From gnutls-devel at lists.gnutls.org Mon Feb 2 12:55:00 2026
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Mon, 02 Feb 2026 11:55:00 +0000
Subject: [gnutls-devel] GnuTLS | bootstrap fails when using gettext (autopoint) v. 1.0 (#1792)

Daiki Ueno commented:
https://gitlab.com/gnutls/gnutls/-/issues/1792#note_3051405009

I admit I have been away from the gettext development for a long time, but that reminds me of https://lists.gnu.org/archive/html/bug-gettext/2013-07/msg00002.html and I suspect it might be fixed if autopoint used `func_trace_autoconf` instead of `func_trace_sed` for that.

@bhaible What do you think?

Given gettext 0.19 is already over a decade old, I guess we could simply drop the `m4_ifdef` anyway.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1792#note_3051405009
You're receiving this email because of your account on gitlab.com.

From gnutls-devel at lists.gnutls.org Mon Feb 2 13:57:12 2026
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Mon, 02 Feb 2026 12:57:12 +0000
Subject: [gnutls-devel] GnuTLS | bootstrap fails when using gettext (autopoint) v. 1.0 (#1792)

Bruno Haible commented:
https://gitlab.com/gnutls/gnutls/-/issues/1792#note_3051633223

I would suggest to
- either change that `0.19` to `0.19.6` and eliminate the m4_ifdef test,
- or hide the m4_ifdef test from `autopoint`, similar to what is done in https://sources.debian.org/src/wget2/2.2.0+ds-3/debian/patches/configure-ac.patch

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From gnutls-devel at lists.gnutls.org Tue Feb 3 05:34:03 2026
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Tue, 03 Feb 2026 04:34:03 +0000
Subject: [gnutls-devel] GnuTLS | configure.ac: hide m4_ifdef from autopoint (!2061)

Daiki Ueno created a merge request:
https://gitlab.com/gnutls/gnutls/-/merge_requests/2061

Project:Branches: dueno/gnutls:wip/dueno/gettext-1.0 to gnutls/gnutls:master
Author: Daiki Ueno

* configure.ac: hide m4_ifdef from autopoint

  The recent version of autopoint warns about multiple invocation of AM_GNU_GETTEXT_REQUIRE_VERSION, without evaluating m4_ifdef. This obfuscates the first occurrence with a quote to work around that.

  Suggested by Bruno Haible.

Fixes: #1792

## Checklist

* [x] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [ ] Code modified for feature
* [ ] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)

## Reviewer's checklist:

* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

From gnutls-devel at lists.gnutls.org Tue Feb 3 17:10:07 2026
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Tue, 03 Feb 2026 16:10:07 +0000
Subject: [gnutls-devel] GnuTLS | GOST crypto according to RFC9558 support (#1793)

Igor created an issue:
https://gitlab.com/gnutls/gnutls/-/issues/1793

Hello, dear colleagues!

Are there any plans to support GOST2012 with elliptic curve id-tc26-gost-3410-2012-256-paramSet as described in RFC9558?

There is the comment in lib/x509/key_encode.c:

```c
/* For compatibility per R 1323565.1.023-2018 provide digest OID only
 * for GOST-2001 keys or GOST-2012 keys with CryptoPro curves. Do not
 * set this optional parameter for TC26 curves */
```

But the document has been greatly updated and for now elliptic curves from TC26 are used, for example, in openssl. Or maybe this is a question of nettle software patching?

Thank you in advance for your answer!

From gnutls-devel at lists.gnutls.org Tue Feb 3 18:29:17 2026
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Tue, 03 Feb 2026 17:29:17 +0000
Subject: [gnutls-devel] GnuTLS | GOST crypto according to RFC9558 support (#1793)

Simon Josefsson commented:
https://gitlab.com/gnutls/gnutls/-/issues/1793#note_3055511267

If we don't have support for it, I don't think it is useful to add now. X25519 is a good ECC curve, and working on adding old pre-PQ crypto now seems odd.

From gnutls-devel at lists.gnutls.org Wed Feb 4 09:07:55 2026
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Wed, 04 Feb 2026 08:07:55 +0000
Subject: [gnutls-devel] GnuTLS | GOST crypto according to RFC9558 support (#1793)

Igor commented on a discussion:
https://gitlab.com/gnutls/gnutls/-/issues/1793#note_3057004523

Thank you for reply, Simon!

Ok, I got you. But I would like to ask you, is there any framework that helps to integrate new cryptos in your GNUTLS project? For example I know such project as ECCKiila for generating C-sources for openssl lib. And in case of GOST there is separate module known gost-engine.

From gnutls-devel at lists.gnutls.org Thu Feb 5 05:08:42 2026
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Thu, 05 Feb 2026 04:08:42 +0000
Subject: [gnutls-devel] GnuTLS | tests/suite/testdane.sh: try to make it more stable (!2054)

Daiki Ueno commented:
https://gitlab.com/gnutls/gnutls/-/merge_requests/2054#note_3059635620

LGTM!

From gnutls-devel at lists.gnutls.org Thu Feb 5 05:08:45 2026
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Thu, 05 Feb 2026 04:08:45 +0000
Subject: [gnutls-devel] GnuTLS | tests/suite/testdane.sh: try to make it more stable (!2054)

Merge request !2054 was approved by Daiki Ueno

Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/2054
Project:Branches: asosedkin/gnutls:testdane-stability to gnutls/gnutls:master
Author: Alexander Sosedkin
Assignees:
Reviewers:

From gnutls-devel at lists.gnutls.org Thu Feb 5 05:09:11 2026
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Thu, 05 Feb 2026 04:09:11 +0000
Subject: [gnutls-devel] GnuTLS | bootstrap fails when using gettext (autopoint) v. 1.0 (#1792)

Milestone changed to Release of GnuTLS 3.8.12 (Nov 18, 2025–Jan 18, 2026) ( https://gitlab.com/gnutls/gnutls/-/milestones/50 )

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1792

From gnutls-devel at lists.gnutls.org Thu Feb 5 08:25:25 2026
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Thu, 05 Feb 2026 07:25:25 +0000
Subject: [gnutls-devel] GnuTLS | RFC 5280 compliance: GnuTLS accepts the CRL containing an OU field with the tag value of 0xFD. (#1794)

One happy person created an issue:
https://gitlab.com/gnutls/gnutls/-/issues/1794

## Description of problem:

Hello developers, I have successfully parsed a CRL containing an OU field tagged 0xFD using GnuTLS.

## Version of gnutls used:

GnuTLS 3.8.9

## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)

Ubuntu

## How reproducible:

certtool --crl-info --inder --infile issuer_253_tag_ou.der

## Actual results:

[issuer_253_tag_ou.der](/uploads/ae8a3d8e573973f89e8a4832508eb886/issuer_253_tag_ou.der)

## Expected results:

From gnutls-devel at lists.gnutls.org Thu Feb 5 12:49:26 2026
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Thu, 05 Feb 2026 11:49:26 +0000
Subject: [gnutls-devel] GnuTLS | tests/suite/testdane.sh: try to make it more stable (!2054)

Merge request !2054 was merged

Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/2054
Project:Branches: asosedkin/gnutls:testdane-stability to gnutls/gnutls:master
Author: Alexander Sosedkin

From gnutls-devel at lists.gnutls.org Thu Feb 5 14:52:25 2026
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Thu, 05 Feb 2026 13:52:25 +0000
Subject: [gnutls-devel] GnuTLS | RFC 5280 compliance: GnuTLS accepted the CRL file with an incorrect inner algorithm identifier. (#1795)

One happy person created an issue:
https://gitlab.com/gnutls/gnutls/-/issues/1795

## Description of problem:

Hello developers, I successfully parsed a CRL file with an inner algorithm identifier of 1.2.840.98445.1.1.11 using GnuTLS, although GnuTLS did not display the specific information of the inner algorithm identifier in the parsing results. When Go parsed this CRL file, it displayed the error: "inner and outer signature algorithm identifiers don't match".

## Version of gnutls used:

GnuTLS 3.8.9

## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)

Ubuntu

## How reproducible:

certtool --crl-info --inder --infile crl_wrong_inner_signature_oid.der

## Actual results:

[crl_wrong_inner_signature_oid.der](/uploads/28ee3b442af58491839a61c5dd69f71a/crl_wrong_inner_signature_oid.der)

## Expected results:

From gnutls-devel at lists.gnutls.org Thu Feb 5 18:39:22 2026
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Thu, 05 Feb 2026 17:39:22 +0000
Subject: [gnutls-devel] GnuTLS | configure.ac: hide m4_ifdef from autopoint (!2061)

Milestone changed to Release of GnuTLS 3.8.12 (Nov 18, 2025–Feb 18, 2026) ( https://gitlab.com/gnutls/gnutls/-/milestones/50 )

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/2061

From gnutls-devel at lists.gnutls.org Thu Feb 5 18:40:39 2026
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Thu, 05 Feb 2026 17:40:39 +0000
Subject: [gnutls-devel] GnuTLS | can't send mlkem768x25519 and x25519 key shares together; would rather see both sent with x25519 value reused (#1763)

Milestone removed

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1763

From gnutls-devel at lists.gnutls.org Thu Feb 5 18:42:43 2026
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Thu, 05 Feb 2026 17:42:43 +0000
Subject: [gnutls-devel] GnuTLS | can't send mlkem768x25519 and x25519 key shares together; would rather see both sent with x25519 value reused (#1763)

Milestone changed to Release of GnuTLS 3.8.13 ( https://gitlab.com/gnutls/gnutls/-/milestones/51 )

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1763

From gnutls-devel at lists.gnutls.org Thu Feb 5 19:43:31 2026
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Thu, 05 Feb 2026 18:43:31 +0000
Subject: [gnutls-devel] GnuTLS | Draft: Release 3.8.12 (!2062)

Daiki Ueno was added as a reviewer.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/2062

From gnutls-devel at lists.gnutls.org Thu Feb 5 19:43:34 2026
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Thu, 05 Feb 2026 18:43:34 +0000
Subject: [gnutls-devel] GnuTLS | Draft: Release 3.8.12 (!2062)

Alexander Sosedkin created a merge request:
https://gitlab.com/gnutls/gnutls/-/merge_requests/2062

Project:Branches: asosedkin/gnutls:wip/asosedkin/release-3.8.12 to gnutls/gnutls:master
Author: Alexander Sosedkin
Reviewer: Daiki Ueno

* Release 3.8.12
* NEWS: mention 3.8.12 changes

## Checklist

* [x] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [ ] Code modified for feature
* [ ] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)

## Reviewer's checklist:

* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

From gnutls-devel at lists.gnutls.org Fri Feb 6 10:56:51 2026
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Fri, 06 Feb 2026 09:56:51 +0000
Subject: [gnutls-devel] GnuTLS | Draft: Release 3.8.12 (!2062)

Merge request !2062 was approved by Daiki Ueno

Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/2062
Project:Branches: asosedkin/gnutls:wip/asosedkin/release-3.8.12 to gnutls/gnutls:master
Author: Alexander Sosedkin
Assignees:
Reviewer: Daiki Ueno

From gnutls-devel at lists.gnutls.org Fri Feb 6 10:57:20 2026
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Fri, 06 Feb 2026 09:57:20 +0000
Subject: [gnutls-devel] GnuTLS | Draft: Release 3.8.12 (!2062)

Daiki Ueno commented:
https://gitlab.com/gnutls/gnutls/-/merge_requests/2062#note_3063785603

Speculatively approving, so you can create a release without me :-)

From gnutls-devel at lists.gnutls.org Fri Feb 6 11:25:00 2026
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Fri, 06 Feb 2026 10:25:00 +0000
Subject: [gnutls-devel] GnuTLS | p11tool stopped showing token (#1774)

Milestone changed to Release of GnuTLS 3.8.12 (Nov 18, 2025–Feb 18, 2026) ( https://gitlab.com/gnutls/gnutls/-/milestones/50 )

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1774

From gnutls-devel at lists.gnutls.org Fri Feb 6 11:25:47 2026
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Fri, 06 Feb 2026 10:25:47 +0000
Subject: [gnutls-devel] GnuTLS | `gnutls_hash_output(..., NULL)` leads to SIGSEGV (#1769)

Milestone changed to Release of GnuTLS 3.8.12 (Nov 18, 2025–Feb 18, 2026) ( https://gitlab.com/gnutls/gnutls/-/milestones/50 )

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1769

From gnutls-devel at lists.gnutls.org Fri Feb 6 14:54:49 2026
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Fri, 06 Feb 2026 13:54:49 +0000
Subject: [gnutls-devel] GnuTLS | RFC 5280 compliance: GnuTLS accepts the Issuer field with invalid UTF-8 values. (#1796)

One happy person created an issue:
https://gitlab.com/gnutls/gnutls/-/issues/1796

## Description of problem:

Hello developers, I have successfully parsed a CRL file with an invalid UTF-8 value in the Issuer field using GnuTLS. The 5th byte of the L (LocalityName) attribute in the Issuer field is 0xFF, and 0xFF is an illegal byte in UTF-8 encoding.

## Version of gnutls used:

GnuTLS 3.8.9

## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)

Ubuntu

## How reproducible:

certtool --crl-info --inder --infile crl_fuzz_L_field_0xFF.der

## Actual results:

[crl_fuzz_L_field_0xFF.der](/uploads/8e4c4549d5954ef535a5c96023e3a638/crl_fuzz_L_field_0xFF.der)

## Expected results:

From gnutls-devel at lists.gnutls.org Fri Feb 6 16:09:09 2026
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Fri, 06 Feb 2026 15:09:09 +0000
Subject: [gnutls-devel] GnuTLS | tests/Makefile: specify overlooked pkcs11-long-label dependencies (!2063)

Alexander Sosedkin created a merge request:
https://gitlab.com/gnutls/gnutls/-/merge_requests/2063

Project:Branches: asosedkin/gnutls:pkcs11-long-label-dependencies to gnutls/gnutls:master
Author: Alexander Sosedkin

tests/Makefile: specify overlooked pkcs11-long-label dependencies

I don't remember anyone complaining about them missing; still better have them, I guess.

## Checklist

* [x] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [ ] Code modified for feature
* [ ] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)

## Reviewer's checklist:

* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

From gnutls-devel at lists.gnutls.org Fri Feb 6 18:47:37 2026
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Fri, 06 Feb 2026 17:47:37 +0000
Subject: [gnutls-devel] GnuTLS | cligen: update submodule (!2064)

Alexander Sosedkin created a merge request:
https://gitlab.com/gnutls/gnutls/-/merge_requests/2064

Project:Branches: asosedkin/gnutls:update-cligen to gnutls/gnutls:master
Author: Alexander Sosedkin

cligen: update submodule

Picks https://gitlab.com/gnutls/cligen/-/merge_requests/6 and https://gitlab.com/gnutls/cligen/-/merge_requests/7

## Checklist

* [x] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [ ] Code modified for feature
* [ ] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)

## Reviewer's checklist:

* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

From gnutls-devel at lists.gnutls.org Fri Feb 6 18:52:50 2026
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Fri, 06 Feb 2026 17:52:50 +0000
Subject: [gnutls-devel] GnuTLS | Use matching allocator/deallocator (!2058)

All discussions on merge request !2058 were resolved by Alexander Sosedkin
https://gitlab.com/gnutls/gnutls/-/merge_requests/2058

From gnutls-devel at lists.gnutls.org Fri Feb 6 18:55:25 2026
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Fri, 06 Feb 2026 17:55:25 +0000
Subject: [gnutls-devel] GnuTLS | Use matching allocator/deallocator (!2058)

Alexander Sosedkin commented:
https://gitlab.com/gnutls/gnutls/-/merge_requests/2058#note_3065088358

at least the ones mentioned in https://gitlab.com/gnutls/gnutls/-/merge_requests/2058#note_3031254571 are not addressed, but the ones that fixed look good, so, merging

From gnutls-devel at lists.gnutls.org Fri Feb 6 18:55:26 2026
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Fri, 06 Feb 2026 17:55:26 +0000
Subject: [gnutls-devel] GnuTLS | Use matching allocator/deallocator (!2058)

Merge request !2058 was approved by Alexander Sosedkin

Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/2058
Project:Branches: dueno/gnutls:wip/dueno/gcc-analyzer-fixes to gnutls/gnutls:master
Author: Daiki Ueno
Assignees:
Reviewer: Alexander Sosedkin

From gnutls-devel at lists.gnutls.org Fri Feb 6 18:55:26 2026
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Fri, 06 Feb 2026 17:55:26 +0000
Subject: [gnutls-devel] GnuTLS | Use matching allocator/deallocator (!2058)

All discussions on merge request !2058 were resolved by Alexander Sosedkin
https://gitlab.com/gnutls/gnutls/-/merge_requests/2058

From gnutls-devel at lists.gnutls.org Fri Feb 6 18:55:45 2026
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Fri, 06 Feb 2026 17:55:45 +0000
Subject: [gnutls-devel] GnuTLS | Use matching allocator/deallocator (!2058)

Milestone changed to Release of GnuTLS 3.8.12 (Nov 18, 2025–Feb 18, 2026) ( https://gitlab.com/gnutls/gnutls/-/milestones/50 )

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/2058

From gnutls-devel at lists.gnutls.org Fri Feb 6 18:55:51 2026
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Fri, 06 Feb 2026 17:55:51 +0000
Subject: [gnutls-devel] GnuTLS | Use matching allocator/deallocator (!2058)

Merge request !2058 was merged

Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/2058
Project:Branches: dueno/gnutls:wip/dueno/gcc-analyzer-fixes to gnutls/gnutls:master
Author: Daiki Ueno
Reviewer: Alexander Sosedkin

From gnutls-devel at lists.gnutls.org Fri Feb 6 19:00:03 2026
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Fri, 06 Feb 2026 18:00:03 +0000
Subject: [gnutls-devel] GnuTLS | configure.ac: hide m4_ifdef from autopoint (!2061)

Merge request !2061 was approved by Alexander Sosedkin

Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/2061
Project:Branches: dueno/gnutls:wip/dueno/gettext-1.0 to gnutls/gnutls:master
Author: Daiki Ueno
Assignees:
Reviewers:

From gnutls-devel at lists.gnutls.org Fri Feb 6 19:00:11 2026
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Fri, 06 Feb 2026 18:00:11 +0000
Subject: [gnutls-devel] GnuTLS | configure.ac: hide m4_ifdef from autopoint (!2061)

Merge request !2061 was merged

Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/2061
Project:Branches: dueno/gnutls:wip/dueno/gettext-1.0 to gnutls/gnutls:master
Author: Daiki Ueno

From gnutls-devel at lists.gnutls.org Fri Feb 6 19:00:12 2026
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Fri, 06 Feb 2026 18:00:12 +0000
Subject: [gnutls-devel] GnuTLS | bootstrap fails when using gettext (autopoint) v. 1.0 (#1792)

Issue was closed by Alexander Sosedkin with merge request !2061 (https://gitlab.com/gnutls/gnutls/-/merge_requests/2061)

Issue #1792: https://gitlab.com/gnutls/gnutls/-/issues/1792

From gnutls-devel at lists.gnutls.org Sat Feb 7 02:28:13 2026
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sat, 07 Feb 2026 01:28:13 +0000
Subject: [gnutls-devel] GnuTLS | tests/Makefile: specify overlooked pkcs11-long-label dependencies (!2063)

Merge request !2063 was approved by Daiki Ueno

Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/2063
Project:Branches: asosedkin/gnutls:pkcs11-long-label-dependencies to gnutls/gnutls:master
Author: Alexander Sosedkin
Assignees:
Reviewers:

From gnutls-devel at lists.gnutls.org Sat Feb 7 02:28:21 2026
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sat, 07 Feb 2026 01:28:21 +0000
Subject: [gnutls-devel] GnuTLS | tests/Makefile: specify overlooked pkcs11-long-label dependencies (!2063)

Daiki Ueno commented:
https://gitlab.com/gnutls/gnutls/-/merge_requests/2063#note_3065659370

Good catch!

From gnutls-devel at lists.gnutls.org Sat Feb 7 02:28:56 2026
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sat, 07 Feb 2026 01:28:56 +0000
Subject: [gnutls-devel] GnuTLS | cligen: update submodule (!2064)
In-Reply-To:
References:
Message-ID:

Merge request !2064 was approved by Daiki Ueno

Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/2064
Project:Branches: asosedkin/gnutls:update-cligen to gnutls/gnutls:master
Author: Alexander Sosedkin
Assignees:
Reviewers:

From gnutls-devel at lists.gnutls.org Mon Feb 9 07:16:00 2026
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Mon, 09 Feb 2026 06:16:00 +0000
Subject: [gnutls-devel] GnuTLS | tests/Makefile: specify overlooked pkcs11-long-label dependencies (!2063)
In-Reply-To:
References:
Message-ID:

Merge request !2063 was merged

Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/2063
Project:Branches: asosedkin/gnutls:pkcs11-long-label-dependencies to gnutls/gnutls:master
Author: Alexander Sosedkin

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/2063
From gnutls-devel at lists.gnutls.org Mon Feb 9 07:16:28 2026
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Mon, 09 Feb 2026 06:16:28 +0000
Subject: [gnutls-devel] GnuTLS | cligen: update submodule (!2064)
In-Reply-To:
References:
Message-ID:

Merge request !2064 was merged

Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/2064
Project:Branches: asosedkin/gnutls:update-cligen to gnutls/gnutls:master
Author: Alexander Sosedkin

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/2064

From gnutls-devel at lists.gnutls.org Mon Feb 9 15:16:44 2026
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Mon, 09 Feb 2026 14:16:44 +0000
Subject: [gnutls-devel] GnuTLS | Release 3.8.12 (!2062)
In-Reply-To:
References:
Message-ID:

Alexander Sosedkin marked merge request !2062 as ready

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/2062

From gnutls-devel at lists.gnutls.org Mon Feb 9 15:29:15 2026
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Mon, 09 Feb 2026 14:29:15 +0000
Subject: [gnutls-devel] GnuTLS | Windows builds unavailable for v3.8.11 (#1768)
In-Reply-To:
References:
Message-ID:

Alexander Sosedkin commented: https://gitlab.com/gnutls/gnutls/-/issues/1768#note_3069489507

I've tried the suggestion above, and it turned out to be significantly harder than that, so, I'm afraid, this will have to be deferred for another release. Sorry.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1768#note_3069489507

From gnutls-devel at lists.gnutls.org Mon Feb 9 15:29:28 2026
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Mon, 09 Feb 2026 14:29:28 +0000
Subject: [gnutls-devel] GnuTLS | Windows builds unavailable for v3.8.11 (#1768)
In-Reply-To:
References:
Message-ID:

Milestone changed to Release of GnuTLS 3.8.13 ( https://gitlab.com/gnutls/gnutls/-/milestones/51 )

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1768

From gnutls-devel at lists.gnutls.org Mon Feb 9 16:36:53 2026
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Mon, 09 Feb 2026 15:36:53 +0000
Subject: [gnutls-devel] GnuTLS | Release 3.8.12 (!2062)
In-Reply-To:
References:
Message-ID:

Merge request !2062 was merged

Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/2062
Project:Branches: asosedkin/gnutls:wip/asosedkin/release-3.8.12 to gnutls/gnutls:master
Author: Alexander Sosedkin
Reviewer: Daiki Ueno

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/2062
From gnutls-devel at lists.gnutls.org Mon Feb 9 16:36:54 2026
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Mon, 09 Feb 2026 15:36:54 +0000
Subject: [gnutls-devel] GnuTLS | Security issue: NULL pointer dereference in PSK binder verification (gnutls 3.8.11) (#1790)
In-Reply-To:
References:
Message-ID:

Issue was closed by Alexander Sosedkin with commit acf67a4a68bc6d9ab7b882469c67f6cf28db56a0

Issue #1790: https://gitlab.com/gnutls/gnutls/-/issues/1790

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1790

From gnutls-devel at lists.gnutls.org Mon Feb 9 16:36:54 2026
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Mon, 09 Feb 2026 15:36:54 +0000
Subject: [gnutls-devel] GnuTLS | Verifying Certificates with large amount of name constraints and subject alternative names makes GnuTLS vulnerable to DoS attacks (#1773)
In-Reply-To:
References:
Message-ID:

Issue was closed by Alexander Sosedkin with commit d6054f0016db05fb5c82177ddbd0a4e8331059a1

Issue #1773: https://gitlab.com/gnutls/gnutls/-/issues/1773

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1773
From gnutls-devel at lists.gnutls.org Mon Feb 9 17:21:35 2026
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Mon, 09 Feb 2026 16:21:35 +0000
Subject: [gnutls-devel] GnuTLS | Buffer overflow in _gnutls_bin2hex() (#1786)
In-Reply-To:
References:
Message-ID:

Alexander Sosedkin commented: https://gitlab.com/gnutls/gnutls/-/issues/1786#note_3069867265

!2062 contains a fix.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1786#note_3069867265

From gnutls-devel at lists.gnutls.org Mon Feb 9 17:22:21 2026
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Mon, 09 Feb 2026 16:22:21 +0000
Subject: [gnutls-devel] GnuTLS | Buffer overflow in _gnutls_bin2hex() (#1786)
In-Reply-To:
References:
Message-ID:

Issue was closed by Alexander Sosedkin

Issue #1786: https://gitlab.com/gnutls/gnutls/-/issues/1786

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1786

From gnutls-devel at lists.gnutls.org Mon Feb 9 17:22:33 2026
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Mon, 09 Feb 2026 16:22:33 +0000
Subject: [gnutls-devel] GnuTLS | Possible vulnerability via str_escape() in lib/x509/common.c (#1783)
In-Reply-To:
References:
Message-ID:

Issue was closed by Alexander Sosedkin

Issue #1783: https://gitlab.com/gnutls/gnutls/-/issues/1783

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1783
From gnutls-devel at lists.gnutls.org Mon Feb 9 18:57:06 2026
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Mon, 09 Feb 2026 17:57:06 +0000
Subject: [gnutls-devel] GnuTLS | devel/release-steps.md: extend (!2065)
References:
Message-ID:

Alexander Sosedkin created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/2065

Project:Branches: asosedkin/gnutls:update-release-steps to gnutls/gnutls:master
Author: Alexander Sosedkin

devel/release-steps.md: propose a few details in the wake of 3.8.12 release

## Checklist

* [x] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [ ] Code modified for feature
* [ ] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)

## Reviewer's checklist:

* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/2065
From gnutls-devel at lists.gnutls.org Tue Feb 10 13:16:05 2026
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Tue, 10 Feb 2026 12:16:05 +0000
Subject: [gnutls-devel] GnuTLS | devel/release-steps.md: extend (!2065)
In-Reply-To:
References:
Message-ID:

Zoltán Fridrich commented: https://gitlab.com/gnutls/gnutls/-/merge_requests/2065#note_3072186373

LGTM

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/2065#note_3072186373

From gnutls-devel at lists.gnutls.org Tue Feb 10 13:19:50 2026
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Tue, 10 Feb 2026 12:19:50 +0000
Subject: [gnutls-devel] GnuTLS | devel/release-steps.md: extend (!2065)
In-Reply-To:
References:
Message-ID:

Merge request !2065 was approved by Zoltán Fridrich

Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/2065
Project:Branches: asosedkin/gnutls:update-release-steps to gnutls/gnutls:master
Author: Alexander Sosedkin
Assignees:
Reviewers:

From gnutls-devel at lists.gnutls.org Wed Feb 11 03:04:52 2026
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Wed, 11 Feb 2026 02:04:52 +0000
Subject: [gnutls-devel] GnuTLS | devel/release-steps.md: extend (!2065)
In-Reply-To:
References:
Message-ID:

Daiki Ueno started a new discussion on devel/release-steps.md: https://gitlab.com/gnutls/gnutls/-/merge_requests/2065#note_3074153290

> Create a detached GPG signature.
> Upload zip and signature files to ftp.gnupg.org.
> Do the same analogically for `mingw64/archive`.
> +1. Reveal and close the security issues addressed in the release.
> +1. Close the security fixes merge requests addressed in the release.
> 1. Create and send announcement email based on previously sent email

Might make sense to link to the actual mailing lists we send the announcement email?

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/2065#note_3074153290

From gnutls-devel at lists.gnutls.org Wed Feb 11 12:45:43 2026
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Wed, 11 Feb 2026 11:45:43 +0000
Subject: [gnutls-devel] GnuTLS | stamp_error_codes missing from doc/Makefile.am EXTRA_DIST (#1797)
References:
Message-ID:

Adam Sampson created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1797

Building gnutls 3.8.12 from the source tarball causes the `stamp_error_codes` rule in `doc/Makefile.am` to run. This isn't the intent, since the files it generates are shipped in the tarball (and it breaks crossbuilding because `errcodes` etc. aren't built for the build machine's architecture).

Looking at the contents of the tarball, the `stamp_enums` and `stamp_functions` files are included, but `stamp_error_codes` isn't.

This appears to be because 251ba80dde601b9e4f9bc7a860c72044034f95a6 added `stamp_error_codes` to `DISTCLEANFILES` but didn't add it to `EXTRA_DIST`. I guess it should be in `MAINTAINERCLEANFILES` too.

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1797
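Review bot: In the devel/release-steps.md hunk quoted in the !2065 discussion above, the added step "Reveal and close the security issues addressed in the release" does not say what to record on an issue that is closed by hand. Consider extending it to ask for a comment naming the release merge request or the fixing commit, so a revealed issue always points at its fix, as the "!2062 contains a fix." comment does for #1786. The second added step, "Close the security fixes merge requests addressed in the release", could likewise say where those merge requests are tracked, since the hunk gives no way to enumerate them.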
From gnutls-devel at lists.gnutls.org Thu Feb 12 17:20:30 2026
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Thu, 12 Feb 2026 16:20:30 +0000
Subject: [gnutls-devel] GnuTLS | Draft: Single shot signing (!2066)
References:
Message-ID:

Daiki Ueno created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/2066

Project:Branches: dueno/gnutls:wip/dueno/single-shot-signing to gnutls/gnutls:master
Author: Daiki Ueno

This makes the single-shot signing behavior (on the contrary to prehashed) the primary signing interface of crypto-backend.

* pk: rely on single-shot signing behavior of crypto backend

  Now that hashing is done in crypto backend by default, stop doing that at the abstract key API level and just pass the original data to crypto backend. This also removes privkey_sign_and_hash_data as it would be identical to privkey_sign_raw_data.

* pk, nettle: use and honor GNUTLS_PK_FLAG_PREHASHED

  This sets GNUTLS_PK_FLAG_PREHASHED to signing parameters where appropriate, and make the nettle crypto backend respect the flag.

* crypto-backend: add GNUTLS_PK_FLAG_PREHASHED flag

  The flag indicates that the input to .sign and .verify backend functions are provided with hashed data, instead of the entire data.

* algorithms: move no_prehashed flag from pubkey to sign

  That way we can add prehashed signing algorithms without adding the corresponding pubkey algorithms.

* pk: move DigestInfo encoding into crypto backend

  Previously, the conversion of hash into PKCS#1 DigestInfo was done in the abstract key API. To give the crypto backend, such as nettle and PKCS#11, move the logic there.

* pk: inline pk_hash_data

  This function is only used by privkey_sign_and_hash_data, where it provides a wrapper around _gnutls_hash_fast. Better inline it at the caller and avoid pre-allocation of the buffer.

* nettle: fix comment indentation

  These were a left-over when we previously reformatted the code using GNU indent; clang-format doesn't take into account of comments.

## Checklist

* [x] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [ ] Code modified for feature
* [ ] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)

## Reviewer's checklist:

* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/2066

From gnutls-devel at lists.gnutls.org Sat Feb 14 02:57:23 2026
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sat, 14 Feb 2026 01:57:23 +0000
Subject: [gnutls-devel] GnuTLS | Draft: Single shot signing (!2066)
In-Reply-To:
References:
Message-ID:

Daiki Ueno commented: https://gitlab.com/gnutls/gnutls/-/merge_requests/2066#note_3083717011

I'm a bit busy this month, so deferring this to the next month. Here are some notes (for myself) to continue working on this:

- The signing logic has actually 3 backends: X.509 (i.e., Nettle or the new pkcs11-provider), external callbacks, and the legacy PKCS#11 private key support. Currently all of them do "raw" signing with a given public key algorithm. To support single-shot signing, the latter two still need pre-hashing for backward compatibility
- The low level signing functions (e.g., _gnutls_pk_sign) should take a signing algorithm instead of a public key algorithm to support single-shot operation naturally. Then we can remove `*_dig` fields in `gnutls_x509_spki_st`

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/2066#note_3083717011

From gnutls-devel at lists.gnutls.org Sat Feb 14 18:08:39 2026
From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities)
Date: Sat, 14 Feb 2026 17:08:39 +0000
Subject: [gnutls-devel] GnuTLS | PKCS#11 Auto-Initialization Not Working (#1798)
References:
Message-ID:

Claudio Ferreira created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1798

## Context

This issue was discovered while investigating OpenConnect VPN client authentication failures with PKCS#11 tokens.

**OpenConnect issue #835**: "GnuTLS backend does not initialize PKCS#11 modules"

- URL: https://gitlab.com/openconnect/openconnect/-/issues/835
- OpenConnect maintainer (Dimitri Papadopoulos) suggested this is a GnuTLS bug
- OpenConnect calls multiple `gnutls_pkcs11_*()` functions but auto-init doesn't trigger
- Workaround being implemented in OpenConnect pending GnuTLS fix

## Summary

GnuTLS 3.8.12 does not automatically initialize PKCS#11 modules when applications call `gnutls_pkcs11_*()` functions, despite documentation stating that `gnutls_pkcs11_init()` is called automatically since version 3.3.0.
## Environment

- **GnuTLS**: 3.8.12-2
- **p11-kit**: 0.25.10
- **OS**: Debian GNU/Linux Sid
- **Application**: OpenConnect 9.12
- **Token**: G&D StarSign CUT S (SafeSign IC driver)
- **Certificate**: ICP-Brasil A3

## Expected Behavior

According to GnuTLS documentation:

> Since GnuTLS 3.3.0 this function is no longer necessary to be explicitly called. It is being called during the first request PKCS 11 operation.

When an application calls `gnutls_pkcs11_*()` functions (e.g., when processing a PKCS#11 URI), GnuTLS should automatically initialize PKCS#11 modules.

## Actual Behavior

PKCS#11 modules are **not** initialized automatically. Applications must explicitly call `gnutls_pkcs11_init()` or PKCS#11 operations fail silently.

## Reproduction

### Test Case 1: OpenConnect (Real-World Application)

OpenConnect calls multiple `gnutls_pkcs11_*()` functions when processing PKCS#11 URIs, but PKCS#11 modules are never initialized.

**Command:**

```bash
export GNUTLS_DEBUG_LEVEL=3
openconnect --protocol=gp -c "pkcs11:token=MyToken" vpn.example.com
```

**Result WITHOUT explicit `gnutls_pkcs11_init()`:**

```
gnutls[2]: Enabled GnuTLS 3.8.12 logging...
gnutls[2]: getrandom random generator was selected
... (zero PKCS#11-related messages) ...
Valid client certificate is required
Failed to complete authentication
```

No PKCS#11 initialization occurs, even though OpenConnect calls `gnutls_pkcs11_*()` functions.

**Result WITH explicit `gnutls_pkcs11_init()`:**

```
gnutls[2]: Enabled GnuTLS 3.8.12 logging...
gnutls[2]: Initializing all PKCS #11 modules
gnutls[2]: p11: Initializing module: p11-kit-trust
gnutls[2]: p11: Initializing module: safesign
gnutls[2]: p11: Module safesign is initialized in a thread-safe mode
PIN required for MyToken
Enter PIN:
```

PKCS#11 modules are loaded and authentication succeeds.
### Test Case 2: Minimal Reproduction (Suggested)

```c
#include <stdio.h>
#include <gnutls/gnutls.h>
#include <gnutls/pkcs11.h>

int main(void)
{
    char label[128];
    size_t label_size = sizeof(label);
    int ret;

    // Initialize GnuTLS (but NOT PKCS#11)
    gnutls_global_init();

    // Try to use PKCS#11 - should trigger auto-init according to docs
    // (output buffer and size must be non-NULL for the call to be valid)
    ret = gnutls_pkcs11_token_get_info(
        "pkcs11:token=MyToken",
        GNUTLS_PKCS11_TOKEN_LABEL,
        label,
        &label_size
    );

    // Check if PKCS#11 was initialized
    // Expected: modules loaded automatically
    // Actual: no initialization occurs
    printf("gnutls_pkcs11_token_get_info: %s\n", gnutls_strerror(ret));

    gnutls_global_deinit();
    return 0;
}
```

**Expected**: First `gnutls_pkcs11_*()` call triggers automatic initialization.

**Actual**: No initialization occurs, PKCS#11 operations fail.

## Analysis

### Code Flow in OpenConnect

1. `openconnect_init_ssl()` calls `gnutls_global_init()` only
2. Later, certificate loading code calls various `gnutls_pkcs11_*()` functions
3. These functions should trigger auto-initialization per documentation
4. But they don't - no PKCS#11 modules are loaded

### Which Functions Are Called

OpenConnect calls (at minimum):

- `gnutls_pkcs11_obj_*()` functions for certificate operations
- `gnutls_pkcs11_privkey_*()` functions for private key operations
- Other PKCS#11-related GnuTLS APIs

These should qualify as "PKCS 11 operations" that trigger auto-init.

## Impact

This affects any application that:

1. Calls `gnutls_global_init()` but not `gnutls_pkcs11_init()`
2. Relies on documented automatic PKCS#11 initialization
3. Uses PKCS#11 tokens for authentication

Real-world affected applications:

- OpenConnect VPN client
- Potentially other VPN clients using GnuTLS
- Any application following GnuTLS documentation

## Workaround

Applications must explicitly call `gnutls_pkcs11_init()`:

```c
#include <errno.h>
#include <gnutls/gnutls.h>
#include <gnutls/pkcs11.h>

int openconnect_init_ssl(void)
{
    if (gnutls_global_init())
        return -EIO;

    // Workaround for GnuTLS auto-init not working
#if defined(HAVE_P11KIT)
    if (gnutls_pkcs11_init(GNUTLS_PKCS11_FLAG_AUTO, NULL) < 0) {
        // Handle error
    }
#endif

    return 0;
}
```

## Questions

1. Is automatic PKCS#11 initialization still supposed to work in GnuTLS 3.8.x?
2. Which specific GnuTLS functions should trigger auto-initialization?
3. Is there a specific initialization order or condition required?
4. Should this be considered a regression or documentation issue?

## References

- GnuTLS PKCS#11 docs: https://gnutls.org/manual/html_node/PKCS11-Initialization.html
- OpenConnect issue #835: https://gitlab.com/openconnect/openconnect/-/issues/835
- RFC 7512 (PKCS#11 URI): https://tools.ietf.org/html/rfc7512

## Related Issues

- **GnuTLS #1784** - "SafeSign token compatibility: CKR_ARGUMENTS_BAD with threading flags" (January 2026)
  - URL: https://gitlab.com/gnutls/gnutls/-/issues/1784
  - Our previous report about SafeSign driver rejecting PKCS#11 threading flags
  - Patch submitted to add fallback for `CKR_ARGUMENTS_BAD` with `flags=0`
  - This current issue is different but related: auto-initialization not working
- **GnuTLS #1060** - "Uninitialized lock when using pkcs11 private key for signing" (August 2020)
  - URL: https://gitlab.com/gnutls/gnutls/-/issues/1060
  - Similar symptom: "Thread locking error" in single-threaded application
  - Context: Lock not initialized when using PKCS#11 private key
  - May be related to PKCS#11 initialization issues

## Additional Information

I can provide:

- Complete debug logs (with `GNUTLS_DEBUG_LEVEL=9`)
- Minimal test case if needed
- Testing on different GnuTLS versions
- p11-kit configuration details

--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1798
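An added triage script, not part of the issue report or of GnuTLS or OpenConnect: it classifies a `GNUTLS_DEBUG_LEVEL=3` log by the PKCS#11 messages that distinguish the two excerpts in Test Case 1 of issue #1798. The names `triage`, `P11Report`, the verdict strings and the `expected_module` parameter are assumptions of this example, and the sample logs are constructed from those excerpts.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Message formats taken from the GNUTLS_DEBUG_LEVEL=3 excerpts in the report.
_GNUTLS_LINE = re.compile(r"^gnutls\[\d+\]: (.*)$")
_LOGGING_ON = re.compile(r"^Enabled GnuTLS (\S+) logging")
_GLOBAL_INIT = "Initializing all PKCS #11 modules"
_MODULE_INIT = re.compile(r"^p11: Initializing module: (\S+)")


@dataclass
class P11Report:
    """What a debug log says about PKCS#11 initialization (hypothetical type)."""
    gnutls_version: Optional[str] = None
    global_init_seen: bool = False
    modules: List[str] = field(default_factory=list)

    def verdict(self, expected_module: Optional[str] = None) -> str:
        if self.gnutls_version is None:
            # Without the "Enabled GnuTLS ... logging" line, the absence of
            # p11 messages proves nothing: debug logging was not active.
            return "no-debug-output"
        if not self.global_init_seen and not self.modules:
            return "pkcs11-not-initialized"
        if expected_module and expected_module not in self.modules:
            # Initialization ran, but the token's driver module was not loaded.
            return "module-not-loaded"
        return "pkcs11-initialized"


def triage(log_text: str) -> P11Report:
    """Scan mixed application/GnuTLS output and collect PKCS#11 init evidence."""
    report = P11Report()
    for raw in log_text.splitlines():
        line = _GNUTLS_LINE.match(raw.strip())
        if not line:
            continue  # application output, PIN prompts, blank lines
        msg = line.group(1)
        started = _LOGGING_ON.match(msg)
        module = _MODULE_INIT.match(msg)
        if started:
            report.gnutls_version = started.group(1)
        elif msg.startswith(_GLOBAL_INIT):
            report.global_init_seen = True
        elif module and module.group(1) not in report.modules:
            report.modules.append(module.group(1))
    return report


# Constructed samples, modelled on the two excerpts in Test Case 1.
WITHOUT_INIT = """\
gnutls[2]: Enabled GnuTLS 3.8.12 logging...
gnutls[2]: getrandom random generator was selected
Valid client certificate is required
Failed to complete authentication
"""

WITH_INIT = """\
gnutls[2]: Enabled GnuTLS 3.8.12 logging...
gnutls[2]: Initializing all PKCS #11 modules
gnutls[2]: p11: Initializing module: p11-kit-trust
gnutls[2]: p11: Initializing module: safesign
gnutls[2]: p11: Module safesign is initialized in a thread-safe mode
PIN required for MyToken
"""

if __name__ == "__main__":
    for name, log in (("without init", WITHOUT_INIT), ("with init", WITH_INIT)):
        rep = triage(log)
        print(f"{name}: {rep.verdict('safesign')} modules={rep.modules}")
```

The `no-debug-output` verdict keeps a log captured without `GNUTLS_DEBUG_LEVEL` set from being misread as evidence that initialization was skipped.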