From stefw at collabora.co.uk Wed Jun 1 17:29:57 2011 From: stefw at collabora.co.uk (Stef Walter) Date: Wed, 01 Jun 2011 17:29:57 +0200 Subject: Problem building master In-Reply-To: <4DE13EE4.3000304@gnutls.org> References: <4DDF69F3.8050307@collabora.co.uk> <4DE106B9.9090504@gnutls.org> <4DE123E6.8090002@collabora.co.uk> <4DE13EE4.3000304@gnutls.org> Message-ID: <4DE65AF5.4070400@collabora.co.uk> On 05/28/2011 08:28 PM, Nikos Mavrogiannopoulos wrote: > On 05/28/2011 06:33 PM, Stef Walter wrote: >> On 05/28/2011 04:29 PM, Nikos Mavrogiannopoulos wrote: >>> On 05/27/2011 11:08 AM, Stef Walter wrote: >>> >>>> I get the following error when building master. It's not clear to me >>>> how to fix it: aes-x86.c: In function 'check_optimized_aes': >>>> aes-x86.c:153:3: error: can't find a register in class 'BREG' while >>>> reloading 'asm' >>> Hello Stef, >>> This quite strange. Which compiler and which CPU do you build for? >> Here it is: >> stef at stef-laptop:~$ gcc --version >> gcc (Ubuntu/Linaro 4.5.2-8ubuntu4) 4.5.2 > > Is it on x86-64 or x86 (32-bit)? Does the attached patch work around > the issue for you? This does fix it for me. I see that you included it in gnutls master. Thanks :) >> And lastly, some very strange behavior occurred when building the >> documentation. It would just get stuck in a make loop and keep building >> the man pages over and over. I've included the output below. > > I'll try to check it out. Thanks. Sadly the building of manpages still gets stuck in this loop. I think what happens is this: * doc/manpages/Makefile.am: gets updated by the build process (which is a strange way to do it) * The manpages then rebuild because a file was changed/touched. Ad infinitum. Every time I build gnutls I see this as a change: stef at stef-laptop:~/projects/gnutls$ git status # On branch master # Changes not staged for commit: # (use "git add ..." to update what will be committed) # (use "git checkout -- ..." to discard changes in working directory) # # modified: doc/manpages/Makefile.am # no changes added to commit (use "git add" and/or "git commit -a") Cheers, Stef From nmav at gnutls.org Wed Jun 1 17:04:44 2011 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Wed, 01 Jun 2011 17:04:44 +0200 Subject: optimized AES GCM Message-ID: <4DE6550C.4060800@gnutls.org> Hello, I've ported Andy Polyakov's GCM code for intel processors using PCLMULQDQ instruction and benchmarked it. The difference is quite impressive: Nettle's AES and GCM: Testing DH_ANON_AES_128_GCM_SHA256 with 15360 packet size: Processed 259.65 Mb in 5.00 secs: 51.92 Mb/sec Testing ANON_DH_AES_128_CBC_SHA1 with 15360 packet size: Processed 274.53 Mb in 5.00 secs: 54.88 Mb/sec Andy's assembly code (AES-NI + PCLMULQDQ): Testing DH_ANON_AES_128_GCM_SHA256 with 15360 packet size: Processed 1.87 Gb in 5.00 secs: 0.37 Gb/sec Testing ANON_DH_AES_128_CBC_SHA1 with 15360 packet size: Processed 671.59 Mb in 5.00 secs: 134.29 Mb/sec The CPU was: Intel(R) Xeon(R) CPU X5670 @ 2.93GHz regards, Nikos From vincent.torri at gmail.com Sat Jun 4 21:05:59 2011 From: vincent.torri at gmail.com (Vincent Torri) Date: Sat, 4 Jun 2011 21:05:59 +0200 Subject: gnutls 2.99.2 In-Reply-To: References: <4DDE8867.6050102@gnutls.org> <4DDE8A86.1090508@gnutls.org> <4DDE9DBF.7040400@gnutls.org> <4DDEA4DE.1080106@gnutls.org> Message-ID: On Thu, May 26, 2011 at 9:27 PM, Vincent Torri wrote: > > > On Thu, May 26, 2011 at 9:07 PM, Nikos Mavrogiannopoulos wrote: > >> On 05/26/2011 08:49 PM, Vincent Torri wrote: >> >> >> Hi, >> >> Is it because of some restriction (like inline assembly or so), or >> >> because of some configuration? Does gnutls 2.99.2 build on windows? >> >> >> > >> > I actually don't know. I've not checked the autotools deeply (and I have >> > currently no time. Maybe in june). >> > I've not tried to compile gnutls 2.99 on Windows yet. >> > Btw, must nettle be statically linked to gnutls ? >> >> It could but it doesn't have. Maybe on windows static linking >> would be better. >> > > On the other hand, as usual with shared lib, if i have a dll or a .so of > nettle, and i upgrade it, i don't have to re-build gnutls. > actually, the mingw support is in the repository, so that will be fixed in the next release. And one has to explicitely ask for the shared lib (--enable-shared to configure) Vincent Torri -------------- next part -------------- An HTML attachment was scrubbed... URL: From nmav at gnutls.org Sat Jun 4 22:51:51 2011 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Sat, 04 Jun 2011 22:51:51 +0200 Subject: gnutls 2.12.6 Message-ID: <4DEA9AE7.9090205@gnutls.org> Hello, I've just released gnutls 2.12.6 * Version 2.12.6 (released 2011-06-4) ** libgnutls: Allow usage of DSA signatures with truncated hash. Following: http://tools.ietf.org/html/draft-mavrogiannopoulos-tls-dss-00 ** libgnutls: Prevent the usage of write() and friends when no data are to be sent. ** libgnutls: Correctly set compression method when resuming sessions. Reported by Dash Shendy. ** libgnutls: gnutls_pubkey_get_pk_dsa_raw() and gnutls_pubkey_get_pk_rsa_raw add leading zeros to the exported values. ** libgnutls: Added gnutls_global_set_time_function() to allow overriding the default system time() function. ** API and ABI modifications: gnutls_global_set_time_function: ADDED Getting the Software ==================== GnuTLS may be downloaded from one of the GNU mirror sites or directly >From and a list of GnuTLS mirrors can be found at . Here are the BZIP2 compressed sources: ftp://ftp.gnu.org/gnu/gnutls/gnutls-2.12.6.tar.bz2 http://ftp.gnu.org/gnu/gnutls/gnutls-2.12.6.tar.bz2 Here are OpenPGP detached signatures signed using key 0x96865171: ftp://ftp.gnu.org/gnu/gnutls/gnutls-2.12.6.tar.bz2.sig http://ftp.gnu.org/gnu/gnutls/gnutls-2.12.6.tar.bz2.sig Note that it has been signed with my openpgp key: pub 3104R/96865171 2008-05-04 [expires: 2028-04-29] uid Nikos Mavrogiannopoulos gnutls.org> uid Nikos Mavrogiannopoulos gmail.com> sub 2048R/9013B842 2008-05-04 [expires: 2018-05-02] sub 2048R/1404A91D 2008-05-04 [expires: 2018-05-02] regards, Nikos From vincent.torri at gmail.com Sun Jun 5 00:05:46 2011 From: vincent.torri at gmail.com (Vincent Torri) Date: Sun, 5 Jun 2011 00:05:46 +0200 Subject: gnutls 2.12.6 In-Reply-To: <4DEA9AE7.9090205@gnutls.org> References: <4DEA9AE7.9090205@gnutls.org> Message-ID: On Sat, Jun 4, 2011 at 10:51 PM, Nikos Mavrogiannopoulos wrote: > Hello, > I've just released gnutls 2.12.6 > I just want to mention that this release compiles with MSYS/MinGW, while it was not the case with the previous one regards Vincent Torri > > * Version 2.12.6 (released 2011-06-4) > > ** libgnutls: Allow usage of DSA signatures with truncated hash. > Following: http://tools.ietf.org/html/draft-mavrogiannopoulos-tls-dss-00 > > ** libgnutls: Prevent the usage of write() and friends when no data > are to be sent. > > ** libgnutls: Correctly set compression method when resuming sessions. > Reported by Dash Shendy. > > ** libgnutls: gnutls_pubkey_get_pk_dsa_raw() and > gnutls_pubkey_get_pk_rsa_raw add leading zeros to the exported values. > > ** libgnutls: Added gnutls_global_set_time_function() to allow > overriding the default system time() function. > > ** API and ABI modifications: > gnutls_global_set_time_function: ADDED > > > Getting the Software > ==================== > > GnuTLS may be downloaded from one of the GNU mirror sites or directly > From found at and a list of GnuTLS mirrors > can be found at . > > Here are the BZIP2 compressed sources: > > ftp://ftp.gnu.org/gnu/gnutls/gnutls-2.12.6.tar.bz2 > http://ftp.gnu.org/gnu/gnutls/gnutls-2.12.6.tar.bz2 > > Here are OpenPGP detached signatures signed using key 0x96865171: > > ftp://ftp.gnu.org/gnu/gnutls/gnutls-2.12.6.tar.bz2.sig > http://ftp.gnu.org/gnu/gnutls/gnutls-2.12.6.tar.bz2.sig > > Note that it has been signed with my openpgp key: > pub 3104R/96865171 2008-05-04 [expires: 2028-04-29] > uid Nikos Mavrogiannopoulos gnutls.org> > uid Nikos Mavrogiannopoulos > gmail.com> > sub 2048R/9013B842 2008-05-04 [expires: 2018-05-02] > sub 2048R/1404A91D 2008-05-04 [expires: 2018-05-02] > > regards, > Nikos > > _______________________________________________ > Gnutls-devel mailing list > Gnutls-devel at gnu.org > https://lists.gnu.org/mailman/listinfo/gnutls-devel > -------------- next part -------------- An HTML attachment was scrubbed... URL: From arfrever.fta at gmail.com Sun Jun 5 00:33:24 2011 From: arfrever.fta at gmail.com (Arfrever Frehtes Taifersar Arahesis) Date: Sun, 5 Jun 2011 00:33:24 +0200 Subject: gnutls 2.12.6 In-Reply-To: <4DEA9AE7.9090205@gnutls.org> References: <4DEA9AE7.9090205@gnutls.org> Message-ID: <201106050033.25387.Arfrever.FTA@gmail.com> Name of main library has been changed from libgnutls.so.26.20.0 to libgnutls.so.25.21.0, but libgnutls.so.26.21.0 was probably intended. -- Arfrever Frehtes Taifersar Arahesis -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 836 bytes Desc: This is a digitally signed message part. URL: From nmav at gnutls.org Sun Jun 5 04:17:07 2011 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Sun, 05 Jun 2011 04:17:07 +0200 Subject: gnutls 2.12.6.1 In-Reply-To: <201106050033.25387.Arfrever.FTA@gmail.com> References: <4DEA9AE7.9090205@gnutls.org> <201106050033.25387.Arfrever.FTA@gmail.com> Message-ID: <4DEAE723.9030907@gnutls.org> On 06/05/2011 12:33 AM, Arfrever Frehtes Taifersar Arahesis wrote: > Name of main library has been changed from libgnutls.so.26.20.0 to libgnutls.so.25.21.0, > but libgnutls.so.26.21.0 was probably intended. Nice catch. I've uploaded gnutls 2.12.6.1 that fixes this issue. regards, Nikos From a.radke at arcor.de Sun Jun 5 14:16:02 2011 From: a.radke at arcor.de (Andreas Radke) Date: Sun, 5 Jun 2011 14:16:02 +0200 Subject: gnutls 2.12.6.1 In-Reply-To: <4DEAE723.9030907@gnutls.org> References: <4DEA9AE7.9090205@gnutls.org> <201106050033.25387.Arfrever.FTA@gmail.com> <4DEAE723.9030907@gnutls.org> Message-ID: <20110605141602.16fb3277@workstation64.home> Am Sun, 05 Jun 2011 04:17:07 +0200 schrieb Nikos Mavrogiannopoulos : > On 06/05/2011 12:33 AM, Arfrever Frehtes Taifersar Arahesis wrote: > > Name of main library has been changed from libgnutls.so.26.20.0 to > > libgnutls.so.25.21.0, but libgnutls.so.26.21.0 was probably > > intended. > > Nice catch. I've uploaded gnutls 2.12.6.1 that fixes this issue. > > regards, > Nikos make[3]: Leaving directory `/build/src/gnutls-2.12.6.1/tests/safe-renegotiation' make[2]: Leaving directory `/build/src/gnutls-2.12.6.1/tests/safe-renegotiation' Making check in dsa make[2]: Entering directory `/build/src/gnutls-2.12.6.1/tests/dsa' make testdsa make[3]: Entering directory `/build/src/gnutls-2.12.6.1/tests/dsa' make[3]: Nothing to be done for `testdsa'. make[3]: Leaving directory `/build/src/gnutls-2.12.6.1/tests/dsa' make check-TESTS make[3]: Entering directory `/build/src/gnutls-2.12.6.1/tests/dsa' Checking various DSA key sizes Checking DSA-1024 with TLS 1.0 Checking server DSA-1024 with client DSA-1024 and TLS 1.0 Processed 1 client certificates... Processed 1 client X.509 certificates... Checking server DSA-1024 with client DSA-2048 and TLS 1.0 Checking server DSA-1024 with client DSA-3072 and TLS 1.0 Checking DSA-1024 with TLS 1.2 Checking server DSA-1024 with client DSA-1024 and TLS 1.2 Processed 1 client certificates... Processed 1 client X.509 certificates... Checking server DSA-1024 with client DSA-2048 and TLS 1.2 Processed 1 client certificates... Processed 1 client X.509 certificates... Checking server DSA-1024 with client DSA-3072 and TLS 1.2 Processed 1 client certificates... Processed 1 client X.509 certificates... Checking DSA-2048 with TLS 1.0 Failure: Succeeded connection to a server with DSA 2048 key and TLS 1.0. Should have failed! FAIL: testdsa =================================== 1 of 1 test failed Please report to bug-gnutls at gnu.org Is this expected? Till 2.12.5 afaik all test got past. -Andy From ametzler at downhill.at.eu.org Sun Jun 5 14:30:04 2011 From: ametzler at downhill.at.eu.org (Andreas Metzler) Date: Sun, 5 Jun 2011 14:30:04 +0200 Subject: gnutls 2.12.6.1 In-Reply-To: <20110605141602.16fb3277@workstation64.home> References: <4DEA9AE7.9090205@gnutls.org> <201106050033.25387.Arfrever.FTA@gmail.com> <4DEAE723.9030907@gnutls.org> <20110605141602.16fb3277@workstation64.home> Message-ID: <20110605123004.GA2070@downhill.g.la> On 2011-06-05 Andreas Radke wrote: [...] > make[3]: Entering directory `/build/src/gnutls-2.12.6.1/tests/dsa' [...] > Checking DSA-2048 with TLS 1.0 > Failure: Succeeded connection to a server with DSA 2048 key and TLS > 1.0. Should have failed! FAIL: testdsa [...] > Is this expected? Till 2.12.5 afaik all test got past. Hello, I also see this (Debian sid, built against libgcrypt). 2.12.5 testsuite indeed still works. cu andreas From nmav at gnutls.org Sun Jun 5 14:36:52 2011 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Sun, 5 Jun 2011 14:36:52 +0200 Subject: gnutls 2.12.6.1 In-Reply-To: <20110605123004.GA2070@downhill.g.la> References: <4DEA9AE7.9090205@gnutls.org> <201106050033.25387.Arfrever.FTA@gmail.com> <4DEAE723.9030907@gnutls.org> <20110605141602.16fb3277@workstation64.home> <20110605123004.GA2070@downhill.g.la> Message-ID: On Sun, Jun 5, 2011 at 2:30 PM, Andreas Metzler wrote: >> Checking DSA-2048 with TLS 1.0 >> Failure: Succeeded connection to a server with DSA 2048 key and TLS >> 1.0. Should have failed! FAIL: testdsa > [...] >> Is this expected? Till 2.12.5 afaik all test got past. > Hello, > I also see this (Debian sid, built against libgcrypt). 2.12.5 > testsuite indeed still works. Ah, I didn't spot that because I test with nettle. It's not serious though, you can ignore it. regards, Nikos From ametzler at downhill.at.eu.org Sun Jun 5 15:25:42 2011 From: ametzler at downhill.at.eu.org (Andreas Metzler) Date: Sun, 5 Jun 2011 15:25:42 +0200 Subject: gnutls 2.12.6.1 In-Reply-To: <4DEAE723.9030907@gnutls.org> References: <4DEA9AE7.9090205@gnutls.org> <201106050033.25387.Arfrever.FTA@gmail.com> <4DEAE723.9030907@gnutls.org> Message-ID: <20110605132542.GB2070@downhill.g.la> On 2011-06-05 Nikos Mavrogiannopoulos wrote: [...] > Nice catch. I've uploaded gnutls 2.12.6.1 that fixes this issue. [...] Hello, the auto-generated manpages seem to be out of date, there are two empty ones, that are regenernerated two non-empty ones on build, if I delete the empty files. (SID)ametzler at argenau:/tmp/GNUTLS/gnutls-2.12.6.1$ find -name '*.3' -size 0 ./doc/manpages/gnutls_alert_send.3 ./doc/manpages/gnutls_x509_crt_get_signature.3 cu andreas From ametzler at downhill.at.eu.org Sun Jun 5 15:51:22 2011 From: ametzler at downhill.at.eu.org (Andreas Metzler) Date: Sun, 5 Jun 2011 15:51:22 +0200 Subject: gnutls 2.12.6.1 In-Reply-To: References: <4DEA9AE7.9090205@gnutls.org> <201106050033.25387.Arfrever.FTA@gmail.com> <4DEAE723.9030907@gnutls.org> <20110605141602.16fb3277@workstation64.home> <20110605123004.GA2070@downhill.g.la> Message-ID: <20110605135122.GC2070@downhill.g.la> On 2011-06-05 Nikos Mavrogiannopoulos wrote: [...] > Ah, I didn't spot that because I test with nettle. It's not serious > though, you can ignore it. [...] Hello, Ok, I have disable the two succeeding tests in the Debian build. There is a small typo in testdsa: ------------------------------------ diff --git a/tests/dsa/testdsa b/tests/dsa/testdsa index de1b41b..a1236be 100755 --- a/tests/dsa/testdsa +++ b/tests/dsa/testdsa @@ -146,15 +146,15 @@ echo "Checking DSA-3072 with TLS 1.0" $SERV $DEBUG -p $PORT --priority "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.0" --x509certfile $srcdir/cert.dsa.3072.pem --x509keyfile $srcdir/dsa.3072.pem >/dev/null 2>&1 & PID=$! trap "kill $PID" 1 15 2 # give the server a chance to initialize sleep 2 $CLI $DEBUG -p $PORT 127.0.0.1 --insecure /dev/null 2>&1 && \ - fail "Succeeded connection to a server with DSA 2048 key and TLS 1.0. Should have failed!" + fail "Succeeded connection to a server with DSA 3072 key and TLS 1.0. Should have failed!" kill $PID wait # DSA 3072 + TLS 1.2 echo "Checking DSA-3072 with TLS 1.2" ------------------------------------ Also the combination of trap with "exit 1" (invoked from fail()) does not work. The gnutls-serv process is not killed but remains running, breaking later GnuTLS builds. How about switching from $CLI $DEBUG && fail to if $CLI $DEBUG -p $PORT 127.0.0.1 --insecure /dev/null 2>&1 ; then kill $PID fail "Succeeded connection ..." fi (I can post a patch, if you want me to.) cu andreas -- `What a good friend you are to him, Dr. Maturin. His other friends are so grateful to you.' `I sew his ears on from time to time, sure' From nmav at gnutls.org Sun Jun 5 21:00:10 2011 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Sun, 05 Jun 2011 21:00:10 +0200 Subject: gnutls 2.12.6.1 In-Reply-To: <20110605132542.GB2070@downhill.g.la> References: <4DEA9AE7.9090205@gnutls.org> <201106050033.25387.Arfrever.FTA@gmail.com> <4DEAE723.9030907@gnutls.org> <20110605132542.GB2070@downhill.g.la> Message-ID: <4DEBD23A.5010105@gnutls.org> On 06/05/2011 03:25 PM, Andreas Metzler wrote: > On 2011-06-05 Nikos Mavrogiannopoulos wrote: [...] >> Nice catch. I've uploaded gnutls 2.12.6.1 that fixes this issue. > [...] > > Hello, > > the auto-generated manpages seem to be out of date, there are two > empty ones, that are regenernerated two non-empty ones on build, if I > delete the empty files. Thanks for reporting that. I cannot figure why they were 0 in the first place. Added to my todo list. regards, Nikos From nmav at gnutls.org Sun Jun 5 21:10:34 2011 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Sun, 05 Jun 2011 21:10:34 +0200 Subject: gnutls 2.12.6.1 In-Reply-To: <20110605135122.GC2070@downhill.g.la> References: <4DEA9AE7.9090205@gnutls.org> <201106050033.25387.Arfrever.FTA@gmail.com> <4DEAE723.9030907@gnutls.org> <20110605141602.16fb3277@workstation64.home> <20110605123004.GA2070@downhill.g.la> <20110605135122.GC2070@downhill.g.la> Message-ID: <4DEBD4AA.8090002@gnutls.org> On 06/05/2011 03:51 PM, Andreas Metzler wrote: > On 2011-06-05 Nikos Mavrogiannopoulos wrote: [...] >> Ah, I didn't spot that because I test with nettle. It's not >> serious though, you can ignore it. > [...] > > Hello, Ok, I have disable the two succeeding tests in the Debian > build. > > There is a small typo in testdsa: Corrected, thanks. > Also the combination of trap with "exit 1" (invoked from fail()) > does not work. The gnutls-serv process is not killed but remains > running, breaking later GnuTLS builds. How about switching from $CLI > $DEBUG && fail I've solved it but a bit differently in master. It should fix the issue you see. regards, Nikos From nmav at gnutls.org Sun Jun 5 21:11:23 2011 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Sun, 05 Jun 2011 21:11:23 +0200 Subject: gnutls 2.12.6 In-Reply-To: <87hb84dwe4.fsf@rho.meyering.net> References: <4DEA9AE7.9090205@gnutls.org> <87hb84dwe4.fsf@rho.meyering.net> Message-ID: <4DEBD4DB.1070806@gnutls.org> On 06/05/2011 07:24 PM, Jim Meyering wrote: > Congratulations on a new release. > Have you considered also releasing xz-compressed tarballs? > When I recompress that tarball using xz -8ev, the result > is 2/3 the size of the original, at 2.3MiB smaller: Thanks. I'll try that on the development releases and see how it goes. regards, Nikos From stefw at collabora.co.uk Mon Jun 6 19:12:01 2011 From: stefw at collabora.co.uk (Stef Walter) Date: Mon, 06 Jun 2011 17:12:01 +0000 Subject: Patch: Fix build failure with GCC 4.6.0 Message-ID: <4DED0A61.9000808@collabora.co.uk> GCC 4.6.0 detects a new kind of unused variable: those that are set, but then not used. Gnutls fails to build with GCC 4.6.0 because of this. Attached is a patch which fixes the problem. Cheers, Stef -------------- next part -------------- A non-text attachment was scrubbed... Name: 0001-Remove-unused-variables.patch Type: text/x-patch Size: 4892 bytes Desc: not available URL: From ametzler at downhill.at.eu.org Mon Jun 6 19:16:39 2011 From: ametzler at downhill.at.eu.org (Andreas Metzler) Date: Mon, 6 Jun 2011 19:16:39 +0200 Subject: Patch: Fix build failure with GCC 4.6.0 In-Reply-To: <4DED0A61.9000808@collabora.co.uk> References: <4DED0A61.9000808@collabora.co.uk> Message-ID: <20110606171638.GA2032@downhill.g.la> On 2011-06-06 Stef Walter wrote: > GCC 4.6.0 detects a new kind of unused variable: those that are set, > but then not used. Gnutls fails to build with GCC 4.6.0 because of > this. Attached is a patch which fixes the problem. Afaik: s/fails to build with GCC 4.6.0/& if -Werror is used/ cu andreas From stefw at collabora.co.uk Mon Jun 6 21:57:23 2011 From: stefw at collabora.co.uk (Stef Walter) Date: Mon, 06 Jun 2011 19:57:23 +0000 Subject: eagain-cli needs more libraries linked Message-ID: <4DED3123.1040905@collabora.co.uk> Building gnutls master on Fedora 15... The program eagain-cli fails with the following: /usr/bin/ld: ./.libs/libecore.a(libecore_la-eina_module.o): undefined reference to symbol 'dlclose@@GLIBC_2.2.5' /usr/bin/ld: note: 'dlclose@@GLIBC_2.2.5' is defined in DSO /lib64/libdl.so.2 so try adding it to the linker command line /lib64/libdl.so.2: could not read symbols: Invalid operation Additionally once the dlclose symbol is found, pthread symbols are not found. The attached patch fixes this problem. Cheers, Stef -------------- next part -------------- A non-text attachment was scrubbed... Name: 0002-tests-Build-eagain-cli-with-correct-libraries.patch Type: text/x-patch Size: 991 bytes Desc: not available URL: From jim at meyering.net Sun Jun 5 19:24:19 2011 From: jim at meyering.net (Jim Meyering) Date: Sun, 05 Jun 2011 19:24:19 +0200 Subject: gnutls 2.12.6 In-Reply-To: <4DEA9AE7.9090205@gnutls.org> (Nikos Mavrogiannopoulos's message of "Sat, 04 Jun 2011 22:51:51 +0200") References: <4DEA9AE7.9090205@gnutls.org> Message-ID: <87hb84dwe4.fsf@rho.meyering.net> Nikos Mavrogiannopoulos wrote: ... > Here are the BZIP2 compressed sources: > > ftp://ftp.gnu.org/gnu/gnutls/gnutls-2.12.6.tar.bz2 > http://ftp.gnu.org/gnu/gnutls/gnutls-2.12.6.tar.bz2 Hello, Congratulations on a new release. Have you considered also releasing xz-compressed tarballs? When I recompress that tarball using xz -8ev, the result is 2/3 the size of the original, at 2.3MiB smaller: 6.9M gnutls-2.12.6.tar.bz2 4.6M gnutls-2.12.6.tar.xz If you're interested, just add "dist-xz" to the AM_INIT_AUTOMAKE line in configure.ac: diff --git a/configure.ac b/configure.ac index e02ed71..9547e1e 100644 --- a/configure.ac +++ b/configure.ac @@ -26,7 +26,7 @@ AC_INIT([GnuTLS], [2.99.3], [bug-gnutls at gnu.org]) AC_CONFIG_AUX_DIR([build-aux]) AC_CONFIG_MACRO_DIR([m4]) -AM_INIT_AUTOMAKE([1.10 no-dist-gzip dist-bzip2 -Wall -Werror -Wno-override]) +AM_INIT_AUTOMAKE([1.10 no-dist-gzip dist-bzip2 dist-xz -Wall -Werror -Wno-override]) m4_ifdef([AM_SILENT_RULES], [AM_SILENT_RULES([yes])]) AM_CONFIG_HEADER(config.h) From nmav at gnutls.org Mon Jun 6 21:57:15 2011 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Mon, 06 Jun 2011 21:57:15 +0200 Subject: Patch: Fix build failure with GCC 4.6.0 In-Reply-To: <4DED0A61.9000808@collabora.co.uk> References: <4DED0A61.9000808@collabora.co.uk> Message-ID: <4DED311B.30406@gnutls.org> On 06/06/2011 07:12 PM, Stef Walter wrote: > GCC 4.6.0 detects a new kind of unused variable: those that are set, but > then not used. Gnutls fails to build with GCC 4.6.0 because of this. > Attached is a patch which fixes the problem. Applied. Thank you. regards, Nikos From stefw at collabora.co.uk Tue Jun 7 00:26:51 2011 From: stefw at collabora.co.uk (Stef Walter) Date: Mon, 06 Jun 2011 22:26:51 +0000 Subject: Patch: Accept CKR_USER_ALREADY_LOGGED_IN as successful result for PAP Login Message-ID: <4DED542B.5070903@collabora.co.uk> When logging into a PKCS#11 token, the CKF_PROTECTED_AUTHENTICATION_PATH code path should also check for the CKR_USER_ALREADY_LOGGED_IN error code. It should treat this as success. This matches the behavior of the non CKF_PROTECTED_AUTHENTICATION_PATH code path. Cheers, Stef -------------- next part -------------- A non-text attachment was scrubbed... Name: 0003-pkcs11-Accept-CKR_USER_ALREADY_LOGGED_IN-as-successf.patch Type: text/x-patch Size: 1184 bytes Desc: not available URL: From stefw at collabora.co.uk Tue Jun 7 00:27:58 2011 From: stefw at collabora.co.uk (Stef Walter) Date: Mon, 06 Jun 2011 22:27:58 +0000 Subject: Patch: fix uninitialized variable in src/cli.c Message-ID: <4DED546E.3050200@collabora.co.uk> Fixes a variable in src/cli.c that's not initialized when PKCS#11 URIs are in use. Cheers, Stef -------------- next part -------------- A non-text attachment was scrubbed... Name: 0004-gnutls-cli-Fix-uninitialized-variable-when-PKCS-11-u.patch Type: text/x-patch Size: 783 bytes Desc: not available URL: From vincent.torri at gmail.com Tue Jun 7 00:09:58 2011 From: vincent.torri at gmail.com (Vincent Torri) Date: Tue, 7 Jun 2011 00:09:58 +0200 Subject: gnutls 2.12.6 In-Reply-To: <87hb84dwe4.fsf@rho.meyering.net> References: <4DEA9AE7.9090205@gnutls.org> <87hb84dwe4.fsf@rho.meyering.net> Message-ID: On Sun, Jun 5, 2011 at 7:24 PM, Jim Meyering wrote: > Nikos Mavrogiannopoulos wrote: > ... > > Here are the BZIP2 compressed sources: > > > > ftp://ftp.gnu.org/gnu/gnutls/gnutls-2.12.6.tar.bz2 > > http://ftp.gnu.org/gnu/gnutls/gnutls-2.12.6.tar.bz2 > > Hello, > > Congratulations on a new release. > Have you considered also releasing xz-compressed tarballs? > When I recompress that tarball using xz -8ev, the result > is 2/3 the size of the original, at 2.3MiB smaller: > > 6.9M gnutls-2.12.6.tar.bz2 > 4.6M gnutls-2.12.6.tar.xz > > If you're interested, just add "dist-xz" to the AM_INIT_AUTOMAKE > line in configure.ac: > > diff --git a/configure.ac b/configure.ac > index e02ed71..9547e1e 100644 > --- a/configure.ac > +++ b/configure.ac > @@ -26,7 +26,7 @@ AC_INIT([GnuTLS], [2.99.3], [bug-gnutls at gnu.org]) > AC_CONFIG_AUX_DIR([build-aux]) > AC_CONFIG_MACRO_DIR([m4]) > > -AM_INIT_AUTOMAKE([1.10 no-dist-gzip dist-bzip2 -Wall -Werror > -Wno-override]) > +AM_INIT_AUTOMAKE([1.10 no-dist-gzip dist-bzip2 dist-xz -Wall -Werror > -Wno-override]) > I don't know the gnutls policy about autotools, but dist-xz has been added in automake 1.11, which is not quite old Vincent Torri > m4_ifdef([AM_SILENT_RULES], [AM_SILENT_RULES([yes])]) > AM_CONFIG_HEADER(config.h) > > _______________________________________________ > Gnutls-devel mailing list > Gnutls-devel at gnu.org > https://lists.gnu.org/mailman/listinfo/gnutls-devel > -------------- next part -------------- An HTML attachment was scrubbed... URL: From nmav at gnutls.org Tue Jun 7 07:11:13 2011 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Tue, 07 Jun 2011 07:11:13 +0200 Subject: Patch: Accept CKR_USER_ALREADY_LOGGED_IN as successful result for PAP Login In-Reply-To: <4DED542B.5070903@collabora.co.uk> References: <4DED542B.5070903@collabora.co.uk> Message-ID: <4DEDB2F1.1070907@gnutls.org> On 06/07/2011 12:26 AM, Stef Walter wrote: > When logging into a PKCS#11 token, the CKF_PROTECTED_AUTHENTICATION_PATH > code path should also check for the CKR_USER_ALREADY_LOGGED_IN error > code. It should treat this as success. > This matches the behavior of the non CKF_PROTECTED_AUTHENTICATION_PATH > code path. Thanks. I've applied the patches. regards, Nikos From nmav at gnutls.org Tue Jun 7 07:14:55 2011 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Tue, 07 Jun 2011 07:14:55 +0200 Subject: gnutls 2.12.6 In-Reply-To: References: <4DEA9AE7.9090205@gnutls.org> <87hb84dwe4.fsf@rho.meyering.net> Message-ID: <4DEDB3CF.3050602@gnutls.org> On 06/07/2011 12:09 AM, Vincent Torri wrote: > I don't know the gnutls policy about autotools, but dist-xz has been added > in automake 1.11, which is not quite old I've added dependency on 1.11, then. regards, Nikos From stefw at collabora.co.uk Tue Jun 7 11:12:49 2011 From: stefw at collabora.co.uk (Stef Walter) Date: Tue, 07 Jun 2011 09:12:49 +0000 Subject: Patch: PKCS#11 object is not found should return an error code Message-ID: <4DEDEB91.60800@collabora.co.uk> In pkcs11_find_object() no error is returned when no object is found. This leads the caller to try and go ahead with the results. This is even more of a problem when pakchois is not in use. Cheers, Stef -------------- next part -------------- A non-text attachment was scrubbed... Name: 0001-pkcs11-When-an-object-is-not-found-return-an-error-c.patch Type: text/x-patch Size: 714 bytes Desc: not available URL: From stefw at collabora.co.uk Tue Jun 7 19:15:30 2011 From: stefw at collabora.co.uk (Stef Walter) Date: Tue, 07 Jun 2011 17:15:30 +0000 Subject: Patch: Only prompt for token insertion when cert not found Message-ID: <4DEE5CB2.7090207@collabora.co.uk> As it currently stands, no matter what the error when using a PKCS#11 certificate, we prompt the user to insert the right token. However this should only occur when the certificate is missing. If some other error occurs, then we should just break out of the FIND_OBJECT() loop. Cheers, Stef -------------- next part -------------- A non-text attachment was scrubbed... Name: 0002-Only-ask-for-token-to-be-inserted-if-certificate-is-.patch Type: text/x-patch Size: 953 bytes Desc: not available URL: From stefw at collabora.co.uk Tue Jun 7 19:36:56 2011 From: stefw at collabora.co.uk (Stef Walter) Date: Tue, 07 Jun 2011 17:36:56 +0000 Subject: Using p11-kit for PKCS#11 support Message-ID: <4DEE61B8.3070105@collabora.co.uk> p11-kit is a library that loads and coordinates access to modules. The two selling points of the library are: * Allows multiple consumers of a PKCS#11 module within the same process to coordinate access to that module. Without such a coordinator the various consumers will finalize modules out from one another. [1] * Provides a solid configuration system for which PKCS#11 modules to load and initialize [2]. Of course there are other features too: * A solid reference implementation of the PKCS#11 URI spec. * Fixes forking problems, and eases loading of the modules. * Saves lots of code in gnutls. The attached patch ports gnutls to p11-kit. It's actually a combined set of patches, and these are available in branch form: http://cgit.collabora.com/git/user/stefw/gnutls.git/log/?h=p11-kit p11-kit is added as a dependency. p11-kit itself has no dependencies outside of basic libc stuff. The source code for p11-kit is available both in git and tarball form. [3] If the gnutls dependency on p11-kit is disabled (via a configure option) then the PKCS#11 support is disabled. This is useful in bare bones embedded systems or places where very minimal dependencies are limited. I'm working on integrating gnutls and PKCS#11 support into GLib. This patch is a prerequisite for that, so I'm looking forward to any feedback that would help get this change into gnutls. Cheers, Stef [1] http://p11-glue.freedesktop.org/doc/p11-kit/sharing.html [2] http://p11-glue.freedesktop.org/doc/p11-kit/config.html [3] http://p11-glue.freedesktop.org/p11-kit.html -------------- next part -------------- A non-text attachment was scrubbed... Name: pkcs11-using-p11-kit.patch Type: text/x-patch Size: 274227 bytes Desc: not available URL: From nmav at gnutls.org Tue Jun 7 19:09:23 2011 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Tue, 07 Jun 2011 19:09:23 +0200 Subject: Patch: Only prompt for token insertion when cert not found In-Reply-To: <4DEE5CB2.7090207@collabora.co.uk> References: <4DEE5CB2.7090207@collabora.co.uk> Message-ID: <4DEE5B43.7060705@gnutls.org> On 06/07/2011 07:15 PM, Stef Walter wrote: > As it currently stands, no matter what the error when using a PKCS#11 > certificate, we prompt the user to insert the right token. > > However this should only occur when the certificate is missing. If some > other error occurs, then we should just break out of the FIND_OBJECT() > loop. Thanks. I've applied the patch, but with a different error code. regards, Nikos From nmav at gnutls.org Tue Jun 7 20:22:32 2011 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Tue, 07 Jun 2011 20:22:32 +0200 Subject: Using p11-kit for PKCS#11 support In-Reply-To: <4DEE61B8.3070105@collabora.co.uk> References: <4DEE61B8.3070105@collabora.co.uk> Message-ID: <4DEE6C68.4050405@gnutls.org> On 06/07/2011 07:36 PM, Stef Walter wrote: > The attached patch ports gnutls to p11-kit. It's actually a combined set > of patches, and these are available in branch form: Thank you Stef. I've just commited it. But could you try compiling with the --enable-gcc-warnings configure flag? I had some uninitialized variables in 1. pkcs11.c:311 and 312 2. pkcs11.c:875 which I have quickly solved, but probably not in a correct way. > [2] http://p11-glue.freedesktop.org/doc/p11-kit/config.html I installed p11-kit from the git and it tries to open "${prefix}/etc/pkcs11/pkcs11.conf" When I explicitly used: ./configure --sysconfdir=/etc/ it worked ok. btw. There is a typo in http://p11-glue.freedesktop.org/doc/p11-kit/config-module.html It should be: "module: The absolute path to the PKCS#11 module to load." regards, Nikos From n.mavrogiannopoulos at gmail.com Wed Jun 8 13:22:39 2011 From: n.mavrogiannopoulos at gmail.com (Nikos Mavrogiannopoulos) Date: Wed, 8 Jun 2011 13:22:39 +0200 Subject: roadmap for 3.0.0 Message-ID: Hello, The last commit by Stef Walter concludes the list of changes I planned for gnutls 3.0.0. Those in brief were: * Addition of Datagram TLS 1.0 (RFC4347) * Addition of Elliptic curve ciphersuites (RFC4492) * Addition of ECDSA for X.509 certificates (RFC5480,RFC5758) * Addition of SuiteB profile (RFC5430) * Addition of AES-GCM cipher (RFC5288) * Addition of hardware optimized AES and AES-GCM on CPU's that support it * Addition of a simple X.509 certificate verification subsystem (gnutls_x509_trust_list_*) * Addition of an auditing subsystem (gnutls_global_set_audit_log_function()) * Addition of a certificate retrieval function that requires no processing from gnutls (gnutls_certificate_set_retrieve_function2()) * Usage of p11-kit for PKCS #11 support * Removal of several deprecated features The documentation has also been extended to discuss the new features, and was also reorganized. If you think something is missing from this list, or other things such as bug-fixes that should have made through, but didn't please let me know. As things stand and provided that there will be a release of nettle with the GCM support included, I'll release 2.99.3 within this month and that should be considered a prerelease of 3.0.0. The license of gnutls 3.0.0 would be GNU LGPL version 3. regards, Nikos From tzz at lifelogs.com Wed Jun 8 17:05:43 2011 From: tzz at lifelogs.com (Ted Zlatanov) Date: Wed, 08 Jun 2011 10:05:43 -0500 Subject: roadmap for 3.0.0 References: Message-ID: <87tyc0e52w.fsf@lifelogs.com> On Wed, 8 Jun 2011 13:22:39 +0200 Nikos Mavrogiannopoulos wrote: NM> The last commit by Stef Walter concludes the list of changes I NM> planned for gnutls 3.0.0. Those in brief were: NM> * Addition of a simple X.509 certificate verification subsystem NM> (gnutls_x509_trust_list_*) NM> * Addition of a certificate retrieval function that requires no NM> processing from gnutls (gnutls_certificate_set_retrieve_function2()) These will be appreciated for the Emacs GnuTLS interface. NM> The documentation has also been extended to discuss the new features, NM> and was also reorganized. If you think something is missing from this NM> list, or other things such as bug-fixes that should have made through, NM> but didn't please let me know. I would like to repeat my request for a string-based configuration system. Take the priority strings and extend them further, since almost everything in GnuTLS can be configured that way. You'll need a decent parser and it may end up as a multi-line format, but please consider that it's useful. Thanks Ted From stefw at collabora.co.uk Thu Jun 9 11:06:53 2011 From: stefw at collabora.co.uk (Stef Walter) Date: Thu, 09 Jun 2011 11:06:53 +0200 Subject: Using p11-kit for PKCS#11 support In-Reply-To: <4DEE6C68.4050405@gnutls.org> References: <4DEE61B8.3070105@collabora.co.uk> <4DEE6C68.4050405@gnutls.org> Message-ID: <4DF08D2D.7070406@collabora.co.uk> On 06/07/2011 08:22 PM, Nikos Mavrogiannopoulos wrote: > On 06/07/2011 07:36 PM, Stef Walter wrote: > >> The attached patch ports gnutls to p11-kit. It's actually a combined set >> of patches, and these are available in branch form: > > Thank you Stef. I've just commited it. But could you try compiling with > the --enable-gcc-warnings configure flag? > I had some uninitialized variables in > 1. pkcs11.c:311 and 312 > 2. pkcs11.c:875 > > which I have quickly solved, but probably not in a correct way. Attached is another patch which fixes them a bit differently. Also fixes other warnings that GCC 4.6.0 complains about. That said, for some reason the file lib/pkcs11_spec.h is missing from master. At least for me. This prevents gnutls master from building. I've attached it too. >> [2] http://p11-glue.freedesktop.org/doc/p11-kit/config.html > > I installed p11-kit from the git and it tries to open > "${prefix}/etc/pkcs11/pkcs11.conf" > > When I explicitly used: > ../configure --sysconfdir=/etc/ > > it worked ok. Good catch. I've fixed that in p11-kit master. It now defaults to /etc/pkcs11. The directory can be changed by packagers if necessary with a --with-pkcs11-dir configure argument. > btw. There is a typo in > http://p11-glue.freedesktop.org/doc/p11-kit/config-module.html > It should be: "module: The absolute path to the PKCS#11 module to load." Thanks. Fixed. Cheers, Stef -------------- next part -------------- A non-text attachment was scrubbed... Name: 0001-Fix-up-compiler-warnings.patch Type: text/x-patch Size: 2935 bytes Desc: not available URL: -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: pkcs11_spec.h URL: From nmav at gnutls.org Thu Jun 9 11:44:44 2011 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Thu, 9 Jun 2011 11:44:44 +0200 Subject: roadmap for 3.0.0 In-Reply-To: <87tyc0e52w.fsf@lifelogs.com> References: <87tyc0e52w.fsf@lifelogs.com> Message-ID: 2011/6/8 Ted Zlatanov : > On Wed, 8 Jun 2011 13:22:39 +0200 Nikos Mavrogiannopoulos wrote: > NM> ?The last commit by Stef Walter concludes the list of changes I > NM> planned for gnutls 3.0.0. Those in brief were: > NM> * Addition of a simple X.509 certificate verification subsystem > NM> (gnutls_x509_trust_list_*) > NM> * Addition of a certificate retrieval function that requires no > NM> processing from gnutls (gnutls_certificate_set_retrieve_function2()) > These will be appreciated for the Emacs GnuTLS interface. If you have any comments on their usage, or think something is missing let me know. > I would like to repeat my request for a string-based configuration > system. ?Take the priority strings and extend them further, since almost > everything in GnuTLS can be configured that way. ?You'll need a decent > parser and it may end up as a multi-line format, but please consider > that it's useful. I can see its usefulness in your use-case, but not in a generic case for a typical C program or library that will not be able to utilized them anyway. I still believe that something like that should be built on top of gnutls. regards, Nikos From nmav at gnutls.org Thu Jun 9 18:02:36 2011 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Thu, 09 Jun 2011 18:02:36 +0200 Subject: Using p11-kit for PKCS#11 support In-Reply-To: <4DF08D2D.7070406@collabora.co.uk> References: <4DEE61B8.3070105@collabora.co.uk> <4DEE6C68.4050405@gnutls.org> <4DF08D2D.7070406@collabora.co.uk> Message-ID: <4DF0EE9C.2080908@gnutls.org> On 06/09/2011 11:06 AM, Stef Walter wrote: >> which I have quickly solved, but probably not in a correct way. > Attached is another patch which fixes them a bit differently. Also fixes > other warnings that GCC 4.6.0 complains about. > That said, for some reason the file lib/pkcs11_spec.h is missing from > master. At least for me. This prevents gnutls master from building. I've > attached it too. Applied, thanks. regards, Nikos From nmav at gnutls.org Thu Jun 9 18:40:32 2011 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Thu, 09 Jun 2011 18:40:32 +0200 Subject: Using p11-kit for PKCS#11 support In-Reply-To: <4DF08D2D.7070406@collabora.co.uk> References: <4DEE61B8.3070105@collabora.co.uk> <4DEE6C68.4050405@gnutls.org> <4DF08D2D.7070406@collabora.co.uk> Message-ID: <4DF0F780.9070801@gnutls.org> On 06/09/2011 11:06 AM, Stef Walter wrote: > That said, for some reason the file lib/pkcs11_spec.h is missing from > master. At least for me. This prevents gnutls master from building. I've > attached it too. Why is the pkcs11_spec.h required in gnutls? Shouldn't it be part of p11-kit headers? Btw. the file that you used is older than the one included in pakchois. It does not include algorithms from later PKCS #11 such as (for SHA-224 and CAMELLIA): /* Ammendments */ #define CKM_SHA224 (0x255) #define CKM_SHA224_HMAC (0x256) #define CKM_SHA224_HMAC_GENERAL (0x257) #define CKM_SHA224_RSA_PKCS (0x46) #define CKM_SHA224_RSA_PKCS_PSS (0x47) #define CKM_SHA224_KEY_DERIVATION (0x396) #define CKM_CAMELLIA_KEY_GEN (0x550) #define CKM_CAMELLIA_ECB (0x551) #define CKM_CAMELLIA_CBC (0x552) #define CKM_CAMELLIA_MAC (0x553) #define CKM_CAMELLIA_MAC_GENERAL (0x554) #define CKM_CAMELLIA_CBC_PAD (0x555) #define CKM_CAMELLIA_ECB_ENCRYPT_DATA (0x556) #define CKM_CAMELLIA_CBC_ENCRYPT_DATA (0x557) regards, Nikos From nmav at gnutls.org Thu Jun 9 19:45:21 2011 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Thu, 09 Jun 2011 19:45:21 +0200 Subject: Using p11-kit for PKCS#11 support In-Reply-To: References: <4DEE61B8.3070105@collabora.co.uk> <4DEE6C68.4050405@gnutls.org> <4DF08D2D.7070406@collabora.co.uk> <4DF0F780.9070801@gnutls.org> Message-ID: <4DF106B1.8070401@gnutls.org> On 06/09/2011 06:53 PM, Martin Paljak wrote: > > On Jun 9, 2011, at 19:40 , Nikos Mavrogiannopoulos wrote: > >> On 06/09/2011 11:06 AM, Stef Walter wrote: >> >>> That said, for some reason the file lib/pkcs11_spec.h is missing from >>> master. At least for me. This prevents gnutls master from building. I've >>> attached it too. >> >> Why is the pkcs11_spec.h required in gnutls? Shouldn't it be part of >> p11-kit headers? Btw. the file that you used is older than the one >> included in pakchois. It does not include algorithms from later >> PKCS #11 such as (for SHA-224 and CAMELLIA): > PKCS#11 2.30 is still a Draft officially... They are described in 2.20 too as amendments. ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-11/v2-20/pkcs11t.h regards, Nikos From martin at martinpaljak.net Thu Jun 9 18:53:52 2011 From: martin at martinpaljak.net (Martin Paljak) Date: Thu, 9 Jun 2011 19:53:52 +0300 Subject: Using p11-kit for PKCS#11 support In-Reply-To: <4DF0F780.9070801@gnutls.org> References: <4DEE61B8.3070105@collabora.co.uk> <4DEE6C68.4050405@gnutls.org> <4DF08D2D.7070406@collabora.co.uk> <4DF0F780.9070801@gnutls.org> Message-ID: On Jun 9, 2011, at 19:40 , Nikos Mavrogiannopoulos wrote: > On 06/09/2011 11:06 AM, Stef Walter wrote: > >> That said, for some reason the file lib/pkcs11_spec.h is missing from >> master. At least for me. This prevents gnutls master from building. I've >> attached it too. > > Why is the pkcs11_spec.h required in gnutls? Shouldn't it be part of > p11-kit headers? Btw. the file that you used is older than the one > included in pakchois. It does not include algorithms from later > PKCS #11 such as (for SHA-224 and CAMELLIA): PKCS#11 2.30 is still a Draft officially... Just my 0.02? -- @MartinPaljak.net +3725156495 From tzz at lifelogs.com Thu Jun 9 22:57:50 2011 From: tzz at lifelogs.com (Ted Zlatanov) Date: Thu, 09 Jun 2011 15:57:50 -0500 Subject: roadmap for 3.0.0 References: <87tyc0e52w.fsf@lifelogs.com> Message-ID: <87fwnilo35.fsf@lifelogs.com> On Thu, 9 Jun 2011 11:44:44 +0200 Nikos Mavrogiannopoulos wrote: NM> 2011/6/8 Ted Zlatanov : >> I would like to repeat my request for a string-based configuration >> system. ?Take the priority strings and extend them further, since almost >> everything in GnuTLS can be configured that way. ?You'll need a decent >> parser and it may end up as a multi-line format, but please consider >> that it's useful. NM> I can see its usefulness in your use-case, but not in a generic case for NM> a typical C program or library that will not be able to utilized them anyway. NM> I still believe that something like that should be built on top of gnutls. (removing the general list from the CC) Surely it's useful for embedding in scripting languages (Perl, Python, Ruby, etc.)? I only see a Python binding out there. Easier configuration could help in this regard. I hope you think of GnuTLS as a useful library outside of a C context. In addition I think it would benefit everyone if they could show and modify their configuration easily without recompiling. Those who see that as a security issue can simply not use configuration files. If this was built on top of GnuTLS as you suggest I can't imagine who but the GnuTLS developers could do it. As a feature, it's very tightly coupled to the GnuTLS API and would have to track every release if it was external. Ted From mike at flyn.org Fri Jun 10 20:56:27 2011 From: mike at flyn.org (W. Michael Petullo) Date: Fri, 10 Jun 2011 13:56:27 -0500 Subject: Issue connecting to Army Knowledge Online website using GnuTLS Message-ID: <20110610185627.GA12091@imp.local> I am having trouble connecting to the Army Knowledge Online server (www.us.army.mil) using Epiphany/GnuTLS 2.10.5 (Firefox and OpenSSL's s_client work fine). I've brought this up with the AKO administrators, but thought I'd mention it here too. AKO requires an account, but the homepage is publically accessible. I tried troubleshooting using gnutls-cli and got: $ gnutls-cli -d 255 -p 443 www.us.army.mil [...] GET / HTTP/1.1 |<4>| REC[0x1195e50]: Sending Packet[1] Application Data(23) with length: 15 |<7>| WRITE: Will write 165 bytes to 0x4. |<7>| WRITE: wrote 165 bytes to 0x4. Left 0 bytes. Total 165 bytes. |<7>| 0000 - 17 03 01 00 a0 f6 b5 a9 d4 d0 b0 fd 0c c8 88 61 |<7>| 0001 - 92 31 34 5d a7 fe b0 44 b3 3d c5 95 e4 24 9b 37 |<7>| 0002 - de dc 31 bb d1 1f a7 67 4e 93 5c 60 b4 cd 67 ea |<7>| 0003 - 20 a6 97 8a b6 37 42 26 ab 62 f2 91 d9 6a 28 36 |<7>| 0004 - ce 0e cf c9 5f 8a 09 2c 5d ee 84 05 41 ab 82 7b |<7>| 0005 - 18 cc 4a f8 7b 6d 24 5d ba a7 cc 17 1a 72 5f 80 |<7>| 0006 - d8 55 f6 27 2e 70 87 84 1d 8e e3 77 71 9b 76 fc |<7>| 0007 - c2 f2 68 b7 13 37 90 ac 12 c3 f5 6a 71 7e f1 4d |<7>| 0008 - d0 a0 c0 57 41 7d 86 66 67 e5 68 3e 34 ec 4c 70 |<7>| 0009 - 94 c3 82 8c 17 5c b5 3b 22 6a 41 5d 17 1b 5c 9f |<7>| 000a - 5b 56 74 e4 50 |<4>| REC[0x1195e50]: Sent Packet[2] Application Data(23) with length: 165 |<7>| READ: Got 0 bytes from 0x4 |<7>| READ: read 0 bytes from 0x4 |<7>| 0000 - |<2>| ASSERT: gnutls_buffers.c:601 |<2>| ASSERT: gnutls_record.c:918 *** Fatal error: A TLS packet with unexpected length was received. *** Server has terminated the connection abnormally. random usage: poolsize=600 mixed=42 polls=25/107 added=564/21848 outmix=4 getlvl1=4/262 getlvl2=0/0 |<6>| BUF[HSK]: Cleared Data from buffer -- Mike :wq From nmav at gnutls.org Mon Jun 13 20:32:09 2011 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Mon, 13 Jun 2011 20:32:09 +0200 Subject: Issue connecting to Army Knowledge Online website using GnuTLS In-Reply-To: <20110610185627.GA12091@imp.local> References: <20110610185627.GA12091@imp.local> Message-ID: On Fri, Jun 10, 2011 at 8:56 PM, W. Michael Petullo wrote: > I am having trouble connecting to the Army Knowledge Online server > (www.us.army.mil) using Epiphany/GnuTLS 2.10.5 (Firefox and OpenSSL's > s_client work fine). I've brought this up with the AKO administrators, > but thought I'd mention it here too. AKO requires an account, but > the homepage is publically accessible. I tried troubleshooting using > gnutls-cli and got: Could you try the compatibility priority string described in: http://www.gnu.org/software/gnutls/manual/html_node/Interoperability.html#Interoperability (it is for 2.12.x, for 2.10, it would be: "NORMAL:-VERS-TLS1.1:-VERS-TLS1.2:%COMPAT") regards, Nikos From mike at flyn.org Mon Jun 13 21:43:52 2011 From: mike at flyn.org (W. Michael Petullo) Date: Mon, 13 Jun 2011 14:43:52 -0500 Subject: Issue connecting to Army Knowledge Online website using GnuTLS In-Reply-To: References: <20110610185627.GA12091@imp.local> Message-ID: <20110613194352.GA20075@imp.local> >> I am having trouble connecting to the Army Knowledge Online server >> (www.us.army.mil) using Epiphany/GnuTLS 2.10.5 (Firefox and OpenSSL's >> s_client work fine). I've brought this up with the AKO administrators, >> but thought I'd mention it here too. AKO requires an account, but >> the homepage is publically accessible. I tried troubleshooting using >> gnutls-cli and got: > > Could you try the compatibility priority string described in: > http://www.gnu.org/software/gnutls/manual/html_node/Interoperability.html#Interoperability > > (it is for 2.12.x, for 2.10, it would be: > "NORMAL:-VERS-TLS1.1:-VERS-TLS1.2:%COMPAT") This seems to work: gnutls-cli -d 255 -p 443 www.us.army.mil --priority "NORMAL:-VERS-TLS1.1:-VERS-TLS1.2:%COMPAT" Is the an environment variable that will cause applications that use GnuTLS to behave in this manner? Or, does the application have to call gnutls_certificate_type_set_priority() explicitly? -- Mike :wq From rickard at opendnssec.org Tue Jun 14 12:35:17 2011 From: rickard at opendnssec.org (Rickard Bellgrim) Date: Tue, 14 Jun 2011 12:35:17 +0200 Subject: PKCS#11 bugs Message-ID: Hi I am testing SoftHSM together with GnuTLS, just to see if the certificate parts of SoftHSM works. I found some bugs in GnuTLS and I have attached a patch for them. 1. You should change the variable tval to an unsigned char. The attributes are of the type CK_BBOOL, which is equal to unsigned char. 2. I think you forgot to save the label for the private key, if it was given by the user. 3. The CKA_SUBJECT must be specified for a certificate. 4. The p11tool has an option to mark a certificate as trusted when importing it. The problem is that only the Security Officer can set it to true. I do not have a patch for it. But the program have to login as a SO and change the attribute of this object. Remember that the SO can only see public objects. You do not set the CKA_PRIVATE and the default value is "token-specific". SoftHSM sets the CKA_PRIVATE to true and thus not visible for the SO since it then is a private object. // Rickard Bellgrim -------------- next part -------------- A non-text attachment was scrubbed... Name: 0001-Missing-information-in-the-PKCS-11-templates.patch Type: application/octet-stream Size: 2127 bytes Desc: not available URL: From rickard at opendnssec.org Tue Jun 14 13:56:20 2011 From: rickard at opendnssec.org (Rickard Bellgrim) Date: Tue, 14 Jun 2011 13:56:20 +0200 Subject: PKCS#11 bugs In-Reply-To: References: Message-ID: And it also applies to: rickard at fou:~/gnutls/lib$ grep -n "unsigned int tval" * pkcs11.c:1057: unsigned int tval; pkcs11_secret.c:61: unsigned int tval = 1; On Tue, Jun 14, 2011 at 12:35 PM, Rickard Bellgrim wrote: > Hi > > I am testing SoftHSM together with GnuTLS, just to see if the > certificate parts of SoftHSM works. I found some bugs in GnuTLS and I > have attached a patch for them. > > 1. > You should change the variable tval to an unsigned char. > The attributes are of the type CK_BBOOL, which is equal to unsigned char. > > 2. > I think you forgot to save the label for the private key, if it was > given by the user. > > 3. > The CKA_SUBJECT must be specified for a certificate. > > 4. > The p11tool has an option to mark a certificate as trusted when > importing it. The problem is that only the Security Officer can set it > to true. I do not have a patch for it. But the program have to login > as a SO and change the attribute of this object. Remember that the SO > can only see public objects. You do not set the CKA_PRIVATE and the > default value is "token-specific". SoftHSM sets the CKA_PRIVATE to > true and thus not visible for the SO since it then is a private > object. > > // Rickard Bellgrim > From nmav at gnutls.org Wed Jun 15 21:33:57 2011 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Wed, 15 Jun 2011 21:33:57 +0200 Subject: PKCS#11 bugs In-Reply-To: References: Message-ID: <4DF90925.2040900@gnutls.org> On 06/14/2011 12:35 PM, Rickard Bellgrim wrote: > Hi > I am testing SoftHSM together with GnuTLS, just to see if the > certificate parts of SoftHSM works. I found some bugs in GnuTLS and I > have attached a patch for them. Hello, Thank you for finding the bugs and the patch. > 1. > You should change the variable tval to an unsigned char. > The attributes are of the type CK_BBOOL, which is equal to unsigned char. > 2. > I think you forgot to save the label for the private key, if it was > given by the user. I've applied fixes for those: http://git.savannah.gnu.org/gitweb/?p=gnutls.git;a=shortlog;h=refs/heads/gnutls_2_12_x > 3. > The CKA_SUBJECT must be specified for a certificate. Why is this? I don't see anywhere in PKCS #11 such a requirement. > 4. > The p11tool has an option to mark a certificate as trusted when > importing it. The problem is that only the Security Officer can set it > to true. I do not have a patch for it. But the program have to login > as a SO and change the attribute of this object. Remember that the SO > can only see public objects. You do not set the CKA_PRIVATE and the > default value is "token-specific". SoftHSM sets the CKA_PRIVATE to > true and thus not visible for the SO since it then is a private > object. I think I've addressed it in the repository. regards, Nikos From nmav at gnutls.org Wed Jun 15 21:35:58 2011 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Wed, 15 Jun 2011 21:35:58 +0200 Subject: Issue connecting to Army Knowledge Online website using GnuTLS In-Reply-To: <20110613194352.GA20075@imp.local> References: <20110610185627.GA12091@imp.local> <20110613194352.GA20075@imp.local> Message-ID: <4DF9099E.2080104@gnutls.org> On 06/13/2011 09:43 PM, W. Michael Petullo wrote: >>> I am having trouble connecting to the Army Knowledge Online server >>> (www.us.army.mil) using Epiphany/GnuTLS 2.10.5 (Firefox and OpenSSL's >>> s_client work fine). I've brought this up with the AKO administrators, >>> but thought I'd mention it here too. AKO requires an account, but >>> the homepage is publically accessible. I tried troubleshooting using >>> gnutls-cli and got: >> >> Could you try the compatibility priority string described in: >> http://www.gnu.org/software/gnutls/manual/html_node/Interoperability.html#Interoperability >> >> (it is for 2.12.x, for 2.10, it would be: >> "NORMAL:-VERS-TLS1.1:-VERS-TLS1.2:%COMPAT") > > This seems to work: > > gnutls-cli -d 255 -p 443 www.us.army.mil --priority "NORMAL:-VERS-TLS1.1:-VERS-TLS1.2:%COMPAT" > > Is the an environment variable that will cause applications that use > GnuTLS to behave in this manner? Or, does the application have to call > gnutls_certificate_type_set_priority() explicitly? An application has to call gnutls_priority_set_direct(), to allow priority strings. regards, Nikos From rickard at opendnssec.org Thu Jun 16 08:15:18 2011 From: rickard at opendnssec.org (Rickard Bellgrim) Date: Thu, 16 Jun 2011 08:15:18 +0200 Subject: PKCS#11 bugs In-Reply-To: <4DF90925.2040900@gnutls.org> References: <4DF90925.2040900@gnutls.org> Message-ID: > I've applied fixes for those: > http://git.savannah.gnu.org/gitweb/?p=gnutls.git;a=shortlog;h=refs/heads/gnutls_2_12_x Thanks >> 3. >> The CKA_SUBJECT must be specified for a certificate. > > Why is this? I don't see anywhere in PKCS #11 such a requirement. Table 24, Page 75 in ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-11/v2-20/pkcs-11v2-20.pdf. CKA_SUBJECT [1] - Byte array - DER-encoding of the certificate subject name [1] Must be specified when the object is created. // Rickard From nmav at gnutls.org Thu Jun 16 08:46:30 2011 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Thu, 16 Jun 2011 08:46:30 +0200 Subject: PKCS#11 bugs In-Reply-To: References: <4DF90925.2040900@gnutls.org> Message-ID: <4DF9A6C6.2090805@gnutls.org> On 06/16/2011 08:15 AM, Rickard Bellgrim wrote: > Table 24, Page 75 in > ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-11/v2-20/pkcs-11v2-20.pdf. > CKA_SUBJECT [1] - Byte array - DER-encoding of the certificate subject name > [1] Must be specified when the object is created. Indeed. I've applied it. regards, Nikos From rickard at opendnssec.org Thu Jun 16 12:32:21 2011 From: rickard at opendnssec.org (Rickard Bellgrim) Date: Thu, 16 Jun 2011 12:32:21 +0200 Subject: PKCS#11 bugs In-Reply-To: <4DF90925.2040900@gnutls.org> References: <4DF90925.2040900@gnutls.org> Message-ID: On Wed, Jun 15, 2011 at 9:33 PM, Nikos Mavrogiannopoulos wrote: >> 4. >> The p11tool has an option to mark a certificate as trusted when >> importing it. The problem is that only the Security Officer can set it >> to true. I do not have a patch for it. But the program have to login >> as a SO and change the attribute of this object. Remember that the SO >> can only see public objects. You do not set the CKA_PRIVATE and the >> default value is "token-specific". SoftHSM sets the CKA_PRIVATE to >> true and thus not visible for the SO since it then is a private >> object. > > I think I've addressed it in the repository. The first three items now work. But the CKA_TRUSTED is still set by the user and not the SO. // Rickard Output from pkcs11-spy: 9: C_OpenSession [in] slotID = 0x2 [in] flags = 0x6 pApplication=(nil) Notify=(nil) [out] *phSession = 0x1 Returned: 0 CKR_OK PIN required for token 'token2' with URL 'pkcs11:model=SoftHSM;manufacturer=SoftHSM;serial=1;token=token2' Enter PIN: 10: C_Login [in] hSession = 0x1 [in] userType = CKU_USER [in] pPin[ulPinLen] [size : 0x4 (4)] 31323334 Returned: 0 CKR_OK 11: C_CreateObject [in] hSession = 0x1 [in] pTemplate[8]: CKA_CLASS CKO_CERTIFICATE CKA_ID [size : 0x14 (20)] 0D388EB8 8076B822 9EFCCBCB 207EF27B 870854CA CKA_VALUE [size : 0x2A1 (673)] 3082029D 30820206 020900ED B2014041 B7ACCB30 0D06092A 864886F7 0D010105 05003081 92310B30 09060355 04061302 53453112 30100603 55040813 0953746F 636B686F 6C6D3112 30100603 55040713 0953746F 636B686F 6C6D310C 300A0603 55040A13 032E5345 310C300A 06035504 0B130346 6F553119 30170603 55040313 10526963 6B617264 2042656C 6C677269 6D312430 2206092A 864886F7 0D010901 16157269 636B6172 64624063 65727465 7A7A612E 6E657430 1E170D31 31303631 36313032 3233315A 170D3132 30363135 31303232 33315A30 8192310B 30090603 55040613 02534531 12301006 03550408 13095374 6F636B68 6F6C6D31 12301006 03550407 13095374 6F636B68 6F6C6D31 0C300A06 0355040A 13032E53 45310C30 0A060355 040B1303 466F5531 19301706 03550403 13105269 636B6172 64204265 6C6C6772 696D3124 30220609 2A864886 F70D0109 01161572 69636B61 72646240 63657274 657A7A61 2E6E6574 30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 00B3664B DE864766 54105F12 2791E5E6 5E9368B5 3FAFAA21 9D0BFA7D E141CCA5 90BCE2A0 C8B3E836 6A070D8A E77FEA98 5964BC59 3FA75177 E6879E14 D591BDA9 4ECD0B2E 7AE34A78 A115B838 60200E72 19FE0312 1D419250 D4FECBCD 0EF7BEFB 1C0E6293 C4891955 6236E432 1C70D5FE 5DD00E83 748D2FE6 7CF19B21 34313C5B 01020301 0001300D 06092A86 4886F70D 01010505 00038181 0005C642 9D21D50B FD3C5957 EF8F0E16 C08CC216 FC9141DC 67AA452D A147EBE7 BF95B508 5E43A9EA D61B8CDF 9BC839A3 AF991540 7F552A28 90C4D756 FC33416C B2B3C83C 973851BC 61FA0F0D 6C3B2CC1 0F0AC266 E15F07CD B79010D8 BA2984C3 0708ECFF 49255890 BE84202C F3205AD5 85F19E87 9391F059 DEF749D0 F7FEF2B0 39 CKA_TOKEN True CKA_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT [size : 0x95 (149)] 30819231 0B300906 03550406 13025345 31123010 06035504 08130953 746F636B 686F6C6D 31123010 06035504 07130953 746F636B 686F6C6D 310C300A 06035504 0A13032E 5345310C 300A0603 55040B13 03466F55 31193017 06035504 03131052 69636B61 72642042 656C6C67 72696D31 24302206 092A8648 86F70D01 09011615 7269636B 61726462 40636572 74657A7A 612E6E65 74 DN: C=SE, ST=Stockholm, L=Stockholm, O=.SE, OU=FoU, CN=Rickard Bellgrim/emailAddress=rickardb at certezza.net CKA_LABEL [size : 0x6 (6)] 4D794365 7274 M y C e r t CKA_TRUSTED [size : 0x1 (1)] 01 Returned: 16 CKR_ATTRIBUTE_READ_ONLY 12: C_CloseSession [in] hSession = 0x1 Returned: 0 CKR_OK Error in pkcs11_write:574: PKCS #11 error in attribute From fweimer at bfk.de Thu Jun 16 16:05:33 2011 From: fweimer at bfk.de (Florian Weimer) Date: Thu, 16 Jun 2011 14:05:33 +0000 Subject: asn1_der_decoding API misuse Message-ID: <82fwn9oor6.fsf@mid.bfk.de> The comment in gnutls26-2.8.6/lib/minitasn1/decoding.c says this: * @errorDescription: null-terminated string contains details when an * error occurred. However, there are quite a few error returns without previous writes to the errorDescription buffer. Either the callers should be change to initialize the character buffer which is passed to asn1_der_decoding(), or asn1_der_decoding() should write an empty string to errorDescription if no description string is available. -- Florian Weimer BFK edv-consulting GmbH http://www.bfk.de/ Kriegsstra?e 100 tel: +49-721-96201-1 D-76133 Karlsruhe fax: +49-721-96201-99 From nmav at gnutls.org Thu Jun 16 20:51:40 2011 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Thu, 16 Jun 2011 20:51:40 +0200 Subject: PKCS#11 bugs In-Reply-To: References: <4DF90925.2040900@gnutls.org> Message-ID: <4DFA50BC.5080109@gnutls.org> On 06/16/2011 12:32 PM, Rickard Bellgrim wrote: > On Wed, Jun 15, 2011 at 9:33 PM, Nikos Mavrogiannopoulos > wrote: >>> 4. >>> The p11tool has an option to mark a certificate as trusted when >>> importing it. The problem is that only the Security Officer can set it >>> to true. I do not have a patch for it. But the program have to login >>> as a SO and change the attribute of this object. Remember that the SO >>> can only see public objects. You do not set the CKA_PRIVATE and the >>> default value is "token-specific". SoftHSM sets the CKA_PRIVATE to >>> true and thus not visible for the SO since it then is a private >>> object. >> I think I've addressed it in the repository. > The first three items now work. But the CKA_TRUSTED is still set by > the user and not the SO. Ooops. Should be fixed now. regards, Nikos From rickard at opendnssec.org Fri Jun 17 09:13:09 2011 From: rickard at opendnssec.org (Rickard Bellgrim) Date: Fri, 17 Jun 2011 09:13:09 +0200 Subject: PKCS#11 bugs In-Reply-To: <4DFA50BC.5080109@gnutls.org> References: <4DF90925.2040900@gnutls.org> <4DFA50BC.5080109@gnutls.org> Message-ID: On Thu, Jun 16, 2011 at 8:51 PM, Nikos Mavrogiannopoulos wrote: > On 06/16/2011 12:32 PM, Rickard Bellgrim wrote: >> On Wed, Jun 15, 2011 at 9:33 PM, Nikos Mavrogiannopoulos >> wrote: >>>> 4. >>>> The p11tool has an option to mark a certificate as trusted when >>>> importing it. The problem is that only the Security Officer can set it >>>> to true. I do not have a patch for it. But the program have to login >>>> as a SO and change the attribute of this object. Remember that the SO >>>> can only see public objects. You do not set the CKA_PRIVATE and the >>>> default value is "token-specific". SoftHSM sets the CKA_PRIVATE to >>>> true and thus not visible for the SO since it then is a private >>>> object. >>> I think I've addressed it in the repository. >> The first three items now work. But the CKA_TRUSTED is still set by >> the user and not the SO. > > Ooops. Should be fixed now. Great, now it logs in as SO. Just one more thing. Also set the CKA_PRIVATE to false. As I noted above, the default value is "token-specific". Otherwise the SO cannot create the object. If this is fixed then it works. See table 6 (access rules) in the PKCS#11 API, page 22. I also noted that the library enters an eternal loop when wrong PIN has been entered. // Rickard From rickard at opendnssec.org Fri Jun 17 10:48:55 2011 From: rickard at opendnssec.org (Rickard Bellgrim) Date: Fri, 17 Jun 2011 10:48:55 +0200 Subject: PKCS#11 bugs In-Reply-To: References: <4DF90925.2040900@gnutls.org> <4DFA50BC.5080109@gnutls.org> Message-ID: On Fri, Jun 17, 2011 at 9:13 AM, Rickard Bellgrim wrote: > I also noted that the library enters an eternal loop when wrong PIN > has been entered. This was because I do not set PIN_COUNT_LOW or PIN_FINAL_TRY in SoftHSM. GnuTLS will thus keep using the cached PIN. I will see what I can do about that. // Rickard From rickard at opendnssec.org Fri Jun 17 13:53:34 2011 From: rickard at opendnssec.org (Rickard Bellgrim) Date: Fri, 17 Jun 2011 13:53:34 +0200 Subject: PKCS#11 bugs In-Reply-To: References: <4DF90925.2040900@gnutls.org> <4DFA50BC.5080109@gnutls.org> Message-ID: On Fri, Jun 17, 2011 at 10:48 AM, Rickard Bellgrim wrote: > On Fri, Jun 17, 2011 at 9:13 AM, Rickard Bellgrim > wrote: >> I also noted that the library enters an eternal loop when wrong PIN >> has been entered. > > This was because I do not set PIN_COUNT_LOW or PIN_FINAL_TRY in > SoftHSM. GnuTLS will thus keep using the cached PIN. I will see what I > can do about that. Yes, that did the trick. // Rickard From nmav at gnutls.org Fri Jun 17 20:41:31 2011 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Fri, 17 Jun 2011 20:41:31 +0200 Subject: PKCS#11 bugs In-Reply-To: References: <4DF90925.2040900@gnutls.org> <4DFA50BC.5080109@gnutls.org> Message-ID: <4DFB9FDB.1030102@gnutls.org> On 06/17/2011 09:13 AM, Rickard Bellgrim wrote: > Great, now it logs in as SO. Just one more thing. Also set the > CKA_PRIVATE to false. As I noted above, the default value is > "token-specific". Otherwise the SO cannot create the object. If this > is fixed then it works. See table 6 (access rules) in the PKCS#11 > API, page 22. I've set it to false when the CKA_TRUSTED is set as well. > I also noted that the library enters an eternal loop when wrong PIN > has been entered. This was because I do not set PIN_COUNT_LOW or > PIN_FINAL_TRY in SoftHSM. GnuTLS will thus keep using the cached PIN. > I will see what I can do about that. I've also limited the number of attempts a PIN is used with p11tool. This would prevent such an infinite loop. regards, Nikos From nmav at gnutls.org Fri Jun 17 21:44:23 2011 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Fri, 17 Jun 2011 21:44:23 +0200 Subject: asn1_der_decoding API misuse In-Reply-To: <82fwn9oor6.fsf@mid.bfk.de> References: <82fwn9oor6.fsf@mid.bfk.de> Message-ID: <4DFBAE97.1080803@gnutls.org> On 06/16/2011 04:05 PM, Florian Weimer wrote: > The comment in gnutls26-2.8.6/lib/minitasn1/decoding.c says this: > > * @errorDescription: null-terminated string contains details when an > * error occurred. > > However, there are quite a few error returns without previous writes to > the errorDescription buffer. Either the callers should be change to > initialize the character buffer which is passed to asn1_der_decoding(), > or asn1_der_decoding() should write an empty string to errorDescription > if no description string is available. Indeed. It should be fixed. I've added it to my todo list. regards, Nikos From nmav at gnutls.org Sat Jun 18 21:30:16 2011 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Sat, 18 Jun 2011 21:30:16 +0200 Subject: gnutls 2.99.3 Message-ID: <4DFCFCC8.1020707@gnutls.org> Hello, I've just released gnutls 2.99.3. Currently it depends on the cvs version of nettle (http://www.lysator.liu.se/~nisse/nettle/). The changes since last version are attached below. The GnuTLS 2.99.x branch is NOT what you want for your stable system. It is intended for developers and experienced users. The changes since the development release are: * Version 2.99.3 (released 2011-06-18) ** libgnutls: Added new PKCS #11 flags to force an object being private or not. (GNUTLS_PKCS11_OBJ_FLAG_MARK_PRIVATE and GNUTLS_PKCS11_OBJ_FLAG_MARK_NOT_PRIVATE) ** libgnutls: Added SUITEB128 and SUITEB192 priority strings to enable the NSA SuiteB cryptography ciphersuites. ** libgnutls: Added gnutls_pubkey_verify_data2() that will verify data provided the signature algorithm. ** libgnutls: Simplified the handling of handshake messages to be hashed. Instead of hashing during the handshake process we now keep the data until handshake is over and hash them on request. This uses more memory but eliminates issues with TLS 1.2 and simplifies code. ** libgnutls: Added AES-GCM optimizations using the PCLMULQDQ instruction. Uses Andy Polyakov's assembly code. ** libgnutls: Added gnutls_x509_trust_list_add_named_crt() and gnutls_x509_trust_list_verify_named_crt() that allow having a list of certificates in the trusted list that will be associated with a name (e.g. server name) and will not be used as CAs. ** libgnutls: PKCS #11 back-end rewritten to use p11-kit http://p11-glue.freedesktop.org/p11-kit.html. Rewrite by Stef Walter. ** libgnutls: Added ECDHE-PSK ciphersuites for TLS (RFC 5489). ** API and ABI modifications: gnutls_pubkey_verify_data2: ADDED gnutls_ecc_curve_get: ADDED gnutls_x509_trust_list_add_named_crt: ADDED gnutls_x509_trust_list_verify_named_crt: ADDED gnutls_x509_privkey_verify_data: REMOVED gnutls_crypto_bigint_register: REMOVED gnutls_crypto_cipher_register: REMOVED gnutls_crypto_digest_register: REMOVED gnutls_crypto_mac_register: REMOVED gnutls_crypto_pk_register: REMOVED gnutls_crypto_rnd_register: REMOVED gnutls_crypto_single_cipher_register: REMOVED gnutls_crypto_single_digest_register: REMOVED gnutls_crypto_single_mac_register: REMOVED GNUTLS_KX_ECDHE_PSK: New key exchange method GNUTLS_VERIFY_DISABLE_CRL_CHECKS: New certificate verification flag. GNUTLS_PKCS11_OBJ_FLAG_MARK_PRIVATE: New PKCS#11 object flag. GNUTLS_PKCS11_OBJ_FLAG_MARK_NOT_PRIVATE: New PKCS#11 object flag. Here are the compressed sources: ftp://alpha.gnu.org/gnu/gnutls/gnutls-2.99.3.tar.xz ftp://ftp.gnutls.org/pub/gnutls/devel/gnutls-2.99.3.tar.xz Here is the OpenPGP signature: ftp://alpha.gnu.org/gnu/gnutls/gnutls-2.99.3.tar.xz.sig ftp://ftp.gnutls.org/pub/gnutls/devel/gnutls-2.99.3.tar.xz.sig regards, Nikos From nmav at gnutls.org Sat Jun 18 21:35:01 2011 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Sat, 18 Jun 2011 21:35:01 +0200 Subject: gnutls 2.12.7 Message-ID: <4DFCFDE5.3000505@gnutls.org> Hello, I've just released gnutls 2.12.7. * Version 2.12.7 (released 2011-06-18) ** p11tool: Require login as security officer if --trusted option is provided. Reported by Rickard Bellgrim. ** libgnutls: The CKA_SUBJECT field is specified when copying certificates in PKCS #11 smart-cards. Patch by Rickard Bellgrim. ** libgnutls: Write label when writing private keys in PKCS #11 tokens. Reported by Rickard Bellgrim. ** libgnutls: Accept CKR_USER_ALREADY_LOGGED_IN as a valid error code when logging in to PKCS #11 tokens. ** API and ABI modifications: No changes since last version. Getting the Software ==================== GnuTLS may be downloaded from one of the GNU mirror sites or directly >From and a list of GnuTLS mirrors can be found at . Here are the BZIP2 compressed sources: ftp://ftp.gnu.org/gnu/gnutls/gnutls-2.12.7.tar.bz2 http://ftp.gnu.org/gnu/gnutls/gnutls-2.12.7.tar.bz2 Here are OpenPGP detached signatures signed using key 0x96865171: ftp://ftp.gnu.org/gnu/gnutls/gnutls-2.12.7.tar.bz2.sig http://ftp.gnu.org/gnu/gnutls/gnutls-2.12.7.tar.bz2.sig Note that it has been signed with my openpgp key: pub 3104R/96865171 2008-05-04 [expires: 2028-04-29] uid Nikos Mavrogiannopoulos gnutls.org> uid Nikos Mavrogiannopoulos gmail.com> sub 2048R/9013B842 2008-05-04 [expires: 2018-05-02] sub 2048R/1404A91D 2008-05-04 [expires: 2018-05-02] regards, Nikos From tmraz at redhat.com Mon Jun 20 09:35:05 2011 From: tmraz at redhat.com (Tomas Mraz) Date: Mon, 20 Jun 2011 09:35:05 +0200 Subject: gnutls 2.12.7 In-Reply-To: <4DFCFDE5.3000505@gnutls.org> References: <4DFCFDE5.3000505@gnutls.org> Message-ID: <1308555305.3370.423.camel@vespa.frost.loc> On Sat, 2011-06-18 at 21:35 +0200, Nikos Mavrogiannopoulos wrote: > Hello, > I've just released gnutls 2.12.7. > GnuTLS may be downloaded from one of the GNU mirror sites or directly > From found at and a list of GnuTLS mirrors > can be found at . > > Here are the BZIP2 compressed sources: > > ftp://ftp.gnu.org/gnu/gnutls/gnutls-2.12.7.tar.bz2 > http://ftp.gnu.org/gnu/gnutls/gnutls-2.12.7.tar.bz2 It seems to be missing here. It is only in the ftp://ftp.gnu.org/pub/gnutls/ -- Tomas Mraz No matter how far down the wrong road you've gone, turn back. Turkish proverb From nmav at gnutls.org Mon Jun 20 18:00:43 2011 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Mon, 20 Jun 2011 18:00:43 +0200 Subject: gnutls 2.12.7 In-Reply-To: <1308555305.3370.423.camel@vespa.frost.loc> References: <4DFCFDE5.3000505@gnutls.org> <1308555305.3370.423.camel@vespa.frost.loc> Message-ID: <4DFF6EAB.2060004@gnutls.org> On 06/20/2011 09:35 AM, Tomas Mraz wrote: >> GnuTLS may be downloaded from one of the GNU mirror sites or directly >> From > found at and a list of GnuTLS mirrors >> can be found at . >> >> Here are the BZIP2 compressed sources: >> >> ftp://ftp.gnu.org/gnu/gnutls/gnutls-2.12.7.tar.bz2 >> http://ftp.gnu.org/gnu/gnutls/gnutls-2.12.7.tar.bz2 > > It seems to be missing here. It is only in the > ftp://ftp.gnu.org/pub/gnutls/ Thanks, it seems I've uploaded it to alpha.gnu.org. It is now at the expected place. regards, Nikos From a.radke at arcor.de Tue Jun 21 00:03:52 2011 From: a.radke at arcor.de (Andreas Radke) Date: Tue, 21 Jun 2011 00:03:52 +0200 Subject: gnutls 2.12.7 In-Reply-To: <4DFF6EAB.2060004@gnutls.org> References: <4DFCFDE5.3000505@gnutls.org> <1308555305.3370.423.camel@vespa.frost.loc> <4DFF6EAB.2060004@gnutls.org> Message-ID: <20110621000352.73d07930@workstation64.home> Is this expected or similar to the failure in 2.12.6? Again built with libgcrypt. make check-TESTS make[3]: Entering directory `/build/src/gnutls-2.12.7/tests/dsa' Checking various DSA key sizes Checking DSA-1024 with TLS 1.0 Checking server DSA-1024 with client DSA-1024 and TLS 1.0 Processed 1 client certificates... Processed 1 client X.509 certificates... Checking server DSA-1024 with client DSA-2048 and TLS 1.0 Checking server DSA-1024 with client DSA-3072 and TLS 1.0 ./testdsa: line 72: kill: (10708) - No such process Checking DSA-1024 with TLS 1.2 Checking server DSA-1024 with client DSA-1024 and TLS 1.2 Processed 1 client certificates... Processed 1 client X.509 certificates... Checking server DSA-1024 with client DSA-2048 and TLS 1.2 Processed 1 client certificates... Processed 1 client X.509 certificates... *** Fatal error: The given DSA key is incompatible with the selected TLS protocol. *** Handshake has failed GnuTLS error: The given DSA key is incompatible with the selected TLS protocol. Failure: Failed connection to a server with a client DSA 2048 key and TLS 1.2! FAIL: testdsa =================================== 1 of 1 test failed Please report to bug-gnutls at gnu.org =================================== make[3]: *** [check-TESTS] Error 1 make[3]: Leaving directory `/build/src/gnutls-2.12.7/tests/dsa' make[2]: *** [check-am] Error 2 make[2]: Leaving directory `/build/src/gnutls-2.12.7/tests/dsa' make[1]: *** [check-recursive] Error 1 make[1]: Leaving directory `/build/src/gnutls-2.12.7/tests' make: *** [check-recursive] Error 1 -Andy ArchLinux From sdl.web at gmail.com Tue Jun 21 09:55:09 2011 From: sdl.web at gmail.com (Leo) Date: Tue, 21 Jun 2011 15:55:09 +0800 Subject: gnutls 2.12.6 and zlib 1.2.3 Message-ID: [Please CC me on this bug] I compiled gnutls 2.12.6 from source on OSX (Mac OS X 10.6.7) and have the gnutls.pc like this: ,---- | prefix=/usr/local/unix/gnutls | exec_prefix=${prefix} | libdir=${exec_prefix}/lib | includedir=${prefix}/include | | Name: GnuTLS | Description: Transport Security Layer implementation for the GNU system | URL: http://www.gnu.org/software/gnutls/ | Version: 2.12.6 | Libs: -L${libdir} -lgnutls | Libs.private: -L/usr/local/unix/libgcrypt/lib -lgcrypt -L/usr/local/unix/libgpg-error/lib -L/usr/local/unix/gettext/lib -L/usr/local/unix/libiconv/lib -L/usr/local/unix/libgpg-er\ | ror/lib -lgpg-error -L/usr/local/unix/gettext/lib -lintl -L/usr/local/unix/libiconv/lib -liconv -lc -R/usr/local/unix/libgcrypt/lib -R/usr/local/unix/gettext/lib -R/usr/local/uni\ | x/libiconv/lib -R/usr/local/unix/libgpg-error/lib | Requires.private: zlib | Cflags: -I${includedir} `---- The line 'Requires.private: zlib' requires a file zlib.pc which is not provided by default on OSX. On OSX the zlib version: #define ZLIB_VERSION "1.2.3" Leo From vincent.torri at gmail.com Tue Jun 21 10:29:57 2011 From: vincent.torri at gmail.com (Vincent Torri) Date: Tue, 21 Jun 2011 10:29:57 +0200 Subject: gnutls 2.12.6 and zlib 1.2.3 In-Reply-To: References: Message-ID: On Tue, Jun 21, 2011 at 9:55 AM, Leo wrote: > [Please CC me on this bug] > > I compiled gnutls 2.12.6 from source on OSX (Mac OS X 10.6.7) and have > the gnutls.pc like this: > > ,---- > | prefix=/usr/local/unix/gnutls > | exec_prefix=${prefix} > | libdir=${exec_prefix}/lib > | includedir=${prefix}/include > | > | Name: GnuTLS > | Description: Transport Security Layer implementation for the GNU system > | URL: http://www.gnu.org/software/gnutls/ > | Version: 2.12.6 > | Libs: -L${libdir} -lgnutls > | Libs.private: -L/usr/local/unix/libgcrypt/lib -lgcrypt > -L/usr/local/unix/libgpg-error/lib -L/usr/local/unix/gettext/lib > -L/usr/local/unix/libiconv/lib -L/usr/local/unix/libgpg-er\ > | ror/lib -lgpg-error -L/usr/local/unix/gettext/lib -lintl > -L/usr/local/unix/libiconv/lib -liconv -lc -R/usr/local/unix/libgcrypt/lib > -R/usr/local/unix/gettext/lib -R/usr/local/uni\ > | x/libiconv/lib -R/usr/local/unix/libgpg-error/lib > | Requires.private: zlib > | Cflags: -I${includedir} > `---- > > The line 'Requires.private: zlib' requires a file zlib.pc which is not > provided by default on OSX. > > On OSX the zlib version: #define ZLIB_VERSION "1.2.3" > if there is no zlib.pc in your computer, then it's a bug in the gnutls autotools one should add zlib to Requires.private only if zlib.pc is detected. not just if zlib is detected. Vincent Torri -------------- next part -------------- An HTML attachment was scrubbed... URL: From nmav at gnutls.org Tue Jun 21 19:25:03 2011 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Tue, 21 Jun 2011 19:25:03 +0200 Subject: gnutls 2.12.7 In-Reply-To: <20110621000352.73d07930@workstation64.home> References: <4DFCFDE5.3000505@gnutls.org> <1308555305.3370.423.camel@vespa.frost.loc> <4DFF6EAB.2060004@gnutls.org> <20110621000352.73d07930@workstation64.home> Message-ID: <4E00D3EF.7020209@gnutls.org> On 06/21/2011 12:03 AM, Andreas Radke wrote: > Is this expected or similar to the failure in 2.12.6? > Again built with libgcrypt. It is the same issue. We recommend using gnutls with nettle. regards, Nikos From ametzler at downhill.at.eu.org Tue Jun 21 19:36:01 2011 From: ametzler at downhill.at.eu.org (Andreas Metzler) Date: Tue, 21 Jun 2011 19:36:01 +0200 Subject: gnutls 2.12.6 and zlib 1.2.3 In-Reply-To: References: Message-ID: <20110621173601.GA3130@downhill.g.la> On 2011-06-21 Vincent Torri wrote: > On Tue, Jun 21, 2011 at 9:55 AM, Leo wrote: [...] > > The line 'Requires.private: zlib' requires a file zlib.pc which is not > > provided by default on OSX. > > On OSX the zlib version: #define ZLIB_VERSION "1.2.3" [...] Hello, that is an ancient version. (18 July 2005), zlib has included a pkg-config script since 1.2.3.1 (16 August 2006). cu andreas From vincent.torri at gmail.com Tue Jun 21 23:19:38 2011 From: vincent.torri at gmail.com (Vincent Torri) Date: Tue, 21 Jun 2011 23:19:38 +0200 Subject: gnutls 2.12.6 and zlib 1.2.3 In-Reply-To: <20110621173601.GA3130@downhill.g.la> References: <20110621173601.GA3130@downhill.g.la> Message-ID: On Tue, Jun 21, 2011 at 7:36 PM, Andreas Metzler < ametzler at downhill.at.eu.org> wrote: > On 2011-06-21 Vincent Torri wrote: > > On Tue, Jun 21, 2011 at 9:55 AM, Leo wrote: > [...] > > > The line 'Requires.private: zlib' requires a file zlib.pc which is not > > > provided by default on OSX. > > > > On OSX the zlib version: #define ZLIB_VERSION "1.2.3" > [...] > > Hello, > that is an ancient version. (18 July 2005), zlib has included a > pkg-config script since 1.2.3.1 (16 August 2006). > But anyway, a distro may or may not provide the .pc file. zlib tests must always : 1) check first the .pc (if yes one fill Requires.private) 2) if not, check header and lib (if yes, fill Libs.private) Vincent -------------- next part -------------- An HTML attachment was scrubbed... URL: From cjl at laptop.org Thu Jun 23 09:08:36 2011 From: cjl at laptop.org (Chris Leonard) Date: Thu, 23 Jun 2011 03:08:36 -0400 Subject: gnutls i18n / l10N Message-ID: There seems to have been a breakdown in updating the POT files available for localization (L10n). This page: http://translationproject.org/domain/gnutls.html Shows that the latest available version fo the POT is: gnutls-2.5.7.pot This page: http://translationproject.org/domain/libgnutls.html Shows that the latest available version of the POT is: libgnutls-2.8.5.pot There is no reference for where L10n is supposed to happen on the main page: http://www.gnu.org/software/gnutls/ >From the NEWS file, there is mention of new i18n/L10n since 2.5.7, but it is not clear where this is happening. http://git.savannah.gnu.org/cgit/gnutls.git/tree/NEWS?h=gnutls_2_12_x * Version 2.7.7 (released 2009-04-20) ** i18n: The GnuTLS gettext domain is now 'libgnutls' instead of 'gnutls'. It is currently only used by the core library. This will enable a new domain 'gnutls' for translations of the command line tools. * Version 2.8.6 (released 2010-03-15) ** i18n: Updated Czech, Dutch, French, Polish, Swedish and Vietnamese ** translations. Added Simplified Chinese translation. * Version 2.9.8 (released 2009-11-05) ** i18n: Vietnamese translation updated. Thanks to Clytie Siddall. * Version 2.11.4 (released 2010-10-15) ** i18n: Update translations. Please update the Translation Project . If the Translation Project is no longer in use, please mark it as deprecated and provide links for where L10n gets done. Thank you for your attention to this matter. cjl volunteer Sugar Labs / OLPC / eToys Pootle admin From ametzler at downhill.at.eu.org Fri Jun 24 17:58:36 2011 From: ametzler at downhill.at.eu.org (Andreas Metzler) Date: Fri, 24 Jun 2011 17:58:36 +0200 Subject: gnutls 2.12.6 and zlib 1.2.3 In-Reply-To: References: <20110621173601.GA3130@downhill.g.la> Message-ID: <20110624155836.GC1928@downhill.g.la> On 2011-06-21 Vincent Torri wrote: > On Tue, Jun 21, 2011 at 7:36 PM, Andreas Metzler < > ametzler at downhill.at.eu.org> wrote: >> On 2011-06-21 Vincent Torri wrote: [...] >> that is an ancient version. (18 July 2005), zlib has included a >> pkg-config script since 1.2.3.1 (16 August 2006). > But anyway, a distro may or may not provide the .pc file. zlib tests must > always : > 1) check first the .pc (if yes one fill Requires.private) > 2) if not, check header and lib (if yes, fill Libs.private) Hello, FWIW I disagree, we should not be required too work around a) ancient library versions, or b) distributors who cannot make up their mind about shipping pkg-config files (zlib no, gnutls yes). However, patch attached. cu andreas -- `What a good friend you are to him, Dr. Maturin. His other friends are so grateful to you.' `I sew his ears on from time to time, sure' -------------- next part -------------- A non-text attachment was scrubbed... Name: 0001-fix-zlib-handling-in-gnutls.pc.patch Type: text/x-diff Size: 1786 bytes Desc: not available URL: From novel at FreeBSD.org Sat Jun 25 16:00:11 2011 From: novel at FreeBSD.org (Roman Bogorodskiy) Date: Sat, 25 Jun 2011 18:00:11 +0400 Subject: gnutls 2.12.6 and zlib 1.2.3 In-Reply-To: <20110624155836.GC1928@downhill.g.la> References: <20110621173601.GA3130@downhill.g.la> <20110624155836.GC1928@downhill.g.la> Message-ID: <20110625140009.GA1083@kloomba> Andreas Metzler wrote: [..] > > But anyway, a distro may or may not provide the .pc file. zlib tests must > > always : > > > 1) check first the .pc (if yes one fill Requires.private) > > 2) if not, check header and lib (if yes, fill Libs.private) > > Hello, > > FWIW I disagree, we should not be required too work around a) ancient > library versions, or b) distributors who cannot make up their mind > about shipping pkg-config files (zlib no, gnutls yes). However, patch > attached. Andreas, sometimes it's not about distributors deciding shipping pkg-config files for some packages and not shipping for other. For example, FreeBSD has zlib in a base system, in other words it's not an installable package and there's no pkg-config files for software in the base system. Roman Bogorodskiy From dam at opencsw.org Wed Jun 29 16:10:55 2011 From: dam at opencsw.org (Dagobert Michelsen) Date: Wed, 29 Jun 2011 16:10:55 +0200 Subject: Problem compiling gnutls 2.12.7 on Solaris 9 Message-ID: Hi, I am trying to compile gnutls 2.12.7 with libnettle 2.1 on Solaris 9 Sparc with Sun Studio 12 and get the following error: gmake[6]: Entering directory `/home/dam/mgar/pkg/gnutls/trunk/work/solaris9-sparc/build-isa-sparcv8/gnutls-2.12.7/lib/nettle' CC pk.lo "/opt/csw/include/nettle/nettle-stdint.h", line 237: identifier redeclared: gl_int_fast8_t current : signed char previous: long : "./../gl/stdint.h", line 241 "/opt/csw/include/nettle/nettle-stdint.h", line 238: warning: modification of typedef with "int" ignored "/opt/csw/include/nettle/nettle-stdint.h", line 238: identifier redeclared: gl_int_fast16_t current : int previous: long : "./../gl/stdint.h", line 243 "/opt/csw/include/nettle/nettle-stdint.h", line 239: warning: modification of typedef with "int" ignored "/opt/csw/include/nettle/nettle-stdint.h", line 239: identifier redeclared: gl_int_fast32_t current : int previous: long : "./../gl/stdint.h", line 245 "/opt/csw/include/nettle/nettle-stdint.h", line 241: warning: typedef redeclared: int64_t "/opt/csw/include/nettle/nettle-stdint.h", line 244: identifier redeclared: gl_uint_fast8_t current : unsigned char previous: unsigned long : "./../gl/stdint.h", line 242 "/opt/csw/include/nettle/nettle-stdint.h", line 245: identifier redeclared: gl_uint_fast16_t current : unsigned int previous: unsigned long : "./../gl/stdint.h", line 244 "/opt/csw/include/nettle/nettle-stdint.h", line 246: identifier redeclared: gl_uint_fast32_t current : unsigned int previous: unsigned long : "./../gl/stdint.h", line 246 "/opt/csw/include/nettle/nettle-stdint.h", line 248: warning: typedef redeclared: uint64_t cc: acomp failed for pk.c It looks like a gnulib incompatibility. Best regards -- Dago -- "You don't become great by trying to be great, you become great by wanting to do something, and then doing it so hard that you become great in the process." - xkcd #896 From INVALID.NOREPLY at gnu.org Wed Jun 29 21:36:18 2011 From: INVALID.NOREPLY at gnu.org (Petr Pisar) Date: Wed, 29 Jun 2011 19:36:18 +0000 Subject: [sr #107729] certtool --generate-request crashes when generating key on-the-fly Message-ID: <20110629-193617.sv60014.19095@savannah.gnu.org> URL: Summary: certtool --generate-request crashes when generating key on-the-fly Project: GnuTLS Submitted by: petrp Submitted on: Wed 29 Jun 2011 07:36:17 PM GMT Category: Included programs Priority: 5 - Normal Severity: 3 - Normal Status: None Privacy: Public Assigned to: None Originator Email: Open/Closed: Open Discussion Lock: Any Operating System: GNU/Linux _______________________________________________________ Details: Running $ certtool --generate-request --hash SHA256 --bits 2048 --outfile pisar-q.req from gnutls-2.12.7 or git HEAD I get segfault: (gdb) run Starting program: /tmp/gnutls-devel/src/.libs/certtool --generate-request --hash SHA256 --bits 2048 --outfile pisar-q.req [Thread debugging using libthread_db enabled] Generating a PKCS #10 certificate request... ** Note: Please use the --sec-param instead of --bits Generating a 2048 bit RSA private key... Program received signal SIGSEGV, Segmentation fault. 0xb7f46e34 in check_if_clean (key=0x0) at gnutls_privkey.c:296 296 if (key->type != 0) (gdb) bt #0 0xb7f46e34 in check_if_clean (key=0x0) at gnutls_privkey.c:296 #1 0xb7f46e65 in gnutls_privkey_import_x509 (pkey=0x0, key=0x8080e00, flags=1) at gnutls_privkey.c:363 #2 0x08050849 in generate_request (cinfo=0xbfffeaf8) at certtool.c:1843 #3 0x0804ed86 in gaa_parser (argc=8, argv=0xbfffebe4) at certtool.c:1128 #4 0x0804c88d in main (argc=8, argv=0xbfffebe4) at certtool.c:102 As you can see NULL pointer `key' is dereferenced at gnutls_privkey.c:296. Apparently, the key is not initialized properly. The `key' is `pkey' from certtol.c:1830: ret = gnutls_privkey_init (&pkey); if (ret < 0) error (EXIT_FAILURE, 0, "privkey_init: %s", gnutls_strerror (ret)); /* Load the private key. */ pkey = load_private_key (0, cinfo); if (!pkey) { xkey = generate_private_key_int (); print_private_key (xkey); ret = gnutls_privkey_import_x509(pkey, xkey, GNUTLS_PRIVKEY_IMPORT_AUTO_RELEASE); Or first two arguments of gnutls_privkey_import_x509() should be pointers. _______________________________________________________ Reply to this item at: _______________________________________________ Message sent via/by Savannah http://savannah.gnu.org/ From INVALID.NOREPLY at gnu.org Wed Jun 29 22:09:00 2011 From: INVALID.NOREPLY at gnu.org (Petr Pisar) Date: Wed, 29 Jun 2011 20:09:00 +0000 Subject: [sr #107729] certtool --generate-request crashes when generating key on-the-fly In-Reply-To: <20110629-193617.sv60014.19095@savannah.gnu.org> References: <20110629-193617.sv60014.19095@savannah.gnu.org> Message-ID: <20110629-200900.sv60014.65985@savannah.gnu.org> Follow-up Comment #1, sr #107729 (project gnutls): Attached patch should fix it. (file #23590) _______________________________________________________ Additional Item Attachment: File name: 0001-Fix-private-key-initialization-when-generating-reque.patch Size:1 KB _______________________________________________________ Reply to this item at: _______________________________________________ Message sent via/by Savannah http://savannah.gnu.org/ From INVALID.NOREPLY at gnu.org Wed Jun 29 22:44:53 2011 From: INVALID.NOREPLY at gnu.org (Petr Pisar) Date: Wed, 29 Jun 2011 20:44:53 +0000 Subject: [sr #107730] certtool --generate-certificate segfaults Message-ID: <20110629-204453.sv60014.33313@savannah.gnu.org> URL: Summary: certtool --generate-certificate segfaults Project: GnuTLS Submitted by: petrp Submitted on: Wed 29 Jun 2011 08:44:53 PM GMT Category: None Priority: 5 - Normal Severity: 3 - Normal Status: None Privacy: Public Assigned to: None Originator Email: Open/Closed: Open Discussion Lock: Any Operating System: None _______________________________________________________ Details: When signing certificate request by CA, certtool (from git HEAD) segfaults: Starting program: /tmp/gnutls-devel/src/.libs/certtool --generate-certificate --hash SHA256 --bits 2048 --load-ca-privkey /home/petr/projekty/libisds/libisds-devel/server/tls/ca.key --load-ca-certificate /home/petr/projekty/libisds/libisds-devel/server/tls/ca.cert --load-request pisar-q.req --outfile pisar-q.crt [Thread debugging using libthread_db enabled] Generating a signed certificate... [...] Signing certificate... Program received signal SIGSEGV, Segmentation fault. 0xb7f46de2 in gnutls_privkey_deinit (key=0x0) at gnutls_privkey.c:272 272 if (key->flags & GNUTLS_PRIVKEY_IMPORT_AUTO_RELEASE) (gdb) bt full #0 0xb7f46de2 in gnutls_privkey_deinit (key=0x0) at gnutls_privkey.c:272 No locals. #1 0x0804e463 in generate_signed_certificate (cinfo=0xbfffea28) at certtool.c:910 crt = 0x80780e0 key = 0x0 size = 1200 result = 0 ca_key = 0x8080708 ca_crt = 0x8077ad8 #2 0x0804ed96 in gaa_parser (argc=14, argv=0xbfffeb14) at certtool.c:1131 ret = 0 cinfo = {secret_key = 0x0, privkey = 0x0, pubkey = 0x0, pkcs8 = 0, incert_format = 1, cert = 0x0, request = 0xbfffee2d "pisar-q.req", ca = 0xbfffede1 "/home/petr/projekty/libisds/libisds-devel/server/tls/ca.cert", ca_privkey = 0xbfffed8f "/home/petr/projekty/libisds/libisds-devel/server/tls/ca.key"} #3 0x0804c88d in main (argc=14, argv=0xbfffeb14) at certtool.c:102 No locals. It tries to deinitialize private key from request that's NULL because request does not contain private key usually. _______________________________________________________ Reply to this item at: _______________________________________________ Message sent via/by Savannah http://savannah.gnu.org/ From INVALID.NOREPLY at gnu.org Wed Jun 29 23:00:00 2011 From: INVALID.NOREPLY at gnu.org (Petr Pisar) Date: Wed, 29 Jun 2011 21:00:00 +0000 Subject: [sr #107730] certtool --generate-certificate segfaults In-Reply-To: <20110629-204453.sv60014.33313@savannah.gnu.org> References: <20110629-204453.sv60014.33313@savannah.gnu.org> Message-ID: <20110629-210000.sv60014.56857@savannah.gnu.org> Follow-up Comment #1, sr #107730 (project gnutls): Attached should fix this problem. (file #23591) _______________________________________________________ Additional Item Attachment: File name: 0001-Honor-uninitialized-private-key-in-destructor.patch Size:0 KB _______________________________________________________ Reply to this item at: _______________________________________________ Message sent via/by Savannah http://savannah.gnu.org/