com/gnutls/gnutls/-/issues/1711#note_2506061901

> This may allow a Man-in-the-Middle (MitM) attack if hostname verification is improperly implemented or omitted.

Were the reality any bit as apocalyptic as you paint it, you should've then marked the report as security sensitive.

> deepseek.py

This is not the first time when your alleged reproducer is a python script that's effectively just a series of subprocess.run() invocations. Just write shell scripts.

> The connection succeeds and the certificate is accepted

No, it just plain does not. The connection fails with

```
- Status: The certificate is NOT trusted. The signature in the certificate is invalid. The name in the certificate does not match the expected.
*** PKI verification of server certificate failed...
*** Fatal error: Error in the certificate.
* Received alert '42': Certificate is bad.
Error in handshake: A TLS fatal alert has been received.
```

Tested on RHEL 8, RHEL 9, RHEL 10, Fedora 42, Ubuntu 24.04 (gnutls 3.8.3) and Ubuntu 22.04 (gnutls 3.7.3), which is three years old at this point.

Why are you looking for `Verification failed` is beyond me. Why are you looking for it in stdout instead of stderr is beyond me. Why do you jump to conclusions that the connection has been established is beyond me.

And if your report and/or your alleged reproducer has been generated by an LLM, in full or in part, please just stop doing whatever you're doing and never do that again.

This is not your first frivolous report. Please kindly abstain from reporting non-issues.

From gnutls-devel at lists.gnutls.org Thu May 15 12:45:23 2025
Date: Thu, 15 May 2025 10:45:23 +0000
Subject: [gnutls-devel] GnuTLS | GnuTLS incorrectly accepts certificates with mismatched Common Name (CN) during TLS handshake (#1711)

Simon Josefsson commented on a discussion: https://gitlab.com/gnutls/gnutls/-/issues/1711#note_2506423768

Indeed this looks like AI slop -- I reported the user as sending 'spam' with a comment this is AI slop, I'm not sure GitLab.Com cares about this abuse or not but maybe they should. This wastes real engineering time, thanks for a good reply!
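
An added example, not part of the thread or of GnuTLS: a shell helper that classifies one `gnutls-cli` run from its exit status and both output streams, separating the local certificate rejection quoted in the #1711 reply from a peer alert like the one in #1708. The function names and verdict strings are hypothetical, the matched lines are the ones quoted in the thread, and the `connected-unverified` case assumes that a run with `--insecure` can exit 0 while still printing the NOT-trusted status line.

```shell
#!/bin/sh
# Added example: classify one gnutls-cli run. Function names and verdict
# strings are this example's own, not part of GnuTLS.

# classify_tls_attempt RC STDOUT_FILE STDERR_FILE -> prints one verdict
classify_tls_attempt() {
    rc=$1
    # Merge the streams: do not assume which one a diagnostic lands on.
    all=$(cat "$2" "$3")

    # Result of the client's own certificate check, using the lines quoted
    # in the #1711 reply.
    untrusted=no
    case $all in
        *"The certificate is NOT trusted"*|*"PKI verification of server certificate failed"*)
            untrusted=yes ;;
    esac

    if [ "$rc" -eq 0 ]; then
        # Assumption: with --insecure the run can exit 0 while still printing
        # the NOT-trusted status line, so exit 0 alone does not prove that
        # the certificate was verified.
        if [ "$untrusted" = yes ]; then
            echo "connected-unverified"
        else
            echo "connected"
        fi
        return 0
    fi

    if [ "$untrusted" = yes ]; then
        echo "rejected-by-client"
        return 0
    fi

    # Alert sent by the peer, in the "*** Received alert [40]: ..." form
    # shown in #1708. The client only relays it; the cause is on the server.
    alert=$(printf '%s\n' "$all" |
        sed -n 's/^\*\*\* Received alert \[\([0-9][0-9]*\)].*/\1/p' | head -n 1)
    if [ -n "$alert" ]; then
        echo "peer-alert-$alert"
        return 0
    fi

    echo "failed-other"
}

# run_and_classify HOST PORT: live run (needs gnutls-cli and a reachable server).
run_and_classify() {
    out=$(mktemp) && err=$(mktemp) || return 1
    rc=0
    # stdin is closed so the client exits once the handshake is done.
    gnutls-cli --port "$2" "$1" </dev/null >"$out" 2>"$err" || rc=$?
    classify_tls_attempt "$rc" "$out" "$err"
    rm -f "$out" "$err"
}

# Run against a real server only when HOST and PORT are given.
if [ "$#" -eq 2 ]; then
    run_and_classify "$1" "$2"
fi
```
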

From gnutls-devel at lists.gnutls.org Thu May 15 13:31:05 2025
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Thu, 15 May 2025 11:31:05 +0000
Subject: [gnutls-devel] GnuTLS | Support specifying groups to send in key_share extension (#1710)

Daiki Ueno commented: https://gitlab.com/gnutls/gnutls/-/issues/1710#note_2506541296

I think the current behavior, that is to pick 2 or 3 from each "class" of crypto algorithms (EC, DH, RSA, or PQ/T), is sufficient for now, and adding flexibility of choosing key_share algorithms in parallel with supported_groups would complicate the configuration. Could you perhaps provide a rationale, why we need the further flexibility?

From gnutls-devel at lists.gnutls.org Sat May 17 15:35:28 2025
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sat, 17 May 2025 13:35:28 +0000
Subject: [gnutls-devel] GnuTLS | lib/accelerated/x86/sha-padlock.c: Free ctx on error to avoid memory leak (!1957)

Jiasheng Jiang created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1957

Project:Branches: JiashengJiang/gnutls:patch7 to gnutls/gnutls:master
Author: Jiasheng Jiang

* lib/accelerated/x86/sha-padlock.c: Free ctx on error to avoid memory leak

Call gnutls_free() to release ctx if _ctx_init() fails, preventing a memory leak.
Fixes: 38a089b67 ("Updates for padlock hashes in C7 nano. Requires a part of nettle to be included.")
Signed-off-by: JiashengJiang

## Checklist
* [ ] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [ ] Code modified for feature
* [ ] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
* [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:
* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

From gnutls-devel at lists.gnutls.org Sat May 17 15:56:41 2025
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sat, 17 May 2025 13:56:41 +0000
Subject: [gnutls-devel] GnuTLS | tests/x509-cert-callback-ocsp.c: Free p and certs on error to avoid memory leak (!1958)

Jiasheng Jiang created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1958

Project:Branches: JiashengJiang/gnutls:patch8 to gnutls/gnutls:master
Author: Jiasheng Jiang

* tests/x509-cert-callback-ocsp.c: Free p and certs on error to avoid memory leak

Call gnutls_free() to release p and certs on error, preventing a memory leak.
Fixes: db486d97c ("tests: enhanced OCSP tests")
Signed-off-by: JiashengJiang

## Checklist
* [ ] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [ ] Code modified for feature
* [ ] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
* [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:
* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

From gnutls-devel at lists.gnutls.org Sat May 17 16:00:38 2025
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sat, 17 May 2025 14:00:38 +0000
Subject: [gnutls-devel] GnuTLS | lib/accelerated/x86/sha-x86-ssse3.c: Free ctx on error to avoid memory leak (!1959)

Jiasheng Jiang created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1959

Project:Branches: JiashengJiang/gnutls:patch9 to gnutls/gnutls:master
Author: Jiasheng Jiang

* lib/accelerated/x86/sha-x86-ssse3.c: Free ctx on error to avoid memory leak

Call gnutls_free() to release ctx if _ctx_init() fails, preventing a memory leak.
Fixes: cbb9b17ff ("Added Appro's SSSE3 SHA implementations")
Signed-off-by: JiashengJiang

## Checklist
* [ ] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [ ] Code modified for feature
* [ ] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
* [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:
* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

From gnutls-devel at lists.gnutls.org Sat May 17 16:21:49 2025
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sat, 17 May 2025 14:21:49 +0000
Subject: [gnutls-devel] GnuTLS | tests/x509-cert-callback.c: Free p and certs on error to avoid memory leak (!1960)

Jiasheng Jiang created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1960

Project:Branches: JiashengJiang/gnutls:patch10 to gnutls/gnutls:master
Author: Jiasheng Jiang

* tests/x509-cert-callback.c: Free p and certs on error to avoid memory leak

Call gnutls_free() to release p and certs on error, preventing a memory leak.
Fixes: ed02ed050 ("tests: added check with X.509 certificates and callbacks")
Signed-off-by: JiashengJiang

## Checklist
* [ ] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [ ] Code modified for feature
* [ ] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
* [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:
* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

From gnutls-devel at lists.gnutls.org Sat May 17 16:23:40 2025
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sat, 17 May 2025 14:23:40 +0000
Subject: [gnutls-devel] GnuTLS | lib/accelerated/x86/sha-x86-ssse3.c: Free ctx on error to avoid memory leak (!1961)

Jiasheng Jiang created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1961

Project:Branches: JiashengJiang/gnutls:patch11 to gnutls/gnutls:master
Author: Jiasheng Jiang

* lib/accelerated/x86/sha-x86-ssse3.c: Free ctx on error to avoid memory leak

Call gnutls_free() to release ctx if _ctx_init() fails, preventing a memory leak.
Fixes: 0be469e51 ("Imported Andy Polyakov's implementations for SHA* in aarch64")
Signed-off-by: JiashengJiang

## Checklist
* [ ] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [ ] Code modified for feature
* [ ] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
* [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:
* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

From gnutls-devel at lists.gnutls.org Sat May 17 16:29:40 2025
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sat, 17 May 2025 14:29:40 +0000
Subject: [gnutls-devel] GnuTLS | lib/pk.c: Free tmp_output on error to avoid memory leak (!1962)

Jiasheng Jiang created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1962

Project:Branches: JiashengJiang/gnutls:patch12 to gnutls/gnutls:master
Author: Jiasheng Jiang

* lib/pk.c: Free tmp_output on error to avoid memory leak

Call gnutls_free() to release tmp_output if asn1_der_coding() fails, preventing memory leak.
Fixes: 6f9bfaac9 ("Use the PKCS #1 1.5 encoding provided by nettle (2.5) for encryption and signatures.")
Signed-off-by: JiashengJiang

## Checklist
* [ ] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [ ] Code modified for feature
* [ ] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
* [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:
* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

From gnutls-devel at lists.gnutls.org Sat May 17 16:33:43 2025
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sat, 17 May 2025 14:33:43 +0000
Subject: [gnutls-devel] GnuTLS | src/danetool.c: Free str on error to avoid memory leak (!1963)

Jiasheng Jiang created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1963

Project:Branches: JiashengJiang/gnutls:patch13 to gnutls/gnutls:master
Author: Jiasheng Jiang

* src/danetool.c: Free str on error to avoid memory leak

Call gnutls_free() to release str if gnutls_hex_encode() fails, preventing memory leak.
Fixes: ead5d40a4 ("danetool: added option to print the raw entries.")
Signed-off-by: JiashengJiang

## Checklist
* [ ] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [ ] Code modified for feature
* [ ] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
* [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:
* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

From gnutls-devel at lists.gnutls.org Mon May 19 07:50:53 2025
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Mon, 19 May 2025 05:50:53 +0000
Subject: [gnutls-devel] GnuTLS | scripts: Use /usr/bin/env for more portable shebangs. (!1964)

Maxim Cournoyer created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1964

Project:Branches: apteryks/gnutls:portability-improvements to gnutls/gnutls:master
Author: Maxim Cournoyer

This is the same as https://gitlab.com/gnutls/gnutls/-/merge_requests/1931 (now closed), rebased and with the `guix.scm` file addition dropped (I may submit it for consideration separately).

* tests: Remove dependency on `which' command.
* tests: Lookup softhsm tools from PATH.
* bootstrap: Invoke gnulib-tool script via 'sh'.
* Makefile.am: Hint at libdane requirement for distcheck target.
* scripts: Use /usr/bin/env for more portable shebangs.

## Checklist
* [x] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [x] Code modified for feature
* [ ] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
* [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:
* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

From gnutls-devel at lists.gnutls.org Tue May 20 10:10:14 2025
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Tue, 20 May 2025 08:10:14 +0000
Subject: [gnutls-devel] GnuTLS | scripts: Use /usr/bin/env for more portable shebangs. (!1964)

Merge request !1964 was approved by Alexander Sosedkin

Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1964
Project:Branches: apteryks/gnutls:portability-improvements to gnutls/gnutls:master
Author: Maxim Cournoyer
Assignees:
Reviewers: