From ueno at gnu.org Fri Nov 7 01:59:02 2025
From: ueno at gnu.org (Daiki Ueno)
Date: Fri, 07 Nov 2025 09:59:02 +0900
Subject: [gnutls-help] Shall we update Nettle version requirement?
Message-ID: <87y0oislnt.fsf-ueno@gnu.org>

Hello,

Provoked by this issue[1], I started thinking about updating the minimum
version of Nettle required by GnuTLS. Currently it's 3.6, while 3.10
was released 1.5 years ago. By updating it, we can eliminate the
bundled copies of RSA-OAEP, AES-GCM-SIV, and SHAKE implementations, as
well as the CVE-2021-4209 fix. Given Nettle 3.10.2 is ABI compatible
with 3.6, I'm assuming that there is little impact to downstreams.

Any thoughts?

Footnotes:
[1] https://gitlab.com/gnutls/gnutls/-/issues/1759

--
Daiki Ueno

From ueno at gnu.org Fri Nov 7 02:12:17 2025
From: ueno at gnu.org (Daiki Ueno)
Date: Fri, 07 Nov 2025 10:12:17 +0900
Subject: [gnutls-help] Set up FIPS with gnutls 3.8.9
In-Reply-To: (akendo@akendo.eu's message of "Mon, 13 Oct 2025 14:37:37 +0200")
References:
Message-ID: <87tsz6sl1q.fsf-ueno@gnu.org>

Hello,

Sorry for the late reply.

akendo writes:

> Hi everyone,
>
> I tried to enable the fips mode with gnutls 3.8.9 and failed to get it
> started. My compiler flags are the default compiler flags for Debian,
> since I use the Debian packages for Trixie as a sample build process.
>
> All I do is adding the parameter:
>
> --enable-fips140-mode
>
> The package build is going well, and I receive a package. However,
> after the installation of the package, I get the following error
> message:
>
> gnutls-cli github.com -p443
> Error in GnuTLS initialization: Error while performing self checks.
> global_init: Error while performing self checks
>
> By setting GNUTLS_NO_IMPLICIT_INIT the global_init error message goes
> away. When I check for the fips-mode, gnutls-cli reports that this is
> working.
>
> export GNUTLS_NO_IMPLICIT_INIT=1; gnutls-cli --fips140-mode
> library is in FIPS140-2 mode
>
> gnutls-cli github.com -p443
> |<1>| FIPS140-2 self testing part 2 failed
>
> Reading through the documentation, I noticed that there is the
> statement regarding the self-test that it's possible to provide a
> --with-fips140-key for the self-test. Does this key have to be of
> special length? It should be an HMAC key, correct?
>
> I'm just not sure if that's going to help here, anyone has some
> suggestion?
>
> My workaround is as of now to set GNUTLS_SKIP_FIPS_INTEGRITY_CHECKS=1

To get the FIPS integrity check to work, you would need ".hmac" files
installed alongside the GnuTLS and the dependent libraries. The file
can be generated with the "fipshmac" utility which should be built
under lib/.

For example, if you have installed the library as
/usr/lib/x86_64-linux-gnu/libgnutls.so.30, you can calculate the
content of the .hmac file with:

  lib/fipshmac /usr/lib/x86_64-linux-gnu/libgnutls.so.30

Then save it to /usr/lib/x86_64-linux-gnu/.libgnutls.so.30.hmac.

Regards,
--
Daiki Ueno

From simon at josefsson.org Fri Nov 7 12:58:21 2025
From: simon at josefsson.org (Simon Josefsson)
Date: Fri, 07 Nov 2025 12:58:21 +0100
Subject: [gnutls-help] Shall we update Nettle version requirement?
In-Reply-To: <87y0oislnt.fsf-ueno@gnu.org> (Daiki Ueno's message of "Fri, 07 Nov 2025 09:59:02 +0900")
References: <87y0oislnt.fsf-ueno@gnu.org>
Message-ID: <87bjleyrz6.fsf@josefsson.org>

+1

We'll never fully know if this is a real deal-breaker for anyone until
we try, so I suggest just bumping the requirement in a soonish GnuTLS
release, and then wait for people to package it, and only later start to
remove the duplicate code that is no longer needed.

/Simon

Daiki Ueno writes:

> Hello,
>
> Provoked by this issue[1], I started thinking about updating the minimum
> version of Nettle required by GnuTLS. Currently it's 3.6, while 3.10
> was released 1.5 years ago.
> By updating it, we can eliminate the
> bundled copies of RSA-OAEP, AES-GCM-SIV, and SHAKE implementations, as
> well as the CVE-2021-4209 fix. Given Nettle 3.10.2 is ABI compatible
> with 3.6, I'm assuming that there is little impact to downstreams.
>
> Any thoughts?
>
> Footnotes:
> [1] https://gitlab.com/gnutls/gnutls/-/issues/1759

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 1251 bytes
Desc: not available
URL:

From ueno at gnu.org Thu Nov 20 03:57:06 2025
From: ueno at gnu.org (Daiki Ueno)
Date: Thu, 20 Nov 2025 11:57:06 +0900
Subject: [gnutls-help] gnutls 3.8.11 released
Message-ID: <87h5up76nx.fsf-ueno@gnu.org>

Hello,

We have just released gnutls-3.8.11. This is a bug fix, security and
enhancement release on the 3.8.x branch.

We would like to thank everyone who contributed in this release:
Alexander Sosedkin, Alistair Francis, chenjianhu, Daiki Ueno, Daniel P.
Berrangé, David Dudas, fundawang, Hannes Reinecke, Jiasheng Jiang,
Karthik Das, Maxim Cournoyer, Samuel Zeter, Wilfred Mallawa, and Zoltan
Fridrich.

The detailed list of changes follows:

* Version 3.8.11 (released 2025-11-18)

** libgnutls: Fix stack overwrite in gnutls_pkcs11_token_init
   Reported by Luigino Camastra from Aisle Research.
   [GNUTLS-SA-2025-11-18, CVSS: low] [CVE-2025-9820]

** libgnutls: MAC algorithms for PSK binders are now configurable
   The previous implementation assumed HMAC-SHA256 to calculate the PSK
   binders. With the new gnutls_psk_allocate_client_credentials2() and
   gnutls_psk_allocate_server_credentials2() functions, the application
   can use other MAC algorithms such as HMAC-SHA384.

** libgnutls: Expose a new function to provide the maximum record send size
   A new function gnutls_record_get_max_send_size() has been added to
   determine the maximum size of a TLS record to be sent to the peer.

** libgnutls: Expose a new function to update keys without sending a
   KeyUpdate to the peer.
   A new function gnutls_handshake_update_receiving_key() has been added
   to allow updating the local receiving key without sending any
   KeyUpdate messages.

** libgnutls: PKCS#11 cryptographic provider configuration takes a token
   URI instead of a module path.
   To allow using a PKCS#11 module exposing multiple tokens, the "path"
   configuration keyword was replaced with the "url" keyword.

** libgnutls: Support crypto-auditing probe points
   crypto-auditing is a project to monitor which cryptographic
   operations are taking place in the library at run time, through eBPF.
   This adds necessary probe points for that, in public key cryptography
   and the TLS use-case. To enable this, run configure with
   --enable-crypto-auditing.

** build: The minimum version of Nettle has been updated to 3.10
   Given Nettle 3.10 is ABI compatible with 3.6 and includes several
   security relevant fixes, the library's minimum requirement of Nettle
   is updated to 3.10.

** build: The default priority file path is now constructed from sysconfdir
   Previously, the location of the default priority file was hard-coded
   to be /etc/gnutls/config. Now it takes into account the --sysconfdir
   option given to the configure script.
** API and ABI modifications:
gnutls_psk_allocate_client_credentials2: New function
gnutls_psk_allocate_server_credentials2: New function
gnutls_record_get_max_send_size: New function
gnutls_handshake_update_receiving_key: New function
gnutls_audit_push_context: New function
gnutls_audit_pop_context: New function
gnutls_audit_current_context: New function

Getting the Software
====================

GnuTLS may be downloaded directly from https://www.gnupg.org/ftp/gcrypt/
A list of GnuTLS mirrors can be found at http://www.gnutls.org/download.html

Here are the XZ compressed sources:
  https://www.gnupg.org/ftp/gcrypt/gnutls/v3.8/gnutls-3.8.11.tar.xz

Here are OpenPGP detached signatures signed using key:
  462225C3B46F34879FC8496CD605848ED7E69871
  https://www.gnupg.org/ftp/gcrypt/gnutls/v3.8/gnutls-3.8.11.tar.xz.sig

Note that it has been signed with my openpgp key:
pub   rsa4096 2009-07-23 [SC] [expires: 2026-06-29]
      462225C3B46F34879FC8496CD605848ED7E69871
uid           [ultimate] Daiki Ueno
uid           [ultimate] Daiki Ueno
sub   rsa4096 2010-02-04 [E]

Regards,
--
Daiki Ueno

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 832 bytes
Desc: not available
URL:

From ueno at gnu.org Thu Nov 20 06:53:35 2025
From: ueno at gnu.org (Daiki Ueno)
Date: Thu, 20 Nov 2025 14:53:35 +0900
Subject: [gnutls-help] Shall we update Nettle version requirement?
In-Reply-To: <87bjleyrz6.fsf@josefsson.org> (Simon Josefsson's message of "Fri, 07 Nov 2025 12:58:21 +0100")
References: <87y0oislnt.fsf-ueno@gnu.org> <87bjleyrz6.fsf@josefsson.org>
Message-ID: <87v7j5jlls.fsf-ueno@gnu.org>

Simon Josefsson writes:

> We'll never fully know if this is a real deal-breaker for anyone until
> we try, so I suggest just bumping the requirement in a soonish GnuTLS
> release, and then wait for people to package it, and only later start to
> remove the duplicate code that is no longer needed.

Thank you for the suggestion.
I've updated the requirement in 3.8.11 with a notice that the bundled
code will only be kept for the next couple of releases.

Regards,
--
Daiki Ueno
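The following is an added example, not code from the thread or from GnuTLS, that scripts the recipe Daiki Ueno gives in his reply to the "Set up FIPS with gnutls 3.8.9" question: run the fipshmac tool from the build tree over each installed library and save the output as a dot-file next to it, then re-run the failing gnutls-cli commands with the workarounds removed. Everything not stated in the thread is an assumption and is marked as such in the script: FIPSHMAC points at lib/fipshmac from the build, LIBDIR and the soname file names for the dependent libraries (libnettle.so.8, libhogweed.so.6, libgmp.so.10) are guesses for a Debian trixie multiarch layout, and the ".<soname>.hmac" naming is taken from the reply, so confirm it against the usage text of your build's fipshmac. The verify step unsets GNUTLS_SKIP_FIPS_INTEGRITY_CHECKS on purpose: with that variable set the check is skipped, not passed, so it proves nothing about the installed .hmac files.

```sh
#!/bin/sh
# Added example, not part of GnuTLS: install ".hmac" files for the FIPS
# integrity check following the recipe in the mailing-list reply.
#
# Assumptions (adjust for your system):
#   FIPSHMAC  path to the fipshmac tool built under lib/ in the GnuTLS tree
#   LIBDIR    directory holding the installed libraries (Debian multiarch here)
#   The soname file names in install_all are assumed for Debian trixie.
#   The ".<soname>.hmac" name in the same directory follows the reply;
#   confirm it against the usage text of your build's fipshmac.
set -eu

FIPSHMAC="${FIPSHMAC:-lib/fipshmac}"
LIBDIR="${LIBDIR:-/usr/lib/x86_64-linux-gnu}"

# Companion .hmac path for a library: same directory, leading dot, ".hmac".
# Takes the soname path the loader uses (e.g. libgnutls.so.30), not the
# resolved real file, because that is the name looked up at self-test time.
hmac_path_for() {
    lib=$1
    printf '%s/.%s.hmac\n' "$(dirname "$lib")" "$(basename "$lib")"
}

# Run fipshmac on the installed file and place the result next to it.
# Write to a temp file first so an interrupted run never leaves behind a
# truncated .hmac, which would itself fail the self-test.
install_hmac() {
    lib=$1
    out=$(hmac_path_for "$lib")
    tmp=$(mktemp "$out.XXXXXX")
    "$FIPSHMAC" "$lib" > "$tmp"
    chmod 0644 "$tmp"
    mv -f "$tmp" "$out"
    echo "wrote $out"
}

# The check is only shown to pass when neither workaround from the thread
# is in the environment: GNUTLS_NO_IMPLICIT_INIT postpones it and
# GNUTLS_SKIP_FIPS_INTEGRITY_CHECKS skips it.
verify() {
    unset GNUTLS_NO_IMPLICIT_INIT GNUTLS_SKIP_FIPS_INTEGRITY_CHECKS
    gnutls-cli --fips140-mode
    gnutls-cli github.com -p443 < /dev/null
}

install_all() {
    # libgnutls plus the dependent libraries the check covers (assumed sonames)
    for lib in "$LIBDIR/libgnutls.so.30" "$LIBDIR/libnettle.so.8" \
               "$LIBDIR/libhogweed.so.6" "$LIBDIR/libgmp.so.10"; do
        if [ ! -e "$lib" ]; then
            echo "missing $lib" >&2
            exit 1
        fi
        install_hmac "$lib"
    done
    verify
}

# Usage: sh install-fips-hmac.sh install   (needs write access to LIBDIR)
case "${1:-}" in
    install) install_all ;;
esac
```

Re-run the install step whenever the libraries are rebuilt, stripped or otherwise modified after packaging, since any change to the file contents invalidates the stored HMAC and brings back the "self testing part 2 failed" error.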
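The release announcement above gives the tarball URL, the detached signature URL and the full fingerprint of the signing key. This added example, not code from the announcement or from GnuTLS, verifies a download the way a packager should: it requires a cryptographically valid signature and that the signature was made by the key with exactly that fingerprint, rather than accepting gpg's "Good signature" for whatever key happens to be in the keyring. The URLs and fingerprint are the announcement's; the use of curl, the keyserver chosen to fetch the key, and the sample gpg status lines embedded for the self-check are assumptions or constructed data, marked as such in the script.

```sh
#!/bin/sh
# Added example, not part of GnuTLS: fetch the gnutls-3.8.11 release and
# verify its detached OpenPGP signature, accepting only the signing key whose
# fingerprint appears in the release announcement.
# Assumptions: curl and gpg are installed; the keyserver below is this
# script's choice, not the announcement's.
set -eu

EXPECTED_FPR="462225C3B46F34879FC8496CD605848ED7E69871"
BASEURL="https://www.gnupg.org/ftp/gcrypt/gnutls/v3.8"
TARBALL="gnutls-3.8.11.tar.xz"

# Decide from gpg's machine-readable status lines (--status-fd) whether the
# signature is valid AND made by the expected key. A "Good signature"
# message alone is not enough: gpg prints it for any key in the keyring.
# Accept only if a VALIDSIG line's last field (the primary key fingerprint)
# matches, and reject if any bad, expired-key or revoked-key status appears.
# Reads the status lines from stdin; exit status 0 means accept.
check_status() {
    awk -v want="$1" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && toupper($NF) == want { ok = 1 }
        $1 == "[GNUPG:]" && ($2 == "BADSIG" || $2 == "ERRSIG" ||
                             $2 == "EXPKEYSIG" || $2 == "REVKEYSIG") { bad = 1 }
        END { if (ok && !bad) exit 0; exit 1 }
    '
}

fetch() {
    curl -fsSLO "$BASEURL/$TARBALL"
    curl -fsSLO "$BASEURL/$TARBALL.sig"
    # Import by full fingerprint only; never by short key id or user name.
    gpg --keyserver hkps://keys.openpgp.org --recv-keys "$EXPECTED_FPR"
}

verify() {
    # Status lines go to fd 1; gpg's own exit status is not relied on,
    # the fingerprint check decides.
    gpg --status-fd 1 --verify "$TARBALL.sig" "$TARBALL" 2>/dev/null \
        | check_status "$EXPECTED_FPR"
}

# Constructed sample status output (not captured from a real run) showing
# the shape check_status parses: a good signature by the expected key, and
# a good signature by some other key, which must be rejected.
SAMPLE_EXPECTED='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG D605848ED7E69871 Daiki Ueno
[GNUPG:] VALIDSIG 462225C3B46F34879FC8496CD605848ED7E69871 2025-11-18 1763424000 0 4 0 1 10 00 462225C3B46F34879FC8496CD605848ED7E69871'
SAMPLE_OTHER_KEY='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Someone Else
[GNUPG:] VALIDSIG 00112233445566778899AABBCCDDEEFF00112233 2025-11-18 1763424000 0 4 0 1 10 00 00112233445566778899AABBCCDDEEFF00112233'

# Usage: sh verify-gnutls-release.sh fetch && sh verify-gnutls-release.sh verify
case "${1:-}" in
    fetch)  fetch ;;
    verify)
        if verify; then
            echo "OK: $TARBALL is signed by $EXPECTED_FPR"
        else
            echo "FAILED: $TARBALL is not signed by $EXPECTED_FPR" >&2
            exit 1
        fi ;;
esac
```

Pinning the fingerprint in the script, rather than trusting whatever the keyserver returns for a name or short key id, is what makes the check meaningful: the announcement also shows the key expiring on 2026-06-29, and the EXPKEYSIG handling above turns a signature made with an expired key into a hard failure, so the pinned fingerprint has to be reviewed when the key is rolled.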