From nmav at gnutls.org Mon Feb 1 11:54:51 2016 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Mon, 1 Feb 2016 11:54:51 +0100 Subject: [gnutls-devel] trivial [patch] fix typos In-Reply-To: <20160131170356.GA17265@argenau.bebt.de> References: <20160131170356.GA17265@argenau.bebt.de> Message-ID: On Sun, Jan 31, 2016 at 6:03 PM, Andreas Metzler wrote: > Hello, > find attached a trivial patch fixing some typos found by lintian. Thank you. Applied. From nmav at gnutls.org Wed Feb 3 09:04:51 2016 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Wed, 03 Feb 2016 09:04:51 +0100 Subject: [gnutls-devel] gnutls 3.3.21 Message-ID: <1454486691.2094.1.camel@gnutls.org> Hello, I've just released gnutls 3.3.21. This is a bug-fix release on the previous stable branch. * Version 3.3.21 (released 2016-02-03) ** libgnutls: Corrected ALPN protocol negotiation. Before GnuTLS would negotiate the last commonly supported protocol, rather than the first. Reported by Remi Denis-Courmont (#63). ** libgnutls: ARCFOUR (RC4) is no longer included in the default priorities list. It has to be explicitly enabled, e.g., with a string like "NORMAL:+ARCFOUR-128". The previous behavior can be restored using the flag --with-arcfour128 to configure. ** libgnutls: Corrected regression causes by incorrect fix in gnutls_x509_ext_export_key_usage() at 3.3.20 release. ** API and ABI modifications: No changes since last version. Getting the Software ==================== GnuTLS may be downloaded directly from .??A list of GnuTLS mirrors can be found at . Here are the XZ compressed sources: ftp://ftp.gnutls.org/gcrypt/gnutls/v3.3/gnutls-3.3.21.tar.xz Here are OpenPGP detached signatures signed using key 0x96865171: ftp://ftp.gnutls.org/gcrypt/gnutls/v3.3/gnutls-3.3.21.tar.xz.sig Note that it has been signed with my openpgp key: pub 3104R/96865171 2008-05-04 [expires: 2028-04-29] uid Nikos Mavrogiannopoulos gnutls.org> uid Nikos Mavrogiannopoulos gmail.com> sub 2048R/9013B842 2008-05-04 [expires: 2018-05-02] sub 2048R/1404A91D 2008-05-04 [expires: 2018-05-02] regards, Nikos From nmav at gnutls.org Wed Feb 3 09:24:40 2016 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Wed, 03 Feb 2016 09:24:40 +0100 Subject: [gnutls-devel] gnutls 3.4.9 Message-ID: <1454487880.2094.3.camel@gnutls.org> Hello, I've just released gnutls 3.4.9. This version fixes bugs in the current stable branch. * Version 3.4.9 (released 2016-02-03) ** libgnutls: Corrected ALPN protocol negotiation. Before GnuTLS would negotiate the last commonly supported protocol, rather than the first. Reported by Remi Denis-Courmont (#63). ** libgnutls: Tolerate empty DN fields in informational output functions. ** libgnutls: Corrected regression causes by incorrect fix in gnutls_x509_ext_export_key_usage() at 3.4.8 release. ** API and ABI modifications: No changes since last version. Getting the Software ==================== GnuTLS may be downloaded directly from .??A list of GnuTLS mirrors can be found at . Here are the XZ compressed sources: ftp://ftp.gnutls.org/gcrypt/gnutls/v3.4/gnutls-3.4.9.tar.xz Here are OpenPGP detached signatures signed using key 0x96865171: ftp://ftp.gnutls.org/gcrypt/gnutls/v3.4/gnutls-3.4.9.tar.xz.sig Note that it has been signed with my openpgp key: pub 3104R/96865171 2008-05-04 [expires: 2028-04-29] uid Nikos Mavrogiannopoulos gnutls.org> uid Nikos Mavrogiannopoulos gmail.com> sub 2048R/9013B842 2008-05-04 [expires: 2018-05-02] sub 2048R/1404A91D 2008-05-04 [expires: 2018-05-02] regards, Nikos From ametzler at bebt.de Tue Feb 9 13:51:49 2016 From: ametzler at bebt.de (Andreas Metzler) Date: Tue, 9 Feb 2016 13:51:49 +0100 Subject: [gnutls-devel] [patch] improve priority string documentation Message-ID: <20160209125149.GA1174@argenau.bebt.de> Hello, afaict the docs currently do not say that NORMAL:+%COMPAT is nt a valid priority string, attached patch tries to fix this. cu Andreas -- `What a good friend you are to him, Dr. Maturin. His other friends are so grateful to you.' `I sew his ears on from time to time, sure' -------------- next part -------------- A non-text attachment was scrubbed... Name: 0001-improve-doc-on-special-keywords-in-priority-string.patch Type: text/x-diff Size: 1184 bytes Desc: not available URL: From jaak.ristioja at cyber.ee Wed Feb 10 00:15:52 2016 From: jaak.ristioja at cyber.ee (Jaak Ristioja) Date: Wed, 10 Feb 2016 01:15:52 +0200 Subject: [gnutls-devel] gnutls_record_recv/gnutls_record_send and record length? Message-ID: <56BA7328.1070600@cyber.ee> Hi! TLS 1.2 specifies a maximum record payload of 2^14 bytes. The GnuTLS documentation for gnutls_record_send states that the maximum number of bytes gnutls_record_send can send in a single call is determined by the negotiated maximum record size (<= 2^14 bytes). Does gnutls_record_recv have similar limitations? I'm thinking of implementing buffers for both send and receive and I wonder whether 2^14-byte read and write buffers will suffice to minimize the number of gnutls calls. Best regards, Jaak Ristioja From nmav at gnutls.org Wed Feb 10 09:54:28 2016 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Wed, 10 Feb 2016 09:54:28 +0100 Subject: [gnutls-devel] gnutls_record_recv/gnutls_record_send and record length? In-Reply-To: <56BA7328.1070600@cyber.ee> References: <56BA7328.1070600@cyber.ee> Message-ID: On Wed, Feb 10, 2016 at 12:15 AM, Jaak Ristioja wrote: > Hi! > TLS 1.2 specifies a maximum record payload of 2^14 bytes. The GnuTLS > documentation for gnutls_record_send states that the maximum number of > bytes gnutls_record_send can send in a single call is determined by the > negotiated maximum record size (<= 2^14 bytes). Does gnutls_record_recv > have similar limitations? I'm thinking of implementing buffers for both > send and receive and I wonder whether 2^14-byte read and write buffers > will suffice to minimize the number of gnutls calls. The answer is yes, you can rely gnutls_record_recv() to return data <= 2^14 per call. However to minimize the number of calls to gnutls you may consider to use gnutls_record_recv_packet(). That in addition will eliminate any need for copying buffers. regards, Nikos From nmav at gnutls.org Wed Feb 10 10:01:33 2016 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Wed, 10 Feb 2016 10:01:33 +0100 Subject: [gnutls-devel] [patch] improve priority string documentation In-Reply-To: <20160209125149.GA1174@argenau.bebt.de> References: <20160209125149.GA1174@argenau.bebt.de> Message-ID: Applied. Thank you. On Tue, Feb 9, 2016 at 1:51 PM, Andreas Metzler wrote: > Hello, > > afaict the docs currently do not say that NORMAL:+%COMPAT is nt a > valid priority string, attached patch tries to fix this. > > cu Andreas > -- > `What a good friend you are to him, Dr. Maturin. His other friends are > so grateful to you.' > `I sew his ears on from time to time, sure' > > _______________________________________________ > Gnutls-devel mailing list > Gnutls-devel at lists.gnutls.org > http://lists.gnupg.org/mailman/listinfo/gnutls-devel From jaak.ristioja at cyber.ee Wed Feb 10 10:41:53 2016 From: jaak.ristioja at cyber.ee (Jaak Ristioja) Date: Wed, 10 Feb 2016 11:41:53 +0200 Subject: [gnutls-devel] gnutls_record_recv/gnutls_record_send and record length? In-Reply-To: References: <56BA7328.1070600@cyber.ee> Message-ID: <56BB05E1.9050701@cyber.ee> On 10.02.2016 10:54, Nikos Mavrogiannopoulos wrote: > On Wed, Feb 10, 2016 at 12:15 AM, Jaak Ristioja wrote: >> Hi! >> TLS 1.2 specifies a maximum record payload of 2^14 bytes. The GnuTLS >> documentation for gnutls_record_send states that the maximum number of >> bytes gnutls_record_send can send in a single call is determined by the >> negotiated maximum record size (<= 2^14 bytes). Does gnutls_record_recv >> have similar limitations? I'm thinking of implementing buffers for both >> send and receive and I wonder whether 2^14-byte read and write buffers >> will suffice to minimize the number of gnutls calls. > > The answer is yes, you can rely gnutls_record_recv() to return data <= > 2^14 per call. This might be worth documenting. > However to minimize the number of calls to gnutls you may consider to > use gnutls_record_recv_packet(). That in addition will eliminate any > need for copying buffers. I didn't know that but it might help me a lot! Thanks! Best regards, Jaak From tim.ruehsen at gmx.de Thu Feb 11 15:25:18 2016 From: tim.ruehsen at gmx.de (Tim Ruehsen) Date: Thu, 11 Feb 2016 15:25:18 +0100 Subject: [gnutls-devel] error: certificate policies import: ASN1 parser: Error in DER parsing Message-ID: <4837491.fbkSLpno8t@blitz-lx> On Debian SID (amd64), I recognize a ASN1 error with $ gnutls-cli -V outlook.office365.com ... error: certificate policies import: ASN1 parser: Error in DER parsing. ... $ gnutls-cli --version gnutls-cli 3.4.9 I am not sure if it is a GnuTLS issue or if it is an underlying library (libtasn ?) or whatever. Any idea ? Regards, Tim Processed 172 CA certificate(s). Resolving 'outlook.office365.com'... Connecting to '132.245.61.226:443'... - Certificate type: X.509 - Got a certificate list of 2 certificates. - Certificate[0] info: - X.509 Certificate Information: Version: 3 Serial Number (hex): 5a00020e4289e78c6958489ec1000100020e42 Issuer: C=US,ST=Washington,L=Redmond,O=Microsoft Corporation,OU=Microsoft IT,CN=Microsoft IT SSL SHA2 Validity: Not Before: Tue Oct 13 22:20:04 UTC 2015 Not After: Thu Oct 12 22:20:04 UTC 2017 Subject: C=US,ST=WA,L=Redmond,O=Microsoft Corporation,OU=Microsoft Corporation,CN=outlook.com Subject Public Key Algorithm: RSA Algorithm Security Level: Medium (2048 bits) Modulus (bits 2048): 00:e4:ff:c7:ed:b8:dd:9c:1f:a8:b9:17:12:3f:0a:cb ee:20:b4:b2:f0:6d:9e:3a:49:db:41:2d:f6:16:6e:79 ba:8b:32:76:4e:e8:02:58:a4:bf:88:3c:07:da:e8:1e 46:b9:4a:fe:ea:06:d6:9f:f6:90:c5:75:1e:18:c7:72 e0:a9:26:65:fe:e9:58:76:94:e5:54:54:9b:69:87:a1 43:1c:7a:09:9c:d7:9a:14:b0:93:d7:1e:07:a4:b1:9a a1:cf:e9:77:93:8f:f2:7f:ad:b0:04:bc:4a:10:37:ad a8:fe:42:14:f6:1b:97:d1:a3:f1:ef:83:6d:85:4d:87 57:cf:58:b4:7b:93:27:57:39:b8:f7:fd:be:c3:7b:b4 04:d1:72:02:98:80:f4:16:f4:4b:ca:db:d6:23:f5:9f 1b:a0:42:9a:9b:48:26:9b:55:a2:f1:11:91:7c:a7:6d 62:35:7d:bc:a4:c1:68:d2:f1:bf:85:b5:be:45:7c:78 6e:25:86:ab:29:6b:d1:1e:8d:4c:2e:f9:3b:0f:6f:59 3e:5b:c7:47:03:2d:d2:ab:fc:9f:25:59:88:18:0b:fb 86:bf:75:85:67:50:02:aa:45:a0:44:77:78:d9:99:fe 1d:9f:51:c5:e6:41:77:b2:c6:bc:8d:b0:1f:8b:9b:78 e7 Exponent (bits 24): 01:00:01 Extensions: Key Usage (not critical): Digital signature. Key encipherment. Data encipherment. Key Purpose (not critical): TLS WWW Server. TLS WWW Client. Unknown extension 1.2.840.113549.1.9.15 (not critical): ASCII: 0i0...*.H.........0...*.H.........0...`.H.e...*0...`.H.e...-0...`.H.e....0...`.H.e....0... +....0...*.H..... Hexdump: 3069300e06082a864886f70d030202020080300e06082a864886f70d030402020080300b060960864801650304012a300b060960864801650304012d300b0609608648016503040102300b0609608648016503040105300706052b0e030207300a06082a864886f70d0307 Subject Key Identifier (not critical): 9db0981c245ad49ded5153c4d7f6bab18d7b900f Authority Key Identifier (not critical): 51af24269cf468225780262b3b4662157b1ecca5 CRL Distribution points (not critical): URI: http://mscrl.microsoft.com/pki/mscorp/crl/msitwww2.crl URI: http://crl.microsoft.com/pki/mscorp/crl/msitwww2.crl Authority Information Access (not critical): Access Method: 1.3.6.1.5.5.7.48.2 (id-ad-caIssuers) Access Location URI: http://www.microsoft.com/pki/mscorp/msitwww2.crt Access Method: 1.3.6.1.5.5.7.48.1 (id-ad-ocsp) Access Location URI: http://ocsp.msocsp.com error: certificate policies import: ASN1 parser: Error in DER parsing. Unknown extension 1.3.6.1.4.1.311.21.10 (not critical): ASCII: 0.0...+.......0...+....... Hexdump: 3018300a06082b06010505070301300a06082b06010505070302 Subject Alternative Name (not critical): DNSname: outlook.com DNSname: *.outlook.com DNSname: office365.com DNSname: *.office365.com DNSname: *.live.com DNSname: *.internal.outlook.com DNSname: *.outlook.office365.com DNSname: outlook.office.com DNSname: attachment.outlook.office.net DNSname: attachment.outlook.officeppe.net DNSname: *.office.com Signature Algorithm: RSA-SHA256 Signature: 0d:4c:9c:84:be:af:71:b2:88:98:e0:db:e6:6c:c7:ba bd:e3:3e:3c:a2:f4:50:26:a2:06:eb:f7:3b:51:4c:ca ea:d1:05:90:87:a9:00:37:cb:b3:32:3e:cb:87:58:1b b1:8f:d6:3f:5e:e8:ad:9a:d5:2b:45:db:fb:44:8c:5d b5:20:0e:8d:4b:f2:13:88:e1:57:a1:2b:4b:41:9e:13 23:54:9b:dc:82:10:a0:e7:96:72:1b:58:7f:62:88:41 76:2f:40:9b:ad:5a:ec:e9:d6:07:11:50:7d:f1:b8:7c 4a:af:e4:c5:94:88:9c:5a:a4:1c:72:70:58:cd:4a:95 76:6f:76:22:19:47:a9:d8:d3:e2:42:88:62:33:c3:5c 4c:be:18:c7:a1:f7:e8:76:09:50:20:8a:db:2e:64:77 d5:2f:d5:7c:8a:4d:ed:ae:48:7a:a6:b1:a8:b5:c6:bf 25:9d:3a:70:aa:fb:09:62:ff:63:3d:33:34:a9:23:be f4:c5:fe:92:7a:9b:85:2f:92:e8:52:26:86:99:61:4e 11:8f:78:e3:5a:a8:f5:22:b3:fa:a4:3b:1c:f7:d6:1d e4:79:14:4a:45:2a:e3:13:7c:ca:10:ee:30:31:0a:51 0f:c8:8d:14:f1:d7:39:d6:2f:34:c4:2f:06:5e:46:f0 e4:da:de:31:5c:52:48:b0:6c:66:f2:3d:5a:2f:bf:8e c5:7c:6b:a4:ce:e1:0f:bd:68:99:06:b1:35:af:b8:9d 85:2e:04:37:8f:a7:fd:40:73:fc:fb:4b:61:0f:81:10 bf:18:c2:7f:50:d7:0a:7c:3f:c7:6a:df:28:d4:03:fb 61:3e:d1:60:5e:c6:4a:a4:b1:70:41:8a:56:17:24:e5 80:1a:42:c6:e3:8c:d7:6b:c7:c3:77:5a:8d:2a:be:ef c1:bc:94:46:53:bf:52:bd:68:09:00:47:e9:6d:01:63 a8:5d:f1:d4:d4:7e:9a:51:2b:89:3b:ae:8e:a0:1e:85 7f:10:61:d4:f0:28:d2:cc:25:21:79:66:27:24:18:d0 a2:fa:49:41:01:dd:64:9a:f4:dd:63:7c:1f:dc:a6:0b 05:07:d4:56:48:1a:d5:e2:e8:aa:65:ab:3c:b1:58:87 3f:10:14:b1:7f:18:d8:8b:90:04:48:82:e0:0c:65:5e fb:bd:cd:07:97:d5:21:37:6c:32:12:70:6b:7e:39:8e 75:92:83:ff:76:c8:32:15:b5:97:8f:68:0a:4c:61:16 48:b7:10:3f:71:34:f0:f4:c4:40:4f:5b:bd:9b:c7:41 f2:62:9e:c2:87:fd:6c:dd:76:51:fc:87:c5:68:a0:c1 Other Information: SHA1 fingerprint: a0476c0c30347a7a159a9ff50bcdbc84bdd3d166 SHA256 fingerprint: a1c0266559141b2e70d6c65e1554b216ac7bd3b49f5fb06fc84a2c4cb964ef7a Public Key ID: 8d168ddb5c566672875f2829029291c58867fbb4 Public key's random art: +--[ RSA 2048]----+ | .oBo. ..=o.| | . *.. .o. o*o..| | o . o...o. ..| | . . B o .| | o .S + | | E. | | | | | | | +-----------------+ -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 819 bytes Desc: This is a digitally signed message part. URL: From nmav at gnutls.org Thu Feb 11 17:32:48 2016 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Thu, 11 Feb 2016 17:32:48 +0100 Subject: [gnutls-devel] error: certificate policies import: ASN1 parser: Error in DER parsing In-Reply-To: <4837491.fbkSLpno8t@blitz-lx> References: <4837491.fbkSLpno8t@blitz-lx> Message-ID: On Thu, Feb 11, 2016 at 3:25 PM, Tim Ruehsen wrote: > On Debian SID (amd64), I recognize a ASN1 error with > > $ gnutls-cli -V outlook.office365.com > ... > error: certificate policies import: ASN1 parser: Error in DER parsing. > ... That's pretty interesting. I run it on master and got: |<3>| ASSERT: common.c:1070 |<3>| ASSERT: common.c:1186 |<3>| ASSERT: x509_ext.c:1850 The common.c:1070 code is the embedded null in string protection routine: /* Refuse to deal with strings containing NULs. */ if (etype != ASN1_ETYPE_OCTET_STRING) { if (output->data) len = strlen((void *) output->data); else len = 0; if (len != (size_t) output->size) { _gnutls_free_datum(output); ret = gnutls_assert_val(GNUTLS_E_ASN1_DER_ERROR); } } So it is an ascii string with an embedded NULL. For sure we need a better error code to handle this type of errors. regards, Nikos From ludo at gnu.org Thu Feb 11 23:04:30 2016 From: ludo at gnu.org (=?UTF-8?q?Ludovic=20Court=C3=A8s?=) Date: Thu, 11 Feb 2016 23:04:30 +0100 Subject: [gnutls-devel] [PATCH 0/8] Assorted Guile bindings improvements Message-ID: <1455228278-23708-1-git-send-email-ludo@gnu.org> Hello! Here are some cleanups and improvements to the Guile bindings. The new things is that Guile modules are compiled (on 2.x) and that Guile 2.1/2.2 is supported. This is against master but could be applied to the 3.4 branch as well. Thanks, Ludo'. PS: I lost commit access with the move to gitlab.com so I'd be grateful if you could commit on my behalf. Ludovic Court?s (8): guile: tests: Add 'with-child-process'. guile: tests: Make sure no processes are left behind. guile: tests: Add Guile 2.2 compatibility layer. guile: doc: Change prompt in examples. guile: Build and install .go files on Guile 2.x. guile: build: Make silent rules actually quiet. guile: Install modules in versioned directory by default. guile: Work around lack of 'eval-when' on 1.8. configure.ac | 28 ++++--- doc/gnutls-guile.texi | 32 ++++---- guile/.dir-locals.el | 12 +++ guile/Makefile.am | 123 ++++++++++++++++++++++++++++++- guile/modules/Makefile.am | 38 ---------- guile/modules/gnutls.in | 8 +- guile/modules/gnutls/build/tests.scm | 66 ++++++++++++++++- guile/src/Makefile.am | 20 ++--- guile/tests/Makefile.am | 43 ----------- guile/tests/anonymous-auth.scm | 77 ++++++++++--------- guile/tests/openpgp-auth.scm | 93 ++++++++++++----------- guile/tests/session-record-port.scm | 138 +++++++++++++++++------------------ guile/tests/x509-auth.scm | 104 +++++++++++++------------- 13 files changed, 454 insertions(+), 328 deletions(-) create mode 100644 guile/.dir-locals.el delete mode 100644 guile/modules/Makefile.am delete mode 100644 guile/tests/Makefile.am -- 2.6.3 From ludo at gnu.org Thu Feb 11 23:04:31 2016 From: ludo at gnu.org (=?UTF-8?q?Ludovic=20Court=C3=A8s?=) Date: Thu, 11 Feb 2016 23:04:31 +0100 Subject: [gnutls-devel] [PATCH 1/8] guile: tests: Add 'with-child-process'. In-Reply-To: <1455228278-23708-1-git-send-email-ludo@gnu.org> References: <1455228278-23708-1-git-send-email-ludo@gnu.org> Message-ID: <1455228278-23708-2-git-send-email-ludo@gnu.org> This makes sure that child processes always exit no matter what. * guile/modules/gnutls/build/tests.scm (define-syntax-rule) [!guile-2]: New macro. (call-with-child-process): New procedure. (with-child-process): New macro. * guile/tests/anonymous-auth.scm, guile/tests/openpgp-auth.scm, guile/tests/session-record-port.scm, guile/tests/x509-auth.scm: Use it instead of an explicit 'primitive-fork' call. * guile/.dir-locals.el: New file. * guile/Makefile.am (EXTRA_DIST): New variable. --- guile/.dir-locals.el | 12 +++ guile/Makefile.am | 4 +- guile/modules/gnutls/build/tests.scm | 41 ++++++++++- guile/tests/anonymous-auth.scm | 76 ++++++++++--------- guile/tests/openpgp-auth.scm | 92 ++++++++++++----------- guile/tests/session-record-port.scm | 137 +++++++++++++++++------------------ guile/tests/x509-auth.scm | 103 +++++++++++++------------- 7 files changed, 255 insertions(+), 210 deletions(-) create mode 100644 guile/.dir-locals.el diff --git a/guile/.dir-locals.el b/guile/.dir-locals.el new file mode 100644 index 0000000..54091cc --- /dev/null +++ b/guile/.dir-locals.el @@ -0,0 +1,12 @@ +;; Per-directory local variables for GNU Emacs 23 and later. + +((nil + . ((fill-column . 78) + (tab-width . 8))) + (c-mode . ((c-file-style . "gnu"))) + (scheme-mode + . + ((indent-tabs-mode . nil) + (eval . (put 'with-child-process 'scheme-indent-function 1)))) + (texinfo-mode . ((indent-tabs-mode . nil) + (fill-column . 72)))) diff --git a/guile/Makefile.am b/guile/Makefile.am index a981ed5..ed9b8ba 100644 --- a/guile/Makefile.am +++ b/guile/Makefile.am @@ -1,5 +1,5 @@ # GnuTLS --- Guile bindings for GnuTLS. -# Copyright (C) 2007-2012 Free Software Foundation, Inc. +# Copyright (C) 2007-2012, 2016 Free Software Foundation, Inc. # # GnuTLS is free software; you can redistribute it and/or # modify it under the terms of the GNU Lesser General Public @@ -16,3 +16,5 @@ # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA SUBDIRS = modules src tests + +EXTRA_DIST = .dir-locals.el diff --git a/guile/modules/gnutls/build/tests.scm b/guile/modules/gnutls/build/tests.scm index f5e135b..5a03ce7 100644 --- a/guile/modules/gnutls/build/tests.scm +++ b/guile/modules/gnutls/build/tests.scm @@ -1,5 +1,5 @@ ;;; GnuTLS --- Guile bindings for GnuTLS. -;;; Copyright (C) 2011-2012 Free Software Foundation, Inc. +;;; Copyright (C) 2011-2012, 2016 Free Software Foundation, Inc. ;;; ;;; GnuTLS is free software; you can redistribute it and/or ;;; modify it under the terms of the GNU Lesser General Public @@ -18,7 +18,8 @@ ;;; Written by Ludovic Court?s . (define-module (gnutls build tests) - #:export (run-test)) + #:export (run-test + with-child-process)) (define (run-test thunk) "Call `(exit (THUNK))'. If THUNK raises an exception, then call `(exit 1)' and @@ -39,3 +40,39 @@ display a backtrace. Otherwise, return THUNK's return value." (lambda () (exit 1))) (exit 1))))) + +(define (call-with-child-process child parent) + "Run thunk CHILD in a child process and invoke PARENT from the parent +process, passing it the PID of the child process. Make sure the child +process exits upon failure." + (let ((pid (primitive-fork))) + (if (zero? pid) + (dynamic-wind + (const #t) + (lambda () + (primitive-exit (if (child) 0 1))) + (lambda () + (primitive-exit 2))) + (parent pid)))) + +(cond-expand + ((not guile-2) ;1.8, yay! + (use-modules (ice-9 syncase)) + + (define-syntax define-syntax-rule + (syntax-rules () + ((_ (name args ...) docstring body) + (define-syntax name + (syntax-rules () + ((_ args ...) body)))))) + + (export define-syntax-rule)) + (else + #t)) + +(define-syntax-rule (with-child-process pid parent child) + "Fork and evaluate expression PARENT in the current process, with PID bound +to the PID of its child process; the child process evaluated CHILD." + (call-with-child-process + (lambda () child) + (lambda (pid) parent))) diff --git a/guile/tests/anonymous-auth.scm b/guile/tests/anonymous-auth.scm index 585b3a5..d01884d 100644 --- a/guile/tests/anonymous-auth.scm +++ b/guile/tests/anonymous-auth.scm @@ -1,5 +1,5 @@ ;;; GnuTLS --- Guile bindings for GnuTLS. -;;; Copyright (C) 2007-2013 Free Software Foundation, Inc. +;;; Copyright (C) 2007-2013, 2016 Free Software Foundation, Inc. ;;; ;;; GnuTLS is free software; you can redistribute it and/or ;;; modify it under the terms of the GNU Lesser General Public @@ -52,43 +52,41 @@ ;; (format #t "[~a|~a] ~a" (getpid) level str))) (run-test - (lambda () - (let ((socket-pair (socketpair PF_UNIX SOCK_STREAM 0)) - (pid (primitive-fork))) - (if (= 0 pid) - - (let ((client (make-session connection-end/client))) - ;; client-side (child process) - (set-session-priorities! client priorities) - (set-session-server-name! client - server-name-type/dns (gethostname)) - (set-session-transport-fd! client (port->fdes (car socket-pair))) - (set-session-credentials! client (make-anonymous-client-credentials)) - (set-session-dh-prime-bits! client 1024) - - (handshake client) - (record-send client %message) - (bye client close-request/rdwr) - - (primitive-exit)) - - (let ((server (make-session connection-end/server))) - ;; server-side - (set-session-priorities! server priorities) - - (set-session-transport-fd! server (port->fdes (cdr socket-pair))) - (let ((cred (make-anonymous-server-credentials)) - (dh-params (import-dh-params "dh-parameters.pem"))) - ;; Note: DH parameter generation can take some time. - (set-anonymous-server-dh-parameters! cred dh-params) - (set-session-credentials! server cred)) - (set-session-dh-prime-bits! server 1024) - - (handshake server) - (let* ((buf (make-u8vector (u8vector-length %message))) - (amount (record-receive! server buf))) - (bye server close-request/rdwr) - (and (= amount (u8vector-length %message)) - (equal? buf %message)))))))) + (lambda () + (let ((socket-pair (socketpair PF_UNIX SOCK_STREAM 0))) + (with-child-process pid + ;; server-side + (let ((server (make-session connection-end/server))) + (set-session-priorities! server priorities) + + (set-session-transport-fd! server (port->fdes (cdr socket-pair))) + (let ((cred (make-anonymous-server-credentials)) + (dh-params (import-dh-params "dh-parameters.pem"))) + ;; Note: DH parameter generation can take some time. + (set-anonymous-server-dh-parameters! cred dh-params) + (set-session-credentials! server cred)) + (set-session-dh-prime-bits! server 1024) + + (handshake server) + (let* ((buf (make-u8vector (u8vector-length %message))) + (amount (record-receive! server buf))) + (bye server close-request/rdwr) + (and (= amount (u8vector-length %message)) + (equal? buf %message)))) + + ;; client-side (child process) + (let ((client (make-session connection-end/client))) + (set-session-priorities! client priorities) + (set-session-server-name! client + server-name-type/dns (gethostname)) + (set-session-transport-fd! client (port->fdes (car socket-pair))) + (set-session-credentials! client (make-anonymous-client-credentials)) + (set-session-dh-prime-bits! client 1024) + + (handshake client) + (record-send client %message) + (bye client close-request/rdwr) + + (primitive-exit)))))) ;;; arch-tag: 8c98de24-0a53-4290-974e-4b071ad162a0 diff --git a/guile/tests/openpgp-auth.scm b/guile/tests/openpgp-auth.scm index a60f885..49b4817 100644 --- a/guile/tests/openpgp-auth.scm +++ b/guile/tests/openpgp-auth.scm @@ -1,5 +1,5 @@ ;;; GnuTLS-extra --- Guile bindings for GnuTLS-EXTRA. -;;; Copyright (C) 2007-2014 Free Software Foundation, Inc. +;;; Copyright (C) 2007-2014, 2016 Free Software Foundation, Inc. ;;; ;;; GnuTLS-extra is free software; you can redistribute it and/or modify ;;; it under the terms of the GNU General Public License as published by @@ -56,51 +56,49 @@ ;; (format #t "[~a|~a] ~a" (getpid) level str))) (run-test - (lambda () - (let ((socket-pair (socketpair PF_UNIX SOCK_STREAM 0)) - (pub (import-key import-openpgp-certificate - "openpgp-pub.asc")) - (sec (import-key import-openpgp-private-key - "openpgp-sec.asc"))) - (let ((pid (primitive-fork))) - (if (= 0 pid) - - (let ((client (make-session connection-end/client)) - (cred (make-certificate-credentials))) - ;; client-side (child process) - (set-session-priorities! client priorities) - - (set-certificate-credentials-openpgp-keys! cred pub sec) - (set-session-credentials! client cred) - (set-session-dh-prime-bits! client 1024) - - (set-session-transport-fd! client (port->fdes (car socket-pair))) - - (handshake client) - (write %message (session-record-port client)) - (bye client close-request/rdwr) - - (primitive-exit)) - - (let ((server (make-session connection-end/server)) - (dh (import-dh-params "dh-parameters.pem"))) - ;; server-side - (set-session-priorities! server priorities) - (set-server-session-certificate-request! server - certificate-request/require) - - (set-session-transport-fd! server (port->fdes (cdr socket-pair))) - (let ((cred (make-certificate-credentials))) - (set-certificate-credentials-dh-parameters! cred dh) - (set-certificate-credentials-openpgp-keys! cred pub sec) - (set-session-credentials! server cred)) - (set-session-dh-prime-bits! server 1024) - - (handshake server) - (let ((msg (read (session-record-port server))) - (auth-type (session-authentication-type server))) - (bye server close-request/rdwr) - (and (eq? auth-type credentials/certificate) - (equal? msg %message))))))))) + (lambda () + (let ((socket-pair (socketpair PF_UNIX SOCK_STREAM 0)) + (pub (import-key import-openpgp-certificate + "openpgp-pub.asc")) + (sec (import-key import-openpgp-private-key + "openpgp-sec.asc"))) + (with-child-process pid + ;; server-side + (let ((server (make-session connection-end/server)) + (dh (import-dh-params "dh-parameters.pem"))) + (set-session-priorities! server priorities) + (set-server-session-certificate-request! server + certificate-request/require) + + (set-session-transport-fd! server (port->fdes (cdr socket-pair))) + (let ((cred (make-certificate-credentials))) + (set-certificate-credentials-dh-parameters! cred dh) + (set-certificate-credentials-openpgp-keys! cred pub sec) + (set-session-credentials! server cred)) + (set-session-dh-prime-bits! server 1024) + + (handshake server) + (let ((msg (read (session-record-port server))) + (auth-type (session-authentication-type server))) + (bye server close-request/rdwr) + (and (eq? auth-type credentials/certificate) + (equal? msg %message)))) + + ;; client-side (child process) + (let ((client (make-session connection-end/client)) + (cred (make-certificate-credentials))) + (set-session-priorities! client priorities) + + (set-certificate-credentials-openpgp-keys! cred pub sec) + (set-session-credentials! client cred) + (set-session-dh-prime-bits! client 1024) + + (set-session-transport-fd! client (port->fdes (car socket-pair))) + + (handshake client) + (write %message (session-record-port client)) + (bye client close-request/rdwr) + + (primitive-exit)))))) ;;; arch-tag: 1a973ed5-f45d-45a4-8160-900b6a8c27ff diff --git a/guile/tests/session-record-port.scm b/guile/tests/session-record-port.scm index bb3f25f..8291880 100644 --- a/guile/tests/session-record-port.scm +++ b/guile/tests/session-record-port.scm @@ -1,5 +1,5 @@ ;;; GnuTLS --- Guile bindings for GnuTLS. -;;; Copyright (C) 2007-2012, 2014 Free Software Foundation, Inc. +;;; Copyright (C) 2007-2012, 2014, 2016 Free Software Foundation, Inc. ;;; ;;; GnuTLS is free software; you can redistribute it and/or ;;; modify it under the terms of the GNU Lesser General Public @@ -51,73 +51,72 @@ ;; (format #t "[~a|~a] ~a" (getpid) level str))) (run-test - (lambda () - ;; Stress the GC. In 0.0, this triggered an abort due to - ;; "scm_unprotect_object called during GC". - (let ((sessions (map (lambda (i) - (make-session connection-end/server)) - (iota 123)))) - (for-each session-record-port sessions) - (gc)(gc)(gc)) - - ;; Stress the GC. The session associated to each port in PORTS should - ;; remain reachable. - (let ((ports (map session-record-port - (map (lambda (i) - (make-session connection-end/server)) - (iota 123))))) - (gc)(gc)(gc) - (for-each (lambda (p) - (catch 'gnutls-error - (lambda () - (read p)) - (lambda (key . args) - #t))) - ports)) - - ;; Try using the record port for I/O. - (let ((socket-pair (socketpair PF_UNIX SOCK_STREAM 0)) - (pid (primitive-fork))) - (if (= 0 pid) - - (let ((client (make-session connection-end/client))) - ;; client-side (child process) - (set-session-priorities! client priorities) - - (set-session-transport-port! client (car socket-pair)) - (set-session-credentials! client (make-anonymous-client-credentials)) - (set-session-dh-prime-bits! client 1024) - - (handshake client) - (uniform-vector-write %message (session-record-port client)) - (bye client close-request/rdwr) - - (primitive-exit)) - - (let ((server (make-session connection-end/server))) - ;; server-side - (set-session-priorities! server priorities) - - (set-session-transport-port! server (cdr socket-pair)) - (let ((cred (make-anonymous-server-credentials)) - (dh-params (import-dh-params "dh-parameters.pem"))) - ;; Note: DH parameter generation can take some time. - (set-anonymous-server-dh-parameters! cred dh-params) - (set-session-credentials! server cred)) - (set-session-dh-prime-bits! server 1024) - - (handshake server) - (let* ((buf (make-u8vector (u8vector-length %message))) - (amount - (uniform-vector-read! buf (session-record-port server)))) - (bye server close-request/rdwr) - - ;; Make sure we got everything right. - (and (eq? (session-record-port server) - (session-record-port server)) - (= amount (u8vector-length %message)) - (equal? buf %message) - (eof-object? - (read-char (session-record-port server)))))))))) + (lambda () + ;; Stress the GC. In 0.0, this triggered an abort due to + ;; "scm_unprotect_object called during GC". + (let ((sessions (map (lambda (i) + (make-session connection-end/server)) + (iota 123)))) + (for-each session-record-port sessions) + (gc)(gc)(gc)) + + ;; Stress the GC. The session associated to each port in PORTS should + ;; remain reachable. + (let ((ports (map session-record-port + (map (lambda (i) + (make-session connection-end/server)) + (iota 123))))) + (gc)(gc)(gc) + (for-each (lambda (p) + (catch 'gnutls-error + (lambda () + (read p)) + (lambda (key . args) + #t))) + ports)) + + ;; Try using the record port for I/O. + (let ((socket-pair (socketpair PF_UNIX SOCK_STREAM 0))) + (with-child-process pid + + ;; server-side + (let ((server (make-session connection-end/server))) + (set-session-priorities! server priorities) + + (set-session-transport-port! server (cdr socket-pair)) + (let ((cred (make-anonymous-server-credentials)) + (dh-params (import-dh-params "dh-parameters.pem"))) + ;; Note: DH parameter generation can take some time. + (set-anonymous-server-dh-parameters! cred dh-params) + (set-session-credentials! server cred)) + (set-session-dh-prime-bits! server 1024) + + (handshake server) + (let* ((buf (make-u8vector (u8vector-length %message))) + (amount + (uniform-vector-read! buf (session-record-port server)))) + (bye server close-request/rdwr) + + ;; Make sure we got everything right. + (and (eq? (session-record-port server) + (session-record-port server)) + (= amount (u8vector-length %message)) + (equal? buf %message) + (eof-object? + (read-char (session-record-port server)))))) + + ;; client-side (child process) + (let ((client (make-session connection-end/client))) + (set-session-priorities! client priorities) + + (set-session-transport-port! client (car socket-pair)) + (set-session-credentials! client (make-anonymous-client-credentials)) + (set-session-dh-prime-bits! client 1024) + + (handshake client) + (uniform-vector-write %message (session-record-port client)) + (bye client close-request/rdwr) + + (primitive-exit)))))) ;;; arch-tag: e873226a-d0b6-4a93-87ec-a1b5ad2ae8a2 diff --git a/guile/tests/x509-auth.scm b/guile/tests/x509-auth.scm index 71c8d15..609251d 100644 --- a/guile/tests/x509-auth.scm +++ b/guile/tests/x509-auth.scm @@ -1,5 +1,5 @@ ;;; GnuTLS --- Guile bindings for GnuTLS. -;;; Copyright (C) 2007-2014 Free Software Foundation, Inc. +;;; Copyright (C) 2007-2014, 2016 Free Software Foundation, Inc. ;;; ;;; GnuTLS is free software; you can redistribute it and/or ;;; modify it under the terms of the GNU Lesser General Public @@ -55,56 +55,55 @@ ;; (format #t "[~a|~a] ~a" (getpid) level str))) (run-test - (lambda () - (let ((socket-pair (socketpair PF_UNIX SOCK_STREAM 0)) - (pub (import-key import-x509-certificate - "x509-certificate.pem")) - (sec (import-key import-x509-private-key - "x509-key.pem"))) - (let ((pid (primitive-fork))) - (if (= 0 pid) - - (let ((client (make-session connection-end/client)) - (cred (make-certificate-credentials))) - ;; client-side (child process) - (set-session-priorities! client priorities) - (set-certificate-credentials-x509-keys! cred (list pub) sec) - (set-session-credentials! client cred) - (set-session-dh-prime-bits! client 1024) - - (set-session-transport-fd! client (port->fdes (car socket-pair))) - - (handshake client) - (write %message (session-record-port client)) - (bye client close-request/rdwr) - - (primitive-exit)) - - (let ((server (make-session connection-end/server)) - (dh (import-dh-params "dh-parameters.pem"))) - ;; server-side - (set-session-priorities! server priorities) - (set-server-session-certificate-request! server - certificate-request/require) - - (set-session-transport-fd! server (port->fdes (cdr socket-pair))) - (let ((cred (make-certificate-credentials)) - (trust-file (search-path %load-path - "x509-certificate.pem")) - (trust-fmt x509-certificate-format/pem)) - (set-certificate-credentials-dh-parameters! cred dh) - (set-certificate-credentials-x509-keys! cred (list pub) sec) - (set-certificate-credentials-x509-trust-file! cred - trust-file - trust-fmt) - (set-session-credentials! server cred)) - (set-session-dh-prime-bits! server 1024) - - (handshake server) - (let ((msg (read (session-record-port server))) - (auth-type (session-authentication-type server))) - (bye server close-request/rdwr) - (and (eq? auth-type credentials/certificate) - (equal? msg %message))))))))) + (lambda () + (let ((socket-pair (socketpair PF_UNIX SOCK_STREAM 0)) + (pub (import-key import-x509-certificate + "x509-certificate.pem")) + (sec (import-key import-x509-private-key + "x509-key.pem"))) + (with-child-process pid + + ;; server-side + (let ((server (make-session connection-end/server)) + (dh (import-dh-params "dh-parameters.pem"))) + (set-session-priorities! server priorities) + (set-server-session-certificate-request! server + certificate-request/require) + + (set-session-transport-fd! server (port->fdes (cdr socket-pair))) + (let ((cred (make-certificate-credentials)) + (trust-file (search-path %load-path + "x509-certificate.pem")) + (trust-fmt x509-certificate-format/pem)) + (set-certificate-credentials-dh-parameters! cred dh) + (set-certificate-credentials-x509-keys! cred (list pub) sec) + (set-certificate-credentials-x509-trust-file! cred + trust-file + trust-fmt) + (set-session-credentials! server cred)) + (set-session-dh-prime-bits! server 1024) + + (handshake server) + (let ((msg (read (session-record-port server))) + (auth-type (session-authentication-type server))) + (bye server close-request/rdwr) + (and (eq? auth-type credentials/certificate) + (equal? msg %message)))) + + ;; client-side (child process) + (let ((client (make-session connection-end/client)) + (cred (make-certificate-credentials))) + (set-session-priorities! client priorities) + (set-certificate-credentials-x509-keys! cred (list pub) sec) + (set-session-credentials! client cred) + (set-session-dh-prime-bits! client 1024) + + (set-session-transport-fd! client (port->fdes (car socket-pair))) + + (handshake client) + (write %message (session-record-port client)) + (bye client close-request/rdwr) + + (primitive-exit)))))) ;;; arch-tag: 1f88f835-a5c8-4fd6-94b6-5a13571ba03d -- 2.6.3 From ludo at gnu.org Thu Feb 11 23:04:35 2016 From: ludo at gnu.org (=?UTF-8?q?Ludovic=20Court=C3=A8s?=) Date: Thu, 11 Feb 2016 23:04:35 +0100 Subject: [gnutls-devel] [PATCH 5/8] guile: Build and install .go files on Guile 2.x. In-Reply-To: <1455228278-23708-1-git-send-email-ludo@gnu.org> References: <1455228278-23708-1-git-send-email-ludo@gnu.org> Message-ID: <1455228278-23708-6-git-send-email-ludo@gnu.org> * configure.ac: Check for 'guild' and substitute 'GUILD'. Define 'HAVE_GUILD'. Substitute 'guileobjectdir'. Don't output guile/modules/Makefile and guile/tests/Makefile. * guile/modules/Makefile.am, guile/tests/Makefile.am: Remove. Move contents to... * guile/Makefile.am: ... here. (SUBDIRS): Remove 'modules' and 'tests'. --- configure.ac | 19 ++++++-- guile/Makefile.am | 118 +++++++++++++++++++++++++++++++++++++++++++++- guile/modules/Makefile.am | 38 --------------- guile/tests/Makefile.am | 43 ----------------- 4 files changed, 131 insertions(+), 87 deletions(-) delete mode 100644 guile/modules/Makefile.am delete mode 100644 guile/tests/Makefile.am diff --git a/configure.ac b/configure.ac index 6a5600c..8440def 100644 --- a/configure.ac +++ b/configure.ac @@ -1,5 +1,5 @@ dnl Process this file with autoconf to produce a configure script. -# Copyright (C) 2000-2012 Free Software Foundation, Inc. +# Copyright (C) 2000-2012, 2016 Free Software Foundation, Inc. # # Author: Nikos Mavrogiannopoulos, Simon Josefsson # @@ -730,9 +730,14 @@ if test "$opt_guile_bindings" = "yes"; then AC_PATH_PROG([guile_snarf], [guile-snarf]) if test "x$guile_snarf" = "x"; then - AC_MSG_WARN([`guile-snarf' from Guile 1.8 not found. Guile bindings not built.]) + AC_MSG_WARN([`guile-snarf' from Guile not found. Guile bindings not built.]) opt_guile_bindings=no else + dnl Check for 'guild', which can be used to compile Scheme code + dnl on Guile 2.x. + AC_PATH_PROG([GUILD], [guild]) + AC_SUBST([GUILD]) + GUILE_PROGS GUILE_FLAGS @@ -789,6 +794,10 @@ if test "$opt_guile_bindings" = "yes"; then AC_MSG_RESULT([$guile_effective_version]) guileextensiondir="$libdir/guile/$guile_effective_version" AC_SUBST([guileextensiondir]) + + # The location of .go files. + guileobjectdir="$libdir/guile/$guile_effective_version/site-ccache" + AC_SUBST([guileobjectdir]) else AC_MSG_RESULT([no]) AC_MSG_WARN([A sufficiently recent GNU Guile not found. Guile bindings not built.]) @@ -796,7 +805,9 @@ if test "$opt_guile_bindings" = "yes"; then fi fi fi -AM_CONDITIONAL(HAVE_GUILE, test "$opt_guile_bindings" = "yes") + +AM_CONDITIONAL([HAVE_GUILE], [test "$opt_guile_bindings" = "yes"]) +AM_CONDITIONAL([HAVE_GUILD], [test "x$GUILD" != "x"]) LIBGNUTLS_LIBS="-L${libdir} -lgnutls $LIBS" LIBGNUTLS_CFLAGS="-I${includedir}" @@ -886,9 +897,7 @@ AC_CONFIG_FILES([ gl/Makefile gl/tests/Makefile guile/Makefile - guile/modules/Makefile guile/src/Makefile - guile/tests/Makefile lib/Makefile lib/accelerated/Makefile lib/accelerated/x86/Makefile diff --git a/guile/Makefile.am b/guile/Makefile.am index ed9b8ba..98ac7a1 100644 --- a/guile/Makefile.am +++ b/guile/Makefile.am @@ -15,6 +15,122 @@ # License along with GnuTLS; if not, write to the Free Software # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA -SUBDIRS = modules src tests +# First of all, built the DSO. We cannot compile the Scheme code until this +# is done. +SUBDIRS = src + EXTRA_DIST = .dir-locals.el + +guilemoduledir = $(GUILE_SITE) +guilemodulesubdir = $(GUILE_SITE)/gnutls + +nodist_guilemodule_DATA = modules/gnutls.scm +dist_guilemodulesub_DATA = modules/gnutls/extra.scm + +documentation_modules = \ + modules/system/documentation/README \ + modules/system/documentation/c-snarf.scm \ + modules/system/documentation/output.scm + +helper_modules = \ + modules/gnutls/build/enums.scm \ + modules/gnutls/build/smobs.scm \ + modules/gnutls/build/utils.scm \ + modules/gnutls/build/tests.scm + +EXTRA_DIST += modules/gnutls.in $(helper_modules) $(documentation_modules) + +CLEANFILES = modules/gnutls.scm + +.in.scm: + cat "$^" | $(SED) -e's|[@]guileextensiondir[@]|$(guileextensiondir)|g' \ + > "$@.tmp" + mv "$@.tmp" "$@" + + +# +# Scheme code compilation. +# + +if HAVE_GUILD + +guileobjectsubdir = $(guileobjectdir)/gnutls +nodist_guileobject_DATA = modules/gnutls.go +nodist_guileobjectsub_DATA = modules/gnutls/extra.go + +GOBJECTS = \ + $(nodist_guileobject_DATA) \ + $(nodist_guileobjectsub_DATA) + +CLEANFILES += $(GOBJECTS) + +AM_V_GUILEC = $(AM_V_GUILEC_$(V)) +AM_V_GUILEC_ = $(AM_V_GUILEC_$(AM_DEFAULT_VERBOSITY)) +AM_V_GUILEC_0 = @echo " GUILEC " $@; + +# Make sure 'gnutls.scm' is built first. +# Unset 'GUILE_LOAD_COMPILED_PATH' so we can be sure that any .go file that we +# load comes from the build directory. +# XXX: Use the C locale for when Guile lacks +# . +%.go: %.scm modules/gnutls.scm + $(AM_V_GUILEC)$(MKDIR_P) "`dirname "$@"`" ; \ + $(AM_V_P) && out=1 || out=- ; \ + unset GUILE_LOAD_COMPILED_PATH ; LC_ALL=C \ + GNUTLS_GUILE_EXTENSION_DIR="$(abs_top_builddir)/guile/src" \ + $(GUILD) compile --target="$(host)" \ + -L "$(top_builddir)/guile/modules" \ + -L "$(top_srcdir)/guile/modules" \ + -Wformat -Wunbound-variable -Warity-mismatch \ + -o "$@" "$<" >&$$out + +SUFFIXES = .go + +endif HAVE_GUILD + + +# +# Tests. +# + +TESTS = \ + tests/anonymous-auth.scm \ + tests/session-record-port.scm \ + tests/pkcs-import-export.scm \ + tests/errors.scm \ + tests/x509-certificates.scm \ + tests/x509-auth.scm \ + tests/priorities.scm + +if ENABLE_OPENPGP +TESTS += \ + tests/openpgp-keys.scm \ + tests/openpgp-keyring.scm \ + tests/openpgp-auth.scm +endif + +if ENABLE_SRP +TESTS += \ + tests/srp-base64.scm +endif + +TESTS_ENVIRONMENT = \ + GUILE_AUTO_COMPILE=0 \ + GUILE_WARN_DEPRECATED=detailed + +LOG_COMPILER = $(top_builddir)/guile/pre-inst-guile -L $(srcdir)/tests + + +EXTRA_DIST += \ + $(TESTS) \ + tests/openpgp-pub.asc \ + tests/openpgp-sec.asc \ + tests/openpgp-elg-pub.asc \ + tests/openpgp-elg-sec.asc \ + tests/openpgp-keyring.gpg \ + tests/openpgp-keyring.asc \ + tests/rsa-parameters.pem \ + tests/dh-parameters.pem \ + tests/x509-certificate.pem \ + tests/x509-key.pem diff --git a/guile/modules/Makefile.am b/guile/modules/Makefile.am deleted file mode 100644 index 71e3d68..0000000 --- a/guile/modules/Makefile.am +++ /dev/null @@ -1,38 +0,0 @@ -# GnuTLS --- Guile bindings for GnuTLS. -# Copyright (C) 2007-2012, 2014 Free Software Foundation, Inc. -# -# GnuTLS is free software; you can redistribute it and/or -# modify it under the terms of the GNU Lesser General Public -# License as published by the Free Software Foundation; either -# version 2.1 of the License, or (at your option) any later version. -# -# GnuTLS is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -# Lesser General Public License for more details. -# -# You should have received a copy of the GNU Lesser General Public -# License along with GnuTLS; if not, write to the Free Software -# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA - -guilemoduledir = $(GUILE_SITE) - -nobase_nodist_guilemodule_DATA = gnutls.scm -nobase_dist_guilemodule_DATA = gnutls/extra.scm - -documentation_modules = system/documentation/README \ - system/documentation/c-snarf.scm \ - system/documentation/output.scm - -EXTRA_DIST = gnutls/build/enums.scm gnutls/build/smobs.scm \ - gnutls/build/utils.scm \ - gnutls/build/tests.scm \ - gnutls.in \ - $(documentation_modules) - -CLEANFILES = gnutls.scm - -.in.scm: - cat "$^" | $(SED) -e's|[@]guileextensiondir[@]|$(guileextensiondir)|g' \ - > "$@.tmp" - mv "$@.tmp" "$@" diff --git a/guile/tests/Makefile.am b/guile/tests/Makefile.am deleted file mode 100644 index 6b1cfd8..0000000 --- a/guile/tests/Makefile.am +++ /dev/null @@ -1,43 +0,0 @@ -# GnuTLS --- Guile bindings for GnuTLS. -# Copyright (C) 2007-2013 Free Software Foundation, Inc. -# -# GnuTLS is free software; you can redistribute it and/or -# modify it under the terms of the GNU Lesser General Public -# License as published by the Free Software Foundation; either -# version 2.1 of the License, or (at your option) any later version. -# -# GnuTLS is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -# Lesser General Public License for more details. -# -# You should have received a copy of the GNU Lesser General Public -# License along with GnuTLS; if not, write to the Free Software -# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA - -TESTS = anonymous-auth.scm session-record-port.scm \ - pkcs-import-export.scm \ - errors.scm \ - x509-certificates.scm x509-auth.scm \ - priorities.scm - -if ENABLE_OPENPGP -TESTS += openpgp-keys.scm openpgp-keyring.scm openpgp-auth.scm -endif - -if ENABLE_SRP -TESTS += srp-base64.scm -endif - -TESTS_ENVIRONMENT = \ - GUILE_AUTO_COMPILE=0 \ - GUILE_WARN_DEPRECATED=detailed - -LOG_COMPILER = $(top_builddir)/guile/pre-inst-guile -L $(srcdir) - - -EXTRA_DIST = $(TESTS) openpgp-pub.asc openpgp-sec.asc \ - openpgp-elg-pub.asc openpgp-elg-sec.asc \ - openpgp-keyring.gpg openpgp-keyring.asc \ - rsa-parameters.pem dh-parameters.pem \ - x509-certificate.pem x509-key.pem -- 2.6.3 From ludo at gnu.org Thu Feb 11 23:04:36 2016 From: ludo at gnu.org (=?UTF-8?q?Ludovic=20Court=C3=A8s?=) Date: Thu, 11 Feb 2016 23:04:36 +0100 Subject: [gnutls-devel] [PATCH 6/8] guile: build: Make silent rules actually quiet. In-Reply-To: <1455228278-23708-1-git-send-email-ludo@gnu.org> References: <1455228278-23708-1-git-send-email-ludo@gnu.org> Message-ID: <1455228278-23708-7-git-send-email-ludo@gnu.org> * guile/Makefile.am (.in.scm): Use $(AM_V_GEN) and $(AM_V_at). * guile/src/Makefile.am (enums.h, enum-map.i.c) (smobs.h, smob-types.i.c, %.x): Likewise. --- guile/Makefile.am | 5 +++-- guile/src/Makefile.am | 20 ++++++++++---------- 2 files changed, 13 insertions(+), 12 deletions(-) diff --git a/guile/Makefile.am b/guile/Makefile.am index 98ac7a1..90c2fe5 100644 --- a/guile/Makefile.am +++ b/guile/Makefile.am @@ -44,9 +44,10 @@ EXTRA_DIST += modules/gnutls.in $(helper_modules) $(documentation_modules) CLEANFILES = modules/gnutls.scm .in.scm: - cat "$^" | $(SED) -e's|[@]guileextensiondir[@]|$(guileextensiondir)|g' \ + $(AM_V_GEN)cat "$^" | \ + $(SED) -e's|[@]guileextensiondir[@]|$(guileextensiondir)|g' \ > "$@.tmp" - mv "$@.tmp" "$@" + $(AM_V_at)mv "$@.tmp" "$@" # diff --git a/guile/src/Makefile.am b/guile/src/Makefile.am index 4149319..177a861 100644 --- a/guile/src/Makefile.am +++ b/guile/src/Makefile.am @@ -1,5 +1,5 @@ # GnuTLS --- Guile bindings for GnuTLS. -# Copyright (C) 2007-2014 Free Software Foundation, Inc. +# Copyright (C) 2007-2014, 2016 Free Software Foundation, Inc. # # GnuTLS is free software; you can redistribute it and/or # modify it under the terms of the GNU Lesser General Public @@ -88,20 +88,20 @@ endif HAVE_GCC enums.h: $(srcdir)/make-enum-header.scm - $(GUILE_FOR_BUILD) "$^" > "$@.tmp" - mv "$@.tmp" "$@" + $(AM_V_GEN)$(GUILE_FOR_BUILD) "$^" > "$@.tmp" + $(AM_V_at)mv "$@.tmp" "$@" enum-map.i.c: $(srcdir)/make-enum-map.scm - $(GUILE_FOR_BUILD) "$^" > "$@.tmp" - mv "$@.tmp" "$@" + $(AM_V_GEN)$(GUILE_FOR_BUILD) "$^" > "$@.tmp" + $(AM_V_at)mv "$@.tmp" "$@" smobs.h: $(srcdir)/make-smob-header.scm - $(GUILE_FOR_BUILD) "$^" > "$@.tmp" - mv "$@.tmp" "$@" + $(AM_V_GEN)$(GUILE_FOR_BUILD) "$^" > "$@.tmp" + $(AM_V_at)mv "$@.tmp" "$@" smob-types.i.c: $(srcdir)/make-smob-types.scm - $(GUILE_FOR_BUILD) "$^" > "$@.tmp" - mv "$@.tmp" "$@" + $(AM_V_GEN)$(GUILE_FOR_BUILD) "$^" > "$@.tmp" + $(AM_V_at)mv "$@.tmp" "$@" # C file snarfing. @@ -115,7 +115,7 @@ snarfcppopts = $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \ # prerequisites to be ignored: # . %.x: %.c $(GENERATED_BINDINGS) - $(guile_snarf) -o $@ $< $(snarfcppopts) + $(AM_V_GEN)$(guile_snarf) -o $@ $< $(snarfcppopts) # Target used by doc/Makefile, to create all built sources necessary # for generating the manual. -- 2.6.3 From ludo at gnu.org Thu Feb 11 23:04:37 2016 From: ludo at gnu.org (=?UTF-8?q?Ludovic=20Court=C3=A8s?=) Date: Thu, 11 Feb 2016 23:04:37 +0100 Subject: [gnutls-devel] [PATCH 7/8] guile: Install modules in versioned directory by default. In-Reply-To: <1455228278-23708-1-git-send-email-ludo@gnu.org> References: <1455228278-23708-1-git-send-email-ludo@gnu.org> Message-ID: <1455228278-23708-8-git-send-email-ludo@gnu.org> * configure.ac: Change default 'GUILE_SITE' value to include $guile_effective_version. --- configure.ac | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/configure.ac b/configure.ac index 8440def..478c161 100644 --- a/configure.ac +++ b/configure.ac @@ -751,6 +751,10 @@ if test "$opt_guile_bindings" = "yes"; then CFLAGS="$save_CFLAGS" LIBS="$save_LIBS" + AC_MSG_CHECKING([the Guile effective version]) + guile_effective_version="`$GUILE -c '(display (effective-version))'`" + AC_MSG_RESULT([$guile_effective_version]) + if test "$opt_guile_bindings" = "yes"; then AC_MSG_RESULT([yes]) case "x$with_guile_site_dir" in @@ -762,7 +766,7 @@ if test "$opt_guile_bindings" = "yes"; then # Automatically derive $(GUILE_SITE) from $(pkgdatadir). This # hack is used to allow `distcheck' to work (see # `DISTCHECK_CONFIGURE_FLAGS' in the top-level `Makefile.am'). - GUILE_SITE="\$(datadir)/guile/site" + GUILE_SITE="\$(datadir)/guile/site/$guile_effective_version" AC_SUBST(GUILE_SITE) ;; *) @@ -789,9 +793,6 @@ if test "$opt_guile_bindings" = "yes"; then LIBS="$save_LIBS" # The place where guile-gnutls.la will go. - AC_MSG_CHECKING([the Guile effective version]) - guile_effective_version="`$GUILE -c '(display (effective-version))'`" - AC_MSG_RESULT([$guile_effective_version]) guileextensiondir="$libdir/guile/$guile_effective_version" AC_SUBST([guileextensiondir]) -- 2.6.3 From ludo at gnu.org Thu Feb 11 23:04:34 2016 From: ludo at gnu.org (=?UTF-8?q?Ludovic=20Court=C3=A8s?=) Date: Thu, 11 Feb 2016 23:04:34 +0100 Subject: [gnutls-devel] [PATCH 4/8] guile: doc: Change prompt in examples. In-Reply-To: <1455228278-23708-1-git-send-email-ludo@gnu.org> References: <1455228278-23708-1-git-send-email-ludo@gnu.org> Message-ID: <1455228278-23708-5-git-send-email-ludo@gnu.org> * doc/gnutls-guile.texi (Guile Preparations): Use the prompt found in 2.0. Change "libguile-gnutls-v-0" to "guile-gnutls-v-2". --- doc/gnutls-guile.texi | 26 +++++++++++++------------- 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/doc/gnutls-guile.texi b/doc/gnutls-guile.texi index 4bc04ad..061a31f 100644 --- a/doc/gnutls-guile.texi +++ b/doc/gnutls-guile.texi @@ -95,9 +95,9 @@ something like this: @example $ guile -guile> (use-modules (gnutls)) -: no code for module (gnutls) -guile> + at dots{} +scheme@@(guile-user)> (use-modules (gnutls)) +ERROR: no code for module (gnutls) @end example There are two ways to solve this. The first is to make sure that when @@ -134,8 +134,8 @@ Either use the @code{GUILE_LOAD_PATH} environment variable as follows: @example $ GUILE_LOAD_PATH="/usr/local/share/guile/site:$GUILE_LOAD_PATH" guile -guile> (use-modules (gnutls)) -guile> +scheme@@(guile-user)> (use-modules (gnutls)) +scheme@@(guile-user)> @end example Alternatively, you can modify Guile's @code{%load-path} variable @@ -143,11 +143,11 @@ Alternatively, you can modify Guile's @code{%load-path} variable Reference Manual}). At this point, you might get an error regarding - at file{libguile-gnutls-v-0} similar to: + at file{guile-gnutls-v-2} similar to: @example -gnutls.scm:361:1: In procedure dynamic-link in expression (load-extension "libguile-gnutls-v-0" "scm_init_gnutls"): -gnutls.scm:361:1: file: "libguile-gnutls-v-0", message: "libguile-gnutls-v-0.so: cannot open shared object file: No such file or directory" +gnutls.scm:361:1: In procedure dynamic-link in expression (load-extension "guile-gnutls-v-2" "scm_init_gnutls"): +gnutls.scm:361:1: file: "guile-gnutls-v-2", message: "guile-gnutls-v-2.so: cannot open shared object file: No such file or directory" @end example In this case, you will need to modify the run-time linker path, for @@ -155,8 +155,8 @@ example as follows: @example $ LD_LIBRARY_PATH=/usr/local/lib GUILE_LOAD_PATH=/usr/local/share/guile/site guile -guile> (use-modules (gnutls)) -guile> +scheme@@(guile-user)> (use-modules (gnutls)) +scheme@@(guile-user)> @end example To check that you got the intended GnuTLS library version, you may @@ -164,10 +164,10 @@ print the version number of the loaded library as follows: @example $ guile -guile> (use-modules (gnutls)) -guile> (gnutls-version) +scheme@@(guile-user)> (use-modules (gnutls)) +scheme@@(guile-user)> (gnutls-version) "@value{VERSION}" -guile> +scheme@@(guile-user)> @end example -- 2.6.3 From ludo at gnu.org Thu Feb 11 23:04:38 2016 From: ludo at gnu.org (=?UTF-8?q?Ludovic=20Court=C3=A8s?=) Date: Thu, 11 Feb 2016 23:04:38 +0100 Subject: [gnutls-devel] [PATCH 8/8] guile: Work around lack of 'eval-when' on 1.8. In-Reply-To: <1455228278-23708-1-git-send-email-ludo@gnu.org> References: <1455228278-23708-1-git-send-email-ludo@gnu.org> Message-ID: <1455228278-23708-9-git-send-email-ludo@gnu.org> * guile/modules/gnutls.in (eval-when) [!guile-2]: New macro. --- guile/modules/gnutls.in | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/guile/modules/gnutls.in b/guile/modules/gnutls.in index f35f6ea..1936032 100644 --- a/guile/modules/gnutls.in +++ b/guile/modules/gnutls.in @@ -1,5 +1,5 @@ ;;; GnuTLS --- Guile bindings for GnuTLS. -;;; Copyright (C) 2007-2012, 2014, 2015 Free Software Foundation, Inc. +;;; Copyright (C) 2007-2012, 2014, 2015, 2016 Free Software Foundation, Inc. ;;; ;;; GnuTLS is free software; you can redistribute it and/or ;;; modify it under the terms of the GNU Lesser General Public @@ -412,6 +412,12 @@ openpgp-certificate-format/raw openpgp-certificate-format/base64)) +(cond-expand + ((not guile-2) ;silly 1.8 + (define-macro (eval-when foo a b) + `(begin ,a ,b))) + (else #t)) + (eval-when (expand load eval) (define %libdir (or (getenv "GNUTLS_GUILE_EXTENSION_DIR") -- 2.6.3 From ludo at gnu.org Thu Feb 11 23:04:33 2016 From: ludo at gnu.org (=?UTF-8?q?Ludovic=20Court=C3=A8s?=) Date: Thu, 11 Feb 2016 23:04:33 +0100 Subject: [gnutls-devel] [PATCH 3/8] guile: tests: Add Guile 2.2 compatibility layer. In-Reply-To: <1455228278-23708-1-git-send-email-ludo@gnu.org> References: <1455228278-23708-1-git-send-email-ludo@gnu.org> Message-ID: <1455228278-23708-4-git-send-email-ludo@gnu.org> This allows tests to run with Guile 2.1/2.2. * guile/modules/gnutls/build/tests.scm (define-replacement) [guile-2]: New macro. (uniform-vector-read!, uniform-vector-write) [guile-2]: New procedures. * doc/gnutls-guile.texi (Guile Preparations): Mention 2.2. --- doc/gnutls-guile.texi | 6 +++--- guile/modules/gnutls/build/tests.scm | 29 +++++++++++++++++++++++++++-- 2 files changed, 30 insertions(+), 5 deletions(-) diff --git a/doc/gnutls-guile.texi b/doc/gnutls-guile.texi index 80b03ca..4bc04ad 100644 --- a/doc/gnutls-guile.texi +++ b/doc/gnutls-guile.texi @@ -17,7 +17,7 @@ This manual is last updated @value{UPDATED} for version @value{VERSION} of GnuTLS. -Copyright @copyright{} 2001-2012, 2014 Free Software Foundation, Inc. +Copyright @copyright{} 2001-2012, 2014, 2016 Free Software Foundation, Inc. @quotation Permission is granted to copy, distribute and/or modify this document @@ -85,8 +85,8 @@ a large subset thereof is available. @node Guile Preparations @chapter Guile Preparations -The GnuTLS Guile bindings are available for both the 1.8 and 2.0 stable -series of Guile. +The GnuTLS Guile bindings are available for Guile's 2.0 stable series, +as well as the forthcoming 2.2 series and the legacy 1.8 series. By default they are installed under the GnuTLS installation directory, typically @file{/usr/local/share/guile/site/}). Normally Guile diff --git a/guile/modules/gnutls/build/tests.scm b/guile/modules/gnutls/build/tests.scm index 5a03ce7..2fe6be2 100644 --- a/guile/modules/gnutls/build/tests.scm +++ b/guile/modules/gnutls/build/tests.scm @@ -67,8 +67,29 @@ process exits upon failure." ((_ args ...) body)))))) (export define-syntax-rule)) - (else - #t)) + + (else ;2.0 and 2.2 + (use-modules (rnrs io ports) + (rnrs bytevectors)) + + (define-syntax-rule (define-replacement (name args ...) body ...) + ;; Define a compatibility replacement for NAME, if needed. + (define-public name + (if (module-defined? the-scm-module 'name) + (module-ref the-scm-module 'name) + (lambda (args ...) + body ...)))) + + ;; 'uniform-vector-read!' and 'uniform-vector-write' are deprecated in 2.0 + ;; and absent in 2.2. + + (define-replacement (uniform-vector-read! buf port) + (get-bytevector-n! port buf + 0 (bytevector-length buf))) + + (define-replacement (uniform-vector-write buf port) + (put-bytevector port buf)))) + (define-syntax-rule (with-child-process pid parent child) "Fork and evaluate expression PARENT in the current process, with PID bound @@ -76,3 +97,7 @@ to the PID of its child process; the child process evaluated CHILD." (call-with-child-process (lambda () child) (lambda (pid) parent))) + +;;; Local Variables: +;;; eval: (put 'define-replacement 'scheme-indent-function 1) +;;; End: -- 2.6.3 From ludo at gnu.org Thu Feb 11 23:04:32 2016 From: ludo at gnu.org (=?UTF-8?q?Ludovic=20Court=C3=A8s?=) Date: Thu, 11 Feb 2016 23:04:32 +0100 Subject: [gnutls-devel] [PATCH 2/8] guile: tests: Make sure no processes are left behind. In-Reply-To: <1455228278-23708-1-git-send-email-ludo@gnu.org> References: <1455228278-23708-1-git-send-email-ludo@gnu.org> Message-ID: <1455228278-23708-3-git-send-email-ludo@gnu.org> Before that, child processes would be left behind and become zombies. * guile/tests/anonymous-auth.scm, guile/tests/openpgp-auth.scm, guile/tests/session-record-port.scm, guile/tests/x509-auth.scm: Add (waitpid pid) call on the server side. --- guile/tests/anonymous-auth.scm | 3 ++- guile/tests/openpgp-auth.scm | 3 ++- guile/tests/session-record-port.scm | 1 + guile/tests/x509-auth.scm | 3 ++- 4 files changed, 7 insertions(+), 3 deletions(-) diff --git a/guile/tests/anonymous-auth.scm b/guile/tests/anonymous-auth.scm index d01884d..a12eeb5 100644 --- a/guile/tests/anonymous-auth.scm +++ b/guile/tests/anonymous-auth.scm @@ -71,7 +71,8 @@ (let* ((buf (make-u8vector (u8vector-length %message))) (amount (record-receive! server buf))) (bye server close-request/rdwr) - (and (= amount (u8vector-length %message)) + (and (zero? (cdr (waitpid pid))) + (= amount (u8vector-length %message)) (equal? buf %message)))) ;; client-side (child process) diff --git a/guile/tests/openpgp-auth.scm b/guile/tests/openpgp-auth.scm index 49b4817..8c732ce 100644 --- a/guile/tests/openpgp-auth.scm +++ b/guile/tests/openpgp-auth.scm @@ -81,7 +81,8 @@ (let ((msg (read (session-record-port server))) (auth-type (session-authentication-type server))) (bye server close-request/rdwr) - (and (eq? auth-type credentials/certificate) + (and (zero? (cdr (waitpid pid))) + (eq? auth-type credentials/certificate) (equal? msg %message)))) ;; client-side (child process) diff --git a/guile/tests/session-record-port.scm b/guile/tests/session-record-port.scm index 8291880..0eafefa 100644 --- a/guile/tests/session-record-port.scm +++ b/guile/tests/session-record-port.scm @@ -100,6 +100,7 @@ ;; Make sure we got everything right. (and (eq? (session-record-port server) (session-record-port server)) + (zero? (cdr (waitpid pid))) (= amount (u8vector-length %message)) (equal? buf %message) (eof-object? diff --git a/guile/tests/x509-auth.scm b/guile/tests/x509-auth.scm index 609251d..21f192f 100644 --- a/guile/tests/x509-auth.scm +++ b/guile/tests/x509-auth.scm @@ -87,7 +87,8 @@ (let ((msg (read (session-record-port server))) (auth-type (session-authentication-type server))) (bye server close-request/rdwr) - (and (eq? auth-type credentials/certificate) + (and (zero? (cdr (waitpid pid))) + (eq? auth-type credentials/certificate) (equal? msg %message)))) ;; client-side (child process) -- 2.6.3 From jaak.ristioja at cyber.ee Fri Feb 12 15:59:31 2016 From: jaak.ristioja at cyber.ee (Jaak Ristioja) Date: Fri, 12 Feb 2016 16:59:31 +0200 Subject: [gnutls-devel] [PATCH] Removed the invariant htype parameter of _gnutls_recv_int() Message-ID: <1455289171-18765-1-git-send-email-jaak.ristioja@cyber.ee> All uses of _gnutls_recv_int() passed -1 as the htype argument of type gnutls_handshake_description_t, which had been used for SSLv2 client hellos. Introduced in 2001 with dc1122e7b6. --- lib/ext/heartbeat.c | 2 +- lib/handshake.c | 2 +- lib/record.c | 13 +++++-------- lib/record.h | 1 - 4 files changed, 7 insertions(+), 11 deletions(-) diff --git a/lib/ext/heartbeat.c b/lib/ext/heartbeat.c index c867025..cc13508 100644 --- a/lib/ext/heartbeat.c +++ b/lib/ext/heartbeat.c @@ -229,7 +229,7 @@ gnutls_heartbeat_ping(gnutls_session_t session, size_t data_size, case SHB_RECV: ret = - _gnutls_recv_int(session, GNUTLS_HEARTBEAT, -1, NULL, + _gnutls_recv_int(session, GNUTLS_HEARTBEAT, NULL, NULL, 0, NULL, session->internals. hb_actual_retrans_timeout_ms); diff --git a/lib/handshake.c b/lib/handshake.c index a46d2b5..3d7a153 100644 --- a/lib/handshake.c +++ b/lib/handshake.c @@ -3104,7 +3104,7 @@ static int recv_handshake_final(gnutls_session_t session, int init) ret = _gnutls_recv_int(session, GNUTLS_CHANGE_CIPHER_SPEC, - -1, NULL, ccs, ccs_len, NULL, tleft); + NULL, ccs, ccs_len, NULL, tleft); if (ret <= 0) { ERR("recv ChangeCipherSpec", ret); gnutls_assert(); diff --git a/lib/record.c b/lib/record.c index 2ae3ca9..a2f8637 100644 --- a/lib/record.c +++ b/lib/record.c @@ -301,7 +301,7 @@ int gnutls_bye(gnutls_session_t session, gnutls_close_request_t how) do { ret = _gnutls_recv_int(session, GNUTLS_ALERT, - -1, NULL, NULL, 0, NULL, + NULL, NULL, 0, NULL, session->internals. record_timeout_ms); } @@ -1360,12 +1360,9 @@ _gnutls_recv_in_buffers(gnutls_session_t session, content_type_t type, * that it accepts the gnutls_session_t and the content_type_t of data to * receive (if called by the user the Content is Userdata only) * It is intended to receive data, under the current session. - * - * The gnutls_handshake_description_t was introduced to support SSL V2.0 client hellos. */ ssize_t _gnutls_recv_int(gnutls_session_t session, content_type_t type, - gnutls_handshake_description_t htype, gnutls_packet_t *packet, uint8_t * data, size_t data_size, void *seq, unsigned int ms) @@ -1405,7 +1402,7 @@ _gnutls_recv_int(gnutls_session_t session, content_type_t type, if (ret != 0) return ret; - ret = _gnutls_recv_in_buffers(session, type, htype, ms); + ret = _gnutls_recv_in_buffers(session, type, -1, ms); if (ret < 0 && ret != GNUTLS_E_SESSION_EOF) return gnutls_assert_val(ret); @@ -1514,7 +1511,7 @@ ssize_t gnutls_record_recv_packet(gnutls_session_t session, gnutls_packet_t *packet) { - return _gnutls_recv_int(session, GNUTLS_APPLICATION_DATA, -1, packet, + return _gnutls_recv_int(session, GNUTLS_APPLICATION_DATA, packet, NULL, 0, NULL, session->internals.record_timeout_ms); } @@ -1697,7 +1694,7 @@ int gnutls_record_uncork(gnutls_session_t session, unsigned int flags) ssize_t gnutls_record_recv(gnutls_session_t session, void *data, size_t data_size) { - return _gnutls_recv_int(session, GNUTLS_APPLICATION_DATA, -1, NULL, + return _gnutls_recv_int(session, GNUTLS_APPLICATION_DATA, NULL, data, data_size, NULL, session->internals.record_timeout_ms); } @@ -1726,7 +1723,7 @@ ssize_t gnutls_record_recv_seq(gnutls_session_t session, void *data, size_t data_size, unsigned char *seq) { - return _gnutls_recv_int(session, GNUTLS_APPLICATION_DATA, -1, NULL, + return _gnutls_recv_int(session, GNUTLS_APPLICATION_DATA, NULL, data, data_size, seq, session->internals.record_timeout_ms); } diff --git a/lib/record.h b/lib/record.h index 7da8d30..d029586 100644 --- a/lib/record.h +++ b/lib/record.h @@ -45,7 +45,6 @@ _gnutls_send_int(gnutls_session_t session, content_type_t type, } ssize_t _gnutls_recv_int(gnutls_session_t session, content_type_t type, - gnutls_handshake_description_t, gnutls_packet_t *packet, uint8_t * data, size_t sizeofdata, void *seq, unsigned int ms); -- 2.7.1 From n.mavrogiannopoulos at gmail.com Sun Feb 14 11:46:41 2016 From: n.mavrogiannopoulos at gmail.com (Nikos Mavrogiannopoulos) Date: Sun, 14 Feb 2016 11:46:41 +0100 Subject: [gnutls-devel] [PATCH] Removed the invariant htype parameter of _gnutls_recv_int() In-Reply-To: <1455289171-18765-1-git-send-email-jaak.ristioja@cyber.ee> References: <1455289171-18765-1-git-send-email-jaak.ristioja@cyber.ee> Message-ID: <1455446801.2485.0.camel@gmail.com> On Fri, 2016-02-12 at 16:59 +0200, Jaak Ristioja wrote: > All uses of _gnutls_recv_int() passed -1 as the htype argument of > type > gnutls_handshake_description_t, which had been used for SSLv2 client > hellos. Introduced in 2001 with dc1122e7b6. Hello Jaak, Could you give some more context on this change? regards, Nikos From ametzler at bebt.de Sun Feb 14 15:14:22 2016 From: ametzler at bebt.de (Andreas Metzler) Date: Sun, 14 Feb 2016 15:14:22 +0100 Subject: [gnutls-devel] FTBFS[kfreebsd]: tests/mini-loss-time race Message-ID: <20160214141422.GA27708@argenau.bebt.de> Hello, this is http://bugs.debian.org/813598 reported by Steven Chamberlain: Package: gnutls28 Version: 3.4.8-3 Severity: important Hi, gnutls28 tests/mini-loss-time fails about 20% of the time when I try it on kfreebsd-amd64. I think probably introduced by this commit: https://gitlab.com/gnutls/gnutls/commit/e2a3ad31c487cbce997a08dddc55db639b60c024 The failure happens at ~60 seconds elapsed, when some (expected) timeout is reached. The child always exits first, and closes fds: (49946 101730 = child) 49946 101730 mini-loss-time 60.187211 CALL close(0x4) 49946 101730 mini-loss-time 60.187244 RET close 0 49946 101730 mini-loss-time 60.187346 CALL close(0x3) 49946 101730 mini-loss-time 60.187363 RET close 0 49946 101730 mini-loss-time 60.187830 CALL exit(0) The parent receives SIGCHLD, and some wait() call on the child pid returns: (49871 102302 = parent) 49871 102302 mini-loss-time 60.188448 RET select -1 errno 4 Interrupted system call 49871 102302 mini-loss-time 60.188572 PSIG SIGCHLD caught handler=0x401570 mask=0x0 code=CLD_EXITED 49871 102302 mini-loss-time 60.188594 CALL wait4(0xffffffff,0x7fffffffdd44,0,0) 49871 102302 mini-loss-time 60.188657 RET wait4 49946/0xc31a 49871 102302 mini-loss-time 60.188673 CALL sigreturn(0x7fffffffdd70) 49871 102302 mini-loss-time 60.188689 RET sigreturn JUSTRETURN 49871 102302 mini-loss-time 60.188713 CALL clock_gettime(0,0x7fffffffe320) 49871 102302 mini-loss-time 60.188808 RET clock_gettime 0 49871 102302 mini-loss-time 60.188831 CALL clock_gettime(0,0x7fffffffe320) 49871 102302 mini-loss-time 60.188847 RET clock_gettime 0 In the successful case, the parent exits now. In the failure case, the parent tries to read something from an fd first, I guess a pipe that was just closed at the other end (maybe the server didn't time out quite yet?) : (50000 101614 = parent) 50000 101614 mini-loss-time 59.273668 CALL recvfrom(0x5,0x624833,0x415c,0,0,0) 50000 101614 mini-loss-time 59.273686 RET recvfrom -1 errno 54 Connection reset by peer leading to GNUTLS_E_PUSH_ERROR rather than expected GNUTLS_E_TIMEDOUT. The attached ktrace dumps can be compared using vimdiff to help study this. I haven't tested on GNU/Linux. If I lower the server timeout to 29 seconds, I haven't seen this failure any more. --- tests/mini-loss-time.c.orig +++ tests/mini-loss-time.c @@ -196,7 +196,7 @@ gnutls_init(&session, GNUTLS_SERVER | GNUTLS_DATAGRAM); gnutls_dtls_set_mtu(session, 1500); - gnutls_dtls_set_timeouts(session, 1 * 1000, 30 * 1000); + gnutls_dtls_set_timeouts(session, 1 * 1000, 29 * 1000); /* avoid calling all the priority functions, since the defaults * are adequate. Thanks! -- System Information: Debian Release: stretch/sid APT prefers unstable APT policy: (500, 'unstable'), (1, 'experimental') Architecture: kfreebsd-amd64 (x86_64) Kernel: kFreeBSD 10.1-0-amd64 Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash -------------- next part -------------- A non-text attachment was scrubbed... Name: kdump.fail.gz Type: application/gzip Size: 16737 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: kdump.ok.gz Type: application/gzip Size: 16615 bytes Desc: not available URL: From jaak.ristioja at cyber.ee Mon Feb 15 09:32:18 2016 From: jaak.ristioja at cyber.ee (Jaak Ristioja) Date: Mon, 15 Feb 2016 10:32:18 +0200 Subject: [gnutls-devel] [PATCH] Removed the invariant htype parameter of _gnutls_recv_int() In-Reply-To: <1455446801.2485.0.camel@gmail.com> References: <1455289171-18765-1-git-send-email-jaak.ristioja@cyber.ee> <1455446801.2485.0.camel@gmail.com> Message-ID: <56C18D12.1030200@cyber.ee> On 14.02.2016 12:46, Nikos Mavrogiannopoulos wrote: > On Fri, 2016-02-12 at 16:59 +0200, Jaak Ristioja wrote: >> All uses of _gnutls_recv_int() passed -1 as the htype argument of >> type >> gnutls_handshake_description_t, which had been used for SSLv2 client >> hellos. Introduced in 2001 with dc1122e7b6. > > Hello Jaak, > Could you give some more context on this change? I just stumbled upon this while examining the code. I found that _gnutls_recv_int had a lot of parameters (8). I know from [1] that for x86_64 up to only 6 of these arguments are passed in registers (%rdi,%rsi,%rdx,%rcx,%r8,%r9) and the rest are put onto the stack. So I took a look at `objdump -DC` output and tried to microoptimize for performance, but I also think this change improves code readability. Best regards, Jaak [1] System V Application Binary Interface http://www.x86-64.org/documentation/abi.pdf From nmav at gnutls.org Mon Feb 15 09:55:35 2016 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Mon, 15 Feb 2016 09:55:35 +0100 Subject: [gnutls-devel] FTBFS[kfreebsd]: tests/mini-loss-time race In-Reply-To: <20160214141422.GA27708@argenau.bebt.de> References: <20160214141422.GA27708@argenau.bebt.de> Message-ID: On Sun, Feb 14, 2016 at 3:14 PM, Andreas Metzler wrote: > Hello, > > this is http://bugs.debian.org/813598 reported by Steven Chamberlain: > > Package: gnutls28 > Version: 3.4.8-3 > Severity: important > Hi, > gnutls28 tests/mini-loss-time fails about 20% of the time when I try it > on kfreebsd-amd64. I think probably introduced by this commit: > https://gitlab.com/gnutls/gnutls/commit/e2a3ad31c487cbce997a08dddc55db639b60c024 I've applied a similar fix in master. Thank you, Nikos From nmav at gnutls.org Mon Feb 15 09:56:27 2016 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Mon, 15 Feb 2016 09:56:27 +0100 Subject: [gnutls-devel] [PATCH] Removed the invariant htype parameter of _gnutls_recv_int() In-Reply-To: <56C18D12.1030200@cyber.ee> References: <1455289171-18765-1-git-send-email-jaak.ristioja@cyber.ee> <1455446801.2485.0.camel@gmail.com> <56C18D12.1030200@cyber.ee> Message-ID: On Mon, Feb 15, 2016 at 9:32 AM, Jaak Ristioja wrote: > On 14.02.2016 12:46, Nikos Mavrogiannopoulos wrote: >> On Fri, 2016-02-12 at 16:59 +0200, Jaak Ristioja wrote: >>> All uses of _gnutls_recv_int() passed -1 as the htype argument of >>> type >>> gnutls_handshake_description_t, which had been used for SSLv2 client >>> hellos. Introduced in 2001 with dc1122e7b6. >> >> Hello Jaak, >> Could you give some more context on this change? > > I just stumbled upon this while examining the code. I found that > _gnutls_recv_int had a lot of parameters (8). I know from [1] that for > x86_64 up to only 6 of these arguments are passed in registers > (%rdi,%rsi,%rdx,%rcx,%r8,%r9) and the rest are put onto the stack. So I > took a look at `objdump -DC` output and tried to microoptimize for > performance, but I also think this change improves code readability. Applied, thank you. From jaak.ristioja at cyber.ee Mon Feb 15 11:14:52 2016 From: jaak.ristioja at cyber.ee (Jaak Ristioja) Date: Mon, 15 Feb 2016 12:14:52 +0200 Subject: [gnutls-devel] [PATCH] Broke apart _gnutls_recv_int() to the packet and non-packet cases. Message-ID: <1455531292-10204-1-git-send-email-jaak.ristioja@cyber.ee> Only gnutls_record_recv_packet() called _gnutls_recv_int() with (packet != NULL). I refactored this logic directly downstream into gnutls_record_recv_packet(). The _gnutls_recv_int() function now only handles non-packet specific logic. The _gnutls_recv_int2() function was created to deduplicate common code which would otherwise have ended up in both functions. The rationale behind this change is to optimize what were previously calls of _gnutls_recv_int(). First of all _gnutls_recv_int() now has only 6 parameters, which according to the x86_64 System V Application Binary Interface should now fit into CPU registers and no longer use the stack. Secondly this change avoids a number of branching checks for both packet and non-packet cases. --- lib/ext/heartbeat.c | 2 +- lib/handshake.c | 2 +- lib/record.c | 103 ++++++++++++++++++++++++++++++---------------------- lib/record.h | 1 - 4 files changed, 62 insertions(+), 46 deletions(-) diff --git a/lib/ext/heartbeat.c b/lib/ext/heartbeat.c index cc13508..77d990b 100644 --- a/lib/ext/heartbeat.c +++ b/lib/ext/heartbeat.c @@ -229,7 +229,7 @@ gnutls_heartbeat_ping(gnutls_session_t session, size_t data_size, case SHB_RECV: ret = - _gnutls_recv_int(session, GNUTLS_HEARTBEAT, NULL, + _gnutls_recv_int(session, GNUTLS_HEARTBEAT, NULL, 0, NULL, session->internals. hb_actual_retrans_timeout_ms); diff --git a/lib/handshake.c b/lib/handshake.c index 3d7a153..82f605b 100644 --- a/lib/handshake.c +++ b/lib/handshake.c @@ -3104,7 +3104,7 @@ static int recv_handshake_final(gnutls_session_t session, int init) ret = _gnutls_recv_int(session, GNUTLS_CHANGE_CIPHER_SPEC, - NULL, ccs, ccs_len, NULL, tleft); + ccs, ccs_len, NULL, tleft); if (ret <= 0) { ERR("recv ChangeCipherSpec", ret); gnutls_assert(); diff --git a/lib/record.c b/lib/record.c index a2f8637..713dd94 100644 --- a/lib/record.c +++ b/lib/record.c @@ -301,7 +301,7 @@ int gnutls_bye(gnutls_session_t session, gnutls_close_request_t how) do { ret = _gnutls_recv_int(session, GNUTLS_ALERT, - NULL, NULL, 0, NULL, + NULL, 0, NULL, session->internals. record_timeout_ms); } @@ -1356,23 +1356,13 @@ _gnutls_recv_in_buffers(gnutls_session_t session, content_type_t type, return ret; } -/* This function behaves exactly like read(). The only difference is - * that it accepts the gnutls_session_t and the content_type_t of data to - * receive (if called by the user the Content is Userdata only) - * It is intended to receive data, under the current session. - */ -ssize_t -_gnutls_recv_int(gnutls_session_t session, content_type_t type, - gnutls_packet_t *packet, - uint8_t * data, size_t data_size, void *seq, - unsigned int ms) +/* Returns a value greater than zero (>= 0) if buffers should be checked + * for data. */ +static ssize_t +_gnutls_recv_int2(gnutls_session_t session) { int ret; - if (packet == NULL && (type != GNUTLS_ALERT && type != GNUTLS_HEARTBEAT) - && (data_size == 0 || data == NULL)) - return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); - if (session->internals.read_eof != 0) { /* if we have already read an EOF */ @@ -1390,37 +1380,48 @@ _gnutls_recv_int(gnutls_session_t session, content_type_t type, return gnutls_assert_val(ret); session->internals.recv_state = RECV_STATE_0; + /* Fall through: */ case RECV_STATE_0: _dtls_async_timer_check(session); + return 1; + default: + return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR); + } +} - if (packet == NULL) { - /* If we have enough data in the cache do not bother receiving - * a new packet. (in order to flush the cache) - */ - ret = check_buffers(session, type, data, data_size, seq); - if (ret != 0) - return ret; +/* This function behaves exactly like read(). The only difference is + * that it accepts the gnutls_session_t and the content_type_t of data to + * receive (if called by the user the Content is Userdata only) + * It is intended to receive data, under the current session. + */ +ssize_t +_gnutls_recv_int(gnutls_session_t session, content_type_t type, + uint8_t * data, size_t data_size, void *seq, + unsigned int ms) +{ + int ret; - ret = _gnutls_recv_in_buffers(session, type, -1, ms); - if (ret < 0 && ret != GNUTLS_E_SESSION_EOF) - return gnutls_assert_val(ret); + if ((type != GNUTLS_ALERT && type != GNUTLS_HEARTBEAT) + && (data_size == 0 || data == NULL)) + return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); - return check_buffers(session, type, data, data_size, seq); - } else { - ret = check_packet_buffers(session, type, packet); - if (ret != 0) - return ret; + ret = _gnutls_recv_int2(session); + if (ret <= 0) + return ret; - ret = _gnutls_recv_in_buffers(session, type, -1, ms); - if (ret < 0 && ret != GNUTLS_E_SESSION_EOF) - return gnutls_assert_val(ret); + /* If we have enough data in the cache do not bother receiving + * a new packet. (in order to flush the cache) + */ + ret = check_buffers(session, type, data, data_size, seq); + if (ret != 0) + return ret; - return check_packet_buffers(session, type, packet); - } - default: - return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR); - } + ret = _gnutls_recv_in_buffers(session, type, -1, ms); + if (ret < 0 && ret != GNUTLS_E_SESSION_EOF) + return gnutls_assert_val(ret); + + return check_buffers(session, type, data, data_size, seq); } /** @@ -1511,9 +1512,25 @@ ssize_t gnutls_record_recv_packet(gnutls_session_t session, gnutls_packet_t *packet) { - return _gnutls_recv_int(session, GNUTLS_APPLICATION_DATA, packet, - NULL, 0, NULL, - session->internals.record_timeout_ms); + int ret; + + if (packet == NULL) + return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); + + ret = _gnutls_recv_int2(session); + if (ret <= 0) + return ret; + + ret = check_packet_buffers(session, GNUTLS_APPLICATION_DATA, packet); + if (ret != 0) + return ret; + + ret = _gnutls_recv_in_buffers(session, GNUTLS_APPLICATION_DATA, -1, + session->internals.record_timeout_ms); + if (ret < 0 && ret != GNUTLS_E_SESSION_EOF) + return gnutls_assert_val(ret); + + return check_packet_buffers(session, GNUTLS_APPLICATION_DATA, packet); } /** @@ -1694,7 +1711,7 @@ int gnutls_record_uncork(gnutls_session_t session, unsigned int flags) ssize_t gnutls_record_recv(gnutls_session_t session, void *data, size_t data_size) { - return _gnutls_recv_int(session, GNUTLS_APPLICATION_DATA, NULL, + return _gnutls_recv_int(session, GNUTLS_APPLICATION_DATA, data, data_size, NULL, session->internals.record_timeout_ms); } @@ -1723,7 +1740,7 @@ ssize_t gnutls_record_recv_seq(gnutls_session_t session, void *data, size_t data_size, unsigned char *seq) { - return _gnutls_recv_int(session, GNUTLS_APPLICATION_DATA, NULL, + return _gnutls_recv_int(session, GNUTLS_APPLICATION_DATA, data, data_size, seq, session->internals.record_timeout_ms); } diff --git a/lib/record.h b/lib/record.h index d029586..f16df47 100644 --- a/lib/record.h +++ b/lib/record.h @@ -45,7 +45,6 @@ _gnutls_send_int(gnutls_session_t session, content_type_t type, } ssize_t _gnutls_recv_int(gnutls_session_t session, content_type_t type, - gnutls_packet_t *packet, uint8_t * data, size_t sizeofdata, void *seq, unsigned int ms); -- 2.7.1 From ludo at gnu.org Sun Feb 21 18:58:35 2016 From: ludo at gnu.org (=?UTF-8?q?Ludovic=20Court=C3=A8s?=) Date: Sun, 21 Feb 2016 18:58:35 +0100 Subject: [gnutls-devel] [PATCH] guile: Fix out-of-tree builds. Message-ID: <1456077515-13510-1-git-send-email-ludo@gnu.org> This fixes a regression introduced in 3045a96. * guile/Makefile.am (.in.scm): Make the parent directory of $@. --- guile/Makefile.am | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/guile/Makefile.am b/guile/Makefile.am index 90c2fe5..acbb594 100644 --- a/guile/Makefile.am +++ b/guile/Makefile.am @@ -44,7 +44,7 @@ EXTRA_DIST += modules/gnutls.in $(helper_modules) $(documentation_modules) CLEANFILES = modules/gnutls.scm .in.scm: - $(AM_V_GEN)cat "$^" | \ + $(AM_V_GEN)$(MKDIR_P) "`dirname "$@"`" ; cat "$^" | \ $(SED) -e's|[@]guileextensiondir[@]|$(guileextensiondir)|g' \ > "$@.tmp" $(AM_V_at)mv "$@.tmp" "$@" -- 2.6.3 From ludo at gnu.org Sun Feb 21 19:30:19 2016 From: ludo at gnu.org (Ludovic =?utf-8?Q?Court=C3=A8s?=) Date: Sun, 21 Feb 2016 19:30:19 +0100 Subject: [gnutls-devel] [PATCH 0/8] Assorted Guile bindings improvements References: <1455228278-23708-1-git-send-email-ludo@gnu.org> Message-ID: <874md1x6f8.fsf@gnu.org> Ludovic Court?s skribis: > This is against master but could be applied to the 3.4 branch > as well. Thanks, Nikos, for pushing these patches to ?master?! I can provide ?NEWS? entries for the changes, but I?d need to know in which branch(es) to put them. Thoughts? Thanks, Ludo?. From dkg at fifthhorseman.net Mon Feb 22 02:09:44 2016 From: dkg at fifthhorseman.net (Daniel Kahn Gillmor) Date: Sun, 21 Feb 2016 17:09:44 -0800 Subject: [gnutls-devel] multiple keys + certificates for gnutls-serv (and gnutls_certificate_set_key()) Message-ID: <8737sl4kkn.fsf@alice.fifthhorseman.net> Hi GnuTLS folks-- gnutls-serv limits itself to one --x509keyfile argument, and if you supply multiple keys and multiple certs, it appears to only use the first one. I haven't looked into whether this is handled cleanly in gnutls_certificate_set_key(), but it's documented as: >> If multiple certificates are used with the functions above each >> client?s request will be served with the certificate that matches the >> requested name (see Server name indication). it would be good to be able to launch gnutls-serv with multiple keys and certificates, but multiple names are not the only form of certificate selection that GnuTLS should do. A couple of other selections: (a) an RSA key and an ECDSA key, to support connections with different server signature mechanisms based on ciphersuites. (b) one RSA key with a cert marked for signing-only (DHE-RSA, ECDHE-RSA key exchanges), and another RSA key with a cert marked for encryption only (non-PFS RSA key exchange) (b) in particular is desirable if we want to defend against a possible future Bleichenbacher attack, as described by Tibor Jager: https://www.nds.rub.de/media/nds/veroeffentlichungen/2015/08/21/Tls13QuicAttacks.pdf So perhaps this is two requests: * allow multiple certs in gnutls-serv * improve default certificate selection mechanisms based on ciphersuite negotiation (both signature algorithms and key exchange algorithms), not just server name. Does this seem reasonable? --dkg -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 948 bytes Desc: not available URL: From nmav at gnutls.org Mon Feb 22 11:51:42 2016 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Mon, 22 Feb 2016 11:51:42 +0100 Subject: [gnutls-devel] multiple keys + certificates for gnutls-serv (and gnutls_certificate_set_key()) In-Reply-To: <8737sl4kkn.fsf@alice.fifthhorseman.net> References: <8737sl4kkn.fsf@alice.fifthhorseman.net> Message-ID: On Mon, Feb 22, 2016 at 2:09 AM, Daniel Kahn Gillmor wrote: > Hi GnuTLS folks-- > > gnutls-serv limits itself to one --x509keyfile argument, and if you > supply multiple keys and multiple certs, it appears to only use the > first one. > > I haven't looked into whether this is handled cleanly in > gnutls_certificate_set_key(), but it's documented as: Hi, Are you sure that's the case? I've been using gnutls-serv with exactly that use case for quite long time. You should be able to use with multiple and different type of keys since the early versions. regards, Nikos From nmav at gnutls.org Mon Feb 22 11:56:36 2016 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Mon, 22 Feb 2016 11:56:36 +0100 Subject: [gnutls-devel] [PATCH 0/8] Assorted Guile bindings improvements In-Reply-To: <874md1x6f8.fsf@gnu.org> References: <1455228278-23708-1-git-send-email-ludo@gnu.org> <874md1x6f8.fsf@gnu.org> Message-ID: On Sun, Feb 21, 2016 at 7:30 PM, Ludovic Court?s wrote: > Ludovic Court?s skribis: >> This is against master but could be applied to the 3.4 branch >> as well. > Thanks, Nikos, for pushing these patches to ?master?! > I can provide ?NEWS? entries for the changes, but I?d need to know in > which branch(es) to put them. Thoughts? Hello Ludo, I don't know. The details for each release are at: https://gitlab.com/gnutls/gnutls/milestones My plan is to have 3.5.0 in the next couple of months and will eventually replace the 3.4.x branch (since it will be backwards compatible). regards, Nikos From n.mavrogiannopoulos at gmail.com Mon Feb 22 11:58:59 2016 From: n.mavrogiannopoulos at gmail.com (Nikos Mavrogiannopoulos) Date: Mon, 22 Feb 2016 11:58:59 +0100 Subject: [gnutls-devel] [PATCH] guile: Fix out-of-tree builds. In-Reply-To: <1456077515-13510-1-git-send-email-ludo@gnu.org> References: <1456077515-13510-1-git-send-email-ludo@gnu.org> Message-ID: Thanks; applied. I've also reverted the disabling of guile in the test suite. Hopefully it succeeds now: https://gitlab.com/gnutls/gnutls/builds On Sun, Feb 21, 2016 at 6:58 PM, Ludovic Court?s wrote: > This fixes a regression introduced in 3045a96. > > * guile/Makefile.am (.in.scm): Make the parent directory of $@. > --- > guile/Makefile.am | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/guile/Makefile.am b/guile/Makefile.am > index 90c2fe5..acbb594 100644 > --- a/guile/Makefile.am > +++ b/guile/Makefile.am > @@ -44,7 +44,7 @@ EXTRA_DIST += modules/gnutls.in $(helper_modules) $(documentation_modules) > CLEANFILES = modules/gnutls.scm > > .in.scm: > - $(AM_V_GEN)cat "$^" | \ > + $(AM_V_GEN)$(MKDIR_P) "`dirname "$@"`" ; cat "$^" | \ > $(SED) -e's|[@]guileextensiondir[@]|$(guileextensiondir)|g' \ > > "$@.tmp" > $(AM_V_at)mv "$@.tmp" "$@" > -- > 2.6.3 > From ludo at gnu.org Mon Feb 22 12:33:17 2016 From: ludo at gnu.org (Ludovic =?utf-8?Q?Court=C3=A8s?=) Date: Mon, 22 Feb 2016 12:33:17 +0100 Subject: [gnutls-devel] [PATCH] guile: Fix out-of-tree builds. In-Reply-To: (Nikos Mavrogiannopoulos's message of "Mon, 22 Feb 2016 11:58:59 +0100") References: <1456077515-13510-1-git-send-email-ludo@gnu.org> Message-ID: <87d1rpou82.fsf@gnu.org> Nikos Mavrogiannopoulos skribis: > Thanks; applied. I've also reverted the disabling of guile in the test > suite. Hopefully it succeeds now: > https://gitlab.com/gnutls/gnutls/builds Apparently it does: https://gitlab.com/gnutls/gnutls/builds/734562 Thanks, Ludo?. From ludo at gnu.org Mon Feb 22 21:56:32 2016 From: ludo at gnu.org (Ludovic =?utf-8?Q?Court=C3=A8s?=) Date: Mon, 22 Feb 2016 21:56:32 +0100 Subject: [gnutls-devel] --with-nettle-mini is ineffective Message-ID: <87povompkv.fsf@gnu.org> AFAICS, --with-nettle-mini does not have the desired effect since ?configure? unconditionally looks for Nettle with pkg-config. Quoting hooks.m4: --8<---------------cut here---------------start------------->8--- PKG_CHECK_MODULES(NETTLE, [nettle >= 3.1], [cryptolib="nettle"], [ AC_MSG_ERROR([[ *** *** Libnettle 3.1 was not found. ]]) ]) PKG_CHECK_MODULES(HOGWEED, [hogweed >= 3.1], [], [ AC_MSG_ERROR([[ *** *** Libhogweed (nettle's companion library) was not found. Note that you must compile nettle with gmp support. ]]) ]) AM_CONDITIONAL(ENABLE_NETTLE, test "$cryptolib" = "nettle") AC_DEFINE([HAVE_LIBNETTLE], 1, [nettle is enabled]) GNUTLS_REQUIRES_PRIVATE="Requires.private: nettle, hogweed" AC_ARG_WITH(nettle-mini, AS_HELP_STRING([--with-nettle-mini], [Link against a mini-nettle (that includes mini-gmp)]), mini_nettle=$withval, mini_nettle=no) --8<---------------cut here---------------end--------------->8--- I think the logic should be changed to be like that of $included_libtasn1. Ludo?. From nmav at gnutls.org Tue Feb 23 08:13:31 2016 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Tue, 23 Feb 2016 08:13:31 +0100 Subject: [gnutls-devel] --with-nettle-mini is ineffective In-Reply-To: <87povompkv.fsf@gnu.org> References: <87povompkv.fsf@gnu.org> Message-ID: On Mon, Feb 22, 2016 at 9:56 PM, Ludovic Court?s wrote: > AFAICS, --with-nettle-mini does not have the desired effect since > ?configure? unconditionally looks for Nettle with pkg-config. Hi, Nettle-mini is a version of nettle without the gmp dependency. That is used mainly in the openwrt system where you may want to trade performance for space. That version of the library is not included in gnutls, and that's why detection of the library is still required. regards, Nikos From n.mavrogiannopoulos at gmail.com Tue Feb 23 10:55:11 2016 From: n.mavrogiannopoulos at gmail.com (Nikos Mavrogiannopoulos) Date: Tue, 23 Feb 2016 10:55:11 +0100 Subject: [gnutls-devel] rfc for TLS false start support Message-ID: Hi, I'm considering to add the following API to support false start [0], i.e., to enable for the client to send data prior the handshake completion. Any comments or suggestions for other possible use cases? https://gitlab.com/gnutls/gnutls/commit/de5d7be0bc989bb6acc24d42084a869fc71396a1#d6bb5b80bfec67c635c66139cbdfb3fbb6a53bc3_2416_2418 regards, Nikos [0]. https://tools.ietf.org/html/draft-ietf-tls-falsestart-01 From ludo at gnu.org Tue Feb 23 18:04:36 2016 From: ludo at gnu.org (Ludovic =?utf-8?Q?Court=C3=A8s?=) Date: Tue, 23 Feb 2016 18:04:36 +0100 Subject: [gnutls-devel] --with-nettle-mini is ineffective In-Reply-To: (Nikos Mavrogiannopoulos's message of "Tue, 23 Feb 2016 08:13:31 +0100") References: <87povompkv.fsf@gnu.org> Message-ID: <87fuwjgxy3.fsf@gnu.org> Nikos Mavrogiannopoulos skribis: > On Mon, Feb 22, 2016 at 9:56 PM, Ludovic Court?s wrote: >> AFAICS, --with-nettle-mini does not have the desired effect since >> ?configure? unconditionally looks for Nettle with pkg-config. > > Hi, > Nettle-mini is a version of nettle without the gmp dependency. That > is used mainly in the openwrt system where you may want to trade > performance for space. That version of the library is not included in > gnutls, and that's why detection of the library is still required. The lib/nettle directory contains mini-nettle, doesn?t it? Why is the full-blown Nettle still required, then? Ludo?. From nmav at gnutls.org Tue Feb 23 20:45:52 2016 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Tue, 23 Feb 2016 20:45:52 +0100 Subject: [gnutls-devel] --with-nettle-mini is ineffective In-Reply-To: <87fuwjgxy3.fsf@gnu.org> References: <87povompkv.fsf@gnu.org> <87fuwjgxy3.fsf@gnu.org> Message-ID: <1456256752.1879.0.camel@gnutls.org> On Tue, 2016-02-23 at 18:04 +0100, Ludovic Court?s wrote: > Nikos Mavrogiannopoulos skribis: > > > On Mon, Feb 22, 2016 at 9:56 PM, Ludovic Court?s > > wrote: > > > AFAICS, --with-nettle-mini does not have the desired effect since > > > ?configure? unconditionally looks for Nettle with pkg-config. > > > > Hi, > > Nettle-mini is a version of nettle without the gmp dependency. > > That > > is used mainly in the openwrt system where you may want to trade > > performance for space. That version of the library is not included > > in > > gnutls, and that's why detection of the library is still required. > > The lib/nettle directory contains mini-nettle, doesn?t it? Why is > the full-blown Nettle still required, then? No, lib/nettle contains gnutls' hooks for nettle. regards, Nikos From jan.vcelak at nic.cz Thu Feb 25 15:21:28 2016 From: jan.vcelak at nic.cz (Jan Vcelak) Date: Thu, 25 Feb 2016 15:21:28 +0100 Subject: [gnutls-devel] [PATCH 0/2] Support for DSA key pairs generating in PKCS #11 Message-ID: <1456410090-16029-1-git-send-email-jan.vcelak@nic.cz> Hello, this patch set adds support for generating DSA key pairs via PKCS#11. The former code was incorrectly passing CKA_MODULUS_BITS directy to the C_GenerateKeyPair function. However, according to the specification, the implementation expects CKA_PRIME, CKA_SUBPRIME, and CKA_BASE attributes. The new code uses CKM_DSA_PARAMETER_GEN mechanism for C_GenerateKey to generate the DSA parameters to be later used with C_GenerateKeyPair. The implementation has been tested with SoftHSM 2.0. Best regards, Jan Jan Vcelak (2): pkcs11: add interface for C_GenerateKey pkcs11: implement correct DSA key pair generating lib/pkcs11_int.c | 11 +++++++++ lib/pkcs11_int.h | 8 +++++++ lib/pkcs11_privkey.c | 63 ++++++++++++++++++++++++++++++++++++++++++++++++---- 3 files changed, 78 insertions(+), 4 deletions(-) -- 2.5.0 From jan.vcelak at nic.cz Thu Feb 25 15:21:30 2016 From: jan.vcelak at nic.cz (Jan Vcelak) Date: Thu, 25 Feb 2016 15:21:30 +0100 Subject: [gnutls-devel] [PATCH 2/2] pkcs11: implement correct DSA key pair generating In-Reply-To: <1456410090-16029-1-git-send-email-jan.vcelak@nic.cz> References: <1456410090-16029-1-git-send-email-jan.vcelak@nic.cz> Message-ID: <1456410090-16029-3-git-send-email-jan.vcelak@nic.cz> Signed-off-by: Jan Vcelak --- lib/pkcs11_privkey.c | 63 ++++++++++++++++++++++++++++++++++++++++++++++++---- 1 file changed, 59 insertions(+), 4 deletions(-) diff --git a/lib/pkcs11_privkey.c b/lib/pkcs11_privkey.c index fa4acb4..531f646 100644 --- a/lib/pkcs11_privkey.c +++ b/lib/pkcs11_privkey.c @@ -657,6 +657,58 @@ gnutls_pkcs11_privkey_generate2(const char *url, gnutls_pk_algorithm_t pk, static const char def_rsa_pub_exp[3] = { 1,0,1 }; // 65537 = 0x10001 +struct dsa_params { + /* FIPS 186-3 maximal size for L and N length pair is (3072,256). */ + uint8_t prime[384]; + uint8_t subprime[32]; + uint8_t generator[384]; +}; + +static int +_dsa_params_generate(struct ck_function_list *module, ck_session_handle_t session, + unsigned long bits, struct dsa_params *params, + struct ck_attribute *a, int *a_val) +{ + struct ck_mechanism mech = { CKM_DSA_PARAMETER_GEN }; + struct ck_attribute attr = { CKA_PRIME_BITS, &bits, sizeof(bits) }; + ck_object_handle_t key; + ck_rv_t rv; + + /* Generate DSA parameters from prime length. */ + + rv = pkcs11_generate_key(module, session, &mech, &attr, 1, &key); + if (rv != CKR_OK) { + gnutls_assert(); + _gnutls_debug_log("p11: %s\n", pkcs11_strerror(rv)); + return pkcs11_rv_to_err(rv); + } + + /* Retrieve generated parameters to be used with the new key pair. */ + + a[*a_val + 0].type = CKA_PRIME; + a[*a_val + 0].value = params->prime; + a[*a_val + 0].value_len = sizeof(params->prime); + + a[*a_val + 1].type = CKA_SUBPRIME; + a[*a_val + 1].value = params->subprime; + a[*a_val + 1].value_len = sizeof(params->subprime); + + a[*a_val + 2].type = CKA_BASE; + a[*a_val + 2].value = params->generator; + a[*a_val + 2].value_len = sizeof(params->generator); + + rv = pkcs11_get_attribute_value(module, session, key, &a[*a_val], 3); + if (rv != CKR_OK) { + gnutls_assert(); + _gnutls_debug_log("p11: %s\n", pkcs11_strerror(rv)); + return pkcs11_rv_to_err(rv); + } + + *a_val += 3; + + return 0; +} + /** * gnutls_pkcs11_privkey_generate3: * @url: a token URL @@ -709,6 +761,7 @@ gnutls_pkcs11_privkey_generate3(const char *url, gnutls_pk_algorithm_t pk, gnutls_datum_t der = {NULL, 0}; ck_key_type_t key_type; uint8_t id[20]; + struct dsa_params dsa_params; PKCS11_CHECK_INIT; FIX_KEY_USAGE(pk, key_usage); @@ -831,10 +884,12 @@ gnutls_pkcs11_privkey_generate3(const char *url, gnutls_pk_algorithm_t pk, a[a_val].value_len = sizeof(tval); a_val++; - a[a_val].type = CKA_MODULUS_BITS; - a[a_val].value = &_bits; - a[a_val].value_len = sizeof(_bits); - a_val++; + ret = _dsa_params_generate(sinfo.module, sinfo.pks, _bits, + &dsa_params, a, &a_val); + if (ret < 0) { + goto cleanup; + } + break; case GNUTLS_PK_EC: p[p_val].type = CKA_SIGN; -- 2.5.0 From jan.vcelak at nic.cz Thu Feb 25 15:21:29 2016 From: jan.vcelak at nic.cz (Jan Vcelak) Date: Thu, 25 Feb 2016 15:21:29 +0100 Subject: [gnutls-devel] [PATCH 1/2] pkcs11: add interface for C_GenerateKey In-Reply-To: <1456410090-16029-1-git-send-email-jan.vcelak@nic.cz> References: <1456410090-16029-1-git-send-email-jan.vcelak@nic.cz> Message-ID: <1456410090-16029-2-git-send-email-jan.vcelak@nic.cz> Signed-off-by: Jan Vcelak --- lib/pkcs11_int.c | 11 +++++++++++ lib/pkcs11_int.h | 8 ++++++++ 2 files changed, 19 insertions(+) diff --git a/lib/pkcs11_int.c b/lib/pkcs11_int.c index a2277b8..e8517d5 100644 --- a/lib/pkcs11_int.c +++ b/lib/pkcs11_int.c @@ -185,6 +185,17 @@ pkcs11_sign(struct ck_function_list * module, } ck_rv_t +pkcs11_generate_key(struct ck_function_list * module, + ck_session_handle_t sess, + struct ck_mechanism * mechanism, + struct ck_attribute * templ, + unsigned long count, + ck_object_handle_t * key) +{ + return (module)->C_GenerateKey(sess, mechanism, templ, count, key); +} + +ck_rv_t pkcs11_generate_key_pair(struct ck_function_list * module, ck_session_handle_t sess, struct ck_mechanism * mechanism, diff --git a/lib/pkcs11_int.h b/lib/pkcs11_int.h index 6c5f266..272e426 100644 --- a/lib/pkcs11_int.h +++ b/lib/pkcs11_int.h @@ -213,6 +213,14 @@ static inline int pk_to_genmech(gnutls_pk_algorithm_t pk, ck_key_type_t *type) ck_object_class_t pkcs11_type_to_class(gnutls_pkcs11_obj_type_t type); ck_rv_t +pkcs11_generate_key(struct ck_function_list * module, + ck_session_handle_t sess, + struct ck_mechanism * mechanism, + struct ck_attribute * templ, + unsigned long count, + ck_object_handle_t * key); + +ck_rv_t pkcs11_generate_key_pair(struct ck_function_list * module, ck_session_handle_t sess, struct ck_mechanism * mechanism, -- 2.5.0 From jan.vcelak at nic.cz Thu Feb 25 16:43:35 2016 From: jan.vcelak at nic.cz (Jan Vcelak) Date: Thu, 25 Feb 2016 16:43:35 +0100 Subject: [gnutls-devel] [PATCH] Fix DSA private key import into PKCS #11 Message-ID: <1456415016-23206-1-git-send-email-jan.vcelak@nic.cz> Hello, I'm sending another patch for a bug I discovered when doing some PKCS #11 testing. The DSA algorithm identifier was set only in the private key structure, not in the nested parameters. This made DSA private key import into a token fail. This patch fixes the problem. Tested with SoftHSM 2.0. Cheers, Jan Jan Vcelak (1): gnutls_x509_privkey_import: add missing algorithm setting for DSA keys lib/x509/privkey_pkcs8.c | 1 + 1 file changed, 1 insertion(+) -- 2.5.0 From jan.vcelak at nic.cz Thu Feb 25 16:43:36 2016 From: jan.vcelak at nic.cz (Jan Vcelak) Date: Thu, 25 Feb 2016 16:43:36 +0100 Subject: [gnutls-devel] [PATCH] gnutls_x509_privkey_import: add missing algorithm setting for DSA keys In-Reply-To: <1456415016-23206-1-git-send-email-jan.vcelak@nic.cz> References: <1456415016-23206-1-git-send-email-jan.vcelak@nic.cz> Message-ID: <1456415016-23206-2-git-send-email-jan.vcelak@nic.cz> The algorithm number was set only in the private key structure, not in the nested structure with parameters. This made certain operations to fail (e.g., copying the key into a PKCS #11 token). Signed-off-by: Jan Vcelak --- lib/x509/privkey_pkcs8.c | 1 + 1 file changed, 1 insertion(+) diff --git a/lib/x509/privkey_pkcs8.c b/lib/x509/privkey_pkcs8.c index 8b1471c..ca43865 100644 --- a/lib/x509/privkey_pkcs8.c +++ b/lib/x509/privkey_pkcs8.c @@ -1326,6 +1326,7 @@ _decode_pkcs8_dsa_key(ASN1_TYPE pkcs8_asn, gnutls_x509_privkey_t pkey) goto error; } + pkey->params.algo = GNUTLS_PK_DSA; pkey->params.params_nr = DSA_PRIVATE_PARAMS; ret = 0; -- 2.5.0 From nmav at gnutls.org Thu Feb 25 17:34:20 2016 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Thu, 25 Feb 2016 17:34:20 +0100 Subject: [gnutls-devel] [PATCH 0/2] Support for DSA key pairs generating in PKCS #11 In-Reply-To: <1456410090-16029-1-git-send-email-jan.vcelak@nic.cz> References: <1456410090-16029-1-git-send-email-jan.vcelak@nic.cz> Message-ID: On Thu, Feb 25, 2016 at 3:21 PM, Jan Vcelak wrote: > Hello, > this patch set adds support for generating DSA key pairs via PKCS#11. > The former code was incorrectly passing CKA_MODULUS_BITS directy to the > C_GenerateKeyPair function. However, according to the specification, the > implementation expects CKA_PRIME, CKA_SUBPRIME, and CKA_BASE attributes. > The new code uses CKM_DSA_PARAMETER_GEN mechanism for C_GenerateKey to generate > the DSA parameters to be later used with C_GenerateKeyPair. > The implementation has been tested with SoftHSM 2.0. Thank you Jan, Could you add that test in tests/suite along the other pkcs11 checks? That would prevent a future breakage especially since DSA keys aren't widely used. regards, Nikos From nmav at gnutls.org Fri Feb 26 13:43:48 2016 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Fri, 26 Feb 2016 13:43:48 +0100 Subject: [gnutls-devel] [PATCH] gnutls_x509_privkey_import: add missing algorithm setting for DSA keys In-Reply-To: <1456415016-23206-2-git-send-email-jan.vcelak@nic.cz> References: <1456415016-23206-1-git-send-email-jan.vcelak@nic.cz> <1456415016-23206-2-git-send-email-jan.vcelak@nic.cz> Message-ID: On Thu, Feb 25, 2016 at 4:43 PM, Jan Vcelak wrote: > The algorithm number was set only in the private key structure, not in > the nested structure with parameters. This made certain operations to > fail (e.g., copying the key into a PKCS #11 token). > > Signed-off-by: Jan Vcelak Thank you; applied. Again it would be very nice to have a test case with the operations that failed because of that. regards, Nikos From jan.vcelak at nic.cz Fri Feb 26 16:17:46 2016 From: jan.vcelak at nic.cz (Jan Vcelak) Date: Fri, 26 Feb 2016 16:17:46 +0100 Subject: [gnutls-devel] [PATCH 0/2] PKCS #11 tests for key import and generating Message-ID: <1456499868-3555-1-git-send-email-jan.vcelak@nic.cz> Hello, the following patches should cover the code from my recent submissions with tests. The first patch enables DSA key generating. It's basically the same as the existing code for RSA and ECC. The second patch adds RSA/ECC/DSA private key import into the tests. The keys are generated with certtool first, and then imported into the token. There is one unresolved issue with the second test. It seems that there is a bug in the p11tool. The p11tool --write ignores the GNUTLS_PIN environment variable. Therefore the tests will fail. I have used 'pin-value=' URI attribute to workaround this problem when developing this test. Again, tested with SoftHSM 2.0. Best regards, Jan Jan Vcelak (2): pkcs11: tests for DSA key generating pkcs11: tests for RSA, ECC, DSA private key import tests/suite/testpkcs11.sh | 73 +++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 73 insertions(+) -- 2.5.0 From jan.vcelak at nic.cz Fri Feb 26 16:17:47 2016 From: jan.vcelak at nic.cz (Jan Vcelak) Date: Fri, 26 Feb 2016 16:17:47 +0100 Subject: [gnutls-devel] [PATCH 1/2] pkcs11: tests for DSA key generating In-Reply-To: <1456499868-3555-1-git-send-email-jan.vcelak@nic.cz> References: <1456499868-3555-1-git-send-email-jan.vcelak@nic.cz> Message-ID: <1456499868-3555-2-git-send-email-jan.vcelak@nic.cz> Signed-off-by: Jan Vcelak --- tests/suite/testpkcs11.sh | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/tests/suite/testpkcs11.sh b/tests/suite/testpkcs11.sh index 3eb2d2c..2c04dff 100755 --- a/tests/suite/testpkcs11.sh +++ b/tests/suite/testpkcs11.sh @@ -191,6 +191,22 @@ generate_temp_rsa_privkey () { # fi } +generate_temp_dsa_privkey () { + export GNUTLS_PIN="$2" + token="$1" + bits="$3" + + echo -n "* Generating DSA private key ("${bits}")... " + ${P11TOOL} ${ADDITIONAL_PARAM} --login --label temp-dsa-"${bits}" --generate-dsa --bits "${bits}" "${token}" --outfile tmp-client.pub >>"${TMPFILE}" 2>&1 + if test $? = 0; then + RETCODE=0 + echo ok + else + echo failed + RETCODE=1 + fi +} + # $1: token # $2: PIN delete_temp_privkey () { @@ -537,6 +553,9 @@ delete_temp_privkey "${TOKEN}" "${GNUTLS_PIN}" ecc-384 generate_temp_rsa_privkey "${TOKEN}" "${GNUTLS_PIN}" 2048 delete_temp_privkey "${TOKEN}" "${GNUTLS_PIN}" rsa-2048 +generate_temp_dsa_privkey "${TOKEN}" "${GNUTLS_PIN}" 3072 +delete_temp_privkey "${TOKEN}" "${GNUTLS_PIN}" dsa-3072 + generate_rsa_privkey "${TOKEN}" "${GNUTLS_PIN}" 1024 change_id_of_privkey "${TOKEN}" "${GNUTLS_PIN}" export_pubkey_of_privkey "${TOKEN}" "${GNUTLS_PIN}" -- 2.5.0 From jan.vcelak at nic.cz Fri Feb 26 16:17:48 2016 From: jan.vcelak at nic.cz (Jan Vcelak) Date: Fri, 26 Feb 2016 16:17:48 +0100 Subject: [gnutls-devel] [PATCH 2/2] pkcs11: tests for RSA, ECC, DSA private key import In-Reply-To: <1456499868-3555-1-git-send-email-jan.vcelak@nic.cz> References: <1456499868-3555-1-git-send-email-jan.vcelak@nic.cz> Message-ID: <1456499868-3555-3-git-send-email-jan.vcelak@nic.cz> Signed-off-by: Jan Vcelak --- tests/suite/testpkcs11.sh | 54 +++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 54 insertions(+) diff --git a/tests/suite/testpkcs11.sh b/tests/suite/testpkcs11.sh index 2c04dff..3b9c450 100755 --- a/tests/suite/testpkcs11.sh +++ b/tests/suite/testpkcs11.sh @@ -322,6 +322,53 @@ generate_temp_ecc_privkey () { fi } +# $1: name +# $2: label prefix +# $3: generate option +# $4: token +# $5: PIN +# $6: bits +import_privkey () { + export GNUTLS_PIN="$5" + name="$1" + prefix="$2" + gen_option="$3" + token="$4" + bits="$6" + + outfile="tmp-${prefix}-${bits}.pem" + + echo -n "* Importing ${name} private key (${bits})... " + + "${CERTTOOL}" ${CERTTOOL_PARAM} --generate-privkey "${gen_option}" --pkcs8 --password= --outfile "${outfile}" >>"${TMPFILE}" 2>&1 + if test $? != 0; then + RETCODE=1 + echo failed + return + fi + + ${P11TOOL} ${ADDITIONAL_PARAM} --login --write --label "${prefix}-${bits}" --load-privkey "${outfile}" "${token}" >>"${TMPFILE}" 2>&1 + if test $? = 0; then + RETCODE=0 + echo ok + else + echo failed + RETCODE=1 + fi +} + +import_temp_rsa_privkey () { + import_privkey RSA temp-rsa --rsa $@ +} + +import_temp_ecc_privkey () { + import_privkey ECC temp-ecc --ecc $@ +} + +import_temp_dsa_privkey () { + import_privkey DSA temp-dsa --dsa $@ +} + # $1: token # $2: PIN # $3: cakey: ${srcdir}/pkcs11-certs/ca.key @@ -556,6 +603,13 @@ delete_temp_privkey "${TOKEN}" "${GNUTLS_PIN}" rsa-2048 generate_temp_dsa_privkey "${TOKEN}" "${GNUTLS_PIN}" 3072 delete_temp_privkey "${TOKEN}" "${GNUTLS_PIN}" dsa-3072 +import_temp_rsa_privkey "${TOKEN}" "${GNUTLS_PIN}" 1024 +delete_temp_privkey "${TOKEN}" "${GNUTLS_PIN}" rsa-1024 +import_temp_ecc_privkey "${TOKEN}" "${GNUTLS_PIN}" 256 +delete_temp_privkey "${TOKEN}" "${GNUTLS_PIN}" ecc-256 +import_temp_dsa_privkey "${TOKEN}" "${GNUTLS_PIN}" 2048 +delete_temp_privkey "${TOKEN}" "${GNUTLS_PIN}" dsa-2048 + generate_rsa_privkey "${TOKEN}" "${GNUTLS_PIN}" 1024 change_id_of_privkey "${TOKEN}" "${GNUTLS_PIN}" export_pubkey_of_privkey "${TOKEN}" "${GNUTLS_PIN}" -- 2.5.0 From n.mavrogiannopoulos at gmail.com Sat Feb 27 22:38:54 2016 From: n.mavrogiannopoulos at gmail.com (Nikos Mavrogiannopoulos) Date: Sat, 27 Feb 2016 22:38:54 +0100 Subject: [gnutls-devel] [PATCH 0/2] PKCS #11 tests for key import and generating In-Reply-To: <1456499868-3555-1-git-send-email-jan.vcelak@nic.cz> References: <1456499868-3555-1-git-send-email-jan.vcelak@nic.cz> Message-ID: <1456609134.3816.1.camel@gmail.com> On Fri, 2016-02-26 at 16:17 +0100, Jan Vcelak wrote: > Hello, > > the following patches should cover the code from my recent > submissions with > tests. > > The first patch enables DSA key generating. It's basically the same > as the > existing code for RSA and ECC. > > The second patch adds RSA/ECC/DSA private key import into the tests. > The keys > are generated with certtool first, and then imported into the token. > > There is one unresolved issue with the second test. It seems that > there is > a bug in the p11tool. The p11tool --write ignores the GNUTLS_PIN > environment > variable. Therefore the tests will fail. I have used 'pin-value=' URI > attribute > to workaround this problem when developing this test. > > Again, tested with SoftHSM 2.0. Thank you; both applied. I don't see the failure with the PIN in master though. From ametzler at bebt.de Sun Feb 28 15:45:32 2016 From: ametzler at bebt.de (Andreas Metzler) Date: Sun, 28 Feb 2016 15:45:32 +0100 Subject: [gnutls-devel] p11tool: enhance --provider option Message-ID: <20160228144532.GA1238@argenau.bebt.de> Hello, p11-kit's p11_kit_module_load() function accepts either an absolute path or a path/filename relative to P11_MODULE_PATH.[1] Attached trivial patch enhances GnuTLS' p11tool --provider option, making it possible to also specify a filename in P11_MODULE_PATH. cu Andreas [1] https://lists.freedesktop.org/archives/p11-glue/2016-February/000587.html -- `What a good friend you are to him, Dr. Maturin. His other friends are so grateful to you.' `I sew his ears on from time to time, sure' -------------- next part -------------- A non-text attachment was scrubbed... Name: 0001-Let-p11tool-provider-option-accept-filenames.patch Type: text/x-diff Size: 797 bytes Desc: not available URL: From nmav at gnutls.org Sun Feb 28 16:14:00 2016 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Sun, 28 Feb 2016 16:14:00 +0100 Subject: [gnutls-devel] p11tool: enhance --provider option In-Reply-To: <20160228144532.GA1238@argenau.bebt.de> References: <20160228144532.GA1238@argenau.bebt.de> Message-ID: On Sun, Feb 28, 2016 at 3:45 PM, Andreas Metzler wrote: > Hello, > p11-kit's p11_kit_module_load() function accepts either an absolute path > or a path/filename relative to P11_MODULE_PATH.[1] Attached trivial > patch enhances GnuTLS' p11tool --provider option, making it possible to > also specify a filename in P11_MODULE_PATH. Applied, thank you. From jan.vcelak at nic.cz Mon Feb 29 15:39:58 2016 From: jan.vcelak at nic.cz (=?UTF-8?Q?Jan_V=c4=8delak?=) Date: Mon, 29 Feb 2016 15:39:58 +0100 Subject: [gnutls-devel] [PATCH 0/2] PKCS #11 tests for key import and generating In-Reply-To: <1456609134.3816.1.camel@gmail.com> References: <1456499868-3555-1-git-send-email-jan.vcelak@nic.cz> <1456609134.3816.1.camel@gmail.com> Message-ID: <56D4583E.1050902@nic.cz> On 27.2.2016 22:38, Nikos Mavrogiannopoulos wrote: > Thank you; both applied. I don't see the failure with the PIN in master > though. You are very welcome. I can't see the failure as well now. My master was probably a bit older. Cheers, Jam From bj at SerNet.DE Fri Feb 5 18:28:37 2016 From: bj at SerNet.DE (=?iso-8859-1?Q?Bj=F6rn?= JACKE) Date: Fri, 05 Feb 2016 17:28:37 -0000 Subject: [gnutls-devel] usage of --dane option without dane support should fail Message-ID: <20160205170042.GA18501@SerNet.DE> Hi, when gnutls is built without dane support this is not visible to the user. The man page says that there is the --date option, gnutls-cli shows that there is a --dane option, using the option succeeds. Even though gnutls-cli was not linked agains libunbound and no dane support exists. This might people use and truse the dane support even though is is non-existent. I suggest that without dane support the use of the --dane option whould result in a certificate trust check failure - or gnutls-cli should refuse to accept the --dane option right from the start. Bj?rn From stlman at poczta.fm Sun Feb 14 12:03:13 2016 From: stlman at poczta.fm (=?utf-8?Q?=C5=81ukasz?= Stelmach) Date: Sun, 14 Feb 2016 11:03:13 -0000 Subject: [gnutls-devel] [WISH] support SOCKS5 in gnutls-cli Message-ID: <87egcf8tjf.fsf%stlman@poczta.fm> Dear Developers, I wish gnutls-cli supported SOCKS5 for establishing connection so it could be used to connect via Tor. Kind regards, -- By?o mi bardzo mi?o. --- Rurku. --- ... >?ukasz< --- To dobrze, ?e mnie s?uchasz. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 602 bytes Desc: not available URL: From kuleshovmail at gmail.com Sun Feb 21 17:35:25 2016 From: kuleshovmail at gmail.com (Alexnader Kuleshov) Date: Sun, 21 Feb 2016 22:35:25 +0600 Subject: [gnutls-devel] DCO Message-ID: <20160221163525.GA2246@localhost> Hello, below the DCO for my contributions. Developer's Certificate of Origin 1.1 By making a contribution to this project, I certify that: (a) The contribution was created in whole or in part by me and I have the right to submit it under the open source license indicated in the file; or (b) The contribution is based upon previous work that, to the best of my knowledge, is covered under an appropriate open source license and I have the right under that license to submit that work with modifications, whether created in whole or in part by me, under the same open source license (unless I am permitted to submit under a different license), as indicated in the file; or (c) The contribution was provided directly to me by some other person who certified (a), (b) or (c) and I have not modified it. (d) I understand and agree that this project and the contribution are public and that a record of the contribution (including all personal information I submit with it, including my sign-off) is maintained indefinitely and may be redistributed consistent with this project or the open source license(s) involved. From nmav at gnutls.org Mon Feb 29 17:09:55 2016 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Mon, 29 Feb 2016 17:09:55 +0100 Subject: [gnutls-devel] change in posting policy Message-ID: <1456762195.1861.3.camel@gnutls.org> Hello, Due to a large amount of spam received by the list, it is no longer practical to go through the list of held postings and approve them. As such, I've switched the posting policy to members only. regards, Nikos