From gnutls-devel at lists.gnutls.org Wed Oct 1 06:58:48 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 01 Oct 2025 04:58:48 +0000 Subject: [gnutls-devel] GnuTLS | ktls: Expose gnutls_ktls_send_handshake_msg (!2022) References: Message-ID: Alistair Francis created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/2022 Project:Branches: alistair23/gnutls:alistair/ktls-msg to gnutls/gnutls:master Author: Alistair Francis The gnutls_ktls_send_handshake_msg() is used as the handshake read function when using kTLS. We also need to use the function in ktls-utis when handling a KeyUpdate with tlshd, so let's expose the function publicly so ktls-utils can set it with gnutls_handshake_set_read_function(). ## Checklist * [X] Commits have `Signed-off-by:` with name/author being identical to the commit author * [X] Code modified for feature * [ ] Test suite updated with functionality tests * [ ] Test suite updated with negative tests * [X] Documentation updated / NEWS entry present (for non-trivial changes) ## Reviewer's checklist: * [ ] Any issues marked for closing are addressed * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md` * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/2022 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Oct 2 01:04:34 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 01 Oct 2025 23:04:34 +0000 Subject: [gnutls-devel] GnuTLS | certtool says 'warning: signed using a broken signature algorithm that can be forged.' on cert signed with ML-DSA-44 (#1743) References: Message-ID: Stefan Berger created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1743 ## Description of problem: I modified swtpm EK certificate creation code to allow for a CA that has an ML-DSA-44 (or -87) signing key. It looked like the only choice for a hash algorithm was SHAKE-256. The created certificate shows a warning : ``` $ certtool --inder --infile /tmp/ek-secp384r1.crt -i [...] Signature Algorithm: ML-DSA-87 warning: signed using a broken signature algorithm that can be forged. Signature: [...] ``` My guess is it has something to do with slevel = _INSECURE here: ``` 484 if (se->hash != GNUTLS_DIG_UNKNOWN && (gdb) print *se $1 = {name = 0x7ffff7dd90b3 "ML-DSA-87", oid = 0x7ffff7dd90bd "2.16.840.1.101.3.4.3.19", id = GNUTLS_SIGN_MLDSA87, pk = GNUTLS_PK_MLDSA87, hash = GNUTLS_DIG_SHAKE_256, priv_pk = GNUTLS_PK_UNKNOWN, cert_pk = GNUTLS_PK_UNKNOWN, flags = 5, curve = GNUTLS_ECC_CURVE_INVALID, aid = { id = "\t\006", tls_sem = 4 '\004'}, slevel = _INSECURE, hash_output_size = 256} ``` Which part is 'insecure'? ## Version of gnutls used: gnutls-3.8.10-1.fc42.x86_64 ## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL) Fedora 42 ## How reproducible: Here's the base64 encoded cert: ``` MIIT3TCCAbSgAwIBAgIJAP2qqFDaISdNMAsGCWCGSAFlAwQDEzAYMRYwFAYDVQQDEw1zd3RwbS1s b2NhbGNhMCAXDTI1MTAwMTIyNTkwNVoYDzk5OTkxMjMxMjM1OTU5WjASMRAwDgYDVQQDEwd1bmtu b3duMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEuKwHRDSlJUcegInn8iu8mWVIF8BKIJq3UANssftS ryorhfoMDxTBM+vwFGZSRGCDwhObGeOW8UOZS4et+kAnNkzvT9yWv61PXfEPjWEalE+2espvwMU9 dJhQd2aaqcs2o4HMMIHJMBAGA1UdJQQJMAcGBWeBBQgBMFIGA1UdEQEB/wRIMEakRDBCMRYwFAYF Z4EFAgEMC2lkOjAwMDAxMDE0MRAwDgYFZ4EFAgIMBXN3dHBtMRYwFAYFZ4EFAgMMC2lkOjIwMjQw MTI1MAwGA1UdEwEB/wQCMAAwIgYDVR0JBBswGTAXBgVngQUCEDEOMAwMAzIuMAIBAAICALcwHwYD VR0jBBgwFoAULyUrqYRv9I44sIyh4eww3rZAi5YwDgYDVR0PAQH/BAQDAgMIMAsGCWCGSAFlAwQD EwOCEhQAFlqS+YIw2ezNE+JUGm1eOMGGHeDGq8ifz2QPspzEZywUJ1BnbEhVbW6IiS/XSeo7Pc7E Cgcba5cxqa2OHKn1ZWUENFGlt7BIuz2YhXwBrzPSaYuzgXnKFPovwXFry4Uz5Oi3fbRhT7hJKNdt VvGM5cBRU+L86IjeYPv7PQSh/oX6mgi1Cwg/Ti6DkTQQMuUsBnRxBuFvlZp5XtlQA+PgmvYaVIAI N6gsYmbmJxCHrubm+YJ3tjr0VZUmMBfiHJzmxb+gB5ZLeQE+2zykp0TvF3cNv1cODr4dCJw9L8bs tyqmdp8j3BHs0mA5sIagqsFMz3ZOaFcvk1GZkQKQpqhEEVWuaVBuBUx8iBDkKzy76Y7AwuSU64Lo 10fhayXZDlua4Nb0uED8K6lT7PNw2bIl3tR6TRLUo3+liMe/rQ4V7oIkAPy8rsg8NaVvZDLX8STW InTO7SnQI4ekQqOL8hy+gUYQlA5bAgpa4tZqWeE2KMRI+9utSekDq5Fzkq5KgLVlxQyBmsjV1uGy eswOl3IpOxUE6lTZucEZADkjOuoKYXgfmJNJLdo/hUPBjQebfupgzuVCb/Tqy4V87IQw2IL/0xDN keJ3UdtGjHYY+Wd6ldGKyFU9Z20Hg4pGJ0rLhshVwHulA80zo4TkOOlXyY/XsBnrowGts9UwYXI2 CuA8D1C4yvR5A95JTaeLAkumrydYQxfX/QeAqR6qqJYLpU8lu2iRHYIdjXkM0Q6S6jseKU/2chp1 AnnIsZHFvjzF7loOJR7g4adOdI/pxSMo+OtbMkkPcAtkYNGhkZ0v+PC0PpN0npjzJ2xR9OAHo86k feuW1YZ7xz7raFT4EvXVivNdKWeESkDcgQXARN8btTBaeTaf8bc+ahUBYwvjfFb2i10bxx3brn1W alJ3ZpuqZp8zeEfebJfiY2gv/45GR3COZyJXc+8MdNN/rUDLlDIwyISIg7F6lcwalr42HWvI+ltb hMrOZEnbxT1V+v95Ob2qlm/IAwfjX9KyEsjz7q7bFDLbU13jQ9DD34UG2Y0r/8mtZBc3O53NHjV/ S3fC9g3el35voVsmoQelC+AcWJxUJXBOBYzvvGL1O+NVA4llsPxILHvo+wS3ep2ytq7ScH8hT+uI OjLf8yWDqjSSJJCHf7tYFV92uYlxbJAONDi4M/BWU+/tOr3E1A16XpUOco3xWXrMRvxCjqCucpxL 4BZoSd+1GHmQZPGaxaItMS/tZJT0EH+ivS1jxfP8glRkF/6ZWCpNTkzPaX+jQBjJNqu3plsz1mg0 SrUffMKjEMxAQ62tDAbVXbzKtS1/IwnBfAuhwAHZQKwOkb/gBN+eoz7/zmsELjDt593wifmSC53W psztyiTRMmaDQlLIpIUUT65bGkDW20IrOlJca7GUoP1Nufek+s0IkPO8Y85BPjLN49GAIlTrVnST dLmeePKFNyvN8lvttUSBSHNf1FaQYv3GvsbjweNteNGnxptvuCQeIBjf1d5n1EwESFkOFnPhqIk3 H0ZZOE85RdJEGZfyyS4XLC8Tao7JuGtm2P/lCDs7ms8g8MsXehmmJqgOEZHtFz8c4EAiDJiB4QwY MKEbA5HKodEXKkVuNPthiRHrQHJ7K3++wRk9ZFKhwryEt8o+itTG78Shu1CV9p4zDoCn/MHBLrGA j8QYgleGyagub82q3RGl4X8Tm/IWM5u/66jRPXHPl+id1krQGPE1lqiYlVY9+WiDWkWPLlXj/pOI OtkUo4v9s8riBiqKJ4iumiuq895x/n2I6QOmNhjPQ5ExjyAM5f/GMuz0YMAzlYgNk54A/BRkYgLn dbajtxbmFgS/AkQRrvdzQbB8KSsEGxED5pYb3c0kubX7xC/jPSFG2VF/ZJ6XjYRiqCqVMwggoPUV M6HtwFMDBMa0J5pnLH8vn5MhDg4yqD+cceLQhLbymU7FPKI5ATwu81rXJx1wKguRPH+kSNhjzb0p G8g1fKwZ/0OSl/Vrl3lUYigFhh6K1Je6/2MVmax9/1w+uHiAbRoVim8Ot+v47ImsyC9AvCIbnHHQ 4EMYW1dmhwJFoaU+Wx/6s6qA4FYNDHmzZlTjRrLQL8smcz0dwvwfaFR6itwD2VgY7hBp4ZW36os9 Pxn11mZ5PY9qYAx6XndnBzkw6fPQtnAdj+cF1OgkE7/IiXLTYvEMMLne5r78PIhF7qQ9LzAsOSH1 cwdyVeMb9kvxZPazzcdtPYm2jgf4V0DDv4NtX/uxeOQ9m9/rOBNhbVlqOZL7e89tBtxoh8+0ZHes OcI8nuhhwu7TZW8mDUNnDzMHbU+64+SxSkkJJbaHH5rGy8E2P4vlYPPL/XVHi6qYOdXoVOOFm6Dc ovDBtGFszH3kuOgrK/y5ZTXj+bMHGKTsy4KMOcHJ9W8I/tcR00iaZrhjG/jzsSEcPbyKhuVxnRRy qZdSI6rTx+NLtx40X+2ad6jW28FUpaeYRwbC2tTttR1vC0DrzHt3xHJGC3a4e93YvqJPydTqrWGX 6Bn/nXPS/UlHIvHGEHXI9V8+05LqJbeIa/i7nnejOZa+dYm5wV9Az1cXdjaKsNcDmLECsbfIXHJq lItN+oRxqWKlBlQyeF9XRxz7B7xBz+aMKGCxhEYuEImIS8B5Jj1fFuxrYUEcFWvX1ZekGeRTiaPk UXhXWz+0OtidboBiPKCoGgm7bWV42UY/V4MwJfXBijZPHyjdq/iDrD0H1J0wb2C3CSPZf/nmh2sW r7yBfRU3q43WDszNarOIe6IO19RngfCnIjFX8L6GPeUiHOUdsEFUjNQUACo/ihwsRx3GARrtEZ/D Ewqv1Az0RzAaeZW1h2036nW6pjGMAjonLLZozHbYSzEsUElDwVtQmIaeyS5ODux6DrhnkMYeWhrY AY63CeVSKNh9XAeSqIsUDLrZ6A0DNXZF6a2hAWIEiCuLEuUUsEZBMc3IvMoHtCe0GZXX7e05kTcQ FNFJK2DKbwvA+iqPA6hxS/yXnGe84/Ts3tOyB5eDvGodSrwxzfvnsr613FfsYYb9UDGyDGSNcIQl 4oPqesYn3hVvU7a2Ad5NUWacX3cuBkCVucRdkH6Eu8vzezB5Y27mMdSs77hqeV4N1wcibThrhqFh ZbDMZsMjXuvdRJZqAd6droHgh4cma0drbmjNYLGDe0ivejYc65ZIP6YTDXpuJ+22Zo0hH+2twDhf hyK8m+iy9iU31mxWsNFl1BnsWtur5ay9Fi/YYj8GVKE77Sh+97PPCh4EOxHaELGEYCOJ3AQnxYIF j6cqEA8rrCNdsyJWna4jqUu5Q79Q3rjkdsbqsJGF0YVhVypiHNnYSCmrVBSLXbZm0SXWBYfrsuvg dCMlgS2skJym3rmus7cTQ6P+3jVdwwjspQydGGowWWgF/UT0U8Ss+4tl+7YHPlHn8cdy5yazJXNO ujhhBanP7rN5NHXs9uZfTnn7FiGfYfEloSzNxDIhfgudkNcgUfsZG/j+2nyxSpKfCQGTyTHla1Zr RoaAvW1AT3nAOTUfr+mnuH0r0BrDyIkzp7LHeMKhfdHNU44k9ABQt97oP7eyFkzBb/SMkBZ1fKtP ASHmOO+JFrHaNDNssPIhoASF7rlzM4YxxJ2SXmSujCXCpqc3w8+3N1caf9fq7CVheJNyRLFgqPef 5bWQs1Kh8whbOwsVEPg95TnJM0SOoF7Bvzpskvmph82chI6W18PaecgG8lgkqXluHYV4EXkRKhcu VVU8Y5PillU2FSkmOxuQp9+h1DfkgpeKZMroWev7vAH5+0ltb635hZctFJxwp0sqgSRO6ufjnlhF erk6C6H/xR5PhTPyRks8qHJUSBHSo0v2m+7gxIh/aSganqS+0nDoXTZKw/lQDBANWY44xwvy8HJ+ grTDVCkJAFqitJWB5M/yyqG1h0LjU6X8yN432fjMml3+X1METCDVeOA6DBx+Y7awJWXHuCAaHOwb Fu7wPWpshP7Fz+Qg0K+OZf0ek7s69bEFxDGVw+FzVo9EdEIsRD6vsni3UPB8xUiMnba4vPmyRHPH DO8GD/0HI6ZBRBXmTObGjXiOsi5Rh2CDVA3tSRR5FlarLcyx/vQZB/1pRezhHyDu/HM0dqKBvyEj naFbO6+p3DDB7V96NMqL3PpwAZw6RGxfPjJMN3uS109D1kyVkTN3c8vLLn0qepLYGEsuAV4zrVxE U2HHNPAlD4QB4cBTxS0YjrlScYUoLhOTkXXe9pAUR6XgvBNlkzEqFbHPfR60QgYfRXoUJ7vJ5yQx fe5p83p+i+xWNYKLfP5Zidmz0aKnLYtfA0gJXwuEcLE1sE92R7esIMNkygNHNfK3sWlzfMajPwPC vIJ+pc6mGVgnacxI6TTZnuqRXEbTJPBYf5qF/h9hBK8K14qrf9/Jp7Ii8jA2V0bhm7i/RWsl/+3W hM6jRUBiTw0WM2MqaMFhP5bR8ocDrjVAOjaf+N3230yFgABRxAaCaxOGDHLaxFr0ypP7OindrOkq +72QZFrRJJUDP7ahf6pNS8z0FCstEPYhaChZZ0bk497MTqzDtuugPyiMApMXLvExS71j+WPDofwa W8k9ZPF2iB+uj50nkYRtK3vxIt8+qPuxCcQqruQJXWBhQj3X2gep2JO2fvIth5RiQ0c52yLvviBo oTpXyESZZsVBfhgNx2JWfXjmQeADZsGl4ilKqa/OM7xwSqqJzGkyd26h8v8lH/QgRIJeNssUHIsO dVi5hc5/Hm8c7XXHr1199oHexRT7pPb3g8l2W5xpmpDFWMd/rIOO9tm7nfnUP2jr55yGmuWPMIWq Ybfnn/Ha8wAHGlaA7R1cpgGkrxG5en5mL0BiHlW7gRTEo4YmcbDnb2gIwlTzyEFJ5VKVPX2bzLpG Bez5wKzuy79AQMFB9PYecBlkel6nzwijrXGMT+TfAFVMFQAL96BHhO05PRj7yfnWabwXHceRktUR XvSK+llNRNfrM/dnRfLF1T//CmOWooBfDocDjuVemRSyVtZJJ6z01b30zPBmPSbosDK+aDsSLuaL spm9jeXsYbv2wxjG9dk8Hac7MFPMwmO6llV6VMJgsTVEksLDATI7eVVcjTEjWiTDO1UfG3n8mfPk S6ZjIJUN+AlVTPVl7FI8sOj8Tkc8Li2pVubu4krnlJnYQiISLd4rvM+Ws76JaMOLaiLDCZPcIl2i zDGgXojMgcifbt+WUy+dwgvOdmXw5GesUssP4Jxph1c4fT0TCBrhqgdfqCUiZfFWnK6v7sc4o4L4 +31Rqq5HRGkZ4IBrgsYypsBtHcisZZavwUbGJtBj+pQWEtOr9H6dKeONf5NMrTIQBwe56kIRoyJa On5SjKk3ijlgNLuR5rcb7LxQxlDeQysy6wg/wKRO4hwVdF5V+NTkw2DcYiB26Ue1RYQRlo6aD44r 0d2b866+k+jN0qndBjFpYvQwKK1sv7hnv5jaRWc0Qtp252o7wsoOpDC12yaJx4f/7ALDg67ch+Om Aj2BitUMzZSd05yXlQi6xn5wgVWESFkysYnxsxYFLo1X+rNTUG87CziguuSfgihDKeU2ilsxQa6W C7KKMj8TEuEl9Gz2xHLd4Hddw5N0IVFv0bWrHtEtJOujl0RAYu0JpngPcUylunIvqoXps11zU4Dt slBuFiaF0WFnlGWHjyb0zE0VUL6EKYFmNxCrVDHMjCTlRZISJw8dli5CE5XRNq9d5sDQG3yW4aF0 NaMB3y0YRxGj1je6oJAbpcq6hL6kXXRj3i+XrjzPO24E9lgX6/raGxk+9OyWGB9JFYKmji7b/60F +Uu3EHeKMlXcBhGRVGc4+OYWiu12gXNnbSE85u/LnTNIPh1lUKY24vCmItJmWJCfKgj3G7l1tcT/ MUakK1PFFZsK4AawfuHzB9Hq0ir+2B63vT79Engi9xLBfiV5CDVmTZl0sJtN/sFjbxsMSNZkjWHo fRlCMli6RFajd+GOkGszNdpRKHHGLlvfwt9TeMEBNeNrViYQc5hbL+tp5eIPj5D1tYEWE7VD+Evo H44mHb9YFXyfZe9cwvLetjtBBmnkKBMueNPNwcRetqre5xkBTIbuRhi8j1mo/9FSd4DE2fEPEiUn j6Xz+ViXmKO2ztnjGifg8fMNcYH1Glo4i46509r+HSxHcXOLmrvW/QAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAGDhYbHyEoMg== ``` ## Expected results: It shouldn't display the warning. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1743 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Oct 2 17:16:57 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Thu, 02 Oct 2025 15:16:57 +0000 Subject: [gnutls-devel] GnuTLS | x509: Remove extraneous asn1_delete (!2023) References: Message-ID: Samuel Zeter created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/2023 Project:Branches: szeter/gnutls:fix-prvk-pkcs8 to gnutls/gnutls:master Author: Samuel Zeter * x509: Remove extraneous asn1_delete No need for deletion given we already call asn1_delete_structure2. Signed-off-by: Samuel Zeter ## Checklist * [x] Commits have `Signed-off-by:` with name/author being identical to the commit author * [ ] Code modified for feature * [ ] Test suite updated with functionality tests * [ ] Test suite updated with negative tests * [ ] Documentation updated / NEWS entry present (for non-trivial changes) ## Reviewer's checklist: * [ ] Any issues marked for closing are addressed * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md` * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/2023 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Oct 2 17:45:58 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Thu, 02 Oct 2025 15:45:58 +0000 Subject: [gnutls-devel] GnuTLS | gnutls-cli reports bad values for the "Ephemeral EC Diffie-Hellman parameters" with hybrid ML-KEM (#1725) In-Reply-To: References: Message-ID: Samuel Zeter commented: https://gitlab.com/gnutls/gnutls/-/issues/1725#note_2794028032 I tried to reproduce this issue but got stuck trying with the handshake. I built gnutls with leancrypto, but not sure of what gnutls-serv options I should be putting as `./gnutls-serv --http --priority "NORMAL:+GROUP-X25519-MLKEM768" -g` didn't work. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1725#note_2794028032 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Oct 3 09:59:17 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 03 Oct 2025 07:59:17 +0000 Subject: [gnutls-devel] GnuTLS | x509: Remove extraneous asn1_delete (!2023) In-Reply-To: References: Message-ID: Merge request !2023 was approved by Daiki Ueno Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/2023 Project:Branches: szeter/gnutls:fix-prvk-pkcs8 to gnutls/gnutls:master Author: Samuel Zeter Assignees: Reviewers: -- You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Oct 3 09:59:29 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 03 Oct 2025 07:59:29 +0000 Subject: [gnutls-devel] GnuTLS | x509: Remove extraneous asn1_delete (!2023) In-Reply-To: References: Message-ID: Daiki Ueno commented: https://gitlab.com/gnutls/gnutls/-/merge_requests/2023#note_2795386431 LGTM, thank you for spotting this. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/2023#note_2795386431 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Oct 3 10:44:53 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 03 Oct 2025 08:44:53 +0000 Subject: [gnutls-devel] GnuTLS | record: Allow setting/restoring all record state (!1968) In-Reply-To: References: Message-ID: Daiki Ueno commented: https://gitlab.com/gnutls/gnutls/-/merge_requests/1968#note_2795477609 As for this and other MRs (!2021 and !2022), to get them merged I would probably need to have a better understanding of how NVMe-TCP works through ktls-utils. Would it be possible for you to point me to any design document or implementation? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1968#note_2795477609 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Oct 3 11:42:33 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 03 Oct 2025 09:42:33 +0000 Subject: [gnutls-devel] GnuTLS | certtool says 'warning: signed using a broken signature algorithm that can be forged.' on cert signed with ML-DSA-44 or -87 (#1743) In-Reply-To: References: Message-ID: Daiki Ueno commented: https://gitlab.com/gnutls/gnutls/-/issues/1743#note_2795629985 I suspect this is an issue in the crypto-policies package in Fedora 42, as we had a similar [issue](https://issues.redhat.com/browse/RHEL-107471) on RHEL-10. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1743#note_2795629985 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Oct 3 12:37:17 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 03 Oct 2025 10:37:17 +0000 Subject: [gnutls-devel] GnuTLS | record: Allow setting/restoring all record state (!1968) In-Reply-To: References: Message-ID: Alistair Francis commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/1968#note_2795758494 The ktls-utils (tlshd) patches have been submitted here: https://lore.kernel.org/kernel-tls-handshake/CAKmqyKNpFhPtM8HAkgRMKQA8_N7AgoeqaSTe2=0spPnb+Oz2ng at mail.gmail.com/T/#mb277f5c998282666d0f41cc02f4abf516fcc4e9c [Patch 8](https://lore.kernel.org/kernel-tls-handshake/CAKmqyKNpFhPtM8HAkgRMKQA8_N7AgoeqaSTe2=0spPnb+Oz2ng at mail.gmail.com/T/#m0997645cdedfaf832d02c91e05e47cfc64d8794a) is the main implementation -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1968#note_2795758494 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Oct 3 13:45:04 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 03 Oct 2025 11:45:04 +0000 Subject: [gnutls-devel] GnuTLS | certtool says 'warning: signed using a broken signature algorithm that can be forged.' on cert signed with ML-DSA-44 or -87 (#1743) In-Reply-To: References: Message-ID: Stefan Berger commented: https://gitlab.com/gnutls/gnutls/-/issues/1743#note_2795893901 Yes, it looks like there's no entry with ML-DSA in secure-sig-for-cert in the gnutls.txt files. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1743#note_2795893901 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Oct 3 13:45:03 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 03 Oct 2025 11:45:03 +0000 Subject: [gnutls-devel] GnuTLS | certtool says 'warning: signed using a broken signature algorithm that can be forged.' on cert signed with ML-DSA-44 or -87 (#1743) In-Reply-To: References: Message-ID: Issue was closed by Stefan Berger Issue #1743: https://gitlab.com/gnutls/gnutls/-/issues/1743 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1743 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Oct 6 06:33:29 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Mon, 06 Oct 2025 04:33:29 +0000 Subject: [gnutls-devel] GnuTLS | lib/nettle/int/drbg-aes-self-test: Replace free() with gnutls_free() (!2024) References: Message-ID: Daiki Ueno created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/2024 Project:Branches: dueno/gnutls:wip/purdue-university1/gnutls-free to gnutls/gnutls:master Author: Daiki Ueno This is a clone of !2012 to pacify the CI. * lib/nettle/int/drbg-aes-self-test: Replace free() with gnutls_free() Replace free() with gnutls_free() for consistent memory deallocation. Fixes: 1421e31ff ("Added DRBG submitted to nettle in gnutls.") ## Checklist * [x] Commits have `Signed-off-by:` with name/author being identical to the commit author * [ ] Code modified for feature * [ ] Test suite updated with functionality tests * [ ] Test suite updated with negative tests * [ ] Documentation updated / NEWS entry present (for non-trivial changes) ## Reviewer's checklist: * [ ] Any issues marked for closing are addressed * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md` * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/2024 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Oct 6 06:33:50 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Mon, 06 Oct 2025 04:33:50 +0000 Subject: [gnutls-devel] GnuTLS | lib/nettle/int/drbg-aes-self-test: Replace free() with gnutls_free() (!2012) In-Reply-To: References: Message-ID: All discussions on merge request !2012 were resolved by Daiki Ueno https://gitlab.com/gnutls/gnutls/-/merge_requests/2012 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/2012 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Oct 6 06:34:17 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Mon, 06 Oct 2025 04:34:17 +0000 Subject: [gnutls-devel] GnuTLS | lib/nettle/int/drbg-aes-self-test: Replace free() with gnutls_free() (!2012) In-Reply-To: References: Message-ID: Merge request !2012 was closed by Daiki Ueno Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/2012 Project:Branches: purdue-university1/gnutls:patch30 to gnutls/gnutls:master Author: Jiasheng Jiang Assignees: Reviewers: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/2012 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Oct 6 06:34:23 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Mon, 06 Oct 2025 04:34:23 +0000 Subject: [gnutls-devel] GnuTLS | lib/nettle/int/drbg-aes-self-test: Replace free() with gnutls_free() (!2012) In-Reply-To: References: Message-ID: Daiki Ueno commented: https://gitlab.com/gnutls/gnutls/-/merge_requests/2012#note_2799864901 Cloned as !2024 for CI purposes. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/2012#note_2799864901 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Oct 6 10:10:32 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Mon, 06 Oct 2025 08:10:32 +0000 Subject: [gnutls-devel] GnuTLS | Instrument crypto-auditing probes (!2019) In-Reply-To: References: Message-ID: Daiki Ueno marked merge request !2019 as ready -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/2019 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Oct 6 10:32:24 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Mon, 06 Oct 2025 08:32:24 +0000 Subject: [gnutls-devel] GnuTLS | lib/nettle/int/drbg-aes-self-test: Replace free() with gnutls_free() (!2024) In-Reply-To: References: Message-ID: Daiki Ueno commented: https://gitlab.com/gnutls/gnutls/-/merge_requests/2024#note_2800218158 Merging without approval, as the original MR has already reviewed. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/2024#note_2800218158 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Oct 6 10:32:30 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Mon, 06 Oct 2025 08:32:30 +0000 Subject: [gnutls-devel] GnuTLS | lib/nettle/int/drbg-aes-self-test: Replace free() with gnutls_free() (!2024) In-Reply-To: References: Message-ID: Merge request !2024 was merged Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/2024 Project:Branches: dueno/gnutls:wip/purdue-university1/gnutls-free to gnutls/gnutls:master Author: Daiki Ueno -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/2024 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Oct 6 10:36:57 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Mon, 06 Oct 2025 08:36:57 +0000 Subject: [gnutls-devel] GnuTLS | x509: Remove extraneous asn1_delete (!2025) References: Message-ID: Daiki Ueno created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/2025 Project:Branches: dueno/gnutls:wip/szeter/fix-prvk-pkcs8 to gnutls/gnutls:master Author: Daiki Ueno This is a clone of !2023, created to pacify the CI. * x509: Remove misleading comments These comments were originally from an old function called check_schema() which has since been removed. * x509: Remove extraneous asn1_delete No need for deletion given we already call asn1_delete_structure2. ## Checklist * [x] Commits have `Signed-off-by:` with name/author being identical to the commit author * [ ] Code modified for feature * [ ] Test suite updated with functionality tests * [ ] Test suite updated with negative tests * [ ] Documentation updated / NEWS entry present (for non-trivial changes) ## Reviewer's checklist: * [ ] Any issues marked for closing are addressed * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md` * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/2025 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Oct 6 10:38:54 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Mon, 06 Oct 2025 08:38:54 +0000 Subject: [gnutls-devel] GnuTLS | x509: Remove extraneous asn1_delete (!2023) In-Reply-To: References: Message-ID: Daiki Ueno commented: https://gitlab.com/gnutls/gnutls/-/merge_requests/2023#note_2800235342 Cloned as !2025 for CI purposes. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/2023#note_2800235342 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Oct 6 10:38:55 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Mon, 06 Oct 2025 08:38:55 +0000 Subject: [gnutls-devel] GnuTLS | x509: Remove extraneous asn1_delete (!2023) In-Reply-To: References: Message-ID: Merge request !2023 was closed by Daiki Ueno Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/2023 Project:Branches: szeter/gnutls:fix-prvk-pkcs8 to gnutls/gnutls:master Author: Samuel Zeter Assignees: Reviewers: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/2023 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Oct 6 10:45:22 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Mon, 06 Oct 2025 08:45:22 +0000 Subject: [gnutls-devel] GnuTLS | Instrument crypto-auditing probes (!2019) In-Reply-To: References: Message-ID: Zolt?n Fridrich commented: https://gitlab.com/gnutls/gnutls/-/merge_requests/2019#note_2800254230 Looks good. Haven't seen any mistakes -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/2019#note_2800254230 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Oct 6 10:45:32 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Mon, 06 Oct 2025 08:45:32 +0000 Subject: [gnutls-devel] GnuTLS | Instrument crypto-auditing probes (!2019) In-Reply-To: References: Message-ID: Merge request !2019 was approved by Zolt?n Fridrich Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/2019 Project:Branches: dueno/gnutls:wip/dueno/usdt2 to gnutls/gnutls:master Author: Daiki Ueno Assignees: Reviewers: -- You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Oct 6 12:59:13 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Mon, 06 Oct 2025 10:59:13 +0000 Subject: [gnutls-devel] GnuTLS | x509: Remove extraneous asn1_delete (!2025) In-Reply-To: References: Message-ID: Daiki Ueno commented: https://gitlab.com/gnutls/gnutls/-/merge_requests/2025#note_2800649588 Merging without approval, as the original MR has already been reviewed. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/2025#note_2800649588 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Oct 6 12:59:21 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Mon, 06 Oct 2025 10:59:21 +0000 Subject: [gnutls-devel] GnuTLS | x509: Remove extraneous asn1_delete (!2025) In-Reply-To: References: Message-ID: Merge request !2025 was merged Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/2025 Project:Branches: dueno/gnutls:wip/szeter/fix-prvk-pkcs8 to gnutls/gnutls:master Author: Daiki Ueno -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/2025 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Oct 6 15:07:29 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Mon, 06 Oct 2025 13:07:29 +0000 Subject: [gnutls-devel] GnuTLS | Instrument crypto-auditing probes (!2019) In-Reply-To: References: Message-ID: Daiki Ueno commented: https://gitlab.com/gnutls/gnutls/-/merge_requests/2019#note_2801137579 Thank you for the review. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/2019#note_2801137579 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Oct 6 15:07:46 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Mon, 06 Oct 2025 13:07:46 +0000 Subject: [gnutls-devel] GnuTLS | Instrument crypto-auditing probes (!2019) In-Reply-To: References: Message-ID: Merge request !2019 was merged Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/2019 Project:Branches: dueno/gnutls:wip/dueno/usdt2 to gnutls/gnutls:master Author: Daiki Ueno -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/2019 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Oct 7 00:11:56 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Mon, 06 Oct 2025 22:11:56 +0000 Subject: [gnutls-devel] GnuTLS | Expose HPKE through abstract key API [BASE+PSK] (!1976) In-Reply-To: References: Message-ID: Merge request https://gitlab.com/gnutls/gnutls/-/merge_requests/1976 was reviewed by Daiki Ueno -- Daiki Ueno started a new discussion on lib/includes/gnutls/gnutls.h.in: https://gitlab.com/gnutls/gnutls/-/merge_requests/1976#note_2802493624 > + GNUTLS_HPKE_MODE_PSK, > + GNUTLS_HPKE_MODE_PSK_AUTH, > +} gnutls_hpke_mode_t; This enum is not used anywhere. Shall we drop it? -- Daiki Ueno started a new discussion on lib/nettle/hpke/hpke-hkdf.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1976#note_2802493636 > +#include "hpke-internal.h" > + > +#include "ecc-internal.h" I haven't closely looked at this code, but it seems "ecc-internal.h" is only used for accessing `ecc->q`, so we can reuse it. I guess we could simply embed the [constants](https://www.rfc-editor.org/rfc/rfc9180.html#section-7.1.3) defined in the RFC instead. -- Daiki Ueno started a new discussion on lib/includes/gnutls/abstract.h: https://gitlab.com/gnutls/gnutls/-/merge_requests/1976#note_2802493640 > +int gnutls_privkey_decap_with_psk(const gnutls_privkey_t skR, > + const gnutls_datum_t psk, > + const gnutls_pk_encapsulate_flags_t flags, We usually put the `flags` argument last. -- Daiki Ueno started a new discussion on lib/nettle/hpke/hpke-gmp.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1976#note_2802493647 > + assert(n > 0); > + > + mp_get_memory_functions(&alloc_func, NULL, NULL); This probably interfere with the other parts of GnuTLS, as it also uses it. -- Daiki Ueno started a new discussion on lib/nettle/hpke/nettle-alloca.h: https://gitlab.com/gnutls/gnutls/-/merge_requests/1976#note_2802493648 > +/* nettle-internal.h lib/nettle/int/nettle-internal.h has these definitions already. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1976 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Oct 7 00:11:55 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Mon, 06 Oct 2025 22:11:55 +0000 Subject: [gnutls-devel] GnuTLS | Expose HPKE through abstract key API [BASE+PSK] (!1976) In-Reply-To: References: Message-ID: Daiki Ueno commented: https://gitlab.com/gnutls/gnutls/-/merge_requests/1976#note_2802493655 Thank you for the update, @d-Dudas! -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1976#note_2802493655 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Oct 7 09:42:53 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 07 Oct 2025 07:42:53 +0000 Subject: [gnutls-devel] GnuTLS | Expose HPKE through abstract key API [BASE+PSK] (!1976) In-Reply-To: References: Message-ID: Daiki Ueno commented: https://gitlab.com/gnutls/gnutls/-/merge_requests/1976#note_2803293415 By the way, looking at the code, it feels to me that it might be easier/cleaner to implement HPKE using the cryptographic API of GnuTLS itself (or public API of Nettle) as a building block. Of course it would be a significant rewrite, so we can do that in a second iteration after merging this. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1976#note_2803293415 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Oct 9 02:25:04 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Thu, 09 Oct 2025 00:25:04 +0000 Subject: [gnutls-devel] GnuTLS | m4/hooks.m4: check defines DTrace compatible macros (!2026) References: Message-ID: Daiki Ueno created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/2026 Project:Branches: dueno/gnutls:wip/dueno/usdt-followup to gnutls/gnutls:master Author: Daiki Ueno This fixes a compilation error on macOS, as well as a couple of minor build issues. * configure: fix faketime detection This fixes the cache variable name (gnutls_cv_prog_faketime_works, not gnutls_cv_faketime_works), and avoids extraneous output from the configure. * po: ignore new files introduced by gettext * m4/hooks.m4: check defines DTrace compatible macros On macOS, defines a different interface than on GNU/Linux. Check if DTRACE_PROBE* macros are actually usable. ## Checklist * [x] Commits have `Signed-off-by:` with name/author being identical to the commit author * [ ] Code modified for feature * [ ] Test suite updated with functionality tests * [ ] Test suite updated with negative tests * [ ] Documentation updated / NEWS entry present (for non-trivial changes) ## Reviewer's checklist: * [ ] Any issues marked for closing are addressed * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md` * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/2026 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Oct 9 07:04:13 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Thu, 09 Oct 2025 05:04:13 +0000 Subject: [gnutls-devel] GnuTLS | lib/kx: Only report file open error if there is an error (!2027) References: Message-ID: Alistair Francis created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/2027 Project:Branches: alistair23/gnutls:alistair/keylog-log to gnutls/gnutls:master Author: Alistair Francis Previously all attempts to open a `SSLKEYLOGFILE` would result in a "unable to open keylog file" regardless of if the file was opened or not. Instead let's only report the issue if the file fails to open. ## Checklist * [X] Commits have `Signed-off-by:` with name/author being identical to the commit author * [ ] Code modified for feature * [ ] Test suite updated with functionality tests * [ ] Test suite updated with negative tests * [ ] Documentation updated / NEWS entry present (for non-trivial changes) ## Reviewer's checklist: * [ ] Any issues marked for closing are addressed * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md` * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/2027 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Oct 10 11:32:17 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 10 Oct 2025 09:32:17 +0000 Subject: [gnutls-devel] GnuTLS | Confusing documentation for service parameter in `gnutls_verify_stored_pubkey` (#1744) References: Message-ID: Dariqq created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1744 Hello ## Description of problem: I was looking into using ` gnutls_verify_stored_pubkey` and `gnutls_store_pubkey` for tofu verification. The documentation I could find for the `service` parameter is a bit confusing whether it should be the service name or the port number - The client example at https://www.gnutls.org/manual/html_node/Client-example-with-SSH_002dstyle-certificate-verification.html uses "https" - The function reference in the manual at https://www.gnutls.org/manual/html_node/Certificate-verification.html says ``` > service: non-NULL if this key is specific to a service (e.g. http) [...] > The service field if non-NULL should be a port number ``` The first part suggests that it should be the service name while the second one advises one to use the port number. Running `gnutls-cli --tofu gnutls.org` and saving the cert it got saved as "https" and not "443". >From what I can see the default `verify_pubkey` and `parse_line` functions just use `strcmp` (special casing `"*"`) so it should not matter as long as I am consistent with always using either the port or service name. Thanks. ## Version of gnutls used: online manual is version 3.8.10 gnutls-cli version 3.8.10 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1744 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Oct 10 13:56:16 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 10 Oct 2025 11:56:16 +0000 Subject: [gnutls-devel] GnuTLS | lib/kx: Only report file open error if there is an error (!2027) In-Reply-To: References: Message-ID: Merge request !2027 was approved by Daiki Ueno Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/2027 Project:Branches: alistair23/gnutls:alistair/keylog-log to gnutls/gnutls:master Author: Alistair Francis Assignees: Reviewers: -- You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Oct 10 13:58:47 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 10 Oct 2025 11:58:47 +0000 Subject: [gnutls-devel] GnuTLS | lib/kx: Only report file open error if there is an error (!2027) In-Reply-To: References: Message-ID: Daiki Ueno commented: https://gitlab.com/gnutls/gnutls/-/merge_requests/2027#note_2812889392 Thank you, LGTM; it was embarrassing, though it doesn't affect anything other than the debug log :-) Will pick it in the next release anyway. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/2027#note_2812889392 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Oct 10 13:58:56 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 10 Oct 2025 11:58:56 +0000 Subject: [gnutls-devel] GnuTLS | lib/kx: Only report file open error if there is an error (!2027) In-Reply-To: References: Message-ID: Milestone changed to Release of GnuTLS 3.8.11 (Jul 8, 2025?Sep 30, 2025) ( https://gitlab.com/gnutls/gnutls/-/milestones/49 ) -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/2027 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Oct 10 14:37:13 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 10 Oct 2025 12:37:13 +0000 Subject: [gnutls-devel] GnuTLS | m4/hooks.m4: check defines DTrace compatible macros (!2026) In-Reply-To: References: Message-ID: Merge request !2026 was approved by Zolt?n Fridrich Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/2026 Project:Branches: dueno/gnutls:wip/dueno/usdt-followup to gnutls/gnutls:master Author: Daiki Ueno Assignees: Reviewers: -- You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Oct 10 14:37:24 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 10 Oct 2025 12:37:24 +0000 Subject: [gnutls-devel] GnuTLS | m4/hooks.m4: check defines DTrace compatible macros (!2026) In-Reply-To: References: Message-ID: Zolt?n Fridrich commented: https://gitlab.com/gnutls/gnutls/-/merge_requests/2026#note_2812985308 Look fine to me. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/2026#note_2812985308 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat Oct 11 01:33:50 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 10 Oct 2025 23:33:50 +0000 Subject: [gnutls-devel] GnuTLS | m4/hooks.m4: check defines DTrace compatible macros (!2026) In-Reply-To: References: Message-ID: Daiki Ueno commented: https://gitlab.com/gnutls/gnutls/-/merge_requests/2026#note_2814216004 Thank you for the review. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/2026#note_2814216004 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat Oct 11 01:34:00 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 10 Oct 2025 23:34:00 +0000 Subject: [gnutls-devel] GnuTLS | m4/hooks.m4: check defines DTrace compatible macros (!2026) In-Reply-To: References: Message-ID: Merge request !2026 was merged Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/2026 Project:Branches: dueno/gnutls:wip/dueno/usdt-followup to gnutls/gnutls:master Author: Daiki Ueno -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/2026 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun Oct 12 18:27:43 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Sun, 12 Oct 2025 16:27:43 +0000 Subject: [gnutls-devel] GnuTLS | Expose HPKE through abstract key API [BASE+PSK] (!1976) In-Reply-To: References: Message-ID: David Dudas commented on a discussion on lib/includes/gnutls/gnutls.h.in: https://gitlab.com/gnutls/gnutls/-/merge_requests/1976#note_2815420095 > > +/** > + * gnutls_hpke_mode_t: > + * @GNUTLS_HPKE_MODE_BASE: Base mode, no authentication. > + * @GNUTLS_HPKE_MODE_AUTH: Authenticated mode, using a public key. > + * @GNUTLS_HPKE_MODE_PSK: Pre-shared key mode, using a symmetric key. > + * @GNUTLS_HPKE_MODE_PSK_AUTH: Pre-shared key authenticated mode, using a symmetric key and a public key. > + * > + * Enumeration of HPKE modes as specified in RFC9180. > + */ > +typedef enum { > + GNUTLS_HPKE_MODE_BASE, > + GNUTLS_HPKE_MODE_AUTH, > + GNUTLS_HPKE_MODE_PSK, > + GNUTLS_HPKE_MODE_PSK_AUTH, > +} gnutls_hpke_mode_t; Removed. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1976#note_2815420095 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun Oct 12 18:29:27 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Sun, 12 Oct 2025 16:29:27 +0000 Subject: [gnutls-devel] GnuTLS | Expose HPKE through abstract key API [BASE+PSK] (!1976) In-Reply-To: References: Message-ID: David Dudas commented on a discussion on lib/nettle/hpke/hpke-hkdf.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1976#note_2815420637 > + > + You should have received copies of the GNU General Public License and > + the GNU Lesser General Public License along with this program. If > + not, see http://www.gnu.org/licenses/. > +*/ > + > +#if HAVE_CONFIG_H > +#include "config.h" > +#endif > + > +#include > + > +#include > +#include "hpke-internal.h" > + > +#include "ecc-internal.h" Removed the include, added P-256, P-384 and P-521 constants from RFC9180. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1976#note_2815420637 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun Oct 12 18:30:01 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Sun, 12 Oct 2025 16:30:01 +0000 Subject: [gnutls-devel] GnuTLS | Expose HPKE through abstract key API [BASE+PSK] (!1976) In-Reply-To: References: Message-ID: David Dudas commented on a discussion on lib/nettle/hpke/hpke-gmp.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1976#note_2815420770 > + > +#if HAVE_CONFIG_H > +#include "config.h" > +#endif > + > +#include > +#include > + > +#include "hpke-gmp.h" > + > +void *hpke_gmp_alloc(size_t n) > +{ > + void *(*alloc_func)(size_t); > + assert(n > 0); > + > + mp_get_memory_functions(&alloc_func, NULL, NULL); Removed these functions. Used gnutls_(malloc/free) instead. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1976#note_2815420770 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun Oct 12 18:30:22 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Sun, 12 Oct 2025 16:30:22 +0000 Subject: [gnutls-devel] GnuTLS | Expose HPKE through abstract key API [BASE+PSK] (!1976) In-Reply-To: References: Message-ID: David Dudas commented on a discussion on lib/nettle/hpke/nettle-alloca.h: https://gitlab.com/gnutls/gnutls/-/merge_requests/1976#note_2815420910 > +/* nettle-internal.h Removed new file. Using lib/nettle/int/nettle-internal.h instead. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1976#note_2815420910 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun Oct 12 18:40:16 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Sun, 12 Oct 2025 16:40:16 +0000 Subject: [gnutls-devel] GnuTLS | Expose HPKE through abstract key API [BASE+PSK] (!1976) In-Reply-To: References: Message-ID: David Dudas commented on a discussion on lib/includes/gnutls/abstract.h: https://gitlab.com/gnutls/gnutls/-/merge_requests/1976#note_2815425096 > + gnutls_datum_t *key, gnutls_datum_t *shared_secret); > + > +int gnutls_privkey_decap(const gnutls_privkey_t skR, > + const gnutls_pk_encapsulate_flags_t flags, > + const gnutls_datum_t key, > + gnutls_datum_t *shared_secret); > + > +int gnutls_privkey_encap_with_psk(const gnutls_pubkey_t pkR, > + const gnutls_datum_t psk, > + const gnutls_pk_encapsulate_flags_t flags, > + gnutls_datum_t *key, > + gnutls_datum_t *shared_secret); > + > +int gnutls_privkey_decap_with_psk(const gnutls_privkey_t skR, > + const gnutls_datum_t psk, > + const gnutls_pk_encapsulate_flags_t flags, Updated. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1976#note_2815425096 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun Oct 12 18:40:17 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Sun, 12 Oct 2025 16:40:17 +0000 Subject: [gnutls-devel] GnuTLS | Expose HPKE through abstract key API [BASE+PSK] (!1976) In-Reply-To: References: Message-ID: All discussions on merge request !1976 were resolved by David Dudas https://gitlab.com/gnutls/gnutls/-/merge_requests/1976 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1976 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun Oct 12 18:41:46 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Sun, 12 Oct 2025 16:41:46 +0000 Subject: [gnutls-devel] GnuTLS | Expose HPKE through abstract key API [BASE+PSK] (!1976) In-Reply-To: References: Message-ID: David Dudas commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/1976#note_2815425443 I think I would try to do that in a second iteration after merging this. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1976#note_2815425443 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun Oct 12 18:41:58 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Sun, 12 Oct 2025 16:41:58 +0000 Subject: [gnutls-devel] GnuTLS | Expose HPKE through abstract key API [BASE+PSK] (!1976) In-Reply-To: References: Message-ID: All discussions on merge request !1976 were resolved by David Dudas https://gitlab.com/gnutls/gnutls/-/merge_requests/1976 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1976 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Oct 14 07:59:45 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 14 Oct 2025 05:59:45 +0000 Subject: [gnutls-devel] GnuTLS | audit: wrap crau interface and expose it partly as public API (!2028) References: Message-ID: Daiki Ueno created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/2028 Project:Branches: dueno/gnutls:wip/dueno/usdt-followup2 to gnutls/gnutls:master Author: Daiki Ueno Approvers: Tom?? Mr?z, Tom, Tim R?hsen, Ajit Singh, GnuTLS devel mailing list, Anderson Sasaki, Franti?ek Kren?elok, Alicja Kario (@mention me if you need reply), civodul, Alexander Sosedkin, George Pantelakis, Niels M?ller, Zolt?n Fridrich, Sahana Prasad, Dmitry Baryshkov, Stephan Mueller, Ander Juaristi, GnuTLS bot, Nikos Mavrogiannopoulos, Airtower, Andreas Metzler and Simon Josefsson * audit: wrap crau interface and expose it partly as public API This adds 3 new functions: gnutls_audit_push_context, gnutls_audit_pop_context, and gnutls_audit_current_context, which would be useful when the applications define their own crypto-auditing probe points. * configure: disable crypto-auditing support by default ## Checklist * [x] Commits have `Signed-off-by:` with name/author being identical to the commit author * [ ] Code modified for feature * [ ] Test suite updated with functionality tests * [ ] Test suite updated with negative tests * [ ] Documentation updated / NEWS entry present (for non-trivial changes) ## Reviewer's checklist: * [ ] Any issues marked for closing are addressed * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md` * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/2028 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Oct 14 08:26:01 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 14 Oct 2025 06:26:01 +0000 Subject: [gnutls-devel] GnuTLS | Certificate with duplicates in the chain is rejected (#1741) In-Reply-To: References: Message-ID: Daiki Ueno commented: https://gitlab.com/gnutls/gnutls/-/issues/1741#note_2818827425 Sorry for the delay. I tried it with 3.8.9 (on Debian) and 3.8.10 (on Fedora), but couldn't reproduce; perhaps the server changed the configuration? Do you still have the chain saved with `--save-cert`? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1741#note_2818827425 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Oct 14 09:11:34 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 14 Oct 2025 07:11:34 +0000 Subject: [gnutls-devel] GnuTLS | Inconsistent subject name processing results (#1740) In-Reply-To: References: Message-ID: Daiki Ueno commented: https://gitlab.com/gnutls/gnutls/-/issues/1740#note_2818909523 Thank you for the report. What I see in your provided examples are: - For GnuTLS, you extract DN with `gnutls_x509_crt_get_dn` and compare it with `strcmp` - For OpenSSL, you use `X509_NAME_cmp` which compares DNs in a case-insensitive manner Is this a request to add a similar function to `X509_NAME_cmp` in GnuTLS, or do you actually see any inconsistent matching behavior? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1740#note_2818909523 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Oct 14 18:16:09 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 14 Oct 2025 16:16:09 +0000 Subject: [gnutls-devel] GnuTLS | lib: Fix Wunterminated-string-initialization warnings (!2029) References: Message-ID: Samuel Zeter created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/2029 Project:Branches: szeter/gnutls:Wunterminated-string-initialization to gnutls/gnutls:master Author: Samuel Zeter Approvers: Nikos Mavrogiannopoulos, Tom, Ander Juaristi, Andreas Metzler, Airtower, Alicja Kario (@mention me if you need reply), Ajit Singh, Anderson Sasaki, Tom?? Mr?z, Tim R?hsen, Franti?ek Kren?elok, civodul, GnuTLS devel mailing list, George Pantelakis, Niels M?ller, Sahana Prasad, Dmitry Baryshkov, Zolt?n Fridrich, Alexander Sosedkin, Simon Josefsson, Stephan Mueller, GnuTLS bot and Daiki Ueno * lib: Fix Wunterminated-string-initialization warnings Building on a newer gcc version (15) results in the following warnings: status_request.c: In function 'client_send': status_request.c:71:33: warning: initializer-string for array of 'unsigned char' truncates NUL terminator but destination lacks 'nonstring' attribute (6 chars into 5 available) [-Wunterminated-string-initialization] 71 | const uint8_t data[5] = "\x01\x00\x00\x00\x00"; | ^~~~~~~~~~~~~~~~~~~~~~ x86-common.c: In function 'check_phe_partial': x86-common.c:342:31: warning: initializer-string for array of 'char' truncates NUL terminator but destination lacks 'nonstring' attribute (65 chars into 64 available) [-Wunterminated-string-initialization] 342 | const char text[64] = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Signed-off-by: Samuel Zeter ## Checklist * [x ] Commits have `Signed-off-by:` with name/author being identical to the commit author * [ ] Code modified for feature * [ ] Test suite updated with functionality tests * [ ] Test suite updated with negative tests * [ ] Documentation updated / NEWS entry present (for non-trivial changes) ## Reviewer's checklist: * [ ] Any issues marked for closing are addressed * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md` * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/2029 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Oct 14 23:17:31 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 14 Oct 2025 21:17:31 +0000 Subject: [gnutls-devel] GnuTLS | Certificate with duplicates in the chain is rejected (#1741) In-Reply-To: References: Message-ID: Sergey commented: https://gitlab.com/gnutls/gnutls/-/issues/1741#note_2821031626 Yes, the certificate was fixed in the meantime. I think i have found the certificate from the time the error happened. [aa.crt](/uploads/3d98dfc340533795a3c39df03935fa99/aa.crt) -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1741#note_2821031626 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Oct 15 02:41:40 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 15 Oct 2025 00:41:40 +0000 Subject: [gnutls-devel] GnuTLS | lib: Fix Wunterminated-string-initialization warnings (!2029) In-Reply-To: References: Message-ID: Merge request https://gitlab.com/gnutls/gnutls/-/merge_requests/2029 was reviewed by Daiki Ueno -- Daiki Ueno started a new discussion on lib/accelerated/x86/x86-common.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/2029#note_2821357418 > - const char text[64] = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" > - "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"; > + const char text[64] __attribute__((nonstring)) = I have a slight concern on assuming `__attribute__((nonstring))` is always available; a more portable way to do this is to include "attribute.h" and use `ATTRIBUTE_NONSTRING`. However, in this use-case, I would rather write: ```c const char text[SHA1_BLOCK_SIZE + 1/*NUL*/] = "..."; ``` as the `padlock_sha1_blocks` below only takes 64 bytes from the input as commented. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/2029 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Oct 15 02:41:46 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 15 Oct 2025 00:41:46 +0000 Subject: [gnutls-devel] GnuTLS | lib: Fix Wunterminated-string-initialization warnings (!2029) In-Reply-To: References: Message-ID: Daiki Ueno commented: https://gitlab.com/gnutls/gnutls/-/merge_requests/2029#note_2821357426 Thank you. I suppose you would notice a few more if you configure with `--enable-fips140-mode` and compile the tests as well. Would you like to fix those as well? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/2029#note_2821357426 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Oct 15 02:41:40 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 15 Oct 2025 00:41:40 +0000 Subject: [gnutls-devel] GnuTLS | lib: Fix Wunterminated-string-initialization warnings (!2029) In-Reply-To: References: Message-ID: Merge request !2029 was approved by Daiki Ueno Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/2029 Project:Branches: szeter/gnutls:Wunterminated-string-initialization to gnutls/gnutls:master Author: Samuel Zeter Assignees: Reviewers: -- You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Oct 15 08:04:12 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 15 Oct 2025 06:04:12 +0000 Subject: [gnutls-devel] GnuTLS | TLS handshake fails between OpenSSL 3.6.0 and GnuTLS (#1746) References: Message-ID: ?scar Garc?a Amor created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1746 ## Description of problem: TLS handshake fails when connecting to specific HTTPS servers after upgrading OpenSSL from 3.5.4 to 3.6.0. It is definitely a problem caused by updating OpenSSL to 3.6.0 because if you roll back to 3.5.4, everything works again. This was initially detected in WebKit applications, so there [is a related bug in Bugzilla](https://bugs.webkit.org/show_bug.cgi?id=300584). ## Version of gnutls used: 3.8.10 ## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL) Arch Linux ## How reproducible: 1. Use Arch Linux (up to date as of October 2025). 2. Ensure OpenSSL 3.6.0 is installed. 3. Install and configure nginx with a simple self-signed TLS certificate. 4. Launch any GnuTLS client such Epiphany, wget or aria2. 5. Open https://localhost/. ## Actual results: Epiphany shows an SSL/TLS error 'Peer failed to perform TLS handshake: Error decoding the received TLS packet.' In wget or aria2 similar error 'GnuTLS: Error decoding the received TLS packet'. ## Expected results: Everything should work fine, regardless of the version of OpenSSL installed. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1746 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Oct 15 08:25:01 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 15 Oct 2025 06:25:01 +0000 Subject: [gnutls-devel] GnuTLS | TLS handshake fails between OpenSSL 3.6.0 and GnuTLS (#1746) In-Reply-To: References: Message-ID: ?scar Garc?a Amor commented: https://gitlab.com/gnutls/gnutls/-/issues/1746#note_2821663390 I have [replicated this bug in OpenSSL](https://github.com/openssl/openssl/issues/28902) so that we are all aware that it happens. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1746#note_2821663390 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Oct 15 11:39:41 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 15 Oct 2025 09:39:41 +0000 Subject: [gnutls-devel] GnuTLS | TLS handshake fails between OpenSSL 3.6.0 and GnuTLS (#1746) In-Reply-To: References: Message-ID: Alicja Kario (@mention me if you need reply) commented: https://gitlab.com/gnutls/gnutls/-/issues/1746#note_2822165107 Could I ask for a packet capture of the connection? Preferably with session key logging? (SSLKEYLOGFILE set: https://www.gnutls.org/manual/html_node/Debugging-and-auditing.html ) -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1746#note_2822165107 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Oct 15 16:14:23 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 15 Oct 2025 14:14:23 +0000 Subject: [gnutls-devel] GnuTLS | TLS handshake fails between OpenSSL 3.6.0 and GnuTLS (#1746) In-Reply-To: References: Message-ID: ?scar Garc?a Amor commented on a discussion: https://gitlab.com/gnutls/gnutls/-/issues/1746#note_2822959994 @tomato42 If you want, I can give you the server URL (it's exposed to the internet) so you can test it directly. Let me know where to send it to you ?privately? because it's a very modest server and I don't want to advertise it too much. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1746#note_2822959994 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Oct 15 16:38:57 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 15 Oct 2025 14:38:57 +0000 Subject: [gnutls-devel] GnuTLS | TLS handshake fails between OpenSSL 3.6.0 and GnuTLS (#1746) In-Reply-To: References: Message-ID: Alicja Kario (@mention me if you need reply) commented on a discussion: https://gitlab.com/gnutls/gnutls/-/issues/1746#note_2823047593 hkario at redhat.com and please CC also dueno at redhat.com -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1746#note_2823047593 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Oct 15 17:08:05 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 15 Oct 2025 15:08:05 +0000 Subject: [gnutls-devel] GnuTLS | TLS handshake fails between OpenSSL 3.6.0 and GnuTLS (#1746) In-Reply-To: References: Message-ID: ?scar Garc?a Amor commented on a discussion: https://gitlab.com/gnutls/gnutls/-/issues/1746#note_2823148960 Done, let me know if there's anything else I can do. And forgive me for getting lost in translation in mail and using ?screenshot? instead of ?capture?. It's my habit of running everything through the spell checker. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1746#note_2823148960 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Oct 15 17:17:45 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 15 Oct 2025 15:17:45 +0000 Subject: [gnutls-devel] GnuTLS | TLS handshake fails between OpenSSL 3.6.0 and GnuTLS (#1746) In-Reply-To: References: Message-ID: Alicja Kario (@mention me if you need reply) commented on a discussion: https://gitlab.com/gnutls/gnutls/-/issues/1746#note_2823185375 Thank you! OK, so it looks like the server is using OCSP stapling, but then it sends `status_request` extension for all the certificates in the chain, while including actual OCSP response only for the first one... As we can read in https://datatracker.ietf.org/doc/html/rfc8446#section-4.4.2.1 and then in https://datatracker.ietf.org/doc/html/rfc6066#page-15 the `OCSPResponse` object MUST NOT be empty (it needs to have length of at least 1: ``` opaque OCSPResponse<1..2^24-1>; ``` That means that the server is behaving incorrectly. Could you share details how you configured OCSP stapling in it? I wonder if it's a bug in OpenSSL or in nginx... -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1746#note_2823185375 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Oct 15 17:32:00 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 15 Oct 2025 15:32:00 +0000 Subject: [gnutls-devel] GnuTLS | TLS handshake fails between OpenSSL 3.6.0 and GnuTLS (#1746) In-Reply-To: References: Message-ID: ?scar Garc?a Amor commented on a discussion: https://gitlab.com/gnutls/gnutls/-/issues/1746#note_2823245042 I have emailed you the complete configuration, but for the record, the configuration is similar to [the one recommended by Mozilla here](https://ssl-config.mozilla.org/#server=nginx&version=1.27.3&config=intermediate&openssl=3.4.0&guideline=5.7). The OCP stapling part simply has this: ``` # OCSP stapling ssl_stapling on; ssl_stapling_verify on; ``` -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1746#note_2823245042 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Oct 15 17:33:59 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 15 Oct 2025 15:33:59 +0000 Subject: [gnutls-devel] GnuTLS | TLS handshake fails between OpenSSL 3.6.0 and GnuTLS (#1746) In-Reply-To: References: Message-ID: Michael Catanzaro commented on a discussion: https://gitlab.com/gnutls/gnutls/-/issues/1746#note_2823252063 Based on https://github.com/openssl/openssl/issues/28902#issuecomment-3407052303 I think we can close this and continue in the OpenSSL issue report. Thank you for the diagnosis! -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1746#note_2823252063 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Oct 15 17:55:31 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 15 Oct 2025 15:55:31 +0000 Subject: [gnutls-devel] GnuTLS | TLS handshake fails between OpenSSL 3.6.0 and GnuTLS (#1746) In-Reply-To: References: Message-ID: Alicja Kario (@mention me if you need reply) commented on a discussion: https://gitlab.com/gnutls/gnutls/-/issues/1746#note_2823312584 yes, that configuration doesn't look off, so it very much looks like an OpenSSL/nginx issue -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1746#note_2823312584 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Oct 15 20:18:09 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 15 Oct 2025 18:18:09 +0000 Subject: [gnutls-devel] GnuTLS | ECDSA private key generation misencodes keys, should have fixed private d value length (#1747) References: Message-ID: Hanno B?ck created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1747 ECDSA private key values should be stored in a bytestring of fixed-length with the size of the modulus (see RFC 5915 [1]). This also mitigates possible sidechannels that may leak information about leading zeros when loading a private key (see also [2]). It appears gnutls encodes the private d value with an additional zero if the upmost bit of the d value is set (~1/2 of keys). It encodes d with a byte too small if the top 9 bits are zero. (happens in 1/512 of keys). To test, generate a large number of ecdsa keys: ``` for x in $(seq 1 1000); do certtool --generate-privkey --outfile $x.key --key-type ecdsa --outder; done ``` Given the fixed-size encoding, all private keys with the same curve should have the same size, but they differ. Some are 121 bytes (correctly encoded), some 122 bytes, some (few) 120 bytes. Here's a python script that checks if ECDSA's d has the correct encoding size: https://github.com/hannob/tlshelpers/blob/main/checkkeyenc Given this can lead to a timing sidechannel leaking (very limited) information about the private key, one may see this as a security issue. However, the risk is very low and probably not practically relevant, as the information that can be leaked is extremely limited. [1] https://www.rfc-editor.org/rfc/rfc5915.html#section-3 [2] https://seclists.org/oss-sec/2025/q4/38 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1747 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Oct 16 13:55:30 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Thu, 16 Oct 2025 11:55:30 +0000 Subject: [gnutls-devel] GnuTLS | TLS handshake fails between OpenSSL 3.6.0 and GnuTLS (#1746) In-Reply-To: References: Message-ID: Issue was closed by Daiki Ueno Issue #1746: https://gitlab.com/gnutls/gnutls/-/issues/1746 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1746 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Oct 16 13:55:31 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Thu, 16 Oct 2025 11:55:31 +0000 Subject: [gnutls-devel] GnuTLS | TLS handshake fails between OpenSSL 3.6.0 and GnuTLS (#1746) In-Reply-To: References: Message-ID: Daiki Ueno commented: https://gitlab.com/gnutls/gnutls/-/issues/1746#note_2825640863 Closing, thank you everyone for looking into it! -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1746#note_2825640863 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Oct 16 19:30:09 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Thu, 16 Oct 2025 17:30:09 +0000 Subject: [gnutls-devel] GnuTLS | lib: Fix Wunterminated-string-initialization warnings (!2029) In-Reply-To: References: Message-ID: Samuel Zeter commented on a discussion on lib/accelerated/x86/x86-common.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/2029#note_2826791201 > > static int check_phe_partial(void) > { > - const char text[64] = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" > - "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"; > + const char text[64] __attribute__((nonstring)) = ok i will amend this. I went through several iterations trying to find the best approach. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/2029#note_2826791201 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Oct 16 19:30:20 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Thu, 16 Oct 2025 17:30:20 +0000 Subject: [gnutls-devel] GnuTLS | lib: Fix Wunterminated-string-initialization warnings (!2029) In-Reply-To: References: Message-ID: Samuel Zeter commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/2029#note_2826791598 I'll take a look -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/2029#note_2826791598 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Oct 17 07:24:28 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 17 Oct 2025 05:24:28 +0000 Subject: [gnutls-devel] GnuTLS | KTLS by default disabled. (#1748) References: Message-ID: akshainie playz created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1748 We are trying to use the KTLS feature on Ubuntu 22.04, which includes gnutls version 3.7.3 by default. However, the default package provided by the distribution has the ENABLE_KTLS flag disabled. It appears that the only way to enable it is by compiling gnutls with that flag. I would like to understand why this flag is disabled by default and why distributions do not enable it in their default packages. **This API gnutls_transport_is_ktls_enabled(gnutls_session_t**?_session_**); returning** **GNUTLS_E_UNIMPLEMENTED_FEATURE** -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1748 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Oct 17 10:58:44 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 17 Oct 2025 08:58:44 +0000 Subject: [gnutls-devel] GnuTLS | Parsing of BIT STRING encoded EdDSA key fails in _gnutls_x509_decode_string (#1749) References: Message-ID: Conor Tull created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1749 I've been investigating the EdDSA key import logic and found an issue with parsing BIT STRING encoded keys. Commit [70f81c85](https://gitlab.com/gnutls/gnutls/-/commit/70f81c857#f61d05c822a5dd50f9a59201f798412ccde1a955_536_559) claims to add support for this, but it seems to fail in practice (never tested). When gnutls_pubkey_import_ecc_eddsa receives a BIT STRING, it correctly identifies it and calls \_gnutls_x509_decode_string. However, that helper function fails with ASN1_VALUE_NOT_VALID. I traced this with GDB and the failure is coming from libtasn1 at decoding.c:2136. It seems the ETYPE_IS_STRING macro check in libtasn1 doesn't consider ASN1_ETYPE_BIT_STRING to be a valid string (because of \[this\](because of https://gitlab.com/gnutls/libtasn1/-/blob/master/lib/int.h#L98)) , so it rejects it. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1749 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Oct 17 14:23:22 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 17 Oct 2025 12:23:22 +0000 Subject: [gnutls-devel] GnuTLS | KTLS by default disabled. (#1748) In-Reply-To: References: Message-ID: Daiki Ueno commented: https://gitlab.com/gnutls/gnutls/-/issues/1748#note_2828440011 The primary reason is that TLS rekeying, which we consider critical, is only implemented in Linux 6.15+; otherwise I would say the functionality is well tested and safe to use, if your TLS sessions do not live longer than the rekeying threshold. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1748#note_2828440011 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Oct 17 14:58:35 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 17 Oct 2025 12:58:35 +0000 Subject: [gnutls-devel] GnuTLS | audit: wrap crau interface and expose it partly as public API (!2028) In-Reply-To: References: Message-ID: Alexander Sosedkin commented: https://gitlab.com/gnutls/gnutls/-/merge_requests/2028#note_2828522380 OK with the code changes. A bit sad that we need the new API and share the stack, i.e. we can't have users of gnutls maintain its own context stack that gnutls would then somehow autouse as parents. Not that I see a sane way to do it though. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/2028#note_2828522380 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Oct 17 14:58:35 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 17 Oct 2025 12:58:35 +0000 Subject: [gnutls-devel] GnuTLS | audit: wrap crau interface and expose it partly as public API (!2028) In-Reply-To: References: Message-ID: Merge request !2028 was approved by Alexander Sosedkin Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/2028 Project:Branches: dueno/gnutls:wip/dueno/usdt-followup2 to gnutls/gnutls:master Author: Daiki Ueno Assignees: Reviewers: -- You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Oct 17 15:06:57 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 17 Oct 2025 13:06:57 +0000 Subject: [gnutls-devel] GnuTLS | audit: wrap crau interface and expose it partly as public API (!2028) In-Reply-To: References: Message-ID: Merge request https://gitlab.com/gnutls/gnutls/-/merge_requests/2028 was reviewed by Alexander Sosedkin -- Alexander Sosedkin started a new discussion on devel/symbols.last: https://gitlab.com/gnutls/gnutls/-/merge_requests/2028#note_2828522358 > GNUTLS_3_8_4 at GNUTLS_3_8_4 > GNUTLS_3_8_6 at GNUTLS_3_8_6 > -GNUTLS_3_8_10 at GNUTLS_3_8_10 I don't understand changes to symbols.last and how are they related to this MR. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/2028 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat Oct 18 04:34:30 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Sat, 18 Oct 2025 02:34:30 +0000 Subject: [gnutls-devel] GnuTLS | Does GnuTLS have commands for CRL format conversion? (#1750) References: Message-ID: One happy person created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1750 Hello developers, could you please tell me if GnuTLS has commands for CRL format conversion (converting CRLs from PEM to DER format, or from DER to PEM format)? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1750 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat Oct 18 08:10:05 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Sat, 18 Oct 2025 06:10:05 +0000 Subject: [gnutls-devel] GnuTLS | audit: wrap crau interface and expose it partly as public API (!2028) In-Reply-To: References: Message-ID: Daiki Ueno commented on a discussion on devel/symbols.last: https://gitlab.com/gnutls/gnutls/-/merge_requests/2028#note_2829870730 > GNUTLS_3_8_2 at GNUTLS_3_8_2 > GNUTLS_3_8_4 at GNUTLS_3_8_4 > GNUTLS_3_8_6 at GNUTLS_3_8_6 > -GNUTLS_3_8_10 at GNUTLS_3_8_10 I suppose the previous change to symbol.last was done manually, and this time I used `make files-update`, which caused those changes. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/2028#note_2829870730 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat Oct 18 08:10:15 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Sat, 18 Oct 2025 06:10:15 +0000 Subject: [gnutls-devel] GnuTLS | audit: wrap crau interface and expose it partly as public API (!2028) In-Reply-To: References: Message-ID: Daiki Ueno commented: https://gitlab.com/gnutls/gnutls/-/merge_requests/2028#note_2829870785 Thank you for the review! -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/2028#note_2829870785 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat Oct 18 08:10:22 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Sat, 18 Oct 2025 06:10:22 +0000 Subject: [gnutls-devel] GnuTLS | audit: wrap crau interface and expose it partly as public API (!2028) In-Reply-To: References: Message-ID: Merge request !2028 was merged Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/2028 Project:Branches: dueno/gnutls:wip/dueno/usdt-followup2 to gnutls/gnutls:master Author: Daiki Ueno -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/2028 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat Oct 18 08:10:07 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Sat, 18 Oct 2025 06:10:07 +0000 Subject: [gnutls-devel] GnuTLS | audit: wrap crau interface and expose it partly as public API (!2028) In-Reply-To: References: Message-ID: All discussions on merge request !2028 were resolved by Daiki Ueno https://gitlab.com/gnutls/gnutls/-/merge_requests/2028 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/2028 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun Oct 19 19:35:52 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Sun, 19 Oct 2025 17:35:52 +0000 Subject: [gnutls-devel] GnuTLS | tpmtool --outfile fails due to password handling (#1752) References: Message-ID: Jeremy Jackson created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1752 ## Description of problem: tpmtool -d 9999 --generate-rsa --bits 2048 --outfile /tmp/foo.tpm --srk-well-known Fails is you press enter for an empty key password: Setting log level to 9999 Enter key password: |<3>| ASSERT: ../../lib/tpm.c[gnutls_tpm_privkey_generate]:1434 |<2>| TPM (tpm) error: Authentication failed (1) gnutls_tpm_privkey_generate: Error in provided SRK password for TPM. It also fails if you type a password. ## Version of gnutls used: 3.8.9-3 (Debian) recompiled for TPM support ## Expected results: If patched to skip code that uses a password (when there is none), it works: in lib/tmp.c around line 1402: /* set the password of the actual key */ if (key_password && strlen(key_password) > 0) { gnutls_datum_t pout; char *password = NULL; -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1752 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun Oct 19 19:51:46 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Sun, 19 Oct 2025 17:51:46 +0000 Subject: [gnutls-devel] GnuTLS | tpmtool --register fails if username contains a backslash (#1753) References: Message-ID: Jeremy Jackson created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1753 ## Description of problem: On a Samba AD Domain Controller, usernames take the format DOMAIN\username and this seems to confuse tpmtool. It never tries to load user.data from ~/.trousers but instead tries various system locations in /run/ /var/run /usr/lib /usr/local/lib etc. There is a workaround by setting an environment variable: export TSS_USER_PS_FILE="/path/to/my/custom_user.data" ## Version of gnutls used: 3.8.9 ## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL) Debian ## How reproducible: Consistent. Steps to Reproduce: * login as a user with DOMAIN\ in username * use commands like --list that need to search user.data * only outputs then quits: gnutls_tpm_get_registered: TPM error. ## Actual results: gnutls_tpm_get_registered: TPM error. ## Expected results: Command completion, key listing, etc. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1753 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Oct 20 10:02:10 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Mon, 20 Oct 2025 08:02:10 +0000 Subject: [gnutls-devel] GnuTLS | x509: encode ECDSA private key in fixed length (!2030) References: Message-ID: Daiki Ueno created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/2030 Project:Branches: dueno/gnutls:wip/dueno/ecc-privkey to gnutls/gnutls:master Author: Daiki Ueno * x509: encode ECDSA private key in fixed length RFC 5915 section 3 says that the privateKey field of ECPrivateKey structure should be fixed length, though the library encoded it in variable length, depending on the leading byte. This patch enforces that the field is always encoded in fixed length, as well as consolidates the code paths for EdDSA and X25519/X448 keys. Fixes: #1747 ## Checklist * [x] Commits have `Signed-off-by:` with name/author being identical to the commit author * [ ] Code modified for feature * [ ] Test suite updated with functionality tests * [ ] Test suite updated with negative tests * [ ] Documentation updated / NEWS entry present (for non-trivial changes) ## Reviewer's checklist: * [ ] Any issues marked for closing are addressed * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md` * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/2030 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Oct 20 10:03:37 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Mon, 20 Oct 2025 08:03:37 +0000 Subject: [gnutls-devel] GnuTLS | ECDSA private key generation misencodes keys, should have fixed private d value length (#1747) In-Reply-To: References: Message-ID: Daiki Ueno commented: https://gitlab.com/gnutls/gnutls/-/issues/1747#note_2830952319 Thank you for the report, @hanno! I've filed !2030 as a fix. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1747#note_2830952319 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Oct 20 10:03:47 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Mon, 20 Oct 2025 08:03:47 +0000 Subject: [gnutls-devel] GnuTLS | ECDSA private key generation misencodes keys, should have fixed private d value length (#1747) In-Reply-To: References: Message-ID: Milestone changed to Release of GnuTLS 3.8.11 (Jul 8, 2025?Sep 30, 2025) ( https://gitlab.com/gnutls/gnutls/-/milestones/49 ) -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1747 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Oct 20 10:07:06 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Mon, 20 Oct 2025 08:07:06 +0000 Subject: [gnutls-devel] GnuTLS | Does GnuTLS have commands for CRL format conversion? (#1750) In-Reply-To: References: Message-ID: Daiki Ueno commented: https://gitlab.com/gnutls/gnutls/-/issues/1750#note_2830958472 To convert PEM encoded CRL to DER, use `certtool --crl-info --infile crl.pem --outder`. To convert DER encoded CRL to PEM, use `certtool --crl-info --infile crl.der --inder`. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1750#note_2830958472 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Oct 20 10:07:15 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Mon, 20 Oct 2025 08:07:15 +0000 Subject: [gnutls-devel] GnuTLS | Does GnuTLS have commands for CRL format conversion? (#1750) In-Reply-To: References: Message-ID: Issue was closed by Daiki Ueno Issue #1750: https://gitlab.com/gnutls/gnutls/-/issues/1750 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1750 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Oct 20 10:36:41 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Mon, 20 Oct 2025 08:36:41 +0000 Subject: [gnutls-devel] GnuTLS | Parsing of BIT STRING encoded EdDSA key fails in _gnutls_x509_decode_string (#1749) In-Reply-To: References: Message-ID: Daiki Ueno commented: https://gitlab.com/gnutls/gnutls/-/issues/1749#note_2831050460 Thank you for the report, @ctull. Do you have a test data to reproduce this? If yes, would you mind attaching it here? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1749#note_2831050460 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Oct 21 13:53:53 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 21 Oct 2025 11:53:53 +0000 Subject: [gnutls-devel] GnuTLS | x509: encode ECDSA private key in fixed length (!2030) In-Reply-To: References: Message-ID: Merge request !2030 was approved by Zolt?n Fridrich Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/2030 Project:Branches: dueno/gnutls:wip/dueno/ecc-privkey to gnutls/gnutls:master Author: Daiki Ueno Assignees: Reviewers: -- You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Oct 21 13:53:53 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 21 Oct 2025 11:53:53 +0000 Subject: [gnutls-devel] GnuTLS | x509: encode ECDSA private key in fixed length (!2030) In-Reply-To: References: Message-ID: Zolt?n Fridrich commented: https://gitlab.com/gnutls/gnutls/-/merge_requests/2030#note_2834384467 Looks good! -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/2030#note_2834384467 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Oct 21 14:08:29 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 21 Oct 2025 12:08:29 +0000 Subject: [gnutls-devel] GnuTLS | KTLS by default disabled. (#1748) In-Reply-To: References: Message-ID: Issue was closed by Zolt?n Fridrich Issue #1748: https://gitlab.com/gnutls/gnutls/-/issues/1748 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1748 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Oct 22 13:01:20 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 22 Oct 2025 11:01:20 +0000 Subject: [gnutls-devel] GnuTLS | ECDSA private key generation misencodes keys, should have fixed private d value length (#1747) In-Reply-To: References: Message-ID: Issue was closed by Daiki Ueno with merge request !2030 (https://gitlab.com/gnutls/gnutls/-/merge_requests/2030) Issue #1747: https://gitlab.com/gnutls/gnutls/-/issues/1747 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1747 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Oct 22 13:01:20 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 22 Oct 2025 11:01:20 +0000 Subject: [gnutls-devel] GnuTLS | x509: encode ECDSA private key in fixed length (!2030) In-Reply-To: References: Message-ID: Merge request !2030 was merged Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/2030 Project:Branches: dueno/gnutls:wip/dueno/ecc-privkey to gnutls/gnutls:master Author: Daiki Ueno -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/2030 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Oct 22 13:01:36 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 22 Oct 2025 11:01:36 +0000 Subject: [gnutls-devel] GnuTLS | x509: encode ECDSA private key in fixed length (!2030) In-Reply-To: References: Message-ID: Daiki Ueno commented: https://gitlab.com/gnutls/gnutls/-/merge_requests/2030#note_2837144006 Thank you for the review! -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/2030#note_2837144006 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Oct 23 08:55:00 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Thu, 23 Oct 2025 06:55:00 +0000 Subject: [gnutls-devel] GnuTLS | Compilation warnings and documentation generation failures in GnuTLS build (#1754) References: Message-ID: Karthik Das created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1754 ## Description of problem: GnuTLS compilation produces multiple warnings and documentation generation fails due to: Function prototype warnings: gnutls_audit_pop_context() and gnutls_audit_current_context() functions lack proper void parameter declarations, causing -Wstrict-prototypes warnings Documentation generation failures: Missing Doxygen parameter descriptions for gnutls_audit_* functions cause doc build to fail with "Function parameter 'context' not described" errors Static analyzer warnings: False positive null pointer dereference warnings in ocsp.c ## Version of gnutls used: commit eb3c9febfa9969792b8ac0ca56ee9fbd9b0bd7ee (HEAD -> master, origin/master, origin/HEAD) Merge: 714a830af 38c57f41f Author: Daiki Ueno Date: Wed Oct 22 20:01:17 2025 +0900 Merge branch 'wip/dueno/ecc-privkey' into 'master' x509: encode ECDSA private key in fixed length Closes #1747 See merge request gnutls/gnutls!2030 ## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL) PRETTY_NAME="Ubuntu 22.04.5 LTS" NAME="Ubuntu" ## How reproducible: Clone the GnuTLS repository: git clone https://gitlab.com/gnutls/gnutls.git Run bootstrap script: ./bootstrap Configure the build: ./configure Attempt to compile: make -j$(nproc) Observe compilation warnings for function prototypes and documentation generation failures ## Actual results: Clean compilation without warnings and successful documentation generation ## Expected results: Multiple -Wstrict-prototypes warnings and documentation build failures -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1754 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Oct 24 08:37:29 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 24 Oct 2025 06:37:29 +0000 Subject: [gnutls-devel] GnuTLS | build: fix compiler warnings with -Wstrict-prototypes (!2031) References: Message-ID: Daiki Ueno created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/2031 Project:Branches: dueno/gnutls:wip/dueno/strict-prototypes to gnutls/gnutls:master Author: Daiki Ueno * build: fix compiler warnings with -Wstrict-prototypes Fixes: #1754 ## Checklist * [x] Commits have `Signed-off-by:` with name/author being identical to the commit author * [ ] Code modified for feature * [ ] Test suite updated with functionality tests * [ ] Test suite updated with negative tests * [ ] Documentation updated / NEWS entry present (for non-trivial changes) ## Reviewer's checklist: * [ ] Any issues marked for closing are addressed * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md` * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/2031 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Oct 24 08:39:17 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 24 Oct 2025 06:39:17 +0000 Subject: [gnutls-devel] GnuTLS | Compilation warnings and documentation generation failures in GnuTLS build (#1754) In-Reply-To: References: Message-ID: Daiki Ueno commented: https://gitlab.com/gnutls/gnutls/-/issues/1754#note_2842158483 Good catch, @devkdas! I've filed !2031 to fix the warning, though I'd say the warning for ocsp.c is a false-positive; `resp` should be always set at that point and I can't reproduce it on my environment with GCC 15. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1754#note_2842158483 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Oct 24 18:22:57 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 24 Oct 2025 16:22:57 +0000 Subject: [gnutls-devel] GnuTLS | doc: discourage use of gnutls_malloc/gnutls_free by applications (!2032) References: Message-ID: Daniel P_ Berrang? created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/2032 Project:Branches: berrange/gnutls:dep-malloc-free to gnutls/gnutls:master Author: Daniel P_ Berrang? * doc: discourage use of gnutls_malloc/gnutls_free by applications Version 3.3.0 turned gnutls_global_set_mem_functions() into a no-op, so the C library system allocator functions are guaranteed to always be used. For application code, this has turned gnutls_malloc & gnutls_free into a trivial indirection to the C library malloc / free functions. Unfortunately when an application is built with Control Flow Integrity enabled, use of gnutls_malloc / gnutls_free may result in termination of the program with SIGILL. We just hit this in QEMU, with our code crashing when QEMU is built with CFI when we call gnutls_free(). The problem can be seen standalone with the following example ``` $ cat g.c #include void foo() { gnutls_datum_t v; v.data = gnutls_malloc(10); gnutls_free(v.data); } int main(int argc, char **argv) { foo(); return 0; } $ clang -fsanitize=cfi-icall -flto -Wall -I /usr/include/gnutls -lgnutls -o g g.c $ ./g Illegal instruction (core dumped) ``` I've tested this on Fedora 42, but I would expect same results anywhere with modern enough clang to support CFI. In this initial patch I kept the references to gnutls_free/malloc as conditional recommendations depending on the apps need for back compat with 3.3.0, and didn't touch the example programs. The 3.3.0 release of gnutls was 11 years ago now though. Given that long timeframe, perhaps it is acceptable to entirely remove any reference to gnutls_free/malloc in the public API docs now ? Then likewise purge their usage in the example C programs too, with plain free/malloc used instead. Let me know if I should do that more comprehensive change.... ## Checklist * [ ] Commits have `Signed-off-by:` with name/author being identical to the commit author * [ ] Code modified for feature * [ ] Test suite updated with functionality tests * [ ] Test suite updated with negative tests * [ ] Documentation updated / NEWS entry present (for non-trivial changes) ## Reviewer's checklist: * [ ] Any issues marked for closing are addressed * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md` * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/2032 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Oct 28 01:38:12 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 28 Oct 2025 00:38:12 +0000 Subject: [gnutls-devel] GnuTLS | build: fix compiler warnings with -Wstrict-prototypes (!2031) In-Reply-To: References: Message-ID: Daiki Ueno commented: https://gitlab.com/gnutls/gnutls/-/merge_requests/2031#note_2848597933 This is a trivial change, merging without approval. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/2031#note_2848597933 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Oct 28 01:38:19 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 28 Oct 2025 00:38:19 +0000 Subject: [gnutls-devel] GnuTLS | Compilation warnings and documentation generation failures in GnuTLS build (#1754) In-Reply-To: References: Message-ID: Issue was closed by Daiki Ueno with merge request !2031 (https://gitlab.com/gnutls/gnutls/-/merge_requests/2031) Issue #1754: https://gitlab.com/gnutls/gnutls/-/issues/1754 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1754 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Oct 28 01:38:19 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 28 Oct 2025 00:38:19 +0000 Subject: [gnutls-devel] GnuTLS | build: fix compiler warnings with -Wstrict-prototypes (!2031) In-Reply-To: References: Message-ID: Merge request !2031 was merged Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/2031 Project:Branches: dueno/gnutls:wip/dueno/strict-prototypes to gnutls/gnutls:master Author: Daiki Ueno -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/2031 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Oct 28 05:31:12 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 28 Oct 2025 04:31:12 +0000 Subject: [gnutls-devel] GnuTLS | Unable to use RSA key with OAEP metadata for signature (#1734) In-Reply-To: References: Message-ID: Issue was closed by Daiki Ueno Issue #1734: https://gitlab.com/gnutls/gnutls/-/issues/1734 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1734 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Oct 28 05:31:13 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 28 Oct 2025 04:31:13 +0000 Subject: [gnutls-devel] GnuTLS | Unable to use RSA key with OAEP metadata for signature (#1734) In-Reply-To: References: Message-ID: Daiki Ueno commented: https://gitlab.com/gnutls/gnutls/-/issues/1734#note_2848782878 Yes, Alexander's explanation is right. If you want to use the same RSA key for signing, you can either use the original (unrestricted) RSA key, or restrict it for a signing scheme, i.e., PSS. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1734#note_2848782878 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Oct 28 07:32:51 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 28 Oct 2025 06:32:51 +0000 Subject: [gnutls-devel] GnuTLS | Compilation warnings and documentation generation failures in GnuTLS build (#1754) In-Reply-To: References: Message-ID: Karthik Das commented: https://gitlab.com/gnutls/gnutls/-/issues/1754#note_2848916251 Thanks @dueno. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1754#note_2848916251 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Oct 28 07:33:12 2025 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 28 Oct 2025 06:33:12 +0000 Subject: [gnutls-devel] GnuTLS | build: fix compiler warnings with -Wstrict-prototypes (!2031) In-Reply-To: References: Message-ID: Karthik Das commented: https://gitlab.com/gnutls/gnutls/-/merge_requests/2031#note_2848916563 Thanks @dueno. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/2031#note_2848916563 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: