From simon at josefsson.org Sun May 3 21:41:55 2009 From: simon at josefsson.org (Simon Josefsson) Date: Sun, 03 May 2009 21:41:55 +0200 Subject: GnuTLS 2.7.8 Message-ID: <87hc02c6t8.fsf@mocca.josefsson.org> The GnuTLS 2.7.x branch is NOT what you want for your stable system. It is intended for developers and experienced users. Here are the compressed sources: http://alpha.gnu.org/gnu/gnutls/gnutls-2.7.8.tar.bz2 (5.8MB) ftp://alpha.gnu.org/gnu/gnutls/gnutls-2.7.8.tar.bz2 Here is the OpenPGP signature: http://alpha.gnu.org/gnu/gnutls/gnutls-2.7.8.tar.bz2.sig ftp://alpha.gnu.org/gnu/gnutls/gnutls-2.7.8.tar.bz2.sig Known open issues holding back the next stable release: * Make gnutls-cli/gnutls-serv work under Windows again * Resolve how to treat the partial TLS 1.2 implementation * Fix the API man page for priority strings * Confirm that Cedric BAIL's copyright assignment has arrived with the FSF The earlier plan to release on April 1th didn't work out, but I'm going to try work through these issues again now. If you want to see anything else done in the next stable release, now is the time to speak! Improving GnuTLS is costly, but you can help! We are looking for organizations that find GnuTLS useful and wish to contribute back. You can contribute by reporting bugs, improve the software, or donate money or equipment. Commercial support contracts for GnuTLS are available, and they help finance continued maintenance. Simon Josefsson Datakonsult AB, a Stockholm based privately held company, is currently funding GnuTLS maintenance. We are always looking for interesting development projects. See http://josefsson.org/ for more details. /Simon * Version 2.7.8 (released 2009-05-03) ** libgnutls: Fix DSA key generation. Merged from stable branch. [GNUTLS-SA-2009-2] [CVE-2009-1416] ** libgnutls: Check expiration/activation time on untrusted certificates. Merged from stable branch. Reported by Romain Francoise . This changes the semantics of gnutls_x509_crt_list_verify, which in turn is used by gnutls_certificate_verify_peers and gnutls_certificate_verify_peers2. We add two new gnutls_certificate_status_t codes for reporting the new error condition, GNUTLS_CERT_NOT_ACTIVATED and GNUTLS_CERT_EXPIRED. We also add a new gnutls_certificate_verify_flags flag, GNUTLS_VERIFY_DISABLE_TIME_CHECKS, that can be used to disable the new behaviour. [GNUTLS-SA-2009-3] [CVE-2009-1417] ** lib: Linker version scripts reduces number of exported symbols. The linker version script now lists all exported ABIs explicitly, to avoid accidentally exporting unintended functions. Compared to before, most symbols beginning with _gnutls* are no longer exported. These functions have never been intended for use by applications, and there were no prototypes for these function in the public header files. Thus we believe it is possible to do this without incrementing the library ABI version which normally has to be done when removing an interface. ** lib: Limit exported symbols on systems without LD linker scripts. Before all symbols were exported. Now we limit the exported symbols to (for libgnutls and libgnutls-extra) gnutls* and (for libgnutls) _gnutls*. This is a superset of the actual supported ABI, but still an improvement compared to before. This is implemented using Libtool -export-symbols-regex. It is more portable than linker version scripts. ** libgnutls: Incremented CURRENT/AGE libtool version to reflect new symbols. This should have been done in the last release. ** gnutls-serv: Listen on all interfaces, including both IPv4 and IPv6. Reported by Peter Hendrickson in . ** doc: Improved sections for the info manual. We now follow the advice given by the texinfo manual on which directory categories to use. In particular, libgnutls moved from the 'GNU Libraries' section to the 'Software libraries' and the command line tools moved from 'Network Applications' to 'System Administration'. ** API and ABI modifications: gnutls_x509_crt_list_verify: CHANGED, checks activation/expiration times. gnutls_certificate_verify_peers: Likewise. gnutls_certificate_verify_peers2: Likewise. GNUTLS_CERT_NOT_ACTIVATED: ADDED. GNUTLS_CERT_EXPIRED: ADDED. GNUTLS_VERIFY_DISABLE_TIME_CHECKS: ADDED. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 419 bytes Desc: not available URL: From arfrever.fta at gmail.com Sun May 3 22:51:30 2009 From: arfrever.fta at gmail.com (Arfrever Frehtes Taifersar Arahesis) Date: Sun, 3 May 2009 22:51:30 +0200 Subject: GnuTLS 2.7.8 fails to build Message-ID: <200905032251.31280.Arfrever.FTA@gmail.com> GnuTLS 2.7.8 fails to build: /bin/sh ../libtool --tag=CC --mode=link x86_64-pc-linux-gnu-gcc -std=gnu99 -Wall -W -Wformat-security -Winit-self -Wmissing-include-dirs -Wunused -Wunknown-pragmas -Wstrict-aliasing -Wfloat-equal -Wdeclaration-after-statement -Wpointer-arith -Wbad-function-cast -Wcast-align -Wwrite-strings -Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations -Wmissing-noreturn -Wmissing-format-attribute -Wpacked -Wredundant-decls -Wnested-externs -Winline -Winvalid-pch -Wlong-long -Wvla -Wvolatile-register-var -Wdisabled-optimization -Wstack-protector -Woverlength-strings -Wattributes -Wcoverage-mismatch -Wmultichar -Wunused-macros -Wno-missing-field-initializers -Wno-sign-compare -Wno-pointer-sign -Wno-unused-parameter -Wno-unused-parameter -fdiagnostics-show-option -march=core2 -pipe -O3 -Wl,-O1,--as-needed,--gc-sections,--hash-style=gnu,--sort-common -o gnutls-serv serv.o common.o ../lib/libgnutls.la ../libextra/libgnutls-extra.la libcmd-serv.la ../gl/libgnu.la libtool: link: x86_64-pc-linux-gnu-gcc -std=gnu99 -Wall -W -Wformat-security -Winit-self -Wmissing-include-dirs -Wunused -Wunknown-pragmas -Wstrict-aliasing -Wfloat-equal -Wdeclaration-after-statement -Wpointer-arith -Wbad-function-cast -Wcast-align -Wwrite-strings -Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations -Wmissing-noreturn -Wmissing-format-attribute -Wpacked -Wredundant-decls -Wnested-externs -Winline -Winvalid-pch -Wlong-long -Wvla -Wvolatile-register-var -Wdisabled-optimization -Wstack-protector -Woverlength-strings -Wattributes -Wcoverage-mismatch -Wmultichar -Wunused-macros -Wno-missing-field-initializers -Wno-sign-compare -Wno-pointer-sign -Wno-unused-parameter -Wno-unused-parameter -fdiagnostics-show-option -march=core2 -pipe -O3 -Wl,-O1 -Wl,--as-needed -Wl,--gc-sections -Wl,--hash-style=gnu -Wl,--sort-common -o .libs/gnutls-serv serv.o common.o ../lib/.libs/libgnutls.so -L/usr/lib64 ../libextra/.libs/libgnutls-extra.so /usr/lib64/liblzo2.so /var/tmp/portage/net-libs/gnutls-2.7.8/work/gnutls-2.7.8/lib/.libs/libgnutls.so /usr/lib64/libtasn1.so -lz /usr/lib64/libgcrypt.so /usr/lib64/libgpg-error.so ./.libs/libcmd-serv.a ../gl/.libs/libgnu.a ../libextra/.libs/libgnutls-extra.so: undefined reference to `_gnutls_compression_algorithms' ../libextra/.libs/libgnutls-extra.so: undefined reference to `_gnutls_comp_algorithms_size' ../libextra/.libs/libgnutls-extra.so: undefined reference to `_gnutls_lzo1x_decompress_safe' ../libextra/.libs/libgnutls-extra.so: undefined reference to `_gnutls_lzo1x_1_compress' collect2: ld returned 1 exit status make[3]: *** [gnutls-serv] Error 1 make[3]: Leaving directory `/var/tmp/portage/net-libs/gnutls-2.7.8/work/gnutls-2.7.8/src' make[2]: *** [all-recursive] Error 1 make[2]: Leaving directory `/var/tmp/portage/net-libs/gnutls-2.7.8/work/gnutls-2.7.8/src' make[1]: *** [all-recursive] Error 1 make[1]: Leaving directory `/var/tmp/portage/net-libs/gnutls-2.7.8/work/gnutls-2.7.8' make: *** [all] Error 2 -- Arfrever Frehtes Taifersar Arahesis -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 198 bytes Desc: This is a digitally signed message part. URL: From simon at josefsson.org Sun May 3 23:33:08 2009 From: simon at josefsson.org (Simon Josefsson) Date: Sun, 03 May 2009 23:33:08 +0200 Subject: GnuTLS 2.7.8 fails to build In-Reply-To: <200905032251.31280.Arfrever.FTA@gmail.com> (Arfrever Frehtes Taifersar Arahesis's message of "Sun, 3 May 2009 22:51:30 +0200") References: <200905032251.31280.Arfrever.FTA@gmail.com> Message-ID: <87d4apdg8b.fsf@mocca.josefsson.org> Arfrever Frehtes Taifersar Arahesis writes: > ../libextra/.libs/libgnutls-extra.so: undefined reference to `_gnutls_compression_algorithms' > ../libextra/.libs/libgnutls-extra.so: undefined reference to `_gnutls_comp_algorithms_size' > ../libextra/.libs/libgnutls-extra.so: undefined reference to `_gnutls_lzo1x_decompress_safe' > ../libextra/.libs/libgnutls-extra.so: undefined reference to `_gnutls_lzo1x_1_compress' Thanks for testing! This only happens if you build --with-lzo. I've fixed it on master, it was a consequence of the new tighter symbol export list. But really, I think you should remove --with-lzo from your build. LZO compression is not standardized. Do you need it? Perhaps we should disable LZO more thoroughly before 2.8, there are some distributions that build gnutls with lzo enabled by default, and I don't think the reasons for enabling it are always well motivated. We could also just change --with-lzo to --with-experimental-lzo. People building --with-lzo will no longer get LZO. If they investigate why, they would end up reading the NEWS blurb where we can explain why users in general should not enable LZO. Thoughts? /Simon From tgc at jupiterrise.com Mon May 4 21:45:30 2009 From: tgc at jupiterrise.com (Tom G. Christensen) Date: Mon, 4 May 2009 21:45:30 +0200 Subject: GnuTLS 2.6.6/2.7.8 assumes AF_INET6 is available Message-ID: <20090504194530.GA30365@ares.tgcnet> I just attempted a build of GnuTLS 2.6.6 on Solaris 2.6 but it fails in src/serv.c because AF_INET6 is undefined. gcc -std=gnu99 -DHAVE_CONFIG_H -I. -I.. -I../includes -I../includes -I../lgl -I../lgl -I../gl -I../gl -I./cfg -I/usr/tgcware/include -I/usr/tgcware/include -g -O2 -Wno-pointer-sign -MT serv.o -MD -MP -MF .deps/serv.Tpo -c -o serv.o serv.c serv.c:783: warning: 'struct sockaddr_storage' declared inside parameter list serv.c:783: warning: its scope is only this definition or declaration, which is probably not what you want serv.c: In function 'get_port': serv.c:785: error: dereferencing pointer to incomplete type serv.c:787: error: 'AF_INET6' undeclared (first use in this function) serv.c:787: error: (Each undeclared identifier is reported only once serv.c:787: error: for each function it appears in.) serv.c:788: error: dereferencing pointer to incomplete type serv.c: In function 'main': serv.c:813: error: storage size of 'client_address' isn't known make[3]: *** [serv.o] Error 1 Grepping for AF_INET6 reveals the same issue in src/certtool-cfg.c I looked at 2.7.8 and there seems to have been no change in the situation there. The buildlog from 2.6.6 is available here: http://jupiterrise.com/tmp -tgc From simon at josefsson.org Tue May 5 12:01:00 2009 From: simon at josefsson.org (Simon Josefsson) Date: Tue, 05 May 2009 12:01:00 +0200 Subject: GnuTLS 2.6.6/2.7.8 assumes AF_INET6 is available In-Reply-To: <20090504194530.GA30365@ares.tgcnet> (Tom G. Christensen's message of "Mon, 4 May 2009 21:45:30 +0200") References: <20090504194530.GA30365@ares.tgcnet> Message-ID: <87skjjq36r.fsf@mocca.josefsson.org> "Tom G. Christensen" writes: > I just attempted a build of GnuTLS 2.6.6 on Solaris 2.6 but it fails > in src/serv.c because AF_INET6 is undefined. > > gcc -std=gnu99 -DHAVE_CONFIG_H -I. -I.. -I../includes -I../includes -I../lgl -I../lgl -I../gl -I../gl -I./cfg -I/usr/tgcware/include -I/usr/tgcware/include -g -O2 -Wno-pointer-sign -MT serv.o -MD -MP -MF .deps/serv.Tpo -c -o serv.o serv.c > serv.c:783: warning: 'struct sockaddr_storage' declared inside parameter list > serv.c:783: warning: its scope is only this definition or declaration, which is probably not what you want > serv.c: In function 'get_port': > serv.c:785: error: dereferencing pointer to incomplete type > serv.c:787: error: 'AF_INET6' undeclared (first use in this function) > serv.c:787: error: (Each undeclared identifier is reported only once > serv.c:787: error: for each function it appears in.) > serv.c:788: error: dereferencing pointer to incomplete type > serv.c: In function 'main': > serv.c:813: error: storage size of 'client_address' isn't known > make[3]: *** [serv.o] Error 1 > > Grepping for AF_INET6 reveals the same issue in src/certtool-cfg.c > > I looked at 2.7.8 and there seems to have been no change in the > situation there. > > The buildlog from 2.6.6 is available here: > http://jupiterrise.com/tmp Thanks for the report. For 2.6.6, can you try the patch below? If it works, we can port it to GnuTLS 2.7.x as well. /Simon diff --git a/src/certtool-cfg.c b/src/certtool-cfg.c index 796dc7e..6acf01c 100644 --- a/src/certtool-cfg.c +++ b/src/certtool-cfg.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004, 2005, 2006, 2007, 2008 Free Software Foundation + * Copyright (C) 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation * * This file is part of GNUTLS. * @@ -732,6 +732,7 @@ static int string_to_ip( unsigned char *ip, const char * str) int len = strlen( str); int ret; +#if HAVE_IPV6 if ( strchr(str, ':') != NULL || len > 16) { /* IPv6 */ ret = inet_pton(AF_INET6, str, ip); if (ret <= 0) { @@ -741,7 +742,9 @@ static int string_to_ip( unsigned char *ip, const char * str) /* To be done */ return 16; - } else { /* IPv4 */ + } else +#endif + { /* IPv4 */ ret = inet_pton(AF_INET, str, ip); if (ret <= 0) { fprintf(stderr, "Error in IPv4 address %s\n", str); diff --git a/src/serv.c b/src/serv.c index c138bff..a8e0910 100644 --- a/src/serv.c +++ b/src/serv.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004, 2006, 2007, 2008 Free Software Foundation + * Copyright (C) 2004, 2006, 2007, 2008, 2009 Free Software Foundation * Copyright (C) 2001,2002 Paul Sheer * Portions Copyright (C) 2002,2003 Nikos Mavrogiannopoulos * @@ -784,8 +784,10 @@ get_port (const struct sockaddr_storage *addr) { switch (addr->ss_family) { +#if HAVE_IPV6 case AF_INET6: return ntohs (((const struct sockaddr_in6 *) addr)->sin6_port); +#endif case AF_INET: return ntohs (((const struct sockaddr_in *) addr)->sin_port); } From simon at josefsson.org Tue May 5 17:29:52 2009 From: simon at josefsson.org (Simon Josefsson) Date: Tue, 05 May 2009 17:29:52 +0200 Subject: GnuTLS 2.6.6/2.7.8 assumes AF_INET6 is available In-Reply-To: <20090505152415.GA5223@ares.tgcnet> (Tom G. Christensen's message of "Tue, 5 May 2009 17:24:15 +0200") References: <20090504194530.GA30365@ares.tgcnet> <87skjjq36r.fsf@mocca.josefsson.org> <20090505152415.GA5223@ares.tgcnet> Message-ID: <87eiv3mutr.fsf@mocca.josefsson.org> "Tom G. Christensen" writes: > On Tue, May 05, 2009 at 12:01:00PM +0200, Simon Josefsson wrote: >> "Tom G. Christensen" writes: >> >> > I just attempted a build of GnuTLS 2.6.6 on Solaris 2.6 but it fails >> > in src/serv.c because AF_INET6 is undefined. >> > > >> Thanks for the report. For 2.6.6, can you try the patch below? If it >> works, we can port it to GnuTLS 2.7.x as well. >> > It works fine but it fails in src/serv.c on a related error in that > Solaris 2.6 does not define sockaddr_storage. > > gcc -std=gnu99 -DHAVE_CONFIG_H -I. -I.. -I../includes -I../includes -I../lgl -I../lgl -I../gl -I../gl -I./cfg -I/usr/tgcware/include -I/usr/tgcware/include -g -O2 -Wno-pointer-sign -MT serv.o -MD -MP -MF .deps/serv.Tpo -c -o serv.o serv.c > serv.c:783: warning: 'struct sockaddr_storage' declared inside parameter list > serv.c:783: warning: its scope is only this definition or declaration, which is probably not what you want > serv.c: In function 'get_port': > serv.c:785: error: dereferencing pointer to incomplete type > serv.c: In function 'main': > serv.c:815: error: storage size of 'client_address' isn't known > make[3]: *** [serv.o] Error 1 Interesting. Does adding this to the top of serv.c work: #ifndef HAVE_IPV6 # define sockaddr_storage sockaddr_in #endif /Simon From tgc at jupiterrise.com Tue May 5 17:24:15 2009 From: tgc at jupiterrise.com (Tom G. Christensen) Date: Tue, 5 May 2009 17:24:15 +0200 Subject: GnuTLS 2.6.6/2.7.8 assumes AF_INET6 is available In-Reply-To: <87skjjq36r.fsf@mocca.josefsson.org> References: <20090504194530.GA30365@ares.tgcnet> <87skjjq36r.fsf@mocca.josefsson.org> Message-ID: <20090505152415.GA5223@ares.tgcnet> On Tue, May 05, 2009 at 12:01:00PM +0200, Simon Josefsson wrote: > "Tom G. Christensen" writes: > > > I just attempted a build of GnuTLS 2.6.6 on Solaris 2.6 but it fails > > in src/serv.c because AF_INET6 is undefined. > > > Thanks for the report. For 2.6.6, can you try the patch below? If it > works, we can port it to GnuTLS 2.7.x as well. > It works fine but it fails in src/serv.c on a related error in that Solaris 2.6 does not define sockaddr_storage. gcc -std=gnu99 -DHAVE_CONFIG_H -I. -I.. -I../includes -I../includes -I../lgl -I../lgl -I../gl -I../gl -I./cfg -I/usr/tgcware/include -I/usr/tgcware/include -g -O2 -Wno-pointer-sign -MT serv.o -MD -MP -MF .deps/serv.Tpo -c -o serv.o serv.c serv.c:783: warning: 'struct sockaddr_storage' declared inside parameter list serv.c:783: warning: its scope is only this definition or declaration, which is probably not what you want serv.c: In function 'get_port': serv.c:785: error: dereferencing pointer to incomplete type serv.c: In function 'main': serv.c:815: error: storage size of 'client_address' isn't known make[3]: *** [serv.o] Error 1 -tgc From tgc at jupiterrise.com Tue May 5 19:26:37 2009 From: tgc at jupiterrise.com (Tom G. Christensen) Date: Tue, 5 May 2009 19:26:37 +0200 Subject: GnuTLS 2.6.6/2.7.8 assumes AF_INET6 is available In-Reply-To: <87eiv3mutr.fsf@mocca.josefsson.org> References: <20090504194530.GA30365@ares.tgcnet> <87skjjq36r.fsf@mocca.josefsson.org> <20090505152415.GA5223@ares.tgcnet> <87eiv3mutr.fsf@mocca.josefsson.org> Message-ID: <20090505172637.GA9699@ares.tgcnet> On Tue, May 05, 2009 at 05:29:52PM +0200, Simon Josefsson wrote: > "Tom G. Christensen" writes: > > > On Tue, May 05, 2009 at 12:01:00PM +0200, Simon Josefsson wrote: > >> "Tom G. Christensen" writes: > >> > >> > I just attempted a build of GnuTLS 2.6.6 on Solaris 2.6 but it fails > >> > in src/serv.c because AF_INET6 is undefined. > >> > > > > >> Thanks for the report. For 2.6.6, can you try the patch below? If it > >> works, we can port it to GnuTLS 2.7.x as well. > >> > > It works fine but it fails in src/serv.c on a related error in that > > Solaris 2.6 does not define sockaddr_storage. > > > > gcc -std=gnu99 -DHAVE_CONFIG_H -I. -I.. -I../includes -I../includes -I../lgl -I../lgl -I../gl -I../gl -I./cfg -I/usr/tgcware/include -I/usr/tgcware/include -g -O2 -Wno-pointer-sign -MT serv.o -MD -MP -MF .deps/serv.Tpo -c -o serv.o serv.c > > serv.c:783: warning: 'struct sockaddr_storage' declared inside parameter list > > serv.c:783: warning: its scope is only this definition or declaration, which is probably not what you want > > serv.c: In function 'get_port': > > serv.c:785: error: dereferencing pointer to incomplete type > > serv.c: In function 'main': > > serv.c:815: error: storage size of 'client_address' isn't known > > make[3]: *** [serv.o] Error 1 > > Interesting. Does adding this to the top of serv.c work: > > #ifndef HAVE_IPV6 > # define sockaddr_storage sockaddr_in > #endif > This causes another error: gcc -std=gnu99 -DHAVE_CONFIG_H -I. -I.. -I../includes -I../includes -I../lgl -I../lgl -I../gl -I../gl -I./cfg -I/usr/tgcware/include -I/usr/tgcware/include -g -O2 -Wno-pointer-sign -MT serv.o -MD -MP -MF .deps/serv.Tpo -c -o serv.o serv.c serv.c: In function 'get_port': serv.c:789: error: 'const struct sockaddr_in' has no member named 'ss_family' make[3]: *** [serv.o] Error 1 -tgc From Jeff.Cai at Sun.COM Wed May 6 09:46:59 2009 From: Jeff.Cai at Sun.COM (Jeff Cai) Date: Wed, 06 May 2009 15:46:59 +0800 Subject: Libtasn1 2.1 In-Reply-To: <87skk8xjyo.fsf@mocca.josefsson.org> References: <87skk8xjyo.fsf@mocca.josefsson.org> Message-ID: <1241596019.2110.15.camel@par> Simon, I also found that libtasn1.pc also licensed under GPLv3. It this true? A library of LGPL v2 lives with a .pc file with GPL v3? Jeff On Fri, 2009-04-17 at 01:22 +0200, Simon Josefsson wrote: > Libtasn1 is a standalone library written in C for manipulating ASN.1 > objects including DER/BER encoding and DER/BER decoding. Libtasn1 is > used by GnuTLS to manipulate X.509 objects and by Shishi to handle > Kerberos V5 packets. > > Version 2.1 (released 2009-04-17) > - Fix compilation failure on platforms that can't generate empty archives, > e.g., Mac OS X. Reported by David Reiser . > > Commercial support contracts for Libtasn1 are available, and they help > finance continued maintenance. Simon Josefsson Datakonsult AB, a > Stockholm based privately held company, is currently funding Libtasn1 > maintenance. We are always looking for interesting development > projects. See http://josefsson.org/ for more details. > > If you need help to use Libtasn1, or want to help others, you are > invited to join the help-gnutls mailing list, see: > . > > Homepage: > http://josefsson.org/libtasn1/ > > Here are the compressed sources (1.6MB): > ftp://ftp.gnu.org/gnu/gnutls/libtasn1-2.1.tar.gz > http://ftp.gnu.org/gnu/gnutls/libtasn1-2.1.tar.gz > > Here are GPG detached signatures using key 0xB565716F: > ftp://ftp.gnu.org/gnu/gnutls/libtasn1-2.1.tar.gz.sig > http://ftp.gnu.org/gnu/gnutls/libtasn1-2.1.tar.gz.sig > > The software is cryptographically signed by the author using an > OpenPGP key identified by the following information: > > pub 1280R/B565716F 2002-05-05 [expires: 2010-02-22] > Key fingerprint = 0424 D4EE 81A0 E3D1 19C6 F835 EDA2 1E94 B565 716F > uid Simon Josefsson > uid Simon Josefsson > sub 1280R/4D5D40AE 2002-05-05 [expires: 2009-04-21] > > The key is available from: > http://josefsson.org/key.txt > dns:b565716f.josefsson.org?TYPE=CERT > > Here are the SHA-1 and SHA-224 checksums: > > 884cc6609d7694a834a767b4b2975d6c5ab0d566 libtasn1-2.1.tar.gz > > 3e78a2af893cde0eda9820d46077bde6f1a6b083b3cc2ed90df2420d libtasn1-2.1.tar.gz > > Happy hacking, > Simon > _______________________________________________ > Gnutls-devel mailing list > Gnutls-devel at gnu.org > http://lists.gnu.org/mailman/listinfo/gnutls-devel From simon at josefsson.org Wed May 6 09:56:59 2009 From: simon at josefsson.org (Simon Josefsson) Date: Wed, 06 May 2009 09:56:59 +0200 Subject: Libtasn1 2.1 In-Reply-To: <1241596019.2110.15.camel@par> (Jeff Cai's message of "Wed, 06 May 2009 15:46:59 +0800") References: <87skk8xjyo.fsf@mocca.josefsson.org> <1241596019.2110.15.camel@par> Message-ID: <878wlall4k.fsf@mocca.josefsson.org> Jeff Cai writes: > Simon, > > I also found that libtasn1.pc also licensed under GPLv3. It this true? > > A library of LGPL v2 lives with a .pc file with GPL v3? Hi. I've re-licensed it to LGPLv2.1+, see: http://git.savannah.gnu.org/cgit/libtasn1.git/commit/?id=009b6c20ffc0164189691b47ad5f172518b97169 /Simon From simon at josefsson.org Wed May 6 10:01:20 2009 From: simon at josefsson.org (Simon Josefsson) Date: Wed, 06 May 2009 10:01:20 +0200 Subject: GnuTLS 2.6.6/2.7.8 assumes AF_INET6 is available In-Reply-To: <20090505172637.GA9699@ares.tgcnet> (Tom G. Christensen's message of "Tue, 5 May 2009 19:26:37 +0200") References: <20090504194530.GA30365@ares.tgcnet> <87skjjq36r.fsf@mocca.josefsson.org> <20090505152415.GA5223@ares.tgcnet> <87eiv3mutr.fsf@mocca.josefsson.org> <20090505172637.GA9699@ares.tgcnet> Message-ID: <874ovylkxb.fsf@mocca.josefsson.org> "Tom G. Christensen" writes: >> Interesting. Does adding this to the top of serv.c work: >> >> #ifndef HAVE_IPV6 >> # define sockaddr_storage sockaddr_in >> #endif >> > This causes another error: > > gcc -std=gnu99 -DHAVE_CONFIG_H -I. -I.. -I../includes -I../includes > -I../lgl -I../lgl -I../gl -I../gl -I./cfg -I/usr/tgcware/include > -I/usr/tgcware/include -g -O2 -Wno-pointer-sign -MT serv.o -MD -MP -MF > .deps/serv.Tpo -c -o serv.o serv.c > serv.c: In function 'get_port': > serv.c:789: error: 'const struct sockaddr_in' has no member named > 'ss_family' > make[3]: *** [serv.o] Error 1 Oops, try this instead: #ifndef HAVE_IPV6 # define sockaddr_storage sockaddr #endif There is another more complex work around mentioned at the end of: http://www.opengroup.org/onlinepubs/009695399/basedefs/sys/socket.h.html Maybe the above won't work, and then maybe we need something like that. /Simon From Jeff.Cai at Sun.COM Wed May 6 10:21:09 2009 From: Jeff.Cai at Sun.COM (Jeff Cai) Date: Wed, 06 May 2009 16:21:09 +0800 Subject: Libtasn1 2.1 In-Reply-To: <878wlall4k.fsf@mocca.josefsson.org> References: <87skk8xjyo.fsf@mocca.josefsson.org> <1241596019.2110.15.camel@par> <878wlall4k.fsf@mocca.josefsson.org> Message-ID: <1241598069.2110.18.camel@par> Thanks for your quick response. Do you think that Makefile.am under lib also needs to be licensed to LGPL? Jeff On Wed, 2009-05-06 at 09:56 +0200, Simon Josefsson wrote: > Jeff Cai writes: > > > Simon, > > > > I also found that libtasn1.pc also licensed under GPLv3. It this true? > > > > A library of LGPL v2 lives with a .pc file with GPL v3? > > Hi. I've re-licensed it to LGPLv2.1+, see: > > http://git.savannah.gnu.org/cgit/libtasn1.git/commit/?id=009b6c20ffc0164189691b47ad5f172518b97169 > > /Simon From simon at josefsson.org Wed May 6 10:31:23 2009 From: simon at josefsson.org (Simon Josefsson) Date: Wed, 06 May 2009 10:31:23 +0200 Subject: Libtasn1 2.1 In-Reply-To: <1241598069.2110.18.camel@par> (Jeff Cai's message of "Wed, 06 May 2009 16:21:09 +0800") References: <87skk8xjyo.fsf@mocca.josefsson.org> <1241596019.2110.15.camel@par> <878wlall4k.fsf@mocca.josefsson.org> <1241598069.2110.18.camel@par> Message-ID: <87zldqk4ys.fsf@mocca.josefsson.org> Jeff Cai writes: > Thanks for your quick response. > > Do you think that Makefile.am under lib also needs to be licensed to > LGPL? I don't think so, since it is not something that is include in the installed software. The GPLv3 Makefile.am is needed to build libtasn1, but so is other GPLv3 tools (e.g., bison) so I don't see the difference. /Simon From tgc at jupiterrise.com Wed May 6 19:34:28 2009 From: tgc at jupiterrise.com (Tom G. Christensen) Date: Wed, 6 May 2009 19:34:28 +0200 Subject: GnuTLS 2.6.6/2.7.8 assumes AF_INET6 is available In-Reply-To: <874ovylkxb.fsf@mocca.josefsson.org> References: <20090504194530.GA30365@ares.tgcnet> <87skjjq36r.fsf@mocca.josefsson.org> <20090505152415.GA5223@ares.tgcnet> <87eiv3mutr.fsf@mocca.josefsson.org> <20090505172637.GA9699@ares.tgcnet> <874ovylkxb.fsf@mocca.josefsson.org> Message-ID: <20090506173428.GA18697@ares.tgcnet> On Wed, May 06, 2009 at 10:01:20AM +0200, Simon Josefsson wrote: > "Tom G. Christensen" writes: > > >> Interesting. Does adding this to the top of serv.c work: > >> > >> #ifndef HAVE_IPV6 > >> # define sockaddr_storage sockaddr_in > >> #endif > >> > > This causes another error: > > > > gcc -std=gnu99 -DHAVE_CONFIG_H -I. -I.. -I../includes -I../includes > > -I../lgl -I../lgl -I../gl -I../gl -I./cfg -I/usr/tgcware/include > > -I/usr/tgcware/include -g -O2 -Wno-pointer-sign -MT serv.o -MD -MP -MF > > .deps/serv.Tpo -c -o serv.o serv.c > > serv.c: In function 'get_port': > > serv.c:789: error: 'const struct sockaddr_in' has no member named > > 'ss_family' > > make[3]: *** [serv.o] Error 1 > > Oops, try this instead: > > #ifndef HAVE_IPV6 > # define sockaddr_storage sockaddr > #endif > > There is another more complex work around mentioned at the end of: > > http://www.opengroup.org/onlinepubs/009695399/basedefs/sys/socket.h.html > > Maybe the above won't work, and then maybe we need something like that. > If I'm reading the referenced manpage correctly struct sockaddr is not expected to have an ss_family member so the above define will not work as is. Instead I replaced the reference to ss_family with sa_family and now it builds to completion. I also ran the testsuite and it passes all tests. The full log from running the testsuite is available at http://jupiterrise.com/tmp I noticed that the compiler complained when building some of the test programs: x509self.c: In function 'server_start': x509self.c:360: warning: passing argument 4 of 'setsockopt' from incompatible pointer type x509self.c: In function 'server': x509self.c:434: warning: implicit declaration of function 'bzero' x509self.c:434: warning: incompatible implicit declaration of built-in function 'bzero' -tgc From simon at josefsson.org Thu May 7 14:31:38 2009 From: simon at josefsson.org (Simon Josefsson) Date: Thu, 07 May 2009 14:31:38 +0200 Subject: GnuTLS 2.6.6/2.7.8 assumes AF_INET6 is available In-Reply-To: <20090506173428.GA18697@ares.tgcnet> (Tom G. Christensen's message of "Wed, 6 May 2009 19:34:28 +0200") References: <20090504194530.GA30365@ares.tgcnet> <87skjjq36r.fsf@mocca.josefsson.org> <20090505152415.GA5223@ares.tgcnet> <87eiv3mutr.fsf@mocca.josefsson.org> <20090505172637.GA9699@ares.tgcnet> <874ovylkxb.fsf@mocca.josefsson.org> <20090506173428.GA18697@ares.tgcnet> Message-ID: <87iqkdccwl.fsf@mocca.josefsson.org> "Tom G. Christensen" writes: >> Oops, try this instead: >> >> #ifndef HAVE_IPV6 >> # define sockaddr_storage sockaddr >> #endif >> >> There is another more complex work around mentioned at the end of: >> >> http://www.opengroup.org/onlinepubs/009695399/basedefs/sys/socket.h.html >> >> Maybe the above won't work, and then maybe we need something like that. >> > If I'm reading the referenced manpage correctly struct sockaddr is not > expected to have an ss_family member so the above define will not work > as is. > Instead I replaced the reference to ss_family with sa_family and now it > builds to completion. Ok, so adding the following to the top of src/serv.c works? #define sockaddr_storage sockaddr #define ss_family sa_family I've applied the earlier more obvious patch to GnuTLS 2.6.x and GnuTLS 2.7.x, but the sockaddr_storage part needs to be solved properly -- via gnulib. > I also ran the testsuite and it passes all tests. > The full log from running the testsuite is available at > http://jupiterrise.com/tmp Thanks! > I noticed that the compiler complained when building some of the test > programs: > x509self.c: In function 'server_start': > x509self.c:360: warning: passing argument 4 of 'setsockopt' from > incompatible pointer type > x509self.c: In function 'server': > x509self.c:434: warning: implicit declaration of function 'bzero' > x509self.c:434: warning: incompatible implicit declaration of built-in > function 'bzero' Thanks, both looks easily fixable. /Simon From tgc at jupiterrise.com Thu May 7 19:06:08 2009 From: tgc at jupiterrise.com (Tom G. Christensen) Date: Thu, 7 May 2009 19:06:08 +0200 Subject: GnuTLS 2.6.6/2.7.8 assumes AF_INET6 is available In-Reply-To: <87iqkdccwl.fsf@mocca.josefsson.org> References: <20090504194530.GA30365@ares.tgcnet> <87skjjq36r.fsf@mocca.josefsson.org> <20090505152415.GA5223@ares.tgcnet> <87eiv3mutr.fsf@mocca.josefsson.org> <20090505172637.GA9699@ares.tgcnet> <874ovylkxb.fsf@mocca.josefsson.org> <20090506173428.GA18697@ares.tgcnet> <87iqkdccwl.fsf@mocca.josefsson.org> Message-ID: <20090507170608.GB32501@ares.tgcnet> On Thu, May 07, 2009 at 02:31:38PM +0200, Simon Josefsson wrote: > "Tom G. Christensen" writes: > > Ok, so adding the following to the top of src/serv.c works? > > #define sockaddr_storage sockaddr > #define ss_family sa_family > Yes. > I've applied the earlier more obvious patch to GnuTLS 2.6.x and GnuTLS > 2.7.x, but the sockaddr_storage part needs to be solved properly -- via > gnulib. > That sounds fine. -tgc From rpremuz at hera.hr Thu May 7 16:53:03 2009 From: rpremuz at hera.hr (=?iso-8859-2?Q?Robert_Premu=BE?=) Date: Thu, 7 May 2009 16:53:03 +0200 Subject: typos Message-ID: <8FE2776E1E42344AA7A92E41FDDC803D76C2FC@dervdk.vred.local> Hi! On http://www.gnu.org/software/gnutls/openpgp.html the following should be corrected: exprerimental -> experimental and traditionaly -> traditionally Regards, -- Robert Premu? From simon at josefsson.org Fri May 8 12:54:16 2009 From: simon at josefsson.org (Simon Josefsson) Date: Fri, 08 May 2009 12:54:16 +0200 Subject: typos In-Reply-To: <8FE2776E1E42344AA7A92E41FDDC803D76C2FC@dervdk.vred.local> ("Robert =?iso-8859-2?Q?Premu=BE=22's?= message of "Thu, 7 May 2009 16:53:03 +0200") References: <8FE2776E1E42344AA7A92E41FDDC803D76C2FC@dervdk.vred.local> Message-ID: <874ovvyief.fsf@mocca.josefsson.org> Robert Premu? writes: > Hi! > > On http://www.gnu.org/software/gnutls/openpgp.html > the following should be corrected: > > exprerimental -> experimental > > and > > traditionaly -> traditionally Hi. Fixed, thank you! /Simon From simon at josefsson.org Mon May 11 16:55:53 2009 From: simon at josefsson.org (Simon Josefsson) Date: Mon, 11 May 2009 16:55:53 +0200 Subject: OpenBSD 4.4 gnutls-serv IPv6 Only Bug In-Reply-To: <20090430175944.14170.qmail@wiredyne.com> (Peter Hendrickson's message of "30 Apr 2009 17:59:44 -0000") References: <20090417061402.13985.qmail@wiredyne.com> <87ws9juxlm.fsf@mocca.josefsson.org> <20090417192332.GA5390@manyfish.co.uk> <87skjykkp3.fsf@mocca.josefsson.org> <20090430031525.3676.qmail@wiredyne.com> <87hc06bk8i.fsf@mocca.josefsson.org> <20090430175944.14170.qmail@wiredyne.com> Message-ID: <87fxfbd6yu.fsf@mocca.josefsson.org> Peter Hendrickson writes: > Simon Josefsson wrote: >> > When bind() is called in listen_socket(), it is given two "res->" >> > arguments, but it should be two "ptr->" arguments. Otherwise it >> > doesn't move to ptr->ai_next the second time through the for loop. >> >> Oops. Thanks, committed, please try the next daily snapshot. > > I'm not seeing the fix in the 20090430 snapshot. I assume it will > show up in tomorrow's snapshot. Please try again. /Simon From simon at josefsson.org Mon May 11 16:57:18 2009 From: simon at josefsson.org (Simon Josefsson) Date: Mon, 11 May 2009 16:57:18 +0200 Subject: OpenBSD 4.4 gnutls-serv IPv6 Only Bug In-Reply-To: <20090430135914.GA2034@manyfish.co.uk> (Joe Orton's message of "Thu, 30 Apr 2009 14:59:14 +0100") References: <20090417061402.13985.qmail@wiredyne.com> <87ws9juxlm.fsf@mocca.josefsson.org> <20090417192332.GA5390@manyfish.co.uk> <87skjykkp3.fsf@mocca.josefsson.org> <20090430135914.GA2034@manyfish.co.uk> Message-ID: <87bppzd6wh.fsf@mocca.josefsson.org> Joe Orton writes: > On Fri, Apr 24, 2009 at 07:47:36PM +0200, Simon Josefsson wrote: >> I'm not sure what you mean with v6-mapped IPv4 addresses, though. Is >> there anything extra the code needs to do? > > I meant v4-mapped IPv6 addresses, not sure the inverse exists ;) You get > different behaviour on different platforms w.r.t. attempts to bind to > ::/port and 0.0.0.0/port for a given port, depending on whether > v4-mapped IPv6 addresses are supported, and which order you attempt the > binds, etc. For a test app it's probably sufficient to simply ignore > bind() errors and hope for the best. Since we are changing how binding to sockets works, printing the error may provide more debug information in case someone runs into a problem. So I suggest we try the current code in GnuTLS 2.8.x and see if it handles IPv4 and/or IPv6 properly on various platforms. /Simon From simon at josefsson.org Mon May 11 18:53:22 2009 From: simon at josefsson.org (Simon Josefsson) Date: Mon, 11 May 2009 18:53:22 +0200 Subject: gdoc replacement (was: Re: Default record version) In-Reply-To: <49A8667D.6000608@gmx.net> (Martin von Gagern's message of "Fri, 27 Feb 2009 23:17:33 +0100") References: <4997EB28.8090100@gmx.net> <49985133.4010508@gnutls.org> <49986DCC.3030102@gmx.net> <499FE4A1.3000805@gnutls.org> <499FF411.40009@gmx.net> <49A00856.1040707@gmx.net> <49A01C69.2000708@gnutls.org> <49A02932.6060306@gmx.net> <49A1166C.6000703@gnutls.org> <87wsbh2j31.fsf@mocca.josefsson.org> <49A32436.60503@gmx.net> <87k57c8ekl.fsf@mocca.josefsson.org> <49A8667D.6000608@gmx.net> Message-ID: <87fxfbbmyl.fsf@mocca.josefsson.org> Hi Martin. I had finally time to look into this, and I believe I have solved it in git master. You can depend on the order things are substituted: they seems to be done in ASCII order. Your initial patch seems to be the correct thing. However, it changed the order of how the substitutions were applied. So rather than working around that problem using your patch (which caused other problems) I modified your initial regexp so that it does the same thing but is applied later. I really prefer to stop messing with the gdoc script. It should be rewritten cleanly and added to gnulib. Before doing that, it begs the question why we don't abandon the GTK-DOC style and use the doxygen format instead, which probably has conversion tools already. I'm not sure what the answer is. I think the GTK-DOC HTML manual and integration into the GNOME environment is a good thing. But maybe that can be achieved via doxygen anyway, through a conversion script? Changing to doxygen instead of gtk-doc will require source-code changes, too. What do people generally think of GTK-DOC vs Doxygen? /Simon From simon at josefsson.org Mon May 11 20:16:43 2009 From: simon at josefsson.org (Simon Josefsson) Date: Mon, 11 May 2009 20:16:43 +0200 Subject: GnuTLS 2.7.9 - release candidate 1 of GnuTLS 2.8.0 Message-ID: <8763g7bj3o.fsf@mocca.josefsson.org> To accelerate the GnuTLS 2.8.0 release, I've prepared a first release candidate. Please test this as if it were a new stable release. If I don't hear any complains about regressions compared to 2.6.x I will release this as 2.8.0 in two weeks. Here are the compressed sources: http://alpha.gnu.org/gnu/gnutls/gnutls-2.7.9.tar.bz2 (5.9MB) ftp://alpha.gnu.org/gnu/gnutls/gnutls-2.7.9.tar.bz2 Here is the OpenPGP signature: http://alpha.gnu.org/gnu/gnutls/gnutls-2.7.9.tar.bz2.sig ftp://alpha.gnu.org/gnu/gnutls/gnutls-2.7.9.tar.bz2.sig The Windows binary installer and PGP signature: http://josefsson.org/gnutls4win/gnutls-2.7.9.exe (15MB) http://josefsson.org/gnutls4win/gnutls-2.7.9.exe.sig A ZIP archive containing the Windows binaries: http://josefsson.org/gnutls4win/gnutls-2.7.9.zip (5.3MB) http://josefsson.org/gnutls4win/gnutls-2.7.9.zip.sig A Debian mingw32 package is also available: http://josefsson.org/gnutls4win/mingw32-gnutls_2.7.9-1_all.deb (4.8MB) Improving GnuTLS is costly, but you can help! We are looking for organizations that find GnuTLS useful and wish to contribute back. You can contribute by reporting bugs, improve the software, or donate money or equipment. Commercial support contracts for GnuTLS are available, and they help finance continued maintenance. Simon Josefsson Datakonsult AB, a Stockholm based privately held company, is currently funding GnuTLS maintenance. We are always looking for interesting development projects. See http://josefsson.org/ for more details. /Simon * Version 2.7.9 (released 2009-05-11) ** doc: Fix strings in man page of gnutls_priority_init. ** doc: Fix tables of error codes and supported algorithms. ** Fix build failure when cross-compiled using MinGW. ** Fix build failure when LZO is enabled. Reported by Arfrever Frehtes Taifersar Arahesis in . ** Fix build failure on systems without AF_INET6, e.g., Solaris 2.6. Reported by "Tom G. Christensen" in . ** Fix warnings in self-tests. ** API and ABI modifications: No changes since last version. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 419 bytes Desc: not available URL: From pdh at wiredyne.com Tue May 12 04:08:49 2009 From: pdh at wiredyne.com (Peter Hendrickson) Date: 12 May 2009 02:08:49 -0000 Subject: OpenBSD 4.4 gnutls-serv IPv6 Only Bug In-Reply-To: <87fxfbd6yu.fsf@mocca.josefsson.org> (message from Simon Josefsson on Mon, 11 May 2009 16:55:53 +0200) References: <20090417061402.13985.qmail@wiredyne.com> <87ws9juxlm.fsf@mocca.josefsson.org> <20090417192332.GA5390@manyfish.co.uk> <87skjykkp3.fsf@mocca.josefsson.org> <20090430031525.3676.qmail@wiredyne.com> <87hc06bk8i.fsf@mocca.josefsson.org> <20090430175944.14170.qmail@wiredyne.com> <87fxfbd6yu.fsf@mocca.josefsson.org> Message-ID: <20090512020849.4030.qmail@wiredyne.com> Simon Josefsson wrote: > Peter Hendrickson writes: > > Simon Josefsson wrote: > >> > When bind() is called in listen_socket(), it is given two "res->" > >> > arguments, but it should be two "ptr->" arguments. Otherwise it > >> > doesn't move to ptr->ai_next the second time through the for loop. > >> > >> Oops. Thanks, committed, please try the next daily snapshot. > > > > I'm not seeing the fix in the 20090430 snapshot. I assume it will > > show up in tomorrow's snapshot. I checked the gnutls-20090512.tar.gz snapshot and it looks good. Both IPv4 and IPv6 ports are opened and the server correctly reports what it is doing. I tested IPv4 connections and it works. Peter From simon at josefsson.org Tue May 12 08:09:22 2009 From: simon at josefsson.org (Simon Josefsson) Date: Tue, 12 May 2009 08:09:22 +0200 Subject: OpenBSD 4.4 gnutls-serv IPv6 Only Bug In-Reply-To: <20090512020849.4030.qmail@wiredyne.com> (Peter Hendrickson's message of "12 May 2009 02:08:49 -0000") References: <20090417061402.13985.qmail@wiredyne.com> <87ws9juxlm.fsf@mocca.josefsson.org> <20090417192332.GA5390@manyfish.co.uk> <87skjykkp3.fsf@mocca.josefsson.org> <20090430031525.3676.qmail@wiredyne.com> <87hc06bk8i.fsf@mocca.josefsson.org> <20090430175944.14170.qmail@wiredyne.com> <87fxfbd6yu.fsf@mocca.josefsson.org> <20090512020849.4030.qmail@wiredyne.com> Message-ID: <87vdo6am3x.fsf@mocca.josefsson.org> Peter Hendrickson writes: > Simon Josefsson wrote: >> Peter Hendrickson writes: >> > Simon Josefsson wrote: >> >> > When bind() is called in listen_socket(), it is given two "res->" >> >> > arguments, but it should be two "ptr->" arguments. Otherwise it >> >> > doesn't move to ptr->ai_next the second time through the for loop. >> >> >> >> Oops. Thanks, committed, please try the next daily snapshot. >> > >> > I'm not seeing the fix in the 20090430 snapshot. I assume it will >> > show up in tomorrow's snapshot. > > I checked the gnutls-20090512.tar.gz snapshot and it looks good. Both > IPv4 and IPv6 ports are opened and the server correctly reports what > it is doing. I tested IPv4 connections and it works. Great! Thanks for confirming. /Simon From nmav at gnutls.org Tue May 12 21:05:30 2009 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Tue, 12 May 2009 22:05:30 +0300 Subject: gdoc replacement In-Reply-To: <87fxfbbmyl.fsf@mocca.josefsson.org> References: <4997EB28.8090100@gmx.net> <49985133.4010508@gnutls.org> <49986DCC.3030102@gmx.net> <499FE4A1.3000805@gnutls.org> <499FF411.40009@gmx.net> <49A00856.1040707@gmx.net> <49A01C69.2000708@gnutls.org> <49A02932.6060306@gmx.net> <49A1166C.6000703@gnutls.org> <87wsbh2j31.fsf@mocca.josefsson.org> <49A32436.60503@gmx.net> <87k57c8ekl.fsf@mocca.josefsson.org> <49A8667D.6000608@gmx.net> <87fxfbbmyl.fsf@mocca.josefsson.org> Message-ID: <4A09C87A.6070802@gnutls.org> Simon Josefsson wrote: > Hi Martin. I had finally time to look into this, and I believe I have > solved it in git master. You can depend on the order things are > substituted: they seems to be done in ASCII order. Your initial patch > seems to be the correct thing. However, it changed the order of how the > substitutions were applied. So rather than working around that problem > using your patch (which caused other problems) I modified your initial > regexp so that it does the same thing but is applied later. > > I really prefer to stop messing with the gdoc script. It should be > rewritten cleanly and added to gnulib. Before doing that, it begs the > question why we don't abandon the GTK-DOC style and use the doxygen > format instead, which probably has conversion tools already. I'm not > sure what the answer is. I think the GTK-DOC HTML manual and > integration into the GNOME environment is a good thing. But maybe that > can be achieved via doxygen anyway, through a conversion script? > Changing to doxygen instead of gtk-doc will require source-code changes, > too. > What do people generally think of GTK-DOC vs Doxygen? I used doxygen some time after I messed up with gdoc and I liked the output. The only reason I didn't port gnutls to it was lack of time :) best regards, Nikos From andrew.w.nosenko at gmail.com Wed May 13 11:13:52 2009 From: andrew.w.nosenko at gmail.com (Andrew W. Nosenko) Date: Wed, 13 May 2009 12:13:52 +0300 Subject: gdoc replacement In-Reply-To: <4A09C87A.6070802@gnutls.org> References: <4997EB28.8090100@gmx.net> <49A01C69.2000708@gnutls.org> <49A02932.6060306@gmx.net> <49A1166C.6000703@gnutls.org> <87wsbh2j31.fsf@mocca.josefsson.org> <49A32436.60503@gmx.net> <87k57c8ekl.fsf@mocca.josefsson.org> <49A8667D.6000608@gmx.net> <87fxfbbmyl.fsf@mocca.josefsson.org> <4A09C87A.6070802@gnutls.org> Message-ID: <6161f3180905130213g575af903yaa39ceb76bea18e6@mail.gmail.com> On Tue, May 12, 2009 at 10:05 PM, Nikos Mavrogiannopoulos wrote: > Simon Josefsson wrote: >> Hi Martin. ?I had finally time to look into this, and I believe I have >> solved it in git master. ?You can depend on the order things are >> substituted: they seems to be done in ASCII order. ?Your initial patch >> seems to be the correct thing. ?However, it changed the order of how the >> substitutions were applied. ?So rather than working around that problem >> using your patch (which caused other problems) I modified your initial >> regexp so that it does the same thing but is applied later. >> >> I really prefer to stop messing with the gdoc script. ?It should be >> rewritten cleanly and added to gnulib. ?Before doing that, it begs the >> question why we don't abandon the GTK-DOC style and use the doxygen >> format instead, which probably has conversion tools already. ?I'm not >> sure what the answer is. ?I think the GTK-DOC HTML manual and >> integration into the GNOME environment is a good thing. ?But maybe that >> can be achieved via doxygen anyway, through a conversion script? >> Changing to doxygen instead of gtk-doc will require source-code changes, >> too. >> What do people generally think of GTK-DOC vs Doxygen? > > I used doxygen some time after I messed up with gdoc and I liked the > output. The only reason I didn't port gnutls to it was lack of time :) > The most important disadvantage of doxygen, from my personal point of view, and the main reason why I stoped to use it is its inability to integrate with devhelp. -- Andrew W. Nosenko From simon at josefsson.org Wed May 13 19:31:11 2009 From: simon at josefsson.org (Simon Josefsson) Date: Wed, 13 May 2009 19:31:11 +0200 Subject: GnuTLS 2.7.10 - release candidate 2 of GnuTLS 2.8.0 Message-ID: <87octwkizk.fsf@mocca.josefsson.org> The GnuTLS 2.8.0 release is getting closer; no major problem has been feedback in 2.7.9 so far. This is a second release candidate. Please test this as if it were the new stable release. If I don't hear any complains about regressions compared to 2.6.x I will release this as 2.8.0 within two weeks. Here are the compressed sources: http://alpha.gnu.org/gnu/gnutls/gnutls-2.7.10.tar.bz2 (5.9MB) ftp://alpha.gnu.org/gnu/gnutls/gnutls-2.7.10.tar.bz2 Here is the OpenPGP signature: http://alpha.gnu.org/gnu/gnutls/gnutls-2.7.10.tar.bz2.sig ftp://alpha.gnu.org/gnu/gnutls/gnutls-2.7.10.tar.bz2.sig The Windows binary installer and PGP signature: http://josefsson.org/gnutls4win/gnutls-2.7.10.exe (15MB) http://josefsson.org/gnutls4win/gnutls-2.7.10.exe.sig A ZIP archive containing the Windows binaries: http://josefsson.org/gnutls4win/gnutls-2.7.10.zip (5.3MB) http://josefsson.org/gnutls4win/gnutls-2.7.10.zip.sig A Debian mingw32 package is also available: http://josefsson.org/gnutls4win/mingw32-gnutls_2.7.10-1_all.deb (4.8MB) Improving GnuTLS is costly, but you can help! We are looking for organizations that find GnuTLS useful and wish to contribute back. You can contribute by reporting bugs, improve the software, or donate money or equipment. Commercial support contracts for GnuTLS are available, and they help finance continued maintenance. Simon Josefsson Datakonsult AB, a Stockholm based privately held company, is currently funding GnuTLS maintenance. We are always looking for interesting development projects. See http://josefsson.org/ for more details. /Simon * Version 2.7.10 (released 2009-05-13) ** examples: Now released into the public domain. This makes the license of the example code compatible with more licenses, including the (L)GPL. ** minitasn1: Internal copy updated to libtasn1 v2.1. GnuTLS should work fine with libtasn1 v1.x and that is still supported. ** libgnutls: Fix crash in signature verification The fix for the CVE-2009-1415 problem wasn't merged completely. ** doc: Fixes for GTK-DOC output. ** API and ABI modifications: No changes since last version. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 419 bytes Desc: not available URL: From tgc at jupiterrise.com Wed May 13 21:05:38 2009 From: tgc at jupiterrise.com (Tom G. Christensen) Date: Wed, 13 May 2009 21:05:38 +0200 Subject: GnuTLS 2.7.9 fails to build on Solaris 2.6 Message-ID: <20090513190538.GA18880@ares.tgcnet> I've got a new build error on Solaris 2.6: make[4]: Entering directory `/export/home/tgc/buildpkg/gnutls/src/gnutls-2.7.9/lib/minitasn1' /bin/bash ../libtool --tag=CC --mode=compile gcc -DHAVE_CONFIG_H -I. -I.. -I../lib -I../lgl -I../lgl -I/usr/tgcware/include -g -O2 -MT decoding.lo -MD -MP -MF .deps/decoding.Tpo -c -o decoding.lo decoding.c libtool: compile: gcc -DHAVE_CONFIG_H -I. -I.. -I../lib -I../lgl -I../lgl -I/usr/tgcware/include -g -O2 -MT decoding.lo -MD -MP -MF .deps/decoding.Tpo -c decoding.c -fPIC -DPIC -o .libs/decoding.o In file included from decoding.c:29: ./int.h:34:20: error: stdint.h: No such file or directory make[4]: *** [decoding.lo] Error 1 make[4]: Leaving directory `/export/home/tgc/buildpkg/gnutls/src/gnutls-2.7.9/lib/minitasn1' Full log at http://jupiterrise.com/tmp/gnutls-2.7.9-sunos56s-gcc433-build.log -tgc From ankush.vaid at tcs.com Wed May 13 17:49:17 2009 From: ankush.vaid at tcs.com (Ankush Vaid) Date: Wed, 13 May 2009 21:19:17 +0530 Subject: About gnutls windows handshake problem Message-ID: Hi, This is regarding handshaking failure on qualcomm mobile 6280 using security, after digging into the problem I come to know about that error is coming at finished message which is found of size 208 bytes. There is link given below which suggest that some mobiles don't support non minimal record padding. http://www.gnu.org/software/gnutls/manual/html_node/On-Record-Padding.html If this the case probably there is a workaround in gnutls library we are using to resolve/fix this issue. Thanks and Regards Ankush Vaid Tata Consultancy Services TCS Towers, 249 D&E Udyog Vihar, Phase IV, Gurgaon Gurgaon - 122001,Haryana India Cell:- 09718290491 Mailto: ankush.vaid at tcs.com Website: http://www.tcs.com ____________________________________________ Experience certainty. IT Services Business Solutions Outsourcing ____________________________________________ =====-----=====-----===== Notice: The information contained in this e-mail message and/or attachments to it may contain confidential or privileged information. If you are not the intended recipient, any dissemination, use, review, distribution, printing or copying of the information contained in this e-mail message and/or attachments to it are strictly prohibited. If you have received this communication in error, please notify us by reply e-mail or telephone and immediately and permanently delete the message and any attachments. Thank you From nmav at gnutls.org Thu May 14 06:23:45 2009 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Thu, 14 May 2009 07:23:45 +0300 Subject: About gnutls windows handshake problem In-Reply-To: References: Message-ID: <4A0B9CD1.50000@gnutls.org> Ankush Vaid wrote: > Hi, > > This is regarding handshaking failure on qualcomm mobile 6280 using > security, after digging into the problem I come to know about that error is > coming at finished message which is found of size 208 bytes. > > There is link given below which suggest that some mobiles don't support non > minimal record padding. > > http://www.gnu.org/software/gnutls/manual/html_node/On-Record-Padding.html > > If this the case probably there is a workaround in gnutls library we are > using to resolve/fix this issue. Hi, I do not understand what is the question here. If you ask for a workaround this is discussed in the page you refer to (the %COMPAT priority string). regards, Nikos From simon at josefsson.org Thu May 14 13:28:27 2009 From: simon at josefsson.org (Simon Josefsson) Date: Thu, 14 May 2009 13:28:27 +0200 Subject: draft release announcement text Message-ID: <87ab5fhqjo.fsf@mocca.josefsson.org> I'm preparing the release announcement for 2.8.0. Comments? /Simon We are proud to announce a new stable GnuTLS release: Version 2.8.0. GnuTLS is a modern C library that implements the standard network security protocol Transport Layer Security (TLS), for use by network applications. GnuTLS is developed for GNU/Linux, but works on many Unix-like systems and comes with a binary installer for Windows. The GnuTLS library is distributed under the terms of the GNU Lesser General Public License version 2.1 (or later). The "extra" GnuTLS library (which contains TLS/IA support, LZO compression and Libgcrypt FIPS-mode handler), the OpenSSL compatibility library, the self tests and the command line tools are all distributed under the GNU General Public License version 3.0 (or later). The manual is distributed under the GNU Free Documentation License version 1.3 (or later). The project page of the library is available at: http://www.gnu.org/software/gnutls/ What's New ========== Version 2.8.0 is the first stable release on the 2.8.x branch and is the result of 7 months of work on the experimental 2.7.x branch. ** lib: Linker version scripts reduces number of exported symbols. The linker version script now lists all exported ABIs explicitly, to avoid accidentally exporting unintended functions. Compared to before, most symbols beginning with _gnutls* are no longer exported. These functions have never been intended for use by applications, and there were no prototypes for these function in the public header files. Thus we believe it is possible to do this without incrementing the library ABI version which normally has to be done when removing an interface. ** lib: Limit exported symbols on systems without LD linker scripts. Before all symbols were exported. Now we limit the exported symbols to (for libgnutls and libgnutls-extra) gnutls* and (for libgnutls) _gnutls*. This is a superset of the actual supported ABI, but still an improvement compared to before. This is implemented using Libtool -export-symbols-regex. It is more portable than linker version scripts. ** libgnutls: Fix namespace issue with version symbols. The symbols LIBGNUTLS_VERSION, LIBGNUTLS_VERSION_MAJOR, LIBGNUTLS_VERSION_MINOR, LIBGNUTLS_VERSION_PATCH, and LIBGNUTLS_VERSION_NUMBER were renamed to GNUTLS_VERSION_NUMBER, GNUTLS_VERSION_MAJOR, GNUTLS_VERSION_MINOR, GNUTLS_VERSION_PATCH, and GNUTLS_VERSION_NUMBER respectively. The old symbols will continue to work but are deprecated. ** libgnutls: Add functions to verify a hash against a certificate. gnutls_x509_crt_verify_hash: ADDED gnutls_x509_crt_get_verify_algorithm: ADDED ** gnutls-serv: Listen on all interfaces, including both IPv4 and IPv6. ** i18n: The GnuTLS gettext domain is now 'libgnutls' instead of 'gnutls'. It is currently only used by the core library. This will enable a new domain 'gnutls' for translations of the command line tools. ** certtool: Query for multiple dnsName subjectAltName in interactive mode. This applies both to generating certificates and certificate requests. ** gnutls-cli: No longer accepts V1 CAs by default during X.509 chain verify. Use --priority NORMAL:%VERIFY_ALLOW_X509_V1_CA_CRT to permit V1 CAs to be used for chain verification. ** gnutls-serv: No longer disable MAC padding by default. Use --priority NORMAL:%COMPAT to disable MAC padding again. ** gnutls-cli: Certificate information output format changed. The tool now uses libgnutls' functions to print certificate information. This avoids code duplication. ** libgnutls: New priority strings %VERIFY_ALLOW_SIGN_RSA_MD5 ** and %VERIFY_ALLOW_X509_V1_CA_CRT. They can be used to override the default certificate chain validation behaviour. ** libgnutls: gnutls_x509_crt_print prints signature algorithm in oneline mode. ** libgnutls: gnutls_openpgp_crt_print supports oneline mode. ** libgnutls: gnutls_handshake when sending client hello during a rehandshake, will not offer a version number larger than the current. ** libgnutls: New interface to get key id for certificate requests. gnutls_x509_crq_get_key_id: ADDED. ** libgnutls: gnutls_x509_crq_print will now also print public key id. ** certtool: --verify-chain now prints results of using library verification. Earlier, certtool --verify-chain used its own validation algorithm which wasn't guaranteed to give the same result as the libgnutls internal validation algorithm. Now this command print a new final line with header 'Chain verification output:' that contains the result from using the internal verification algorithm on the same chain. ** libgnutls: Libgcrypt initialization changed. If libgcrypt has not already been initialized, GnuTLS will now initialize libgcrypt with disabled secure memory. Initialize libgcrypt explicitly in your application if you want to enable secure memory. Before GnuTLS initialized libgcrypt to use GnuTLS's memory allocation functions, which doesn't use secure memory, so there is no real change in behaviour. ** libgnutls: Small byte reads via gnutls_record_recv() optimized. ** gnutls-cli: Return non-zero exit code on error conditions. ** gnutls-cli: Corrected bug which caused a rehandshake request to be ignored. ** certtool: allow setting arbitrary key purpose object identifiers. ** libgnutls: Change detection of when to use a linker version script. Use --enable-ld-version-script or --disable-ld-version-script to override auto-detection logic. ** Fix warnings and build GnuTLS with more warnings enabled. ** New API to set X.509 credentials from PKCS#12 memory structure. gnutls_certificate_set_x509_simple_pkcs12_mem: ADDED ** Old libgnutls.m4 and libgnutls-config scripts removed. Please use pkg-config instead. ** libgnutls: Added functions to handle CRL extensions. gnutls_x509_crl_get_authority_key_id: ADDED gnutls_x509_crl_get_number: ADDED gnutls_x509_crl_get_extension_oid: ADDED gnutls_x509_crl_get_extension_info: ADDED gnutls_x509_crl_get_extension_data: ADDED gnutls_x509_crl_set_authority_key_id: ADDED gnutls_x509_crl_set_number: ADDED ** libgnutls: Added functions to handle X.509 extensions in Certificate Requests. gnutls_x509_crq_get_key_rsa_raw: ADDED gnutls_x509_crq_get_attribute_info: ADDED gnutls_x509_crq_get_attribute_data: ADDED gnutls_x509_crq_get_extension_info: ADDED gnutls_x509_crq_get_extension_data: ADDED gnutls_x509_crq_get_key_usage: ADDED gnutls_x509_crq_get_basic_constraints: ADDED gnutls_x509_crq_get_subject_alt_name: ADDED gnutls_x509_crq_get_subject_alt_othername_oid: ADDED gnutls_x509_crq_get_extension_by_oid: ADDED gnutls_x509_crq_set_subject_alt_name: ADDED gnutls_x509_crq_set_basic_constraints: ADDED gnutls_x509_crq_set_key_usage: ADDED gnutls_x509_crq_get_key_purpose_oid: ADDED gnutls_x509_crq_set_key_purpose_oid: ADDED gnutls_x509_crq_print: ADDED gnutls_x509_crt_set_crq_extensions: ADDED ** certtool: Print and set CRL and CRQ extensions. ** minitasn1: Internal copy updated to libtasn1 v2.1. GnuTLS should work fine with libtasn1 v1.x and that is still supported. ** examples: Now released into the public domain. This makes the license of the example code compatible with more licenses, including the (L)GPL. ** The Texinfo and GTK-DOC manuals were improved. ** Several self-tests were added and others improved. API/ABI changes in GnuTLS 2.8 ============================= No functions have been removed or modified. The library should be fully backwards compatible on both the source and binary level. Although the same patch has also been applied to the 2.6.x branch, we'd like to remind you functions have been changed so that X.509 chain verification now also checks activation/expiration times on certificates. The affected functions are: gnutls_x509_crt_list_verify: CHANGED, checks activation/expiration times. gnutls_certificate_verify_peers: Likewise. gnutls_certificate_verify_peers2: Likewise. GNUTLS_CERT_NOT_ACTIVATED: ADDED. GNUTLS_CERT_EXPIRED: ADDED. GNUTLS_VERIFY_DISABLE_TIME_CHECKS: ADDED. The following functions or symbols have been added to the library or header files: gnutls_certificate_set_x509_simple_pkcs12_mem: ADDED gnutls_x509_crt_verify_hash: ADDED gnutls_x509_crt_get_verify_algorithm: ADDED gnutls_x509_crl_get_authority_key_id: ADDED gnutls_x509_crl_get_number: ADDED gnutls_x509_crl_get_extension_oid: ADDED gnutls_x509_crl_get_extension_info: ADDED gnutls_x509_crl_get_extension_data: ADDED gnutls_x509_crl_set_authority_key_id: ADDED gnutls_x509_crl_set_number: ADDED gnutls_x509_crq_get_key_rsa_raw: ADDED gnutls_x509_crq_get_attribute_info: ADDED gnutls_x509_crq_get_attribute_data: ADDED gnutls_x509_crq_get_extension_info: ADDED gnutls_x509_crq_get_extension_data: ADDED gnutls_x509_crq_get_key_usage: ADDED gnutls_x509_crq_get_basic_constraints: ADDED gnutls_x509_crq_get_subject_alt_name: ADDED gnutls_x509_crq_get_subject_alt_othername_oid: ADDED gnutls_x509_crq_get_extension_by_oid: ADDED gnutls_x509_crq_set_subject_alt_name: ADDED gnutls_x509_crq_set_basic_constraints: ADDED gnutls_x509_crq_set_key_usage: ADDED gnutls_x509_crq_get_key_purpose_oid: ADDED gnutls_x509_crq_set_key_purpose_oid: ADDED gnutls_x509_crq_print: ADDED gnutls_x509_crt_set_crq_extensions: ADDED GNUTLS_VERSION: ADDED, replaces LIBGNUTLS_VERSION. GNUTLS_VERSION_MAJOR: ADDED, replaces LIBGNUTLS_VERSION_MAJOR. GNUTLS_VERSION_MINOR: ADDED, replaces LIBGNUTLS_VERSION_MINOR. GNUTLS_VERSION_PATCH: ADDED, replaces LIBGNUTLS_VERSION_PATCH. GNUTLS_VERSION_NUMBER: ADDED, replaces LIBGNUTLS_VERSION_NUMBER. The following symbols have been deprecated: LIBGNUTLS_VERSION: DEPRECATED. LIBGNUTLS_VERSION_MAJOR: DEPRECATED. LIBGNUTLS_VERSION_MINOR: DEPRECATED. LIBGNUTLS_VERSION_PATCH: DEPRECATED. LIBGNUTLS_VERSION_NUMBER: DEPRECATED. Getting the Software ==================== GnuTLS may be downloaded from one of the mirror sites or direct from . The list of mirrors can be found at . Here are the BZIP2 compressed sources (4.9MB): ftp://ftp.gnu.org/gnu/gnutls/gnutls-2.8.0.tar.bz2 http://ftp.gnu.org/gnu/gnutls/gnutls-2.8.0.tar.bz2 Here are OpenPGP detached signatures signed using key 0xB565716F: ftp://ftp.gnu.org/gnu/gnutls/gnutls-2.8.0.tar.bz2.sig http://ftp.gnu.org/gnu/gnutls/gnutls-2.8.0.tar.bz2.sig Note, that we don't distribute gzip compressed tarballs. In order to check that the version of GnuTLS which you are going to install is an original and unmodified one, you should verify the OpenPGP signature. You can use the command gpg --verify gnutls-2.8.0.tar.bz2.sig This checks whether the signature file matches the source file. You should see a message indicating that the signature is good and made by that signing key. Make sure that you have the right key, either by checking the fingerprint of that key with other sources or by checking that the key has been signed by a trustworthy other key. The signing key can be identified with the following information: pub 1280R/B565716F 2002-05-05 [expires: 2010-04-21] Key fingerprint = 0424 D4EE 81A0 E3D1 19C6 F835 EDA2 1E94 B565 716F uid Simon Josefsson uid Simon Josefsson sub 1280R/4D5D40AE 2002-05-05 [expires: 2010-04-21] The key is available from: http://josefsson.org/key.txt dns:b565716f.josefsson.org?TYPE=CERT Alternatively, after successfully verifying the OpenPGP signature of this announcement, you could verify that the files match the following checksum values. The values are for SHA-1 and SHA-224 respectively: d1693e611aa7270f14bc500bd56ef529ffcb1703 gnutls-2.6.6.tar.bz2 5e5bc180293b0854b7e8c27a5eb55f172579b346fba61b2d4b0b0c61 gnutls-2.6.6.tar.bz2 Documentation ============= The manual is available online at: http://www.gnu.org/software/gnutls/documentation.html In particular the following formats are available: HTML: http://www.gnu.org/software/gnutls/manual/html_node/index.html PDF: http://www.gnu.org/software/gnutls/manual/gnutls.pdf For developers there is a GnuTLS API reference manual formatted using the GTK-DOC tools: http://www.gnu.org/software/gnutls/reference/gnutls-gnutls.html Community ========= If you need help to use GnuTLS, or want to help others, you are invited to join our help-gnutls mailing list, see: http://lists.gnu.org/mailman/listinfo/help-gnutls If you wish to participate in the development of GnuTLS, you are invited to join our gnutls-dev mailing list, see: http://lists.gnu.org/mailman/listinfo/gnutls-devel Windows installer ================= GnuTLS has been ported to the Windows operating system, and a binary installer is available. The installer contains DLLs for application development, manuals, examples, and source code. The installer uses libgpg-error v1.7, libgcrypt v1.4.4, libtasn1 v2.1, and GnuTLS v2.8.0. For more information about GnuTLS for Windows: http://josefsson.org/gnutls4win/ The Windows binary installer and PGP signature: http://josefsson.org/gnutls4win/gnutls-2.8.0.exe (15MB) http://josefsson.org/gnutls4win/gnutls-2.8.0.exe.sig The checksum values for SHA-1 and SHA-224 are: 8a86a846cbdc16b6c21442c706854a5c02416336 gnutls-2.6.6.exe 555afa0c1524d8ad05a12384e1bd1b09da720b03058f0089dc812cfc gnutls-2.6.6.exe A ZIP archive containing the Windows binaries: http://josefsson.org/gnutls4win/gnutls-2.8.0.zip (5.3MB) http://josefsson.org/gnutls4win/gnutls-2.8.0.zip.sig A Debian mingw32 package is also available: http://josefsson.org/gnutls4win/mingw32-gnutls_2.7.10-1_all.deb (4.8MB) The checksum values for SHA-1 and SHA-224 are: b141f97c196d408bf12b8a58ede6bda8fb291be6 mingw32-gnutls_2.6.6-1_all.deb 541e2fca8248460b419e2224a138b292020de1724c86c77b9478da93 mingw32-gnutls_2.6.6-1_all.deb Internationalization ==================== The GnuTLS library messages have been translated into Czech, Dutch, French, German, Malay, Polish, Swedish, and Vietnamese. We welcome the addition of more translations. Support ======= Improving GnuTLS is costly, but you can help! We are looking for organizations that find GnuTLS useful and wish to contribute back. You can contribute by reporting bugs, improve the software, or donate money or equipment. Commercial support contracts for GnuTLS are available, and they help finance continued maintenance. Simon Josefsson Datakonsult AB, a Stockholm based privately held company, is currently funding GnuTLS maintenance. We are always looking for interesting development projects. See http://josefsson.org/ for more details. The GnuTLS service directory is available at: http://www.gnu.org/software/gnutls/commercial.html Happy Hacking, Simon From simon at josefsson.org Thu May 14 13:34:39 2009 From: simon at josefsson.org (Simon Josefsson) Date: Thu, 14 May 2009 13:34:39 +0200 Subject: GnuTLS 2.7.9 fails to build on Solaris 2.6 In-Reply-To: <20090513190538.GA18880@ares.tgcnet> (Tom G. Christensen's message of "Wed, 13 May 2009 21:05:38 +0200") References: <20090513190538.GA18880@ares.tgcnet> Message-ID: <8763g3hq9c.fsf@mocca.josefsson.org> "Tom G. Christensen" writes: > I've got a new build error on Solaris 2.6: Thanks, should be fixed in git master now. Please try a daily snapshot, a new one should be ready in a few hours. /Simon From simon at josefsson.org Thu May 14 15:15:53 2009 From: simon at josefsson.org (Simon Josefsson) Date: Thu, 14 May 2009 15:15:53 +0200 Subject: How to send in build logs In-Reply-To: <20090513190538.GA18880@ares.tgcnet> (Tom G. Christensen's message of "Wed, 13 May 2009 21:05:38 +0200") References: <20090513190538.GA18880@ares.tgcnet> Message-ID: <87tz3ng706.fsf@mocca.josefsson.org> "Tom G. Christensen" writes: > Full log at > http://jupiterrise.com/tmp/gnutls-2.7.9-sunos56s-gcc433-build.log Btw, if you e-mail that log to gnutls at autobuild.josefsson.org it will end up on this page: http://autobuild.josefsson.org/gnutls/ I regularly monitor that page for errors. So if you want to make sure GnuTLS remains buildable on Solaris 2.6, and don't want to manually build it every time, consider setting up a script to download and build the daily snapshots, and e-mail the result. I'm using this script on some systems: http://git.josefsson.org/cgi-bin/gitweb.cgi?p=tools.git;a=blob;f=scripts/daily-build-simple;hb=HEAD Of course this applies to anyone that wants to help improving build quality of GnuTLS for any platform. /Simon From simon at josefsson.org Thu May 14 15:10:35 2009 From: simon at josefsson.org (Simon Josefsson) Date: Thu, 14 May 2009 15:10:35 +0200 Subject: About gnutls windows handshake problem In-Reply-To: <4A0B9CD1.50000@gnutls.org> (Nikos Mavrogiannopoulos's message of "Thu, 14 May 2009 07:23:45 +0300") References: <4A0B9CD1.50000@gnutls.org> Message-ID: <871vqrhltg.fsf@mocca.josefsson.org> Nikos Mavrogiannopoulos writes: > Ankush Vaid wrote: >> Hi, >> >> This is regarding handshaking failure on qualcomm mobile 6280 using >> security, after digging into the problem I come to know about that error is >> coming at finished message which is found of size 208 bytes. >> >> There is link given below which suggest that some mobiles don't support non >> minimal record padding. >> >> http://www.gnu.org/software/gnutls/manual/html_node/On-Record-Padding.html >> >> If this the case probably there is a workaround in gnutls library we are >> using to resolve/fix this issue. > > Hi, > I do not understand what is the question here. If you ask for a > workaround this is discussed in the page you refer to (the %COMPAT > priority string). Indeed %COMPAT seems like the answer. However, isn't that keyword confusing? How about adding %DISABLE_MAC_PADDING? Today those two keywords would do the same, but if we encounter other compatibility hacks, %COMPAT would also enable them, but %DISABLE_MAC_PADDING would only disable MAC padding. It seems better to introduce this today rather than when the next compatibility hack is introduced. /Simon From ametzler at downhill.at.eu.org Thu May 14 19:47:29 2009 From: ametzler at downhill.at.eu.org (Andreas Metzler) Date: Thu, 14 May 2009 19:47:29 +0200 Subject: GnuTLS 2.7.10 - release candidate 2 of GnuTLS 2.8.0 In-Reply-To: <87octwkizk.fsf@mocca.josefsson.org> References: <87octwkizk.fsf@mocca.josefsson.org> Message-ID: <20090514174729.GA3585@downhill.g.la> On 2009-05-13 Simon Josefsson wrote: > The GnuTLS 2.8.0 release is getting closer; no major problem has been > feedback in 2.7.9 so far. This is a second release candidate. Please > test this as if it were the new stable release. If I don't hear any > complains about regressions compared to 2.6.x I will release this as > 2.8.0 within two weeks. It fails to configure if --disable-cxx is set: [...] checking for shutdown... (cached) yes configure: error: conditional "am__fastdepCXX" was never defined. Usually this means the macro was only invoked conditionally. configure: error: ./configure failed for lib [...] cu andreas -- `What a good friend you are to him, Dr. Maturin. His other friends are so grateful to you.' `I sew his ears on from time to time, sure' From tgc at jupiterrise.com Thu May 14 20:49:52 2009 From: tgc at jupiterrise.com (Tom G. Christensen) Date: Thu, 14 May 2009 20:49:52 +0200 Subject: GnuTLS 2.7.9 fails to build on Solaris 2.6 In-Reply-To: <8763g3hq9c.fsf@mocca.josefsson.org> References: <20090513190538.GA18880@ares.tgcnet> <8763g3hq9c.fsf@mocca.josefsson.org> Message-ID: <20090514184952.GA803@ares.tgcnet> On Thu, May 14, 2009 at 01:34:39PM +0200, Simon Josefsson wrote: > "Tom G. Christensen" writes: > > > I've got a new build error on Solaris 2.6: > > Thanks, should be fixed in git master now. Please try a daily snapshot, > a new one should be ready in a few hours. > With gnutls-20090514 it gets past the previous point only to fail later: make[5]: Entering directory `/export/home/tgc/buildpkg/gnutls/src/gnutls-2.7.11/libextra/gl' /bin/bash ../libtool --tag=CC --mode=compile gcc -DHAVE_CONFIG_H -I. -I.. -I../lgl -I../lgl -I/usr/tgcware/include -g -O2 -MT hmac-md5.lo -MD -MP -MF .deps/hmac-md5.Tpo -c -o hmac-md5.lo hmac-md5.c libtool: compile: gcc -DHAVE_CONFIG_H -I. -I.. -I../lgl -I../lgl -I/usr/tgcware/include -g -O2 -MT hmac-md5.lo -MD -MP -MF .deps/hmac-md5.Tpo -c hmac-md5.c -fPIC -DPIC -o .libs/hmac-md5.o In file included from hmac-md5.c:25: md5.h:25:20: error: stdint.h: No such file or directory In file included from hmac-md5.c:25: md5.h:60: error: expected specifier-qualifier-list before 'uint32_t' make[5]: *** [hmac-md5.lo] Error 1 make[5]: Leaving directory `/export/home/tgc/buildpkg/gnutls/src/gnutls-2.7.11/libextra/gl' -tgc From ametzler at downhill.at.eu.org Fri May 15 20:13:27 2009 From: ametzler at downhill.at.eu.org (Andreas Metzler) Date: Fri, 15 May 2009 20:13:27 +0200 Subject: GnuTLS 2.7.10 - release candidate 2 of GnuTLS 2.8.0 In-Reply-To: <20090514174729.GA3585@downhill.g.la> References: <87octwkizk.fsf@mocca.josefsson.org> <20090514174729.GA3585@downhill.g.la> Message-ID: <20090515181326.GA3768@downhill.g.la> On 2009-05-14 Andreas Metzler wrote: > On 2009-05-13 Simon Josefsson wrote: > > The GnuTLS 2.8.0 release is getting closer; no major problem has been > > feedback in 2.7.9 so far. This is a second release candidate. Please > > test this as if it were the new stable release. If I don't hear any > > complains about regressions compared to 2.6.x I will release this as > > 2.8.0 within two weeks. > It fails to configure if --disable-cxx is set: > [...] > checking for shutdown... (cached) yes > configure: error: conditional "am__fastdepCXX" was never defined. > Usually this means the macro was only invoked conditionally. > configure: error: ./configure failed for lib > [...] > cu andreas This seems to be the culprit: ./lib/configure.ac-------------------- # Finish things from ../configure.ac. AC_SUBST([WARN_CFLAGS]) AM_CONDITIONAL(ENABLE_CXX, test "$use_cxx" != "no") if test "$use_cxx" != "no"; then AC_PROG_CXX fi ------------------------------------- Running AC_PROG_CXX no matter whether $use_cxx was set makes the error go away.[1] I have not got a system without C++ compiler, so I cannot say whether this would break compilation there. cu andreas [1] No idea why AS_IF([test "$use_cxx" != "no"], [AC_PROG_CXX]) seems to also run the test unconditionally. -- `What a good friend you are to him, Dr. Maturin. His other friends are so grateful to you.' `I sew his ears on from time to time, sure' From simon at josefsson.org Sat May 16 16:27:14 2009 From: simon at josefsson.org (Simon Josefsson) Date: Sat, 16 May 2009 16:27:14 +0200 Subject: GnuTLS 2.7.9 fails to build on Solaris 2.6 In-Reply-To: <20090514184952.GA803@ares.tgcnet> (Tom G. Christensen's message of "Thu, 14 May 2009 20:49:52 +0200") References: <20090513190538.GA18880@ares.tgcnet> <8763g3hq9c.fsf@mocca.josefsson.org> <20090514184952.GA803@ares.tgcnet> Message-ID: <87k54hktrx.fsf@mocca.josefsson.org> "Tom G. Christensen" writes: > On Thu, May 14, 2009 at 01:34:39PM +0200, Simon Josefsson wrote: >> "Tom G. Christensen" writes: >> >> > I've got a new build error on Solaris 2.6: >> >> Thanks, should be fixed in git master now. Please try a daily snapshot, >> a new one should be ready in a few hours. >> > With gnutls-20090514 it gets past the previous point only to fail later: > > make[5]: Entering directory > `/export/home/tgc/buildpkg/gnutls/src/gnutls-2.7.11/libextra/gl' > /bin/bash ../libtool --tag=CC --mode=compile gcc -DHAVE_CONFIG_H -I. > -I.. -I../lgl -I../lgl -I/usr/tgcware/include -g -O2 -MT hmac-md5.lo > -MD -MP -MF .deps/hmac-md5.Tpo -c -o hmac-md5.lo hmac-md5.c > libtool: compile: gcc -DHAVE_CONFIG_H -I. -I.. -I../lgl -I../lgl > -I/usr/tgcware/include -g -O2 -MT hmac-md5.lo -MD -MP -MF > .deps/hmac-md5.Tpo -c hmac-md5.c -fPIC -DPIC -o .libs/hmac-md5.o > In file included from hmac-md5.c:25: > md5.h:25:20: error: stdint.h: No such file or directory Thanks. Variation on the same problem as before actually. Should be fixed now. I looked for other occurrences of the same problem, but I didn't find any. /Simon From simon at josefsson.org Sun May 17 10:42:03 2009 From: simon at josefsson.org (Simon Josefsson) Date: Sun, 17 May 2009 10:42:03 +0200 Subject: GnuTLS 2.7.10 - release candidate 2 of GnuTLS 2.8.0 In-Reply-To: <20090515181326.GA3768@downhill.g.la> (Andreas Metzler's message of "Fri, 15 May 2009 20:13:27 +0200") References: <87octwkizk.fsf@mocca.josefsson.org> <20090514174729.GA3585@downhill.g.la> <20090515181326.GA3768@downhill.g.la> Message-ID: <871vqoglyc.fsf@mocca.josefsson.org> Andreas Metzler writes: > On 2009-05-14 Andreas Metzler wrote: >> On 2009-05-13 Simon Josefsson wrote: >> > The GnuTLS 2.8.0 release is getting closer; no major problem has been >> > feedback in 2.7.9 so far. This is a second release candidate. Please >> > test this as if it were the new stable release. If I don't hear any >> > complains about regressions compared to 2.6.x I will release this as >> > 2.8.0 within two weeks. > >> It fails to configure if --disable-cxx is set: >> [...] >> checking for shutdown... (cached) yes >> configure: error: conditional "am__fastdepCXX" was never defined. >> Usually this means the macro was only invoked conditionally. >> configure: error: ./configure failed for lib >> [...] > >> cu andreas > > This seems to be the culprit: > > ./lib/configure.ac-------------------- > # Finish things from ../configure.ac. > AC_SUBST([WARN_CFLAGS]) > AM_CONDITIONAL(ENABLE_CXX, test "$use_cxx" != "no") > if test "$use_cxx" != "no"; then > AC_PROG_CXX > fi > ------------------------------------- > > Running AC_PROG_CXX no matter whether $use_cxx was set makes the error > go away.[1] I have not got a system without C++ compiler, so I > cannot say whether this would break compilation there. We've switched back and forth on this: http://git.savannah.gnu.org/cgit/gnutls.git/commit/?id=e0ed8d655f76b1a856773ed2d5b4155d1d840211 https://savannah.gnu.org/support/?106542 I was able to reproduce your problem. This suggests that AC_PROG_CXX really cannot be invoked optionally. I have pushed a patch now: http://git.savannah.gnu.org/gitweb/?p=gnutls.git;a=commitdiff;h=4f155e7109699fdf98683549e48142f018f6546e Looking through the original 106542 bug report, I'm unsure what the real problem was. Detecting g++ but never using it does not hurt anything (except a tiny performance price), as far as I understand. Daniel, can you test tomorrow's daily snapshot and see if it works for you? It seems clear now that we cannot run AC_PROG_CXX conditionally, so if this patch does not work for you we need to solve your problem in some other way. We'll need another release candidate, I'll prepare it tomorrow. /Simon From tgc at jupiterrise.com Sun May 17 12:16:44 2009 From: tgc at jupiterrise.com (Tom G. Christensen) Date: Sun, 17 May 2009 12:16:44 +0200 Subject: GnuTLS 2.7.9 fails to build on Solaris 2.6 In-Reply-To: <87k54hktrx.fsf@mocca.josefsson.org> References: <20090513190538.GA18880@ares.tgcnet> <8763g3hq9c.fsf@mocca.josefsson.org> <20090514184952.GA803@ares.tgcnet> <87k54hktrx.fsf@mocca.josefsson.org> Message-ID: <20090517101644.GA28643@ares.tgcnet> On Sat, May 16, 2009 at 04:27:14PM +0200, Simon Josefsson wrote: > Thanks. Variation on the same problem as before actually. Should be > fixed now. I looked for other occurrences of the same problem, but I > didn't find any. > I'm still not able to complete the build. I've sent the full log to your autobuild service but these are the two problems I see: serv.c: In function 'listen_socket': serv.c:650: error: 'NI_MAXHOST' undeclared (first use in this function) serv.c:650: error: (Each undeclared identifier is reported only once serv.c:650: error: for each function it appears in.) serv.c:650: error: 'NI_MAXSERV' undeclared (first use in this function) serv.c:650: warning: unused variable 'service' [-Wunused-variable] serv.c:650: warning: unused variable 'host' [-Wunused-variable] make[3]: *** [serv.o] Error 1 And this: ld: warning: file /export/home/tgc/tmp/daily-build/gnutls/gnutls-2.7.11/lib/.libs/libgnutls.so: linked to ../lib/.libs/libgnutls.so: attempted multiple inclusion of file Undefined first referenced symbol in file gethostbyname ../gl/.libs/libgnu.a(getaddrinfo.o) (symbol belongs to implicit dependency /usr/lib/libnsl.so.1) ld: fatal: Symbol referencing errors. No output written to .libs/gnutls-cli collect2: ld returned 1 exit status make[3]: *** [gnutls-cli] Error 1 -tgc From dragonheart at gentoo.org Mon May 18 04:45:53 2009 From: dragonheart at gentoo.org (Daniel Black) Date: Mon, 18 May 2009 12:45:53 +1000 Subject: GnuTLS 2.7.10 - release candidate 2 of GnuTLS 2.8.0 In-Reply-To: <871vqoglyc.fsf@mocca.josefsson.org> References: <87octwkizk.fsf@mocca.josefsson.org> <20090515181326.GA3768@downhill.g.la> <871vqoglyc.fsf@mocca.josefsson.org> Message-ID: <200905181245.56068.dragonheart@gentoo.org> Folks, >Looking through the original 106542 bug report, I'm unsure what the real >problem was. was more building on embedded machines without a g++ compiler. >Detecting g++ but never using it does not hurt anything >(except a tiny performance price), as far as I understand. Daniel, can >you test tomorrow's daily snapshot and see if it works for you? gnutls-20090518 well it configures ok unless I don't have g++ installed which I do admit is an edge case. >It >seems clear now that we cannot run AC_PROG_CXX conditionally, Did you see this patch? is seems to account for the "configure: error: conditional "am__fastdepCXX" was never defined.:" error by defining it. from: https://savannah.gnu.org/support/?106542#comment3 patch: https://savannah.gnu.org:443/file/gnutls-2.6.0-cxx-configure.in.patch?file_id=17234 >so if this >patch does not work for you we need to solve your problem in some other >way. > >We'll need another release candidate, I'll prepare it tomorrow. Daniel From simon at josefsson.org Mon May 18 11:12:07 2009 From: simon at josefsson.org (Simon Josefsson) Date: Mon, 18 May 2009 11:12:07 +0200 Subject: GnuTLS 2.7.10 - release candidate 2 of GnuTLS 2.8.0 In-Reply-To: <200905181245.56068.dragonheart@gentoo.org> (Daniel Black's message of "Mon, 18 May 2009 12:45:53 +1000") References: <87octwkizk.fsf@mocca.josefsson.org> <20090515181326.GA3768@downhill.g.la> <871vqoglyc.fsf@mocca.josefsson.org> <200905181245.56068.dragonheart@gentoo.org> Message-ID: <873ab2rd08.fsf@mocca.josefsson.org> Daniel Black writes: > Folks, > >>Looking through the original 106542 bug report, I'm unsure what the real >>problem was. > > was more building on embedded machines without a g++ compiler. > >>Detecting g++ but never using it does not hurt anything >>(except a tiny performance price), as far as I understand. Daniel, can >>you test tomorrow's daily snapshot and see if it works for you? > > gnutls-20090518 > > well it configures ok unless I don't have g++ installed which I do > admit is an edge case. What happens if you don't have g++ installed? As far as I could tell, AM_PROG_CXX should not fail in this situation, so building should work. Isn't this the case? >>It >>seems clear now that we cannot run AC_PROG_CXX conditionally, > > Did you see this patch? is seems to account for the > "configure: error: conditional "am__fastdepCXX" was never defined.:" > error by defining it. > from: > https://savannah.gnu.org/support/?106542#comment3 > patch: > https://savannah.gnu.org:443/file/gnutls-2.6.0-cxx-configure.in.patch?file_id=17234 That relies on internal magic in automake, so that's not something I'd want to integrate. I can try to come up with something better, or report it as an automake bug, if I can understand better what the real problem is (see above). /Simon From simon at josefsson.org Mon May 18 14:58:18 2009 From: simon at josefsson.org (Simon Josefsson) Date: Mon, 18 May 2009 14:58:18 +0200 Subject: GnuTLS 2.7.9 fails to build on Solaris 2.6 In-Reply-To: <20090517101644.GA28643@ares.tgcnet> (Tom G. Christensen's message of "Sun, 17 May 2009 12:16:44 +0200") References: <20090513190538.GA18880@ares.tgcnet> <8763g3hq9c.fsf@mocca.josefsson.org> <20090514184952.GA803@ares.tgcnet> <87k54hktrx.fsf@mocca.josefsson.org> <20090517101644.GA28643@ares.tgcnet> Message-ID: <871vqmpnyt.fsf@mocca.josefsson.org> "Tom G. Christensen" writes: > On Sat, May 16, 2009 at 04:27:14PM +0200, Simon Josefsson wrote: >> Thanks. Variation on the same problem as before actually. Should be >> fixed now. I looked for other occurrences of the same problem, but I >> didn't find any. >> > I'm still not able to complete the build. > I've sent the full log to your autobuild service but these are the two > problems I see: > > serv.c: In function 'listen_socket': > serv.c:650: error: 'NI_MAXHOST' undeclared (first use in this function) > serv.c:650: error: (Each undeclared identifier is reported only once > serv.c:650: error: for each function it appears in.) > serv.c:650: error: 'NI_MAXSERV' undeclared (first use in this function) > serv.c:650: warning: unused variable 'service' [-Wunused-variable] > serv.c:650: warning: unused variable 'host' [-Wunused-variable] > make[3]: *** [serv.o] Error 1 > > And this: > > ld: warning: file > /export/home/tgc/tmp/daily-build/gnutls/gnutls-2.7.11/lib/.libs/libgnutls.so: > linked to ../lib/.libs/libgnutls.so: attempted multiple inclusion of > file > Undefined first referenced > symbol in file > gethostbyname ../gl/.libs/libgnu.a(getaddrinfo.o) > (symbol belongs to implicit dependency /usr/lib/libnsl.so.1) > ld: fatal: Symbol referencing errors. No output written to > .libs/gnutls-cli > collect2: ld returned 1 exit status > make[3]: *** [gnutls-cli] Error 1 Both should be fixed in master now, I'm going to release another RC so please that. /Simon From simon at josefsson.org Mon May 18 15:01:34 2009 From: simon at josefsson.org (Simon Josefsson) Date: Mon, 18 May 2009 15:01:34 +0200 Subject: GnuTLS 2.7.10 - release candidate 2 of GnuTLS 2.8.0 In-Reply-To: <873ab2rd08.fsf@mocca.josefsson.org> (Simon Josefsson's message of "Mon, 18 May 2009 11:12:07 +0200") References: <87octwkizk.fsf@mocca.josefsson.org> <20090515181326.GA3768@downhill.g.la> <871vqoglyc.fsf@mocca.josefsson.org> <200905181245.56068.dragonheart@gentoo.org> <873ab2rd08.fsf@mocca.josefsson.org> Message-ID: <87ws8eo98x.fsf@mocca.josefsson.org> I just removed my g++, and tried to rebuild GnuTLS. It correctly detected that no C++ compiler was available, and disable the C++ library automatically. So if you still have problem building the very soon to be released new RC, please let me know and quote the error messages. /Simon From ametzler at downhill.at.eu.org Mon May 18 18:38:41 2009 From: ametzler at downhill.at.eu.org (Andreas Metzler) Date: Mon, 18 May 2009 18:38:41 +0200 Subject: GnuTLS 2.7.10 - release candidate 2 of GnuTLS 2.8.0 In-Reply-To: <87ws8eo98x.fsf@mocca.josefsson.org> References: <87octwkizk.fsf@mocca.josefsson.org> <20090515181326.GA3768@downhill.g.la> <871vqoglyc.fsf@mocca.josefsson.org> <200905181245.56068.dragonheart@gentoo.org> <873ab2rd08.fsf@mocca.josefsson.org> <87ws8eo98x.fsf@mocca.josefsson.org> Message-ID: <20090518163841.GA5613@downhill.g.la> On 2009-05-18 Simon Josefsson wrote: > I just removed my g++, and tried to rebuild GnuTLS. It correctly > detected that no C++ compiler was available, and disable the C++ library > automatically. So if you still have problem building the very soon to > be released new RC, please let me know and quote the error messages. FWIW I ran a similar test yesterday, moving /usr/bin/*++* away from $PATH, and I also had a successful build. cu andreas -- `What a good friend you are to him, Dr. Maturin. His other friends are so grateful to you.' `I sew his ears on from time to time, sure' From ametzler at downhill.at.eu.org Mon May 18 18:40:53 2009 From: ametzler at downhill.at.eu.org (Andreas Metzler) Date: Mon, 18 May 2009 18:40:53 +0200 Subject: GnuTLS 2.7.10 - release candidate 2 of GnuTLS 2.8.0 In-Reply-To: <200905181245.56068.dragonheart@gentoo.org> References: <87octwkizk.fsf@mocca.josefsson.org> <20090515181326.GA3768@downhill.g.la> <871vqoglyc.fsf@mocca.josefsson.org> <200905181245.56068.dragonheart@gentoo.org> Message-ID: <20090518164053.GB5613@downhill.g.la> On 2009-05-18 Daniel Black wrote: [...] > Did you see this patch? is seems to account for the > "configure: error: conditional "am__fastdepCXX" was never defined.:" > error by defining it. > from: > https://savannah.gnu.org/support/?106542#comment3 > patch: > https://savannah.gnu.org:443/file/gnutls-2.6.0-cxx-configure.in.patch?file_id=17234 [...] -------------- AC_LANG_POP(C++) + AC_PROG_CXX +else + AM_CONDITIONAL([am__fastdepCXX], [false]) fi -------------- Looks like something that is going to break again with every other new upstream release of automake. :-( cu andreas -- `What a good friend you are to him, Dr. Maturin. His other friends are so grateful to you.' `I sew his ears on from time to time, sure' From simon at josefsson.org Mon May 18 22:21:39 2009 From: simon at josefsson.org (Simon Josefsson) Date: Mon, 18 May 2009 22:21:39 +0200 Subject: GnuTLS 2.7.11 - release candidate 3 of GnuTLS 2.8.0 Message-ID: <87eium17sc.fsf@mocca.josefsson.org> A few build problems has been fixed, but nothing critical has been reported, so we are on track to release 2.8.0 within a week or so. Please test this release as if it were the new stable release. There have been many e-mails (both on-list and off-list) about different problems lately, and I have probably forgotten to reply to some of them. Some of the patches introduced may also lead to new problems, of course. So, please try and build 2.7.11 again, even if you tried earlier RCs. If you can reproduce a problem with 2.7.11 that you have reported earlier, please send me a ping about it. I'm not actively working on fixing anything right now. Btw, josefsson.org and gnutls.org is currently down and may remain so for a few days. But when it is back up, the URLs below will start to work. Here are the compressed sources: http://alpha.gnu.org/gnu/gnutls/gnutls-2.7.11.tar.bz2 (5.9MB) ftp://alpha.gnu.org/gnu/gnutls/gnutls-2.7.11.tar.bz2 Here is the OpenPGP signature: http://alpha.gnu.org/gnu/gnutls/gnutls-2.7.11.tar.bz2.sig ftp://alpha.gnu.org/gnu/gnutls/gnutls-2.7.11.tar.bz2.sig The Windows binary installer and PGP signature: http://josefsson.org/gnutls4win/gnutls-2.7.11.exe (15MB) http://josefsson.org/gnutls4win/gnutls-2.7.11.exe.sig A ZIP archive containing the Windows binaries: http://josefsson.org/gnutls4win/gnutls-2.7.11.zip (5.3MB) http://josefsson.org/gnutls4win/gnutls-2.7.11.zip.sig A Debian mingw32 package is also available: http://josefsson.org/gnutls4win/mingw32-gnutls_2.7.11-1_all.deb (4.8MB) Improving GnuTLS is costly, but you can help! We are looking for organizations that find GnuTLS useful and wish to contribute back. You can contribute by reporting bugs, improve the software, or donate money or equipment. Commercial support contracts for GnuTLS are available, and they help finance continued maintenance. Simon Josefsson Datakonsult AB, a Stockholm based privately held company, is currently funding GnuTLS maintenance. We are always looking for interesting development projects. See http://josefsson.org/ for more details. /Simon * Version 2.7.11 (released 2009-05-18) ** minitasn1: Fix build failure when using internal libtasn1. Reported by "Tom G. Christensen" in . ** libgnutls: Fix build failure with --disable-cxx. Reported by Andreas Metzler in . ** gnutls-serv: Fix build failure for unportable NI_MAXHOST/NI_MAXSERV. Reported by "Tom G. Christensen" in ** Building with many warning flags now requires --enable-gcc-warnings. This avoids crying wolf for normal compiles. ** API and ABI modifications: No changes since last version. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 419 bytes Desc: not available URL: From ankush.vaid at tcs.com Sun May 17 14:00:00 2009 From: ankush.vaid at tcs.com (Ankush Vaid) Date: Sun, 17 May 2009 17:30:00 +0530 Subject: About gnutls windows handshake problem In-Reply-To: <871vqrhltg.fsf@mocca.josefsson.org> References: <4A0B9CD1.50000@gnutls.org> <871vqrhltg.fsf@mocca.josefsson.org> Message-ID: Hi Nikos/Simon I have implemented disable padding function, but after that it also got failed, I guess reason of failure is something else. I am sending the log details of the failure. The whole log follows below:- Please help me in decoding this log Thanks Microsoft Windows 2000 [Version 5.00.2195] (C) Copyright 1985-2000 Microsoft Corp. C:\Documents and Settings\trinitypc>cd c:\ C:\>gnutls-serv --http --port 7070 --debug 10 --x509cafile cacert.pem --x509keyf ile server-key.pem --x509certfile server-cert.pem Set static Diffie Hellman parameters, consider --dhparams. |<2>| ASSERT: ../../../src/gnutls-2.0.0/lib/gnutls_x509.c:1376 Error reading 'cacert.pem' Error: Error while reading file. C:\> C:\>cd program files C:\Program Files>cd gnutls-2.0.0 C:\Program Files\GnuTLS-2.0.0>cd bin C:\Program Files\GnuTLS-2.0.0\bin>gnutls-serv --http --port 7070 --debug 10 --x5 09cafile cacert.pem --x509keyfile server-key.pem --x509certfile server-cert.pem Set static Diffie Hellman parameters, consider --dhparams. Processed 1 CA certificate(s). HTTP Server ready. Listening to port '7070'. |<7>| READ: Got 5 bytes from 20 |<7>| READ: read 5 bytes from 20 |<7>| 0000 - 16 03 01 00 2d |<7>| RB: Have 0 bytes into buffer. Adding 5 bytes. |<7>| RB: Requested 5 bytes |<4>| REC[ac33d8]: Expected Packet[0] Handshake(22) with length: 1 |<4>| REC[ac33d8]: Received Packet[0] Handshake(22) with length: 45 |<7>| READ: Got 45 bytes from 20 |<7>| READ: read 45 bytes from 20 |<7>| 0000 - 01 00 00 29 03 01 37 11 00 00 ce 21 55 ca 9e 30 |<7>| 0001 - 3b 6a c5 bb 87 03 d7 c0 1a 4a 04 ce 17 d2 db 21 |<7>| 0002 - 7e 57 eb 05 4b a8 00 00 02 00 2f 01 00 |<7>| RB: Have 5 bytes into buffer. Adding 45 bytes. |<7>| RB: Requested 50 bytes |<4>| REC[ac33d8]: Decrypted Packet[0] Handshake(22) with length: 45 |<6>| BUF[HSK]: Inserted 45 bytes of Data(22) |<6>| BUF[REC][HD]: Read 1 bytes of Data(22) |<6>| BUF[REC][HD]: Read 3 bytes of Data(22) |<3>| HSK[ac33d8]: CLIENT HELLO was received [45 bytes] |<6>| BUF[REC][HD]: Read 41 bytes of Data(22) |<6>| BUF[HSK]: Peeked 0 bytes of Data |<6>| BUF[HSK]: Emptied buffer |<6>| BUF[HSK]: Inserted 4 bytes of Data |<6>| BUF[HSK]: Inserted 41 bytes of Data |<3>| HSK[ac33d8]: Client's version: 3.1 |<2>| ASSERT: ../../../src/gnutls-2.0.0/lib/gnutls_db.c:327 |<2>| ASSERT: ../../../src/gnutls-2.0.0/lib/gnutls_db.c:247 |<2>| ASSERT: ../../../src/gnutls-2.0.0/lib/gnutls_algorithms.c:1628 |<3>| HSK[ac33d8]: Selected Compression Method: NULL |<2>| ASSERT: ../../../src/gnutls-2.0.0/lib/gnutls_extensions.c:162 |<3>| HSK[ac33d8]: Removing ciphersuite: PSK_SHA_ARCFOUR_SHA1 |<3>| HSK[ac33d8]: Removing ciphersuite: PSK_SHA_3DES_EDE_CBC_SHA1 |<3>| HSK[ac33d8]: Removing ciphersuite: PSK_SHA_AES_128_CBC_SHA1 |<3>| HSK[ac33d8]: Removing ciphersuite: PSK_SHA_AES_256_CBC_SHA1 |<3>| HSK[ac33d8]: Removing ciphersuite: DHE_PSK_SHA_ARCFOUR_SHA1 |<3>| HSK[ac33d8]: Removing ciphersuite: DHE_PSK_SHA_3DES_EDE_CBC_SHA1 |<3>| HSK[ac33d8]: Removing ciphersuite: DHE_PSK_SHA_AES_128_CBC_SHA1 |<3>| HSK[ac33d8]: Removing ciphersuite: DHE_PSK_SHA_AES_256_CBC_SHA1 |<3>| HSK[ac33d8]: Removing ciphersuite: SRP_SHA_3DES_EDE_CBC_SHA1 |<3>| HSK[ac33d8]: Removing ciphersuite: SRP_SHA_AES_128_CBC_SHA1 |<3>| HSK[ac33d8]: Removing ciphersuite: SRP_SHA_AES_256_CBC_SHA1 |<3>| HSK[ac33d8]: Removing ciphersuite: SRP_SHA_DSS_3DES_EDE_CBC_SHA1 |<3>| HSK[ac33d8]: Removing ciphersuite: SRP_SHA_RSA_3DES_EDE_CBC_SHA1 |<3>| HSK[ac33d8]: Removing ciphersuite: SRP_SHA_DSS_AES_128_CBC_SHA1 |<3>| HSK[ac33d8]: Removing ciphersuite: SRP_SHA_RSA_AES_128_CBC_SHA1 |<3>| HSK[ac33d8]: Removing ciphersuite: SRP_SHA_DSS_AES_256_CBC_SHA1 |<3>| HSK[ac33d8]: Removing ciphersuite: SRP_SHA_RSA_AES_256_CBC_SHA1 |<3>| HSK[ac33d8]: Removing ciphersuite: DHE_DSS_ARCFOUR_SHA1 |<3>| HSK[ac33d8]: Removing ciphersuite: DHE_DSS_3DES_EDE_CBC_SHA1 |<3>| HSK[ac33d8]: Removing ciphersuite: DHE_DSS_AES_128_CBC_SHA1 |<3>| HSK[ac33d8]: Removing ciphersuite: DHE_DSS_AES_256_CBC_SHA1 |<3>| HSK[ac33d8]: Keeping ciphersuite: DHE_RSA_3DES_EDE_CBC_SHA1 |<3>| HSK[ac33d8]: Keeping ciphersuite: DHE_RSA_AES_128_CBC_SHA1 |<3>| HSK[ac33d8]: Keeping ciphersuite: DHE_RSA_AES_256_CBC_SHA1 |<3>| HSK[ac33d8]: Keeping ciphersuite: RSA_ARCFOUR_SHA1 |<3>| HSK[ac33d8]: Keeping ciphersuite: RSA_ARCFOUR_MD5 |<3>| HSK[ac33d8]: Keeping ciphersuite: RSA_3DES_EDE_CBC_SHA1 |<3>| HSK[ac33d8]: Keeping ciphersuite: RSA_AES_128_CBC_SHA1 |<3>| HSK[ac33d8]: Keeping ciphersuite: RSA_AES_256_CBC_SHA1 |<3>| HSK[ac33d8]: Selected cipher suite: RSA_AES_128_CBC_SHA1 |<2>| ASSERT: ../../../src/gnutls-2.0.0/lib/ext_authz.c:180 |<2>| ASSERT: ../../../src/gnutls-2.0.0/lib/ext_authz.c:237 |<3>| HSK[ac33d8]: SessionID: d509786573e00a3e5306e75185294329676485f91c60fe3460 d50d65bd52aa47 |<3>| HSK[ac33d8]: SERVER HELLO was send [74 bytes] |<6>| BUF[HSK]: Peeked 45 bytes of Data |<6>| BUF[HSK]: Emptied buffer |<4>| REC[ac33d8]: Sending Packet[0] Handshake(22) with length: 74 |<7>| WRITE: Will write 79 bytes to 20. |<7>| WRITE: wrote 79 bytes to 20. Left 0 bytes. Total 79 bytes. |<7>| 0000 - 16 03 01 00 4a 02 00 00 46 03 01 4a 0d 39 24 a0 |<7>| 0001 - b7 35 6e 9f c8 88 0d 37 55 4e 67 63 88 10 db ca |<7>| 0002 - 3c 80 3f ba c9 f7 1c 51 b8 7b 6a 20 d5 09 78 65 |<7>| 0003 - 73 e0 0a 3e 53 06 e7 51 85 29 43 29 67 64 85 f9 |<7>| 0004 - 1c 60 fe 34 60 d5 0d 65 bd 52 aa 47 00 2f 00 |<4>| REC[ac33d8]: Sent Packet[1] Handshake(22) with length: 79 |<3>| HSK[ac33d8]: CERTIFICATE was send [930 bytes] |<6>| BUF[HSK]: Peeked 0 bytes of Data |<6>| BUF[HSK]: Emptied buffer |<4>| REC[ac33d8]: Sending Packet[1] Handshake(22) with length: 930 |<7>| WRITE: Will write 935 bytes to 20. |<7>| WRITE: wrote 935 bytes to 20. Left 0 bytes. Total 935 bytes. |<7>| 0000 - 16 03 01 03 a2 0b 00 03 9e 00 03 9b 00 03 98 30 |<7>| 0001 - 82 03 94 30 82 02 7c a0 03 02 01 02 02 03 10 00 |<7>| 0002 - 01 30 0d 06 09 2a 86 48 86 f7 0d 01 01 05 05 00 |<7>| 0003 - 30 58 31 0b 30 09 06 03 55 04 06 13 02 55 4b 31 |<7>| 0004 - 0f 30 0d 06 03 55 04 08 13 06 4c 6f 6e 64 6f 6e |<7>| 0005 - 31 12 30 10 06 03 55 04 07 13 09 53 74 65 76 65 |<7>| 0006 - 6e 61 67 65 31 11 30 0f 06 03 55 04 0a 13 08 41 |<7>| 0007 - 65 72 6f 66 6c 65 78 31 11 30 0f 06 03 55 04 03 |<7>| 0008 - 13 08 41 65 72 6f 66 6c 65 78 30 1e 17 0d 30 38 |<7>| 0009 - 30 37 32 33 30 38 31 38 32 33 5a 17 0d 31 33 30 |<7>| 000a - 37 32 32 30 38 31 38 32 33 5a 30 44 31 0b 30 09 |<7>| 000b - 06 03 55 04 06 13 02 55 4b 31 0f 30 0d 06 03 55 |<7>| 000c - 04 08 13 06 4c 6f 6e 64 6f 6e 31 11 30 0f 06 03 |<7>| 000d - 55 04 0a 13 08 41 65 72 6f 66 6c 65 78 31 11 30 |<7>| 000e - 0f 06 03 55 04 03 13 08 41 65 72 6f 66 6c 65 78 |<7>| 000f - 30 82 01 22 30 0d 06 09 2a 86 48 86 f7 0d 01 01 |<7>| 0010 - 01 05 00 03 82 01 0f 00 30 82 01 0a 02 82 01 01 |<7>| 0011 - 00 be 17 70 dc 6c 04 ba 89 ce 7a a6 77 ba 3f 2c |<7>| 0012 - 13 4e b4 65 8a c8 9c dd f3 32 73 14 e8 03 f8 8f |<7>| 0013 - f3 7c 53 a2 b4 d6 b0 7b 88 e4 0e 1b c6 fa b6 93 |<7>| 0014 - 47 4e 41 08 8c 40 83 44 78 5c a2 ab f9 1d 28 53 |<7>| 0015 - da fb f1 a6 dd a0 1b 28 ad a3 12 79 e0 60 bb dd |<7>| 0016 - a7 b8 ea ea 9d 54 4d f0 ac 65 a8 1c c7 f3 d2 5e |<7>| 0017 - 99 b5 ec 04 93 ad 58 ed bc 07 43 32 61 4f 21 00 |<7>| 0018 - 38 a4 df 49 a5 d2 aa 14 72 c7 98 18 18 86 b4 80 |<7>| 0019 - 52 0a d2 c8 09 d8 f3 09 ee b4 d8 42 fb 18 18 6b |<7>| 001a - 8c 19 be 05 55 29 ef be 85 14 eb 33 05 8d c0 7f |<7>| 001b - 7b 88 59 cb f3 0c bc ac d5 bf 2b 27 79 b7 44 be |<7>| 001c - eb f3 8c 92 9c 1a ec c1 fb 3c 91 5c 18 1f 3b 0b |<7>| 001d - 52 1b 7c d7 57 61 22 80 2d 28 8a c7 25 bf 3e 92 |<7>| 001e - 50 96 3d 35 81 cd ea 04 b0 59 bc f3 5f 8d df b3 |<7>| 001f - 00 22 9c 6c 59 f2 de 57 34 ab ff 45 ec 91 25 8f |<7>| 0020 - a7 0e c2 61 4b 0a 36 c5 99 1f cf 90 e8 24 40 bc |<7>| 0021 - d7 02 03 01 00 01 a3 7b 30 79 30 09 06 03 55 1d |<7>| 0022 - 13 04 02 30 00 30 2c 06 09 60 86 48 01 86 f8 42 |<7>| 0023 - 01 0d 04 1f 16 1d 4f 70 65 6e 53 53 4c 20 47 65 |<7>| 0024 - 6e 65 72 61 74 65 64 20 43 65 72 74 69 66 69 63 |<7>| 0025 - 61 74 65 30 1d 06 03 55 1d 0e 04 16 04 14 42 15 |<7>| 0026 - 35 c7 fc ba 91 0f 9e 99 09 fa 68 26 6a e4 a0 d4 |<7>| 0027 - 2c a1 30 1f 06 03 55 1d 23 04 18 30 16 80 14 90 |<7>| 0028 - c1 e9 00 e7 db fe 76 9e f8 b8 7c 00 66 ed ef 0a |<7>| 0029 - 3d 30 30 30 0d 06 09 2a 86 48 86 f7 0d 01 01 05 |<7>| 002a - 05 00 03 82 01 01 00 01 27 e4 9f 51 3d 42 1a 20 |<7>| 002b - fd a9 28 91 fe 2d e2 bf 04 c1 bd 52 38 e5 2e de |<7>| 002c - 31 f2 10 ea c6 d3 f5 74 34 89 9a 91 fe db 98 5a |<7>| 002d - 77 d4 9e 6b 67 b5 2f fa 0e 79 96 c2 cd 86 8f b1 |<7>| 002e - 0f 8e f1 0c a3 fd 3e d6 2b 85 7b 36 15 3f 76 69 |<7>| 002f - f3 c2 9c 28 6d a1 4e 19 ae 82 8a 17 a2 f3 57 eb |<7>| 0030 - 18 74 a9 f6 cc 0c 17 db 7e 4e 47 d9 cc 3b 87 7a |<7>| 0031 - 74 98 c3 43 c3 69 55 f4 a8 a2 7a 9d b2 d6 76 f4 |<7>| 0032 - c2 23 a3 ae f2 e5 6e 34 5c a6 60 fe 8e d9 13 68 |<7>| 0033 - 49 61 b5 f7 ed b2 e3 6a 06 73 88 65 32 b7 42 de |<7>| 0034 - 8d 5d a6 09 94 bb c4 21 48 1a 2b c0 04 cb b5 d3 |<7>| 0035 - 01 8b 90 9a ee a3 2a 10 7f cd d3 ea 26 da 82 a2 |<7>| 0036 - 0f b3 33 10 0f 09 fc e2 ee c6 26 a5 25 6e ab d9 |<7>| 0037 - cd 1d f2 2b eb 9d d5 3f 04 14 f3 f5 3c a1 3c 1c |<7>| 0038 - 94 a7 dd 5a 24 4e 60 9c 01 0e a4 78 8b c2 18 1a |<7>| 0039 - 38 b8 87 3d 2a 32 b8 c5 06 a9 bc 40 94 cf f7 6e |<7>| 003a - 7e c9 d7 de 49 1c de |<4>| REC[ac33d8]: Sent Packet[2] Handshake(22) with length: 935 |<3>| HSK[ac33d8]: CERTIFICATE REQUEST was send [101 bytes] |<6>| BUF[HSK]: Peeked 0 bytes of Data |<6>| BUF[HSK]: Emptied buffer |<4>| REC[ac33d8]: Sending Packet[2] Handshake(22) with length: 101 |<7>| WRITE: Will write 106 bytes to 20. |<7>| WRITE: wrote 106 bytes to 20. Left 0 bytes. Total 106 bytes. |<7>| 0000 - 16 03 01 00 65 0d 00 00 61 02 01 02 00 5c 00 5a |<7>| 0001 - 30 58 31 0b 30 09 06 03 55 04 06 13 02 55 4b 31 |<7>| 0002 - 0f 30 0d 06 03 55 04 08 13 06 4c 6f 6e 64 6f 6e |<7>| 0003 - 31 12 30 10 06 03 55 04 07 13 09 53 74 65 76 65 |<7>| 0004 - 6e 61 67 65 31 11 30 0f 06 03 55 04 0a 13 08 41 |<7>| 0005 - 65 72 6f 66 6c 65 78 31 11 30 0f 06 03 55 04 03 |<7>| 0006 - 13 08 41 65 72 6f 66 6c 65 78 |<4>| REC[ac33d8]: Sent Packet[3] Handshake(22) with length: 106 |<3>| HSK[ac33d8]: SERVER HELLO DONE was send [4 bytes] |<6>| BUF[HSK]: Peeked 0 bytes of Data |<6>| BUF[HSK]: Emptied buffer |<4>| REC[ac33d8]: Sending Packet[3] Handshake(22) with length: 4 |<7>| WRITE: Will write 9 bytes to 20. |<7>| WRITE: wrote 9 bytes to 20. Left 0 bytes. Total 9 bytes. |<7>| 0000 - 16 03 01 00 04 0e 00 00 00 |<4>| REC[ac33d8]: Sent Packet[4] Handshake(22) with length: 9 |<7>| READ: Got 5 bytes from 20 |<7>| READ: read 5 bytes from 20 |<7>| 0000 - 15 03 01 00 02 |<7>| RB: Have 0 bytes into buffer. Adding 5 bytes. |<7>| RB: Requested 5 bytes |<4>| REC[ac33d8]: Expected Packet[1] Handshake(22) with length: 1 |<4>| REC[ac33d8]: Received Packet[1] Alert(21) with length: 2 |<7>| READ: Got 2 bytes from 20 |<7>| READ: read 2 bytes from 20 |<7>| 0000 - 02 28 |<7>| RB: Have 5 bytes into buffer. Adding 2 bytes. |<7>| RB: Requested 7 bytes |<4>| REC[ac33d8]: Decrypted Packet[1] Alert(21) with length: 2 |<4>| REC[ac33d8]: Alert[2|40] - Handshake failed - was received |<2>| ASSERT: ../../../src/gnutls-2.0.0/lib/gnutls_record.c:681 |<2>| ASSERT: ../../../src/gnutls-2.0.0/lib/gnutls_record.c:1028 |<2>| ASSERT: ../../../src/gnutls-2.0.0/lib/gnutls_buffers.c:1188 |<2>| ASSERT: ../../../src/gnutls-2.0.0/lib/gnutls_handshake.c:962 |<2>| ASSERT: ../../../src/gnutls-2.0.0/lib/gnutls_handshake.c:2568 |<6>| BUF[HSK]: Cleared Data from buffer * Received alert '40': Handshake failed. Error in handshake Error: A TLS fatal alert has been received. |<2>| ASSERT: ../../../src/gnutls-2.0.0/lib/gnutls_record.c:241 Ankush Vaid Tata Consultancy Services TCS Towers, 249 D&E Udyog Vihar, Phase IV, Gurgaon Gurgaon - 122001,Haryana India Cell:- 09718290491 Mailto: ankush.vaid at tcs.com Website: http://www.tcs.com ____________________________________________ Experience certainty. IT Services Business Solutions Outsourcing ____________________________________________ Simon Josefsson 05/14/2009 06:40 PM To Nikos Mavrogiannopoulos cc Ankush Vaid , Gnutls-dev at gnupg.org Subject Re: About gnutls windows handshake problem Nikos Mavrogiannopoulos writes: > Ankush Vaid wrote: >> Hi, >> >> This is regarding handshaking failure on qualcomm mobile 6280 using >> security, after digging into the problem I come to know about that error is >> coming at finished message which is found of size 208 bytes. >> >> There is link given below which suggest that some mobiles don't support non >> minimal record padding. >> >> http://www.gnu.org/software/gnutls/manual/html_node/On-Record-Padding.html >> >> If this the case probably there is a workaround in gnutls library we are >> using to resolve/fix this issue. > > Hi, > I do not understand what is the question here. If you ask for a > workaround this is discussed in the page you refer to (the %COMPAT > priority string). Indeed %COMPAT seems like the answer. However, isn't that keyword confusing? How about adding %DISABLE_MAC_PADDING? Today those two keywords would do the same, but if we encounter other compatibility hacks, %COMPAT would also enable them, but %DISABLE_MAC_PADDING would only disable MAC padding. It seems better to introduce this today rather than when the next compatibility hack is introduced. /Simon ForwardSourceID:NT000040F2 =====-----=====-----===== Notice: The information contained in this e-mail message and/or attachments to it may contain confidential or privileged information. If you are not the intended recipient, any dissemination, use, review, distribution, printing or copying of the information contained in this e-mail message and/or attachments to it are strictly prohibited. If you have received this communication in error, please notify us by reply e-mail or telephone and immediately and permanently delete the message and any attachments. Thank you -------------- next part -------------- An HTML attachment was scrubbed... URL: From ankush.vaid at tcs.com Sun May 17 14:00:00 2009 From: ankush.vaid at tcs.com (Ankush Vaid) Date: Sun, 17 May 2009 17:30:00 +0530 Subject: About gnutls windows handshake problem In-Reply-To: <871vqrhltg.fsf@mocca.josefsson.org> References: <4A0B9CD1.50000@gnutls.org> <871vqrhltg.fsf@mocca.josefsson.org> Message-ID: Hi Nikos/Simon I have implemented disable padding function, but after that it also got failed, I guess reason of failure is something else. I am sending the log details of the failure. The whole log follows below:- Please help me in decoding this log Thanks Microsoft Windows 2000 [Version 5.00.2195] (C) Copyright 1985-2000 Microsoft Corp. C:\Documents and Settings\trinitypc>cd c:\ C:\>gnutls-serv --http --port 7070 --debug 10 --x509cafile cacert.pem --x509keyf ile server-key.pem --x509certfile server-cert.pem Set static Diffie Hellman parameters, consider --dhparams. |<2>| ASSERT: ../../../src/gnutls-2.0.0/lib/gnutls_x509.c:1376 Error reading 'cacert.pem' Error: Error while reading file. C:\> C:\>cd program files C:\Program Files>cd gnutls-2.0.0 C:\Program Files\GnuTLS-2.0.0>cd bin C:\Program Files\GnuTLS-2.0.0\bin>gnutls-serv --http --port 7070 --debug 10 --x5 09cafile cacert.pem --x509keyfile server-key.pem --x509certfile server-cert.pem Set static Diffie Hellman parameters, consider --dhparams. Processed 1 CA certificate(s). HTTP Server ready. Listening to port '7070'. |<7>| READ: Got 5 bytes from 20 |<7>| READ: read 5 bytes from 20 |<7>| 0000 - 16 03 01 00 2d |<7>| RB: Have 0 bytes into buffer. Adding 5 bytes. |<7>| RB: Requested 5 bytes |<4>| REC[ac33d8]: Expected Packet[0] Handshake(22) with length: 1 |<4>| REC[ac33d8]: Received Packet[0] Handshake(22) with length: 45 |<7>| READ: Got 45 bytes from 20 |<7>| READ: read 45 bytes from 20 |<7>| 0000 - 01 00 00 29 03 01 37 11 00 00 ce 21 55 ca 9e 30 |<7>| 0001 - 3b 6a c5 bb 87 03 d7 c0 1a 4a 04 ce 17 d2 db 21 |<7>| 0002 - 7e 57 eb 05 4b a8 00 00 02 00 2f 01 00 |<7>| RB: Have 5 bytes into buffer. Adding 45 bytes. |<7>| RB: Requested 50 bytes |<4>| REC[ac33d8]: Decrypted Packet[0] Handshake(22) with length: 45 |<6>| BUF[HSK]: Inserted 45 bytes of Data(22) |<6>| BUF[REC][HD]: Read 1 bytes of Data(22) |<6>| BUF[REC][HD]: Read 3 bytes of Data(22) |<3>| HSK[ac33d8]: CLIENT HELLO was received [45 bytes] |<6>| BUF[REC][HD]: Read 41 bytes of Data(22) |<6>| BUF[HSK]: Peeked 0 bytes of Data |<6>| BUF[HSK]: Emptied buffer |<6>| BUF[HSK]: Inserted 4 bytes of Data |<6>| BUF[HSK]: Inserted 41 bytes of Data |<3>| HSK[ac33d8]: Client's version: 3.1 |<2>| ASSERT: ../../../src/gnutls-2.0.0/lib/gnutls_db.c:327 |<2>| ASSERT: ../../../src/gnutls-2.0.0/lib/gnutls_db.c:247 |<2>| ASSERT: ../../../src/gnutls-2.0.0/lib/gnutls_algorithms.c:1628 |<3>| HSK[ac33d8]: Selected Compression Method: NULL |<2>| ASSERT: ../../../src/gnutls-2.0.0/lib/gnutls_extensions.c:162 |<3>| HSK[ac33d8]: Removing ciphersuite: PSK_SHA_ARCFOUR_SHA1 |<3>| HSK[ac33d8]: Removing ciphersuite: PSK_SHA_3DES_EDE_CBC_SHA1 |<3>| HSK[ac33d8]: Removing ciphersuite: PSK_SHA_AES_128_CBC_SHA1 |<3>| HSK[ac33d8]: Removing ciphersuite: PSK_SHA_AES_256_CBC_SHA1 |<3>| HSK[ac33d8]: Removing ciphersuite: DHE_PSK_SHA_ARCFOUR_SHA1 |<3>| HSK[ac33d8]: Removing ciphersuite: DHE_PSK_SHA_3DES_EDE_CBC_SHA1 |<3>| HSK[ac33d8]: Removing ciphersuite: DHE_PSK_SHA_AES_128_CBC_SHA1 |<3>| HSK[ac33d8]: Removing ciphersuite: DHE_PSK_SHA_AES_256_CBC_SHA1 |<3>| HSK[ac33d8]: Removing ciphersuite: SRP_SHA_3DES_EDE_CBC_SHA1 |<3>| HSK[ac33d8]: Removing ciphersuite: SRP_SHA_AES_128_CBC_SHA1 |<3>| HSK[ac33d8]: Removing ciphersuite: SRP_SHA_AES_256_CBC_SHA1 |<3>| HSK[ac33d8]: Removing ciphersuite: SRP_SHA_DSS_3DES_EDE_CBC_SHA1 |<3>| HSK[ac33d8]: Removing ciphersuite: SRP_SHA_RSA_3DES_EDE_CBC_SHA1 |<3>| HSK[ac33d8]: Removing ciphersuite: SRP_SHA_DSS_AES_128_CBC_SHA1 |<3>| HSK[ac33d8]: Removing ciphersuite: SRP_SHA_RSA_AES_128_CBC_SHA1 |<3>| HSK[ac33d8]: Removing ciphersuite: SRP_SHA_DSS_AES_256_CBC_SHA1 |<3>| HSK[ac33d8]: Removing ciphersuite: SRP_SHA_RSA_AES_256_CBC_SHA1 |<3>| HSK[ac33d8]: Removing ciphersuite: DHE_DSS_ARCFOUR_SHA1 |<3>| HSK[ac33d8]: Removing ciphersuite: DHE_DSS_3DES_EDE_CBC_SHA1 |<3>| HSK[ac33d8]: Removing ciphersuite: DHE_DSS_AES_128_CBC_SHA1 |<3>| HSK[ac33d8]: Removing ciphersuite: DHE_DSS_AES_256_CBC_SHA1 |<3>| HSK[ac33d8]: Keeping ciphersuite: DHE_RSA_3DES_EDE_CBC_SHA1 |<3>| HSK[ac33d8]: Keeping ciphersuite: DHE_RSA_AES_128_CBC_SHA1 |<3>| HSK[ac33d8]: Keeping ciphersuite: DHE_RSA_AES_256_CBC_SHA1 |<3>| HSK[ac33d8]: Keeping ciphersuite: RSA_ARCFOUR_SHA1 |<3>| HSK[ac33d8]: Keeping ciphersuite: RSA_ARCFOUR_MD5 |<3>| HSK[ac33d8]: Keeping ciphersuite: RSA_3DES_EDE_CBC_SHA1 |<3>| HSK[ac33d8]: Keeping ciphersuite: RSA_AES_128_CBC_SHA1 |<3>| HSK[ac33d8]: Keeping ciphersuite: RSA_AES_256_CBC_SHA1 |<3>| HSK[ac33d8]: Selected cipher suite: RSA_AES_128_CBC_SHA1 |<2>| ASSERT: ../../../src/gnutls-2.0.0/lib/ext_authz.c:180 |<2>| ASSERT: ../../../src/gnutls-2.0.0/lib/ext_authz.c:237 |<3>| HSK[ac33d8]: SessionID: d509786573e00a3e5306e75185294329676485f91c60fe3460 d50d65bd52aa47 |<3>| HSK[ac33d8]: SERVER HELLO was send [74 bytes] |<6>| BUF[HSK]: Peeked 45 bytes of Data |<6>| BUF[HSK]: Emptied buffer |<4>| REC[ac33d8]: Sending Packet[0] Handshake(22) with length: 74 |<7>| WRITE: Will write 79 bytes to 20. |<7>| WRITE: wrote 79 bytes to 20. Left 0 bytes. Total 79 bytes. |<7>| 0000 - 16 03 01 00 4a 02 00 00 46 03 01 4a 0d 39 24 a0 |<7>| 0001 - b7 35 6e 9f c8 88 0d 37 55 4e 67 63 88 10 db ca |<7>| 0002 - 3c 80 3f ba c9 f7 1c 51 b8 7b 6a 20 d5 09 78 65 |<7>| 0003 - 73 e0 0a 3e 53 06 e7 51 85 29 43 29 67 64 85 f9 |<7>| 0004 - 1c 60 fe 34 60 d5 0d 65 bd 52 aa 47 00 2f 00 |<4>| REC[ac33d8]: Sent Packet[1] Handshake(22) with length: 79 |<3>| HSK[ac33d8]: CERTIFICATE was send [930 bytes] |<6>| BUF[HSK]: Peeked 0 bytes of Data |<6>| BUF[HSK]: Emptied buffer |<4>| REC[ac33d8]: Sending Packet[1] Handshake(22) with length: 930 |<7>| WRITE: Will write 935 bytes to 20. |<7>| WRITE: wrote 935 bytes to 20. Left 0 bytes. Total 935 bytes. |<7>| 0000 - 16 03 01 03 a2 0b 00 03 9e 00 03 9b 00 03 98 30 |<7>| 0001 - 82 03 94 30 82 02 7c a0 03 02 01 02 02 03 10 00 |<7>| 0002 - 01 30 0d 06 09 2a 86 48 86 f7 0d 01 01 05 05 00 |<7>| 0003 - 30 58 31 0b 30 09 06 03 55 04 06 13 02 55 4b 31 |<7>| 0004 - 0f 30 0d 06 03 55 04 08 13 06 4c 6f 6e 64 6f 6e |<7>| 0005 - 31 12 30 10 06 03 55 04 07 13 09 53 74 65 76 65 |<7>| 0006 - 6e 61 67 65 31 11 30 0f 06 03 55 04 0a 13 08 41 |<7>| 0007 - 65 72 6f 66 6c 65 78 31 11 30 0f 06 03 55 04 03 |<7>| 0008 - 13 08 41 65 72 6f 66 6c 65 78 30 1e 17 0d 30 38 |<7>| 0009 - 30 37 32 33 30 38 31 38 32 33 5a 17 0d 31 33 30 |<7>| 000a - 37 32 32 30 38 31 38 32 33 5a 30 44 31 0b 30 09 |<7>| 000b - 06 03 55 04 06 13 02 55 4b 31 0f 30 0d 06 03 55 |<7>| 000c - 04 08 13 06 4c 6f 6e 64 6f 6e 31 11 30 0f 06 03 |<7>| 000d - 55 04 0a 13 08 41 65 72 6f 66 6c 65 78 31 11 30 |<7>| 000e - 0f 06 03 55 04 03 13 08 41 65 72 6f 66 6c 65 78 |<7>| 000f - 30 82 01 22 30 0d 06 09 2a 86 48 86 f7 0d 01 01 |<7>| 0010 - 01 05 00 03 82 01 0f 00 30 82 01 0a 02 82 01 01 |<7>| 0011 - 00 be 17 70 dc 6c 04 ba 89 ce 7a a6 77 ba 3f 2c |<7>| 0012 - 13 4e b4 65 8a c8 9c dd f3 32 73 14 e8 03 f8 8f |<7>| 0013 - f3 7c 53 a2 b4 d6 b0 7b 88 e4 0e 1b c6 fa b6 93 |<7>| 0014 - 47 4e 41 08 8c 40 83 44 78 5c a2 ab f9 1d 28 53 |<7>| 0015 - da fb f1 a6 dd a0 1b 28 ad a3 12 79 e0 60 bb dd |<7>| 0016 - a7 b8 ea ea 9d 54 4d f0 ac 65 a8 1c c7 f3 d2 5e |<7>| 0017 - 99 b5 ec 04 93 ad 58 ed bc 07 43 32 61 4f 21 00 |<7>| 0018 - 38 a4 df 49 a5 d2 aa 14 72 c7 98 18 18 86 b4 80 |<7>| 0019 - 52 0a d2 c8 09 d8 f3 09 ee b4 d8 42 fb 18 18 6b |<7>| 001a - 8c 19 be 05 55 29 ef be 85 14 eb 33 05 8d c0 7f |<7>| 001b - 7b 88 59 cb f3 0c bc ac d5 bf 2b 27 79 b7 44 be |<7>| 001c - eb f3 8c 92 9c 1a ec c1 fb 3c 91 5c 18 1f 3b 0b |<7>| 001d - 52 1b 7c d7 57 61 22 80 2d 28 8a c7 25 bf 3e 92 |<7>| 001e - 50 96 3d 35 81 cd ea 04 b0 59 bc f3 5f 8d df b3 |<7>| 001f - 00 22 9c 6c 59 f2 de 57 34 ab ff 45 ec 91 25 8f |<7>| 0020 - a7 0e c2 61 4b 0a 36 c5 99 1f cf 90 e8 24 40 bc |<7>| 0021 - d7 02 03 01 00 01 a3 7b 30 79 30 09 06 03 55 1d |<7>| 0022 - 13 04 02 30 00 30 2c 06 09 60 86 48 01 86 f8 42 |<7>| 0023 - 01 0d 04 1f 16 1d 4f 70 65 6e 53 53 4c 20 47 65 |<7>| 0024 - 6e 65 72 61 74 65 64 20 43 65 72 74 69 66 69 63 |<7>| 0025 - 61 74 65 30 1d 06 03 55 1d 0e 04 16 04 14 42 15 |<7>| 0026 - 35 c7 fc ba 91 0f 9e 99 09 fa 68 26 6a e4 a0 d4 |<7>| 0027 - 2c a1 30 1f 06 03 55 1d 23 04 18 30 16 80 14 90 |<7>| 0028 - c1 e9 00 e7 db fe 76 9e f8 b8 7c 00 66 ed ef 0a |<7>| 0029 - 3d 30 30 30 0d 06 09 2a 86 48 86 f7 0d 01 01 05 |<7>| 002a - 05 00 03 82 01 01 00 01 27 e4 9f 51 3d 42 1a 20 |<7>| 002b - fd a9 28 91 fe 2d e2 bf 04 c1 bd 52 38 e5 2e de |<7>| 002c - 31 f2 10 ea c6 d3 f5 74 34 89 9a 91 fe db 98 5a |<7>| 002d - 77 d4 9e 6b 67 b5 2f fa 0e 79 96 c2 cd 86 8f b1 |<7>| 002e - 0f 8e f1 0c a3 fd 3e d6 2b 85 7b 36 15 3f 76 69 |<7>| 002f - f3 c2 9c 28 6d a1 4e 19 ae 82 8a 17 a2 f3 57 eb |<7>| 0030 - 18 74 a9 f6 cc 0c 17 db 7e 4e 47 d9 cc 3b 87 7a |<7>| 0031 - 74 98 c3 43 c3 69 55 f4 a8 a2 7a 9d b2 d6 76 f4 |<7>| 0032 - c2 23 a3 ae f2 e5 6e 34 5c a6 60 fe 8e d9 13 68 |<7>| 0033 - 49 61 b5 f7 ed b2 e3 6a 06 73 88 65 32 b7 42 de |<7>| 0034 - 8d 5d a6 09 94 bb c4 21 48 1a 2b c0 04 cb b5 d3 |<7>| 0035 - 01 8b 90 9a ee a3 2a 10 7f cd d3 ea 26 da 82 a2 |<7>| 0036 - 0f b3 33 10 0f 09 fc e2 ee c6 26 a5 25 6e ab d9 |<7>| 0037 - cd 1d f2 2b eb 9d d5 3f 04 14 f3 f5 3c a1 3c 1c |<7>| 0038 - 94 a7 dd 5a 24 4e 60 9c 01 0e a4 78 8b c2 18 1a |<7>| 0039 - 38 b8 87 3d 2a 32 b8 c5 06 a9 bc 40 94 cf f7 6e |<7>| 003a - 7e c9 d7 de 49 1c de |<4>| REC[ac33d8]: Sent Packet[2] Handshake(22) with length: 935 |<3>| HSK[ac33d8]: CERTIFICATE REQUEST was send [101 bytes] |<6>| BUF[HSK]: Peeked 0 bytes of Data |<6>| BUF[HSK]: Emptied buffer |<4>| REC[ac33d8]: Sending Packet[2] Handshake(22) with length: 101 |<7>| WRITE: Will write 106 bytes to 20. |<7>| WRITE: wrote 106 bytes to 20. Left 0 bytes. Total 106 bytes. |<7>| 0000 - 16 03 01 00 65 0d 00 00 61 02 01 02 00 5c 00 5a |<7>| 0001 - 30 58 31 0b 30 09 06 03 55 04 06 13 02 55 4b 31 |<7>| 0002 - 0f 30 0d 06 03 55 04 08 13 06 4c 6f 6e 64 6f 6e |<7>| 0003 - 31 12 30 10 06 03 55 04 07 13 09 53 74 65 76 65 |<7>| 0004 - 6e 61 67 65 31 11 30 0f 06 03 55 04 0a 13 08 41 |<7>| 0005 - 65 72 6f 66 6c 65 78 31 11 30 0f 06 03 55 04 03 |<7>| 0006 - 13 08 41 65 72 6f 66 6c 65 78 |<4>| REC[ac33d8]: Sent Packet[3] Handshake(22) with length: 106 |<3>| HSK[ac33d8]: SERVER HELLO DONE was send [4 bytes] |<6>| BUF[HSK]: Peeked 0 bytes of Data |<6>| BUF[HSK]: Emptied buffer |<4>| REC[ac33d8]: Sending Packet[3] Handshake(22) with length: 4 |<7>| WRITE: Will write 9 bytes to 20. |<7>| WRITE: wrote 9 bytes to 20. Left 0 bytes. Total 9 bytes. |<7>| 0000 - 16 03 01 00 04 0e 00 00 00 |<4>| REC[ac33d8]: Sent Packet[4] Handshake(22) with length: 9 |<7>| READ: Got 5 bytes from 20 |<7>| READ: read 5 bytes from 20 |<7>| 0000 - 15 03 01 00 02 |<7>| RB: Have 0 bytes into buffer. Adding 5 bytes. |<7>| RB: Requested 5 bytes |<4>| REC[ac33d8]: Expected Packet[1] Handshake(22) with length: 1 |<4>| REC[ac33d8]: Received Packet[1] Alert(21) with length: 2 |<7>| READ: Got 2 bytes from 20 |<7>| READ: read 2 bytes from 20 |<7>| 0000 - 02 28 |<7>| RB: Have 5 bytes into buffer. Adding 2 bytes. |<7>| RB: Requested 7 bytes |<4>| REC[ac33d8]: Decrypted Packet[1] Alert(21) with length: 2 |<4>| REC[ac33d8]: Alert[2|40] - Handshake failed - was received |<2>| ASSERT: ../../../src/gnutls-2.0.0/lib/gnutls_record.c:681 |<2>| ASSERT: ../../../src/gnutls-2.0.0/lib/gnutls_record.c:1028 |<2>| ASSERT: ../../../src/gnutls-2.0.0/lib/gnutls_buffers.c:1188 |<2>| ASSERT: ../../../src/gnutls-2.0.0/lib/gnutls_handshake.c:962 |<2>| ASSERT: ../../../src/gnutls-2.0.0/lib/gnutls_handshake.c:2568 |<6>| BUF[HSK]: Cleared Data from buffer * Received alert '40': Handshake failed. Error in handshake Error: A TLS fatal alert has been received. |<2>| ASSERT: ../../../src/gnutls-2.0.0/lib/gnutls_record.c:241 Ankush Vaid Tata Consultancy Services TCS Towers, 249 D&E Udyog Vihar, Phase IV, Gurgaon Gurgaon - 122001,Haryana India Cell:- 09718290491 Mailto: ankush.vaid at tcs.com Website: http://www.tcs.com ____________________________________________ Experience certainty. IT Services Business Solutions Outsourcing ____________________________________________ Simon Josefsson 05/14/2009 06:40 PM To Nikos Mavrogiannopoulos cc Ankush Vaid , Gnutls-dev at gnupg.org Subject Re: About gnutls windows handshake problem Nikos Mavrogiannopoulos writes: > Ankush Vaid wrote: >> Hi, >> >> This is regarding handshaking failure on qualcomm mobile 6280 using >> security, after digging into the problem I come to know about that error is >> coming at finished message which is found of size 208 bytes. >> >> There is link given below which suggest that some mobiles don't support non >> minimal record padding. >> >> http://www.gnu.org/software/gnutls/manual/html_node/On-Record-Padding.html >> >> If this the case probably there is a workaround in gnutls library we are >> using to resolve/fix this issue. > > Hi, > I do not understand what is the question here. If you ask for a > workaround this is discussed in the page you refer to (the %COMPAT > priority string). Indeed %COMPAT seems like the answer. However, isn't that keyword confusing? How about adding %DISABLE_MAC_PADDING? Today those two keywords would do the same, but if we encounter other compatibility hacks, %COMPAT would also enable them, but %DISABLE_MAC_PADDING would only disable MAC padding. It seems better to introduce this today rather than when the next compatibility hack is introduced. /Simon ForwardSourceID:NT000040F2 =====-----=====-----===== Notice: The information contained in this e-mail message and/or attachments to it may contain confidential or privileged information. If you are not the intended recipient, any dissemination, use, review, distribution, printing or copying of the information contained in this e-mail message and/or attachments to it are strictly prohibited. If you have received this communication in error, please notify us by reply e-mail or telephone and immediately and permanently delete the message and any attachments. Thank you -------------- next part -------------- An HTML attachment was scrubbed... URL: From simon at josefsson.org Tue May 19 17:18:00 2009 From: simon at josefsson.org (Simon Josefsson) Date: Tue, 19 May 2009 17:18:00 +0200 Subject: About gnutls windows handshake problem In-Reply-To: (Ankush Vaid's message of "Sun, 17 May 2009 17:30:00 +0530") References: <4A0B9CD1.50000@gnutls.org> <871vqrhltg.fsf@mocca.josefsson.org> Message-ID: <87r5ylazpz.fsf@mocca.josefsson.org> Ankush Vaid writes: > Hi Nikos/Simon > > I have implemented disable padding function, but after that it also got > failed, I guess reason of failure is something else. > > I am sending the log details of the failure. ... > C:\Program Files\GnuTLS-2.0.0\bin>gnutls-serv --http --port 7070 --debug > 10 --x5 > 09cafile cacert.pem --x509keyfile server-key.pem --x509certfile > server-cert.pem I don't see any --priority NORMAL:%COMPAT parameter here? Are you developing a GnuTLS client too? > |<4>| REC[ac33d8]: Received Packet[1] Alert(21) with length: 2 > |<7>| READ: Got 2 bytes from 20 > |<7>| READ: read 2 bytes from 20 > |<7>| 0000 - 02 28 > |<7>| RB: Have 5 bytes into buffer. Adding 2 bytes. > |<7>| RB: Requested 7 bytes > |<4>| REC[ac33d8]: Decrypted Packet[1] Alert(21) with length: 2 > |<4>| REC[ac33d8]: Alert[2|40] - Handshake failed - was received This means the client refused to handshake with the gnutls-serv instance. What kind of error message do you get on the client side? I think you need to debug the client side to understand what the problem is. Enable debug logging on that side too. /Simon From ametzler at downhill.at.eu.org Tue May 19 19:53:04 2009 From: ametzler at downhill.at.eu.org (Andreas Metzler) Date: Tue, 19 May 2009 19:53:04 +0200 Subject: GnuTLS 2.7.11 - release candidate 3 of GnuTLS 2.8.0 In-Reply-To: <87eium17sc.fsf@mocca.josefsson.org> References: <87eium17sc.fsf@mocca.josefsson.org> Message-ID: <20090519175304.GB4547@downhill.g.la> On 2009-05-18 Simon Josefsson wrote: > A few build problems has been fixed, but nothing critical has been > reported, so we are on track to release 2.8.0 within a week or so. > Please test this release as if it were the new stable release. [...] Hello, is it just me, or does the crq_key_id test take ages? It seems to need _huge_ amounts of entropy to successfully complete. Here on my local workstation it takes about 30 seconds (with constant intentional mouse movements, the fasted way to gather entropy) to complete. This patch works for me: -------------------------------------- --- gnutls-2.7.11.orig/tests/crq_key_id.c 2009-05-11 18:15:43.000000000 +0200 +++ gnutls-2.7.11/tests/crq_key_id.c 2009-05-19 19:44:58.000000000 +0200 @@ -55,6 +55,9 @@ int ret; + /* initialize gcrypt explicitely */ + gcry_check_version (NULL); + gcry_control (GCRYCTL_ENABLE_QUICK_RANDOM, 0); ret = gnutls_global_init (); -------------------------------------- cu andreas -- `What a good friend you are to him, Dr. Maturin. His other friends are so grateful to you.' `I sew his ears on from time to time, sure' From tgc at jupiterrise.com Tue May 19 22:12:13 2009 From: tgc at jupiterrise.com (Tom G. Christensen) Date: Tue, 19 May 2009 22:12:13 +0200 Subject: Buildreport for GnuTLS 2.7.11 Message-ID: <20090519201213.GA437@ares.tgcnet> The new release builds and passes all tests on Solaris 2.6. Unfortunately there's a few issues on IRIX 5.3 and 6.2. First is a problem with the 'struct sockaddr_storage' replacement in the gnulib sys_socket module: libtool: compile: gcc -DHAVE_CONFIG_H -I. -I.. -I./../gl -I./../gl -I./../includes -I./../includes -I./.. -I./../minitasn1 -I/usr/tgcware/include -g -O2 -MT common.lo -MD -MP -MF .deps/common.Tpo -c common.c -DPIC -o .libs/common.o In file included from ../gnutls_int.h:48, from common.c:25: ./../gl/sys/socket.h:61: error: expected specifier-qualifier-list before 'sa_family_t' make[4]: *** [common.lo] Error 1 The problem is that sa_family_t is not defined instead 'struct sockaddr' uses unsigned short for sa_family. I temporarily added a typedef to sys_socket.in.h to bypass this problem. The second problem is that these older IRIX releases lack vsnprintf (used in lib/gnutls_errors.c): 12000:/usr/people/tgc/buildpkg/gnutls/src/gnutls-2.7.11/src/.libs/certtool: rld: Error: unresolvable symbol in /usr/people/tgc/buildpkg/gnutls/src/gnutls-2.7.11/lib/.libs/libgnutls.so.27: vsnprintf 12000:/usr/people/tgc/buildpkg/gnutls/src/gnutls-2.7.11/src/.libs/certtool: rld: Fatal Error: this executable has unresolvable symbols Thirdly I see variations on this warning repeatedly: In file included from ../gnutls_int.h:29, from opencdk.h:30, from kbnode.c:31: ../config.h:357:1: warning: "SIZE_MAX" redefined In file included from ./../gl/stdlib.h:52, from kbnode.c:28: ./../gl/stdint.h:473:1: warning: this is the location of the previous definition My guess is that config.h is unconditionally defining SIZE_MAX after the definition in the stdint.h replacement has been activated. Perhaps config.h should not define SIZE_MAX but leave it to stdint.h? When linking libgnutls.so on IRIX 5.3 I also see this error from the linker: ld: ERROR 4: Conflicting flag setting: -exports_file I'm not familiar with how this ld option should be used but apparently libtool is doing it wrong. Also this option was not used on IRIX 6.2 which leads me to believe that some libtool test has guessed wrong. I know this is probably not something you can fix in gnutls but it's here for the record. Logs are here: http://jupiterrise.com/tmp Beware that the log for IRIX 6.2 is a bit messy since it contains a few restarts and whatnot. -tgc From simon at josefsson.org Wed May 20 08:03:51 2009 From: simon at josefsson.org (Simon Josefsson) Date: Wed, 20 May 2009 08:03:51 +0200 Subject: GnuTLS 2.7.11 - release candidate 3 of GnuTLS 2.8.0 In-Reply-To: <20090519175304.GB4547@downhill.g.la> (Andreas Metzler's message of "Tue, 19 May 2009 19:53:04 +0200") References: <87eium17sc.fsf@mocca.josefsson.org> <20090519175304.GB4547@downhill.g.la> Message-ID: <87bppo8g54.fsf@mocca.josefsson.org> Andreas Metzler writes: > On 2009-05-18 Simon Josefsson wrote: >> A few build problems has been fixed, but nothing critical has been >> reported, so we are on track to release 2.8.0 within a week or so. > >> Please test this release as if it were the new stable release. > [...] > > Hello, > > is it just me, or does the crq_key_id test take ages? It seems to need > _huge_ amounts of entropy to successfully complete. Here on my local > workstation it takes about 30 seconds (with constant intentional mouse > movements, the fasted way to gather entropy) to complete. > > This patch works for me: Thanks, the patch seems to be the right thing, and it has been pushed. The self-test generates RSA/DSA private keys, and the default is to use /dev/random for this. /Simon > -------------------------------------- > --- gnutls-2.7.11.orig/tests/crq_key_id.c 2009-05-11 18:15:43.000000000 +0200 > +++ gnutls-2.7.11/tests/crq_key_id.c 2009-05-19 19:44:58.000000000 +0200 > @@ -55,6 +55,9 @@ > > int ret; > > + /* initialize gcrypt explicitely */ > + gcry_check_version (NULL); > + > gcry_control (GCRYCTL_ENABLE_QUICK_RANDOM, 0); > > ret = gnutls_global_init (); > -------------------------------------- > cu andreas From simon at josefsson.org Wed May 20 09:08:25 2009 From: simon at josefsson.org (Simon Josefsson) Date: Wed, 20 May 2009 09:08:25 +0200 Subject: Buildreport for GnuTLS 2.7.11 In-Reply-To: <20090519201213.GA437@ares.tgcnet> (Tom G. Christensen's message of "Tue, 19 May 2009 22:12:13 +0200") References: <20090519201213.GA437@ares.tgcnet> Message-ID: <873ab0uu8m.fsf@mocca.josefsson.org> "Tom G. Christensen" writes: > The new release builds and passes all tests on Solaris 2.6. Great! > Unfortunately there's a few issues on IRIX 5.3 and 6.2. Ouch. > First is a problem with the 'struct sockaddr_storage' replacement in the > gnulib sys_socket module: > libtool: compile: gcc -DHAVE_CONFIG_H -I. -I.. -I./../gl -I./../gl > -I./../includes -I./../includes -I./.. -I./../minitasn1 > -I/usr/tgcware/include -g -O2 -MT common.lo -MD -MP -MF .deps/common.Tpo > -c common.c -DPIC -o .libs/common.o > In file included from ../gnutls_int.h:48, > from common.c:25: > ./../gl/sys/socket.h:61: error: expected > specifier-qualifier-list before 'sa_family_t' > make[4]: *** [common.lo] Error 1 > > The problem is that sa_family_t is not defined instead 'struct sockaddr' > uses unsigned short for sa_family. > I temporarily added a typedef to sys_socket.in.h to bypass this problem. Should be fixed in master now, please try a snapshot in a few hours. > The second problem is that these older IRIX releases lack vsnprintf > (used in lib/gnutls_errors.c): > 12000:/usr/people/tgc/buildpkg/gnutls/src/gnutls-2.7.11/src/.libs/certtool: > rld: Error: unresolvable symbol in > /usr/people/tgc/buildpkg/gnutls/src/gnutls-2.7.11/lib/.libs/libgnutls.so.27: > vsnprintf > 12000:/usr/people/tgc/buildpkg/gnutls/src/gnutls-2.7.11/src/.libs/certtool: > rld: Fatal Error: this executable has unresolvable symbols Should be fixed as well, by adding the 'vsnprintf' module. > Thirdly I see variations on this warning repeatedly: > In file included from ../gnutls_int.h:29, > from opencdk.h:30, > from kbnode.c:31: > ../config.h:357:1: warning: "SIZE_MAX" redefined > In file included from ./../gl/stdlib.h:52, > from kbnode.c:28: > ./../gl/stdint.h:473:1: warning: this is the location of the previous definition > > My guess is that config.h is unconditionally defining SIZE_MAX after the > definition in the stdint.h replacement has been activated. > Perhaps config.h should not define SIZE_MAX but leave it to stdint.h? I agree. I've brought it up on the gnulib list. > When linking libgnutls.so on IRIX 5.3 I also see this error from the > linker: > ld: ERROR 4: Conflicting flag setting: -exports_file > > I'm not familiar with how this ld option should be used but apparently > libtool is doing it wrong. Also this option was not used on IRIX 6.2 > which leads me to believe that some libtool test has guessed wrong. > I know this is probably not something you can fix in gnutls but it's here > for the record. Thanks for information. It seems like a libtool problem, so it would be useful to report it as such. There is some discussion about exported_symbol and exports_file in libtool.m4. > Logs are here: > http://jupiterrise.com/tmp Thanks, Simon From simon at josefsson.org Wed May 20 12:12:53 2009 From: simon at josefsson.org (Simon Josefsson) Date: Wed, 20 May 2009 12:12:53 +0200 Subject: Libtasn2 2.2 Message-ID: <873ab0hyl6.fsf@mocca.josefsson.org> Libtasn1 is a standalone library written in C for manipulating ASN.1 objects including DER/BER encoding and DER/BER decoding. Libtasn1 is used by GnuTLS to manipulate X.509 objects and by Shishi to handle Kerberos V5 packets. Version 2.2 (released 2009-05-20) - Change how the ASN1_API decorator is used in libtasn1.h, for GTK-DOC. - Changed license of libtasn1.pc from GPLv3+ to LGPLv2.1+. Reported by Jeff Cai . - Building with many warning flags now requires --enable-gcc-warnings. - Some warnings fixed. Commercial support contracts for Libtasn1 are available, and they help finance continued maintenance. Simon Josefsson Datakonsult AB, a Stockholm based privately held company, is currently funding Libtasn1 maintenance. We are always looking for interesting development projects. See http://josefsson.org/ for more details. If you need help to use Libtasn1, or want to help others, you are invited to join the help-gnutls mailing list, see: . Homepage: http://josefsson.org/libtasn1/ Here are the compressed sources (1.6MB): ftp://ftp.gnu.org/gnu/gnutls/libtasn1-2.2.tar.gz http://ftp.gnu.org/gnu/gnutls/libtasn1-2.2.tar.gz Here are GPG detached signatures using key 0xB565716F: ftp://ftp.gnu.org/gnu/gnutls/libtasn1-2.2.tar.gz.sig http://ftp.gnu.org/gnu/gnutls/libtasn1-2.2.tar.gz.sig A ZIP archive containing the Windows binaries (284KB): http://josefsson.org/gnutls4win/libtasn1-2.2.zip http://josefsson.org/gnutls4win/libtasn1-2.2.zip.sig A Debian mingw32 package is also available (256KB): http://josefsson.org/gnutls4win/mingw32-libtasn1_2.2-1_all.deb The software is cryptographically signed by the author using an OpenPGP key identified by the following information: pub 1280R/B565716F 2002-05-05 [expires: 2010-04-21] Key fingerprint = 0424 D4EE 81A0 E3D1 19C6 F835 EDA2 1E94 B565 716F uid Simon Josefsson uid Simon Josefsson sub 1280R/4D5D40AE 2002-05-05 [expires: 2010-04-21] The key is available from: http://josefsson.org/key.txt dns:b565716f.josefsson.org?TYPE=CERT Here are the SHA-1 and SHA-224 checksums: d6e0d449cf2da04c93f498d2cf4415f572611b46 libtasn1-2.2.tar.gz 312f9db820bab1203032215c99f44c038381c940952e92cafef23aca libtasn1-2.2.tar.gz fb176e35da39d8c767aa881512dc07aac35b7d35 libtasn1-2.2.zip a30bbdbca8bd4efffbd43b1d1bfcde4b3c891080e4010fafe66f061f libtasn1-2.2.zip b73cee7d754fec2451b208bb17a383da95b4b1b0 mingw32-libtasn1_2.2-1_all.deb 2ea355177983beb522423b983c4105e933ede1822e05130352b18a75 mingw32-libtasn1_2.2-1_all.deb Happy hacking, Simon -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 419 bytes Desc: not available URL: From simon at josefsson.org Wed May 20 13:15:23 2009 From: simon at josefsson.org (Simon Josefsson) Date: Wed, 20 May 2009 13:15:23 +0200 Subject: GnuTLS 2.7.12 - release candidate 4 of GnuTLS 2.8.0 Message-ID: <87r5ykgh4k.fsf@mocca.josefsson.org> This makes gnutls-serv and gnutls-cli-debug work on Windows, and fixes some other minor things. We are on track to release this as 2.8.0 within a week or so. I'll be away on vacation in Budapest until Monday, so don't expect any quick replies. Use the time to test the RC! :) Please test this release as if it were the new stable release! Here are the compressed sources: http://alpha.gnu.org/gnu/gnutls/gnutls-2.7.12.tar.bz2 (6.0MB) ftp://alpha.gnu.org/gnu/gnutls/gnutls-2.7.12.tar.bz2 Here is the OpenPGP signature: http://alpha.gnu.org/gnu/gnutls/gnutls-2.7.12.tar.bz2.sig ftp://alpha.gnu.org/gnu/gnutls/gnutls-2.7.12.tar.bz2.sig The Windows binary installer and PGP signature: http://josefsson.org/gnutls4win/gnutls-2.7.12.exe (15MB) http://josefsson.org/gnutls4win/gnutls-2.7.12.exe.sig A ZIP archive containing the Windows binaries: http://josefsson.org/gnutls4win/gnutls-2.7.12.zip (5.3MB) http://josefsson.org/gnutls4win/gnutls-2.7.12.zip.sig A Debian mingw32 package is also available: http://josefsson.org/gnutls4win/mingw32-gnutls_2.7.12-1_all.deb (4.8MB) Improving GnuTLS is costly, but you can help! We are looking for organizations that find GnuTLS useful and wish to contribute back. You can contribute by reporting bugs, improve the software, or donate money or equipment. Commercial support contracts for GnuTLS are available, and they help finance continued maintenance. Simon Josefsson Datakonsult AB, a Stockholm based privately held company, is currently funding GnuTLS maintenance. We are always looking for interesting development projects. See http://josefsson.org/ for more details. /Simon * Version 2.7.12 (released 2009-05-20) ** gnutls-serv, gnutls-cli-debug: Make them work on Windows. ** tests/crq_key_id: Don't read entropy from /dev/random in self-test. Reported by Andreas Metzler in . ** Fix build failures. Missing sa_family_t and vsnprintf on IRIX. Reported by "Tom G. Christensen" in . ** minitasn1: Internal copy updated to libtasn1 v2.2. GnuTLS should work fine with libtasn1 v1.x and that is still supported. ** API and ABI modifications: No changes since last version. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 419 bytes Desc: not available URL: From ametzler at downhill.at.eu.org Wed May 20 21:28:51 2009 From: ametzler at downhill.at.eu.org (Andreas Metzler) Date: Wed, 20 May 2009 21:28:51 +0200 Subject: Enhanced symbol versioning in 2.7.x Message-ID: <20090520192851.GA4298@downhill.g.la> Hello, with 2.7.x you seem to have started to use a different symbol versioning for newly added symbols (since 2.6.x). Well, at least that is my understanding. ;-) I am not sure abut the point, is this for RedHats automatically versioned library dependencies? Anyway, I think this patch should be applied, gnutls_x509_crq_set_key is already present in 2.6.6, versioning it @GNUTLS_2_8 would break the ABI, afaik. --- libgnutls.map.orig 2009-05-20 20:53:15.000000000 +0200 +++ libgnutls.map 2009-05-20 20:54:14.000000000 +0200 @@ -414,6 +414,7 @@ gnutls_x509_crq_set_basic_constraints; gnutls_x509_crq_set_challenge_password; gnutls_x509_crq_set_dn_by_oid; + gnutls_x509_crq_set_key; gnutls_x509_crq_set_key_rsa_raw; gnutls_x509_crq_set_key_usage; gnutls_x509_crq_set_version; @@ -564,7 +565,6 @@ gnutls_x509_crq_get_subject_alt_othername_oid; gnutls_x509_crq_get_extension_by_oid; gnutls_x509_crq_set_subject_alt_name; - gnutls_x509_crq_set_key; gnutls_x509_crq_get_key_purpose_oid; gnutls_x509_crq_set_key_purpose_oid; gnutls_x509_crq_print; I assume that if there was a soname bump we would change from -------------- GNUTLS_1_4 { ... }; GNUTLS_2_8 { ... } GNUTLS_1_4; GNUTLS_PRIVATE { }; -------------- to -------------- GNUTLS_2_10 { [symbols listed previously in GNUTLS_1_4 or GNUTLS_2_8 go here] }; GNUTLS_PRIVATE_2_10 { [symbols listed previously in GNUTLS_PRIVATE go here] }; -------------- Am I correct? cu andreas -- `What a good friend you are to him, Dr. Maturin. His other friends are so grateful to you.' `I sew his ears on from time to time, sure' From tgc at jupiterrise.com Wed May 20 23:27:25 2009 From: tgc at jupiterrise.com (Tom G. Christensen) Date: Wed, 20 May 2009 23:27:25 +0200 Subject: Buildreport for GnuTLS 2.7.11 In-Reply-To: <873ab0uu8m.fsf@mocca.josefsson.org> References: <20090519201213.GA437@ares.tgcnet> <873ab0uu8m.fsf@mocca.josefsson.org> Message-ID: <20090520212725.GA15931@ares.tgcnet> On Wed, May 20, 2009 at 09:08:25AM +0200, Simon Josefsson wrote: > "Tom G. Christensen" writes: Latest snapshot builds and passes the testsuite on IRIX 6.2 and I assume IRIX 5.3 if can I figure out the libtool problem. -tgc From ametzler at downhill.at.eu.org Thu May 21 11:17:46 2009 From: ametzler at downhill.at.eu.org (Andreas Metzler) Date: Thu, 21 May 2009 11:17:46 +0200 Subject: Enhanced symbol versioning in 2.7.x In-Reply-To: <20090520192851.GA4298@downhill.g.la> References: <20090520192851.GA4298@downhill.g.la> Message-ID: <20090521091746.GB3443@downhill.g.la> On 2009-05-20 Andreas Metzler wrote: > with 2.7.x you seem to have started to use a different symbol > versioning for newly added symbols (since 2.6.x). Well, at least that > is my understanding. ;-) I am not sure abut the point, is this for > RedHats automatically versioned library dependencies? > Anyway, I think this patch should be applied, > gnutls_x509_crq_set_key is already present in 2.6.6, versioning it > @GNUTLS_2_8 would break the ABI, afaik. [...] On a sidenote gnutls_x509_crq_set_basic_constraints and gnutls_x509_crq_set_key_usage are new in 2.7.x. If my understanding were correct they should be versioned @GNUTLS_2_8 instead of @GNUTLS_1_4. cu andreas -- `What a good friend you are to him, Dr. Maturin. His other friends are so grateful to you.' `I sew his ears on from time to time, sure' From ankush.vaid at tcs.com Wed May 20 06:43:17 2009 From: ankush.vaid at tcs.com (Ankush Vaid) Date: Wed, 20 May 2009 10:13:17 +0530 Subject: About gnutls windows handshake problem In-Reply-To: <87r5ylazpz.fsf@mocca.josefsson.org> References: <4A0B9CD1.50000@gnutls.org> <871vqrhltg.fsf@mocca.josefsson.org> <87r5ylazpz.fsf@mocca.josefsson.org> Message-ID: Hi Simon, Thanks for the info. I am developing gnutls client. I have used gnutls_record_disable_padding function to disbale padding and log I have sent to you. later I have used gnutls_priority_set_direct(session, "NORMAL:%COMPAT", NULL); function but got the same result. I will debug client side (UE) by using some diagnostic tool and come back to you with useful information. Regards Ankush Vaid Simon Josefsson 05/19/2009 08:48 PM To Ankush Vaid cc Gnutls-dev at gnupg.org Subject Re: About gnutls windows handshake problem Ankush Vaid writes: > Hi Nikos/Simon > > I have implemented disable padding function, but after that it also got > failed, I guess reason of failure is something else. > > I am sending the log details of the failure. ... > C:\Program Files\GnuTLS-2.0.0\bin>gnutls-serv --http --port 7070 --debug > 10 --x5 > 09cafile cacert.pem --x509keyfile server-key.pem --x509certfile > server-cert.pem I don't see any --priority NORMAL:%COMPAT parameter here? Are you developing a GnI am > |<4>| REC[ac33d8]: Received Packet[1] Alert(21) with length: 2 > |<7>| READ: Got 2 bytes from 20 > |<7>| READ: read 2 bytes from 20 > |<7>| 0000 - 02 28 > |<7>| RB: Have 5 bytes into buffer. Adding 2 bytes. > |<7>| RB: Requested 7 bytes > |<4>| REC[ac33d8]: Decrypted Packet[1] Alert(21) with length: 2 > |<4>| REC[ac33d8]: Alert[2|40] - Handshake failed - was received This means the client refused to handshake with the gnutls-serv instance. What kind of error message do you get on the client side? I think you need to debug the client side to understand what the problem is. Enable debug logging on that side too. /Simon ForwardSourceID:NT0000424E =====-----=====-----===== Notice: The information contained in this e-mail message and/or attachments to it may contain confidential or privileged information. If you are not the intended recipient, any dissemination, use, review, distribution, printing or copying of the information contained in this e-mail message and/or attachments to it are strictly prohibited. If you have received this communication in error, please notify us by reply e-mail or telephone and immediately and permanently delete the message and any attachments. Thank you -------------- next part -------------- An HTML attachment was scrubbed... URL: From ametzler at downhill.at.eu.org Sat May 23 13:50:37 2009 From: ametzler at downhill.at.eu.org (Andreas Metzler) Date: Sat, 23 May 2009 13:50:37 +0200 Subject: 2.7.12 test suite error on chainverify Message-ID: <20090523115037.GJ3498@downhill.g.la> Hello, The chainverify test does not complete successfully anymore. This is rather strange, it worked two days ago (on the 21st). Strange data points: * This is not limited to my local system. * Neither build-depencies nor toolchain (gcc, g++, binutils) nor kernel has changed. * I still had the build tree of 2.7.11 including all binaries from 2009-05-19. If I run this old chainverify binary I still get the error. * It fails both on up to date Debian sid and Debian lenny. The only thing I can think of that has changed for sure is the date. Hmm. Is this the cause? Chain 'v1ca ok' (15)... Adding certificate 0...done Certificate 0: subject `C=US,ST=Illinois,L=Du Page,O=Argonne National Laboratory,CN=auth2.it.anl.gov', issuer `C=US,O=VeriSign\, Inc.,OU=VeriSign Trust Network,OU=Terms of use at https://www.verisign.com/rpa (c)05,CN=VeriSign Class 3 Secure Server CA', RSA key 1024 bits, signed using RSA-SHA, activated `2008-05-05 00:00:00 UTC', expires `2009-05-22 23:59:59 UTC', SHA-1 fingerprint ^^^^^^^^^^^^^^^^^^^^^^^^^^^^ cu andreas -- `What a good friend you are to him, Dr. Maturin. His other friends are so grateful to you.' `I sew his ears on from time to time, sure' -------------- next part -------------- A non-text attachment was scrubbed... Name: success.gz Type: application/octet-stream Size: 2908 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: error.gz Type: application/octet-stream Size: 2925 bytes Desc: not available URL: From dg at ulysium.net Sat May 23 22:01:39 2009 From: dg at ulysium.net (Didier Godefroy) Date: Sat, 23 May 2009 22:01:39 +0200 Subject: libtasn1 compile issue in ANS1.c Message-ID: Hello, Trying to compile the stand alone libtans1 on a tru64 5.1b system. I get errors in lib/ASN1.c on the TRUE and FALSE enumerators: source='ASN1.c' object='ASN1.lo' libtool=yes \ DEPDIR=.deps depmode=tru64 /bin/bash ../build-aux/depcomp \ /bin/bash ../libtool --tag=CC --mode=compile cc -DHAVE_CONFIG_H -I. -I.. -I./gllib -DASN1_BUILDING -pthread -I/usr/local/include -O4 -g3 -w -c -o ASN1.lo ASN1.c libtool: compile: cc -DHAVE_CONFIG_H -I. -I.. -I./gllib -DASN1_BUILDING -pthread -I/usr/local/include -O4 -g3 -w -c -MD ASN1.c -DPIC -o .libs/ASN1.o cc: Error: ASN1.c, line 153: Invalid enumerator. (badenum) TRUE = 277, -----^ cc: Error: ASN1.c, line 154: Invalid enumerator. (badenum) FALSE = 278, -----^ They look to me to be the same as all the others, but only TRUE and FALSE are causing the error. I haven't found any hints on possible fixes and the latest daily snapshot doesn't fix that either. I'm using the tru64 native compiler and I only use the configure flags as follows: --prefix=/usr/local --enable-gtk-doc-html=no I'm not a C programmer and I couldn't find a fix for this... Thanks, -- Didier Godefroy mailto:dg at ulysium.net Support anti-Spam legislation. Join the fight http://www.cauce.org/ From trixter at 0xdecafbad.com Sun May 24 12:47:57 2009 From: trixter at 0xdecafbad.com (Trixter aka Bret McDanel) Date: Sun, 24 May 2009 03:47:57 -0700 Subject: tls iwthout sockets Message-ID: <1243162077.6071.263.camel@trixeee> I have a quirky app that while connection based is not tcp based. I am looking for some way to use tls (or something comparable in terms of peer review, security, etc) for authentication of both ends of the connection. Is there an example of how to use gnutls without it managing the socket? Is there something better than TLS for authentication (may be anonymous or certificate based) given the fact that it wont be over a tcp link? Thanks -- Trixter http://www.0xdecafbad.com Bret McDanel pgp key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x8AE5C721 From nmav at gnutls.org Sun May 24 19:41:11 2009 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Sun, 24 May 2009 20:41:11 +0300 Subject: libtasn1 compile issue in ANS1.c In-Reply-To: References: Message-ID: <4A1986B7.7090908@gnutls.org> Didier Godefroy wrote: > Hello, > > Trying to compile the stand alone libtans1 on a tru64 5.1b system. > I get errors in lib/ASN1.c on the TRUE and FALSE enumerators: > > source='ASN1.c' object='ASN1.lo' libtool=yes \ > DEPDIR=.deps depmode=tru64 /bin/bash ../build-aux/depcomp \ > /bin/bash ../libtool --tag=CC --mode=compile cc -DHAVE_CONFIG_H -I. > -I.. -I./gllib -DASN1_BUILDING -pthread -I/usr/local/include -O4 -g3 -w > -c -o ASN1.lo ASN1.c > libtool: compile: cc -DHAVE_CONFIG_H -I. -I.. -I./gllib -DASN1_BUILDING > -pthread -I/usr/local/include -O4 -g3 -w -c -MD ASN1.c -DPIC -o > .libs/ASN1.o > cc: Error: ASN1.c, line 153: Invalid enumerator. (badenum) > TRUE = 277, > -----^ > cc: Error: ASN1.c, line 154: Invalid enumerator. (badenum) > FALSE = 278, > -----^ > > They look to me to be the same as all the others, but only TRUE and FALSE > are causing the error. > I haven't found any hints on possible fixes and the latest daily snapshot > doesn't fix that either. maybe TRUE and FALSE are reserved in this compiler. If you replace them with ASN1_TRUE and ASN1_FALSE the compiler complains? regards, Nikos From nmav at gnutls.org Sun May 24 19:43:38 2009 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Sun, 24 May 2009 20:43:38 +0300 Subject: tls iwthout sockets In-Reply-To: <1243162077.6071.263.camel@trixeee> References: <1243162077.6071.263.camel@trixeee> Message-ID: <4A19874A.4090100@gnutls.org> Trixter aka Bret McDanel wrote: > I have a quirky app that while connection based is not tcp based. I am > looking for some way to use tls (or something comparable in terms of > peer review, security, etc) for authentication of both ends of the > connection. > > Is there an example of how to use gnutls without it managing the socket? Yes, you can set hooks to replace the push and pull functions. Check gnutls_transport_set_push_function and gnutls_transport_set_pull_function. As long as the underlying layer is reliable it would work. > Is there something better than TLS for authentication (may be anonymous > or certificate based) given the fact that it wont be over a tcp link? TLS is not for TCP connections only. Anyway if it is not for a reliable transport you should check DTLS as well (not implemented in gnutls). regards, Nikos From simon at josefsson.org Mon May 25 10:07:55 2009 From: simon at josefsson.org (Simon Josefsson) Date: Mon, 25 May 2009 10:07:55 +0200 Subject: tls iwthout sockets In-Reply-To: <1243162077.6071.263.camel@trixeee> (Trixter aka Bret McDanel's message of "Sun, 24 May 2009 03:47:57 -0700") References: <1243162077.6071.263.camel@trixeee> Message-ID: <871vqdbo6c.fsf@mocca.josefsson.org> Trixter aka Bret McDanel writes: > I have a quirky app that while connection based is not tcp based. I am > looking for some way to use tls (or something comparable in terms of > peer review, security, etc) for authentication of both ends of the > connection. > > Is there an example of how to use gnutls without it managing the socket? Nikos answered, but I just wanted to add that you can see the mini.c for an example how to write a GnuTLS application with both client and server code in it without any sockets: http://git.savannah.gnu.org/cgit/gnutls.git/tree/tests/mini.c > Is there something better than TLS for authentication (may be anonymous > or certificate based) given the fact that it wont be over a tcp link? There is IPSEC but it seems TLS is better here. You could also consider stored security formats like OpenPGP or S/MIME. /Simon From simon at josefsson.org Mon May 25 10:11:10 2009 From: simon at josefsson.org (Simon Josefsson) Date: Mon, 25 May 2009 10:11:10 +0200 Subject: About gnutls windows handshake problem In-Reply-To: (Ankush Vaid's message of "Wed, 20 May 2009 10:13:17 +0530") References: <4A0B9CD1.50000@gnutls.org> <871vqrhltg.fsf@mocca.josefsson.org> <87r5ylazpz.fsf@mocca.josefsson.org> Message-ID: <87ws85a9gh.fsf@mocca.josefsson.org> Ankush Vaid writes: > Hi Simon, > > Thanks for the info. > > I am developing gnutls client. > > I have used gnutls_record_disable_padding function to disbale padding and > log I have sent to you. later I have used > gnutls_priority_set_direct(session, "NORMAL:%COMPAT", NULL); function but > got the same result. There must be some other problem. You only need to disable MAC padding when talking to buggy TLS implementations (e.g., Symbian's). When both the client and server uses GnuTLS, it is never needed. > I will debug client side (UE) by using some diagnostic tool and come back > to you with useful information. Thanks. /Simon From simon at josefsson.org Mon May 25 10:05:27 2009 From: simon at josefsson.org (Simon Josefsson) Date: Mon, 25 May 2009 10:05:27 +0200 Subject: 2.7.12 test suite error on chainverify In-Reply-To: <20090523115037.GJ3498@downhill.g.la> (Andreas Metzler's message of "Sat, 23 May 2009 13:50:37 +0200") References: <20090523115037.GJ3498@downhill.g.la> Message-ID: <8763fpboag.fsf@mocca.josefsson.org> Andreas Metzler writes: > Hello, > > The chainverify test does not complete successfully anymore. > > This is rather strange, it worked two days ago (on the 21st). > > Strange data points: > * This is not limited to my local system. > * Neither build-depencies nor toolchain (gcc, g++, binutils) nor > kernel has changed. > * I still had the build tree of 2.7.11 including all binaries from > 2009-05-19. If I run this old chainverify binary I still get the > error. > * It fails both on up to date Debian sid and Debian lenny. > > The only thing I can think of that has changed for sure is the date. > Hmm. Is this the cause? > > Chain 'v1ca ok' (15)... > Adding certificate 0...done > Certificate 0: subject `C=US,ST=Illinois,L=Du Page,O=Argonne > National Laboratory,CN=auth2.it.anl.gov', issuer `C=US,O=VeriSign\, > Inc.,OU=VeriSign Trust Network,OU=Terms of use at > https://www.verisign.com/rpa (c)05,CN=VeriSign Class 3 Secure Server > CA', RSA key 1024 bits, signed using RSA-SHA, activated `2008-05-05 > 00:00:00 UTC', expires `2009-05-22 23:59:59 UTC', SHA-1 fingerprint > ^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Indeed, that certificate just expired. I have split the test into two, one that should fail due to an expired certificate, and one with a flag to disable activation time checks that should succeed. There was another similar one too. Thanks, /Simon From simon at josefsson.org Mon May 25 10:27:25 2009 From: simon at josefsson.org (Simon Josefsson) Date: Mon, 25 May 2009 10:27:25 +0200 Subject: Enhanced symbol versioning in 2.7.x In-Reply-To: <20090520192851.GA4298@downhill.g.la> (Andreas Metzler's message of "Wed, 20 May 2009 21:28:51 +0200") References: <20090520192851.GA4298@downhill.g.la> Message-ID: <87skita8pe.fsf@mocca.josefsson.org> Andreas Metzler writes: > Hello, > > with 2.7.x you seem to have started to use a different symbol > versioning for newly added symbols (since 2.6.x). Well, at least that > is my understanding. ;-) I am not sure abut the point, is this for > RedHats automatically versioned library dependencies? It helps to track ABI versioning, and can be useful even in Debian: http://wiki.debian.org/Projects/ImprovedDpkgShlibdeps > Anyway, I think this patch should be applied, > gnutls_x509_crq_set_key is already present in 2.6.6, versioning it > @GNUTLS_2_8 would break the ABI, afaik. Thanks! I'm going to build the latest gnutls 2.6.x release and compare the exported symbols with what's in the file now, it would be bad if mistakes like this made it into the 2.8.0 release. > I assume that if there was a soname bump we would change from > -------------- > GNUTLS_1_4 > { > ... > }; > > GNUTLS_2_8 > { > ... > } GNUTLS_1_4; > > GNUTLS_PRIVATE { > }; > -------------- > > to > > -------------- > GNUTLS_2_10 > { > [symbols listed previously in GNUTLS_1_4 or GNUTLS_2_8 go here] > }; > > > GNUTLS_PRIVATE_2_10 { > [symbols listed previously in GNUTLS_PRIVATE go here] > }; > -------------- > Am I correct? That's not required, but I don't see how it would hurt from a technical point of view. I don't see any advantage in that, though, because having the old version names even in the new soname bump can be informative. On the other hand, the current name GNUTLS_1_4 is confusing because even symbols added up until GnuTLS 2.6 is included under that label. So if we do a soname bump at some point maybe we could rename GNUTLS_1_4 to GNUTLS_LEGACY or similar. But it doesn't really matter, since the symbol names are only for human interpretation. > On a sidenote gnutls_x509_crq_set_basic_constraints and > gnutls_x509_crq_set_key_usage are new in 2.7.x. If my understanding > were correct they should be versioned @GNUTLS_2_8 instead of > @GNUTLS_1_4. Also fixed. Thanks. /Simon From simon at josefsson.org Mon May 25 12:00:42 2009 From: simon at josefsson.org (Simon Josefsson) Date: Mon, 25 May 2009 12:00:42 +0200 Subject: draft release announcement text In-Reply-To: <87ab5fhqjo.fsf@mocca.josefsson.org> (Simon Josefsson's message of "Thu, 14 May 2009 13:28:27 +0200") References: <87ab5fhqjo.fsf@mocca.josefsson.org> Message-ID: <87skit8pth.fsf@mocca.josefsson.org> Updated release notes below, in particular the API/ABI section has been improved. /Simon We are proud to announce a new stable GnuTLS release: Version 2.8.0. GnuTLS is a modern C library that implements the standard network security protocol Transport Layer Security (TLS), for use by network applications. GnuTLS is developed for GNU/Linux, but works on many Unix-like systems and comes with a binary installer for Windows. The GnuTLS library is distributed under the terms of the GNU Lesser General Public License version 2.1 (or later). The "extra" GnuTLS library (which contains TLS/IA support, LZO compression and Libgcrypt FIPS-mode handler), the OpenSSL compatibility library, the self tests and the command line tools are all distributed under the GNU General Public License version 3.0 (or later). The manual is distributed under the GNU Free Documentation License version 1.3 (or later). The project page of the library is available at: http://www.gnu.org/software/gnutls/ What's New ========== Version 2.8.0 is the first stable release on the 2.8.x branch and is the result of 7 months of work on the experimental 2.7.x branch. ** lib: Linker version scripts reduces number of exported symbols. The linker version script now lists all exported ABIs explicitly, to avoid accidentally exporting unintended functions. Compared to before, most symbols beginning with _gnutls* are no longer exported. These functions have never been intended for use by applications, and there were no prototypes for these function in the public header files. Thus we believe it is possible to do this without incrementing the library ABI version which normally has to be done when removing an interface. ** lib: Limit exported symbols on systems without LD linker scripts. Before all symbols were exported. Now we limit the exported symbols to (for libgnutls and libgnutls-extra) gnutls* and (for libgnutls) _gnutls*. This is a superset of the actual supported ABI, but still an improvement compared to before. This is implemented using Libtool -export-symbols-regex. It is more portable than linker version scripts. ** libgnutls: Fix namespace issue with version symbols. The symbols LIBGNUTLS_VERSION, LIBGNUTLS_VERSION_MAJOR, LIBGNUTLS_VERSION_MINOR, LIBGNUTLS_VERSION_PATCH, and LIBGNUTLS_VERSION_NUMBER were renamed to GNUTLS_VERSION_NUMBER, GNUTLS_VERSION_MAJOR, GNUTLS_VERSION_MINOR, GNUTLS_VERSION_PATCH, and GNUTLS_VERSION_NUMBER respectively. The old symbols will continue to work but are deprecated. ** libgnutls: Add functions to verify a hash against a certificate. gnutls_x509_crt_verify_hash: ADDED gnutls_x509_crt_get_verify_algorithm: ADDED ** gnutls-serv: Listen on all interfaces, including both IPv4 and IPv6. ** i18n: The GnuTLS gettext domain is now 'libgnutls' instead of 'gnutls'. It is currently only used by the core library. This will enable a new domain 'gnutls' for translations of the command line tools. ** certtool: Query for multiple dnsName subjectAltName in interactive mode. This applies both to generating certificates and certificate requests. ** gnutls-cli: No longer accepts V1 CAs by default during X.509 chain verify. Use --priority NORMAL:%VERIFY_ALLOW_X509_V1_CA_CRT to permit V1 CAs to be used for chain verification. ** gnutls-serv: No longer disable MAC padding by default. Use --priority NORMAL:%COMPAT to disable MAC padding again. ** gnutls-cli: Certificate information output format changed. The tool now uses libgnutls' functions to print certificate information. This avoids code duplication. ** libgnutls: New priority strings %VERIFY_ALLOW_SIGN_RSA_MD5 ** and %VERIFY_ALLOW_X509_V1_CA_CRT. They can be used to override the default certificate chain validation behaviour. ** libgnutls: gnutls_x509_crt_print prints signature algorithm in oneline mode. ** libgnutls: gnutls_openpgp_crt_print supports oneline mode. ** libgnutls: gnutls_handshake when sending client hello during a rehandshake, will not offer a version number larger than the current. ** libgnutls: New interface to get key id for certificate requests. gnutls_x509_crq_get_key_id: ADDED. ** libgnutls: gnutls_x509_crq_print will now also print public key id. ** certtool: --verify-chain now prints results of using library verification. Earlier, certtool --verify-chain used its own validation algorithm which wasn't guaranteed to give the same result as the libgnutls internal validation algorithm. Now this command print a new final line with header 'Chain verification output:' that contains the result from using the internal verification algorithm on the same chain. ** libgnutls: Libgcrypt initialization changed. If libgcrypt has not already been initialized, GnuTLS will now initialize libgcrypt with disabled secure memory. Initialize libgcrypt explicitly in your application if you want to enable secure memory. Before GnuTLS initialized libgcrypt to use GnuTLS's memory allocation functions, which doesn't use secure memory, so there is no real change in behaviour. ** libgnutls: Small byte reads via gnutls_record_recv() optimized. ** gnutls-cli: Return non-zero exit code on error conditions. ** gnutls-cli: Corrected bug which caused a rehandshake request to be ignored. ** certtool: allow setting arbitrary key purpose object identifiers. ** libgnutls: Change detection of when to use a linker version script. Use --enable-ld-version-script or --disable-ld-version-script to override auto-detection logic. ** Fix warnings and build GnuTLS with more warnings enabled. ** New API to set X.509 credentials from PKCS#12 memory structure. gnutls_certificate_set_x509_simple_pkcs12_mem: ADDED ** Old libgnutls.m4 and libgnutls-config scripts removed. Please use pkg-config instead. ** libgnutls: Added functions to handle CRL extensions. gnutls_x509_crl_get_authority_key_id: ADDED gnutls_x509_crl_get_number: ADDED gnutls_x509_crl_get_extension_oid: ADDED gnutls_x509_crl_get_extension_info: ADDED gnutls_x509_crl_get_extension_data: ADDED gnutls_x509_crl_set_authority_key_id: ADDED gnutls_x509_crl_set_number: ADDED ** libgnutls: Added functions to handle X.509 extensions in Certificate Requests. gnutls_x509_crq_get_key_rsa_raw: ADDED gnutls_x509_crq_get_attribute_info: ADDED gnutls_x509_crq_get_attribute_data: ADDED gnutls_x509_crq_get_extension_info: ADDED gnutls_x509_crq_get_extension_data: ADDED gnutls_x509_crq_get_key_usage: ADDED gnutls_x509_crq_get_basic_constraints: ADDED gnutls_x509_crq_get_subject_alt_name: ADDED gnutls_x509_crq_get_subject_alt_othername_oid: ADDED gnutls_x509_crq_get_extension_by_oid: ADDED gnutls_x509_crq_set_subject_alt_name: ADDED gnutls_x509_crq_set_basic_constraints: ADDED gnutls_x509_crq_set_key_usage: ADDED gnutls_x509_crq_get_key_purpose_oid: ADDED gnutls_x509_crq_set_key_purpose_oid: ADDED gnutls_x509_crq_print: ADDED gnutls_x509_crt_set_crq_extensions: ADDED ** certtool: Print and set CRL and CRQ extensions. ** minitasn1: Internal copy updated to libtasn1 v2.1. GnuTLS should work fine with libtasn1 v1.x and that is still supported. ** examples: Now released into the public domain. This makes the license of the example code compatible with more licenses, including the (L)GPL. ** The Texinfo and GTK-DOC manuals were improved. ** Several self-tests were added and others improved. API/ABI changes in GnuTLS 2.8 ============================= No offically supported interfaces have been modified or removed. The library should be completely backwards compatible on both the source and binary level. The shared library no longer exports some symbols that have never been officially supported, i.e., not mentioned in any of the header files. The symbols are: _gnutls* gnutls_asn1_tab Normally when symbols are removed, the shared library version has to be incremented. This leads to a significant cost for everyone using the library. Because none of the above symbols have ever been intended for use by well-behaved applications, we decided that the it would be better for those applications to pay the price rather than incurring problems on the majority of applications. If it turns out that applications have been using unofficial interfaces, we will need to release a follow-on release on the v2.8 branch to exports additional interfaces. However, initial testing suggests that few if any applications have been using any of the internal symbols. Although not a new change compared to 2.6.x, we'd like to remind you interfaces have been modified so that X.509 chain verification now also checks activation/expiration times on certificates. The affected functions are: gnutls_x509_crt_list_verify: CHANGED, checks activation/expiration times. gnutls_certificate_verify_peers: Likewise. gnutls_certificate_verify_peers2: Likewise. GNUTLS_CERT_NOT_ACTIVATED: ADDED. GNUTLS_CERT_EXPIRED: ADDED. GNUTLS_VERIFY_DISABLE_TIME_CHECKS: ADDED. This change in behaviour was made during the GnuTLS 2.6.x cycle, and we gave our rationale for it in earlier release notes. The following symbols have been added to the library: gnutls_certificate_set_x509_simple_pkcs12_mem: ADDED gnutls_x509_crl_get_authority_key_id: ADDED gnutls_x509_crl_get_extension_data: ADDED gnutls_x509_crl_get_extension_info: ADDED gnutls_x509_crl_get_extension_oid: ADDED gnutls_x509_crl_get_number: ADDED gnutls_x509_crl_set_authority_key_id: ADDED gnutls_x509_crl_set_number: ADDED gnutls_x509_crq_get_attribute_data: ADDED gnutls_x509_crq_get_attribute_info: ADDED gnutls_x509_crq_get_basic_constraints: ADDED gnutls_x509_crq_get_extension_by_oid: ADDED gnutls_x509_crq_get_extension_data: ADDED gnutls_x509_crq_get_extension_info: ADDED gnutls_x509_crq_get_key_id: ADDED. gnutls_x509_crq_get_key_purpose_oid: ADDED gnutls_x509_crq_get_key_rsa_raw: ADDED gnutls_x509_crq_get_key_usage: ADDED gnutls_x509_crq_get_subject_alt_name: ADDED gnutls_x509_crq_get_subject_alt_othername_oid: ADDED gnutls_x509_crq_print: ADDED gnutls_x509_crq_set_basic_constraints: ADDED gnutls_x509_crq_set_key_purpose_oid: ADDED gnutls_x509_crq_set_key_usage: ADDED gnutls_x509_crq_set_subject_alt_name: ADDED gnutls_x509_crt_get_verify_algorithm: ADDED gnutls_x509_crt_set_crq_extensions: ADDED gnutls_x509_crt_verify_hash: ADDED The following interfaces have been added to the header files: GNUTLS_VERSION: ADDED, replaces LIBGNUTLS_VERSION. GNUTLS_VERSION_MAJOR: ADDED, replaces LIBGNUTLS_VERSION_MAJOR. GNUTLS_VERSION_MINOR: ADDED, replaces LIBGNUTLS_VERSION_MINOR. GNUTLS_VERSION_PATCH: ADDED, replaces LIBGNUTLS_VERSION_PATCH. GNUTLS_VERSION_NUMBER: ADDED, replaces LIBGNUTLS_VERSION_NUMBER. The following interfaces have been deprecated: LIBGNUTLS_VERSION: DEPRECATED. LIBGNUTLS_VERSION_MAJOR: DEPRECATED. LIBGNUTLS_VERSION_MINOR: DEPRECATED. LIBGNUTLS_VERSION_PATCH: DEPRECATED. LIBGNUTLS_VERSION_NUMBER: DEPRECATED. Getting the Software ==================== GnuTLS may be downloaded from one of the mirror sites or direct from . The list of mirrors can be found at . Here are the BZIP2 compressed sources (6.0MB): ftp://ftp.gnu.org/gnu/gnutls/gnutls-2.8.0.tar.bz2 http://ftp.gnu.org/gnu/gnutls/gnutls-2.8.0.tar.bz2 Here are OpenPGP detached signatures signed using key 0xB565716F: ftp://ftp.gnu.org/gnu/gnutls/gnutls-2.8.0.tar.bz2.sig http://ftp.gnu.org/gnu/gnutls/gnutls-2.8.0.tar.bz2.sig Note, that we don't distribute gzip compressed tarballs. In order to check that the version of GnuTLS which you are going to install is an original and unmodified one, you should verify the OpenPGP signature. You can use the command gpg --verify gnutls-2.8.0.tar.bz2.sig This checks whether the signature file matches the source file. You should see a message indicating that the signature is good and made by that signing key. Make sure that you have the right key, either by checking the fingerprint of that key with other sources or by checking that the key has been signed by a trustworthy other key. The signing key can be identified with the following information: pub 1280R/B565716F 2002-05-05 [expires: 2010-04-21] Key fingerprint = 0424 D4EE 81A0 E3D1 19C6 F835 EDA2 1E94 B565 716F uid Simon Josefsson uid Simon Josefsson sub 1280R/4D5D40AE 2002-05-05 [expires: 2010-04-21] The key is available from: http://josefsson.org/key.txt dns:b565716f.josefsson.org?TYPE=CERT Alternatively, after successfully verifying the OpenPGP signature of this announcement, you could verify that the files match the following checksum values. The values are for SHA-1 and SHA-224 respectively: d1693e611aa7270f14bc500bd56ef529ffcb1703 gnutls-2.8.0.tar.bz2 5e5bc180293b0854b7e8c27a5eb55f172579b346fba61b2d4b0b0c61 gnutls-2.8.0.tar.bz2 Documentation ============= The manual is available online at: http://www.gnu.org/software/gnutls/documentation.html In particular the following formats are available: HTML: http://www.gnu.org/software/gnutls/manual/html_node/index.html PDF: http://www.gnu.org/software/gnutls/manual/gnutls.pdf For developers there is a GnuTLS API reference manual formatted using the GTK-DOC tools: http://www.gnu.org/software/gnutls/reference/gnutls-gnutls.html Community ========= If you need help to use GnuTLS, or want to help others, you are invited to join our help-gnutls mailing list, see: http://lists.gnu.org/mailman/listinfo/help-gnutls If you wish to participate in the development of GnuTLS, you are invited to join our gnutls-dev mailing list, see: http://lists.gnu.org/mailman/listinfo/gnutls-devel Windows installer ================= GnuTLS has been ported to the Windows operating system, and a binary installer is available. The installer contains DLLs for application development, manuals, examples, and source code. The installer uses libgpg-error v1.7, libgcrypt v1.4.4, libtasn1 v2.2, and GnuTLS v2.8.0. For more information about GnuTLS for Windows: http://josefsson.org/gnutls4win/ The Windows binary installer and PGP signature: http://josefsson.org/gnutls4win/gnutls-2.8.0.exe (15MB) http://josefsson.org/gnutls4win/gnutls-2.8.0.exe.sig The checksum values for SHA-1 and SHA-224 are: 8a86a846cbdc16b6c21442c706854a5c02416336 gnutls-2.8.0.exe 555afa0c1524d8ad05a12384e1bd1b09da720b03058f0089dc812cfc gnutls-2.8.0.exe A ZIP archive containing the Windows binaries: http://josefsson.org/gnutls4win/gnutls-2.8.0.zip (5.3MB) http://josefsson.org/gnutls4win/gnutls-2.8.0.zip.sig A Debian mingw32 package is also available: http://josefsson.org/gnutls4win/mingw32-gnutls_2.7.10-1_all.deb (4.8MB) The checksum values for SHA-1 and SHA-224 are: b141f97c196d408bf12b8a58ede6bda8fb291be6 mingw32-gnutls_2.8.0-1_all.deb 541e2fca8248460b419e2224a138b292020de1724c86c77b9478da93 mingw32-gnutls_2.8.0-1_all.deb Internationalization ==================== The GnuTLS library messages have been translated into Czech, Dutch, French, German, Malay, Polish, Swedish, and Vietnamese. We welcome the addition of more translations. Support ======= Improving GnuTLS is costly, but you can help! We are looking for organizations that find GnuTLS useful and wish to contribute back. You can contribute by reporting bugs, improve the software, or donate money or equipment. Commercial support contracts for GnuTLS are available, and they help finance continued maintenance. Simon Josefsson Datakonsult AB, a Stockholm based privately held company, is currently funding GnuTLS maintenance. We are always looking for interesting development projects. See http://josefsson.org/ for more details. The GnuTLS service directory is available at: http://www.gnu.org/software/gnutls/commercial.html Happy Hacking, Simon From simon at josefsson.org Mon May 25 12:32:36 2009 From: simon at josefsson.org (Simon Josefsson) Date: Mon, 25 May 2009 12:32:36 +0200 Subject: GnuTLS 2.7.13 - release candidate 5 of GnuTLS 2.8.0 Message-ID: <87k5458ocb.fsf@mocca.josefsson.org> Hopefully this will be the final RC. I'll release this as v2.8.0 tomorrow morning unless I hear objections. Meanwhile, please build it and proof read the release notes: http://permalink.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3589 Here are the compressed sources: http://alpha.gnu.org/gnu/gnutls/gnutls-2.7.13.tar.bz2 (6.0MB) ftp://alpha.gnu.org/gnu/gnutls/gnutls-2.7.13.tar.bz2 Here is the OpenPGP signature: http://alpha.gnu.org/gnu/gnutls/gnutls-2.7.13.tar.bz2.sig ftp://alpha.gnu.org/gnu/gnutls/gnutls-2.7.13.tar.bz2.sig The Windows binary installer and PGP signature: http://josefsson.org/gnutls4win/gnutls-2.7.13.exe (15MB) http://josefsson.org/gnutls4win/gnutls-2.7.13.exe.sig A ZIP archive containing the Windows binaries: http://josefsson.org/gnutls4win/gnutls-2.7.13.zip (5.3MB) http://josefsson.org/gnutls4win/gnutls-2.7.13.zip.sig A Debian mingw32 package is also available: http://josefsson.org/gnutls4win/mingw32-gnutls_2.7.13-1_all.deb (4.8MB) Improving GnuTLS is costly, but you can help! We are looking for organizations that find GnuTLS useful and wish to contribute back. You can contribute by reporting bugs, improve the software, or donate money or equipment. Commercial support contracts for GnuTLS are available, and they help finance continued maintenance. Simon Josefsson Datakonsult AB, a Stockholm based privately held company, is currently funding GnuTLS maintenance. We are always looking for interesting development projects. See http://josefsson.org/ for more details. /Simon * Version 2.7.13 (released 2009-05-25) ** libgnutls: Fix version of some exported symbols in the shared library. Reported by Andreas Metzler in . ** tests: Handle recently expired certificates in chainverify self-test. Reported by Andreas Metzler in . ** API and ABI modifications: No changes since last version. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 419 bytes Desc: not available URL: From ametzler at downhill.at.eu.org Mon May 25 18:53:51 2009 From: ametzler at downhill.at.eu.org (Andreas Metzler) Date: Mon, 25 May 2009 18:53:51 +0200 Subject: Enhanced symbol versioning in 2.7.x In-Reply-To: <87skita8pe.fsf@mocca.josefsson.org> References: <20090520192851.GA4298@downhill.g.la> <87skita8pe.fsf@mocca.josefsson.org> Message-ID: <20090525165351.GB4402@downhill.g.la> On 2009-05-25 Simon Josefsson wrote: > Andreas Metzler writes: [...] > > I assume that if there was a soname bump we would change from > > -------------- > > GNUTLS_1_4 > > { > > ... > > }; > > > > GNUTLS_2_8 > > { > > ... > > } GNUTLS_1_4; > > > > GNUTLS_PRIVATE { > > }; > > -------------- > > > > to > > > > -------------- > > GNUTLS_2_10 > > { > > [symbols listed previously in GNUTLS_1_4 or GNUTLS_2_8 go here] > > }; > > > > > > GNUTLS_PRIVATE_2_10 { > > [symbols listed previously in GNUTLS_PRIVATE go here] > > }; > > -------------- > > Am I correct? > That's not required, but I don't see how it would hurt from a technical > point of view. > I don't see any advantage in that, though, because having the old > version names even in the new soname bump can be informative. Well I am not sure either. I know that *without* symbol versioning you get crashes due to symbol clashes whenever two different versions of the library are linked (indirectly) into a single binary. Versioning the symbols in the different library versions (I am always taling about sonames) protects against that. I *assume* you would have the same problem if the two versions of the library were using the same versioning, the symbols would clash. cu andreas -- `What a good friend you are to him, Dr. Maturin. His other friends are so grateful to you.' `I sew his ears on from time to time, sure' From nmav at gnutls.org Tue May 26 04:16:01 2009 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Tue, 26 May 2009 05:16:01 +0300 Subject: libtasn1 compile issue in ANS1.c In-Reply-To: References: Message-ID: <4A1B50E1.3090404@gnutls.org> Didier Godefroy wrote: >>> libtool: compile: cc -DHAVE_CONFIG_H -I. -I.. -I./gllib -DASN1_BUILDING >>> -pthread -I/usr/local/include -O4 -g3 -w -c -MD ASN1.c -DPIC -o >>> .libs/ASN1.o >>> cc: Error: ASN1.c, line 153: Invalid enumerator. (badenum) >>> TRUE = 277, >>> -----^ >>> cc: Error: ASN1.c, line 154: Invalid enumerator. (badenum) >>> FALSE = 278, >>> -----^ >>> >>> They look to me to be the same as all the others, but only TRUE and FALSE >>> are causing the error. >>> I haven't found any hints on possible fixes and the latest daily snapshot >>> doesn't fix that either. >> maybe TRUE and FALSE are reserved in this compiler. If you replace them >> with ASN1_TRUE and ASN1_FALSE the compiler complains? > That did it!!! > It didn't complain, built all the way and all 5 tests passed. > One more porting issue fixed. I just noticed that this enumeration is auto-generated with bison from the given grammar's tokens, thus TRUE/FALSE cannot be replaced. However would adding #undef TRUE and #undef FALSE solve the compilation issue for you? regards, Nikos From dkg at fifthhorseman.net Tue May 26 07:13:42 2009 From: dkg at fifthhorseman.net (Daniel Kahn Gillmor) Date: Tue, 26 May 2009 01:13:42 -0400 Subject: 2.7.12 test suite error on chainverify In-Reply-To: <8763fpboag.fsf@mocca.josefsson.org> References: <20090523115037.GJ3498@downhill.g.la> <8763fpboag.fsf@mocca.josefsson.org> Message-ID: <4A1B7A86.7050900@fifthhorseman.net> On 05/25/2009 04:05 AM, Simon Josefsson wrote: > Indeed, that certificate just expired. I have split the test into two, > one that should fail due to an expired certificate, and one with a flag > to disable activation time checks that should succeed. There was > another similar one too. Perhaps the tests could run with something like faketime or datefudge to ensure that the date validations are reasonable? --dkg -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 890 bytes Desc: OpenPGP digital signature URL: From simon at josefsson.org Tue May 26 11:05:39 2009 From: simon at josefsson.org (Simon Josefsson) Date: Tue, 26 May 2009 11:05:39 +0200 Subject: Enhanced symbol versioning in 2.7.x In-Reply-To: <20090525165351.GB4402@downhill.g.la> (Andreas Metzler's message of "Mon, 25 May 2009 18:53:51 +0200") References: <20090520192851.GA4298@downhill.g.la> <87skita8pe.fsf@mocca.josefsson.org> <20090525165351.GB4402@downhill.g.la> Message-ID: <87r5ycz124.fsf@mocca.josefsson.org> Andreas Metzler writes: > Well I am not sure either. I know that *without* symbol versioning you > get crashes due to symbol clashes whenever two different versions of > the library are linked (indirectly) into a single binary. Versioning > the symbols in the different library versions (I am always taling > about sonames) protects against that. I *assume* you would have the > same problem if the two versions of the library were using the same > versioning, the symbols would clash. Ah, good point. Yes, that seems to suggest that whenever a soname bump is done, you can no longer use the old version symbols. That was rather non-obvious to me. Maybe a tutorial on "shared library versioning for maintainers" howto would be useful, I don't think Uri's documentation is well suited for that purpose. /Simon From simon at josefsson.org Tue May 26 11:08:36 2009 From: simon at josefsson.org (Simon Josefsson) Date: Tue, 26 May 2009 11:08:36 +0200 Subject: 2.7.12 test suite error on chainverify In-Reply-To: <4A1B7A86.7050900@fifthhorseman.net> (Daniel Kahn Gillmor's message of "Tue, 26 May 2009 01:13:42 -0400") References: <20090523115037.GJ3498@downhill.g.la> <8763fpboag.fsf@mocca.josefsson.org> <4A1B7A86.7050900@fifthhorseman.net> Message-ID: <87my90z0x7.fsf@mocca.josefsson.org> Daniel Kahn Gillmor writes: > On 05/25/2009 04:05 AM, Simon Josefsson wrote: >> Indeed, that certificate just expired. I have split the test into two, >> one that should fail due to an expired certificate, and one with a flag >> to disable activation time checks that should succeed. There was >> another similar one too. > > Perhaps the tests could run with something like faketime or datefudge to > ensure that the date validations are reasonable? This is kind of tested now, isn't it? I split the test into two parts: one that is expected to fail because of an expired cert, and one that is expected to succeed (because time checks are disabled). But using datefudge or something similar seems useful for improving the chain validation test further. /Simon From simon at josefsson.org Tue May 26 11:11:33 2009 From: simon at josefsson.org (Simon Josefsson) Date: Tue, 26 May 2009 11:11:33 +0200 Subject: libtasn1 compile issue in ANS1.c In-Reply-To: <4A1B50E1.3090404@gnutls.org> (Nikos Mavrogiannopoulos's message of "Tue, 26 May 2009 05:16:01 +0300") References: <4A1B50E1.3090404@gnutls.org> Message-ID: <87iqjoz0sa.fsf@mocca.josefsson.org> Nikos Mavrogiannopoulos writes: > Didier Godefroy wrote: > >>>> libtool: compile: cc -DHAVE_CONFIG_H -I. -I.. -I./gllib -DASN1_BUILDING >>>> -pthread -I/usr/local/include -O4 -g3 -w -c -MD ASN1.c -DPIC -o >>>> .libs/ASN1.o >>>> cc: Error: ASN1.c, line 153: Invalid enumerator. (badenum) >>>> TRUE = 277, >>>> -----^ >>>> cc: Error: ASN1.c, line 154: Invalid enumerator. (badenum) >>>> FALSE = 278, >>>> -----^ >>>> >>>> They look to me to be the same as all the others, but only TRUE and FALSE >>>> are causing the error. >>>> I haven't found any hints on possible fixes and the latest daily snapshot >>>> doesn't fix that either. >>> maybe TRUE and FALSE are reserved in this compiler. If you replace them >>> with ASN1_TRUE and ASN1_FALSE the compiler complains? >> That did it!!! >> It didn't complain, built all the way and all 5 tests passed. >> One more porting issue fixed. > > I just noticed that this enumeration is auto-generated with bison from > the given grammar's tokens, thus TRUE/FALSE cannot be replaced. However > would adding #undef TRUE and #undef FALSE solve the compilation issue > for you? We can change the bison source, can't we? Like this: /Simon diff --git a/lib/ASN1.y b/lib/ASN1.y index b335cbc..14e2eb6 100644 --- a/lib/ASN1.y +++ b/lib/ASN1.y @@ -85,8 +85,8 @@ static int _asn1_yylex(void); %token OBJECT %token STR_IDENTIFIER %token BOOLEAN -%token TRUE -%token FALSE +%token ASN1_TRUE +%token ASN1_FALSE %token TOKEN_NULL %token ANY %token DEFINED @@ -195,8 +195,8 @@ tag : tag_type {$$=$1;} default : DEFAULT pos_neg_identifier {$$=_asn1_add_node(TYPE_DEFAULT); _asn1_set_value($$,$2,strlen($2)+1);} - | DEFAULT TRUE {$$=_asn1_add_node(TYPE_DEFAULT|CONST_TRUE);} - | DEFAULT FALSE {$$=_asn1_add_node(TYPE_DEFAULT|CONST_FALSE);} + | DEFAULT ASN1_TRUE {$$=_asn1_add_node(TYPE_DEFAULT|CONST_TRUE);} + | DEFAULT ASN1_FALSE {$$=_asn1_add_node(TYPE_DEFAULT|CONST_FALSE);} ; @@ -415,7 +415,7 @@ static const int key_word_token[] = { ASSIG,OPTIONAL,INTEGER,SIZE,OCTET,STRING ,SEQUENCE,BIT,UNIVERSAL,PRIVATE,OPTIONAL ,DEFAULT,CHOICE,OF,OBJECT,STR_IDENTIFIER - ,BOOLEAN,TRUE,FALSE,APPLICATION,ANY,DEFINED + ,BOOLEAN,ASN1_TRUE,ASN1_FALSE,APPLICATION,ANY,DEFINED ,SET,BY,EXPLICIT,IMPLICIT,DEFINITIONS,TAGS ,BEGIN,END,UTCTime,GeneralizedTime ,GeneralString,FROM,IMPORTS,TOKEN_NULL,ENUMERATED}; From simon at josefsson.org Tue May 26 11:46:32 2009 From: simon at josefsson.org (Simon Josefsson) Date: Tue, 26 May 2009 11:46:32 +0200 Subject: GnuTLS 2.7.14 - release candidate 6 of GnuTLS 2.8.0 Message-ID: <87eiucyz5z.fsf@mocca.josefsson.org> Good feedback on RC5 resulted in one important change, so let's do a RC6. I'll release this as v2.8.0 tomorrow morning unless I hear objections. Meanwhile, please build it and proof read the release notes: http://permalink.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3589 Here are the compressed sources: http://alpha.gnu.org/gnu/gnutls/gnutls-2.7.14.tar.bz2 (6.0MB) ftp://alpha.gnu.org/gnu/gnutls/gnutls-2.7.14.tar.bz2 Here is the OpenPGP signature: http://alpha.gnu.org/gnu/gnutls/gnutls-2.7.14.tar.bz2.sig ftp://alpha.gnu.org/gnu/gnutls/gnutls-2.7.14.tar.bz2.sig The Windows binary installer and PGP signature: http://josefsson.org/gnutls4win/gnutls-2.7.14.exe (15MB) http://josefsson.org/gnutls4win/gnutls-2.7.14.exe.sig A ZIP archive containing the Windows binaries: http://josefsson.org/gnutls4win/gnutls-2.7.14.zip (5.3MB) http://josefsson.org/gnutls4win/gnutls-2.7.14.zip.sig A Debian mingw32 package is also available: http://josefsson.org/gnutls4win/mingw32-gnutls_2.7.14-1_all.deb (4.8MB) Improving GnuTLS is costly, but you can help! We are looking for organizations that find GnuTLS useful and wish to contribute back. You can contribute by reporting bugs, improve the software, or donate money or equipment. Commercial support contracts for GnuTLS are available, and they help finance continued maintenance. Simon Josefsson Datakonsult AB, a Stockholm based privately held company, is currently funding GnuTLS maintenance. We are always looking for interesting development projects. See http://josefsson.org/ for more details. /Simon * Version 2.7.14 (released 2009-05-26) ** libgnutls: Fix namespace issue with version symbol for libgnutls-extra. The symbol LIBGNUTLS_EXTRA_VERSION were renamed to GNUTLS_EXTRA_VERSION. The old symbol will continue to work but is deprecated. ** Doc: Several typo fixes in documentation. Reported by Peter Hendrickson . ** API and ABI modifications: GNUTLS_VERSION: ADDED, replaces LIBGNUTLS_EXTRA_VERSION. LIBGNUTLS_EXTRA_VERSION: DEPRECATED. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 419 bytes Desc: not available URL: From simon at josefsson.org Thu May 28 10:10:00 2009 From: simon at josefsson.org (Simon Josefsson) Date: Thu, 28 May 2009 10:10:00 +0200 Subject: GnuTLS 2.8.0 Message-ID: <878wkhabs7.fsf@mocca.josefsson.org> We are proud to announce a new stable GnuTLS release: Version 2.8.0. GnuTLS is a modern C library that implements the standard network security protocol Transport Layer Security (TLS), for use by network applications. GnuTLS is developed for GNU/Linux, but works on many Unix-like systems and comes with a binary installer for Windows. The GnuTLS library is distributed under the terms of the GNU Lesser General Public License version 2.1 (or later). The "extra" GnuTLS library (which contains TLS/IA support, LZO compression and Libgcrypt FIPS-mode handler), the OpenSSL compatibility library, the self tests and the command line tools are all distributed under the GNU General Public License version 3.0 (or later). The manual is distributed under the GNU Free Documentation License version 1.3 (or later). The project page of the library is available at: http://www.gnu.org/software/gnutls/ What's New ========== Version 2.8.0 is the first stable release on the 2.8.x branch and is the result of 7 months of work on the experimental 2.7.x branch. The GnuTLS 2.8.x branch replaces the GnuTLS 2.6.x branch as the supported stable branch, although we will continue to support GnuTLS 2.6.x for some time. ** lib: Linker version scripts reduces number of exported symbols. The linker version script now lists all exported ABIs explicitly, to avoid accidentally exporting unintended functions. Compared to before, most symbols beginning with _gnutls* are no longer exported. These functions have never been intended for use by applications, and there were no prototypes for these function in the public header files. Thus we believe it is possible to do this without incrementing the library ABI version which normally has to be done when removing an interface. ** lib: Limit exported symbols on systems without LD linker scripts. Before all symbols were exported. Now we limit the exported symbols to (for libgnutls and libgnutls-extra) gnutls* and (for libgnutls) _gnutls*. This is a superset of the actual supported ABI, but still an improvement compared to before. This is implemented using Libtool -export-symbols-regex. It is more portable than linker version scripts. ** libgnutls: Fix namespace issue with version symbols. The symbols LIBGNUTLS_VERSION, LIBGNUTLS_VERSION_MAJOR, LIBGNUTLS_VERSION_MINOR, LIBGNUTLS_VERSION_PATCH, and LIBGNUTLS_VERSION_NUMBER were renamed to GNUTLS_VERSION_NUMBER, GNUTLS_VERSION_MAJOR, GNUTLS_VERSION_MINOR, GNUTLS_VERSION_PATCH, and GNUTLS_VERSION_NUMBER respectively. The old symbols will continue to work but are deprecated. ** libgnutls: Fix namespace issue with version symbol for libgnutls-extra. The symbol LIBGNUTLS_EXTRA_VERSION were renamed to GNUTLS_EXTRA_VERSION. The old symbol will continue to work but is deprecated. ** libgnutls: Add functions to verify a hash against a certificate. gnutls_x509_crt_verify_hash: ADDED gnutls_x509_crt_get_verify_algorithm: ADDED ** gnutls-serv: Listen on all interfaces, including both IPv4 and IPv6. ** i18n: The GnuTLS gettext domain is now 'libgnutls' instead of 'gnutls'. It is currently only used by the core library. This will enable a new domain 'gnutls' for translations of the command line tools. ** certtool: Query for multiple dnsName subjectAltName in interactive mode. This applies both to generating certificates and certificate requests. ** gnutls-cli: No longer accepts V1 CAs by default during X.509 chain verify. Use --priority NORMAL:%VERIFY_ALLOW_X509_V1_CA_CRT to permit V1 CAs to be used for chain verification. ** gnutls-serv: No longer disable MAC padding by default. Use --priority NORMAL:%COMPAT to disable MAC padding again. ** gnutls-cli: Certificate information output format changed. The tool now uses libgnutls' functions to print certificate information. This avoids code duplication. ** libgnutls: New priority strings %VERIFY_ALLOW_SIGN_RSA_MD5 ** and %VERIFY_ALLOW_X509_V1_CA_CRT. They can be used to override the default certificate chain validation behaviour. ** libgnutls: gnutls_x509_crt_print prints signature algorithm in oneline mode. ** libgnutls: gnutls_openpgp_crt_print supports oneline mode. ** libgnutls: gnutls_handshake when sending client hello during a rehandshake, will not offer a version number larger than the current. ** libgnutls: New interface to get key id for certificate requests. gnutls_x509_crq_get_key_id: ADDED. ** libgnutls: gnutls_x509_crq_print will now also print public key id. ** certtool: --verify-chain now prints results of using library verification. Earlier, certtool --verify-chain used its own validation algorithm which wasn't guaranteed to give the same result as the libgnutls internal validation algorithm. Now this command print a new final line with header 'Chain verification output:' that contains the result From using the internal verification algorithm on the same chain. ** libgnutls: Libgcrypt initialization changed. If libgcrypt has not already been initialized, GnuTLS will now initialize libgcrypt with disabled secure memory. Initialize libgcrypt explicitly in your application if you want to enable secure memory. Before GnuTLS initialized libgcrypt to use GnuTLS's memory allocation functions, which doesn't use secure memory, so there is no real change in behaviour. ** libgnutls: Small byte reads via gnutls_record_recv() optimized. ** gnutls-cli: Return non-zero exit code on error conditions. ** gnutls-cli: Corrected bug which caused a rehandshake request to be ignored. ** certtool: allow setting arbitrary key purpose object identifiers. ** libgnutls: Change detection of when to use a linker version script. Use --enable-ld-version-script or --disable-ld-version-script to override auto-detection logic. ** Fix warnings and build GnuTLS with more warnings enabled. ** New API to set X.509 credentials from PKCS#12 memory structure. gnutls_certificate_set_x509_simple_pkcs12_mem: ADDED ** Old libgnutls.m4 and libgnutls-config scripts removed. Please use pkg-config instead. ** libgnutls: Added functions to handle CRL extensions. gnutls_x509_crl_get_authority_key_id: ADDED gnutls_x509_crl_get_number: ADDED gnutls_x509_crl_get_extension_oid: ADDED gnutls_x509_crl_get_extension_info: ADDED gnutls_x509_crl_get_extension_data: ADDED gnutls_x509_crl_set_authority_key_id: ADDED gnutls_x509_crl_set_number: ADDED ** libgnutls: Added functions to handle X.509 extensions in Certificate Requests. gnutls_x509_crq_get_key_rsa_raw: ADDED gnutls_x509_crq_get_attribute_info: ADDED gnutls_x509_crq_get_attribute_data: ADDED gnutls_x509_crq_get_extension_info: ADDED gnutls_x509_crq_get_extension_data: ADDED gnutls_x509_crq_get_key_usage: ADDED gnutls_x509_crq_get_basic_constraints: ADDED gnutls_x509_crq_get_subject_alt_name: ADDED gnutls_x509_crq_get_subject_alt_othername_oid: ADDED gnutls_x509_crq_get_extension_by_oid: ADDED gnutls_x509_crq_set_subject_alt_name: ADDED gnutls_x509_crq_set_basic_constraints: ADDED gnutls_x509_crq_set_key_usage: ADDED gnutls_x509_crq_get_key_purpose_oid: ADDED gnutls_x509_crq_set_key_purpose_oid: ADDED gnutls_x509_crq_print: ADDED gnutls_x509_crt_set_crq_extensions: ADDED ** certtool: Print and set CRL and CRQ extensions. ** minitasn1: Internal copy updated to libtasn1 v2.1. GnuTLS should work fine with libtasn1 v1.x and that is still supported. ** examples: Now released into the public domain. This makes the license of the example code compatible with more licenses, including the (L)GPL. ** The Texinfo and GTK-DOC manuals were improved. ** Several self-tests were added and others improved. API/ABI changes in GnuTLS 2.8 ============================= No offically supported interfaces have been modified or removed. The library should be completely backwards compatible on both the source and binary level. The shared library no longer exports some symbols that have never been officially supported, i.e., not mentioned in any of the header files. The symbols are: _gnutls* gnutls_asn1_tab Normally when symbols are removed, the shared library version has to be incremented. This leads to a significant cost for everyone using the library. Because none of the above symbols have ever been intended for use by well-behaved applications, we decided that the it would be better for those applications to pay the price rather than incurring problems on the majority of applications. If it turns out that applications have been using unofficial interfaces, we will need to release a follow-on release on the v2.8 branch to exports additional interfaces. However, initial testing suggests that few if any applications have been using any of the internal symbols. Although not a new change compared to 2.6.x, we'd like to remind you interfaces have been modified so that X.509 chain verification now also checks activation/expiration times on certificates. The affected functions are: gnutls_x509_crt_list_verify: CHANGED, checks activation/expiration times. gnutls_certificate_verify_peers: Likewise. gnutls_certificate_verify_peers2: Likewise. GNUTLS_CERT_NOT_ACTIVATED: ADDED. GNUTLS_CERT_EXPIRED: ADDED. GNUTLS_VERIFY_DISABLE_TIME_CHECKS: ADDED. This change in behaviour was made during the GnuTLS 2.6.x cycle, and we gave our rationale for it in earlier release notes. The following symbols have been added to the library: gnutls_certificate_set_x509_simple_pkcs12_mem: ADDED gnutls_x509_crl_get_authority_key_id: ADDED gnutls_x509_crl_get_extension_data: ADDED gnutls_x509_crl_get_extension_info: ADDED gnutls_x509_crl_get_extension_oid: ADDED gnutls_x509_crl_get_number: ADDED gnutls_x509_crl_set_authority_key_id: ADDED gnutls_x509_crl_set_number: ADDED gnutls_x509_crq_get_attribute_data: ADDED gnutls_x509_crq_get_attribute_info: ADDED gnutls_x509_crq_get_basic_constraints: ADDED gnutls_x509_crq_get_extension_by_oid: ADDED gnutls_x509_crq_get_extension_data: ADDED gnutls_x509_crq_get_extension_info: ADDED gnutls_x509_crq_get_key_id: ADDED. gnutls_x509_crq_get_key_purpose_oid: ADDED gnutls_x509_crq_get_key_rsa_raw: ADDED gnutls_x509_crq_get_key_usage: ADDED gnutls_x509_crq_get_subject_alt_name: ADDED gnutls_x509_crq_get_subject_alt_othername_oid: ADDED gnutls_x509_crq_print: ADDED gnutls_x509_crq_set_basic_constraints: ADDED gnutls_x509_crq_set_key_purpose_oid: ADDED gnutls_x509_crq_set_key_usage: ADDED gnutls_x509_crq_set_subject_alt_name: ADDED gnutls_x509_crt_get_verify_algorithm: ADDED gnutls_x509_crt_set_crq_extensions: ADDED gnutls_x509_crt_verify_hash: ADDED The following interfaces have been added to the header files: GNUTLS_VERSION: ADDED, replaces LIBGNUTLS_VERSION. GNUTLS_VERSION_MAJOR: ADDED, replaces LIBGNUTLS_VERSION_MAJOR. GNUTLS_VERSION_MINOR: ADDED, replaces LIBGNUTLS_VERSION_MINOR. GNUTLS_VERSION_PATCH: ADDED, replaces LIBGNUTLS_VERSION_PATCH. GNUTLS_VERSION_NUMBER: ADDED, replaces LIBGNUTLS_VERSION_NUMBER. GNUTLS_EXTRA_VERSION: ADDED, replaces LIBGNUTLS_EXTRA_VERSION. The following interfaces have been deprecated: LIBGNUTLS_VERSION: DEPRECATED. LIBGNUTLS_VERSION_MAJOR: DEPRECATED. LIBGNUTLS_VERSION_MINOR: DEPRECATED. LIBGNUTLS_VERSION_PATCH: DEPRECATED. LIBGNUTLS_VERSION_NUMBER: DEPRECATED. LIBGNUTLS_EXTRA_VERSION: DEPRECATED. Getting the Software ==================== GnuTLS may be downloaded from one of the mirror sites or direct from . The list of mirrors can be found at . Here are the BZIP2 compressed sources (6.0MB): ftp://ftp.gnu.org/gnu/gnutls/gnutls-2.8.0.tar.bz2 http://ftp.gnu.org/gnu/gnutls/gnutls-2.8.0.tar.bz2 Here are OpenPGP detached signatures signed using key 0xB565716F: ftp://ftp.gnu.org/gnu/gnutls/gnutls-2.8.0.tar.bz2.sig http://ftp.gnu.org/gnu/gnutls/gnutls-2.8.0.tar.bz2.sig Note, that we don't distribute gzip compressed tarballs. In order to check that the version of GnuTLS which you are going to install is an original and unmodified one, you should verify the OpenPGP signature. You can use the command gpg --verify gnutls-2.8.0.tar.bz2.sig This checks whether the signature file matches the source file. You should see a message indicating that the signature is good and made by that signing key. Make sure that you have the right key, either by checking the fingerprint of that key with other sources or by checking that the key has been signed by a trustworthy other key. The signing key can be identified with the following information: pub 1280R/B565716F 2002-05-05 [expires: 2010-04-21] Key fingerprint = 0424 D4EE 81A0 E3D1 19C6 F835 EDA2 1E94 B565 716F uid Simon Josefsson uid Simon Josefsson sub 1280R/4D5D40AE 2002-05-05 [expires: 2010-04-21] The key is available from: http://josefsson.org/key.txt dns:b565716f.josefsson.org?TYPE=CERT Alternatively, after successfully verifying the OpenPGP signature of this announcement, you could verify that the files match the following checksum values. The values are for SHA-1 and SHA-224 respectively: 7c102253bb4e817f393b9979a62c647010312eac gnutls-2.8.0.tar.bz2 57ee306f261ed331b8386baf854f737fbf24da7b3bcc32331d34176b gnutls-2.8.0.tar.bz2 Documentation ============= The manual is available online at: http://www.gnu.org/software/gnutls/documentation.html In particular the following formats are available: HTML: http://www.gnu.org/software/gnutls/manual/html_node/index.html PDF: http://www.gnu.org/software/gnutls/manual/gnutls.pdf For developers there is a GnuTLS API reference manual formatted using the GTK-DOC tools: http://www.gnu.org/software/gnutls/reference/gnutls-gnutls.html Community ========= If you need help to use GnuTLS, or want to help others, you are invited to join our help-gnutls mailing list, see: http://lists.gnu.org/mailman/listinfo/help-gnutls If you wish to participate in the development of GnuTLS, you are invited to join our gnutls-dev mailing list, see: http://lists.gnu.org/mailman/listinfo/gnutls-devel Windows installer ================= GnuTLS has been ported to the Windows operating system, and a binary installer is available. The installer contains DLLs for application development, manuals, examples, and source code. The installer uses libgpg-error v1.7, libgcrypt v1.4.4, libtasn1 v2.2, and GnuTLS v2.8.0. For more information about GnuTLS for Windows: http://josefsson.org/gnutls4win/ The Windows binary installer and PGP signature: http://josefsson.org/gnutls4win/gnutls-2.8.0.exe (15MB) http://josefsson.org/gnutls4win/gnutls-2.8.0.exe.sig The checksum values for SHA-1 and SHA-224 are: 8a7965168c542edec3259469b6c0e87a9a2b4626 gnutls-2.8.0.exe 5f76c907eac768b714dc7187a17f87c0393439cf1ef44ab145aab6e3 gnutls-2.8.0.exe A ZIP archive containing the Windows binaries: http://josefsson.org/gnutls4win/gnutls-2.8.0.zip (5.3MB) http://josefsson.org/gnutls4win/gnutls-2.8.0.zip.sig A Debian mingw32 package is also available: http://josefsson.org/gnutls4win/mingw32-gnutls_2.7.10-1_all.deb (4.8MB) The checksum values for SHA-1 and SHA-224 are: aca9f9f1adba09b952e095039595d4c5d9e67d46 mingw32-gnutls_2.8.0-1_all.deb 269020738a9f36135e3f231a94cdb2cabc0edd3658092d76b87c27dc mingw32-gnutls_2.8.0-1_all.deb Internationalization ==================== The GnuTLS library messages have been translated into Czech, Dutch, French, German, Malay, Polish, Swedish, and Vietnamese. We welcome the addition of more translations. Support ======= Improving GnuTLS is costly, but you can help! We are looking for organizations that find GnuTLS useful and wish to contribute back. You can contribute by reporting bugs, improve the software, or donate money or equipment. Commercial support contracts for GnuTLS are available, and they help finance continued maintenance. Simon Josefsson Datakonsult AB, a Stockholm based privately held company, is currently funding GnuTLS maintenance. We are always looking for interesting development projects. See http://josefsson.org/ for more details. The GnuTLS service directory is available at: http://www.gnu.org/software/gnutls/commercial.html Happy Hacking, Simon -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 419 bytes Desc: not available URL: From simon at josefsson.org Thu May 28 10:42:41 2009 From: simon at josefsson.org (Simon Josefsson) Date: Thu, 28 May 2009 10:42:41 +0200 Subject: libtasn1 compile issue in ANS1.c In-Reply-To: (Didier Godefroy's message of "Wed, 27 May 2009 17:24:33 +0200") References: Message-ID: <87vdnl8vpa.fsf@mocca.josefsson.org> Didier Godefroy writes: > on 5/27/09 7:41 AM, Simon Josefsson at simon at josefsson.org uttered the > following: > >>> Ok, I applied the patch and reverted ASN1.c to original, but configure >>> doesn't cause the generation of a new ASN1.c it appears (making my patch on >>> it useless). >>> How do we get the new ASN1.c regenerated? >> >> Make sure ASN1.y has a newer timestamp than ASN1.c, and it should be >> re-built automatically. E.g., try 'touch lib/ASN1.y'. You could also >> remove the built file, 'rm lib/ASN1.c', then it will be re-built for >> sure. Thanks for testing! > > Ok, thanks, I tried that and along the way I got this message: > > lib/ASN1.y:81.8-15: warning: symbol OPTIONAL redeclared That is harmless. > But I also found out I had a serious problem with bison, it hangs and grabs > almost a full cpu, so I'm looking into this issue and I'll see what happens > when/if I can fix bison.. Try bison 2.4.1. /Simon From simon at josefsson.org Thu May 28 12:03:54 2009 From: simon at josefsson.org (Simon Josefsson) Date: Thu, 28 May 2009 12:03:54 +0200 Subject: GnuTLS 2.9.0 Message-ID: <87ab4x8rxx.fsf@mocca.josefsson.org> The GnuTLS 2.9.x branch is NOT what you want for your stable system. It is intended for developers and experienced users. This is a quick release to jump-start the next v2.9.x development branch. It would be nice to complete the TLS 1.2 support in it. What else do you think we should do? Here are the compressed sources: http://alpha.gnu.org/gnu/gnutls/gnutls-2.9.0.tar.bz2 (5.9MB) ftp://alpha.gnu.org/gnu/gnutls/gnutls-2.9.0.tar.bz2 Here is the OpenPGP signature: http://alpha.gnu.org/gnu/gnutls/gnutls-2.9.0.tar.bz2.sig ftp://alpha.gnu.org/gnu/gnutls/gnutls-2.9.0.tar.bz2.sig Improving GnuTLS is costly, but you can help! We are looking for organizations that find GnuTLS useful and wish to contribute back. You can contribute by reporting bugs, improve the software, or donate money or equipment. Commercial support contracts for GnuTLS are available, and they help finance continued maintenance. Simon Josefsson Datakonsult AB, a Stockholm based privately held company, is currently funding GnuTLS maintenance. We are always looking for interesting development projects. See http://josefsson.org/ for more details. /Simon * Version 2.9.0 (released 2009-05-28) ** Doc fixes. ** API and ABI modifications: No changes since last version. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 419 bytes Desc: not available URL: From simon at josefsson.org Thu May 28 12:31:08 2009 From: simon at josefsson.org (Simon Josefsson) Date: Thu, 28 May 2009 12:31:08 +0200 Subject: libtasn1 compile issue in ANS1.c In-Reply-To: (Didier Godefroy's message of "Thu, 28 May 2009 12:17:59 +0200") References: Message-ID: <874ov58qoj.fsf@mocca.josefsson.org> Didier, please also reply to the list, to archive the discussion. Didier Godefroy writes: >>> But I also found out I had a serious problem with bison, it hangs and grabs >>> almost a full cpu, so I'm looking into this issue and I'll see what happens >>> when/if I can fix bison.. >> >> Try bison 2.4.1. > > I had 2.3 and now 2.4.1 does the same thing, on more than one machine. > I don't know what's causing this, it hangs thee, grabbing nearly a full cpu > by itself. During the tests, many tests hang that way and I have to kill the > hung process to go on to the next. > There must be something specific to tru64, because it does this on different > machines. I run 5.1b on all systems. > > I'm stuck with bison, so I can regenerate that new ASN1.c for now.. Strange, you should probably report that as a bison bug. I have applied the patch to libtasn1, so please try to build this snapshot: http://daily.josefsson.org/libtasn1/libtasn1-20090528.tar.gz /Simon From simon at josefsson.org Thu May 28 13:33:51 2009 From: simon at josefsson.org (Simon Josefsson) Date: Thu, 28 May 2009 13:33:51 +0200 Subject: libtasn1 compile issue in ANS1.c In-Reply-To: (Didier Godefroy's message of "Thu, 28 May 2009 12:55:31 +0200") References: Message-ID: <87vdnl797k.fsf@mocca.josefsson.org> Didier Godefroy writes: > on 5/28/09 12:31 PM, Simon Josefsson at simon at josefsson.org uttered the > following: > >> Didier, please also reply to the list, to archive the discussion. > > Sorry about that ;-/ > >> Strange, you should probably report that as a bison bug. > > I will probably end up doing that, I can't figure out what's causing this. > >> I have applied the patch to libtasn1, so please try to build this >> snapshot: >> >> http://daily.josefsson.org/libtasn1/libtasn1-20090528.tar.gz > > Ok, it built nicely. > I'm attaching data from the build you might be interested in (attachments > may not be useful on the list...). Ok, great, thanks for confirming. > Here are the variables I put in the environment before configure: > > CC=cc > CFLAGS="-O4 -g3 -w" > CPPFLAGS="-pthread -I/usr/local/include" > LDFLAGS="-L/usr/local/lib" > LD_LIBRARY_PATH=/usr/local/lib > MAKE=gmake > PATH=/usr/bin:/bin:/usr/sbin:/sbin:.:/usr/local/bin > > And this is all I have for configure: > > ./configure \ > --prefix=/usr/local \ > --enable-gtk-doc-html=no \ > --verbose > > I turn off the compiler warnings with -w but if you wanted to clean up a few > more things, I could re-run the build without it and send you that log. > This should give you a pretty good look into tru64's building of tasn1 now. > It's working nicely out of the box now, aside from a few small details such > as the "cannot open ./.prev-version" and maybe some compiler warnings, it's > looking good. Please do a -w compile. The .prev-version is harmless. /Simon From pdh at wiredyne.com Thu May 28 18:02:47 2009 From: pdh at wiredyne.com (Peter Hendrickson) Date: 28 May 2009 16:02:47 -0000 Subject: gnutls_record_check_pending() broken? Message-ID: <20090528160247.2497.qmail@wiredyne.com> gnutls_record_check_pending() doesn't work for me. It always returns 0, even when data is pending. I've seen this behavior under Ubuntu 8.10 which has GnuTLS 2.4.1 as well as under OpenBSD 4.4 running GnuTLS 2.7.11. I followed the 2.7.11 version in the debugger and it quickly ends up in gnutls_buffers.c:_gnutls_record_buffer_get_size(). That function just returns the value kept in session->internals.application_data_buffer.length -- and that value seems to be consistently zero. I haven't figured out what is supposed to be setting it. I don't see a test for this function in the self checking code. Is anybody else seeing it work? Peter From simon at josefsson.org Thu May 28 18:38:12 2009 From: simon at josefsson.org (Simon Josefsson) Date: Thu, 28 May 2009 18:38:12 +0200 Subject: gnutls_record_check_pending() broken? In-Reply-To: <20090528160247.2497.qmail@wiredyne.com> (Peter Hendrickson's message of "28 May 2009 16:02:47 -0000") References: <20090528160247.2497.qmail@wiredyne.com> Message-ID: <87octd5gjv.fsf@mocca.josefsson.org> Peter Hendrickson writes: > gnutls_record_check_pending() doesn't work for me. It always returns > 0, even when data is pending. How did you test this? A small code demonstrating the problem would help. I'll see if I can get something to work too... Note that the function doesn't peek in the socket, it just returns what's stored in the internal buffer. You need to use poll or select to check whether data is pending in the socket. Presumably, if you set up a server that returns a large buffer, and writes a client that reads just one byte, then the g_r_check_pending function should return non-0. > I followed the 2.7.11 version in the debugger and it quickly ends up > in gnutls_buffers.c:_gnutls_record_buffer_get_size(). That function > just returns the value kept in > session->internals.application_data_buffer.length -- and that value > seems to be consistently zero. I haven't figured out what is supposed > to be setting it. It is typically set by, e.g., _gnutls_record_buffer_put. /Simon From simon at josefsson.org Thu May 28 18:46:03 2009 From: simon at josefsson.org (Simon Josefsson) Date: Thu, 28 May 2009 18:46:03 +0200 Subject: gnutls_record_check_pending() broken? In-Reply-To: <87octd5gjv.fsf@mocca.josefsson.org> (Simon Josefsson's message of "Thu, 28 May 2009 18:38:12 +0200") References: <20090528160247.2497.qmail@wiredyne.com> <87octd5gjv.fsf@mocca.josefsson.org> Message-ID: <87k5415g6s.fsf@mocca.josefsson.org> Simon Josefsson writes: > Peter Hendrickson writes: > >> gnutls_record_check_pending() doesn't work for me. It always returns >> 0, even when data is pending. > > How did you test this? A small code demonstrating the problem would > help. I'll see if I can get something to work too... Indeed, the patch below against mini.c demonstrate it working. For me it prints: ... ret 1 waiting 8 ... /Simon diff --git a/tests/mini.c b/tests/mini.c index b64401d..a883c67 100644 --- a/tests/mini.c +++ b/tests/mini.c @@ -218,7 +218,12 @@ doit (void) ns = gnutls_record_send (server, MSG, strlen (MSG)); success ("server: sent %d\n", ns); - ret = gnutls_record_recv (client, buffer, MAX_BUF); + ret = gnutls_record_recv (client, buffer, 1); + printf ("ret %d\n", ret); + + printf ("waiting %d\n", gnutls_record_check_pending (client)); + + ret = gnutls_record_recv (client, buffer + 1, MAX_BUF); if (ret == 0) { fail ("client: Peer has closed the TLS connection\n"); From pdh at wiredyne.com Thu May 28 19:56:32 2009 From: pdh at wiredyne.com (Peter Hendrickson) Date: 28 May 2009 17:56:32 -0000 Subject: gnutls_record_check_pending() broken? In-Reply-To: <87k5415g6s.fsf@mocca.josefsson.org> (message from Simon Josefsson on Thu, 28 May 2009 18:46:03 +0200) References: <20090528160247.2497.qmail@wiredyne.com> <87octd5gjv.fsf@mocca.josefsson.org> <87k5415g6s.fsf@mocca.josefsson.org> Message-ID: <20090528175632.28741.qmail@wiredyne.com> Simon writes: > Simon Josefsson writes: > > Peter Hendrickson writes: > > > >> gnutls_record_check_pending() doesn't work for me. It always returns > >> 0, even when data is pending. > > > > How did you test this? A small code demonstrating the problem would > > help. I'll see if I can get something to work too... > > Indeed, the patch below against mini.c demonstrate it working. For me > it prints: It prints for me, too. What happens if you put the record_check_pending() call before you do the gnutls_record_recv()? For me, it reports no bytes pending, even if I do a sleep(10). Peter From pdh at wiredyne.com Thu May 28 20:25:31 2009 From: pdh at wiredyne.com (Peter Hendrickson) Date: 28 May 2009 18:25:31 -0000 Subject: gnutls_dh_get_prime_bits() returns wrong values Message-ID: <20090528182531.1883.qmail@wiredyne.com> When I run gnutls_dh_get_prime_bits() it returns a value 8 bits larger than the actual length of the prime. For example, if I load a Diffie-Hellman parameter with 4096 bits, I am told after the negotiation that the prime was 4104 bits long. It looks like it's getting something from dh->prime.size and multiplying it by 8 and that prime.size is one larger than is correct. In the debugger I watched gnutls_dh_params_import_pkcs3() load the parameters and it looks like one-larger prime.size is getting set in the process of ASN.1 parsing and MPI construction. Probably that's correct and dh_get_prime_bits() should be doing a little more work to report the right value. For one thing, if it's reporting the number of bits, it can't multiply an integer by 8 and always be correct. Peter From simon at josefsson.org Thu May 28 20:28:34 2009 From: simon at josefsson.org (Simon Josefsson) Date: Thu, 28 May 2009 20:28:34 +0200 Subject: gnutls_record_check_pending() broken? In-Reply-To: <20090528175632.28741.qmail@wiredyne.com> (Peter Hendrickson's message of "28 May 2009 17:56:32 -0000") References: <20090528160247.2497.qmail@wiredyne.com> <87octd5gjv.fsf@mocca.josefsson.org> <87k5415g6s.fsf@mocca.josefsson.org> <20090528175632.28741.qmail@wiredyne.com> Message-ID: <87r5y9w08d.fsf@mocca.josefsson.org> Peter Hendrickson writes: > Simon writes: >> Simon Josefsson writes: >> > Peter Hendrickson writes: >> > >> >> gnutls_record_check_pending() doesn't work for me. It always returns >> >> 0, even when data is pending. >> > >> > How did you test this? A small code demonstrating the problem would >> > help. I'll see if I can get something to work too... >> >> Indeed, the patch below against mini.c demonstrate it working. For me >> it prints: > > It prints for me, too. > > What happens if you put the record_check_pending() call before you do > the gnutls_record_recv()? For me, it reports no bytes pending, even > if I do a sleep(10). That won't work: the purpose of gnutls_record_check_pending() is to check if there is data stored in buffers within GnuTLS. Before you call gnutls_record_recv, there won't be any data in the buffers. After a call to gnutls_record_recv, the data that was not returned to the caller of the function will be stored in an internal buffer. The purpose of the function is to find out if there is such data pending. So I don't see a problem here actually. It sounds as if you should use poll/select to check if there is data pending to be read from the socket. When that is true, you should call gnutls_record_recv. Of that returns a complete buffer, you can call gnutls_record_check_pending how much data is stored in a buffer -- that amount of data can be read without a blocking socket read, again by calling gnutls_record_recv. /Simon From nmav at gnutls.org Thu May 28 20:49:01 2009 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Thu, 28 May 2009 21:49:01 +0300 Subject: libtasn1 compile issue in ANS1.c In-Reply-To: <87iqjoz0sa.fsf@mocca.josefsson.org> References: <4A1B50E1.3090404@gnutls.org> <87iqjoz0sa.fsf@mocca.josefsson.org> Message-ID: <4A1EDC9D.90608@gnutls.org> Simon Josefsson wrote: >>> That did it!!! >>> It didn't complain, built all the way and all 5 tests passed. >>> One more porting issue fixed. >> I just noticed that this enumeration is auto-generated with bison from >> the given grammar's tokens, thus TRUE/FALSE cannot be replaced. However >> would adding #undef TRUE and #undef FALSE solve the compilation issue >> for you? > > We can change the bison source, can't we? Like this: It seems I'm no longer familiar with bison :) regards, Nikos From pdh at wiredyne.com Thu May 28 21:02:55 2009 From: pdh at wiredyne.com (Peter Hendrickson) Date: 28 May 2009 19:02:55 -0000 Subject: gnutls_record_check_pending() broken? In-Reply-To: <87r5y9w08d.fsf@mocca.josefsson.org> (message from Simon Josefsson on Thu, 28 May 2009 20:28:34 +0200) References: <20090528160247.2497.qmail@wiredyne.com> <87octd5gjv.fsf@mocca.josefsson.org> <87k5415g6s.fsf@mocca.josefsson.org> <20090528175632.28741.qmail@wiredyne.com> <87r5y9w08d.fsf@mocca.josefsson.org> Message-ID: <20090528190255.14915.qmail@wiredyne.com> Simon writes: > That won't work: the purpose of gnutls_record_check_pending() is to > check if there is data stored in buffers within GnuTLS. Before you > call gnutls_record_recv, there won't be any data in the buffers. > After a call to gnutls_record_recv, the data that was not returned > to the caller of the function will be stored in an internal buffer. > The purpose of the function is to find out if there is such data > pending. Okay, that makes sense to me. This should be elaborated upon in the documentation because the obvious use for this function is to ask "if I run gnutls_record_recv() will it block?" which is apparently not what it does. > So I don't see a problem here actually. It sounds as if you should use > poll/select to check if there is data pending to be read from the > socket. When that is true, you should call gnutls_record_recv. I needed to do that anyway, so no great loss. ;-) Peter From simon at josefsson.org Thu May 28 22:18:58 2009 From: simon at josefsson.org (Simon Josefsson) Date: Thu, 28 May 2009 22:18:58 +0200 Subject: gnutls_record_check_pending() broken? In-Reply-To: <20090528190255.14915.qmail@wiredyne.com> (Peter Hendrickson's message of "28 May 2009 19:02:55 -0000") References: <20090528160247.2497.qmail@wiredyne.com> <87octd5gjv.fsf@mocca.josefsson.org> <87k5415g6s.fsf@mocca.josefsson.org> <20090528175632.28741.qmail@wiredyne.com> <87r5y9w08d.fsf@mocca.josefsson.org> <20090528190255.14915.qmail@wiredyne.com> Message-ID: <87ws81nfpp.fsf@mocca.josefsson.org> Peter Hendrickson writes: > Simon writes: >> That won't work: the purpose of gnutls_record_check_pending() is to >> check if there is data stored in buffers within GnuTLS. Before you >> call gnutls_record_recv, there won't be any data in the buffers. >> After a call to gnutls_record_recv, the data that was not returned >> to the caller of the function will be stored in an internal buffer. >> The purpose of the function is to find out if there is such data >> pending. > > Okay, that makes sense to me. This should be elaborated upon in the > documentation because the obvious use for this function is to ask "if > I run gnutls_record_recv() will it block?" which is apparently not > what it does. It can be used for that -- gnutls_record_recv will never invoke the pull function (and thus will never block) if you call it with a sizeofdata parameter less/equal to what gnutls_record_check_pending has just returned. /Simon From dg at ulysium.net Thu May 28 22:54:14 2009 From: dg at ulysium.net (Didier Godefroy) Date: Thu, 28 May 2009 22:54:14 +0200 Subject: libtasn1 compile issue in ANS1.c In-Reply-To: <87vdnl797k.fsf@mocca.josefsson.org> Message-ID: on 5/28/09 1:33 PM, Simon Josefsson at simon at josefsson.org uttered the following: >> Here are the variables I put in the environment before configure: >> >> CC=cc >> CFLAGS="-O4 -g3 -w" >> CPPFLAGS="-pthread -I/usr/local/include" >> LDFLAGS="-L/usr/local/lib" >> LD_LIBRARY_PATH=/usr/local/lib >> MAKE=gmake >> PATH=/usr/bin:/bin:/usr/sbin:/sbin:.:/usr/local/bin >> >> And this is all I have for configure: >> >> ./configure \ >> --prefix=/usr/local \ >> --enable-gtk-doc-html=no \ >> --verbose >> >> I turn off the compiler warnings with -w but if you wanted to clean up a few >> more things, I could re-run the build without it and send you that log. >> This should give you a pretty good look into tru64's building of tasn1 now. >> It's working nicely out of the box now, aside from a few small details such >> as the "cannot open ./.prev-version" and maybe some compiler warnings, it's >> looking good. > > Please do a -w compile. The .prev-version is harmless. Ok, I rebuilt from scratch with the warnings turned on, and there are many warnings. Make log attached. I will re-test if you find fixes and you wish to get this tested again on my platform. Thanks, -- Didier Godefroy mailto:dg at ulysium.net Support anti-Spam legislation. Join the fight http://www.cauce.org/ From simon at josefsson.org Thu May 28 23:08:14 2009 From: simon at josefsson.org (Simon Josefsson) Date: Thu, 28 May 2009 23:08:14 +0200 Subject: libtasn1 compile issue in ANS1.c In-Reply-To: (Didier Godefroy's message of "Thu, 28 May 2009 22:54:14 +0200") References: Message-ID: <87k541ndfl.fsf@mocca.josefsson.org> Didier Godefroy writes: > Ok, I rebuilt from scratch with the warnings turned on, and there are many > warnings. > > Make log attached. Thanks, all warnings were of the 'ptrmismatch1' type which are rather harmless. Patches welcome. ;) /Simon From dg at ulysium.net Thu May 28 23:12:16 2009 From: dg at ulysium.net (Didier Godefroy) Date: Thu, 28 May 2009 23:12:16 +0200 Subject: libtasn1 compile issue in ANS1.c In-Reply-To: <87k541ndfl.fsf@mocca.josefsson.org> Message-ID: on 5/28/09 11:08 PM, Simon Josefsson at simon at josefsson.org uttered the following: > Didier Godefroy writes: > >> Ok, I rebuilt from scratch with the warnings turned on, and there are many >> warnings. >> >> Make log attached. > > Thanks, all warnings were of the 'ptrmismatch1' type which are rather > harmless. Patches welcome. ;) I wouldn't know how to fix that, so patches wouldn't come from me unfortunately. I'm not a C programmer and I would be too afraid of screwing something up if I changed some code... :-/ -- Didier Godefroy mailto:dg at ulysium.net Support anti-Spam legislation. Join the fight http://www.cauce.org/ From simon at josefsson.org Thu May 28 23:24:08 2009 From: simon at josefsson.org (Simon Josefsson) Date: Thu, 28 May 2009 23:24:08 +0200 Subject: libtasn1 compile issue in ANS1.c In-Reply-To: (Didier Godefroy's message of "Thu, 28 May 2009 23:12:16 +0200") References: <87k541ndfl.fsf@mocca.josefsson.org> Message-ID: <87fxeoor9j.fsf@mocca.josefsson.org> Didier Godefroy writes: > on 5/28/09 11:08 PM, Simon Josefsson at simon at josefsson.org uttered the > following: > >> Didier Godefroy writes: >> >>> Ok, I rebuilt from scratch with the warnings turned on, and there are many >>> warnings. >>> >>> Make log attached. >> >> Thanks, all warnings were of the 'ptrmismatch1' type which are rather >> harmless. Patches welcome. ;) > > I wouldn't know how to fix that, so patches wouldn't come from me > unfortunately. I'm not a C programmer and I would be too afraid of screwing > something up if I changed some code... Until someone else steps up to work on this, don't worry, as I believe the warnings are harmless. /Simon From matej at svrcek.org Sat May 30 21:41:25 2009 From: matej at svrcek.org (=?iso-8859-2?q?Mat=ECj_=A9vr=E8ek?=) Date: Sat, 30 May 2009 21:41:25 +0200 Subject: Libtasn1 Message-ID: <200905302141.25676.matej@svrcek.org> Hallo, I would like to report a broken link on your site http://www.gnu.org/software/gnutls/download.html I tried several links to download libtasn1, but none of the links worked for me, it seems as libtasn1 is no longer part of GNU project. Hope it helps Matthew -- Matej Svrcek gsm 777711818 skype matejsvrcek jabber prom at jabbim.cz From nmav at gnutls.org Sun May 31 09:04:10 2009 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Sun, 31 May 2009 10:04:10 +0300 Subject: gnutls_dh_get_prime_bits() returns wrong values In-Reply-To: <20090528182531.1883.qmail@wiredyne.com> References: <20090528182531.1883.qmail@wiredyne.com> Message-ID: <4A222BEA.1020107@gnutls.org> Peter Hendrickson wrote: > When I run gnutls_dh_get_prime_bits() it returns a value 8 bits larger > than the actual length of the prime. For example, if I load a > Diffie-Hellman parameter with 4096 bits, I am told after the > negotiation that the prime was 4104 bits long. > > It looks like it's getting something from dh->prime.size and > multiplying it by 8 and that prime.size is one larger than is correct. > > In the debugger I watched gnutls_dh_params_import_pkcs3() load the > parameters and it looks like one-larger prime.size is getting set in > the process of ASN.1 parsing and MPI construction. Probably that's > correct and dh_get_prime_bits() should be doing a little more work to > report the right value. For one thing, if it's reporting the number > of bits, it can't multiply an integer by 8 and always be correct. Indeed you are right and thank you for the bug report. The number is being rounded on byte level. I have noted it down as bug. regards, Nikos From nmav at gnutls.org Sun May 31 08:57:04 2009 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Sun, 31 May 2009 09:57:04 +0300 Subject: Libtasn1 In-Reply-To: <200905302141.25676.matej@svrcek.org> References: <200905302141.25676.matej@svrcek.org> Message-ID: <4A222A40.20308@gnutls.org> Mat?j ?vr?ek wrote: > Hallo, > > I would like to report a broken link on your site > http://www.gnu.org/software/gnutls/download.html > > I tried several links to download libtasn1, but none of the links worked for > me, it seems as libtasn1 is no longer part of GNU project. Until the link is fixed. You can download it from the gnutls directory: http://ftp.gnu.org/pub/gnu/gnutls/ regards, Nikos