From nmav at gnutls.org Mon Jul 1 22:48:32 2013 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Mon, 01 Jul 2013 22:48:32 +0200 Subject: [gnutls-devel] Server sends incorrect extensions for resumption handshake? In-Reply-To: <51CF9D56.2030201@bouncycastle.org> References: <51CF9D56.2030201@bouncycastle.org> Message-ID: <51D1EB20.7060309@gnutls.org> On 06/30/2013 04:52 AM, Peter Dettman wrote: > Firstly, the ec_point_formats extension is included in the session > resumption ServerHello. This appears to violate RFC 3546 2.3. "If [...] > the older session is resumed, then the server MUST ignore extensions > appearing in the client hello, and send a server hello containing no > extensions[.]" (later RFC updates contain similar clauses) . Please > understand that the problem is probably broader than just the > ec_point_formats extension; the server shouldn't be sending any. The > only exception to that rule that I am aware of is from RFC 5746, > renegotiation_info, which appears to say that this extension is > per-connection, and can always be sent. This is the second issue I want > to raise: while gnutls-serv sends renegotiation_info during the initial > handshake, it does _not_ send it during a resumption handshake. > I am posting to the list instead of raising a bug report directly, > because it's at least true that 'openssl s_server' also sends > superfluous server extensions during resumption (it sends the > renegotiation_info correctly though) . I would appreciate if anyone can > enlighten me as to whether there is an unofficial standard in play here, > or whether this should be considered a bug. It looks like a bug, but if I remember well I refrained from being strict-RFC compliant there since most other implementations at the time weren't either. Thanks for letting know however, maybe it is time to fix that once I find some time. > Please contact me if you'd like replicate the problem, either via the > BouncyCastle test code itself, or in some other way. I'd appreciate if you sent replication instructions. Even if I cannot check it immediately, it will help when I will actually try... Thank you, Nikos From mrsam at courier-mta.com Thu Jul 4 00:25:56 2013 From: mrsam at courier-mta.com (Sam Varshavchik) Date: Wed, 03 Jul 2013 18:25:56 -0400 Subject: [gnutls-devel] Export/import of DH parameters grows by 4 bytes Message-ID: After upgrading from gnutls 2.12.23 to gnutls 3.1.11 one of my sanity check unit tests fails: * Generate DH parameter "A" via gnutls_dh_params_generate2(). * Export "A" via gnutls_dh_params_export_raw(). * Import the results into DH parameter "B", via gnutls_dh_params_import_raw(). * Call gnutls_dh_params_export_pkcs3() on both "A" and "B", using GNUTLS_X509_FMT_DER. * The output from gnutls_dh_params_export_pkcs3() from "B" is larger, by four bytes than the output from "A". Before I start looking for my own bugs, could this perhaps be a non-issue from this sequence of steps. Because comparing the binary output coming out of gnutls_dh_params_export_pkcs3(), and ignoring the excess four bytes from "B", the output is the same except for byte offset #3. It looks like a part of a length word, or something, and the extra four bytes look like spurious padding of some sort, to me. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 198 bytes Desc: not available URL: From nmav at gnutls.org Thu Jul 4 23:30:55 2013 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Thu, 04 Jul 2013 23:30:55 +0200 Subject: [gnutls-devel] Export/import of DH parameters grows by 4 bytes In-Reply-To: References: Message-ID: <51D5E98F.10500@gnutls.org> On 07/04/2013 12:25 AM, Sam Varshavchik wrote: > * Import the results into DH parameter "B", via > gnutls_dh_params_import_raw(). > > * Call gnutls_dh_params_export_pkcs3() on both "A" and "B", using > GNUTLS_X509_FMT_DER. > > * The output from gnutls_dh_params_export_pkcs3() from "B" is larger, by > four bytes than the output from "A". > > Before I start looking for my own bugs, could this perhaps be a > non-issue from this sequence of steps. Because comparing the binary > output coming out of gnutls_dh_params_export_pkcs3(), and ignoring the > excess four bytes from "B", the output is the same except for byte > offset #3. It looks like a part of a length word, or something, and the > extra four bytes look like spurious padding of some sort, to me. Hello Sam, It must be the privateValueLength which is set on gnutls 3.0 or later. It allows for certain optimizations on the server side. For rationale check: http://nmav.gnutls.org/2011/12/generating-diffie-hellman-parameters.html regards, Nikos From morgner at informatik.hu-berlin.de Fri Jul 5 11:46:36 2013 From: morgner at informatik.hu-berlin.de (Frank Morgner) Date: Fri, 5 Jul 2013 11:46:36 +0200 Subject: [gnutls-devel] RSA-PSK for GnuTLS Message-ID: <20130705094636.GA2974@gruenau1.informatik.hu-berlin.de> I ported a patch for RSA-PSK from Bundesdruckerei GmbH to the most recent version of GnuTLS. The patch revives some deletions from a8504e2 You may want to pull the commit from here: https://github.com/frankmorgner/gnutls/commit/1df1cfca0832cbe9c90cd5b309af28aa7b7ec133 The original patch can be found here: https://github.com/BeID-lab/eIDClientCore/blob/master/lib/eIDClientConnection/gnutls-2.10.2_add_rsa_psk.patch Among other implementation, RSA-PSK can be tested with OpenSSL: # generate keys openssl genrsa -aes256 -out privkey.pem.org 2048 # remove passprase openssl rsa -in privkey.pem.org -out privkey.pem # create self signed server certificate openssl req -new -key privkey.pem -out server.csr openssl x509 -req -days 365 -in server.csr -signkey privkey.pem -out server.crt # download openssl 1.0.0k and patch for RSA-PSK. See # http://blog.cj2s.de/archives/21-TLS-RSA-PSK-Cipher-Suites-for-OpenSSL.html # start server apps/openssl s_server -psk c033f52671c61c8128f7f8a40be88038bcf2b07a6eb3095c36e3759f0cf40837 -key privkey.pem -cipher RSA-PSK-AES256-CBC-SHA -debug -state -cert server.crt -WWW # run gnutls client src/gnutls-cli --pskusername Client_identity --pskkey c033f52671c61c8128f7f8a40be88038bcf2b07a6eb3095c36e3759f0cf40837 localhost -p 4433 --priority "+RSA-PSK:+AES-256-CBC:+SHA1" --insecure -- Frank Morgner Virtual Smart Card Architecture http://vsmartcard.sourceforge.net OpenPACE http://openpace.sourceforge.net IFD Handler for libnfc Devices http://sourceforge.net/projects/ifdnfc From nmav at gnutls.org Fri Jul 5 12:52:18 2013 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Fri, 5 Jul 2013 12:52:18 +0200 Subject: [gnutls-devel] RSA-PSK for GnuTLS In-Reply-To: <20130705094636.GA2974@gruenau1.informatik.hu-berlin.de> References: <20130705094636.GA2974@gruenau1.informatik.hu-berlin.de> Message-ID: On Fri, Jul 5, 2013 at 11:46 AM, Frank Morgner wrote: > I ported a patch for RSA-PSK from Bundesdruckerei GmbH to the most > recent version of GnuTLS. The patch revives some deletions from a8504e2 > You may want to pull the commit from here: > https://github.com/frankmorgner/gnutls/commit/1df1cfca0832cbe9c90cd5b309af28aa7b7ec133 Hello Frank, My main issue with the previous patch was the copyright owner. It was not clear to the submitted at the time, to whom the copyright of the code belong to. If it is you, would you be willing to send a DCO (see http://elinux.org/Developer_Certificate_Of_Origin ), to the mailing list as well? regards, Nikos From nmav at gnutls.org Fri Jul 5 13:23:32 2013 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Fri, 5 Jul 2013 13:23:32 +0200 Subject: [gnutls-devel] requiring a Developer Certificate Of Origin (DCO) Message-ID: Hello, Since some time we allow the copyright of contributions to be something else than FSF. To avoid any of the side-effects of that policy, I was thinking of requiring a developer to send a DCO [0] to the mailing list, and then using the signoff headers in git. This is similar to how the Linux-kernel and libgcrypt use now the DCO. That would be of course only needed if one hasn't already transferred the copyright to FSF. How does it look to you? I'm trying to minimize the hassle of contributing while still having some overview on the contributed code. The text could be something like: "When contributing code that is not assigned to FSF, you will need to assert that the contribution is in accordance to the "Developer's Certificate of Origin" as found in the file "doc/DCO.txt". That can be done by sending a mail with your real name to the gnutls-devel mailing list. Then just make sure that your contributions (patches), contain a "Signed-off-by" line, with your name and e-mail address." regards, Nikos [0]. http://gitorious.org/gnutls/gnutls/blobs/master/doc/DCO.txt From skiselkov at gmail.com Wed Jul 3 15:39:12 2013 From: skiselkov at gmail.com (Saso Kiselkov) Date: Wed, 03 Jul 2013 14:39:12 +0100 Subject: [gnutls-devel] Make check failure on gnutls-2.8.6 Message-ID: <51D42980.8070909@gmail.com> I'm trying to build 64-bit gnutls-2.8.6 on OpenIndiana oi_151a7 (SunOS 5.11) using GCC 4.6.3 and 4 out of 35 of the self-tests are failing when I do "gmake check". I've attached my config.log and build log of what happened. The failures appear to have been caused by a handshake problem like this one: ========== Self test `./openpgpself' finished with 1 errors server: Handshake has failed (A TLS packet with unexpected length was received.) ========== Are these fatal or can I use the library as-is anyway? Cheers, -- Saso -------------- next part -------------- A non-text attachment was scrubbed... Name: gnutls.log.gz Type: application/x-gzip Size: 44928 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: config.log.gz Type: application/x-gzip Size: 23362 bytes Desc: not available URL: From wiz at NetBSD.org Sun Jul 7 16:15:48 2013 From: wiz at NetBSD.org (Thomas Klausner) Date: Sun, 7 Jul 2013 16:15:48 +0200 Subject: [gnutls-devel] bugfix for gnutls-3.2.1 on NetBSD Message-ID: <20130707141548.GI12783@danbala.tuwien.ac.at> Hi! I've tried compiling gnutls-3.2.1 on NetBSD-6.99.22/amd64; it fails building because NetBSD provides clock_gettime() but not CLOCK_PROCESS_CPUTIME_ID. The attached patch fixes this. Cheers, Thomas -------------- next part -------------- $NetBSD$ --- src/benchmark.h.orig 2013-05-25 11:06:37.000000000 +0000 +++ src/benchmark.h @@ -24,7 +24,7 @@ # include #endif -#if defined(HAVE_CLOCK_GETTIME) +#if defined(HAVE_CLOCK_GETTIME) && defined(CLOCK_PROCESS_CPUTIME_ID) # undef gettime # define gettime(x) clock_gettime(CLOCK_PROCESS_CPUTIME_ID, x) #else From Gabor.Tatarka at ericsson.com Mon Jul 8 16:20:54 2013 From: Gabor.Tatarka at ericsson.com (=?iso-8859-1?Q?G=E1bor_Tat=E1rka?=) Date: Mon, 8 Jul 2013 14:20:54 +0000 Subject: [gnutls-devel] Incorrect handshake message if MKI is specified for SRTP extension Message-ID: <00F6397DC878754695E3FDE8D3F20944072C35@ESESSMB203.ericsson.se> Hi, I'm trying to use gnutls 3.2.1 for DTLS-SRTP. The handshake seems to work fine if no MKI (master key identifier) is set. However, if I set an MKI (master key identifier) via gnutls_srtp_set_mki, the encoded message contains an incorrect size for the use_srtp extension. The length of the MKI is not included. This makes the receiving entity fail to decode the handshake message. The error itself is in the function _gnutls_srtp_send_params found in lib/ext/srtp.c. This function returns total_size + 1, but it should return total_size + 1 + priv->mki_size. I've checked the gnutls git repository and this bug is still there. Please see the attached patch file for a fix. Regards, Gabor Tatarka -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: srtp_mki.patch Type: application/octet-stream Size: 365 bytes Desc: srtp_mki.patch URL: From nmav at gnutls.org Tue Jul 9 08:33:27 2013 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Tue, 09 Jul 2013 08:33:27 +0200 Subject: [gnutls-devel] Make check failure on gnutls-2.8.6 In-Reply-To: <51D42980.8070909@gmail.com> References: <51D42980.8070909@gmail.com> Message-ID: <51DBAEB7.5030407@gnutls.org> On 07/03/2013 03:39 PM, Saso Kiselkov wrote: > I'm trying to build 64-bit gnutls-2.8.6 on OpenIndiana oi_151a7 (SunOS > 5.11) using GCC 4.6.3 and 4 out of 35 of the self-tests are failing when > I do "gmake check". > > I've attached my config.log and build log of what happened. The failures > appear to have been caused by a handshake problem like this one: > > ========== > Self test `./openpgpself' finished with 1 errors > server: Handshake has failed (A TLS packet with unexpected length was > received.) > ========== > > Are these fatal or can I use the library as-is anyway? Hello, I have no idea. This version of gnutls was released more than 3 years ago. You may want to to try a more recent version. regards, Nikos From n.mavrogiannopoulos at gmail.com Tue Jul 9 08:35:03 2013 From: n.mavrogiannopoulos at gmail.com (Nikos Mavrogiannopoulos) Date: Tue, 09 Jul 2013 08:35:03 +0200 Subject: [gnutls-devel] bugfix for gnutls-3.2.1 on NetBSD In-Reply-To: <20130707141548.GI12783@danbala.tuwien.ac.at> References: <20130707141548.GI12783@danbala.tuwien.ac.at> Message-ID: <51DBAF17.2010602@gmail.com> On 07/07/2013 04:15 PM, Thomas Klausner wrote: > Hi! > > I've tried compiling gnutls-3.2.1 on NetBSD-6.99.22/amd64; it fails > building because NetBSD provides clock_gettime() but not > CLOCK_PROCESS_CPUTIME_ID. > > The attached patch fixes this. Applied. Thank you. Nikos From nmav at gnutls.org Tue Jul 9 08:40:47 2013 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Tue, 09 Jul 2013 08:40:47 +0200 Subject: [gnutls-devel] Incorrect handshake message if MKI is specified for SRTP extension In-Reply-To: <00F6397DC878754695E3FDE8D3F20944072C35@ESESSMB203.ericsson.se> References: <00F6397DC878754695E3FDE8D3F20944072C35@ESESSMB203.ericsson.se> Message-ID: <51DBB06F.9040204@gnutls.org> On 07/08/2013 04:20 PM, G?bor Tat?rka wrote: > Hi, > > I'm trying to use gnutls 3.2.1 for DTLS-SRTP. The handshake seems to work fine if no MKI (master key identifier) is set. However, if I set an MKI (master key identifier) via gnutls_srtp_set_mki, the encoded message contains an incorrect size for the use_srtp extension. The length of the MKI is not included. This makes the receiving entity fail to decode the handshake message. > > The error itself is in the function _gnutls_srtp_send_params found in lib/ext/srtp.c. This function returns total_size + 1, but it should return total_size + 1 + priv->mki_size. > I've checked the gnutls git repository and this bug is still there. Please see the attached patch file for a fix. Hello Gabor, Thanks for noticing that. I've applied a fix. regards, Nikos From nmav at gnutls.org Tue Jul 9 09:29:56 2013 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Tue, 9 Jul 2013 09:29:56 +0200 Subject: [gnutls-devel] Server sends incorrect extensions for resumption handshake? In-Reply-To: <51CF9D56.2030201@bouncycastle.org> References: <51CF9D56.2030201@bouncycastle.org> Message-ID: On Sun, Jun 30, 2013 at 4:52 AM, Peter Dettman wrote: > Firstly, the ec_point_formats extension is included in the session > resumption ServerHello. This appears to violate RFC 3546 2.3. "If [...] the > older session is resumed, then the server MUST ignore extensions appearing > in the client hello, and send a server hello containing no extensions[.]" > (later RFC updates contain similar clauses) . Please understand that the > problem is probably broader than just the ec_point_formats extension; the > server shouldn't be sending any. The only exception to that rule that I am > aware of is from RFC 5746, renegotiation_info, which appears to say that > this extension is per-connection, and can always be sent. This is the second > issue I want to raise: while gnutls-serv sends renegotiation_info during the > initial handshake, it does _not_ send it during a resumption handshake. Hello Peter, I can verify that indeed serverhello may contain some extensions when resuming, but I cannot see how the renegotiation_info is not sent while resuming. Could you let me know how I can reproduce your test? regards, Nikos From joern.clausen at uni-bielefeld.de Wed Jul 10 13:15:56 2013 From: joern.clausen at uni-bielefeld.de (=?ISO-8859-1?Q?J=F6rn_Clausen?=) Date: Wed, 10 Jul 2013 13:15:56 +0200 Subject: [gnutls-devel] gnutls-3.2.1 does not build on Solaris 10 Message-ID: <51DD426C.1020104@uni-bielefeld.de> Building gnutls-3.2.1 fails on Solaris 10, because "nanosleep" is not found: CCLD psktool Undefined first referenced symbol in file nanosleep ../lib/.libs/libgnutls.so ld: fatal: Symbol referencing errors. No output written to .libs/psktool collect2: error: ld returned 1 exit status gmake[4]: *** [psktool] Error 1 This function is implemented in /usr/lib/librt.so: NAME nanosleep - high resolution sleep SYNOPSIS cc [ flag... ] file... -lrt [ library... ] #include -- J?rn Clausen joern.clausen at uni-bielefeld.de Hochschulrechenzentrum http://www.uni-bielefeld.de/hrz/ Universit?t Bielefeld From Alexander.von-Klinski at bardenheuer.de Wed Jul 10 16:28:08 2013 From: Alexander.von-Klinski at bardenheuer.de (von Klinski, Alexander (Bardenheuer)) Date: Wed, 10 Jul 2013 14:28:08 +0000 Subject: [gnutls-devel] Patch for GnuTLS 2.10.2 - The DCO Message-ID: <20C69A88F591DE4FA9456202570661A402B09AEA@svmail2.aed.dir> Dear all, On behalf of our client Bundesdruckerei GmbH and in the name of my colleague who did the job I would like to contribute a modification of the GnuTLS 2.10.2 where we added a RSA-PSK key exchange. Developer's Certificate of Origin 1.1 By making a contribution to this project, I certify that: (a) The contribution was created in whole or in part by me and I have the right to submit it under the open source license indicated in the file; or (b) The contribution is based upon previous work that, to the best of my knowledge, is covered under an appropriate open source license and I have the right under that license to submit that work with modifications, whether created in whole or in part by me, under the same open source license (unless I am permitted to submit under a different license), as indicated in the file; or (c) The contribution was provided directly to me by some other person who certified (a), (b) or (c) and I have not modified it. (d) I understand and agree that this project and the contribution are public and that a record of the contribution (including all personal information I submit with it, including my sign-off) is maintained indefinitely and may be redistributed consistent with this project or the open source license(s) involved. Best regards, Alexander Alexander von Klinski Gesch?ftsstellenleiter Berlin Vice President - Mobile Computing & eID Bardenheuer GmbH (ALTEN Group) Siemensdamm 50 D - 13629 Berlin Tel: +49 (0)30 - 43 09 45 9 - 0 Fax: +49 (0)30 - 43 09 45 9 - 9 Mobil: +49 (0)172- 388 75 06 E-Mail: alexander.von-klinski at bardenheuer.de Web: http://www.bardenheuer.de Gesch?ftsf?hrer: Yves-Antoine Brun Registergericht: M?nchen Registriernummer: HRB 107560 Umsatzsteuer-Identifikationsnummer: DE 1670 1468 5 Hauptsitz: Bardenheuer GmbH, Elsenheimerstra?e 47a, 80687 M?nchen Amtsgericht M?nchen, HRB 107560, Gesch?ftsf?hrer: Yves-Antoine Brun Diese Email und hiermit ?bertragene Dokumente sind vertraulich und nur f?r den Gebrauch der Person oder Organisation bestimmt, an die sie adressiert wurden. Es k?nnen vertrauliche oder von der Bekanntmachung ausgeschlossene Informationen enthalten sein. Falls Sie diese Email irrt?mlich erhalten haben, benachrichtigen Sie bitte den Absender und l?schen Sie diese Email aus Ihrem System ohne sie zu kopieren. Sie sind nicht zum Lesen, Kopieren oder Weitergeben dieser Email oder eines Teils dieser berechtigt. This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. It may constitute information that is privileged or confidential or otherwise legally exempt from disclose. If you have received this email in error, please contact the sender and delete the email from your system without copying it. You are not authorized to read, copy or disseminate this message or any part of it. -------------- next part -------------- An HTML attachment was scrubbed... URL: From Alexander.von-Klinski at bardenheuer.de Wed Jul 10 16:28:51 2013 From: Alexander.von-Klinski at bardenheuer.de (von Klinski, Alexander (Bardenheuer)) Date: Wed, 10 Jul 2013 14:28:51 +0000 Subject: [gnutls-devel] Patch for GnuTLS 2.10.2 - The patch Message-ID: <20C69A88F591DE4FA9456202570661A402B09B06@svmail2.aed.dir> Dear all, On behalf of our client Bundesdruckerei GmbH and in the name of my colleague who did the job I would like to contribute a modification of the GnuTLS 2.10.2 where we added a RSA-PSK key exchange. Copyright notice: Bundesdruckerei GmbH, as far as concerned, agrees in allowing redistribution of the componentes (auth_rsa.h, auth_rsa_psk.c and gnutls-patch-2.10.2.diff) under the terms of LGPL v2.1 (GNU Lesser general Public Licence) or a later version of that license. Bundesdruckerei GmbH has to be mentioned in respective copyright notices in the above contributed source components auth_rsa.h and auth_rsa_psk.c: "This file is contributed by Bardenheuer GmbH, M?nchen, Germany, on behalf of Bundesdruckerei GmbH, Berlin, Germany, 2013." Signed-Off-By: Bardenheuer GmbH, M?nchen, Germany, Alexander von Klinski Find attached the new source files auth_rsa.h and auth_rsa_psk.c, the gnutls.diff and the log files from validation. The diff must be performed with patch -p1 -c -l -R < gnutls.diff Thank you! Best regards, Alexander Alexander von Klinski Gesch?ftsstellenleiter Berlin Vice President - Mobile Computing & eID Bardenheuer GmbH (ALTEN Group) Siemensdamm 50 D - 13629 Berlin Tel: +49 (0)30 - 43 09 45 9 - 0 Fax: +49 (0)30 - 43 09 45 9 - 9 Mobil: +49 (0)172- 388 75 06 E-Mail: alexander.von-klinski at bardenheuer.de Web: http://www.bardenheuer.de Gesch?ftsf?hrer: Yves-Antoine Brun Registergericht: M?nchen Registriernummer: HRB 107560 Umsatzsteuer-Identifikationsnummer: DE 1670 1468 5 Hauptsitz: Bardenheuer GmbH, Elsenheimerstra?e 47a, 80687 M?nchen Amtsgericht M?nchen, HRB 107560, Gesch?ftsf?hrer: Yves-Antoine Brun Diese Email und hiermit ?bertragene Dokumente sind vertraulich und nur f?r den Gebrauch der Person oder Organisation bestimmt, an die sie adressiert wurden. Es k?nnen vertrauliche oder von der Bekanntmachung ausgeschlossene Informationen enthalten sein. Falls Sie diese Email irrt?mlich erhalten haben, benachrichtigen Sie bitte den Absender und l?schen Sie diese Email aus Ihrem System ohne sie zu kopieren. Sie sind nicht zum Lesen, Kopieren oder Weitergeben dieser Email oder eines Teils dieser berechtigt. This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. It may constitute information that is privileged or confidential or otherwise legally exempt from disclose. If you have received this email in error, please contact the sender and delete the email from your system without copying it. You are not authorized to read, copy or disseminate this message or any part of it. -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: auth_rsa.h URL: -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: auth_rsa_psk.c URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: gnutls.diff Type: application/octet-stream Size: 14564 bytes Desc: gnutls.diff URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: serv.log Type: application/octet-stream Size: 6672 bytes Desc: serv.log URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: cli.log Type: application/octet-stream Size: 6183 bytes Desc: cli.log URL: From gustavo at zacarias.com.ar Wed Jul 10 22:26:19 2013 From: gustavo at zacarias.com.ar (Gustavo Zacarias) Date: Wed, 10 Jul 2013 17:26:19 -0300 Subject: [gnutls-devel] [PATCH] Eliminate reset from cryptodev hashes and mac Message-ID: <1373487979-32003-1-git-send-email-gustavo@zacarias.com.ar> It wasn't done in 73ec74c2 and 6f0ecbf4 for cryptodev causing build failures. Signed-off-by: Gustavo Zacarias --- lib/accelerated/cryptodev.c | 3 --- 1 file changed, 3 deletions(-) diff --git a/lib/accelerated/cryptodev.c b/lib/accelerated/cryptodev.c index 63b0174..f3d8805 100644 --- a/lib/accelerated/cryptodev.c +++ b/lib/accelerated/cryptodev.c @@ -49,7 +49,6 @@ struct cryptodev_ctx struct session_op sess; struct crypt_op cryp; uint8_t iv[EALG_MAX_BLOCK_LEN]; - int reset; int cfd; }; @@ -356,7 +355,6 @@ static const gnutls_crypto_mac_st mac_struct = { .hash = NULL, .output = NULL, .deinit = NULL, - .reset = NULL, .fast = cryptodev_mac_fast }; @@ -407,7 +405,6 @@ static const gnutls_crypto_digest_st digest_struct = { .hash = NULL, .output = NULL, .deinit = NULL, - .reset = NULL, .fast = cryptodev_digest_fast }; -- 1.8.1.5 From n.mavrogiannopoulos at gmail.com Thu Jul 11 10:45:31 2013 From: n.mavrogiannopoulos at gmail.com (Nikos Mavrogiannopoulos) Date: Thu, 11 Jul 2013 10:45:31 +0200 Subject: [gnutls-devel] [PATCH] Eliminate reset from cryptodev hashes and mac In-Reply-To: <1373487979-32003-1-git-send-email-gustavo@zacarias.com.ar> References: <1373487979-32003-1-git-send-email-gustavo@zacarias.com.ar> Message-ID: <51DE70AB.6080601@gmail.com> On 07/10/2013 10:26 PM, Gustavo Zacarias wrote: > It wasn't done in 73ec74c2 and 6f0ecbf4 for cryptodev causing build > failures. Applied. Thanks. From nmav at gnutls.org Sat Jul 13 10:59:54 2013 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Sat, 13 Jul 2013 10:59:54 +0200 Subject: [gnutls-devel] gnutls-3.2.1 does not build on Solaris 10 In-Reply-To: <51DD426C.1020104@uni-bielefeld.de> References: <51DD426C.1020104@uni-bielefeld.de> Message-ID: <51E1170A.8050407@gnutls.org> On 07/10/2013 01:15 PM, J?rn Clausen wrote: > Building gnutls-3.2.1 fails on Solaris 10, because "nanosleep" is not > found: > > CCLD psktool > Undefined first referenced > symbol in file > nanosleep ../lib/.libs/libgnutls.so > ld: fatal: Symbol referencing errors. No output written to .libs/psktool > collect2: error: ld returned 1 exit status > gmake[4]: *** [psktool] Error 1 > This function is implemented in /usr/lib/librt.so: Thanks. I've added a configure-time check to link against this lib if nanosleep isn't in libc. regards, Nikos From nmav at gnutls.org Sat Jul 13 11:11:19 2013 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Sat, 13 Jul 2013 11:11:19 +0200 Subject: [gnutls-devel] gnutls 3.1.13 Message-ID: <51E119B7.70101@gnutls.org> Hello, I've just released gnutls 3.1.13. This is a bug-fix release on the 3.1 stable branch. * Version 3.1.13 (released 2013-07-12) ** libgnutls: Ensure that gnutls_dtls_set_mtu() cannot exceed the maximum allowed DTLS size. ** libgnutls: Fixes in SRTP extension generation when MKI is being used. ** libgnutls: Fixes in discovery of trusted objects (CA certificates) PKCS #11 in tokens. Patch by Stef Walter. ** API and ABI modifications: No changes since last version. Getting the Software ==================== GnuTLS may be downloaded directly from . A list of GnuTLS mirrors can be found at . Here are the XZ and LZIP compressed sources: ftp://ftp.gnutls.org/gcrypt/gnutls/v3.1/gnutls-3.1.13.tar.xz ftp://ftp.gnutls.org/gcrypt/gnutls/v3.1/gnutls-3.1.13.tar.lz Here are OpenPGP detached signatures signed using key 0x96865171: ftp://ftp.gnutls.org/gcrypt/gnutls/v3.1/gnutls-3.1.13.tar.xz.sig ftp://ftp.gnutls.org/gcrypt/gnutls/v3.1/gnutls-3.1.13.tar.lz.sig Note that it has been signed with my openpgp key: pub 3104R/96865171 2008-05-04 [expires: 2028-04-29] uid Nikos Mavrogiannopoulos gnutls.org> uid Nikos Mavrogiannopoulos gmail.com> sub 2048R/9013B842 2008-05-04 [expires: 2018-05-02] sub 2048R/1404A91D 2008-05-04 [expires: 2018-05-02] regards, Nikos From nmav at gnutls.org Sat Jul 13 11:13:59 2013 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Sat, 13 Jul 2013 11:13:59 +0200 Subject: [gnutls-devel] gnutls 3.0.31 Message-ID: <51E11A57.904@gnutls.org> Hello, I've just released gnutls 3.0.31. This is a bug-fix release on the previous stable branch. * Version 3.0.31 (released 2013-07-12) ** libgnutls: Ensure that gnutls_dtls_set_mtu() cannot exceed the maximum allowed DTLS size. ** libgnutls: Fixes in discovery of trusted objects (CA certificates) PKCS #11 in tokens. Patch by Stef Walter. ** API and ABI modifications: No changes since last version. Getting the Software ==================== GnuTLS may be downloaded directly from . A list of GnuTLS mirrors can be found at . Here are the XZ and LZIP compressed sources: ftp://ftp.gnutls.org/gcrypt/gnutls/v3.0/gnutls-3.0.31.tar.xz ftp://ftp.gnutls.org/gcrypt/gnutls/v3.0/gnutls-3.0.31.tar.lz Here are OpenPGP detached signatures signed using key 0x96865171: ftp://ftp.gnutls.org/gcrypt/gnutls/v3.0/gnutls-3.0.31.tar.xz.sig ftp://ftp.gnutls.org/gcrypt/gnutls/v3.0/gnutls-3.0.31.tar.lz.sig Note that it has been signed with my openpgp key: pub 3104R/96865171 2008-05-04 [expires: 2028-04-29] uid Nikos Mavrogiannopoulos gnutls.org> uid Nikos Mavrogiannopoulos gmail.com> sub 2048R/9013B842 2008-05-04 [expires: 2018-05-02] sub 2048R/1404A91D 2008-05-04 [expires: 2018-05-02] regards, Nikos From nmav at gnutls.org Sun Jul 14 11:03:26 2013 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Sun, 14 Jul 2013 11:03:26 +0200 Subject: [gnutls-devel] gnutls 3.2.2 Message-ID: <51E2695E.4030009@gnutls.org> Hello, I've just released gnutls 3.2.2. This release adds features and fixes bugs on the current stable branch. * Version 3.2.2 (released 2013-07-14) ** libgnutls: Several optimizations in the related to packet processing subsystems. ** libgnutls: DTLS replay detection can now be disabled (to be used in certain transport layers like SCTP). ** libgnutls: Fixes in SRTP extension generation when MKI is being used. ** libgnutls: Added ability to set hooks before or after sending or receiving any handshake message with gnutls_handshake_set_hook_function(). ** API and ABI modifications: GNUTLS_NO_REPLAY_PROTECTION: Added gnutls_certificate_set_trust_list: Added gnutls_cipher_get_tag_size: Added gnutls_record_overhead_size: Added gnutls_est_record_overhead_size: Added gnutls_handshake_set_hook_function: Added gnutls_handshake_description_get_name: Added gnutls_digest_list: Added gnutls_digest_get_id: Added gnutls_digest_get_name: Added Getting the Software ==================== GnuTLS may be downloaded directly from . A list of GnuTLS mirrors can be found at . Here are the XZ and LZIP compressed sources: ftp://ftp.gnutls.org/gcrypt/gnutls/v3.2/gnutls-3.2.2.tar.xz ftp://ftp.gnutls.org/gcrypt/gnutls/v3.2/gnutls-3.2.2.tar.lz Here are OpenPGP detached signatures signed using key 0x96865171: ftp://ftp.gnutls.org/gcrypt/gnutls/v3.2/gnutls-3.2.2.tar.xz.sig ftp://ftp.gnutls.org/gcrypt/gnutls/v3.2/gnutls-3.2.2.tar.lz.sig Note that it has been signed with my openpgp key: pub 3104R/96865171 2008-05-04 [expires: 2028-04-29] uid Nikos Mavrogiannopoulos gnutls.org> uid Nikos Mavrogiannopoulos gmail.com> sub 2048R/9013B842 2008-05-04 [expires: 2018-05-02] sub 2048R/1404A91D 2008-05-04 [expires: 2018-05-02] regards, Nikos From m at tthias.eu Sun Jul 14 13:52:22 2013 From: m at tthias.eu (Matthias Wimmer) Date: Sun, 14 Jul 2013 11:52:22 +0000 Subject: [gnutls-devel] Question regarding key exchange priorities Message-ID: <20130714115221.GA21179@doux.amessage.eu> Hi, I have seen that in february the priority of a pure RSA key exchange has been changed. In the SECURE* defaults GNUTLS_KX_RSA is now prefered over the DH key exchanges GNUTLS_KX_DHE_RSA and GNUTLS_KX_DHE_DSS. (https://gitorious.org/gnutls/gnutls/commit/eff2ae1606c7fea45dd1178de60b5cbf5c1012f9) Is this change related to the problem described in http://lists.gnutls.org/pipermail/gnutls-devel/2013-February/006128.html? Regards, Matthias -- Matthias Wimmer Contact details: http://matthias.wimmer.tel/ -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3921 bytes Desc: not available URL: From nmav at gnutls.org Sun Jul 14 17:30:33 2013 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Sun, 14 Jul 2013 17:30:33 +0200 Subject: [gnutls-devel] Question regarding key exchange priorities In-Reply-To: <20130714115221.GA21179@doux.amessage.eu> References: <20130714115221.GA21179@doux.amessage.eu> Message-ID: <51E2C419.7080402@gnutls.org> On 07/14/2013 01:52 PM, Matthias Wimmer wrote: > Hi, > > I have seen that in february the priority of a pure RSA key exchange has > been changed. In the SECURE* defaults GNUTLS_KX_RSA is now prefered over > the DH key exchanges GNUTLS_KX_DHE_RSA and GNUTLS_KX_DHE_DSS. > (https://gitorious.org/gnutls/gnutls/commit/eff2ae1606c7fea45dd1178de60b5cbf5c1012f9) > Is this change related to the problem described in > http://lists.gnutls.org/pipermail/gnutls-devel/2013-February/006128.html? Yes indeed. The ECDHE ciphersuites now replace DHE to provide forward secrecy, because DHE had the compatibility issues discussed in the thread above. regards, Nikos From joern.clausen at uni-bielefeld.de Mon Jul 15 09:55:20 2013 From: joern.clausen at uni-bielefeld.de (=?ISO-8859-1?Q?J=F6rn_Clausen?=) Date: Mon, 15 Jul 2013 09:55:20 +0200 Subject: [gnutls-devel] gnutls-3.2.1 does not build on Solaris 10 In-Reply-To: <51E1170A.8050407@gnutls.org> References: <51DD426C.1020104@uni-bielefeld.de> <51E1170A.8050407@gnutls.org> Message-ID: <51E3AAE8.2050901@uni-bielefeld.de> Hello Nikos! Thanks, but I think the fix is not complete. librt is correctly found and LIBRT = -lrt is defined in all relevant Makefiles. But that symbol is not used any further, i.e. it does not end up in any LDFLAGS. I think this is the correct place to inject the definition: --- work.pkgsrc-i86/gnutls-3.2.2/lib/Makefile.in 2013/07/15 07:38:47 1.1 +++ work.pkgsrc-i86/gnutls-3.2.2/lib/Makefile.in 2013/07/15 07:39:22 @@ -1845,7 +1845,7 @@ auth/libgnutls_auth.la algorithms/libgnutls_alg.la \ extras/libgnutls_extras.la $(am__append_8) $(am__append_11) \ $(am__append_14) $(thirdparty_libadd) -thirdparty_libadd = $(LTLIBZ) $(LTLIBINTL) $(LIBSOCKET) \ +thirdparty_libadd = $(LTLIBZ) $(LTLIBINTL) $(LIBSOCKET) $(LIBRT) \ $(LTLIBPTHREAD) $(LTLIBICONV) $(P11_KIT_LIBS) $(LIB_SELECT) \ $(TSS_LIBS) $(am__append_12) $(am__append_13) $(am__append_17) @HAVE_LD_OUTPUT_DEF_TRUE at defexecdir = $(bindir) At least with this change I can build the package. Regards, Joern On 13.07.13 10:59, Nikos Mavrogiannopoulos wrote: > On 07/10/2013 01:15 PM, J?rn Clausen wrote: >> Building gnutls-3.2.1 fails on Solaris 10, because "nanosleep" is not >> found: >> >> CCLD psktool >> Undefined first referenced >> symbol in file >> nanosleep ../lib/.libs/libgnutls.so >> ld: fatal: Symbol referencing errors. No output written to .libs/psktool >> collect2: error: ld returned 1 exit status >> gmake[4]: *** [psktool] Error 1 >> This function is implemented in /usr/lib/librt.so: > > Thanks. I've added a configure-time check to link against this lib if > nanosleep isn't in libc. > > regards, > Nikos > -- J?rn Clausen joern.clausen at uni-bielefeld.de Hochschulrechenzentrum http://www.uni-bielefeld.de/hrz/ Universit?t Bielefeld From nmav at gnutls.org Mon Jul 15 13:07:57 2013 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Mon, 15 Jul 2013 13:07:57 +0200 Subject: [gnutls-devel] gnutls-3.2.1 does not build on Solaris 10 In-Reply-To: <51E3AAE8.2050901@uni-bielefeld.de> References: <51DD426C.1020104@uni-bielefeld.de> <51E1170A.8050407@gnutls.org> <51E3AAE8.2050901@uni-bielefeld.de> Message-ID: <20130715130757.3c5d6dcd@aspire.lan> On Mon, 15 Jul 2013 09:55:20 +0200 J?rn Clausen wrote: > Hello Nikos! > > Thanks, but I think the fix is not complete. librt is correctly found > and > LIBRT = -lrt > is defined in all relevant Makefiles. But that symbol is not used any > further, i.e. it does not end up in any LDFLAGS. I think this is the > correct place to inject the definition: Thank you for checking it out. I'll apply a fix as soon. regards, Nikos From a.radke at arcor.de Mon Jul 15 18:22:20 2013 From: a.radke at arcor.de (Andreas Radke) Date: Mon, 15 Jul 2013 18:22:20 +0200 Subject: [gnutls-devel] gnutls 3.2.2 In-Reply-To: <51E2695E.4030009@gnutls.org> References: <51E2695E.4030009@gnutls.org> Message-ID: <20130715182220.2f59e7aa@workstation64.home> > Test suite completes well when run with -j1 This was only x86_64. The i686 build fails even -j1 with: Making check in dtls make[2]: Entering directory `/build/gnutls/src/gnutls-3.2.2/tests/dtls' make dtls-stress \ dtls dtls-nb make[3]: Entering directory `/build/gnutls/src/gnutls-3.2.2/tests/dtls' CC dtls-stress.o CCLD dtls-stress make[3]: Nothing to be done for `dtls'. make[3]: Nothing to be done for `dtls-nb'. make[3]: Leaving directory `/build/gnutls/src/gnutls-3.2.2/tests/dtls' make check-TESTS make[3]: Entering directory `/build/gnutls/src/gnutls-3.2.2/tests/dtls' make[4]: Entering directory `/build/gnutls/src/gnutls-3.2.2/tests/dtls' FAIL: dtls make[5]: Entering directory `/build/gnutls/src/gnutls-3.2.2/tests/dtls' make[5]: Nothing to be done for `all'. make[5]: Leaving directory `/build/gnutls/src/gnutls-3.2.2/tests/dtls' ============================================================================ Testsuite summary for GnuTLS 3.2.2 ============================================================================ # TOTAL: 1 # PASS: 0 # SKIP: 0 # XFAIL: 0 # FAIL: 1 -Andy From a.radke at arcor.de Mon Jul 15 18:11:47 2013 From: a.radke at arcor.de (Andreas Radke) Date: Mon, 15 Jul 2013 18:11:47 +0200 Subject: [gnutls-devel] gnutls 3.2.2 In-Reply-To: <51E2695E.4030009@gnutls.org> References: <51E2695E.4030009@gnutls.org> Message-ID: <20130715181147.71e32c1c@workstation64.home> I see new test failures here x86_64 build when running the test suite in parallel mode (-j8): PASS: pgps2kgnu FAIL: x509self PASS: openpgp-auth FAIL: x509dn FAIL: anonself FAIL: pskself FAIL: dhepskself FAIL: resume PASS: setcredcrash FAIL: openpgpself PASS: rfc2253-escape-test ... Testsuite summary for GnuTLS 3.2.2 ============================================================================ # TOTAL: 74 # PASS: 67 # SKIP: 0 # XFAIL: 0 # FAIL: 7 # XPASS: 0 # ERROR: 0 make[2]: Leaving directory `/build/gnutls/src/gnutls-3.2.2/tests/openpgp-certs' make[1]: *** [check-recursive] Error 1 make[1]: Target `check' not remade because of errors. make[1]: Leaving directory `/build/gnutls/src/gnutls-3.2.2/tests' make[1]: Entering directory `/build/gnutls/src/gnutls-3.2.2' make[1]: Nothing to be done for `check-am'. make[1]: Leaving directory `/build/gnutls/src/gnutls-3.2.2' make: *** [check-recursive] Error 1 make: Target `check' not remade because of errors. Test suite completes well when run with -j1 -Andy ArchLinux From nmav at gnutls.org Mon Jul 15 19:29:10 2013 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Mon, 15 Jul 2013 19:29:10 +0200 Subject: [gnutls-devel] gnutls 3.2.2 In-Reply-To: <20130715181147.71e32c1c@workstation64.home> References: <51E2695E.4030009@gnutls.org> <20130715181147.71e32c1c@workstation64.home> Message-ID: <51E43166.5070604@gnutls.org> On 07/15/2013 06:11 PM, Andreas Radke wrote: > I see new test failures here x86_64 build when running the test suite > in parallel mode (-j8): > > PASS: pgps2kgnu > FAIL: x509self > PASS: openpgp-auth > FAIL: x509dn > FAIL: anonself > FAIL: pskself > FAIL: dhepskself > FAIL: resume > PASS: setcredcrash > FAIL: openpgpself > PASS: rfc2253-escape-test Indeed, unfortunately the tests can only be run serialized, unless fixed. They all use port 5556 or something and there are conflicts when run in parallel. regards, Nikos From nmav at gnutls.org Mon Jul 15 19:41:38 2013 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Mon, 15 Jul 2013 19:41:38 +0200 Subject: [gnutls-devel] gnutls 3.2.2 In-Reply-To: <20130715182220.2f59e7aa@workstation64.home> References: <51E2695E.4030009@gnutls.org> <20130715182220.2f59e7aa@workstation64.home> Message-ID: <51E43452.6040900@gnutls.org> On 07/15/2013 06:22 PM, Andreas Radke wrote: > > >> Test suite completes well when run with -j1 > > This was only x86_64. The i686 build fails even -j1 with: > Making check in dtls > make[2]: Entering directory `/build/gnutls/src/gnutls-3.2.2/tests/dtls' > make dtls-stress \ > dtls dtls-nb > make[3]: Entering directory `/build/gnutls/src/gnutls-3.2.2/tests/dtls' > CC dtls-stress.o > CCLD dtls-stress > make[3]: Nothing to be done for `dtls'. > make[3]: Nothing to be done for `dtls-nb'. > make[3]: Leaving directory `/build/gnutls/src/gnutls-3.2.2/tests/dtls' > make check-TESTS > make[3]: Entering directory `/build/gnutls/src/gnutls-3.2.2/tests/dtls' > make[4]: Entering directory `/build/gnutls/src/gnutls-3.2.2/tests/dtls' > FAIL: dtls Thanks for reporting that. That's very interesting. Could you find out which command fails by running it manually? Is the error easily reproducible? If no, would the error be fixed if you replace SOCK_DGRAM with SOCK_STREAM in line 732 of dtls-stress.c? regards, Nikos From ats at offog.org Mon Jul 15 21:43:38 2013 From: ats at offog.org (Adam Sampson) Date: Mon, 15 Jul 2013 20:43:38 +0100 Subject: [gnutls-devel] Parallel test bug in gnutls-3.2.2 Message-ID: <20130715194338.GN30225@cartman.at.offog.org> Dear GnuTLS folks, In 3.2.2, there are a bunch of tests that all try to listen on the same TCP port -- grepping for PORT in tests/*.c will find several of these. The problem with this is that if you try to run the test suite in parallel (e.g. make -j8 check), a random subset of them will fail because one of the other tests already has the port bound... I guess allocating each test a different port number would be a simple fix for this. Thanks, -- Adam Sampson From Matthew.Tatar at jhuapl.edu Mon Jul 15 23:19:32 2013 From: Matthew.Tatar at jhuapl.edu (Tatar, Matthew B.) Date: Mon, 15 Jul 2013 17:19:32 -0400 Subject: [gnutls-devel] gnutls for android Message-ID: I cannot find a way to search the archives of the mail list. So at the risk of asking something oft asked. Has anyway successfully ported gnutls to Android? I'm in the process now of attempting this, I have ported nettle and gmp using cross compile with the ndk compiler. However now I cannot get gnutls to build with the same method. I'm running into an issue where the configure portion seems to fail because it cannot find install-sh or install.sh in build-aux -------------- next part -------------- An HTML attachment was scrubbed... URL: From nmav at gnutls.org Tue Jul 16 10:35:05 2013 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Tue, 16 Jul 2013 10:35:05 +0200 Subject: [gnutls-devel] gnutls for android In-Reply-To: References: Message-ID: <51E505B9.8070101@gnutls.org> On 07/15/2013 11:19 PM, Tatar, Matthew B. wrote: > I cannot find a way to search the archives of the mail list. So at > the risk of asking something oft asked. > > Has anyway successfully ported gnutls to Android? I'm in the process > now of attempting this, I have ported nettle and gmp using cross > compile with the ndk compiler. However now I cannot get gnutls to > build with the same method. I'm running into an issue where the > configure portion seems to fail because it cannot find install-sh or > install.sh in build-aux Hello, There is www.gmane.org where you can search this and other mailing lists. I have compiled gnutls on android using Cerbero [0]. regards, Nikos [0]. https://www.gitorious.org/gnutls/cerbero From nmav at gnutls.org Tue Jul 16 10:35:55 2013 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Tue, 16 Jul 2013 10:35:55 +0200 Subject: [gnutls-devel] Parallel test bug in gnutls-3.2.2 In-Reply-To: <20130715194338.GN30225@cartman.at.offog.org> References: <20130715194338.GN30225@cartman.at.offog.org> Message-ID: <51E505EB.4090008@gnutls.org> On 07/15/2013 09:43 PM, Adam Sampson wrote: > Dear GnuTLS folks, > > In 3.2.2, there are a bunch of tests that all try to listen on the same > TCP port -- grepping for PORT in tests/*.c will find several of these. > The problem with this is that if you try to run the test suite in > parallel (e.g. make -j8 check), a random subset of them will fail > because one of the other tests already has the port bound... > > I guess allocating each test a different port number would be a simple > fix for this. Or using socketpair() for all tests. Any patches are appreciated. regards, Nikos From Matthew.Tatar at jhuapl.edu Tue Jul 16 17:17:54 2013 From: Matthew.Tatar at jhuapl.edu (Tatar, Matthew B.) Date: Tue, 16 Jul 2013 11:17:54 -0400 Subject: [gnutls-devel] gnutls for android In-Reply-To: <51E505B9.8070101@gnutls.org> References: <51E505B9.8070101@gnutls.org> Message-ID: I don't quite understand, is there any documentation as to why or how you would need/use cerbero over the standard practice of using the NDK compiler with configure scripts? The issue I'm running into is with compiling libnettle so that it recognizes the libgmp I built. -----Original Message----- From: Nikos Mavrogiannopoulos [mailto:n.mavrogiannopoulos at gmail.com] On Behalf Of Nikos Mavrogiannopoulos Sent: Tuesday, July 16, 2013 4:35 AM To: Tatar, Matthew B. Cc: gnutls-devel at lists.gnutls.org Subject: Re: [gnutls-devel] gnutls for android On 07/15/2013 11:19 PM, Tatar, Matthew B. wrote: > I cannot find a way to search the archives of the mail list. So at > the risk of asking something oft asked. > > Has anyway successfully ported gnutls to Android? I'm in the process > now of attempting this, I have ported nettle and gmp using cross > compile with the ndk compiler. However now I cannot get gnutls to > build with the same method. I'm running into an issue where the > configure portion seems to fail because it cannot find install-sh or > install.sh in build-aux Hello, There is www.gmane.org where you can search this and other mailing lists. I have compiled gnutls on android using Cerbero [0]. regards, Nikos [0]. https://www.gitorious.org/gnutls/cerbero From Matthew.Tatar at jhuapl.edu Tue Jul 16 22:46:00 2013 From: Matthew.Tatar at jhuapl.edu (Tatar, Matthew B.) Date: Tue, 16 Jul 2013 16:46:00 -0400 Subject: [gnutls-devel] gnutls for android In-Reply-To: <51E505B9.8070101@gnutls.org> References: <51E505B9.8070101@gnutls.org> Message-ID: I've been trying to work with the cerberos framework and it seems that the gnutls recipe for android reports that it is not supported on RedHat 6.4 or am I misunderstanding the error. ./cerbero-uninstalled -c config/cross-android.cbc bootstrap Traceback (most recent call last): File "./cerbero-uninstalled", line 8, in from cerbero.main import main File "./cerbero/main.py", line 34, in from cerbero import config, commands File "./cerbero/config.py", line 25, in from cerbero.utils import _, system_info, validate_packager, to_unixpath,\ File "./cerbero/utils/shell.py", line 40, in PLATFORM = system_info()[0] File "./cerbero/utils/__init__.py", line 173, in system_info raise FatalError("Distribution '%s' not supported" % str(d)) cerbero.errors.FatalError: Fatal Error: Distribution '('Red Hat Enterprise Linux Workstation', '6.4', 'Santiago')' not supported -----Original Message----- From: Nikos Mavrogiannopoulos [mailto:n.mavrogiannopoulos at gmail.com] On Behalf Of Nikos Mavrogiannopoulos Sent: Tuesday, July 16, 2013 4:35 AM To: Tatar, Matthew B. Cc: gnutls-devel at lists.gnutls.org Subject: Re: [gnutls-devel] gnutls for android On 07/15/2013 11:19 PM, Tatar, Matthew B. wrote: > I cannot find a way to search the archives of the mail list. So at > the risk of asking something oft asked. > > Has anyway successfully ported gnutls to Android? I'm in the process > now of attempting this, I have ported nettle and gmp using cross > compile with the ndk compiler. However now I cannot get gnutls to > build with the same method. I'm running into an issue where the > configure portion seems to fail because it cannot find install-sh or > install.sh in build-aux Hello, There is www.gmane.org where you can search this and other mailing lists. I have compiled gnutls on android using Cerbero [0]. regards, Nikos [0]. https://www.gitorious.org/gnutls/cerbero From ats at offog.org Tue Jul 16 17:45:29 2013 From: ats at offog.org (Adam Sampson) Date: Tue, 16 Jul 2013 16:45:29 +0100 Subject: [gnutls-devel] Parallel test bug in gnutls-3.2.2 In-Reply-To: <51E505EB.4090008@gnutls.org> References: <20130715194338.GN30225@cartman.at.offog.org> <51E505EB.4090008@gnutls.org> Message-ID: <20130716154529.GQ30225@cartman.at.offog.org> On Tue, Jul 16, 2013 at 10:35:55AM +0200, Nikos Mavrogiannopoulos wrote: > Or using socketpair() for all tests. Any patches are appreciated. Sounds like a good idea. Patches attached: - fix gdoc to make it work with Perl 5.18; - fix a typo in the old TCP error handling; - replace the TCP code with socketpair(). Note that while the socketpair() code only uses features in POSIX:2001, I've only tested it on Linux/glibc... DCO for Adam Sampson : Developer's Certificate of Origin 1.1 By making a contribution to this project, I certify that: (a) The contribution was created in whole or in part by me and I have the right to submit it under the open source license indicated in the file; or (b) The contribution is based upon previous work that, to the best of my knowledge, is covered under an appropriate open source license and I have the right under that license to submit that work with modifications, whether created in whole or in part by me, under the same open source license (unless I am permitted to submit under a different license), as indicated in the file; or (c) The contribution was provided directly to me by some other person who certified (a), (b) or (c) and I have not modified it. (d) I understand and agree that this project and the contribution are public and that a record of the contribution (including all personal information I submit with it, including my sign-off) is maintained indefinitely and may be redistributed consistent with this project or the open source license(s) involved. -- Adam Sampson -------------- next part -------------- From 24d15445a6851befcc7389493684856831a93c4c Mon Sep 17 00:00:00 2001 From: Adam Sampson Date: Tue, 16 Jul 2013 14:17:18 +0100 Subject: [PATCH 1/3] Avoid depending on hash order in gdoc. Previously, gdoc had a hash of regexp replacements for each output format, and applied the replacements in the order that "keys" returned for the hash. However, not all orders are safe -- and now that Perl 5.18 randomises hash order per-process, it only worked sometimes! For example, this order is OK: 'is a #gnutls_session_t structure.' '\@([A-Za-z0-9_]+)\s*' -> 'is a #gnutls_session_t structure.' '\%([A-Za-z0-9_]+)' -> 'is a #gnutls_session_t structure.' '\#([A-Za-z0-9_]+)' -> 'is a @code{gnutls_session_t} structure.' '([A-Za-z0-9_]+\(\))' -> 'is a @code{gnutls_session_t} structure.' This one, however, winds up producing invalid texinfo: 'is a #gnutls_session_t structure.' '\%([A-Za-z0-9_]+)' -> 'is a #gnutls_session_t structure.' '([A-Za-z0-9_]+\(\))' -> 'is a #gnutls_session_t structure.' '\#([A-Za-z0-9_]+)' -> 'is a @code{gnutls_session_t} structure.' '\@([A-Za-z0-9_]+)\s*' -> 'is a @code{code} {gnutls_session_t} structure.' This patch turns the hash into a list, so the replacements will always be done in the intended order. Signed-off-by: Adam Sampson --- doc/scripts/gdoc | 72 +++++++++++++++++++++++++++++--------------------------- 1 file changed, 37 insertions(+), 35 deletions(-) diff --git a/doc/scripts/gdoc b/doc/scripts/gdoc index 953cd57..dbe2efe 100755 --- a/doc/scripts/gdoc +++ b/doc/scripts/gdoc @@ -9,6 +9,8 @@ eval '(exit $?0)' && eval 'exec perl "$0" ${1+"$@"}' ## Copyright (c) 2001, 2002 Nikos Mavrogiannopoulos ## added -tex ## Copyright (c) 1998 Michael Zucchi +## Copyright (c) 2013 Adam Sampson +## made highlighting not depend on hash order, for Perl 5.18 # This program is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by @@ -145,46 +147,46 @@ $type_env = "(\\\$[A-Za-z0-9_]+)"; # One for each output format # these work fairly well -%highlights_html = ( $type_constant, '"$1"', - $type_func, '"$1"', - $type_struct, '"$1"', - $type_param, '" $1 "' ); + at highlights_html = ( [$type_constant, '"$1"'], + [$type_func, '"$1"'], + [$type_struct, '"$1"'], + [$type_param, '" $1 "'] ); $blankline_html = "

"; -%highlights_texinfo = ( $type_param, '" \@code{$1} "', - $type_constant, '"\@code{$1} "', - $type_func, '"\@code{$1} "', - $type_struct, '"\@code{$1} "', + at highlights_texinfo = ( [$type_param, '" \@code{$1} "'], + [$type_constant, '"\@code{$1} "'], + [$type_func, '"\@code{$1} "'], + [$type_struct, '"\@code{$1} "'], ); $blankline_texinfo = ""; -%highlights_tex = ( $type_param, '" {\\\bf $1} "', - $type_constant, '"{\\\it $1}"', - $type_func, '"{\\\bf $1}"', - $type_struct, '"{\\\it $1}"', + at highlights_tex = ( [$type_param, '" {\\\bf $1} "'], + [$type_constant, '"{\\\it $1}"'], + [$type_func, '"{\\\bf $1}"'], + [$type_struct, '"{\\\it $1}"'], ); $blankline_tex = "\\\\"; # sgml, docbook format -%highlights_sgml = ( $type_constant, '"$1"', - $type_func, '"$1"', - $type_struct, '"$1"', - $type_env, '"$1"', - $type_param, '" $1 "' ); + at highlights_sgml = ( [$type_constant, '"$1"'], + [$type_func, '"$1"'], + [$type_struct, '"$1"'], + [$type_env, '"$1"'], + [$type_param, '" $1 "'] ); $blankline_sgml = "\n"; # these are pretty rough -%highlights_man = ( $type_constant, '"\\\fB$1\\\fP"', - $type_func, '"\\\fB$1\\\fP"', - $type_struct, '"\\\fB$1\\\fP"', - $type_param, '" \\\fI$1\\\fP "' ); + at highlights_man = ( [$type_constant, '"\\\fB$1\\\fP"'], + [$type_func, '"\\\fB$1\\\fP"'], + [$type_struct, '"\\\fB$1\\\fP"'], + [$type_param, '" \\\fI$1\\\fP "'] ); $blankline_man = ""; # text-mode -%highlights_text = ( $type_constant, '"$1"', - $type_func, '"$1"', - $type_struct, '"$1"', - $type_param, '"$1 "' ); + at highlights_text = ( [$type_constant, '"$1"'], + [$type_func, '"$1"'], + [$type_struct, '"$1"'], + [$type_param, '"$1 "'] ); $blankline_text = ""; my $lineprefix = ""; @@ -205,7 +207,7 @@ if ($#ARGV==-1) { $verbose = 0; $output_mode = "man"; -%highlights = %highlights_man; + at highlights = @highlights_man; $blankline = $blankline_man; $modulename = "API Documentation"; $sourceversion = strftime "%Y-%m-%d", localtime; @@ -214,27 +216,27 @@ while ($ARGV[0] =~ m/^-(.*)/) { $cmd = shift @ARGV; if ($cmd eq "-html") { $output_mode = "html"; - %highlights = %highlights_html; + @highlights = @highlights_html; $blankline = $blankline_html; } elsif ($cmd eq "-man") { $output_mode = "man"; - %highlights = %highlights_man; + @highlights = @highlights_man; $blankline = $blankline_man; } elsif ($cmd eq "-tex") { $output_mode = "tex"; - %highlights = %highlights_tex; + @highlights = @highlights_tex; $blankline = $blankline_tex; } elsif ($cmd eq "-texinfo") { $output_mode = "texinfo"; - %highlights = %highlights_texinfo; + @highlights = @highlights_texinfo; $blankline = $blankline_texinfo; } elsif ($cmd eq "-text") { $output_mode = "text"; - %highlights = %highlights_text; + @highlights = @highlights_text; $blankline = $blankline_text; } elsif ($cmd eq "-docbook") { $output_mode = "sgml"; - %highlights = %highlights_sgml; + @highlights = @highlights_sgml; $blankline = $blankline_sgml; } elsif ($cmd eq "-listfunc") { $output_mode = "listfunc"; @@ -308,9 +310,9 @@ sub just_highlight { my $line; my $ret = ""; - foreach $pattern (keys %highlights) { - #print "scanning pattern $pattern ($highlights{$pattern})\n"; - my $replace = $highlights{$pattern}; + foreach $highlight (@highlights) { + my ($pattern, $replace) = @$highlight; + #print "scanning pattern $pattern ($replace)\n"; $contents =~ s/$pattern/$replace/gees; } foreach $line (split "\n", $contents) { -- 1.8.3 -------------- next part -------------- From 3523df705f69d8fe38b6791e95c0c39871244822 Mon Sep 17 00:00:00 2001 From: Adam Sampson Date: Tue, 16 Jul 2013 15:16:22 +0100 Subject: [PATCH 2/3] Detect socket() error responses correctly. The code was testing the wrong variable... Signed-off-by: Adam Sampson --- tests/anonself.c | 2 +- tests/dhepskself.c | 2 +- tests/openpgpself.c | 2 +- tests/pskself.c | 2 +- tests/resume-dtls.c | 2 +- tests/resume.c | 2 +- tests/x509dn.c | 2 +- tests/x509self.c | 2 +- 8 files changed, 8 insertions(+), 8 deletions(-) diff --git a/tests/anonself.c b/tests/anonself.c index 3aa8e6b..ef69d52 100644 --- a/tests/anonself.c +++ b/tests/anonself.c @@ -209,7 +209,7 @@ server_start (void) /* Socket operations */ listen_sd = socket (AF_INET, SOCK_STREAM, 0); - if (err == -1) + if (listen_sd == -1) { perror ("socket"); fail ("server: socket failed\n"); diff --git a/tests/dhepskself.c b/tests/dhepskself.c index 5ca7e99..18c0366 100644 --- a/tests/dhepskself.c +++ b/tests/dhepskself.c @@ -218,7 +218,7 @@ server_start (void) /* Socket operations */ listen_sd = socket (AF_INET, SOCK_STREAM, 0); - if (err == -1) + if (listen_sd == -1) { perror ("socket"); fail ("server: socket failed\n"); diff --git a/tests/openpgpself.c b/tests/openpgpself.c index fb30229..e904acc 100644 --- a/tests/openpgpself.c +++ b/tests/openpgpself.c @@ -493,7 +493,7 @@ server_start (void) /* Socket operations */ listen_sd = socket (AF_INET, SOCK_STREAM, 0); - if (err == -1) + if (listen_sd == -1) { perror ("socket"); fail ("server: socket failed\n"); diff --git a/tests/pskself.c b/tests/pskself.c index aa698df..e04914e 100644 --- a/tests/pskself.c +++ b/tests/pskself.c @@ -209,7 +209,7 @@ server_start (void) /* Socket operations */ listen_sd = socket (AF_INET, SOCK_STREAM, 0); - if (err == -1) + if (listen_sd == -1) { perror ("socket"); fail ("server: socket failed\n"); diff --git a/tests/resume-dtls.c b/tests/resume-dtls.c index 7fbe7b0..89b88d0 100644 --- a/tests/resume-dtls.c +++ b/tests/resume-dtls.c @@ -305,7 +305,7 @@ global_start (void) /* Socket operations */ listen_sd = socket (AF_INET, SOCK_STREAM, 0); - if (err == -1) + if (listen_sd == -1) { perror ("socket"); fail ("server: socket failed\n"); diff --git a/tests/resume.c b/tests/resume.c index 03b5164..a87e80f 100644 --- a/tests/resume.c +++ b/tests/resume.c @@ -296,7 +296,7 @@ global_start (void) /* Socket operations */ listen_sd = socket (AF_INET, SOCK_STREAM, 0); - if (err == -1) + if (listen_sd == -1) { perror ("socket"); fail ("server: socket failed\n"); diff --git a/tests/x509dn.c b/tests/x509dn.c index ff79fb8..81402d1 100644 --- a/tests/x509dn.c +++ b/tests/x509dn.c @@ -389,7 +389,7 @@ server_start (void) /* Socket operations */ listen_sd = socket (AF_INET, SOCK_STREAM, 0); - if (err == -1) + if (listen_sd == -1) { perror ("socket"); fail ("server: socket failed\n"); diff --git a/tests/x509self.c b/tests/x509self.c index 859a0b1..14b6f3b 100644 --- a/tests/x509self.c +++ b/tests/x509self.c @@ -351,7 +351,7 @@ server_start (void) /* Socket operations */ listen_sd = socket (AF_INET, SOCK_STREAM, 0); - if (err == -1) + if (listen_sd == -1) { perror ("socket"); fail ("server: socket failed\n"); -- 1.8.3 -------------- next part -------------- From 32f522843dd6402a6b82bfd1b136df10c7eb0ea5 Mon Sep 17 00:00:00 2001 From: Adam Sampson Date: Tue, 16 Jul 2013 16:22:37 +0100 Subject: [PATCH 3/3] Use socketpair() rather than TCP connections. Besides simplifying the code, this also makes it possible to run "make check" in parallel -- previously this didn't work because several tests were trying to bind the same port. Signed-off-by: Adam Sampson --- tests/anonself.c | 92 ++++++--------------------------- tests/dhepskself.c | 96 ++++++---------------------------- tests/openpgpself.c | 145 +++++++++++++++++----------------------------------- tests/pskself.c | 96 ++++++---------------------------- tests/resume-dtls.c | 113 ++++++++++++---------------------------- tests/resume.c | 113 ++++++++++++---------------------------- tests/x509dn.c | 95 +++++++--------------------------- tests/x509self.c | 98 +++++++---------------------------- 8 files changed, 196 insertions(+), 652 deletions(-) diff --git a/tests/anonself.c b/tests/anonself.c index ef69d52..c76e8ba 100644 --- a/tests/anonself.c +++ b/tests/anonself.c @@ -1,5 +1,6 @@ /* * Copyright (C) 2004-2012 Free Software Foundation, Inc. + * Copyright (C) 2013 Adam Sampson * * Author: Simon Josefsson * @@ -34,13 +35,10 @@ #include #if !defined(_WIN32) #include -#include #endif #include #include -#include "tcp.c" - #include "utils.h" static void @@ -56,9 +54,9 @@ tls_log_func (int level, const char *str) #define MSG "Hello TLS" static void -client (void) +client (int sd) { - int ret, sd, ii; + int ret, ii; gnutls_session_t session; char buffer[MAX_BUF + 1]; gnutls_anon_client_credentials_t anoncred; @@ -83,10 +81,6 @@ client (void) */ gnutls_credentials_set (session, GNUTLS_CRD_ANON, anoncred); - /* connect to the peer - */ - sd = tcp_connect (); - gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) sd); /* Perform the TLS handshake @@ -139,7 +133,7 @@ client (void) end: - tcp_close (sd); + close (sd); gnutls_deinit (session); @@ -151,9 +145,7 @@ end: /* This is a sample TLS 1.0 echo server, for anonymous authentication only. */ -#define SA struct sockaddr #define MAX_BUF 1024 -#define PORT 5556 /* listen to 5556 port */ #define DH_BITS 1024 /* These are global */ @@ -193,59 +185,14 @@ generate_dh_params (void) return gnutls_dh_params_import_pkcs3 (dh_params, &p3, GNUTLS_X509_FMT_PEM); } -int err, listen_sd, i; -int sd, ret; -struct sockaddr_in sa_serv; -struct sockaddr_in sa_cli; -socklen_t client_len; +int err, ret; char topbuf[512]; gnutls_session_t session; char buffer[MAX_BUF + 1]; int optval = 1; static void -server_start (void) -{ - /* Socket operations - */ - listen_sd = socket (AF_INET, SOCK_STREAM, 0); - if (listen_sd == -1) - { - perror ("socket"); - fail ("server: socket failed\n"); - return; - } - - memset (&sa_serv, '\0', sizeof (sa_serv)); - sa_serv.sin_family = AF_INET; - sa_serv.sin_addr.s_addr = INADDR_ANY; - sa_serv.sin_port = htons (PORT); /* Server Port number */ - - setsockopt (listen_sd, SOL_SOCKET, SO_REUSEADDR, (void *) &optval, - sizeof (int)); - - err = bind (listen_sd, (SA *) & sa_serv, sizeof (sa_serv)); - if (err == -1) - { - perror ("bind"); - fail ("server: bind failed\n"); - return; - } - - err = listen (listen_sd, 1024); - if (err == -1) - { - perror ("listen"); - fail ("server: listen failed\n"); - return; - } - - if (debug) - success ("server: ready. Listening to port '%d'.\n", PORT); -} - -static void -server (void) +server (int sd) { /* this must be called once in the program */ @@ -264,17 +211,8 @@ server (void) gnutls_anon_set_server_dh_params (anoncred, dh_params); - client_len = sizeof (sa_cli); - session = initialize_tls_session (); - sd = accept (listen_sd, (SA *) & sa_cli, &client_len); - - if (debug) - success ("server: connection from %s, port %d\n", - inet_ntop (AF_INET, &sa_cli.sin_addr, topbuf, - sizeof (topbuf)), ntohs (sa_cli.sin_port)); - gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) sd); ret = gnutls_handshake (session); if (ret < 0) @@ -295,7 +233,6 @@ server (void) /* see the Getting peer's information example */ /* print_info(session); */ - i = 0; for (;;) { memset (buffer, 0, MAX_BUF + 1); @@ -326,8 +263,6 @@ server (void) close (sd); gnutls_deinit (session); - close (listen_sd); - gnutls_anon_free_server_credentials (anoncred); gnutls_dh_params_deinit (dh_params); @@ -342,10 +277,15 @@ void doit (void) { pid_t child; + int sockets[2]; - server_start (); - if (error_count) - return; + err = socketpair (AF_UNIX, SOCK_STREAM, 0, sockets); + if (err == -1) + { + perror ("socketpair"); + fail ("socketpair failed\n"); + return; + } child = fork (); if (child < 0) @@ -359,9 +299,9 @@ doit (void) { int status; /* parent */ - server (); + server (sockets[0]); wait (&status); } else - client (); + client (sockets[1]); } diff --git a/tests/dhepskself.c b/tests/dhepskself.c index 18c0366..854a711 100644 --- a/tests/dhepskself.c +++ b/tests/dhepskself.c @@ -1,5 +1,6 @@ /* * Copyright (C) 2004-2012 Free Software Foundation, Inc. + * Copyright (C) 2013 Adam Sampson * * Author: Simon Josefsson * @@ -33,14 +34,10 @@ #include #if !defined(_WIN32) #include -#include -#include #endif #include #include -#include "tcp.c" - #include "utils.h" /* A very basic TLS client, with PSK authentication. @@ -56,9 +53,9 @@ tls_log_func (int level, const char *str) } static void -client (void) +client (int sd) { - int ret, sd, ii; + int ret, ii; gnutls_session_t session; char buffer[MAX_BUF + 1]; gnutls_psk_client_credentials_t pskcred; @@ -85,10 +82,6 @@ client (void) */ gnutls_credentials_set (session, GNUTLS_CRD_PSK, pskcred); - /* connect to the peer - */ - sd = tcp_connect (); - gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) sd); /* Perform the TLS handshake @@ -134,7 +127,7 @@ client (void) end: - tcp_close (sd); + close (sd); gnutls_deinit (session); @@ -146,9 +139,7 @@ end: /* This is a sample TLS 1.0 echo server, for PSK authentication. */ -#define SA struct sockaddr #define MAX_BUF 1024 -#define PORT 5556 /* listen to 5556 port */ /* These are global */ gnutls_psk_server_credentials_t server_pskcred; @@ -199,62 +190,14 @@ pskfunc (gnutls_session_t session, const char *username, gnutls_datum_t * key) return 0; } -int err, listen_sd, i; -int sd, ret; -struct sockaddr_in sa_serv; -struct sockaddr_in sa_cli; -socklen_t client_len; +int err, ret; char topbuf[512]; gnutls_session_t session; char buffer[MAX_BUF + 1]; int optval = 1; static void -server_start (void) -{ - if (debug) - success ("Launched, generating DH parameters...\n"); - - /* Socket operations - */ - listen_sd = socket (AF_INET, SOCK_STREAM, 0); - if (listen_sd == -1) - { - perror ("socket"); - fail ("server: socket failed\n"); - return; - } - - memset (&sa_serv, '\0', sizeof (sa_serv)); - sa_serv.sin_family = AF_INET; - sa_serv.sin_addr.s_addr = INADDR_ANY; - sa_serv.sin_port = htons (PORT); /* Server Port number */ - - setsockopt (listen_sd, SOL_SOCKET, SO_REUSEADDR, (void *) &optval, - sizeof (int)); - - err = bind (listen_sd, (SA *) & sa_serv, sizeof (sa_serv)); - if (err == -1) - { - perror ("bind"); - fail ("server: bind failed\n"); - return; - } - - err = listen (listen_sd, 1024); - if (err == -1) - { - perror ("listen"); - fail ("server: listen failed\n"); - return; - } - - if (debug) - success ("server: ready. Listening to port '%d'.\n", PORT); -} - -static void -server (void) +server (int sd) { /* this must be called once in the program */ @@ -270,17 +213,8 @@ server (void) gnutls_psk_set_server_credentials_function (server_pskcred, pskfunc); gnutls_psk_set_server_dh_params (server_pskcred, dh_params); - client_len = sizeof (sa_cli); - session = initialize_tls_session (); - sd = accept (listen_sd, (SA *) & sa_cli, &client_len); - - if (debug) - success ("server: connection from %s, port %d\n", - inet_ntop (AF_INET, &sa_cli.sin_addr, topbuf, - sizeof (topbuf)), ntohs (sa_cli.sin_port)); - gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) sd); ret = gnutls_handshake (session); if (ret < 0) @@ -296,7 +230,6 @@ server (void) /* see the Getting peer's information example */ /* print_info(session); */ - i = 0; for (;;) { memset (buffer, 0, MAX_BUF + 1); @@ -327,8 +260,6 @@ server (void) close (sd); gnutls_deinit (session); - close (listen_sd); - gnutls_psk_free_server_credentials (server_pskcred); gnutls_dh_params_deinit (dh_params); @@ -343,10 +274,15 @@ void doit (void) { pid_t child; + int sockets[2]; - server_start (); - if (error_count) - return; + err = socketpair (AF_UNIX, SOCK_STREAM, 0, sockets); + if (err == -1) + { + perror ("socketpair"); + fail ("socketpair failed\n"); + return; + } child = fork (); if (child < 0) @@ -360,9 +296,9 @@ doit (void) { int status; /* parent */ - server (); + server (sockets[0]); wait (&status); } else - client (); + client (sockets[1]); } diff --git a/tests/openpgpself.c b/tests/openpgpself.c index e904acc..9c21117 100644 --- a/tests/openpgpself.c +++ b/tests/openpgpself.c @@ -1,5 +1,6 @@ /* * Copyright (C) 2004-2012 Free Software Foundation, Inc. + * Copyright (C) 2013 Adam Sampson * * Author: Simon Josefsson * @@ -32,9 +33,7 @@ #include #include #if !defined(_WIN32) -#include #include -#include #endif #include #include @@ -44,7 +43,6 @@ #include "ex-session-info.c" #include "ex-x509-info.c" -#include "tcp.c" pid_t child; @@ -57,6 +55,7 @@ tls_log_func (int level, const char *str) /* A very basic TLS client, with anonymous authentication. */ +#define SESSIONS 2 #define MAX_BUF 1024 #define MSG "Hello TLS" @@ -132,9 +131,9 @@ const gnutls_datum_t key = { key_txt, sizeof (key_txt) }; static void -client (void) +client (int sds[]) { - int ret, sd, ii, j; + int ret, ii, j; gnutls_session_t session; char buffer[MAX_BUF + 1]; gnutls_certificate_credentials_t xcred; @@ -160,9 +159,9 @@ client (void) return; } - for (j = 0; j < 2; j++) + for (j = 0; j < SESSIONS; j++) { - + int sd = sds[j]; /* Initialize TLS session */ @@ -175,12 +174,6 @@ client (void) */ gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred); - /* connect to the peer - */ - if (debug) - success ("Connecting...\n"); - sd = tcp_connect (); - gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) sd); /* Perform the TLS handshake @@ -234,8 +227,7 @@ client (void) gnutls_bye (session, GNUTLS_SHUT_RDWR); - - tcp_close (sd); + close (sd); gnutls_deinit (session); @@ -251,9 +243,7 @@ end: /* This is a sample TLS 1.0 echo server, using X.509 authentication. */ -#define SA struct sockaddr #define MAX_BUF 1024 -#define PORT 5556 /* listen to 5556 port */ #define DH_BITS 1024 /* These are global */ @@ -297,11 +287,7 @@ generate_dh_params (void) return gnutls_dh_params_import_pkcs3 (dh_params, &p3, GNUTLS_X509_FMT_PEM); } -int err, listen_sd, i; -int sd, ret; -struct sockaddr_in sa_serv; -struct sockaddr_in sa_cli; -socklen_t client_len; +int err, ret; char topbuf[512]; gnutls_session_t session; char buffer[MAX_BUF + 1]; @@ -488,48 +474,7 @@ const gnutls_datum_t key2048 = { key2048_txt, sizeof (key2048_txt) }; static void -server_start (void) -{ - /* Socket operations - */ - listen_sd = socket (AF_INET, SOCK_STREAM, 0); - if (listen_sd == -1) - { - perror ("socket"); - fail ("server: socket failed\n"); - return; - } - - memset (&sa_serv, '\0', sizeof (sa_serv)); - sa_serv.sin_family = AF_INET; - sa_serv.sin_addr.s_addr = INADDR_ANY; - sa_serv.sin_port = htons (PORT); /* Server Port number */ - - setsockopt (listen_sd, SOL_SOCKET, SO_REUSEADDR, (void *) &optval, - sizeof (int)); - - err = bind (listen_sd, (SA *) & sa_serv, sizeof (sa_serv)); - if (err == -1) - { - perror ("bind"); - fail ("server: bind failed\n"); - return; - } - - err = listen (listen_sd, 1024); - if (err == -1) - { - perror ("listen"); - fail ("server: listen failed\n"); - return; - } - - if (debug) - success ("server: ready. Listening to port '%d'.\n", PORT); -} - -static void -server (void) +server (int sds[]) { int j; /* this must be called once in the program @@ -545,25 +490,25 @@ server (void) generate_dh_params (); - client_len = sizeof (sa_cli); - - for (j = 0; j < 2; j++) + for (j = 0; j < SESSIONS; j++) { - if (j==0) - { - gnutls_certificate_allocate_credentials (&pgp_cred); - ret = gnutls_certificate_set_openpgp_key_mem2 (pgp_cred, &server_crt, - &server_key, "auto", - GNUTLS_OPENPGP_FMT_BASE64); - } - else - { - gnutls_certificate_free_credentials (pgp_cred); - gnutls_certificate_allocate_credentials (&pgp_cred); - ret = - gnutls_certificate_set_openpgp_key_mem2 (pgp_cred, &cert2048, &key2048, - "auto", GNUTLS_OPENPGP_FMT_BASE64); - } + int sd = sds[j]; + + if (j == 0) + { + gnutls_certificate_allocate_credentials (&pgp_cred); + ret = gnutls_certificate_set_openpgp_key_mem2 (pgp_cred, &server_crt, + &server_key, "auto", + GNUTLS_OPENPGP_FMT_BASE64); + } + else + { + gnutls_certificate_free_credentials (pgp_cred); + gnutls_certificate_allocate_credentials (&pgp_cred); + ret = + gnutls_certificate_set_openpgp_key_mem2 (pgp_cred, &cert2048, &key2048, + "auto", GNUTLS_OPENPGP_FMT_BASE64); + } if (ret < 0) { @@ -575,13 +520,6 @@ server (void) session = initialize_tls_session (); - sd = accept (listen_sd, (SA *) & sa_cli, &client_len); - - if (debug) - success ("server: connection from %s, port %d\n", - inet_ntop (AF_INET, &sa_cli.sin_addr, topbuf, - sizeof (topbuf)), ntohs (sa_cli.sin_port)); - gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) sd); ret = gnutls_handshake (session); if (ret < 0) @@ -604,7 +542,6 @@ server (void) if (debug) print_info (session); - i = 0; for (;;) { memset (buffer, 0, MAX_BUF + 1); @@ -637,8 +574,6 @@ server (void) } end: - close (listen_sd); - gnutls_certificate_free_credentials (pgp_cred); gnutls_dh_params_deinit (dh_params); @@ -649,13 +584,27 @@ end: success ("server: finished\n"); } - void doit (void) { - server_start (); - if (error_count) - return; + int client_sds[SESSIONS], server_sds[SESSIONS]; + int i; + + for (i = 0; i < SESSIONS; i++) + { + int sockets[2]; + + err = socketpair (AF_UNIX, SOCK_STREAM, 0, sockets); + if (err == -1) + { + perror ("socketpair"); + fail ("socketpair failed\n"); + return; + } + + server_sds[i] = sockets[0]; + client_sds[i] = sockets[1]; + } child = fork (); if (child < 0) @@ -669,9 +618,9 @@ doit (void) { int status; /* parent */ - server (); + server (server_sds); wait (&status); } else - client (); + client (client_sds); } diff --git a/tests/pskself.c b/tests/pskself.c index e04914e..96ad965 100644 --- a/tests/pskself.c +++ b/tests/pskself.c @@ -1,5 +1,6 @@ /* * Copyright (C) 2004-2012 Free Software Foundation, Inc. + * Copyright (C) 2013 Adam Sampson * * Author: Simon Josefsson * @@ -33,14 +34,10 @@ #include #if !defined(_WIN32) #include -#include -#include #endif #include #include -#include "tcp.c" - #include "utils.h" /* A very basic TLS client, with PSK authentication. @@ -58,9 +55,9 @@ tls_log_func (int level, const char *str) #define MSG "Hello TLS" static void -client (void) +client (int sd) { - int ret, sd, ii; + int ret, ii; gnutls_session_t session; char buffer[MAX_BUF + 1]; gnutls_psk_client_credentials_t pskcred; @@ -89,10 +86,6 @@ client (void) */ gnutls_credentials_set (session, GNUTLS_CRD_PSK, pskcred); - /* connect to the peer - */ - sd = tcp_connect (); - gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) sd); /* Perform the TLS handshake @@ -140,7 +133,7 @@ client (void) end: - tcp_close (sd); + close (sd); gnutls_deinit (session); @@ -152,9 +145,7 @@ end: /* This is a sample TLS 1.0 echo server, for PSK authentication. */ -#define SA struct sockaddr #define MAX_BUF 1024 -#define PORT 5556 /* listen to 5556 port */ /* These are global */ gnutls_psk_server_credentials_t server_pskcred; @@ -190,62 +181,14 @@ pskfunc (gnutls_session_t session, const char *username, gnutls_datum_t * key) return 0; } -int err, listen_sd, i; -int sd, ret; -struct sockaddr_in sa_serv; -struct sockaddr_in sa_cli; -socklen_t client_len; +int err, ret; char topbuf[512]; gnutls_session_t session; char buffer[MAX_BUF + 1]; int optval = 1; static void -server_start (void) -{ - if (debug) - success ("Launched...\n"); - - /* Socket operations - */ - listen_sd = socket (AF_INET, SOCK_STREAM, 0); - if (listen_sd == -1) - { - perror ("socket"); - fail ("server: socket failed\n"); - return; - } - - memset (&sa_serv, '\0', sizeof (sa_serv)); - sa_serv.sin_family = AF_INET; - sa_serv.sin_addr.s_addr = INADDR_ANY; - sa_serv.sin_port = htons (PORT); /* Server Port number */ - - setsockopt (listen_sd, SOL_SOCKET, SO_REUSEADDR, (void *) &optval, - sizeof (int)); - - err = bind (listen_sd, (SA *) & sa_serv, sizeof (sa_serv)); - if (err == -1) - { - perror ("bind"); - fail ("server: bind failed\n"); - return; - } - - err = listen (listen_sd, 1024); - if (err == -1) - { - perror ("listen"); - fail ("server: listen failed\n"); - return; - } - - if (debug) - success ("server: ready. Listening to port '%d'.\n", PORT); -} - -static void -server (void) +server (int sd) { /* this must be called once in the program */ @@ -259,17 +202,8 @@ server (void) gnutls_psk_allocate_server_credentials (&server_pskcred); gnutls_psk_set_server_credentials_function (server_pskcred, pskfunc); - client_len = sizeof (sa_cli); - session = initialize_tls_session (); - sd = accept (listen_sd, (SA *) & sa_cli, &client_len); - - if (debug) - success ("server: connection from %s, port %d\n", - inet_ntop (AF_INET, &sa_cli.sin_addr, topbuf, - sizeof (topbuf)), ntohs (sa_cli.sin_port)); - gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) sd); ret = gnutls_handshake (session); if (ret < 0) @@ -285,7 +219,6 @@ server (void) /* see the Getting peer's information example */ /* print_info(session); */ - i = 0; for (;;) { memset (buffer, 0, MAX_BUF + 1); @@ -316,8 +249,6 @@ server (void) close (sd); gnutls_deinit (session); - close (listen_sd); - gnutls_psk_free_server_credentials (server_pskcred); gnutls_global_deinit (); @@ -330,10 +261,15 @@ void doit (void) { pid_t child; + int sockets[2]; - server_start (); - if (error_count) - return; + err = socketpair (AF_UNIX, SOCK_STREAM, 0, sockets); + if (err == -1) + { + perror ("socketpair"); + fail ("socketpair failed\n"); + return; + } child = fork (); if (child < 0) @@ -347,9 +283,9 @@ doit (void) { int status; /* parent */ - server (); + server (sockets[0]); wait (&status); } else - client (); + client (sockets[1]); } diff --git a/tests/resume-dtls.c b/tests/resume-dtls.c index 89b88d0..aa28b74 100644 --- a/tests/resume-dtls.c +++ b/tests/resume-dtls.c @@ -1,5 +1,6 @@ /* * Copyright (C) 2004-2012 Free Software Foundation, Inc. + * Copyright (C) 2013 Adam Sampson * * Author: Nikos Mavrogiannopoulos * @@ -33,8 +34,6 @@ #include #if !defined(_WIN32) #include -#include -#include #endif #include #include @@ -48,8 +47,6 @@ int main() #else -#include "tcp.c" - #include "utils.h" static void wrap_db_init (void); @@ -82,6 +79,7 @@ struct params_res resume_tests[] = { /* A very basic TLS client, with anonymous authentication. */ +#define SESSIONS 2 #define MAX_BUF 5*1024 #define MSG "Hello TLS" @@ -92,9 +90,9 @@ tls_log_func (int level, const char *str) } static void -client (struct params_res *params) +client (int sds[], struct params_res *params) { - int ret, sd, ii; + int ret, ii; gnutls_session_t session; char buffer[MAX_BUF + 1]; gnutls_anon_client_credentials_t anoncred; @@ -114,11 +112,9 @@ client (struct params_res *params) gnutls_anon_allocate_client_credentials (&anoncred); - for (t = 0; t < 2; t++) - { /* connect 2 times to the server */ - /* connect to the peer - */ - sd = tcp_connect (); + for (t = 0; t < SESSIONS; t++) + { + int sd = sds[t]; /* Initialize TLS session */ @@ -223,8 +219,7 @@ client (struct params_res *params) gnutls_bye (session, GNUTLS_SHUT_RDWR); - - tcp_close (sd); + close (sd); gnutls_deinit (session); } @@ -236,8 +231,6 @@ end: /* This is a sample TLS 1.0 echo server, for anonymous authentication only. */ -#define SA struct sockaddr -#define PORT 5556 /* listen to 5556 port */ #define DH_BITS 1024 /* These are global */ @@ -289,58 +282,13 @@ generate_dh_params (void) return gnutls_dh_params_import_pkcs3 (dh_params, &p3, GNUTLS_X509_FMT_PEM); } -int err, listen_sd, i; -int sd, ret; -struct sockaddr_in sa_serv; -struct sockaddr_in sa_cli; -socklen_t client_len; +int err, ret; char topbuf[512]; gnutls_session_t session; char buffer[MAX_BUF + 1]; int optval = 1; static void -global_start (void) -{ - /* Socket operations - */ - listen_sd = socket (AF_INET, SOCK_STREAM, 0); - if (listen_sd == -1) - { - perror ("socket"); - fail ("server: socket failed\n"); - return; - } - - memset (&sa_serv, '\0', sizeof (sa_serv)); - sa_serv.sin_family = AF_INET; - sa_serv.sin_addr.s_addr = INADDR_ANY; - sa_serv.sin_port = htons (PORT); /* Server Port number */ - - setsockopt (listen_sd, SOL_SOCKET, SO_REUSEADDR, (void *) &optval, - sizeof (int)); - - err = bind (listen_sd, (SA *) & sa_serv, sizeof (sa_serv)); - if (err == -1) - { - perror ("bind"); - fail ("server: bind failed\n"); - return; - } - - err = listen (listen_sd, 1024); - if (err == -1) - { - perror ("listen"); - fail ("server: listen failed\n"); - return; - } - - if (debug) - success ("server: ready. Listening to port '%d'.\n", PORT); -} - -static void global_stop (void) { if (debug) @@ -351,12 +299,10 @@ global_stop (void) gnutls_dh_params_deinit (dh_params); gnutls_global_deinit (); - - shutdown (listen_sd, SHUT_RDWR); } static void -server (struct params_res *params) +server (int sds[], struct params_res *params) { size_t t; @@ -386,19 +332,12 @@ server (struct params_res *params) if (params->enable_session_ticket_server) gnutls_session_ticket_key_generate (&session_ticket_key); - for (t = 0; t < 2; t++) + for (t = 0; t < SESSIONS; t++) { - client_len = sizeof (sa_cli); + int sd = sds[t]; session = initialize_tls_session (params); - sd = accept (listen_sd, (SA *) & sa_cli, &client_len); - - if (debug) - success ("server: connection from %s, port %d\n", - inet_ntop (AF_INET, &sa_cli.sin_addr, topbuf, - sizeof (topbuf)), ntohs (sa_cli.sin_port)); - gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) sd); ret = gnutls_handshake (session); if (ret < 0) @@ -415,7 +354,6 @@ server (struct params_res *params) /* see the Getting peer's information example */ /* print_info(session); */ - i = 0; for (;;) { memset (buffer, 0, MAX_BUF + 1); @@ -448,8 +386,6 @@ server (struct params_res *params) gnutls_deinit (session); } - close (listen_sd); - if (params->enable_db) { wrap_db_deinit (); @@ -469,11 +405,26 @@ doit (void) for (i = 0; resume_tests[i].desc; i++) { + int client_sds[SESSIONS], server_sds[SESSIONS]; + int j; + printf ("%s\n", resume_tests[i].desc); - global_start (); - if (error_count) - return; + for (j = 0; j < SESSIONS; j++) + { + int sockets[2]; + + err = socketpair (AF_UNIX, SOCK_STREAM, 0, sockets); + if (err == -1) + { + perror ("socketpair"); + fail ("socketpair failed\n"); + return; + } + + server_sds[j] = sockets[0]; + client_sds[j] = sockets[1]; + } child = fork (); if (child < 0) @@ -487,7 +438,7 @@ doit (void) { int status; /* parent */ - server (&resume_tests[i]); + server (server_sds, &resume_tests[i]); wait (&status); if (WEXITSTATUS(status) > 0) error_count++; @@ -495,7 +446,7 @@ doit (void) } else { - client (&resume_tests[i]); + client (client_sds, &resume_tests[i]); gnutls_global_deinit (); if (error_count) exit(1); diff --git a/tests/resume.c b/tests/resume.c index a87e80f..b0d137b 100644 --- a/tests/resume.c +++ b/tests/resume.c @@ -1,5 +1,6 @@ /* * Copyright (C) 2004-2012 Free Software Foundation, Inc. + * Copyright (C) 2013 Adam Sampson * * Author: Simon Josefsson * @@ -33,14 +34,10 @@ #include #if !defined(_WIN32) #include -#include -#include #endif #include #include -#include "tcp.c" - #include "utils.h" static void wrap_db_init (void); @@ -73,6 +70,7 @@ struct params_res resume_tests[] = { /* A very basic TLS client, with anonymous authentication. */ +#define SESSIONS 2 #define MAX_BUF 5*1024 #define MSG "Hello TLS" @@ -83,9 +81,9 @@ tls_log_func (int level, const char *str) } static void -client (struct params_res *params) +client (int sds[], struct params_res *params) { - int ret, sd, ii; + int ret, ii; gnutls_session_t session; char buffer[MAX_BUF + 1]; gnutls_anon_client_credentials_t anoncred; @@ -105,11 +103,9 @@ client (struct params_res *params) gnutls_anon_allocate_client_credentials (&anoncred); - for (t = 0; t < 2; t++) - { /* connect 2 times to the server */ - /* connect to the peer - */ - sd = tcp_connect (); + for (t = 0; t < SESSIONS; t++) + { + int sd = sds[t]; /* Initialize TLS session */ @@ -214,8 +210,7 @@ client (struct params_res *params) gnutls_bye (session, GNUTLS_SHUT_RDWR); - - tcp_close (sd); + close (sd); gnutls_deinit (session); } @@ -227,8 +222,6 @@ end: /* This is a sample TLS 1.0 echo server, for anonymous authentication only. */ -#define SA struct sockaddr -#define PORT 5556 /* listen to 5556 port */ #define DH_BITS 1024 /* These are global */ @@ -280,58 +273,13 @@ generate_dh_params (void) return gnutls_dh_params_import_pkcs3 (dh_params, &p3, GNUTLS_X509_FMT_PEM); } -int err, listen_sd, i; -int sd, ret; -struct sockaddr_in sa_serv; -struct sockaddr_in sa_cli; -socklen_t client_len; +int err, ret; char topbuf[512]; gnutls_session_t session; char buffer[MAX_BUF + 1]; int optval = 1; static void -global_start (void) -{ - /* Socket operations - */ - listen_sd = socket (AF_INET, SOCK_STREAM, 0); - if (listen_sd == -1) - { - perror ("socket"); - fail ("server: socket failed\n"); - return; - } - - memset (&sa_serv, '\0', sizeof (sa_serv)); - sa_serv.sin_family = AF_INET; - sa_serv.sin_addr.s_addr = INADDR_ANY; - sa_serv.sin_port = htons (PORT); /* Server Port number */ - - setsockopt (listen_sd, SOL_SOCKET, SO_REUSEADDR, (void *) &optval, - sizeof (int)); - - err = bind (listen_sd, (SA *) & sa_serv, sizeof (sa_serv)); - if (err == -1) - { - perror ("bind"); - fail ("server: bind failed\n"); - return; - } - - err = listen (listen_sd, 1024); - if (err == -1) - { - perror ("listen"); - fail ("server: listen failed\n"); - return; - } - - if (debug) - success ("server: ready. Listening to port '%d'.\n", PORT); -} - -static void global_stop (void) { if (debug) @@ -342,12 +290,10 @@ global_stop (void) gnutls_dh_params_deinit (dh_params); gnutls_global_deinit (); - - shutdown (listen_sd, SHUT_RDWR); } static void -server (struct params_res *params) +server (int sds[], struct params_res *params) { size_t t; @@ -377,19 +323,12 @@ server (struct params_res *params) if (params->enable_session_ticket_server) gnutls_session_ticket_key_generate (&session_ticket_key); - for (t = 0; t < 2; t++) + for (t = 0; t < SESSIONS; t++) { - client_len = sizeof (sa_cli); + int sd = sds[t]; session = initialize_tls_session (params); - sd = accept (listen_sd, (SA *) & sa_cli, &client_len); - - if (debug) - success ("server: connection from %s, port %d\n", - inet_ntop (AF_INET, &sa_cli.sin_addr, topbuf, - sizeof (topbuf)), ntohs (sa_cli.sin_port)); - gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) sd); ret = gnutls_handshake (session); if (ret < 0) @@ -406,7 +345,6 @@ server (struct params_res *params) /* see the Getting peer's information example */ /* print_info(session); */ - i = 0; for (;;) { memset (buffer, 0, MAX_BUF + 1); @@ -439,8 +377,6 @@ server (struct params_res *params) gnutls_deinit (session); } - close (listen_sd); - if (params->enable_db) { wrap_db_deinit (); @@ -460,11 +396,26 @@ doit (void) for (i = 0; resume_tests[i].desc; i++) { + int client_sds[SESSIONS], server_sds[SESSIONS]; + int j; + printf ("%s\n", resume_tests[i].desc); - global_start (); - if (error_count) - return; + for (j = 0; j < SESSIONS; j++) + { + int sockets[2]; + + err = socketpair (AF_UNIX, SOCK_STREAM, 0, sockets); + if (err == -1) + { + perror ("socketpair"); + fail ("socketpair failed\n"); + return; + } + + server_sds[j] = sockets[0]; + client_sds[j] = sockets[1]; + } child = fork (); if (child < 0) @@ -478,7 +429,7 @@ doit (void) { int status; /* parent */ - server (&resume_tests[i]); + server (server_sds, &resume_tests[i]); wait (&status); if (WEXITSTATUS(status) > 0) error_count++; @@ -486,7 +437,7 @@ doit (void) } else { - client (&resume_tests[i]); + client (client_sds, &resume_tests[i]); gnutls_global_deinit (); if (error_count) exit(1); diff --git a/tests/x509dn.c b/tests/x509dn.c index 81402d1..af41083 100644 --- a/tests/x509dn.c +++ b/tests/x509dn.c @@ -1,5 +1,6 @@ /* * Copyright (C) 2004-2012 Free Software Foundation, Inc. + * Copyright (C) 2013 Adam Sampson * * Author: Simon Josefsson * @@ -32,9 +33,7 @@ #include #include #if !defined(_WIN32) -# include -# include -# include +#include #endif #include #include @@ -44,7 +43,6 @@ #include "ex-session-info.c" #include "ex-x509-info.c" -#include "tcp.c" pid_t child; @@ -181,9 +179,9 @@ cert_callback (gnutls_session_t session, static void -client (void) +client (int sd) { - int ret, sd, ii; + int ret, ii; gnutls_session_t session; char buffer[MAX_BUF + 1]; gnutls_certificate_credentials_t xcred; @@ -213,10 +211,6 @@ client (void) */ gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred); - /* connect to the peer - */ - sd = tcp_connect (); - gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) sd); /* Perform the TLS handshake @@ -273,7 +267,7 @@ client (void) end: - tcp_close (sd); + close (sd); gnutls_deinit (session); @@ -285,9 +279,7 @@ end: /* This is a sample TLS 1.0 echo server, using X.509 authentication. */ -#define SA struct sockaddr #define MAX_BUF 1024 -#define PORT 5556 /* listen to 5556 port */ #define DH_BITS 1024 /* These are global */ @@ -331,11 +323,7 @@ generate_dh_params (void) return gnutls_dh_params_import_pkcs3 (dh_params, &p3, GNUTLS_X509_FMT_PEM); } -int err, listen_sd, i; -int sd, ret; -struct sockaddr_in sa_serv; -struct sockaddr_in sa_cli; -socklen_t client_len; +int err, ret; char topbuf[512]; gnutls_session_t session; char buffer[MAX_BUF + 1]; @@ -384,48 +372,7 @@ const gnutls_datum_t server_key = { server_key_pem, }; static void -server_start (void) -{ - /* Socket operations - */ - listen_sd = socket (AF_INET, SOCK_STREAM, 0); - if (listen_sd == -1) - { - perror ("socket"); - fail ("server: socket failed\n"); - return; - } - - memset (&sa_serv, '\0', sizeof (sa_serv)); - sa_serv.sin_family = AF_INET; - sa_serv.sin_addr.s_addr = INADDR_ANY; - sa_serv.sin_port = htons (PORT); /* Server Port number */ - - setsockopt (listen_sd, SOL_SOCKET, SO_REUSEADDR, (void *) &optval, - sizeof (int)); - - err = bind (listen_sd, (SA *) & sa_serv, sizeof (sa_serv)); - if (err == -1) - { - perror ("bind"); - fail ("server: bind failed\n"); - return; - } - - err = listen (listen_sd, 1024); - if (err == -1) - { - perror ("listen"); - fail ("server: listen failed\n"); - return; - } - - if (debug) - success ("server: ready. Listening to port '%d'.\n", PORT); -} - -static void -server (void) +server (int sd) { /* this must be called once in the program */ @@ -448,17 +395,8 @@ server (void) gnutls_certificate_set_dh_params (x509_cred, dh_params); - client_len = sizeof (sa_cli); - session = initialize_tls_session (); - sd = accept (listen_sd, (SA *) & sa_cli, &client_len); - - if (debug) - success ("server: connection from %s, port %d\n", - inet_ntop (AF_INET, &sa_cli.sin_addr, topbuf, - sizeof (topbuf)), ntohs (sa_cli.sin_port)); - gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) sd); ret = gnutls_handshake (session); if (ret < 0) @@ -480,7 +418,6 @@ server (void) if (debug) print_info (session); - i = 0; for (;;) { memset (buffer, 0, MAX_BUF + 1); @@ -511,8 +448,6 @@ server (void) close (sd); gnutls_deinit (session); - close (listen_sd); - gnutls_certificate_free_credentials (x509_cred); gnutls_dh_params_deinit (dh_params); @@ -527,9 +462,15 @@ server (void) void doit (void) { - server_start (); - if (error_count) - return; + int sockets[2]; + + err = socketpair (AF_UNIX, SOCK_STREAM, 0, sockets); + if (err == -1) + { + perror ("socketpair"); + fail ("socketpair failed\n"); + return; + } child = fork (); if (child < 0) @@ -543,7 +484,7 @@ doit (void) { int status; /* parent */ - server (); + server (sockets[0]); wait (&status); #if defined WIFEXITED && defined WEXITSTATUS @@ -564,5 +505,5 @@ doit (void) } else - client (); + client (sockets[1]); } diff --git a/tests/x509self.c b/tests/x509self.c index 14b6f3b..e0b55f0 100644 --- a/tests/x509self.c +++ b/tests/x509self.c @@ -1,5 +1,6 @@ /* * Copyright (C) 2004-2012 Free Software Foundation, Inc. + * Copyright (C) 2013 Adam Sampson * * Author: Simon Josefsson * @@ -30,11 +31,9 @@ #include #include #include -# include +#include #if !defined(_WIN32) -# include -# include -# include +#include #endif #include #include @@ -43,7 +42,6 @@ #include "ex-session-info.c" #include "ex-x509-info.c" -#include "tcp.c" pid_t child; @@ -110,9 +108,9 @@ static unsigned char key_pem[] = const gnutls_datum_t key = { key_pem, sizeof (key_pem) }; static void -client (void) +client (int sd) { - int ret, sd, ii; + int ret, ii; gnutls_session_t session; char buffer[MAX_BUF + 1]; gnutls_certificate_credentials_t xcred; @@ -142,10 +140,6 @@ client (void) */ gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred); - /* connect to the peer - */ - sd = tcp_connect (); - gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) sd); /* Perform the TLS handshake @@ -234,7 +228,7 @@ client (void) end: - tcp_close (sd); + close (sd); gnutls_deinit (session); @@ -246,9 +240,7 @@ end: /* This is a sample TLS 1.0 echo server, using X.509 authentication. */ -#define SA struct sockaddr #define MAX_BUF 1024 -#define PORT 5556 /* listen to 5556 port */ #define DH_BITS 1024 /* These are global */ @@ -293,11 +285,7 @@ generate_dh_params (void) return gnutls_dh_params_import_pkcs3 (dh_params, &p3, GNUTLS_X509_FMT_PEM); } -int err, listen_sd, i; -int sd, ret; -struct sockaddr_in sa_serv; -struct sockaddr_in sa_cli; -socklen_t client_len; +int err, ret; char topbuf[512]; gnutls_session_t session; char buffer[MAX_BUF + 1]; @@ -346,48 +334,7 @@ const gnutls_datum_t server_key = { server_key_pem, }; static void -server_start (void) -{ - /* Socket operations - */ - listen_sd = socket (AF_INET, SOCK_STREAM, 0); - if (listen_sd == -1) - { - perror ("socket"); - fail ("server: socket failed\n"); - return; - } - - memset (&sa_serv, '\0', sizeof (sa_serv)); - sa_serv.sin_family = AF_INET; - sa_serv.sin_addr.s_addr = INADDR_ANY; - sa_serv.sin_port = htons (PORT); /* Server Port number */ - - setsockopt (listen_sd, SOL_SOCKET, SO_REUSEADDR, (void *) &optval, - sizeof (int)); - - err = bind (listen_sd, (SA *) & sa_serv, sizeof (sa_serv)); - if (err == -1) - { - perror ("bind"); - fail ("server: bind failed\n"); - return; - } - - err = listen (listen_sd, 1024); - if (err == -1) - { - perror ("listen"); - fail ("server: listen failed\n"); - return; - } - - if (debug) - success ("server: ready. Listening to port '%d'.\n", PORT); -} - -static void -server (void) +server (int sd) { /* this must be called once in the program */ @@ -410,17 +357,8 @@ server (void) gnutls_certificate_set_dh_params (x509_cred, dh_params); - client_len = sizeof (sa_cli); - session = initialize_tls_session (); - sd = accept (listen_sd, (SA *) & sa_cli, &client_len); - - if (debug) - success ("server: connection from %s, port %d\n", - inet_ntop (AF_INET, &sa_cli.sin_addr, topbuf, - sizeof (topbuf)), ntohs (sa_cli.sin_port)); - gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) sd); ret = gnutls_handshake (session); if (ret < 0) @@ -442,7 +380,6 @@ server (void) if (debug) print_info (session); - i = 0; for (;;) { memset (buffer, 0, MAX_BUF + 1); @@ -498,8 +435,6 @@ server (void) close (sd); gnutls_deinit (session); - close (listen_sd); - gnutls_certificate_free_credentials (x509_cred); gnutls_dh_params_deinit (dh_params); @@ -514,10 +449,15 @@ server (void) void doit (void) { - /* parent */ - server_start (); - if (error_count) - return; + int sockets[2]; + + err = socketpair (AF_UNIX, SOCK_STREAM, 0, sockets); + if (err == -1) + { + perror ("socketpair"); + fail ("socketpair failed\n"); + return; + } child = fork (); if (child < 0) @@ -531,9 +471,9 @@ doit (void) { int status; - server (); + server (sockets[0]); wait (&status); } else - client (); + client (sockets[1]); } -- 1.8.3 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 190 bytes Desc: not available URL: From nmav at gnutls.org Wed Jul 17 14:00:26 2013 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Wed, 17 Jul 2013 14:00:26 +0200 Subject: [gnutls-devel] Parallel test bug in gnutls-3.2.2 In-Reply-To: <20130716154529.GQ30225@cartman.at.offog.org> References: <20130715194338.GN30225@cartman.at.offog.org> <51E505EB.4090008@gnutls.org> <20130716154529.GQ30225@cartman.at.offog.org> Message-ID: Thank you for the patches Adam. I'll verify and apply as soon. A comment, on the socketpair patch. That doesn't work in windows systems, so could you enhance this patch to return 77 on windows similarly to the other tests that do socketpair (77 is the code of test skipped)? I've tried to check how easy would be to use socketpair in windows as well, but the only emulation of it I found seems to have the main github issue, is under a custom license that does not seem to be compatible with the GPL, or LGPL. regards, Nikos On Tue, Jul 16, 2013 at 5:45 PM, Adam Sampson wrote: > On Tue, Jul 16, 2013 at 10:35:55AM +0200, Nikos Mavrogiannopoulos wrote: >> Or using socketpair() for all tests. Any patches are appreciated. > > Sounds like a good idea. Patches attached: > > - fix gdoc to make it work with Perl 5.18; > - fix a typo in the old TCP error handling; > - replace the TCP code with socketpair(). > > Note that while the socketpair() code only uses features in POSIX:2001, > I've only tested it on Linux/glibc... > > DCO for Adam Sampson : > > Developer's Certificate of Origin 1.1 > > By making a contribution to this project, I certify that: > > (a) The contribution was created in whole or in part by me and I > have the right to submit it under the open source license > indicated in the file; or > > (b) The contribution is based upon previous work that, to the best > of my knowledge, is covered under an appropriate open source > license and I have the right under that license to submit that > work with modifications, whether created in whole or in part > by me, under the same open source license (unless I am > permitted to submit under a different license), as indicated > in the file; or > > (c) The contribution was provided directly to me by some other > person who certified (a), (b) or (c) and I have not modified > it. > > (d) I understand and agree that this project and the contribution > are public and that a record of the contribution (including all > personal information I submit with it, including my sign-off) is > maintained indefinitely and may be redistributed consistent with > this project or the open source license(s) involved. > > -- > Adam Sampson > > _______________________________________________ > Gnutls-devel mailing list > Gnutls-devel at lists.gnutls.org > http://lists.gnupg.org/mailman/listinfo/gnutls-devel From ats at offog.org Wed Jul 17 14:49:06 2013 From: ats at offog.org (Adam Sampson) Date: Wed, 17 Jul 2013 13:49:06 +0100 Subject: [gnutls-devel] Parallel test bug in gnutls-3.2.2 In-Reply-To: References: <20130715194338.GN30225@cartman.at.offog.org> <51E505EB.4090008@gnutls.org> <20130716154529.GQ30225@cartman.at.offog.org> Message-ID: <20130717124905.GT30225@cartman.at.offog.org> On Wed, Jul 17, 2013 at 02:00:26PM +0200, Nikos Mavrogiannopoulos wrote: > A comment, on the socketpair patch. That doesn't work in windows > systems, so could you enhance this patch to return 77 on windows > similarly to the other tests that do socketpair (77 is the code of > test skipped)? Sure -- here you go. I've just copied what the other tests that are disabled on _WIN32 do. It might be neater to add a make_socketpair wrapper to utils.c, and have it just exit(77) on Win32? Thanks, -- Adam Sampson -------------- next part -------------- >From 56457c3536d1c216b60c5a5f7f8a56e69f587727 Mon Sep 17 00:00:00 2001 From: Adam Sampson Date: Wed, 17 Jul 2013 13:44:03 +0100 Subject: [PATCH 1/1] Disable tests that use socketpair on _WIN32. socketpair isn't provided on Windows, so these tests should just exit 77. Note that resume-dtls.c already had a guard like this -- I've rewritten it to match the others, but socketpair (presumably!) isn't the only reason that test is disabled on Win32. Signed-off-by: Adam Sampson --- tests/anonself.c | 14 ++++++++++++++ tests/dhepskself.c | 14 ++++++++++++++ tests/openpgpself.c | 14 ++++++++++++++ tests/pskself.c | 14 ++++++++++++++ tests/resume-dtls.c | 22 ++++++++++++---------- tests/resume.c | 14 ++++++++++++++ tests/x509dn.c | 14 ++++++++++++++ tests/x509self.c | 14 ++++++++++++++ 8 files changed, 110 insertions(+), 10 deletions(-) diff --git a/tests/anonself.c b/tests/anonself.c index c76e8ba..8436471 100644 --- a/tests/anonself.c +++ b/tests/anonself.c @@ -29,6 +29,18 @@ #include #include + +#if defined(_WIN32) + +/* socketpair isn't supported on Win32. */ +int +main (int argc, char** argv) +{ + exit (77); +} + +#else + #include #include #include @@ -305,3 +317,5 @@ doit (void) else client (sockets[1]); } + +#endif /* _WIN32 */ diff --git a/tests/dhepskself.c b/tests/dhepskself.c index 854a711..ef7373b 100644 --- a/tests/dhepskself.c +++ b/tests/dhepskself.c @@ -29,6 +29,18 @@ #include #include + +#if defined(_WIN32) + +/* socketpair isn't supported on Win32. */ +int +main (int argc, char** argv) +{ + exit (77); +} + +#else + #include #include #include @@ -302,3 +314,5 @@ doit (void) else client (sockets[1]); } + +#endif /* _WIN32 */ diff --git a/tests/openpgpself.c b/tests/openpgpself.c index 9c21117..80b016d 100644 --- a/tests/openpgpself.c +++ b/tests/openpgpself.c @@ -29,6 +29,18 @@ #include #include + +#if defined(_WIN32) + +/* socketpair isn't supported on Win32. */ +int +main (int argc, char** argv) +{ + exit (77); +} + +#else + #include #include #include @@ -624,3 +636,5 @@ doit (void) else client (client_sds); } + +#endif /* _WIN32 */ diff --git a/tests/pskself.c b/tests/pskself.c index 96ad965..ed5229d 100644 --- a/tests/pskself.c +++ b/tests/pskself.c @@ -29,6 +29,18 @@ #include #include + +#if defined(_WIN32) + +/* socketpair isn't supported on Win32. */ +int +main (int argc, char** argv) +{ + exit (77); +} + +#else + #include #include #include @@ -289,3 +301,5 @@ doit (void) else client (sockets[1]); } + +#endif /* _WIN32 */ diff --git a/tests/resume-dtls.c b/tests/resume-dtls.c index aa28b74..65cf3c2 100644 --- a/tests/resume-dtls.c +++ b/tests/resume-dtls.c @@ -29,6 +29,17 @@ #include #include + +#if defined(_WIN32) + +int +main (int argc, char** argv) +{ + exit (77); +} + +#else + #include #include #include @@ -38,15 +49,6 @@ #include #include -#if defined(_WIN32) - -int main() -{ - exit(77); -} - -#else - #include "utils.h" static void wrap_db_init (void); @@ -626,4 +628,4 @@ wrap_db_delete (void *dbf, gnutls_datum_t key) } -#endif /* WIN32 */ +#endif /* _WIN32 */ diff --git a/tests/resume.c b/tests/resume.c index b0d137b..6156007 100644 --- a/tests/resume.c +++ b/tests/resume.c @@ -29,6 +29,18 @@ #include #include + +#if defined(_WIN32) + +/* socketpair isn't supported on Win32. */ +int +main (int argc, char** argv) +{ + exit (77); +} + +#else + #include #include #include @@ -612,3 +624,5 @@ wrap_db_delete (void *dbf, gnutls_datum_t key) return -1; } + +#endif /* _WIN32 */ diff --git a/tests/x509dn.c b/tests/x509dn.c index af41083..1ecc519 100644 --- a/tests/x509dn.c +++ b/tests/x509dn.c @@ -29,6 +29,18 @@ #include #include + +#if defined(_WIN32) + +/* socketpair isn't supported on Win32. */ +int +main (int argc, char** argv) +{ + exit (77); +} + +#else + #include #include #include @@ -507,3 +519,5 @@ doit (void) else client (sockets[1]); } + +#endif /* _WIN32 */ diff --git a/tests/x509self.c b/tests/x509self.c index e0b55f0..e52c055 100644 --- a/tests/x509self.c +++ b/tests/x509self.c @@ -29,6 +29,18 @@ #include #include + +#if defined(_WIN32) + +/* socketpair isn't supported on Win32. */ +int +main (int argc, char** argv) +{ + exit (77); +} + +#else + #include #include #include @@ -477,3 +489,5 @@ doit (void) else client (sockets[1]); } + +#endif /* _WIN32 */ -- 1.8.3 From nmav at gnutls.org Wed Jul 17 21:43:29 2013 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Wed, 17 Jul 2013 21:43:29 +0200 Subject: [gnutls-devel] Parallel test bug in gnutls-3.2.2 In-Reply-To: <20130717124905.GT30225@cartman.at.offog.org> References: <20130715194338.GN30225@cartman.at.offog.org> <51E505EB.4090008@gnutls.org> <20130716154529.GQ30225@cartman.at.offog.org> <20130717124905.GT30225@cartman.at.offog.org> Message-ID: <51E6F3E1.2090307@gnutls.org> On 07/17/2013 02:49 PM, Adam Sampson wrote: > On Wed, Jul 17, 2013 at 02:00:26PM +0200, Nikos Mavrogiannopoulos wrote: >> A comment, on the socketpair patch. That doesn't work in windows >> systems, so could you enhance this patch to return 77 on windows >> similarly to the other tests that do socketpair (77 is the code of >> test skipped)? > > Sure -- here you go. I've just copied what the other tests that are > disabled on _WIN32 do. Applied, thank you! > It might be neater to add a make_socketpair wrapper to utils.c, and have > it just exit(77) on Win32? It would be better if it would work there, so we could run the tests there too. For the moment I'll just ignore it. regards, Nikos From stbuehler at lighttpd.net Thu Jul 18 11:33:09 2013 From: stbuehler at lighttpd.net (Stefan =?UTF-8?B?QsO8aGxlcg==?=) Date: Thu, 18 Jul 2013 11:33:09 +0200 Subject: [gnutls-devel] GnuTLS priority string bug with *-ALL Message-ID: <20130718113309.4eca93b5@chromobil.localdomain> Hi, adding catch-alls doesn't add but replaces the list. Examples: * "NONE:+COMP-DEFLATE:+COMP-ALL" - no deflate, only COMP-NULL * "NONE:-VERS-TLS-ALL:+VERS-TLS1.2:+VERS-DTLS-ALL" - only DTLS1.0 and DTLS1.2 I think replacing _set_priority with _add_priority as bulk_fn in gnutls_priority_init (lib/gnutls_priority.c:~900) should fix this. Naming them "catch-alls" is misleading anyway, as not all *-ALL sets actually represent the complete list; sadly neither this fact nor the actual list a *-ALL represents is documented officially. Also the manual is outdated; it misses some keywords. The doc for gnutls_cipher_set_priority says that server order doesn't matter, but with %SERVER_PRECEDENCE it does. Also it would be nice if all lists would be accesible through the API (like gnutls_priority_protocol_list; missing cipher, mac and kx lists). See gnutls-priority.c at https://gist.github.com/stbuehler/5693466 http://blog.lighttpd.net/gnutls-priority-strings.html is an online version of gnutls-priority.c the way I think it should work :) regards, stefan From AvonKlinski at de.alten.com Thu Jul 18 17:04:33 2013 From: AvonKlinski at de.alten.com (von Klinski, Alexander) Date: Thu, 18 Jul 2013 15:04:33 +0000 Subject: [gnutls-devel] Patch for GnuTLS 2.10.2 - The patch Message-ID: <20C69A88F591DE4FA9456202570661A402B10751@svmail2.aed.dir> Dear all, please find attached a git-patch of our modifications to the gnutls 2.10.2. @Nikos: please let me know if it is fine now. Thanks! Best regards, Alexander von Klinski Von: von Klinski, Alexander (Bardenheuer) Gesendet: Mittwoch, 10. Juli 2013 16:29 An: 'gnutls-devel at lists.gnutls.org' Cc: 'Nikos Mavrogiannopoulos'; Morgner, Frank; Dietrich, Frank; Block, Dr., Oliver; Schindelhauer, Katja Betreff: Patch for GnuTLS 2.10.2 - The patch Dear all, On behalf of our client Bundesdruckerei GmbH and in the name of my colleague who did the job I would like to contribute a modification of the GnuTLS 2.10.2 where we added a RSA-PSK key exchange. Copyright notice: Bundesdruckerei GmbH, as far as concerned, agrees in allowing redistribution of the componentes (auth_rsa.h, auth_rsa_psk.c and gnutls-patch-2.10.2.diff) under the terms of LGPL v2.1 (GNU Lesser general Public Licence) or a later version of that license. Bundesdruckerei GmbH has to be mentioned in respective copyright notices in the above contributed source components auth_rsa.h and auth_rsa_psk.c: "This file is contributed by Bardenheuer GmbH, M?nchen, Germany, on behalf of Bundesdruckerei GmbH, Berlin, Germany, 2013." Signed-Off-By: Bardenheuer GmbH, M?nchen, Germany, Alexander von Klinski Find attached the new source files auth_rsa.h and auth_rsa_psk.c, the gnutls.diff and the log files from validation. The diff must be performed with patch -p1 -c -l -R < gnutls.diff Thank you! Best regards, Alexander Alexander von Klinski Gesch?ftsstellenleiter Berlin Vice President - Mobile Computing & eID Bardenheuer GmbH (ALTEN Group) Siemensdamm 50 D - 13629 Berlin Tel: +49 (0)30 - 43 09 45 9 - 0 Fax: +49 (0)30 - 43 09 45 9 - 9 Mobil: +49 (0)172- 388 75 06 E-Mail: alexander.von-klinski at bardenheuer.de Web: http://www.bardenheuer.de Gesch?ftsf?hrer: Yves-Antoine Brun Registergericht: M?nchen Registriernummer: HRB 107560 Umsatzsteuer-Identifikationsnummer: DE 1670 1468 5 Hauptsitz: ALTEN GmbH, Rosenauer Stra?e 27, 96450 Coburg Amtsgericht Coburg, HRB 4450, Gesch?ftsf?hrer: Yves-Antoine Brun Diese Email und hiermit ?bertragene Dokumente sind vertraulich und nur f?r den Gebrauch der Person oder Organisation bestimmt, an die sie adressiert wurden. Es k?nnen vertrauliche oder von der Bekanntmachung ausgeschlossene Informationen enthalten sein. Falls Sie diese Email irrt?mlich erhalten haben, benachrichtigen Sie bitte den Absender und l?schen Sie diese Email aus Ihrem System ohne sie zu kopieren. Sie sind nicht zum Lesen, Kopieren oder Weitergeben dieser Email oder eines Teils dieser berechtigt. This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. It may constitute information that is privileged or confidential or otherwise legally exempt from disclose. If you have received this email in error, please contact the sender and delete the email from your system without copying it. You are not authorized to read, copy or disseminate this message or any part of it. -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: 0002-our-modifications-of-gnutls-2.10.2.patch Type: application/octet-stream Size: 153213 bytes Desc: 0002-our-modifications-of-gnutls-2.10.2.patch URL: From nmav at gnutls.org Thu Jul 18 22:03:58 2013 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Thu, 18 Jul 2013 22:03:58 +0200 Subject: [gnutls-devel] Patch for GnuTLS 2.10.2 - The patch In-Reply-To: <20C69A88F591DE4FA9456202570661A402B10751@svmail2.aed.dir> References: <20C69A88F591DE4FA9456202570661A402B10751@svmail2.aed.dir> Message-ID: <51E84A2E.4040809@gnutls.org> On 07/18/2013 05:04 PM, von Klinski, Alexander wrote: > Dear all, > > please find attached a git-patch of our modifications to the gnutls 2.10.2. > > @Nikos: please let me know if it is fine now. Thanks! Hello Alexander, How did you generate this patch? Have you checked its contents? It contains several changes on unrelated files and documentation. I'd expect a patch that _only_ contains your changes for RSA-PSK. Simply grab a 2_10_x branch, apply your changes there, commit and send the patch. regards, Nikos From nmav at gnutls.org Fri Jul 19 09:24:46 2013 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Fri, 19 Jul 2013 09:24:46 +0200 Subject: [gnutls-devel] gnutls for android In-Reply-To: References: <51E505B9.8070101@gnutls.org> Message-ID: <51E8E9BE.5050002@gnutls.org> On 07/16/2013 05:17 PM, Tatar, Matthew B. wrote: > I don't quite understand, is there any documentation as to why or how you would need/use cerbero over the standard practice of using the NDK compiler with configure scripts? Cerbero is just that. Uses NDK with configure scripts easily. > The issue I'm running into is with compiling libnettle so that it recognizes the libgmp I built. Could you be more specific? What is the error printed in configure, and what is logged in config.log about it? (this may be better discussed in nettle-bugs mailing list). regards, Nikos From stbuehler at lighttpd.net Fri Jul 19 09:54:37 2013 From: stbuehler at lighttpd.net (Stefan =?UTF-8?B?QsO8aGxlcg==?=) Date: Fri, 19 Jul 2013 09:54:37 +0200 Subject: [gnutls-devel] DCO Message-ID: <20130719095437.3326983f@chromobil.localdomain> Hi, here is my DCO: --- Developer's Certificate of Origin 1.1 By making a contribution to this project, I certify that: (a) The contribution was created in whole or in part by me and I have the right to submit it under the open source license indicated in the file; or (b) The contribution is based upon previous work that, to the best of my knowledge, is covered under an appropriate open source license and I have the right under that license to submit that work with modifications, whether created in whole or in part by me, under the same open source license (unless I am permitted to submit under a different license), as indicated in the file; or (c) The contribution was provided directly to me by some other person who certified (a), (b) or (c) and I have not modified it. (d) I understand and agree that this project and the contribution are public and that a record of the contribution (including all personal information I submit with it, including my sign-off) is maintained indefinitely and may be redistributed consistent with this project or the open source license(s) involved. --- regards, Stefan -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 836 bytes Desc: not available URL: From tmraz at redhat.com Fri Jul 19 15:58:29 2013 From: tmraz at redhat.com (Tomas Mraz) Date: Fri, 19 Jul 2013 15:58:29 +0200 Subject: [gnutls-devel] Licensing problem LGPLv3+ vs. GPLv2only conflict Message-ID: <1374242309.8007.13.camel@vespa.frost.loc> Hello all, as was noticed by Debian and GNOME developers and reported here https://bugzilla.redhat.com/show_bug.cgi?id=986347 the GnuTLS 3.x is effectively LGPLv3+ because it links to gmp which is LGPLv3+ although the GnuTLS itself is LGPLv2+. The biggest problem it causes is that multiple software applications that are GPLv2 and use gnutls which creates the licensing conflict. Is there any way out of this mess? -- Tomas Mraz No matter how far down the wrong road you've gone, turn back. Turkish proverb From nmav at gnutls.org Fri Jul 19 17:29:43 2013 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Fri, 19 Jul 2013 17:29:43 +0200 Subject: [gnutls-devel] GnuTLS priority string bug with *-ALL In-Reply-To: <20130718113309.4eca93b5@chromobil.localdomain> References: <20130718113309.4eca93b5@chromobil.localdomain> Message-ID: <51E95B67.1040507@gnutls.org> On 07/18/2013 11:33 AM, Stefan B?hler wrote: > Hi, > > adding catch-alls doesn't add but replaces the list. > > Examples: > * "NONE:+COMP-DEFLATE:+COMP-ALL" - no deflate, only COMP-NULL > * "NONE:-VERS-TLS-ALL:+VERS-TLS1.2:+VERS-DTLS-ALL" - only DTLS1.0 and > DTLS1.2 > > I think replacing _set_priority with _add_priority as bulk_fn in > gnutls_priority_init (lib/gnutls_priority.c:~900) should fix this. Hello Stefan, I'm adding it to my todo list. I need to combine that with some automated tests that verify that priorities have been correctly been added/sorted. That would prevent any future introduction of bugs like this one, or the one you previously reported. > Naming them "catch-alls" is misleading anyway, as not all *-ALL sets > actually represent the complete list; sadly neither this fact nor the > actual list a *-ALL represents is documented officially. > > Also the manual is outdated; it misses some keywords. > The doc for gnutls_cipher_set_priority says that server order doesn't > matter, but with %SERVER_PRECEDENCE it does. Indeed. Please feel free to update the documentation and send any patches. I've added that to my todo list, but currently that's filled up with other unrelated stuff. > Also it would be nice if all lists would be accesible through the API > (like gnutls_priority_protocol_list; missing cipher, mac and kx lists). > See gnutls-priority.c at https://gist.github.com/stbuehler/5693466 I thought that having the actual ciphersuite list with gnutls_priority_get_cipher_suite_index() would be more interesting for the priority structure. I could add more functions to access this structure, but would they be more interesting than the ciphersuite? > http://blog.lighttpd.net/gnutls-priority-strings.html is an online > version of gnutls-priority.c the way I think it should work :) I think this agrees with the intention. regards, Nikos From nmav at gnutls.org Fri Jul 19 17:37:49 2013 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Fri, 19 Jul 2013 17:37:49 +0200 Subject: [gnutls-devel] Licensing problem LGPLv3+ vs. GPLv2only conflict In-Reply-To: <1374242309.8007.13.camel@vespa.frost.loc> References: <1374242309.8007.13.camel@vespa.frost.loc> Message-ID: <51E95D4D.7010900@gnutls.org> On 07/19/2013 03:58 PM, Tomas Mraz wrote: > Hello all, > > as was noticed by Debian and GNOME developers and reported here > https://bugzilla.redhat.com/show_bug.cgi?id=986347 the GnuTLS 3.x is > effectively LGPLv3+ because it links to gmp which is LGPLv3+ although > the GnuTLS itself is LGPLv2+. The biggest problem it causes is that > multiple software applications that are GPLv2 and use gnutls which > creates the licensing conflict. Is there any way out of this mess? A solution is to use gmp 4.2.1 which is LGPLv2+. Another is to have gmp allow linking with GPLv2 programs. My impression on last conversation with the gmp developers is that they do not consider that a serious problem to dual license gmp GPLv2/LGPLv3. I think bring the issue up to them and mentioning the projects that it affects, would help solve the issue. regards, Nikos From juhovh at iki.fi Fri Jul 19 17:31:58 2013 From: juhovh at iki.fi (=?utf-8?Q?Juho_V=C3=A4h=C3=A4-Herttua?=) Date: Fri, 19 Jul 2013 18:31:58 +0300 Subject: [gnutls-devel] Licensing problem LGPLv3+ vs. GPLv2only conflict In-Reply-To: <1374242309.8007.13.camel@vespa.frost.loc> References: <1374242309.8007.13.camel@vespa.frost.loc> Message-ID: On 19.7.2013, at 16.58, Tomas Mraz wrote: > to gmp which is LGPLv3+ although > the GnuTLS itself is LGPLv2+. The biggest problem it causes is that > multiple software applications that are GPLv2 and use gnutls which > creates the licensing conflict. Is there any way out of this mess? This seems to be adressed on the GnuTLS download page: 1. Gmplib is under LGPLv3. Older versions of gmplib under LGPLv2 are also supported. So I guess the easiest way would be to fork the LGPLv2 version of gmplib for gnutls use and GPLv2 programs should be in the clear. Juho -------------- next part -------------- An HTML attachment was scrubbed... URL: From ametzler at downhill.at.eu.org Fri Jul 19 18:35:02 2013 From: ametzler at downhill.at.eu.org (Andreas Metzler) Date: Fri, 19 Jul 2013 18:35:02 +0200 Subject: [gnutls-devel] Licensing problem LGPLv3+ vs. GPLv2only conflict In-Reply-To: <1374242309.8007.13.camel@vespa.frost.loc> References: <1374242309.8007.13.camel@vespa.frost.loc> Message-ID: <20130719163502.GC3262@downhill.g.la> On 2013-07-19 Tomas Mraz wrote: > as was noticed by Debian and GNOME developers and reported here > https://bugzilla.redhat.com/show_bug.cgi?id=986347 the GnuTLS 3.x is > effectively LGPLv3+ because it links to gmp which is LGPLv3+ although > the GnuTLS itself is LGPLv2+. The biggest problem it causes is that > multiple software applications that are GPLv2 and use gnutls which > creates the licensing conflict. Is there any way out of this mess? Hello, I think the plan is to relicense GMP to GPLv2+/LGPLv3+, ending up with a dual licensed GnuTLS stack. ------ There is another minor issue: gnulib. Last time I checked it was possible to build the gnutls shared library on GNU/Linux just with LGPLv2.1+ licensed gnulib modules without obvious loss of functionality. However this requires manual checking - LGPLv2.1+ and other gnulib modules (no reason why the commandline utilities shouldn't use GPLv3-modules) are not kept separately in the gnutls source tree. And I assume that many of the LGPLv3 modules[1] might be necessary on other platforms. cu Andreas [1] /home/ametzler/GIT/gnulib/gnulib-tool: *** incompatible license on modules: alphasort LGPL argp LGPL closedir LGPL error LGPL fpieee LGPL fpucw LGPL frexp-nolibm LGPL frexpl-nolibm LGPL fseterr LGPL getsubopt LGPL iconv_open-utf LGPL isnand-nolibm LGPL isnanf-nolibm LGPL isnanl-nolibm LGPL opendir LGPL printf-frexp LGPL printf-frexpl LGPL printf-safe LGPL readdir LGPL scandir LGPL signbit LGPL version-etc LGPL version-etc-fsf LGPL vfprintf-posix LGPL vprintf-posix LGPL From AvonKlinski at de.alten.com Fri Jul 19 16:55:19 2013 From: AvonKlinski at de.alten.com (von Klinski, Alexander) Date: Fri, 19 Jul 2013 14:55:19 +0000 Subject: [gnutls-devel] Patch for GnuTLS 2.10.2 - The patch In-Reply-To: <51E84A2E.4040809@gnutls.org> References: <20C69A88F591DE4FA9456202570661A402B10751@svmail2.aed.dir> <51E84A2E.4040809@gnutls.org> Message-ID: <20C69A88F591DE4FA9456202570661A402B112DB@svmail2.aed.dir> Hello Nikos, better now? Regards, Alexander -----Urspr?ngliche Nachricht----- Von: Nikos Mavrogiannopoulos [mailto:n.mavrogiannopoulos at gmail.com] Im Auftrag von Nikos Mavrogiannopoulos Gesendet: Donnerstag, 18. Juli 2013 22:04 An: von Klinski, Alexander Cc: gnutls-devel at lists.gnutls.org; Morgner, Frank; Dietrich, Frank; Block, Dr., Oliver; Schindelhauer, Katja Betreff: Re: AW: Patch for GnuTLS 2.10.2 - The patch On 07/18/2013 05:04 PM, von Klinski, Alexander wrote: > Dear all, > > please find attached a git-patch of our modifications to the gnutls 2.10.2. > > @Nikos: please let me know if it is fine now. Thanks! Hello Alexander, How did you generate this patch? Have you checked its contents? It contains several changes on unrelated files and documentation. I'd expect a patch that _only_ contains your changes for RSA-PSK. Simply grab a 2_10_x branch, apply your changes there, commit and send the patch. regards, Nikos Hauptsitz: ALTEN GmbH, Rosenauer Stra?e 27, 96450 Coburg Amtsgericht Coburg, HRB 4450, Gesch?ftsf?hrer: Yves-Antoine Brun Diese Email und hiermit ?bertragene Dokumente sind vertraulich und nur f?r den Gebrauch der Person oder Organisation bestimmt, an die sie adressiert wurden. Es k?nnen vertrauliche oder von der Bekanntmachung ausgeschlossene Informationen enthalten sein. Falls Sie diese Email irrt?mlich erhalten haben, benachrichtigen Sie bitte den Absender und l?schen Sie diese Email aus Ihrem System ohne sie zu kopieren. Sie sind nicht zum Lesen, Kopieren oder Weitergeben dieser Email oder eines Teils dieser berechtigt. This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. It may constitute information that is privileged or confidential or otherwise legally exempt from disclose. If you have received this email in error, please contact the sender and delete the email from your system without copying it. You are not authorized to read, copy or disseminate this message or any part of it. -------------- next part -------------- A non-text attachment was scrubbed... Name: 0002-our-modifications-to-gnutls-2.10.2.patch Type: application/octet-stream Size: 44290 bytes Desc: 0002-our-modifications-to-gnutls-2.10.2.patch URL: From INVALID.NOREPLY at gnu.org Mon Jul 22 13:09:49 2013 From: INVALID.NOREPLY at gnu.org (anonymous) Date: Mon, 22 Jul 2013 11:09:49 +0000 Subject: [gnutls-devel] [sr #108342] Some french translation fixes Message-ID: <20130722-110948.sv0.2663@savannah.gnu.org> URL: Summary: Some french translation fixes Project: GnuTLS Submitted by: None Submitted on: Mon 22 Jul 2013 11:09:48 AM UTC Category: None Priority: 5 - Normal Severity: 2 - Minor Status: None Privacy: Public Assigned to: None Originator Email: Open/Closed: Open Discussion Lock: Any Operating System: None _______________________________________________________ Details: - Add spaces before ':' - Add accents on caps - Changed 'crypter/d?crypter' to 'chiffrer/d?chiffrer' _______________________________________________________ File Attachments: ------------------------------------------------------- Date: Mon 22 Jul 2013 11:09:48 AM UTC Name: fr.patch Size: 16kB By: None _______________________________________________________ Reply to this item at: _______________________________________________ Message sent via/by Savannah http://savannah.gnu.org/ From andyrtr at archlinux.org Sun Jul 21 11:41:09 2013 From: andyrtr at archlinux.org (Andreas Radke) Date: Sun, 21 Jul 2013 11:41:09 +0200 Subject: [gnutls-devel] 3.2.2 breaks TLS sockets Message-ID: <20130721114109.6ed68e72@workstation64.home> New 3.2.2 gnutls seems to break certain webpages, see: https://bugs.archlinux.org/task/36212 https://bugs.archlinux.org/task/36207 Maybe you can reproduce it and offer a fix. Current Master fails the same way. -Andy ArchLinux -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 490 bytes Desc: not available URL: From skottish97215 at gmail.com Sun Jul 21 17:10:58 2013 From: skottish97215 at gmail.com (skottish) Date: Sun, 21 Jul 2013 08:10:58 -0700 Subject: [gnutls-devel] gnutls 3.2.2 breaks sites Message-ID: Hi all, I didn't see anything on your mailing list, so hopefully this isn't a duplicate. gnutls 3.2.2 breaks sites. For instance, the browser that I use, dwb (a webkit based browser), allows me to use search shortcuts similar to what one may see in Firefox. One of them is for DuckDuckGo: https://duckduckgo.com/?q=_dwb_search_submit_&kd=-1&ke=-1&kf=-1&kj=%23DDDDDD&kp=-1&kq=-1&kr=-1&ks=m&kz=-1&k1=-1&k4=-1 where _dwb_search_submit is simply the search terms. DDG will produce a blank page unless it's just a definition, in which case it only shows that. Another example is the Arch Linux wiki (https://wiki.archlinux.org). With this version of gnutls, all of the page formatting is gone (styles and such). The page loads, but it's incomplete. Downgrading to gnutls 3.2.1 solves these issues. Please let me know if I can help in any way. And, thanks for the hard work on this software. -------------- next part -------------- An HTML attachment was scrubbed... URL: From mlee24 at binghamton.edu Sun Jul 21 23:17:53 2013 From: mlee24 at binghamton.edu (Mark Lee) Date: Sun, 21 Jul 2013 17:17:53 -0400 Subject: [gnutls-devel] Upgrade to GNUTLS 3.2.2 breaks Epiphany's https access to outlook.com Message-ID: <1374441473.946.0.camel@localhost.localdomain> After upgrading to GNUTLS 3.2.2 on Arch Linux (64 bit), my Epiphany (3.8.2) fails to connect to outlook.com. I get the following error: Error reading data from TLS socket: Decryption has failed. I filed a bug report with Arch Linux as well; see . Any help folks? -- Mark Lee -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 230 bytes Desc: This is a digitally signed message part URL: From stib at pureandapplied.com.au Mon Jul 22 07:41:14 2013 From: stib at pureandapplied.com.au (stib at pureandapplied.com.au) Date: Mon, 22 Jul 2013 15:41:14 +1000 Subject: [gnutls-devel] =?utf-8?q?is_ftp=3A//ftp=2Egnutls=2Eorg_down=3F?= Message-ID: <14412f4420fb6ea347c9f4601b49057f@pureandapplied.com.au> I haven't been able to access it all day. Thanks -stib -------------- next part -------------- An HTML attachment was scrubbed... URL: From bugs at ttyhoney.com Mon Jul 22 13:18:49 2013 From: bugs at ttyhoney.com (bugs) Date: Mon, 22 Jul 2013 13:18:49 +0200 Subject: [gnutls-devel] =?utf-8?q?gnutls_=3E=3D_3=2E2=2E2_=22Error_reading?= =?utf-8?q?_data_from_TLS_socket=3A_Decryption_has_failed=2E=22?= Message-ID: Hello! > I can't find a bugtracker. It looks like release >=3.2.2 has broken TLS, see: https://bugs.archlinux.org/task/36212 https://bugs.archlinux.org/task/36207 Every application which is using TLS seem to be affected: ? Evolution (evolution-ews ~ MS-Exchange) ? WebKit/WebKit2 (smurf, Epiphany) As a simple example, you can try to access this bug report: https://bugzilla.gnome.org/show_bug.cgi?id=687509 Result with Epiphany: "Error reading data from TLS socket: Decryption has failed." $ gnutls-cli bugzilla.gnome.org -d 9999 -VVVVVV |<2>| Intel AES accelerator was detected > |<2>| Intel GCM accelerator was detected > |<2>| p11: loaded provider 'p11-kit-trust' > |<2>| p11: loaded provider 'gnome-keyring' > |<2>| ASSERT: pkcs11.c:425 > Processed 157 CA certificate(s). > Resolving 'bugzilla.gnome.org'... > Connecting to '209.132.180.171:443'... > Cannot connect to 209.132.180.171:443: Connection refused From ametzler at downhill.at.eu.org Mon Jul 22 17:25:28 2013 From: ametzler at downhill.at.eu.org (Andreas Metzler) Date: Mon, 22 Jul 2013 17:25:28 +0200 Subject: [gnutls-devel] is ftp://ftp.gnutls.org down? In-Reply-To: <14412f4420fb6ea347c9f4601b49057f@pureandapplied.com.au> References: <14412f4420fb6ea347c9f4601b49057f@pureandapplied.com.au> Message-ID: <20130722152528.GC3271@downhill.g.la> On 2013-07-22 stib at pureandapplied.com.au wrote: > I haven't been able to access it all day. works for me. cu Andreas From nmav at gnutls.org Mon Jul 22 23:06:17 2013 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Mon, 22 Jul 2013 23:06:17 +0200 Subject: [gnutls-devel] 3.2.2 breaks TLS sockets In-Reply-To: <20130721114109.6ed68e72@workstation64.home> References: <20130721114109.6ed68e72@workstation64.home> Message-ID: On Sun, Jul 21, 2013 at 11:41 AM, Andreas Radke wrote: > New 3.2.2 gnutls seems to break certain webpages, see: > https://bugs.archlinux.org/task/36212 > https://bugs.archlinux.org/task/36207 > Maybe you can reproduce it and offer a fix. Current Master fails the > same way. Unfortunately I cannot reproduce it using gnutls-cli. I also do not see anything related in the changelog. Any way to reproduce for me, or could anyone who can reproduce it try git bisect with gnutls source? regards. Nikos From nmav at gnutls.org Mon Jul 22 23:14:20 2013 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Mon, 22 Jul 2013 23:14:20 +0200 Subject: [gnutls-devel] gnutls >= 3.2.2 "Error reading data from TLS socket: Decryption has failed." In-Reply-To: References: Message-ID: On Mon, Jul 22, 2013 at 1:18 PM, bugs wrote: > Every application which is using TLS seem to be affected: > ? Evolution (evolution-ews ~ MS-Exchange) > ? WebKit/WebKit2 (smurf, Epiphany) ... > $ gnutls-cli bugzilla.gnome.org -d 9999 -VVVVVV >> Resolving 'bugzilla.gnome.org'... >> Connecting to '209.132.180.171:443'... >> Cannot connect to 209.132.180.171:443: Connection refused Hello, It seems that your issue here (at least the one you list) is a connection problem rather than a problem in gnutls. regards, Nikos From nmav at gnutls.org Tue Jul 23 19:31:50 2013 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Tue, 23 Jul 2013 19:31:50 +0200 Subject: [gnutls-devel] Patch for GnuTLS 2.10.2 - The patch In-Reply-To: <20C69A88F591DE4FA9456202570661A402B112DB@svmail2.aed.dir> References: <20C69A88F591DE4FA9456202570661A402B10751@svmail2.aed.dir> <51E84A2E.4040809@gnutls.org> <20C69A88F591DE4FA9456202570661A402B112DB@svmail2.aed.dir> Message-ID: <51EEBE06.5090803@gnutls.org> On 07/19/2013 04:55 PM, von Klinski, Alexander wrote: > Hello Nikos, > better now? Unfortunately not. I really don't want to spend any more time on that. Your patch didn't contain the minimum necessary changes to add PSK-RSA. Your patch contains changes to a file that is untracked by git (Makefile.in), and a file that has nothing to do with your patch (gnutls_str.c) and had no description nor Signed-off-by line. Before submitting the best is to try to apply yourself your patch using git am. I'm tired of that, so I just fixed the above (except of the Sign-Off line) and committed it in the 2.10.x branch. https://www.gitorious.org/gnutls/gnutls/commit/f06ba1b71fa2cf9e1f3e33ea58cda94aaff88f20 regards, Nikos From INVALID.NOREPLY at gnu.org Tue Jul 23 22:22:20 2013 From: INVALID.NOREPLY at gnu.org (Nikos Mavrogiannopoulos) Date: Tue, 23 Jul 2013 20:22:20 +0000 Subject: [gnutls-devel] [sr #108342] Some french translation fixes In-Reply-To: <20130722-110948.sv0.2663@savannah.gnu.org> References: <20130722-110948.sv0.2663@savannah.gnu.org> Message-ID: <20130723-232219.sv707.58597@savannah.gnu.org> Follow-up Comment #1, sr #108342 (project gnutls): Thank you for the translation. We use the translation project [0] for getting updates of the translations in gnutls, so may I suggest to submit your updated translations to the french team (or the previous translator of gnutls [1]), so that it is not overwritten on a scheduled update? best regards, Nikos [0]. http://translationproject.org/html/translators.html [1]. http://translationproject.org/team/fr.html _______________________________________________________ Reply to this item at: _______________________________________________ Message sent via/by Savannah http://savannah.gnu.org/ From INVALID.NOREPLY at gnu.org Tue Jul 23 22:23:55 2013 From: INVALID.NOREPLY at gnu.org (Nikos Mavrogiannopoulos) Date: Tue, 23 Jul 2013 20:23:55 +0000 Subject: [gnutls-devel] [sr #108321] crq_apis coredump on 32-bit build due to _gnutls_strdatum_to_buf NULL buf handling In-Reply-To: <20130610-130152.sv0.38725@savannah.gnu.org> References: <20130610-124716.sv0.1003@savannah.gnu.org> <20130610-130152.sv0.38725@savannah.gnu.org> Message-ID: <20130723-232355.sv707.31936@savannah.gnu.org> Update of sr #108321 (project gnutls): Status: None => Done Assigned to: None => nmav Open/Closed: Open => Closed _______________________________________________________ Reply to this item at: _______________________________________________ Message sent via/by Savannah http://savannah.gnu.org/ From chrishas at gmail.com Tue Jul 23 17:36:07 2013 From: chrishas at gmail.com (Christoforos Hadjigeorgiou) Date: Tue, 23 Jul 2013 16:36:07 +0100 Subject: [gnutls-devel] Bug: Error reading data from TLS socket. Decryption has failed. Message-ID: <51EEA2E7.8080605@gmail.com> Hi, I'm using Archbang linux and in dwb browser I get this error message in some webpages and the content fails to load: Error reading data from TLS socket. Decryption has failed. This only happened after gnutls was upgraded to version 3.2.2-1. I've also come across a bug report on archlinux about this: https://bugs.archlinux.org/task/36212?project=1 Thanks, Chris From INVALID.NOREPLY at gnu.org Wed Jul 24 09:56:11 2013 From: INVALID.NOREPLY at gnu.org (Afri Qhdoe) Date: Wed, 24 Jul 2013 07:56:11 +0000 Subject: [gnutls-devel] [sr #108343] gnutls 3.2.2 breaks tls decryption: "Decryption has failed." Message-ID: <20130724-075610.sv91992.79412@savannah.gnu.org> URL: Summary: gnutls 3.2.2 breaks tls decryption: "Decryption has failed." Project: GnuTLS Submitted by: qdoe Submitted on: Mi 24 Jul 2013 07:56:09 GMT Category: Core library Priority: 5 - Normal Severity: 4 - Important Status: None Privacy: Public Assigned to: None Originator Email: Open/Closed: Open Discussion Lock: Any Operating System: GNU/Linux _______________________________________________________ Details: An upgrade of gnutls to 3.2.2 breaks pretty much everything that uses TLS. I'm using archlinux. I discovered this issue using weechat, telling me: > irc: reading data on socket: error -24 Decryption has failed. The guys at #weechat told me there are more people complaining and it's a gnutls issue. see http://unix.stackexchange.com/q/84083/19062 downgrading gnutls "fixes" this. could you please look into it? Related broken projects: - epiphany https://bugs.archlinux.org/task/36207 - webkit https://bugs.archlinux.org/task/36212 > Error reading data from TLS socket: Decryption has failed. This bug was poorly reported on the mailing list some days ago (it looked like a connection error). Yet, I'm trying to do better but I'm sorry I don't know how to provide a better back trace or something. Maybe you can guide me? I tried to attach gnutls-cli or weechat to gdb but without success of extracting the error message. _______________________________________________________ Reply to this item at: _______________________________________________ Nachricht gesendet von/durch Savannah http://savannah.gnu.org/ From INVALID.NOREPLY at gnu.org Wed Jul 24 11:06:50 2013 From: INVALID.NOREPLY at gnu.org (Peter Weber) Date: Wed, 24 Jul 2013 09:06:50 +0000 Subject: [gnutls-devel] [sr #108343] gnutls 3.2.2 breaks tls decryption: "Decryption has failed." In-Reply-To: <20130724-075610.sv91992.79412@savannah.gnu.org> References: <20130724-075610.sv91992.79412@savannah.gnu.org> Message-ID: <20130724-090650.sv91994.98369@savannah.gnu.org> Follow-up Comment #1, sr #108343 (project gnutls): This bug was reported multiple times on the mailing list: http://lists.gnutls.org/pipermail/gnutls-devel/2013-July/ I'm afraid we confused Nikos Mavrogiannopoulos a little bit. _______________________________________________________ Reply to this item at: _______________________________________________ Message sent via/by Savannah http://savannah.gnu.org/ From INVALID.NOREPLY at gnu.org Wed Jul 24 13:20:39 2013 From: INVALID.NOREPLY at gnu.org (Andreas Metzler) Date: Wed, 24 Jul 2013 11:20:39 +0000 Subject: [gnutls-devel] [sr #108343] gnutls 3.2.2 breaks tls decryption: "Decryption has failed." In-Reply-To: <20130724-090650.sv91994.98369@savannah.gnu.org> References: <20130724-075610.sv91992.79412@savannah.gnu.org> <20130724-090650.sv91994.98369@savannah.gnu.org> Message-ID: <20130724-132039.sv20807.97604@savannah.gnu.org> Follow-up Comment #2, sr #108343 (project gnutls): Out of interest I have tried re-building Debian's (and Ubuntu's) glib-networking packages against gnutls 3.x. - While the build succeeded the testsuite failed for me. Are you running the testsuite in Archlinux, does it report any errors? cu Andreas _______________________________________________________ Reply to this item at: _______________________________________________ Nachricht gesendet von/durch Savannah http://savannah.gnu.org/ From INVALID.NOREPLY at gnu.org Wed Jul 24 16:27:48 2013 From: INVALID.NOREPLY at gnu.org (Peter Weber) Date: Wed, 24 Jul 2013 14:27:48 +0000 Subject: [gnutls-devel] [sr #108343] gnutls 3.2.2 breaks tls decryption: "Decryption has failed." In-Reply-To: <20130724-132039.sv20807.97604@savannah.gnu.org> References: <20130724-075610.sv91992.79412@savannah.gnu.org> <20130724-090650.sv91994.98369@savannah.gnu.org> <20130724-132039.sv20807.97604@savannah.gnu.org> Message-ID: <20130724-142748.sv91994.1946@savannah.gnu.org> Follow-up Comment #3, sr #108343 (project gnutls): The testsuite has some glitches: http://lists.gnutls.org/pipermail/gnutls-devel/2013-July/006335.html _______________________________________________________ Reply to this item at: _______________________________________________ Message sent via/by Savannah http://savannah.gnu.org/ From INVALID.NOREPLY at gnu.org Wed Jul 24 17:07:31 2013 From: INVALID.NOREPLY at gnu.org (Andreas Metzler) Date: Wed, 24 Jul 2013 15:07:31 +0000 Subject: [gnutls-devel] [sr #108343] gnutls 3.2.2 breaks tls decryption: "Decryption has failed." In-Reply-To: <20130724-142748.sv91994.1946@savannah.gnu.org> References: <20130724-075610.sv91992.79412@savannah.gnu.org> <20130724-090650.sv91994.98369@savannah.gnu.org> <20130724-132039.sv20807.97604@savannah.gnu.org> <20130724-142748.sv91994.1946@savannah.gnu.org> Message-ID: <20130724-170731.sv20807.15487@savannah.gnu.org> Follow-up Comment #4, sr #108343 (project gnutls): On 2013-07-24 Peter Weber wrote: > The testsuite has some glitches: > http://lists.gnutls.org/pipermail/gnutls-devel/2013-July/006335.html The gnutls testsuite works in non-parallel mode (i.e. make check withouut -jN with N>1). I was asking about the glib-networking testsuite, not the gnutls one., though. ;-) cu Andreas _______________________________________________________ Reply to this item at: _______________________________________________ Nachricht gesendet von/durch Savannah http://savannah.gnu.org/ From nmav at gnutls.org Wed Jul 24 17:09:06 2013 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Wed, 24 Jul 2013 17:09:06 +0200 Subject: [gnutls-devel] Bug: Error reading data from TLS socket. Decryption has failed. In-Reply-To: <51EEA2E7.8080605@gmail.com> References: <51EEA2E7.8080605@gmail.com> Message-ID: On Tue, Jul 23, 2013 at 5:36 PM, Christoforos Hadjigeorgiou wrote: > Hi, > I'm using Archbang linux and in dwb browser I get this error message in some > webpages and the content fails to load: > Error reading data from TLS socket. Decryption has failed. > This only happened after gnutls was upgraded to version 3.2.2-1. I've also > come across a bug report on archlinux about this: > https://bugs.archlinux.org/task/36212?project=1 Hello, That seems to be something in 3.2.2 that affects glib/gio (as far as I understand the browsers with the issue use webkit, which relies on libsoup, which uses glib/gio, and that should use gnutls). Unfortunately there is no way for me to test that, as in my system they are linked to gnutls 2.12.x. If someone could reproduce that and do a git bisect on gnutls source code to find the culprit would help a lot. regards, Nikos From Oliver.Block at BDR.de Wed Jul 24 09:59:22 2013 From: Oliver.Block at BDR.de (Block, Dr., Oliver) Date: Wed, 24 Jul 2013 09:59:22 +0200 Subject: [gnutls-devel] Patch for GnuTLS 2.10.2 - The patch /// Finalization of BD-A0152/12 - Prerequisite for BD-A0226/13 Message-ID: Hello Nikos, thank you very much for all your patience and holding your healing hands about the sources, this was a big step forward for all of us! @Mr. v. Klinski: Thank you very much for your effort. It seem, that this part is luckily finished right now! @Mr. Morgner: It seems that now you are free to contribute from your home made software whatever you want...of course under all legal margins & requirements that apply and that have to be obeyed. In case of any questions, please feel free to contact me! Enjoy the summer! Best regards, Oliver Block Mit freundlichen Gr??en, -- Dr. Oliver Block Patentanwalt Bundesdruckerei GmbH Phone: + 49 (0) 30 - 2598-1096 Fax: + 49 (0) 30 - 2598-6160 -----Urspr?ngliche Nachricht----- Von: Nikos Mavrogiannopoulos [mailto:n.mavrogiannopoulos at gmail.com] Im Auftrag von Nikos Mavrogiannopoulos Gesendet: Dienstag, 23. Juli 2013 19:32 An: von Klinski, Alexander Cc: gnutls-devel at lists.gnutls.org; Morgner, Frank; Dietrich, Frank; Block, Dr., Oliver Betreff: Re: AW: AW: Patch for GnuTLS 2.10.2 - The patch On 07/19/2013 04:55 PM, von Klinski, Alexander wrote: > Hello Nikos, > better now? Unfortunately not. I really don't want to spend any more time on that. Your patch didn't contain the minimum necessary changes to add PSK-RSA. Your patch contains changes to a file that is untracked by git (Makefile.in), and a file that has nothing to do with your patch (gnutls_str.c) and had no description nor Signed-off-by line. Before submitting the best is to try to apply yourself your patch using git am. I'm tired of that, so I just fixed the above (except of the Sign-Off line) and committed it in the 2.10.x branch. https://www.gitorious.org/gnutls/gnutls/commit/f06ba1b71fa2cf9e1f3e33ea58cda94aaff88f20 regards, Nikos From n.mavrogiannopoulos at gmail.com Wed Jul 24 18:42:47 2013 From: n.mavrogiannopoulos at gmail.com (Nikos Mavrogiannopoulos) Date: Wed, 24 Jul 2013 18:42:47 +0200 Subject: [gnutls-devel] [sr #108343] gnutls 3.2.2 breaks tls decryption: "Decryption has failed." In-Reply-To: <20130724-075610.sv91992.79412@savannah.gnu.org> References: <20130724-075610.sv91992.79412@savannah.gnu.org> Message-ID: <51F00407.5080802@gmail.com> On 07/24/2013 09:56 AM, Afri Qhdoe wrote: > An upgrade of gnutls to 3.2.2 breaks pretty much everything that uses TLS. I'm > using archlinux. I discovered this issue using weechat, telling me: >> irc: reading data on socket: error -24 Decryption has failed. > The guys at #weechat told me there are more people complaining and it's a > gnutls issue. see http://unix.stackexchange.com/q/84083/19062 > downgrading gnutls "fixes" this. could you please look into it? Well, I'd need to be able to reproduce it and, as I previously mentioned, there seems to be no easy way to do that. > Related broken projects: > - epiphany https://bugs.archlinux.org/task/36207 > - webkit https://bugs.archlinux.org/task/36212 > >> Error reading data from TLS socket: Decryption has failed. > > This bug was poorly reported on the mailing list some days ago (it looked like > a connection error). Yet, I'm trying to do better but I'm sorry I don't know > how to provide a better back trace or something. Maybe you can guide me? I > tried to attach gnutls-cli or weechat to gdb but without success of extracting > the error message. Using gdb wouldn't help much. The best would be to download the gnutls git repository, compile it, and then use git-bisect to find the exact commit that causes the problem. A way to use bisect is shown in [0] (binary search section). The known to work tag is gnutls_3_2_1. [0]. http://git-scm.com/book/en/Git-Tools-Debugging-with-Git regards, Nikos From INVALID.NOREPLY at gnu.org Thu Jul 25 10:04:47 2013 From: INVALID.NOREPLY at gnu.org (Peter Weber) Date: Thu, 25 Jul 2013 08:04:47 +0000 Subject: [gnutls-devel] [sr #108343] gnutls 3.2.2 breaks tls decryption: "Decryption has failed." In-Reply-To: <20130724-170731.sv20807.15487@savannah.gnu.org> References: <20130724-075610.sv91992.79412@savannah.gnu.org> <20130724-090650.sv91994.98369@savannah.gnu.org> <20130724-132039.sv20807.97604@savannah.gnu.org> <20130724-142748.sv91994.1946@savannah.gnu.org> <20130724-170731.sv20807.15487@savannah.gnu.org> Message-ID: <20130725-080447.sv91994.97846@savannah.gnu.org> Follow-up Comment #5, sr #108343 (project gnutls): Oh. Sorry! _______________________________________________________ Reply to this item at: _______________________________________________ Message sent via/by Savannah http://savannah.gnu.org/ From danw at gnome.org Thu Jul 25 16:07:13 2013 From: danw at gnome.org (Dan Winship) Date: Thu, 25 Jul 2013 10:07:13 -0400 Subject: [gnutls-devel] 3.2.2 breaks TLS sockets In-Reply-To: References: <20130721114109.6ed68e72@workstation64.home> Message-ID: <51F13111.1040409@gnome.org> On 07/22/2013 05:06 PM, Nikos Mavrogiannopoulos wrote: > On Sun, Jul 21, 2013 at 11:41 AM, Andreas Radke wrote: >> New 3.2.2 gnutls seems to break certain webpages, see: >> https://bugs.archlinux.org/task/36212 >> https://bugs.archlinux.org/task/36207 >> Maybe you can reproduce it and offer a fix. Current Master fails the >> same way. > > Unfortunately I cannot reproduce it using gnutls-cli. I also do not > see anything related in the changelog. Any way to reproduce for me, or > could anyone who can reproduce it try git bisect with gnutls source? 0665b9e Eliminated memory copy on decryption. (I can only reproduce the bug when running under gdb, and even then only like 20% of the time... Maybe it only happens when you're receiving data faster than you're reading it, and so you get back multiple TLS records in a single read?) -- Dan From nmav at gnutls.org Fri Jul 26 06:53:47 2013 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Fri, 26 Jul 2013 06:53:47 +0200 Subject: [gnutls-devel] 3.2.2 breaks TLS sockets In-Reply-To: <51F13111.1040409@gnome.org> References: <20130721114109.6ed68e72@workstation64.home> <51F13111.1040409@gnome.org> Message-ID: <51F200DB.8080808@gnutls.org> On 07/25/2013 04:07 PM, Dan Winship wrote: > On 07/22/2013 05:06 PM, Nikos Mavrogiannopoulos wrote: >> On Sun, Jul 21, 2013 at 11:41 AM, Andreas Radke wrote: >>> New 3.2.2 gnutls seems to break certain webpages, see: >>> https://bugs.archlinux.org/task/36212 >>> https://bugs.archlinux.org/task/36207 >>> Maybe you can reproduce it and offer a fix. Current Master fails the >>> same way. >> >> Unfortunately I cannot reproduce it using gnutls-cli. I also do not >> see anything related in the changelog. Any way to reproduce for me, or >> could anyone who can reproduce it try git bisect with gnutls source? > > 0665b9e Eliminated memory copy on decryption. > > (I can only reproduce the bug when running under gdb, and even then only > like 20% of the time... Maybe it only happens when you're receiving data > faster than you're reading it, and so you get back multiple TLS records > in a single read?) Thank you, From a quick glimpse it doesn't seem to be something obvious. May I ask how did you reproduce it? Did you connect to a server and downloaded data? Is it again with gio? What were the cipher and MAC being used? regards, Nikos From danw at gnome.org Fri Jul 26 15:03:46 2013 From: danw at gnome.org (Dan Winship) Date: Fri, 26 Jul 2013 09:03:46 -0400 Subject: [gnutls-devel] 3.2.2 breaks TLS sockets In-Reply-To: <51F200DB.8080808@gnutls.org> References: <20130721114109.6ed68e72@workstation64.home> <51F13111.1040409@gnome.org> <51F200DB.8080808@gnutls.org> Message-ID: <51F273B2.4020308@gnome.org> On 07/26/2013 12:53 AM, Nikos Mavrogiannopoulos wrote: > Thank you, From a quick glimpse it doesn't seem to be something obvious. > May I ask how did you reproduce it? Did you connect to a server and > downloaded data? Is it again with gio? What were the cipher and MAC > being used? Yes, with gio. I used the "get" test program from the libsoup sources (basically wget implemented via libsoup). And yes, the error occurred while reading the response. (So I guess you want to test against a large resource.) gio normally uses "NORMAL:%COMPAT", but I verified that the bug happens without %COMPAT too, and I don't think there's anything else especially unusual that gio does. So it *should* be possible to reproduce with gnutls-cli, maybe doing something like: (printf "GET / HTTP/1.1\r\nHost: $HOST:443\r\nConnection: close\r\n\r\n"; cat) | gnutls-cli $HOST I'm attaching a debug log of a failed connection (to trello.com, which was one of the sites mentioned in one of the bugs). -- Dan -------------- next part -------------- GTLS: REC[0x6d4800]: Allocating epoch #0 GTLS: Note that the security level of the Diffie-Hellman key exchange has been lowered to 256 bits and this may allow decryption of the session data GTLS: ASSERT: gnutls_constate.c:576 GTLS: REC[0x6d4800]: Allocating epoch #1 GTLS: HSK[0x6d4800]: Keeping ciphersuite: ECDHE_ECDSA_AES_128_GCM_SHA256 (C0.2B) GTLS: HSK[0x6d4800]: Keeping ciphersuite: ECDHE_ECDSA_AES_128_CBC_SHA1 (C0.09) GTLS: HSK[0x6d4800]: Keeping ciphersuite: ECDHE_ECDSA_AES_128_CBC_SHA256 (C0.23) GTLS: HSK[0x6d4800]: Keeping ciphersuite: ECDHE_ECDSA_AES_256_GCM_SHA384 (C0.2C) GTLS: HSK[0x6d4800]: Keeping ciphersuite: ECDHE_ECDSA_AES_256_CBC_SHA1 (C0.0A) GTLS: HSK[0x6d4800]: Keeping ciphersuite: ECDHE_ECDSA_AES_256_CBC_SHA384 (C0.24) GTLS: HSK[0x6d4800]: Keeping ciphersuite: ECDHE_ECDSA_3DES_EDE_CBC_SHA1 (C0.08) GTLS: HSK[0x6d4800]: Keeping ciphersuite: ECDHE_RSA_AES_128_GCM_SHA256 (C0.2F) GTLS: HSK[0x6d4800]: Keeping ciphersuite: ECDHE_RSA_AES_128_CBC_SHA1 (C0.13) GTLS: HSK[0x6d4800]: Keeping ciphersuite: ECDHE_RSA_AES_128_CBC_SHA256 (C0.27) GTLS: HSK[0x6d4800]: Keeping ciphersuite: ECDHE_RSA_AES_256_GCM_SHA384 (C0.30) GTLS: HSK[0x6d4800]: Keeping ciphersuite: ECDHE_RSA_AES_256_CBC_SHA1 (C0.14) GTLS: HSK[0x6d4800]: Keeping ciphersuite: ECDHE_RSA_3DES_EDE_CBC_SHA1 (C0.12) GTLS: HSK[0x6d4800]: Keeping ciphersuite: RSA_AES_128_GCM_SHA256 (00.9C) GTLS: HSK[0x6d4800]: Keeping ciphersuite: RSA_AES_128_CBC_SHA1 (00.2F) GTLS: HSK[0x6d4800]: Keeping ciphersuite: RSA_AES_128_CBC_SHA256 (00.3C) GTLS: HSK[0x6d4800]: Keeping ciphersuite: RSA_AES_256_CBC_SHA1 (00.35) GTLS: HSK[0x6d4800]: Keeping ciphersuite: RSA_AES_256_CBC_SHA256 (00.3D) GTLS: HSK[0x6d4800]: Keeping ciphersuite: RSA_CAMELLIA_128_CBC_SHA1 (00.41) GTLS: HSK[0x6d4800]: Keeping ciphersuite: RSA_CAMELLIA_256_CBC_SHA1 (00.84) GTLS: HSK[0x6d4800]: Keeping ciphersuite: RSA_3DES_EDE_CBC_SHA1 (00.0A) GTLS: HSK[0x6d4800]: Keeping ciphersuite: RSA_ARCFOUR_SHA1 (00.05) GTLS: HSK[0x6d4800]: Keeping ciphersuite: RSA_ARCFOUR_MD5 (00.04) GTLS: HSK[0x6d4800]: Keeping ciphersuite: DHE_RSA_AES_128_GCM_SHA256 (00.9E) GTLS: HSK[0x6d4800]: Keeping ciphersuite: DHE_RSA_AES_128_CBC_SHA1 (00.33) GTLS: HSK[0x6d4800]: Keeping ciphersuite: DHE_RSA_AES_128_CBC_SHA256 (00.67) GTLS: HSK[0x6d4800]: Keeping ciphersuite: DHE_RSA_AES_256_CBC_SHA1 (00.39) GTLS: HSK[0x6d4800]: Keeping ciphersuite: DHE_RSA_AES_256_CBC_SHA256 (00.6B) GTLS: HSK[0x6d4800]: Keeping ciphersuite: DHE_RSA_CAMELLIA_128_CBC_SHA1 (00.45) GTLS: HSK[0x6d4800]: Keeping ciphersuite: DHE_RSA_CAMELLIA_256_CBC_SHA1 (00.88) GTLS: HSK[0x6d4800]: Keeping ciphersuite: DHE_RSA_3DES_EDE_CBC_SHA1 (00.16) GTLS: HSK[0x6d4800]: Keeping ciphersuite: DHE_DSS_AES_128_GCM_SHA256 (00.A2) GTLS: HSK[0x6d4800]: Keeping ciphersuite: DHE_DSS_AES_128_CBC_SHA1 (00.32) GTLS: HSK[0x6d4800]: Keeping ciphersuite: DHE_DSS_AES_128_CBC_SHA256 (00.40) GTLS: HSK[0x6d4800]: Keeping ciphersuite: DHE_DSS_AES_256_CBC_SHA1 (00.38) GTLS: HSK[0x6d4800]: Keeping ciphersuite: DHE_DSS_AES_256_CBC_SHA256 (00.6A) GTLS: HSK[0x6d4800]: Keeping ciphersuite: DHE_DSS_CAMELLIA_128_CBC_SHA1 (00.44) GTLS: HSK[0x6d4800]: Keeping ciphersuite: DHE_DSS_CAMELLIA_256_CBC_SHA1 (00.87) GTLS: HSK[0x6d4800]: Keeping ciphersuite: DHE_DSS_3DES_EDE_CBC_SHA1 (00.13) GTLS: HSK[0x6d4800]: Keeping ciphersuite: DHE_DSS_ARCFOUR_SHA1 (00.66) GTLS: EXT[0x6d4800]: Sending extension STATUS REQUEST (5 bytes) GTLS: EXT[0x6d4800]: Sending extension SERVER NAME (15 bytes) GTLS: EXT[0x6d4800]: Sending extension SAFE RENEGOTIATION (1 bytes) GTLS: EXT[0x6d4800]: Sending extension SESSION TICKET (0 bytes) GTLS: EXT[0x6d4800]: Sending extension SUPPORTED ECC (12 bytes) GTLS: EXT[0x6d4800]: Sending extension SUPPORTED ECC POINT FORMATS (2 bytes) GTLS: EXT[0x6d4800]: sent signature algo (4.1) RSA-SHA256 GTLS: EXT[0x6d4800]: sent signature algo (4.2) DSA-SHA256 GTLS: EXT[0x6d4800]: sent signature algo (4.3) ECDSA-SHA256 GTLS: EXT[0x6d4800]: sent signature algo (5.1) RSA-SHA384 GTLS: EXT[0x6d4800]: sent signature algo (5.3) ECDSA-SHA384 GTLS: EXT[0x6d4800]: sent signature algo (6.1) RSA-SHA512 GTLS: EXT[0x6d4800]: sent signature algo (6.3) ECDSA-SHA512 GTLS: EXT[0x6d4800]: sent signature algo (3.1) RSA-SHA224 GTLS: EXT[0x6d4800]: sent signature algo (3.2) DSA-SHA224 GTLS: EXT[0x6d4800]: sent signature algo (3.3) ECDSA-SHA224 GTLS: EXT[0x6d4800]: sent signature algo (2.1) RSA-SHA1 GTLS: EXT[0x6d4800]: sent signature algo (2.2) DSA-SHA1 GTLS: EXT[0x6d4800]: sent signature algo (2.3) ECDSA-SHA1 GTLS: EXT[0x6d4800]: Sending extension SIGNATURE ALGORITHMS (28 bytes) GTLS: HSK[0x6d4800]: CLIENT HELLO was queued [216 bytes] GTLS: REC[0x6d4800]: Preparing Packet Handshake(22) with length: 216 and target length: 216 GTLS: ENC[0x6d4800]: cipher: NULL, MAC: MAC-NULL, Epoch: 0 GTLS: REC[0x6d4800]: Sent Packet[1] Handshake(22) in epoch 0 and length: 221 GTLS: ASSERT: gnutls_buffers.c:1018 GTLS: REC[0x6d4800]: SSL 3.3 Handshake packet received. Epoch 0, length: 57 GTLS: REC[0x6d4800]: Expected Packet Handshake(22) GTLS: REC[0x6d4800]: Received Packet Handshake(22) with length: 57 GTLS: REC[0x6d4800]: Decrypted Packet[0] Handshake(22) with length: 57 GTLS: HSK[0x6d4800]: SERVER HELLO (2) was received. Length 53[53], frag offset 0, frag length: 53, sequence: 0 GTLS: HSK[0x6d4800]: Server's version: 3.3 GTLS: HSK[0x6d4800]: SessionID length: 0 GTLS: HSK[0x6d4800]: SessionID: 00 GTLS: HSK[0x6d4800]: Selected cipher suite: RSA_ARCFOUR_SHA1 GTLS: HSK[0x6d4800]: Selected compression method: NULL (0) GTLS: EXT[0x6d4800]: Parsing extension 'SERVER NAME/0' (0 bytes) GTLS: EXT[0x6d4800]: Parsing extension 'SAFE RENEGOTIATION/65281' (1 bytes) GTLS: EXT[0x6d4800]: Parsing extension 'SESSION TICKET/35' (0 bytes) GTLS: HSK[0x6d4800]: Safe renegotiation succeeded GTLS: ASSERT: gnutls_buffers.c:1018 GTLS: REC[0x6d4800]: SSL 3.3 Handshake packet received. Epoch 0, length: 5720 GTLS: REC[0x6d4800]: Expected Packet Handshake(22) GTLS: REC[0x6d4800]: Received Packet Handshake(22) with length: 5720 GTLS: REC[0x6d4800]: Decrypted Packet[1] Handshake(22) with length: 5720 GTLS: HSK[0x6d4800]: CERTIFICATE (11) was received. Length 5716[5716], frag offset 0, frag length: 5716, sequence: 0 GTLS: ASSERT: gnutls_buffers.c:1018 GTLS: REC[0x6d4800]: SSL 3.3 Handshake packet received. Epoch 0, length: 4 GTLS: REC[0x6d4800]: Expected Packet Handshake(22) GTLS: REC[0x6d4800]: Received Packet Handshake(22) with length: 4 GTLS: REC[0x6d4800]: Decrypted Packet[2] Handshake(22) with length: 4 GTLS: HSK[0x6d4800]: SERVER HELLO DONE (14) was received. Length 0[0], frag offset 0, frag length: 1, sequence: 0 GTLS: ASSERT: gnutls_buffers.c:1010 GTLS: ASSERT: gnutls_buffers.c:1195 GTLS: HSK[0x6d4800]: CLIENT KEY EXCHANGE was queued [262 bytes] GTLS: REC[0x6d4800]: Sent ChangeCipherSpec GTLS: INT: PREMASTER SECRET[48]: 03039be426c089982f88291dfcb156b70118b617ed685d60458038d380beb39e24615f4182bc238b901596add70a41d8 GTLS: INT: CLIENT RANDOM[32]: 51f121d6a1df5bb393da7239e98ce45bfd8c153df0a457e1df35221bcbafa3d4 GTLS: INT: SERVER RANDOM[32]: 51f121d63a2ec60c58b52127776a30193a46dc54fbc9a29bf554f4d9a3c34c0e GTLS: INT: MASTER SECRET: aef5ae11207a06a0235f09c0f681bc68ac90cdd9d5295809f7423bc256d19c2c4b14fb1914bf94b7ab0a9c35ce5c68ac GTLS: REC[0x6d4800]: Initializing epoch #1 GTLS: INT: KEY BLOCK[72]: 7a99985c445ed056f87f8c9a882174301fe8ffbabb763579a721c101f0cc29d6 GTLS: INT: CLIENT WRITE KEY [16]: e17ed568834beb08e208f36159eac283 GTLS: INT: SERVER WRITE KEY [16]: 4da8c8858e34e1fd7a64a1fb3f8b8547 GTLS: REC[0x6d4800]: Epoch #1 ready GTLS: HSK[0x6d4800]: Cipher Suite: RSA_ARCFOUR_SHA1 GTLS: HSK[0x6d4800]: Initializing internal [write] cipher sessions GTLS: HSK[0x6d4800]: recording tls-unique CB (send) GTLS: HSK[0x6d4800]: FINISHED was queued [16 bytes] GTLS: REC[0x6d4800]: Preparing Packet Handshake(22) with length: 262 and target length: 262 GTLS: ENC[0x6d4800]: cipher: NULL, MAC: MAC-NULL, Epoch: 0 GTLS: REC[0x6d4800]: Sent Packet[2] Handshake(22) in epoch 0 and length: 267 GTLS: REC[0x6d4800]: Preparing Packet ChangeCipherSpec(20) with length: 1 and target length: 1 GTLS: ENC[0x6d4800]: cipher: NULL, MAC: MAC-NULL, Epoch: 0 GTLS: REC[0x6d4800]: Sent Packet[3] ChangeCipherSpec(20) in epoch 0 and length: 6 GTLS: REC[0x6d4800]: Preparing Packet Handshake(22) with length: 16 and target length: 16 GTLS: ENC[0x6d4800]: cipher: ARCFOUR-128, MAC: SHA1, Epoch: 1 GTLS: ASSERT: mac.c:253 GTLS: REC[0x6d4800]: Sent Packet[1] Handshake(22) in epoch 1 and length: 41 GTLS: ASSERT: gnutls_buffers.c:1018 GTLS: REC[0x6d4800]: SSL 3.3 Handshake packet received. Epoch 0, length: 186 GTLS: REC[0x6d4800]: Expected Packet Handshake(22) GTLS: REC[0x6d4800]: Received Packet Handshake(22) with length: 186 GTLS: REC[0x6d4800]: Decrypted Packet[3] Handshake(22) with length: 186 GTLS: HSK[0x6d4800]: NEW SESSION TICKET (4) was received. Length 182[182], frag offset 0, frag length: 182, sequence: 0 GTLS: REC[0x6d4800]: SSL 3.3 ChangeCipherSpec packet received. Epoch 0, length: 1 GTLS: REC[0x6d4800]: Expected Packet ChangeCipherSpec(20) GTLS: REC[0x6d4800]: Received Packet ChangeCipherSpec(20) with length: 1 GTLS: REC[0x6d4800]: Decrypted Packet[4] ChangeCipherSpec(20) with length: 1 GTLS: HSK[0x6d4800]: Cipher Suite: RSA_ARCFOUR_SHA1 GTLS: ASSERT: gnutls_buffers.c:1018 GTLS: REC[0x6d4800]: SSL 3.3 Handshake packet received. Epoch 0, length: 36 GTLS: REC[0x6d4800]: Expected Packet Handshake(22) GTLS: REC[0x6d4800]: Received Packet Handshake(22) with length: 36 GTLS: ASSERT: mac.c:253 GTLS: REC[0x6d4800]: Decrypted Packet[0] Handshake(22) with length: 16 GTLS: HSK[0x6d4800]: FINISHED (20) was received. Length 12[12], frag offset 0, frag length: 12, sequence: 0 GTLS: REC[0x6d4800]: Start of epoch cleanup GTLS: REC[0x6d4800]: Epoch #0 freed GTLS: REC[0x6d4800]: End of epoch cleanup GTLS: ASSERT: common.c:906 GTLS: ASSERT: dn.c:991 GTLS: ASSERT: common.c:906 GTLS: ASSERT: dn.c:991 GTLS: ASSERT: common.c:906 GTLS: ASSERT: dn.c:991 GTLS: ASSERT: common.c:906 GTLS: ASSERT: dn.c:991 GTLS: ASSERT: dn.c:991 GTLS: ASSERT: dn.c:991 GTLS: ASSERT: mpi.c:246 GTLS: ASSERT: dn.c:991 GTLS: ASSERT: dn.c:991 GTLS: ASSERT: mpi.c:246 GTLS: ASSERT: dn.c:991 GTLS: REC[0x6d4800]: Preparing Packet Application Data(23) with length: 158 and target length: 158 GTLS: ENC[0x6d4800]: cipher: ARCFOUR-128, MAC: SHA1, Epoch: 1 GTLS: ASSERT: mac.c:253 GTLS: REC[0x6d4800]: Sent Packet[2] Application Data(23) in epoch 1 and length: 183 GTLS: REC[0x6d4800]: SSL 3.3 Application Data packet received. Epoch 0, length: 1449 GTLS: REC[0x6d4800]: Expected Packet Application Data(23) GTLS: REC[0x6d4800]: Received Packet Application Data(23) with length: 1449 GTLS: ASSERT: mac.c:253 GTLS: REC[0x6d4800]: Decrypted Packet[1] Application Data(23) with length: 1429 GTLS: REC[0x6d4800]: SSL 3.3 Application Data packet received. Epoch 0, length: 13052 GTLS: REC[0x6d4800]: Expected Packet Application Data(23) GTLS: REC[0x6d4800]: Received Packet Application Data(23) with length: 13052 GTLS: ASSERT: mac.c:253 GTLS: REC[0x6d4800]: Decrypted Packet[2] Application Data(23) with length: 13032 GTLS: REC[0x6d4800]: SSL 3.3 Application Data packet received. Epoch 0, length: 11604 GTLS: REC[0x6d4800]: Expected Packet Application Data(23) GTLS: REC[0x6d4800]: Received Packet Application Data(23) with length: 11604 GTLS: ASSERT: mac.c:253 GTLS: REC[0x6d4800]: Decrypted Packet[3] Application Data(23) with length: 11584 GTLS: REC[0x6d4800]: SSL 3.3 Application Data packet received. Epoch 0, length: 16404 GTLS: REC[0x6d4800]: Expected Packet Application Data(23) GTLS: REC[0x6d4800]: Received Packet Application Data(23) with length: 16404 GTLS: ASSERT: mac.c:253 GTLS: ASSERT: gnutls_cipher.c:713 GTLS: ASSERT: gnutls_cipher.c:188 GTLS: ASSERT: gnutls_record.c:1217 GTLS: Discarded message[4] due to invalid decryption GTLS: ASSERT: gnutls_record.c:1393 GTLS: ASSERT: gnutls_buffers.c:613 GTLS: REC: Sending Alert[1|0] - Close notify GTLS: REC[0x6d4800]: Preparing Packet Alert(21) with length: 2 and target length: 2 GTLS: ENC[0x6d4800]: cipher: ARCFOUR-128, MAC: SHA1, Epoch: 1 GTLS: ASSERT: mac.c:253 GTLS: REC[0x6d4800]: Sent Packet[3] Alert(21) in epoch 1 and length: 27 GTLS: REC[0x6d4800]: Start of epoch cleanup GTLS: REC[0x6d4800]: End of epoch cleanup GTLS: REC[0x6d4800]: Epoch #1 freed GTLS: REC[0x6d4800]: Allocating epoch #0 GTLS: Note that the security level of the Diffie-Hellman key exchange has been lowered to 256 bits and this may allow decryption of the session data GTLS: ASSERT: gnutls_constate.c:576 GTLS: REC[0x6d4800]: Allocating epoch #1 GTLS: HSK[0x6d4800]: Keeping ciphersuite: ECDHE_ECDSA_AES_128_GCM_SHA256 (C0.2B) GTLS: HSK[0x6d4800]: Keeping ciphersuite: ECDHE_ECDSA_AES_128_CBC_SHA1 (C0.09) GTLS: HSK[0x6d4800]: Keeping ciphersuite: ECDHE_ECDSA_AES_128_CBC_SHA256 (C0.23) GTLS: HSK[0x6d4800]: Keeping ciphersuite: ECDHE_ECDSA_AES_256_GCM_SHA384 (C0.2C) GTLS: HSK[0x6d4800]: Keeping ciphersuite: ECDHE_ECDSA_AES_256_CBC_SHA1 (C0.0A) GTLS: HSK[0x6d4800]: Keeping ciphersuite: ECDHE_ECDSA_AES_256_CBC_SHA384 (C0.24) GTLS: HSK[0x6d4800]: Keeping ciphersuite: ECDHE_ECDSA_3DES_EDE_CBC_SHA1 (C0.08) GTLS: HSK[0x6d4800]: Keeping ciphersuite: ECDHE_RSA_AES_128_GCM_SHA256 (C0.2F) GTLS: HSK[0x6d4800]: Keeping ciphersuite: ECDHE_RSA_AES_128_CBC_SHA1 (C0.13) GTLS: HSK[0x6d4800]: Keeping ciphersuite: ECDHE_RSA_AES_128_CBC_SHA256 (C0.27) GTLS: HSK[0x6d4800]: Keeping ciphersuite: ECDHE_RSA_AES_256_GCM_SHA384 (C0.30) GTLS: HSK[0x6d4800]: Keeping ciphersuite: ECDHE_RSA_AES_256_CBC_SHA1 (C0.14) GTLS: HSK[0x6d4800]: Keeping ciphersuite: ECDHE_RSA_3DES_EDE_CBC_SHA1 (C0.12) GTLS: HSK[0x6d4800]: Keeping ciphersuite: RSA_AES_128_GCM_SHA256 (00.9C) GTLS: HSK[0x6d4800]: Keeping ciphersuite: RSA_AES_128_CBC_SHA1 (00.2F) GTLS: HSK[0x6d4800]: Keeping ciphersuite: RSA_AES_128_CBC_SHA256 (00.3C) GTLS: HSK[0x6d4800]: Keeping ciphersuite: RSA_AES_256_CBC_SHA1 (00.35) GTLS: HSK[0x6d4800]: Keeping ciphersuite: RSA_AES_256_CBC_SHA256 (00.3D) GTLS: HSK[0x6d4800]: Keeping ciphersuite: RSA_CAMELLIA_128_CBC_SHA1 (00.41) GTLS: HSK[0x6d4800]: Keeping ciphersuite: RSA_CAMELLIA_256_CBC_SHA1 (00.84) GTLS: HSK[0x6d4800]: Keeping ciphersuite: RSA_3DES_EDE_CBC_SHA1 (00.0A) GTLS: HSK[0x6d4800]: Keeping ciphersuite: RSA_ARCFOUR_SHA1 (00.05) GTLS: HSK[0x6d4800]: Keeping ciphersuite: RSA_ARCFOUR_MD5 (00.04) GTLS: HSK[0x6d4800]: Keeping ciphersuite: DHE_RSA_AES_128_GCM_SHA256 (00.9E) GTLS: HSK[0x6d4800]: Keeping ciphersuite: DHE_RSA_AES_128_CBC_SHA1 (00.33) GTLS: HSK[0x6d4800]: Keeping ciphersuite: DHE_RSA_AES_128_CBC_SHA256 (00.67) GTLS: HSK[0x6d4800]: Keeping ciphersuite: DHE_RSA_AES_256_CBC_SHA1 (00.39) GTLS: HSK[0x6d4800]: Keeping ciphersuite: DHE_RSA_AES_256_CBC_SHA256 (00.6B) GTLS: HSK[0x6d4800]: Keeping ciphersuite: DHE_RSA_CAMELLIA_128_CBC_SHA1 (00.45) GTLS: HSK[0x6d4800]: Keeping ciphersuite: DHE_RSA_CAMELLIA_256_CBC_SHA1 (00.88) GTLS: HSK[0x6d4800]: Keeping ciphersuite: DHE_RSA_3DES_EDE_CBC_SHA1 (00.16) GTLS: HSK[0x6d4800]: Keeping ciphersuite: DHE_DSS_AES_128_GCM_SHA256 (00.A2) GTLS: HSK[0x6d4800]: Keeping ciphersuite: DHE_DSS_AES_128_CBC_SHA1 (00.32) GTLS: HSK[0x6d4800]: Keeping ciphersuite: DHE_DSS_AES_128_CBC_SHA256 (00.40) GTLS: HSK[0x6d4800]: Keeping ciphersuite: DHE_DSS_AES_256_CBC_SHA1 (00.38) GTLS: HSK[0x6d4800]: Keeping ciphersuite: DHE_DSS_AES_256_CBC_SHA256 (00.6A) GTLS: HSK[0x6d4800]: Keeping ciphersuite: DHE_DSS_CAMELLIA_128_CBC_SHA1 (00.44) GTLS: HSK[0x6d4800]: Keeping ciphersuite: DHE_DSS_CAMELLIA_256_CBC_SHA1 (00.87) GTLS: HSK[0x6d4800]: Keeping ciphersuite: DHE_DSS_3DES_EDE_CBC_SHA1 (00.13) GTLS: HSK[0x6d4800]: Keeping ciphersuite: DHE_DSS_ARCFOUR_SHA1 (00.66) GTLS: EXT[0x6d4800]: Sending extension STATUS REQUEST (5 bytes) GTLS: EXT[0x6d4800]: Sending extension SERVER NAME (15 bytes) GTLS: EXT[0x6d4800]: Sending extension SAFE RENEGOTIATION (1 bytes) GTLS: EXT[0x6d4800]: Sending extension SESSION TICKET (0 bytes) GTLS: EXT[0x6d4800]: Sending extension SUPPORTED ECC (12 bytes) GTLS: EXT[0x6d4800]: Sending extension SUPPORTED ECC POINT FORMATS (2 bytes) GTLS: EXT[0x6d4800]: sent signature algo (4.1) RSA-SHA256 GTLS: EXT[0x6d4800]: sent signature algo (4.2) DSA-SHA256 GTLS: EXT[0x6d4800]: sent signature algo (4.3) ECDSA-SHA256 GTLS: EXT[0x6d4800]: sent signature algo (5.1) RSA-SHA384 GTLS: EXT[0x6d4800]: sent signature algo (5.3) ECDSA-SHA384 GTLS: EXT[0x6d4800]: sent signature algo (6.1) RSA-SHA512 GTLS: EXT[0x6d4800]: sent signature algo (6.3) ECDSA-SHA512 GTLS: EXT[0x6d4800]: sent signature algo (3.1) RSA-SHA224 GTLS: EXT[0x6d4800]: sent signature algo (3.2) DSA-SHA224 GTLS: EXT[0x6d4800]: sent signature algo (3.3) ECDSA-SHA224 GTLS: EXT[0x6d4800]: sent signature algo (2.1) RSA-SHA1 GTLS: EXT[0x6d4800]: sent signature algo (2.2) DSA-SHA1 GTLS: EXT[0x6d4800]: sent signature algo (2.3) ECDSA-SHA1 GTLS: EXT[0x6d4800]: Sending extension SIGNATURE ALGORITHMS (28 bytes) GTLS: HSK[0x6d4800]: CLIENT HELLO was queued [216 bytes] GTLS: REC[0x6d4800]: Preparing Packet Handshake(22) with length: 216 and target length: 216 GTLS: ENC[0x6d4800]: cipher: NULL, MAC: MAC-NULL, Epoch: 0 GTLS: REC[0x6d4800]: Sent Packet[1] Handshake(22) in epoch 0 and length: 221 GTLS: ASSERT: gnutls_buffers.c:1018 GTLS: REC[0x6d4800]: SSL 3.3 Handshake packet received. Epoch 0, length: 57 GTLS: REC[0x6d4800]: Expected Packet Handshake(22) GTLS: REC[0x6d4800]: Received Packet Handshake(22) with length: 57 GTLS: REC[0x6d4800]: Decrypted Packet[0] Handshake(22) with length: 57 GTLS: HSK[0x6d4800]: SERVER HELLO (2) was received. Length 53[53], frag offset 0, frag length: 53, sequence: 0 GTLS: HSK[0x6d4800]: Server's version: 3.3 GTLS: HSK[0x6d4800]: SessionID length: 0 GTLS: HSK[0x6d4800]: SessionID: 00 GTLS: HSK[0x6d4800]: Selected cipher suite: RSA_ARCFOUR_SHA1 GTLS: HSK[0x6d4800]: Selected compression method: NULL (0) GTLS: EXT[0x6d4800]: Parsing extension 'SERVER NAME/0' (0 bytes) GTLS: EXT[0x6d4800]: Parsing extension 'SAFE RENEGOTIATION/65281' (1 bytes) GTLS: EXT[0x6d4800]: Parsing extension 'SESSION TICKET/35' (0 bytes) GTLS: HSK[0x6d4800]: Safe renegotiation succeeded GTLS: ASSERT: gnutls_buffers.c:1018 GTLS: REC[0x6d4800]: SSL 3.3 Handshake packet received. Epoch 0, length: 5720 GTLS: REC[0x6d4800]: Expected Packet Handshake(22) GTLS: REC[0x6d4800]: Received Packet Handshake(22) with length: 5720 GTLS: REC[0x6d4800]: Decrypted Packet[1] Handshake(22) with length: 5720 GTLS: HSK[0x6d4800]: CERTIFICATE (11) was received. Length 5716[5716], frag offset 0, frag length: 5716, sequence: 0 GTLS: ASSERT: gnutls_buffers.c:1018 GTLS: REC[0x6d4800]: SSL 3.3 Handshake packet received. Epoch 0, length: 4 GTLS: REC[0x6d4800]: Expected Packet Handshake(22) GTLS: REC[0x6d4800]: Received Packet Handshake(22) with length: 4 GTLS: REC[0x6d4800]: Decrypted Packet[2] Handshake(22) with length: 4 GTLS: HSK[0x6d4800]: SERVER HELLO DONE (14) was received. Length 0[0], frag offset 0, frag length: 1, sequence: 0 GTLS: ASSERT: gnutls_buffers.c:1010 GTLS: ASSERT: gnutls_buffers.c:1195 GTLS: HSK[0x6d4800]: CLIENT KEY EXCHANGE was queued [262 bytes] GTLS: REC[0x6d4800]: Sent ChangeCipherSpec GTLS: INT: PREMASTER SECRET[48]: 0303df46651a2a972ad4a012d71b8be7a9ac44afa562f846481dc23d787ff4ad8e2a165eb5ef037a02a553acf1821f03 GTLS: INT: CLIENT RANDOM[32]: 51f121d6883b8172a35b4e0085010878a218159e4f3f7df3c699c227fb6d3e8a GTLS: INT: SERVER RANDOM[32]: 51f121d6ad79d869887e333d72fa64737fbd4695c9e7b565c2b073475703d78e GTLS: INT: MASTER SECRET: 29c5115dee9c934495f19582a1c1f0d96ad1cc66763e2389f7e65060e936bffbbd92c9feb0fa63192d90cffd8c0bb64f GTLS: REC[0x6d4800]: Initializing epoch #1 GTLS: INT: KEY BLOCK[72]: 65706fd236bb7aef09c5ce34c45931e58bea83aad123c4c4c4cbf745da0731e0 GTLS: INT: CLIENT WRITE KEY [16]: 61eec43c50d834e8765f5f2e67175e2f GTLS: INT: SERVER WRITE KEY [16]: bf1aac66bfe1aafcca28e9214c447df0 GTLS: REC[0x6d4800]: Epoch #1 ready GTLS: HSK[0x6d4800]: Cipher Suite: RSA_ARCFOUR_SHA1 GTLS: HSK[0x6d4800]: Initializing internal [write] cipher sessions GTLS: HSK[0x6d4800]: recording tls-unique CB (send) GTLS: HSK[0x6d4800]: FINISHED was queued [16 bytes] GTLS: REC[0x6d4800]: Preparing Packet Handshake(22) with length: 262 and target length: 262 GTLS: ENC[0x6d4800]: cipher: NULL, MAC: MAC-NULL, Epoch: 0 GTLS: REC[0x6d4800]: Sent Packet[2] Handshake(22) in epoch 0 and length: 267 GTLS: REC[0x6d4800]: Preparing Packet ChangeCipherSpec(20) with length: 1 and target length: 1 GTLS: ENC[0x6d4800]: cipher: NULL, MAC: MAC-NULL, Epoch: 0 GTLS: REC[0x6d4800]: Sent Packet[3] ChangeCipherSpec(20) in epoch 0 and length: 6 GTLS: REC[0x6d4800]: Preparing Packet Handshake(22) with length: 16 and target length: 16 GTLS: ENC[0x6d4800]: cipher: ARCFOUR-128, MAC: SHA1, Epoch: 1 GTLS: ASSERT: mac.c:253 GTLS: REC[0x6d4800]: Sent Packet[1] Handshake(22) in epoch 1 and length: 41 GTLS: ASSERT: gnutls_buffers.c:1018 GTLS: REC[0x6d4800]: SSL 3.3 Handshake packet received. Epoch 0, length: 186 GTLS: REC[0x6d4800]: Expected Packet Handshake(22) GTLS: REC[0x6d4800]: Received Packet Handshake(22) with length: 186 GTLS: REC[0x6d4800]: Decrypted Packet[3] Handshake(22) with length: 186 GTLS: HSK[0x6d4800]: NEW SESSION TICKET (4) was received. Length 182[182], frag offset 0, frag length: 182, sequence: 0 GTLS: REC[0x6d4800]: SSL 3.3 ChangeCipherSpec packet received. Epoch 0, length: 1 GTLS: REC[0x6d4800]: Expected Packet ChangeCipherSpec(20) GTLS: REC[0x6d4800]: Received Packet ChangeCipherSpec(20) with length: 1 GTLS: REC[0x6d4800]: Decrypted Packet[4] ChangeCipherSpec(20) with length: 1 GTLS: HSK[0x6d4800]: Cipher Suite: RSA_ARCFOUR_SHA1 GTLS: ASSERT: gnutls_buffers.c:1018 GTLS: REC[0x6d4800]: SSL 3.3 Handshake packet received. Epoch 0, length: 36 GTLS: REC[0x6d4800]: Expected Packet Handshake(22) GTLS: REC[0x6d4800]: Received Packet Handshake(22) with length: 36 GTLS: ASSERT: mac.c:253 GTLS: REC[0x6d4800]: Decrypted Packet[0] Handshake(22) with length: 16 GTLS: HSK[0x6d4800]: FINISHED (20) was received. Length 12[12], frag offset 0, frag length: 12, sequence: 0 GTLS: REC[0x6d4800]: Start of epoch cleanup GTLS: REC[0x6d4800]: Epoch #0 freed GTLS: REC[0x6d4800]: End of epoch cleanup GTLS: ASSERT: common.c:906 GTLS: ASSERT: dn.c:991 GTLS: ASSERT: common.c:906 GTLS: ASSERT: dn.c:991 GTLS: ASSERT: common.c:906 GTLS: ASSERT: dn.c:991 GTLS: ASSERT: common.c:906 GTLS: ASSERT: dn.c:991 GTLS: ASSERT: dn.c:991 GTLS: ASSERT: dn.c:991 GTLS: ASSERT: mpi.c:246 GTLS: ASSERT: dn.c:991 GTLS: ASSERT: dn.c:991 GTLS: ASSERT: mpi.c:246 GTLS: ASSERT: dn.c:991 GTLS: REC[0x6d4800]: Preparing Packet Application Data(23) with length: 173 and target length: 173 GTLS: ENC[0x6d4800]: cipher: ARCFOUR-128, MAC: SHA1, Epoch: 1 GTLS: ASSERT: mac.c:253 GTLS: REC[0x6d4800]: Sent Packet[2] Application Data(23) in epoch 1 and length: 198 GTLS: REC[0x6d4800]: SSL 3.3 Application Data packet received. Epoch 0, length: 2897 GTLS: REC[0x6d4800]: Expected Packet Application Data(23) GTLS: REC[0x6d4800]: Received Packet Application Data(23) with length: 2897 GTLS: ASSERT: mac.c:253 GTLS: REC[0x6d4800]: Decrypted Packet[1] Application Data(23) with length: 2877 GTLS: REC[0x6d4800]: SSL 3.3 Application Data packet received. Epoch 0, length: 11604 GTLS: REC[0x6d4800]: Expected Packet Application Data(23) GTLS: REC[0x6d4800]: Received Packet Application Data(23) with length: 11604 GTLS: ASSERT: mac.c:253 GTLS: REC[0x6d4800]: Decrypted Packet[2] Application Data(23) with length: 11584 GTLS: REC[0x6d4800]: SSL 3.3 Application Data packet received. Epoch 0, length: 1468 GTLS: REC[0x6d4800]: Expected Packet Application Data(23) GTLS: REC[0x6d4800]: Received Packet Application Data(23) with length: 1468 GTLS: ASSERT: mac.c:253 GTLS: REC[0x6d4800]: Decrypted Packet[3] Application Data(23) with length: 1448 GTLS: REC[0x6d4800]: SSL 3.3 Application Data packet received. Epoch 0, length: 16404 GTLS: REC[0x6d4800]: Expected Packet Application Data(23) GTLS: REC[0x6d4800]: Received Packet Application Data(23) with length: 16404 GTLS: ASSERT: mac.c:253 GTLS: ASSERT: gnutls_cipher.c:713 GTLS: ASSERT: gnutls_cipher.c:188 GTLS: ASSERT: gnutls_record.c:1217 GTLS: Discarded message[4] due to invalid decryption GTLS: ASSERT: gnutls_record.c:1393 GTLS: ASSERT: gnutls_buffers.c:613 GTLS: REC: Sending Alert[1|0] - Close notify GTLS: REC[0x6d4800]: Preparing Packet Alert(21) with length: 2 and target length: 2 GTLS: ENC[0x6d4800]: cipher: ARCFOUR-128, MAC: SHA1, Epoch: 1 GTLS: ASSERT: mac.c:253 GTLS: REC[0x6d4800]: Sent Packet[3] Alert(21) in epoch 1 and length: 27 GTLS: REC[0x6d4800]: Start of epoch cleanup GTLS: REC[0x6d4800]: End of epoch cleanup GTLS: REC[0x6d4800]: Epoch #1 freed /: 6 Error reading data from TLS socket: Decryption has failed. (0x0) From nmav at gnutls.org Fri Jul 26 15:17:49 2013 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Fri, 26 Jul 2013 15:17:49 +0200 Subject: [gnutls-devel] 3.2.2 breaks TLS sockets In-Reply-To: <51F273B2.4020308@gnome.org> References: <20130721114109.6ed68e72@workstation64.home> <51F13111.1040409@gnome.org> <51F200DB.8080808@gnutls.org> <51F273B2.4020308@gnome.org> Message-ID: On Fri, Jul 26, 2013 at 3:03 PM, Dan Winship wrote: > On 07/26/2013 12:53 AM, Nikos Mavrogiannopoulos wrote: >> Thank you, From a quick glimpse it doesn't seem to be something obvious. >> May I ask how did you reproduce it? Did you connect to a server and >> downloaded data? Is it again with gio? What were the cipher and MAC >> being used? > Yes, with gio. I used the "get" test program from the libsoup sources > (basically wget implemented via libsoup). And yes, the error occurred > while reading the response. (So I guess you want to test against a large > resource.) > gio normally uses "NORMAL:%COMPAT", but I verified that the bug happens > without %COMPAT too, and I don't think there's anything else especially > unusual that gio does. So it *should* be possible to reproduce with > gnutls-cli, maybe doing something like: Thank you. I see that RSA_ARCFOUR_SHA1 is negotiated. Is it easy to check whether this occurs when AES128-CBC-SHA1 is used (e.g. by using NORMAL:-ARCFOUR-128 as the priority string)? If not then the issue is pretty much contained and I hope to fix it soon. regards, Nikos From nmav at gnutls.org Fri Jul 26 15:29:59 2013 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Fri, 26 Jul 2013 15:29:59 +0200 Subject: [gnutls-devel] 3.2.2 breaks TLS sockets In-Reply-To: References: <20130721114109.6ed68e72@workstation64.home> <51F13111.1040409@gnome.org> <51F200DB.8080808@gnutls.org> <51F273B2.4020308@gnome.org> Message-ID: On Fri, Jul 26, 2013 at 3:17 PM, Nikos Mavrogiannopoulos wrote: >> Yes, with gio. I used the "get" test program from the libsoup sources >> (basically wget implemented via libsoup). And yes, the error occurred >> while reading the response. (So I guess you want to test against a large >> resource.) >> gio normally uses "NORMAL:%COMPAT", but I verified that the bug happens >> without %COMPAT too, and I don't think there's anything else especially >> unusual that gio does. So it *should* be possible to reproduce with >> gnutls-cli, maybe doing something like: > Thank you. I see that RSA_ARCFOUR_SHA1 is negotiated. Is it easy to > check whether this occurs when AES128-CBC-SHA1 is used (e.g. by using > NORMAL:-ARCFOUR-128 as the priority string)? If not then the issue is > pretty much contained and I hope to fix it soon. This patch should fix the issue. If I am correct on the interpretation of the issue, it seems that these particular servers exceed the maximum allowed number of bytes. The %COMPAT keyword should have allowed them nevertheless, and that is what the patch do. Please let me know if that fixes the issue, and if not, if possible let me know of the debugging output. regards, Nikos -------------- next part -------------- diff --git a/lib/gnutls_cipher.c b/lib/gnutls_cipher.c index 198cb34..3caa5ac 100644 --- a/lib/gnutls_cipher.c +++ b/lib/gnutls_cipher.c @@ -710,7 +710,11 @@ ciphertext_to_compressed (gnutls_session_t session, return gnutls_assert_val(ret); if (unlikely((unsigned)length_to_decrypt > compressed->size)) - return gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED); + { + _gnutls_audit_log(session, "Received %u bytes, while expecting less than %u\n", + (unsigned int)length_to_decrypt, (unsigned int)compressed->size); + return gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED); + } ret = _gnutls_auth_cipher_decrypt2 (¶ms->read.cipher_state, diff --git a/lib/gnutls_record.c b/lib/gnutls_record.c index 993ddb9..4795711 100644 --- a/lib/gnutls_record.c +++ b/lib/gnutls_record.c @@ -1193,8 +1193,8 @@ begin: /* We allocate the maximum possible to allow few compressed bytes to expand to a * full record. */ - decrypted = _mbuffer_alloc(MAX_RECORD_RECV_SIZE(session), - MAX_RECORD_RECV_SIZE(session)); + t.size = _gnutls_get_max_decrypted_data(session); + decrypted = _mbuffer_alloc(t.size, t.size); if (decrypted == NULL) return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); From danw at gnome.org Fri Jul 26 17:15:49 2013 From: danw at gnome.org (Dan Winship) Date: Fri, 26 Jul 2013 11:15:49 -0400 Subject: [gnutls-devel] 3.2.2 breaks TLS sockets In-Reply-To: References: <20130721114109.6ed68e72@workstation64.home> <51F13111.1040409@gnome.org> <51F200DB.8080808@gnutls.org> <51F273B2.4020308@gnome.org> Message-ID: <51F292A5.2040402@gnome.org> On 07/26/2013 09:29 AM, Nikos Mavrogiannopoulos wrote: > This patch should fix the issue. If I am correct on the interpretation > of the issue, it seems that these particular servers exceed the > maximum allowed number of bytes. The %COMPAT keyword should have > allowed them nevertheless, and that is what the patch do. > > Please let me know if that fixes the issue, and if not, if possible > let me know of the debugging output. After applying that patch, I could no longer reproduce the bug. And adding some more debug showed a case where t.size was 18432 but MAX_RECORD_RECV_SIZE was 16384. So it looks like your interpretation is right. -- Dan From nmav at gnutls.org Fri Jul 26 18:18:17 2013 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Fri, 26 Jul 2013 18:18:17 +0200 Subject: [gnutls-devel] 3.2.2 breaks TLS sockets In-Reply-To: <51F292A5.2040402@gnome.org> References: <20130721114109.6ed68e72@workstation64.home> <51F13111.1040409@gnome.org> <51F200DB.8080808@gnutls.org> <51F273B2.4020308@gnome.org> <51F292A5.2040402@gnome.org> Message-ID: <51F2A149.80401@gnutls.org> On 07/26/2013 05:15 PM, Dan Winship wrote: >> This patch should fix the issue. If I am correct on the interpretation >> of the issue, it seems that these particular servers exceed the >> maximum allowed number of bytes. The %COMPAT keyword should have >> allowed them nevertheless, and that is what the patch do. >> >> Please let me know if that fixes the issue, and if not, if possible >> let me know of the debugging output. > > After applying that patch, I could no longer reproduce the bug. And > adding some more debug showed a case where t.size was 18432 but > MAX_RECORD_RECV_SIZE was 16384. So it looks like your interpretation is > right. Thank you Dan and also Mark for trying that patch out. I've committed the fix to master, and I'll roll out a release one of the next few days. regards, Nikos PS. It is interesting to know that this type of broken server is so widespread. From tim.kosse at filezilla-project.org Fri Jul 26 18:24:44 2013 From: tim.kosse at filezilla-project.org (Tim Kosse) Date: Fri, 26 Jul 2013 18:24:44 +0200 Subject: [gnutls-devel] 3.2.2 breaks TLS sockets In-Reply-To: References: <20130721114109.6ed68e72@workstation64.home> <51F13111.1040409@gnome.org> <51F200DB.8080808@gnutls.org> <51F273B2.4020308@gnome.org> Message-ID: <51F2A2CC.4040606@filezilla-project.org> Hi, I've also encountered this issue, I'm seeing it triggered in gnutls_cipher.c:748 On 2013-07-26 15:29, Nikos Mavrogiannopoulos wrote: > If I am correct on the interpretation > of the issue, it seems that these particular servers exceed the > maximum allowed number of bytes. The %COMPAT keyword should have > allowed them nevertheless, and that is what the patch do. I don't think this is the case. The ciphertext includes the following: compressed data (no bigger than plaintext length + 2048), padding, iv, mac. As per TLS1.2 RFC: > The encrypted data length (TLSCiphertext.length) is one more than the > sum of SecurityParameters.block_length, TLSCompressed.length, > SecurityParameters.mac_length, and padding_length. In gnutls_cipher.c:747, we're comparing the ciphertext size against the size of the output buffer. At this point, the ciphertext size still contains mac, padding, some tags (iv size has been subtracted before). Building on your patch, I think the correct approach is to use the following: t.size = _gnutls_get_max_decrypted_data(session) + MAX_PAD_SIZE + MAX_HASH_SIZE; I'm not quite sure if there's still some +1 or something else hiding there though. Sidenode: I'm not sure the check for allow_large_records in _gnutls_get_max_decrypted_data is working as intended in this case. Intuitively I would simply make the output buffer as large as the ciphertext if I were to allow over-sized records. Regards, Tim -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 261 bytes Desc: OpenPGP digital signature URL: From mancha1 at hush.com Fri Jul 26 23:23:02 2013 From: mancha1 at hush.com (mancha) Date: Fri, 26 Jul 2013 21:23:02 +0000 Subject: [gnutls-devel] [PATCH] Tolerate unsorted certificate chains in GnuTLS 2.12.23 Message-ID: <20130726212302.BD0B9A00C7@smtp.hushmail.com> Hi. Per RFC 5246: "The sender's certificate MUST come first in the list. Each following certificate MUST directly certify the one preceding it." Unfortunately, many TLS servers provide their certificate chains out of order, violating RFC. GnuTLS 3.0.x+ now tolerates out-of-order certificate chains by default. Attached patch backports similar logic to GnuTLS 2.12.x. I post it for the benefit of others with systems staying on the 2.12.x branch who might find this enhancement valuable. Also, so other sets of eyes might take a quick look and make sure I didn't do anything too unruly. Comments welcome. --mancha P.S. A little bit of irony.... $ gnutls-cli lists.gnutls.org [Boring stuff skipped] - The hostname in the certificate does NOT match 'lists.gnutls.org' -------------- next part -------------- A non-text attachment was scrubbed... Name: gnutls-2.12.23-cert-list-sort.diff Type: application/octet-stream Size: 4320 bytes Desc: not available URL: From steve.erhart at gmail.com Sun Jul 28 00:14:26 2013 From: steve.erhart at gmail.com (Steve Erhart) Date: Sat, 27 Jul 2013 18:14:26 -0400 Subject: [gnutls-devel] with-guile-site-dir configure error Message-ID: <2E8B1F4C-F03C-4EFB-ADBF-CE51A6B1D922@gmail.com> Hello, When trying to build with a different guile-site-dir I get the following error: ./configure --with-guile-site-dir=no configure: WARNING: unrecognized options: --with-guile-site-dir Doing a quick check I found that the configure.ac was generating the option as: __with__with_guile_site_dir I've created a patch to fix the configure.ac file to use the correct argument to AC_ARG_WITH. -------------- next part -------------- A non-text attachment was scrubbed... Name: gnutls-guile-site-dir.diff Type: application/octet-stream Size: 404 bytes Desc: not available URL: From nmav at gnutls.org Sun Jul 28 09:12:15 2013 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Sun, 28 Jul 2013 09:12:15 +0200 Subject: [gnutls-devel] 3.2.2 breaks TLS sockets In-Reply-To: <51F2A2CC.4040606@filezilla-project.org> References: <20130721114109.6ed68e72@workstation64.home> <51F13111.1040409@gnome.org> <51F200DB.8080808@gnutls.org> <51F273B2.4020308@gnome.org> <51F2A2CC.4040606@filezilla-project.org> Message-ID: <51F4C44F.9020703@gnutls.org> On 07/26/2013 06:24 PM, Tim Kosse wrote: > Hi, > > I've also encountered this issue, I'm seeing it triggered in > gnutls_cipher.c:748 [...] > As per TLS1.2 RFC: >> The encrypted data length (TLSCiphertext.length) is one more than the >> sum of SecurityParameters.block_length, TLSCompressed.length, >> SecurityParameters.mac_length, and padding_length. > > In gnutls_cipher.c:747, we're comparing the ciphertext size against the > size of the output buffer. At this point, the ciphertext size still > contains mac, padding, some tags (iv size has been subtracted before). > > Building on your patch, I think the correct approach is to use the > following: > > t.size = _gnutls_get_max_decrypted_data(session) + MAX_PAD_SIZE + > MAX_HASH_SIZE; > I'm not quite sure if there's still some +1 or something else hiding > there though. Hello Tim, You are correct. I've committed a slightly different fix. > Sidenode: I'm not sure the check for allow_large_records in > _gnutls_get_max_decrypted_data is working as intended in this case. > Intuitively I would simply make the output buffer as large as the > ciphertext if I were to allow over-sized records. Indeed, that is part of the new fix. regards, Nikos From nmav at gnutls.org Sun Jul 28 09:12:39 2013 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Sun, 28 Jul 2013 09:12:39 +0200 Subject: [gnutls-devel] with-guile-site-dir configure error In-Reply-To: <2E8B1F4C-F03C-4EFB-ADBF-CE51A6B1D922@gmail.com> References: <2E8B1F4C-F03C-4EFB-ADBF-CE51A6B1D922@gmail.com> Message-ID: <51F4C467.20709@gnutls.org> On 07/28/2013 12:14 AM, Steve Erhart wrote: > Hello, > > When trying to build with a different guile-site-dir I get the following error: > > ./configure --with-guile-site-dir=no > configure: WARNING: unrecognized options: --with-guile-site-dir > > Doing a quick check I found that the configure.ac was generating the option as: > > __with__with_guile_site_dir > > I've created a patch to fix the configure.ac file to use the correct argument to AC_ARG_WITH. Applied, thank you! From nmav at gnutls.org Mon Jul 29 00:35:38 2013 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Mon, 29 Jul 2013 00:35:38 +0200 Subject: [gnutls-devel] gnutls 3.2.3pre0 Message-ID: <51F59CBA.50506@gnutls.org> Hello, This is a pre-release of 3.2.3. This should fix all known issues introduced by 3.2.2. If there are no reported issues in this prerelease I'll rename the released files to 3.2.3. * Version 3.2.3pre0 (released 2013-07-28) ** libgnutls: Fixes in parsing of priority strings. Patch by Stefan Buehler. ** libgnutls: Solve issue with received TLS packets that exceed 2^14. (this fixes a bug that was accidentally introduced in 3.2.2) ** libgnutls: Removed gnulib modules under LGPLv3 that could possibly be used by the library. ** API and ABI modifications: gnutls_priority_kx_list: Added gnutls_priority_mac_list: Added gnutls_priority_cipher_list: Added Getting the Software ==================== The pre-releases can be downloaded from: ftp://ftp.gnutls.org/gcrypt/gnutls/v3.2/ regards, Nikos From mark at markelee.com Mon Jul 29 05:34:26 2013 From: mark at markelee.com (Mark E. Lee) Date: Sun, 28 Jul 2013 23:34:26 -0400 Subject: [gnutls-devel] gnutls 3.2.3pre0 Message-ID: <1375068866.1004.4.camel@localhost.localdomain> >Hello, > This is a pre-release of 3.2.3. This should fix all known issues >introduced by 3.2.2. If there are no reported issues in this prerelease >I'll rename the released files to 3.2.3. > >* Version 3.2.3pre0 (released 2013-07-28) > >** libgnutls: Fixes in parsing of priority strings. Patch by Stefan >Buehler. > >** libgnutls: Solve issue with received TLS packets that exceed 2^14. >(this fixes a bug that was accidentally introduced in 3.2.2) > >** libgnutls: Removed gnulib modules under LGPLv3 that could possibly >be >used by the library. > >** API and ABI modifications: >gnutls_priority_kx_list: Added >gnutls_priority_mac_list: Added >gnutls_priority_cipher_list: Added > > >Getting the Software >==================== > >The pre-releases can be downloaded from: > > ftp://ftp.gnutls.org/gcrypt/gnutls/v3.2/ > >regards, >Nikos I managed to compile/run it just fine on Arch Linux 64 bit. From, Mark -- Mark E. Lee -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 230 bytes Desc: This is a digitally signed message part URL: From nmav at gnutls.org Tue Jul 30 08:52:14 2013 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Tue, 30 Jul 2013 08:52:14 +0200 Subject: [gnutls-devel] gnutls 3.2.3 Message-ID: <51F7629E.9060006@gnutls.org> Hello, I've just released gnutls 3.2.3. This is a bug-fix release on the current stable branch. * Version 3.2.3 (released 2013-07-30) ** libgnutls: Fixes in parsing of priority strings. Patch by Stefan Buehler. ** libgnutls: Solve issue with received TLS packets that exceed 2^14. (this fixes a bug that was accidentally introduced in 3.2.2) ** libgnutls: Removed gnulib modules under LGPLv3 that could possibly be used by the library. ** libgnutls: Fixes in gnutls_record_send_range(). Report and initial fix by Alfredo Pironti. ** API and ABI modifications: gnutls_priority_kx_list: Added gnutls_priority_mac_list: Added gnutls_priority_cipher_list: Added Getting the Software ==================== GnuTLS may be downloaded directly from . A list of GnuTLS mirrors can be found at . Here are the XZ and LZIP compressed sources: ftp://ftp.gnutls.org/gcrypt/gnutls/v3.2/gnutls-3.2.3.tar.xz ftp://ftp.gnutls.org/gcrypt/gnutls/v3.2/gnutls-3.2.3.tar.lz Here are OpenPGP detached signatures signed using key 0x96865171: ftp://ftp.gnutls.org/gcrypt/gnutls/v3.2/gnutls-3.2.3.tar.xz.sig ftp://ftp.gnutls.org/gcrypt/gnutls/v3.2/gnutls-3.2.3.tar.lz.sig Note that it has been signed with my openpgp key: pub 3104R/96865171 2008-05-04 [expires: 2028-04-29] uid Nikos Mavrogiannopoulos gnutls.org> uid Nikos Mavrogiannopoulos gmail.com> sub 2048R/9013B842 2008-05-04 [expires: 2018-05-02] sub 2048R/1404A91D 2008-05-04 [expires: 2018-05-02] regards, Nikos From INVALID.NOREPLY at gnu.org Wed Jul 31 21:11:38 2013 From: INVALID.NOREPLY at gnu.org (Afri Qhdoe) Date: Wed, 31 Jul 2013 19:11:38 +0000 Subject: [gnutls-devel] [sr #108343] gnutls 3.2.2 breaks tls decryption: "Decryption has failed." In-Reply-To: <20130725-080447.sv91994.97846@savannah.gnu.org> References: <20130724-075610.sv91992.79412@savannah.gnu.org> <20130724-090650.sv91994.98369@savannah.gnu.org> <20130724-132039.sv20807.97604@savannah.gnu.org> <20130724-142748.sv91994.1946@savannah.gnu.org> <20130724-170731.sv20807.15487@savannah.gnu.org> <20130725-080447.sv91994.97846@savannah.gnu.org> Message-ID: <20130731-191138.sv91992.39797@savannah.gnu.org> Follow-up Comment #6, sr #108343 (project gnutls): gnutls-3.2.3 fixes all issues for me. thanks. whatever that was :> _______________________________________________________ Reply to this item at: _______________________________________________ Nachricht gesendet von/durch Savannah http://savannah.gnu.org/