From nmav at gnutls.org Sat Apr 2 10:40:30 2011
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Sat, 02 Apr 2011 10:40:30 +0200
Subject: gnutls 2.12.1
Message-ID: <4D96E0FE.10200@gnutls.org>
I've just released gnutls 2.12.1. It is a bugfix release.
What's New
==========
** certtool: Generated certificate request with stricter permissions.
Reported by Luca Capello.
** libgnutls: Bug fixes in opencdk code. Reported by Vitaly Kruglikov.
** libgnutls: Corrected windows system_errno() function prototype.
** libgnutls: C++ compatibility fix for compat.h. Reported by Mark Brand.
** libgnutls: Fix size of gnutls_openpgp_keyid_t by using the
GNUTLS_OPENPGP_KEYID_SIZE definition. Reported by Andreas Metzler.
** API and ABI modifications:
No changes since last version.
Getting the Software
====================
GnuTLS may be downloaded from one of the GNU mirror sites or directly
>From . The list of GNU mirrors can be
found at and a list of GnuTLS mirrors
can be found at .
Here are the BZIP2 compressed sources:
ftp://ftp.gnu.org/gnu/gnutls/gnutls-2.12.1.tar.bz2
http://ftp.gnu.org/gnu/gnutls/gnutls-2.12.1.tar.bz2
Here are OpenPGP detached signatures signed using key 0x96865171:
ftp://ftp.gnu.org/gnu/gnutls/gnutls-2.12.1.tar.bz2.sig
http://ftp.gnu.org/gnu/gnutls/gnutls-2.12.1.tar.bz2.sig
Note that it has been signed with my openpgp key:
pub 3104R/96865171 2008-05-04 [expires: 2028-04-29]
uid Nikos Mavrogiannopoulos
uid Nikos Mavrogiannopoulos
sub 2048R/9013B842 2008-05-04 [expires: 2018-05-02]
sub 2048R/1404A91D 2008-05-04 [expires: 2018-05-02]
regards,
Nikos
From nmav at gnutls.org Sun Apr 3 01:42:10 2011
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Sun, 03 Apr 2011 01:42:10 +0200
Subject: different lib directories for gnutls and nettle
In-Reply-To: <437hbgql64.wl%bjg@gnu.org>
References: <437hbgql64.wl%bjg@gnu.org>
Message-ID: <4D97B452.9080100@gnutls.org>
On 03/31/2011 12:48 AM, Brian Gough wrote:
> Hi, now that GNU TLS is using nettle I notice there is a difference
> between the --libdir for the two packages on 64 bit.
> Nettle installs to $prefix/lib64/ and GNU TLS looks for it in
> $prefix/lib/ -- so it fails and the standard configure/install to a
> prefix doesn't work.
Indeed it seems nettle for some reason uses the /usr/lib64. Niels,
is there really a reason for that? As I understand from the FHS[0]
/usr/lib is the system library directory. /usr/lib64 and /usr/lib32
might not even be there.
regards,
Nikos
[0].
http://www.pathname.com/fhs/pub/fhs-2.3.html#USRLIBLIBRARIESFORPROGRAMMINGANDPA
From dbreiser at gmail.com Sat Apr 2 17:42:30 2011
From: dbreiser at gmail.com (David Reiser)
Date: Sat, 2 Apr 2011 11:42:30 -0400
Subject: gnutls 2.12.1 won't build for me on OS X
Message-ID:
Under 'Making all in examples' the build quits a little later with:
CCLD ex-cert-select
libtool: link: warning: `-no-install' is ignored for i386-apple-darwin10.7.0
libtool: link: warning: assuming `-no-fast-install' instead
libtool: link: warning: library `/sw/lib/libgmp.la' was moved.
ld: duplicate symbol _main in ./.libs/libexamples.a(ex-cert-select-pkcs11.o) and ex-cert-select.o
collect2: ld returned 1 exit status
make[4]: *** [ex-cert-select] Error 1
And while I'm here, if nettle is replacing libgcrypt, why does lib/nettle/init.c still #include ?
--
David Reiser
dbreiser at gmail.com
From nmav at gnutls.org Sun Apr 3 23:47:39 2011
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Sun, 03 Apr 2011 23:47:39 +0200
Subject: gnutls 2.12.1 won't build for me on OS X
In-Reply-To:
References:
Message-ID: <4D98EAFB.3010406@gnutls.org>
On 04/02/2011 05:42 PM, David Reiser wrote:
> Under 'Making all in examples' the build quits a little later with:
> CCLD ex-cert-select
> libtool: link: warning: `-no-install' is ignored for i386-apple-darwin10.7.0
> libtool: link: warning: assuming `-no-fast-install' instead
> libtool: link: warning: library `/sw/lib/libgmp.la' was moved.
> ld: duplicate symbol _main in ./.libs/libexamples.a(ex-cert-select-pkcs11.o) and ex-cert-select.o
> collect2: ld returned 1 exit status
> make[4]: *** [ex-cert-select] Error 1
Thanks for reporting that. I've committed a fix.
> And while I'm here, if nettle is replacing libgcrypt, why does lib/nettle/init.c still #include ?
It shouldn't have been there. I've removed that. Apart from these
did you have any issues using gnutls 2.12 in OSX?
regards,
Nikos
From lrn1986 at gmail.com Mon Apr 4 03:04:57 2011
From: lrn1986 at gmail.com (LRN)
Date: Mon, 04 Apr 2011 05:04:57 +0400
Subject: W32 testsuite results
Message-ID: <4D991939.6040701@gmail.com>
Does anyone have testsuite (make -k check) results for gnutls-2.12.1 on
W32 (i would prefer native W32, but the ones from Wine are better than
nothing at all)? Built against libgcrypt.
I'm building gnutls myself (with some minor patches) and i'm not sure
whether my mixed testsuite results are expected (known bugs or unported
features) or not (i broke something).
From INVALID.NOREPLY at gnu.org Mon Apr 4 14:49:31 2011
From: INVALID.NOREPLY at gnu.org (LRN)
Date: Mon, 04 Apr 2011 12:49:31 +0000
Subject: [sr #107647] Gnutls fails several tests - A TLS packet with
unexpected length was received.
Message-ID: <20110404-124930.sv74148.75292@savannah.gnu.org>
URL:
Summary: Gnutls fails several tests - A TLS packet with
unexpected length was received.
Project: GnuTLS
Submitted by: lrn
Submitted on: Mon 04 Apr 2011 12:49:30 PM GMT
Category: None
Priority: 5 - Normal
Severity: 3 - Normal
Status: None
Privacy: Public
Assigned to: None
Originator Email:
Open/Closed: Open
Discussion Lock: Any
Operating System: Microsoft Windows
_______________________________________________________
Details:
Probable cause might be located by this line in the log:
|<7>| WRITE: enqueued 83 bytes for ffffffff. Total 83 bytes.
Which, AFAIU, means that transport_send_ptr is -1. transport_recv_ptr is also
-1, and reading from it suddenly fails. Makes me wonder.
AFAIU, transport_*_ptr are set by gnutls_transport_set_ptr() or
gnutls_transport_set_ptr2(). The only in-library functions that call any of
these are weirdly-defined s_scm_gnutls_set_session_transport_fd_x and
s_scm_gnutls_set_session_transport_port_x. These two are not used by mini.c,
and neither are transport_*_ptr.
Log is attached.
_______________________________________________________
File Attachments:
-------------------------------------------------------
Date: Mon 04 Apr 2011 12:49:30 PM GMT Name: gdb.log.tar.xz Size: 3kB By:
lrn
Log of a debugging session
_______________________________________________________
Reply to this item at:
_______________________________________________
Message sent via/by Savannah
http://savannah.gnu.org/
From nmav at gnutls.org Mon Apr 4 16:15:26 2011
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Mon, 04 Apr 2011 16:15:26 +0200
Subject: W32 testsuite results
In-Reply-To: <4D991939.6040701@gmail.com>
References: <4D991939.6040701@gmail.com>
Message-ID: <4D99D27E.7030002@gnutls.org>
On 04/04/2011 03:04 AM, LRN wrote:
> Does anyone have testsuite (make -k check) results for gnutls-2.12.1 on
> W32 (i would prefer native W32, but the ones from Wine are better than
> nothing at all)? Built against libgcrypt.
> I'm building gnutls myself (with some minor patches) and i'm not sure
> whether my mixed testsuite results are expected (known bugs or unported
> features) or not (i broke something).
Not me. Which tests failed? Do gnutls-cli and gnutls-serv operate?
regards,
Nikos
From lrn1986 at gmail.com Mon Apr 4 18:01:12 2011
From: lrn1986 at gmail.com (LRN)
Date: Mon, 04 Apr 2011 20:01:12 +0400
Subject: W32 testsuite results
In-Reply-To: <4D99D27E.7030002@gnutls.org>
References: <4D991939.6040701@gmail.com> <4D99D27E.7030002@gnutls.org>
Message-ID: <4D99EB48.9030200@gmail.com>
On 04.04.2011 18:15, Nikos Mavrogiannopoulos wrote:
> On 04/04/2011 03:04 AM, LRN wrote:
>> Does anyone have testsuite (make -k check) results for gnutls-2.12.1 on
>> W32 (i would prefer native W32, but the ones from Wine are better than
>> nothing at all)? Built against libgcrypt.
>> I'm building gnutls myself (with some minor patches) and i'm not sure
>> whether my mixed testsuite results are expected (known bugs or unported
>> features) or not (i broke something).
> Not me. Which tests failed? Do gnutls-cli and gnutls-serv operate?
>
make[7]: Entering directory `/f/src/for-mingwmsys/gnutls/bld/lib/gl/tests'
PASS: test-alloca-opt.exe
FAIL: test-binary-io.sh
PASS: test-byteswap.exe
PASS: test-c-ctype.exe
PASS: test-errno.exe
PASS: test-fcntl-h.exe
PASS: test-fseeko.sh
PASS: test-fseeko2.sh
PASS: test-ftello.sh
PASS: test-ftello2.sh
PASS: test-ftello3.exe
PASS: test-func.exe
PASS: test-memchr.exe
PASS: test-netdb.exe
PASS: test-read-file.exe
PASS: test-snprintf.exe
PASS: test-sockets.exe
PASS: test-stdbool.exe
PASS: test-stddef.exe
PASS: test-stdint.exe
PASS: test-stdio.exe
PASS: test-stdlib.exe
PASS: test-string.exe
PASS: test-strings.exe
PASS: test-strverscmp.exe
PASS: test-sys_socket.exe
PASS: test-sys_stat.exe
PASS: test-time.exe
PASS: test-unistd.exe
PASS: test-vasnprintf.exe
PASS: test-vasprintf.exe
PASS: test-verify.exe
PASS: test-verify.sh
PASS: test-vsnprintf.exe
===================================
1 of 34 tests failed
Please report to bug-gnutls at gnu.org
===================================
make[6]: Entering directory `/f/src/for-mingwmsys/gnutls/bld/gl/tests'
PASS: test-alignof.exe
PASS: test-alloca-opt.exe
PASS: test-arpa_inet.exe
FAIL: test-binary-io.sh
PASS: test-c-ctype.exe
PASS: test-errno.exe
PASS: test-fcntl-h.exe
PASS: test-fseeko.sh
PASS: test-fseeko2.sh
PASS: test-ftello.sh
PASS: test-ftello2.sh
PASS: test-ftello3.exe
PASS: test-getaddrinfo.exe
PASS: test-getdelim.exe
PASS: test-getline.exe
PASS: test-gettimeofday.exe
PASS: test-inet_ntop.exe
PASS: test-inet_pton.exe
PASS: test-lseek.sh
PASS: test-memchr.exe
PASS: test-netdb.exe
PASS: test-netinet_in.exe
PASS: test-perror.sh
PASS: test-pipe.exe
PASS: test-read-file.exe
Unconnected socket test... passed
Connected sockets test... passed
General socket test with fork... passed
Pipe test... passed
PASS: test-select.exe
PASS: test-select-in.sh
PASS: test-select-out.sh
PASS: test-snprintf.exe
PASS: test-sockets.exe
PASS: test-stdbool.exe
PASS: test-stddef.exe
PASS: test-stdint.exe
PASS: test-stdio.exe
PASS: test-stdlib.exe
PASS: test-strerror.exe
PASS: test-string.exe
PASS: test-sys_ioctl.exe
PASS: test-sys_select.exe
PASS: test-sys_socket.exe
PASS: test-sys_stat.exe
PASS: test-sys_time.exe
PASS: test-time.exe
PASS: test-unistd.exe
PASS: test-update-copyright.sh
PASS: test-vasnprintf.exe
PASS: test-vc-list-files-git.sh
PASS: test-vc-list-files-cvs.sh
PASS: test-verify.exe
PASS: test-verify.sh
PASS: test-version-etc.sh
===================================
1 of 51 tests failed
Please report to bug-gnutls at gnu.org
===================================
make[3]: Entering directory `/f/src/for-mingwmsys/gnutls/bld/tests'
Self test `f:/src/for-mingwmsys/gnutls/bld/tests/.libs/simple.exe'
finished with 0 errors
PASS: simple.exe
Self test `f:/src/for-mingwmsys/gnutls/bld/tests/.libs/gc.exe' finished
with 0 errors
PASS: gc.exe
Self test
`f:/src/for-mingwmsys/gnutls/bld/tests/.libs/set_pkcs12_cred.exe'
finished with 0 errors
PASS: set_pkcs12_cred.exe
Self test `f:/src/for-mingwmsys/gnutls/bld/tests/.libs/certder.exe'
finished with 0 errors
PASS: certder.exe
Self test `f:/src/for-mingwmsys/gnutls/bld/tests/.libs/certuniqueid.exe'
finished with 0 errors
PASS: certuniqueid.exe
mpi ops ok
Self test `f:/src/for-mingwmsys/gnutls/bld/tests/.libs/mpi.exe' finished
with 0 errors
PASS: mpi.exe
PASS: certificate_set_x509_crl.exe
Self test `f:/src/for-mingwmsys/gnutls/bld/tests/.libs/dn.exe' finished
with 0 errors
PASS: dn.exe
Self test `f:/src/for-mingwmsys/gnutls/bld/tests/.libs/parse_ca.exe'
finished with 0 errors
PASS: parse_ca.exe
Self test `f:/src/for-mingwmsys/gnutls/bld/tests/.libs/moredn.exe'
finished with 0 errors
PASS: moredn.exe
rng registered ok
Self test `f:/src/for-mingwmsys/gnutls/bld/tests/.libs/crypto_rng.exe'
finished with 0 errors
PASS: crypto_rng.exe
Self test `f:/src/for-mingwmsys/gnutls/bld/tests/.libs/mini.exe'
finished with 2 errors
server: error: The specified session has been invalidated for some reason.
client: Error: The specified session has been invalidated for some reason.
FAIL: mini.exe
Self test
`f:/src/for-mingwmsys/gnutls/bld/tests/.libs/hostname-check.exe'
finished with 2 errors
gnutls_openpgp_crt_import: -59
Hostname incorrectly does not match (0)
FAIL: hostname-check.exe
PASS: cve-2008-4989.exe
Self test `f:/src/for-mingwmsys/gnutls/bld/tests/.libs/pkcs12_s2k.exe'
finished with 0 errors
PASS: pkcs12_s2k.exe
chain[cacertrsamd5 ok]: verify_status: 1026 expected: 0
FAIL: chainverify.exe
Self test `f:/src/for-mingwmsys/gnutls/bld/tests/.libs/crq_key_id.exe'
finished with 0 errors
PASS: crq_key_id.exe
Self test
`f:/src/for-mingwmsys/gnutls/bld/tests/.libs/x509sign-verify.exe'
finished with 0 errors
PASS: x509sign-verify.exe
PASS: cve-2009-1415.exe
success!
PASS: cve-2009-1416.exe
Self test `f:/src/for-mingwmsys/gnutls/bld/tests/.libs/crq_apis.exe'
finished with 0 errors
PASS: crq_apis.exe
Self test
`f:/src/for-mingwmsys/gnutls/bld/tests/.libs/init_roundtrip.exe'
finished with 0 errors
PASS: init_roundtrip.exe
PASS: pkcs12_s2k_pem.exe
Self test `f:/src/for-mingwmsys/gnutls/bld/tests/.libs/dn2.exe' finished
with 0 errors
PASS: dn2.exe
Self test `f:/src/for-mingwmsys/gnutls/bld/tests/.libs/mini-eagain.exe'
finished with 1 errors
server: error: The specified session has been invalidated for some reason.
FAIL: mini-eagain.exe
Self test
`f:/src/for-mingwmsys/gnutls/bld/tests/.libs/nul-in-x509-names.exe'
finished with 0 errors
PASS: nul-in-x509-names.exe
Self test `f:/src/for-mingwmsys/gnutls/bld/tests/.libs/x509_altname.exe'
finished with 0 errors
PASS: x509_altname.exe
Self test
`f:/src/for-mingwmsys/gnutls/bld/tests/.libs/pkcs12_encode.exe' finished
with 0 errors
PASS: pkcs12_encode.exe
FAIL: mini-x509.exe
This application has requested the Runtime to terminate it in an unusual
way.
Please contact the application's support team for more information.
FAIL: mini-x509-rehandshake.exe
SKIP: rng-fork.exe
Self test `f:/src/for-mingwmsys/gnutls/bld/tests/.libs/openssl.exe'
finished with 0 errors
PASS: openssl.exe
SKIP: openpgp-auth.exe
Self test
`f:/src/for-mingwmsys/gnutls/bld/tests/.libs/openpgp-keyring.exe'
finished with 0 errors
PASS: openpgp-keyring.exe
gnutls_openpgp_privkey_import rc -59: GnuTLS internal error.
FAIL: pgps2kgnu.exe
PASS: rfc2253-escape-test
===================================
7 of 34 tests failed
(2 tests were not run)
Please report to bug-gnutls at gnu.org
===================================
make[3]: Entering directory
`/f/src/for-mingwmsys/gnutls/bld/tests/rsa-md5-collision'
Verification output: Not verified, Insecure algorithm.
Chain verification output: Not verified, Insecure algorithm.
Verification output: Not verified, Insecure algorithm.
Chain verification output: Not verified, Insecure algorithm.
PASS: rsa-md5-collision
=============
1 test passed
=============
make[3]: Entering directory
`/f/src/for-mingwmsys/gnutls/bld/tests/pkcs1-padding'
./pkcs1-pad: line 28: datefudge: command not found
Cannot fake timestamps, please install datefudge...
SKIP: pkcs1-pad
====================
All 0 tests passed
(1 test was not run)
====================
make[3]: Entering directory
`/f/src/for-mingwmsys/gnutls/bld/tests/pkcs8-decode'
PKCS8 OK encpkcs8.pem foobar
PKCS8 OK unencpkcs8.pem
PKCS8 OK enc2pkcs8.pem baz
PKCS8 DONE (rc 0)
PASS: pkcs8
=============
1 test passed
=============
make[3]: Entering directory
`/f/src/for-mingwmsys/gnutls/bld/tests/pkcs12-decode'
NEON PKCS12 OK client.p12 foobar
NEON PKCS12 OK noclient.p12
NEON PKCS12 OK unclient.p12
NEON PKCS12 OK pkcs12_2certs.p12
NEON PKCS12 DONE (rc 0)
PASS: pkcs12
=============
1 test passed
=============
make[3]: Entering directory `/f/src/for-mingwmsys/gnutls/bld/tests/userid'
PASS: userid
=============
1 test passed
=============
make[3]: Entering directory `/f/src/for-mingwmsys/gnutls/bld/tests/pathlen'
PASS: pathlen
=============
1 test passed
=============
make[3]: Entering directory `/f/src/for-mingwmsys/gnutls/bld/tests/key-id'
PASS: key-id
=============
1 test passed
=============
make[3]: Entering directory `/f/src/for-mingwmsys/gnutls/bld/tests/sha2'
PASS: sha2
PASS: sha2-dsa
==================
All 2 tests passed
==================
make[3]: Entering directory
`/f/src/for-mingwmsys/gnutls/bld/tests/safe-renegotiation'
This application has requested the Runtime to terminate it in an unusual
way.
Please contact the application's support team for more information.
|<0>| Session not using safe renegotiation!
FAIL: srn0.exe
PASS: srn1.exe
This application has requested the Runtime to terminate it in an unusual
way.
Please contact the application's support team for more information.
Client or server not using safe renegotiation extension?
FAIL: srn2.exe
FAIL: srn3.exe
This application has requested the Runtime to terminate it in an unusual
way.
Please contact the application's support team for more information.
FAIL: srn4.exe
This application has requested the Runtime to terminate it in an unusual
way.
Please contact the application's support team for more information.
FAIL: srn5.exe
===================================
5 of 6 tests failed
Please report to bug-gnutls at gnu.org
===================================
make[3]: Entering directory `/f/src/for-mingwmsys/gnutls/bld/tests/dsa'
Checking various DSA key sizes
Checking DSA-1024 with TLS 1.0
*** Fatal error: A TLS packet with unexpected length was received.
*** Server has terminated the connection abnormally.
Failure: Failed connection to a server with DSA 1024 key and TLS 1.0!
FAIL: testdsa
===================================
1 of 1 test failed
Please report to bug-gnutls at gnu.org
===================================
make[3]: Entering directory
`/f/src/for-mingwmsys/gnutls/bld/tests/openpgp-certs'
Checking OpenPGP certificate self verification
certtool.exe: import error: The scanning of a large integer has failed.
Failure: Self sig Verification should have succeeded!
certtool.exe: import error: The scanning of a large integer has failed.
Failure: Self sig Verification should have failed!
certtool.exe: import error: The scanning of a large integer has failed.
Failure: Self sig Verification should have failed!
certtool.exe: import error: The scanning of a large integer has failed.
Failure: Self sig Verification should have failed!
FAIL: testselfsigs
===================================
1 of 1 test failed
Please report to bug-gnutls at gnu.org
===================================
I'm blaming test-binary-io.sh on libtool (the test itself, the one in
.libs subdirectory, exits with 0 and writes the right 6-byte string into
stdout, but when it is run by a libtool wrapper, _spawn() returns 3).
Hangs up at "Checking DSA-1024 with TLS 1.0" (or, rather, enters
infinite loop; consumes very little resources though, so it must either
use a timer or some kind of wait function), have to kill the server to
kick it going again (or kill the client. Twice. And then kill the
server, also twice, because it just keeps waiting for a client to connect).
Also, obviously, i've had to skip rng-fork (because it uses fork()) and
openpgp-auth (because it uses socketpair(), and with unix domain sockets
at that!) tests. Other tests had to be patched to NOT to include
#include and some other headers not provided by MinGW.
I've also submitted a bug report about mini.exe (see the bug tracker),
because its cause seemed obvious to me (writes/reads to/from
fd==0xffffffff).
From INVALID.NOREPLY at gnu.org Tue Apr 5 03:52:45 2011
From: INVALID.NOREPLY at gnu.org (Christopher Head)
Date: Tue, 05 Apr 2011 01:52:45 +0000
Subject: [sr #107648] Misleading documentation for
GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT
Message-ID: <20110405-015244.sv82329.53884@savannah.gnu.org>
URL:
Summary: Misleading documentation for
GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT
Project: GnuTLS
Submitted by: hawk777
Submitted on: Tue 05 Apr 2011 01:52:44 AM GMT
Category: None
Priority: 5 - Normal
Severity: 2 - Minor
Status: None
Privacy: Public
Assigned to: None
Originator Email:
Open/Closed: Open
Discussion Lock: Any
Operating System: None
_______________________________________________________
Details:
The GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT option has as its first documentation
sentence "Allow only trusted CA certificates that have version 1.".
This is misleading. The first time I read it, I thought it meant it would
reject V3 CA certificates, allowing only V1 CA certificates! It might read
better as "Allow only trusted CA certificates *to be* version 1."
_______________________________________________________
Reply to this item at:
_______________________________________________
Message sent via/by Savannah
http://savannah.gnu.org/
From nmav at gnutls.org Tue Apr 5 09:52:21 2011
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Tue, 05 Apr 2011 09:52:21 +0200
Subject: W32 testsuite results
In-Reply-To: <4D99EB48.9030200@gmail.com>
References: <4D991939.6040701@gmail.com> <4D99D27E.7030002@gnutls.org>
<4D99EB48.9030200@gmail.com>
Message-ID: <4D9ACA35.1080000@gnutls.org>
On 04/04/2011 06:01 PM, LRN wrote:
> On 04.04.2011 18:15, Nikos Mavrogiannopoulos wrote:
>> On 04/04/2011 03:04 AM, LRN wrote:
>>> Does anyone have testsuite (make -k check) results for gnutls-2.12.1 on
>>> W32 (i would prefer native W32, but the ones from Wine are better than
>>> nothing at all)? Built against libgcrypt.
>>> I'm building gnutls myself (with some minor patches) and i'm not sure
>>> whether my mixed testsuite results are expected (known bugs or unported
>>> features) or not (i broke something).
>> Not me. Which tests failed? Do gnutls-cli and gnutls-serv operate?
> FAIL: test-binary-io.sh
> FAIL: mini.exe
> FAIL: hostname-check.exe
> FAIL: chainverify.exe
> FAIL: mini-eagain.exe
> FAIL: mini-x509.exe
> FAIL: mini-x509-rehandshake.exe
> FAIL: pgps2kgnu.exe
Did these tests succeed in previous gnutls versions at win32?
Unfortunately I cannot debug them, but if you run individual tests
with the -v option, they will provide more information about the
actual point of failure.
> I'm blaming test-binary-io.sh on libtool (the test itself, the one in
> .libs subdirectory, exits with 0 and writes the right 6-byte string into
> stdout, but when it is run by a libtool wrapper, _spawn() returns 3).
I have no idea about this test. It is a gnulib test. It should have
been introduced on the previous gnulib update.
> Hangs up at "Checking DSA-1024 with TLS 1.0" (or, rather, enters
> infinite loop; consumes very little resources though, so it must either
> use a timer or some kind of wait function), have to kill the server to
> kick it going again (or kill the client. Twice. And then kill the
> server, also twice, because it just keeps waiting for a client to connect).
>
> Also, obviously, i've had to skip rng-fork (because it uses fork()) and
> openpgp-auth (because it uses socketpair(), and with unix domain sockets
> at that!) tests. Other tests had to be patched to NOT to include
> #include and some other headers not provided by MinGW.
Could you send me those changes?
> I've also submitted a bug report about mini.exe (see the bug tracker),
> because its cause seemed obvious to me (writes/reads to/from
> fd==0xffffffff).
This shouldn't be a problem. The mini-* programs use fd==0xfffffff
because they emulate the communication and don't really use an fd.
regards,
Nikos
From lrn1986 at gmail.com Tue Apr 5 10:20:39 2011
From: lrn1986 at gmail.com (LRN)
Date: Tue, 05 Apr 2011 12:20:39 +0400
Subject: W32 testsuite results
In-Reply-To: <4D9ACA35.1080000@gnutls.org>
References: <4D991939.6040701@gmail.com> <4D99D27E.7030002@gnutls.org>
<4D99EB48.9030200@gmail.com> <4D9ACA35.1080000@gnutls.org>
Message-ID: <4D9AD0D7.8030602@gmail.com>
On 05.04.2011 11:52, Nikos Mavrogiannopoulos wrote:
> On 04/04/2011 06:01 PM, LRN wrote:
>> On 04.04.2011 18:15, Nikos Mavrogiannopoulos wrote:
>>> On 04/04/2011 03:04 AM, LRN wrote:
>>>> Does anyone have testsuite (make -k check) results for gnutls-2.12.1 on
>>>> W32 (i would prefer native W32, but the ones from Wine are better than
>>>> nothing at all)? Built against libgcrypt.
>>>> I'm building gnutls myself (with some minor patches) and i'm not sure
>>>> whether my mixed testsuite results are expected (known bugs or unported
>>>> features) or not (i broke something).
>>> Not me. Which tests failed? Do gnutls-cli and gnutls-serv operate?
>> FAIL: test-binary-io.sh
>> FAIL: mini.exe
>> FAIL: hostname-check.exe
>> FAIL: chainverify.exe
>> FAIL: mini-eagain.exe
>> FAIL: mini-x509.exe
>> FAIL: mini-x509-rehandshake.exe
>> FAIL: pgps2kgnu.exe
> Did these tests succeed in previous gnutls versions at win32?
No idea. This is the first time i'm building and testing it by myself
(used pre-built binaries from http://josefsson.org/gnutls4win/ until
recently)
> Unfortunately I cannot debug them, but if you run individual tests
> with the -v option, they will provide more information about the
> actual point of failure.
Would you want me to make a new entry in bug tracker? One for each
failing test, or just a single entry with debug logs for all failing
tests? Or just keep discussing it here?
>
>> I'm blaming test-binary-io.sh on libtool (the test itself, the one in
>> .libs subdirectory, exits with 0 and writes the right 6-byte string into
>> stdout, but when it is run by a libtool wrapper, _spawn() returns 3).
> I have no idea about this test. It is a gnulib test. It should have
> been introduced on the previous gnulib update.
That's what i thought. Anyway, i'm not very concerned about it.
>
>> Hangs up at "Checking DSA-1024 with TLS 1.0" (or, rather, enters
>> infinite loop; consumes very little resources though, so it must either
>> use a timer or some kind of wait function), have to kill the server to
>> kick it going again (or kill the client. Twice. And then kill the
>> server, also twice, because it just keeps waiting for a client to connect).
>>
>> Also, obviously, i've had to skip rng-fork (because it uses fork()) and
>> openpgp-auth (because it uses socketpair(), and with unix domain sockets
>> at that!) tests. Other tests had to be patched to NOT to include
>> #include and some other headers not provided by MinGW.
> Could you send me those changes?
Attached (these, and some other patches not related to the testsuite;
you might want to NOT to push these upstream, in particular sigalrm
patch is completely untested, and testsuite-makefile patch is only
necessary because some files are missing (?) from the release tarball).
>
>> I've also submitted a bug report about mini.exe (see the bug tracker),
>> because its cause seemed obvious to me (writes/reads to/from
>> fd==0xffffffff).
> This shouldn't be a problem. The mini-* programs use fd==0xfffffff
> because they emulate the communication and don't really use an fd.
>
Oh. Well, anyway, the log is in bug report. If you need anything else -
just ask.
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: 02-mingw32-don't-look-for-non-existing-makefile.mingw32.patch
URL:
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: 03-mingw32-fix-includes-on-windows.mingw32.patch
URL:
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: 01-mingw32-fix-sigalrm-on-windows.mingw32.patch
URL:
From nmav at gnutls.org Tue Apr 5 10:40:46 2011
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Tue, 5 Apr 2011 10:40:46 +0200
Subject: W32 testsuite results
In-Reply-To: <4D9AD0D7.8030602@gmail.com>
References: <4D991939.6040701@gmail.com> <4D99D27E.7030002@gnutls.org>
<4D99EB48.9030200@gmail.com> <4D9ACA35.1080000@gnutls.org>
<4D9AD0D7.8030602@gmail.com>
Message-ID:
On Tue, Apr 5, 2011 at 10:20 AM, LRN wrote:
> Would you want me to make a new entry in bug tracker? One for each failing
> test, or just a single entry with debug logs for all failing tests? Or just
> keep discussing it here?
I'd prefer the list.
regards,
Nikos
From lrn1986 at gmail.com Tue Apr 5 14:27:16 2011
From: lrn1986 at gmail.com (LRN)
Date: Tue, 05 Apr 2011 16:27:16 +0400
Subject: W32 testsuite results
In-Reply-To: <4D9ACA35.1080000@gnutls.org>
References: <4D991939.6040701@gmail.com> <4D99D27E.7030002@gnutls.org>
<4D99EB48.9030200@gmail.com> <4D9ACA35.1080000@gnutls.org>
Message-ID: <4D9B0AA4.7000405@gmail.com>
On 05.04.2011 11:52, Nikos Mavrogiannopoulos wrote:
> On 04/04/2011 06:01 PM, LRN wrote:
>> On 04.04.2011 18:15, Nikos Mavrogiannopoulos wrote:
>>> On 04/04/2011 03:04 AM, LRN wrote:
>>>> Does anyone have testsuite (make -k check) results for gnutls-2.12.1 on
>>>> W32 (i would prefer native W32, but the ones from Wine are better than
>>>> nothing at all)? Built against libgcrypt.
>>>> I'm building gnutls myself (with some minor patches) and i'm not sure
>>>> whether my mixed testsuite results are expected (known bugs or unported
>>>> features) or not (i broke something).
>>> Not me. Which tests failed? Do gnutls-cli and gnutls-serv operate?
>> I've also submitted a bug report about mini.exe (see the bug tracker),
>> because its cause seemed obvious to me (writes/reads to/from
>> fd==0xffffffff).
> This shouldn't be a problem. The mini-* programs use fd==0xfffffff
> because they emulate the communication and don't really use an fd.
I think i've found the problem. The code in client_pull() in mini.c
calls gnutls_transport_set_global_errno (EAGAIN); to tell gnutls library
code that the pull operation should be postponed. However, gnutls
library code in _gnutls_read() in gnutls_buffers.c:306 calls int err =
get_errno (session); to obain errno, which, in turn, returns
session->internals.errno_func (session->internals.transport_recv_ptr);,
which is the same as system_errno(session->internals.transport_recv_ptr)
at system.c:55, which simply calls WSAGetLastError(), switch'es over its
value and sets errno.
That is, the problem is in the fact that on Windows gnutls assumes that
underlying read() implementation is incapable of setting errno and is,
in fact, a socket (since gnutls uses WSAGetLastError()).
Possible fixes:
A) Fix gnutls_transport_set_global_errno() to call SetLastError() (note
that there's no difference between WSAGLE and GLE, unless you're writing
for WinSock 1.x, which is crazy, because WinSock 2.x has been shipped
with NT since NT 4.0). And maybe set errno too, just to be safe.
B) Fix system_errno() to also check errno itself and use it instead of
the result of GLE if errno is not 0. This way both WinAPI and CRT I/O
functions can be used as read() implementation, and system_errno would
work for both (although errno bleeding from previous calls could, in
theory, cause false negatives).
C) Call SetLastError(0) more often. In this particular case
WSAGetLastError() returns error 3, which is ERROR_PATH_NOT_FOUND, and is
likely not related to this particular problem - it is probably just a
leftover from some earlier WinAPI call. SetLastError(0) should clean
that (OTOH that wouldn't fix this particular problem, since
WSAGetLastError() will just return 0, and that would STILL result in
system_error setting errno to EIO - by the way, that's a bit extreme, it
should set errno to 0 if GLE is 0; consider getting yourself a better
GLE-handling routine, generrmap.c from Python or win32error.c from
PostgreSQL would be a good start).
P.S. All fixes are theoretical, i have not tried to implement any of
that yet.
From INVALID.NOREPLY at gnu.org Tue Apr 5 16:36:28 2011
From: INVALID.NOREPLY at gnu.org (Daniel Kahn Gillmor)
Date: Tue, 05 Apr 2011 14:36:28 +0000
Subject: [sr #107648] Misleading documentation for
GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT
In-Reply-To: <20110405-015244.sv82329.53884@savannah.gnu.org>
References: <20110405-015244.sv82329.53884@savannah.gnu.org>
Message-ID: <20110405-103628.sv57531.47577@savannah.gnu.org>
Follow-up Comment #1, sr #107648 (project gnutls):
Or perhaps just drop the "only".
how about:
"Allow version 1 X.509 certificates in the list of trusted CAs"
_______________________________________________________
Reply to this item at:
_______________________________________________
Message sent via/by Savannah
http://savannah.gnu.org/
From lrn1986 at gmail.com Tue Apr 5 21:08:26 2011
From: lrn1986 at gmail.com (LRN)
Date: Tue, 05 Apr 2011 23:08:26 +0400
Subject: W32 testsuite results
In-Reply-To: <4D9B668B.5070703@gnutls.org>
References: <4D991939.6040701@gmail.com> <4D99D27E.7030002@gnutls.org>
<4D99EB48.9030200@gmail.com> <4D9ACA35.1080000@gnutls.org>
<4D9B0AA4.7000405@gmail.com> <4D9B668B.5070703@gnutls.org>
Message-ID: <4D9B68AA.507@gmail.com>
On 05.04.2011 22:59, Nikos Mavrogiannopoulos wrote:
> On 04/05/2011 02:27 PM, LRN wrote:
>
>>> This shouldn't be a problem. The mini-* programs use fd==0xfffffff
>>> because they emulate the communication and don't really use an fd.
>> I think i've found the problem. The code in client_pull() in mini.c
>> calls gnutls_transport_set_global_errno (EAGAIN); to tell gnutls library
>> code that the pull operation should be postponed. However, gnutls
>> library code in _gnutls_read() in gnutls_buffers.c:306 calls int err =
>> get_errno (session); to obain errno, which, in turn, returns
>> session->internals.errno_func (session->internals.transport_recv_ptr);,
>> which is the same as system_errno(session->internals.transport_recv_ptr)
>> at system.c:55, which simply calls WSAGetLastError(), switch'es over its
>> value and sets errno.
>> That is, the problem is in the fact that on Windows gnutls assumes that
>> underlying read() implementation is incapable of setting errno and is,
>> in fact, a socket (since gnutls uses WSAGetLastError()).
>> Possible fixes:
>> A) Fix gnutls_transport_set_global_errno() to call SetLastError() (note
>> that there's no difference between WSAGLE and GLE, unless you're writing
>> for WinSock 1.x, which is crazy, because WinSock 2.x has been shipped
>> with NT since NT 4.0). And maybe set errno too, just to be safe.
> I think I'll switch it to gnutls_transport_set_errno(), fix and
> deprecate the set_global_errno() function. I don't see any point
> in it as a function.
How do you access a session object in pull function?
From nmav at gnutls.org Tue Apr 5 20:59:23 2011
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Tue, 05 Apr 2011 20:59:23 +0200
Subject: W32 testsuite results
In-Reply-To: <4D9B0AA4.7000405@gmail.com>
References: <4D991939.6040701@gmail.com> <4D99D27E.7030002@gnutls.org>
<4D99EB48.9030200@gmail.com> <4D9ACA35.1080000@gnutls.org>
<4D9B0AA4.7000405@gmail.com>
Message-ID: <4D9B668B.5070703@gnutls.org>
On 04/05/2011 02:27 PM, LRN wrote:
>> This shouldn't be a problem. The mini-* programs use fd==0xfffffff
>> because they emulate the communication and don't really use an fd.
> I think i've found the problem. The code in client_pull() in mini.c
> calls gnutls_transport_set_global_errno (EAGAIN); to tell gnutls library
> code that the pull operation should be postponed. However, gnutls
> library code in _gnutls_read() in gnutls_buffers.c:306 calls int err =
> get_errno (session); to obain errno, which, in turn, returns
> session->internals.errno_func (session->internals.transport_recv_ptr);,
> which is the same as system_errno(session->internals.transport_recv_ptr)
> at system.c:55, which simply calls WSAGetLastError(), switch'es over its
> value and sets errno.
> That is, the problem is in the fact that on Windows gnutls assumes that
> underlying read() implementation is incapable of setting errno and is,
> in fact, a socket (since gnutls uses WSAGetLastError()).
> Possible fixes:
> A) Fix gnutls_transport_set_global_errno() to call SetLastError() (note
> that there's no difference between WSAGLE and GLE, unless you're writing
> for WinSock 1.x, which is crazy, because WinSock 2.x has been shipped
> with NT since NT 4.0). And maybe set errno too, just to be safe.
I think I'll switch it to gnutls_transport_set_errno(), fix and
deprecate the set_global_errno() function. I don't see any point
in it as a function.
regards,
Nikos
From lrn1986 at gmail.com Wed Apr 6 00:16:14 2011
From: lrn1986 at gmail.com (LRN)
Date: Wed, 06 Apr 2011 02:16:14 +0400
Subject: W32 testsuite results
In-Reply-To: <4D9B68AA.507@gmail.com>
References: <4D991939.6040701@gmail.com> <4D99D27E.7030002@gnutls.org>
<4D99EB48.9030200@gmail.com> <4D9ACA35.1080000@gnutls.org>
<4D9B0AA4.7000405@gmail.com> <4D9B668B.5070703@gnutls.org>
<4D9B68AA.507@gmail.com>
Message-ID: <4D9B94AE.3040208@gmail.com>
On 05.04.2011 23:08, LRN wrote:
> On 05.04.2011 22:59, Nikos Mavrogiannopoulos wrote:
>> On 04/05/2011 02:27 PM, LRN wrote:
>>
>>>> This shouldn't be a problem. The mini-* programs use fd==0xfffffff
>>>> because they emulate the communication and don't really use an fd.
>>> I think i've found the problem. The code in client_pull() in mini.c
>>> calls gnutls_transport_set_global_errno (EAGAIN); to tell gnutls
>>> library
>>> code that the pull operation should be postponed. However, gnutls
>>> library code in _gnutls_read() in gnutls_buffers.c:306 calls int err =
>>> get_errno (session); to obain errno, which, in turn, returns
>>> session->internals.errno_func (session->internals.transport_recv_ptr);,
>>> which is the same as
>>> system_errno(session->internals.transport_recv_ptr)
>>> at system.c:55, which simply calls WSAGetLastError(), switch'es over
>>> its
>>> value and sets errno.
>>> That is, the problem is in the fact that on Windows gnutls assumes that
>>> underlying read() implementation is incapable of setting errno and is,
>>> in fact, a socket (since gnutls uses WSAGetLastError()).
>>> Possible fixes:
>>> A) Fix gnutls_transport_set_global_errno() to call SetLastError() (note
>>> that there's no difference between WSAGLE and GLE, unless you're
>>> writing
>>> for WinSock 1.x, which is crazy, because WinSock 2.x has been shipped
>>> with NT since NT 4.0). And maybe set errno too, just to be safe.
>> I think I'll switch it to gnutls_transport_set_errno(), fix and
>> deprecate the set_global_errno() function. I don't see any point
>> in it as a function.
> How do you access a session object in pull function?
Anyway, i've fixed it in my local copy (patch is attached; since i don't
know how to access session in pull(), my patch is a bit crude)
FAIL: hostname-check.exe
FAIL: chainverify.exe
FAIL: pgps2kgnu.exe
FAIL: testdsa
FAIL: testselfsigs
Obviously, the improvement is considerable. Half of safe-renegotiation
tests failed previously, now they all pass. Mini and its variants all pass.
hostname check might fail because function_to_get_host_by_ip(127.0.0.1)
!= "localhost" (known winsock bug).
chainverify fails because 2 certificates have expired in January 2011. A
patch fixes that (although it would be better to get some new
certificates for this test, no?)
pgps2kgnu fails because of unexplainable (and quiet!) strstr() failure
in armor_decode:
Starting program:
f:\src\for-mingwmsys\gnutls\bld\tests/./.libs/pgps2kgnu.exe -v
[New Thread 7464.0x1524]
[New Thread 7464.0x3dc8]
[New Thread 7464.0x450c]
Breakpoint 9, armor_decode (data=0x21547f0, in=0x75f92960,
out=0x75f92980) at armor.c:488
488 armor_filter_t *afx = data;
(gdb) n
492 u32 crc2 = 0;
(gdb)
493 ssize_t nread = 0;
(gdb)
494 int i, pgp_data = 0;
(gdb)
495 cdk_error_t rc = 0;
(gdb)
497 if (!afx)
(gdb)
503 _gnutls_buffers_log ("armor filter: decode\n");
(gdb)
505 fseek (in, 0, SEEK_SET);
(gdb)
507 while (!feof (in) && !pgp_data)
(gdb)
509 s = fgets (buf, DIM (buf) - 1, in);
(gdb)
510 if (!s)
(gdb)
512 afx->idx = search_header (buf, armor_begin);
(gdb)
513 if (afx->idx >= 0)
(gdb)
514 pgp_data = 1;
(gdb)
507 while (!feof (in) && !pgp_data)
(gdb)
517 if (feof (in) || !pgp_data)
(gdb)
524 while (!feof (in))
(gdb)
526 s = fgets (buf, DIM (buf) - 1, in);
(gdb)
527 if (!s)
(gdb)
529 if (strlen (s) == strlen (LF))
(gdb)
537 if (!strstr (buf, ": "))
(gdb) p buf
$68 = "Version: GnuPG v1.4.9
(GNU/Linux)\n\000--\n\000?:?u(\000\003\000\000\000\000\000\000\000??(\000B??u:??w6?-u\f\001\000\000$?(\000,?(\000\b\000\000\00
0\016\000\000\000\000\000\000\000\003\000\000\000\000\005?uj\000\000 at l\000\000\000|\n=\000\066?-u\f\001\000\000T?("
(gdb) call strstr(buf, ": ")
$69 = 0
(gdb) call strstr(buf, ":")
$70 = 0
(gdb) p strstr
$71 = {} 0x77d79715
(gdb) s
542 rc = CDK_General_Error;
(gdb) call strstr(buf, ":")
$72 = 0
(gdb) call strstr(buf, "V")
$73 = 0
(gdb) call strstr("V", buf)
$74 = 0
(gdb) call strstr("123","1")
$75 = 0
I have no explanation whatsoever. Gnulib does not override this
function, it is imported from msvcrt.
mbsstr works correctly (at least when called from gdb). Also, gnulib
warns about strstr() not working with multibyte charsets. This is not
the case here, but makes me wonder. I'll dig further.
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: 04-mingw32-fix-global-error-processing.mingw32.patch
URL:
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: 05-fix-expired-certs.all.patch
URL:
From nmav at gnutls.org Wed Apr 6 00:29:28 2011
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Wed, 06 Apr 2011 00:29:28 +0200
Subject: W32 testsuite results
In-Reply-To: <4D9B68AA.507@gmail.com>
References: <4D991939.6040701@gmail.com> <4D99D27E.7030002@gnutls.org>
<4D99EB48.9030200@gmail.com> <4D9ACA35.1080000@gnutls.org>
<4D9B0AA4.7000405@gmail.com> <4D9B668B.5070703@gnutls.org>
<4D9B68AA.507@gmail.com>
Message-ID: <4D9B97C8.3040604@gnutls.org>
On 04/05/2011 09:08 PM, LRN wrote:
>>> A) Fix gnutls_transport_set_global_errno() to call SetLastError() (note
>>> that there's no difference between WSAGLE and GLE, unless you're writing
>>> for WinSock 1.x, which is crazy, because WinSock 2.x has been shipped
>>> with NT since NT 4.0). And maybe set errno too, just to be safe.
>> I think I'll switch it to gnutls_transport_set_errno(), fix and
>> deprecate the set_global_errno() function. I don't see any point
>> in it as a function.
> How do you access a session object in pull function?
The pull or push functions receive a pointer. This pointer need not
to be the actual descriptor. It can be any private structure that
contains the session.
regards,
Nikos
From lrn1986 at gmail.com Wed Apr 6 20:17:17 2011
From: lrn1986 at gmail.com (LRN)
Date: Wed, 06 Apr 2011 22:17:17 +0400
Subject: W32 testsuite results
In-Reply-To: <4D9B94AE.3040208@gmail.com>
References: <4D991939.6040701@gmail.com> <4D99D27E.7030002@gnutls.org>
<4D99EB48.9030200@gmail.com> <4D9ACA35.1080000@gnutls.org>
<4D9B0AA4.7000405@gmail.com> <4D9B668B.5070703@gnutls.org>
<4D9B68AA.507@gmail.com> <4D9B94AE.3040208@gmail.com>
Message-ID: <4D9CAE2D.3090903@gmail.com>
On 06.04.2011 2:16, LRN wrote:
> On 05.04.2011 23:08, LRN wrote:
>> On 05.04.2011 22:59, Nikos Mavrogiannopoulos wrote:
>>> On 04/05/2011 02:27 PM, LRN wrote:
>>>
>>>>> This shouldn't be a problem. The mini-* programs use fd==0xfffffff
>>>>> because they emulate the communication and don't really use an fd.
>>>> I think i've found the problem. The code in client_pull() in mini.c
>>>> calls gnutls_transport_set_global_errno (EAGAIN); to tell gnutls
>>>> library
>>>> code that the pull operation should be postponed. However, gnutls
>>>> library code in _gnutls_read() in gnutls_buffers.c:306 calls int err =
>>>> get_errno (session); to obain errno, which, in turn, returns
>>>> session->internals.errno_func
>>>> (session->internals.transport_recv_ptr);,
>>>> which is the same as
>>>> system_errno(session->internals.transport_recv_ptr)
>>>> at system.c:55, which simply calls WSAGetLastError(), switch'es
>>>> over its
>>>> value and sets errno.
>>>> That is, the problem is in the fact that on Windows gnutls assumes
>>>> that
>>>> underlying read() implementation is incapable of setting errno and is,
>>>> in fact, a socket (since gnutls uses WSAGetLastError()).
>>>> Possible fixes:
>>>> A) Fix gnutls_transport_set_global_errno() to call SetLastError()
>>>> (note
>>>> that there's no difference between WSAGLE and GLE, unless you're
>>>> writing
>>>> for WinSock 1.x, which is crazy, because WinSock 2.x has been shipped
>>>> with NT since NT 4.0). And maybe set errno too, just to be safe.
>>> I think I'll switch it to gnutls_transport_set_errno(), fix and
>>> deprecate the set_global_errno() function. I don't see any point
>>> in it as a function.
>> How do you access a session object in pull function?
> Anyway, i've fixed it in my local copy (patch is attached; since i
> don't know how to access session in pull(), my patch is a bit crude)
>
> FAIL: hostname-check.exe
> FAIL: chainverify.exe
> FAIL: pgps2kgnu.exe
> FAIL: testdsa
> FAIL: testselfsigs
>
> Obviously, the improvement is considerable. Half of safe-renegotiation
> tests failed previously, now they all pass. Mini and its variants all
> pass.
>
> hostname check might fail because
> function_to_get_host_by_ip(127.0.0.1) != "localhost" (known winsock bug).
>
> chainverify fails because 2 certificates have expired in January 2011.
> A patch fixes that (although it would be better to get some new
> certificates for this test, no?)
>
> pgps2kgnu fails because of unexplainable (and quiet!) strstr() failure
> in armor_decode:
>
> I have no explanation whatsoever. Gnulib does not override this
> function, it is imported from msvcrt.
> mbsstr works correctly (at least when called from gdb). Also, gnulib
> warns about strstr() not working with multibyte charsets. This is not
> the case here, but makes me wonder. I'll dig further.
>
The newest batch of patches (no pun intended) is attached.
Fixes:
hostname-check - as a side-effect of fixing pgps2kgnu, i think
test-binary-io - as i have thought, it's a libtool wrapper bug: instead
of exec()'ing it spawnv()'s its child, and because of that it keeps
sitting on top of stdout FD, blocking it, which prevents its child from
stat()'ing it later to get its size. Hacking the script to run
.libs/test-binary-io.exe instead solves the problem
pgps2kgnu - armor.c had a weird notion that on Windows all text files
have CRLF EOLs, while on other systems all files have LF EOLs, no
exceptions. Obviously this is not the case in objective reality (you can
get certificates from wide variety of sources, some of them originate
from different OSes), particularly in this testcase (in which the
certificate has only LF EOLs). I've modified the code to try to match an
empty line to both \n and \r\n. Also modified it to strip (when
stripping EOLs) \n first, and then strip \r if it is present.
It should be noted that gdb lied about the string contents. I've been
able to find the source of the problem only by inserting debug logging
statements all over the place. Never trust gdb! :)
testselfsigs - Probably I/O-related. Running certtool with --infile
"filename" appears to be working, while running with <"filename" fails
(certtool.exe: import error: The scanning of a large integer has
failed). I've fixed the test script to use --infile (much easier than
hacking the source yet again to be able to debug it with gdb while
feeding data from stdin; might be related to the way msys does its piping).
Now the only problem left is:
FAIL: testdsa
still hangs. Not sure why, too complex for me to debug. Logs are attached.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: patches.tar.xz
Type: application/octet-stream
Size: 5760 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: testdsa.logs.tar.xz
Type: application/octet-stream
Size: 3996 bytes
Desc: not available
URL:
From nmav at gnutls.org Thu Apr 7 09:47:18 2011
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Thu, 07 Apr 2011 09:47:18 +0200
Subject: W32 testsuite results
In-Reply-To: <4D9CAE2D.3090903@gmail.com>
References: <4D991939.6040701@gmail.com> <4D99D27E.7030002@gnutls.org>
<4D99EB48.9030200@gmail.com> <4D9ACA35.1080000@gnutls.org>
<4D9B0AA4.7000405@gmail.com> <4D9B668B.5070703@gnutls.org>
<4D9B68AA.507@gmail.com> <4D9B94AE.3040208@gmail.com>
<4D9CAE2D.3090903@gmail.com>
Message-ID: <4D9D6C06.4080308@gnutls.org>
On 04/06/2011 08:17 PM, LRN wrote:
Thank you.
> Now the only problem left is:
> FAIL: testdsa
> still hangs. Not sure why, too complex for me to debug. Logs are attached.
It might be that the included gnutls-cli and gnutls-serv don't operate
well in windows. I remember some issues with select() but I don't know
if the issue is the same. I'll see how I could disable this test
at windows.
regards,
Nikos
From lrn1986 at gmail.com Thu Apr 7 12:23:02 2011
From: lrn1986 at gmail.com (LRN)
Date: Thu, 07 Apr 2011 14:23:02 +0400
Subject: W32 testsuite results
In-Reply-To: <4D9D6C06.4080308@gnutls.org>
References: <4D991939.6040701@gmail.com> <4D99D27E.7030002@gnutls.org>
<4D99EB48.9030200@gmail.com> <4D9ACA35.1080000@gnutls.org>
<4D9B0AA4.7000405@gmail.com> <4D9B668B.5070703@gnutls.org>
<4D9B68AA.507@gmail.com> <4D9B94AE.3040208@gmail.com>
<4D9CAE2D.3090903@gmail.com> <4D9D6C06.4080308@gnutls.org>
Message-ID: <4D9D9086.8020906@gmail.com>
On 07.04.2011 11:47, Nikos Mavrogiannopoulos wrote:
> On 04/06/2011 08:17 PM, LRN wrote:
>
> Thank you.
>
>> Now the only problem left is:
>> FAIL: testdsa
>> still hangs. Not sure why, too complex for me to debug. Logs are attached.
> It might be that the included gnutls-cli and gnutls-serv don't operate
> well in windows. I remember some issues with select() but I don't know
> if the issue is the same. I'll see how I could disable this test
> at windows.
>
Oh, that's easy - just check for a Windows-only envvar in the shell
script that governs the test and return 77 on positive result.
From dbreiser at gmail.com Thu Apr 7 20:54:28 2011
From: dbreiser at gmail.com (David Reiser)
Date: Thu, 7 Apr 2011 14:54:28 -0400
Subject: gnutls 2.12.1 won't build for me on OS X
In-Reply-To: <4D98EAFB.3010406@gnutls.org>
References:
<4D98EAFB.3010406@gnutls.org>
Message-ID:
On Sun, Apr 3, 2011 at 5:47 PM, Nikos Mavrogiannopoulos wrote:
> On 04/02/2011 05:42 PM, David Reiser wrote:
> > Under 'Making all in examples' the build quits a little later with:
> > CCLD ex-cert-select
> > libtool: link: warning: `-no-install' is ignored for
> i386-apple-darwin10.7.0
> > libtool: link: warning: assuming `-no-fast-install' instead
> > libtool: link: warning: library `/sw/lib/libgmp.la' was moved.
> > ld: duplicate symbol _main in
> ./.libs/libexamples.a(ex-cert-select-pkcs11.o) and ex-cert-select.o
> > collect2: ld returned 1 exit status
> > make[4]: *** [ex-cert-select] Error 1
>
> Thanks for reporting that. I've committed a fix.
>
> > And while I'm here, if nettle is replacing libgcrypt, why does
> lib/nettle/init.c still #include ?
>
> It shouldn't have been there. I've removed that. Apart from these
> did you have any issues using gnutls 2.12 in OSX?
>
> regards,
> Nikos
>
Those changes did allow 2.12.1+ to build for me. I found a packaging problem
I created in nettle trying to build nettle as shared libraries. I think I
have that one fixed. Gnutls with the mods seems to work for me with https
connections (via gwenhywfar for connections to bank data streams). I'm
trying to get some friends at fink to test my packaging more thoroughly with
some other packages. But so far it looks good.
Thanks for the fixes.
--
Dave Reiser
dbreiser at gmail.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
From nmav at gnutls.org Thu Apr 7 23:55:35 2011
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Thu, 07 Apr 2011 23:55:35 +0200
Subject: W32 testsuite results
In-Reply-To: <4D9B94AE.3040208@gmail.com>
References: <4D991939.6040701@gmail.com> <4D99D27E.7030002@gnutls.org>
<4D99EB48.9030200@gmail.com> <4D9ACA35.1080000@gnutls.org>
<4D9B0AA4.7000405@gmail.com> <4D9B668B.5070703@gnutls.org>
<4D9B68AA.507@gmail.com> <4D9B94AE.3040208@gmail.com>
Message-ID: <4D9E32D7.6060102@gnutls.org>
On 04/06/2011 12:16 AM, LRN wrote:
> chainverify fails because 2 certificates have expired in January 2011. A
> patch fixes that (although it would be better to get some new
> certificates for this test, no?)
chainverify hardcodes the time by defining the time() function. It
seems in windows the system one is used. It seems the windows loader
operates differently than the Linux one. If you don't know of any
way to override a system function in windows it might be better
to disable those tests there.
regards,
Nikos
From nmav at gnutls.org Fri Apr 8 00:06:14 2011
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Fri, 08 Apr 2011 00:06:14 +0200
Subject: W32 testsuite results
In-Reply-To: <4D9CAE2D.3090903@gmail.com>
References: <4D991939.6040701@gmail.com> <4D99D27E.7030002@gnutls.org>
<4D99EB48.9030200@gmail.com> <4D9ACA35.1080000@gnutls.org>
<4D9B0AA4.7000405@gmail.com> <4D9B668B.5070703@gnutls.org>
<4D9B68AA.507@gmail.com> <4D9B94AE.3040208@gmail.com>
<4D9CAE2D.3090903@gmail.com>
Message-ID: <4D9E3556.1090504@gnutls.org>
On 04/06/2011 08:17 PM, LRN wrote:
Does this in configure.ac cause a problem in windows?
-if test -d tests/suite;then
-AC_CONFIG_FILES([tests/suite/Makefile])
-fi
We use it to run extra tests on the git branch. Is test
the problem?
regards,
Nikos
From INVALID.NOREPLY at gnu.org Fri Apr 8 01:27:40 2011
From: INVALID.NOREPLY at gnu.org (Nikos Mavrogiannopoulos)
Date: Thu, 07 Apr 2011 23:27:40 +0000
Subject: [sr #107648] Misleading documentation for
GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT
In-Reply-To: <20110405-103628.sv57531.47577@savannah.gnu.org>
References: <20110405-015244.sv82329.53884@savannah.gnu.org>
<20110405-103628.sv57531.47577@savannah.gnu.org>
Message-ID: <20110408-022740.sv707.99394@savannah.gnu.org>
Update of sr #107648 (project gnutls):
Status: None => Done
Assigned to: None => nmav
Open/Closed: Open => Closed
_______________________________________________________
Follow-up Comment #2:
You are correct. It will be fixed in the next version.
_______________________________________________________
Reply to this item at:
_______________________________________________
Message sent via/by Savannah
http://savannah.gnu.org/
From vincent.torri at gmail.com Fri Apr 8 07:58:07 2011
From: vincent.torri at gmail.com (Vincent Torri)
Date: Fri, 8 Apr 2011 07:58:07 +0200
Subject: W32 testsuite results
In-Reply-To: <4D9E3556.1090504@gnutls.org>
References: <4D991939.6040701@gmail.com> <4D99D27E.7030002@gnutls.org>
<4D99EB48.9030200@gmail.com> <4D9ACA35.1080000@gnutls.org>
<4D9B0AA4.7000405@gmail.com> <4D9B668B.5070703@gnutls.org>
<4D9B68AA.507@gmail.com> <4D9B94AE.3040208@gmail.com>
<4D9CAE2D.3090903@gmail.com> <4D9E3556.1090504@gnutls.org>
Message-ID:
On Fri, Apr 8, 2011 at 12:06 AM, Nikos Mavrogiannopoulos wrote:
> On 04/06/2011 08:17 PM, LRN wrote:
>
> Does this in configure.ac cause a problem in windows?
> -if test -d tests/suite;then
> -AC_CONFIG_FILES([tests/suite/Makefile])
> -fi
>
> We use it to run extra tests on the git branch. Is test
> the problem?
>
It's not the correct way to do what you want . Do that instead:
AM_CONDITIONAL([WANT_TEST_SUITE], [test -d tests/suite])
and in tests/Makefile.am, remove 'suite' from SUBDIRS and add:
if WANT_TEST_SUITE
SUBDIRS += suite
endif
Vincent Torri
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
From lrn1986 at gmail.com Fri Apr 8 08:24:22 2011
From: lrn1986 at gmail.com (LRN)
Date: Fri, 08 Apr 2011 10:24:22 +0400
Subject: W32 testsuite results
In-Reply-To: <4D9E3556.1090504@gnutls.org>
References: <4D991939.6040701@gmail.com> <4D99D27E.7030002@gnutls.org>
<4D99EB48.9030200@gmail.com> <4D9ACA35.1080000@gnutls.org>
<4D9B0AA4.7000405@gmail.com> <4D9B668B.5070703@gnutls.org>
<4D9B68AA.507@gmail.com> <4D9B94AE.3040208@gmail.com>
<4D9CAE2D.3090903@gmail.com> <4D9E3556.1090504@gnutls.org>
Message-ID: <4D9EAA16.8030209@gmail.com>
On 08.04.2011 2:06, Nikos Mavrogiannopoulos wrote:
> On 04/06/2011 08:17 PM, LRN wrote:
>
> Does this in configure.ac cause a problem in windows?
> -if test -d tests/suite;then
> -AC_CONFIG_FILES([tests/suite/Makefile])
> -fi
>
> We use it to run extra tests on the git branch. Is test
> the problem?
>
Yes, it is the problem, because tests/suite/Makefile does not exist in
the source tarball, which makes it impossible to run `autoreconf` on it.
Reconfiguring might not be strictly necessary though, i'll try to make
do without it and will get back to you on this if that works.
From nmav at gnutls.org Fri Apr 8 10:00:31 2011
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Fri, 8 Apr 2011 10:00:31 +0200
Subject: W32 testsuite results
In-Reply-To:
References: <4D991939.6040701@gmail.com> <4D99D27E.7030002@gnutls.org>
<4D99EB48.9030200@gmail.com> <4D9ACA35.1080000@gnutls.org>
<4D9B0AA4.7000405@gmail.com> <4D9B668B.5070703@gnutls.org>
<4D9B68AA.507@gmail.com> <4D9B94AE.3040208@gmail.com>
<4D9CAE2D.3090903@gmail.com> <4D9E3556.1090504@gnutls.org>
Message-ID:
On Fri, Apr 8, 2011 at 7:58 AM, Vincent Torri wrote:
>> Does this in configure.ac cause a problem in windows?
>> -if test -d tests/suite;then
>> -AC_CONFIG_FILES([tests/suite/Makefile])
>> -fi
>> We use it to run extra tests on the git branch. Is test
>> the problem?
> It's not the correct way to do what you want . Do that instead:
> AM_CONDITIONAL([WANT_TEST_SUITE], [test -d tests/suite])
> and in tests/Makefile.am, remove 'suite' from SUBDIRS and add:
> if WANT_TEST_SUITE
> SUBDIRS += suite
> endif
The problem is that I don't want to distribute that directory. If I use
this approach the directory is being included in the distribution.
regards,
Nikos
From lrn1986 at gmail.com Fri Apr 8 10:12:18 2011
From: lrn1986 at gmail.com (LRN)
Date: Fri, 08 Apr 2011 12:12:18 +0400
Subject: W32 testsuite results
In-Reply-To:
References: <4D991939.6040701@gmail.com> <4D99D27E.7030002@gnutls.org>
<4D99EB48.9030200@gmail.com> <4D9ACA35.1080000@gnutls.org>
<4D9B0AA4.7000405@gmail.com> <4D9B668B.5070703@gnutls.org>
<4D9B68AA.507@gmail.com> <4D9B94AE.3040208@gmail.com>
<4D9CAE2D.3090903@gmail.com> <4D9E3556.1090504@gnutls.org>
Message-ID: <4D9EC362.2040707@gmail.com>
On 08.04.2011 12:00, Nikos Mavrogiannopoulos wrote:
> On Fri, Apr 8, 2011 at 7:58 AM, Vincent Torri wrote:
>
>>> Does this in configure.ac cause a problem in windows?
>>> -if test -d tests/suite;then
>>> -AC_CONFIG_FILES([tests/suite/Makefile])
>>> -fi
>>> We use it to run extra tests on the git branch. Is test
>>> the problem?
>> It's not the correct way to do what you want . Do that instead:
>> AM_CONDITIONAL([WANT_TEST_SUITE], [test -d tests/suite])
>> and in tests/Makefile.am, remove 'suite' from SUBDIRS and add:
>> if WANT_TEST_SUITE
>> SUBDIRS += suite
>> endif
> The problem is that I don't want to distribute that directory. If I use
> this approach the directory is being included in the distribution.
>
The problem is that you should make this conditional.
WANT_TEST_SUITE automake conditional variable will be TRUE if
tests/suite exists and FALSE otherwise.
Then while processing Makefile.am Automake will add 'suite' to the list
of subdirs if it exists and will not add it otherwise.
You'd also need to put AC_CONFIG_FILES into
AM_COND_IF([WANT_TEST_SUITE],
[AC_CONFIG_FILES([tests/suite/Makefile])])
Well, that's my theory anyway.
From vincent.torri at gmail.com Fri Apr 8 11:05:59 2011
From: vincent.torri at gmail.com (Vincent Torri)
Date: Fri, 8 Apr 2011 11:05:59 +0200
Subject: W32 testsuite results
In-Reply-To:
References: <4D991939.6040701@gmail.com> <4D99D27E.7030002@gnutls.org>
<4D99EB48.9030200@gmail.com> <4D9ACA35.1080000@gnutls.org>
<4D9B0AA4.7000405@gmail.com> <4D9B668B.5070703@gnutls.org>
<4D9B68AA.507@gmail.com> <4D9B94AE.3040208@gmail.com>
<4D9CAE2D.3090903@gmail.com> <4D9E3556.1090504@gnutls.org>
Message-ID:
On Fri, Apr 8, 2011 at 10:00 AM, Nikos Mavrogiannopoulos wrote:
> On Fri, Apr 8, 2011 at 7:58 AM, Vincent Torri
> wrote:
>
> >> Does this in configure.ac cause a problem in windows?
> >> -if test -d tests/suite;then
> >> -AC_CONFIG_FILES([tests/suite/Makefile])
> >> -fi
> >> We use it to run extra tests on the git branch. Is test
> >> the problem?
> > It's not the correct way to do what you want . Do that instead:
> > AM_CONDITIONAL([WANT_TEST_SUITE], [test -d tests/suite])
> > and in tests/Makefile.am, remove 'suite' from SUBDIRS and add:
> > if WANT_TEST_SUITE
> > SUBDIRS += suite
> > endif
>
> The problem is that I don't want to distribute that directory. If I use
> this approach the directory is being included in the distribution.
>
http://sources.redhat.com/automake/automake.html#Fine_002dgrained-Distribution-Control
Vincent Torri
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
From nmav at gnutls.org Fri Apr 8 18:43:07 2011
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Fri, 08 Apr 2011 18:43:07 +0200
Subject: gnutls 2.12.2
Message-ID: <4D9F3B1B.8030301@gnutls.org>
I've just released gnutls 2.12.2. No new features, but several
bug fixes.
What's New
==========
* Version 2.12.2 (released 2011-04-08)
** libgnutls: Several updates and fixes for win32. Patches by LRN.
** libgnutls: Several bug and memory leak fixes.
** srptool: Accepts the -d option to enable debugging.
** libgnutls: Corrected bug in gnutls_srp_verifier() that prevented
the allocation of a verifier. Reported by Andrew Wiseman.
** API and ABI modifications:
No changes since last version.
Getting the Software
====================
GnuTLS may be downloaded from one of the GNU mirror sites or directly
>From and a list of GnuTLS mirrors
can be found at .
Here are the BZIP2 compressed sources:
ftp://ftp.gnu.org/gnu/gnutls/gnutls-2.12.2.tar.bz2
http://ftp.gnu.org/gnu/gnutls/gnutls-2.12.2.tar.bz2
Here are OpenPGP detached signatures signed using key 0x96865171:
ftp://ftp.gnu.org/gnu/gnutls/gnutls-2.12.2.tar.bz2.sig
http://ftp.gnu.org/gnu/gnutls/gnutls-2.12.2.tar.bz2.sig
Note that it has been signed with my openpgp key:
pub 3104R/96865171 2008-05-04 [expires: 2028-04-29]
uid Nikos Mavrogiannopoulos gnutls.org>
uid Nikos Mavrogiannopoulos
gmail.com>
sub 2048R/9013B842 2008-05-04 [expires: 2018-05-02]
sub 2048R/1404A91D 2008-05-04 [expires: 2018-05-02]
regards,
Nikos
From nmav at gnutls.org Sat Apr 9 10:05:56 2011
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Sat, 09 Apr 2011 10:05:56 +0200
Subject: gnutls 2.99.0
Message-ID: <4DA01364.3010306@gnutls.org>
Hello,
The GnuTLS 2.99.x branch is NOT what you want for your stable system.
It is intended for developers and experienced users.
This is an update release that includes features such as Datagram TLS
AES-GCM and more.
This release includes documentation for the usage of DTLS as part
of the main GnuTLS manual, but the major changes are summarized by
this commit:
http://git.savannah.gnu.org/gitweb/?p=gnutls.git;a=commitdiff;h=08a1b04b3d049a4a44132c0bce0c017c0c70f892
The changes since the last stable branch are:
* Version 2.99.0 (released 2011-04-09)
** libgnutls: Added Datagram TLS support.
** libgnutls: Uses a single configure file and a single
gnulib library to save space.
** libgnutls: Several bug fixes.
** libgnutls: gnutls_transport_set_lowat() is no more.
** libgnutls-openssl: modified to use modern gnutls' functions.
This introduces an ABI incompatibility with previous versions.
** libgnutls: Corrected signature generation and verification
in the Certificate Verify message when in TLS 1.2. Reported
by Todd A. Ouska.
** libgnutlsxx: The C++ interface returns exception on
every error and not only on fatal ones. This allows easier
handling of errors.
** libgnutls: Corrected issue in DHE-PSK ciphersuites that ignored
the PSK callback.
** libgnutls: SRP and PSK are no longer set on the default priorities.
They have to be explicitly set.
** libgnutls: During handshake message verification using DSS
use the hash algorithm required by it.
** libgnutls: gnutls_recv() return GNUTLS_E_PREMATURE_TERMINATION
on unexpected EOF, instead of GNUTLS_E_UNEXPECTED_PACKET_LENGTH.
** libgnutls: Added GCM mode (interoperates with tls.secg.org)
** libgnutls-extra: Inner application extension was removed.
It was never standardized nor published as an RFC.
** libgnutls: Added new certificate verification functions, that
can provide more details and are more efficient. Check
gnutls_x509_trust_list_*.
** certtool: Uses the new certificate verification functions for
--verify-chain.
** certtool: Added new certificate verification functionality
using the --verify option. Combined with --load-ca-certificate
it can verify a certificate chain against a list of certificates.
** API and ABI modifications:
gnutls_dtls_set_timeouts: ADDED
gnutls_dtls_get_mtu: ADDED
gnutls_dtls_get_data_mtu: ADDED
gnutls_dtls_set_mtu: ADDED
gnutls_dtls_cookie_send: ADDED
gnutls_dtls_cookie_verify: ADDED
gnutls_dtls_prestate_set: ADDED
gnutls_x509_trust_list_verify_crt: ADDED
gnutls_x509_trust_list_add_crls: ADDED
gnutls_x509_trust_list_add_cas: ADDED
gnutls_x509_trust_list_init: ADDED
gnutls_x509_trust_list_deinit: ADDED
gnutls_cipher_add_auth: ADDED
gnutls_cipher_tag: ADDED
gnutls_psk_netconf_derive_key: REMOVED
gnutls_certificate_verify_peers: REMOVED
gnutls_session_set_finished_function: REMOVED
gnutls_ext_register: REMOVED
gnutls_certificate_get_x509_crls: REMOVED
gnutls_certificate_get_x509_cas: REMOVED
gnutls_certificate_get_openpgp_keyring: REMOVED
gnutls_session_get_server_random: REMOVED
gnutls_session_get_client_random: REMOVED
gnutls_session_get_master_secret: REMOVED
gnutls_ia_allocate_client_credentials: REMOVED
gnutls_ia_allocate_server_credentials: REMOVED
gnutls_ia_enable: REMOVED
gnutls_ia_endphase_send: REMOVED
gnutls_ia_extract_inner_secret: REMOVED
gnutls_ia_free_client_credentials: REMOVED
gnutls_ia_free_server_credentials: REMOVED
gnutls_ia_generate_challenge: REMOVED
gnutls_ia_get_client_avp_ptr: REMOVED
gnutls_ia_get_server_avp_ptr: REMOVED
gnutls_ia_handshake: REMOVED
gnutls_ia_handshake_p: REMOVED
gnutls_ia_permute_inner_secret: REMOVED
gnutls_ia_recv: REMOVED
gnutls_ia_send: REMOVED
gnutls_ia_set_client_avp_function: REMOVED
gnutls_ia_set_client_avp_ptr: REMOVED
gnutls_ia_set_server_avp_function: REMOVED
gnutls_ia_set_server_avp_ptr: REMOVED
gnutls_ia_verify_endphase: REMOVED
Here are the compressed sources:
ftp://alpha.gnu.org/gnu/gnutls/gnutls-2.99.0.tar.bz2
ftp://ftp.gnutls.org/pub/gnutls/devel/gnutls-2.99.0.tar.bz2
Here is the OpenPGP signature:
ftp://alpha.gnu.org/gnu/gnutls/gnutls-2.99.0.tar.bz2.sig
ftp://ftp.gnutls.org/pub/gnutls/devel/gnutls-2.99.0.tar.bz2.sig
regards,
Nikos
From nmav at gnutls.org Sat Apr 9 11:41:55 2011
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Sat, 09 Apr 2011 11:41:55 +0200
Subject: gnutls 2.99.0
In-Reply-To: <4DA01364.3010306@gnutls.org>
References: <4DA01364.3010306@gnutls.org>
Message-ID: <4DA029E3.8090607@gnutls.org>
On 04/09/2011 10:05 AM, Nikos Mavrogiannopoulos wrote:
> This is an update release that includes features such as Datagram TLS
> AES-GCM and more.
For the support of AES-GCM you need the libnettle library from
the cvs. There are instructions to obtain it at:
http://www.lysator.liu.se/~nisse/nettle/
regards,
Nikos
From INVALID.NOREPLY at gnu.org Sun Apr 10 20:44:59 2011
From: INVALID.NOREPLY at gnu.org (Nikos Mavrogiannopoulos)
Date: Sun, 10 Apr 2011 18:44:59 +0000
Subject: [sr #107647] Gnutls fails several tests - A TLS packet with
unexpected length was received.
In-Reply-To: <20110404-124930.sv74148.75292@savannah.gnu.org>
References: <20110404-124930.sv74148.75292@savannah.gnu.org>
Message-ID: <20110410-214459.sv707.60867@savannah.gnu.org>
Update of sr #107647 (project gnutls):
Status: None => Done
Assigned to: None => nmav
Open/Closed: Open => Closed
_______________________________________________________
Reply to this item at:
_______________________________________________
Message sent via/by Savannah
http://savannah.gnu.org/
From INVALID.NOREPLY at gnu.org Sun Apr 10 20:45:39 2011
From: INVALID.NOREPLY at gnu.org (Nikos Mavrogiannopoulos)
Date: Sun, 10 Apr 2011 18:45:39 +0000
Subject: [sr #107606] Use of uninitialized variable kid in
_gnutls_check_key_cert_match
In-Reply-To: <20110226-025435.sv81876.52067@savannah.gnu.org>
References: <20110226-025435.sv81876.52067@savannah.gnu.org>
Message-ID: <20110410-214539.sv707.7140@savannah.gnu.org>
Update of sr #107606 (project gnutls):
Status: None => Done
Assigned to: None => nmav
Open/Closed: Open => Closed
_______________________________________________________
Reply to this item at:
_______________________________________________
Message sent via/by Savannah
http://savannah.gnu.org/
From INVALID.NOREPLY at gnu.org Sun Apr 10 20:45:49 2011
From: INVALID.NOREPLY at gnu.org (Nikos Mavrogiannopoulos)
Date: Sun, 10 Apr 2011 18:45:49 +0000
Subject: [sr #107605] Uninitialized variable "md" use in
file_verify_clearsign()
In-Reply-To: <20110325-195035.sv81876.96911@savannah.gnu.org>
References: <20110226-024147.sv81876.49001@savannah.gnu.org>
<20110325-213725.sv707.86817@savannah.gnu.org>
<20110325-195035.sv81876.96911@savannah.gnu.org>
Message-ID: <20110410-214548.sv707.31797@savannah.gnu.org>
Update of sr #107605 (project gnutls):
Open/Closed: Open => Closed
_______________________________________________________
Reply to this item at:
_______________________________________________
Message sent via/by Savannah
http://savannah.gnu.org/
From INVALID.NOREPLY at gnu.org Sun Apr 10 20:46:29 2011
From: INVALID.NOREPLY at gnu.org (Nikos Mavrogiannopoulos)
Date: Sun, 10 Apr 2011 18:46:29 +0000
Subject: [sr #107527] Use of dangerous/banned functions (Analysis)
In-Reply-To: <20101119-085011.sv73003.11981@savannah.gnu.org>
References: <20101119-030342.sv80862.45182@savannah.gnu.org>
<20101119-063507.sv7213.93644@savannah.gnu.org>
<20101119-085011.sv73003.11981@savannah.gnu.org>
Message-ID: <20110410-214629.sv707.61435@savannah.gnu.org>
Update of sr #107527 (project gnutls):
Status: None => Need Info
Open/Closed: Open => Closed
_______________________________________________________
Reply to this item at:
_______________________________________________
Message sent via/by Savannah
http://savannah.gnu.org/
From INVALID.NOREPLY at gnu.org Sun Apr 10 20:46:45 2011
From: INVALID.NOREPLY at gnu.org (Nikos Mavrogiannopoulos)
Date: Sun, 10 Apr 2011 18:46:45 +0000
Subject: [sr #107525] Use of dangerous/banned functions (Particular
Instances)
In-Reply-To: <20101119-062638.sv7213.29249@savannah.gnu.org>
References: <20101119-000016.sv80862.1214@savannah.gnu.org>
<20101119-062638.sv7213.29249@savannah.gnu.org>
Message-ID: <20110410-214645.sv707.53906@savannah.gnu.org>
Update of sr #107525 (project gnutls):
Status: None => Done
Assigned to: None => nmav
Open/Closed: Open => Closed
_______________________________________________________
Reply to this item at:
_______________________________________________
Message sent via/by Savannah
http://savannah.gnu.org/
From INVALID.NOREPLY at gnu.org Sun Apr 10 20:47:15 2011
From: INVALID.NOREPLY at gnu.org (Nikos Mavrogiannopoulos)
Date: Sun, 10 Apr 2011 18:47:15 +0000
Subject: [sr #107524] Test suite: gnutls_global_init/gnutls_global_deinit
In-Reply-To: <20101119-062258.sv7213.84357@savannah.gnu.org>
References: <20101118-100108.sv80862.92544@savannah.gnu.org>
<20101118-115752.sv80862.70845@savannah.gnu.org>
<20101118-115955.sv80862.42903@savannah.gnu.org>
<20101119-062258.sv7213.84357@savannah.gnu.org>
Message-ID: <20110410-214715.sv707.33925@savannah.gnu.org>
Update of sr #107524 (project gnutls):
Open/Closed: Open => Closed
_______________________________________________________
Reply to this item at:
_______________________________________________
Message sent via/by Savannah
http://savannah.gnu.org/
From INVALID.NOREPLY at gnu.org Sun Apr 10 20:47:36 2011
From: INVALID.NOREPLY at gnu.org (Nikos Mavrogiannopoulos)
Date: Sun, 10 Apr 2011 18:47:36 +0000
Subject: [sr #107522] Use of dangerous/banned functions
In-Reply-To: <20101118-032144.sv80862.63609@savannah.gnu.org>
References: <20101116-233010.sv80862.81354@savannah.gnu.org>
<20101117-000900.sv80862.28538@savannah.gnu.org>
<20101117-004941.sv80862.38538@savannah.gnu.org>
<20101117-035230.sv80862.66785@savannah.gnu.org>
<20101117-143404.sv7213.15048@savannah.gnu.org>
<20101117-231851.sv80862.84166@savannah.gnu.org>
<20101118-032144.sv80862.63609@savannah.gnu.org>
Message-ID: <20110410-214736.sv707.74473@savannah.gnu.org>
Update of sr #107522 (project gnutls):
Open/Closed: Open => Closed
_______________________________________________________
Reply to this item at:
_______________________________________________
Message sent via/by Savannah
http://savannah.gnu.org/
From INVALID.NOREPLY at gnu.org Sun Apr 10 20:47:53 2011
From: INVALID.NOREPLY at gnu.org (Nikos Mavrogiannopoulos)
Date: Sun, 10 Apr 2011 18:47:53 +0000
Subject: [sr #107521] Lint encountered during compile
In-Reply-To: <20101117-143607.sv7213.47574@savannah.gnu.org>
References: <20101116-175050.sv80862.34609@savannah.gnu.org>
<20101116-212719.sv7213.99920@savannah.gnu.org>
<20101117-071759.sv80862.73064@savannah.gnu.org>
<20101117-072435.sv80862.19583@savannah.gnu.org>
<20101117-075640.sv80862.14088@savannah.gnu.org>
<20101117-120638.sv0.32188@savannah.gnu.org>
<20101117-143607.sv7213.47574@savannah.gnu.org>
Message-ID: <20110410-214753.sv707.93451@savannah.gnu.org>
Update of sr #107521 (project gnutls):
Open/Closed: Open => Closed
_______________________________________________________
Reply to this item at:
_______________________________________________
Message sent via/by Savannah
http://savannah.gnu.org/
From INVALID.NOREPLY at gnu.org Sun Apr 10 20:48:04 2011
From: INVALID.NOREPLY at gnu.org (Nikos Mavrogiannopoulos)
Date: Sun, 10 Apr 2011 18:48:04 +0000
Subject: [sr #107409] The lack of built-in threading support is a critical
design flaw
In-Reply-To: <20100712-165922.sv79072.50027@savannah.gnu.org>
References: <20100624-155547.sv79072.29581@savannah.gnu.org>
<20100703-133746.sv707.92700@savannah.gnu.org>
<20100703-134327.sv707.35926@savannah.gnu.org>
<20100712-165922.sv79072.50027@savannah.gnu.org>
Message-ID: <20110410-214804.sv707.6897@savannah.gnu.org>
Update of sr #107409 (project gnutls):
Status: In Progress => Done
Open/Closed: Open => Closed
_______________________________________________________
Reply to this item at:
_______________________________________________
Message sent via/by Savannah
http://savannah.gnu.org/
From INVALID.NOREPLY at gnu.org Sun Apr 10 20:48:13 2011
From: INVALID.NOREPLY at gnu.org (Nikos Mavrogiannopoulos)
Date: Sun, 10 Apr 2011 18:48:13 +0000
Subject: [sr #107312] Problem compiling gnutls 2.8.6
In-Reply-To: <20100703-134415.sv707.54929@savannah.gnu.org>
References: <20100316-180040.sv12134.88040@savannah.gnu.org>
<20100316-183817.sv12134.66826@savannah.gnu.org>
<20100317-064939.sv7213.48926@savannah.gnu.org>
<20100317-083531.sv15145.74631@savannah.gnu.org>
<20100703-134415.sv707.54929@savannah.gnu.org>
Message-ID: <20110410-214813.sv707.6787@savannah.gnu.org>
Update of sr #107312 (project gnutls):
Open/Closed: Open => Closed
_______________________________________________________
Reply to this item at:
_______________________________________________
Message sent via/by Savannah
http://savannah.gnu.org/
From INVALID.NOREPLY at gnu.org Sun Apr 10 20:48:26 2011
From: INVALID.NOREPLY at gnu.org (Nikos Mavrogiannopoulos)
Date: Sun, 10 Apr 2011 18:48:26 +0000
Subject: [sr #107300] configure.in doesn't detect guile-devel pkg absence
In-Reply-To: <20100316-090002.sv7213.72787@savannah.gnu.org>
References: <20100309-210859.sv77719.90813@savannah.gnu.org>
<20100315-091951.sv7213.61366@savannah.gnu.org>
<20100316-014311.sv77719.79142@savannah.gnu.org>
<20100316-090002.sv7213.72787@savannah.gnu.org>
Message-ID: <20110410-214826.sv707.60254@savannah.gnu.org>
Update of sr #107300 (project gnutls):
Open/Closed: Open => Closed
_______________________________________________________
Reply to this item at:
_______________________________________________
Message sent via/by Savannah
http://savannah.gnu.org/
From INVALID.NOREPLY at gnu.org Sun Apr 10 20:49:12 2011
From: INVALID.NOREPLY at gnu.org (Nikos Mavrogiannopoulos)
Date: Sun, 10 Apr 2011 18:49:12 +0000
Subject: [sr #106869] [2.6.6 darwin] duplicate symbols '___gmpz_abs' in
'libguile_gnutls'
In-Reply-To: <20090718-044510.sv67508.44723@savannah.gnu.org>
References: <20090604-030050.sv67508.82037@savannah.gnu.org>
<20090604-064139.sv15145.13955@savannah.gnu.org>
<20090604-064809.sv15145.56805@savannah.gnu.org>
<20090615-023832.sv67508.9215@savannah.gnu.org>
<20090621-135017.sv15145.47097@savannah.gnu.org>
<20090718-044510.sv67508.44723@savannah.gnu.org>
Message-ID: <20110410-214911.sv707.55742@savannah.gnu.org>
Update of sr #106869 (project gnutls):
Open/Closed: Open => Closed
_______________________________________________________
Reply to this item at:
_______________________________________________
Message sent via/by Savannah
http://savannah.gnu.org/
From INVALID.NOREPLY at gnu.org Sun Apr 10 20:49:35 2011
From: INVALID.NOREPLY at gnu.org (Nikos Mavrogiannopoulos)
Date: Sun, 10 Apr 2011 18:49:35 +0000
Subject: [sr #107634] Change to nettle breaks compatibility (2.11.7)
In-Reply-To: <20110322-195425.sv707.22504@savannah.gnu.org>
References: <20110322-165133.sv82170.13113@savannah.gnu.org>
<20110322-195425.sv707.22504@savannah.gnu.org>
Message-ID: <20110410-214935.sv707.43824@savannah.gnu.org>
Update of sr #107634 (project gnutls):
Open/Closed: Open => Closed
_______________________________________________________
Reply to this item at:
_______________________________________________
Message sent via/by Savannah
http://savannah.gnu.org/
From nisse at lysator.liu.se Tue Apr 12 11:27:42 2011
From: nisse at lysator.liu.se (Niels =?iso-8859-1?Q?M=F6ller?=)
Date: Tue, 12 Apr 2011 11:27:42 +0200
Subject: different lib directories for gnutls and nettle
In-Reply-To: <4D97B452.9080100@gnutls.org> (Nikos Mavrogiannopoulos's message
of "Sun, 03 Apr 2011 01:42:10 +0200")
References: <437hbgql64.wl%bjg@gnu.org> <4D97B452.9080100@gnutls.org>
Message-ID:
Nikos Mavrogiannopoulos writes:
> Indeed it seems nettle for some reason uses the /usr/lib64. Niels,
> is there really a reason for that? As I understand from the FHS[0]
> /usr/lib is the system library directory. /usr/lib64 and /usr/lib32
> might not even be there.
Sorry for the late reply. A bit down in the same document,
http://www.pathname.com/fhs/pub/fhs-2.3.html, it says
/lib64 and /lib32 : 64/32-bit libraries (architecture dependent)
The 64-bit architectures PPC64, s390x, sparc64 and AMD64 must place
64-bit libraries in /lib64, and 32-bit (or 31-bit on s390) libraries in
/lib.
If you believe this, then it's wrong to install 64-bit libraries in lib.
And I believed so when I wrote this part of the nettle configure.ac...
But then it turned out that at least debian on x86_64 ignores this part
of the FHS, and puts the 64-bit libraries in lib, and 32-bit libraries
in lib32. Which seems to also be the freebsd way of doing it.
In the debian case, lib64 is a symlink to lib, so it doesn't matter for
a 64-bit builds (they will be installed in lib64, which is a symlink to
lib, which is tye right place), while a build with ./configure CC="gcc
-m32" && make && make install will install the 32-bit library files in
the wrong place.
I'm not sure what the right thing is. Is there any distribution which
actuallly does what the FHS says? If so, I guess configure needs to
check what directories exists, and install in lib$ABI whenever that
directory exists, otherwise in lib. I haven't got around to fixing that.
Regards,
/Niels
--
Niels M?ller. PGP-encrypted email is preferred. Keyid C0B98E26.
Internet email is subject to wholesale government surveillance.
From INVALID.NOREPLY at gnu.org Tue Apr 12 14:26:23 2011
From: INVALID.NOREPLY at gnu.org (Michael Hellwig)
Date: Tue, 12 Apr 2011 12:26:23 +0000
Subject: [sr #107660] gnutls update to 2.12 branch breaks programs in ARCH and
Debian squeeze
Message-ID: <20110412-122623.sv82434.96453@savannah.gnu.org>
URL:
Summary: gnutls update to 2.12 branch breaks programs in ARCH
and Debian squeeze
Project: GnuTLS
Submitted by: mhellwig
Submitted on: Tue 12 Apr 2011 12:26:19 PM GMT
Category: None
Priority: 5 - Normal
Severity: 3 - Normal
Status: None
Privacy: Public
Assigned to: None
Originator Email:
Open/Closed: Open
Discussion Lock: Any
Operating System: GNU/Linux
_______________________________________________________
Details:
I don't really have much more info than "before the update, things worked, now
they don't".
bugs at
https://bugs.archlinux.org/task/23678
(note: in that bug somebody mentions that it also breaks claws-mail, not just
bitlbee)
http://bugs.bitlbee.org/bitlbee/ticket/779
at least in the case of bitlbee, I've tested that the problem goes away when I
downgrade to gnutls 2.10.5 or link the program against openssl instead.
Bitlbee developers also recommend linking against nss but when I do that, I
get another problem (although there the connection doesn't hang, it just dies
right away).
_______________________________________________________
Reply to this item at:
_______________________________________________
Message sent via/by Savannah
http://savannah.gnu.org/
From INVALID.NOREPLY at gnu.org Tue Apr 12 14:34:38 2011
From: INVALID.NOREPLY at gnu.org (Nikos Mavrogiannopoulos)
Date: Tue, 12 Apr 2011 12:34:38 +0000
Subject: [sr #107660] gnutls update to 2.12 branch breaks programs in ARCH and
Debian squeeze
In-Reply-To: <20110412-122623.sv82434.96453@savannah.gnu.org>
References: <20110412-122623.sv82434.96453@savannah.gnu.org>
Message-ID: <20110412-153438.sv707.56854@savannah.gnu.org>
Update of sr #107660 (project gnutls):
Status: None => Need Info
Assigned to: None => nmav
_______________________________________________________
Follow-up Comment #1:
Hello,
If you revert the patch in unpatch.txt, do the issues go away?
(file #23212)
_______________________________________________________
Additional Item Attachment:
File name: unpatch.txt Size:0 KB
_______________________________________________________
Reply to this item at:
_______________________________________________
Message sent via/by Savannah
http://savannah.gnu.org/
From INVALID.NOREPLY at gnu.org Tue Apr 12 14:58:48 2011
From: INVALID.NOREPLY at gnu.org (Michael Hellwig)
Date: Tue, 12 Apr 2011 12:58:48 +0000
Subject: [sr #107660] gnutls update to 2.12 branch breaks programs in ARCH and
Debian squeeze
In-Reply-To: <20110412-153438.sv707.56854@savannah.gnu.org>
References: <20110412-122623.sv82434.96453@savannah.gnu.org>
<20110412-153438.sv707.56854@savannah.gnu.org>
Message-ID: <20110412-125848.sv82434.87468@savannah.gnu.org>
Follow-up Comment #2, sr #107660 (project gnutls):
indeed yes, at least for the bitlbee case. the claws-mail case was reported by
somebody else, can't test for that.
So hooray, reverting the patch fixes things. Does that mean gnutls has a
slight problem that will now be fixed? or that other software does and some
workaround broke due to that patch? Or .. other options?
thanks!
_______________________________________________________
Reply to this item at:
_______________________________________________
Message sent via/by Savannah
http://savannah.gnu.org/
From bjg at gnu.org Tue Apr 12 15:31:36 2011
From: bjg at gnu.org (Brian Gough)
Date: Tue, 12 Apr 2011 14:31:36 +0100
Subject: different lib directories for gnutls and nettle
In-Reply-To:
References: <437hbgql64.wl%bjg@gnu.org> <4D97B452.9080100@gnutls.org>
Message-ID: <43y63fppdz.wl%bjg@gnu.org>
At Tue, 12 Apr 2011 11:27:42 +0200,
Niels M?ller wrote:
> I'm not sure what the right thing is. Is there any distribution which
> actuallly does what the FHS says? If so, I guess configure needs to
> check what directories exists, and install in lib$ABI whenever that
> directory exists, otherwise in lib. I haven't got around to fixing that.
Hi Niels.
I don't know what is the correct interpretation of the FHS, but by
default all other autoconf'ed and GNU packages always use
libdir=$prefix/lib (with the --libdir option allowing it to be
overridden if someone wants to use lib64 or whatever).
So I'd recommend to use the autoconf default of $prefix/lib, as you
will be in the good company of hundreds of other packages that way.
The distributions already have their own ways of using --libdir on
autoconf'ed packages so you don't need to worry about it yourself.
--
Brian Gough
From INVALID.NOREPLY at gnu.org Tue Apr 12 15:38:53 2011
From: INVALID.NOREPLY at gnu.org (Nikos Mavrogiannopoulos)
Date: Tue, 12 Apr 2011 13:38:53 +0000
Subject: [sr #107660] gnutls update to 2.12 branch breaks programs in ARCH and
Debian squeeze
In-Reply-To: <20110412-125848.sv82434.87468@savannah.gnu.org>
References: <20110412-122623.sv82434.96453@savannah.gnu.org>
<20110412-153438.sv707.56854@savannah.gnu.org>
<20110412-125848.sv82434.87468@savannah.gnu.org>
Message-ID: <20110412-163853.sv707.39141@savannah.gnu.org>
Update of sr #107660 (project gnutls):
Status: Need Info => Wont Do
_______________________________________________________
Follow-up Comment #3:
Unfortunately not :( I just wanted to test what was the issue. gnutls 2.12.0
changed the semantics of gnutls_transport_set_lowat() and the default value is
zero.
There are two solutions.
1. Quick fix. Programs that require another value must explicitly call:
gnutls_transport_set_lowat (session, 1);
after (gnutls_init()).
2. Long-term fix. Because later versions of gnutls abolish the functionality
of using the system call select() to check for gnutls pending data, the
function
gnutls_record_check_pending()
has to be used to achieve the same functionality.
regards,
Nikos
_______________________________________________________
Reply to this item at:
_______________________________________________
Message sent via/by Savannah
http://savannah.gnu.org/
From INVALID.NOREPLY at gnu.org Tue Apr 12 15:49:45 2011
From: INVALID.NOREPLY at gnu.org (Nikos Mavrogiannopoulos)
Date: Tue, 12 Apr 2011 13:49:45 +0000
Subject: [sr #107660] gnutls update to 2.12 branch breaks programs in ARCH and
Debian squeeze
In-Reply-To: <20110412-164715.sv707.89667@savannah.gnu.org>
References: <20110412-122623.sv82434.96453@savannah.gnu.org>
<20110412-153438.sv707.56854@savannah.gnu.org>
<20110412-125848.sv82434.87468@savannah.gnu.org>
<20110412-163853.sv707.39141@savannah.gnu.org>
<20110412-134516.sv82434.5097@savannah.gnu.org>
<20110412-164715.sv707.89667@savannah.gnu.org>
Message-ID: <20110412-164945.sv707.39713@savannah.gnu.org>
Follow-up Comment #6, sr #107660 (project gnutls):
If more information on how to use the gnutls_record_check_pending() is
required, here is our modification of gnutls-cli to use it:
http://git.savannah.gnu.org/gitweb/?p=gnutls.git;a=commitdiff;h=20e0e448a2f3685cc6244f7c052b32f3f0719f73
_______________________________________________________
Reply to this item at:
_______________________________________________
Message sent via/by Savannah
http://savannah.gnu.org/
From INVALID.NOREPLY at gnu.org Tue Apr 12 15:47:15 2011
From: INVALID.NOREPLY at gnu.org (Nikos Mavrogiannopoulos)
Date: Tue, 12 Apr 2011 13:47:15 +0000
Subject: [sr #107660] gnutls update to 2.12 branch breaks programs in ARCH and
Debian squeeze
In-Reply-To: <20110412-134516.sv82434.5097@savannah.gnu.org>
References: <20110412-122623.sv82434.96453@savannah.gnu.org>
<20110412-153438.sv707.56854@savannah.gnu.org>
<20110412-125848.sv82434.87468@savannah.gnu.org>
<20110412-163853.sv707.39141@savannah.gnu.org>
<20110412-134516.sv82434.5097@savannah.gnu.org>
Message-ID: <20110412-164715.sv707.89667@savannah.gnu.org>
Follow-up Comment #5, sr #107660 (project gnutls):
Thank you. We could fix it in gnutls 2.12.x and restore the old default, but
we'll just postpone the inevitable for the next release that abolishes that
functionality.
_______________________________________________________
Reply to this item at:
_______________________________________________
Message sent via/by Savannah
http://savannah.gnu.org/
From INVALID.NOREPLY at gnu.org Tue Apr 12 15:45:17 2011
From: INVALID.NOREPLY at gnu.org (Michael Hellwig)
Date: Tue, 12 Apr 2011 13:45:17 +0000
Subject: [sr #107660] gnutls update to 2.12 branch breaks programs in ARCH and
Debian squeeze
In-Reply-To: <20110412-163853.sv707.39141@savannah.gnu.org>
References: <20110412-122623.sv82434.96453@savannah.gnu.org>
<20110412-153438.sv707.56854@savannah.gnu.org>
<20110412-125848.sv82434.87468@savannah.gnu.org>
<20110412-163853.sv707.39141@savannah.gnu.org>
Message-ID: <20110412-134516.sv82434.5097@savannah.gnu.org>
Follow-up Comment #4, sr #107660 (project gnutls):
ok .. well I'll try and communicate that to the bitlbee people .. as for other
projects .. who knows. at least now you'll know what all those bugs will be
about ;)
_______________________________________________________
Reply to this item at:
_______________________________________________
Message sent via/by Savannah
http://savannah.gnu.org/
From nisse at lysator.liu.se Tue Apr 12 16:48:21 2011
From: nisse at lysator.liu.se (Niels =?iso-8859-1?Q?M=F6ller?=)
Date: Tue, 12 Apr 2011 16:48:21 +0200
Subject: different lib directories for gnutls and nettle
In-Reply-To: <43y63fppdz.wl%bjg@gnu.org> (Brian Gough's message of "Tue, 12
Apr 2011 14:31:36 +0100")
References: <437hbgql64.wl%bjg@gnu.org> <4D97B452.9080100@gnutls.org>
<43y63fppdz.wl%bjg@gnu.org>
Message-ID:
Brian Gough writes:
> I don't know what is the correct interpretation of the FHS, but by
> default all other autoconf'ed and GNU packages always use
> libdir=$prefix/lib (with the --libdir option allowing it to be
> overridden if someone wants to use lib64 or whatever).
And the default is broken for multi-abi systems, since it means that a
plain ./configure && make && make install may well overwrite a working
library in /usr/local/lib with a library for a different ABI. With
autoconf defaults, this will happen, e.g., if you compile on Solaris (or
on some gnu/linux siystem which actually obeys the FHS), using a
compiler which by default generates 64-bit code).
Now, most packages are not aware of what ABI they are being compiled
for, but nettle is. It has to figure it out, in order to select the
right assembly files.
> The distributions already have their own ways of using --libdir on
> autoconf'ed packages so you don't need to worry about it yourself.
I don't worry so much for distributors. To use a sane libdir default is
intended to help people who compile nettle from source themselves,
rather than installing their distribution's nettle package.
I'd be happy to have autoconf solve this problem for me, but currently
it doesn't. Library installation is a bit complex, with various
workarounds. Another issue not currently solved by autoconf (nor by
nettle's build system) is w*ndows dlls, which should usually be
installed in bin rather than lib. I've heard that automake (or maybe it
was libtool) uses the workaround to install dlls in $libdir/../bin.
Which is really really ugly, but which appears to work most of the time.
Autoconf simply doesn't solve everything.
Finally: If the current hack doesn't work, I'd appreciate a complete bug
report. What system is it? Which library directories exists (incluing
symlinks)? Which directory is expected to hold libraries for which ABI?
Regards,
/Niels
--
Niels M?ller. PGP-encrypted email is preferred. Keyid C0B98E26.
Internet email is subject to wholesale government surveillance.
From ludo at gnu.org Tue Apr 12 23:37:29 2011
From: ludo at gnu.org (Ludovic =?iso-8859-1?Q?Court=E8s?=)
Date: Tue, 12 Apr 2011 23:37:29 +0200
Subject: Don't include when not necessary
Message-ID: <8739lnw3qe.fsf@gnu.org>
Hello,
For the record I just pushed this patch, which allows compilation
without libgcrypt:
http://git.savannah.gnu.org/cgit/gnutls.git/commit/?h=gnutls_2_12_x&id=da7563294b63d006a15c8bdcbb3d6d4d87b72558
Thanks,
Ludo?.
From nmav at gnutls.org Wed Apr 13 17:29:20 2011
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Wed, 13 Apr 2011 17:29:20 +0200
Subject: Don't include when not necessary
In-Reply-To: <8739lnw3qe.fsf@gnu.org>
References: <8739lnw3qe.fsf@gnu.org>
Message-ID: <4DA5C150.2070407@gnutls.org>
On 04/12/2011 11:37 PM, Ludovic Court?s wrote:
> Hello,
>
> For the record I just pushed this patch, which allows compilation
> without libgcrypt:
> http://git.savannah.gnu.org/cgit/gnutls.git/commit/?h=gnutls_2_12_x&id=da7563294b63d006a15c8bdcbb3d6d4d87b72558
Thanks. I've applied it to master as well.
regards,
Nikos
From bjg at gnu.org Thu Apr 14 02:36:14 2011
From: bjg at gnu.org (Brian Gough)
Date: Thu, 14 Apr 2011 01:36:14 +0100
Subject: different lib directories for gnutls and nettle
In-Reply-To:
References: <437hbgql64.wl%bjg@gnu.org> <4D97B452.9080100@gnutls.org>
<43y63fppdz.wl%bjg@gnu.org>
Message-ID: <438vvdpt35.wl%bjg@gnu.org>
At Tue, 12 Apr 2011 16:48:21 +0200,
Niels M?ller wrote:
>
> Finally: If the current hack doesn't work, I'd appreciate a complete bug
> report. What system is it? Which library directories exists (incluing
> symlinks)? Which directory is expected to hold libraries for which ABI?
Not actually a bug as such, but differing standards. The GNU Coding
Standards specify lib/ as the default library install directory on any
system. The FHS and GNU Coding Standards are different on this point.
Nettle should work better with other GNU packages if it follows the
GNU standards, as the assumption of lib/ as a default is a common one
in other configure scripts.
For comparison the GMP library has ABI detection via configure but
keeps the library directory as lib/ by default.
From nisse at lysator.liu.se Thu Apr 14 10:25:48 2011
From: nisse at lysator.liu.se (Niels =?iso-8859-1?Q?M=F6ller?=)
Date: Thu, 14 Apr 2011 10:25:48 +0200
Subject: different lib directories for gnutls and nettle
In-Reply-To: <438vvdpt35.wl%bjg@gnu.org> (Brian Gough's message of "Thu, 14
Apr 2011 01:36:14 +0100")
References: <437hbgql64.wl%bjg@gnu.org> <4D97B452.9080100@gnutls.org>
<43y63fppdz.wl%bjg@gnu.org>
<438vvdpt35.wl%bjg@gnu.org>
Message-ID:
Brian Gough writes:
> Nettle should work better with other GNU packages if it follows the
> GNU standards, as the assumption of lib/ as a default is a common one
> in other configure scripts.
I don't change the default lightly, but I still think it's the right
thing to do when
1. The user has not provided --libdir explicitly.
2. One is building on a multi-abi system, which is a case where the
autoconf default doesn't even try to do the right thing.
3. The autoconf default is known to be wrong.
> For comparison the GMP library has ABI detection via configure but
> keeps the library directory as lib/ by default.
I'm reasonably familiar with the gmp configure script. It's true that it
currently always uses lib/ as the default, regardless of ABI, but it's
ABI related hacks can also cause other nasty surprises. So it's a good
example to exhibit the complexity of the problem, but it's not currently
solving it.
As for linux on x86_64, it appears that debian (and derivatives, I
imagine) put 64-bit libraries in lib/, while the distributions with
roots in redhat (at least rhel 5 and fedora 14) and gentoo follow the
fhs conventions and put 32-bit libraries in lib/. So to do the right
thing, configure has to distinguish between these two cases. What a mess
(but just the type of mess configure.ac is intended to help sort out).
Regards,
/Niels
--
Niels M?ller. PGP-encrypted email is preferred. Keyid C0B98E26.
Internet email is subject to wholesale government surveillance.
From nmav at gnutls.org Thu Apr 14 10:55:33 2011
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Thu, 14 Apr 2011 10:55:33 +0200
Subject: different lib directories for gnutls and nettle
In-Reply-To:
References: <437hbgql64.wl%bjg@gnu.org> <4D97B452.9080100@gnutls.org>
<43y63fppdz.wl%bjg@gnu.org>
<438vvdpt35.wl%bjg@gnu.org>
Message-ID:
On Thu, Apr 14, 2011 at 10:25 AM, Niels M?ller wrote:
>> Nettle should work better with other GNU packages if it follows the
>> GNU standards, as the assumption of lib/ as a default is a common one
>> in other configure scripts.
> I don't change the default lightly, but I still think it's the right
> thing to do when
> 1. The user has not provided --libdir explicitly.
> 2. One is building on a multi-abi system, which is a case where the
> ? autoconf default doesn't even try to do the right thing.
> 3. The autoconf default is known to be wrong.
I don't really find this a serious problem because libdir can be
provided by the one performing compilation and fix any issues,
anyway.
As a matter of policy though, I think the FHS way of
storing in /usr/lib 32-bit binaries, even if the default system compiler
outputs 64-bit binaries, is quite absurd, and looks like a relic from
the era that binary only programs came with 32-bit intel code only.
Systems like debian correctly for me do not follow this approach
because it has no benefit for the user of a multi-lib system and only
causes confusion, as programs in /usr/bin do not use libraries in
/usr/lib. What you call a multi-lib system
is actually a system with a native word size and a compatibility
mode with another (smaller) word size. Why one not using
the compatibility mode have an empty /usr/lib? This requirement
is intended only for the one distributing ancient 32-bit binaries and
I see no compelling reason for free software or open systems to
follow that by default.
regards,
Nikos
From tmraz at redhat.com Thu Apr 14 11:05:12 2011
From: tmraz at redhat.com (Tomas Mraz)
Date: Thu, 14 Apr 2011 11:05:12 +0200
Subject: different lib directories for gnutls and nettle
In-Reply-To:
References: <437hbgql64.wl%bjg@gnu.org> <4D97B452.9080100@gnutls.org>
<43y63fppdz.wl%bjg@gnu.org>
<438vvdpt35.wl%bjg@gnu.org>
Message-ID: <1302771912.24643.4.camel@vespa.frost.loc>
On Thu, 2011-04-14 at 10:55 +0200, Nikos Mavrogiannopoulos wrote:
> On Thu, Apr 14, 2011 at 10:25 AM, Niels M?ller wrote:
> >> Nettle should work better with other GNU packages if it follows the
> >> GNU standards, as the assumption of lib/ as a default is a common one
> >> in other configure scripts.
> > I don't change the default lightly, but I still think it's the right
> > thing to do when
> > 1. The user has not provided --libdir explicitly.
> > 2. One is building on a multi-abi system, which is a case where the
> > autoconf default doesn't even try to do the right thing.
> > 3. The autoconf default is known to be wrong.
>
> I don't really find this a serious problem because libdir can be
> provided by the one performing compilation and fix any issues,
> anyway.
>
> As a matter of policy though, I think the FHS way of
> storing in /usr/lib 32-bit binaries, even if the default system compiler
> outputs 64-bit binaries, is quite absurd, and looks like a relic from
> the era that binary only programs came with 32-bit intel code only.
> Systems like debian correctly for me do not follow this approach
> because it has no benefit for the user of a multi-lib system and only
> causes confusion, as programs in /usr/bin do not use libraries in
> /usr/lib. What you call a multi-lib system
> is actually a system with a native word size and a compatibility
> mode with another (smaller) word size. Why one not using
> the compatibility mode have an empty /usr/lib? This requirement
> is intended only for the one distributing ancient 32-bit binaries and
> I see no compelling reason for free software or open systems to
> follow that by default.
There is one big compelling reason - the packages for 32-bit native
installation and 32bit compatibility on 64-bit native system are the
same. And that's the reason RPM based distros use lib for 32bit and
lib64 for 64bit libraries.
Nevertheless I think the upstream makefiles should use the autoconf
default and do not try to detect it as it makes more confusion if the
detection is not 100% correct.
--
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
Turkish proverb
From ametzler at downhill.at.eu.org Sat Apr 16 17:54:55 2011
From: ametzler at downhill.at.eu.org (Andreas Metzler)
Date: Sat, 16 Apr 2011 17:54:55 +0200
Subject: Bug#623001: libgnutls26: fails to handshake on a number of
sites (firefox works)
In-Reply-To: <20110416144822.10679.35723.reportbug@goiaba.horta>
References: <20110416144822.10679.35723.reportbug@goiaba.horta>
Message-ID: <20110416155455.GH2011@downhill.g.la>
On 2011-04-16 Gustavo Noronha Silva wrote:
> Package: libgnutls26
> Version: 2.12.2-1
[...]
> I've been seeing this problem mostly in Epiphany - the web page
> renders with the layout totally broken because the CSS failed to
> download because of this issue. Some big sites like github.com are
> affected.
[...]
> The reason reported is 'Peer failed to perform TLS handshake'. Here's
> a test with gnutls-cli:
> kov at goiaba:~$ gnutls-cli d3nwyuy0nl342s.cloudfront.net
> Resolving 'd3nwyuy0nl342s.cloudfront.net'...
> Connecting to '204.246.175.60:443'...
> *** Fatal error: A TLS fatal alert has been received.
> *** Received alert [40]: Handshake failed
> *** Handshake has failed
> GnuTLS error: A TLS fatal alert has been received.
[...]
> ii libgcrypt11 1.5.0~beta1-1 LGPL Crypto library - runtime libr
[...]
Hello,
thank you for taking the time to test the packages in experimental. I
can reproduce the bug.
For clarification it is not caused by libgcrypt11 from experimental,
libgnutls26 2.12.2-1 with stable libgcrypt11 also fails. Attached
verbose log is not a lot more enlightening.
cu andreas
-------------- next part --------------
|<4>| REC[0x9ddaf60]: Allocating epoch #0
|<2>| ASSERT: gnutls_constate.c:695
|<4>| REC[0x9ddaf60]: Allocating epoch #1
|<3>| HSK[0x9ddaf60]: Keeping ciphersuite: DHE_RSA_AES_128_CBC_SHA256
|<3>| HSK[0x9ddaf60]: Keeping ciphersuite: DHE_RSA_AES_128_CBC_SHA1
|<3>| HSK[0x9ddaf60]: Keeping ciphersuite: DHE_RSA_CAMELLIA_128_CBC_SHA1
|<3>| HSK[0x9ddaf60]: Keeping ciphersuite: DHE_RSA_AES_256_CBC_SHA256
|<3>| HSK[0x9ddaf60]: Keeping ciphersuite: DHE_RSA_AES_256_CBC_SHA1
|<3>| HSK[0x9ddaf60]: Keeping ciphersuite: DHE_RSA_CAMELLIA_256_CBC_SHA1
|<3>| HSK[0x9ddaf60]: Keeping ciphersuite: DHE_RSA_3DES_EDE_CBC_SHA1
|<3>| HSK[0x9ddaf60]: Keeping ciphersuite: DHE_DSS_AES_128_CBC_SHA256
|<3>| HSK[0x9ddaf60]: Keeping ciphersuite: DHE_DSS_AES_128_CBC_SHA1
|<3>| HSK[0x9ddaf60]: Keeping ciphersuite: DHE_DSS_CAMELLIA_128_CBC_SHA1
|<3>| HSK[0x9ddaf60]: Keeping ciphersuite: DHE_DSS_AES_256_CBC_SHA256
|<3>| HSK[0x9ddaf60]: Keeping ciphersuite: DHE_DSS_AES_256_CBC_SHA1
|<3>| HSK[0x9ddaf60]: Keeping ciphersuite: DHE_DSS_CAMELLIA_256_CBC_SHA1
|<3>| HSK[0x9ddaf60]: Keeping ciphersuite: DHE_DSS_3DES_EDE_CBC_SHA1
|<3>| HSK[0x9ddaf60]: Keeping ciphersuite: DHE_DSS_ARCFOUR_SHA1
|<3>| HSK[0x9ddaf60]: Keeping ciphersuite: RSA_AES_128_CBC_SHA256
|<3>| HSK[0x9ddaf60]: Keeping ciphersuite: RSA_AES_128_CBC_SHA1
|<3>| HSK[0x9ddaf60]: Keeping ciphersuite: RSA_CAMELLIA_128_CBC_SHA1
|<3>| HSK[0x9ddaf60]: Keeping ciphersuite: RSA_AES_256_CBC_SHA256
|<3>| HSK[0x9ddaf60]: Keeping ciphersuite: RSA_AES_256_CBC_SHA1
|<3>| HSK[0x9ddaf60]: Keeping ciphersuite: RSA_CAMELLIA_256_CBC_SHA1
|<3>| HSK[0x9ddaf60]: Keeping ciphersuite: RSA_3DES_EDE_CBC_SHA1
|<3>| HSK[0x9ddaf60]: Keeping ciphersuite: RSA_ARCFOUR_SHA1
|<2>| EXT[0x9ddaf60]: Sending extension CERT TYPE (3 bytes)
|<2>| EXT[0x9ddaf60]: Sending extension SERVER NAME (34 bytes)
|<2>| EXT[0x9ddaf60]: Sending extension SAFE RENEGOTIATION (1 bytes)
|<2>| EXT[0x9ddaf60]: Sending extension SESSION TICKET (0 bytes)
|<2>| EXT[SIGA]: sent signature algo (4.2) DSA-SHA256
|<2>| EXT[SIGA]: sent signature algo (4.1) RSA-SHA256
|<2>| EXT[SIGA]: sent signature algo (2.1) RSA-SHA1
|<2>| EXT[SIGA]: sent signature algo (2.2) DSA-SHA1
|<2>| EXT[0x9ddaf60]: Sending extension SIGNATURE ALGORITHMS (10 bytes)
|<3>| HSK[0x9ddaf60]: CLIENT HELLO was sent [159 bytes]
|<6>| BUF[HSK]: Inserted 159 bytes of Data
|<7>| HWRITE: enqueued 159. Total 159 bytes.
|<7>| HWRITE FLUSH: 159 bytes in buffer.
|<4>| REC[0x9ddaf60]: Sending Packet[0] Handshake(22) with length: 159
|<7>| WRITE: enqueued 164 bytes for 0x4. Total 164 bytes.
|<4>| REC[0x9ddaf60]: Sent Packet[1] Handshake(22) with length: 164
|<7>| HWRITE: wrote 159 bytes, 0 bytes left.
|<7>| WRITE FLUSH: 164 bytes in buffer.
|<7>| WRITE: wrote 164 bytes, 0 bytes left.
|<7>| READ: Got 5 bytes from 0x4
|<7>| READ: read 5 bytes from 0x4
|<7>| RB: Have 0 bytes into buffer. Adding 5 bytes.
|<7>| RB: Requested 5 bytes
|<4>| REC[0x9ddaf60]: Expected Packet[0] Handshake(22) with length: 1
|<4>| REC[0x9ddaf60]: Received Packet[0] Alert(21) with length: 2
|<7>| READ: Got 2 bytes from 0x4
|<7>| READ: read 2 bytes from 0x4
|<7>| RB: Have 5 bytes into buffer. Adding 2 bytes.
|<7>| RB: Requested 7 bytes
|<4>| REC[0x9ddaf60]: Decrypted Packet[0] Alert(21) with length: 2
|<4>| REC[0x9ddaf60]: Alert[2|40] - Handshake failed - was received
|<2>| ASSERT: gnutls_record.c:726
|<2>| ASSERT: gnutls_record.c:1122
|<2>| ASSERT: gnutls_handshake.c:2761
|<6>| BUF[HSK]: Cleared Data from buffer
*** Fatal error: A TLS fatal alert has been received.
|<4>| REC: Sending Alert[2|80] - Internal error
|<4>| REC[0x9ddaf60]: Sending Packet[1] Alert(21) with length: 2
|<7>| WRITE: enqueued 7 bytes for 0x4. Total 7 bytes.
|<7>| WRITE FLUSH: 7 bytes in buffer.
|<7>| WRITE: wrote 7 bytes, 0 bytes left.
|<4>| REC[0x9ddaf60]: Sent Packet[2] Alert(21) with length: 7
*** Handshake has failed
GnuTLS error: A TLS fatal alert has been received.
|<6>| BUF[HSK]: Cleared Data from buffer
|<4>| REC[0x9ddaf60]: Epoch #0 freed
|<4>| REC[0x9ddaf60]: Epoch #1 freed
Resolving 'd3nwyuy0nl342s.cloudfront.net'...
Connecting to '216.137.61.145:443'...
*** Received alert [40]: Handshake failed
From nmav at gnutls.org Sat Apr 16 18:05:07 2011
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Sat, 16 Apr 2011 18:05:07 +0200
Subject: Bug#623001: libgnutls26: fails to handshake on a number of sites
(firefox works)
In-Reply-To: <20110416155455.GH2011@downhill.g.la>
References: <20110416144822.10679.35723.reportbug@goiaba.horta>
<20110416155455.GH2011@downhill.g.la>
Message-ID: <4DA9BE33.8030405@gnutls.org>
On 04/16/2011 05:54 PM, Andreas Metzler wrote:
> thank you for taking the time to test the packages in experimental. I
> can reproduce the bug.
>
> For clarification it is not caused by libgcrypt11 from experimental,
> libgnutls26 2.12.2-1 with stable libgcrypt11 also fails. Attached
> verbose log is not a lot more enlightening.
d3nwyuy0nl342s.cloudfront.net seems to support only one ciphersuite.
That is ARCFOUR-128 with HMAC-MD5. I disabled HMAC-MD5 from the default
set in 2.12.0 because it is not really trusted as an HMAC any more.
If however this is widespread issue I'll reinstate HMAC-MD5 and
remove it when a real attack is known.
regards,
Nikos
From ametzler at downhill.at.eu.org Sat Apr 16 19:19:49 2011
From: ametzler at downhill.at.eu.org (Andreas Metzler)
Date: Sat, 16 Apr 2011 19:19:49 +0200
Subject: AES-NI
Message-ID: <20110416171949.GI2011@downhill.g.la>
Hello,
watching gnutls-commits I have been wondering about
-------------------------------------------
** libgnutls: Added support for AES-NI if detected. Uses
Andy Polyakov's AES-NI code.
-------------------------------------------
Isn't this something that belongs in the crypto backend? Gcrypt (1.5
beta) already supports it.
I am not critizing, just wondering whether I understand things
correctly.
thanks, cu andreas
--
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
From nmav at gnutls.org Sat Apr 16 19:42:07 2011
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Sat, 16 Apr 2011 19:42:07 +0200
Subject: AES-NI
In-Reply-To: <20110416171949.GI2011@downhill.g.la>
References: <20110416171949.GI2011@downhill.g.la>
Message-ID: <4DA9D4EF.1000506@gnutls.org>
On 04/16/2011 07:19 PM, Andreas Metzler wrote:
> watching gnutls-commits I have been wondering about
> ------------------------------------------- ** libgnutls: Added
> support for AES-NI if detected. Uses Andy Polyakov's AES-NI code.
> -------------------------------------------
>
> Isn't this something that belongs in the crypto backend? Gcrypt (1.5
> beta) already supports it. I am not critizing, just wondering whether
> I understand things correctly.
Indeed. Ideally this should have been handled in the cryptographic
back-end. However nettle (due to being very low level) doesn't have any
interface to override ciphers on run-time. Libgcrypt also doesn't have
such an interface, thus anyone wanting to contribute such optimized
code has to do within ifdefs in the existing code. For these two reasons
the run-time detection of cryptographic capabilities is kept in
gnutls[0]. That way and by keeping that code separate and independent,
we can use external contributions of optimized implementations quite
easily, even if the code is not under LGPL (but under some other
compatible license).
regards,
Nikos
[0]. I tried to sketch this architecture at:
http://git.savannah.gnu.org/gitweb/?p=gnutls.git;a=blob;f=doc/gnutls-crypto-layers.png;h=f25c8a1d687e0bd0601bfbcebadd758a9d64886d;hb=HEAD
From kov at debian.org Sat Apr 16 22:19:32 2011
From: kov at debian.org (Gustavo Noronha Silva)
Date: Sat, 16 Apr 2011 17:19:32 -0300
Subject: Bug#623001: libgnutls26: fails to handshake on a number of
sites (firefox works)
In-Reply-To: <4DA9BE33.8030405@gnutls.org>
References: <20110416144822.10679.35723.reportbug@goiaba.horta>
<20110416155455.GH2011@downhill.g.la> <4DA9BE33.8030405@gnutls.org>
Message-ID: <1302985186.2420.65.camel@couve.horta>
On Sat, 2011-04-16 at 18:05 +0200, Nikos Mavrogiannopoulos wrote:
> On 04/16/2011 05:54 PM, Andreas Metzler wrote:
>
> > thank you for taking the time to test the packages in experimental. I
> > can reproduce the bug.
> >
> > For clarification it is not caused by libgcrypt11 from experimental,
> > libgnutls26 2.12.2-1 with stable libgcrypt11 also fails. Attached
> > verbose log is not a lot more enlightening.
>
> d3nwyuy0nl342s.cloudfront.net seems to support only one ciphersuite.
> That is ARCFOUR-128 with HMAC-MD5. I disabled HMAC-MD5 from the default
> set in 2.12.0 because it is not really trusted as an HMAC any more.
> If however this is widespread issue I'll reinstate HMAC-MD5 and
> remove it when a real attack is known.
I've seen the issue in quite a few prominent web sites, though the only
one I have off the top of my mind currently is github, so I think
restoring HMAC-MD5 is probably wise for the time being, for
compatibility, indeed.
Cheers,
--
Gustavo Noronha Silva
Debian Project
From simon at josefsson.org Sun Apr 17 09:45:43 2011
From: simon at josefsson.org (Simon Josefsson)
Date: Sun, 17 Apr 2011 09:45:43 +0200
Subject: Bug#623001: libgnutls26: fails to handshake on a number of sites
(firefox works)
In-Reply-To: <4DA9BE33.8030405@gnutls.org> (Nikos Mavrogiannopoulos's message
of "Sat, 16 Apr 2011 18:05:07 +0200")
References: <20110416144822.10679.35723.reportbug@goiaba.horta>
<20110416155455.GH2011@downhill.g.la> <4DA9BE33.8030405@gnutls.org>
Message-ID: <878vv92ue0.fsf@latte.josefsson.org>
Nikos Mavrogiannopoulos writes:
> On 04/16/2011 05:54 PM, Andreas Metzler wrote:
>
>> thank you for taking the time to test the packages in experimental. I
>> can reproduce the bug.
>>
>> For clarification it is not caused by libgcrypt11 from experimental,
>> libgnutls26 2.12.2-1 with stable libgcrypt11 also fails. Attached
>> verbose log is not a lot more enlightening.
>
> d3nwyuy0nl342s.cloudfront.net seems to support only one ciphersuite.
> That is ARCFOUR-128 with HMAC-MD5. I disabled HMAC-MD5 from the default
> set in 2.12.0 because it is not really trusted as an HMAC any more.
> If however this is widespread issue I'll reinstate HMAC-MD5 and
> remove it when a real attack is known.
I thought there weren't any attacks on HMAC-MD5, have I missed anything?
/Simon
From nmav at gnutls.org Sun Apr 17 10:06:20 2011
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Sun, 17 Apr 2011 10:06:20 +0200
Subject: Bug#623001: libgnutls26: fails to handshake on a number of sites
(firefox works)
In-Reply-To: <878vv92ue0.fsf@latte.josefsson.org>
References: <20110416144822.10679.35723.reportbug@goiaba.horta> <20110416155455.GH2011@downhill.g.la>
<4DA9BE33.8030405@gnutls.org> <878vv92ue0.fsf@latte.josefsson.org>
Message-ID: <4DAA9F7C.8040301@gnutls.org>
On 04/17/2011 09:45 AM, Simon Josefsson wrote:
>>> thank you for taking the time to test the packages in experimental. I
>>> can reproduce the bug.
>>>
>>> For clarification it is not caused by libgcrypt11 from experimental,
>>> libgnutls26 2.12.2-1 with stable libgcrypt11 also fails. Attached
>>> verbose log is not a lot more enlightening.
>>
>> d3nwyuy0nl342s.cloudfront.net seems to support only one ciphersuite.
>> That is ARCFOUR-128 with HMAC-MD5. I disabled HMAC-MD5 from the default
>> set in 2.12.0 because it is not really trusted as an HMAC any more.
>> If however this is widespread issue I'll reinstate HMAC-MD5 and
>> remove it when a real attack is known.
> I thought there weren't any attacks on HMAC-MD5, have I missed anything?
That's what I say above. No real attacks exist although its security
is questioned (ECRYPT II report on algorithms and key sizes). The text
mentions: "The recent advances in the cryptanalysis of MD5 (see Section
10.3), and speci?cally HMAC-MD5 (e.g. [58, 143, 213, 83, 256]), suggest
that implementers should move away from HMAC-MD5 as soon as possible."
regards,
Nikos
From nmav at gnutls.org Fri Apr 22 14:10:30 2011
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Fri, 22 Apr 2011 14:10:30 +0200
Subject: gnutls 2.12.3
Message-ID: <4DB17036.2080504@gnutls.org>
Hello,
I've just released gnutls 2.12.3.
What's New
==========
* libgnutls: Several minor bugfixes.
* libgnutls: Restored HMAC-MD5 for compatibility. Although considered
weak, several sites require it for connection. It is enabled for
"NORMAL" and "PERFORMANCE" priority strings.
* libgnutls: depend on libdl.
* libgnutls: gnutls_transport_set_global_errno() was deprecated.
Use your system's errno fascility or gnutls_transport_set_errno().
* gnutls-cli: Correction with usage of select to check for
pending data in gnutls sessions. It now uses
gnutls_record_check_pending(). Reported by Herbert J. Skuhra.
* tests: More fixes and updates for win32. Patches by LRN.
* libgnutls: Several files unnecessarily included ; this has
been fixed.
** API and ABI modifications:
gnutls_transport_set_global_errno: DEPRECATED
Getting the Software
====================
GnuTLS may be downloaded from one of the GNU mirror sites or directly
>From and a list of GnuTLS mirrors
can be found at .
Here are the BZIP2 compressed sources:
ftp://ftp.gnu.org/gnu/gnutls/gnutls-2.12.3.tar.bz2
http://ftp.gnu.org/gnu/gnutls/gnutls-2.12.3.tar.bz2
Here are OpenPGP detached signatures signed using key 0x96865171:
ftp://ftp.gnu.org/gnu/gnutls/gnutls-2.12.3.tar.bz2.sig
http://ftp.gnu.org/gnu/gnutls/gnutls-2.12.3.tar.bz2.sig
Note that it has been signed with my openpgp key:
pub 3104R/96865171 2008-05-04 [expires: 2028-04-29]
uid Nikos Mavrogiannopoulos gnutls.org>
uid Nikos Mavrogiannopoulos
gmail.com>
sub 2048R/9013B842 2008-05-04 [expires: 2018-05-02]
sub 2048R/1404A91D 2008-05-04 [expires: 2018-05-02]
regards,
Nikos
From nmav at gnutls.org Sat Apr 23 11:12:25 2011
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Sat, 23 Apr 2011 11:12:25 +0200
Subject: gnutls 2.99.1
Message-ID: <4DB297F9.3060809@gnutls.org>
Hello,
The GnuTLS 2.99.x branch is NOT what you want for your stable system.
It is intended for developers and experienced users.
The changes since the development release are:
* Version 2.99.1 (released 2011-04-23)
** libgnutls: Added support for AES-NI if detected. Uses
Andy Polyakov's AES-NI code.
* libgnutls: Restored HMAC-MD5 for compatibility. Although considered
weak, several sites require it for connection. It is enabled for
"NORMAL" and "PERFORMANCE" priority strings.
* libgnutls: depend on libdl.
** libgnutls-extra: Dropped support of LZO compression via liblzo.
** libgnutls: gnutls_transport_set_global_errno() was removed. This
function required GnuTLS to access system specific data, for no reason.
Use gnutls_transport_set_errno(), or your system's errno fascility
instead.
** libgnutls: Added gnutls_certificate_set_retrieve_function2()
to set a callback to retrieve a certificate. The certificate is
received in a format that requires no processing from gnutls thus
it is suitable when performance is required.
** API and ABI modifications:
gnutls_transport_set_global_errno: REMOVED
gnutls_certificate_set_retrieve_function2: ADDED
Here are the compressed sources:
ftp://alpha.gnu.org/gnu/gnutls/gnutls-2.99.1.tar.bz2
ftp://ftp.gnutls.org/pub/gnutls/devel/gnutls-2.99.1.tar.bz2
Here is the OpenPGP signature:
ftp://alpha.gnu.org/gnu/gnutls/gnutls-2.99.1.tar.bz2.sig
ftp://ftp.gnutls.org/pub/gnutls/devel/gnutls-2.99.1.tar.bz2.sig
regards,
Nikos
From INVALID.NOREPLY at gnu.org Sat Apr 23 15:50:03 2011
From: INVALID.NOREPLY at gnu.org (Volker Grabsch)
Date: Sat, 23 Apr 2011 13:50:03 +0000
Subject: [sr #107674] GnuTLS produces an invalid gnutls.pc pkg-config script
(@LTLIBPAKCHOIS@)
Message-ID: <20110423-135002.sv74987.92287@savannah.gnu.org>
URL:
Summary: GnuTLS produces an invalid gnutls.pc pkg-config
script (@LTLIBPAKCHOIS@)
Project: GnuTLS
Submitted by: vog
Submitted on: Sat 23 Apr 2011 01:50:02 PM GMT
Category: None
Priority: 5 - Normal
Severity: 5 - Blocker
Status: None
Privacy: Public
Assigned to: None
Originator Email:
Open/Closed: Open
Discussion Lock: Any
Operating System: GNU/Linux
_______________________________________________________
Details:
GnuTLS 2.12.3 produces an invalid "Libs.private" line in its gnutls.pc
pkg-config script:
Libs.private: @LTLIBPAKCHOIS@ -lgcrypt -lgpg-error
That bug makes it unusable for static linking. I was able to reproduce this on
a Debian/Squeeze system via the following configuration:
./configure --disable-nls --disable-guile --with-included-libtasn1
--with-included-libcfg --with-libgcrypt --without-lzo
The pakchois is _not_ installed here, but the ./configure output also doesn't
mention "pakchois" anywhere.
Maybe there is a bug in the pakchois detection?
_______________________________________________________
Reply to this item at:
_______________________________________________
Message sent via/by Savannah
http://savannah.gnu.org/
From ametzler at downhill.at.eu.org Sun Apr 24 13:21:13 2011
From: ametzler at downhill.at.eu.org (Andreas Metzler)
Date: Sun, 24 Apr 2011 13:21:13 +0200
Subject: deprecated funtions without direct successor
Message-ID: <20110424112113.GA1977@downhill.g.la>
Hello,
I have test-built most of the gnutls-depending packages, checking for
build errors with 2.12.
Afaict there are a couple of recently deprecated functions without
successor. Is this correct, do you have any pointer, suggestions?
gnutls_certificate_get_x509_cas (neon27, openldap)
gnutls_sign_callback_set (neon27)
gnutls_transport_set_lowat (curl, filezilla, gnustep-base,
libgwenhywfar, net6, openvas-libraries, samba4,
xfce4-mailwatch-plugin)
thanks, cu andreas
From nmav at gnutls.org Sun Apr 24 23:33:48 2011
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Sun, 24 Apr 2011 23:33:48 +0200
Subject: deprecated funtions without direct successor
In-Reply-To: <20110424112113.GA1977@downhill.g.la>
References: <20110424112113.GA1977@downhill.g.la>
Message-ID: <4DB4973C.4070501@gnutls.org>
On 04/24/2011 01:21 PM, Andreas Metzler wrote:
> Hello,
>
> I have test-built most of the gnutls-depending packages, checking for
> build errors with 2.12.
> Afaict there are a couple of recently deprecated functions without
> successor. Is this correct, do you have any pointer, suggestions?
> gnutls_certificate_get_x509_cas (neon27, openldap)
There is no direct successor to this function. It depended on internal
data that are already non-existing in 2.99.x. I'll try to check
those packages on how they use it, to see if there could be some
alternative way to achieve that functionality.
> gnutls_sign_callback_set (neon27)
The gnutls pkcs11 API. We have deprecated this API in favor of the
pkcs11 API but this callback will be present even in 3.0.0.
> gnutls_transport_set_lowat (curl, filezilla, gnustep-base,
> libgwenhywfar, net6, openvas-libraries, samba4,
> xfce4-mailwatch-plugin)
If they use set_lowat() with value of 0 then just removing
the call would do. If other value than zero is being
used then directions in
https://savannah.gnu.org/support/?107660
apply.
regards,
Nikos
From nmav at gnutls.org Sun Apr 24 23:38:14 2011
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Sun, 24 Apr 2011 23:38:14 +0200
Subject: gnutls 2.99.1 drops LZO support
In-Reply-To: <87zkngwsgy.fsf@gnu.org>
References: <4DB297F9.3060809@gnutls.org> <87zkngwsgy.fsf@gnu.org>
Message-ID: <4DB49846.3010709@gnutls.org>
On 04/23/2011 11:47 PM, Ludovic Court?s wrote:
> Hello,
>> ** libgnutls-extra: Dropped support of LZO compression via liblzo.
> Out of curiosity, what were the reasons for this decision?
No reason to have it either. It was an experimental custom extension
that had no chance of becoming standard due to LZO being described only
by source code. There are better compression algorithms to use today,
but as it seems compression with TLS in general never took off.
regards,
Nikos
From INVALID.NOREPLY at gnu.org Sun Apr 24 23:46:12 2011
From: INVALID.NOREPLY at gnu.org (Nikos Mavrogiannopoulos)
Date: Sun, 24 Apr 2011 21:46:12 +0000
Subject: [sr #107674] GnuTLS produces an invalid gnutls.pc pkg-config script
(@LTLIBPAKCHOIS@)
In-Reply-To: <20110423-135002.sv74987.92287@savannah.gnu.org>
References: <20110423-135002.sv74987.92287@savannah.gnu.org>
Message-ID: <20110425-004612.sv707.7246@savannah.gnu.org>
Update of sr #107674 (project gnutls):
Status: None => Done
Assigned to: None => nmav
_______________________________________________________
Follow-up Comment #1:
Thank you for reporting that. I've committed a fix.
_______________________________________________________
Reply to this item at:
_______________________________________________
Message sent via/by Savannah
http://savannah.gnu.org/
From derleader at abv.bg Mon Apr 25 00:02:05 2011
From: derleader at abv.bg (derleader mail)
Date: Mon, 25 Apr 2011 01:02:05 +0300 (EEST)
Subject: Optimize GNUTLS for performance
Message-ID: <1141392392.950170.1303682525377.JavaMail.apache@mail22.abv.bg>
Hi,
I'm interested is it possible to optimize GNUTLS for performance?
Regards
Peter
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
From ludo at gnu.org Mon Apr 25 16:11:04 2011
From: ludo at gnu.org (Ludovic =?iso-8859-1?Q?Court=E8s?=)
Date: Mon, 25 Apr 2011 16:11:04 +0200
Subject: gnutls 2.99.1 drops LZO support
In-Reply-To: <4DB49846.3010709@gnutls.org> (Nikos Mavrogiannopoulos's message
of "Sun, 24 Apr 2011 23:38:14 +0200")
References: <4DB297F9.3060809@gnutls.org> <87zkngwsgy.fsf@gnu.org>
<4DB49846.3010709@gnutls.org>
Message-ID: <87sjt6l8uf.fsf@gnu.org>
Hi Nikos,
Nikos Mavrogiannopoulos writes:
> On 04/23/2011 11:47 PM, Ludovic Court?s wrote:
>> Hello,
>>> ** libgnutls-extra: Dropped support of LZO compression via liblzo.
>> Out of curiosity, what were the reasons for this decision?
>
> No reason to have it either.
It?s an interesting trade-off in the compression ratio vs. compression
time space.
> It was an experimental custom extension that had no chance of becoming
> standard due to LZO being described only by source code.
Like zlib used to be. :-)
> There are better compression algorithms to use today, but as it seems
> compression with TLS in general never took off.
OK.
Thanks,
Ludo?.
From INVALID.NOREPLY at gnu.org Mon Apr 25 19:52:08 2011
From: INVALID.NOREPLY at gnu.org (Dan Winship)
Date: Mon, 25 Apr 2011 17:52:08 +0000
Subject: [sr #107660] gnutls update to 2.12 branch breaks programs in ARCH and
Debian squeeze
In-Reply-To: <20110412-164945.sv707.39713@savannah.gnu.org>
References: <20110412-122623.sv82434.96453@savannah.gnu.org>
<20110412-153438.sv707.56854@savannah.gnu.org>
<20110412-125848.sv82434.87468@savannah.gnu.org>
<20110412-163853.sv707.39141@savannah.gnu.org>
<20110412-134516.sv82434.5097@savannah.gnu.org>
<20110412-164715.sv707.89667@savannah.gnu.org>
<20110412-164945.sv707.39713@savannah.gnu.org>
Message-ID: <20110425-175208.sv73763.11918@savannah.gnu.org>
Follow-up Comment #7, sr #107660 (project gnutls):
Is it correct that gnutls_record_check_pending() only returns non-0 when there
is a complete TLS record buffered? ie, if gnutls_record_check_pending()
returns non-0, is it guaranteed that an immediately following call to
gnutls_record_recv() will not return GNUTLS_E_AGAIN?
_______________________________________________________
Reply to this item at:
_______________________________________________
Message sent via/by Savannah
http://savannah.gnu.org/
From INVALID.NOREPLY at gnu.org Mon Apr 25 21:01:16 2011
From: INVALID.NOREPLY at gnu.org (Nikos Mavrogiannopoulos)
Date: Mon, 25 Apr 2011 19:01:16 +0000
Subject: [sr #107660] gnutls update to 2.12 branch breaks programs in ARCH and
Debian squeeze
In-Reply-To: <20110425-175208.sv73763.11918@savannah.gnu.org>
References: <20110412-122623.sv82434.96453@savannah.gnu.org>
<20110412-153438.sv707.56854@savannah.gnu.org>
<20110412-125848.sv82434.87468@savannah.gnu.org>
<20110412-163853.sv707.39141@savannah.gnu.org>
<20110412-134516.sv82434.5097@savannah.gnu.org>
<20110412-164715.sv707.89667@savannah.gnu.org>
<20110412-164945.sv707.39713@savannah.gnu.org>
<20110425-175208.sv73763.11918@savannah.gnu.org>
Message-ID: <20110425-220116.sv707.16419@savannah.gnu.org>
Follow-up Comment #8, sr #107660 (project gnutls):
gnutls_record_check_pending() will return non-zero when there are data that
have not been read by the application. It might be less than a complete record
(i.e. 1 byte). If it is non-zero any access to gnutls_record_recv() will not
involve the network so it will never return GNUTLS_E_AGAIN.
_______________________________________________________
Reply to this item at:
_______________________________________________
Message sent via/by Savannah
http://savannah.gnu.org/
From fweimer at bfk.de Tue Apr 26 16:18:49 2011
From: fweimer at bfk.de (Florian Weimer)
Date: Tue, 26 Apr 2011 14:18:49 +0000
Subject: Bug#623001: libgnutls26: fails to handshake on a number of sites
(firefox works)
In-Reply-To: <4DAA9F7C.8040301@gnutls.org> (Nikos Mavrogiannopoulos's message
of "Sun\, 17 Apr 2011 10\:06\:20 +0200")
References: <20110416144822.10679.35723.reportbug@goiaba.horta>
<20110416155455.GH2011@downhill.g.la> <4DA9BE33.8030405@gnutls.org>
<878vv92ue0.fsf@latte.josefsson.org> <4DAA9F7C.8040301@gnutls.org>
Message-ID: <82r58pf646.fsf@mid.bfk.de>
* Nikos Mavrogiannopoulos:
> That's what I say above. No real attacks exist although its security
> is questioned (ECRYPT II report on algorithms and key sizes). The text
> mentions: "The recent advances in the cryptanalysis of MD5 (see Section
> 10.3), and speci?cally HMAC-MD5 (e.g. [58, 143, 213, 83, 256]), suggest
> that implementers should move away from HMAC-MD5 as soon as possible."
Apparently, it's not yet possible. And there have been claims tha
tthe MD5 attacks do not apply at all to HMAC-MD5. The way HMAC-MD5 is
used in TLS does not appear to be very demanding, either (a commitment
scheme could be worse, for instance).
--
Florian Weimer
BFK edv-consulting GmbH http://www.bfk.de/
Kriegsstra?e 100 tel: +49-721-96201-1
D-76133 Karlsruhe fax: +49-721-96201-99
From ludo at gnu.org Thu Apr 28 20:15:03 2011
From: ludo at gnu.org (Ludovic =?iso-8859-1?Q?Court=E8s?=)
Date: Thu, 28 Apr 2011 20:15:03 +0200
Subject: Test suite fixed for Guile 2.0.1
Message-ID: <871v0mfdjs.fsf@gnu.org>
Hello,
I just pushed this fix to 2.12 and ?master?:
http://git.sv.gnu.org/cgit/gnutls.git/commit/?h=gnutls_2_12_x&id=ccbd77f6dc0b8440e7d80bddce2c8f950674eb46
It turns out that the unit tests under ?guile/tests? were relying on a
long-standing bug, which was fixed in Guile 2.0.1 [0]. With Guile 2.0.0
and 1.8.x, the tests would exit with 0 on success and 1 on failure; with
Guile 2.0.1, they would always exit with 1, which is what the above
commit fixes.
Consequently, using one of the GnuTLS tarball released to date with
Guile 2.0.1 will systematically result in tests failures under
?guile/tests?.
Thanks,
Ludo?.
[0] http://git.sv.gnu.org/cgit/guile.git/commit/?id=e309f3bf9ee910c4772353ca3ff95f6f4ef466b5
From ametzler at downhill.at.eu.org Sat Apr 30 15:59:38 2011
From: ametzler at downhill.at.eu.org (Andreas Metzler)
Date: Sat, 30 Apr 2011 15:59:38 +0200
Subject: Two minor doc fixes
Message-ID: <20110430135938.GA1956@downhill.g.la>
Hello,
find attached two one-line patches for formatting/typo/grammar errors.
0001 for both master and gnutls_2_12_x
0002 only for gnutls_2_12_x (function is removed in master.)
thanks, cu andreas
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-escape-dashes-in-manpage.patch
Type: text/x-diff
Size: 1383 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0002-Grammar-fix-allows-one-to.patch
Type: text/x-diff
Size: 896 bytes
Desc: not available
URL: