From nmav at gnutls.org Mon Mar 3 07:21:25 2014
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Mon, 03 Mar 2014 07:21:25 +0100
Subject: [gnutls-devel] gnutls 3.1.22
Message-ID: <53141F65.2090204@gnutls.org>
Hello,
I've just released gnutls 3.1.22. This is an important bug-fix release
on the previous stable branch which addresses GNUTLS-SA-2014-2
http://www.gnutls.org/security.html#GNUTLS-SA-2014-2
* Version 3.1.22 (released 2014-03-03)
** libgnutls: Corrected certificate verification issue (GNUTLS-SA-2014-2)
** libgnutls: Corrected issue in gnutls_pcert_list_import_x509_raw
when provided with invalid data. Reported by Dmitriy Anisimkov.
** libgnutls: Corrected timeout issue in subsequent to the first
DTLS handshakes.
** libgnutls: Removed unconditional not-trusted message in
gnutls_certificate_verification_status_print() when used with
OpenPGP certificates. Reported by Michel Briand.
** libgnutls: All ciphersuites that were available in TLS1.0 or
later are now made available in SSL3.0 or later to prevent
any incompatibilities with servers that negotiate them in SSL 3.0.
** API and ABI modifications:
No changes since last version.
Getting the Software
====================
GnuTLS may be downloaded directly from
. A list of GnuTLS mirrors can be
found at .
Here are the XZ and LZIP compressed sources:
ftp://ftp.gnutls.org/gcrypt/gnutls/v3.1/gnutls-3.1.22.tar.xz
ftp://ftp.gnutls.org/gcrypt/gnutls/v3.1/gnutls-3.1.22.tar.lz
Here are OpenPGP detached signatures signed using key 0x96865171:
ftp://ftp.gnutls.org/gcrypt/gnutls/v3.1/gnutls-3.1.22.tar.xz.sig
ftp://ftp.gnutls.org/gcrypt/gnutls/v3.1/gnutls-3.1.22.tar.lz.sig
Note that it has been signed with my openpgp key:
pub 3104R/96865171 2008-05-04 [expires: 2028-04-29]
uid Nikos Mavrogiannopoulos gnutls.org>
uid Nikos Mavrogiannopoulos
gmail.com>
sub 2048R/9013B842 2008-05-04 [expires: 2018-05-02]
sub 2048R/1404A91D 2008-05-04 [expires: 2018-05-02]
regards,
Nikos
From nmav at gnutls.org Mon Mar 3 07:22:41 2014
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Mon, 03 Mar 2014 07:22:41 +0100
Subject: [gnutls-devel] gnutls 3.2.12 / GNUTLS-SA-2014-2
Message-ID: <53141FB1.3040809@gnutls.org>
Hello,
I've just released gnutls 3.2.12. This is an important bug-fix release
on the current stable branch which addresses GNUTLS-SA-2014-2
http://www.gnutls.org/security.html#GNUTLS-SA-2014-2
This fixes is an important (and at the same time embarrassing) bug
discovered during an audit for Red Hat. Everyone is urged to upgrade.
The git branches of older releases (e.g., 2.12.x), were also updated
with patches to the issue as they are also vulnerable. I'll provide more
information on the issue the next few days.
* Version 3.2.12 (released 2014-03-03)
** libgnutls: Corrected certificate verification issue (GNUTLS-SA-2014-2)
** libgnutls: Corrected issue in gnutls_pcert_list_import_x509_raw
when provided with invalid data. Reported by Dmitriy Anisimkov.
** libgnutls: Corrected timeout issue in subsequent to the first
DTLS handshakes.
** libgnutls: Removed unconditional not-trusted message in
gnutls_certificate_verification_status_print() when used with
OpenPGP certificates. Reported by Michel Briand.
** libgnutls: All ciphersuites that were available in TLS1.0 or
later are now made available in SSL3.0 or later to prevent
any incompatibilities with servers that negotiate them in SSL 3.0.
** ocsptool: When verifying a response and a signer isn't provided
assume that the signer is the issuer.
** ocsptool: When sending a nonce, verify that the nonce exists
in the OCSP response.
** gnutls-cli: Added --strict-tofu option; contributed by Jens
Lechtenboerger.
** API and ABI modifications:
No changes since last version.
Getting the Software
====================
GnuTLS may be downloaded directly from
. A list of GnuTLS mirrors can be
found at .
Here are the XZ and LZIP compressed sources:
ftp://ftp.gnutls.org/gcrypt/gnutls/v3.2/gnutls-3.2.12.tar.xz
ftp://ftp.gnutls.org/gcrypt/gnutls/v3.2/gnutls-3.2.12.tar.lz
Here are OpenPGP detached signatures signed using key 0x96865171:
ftp://ftp.gnutls.org/gcrypt/gnutls/v3.2/gnutls-3.2.12.tar.xz.sig
ftp://ftp.gnutls.org/gcrypt/gnutls/v3.2/gnutls-3.2.12.tar.lz.sig
Note that it has been signed with my openpgp key:
pub 3104R/96865171 2008-05-04 [expires: 2028-04-29]
uid Nikos Mavrogiannopoulos gnutls.org>
uid Nikos Mavrogiannopoulos
gmail.com>
sub 2048R/9013B842 2008-05-04 [expires: 2018-05-02]
sub 2048R/1404A91D 2008-05-04 [expires: 2018-05-02]
regards,
Nikos
From ametzler at bebt.de Tue Mar 4 19:43:02 2014
From: ametzler at bebt.de (Andreas Metzler)
Date: Tue, 4 Mar 2014 19:43:02 +0100
Subject: [gnutls-devel] gnutls 3.2.12 / GNUTLS-SA-2014-2
In-Reply-To: <53141FB1.3040809@gnutls.org>
References: <53141FB1.3040809@gnutls.org>
Message-ID: <20140304184302.GB3248@downhill.g.la>
On 2014-03-03 Nikos Mavrogiannopoulos wrote:
> Hello,
> I've just released gnutls 3.2.12.
[...]
> ** API and ABI modifications:
> No changes since last version.
[...]
Hello,
3.2.12 broke the ABI in 1972eaa216489512dd73db52f9fca473ef859e33 which
drops all symbols depending on ENABLE_RSA_EXPORT:
GNUTLS_1_4 gnutls_rsa_export_get_pubkey
GNUTLS_1_4 gnutls_rsa_export_get_modulus_bits
GNUTLS_1_4 gnutls_certificate_set_rsa_export_params
GNUTLS_1_4 gnutls_rsa_params_import_raw
GNUTLS_1_4 gnutls_rsa_params_init
GNUTLS_1_4 gnutls_rsa_params_deinit
GNUTLS_1_4 gnutls_rsa_params_cpy
GNUTLS_1_4 gnutls_rsa_params_generate2
GNUTLS_1_4 gnutls_rsa_params_import_pkcs1
GNUTLS_1_4 gnutls_rsa_params_export_pkcs1
GNUTLS_1_4 gnutls_rsa_params_export_raw
cu Andreas
--
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
From nmav at gnutls.org Tue Mar 4 20:24:05 2014
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Tue, 04 Mar 2014 20:24:05 +0100
Subject: [gnutls-devel] gnutls 3.2.12.1 (abi change fix)
In-Reply-To: <20140304184302.GB3248@downhill.g.la>
References: <53141FB1.3040809@gnutls.org> <20140304184302.GB3248@downhill.g.la>
Message-ID: <1393961045.15100.2.camel@nomad.lan>
On Tue, 2014-03-04 at 19:43 +0100, Andreas Metzler wrote:
> 3.2.12 broke the ABI in 1972eaa216489512dd73db52f9fca473ef859e33 which
> drops all symbols depending on ENABLE_RSA_EXPORT:
You are correct. I've reintroduced the option in:
https://www.gitorious.org/gnutls/gnutls/commit/9a3fb4b5fdc285e39a6c106ab9889342ff0d5c23
I've released 3.2.12.1 which reverts the ABI change.
* Version 3.2.12.1 (released 2014-03-04)
** libgnutls: Reverted change that broke ABI. Reported by Andreas
Metzler.
** API and ABI modifications:
No changes since last version.
From ludo at gnu.org Wed Mar 5 00:26:41 2014
From: ludo at gnu.org (Ludovic =?utf-8?Q?Court=C3=A8s?=)
Date: Wed, 05 Mar 2014 00:26:41 +0100
Subject: [gnutls-devel] Moving away from the RSA-export API
Message-ID: <87r46h1r66.fsf@gnu.org>
Hello,
The inadvertent removal of the --disable-rsa-export configure option led
to test failures in the Guile bindings [0], which made me realize that
this is actually a deprecated API.
However, the Guile bindings use (e.g., tests/x509-auth.scm), export, and
document (e.g., the OpenPGP example in the manual) this API.
What would be the recommended way to upgrade?
Thanks,
Ludo?.
[0] https://lists.gnu.org/archive/html/guix-devel/2014-03/msg00027.html
From nmav at gnutls.org Wed Mar 5 09:44:41 2014
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Wed, 5 Mar 2014 09:44:41 +0100
Subject: [gnutls-devel] gnutls 3.2.12 / GNUTLS-SA-2014-2
In-Reply-To: <53141FB1.3040809@gnutls.org>
References: <53141FB1.3040809@gnutls.org>
Message-ID:
On Mon, Mar 3, 2014 at 7:22 AM, Nikos Mavrogiannopoulos wrote:
> This fixes is an important (and at the same time embarrassing) bug
> discovered during an audit for Red Hat. Everyone is urged to upgrade.
> The git branches of older releases (e.g., 2.12.x), were also updated
> with patches to the issue as they are also vulnerable. I'll provide more
> information on the issue the next few days.
Hello,
It seems that this bug got quite some publicity and I even started
receiving mail from random people. If anyone has any suggestions on
gnutls project workflow please post it here, and (more important)
volunteer to take up some work. Judging is easy, doing the actual work
isn't.
So here are few more words on the specific issue. The bug was
introduced around the 1.0.0 version, and went for quite long time
undetected, I believe for the following reason mainly:
1. This bug cannot be detected by any certificate validation tests;
prior to any release gnutls is tested against a certificate validation
path suite (developed to test X.509 path validation for USA's DoD),
but that couldn't help detect the issue. It didn't help with any of
the other issues that had been detected in the X.509 path validation
code of gnutls, so we have an additional suite developed in-house.
That didn't help with the issue either because it requires a specially
crafted certificate (and I'm not revealing more details on that yet).
2. This bug can only be detected by code audit, which doesn't happen
often (it's not a fun thing to do).
3. As this code was on a critical part of the library it was touched
and thus read, very rarely. Moreover, the code in question followed
the usual form of error checking in the library 'if(err<0) return
err', making it look correct, unless one would notice that the
function returned a boolean value (and we have very few such functions
in the library).
Of course the bug was introduced by me and I am fully responsible for it.
That's my last mail on the topic. Shit happens; we flush and go on.
regards,
Nikos
From nmav at gnutls.org Wed Mar 5 09:46:52 2014
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Wed, 5 Mar 2014 09:46:52 +0100
Subject: [gnutls-devel] Moving away from the RSA-export API
In-Reply-To: <87r46h1r66.fsf@gnu.org>
References: <87r46h1r66.fsf@gnu.org>
Message-ID:
On Wed, Mar 5, 2014 at 12:26 AM, Ludovic Court?s wrote:
> Hello,
> The inadvertent removal of the --disable-rsa-export configure option led
> to test failures in the Guile bindings [0], which made me realize that
> this is actually a deprecated API.
> However, the Guile bindings use (e.g., tests/x509-auth.scm), export, and
> document (e.g., the OpenPGP example in the manual) this API.
> What would be the recommended way to upgrade?
Deprecate it as well? Binary compatibility will remain, but these
functions are defunc anyway.
> [0] https://lists.gnu.org/archive/html/guix-devel/2014-03/msg00027.html
Does gnutls 3.2.12.1 fix that issue?
regards,
Nikos
From ludo at gnu.org Wed Mar 5 14:06:51 2014
From: ludo at gnu.org (Ludovic =?utf-8?Q?Court=C3=A8s?=)
Date: Wed, 05 Mar 2014 14:06:51 +0100
Subject: [gnutls-devel] Moving away from the RSA-export API
In-Reply-To:
(Nikos Mavrogiannopoulos's message of "Wed, 5 Mar 2014 09:46:52
+0100")
References: <87r46h1r66.fsf@gnu.org>
Message-ID: <878uso23ro.fsf@gnu.org>
Nikos Mavrogiannopoulos skribis:
> On Wed, Mar 5, 2014 at 12:26 AM, Ludovic Court?s wrote:
>> Hello,
>> The inadvertent removal of the --disable-rsa-export configure option led
>> to test failures in the Guile bindings [0], which made me realize that
>> this is actually a deprecated API.
>> However, the Guile bindings use (e.g., tests/x509-auth.scm), export, and
>> document (e.g., the OpenPGP example in the manual) this API.
>> What would be the recommended way to upgrade?
>
> Deprecate it as well? Binary compatibility will remain, but these
> functions are defunc anyway.
And replace it with gnutls_x509_privkey, right?
The equivalence between rsa_params and x509_privkey alluded to in NEWS
doesn?t seem natural at first sight, because RSA parameters and X.509
private keys are different things.
Or am I missing something?
>> [0] https://lists.gnu.org/archive/html/guix-devel/2014-03/msg00027.html
>
> Does gnutls 3.2.12.1 fix that issue?
I think so, though I had just fixed it differently in the meantime:
http://git.savannah.gnu.org/cgit/guix.git/commit/?id=9b521a678b6a9bb1e27d7379f70e467ececbe6d1
Thanks,
Ludo?.
From nmav at gnutls.org Wed Mar 5 14:10:04 2014
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Wed, 5 Mar 2014 14:10:04 +0100
Subject: [gnutls-devel] Moving away from the RSA-export API
In-Reply-To: <878uso23ro.fsf@gnu.org>
References: <87r46h1r66.fsf@gnu.org>
<878uso23ro.fsf@gnu.org>
Message-ID:
On Wed, Mar 5, 2014 at 2:06 PM, Ludovic Court?s wrote:
>>> However, the Guile bindings use (e.g., tests/x509-auth.scm), export, and
>>> document (e.g., the OpenPGP example in the manual) this API.
>>> What would be the recommended way to upgrade?
>> Deprecate it as well? Binary compatibility will remain, but these
>> functions are defunc anyway.
> And replace it with gnutls_x509_privkey, right?
> The equivalence between rsa_params and x509_privkey alluded to in NEWS
> doesn't seem natural at first sight, because RSA parameters and X.509
> private keys are different things.
The RSA params for rsa-export were just a 512-bit rsa private key.
regards,
Nikos
From ramkumar.chinchani at gmail.com Mon Mar 3 06:43:44 2014
From: ramkumar.chinchani at gmail.com (Ramkumar Chinchani)
Date: Mon, 3 Mar 2014 05:43:44 +0000
Subject: [gnutls-devel] gnutls_openpgp_keyring_import() doesn't report the
proper error if incorrect armor is used
Message-ID:
If the "data" argument to gnutls_openpgp_keyring_import() is really in RAW
format and "format" is incorrectly specified as BASE64, then the following
snippet of code fails silently with "err" = EOF in the very first iteration
and it falls through.
So the caller cannot detect this and retry a different armor/format.
169 do {
170 err =
171 cdk_stream_read(input, raw_data + written,
172 raw_len - written);
173
174 if (err > 0)
175 written += err;
176 }
177 while (written < raw_len && err != EOF && err > 0);
Suggesting the following patch.
diff --git a/lib/openpgp/extras.c b/lib/openpgp/extras.c
index 65bb488..d2a854f 100644
--- a/lib/openpgp/extras.c
+++ b/lib/openpgp/extras.c
@@ -177,6 +177,11 @@ gnutls_openpgp_keyring_import(gnutls_openpgp_keyring_t
keyring,
while (written < raw_len && err != EOF && err > 0);
raw_len = written;
+ if (raw_len == 0) {
+ gnutls_assert();
+ err = GNUTLS_E_BASE64_DECODING_ERROR;
+ goto error;
+ }
} else { /* RAW */
raw_len = data->size;
raw_data = data->data;
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
From colin at colino.net Wed Mar 5 11:09:07 2014
From: colin at colino.net (Colin Leroy)
Date: Wed, 5 Mar 2014 11:09:07 +0100
Subject: [gnutls-devel] [PATCH] Fix xssl build without HAVE_VASPRINTF
Message-ID: <20140305110907.39d808eb@colin>
Hello,
I hit an "undefined symbol _gnutls_vasprintf" error when building the
newest GnuTLS without HAVE_VASPRINTF defined.
Attached is a patch which fixes it.
Thanks,
--
Colin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: xssl_build_fix.patch
Type: text/x-patch
Size: 421 bytes
Desc: not available
URL:
From nullprogrammer at gmail.com Thu Mar 6 02:08:00 2014
From: nullprogrammer at gmail.com (Jason Spafford)
Date: Wed, 5 Mar 2014 17:08:00 -0800
Subject: [gnutls-devel] Patch for checking string length on a potentially
null string
Message-ID:
I read the guidelines and have satisfied all the requirements as far as I
know. I agree to the Developer's Certificate of Origin.
The instructions never say where to include the patch, so I've attached it
to this email.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: fix_null_string_length.patch
Type: application/octet-stream
Size: 990 bytes
Desc: not available
URL:
From nmav at gnutls.org Thu Mar 6 19:26:31 2014
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Thu, 06 Mar 2014 19:26:31 +0100
Subject: [gnutls-devel] gnutls_openpgp_keyring_import() doesn't report
the proper error if incorrect armor is used
In-Reply-To:
References:
Message-ID: <1394130391.4163.10.camel@nomad.lan>
On Mon, 2014-03-03 at 05:43 +0000, Ramkumar Chinchani wrote:
> raw_len = written;
> + if (raw_len == 0) {
> + gnutls_assert();
> + err = GNUTLS_E_BASE64_DECODING_ERROR;
> + goto error;
> + }
Applied, thank you.
Nikos
From nmav at gnutls.org Thu Mar 6 19:13:53 2014
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Thu, 06 Mar 2014 19:13:53 +0100
Subject: [gnutls-devel] Patch for checking string length on a
potentially null string
In-Reply-To:
References:
Message-ID: <1394129633.4163.9.camel@nomad.lan>
On Wed, 2014-03-05 at 17:08 -0800, Jason Spafford wrote:
> I read the guidelines and have satisfied all the requirements as far
> as I know. I agree to the Developer's Certificate of Origin.
Applied, thank you.
Nikos
From matthew.d.wood at intel.com Fri Mar 7 00:26:10 2014
From: matthew.d.wood at intel.com (Wood, Matthew D)
Date: Thu, 6 Mar 2014 23:26:10 +0000
Subject: [gnutls-devel] Quick questions re: creating new crypto acceleration
patch
Message-ID:
I?m investigating creating a patch that would add support for the upcoming
Intel(R) SHA Extensions acceleration
(http://software.intel.com/en-us/articles/intel-sha-extensions) to GuTLS.
The instructions accelerate SHA-1 and SHA-256 in upcoming processors (e.g.
Goldmont). I wanted to confirm my strategy and get your advice prior to
heavy investment.
1. Create patch from the git master vs. the current stable branch
(gnutls_3_2_x). I want to confirm this because I have not been able to
successfully build the master without changes, while the stable branch
builds without issues. I am using Ubuntu 13.10 64bit with all patches.
note: The build on master fails related to ocsptool-args.h not having a
build rule. Porting the src/Makefile.in change to the BUILT_SOURCES
variable in the latest stable branch (removing headers in the list) solves
the issue.
2. It appears that much of the assembly is linked in from OpenSSL. It
doesn?t appear that the Intel SHA Extensions contributions to OpenSSL have
made it into their release tree yet. Would you prefer to wait for a patch
that follows this inclusion pattern or to have GnuTLS specific assembly
code submitted? There is reference code from Intel at
http://software.intel.com/en-us/articles/intel-sha-extensions-implementatio
ns that would serve as my starting point if I were to create GnuTLS
specific assembly.
3. When registering the optimized SHA implementations, the priority would
be 70. The implementations optimized for SSE3 are currently 80, and the
versions using the SHA extensions would be preferred.
I would also need to make the following adjustment to current code:
- gnutls_cpuid() would change to set ECX=0 prior to the cpuid instruction.
Detecting support for the SHA instructions uses CPUID leaf 7, sub-leaf 0
(eax=7,ecx=0) and any other value in ecx returns zeros in all response
registers. It would not change the interface to gnutls_cpuid(), just make
it more robust.
The timing of the patch would be sometime after the release of GCC 4.9.x
and prior to the release of the supporting hardware. GCC 4.9.x supports
the new SHA extensions, and is estimated to be released sometime around
the end of this month.
Thanks,
Matt Wood
From nmav at gnutls.org Fri Mar 7 08:07:49 2014
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Fri, 07 Mar 2014 08:07:49 +0100
Subject: [gnutls-devel] [PATCH 1/5] Update gnulib to fix build failures
In-Reply-To: <1394174109-661-1-git-send-email-cernekee@gmail.com>
References: <1394174109-661-1-git-send-email-cernekee@gmail.com>
Message-ID: <1394176069.4157.19.camel@nomad.lan>
On Thu, 2014-03-06 at 22:35 -0800, Kevin Cernekee wrote:
> This fixes two problems:
>
> 1) read-file build failure on Android (upstream commit cb3c90598c1)
>
> 2) Missing inet_pton.c error during GnuTLS "make bootstrap":
>
> touch ChangeLog
> test -f ./configure || AUTOPOINT=true autoreconf --install
> missing file gl/tests/inet_pton.c
> configure.ac:189: error: expected source file, required through AC_LIBSOURCES, not found
> gl/m4/gnulib-comp.m4:203: gl_INIT is expanded from...
> configure.ac:189: the top level
> autom4te: /usr/bin/m4 failed with exit status: 1
> aclocal: error: echo failed with exit status: 1
> autoreconf: aclocal failed with exit status: 1
> make: *** [autoreconf] Error 1
Hello Kevin,
Is that on latest master? I fixed some issue yesterday that was related
to that. I'd like to remove all the gnulib networking code from gl/ and
move it to src/gl/ as gl overwrites many system functions and makes it
impossible the library to work in windows systems properly if the
application using the library doesn't use gnulib too.
btw. I do not have commit nr: cb3c90598c1
regards,
Nikos
From nmav at gnutls.org Fri Mar 7 08:11:34 2014
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Fri, 07 Mar 2014 08:11:34 +0100
Subject: [gnutls-devel] [PATCH 2/5] Fix build failures on autogen'ed docs
In-Reply-To: <1394174109-661-2-git-send-email-cernekee@gmail.com>
References: <1394174109-661-1-git-send-email-cernekee@gmail.com>
<1394174109-661-2-git-send-email-cernekee@gmail.com>
Message-ID: <1394176294.4157.22.camel@nomad.lan>
On Thu, 2014-03-06 at 22:35 -0800, Kevin Cernekee wrote:
> This change uses a '%'-style pattern to avoid duplication of similar
> rules. '%' patterns are a GNU-ism but there is precedent in
> guile/src/Makefile.am.
Could we avoid the gnu-ism for that fix? I think the main library should
be able to compile in a many systems as possible -meaning we have to use
ugly makefile directives :(.
regards,
Nikos
From nmav at gnutls.org Fri Mar 7 08:14:40 2014
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Fri, 07 Mar 2014 08:14:40 +0100
Subject: [gnutls-devel] [PATCH 3/5] doc: Fix enums.texi failure on
out-of-tree builds
In-Reply-To: <1394174109-661-3-git-send-email-cernekee@gmail.com>
References: <1394174109-661-1-git-send-email-cernekee@gmail.com>
<1394174109-661-3-git-send-email-cernekee@gmail.com>
Message-ID: <1394176480.4157.24.camel@nomad.lan>
On Thu, 2014-03-06 at 22:35 -0800, Kevin Cernekee wrote:
> enums.texi is a generated file so we should not look for it in $(srcdir).
> When we do, chaos ensues:
Thank you. Applied (3-4).
From nmav at gnutls.org Fri Mar 7 08:20:36 2014
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Fri, 07 Mar 2014 08:20:36 +0100
Subject: [gnutls-devel] [PATCH 5/5] Fix build failures involving
doc/invoke-*.texi
In-Reply-To: <1394174109-661-5-git-send-email-cernekee@gmail.com>
References: <1394174109-661-1-git-send-email-cernekee@gmail.com>
<1394174109-661-5-git-send-email-cernekee@gmail.com>
Message-ID: <1394176836.4157.27.camel@nomad.lan>
On Thu, 2014-03-06 at 22:35 -0800, Kevin Cernekee wrote:
> Several problems were found in this area:
>
> 1) Currently, if SRC_DEF_* are undefined, autogen will get invoked with
> no input file and it will hang forever waiting for content from stdin:
> +$(AUTOGENED_GNUTLS_DOC) : invoke-gnutls-%.texi : $(top_srcdir)/src/%-args.def
> + $(call autogen_common,$<,$@)
I like the change, but I am thinking whether it makes sense to have
gnu-isms for the documentation part.
From nmav at gnutls.org Fri Mar 7 08:29:39 2014
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Fri, 07 Mar 2014 08:29:39 +0100
Subject: [gnutls-devel] Quick questions re: creating new crypto
acceleration patch
In-Reply-To:
References:
Message-ID: <1394177379.4157.36.camel@nomad.lan>
On Thu, 2014-03-06 at 23:26 +0000, Wood, Matthew D wrote:
> I?m investigating creating a patch that would add support for the upcoming
> Intel(R) SHA Extensions acceleration
> (http://software.intel.com/en-us/articles/intel-sha-extensions) to GuTLS.
> The instructions accelerate SHA-1 and SHA-256 in upcoming processors (e.g.
> Goldmont). I wanted to confirm my strategy and get your advice prior to
> heavy investment.
Hello Matthew,
I think the best would be to have the additions in nettle directly, so
that other projects using nettle benefit as well. If I remember well,
the idea there was to have a constructor that will check for specific
processor capabilities and set a variable (e.g., cpuid flags) which will
be used during the execution to divert to the assembly optimized
version.
But for details you'll have to talk directly with the author (Niels).
> 3. When registering the optimized SHA implementations, the priority would
> be 70. The implementations optimized for SSE3 are currently 80, and the
> versions using the SHA extensions would be preferred.
The cipher overriding part in gnutls was created as an interim solution
until nettle supports overriding ciphers at runtime. I'd like to add new
ciphers in that, only if adding that capability to nettle isn't possible
(or practical). In that case we can fallback to using the cipher
overriding api in gnutls for the SHA optimizations.
regards,
Nikos
From nmav at gnutls.org Fri Mar 7 08:50:21 2014
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Fri, 07 Mar 2014 08:50:21 +0100
Subject: [gnutls-devel] auditing gnutls
Message-ID: <1394178621.4157.55.camel@nomad.lan>
Hello,
It seems there are more eyes looking at gnutls now, so to make things
easier, here is a list of the parts of gnutls (and also libtasn1) that
are exposed to network/untrusted data and have more need for auditing.
If you are able to audit the code please check the master branch (see
instructions at http://www.gnutls.org/devel.html ), and in case you are
able to successfully audit one of the following paths, please edit
the files reviewed and add a header under the author:
'Reviewed-By: Your Name (date)'
or 'Reviewed X.509 certificate verfication: Your name (date)'
Then make a patch with any changes you see fit (e.g. fixes or
simplifications of complex code) and send it to this list (preferably)
or to me directly.
If you cannot audit, but you know others that want and can, please
forward that mail to them. The reward for significant flaw finders is
eternal fame, and a @gnutls.org email address.
Note that there are people that have requested access to the coverity
gnutls logs. These are for a very old gnutls version and they don't
reveal anything that isn't also visible by clang's scan-build.
*********
The list:
*********
1. X.509 certificate verification starting from
gnutls_certificate_verify_peers3() - gnutls_cert.c
(may require PKIX details from RFC5280)
2. X.509 certificate verification starting from
gnutls_x509_trust_list_verify_crt() - x509/verify-high.c
3. X.509 certificate verification starting from
gnutls_x509_trust_list_verify_named_crt() - x509/verify-high.c
4. TOFU certificate verification starting from
gnutls_verify_stored_pubkey() - verify-tofu.c
5. TLS record parsing starting from gnutls_record_recv() to
gnutls_decrypt() - gnutls_record.c / gnutls_cipher.c
(may require TLS record details from RFC2246)
6. TLS handshake for RSA key exchange - gnutls_handshake() from
gnutls_handshake.c and auth/rsa.c.
(may require TLS details from rfc5246)
7. TLS handshake for DHE-RSA key exchange - gnutls_handshake() from
gnutls_handshake.c and auth/dhe.c.
(may require TLS details from rfc5246)
8. TLS handshake for ECDHE-ECDSA key exchange - gnutls_handshake() from
gnutls_handshake.c and auth/ecdhe.c.
(may require TLS details from rfc4492)
9 TLS handshake as a state machine starting from gnutls_handshake in
gnutls_handshake.c.
10. Random generator starting from gnutls_rnd() / random.c, and
nettle/rnd.c. This generator should work on multi-threaded systems and
after fork.
11. X.509 certificate parsing at x509/x509.c.
(may require PKIX details from RFC5280)
12. (X.509 certificate) DER decoding at libtasn1's asn1_der_decoding.
Check code from the upstream repository at:
https://www.gnu.org/software/libtasn1/
(that's a task for the brave)
regards,
Nikos
From cernekee at gmail.com Fri Mar 7 07:35:08 2014
From: cernekee at gmail.com (Kevin Cernekee)
Date: Thu, 6 Mar 2014 22:35:08 -0800
Subject: [gnutls-devel] [PATCH 4/5] Rename psk-args.def to psktool-args.def
In-Reply-To: <1394174109-661-1-git-send-email-cernekee@gmail.com>
References: <1394174109-661-1-git-send-email-cernekee@gmail.com>
Message-ID: <1394174109-661-4-git-send-email-cernekee@gmail.com>
Other utilities generate invoke-%.texi from %-args.def, but currently
invoke-psktool.texi is generated from psk-args.def. If we make psktool
conform to the same convention as the other utilities, we can use a
generic pattern to handle all of them the same way.
Signed-off-by: Kevin Cernekee
---
.gitignore | 4 ++--
doc/manpages/Makefile.am | 2 +-
src/Makefile.am | 4 ++--
src/psk.c | 2 +-
src/{psk-args.def => psktool-args.def} | 0
5 files changed, 6 insertions(+), 6 deletions(-)
rename src/{psk-args.def => psktool-args.def} (100%)
diff --git a/.gitignore b/.gitignore
index 31bc5f6..6b50937 100644
--- a/.gitignore
+++ b/.gitignore
@@ -662,8 +662,8 @@ src/ocsptool-args.c
src/ocsptool-args.h
src/p11tool-args.c
src/p11tool-args.h
-src/psk-args.c
-src/psk-args.h
+src/psktool-args.c
+src/psktool-args.h
src/serv-args.c
src/serv-args.h
src/srptool-args.c
diff --git a/doc/manpages/Makefile.am b/doc/manpages/Makefile.am
index 31d0d56..dfdf9ab 100644
--- a/doc/manpages/Makefile.am
+++ b/doc/manpages/Makefile.am
@@ -84,7 +84,7 @@ tpmtool.1: ../../src/tpmtool-args.def
autogen -DMAN_SECTION=1 -Tagman-cmd.tpl "$<".tmp && \
rm -f "$<".tmp
-psktool.1: ../../src/psk-args.def
+psktool.1: ../../src/psktool-args.def
-sed 's/@subheading \(.*\)/@*\n at var{\1}\n@*/' $< > "$<".tmp && \
autogen -DMAN_SECTION=1 -Tagman-cmd.tpl "$<".tmp && \
rm -f "$<".tmp
diff --git a/src/Makefile.am b/src/Makefile.am
index a14c021..fcb8e84 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -20,7 +20,7 @@
SUBDIRS = gl
BUILT_SOURCES = srptool-args.c srptool-args.h \
- psk-args.c psk-args.h ocsptool-args.h ocsptool-args.c \
+ psktool-args.c psktool-args.h ocsptool-args.h ocsptool-args.c \
serv-args.c serv-args.h cli-args.c cli-args.h \
cli-debug-args.c cli-debug-args.h certtool-args.c certtool-args.h \
danetool-args.c danetool-args.h p11tool-args.c p11tool-args.h \
@@ -90,7 +90,7 @@ psktool_LDADD = ../lib/libgnutls.la libcmd-psk.la $(LIBOPTS) ../gl/libgnu.la
psktool_LDADD += $(LTLIBINTL) gl/libgnu_gpl.la
noinst_LTLIBRARIES += libcmd-psk.la
libcmd_psk_la_CFLAGS =
-libcmd_psk_la_SOURCES = psk-args.def psk-args.c psk-args.h
+libcmd_psk_la_SOURCES = psktool-args.def psktool-args.c psktool-args.h
if ENABLE_OCSP
diff --git a/src/psk.c b/src/psk.c
index 7bf7ae7..e7dba82 100644
--- a/src/psk.c
+++ b/src/psk.c
@@ -38,7 +38,7 @@ int main(int argc, char **argv)
#include
#include
#include
-#include
+#include
#include /* for random */
diff --git a/src/psk-args.def b/src/psktool-args.def
similarity index 100%
rename from src/psk-args.def
rename to src/psktool-args.def
--
1.8.3.2
From cernekee at gmail.com Fri Mar 7 07:35:06 2014
From: cernekee at gmail.com (Kevin Cernekee)
Date: Thu, 6 Mar 2014 22:35:06 -0800
Subject: [gnutls-devel] [PATCH 2/5] Fix build failures on autogen'ed docs
In-Reply-To: <1394174109-661-1-git-send-email-cernekee@gmail.com>
References: <1394174109-661-1-git-send-email-cernekee@gmail.com>
Message-ID: <1394174109-661-2-git-send-email-cernekee@gmail.com>
autogen needs to be invoked with $(srcdir)/-args.def or else it
will not be able to find the input file if GnuTLS is built out of tree,
e.g.
mkdir build
cd build
../configure
make
Also, add missing targets for %-args.h, to avoid this error:
make[2]: Entering directory `/home/user/gnutls/src'
autogen srptool-args.def
autogen psk-args.def
make[2]: *** No rule to make target `ocsptool-args.h', needed by `all'. Stop.
make[2]: Leaving directory `/home/user/gnutls/src'
make[1]: *** [all-recursive] Error 1
This change uses a '%'-style pattern to avoid duplication of similar
rules. '%' patterns are a GNU-ism but there is precedent in
guile/src/Makefile.am.
Signed-off-by: Kevin Cernekee
---
src/Makefile.am | 22 ++--------------------
1 file changed, 2 insertions(+), 20 deletions(-)
diff --git a/src/Makefile.am b/src/Makefile.am
index a768f57..a14c021 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -213,23 +213,5 @@ libcmd_tpmtool_la_LIBADD += $(LTLIBREADLINE) $(INET_PTON_LIB) $(LIB_CLOCK_GETTIM
endif # ENABLE_TROUSERS
-danetool-args.c: $(srcdir)/args-std.def $(srcdir)/danetool-args.def
- -$(AUTOGEN) danetool-args.def
-ocsptool-args.c: $(srcdir)/args-std.def $(srcdir)/ocsptool-args.def
- -$(AUTOGEN) ocsptool-args.def
-tpmtool-args.c: $(srcdir)/args-std.def $(srcdir)/tpmtool-args.def
- -$(AUTOGEN) tpmtool-args.def
-p11tool-args.c: $(srcdir)/args-std.def $(srcdir)/p11tool-args.def
- -$(AUTOGEN) p11tool-args.def
-psk-args.c: $(srcdir)/args-std.def $(srcdir)/psk-args.def
- -$(AUTOGEN) psk-args.def
-cli-debug-args.c: $(srcdir)/args-std.def $(srcdir)/cli-debug-args.def
- -$(AUTOGEN) cli-debug-args.def
-cli-args.c: $(srcdir)/args-std.def $(srcdir)/cli-args.def
- -$(AUTOGEN) cli-args.def
-serv-args.c: $(srcdir)/args-std.def $(srcdir)/serv-args.def
- -$(AUTOGEN) serv-args.def
-srptool-args.c: $(srcdir)/args-std.def $(srcdir)/srptool-args.def
- -$(AUTOGEN) srptool-args.def
-certtool-args.c: $(srcdir)/args-std.def $(srcdir)/certtool-args.def
- -$(AUTOGEN) certtool-args.def
+%-args.c %-args.h: $(srcdir)/%-args.def $(srcdir)/args-std.def
+ -$(AUTOGEN) $<
--
1.8.3.2
From cernekee at gmail.com Fri Mar 7 07:35:05 2014
From: cernekee at gmail.com (Kevin Cernekee)
Date: Thu, 6 Mar 2014 22:35:05 -0800
Subject: [gnutls-devel] [PATCH 1/5] Update gnulib to fix build failures
Message-ID: <1394174109-661-1-git-send-email-cernekee@gmail.com>
This fixes two problems:
1) read-file build failure on Android (upstream commit cb3c90598c1)
2) Missing inet_pton.c error during GnuTLS "make bootstrap":
touch ChangeLog
test -f ./configure || AUTOPOINT=true autoreconf --install
missing file gl/tests/inet_pton.c
configure.ac:189: error: expected source file, required through AC_LIBSOURCES, not found
gl/m4/gnulib-comp.m4:203: gl_INIT is expanded from...
configure.ac:189: the top level
autom4te: /usr/bin/m4 failed with exit status: 1
aclocal: error: echo failed with exit status: 1
autoreconf: aclocal failed with exit status: 1
make: *** [autoreconf] Error 1
Signed-off-by: Kevin Cernekee
---
gl/tests/arpa_inet.in.h | 140 +++++++++++++++++++++++++
gl/tests/fd-hook.c | 116 +++++++++++++++++++++
gl/tests/fd-hook.h | 119 +++++++++++++++++++++
gl/tests/inet_pton.c | 268 ++++++++++++++++++++++++++++++++++++++++++++++++
gl/tests/sockets.c | 154 ++++++++++++++++++++++++++++
gl/tests/sockets.h | 62 +++++++++++
src/gl/stdint.in.h | 3 +-
src/gl/sys_types.in.h | 2 +
8 files changed, 862 insertions(+), 2 deletions(-)
create mode 100644 gl/tests/arpa_inet.in.h
create mode 100644 gl/tests/fd-hook.c
create mode 100644 gl/tests/fd-hook.h
create mode 100644 gl/tests/inet_pton.c
create mode 100644 gl/tests/sockets.c
create mode 100644 gl/tests/sockets.h
diff --git a/gl/tests/arpa_inet.in.h b/gl/tests/arpa_inet.in.h
new file mode 100644
index 0000000..b8c2e18
--- /dev/null
+++ b/gl/tests/arpa_inet.in.h
@@ -0,0 +1,140 @@
+/* A GNU-like .
+
+ Copyright (C) 2005-2006, 2008-2014 Free Software Foundation, Inc.
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3, or (at your option)
+ any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, see . */
+
+#ifndef _ at GUARD_PREFIX@_ARPA_INET_H
+
+#if __GNUC__ >= 3
+ at PRAGMA_SYSTEM_HEADER@
+#endif
+ at PRAGMA_COLUMNS@
+
+#if @HAVE_FEATURES_H@
+# include /* for __GLIBC__ */
+#endif
+
+/* Gnulib's sys/socket.h is responsible for defining socklen_t (used below) and
+ for pulling in winsock2.h etc. under MinGW.
+ But avoid namespace pollution on glibc systems. */
+#ifndef __GLIBC__
+# include
+#endif
+
+/* On NonStop Kernel, inet_ntop and inet_pton are declared in .
+ But avoid namespace pollution on glibc systems. */
+#if defined __TANDEM && !defined __GLIBC__
+# include
+#endif
+
+#if @HAVE_ARPA_INET_H@
+
+/* The include_next requires a split double-inclusion guard. */
+# @INCLUDE_NEXT@ @NEXT_ARPA_INET_H@
+
+#endif
+
+#ifndef _ at GUARD_PREFIX@_ARPA_INET_H
+#define _ at GUARD_PREFIX@_ARPA_INET_H
+
+/* The definitions of _GL_FUNCDECL_RPL etc. are copied here. */
+
+/* The definition of _GL_ARG_NONNULL is copied here. */
+
+/* The definition of _GL_WARN_ON_USE is copied here. */
+
+
+#if @GNULIB_INET_NTOP@
+/* Converts an internet address from internal format to a printable,
+ presentable format.
+ AF is an internet address family, such as AF_INET or AF_INET6.
+ SRC points to a 'struct in_addr' (for AF_INET) or 'struct in6_addr'
+ (for AF_INET6).
+ DST points to a buffer having room for CNT bytes.
+ The printable representation of the address (in numeric form, not
+ surrounded by [...], no reverse DNS is done) is placed in DST, and
+ DST is returned. If an error occurs, the return value is NULL and
+ errno is set. If CNT bytes are not sufficient to hold the result,
+ the return value is NULL and errno is set to ENOSPC. A good value
+ for CNT is 46.
+
+ For more details, see the POSIX:2001 specification
+ . */
+# if @REPLACE_INET_NTOP@
+# if !(defined __cplusplus && defined GNULIB_NAMESPACE)
+# undef inet_ntop
+# define inet_ntop rpl_inet_ntop
+# endif
+_GL_FUNCDECL_RPL (inet_ntop, const char *,
+ (int af, const void *restrict src,
+ char *restrict dst, socklen_t cnt)
+ _GL_ARG_NONNULL ((2, 3)));
+_GL_CXXALIAS_RPL (inet_ntop, const char *,
+ (int af, const void *restrict src,
+ char *restrict dst, socklen_t cnt));
+# else
+# if !@HAVE_DECL_INET_NTOP@
+_GL_FUNCDECL_SYS (inet_ntop, const char *,
+ (int af, const void *restrict src,
+ char *restrict dst, socklen_t cnt)
+ _GL_ARG_NONNULL ((2, 3)));
+# endif
+/* Need to cast, because on NonStop Kernel, the fourth parameter is
+ size_t cnt. */
+_GL_CXXALIAS_SYS_CAST (inet_ntop, const char *,
+ (int af, const void *restrict src,
+ char *restrict dst, socklen_t cnt));
+# endif
+_GL_CXXALIASWARN (inet_ntop);
+#elif defined GNULIB_POSIXCHECK
+# undef inet_ntop
+# if HAVE_RAW_DECL_INET_NTOP
+_GL_WARN_ON_USE (inet_ntop, "inet_ntop is unportable - "
+ "use gnulib module inet_ntop for portability");
+# endif
+#endif
+
+#if @GNULIB_INET_PTON@
+# if @REPLACE_INET_PTON@
+# if !(defined __cplusplus && defined GNULIB_NAMESPACE)
+# undef inet_pton
+# define inet_pton rpl_inet_pton
+# endif
+_GL_FUNCDECL_RPL (inet_pton, int,
+ (int af, const char *restrict src, void *restrict dst)
+ _GL_ARG_NONNULL ((2, 3)));
+_GL_CXXALIAS_RPL (inet_pton, int,
+ (int af, const char *restrict src, void *restrict dst));
+# else
+# if !@HAVE_DECL_INET_PTON@
+_GL_FUNCDECL_SYS (inet_pton, int,
+ (int af, const char *restrict src, void *restrict dst)
+ _GL_ARG_NONNULL ((2, 3)));
+# endif
+_GL_CXXALIAS_SYS (inet_pton, int,
+ (int af, const char *restrict src, void *restrict dst));
+# endif
+_GL_CXXALIASWARN (inet_pton);
+#elif defined GNULIB_POSIXCHECK
+# undef inet_pton
+# if HAVE_RAW_DECL_INET_PTON
+_GL_WARN_ON_USE (inet_pton, "inet_pton is unportable - "
+ "use gnulib module inet_pton for portability");
+# endif
+#endif
+
+
+#endif /* _ at GUARD_PREFIX@_ARPA_INET_H */
+#endif /* _ at GUARD_PREFIX@_ARPA_INET_H */
diff --git a/gl/tests/fd-hook.c b/gl/tests/fd-hook.c
new file mode 100644
index 0000000..0171cc6
--- /dev/null
+++ b/gl/tests/fd-hook.c
@@ -0,0 +1,116 @@
+/* Hook for making making file descriptor functions close(), ioctl() extensible.
+ Copyright (C) 2009-2014 Free Software Foundation, Inc.
+ Written by Bruno Haible , 2009.
+
+ This program is free software: you can redistribute it and/or modify it
+ under the terms of the GNU General Public License as published
+ by the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see . */
+
+#include
+
+/* Specification. */
+#include "fd-hook.h"
+
+#include
+
+/* Currently, this entire code is only needed for the handling of sockets
+ on native Windows platforms. */
+#if WINDOWS_SOCKETS
+
+/* The first and last link in the doubly linked list.
+ Initially the list is empty. */
+static struct fd_hook anchor = { &anchor, &anchor, NULL, NULL };
+
+int
+execute_close_hooks (const struct fd_hook *remaining_list, gl_close_fn primary,
+ int fd)
+{
+ if (remaining_list == &anchor)
+ /* End of list reached. */
+ return primary (fd);
+ else
+ return remaining_list->private_close_fn (remaining_list->private_next,
+ primary, fd);
+}
+
+int
+execute_all_close_hooks (gl_close_fn primary, int fd)
+{
+ return execute_close_hooks (anchor.private_next, primary, fd);
+}
+
+int
+execute_ioctl_hooks (const struct fd_hook *remaining_list, gl_ioctl_fn primary,
+ int fd, int request, void *arg)
+{
+ if (remaining_list == &anchor)
+ /* End of list reached. */
+ return primary (fd, request, arg);
+ else
+ return remaining_list->private_ioctl_fn (remaining_list->private_next,
+ primary, fd, request, arg);
+}
+
+int
+execute_all_ioctl_hooks (gl_ioctl_fn primary,
+ int fd, int request, void *arg)
+{
+ return execute_ioctl_hooks (anchor.private_next, primary, fd, request, arg);
+}
+
+void
+register_fd_hook (close_hook_fn close_hook, ioctl_hook_fn ioctl_hook, struct fd_hook *link)
+{
+ if (close_hook == NULL)
+ close_hook = execute_close_hooks;
+ if (ioctl_hook == NULL)
+ ioctl_hook = execute_ioctl_hooks;
+
+ if (link->private_next == NULL && link->private_prev == NULL)
+ {
+ /* Add the link to the doubly linked list. */
+ link->private_next = anchor.private_next;
+ link->private_prev = &anchor;
+ link->private_close_fn = close_hook;
+ link->private_ioctl_fn = ioctl_hook;
+ anchor.private_next->private_prev = link;
+ anchor.private_next = link;
+ }
+ else
+ {
+ /* The link is already in use. */
+ if (link->private_close_fn != close_hook
+ || link->private_ioctl_fn != ioctl_hook)
+ abort ();
+ }
+}
+
+void
+unregister_fd_hook (struct fd_hook *link)
+{
+ struct fd_hook *next = link->private_next;
+ struct fd_hook *prev = link->private_prev;
+
+ if (next != NULL && prev != NULL)
+ {
+ /* The link is in use. Remove it from the doubly linked list. */
+ prev->private_next = next;
+ next->private_prev = prev;
+ /* Clear the link, to mark it unused. */
+ link->private_next = NULL;
+ link->private_prev = NULL;
+ link->private_close_fn = NULL;
+ link->private_ioctl_fn = NULL;
+ }
+}
+
+#endif
diff --git a/gl/tests/fd-hook.h b/gl/tests/fd-hook.h
new file mode 100644
index 0000000..1aa264e
--- /dev/null
+++ b/gl/tests/fd-hook.h
@@ -0,0 +1,119 @@
+/* Hook for making making file descriptor functions close(), ioctl() extensible.
+ Copyright (C) 2009-2014 Free Software Foundation, Inc.
+
+ This program is free software: you can redistribute it and/or modify it
+ under the terms of the GNU General Public License as published
+ by the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see . */
+
+
+#ifndef FD_HOOK_H
+#define FD_HOOK_H
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+
+/* Currently, this entire code is only needed for the handling of sockets
+ on native Windows platforms. */
+#if WINDOWS_SOCKETS
+
+
+/* Type of function that closes FD. */
+typedef int (*gl_close_fn) (int fd);
+
+/* Type of function that applies a control request to FD. */
+typedef int (*gl_ioctl_fn) (int fd, int request, void *arg);
+
+/* An element of the list of file descriptor hooks.
+ In CLOS (Common Lisp Object System) speak, it consists of an "around"
+ method for the close() function and an "around" method for the ioctl()
+ function.
+ The fields of this structure are considered private. */
+struct fd_hook
+{
+ /* Doubly linked list. */
+ struct fd_hook *private_next;
+ struct fd_hook *private_prev;
+ /* Function that treats the types of FD that it knows about and calls
+ execute_close_hooks (REMAINING_LIST, PRIMARY, FD) as a fallback. */
+ int (*private_close_fn) (const struct fd_hook *remaining_list,
+ gl_close_fn primary,
+ int fd);
+ /* Function that treats the types of FD that it knows about and calls
+ execute_ioctl_hooks (REMAINING_LIST, PRIMARY, FD, REQUEST, ARG) as a
+ fallback. */
+ int (*private_ioctl_fn) (const struct fd_hook *remaining_list,
+ gl_ioctl_fn primary,
+ int fd, int request, void *arg);
+};
+
+/* This type of function closes FD, applying special knowledge for the FD
+ types it knows about, and calls
+ execute_close_hooks (REMAINING_LIST, PRIMARY, FD)
+ for the other FD types.
+ In CLOS speak, REMAINING_LIST is the remaining list of "around" methods,
+ and PRIMARY is the "primary" method for close(). */
+typedef int (*close_hook_fn) (const struct fd_hook *remaining_list,
+ gl_close_fn primary,
+ int fd);
+
+/* Execute the close hooks in REMAINING_LIST, with PRIMARY as "primary" method.
+ Return 0 or -1, like close() would do. */
+extern int execute_close_hooks (const struct fd_hook *remaining_list,
+ gl_close_fn primary,
+ int fd);
+
+/* Execute all close hooks, with PRIMARY as "primary" method.
+ Return 0 or -1, like close() would do. */
+extern int execute_all_close_hooks (gl_close_fn primary, int fd);
+
+/* This type of function applies a control request to FD, applying special
+ knowledge for the FD types it knows about, and calls
+ execute_ioctl_hooks (REMAINING_LIST, PRIMARY, FD, REQUEST, ARG)
+ for the other FD types.
+ In CLOS speak, REMAINING_LIST is the remaining list of "around" methods,
+ and PRIMARY is the "primary" method for ioctl(). */
+typedef int (*ioctl_hook_fn) (const struct fd_hook *remaining_list,
+ gl_ioctl_fn primary,
+ int fd, int request, void *arg);
+
+/* Execute the ioctl hooks in REMAINING_LIST, with PRIMARY as "primary" method.
+ Return 0 or -1, like ioctl() would do. */
+extern int execute_ioctl_hooks (const struct fd_hook *remaining_list,
+ gl_ioctl_fn primary,
+ int fd, int request, void *arg);
+
+/* Execute all ioctl hooks, with PRIMARY as "primary" method.
+ Return 0 or -1, like ioctl() would do. */
+extern int execute_all_ioctl_hooks (gl_ioctl_fn primary,
+ int fd, int request, void *arg);
+
+/* Add a function pair to the list of file descriptor hooks.
+ CLOSE_HOOK and IOCTL_HOOK may be NULL, indicating no change.
+ The LINK variable points to a piece of memory which is guaranteed to be
+ accessible until the corresponding call to unregister_fd_hook. */
+extern void register_fd_hook (close_hook_fn close_hook, ioctl_hook_fn ioctl_hook,
+ struct fd_hook *link);
+
+/* Removes a hook from the list of file descriptor hooks. */
+extern void unregister_fd_hook (struct fd_hook *link);
+
+
+#endif
+
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* FD_HOOK_H */
diff --git a/gl/tests/inet_pton.c b/gl/tests/inet_pton.c
new file mode 100644
index 0000000..e9703a7
--- /dev/null
+++ b/gl/tests/inet_pton.c
@@ -0,0 +1,268 @@
+/* inet_pton.c -- convert IPv4 and IPv6 addresses from text to binary form
+
+ Copyright (C) 2006, 2008-2014 Free Software Foundation, Inc.
+
+ This program is free software: you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see . */
+
+/*
+ * Copyright (c) 1996,1999 by Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
+ * CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
+ * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
+ * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
+ * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
+ * SOFTWARE.
+ */
+
+#include
+
+/* Specification. */
+#include
+
+#if HAVE_DECL_INET_PTON
+
+# undef inet_pton
+
+int
+rpl_inet_pton (int af, const char *restrict src, void *restrict dst)
+{
+ return inet_pton (af, src, dst);
+}
+
+#else
+
+# include
+# include
+# include
+
+# define NS_INADDRSZ 4
+# define NS_IN6ADDRSZ 16
+# define NS_INT16SZ 2
+
+/*
+ * WARNING: Don't even consider trying to compile this on a system where
+ * sizeof(int) < 4. sizeof(int) > 4 is fine; all the world's not a VAX.
+ */
+
+static int inet_pton4 (const char *src, unsigned char *dst);
+# if HAVE_IPV6
+static int inet_pton6 (const char *src, unsigned char *dst);
+# endif
+
+/* int
+ * inet_pton(af, src, dst)
+ * convert from presentation format (which usually means ASCII printable)
+ * to network format (which is usually some kind of binary format).
+ * return:
+ * 1 if the address was valid for the specified address family
+ * 0 if the address wasn't valid ('dst' is untouched in this case)
+ * -1 if some other error occurred ('dst' is untouched in this case, too)
+ * author:
+ * Paul Vixie, 1996.
+ */
+int
+inet_pton (int af, const char *restrict src, void *restrict dst)
+{
+ switch (af)
+ {
+ case AF_INET:
+ return (inet_pton4 (src, dst));
+
+# if HAVE_IPV6
+ case AF_INET6:
+ return (inet_pton6 (src, dst));
+# endif
+
+ default:
+ errno = EAFNOSUPPORT;
+ return (-1);
+ }
+ /* NOTREACHED */
+}
+
+/* int
+ * inet_pton4(src, dst)
+ * like inet_aton() but without all the hexadecimal, octal (with the
+ * exception of 0) and shorthand.
+ * return:
+ * 1 if 'src' is a valid dotted quad, else 0.
+ * notice:
+ * does not touch 'dst' unless it's returning 1.
+ * author:
+ * Paul Vixie, 1996.
+ */
+static int
+inet_pton4 (const char *restrict src, unsigned char *restrict dst)
+{
+ int saw_digit, octets, ch;
+ unsigned char tmp[NS_INADDRSZ], *tp;
+
+ saw_digit = 0;
+ octets = 0;
+ *(tp = tmp) = 0;
+ while ((ch = *src++) != '\0')
+ {
+
+ if (ch >= '0' && ch <= '9')
+ {
+ unsigned new = *tp * 10 + (ch - '0');
+
+ if (saw_digit && *tp == 0)
+ return (0);
+ if (new > 255)
+ return (0);
+ *tp = new;
+ if (!saw_digit)
+ {
+ if (++octets > 4)
+ return (0);
+ saw_digit = 1;
+ }
+ }
+ else if (ch == '.' && saw_digit)
+ {
+ if (octets == 4)
+ return (0);
+ *++tp = 0;
+ saw_digit = 0;
+ }
+ else
+ return (0);
+ }
+ if (octets < 4)
+ return (0);
+ memcpy (dst, tmp, NS_INADDRSZ);
+ return (1);
+}
+
+# if HAVE_IPV6
+
+/* int
+ * inet_pton6(src, dst)
+ * convert presentation level address to network order binary form.
+ * return:
+ * 1 if 'src' is a valid [RFC1884 2.2] address, else 0.
+ * notice:
+ * (1) does not touch 'dst' unless it's returning 1.
+ * (2) :: in a full address is silently ignored.
+ * credit:
+ * inspired by Mark Andrews.
+ * author:
+ * Paul Vixie, 1996.
+ */
+static int
+inet_pton6 (const char *restrict src, unsigned char *restrict dst)
+{
+ static const char xdigits[] = "0123456789abcdef";
+ unsigned char tmp[NS_IN6ADDRSZ], *tp, *endp, *colonp;
+ const char *curtok;
+ int ch, saw_xdigit;
+ unsigned val;
+
+ tp = memset (tmp, '\0', NS_IN6ADDRSZ);
+ endp = tp + NS_IN6ADDRSZ;
+ colonp = NULL;
+ /* Leading :: requires some special handling. */
+ if (*src == ':')
+ if (*++src != ':')
+ return (0);
+ curtok = src;
+ saw_xdigit = 0;
+ val = 0;
+ while ((ch = c_tolower (*src++)) != '\0')
+ {
+ const char *pch;
+
+ pch = strchr (xdigits, ch);
+ if (pch != NULL)
+ {
+ val <<= 4;
+ val |= (pch - xdigits);
+ if (val > 0xffff)
+ return (0);
+ saw_xdigit = 1;
+ continue;
+ }
+ if (ch == ':')
+ {
+ curtok = src;
+ if (!saw_xdigit)
+ {
+ if (colonp)
+ return (0);
+ colonp = tp;
+ continue;
+ }
+ else if (*src == '\0')
+ {
+ return (0);
+ }
+ if (tp + NS_INT16SZ > endp)
+ return (0);
+ *tp++ = (u_char) (val >> 8) & 0xff;
+ *tp++ = (u_char) val & 0xff;
+ saw_xdigit = 0;
+ val = 0;
+ continue;
+ }
+ if (ch == '.' && ((tp + NS_INADDRSZ) <= endp) &&
+ inet_pton4 (curtok, tp) > 0)
+ {
+ tp += NS_INADDRSZ;
+ saw_xdigit = 0;
+ break; /* '\0' was seen by inet_pton4(). */
+ }
+ return (0);
+ }
+ if (saw_xdigit)
+ {
+ if (tp + NS_INT16SZ > endp)
+ return (0);
+ *tp++ = (u_char) (val >> 8) & 0xff;
+ *tp++ = (u_char) val & 0xff;
+ }
+ if (colonp != NULL)
+ {
+ /*
+ * Since some memmove()'s erroneously fail to handle
+ * overlapping regions, we'll do the shift by hand.
+ */
+ const int n = tp - colonp;
+ int i;
+
+ if (tp == endp)
+ return (0);
+ for (i = 1; i <= n; i++)
+ {
+ endp[-i] = colonp[n - i];
+ colonp[n - i] = 0;
+ }
+ tp = endp;
+ }
+ if (tp != endp)
+ return (0);
+ memcpy (dst, tmp, NS_IN6ADDRSZ);
+ return (1);
+}
+
+# endif
+
+#endif
diff --git a/gl/tests/sockets.c b/gl/tests/sockets.c
new file mode 100644
index 0000000..962c578
--- /dev/null
+++ b/gl/tests/sockets.c
@@ -0,0 +1,154 @@
+/* sockets.c --- wrappers for Windows socket functions
+
+ Copyright (C) 2008-2014 Free Software Foundation, Inc.
+
+ This program is free software: you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see . */
+
+/* Written by Simon Josefsson */
+
+#include
+
+/* Specification. */
+#include "sockets.h"
+
+#if WINDOWS_SOCKETS
+
+/* This includes winsock2.h on MinGW. */
+# include
+
+# include "fd-hook.h"
+# include "msvc-nothrow.h"
+
+/* Get set_winsock_errno, FD_TO_SOCKET etc. */
+# include "w32sock.h"
+
+static int
+close_fd_maybe_socket (const struct fd_hook *remaining_list,
+ gl_close_fn primary,
+ int fd)
+{
+ /* Note about multithread-safety: There is a race condition where, between
+ our calls to closesocket() and the primary close(), some other thread
+ could make system calls that allocate precisely the same HANDLE value
+ as sock; then the primary close() would call CloseHandle() on it. */
+ SOCKET sock;
+ WSANETWORKEVENTS ev;
+
+ /* Test whether fd refers to a socket. */
+ sock = FD_TO_SOCKET (fd);
+ ev.lNetworkEvents = 0xDEADBEEF;
+ WSAEnumNetworkEvents (sock, NULL, &ev);
+ if (ev.lNetworkEvents != 0xDEADBEEF)
+ {
+ /* fd refers to a socket. */
+ /* FIXME: other applications, like squid, use an undocumented
+ _free_osfhnd free function. But this is not enough: The 'osfile'
+ flags for fd also needs to be cleared, but it is hard to access it.
+ Instead, here we just close twice the file descriptor. */
+ if (closesocket (sock))
+ {
+ set_winsock_errno ();
+ return -1;
+ }
+ else
+ {
+ /* This call frees the file descriptor and does a
+ CloseHandle ((HANDLE) _get_osfhandle (fd)), which fails. */
+ _close (fd);
+ return 0;
+ }
+ }
+ else
+ /* Some other type of file descriptor. */
+ return execute_close_hooks (remaining_list, primary, fd);
+}
+
+static int
+ioctl_fd_maybe_socket (const struct fd_hook *remaining_list,
+ gl_ioctl_fn primary,
+ int fd, int request, void *arg)
+{
+ SOCKET sock;
+ WSANETWORKEVENTS ev;
+
+ /* Test whether fd refers to a socket. */
+ sock = FD_TO_SOCKET (fd);
+ ev.lNetworkEvents = 0xDEADBEEF;
+ WSAEnumNetworkEvents (sock, NULL, &ev);
+ if (ev.lNetworkEvents != 0xDEADBEEF)
+ {
+ /* fd refers to a socket. */
+ if (ioctlsocket (sock, request, arg) < 0)
+ {
+ set_winsock_errno ();
+ return -1;
+ }
+ else
+ return 0;
+ }
+ else
+ /* Some other type of file descriptor. */
+ return execute_ioctl_hooks (remaining_list, primary, fd, request, arg);
+}
+
+static struct fd_hook fd_sockets_hook;
+
+static int initialized_sockets_version /* = 0 */;
+
+#endif /* WINDOWS_SOCKETS */
+
+int
+gl_sockets_startup (int version _GL_UNUSED)
+{
+#if WINDOWS_SOCKETS
+ if (version > initialized_sockets_version)
+ {
+ WSADATA data;
+ int err;
+
+ err = WSAStartup (version, &data);
+ if (err != 0)
+ return 1;
+
+ if (data.wVersion < version)
+ return 2;
+
+ if (initialized_sockets_version == 0)
+ register_fd_hook (close_fd_maybe_socket, ioctl_fd_maybe_socket,
+ &fd_sockets_hook);
+
+ initialized_sockets_version = version;
+ }
+#endif
+
+ return 0;
+}
+
+int
+gl_sockets_cleanup (void)
+{
+#if WINDOWS_SOCKETS
+ int err;
+
+ initialized_sockets_version = 0;
+
+ unregister_fd_hook (&fd_sockets_hook);
+
+ err = WSACleanup ();
+ if (err != 0)
+ return 1;
+#endif
+
+ return 0;
+}
diff --git a/gl/tests/sockets.h b/gl/tests/sockets.h
new file mode 100644
index 0000000..0bee1dd
--- /dev/null
+++ b/gl/tests/sockets.h
@@ -0,0 +1,62 @@
+/* sockets.h - wrappers for Windows socket functions
+
+ Copyright (C) 2008-2014 Free Software Foundation, Inc.
+
+ This program is free software: you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see . */
+
+/* Written by Simon Josefsson */
+
+#ifndef SOCKETS_H
+# define SOCKETS_H 1
+
+#define SOCKETS_1_0 0x100 /* don't use - does not work on Windows XP */
+#define SOCKETS_1_1 0x101
+#define SOCKETS_2_0 0x200 /* don't use - does not work on Windows XP */
+#define SOCKETS_2_1 0x201
+#define SOCKETS_2_2 0x202
+
+int gl_sockets_startup (int version)
+#if !WINDOWS_SOCKETS
+ _GL_ATTRIBUTE_CONST
+#endif
+ ;
+
+int gl_sockets_cleanup (void)
+#if !WINDOWS_SOCKETS
+ _GL_ATTRIBUTE_CONST
+#endif
+ ;
+
+/* This function is useful it you create a socket using gnulib's
+ Winsock wrappers but needs to pass on the socket handle to some
+ other library that only accepts sockets. */
+#if WINDOWS_SOCKETS
+
+#include
+
+#include "msvc-nothrow.h"
+
+static inline SOCKET
+gl_fd_to_handle (int fd)
+{
+ return _get_osfhandle (fd);
+}
+
+#else
+
+#define gl_fd_to_handle(x) (x)
+
+#endif /* WINDOWS_SOCKETS */
+
+#endif /* SOCKETS_H */
diff --git a/src/gl/stdint.in.h b/src/gl/stdint.in.h
index 5deca39..247f0d8 100644
--- a/src/gl/stdint.in.h
+++ b/src/gl/stdint.in.h
@@ -38,8 +38,7 @@
other system header files; just include the system's .
Ideally we should test __BIONIC__ here, but it is only defined after
has been included; hence test __ANDROID__ instead. */
-#if defined __ANDROID__ \
- && defined _SYS_TYPES_H_ && !defined __need_size_t
+#if defined __ANDROID__ && defined _GL_INCLUDING_SYS_TYPES_H
# @INCLUDE_NEXT@ @NEXT_STDINT_H@
#else
diff --git a/src/gl/sys_types.in.h b/src/gl/sys_types.in.h
index d3a4be1..deb5d67 100644
--- a/src/gl/sys_types.in.h
+++ b/src/gl/sys_types.in.h
@@ -23,7 +23,9 @@
#ifndef _ at GUARD_PREFIX@_SYS_TYPES_H
/* The include_next requires a split double-inclusion guard. */
+# define _GL_INCLUDING_SYS_TYPES_H
#@INCLUDE_NEXT@ @NEXT_SYS_TYPES_H@
+# undef _GL_INCLUDING_SYS_TYPES_H
#ifndef _ at GUARD_PREFIX@_SYS_TYPES_H
#define _ at GUARD_PREFIX@_SYS_TYPES_H
--
1.8.3.2
From cernekee at gmail.com Fri Mar 7 07:35:09 2014
From: cernekee at gmail.com (Kevin Cernekee)
Date: Thu, 6 Mar 2014 22:35:09 -0800
Subject: [gnutls-devel] [PATCH 5/5] Fix build failures involving
doc/invoke-*.texi
In-Reply-To: <1394174109-661-1-git-send-email-cernekee@gmail.com>
References: <1394174109-661-1-git-send-email-cernekee@gmail.com>
Message-ID: <1394174109-661-5-git-send-email-cernekee@gmail.com>
Several problems were found in this area:
1) Currently, if SRC_DEF_* are undefined, autogen will get invoked with
no input file and it will hang forever waiting for content from stdin:
mv -f enums.texi-tmp enums.texi
mkdir enums
../../doc/scripts/split-texi.pl enums enum < enums.texi
echo stamp_enums > stamp_enums
cd ../src/ && autogen -Tagtexi-cmd.tpl && \
rm -f ../doc/invoke-gnutls-cli.texi && \
../doc/scripts/cleanup-autogen.pl <../src/invoke-gnutls-cli.texi >../doc/invoke-gnutls-cli.texi.tmp && \
mv -f ../doc/invoke-gnutls-cli.texi.tmp ../doc/invoke-gnutls-cli.texi && \
rm -f ../src/invoke-gnutls-cli.texi
Since these documents are @include'd by other documents, it is probably
a good idea to make sure the targets are buildable in case they get
listed as prerequisites.
2) SRC_DEF_* used relative paths which are correct for an in-place build,
but incorrect for an out-of-tree build. They should use something like
$(top_srcdir)/src to resolve the ambiguity.
3) cleanup-autogen.pl was also referenced using a relative pathname,
breaking out-of-tree builds.
4) Copy&paste targets that could be replaced with simple patterns.
Signed-off-by: Kevin Cernekee
---
doc/Makefile.am | 141 ++++++++++++--------------------------------------------
1 file changed, 30 insertions(+), 111 deletions(-)
diff --git a/doc/Makefile.am b/doc/Makefile.am
index 7c33cfa..a876845 100644
--- a/doc/Makefile.am
+++ b/doc/Makefile.am
@@ -32,112 +32,36 @@ endif
-include $(top_srcdir)/doc/doc.mk
-SRC_DEF_CLI =
-SRC_DEF_CLI_DEBUG =
-SRC_DEF_SERV =
-SRC_DEF_CERTTOOL =
-SRC_DEF_OCSPTOOL =
-SRC_DEF_DANETOOL =
-SRC_DEF_SRPTOOL =
-SRC_DEF_PSKTOOL =
-SRC_DEF_P11TOOL =
-SRC_DEF_TPMTOOL =
-if WANT_TEST_SUITE
-SRC_DEF_CLI += ../src/cli-args.def
-SRC_DEF_CLI_DEBUG += ../src/cli-debug-args.def
-SRC_DEF_SERV += ../src/serv-args.def
-SRC_DEF_CERTTOOL += ../src/certtool-args.def
-SRC_DEF_OCSPTOOL += ../src/ocsptool-args.def
-SRC_DEF_DANETOOL += ../src/danetool-args.def
-SRC_DEF_SRPTOOL += ../src/srptool-args.def
-SRC_DEF_PSKTOOL += ../src/psk-args.def
-SRC_DEF_P11TOOL += ../src/p11tool-args.def
-SRC_DEF_TPMTOOL += ../src/tpmtool-args.def
-endif
-
-invoke-gnutls-cli.texi: $(SRC_DEF_CLI)
- -cd ../src/ && $(AUTOGEN) -Tagtexi-cmd.tpl $< && \
- rm -f ../doc/$@ && \
- ../doc/scripts/cleanup-autogen.pl <../src/$@ >../doc/$@.tmp && \
- mv -f ../doc/$@.tmp ../doc/$@ && \
- rm -f ../src/$@
-
-invoke-gnutls-cli-debug.texi: $(SRC_DEF_CLI_DEBUG) invoke-gnutls-cli.texi
- -cd ../src/ && $(AUTOGEN) -Tagtexi-cmd.tpl $< && \
- rm -f ../doc/$@ && \
- ../doc/scripts/cleanup-autogen.pl <../src/$@ >../doc/$@.tmp && \
- mv -f ../doc/$@.tmp ../doc/$@ && \
- rm -f ../src/$@
-
-invoke-gnutls-serv.texi: $(SRC_DEF_SERV) invoke-gnutls-cli-debug.texi
- -cd ../src/ && $(AUTOGEN) -Tagtexi-cmd.tpl $< && \
- rm -f ../doc/$@ && \
- ../doc/scripts/cleanup-autogen.pl <../src/$@ >../doc/$@.tmp && \
- mv -f ../doc/$@.tmp ../doc/$@ && \
- rm -f ../src/$@
-
-invoke-certtool.texi: $(SRC_DEF_CERTTOOL) invoke-gnutls-serv.texi
- -cd ../src/ && $(AUTOGEN) -Tagtexi-cmd.tpl $< && \
- rm -f ../doc/$@ && \
- ../doc/scripts/cleanup-autogen.pl <../src/$@ >../doc/$@.tmp && \
- mv -f ../doc/$@.tmp ../doc/$@ && \
- rm -f ../src/$@ && \
- sed -i 's/@subheading/@subsubheading/g' ../doc/$@ && \
- sed -i 's/@section/@subsection/g' ../doc/$@
-
-invoke-ocsptool.texi: $(SRC_DEF_OCSPTOOL) invoke-certtool.texi
- -cd ../src/ && $(AUTOGEN) -Tagtexi-cmd.tpl $< && \
- rm -f ../doc/$@ && \
- ../doc/scripts/cleanup-autogen.pl <../src/$@ >../doc/$@.tmp && \
- mv -f ../doc/$@.tmp ../doc/$@ && \
- rm -f ../src/$@ && \
- sed -i 's/@subheading/@subsubheading/g' ../doc/$@ && \
- sed -i 's/@section/@subsection/g' ../doc/$@
-
-invoke-danetool.texi: $(SRC_DEF_DANETOOL) invoke-ocsptool.texi
- -cd ../src/ && $(AUTOGEN) -Tagtexi-cmd.tpl $< && \
- rm -f ../doc/$@ && \
- ../doc/scripts/cleanup-autogen.pl <../src/$@ >../doc/$@.tmp && \
- mv -f ../doc/$@.tmp ../doc/$@ && \
- rm -f ../src/$@ && \
- sed -i 's/@subheading/@subsubheading/g' ../doc/$@ && \
- sed -i 's/@section/@subsection/g' ../doc/$@
-
-invoke-srptool.texi: $(SRC_DEF_SRPTOOL) invoke-danetool.texi
- -cd ../src/ && $(AUTOGEN) -Tagtexi-cmd.tpl $< && \
- rm -f ../doc/$@ && \
- ../doc/scripts/cleanup-autogen.pl <../src/$@ >../doc/$@.tmp && \
- mv -f ../doc/$@.tmp ../doc/$@ && \
- rm -f ../src/$@ && \
- sed -i 's/@subheading/@subsubheading/g' ../doc/$@ && \
- sed -i 's/@section/@subsubsection/g' ../doc/$@
-
-invoke-psktool.texi: $(SRC_DEF_PSKTOOL) invoke-srptool.texi
- -cd ../src/ && $(AUTOGEN) -Tagtexi-cmd.tpl $< && \
- rm -f ../doc/$@ && \
- ../doc/scripts/cleanup-autogen.pl <../src/$@ >../doc/$@.tmp && \
- mv -f ../doc/$@.tmp ../doc/$@ && \
- rm -f ../src/$@ && \
- sed -i 's/@subheading/@subsubheading/g' ../doc/$@ && \
- sed -i 's/@section/@subsubsection/g' ../doc/$@
-
-invoke-p11tool.texi: $(SRC_DEF_P11TOOL) invoke-psktool.texi
- -cd ../src/ && $(AUTOGEN) -Tagtexi-cmd.tpl $< && \
- rm -f ../doc/$@ && \
- ../doc/scripts/cleanup-autogen.pl <../src/$@ >../doc/$@.tmp && \
- mv -f ../doc/$@.tmp ../doc/$@ && \
- rm -f ../src/$@ && \
- sed -i 's/@subheading/@subsubheading/g' ../doc/$@ && \
- sed -i 's/@section/@subsection/g' ../doc/$@
-
-invoke-tpmtool.texi: $(SRC_DEF_TPMTOOL) invoke-p11tool.texi
- -cd ../src/ && $(AUTOGEN) -Tagtexi-cmd.tpl $< && \
- rm -f ../doc/$@ && \
- ../doc/scripts/cleanup-autogen.pl <../src/$@ >../doc/$@.tmp && \
- mv -f ../doc/$@.tmp ../doc/$@ && \
- rm -f ../src/$@ && \
- sed -i 's/@subheading/@subsubheading/g' ../doc/$@ && \
- sed -i 's/@section/@subsection/g' ../doc/$@
+AUTOGENED_GNUTLS_DOC = invoke-gnutls-cli.texi invoke-gnutls-cli-debug.texi \
+ invoke-gnutls-serv.texi
+AUTOGENED_UTIL0_DOC = invoke-certtool.texi invoke-ocsptool.texi \
+ invoke-p11tool.texi invoke-tpmtool.texi invoke-danetool.texi
+AUTOGENED_UTIL1_DOC = invoke-psktool.texi invoke-srptool.texi
+
+AUTOGENED_DOC = $(AUTOGENED_GNUTLS_DOC) $(AUTOGENED_UTIL0_DOC) \
+ $(AUTOGENED_UTIL1_DOC)
+
+# $(AUTOGEN) could be /bin/true. If so, just use the shipped texi file.
+autogen_common = \
+ $(AUTOGEN) -Tagtexi-cmd.tpl $1; \
+ if [ ! -e $2 ]; then \
+ cp $(srcdir)/$2 .; \
+ fi; \
+ $(srcdir)/scripts/cleanup-autogen.pl < $2 > $2.tmp && \
+ mv -f $2.tmp $2
+
+$(AUTOGENED_GNUTLS_DOC) : invoke-gnutls-%.texi : $(top_srcdir)/src/%-args.def
+ $(call autogen_common,$<,$@)
+
+$(AUTOGENED_UTIL0_DOC) : invoke-%.texi : $(top_srcdir)/src/%-args.def
+ $(call autogen_common,$<,$@) && \
+ sed -i 's/@subheading/@subsubheading/g' $@ && \
+ sed -i 's/@section/@subsection/g' $@
+
+$(AUTOGENED_UTIL1_DOC) : invoke-%.texi : $(top_srcdir)/src/%-args.def
+ $(call autogen_common,$<,$@) && \
+ sed -i 's/@subheading/@subsubheading/g' $@ && \
+ sed -i 's/@section/@subsubsection/g' $@
info_TEXINFOS = gnutls.texi gnutls-guile.texi
gnutls_TEXINFOS = gnutls.texi fdl-1.3.texi \
@@ -149,11 +73,6 @@ gnutls_TEXINFOS = gnutls.texi fdl-1.3.texi \
cha-shared-key.texi cha-gtls-examples.texi cha-upgrade.texi \
cha-tokens.texi cha-crypto.texi cha-auth.texi
-AUTOGENED_DOC = invoke-gnutls-cli.texi invoke-gnutls-cli-debug.texi \
- invoke-gnutls-serv.texi invoke-certtool.texi invoke-srptool.texi \
- invoke-ocsptool.texi invoke-psktool.texi invoke-p11tool.texi \
- invoke-tpmtool.texi invoke-danetool.texi
-
gnutls_TEXINFOS += stamp_functions
# Examples.
--
1.8.3.2
From cernekee at gmail.com Fri Mar 7 07:35:07 2014
From: cernekee at gmail.com (Kevin Cernekee)
Date: Thu, 6 Mar 2014 22:35:07 -0800
Subject: [gnutls-devel] [PATCH 3/5] doc: Fix enums.texi failure on
out-of-tree builds
In-Reply-To: <1394174109-661-1-git-send-email-cernekee@gmail.com>
References: <1394174109-661-1-git-send-email-cernekee@gmail.com>
Message-ID: <1394174109-661-3-git-send-email-cernekee@gmail.com>
enums.texi is a generated file so we should not look for it in $(srcdir).
When we do, chaos ensues:
mv -f enums.texi-tmp enums.texi
mkdir enums
../../doc/scripts/split-texi.pl enums enum < ../../doc/enums.texi
/bin/bash: ../../doc/enums.texi: No such file or directory
make[4]: *** [stamp_enums] Error 1
make[4]: Leaving directory `/home/user/gnutls/build/doc'
make[3]: *** [all-recursive] Error 1
make[3]: Leaving directory `/home/user/gnutls/build/doc'
make[2]: *** [all] Error 2
make[2]: Leaving directory `/home/user/gnutls/build/doc'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/home/user/gnutls/build'
make: *** [all] Error 2
Signed-off-by: Kevin Cernekee
---
doc/Makefile.am | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/doc/Makefile.am b/doc/Makefile.am
index e30ac52..7c33cfa 100644
--- a/doc/Makefile.am
+++ b/doc/Makefile.am
@@ -429,7 +429,7 @@ stamp_functions: $(API_FILES)
stamp_enums: enums.texi
-mkdir enums
- $(srcdir)/scripts/split-texi.pl enums enum < $(srcdir)/enums.texi
+ $(srcdir)/scripts/split-texi.pl enums enum < $<
echo $@ > $@
$(ENUMS): stamp_enums
@@ -449,7 +449,7 @@ compare-exported:
rm -f tmp-exp-$@ tmp-head-$@
compare-makefile: enums.texi
- ENUMS=`grep '^@c ' $(srcdir)/enums.texi | sed 's/@c //g' | sort -d`; \
+ ENUMS=`grep '^@c ' $< | sed 's/@c //g' | sort -d`; \
STR=""; \
for i in $$ENUMS; do \
STR="$$STR\nENUMS += enums/$$i"; \
--
1.8.3.2
From cernekee at gmail.com Fri Mar 7 08:20:36 2014
From: cernekee at gmail.com (Kevin Cernekee)
Date: Thu, 6 Mar 2014 23:20:36 -0800
Subject: [gnutls-devel] [PATCH 1/5] Update gnulib to fix build failures
In-Reply-To: <1394176069.4157.19.camel@nomad.lan>
References: <1394174109-661-1-git-send-email-cernekee@gmail.com>
<1394176069.4157.19.camel@nomad.lan>
Message-ID:
On Thu, Mar 6, 2014 at 11:07 PM, Nikos Mavrogiannopoulos
wrote:
>> 2) Missing inet_pton.c error during GnuTLS "make bootstrap":
>
> Hello Kevin,
> Is that on latest master? I fixed some issue yesterday that was related
> to that.
It was broken this morning (GMT -0800) but it does appear to be fixed
on the latest master, probably by 32557a59a.
> btw. I do not have commit nr: cb3c90598c1
That is the upstream gnulib commit that fixes the Android builds:
commit cb3c90598c13d3db616c0c1e62c5d59ed80b069d
Author: Kevin Cernekee
Date: Wed Mar 5 12:10:56 2014 -0800
stdint, read-file: fix missing SIZE_MAX on Android (tiny change)
This is basically one of the options Bruno Haible proposed in:
http://lists.gnu.org/archive/html/bug-gnulib/2012-01/msg00282.html
* lib/sys_types.in.h (_GL_INCLUDING_UNISTD_H): New macro.
* lib/stdint.in.h: Use it.
* modules/stdint (Depends-on): Add sys_types.
From dkg at fifthhorseman.net Fri Mar 7 10:01:04 2014
From: dkg at fifthhorseman.net (Daniel Kahn Gillmor)
Date: Fri, 07 Mar 2014 09:01:04 +0000
Subject: [gnutls-devel] dane - limited usability die to (indirect)
OpenSSL dependency
In-Reply-To: <5310F24E.4010900@gnutls.org>
References: <20131228135512.GB3225@downhill.g.la>
<1388241258.14170.10.camel@aspire.lan> <5310F24E.4010900@gnutls.org>
Message-ID: <53198AD0.7010403@fifthhorseman.net>
On 02/28/2014 08:32 PM, Nikos Mavrogiannopoulos wrote:
> I realized that dnsmasq uses nettle to provide dnssec support. If
> someone could make a small library out of it, we could simply switch to
> it from unbound.
This sounds promising, but i don't see any such usage in the source of
dnsmasq 2.68. are you sure it's in dnsmasq?
--dkg
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 1010 bytes
Desc: OpenPGP digital signature
URL:
From nmav at gnutls.org Fri Mar 7 14:00:35 2014
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Fri, 7 Mar 2014 14:00:35 +0100
Subject: [gnutls-devel] dane - limited usability die to (indirect)
OpenSSL dependency
In-Reply-To: <53198AD0.7010403@fifthhorseman.net>
References: <20131228135512.GB3225@downhill.g.la>
<1388241258.14170.10.camel@aspire.lan>
<5310F24E.4010900@gnutls.org> <53198AD0.7010403@fifthhorseman.net>
Message-ID:
On Fri, Mar 7, 2014 at 10:01 AM, Daniel Kahn Gillmor
wrote:
> On 02/28/2014 08:32 PM, Nikos Mavrogiannopoulos wrote:
>> I realized that dnsmasq uses nettle to provide dnssec support. If
>> someone could make a small library out of it, we could simply switch to
>> it from unbound.
> This sounds promising, but i don't see any such usage in the source of
> dnsmasq 2.68. are you sure it's in dnsmasq?
I don't know if it is released yet. I saw the addition in the
changelog entries. The code is at
http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=blob;f=src/dnssec.c;hb=HEAD
regards,
Nikos
From cernekee at gmail.com Sat Mar 8 05:38:27 2014
From: cernekee at gmail.com (Kevin Cernekee)
Date: Fri, 7 Mar 2014 20:38:27 -0800
Subject: [gnutls-devel] [PATCH V2 1/4] updated gnulib
Message-ID: <1394253510-8458-1-git-send-email-cernekee@gmail.com>
This pulls in upstream commit cb3c90598 (stdint, read-file: fix missing
SIZE_MAX on Android).
Signed-off-by: Kevin Cernekee
---
src/gl/stdint.in.h | 3 +--
src/gl/sys_types.in.h | 2 ++
2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/src/gl/stdint.in.h b/src/gl/stdint.in.h
index 5deca39..247f0d8 100644
--- a/src/gl/stdint.in.h
+++ b/src/gl/stdint.in.h
@@ -38,8 +38,7 @@
other system header files; just include the system's .
Ideally we should test __BIONIC__ here, but it is only defined after
has been included; hence test __ANDROID__ instead. */
-#if defined __ANDROID__ \
- && defined _SYS_TYPES_H_ && !defined __need_size_t
+#if defined __ANDROID__ && defined _GL_INCLUDING_SYS_TYPES_H
# @INCLUDE_NEXT@ @NEXT_STDINT_H@
#else
diff --git a/src/gl/sys_types.in.h b/src/gl/sys_types.in.h
index d3a4be1..deb5d67 100644
--- a/src/gl/sys_types.in.h
+++ b/src/gl/sys_types.in.h
@@ -23,7 +23,9 @@
#ifndef _ at GUARD_PREFIX@_SYS_TYPES_H
/* The include_next requires a split double-inclusion guard. */
+# define _GL_INCLUDING_SYS_TYPES_H
#@INCLUDE_NEXT@ @NEXT_SYS_TYPES_H@
+# undef _GL_INCLUDING_SYS_TYPES_H
#ifndef _ at GUARD_PREFIX@_SYS_TYPES_H
#define _ at GUARD_PREFIX@_SYS_TYPES_H
--
1.8.3.2
From cernekee at gmail.com Sat Mar 8 05:38:30 2014
From: cernekee at gmail.com (Kevin Cernekee)
Date: Fri, 7 Mar 2014 20:38:30 -0800
Subject: [gnutls-devel] [PATCH V2 4/4] Fix build failures involving
doc/invoke-*.texi
In-Reply-To: <1394253510-8458-1-git-send-email-cernekee@gmail.com>
References: <1394253510-8458-1-git-send-email-cernekee@gmail.com>
Message-ID: <1394253510-8458-4-git-send-email-cernekee@gmail.com>
Several problems were found in this area:
1) Currently, if SRC_DEF_* are undefined, autogen will get invoked with
no input file and it will hang forever waiting for content from stdin:
mv -f enums.texi-tmp enums.texi
mkdir enums
../../doc/scripts/split-texi.pl enums enum < enums.texi
echo stamp_enums > stamp_enums
cd ../src/ && autogen -Tagtexi-cmd.tpl && \
rm -f ../doc/invoke-gnutls-cli.texi && \
../doc/scripts/cleanup-autogen.pl <../src/invoke-gnutls-cli.texi >../doc/invoke-gnutls-cli.texi.tmp && \
mv -f ../doc/invoke-gnutls-cli.texi.tmp ../doc/invoke-gnutls-cli.texi && \
rm -f ../src/invoke-gnutls-cli.texi
Since these documents are @include'd by other documents, it is probably
a good idea to make sure the targets are buildable in case they get
listed as prerequisites.
2) SRC_DEF_* used relative paths which are correct for an in-place build,
but incorrect for an out-of-tree build. They should use something like
$(top_srcdir)/src to resolve the ambiguity.
3) cleanup-autogen.pl was also referenced using a relative pathname,
breaking out-of-tree builds.
4) The non-portable "sed -i" flag was used.
Signed-off-by: Kevin Cernekee
---
.gitignore | 12 +---
doc/Makefile.am | 207 +++++++++++++++++++++++++++-----------------------------
2 files changed, 102 insertions(+), 117 deletions(-)
diff --git a/.gitignore b/.gitignore
index 6b50937..6b2615a 100644
--- a/.gitignore
+++ b/.gitignore
@@ -689,16 +689,8 @@ src/gl/warn-on-use.h
doc/stamp_invoke
src/gl/libgnu_gpl.a
src/gl/libgnu_gpl.la
-doc/invoke-certtool.texi
-doc/invoke-danetool.texi
-doc/invoke-gnutls-cli-debug.texi
-doc/invoke-gnutls-cli.texi
-doc/invoke-gnutls-serv.texi
-doc/invoke-ocsptool.texi
-doc/invoke-p11tool.texi
-doc/invoke-psktool.texi
-doc/invoke-srptool.texi
-doc/invoke-tpmtool.texi
+doc/invoke-*.texi
+doc/invoke-*.menu
doc/parse-datetime.texi
tests/fips-test
tests/global-init
diff --git a/doc/Makefile.am b/doc/Makefile.am
index 7c33cfa..73fe681 100644
--- a/doc/Makefile.am
+++ b/doc/Makefile.am
@@ -31,113 +31,106 @@ endif
-include $(top_srcdir)/doc/doc.mk
-
-SRC_DEF_CLI =
-SRC_DEF_CLI_DEBUG =
-SRC_DEF_SERV =
-SRC_DEF_CERTTOOL =
-SRC_DEF_OCSPTOOL =
-SRC_DEF_DANETOOL =
-SRC_DEF_SRPTOOL =
-SRC_DEF_PSKTOOL =
-SRC_DEF_P11TOOL =
-SRC_DEF_TPMTOOL =
-if WANT_TEST_SUITE
-SRC_DEF_CLI += ../src/cli-args.def
-SRC_DEF_CLI_DEBUG += ../src/cli-debug-args.def
-SRC_DEF_SERV += ../src/serv-args.def
-SRC_DEF_CERTTOOL += ../src/certtool-args.def
-SRC_DEF_OCSPTOOL += ../src/ocsptool-args.def
-SRC_DEF_DANETOOL += ../src/danetool-args.def
-SRC_DEF_SRPTOOL += ../src/srptool-args.def
-SRC_DEF_PSKTOOL += ../src/psk-args.def
-SRC_DEF_P11TOOL += ../src/p11tool-args.def
-SRC_DEF_TPMTOOL += ../src/tpmtool-args.def
-endif
-
-invoke-gnutls-cli.texi: $(SRC_DEF_CLI)
- -cd ../src/ && $(AUTOGEN) -Tagtexi-cmd.tpl $< && \
- rm -f ../doc/$@ && \
- ../doc/scripts/cleanup-autogen.pl <../src/$@ >../doc/$@.tmp && \
- mv -f ../doc/$@.tmp ../doc/$@ && \
- rm -f ../src/$@
-
-invoke-gnutls-cli-debug.texi: $(SRC_DEF_CLI_DEBUG) invoke-gnutls-cli.texi
- -cd ../src/ && $(AUTOGEN) -Tagtexi-cmd.tpl $< && \
- rm -f ../doc/$@ && \
- ../doc/scripts/cleanup-autogen.pl <../src/$@ >../doc/$@.tmp && \
- mv -f ../doc/$@.tmp ../doc/$@ && \
- rm -f ../src/$@
-
-invoke-gnutls-serv.texi: $(SRC_DEF_SERV) invoke-gnutls-cli-debug.texi
- -cd ../src/ && $(AUTOGEN) -Tagtexi-cmd.tpl $< && \
- rm -f ../doc/$@ && \
- ../doc/scripts/cleanup-autogen.pl <../src/$@ >../doc/$@.tmp && \
- mv -f ../doc/$@.tmp ../doc/$@ && \
- rm -f ../src/$@
-
-invoke-certtool.texi: $(SRC_DEF_CERTTOOL) invoke-gnutls-serv.texi
- -cd ../src/ && $(AUTOGEN) -Tagtexi-cmd.tpl $< && \
- rm -f ../doc/$@ && \
- ../doc/scripts/cleanup-autogen.pl <../src/$@ >../doc/$@.tmp && \
- mv -f ../doc/$@.tmp ../doc/$@ && \
- rm -f ../src/$@ && \
- sed -i 's/@subheading/@subsubheading/g' ../doc/$@ && \
- sed -i 's/@section/@subsection/g' ../doc/$@
-
-invoke-ocsptool.texi: $(SRC_DEF_OCSPTOOL) invoke-certtool.texi
- -cd ../src/ && $(AUTOGEN) -Tagtexi-cmd.tpl $< && \
- rm -f ../doc/$@ && \
- ../doc/scripts/cleanup-autogen.pl <../src/$@ >../doc/$@.tmp && \
- mv -f ../doc/$@.tmp ../doc/$@ && \
- rm -f ../src/$@ && \
- sed -i 's/@subheading/@subsubheading/g' ../doc/$@ && \
- sed -i 's/@section/@subsection/g' ../doc/$@
-
-invoke-danetool.texi: $(SRC_DEF_DANETOOL) invoke-ocsptool.texi
- -cd ../src/ && $(AUTOGEN) -Tagtexi-cmd.tpl $< && \
- rm -f ../doc/$@ && \
- ../doc/scripts/cleanup-autogen.pl <../src/$@ >../doc/$@.tmp && \
- mv -f ../doc/$@.tmp ../doc/$@ && \
- rm -f ../src/$@ && \
- sed -i 's/@subheading/@subsubheading/g' ../doc/$@ && \
- sed -i 's/@section/@subsection/g' ../doc/$@
-
-invoke-srptool.texi: $(SRC_DEF_SRPTOOL) invoke-danetool.texi
- -cd ../src/ && $(AUTOGEN) -Tagtexi-cmd.tpl $< && \
- rm -f ../doc/$@ && \
- ../doc/scripts/cleanup-autogen.pl <../src/$@ >../doc/$@.tmp && \
- mv -f ../doc/$@.tmp ../doc/$@ && \
- rm -f ../src/$@ && \
- sed -i 's/@subheading/@subsubheading/g' ../doc/$@ && \
- sed -i 's/@section/@subsubsection/g' ../doc/$@
-
-invoke-psktool.texi: $(SRC_DEF_PSKTOOL) invoke-srptool.texi
- -cd ../src/ && $(AUTOGEN) -Tagtexi-cmd.tpl $< && \
- rm -f ../doc/$@ && \
- ../doc/scripts/cleanup-autogen.pl <../src/$@ >../doc/$@.tmp && \
- mv -f ../doc/$@.tmp ../doc/$@ && \
- rm -f ../src/$@ && \
- sed -i 's/@subheading/@subsubheading/g' ../doc/$@ && \
- sed -i 's/@section/@subsubsection/g' ../doc/$@
-
-invoke-p11tool.texi: $(SRC_DEF_P11TOOL) invoke-psktool.texi
- -cd ../src/ && $(AUTOGEN) -Tagtexi-cmd.tpl $< && \
- rm -f ../doc/$@ && \
- ../doc/scripts/cleanup-autogen.pl <../src/$@ >../doc/$@.tmp && \
- mv -f ../doc/$@.tmp ../doc/$@ && \
- rm -f ../src/$@ && \
- sed -i 's/@subheading/@subsubheading/g' ../doc/$@ && \
- sed -i 's/@section/@subsection/g' ../doc/$@
-
-invoke-tpmtool.texi: $(SRC_DEF_TPMTOOL) invoke-p11tool.texi
- -cd ../src/ && $(AUTOGEN) -Tagtexi-cmd.tpl $< && \
- rm -f ../doc/$@ && \
- ../doc/scripts/cleanup-autogen.pl <../src/$@ >../doc/$@.tmp && \
- mv -f ../doc/$@.tmp ../doc/$@ && \
- rm -f ../src/$@ && \
- sed -i 's/@subheading/@subsubheading/g' ../doc/$@ && \
- sed -i 's/@section/@subsection/g' ../doc/$@
+invoke-gnutls-cli.texi: $(top_srcdir)/src/cli-args.def
+ $(AUTOGEN) -Tagtexi-cmd.tpl $<; \
+ if [ ! -e $@ ]; then \
+ cp $(srcdir)/$@ .; \
+ fi; \
+ $(srcdir)/scripts/cleanup-autogen.pl < $@ > $@.tmp && \
+ mv -f $@.tmp $@
+
+invoke-gnutls-cli-debug.texi: $(top_srcdir)/src/cli-debug-args.def invoke-gnutls-cli.texi
+ $(AUTOGEN) -Tagtexi-cmd.tpl $<; \
+ if [ ! -e $@ ]; then \
+ cp $(srcdir)/$@ .; \
+ fi; \
+ $(srcdir)/scripts/cleanup-autogen.pl < $@ > $@.tmp && \
+ mv -f $@.tmp $@
+
+invoke-gnutls-serv.texi: $(top_srcdir)/src/serv-args.def invoke-gnutls-cli-debug.texi
+ $(AUTOGEN) -Tagtexi-cmd.tpl $<; \
+ if [ ! -e $@ ]; then \
+ cp $(srcdir)/$@ .; \
+ fi; \
+ $(srcdir)/scripts/cleanup-autogen.pl < $@ > $@.tmp && \
+ mv -f $@.tmp $@
+
+invoke-certtool.texi: $(top_srcdir)/src/certtool-args.def invoke-gnutls-serv.texi
+ $(AUTOGEN) -Tagtexi-cmd.tpl $<; \
+ if [ ! -e $@ ]; then \
+ cp $(srcdir)/$@ .; \
+ fi; \
+ $(srcdir)/scripts/cleanup-autogen.pl < $@ > $@.tmp && \
+ rm -f $@ && \
+ sed -e 's/@subheading/@subsubheading/g' \
+ -e 's/@section/@subsection/g' $@.tmp > $@ && \
+ rm -f $@.tmp
+
+invoke-ocsptool.texi: $(top_srcdir)/src/ocsptool-args.def invoke-certtool.texi
+ $(AUTOGEN) -Tagtexi-cmd.tpl $<; \
+ if [ ! -e $@ ]; then \
+ cp $(srcdir)/$@ .; \
+ fi; \
+ $(srcdir)/scripts/cleanup-autogen.pl < $@ > $@.tmp && \
+ rm -f $@ && \
+ sed -e 's/@subheading/@subsubheading/g' \
+ -e 's/@section/@subsection/g' $@.tmp > $@ && \
+ rm -f $@.tmp
+
+invoke-danetool.texi: $(top_srcdir)/src/danetool-args.def invoke-ocsptool.texi
+ $(AUTOGEN) -Tagtexi-cmd.tpl $<; \
+ if [ ! -e $@ ]; then \
+ cp $(srcdir)/$@ .; \
+ fi; \
+ $(srcdir)/scripts/cleanup-autogen.pl < $@ > $@.tmp && \
+ rm -f $@ && \
+ sed -e 's/@subheading/@subsubheading/g' \
+ -e 's/@section/@subsection/g' $@.tmp > $@ && \
+ rm -f $@.tmp
+
+invoke-srptool.texi: $(top_srcdir)/src/srptool-args.def invoke-danetool.texi
+ $(AUTOGEN) -Tagtexi-cmd.tpl $<; \
+ if [ ! -e $@ ]; then \
+ cp $(srcdir)/$@ .; \
+ fi; \
+ $(srcdir)/scripts/cleanup-autogen.pl < $@ > $@.tmp && \
+ rm -f $@ && \
+ sed -e 's/@subheading/@subsubheading/g' \
+ -e 's/@section/@subsubsection/g' $@.tmp > $@ && \
+ rm -f $@.tmp
+
+invoke-psktool.texi: $(top_srcdir)/src/psktool-args.def invoke-srptool.texi
+ $(AUTOGEN) -Tagtexi-cmd.tpl $<; \
+ if [ ! -e $@ ]; then \
+ cp $(srcdir)/$@ .; \
+ fi; \
+ $(srcdir)/scripts/cleanup-autogen.pl < $@ > $@.tmp && \
+ rm -f $@ && \
+ sed -e 's/@subheading/@subsubheading/g' \
+ -e 's/@section/@subsubsection/g' $@.tmp > $@ && \
+ rm -f $@.tmp
+
+invoke-p11tool.texi: $(top_srcdir)/src/p11tool-args.def invoke-psktool.texi
+ $(AUTOGEN) -Tagtexi-cmd.tpl $<; \
+ if [ ! -e $@ ]; then \
+ cp $(srcdir)/$@ .; \
+ fi; \
+ $(srcdir)/scripts/cleanup-autogen.pl < $@ > $@.tmp && \
+ rm -f $@ && \
+ sed -e 's/@subheading/@subsubheading/g' \
+ -e 's/@section/@subsection/g' $@.tmp > $@ && \
+ rm -f $@.tmp
+
+invoke-tpmtool.texi: $(top_srcdir)/src/tpmtool-args.def invoke-p11tool.texi
+ $(AUTOGEN) -Tagtexi-cmd.tpl $<; \
+ if [ ! -e $@ ]; then \
+ cp $(srcdir)/$@ .; \
+ fi; \
+ $(srcdir)/scripts/cleanup-autogen.pl < $@ > $@.tmp && \
+ rm -f $@ && \
+ sed -e 's/@subheading/@subsubheading/g' \
+ -e 's/@section/@subsection/g' $@.tmp > $@ && \
+ rm -f $@.tmp
info_TEXINFOS = gnutls.texi gnutls-guile.texi
gnutls_TEXINFOS = gnutls.texi fdl-1.3.texi \
--
1.8.3.2
From cernekee at gmail.com Sat Mar 8 05:38:29 2014
From: cernekee at gmail.com (Kevin Cernekee)
Date: Fri, 7 Mar 2014 20:38:29 -0800
Subject: [gnutls-devel] [PATCH V2 3/4] Fix build failures on autogen'ed docs
In-Reply-To: <1394253510-8458-1-git-send-email-cernekee@gmail.com>
References: <1394253510-8458-1-git-send-email-cernekee@gmail.com>
Message-ID: <1394253510-8458-3-git-send-email-cernekee@gmail.com>
autogen needs to be invoked with $(srcdir)/-args.def or else it
will not be able to find the input file if GnuTLS is built out of tree,
e.g.
mkdir build
cd build
../configure
make
Also, add missing targets for %-args.h, to avoid this error:
make[2]: Entering directory `/home/user/gnutls/src'
autogen srptool-args.def
autogen psk-args.def
make[2]: *** No rule to make target `ocsptool-args.h', needed by `all'. Stop.
make[2]: Leaving directory `/home/user/gnutls/src'
make[1]: *** [all-recursive] Error 1
For portability's sake we will spell out the rule for each target instead
of using a GNU '%' pattern rule:
https://www.gnu.org/software/make/manual/html_node/Features.html#Features
Signed-off-by: Kevin Cernekee
---
src/Makefile.am | 40 ++++++++++++++++++++--------------------
1 file changed, 20 insertions(+), 20 deletions(-)
diff --git a/src/Makefile.am b/src/Makefile.am
index f6d7f6c..4ca2a92 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -213,23 +213,23 @@ libcmd_tpmtool_la_LIBADD += $(LTLIBREADLINE) $(INET_PTON_LIB) $(LIB_CLOCK_GETTIM
endif # ENABLE_TROUSERS
-danetool-args.c: $(srcdir)/args-std.def $(srcdir)/danetool-args.def
- -$(AUTOGEN) danetool-args.def
-ocsptool-args.c: $(srcdir)/args-std.def $(srcdir)/ocsptool-args.def
- -$(AUTOGEN) ocsptool-args.def
-tpmtool-args.c: $(srcdir)/args-std.def $(srcdir)/tpmtool-args.def
- -$(AUTOGEN) tpmtool-args.def
-p11tool-args.c: $(srcdir)/args-std.def $(srcdir)/p11tool-args.def
- -$(AUTOGEN) p11tool-args.def
-psktool-args.c: $(srcdir)/args-std.def $(srcdir)/psktool-args.def
- -$(AUTOGEN) psktool-args.def
-cli-debug-args.c: $(srcdir)/args-std.def $(srcdir)/cli-debug-args.def
- -$(AUTOGEN) cli-debug-args.def
-cli-args.c: $(srcdir)/args-std.def $(srcdir)/cli-args.def
- -$(AUTOGEN) cli-args.def
-serv-args.c: $(srcdir)/args-std.def $(srcdir)/serv-args.def
- -$(AUTOGEN) serv-args.def
-srptool-args.c: $(srcdir)/args-std.def $(srcdir)/srptool-args.def
- -$(AUTOGEN) srptool-args.def
-certtool-args.c: $(srcdir)/args-std.def $(srcdir)/certtool-args.def
- -$(AUTOGEN) certtool-args.def
+danetool-args.c danetool-args.h: $(srcdir)/danetool-args.def $(srcdir)/args-std.def
+ -$(AUTOGEN) $<
+ocsptool-args.c ocsptool-args.h: $(srcdir)/ocsptool-args.def $(srcdir)/args-std.def
+ -$(AUTOGEN) $<
+tpmtool-args.c tpmtool-args.h: $(srcdir)/tpmtool-args.def $(srcdir)/args-std.def
+ -$(AUTOGEN) $<
+p11tool-args.c p11tool-args.h: $(srcdir)/p11tool-args.def $(srcdir)/args-std.def
+ -$(AUTOGEN) $<
+psktool-args.c psktool-args.h: $(srcdir)/psktool-args.def $(srcdir)/args-std.def
+ -$(AUTOGEN) $<
+cli-debug-args.c cli-debug-args.h: $(srcdir)/cli-debug-args.def $(srcdir)/args-std.def
+ -$(AUTOGEN) $<
+cli-args.c cli-args.h: $(srcdir)/cli-args.def $(srcdir)/args-std.def
+ -$(AUTOGEN) $<
+serv-args.c serv-args.h: $(srcdir)/serv-args.def $(srcdir)/args-std.def
+ -$(AUTOGEN) $<
+srptool-args.c srptool-args.h: $(srcdir)/srptool-args.def $(srcdir)/args-std.def
+ -$(AUTOGEN) $<
+certtool-args.c certtool-args.h: $(srcdir)/certtool-args.def $(srcdir)/args-std.def
+ -$(AUTOGEN) $<
--
1.8.3.2
From cernekee at gmail.com Sat Mar 8 05:38:28 2014
From: cernekee at gmail.com (Kevin Cernekee)
Date: Fri, 7 Mar 2014 20:38:28 -0800
Subject: [gnutls-devel] [PATCH V2 2/4] README-alpha: Add gperf dependency
for building from git
In-Reply-To: <1394253510-8458-1-git-send-email-cernekee@gmail.com>
References: <1394253510-8458-1-git-send-email-cernekee@gmail.com>
Message-ID: <1394253510-8458-2-git-send-email-cernekee@gmail.com>
Without gperf, priority-options.h does not get built and this results
in a compile error.
Signed-off-by: Kevin Cernekee
---
README-alpha | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/README-alpha b/README-alpha
index 3df2d8a..8120b4f 100644
--- a/README-alpha
+++ b/README-alpha
@@ -25,6 +25,7 @@ We require several tools to check out and build the software, including:
- Nettle
- Guile
- p11-kit
+- gperf
- libtasn1 (optional)
- datefudge (optional)
- Libidn (optional, for crywrap)
@@ -40,7 +41,7 @@ apt-get install git-core autoconf libtool gettext autopoint
apt-get install texinfo texlive texlive-generic-recommended texlive-extra-utils
apt-get install help2man gtk-doc-tools valgrind
apt-get install guile-1.8-dev libtasn1-3-dev
-apt-get install datefudge libidn11-dev gawk
+apt-get install datefudge libidn11-dev gawk gperf
You will sometimes need to install more recent versions of Automake,
Nettle, P11-kit and Autogen, which you will need to build from
--
1.8.3.2
From nmav at gnutls.org Sat Mar 8 09:51:15 2014
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Sat, 08 Mar 2014 09:51:15 +0100
Subject: [gnutls-devel] [PATCH 5/5] Fix build failures involving
doc/invoke-*.texi
In-Reply-To: <1394174109-661-5-git-send-email-cernekee@gmail.com>
References: <1394174109-661-1-git-send-email-cernekee@gmail.com>
<1394174109-661-5-git-send-email-cernekee@gmail.com>
Message-ID: <1394268675.4172.2.camel@nomad.lan>
On Thu, 2014-03-06 at 22:35 -0800, Kevin Cernekee wrote:
> Several problems were found in this area:
>
> 1) Currently, if SRC_DEF_* are undefined, autogen will get invoked with
> no input file and it will hang forever waiting for content from stdin:
>
> mv -f enums.texi-tmp enums.texi
> mkdir enums
> ../../doc/scripts/split-texi.pl enums enum < enums.texi
> echo stamp_enums > stamp_enums
> cd ../src/ && autogen -Tagtexi-cmd.tpl && \
> rm -f ../doc/invoke-gnutls-cli.texi && \
> ../doc/scripts/cleanup-autogen.pl <../src/invoke-gnutls-cli.texi >../doc/invoke-gnutls-cli.texi.tmp && \
> mv -f ../doc/invoke-gnutls-cli.texi.tmp ../doc/invoke-gnutls-cli.texi && \
> rm -f ../src/invoke-gnutls-cli.texi
>
Applied all 5. Thank you.
Nikos
From tobias at 23.gs Sat Mar 8 16:06:44 2014
From: tobias at 23.gs (Tobias Gruetzmacher)
Date: Sat, 8 Mar 2014 16:06:44 +0100
Subject: [gnutls-devel] Fix shared build on Win32
Message-ID: <20140308150644.GA5606@23.gs>
Hi,
while debugging shared builds in MXE (A Win32-cross-build environment
for Linux) I came accress the usage of _gnutls_vasprintf in
libgnutls-xssl. This breaks because libgnutls does not export that
symbol. The current fix used for MXE is here:
https://github.com/mxe/mxe/blob/master/src/gnutls-2-add-missing-export.patch
Since I consider this patch trivial, I suppose it is under the most
liberal licence you can find.
Regards, Tobias
--
GPG-Key 0xE2BEA341 - signed/encrypted mail preferred
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 181 bytes
Desc: Digital signature
URL:
From syn4m1cs at riseup.net Sun Mar 9 11:46:28 2014
From: syn4m1cs at riseup.net (Synamics)
Date: Sun, 09 Mar 2014 07:46:28 -0300
Subject: [gnutls-devel] Fwd: Devel page points to insecure cloning of GnuTLS
In-Reply-To: <531C45B5.30505@riseup.net>
References: <531C45B5.30505@riseup.net>
Message-ID: <531C4684.2000709@riseup.net>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi, good morning
The page http://www.gnutls.org/devel.html points to
"git://gitorious.org/gnutls/gnutls.git", which uses git protocol,
without authentication of the downloaded packages.
Why not subtitute it with https://gitorious.org/gnutls/gnutls.git ?
You have done a good job with GnuTLS, I'll try to help you at auditing it...
Good-Bye.
- --
Synamics synamics at riseup.net GPG: 8BCC264B
(1570 A5FC 48D1 99C6 1C45 E847 567E 231A 8BCC 264B)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (GNU/Linux)
iQIcBAEBAgAGBQJTHEW1AAoJEFZ+IxqLzCZLJBcQAJnL99pc0LI0RrbvO91QVsS0
i6RG49+VhzF8NV1hDeBXeGXQ7ng5Z9HxlOh2RsXPbzLhsTIvm4QNyE0SWoDgBLn+
evGxaPX0NW+27sHe7GTFpQlDD/Eh0bR6yIOEMrRODcuyPK44nDngAmtzLsTMP4EP
mRt5ErbHzgB1B5/3O2PJs4ekIkZ65ZZntEJToD9LL5TCIVnAGxXMyGSv6xCV6CgN
ey14JdsKNP9Py4AcbG9aW91g+PzE83ULgNhs6cel0TrRoVAxfnm0AxfQAHeYRmI9
5PLc6KS9vpZSGQsVSU7vl4MmvIcsCvMT60eAbdXvElG5Z2Dr6KKsReta6fGMfefj
r9SlxzOd6MwlFpu1xw8q3tUvk1aPHrPnGrGShMiC1iRn7oVFqSDQaXmoej6CEirc
8Xp/DISPElpDdDgFm7o6ifyATrvmKyAoa2Miy6smTg5eJMJwPOKGPdysBorMoFGn
R0vksg8YL7s/sdb1XyBNqSrfXUM0xfcsxAnuW2A6iOZW+jTwHx4WhwhmlG00qKsG
GS4CxV9QddnCl05Gi1z1/0GjC4liWxQSs4aGlrWa7stIWfpudWveSfrMOSaHN8dU
WFR0BY6ITc6yWFBQSTKSkCMtFfBnpIOAG4o7n9R9G9iYK2xcFm3v+LiEpyHonECj
KbiS5gNJHqFDYb7SIjkD
=n0m4
-----END PGP SIGNATURE-----
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 2291 bytes
Desc: S/MIME Cryptographic Signature
URL:
From dkg at fifthhorseman.net Mon Mar 10 01:04:11 2014
From: dkg at fifthhorseman.net (Daniel Kahn Gillmor)
Date: Sun, 09 Mar 2014 20:04:11 -0400
Subject: [gnutls-devel] Fwd: Devel page points to insecure cloning of
GnuTLS
In-Reply-To: <531C4684.2000709@riseup.net>
References: <531C45B5.30505@riseup.net> <531C4684.2000709@riseup.net>
Message-ID: <531D017B.8060208@fifthhorseman.net>
On 03/09/2014 06:46 AM, Synamics wrote:
> The page http://www.gnutls.org/devel.html points to
> "git://gitorious.org/gnutls/gnutls.git", which uses git protocol,
> without authentication of the downloaded packages.
> Why not subtitute it with https://gitorious.org/gnutls/gnutls.git ?
the https transport only provides transport-layer authentication also,
which just proves that you're connecting to the gitorious server -- not
that the files in question are the correct files for the GnuTLS project.
To verify the provenance of the data, you need to check the OpenPGP
signatures in the git tag that you are interested in (there are tags
that correspond to each released version). The tag should be signed by
Nikos Mavrogiannopolous.
for example:
git tag -v gnutls_3_2_12_1
I believe Nikos' key has the following fingerprint (but have not
verified it in person with him):
1F42 4189 05D8 206A A754 CCDC 29EE 58B9 9686 5171
gitorious' git https:// transport appears to be the "dumb" version,
which means that fetching a large repository with a complex history
(like that of the gnutls project) is expensive and slow. the git://
transport is significantly faster and more efficient.
if you can spare the bandwidth and the CPU and RAM, you can try
comparing these two commands:
time git clone https://gitorious.org/gnutls/gnutls.git
time git clone git://gitorious.org/gnutls/gnutls.git
If gitorious used the git-http-backend (i don't know how well that would
integrate with their nginx+varnish setup), so that git could use the
smart http transport, i'd be more inclined to agree with the proposed
change (because transport security and privacy is better than cleartext
in general, even if the real cryptographic checks you want on the source
code need to come from the OpenPGP signatures in the repo itself), but
for efficiency purposes, i think the current choice of git:// is a
better one.
--dkg
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 1010 bytes
Desc: OpenPGP digital signature
URL:
From nmav at gnutls.org Tue Mar 11 10:03:28 2014
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Tue, 11 Mar 2014 10:03:28 +0100
Subject: [gnutls-devel] Fix shared build on Win32
In-Reply-To: <20140308150644.GA5606@23.gs>
References: <20140308150644.GA5606@23.gs>
Message-ID:
On Sat, Mar 8, 2014 at 4:06 PM, Tobias Gruetzmacher wrote:
> Hi,
> while debugging shared builds in MXE (A Win32-cross-build environment
> for Linux) I came accress the usage of _gnutls_vasprintf in
> libgnutls-xssl. This breaks because libgnutls does not export that
> symbol. The current fix used for MXE is here:
That you. I've committed the fix in the 3.2 branch. I've also removed
xssl from the main branch of gnutls. There are no resources to support
a second library, despite the fact that I liked the idea of the high
level library.
regards,
Nikos
From luisgf at luisgf.es Wed Mar 12 14:21:46 2014
From: luisgf at luisgf.es (Luis G.F)
Date: Wed, 12 Mar 2014 14:21:46 +0100
Subject: [gnutls-devel] Memory leak in GnuTLS serv.c
Message-ID: <53205F6A.8070507@luisgf.es>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hello all:
Attach to this email, you can found a patch to apply to the lastest
version of gnutls in order to fix a potential memory leak in serv.c.
Thanks for your great work, regards Luis!
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
iQIcBAEBAgAGBQJTIF9qAAoJEGvLwn/JGLgP+MkQALkjyULosEHQlYUtswtH90Au
z9aaBJeoi1wRngAFj1pVRNHxAp9n0B1i9hqT3jBkrptCMCj+0xUG+eXfIXmvudxE
PJjSDbTiXbNFlCVslASx92cQkOmGzOnIvklY9vUmw2pBm1se0pU+Rhqh2ZPOxfYt
9Wzwtgyesktr9nrlL8ou1Beta+MuEhOEvmkSYWViqeZDgDUn18o/7e0ucOIu0peq
eGERCH6no3L9ED+TC1MQxGGiZWCLULIQuXOYjEXeEQXc1sN3Ib3WiDzzVwjaP75H
9gFsKGOo51rYbQrw6jiIQBG8idJo3LQGW5HCAy9QpRPdW6YBgyzudKqeVjqBO170
jZ/jUMMqc2slYDjR8wTsxeAYXn7pZ+no8iAIpkqJ8/jOLqxlkwUPbbg0dvwp19Fd
fkB43/jclzF30BawTgWRwsVobmGe1VQGqphTrhrh/vqvqmaMZyLLUAh5wIRJQL+f
RnROTzQN67azU4creMoTqhQyYQtFUqqPJqvcl+pqWBBndOatvfST1k3VCeRhSw+R
tmpVAKBQeaftufcQHfTbmPYYtiqeX6/HRMrR0lVVk9k62W1llH7a+GQs29WHnoFL
a+xk/C8OcaYe6pqzJyvHLgmGknfWh/Pga1DdiBB7m8obSjalJT/ekETUC2fQqIGx
1VM5QXCFSOZyeclWe9wm
=npDX
-----END PGP SIGNATURE-----
-------------- next part --------------
A non-text attachment was scrubbed...
Name: fix_memory_leak.patch
Type: text/x-patch
Size: 1335 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: fix_memory_leak.patch.sig
Type: application/pgp-signature
Size: 543 bytes
Desc: not available
URL:
From noloader at gmail.com Tue Mar 18 07:11:02 2014
From: noloader at gmail.com (Jeffrey Walton)
Date: Tue, 18 Mar 2014 02:11:02 -0400
Subject: [gnutls-devel] Overly permissive hostname matching
Message-ID:
I believe GnuTLS has a security flaw in its certificate hostname matching code.
In the attached server certificate, the hostname is provided via a
Subject Alt Name (SAN). The only SAN entry is a DNS name for "*.com".
Also attached is the default CA, which was used to sign the server's
certificate.
Effectively, wget accepts a single certificate for the gTLD of .COM.
That's probably bad. If a CA is compromised, then the compromised CA
could issue a "super certificate" and cover the entire top level
domain space.
I suspect wget also accepts certificates for .COM's friends, like
.NET, .ORG, .MIL, etc.
Its probably not limited to gTLDs. Mozilla maintains a list of
effective TLDs at https://wiki.mozilla.org/Public_Suffix_List. The
1600+ effective TLDs are probably accepted, too.
Attached are the certificates, keys, and commands to set up a test rig
with OpenSSL's s_server. The certificates are issued for example.com,
and require a modification to /etc/hosts to make things work as
(un)expected.
Jeffrey Walton
Baltimore, MD, US
$ echo -e "GET / HTTP/1.0\r\n" | gnutls-cli --x509cafile
ca-rsa-cert.pem example.com --port 8443
Processed 1 CA certificate(s).
Resolving 'example.com'...
Connecting to '127.0.0.1:8443'...
- Certificate type: X.509
- Got a certificate list of 1 certificates.
- Certificate[0] info:
- subject `O=Example\, LLC,CN=Example Certificate', issuer
`C=USO=Example\, LLC,CN=Example CA', RSA key 2048 bits, signed using
RSA-SHA256, activated `2014-01-01 00:00:00 UTC', expires `2024-01-01
00:00:00 UTC', SHA-1 fingerprint
`6ef2b017e26ce55092c8f886cff7ef9479629375'
- The hostname in the certificate matches 'example.com'.
- Peer's certificate is trusted
- Version: TLS1.0
- Key Exchange: RSA
- Cipher: AES-128-CBC
- MAC: SHA1
- Compression: NULL
- Handshake was completed
-------------- next part --------------
A non-text attachment was scrubbed...
Name: hostname-verification.tar.gz
Type: application/x-gzip
Size: 6409 bytes
Desc: not available
URL:
From nmav at gnutls.org Tue Mar 18 09:40:29 2014
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Tue, 18 Mar 2014 09:40:29 +0100
Subject: [gnutls-devel] Overly permissive hostname matching
In-Reply-To:
References:
Message-ID:
On Tue, Mar 18, 2014 at 7:11 AM, Jeffrey Walton wrote:
> I believe GnuTLS has a security flaw in its certificate hostname matching code.
> In the attached server certificate, the hostname is provided via a
> Subject Alt Name (SAN). The only SAN entry is a DNS name for "*.com".
> Also attached is the default CA, which was used to sign the server's
> certificate.
> Effectively, wget accepts a single certificate for the gTLD of .COM.
> That's probably bad. If a CA is compromised, then the compromised CA
> could issue a "super certificate" and cover the entire top level
> domain space.
That's a very interesting point, but I am not sure there is an easy
fix. GnuTLS follows RFC2818 for hostname verification, and that
document is pretty clear on the scope of the wildcards. It mentions
for example: "f*.com matches foo.com". Maybe we can forbid a first
level wildcard, but is that practice documented somewhere? I don't see
any IETF documents updating RFC2818.
Maybe TLS-UTA [0], is a better discussion place for that.
[0]. https://tools.ietf.org/wg/uta/
regards,
Nikos
From dkg at fifthhorseman.net Tue Mar 18 15:23:08 2014
From: dkg at fifthhorseman.net (Daniel Kahn Gillmor)
Date: Tue, 18 Mar 2014 10:23:08 -0400
Subject: [gnutls-devel] Overly permissive hostname matching
In-Reply-To:
References:
Message-ID: <532856CC.9040608@fifthhorseman.net>
On 03/18/2014 04:40 AM, Nikos Mavrogiannopoulos wrote:
> That's a very interesting point, but I am not sure there is an easy
> fix. GnuTLS follows RFC2818 for hostname verification, and that
> document is pretty clear on the scope of the wildcards. It mentions
> for example: "f*.com matches foo.com". Maybe we can forbid a first
> level wildcard, but is that practice documented somewhere? I don't see
> any IETF documents updating RFC2818.
RFC 2818 is a web-specific reference, so it doesn't cover all uses of
TLS; the CA/Browser Forum baseline requirements section 11.1.3 covers
what CAs are supposed to do about wildcard issuance:
https://cabforum.org/wp-content/uploads/Baseline_Requirements_V1_1_6.pdf
the CABForum guidelines have no mention of any on mixed
wildcard/non-wildcard labels in the CN or dNSNames, which makes me think
they haven't even been considered. I don't think f*.com is a reasonable
thing for modern CAs to issue.
for other IETF references, RFC 6125 has some useful material, though it
explicitly deprecates wildcards, only recommending their use for
backward/legacy compatibility:
https://tools.ietf.org/html/rfc6125#section-6.4.3
https://tools.ietf.org/html/rfc6125#section-7.2
--dkg
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 1010 bytes
Desc: OpenPGP digital signature
URL:
From noloader at gmail.com Tue Mar 18 10:08:31 2014
From: noloader at gmail.com (Jeffrey Walton)
Date: Tue, 18 Mar 2014 05:08:31 -0400
Subject: [gnutls-devel] Overly permissive hostname matching
In-Reply-To:
References:
Message-ID:
On Tue, Mar 18, 2014 at 4:40 AM, Nikos Mavrogiannopoulos
wrote:
> On Tue, Mar 18, 2014 at 7:11 AM, Jeffrey Walton wrote:
>> I believe GnuTLS has a security flaw in its certificate hostname matching code.
>> In the attached server certificate, the hostname is provided via a
>> Subject Alt Name (SAN). The only SAN entry is a DNS name for "*.com".
>> Also attached is the default CA, which was used to sign the server's
>> certificate.
>> Effectively, wget accepts a single certificate for the gTLD of .COM.
>> That's probably bad. If a CA is compromised, then the compromised CA
>> could issue a "super certificate" and cover the entire top level
>> domain space.
>
> That's a very interesting point, but I am not sure there is an easy
> fix. GnuTLS follows RFC2818 for hostname verification, and that
> document is pretty clear on the scope of the wildcards. It mentions
> for example: "f*.com matches foo.com". Maybe we can forbid a first
> level wildcard, but is that practice documented somewhere? I don't see
> any IETF documents updating RFC2818.
Hi Niko. I don't recall reading a prohibition anywhere. I even seem to
recall the browser's use of the list as voluntary (for lack of a
better term) since it was not prohibited or under specified. Maybe its
one of those things along the lines of "why would anyone ever need to
revoke a CA"....
Intuitively, we know that no one CA services a particular domain in
the gTLD space, so something seems out of place in clients willing to
accept a super cert.
How does GnuTLS handle DNS names with an embedded NULL (Kaminsky's and
Marlinspike's NULL Termination Attacks)? Does it take a proactive
approach by rejecting the certifcate? If so, rejecting a certifcate
for *.COM and *.NET would seem to be consistent behavior.
Jeff
From mancha1 at hush.com Wed Mar 19 03:48:57 2014
From: mancha1 at hush.com (mancha)
Date: Wed, 19 Mar 2014 02:48:57 +0000
Subject: [gnutls-devel] Overly permissive hostname matching
Message-ID: <20140319024857.953B5A0157@smtp.hushmail.com>
On Tue, 18 Mar 2014 08:40:50 "Nikos Mavrogiannopoulos" wrote:
>That's a very interesting point, but I am not sure there is an
>easy fix. GnuTLS follows RFC2818 for hostname verification, and
>that document is pretty clear on the scope of the wildcards. It
>mentions for example: "f*.com matches foo.com". Maybe we can
>forbid a first level wildcard, but is that practice documented
>somewhere? I don't see any IETF documents updating RFC2818.
Apropos, this is addressed client-side in different ways (e.g.):
1. Chromium (x509_certificate.cc)
// Do not allow wildcards for public/ICANN registry controlled
domains -
// that is, prevent *.com or *.co.uk as valid presented names, but
do not
// prevent *.appspot.com (a private registry controlled domain).
// In addition, unknown top-level domains (such as 'intranet'
domains or
// new TLDs/gTLDs not yet added to the registry controlled domain
dataset)
// are also implicitly prevented.
// Because |reference_domain| must contain at least one name
component that
// is not registry controlled, this ensures that all reference
domains
// contain at least three domain components when using wildcards.
size_t registry_length =
registry_controlled_domains::GetRegistryLength(
reference_name,
registry_controlled_domains::INCLUDE_UNKNOWN_REGISTRIES,
registry_controlled_domains::EXCLUDE_PRIVATE_REGISTRIES);
2. Mozilla (certdb.c)
/* New approach conforms to RFC 6125. */
char *wildcard = PORT_Strchr(cn, '*');
char *firstcndot = PORT_Strchr(cn, '.');
char *secondcndot = firstcndot ? PORT_Strchr(firstcndot+1, '.') :
NULL;
char *firsthndot = PORT_Strchr(hn, '.');
/* For a cn pattern to be considered valid, the wildcard
character...
* - may occur only in a DNS name with at least 3 components, and
* - may occur only as last character in the first component, and
* - may be preceded by additional characters, and
* - must not be preceded by an IDNA ACE prefix (xn--)
*/
if (wildcard && secondcndot && secondcndot[1] && firsthndot
&& firstcndot - wildcard == 1 /* wildcard is last char in
first component */
&& secondcndot - firstcndot > 1 /* second component is non-
empty */
&& PORT_Strrchr(cn, '*') == wildcard /* only one wildcard in
cn */
&& !PORT_Strncasecmp(cn, hn, wildcard - cn)
&& !PORT_Strcasecmp(firstcndot, firsthndot)
/* If hn starts with xn--, then cn must start with wildcard
*/
&& (PORT_Strncasecmp(hn, "xn--", 4) || wildcard == cn)) {
/* valid wildcard pattern match */
return SECSuccess;
}
--mancha
PS Nikos, I posted this message earlier via gmane[1] but it seems to
have been routed to a defunct list[2] rather than the current
one[3].
Have you seen this before?
[1]
http://thread.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/7380
[2] https://lists.gnu.org/archive/html/gnutls-devel/2014-
03/index.html
[3] http://lists.gnutls.org/pipermail/gnutls-devel/2014-
March/thread.html
From nmav at gnutls.org Wed Mar 19 14:22:06 2014
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Wed, 19 Mar 2014 14:22:06 +0100
Subject: [gnutls-devel] Overly permissive hostname matching
In-Reply-To: <20140319024857.953B5A0157@smtp.hushmail.com>
References: <20140319024857.953B5A0157@smtp.hushmail.com>
Message-ID:
On Wed, Mar 19, 2014 at 3:48 AM, mancha wrote:
> Apropos, this is addressed client-side in different ways (e.g.):
> 1. Chromium (x509_certificate.cc)
[...]
> 2. Mozilla (certdb.c)
[...]
Hello,
Indeed, I think that this should be changed in new versions of
gnutls. I think the mozilla rule of:
- may occur only in a DNS name with at least 3 components, and
Is a good one to start with. However, I'd appreciate if somebody could
bring that up to the TLS-UTA working group (I'm too busy to pursue
that). I think that the wildcard behaviour, if needed at all, should
be defined by an IETF document, rather than each implementation making
its own assumptions.
regards,
Nikos
> PS Nikos, I posted this message earlier via gmane[1] but it seems to
> have been routed to a defunct list[2] rather than the current
> one[3].
> Have you seen this before?
No, I haven't used gmane for posting. Is there anything I can do for
fixing that?
regards,
Nikos
From mancha1 at zoho.com Wed Mar 19 23:04:55 2014
From: mancha1 at zoho.com (mancha)
Date: Wed, 19 Mar 2014 22:04:55 +0000
Subject: [gnutls-devel] Overly permissive hostname matching
In-Reply-To:
References: <20140319024857.953B5A0157@smtp.hushmail.com>
Message-ID: <20140319220455.GA32282@zoho.com>
On Wed, Mar 19, 2014 at 02:22:06PM +0100, Nikos Mavrogiannopoulos wrote:
> No, I haven't used gmane for posting. Is there anything I can do for
> fixing that?
>
Hi Nikos.
I've emailed Lars at gmane to let him know about this quirk. I doubt
there's anything to do on your end but I'll let you know if there
is.
Cheers.
--mancha
From ametzler at bebt.de Thu Mar 20 17:02:32 2014
From: ametzler at bebt.de (Andreas Metzler)
Date: Thu, 20 Mar 2014 17:02:32 +0100
Subject: [gnutls-devel] RSA-SHA512 signature support for gnutls 2.12.x
Message-ID: <20140320160232.GB3241@downhill.g.la>
Hello,
this is
GnuTLS 2.12.x seems to fail to connect to servers using a cert signed
with RSA-SHA512. Since cacert.org seems to be using RSA-SHA512 this
has become more important.
More details in abovementioned bugreport.
Ivan Shmakov has provided attached patch for
GnuTLS 2.12.x. Could you please review it (and if this is successful
integrate to GIT).
thanks, cu Andreas
--
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
-------------- next part --------------
A non-text attachment was scrubbed...
Name: possible.patch
Type: text/x-diff
Size: 6368 bytes
Desc: not available
URL:
From nmav at gnutls.org Thu Mar 20 19:06:26 2014
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Thu, 20 Mar 2014 19:06:26 +0100
Subject: [gnutls-devel] RSA-SHA512 signature support for gnutls 2.12.x
In-Reply-To: <20140320160232.GB3241@downhill.g.la>
References: <20140320160232.GB3241@downhill.g.la>
Message-ID: <1395338786.4183.7.camel@nomad.lan>
On Thu, 2014-03-20 at 17:02 +0100, Andreas Metzler wrote:
> Hello,
>
> this is
>
> GnuTLS 2.12.x seems to fail to connect to servers using a cert signed
> with RSA-SHA512. Since cacert.org seems to be using RSA-SHA512 this
> has become more important.
> More details in abovementioned bugreport.
> Ivan Shmakov has provided attached patch for
> GnuTLS 2.12.x. Could you please review it (and if this is successful
> integrate to GIT).
Hello Andreas,
From a quick glimpse I don't think that this would solve the problem.
This code does not restrict the signature algorithms available for
certificate verification, but rather the signature algorithms that will
be used during the TLS handshake. As I understand (but cannot deduce
because the logs available are very limited) the client advertises only
support for SHA512 hash in the signature algorithms extension.
Unfortunately that version of gnutls could only work with either SHA1 or
SHA256 in the TLS 1.2 handshake and this is what this check takes care
of.
So I will not commit this patch, but nevertheless, I think the issue is
easy solvable, as it is just a misconfiguration of the client. Just make
sure it does not only support SHA512.
regards,
Nikos
From nmav at gnutls.org Fri Mar 21 08:51:19 2014
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Fri, 21 Mar 2014 08:51:19 +0100
Subject: [gnutls-devel] RSA-SHA512 signature support for gnutls 2.12.x
In-Reply-To: <1395338786.4183.7.camel@nomad.lan>
References: <20140320160232.GB3241@downhill.g.la>
<1395338786.4183.7.camel@nomad.lan>
Message-ID:
On Thu, Mar 20, 2014 at 7:06 PM, Nikos Mavrogiannopoulos
wrote:
>> GnuTLS 2.12.x seems to fail to connect to servers using a cert signed
>> with RSA-SHA512. Since cacert.org seems to be using RSA-SHA512 this
>> has become more important.
>> More details in abovementioned bugreport.
>> Ivan Shmakov has provided attached patch for
>> GnuTLS 2.12.x. Could you please review it (and if this is successful
>> integrate to GIT).
> Hello Andreas,
> From a quick glimpse I don't think that this would solve the problem.
> This code does not restrict the signature algorithms available for
> certificate verification, but rather the signature algorithms that will
> be used during the TLS handshake. As I understand (but cannot deduce
> because the logs available are very limited) the client advertises only
> support for SHA512 hash in the signature algorithms extension.
> Unfortunately that version of gnutls could only work with either SHA1 or
> SHA256 in the TLS 1.2 handshake and this is what this check takes care
> of.
It seems I was wrong on that assessment. It is a different issue. That
code tries to enforce the TLS 1.2 (rfc5246) requirement:
"If the client provided a "signature_algorithms" extension, then all
certificates provided by the server MUST be signed by a hash/signature
algorithm pair that appears in that extension."
and it seems is buggy when the server has a sha512 certificate. That
code was removed in the end as the reporter noticed [*], so I guess
re-applying that patch would fix the issue (I cannot check whether
there were followups in that fix or other related changes).
Alternatively you could disable TLS 1.2 in that version of gnutls.
regards,
Nikos
[*]. The reason was that the server has no say in which algorithm the
CA will sign its certificate with, so there was an implementer
consensus in the TLS WG to ignore this protocol requirement.
From noloader at gmail.com Sat Mar 22 04:04:13 2014
From: noloader at gmail.com (Jeffrey Walton)
Date: Fri, 21 Mar 2014 23:04:13 -0400
Subject: [gnutls-devel] More hostname matching goodness
Message-ID:
Hi Gentleman/Nikos,
Here's another that looks illegal per the RFCs and CA/B Baseline.
Create a server cert with a single SAN of "WWW.*.COM":
$ openssl x509 -in server-rsa-cert.pem -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 9008050290962543110 (0x7d0306034fad3206)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, O=Example, LLC, CN=Example CA
Validity
Not Before: Jan 1 00:00:00 2014 GMT
Not After : Jan 1 00:00:00 2024 GMT
Subject: O=Example, LLC, CN=Example Certificate
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:b0:3b:86:b8:17:4e:0f:b7:d5:ff:9b:4a:16:32:
...
aa:7a:2e:24:75:25:20:e6:5e:5c:c2:67:56:0f:14:
dd:0b
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Alternative Name:
DNS:www.*.com
X509v3 Basic Constraints:
CA:FALSE
X509v3 Key Usage:
Digital Signature, Key Encipherment, Key Agreement
X509v3 Subject Key Identifier:
B5:AF:38:82:0C:C4:32:6E:9F:F5:F1:97:83:49:26:8D:AB:CB:3C:88
X509v3 Authority Key Identifier:
keyid:B1:77:69:71:06:C6:25:90:28:B8:BA:49:70:A1:2F:3F:0F:32:C0:3C
...
Start the server:
$ openssl s_server -accept 8443 -www -certform PEM -cert
server-rsa-cert-2.pem -keyform PEM -key server-rsa-key-plain.pem -tls1
-cipher HIGH:-EDH:-DHE
Make a client request trusting the exemplary CA:
$ echo -e "GET / HTTP/1.0\r\n" | gnutls-cli --x509cafile
ca-rsa-cert.pem www.example.com --port 8443
Processed 1 CA certificate(s).
Resolving 'www.example.com'...
Connecting to '127.0.0.1:8443'...
- Certificate type: X.509
- Got a certificate list of 1 certificates.
- Certificate[0] info:
- subject `O=Example\, LLC,CN=Example Certificate', issuer
`C=USO=Example\, LLC,CN=Example CA', RSA key 2048 bits, signed using
RSA-SHA256, activated `2014-01-01 00:00:00 UTC', expires `2024-01-01
00:00:00 UTC', SHA-1 fingerprint
`bc1c3a33d91dfeb60b0d6083921041f7ffd7dbfa'
- The hostname in the certificate matches 'www.example.com'.
- Peer's certificate is trusted
- Version: TLS1.0
- Key Exchange: RSA
- Cipher: AES-128-CBC
- MAC: SHA1
- Compression: NULL
- Handshake was completed
- Simple Client Mode:
*****
I also found a server certificate with two SANs is most useful: one
"*.COM", and one "WWW.*.COM".
I've also got a really cool "one cert to rule them all". Its got the
top levels (*.COM, *.NET, etc) and the named host variants (WWW.*.COM,
WWW.*.NET, MAIL.*.COM, MAIL.*.NET, FTP.*.COM, FTP.*.NET).
Jeffrey Walton
Baltimore, MD, US
From nmav at gnutls.org Mon Mar 24 09:45:59 2014
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Mon, 24 Mar 2014 09:45:59 +0100
Subject: [gnutls-devel] More hostname matching goodness
In-Reply-To:
References:
Message-ID:
On Sat, Mar 22, 2014 at 4:04 AM, Jeffrey Walton wrote:
> Hi Gentleman/Nikos,
> Here's another that looks illegal per the RFCs and CA/B Baseline.
> Create a server cert with a single SAN of "WWW.*.COM":
Hello Jeffrey,
This is a legal wildcard based on an rfc2818 interpretation that our
wildcard parser was based on. I agree with you that wildcard support
shouldn't extend so much. I have already limited the scope of
wildcards to just a left-most '*' in gnutls 3.3.0 (to follow rfc6125),
with the intention to completely drop wildcard support at some point.
I'll also restrict the code of existing releases (3.2 and 3.1) to two
domain components after the wildcard rule, to reduce any compatibility
issues. Thank you for bringing these issues up.
regards,
Nikos
From nmav at gnutls.org Mon Mar 24 21:19:04 2014
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Mon, 24 Mar 2014 21:19:04 +0100
Subject: [gnutls-devel] More hostname matching goodness
In-Reply-To:
References:
Message-ID: <1395692344.4227.4.camel@nomad.lan>
On Mon, 2014-03-24 at 15:28 -0400, James Cloos wrote:
> NM> with the intention to completely drop wildcard support at some point.
> Wildcard support should remain indefinitely.
> It is superior to listing every match in the cert. Having to churn
> certs just because new hosts are added is riskier than using wildcards.
Hello,
I am not really sure about it. It does not make much sense to re-use
the same key and certificate in a large number of hosts. It pretty much
ensures that if any of the hosts is compromised, all of them will.
The main reason this was done is in order to reduce the costs to
CA-issued certificates, but I don't think that this is still the case.
> NM> I'll also restrict the code of existing releases (3.2 and 3.1) to two
> NM> domain components after the wildcard rule,
> Do you mean at least two right of the wildcard or that the wildcard will
> match at most two?
At least two components right of the wildcard.
regards,
Nikos
From cloos at jhcloos.com Mon Mar 24 20:28:03 2014
From: cloos at jhcloos.com (James Cloos)
Date: Mon, 24 Mar 2014 15:28:03 -0400
Subject: [gnutls-devel] More hostname matching goodness
In-Reply-To:
(Nikos Mavrogiannopoulos's message of "Mon, 24 Mar 2014 09:45:59
+0100")
References:
Message-ID:
>>>>> "NM" == Nikos Mavrogiannopoulos writes:
NM> with the intention to completely drop wildcard support at some point.
Wildcard support should remain indefinitely.
It is superior to listing every match in the cert. Having to churn
certs just because new hosts are added is riskier than using wildcards.
NM> I'll also restrict the code of existing releases (3.2 and 3.1) to two
NM> domain components after the wildcard rule,
Do you mean at least two right of the wildcard or that the wildcard will
match at most two?
-JimC
--
James Cloos OpenPGP: 1024D/ED7DAEA6
From noloader at gmail.com Mon Mar 24 21:36:45 2014
From: noloader at gmail.com (Jeffrey Walton)
Date: Mon, 24 Mar 2014 16:36:45 -0400
Subject: [gnutls-devel] More hostname matching goodness
In-Reply-To: <1395692344.4227.4.camel@nomad.lan>
References:
<1395692344.4227.4.camel@nomad.lan>
Message-ID:
On Mon, Mar 24, 2014 at 4:19 PM, Nikos Mavrogiannopoulos
wrote:
> On Mon, 2014-03-24 at 15:28 -0400, James Cloos wrote:
>
>> NM> with the intention to completely drop wildcard support at some point.
>> Wildcard support should remain indefinitely.
>> It is superior to listing every match in the cert. Having to churn
>> certs just because new hosts are added is riskier than using wildcards.
>
> I am not really sure about it. It does not make much sense to re-use
> the same key and certificate in a large number of hosts.
I can't speak for a lot of the use cases you probably encounter, but I
abandoned key rotation some time ago. Now I practice key continuity
and re-certify the same key from year to year (sans an event like a
key compromise). I do ue a different key for each service (www vs
mail, etc).
Key continuity appears to be a more desirable property. Key
re-certification helps a lot when security diversification techniques
are used, like public key pinning. Its also being practiced by folks
like Google. Google's certs expire every 30 days or so, while the same
public key is re-certifed.
Now we need a Public Key Patrol rather than a Cert Patrol. Cert Patrol
has become much too noisy because its looking for changes in the wrong
places.
> It pretty much
> ensures that if any of the hosts is compromised, all of them will.
I think they are the same problem in a shared hosting environment. If
a server get compromised, then it does not matter if the bad guy has
to egress 1 key or 1000 keys. The compromise occurred, and the keys
are leaving.
I also look at it like this: pre-SNI, there were super certs with
hundreds of domains under the same key. It does not matter if its one
key/cert/lots of domains or lots of keys/single certs/lots of domains.
Again, the private keys are leaving regardless of how they are bound
and presented.
If you are talking about a host with different services (www, mail,
openssh), then I don't see it being much different. Once the bad guy
gets in, the keys are probably going to leave with him or her.
Jeff
From nmav at gnutls.org Tue Mar 25 09:55:20 2014
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Tue, 25 Mar 2014 09:55:20 +0100
Subject: [gnutls-devel] More hostname matching goodness
In-Reply-To:
References:
<1395692344.4227.4.camel@nomad.lan>
Message-ID:
On Mon, Mar 24, 2014 at 9:36 PM, Jeffrey Walton wrote:
>>> NM> with the intention to completely drop wildcard support at some point.
>>> Wildcard support should remain indefinitely.
>>> It is superior to listing every match in the cert. Having to churn
>>> certs just because new hosts are added is riskier than using wildcards.
>> I am not really sure about it. It does not make much sense to re-use
>> the same key and certificate in a large number of hosts.
> I can't speak for a lot of the use cases you probably encounter, but I
> abandoned key rotation some time ago. Now I practice key continuity
> and re-certify the same key from year to year (sans an event like a
> key compromise). I do ue a different key for each service (www vs
> mail, etc).
> Key continuity appears to be a more desirable property. Key
> re-certification helps a lot when security diversification techniques
> are used, like public key pinning. Its also being practiced by folks
> like Google. Google's certs expire every 30 days or so, while the same
> public key is re-certifed.
Note that my comment is on re-using keys on a large number of hosts,
not on generating new keys on every certificate update. Key continuity
is a good thing and we try to take advantage of it by providing the
trust on first use API:
http://www.gnutls.org/manual/html_node/Verifying-a-certificate-using-trust-on-first-use-authentication.html
> Now we need a Public Key Patrol rather than a Cert Patrol. Cert Patrol
> has become much too noisy because its looking for changes in the wrong
> places.
I certainly agree.
>> It pretty much
>> ensures that if any of the hosts is compromised, all of them will.
> I think they are the same problem in a shared hosting environment. If
> a server get compromised, then it does not matter if the bad guy has
> to egress 1 key or 1000 keys. The compromise occurred, and the keys
> are leaving.
> I also look at it like this: pre-SNI, there were super certs with
> hundreds of domains under the same key. It does not matter if its one
> key/cert/lots of domains or lots of keys/single certs/lots of domains.
> Again, the private keys are leaving regardless of how they are bound
> and presented.
I find it is better to have individual certificates that share the
same private key, rather than allowing wildcard certificates (that
still share the same private key). In the latter case you have a
certificate for an unlimited amount of hosts, while in the former,
just for the set you're interested in.
In any case, the plan to completely remove wildcards is in the
long-run, it is not going to happen in the next release of gnutls.
Possibly the decision will be based on data of their actual usage.
regards,
Nikos
From dkg at fifthhorseman.net Wed Mar 26 23:25:47 2014
From: dkg at fifthhorseman.net (Daniel Kahn Gillmor)
Date: Wed, 26 Mar 2014 18:25:47 -0400
Subject: [gnutls-devel] [PATCH] update README to reflect gmplib licensing
change
Message-ID: <1395872747-9491-1-git-send-email-dkg@fifthhorseman.net>
As of version 6.0.0, gmplib moved its licensing from LGPLv3+ to a
dual-license LGPLv3+/GPLv2+ license.
This licensing change affects the licenses under which versions of
GnuTLS can be redistributed.
Update the README to reflect this change.
---
README | 12 +++++++-----
1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/README b/README
index be27c68..beff45e 100644
--- a/README
+++ b/README
@@ -104,11 +104,13 @@ LICENSING
Since GnuTLS version 3.1.10, the core library has been released under
the GNU Lesser General Public License (LGPL) version 2.1 or later.
-Note, however, that new versions of the gmplib library used by GnuTLS
-are distributed under LGPLv3, and as such binaries of this library
-need to be distributed under LGPLv3. If this is undesirable older
-versions of the gmplib which are under LGPLv2.1 (e.g., version 4.2.1)
-may be used instead.
+Note, however, that version 6.0.0 and later of the gmplib library used
+by GnuTLS are distributed under a LGPLv3+ or GPLv2+ dual license, and
+as such binaries of this library need to be distributed under the same
+LGPLv3+ or GPLv2+ dual license. If this is undesirable older versions
+of the gmplib which are under LGPLv2.1 (e.g., version 4.2.1) may be
+used instead. (gmplib versions between 4.2.2 through 5.1.3 were
+licensed under LGPLv3+ only).
The GNU LGPL applies to the main GnuTLS library, while the
included applications as well as gnutls-openssl
--
1.9.0
From nmav at gnutls.org Thu Mar 27 09:11:37 2014
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Thu, 27 Mar 2014 09:11:37 +0100
Subject: [gnutls-devel] [PATCH] update README to reflect gmplib
licensing change
In-Reply-To: <1395872747-9491-1-git-send-email-dkg@fifthhorseman.net>
References: <1395872747-9491-1-git-send-email-dkg@fifthhorseman.net>
Message-ID: <1395907897.7496.0.camel@nomad.lan>
On Wed, 2014-03-26 at 18:25 -0400, Daniel Kahn Gillmor wrote:
> As of version 6.0.0, gmplib moved its licensing from LGPLv3+ to a
> dual-license LGPLv3+/GPLv2+ license.
>
> This licensing change affects the licenses under which versions of
> GnuTLS can be redistributed.
Thank you. It is applied.
regards,
Nikos
From nmav at gnutls.org Thu Mar 27 17:54:46 2014
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Thu, 27 Mar 2014 17:54:46 +0100
Subject: [gnutls-devel] gnutls 3.3.0pre0
Message-ID: <1395939286.30082.0.camel@nomad.lan>
Hello,
I've just released gnutls 3.3.0pre0. This is a pre-release of the next
stable branch, which adds new features, optimizations and cleanups to
the GnuTLS library.
* Version 3.3.0 (pre-release 2014-03-27)
** libgnutls: The initialization of the library was moved to a
constructor. That is, gnutls_global_init() is no longer required
unless linking with a static library or a system that does not
support library constructors.
** libgnutls: static libraries are not built by default.
** libgnutls: PKCS #11 initialization is delayed to first usage.
That avoids long delays in gnutls initialization due to broken PKCS #11
modules.
** libgnutls: The PKCS #11 subsystem is re-initialized "automatically"
on the first PKCS #11 API call after a fork.
** libgnutls: certificate verification profiles were introduced
that can be specified as flags to verification functions. They
are enumerations in gnutls_certificate_verification_profiles_t
and can be converted to flags using GNUTLS_PROFILE_TO_VFLAGS()
** libgnutls: Added the SYSTEM priority string initial keyword.
That allows a compile-time specified configuration file to be
used to read the priorities. That can be used to impose system
specific policies.
** libgnutls: Increased the default security level of priority
strings (NORMAL and PFS strings require at minimum a 1008 DH prime),
and set a verification profile by default. The LEGACY keyword is
introduced to set the old defaults.
** libgnutls: Added support for the name constraints PKIX extension.
Currently only DNS names and e-mails are supported (no URIs, IPs
or DNs).
** libgnutls: Security parameter SEC_PARAM_NORMAL was renamed to
SEC_PARAM_MEDIUM to avoid confusion with the priority string NORMAL.
** libgnutls: Added new API in x509-ext.h to handle X.509 extensions.
This API handles the X.509 extensions in isolation, allowing to parse
similarly formatted extensions stored in other structures.
** libgnutls: When generating DSA keys the macro GNUTLS_SUBGROUP_TO_BITS
can be used to specify a particular subgroup as the number of bits in
gnutls_privkey_generate; e.g., GNUTLS_SUBGROUP_TO_BITS(2048, 256).
** libgnutls: DH parameter generation is now delegated to nettle.
That unfortunately has the side-effect that DH parameters longer than
3072 bits, cannot be generated (not without a nettle update).
** libgnutls: Separated nonce RNG from the main RNG. The nonce
random number generator is based on salsa20/12.
** libgnutls: The buffer alignment provided to crypto backend is
enforced to be 16-byte aligned, when compiled with cryptodev
support. That allows certain cryptodev drivers to operate more
efficiently.
** libgnutls: Depend on p11-kit 0.20.0 or later.
** libgnutls: The new padding (%NEW_PADDING) experimental TLS extension
has been removed. It was not approved by IETF.
** libgnutls: The experimental xssl library is removed from the gnutls
distribution.
** libgnutls: Reduced the number of gnulib modules used.
** certtool: Timestamps for serial numbers were increased to 8 bytes,
and in batch mode to 12 (appended with 4 random bytes).
** libgnutls: Added --enable-fips140-mode configuration option
(unsupported).
That option enables (when running on FIPS140-enabled system):
o RSA, DSA and DH key generation as in FIPS-186-4 (using provable
primes)
o The DRBG-CTR-AES256 deterministic random generator from SP800-90A.
o Self-tests on initialization on ciphers/MACs, public key algorithms
and the random generator.
o HMAC-SHA256 verification of the library on load.
o MD5 is included for TLS purposes but cannot be used by the high level
hashing functions.
o All ciphers except AES are disabled.
o All MACs and hashes except GCM and SHA are disabled (e.g., HMAC-MD5).
o All keys (temporal and long term) are zeroized after use.
o Security levels are adjusted to the FIPS140-2 recommendations (rather
than ECRYPT).
** API and ABI modifications:
gnutls_privkey_generate: Added
gnutls_pkcs11_crt_is_known: Added
gnutls_fips140_mode_enabled: Added
gnutls_sec_param_to_symmetric_bits: Added
gnutls_pubkey_export_ecc_x962: Added (replaces
gnutls_pubkey_get_pk_ecc_x962)
gnutls_pubkey_export_ecc_raw: Added (replaces
gnutls_pubkey_get_pk_ecc_raw)
gnutls_pubkey_export_dsa_raw: Added (replaces
gnutls_pubkey_get_pk_dsa_raw)
gnutls_pubkey_export_rsa_raw: Added (replaces
gnutls_pubkey_get_pk_rsa_raw)
gnutls_pubkey_verify_params: Added
gnutls_privkey_export_ecc_raw: Added
gnutls_privkey_export_dsa_raw: Added
gnutls_privkey_export_rsa_raw: Added
gnutls_privkey_import_ecc_raw: Added
gnutls_privkey_import_dsa_raw: Added
gnutls_privkey_import_rsa_raw: Added
gnutls_privkey_verify_params: Added
gnutls_x509_name_constraints_init: Added
gnutls_x509_name_constraints_deinit: Added
gnutls_x509_crt_get_name_constraints: Added
gnutls_x509_name_constraints_add_permitted: Added
gnutls_x509_name_constraints_add_excluded: Added
gnutls_x509_crt_set_name_constraints: Added
gnutls_x509_name_constraints_get_permitted: Added
gnutls_x509_name_constraints_get_excluded: Added
gnutls_x509_name_constraints_check: Added
gnutls_x509_name_constraints_check_crt: Added
gnutls_x509_crl_get_extension_data2: Added
gnutls_x509_crt_get_extension_data2: Added
gnutls_x509_crq_get_extension_data2: Added
gnutls_subject_alt_names_init: Added
gnutls_subject_alt_names_deinit: Added
gnutls_subject_alt_names_get: Added
gnutls_subject_alt_names_set: Added
gnutls_x509_ext_import_subject_alt_names: Added
gnutls_x509_ext_export_subject_alt_names: Added
gnutls_x509_crl_dist_points_init: Added
gnutls_x509_crl_dist_points_deinit: Added
gnutls_x509_crl_dist_points_get: Added
gnutls_x509_crl_dist_points_set: Added
gnutls_x509_ext_import_crl_dist_points: Added
gnutls_x509_ext_export_crl_dist_points: Added
gnutls_x509_ext_import_name_constraints: Added
gnutls_x509_ext_export_name_constraints: Added
gnutls_x509_aia_init: Added
gnutls_x509_aia_deinit: Added
gnutls_x509_aia_get: Added
gnutls_x509_aia_set: Added
gnutls_x509_ext_import_aia: Added
gnutls_x509_ext_export_aia: Added
gnutls_x509_ext_import_subject_key_id: Added
gnutls_x509_ext_export_subject_key_id: Added
gnutls_x509_ext_export_authority_key_id: Added
gnutls_x509_ext_import_authority_key_id: Added
gnutls_x509_aki_init: Added
gnutls_x509_aki_get_id: Added
gnutls_x509_aki_get_cert_issuer: Added
gnutls_x509_aki_set_id: Added
gnutls_x509_aki_set_cert_issuer: Added
gnutls_x509_aki_deinit: Added
gnutls_x509_ext_import_private_key_usage_period: Added
gnutls_x509_ext_export_private_key_usage_period: Added
gnutls_x509_ext_import_basic_constraints: Added
gnutls_x509_ext_export_basic_constraints: Added
gnutls_x509_ext_import_key_usage: Added
gnutls_x509_ext_export_key_usage: Added
gnutls_x509_ext_import_proxy: Added
gnutls_x509_ext_export_proxy: Added
gnutls_x509_policies_init: Added
gnutls_x509_policies_deinit: Added
gnutls_x509_policies_get: Added
gnutls_x509_policies_set: Added
gnutls_x509_ext_import_policies: Added
gnutls_x509_ext_export_policies: Added
gnutls_x509_key_purpose_init: Added
gnutls_x509_key_purpose_deinit: Added
gnutls_x509_key_purpose_set: Added
gnutls_x509_key_purpose_get: Added
gnutls_x509_ext_import_key_purposes: Added
gnutls_x509_ext_export_key_purposes: Added
gnutls_digest_self_test: Added (conditionally)
gnutls_mac_self_test: Added (conditionally)
gnutls_pk_self_test: Added (conditionally)
gnutls_cipher_self_test: Added (conditionally)
gnutls_global_set_mem_functions: Deprecated
Getting the Software
====================
GnuTLS may be downloaded directly from
. A list of GnuTLS mirrors can be
found at .
Here are the XZ and LZIP compressed sources:
ftp://ftp.gnutls.org/gcrypt/gnutls/v3.3/gnutls-3.3.0pre0.tar.xz
ftp://ftp.gnutls.org/gcrypt/gnutls/v3.3/gnutls-3.3.0pre0.tar.lz
Here are OpenPGP detached signatures signed using key 0x96865171:
ftp://ftp.gnutls.org/gcrypt/gnutls/v3.3/gnutls-3.3.0pre0.tar.xz.sig
ftp://ftp.gnutls.org/gcrypt/gnutls/v3.3/gnutls-3.3.0pre0.tar.lz.sig
Note that it has been signed with my openpgp key:
pub 3104R/96865171 2008-05-04 [expires: 2028-04-29]
uid Nikos Mavrogiannopoulos gnutls.org>
uid Nikos Mavrogiannopoulos
gmail.com>
sub 2048R/9013B842 2008-05-04 [expires: 2018-05-02]
sub 2048R/1404A91D 2008-05-04 [expires: 2018-05-02]
regards,
Nikos
From ametzler at bebt.de Sun Mar 30 19:37:53 2014
From: ametzler at bebt.de (Andreas Metzler)
Date: Sun, 30 Mar 2014 19:37:53 +0200
Subject: [gnutls-devel] 3.3.0pre0 - [sparc] Bus error on chainverify test
Message-ID: <20140330173753.GB3217@downhill.g.la>
Hello,
3.3.0pre0's testsuite produces an error on sparc:
-------------
(sid_sparc-dchroot)ametzler at smetana:~/GNUTLS/gnutls28-3.3.0~pre0$ ./tests/chainverify
Bus error
(sid_sparc-dchroot)ametzler at smetana:~/GNUTLS/gnutls28-3.3.0~pre0$
-------------
(gdb) run
Starting program: /home/ametzler/GNUTLS/gnutls28-3.3.0~pre0/./tests/chainverify
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/sparc-linux-gnu/libthread_db.so.1".
Program received signal SIGBUS, Bus error.
asn1_delete_structure2 (structure=0x1bf10, flags=0) at structure.c:315
315 if (p->down)
(gdb) bt
#0 asn1_delete_structure2 (structure=0x1bf10, flags=0) at structure.c:315
#1 0xf7f3f18c in gnutls_x509_crt_import (cert=0x1bf10, data=0xffffd668,
format=GNUTLS_X509_FMT_PEM) at x509.c:207
#2 0x00010f40 in doit () at chainverify.c:1279
#3 0x00010b30 in main (argc=0, argv=0xffffd7c4) at utils.c:146
(gdb)
-------------
I have built against included minitasn for improved debugging output.
cu Andreas
--
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
From nmav at gnutls.org Mon Mar 31 10:16:06 2014
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Mon, 31 Mar 2014 10:16:06 +0200
Subject: [gnutls-devel] 3.3.0pre0 - [sparc] Bus error on chainverify test
In-Reply-To: <20140330173753.GB3217@downhill.g.la>
References: <20140330173753.GB3217@downhill.g.la>
Message-ID:
On Sun, Mar 30, 2014 at 7:37 PM, Andreas Metzler wrote:
> Hello,
> 3.3.0pre0's testsuite produces an error on sparc:
> -------------
> (sid_sparc-dchroot)ametzler at smetana:~/GNUTLS/gnutls28-3.3.0~pre0$ ./tests/chainverify
> Bus error
> (sid_sparc-dchroot)ametzler at smetana:~/GNUTLS/gnutls28-3.3.0~pre0$
> -------------
> (gdb) run
> Starting program: /home/ametzler/GNUTLS/gnutls28-3.3.0~pre0/./tests/chainverify
> [Thread debugging using libthread_db enabled]
> Using host libthread_db library "/lib/sparc-linux-gnu/libthread_db.so.1".
> Program received signal SIGBUS, Bus error.
> asn1_delete_structure2 (structure=0x1bf10, flags=0) at structure.c:315
> 315 if (p->down)
> (gdb) bt
> #0 asn1_delete_structure2 (structure=0x1bf10, flags=0) at structure.c:315
> #1 0xf7f3f18c in gnutls_x509_crt_import (cert=0x1bf10, data=0xffffd668,
> format=GNUTLS_X509_FMT_PEM) at x509.c:207
> #2 0x00010f40 in doit () at chainverify.c:1279
Thank you. That's a pretty weird issue as I can't see what could have caused an
alignment problem at this code, and this code shouldn't have been called at all.
I'll try to check it soon.
regards,
Nikos