From nmav at gnutls.org Tue May 6 21:37:01 2014
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Tue, 06 May 2014 21:37:01 +0200
Subject: [gnutls-devel] gnutls 3.1.24
Message-ID: <1399405021.14966.1.camel@nomad.lan>
Hello,
I've just released gnutls 3.1.24. This is a bug fix release on the old
stable branch.
* Version 3.1.24 (released 2014-05-06)
** libgnutls: Fixed issue with the check of incoming data when two
different recv and send pointers have been specified. Reported and
investigated by JMRecio.
** libgnutls: Several small bug fixes identified using valgrind and
the Codenomicon TLS test suite.
** libgnutls: Several small bug fixes found by coverity.
** libgnutls-dane: Accept a certificate using DANE if there is at least one
entry that matches the certificate. Patch by simon [at] arlott.org.
** certtool: The ECDSA keys generated by default use the SECP256R1 curve
which is supported more widely than the previously used SECP224R1.
** API and ABI modifications:
No changes since last version.
Getting the Software
====================
GnuTLS may be downloaded directly from
. A list of GnuTLS mirrors can be
found at .
Here are the XZ and LZIP compressed sources:
ftp://ftp.gnutls.org/gcrypt/gnutls/v3.1/gnutls-3.1.24.tar.xz
ftp://ftp.gnutls.org/gcrypt/gnutls/v3.1/gnutls-3.1.24.tar.lz
Here are OpenPGP detached signatures signed using key 0x96865171:
ftp://ftp.gnutls.org/gcrypt/gnutls/v3.1/gnutls-3.1.24.tar.xz.sig
ftp://ftp.gnutls.org/gcrypt/gnutls/v3.1/gnutls-3.1.24.tar.lz.sig
Note that it has been signed with my openpgp key:
pub 3104R/96865171 2008-05-04 [expires: 2028-04-29]
uid Nikos Mavrogiannopoulos gnutls.org>
uid Nikos Mavrogiannopoulos
gmail.com>
sub 2048R/9013B842 2008-05-04 [expires: 2018-05-02]
sub 2048R/1404A91D 2008-05-04 [expires: 2018-05-02]
regards,
Nikos
From nmav at gnutls.org Tue May 6 21:38:47 2014
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Tue, 06 May 2014 21:38:47 +0200
Subject: [gnutls-devel] gnutls 3.2.14
Message-ID: <1399405127.14966.3.camel@nomad.lan>
Hello,
I've just released gnutls 3.2.14. This is a bugfix release on the
current stable branch.
* Version 3.2.14 (released 2014-05-06)
** libgnutls: Fixed issue with the check of incoming data when two
different recv and send pointers have been specified. Reported and
investigated by JMRecio.
** libgnutls: Fixed issue in the RSA-PSK key exchange, which would
result to illegal memory access if a server hint was provided.
** libgnutls: Fixed client memory leak in the PSK key exchange, if a
server hint was provided.
** libgnutls: Several small bug fixes identified using valgrind and
the Codenomicon TLS test suite.
** libgnutls: Several small bug fixes found by coverity.
** libgnutls-dane: Accept a certificate using DANE if there is at least one
entry that matches the certificate. Patch by simon [at] arlott.org.
** configure: Added --with-nettle-mini option, which allows linking
with a libnettle that contains gmp.
** certtool: The ECDSA keys generated by default use the SECP256R1 curve
which is supported more widely than the previously used SECP224R1.
** API and ABI modifications:
No changes since last version.
Getting the Software
====================
GnuTLS may be downloaded directly from
. A list of GnuTLS mirrors can be
found at .
Here are the XZ and LZIP compressed sources:
ftp://ftp.gnutls.org/gcrypt/gnutls/v3.2/gnutls-3.2.14.tar.xz
ftp://ftp.gnutls.org/gcrypt/gnutls/v3.2/gnutls-3.2.14.tar.lz
Here are OpenPGP detached signatures signed using key 0x96865171:
ftp://ftp.gnutls.org/gcrypt/gnutls/v3.2/gnutls-3.2.14.tar.xz.sig
ftp://ftp.gnutls.org/gcrypt/gnutls/v3.2/gnutls-3.2.14.tar.lz.sig
Note that it has been signed with my openpgp key:
pub 3104R/96865171 2008-05-04 [expires: 2028-04-29]
uid Nikos Mavrogiannopoulos gnutls.org>
uid Nikos Mavrogiannopoulos
gmail.com>
sub 2048R/9013B842 2008-05-04 [expires: 2018-05-02]
sub 2048R/1404A91D 2008-05-04 [expires: 2018-05-02]
regards,
Nikos
From nmav at gnutls.org Tue May 6 21:41:07 2014
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Tue, 06 May 2014 21:41:07 +0200
Subject: [gnutls-devel] gnutls 3.3.2
Message-ID: <1399405267.14966.4.camel@nomad.lan>
Hello,
I've just released gnutls 3.3.2. This is a bugfix release on the next stable branch.
* Version 3.3.2 (released 2014-05-06)
** libgnutls: Added the 'very weak' certificate verification profile
that corresponds to 64-bit security level.
** libgnutls: Corrected file descriptor leak on random generator
initialization.
** libgnutls: Corrected file descriptor leak on PSK password file
reading. Issue identified using the Codenomicon TLS test suite.
** libgnutls: Avoid deinitialization if initialization has failed.
** libgnutls: null-terminate othername alternative names.
** libgnutls: gnutls_x509_trust_list_get_issuer() will operate correctly
on a PKCS #11 trust list.
** libgnutls: Several small bug fixes identified using valgrind and
the Codenomicon TLS test suite.
** libgnutls-dane: Accept a certificate using DANE if there is at least one
entry that matches the certificate. Patch by simon [at] arlott.org.
** libgnutls-guile: Fixed compilation issue.
** certtool: Allow exporting a CRL on DER format.
** certtool: The ECDSA keys generated by default use the SECP256R1 curve
which is supported more widely than the previously used SECP224R1.
** API and ABI modifications:
GNUTLS_PROFILE_VERY_WEAK: Added
Getting the Software
====================
GnuTLS may be downloaded directly from
. A list of GnuTLS mirrors can be
found at .
Here are the XZ and LZIP compressed sources:
ftp://ftp.gnutls.org/gcrypt/gnutls/v3.3/gnutls-3.3.2.tar.xz
ftp://ftp.gnutls.org/gcrypt/gnutls/v3.3/gnutls-3.3.2.tar.lz
Here are OpenPGP detached signatures signed using key 0x96865171:
ftp://ftp.gnutls.org/gcrypt/gnutls/v3.3/gnutls-3.3.2.tar.xz.sig
ftp://ftp.gnutls.org/gcrypt/gnutls/v3.3/gnutls-3.3.2.tar.lz.sig
Note that it has been signed with my openpgp key:
pub 3104R/96865171 2008-05-04 [expires: 2028-04-29]
uid Nikos Mavrogiannopoulos gnutls.org>
uid Nikos Mavrogiannopoulos
gmail.com>
sub 2048R/9013B842 2008-05-04 [expires: 2018-05-02]
sub 2048R/1404A91D 2008-05-04 [expires: 2018-05-02]
regards,
Nikos
From nmav at gnutls.org Wed May 7 14:16:27 2014
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Wed, 7 May 2014 14:16:27 +0200
Subject: [gnutls-devel] gnutls 3.3.2
In-Reply-To: <1399405267.14966.4.camel@nomad.lan>
References: <1399405267.14966.4.camel@nomad.lan>
Message-ID:
On Tue, May 6, 2014 at 9:41 PM, Nikos Mavrogiannopoulos wrote:
> ** libgnutls: Corrected file descriptor leak on PSK password file
> reading. Issue identified using the Codenomicon TLS test suite.
> ** libgnutls: Several small bug fixes identified using valgrind and
> the Codenomicon TLS test suite.
I should have mentioned that Codenomicon offered its TLS test suite to
check GnuTLS. It is fuzz testing suite, which allows to test the not
so often executed error code paths.
regards,
Nikos
From ametzler at bebt.de Sat May 24 08:58:07 2014
From: ametzler at bebt.de (Andreas Metzler)
Date: Sat, 24 May 2014 08:58:07 +0200
Subject: [gnutls-devel] Symbol versioning in gnutls broken -> crashes
Message-ID: <20140524065807.GA2250@downhill.g.la>
Hello,
GnuTLS symbol versioning apparently does not fullfill its main
purpose, to allow a binary to link against gnutls 2.x and gnutls 3.x
without crashing.
This is a pretty common screnario for distributions in a transition
period, where you go from:
scenario1
application --depends_on--> libgnutls.so.26
`-depends_on--> libbar.so.5 --dep_on--> libgnutls.so.26
to
scenario2
application --depends_on--> libgnutls.so.26
`-depends_on--> libbar.so.5 --dep_on--> libgnutls.so.28
at some point of time, since you cannot switch the whole distro at one
point. Especially for the GnuTLS transition, since this is not just a
straight rebuild but involves checking the source's gcrypt related
code.
Usually symbol-versioning would cause any references to gnutls to be
resolved to GnuTLS 2.x in both of the abovementioned cases, libbar's
to GnuTLS 2.x or 3.x respectively. However e.g. gnutls_init() is
versioned as @1.4 in both gnutls versions, therefore in scenario2
application could also get gnutls_init() from GnuTLS 3.x.
Another function where it is obvious this breaks is
gnutls_priority_set_direct(), where 3.x accepts more priority strings.
------
Anyway, this causes hard crashes like in
or
.
Fixing this in gnutls' source is pretty easy: In gnutls.map move the
contents of GNUTLS_1_4, GNUTLS_2_8, GNUTLS_2_10 and GNUTLS_2_12 to
GNUTLS_3_0_0. However it breaks the ABI, everything linking against
gnutls3 will need to be rebuilt after the change. Afaiu a soname bump
would therefore be the correct thing.
cu Andreas
See also:
--
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
From nmav at gnutls.org Sat May 24 09:36:27 2014
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Sat, 24 May 2014 09:36:27 +0200
Subject: [gnutls-devel] Symbol versioning in gnutls broken -> crashes
In-Reply-To: <20140524065807.GA2250@downhill.g.la>
References: <20140524065807.GA2250@downhill.g.la>
Message-ID: <1400916987.19659.9.camel@nomad.lan>
On Sat, 2014-05-24 at 08:58 +0200, Andreas Metzler wrote:
> Hello,
>
> GnuTLS symbol versioning apparently does not fullfill its main
> purpose, to allow a binary to link against gnutls 2.x and gnutls 3.x
> without crashing.
> This is a pretty common screnario for distributions in a transition
> period, where you go from:
> scenario1
> application --depends_on--> libgnutls.so.26
> `-depends_on--> libbar.so.5 --dep_on--> libgnutls.so.26
> to
> scenario2
> application --depends_on--> libgnutls.so.26
> `-depends_on--> libbar.so.5 --dep_on--> libgnutls.so.28
> at some point of time, since you cannot switch the whole distro at one
> point. Especially for the GnuTLS transition, since this is not just a
> straight rebuild but involves checking the source's gcrypt related
> code.
> Usually symbol-versioning would cause any references to gnutls to be
> resolved to GnuTLS 2.x in both of the abovementioned cases, libbar's
> to GnuTLS 2.x or 3.x respectively. However e.g. gnutls_init() is
> versioned as @1.4 in both gnutls versions, therefore in scenario2
> application could also get gnutls_init() from GnuTLS 3.x.
[...]
> Fixing this in gnutls' source is pretty easy: In gnutls.map move the
> contents of GNUTLS_1_4, GNUTLS_2_8, GNUTLS_2_10 and GNUTLS_2_12 to
> GNUTLS_3_0_0. However it breaks the ABI, everything linking against
> gnutls3 will need to be rebuilt after the change.
I think symbol versioning is pretty good for libc and stateless
functions but cannot do much when there are internal structures involved
like in gnutls.
I believe nevertheless that the way gnutls uses symbol versioning is the
recommended way for all libraries. As I understand from your suggestion
here, is to change symbol versioning on every major version bump? I
could consider that for the next soname bump (not soon) but
unfortunately the ABI cannot be broken now as there have been quite many
releases in the 3.x series. Is there a reason to keep the old gnutls
version? The API's are compatible and old programs need only to be
recompiled with the new library.
regards,
Nikos
From ametzler at bebt.de Sat May 24 15:09:16 2014
From: ametzler at bebt.de (Andreas Metzler)
Date: Sat, 24 May 2014 15:09:16 +0200
Subject: [gnutls-devel] Symbol versioning in gnutls broken -> crashes
In-Reply-To: <1400916987.19659.9.camel@nomad.lan>
References: <20140524065807.GA2250@downhill.g.la>
<1400916987.19659.9.camel@nomad.lan>
Message-ID: <20140524130916.GB1487@downhill.g.la>
On 2014-05-24 Nikos Mavrogiannopoulos wrote:
> On Sat, 2014-05-24 at 08:58 +0200, Andreas Metzler wrote:
[...]
> I think symbol versioning is pretty good for libc and stateless
> functions but cannot do much when there are internal structures involved
> like in gnutls.
> I believe nevertheless that the way gnutls uses symbol versioning is the
> recommended way for all libraries.
Hello,
I do not think so. There are two distinct uses for symbol versioning:
#1 the glibc way: They use symbol versioning/mangling as a special
tool to _avoid_ a soname bump when they change/extend the API/ABI
while. If foo() in 2.1.16 behaves different than foo() in earlier
versions than glibc provides both versions of foo(), binaries built
against the old version can keep using foo at GLIBC_2.1 while a
freshly built binary will end up using foo at GLIBC_2.1.16. This
requires more than just shipping and using a .map file.
#2 Pretty much everything else. They occassionally break the ABI and
need to bump the soname. Then one versions the symbols corresponding
to the soname. This guarantees that a program which (indirectly)
links against two versions of the library gets the correct function
from the correct library.
> As I understand from your suggestion
> here, is to change symbol versioning on every major version bump?
Yes.
> I could consider that for the next soname bump (not soon) but
> unfortunately the ABI cannot be broken now as there have been quite
> many releases in the 3.x series. Is there a reason to keep the old
> gnutls version? The API's are compatible and old programs need only
> to be recompiled with the new library.
Well, it is not just a straight recompile. Some stuff does not build,
and also there is loads of unnecessary gcrypt linkage to get rid of.
And Debian especially needs to care about partial upgrades. Also the
transition is huge: There are 214 binary packages involved which just
will not all be ready for transition at one time.
I can understand if you will not bump the soname now, however I am
pretty sure we will be forced to do so in Debian.
cu Andreas
--
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
From kroosec at gmail.com Tue May 27 01:17:16 2014
From: kroosec at gmail.com (Hani Benhabiles)
Date: Tue, 27 May 2014 00:17:16 +0100
Subject: [gnutls-devel] [PATCH] Fix unused variable warning without PKCS#11
support.
Message-ID: <1401146236-13235-1-git-send-email-kroosec@gmail.com>
Signed-off-by: Hani Benhabiles
---
lib/x509/verify-high.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/x509/verify-high.c b/lib/x509/verify-high.c
index 9bae145..dd2e2b4 100644
--- a/lib/x509/verify-high.c
+++ b/lib/x509/verify-high.c
@@ -677,9 +677,9 @@ int gnutls_x509_trust_list_get_issuer(gnutls_x509_trust_list_t list,
gnutls_x509_crt_t * issuer,
unsigned int flags)
{
+#ifdef ENABLE_PKCS11
int ret;
-#ifdef ENABLE_PKCS11
if (list->pkcs11_token) {
gnutls_datum_t der = {NULL, 0};
/* use the token for verification */
--
1.8.3.2
From nmav at gnutls.org Tue May 27 09:34:56 2014
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Tue, 27 May 2014 09:34:56 +0200
Subject: [gnutls-devel] [PATCH] Fix unused variable warning without
PKCS#11 support.
In-Reply-To: <1401146236-13235-1-git-send-email-kroosec@gmail.com>
References: <1401146236-13235-1-git-send-email-kroosec@gmail.com>
Message-ID:
Applied, thank you.
On Tue, May 27, 2014 at 1:17 AM, Hani Benhabiles wrote:
> Signed-off-by: Hani Benhabiles
> ---
> lib/x509/verify-high.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/lib/x509/verify-high.c b/lib/x509/verify-high.c
> index 9bae145..dd2e2b4 100644
> --- a/lib/x509/verify-high.c
> +++ b/lib/x509/verify-high.c
> @@ -677,9 +677,9 @@ int
> gnutls_x509_trust_list_get_issuer(gnutls_x509_trust_list_t list,
> gnutls_x509_crt_t * issuer,
> unsigned int flags)
> {
> +#ifdef ENABLE_PKCS11
> int ret;
>
> -#ifdef ENABLE_PKCS11
> if (list->pkcs11_token) {
> gnutls_datum_t der = {NULL, 0};
> /* use the token for verification */
> --
> 1.8.3.2
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
From kurt at roeckx.be Thu May 29 10:25:01 2014
From: kurt at roeckx.be (Kurt Roeckx)
Date: Thu, 29 May 2014 10:25:01 +0200
Subject: [gnutls-devel] [PATCH] Fix capitalisation of ia5String
Message-ID: <1401351901-29135-1-git-send-email-kurt@roeckx.be>
---
lib/x509/x509_ext.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/x509/x509_ext.c b/lib/x509/x509_ext.c
index ea6a496..6d7421e 100644
--- a/lib/x509/x509_ext.c
+++ b/lib/x509/x509_ext.c
@@ -1593,7 +1593,7 @@ static int decode_user_notice(const void *data, size_t size,
}
if (strcmp(choice_type, "utf8String") != 0
- && strcmp(choice_type, "IA5String") != 0
+ && strcmp(choice_type, "ia5String") != 0
&& strcmp(choice_type, "bmpString") != 0
&& strcmp(choice_type, "visibleString") != 0) {
gnutls_assert();
--
2.0.0.rc2
From kurt at roeckx.be Thu May 29 17:13:56 2014
From: kurt at roeckx.be (Kurt Roeckx)
Date: Thu, 29 May 2014 17:13:56 +0200
Subject: [gnutls-devel] [PATCH] Fix capitalisation of ia5String
In-Reply-To:
References: <1401351901-29135-1-git-send-email-kurt@roeckx.be>
Message-ID: <20140529151356.GA11888@roeckx.be>
On Thu, May 29, 2014 at 05:07:36PM +0200, Nikos Mavrogiannopoulos wrote:
> On Thu, May 29, 2014 at 10:25 AM, Kurt Roeckx wrote:
>
> > ---
> > lib/x509/x509_ext.c | 2 +-
> > 1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/lib/x509/x509_ext.c b/lib/x509/x509_ext.c
> > index ea6a496..6d7421e 100644
> > --- a/lib/x509/x509_ext.c
> > +++ b/lib/x509/x509_ext.c
> > @@ -1593,7 +1593,7 @@ static int decode_user_notice(const void *data,
> > size_t size,
> > }
> > if (strcmp(choice_type, "utf8String") != 0
> > - && strcmp(choice_type, "IA5String") != 0
> > + && strcmp(choice_type, "ia5String") != 0
> > && strcmp(choice_type, "bmpString") != 0
> > && strcmp(choice_type, "visibleString") != 0) {
> > gnutls_assert();
> >
>
> Thank you, applied.
>
> Do you happen to have a certificate that triggers the error, so that I can
> add it in the test suite?
I actually have a few thousand of those, but I'm not sure it's a
good idea to take a random one from that to put it in the test
suite.
Kurt
From nmav at gnutls.org Thu May 29 17:07:36 2014
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Thu, 29 May 2014 17:07:36 +0200
Subject: [gnutls-devel] [PATCH] Fix capitalisation of ia5String
In-Reply-To: <1401351901-29135-1-git-send-email-kurt@roeckx.be>
References: <1401351901-29135-1-git-send-email-kurt@roeckx.be>
Message-ID:
On Thu, May 29, 2014 at 10:25 AM, Kurt Roeckx wrote:
> ---
> lib/x509/x509_ext.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/lib/x509/x509_ext.c b/lib/x509/x509_ext.c
> index ea6a496..6d7421e 100644
> --- a/lib/x509/x509_ext.c
> +++ b/lib/x509/x509_ext.c
> @@ -1593,7 +1593,7 @@ static int decode_user_notice(const void *data,
> size_t size,
> }
> if (strcmp(choice_type, "utf8String") != 0
> - && strcmp(choice_type, "IA5String") != 0
> + && strcmp(choice_type, "ia5String") != 0
> && strcmp(choice_type, "bmpString") != 0
> && strcmp(choice_type, "visibleString") != 0) {
> gnutls_assert();
>
Thank you, applied.
Do you happen to have a certificate that triggers the error, so that I can
add it in the test suite?
regards,
Nikos
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
From nmav at gnutls.org Fri May 30 07:25:49 2014
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Fri, 30 May 2014 07:25:49 +0200
Subject: [gnutls-devel] gnutls 3.1.25
Message-ID: <1401427549.2644.2.camel@nomad.lan>
Hello,
I've just released gnutls 3.1.25. This is a bug fix release on the old
stable branch, which addresses the http://www.gnutls.org/security.html#GNUTLS-SA-2014-3
security advisory.
* Version 3.1.25 (released 2014-05-30)
** libgnutls: Eliminated memory corruption issue in Server Hello parsing.
Issue reported by Joonas Kuorilehto of Codenomicon.
** libgnutls: Increased the maximum certificate size buffer
in the PKCS #11 subsystem.
** libgnutls: Check the return code of getpwuid_r() instead of relying
on the result value. That avoids issue in certain systems, when using
tofu authentication and the home path cannot be determined. Issue reported
by Viktor Dukhovni.
** ocsptool: Include path in ocsp request. This resolves #108582
(https://savannah.gnu.org/support/?108582), reported by Matt McCutchen.
** API and ABI modifications:
No changes since last version.
Getting the Software
====================
GnuTLS may be downloaded directly from
. A list of GnuTLS mirrors can be
found at .
Here are the XZ and LZIP compressed sources:
ftp://ftp.gnutls.org/gcrypt/gnutls/v3.1/gnutls-3.1.25.tar.xz
ftp://ftp.gnutls.org/gcrypt/gnutls/v3.1/gnutls-3.1.25.tar.lz
Here are OpenPGP detached signatures signed using key 0x96865171:
ftp://ftp.gnutls.org/gcrypt/gnutls/v3.1/gnutls-3.1.25.tar.xz.sig
ftp://ftp.gnutls.org/gcrypt/gnutls/v3.1/gnutls-3.1.25.tar.lz.sig
Note that it has been signed with my openpgp key:
pub 3104R/96865171 2008-05-04 [expires: 2028-04-29]
uid Nikos Mavrogiannopoulos gnutls.org>
uid Nikos Mavrogiannopoulos
gmail.com>
sub 2048R/9013B842 2008-05-04 [expires: 2018-05-02]
sub 2048R/1404A91D 2008-05-04 [expires: 2018-05-02]
regards,
Nikos
From nmav at gnutls.org Fri May 30 07:27:12 2014
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Fri, 30 May 2014 07:27:12 +0200
Subject: [gnutls-devel] gnutls 3.2.15
Message-ID: <1401427632.2644.4.camel@nomad.lan>
Hello,
I've just released gnutls 3.2.15. This is a bugfix release on the
current stable branch, which addresses the http://www.gnutls.org/security.html#GNUTLS-SA-2014-3
security advisory.
* Version 3.2.15 (released 2014-05-30)
** libgnutls: Eliminated memory corruption issue in Server Hello parsing.
Issue reported by Joonas Kuorilehto of Codenomicon.
** libgnutls: Several memory leaks caused by error conditions were
fixed. The leaks were identified using valgrind and the Codenomicon
TLS test suite.
** libgnutls: Increased the maximum certificate size buffer
in the PKCS #11 subsystem.
** libgnutls: Check the return code of getpwuid_r() instead of relying
on the result value. That avoids issue in certain systems, when using
tofu authentication and the home path cannot be determined. Issue reported
by Viktor Dukhovni.
** gnutls-cli: if dane is requested but not PKIX verification, then
only do verify the end certificate.
** ocsptool: Include path in ocsp request. This resolves #108582
(https://savannah.gnu.org/support/?108582), reported by Matt McCutchen.
** API and ABI modifications:
No changes since last version.
Getting the Software
====================
GnuTLS may be downloaded directly from
. A list of GnuTLS mirrors can be
found at .
Here are the XZ and LZIP compressed sources:
ftp://ftp.gnutls.org/gcrypt/gnutls/v3.2/gnutls-3.2.15.tar.xz
ftp://ftp.gnutls.org/gcrypt/gnutls/v3.2/gnutls-3.2.15.tar.lz
Here are OpenPGP detached signatures signed using key 0x96865171:
ftp://ftp.gnutls.org/gcrypt/gnutls/v3.2/gnutls-3.2.15.tar.xz.sig
ftp://ftp.gnutls.org/gcrypt/gnutls/v3.2/gnutls-3.2.15.tar.lz.sig
Note that it has been signed with my openpgp key:
pub 3104R/96865171 2008-05-04 [expires: 2028-04-29]
uid Nikos Mavrogiannopoulos gnutls.org>
uid Nikos Mavrogiannopoulos
gmail.com>
sub 2048R/9013B842 2008-05-04 [expires: 2018-05-02]
sub 2048R/1404A91D 2008-05-04 [expires: 2018-05-02]
regards,
Nikos
From nmav at gnutls.org Fri May 30 07:28:26 2014
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Fri, 30 May 2014 07:28:26 +0200
Subject: [gnutls-devel] gnutls 3.3.3
Message-ID: <1401427706.2644.5.camel@nomad.lan>
Hello,
I've just released gnutls 3.3.3. This is a bugfix release on
the next stable branch, which addresses the http://www.gnutls.org/security.html#GNUTLS-SA-2014-3
security advisory.
* Version 3.3.3 (released 2014-05-30)
** libgnutls: Eliminated memory corruption issue in Server Hello parsing.
Issue reported by Joonas Kuorilehto of Codenomicon.
** libgnutls: gnutls_global_set_mutex() was modified to operate with the
new initialization process.
** libgnutls: Increased the maximum certificate size buffer
in the PKCS #11 subsystem.
** libgnutls: Check the return code of getpwuid_r() instead of relying
on the result value. That avoids issue in certain systems, when using
tofu authentication and the home path cannot be determined. Issue reported
by Viktor Dukhovni.
** libgnutls-dane: Improved dane_verify_session_crt(), which now attempts to
create a full chain. This addresses points from https://savannah.gnu.org/support/index.php?108552
** gnutls-cli: --dane will only check the end certificate if PKIX validation
has been disabled.
** gnutls-cli: --benchmark-soft-ciphers has been removed. That option cannot
be emulated with the implicit initialization of gnutls.
** certtool: Allow multiple organizations and organizational unit names to
be specified in a template.
** certtool: Warn when invalid configuration options are set to a template.
** ocsptool: Include path in ocsp request. This resolves #108582
(https://savannah.gnu.org/support/?108582), reported by Matt McCutchen.
** API and ABI modifications:
gnutls_credentials_get: Added
Getting the Software
====================
GnuTLS may be downloaded directly from
. A list of GnuTLS mirrors can be
found at .
Here are the XZ and LZIP compressed sources:
ftp://ftp.gnutls.org/gcrypt/gnutls/v3.3/gnutls-3.3.3.tar.xz
ftp://ftp.gnutls.org/gcrypt/gnutls/v3.3/gnutls-3.3.3.tar.lz
Here are OpenPGP detached signatures signed using key 0x96865171:
ftp://ftp.gnutls.org/gcrypt/gnutls/v3.3/gnutls-3.3.3.tar.xz.sig
ftp://ftp.gnutls.org/gcrypt/gnutls/v3.3/gnutls-3.3.3.tar.lz.sig
Note that it has been signed with my openpgp key:
pub 3104R/96865171 2008-05-04 [expires: 2028-04-29]
uid Nikos Mavrogiannopoulos gnutls.org>
uid Nikos Mavrogiannopoulos
gmail.com>
sub 2048R/9013B842 2008-05-04 [expires: 2018-05-02]
sub 2048R/1404A91D 2008-05-04 [expires: 2018-05-02]
regards,
Nikos
From ametzler at bebt.de Fri May 30 18:56:41 2014
From: ametzler at bebt.de (Andreas Metzler)
Date: Fri, 30 May 2014 18:56:41 +0200
Subject: [gnutls-devel] gnutls 3.3.3
In-Reply-To: <1401427706.2644.5.camel@nomad.lan>
References: <1401427706.2644.5.camel@nomad.lan>
Message-ID: <20140530165641.GC1539@downhill.g.la>
On 2014-05-30 Nikos Mavrogiannopoulos wrote:
> Hello,
> I've just released gnutls 3.3.3. This is a bugfix release on
Hello,
I am getting multiple crashes from the test-suite with this release.
FAIL: mini-record-2
FAIL: record-sizes-range
FAIL: mini-dtls-hello-verify
FAIL: mini-dtls-rehandshake
FAIL: mini-alpn
FAIL: mini-dtls-srtp
FAIL: mini-record
FAIL: mini-dtls-record
FAIL: mini-handshake-timeout
FAIL: openpgp-auth
e.g.
(SID)ametzler at argenau:/tmp/GNUTLS/crashme/gnutls-3.3.3$ gdb tests/mini-dtls-srtp
[...]
Reading symbols from /tmp/GNUTLS/crashme/gnutls-3.3.3/tests/mini-dtls-srtp...done.
(gdb) run
Starting program: /tmp/GNUTLS/crashme/gnutls-3.3.3/tests/mini-dtls-srtp
warning: Could not load shared library symbols for linux-gate.so.1.
Do you need "set solib-search-path" or "set sysroot"?
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/i386-linux-gnu/libthread_db.so.1".
Program received signal SIGSEGV, Segmentation fault.
vpaes_cbc_encrypt () at elf/aes-ssse3-x86.s:637
637 movdqu (%esi),%xmm0
(gdb) bt full
#0 vpaes_cbc_encrypt () at elf/aes-ssse3-x86.s:637
No locals.
#1 0x00000000 in ?? ()
No symbol table info available.
cu Andreas
--
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
From ametzler at bebt.de Fri May 30 19:13:19 2014
From: ametzler at bebt.de (Andreas Metzler)
Date: Fri, 30 May 2014 19:13:19 +0200
Subject: [gnutls-devel] gnutls 3.3.3
In-Reply-To: <20140530165641.GC1539@downhill.g.la>
References: <1401427706.2644.5.camel@nomad.lan>
<20140530165641.GC1539@downhill.g.la>
Message-ID: <20140530171319.GD1539@downhill.g.la>
On 2014-05-30 Andreas Metzler wrote:
> On 2014-05-30 Nikos Mavrogiannopoulos wrote:
>> I've just released gnutls 3.3.3. This is a bugfix release on
> I am getting multiple crashes from the test-suite with this release.
[...]
> Program received signal SIGSEGV, Segmentation fault.
> vpaes_cbc_encrypt () at elf/aes-ssse3-x86.s:637
> 637 movdqu (%esi),%xmm0
The bug is triggered by 7b819e932d4ff85d0dd7ca5dc2632c8d3d442f79
Dropping this part lets the testsuite succeed.
cu Andreas
--
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
From nmav at gnutls.org Fri May 30 19:28:17 2014
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Fri, 30 May 2014 19:28:17 +0200
Subject: [gnutls-devel] gnutls 3.3.3
In-Reply-To: <20140530165641.GC1539@downhill.g.la>
References: <1401427706.2644.5.camel@nomad.lan>
<20140530165641.GC1539@downhill.g.la>
Message-ID: <1401470897.9937.3.camel@nomad.lan>
On Fri, 2014-05-30 at 18:56 +0200, Andreas Metzler wrote:
> On 2014-05-30 Nikos Mavrogiannopoulos wrote:
> > Hello,
> > I've just released gnutls 3.3.3. This is a bugfix release on
>
> Hello,
>
> I am getting multiple crashes from the test-suite with this release.
> FAIL: mini-record-2
> FAIL: record-sizes-range
> FAIL: mini-dtls-hello-verify
> FAIL: mini-dtls-rehandshake
> FAIL: mini-alpn
> FAIL: mini-dtls-srtp
> FAIL: mini-record
> FAIL: mini-dtls-record
> FAIL: mini-handshake-timeout
> FAIL: openpgp-auth
> e.g.
> (SID)ametzler at argenau:/tmp/GNUTLS/crashme/gnutls-3.3.3$ gdb tests/mini-dtls-srtp
> [...]
> Reading symbols from /tmp/GNUTLS/crashme/gnutls-3.3.3/tests/mini-dtls-srtp...done.
> (gdb) run
> Starting program: /tmp/GNUTLS/crashme/gnutls-3.3.3/tests/mini-dtls-srtp
> warning: Could not load shared library symbols for linux-gate.so.1.
> Do you need "set solib-search-path" or "set sysroot"?
> [Thread debugging using libthread_db enabled]
> Using host libthread_db library "/lib/i386-linux-gnu/libthread_db.so.1".
> Program received signal SIGSEGV, Segmentation fault.
Thanks,
Is that solved with the 676040da1b760daf8da94944ebf271696b955b59
commit? It seems the included assembly files were quite old, although I
wouldn't expect a crash. An alternative is to use
"--disable-hardware-acceleration".
regards,
Nikos
From ametzler at bebt.de Fri May 30 19:49:56 2014
From: ametzler at bebt.de (Andreas Metzler)
Date: Fri, 30 May 2014 19:49:56 +0200
Subject: [gnutls-devel] gnutls 3.3.3
In-Reply-To: <1401470897.9937.3.camel@nomad.lan>
References: <1401427706.2644.5.camel@nomad.lan>
<20140530165641.GC1539@downhill.g.la>
<1401470897.9937.3.camel@nomad.lan>
Message-ID: <20140530174956.GE1539@downhill.g.la>
On 2014-05-30 Nikos Mavrogiannopoulos wrote:
> On Fri, 2014-05-30 at 18:56 +0200, Andreas Metzler wrote:
[...]
> > I am getting multiple crashes from the test-suite with this release.
[...]
> Thanks,
> Is that solved with the 676040da1b760daf8da94944ebf271696b955b59
> commit? It seems the included assembly files were quite old, although I
> wouldn't expect a crash. An alternative is to use
> "--disable-hardware-acceleration".
The asm upgrade seems to work, thanks.
cu Andreas
--
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
From nmav at gnutls.org Sat May 31 10:43:39 2014
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Sat, 31 May 2014 10:43:39 +0200
Subject: [gnutls-devel] gnutls 3.3.4
Message-ID: <1401525819.4466.1.camel@nomad.lan>
Hello,
I've just released gnutls 3.3.4. This is fixes an issue on the hardware acceleration on certain CPUs that was introduced in the previous release.
* Version 3.3.4 (released 2014-05-31)
** libgnutls: Updated Andy Polyakov's assembly code. That prevents a
crash on certain CPUs.
** API and ABI modifications:
No changes since last version.
Getting the Software
====================
GnuTLS may be downloaded directly from
. A list of GnuTLS mirrors can be
found at .
Here are the XZ and LZIP compressed sources:
ftp://ftp.gnutls.org/gcrypt/gnutls/v3.3/gnutls-3.3.4.tar.xz
ftp://ftp.gnutls.org/gcrypt/gnutls/v3.3/gnutls-3.3.4.tar.lz
Here are OpenPGP detached signatures signed using key 0x96865171:
ftp://ftp.gnutls.org/gcrypt/gnutls/v3.3/gnutls-3.3.4.tar.xz.sig
ftp://ftp.gnutls.org/gcrypt/gnutls/v3.3/gnutls-3.3.4.tar.lz.sig
Note that it has been signed with my openpgp key:
pub 3104R/96865171 2008-05-04 [expires: 2028-04-29]
uid Nikos Mavrogiannopoulos gnutls.org>
uid Nikos Mavrogiannopoulos
gmail.com>
sub 2048R/9013B842 2008-05-04 [expires: 2018-05-02]
sub 2048R/1404A91D 2008-05-04 [expires: 2018-05-02]
regards,
Nikos