From nmav at gnutls.org Tue May 6 21:37:01 2014 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Tue, 06 May 2014 21:37:01 +0200 Subject: [gnutls-devel] gnutls 3.1.24 Message-ID: <1399405021.14966.1.camel@nomad.lan> Hello, I've just released gnutls 3.1.24. This is a bug fix release on the old stable branch. * Version 3.1.24 (released 2014-05-06) ** libgnutls: Fixed issue with the check of incoming data when two different recv and send pointers have been specified. Reported and investigated by JMRecio. ** libgnutls: Several small bug fixes identified using valgrind and the Codenomicon TLS test suite. ** libgnutls: Several small bug fixes found by coverity. ** libgnutls-dane: Accept a certificate using DANE if there is at least one entry that matches the certificate. Patch by simon [at] arlott.org. ** certtool: The ECDSA keys generated by default use the SECP256R1 curve which is supported more widely than the previously used SECP224R1. ** API and ABI modifications: No changes since last version. Getting the Software ==================== GnuTLS may be downloaded directly from . A list of GnuTLS mirrors can be found at . Here are the XZ and LZIP compressed sources: ftp://ftp.gnutls.org/gcrypt/gnutls/v3.1/gnutls-3.1.24.tar.xz ftp://ftp.gnutls.org/gcrypt/gnutls/v3.1/gnutls-3.1.24.tar.lz Here are OpenPGP detached signatures signed using key 0x96865171: ftp://ftp.gnutls.org/gcrypt/gnutls/v3.1/gnutls-3.1.24.tar.xz.sig ftp://ftp.gnutls.org/gcrypt/gnutls/v3.1/gnutls-3.1.24.tar.lz.sig Note that it has been signed with my openpgp key: pub 3104R/96865171 2008-05-04 [expires: 2028-04-29] uid Nikos Mavrogiannopoulos gnutls.org> uid Nikos Mavrogiannopoulos gmail.com> sub 2048R/9013B842 2008-05-04 [expires: 2018-05-02] sub 2048R/1404A91D 2008-05-04 [expires: 2018-05-02] regards, Nikos From nmav at gnutls.org Tue May 6 21:38:47 2014 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Tue, 06 May 2014 21:38:47 +0200 Subject: [gnutls-devel] gnutls 3.2.14 Message-ID: <1399405127.14966.3.camel@nomad.lan> Hello, I've just released gnutls 3.2.14. This is a bugfix release on the current stable branch. * Version 3.2.14 (released 2014-05-06) ** libgnutls: Fixed issue with the check of incoming data when two different recv and send pointers have been specified. Reported and investigated by JMRecio. ** libgnutls: Fixed issue in the RSA-PSK key exchange, which would result to illegal memory access if a server hint was provided. ** libgnutls: Fixed client memory leak in the PSK key exchange, if a server hint was provided. ** libgnutls: Several small bug fixes identified using valgrind and the Codenomicon TLS test suite. ** libgnutls: Several small bug fixes found by coverity. ** libgnutls-dane: Accept a certificate using DANE if there is at least one entry that matches the certificate. Patch by simon [at] arlott.org. ** configure: Added --with-nettle-mini option, which allows linking with a libnettle that contains gmp. ** certtool: The ECDSA keys generated by default use the SECP256R1 curve which is supported more widely than the previously used SECP224R1. ** API and ABI modifications: No changes since last version. Getting the Software ==================== GnuTLS may be downloaded directly from . A list of GnuTLS mirrors can be found at . Here are the XZ and LZIP compressed sources: ftp://ftp.gnutls.org/gcrypt/gnutls/v3.2/gnutls-3.2.14.tar.xz ftp://ftp.gnutls.org/gcrypt/gnutls/v3.2/gnutls-3.2.14.tar.lz Here are OpenPGP detached signatures signed using key 0x96865171: ftp://ftp.gnutls.org/gcrypt/gnutls/v3.2/gnutls-3.2.14.tar.xz.sig ftp://ftp.gnutls.org/gcrypt/gnutls/v3.2/gnutls-3.2.14.tar.lz.sig Note that it has been signed with my openpgp key: pub 3104R/96865171 2008-05-04 [expires: 2028-04-29] uid Nikos Mavrogiannopoulos gnutls.org> uid Nikos Mavrogiannopoulos gmail.com> sub 2048R/9013B842 2008-05-04 [expires: 2018-05-02] sub 2048R/1404A91D 2008-05-04 [expires: 2018-05-02] regards, Nikos From nmav at gnutls.org Tue May 6 21:41:07 2014 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Tue, 06 May 2014 21:41:07 +0200 Subject: [gnutls-devel] gnutls 3.3.2 Message-ID: <1399405267.14966.4.camel@nomad.lan> Hello, I've just released gnutls 3.3.2. This is a bugfix release on the next stable branch. * Version 3.3.2 (released 2014-05-06) ** libgnutls: Added the 'very weak' certificate verification profile that corresponds to 64-bit security level. ** libgnutls: Corrected file descriptor leak on random generator initialization. ** libgnutls: Corrected file descriptor leak on PSK password file reading. Issue identified using the Codenomicon TLS test suite. ** libgnutls: Avoid deinitialization if initialization has failed. ** libgnutls: null-terminate othername alternative names. ** libgnutls: gnutls_x509_trust_list_get_issuer() will operate correctly on a PKCS #11 trust list. ** libgnutls: Several small bug fixes identified using valgrind and the Codenomicon TLS test suite. ** libgnutls-dane: Accept a certificate using DANE if there is at least one entry that matches the certificate. Patch by simon [at] arlott.org. ** libgnutls-guile: Fixed compilation issue. ** certtool: Allow exporting a CRL on DER format. ** certtool: The ECDSA keys generated by default use the SECP256R1 curve which is supported more widely than the previously used SECP224R1. ** API and ABI modifications: GNUTLS_PROFILE_VERY_WEAK: Added Getting the Software ==================== GnuTLS may be downloaded directly from . A list of GnuTLS mirrors can be found at . Here are the XZ and LZIP compressed sources: ftp://ftp.gnutls.org/gcrypt/gnutls/v3.3/gnutls-3.3.2.tar.xz ftp://ftp.gnutls.org/gcrypt/gnutls/v3.3/gnutls-3.3.2.tar.lz Here are OpenPGP detached signatures signed using key 0x96865171: ftp://ftp.gnutls.org/gcrypt/gnutls/v3.3/gnutls-3.3.2.tar.xz.sig ftp://ftp.gnutls.org/gcrypt/gnutls/v3.3/gnutls-3.3.2.tar.lz.sig Note that it has been signed with my openpgp key: pub 3104R/96865171 2008-05-04 [expires: 2028-04-29] uid Nikos Mavrogiannopoulos gnutls.org> uid Nikos Mavrogiannopoulos gmail.com> sub 2048R/9013B842 2008-05-04 [expires: 2018-05-02] sub 2048R/1404A91D 2008-05-04 [expires: 2018-05-02] regards, Nikos From nmav at gnutls.org Wed May 7 14:16:27 2014 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Wed, 7 May 2014 14:16:27 +0200 Subject: [gnutls-devel] gnutls 3.3.2 In-Reply-To: <1399405267.14966.4.camel@nomad.lan> References: <1399405267.14966.4.camel@nomad.lan> Message-ID: On Tue, May 6, 2014 at 9:41 PM, Nikos Mavrogiannopoulos wrote: > ** libgnutls: Corrected file descriptor leak on PSK password file > reading. Issue identified using the Codenomicon TLS test suite. > ** libgnutls: Several small bug fixes identified using valgrind and > the Codenomicon TLS test suite. I should have mentioned that Codenomicon offered its TLS test suite to check GnuTLS. It is fuzz testing suite, which allows to test the not so often executed error code paths. regards, Nikos From ametzler at bebt.de Sat May 24 08:58:07 2014 From: ametzler at bebt.de (Andreas Metzler) Date: Sat, 24 May 2014 08:58:07 +0200 Subject: [gnutls-devel] Symbol versioning in gnutls broken -> crashes Message-ID: <20140524065807.GA2250@downhill.g.la> Hello, GnuTLS symbol versioning apparently does not fullfill its main purpose, to allow a binary to link against gnutls 2.x and gnutls 3.x without crashing. This is a pretty common screnario for distributions in a transition period, where you go from: scenario1 application --depends_on--> libgnutls.so.26 `-depends_on--> libbar.so.5 --dep_on--> libgnutls.so.26 to scenario2 application --depends_on--> libgnutls.so.26 `-depends_on--> libbar.so.5 --dep_on--> libgnutls.so.28 at some point of time, since you cannot switch the whole distro at one point. Especially for the GnuTLS transition, since this is not just a straight rebuild but involves checking the source's gcrypt related code. Usually symbol-versioning would cause any references to gnutls to be resolved to GnuTLS 2.x in both of the abovementioned cases, libbar's to GnuTLS 2.x or 3.x respectively. However e.g. gnutls_init() is versioned as @1.4 in both gnutls versions, therefore in scenario2 application could also get gnutls_init() from GnuTLS 3.x. Another function where it is obvious this breaks is gnutls_priority_set_direct(), where 3.x accepts more priority strings. ------ Anyway, this causes hard crashes like in or . Fixing this in gnutls' source is pretty easy: In gnutls.map move the contents of GNUTLS_1_4, GNUTLS_2_8, GNUTLS_2_10 and GNUTLS_2_12 to GNUTLS_3_0_0. However it breaks the ABI, everything linking against gnutls3 will need to be rebuilt after the change. Afaiu a soname bump would therefore be the correct thing. cu Andreas See also: -- `What a good friend you are to him, Dr. Maturin. His other friends are so grateful to you.' `I sew his ears on from time to time, sure' From nmav at gnutls.org Sat May 24 09:36:27 2014 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Sat, 24 May 2014 09:36:27 +0200 Subject: [gnutls-devel] Symbol versioning in gnutls broken -> crashes In-Reply-To: <20140524065807.GA2250@downhill.g.la> References: <20140524065807.GA2250@downhill.g.la> Message-ID: <1400916987.19659.9.camel@nomad.lan> On Sat, 2014-05-24 at 08:58 +0200, Andreas Metzler wrote: > Hello, > > GnuTLS symbol versioning apparently does not fullfill its main > purpose, to allow a binary to link against gnutls 2.x and gnutls 3.x > without crashing. > This is a pretty common screnario for distributions in a transition > period, where you go from: > scenario1 > application --depends_on--> libgnutls.so.26 > `-depends_on--> libbar.so.5 --dep_on--> libgnutls.so.26 > to > scenario2 > application --depends_on--> libgnutls.so.26 > `-depends_on--> libbar.so.5 --dep_on--> libgnutls.so.28 > at some point of time, since you cannot switch the whole distro at one > point. Especially for the GnuTLS transition, since this is not just a > straight rebuild but involves checking the source's gcrypt related > code. > Usually symbol-versioning would cause any references to gnutls to be > resolved to GnuTLS 2.x in both of the abovementioned cases, libbar's > to GnuTLS 2.x or 3.x respectively. However e.g. gnutls_init() is > versioned as @1.4 in both gnutls versions, therefore in scenario2 > application could also get gnutls_init() from GnuTLS 3.x. [...] > Fixing this in gnutls' source is pretty easy: In gnutls.map move the > contents of GNUTLS_1_4, GNUTLS_2_8, GNUTLS_2_10 and GNUTLS_2_12 to > GNUTLS_3_0_0. However it breaks the ABI, everything linking against > gnutls3 will need to be rebuilt after the change. I think symbol versioning is pretty good for libc and stateless functions but cannot do much when there are internal structures involved like in gnutls. I believe nevertheless that the way gnutls uses symbol versioning is the recommended way for all libraries. As I understand from your suggestion here, is to change symbol versioning on every major version bump? I could consider that for the next soname bump (not soon) but unfortunately the ABI cannot be broken now as there have been quite many releases in the 3.x series. Is there a reason to keep the old gnutls version? The API's are compatible and old programs need only to be recompiled with the new library. regards, Nikos From ametzler at bebt.de Sat May 24 15:09:16 2014 From: ametzler at bebt.de (Andreas Metzler) Date: Sat, 24 May 2014 15:09:16 +0200 Subject: [gnutls-devel] Symbol versioning in gnutls broken -> crashes In-Reply-To: <1400916987.19659.9.camel@nomad.lan> References: <20140524065807.GA2250@downhill.g.la> <1400916987.19659.9.camel@nomad.lan> Message-ID: <20140524130916.GB1487@downhill.g.la> On 2014-05-24 Nikos Mavrogiannopoulos wrote: > On Sat, 2014-05-24 at 08:58 +0200, Andreas Metzler wrote: [...] > I think symbol versioning is pretty good for libc and stateless > functions but cannot do much when there are internal structures involved > like in gnutls. > I believe nevertheless that the way gnutls uses symbol versioning is the > recommended way for all libraries. Hello, I do not think so. There are two distinct uses for symbol versioning: #1 the glibc way: They use symbol versioning/mangling as a special tool to _avoid_ a soname bump when they change/extend the API/ABI while. If foo() in 2.1.16 behaves different than foo() in earlier versions than glibc provides both versions of foo(), binaries built against the old version can keep using foo at GLIBC_2.1 while a freshly built binary will end up using foo at GLIBC_2.1.16. This requires more than just shipping and using a .map file. #2 Pretty much everything else. They occassionally break the ABI and need to bump the soname. Then one versions the symbols corresponding to the soname. This guarantees that a program which (indirectly) links against two versions of the library gets the correct function from the correct library. > As I understand from your suggestion > here, is to change symbol versioning on every major version bump? Yes. > I could consider that for the next soname bump (not soon) but > unfortunately the ABI cannot be broken now as there have been quite > many releases in the 3.x series. Is there a reason to keep the old > gnutls version? The API's are compatible and old programs need only > to be recompiled with the new library. Well, it is not just a straight recompile. Some stuff does not build, and also there is loads of unnecessary gcrypt linkage to get rid of. And Debian especially needs to care about partial upgrades. Also the transition is huge: There are 214 binary packages involved which just will not all be ready for transition at one time. I can understand if you will not bump the soname now, however I am pretty sure we will be forced to do so in Debian. cu Andreas -- `What a good friend you are to him, Dr. Maturin. His other friends are so grateful to you.' `I sew his ears on from time to time, sure' From kroosec at gmail.com Tue May 27 01:17:16 2014 From: kroosec at gmail.com (Hani Benhabiles) Date: Tue, 27 May 2014 00:17:16 +0100 Subject: [gnutls-devel] [PATCH] Fix unused variable warning without PKCS#11 support. Message-ID: <1401146236-13235-1-git-send-email-kroosec@gmail.com> Signed-off-by: Hani Benhabiles --- lib/x509/verify-high.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/x509/verify-high.c b/lib/x509/verify-high.c index 9bae145..dd2e2b4 100644 --- a/lib/x509/verify-high.c +++ b/lib/x509/verify-high.c @@ -677,9 +677,9 @@ int gnutls_x509_trust_list_get_issuer(gnutls_x509_trust_list_t list, gnutls_x509_crt_t * issuer, unsigned int flags) { +#ifdef ENABLE_PKCS11 int ret; -#ifdef ENABLE_PKCS11 if (list->pkcs11_token) { gnutls_datum_t der = {NULL, 0}; /* use the token for verification */ -- 1.8.3.2 From nmav at gnutls.org Tue May 27 09:34:56 2014 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Tue, 27 May 2014 09:34:56 +0200 Subject: [gnutls-devel] [PATCH] Fix unused variable warning without PKCS#11 support. In-Reply-To: <1401146236-13235-1-git-send-email-kroosec@gmail.com> References: <1401146236-13235-1-git-send-email-kroosec@gmail.com> Message-ID: Applied, thank you. On Tue, May 27, 2014 at 1:17 AM, Hani Benhabiles wrote: > Signed-off-by: Hani Benhabiles > --- > lib/x509/verify-high.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/lib/x509/verify-high.c b/lib/x509/verify-high.c > index 9bae145..dd2e2b4 100644 > --- a/lib/x509/verify-high.c > +++ b/lib/x509/verify-high.c > @@ -677,9 +677,9 @@ int > gnutls_x509_trust_list_get_issuer(gnutls_x509_trust_list_t list, > gnutls_x509_crt_t * issuer, > unsigned int flags) > { > +#ifdef ENABLE_PKCS11 > int ret; > > -#ifdef ENABLE_PKCS11 > if (list->pkcs11_token) { > gnutls_datum_t der = {NULL, 0}; > /* use the token for verification */ > -- > 1.8.3.2 > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From kurt at roeckx.be Thu May 29 10:25:01 2014 From: kurt at roeckx.be (Kurt Roeckx) Date: Thu, 29 May 2014 10:25:01 +0200 Subject: [gnutls-devel] [PATCH] Fix capitalisation of ia5String Message-ID: <1401351901-29135-1-git-send-email-kurt@roeckx.be> --- lib/x509/x509_ext.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/x509/x509_ext.c b/lib/x509/x509_ext.c index ea6a496..6d7421e 100644 --- a/lib/x509/x509_ext.c +++ b/lib/x509/x509_ext.c @@ -1593,7 +1593,7 @@ static int decode_user_notice(const void *data, size_t size, } if (strcmp(choice_type, "utf8String") != 0 - && strcmp(choice_type, "IA5String") != 0 + && strcmp(choice_type, "ia5String") != 0 && strcmp(choice_type, "bmpString") != 0 && strcmp(choice_type, "visibleString") != 0) { gnutls_assert(); -- 2.0.0.rc2 From kurt at roeckx.be Thu May 29 17:13:56 2014 From: kurt at roeckx.be (Kurt Roeckx) Date: Thu, 29 May 2014 17:13:56 +0200 Subject: [gnutls-devel] [PATCH] Fix capitalisation of ia5String In-Reply-To: References: <1401351901-29135-1-git-send-email-kurt@roeckx.be> Message-ID: <20140529151356.GA11888@roeckx.be> On Thu, May 29, 2014 at 05:07:36PM +0200, Nikos Mavrogiannopoulos wrote: > On Thu, May 29, 2014 at 10:25 AM, Kurt Roeckx wrote: > > > --- > > lib/x509/x509_ext.c | 2 +- > > 1 file changed, 1 insertion(+), 1 deletion(-) > > > > diff --git a/lib/x509/x509_ext.c b/lib/x509/x509_ext.c > > index ea6a496..6d7421e 100644 > > --- a/lib/x509/x509_ext.c > > +++ b/lib/x509/x509_ext.c > > @@ -1593,7 +1593,7 @@ static int decode_user_notice(const void *data, > > size_t size, > > } > > if (strcmp(choice_type, "utf8String") != 0 > > - && strcmp(choice_type, "IA5String") != 0 > > + && strcmp(choice_type, "ia5String") != 0 > > && strcmp(choice_type, "bmpString") != 0 > > && strcmp(choice_type, "visibleString") != 0) { > > gnutls_assert(); > > > > Thank you, applied. > > Do you happen to have a certificate that triggers the error, so that I can > add it in the test suite? I actually have a few thousand of those, but I'm not sure it's a good idea to take a random one from that to put it in the test suite. Kurt From nmav at gnutls.org Thu May 29 17:07:36 2014 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Thu, 29 May 2014 17:07:36 +0200 Subject: [gnutls-devel] [PATCH] Fix capitalisation of ia5String In-Reply-To: <1401351901-29135-1-git-send-email-kurt@roeckx.be> References: <1401351901-29135-1-git-send-email-kurt@roeckx.be> Message-ID: On Thu, May 29, 2014 at 10:25 AM, Kurt Roeckx wrote: > --- > lib/x509/x509_ext.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/lib/x509/x509_ext.c b/lib/x509/x509_ext.c > index ea6a496..6d7421e 100644 > --- a/lib/x509/x509_ext.c > +++ b/lib/x509/x509_ext.c > @@ -1593,7 +1593,7 @@ static int decode_user_notice(const void *data, > size_t size, > } > if (strcmp(choice_type, "utf8String") != 0 > - && strcmp(choice_type, "IA5String") != 0 > + && strcmp(choice_type, "ia5String") != 0 > && strcmp(choice_type, "bmpString") != 0 > && strcmp(choice_type, "visibleString") != 0) { > gnutls_assert(); > Thank you, applied. Do you happen to have a certificate that triggers the error, so that I can add it in the test suite? regards, Nikos -------------- next part -------------- An HTML attachment was scrubbed... URL: From nmav at gnutls.org Fri May 30 07:25:49 2014 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Fri, 30 May 2014 07:25:49 +0200 Subject: [gnutls-devel] gnutls 3.1.25 Message-ID: <1401427549.2644.2.camel@nomad.lan> Hello, I've just released gnutls 3.1.25. This is a bug fix release on the old stable branch, which addresses the http://www.gnutls.org/security.html#GNUTLS-SA-2014-3 security advisory. * Version 3.1.25 (released 2014-05-30) ** libgnutls: Eliminated memory corruption issue in Server Hello parsing. Issue reported by Joonas Kuorilehto of Codenomicon. ** libgnutls: Increased the maximum certificate size buffer in the PKCS #11 subsystem. ** libgnutls: Check the return code of getpwuid_r() instead of relying on the result value. That avoids issue in certain systems, when using tofu authentication and the home path cannot be determined. Issue reported by Viktor Dukhovni. ** ocsptool: Include path in ocsp request. This resolves #108582 (https://savannah.gnu.org/support/?108582), reported by Matt McCutchen. ** API and ABI modifications: No changes since last version. Getting the Software ==================== GnuTLS may be downloaded directly from . A list of GnuTLS mirrors can be found at . Here are the XZ and LZIP compressed sources: ftp://ftp.gnutls.org/gcrypt/gnutls/v3.1/gnutls-3.1.25.tar.xz ftp://ftp.gnutls.org/gcrypt/gnutls/v3.1/gnutls-3.1.25.tar.lz Here are OpenPGP detached signatures signed using key 0x96865171: ftp://ftp.gnutls.org/gcrypt/gnutls/v3.1/gnutls-3.1.25.tar.xz.sig ftp://ftp.gnutls.org/gcrypt/gnutls/v3.1/gnutls-3.1.25.tar.lz.sig Note that it has been signed with my openpgp key: pub 3104R/96865171 2008-05-04 [expires: 2028-04-29] uid Nikos Mavrogiannopoulos gnutls.org> uid Nikos Mavrogiannopoulos gmail.com> sub 2048R/9013B842 2008-05-04 [expires: 2018-05-02] sub 2048R/1404A91D 2008-05-04 [expires: 2018-05-02] regards, Nikos From nmav at gnutls.org Fri May 30 07:27:12 2014 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Fri, 30 May 2014 07:27:12 +0200 Subject: [gnutls-devel] gnutls 3.2.15 Message-ID: <1401427632.2644.4.camel@nomad.lan> Hello, I've just released gnutls 3.2.15. This is a bugfix release on the current stable branch, which addresses the http://www.gnutls.org/security.html#GNUTLS-SA-2014-3 security advisory. * Version 3.2.15 (released 2014-05-30) ** libgnutls: Eliminated memory corruption issue in Server Hello parsing. Issue reported by Joonas Kuorilehto of Codenomicon. ** libgnutls: Several memory leaks caused by error conditions were fixed. The leaks were identified using valgrind and the Codenomicon TLS test suite. ** libgnutls: Increased the maximum certificate size buffer in the PKCS #11 subsystem. ** libgnutls: Check the return code of getpwuid_r() instead of relying on the result value. That avoids issue in certain systems, when using tofu authentication and the home path cannot be determined. Issue reported by Viktor Dukhovni. ** gnutls-cli: if dane is requested but not PKIX verification, then only do verify the end certificate. ** ocsptool: Include path in ocsp request. This resolves #108582 (https://savannah.gnu.org/support/?108582), reported by Matt McCutchen. ** API and ABI modifications: No changes since last version. Getting the Software ==================== GnuTLS may be downloaded directly from . A list of GnuTLS mirrors can be found at . Here are the XZ and LZIP compressed sources: ftp://ftp.gnutls.org/gcrypt/gnutls/v3.2/gnutls-3.2.15.tar.xz ftp://ftp.gnutls.org/gcrypt/gnutls/v3.2/gnutls-3.2.15.tar.lz Here are OpenPGP detached signatures signed using key 0x96865171: ftp://ftp.gnutls.org/gcrypt/gnutls/v3.2/gnutls-3.2.15.tar.xz.sig ftp://ftp.gnutls.org/gcrypt/gnutls/v3.2/gnutls-3.2.15.tar.lz.sig Note that it has been signed with my openpgp key: pub 3104R/96865171 2008-05-04 [expires: 2028-04-29] uid Nikos Mavrogiannopoulos gnutls.org> uid Nikos Mavrogiannopoulos gmail.com> sub 2048R/9013B842 2008-05-04 [expires: 2018-05-02] sub 2048R/1404A91D 2008-05-04 [expires: 2018-05-02] regards, Nikos From nmav at gnutls.org Fri May 30 07:28:26 2014 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Fri, 30 May 2014 07:28:26 +0200 Subject: [gnutls-devel] gnutls 3.3.3 Message-ID: <1401427706.2644.5.camel@nomad.lan> Hello, I've just released gnutls 3.3.3. This is a bugfix release on the next stable branch, which addresses the http://www.gnutls.org/security.html#GNUTLS-SA-2014-3 security advisory. * Version 3.3.3 (released 2014-05-30) ** libgnutls: Eliminated memory corruption issue in Server Hello parsing. Issue reported by Joonas Kuorilehto of Codenomicon. ** libgnutls: gnutls_global_set_mutex() was modified to operate with the new initialization process. ** libgnutls: Increased the maximum certificate size buffer in the PKCS #11 subsystem. ** libgnutls: Check the return code of getpwuid_r() instead of relying on the result value. That avoids issue in certain systems, when using tofu authentication and the home path cannot be determined. Issue reported by Viktor Dukhovni. ** libgnutls-dane: Improved dane_verify_session_crt(), which now attempts to create a full chain. This addresses points from https://savannah.gnu.org/support/index.php?108552 ** gnutls-cli: --dane will only check the end certificate if PKIX validation has been disabled. ** gnutls-cli: --benchmark-soft-ciphers has been removed. That option cannot be emulated with the implicit initialization of gnutls. ** certtool: Allow multiple organizations and organizational unit names to be specified in a template. ** certtool: Warn when invalid configuration options are set to a template. ** ocsptool: Include path in ocsp request. This resolves #108582 (https://savannah.gnu.org/support/?108582), reported by Matt McCutchen. ** API and ABI modifications: gnutls_credentials_get: Added Getting the Software ==================== GnuTLS may be downloaded directly from . A list of GnuTLS mirrors can be found at . Here are the XZ and LZIP compressed sources: ftp://ftp.gnutls.org/gcrypt/gnutls/v3.3/gnutls-3.3.3.tar.xz ftp://ftp.gnutls.org/gcrypt/gnutls/v3.3/gnutls-3.3.3.tar.lz Here are OpenPGP detached signatures signed using key 0x96865171: ftp://ftp.gnutls.org/gcrypt/gnutls/v3.3/gnutls-3.3.3.tar.xz.sig ftp://ftp.gnutls.org/gcrypt/gnutls/v3.3/gnutls-3.3.3.tar.lz.sig Note that it has been signed with my openpgp key: pub 3104R/96865171 2008-05-04 [expires: 2028-04-29] uid Nikos Mavrogiannopoulos gnutls.org> uid Nikos Mavrogiannopoulos gmail.com> sub 2048R/9013B842 2008-05-04 [expires: 2018-05-02] sub 2048R/1404A91D 2008-05-04 [expires: 2018-05-02] regards, Nikos From ametzler at bebt.de Fri May 30 18:56:41 2014 From: ametzler at bebt.de (Andreas Metzler) Date: Fri, 30 May 2014 18:56:41 +0200 Subject: [gnutls-devel] gnutls 3.3.3 In-Reply-To: <1401427706.2644.5.camel@nomad.lan> References: <1401427706.2644.5.camel@nomad.lan> Message-ID: <20140530165641.GC1539@downhill.g.la> On 2014-05-30 Nikos Mavrogiannopoulos wrote: > Hello, > I've just released gnutls 3.3.3. This is a bugfix release on Hello, I am getting multiple crashes from the test-suite with this release. FAIL: mini-record-2 FAIL: record-sizes-range FAIL: mini-dtls-hello-verify FAIL: mini-dtls-rehandshake FAIL: mini-alpn FAIL: mini-dtls-srtp FAIL: mini-record FAIL: mini-dtls-record FAIL: mini-handshake-timeout FAIL: openpgp-auth e.g. (SID)ametzler at argenau:/tmp/GNUTLS/crashme/gnutls-3.3.3$ gdb tests/mini-dtls-srtp [...] Reading symbols from /tmp/GNUTLS/crashme/gnutls-3.3.3/tests/mini-dtls-srtp...done. (gdb) run Starting program: /tmp/GNUTLS/crashme/gnutls-3.3.3/tests/mini-dtls-srtp warning: Could not load shared library symbols for linux-gate.so.1. Do you need "set solib-search-path" or "set sysroot"? [Thread debugging using libthread_db enabled] Using host libthread_db library "/lib/i386-linux-gnu/libthread_db.so.1". Program received signal SIGSEGV, Segmentation fault. vpaes_cbc_encrypt () at elf/aes-ssse3-x86.s:637 637 movdqu (%esi),%xmm0 (gdb) bt full #0 vpaes_cbc_encrypt () at elf/aes-ssse3-x86.s:637 No locals. #1 0x00000000 in ?? () No symbol table info available. cu Andreas -- `What a good friend you are to him, Dr. Maturin. His other friends are so grateful to you.' `I sew his ears on from time to time, sure' From ametzler at bebt.de Fri May 30 19:13:19 2014 From: ametzler at bebt.de (Andreas Metzler) Date: Fri, 30 May 2014 19:13:19 +0200 Subject: [gnutls-devel] gnutls 3.3.3 In-Reply-To: <20140530165641.GC1539@downhill.g.la> References: <1401427706.2644.5.camel@nomad.lan> <20140530165641.GC1539@downhill.g.la> Message-ID: <20140530171319.GD1539@downhill.g.la> On 2014-05-30 Andreas Metzler wrote: > On 2014-05-30 Nikos Mavrogiannopoulos wrote: >> I've just released gnutls 3.3.3. This is a bugfix release on > I am getting multiple crashes from the test-suite with this release. [...] > Program received signal SIGSEGV, Segmentation fault. > vpaes_cbc_encrypt () at elf/aes-ssse3-x86.s:637 > 637 movdqu (%esi),%xmm0 The bug is triggered by 7b819e932d4ff85d0dd7ca5dc2632c8d3d442f79 Dropping this part lets the testsuite succeed. cu Andreas -- `What a good friend you are to him, Dr. Maturin. His other friends are so grateful to you.' `I sew his ears on from time to time, sure' From nmav at gnutls.org Fri May 30 19:28:17 2014 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Fri, 30 May 2014 19:28:17 +0200 Subject: [gnutls-devel] gnutls 3.3.3 In-Reply-To: <20140530165641.GC1539@downhill.g.la> References: <1401427706.2644.5.camel@nomad.lan> <20140530165641.GC1539@downhill.g.la> Message-ID: <1401470897.9937.3.camel@nomad.lan> On Fri, 2014-05-30 at 18:56 +0200, Andreas Metzler wrote: > On 2014-05-30 Nikos Mavrogiannopoulos wrote: > > Hello, > > I've just released gnutls 3.3.3. This is a bugfix release on > > Hello, > > I am getting multiple crashes from the test-suite with this release. > FAIL: mini-record-2 > FAIL: record-sizes-range > FAIL: mini-dtls-hello-verify > FAIL: mini-dtls-rehandshake > FAIL: mini-alpn > FAIL: mini-dtls-srtp > FAIL: mini-record > FAIL: mini-dtls-record > FAIL: mini-handshake-timeout > FAIL: openpgp-auth > e.g. > (SID)ametzler at argenau:/tmp/GNUTLS/crashme/gnutls-3.3.3$ gdb tests/mini-dtls-srtp > [...] > Reading symbols from /tmp/GNUTLS/crashme/gnutls-3.3.3/tests/mini-dtls-srtp...done. > (gdb) run > Starting program: /tmp/GNUTLS/crashme/gnutls-3.3.3/tests/mini-dtls-srtp > warning: Could not load shared library symbols for linux-gate.so.1. > Do you need "set solib-search-path" or "set sysroot"? > [Thread debugging using libthread_db enabled] > Using host libthread_db library "/lib/i386-linux-gnu/libthread_db.so.1". > Program received signal SIGSEGV, Segmentation fault. Thanks, Is that solved with the 676040da1b760daf8da94944ebf271696b955b59 commit? It seems the included assembly files were quite old, although I wouldn't expect a crash. An alternative is to use "--disable-hardware-acceleration". regards, Nikos From ametzler at bebt.de Fri May 30 19:49:56 2014 From: ametzler at bebt.de (Andreas Metzler) Date: Fri, 30 May 2014 19:49:56 +0200 Subject: [gnutls-devel] gnutls 3.3.3 In-Reply-To: <1401470897.9937.3.camel@nomad.lan> References: <1401427706.2644.5.camel@nomad.lan> <20140530165641.GC1539@downhill.g.la> <1401470897.9937.3.camel@nomad.lan> Message-ID: <20140530174956.GE1539@downhill.g.la> On 2014-05-30 Nikos Mavrogiannopoulos wrote: > On Fri, 2014-05-30 at 18:56 +0200, Andreas Metzler wrote: [...] > > I am getting multiple crashes from the test-suite with this release. [...] > Thanks, > Is that solved with the 676040da1b760daf8da94944ebf271696b955b59 > commit? It seems the included assembly files were quite old, although I > wouldn't expect a crash. An alternative is to use > "--disable-hardware-acceleration". The asm upgrade seems to work, thanks. cu Andreas -- `What a good friend you are to him, Dr. Maturin. His other friends are so grateful to you.' `I sew his ears on from time to time, sure' From nmav at gnutls.org Sat May 31 10:43:39 2014 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Sat, 31 May 2014 10:43:39 +0200 Subject: [gnutls-devel] gnutls 3.3.4 Message-ID: <1401525819.4466.1.camel@nomad.lan> Hello, I've just released gnutls 3.3.4. This is fixes an issue on the hardware acceleration on certain CPUs that was introduced in the previous release. * Version 3.3.4 (released 2014-05-31) ** libgnutls: Updated Andy Polyakov's assembly code. That prevents a crash on certain CPUs. ** API and ABI modifications: No changes since last version. Getting the Software ==================== GnuTLS may be downloaded directly from . A list of GnuTLS mirrors can be found at . Here are the XZ and LZIP compressed sources: ftp://ftp.gnutls.org/gcrypt/gnutls/v3.3/gnutls-3.3.4.tar.xz ftp://ftp.gnutls.org/gcrypt/gnutls/v3.3/gnutls-3.3.4.tar.lz Here are OpenPGP detached signatures signed using key 0x96865171: ftp://ftp.gnutls.org/gcrypt/gnutls/v3.3/gnutls-3.3.4.tar.xz.sig ftp://ftp.gnutls.org/gcrypt/gnutls/v3.3/gnutls-3.3.4.tar.lz.sig Note that it has been signed with my openpgp key: pub 3104R/96865171 2008-05-04 [expires: 2028-04-29] uid Nikos Mavrogiannopoulos gnutls.org> uid Nikos Mavrogiannopoulos gmail.com> sub 2048R/9013B842 2008-05-04 [expires: 2018-05-02] sub 2048R/1404A91D 2008-05-04 [expires: 2018-05-02] regards, Nikos