From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Sun, 01 May 2011 20:18:52 +0200
Subject: Two minor doc fixes
In-Reply-To: <20110430135938.GA1956@downhill.g.la>
References: <20110430135938.GA1956@downhill.g.la>
Message-ID: <4DBDA40C.4040400@gnutls.org>

On 04/30/2011 03:59 PM, Andreas Metzler wrote:
> Hello,
> find attached two one-line patches for formatting/typo/grammar errors.
> 0001 for both master and gnutls_2_12_x
> 0002 only for gnutls_2_12_x (function is removed in master.)

Applied. Thank you.

Nikos
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Tue, 3 May 2011 13:36:20 +0200
Subject: deprecated functions without direct successor
In-Reply-To: <4DB4973C.4070501@gnutls.org>
References: <20110424112113.GA1977@downhill.g.la> <4DB4973C.4070501@gnutls.org>
Message-ID:

On Sun, Apr 24, 2011 at 11:33 PM, Nikos Mavrogiannopoulos wrote:
>> I have test-built most of the gnutls-depending packages, checking for
>> build errors with 2.12.
>> Afaict there are a couple of recently deprecated functions without
>> successor. Is this correct, do you have any pointer, suggestions?
>> gnutls_certificate_get_x509_cas (neon27, openldap)
> There is no direct successor to this function. It depended on internal
> data that are already non-existing in 2.99.x. I'll try to check
> those packages on how they use it, to see if there could be some
> alternative way to achieve that functionality.

Hello Andreas,
I've checked and it seems both libraries use gnutls_certificate_get_x509_cas()
in order to find the issuer in credentials of a given certificate. I'll add
a function that does exactly that using the credentials and this would even
optimize things for those libraries. It would be something like:

  int gnutls_certificate_get_issuer(gnutls_certificate_credentials_t cred,
                                    gnutls_x509_crt_t cert,
                                    const gnutls_x509_crt_t* issuer);

regards,
Nikos
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Tue, 03 May 2011 21:51:18 +0200
Subject: deprecated functions without direct successor
In-Reply-To: <20110424112113.GA1977@downhill.g.la>
References: <20110424112113.GA1977@downhill.g.la>
Message-ID: <4DC05CB6.2050106@gnutls.org>

On 04/24/2011 01:21 PM, Andreas Metzler wrote:
> Hello,
>
> I have test-built most of the gnutls-depending packages, checking for
> build errors with 2.12.
> Afaict there are a couple of recently deprecated functions without
> successor. Is this correct, do you have any pointer, suggestions?
> gnutls_certificate_get_x509_cas (neon27, openldap)

I've added gnutls_certificate_get_issuer() that would cover the existing
use cases. I've added it both to 2.12.4 and 2.99.x.
http://git.savannah.gnu.org/gitweb/?p=gnutls.git;a=commitdiff;h=83ff33e7fdc369b8d4030f78633a6e279c51425f

regards,
Nikos

From: kon at iki.fi (Kalle Olavi Niemitalo)
Date: Tue, 03 May 2011 23:53:03 +0300
Subject: _gnutls_hostname_compare: toupper vs. c_toupper
Message-ID: <8739kvzets.fsf@Pulska.kon.iki.fi>

In GnuTLS 2.8.6 and 2.10.5, _gnutls_hostname_compare uses toupper
on the characters of the hostname:

  /* find the first different character */
  for (; *certname && *hostname && toupper (*certname) == toupper (*hostname);
       certname++, hostname++, certnamesize--)
    ;

I suspect this should be c_toupper instead, so that 'i' matches
'I' in hostnames even in a Turkish (or is that Turkic?) locale.
From: veillard at redhat.com (Daniel Veillard)
Date: Wed, 4 May 2011 11:00:18 +0800
Subject: [libvirt] failure to build on rawhide
In-Reply-To: <4DC090B7.8020907@redhat.com>
References: <4DC090B7.8020907@redhat.com>
Message-ID: <20110504030018.GS21035@redhat.com>

On Tue, May 03, 2011 at 05:33:11PM -0600, Eric Blake wrote:
> I'm getting this when trying to build libvirt on rawhide (using the
> package gnutls-devel-2.12.3-1.fc16.x86_64):
>
> remote/remote_driver.c: In function 'negotiate_gnutls_on_connection':
> remote/remote_driver.c:1361:9: error:
> 'gnutls_certificate_type_set_priority' is deprecated (declared at
> /usr/include/gnutls/compat.h:347) [-Werror=deprecated-declarations]

Since we don't normally build with -Werror we should not need to fix this
for 0.9.1

> but I can't find anything in the gnutls man pages that says why it is
> deprecated or what to use in its place. Any ideas?

Curl seems to have hit the same, and suggests to use gnutls_priority_set_direct():
http://curl.haxx.se/mail/lib-2011-04/0162.html

But the 2 functions are completely different; however at
http://hackipedia.org/Software/GNU/gnutls/gnutls%20-%20Transport%20Layer%20Security%20Library%20for%20the%20GNU%20system%20v2.8.5%20%282%20June%202009%29.pdf.raw-conversion.utf-8.txt
there are examples of the use of that function, taking a description string
instead of a list of parameters:

  gnutls_priority_set_direct (session, "PERFORMANCE:!ARCFOUR-128", NULL);
  ...
  gnutls_priority_set_direct (session, "NORMAL:+SRP:+SRP-DSS:+SRP-RSA", NULL);
  ...
  const char *err;
  ret = gnutls_priority_set_direct (session, "PERFORMANCE", &err);

Seems that instead of building a list of ints, one needs to build a string,
and there is a better error reporting mechanism.

The main problem though is that we are gonna have to detect it in configure
because the replacement function gnutls_priority_set_direct is not present
in older releases like gnutls-1.4.1 used to compile on RHEL-5 for example.
Daniel

--
Daniel Veillard      | libxml Gnome XML XSLT toolkit  http://xmlsoft.org/
daniel at veillard.com  | Rpmfind RPM search engine http://rpmfind.net/
http://veillard.com/ | virtualization library  http://libvirt.org/

From: kon at iki.fi (Kalle Olavi Niemitalo)
Date: Wed, 04 May 2011 00:25:00 +0300
Subject: _gnutls_hostname_compare: exponential slowdown with multiple wildcards
Message-ID: <87y62nxys3.fsf@Pulska.kon.iki.fi>

I tried a few _gnutls_hostname_compare calls in GnuTLS 2.8.6.
The implementation in 2.10.5 is identical.

_gnutls_hostname_compare("*************a", 14, "bbbbbbbbbbbbbbb")
returns 0 in 1 second.

_gnutls_hostname_compare("**************a", 15, "bbbbbbbbbbbbbbbb")
returns 0 in 5 seconds.

_gnutls_hostname_compare("***************a", 16, "bbbbbbbbbbbbbbbbb")
returns 0 in 15 seconds.

_gnutls_hostname_compare("****************a", 17, "bbbbbbbbbbbbbbbbbb")
returns 0 in 63 seconds.

_gnutls_hostname_compare("*****************a", 18, "bbbbbbbbbbbbbbbbbbb")
returns 0 in 243 seconds.

As you can see, the time grows exponentially as more characters
and wildcards are added.

I think the worst case of this function could be made a lot faster.
After a wildcard has been reached, there is never any need to
backtrack to a previous wildcard. I'll probably implement such
an algorithm in ELinks, for use with OpenSSL.

Alternatively, I suppose you could just reject the whole pattern
if it has more than ten wildcards. :)
From: eblake at redhat.com (Eric Blake)
Date: Tue, 03 May 2011 17:33:11 -0600
Subject: failure to build on rawhide
Message-ID: <4DC090B7.8020907@redhat.com>

I'm getting this when trying to build libvirt on rawhide (using the
package gnutls-devel-2.12.3-1.fc16.x86_64):

remote/remote_driver.c: In function 'negotiate_gnutls_on_connection':
remote/remote_driver.c:1361:9: error:
'gnutls_certificate_type_set_priority' is deprecated (declared at
/usr/include/gnutls/compat.h:347) [-Werror=deprecated-declarations]

but I can't find anything in the gnutls man pages that says why it is
deprecated or what to use in its place. Any ideas?

--
Eric Blake   eblake at redhat.com    +1-801-349-2682
Libvirt virtualization library http://libvirt.org

From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Thu, 05 May 2011 22:18:57 +0200
Subject: _gnutls_hostname_compare: toupper vs. c_toupper
In-Reply-To: <8739kvzets.fsf@Pulska.kon.iki.fi>
References: <8739kvzets.fsf@Pulska.kon.iki.fi>
Message-ID: <4DC30631.1000501@gnutls.org>

On 05/03/2011 10:53 PM, Kalle Olavi Niemitalo wrote:
> In GnuTLS 2.8.6 and 2.10.5, _gnutls_hostname_compare uses toupper
> on the characters of the hostname:
>
>   /* find the first different character */
>   for (; *certname && *hostname && toupper (*certname) == toupper (*hostname);
>        certname++, hostname++, certnamesize--)
>     ;
>
> I suspect this should be c_toupper instead, so that 'i' matches
> 'I' in hostnames even in a Turkish (or is that Turkic?) locale.

You're right. This however makes it apparent that
gnutls_x509_crt_check_hostname() does not really support
internationalized DNS names...

Thank you for reporting that.

regards,
Nikos
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Thu, 05 May 2011 22:31:55 +0200
Subject: _gnutls_hostname_compare: exponential slowdown with multiple wildcards
In-Reply-To: <87y62nxys3.fsf@Pulska.kon.iki.fi>
References: <87y62nxys3.fsf@Pulska.kon.iki.fi>
Message-ID: <4DC3093B.8060502@gnutls.org>

On 05/03/2011 11:25 PM, Kalle Olavi Niemitalo wrote:
> I tried a few _gnutls_hostname_compare calls in GnuTLS 2.8.6.
> The implementation in 2.10.5 is identical.
>
> _gnutls_hostname_compare("*************a", 14, "bbbbbbbbbbbbbbb")
> returns 0 in 1 second.
>
> _gnutls_hostname_compare("**************a", 15, "bbbbbbbbbbbbbbbb")
> returns 0 in 5 seconds.
>
> _gnutls_hostname_compare("***************a", 16, "bbbbbbbbbbbbbbbbb")
> returns 0 in 15 seconds.
>
> _gnutls_hostname_compare("****************a", 17, "bbbbbbbbbbbbbbbbbb")
> returns 0 in 63 seconds.
>
> _gnutls_hostname_compare("*****************a", 18, "bbbbbbbbbbbbbbbbbbb")
> returns 0 in 243 seconds.
>
> As you can see, the time grows exponentially as more characters
> and wildcards are added.
>
> I think the worst case of this function could be made a lot faster.
> After a wildcard has been reached, there is never any need to
> backtrack to a previous wildcard. I'll probably implement such
> an algorithm in ELinks, for use with OpenSSL.
>
> Alternatively, I suppose you could just reject the whole pattern
> if it has more than ten wildcards. :)

Ouch. I think something like 6 might be quite realistic.
Thank you for reporting that.

regards,
Nikos
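Editor's added example, not code from GnuTLS or from either poster, showing the two fixes discussed in Kalle Olavi Niemitalo's reports above in one function: ASCII-only case folding in place of toupper() (the role gnulib's c_toupper() plays, so 'i' matches 'I' regardless of locale), and a wildcard matcher that resumes only from the most recent '*' so the cost is bounded by the product of the two lengths instead of growing exponentially with the number of wildcards, plus a cap on wildcards per pattern. The cap of 6 is taken from Nikos's reply and is an assumption here, as are the function names. Like the calls in the report, '*' is allowed to match any run of characters including dots; a production verifier would additionally restrict wildcards to the leftmost label (RFC 6125 section 6.4.3), which this thread does not cover.

```c
#include <stddef.h>
#include <stdio.h>

/* Locale-independent upper-casing: only a-z are folded, so 'i' always
 * becomes 'I' no matter which locale the calling program selected.
 * toupper() in a Turkish locale does not give that guarantee. */
static int ascii_toupper(int c)
{
    return (c >= 'a' && c <= 'z') ? c - 'a' + 'A' : c;
}

/* Assumed cap on '*' per pattern (6, the figure Nikos calls realistic).
 * Patterns over the cap are rejected before any matching is attempted. */
#define MAX_WILDCARDS 6

/* Returns 1 if the pattern is within the wildcard cap, 0 otherwise. */
int pattern_acceptable(const char *certname)
{
    size_t stars = 0;
    for (; *certname; certname++)
        if (*certname == '*' && ++stars > MAX_WILDCARDS)
            return 0;
    return 1;
}

/* ASCII case-insensitive match of hostname against certname, where '*'
 * matches any run of characters. Only the most recent '*' is ever resumed
 * from: on a mismatch the search restarts just after it with the hostname
 * advanced by one character, and earlier wildcards are never revisited.
 * Returns 1 on match, 0 otherwise (including a rejected pattern). */
int hostname_compare(const char *certname, const char *hostname)
{
    const char *resume_pat = NULL;  /* pattern position after the last '*' */
    const char *resume_host = NULL; /* hostname position when it was met */

    if (!pattern_acceptable(certname))
        return 0;

    while (*hostname) {
        if (*certname == '*') {
            resume_pat = ++certname;
            resume_host = hostname;
        } else if (*certname &&
                   ascii_toupper((unsigned char)*certname) ==
                   ascii_toupper((unsigned char)*hostname)) {
            certname++;
            hostname++;
        } else if (resume_pat) {
            certname = resume_pat;
            hostname = ++resume_host;
        } else {
            return 0;
        }
    }
    /* Hostname consumed: trailing '*' may still match the empty string. */
    while (*certname == '*')
        certname++;
    return *certname == '\0';
}

int main(void)
{
    /* Constructed inputs, including a 6-wildcard cousin of the report's
     * pathological pattern and the report's own 13-wildcard one. */
    const char *cases[][2] = {
        { "*.example.com", "WWW.EXAMPLE.COM" },
        { "******a", "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb" },
        { "*************a", "bbbbbbbbbbbbbbb" },
        { "a*b*c", "axxbyyc" },
        { "example.com", "example.org" },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-16s vs %-42s -> %d\n", cases[i][0], cases[i][1],
               hostname_compare(cases[i][0], cases[i][1]));
    return 0;
}
```

The six-wildcard case against a long run of b's returns immediately: each mismatch moves resume_host forward by one and never re-examines an earlier '*', so the number of steps is linear in the hostname for a fixed pattern. The 13-wildcard pattern from the report is refused by the cap before matching starts.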
From: nisse at lysator.liu.se (Niels Möller)
Date: Fri, 06 May 2011 14:10:23 +0200
Subject: Fwd: Problem with nettle 2.1 and gnutls 2.12.3 on Solaris
In-Reply-To: <7C623346-4D33-43A3-849A-1CF016C0B6F4@baltic-online.de> (Dagobert Michelsen's message of "Thu, 5 May 2011 14:38:39 +0200")
References: <7C623346-4D33-43A3-849A-1CF016C0B6F4@baltic-online.de>
Message-ID:

Dagobert Michelsen writes:

>> I am trying to compile gnutls 2.12.3 with libnettle 2.1 and get the
>> following errors. From the output I assume an incompatibility between
>> different gnulib inclusions.

For the record, nettle does not use gnulib. It uses AX_CREATE_STDINT_H,
iirc I copied that from autoconf-archive, long ago.

>> "/opt/csw/include/nettle/nettle-stdint.h", line 237: identifier redeclared: gl_int_fast8_t
>>         current : signed char
>>         previous: long : "./../gl/stdint.h", line 241

This is puzzling. On Solaris, nettle-stdint.h is expected to contain

  /* generated using gnu compiler gcc (GCC) 3.4.5 */
  #define _STDINT_HAVE_STDINT_H 1

  /* ................... shortcircuit part ........................... */

  #if defined HAVE_STDINT_H || defined _STDINT_HAVE_STDINT_H
  #include
  #else
  ... lots of irrelevant stuff...
  #endif

And there seems to be a /usr/include/stdint.h on the system I look, so I
don't think it's a gcc-specific include file. What does your
nettle-stdint.h look like? If it is different, something went wrong at
configure time when nettle was installed..

And what is "./../gl/stdint.h", that's from gnulib? nettle-stdint.h does
not refer gl_int_fast8_t as far as I can see, so I guess there's a

  #define int_fast8_t gl_int_fast8_t

somewhere.

The failures seem to all be related to the various *_fast_*_t types, where
the spec leaves a lot of room for the implementation. So if different
packages define these themselves, it's not very surprising that they might
have different ideas about what they should be.
But in the Solaris case, the right thing is most likely to use the
definitions from /usr/include/stdint.h, and *no* others. I haven't looked
at gnulib, but I *hope* it has some short-circuit code like in
nettle-stdint.h, to fall back to the system's stdint.h or inttypes.h if
one of them exists and works.

/Niels

PS. Sorry the nettle-bugs list is members only, if you want to reply and
are not on that list, please use my personal address instead of
nettle-bugs at lists.lysator.liu.se.

--
Niels Möller. PGP-encrypted email is preferred. Keyid C0B98E26.
Internet email is subject to wholesale government surveillance.
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Fri, 06 May 2011 17:45:47 +0200
Subject: gnutls 2.12.4
Message-ID: <4DC417AB.9070902@gnutls.org>

Hello,
I've just released gnutls 2.12.4.

What's New
==========

** libgnutls: Added gnutls_certificate_get_issuer() to compensate for
the deprecated gnutls_certificate_get_x509_cas().

** libgnutls: Limited allowed wildcards to gnutls_x509_crt_check_hostname()
to prevent denial of service attacks. Reported by Kalle Olavi Niemitalo.

** guile: Fix tests to match the `exit' behavior introduced in Guile 2.0.1.
This fix makes tests behave correctly wrt. to the Guile bug fix at .

** API and ABI modifications:
gnutls_certificate_get_issuer: ADDED

Getting the Software
====================

GnuTLS may be downloaded from one of the GNU mirror sites or directly
From and a list of GnuTLS mirrors can be found at .

Here are the BZIP2 compressed sources:
  ftp://ftp.gnu.org/gnu/gnutls/gnutls-2.12.4.tar.bz2
  http://ftp.gnu.org/gnu/gnutls/gnutls-2.12.4.tar.bz2

Here are OpenPGP detached signatures signed using key 0x96865171:
  ftp://ftp.gnu.org/gnu/gnutls/gnutls-2.12.4.tar.bz2.sig
  http://ftp.gnu.org/gnu/gnutls/gnutls-2.12.4.tar.bz2.sig

Note that it has been signed with my openpgp key:
  pub   3104R/96865171 2008-05-04 [expires: 2028-04-29]
  uid                  Nikos Mavrogiannopoulos gnutls.org>
  uid                  Nikos Mavrogiannopoulos gmail.com>
  sub   2048R/9013B842 2008-05-04 [expires: 2018-05-02]
  sub   2048R/1404A91D 2008-05-04 [expires: 2018-05-02]

regards,
Nikos
From: arfrever.fta at gmail.com (Arfrever Frehtes Taifersar Arahesis)
Date: Sat, 7 May 2011 00:12:15 +0200
Subject: /tmp/rng-test
Message-ID: <201105070012.17695.Arfrever.FTA@gmail.com>

tests/rng-fork.c creates /tmp/rng-test. I suggest that rng-test be created
in the directory referenced by the TMPDIR environment variable if this
variable is set.

--
Arfrever Frehtes Taifersar Arahesis

From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Sat, 07 May 2011 01:14:34 +0200
Subject: /tmp/rng-test
In-Reply-To: <201105070012.17695.Arfrever.FTA@gmail.com>
References: <201105070012.17695.Arfrever.FTA@gmail.com>
Message-ID: <4DC480DA.2030609@gnutls.org>

On 05/07/2011 12:12 AM, Arfrever Frehtes Taifersar Arahesis wrote:
> tests/rng-fork.c creates /tmp/rng-test. I suggest that rng-test be created in directory
> referenced by TMPDIR environment variable if this variable is set.

Thanks for reporting that. No need for a temporary directory at all. I've
corrected it to create the file in the same directory.

regards,
Nikos
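The two messages settle where the test's scratch file goes, but the reason a fixed name such as /tmp/rng-test is worth avoiding in the first place (not something either message raises) is the classic shared-directory race: any local user can pre-create a file or symlink at a predictable name, and a plain open() with O_CREAT then writes through whatever is there. Editor's added example, not code from GnuTLS's test suite: it honours TMPDIR as Arfrever suggests, falls back to the current directory as in Nikos's fix, uses mkstemp() so the name is unpredictable and created exclusively, and shows the exclusive open that a fixed name would at minimum need. The function names and the use of "rng-test" as a name prefix are the example's own.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Older platforms may lack O_NOFOLLOW; O_CREAT|O_EXCL alone already
 * fails with EEXIST when the path is a symlink, so this is belt-and-braces. */
#ifndef O_NOFOLLOW
#define O_NOFOLLOW 0
#endif

/* Scratch directory: honour TMPDIR when set, else the caller's fallback
 * ("." mirrors the fix of creating the file in the test's own directory). */
const char *scratch_dir(const char *fallback)
{
    const char *d = getenv("TMPDIR");
    return (d && *d) ? d : fallback;
}

/* Create a fresh 0600 scratch file with an unpredictable name under dir.
 * mkstemp() opens with O_CREAT|O_EXCL, so a file or symlink planted at a
 * guessed name is never followed; another name is tried instead. On success
 * the chosen path is left in out and the descriptor is returned; -1 on
 * failure. The "rng-test" prefix is an assumption of this example. */
int create_scratch_file(const char *dir, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "%s/rng-test.XXXXXX", dir);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    return mkstemp(out);
}

/* For a fixed, well-known name (the /tmp/rng-test case) the minimum is
 * O_EXCL|O_NOFOLLOW: the open fails instead of writing through whatever
 * someone else left at that path. Returns the descriptor or -1. */
int open_fixed_name_exclusively(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW,
                S_IRUSR | S_IWUSR);
}

/* Self-test: create a scratch file, check its mode is owner-only, show that
 * an exclusive open of the now-existing path is refused with EEXIST, then
 * clean up. Returns 0 on success or a small code naming the failed step. */
int scratch_file_self_test(void)
{
    char path[4096];
    struct stat st;
    int fd, again, refused;

    fd = create_scratch_file(scratch_dir("."), path, sizeof path);
    if (fd < 0)
        return 1;
    if (fstat(fd, &st) != 0 || (st.st_mode & 0777) != 0600) {
        close(fd);
        unlink(path);
        return 2;
    }
    again = open_fixed_name_exclusively(path);
    refused = (again < 0 && errno == EEXIST);
    if (again >= 0)
        close(again);
    close(fd);
    unlink(path);
    return refused ? 0 : 3;
}

int main(void)
{
    int rc = scratch_file_self_test();
    printf("scratch file self-test: %s (code %d)\n", rc == 0 ? "ok" : "FAILED", rc);
    return rc;
}
```

A test program that only needs a private file for a fork-safety check does not need a shared directory at all, which is the point of Nikos's fix; where a temporary location is unavoidable, the exclusive-create pattern above is the part that matters, not the directory choice.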
From: dam at baltic-online.de (Dagobert Michelsen)
Date: Thu, 5 May 2011 13:35:26 +0200
Subject: Problem with nettle 2.1 and gnutls 2.12.3 on Solaris
Message-ID:

Hi,

I am trying to compile gnutls 2.12.3 with libnettle 2.1 and get the
following errors. From the output I assume an incompatibility between
different gnulib inclusions.

dam at testing9s :/home/dam/mgar/pkg/gnutls/trunk/work/solaris9-sparc/build-isa-sparcv8/gnutls-2.12.3/lib/nettle > gmake V=1
        source='pk.c' object='pk.lo' libtool=yes \
        DEPDIR=.deps depmode=none /bin/bash ../build-aux/depcomp \
        /bin/bash ../libtool --tag=CC --mode=compile /opt/SUNWspro/bin/cc -DHAVE_CONFIG_H -I. -I.. -I./../gl -I./../gl -I./../includes -I./../includes -I./.. -I/opt/csw/include -xO3 -m32 -xarch=v8 -c -o pk.lo pk.c
libtool: compile:  /opt/SUNWspro/bin/cc -DHAVE_CONFIG_H -I. -I.. -I./../gl -I./../gl -I./../includes -I./../includes -I./.. -I/opt/csw/include -xO3 -m32 -xarch=v8 -c pk.c -KPIC -DPIC -o .libs/pk.o
"/opt/csw/include/nettle/nettle-stdint.h", line 237: identifier redeclared: gl_int_fast8_t
        current : signed char
        previous: long : "./../gl/stdint.h", line 241
"/opt/csw/include/nettle/nettle-stdint.h", line 238: warning: modification of typedef with "int" ignored
"/opt/csw/include/nettle/nettle-stdint.h", line 238: identifier redeclared: gl_int_fast16_t
        current : int
        previous: long : "./../gl/stdint.h", line 243
"/opt/csw/include/nettle/nettle-stdint.h", line 239: warning: modification of typedef with "int" ignored
"/opt/csw/include/nettle/nettle-stdint.h", line 239: identifier redeclared: gl_int_fast32_t
        current : int
        previous: long : "./../gl/stdint.h", line 245
"/opt/csw/include/nettle/nettle-stdint.h", line 241: warning: typedef redeclared: int64_t
"/opt/csw/include/nettle/nettle-stdint.h", line 244: identifier redeclared: gl_uint_fast8_t
        current : unsigned char
        previous: unsigned long : "./../gl/stdint.h", line 242
"/opt/csw/include/nettle/nettle-stdint.h", line 245: identifier redeclared: gl_uint_fast16_t
        current : unsigned int
        previous: unsigned long : "./../gl/stdint.h", line 244
"/opt/csw/include/nettle/nettle-stdint.h", line 246: identifier redeclared: gl_uint_fast32_t
        current : unsigned int
        previous: unsigned long : "./../gl/stdint.h", line 246
"/opt/csw/include/nettle/nettle-stdint.h", line 248: warning: typedef redeclared: uint64_t
cc: acomp failed for pk.c
gmake: *** [pk.lo] Error 1
zsh: 9813 exit 2     gmake V=1

Platform is Solaris 9 Sparc with Sun Studio 12 compiler.

Best regards

-- Dago

From: INVALID.NOREPLY at gnu.org (Nikos Mavrogiannopoulos)
Date: Sat, 07 May 2011 20:56:09 +0000
Subject: [sr #107560] libextra/openssl.h conflicts with wincrypt.h
In-Reply-To: <20101230-124638.sv7213.2817@savannah.gnu.org>
References: <20101226-024025.sv74148.29875@savannah.gnu.org> <20101230-124638.sv7213.2817@savannah.gnu.org>
Message-ID: <20110507-235609.sv707.55075@savannah.gnu.org>

Update of sr #107560 (project gnutls):

                Open/Closed:                    Open => Closed

_______________________________________________________

Reply to this item at:

_______________________________________________
  Message sent via/by Savannah
  http://savannah.gnu.org/

From: INVALID.NOREPLY at gnu.org (Nikos Mavrogiannopoulos)
Date: Sat, 07 May 2011 21:43:04 +0000
Subject: [sr #107674] GnuTLS produces an invalid gnutls.pc pkg-config script (@LTLIBPAKCHOIS@)
In-Reply-To: <20110425-004612.sv707.7246@savannah.gnu.org>
References: <20110423-135002.sv74987.92287@savannah.gnu.org> <20110425-004612.sv707.7246@savannah.gnu.org>
Message-ID: <20110508-004304.sv707.17644@savannah.gnu.org>

Update of sr #107674 (project gnutls):

                Open/Closed:                    Open => Closed

_______________________________________________________

Reply to this item at:

_______________________________________________
  Message sent via/by Savannah
  http://savannah.gnu.org/
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Sat, 14 May 2011 11:26:06 +0200
Subject: gnutls 2.12.5
Message-ID: <4DCE4AAE.6030407@gnutls.org>

Hello,
I've just released gnutls 2.12.5.

What's New
==========

** certtool: Can now load private keys and public keys from PKCS #11
tokens via URLs.

** libgnutls: PKCS #11 URLs conform to the latest draft being
http://tools.ietf.org/html/draft-pechanec-pkcs11uri-04.

** libgnutls: gnutls_pkcs11_privkey_import_url() will now correctly
read the public key algorithm of the key.

** libgnutls: Added gnutls_x509_crq_verify() to allow verification of the
self signature in a certificate request. This allows verifying whether the
owner of the private key is the generator of the request.

** libgnutls: gnutls_x509_crt_set_crq() implicitly verifies the self
signature of the request.

** API and ABI modifications:
gnutls_x509_crq_verify: ADDED

Getting the Software
====================

GnuTLS may be downloaded from one of the GNU mirror sites or directly
From and a list of GnuTLS mirrors can be found at .

Here are the BZIP2 compressed sources:
  ftp://ftp.gnu.org/gnu/gnutls/gnutls-2.12.5.tar.bz2
  http://ftp.gnu.org/gnu/gnutls/gnutls-2.12.5.tar.bz2

Here are OpenPGP detached signatures signed using key 0x96865171:
  ftp://ftp.gnu.org/gnu/gnutls/gnutls-2.12.5.tar.bz2.sig
  http://ftp.gnu.org/gnu/gnutls/gnutls-2.12.5.tar.bz2.sig

Note that it has been signed with my openpgp key:
  pub   3104R/96865171 2008-05-04 [expires: 2028-04-29]
  uid                  Nikos Mavrogiannopoulos gnutls.org>
  uid                  Nikos Mavrogiannopoulos gmail.com>
  sub   2048R/9013B842 2008-05-04 [expires: 2018-05-02]
  sub   2048R/1404A91D 2008-05-04 [expires: 2018-05-02]

regards,
Nikos
From: novel at FreeBSD.org (Roman Bogorodskiy)
Date: Thu, 19 May 2011 16:17:12 +0400
Subject: gnutls 2.99.x ships gnulib without error.h.
Message-ID: <20110519121711.GB1024@ritual.srt.mirantis.net>

Hi,

I noticed that gnutls versions 2.99.x stopped shipping error.h include
file in gl/error.h. It doesn't affect Linux as glibc has error.h, but it
makes compilation fail on FreeBSD for example.

Any ideas how to fix that?

Roman Bogorodskiy

From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Fri, 20 May 2011 12:51:24 +0200
Subject: gnutls 2.99.x ships gnulib without error.h.
In-Reply-To: <20110519121711.GB1024@ritual.srt.mirantis.net>
References: <20110519121711.GB1024@ritual.srt.mirantis.net>
Message-ID: <4DD647AC.5020000@gnutls.org>

On 05/19/2011 02:17 PM, Roman Bogorodskiy wrote:
> Hi,
>
> I noticed that gnutls versions 2.99.x stopped shipping error.h include
> file in gl/error.h. It doesn't affect Linux as glibc has error.h, but it
> makes compilation fail on FreeBSD for example.

I've added it in the git repository. Try getting it from:
http://git.savannah.gnu.org/gitweb/?p=gnutls.git

regards,
Nikos
From: simon at josefsson.org (Simon Josefsson)
Date: Fri, 20 May 2011 22:43:56 +0200
Subject: gnutls 2.99.x ships gnulib without error.h.
In-Reply-To: <4DD647AC.5020000@gnutls.org> (Nikos Mavrogiannopoulos's message of "Fri, 20 May 2011 12:51:24 +0200")
References: <20110519121711.GB1024@ritual.srt.mirantis.net> <4DD647AC.5020000@gnutls.org>
Message-ID: <87tycpm7ar.fsf@latte.josefsson.org>

Nikos Mavrogiannopoulos writes:

> On 05/19/2011 02:17 PM, Roman Bogorodskiy wrote:
>> Hi,
>>
>> I noticed that gnutls versions 2.99.x stopped shipping error.h include
>> file in gl/error.h. It doesn't affect Linux as glibc has error.h, but it
>> makes compilation fail on FreeBSD for example.
>
> I've added in the git repository. Try getting it from:
> http://git.savannah.gnu.org/gitweb/?p=gnutls.git

I updated the gnulib files, they were a bit old too.

/Simon
From: simon at josefsson.org (Simon Josefsson)
Date: Fri, 20 May 2011 22:48:04 +0200
Subject: _gnutls_hostname_compare: toupper vs. c_toupper
In-Reply-To: <4DC30631.1000501@gnutls.org> (Nikos Mavrogiannopoulos's message of "Thu, 05 May 2011 22:18:57 +0200")
References: <8739kvzets.fsf@Pulska.kon.iki.fi> <4DC30631.1000501@gnutls.org>
Message-ID: <87pqndm73v.fsf@latte.josefsson.org>

Nikos Mavrogiannopoulos writes:

> On 05/03/2011 10:53 PM, Kalle Olavi Niemitalo wrote:
>> In GnuTLS 2.8.6 and 2.10.5, _gnutls_hostname_compare uses toupper
>> on the characters of the hostname:
>>
>>   /* find the first different character */
>>   for (; *certname && *hostname && toupper (*certname) == toupper (*hostname);
>>        certname++, hostname++, certnamesize--)
>>     ;
>>
>> I suspect this should be c_toupper instead, so that 'i' matches
>> 'I' in hostnames even in a Turkish (or is that Turkic?) locale.
>
> You're right. This however makes it apparent that
> gnutls_x509_crt_check_hostname() does not really support
> internationalized DNS names...

I think that is intentional -- it is an IDN-unaware domain name slot, and
hence should only contain an ASCII domain.

/Simon
From: simon at josefsson.org (Simon Josefsson)
Date: Fri, 20 May 2011 22:51:34 +0200
Subject: failure to build on rawhide
In-Reply-To: <4DC090B7.8020907__12908.4695283838$1304574663$gmane$org@redhat.com> (Eric Blake's message of "Tue, 03 May 2011 17:33:11 -0600")
References: <4DC090B7.8020907__12908.4695283838$1304574663$gmane$org@redhat.com>
Message-ID: <87liy1m6y1.fsf@latte.josefsson.org>

Eric Blake writes:

> I'm getting this when trying to build libvirt on rawhide (using the
> package gnutls-devel-2.12.3-1.fc16.x86_64):
>
> remote/remote_driver.c: In function 'negotiate_gnutls_on_connection':
> remote/remote_driver.c:1361:9: error:
> 'gnutls_certificate_type_set_priority' is deprecated (declared at
> /usr/include/gnutls/compat.h:347) [-Werror=deprecated-declarations]
>
> but I can't find anything in the gnutls man pages that says why it is
> deprecated or what to use in its place. Any ideas?

Try gnutls_priority_set. What did you use
gnutls_certificate_type_set_priority for? It is rare to really need it, a
call to gnutls_set_default_priority() is usually sufficient.

Ideally the GTK-DOC strings for the deprecated functions should be updated
to point at the newer functions.

/Simon
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Sat, 21 May 2011 09:15:24 +0200
Subject: gnutls 2.99.x ships gnulib without error.h.
In-Reply-To: <87tycpm7ar.fsf@latte.josefsson.org>
References: <20110519121711.GB1024@ritual.srt.mirantis.net> <4DD647AC.5020000@gnutls.org> <87tycpm7ar.fsf@latte.josefsson.org>
Message-ID: <4DD7668C.5010803@gnutls.org>

On 05/20/2011 10:43 PM, Simon Josefsson wrote:
> Nikos Mavrogiannopoulos writes:
>
>> On 05/19/2011 02:17 PM, Roman Bogorodskiy wrote:
>>> Hi,
>>>
>>> I noticed that gnutls versions 2.99.x stopped shipping error.h include
>>> file in gl/error.h. It doesn't affect Linux as glibc has error.h, but it
>>> makes compilation fail on FreeBSD for example.
>>
>> I've added in the git repository. Try getting it from:
>> http://git.savannah.gnu.org/gitweb/?p=gnutls.git
>
> I updated the gnulib files, they were a bit old too.

This update reintroduces the problem with memxor. Could we avoid it being
used at all?
From: simon at josefsson.org (Simon Josefsson)
Date: Sat, 21 May 2011 09:48:22 +0200
Subject: gnutls 2.99.x ships gnulib without error.h.
In-Reply-To: <4DD7668C.5010803@gnutls.org> (Nikos Mavrogiannopoulos's message of "Sat, 21 May 2011 09:15:24 +0200")
References: <20110519121711.GB1024@ritual.srt.mirantis.net> <4DD647AC.5020000@gnutls.org> <87tycpm7ar.fsf@latte.josefsson.org> <4DD7668C.5010803@gnutls.org>
Message-ID: <877h9kmr3t.fsf@latte.josefsson.org>

Nikos Mavrogiannopoulos writes:

> On 05/20/2011 10:43 PM, Simon Josefsson wrote:
>> Nikos Mavrogiannopoulos writes:
>>
>>> On 05/19/2011 02:17 PM, Roman Bogorodskiy wrote:
>>>> Hi,
>>>>
>>>> I noticed that gnutls versions 2.99.x stopped shipping error.h include
>>>> file in gl/error.h. It doesn't affect Linux as glibc has error.h, but it
>>>> makes compilation fail on FreeBSD for example.
>>>
>>> I've added in the git repository. Try getting it from:
>>> http://git.savannah.gnu.org/gitweb/?p=gnutls.git
>>
>> I updated the gnulib files, they were a bit old too.
>
> This update reintroduces the problem with memxor. Could we avoid being
> it used at all?

I added gnulib override files, so we patch the memxor code (and the
valgrind check) during each gnulib import. The code is only used in
libgnutls-extra.so, so it seems harmless -- and it can be useful if you
are on a system with libgcrypt in FIPS mode...

/Simon
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Sat, 21 May 2011 10:32:19 +0200
Subject: gnutls 2.99.x ships gnulib without error.h.
In-Reply-To: <877h9kmr3t.fsf@latte.josefsson.org>
References: <20110519121711.GB1024@ritual.srt.mirantis.net> <4DD647AC.5020000@gnutls.org> <87tycpm7ar.fsf@latte.josefsson.org> <4DD7668C.5010803@gnutls.org> <877h9kmr3t.fsf@latte.josefsson.org>
Message-ID: <4DD77893.3060808@gnutls.org>

On 05/21/2011 09:48 AM, Simon Josefsson wrote:
>> This update reintroduces the problem with memxor. Could we avoid being
>> it used at all?
> I added gnulib override files, so we patch the memxor code (and the
> valgrind check) during each gnulib import. The code is only used in
> libgnutls-extra.so, so it seems harmless -- and it can be useful if you
> are on a system with libgcrypt in FIPS mode...

Thanks. Btw. the new valgrind.m4 adds the --leak-check=full. This makes
test programs fail due to leaks in used libraries (pkcs11, libgcrypt leak
by design). Due to that however I've found a leak in libnettle, but it
might be better not to have it by default.

regards,
Nikos
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Sat, 21 May 2011 10:34:14 +0200
Subject: gnutls 2.99.x ships gnulib without error.h.
In-Reply-To: <4DD77893.3060808@gnutls.org>
References: <20110519121711.GB1024@ritual.srt.mirantis.net> <4DD647AC.5020000@gnutls.org> <87tycpm7ar.fsf@latte.josefsson.org> <4DD7668C.5010803@gnutls.org> <877h9kmr3t.fsf@latte.josefsson.org> <4DD77893.3060808@gnutls.org>
Message-ID: <4DD77906.1050203@gnutls.org>

On 05/21/2011 10:32 AM, Nikos Mavrogiannopoulos wrote:
> Thanks. Btw. the new valgrind.m4 adds the --leak-check=full. This makes
> test programs to fail due to leaks in used libraries (pkcs11, libgcrypt
> leak by design). Due to that however I've found a leak in libnettle, but
> it might be better not to have it by default.

I just saw that you already removed it, so ignore that. Thanks.

regards,
Nikos
From: simon at josefsson.org (Simon Josefsson)
Date: Sat, 21 May 2011 12:26:10 +0200
Subject: gnutls 2.99.x ships gnulib without error.h.
In-Reply-To: <4DD77893.3060808@gnutls.org> (Nikos Mavrogiannopoulos's message of "Sat, 21 May 2011 10:32:19 +0200")
References: <20110519121711.GB1024@ritual.srt.mirantis.net> <4DD647AC.5020000@gnutls.org> <87tycpm7ar.fsf@latte.josefsson.org> <4DD7668C.5010803@gnutls.org> <877h9kmr3t.fsf@latte.josefsson.org> <4DD77893.3060808@gnutls.org>
Message-ID: <871uzs2vul.fsf@latte.josefsson.org>

Nikos Mavrogiannopoulos writes:

> On 05/21/2011 09:48 AM, Simon Josefsson wrote:
>
>>> This update reintroduces the problem with memxor. Could we avoid being
>>> it used at all?
>> I added gnulib override files, so we patch the memxor code (and the
>> valgrind check) during each gnulib import. The code is only used in
>> libgnutls-extra.so, so it seems harmless -- and it can be useful if you
>> are on a system with libgcrypt in FIPS mode...
>
> Thanks. Btw. the new valgrind.m4 adds the --leak-check=full. This makes
> test programs to fail due to leaks in used libraries (pkcs11, libgcrypt
> leak by design). Due to that however I've found a leak in libnettle, but
> it might be better not to have it by default.

I removed it, but we could consider re-enabling it. To work around leaks
in external parts, just add to ~/.valgrindrc:

  --suppressions=/home/jas/src/gnutls/tests/libgcrypt.supp

If some pkcs11 library introduces memory leaks, you could write a
suppressions file for it too, and use it like that. The libgcrypt.supp
file should silence the libgcrypt memory leak complaint.

However maybe valgrind --leak-check=full shouldn't be used by default. Or
valgrind at all. It is mostly useful for developers.

/Simon
From: novel at FreeBSD.org (Roman Bogorodskiy)
Date: Mon, 23 May 2011 15:10:52 +0400
Subject: gnutls 2.99.x ships ships gnulib without error.h.
In-Reply-To: <4DD647AC.5020000@gnutls.org>
References: <20110519121711.GB1024@ritual.srt.mirantis.net> <4DD647AC.5020000@gnutls.org>
Message-ID: <20110523111050.GC1024@ritual.srt.mirantis.net>

Nikos Mavrogiannopoulos wrote:

> On 05/19/2011 02:17 PM, Roman Bogorodskiy wrote:
> > Hi,
> >
> > I noticed that gnutls versions 2.99.x stopped shipping error.h include
> > file in gl/error.h. It doesn't affect Linux as glibc has error.h, but it
> > makes compilation fail on FreeBSD for example.
>
> I've added it in the git repository. Try getting it from:
> http://git.savannah.gnu.org/gitweb/?p=gnutls.git

Seems to work, thanks.

Roman Bogorodskiy

From gscrivano at gnu.org Sun May 22 22:32:47 2011
From: gscrivano at gnu.org (Giuseppe Scrivano)
Date: Sun, 22 May 2011 22:32:47 +0200
Subject: gnutls_record_recv timeout with blocking sockets
Message-ID: <87mxiecw7k.fsf@gnu.org>

Hello,

In wget we are using something like the following pseudo-code to check if a call to `gnutls_record_recv' will be blocking:

gnutls_record_check_pending (session) || select_fd (fd, timeout);

I have noticed that even if the previous code returns a non-zero value, `gnutls_record_recv' can still block. To trigger it, I have used iptables as:

iptables -A INPUT -i lo -p tcp --destination-port 443 -j DROP

while I was downloading a file from an HTTPS server on the local machine. From a first look, it seems `read' is called multiple times from `gnutls_record_recv' so probably all data is consumed by the first calls. I have used gnutls from Debian testing, I haven't tried with the development version.

Is it possible to know in advance if `gnutls_record_recv' will block or not? Any suggestion how I could handle properly the --read-timeout in wget when TLS is used? Am I missing something?

Thanks,
Giuseppe

From berrange at redhat.com Mon May 23 11:54:56 2011
From: berrange at redhat.com (Daniel P. Berrange)
Date: Mon, 23 May 2011 10:54:56 +0100
Subject: [libvirt] failure to build on rawhide
In-Reply-To: <87liy1m6y1.fsf@latte.josefsson.org>
References: <4DC090B7.8020907__12908.4695283838$1304574663$gmane$org@redhat.com> <87liy1m6y1.fsf@latte.josefsson.org>
Message-ID: <20110523095456.GC24143@redhat.com>

On Fri, May 20, 2011 at 10:51:34PM +0200, Simon Josefsson wrote:
> Eric Blake writes:
>
> > I'm getting this when trying to build libvirt on rawhide (using the
> > package gnutls-devel-2.12.3-1.fc16.x86_64):
> >
> > remote/remote_driver.c: In function 'negotiate_gnutls_on_connection':
> > remote/remote_driver.c:1361:9: error:
> > 'gnutls_certificate_type_set_priority' is deprecated (declared at
> > /usr/include/gnutls/compat.h:347) [-Werror=deprecated-declarations]
> >
> > but I can't find anything in the gnutls man pages that says why it is
> > deprecated or what to use in its place. Any ideas?
>
> Try gnutls_priority_set. What did you use
> gnutls_certificate_type_set_priority for? It is rare to really need it,
> a call to gnutls_set_default_priority() is usually sufficient.

Agreed, our current use of gnutls_certificate_type_set_priority is bogus and can/should be removed, leaving just set_default_priority calls.

Daniel
-- 
|: http://berrange.com  -o-  http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org  -o-  http://virt-manager.org :|
|: http://autobuild.org  -o-  http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org  -o-  http://live.gnome.org/gtk-vnc :|

From mrsam at courier-mta.com Mon May 23 16:01:41 2011
From: mrsam at courier-mta.com (Sam Varshavchik)
Date: Mon, 23 May 2011 10:01:41 -0400
Subject: gnutls_record_recv timeout with blocking sockets
References: <87mxiecw7k.fsf@gnu.org>
Message-ID:

Giuseppe Scrivano writes:

> Hello,
>
> In wget we are using something like the following pseudo-code to
> check if a call to `gnutls_record_recv' will be blocking:
>
> gnutls_record_check_pending (session) || select_fd (fd, timeout);

You must use non-blocking sockets for this to work.

gnutls just read()s from the socket. If there's nothing to read, read() blocks until there's something to read.

gnutls_record_recv() reads from the socket. If it has not received an entire record, it reads again, until it does, then it returns and tells you what's been read. If the socket is empty before gnutls receives the entire record, gnutls_record_recv keeps reading, and it will block.

gnutls_record_check_pending() is just an indication that there's something still left over from the previous record that your app still hasn't retrieved using gnutls_record_recv(), yet. Your next call to gnutls_record_recv() will get that stuff, instead of reading from the socket.

Only if the socket is non-blocking, read() fails with EAGAIN/EWOULDBLOCK, and gnutls returns accordingly, but the socket must be non-blocking for that to happen.

Note that on Linux, select/poll on blocking sockets is not reliable. See BUGS in select(2) for more info. Neither gnutls, nor anything else, can reliably implement a no-delay read() from a blocking socket. select/poll only works "most" of the time. If "most" of the time is good enough for you, that's one thing, but rarely "most" of the time will be satisfactory.

> Is it possible to know in advance if `gnutls_record_recv' will block or
> not? Any suggestion how I could handle properly the --read-timeout in
> wget when TLS is used? Am I missing something?

You must use non-blocking sockets. You do not need to use gnutls_record_check_pending(). You just call gnutls_record_recv() first and foremost. With a non-blocking socket it never blocks, and always returns without delay. If it gives you back a GNUTLS_E_INTERRUPTED or GNUTLS_E_AGAIN, you know that the socket must be readable before you have a reasonable expectation that gnutls_record_recv() will give you something when you call it again. It may still return GNUTLS_E_INTERRUPTED/GNUTLS_E_AGAIN the second time too; but you're guaranteed to get that again unless the socket becomes readable first.

From nmav at gnutls.org Mon May 23 16:43:01 2011
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Mon, 23 May 2011 16:43:01 +0200
Subject: gnutls_record_recv timeout with blocking sockets
In-Reply-To: <87mxiecw7k.fsf@gnu.org>
References: <87mxiecw7k.fsf@gnu.org>
Message-ID: <4DDA7275.5030600@gnutls.org>

On 05/22/2011 10:32 PM, Giuseppe Scrivano wrote:
> Hello,
>
> In wget we are using something like the following pseudo-code to
> check if a call to `gnutls_record_recv' will be blocking:
> gnutls_record_check_pending (session) || select_fd (fd, timeout);
> I have noticed that even if the previous code returns a non-zero value,
> `gnutls_record_recv' can still block.

Could you distinguish which was the function that triggered the recv, (i.e. gnutls_record_check_pending() or select_fd()?). If it was gnutls_record_check_pending() then it is a bug as it would have returned you the pending data.

regards,
Nikos

From nmav at gnutls.org Mon May 23 16:48:38 2011
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Mon, 23 May 2011 16:48:38 +0200
Subject: [libvirt] failure to build on rawhide
In-Reply-To: <20110523095456.GC24143@redhat.com>
References: <4DC090B7.8020907__12908.4695283838$1304574663$gmane$org@redhat.com> <87liy1m6y1.fsf@latte.josefsson.org> <20110523095456.GC24143@redhat.com>
Message-ID: <4DDA73C6.90006@gnutls.org>

On 05/23/2011 11:54 AM, Daniel P. Berrange wrote:
>> Try gnutls_priority_set. What did you use
>> gnutls_certificate_type_set_priority for? It is rare to really
>> need it, a call to gnutls_set_default_priority() is usually
>> sufficient.
> Agreed, our current use of gnutls_certificate_type_set_priority is
> bogus and can/should be removed, leaving just set_default_priority
> calls.

If you expect random (other than gnutls/openssl/nss) TLS implementations to connect to you (or you plan to connect to them), then the set_default_priority() might not be enough. I tried to sketch the reasons at:
http://www.gnu.org/software/gnutls/manual/html_node/Compatibility-Issues.html#Compatibility-Issues

In those cases you might want to have some options configurable.

regards,
Nikos

From simon at josefsson.org Mon May 23 16:56:26 2011
From: simon at josefsson.org (Simon Josefsson)
Date: Mon, 23 May 2011 16:56:26 +0200
Subject: [libvirt] failure to build on rawhide
In-Reply-To: <4DDA73C6.90006@gnutls.org> (Nikos Mavrogiannopoulos's message of "Mon, 23 May 2011 16:48:38 +0200")
References: <4DC090B7.8020907__12908.4695283838$1304574663$gmane$org@redhat.com> <87liy1m6y1.fsf@latte.josefsson.org> <20110523095456.GC24143@redhat.com> <4DDA73C6.90006@gnutls.org>
Message-ID: <877h9htqhx.fsf@latte.josefsson.org>

Nikos Mavrogiannopoulos writes:

> On 05/23/2011 11:54 AM, Daniel P. Berrange wrote:
>
>>> Try gnutls_priority_set. What did you use
>>> gnutls_certificate_type_set_priority for? It is rare to really
>>> need it, a call to gnutls_set_default_priority() is usually
>>> sufficient.
>> Agreed, our current use of gnutls_certificate_type_set_priority is
>> bogus and can/should be removed, leaving just set_default_priority
>> calls.
>
> If you expect random (other than gnutls/openssl/nss) TLS implementations
> to connect to you (or you plan to connect to them), then the
> set_default_priority() might not be enough. I tried to sketch the
> reasons at:
> http://www.gnu.org/software/gnutls/manual/html_node/Compatibility-Issues.html#Compatibility-Issues
>
> In those cases you might want to have some options configurable.

Yes, it would be nice if libvirt had a configuration knob for the user to specify the priority string. However, as I understand it, libvirt only talks to its own implementation, and doesn't need to be compatible with any browser SSL legacy. So you probably don't need to use any compatibility settings at all.

/Simon

From gscrivano at gnu.org Mon May 23 19:41:20 2011
From: gscrivano at gnu.org (Giuseppe Scrivano)
Date: Mon, 23 May 2011 19:41:20 +0200
Subject: gnutls_record_recv timeout with blocking sockets
In-Reply-To: <4DDA7275.5030600@gnutls.org> (Nikos Mavrogiannopoulos's message of "Mon, 23 May 2011 16:43:01 +0200")
References: <87mxiecw7k.fsf@gnu.org> <4DDA7275.5030600@gnutls.org>
Message-ID: <87ei3pco1r.fsf@gnu.org>

Nikos Mavrogiannopoulos writes:

> On 05/22/2011 10:32 PM, Giuseppe Scrivano wrote:
>> Hello,
>>
>> In wget we are using something like the following pseudo-code to
>> check if a call to `gnutls_record_recv' will be blocking:
>> gnutls_record_check_pending (session) || select_fd (fd, timeout);
>> I have noticed that even if the previous code returns a non-zero value,
>> `gnutls_record_recv' can still block.
>
> Could you distinguish which was the function that triggered the
> recv, (i.e. gnutls_record_check_pending() or select_fd()?).

Sorry that I haven't mentioned it before, `select_fd' triggers the read.

Giuseppe

From nmav at gnutls.org Mon May 23 21:21:25 2011
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Mon, 23 May 2011 21:21:25 +0200
Subject: gnutls_record_recv timeout with blocking sockets
In-Reply-To: <87ei3pco1r.fsf@gnu.org>
References: <87mxiecw7k.fsf@gnu.org> <4DDA7275.5030600@gnutls.org> <87ei3pco1r.fsf@gnu.org>
Message-ID: <4DDAB3B5.8090109@gnutls.org>

On 05/23/2011 07:41 PM, Giuseppe Scrivano wrote:
>>> In wget we are using something like the following pseudo-code to
>>> check if a call to `gnutls_record_recv' will be blocking:
>>> gnutls_record_check_pending (session) || select_fd (fd, timeout);
>>> I have noticed that even if the previous code returns a non-zero value,
>>> `gnutls_record_recv' can still block.
>>
>> Could you distinguish which was the function that triggered the
>> recv, (i.e. gnutls_record_check_pending() or select_fd()?).
>
> Sorry that I haven't mentioned it before, `select_fd' triggers the read.

Then, as Sam mentioned, there is not much gnutls can do. That could be either because of the bugs mentioned by Sam, or because gnutls is blocked waiting for a TLS record. The ways to avoid this would be either by using non-blocking sockets or by having a timeout in the recv function provided to gnutls.

regards,
Nikos

From INVALID.NOREPLY at gnu.org Tue May 24 17:02:56 2011
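The second option Nikos names above, a timeout inside the recv function handed to gnutls, combined with the non-blocking-descriptor discipline Sam describes earlier in the thread, as an added example. This is constructed editor code, not GnuTLS or wget code: the struct and functions (timed_transport, pull_with_timeout, demo_pull_timeout) are hypothetical names, a pipe stands in for the TLS socket so the self-check runs offline, and the only assumption about the library is that a callback with this shape can be installed with the real gnutls_transport_set_ptr() / gnutls_transport_set_pull_function() APIs and that a -1/EAGAIN return is reported to the caller of gnutls_record_recv() as GNUTLS_E_AGAIN rather than blocking.

```c
#include <errno.h>
#include <fcntl.h>
#include <poll.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Per-connection transport state (constructed example, not GnuTLS code).
 * This is the object an application would register with
 * gnutls_transport_set_ptr() so the pull callback can find the descriptor
 * and the read deadline (wget's --read-timeout, for instance). */
struct timed_transport {
    int fd;          /* socket already switched to O_NONBLOCK */
    int timeout_ms;  /* longest single wait for data before giving up */
};

/* Pull callback with the gnutls_pull_func shape
 *   ssize_t pull(gnutls_transport_ptr_t ptr, void *buf, size_t len).
 * It waits at most timeout_ms for readability and then performs one
 * read().  A deadline hit is reported as -1 with errno = EAGAIN, so the
 * record layer surfaces it as GNUTLS_E_AGAIN instead of sitting in an
 * indefinite read() while waiting for the rest of a TLS record. */
ssize_t pull_with_timeout(void *ptr, void *buf, size_t len)
{
    struct timed_transport *t = ptr;
    struct pollfd pfd = { .fd = t->fd, .events = POLLIN, .revents = 0 };
    int rc;

    do {
        rc = poll(&pfd, 1, t->timeout_ms);
    } while (rc < 0 && errno == EINTR);   /* interrupted by a signal: retry */

    if (rc < 0)
        return -1;                        /* errno already set by poll() */
    if (rc == 0) {
        errno = EAGAIN;                   /* deadline reached: don't block */
        return -1;
    }
    /* Readable or hung up: a single read; 0 means orderly EOF.  Because the
     * descriptor is non-blocking a spurious wakeup yields EAGAIN here too,
     * which is the case select() on a blocking socket cannot handle safely. */
    return read(t->fd, buf, len);
}

/* Self-check on a pipe standing in for the socket.  Returns 0 when the
 * callback times out on an empty descriptor and then delivers the bytes
 * once the peer has written them; any other value identifies the failed
 * step. */
int demo_pull_timeout(void)
{
    int fds[2];
    char buf[16];
    ssize_t n;

    if (pipe(fds) != 0)
        return 1;
    if (fcntl(fds[0], F_SETFL, fcntl(fds[0], F_GETFL) | O_NONBLOCK) == -1)
        return 2;

    struct timed_transport t = { .fd = fds[0], .timeout_ms = 50 };

    /* Nothing written yet: must come back with EAGAIN after about 50 ms. */
    n = pull_with_timeout(&t, buf, sizeof buf);
    if (n != -1 || errno != EAGAIN)
        return 3;

    /* The peer sends five bytes; the same call now returns them promptly. */
    if (write(fds[1], "hello", 5) != 5)
        return 4;
    n = pull_with_timeout(&t, buf, sizeof buf);
    if (n != 5 || memcmp(buf, "hello", 5) != 0)
        return 5;

    close(fds[0]);
    close(fds[1]);
    return 0;
}

int main(void)
{
    int rc = demo_pull_timeout();
    printf("pull_with_timeout self-check: %s (code %d)\n",
           rc == 0 ? "ok" : "FAILED", rc);
    return rc;
}
```

The design point is that the timeout lives below the record layer: gnutls_record_recv() may call the pull function several times for one record, and every call is bounded, so a caller that gets GNUTLS_E_AGAIN back knows a deadline passed and can decide whether to abort or poll once more, while no single read() can hang the process the way the blocking-socket path in the original report did.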
From: INVALID.NOREPLY at gnu.org (Michael Cronenworth)
Date: Tue, 24 May 2011 15:02:56 +0000
Subject: [sr #107696] GnuTLS 2.10 client cannot negotiate TLS 1.2 to GnuTLS 2.8 server
Message-ID: <20110524-150255.sv82895.67461@savannah.gnu.org>

URL:

Summary: GnuTLS 2.10 client cannot negotiate TLS 1.2 to GnuTLS 2.8 server
Project: GnuTLS
Submitted by: mooninite
Submitted on: Tue 24 May 2011 03:02:55 PM GMT
Category: Core library
Priority: 5 - Normal
Severity: 3 - Normal
Status: None
Privacy: Public
Assigned to: None
Originator Email:
Open/Closed: Open
Discussion Lock: Any
Operating System: GNU/Linux

_______________________________________________________

Details:

Copied from Red Hat Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=707266

Description of problem:
Fedora 14 server - GnuTLS 2.8.6
Fedora 15 client - GnuTLS 2.10.5

The server is initialized with the following priorities:
"NONE:+VERS-TLS1.2:+AES-256-CBC:+RSA:+SHA1:+COMP-DEFLATE"

When the client attempts to connect the attempt fails with "handshake failed" as the reason.

When I change the server to be:
"NONE:+VERS-TLS1.1:+AES-256-CBC:+RSA:+SHA1:+COMP-DEFLATE"
the connection succeeds. TLS 1.0 also works.

Version-Release number of selected component (if applicable):
gnutls-2.8.6-2.fc14.x86_64
gnutls-2.10.5-1.fc15.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Set up GnuTLS 2.8.6 server with the priorities above.
2. Set up GnuTLS 2.10.5 client with the same priorities.
3. Attempt to connect to the server.

Actual results:
Handshake failure.

Expected results:
Connection succeeds.

Additional info:
If I connect to a 2.10.5 server with the 2.10.5 client, it succeeds. It seems there is some incompatibility between 2.8 and 2.10.

_______________________________________________________

Reply to this item at:

_______________________________________________
Message sent via/by Savannah
http://savannah.gnu.org/

From INVALID.NOREPLY at gnu.org Tue May 24 17:38:25 2011
From: INVALID.NOREPLY at gnu.org (Nikos Mavrogiannopoulos)
Date: Tue, 24 May 2011 15:38:25 +0000
Subject: [sr #107696] GnuTLS 2.10 client cannot negotiate TLS 1.2 to GnuTLS 2.8 server
In-Reply-To: <20110524-150255.sv82895.67461@savannah.gnu.org>
References: <20110524-150255.sv82895.67461@savannah.gnu.org>
Message-ID: <20110524-183825.sv707.62403@savannah.gnu.org>

Follow-up Comment #1, sr #107696 (project gnutls):

GnuTLS 2.8 TLS 1.2 support is not complete and disabled by default. GnuTLS 2.10 was the first release that added complete TLS 1.2 support.

From INVALID.NOREPLY at gnu.org Tue May 24 17:38:47 2011
From: INVALID.NOREPLY at gnu.org (Nikos Mavrogiannopoulos)
Date: Tue, 24 May 2011 15:38:47 +0000
Subject: [sr #107696] GnuTLS 2.10 client cannot negotiate TLS 1.2 to GnuTLS 2.8 server
In-Reply-To: <20110524-183825.sv707.62403@savannah.gnu.org>
References: <20110524-150255.sv82895.67461@savannah.gnu.org> <20110524-183825.sv707.62403@savannah.gnu.org>
Message-ID: <20110524-183846.sv707.60748@savannah.gnu.org>

Update of sr #107696 (project gnutls):

Status: None => Wont Do
Assigned to: None => nmav

From INVALID.NOREPLY at gnu.org Tue May 24 17:49:09 2011
From: INVALID.NOREPLY at gnu.org (Michael Cronenworth)
Date: Tue, 24 May 2011 15:49:09 +0000
Subject: [sr #107696] GnuTLS 2.10 client cannot negotiate TLS 1.2 to GnuTLS 2.8 server
In-Reply-To: <20110524-183846.sv707.60748@savannah.gnu.org>
References: <20110524-150255.sv82895.67461@savannah.gnu.org> <20110524-183825.sv707.62403@savannah.gnu.org> <20110524-183846.sv707.60748@savannah.gnu.org>
Message-ID: <20110524-154908.sv82895.15836@savannah.gnu.org>

Follow-up Comment #2, sr #107696 (project gnutls):

OK. Thank you for the quick response.

From gscrivano at gnu.org Wed May 25 18:33:08 2011
From: gscrivano at gnu.org (Giuseppe Scrivano)
Date: Wed, 25 May 2011 18:33:08 +0200
Subject: PSK examples
Message-ID: <87r57mbv0b.fsf@gnu.org>

Hello,

I have tried to set up a connection using PSK but I get this error message all the time:

*** Fatal error: A TLS fatal alert has been received.
*** Received alert [40]: Handshake failed
*** Handshake has failed
GnuTLS error: A TLS fatal alert has been received.

I took the examples from the documentation.

the server:

gnutls-serv -d 10 --pskpasswd psks.txt \
  --pskhint psk_identity_hint

the client:

gnutls-cli -p 5556 localhost --pskusername psk_identity \
  --pskkey key

(where psk_identity and key are the same as in the psks.txt file)

I have also tried to use "--priority +PSK:+DHE-PSK" both for the client and for the server without any difference.

Do you have any idea? What am I missing?

As proof that I have read the documentation, I have attached a small patch.

Thanks,
Giuseppe

From 009ccba073016787084a28047b633841d6784e54 Mon Sep 17 00:00:00 2001
From: Giuseppe Scrivano
Date: Wed, 25 May 2011 18:28:11 +0200
Subject: [PATCH] Fix example in the documentation.

---
 ChangeLog             | 5 +++++
 doc/cha-programs.texi | 2 +-
 2 files changed, 6 insertions(+), 1 deletions(-)
diff --git a/ChangeLog b/ChangeLog index 1ec8d74..faa93fb 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,8 @@ +2011-05-25 Giuseppe Scrivano + + * doc/cha-programs.texi (Example server PSK connection): Remove + non existing command line option. + 2011-04-09 Nikos Mavrogiannopoulos * .gitignore, doc/cha-gtls-app.texi, doc/cha-intro-tls.texi, diff --git a/doc/cha-programs.texi b/doc/cha-programs.texi index 8b9aea5..3fa1575 100644 --- a/doc/cha-programs.texi +++ b/doc/cha-programs.texi @@ -760,7 +760,7 @@ password file (@pxref{Invoking psktool}). In the example below, I type @code{password} at the prompt. @smallexample -$ ./psktool -u psk_identity -p psks.txt -n psk_identity_hint +$ ./psktool -u psk_identity -p psks.txt Enter password: Key stored to psks.txt $ cat psks.txt -- 1.7.5.1

From gscrivano at gnu.org Wed May 25 23:00:23 2011
From: gscrivano at gnu.org (Giuseppe Scrivano)
Date: Wed, 25 May 2011 23:00:23 +0200
Subject: gnutls_record_recv timeout with blocking sockets
In-Reply-To: <4DDAB3B5.8090109@gnutls.org> (Nikos Mavrogiannopoulos's message of "Mon, 23 May 2011 21:21:25 +0200")
References: <87mxiecw7k.fsf@gnu.org> <4DDA7275.5030600@gnutls.org> <87ei3pco1r.fsf@gnu.org> <4DDAB3B5.8090109@gnutls.org>
Message-ID: <871uzmqyvs.fsf@gnu.org>

Nikos Mavrogiannopoulos writes:

> Then, as Sam mentioned, there is not much gnutls can do. That could
> be either because of the bugs mentioned by Sam, or because gnutls is
> blocked waiting for a TLS record. The ways to avoid this would be
> either by using non-blocking sockets or by having a timeout in the
> recv function provided to gnutls.

AFAICS, it wouldn't work with non-blocking sockets; while you can respect the timeout, it will break any time consecutive `read' calls don't have enough data to consume. I guess the latter is the only reasonable solution.

Cheers,
Giuseppe

From nmav at gnutls.org Wed May 25 23:25:39 2011
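Review bot: the doc/cha-programs.texi hunk removes `-n psk_identity_hint` from the psktool line, but this example was the only place the node generated the hint, and the server invocation from the same chapter that the cover mail quotes (`gnutls-serv -d 10 --pskpasswd psks.txt --pskhint psk_identity_hint`) still passes one; check that the prose around line 760 does not still say psktool stores the hint in psks.txt, and if the hint is meant to be supplied only by gnutls-serv, say so next to `$ ./psktool -u psk_identity -p psks.txt`.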
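Review bot: in the ChangeLog hunk the entry text "Remove non existing command line option" should read "Remove non-existent command line option"; the node name in parentheses, (Example server PSK connection), is fine since that is the node the psktool example lives in.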
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Wed, 25 May 2011 23:25:39 +0200
Subject: PSK examples
In-Reply-To: <87r57mbv0b.fsf@gnu.org>
References: <87r57mbv0b.fsf@gnu.org>
Message-ID: <4DDD73D3.7000906@gnutls.org>

On 05/25/2011 06:33 PM, Giuseppe Scrivano wrote:
> Hello,
>
> I have tried to set up a connection using PSK but I get this error
> message all the time:

If you add --priority NORMAL:+DHE-PSK:+PSK ? In 2.12.x they are not automatically added and this might be the issue. I should update the documentation further.

regards,
Nikos

From gscrivano at gnu.org Thu May 26 09:27:53 2011
From: gscrivano at gnu.org (Giuseppe Scrivano)
Date: Thu, 26 May 2011 09:27:53 +0200
Subject: PSK examples
In-Reply-To: <4DDD73D3.7000906@gnutls.org> (Nikos Mavrogiannopoulos's message of "Wed, 25 May 2011 23:25:39 +0200")
References: <87r57mbv0b.fsf@gnu.org> <4DDD73D3.7000906@gnutls.org>
Message-ID: <87ipsxc45i.fsf@gnu.org>

Hi Nikos,

thanks for the hint. If I specify "--priority NORMAL:+DHE-PSK:+PSK" both on the server and on the client then it works as expected.

Cheers,
Giuseppe

Nikos Mavrogiannopoulos writes:

> On 05/25/2011 06:33 PM, Giuseppe Scrivano wrote:
>> Hello,
>>
>> I have tried to set up a connection using PSK but I get this error
>> message all the time:
>
> If you add --priority NORMAL:+DHE-PSK:+PSK ?
> In 2.12.x they are not automatically added and this might
> be the issue. I should update the documentation further.
>
> regards,
> Nikos

From nmav at gnutls.org Thu May 26 19:05:43 2011
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Thu, 26 May 2011 19:05:43 +0200
Subject: gnutls 2.99.2
Message-ID: <4DDE8867.6050102@gnutls.org>

Hello,

I've just released gnutls 2.99.2. Its main addition is the experimental support for Elliptic curves (ECDH and ECDSA).

The GnuTLS 2.99.x branch is NOT what you want for your stable system. It is intended for developers and experienced users.

The changes since the development release are:

* Version 2.99.2 (released 2011-05-26)

** libgnutls: Added Elliptic curve support. This is not enabled by default. Requires priority strings:
  +CURVE-ALL: to add all supported curves
  +ECDHE-RSA: to add ephemeral ECDHE with an RSA-signed certificate
  +ECDHE-ECDSA: to add ephemeral ECDHE with an ECDSA-signed certificate
  +ANON-ECDHE: to add anonymous ECDH

** libgnutls: PKCS #11 URLs conform to the latest draft being http://tools.ietf.org/html/draft-pechanec-pkcs11uri-04.

** certtool: Can now load private keys and public keys from PKCS #11 tokens via URLs.

** libgnutls: Added gnutls_global_set_audit_log_function() that allows to get important auditing information including the corresponding session. That might be useful to block DoS or other attackers from specific IPs.

** libgnutls: gnutls_pkcs11_privkey_import_url() will now correctly read the public key algorithm of the key.

** libgnutls: Added gnutls_certificate_get_issuer() and gnutls_x509_trust_list_get_issuer() to compensate for the missing gnutls_certificate_get_x509_cas().

** libgnutls: Added gnutls_x509_crq_verify() to allow verification of the self signature in a certificate request. This allows verifying whether the owner of the private key is the generator of the request.

** libgnutls: gnutls_x509_crt_set_crq() implicitly verifies the self signature of the request.
** API and ABI modifications:
gnutls_certificate_get_issuer: ADDED
gnutls_x509_trust_list_get_issuer: ADDED
gnutls_x509_crq_verify: ADDED
gnutls_global_set_audit_log_function: ADDED
gnutls_ecc_curve_get_name: ADDED
gnutls_ecc_curve_get_size: ADDED
gnutls_x509_privkey_import_ecc_raw: ADDED
gnutls_x509_privkey_export_ecc_raw: ADDED
gnutls_global_set_time_function: ADDED
GNUTLS_E_ECC_NO_SUPPORTED_CURVES: New error code
GNUTLS_E_ECC_UNSUPPORTED_CURVE: New error code
GNUTLS_KX_ECDHE_RSA: New key exchange method
GNUTLS_KX_ECDHE_ECDSA: New key exchange method
GNUTLS_KX_ANON_ECDH: New key exchange method
GNUTLS_PK_ECC: New public key algorithm
GNUTLS_SIGN_ECDSA_SHA1: New signature algorithm
GNUTLS_SIGN_ECDSA_SHA256: New signature algorithm
GNUTLS_SIGN_ECDSA_SHA384: New signature algorithm
GNUTLS_SIGN_ECDSA_SHA512: New signature algorithm
GNUTLS_SIGN_ECDSA_SHA224: New signature algorithm
GNUTLS_ECC_CURVE_INVALID: New curve definition
GNUTLS_ECC_CURVE_SECP224R1: New curve definition
GNUTLS_ECC_CURVE_SECP256R1: New curve definition
GNUTLS_ECC_CURVE_SECP384R1: New curve definition
GNUTLS_ECC_CURVE_SECP521R1: New curve definition

Here are the compressed sources:
ftp://alpha.gnu.org/gnu/gnutls/gnutls-2.99.2.tar.bz2
ftp://ftp.gnutls.org/pub/gnutls/devel/gnutls-2.99.2.tar.bz2

Here is the OpenPGP signature:
ftp://alpha.gnu.org/gnu/gnutls/gnutls-2.99.2.tar.bz2.sig
ftp://ftp.gnutls.org/pub/gnutls/devel/gnutls-2.99.2.tar.bz2.sig

regards,
Nikos

From nmav at gnutls.org Thu May 26 19:14:46 2011
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Thu, 26 May 2011 19:14:46 +0200
Subject: gnutls 2.99.2
In-Reply-To: <4DDE8867.6050102@gnutls.org>
References: <4DDE8867.6050102@gnutls.org>
Message-ID: <4DDE8A86.1090508@gnutls.org>

On 05/26/2011 07:05 PM, Nikos Mavrogiannopoulos wrote:
> Hello,
> I've just released gnutls 2.99.2. Its main addition is the
> experimental support for Elliptic curves (ECDH and ECDSA).

This version also drops support for libgcrypt.

regards,
Nikos

From vincent.torri at gmail.com Thu May 26 20:28:48 2011
From: vincent.torri at gmail.com (Vincent Torri)
Date: Thu, 26 May 2011 20:28:48 +0200
Subject: gnutls 2.99.2
In-Reply-To: <4DDE8A86.1090508@gnutls.org>
References: <4DDE8867.6050102@gnutls.org> <4DDE8A86.1090508@gnutls.org>
Message-ID:

On Thu, May 26, 2011 at 7:14 PM, Nikos Mavrogiannopoulos wrote:
> On 05/26/2011 07:05 PM, Nikos Mavrogiannopoulos wrote:
> > Hello,
> > I've just released gnutls 2.99.2. Its main addition is the
> > experimental support for Elliptic curves (ECDH and ECDSA).
>
> This version also drops support for libgcrypt.

I guess that nettle is used. Then I would like to mention that nettle does not build a DLL when using MSYS/MinGW. I don't know if it's on purpose, and I think that anyway such question should be asked in the nettle ML, but I wanted to inform you.

regards

Vincent Torri

From nmav at gnutls.org Thu May 26 20:36:47 2011
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Thu, 26 May 2011 20:36:47 +0200
Subject: gnutls 2.99.2
In-Reply-To:
References: <4DDE8867.6050102@gnutls.org> <4DDE8A86.1090508@gnutls.org>
Message-ID: <4DDE9DBF.7040400@gnutls.org>

On 05/26/2011 08:28 PM, Vincent Torri wrote:
>>> Hello,
>>> I've just released gnutls 2.99.2. Its main addition is the
>>> experimental support for Elliptic curves (ECDH and ECDSA).
>> This version also drops support for libgcrypt.
> I guess that nettle is used. Then I would like to mention that nettle does
> not build a DLL when using MSYS/MinGW. I don't know if it's on purpose, and I
> think that anyway such question should be asked in the nettle ML, but I
> wanted to inform you.

Hi,
Is it because of some restriction (like inline assembly or so), or because of some configuration? Does gnutls 2.99.2 build on windows?

regards,
Nikos

From vincent.torri at gmail.com Thu May 26 20:49:53 2011
From: vincent.torri at gmail.com (Vincent Torri)
Date: Thu, 26 May 2011 20:49:53 +0200
Subject: gnutls 2.99.2
In-Reply-To: <4DDE9DBF.7040400@gnutls.org>
References: <4DDE8867.6050102@gnutls.org> <4DDE8A86.1090508@gnutls.org> <4DDE9DBF.7040400@gnutls.org>
Message-ID:

On Thu, May 26, 2011 at 8:36 PM, Nikos Mavrogiannopoulos wrote:
> On 05/26/2011 08:28 PM, Vincent Torri wrote:
>
> >>> Hello,
> >>> I've just released gnutls 2.99.2. Its main addition is the
> >>> experimental support for Elliptic curves (ECDH and ECDSA).
> >> This version also drops support for libgcrypt.
> >> I guess that nettle is used. Then I would like to mention that nettle does
> > not build a DLL when using MSYS/MinGW. I don't know if it's on purpose, and I
> > think that anyway such question should be asked in the nettle ML, but I
> > wanted to inform you.
>
> Hi,
> Is it because of some restriction (like inline assembly or so), or
> because of some configuration? Does gnutls 2.99.2 build on windows?

I actually don't know. I've not checked the autotools deeply (and I have currently no time. Maybe in June). I've not tried to compile gnutls 2.99 on Windows yet. Btw, must nettle be statically linked to gnutls?

Vincent Torri

From nmav at gnutls.org Thu May 26 21:07:10 2011
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Thu, 26 May 2011 21:07:10 +0200
Subject: gnutls 2.99.2
In-Reply-To:
References: <4DDE8867.6050102@gnutls.org> <4DDE8A86.1090508@gnutls.org> <4DDE9DBF.7040400@gnutls.org>
Message-ID: <4DDEA4DE.1080106@gnutls.org>

On 05/26/2011 08:49 PM, Vincent Torri wrote:
>> Hi,
>> Is it because of some restriction (like inline assembly or so), or
>> because of some configuration? Does gnutls 2.99.2 build on windows?
>>
>
> I actually don't know. I've not checked the autotools deeply (and I have
> currently no time. Maybe in June).
> I've not tried to compile gnutls 2.99 on Windows yet.
> Btw, must nettle be statically linked to gnutls ?

It could, but it doesn't have to. Maybe on windows static linking would be better.

regards,
Nikos

From vincent.torri at gmail.com Thu May 26 21:27:22 2011
From: vincent.torri at gmail.com (Vincent Torri)
Date: Thu, 26 May 2011 21:27:22 +0200
Subject: gnutls 2.99.2
In-Reply-To: <4DDEA4DE.1080106@gnutls.org>
References: <4DDE8867.6050102@gnutls.org> <4DDE8A86.1090508@gnutls.org> <4DDE9DBF.7040400@gnutls.org> <4DDEA4DE.1080106@gnutls.org>
Message-ID:

On Thu, May 26, 2011 at 9:07 PM, Nikos Mavrogiannopoulos wrote:
> On 05/26/2011 08:49 PM, Vincent Torri wrote:
>
> >> Hi,
> >> Is it because of some restriction (like inline assembly or so), or
> >> because of some configuration? Does gnutls 2.99.2 build on windows?
> >>
> >
> > I actually don't know. I've not checked the autotools deeply (and I have
> > currently no time. Maybe in June).
> > I've not tried to compile gnutls 2.99 on Windows yet.
> > Btw, must nettle be statically linked to gnutls ?
>
> It could, but it doesn't have to. Maybe on windows static linking
> would be better.

On the other hand, as usual with shared libs, if I have a dll or a .so of nettle, and I upgrade it, I don't have to re-build gnutls. Anyway, I'll fix that nettle problem.

Vincent Torri

From stefw at collabora.co.uk Fri May 27 11:08:03 2011
From: stefw at collabora.co.uk (Stef Walter)
Date: Fri, 27 May 2011 11:08:03 +0200
Subject: Problem building master
Message-ID: <4DDF69F3.8050307@collabora.co.uk>

I get the following error when building master. It's not clear to me how to fix it:

aes-x86.c: In function 'check_optimized_aes':
aes-x86.c:153:3: error: can't find a register in class 'BREG' while reloading 'asm'
make[4]: Leaving directory `/data/projects/gnutls/lib/accelerated/intel'
make[3]: Leaving directory `/data/projects/gnutls/lib/accelerated'
make[2]: Leaving directory `/data/projects/gnutls/lib'
make[1]: Leaving directory `/data/projects/gnutls'
aes-x86.c:153:3: error: 'asm' operand has impossible constraints

Cheers,

Stef

From nmav at gnutls.org Sat May 28 16:29:13 2011
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Sat, 28 May 2011 16:29:13 +0200
Subject: Problem building master
In-Reply-To: <4DDF69F3.8050307@collabora.co.uk>
References: <4DDF69F3.8050307@collabora.co.uk>
Message-ID: <4DE106B9.9090504@gnutls.org>

On 05/27/2011 11:08 AM, Stef Walter wrote:
> I get the following error when building master. It's not clear to me
> how to fix it: aes-x86.c: In function 'check_optimized_aes':
> aes-x86.c:153:3: error: can't find a register in class 'BREG' while
> reloading 'asm'

Hello Stef,
This is quite strange. Which compiler and which CPU do you build for? A work-around would be to configure with --disable-hardware-acceleration.

regards,
Nikos

From nmav at gnutls.org Sat May 28 20:28:52 2011
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Sat, 28 May 2011 20:28:52 +0200
Subject: Problem building master
In-Reply-To: <4DE123E6.8090002@collabora.co.uk>
References: <4DDF69F3.8050307@collabora.co.uk> <4DE106B9.9090504@gnutls.org> <4DE123E6.8090002@collabora.co.uk>
Message-ID: <4DE13EE4.3000304@gnutls.org>

On 05/28/2011 06:33 PM, Stef Walter wrote:
> On 05/28/2011 04:29 PM, Nikos Mavrogiannopoulos wrote:
>> On 05/27/2011 11:08 AM, Stef Walter wrote:
>>
>>> I get the following error when building master. It's not clear to me
>>> how to fix it: aes-x86.c: In function 'check_optimized_aes':
>>> aes-x86.c:153:3: error: can't find a register in class 'BREG' while
>>> reloading 'asm'
>> Hello Stef,
>> This is quite strange. Which compiler and which CPU do you build for?
> Here it is:
> stef at stef-laptop:~$ gcc --version
> gcc (Ubuntu/Linaro 4.5.2-8ubuntu4) 4.5.2

Is it on x86-64 or x86 (32-bit)? Does the attached patch work around the
issue for you?

> And lastly, some very strange behavior occurred when building the
> documentation. It would just get stuck in a make loop and keep building
> the man pages over and over. I've included the output below.

I'll try to check it out. Thanks.

Nikos

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: patch.txt
URL:

From stefw at collabora.co.uk Sat May 28 23:18:30 2011
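The register-class error discussed in this thread comes from the inline-assembly CPU-feature probe in aes-x86.c. The probe below is an added example, not GnuTLS code, showing what such a check does and how it is usually written so that it also compiles as 32-bit position-independent code. It assumes the classic cause of this error, which the thread itself does not confirm: on i386 with -fPIC, GCC of that era reserves %ebx as the GOT base register, so an asm statement that names %ebx as an output has no register left to allocate. The i386 path therefore never names %ebx in its constraints and instead swaps it with a scratch register around cpuid. The function and constant names are my own; the feature-bit positions are the CPUID leaf 1 ECX definitions.

```c
/* Added example (not GnuTLS code): a PIC-safe runtime probe for AES-NI,
 * the kind of check a "check_optimized_aes" function performs before a
 * library enables its hardware-accelerated cipher path. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Feature bits in CPUID leaf 1, ECX (architecture-defined positions). */
#define CPUID_ECX_PCLMULQDQ (1u << 1)
#define CPUID_ECX_AESNI     (1u << 25)

struct cpuid_regs { uint32_t eax, ebx, ecx, edx; };

/* Executes CPUID(leaf, subleaf). Returns 1 and fills r on x86/x86-64,
 * 0 on any other architecture (no feature claimed, acceleration off). */
static int cpuid_query(uint32_t leaf, uint32_t subleaf, struct cpuid_regs *r)
{
#if defined(__i386__)
    uint32_t a, b, c, d;
    /* Assumed cause of the BREG error: with -fPIC on i386, %ebx is the GOT
     * base register and an "=b" output cannot be satisfied. So %ebx is not
     * named here at all: the first xchg parks the caller's %ebx in a free
     * register (%1, preloaded with 0), cpuid writes %ebx, and the second
     * xchg both restores %ebx and moves cpuid's value into %1. */
    __asm__ __volatile__("xchgl %%ebx, %1\n\t"
                         "cpuid\n\t"
                         "xchgl %%ebx, %1\n\t"
                         : "=a"(a), "=r"(b), "=c"(c), "=d"(d)
                         : "0"(leaf), "1"(0u), "2"(subleaf));
    r->eax = a; r->ebx = b; r->ecx = c; r->edx = d;
    return 1;
#elif defined(__x86_64__)
    uint32_t a, b, c, d;
    /* On x86-64, %rbx is an ordinary callee-saved register even in PIC,
     * so the plain "=b" output constraint is fine. */
    __asm__ __volatile__("cpuid"
                         : "=a"(a), "=b"(b), "=c"(c), "=d"(d)
                         : "0"(leaf), "2"(subleaf));
    r->eax = a; r->ebx = b; r->ecx = c; r->edx = d;
    return 1;
#else
    (void)leaf; (void)subleaf; (void)r;
    return 0;
#endif
}

/* Pure decoder for a leaf-1 ECX value, kept separate so it is testable
 * without depending on the machine the test runs on. */
static int aesni_from_ecx(uint32_t ecx)
{
    return (ecx & CPUID_ECX_AESNI) ? 1 : 0;
}

/* 1 if this CPU advertises AES-NI, 0 if it does not or is not x86. */
static int cpu_has_aesni(void)
{
    struct cpuid_regs r;
    /* Leaf 0 EAX is the highest basic leaf; leaf 1 must be supported. */
    if (!cpuid_query(0, 0, &r) || r.eax < 1)
        return 0;
    if (!cpuid_query(1, 0, &r))
        return 0;
    return aesni_from_ecx(r.ecx);
}

/* Vendor string from leaf 0, assembled from EBX, EDX, ECX in that order. */
static void cpu_vendor(char out[13])
{
    struct cpuid_regs r;
    if (!cpuid_query(0, 0, &r)) {
        strcpy(out, "non-x86");
        return;
    }
    memcpy(out + 0, &r.ebx, 4);
    memcpy(out + 4, &r.edx, 4);
    memcpy(out + 8, &r.ecx, 4);
    out[12] = '\0';
}

int main(void)
{
    char vendor[13];
    cpu_vendor(vendor);
    printf("vendor: %s\n", vendor);
    printf("AES-NI: %s\n", cpu_has_aesni() ? "yes" : "no");
    return 0;
}
```

Building this with `gcc -m32 -fPIC -O2` exercises the path that, written with a plain "=b" output instead of the xchg pair, produces the "can't find a register in class 'BREG'" diagnostic on older GCC. On non-x86 targets cpuid_query() reports 0 and the probe answers "no AES-NI", the same conservative result as configuring with --disable-hardware-acceleration. GCC's own <cpuid.h> (__get_cpuid) performs the same %ebx dance internally and is the simpler choice for new code.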
From: stefw at collabora.co.uk (Stef Walter)
Date: Sat, 28 May 2011 17:18:30 -0400
Subject: Problem building master
In-Reply-To: <4DE106B9.9090504@gnutls.org>
References: <4DDF69F3.8050307@collabora.co.uk> <4DE106B9.9090504@gnutls.org>
Message-ID:

On 05/28/2011 04:29 PM, Nikos Mavrogiannopoulos wrote:
> On 05/27/2011 11:08 AM, Stef Walter wrote:
>
>> I get the following error when building master. It's not clear to me
>> how to fix it: aes-x86.c: In function 'check_optimized_aes':
>> aes-x86.c:153:3: error: can't find a register in class 'BREG' while
>> reloading 'asm'
>
> Hello Stef,
> This is quite strange. Which compiler and which CPU do you build for?

Here it is:

stef at stef-laptop:~$ gcc --version
gcc (Ubuntu/Linaro 4.5.2-8ubuntu4) 4.5.2
Copyright (C) 2010 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

> A
> work-around would be to configure with --disable-hardware-acceleration.

Thanks, that did the trick. In addition I needed to apply the attached
patch in order to get gnutls to build.

And lastly, some very strange behavior occurred when building the
documentation. It would just get stuck in a make loop and keep building
the man pages over and over. I've included the output below.

Thanks,

Stef

---------- 8< ------------- 8< ----------- 8< --------------
...
  CC     ex-client-psk.o
  CCLD   ex-client-psk
  CC     ex-serv-psk.o
  CCLD   ex-serv-psk
  CC     ex-client-srp.o
  CCLD   ex-client-srp
  CC     ex-serv-srp.o
  CCLD   ex-serv-srp
make[4]: Leaving directory `/data/projects/gnutls/doc/examples'
Making all in cyclo
make[4]: Entering directory `/data/projects/gnutls/doc/cyclo'
make[4]: Nothing to be done for `all'.
make[4]: Leaving directory `/data/projects/gnutls/doc/cyclo'
Making all in scripts
make[4]: Entering directory `/data/projects/gnutls/doc/scripts'
make[4]: Nothing to be done for `all'.
make[4]: Leaving directory `/data/projects/gnutls/doc/scripts'
Making all in manpages
make[4]: Entering directory `/data/projects/gnutls/doc/manpages'
make update-makefile
make[5]: Entering directory `/data/projects/gnutls/doc/manpages'
FUNCS=`../../doc/scripts/gdoc -listfunc \
	../../{lib,libextra,lib/x509,lib/openpgp}/*.c`; \
MANS=""; \
SRPMANS=""; \
for i in $FUNCS; do \
	if echo $i | grep gnutls_srp_ > /dev/null; then \
		SRPMANS="$SRPMANS\nSRPMANS += $i.3"; \
	else \
		MANS="$MANS\nAPIMANS += $i.3"; \
	fi \
done; \
grep -v -e '^APIMANS += ' -e '^SRPMANS += ' Makefile.am | \
	perl -p -e "s/^APIMANS =/APIMANS =$MANS/" | \
	perl -p -e "s/^SRPMANS =/SRPMANS =$SRPMANS/" > foo; \
mv foo Makefile.am
make[5]: Leaving directory `/data/projects/gnutls/doc/manpages'
make Makefile
make[5]: Entering directory `/data/projects/gnutls/doc/manpages'
cd ../.. && /bin/bash /data/projects/gnutls/build-aux/missing --run automake-1.11 --gnu doc/manpages/Makefile
cd ../.. && /bin/bash ./config.status doc/manpages/Makefile
config.status: creating doc/manpages/Makefile
make[5]: Leaving directory `/data/projects/gnutls/doc/manpages'
make[5]: Entering directory `/data/projects/gnutls/doc/manpages'
make[5]: `Makefile' is up to date.
make[5]: Leaving directory `/data/projects/gnutls/doc/manpages'
make doit
make[5]: Entering directory `/data/projects/gnutls/doc/manpages'
Creating man pages for lib/..................................................................................................................................................................................................................................................................................................................
Creating man pages for libextra/...
Creating man pages for lib/x509/................................................................................................................................................................................................................
Creating man pages for lib/x509/ (pkcs12)......................
Creating man pages for lib/openpgp/.......................................................................
make[5]: Leaving directory `/data/projects/gnutls/doc/manpages'
make update-makefile
make[5]: Entering directory `/data/projects/gnutls/doc/manpages'
FUNCS=`../../doc/scripts/gdoc -listfunc \
	../../{lib,libextra,lib/x509,lib/openpgp}/*.c`; \
MANS=""; \
SRPMANS=""; \
for i in $FUNCS; do \
	if echo $i | grep gnutls_srp_ > /dev/null; then \
		SRPMANS="$SRPMANS\nSRPMANS += $i.3"; \
	else \
		MANS="$MANS\nAPIMANS += $i.3"; \
	fi \
done; \
grep -v -e '^APIMANS += ' -e '^SRPMANS += ' Makefile.am | \
	perl -p -e "s/^APIMANS =/APIMANS =$MANS/" | \
	perl -p -e "s/^SRPMANS =/SRPMANS =$SRPMANS/" > foo; \
mv foo Makefile.am
make[5]: Leaving directory `/data/projects/gnutls/doc/manpages'
make Makefile
make[5]: Entering directory `/data/projects/gnutls/doc/manpages'
cd ../.. && /bin/bash /data/projects/gnutls/build-aux/missing --run automake-1.11 --gnu doc/manpages/Makefile
cd ../.. && /bin/bash ./config.status doc/manpages/Makefile
config.status: creating doc/manpages/Makefile
make[5]: Leaving directory `/data/projects/gnutls/doc/manpages'
make[5]: Entering directory `/data/projects/gnutls/doc/manpages'
make[5]: `Makefile' is up to date.
make[5]: Leaving directory `/data/projects/gnutls/doc/manpages'
make doit
make[5]: Entering directory `/data/projects/gnutls/doc/manpages'
Creating man pages for lib/..................................................................................................................................................................................................................................................................................................................
Creating man pages for libextra/...
Creating man pages for lib/x509/................................................................................................................................................................................................................
Creating man pages for lib/x509/ (pkcs12)......................
Creating man pages for lib/openpgp/.......................................................................
make[5]: Leaving directory `/data/projects/gnutls/doc/manpages'
make update-makefile
make[5]: Entering directory `/data/projects/gnutls/doc/manpages'
FUNCS=`../../doc/scripts/gdoc -listfunc \
	../../{lib,libextra,lib/x509,lib/openpgp}/*.c`; \
MANS=""; \
SRPMANS=""; \
for i in $FUNCS; do \
	if echo $i | grep gnutls_srp_ > /dev/null; then \
		SRPMANS="$SRPMANS\nSRPMANS += $i.3"; \
	else \
		MANS="$MANS\nAPIMANS += $i.3"; \
	fi \
done; \
grep -v -e '^APIMANS += ' -e '^SRPMANS += ' Makefile.am | \
	perl -p -e "s/^APIMANS =/APIMANS =$MANS/" | \
	perl -p -e "s/^SRPMANS =/SRPMANS =$SRPMANS/" > foo; \
mv foo Makefile.am
make[5]: Leaving directory `/data/projects/gnutls/doc/manpages'
make Makefile
make[5]: Entering directory `/data/projects/gnutls/doc/manpages'
cd ../.. && /bin/bash /data/projects/gnutls/build-aux/missing --run automake-1.11 --gnu doc/manpages/Makefile
cd ../.. && /bin/bash ./config.status doc/manpages/Makefile
config.status: creating doc/manpages/Makefile
make[5]: Leaving directory `/data/projects/gnutls/doc/manpages'
make[5]: Entering directory `/data/projects/gnutls/doc/manpages'
make[5]: `Makefile' is up to date.
make[5]: Leaving directory `/data/projects/gnutls/doc/manpages'
make doit
make[5]: Entering directory `/data/projects/gnutls/doc/manpages'
Creating man pages for lib/.............................................................................................................................................................................................................................................................^Z
[1]+  Stopped                 make
JHBUILD stef at stef-laptop:~/projects/gnutls$

... and so on ...

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Fix-warnings-with-GCC-4.5.2.patch
Type: text/x-patch
Size: 1120 bytes
Desc: not available
URL:

From novel at FreeBSD.org Mon May 30 12:27:26 2011
From: novel at FreeBSD.org (Roman Bogorodskiy)
Date: Mon, 30 May 2011 14:27:26 +0400
Subject: gnutls 2.99.2
In-Reply-To: <4DDE8867.6050102@gnutls.org>
References: <4DDE8867.6050102@gnutls.org>
Message-ID: <20110530102724.GC11328@ritual.srt.mirantis.net>

Nikos Mavrogiannopoulos wrote:
> I've just released gnutls 2.99.2. It's main addition is the
> experimental support for Elliptic curves (ECDH and ECDSA).

Hi,

I had to make a few minor changes to get this release compiled
successfully on FreeBSD:

- Add #include to udp-serv.c for sockaddr_in. Without it I had a
  failure like that:

udp-serv.c: In function 'udp_server':
udp-serv.c:27: error: storage size of 'cli_addr' isn't known
udp-serv.c: In function 'pull_timeout_func':
udp-serv.c:154: error: storage size of 'cli_addr' isn't known
udp-serv.c: In function 'pull_func':
udp-serv.c:194: error: storage size of 'cli_addr' isn't known
gmake[3]: *** [udp-serv.o] Error 1
gmake[3]: Leaving directory `/usr/home/novel/opt/gnutls/src'

- Move '-I$(srcdir)/includes' from AM_CXXFLAGS to libgnutlsxx_la_CPPFLAGS
  to prevent including headers from locally installed gnutls

Without this change I had:

/usr/local/bin/bash ../libtool --tag=CXX --mode=compile g++ -DHAVE_CONFIG_H -I. -I.. -I../includes -I../includes -I/usr/local/include -I./includes -g -O2 -MT libgnutlsxx_la-gnutlsxx.lo -MD -MP -MF .deps/libgnutlsxx_la-gnutlsxx.Tpo -c -o libgnutlsxx_la-gnutlsxx.lo `test -f 'gnutlsxx.cpp' || echo './'`gnutlsxx.cpp
libtool: compile:  g++ -DHAVE_CONFIG_H -I. -I.. -I../includes -I../includes -I/usr/local/include -I./includes -g -O2 -MT libgnutlsxx_la-gnutlsxx.lo -MD -MP -MF .deps/libgnutlsxx_la-gnutlsxx.Tpo -c gnutlsxx.cpp  -fPIC -DPIC -o .libs/libgnutlsxx_la-gnutlsxx.o
In file included from /usr/local/include/gnutls/gnutlsxx.h:6,
                 from gnutlsxx.cpp:5:
/usr/local/include/gnutls/gnutls.h:767: error: expected ',' or '...' before '*' token
/usr/local/include/gnutls/gnutls.h:768: error: ISO C++ forbids declaration of 'gnutls_datum' with no type
gnutlsxx.cpp:17: error: prototype for 'gnutls::session::session(unsigned int)' does not match any in class 'gnutls::session'
/usr/local/include/gnutls/gnutlsxx.h:88: error: candidates are: gnutls::session::session(const gnutls::session&)
/usr/local/include/gnutls/gnutlsxx.h:92: error:                 gnutls::session::session(gnutls_connection_end_t)
gnutlsxx.cpp: In constructor 'gnutls::session::session(unsigned int)':
gnutlsxx.cpp:19: error: invalid conversion from 'unsigned int' to 'gnutls_connection_end_t'
gnutlsxx.cpp:19: error:   initializing argument 2 of 'int gnutls_init(gnutls_session_int**, gnutls_connection_end_t)'
gnutlsxx.cpp: At global scope:
gnutlsxx.cpp:681: error: variable or field 'set_retrieve_function' declared void
gnutlsxx.cpp:681: error: 'gnutls_certificate_retrieve_function' was not declared in this scope
gnutlsxx.cpp:681: error: 'func' was not declared in this scope
*** Error code 1

Stop in /usr/home/novel/opt/gnutls/lib.

Both diffs attached.

Roman Bogorodskiy

-------------- next part --------------
A non-text attachment was scrubbed...
Name: gnutls_local_includes.diff
Type: text/x-diff
Size: 623 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: gnutls_missing_include.diff
Type: text/x-diff
Size: 476 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 488 bytes
Desc: not available
URL:

From nmav at gnutls.org Mon May 30 18:40:49 2011
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Mon, 30 May 2011 18:40:49 +0200
Subject: gnutls 2.99.2
In-Reply-To: <20110530102724.GC11328@ritual.srt.mirantis.net>
References: <4DDE8867.6050102@gnutls.org> <20110530102724.GC11328@ritual.srt.mirantis.net>
Message-ID: <4DE3C891.5090403@gnutls.org>

On 05/30/2011 12:27 PM, Roman Bogorodskiy wrote:
> I had to make a few minor changes to get this release compiled
> successfully on FreeBSD:
[...]
> Both diffs attached.

Thank you for the report and the patches. They will be applied.

regards,
Nikos