From gnutls-devel at lists.gnutls.org Mon Jan 5 17:05:10 2026 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Mon, 05 Jan 2026 16:05:10 +0000 Subject: [gnutls-devel] GnuTLS | pkcs11: properly fall back to thread-unsafe module init (!2049) In-Reply-To: References: Message-ID: Zolt?n Fridrich commented: https://gitlab.com/gnutls/gnutls/-/merge_requests/2049#note_2984249591 Changes look good. Approved. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/2049#note_2984249591 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Jan 5 17:05:12 2026 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Mon, 05 Jan 2026 16:05:12 +0000 Subject: [gnutls-devel] GnuTLS | pkcs11: properly fall back to thread-unsafe module init (!2049) In-Reply-To: References: Message-ID: Merge request !2049 was approved by Zolt?n Fridrich Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/2049 Project:Branches: dueno/gnutls:wip/dueno/pkcs11-thread-fixes to gnutls/gnutls:master Author: Daiki Ueno Assignees: Reviewers: Alexander Sosedkin and Zolt?n Fridrich -- You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Jan 6 02:14:27 2026 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 06 Jan 2026 01:14:27 +0000 Subject: [gnutls-devel] GnuTLS | pkcs11: properly fall back to thread-unsafe module init (!2049) In-Reply-To: References: Message-ID: Daiki Ueno commented: https://gitlab.com/gnutls/gnutls/-/merge_requests/2049#note_2985123659 Thanks Zoltan for the review! -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/2049#note_2985123659 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Jan 6 02:14:33 2026 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 06 Jan 2026 01:14:33 +0000 Subject: [gnutls-devel] GnuTLS | pkcs11: properly fall back to thread-unsafe module init (!2049) In-Reply-To: References: Message-ID: Merge request !2049 was merged Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/2049 Project:Branches: dueno/gnutls:wip/dueno/pkcs11-thread-fixes to gnutls/gnutls:master Author: Daiki Ueno Reviewers: Alexander Sosedkin and Zolt?n Fridrich -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/2049 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Jan 6 02:14:33 2026 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 06 Jan 2026 01:14:33 +0000 Subject: [gnutls-devel] GnuTLS | p11tool stopped showing token (#1774) In-Reply-To: References: Message-ID: Issue was closed by Daiki Ueno with merge request !2049 (https://gitlab.com/gnutls/gnutls/-/merge_requests/2049) Issue #1774: https://gitlab.com/gnutls/gnutls/-/issues/1774 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1774 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Jan 6 02:17:09 2026 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 06 Jan 2026 01:17:09 +0000 Subject: [gnutls-devel] GnuTLS | srptool: fix stack buffer overflow with large SRP groups (!2050) In-Reply-To: References: Message-ID: Daiki Ueno commented: https://gitlab.com/gnutls/gnutls/-/merge_requests/2050#note_2985125359 @grey3228 Could you apply the indentation fix proposed at https://gitlab.com/grey3228/gnutls/-/jobs/12537214593#L56 ? Maybe you could do that by running devel/indent-gnutls if you have a decent version of clang-format. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/2050#note_2985125359 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Jan 7 22:02:15 2026 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 07 Jan 2026 21:02:15 +0000 Subject: [gnutls-devel] libtasn1 | Fix for CVE-2025-13151 Buffer overflow (!121) References: Message-ID: Vijay Sarvepalli created a merge request: https://gitlab.com/gnutls/libtasn1/-/merge_requests/121 Project:Branches: sei-vsarvepalli/libtasn1:security_fix to gnutls/libtasn1:master Author: Vijay Sarvepalli Add a description of the new feature/bug fix. Reference any relevant bugs. ## Checklist * [ X ] Code modified for feature * [ O ] Test suite updated with functionality tests * [ O ] Test suite updated with negative tests * [ X ] Documentation updated ## Reviewer's checklist: * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent with other code * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/-/merge_requests/121 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Jan 8 14:55:58 2026 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Thu, 08 Jan 2026 13:55:58 +0000 Subject: [gnutls-devel] libtasn1 | Fix for CVE-2025-13151 Buffer overflow (!121) In-Reply-To: References: Message-ID: Simon Josefsson commented: https://gitlab.com/gnutls/libtasn1/-/merge_requests/121#note_2991871509 Thank you! Manually merged into v4.21.0 release -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/-/merge_requests/121#note_2991871509 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Jan 8 14:55:59 2026 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Thu, 08 Jan 2026 13:55:59 +0000 Subject: [gnutls-devel] libtasn1 | Fix for CVE-2025-13151 Buffer overflow (!121) In-Reply-To: References: Message-ID: Merge request !121 was closed by Simon Josefsson Merge request URL: https://gitlab.com/gnutls/libtasn1/-/merge_requests/121 Project:Branches: sei-vsarvepalli/libtasn1:security_fix to gnutls/libtasn1:master Author: Vijay Sarvepalli Assignees: Reviewers: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/-/merge_requests/121 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Jan 8 14:57:08 2026 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Thu, 08 Jan 2026 13:57:08 +0000 Subject: [gnutls-devel] libtasn1 | Ongoing security disclosure access (#56) In-Reply-To: References: Message-ID: Issue was closed by Simon Josefsson Issue #56: https://gitlab.com/gnutls/libtasn1/-/issues/56 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/-/issues/56 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Jan 8 14:57:10 2026 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Thu, 08 Jan 2026 13:57:10 +0000 Subject: [gnutls-devel] libtasn1 | Ongoing security disclosure access (#56) In-Reply-To: References: Message-ID: Simon Josefsson commented: https://gitlab.com/gnutls/libtasn1/-/issues/56#note_2991876487 Should be fixed now with v4.21.0, thank you! -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/-/issues/56#note_2991876487 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Jan 8 14:57:58 2026 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Thu, 08 Jan 2026 13:57:58 +0000 Subject: [gnutls-devel] libtasn1 | Tarball reproducibility bug (#54) In-Reply-To: References: Message-ID: Simon Josefsson commented: https://gitlab.com/gnutls/libtasn1/-/issues/54#note_2991879537 I made some changes for v4.21.0, let's see how it works out. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/-/issues/54#note_2991879537 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Jan 9 03:09:42 2026 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 09 Jan 2026 02:09:42 +0000 Subject: [gnutls-devel] libtasn1 | doc: add security advisory for CVE-2025-13151 (!122) References: Message-ID: Daiki Ueno created a merge request: https://gitlab.com/gnutls/libtasn1/-/merge_requests/122 Project:Branches: dueno/libtasn1:wip/advisory/cve-2025-13151 to gnutls/libtasn1:master Author: Daiki Ueno This adds a security advisory for CVE-2025-13151 under doc/. ## Checklist * [ ] Code modified for feature * [ ] Test suite updated with functionality tests * [ ] Test suite updated with negative tests * [x] Documentation updated ## Reviewer's checklist: * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent with other code * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/-/merge_requests/122 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Jan 9 03:11:14 2026 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 09 Jan 2026 02:11:14 +0000 Subject: [gnutls-devel] libtasn1 | doc: add security advisory for CVE-2025-13151 (!122) In-Reply-To: References: Message-ID: Daiki Ueno commented: https://gitlab.com/gnutls/libtasn1/-/merge_requests/122#note_2993246385 @sei-vsarvepalli @jas could you check? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/-/merge_requests/122#note_2993246385 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Jan 9 11:10:35 2026 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 09 Jan 2026 10:10:35 +0000 Subject: [gnutls-devel] libtasn1 | doc: add security advisory for CVE-2025-13151 (!122) In-Reply-To: References: Message-ID: Merge request !122 was merged Merge request URL: https://gitlab.com/gnutls/libtasn1/-/merge_requests/122 Project:Branches: dueno/libtasn1:wip/advisory/cve-2025-13151 to gnutls/libtasn1:master Author: Daiki Ueno -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/-/merge_requests/122 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Jan 9 17:06:39 2026 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 09 Jan 2026 16:06:39 +0000 Subject: [gnutls-devel] libtasn1 | doc: add security advisory for CVE-2025-13151 (!122) In-Reply-To: References: Message-ID: Merge request https://gitlab.com/gnutls/libtasn1/-/merge_requests/122 was reviewed by Vijay Sarvepalli -- Vijay Sarvepalli commented on a discussion: https://gitlab.com/gnutls/libtasn1/-/merge_requests/122#note_2994986010 Looks good and clear to me. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/-/merge_requests/122 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Jan 9 17:06:39 2026 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 09 Jan 2026 16:06:39 +0000 Subject: [gnutls-devel] libtasn1 | doc: add security advisory for CVE-2025-13151 (!122) In-Reply-To: References: Message-ID: Vijay Sarvepalli commented: https://gitlab.com/gnutls/libtasn1/-/merge_requests/122#note_2994986026 looks good. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/-/merge_requests/122#note_2994986026 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat Jan 10 08:18:49 2026 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Sat, 10 Jan 2026 07:18:49 +0000 Subject: [gnutls-devel] GnuTLS | GnuTLS uses expired CRLs without warning (#1781) References: Message-ID: Joyanta Debnath created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1781 ## Description of problem: GnuTLS does not explicitly check whether a CRL has expired at the time of validation. As a result, it continues to perform revocation checks using expired CRLs without raising any warnings or errors for the user. https://github.com/gnutls/gnutls/blob/0b7e7690a5744a501b887dd3a53e74c384b82a3c/lib/x509/x509.c#L3239 ## Version of gnutls used: latest or older ## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL) Ubuntu ## Actual results: Accepts CRL for certificate validation ## Expected results: Rejects CRL for certificate validation -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1781 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun Jan 11 00:11:36 2026 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Sat, 10 Jan 2026 23:11:36 +0000 Subject: [gnutls-devel] GnuTLS | GnuTLS uses expired CRLs without warning (#1781) In-Reply-To: References: Message-ID: Daiki Ueno commented: https://gitlab.com/gnutls/gnutls/-/issues/1781#note_2996874484 Could you provide a reproducer? I suspect you are looking at a wrong code path; note that the CRL check is done in 2 phases: first with `gnutls_x509_crl_verify` (called by `gnutls_x509_trust_list_add_crls`) and then the call to `_gnutls_x509_crt_check_revocation` to each certificates (in `gnutls_x509_trust_list_verify_crt2`). `gnutls_x509_crl_verify` does have checks for CRL expiration: https://gitlab.com/gnutls/gnutls/-/blob/0b7e7690a5744a501b887dd3a53e74c384b82a3c/lib/x509/verify.c#L1786 I believe those are already exercised in our tests under: https://gitlab.com/gnutls/gnutls/-/blob/0b7e7690a5744a501b887dd3a53e74c384b82a3c/tests/cert-tests/crl.sh#L108 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1781#note_2996874484 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun Jan 11 00:18:32 2026 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Sat, 10 Jan 2026 23:18:32 +0000 Subject: [gnutls-devel] GnuTLS | gnutls-cli (Version 3.8.10) on macOS aborts with "Curve 1.3.36.3.3.2.8.1.1.7 is not supported" and assertions when server cert uses brainpoolP256r1 (#1767) In-Reply-To: References: Message-ID: Issue was closed by Daiki Ueno Issue #1767: https://gitlab.com/gnutls/gnutls/-/issues/1767 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1767 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun Jan 11 00:18:33 2026 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Sat, 10 Jan 2026 23:18:33 +0000 Subject: [gnutls-devel] GnuTLS | gnutls-cli (Version 3.8.10) on macOS aborts with "Curve 1.3.36.3.3.2.8.1.1.7 is not supported" and assertions when server cert uses brainpoolP256r1 (#1767) In-Reply-To: References: Message-ID: Daiki Ueno commented: https://gitlab.com/gnutls/gnutls/-/issues/1767#note_2996881589 I'm closing this as I think the questions here are answered. If you need support for Brainpool curves, please open another issue. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1767#note_2996881589 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sun Jan 11 13:27:42 2026 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Sun, 11 Jan 2026 12:27:42 +0000 Subject: [gnutls-devel] libtasn1 | autoreconf on 4.2.21 sets wromg mtime for doc/libtasn1.texi (#57) References: Message-ID: Andreas Metzler created an issue: https://gitlab.com/gnutls/libtasn1/-/issues/57 Hello, 4.2.21 fails to build on make check after autoreconf if texinfo is not installed: ``` WARNING: 'makeinfo' is missing on your system. You should only need it if you modified a '.texi' file, or any other file indirectly affecting the aspect of the manual. You might want to install the Texinfo package: The spurious makeinfo call might also be the consequence of using a buggy 'make' (AIX, DU, IRIX), in which case you might want to install GNU make: make[3]: *** [Makefile:1765: libtasn1.info] Error 127 ``` I think this is the reason why, libtasn1.texi mtime is set to 0 by ./configure. ``` (sid)ametzler at argenau:/tmp/TASN/libtasn1$ ls -l doc/libtasn1.texi ; head doc/version.texi ; autoreconf ; ls -l doc/libtasn1.texi ; head doc/version.texi ; ./configure > /dev/null 2>&1 ; ls -l doc/libtasn1.texi ; head doc/version.texi -rw-r--r-- 1 ametzler ametzler 10949 Jan 8 12:19 doc/libtasn1.texi @set UPDATED 8 January 2026 @set UPDATED-MONTH January 2026 @set EDITION 4.21.0 @set VERSION 4.21.0 -rw-r--r-- 1 ametzler ametzler 10949 Jan 8 12:19 doc/libtasn1.texi @set UPDATED 8 January 2026 @set UPDATED-MONTH January 2026 @set EDITION 4.21.0 @set VERSION 4.21.0 -rw-r--r-- 1 ametzler ametzler 10949 Jan 1 1970 doc/libtasn1.texi @set UPDATED 8 January 2026 @set UPDATED-MONTH January 2026 @set EDITION 4.21.0 @set VERSION 4.21.0 ``` At build time this code in doc/Makefile is triggered because the mtime recorded in version.texi does not match the relal mtime of libtasn1.texi: ``` $(srcdir)/version.texi: $(srcdir)/stamp-vti $(srcdir)/stamp-vti: libtasn1.texi $(top_srcdir)/configure @(dir=.; test -f ./libtasn1.texi || dir=$(srcdir); \ set `$(SHELL) $(top_srcdir)/build-aux/mdate-sh $$dir/libtasn1.texi`; \ echo "@set UPDATED $$1 $$2 $$3"; \ echo "@set UPDATED-MONTH $$2 $$3"; \ echo "@set EDITION $(VERSION)"; \ echo "@set VERSION $(VERSION)") > vti.tmp$$$$ && \ (cmp -s vti.tmp$$$$ $(srcdir)/version.texi \ || (echo "Updating $(srcdir)/version.texi" && \ cp vti.tmp$$$$ $(srcdir)/version.texi.tmp$$$$ && \ mv $(srcdir)/version.texi.tmp$$$$ $(srcdir)/version.texi)) && \ rm -f vti.tmp$$$$ $(srcdir)/version.texi.$$$$ @cp $(srcdir)/version.texi $@ ``` Now version.texi is newer than libtasn1.info and the latter is out of date and make thinks it needs to be rebuilt. The code for settig the wrong time-stamp is in configure.ac ``` st_help2man=0 st_touch=197001010000.00 AC_MSG_CHECKING([for timestamps of last git commit]) if test -e "$srcdir"/.git && command -v git > /dev/null; then if tmp=$(git log -1 --format=%cd --date=unix); then st_help2man="$tmp" fi if tmp=$(env TZ=UTC0 git log -1 --format=%cd --date=format-local:%Y%m%d%H%M.%S); then st_touch="$tmp" fi fi AC_SUBST(SOURCETIME_HELP2MAN, "${SOURCETIME_HELP2MAN:-$st_help2man}") AC_MSG_RESULT(help2man $SOURCETIME_HELP2MAN touch $st_touch) env TZ=UTC0 \ touch -m -t "$st_touch" \ "$srcdir"/NEWS.md "$srcdir"/doc/$PACKAGE.texi ``` -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/-/issues/57 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Jan 12 08:43:47 2026 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Mon, 12 Jan 2026 07:43:47 +0000 Subject: [gnutls-devel] libtasn1 | autoreconf on 4.2.21 sets wromg mtime for doc/libtasn1.texi (#57) In-Reply-To: References: Message-ID: Simon Josefsson commented: https://gitlab.com/gnutls/libtasn1/-/issues/57#note_2998087542 Thank you, great catch! Indeed `makeinfo` shouldn't be a required tool when building. It seems getting this right is rather tricky... I noticed that Bruno Haible's recent `git-merge-changelog` package uses a `version.sh` for similar information. It feels a bit redundant because the information is in `NEWS`. I wonder why not any of our CI/CD jobs caught this. I'll see if it is possible to reproduce. My initial idea to solve this is to avoid using git to find out the last commit date, and just use the last release date from `NEWS` instead. I'm not yet sure what the best fix to avoid touching the file when building from a tarball though. Maybe touching the file should go into `./bootstrap` instead of `./configure`. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/-/issues/57#note_2998087542 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Jan 12 12:03:19 2026 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Mon, 12 Jan 2026 11:03:19 +0000 Subject: [gnutls-devel] GnuTLS | srptool: fix stack buffer overflow with large SRP groups (!2050) In-Reply-To: References: Message-ID: Mikhail Dmitrichenko commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/2050#note_2998611149 sure, done -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/2050#note_2998611149 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Jan 13 12:09:00 2026 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 13 Jan 2026 11:09:00 +0000 Subject: [gnutls-devel] GnuTLS | Draft: rnd: always clear internal RNG state and confidential temporary data (!2051) References: Message-ID: Markus Theil created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/2051 Project:Branches: thillux/gnutls:mtheil/clear-rnd-state to gnutls/gnutls:master Author: Markus Theil * rnd: always clear internal RNG state and confidential temporary data Internal RNG state should not be left in memory after deallocating the RNG or exiting a process using GnuTLS. Fix this for the ChaCha20 based RNG implementation. The FIPS RNG impl. already does this, due to FIPS requirements. Signed-off-by: Markus Theil ## Checklist * [ ] Commits have `Signed-off-by:` with name/author being identical to the commit author * [ ] Code modified for feature * [ ] Test suite updated with functionality tests * [ ] Test suite updated with negative tests * [ ] Documentation updated / NEWS entry present (for non-trivial changes) ## Reviewer's checklist: * [ ] Any issues marked for closing are addressed * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md` * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/2051 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Jan 13 12:11:46 2026 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 13 Jan 2026 11:11:46 +0000 Subject: [gnutls-devel] GnuTLS | rnd: always clear internal RNG state and confidential temporary data (!2051) In-Reply-To: References: Message-ID: Markus Theil marked merge request !2051 as ready -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/2051 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Jan 13 15:47:13 2026 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 13 Jan 2026 14:47:13 +0000 Subject: [gnutls-devel] GnuTLS | rnd: always clear internal RNG state and confidential temporary data (!2051) In-Reply-To: References: Message-ID: Alexander Sosedkin started a new discussion on lib/nettle/rnd.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/2051#note_3002559712 > > static void wrap_nettle_rnd_deinit(void *_ctx) > { > + zeroize_key(_ctx, sizeof(*_ctx)); `sizeof(*_ctx)` doesn't look right, how would it know the right size? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/2051#note_3002559712 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Jan 13 15:51:29 2026 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 13 Jan 2026 14:51:29 +0000 Subject: [gnutls-devel] GnuTLS | rnd: always clear internal RNG state and confidential temporary data (!2051) In-Reply-To: References: Message-ID: Markus Theil commented on a discussion on lib/nettle/rnd.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/2051#note_3002575187 > > static void wrap_nettle_rnd_deinit(void *_ctx) > { > + zeroize_key(_ctx, sizeof(*_ctx)); Should be fixed now. Thanks! -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/2051#note_3002575187 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Jan 13 15:52:57 2026 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 13 Jan 2026 14:52:57 +0000 Subject: [gnutls-devel] GnuTLS | rnd: always clear internal RNG state and confidential temporary data (!2051) In-Reply-To: References: Message-ID: Markus Theil commented on a discussion on lib/nettle/rnd.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/2051#note_3002581525 > > static void wrap_nettle_rnd_deinit(void *_ctx) > { > + zeroize_key(_ctx, sizeof(*_ctx)); Can I assume \_ctx to always point to memory or shall I check, if it is zero? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/2051#note_3002581525 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Jan 13 15:54:19 2026 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 13 Jan 2026 14:54:19 +0000 Subject: [gnutls-devel] GnuTLS | rnd: always clear internal RNG state and confidential temporary data (!2051) In-Reply-To: References: Message-ID: Alexander Sosedkin commented on a discussion on lib/nettle/rnd.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/2051#note_3002587232 > > static void wrap_nettle_rnd_deinit(void *_ctx) > { > + zeroize_key(_ctx, sizeof(*_ctx)); AFAICS, you can. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/2051#note_3002587232 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Jan 13 16:04:51 2026 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 13 Jan 2026 15:04:51 +0000 Subject: [gnutls-devel] GnuTLS | rnd: always clear internal RNG state and confidential temporary data (!2051) In-Reply-To: References: Message-ID: Alexander Sosedkin commented: https://gitlab.com/gnutls/gnutls/-/merge_requests/2051#note_3002626425 I'm not sure of the importance of such zeroization in real life scenarios on modern platforms. That being said, I don't see why not have it either. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/2051#note_3002626425 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Jan 13 16:05:16 2026 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 13 Jan 2026 15:05:16 +0000 Subject: [gnutls-devel] GnuTLS | rnd: always clear internal RNG state and confidential temporary data (!2051) In-Reply-To: References: Message-ID: Merge request !2051 was approved by Alexander Sosedkin Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/2051 Project:Branches: thillux/gnutls:mtheil/clear-rnd-state to gnutls/gnutls:master Author: Markus Theil Assignees: Reviewers: -- You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Jan 13 16:12:51 2026 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 13 Jan 2026 15:12:51 +0000 Subject: [gnutls-devel] GnuTLS | rnd: always clear internal RNG state and confidential temporary data (!2051) In-Reply-To: References: Message-ID: Markus Theil commented: https://gitlab.com/gnutls/gnutls/-/merge_requests/2051#note_3002653123 IMHO my two cents regarding your notice: May I'm wrong here, but a e.g. Linux kernel configured without clear on alloc or clear on free may provide a memory range of process p1 with key material from the GnuTLS RNG to another process p2 on the same platform, after p1 was (cleanly) terminated. More advanced are cold boot attacks or microarchitectural attacks like meltdown/spectre where its nice to limit the exposure of secret key material in RAM. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/2051#note_3002653123 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Jan 13 16:27:05 2026 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 13 Jan 2026 15:27:05 +0000 Subject: [gnutls-devel] GnuTLS | rnd: always clear internal RNG state and confidential temporary data (!2051) In-Reply-To: References: Message-ID: Alexander Sosedkin commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/2051#note_3002718070 I meant that you'd first have to do the unconventional step of configuring the kernel to hand out memory unzeroized. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/2051#note_3002718070 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Jan 13 16:44:52 2026 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 13 Jan 2026 15:44:52 +0000 Subject: [gnutls-devel] GnuTLS | rnd: always clear internal RNG state and confidential temporary data (!2051) In-Reply-To: References: Message-ID: Markus Theil commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/2051#note_3002798892 Fair point :thumbsup: -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/2051#note_3002798892 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Jan 14 05:28:42 2026 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 14 Jan 2026 04:28:42 +0000 Subject: [gnutls-devel] GnuTLS | Update year of copyright notices in doc/gnutls.texi (!2052) References: Message-ID: Daiki Ueno created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/2052 Project:Branches: dueno/gnutls:wip/dueno/doc-update-copyright-year to gnutls/gnutls:master Author: Daiki Ueno * Update year of copyright notices in doc/gnutls.texi ## Checklist * [x] Commits have `Signed-off-by:` with name/author being identical to the commit author * [ ] Code modified for feature * [ ] Test suite updated with functionality tests * [ ] Test suite updated with negative tests * [ ] Documentation updated / NEWS entry present (for non-trivial changes) ## Reviewer's checklist: * [ ] Any issues marked for closing are addressed * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md` * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/2052 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Jan 14 05:47:32 2026 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 14 Jan 2026 04:47:32 +0000 Subject: [gnutls-devel] GnuTLS | Update year of copyright notices in doc/gnutls.texi (!2052) In-Reply-To: References: Message-ID: Daiki Ueno commented: https://gitlab.com/gnutls/gnutls/-/merge_requests/2052#note_3004186376 Just an annual chore; merging without approval. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/2052#note_3004186376 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Jan 14 05:47:37 2026 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 14 Jan 2026 04:47:37 +0000 Subject: [gnutls-devel] GnuTLS | Update year of copyright notices in doc/gnutls.texi (!2052) In-Reply-To: References: Message-ID: Merge request !2052 was set to auto-merge by Daiki Ueno Merge request url: https://gitlab.com/gnutls/gnutls/-/merge_requests/2052 Project:Branches: dueno/gnutls:wip/dueno/doc-update-copyright-year to gnutls/gnutls:master Author: Daiki Ueno Assignees: Reviewers: -- You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Jan 14 05:58:00 2026 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 14 Jan 2026 04:58:00 +0000 Subject: [gnutls-devel] GnuTLS | Update year of copyright notices in doc/gnutls.texi (!2052) In-Reply-To: References: Message-ID: Merge request !2052 was merged Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/2052 Project:Branches: dueno/gnutls:wip/dueno/doc-update-copyright-year to gnutls/gnutls:master Author: Daiki Ueno -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/2052 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Jan 14 06:22:48 2026 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 14 Jan 2026 05:22:48 +0000 Subject: [gnutls-devel] GnuTLS | lib: add support for Hygon Genuine CPUs in x86 acceleration (!2053) References: Message-ID: xinpeng wang created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/2053 Project:Branches: wxphaha/gnutls:adapter-Hygon to gnutls/gnutls:master Author: xinpeng wang * lib: add support for Hygon Genuine CPUs in x86 acceleration Hygon CPUs (HygonGenuine) share the same AES-NI and other crypto instruction sets with AMD Zen architecture. However, they were previously falling back to the generic software provider because the vendor check only recognized Intel and AMD. This fallback to the software provider (Nettle wrapper) could lead to numerical issues or crashes (e.g., divide-by-zero) in certain environments like Photoshop. This patch: 1. Adds X86_CPU_VENDOR_HYGON to x86_cpu_vendor enum. 2. Updates check_x86_cpu_vendor() to recognize Hygon CPUs. 3. Enables hardware acceleration for Hygon CPUs. Signed-off-by: xinpeng.wang ## Checklist * [ ] Commits have `Signed-off-by:` with name/author being identical to the commit author * [ ] Code modified for feature * [ ] Test suite updated with functionality tests * [ ] Test suite updated with negative tests * [ ] Documentation updated / NEWS entry present (for non-trivial changes) ## Reviewer's checklist: * [ ] Any issues marked for closing are addressed * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md` * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/2053 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Jan 14 06:37:59 2026 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 14 Jan 2026 05:37:59 +0000 Subject: [gnutls-devel] GnuTLS | srptool: fix stack buffer overflow with large SRP groups (!2050) In-Reply-To: References: Message-ID: Daiki Ueno commented: https://gitlab.com/gnutls/gnutls/-/merge_requests/2050#note_3004248192 @grey3228 Sorry to bother you, but could you rebase it against the git master? There was a known CI [issue](https://gitlab.com/gnutls/gnutls/-/merge_requests/2052) caused by outdated copyright year after 2026. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/2050#note_3004248192 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Jan 14 06:43:47 2026 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 14 Jan 2026 05:43:47 +0000 Subject: [gnutls-devel] GnuTLS | rnd: always clear internal RNG state and confidential temporary data (!2051) In-Reply-To: References: Message-ID: Merge request !2051 was approved by Daiki Ueno Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/2051 Project:Branches: thillux/gnutls:mtheil/clear-rnd-state to gnutls/gnutls:master Author: Markus Theil Assignees: Reviewers: -- You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Jan 14 06:43:48 2026 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 14 Jan 2026 05:43:48 +0000 Subject: [gnutls-devel] GnuTLS | rnd: always clear internal RNG state and confidential temporary data (!2051) In-Reply-To: References: Message-ID: Merge request https://gitlab.com/gnutls/gnutls/-/merge_requests/2051 was reviewed by Daiki Ueno -- Daiki Ueno started a new discussion on lib/nettle/rnd.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/2051#note_3004253700 > + zeroize_key(new_key, sizeof(new_key)); > gnutls_free(ctx); > return ret; Not a fault of this MR, but I would write like this to share the common code: ```suggestion:-8+0 *_ctx = _gnutls_steal_pointer(ctx); cleanup: zeroize_key(new_key, sizeof(new_key)); gnutls_free(ctx); return ret; ``` You would need to change `goto fail` to `goto cleanup`, and initialize `ret` to 0. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/2051 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Jan 14 06:43:47 2026 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 14 Jan 2026 05:43:47 +0000 Subject: [gnutls-devel] GnuTLS | rnd: always clear internal RNG state and confidential temporary data (!2051) In-Reply-To: References: Message-ID: Daiki Ueno commented: https://gitlab.com/gnutls/gnutls/-/merge_requests/2051#note_3004253723 Looks good to me, just a minor suggestion. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/2051#note_3004253723 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Jan 14 08:54:50 2026 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 14 Jan 2026 07:54:50 +0000 Subject: [gnutls-devel] GnuTLS | srptool: fix stack buffer overflow with large SRP groups (!2050) In-Reply-To: References: Message-ID: Mikhail Dmitrichenko commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/2050#note_3004438554 no problems, done it -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/2050#note_3004438554 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Jan 14 09:05:17 2026 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 14 Jan 2026 08:05:17 +0000 Subject: [gnutls-devel] GnuTLS | srptool: fix stack buffer overflow with large SRP groups (!2050) In-Reply-To: References: Message-ID: Merge request !2050 was approved by Daiki Ueno Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/2050 Project:Branches: grey3228/gnutls:fix/large-srp-group-stack-buff-overflow to gnutls/gnutls:master Author: Mikhail Dmitrichenko Assignees: Reviewers: -- You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Jan 14 09:05:27 2026 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 14 Jan 2026 08:05:27 +0000 Subject: [gnutls-devel] GnuTLS | srptool: fix stack buffer overflow with large SRP groups (!2050) In-Reply-To: References: Message-ID: All discussions on merge request !2050 were resolved by Daiki Ueno https://gitlab.com/gnutls/gnutls/-/merge_requests/2050 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/2050 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Jan 14 09:05:48 2026 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 14 Jan 2026 08:05:48 +0000 Subject: [gnutls-devel] GnuTLS | srptool: fix stack buffer overflow with large SRP groups (!2050) In-Reply-To: References: Message-ID: Merge request !2050 was merged Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/2050 Project:Branches: grey3228/gnutls:fix/large-srp-group-stack-buff-overflow to gnutls/gnutls:master Author: Mikhail Dmitrichenko -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/2050 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Jan 14 09:05:50 2026 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 14 Jan 2026 08:05:50 +0000 Subject: [gnutls-devel] GnuTLS | srptool:possible stack buffer overflow with large SRP groups (#1777) In-Reply-To: References: Message-ID: Issue was closed by Daiki Ueno with commit 6181783e98117cebfa2ca36535ac70abd994f1d2 Issue #1777: https://gitlab.com/gnutls/gnutls/-/issues/1777 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1777 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Jan 14 09:06:03 2026 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 14 Jan 2026 08:06:03 +0000 Subject: [gnutls-devel] GnuTLS | srptool: fix stack buffer overflow with large SRP groups (!2050) In-Reply-To: References: Message-ID: Daiki Ueno commented: https://gitlab.com/gnutls/gnutls/-/merge_requests/2050#note_3004459834 Merged, thank you! -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/2050#note_3004459834 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Jan 14 09:29:55 2026 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 14 Jan 2026 08:29:55 +0000 Subject: [gnutls-devel] GnuTLS | rnd: always clear internal RNG state and confidential temporary data (!2051) In-Reply-To: References: Message-ID: Markus Theil commented: https://gitlab.com/gnutls/gnutls/-/merge_requests/2051#note_3004519619 @dueno Done. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/2051#note_3004519619 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Jan 14 10:39:48 2026 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 14 Jan 2026 09:39:48 +0000 Subject: [gnutls-devel] GnuTLS | rnd: always clear internal RNG state and confidential temporary data (!2051) In-Reply-To: References: Message-ID: All discussions on merge request !2051 were resolved by Daiki Ueno https://gitlab.com/gnutls/gnutls/-/merge_requests/2051 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/2051 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Jan 14 10:40:08 2026 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 14 Jan 2026 09:40:08 +0000 Subject: [gnutls-devel] GnuTLS | rnd: always clear internal RNG state and confidential temporary data (!2051) In-Reply-To: References: Message-ID: Merge request !2051 was merged Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/2051 Project:Branches: thillux/gnutls:mtheil/clear-rnd-state to gnutls/gnutls:master Author: Markus Theil -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/2051 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Jan 14 10:40:23 2026 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 14 Jan 2026 09:40:23 +0000 Subject: [gnutls-devel] GnuTLS | rnd: always clear internal RNG state and confidential temporary data (!2051) In-Reply-To: References: Message-ID: Daiki Ueno commented: https://gitlab.com/gnutls/gnutls/-/merge_requests/2051#note_3004693712 Merged, thank you! -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/2051#note_3004693712 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Jan 14 13:31:05 2026 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 14 Jan 2026 12:31:05 +0000 Subject: [gnutls-devel] GnuTLS | lib: add support for Hygon Genuine CPUs in x86 acceleration (!2053) In-Reply-To: References: Message-ID: Alexander Sosedkin commented: https://gitlab.com/gnutls/gnutls/-/merge_requests/2053#note_3005170502 So, the change is purely to get past the `if (vendor == X86_CPU_VENDOR_OTHER) { return; }` check? And then the generic `GNUTLS_x86_cpuid_s[1] & bit_AES` just works? > This fallback to the software provider (Nettle wrapper) could lead to numerical issues or crashes (e.g., divide-by-zero) in certain environments like Photoshop. Could you please elaborate on that? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/2053#note_3005170502 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Jan 15 03:26:39 2026 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Thu, 15 Jan 2026 02:26:39 +0000 Subject: [gnutls-devel] GnuTLS | lib: add support for Hygon Genuine CPUs in x86 acceleration (!2053) In-Reply-To: References: Message-ID: Merge request https://gitlab.com/gnutls/gnutls/-/merge_requests/2053 was reviewed by xinpeng wang -- xinpeng wang commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/2053#note_3007000934 Hi Alexander, thanks for your feedback. Here is the elaboration on the hardware compatibility and the crash scenario: 1. Hardware Compatibility Evidence I?ve verified that Hygon CPUs are fully instruction-compatible with the paths enabled in register_x86_intel_crypto. Below is the raw output from a test program on a Hygon Dhyana processor mimicking GnuTLS's read_cpuid_vals(): Vendor ID: HygonGenuine ECX (vals[1]): 0x7ed8320b ? Bit 25 (AES-NI) is 1; Bit 9 (SSSE3) is 1. EBX (vals[2]): 0x209c01a9 ? Bit 29 (SHA-NI) is 1; Bit 5 (AVX2) is 1. The lscpu flags also confirm the presence of aes, ssse3, pclmulqdq, and sha_ni. Once identified, the existing feature-detection logic works perfectly for Hygon. 2. Elaboration on the Crash (0xc0000094) The issue was observed while running Windows versions of Photoshop via Wine on Linux. The Trigger: The application calls BCryptDecrypt for AES decryption. The Failure: When Hygon is identified as VENDOR_OTHER, GnuTLS bypasses hardware acceleration and falls back to the generic Nettle wrapper. Observation: IDA Pro analysis of the execution flow in this environment suggests that the generic software path triggers an Integer Divide-by-Zero (0xc0000094). The Fix: By enabling this patch, GnuTLS correctly initializes the _gnutls_aesni_x86 path. This uses hardware instructions directly, bypassing the problematic software division logic and resolving the crash. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/2053 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Jan 15 13:02:55 2026 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Thu, 15 Jan 2026 12:02:55 +0000 Subject: [gnutls-devel] GnuTLS | lib: add support for Hygon Genuine CPUs in x86 acceleration (!2053) In-Reply-To: References: Message-ID: Alexander Sosedkin commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/2053#note_3008771136 I believe that warrants a separate issue, generic code mustn't crash either. But I don't have access to Hygon CPUs or Photoshop =/ -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/2053#note_3008771136 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Jan 15 18:47:42 2026 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Thu, 15 Jan 2026 17:47:42 +0000 Subject: [gnutls-devel] GnuTLS | SafeSign IC 3.8.0.0 PKCS#11 module and GnuTLS incompatible (#1784) References: Message-ID: Andreas Metzler created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1784 Hello, this is http://bugs.debian.org/1125519 reported by Claudio Ferreira Filho. Attaching verbatim since I really have no opinion whether this is a clear-cut hardware bug or not. Dear Maintainer, I've discovered an incompatibility between GnuTLS 3.8.11 and SafeSign IC 3.8.0.0 PKCS#11 module that prevents the use of SafeSign tokens with applications like OpenConnect VPN. ## Problem Description When GnuTLS attempts to initialize the SafeSign PKCS#11 module, it fails with "Thread locking error" because SafeSign returns CKR_NEED_TO_CREATE_THREADS (0x09) when it receives the CKF_LIBRARY_CANT_CREATE_OS_THREADS flag. This is contradictory behavior: the module is saying "I need to create threads" when explicitly told "you cannot create threads". However, SafeSign works correctly when initialized with flags=0. ## Steps to Reproduce 1. Install SafeSign IC 3.8.0.0 driver (libaetpkss.so) 2. Insert a SafeSign token (e.g., G&D StarSign CUT S) 3. Try to use the token with OpenConnect or any GnuTLS-based application 4. Observe "Cannot initialize PKCS #11 module" error ## Testing Direct testing shows the issue: ```c CK_C_INITIALIZE_ARGS args = {NULL, NULL, NULL, NULL, CKF_OS_LOCKING_OK | CKF_LIBRARY_CANT_CREATE_OS_THREADS, NULL}; rv = C_Initialize(&args); // SafeSign returns: 0x00000009 (CKR_NEED_TO_CREATE_THREADS) args.flags = 0; rv = C_Initialize(&args); // SafeSign returns: 0x00000000 (CKR_OK) ``` ## Proposed Solution Add a fallback for CKR_NEED_TO_CREATE_THREADS similar to the existing CKR_CANT_LOCK fallback. When a module returns CKR_NEED_TO_CREATE_THREADS, retry initialization with flags=0. I've attached a patch that implements this solution. The patch: - Maintains compatibility with conforming PKCS#11 modules - Enables support for SafeSign and potentially other non-conforming modules - Follows the same pattern as the existing CKR_CANT_LOCK fallback - Has been tested successfully with SafeSign tokens ## Impact This issue affects users of: - SafeSign tokens (common in Brazilian government/corporate environments) - OpenConnect VPN with certificate authentication - Any GnuTLS-based application using PKCS#11 ## Environment - Debian: Sid/Forky - GnuTLS: 3.8.11-3 - SafeSign: IC Standard Linux 3.8.0.0 - Token: Giesecke & Devrient StarSign CUT S - Certificate: ICP-Brasil (Brazilian PKI) ## Additional Information The issue does NOT occur with: - pkcs11-tool (OpenSC) - works correctly - GnuTLS 3.7.x (Debian Trixie) - works correctly This suggests the issue was introduced in GnuTLS 3.8.x or that 3.7.x had more lenient initialization logic. ## Documentation Complete investigation and testing documentation available at: https://github.com/dataprev/vpn-safesign-gnutls (if published) The investigation took approximately 8 hours and included: - Analysis of GnuTLS source code - Testing with multiple PKCS#11 modules - Comparison between GnuTLS 3.7.x and 3.8.x - Validation with real-world VPN usage ## Patch Please find attached the patch file: 0001-pkcs11-Add-fallback-for-CKR_NEED_TO_CREATE_THREADS.patch The patch is minimal (7 lines) and follows GnuTLS coding standards. [sugggested.patch](/uploads/17259892134d08ac9dd25c1371e075bb/sugggested.patch) -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1784 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Jan 15 18:53:11 2026 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Thu, 15 Jan 2026 17:53:11 +0000 Subject: [gnutls-devel] GnuTLS | SafeSign IC 3.8.0.0 PKCS#11 module and GnuTLS incompatible (#1784) In-Reply-To: References: Message-ID: Alexander Sosedkin commented: https://gitlab.com/gnutls/gnutls/-/issues/1784#note_3009850758 This is likely fixed with https://gitlab.com/gnutls/gnutls/-/merge_requests/2049, could they try that? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1784#note_3009850758 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Jan 16 19:33:09 2026 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 16 Jan 2026 18:33:09 +0000 Subject: [gnutls-devel] GnuTLS | SafeSign IC 3.8.0.0 PKCS#11 module and GnuTLS incompatible (#1784) In-Reply-To: References: Message-ID: Andreas Metzler commented on a discussion: https://gitlab.com/gnutls/gnutls/-/issues/1784#note_3013035216 Alexander Sosedkin wrote 1 day ago > This is likely fixed with !2049 (merged), could they try that? Yes, Claudio confirmed that !2049 fixes this issue. Thank you! -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1784#note_3013035216 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Jan 16 19:49:05 2026 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 16 Jan 2026 18:49:05 +0000 Subject: [gnutls-devel] GnuTLS | libdane: A bit of a mix of gnutls_calloc and free (#1787) References: Message-ID: Tim R?hsen created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1787 For example: ``` @@ -196,7 +201,7 @@ int dane_query_to_raw_tlsa(dane_query_t q, unsigned int *data_entries, *dane_data_len = gnutls_calloc(q->data_entries + 1, sizeof(**dane_data_len)); if (*dane_data_len == NULL) { - free(*dane_data); + gnutls_free(*dane_data); *dane_data = NULL; return DANE_E_MEMORY_ERROR; } ``` Nothing serious, but better avoid mixing. Maybe worth a general check for these issues in `libdane/dane.c`. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1787 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat Jan 17 00:32:28 2026 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 16 Jan 2026 23:32:28 +0000 Subject: [gnutls-devel] GnuTLS | libdane: A bit of a mix of gnutls_calloc and free (#1787) In-Reply-To: References: Message-ID: Daiki Ueno commented: https://gitlab.com/gnutls/gnutls/-/issues/1787#note_3013777883 ```c - free(*dane_data); + gnutls_free(*dane_data); *dane_data = NULL; ``` Given the commit d39778e43d1674cb3ab3685157fd299816d535c0 introduced automatic NULLification, can't we omit `*dane_data = NULL`? In any case, I'd suggest filing a merge request if you have time :-) -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1787#note_3013777883 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat Jan 17 19:02:59 2026 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Sat, 17 Jan 2026 18:02:59 +0000 Subject: [gnutls-devel] GnuTLS | libdane: A bit of a mix of gnutls_calloc and free (#1787) In-Reply-To: References: Message-ID: Tim R?hsen commented: https://gitlab.com/gnutls/gnutls/-/issues/1787#note_3014699787 > In any case, I'd suggest filing a merge request if you have time :-) I wish I had :disappointed: , too much work for my job. All I can do atm is providing side-products of doing tests with AI finding issues in OSS products. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1787#note_3014699787 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Jan 19 13:40:22 2026 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Mon, 19 Jan 2026 12:40:22 +0000 Subject: [gnutls-devel] GnuTLS | SafeSign IC 3.8.0.0 PKCS#11 module and GnuTLS incompatible (#1784) In-Reply-To: References: Message-ID: Issue was closed by Alexander Sosedkin Issue #1784: https://gitlab.com/gnutls/gnutls/-/issues/1784 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1784 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Jan 19 16:59:53 2026 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Mon, 19 Jan 2026 15:59:53 +0000 Subject: [gnutls-devel] GnuTLS | tests/suite/testdane.sh: try to make it more stable (!2054) References: Message-ID: Alexander Sosedkin created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/2054 Project:Branches: asosedkin/gnutls:testdane-stability to gnutls/gnutls:master Author: Alexander Sosedkin tests/suite/testdane.sh didn't reliably test much. It depends on external infrastructure, but I still see the value of running it in CI to catch the most obvious regressions, so here I'm trying to go for letting it fail for half of the HTTP hosts or even all of the SMTP hosts, but at least test something without annoying us too much. * tests/suite/testdane.sh: with and w/o --local-dns; 50% success rate * tests/suite/testdane.sh: add more SMTP hosts * tests/suite/testdane.sh: add more HTTPS hosts * tests/suite/testdane.sh: insignificant tweaks ## Checklist * [x] Commits have `Signed-off-by:` with name/author being identical to the commit author * [ ] Code modified for feature * [ ] Test suite updated with functionality tests * [ ] Test suite updated with negative tests * [ ] Documentation updated / NEWS entry present (for non-trivial changes) ## Reviewer's checklist: * [ ] Any issues marked for closing are addressed * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md` * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/2054 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Jan 19 17:29:23 2026 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Mon, 19 Jan 2026 16:29:23 +0000 Subject: [gnutls-devel] GnuTLS | tests/suite/testdane.sh: try to make it more stable (!2054) In-Reply-To: References: Message-ID: Alexander Sosedkin commented: https://gitlab.com/gnutls/gnutls/-/merge_requests/2054#note_3017629113 Sigh. ``` [1768839687] libunbound[86264:0] error: error parsing local-data at 71 'runner-ouuucgm9h-project-19721118-concurrent-1-c99eea43d5408809-build A 10.89.1.6': Label length overflow [1768839687] libunbound[86264:0] error: Bad local-data RR runner-ouuucgm9h-project-19721118-concurrent-1-c99eea43d5408809-build A 10.89.1.6 ``` on self-hosted runners is due to the hostname being too long. will need to apply something like https://gitlab.com/gitlab-org/gitlab-runner/-/issues/26718#note_2008549120 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/2054#note_3017629113 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Jan 19 19:35:15 2026 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Mon, 19 Jan 2026 18:35:15 +0000 Subject: [gnutls-devel] GnuTLS | tests/suite/testdane.sh: try to make it more stable (!2054) In-Reply-To: References: Message-ID: Alexander Sosedkin commented: https://gitlab.com/gnutls/gnutls/-/merge_requests/2054#note_3017849490 I give up tracing how I ended up with the hostname being overly long. Skipping on such hosts. Force-push to run again to check it's really stable. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/2054#note_3017849490 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Mon Jan 19 20:30:23 2026 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Mon, 19 Jan 2026 19:30:23 +0000 Subject: [gnutls-devel] GnuTLS | malformed CCS in TLS 1.3 is discarded without an alert (#1788) References: Message-ID: Alexander Sosedkin created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1788 ## Description of problem: malformed CCS in TLS 1.3 is discarded without an alert ## Version of gnutls used: gnutls-3.8.11-5.fc43.x86_64 ## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL) Fedora ## How reproducible: reliably Steps to Reproduce: * `gnutls-serv --x509keyfile=key.pem --x509certfile=cert.pem --disable-client-cert --port=4433 --debug=10` (that 10 is important to see the 'discarding' message, its absence has initially confused me) * python3 scripts/test-tls13-ccs.py -p 4433 "two byte long CCS" ## Actual results: Server logs discarding change cipher spec in TLS1.3 and waits for more data: `|<10>| discarding change cipher spec in TLS1.3`. The tlsfuzzer script then times out. ## Expected results: Server validates CCS value and follows [RFC8446 Section 5](https://datatracker.ietf.org/doc/html/rfc8446#section-5): > An implementation which receives any other change_cipher_spec value or which receives a protected change_cipher_spec record MUST abort the handshake with an "unexpected_message" alert. ## Relevant code pointers: https://gitlab.com/gnutls/gnutls/-/blob/0c49dc6db376c2eccae98b0623dab60729d8f171/lib/record.c#L1333 ## Testing: I plan to update tlsfuzzer submodule and exclude the test initially. Then the validation could be just removing that exclusion from tests/suite/tls-fuzzer/gnutls-nocert-tls13.json. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1788 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Jan 20 01:42:49 2026 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 20 Jan 2026 00:42:49 +0000 Subject: [gnutls-devel] GnuTLS | tests/suite/tls-fuzzer: update submodules, tweak/enable tests (!2055) References: Message-ID: Alexander Sosedkin created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/2055 Project:Branches: asosedkin/gnutls:update-tlsfuzzer to gnutls/gnutls:master Author: Alexander Sosedkin * tests/suite/tls-fuzzer: update submodules, tweak/enable tests Modifies existing invocations of some updated tests: * test-dhe-rsa-key-exchange-with-bad-messages.py: wrong alert on missing dh_Yc * test-ecdsa-in-certificate-verify.py: skip sha224 and brainpool * test-tls13-ccs.py: see #1788 * test-tls13-certificate-verify.py: expect ML-DSA sigalgs * test-tls13-ecdsa-in-certificate-verify.py: expect ML-DSA sigalgs * test-tls13-ecdsa-support.py: no support for brainpool * test-tls13-keyupdate.py: be OK with first KeyUpdate taking effect * test-tls13-session-resumption.py: no NST on PSK_ONLY; wrong cert on 1.2 -> 1.3 Adds invocations for select new tests: * test-ccs.py * test-connection-abort.py * test-interleaved-CKE-with-CCS.py * test-no-mlkem-in-old-tls.py * test-point-extension.py (with a lot of waiving) * test-tls13-connection-abort.py * test-tls13-no-unknown-groups.py * test-tls13-unencrypted-alert.py Signed-off-by: Alexander Sosedkin CC: @tomato42 ## Checklist * [x] Commits have `Signed-off-by:` with name/author being identical to the commit author * [ ] Code modified for feature * [ ] Test suite updated with functionality tests * [ ] Test suite updated with negative tests * [ ] Documentation updated / NEWS entry present (for non-trivial changes) ## Reviewer's checklist: * [ ] Any issues marked for closing are addressed * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md` * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/2055 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Jan 20 01:44:10 2026 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 20 Jan 2026 00:44:10 +0000 Subject: [gnutls-devel] GnuTLS | tests/scripts/common.sh: avoid ephemeral port range in GETPORT (!2056) References: Message-ID: Alexander Sosedkin created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/2056 Project:Branches: asosedkin/gnutls:getport-avoid-ephemeral to gnutls/gnutls:master Author: Alexander Sosedkin * tests/scripts/common.sh: avoid ephemeral port range in GETPORT The idea is to avoid a race condition between checking the port and some outgoing connection snatching it before the server binds to it. We're still racing against others, just outside of the ephemeral range. Signed-off-by: Alexander Sosedkin ## Checklist * [x] Commits have `Signed-off-by:` with name/author being identical to the commit author * [ ] Code modified for feature * [ ] Test suite updated with functionality tests * [ ] Test suite updated with negative tests * [ ] Documentation updated / NEWS entry present (for non-trivial changes) ## Reviewer's checklist: * [ ] Any issues marked for closing are addressed * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md` * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/2056 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Jan 20 01:45:53 2026 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 20 Jan 2026 00:45:53 +0000 Subject: [gnutls-devel] GnuTLS | tests/scripts/common.sh: avoid IPv6 in check_if_port_* (!2057) References: Message-ID: Alexander Sosedkin created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/2057 Project:Branches: asosedkin/gnutls:getport-avoid-ipv6 to gnutls/gnutls:master Author: Alexander Sosedkin * tests/scripts/common.sh: avoid IPv6 in check_if_port_* I've encountered a race condition when IPv4 couldn't bind, IPv6 did bind, the check passed because IPv6 could bind, but then tlsfuzzer testsuite used IPv4 and failed. One of the simplest solutions is to filter out IPv6 in the checks. Signed-off-by: Alexander Sosedkin I know it's not exactly the cleanest approach, and I'm open to better ideas. ## Checklist * [x] Commits have `Signed-off-by:` with name/author being identical to the commit author * [ ] Code modified for feature * [ ] Test suite updated with functionality tests * [ ] Test suite updated with negative tests * [ ] Documentation updated / NEWS entry present (for non-trivial changes) ## Reviewer's checklist: * [ ] Any issues marked for closing are addressed * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md` * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/2057 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Jan 20 03:54:20 2026 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 20 Jan 2026 02:54:20 +0000 Subject: [gnutls-devel] GnuTLS | libdane: A bit of a mix of gnutls_calloc and free (#1787) In-Reply-To: References: Message-ID: Daiki Ueno commented on a discussion: https://gitlab.com/gnutls/gnutls/-/issues/1787#note_3018364856 I'm also busy so I asked AI to help write a GCC analyzer [plugin](https://gitlab.com/dueno/matchdealloc) to detect such issues :-) -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1787#note_3018364856 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Jan 20 09:57:44 2026 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 20 Jan 2026 08:57:44 +0000 Subject: [gnutls-devel] GnuTLS | libdane: A bit of a mix of gnutls_calloc and free (#1787) In-Reply-To: References: Message-ID: Tim R?hsen commented: https://gitlab.com/gnutls/gnutls/-/issues/1787#note_3019067450 Great idea, very useful, love it! -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1787#note_3019067450 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Jan 20 10:25:53 2026 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 20 Jan 2026 09:25:53 +0000 Subject: [gnutls-devel] GnuTLS | tests/suite/tls-fuzzer: update submodules, tweak/enable tests (!2055) In-Reply-To: References: Message-ID: Alicja Kario (@mention me if you need reply) started a new discussion on tests/suite/tls-fuzzer/gnutls-nocert-tls13.json: https://gitlab.com/gnutls/gnutls/-/merge_requests/2055#note_3019194928 > {"name" : "test-tls13-keyshare-omitted.py", > "arguments": ["-p", "@PORT@"]}, > {"name" : "test-tls13-keyupdate.py", > - "comment" : "we have limits that prohibit the running multiple messages test; app data split timeouts waiting for new session ticket", > + "comment" : "we have limits that prohibit the running multiple messages test; app data split timeouts waiting for new session ticket; two KeyUpdates in one record sends bad_record_mac instead of unexpected_message", shouldn't we have a bug for this? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/2055#note_3019194928 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Jan 20 15:15:48 2026 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 20 Jan 2026 14:15:48 +0000 Subject: [gnutls-devel] GnuTLS | tests/suite/tls-fuzzer: update submodules, tweak/enable tests (!2055) In-Reply-To: References: Message-ID: Alexander Sosedkin commented on a discussion on tests/suite/tls-fuzzer/gnutls-nocert-tls13.json: https://gitlab.com/gnutls/gnutls/-/merge_requests/2055#note_3020092478 > {"name" : "test-tls13-keyshare-omitted.py", > "arguments": ["-p", "@PORT@"]}, > {"name" : "test-tls13-keyupdate.py", > - "comment" : "we have limits that prohibit the running multiple messages test; app data split timeouts waiting for new session ticket", > + "comment" : "we have limits that prohibit the running multiple messages test; app data split timeouts waiting for new session ticket; two KeyUpdates in one record sends bad_record_mac instead of unexpected_message", > Handshake messages MUST NOT span key changes. Implementations MUST verify that all messages immediately preceding a key change align with a record boundary; if not, then they MUST terminate the connection with an "unexpected_message" alert. > [RFC 8846 5.1](https://www.ietf.org/rfc/rfc8446.html#section-5.1) Ehh, you're right, turns out this ain't as legal as it seemed to me last night. Will file a ticket. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/2055#note_3020092478 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Jan 20 16:28:29 2026 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 20 Jan 2026 15:28:29 +0000 Subject: [gnutls-devel] GnuTLS | two KeyUpdates in one record do not get rejected with unexpected_message (#1789) References: Message-ID: Alexander Sosedkin created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1789 ## Description of problem: processing two KeyUpdate handshake messages in a single TLS 1.3 record doesn't abort with `unexpected_message`, but rather leads to a subsequent `bad_record_mac`. ## Version of gnutls used: gnutls-3.8.11-5.fc43 ## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL) Fedora ## How reproducible: reliably Steps to Reproduce: * set up tlsfuzzer * spin up a gnutls server * run `test-tls13-keyupdate.py` against the gnutls server ## Actual results: both KeyUpdate messages are processed by gnutls, which then fails with `bad_record_mac`. ## Expected results: gnutls implements stricter validation prescribed in [RFC 8446 5.1](https://www.ietf.org/rfc/rfc8446.html#section-5.1), refuses to process the second KeyUpdate and aborts with an `unexpected_message`: > Handshake messages MUST NOT span key changes. Implementations MUST verify that all messages immediately preceding a key change align with a record boundary; if not, then they MUST terminate the connection with an "unexpected_message" alert. ## Testing: I plan to update tlsfuzzer submodule in !2055 and waive the test initially. Then the validation could be just removing the expected failure from tests/suite/tls-fuzzer/gnutls-nocert-tls13.json. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1789 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Jan 20 16:28:48 2026 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 20 Jan 2026 15:28:48 +0000 Subject: [gnutls-devel] GnuTLS | tests/suite/tls-fuzzer: update submodules, tweak/enable tests (!2055) In-Reply-To: References: Message-ID: All discussions on merge request !2055 were resolved by Alexander Sosedkin https://gitlab.com/gnutls/gnutls/-/merge_requests/2055 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/2055 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Jan 20 16:28:47 2026 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 20 Jan 2026 15:28:47 +0000 Subject: [gnutls-devel] GnuTLS | tests/suite/tls-fuzzer: update submodules, tweak/enable tests (!2055) In-Reply-To: References: Message-ID: Alexander Sosedkin commented on a discussion on tests/suite/tls-fuzzer/gnutls-nocert-tls13.json: https://gitlab.com/gnutls/gnutls/-/merge_requests/2055#note_3020352129 > {"name" : "test-tls13-keyshare-omitted.py", > "arguments": ["-p", "@PORT@"]}, > {"name" : "test-tls13-keyupdate.py", > - "comment" : "we have limits that prohibit the running multiple messages test; app data split timeouts waiting for new session ticket", > + "comment" : "we have limits that prohibit the running multiple messages test; app data split timeouts waiting for new session ticket; two KeyUpdates in one record sends bad_record_mac instead of unexpected_message", And that'd be https://gitlab.com/gnutls/gnutls/-/issues/1789 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/2055#note_3020352129 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Jan 21 20:09:57 2026 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 21 Jan 2026 19:09:57 +0000 Subject: [gnutls-devel] GnuTLS | libdane: A bit of a mix of gnutls_calloc and free (#1787) In-Reply-To: References: Message-ID: Brendan Shanks commented on a discussion: https://gitlab.com/gnutls/gnutls/-/issues/1787#note_3024730452 I think [`__attribute__((malloc))`](https://gcc.gnu.org/onlinedocs/gcc/Common-Function-Attributes.html#index-malloc-function-attribute) serves the same purpose? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1787#note_3024730452 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Jan 22 03:16:19 2026 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Thu, 22 Jan 2026 02:16:19 +0000 Subject: [gnutls-devel] GnuTLS | libdane: A bit of a mix of gnutls_calloc and free (#1787) In-Reply-To: References: Message-ID: Daiki Ueno commented on a discussion: https://gitlab.com/gnutls/gnutls/-/issues/1787#note_3025297425 Thanks, I didn't know the attribute can take a deallocator argument. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1787#note_3025297425 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Jan 22 10:37:54 2026 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Thu, 22 Jan 2026 09:37:54 +0000 Subject: [gnutls-devel] GnuTLS | rnd: use matching allocator for gnutls_free (!2058) References: Message-ID: Daiki Ueno created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/2058 Project:Branches: dueno/gnutls:wip/dueno/gcc-analyzer-fixes to gnutls/gnutls:master Author: Daiki Ueno * ocsp: suppress false-positive reported by GCC 15 analyzer GCC 15 analyzer reports: ``` ocsp.c:2470:17: warning: dereference of NULL '*ocsps' [CWE-476] [-Wanalyzer-null-dereference] 2470 | gnutls_ocsp_resp_deinit((*ocsps)[i]); | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ``` `*ocsps` should always be non-NULL when this part is exercised. This adds an assertion for that. * dane: use matching deallocator for gnutls_malloc Spotted by GCC analyzer: ``` dane.c:972:17: warning: memory allocated with 'gnutls_malloc' should be deallocated with 'free' but was deallocated with 'free' 972 | free(new_cert_list); | ^~~~~~~~~~~~~~~~~~~ ``` * rnd: use matching allocator for gnutls_free ## Checklist * [x] Commits have `Signed-off-by:` with name/author being identical to the commit author * [ ] Code modified for feature * [ ] Test suite updated with functionality tests * [ ] Test suite updated with negative tests * [ ] Documentation updated / NEWS entry present (for non-trivial changes) ## Reviewer's checklist: * [ ] Any issues marked for closing are addressed * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md` * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/2058 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Jan 22 10:43:34 2026 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Thu, 22 Jan 2026 09:43:34 +0000 Subject: [gnutls-devel] GnuTLS | libdane: A bit of a mix of gnutls_calloc and free (#1787) In-Reply-To: References: Message-ID: Milestone changed to Release of GnuTLS 3.8.12 (Nov 18, 2025?Jan 18, 2026) ( https://gitlab.com/gnutls/gnutls/-/milestones/50 ) -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1787 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Jan 22 10:43:31 2026 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Thu, 22 Jan 2026 09:43:31 +0000 Subject: [gnutls-devel] GnuTLS | libdane: A bit of a mix of gnutls_calloc and free (#1787) In-Reply-To: References: Message-ID: Milestone changed to Release of GnuTLS 3.10.0 ( https://gitlab.com/gnutls/gnutls/-/milestones/38 ) -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1787 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Jan 22 18:08:26 2026 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Thu, 22 Jan 2026 17:08:26 +0000 Subject: [gnutls-devel] GnuTLS | assorted test stability improvements (!2059) References: Message-ID: Alexander Sosedkin created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/2059 Project:Branches: asosedkin/gnutls:tests-assorted-stability to gnutls/gnutls:master Author: Alexander Sosedkin Should fix a few CI failures, all probabilistic and sorta rare: - tests/suite/tls-fuzzer: exclude test?tls13?finished.py padding tests as gnutls sends NST early (explicitly valid by RFC8446 4.6.1) and that races against sending malformed Finished. - tests/resume.c: use a callback for processing NST data This is supposed to avoid a rare race condition with NST coming late. The callback and its use are taken from tests/tls13/hello_retry_request_resume.c - tests/suite/testrng.sh: shorten with a helper, check ./rng return code - tests/cert-reencoding.sh: clean up, valgrind, force IPv4 ## Checklist * [x] Commits have `Signed-off-by:` with name/author being identical to the commit author * [ ] Code modified for feature * [ ] Test suite updated with functionality tests * [ ] Test suite updated with negative tests * [ ] Documentation updated / NEWS entry present (for non-trivial changes) ## Reviewer's checklist: * [ ] Any issues marked for closing are addressed * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md` * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/2059 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Jan 23 01:28:03 2026 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 23 Jan 2026 00:28:03 +0000 Subject: [gnutls-devel] GnuTLS | Use matching allocator/deallocator (!2058) In-Reply-To: References: Message-ID: Alexander Sosedkin was added as a reviewer. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/2058 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Jan 23 18:01:58 2026 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 23 Jan 2026 17:01:58 +0000 Subject: [gnutls-devel] GnuTLS | Use matching allocator/deallocator (!2058) In-Reply-To: References: Message-ID: Alexander Sosedkin started a new discussion on libdane/dane.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/2058#note_3030966929 > *dane_data_len = > gnutls_calloc(q->data_entries + 1, sizeof(**dane_data_len)); > if (*dane_data_len == NULL) { > free(*dane_data); Here's at least one mismatched free the analyzer didn't catch. `-Wanalyzer-too-complex` suggests it cuts the analysis short, and I get that the complexity could be real high when the inter-functional analysis meets a huge callgraph, but the mismatch here is entirely within one function =/ If only it still checked the smaller subtrees, or at least the leaves... -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/2058#note_3030966929 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Jan 23 18:03:11 2026 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 23 Jan 2026 17:03:11 +0000 Subject: [gnutls-devel] GnuTLS | Use matching allocator/deallocator (!2058) In-Reply-To: References: Message-ID: Alexander Sosedkin started a new discussion on libdane/dane.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/2058#note_3030969405 > *dane_data_len = > gnutls_calloc(q->data_entries + 1, sizeof(**dane_data_len)); > if (*dane_data_len == NULL) { > free(*dane_data); Here's at least one mismatched free the analyzer didn't catch. `-Wanalyzer-too-complex` suggests it cuts the analysis short, and I get that the complexity could be real high when the inter-functional analysis meets a huge callgraph, but the mismatch here is entirely within one function =/ If only it still checked the smaller subtrees, or at least the leaves... -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/2058#note_3030969405 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Jan 23 20:24:23 2026 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 23 Jan 2026 19:24:23 +0000 Subject: [gnutls-devel] GnuTLS | Use matching allocator/deallocator (!2058) In-Reply-To: References: Message-ID: Alexander Sosedkin commented: https://gitlab.com/gnutls/gnutls/-/merge_requests/2058#note_3031254571 And another one I found uses `_gnutls_reallocarray`: https://gitlab.com/gnutls/gnutls/-/blob/0c49dc6db376c2eccae98b0623dab60729d8f171/lib/cert-cred-x509.c#L1306 https://gitlab.com/gnutls/gnutls/-/blob/0c49dc6db376c2eccae98b0623dab60729d8f171/lib/cert-cred-x509.c#L1332 I used a delightfully low-fi and non-comprehensive approach to identify the suspicious places: mixed mentions within curly bracket blocks: ``` #/usr/bin/env python # public domain, trivial import sys import re from pathlib import Path ALLOCATOR_RELATED_FUNCTIONS = [ ['malloc', 'calloc', 'realloc', 'strdup', 'free'], ['gnutls_malloc', 'gnutls_calloc', 'gnutls_realloc', 'gnutls_realloc_fast', '_gnutls_reallocarray', '_gnutls_reallocarray_fast', 'gnutls_strdup', 'gnutls_free', 'gnutls_zfree'] ] for filepath in sorted(sys.argv[1:]): content = Path(filepath).read_text() if content.count('{') != content.count('}'): print(f'{filepath} has curly brace mismatch') continue stack, blocks = [], [] for i, char in enumerate(content): if char == '{': stack.append(i) elif char == '}': blocks.append((stack.pop(), i)) for start, end in blocks: block_text = content[start:end+1] families = [] for family in ALLOCATOR_RELATED_FUNCTIONS: funcs = [f for f in family if re.search(rf'\b{f}\b', block_text)] if funcs: families.append(funcs) if len(families) > 1: start_line = content[:start].count('\n') + 1 end_line = content[:end].count('\n') + 1 print(f'{filepath}:{start_line}-{end_line}: might mix up ' + ' with '.join(['/'.join(funcs) for funcs in families])) ``` -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/2058#note_3031254571 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Jan 23 20:27:00 2026 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 23 Jan 2026 19:27:00 +0000 Subject: [gnutls-devel] GnuTLS | Use matching allocator/deallocator (!2058) In-Reply-To: References: Message-ID: Alexander Sosedkin commented: https://gitlab.com/gnutls/gnutls/-/merge_requests/2058#note_3031258316 I find your plugin approach neat and the issues found by it are definitely worth fixing. I initially wanted to plumb the plugin into the CI, but it giving up on complex code makes me think it ain't worth it, unfortunately =/ And I couldn't find a way to convince it to stop giving up. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/2058#note_3031258316 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Jan 27 14:46:43 2026 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 27 Jan 2026 13:46:43 +0000 Subject: [gnutls-devel] GnuTLS | tests/suite/tls-fuzzer: update submodules, tweak/enable tests (!2055) In-Reply-To: References: Message-ID: Alicja Kario (@mention me if you need reply) commented: https://gitlab.com/gnutls/gnutls/-/merge_requests/2055#note_3037786156 LGTM -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/2055#note_3037786156 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Jan 27 14:47:18 2026 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 27 Jan 2026 13:47:18 +0000 Subject: [gnutls-devel] GnuTLS | tests/suite/tls-fuzzer: update submodules, tweak/enable tests (!2055) In-Reply-To: References: Message-ID: All discussions on merge request !2055 were resolved by Alicja Kario (@mention me if you need reply) https://gitlab.com/gnutls/gnutls/-/merge_requests/2055 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/2055 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Jan 27 14:47:29 2026 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 27 Jan 2026 13:47:29 +0000 Subject: [gnutls-devel] GnuTLS | tests/suite/tls-fuzzer: update submodules, tweak/enable tests (!2055) In-Reply-To: References: Message-ID: Merge request !2055 was approved by Alicja Kario (@mention me if you need reply) Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/2055 Project:Branches: asosedkin/gnutls:update-tlsfuzzer to gnutls/gnutls:master Author: Alexander Sosedkin Assignees: Reviewers: -- You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Jan 27 15:38:41 2026 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 27 Jan 2026 14:38:41 +0000 Subject: [gnutls-devel] GnuTLS | assorted test stability improvements (!2059) In-Reply-To: References: Message-ID: Alicja Kario (@mention me if you need reply) commented: https://gitlab.com/gnutls/gnutls/-/merge_requests/2059#note_3037971294 LGTM -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/2059#note_3037971294 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Jan 27 15:40:00 2026 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 27 Jan 2026 14:40:00 +0000 Subject: [gnutls-devel] GnuTLS | tests/scripts/common.sh: avoid ephemeral port range in GETPORT (!2056) In-Reply-To: References: Message-ID: Alicja Kario (@mention me if you need reply) commented: https://gitlab.com/gnutls/gnutls/-/merge_requests/2056#note_3037976097 LGTM -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/2056#note_3037976097 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Jan 27 15:41:12 2026 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 27 Jan 2026 14:41:12 +0000 Subject: [gnutls-devel] GnuTLS | tests/scripts/common.sh: avoid IPv6 in check_if_port_* (!2057) In-Reply-To: References: Message-ID: Alicja Kario (@mention me if you need reply) commented: https://gitlab.com/gnutls/gnutls/-/merge_requests/2057#note_3037981206 LGTM though fixing tlsfuzzer to support IPv6 should be possible too... -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/2057#note_3037981206 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Jan 27 15:43:26 2026 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 27 Jan 2026 14:43:26 +0000 Subject: [gnutls-devel] GnuTLS | assorted test stability improvements (!2059) In-Reply-To: References: Message-ID: Merge request !2059 was approved by Alicja Kario (@mention me if you need reply) Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/2059 Project:Branches: asosedkin/gnutls:tests-assorted-stability to gnutls/gnutls:master Author: Alexander Sosedkin Assignees: Reviewers: -- You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Jan 27 15:44:20 2026 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 27 Jan 2026 14:44:20 +0000 Subject: [gnutls-devel] GnuTLS | tests/scripts/common.sh: avoid ephemeral port range in GETPORT (!2056) In-Reply-To: References: Message-ID: Merge request !2056 was approved by Alicja Kario (@mention me if you need reply) Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/2056 Project:Branches: asosedkin/gnutls:getport-avoid-ephemeral to gnutls/gnutls:master Author: Alexander Sosedkin Assignees: Reviewers: -- You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Jan 27 15:44:50 2026 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 27 Jan 2026 14:44:50 +0000 Subject: [gnutls-devel] GnuTLS | tests/scripts/common.sh: avoid IPv6 in check_if_port_* (!2057) In-Reply-To: References: Message-ID: Merge request !2057 was approved by Alicja Kario (@mention me if you need reply) Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/2057 Project:Branches: asosedkin/gnutls:getport-avoid-ipv6 to gnutls/gnutls:master Author: Alexander Sosedkin Assignees: Reviewers: -- You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Jan 27 16:21:48 2026 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 27 Jan 2026 15:21:48 +0000 Subject: [gnutls-devel] GnuTLS | tests/suite/tls-fuzzer: update submodules, tweak/enable tests (!2055) In-Reply-To: References: Message-ID: Alexander Sosedkin commented: https://gitlab.com/gnutls/gnutls/-/merge_requests/2055#note_3038148925 Thank you for the review! -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/2055#note_3038148925 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Jan 27 16:23:09 2026 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 27 Jan 2026 15:23:09 +0000 Subject: [gnutls-devel] GnuTLS | tests/suite/tls-fuzzer: update submodules, tweak/enable tests (!2055) In-Reply-To: References: Message-ID: Merge request !2055 was merged Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/2055 Project:Branches: asosedkin/gnutls:update-tlsfuzzer to gnutls/gnutls:master Author: Alexander Sosedkin -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/2055 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Jan 27 16:45:17 2026 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 27 Jan 2026 15:45:17 +0000 Subject: [gnutls-devel] GnuTLS | tests/scripts/common.sh: avoid ephemeral port range in GETPORT (!2056) In-Reply-To: References: Message-ID: Merge request !2056 was merged Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/2056 Project:Branches: asosedkin/gnutls:getport-avoid-ephemeral to gnutls/gnutls:master Author: Alexander Sosedkin -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/2056 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Jan 27 17:36:26 2026 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 27 Jan 2026 16:36:26 +0000 Subject: [gnutls-devel] GnuTLS | assorted test stability improvements (!2059) In-Reply-To: References: Message-ID: Alexander Sosedkin commented: https://gitlab.com/gnutls/gnutls/-/merge_requests/2059#note_3038417722 Thank you for the review! -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/2059#note_3038417722 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Tue Jan 27 17:36:30 2026 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Tue, 27 Jan 2026 16:36:30 +0000 Subject: [gnutls-devel] GnuTLS | assorted test stability improvements (!2059) In-Reply-To: References: Message-ID: Merge request !2059 was merged Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/2059 Project:Branches: asosedkin/gnutls:tests-assorted-stability to gnutls/gnutls:master Author: Alexander Sosedkin -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/2059 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Jan 28 13:06:43 2026 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 28 Jan 2026 12:06:43 +0000 Subject: [gnutls-devel] GnuTLS | tests/scripts/common.sh: avoid IPv6 in check_if_port_* (!2057) In-Reply-To: References: Message-ID: Merge request !2057 was merged Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/2057 Project:Branches: asosedkin/gnutls:getport-avoid-ipv6 to gnutls/gnutls:master Author: Alexander Sosedkin -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/2057 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Wed Jan 28 13:23:15 2026 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Wed, 28 Jan 2026 12:23:15 +0000 Subject: [gnutls-devel] GnuTLS | lib: add support for Hygon Genuine CPUs in x86 acceleration (!2053) In-Reply-To: References: Message-ID: Merge request !2053 was approved by Alexander Sosedkin Merge request URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/2053 Project:Branches: wxphaha/gnutls:adapter-Hygon to gnutls/gnutls:master Author: xinpeng wang Assignees: Reviewers: -- You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Jan 29 09:39:08 2026 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Thu, 29 Jan 2026 08:39:08 +0000 Subject: [gnutls-devel] GnuTLS | Support building with Nettle 4.0 (#1791) References: Message-ID: Daiki Ueno created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1791 Now that Nettle 4.0-rc1 has been [released](https://marc.info/?l=nettle-bugs&m=176961924602323&w=2), we should make GnuTLS build with that version. A tricky thing is that Nettle 4.0 introduces backward incompatible API changes, mainly omitting the output length argument from the hash functions. As we are still keeping compatibility with Nettle 3.6+ on the GnuTLS 3.8.x branch, I'd suggest the following approaches: - First try porting to Nettle 4 API only - Build with Nettle 3.6+, add compatibility definitions (or helper functions) as needed, in a revertible way - Update the bundled copy of Nettle source to Nettle 4.0-rc1 Alternatively we can jump to GnuTLS 4.0 as well and drop support for Nettle 3.6, but in that case I guess we need more discussion, which other backward incompatible changes we want to pick. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1791 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Jan 29 16:51:50 2026 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Thu, 29 Jan 2026 15:51:50 +0000 Subject: [gnutls-devel] GnuTLS | Fix parsing of BIT STRING encoded EdDSA keys (!2060) References: Message-ID: Zolt?n Fridrich created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/2060 Project:Branches: ZoltanFridrich/gnutls:zfridric_devel to gnutls/gnutls:master Author: Zolt?n Fridrich Assignee: Zolt?n Fridrich Reviewers: Daiki Ueno and Conor Tull Closes #1749 * Fix parsing of BIT STRING encoded EdDSA keys Signed-off-by: Zoltan Fridrich ## Checklist * [ ] Commits have `Signed-off-by:` with name/author being identical to the commit author * [ ] Code modified for feature * [ ] Test suite updated with functionality tests * [ ] Test suite updated with negative tests * [ ] Documentation updated / NEWS entry present (for non-trivial changes) ## Reviewer's checklist: * [ ] Any issues marked for closing are addressed * [ ] There is a test suite reasonably covering new functionality or modifications * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md` * [ ] This feature/change has adequate documentation added * [ ] No obvious mistakes in the code -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/2060 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Jan 29 16:51:49 2026 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Thu, 29 Jan 2026 15:51:49 +0000 Subject: [gnutls-devel] GnuTLS | Fix parsing of BIT STRING encoded EdDSA keys (!2060) In-Reply-To: References: Message-ID: Daiki Ueno and Conor Tull were added as reviewers. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/2060 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Jan 29 16:51:53 2026 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Thu, 29 Jan 2026 15:51:53 +0000 Subject: [gnutls-devel] GnuTLS | Fix parsing of BIT STRING encoded EdDSA keys (!2060) In-Reply-To: References: Message-ID: Reassigned merge request 2060 https://gitlab.com/gnutls/gnutls/-/merge_requests/2060 Zolt?n Fridrich was added as an assignee. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/2060 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Jan 29 17:01:15 2026 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Thu, 29 Jan 2026 16:01:15 +0000 Subject: [gnutls-devel] GnuTLS | Parsing of BIT STRING encoded EdDSA key fails in _gnutls_x509_decode_string (#1749) In-Reply-To: References: Message-ID: Reassigned Issue 1749 https://gitlab.com/gnutls/gnutls/-/issues/1749 Zolt?n Fridrich was added as an assignee. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1749 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Jan 29 21:01:24 2026 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Thu, 29 Jan 2026 20:01:24 +0000 Subject: [gnutls-devel] GnuTLS | Fix parsing of BIT STRING encoded EdDSA keys (!2060) In-Reply-To: References: Message-ID: Conor Tull was removed from reviewers. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/2060 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Jan 29 22:54:23 2026 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Thu, 29 Jan 2026 21:54:23 +0000 Subject: [gnutls-devel] GnuTLS | Support building with Nettle 4.0 (#1791) In-Reply-To: References: Message-ID: Simon Josefsson commented: https://gitlab.com/gnutls/gnutls/-/issues/1791#note_3045906110 What's the point of the bundled nettle? Removing that seems to resolve some concerns. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1791#note_3045906110 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Thu Jan 29 23:43:03 2026 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Thu, 29 Jan 2026 22:43:03 +0000 Subject: [gnutls-devel] GnuTLS | Support building with Nettle 4.0 (#1791) In-Reply-To: References: Message-ID: Daiki Ueno commented: https://gitlab.com/gnutls/gnutls/-/issues/1791#note_3045984127 The purpose of bundling some nettle code has been to support new functionalities in nettle without bumping the version requirement of nettle. For example, RSA-OAEP and AES-GCM-SIV are a new addition in nettle 3.9 and 3.10, while we previously supported 3.6 at minimum. If we can hard-require 4.0+ and always bump the required nettle version, that would be simpler, though it would make backporting (e.g., to RHEL-9, RHEL-8, ...) harder. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1791#note_3045984127 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Jan 30 04:05:09 2026 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 30 Jan 2026 03:05:09 +0000 Subject: [gnutls-devel] GnuTLS | Fix parsing of BIT STRING encoded EdDSA keys (!2060) In-Reply-To: References: Message-ID: Daiki Ueno commented: https://gitlab.com/gnutls/gnutls/-/merge_requests/2060#note_3046311739 Can we have a test? I remember @ctull had some test data. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/2060#note_3046311739 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Jan 30 04:05:10 2026 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 30 Jan 2026 03:05:10 +0000 Subject: [gnutls-devel] GnuTLS | Fix parsing of BIT STRING encoded EdDSA keys (!2060) In-Reply-To: References: Message-ID: Merge request https://gitlab.com/gnutls/gnutls/-/merge_requests/2060 was reviewed by Daiki Ueno -- Daiki Ueno started a new discussion on lib/pubkey.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/2060#note_3046311710 > + ASN1_ETYPE_OCTET_STRING, ecpoint->data, > + ecpoint->size, > + (const unsigned char **)&raw_point.data, Isn't `raw_point.data` leaking, as `asn1_decode_simple_der` returns data allocated with the system `malloc` and no call to `gnutls_free` at the end of this function anymore? -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/2060 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Jan 30 08:29:02 2026 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 30 Jan 2026 07:29:02 +0000 Subject: [gnutls-devel] GnuTLS | Fix parsing of BIT STRING encoded EdDSA keys (!2060) In-Reply-To: References: Message-ID: Zolt?n Fridrich commented on a discussion on lib/pubkey.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/2060#note_3046637989 > + &len_len); > + if (data_len < 0) > + return gnutls_assert_val( > + GNUTLS_E_ASN1_DER_ERROR); > + > + /* skip first byte of data (number of unused bits at the end) */ > + raw_point.data = ecpoint->data + tag_len + len_len + 1; > + raw_point.size = data_len - 1; > break; > - case 0x04: > - etype = ASN1_ETYPE_OCTET_STRING; > + case 0x04: /* OCTET STRING */ > + ret = asn1_decode_simple_der( > + ASN1_ETYPE_OCTET_STRING, ecpoint->data, > + ecpoint->size, > + (const unsigned char **)&raw_point.data, No, it is not. >From libtasn1 manual: asn1_decode_simple_der "Decodes a simple DER encoded type (e.g. a string, which is not constructed). The output is a pointer inside the der ." -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/2060#note_3046637989 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Jan 30 08:29:22 2026 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 30 Jan 2026 07:29:22 +0000 Subject: [gnutls-devel] GnuTLS | Fix parsing of BIT STRING encoded EdDSA keys (!2060) In-Reply-To: References: Message-ID: All discussions on merge request !2060 were resolved by Zolt?n Fridrich https://gitlab.com/gnutls/gnutls/-/merge_requests/2060 -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/2060 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Fri Jan 30 08:32:16 2026 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Fri, 30 Jan 2026 07:32:16 +0000 Subject: [gnutls-devel] GnuTLS | Fix parsing of BIT STRING encoded EdDSA keys (!2060) In-Reply-To: References: Message-ID: Zolt?n Fridrich commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/2060#note_3046645141 I think we can. -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/2060#note_3046645141 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnutls-devel at lists.gnutls.org Sat Jan 31 20:41:36 2026 From: gnutls-devel at lists.gnutls.org (Read-only notification of GnuTLS library development activities) Date: Sat, 31 Jan 2026 19:41:36 +0000 Subject: [gnutls-devel] GnuTLS | bootstrap fails when using gettext (autopoint) v. 1.0 (#1792) References: Message-ID: L-series created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1792 ## Description of problem: When running the bootstrap script or autoreconf, the newer version of autopoint detects duplicate `AM_GNU_GETTEXT_REQUIRE_VERSION` macros. ## Version of gnutls used: Commit id: `c235143f6f46edcd99eaffca7c848b51a753724a` ## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL) Build from source. ## How reproducible: Consistently Steps to Reproduce: * one: Make sure gettext v1.0 is installed on the system. * two: run either `./bootstrap` or `autoreconf -fiv` ## Actual results: ``` ./bootstrap: autopoint --force autopoint: *** found more than one invocation of AM_GNU_GETTEXT_REQUIRE_VERSION autopoint: *** Stop. ``` ## Expected results: A single invocation of the macro is detected. The offending lines of code are in configure.ac:411-415 ``` AM_GNU_GETTEXT([external]) AM_GNU_GETTEXT_VERSION([0.19]) m4_ifdef([AM_GNU_GETTEXT_REQUIRE_VERSION],[ AM_GNU_GETTEXT_REQUIRE_VERSION([0.19]) ]) ``` -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1792 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: