From Jeff.Cai at Sun.COM Mon Jun 1 07:26:33 2009 
From: Jeff.Cai at Sun.COM (Jeff Cai)
Date: Mon, 01 Jun 2009 13:26:33 +0800
Subject: GnuTLS 2.8.0
In-Reply-To: <878wkhabs7.fsf@mocca.josefsson.org>
References: <878wkhabs7.fsf@mocca.josefsson.org>
Message-ID: <1243833993.4273.1.camel@mvp>

I cannot find the COPYING.LIB in the source tarball.

Jeff

On 2009-05-28 at 10:10 +0200, Simon Josefsson wrote:
> We are proud to announce a new stable GnuTLS release: Version 2.8.0.
>
> GnuTLS is a modern C library that implements the standard network
> security protocol Transport Layer Security (TLS), for use by network
> applications. GnuTLS is developed for GNU/Linux, but works on many
> Unix-like systems and comes with a binary installer for Windows.
>
> The GnuTLS library is distributed under the terms of the GNU Lesser
> General Public License version 2.1 (or later). The "extra" GnuTLS
> library (which contains TLS/IA support, LZO compression and Libgcrypt
> FIPS-mode handler), the OpenSSL compatibility library, the self tests
> and the command line tools are all distributed under the GNU General
> Public License version 3.0 (or later). The manual is distributed
> under the GNU Free Documentation License version 1.3 (or later).
>
> The project page of the library is available at:
> http://www.gnu.org/software/gnutls/
>
> What's New
> ==========
>
> Version 2.8.0 is the first stable release on the 2.8.x branch and is the
> result of 7 months of work on the experimental 2.7.x branch. The GnuTLS
> 2.8.x branch replaces the GnuTLS 2.6.x branch as the supported stable
> branch, although we will continue to support GnuTLS 2.6.x for some time.
>
> ** lib: Linker version scripts reduce the number of exported symbols.
> The linker version script now lists all exported ABIs explicitly, to
> avoid accidentally exporting unintended functions. Compared to
> before, most symbols beginning with _gnutls* are no longer exported.
> These functions have never been intended for use by applications, and
> there were no prototypes for these functions in the public header
> files. Thus we believe it is possible to do this without incrementing
> the library ABI version which normally has to be done when removing an
> interface.
>
> ** lib: Limit exported symbols on systems without LD linker scripts.
> Before, all symbols were exported. Now we limit the exported symbols
> to (for libgnutls and libgnutls-extra) gnutls* and (for libgnutls)
> _gnutls*. This is a superset of the actual supported ABI, but still
> an improvement compared to before. This is implemented using Libtool
> -export-symbols-regex. It is more portable than linker version
> scripts.
>
> ** libgnutls: Fix namespace issue with version symbols.
> The symbols LIBGNUTLS_VERSION, LIBGNUTLS_VERSION_MAJOR,
> LIBGNUTLS_VERSION_MINOR, LIBGNUTLS_VERSION_PATCH, and
> LIBGNUTLS_VERSION_NUMBER were renamed to GNUTLS_VERSION_NUMBER,
> GNUTLS_VERSION_MAJOR, GNUTLS_VERSION_MINOR, GNUTLS_VERSION_PATCH, and
> GNUTLS_VERSION_NUMBER respectively. The old symbols will continue to
> work but are deprecated.
>
> ** libgnutls: Fix namespace issue with version symbol for libgnutls-extra.
> The symbol LIBGNUTLS_EXTRA_VERSION was renamed to
> GNUTLS_EXTRA_VERSION. The old symbol will continue to work but is
> deprecated.
>
> ** libgnutls: Add functions to verify a hash against a certificate.
> gnutls_x509_crt_verify_hash: ADDED
> gnutls_x509_crt_get_verify_algorithm: ADDED
>
> ** gnutls-serv: Listen on all interfaces, including both IPv4 and IPv6.
>
> ** i18n: The GnuTLS gettext domain is now 'libgnutls' instead of 'gnutls'.
> It is currently only used by the core library. This will enable a new
> domain 'gnutls' for translations of the command line tools.
>
> ** certtool: Query for multiple dnsName subjectAltName in interactive mode.
> This applies both to generating certificates and certificate requests.
>
> ** gnutls-cli: No longer accepts V1 CAs by default during X.509 chain verify.
> Use --priority NORMAL:%VERIFY_ALLOW_X509_V1_CA_CRT to permit V1 CAs to
> be used for chain verification.
>
> ** gnutls-serv: No longer disable MAC padding by default.
> Use --priority NORMAL:%COMPAT to disable MAC padding again.
>
> ** gnutls-cli: Certificate information output format changed.
> The tool now uses libgnutls' functions to print certificate
> information. This avoids code duplication.
>
> ** libgnutls: New priority strings %VERIFY_ALLOW_SIGN_RSA_MD5
> ** and %VERIFY_ALLOW_X509_V1_CA_CRT.
> They can be used to override the default certificate chain validation
> behaviour.
>
> ** libgnutls: gnutls_x509_crt_print prints signature algorithm in oneline mode.
>
> ** libgnutls: gnutls_openpgp_crt_print supports oneline mode.
>
> ** libgnutls: gnutls_handshake when sending client hello during a
> rehandshake, will not offer a version number larger than the current.
>
> ** libgnutls: New interface to get key id for certificate requests.
> gnutls_x509_crq_get_key_id: ADDED.
>
> ** libgnutls: gnutls_x509_crq_print will now also print public key id.
>
> ** certtool: --verify-chain now prints results of using library verification.
> Earlier, certtool --verify-chain used its own validation algorithm
> which wasn't guaranteed to give the same result as the libgnutls
> internal validation algorithm. Now this command prints a new final
> line with header 'Chain verification output:' that contains the result
> from using the internal verification algorithm on the same chain.
>
> ** libgnutls: Libgcrypt initialization changed.
> If libgcrypt has not already been initialized, GnuTLS will now
> initialize libgcrypt with disabled secure memory. Initialize
> libgcrypt explicitly in your application if you want to enable secure
> memory. Before, GnuTLS initialized libgcrypt to use GnuTLS's memory
> allocation functions, which don't use secure memory, so there is no
> real change in behaviour.
>
> ** libgnutls: Small byte reads via gnutls_record_recv() optimized.
>
> ** gnutls-cli: Return non-zero exit code on error conditions.
>
> ** gnutls-cli: Corrected bug which caused a rehandshake request to be ignored.
>
> ** certtool: allow setting arbitrary key purpose object identifiers.
>
> ** libgnutls: Change detection of when to use a linker version script.
> Use --enable-ld-version-script or --disable-ld-version-script to
> override auto-detection logic.
>
> ** Fix warnings and build GnuTLS with more warnings enabled.
>
> ** New API to set X.509 credentials from PKCS#12 memory structure.
> gnutls_certificate_set_x509_simple_pkcs12_mem: ADDED
>
> ** Old libgnutls.m4 and libgnutls-config scripts removed.
> Please use pkg-config instead.
>
> ** libgnutls: Added functions to handle CRL extensions.
> gnutls_x509_crl_get_authority_key_id: ADDED
> gnutls_x509_crl_get_number: ADDED
> gnutls_x509_crl_get_extension_oid: ADDED
> gnutls_x509_crl_get_extension_info: ADDED
> gnutls_x509_crl_get_extension_data: ADDED
> gnutls_x509_crl_set_authority_key_id: ADDED
> gnutls_x509_crl_set_number: ADDED
>
> ** libgnutls: Added functions to handle X.509 extensions in Certificate
> Requests.
> gnutls_x509_crq_get_key_rsa_raw: ADDED
> gnutls_x509_crq_get_attribute_info: ADDED
> gnutls_x509_crq_get_attribute_data: ADDED
> gnutls_x509_crq_get_extension_info: ADDED
> gnutls_x509_crq_get_extension_data: ADDED
> gnutls_x509_crq_get_key_usage: ADDED
> gnutls_x509_crq_get_basic_constraints: ADDED
> gnutls_x509_crq_get_subject_alt_name: ADDED
> gnutls_x509_crq_get_subject_alt_othername_oid: ADDED
> gnutls_x509_crq_get_extension_by_oid: ADDED
> gnutls_x509_crq_set_subject_alt_name: ADDED
> gnutls_x509_crq_set_basic_constraints: ADDED
> gnutls_x509_crq_set_key_usage: ADDED
> gnutls_x509_crq_get_key_purpose_oid: ADDED
> gnutls_x509_crq_set_key_purpose_oid: ADDED
> gnutls_x509_crq_print: ADDED
> gnutls_x509_crt_set_crq_extensions: ADDED
>
> ** certtool: Print and set CRL and CRQ extensions.
>
> ** minitasn1: Internal copy updated to libtasn1 v2.1.
> GnuTLS should work fine with libtasn1 v1.x and that is still
> supported.
>
> ** examples: Now released into the public domain.
> This makes the license of the example code compatible with more
> licenses, including the (L)GPL.
>
> ** The Texinfo and GTK-DOC manuals were improved.
>
> ** Several self-tests were added and others improved.
>
> API/ABI changes in GnuTLS 2.8
> =============================
>
> No officially supported interfaces have been modified or removed. The
> library should be completely backwards compatible on both the source
> and binary level.
>
> The shared library no longer exports some symbols that have never been
> officially supported, i.e., not mentioned in any of the header files.
> The symbols are:
>
> _gnutls*
> gnutls_asn1_tab
>
> Normally when symbols are removed, the shared library version has to
> be incremented. This leads to a significant cost for everyone using
> the library. Because none of the above symbols have ever been
> intended for use by well-behaved applications, we decided that it
> would be better for those applications to pay the price rather than
> incurring problems on the majority of applications.
>
> If it turns out that applications have been using unofficial
> interfaces, we will need to release a follow-on release on the v2.8
> branch to export additional interfaces. However, initial testing
> suggests that few if any applications have been using any of the
> internal symbols.
>
> Although not a new change compared to 2.6.x, we'd like to remind you
> that interfaces have been modified so that X.509 chain verification now
> also checks activation/expiration times on certificates. The affected
> functions are:
>
> gnutls_x509_crt_list_verify: CHANGED, checks activation/expiration times.
> gnutls_certificate_verify_peers: Likewise.
> gnutls_certificate_verify_peers2: Likewise.
> GNUTLS_CERT_NOT_ACTIVATED: ADDED.
> GNUTLS_CERT_EXPIRED: ADDED.
> GNUTLS_VERIFY_DISABLE_TIME_CHECKS: ADDED.
>
> This change in behaviour was made during the GnuTLS 2.6.x cycle, and
> we gave our rationale for it in earlier release notes.
>
> The following symbols have been added to the library:
>
> gnutls_certificate_set_x509_simple_pkcs12_mem: ADDED
> gnutls_x509_crl_get_authority_key_id: ADDED
> gnutls_x509_crl_get_extension_data: ADDED
> gnutls_x509_crl_get_extension_info: ADDED
> gnutls_x509_crl_get_extension_oid: ADDED
> gnutls_x509_crl_get_number: ADDED
> gnutls_x509_crl_set_authority_key_id: ADDED
> gnutls_x509_crl_set_number: ADDED
> gnutls_x509_crq_get_attribute_data: ADDED
> gnutls_x509_crq_get_attribute_info: ADDED
> gnutls_x509_crq_get_basic_constraints: ADDED
> gnutls_x509_crq_get_extension_by_oid: ADDED
> gnutls_x509_crq_get_extension_data: ADDED
> gnutls_x509_crq_get_extension_info: ADDED
> gnutls_x509_crq_get_key_id: ADDED.
> gnutls_x509_crq_get_key_purpose_oid: ADDED
> gnutls_x509_crq_get_key_rsa_raw: ADDED
> gnutls_x509_crq_get_key_usage: ADDED
> gnutls_x509_crq_get_subject_alt_name: ADDED
> gnutls_x509_crq_get_subject_alt_othername_oid: ADDED
> gnutls_x509_crq_print: ADDED
> gnutls_x509_crq_set_basic_constraints: ADDED
> gnutls_x509_crq_set_key_purpose_oid: ADDED
> gnutls_x509_crq_set_key_usage: ADDED
> gnutls_x509_crq_set_subject_alt_name: ADDED
> gnutls_x509_crt_get_verify_algorithm: ADDED
> gnutls_x509_crt_set_crq_extensions: ADDED
> gnutls_x509_crt_verify_hash: ADDED
>
> The following interfaces have been added to the header files:
>
> GNUTLS_VERSION: ADDED, replaces LIBGNUTLS_VERSION.
> GNUTLS_VERSION_MAJOR: ADDED, replaces LIBGNUTLS_VERSION_MAJOR.
> GNUTLS_VERSION_MINOR: ADDED, replaces LIBGNUTLS_VERSION_MINOR.
> GNUTLS_VERSION_PATCH: ADDED, replaces LIBGNUTLS_VERSION_PATCH.
> GNUTLS_VERSION_NUMBER: ADDED, replaces LIBGNUTLS_VERSION_NUMBER.
> GNUTLS_EXTRA_VERSION: ADDED, replaces LIBGNUTLS_EXTRA_VERSION.
>
> The following interfaces have been deprecated:
>
> LIBGNUTLS_VERSION: DEPRECATED.
> LIBGNUTLS_VERSION_MAJOR: DEPRECATED.
> LIBGNUTLS_VERSION_MINOR: DEPRECATED.
> LIBGNUTLS_VERSION_PATCH: DEPRECATED.
> LIBGNUTLS_VERSION_NUMBER: DEPRECATED.
> LIBGNUTLS_EXTRA_VERSION: DEPRECATED.
>
> Getting the Software
> ====================
>
> GnuTLS may be downloaded from one of the mirror sites or direct from
> . The list of mirrors can be found at
> .
>
> Here are the BZIP2 compressed sources (6.0MB):
>
> ftp://ftp.gnu.org/gnu/gnutls/gnutls-2.8.0.tar.bz2
> http://ftp.gnu.org/gnu/gnutls/gnutls-2.8.0.tar.bz2
>
> Here are OpenPGP detached signatures signed using key 0xB565716F:
>
> ftp://ftp.gnu.org/gnu/gnutls/gnutls-2.8.0.tar.bz2.sig
> http://ftp.gnu.org/gnu/gnutls/gnutls-2.8.0.tar.bz2.sig
>
> Note that we don't distribute gzip compressed tarballs.
>
> In order to check that the version of GnuTLS which you are going to
> install is an original and unmodified one, you should verify the OpenPGP
> signature. You can use the command
>
> gpg --verify gnutls-2.8.0.tar.bz2.sig
>
> This checks whether the signature file matches the source file. You
> should see a message indicating that the signature is good and made by
> that signing key. Make sure that you have the right key, either by
> checking the fingerprint of that key with other sources or by checking
> that the key has been signed by a trustworthy other key. The signing
> key can be identified with the following information:
>
> pub 1280R/B565716F 2002-05-05 [expires: 2010-04-21]
> Key fingerprint = 0424 D4EE 81A0 E3D1 19C6 F835 EDA2 1E94 B565 716F
> uid Simon Josefsson
> uid Simon Josefsson
> sub 1280R/4D5D40AE 2002-05-05 [expires: 2010-04-21]
>
> The key is available from:
> http://josefsson.org/key.txt
> dns:b565716f.josefsson.org?TYPE=CERT
>
> Alternatively, after successfully verifying the OpenPGP signature of
> this announcement, you could verify that the files match the following
> checksum values.
> The values are for SHA-1 and SHA-224 respectively:
>
> 7c102253bb4e817f393b9979a62c647010312eac gnutls-2.8.0.tar.bz2
>
> 57ee306f261ed331b8386baf854f737fbf24da7b3bcc32331d34176b gnutls-2.8.0.tar.bz2
>
> Documentation
> =============
>
> The manual is available online at:
>
> http://www.gnu.org/software/gnutls/documentation.html
>
> In particular the following formats are available:
>
> HTML: http://www.gnu.org/software/gnutls/manual/html_node/index.html
> PDF: http://www.gnu.org/software/gnutls/manual/gnutls.pdf
>
> For developers there is a GnuTLS API reference manual formatted using
> the GTK-DOC tools:
>
> http://www.gnu.org/software/gnutls/reference/gnutls-gnutls.html
>
> Community
> =========
>
> If you need help to use GnuTLS, or want to help others, you are invited
> to join our help-gnutls mailing list, see:
>
> http://lists.gnu.org/mailman/listinfo/help-gnutls
>
> If you wish to participate in the development of GnuTLS, you are invited
> to join our gnutls-dev mailing list, see:
>
> http://lists.gnu.org/mailman/listinfo/gnutls-devel
>
> Windows installer
> =================
>
> GnuTLS has been ported to the Windows operating system, and a binary
> installer is available. The installer contains DLLs for application
> development, manuals, examples, and source code. The installer uses
> libgpg-error v1.7, libgcrypt v1.4.4, libtasn1 v2.2, and GnuTLS v2.8.0.
>
> For more information about GnuTLS for Windows:
> http://josefsson.org/gnutls4win/
>
> The Windows binary installer and PGP signature:
> http://josefsson.org/gnutls4win/gnutls-2.8.0.exe (15MB)
> http://josefsson.org/gnutls4win/gnutls-2.8.0.exe.sig
>
> The checksum values for SHA-1 and SHA-224 are:
>
> 8a7965168c542edec3259469b6c0e87a9a2b4626 gnutls-2.8.0.exe
>
> 5f76c907eac768b714dc7187a17f87c0393439cf1ef44ab145aab6e3 gnutls-2.8.0.exe
>
> A ZIP archive containing the Windows binaries:
> http://josefsson.org/gnutls4win/gnutls-2.8.0.zip (5.3MB)
> http://josefsson.org/gnutls4win/gnutls-2.8.0.zip.sig
>
> A Debian mingw32 package is also available:
> http://josefsson.org/gnutls4win/mingw32-gnutls_2.7.10-1_all.deb (4.8MB)
>
> The checksum values for SHA-1 and SHA-224 are:
>
> aca9f9f1adba09b952e095039595d4c5d9e67d46 mingw32-gnutls_2.8.0-1_all.deb
>
> 269020738a9f36135e3f231a94cdb2cabc0edd3658092d76b87c27dc mingw32-gnutls_2.8.0-1_all.deb
>
> Internationalization
> ====================
>
> The GnuTLS library messages have been translated into Czech, Dutch,
> French, German, Malay, Polish, Swedish, and Vietnamese. We welcome the
> addition of more translations.
>
> Support
> =======
>
> Improving GnuTLS is costly, but you can help! We are looking for
> organizations that find GnuTLS useful and wish to contribute back. You
> can contribute by reporting bugs, improving the software, or donating
> money or equipment.
>
> Commercial support contracts for GnuTLS are available, and they help
> finance continued maintenance. Simon Josefsson Datakonsult AB, a
> Stockholm based privately held company, is currently funding GnuTLS
> maintenance. We are always looking for interesting development
> projects. See http://josefsson.org/ for more details.
>
> The GnuTLS service directory is available at:
>
> http://www.gnu.org/software/gnutls/commercial.html
>
> Happy Hacking,
> Simon
>
> _______________________________________________
> Gnutls-devel mailing list
> Gnutls-devel at gnu.org
> http://lists.gnu.org/mailman/listinfo/gnutls-devel

--
Jeff Cai

From simon at josefsson.org Mon Jun 1 11:09:42 2009
From: simon at josefsson.org (Simon Josefsson)
Date: Mon, 01 Jun 2009 11:09:42 +0200
Subject: Libtasn1
In-Reply-To: <200905302141.25676.matej@svrcek.org> ("Matěj Švrček"'s message of "Sat, 30 May 2009 21:41:25 +0200")
References: <200905302141.25676.matej@svrcek.org>
Message-ID: <8763fgs4kp.fsf@mocca.josefsson.org>

Matěj Švrček writes:

> Hello,
>
> I would like to report a broken link on your site
> http://www.gnu.org/software/gnutls/download.html
>
> I tried several links to download libtasn1, but none of the links worked for
> me; it seems as if libtasn1 is no longer part of the GNU project.

Actually, libtasn1 just became a GNU project a few days ago. ;)

What URL is broken on the above page?

The new official home for libtasn1 is:

http://www.gnu.org/software/libtasn1/

I'll upload old releases to ftp.gnu.org now.

/Simon

From Martin.vGagern at gmx.net Sat Jun 6 19:47:37 2009
From: Martin.vGagern at gmx.net (Martin von Gagern)
Date: Sat, 06 Jun 2009 19:47:37 +0200
Subject: gnutls_ext_register causing memory corruption
Message-ID: <4A2AABB9.9080309@gmx.net>

Hi folks!

There seems to be some evidence that the latest gnutls might be involved
in instabilities of the Adobe Flash plugin for Mozilla Firefox on Gentoo
Linux. I myself got this error message and back trace at one point:

*** glibc detected *** /usr/lib/mozilla-firefox/firefox: realloc(): invalid next size: 0x1026c8f0 ***
======= Backtrace: =========
/lib/libc.so.6[0x4c59d7c4]
/lib/libc.so.6[0x4c5a2c24]
/lib/libc.so.6(realloc+0xdd)[0x4c5a2fbd]
/usr/lib/libgnutls.so.26(gnutls_ext_register+0x38)[0xb7b0185e]
/usr/lib/libgnutls.so.26[0xb7b01920]
/usr/lib/libgnutls.so.26(gnutls_global_init+0x1a0)[0xb7b08513]
/usr/lib/libcurl.so.4(Curl_gtls_init+0x2c)[0xb2d33037]
/usr/lib/libcurl.so.4(Curl_ssl_init+0x33)[0xb2d348fa]
/usr/lib/libcurl.so.4(curl_global_init+0x88)[0xb2d28d9d]
/opt/netscape/plugins/libflashplayer.so[0xb213de16]

http://bugs.gentoo.org/272388#c7 lists a similar back trace, with
"double free or corruption (!prev)" instead of "invalid next size".
http://bugs.gentoo.org/260630 might be dealing with the same bug.

In all these cases, the latest (and rather recently released) closed
source flash player was involved as well, so I cannot rule out a problem
with that code. You might wish to investigate the issue on the gnutls
side nevertheless, and maybe subscribe to those bugs to stay tuned.

Greetings,
Martin von Gagern

From simon at josefsson.org Mon Jun 8 16:58:00 2009
From: simon at josefsson.org (Simon Josefsson)
Date: Mon, 08 Jun 2009 16:58:00 +0200
Subject: gnutls_ext_register causing memory corruption
In-Reply-To: <4A2AABB9.9080309@gmx.net> (Martin von Gagern's message of "Sat, 06 Jun 2009 19:47:37 +0200")
References: <4A2AABB9.9080309@gmx.net>
Message-ID: <87zlcin56v.fsf@mocca.josefsson.org>

Martin von Gagern writes:

> Hi folks!
>
> There seems to be some evidence that the latest gnutls might be involved
> in instabilities of the Adobe Flash plugin for Mozilla Firefox on Gentoo
> Linux.

Hi. Interesting but difficult to debug. The back traces look weird;
the crash is in the global initialization function. That function
isn't thread safe, so maybe it is a thread related problem? Maybe set
a breakpoint on gnutls_ext_register to see if it is called multiple
times by the same process; that would suggest a problem. However this
code is the same in 2.6.x and 2.8.0, so there must be something else
too.

I'll look into this code in gnutls, but to really help on this I need
a simple-to-follow recipe to reproduce the problem. Alternatively, if
you can pin-point which change between 2.6.6 and 2.8.0 introduced the
problem, that would also help -- try installing 2.7.0, 2.7.1, etc. and
see when the problem starts to happen. The final 2.7.9-2.7.14 contain
mostly build fixes, so the early 2.7.x's are the interesting ones.

Thanks,
/Simon

From simon at josefsson.org Mon Jun 8 17:07:12 2009
From: simon at josefsson.org (Simon Josefsson)
Date: Mon, 08 Jun 2009 17:07:12 +0200
Subject: gnutls_ext_register causing memory corruption
In-Reply-To: <4A2AABB9.9080309@gmx.net> (Martin von Gagern's message of "Sat, 06 Jun 2009 19:47:37 +0200")
References: <4A2AABB9.9080309@gmx.net>
Message-ID: <87vdn6n4rj.fsf@mocca.josefsson.org>

Btw, I installed the latest Firefox with the latest Flash 10 plugin, and it
worked fine on my x86 Debian box. OTOH, my flash plugin doesn't seem to
link to gnutls at all:

jas at mocca:~/firefox/plugins$ ldd libflashplayer.so |grep -i gnutls
jas at mocca:~/firefox/plugins$ sha1sum libflashplayer.so
2b310b362d12c599865c767197a8077d3123b706 libflashplayer.so
jas at mocca:~/firefox/plugins$

I hope you can prepare some instructions on how to reproduce this.

/Simon

From arfrever.fta at gmail.com Mon Jun 8 17:39:45 2009
From: arfrever.fta at gmail.com (Arfrever Frehtes Taifersar Arahesis)
Date: Mon, 8 Jun 2009 17:39:45 +0200
Subject: gnutls_ext_register causing memory corruption
In-Reply-To: <87vdn6n4rj.fsf@mocca.josefsson.org>
References: <4A2AABB9.9080309@gmx.net> <87vdn6n4rj.fsf@mocca.josefsson.org>
Message-ID: <200906081739.54433.Arfrever.FTA@gmail.com>

2009-06-08 17:07:12 Simon Josefsson wrote:
> Btw, I installed the latest Firefox with the latest Flash 10 plugin, and it
> worked fine on my x86 Debian box. OTOH, my flash plugin doesn't seem to
> link to gnutls at all:
>
> jas at mocca:~/firefox/plugins$ ldd libflashplayer.so |grep -i gnutls
> jas at mocca:~/firefox/plugins$ sha1sum libflashplayer.so
> 2b310b362d12c599865c767197a8077d3123b706 libflashplayer.so
> jas at mocca:~/firefox/plugins$

libflashplayer.so uses dlopen() to open dependent libraries...

--
Arfrever Frehtes Taifersar Arahesis

From Martin.vGagern at gmx.net Mon Jun 8 17:50:42 2009
From: Martin.vGagern at gmx.net (Martin von Gagern)
Date: Mon, 08 Jun 2009 17:50:42 +0200
Subject: gnutls_ext_register causing memory corruption
In-Reply-To: <87vdn6n4rj.fsf@mocca.josefsson.org>
References: <4A2AABB9.9080309@gmx.net> <87vdn6n4rj.fsf@mocca.josefsson.org>
Message-ID: <4A2D3352.8040409@gmx.net>

Simon Josefsson wrote:
> Btw, I installed the latest Firefox with the latest Flash 10 plugin, and it
> worked fine on my x86 Debian box. OTOH, my flash plugin doesn't seem to
> link to gnutls at all:

There is strong evidence that flash only depends on gnutls indirectly
via libcurl. If you haven't built libcurl against gnutls, this doesn't
show up. And libcurl is dynloaded, so ldd won't list it.

Please follow the bug reports I mentioned; a lot of people are quite
busy there, gathering evidence, discussing possibilities, stuff like
that. I ruled out concurrent initialization in a comment there.

In the meantime, I'm trying to get a proper git bisect running. I'm not
sure if I can do this, as the problem is difficult to trace. But when
running FF through valgrind and accessing the flash on
http://data.ndr.de/mv2009/index.html I just had a 100% rate to reproduce
at least some kind of error, mostly a segfault at application shutdown,
with gnutls 2.8.0, whereas 2.6.6 worked all right. I'll try to reproduce
this with gnutls built from git, and bisect the changes in between.

Greetings,
Martin

From Martin.vGagern at gmx.net Mon Jun 8 18:11:29 2009
From: Martin.vGagern at gmx.net (Martin von Gagern)
Date: Mon, 08 Jun 2009 18:11:29 +0200
Subject: gnutls_ext_register causing memory corruption
In-Reply-To: <4A2D3352.8040409@gmx.net>
References: <4A2AABB9.9080309@gmx.net> <87vdn6n4rj.fsf@mocca.josefsson.org> <4A2D3352.8040409@gmx.net>
Message-ID: <4A2D3831.4090501@gmx.net>

Martin von Gagern wrote:
> In the meantime, I'm trying to get a proper git bisect running.

And failing miserably at it, because I'm still not comfortable with
autotools.

At first I tried various sequences of autoheader, automake, autoconf and
libtoolize, but configure failed every time for the lib subdir. At some
point I got annoyed enough, and simply copied over the files from a
2.8.0 tarball which weren't present in the git already. 2.8.0 built
successfully with that, but moving to 2.6.6 still causes me trouble:

$ make
CDPATH="${ZSH_VERSION+.}:" && cd . && /bin/sh /home/mvg/src/up/gnutls/gnutls/build-aux/missing --run aclocal-1.11 -I m4 -I gl/m4 -I lib/gl/m4 -I libextra/gl/m4 -I lib/m4 -I libextra/m4
aclocal-1.11: couldn't open directory `lib/gl/m4': No such file or directory

So I assume that you added some gnulib macro files somewhere along the
way. But while I could simply copy build files from 2.6.6 as well, this
is no option for the intermediate revisions.

Is there a simple command to turn a git working tree into something
where I can do "./configure && make"? Preferably without having to
recompile more than absolutely necessary, and without having to actually
run configure if its input wasn't modified?

Greetings,
Martin

From simon at josefsson.org Mon Jun 8 18:19:50 2009
From: simon at josefsson.org (Simon Josefsson)
Date: Mon, 08 Jun 2009 18:19:50 +0200
Subject: gnutls_ext_register causing memory corruption
In-Reply-To: <4A2D3352.8040409@gmx.net> (Martin von Gagern's message of "Mon, 08 Jun 2009 17:50:42 +0200")
References: <4A2AABB9.9080309@gmx.net> <87vdn6n4rj.fsf@mocca.josefsson.org> <4A2D3352.8040409@gmx.net>
Message-ID: <87bpoyn1eh.fsf@mocca.josefsson.org>

Martin von Gagern writes:

> Simon Josefsson wrote:
>> Btw, I installed the latest Firefox with the latest Flash 10 plugin, and it
>> worked fine on my x86 Debian box. OTOH, my flash plugin doesn't seem to
>> link to gnutls at all:
>
> There is strong evidence that flash only depends on gnutls indirectly
> via libcurl. If you haven't built libcurl against gnutls, this doesn't
> show up. And libcurl is dynloaded, so ldd won't list it.

Ok, still can't reproduce but looking into it:

jas at mocca:~$ lsof -p 1907|grep gnut
firefox-b 1907 jas mem REG 8,3 233992 15982492 /usr/lib/libcurl-gnutls.so.4.1.0
firefox-b 1907 jas mem REG 8,3 2186701 8421702 /home/jas/lib/libgnutls.so.26.14.7
jas at mocca:~$

This is while accessing the URL below.

> Please follow the bug reports I mentioned; a lot of people are quite
> busy there, gathering evidence, discussing possibilities, stuff like
> that. I ruled out concurrent initialization in a comment there.
>
> In the meantime, I'm trying to get a proper git bisect running. I'm not
> sure if I can do this, as the problem is difficult to trace. But when
> running FF through valgrind and accessing the flash on
> http://data.ndr.de/mv2009/index.html I just had a 100% rate to reproduce
> at least some kind of error, mostly a segfault at application shutdown,
> with gnutls 2.8.0, whereas 2.6.6 worked all right. I'll try to reproduce
> this with gnutls built from git, and bisect the changes in between.

Thanks,
Simon

From simon at josefsson.org Mon Jun 8 18:28:21 2009
From: simon at josefsson.org (Simon Josefsson)
Date: Mon, 08 Jun 2009 18:28:21 +0200
Subject: gnutls_ext_register causing memory corruption
In-Reply-To: <4A2D3831.4090501@gmx.net> (Martin von Gagern's message of "Mon, 08 Jun 2009 18:11:29 +0200")
References: <4A2AABB9.9080309@gmx.net> <87vdn6n4rj.fsf@mocca.josefsson.org> <4A2D3352.8040409@gmx.net> <4A2D3831.4090501@gmx.net>
Message-ID: <871vpun10a.fsf@mocca.josefsson.org>

Martin von Gagern writes:

> Martin von Gagern wrote:
>> In the meantime, I'm trying to get a proper git bisect running.
>
> And failing miserably at it, because I'm still not comfortable with
> autotools.
>
> At first I tried various sequences of autoheader, automake, autoconf and
> libtoolize, but configure failed every time for the lib subdir. At some
> point I got annoyed enough, and simply copied over the files from a
> 2.8.0 tarball which weren't present in the git already. 2.8.0 built
> successfully with that, but moving to 2.6.6 still causes me trouble:
>
> $ make
> CDPATH="${ZSH_VERSION+.}:" && cd . && /bin/sh
> /home/mvg/src/up/gnutls/gnutls/build-aux/missing --run aclocal-1.11 -I
> m4 -I gl/m4 -I lib/gl/m4 -I libextra/gl/m4 -I lib/m4 -I libextra/m4
> aclocal-1.11: couldn't open directory `lib/gl/m4': No such file or directory
>
> So I assume that you added some gnulib macro files somewhere along the
> way. But while I could simply copy build files from 2.6.6 as well, this
> is no option for the intermediate revisions.
>
> Is there a simple command to turn a git working tree into something
> where I can do "./configure && make"?

Try 'make autoreconf'. During the v2.7.x branch the build system was
modified heavily, so it might not always work for these experimental
releases. The released v2.7.x tar archives should work fine though, so
it may be easier to start with those and then switch over to git when
you have pinpointed the release that breaks things.

> Preferably without having to recompile more than absolutely
> necessary, and without having to actually run configure if its input
> wasn't modified?

Between releases that is not likely to be the case; M4 files change in
practically every release.

/Simon

From simon at josefsson.org Mon Jun 8 18:34:08 2009
From: simon at josefsson.org (Simon Josefsson)
Date: Mon, 08 Jun 2009 18:34:08 +0200
Subject: gnutls_ext_register causing memory corruption
In-Reply-To: <871vpun10a.fsf@mocca.josefsson.org> (Simon Josefsson's message of "Mon, 08 Jun 2009 18:28:21 +0200")
References: <4A2AABB9.9080309@gmx.net> <87vdn6n4rj.fsf@mocca.josefsson.org> <4A2D3352.8040409@gmx.net> <4A2D3831.4090501@gmx.net> <871vpun10a.fsf@mocca.josefsson.org>
Message-ID: <87ws7mlm67.fsf@mocca.josefsson.org>

Does this patch work? I haven't tested it, but it seems
gnutls_global_init -> gnutls_global_deinit -> gnutls_global_init would
crash like the crash in the bug report. GnuTLS 2.6.x had a memory leak
and didn't release this memory, so you wouldn't notice.

/Simon

diff --git a/lib/gnutls_extensions.c b/lib/gnutls_extensions.c index e4e536f..accb204 100644 --- a/lib/gnutls_extensions.c +++ b/lib/gnutls_extensions.c @@ -331,6 +331,7 @@ void _gnutls_ext_deinit (void) { gnutls_free (extfunc); + extfunc = NULL; } /**

From arfrever.fta at gmail.com Mon Jun 8 18:36:26 2009
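Review bot: resetting extfunc alone leaves the registry half-cleared; extfunc_size keeps its old count after `gnutls_free (extfunc);`, so the first gnutls_ext_register of a later gnutls_global_init grows a fresh table from NULL while treating the first extfunc_size slots as already populated, and those slots are never written. Reset the counter in the same hunk, directly after `extfunc = NULL;`, with `extfunc_size = 0;`, so that the free and the two resets stay one unit.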
From: arfrever.fta at gmail.com (Arfrever Frehtes Taifersar Arahesis) Date: Mon, 8 Jun 2009 18:36:26 +0200 Subject: gnutls_ext_register causing memory corruption In-Reply-To: <4A2D3831.4090501@gmx.net> References: <4A2AABB9.9080309@gmx.net> <4A2D3352.8040409@gmx.net> <4A2D3831.4090501@gmx.net> Message-ID: <200906081836.28275.Arfrever.FTA@gmail.com> 2009-06-08 18:11:29 Martin von Gagern napisa?(a): > Martin von Gagern wrote: > > In the meantime, I'm trying to get a proper git bisect running. > > And failing miserably at it, because I'm still not comfortable with > autotools. > > At first I tried varous sequences of autoheader, automake, autoconf and > libtoolize, but configure failed every time for the lib subdir. See src_prepare() in gnutls-2.8.0.ebuild: http://sources.gentoo.org/viewcvs.py/gentoo-x86/net-libs/gnutls/gnutls-2.8.0.ebuild?view=markup -- Arfrever Frehtes Taifersar Arahesis -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 198 bytes Desc: This is a digitally signed message part. URL: From simon at josefsson.org Mon Jun 8 18:43:23 2009 From: simon at josefsson.org (Simon Josefsson) Date: Mon, 08 Jun 2009 18:43:23 +0200 Subject: gnutls_ext_register causing memory corruption In-Reply-To: <87ws7mlm67.fsf@mocca.josefsson.org> (Simon Josefsson's message of "Mon, 08 Jun 2009 18:34:08 +0200") References: <4A2AABB9.9080309@gmx.net> <87vdn6n4rj.fsf@mocca.josefsson.org> <4A2D3352.8040409@gmx.net> <4A2D3831.4090501@gmx.net> <871vpun10a.fsf@mocca.josefsson.org> <87ws7mlm67.fsf@mocca.josefsson.org> Message-ID: <87skiallqs.fsf@mocca.josefsson.org> Of course, the patch should be as below. I have confirmed this bug, and written a self-test for it: http://git.savannah.gnu.org/cgit/gnutls.git/tree/tests/init_roundtrip.c It crashes with GnuTLS 2.8.x. diff --git a/lib/gnutls_extensions.c b/lib/gnutls_extensions.c index e4e536f..8fe2edd 100644 --- a/lib/gnutls_extensions.c 
+++ b/lib/gnutls_extensions.c
@@ -331,6 +331,8 @@ void
 _gnutls_ext_deinit (void)
 {
   gnutls_free (extfunc);
+  extfunc = NULL;
+  extfunc_size = 0;
 }
 
 /**

/Simon

From Martin.vGagern at gmx.net Mon Jun 8 18:53:05 2009
From: Martin.vGagern at gmx.net (Martin von Gagern)
Date: Mon, 08 Jun 2009 18:53:05 +0200
Subject: gnutls_ext_register causing memory corruption
In-Reply-To: <87skiallqs.fsf@mocca.josefsson.org>
References: <4A2AABB9.9080309@gmx.net> <87vdn6n4rj.fsf@mocca.josefsson.org> <4A2D3352.8040409@gmx.net> <4A2D3831.4090501@gmx.net> <871vpun10a.fsf@mocca.josefsson.org> <87ws7mlm67.fsf@mocca.josefsson.org> <87skiallqs.fsf@mocca.josefsson.org>
Message-ID: <4A2D41F1.6040207@gmx.net>

Simon Josefsson wrote:
> diff --git a/lib/gnutls_extensions.c b/lib/gnutls_extensions.c
> index e4e536f..8fe2edd 100644
> --- a/lib/gnutls_extensions.c
> +++ b/lib/gnutls_extensions.c
> @@ -331,6 +331,8 @@ void
>  _gnutls_ext_deinit (void)
>  {
>    gnutls_free (extfunc);
> +  extfunc = NULL;
> +  extfunc_size = 0;
>  }
>  
>  /**
>

Looks good to me; no more segfaults at shutdown. I'll point the Gentoo
folks at this, should give the issue quite a broad testing, based on the
high number of subscribers on the cc lists of the involved bug reports.

Will you release a 2.8.1 to address the issue? Given that it's a
regression, and could cause major data loss, I wouldn't want to wait too
long for this to get released officially, especially as the patch
obviously won't make things any worse.

Greetings, and thanks for the fix,
Martin

From arfrever.fta at gmail.com Mon Jun 8 18:57:26 2009
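Review bot: with both `extfunc = NULL;` and `extfunc_size = 0;` the function now leaves the registry in the same state it had before the first `gnutls_global_init`, and a second deinit in a row is harmless as long as the underlying free accepts a NULL pointer (standard `free` does). Two small follow-ups: put a one-line comment above the two assignments saying they exist so an init/deinit/init cycle restarts from an empty table, because the reason is otherwise only recoverable from this thread; and have the new self-test (tests/init_roundtrip.c, linked above) register an extension after the second init, so a stale size or pointer is caught by the test rather than by a crash at application shutdown.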
From: arfrever.fta at gmail.com (Arfrever Frehtes Taifersar Arahesis)
Date: Mon, 8 Jun 2009 18:57:26 +0200
Subject: gnutls_ext_register causing memory corruption
In-Reply-To: <4A2D41F1.6040207@gmx.net>
References: <4A2AABB9.9080309@gmx.net> <87skiallqs.fsf@mocca.josefsson.org> <4A2D41F1.6040207@gmx.net>
Message-ID: <200906081857.27212.Arfrever.FTA@gmail.com>

2009-06-08 18:53:05 Martin von Gagern wrote:
> Simon Josefsson wrote:
> > diff --git a/lib/gnutls_extensions.c b/lib/gnutls_extensions.c
> > index e4e536f..8fe2edd 100644
> > --- a/lib/gnutls_extensions.c
> > +++ b/lib/gnutls_extensions.c
> > @@ -331,6 +331,8 @@ void
> >  _gnutls_ext_deinit (void)
> >  {
> >    gnutls_free (extfunc);
> > +  extfunc = NULL;
> > +  extfunc_size = 0;
> >  }
> >  
> >  /**
> >
>
> Looks good to me; no more segfaults at shutdown. I'll point the Gentoo
> folks at this

They surely know about it...

--
Arfrever Frehtes Taifersar Arahesis

From simon at josefsson.org Mon Jun 8 19:01:51 2009
From: simon at josefsson.org (Simon Josefsson)
Date: Mon, 08 Jun 2009 19:01:51 +0200
Subject: gnutls_ext_register causing memory corruption
In-Reply-To: <4A2D41F1.6040207@gmx.net> (Martin von Gagern's message of "Mon, 08 Jun 2009 18:53:05 +0200")
References: <4A2AABB9.9080309@gmx.net> <87vdn6n4rj.fsf@mocca.josefsson.org> <4A2D3352.8040409@gmx.net> <4A2D3831.4090501@gmx.net> <871vpun10a.fsf@mocca.josefsson.org> <87ws7mlm67.fsf@mocca.josefsson.org> <87skiallqs.fsf@mocca.josefsson.org> <4A2D41F1.6040207@gmx.net>
Message-ID: <87hbyqlkw0.fsf@mocca.josefsson.org>

Martin von Gagern writes:

> Simon Josefsson wrote:
>> diff --git a/lib/gnutls_extensions.c b/lib/gnutls_extensions.c
>> index e4e536f..8fe2edd 100644
>> --- a/lib/gnutls_extensions.c
>> +++ b/lib/gnutls_extensions.c
>> @@ -331,6 +331,8 @@ void
>>  _gnutls_ext_deinit (void)
>>  {
>>    gnutls_free (extfunc);
>> +  extfunc = NULL;
>> +  extfunc_size = 0;
>>  }
>>  
>>  /**
>>
>
> Looks good to me; no more segfaults at shutdown. I'll point the Gentoo
> folks at this, should give the issue quite a broad testing, based on the
> high number of subscribers on the cc lists of the involved bug reports.

I would appreciate testing.  I've prepared a v2.8.x daily snapshot with
the patch, please test it:

http://daily.josefsson.org/gnutls-2.8/gnutls-2.8-20090608.tar.gz

> Will you release a 2.8.1 to address the issue? Given that it's a
> regression, and could cause major data loss, I wouldn't want to wait too
> long for this to get released officially, especially as the patch
> obviously won't make things any worse.

Right.  If testing is successful, I can make the release quickly.  The
above *.tar.gz is RC1 of 2.8.1.

/Simon

From simon at josefsson.org Tue Jun 9 06:57:28 2009
From: simon at josefsson.org (Simon Josefsson)
Date: Tue, 09 Jun 2009 06:57:28 +0200
Subject: GnuTLS 2.9.1
Message-ID: <87d49eknrb.fsf@mocca.josefsson.org>

The GnuTLS 2.9.x branch is NOT what you want for your stable system.  It
is intended for developers and experienced users.

Here are the compressed sources:
  http://alpha.gnu.org/gnu/gnutls/gnutls-2.9.1.tar.bz2 (5.9MB)
  ftp://alpha.gnu.org/gnu/gnutls/gnutls-2.9.1.tar.bz2

Here is the OpenPGP signature:
  http://alpha.gnu.org/gnu/gnutls/gnutls-2.9.1.tar.bz2.sig
  ftp://alpha.gnu.org/gnu/gnutls/gnutls-2.9.1.tar.bz2.sig

Improving GnuTLS is costly, but you can help!  We are looking for
organizations that find GnuTLS useful and wish to contribute back.  You
can contribute by reporting bugs, improve the software, or donate money
or equipment.

Commercial support contracts for GnuTLS are available, and they help
finance continued maintenance.  Simon Josefsson Datakonsult AB, a
Stockholm based privately held company, is currently funding GnuTLS
maintenance.  We are always looking for interesting development
projects.  See http://josefsson.org/ for more details.

/Simon

* Version 2.9.1 (released 2009-06-08)

** libgnutls: Fix crash in gnutls_global_init after earlier init/deinit cycle.
See .

** tests: Added new self-tests init_roundtrip.c to detect previous problem.

** Reduce stack usage for some CRQ functions.

** Doc fixes for CRQ functions.

** API and ABI modifications:
No changes since last version.

From simon at josefsson.org Wed Jun 10 18:52:05 2009
From: simon at josefsson.org (Simon Josefsson)
Date: Wed, 10 Jun 2009 18:52:05 +0200
Subject: GnuTLS 2.8.1
Message-ID: <87ocsw9glm.fsf@mocca.josefsson.org>

We are proud to announce a new stable GnuTLS release: Version 2.8.1.

GnuTLS is a modern C library that implements the standard network
security protocol Transport Layer Security (TLS), for use by network
applications.  GnuTLS is developed for GNU/Linux, but works on many
Unix-like systems and comes with a binary installer for Windows.

The GnuTLS library is distributed under the terms of the GNU Lesser
General Public License version 2.1 (or later).  The "extra" GnuTLS
library (which contains TLS/IA support, LZO compression and Libgcrypt
FIPS-mode handler), the OpenSSL compatibility library, the self tests
and the command line tools are all distributed under the GNU General
Public License version 3.0 (or later).  The manual is distributed
under the GNU Free Documentation License version 1.3 (or later).

The project page of the library is available at:
  http://www.gnu.org/software/gnutls/

What's New
==========

** libgnutls: Fix crash in gnutls_global_init after earlier init/deinit cycle.
Forwarded by Martin von Gagern from .

** libgnutls: Fix PKCS#12 decryption from password.
The encryption key derived from the password was incorrect for (on
average) 1 in every 128 input for random inputs.  Reported by "Kukosa,
Tomas" in .

Getting the Software
====================

GnuTLS may be downloaded from one of the mirror sites or direct from
.  The list of mirrors can be found at .

Here are the BZIP2 compressed sources (6.0MB):
  ftp://ftp.gnu.org/gnu/gnutls/gnutls-2.8.1.tar.bz2
  http://ftp.gnu.org/gnu/gnutls/gnutls-2.8.1.tar.bz2

Here are OpenPGP detached signatures signed using key 0xB565716F:
  ftp://ftp.gnu.org/gnu/gnutls/gnutls-2.8.1.tar.bz2.sig
  http://ftp.gnu.org/gnu/gnutls/gnutls-2.8.1.tar.bz2.sig

Note, that we don't distribute gzip compressed tarballs.
In order to check that the version of GnuTLS which you are going to
install is an original and unmodified one, you should verify the OpenPGP
signature.  You can use the command

  gpg --verify gnutls-2.8.1.tar.bz2.sig

This checks whether the signature file matches the source file.  You
should see a message indicating that the signature is good and made by
that signing key.  Make sure that you have the right key, either by
checking the fingerprint of that key with other sources or by checking
that the key has been signed by a trustworthy other key.  The signing
key can be identified with the following information:

  pub   1280R/B565716F 2002-05-05 [expires: 2010-04-21]
        Key fingerprint = 0424 D4EE 81A0 E3D1 19C6  F835 EDA2 1E94 B565 716F
  uid                  Simon Josefsson
  uid                  Simon Josefsson
  sub   1280R/4D5D40AE 2002-05-05 [expires: 2010-04-21]

The key is available from:
  http://josefsson.org/key.txt
  dns:b565716f.josefsson.org?TYPE=CERT

Alternatively, after successfully verifying the OpenPGP signature of
this announcement, you could verify that the files match the following
checksum values.
The values are for SHA-1 and SHA-224 respectively:

  b5fd364848709393d05def7e926caddd27169525  gnutls-2.8.1.tar.bz2
  8d94ffd6d37d0251778718933a63848521ab64c4700588455bcaa372  gnutls-2.8.1.tar.bz2

Documentation
=============

The manual is available online at:
  http://www.gnu.org/software/gnutls/documentation.html

In particular the following formats are available:
  HTML: http://www.gnu.org/software/gnutls/manual/html_node/index.html
  PDF:  http://www.gnu.org/software/gnutls/manual/gnutls.pdf

For developers there is a GnuTLS API reference manual formatted using
the GTK-DOC tools:
  http://www.gnu.org/software/gnutls/reference/gnutls-gnutls.html

Community
=========

If you need help to use GnuTLS, or want to help others, you are invited
to join our help-gnutls mailing list, see:
  http://lists.gnu.org/mailman/listinfo/help-gnutls

If you wish to participate in the development of GnuTLS, you are invited
to join our gnutls-dev mailing list, see:
  http://lists.gnu.org/mailman/listinfo/gnutls-devel

Windows installer
=================

GnuTLS has been ported to the Windows operating system, and a binary
installer is available.  The installer contains DLLs for application
development, manuals, examples, and source code.  The installer uses
libgpg-error v1.7, libgcrypt v1.4.4, libtasn1 v2.2, and GnuTLS v2.8.1.
For more information about GnuTLS for Windows:
  http://josefsson.org/gnutls4win/

The Windows binary installer and PGP signature:
  http://josefsson.org/gnutls4win/gnutls-2.8.1.exe (15MB)
  http://josefsson.org/gnutls4win/gnutls-2.8.1.exe.sig

The checksum values for SHA-1 and SHA-224 are:

  3ac9beb22da8b0301c432861a74717d319f28020  gnutls-2.8.1.exe
  b40ec214c8f251c9384ddbb3fb2c4d8ea9e746140414aa76b2793791  gnutls-2.8.1.exe

A ZIP archive containing the Windows binaries:
  http://josefsson.org/gnutls4win/gnutls-2.8.1.zip (5.3MB)
  http://josefsson.org/gnutls4win/gnutls-2.8.1.zip.sig

A Debian mingw32 package is also available:
  http://josefsson.org/gnutls4win/mingw32-gnutls_2.8.1-1_all.deb (4.8MB)

The checksum values for SHA-1 and SHA-224 are:

  e34a20b91fc8e35c3a04ae8089d73fa45bb62fa4  mingw32-gnutls_2.8.1-1_all.deb
  fc15cf1c37e7711d718e4b84739807d3498e3c0045c2cf9ce4bbdc23  mingw32-gnutls_2.8.1-1_all.deb

Internationalization
====================

The GnuTLS library messages have been translated into Czech, Dutch,
French, German, Malay, Polish, Swedish, and Vietnamese.  We welcome the
addition of more translations.

Support
=======

Improving GnuTLS is costly, but you can help!  We are looking for
organizations that find GnuTLS useful and wish to contribute back.  You
can contribute by reporting bugs, improve the software, or donate money
or equipment.

Commercial support contracts for GnuTLS are available, and they help
finance continued maintenance.  Simon Josefsson Datakonsult AB, a
Stockholm based privately held company, is currently funding GnuTLS
maintenance.  We are always looking for interesting development
projects.  See http://josefsson.org/ for more details.

The GnuTLS service directory is available at:
  http://www.gnu.org/software/gnutls/commercial.html

Happy Hacking,
Simon
From craig at postnewspapers.com.au Wed Jun 10 08:17:41 2009
From: craig at postnewspapers.com.au (Craig Ringer)
Date: Wed, 10 Jun 2009 14:17:41 +0800
Subject: PKCS#11 support and proxy providers
Message-ID: <1244614661.11069.6.camel@wallace.localnet>

Hi

I've been doing some research into PKCS#11 support in GnuTLS and into
PKCS#11 proxy providers. There was some discussion on both some time ago
on the GnuTLS devel list, but I've been unable to find much more recent
than 2007. Current GnuTLS sources do not appear to support loading and
using a PKCS#11 provider module.

Is there PKCS#11 support in GnuTLS that I'm missing? Or did the PKCS#11
work done in 2007 not come to anything?

The reason I'm interested is that some apps I use, including Evolution
Data Server's Camel mail client module, use GnuTLS for their crypto
needs. This not only prevents them from talking to smart cards and other
hardware keys, but it prevents them from using centralized PKCS#11-based
certificate stores like the GNOME Keyring Daemon. Users must instead
configure each GnuTLS-using app to load their certificate from a PKCS#12
file.

I'm looking into ways to get a centralized key store, including PKCS#11
proxying for smart cards and the like, into wider use on Linux desktops.
As part of that I'd be really interested in any progress on PKCS#11
support in GnuTLS. For my purposes I'd only need single-provider
support, since GnuTLS would talk to the proxy provider over a UNIX
socket and that'd manage the keystore as well as any smart cards and the
like.

I've been unable to find any suitable existing proxy provider
implementations, so I was thinking of writing a thin PKCS#11 provider
module and a daemon that uses libnss to handle the keystore, card
proxying, and the like. Is anyone here aware of a suitable existing
PKCS#11 proxy daemon and provider that might do the job?

Thanks for listening.

--
Craig Ringer

From sunilkhatri at tamu.edu Thu Jun 11 00:17:35 2009
From: sunilkhatri at tamu.edu (Sunil P Khatri)
Date: Wed, 10 Jun 2009 17:17:35 -0500
Subject: gnutls-cgi (version 2.8.1) on ubuntu 8.04 crashes
Message-ID: <20090610171735.43941a5e@tamu.edu>

Folks,

I am running Ubuntu 8.04 on a i386. While setting up the
claws-mail client to use IMAP, I systematically got stream
errors and a failure to connect to the IMAP server.

The fine folks at the claws-mail support team diagnosed
this as a gnutls bug. I am using 2.8.1, compiled out of the
source tarball.

Below is a trace to illustrate the problem. The problem
does not occur if I use SSL.

Best regards,
Sunil

(PS If you need to contact me to follow up, please email me
directly. I am not subscribed to the gnutls-devel list)

---------------------------------------------------------------------------------------
~> gnutls-cli neo.tamu.edu --port 993
Resolving 'neo.tamu.edu'...
Connecting to '165.91.23.114:993'...
- Certificate type: X.509
 - Got a certificate list of 1 certificates.

 - Certificate[0] info:
 # subject `C=US,ST=Texas,L=College Station,O=Texas A and M University,OU=Computing and Information Services,CN=neo.tamu.edu', issuer `C=ZA,ST=Western Cape,L=Cape Town,O=Thawte Consulting cc,OU=Certification Services Division,CN=Thawte Premium Server CA,EMAIL=premium-server at thawte.com', RSA key 1024 bits, signed using RSA-SHA, activated `2009-05-29 19:33:18 UTC', expires `2012-06-13 14:51:27 UTC', SHA-1 fingerprint `fe4b9e6c138e3c9b6f236bbcca3cccd04918d9c8'

- The hostname in the certificate matches 'neo.tamu.edu'.
- Peer's certificate issuer is unknown
- Peer's certificate is NOT trusted
- Version: TLS1.0
- Key Exchange: RSA
- Cipher: 3DES-CBC
- MAC: SHA1
- Compression: NULL
- Handshake was completed

- Simple Client Mode:

* OK IMAP4 ready
1 CAPABILITY
*** Fatal error: A TLS packet with unexpected length was received.
*** Server has terminated the connection abnormally.
-------------------------------------------------------------------------------------------

Thanks!
Sunil

From simon at josefsson.org Thu Jun 11 12:14:20 2009
From: simon at josefsson.org (Simon Josefsson)
Date: Thu, 11 Jun 2009 12:14:20 +0200
Subject: gnutls-cgi (version 2.8.1) on ubuntu 8.04 crashes
In-Reply-To: <20090610171735.43941a5e@tamu.edu> (Sunil P. Khatri's message of "Wed, 10 Jun 2009 17:17:35 -0500")
References: <20090610171735.43941a5e@tamu.edu>
Message-ID: <87vdn33wn7.fsf@mocca.josefsson.org>

Sunil P Khatri writes:

> Folks,
>
> I am running Ubuntu 8.04 on a i386. While setting up the
> claws-mail client to use IMAP, I systematically got stream
> errors and a failure to connect to the IMAP server.
>
> The fine folks at the claws-mail support team diagnosed
> this as a gnutls bug. I am using 2.8.1, compiled out of the
> source tarball.
>
> Below is a trace to illustrate the problem. The problem
> does not occur if I use SSL.

Hi!  Thanks for the report.

> * OK IMAP4 ready
> 1 CAPABILITY
> *** Fatal error: A TLS packet with unexpected length was received.
> *** Server has terminated the connection abnormally.

The server does not appear to support record padding, which is a known
problem with some servers, see:

http://www.gnu.org/software/gnutls/manual/html_node/On-Record-Padding.html

You can work around the problem by using the %COMPAT priority string:

  gnutls-cli neo.tamu.edu --port 993 -d 4711 --priority NORMAL:%COMPAT

Claws mail should have a configuration knob that allows users to supply
a GnuTLS priority string.  The configuration string should preferably
be per-server.  Would you bounce back that suggestion to them?

The graphical interface could also use a knob to disable record padding
directly, without having the user understand GnuTLS priority strings.
Then claws mail needs to convert the knob settings to a priority string
internally.

Thanks,
Simon

From simon at josefsson.org Thu Jun 11 12:20:04 2009
From: simon at josefsson.org (Simon Josefsson)
Date: Thu, 11 Jun 2009 12:20:04 +0200
Subject: PKCS#11 support and proxy providers
In-Reply-To: <1244614661.11069.6.camel@wallace.localnet> (Craig Ringer's message of "Wed, 10 Jun 2009 14:17:41 +0800")
References: <1244614661.11069.6.camel@wallace.localnet>
Message-ID: <87r5xr3wdn.fsf@mocca.josefsson.org>

Craig Ringer writes:

> Hi
>
> I've been doing some research into PKCS#11 support in GnuTLS and into
> PKCS#11 proxy providers. There was some discussion on both some time ago
> on the GnuTLS devel list, but I've been unable to find much more recent
> than 2007. Current GnuTLS sources do not appear to support loading and
> using a PKCS#11 provider module.
>
> Is there PKCS#11 support in GnuTLS that I'm missing? Or did the PKCS#11
> work done in 2007 not come to anything?
>
> The reason I'm interested is that some apps I use, including Evolution
> Data Server's Camel mail client module, use GnuTLS for their crypto
> needs. This not only prevents them from talking to smart cards and other
> hardware keys, but it prevents them from using centralized PKCS#11-based
> certificate stores like the GNOME Keyring Daemon. Users must instead
> configure each GnuTLS-using app to load their certificate from a PKCS#12
> file.
>
> I'm looking into ways to get a centralized key store, including PKCS#11
> proxying for smart cards and the like, into wider use on Linux desktops.
> As part of that I'd be really interested in any progress on PKCS#11
> support in GnuTLS. For my purposes I'd only need single-provider
> support, since GnuTLS would talk to the proxy provider over a UNIX
> socket and that'd manage the keystore as well as any smart cards and the
> like.
>
> I've been unable to find any suitable existing proxy provider
> implementations, so I was thinking of writing a thin PKCS#11 provider
> module and a daemon that uses libnss to handle the keystore, card
> proxying, and the like.
> Is anyone here aware of a suitable existing
> PKCS#11 proxy daemon and provider that might do the job?

Hi.  You should be able to implement what you need using the sign
callback in GnuTLS:

http://www.gnu.org/software/gnutls/manual/html_node/Core-functions.html#index-gnutls_005fsign_005fcallback_005fset-268

This lets you send back the sign request to where the private key is,
which can include a PKCS#11 provider.

However, I would agree with you that something more would be useful.  We
have been thinking about a 'gnutlsd' daemon that can sit in the
background and hold private keys, or tunnel them to PKCS#11 providers.
See some ideas on:

http://redmine.josefsson.org/projects/gnutls/wiki/GnuTLSExternalValidation

Seahorse could implement the same protocol, and would then be able to
hold private keys and serve GnuTLS clients.

I think it makes more sense for these daemons to do the PKCS#11
integration than including that code in the TLS client library.  It
makes things simpler and easier to debug.

I wish I had more time to work on this, it would be quite interesting.
If you want to help, now is a good time to do it, since we have just
opened the 2.9.x branch.

/Simon

From tante at monkeycode.org Mon Jun 15 14:25:44 2009
From: tante at monkeycode.org (Jürgen Geuter)
Date: Mon, 15 Jun 2009 14:25:44 +0200
Subject: Bug in gnutls breaking Pidgin Jabber support
Message-ID: <1245068744.6936.30.camel@yatahaze>

Hello.

As described in http://bugs.gentoo.org/show_bug.cgi?id=273756
gnutls-2.8.0 and gnutls-2.8.1 break Jabber support in the instant
messenger Pidgin.

The Jabber support always tries connecting securely in Jabber services
which works flawlessly with gnutls-2.6.6. With 2.8.0 or 2.8.1 the client
connects but the connection breaks down almost instantly. The error
messages look like this:

(21:19:23) jabber: Found bytestream proxy server: proxy.eu.jabber.org
(21:19:23) jabber: Sending (ssl):
(21:19:23) jabber: xmlParseChunk returned warning 100
(21:19:23) util: Writing file accounts.xml to directory /home/tante/.purple
(21:19:23) util: Writing file /home/tante/.purple/accounts.xml
(21:19:24) gnutls: receive failed: A TLS fatal alert has been received.
(21:19:24) jabber: Disconnected: Input/output error

Recompiling pidgin does not help, just downgrading gnutls.

I'm posting this here since the Gentoo developer in charge of the
package (Arfrever Frehtes Taifersar Arahesis) asked me to, if you need
any extra information please ask and I'll try to supply the required
information.

Regards,
Jürgen Geuter

--
ICQ #81510866 - http://the-gay-bar.com - jabber tante at jabber.org
Occam's Razor: -"Entities must not be multiplied beyond necessity."-

From simon at josefsson.org Tue Jun 16 10:03:30 2009
From: simon at josefsson.org (Simon Josefsson)
Date: Tue, 16 Jun 2009 10:03:30 +0200
Subject: Bug in gnutls breaking Pidgin Jabber support
In-Reply-To: <1245068744.6936.30.camel@yatahaze> ("Jürgen Geuter"'s message of "Mon, 15 Jun 2009 14:25:44 +0200")
References: <1245068744.6936.30.camel@yatahaze>
Message-ID: <87ski0ip0t.fsf@mocca.josefsson.org>

Jürgen Geuter writes:

> Hello.
>
> As described in http://bugs.gentoo.org/show_bug.cgi?id=273756
> gnutls-2.8.0 and gnutls-2.8.1 break Jabber support in the instant
> messenger Pidgin.
>
> The Jabber support always tries connecting securely in Jabber services
> which works flawlessly with gnutls-2.6.6. With 2.8.0 or 2.8.1 the client
> connects but the connection breaks down almost instantly. The error
> messages look like this:
>
> (21:19:23) jabber: Found bytestream proxy server: proxy.eu.jabber.org
> (21:19:23) jabber: Sending (ssl): to='proxy.eu.jabber.org'> xmlns='http://jabber.org/protocol/bytestreams'/>
> (21:19:23) jabber: xmlParseChunk returned warning 100
> (21:19:23) util: Writing file accounts.xml to directory /home/tante/.purple
> (21:19:23) util: Writing file /home/tante/.purple/accounts.xml
> (21:19:24) gnutls: receive failed: A TLS fatal alert has been received.
> (21:19:24) jabber: Disconnected: Input/output error
>
> Recompiling pidgin does not help, just downgrading gnutls.
>
> I'm posting this here since the Gentoo developer in charge of the
> package (Arfrever Frehtes Taifersar Arahesis) asked me to, if you need
> any extra information please ask and I'll try to supply the required
> information.

Hello and thanks for the report!  The BTS seems to be down now, so I
can't check for more details.  A complete gnutls debug log is needed.
A patch to pidgin could be added to do this, what is needed is a call to

  gnutls_global_set_log_level (level);

to set a debug level and a call to

  gnutls_global_set_log_function (tls_log_func);

to set a debug logger, which has to have this prototype:

  static void
  tls_log_func (int level, const char *str)
  {
    fprintf (stderr, "|<%d>| %s", level, str);
  }

Perhaps better to print the messages to the pidgin error log.

/Simon

From simon at josefsson.org Wed Jun 17 09:23:31 2009
From: simon at josefsson.org (Simon Josefsson)
Date: Wed, 17 Jun 2009 09:23:31 +0200
Subject: gnutls_dh_get_prime_bits() returns wrong values
In-Reply-To: <20090528182531.1883.qmail@wiredyne.com> (Peter Hendrickson's message of "28 May 2009 18:25:31 -0000")
References: <20090528182531.1883.qmail@wiredyne.com>
Message-ID: <87ljnrb9xo.fsf@mocca.josefsson.org>

Peter Hendrickson writes:

> When I run gnutls_dh_get_prime_bits() it returns a value 8 bits larger
> than the actual length of the prime.  For example, if I load a
> Diffie-Hellman parameter with 4096 bits, I am told after the
> negotiation that the prime was 4104 bits long.
>
> It looks like it's getting something from dh->prime.size and
> multiplying it by 8 and that prime.size is one larger than is correct.

Yes, that seems wrong.  Fixed like this:

http://git.savannah.gnu.org/cgit/gnutls.git/commit/?id=10a9cd097b97066983b248ff87910f3d772e8408

Thanks,
/Simon

From pdh at wiredyne.com Wed Jun 17 20:13:22 2009
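The off-by-eight in the gnutls_dh_get_prime_bits() report above comes from taking the byte length of the prime's encoding and multiplying by 8: a big-endian integer whose top bit is set is commonly stored with an extra leading 0x00 byte, so a 4096-bit prime occupies 513 bytes and the naive formula reports 4104. The following is an added example, not GnuTLS code; it shows the naive computation beside a bit-length routine that skips leading zero bytes, run over a constructed 513-byte stand-in for a DH prime (not actually prime).

```c
/* Added example (not GnuTLS code): bit length of a big-endian integer such as
 * a Diffie-Hellman prime, and why "encoded size in bytes * 8" overshoots. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Naive computation, as described in the report: every byte of the encoded
 * buffer is counted as eight bits, including a leading sign byte. */
size_t
naive_prime_bits (const unsigned char *buf, size_t len)
{
  (void) buf;
  return len * 8;
}

/* Exact computation: skip leading zero bytes (such as the 0x00 that keeps a
 * two's-complement encoding positive when the magnitude's top bit is set),
 * then count only the significant bits of the first non-zero byte. */
size_t
exact_prime_bits (const unsigned char *buf, size_t len)
{
  size_t i = 0;
  while (i < len && buf[i] == 0)
    i++;
  if (i == len)
    return 0;                       /* the encoded integer is zero */

  unsigned int top = buf[i];
  size_t bits = 0;
  while (top)
    {
      bits++;
      top >>= 1;
    }
  return bits + (len - i - 1) * 8;  /* remaining bytes are all significant */
}

/* Constructed sample: a 4096-bit magnitude with its top bit set (512 bytes of
 * 0xff, which is not a prime, only a stand-in), prefixed with the 0x00 sign
 * byte an integer encoder emits for positive values.  Returns bytes written,
 * or 0 if the caller's buffer is too small. */
size_t
make_sample_prime (unsigned char *out, size_t cap)
{
  const size_t magnitude = 4096 / 8;    /* 512 bytes */
  if (cap < magnitude + 1)
    return 0;
  out[0] = 0x00;                        /* leading sign byte */
  memset (out + 1, 0xff, magnitude);
  return magnitude + 1;                 /* 513 bytes in total */
}

int
main (void)
{
  unsigned char p[600];
  size_t n = make_sample_prime (p, sizeof p);

  /* With the 513-byte encoding: naive gives 4104, exact gives 4096. */
  printf ("encoded bytes: %zu\n", n);
  printf ("naive bit count: %zu\n", naive_prime_bits (p, n));
  printf ("exact bit count: %zu\n", exact_prime_bits (p, n));
  return 0;
}
```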
From: pdh at wiredyne.com (Peter Hendrickson)
Date: 17 Jun 2009 18:13:22 -0000
Subject: gnutls_dh_get_prime_bits() returns wrong values
In-Reply-To: <87ljnrb9xo.fsf@mocca.josefsson.org> (message from Simon Josefsson on Wed, 17 Jun 2009 09:23:31 +0200)
References: <20090528182531.1883.qmail@wiredyne.com> <87ljnrb9xo.fsf@mocca.josefsson.org>
Message-ID: <20090617181322.7640.qmail@wiredyne.com>

Simon wrote:
> Yes, that seems wrong.  Fixed like this:
>
> http://git.savannah.gnu.org/cgit/gnutls.git/commit/?id=10a9cd097b97066983b248ff87910f3d772e8408

I tested gnutls_dh_get_prime_bits() and it looks good.  Thanks!

Peter

From M.Drochner at fz-juelich.de Wed Jun 17 20:06:44 2009
From: M.Drochner at fz-juelich.de (Matthias Drochner)
Date: Wed, 17 Jun 2009 20:06:44 +0200
Subject: missing variable in gnutls-2.8 Makefile
Message-ID: <200906171806.UAA0000025732@zel459.zel.kfa-juelich.de>

Hi -

"LINK_WARNING_H" is not defined in gl/tests/Makefile.am.
This causes breakage on systems where sys/ioctl.h is
missing (Solaris 10), due to an invalid "sed" command
line argument.

best regards
Matthias

------------------------------------------------------------------------------------------------
Forschungszentrum Juelich GmbH
52425 Juelich
Registered office: Juelich
Registered in the commercial register of the Dueren local court, no. HR B 3498
Chair of the Supervisory Board: MinDir'in Baerbel Brumme-Bothe
Executive Board: Prof. Dr. Achim Bachem (Chairman),
Dr. Ulrich Krafft (Deputy Chairman), Prof. Dr. Harald Bolt,
Prof. Dr. Sebastian M. Schmidt
------------------------------------------------------------------------------------------------

From M.Drochner at fz-juelich.de Wed Jun 17 21:08:52 2009
From: M.Drochner at fz-juelich.de (Matthias Drochner)
Date: Wed, 17 Jun 2009 21:08:52 +0200
Subject: gnutls "configure" inconsistency wrt openssl compatibility
Message-ID: <200906171908.VAA0000025965@zel459.zel.kfa-juelich.de>

Hi -
another one: the --disable-openssl-compatibility option doesn't
work, due to an inconsistency:
The "enable_openssl=$withval" in libextra/m4/hooks.m4 should be
"enable_openssl=$enableval".
Besides this, the logic is somewhat backwards: It prints
"whether to disable OpenSSL compatibility layer" but the result
is whether it is enabled -- the exact opposite.

best regards
Matthias

From simon at josefsson.org Thu Jun 18 22:22:04 2009
From: simon at josefsson.org (Simon Josefsson)
Date: Thu, 18 Jun 2009 22:22:04 +0200
Subject: missing variable in gnutls-2.8 Makefile
In-Reply-To: <200906171806.UAA0000025732@zel459.zel.kfa-juelich.de> (Matthias Drochner's message of "Wed, 17 Jun 2009 20:06:44 +0200")
References: <200906171806.UAA0000025732@zel459.zel.kfa-juelich.de>
Message-ID: <87k539thqr.fsf@mocca.josefsson.org>

Matthias Drochner writes:

> Hi -
>
> "LINK_WARNING_H" is not defined in gl/tests/Makefile.am.
> This causes breakage on systems where sys/ioctl.h is
> missing (Solaris 10), due to an invalid "sed" command
> line argument.

Hi.  Thanks for the report.  What error message do you get?  As far as I
can tell, the relevant sed command is:

  sed -e 's|@''HAVE_SYS_IOCTL_H''@|$(HAVE_SYS_IOCTL_H)|g' \
      -e 's|@''INCLUDE_NEXT''@|$(INCLUDE_NEXT)|g' \
      -e 's|@''PRAGMA_SYSTEM_HEADER''@|@PRAGMA_SYSTEM_HEADER@|g' \
      -e 's|@''NEXT_SYS_IOCTL_H''@|$(NEXT_SYS_IOCTL_H)|g' \
      -e 's|@''GNULIB_IOCTL''@|$(GNULIB_IOCTL)|g' \
      -e 's|@''SYS_IOCTL_H_HAVE_WINSOCK2_H''@|$(SYS_IOCTL_H_HAVE_WINSOCK2_H)|g' \
      -e '/definition of GL_LINK_WARNING/r $(LINK_WARNING_H)' \
      < $(srcdir)/sys_ioctl.in.h; \

Maybe it is really a make error you get?  Anyway, seeing the error
message would help.  I have built GnuTLS on Solaris 2.8 and didn't see
any errors like this.

Btw, which make implementation do you use?

/Simon

From simon at josefsson.org Thu Jun 18 22:27:35 2009
From: simon at josefsson.org (Simon Josefsson)
Date: Thu, 18 Jun 2009 22:27:35 +0200
Subject: gnutls "configure" inconsistency wrt openssl compatibility
In-Reply-To: <200906171908.VAA0000025965@zel459.zel.kfa-juelich.de> (Matthias Drochner's message of "Wed, 17 Jun 2009 21:08:52 +0200")
References: <200906171908.VAA0000025965@zel459.zel.kfa-juelich.de>
Message-ID: <87fxdxthhk.fsf@mocca.josefsson.org>

Matthias Drochner writes:

> Hi -
> another one: the --disable-openssl-compatibility option doesn't
> work, due to an inconsistency:
> The "enable_openssl=$withval" in libextra/m4/hooks.m4 should be
> "enable_openssl=$enableval".
> Besides this, the logic is somewhat backwards: It prints
> "whether to disable OpenSSL compatibility layer" but the result
> is whether it is enabled -- the exact opposite.

Hi.  Thanks, fixed in:

http://git.savannah.gnu.org/cgit/gnutls.git/commit/?id=1fd7d3a1ce4a9dee7e38d732e88a8105b494d607

/Simon

From M.Drochner at fz-juelich.de Thu Jun 18 22:44:47 2009
From: M.Drochner at fz-juelich.de (Matthias Drochner) Date: Thu, 18 Jun 2009 22:44:47 +0200 Subject: missing variable in gnutls-2.8 Makefile In-Reply-To: <87k539thqr.fsf@mocca.josefsson.org> References: <200906171806.UAA0000025732@zel459.zel.kfa-juelich.de> <87k539thqr.fsf@mocca.josefsson.org> Message-ID: <200906182044.WAA0000030933@zel459.zel.kfa-juelich.de> simon at josefsson.org said: > What error message do you get? The original report is here: http://mail-index.NetBSD.org/pkgsrc-bugs/2009/06/17/msg032744.html "sed" complains with "filename expected". I don't have a Solaris system, but I could reproduce it on NetBSD by pre-setting a "configure" variable, "ac_cv_header_sys_ioctl_h" iirc. It seems that gnu sed silently ignores the case if the file is not specified or does not exist: On NetBSD: $ sed '/xxx/r' I have built GnuTLS on Solaris 2.8 So perhaps you used gnu sed? > which make implementation do you use? For that package, gnu make is used. Makefiles generated by autoconf/automake usually use some gnu specific extensions. best regards Matthias ------------------------------------------------------------------------------------------------ ------------------------------------------------------------------------------------------------ Forschungszentrum Juelich GmbH 52425 Juelich Sitz der Gesellschaft: Juelich Eingetragen im Handelsregister des Amtsgerichts Dueren Nr. HR B 3498 Vorsitzende des Aufsichtsrats: MinDir'in Baerbel Brumme-Bothe Geschaeftsfuehrung: Prof. Dr. Achim Bachem (Vorsitzender), Dr. Ulrich Krafft (stellv. Vorsitzender), Prof. Dr. Harald Bolt, Prof. Dr. Sebastian M. Schmidt ------------------------------------------------------------------------------------------------ ------------------------------------------------------------------------------------------------ From tim.kosse at filezilla-project.org Fri Jun 19 21:40:56 2009 
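The portability problem in this thread is a sed `r` command whose filename operand is empty when LINK_WARNING_H is unset: GNU sed ignores it, BSD and Solaris sed reject it. The following is an added example, not the gnulib or gnutls build rule, showing the usual way out: build the sed argument list with `set --` and append the `-e '/.../r FILE'` expression only when there is a file to read. The template and include file are constructed in the usage note; `gen_header` and its arguments are names chosen for this example.

```shell
#!/bin/sh
# Added example (not from the gnutls/gnulib build system).
# gen_header TEMPLATE [LINK_WARNING_FILE]
#   Expands TEMPLATE to stdout. The "r FILE" sed command is added to the
#   argument list only when a file was given, so the resulting command
#   line is valid for GNU sed as well as for BSD and Solaris sed, which
#   fail with "filename expected" on an empty operand.
gen_header() {
    template=$1
    link_warning_h=${2:-}

    # Positional parameters are local to the function in POSIX sh, so
    # "$@" can be used as a growable argument vector.
    # The '' inside the pattern is the same trick gnulib uses to stop
    # autoconf from substituting @HAVE_SYS_IOCTL_H@ in the Makefile itself.
    set -- -e 's|@''HAVE_SYS_IOCTL_H''@|1|g'

    if [ -n "$link_warning_h" ]; then
        set -- "$@" -e "/definition of GL_LINK_WARNING/r $link_warning_h"
    fi

    sed "$@" < "$template"
}
```

With a template line `/* definition of GL_LINK_WARNING */` the contents of the second file are inserted after it; without the second argument the template is only substituted, and sed never sees the half-formed `r` command.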
From: tim.kosse at filezilla-project.org (Tim Kosse)
Date: Fri, 19 Jun 2009 21:40:56 +0200
Subject: Size of time_t in gnutls4win
Message-ID: <4A3BE9C8.7060109@filezilla-project.org>

The Windows GnuTLS binaries from http://josefsson.org/gnutls4win/ seem to be compiled in an environment with a 32bit time_t, at least in 2.6.4 and 2.8.1, the versions I have tried.

I'm using Visual Studio 2008 and on that platform time_t is 64bit in size.

The GnuTLS functions that have a time_t either as argument or as return type thus have undefined behavior.

For example gnutls_x509_crt_get_expiration_time from the DLL returns a 32bit number, whereas the calling program expects a 64bit number. The result is that the leading 32 bits of the value after the call are whatever else was on the stack at the time of the call.

The behavior of functions expecting a time_t as argument will probably be even more problematic.

I think instead of time_t a type should be used that's been chosen at compile time of GnuTLS to match the size of time_t of the build environment.

Regards,
Tim Kosse

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 258 bytes
Desc: OpenPGP digital signature
URL:

From tim.kosse at filezilla-project.org Sat Jun 20 00:13:03 2009
From: tim.kosse at filezilla-project.org (Tim Kosse) Date: Sat, 20 Jun 2009 00:13:03 +0200 Subject: Patch for off-by-one in _gnutls_x509_parse_dn in lib/x509/dn.c Message-ID: <4A3C0D6F.6070408@filezilla-project.org> The size of the sizeof_escaped string in _gnutls_x509_parse_dn is one byte too short. The length passed to str_escape includes the terminating null, yet the size calculation for sizeof_escaped does not. The attached patch corrects this problem. To reproduce: Using GnuTLS 2.8.1 Run gnutls-cli www.gmx.de -p 443 It prints the following value for the 2.5.4.17 OID in the subject of certificate 0: #1405383038303 It's missing one character at the end, it should have printed: #14053830383037 Regards, Tim Kosse -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: gnutls_dn.patch URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 258 bytes Desc: OpenPGP digital signature URL: From simon at josefsson.org Mon Jun 22 11:44:47 2009 
From: simon at josefsson.org (Simon Josefsson) Date: Mon, 22 Jun 2009 11:44:47 +0200 Subject: Patch for off-by-one in _gnutls_x509_parse_dn in lib/x509/dn.c In-Reply-To: <4A3C0D6F.6070408@filezilla-project.org> (Tim Kosse's message of "Sat, 20 Jun 2009 00:13:03 +0200") References: <4A3C0D6F.6070408@filezilla-project.org> Message-ID: <87ljnkmwkw.fsf@mocca.josefsson.org> Tim Kosse writes: > The size of the sizeof_escaped string in _gnutls_x509_parse_dn is one > byte too short. > > The length passed to str_escape includes the terminating null, yet the > size calculation for sizeof_escaped does not. > > The attached patch corrects this problem. > > To reproduce: > > Using GnuTLS 2.8.1 > Run gnutls-cli www.gmx.de -p 443 > It prints the following value for the 2.5.4.17 OID in the subject of > certificate 0: > #1405383038303 > > It's missing one character at the end, it should have printed: > #14053830383037 Fixed in http://git.savannah.gnu.org/cgit/gnutls.git/commit/?id=2773e82dd323c2699f6846a7691bf4fba697703f I also added a regression check to catch future problems in this area: http://git.savannah.gnu.org/cgit/gnutls.git/commit/?id=08d35c08e7186119076c118ed35ade0e32e89b58 Thanks, /Simon From simon at josefsson.org Mon Jun 22 15:22:18 2009 
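The off-by-one above is a sizing mistake that is easy to make whenever an escaper is handed a limit that includes the terminating NUL while the buffer was allocated without it. The following is an added example, not GnuTLS's str_escape or _gnutls_x509_parse_dn: an RFC 4514 style escaper for a DN attribute value that reports the length it needs, next to the two size formulas from the report. The function names (dn_escape, dn_escape_bufsize, dn_escape_fits) are chosen for this example; the escaping rules are the RFC 4514 section 2.4 set.

```c
/* Added example, not GnuTLS code: escaping an X.509 DN attribute value
 * per RFC 4514 section 2.4, with the output-buffer arithmetic done
 * explicitly.  Two quantities are easy to mix up: the worst-case
 * escaped length (every byte gets a backslash, so 2*inlen) and the
 * buffer size (that, plus one byte for the NUL).  The bug in the thread
 * was of the second kind: the escaper was told it had one byte more
 * than the buffer held, so the last character of the value was lost. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Escape in[0..inlen) into out.  At most outsize-1 bytes are written,
 * followed by a NUL (nothing is written when outsize is 0, so
 * dn_escape(in, inlen, NULL, 0) is a pure sizing pass).  Returns the
 * length the complete escaped value needs, excluding the NUL; a caller
 * detects truncation by checking  needed + 1 > outsize. */
size_t dn_escape(const char *in, size_t inlen, char *out, size_t outsize)
{
    size_t needed = 0, written = 0;
    for (size_t i = 0; i < inlen; i++) {
        unsigned char c = (unsigned char)in[i];
        int escape = (c == ',' || c == '+' || c == '"' || c == '\\' ||
                      c == '<' || c == '>' || c == ';');
        if (i == 0 && (c == '#' || c == ' '))      /* leading '#' or space */
            escape = 1;
        if (i == inlen - 1 && c == ' ')            /* trailing space */
            escape = 1;
        if (escape) {
            /* emit the pair only if both bytes and the NUL still fit */
            if (written + 2 < outsize) {
                out[written++] = '\\';
                out[written++] = (char)c;
            }
            needed += 2;
        } else {
            if (written + 1 < outsize)
                out[written++] = (char)c;
            needed += 1;
        }
    }
    if (outsize > 0)
        out[written] = '\0';
    return needed;
}

/* Correct buffer size for an arbitrary input of inlen bytes. */
size_t dn_escape_bufsize(size_t inlen)
{
    return 2 * inlen + 1;          /* worst-case doubling, plus the NUL */
}

/* Escape the NUL-terminated `in` into a buffer of `bufsize` bytes (out
 * has outcap bytes of real storage) and return 1 if the whole value
 * survived, 0 if it was truncated. */
int dn_escape_fits(const char *in, size_t bufsize, char *out, size_t outcap)
{
    if (bufsize > outcap)
        return 0;
    size_t needed = dn_escape(in, strlen(in), out, bufsize);
    return needed + 1 <= bufsize;
}

int main(void)
{
    char buf[64];
    const char *v = ",,";                      /* two bytes, both escaped */
    size_t wrong = 2 * strlen(v);              /* forgets the NUL */
    size_t right = dn_escape_bufsize(strlen(v));

    int fits = dn_escape_fits(v, wrong, buf, sizeof buf);
    printf("size %zu -> \"%s\" complete=%d\n", wrong, buf, fits);
    fits = dn_escape_fits(v, right, buf, sizeof buf);
    printf("size %zu -> \"%s\" complete=%d\n", right, buf, fits);
    return 0;
}
```

Returning the needed length (snprintf style) is what turns a silent truncation into something the caller can check; sizing the buffer from dn_escape_bufsize, or from a first sizing pass with outsize 0, removes the arithmetic from the call site altogether.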
From: simon at josefsson.org (Simon Josefsson)
Date: Mon, 22 Jun 2009 15:22:18 +0200
Subject: Size of time_t in gnutls4win
In-Reply-To: <4A3BE9C8.7060109@filezilla-project.org> (Tim Kosse's message of "Fri, 19 Jun 2009 21:40:56 +0200")
References: <4A3BE9C8.7060109@filezilla-project.org>
Message-ID: <87ws74l7xx.fsf@mocca.josefsson.org>

Tim Kosse writes:

> The Windows GnuTLS binaries from http://josefsson.org/gnutls4win/ seem
> to be compiled in an environment with a 32bit time_t at least in 2.6.4
> and 2.8.1, the versions I have tried.

Yes, both were built using the same mingw32 Debian package.

> I'm using Visual Studio 2008 and on that platform time_t is 64bit in
> size.

And mingw32 appears to use a 32 bit time_t:

	jas at mocca:~$ cat foo.c
	#include <stdio.h>
	#include <time.h>

	int main (void)
	{
	  /* print the width of time_t for this toolchain */
	  printf ("time_t %d\n", (int) sizeof (time_t));
	  return 0;
	}
	jas at mocca:~$ i586-mingw32msvc-gcc -o foo.exe foo.c
	jas at mocca:~$ ./foo.exe
	time_t 4
	jas at mocca:~$

> The GnuTLS functions that have a time_t either as argument or as return
> type thus have undefined behavior.
>
> For example gnutls_x509_crt_get_expiration_time from the DLL returns a
> 32bit number, whereas the calling program expects a 64bit number. The
> result is that the leading 32 bits of the value after the call are
> whatever else was on the stack at the time of the call.
>
> The behavior of functions expecting a time_t as argument will probably
> be even more problematic.

Yes, this sounds bad.

> I think instead of time_t a type should be used that's been chosen at
> compile time of GnuTLS to match the size of time_t of the build environment.

Yes, one needs to be sure to use the same ABI when linking different components. Some options:

1) Configure Visual Studio 2008 to use a 32-bit time_t.

Does defining _USE_32BIT_TIME_T work? It seems this is required for Visual Studio 2005/2008 to get a 32-bit time_t. Reference:

http://www.mail-archive.com/libtool-patches at gnu.org/msg04555.html

This should solve your problem directly.
2) Change GnuTLS binary packages to use a 64-bit time_t.

This will break with older Visual Studio. I'm not sure it is a good idea.

3) Provide GnuTLS packages for both 32-bit and 64-bit time_t.

This would seem to double the time to build Windows binaries, and building Windows binaries already is a pain for me.

4) Provide two ABIs for these functions under Windows, and use header file #if's to map the API to the right ABI.

This may be the best solution long term, but requires that someone implements this.

/Simon

From paul at darkrain42.org Mon Jun 22 19:22:09 2009
From: paul at darkrain42.org (Paul Aurich)
Date: Mon, 22 Jun 2009 10:22:09 -0700
Subject: Bug in gnutls breaking Pidgin Jabber support
References: 87ski0ip0t.fsf@mocca.josefsson.org
Message-ID: <4A3FBDC1.8070102@darkrain42.org>

Jürgen Geuter applied a patch [1] that logs gnutls' debug output at level 7. The resultant log is [2].

Pidgin's BTS should be a little more reliable now. If you can't access the log, Jürgen or I can post it someplace else.

Thanks,
~Paul

P.S. Please CC me, I'm not on the list.

[1] http://developer.pidgin.im/attachment/ticket/9338/gnutls-logging.patch
[2] http://developer.pidgin.im/raw-attachment/ticket/9338/pidgin-gnutls-debug-patch-output.txt

From simon at josefsson.org Tue Jun 23 19:38:58 2009
From: simon at josefsson.org (Simon Josefsson)
Date: Tue, 23 Jun 2009 19:38:58 +0200
Subject: Bug in gnutls breaking Pidgin Jabber support
In-Reply-To: <4A3FBDC1.8070102@darkrain42.org> (Paul Aurich's message of "Mon, 22 Jun 2009 10:22:09 -0700")
References: <4A3FBDC1.8070102@darkrain42.org>
Message-ID: <873a9qu9xp.fsf@mocca.josefsson.org>

Paul Aurich writes:

> Jürgen Geuter applied a patch [1] that logs gnutls' debug output at level
> 7. The resultant log is [2].
>
> Pidgin's BTS should be a little more reliable now. If you can't access the
> log, Jürgen or I can post it someplace else.

I can now access it. I happened to have an account in the pidgin's BTS, so I replied there instead of here.

/Simon

From rene.bleisch at iap.unibe.ch Wed Jun 24 15:53:13 2009
From: rene.bleisch at iap.unibe.ch (Rene Bleisch)
Date: Wed, 24 Jun 2009 15:53:13 +0200
Subject: gnutls13 1.4.4-3+etch4.
Message-ID: <4A422FC9.4090808@iap.unibe.ch>

Dear Sir or Madam,

I'm system administrator at the Univ. of Berne. We have servers with Debian-Linux (etch) on them. Yesterday I upgraded libgnutls13 from 1.4.4-3+etch1 to 1.4.4-3+etch4. Afterwards ssh to our servers was only possible with keylogin. Using ssh username at server, there was always an authentication failure. After a downgrade to 1.4.4-3+etch1 everything works as fine as before the upgrade, so it seems that something is wrong with libgnutls13 1.4.4-3+etch4.

Kind regards
René Bleisch

--
René Bleisch
Institute of Applied Physics
University of Bern
Sidlerstr.5
3012 Bern
Switzerland
Phone: +41 31 631 89 59
Mail: rene.bleisch at iap.unibe.ch

From simon at josefsson.org Wed Jun 24 21:05:32 2009
From: simon at josefsson.org (Simon Josefsson) Date: Wed, 24 Jun 2009 21:05:32 +0200 Subject: gnutls13 1.4.4-3+etch4. In-Reply-To: <4A422FC9.4090808@iap.unibe.ch> (Rene Bleisch's message of "Wed, 24 Jun 2009 15:53:13 +0200") References: <4A422FC9.4090808@iap.unibe.ch> Message-ID: <871vp9laf7.fsf@mocca.josefsson.org> Rene Bleisch writes: > Dear Sir or madam, > I'm system administrator at the Univ. of Berne. > We have Servers with Debian-Linux (etch) on it. > Yesterday I upgraded libgnutls13 from 1.4.4-3+etch1 to 1.4.4-3+etch4. > Afterwards ssh to our servers was only possible with keylogin. Useing > ssh username at server, > there was always an authentification failure. > After a downgrade to 1.4.4-3+etch1 everything works as fine as before > the upgrade, > so it seems, that something is wrong with libgnutls13 1.4.4-3+etch4. Please report this to Debian, since you are using debian packages of GnuTLS. /Simon From webmaster at technoplaza.net Thu Jun 25 01:20:37 2009 From: webmaster at technoplaza.net (John Ratliff) Date: Wed, 24 Jun 2009 19:20:37 -0400 Subject: gnutls website broken link Message-ID: <4A42B4C5.2080800@technoplaza.net> http://www.gnu.org/software/gnutls/devel.html Daily snapshots link goes 404. http://josefsson.org/daily/gnutls/ Can these be found elsewhere? Thanks, --John Ratliff From webmaster at technoplaza.net Thu Jun 25 01:21:51 2009 From: webmaster at technoplaza.net (John Ratliff) Date: Wed, 24 Jun 2009 19:21:51 -0400 Subject: programs that use gnutls Message-ID: <4A42B50F.8030204@technoplaza.net> On your programs page: http://www.gnu.org/software/gnutls/programs.html You don't list FileZilla (http://filezilla-project.org), a free FTP/SFTP program for Windows, Mac, and Unix. --John Ratliff From simon at josefsson.org Thu Jun 25 11:28:25 2009 
From: simon at josefsson.org (Simon Josefsson) Date: Thu, 25 Jun 2009 11:28:25 +0200 Subject: gnutls website broken link In-Reply-To: <4A42B4C5.2080800@technoplaza.net> (John Ratliff's message of "Wed, 24 Jun 2009 19:20:37 -0400") References: <4A42B4C5.2080800@technoplaza.net> Message-ID: <87tz24irwm.fsf@mocca.josefsson.org> John Ratliff writes: > http://www.gnu.org/software/gnutls/devel.html > > Daily snapshots link goes 404. > http://josefsson.org/daily/gnutls/ > > Can these be found elsewhere? The link should be http://daily.josefsson.org/gnutls/ I have fixed the first page now, thanks. /Simon From simon at josefsson.org Thu Jun 25 11:30:05 2009 From: simon at josefsson.org (Simon Josefsson) Date: Thu, 25 Jun 2009 11:30:05 +0200 Subject: programs that use gnutls In-Reply-To: <4A42B50F.8030204@technoplaza.net> (John Ratliff's message of "Wed, 24 Jun 2009 19:21:51 -0400") References: <4A42B50F.8030204@technoplaza.net> Message-ID: <87prcsirtu.fsf@mocca.josefsson.org> John Ratliff writes: > On your programs page: http://www.gnu.org/software/gnutls/programs.html > > You don't list FileZilla (http://filezilla-project.org), a free > FTP/SFTP program for Windows, Mac, and Unix. Added now, thanks. /Simon From wk at gnupg.org Sun Jun 28 16:54:20 2009 
From: wk at gnupg.org (Werner Koch) Date: Sun, 28 Jun 2009 16:54:20 +0200 Subject: Size of time_t in gnutls4win In-Reply-To: <87ws74l7xx.fsf@mocca.josefsson.org> (Simon Josefsson's message of "Mon, 22 Jun 2009 15:22:18 +0200") References: <4A3BE9C8.7060109@filezilla-project.org> <87ws74l7xx.fsf@mocca.josefsson.org> Message-ID: <87my7stnmr.fsf@wheatstone.g10code.de> On Mon, 22 Jun 2009 15:22, simon at josefsson.org said: > 4) Provide two ABIs for these functions under Windows, and use header > file #if's to map the API to the right ABI. 5) Add a new API to GNUTLS which uses a 15 byte string (yyyyddmmThhmmss) to express a timestamp. This helps for the year 2038 problem and with some silly certificates which have an expire date set to more than 30 years in the future. We do this in GnuPG because there is no other way to express calendar dates in a portable way. Yes, a 64 bit time_t would help but as long as Ulrich Drepper rejects such a change in glibc, we can't help ourself and have to resort to this solution. Shalom-Salam, Werner -- Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz. From webmaster at technoplaza.net Mon Jun 29 01:58:04 2009 
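Werner's option 5 sidesteps the width of time_t entirely: both sides of the DLL boundary exchange a fixed-size string and do their own arithmetic. The following is an added example, not GnuTLS or GnuPG code, of that idea: a 15-byte "yyyymmddThhmmss" UTC timestamp (ISO 8601 basic ordering is used here) formatted from and parsed back to a 64-bit second count, so dates after 2038 survive even on a build whose time_t is 32 bits, and a malformed or impossible date is rejected rather than silently normalised. The calendar conversion is Howard Hinnant's days_from_civil/civil_from_days; the function names ts_format, ts_parse and ts_roundtrip_ok are chosen for this example.

```c
/* Added example, not GnuTLS or GnuPG code: carry a timestamp across a
 * DLL boundary as the 15-byte string yyyymmddThhmmss (UTC) instead of
 * a time_t, so sizeof(time_t) on either side is irrelevant.  All
 * arithmetic is int64_t, so dates beyond 2038 work even where time_t
 * is 32 bits.  Day<->date conversion is the proleptic Gregorian
 * algorithm from Howard Hinnant's date library. */
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

#define TS_LEN 15

static int64_t days_from_civil(int64_t y, unsigned m, unsigned d)
{
    y -= m <= 2;                                   /* March-based year */
    int64_t era = (y >= 0 ? y : y - 399) / 400;
    unsigned yoe = (unsigned)(y - era * 400);                 /* [0, 399] */
    unsigned doy = (153 * (m > 2 ? m - 3 : m + 9) + 2) / 5 + d - 1;
    unsigned doe = yoe * 365 + yoe / 4 - yoe / 100 + doy;     /* [0, 146096] */
    return era * 146097 + (int64_t)doe - 719468;   /* days since 1970-01-01 */
}

static void civil_from_days(int64_t z, int64_t *y, unsigned *m, unsigned *d)
{
    z += 719468;
    int64_t era = (z >= 0 ? z : z - 146096) / 146097;
    unsigned doe = (unsigned)(z - era * 146097);
    unsigned yoe = (doe - doe / 1460 + doe / 36524 - doe / 146096) / 365;
    unsigned doy = doe - (365 * yoe + yoe / 4 - yoe / 100);
    unsigned mp = (5 * doy + 2) / 153;
    *d = doy - (153 * mp + 2) / 5 + 1;
    *m = mp < 10 ? mp + 3 : mp - 9;
    *y = (int64_t)yoe + era * 400 + (*m <= 2);
}

/* Seconds since the Unix epoch -> "yyyymmddThhmmss" in out[TS_LEN+1].
 * Returns 0, or -1 if the year does not fit in four digits. */
int ts_format(int64_t secs, char out[TS_LEN + 1])
{
    int64_t days = secs / 86400, rem = secs % 86400;
    if (rem < 0) { rem += 86400; days -= 1; }      /* floor, not truncate */
    int64_t y; unsigned m, d;
    civil_from_days(days, &y, &m, &d);
    if (y < 0 || y > 9999)
        return -1;
    snprintf(out, TS_LEN + 1, "%04lld%02u%02uT%02lld%02lld%02lld",
             (long long)y, m, d, (long long)(rem / 3600),
             (long long)(rem / 60 % 60), (long long)(rem % 60));
    return 0;
}

/* "yyyymmddThhmmss" -> seconds since the epoch.  Returns 0 and stores
 * the value (if secs is non-NULL), or -1 for anything malformed: wrong
 * length, missing 'T', non-digits, out-of-range fields, or a date that
 * does not exist (30 February would normalise to 2 March; the
 * round-trip comparison rejects it). */
int ts_parse(const char *s, int64_t *secs)
{
    if (strlen(s) != TS_LEN || s[8] != 'T')
        return -1;
    for (int i = 0; i < TS_LEN; i++)
        if (i != 8 && !isdigit((unsigned char)s[i]))
            return -1;
    int64_t y = (s[0] - '0') * 1000 + (s[1] - '0') * 100 +
                (s[2] - '0') * 10 + (s[3] - '0');
    unsigned m  = (s[4]  - '0') * 10 + (s[5]  - '0');
    unsigned d  = (s[6]  - '0') * 10 + (s[7]  - '0');
    unsigned hh = (s[9]  - '0') * 10 + (s[10] - '0');
    unsigned mm = (s[11] - '0') * 10 + (s[12] - '0');
    unsigned ss = (s[13] - '0') * 10 + (s[14] - '0');
    if (m < 1 || m > 12 || d < 1 || d > 31 || hh > 23 || mm > 59 || ss > 59)
        return -1;
    int64_t t = days_from_civil(y, m, d) * 86400 + hh * 3600 + mm * 60 + ss;
    char back[TS_LEN + 1];
    if (ts_format(t, back) != 0 || strcmp(back, s) != 0)
        return -1;
    if (secs)
        *secs = t;
    return 0;
}

/* 1 if secs formats to `expect` and parses back to the same value. */
int ts_roundtrip_ok(int64_t secs, const char *expect)
{
    char buf[TS_LEN + 1];
    int64_t back;
    return ts_format(secs, buf) == 0 && strcmp(buf, expect) == 0 &&
           ts_parse(buf, &back) == 0 && back == secs;
}

int main(void)
{
    char buf[TS_LEN + 1];
    ts_format(2147483648LL, buf);                  /* one past the 32-bit limit */
    printf("%s (time_t here is %d bytes)\n", buf, (int)sizeof(time_t));
    return 0;
}
```

An API built on this passes `char[16]` across the boundary and never a time_t; the application converts with ts_parse into whatever integer type it likes. The round-trip check in ts_parse is what makes the parser strict: any input that does not reproduce itself byte for byte is refused, which also covers leap-day mistakes without a separate days-in-month table.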
From: webmaster at technoplaza.net (John Ratliff) Date: Sun, 28 Jun 2009 19:58:04 -0400 Subject: compilation difficulties on Mac Message-ID: <4A48038C.80308@technoplaza.net> For some reason, Mac cannot build the doc folder on gnutls. Because of this, make install will not proceed. I have been editing the Makefile to prevent the doc folder from being built, but I wonder if there is a better solution to this. I am using the 2009-06-28 daily source release, but this problem affects all versions (2.8.1, 2.6.x, 2.4.2, and 2.2.5 tested). It manifests on both Tiger and Leopard. My configure line ./configure --disable-shared --with-libgcrypt-prefix=$HOME/unix/libgcrypt --prefix $HOME/unix/gnutls-20090628 My configure output: http://code.technoplaza.net/temp/gnutls/configure.log The output of make http://code.technoplaza.net/temp/gnutls/make.log The library builds fine, and if I edit the Makefile to tell it to ignore the doc directory, I can use make install and the library works perfectly. I am presently using this patch http://code.technoplaza.net/filezilla/gnutls-2.8.patch to adjust the Makefile. Any better suggestions? I mentioned this problem last year on the help-gnutls list but received no response. http://lists.gnu.org/archive/html/help-gnutls/2008-12/msg00016.html I also asked this question on the FileZilla forum where they suggested not to build the docs: http://forum.filezilla-project.org/viewtopic.php?f=3&t=9417 Thanks, --John Ratliff From tim.kosse at filezilla-project.org Mon Jun 29 09:12:32 2009 
From: tim.kosse at filezilla-project.org (Tim Kosse)
Date: Mon, 29 Jun 2009 09:12:32 +0200
Subject: Bug in gnutls breaking Pidgin Jabber support
In-Reply-To: <873a9qu9xp.fsf@mocca.josefsson.org>
References: <4A3FBDC1.8070102@darkrain42.org> <873a9qu9xp.fsf@mocca.josefsson.org>
Message-ID: <4A486960.6010405@filezilla-project.org>

Hi,

Simon Josefsson wrote:
> I can now access it. I happened to have an account in the pidgin's BTS,
> so I replied there instead of here.

replying here since I have no account in Pidgin's trac.

FileZilla seems to suffer from this problem as well if linked against GnuTLS 2.8.1; it too is now getting the "Bad record MAC" alert. It happens on almost all file uploads, especially if enabling a speed limit in FileZilla's settings.

> The reason why you see this and nobody else may be that pidgin's pull
> function seems to return EAGAIN quite often. That's OK but rather untypical.

FileZilla's pull/push too return EAGAIN quite often, especially with speed limits enabled.

I'll try building a version of GnuTLS with http://git.savannah.gnu.org/cgit/gnutls.git/commit/?id=745436e29f339da41249db1b715e28081373b190 reverted.

Regards,
Tim Kosse

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 258 bytes
Desc: OpenPGP digital signature
URL:

From tim.kosse at filezilla-project.org Mon Jun 29 10:01:07 2009
From: tim.kosse at filezilla-project.org (Tim Kosse) Date: Mon, 29 Jun 2009 10:01:07 +0200 Subject: Bug in gnutls breaking Pidgin Jabber support In-Reply-To: <4A486960.6010405@filezilla-project.org> References: <4A3FBDC1.8070102@darkrain42.org> <873a9qu9xp.fsf@mocca.josefsson.org> <4A486960.6010405@filezilla-project.org> Message-ID: <4A4874C3.4010709@filezilla-project.org> Hi, found the problem. Happens if _gnutls_io_write_buffered gets called with iptr == NULL and n < session->internals.record_send_buffer.length It then gets up to n bytes from the send buffer into ptr. At that point session->internals.record_send_buffer still contains additional outstanding data. If sending fails, it pushes the remaining data from ptr to the end of the send buffer, causing the buffer contents to become reordered. Instead it should have put it to the beginning. A gnutls_buffer_prepend function would be needed. A workaround is to always request the complete buffer, see attached patch. That's identical to the behavior of older GnuTLS versions. Tim -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: gnutls_buffers.patch URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 258 bytes Desc: OpenPGP digital signature URL: From nmav at gnutls.org Tue Jun 30 20:44:29 2009 
From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Tue, 30 Jun 2009 21:44:29 +0300 Subject: Bug in gnutls breaking Pidgin Jabber support In-Reply-To: <4A4874C3.4010709@filezilla-project.org> References: <4A3FBDC1.8070102@darkrain42.org> <873a9qu9xp.fsf@mocca.josefsson.org> <4A486960.6010405@filezilla-project.org> <4A4874C3.4010709@filezilla-project.org> Message-ID: <4A4A5D0D.40701@gnutls.org> Tim Kosse wrote: > Hi, > > found the problem. Happens if _gnutls_io_write_buffered gets called with > iptr == NULL and n < session->internals.record_send_buffer.length > > It then gets up to n bytes from the send buffer into ptr. At that point > session->internals.record_send_buffer still contains additional > outstanding data. > > If sending fails, it pushes the remaining data from ptr to the end of > the send buffer, causing the buffer contents to become reordered. > Instead it should have put it to the beginning. A gnutls_buffer_prepend > function would be needed. > > A workaround is to always request the complete buffer, see attached > patch. That's identical to the behavior of older GnuTLS versions. I did a quick hack to make a prepend function. Does this solve the issue? -------------- next part -------------- A non-text attachment was scrubbed... Name: test.patch Type: text/x-patch Size: 2925 bytes Desc: not available URL: From tim.kosse at filezilla-project.org Tue Jun 30 21:25:35 2009 
From: tim.kosse at filezilla-project.org (Tim Kosse) Date: Tue, 30 Jun 2009 21:25:35 +0200 Subject: Bug in gnutls breaking Pidgin Jabber support In-Reply-To: <4A4A5D0D.40701@gnutls.org> References: <4A3FBDC1.8070102@darkrain42.org> <873a9qu9xp.fsf@mocca.josefsson.org> <4A486960.6010405@filezilla-project.org> <4A4874C3.4010709@filezilla-project.org> <4A4A5D0D.40701@gnutls.org> Message-ID: <4A4A66AF.6010002@filezilla-project.org> Hi, > I did a quick hack to make a prepend function. Does this solve the issue? sadly this patch does not work. In _gnutls_io_write_buffered, if n is less than session->internals.record_send_buffer.length and the sending succeeds, the remaining buffer is silently discarded at the end of the function. Tim -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 258 bytes Desc: OpenPGP digital signature URL: From nmav at gnutls.org Tue Jun 30 22:14:13 2009 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Tue, 30 Jun 2009 23:14:13 +0300 Subject: Bug in gnutls breaking Pidgin Jabber support In-Reply-To: <4A4A66AF.6010002@filezilla-project.org> References: <4A3FBDC1.8070102@darkrain42.org> <873a9qu9xp.fsf@mocca.josefsson.org> <4A486960.6010405@filezilla-project.org> <4A4874C3.4010709@filezilla-project.org> <4A4A5D0D.40701@gnutls.org> <4A4A66AF.6010002@filezilla-project.org> Message-ID: <4A4A7215.6010402@gnutls.org> Tim Kosse wrote: > Hi, > >> I did a quick hack to make a prepend function. Does this solve the issue? > > sadly this patch does not work. > > In _gnutls_io_write_buffered, if n is less than > session->internals.record_send_buffer.length and the sending succeeds, > the remaining buffer is silently discarded at the end of the function. By n < session->internals.record_send_buffer.length you mean that it can be any value less or zero? From pdh at wiredyne.com Tue Jun 30 22:24:48 2009 
From: pdh at wiredyne.com (Peter Hendrickson) Date: 30 Jun 2009 20:24:48 -0000 Subject: Certificate Request State Message-ID: <20090630202448.19789.qmail@wiredyne.com> Running GnuTLS 2.8.1 under Ubuntu 9.04, I find that gnutls_certificate_client_get_request_status() falsely reports that no client certificate was requested, even when there was a request. (The server code is supposed to be asking for a certificate, it successfully verifies the client certificate, and I can see the certificate request packet to the client and the client sending its certificate.) Watching in the debugger, it appears that when the "Certificate Request" handshake packet arrives at the client from the server, the client sets session->key->certificate_requested to 1 in auth_cert.c:_gnutls_proc_cert_cert_req(). The problem seems to lie in gnutls_certificate_client_get_request_status() itself. It calls _gnutls_get_auth_info() to get a pointer called "info" which is really just session->key->auth_info. Then _get_request_status() returns the value of info->certificate_requested; that is, effectively session->key->auth_info->certificate_requested. It should probably just return session->key->certificate_requested. Without having figured out every detail, it looks to me as if the code that sets the status and the code that reads the status are using two different locations. There seems to be no relationship between the two. _get_request_status() seems to be the only place in the code that does anything with session->key->auth_info->certificate_requested. Peter From tim.kosse at filezilla-project.org Tue Jun 30 22:33:23 2009 
From: tim.kosse at filezilla-project.org (Tim Kosse) Date: Tue, 30 Jun 2009 22:33:23 +0200 Subject: Bug in gnutls breaking Pidgin Jabber support In-Reply-To: <4A4A7215.6010402@gnutls.org> References: <4A3FBDC1.8070102@darkrain42.org> <873a9qu9xp.fsf@mocca.josefsson.org> <4A486960.6010405@filezilla-project.org> <4A4874C3.4010709@filezilla-project.org> <4A4A5D0D.40701@gnutls.org> <4A4A66AF.6010002@filezilla-project.org> <4A4A7215.6010402@gnutls.org> Message-ID: <4A4A7693.9000806@filezilla-project.org> Hi, > By n < session->internals.record_send_buffer.length you mean that it can > be any value less or zero? on a closer look n can only be 0 if iptr == NULL. So strictly speaking n < session->internals.record_send_buffer.length holds. I need to revise my earlier observation, there is no buffer reordering, 0 bytes taken from the beginning are added to the end. However sending nothing always succeeds and the remaining buffer is simply discarded at the end of the function. So actually your prepend function does nothing, no functional change. BTW, I am currently also tracking down a related problem in the handshake code that I can observe in 2.6.4 even. By artificially forcing the push function to return EAGAIN most of the times I managed to trigger this other. I'll send more information once I figure out what's going wrong in that case. Tim -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 258 bytes Desc: OpenPGP digital signature URL: From tim.kosse at filezilla-project.org Tue Jun 30 23:23:23 2009 
From: tim.kosse at filezilla-project.org (Tim Kosse) Date: Tue, 30 Jun 2009 23:23:23 +0200 Subject: Patch for _gnutls_send_finished in gnutls_handshake.c Message-ID: <4A4A824B.1040905@filezilla-project.org> This is the handshake issue I've mentioned earlier. This problem exists in 2.6.4 as well as 2.8. If _gnutls_send_finished fails with GNUTLS_E_AGAIN or GNUTLS_E_AGAIN it eventually gets called a second time. It however does not call _gnutls_send_handshake with a NULL pointer on repeated calls, ultimately leading to an internal error in _gnutls_handshake_io_send_int. The attached patch simply makes sure to also pass a NULL pointer to _gnutls_send_handshake if data_size is 0. Regards, Tim Kosse -------------- next part -------------- A non-text attachment was scrubbed... Name: handshake.patch Type: text/x-patch Size: 347 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 258 bytes Desc: OpenPGP digital signature URL: From tim.kosse at filezilla-project.org Tue Jun 30 23:54:21 2009 
From: tim.kosse at filezilla-project.org (Tim Kosse)
Date: Tue, 30 Jun 2009 23:54:21 +0200
Subject: Bug in gnutls breaking Pidgin Jabber support
In-Reply-To: <4A4A7693.9000806@filezilla-project.org>
References: <4A3FBDC1.8070102@darkrain42.org> <873a9qu9xp.fsf@mocca.josefsson.org> <4A486960.6010405@filezilla-project.org> <4A4874C3.4010709@filezilla-project.org> <4A4A5D0D.40701@gnutls.org> <4A4A66AF.6010002@filezilla-project.org> <4A4A7215.6010402@gnutls.org> <4A4A7693.9000806@filezilla-project.org>
Message-ID: <4A4A898D.4000700@filezilla-project.org>

Hi,

since my initial assumptions got invalidated, I no longer consider my earlier patch as merely an ugly workaround but instead as a viable solution.

I've attached an updated version of the patch. In addition to _gnutls_io_write_buffered, _gnutls_handshake_io_send_int is fixed as well.

Combined with the handshake patch I've previously mailed, I've been unable to reproduce any problems with GnuTLS in FileZilla.

Tim

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: gnutls_buffers.patch
Type: text/x-patch
Size: 840 bytes
Desc: not available
URL:

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 258 bytes
Desc: OpenPGP digital signature
URL:
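The failure mode traced through this thread (a partial take from the send buffer, a push that returns EAGAIN, and the unsent remainder either appended behind newer data or dropped, which the peer then sees as a bad record MAC) and the retry problem in the _gnutls_send_finished report both come down to one rule for a non-blocking send buffer: remove only the bytes the transport actually accepted, always from the front, and let a retry drain the same buffer without contributing anything new. The following is an added example, not GnuTLS's _gnutls_io_write_buffered, of a send buffer built on that rule, driven by a constructed push callback that takes at most a few bytes per call and fails with EAGAIN on every other call. All names (sendbuf_t, sendbuf_queue, sendbuf_flush, flaky_push, sendbuf_demo_ok) and the sample records are chosen for this example.

```c
/* Added example, not GnuTLS code: a record send buffer that survives
 * partial writes and EAGAIN without reordering or dropping data. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SENDBUF_CAP 4096

typedef struct {
    unsigned char data[SENDBUF_CAP];
    size_t len;            /* unsent bytes, always data[0..len) in order */
} sendbuf_t;

/* Stand-in for the gnutls push callback: bytes written, or -1 with errno. */
typedef long (*push_fn)(void *ctx, const void *buf, size_t n);

/* Append a record; 0 on success, -1 if it does not fit. */
int sendbuf_queue(sendbuf_t *sb, const void *rec, size_t n)
{
    if (n > SENDBUF_CAP - sb->len)
        return -1;
    memcpy(sb->data + sb->len, rec, n);
    sb->len += n;
    return 0;
}

/* Push as much as the transport accepts.  Only the bytes it actually
 * took are removed, from the front; everything else stays in place and
 * in order for the next call, so a retry after EAGAIN is just another
 * call with nothing new queued.  Returns 0 when empty, 1 when data
 * remains (retry later), -1 on a hard error. */
int sendbuf_flush(sendbuf_t *sb, push_fn push, void *ctx)
{
    while (sb->len > 0) {
        long sent = push(ctx, sb->data, sb->len);
        if (sent < 0)
            return (errno == EAGAIN || errno == EINTR) ? 1 : -1;
        if ((size_t)sent > sb->len)
            return -1;                          /* transport misreported */
        memmove(sb->data, sb->data + sent, sb->len - (size_t)sent);
        sb->len -= (size_t)sent;
    }
    return 0;
}

/* --- constructed flaky transport used for the demonstration --- */
typedef struct {
    unsigned char out[SENDBUF_CAP];             /* what the peer received */
    size_t outlen;
    unsigned calls;
    size_t chunk;                               /* max bytes per success */
} flaky_t;

static long flaky_push(void *ctx, const void *buf, size_t n)
{
    flaky_t *f = ctx;
    if (f->calls++ % 2 == 0) {                  /* every other call: EAGAIN */
        errno = EAGAIN;
        return -1;
    }
    size_t take = n < f->chunk ? n : f->chunk;  /* short write */
    memcpy(f->out + f->outlen, buf, take);
    f->outlen += take;
    return (long)take;
}

/* Queue three records with a flush attempt after each (as an application
 * would), then drain with retries, and report whether the transport saw
 * exactly the concatenation in order.  A buffer that appended the unsent
 * tail behind newer data, or discarded it, fails this check. */
int sendbuf_demo_ok(void)
{
    static const char *recs[] = { "record-one|", "record-two|", "record-three|" };
    char expect[128] = "";
    sendbuf_t sb = { .len = 0 };
    flaky_t f = { .outlen = 0, .calls = 0, .chunk = 5 };

    for (size_t i = 0; i < 3; i++) {
        if (sendbuf_queue(&sb, recs[i], strlen(recs[i])) != 0)
            return 0;
        strcat(expect, recs[i]);
        if (sendbuf_flush(&sb, flaky_push, &f) < 0)
            return 0;
    }
    int rc;
    do {
        rc = sendbuf_flush(&sb, flaky_push, &f);  /* retry until drained */
    } while (rc == 1);
    return rc == 0 && f.outlen == strlen(expect) &&
           memcmp(f.out, expect, f.outlen) == 0;
}

int main(void)
{
    printf("send buffer kept order under EAGAIN and short writes: %s\n",
           sendbuf_demo_ok() ? "yes" : "no");
    return 0;
}
```

The memmove-from-front is the simplest correct shape; a ring buffer or a head offset avoids the copy but must keep the same invariant, namely that unsent bytes are never moved behind data queued after them.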