From simon at josefsson.org  Sun May  3 21:41:55 2009
From: simon at josefsson.org (Simon Josefsson)
Date: Sun, 03 May 2009 21:41:55 +0200
Subject: GnuTLS 2.7.8
Message-ID: <87hc02c6t8.fsf@mocca.josefsson.org>

The GnuTLS 2.7.x branch is NOT what you want for your stable system.  It
is intended for developers and experienced users.

Here are the compressed sources:
  http://alpha.gnu.org/gnu/gnutls/gnutls-2.7.8.tar.bz2 (5.8MB)
  ftp://alpha.gnu.org/gnu/gnutls/gnutls-2.7.8.tar.bz2

Here is the OpenPGP signature:
  http://alpha.gnu.org/gnu/gnutls/gnutls-2.7.8.tar.bz2.sig
  ftp://alpha.gnu.org/gnu/gnutls/gnutls-2.7.8.tar.bz2.sig

Known open issues holding back the next stable release:

 * Make gnutls-cli/gnutls-serv work under Windows again
 * Resolve how to treat the partial TLS 1.2 implementation
 * Fix the API man page for priority strings
 * Confirm that Cedric BAIL's copyright assignment has arrived with the FSF

The earlier plan to release on April 1th didn't work out, but I'm going
to try work through these issues again now.  If you want to see anything
else done in the next stable release, now is the time to speak!

Improving GnuTLS is costly, but you can help!  We are looking for
organizations that find GnuTLS useful and wish to contribute back.  You
can contribute by reporting bugs, improve the software, or donate money
or equipment.

Commercial support contracts for GnuTLS are available, and they help
finance continued maintenance.  Simon Josefsson Datakonsult AB, a
Stockholm based privately held company, is currently funding GnuTLS
maintenance.  We are always looking for interesting development
projects.  See http://josefsson.org/ for more details.

/Simon

* Version 2.7.8 (released 2009-05-03)

** libgnutls: Fix DSA key generation.
Merged from stable branch.  [GNUTLS-SA-2009-2] [CVE-2009-1416]

** libgnutls: Check expiration/activation time on untrusted certificates.
Merged from stable branch.  Reported by Romain Francoise
<romain at orebokech.com>.  This changes the semantics of
gnutls_x509_crt_list_verify, which in turn is used by
gnutls_certificate_verify_peers and gnutls_certificate_verify_peers2.
We add two new gnutls_certificate_status_t codes for reporting the new
error condition, GNUTLS_CERT_NOT_ACTIVATED and GNUTLS_CERT_EXPIRED.
We also add a new gnutls_certificate_verify_flags flag,
GNUTLS_VERIFY_DISABLE_TIME_CHECKS, that can be used to disable the new
behaviour.  [GNUTLS-SA-2009-3] [CVE-2009-1417]

** lib: Linker version scripts reduces number of exported symbols.
The linker version script now lists all exported ABIs explicitly, to
avoid accidentally exporting unintended functions.  Compared to
before, most symbols beginning with _gnutls* are no longer exported.
These functions have never been intended for use by applications, and
there were no prototypes for these function in the public header
files.  Thus we believe it is possible to do this without incrementing
the library ABI version which normally has to be done when removing an
interface.

** lib: Limit exported symbols on systems without LD linker scripts.
Before all symbols were exported.  Now we limit the exported symbols
to (for libgnutls and libgnutls-extra) gnutls* and (for libgnutls)
_gnutls*.  This is a superset of the actual supported ABI, but still
an improvement compared to before.  This is implemented using Libtool
-export-symbols-regex.  It is more portable than linker version
scripts.

** libgnutls: Incremented CURRENT/AGE libtool version to reflect new symbols.
This should have been done in the last release.

** gnutls-serv: Listen on all interfaces, including both IPv4 and IPv6.
Reported by Peter Hendrickson <pdh at wiredyne.com> in
<http://thread.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3476>.

** doc: Improved sections for the info manual.
We now follow the advice given by the texinfo manual on which
directory categories to use.  In particular, libgnutls moved from the
'GNU Libraries' section to the 'Software libraries' and the command
line tools moved from 'Network Applications' to 'System
Administration'.

** API and ABI modifications:
gnutls_x509_crt_list_verify: CHANGED, checks activation/expiration times.
gnutls_certificate_verify_peers: Likewise.
gnutls_certificate_verify_peers2: Likewise.
GNUTLS_CERT_NOT_ACTIVATED: ADDED.
GNUTLS_CERT_EXPIRED: ADDED.
GNUTLS_VERIFY_DISABLE_TIME_CHECKS: ADDED.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 419 bytes
Desc: not available
URL: </pipermail/attachments/20090503/92ca09a7/attachment.pgp>

From arfrever.fta at gmail.com  Sun May  3 22:51:30 2009
From: arfrever.fta at gmail.com (Arfrever Frehtes Taifersar Arahesis)
Date: Sun, 3 May 2009 22:51:30 +0200
Subject: GnuTLS 2.7.8 fails to build
Message-ID: <200905032251.31280.Arfrever.FTA@gmail.com>

GnuTLS 2.7.8 fails to build:

/bin/sh ../libtool --tag=CC   --mode=link x86_64-pc-linux-gnu-gcc -std=gnu99 -Wall -W -Wformat-security -Winit-self -Wmissing-include-dirs -Wunused -Wunknown-pragmas -Wstrict-aliasing -Wfloat-equal -Wdeclaration-after-statement -Wpointer-arith -Wbad-function-cast -Wcast-align -Wwrite-strings -Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations -Wmissing-noreturn -Wmissing-format-attribute -Wpacked -Wredundant-decls -Wnested-externs -Winline -Winvalid-pch -Wlong-long -Wvla -Wvolatile-register-var -Wdisabled-optimization -Wstack-protector -Woverlength-strings -Wattributes -Wcoverage-mismatch -Wmultichar -Wunused-macros -Wno-missing-field-initializers -Wno-sign-compare -Wno-pointer-sign -Wno-unused-parameter -Wno-unused-parameter -fdiagnostics-show-option -march=core2 -pipe -O3  -Wl,-O1,--as-needed,--gc-sections,--hash-style=gnu,--sort-common -o gnutls-serv serv.o common.o ../lib/libgnutls.la ../libextra/libgnutls-extra.la libcmd-serv.la ../gl/libgnu.la
libtool: link: x86_64-pc-linux-gnu-gcc -std=gnu99 -Wall -W -Wformat-security -Winit-self -Wmissing-include-dirs -Wunused -Wunknown-pragmas -Wstrict-aliasing -Wfloat-equal -Wdeclaration-after-statement -Wpointer-arith -Wbad-function-cast -Wcast-align -Wwrite-strings -Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations -Wmissing-noreturn -Wmissing-format-attribute -Wpacked -Wredundant-decls -Wnested-externs -Winline -Winvalid-pch -Wlong-long -Wvla -Wvolatile-register-var -Wdisabled-optimization -Wstack-protector -Woverlength-strings -Wattributes -Wcoverage-mismatch -Wmultichar -Wunused-macros -Wno-missing-field-initializers -Wno-sign-compare -Wno-pointer-sign -Wno-unused-parameter -Wno-unused-parameter -fdiagnostics-show-option -march=core2 -pipe -O3 -Wl,-O1 -Wl,--as-needed -Wl,--gc-sections -Wl,--hash-style=gnu -Wl,--sort-common -o .libs/gnutls-serv serv.o common.o  ../lib/.libs/libgnutls.so -L/usr/lib64 ../libextra/.libs/libgnutls-extra.so /usr/lib64/liblzo2.so /var/tmp/portage/net-libs/gnutls-2.7.8/work/gnutls-2.7.8/lib/.libs/libgnutls.so /usr/lib64/libtasn1.so -lz /usr/lib64/libgcrypt.so /usr/lib64/libgpg-error.so ./.libs/libcmd-serv.a ../gl/.libs/libgnu.a
../libextra/.libs/libgnutls-extra.so: undefined reference to `_gnutls_compression_algorithms'
../libextra/.libs/libgnutls-extra.so: undefined reference to `_gnutls_comp_algorithms_size'
../libextra/.libs/libgnutls-extra.so: undefined reference to `_gnutls_lzo1x_decompress_safe'
../libextra/.libs/libgnutls-extra.so: undefined reference to `_gnutls_lzo1x_1_compress'
collect2: ld returned 1 exit status
make[3]: *** [gnutls-serv] Error 1
make[3]: Leaving directory `/var/tmp/portage/net-libs/gnutls-2.7.8/work/gnutls-2.7.8/src'
make[2]: *** [all-recursive] Error 1
make[2]: Leaving directory `/var/tmp/portage/net-libs/gnutls-2.7.8/work/gnutls-2.7.8/src'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/var/tmp/portage/net-libs/gnutls-2.7.8/work/gnutls-2.7.8'
make: *** [all] Error 2

-- 
Arfrever Frehtes Taifersar Arahesis
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: This is a digitally signed message part.
URL: </pipermail/attachments/20090503/8c7af846/attachment.pgp>

From simon at josefsson.org  Sun May  3 23:33:08 2009
From: simon at josefsson.org (Simon Josefsson)
Date: Sun, 03 May 2009 23:33:08 +0200
Subject: GnuTLS 2.7.8 fails to build
In-Reply-To: <200905032251.31280.Arfrever.FTA@gmail.com> (Arfrever Frehtes
	Taifersar Arahesis's message of "Sun, 3 May 2009 22:51:30 +0200")
References: <200905032251.31280.Arfrever.FTA@gmail.com>
Message-ID: <87d4apdg8b.fsf@mocca.josefsson.org>

Arfrever Frehtes Taifersar Arahesis <arfrever.fta at gmail.com> writes:

> ../libextra/.libs/libgnutls-extra.so: undefined reference to `_gnutls_compression_algorithms'
> ../libextra/.libs/libgnutls-extra.so: undefined reference to `_gnutls_comp_algorithms_size'
> ../libextra/.libs/libgnutls-extra.so: undefined reference to `_gnutls_lzo1x_decompress_safe'
> ../libextra/.libs/libgnutls-extra.so: undefined reference to `_gnutls_lzo1x_1_compress'

Thanks for testing!  This only happens if you build --with-lzo.  I've
fixed it on master, it was a consequence of the new tighter symbol
export list.

But really, I think you should remove --with-lzo from your build.  LZO
compression is not standardized.  Do you need it?

Perhaps we should disable LZO more thoroughly before 2.8, there are some
distributions that build gnutls with lzo enabled by default, and I don't
think the reasons for enabling it are always well motivated.  We could
also just change --with-lzo to --with-experimental-lzo.  People building
--with-lzo will no longer get LZO.  If they investigate why, they would
end up reading the NEWS blurb where we can explain why users in general
should not enable LZO.

Thoughts?

/Simon




From tgc at jupiterrise.com  Mon May  4 21:45:30 2009
From: tgc at jupiterrise.com (Tom G. Christensen)
Date: Mon, 4 May 2009 21:45:30 +0200
Subject: GnuTLS 2.6.6/2.7.8 assumes AF_INET6 is available
Message-ID: <20090504194530.GA30365@ares.tgcnet>

I just attempted a build of GnuTLS 2.6.6 on Solaris 2.6 but it fails
in src/serv.c because AF_INET6 is undefined.

gcc -std=gnu99 -DHAVE_CONFIG_H -I. -I..  -I../includes -I../includes -I../lgl -I../lgl -I../gl -I../gl -I./cfg -I/usr/tgcware/include -I/usr/tgcware/include -g -O2 -Wno-pointer-sign -MT serv.o -MD -MP -MF .deps/serv.Tpo -c -o serv.o serv.c
serv.c:783: warning: 'struct sockaddr_storage' declared inside parameter list
serv.c:783: warning: its scope is only this definition or declaration, which is probably not what you want
serv.c: In function 'get_port':
serv.c:785: error: dereferencing pointer to incomplete type
serv.c:787: error: 'AF_INET6' undeclared (first use in this function)
serv.c:787: error: (Each undeclared identifier is reported only once
serv.c:787: error: for each function it appears in.)
serv.c:788: error: dereferencing pointer to incomplete type
serv.c: In function 'main':
serv.c:813: error: storage size of 'client_address' isn't known
make[3]: *** [serv.o] Error 1

Grepping for AF_INET6 reveals the same issue in src/certtool-cfg.c

I looked at 2.7.8 and there seems to have been no change in the
situation there.

The buildlog from 2.6.6 is available here:
http://jupiterrise.com/tmp

-tgc




From simon at josefsson.org  Tue May  5 12:01:00 2009
From: simon at josefsson.org (Simon Josefsson)
Date: Tue, 05 May 2009 12:01:00 +0200
Subject: GnuTLS 2.6.6/2.7.8 assumes AF_INET6 is available
In-Reply-To: <20090504194530.GA30365@ares.tgcnet> (Tom G. Christensen's
	message of "Mon, 4 May 2009 21:45:30 +0200")
References: <20090504194530.GA30365@ares.tgcnet>
Message-ID: <87skjjq36r.fsf@mocca.josefsson.org>

"Tom G. Christensen" <tgc at jupiterrise.com> writes:

> I just attempted a build of GnuTLS 2.6.6 on Solaris 2.6 but it fails
> in src/serv.c because AF_INET6 is undefined.
>
> gcc -std=gnu99 -DHAVE_CONFIG_H -I. -I..  -I../includes -I../includes -I../lgl -I../lgl -I../gl -I../gl -I./cfg -I/usr/tgcware/include -I/usr/tgcware/include -g -O2 -Wno-pointer-sign -MT serv.o -MD -MP -MF .deps/serv.Tpo -c -o serv.o serv.c
> serv.c:783: warning: 'struct sockaddr_storage' declared inside parameter list
> serv.c:783: warning: its scope is only this definition or declaration, which is probably not what you want
> serv.c: In function 'get_port':
> serv.c:785: error: dereferencing pointer to incomplete type
> serv.c:787: error: 'AF_INET6' undeclared (first use in this function)
> serv.c:787: error: (Each undeclared identifier is reported only once
> serv.c:787: error: for each function it appears in.)
> serv.c:788: error: dereferencing pointer to incomplete type
> serv.c: In function 'main':
> serv.c:813: error: storage size of 'client_address' isn't known
> make[3]: *** [serv.o] Error 1
>
> Grepping for AF_INET6 reveals the same issue in src/certtool-cfg.c
>
> I looked at 2.7.8 and there seems to have been no change in the
> situation there.
>
> The buildlog from 2.6.6 is available here:
> http://jupiterrise.com/tmp

Thanks for the report.  For 2.6.6, can you try the patch below?  If it
works, we can port it to GnuTLS 2.7.x as well.

/Simon

diff --git a/src/certtool-cfg.c b/src/certtool-cfg.c
index 796dc7e..6acf01c 100644
--- a/src/certtool-cfg.c
+++ b/src/certtool-cfg.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2006, 2007, 2008 Free Software Foundation
+ * Copyright (C) 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation
  *
  * This file is part of GNUTLS.
  *
@@ -732,6 +732,7 @@ static int string_to_ip( unsigned char *ip, const char * str)
   int len = strlen( str);
   int ret;
 
+#if HAVE_IPV6
   if ( strchr(str, ':') != NULL || len > 16) { /* IPv6 */
     ret = inet_pton(AF_INET6, str, ip);
     if (ret <= 0) {
@@ -741,7 +742,9 @@ static int string_to_ip( unsigned char *ip, const char * str)
 
     /* To be done */
     return 16;
-  } else { /* IPv4 */
+  } else
+#endif
+  { /* IPv4 */
     ret = inet_pton(AF_INET, str, ip);
     if (ret <= 0) {
         fprintf(stderr, "Error in IPv4 address %s\n", str);
diff --git a/src/serv.c b/src/serv.c
index c138bff..a8e0910 100644
--- a/src/serv.c
+++ b/src/serv.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2006, 2007, 2008 Free Software Foundation
+ * Copyright (C) 2004, 2006, 2007, 2008, 2009 Free Software Foundation
  * Copyright (C) 2001,2002 Paul Sheer
  * Portions Copyright (C) 2002,2003 Nikos Mavrogiannopoulos
  *
@@ -784,8 +784,10 @@ get_port (const struct sockaddr_storage *addr)
 {
   switch (addr->ss_family)
     {
+#if HAVE_IPV6
     case AF_INET6:
       return ntohs (((const struct sockaddr_in6 *) addr)->sin6_port);
+#endif
     case AF_INET:
       return ntohs (((const struct sockaddr_in *) addr)->sin_port);
     }




From simon at josefsson.org  Tue May  5 17:29:52 2009
From: simon at josefsson.org (Simon Josefsson)
Date: Tue, 05 May 2009 17:29:52 +0200
Subject: GnuTLS 2.6.6/2.7.8 assumes AF_INET6 is available
In-Reply-To: <20090505152415.GA5223@ares.tgcnet> (Tom G. Christensen's message
	of "Tue, 5 May 2009 17:24:15 +0200")
References: <20090504194530.GA30365@ares.tgcnet>
	<87skjjq36r.fsf@mocca.josefsson.org>
	<20090505152415.GA5223@ares.tgcnet>
Message-ID: <87eiv3mutr.fsf@mocca.josefsson.org>

"Tom G. Christensen" <tgc at jupiterrise.com> writes:

> On Tue, May 05, 2009 at 12:01:00PM +0200, Simon Josefsson wrote:
>> "Tom G. Christensen" <tgc at jupiterrise.com> writes:
>> 
>> > I just attempted a build of GnuTLS 2.6.6 on Solaris 2.6 but it fails
>> > in src/serv.c because AF_INET6 is undefined.
>> >
> <snip>
>> Thanks for the report.  For 2.6.6, can you try the patch below?  If it
>> works, we can port it to GnuTLS 2.7.x as well.
>> 
> It works fine but it fails in src/serv.c on a related error in that
> Solaris 2.6 does not define sockaddr_storage.
>
> gcc -std=gnu99 -DHAVE_CONFIG_H -I. -I..  -I../includes -I../includes -I../lgl -I../lgl -I../gl -I../gl -I./cfg -I/usr/tgcware/include -I/usr/tgcware/include -g -O2 -Wno-pointer-sign -MT serv.o -MD -MP -MF .deps/serv.Tpo -c -o serv.o serv.c
> serv.c:783: warning: 'struct sockaddr_storage' declared inside parameter list
> serv.c:783: warning: its scope is only this definition or declaration, which is probably not what you want
> serv.c: In function 'get_port':
> serv.c:785: error: dereferencing pointer to incomplete type
> serv.c: In function 'main':
> serv.c:815: error: storage size of 'client_address' isn't known
> make[3]: *** [serv.o] Error 1

Interesting.  Does adding this to the top of serv.c work:

#ifndef HAVE_IPV6
# define sockaddr_storage sockaddr_in
#endif

/Simon




From tgc at jupiterrise.com  Tue May  5 17:24:15 2009
From: tgc at jupiterrise.com (Tom G. Christensen)
Date: Tue, 5 May 2009 17:24:15 +0200
Subject: GnuTLS 2.6.6/2.7.8 assumes AF_INET6 is available
In-Reply-To: <87skjjq36r.fsf@mocca.josefsson.org>
References: <20090504194530.GA30365@ares.tgcnet>
	<87skjjq36r.fsf@mocca.josefsson.org>
Message-ID: <20090505152415.GA5223@ares.tgcnet>

On Tue, May 05, 2009 at 12:01:00PM +0200, Simon Josefsson wrote:
> "Tom G. Christensen" <tgc at jupiterrise.com> writes:
> 
> > I just attempted a build of GnuTLS 2.6.6 on Solaris 2.6 but it fails
> > in src/serv.c because AF_INET6 is undefined.
> >
<snip>
> Thanks for the report.  For 2.6.6, can you try the patch below?  If it
> works, we can port it to GnuTLS 2.7.x as well.
> 
It works fine but it fails in src/serv.c on a related error in that
Solaris 2.6 does not define sockaddr_storage.

gcc -std=gnu99 -DHAVE_CONFIG_H -I. -I..  -I../includes -I../includes -I../lgl -I../lgl -I../gl -I../gl -I./cfg -I/usr/tgcware/include -I/usr/tgcware/include -g -O2 -Wno-pointer-sign -MT serv.o -MD -MP -MF .deps/serv.Tpo -c -o serv.o serv.c
serv.c:783: warning: 'struct sockaddr_storage' declared inside parameter list
serv.c:783: warning: its scope is only this definition or declaration, which is probably not what you want
serv.c: In function 'get_port':
serv.c:785: error: dereferencing pointer to incomplete type
serv.c: In function 'main':
serv.c:815: error: storage size of 'client_address' isn't known
make[3]: *** [serv.o] Error 1

-tgc




From tgc at jupiterrise.com  Tue May  5 19:26:37 2009
From: tgc at jupiterrise.com (Tom G. Christensen)
Date: Tue, 5 May 2009 19:26:37 +0200
Subject: GnuTLS 2.6.6/2.7.8 assumes AF_INET6 is available
In-Reply-To: <87eiv3mutr.fsf@mocca.josefsson.org>
References: <20090504194530.GA30365@ares.tgcnet>
	<87skjjq36r.fsf@mocca.josefsson.org>
	<20090505152415.GA5223@ares.tgcnet>
	<87eiv3mutr.fsf@mocca.josefsson.org>
Message-ID: <20090505172637.GA9699@ares.tgcnet>

On Tue, May 05, 2009 at 05:29:52PM +0200, Simon Josefsson wrote:
> "Tom G. Christensen" <tgc at jupiterrise.com> writes:
> 
> > On Tue, May 05, 2009 at 12:01:00PM +0200, Simon Josefsson wrote:
> >> "Tom G. Christensen" <tgc at jupiterrise.com> writes:
> >> 
> >> > I just attempted a build of GnuTLS 2.6.6 on Solaris 2.6 but it fails
> >> > in src/serv.c because AF_INET6 is undefined.
> >> >
> > <snip>
> >> Thanks for the report.  For 2.6.6, can you try the patch below?  If it
> >> works, we can port it to GnuTLS 2.7.x as well.
> >> 
> > It works fine but it fails in src/serv.c on a related error in that
> > Solaris 2.6 does not define sockaddr_storage.
> >
> > gcc -std=gnu99 -DHAVE_CONFIG_H -I. -I..  -I../includes -I../includes -I../lgl -I../lgl -I../gl -I../gl -I./cfg -I/usr/tgcware/include -I/usr/tgcware/include -g -O2 -Wno-pointer-sign -MT serv.o -MD -MP -MF .deps/serv.Tpo -c -o serv.o serv.c
> > serv.c:783: warning: 'struct sockaddr_storage' declared inside parameter list
> > serv.c:783: warning: its scope is only this definition or declaration, which is probably not what you want
> > serv.c: In function 'get_port':
> > serv.c:785: error: dereferencing pointer to incomplete type
> > serv.c: In function 'main':
> > serv.c:815: error: storage size of 'client_address' isn't known
> > make[3]: *** [serv.o] Error 1
> 
> Interesting.  Does adding this to the top of serv.c work:
> 
> #ifndef HAVE_IPV6
> # define sockaddr_storage sockaddr_in
> #endif
> 
This causes another error:

gcc -std=gnu99 -DHAVE_CONFIG_H -I. -I..  -I../includes -I../includes
-I../lgl -I../lgl -I../gl -I../gl -I./cfg -I/usr/tgcware/include
-I/usr/tgcware/include -g -O2 -Wno-pointer-sign -MT serv.o -MD -MP -MF
.deps/serv.Tpo -c -o serv.o serv.c
serv.c: In function 'get_port':
serv.c:789: error: 'const struct sockaddr_in' has no member named
'ss_family'
make[3]: *** [serv.o] Error 1

-tgc




From Jeff.Cai at Sun.COM  Wed May  6 09:46:59 2009
From: Jeff.Cai at Sun.COM (Jeff Cai)
Date: Wed, 06 May 2009 15:46:59 +0800
Subject: Libtasn1 2.1
In-Reply-To: <87skk8xjyo.fsf@mocca.josefsson.org>
References: <87skk8xjyo.fsf@mocca.josefsson.org>
Message-ID: <1241596019.2110.15.camel@par>

Simon,

I also found that libtasn1.pc also licensed under GPLv3. It this true?

A library of LGPL v2 lives with a .pc file with GPL v3? 

Jeff


On Fri, 2009-04-17 at 01:22 +0200, Simon Josefsson wrote:
> Libtasn1 is a standalone library written in C for manipulating ASN.1
> objects including DER/BER encoding and DER/BER decoding.  Libtasn1 is
> used by GnuTLS to manipulate X.509 objects and by Shishi to handle
> Kerberos V5 packets.
> 
> Version 2.1 (released 2009-04-17)
> - Fix compilation failure on platforms that can't generate empty archives,
>   e.g., Mac OS X.  Reported by David Reiser <dbreiser at gmail.com>.
> 
> Commercial support contracts for Libtasn1 are available, and they help
> finance continued maintenance.  Simon Josefsson Datakonsult AB, a
> Stockholm based privately held company, is currently funding Libtasn1
> maintenance.  We are always looking for interesting development
> projects.  See http://josefsson.org/ for more details.
> 
> If you need help to use Libtasn1, or want to help others, you are
> invited to join the help-gnutls mailing list, see:
> <http://lists.gnu.org/mailman/listinfo/help-gnutls>.
> 
> Homepage:
>   http://josefsson.org/libtasn1/
> 
> Here are the compressed sources (1.6MB):
>   ftp://ftp.gnu.org/gnu/gnutls/libtasn1-2.1.tar.gz
>   http://ftp.gnu.org/gnu/gnutls/libtasn1-2.1.tar.gz
> 
> Here are GPG detached signatures using key 0xB565716F:
>   ftp://ftp.gnu.org/gnu/gnutls/libtasn1-2.1.tar.gz.sig
>   http://ftp.gnu.org/gnu/gnutls/libtasn1-2.1.tar.gz.sig
> 
> The software is cryptographically signed by the author using an
> OpenPGP key identified by the following information:
> 
> pub   1280R/B565716F 2002-05-05 [expires: 2010-02-22]
>       Key fingerprint = 0424 D4EE 81A0 E3D1 19C6  F835 EDA2 1E94 B565 716F
> uid                  Simon Josefsson <simon at josefsson.org>
> uid                  Simon Josefsson <jas at extundo.com>
> sub   1280R/4D5D40AE 2002-05-05 [expires: 2009-04-21]
> 
> The key is available from:
>   http://josefsson.org/key.txt
>   dns:b565716f.josefsson.org?TYPE=CERT
> 
> Here are the SHA-1 and SHA-224 checksums:
> 
> 884cc6609d7694a834a767b4b2975d6c5ab0d566  libtasn1-2.1.tar.gz
> 
> 3e78a2af893cde0eda9820d46077bde6f1a6b083b3cc2ed90df2420d  libtasn1-2.1.tar.gz
> 
> Happy hacking,
> Simon
> _______________________________________________
> Gnutls-devel mailing list
> Gnutls-devel at gnu.org
> http://lists.gnu.org/mailman/listinfo/gnutls-devel





From simon at josefsson.org  Wed May  6 09:56:59 2009
From: simon at josefsson.org (Simon Josefsson)
Date: Wed, 06 May 2009 09:56:59 +0200
Subject: Libtasn1 2.1
In-Reply-To: <1241596019.2110.15.camel@par> (Jeff Cai's message of "Wed, 06
	May 2009 15:46:59 +0800")
References: <87skk8xjyo.fsf@mocca.josefsson.org> <1241596019.2110.15.camel@par>
Message-ID: <878wlall4k.fsf@mocca.josefsson.org>

Jeff Cai <Jeff.Cai at Sun.COM> writes:

> Simon,
>
> I also found that libtasn1.pc also licensed under GPLv3. It this true?
>
> A library of LGPL v2 lives with a .pc file with GPL v3? 

Hi.  I've re-licensed it to LGPLv2.1+, see:

http://git.savannah.gnu.org/cgit/libtasn1.git/commit/?id=009b6c20ffc0164189691b47ad5f172518b97169

/Simon




From simon at josefsson.org  Wed May  6 10:01:20 2009
From: simon at josefsson.org (Simon Josefsson)
Date: Wed, 06 May 2009 10:01:20 +0200
Subject: GnuTLS 2.6.6/2.7.8 assumes AF_INET6 is available
In-Reply-To: <20090505172637.GA9699@ares.tgcnet> (Tom G. Christensen's message
	of "Tue, 5 May 2009 19:26:37 +0200")
References: <20090504194530.GA30365@ares.tgcnet>
	<87skjjq36r.fsf@mocca.josefsson.org>
	<20090505152415.GA5223@ares.tgcnet>
	<87eiv3mutr.fsf@mocca.josefsson.org>
	<20090505172637.GA9699@ares.tgcnet>
Message-ID: <874ovylkxb.fsf@mocca.josefsson.org>

"Tom G. Christensen" <tgc at jupiterrise.com> writes:

>> Interesting.  Does adding this to the top of serv.c work:
>> 
>> #ifndef HAVE_IPV6
>> # define sockaddr_storage sockaddr_in
>> #endif
>> 
> This causes another error:
>
> gcc -std=gnu99 -DHAVE_CONFIG_H -I. -I..  -I../includes -I../includes
> -I../lgl -I../lgl -I../gl -I../gl -I./cfg -I/usr/tgcware/include
> -I/usr/tgcware/include -g -O2 -Wno-pointer-sign -MT serv.o -MD -MP -MF
> .deps/serv.Tpo -c -o serv.o serv.c
> serv.c: In function 'get_port':
> serv.c:789: error: 'const struct sockaddr_in' has no member named
> 'ss_family'
> make[3]: *** [serv.o] Error 1

Oops, try this instead:

#ifndef HAVE_IPV6
# define sockaddr_storage sockaddr
#endif

There is another more complex work around mentioned at the end of:

http://www.opengroup.org/onlinepubs/009695399/basedefs/sys/socket.h.html

Maybe the above won't work, and then maybe we need something like that.

/Simon




From Jeff.Cai at Sun.COM  Wed May  6 10:21:09 2009
From: Jeff.Cai at Sun.COM (Jeff Cai)
Date: Wed, 06 May 2009 16:21:09 +0800
Subject: Libtasn1 2.1
In-Reply-To: <878wlall4k.fsf@mocca.josefsson.org>
References: <87skk8xjyo.fsf@mocca.josefsson.org> <1241596019.2110.15.camel@par>
	<878wlall4k.fsf@mocca.josefsson.org>
Message-ID: <1241598069.2110.18.camel@par>

Thanks for your quick response.

Do you think that Makefile.am under lib also needs to be licensed to
LGPL?

Jeff


On Wed, 2009-05-06 at 09:56 +0200, Simon Josefsson wrote:
> Jeff Cai <Jeff.Cai at Sun.COM> writes:
> 
> > Simon,
> >
> > I also found that libtasn1.pc also licensed under GPLv3. It this true?
> >
> > A library of LGPL v2 lives with a .pc file with GPL v3? 
> 
> Hi.  I've re-licensed it to LGPLv2.1+, see:
> 
> http://git.savannah.gnu.org/cgit/libtasn1.git/commit/?id=009b6c20ffc0164189691b47ad5f172518b97169
> 
> /Simon





From simon at josefsson.org  Wed May  6 10:31:23 2009
From: simon at josefsson.org (Simon Josefsson)
Date: Wed, 06 May 2009 10:31:23 +0200
Subject: Libtasn1 2.1
In-Reply-To: <1241598069.2110.18.camel@par> (Jeff Cai's message of "Wed, 06
	May 2009 16:21:09 +0800")
References: <87skk8xjyo.fsf@mocca.josefsson.org>
	<1241596019.2110.15.camel@par> <878wlall4k.fsf@mocca.josefsson.org>
	<1241598069.2110.18.camel@par>
Message-ID: <87zldqk4ys.fsf@mocca.josefsson.org>

Jeff Cai <Jeff.Cai at Sun.COM> writes:

> Thanks for your quick response.
>
> Do you think that Makefile.am under lib also needs to be licensed to
> LGPL?

I don't think so, since it is not something that is include in the
installed software.  The GPLv3 Makefile.am is needed to build libtasn1,
but so is other GPLv3 tools (e.g., bison) so I don't see the difference.

/Simon




From tgc at jupiterrise.com  Wed May  6 19:34:28 2009
From: tgc at jupiterrise.com (Tom G. Christensen)
Date: Wed, 6 May 2009 19:34:28 +0200
Subject: GnuTLS 2.6.6/2.7.8 assumes AF_INET6 is available
In-Reply-To: <874ovylkxb.fsf@mocca.josefsson.org>
References: <20090504194530.GA30365@ares.tgcnet>
	<87skjjq36r.fsf@mocca.josefsson.org>
	<20090505152415.GA5223@ares.tgcnet>
	<87eiv3mutr.fsf@mocca.josefsson.org>
	<20090505172637.GA9699@ares.tgcnet>
	<874ovylkxb.fsf@mocca.josefsson.org>
Message-ID: <20090506173428.GA18697@ares.tgcnet>

On Wed, May 06, 2009 at 10:01:20AM +0200, Simon Josefsson wrote:
> "Tom G. Christensen" <tgc at jupiterrise.com> writes:
> 
> >> Interesting.  Does adding this to the top of serv.c work:
> >> 
> >> #ifndef HAVE_IPV6
> >> # define sockaddr_storage sockaddr_in
> >> #endif
> >> 
> > This causes another error:
> >
> > gcc -std=gnu99 -DHAVE_CONFIG_H -I. -I..  -I../includes -I../includes
> > -I../lgl -I../lgl -I../gl -I../gl -I./cfg -I/usr/tgcware/include
> > -I/usr/tgcware/include -g -O2 -Wno-pointer-sign -MT serv.o -MD -MP -MF
> > .deps/serv.Tpo -c -o serv.o serv.c
> > serv.c: In function 'get_port':
> > serv.c:789: error: 'const struct sockaddr_in' has no member named
> > 'ss_family'
> > make[3]: *** [serv.o] Error 1
> 
> Oops, try this instead:
> 
> #ifndef HAVE_IPV6
> # define sockaddr_storage sockaddr
> #endif
> 
> There is another more complex work around mentioned at the end of:
> 
> http://www.opengroup.org/onlinepubs/009695399/basedefs/sys/socket.h.html
> 
> Maybe the above won't work, and then maybe we need something like that.
> 
If I'm reading the referenced manpage correctly struct sockaddr is not
expected to have an ss_family member so the above define will not work
as is.
Instead I replaced the reference to ss_family with sa_family and now it
builds to completion.
I also ran the testsuite and it passes all tests.
The full log from running the testsuite is available at
http://jupiterrise.com/tmp

I noticed that the compiler complained when building some of the test
programs:
x509self.c: In function 'server_start':
x509self.c:360: warning: passing argument 4 of 'setsockopt' from
incompatible pointer type
x509self.c: In function 'server':
x509self.c:434: warning: implicit declaration of function 'bzero'
x509self.c:434: warning: incompatible implicit declaration of built-in
function 'bzero'

-tgc




From simon at josefsson.org  Thu May  7 14:31:38 2009
From: simon at josefsson.org (Simon Josefsson)
Date: Thu, 07 May 2009 14:31:38 +0200
Subject: GnuTLS 2.6.6/2.7.8 assumes AF_INET6 is available
In-Reply-To: <20090506173428.GA18697@ares.tgcnet> (Tom G. Christensen's
	message of "Wed, 6 May 2009 19:34:28 +0200")
References: <20090504194530.GA30365@ares.tgcnet>
	<87skjjq36r.fsf@mocca.josefsson.org>
	<20090505152415.GA5223@ares.tgcnet>
	<87eiv3mutr.fsf@mocca.josefsson.org>
	<20090505172637.GA9699@ares.tgcnet>
	<874ovylkxb.fsf@mocca.josefsson.org>
	<20090506173428.GA18697@ares.tgcnet>
Message-ID: <87iqkdccwl.fsf@mocca.josefsson.org>

"Tom G. Christensen" <tgc at jupiterrise.com> writes:

>> Oops, try this instead:
>> 
>> #ifndef HAVE_IPV6
>> # define sockaddr_storage sockaddr
>> #endif
>> 
>> There is another more complex work around mentioned at the end of:
>> 
>> http://www.opengroup.org/onlinepubs/009695399/basedefs/sys/socket.h.html
>> 
>> Maybe the above won't work, and then maybe we need something like that.
>> 
> If I'm reading the referenced manpage correctly struct sockaddr is not
> expected to have an ss_family member so the above define will not work
> as is.
> Instead I replaced the reference to ss_family with sa_family and now it
> builds to completion.

Ok, so adding the following to the top of src/serv.c works?

#define sockaddr_storage sockaddr
#define ss_family sa_family

I've applied the earlier more obvious patch to GnuTLS 2.6.x and GnuTLS
2.7.x, but the sockaddr_storage part needs to be solved properly -- via
gnulib.

> I also ran the testsuite and it passes all tests.
> The full log from running the testsuite is available at
> http://jupiterrise.com/tmp

Thanks!

> I noticed that the compiler complained when building some of the test
> programs:
> x509self.c: In function 'server_start':
> x509self.c:360: warning: passing argument 4 of 'setsockopt' from
> incompatible pointer type
> x509self.c: In function 'server':
> x509self.c:434: warning: implicit declaration of function 'bzero'
> x509self.c:434: warning: incompatible implicit declaration of built-in
> function 'bzero'

Thanks, both looks easily fixable.

/Simon




From tgc at jupiterrise.com  Thu May  7 19:06:08 2009
From: tgc at jupiterrise.com (Tom G. Christensen)
Date: Thu, 7 May 2009 19:06:08 +0200
Subject: GnuTLS 2.6.6/2.7.8 assumes AF_INET6 is available
In-Reply-To: <87iqkdccwl.fsf@mocca.josefsson.org>
References: <20090504194530.GA30365@ares.tgcnet>
	<87skjjq36r.fsf@mocca.josefsson.org>
	<20090505152415.GA5223@ares.tgcnet>
	<87eiv3mutr.fsf@mocca.josefsson.org>
	<20090505172637.GA9699@ares.tgcnet>
	<874ovylkxb.fsf@mocca.josefsson.org>
	<20090506173428.GA18697@ares.tgcnet>
	<87iqkdccwl.fsf@mocca.josefsson.org>
Message-ID: <20090507170608.GB32501@ares.tgcnet>

On Thu, May 07, 2009 at 02:31:38PM +0200, Simon Josefsson wrote:
> "Tom G. Christensen" <tgc at jupiterrise.com> writes:
> 
> Ok, so adding the following to the top of src/serv.c works?
> 
> #define sockaddr_storage sockaddr
> #define ss_family sa_family
> 
Yes.

> I've applied the earlier more obvious patch to GnuTLS 2.6.x and GnuTLS
> 2.7.x, but the sockaddr_storage part needs to be solved properly -- via
> gnulib.
> 
That sounds fine.

-tgc




From rpremuz at hera.hr  Thu May  7 16:53:03 2009
From: rpremuz at hera.hr (=?iso-8859-2?Q?Robert_Premu=BE?=)
Date: Thu, 7 May 2009 16:53:03 +0200
Subject: typos
Message-ID: <8FE2776E1E42344AA7A92E41FDDC803D76C2FC@dervdk.vred.local>

Hi!

On http://www.gnu.org/software/gnutls/openpgp.html
the following should be corrected:

exprerimental -> experimental

and

traditionaly -> traditionally 

Regards,

-- Robert Premu?




From simon at josefsson.org  Fri May  8 12:54:16 2009
From: simon at josefsson.org (Simon Josefsson)
Date: Fri, 08 May 2009 12:54:16 +0200
Subject: typos
In-Reply-To: <8FE2776E1E42344AA7A92E41FDDC803D76C2FC@dervdk.vred.local>
	("Robert =?iso-8859-2?Q?Premu=BE=22's?= message of "Thu, 7 May 2009
	16:53:03 +0200")
References: <8FE2776E1E42344AA7A92E41FDDC803D76C2FC@dervdk.vred.local>
Message-ID: <874ovvyief.fsf@mocca.josefsson.org>

Robert Premu? <rpremuz at hera.hr> writes:

> Hi!
>
> On http://www.gnu.org/software/gnutls/openpgp.html
> the following should be corrected:
>
> exprerimental -> experimental
>
> and
>
> traditionaly -> traditionally 

Hi.  Fixed, thank you!

/Simon




From simon at josefsson.org  Mon May 11 16:55:53 2009
From: simon at josefsson.org (Simon Josefsson)
Date: Mon, 11 May 2009 16:55:53 +0200
Subject: OpenBSD 4.4 gnutls-serv IPv6 Only Bug
In-Reply-To: <20090430175944.14170.qmail@wiredyne.com> (Peter Hendrickson's
	message of "30 Apr 2009 17:59:44 -0000")
References: <20090417061402.13985.qmail@wiredyne.com>
	<87ws9juxlm.fsf@mocca.josefsson.org>
	<20090417192332.GA5390@manyfish.co.uk>
	<87skjykkp3.fsf@mocca.josefsson.org>
	<20090430031525.3676.qmail@wiredyne.com>
	<87hc06bk8i.fsf@mocca.josefsson.org>
	<20090430175944.14170.qmail@wiredyne.com>
Message-ID: <87fxfbd6yu.fsf@mocca.josefsson.org>

Peter Hendrickson <pdh at wiredyne.com> writes:

> Simon Josefsson wrote:
>> > When bind() is called in listen_socket(), it is given two "res->"
>> > arguments, but it should be two "ptr->" arguments.  Otherwise it
>> > doesn't move to ptr->ai_next the second time through the for loop.
>> 
>> Oops.  Thanks, committed, please try the next daily snapshot.
>
> I'm not seeing the fix in the 20090430 snapshot.  I assume it will
> show up in tomorrow's snapshot.

Please try again.

/Simon




From simon at josefsson.org  Mon May 11 16:57:18 2009
From: simon at josefsson.org (Simon Josefsson)
Date: Mon, 11 May 2009 16:57:18 +0200
Subject: OpenBSD 4.4 gnutls-serv IPv6 Only Bug
In-Reply-To: <20090430135914.GA2034@manyfish.co.uk> (Joe Orton's message of
	"Thu, 30 Apr 2009 14:59:14 +0100")
References: <20090417061402.13985.qmail@wiredyne.com>
	<87ws9juxlm.fsf@mocca.josefsson.org>
	<20090417192332.GA5390@manyfish.co.uk>
	<87skjykkp3.fsf@mocca.josefsson.org>
	<20090430135914.GA2034@manyfish.co.uk>
Message-ID: <87bppzd6wh.fsf@mocca.josefsson.org>

Joe Orton <joe at manyfish.co.uk> writes:

> On Fri, Apr 24, 2009 at 07:47:36PM +0200, Simon Josefsson wrote:
>> I'm not sure what you mean with v6-mapped IPv4 addresses, though.  Is
>> there anything extra the code needs to do?
>
> I meant v4-mapped IPv6 addresses, not sure the inverse exists ;) You get 
> different behaviour on different platforms w.r.t. attempts to bind to 
> ::/port and 0.0.0.0/port for a given port, depending on whether
> v4-mapped IPv6 addresses are supported, and which order you attempt the 
> binds, etc.  For a test app it's probably sufficient to simply ignore 
> bind() errors and hope for the best.

Since we are changing how binding to sockets works, printing the error
may provide more debug information in case someone runs into a problem.
So I suggest we try the current code in GnuTLS 2.8.x and see if it
handles IPv4 and/or IPv6 properly on various platforms.

/Simon




From simon at josefsson.org  Mon May 11 18:53:22 2009
From: simon at josefsson.org (Simon Josefsson)
Date: Mon, 11 May 2009 18:53:22 +0200
Subject: gdoc replacement (was: Re: Default record version)
In-Reply-To: <49A8667D.6000608@gmx.net> (Martin von Gagern's message of "Fri, 
	27 Feb 2009 23:17:33 +0100")
References: <4997EB28.8090100@gmx.net> <49985133.4010508@gnutls.org>
	<49986DCC.3030102@gmx.net> <499FE4A1.3000805@gnutls.org>
	<499FF411.40009@gmx.net> <49A00856.1040707@gmx.net>
	<49A01C69.2000708@gnutls.org> <49A02932.6060306@gmx.net>
	<49A1166C.6000703@gnutls.org> <87wsbh2j31.fsf@mocca.josefsson.org>
	<49A32436.60503@gmx.net> <87k57c8ekl.fsf@mocca.josefsson.org>
	<49A8667D.6000608@gmx.net>
Message-ID: <87fxfbbmyl.fsf@mocca.josefsson.org>

Hi Martin.  I had finally time to look into this, and I believe I have
solved it in git master.  You can depend on the order things are
substituted: they seems to be done in ASCII order.  Your initial patch
seems to be the correct thing.  However, it changed the order of how the
substitutions were applied.  So rather than working around that problem
using your patch (which caused other problems) I modified your initial
regexp so that it does the same thing but is applied later.

I really prefer to stop messing with the gdoc script.  It should be
rewritten cleanly and added to gnulib.  Before doing that, it begs the
question why we don't abandon the GTK-DOC style and use the doxygen
format instead, which probably has conversion tools already.  I'm not
sure what the answer is.  I think the GTK-DOC HTML manual and
integration into the GNOME environment is a good thing.  But maybe that
can be achieved via doxygen anyway, through a conversion script?
Changing to doxygen instead of gtk-doc will require source-code changes,
too.

What do people generally think of GTK-DOC vs Doxygen?

/Simon




From simon at josefsson.org  Mon May 11 20:16:43 2009
From: simon at josefsson.org (Simon Josefsson)
Date: Mon, 11 May 2009 20:16:43 +0200
Subject: GnuTLS 2.7.9 - release candidate 1 of GnuTLS 2.8.0
Message-ID: <8763g7bj3o.fsf@mocca.josefsson.org>

To accelerate the GnuTLS 2.8.0 release, I've prepared a first release
candidate.  Please test this as if it were a new stable release.  If I
don't hear any complains about regressions compared to 2.6.x I will
release this as 2.8.0 in two weeks.

Here are the compressed sources:
  http://alpha.gnu.org/gnu/gnutls/gnutls-2.7.9.tar.bz2 (5.9MB)
  ftp://alpha.gnu.org/gnu/gnutls/gnutls-2.7.9.tar.bz2

Here is the OpenPGP signature:
  http://alpha.gnu.org/gnu/gnutls/gnutls-2.7.9.tar.bz2.sig
  ftp://alpha.gnu.org/gnu/gnutls/gnutls-2.7.9.tar.bz2.sig

The Windows binary installer and PGP signature:
  http://josefsson.org/gnutls4win/gnutls-2.7.9.exe (15MB)
  http://josefsson.org/gnutls4win/gnutls-2.7.9.exe.sig

A ZIP archive containing the Windows binaries:
  http://josefsson.org/gnutls4win/gnutls-2.7.9.zip (5.3MB)
  http://josefsson.org/gnutls4win/gnutls-2.7.9.zip.sig

A Debian mingw32 package is also available:
  http://josefsson.org/gnutls4win/mingw32-gnutls_2.7.9-1_all.deb (4.8MB)

Improving GnuTLS is costly, but you can help!  We are looking for
organizations that find GnuTLS useful and wish to contribute back.  You
can contribute by reporting bugs, improve the software, or donate money
or equipment.

Commercial support contracts for GnuTLS are available, and they help
finance continued maintenance.  Simon Josefsson Datakonsult AB, a
Stockholm based privately held company, is currently funding GnuTLS
maintenance.  We are always looking for interesting development
projects.  See http://josefsson.org/ for more details.

/Simon

* Version 2.7.9 (released 2009-05-11)

** doc: Fix strings in man page of gnutls_priority_init.

** doc: Fix tables of error codes and supported algorithms.

** Fix build failure when cross-compiled using MinGW.

** Fix build failure when LZO is enabled.
Reported by Arfrever Frehtes Taifersar Arahesis
<arfrever.fta at gmail.com> in
<http://permalink.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3522>.

** Fix build failure on systems without AF_INET6, e.g., Solaris 2.6.
Reported by "Tom G. Christensen" <tgc at jupiterrise.com> in
<http://thread.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3524>.

** Fix warnings in self-tests.

** API and ABI modifications:
No changes since last version.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 419 bytes
Desc: not available
URL: </pipermail/attachments/20090511/802a8d9a/attachment.pgp>

From pdh at wiredyne.com  Tue May 12 04:08:49 2009
From: pdh at wiredyne.com (Peter Hendrickson)
Date: 12 May 2009 02:08:49 -0000
Subject: OpenBSD 4.4 gnutls-serv IPv6 Only Bug
In-Reply-To: <87fxfbd6yu.fsf@mocca.josefsson.org> (message from Simon
	Josefsson on Mon, 11 May 2009 16:55:53 +0200)
References: <20090417061402.13985.qmail@wiredyne.com>
	<87ws9juxlm.fsf@mocca.josefsson.org>
	<20090417192332.GA5390@manyfish.co.uk>
	<87skjykkp3.fsf@mocca.josefsson.org>
	<20090430031525.3676.qmail@wiredyne.com>
	<87hc06bk8i.fsf@mocca.josefsson.org>
	<20090430175944.14170.qmail@wiredyne.com>
	<87fxfbd6yu.fsf@mocca.josefsson.org>
Message-ID: <20090512020849.4030.qmail@wiredyne.com>

Simon Josefsson wrote:
> Peter Hendrickson <pdh at wiredyne.com> writes:
> > Simon Josefsson wrote:
> >> > When bind() is called in listen_socket(), it is given two "res->"
> >> > arguments, but it should be two "ptr->" arguments.  Otherwise it
> >> > doesn't move to ptr->ai_next the second time through the for loop.
> >> 
> >> Oops.  Thanks, committed, please try the next daily snapshot.
> >
> > I'm not seeing the fix in the 20090430 snapshot.  I assume it will
> > show up in tomorrow's snapshot.

I checked the gnutls-20090512.tar.gz snapshot and it looks good.  Both
IPv4 and IPv6 ports are opened and the server correctly reports what
it is doing.  I tested IPv4 connections and it works.

Peter




From simon at josefsson.org  Tue May 12 08:09:22 2009
From: simon at josefsson.org (Simon Josefsson)
Date: Tue, 12 May 2009 08:09:22 +0200
Subject: OpenBSD 4.4 gnutls-serv IPv6 Only Bug
In-Reply-To: <20090512020849.4030.qmail@wiredyne.com> (Peter Hendrickson's
	message of "12 May 2009 02:08:49 -0000")
References: <20090417061402.13985.qmail@wiredyne.com>
	<87ws9juxlm.fsf@mocca.josefsson.org>
	<20090417192332.GA5390@manyfish.co.uk>
	<87skjykkp3.fsf@mocca.josefsson.org>
	<20090430031525.3676.qmail@wiredyne.com>
	<87hc06bk8i.fsf@mocca.josefsson.org>
	<20090430175944.14170.qmail@wiredyne.com>
	<87fxfbd6yu.fsf@mocca.josefsson.org>
	<20090512020849.4030.qmail@wiredyne.com>
Message-ID: <87vdo6am3x.fsf@mocca.josefsson.org>

Peter Hendrickson <pdh at wiredyne.com> writes:

> Simon Josefsson wrote:
>> Peter Hendrickson <pdh at wiredyne.com> writes:
>> > Simon Josefsson wrote:
>> >> > When bind() is called in listen_socket(), it is given two "res->"
>> >> > arguments, but it should be two "ptr->" arguments.  Otherwise it
>> >> > doesn't move to ptr->ai_next the second time through the for loop.
>> >> 
>> >> Oops.  Thanks, committed, please try the next daily snapshot.
>> >
>> > I'm not seeing the fix in the 20090430 snapshot.  I assume it will
>> > show up in tomorrow's snapshot.
>
> I checked the gnutls-20090512.tar.gz snapshot and it looks good.  Both
> IPv4 and IPv6 ports are opened and the server correctly reports what
> it is doing.  I tested IPv4 connections and it works.

Great!  Thanks for confirming.

/Simon




From nmav at gnutls.org  Tue May 12 21:05:30 2009
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Tue, 12 May 2009 22:05:30 +0300
Subject: gdoc replacement
In-Reply-To: <87fxfbbmyl.fsf@mocca.josefsson.org>
References: <4997EB28.8090100@gmx.net>
	<49985133.4010508@gnutls.org>	<49986DCC.3030102@gmx.net>
	<499FE4A1.3000805@gnutls.org>	<499FF411.40009@gmx.net>
	<49A00856.1040707@gmx.net>	<49A01C69.2000708@gnutls.org>
	<49A02932.6060306@gmx.net>	<49A1166C.6000703@gnutls.org>
	<87wsbh2j31.fsf@mocca.josefsson.org>	<49A32436.60503@gmx.net>
	<87k57c8ekl.fsf@mocca.josefsson.org>	<49A8667D.6000608@gmx.net>
	<87fxfbbmyl.fsf@mocca.josefsson.org>
Message-ID: <4A09C87A.6070802@gnutls.org>

Simon Josefsson wrote:
> Hi Martin.  I had finally time to look into this, and I believe I have
> solved it in git master.  You can depend on the order things are
> substituted: they seems to be done in ASCII order.  Your initial patch
> seems to be the correct thing.  However, it changed the order of how the
> substitutions were applied.  So rather than working around that problem
> using your patch (which caused other problems) I modified your initial
> regexp so that it does the same thing but is applied later.
> 
> I really prefer to stop messing with the gdoc script.  It should be
> rewritten cleanly and added to gnulib.  Before doing that, it begs the
> question why we don't abandon the GTK-DOC style and use the doxygen
> format instead, which probably has conversion tools already.  I'm not
> sure what the answer is.  I think the GTK-DOC HTML manual and
> integration into the GNOME environment is a good thing.  But maybe that
> can be achieved via doxygen anyway, through a conversion script?
> Changing to doxygen instead of gtk-doc will require source-code changes,
> too.
> What do people generally think of GTK-DOC vs Doxygen?

I used doxygen some time after I messed up with gdoc and I liked the
output. The only reason I didn't port gnutls to it was lack of time :)

best regards,
Nikos




From andrew.w.nosenko at gmail.com  Wed May 13 11:13:52 2009
From: andrew.w.nosenko at gmail.com (Andrew W. Nosenko)
Date: Wed, 13 May 2009 12:13:52 +0300
Subject: gdoc replacement
In-Reply-To: <4A09C87A.6070802@gnutls.org>
References: <4997EB28.8090100@gmx.net> <49A01C69.2000708@gnutls.org>
	<49A02932.6060306@gmx.net> <49A1166C.6000703@gnutls.org>
	<87wsbh2j31.fsf@mocca.josefsson.org> <49A32436.60503@gmx.net>
	<87k57c8ekl.fsf@mocca.josefsson.org> <49A8667D.6000608@gmx.net>
	<87fxfbbmyl.fsf@mocca.josefsson.org> <4A09C87A.6070802@gnutls.org>
Message-ID: <6161f3180905130213g575af903yaa39ceb76bea18e6@mail.gmail.com>

On Tue, May 12, 2009 at 10:05 PM, Nikos Mavrogiannopoulos
<nmav at gnutls.org> wrote:
> Simon Josefsson wrote:
>> Hi Martin. ?I had finally time to look into this, and I believe I have
>> solved it in git master. ?You can depend on the order things are
>> substituted: they seems to be done in ASCII order. ?Your initial patch
>> seems to be the correct thing. ?However, it changed the order of how the
>> substitutions were applied. ?So rather than working around that problem
>> using your patch (which caused other problems) I modified your initial
>> regexp so that it does the same thing but is applied later.
>>
>> I really prefer to stop messing with the gdoc script. ?It should be
>> rewritten cleanly and added to gnulib. ?Before doing that, it begs the
>> question why we don't abandon the GTK-DOC style and use the doxygen
>> format instead, which probably has conversion tools already. ?I'm not
>> sure what the answer is. ?I think the GTK-DOC HTML manual and
>> integration into the GNOME environment is a good thing. ?But maybe that
>> can be achieved via doxygen anyway, through a conversion script?
>> Changing to doxygen instead of gtk-doc will require source-code changes,
>> too.
>> What do people generally think of GTK-DOC vs Doxygen?
>
> I used doxygen some time after I messed up with gdoc and I liked the
> output. The only reason I didn't port gnutls to it was lack of time :)
>

The most important disadvantage of doxygen, from my personal point of
view, and the main reason why I stoped to use it is its inability to
integrate with devhelp.

-- 
Andrew W. Nosenko <andrew.w.nosenko at gmail.com>




From simon at josefsson.org  Wed May 13 19:31:11 2009
From: simon at josefsson.org (Simon Josefsson)
Date: Wed, 13 May 2009 19:31:11 +0200
Subject: GnuTLS 2.7.10 - release candidate 2 of GnuTLS 2.8.0
Message-ID: <87octwkizk.fsf@mocca.josefsson.org>

The GnuTLS 2.8.0 release is getting closer; no major problem has been
feedback in 2.7.9 so far.  This is a second release candidate.  Please
test this as if it were the new stable release.  If I don't hear any
complains about regressions compared to 2.6.x I will release this as
2.8.0 within two weeks.

Here are the compressed sources:
  http://alpha.gnu.org/gnu/gnutls/gnutls-2.7.10.tar.bz2 (5.9MB)
  ftp://alpha.gnu.org/gnu/gnutls/gnutls-2.7.10.tar.bz2

Here is the OpenPGP signature:
  http://alpha.gnu.org/gnu/gnutls/gnutls-2.7.10.tar.bz2.sig
  ftp://alpha.gnu.org/gnu/gnutls/gnutls-2.7.10.tar.bz2.sig

The Windows binary installer and PGP signature:
  http://josefsson.org/gnutls4win/gnutls-2.7.10.exe (15MB)
  http://josefsson.org/gnutls4win/gnutls-2.7.10.exe.sig

A ZIP archive containing the Windows binaries:
  http://josefsson.org/gnutls4win/gnutls-2.7.10.zip (5.3MB)
  http://josefsson.org/gnutls4win/gnutls-2.7.10.zip.sig

A Debian mingw32 package is also available:
  http://josefsson.org/gnutls4win/mingw32-gnutls_2.7.10-1_all.deb (4.8MB)

Improving GnuTLS is costly, but you can help!  We are looking for
organizations that find GnuTLS useful and wish to contribute back.  You
can contribute by reporting bugs, improve the software, or donate money
or equipment.

Commercial support contracts for GnuTLS are available, and they help
finance continued maintenance.  Simon Josefsson Datakonsult AB, a
Stockholm based privately held company, is currently funding GnuTLS
maintenance.  We are always looking for interesting development
projects.  See http://josefsson.org/ for more details.

/Simon

* Version 2.7.10 (released 2009-05-13)

** examples: Now released into the public domain.
This makes the license of the example code compatible with more
licenses, including the (L)GPL.

** minitasn1: Internal copy updated to libtasn1 v2.1.
GnuTLS should work fine with libtasn1 v1.x and that is still
supported.

** libgnutls: Fix crash in signature verification
The fix for the CVE-2009-1415 problem wasn't merged completely.

** doc: Fixes for GTK-DOC output.

** API and ABI modifications:
No changes since last version.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 419 bytes
Desc: not available
URL: </pipermail/attachments/20090513/cdf13e8d/attachment.pgp>

From tgc at jupiterrise.com  Wed May 13 21:05:38 2009
From: tgc at jupiterrise.com (Tom G. Christensen)
Date: Wed, 13 May 2009 21:05:38 +0200
Subject: GnuTLS 2.7.9 fails to build on Solaris 2.6
Message-ID: <20090513190538.GA18880@ares.tgcnet>

I've got a new build error on Solaris 2.6:

make[4]: Entering directory `/export/home/tgc/buildpkg/gnutls/src/gnutls-2.7.9/lib/minitasn1'
/bin/bash ../libtool --tag=CC   --mode=compile gcc -DHAVE_CONFIG_H -I. -I..  -I../lib -I../lgl -I../lgl -I/usr/tgcware/include  -g -O2 -MT decoding.lo -MD -MP -MF .deps/decoding.Tpo -c -o decoding.lo decoding.c
libtool: compile:  gcc -DHAVE_CONFIG_H -I. -I.. -I../lib -I../lgl -I../lgl -I/usr/tgcware/include -g -O2 -MT decoding.lo -MD -MP -MF .deps/decoding.Tpo -c decoding.c  -fPIC -DPIC -o .libs/decoding.o
In file included from decoding.c:29:
./int.h:34:20: error: stdint.h: No such file or directory
make[4]: *** [decoding.lo] Error 1
make[4]: Leaving directory `/export/home/tgc/buildpkg/gnutls/src/gnutls-2.7.9/lib/minitasn1'

Full log at
http://jupiterrise.com/tmp/gnutls-2.7.9-sunos56s-gcc433-build.log

-tgc




From ankush.vaid at tcs.com  Wed May 13 17:49:17 2009
From: ankush.vaid at tcs.com (Ankush Vaid)
Date: Wed, 13 May 2009 21:19:17 +0530
Subject: About gnutls windows handshake problem
Message-ID: <OF9B05F7B4.72694E8D-ON652575B5.0056E8C5-652575B5.0056E8DC@tcs.com>


Hi,

This is regarding handshaking failure on qualcomm mobile 6280 using
security, after digging into the problem I come to know about that error is
coming at finished message which is found of size 208 bytes.

There is link given below which suggest that some mobiles don't support non
minimal record padding.

http://www.gnu.org/software/gnutls/manual/html_node/On-Record-Padding.html

If this the case probably there is a workaround in gnutls library we are
using to resolve/fix this issue.

Thanks and Regards
Ankush Vaid
Tata Consultancy Services
TCS Towers, 249 D&E Udyog Vihar,
Phase IV,
Gurgaon
Gurgaon - 122001,Haryana
India
Cell:- 09718290491
Mailto: ankush.vaid at tcs.com
Website: http://www.tcs.com
____________________________________________
Experience certainty.   IT Services
                  Business Solutions
                  Outsourcing
____________________________________________

=====-----=====-----=====
Notice: The information contained in this e-mail
message and/or attachments to it may contain 
confidential or privileged information. If you are 
not the intended recipient, any dissemination, use, 
review, distribution, printing or copying of the 
information contained in this e-mail message 
and/or attachments to it are strictly prohibited. If 
you have received this communication in error, 
please notify us by reply e-mail or telephone and 
immediately and permanently delete the message 
and any attachments. Thank you







From nmav at gnutls.org  Thu May 14 06:23:45 2009
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Thu, 14 May 2009 07:23:45 +0300
Subject: About gnutls windows handshake problem
In-Reply-To: <OF9B05F7B4.72694E8D-ON652575B5.0056E8C5-652575B5.0056E8DC@tcs.com>
References: <OF9B05F7B4.72694E8D-ON652575B5.0056E8C5-652575B5.0056E8DC@tcs.com>
Message-ID: <4A0B9CD1.50000@gnutls.org>

Ankush Vaid wrote:
> Hi,
> 
> This is regarding handshaking failure on qualcomm mobile 6280 using
> security, after digging into the problem I come to know about that error is
> coming at finished message which is found of size 208 bytes.
> 
> There is link given below which suggest that some mobiles don't support non
> minimal record padding.
> 
> http://www.gnu.org/software/gnutls/manual/html_node/On-Record-Padding.html
> 
> If this the case probably there is a workaround in gnutls library we are
> using to resolve/fix this issue.

Hi,
 I do not understand what is the question here. If you ask for a
workaround this is discussed in the page you refer to (the %COMPAT
priority string).

regards,
Nikos




From simon at josefsson.org  Thu May 14 13:28:27 2009
From: simon at josefsson.org (Simon Josefsson)
Date: Thu, 14 May 2009 13:28:27 +0200
Subject: draft release announcement text
Message-ID: <87ab5fhqjo.fsf@mocca.josefsson.org>

I'm preparing the release announcement for 2.8.0.  Comments?

/Simon

We are proud to announce a new stable GnuTLS release: Version 2.8.0.

GnuTLS is a modern C library that implements the standard network
security protocol Transport Layer Security (TLS), for use by network
applications.  GnuTLS is developed for GNU/Linux, but works on many
Unix-like systems and comes with a binary installer for Windows.

The GnuTLS library is distributed under the terms of the GNU Lesser
General Public License version 2.1 (or later).  The "extra" GnuTLS
library (which contains TLS/IA support, LZO compression and Libgcrypt
FIPS-mode handler), the OpenSSL compatibility library, the self tests
and the command line tools are all distributed under the GNU General
Public License version 3.0 (or later).  The manual is distributed under
the GNU Free Documentation License version 1.3 (or later).

The project page of the library is available at:
  http://www.gnu.org/software/gnutls/

What's New
==========

Version 2.8.0 is the first stable release on the 2.8.x branch and is the
result of 7 months of work on the experimental 2.7.x branch.

** lib: Linker version scripts reduces number of exported symbols.
The linker version script now lists all exported ABIs explicitly, to
avoid accidentally exporting unintended functions.  Compared to
before, most symbols beginning with _gnutls* are no longer exported.
These functions have never been intended for use by applications, and
there were no prototypes for these function in the public header
files.  Thus we believe it is possible to do this without incrementing
the library ABI version which normally has to be done when removing an
interface.

** lib: Limit exported symbols on systems without LD linker scripts.
Before all symbols were exported.  Now we limit the exported symbols
to (for libgnutls and libgnutls-extra) gnutls* and (for libgnutls)
_gnutls*.  This is a superset of the actual supported ABI, but still
an improvement compared to before.  This is implemented using Libtool
-export-symbols-regex.  It is more portable than linker version
scripts.

** libgnutls: Fix namespace issue with version symbols.
The symbols LIBGNUTLS_VERSION, LIBGNUTLS_VERSION_MAJOR,
LIBGNUTLS_VERSION_MINOR, LIBGNUTLS_VERSION_PATCH, and
LIBGNUTLS_VERSION_NUMBER were renamed to GNUTLS_VERSION_NUMBER,
GNUTLS_VERSION_MAJOR, GNUTLS_VERSION_MINOR, GNUTLS_VERSION_PATCH, and
GNUTLS_VERSION_NUMBER respectively.  The old symbols will continue to
work but are deprecated.

** libgnutls: Add functions to verify a hash against a certificate.
gnutls_x509_crt_verify_hash: ADDED
gnutls_x509_crt_get_verify_algorithm: ADDED

** gnutls-serv: Listen on all interfaces, including both IPv4 and IPv6.

** i18n: The GnuTLS gettext domain is now 'libgnutls' instead of 'gnutls'.
It is currently only used by the core library.  This will enable a new
domain 'gnutls' for translations of the command line tools.

** certtool: Query for multiple dnsName subjectAltName in interactive mode.
This applies both to generating certificates and certificate requests.

** gnutls-cli: No longer accepts V1 CAs by default during X.509 chain verify.
Use --priority NORMAL:%VERIFY_ALLOW_X509_V1_CA_CRT to permit V1 CAs to
be used for chain verification.

** gnutls-serv: No longer disable MAC padding by default.
Use --priority NORMAL:%COMPAT to disable MAC padding again.

** gnutls-cli: Certificate information output format changed.
The tool now uses libgnutls' functions to print certificate
information.  This avoids code duplication.

** libgnutls: New priority strings %VERIFY_ALLOW_SIGN_RSA_MD5
** and %VERIFY_ALLOW_X509_V1_CA_CRT.
They can be used to override the default certificate chain validation
behaviour.

** libgnutls: gnutls_x509_crt_print prints signature algorithm in oneline mode.

** libgnutls: gnutls_openpgp_crt_print supports oneline mode.

** libgnutls: gnutls_handshake when sending client hello during a
rehandshake, will not offer a version number larger than the current.

** libgnutls: New interface to get key id for certificate requests.
gnutls_x509_crq_get_key_id: ADDED.

** libgnutls: gnutls_x509_crq_print will now also print public key id.

** certtool: --verify-chain now prints results of using library verification.
Earlier, certtool --verify-chain used its own validation algorithm
which wasn't guaranteed to give the same result as the libgnutls
internal validation algorithm.  Now this command print a new final
line with header 'Chain verification output:' that contains the result
from using the internal verification algorithm on the same chain.

** libgnutls: Libgcrypt initialization changed.
If libgcrypt has not already been initialized, GnuTLS will now
initialize libgcrypt with disabled secure memory.  Initialize
libgcrypt explicitly in your application if you want to enable secure
memory.  Before GnuTLS initialized libgcrypt to use GnuTLS's memory
allocation functions, which doesn't use secure memory, so there is no
real change in behaviour.

** libgnutls: Small byte reads via gnutls_record_recv() optimized.

** gnutls-cli: Return non-zero exit code on error conditions.

** gnutls-cli: Corrected bug which caused a rehandshake request to be ignored.

** certtool: allow setting arbitrary key purpose object identifiers.

** libgnutls: Change detection of when to use a linker version script.
Use --enable-ld-version-script or --disable-ld-version-script to
override auto-detection logic.

** Fix warnings and build GnuTLS with more warnings enabled.

** New API to set X.509 credentials from PKCS#12 memory structure.
gnutls_certificate_set_x509_simple_pkcs12_mem: ADDED

** Old libgnutls.m4 and libgnutls-config scripts removed.
Please use pkg-config instead.

** libgnutls: Added functions to handle CRL extensions.
gnutls_x509_crl_get_authority_key_id: ADDED
gnutls_x509_crl_get_number: ADDED
gnutls_x509_crl_get_extension_oid: ADDED
gnutls_x509_crl_get_extension_info: ADDED
gnutls_x509_crl_get_extension_data: ADDED
gnutls_x509_crl_set_authority_key_id: ADDED
gnutls_x509_crl_set_number: ADDED

** libgnutls: Added functions to handle X.509 extensions in Certificate
Requests.
gnutls_x509_crq_get_key_rsa_raw: ADDED
gnutls_x509_crq_get_attribute_info: ADDED
gnutls_x509_crq_get_attribute_data: ADDED
gnutls_x509_crq_get_extension_info: ADDED
gnutls_x509_crq_get_extension_data: ADDED
gnutls_x509_crq_get_key_usage: ADDED
gnutls_x509_crq_get_basic_constraints: ADDED
gnutls_x509_crq_get_subject_alt_name: ADDED
gnutls_x509_crq_get_subject_alt_othername_oid: ADDED
gnutls_x509_crq_get_extension_by_oid: ADDED
gnutls_x509_crq_set_subject_alt_name: ADDED
gnutls_x509_crq_set_basic_constraints: ADDED
gnutls_x509_crq_set_key_usage: ADDED
gnutls_x509_crq_get_key_purpose_oid: ADDED
gnutls_x509_crq_set_key_purpose_oid: ADDED
gnutls_x509_crq_print: ADDED
gnutls_x509_crt_set_crq_extensions: ADDED

** certtool: Print and set CRL and CRQ extensions.

** minitasn1: Internal copy updated to libtasn1 v2.1.
GnuTLS should work fine with libtasn1 v1.x and that is still
supported.

** examples: Now released into the public domain.
This makes the license of the example code compatible with more
licenses, including the (L)GPL.

** The Texinfo and GTK-DOC manuals were improved.

** Several self-tests were added and others improved.

API/ABI changes in GnuTLS 2.8
=============================

No functions have been removed or modified.  The library should be fully
backwards compatible on both the source and binary level.

Although the same patch has also been applied to the 2.6.x branch, we'd
like to remind you functions have been changed so that X.509 chain
verification now also checks activation/expiration times on
certificates.  The affected functions are:

gnutls_x509_crt_list_verify: CHANGED, checks activation/expiration times.
gnutls_certificate_verify_peers: Likewise.
gnutls_certificate_verify_peers2: Likewise.
GNUTLS_CERT_NOT_ACTIVATED: ADDED.
GNUTLS_CERT_EXPIRED: ADDED.
GNUTLS_VERIFY_DISABLE_TIME_CHECKS: ADDED.

The following functions or symbols have been added to the library or
header files:

gnutls_certificate_set_x509_simple_pkcs12_mem: ADDED
gnutls_x509_crt_verify_hash: ADDED
gnutls_x509_crt_get_verify_algorithm: ADDED
gnutls_x509_crl_get_authority_key_id: ADDED
gnutls_x509_crl_get_number: ADDED
gnutls_x509_crl_get_extension_oid: ADDED
gnutls_x509_crl_get_extension_info: ADDED
gnutls_x509_crl_get_extension_data: ADDED
gnutls_x509_crl_set_authority_key_id: ADDED
gnutls_x509_crl_set_number: ADDED
gnutls_x509_crq_get_key_rsa_raw: ADDED
gnutls_x509_crq_get_attribute_info: ADDED
gnutls_x509_crq_get_attribute_data: ADDED
gnutls_x509_crq_get_extension_info: ADDED
gnutls_x509_crq_get_extension_data: ADDED
gnutls_x509_crq_get_key_usage: ADDED
gnutls_x509_crq_get_basic_constraints: ADDED
gnutls_x509_crq_get_subject_alt_name: ADDED
gnutls_x509_crq_get_subject_alt_othername_oid: ADDED
gnutls_x509_crq_get_extension_by_oid: ADDED
gnutls_x509_crq_set_subject_alt_name: ADDED
gnutls_x509_crq_set_basic_constraints: ADDED
gnutls_x509_crq_set_key_usage: ADDED
gnutls_x509_crq_get_key_purpose_oid: ADDED
gnutls_x509_crq_set_key_purpose_oid: ADDED
gnutls_x509_crq_print: ADDED
gnutls_x509_crt_set_crq_extensions: ADDED
GNUTLS_VERSION: ADDED, replaces LIBGNUTLS_VERSION.
GNUTLS_VERSION_MAJOR: ADDED, replaces LIBGNUTLS_VERSION_MAJOR.
GNUTLS_VERSION_MINOR: ADDED, replaces LIBGNUTLS_VERSION_MINOR.
GNUTLS_VERSION_PATCH: ADDED, replaces LIBGNUTLS_VERSION_PATCH.
GNUTLS_VERSION_NUMBER: ADDED, replaces LIBGNUTLS_VERSION_NUMBER.

The following symbols have been deprecated:

LIBGNUTLS_VERSION: DEPRECATED.
LIBGNUTLS_VERSION_MAJOR: DEPRECATED.
LIBGNUTLS_VERSION_MINOR: DEPRECATED.
LIBGNUTLS_VERSION_PATCH: DEPRECATED.
LIBGNUTLS_VERSION_NUMBER: DEPRECATED.

Getting the Software
====================

GnuTLS may be downloaded from one of the mirror sites or direct from
<ftp://ftp.gnu.org/gnu/gnutls/>.  The list of mirrors can be found at
<http://www.gnu.org/software/gnutls/download.html>.

Here are the BZIP2 compressed sources (4.9MB):

  ftp://ftp.gnu.org/gnu/gnutls/gnutls-2.8.0.tar.bz2
  http://ftp.gnu.org/gnu/gnutls/gnutls-2.8.0.tar.bz2

Here are OpenPGP detached signatures signed using key 0xB565716F:

  ftp://ftp.gnu.org/gnu/gnutls/gnutls-2.8.0.tar.bz2.sig
  http://ftp.gnu.org/gnu/gnutls/gnutls-2.8.0.tar.bz2.sig

Note, that we don't distribute gzip compressed tarballs.

In order to check that the version of GnuTLS which you are going to
install is an original and unmodified one, you should verify the OpenPGP
signature.  You can use the command

     gpg --verify gnutls-2.8.0.tar.bz2.sig

This checks whether the signature file matches the source file.  You
should see a message indicating that the signature is good and made by
that signing key.  Make sure that you have the right key, either by
checking the fingerprint of that key with other sources or by checking
that the key has been signed by a trustworthy other key.  The signing
key can be identified with the following information:

pub   1280R/B565716F 2002-05-05 [expires: 2010-04-21]
      Key fingerprint = 0424 D4EE 81A0 E3D1 19C6  F835 EDA2 1E94 B565 716F
uid                  Simon Josefsson <simon at josefsson.org>
uid                  Simon Josefsson <jas at extundo.com>
sub   1280R/4D5D40AE 2002-05-05 [expires: 2010-04-21]

The key is available from:
  http://josefsson.org/key.txt
  dns:b565716f.josefsson.org?TYPE=CERT

Alternatively, after successfully verifying the OpenPGP signature of
this announcement, you could verify that the files match the following
checksum values.  The values are for SHA-1 and SHA-224 respectively:

d1693e611aa7270f14bc500bd56ef529ffcb1703  gnutls-2.6.6.tar.bz2

5e5bc180293b0854b7e8c27a5eb55f172579b346fba61b2d4b0b0c61  gnutls-2.6.6.tar.bz2

Documentation
=============

The manual is available online at:

  http://www.gnu.org/software/gnutls/documentation.html

In particular the following formats are available:

 HTML: http://www.gnu.org/software/gnutls/manual/html_node/index.html
 PDF: http://www.gnu.org/software/gnutls/manual/gnutls.pdf

For developers there is a GnuTLS API reference manual formatted using
the GTK-DOC tools:

  http://www.gnu.org/software/gnutls/reference/gnutls-gnutls.html

Community
=========

If you need help to use GnuTLS, or want to help others, you are invited
to join our help-gnutls mailing list, see:

  http://lists.gnu.org/mailman/listinfo/help-gnutls

If you wish to participate in the development of GnuTLS, you are invited
to join our gnutls-dev mailing list, see:

  http://lists.gnu.org/mailman/listinfo/gnutls-devel

Windows installer
=================

GnuTLS has been ported to the Windows operating system, and a binary
installer is available.  The installer contains DLLs for application
development, manuals, examples, and source code.  The installer uses
libgpg-error v1.7, libgcrypt v1.4.4, libtasn1 v2.1, and GnuTLS v2.8.0.

For more information about GnuTLS for Windows:
  http://josefsson.org/gnutls4win/

The Windows binary installer and PGP signature:
  http://josefsson.org/gnutls4win/gnutls-2.8.0.exe (15MB)
  http://josefsson.org/gnutls4win/gnutls-2.8.0.exe.sig

The checksum values for SHA-1 and SHA-224 are:

8a86a846cbdc16b6c21442c706854a5c02416336  gnutls-2.6.6.exe

555afa0c1524d8ad05a12384e1bd1b09da720b03058f0089dc812cfc  gnutls-2.6.6.exe

A ZIP archive containing the Windows binaries:
  http://josefsson.org/gnutls4win/gnutls-2.8.0.zip (5.3MB)
  http://josefsson.org/gnutls4win/gnutls-2.8.0.zip.sig

A Debian mingw32 package is also available:
  http://josefsson.org/gnutls4win/mingw32-gnutls_2.7.10-1_all.deb (4.8MB)

The checksum values for SHA-1 and SHA-224 are:

b141f97c196d408bf12b8a58ede6bda8fb291be6  mingw32-gnutls_2.6.6-1_all.deb

541e2fca8248460b419e2224a138b292020de1724c86c77b9478da93  mingw32-gnutls_2.6.6-1_all.deb

Internationalization
====================

The GnuTLS library messages have been translated into Czech, Dutch,
French, German, Malay, Polish, Swedish, and Vietnamese.  We welcome the
addition of more translations.

Support
=======

Improving GnuTLS is costly, but you can help!  We are looking for
organizations that find GnuTLS useful and wish to contribute back.  You
can contribute by reporting bugs, improve the software, or donate money
or equipment.

Commercial support contracts for GnuTLS are available, and they help
finance continued maintenance.  Simon Josefsson Datakonsult AB, a
Stockholm based privately held company, is currently funding GnuTLS
maintenance.  We are always looking for interesting development
projects.  See http://josefsson.org/ for more details.

The GnuTLS service directory is available at:

  http://www.gnu.org/software/gnutls/commercial.html

Happy Hacking,
Simon




From simon at josefsson.org  Thu May 14 13:34:39 2009
From: simon at josefsson.org (Simon Josefsson)
Date: Thu, 14 May 2009 13:34:39 +0200
Subject: GnuTLS 2.7.9 fails to build on Solaris 2.6
In-Reply-To: <20090513190538.GA18880@ares.tgcnet> (Tom G. Christensen's
	message of "Wed, 13 May 2009 21:05:38 +0200")
References: <20090513190538.GA18880@ares.tgcnet>
Message-ID: <8763g3hq9c.fsf@mocca.josefsson.org>

"Tom G. Christensen" <tgc at jupiterrise.com> writes:

> I've got a new build error on Solaris 2.6:

Thanks, should be fixed in git master now.  Please try a daily snapshot,
a new one should be ready in a few hours.

/Simon




From simon at josefsson.org  Thu May 14 15:15:53 2009
From: simon at josefsson.org (Simon Josefsson)
Date: Thu, 14 May 2009 15:15:53 +0200
Subject: How to send in build logs
In-Reply-To: <20090513190538.GA18880@ares.tgcnet> (Tom G. Christensen's
	message of "Wed, 13 May 2009 21:05:38 +0200")
References: <20090513190538.GA18880@ares.tgcnet>
Message-ID: <87tz3ng706.fsf@mocca.josefsson.org>

"Tom G. Christensen" <tgc at jupiterrise.com> writes:

> Full log at
> http://jupiterrise.com/tmp/gnutls-2.7.9-sunos56s-gcc433-build.log

Btw, if you e-mail that log to gnutls at autobuild.josefsson.org it will
end up on this page:

http://autobuild.josefsson.org/gnutls/

I regularly monitor that page for errors.  So if you want to make sure
GnuTLS remains buildable on Solaris 2.6, and don't want to manually
build it every time, consider setting up a script to download and build
the daily snapshots, and e-mail the result.  I'm using this script on
some systems:

http://git.josefsson.org/cgi-bin/gitweb.cgi?p=tools.git;a=blob;f=scripts/daily-build-simple;hb=HEAD

Of course this applies to anyone that wants to help improving build
quality of GnuTLS for any platform.

/Simon




From simon at josefsson.org  Thu May 14 15:10:35 2009
From: simon at josefsson.org (Simon Josefsson)
Date: Thu, 14 May 2009 15:10:35 +0200
Subject: About gnutls windows handshake problem
In-Reply-To: <4A0B9CD1.50000@gnutls.org> (Nikos Mavrogiannopoulos's message of
	"Thu, 14 May 2009 07:23:45 +0300")
References: <OF9B05F7B4.72694E8D-ON652575B5.0056E8C5-652575B5.0056E8DC@tcs.com>
	<4A0B9CD1.50000@gnutls.org>
Message-ID: <871vqrhltg.fsf@mocca.josefsson.org>

Nikos Mavrogiannopoulos <nmav at gnutls.org> writes:

> Ankush Vaid wrote:
>> Hi,
>> 
>> This is regarding handshaking failure on qualcomm mobile 6280 using
>> security, after digging into the problem I come to know about that error is
>> coming at finished message which is found of size 208 bytes.
>> 
>> There is link given below which suggest that some mobiles don't support non
>> minimal record padding.
>> 
>> http://www.gnu.org/software/gnutls/manual/html_node/On-Record-Padding.html
>> 
>> If this the case probably there is a workaround in gnutls library we are
>> using to resolve/fix this issue.
>
> Hi,
>  I do not understand what is the question here. If you ask for a
> workaround this is discussed in the page you refer to (the %COMPAT
> priority string).

Indeed %COMPAT seems like the answer.  However, isn't that keyword
confusing?  How about adding %DISABLE_MAC_PADDING?  Today those two
keywords would do the same, but if we encounter other compatibility
hacks, %COMPAT would also enable them, but %DISABLE_MAC_PADDING would
only disable MAC padding.  It seems better to introduce this today
rather than when the next compatibility hack is introduced.

/Simon




From ametzler at downhill.at.eu.org  Thu May 14 19:47:29 2009
From: ametzler at downhill.at.eu.org (Andreas Metzler)
Date: Thu, 14 May 2009 19:47:29 +0200
Subject: GnuTLS 2.7.10 - release candidate 2 of GnuTLS 2.8.0
In-Reply-To: <87octwkizk.fsf@mocca.josefsson.org>
References: <87octwkizk.fsf@mocca.josefsson.org>
Message-ID: <20090514174729.GA3585@downhill.g.la>

On 2009-05-13 Simon Josefsson <simon at josefsson.org> wrote:
> The GnuTLS 2.8.0 release is getting closer; no major problem has been
> feedback in 2.7.9 so far.  This is a second release candidate.  Please
> test this as if it were the new stable release.  If I don't hear any
> complains about regressions compared to 2.6.x I will release this as
> 2.8.0 within two weeks.

It fails to configure if --disable-cxx is set:
[...]
checking for shutdown... (cached) yes
configure: error: conditional "am__fastdepCXX" was never defined.
Usually this means the macro was only invoked conditionally.
configure: error: ./configure failed for lib
[...]

cu andreas

-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'




From tgc at jupiterrise.com  Thu May 14 20:49:52 2009
From: tgc at jupiterrise.com (Tom G. Christensen)
Date: Thu, 14 May 2009 20:49:52 +0200
Subject: GnuTLS 2.7.9 fails to build on Solaris 2.6
In-Reply-To: <8763g3hq9c.fsf@mocca.josefsson.org>
References: <20090513190538.GA18880@ares.tgcnet>
	<8763g3hq9c.fsf@mocca.josefsson.org>
Message-ID: <20090514184952.GA803@ares.tgcnet>

On Thu, May 14, 2009 at 01:34:39PM +0200, Simon Josefsson wrote:
> "Tom G. Christensen" <tgc at jupiterrise.com> writes:
> 
> > I've got a new build error on Solaris 2.6:
> 
> Thanks, should be fixed in git master now.  Please try a daily snapshot,
> a new one should be ready in a few hours.
> 
With gnutls-20090514 it gets past the previous point only to fail later:

make[5]: Entering directory
`/export/home/tgc/buildpkg/gnutls/src/gnutls-2.7.11/libextra/gl'
/bin/bash ../libtool --tag=CC   --mode=compile gcc -DHAVE_CONFIG_H -I.
-I..  -I../lgl -I../lgl -I/usr/tgcware/include  -g -O2 -MT hmac-md5.lo
-MD -MP -MF .deps/hmac-md5.Tpo -c -o hmac-md5.lo hmac-md5.c
libtool: compile:  gcc -DHAVE_CONFIG_H -I. -I.. -I../lgl -I../lgl
-I/usr/tgcware/include -g -O2 -MT hmac-md5.lo -MD -MP -MF
.deps/hmac-md5.Tpo -c hmac-md5.c  -fPIC -DPIC -o .libs/hmac-md5.o
In file included from hmac-md5.c:25:
md5.h:25:20: error: stdint.h: No such file or directory
In file included from hmac-md5.c:25:
md5.h:60: error: expected specifier-qualifier-list before 'uint32_t'
make[5]: *** [hmac-md5.lo] Error 1
make[5]: Leaving directory
`/export/home/tgc/buildpkg/gnutls/src/gnutls-2.7.11/libextra/gl'


-tgc




From ametzler at downhill.at.eu.org  Fri May 15 20:13:27 2009
From: ametzler at downhill.at.eu.org (Andreas Metzler)
Date: Fri, 15 May 2009 20:13:27 +0200
Subject: GnuTLS 2.7.10 - release candidate 2 of GnuTLS 2.8.0
In-Reply-To: <20090514174729.GA3585@downhill.g.la>
References: <87octwkizk.fsf@mocca.josefsson.org>
	<20090514174729.GA3585@downhill.g.la>
Message-ID: <20090515181326.GA3768@downhill.g.la>

On 2009-05-14 Andreas Metzler <ametzler at downhill.at.eu.org> wrote:
> On 2009-05-13 Simon Josefsson <simon at josefsson.org> wrote:
> > The GnuTLS 2.8.0 release is getting closer; no major problem has been
> > feedback in 2.7.9 so far.  This is a second release candidate.  Please
> > test this as if it were the new stable release.  If I don't hear any
> > complains about regressions compared to 2.6.x I will release this as
> > 2.8.0 within two weeks.

> It fails to configure if --disable-cxx is set:
> [...]
> checking for shutdown... (cached) yes
> configure: error: conditional "am__fastdepCXX" was never defined.
> Usually this means the macro was only invoked conditionally.
> configure: error: ./configure failed for lib
> [...]

> cu andreas

This seems to be the culprit:

./lib/configure.ac--------------------
# Finish things from ../configure.ac.
AC_SUBST([WARN_CFLAGS])
AM_CONDITIONAL(ENABLE_CXX, test "$use_cxx" != "no")
if test "$use_cxx" != "no"; then
  AC_PROG_CXX
fi
-------------------------------------

Running AC_PROG_CXX no matter whether $use_cxx was set makes the error
go away.[1] I have not got a system without C++ compiler, so I
cannot say whether this would break compilation there.

cu andreas

[1] No idea why
AS_IF([test "$use_cxx" != "no"],
  [AC_PROG_CXX])
seems to also run the test unconditionally.

-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'




From simon at josefsson.org  Sat May 16 16:27:14 2009
From: simon at josefsson.org (Simon Josefsson)
Date: Sat, 16 May 2009 16:27:14 +0200
Subject: GnuTLS 2.7.9 fails to build on Solaris 2.6
In-Reply-To: <20090514184952.GA803@ares.tgcnet> (Tom G. Christensen's message
	of "Thu, 14 May 2009 20:49:52 +0200")
References: <20090513190538.GA18880@ares.tgcnet>
	<8763g3hq9c.fsf@mocca.josefsson.org>
	<20090514184952.GA803@ares.tgcnet>
Message-ID: <87k54hktrx.fsf@mocca.josefsson.org>

"Tom G. Christensen" <tgc at jupiterrise.com> writes:

> On Thu, May 14, 2009 at 01:34:39PM +0200, Simon Josefsson wrote:
>> "Tom G. Christensen" <tgc at jupiterrise.com> writes:
>> 
>> > I've got a new build error on Solaris 2.6:
>> 
>> Thanks, should be fixed in git master now.  Please try a daily snapshot,
>> a new one should be ready in a few hours.
>> 
> With gnutls-20090514 it gets past the previous point only to fail later:
>
> make[5]: Entering directory
> `/export/home/tgc/buildpkg/gnutls/src/gnutls-2.7.11/libextra/gl'
> /bin/bash ../libtool --tag=CC   --mode=compile gcc -DHAVE_CONFIG_H -I.
> -I..  -I../lgl -I../lgl -I/usr/tgcware/include  -g -O2 -MT hmac-md5.lo
> -MD -MP -MF .deps/hmac-md5.Tpo -c -o hmac-md5.lo hmac-md5.c
> libtool: compile:  gcc -DHAVE_CONFIG_H -I. -I.. -I../lgl -I../lgl
> -I/usr/tgcware/include -g -O2 -MT hmac-md5.lo -MD -MP -MF
> .deps/hmac-md5.Tpo -c hmac-md5.c  -fPIC -DPIC -o .libs/hmac-md5.o
> In file included from hmac-md5.c:25:
> md5.h:25:20: error: stdint.h: No such file or directory

Thanks.  Variation on the same problem as before actually.  Should be
fixed now.  I looked for other occurrences of the same problem, but I
didn't find any.

/Simon




From simon at josefsson.org  Sun May 17 10:42:03 2009
From: simon at josefsson.org (Simon Josefsson)
Date: Sun, 17 May 2009 10:42:03 +0200
Subject: GnuTLS 2.7.10 - release candidate 2 of GnuTLS 2.8.0
In-Reply-To: <20090515181326.GA3768@downhill.g.la> (Andreas Metzler's message
	of "Fri, 15 May 2009 20:13:27 +0200")
References: <87octwkizk.fsf@mocca.josefsson.org>
	<20090514174729.GA3585@downhill.g.la>
	<20090515181326.GA3768@downhill.g.la>
Message-ID: <871vqoglyc.fsf@mocca.josefsson.org>

Andreas Metzler <ametzler at downhill.at.eu.org> writes:

> On 2009-05-14 Andreas Metzler <ametzler at downhill.at.eu.org> wrote:
>> On 2009-05-13 Simon Josefsson <simon at josefsson.org> wrote:
>> > The GnuTLS 2.8.0 release is getting closer; no major problem has been
>> > feedback in 2.7.9 so far.  This is a second release candidate.  Please
>> > test this as if it were the new stable release.  If I don't hear any
>> > complains about regressions compared to 2.6.x I will release this as
>> > 2.8.0 within two weeks.
>
>> It fails to configure if --disable-cxx is set:
>> [...]
>> checking for shutdown... (cached) yes
>> configure: error: conditional "am__fastdepCXX" was never defined.
>> Usually this means the macro was only invoked conditionally.
>> configure: error: ./configure failed for lib
>> [...]
>
>> cu andreas
>
> This seems to be the culprit:
>
> ./lib/configure.ac--------------------
> # Finish things from ../configure.ac.
> AC_SUBST([WARN_CFLAGS])
> AM_CONDITIONAL(ENABLE_CXX, test "$use_cxx" != "no")
> if test "$use_cxx" != "no"; then
>   AC_PROG_CXX
> fi
> -------------------------------------
>
> Running AC_PROG_CXX no matter whether $use_cxx was set makes the error
> go away.[1] I have not got a system without C++ compiler, so I
> cannot say whether this would break compilation there.

We've switched back and forth on this:

http://git.savannah.gnu.org/cgit/gnutls.git/commit/?id=e0ed8d655f76b1a856773ed2d5b4155d1d840211
https://savannah.gnu.org/support/?106542

I was able to reproduce your problem. This suggests that AC_PROG_CXX
really cannot be invoked optionally.

I have pushed a patch now:
http://git.savannah.gnu.org/gitweb/?p=gnutls.git;a=commitdiff;h=4f155e7109699fdf98683549e48142f018f6546e

Looking through the original 106542 bug report, I'm unsure what the real
problem was.  Detecting g++ but never using it does not hurt anything
(except a tiny performance price), as far as I understand.  Daniel, can
you test tomorrow's daily snapshot and see if it works for you?  It
seems clear now that we cannot run AC_PROG_CXX conditionally, so if this
patch does not work for you we need to solve your problem in some other
way.

We'll need another release candidate, I'll prepare it tomorrow.

/Simon




From tgc at jupiterrise.com  Sun May 17 12:16:44 2009
From: tgc at jupiterrise.com (Tom G. Christensen)
Date: Sun, 17 May 2009 12:16:44 +0200
Subject: GnuTLS 2.7.9 fails to build on Solaris 2.6
In-Reply-To: <87k54hktrx.fsf@mocca.josefsson.org>
References: <20090513190538.GA18880@ares.tgcnet>
	<8763g3hq9c.fsf@mocca.josefsson.org>
	<20090514184952.GA803@ares.tgcnet>
	<87k54hktrx.fsf@mocca.josefsson.org>
Message-ID: <20090517101644.GA28643@ares.tgcnet>

On Sat, May 16, 2009 at 04:27:14PM +0200, Simon Josefsson wrote:
> Thanks.  Variation on the same problem as before actually.  Should be
> fixed now.  I looked for other occurrences of the same problem, but I
> didn't find any.
> 
I'm still not able to complete the build.
I've sent the full log to your autobuild service but these are the two
problems I see:

serv.c: In function 'listen_socket':
serv.c:650: error: 'NI_MAXHOST' undeclared (first use in this function)
serv.c:650: error: (Each undeclared identifier is reported only once
serv.c:650: error: for each function it appears in.)
serv.c:650: error: 'NI_MAXSERV' undeclared (first use in this function)
serv.c:650: warning: unused variable 'service' [-Wunused-variable]
serv.c:650: warning: unused variable 'host' [-Wunused-variable]
make[3]: *** [serv.o] Error 1

And this:

ld: warning: file
/export/home/tgc/tmp/daily-build/gnutls/gnutls-2.7.11/lib/.libs/libgnutls.so:
linked to ../lib/.libs/libgnutls.so: attempted multiple inclusion of
file
Undefined                       first referenced
 symbol                             in file
 gethostbyname                       ../gl/.libs/libgnu.a(getaddrinfo.o)
 (symbol belongs to implicit dependency /usr/lib/libnsl.so.1)
 ld: fatal: Symbol referencing errors. No output written to
 .libs/gnutls-cli
 collect2: ld returned 1 exit status
 make[3]: *** [gnutls-cli] Error 1


-tgc




From dragonheart at gentoo.org  Mon May 18 04:45:53 2009
From: dragonheart at gentoo.org (Daniel Black)
Date: Mon, 18 May 2009 12:45:53 +1000
Subject: GnuTLS 2.7.10 - release candidate 2 of GnuTLS 2.8.0
In-Reply-To: <871vqoglyc.fsf@mocca.josefsson.org>
References: <87octwkizk.fsf@mocca.josefsson.org>
	<20090515181326.GA3768@downhill.g.la>
	<871vqoglyc.fsf@mocca.josefsson.org>
Message-ID: <200905181245.56068.dragonheart@gentoo.org>

Folks,

>Looking through the original 106542 bug report, I'm unsure what the real
>problem was.

was more building on embedded machines without a g++ compiler.

>Detecting g++ but never using it does not hurt anything
>(except a tiny performance price), as far as I understand.  Daniel, can
>you test tomorrow's daily snapshot and see if it works for you?

gnutls-20090518

well it configures ok unless I don't have g++ installed which I do admit is an edge case.

>It
>seems clear now that we cannot run AC_PROG_CXX conditionally,

Did you see this patch? is seems to account for the 
"configure: error: conditional "am__fastdepCXX" was never defined.:"
error by defining it.
from:
https://savannah.gnu.org/support/?106542#comment3
patch:
https://savannah.gnu.org:443/file/gnutls-2.6.0-cxx-configure.in.patch?file_id=17234

>so if this
>patch does not work for you we need to solve your problem in some other
>way.
>
>We'll need another release candidate, I'll prepare it tomorrow.

Daniel




From simon at josefsson.org  Mon May 18 11:12:07 2009
From: simon at josefsson.org (Simon Josefsson)
Date: Mon, 18 May 2009 11:12:07 +0200
Subject: GnuTLS 2.7.10 - release candidate 2 of GnuTLS 2.8.0
In-Reply-To: <200905181245.56068.dragonheart@gentoo.org> (Daniel Black's
	message of "Mon, 18 May 2009 12:45:53 +1000")
References: <87octwkizk.fsf@mocca.josefsson.org>
	<20090515181326.GA3768@downhill.g.la>
	<871vqoglyc.fsf@mocca.josefsson.org>
	<200905181245.56068.dragonheart@gentoo.org>
Message-ID: <873ab2rd08.fsf@mocca.josefsson.org>

Daniel Black <dragonheart at gentoo.org> writes:

> Folks,
>
>>Looking through the original 106542 bug report, I'm unsure what the real
>>problem was.
>
> was more building on embedded machines without a g++ compiler.
>
>>Detecting g++ but never using it does not hurt anything
>>(except a tiny performance price), as far as I understand.  Daniel, can
>>you test tomorrow's daily snapshot and see if it works for you?
>
> gnutls-20090518
>
> well it configures ok unless I don't have g++ installed which I do
> admit is an edge case.

What happens if you don't have g++ installed?  As far as I could tell,
AM_PROG_CXX should not fail in this situation, so building should work.
Isn't this the case?

>>It
>>seems clear now that we cannot run AC_PROG_CXX conditionally,
>
> Did you see this patch? is seems to account for the 
> "configure: error: conditional "am__fastdepCXX" was never defined.:"
> error by defining it.
> from:
> https://savannah.gnu.org/support/?106542#comment3
> patch:
> https://savannah.gnu.org:443/file/gnutls-2.6.0-cxx-configure.in.patch?file_id=17234

That relies on internal magic in automake, so that's not something I'd
want to integrate.  I can try to come up with something better, or
report it as an automake bug, if I can understand better what the real
problem is (see above).

/Simon




From simon at josefsson.org  Mon May 18 14:58:18 2009
From: simon at josefsson.org (Simon Josefsson)
Date: Mon, 18 May 2009 14:58:18 +0200
Subject: GnuTLS 2.7.9 fails to build on Solaris 2.6
In-Reply-To: <20090517101644.GA28643@ares.tgcnet> (Tom G. Christensen's
	message of "Sun, 17 May 2009 12:16:44 +0200")
References: <20090513190538.GA18880@ares.tgcnet>
	<8763g3hq9c.fsf@mocca.josefsson.org>
	<20090514184952.GA803@ares.tgcnet>
	<87k54hktrx.fsf@mocca.josefsson.org>
	<20090517101644.GA28643@ares.tgcnet>
Message-ID: <871vqmpnyt.fsf@mocca.josefsson.org>

"Tom G. Christensen" <tgc at jupiterrise.com> writes:

> On Sat, May 16, 2009 at 04:27:14PM +0200, Simon Josefsson wrote:
>> Thanks.  Variation on the same problem as before actually.  Should be
>> fixed now.  I looked for other occurrences of the same problem, but I
>> didn't find any.
>> 
> I'm still not able to complete the build.
> I've sent the full log to your autobuild service but these are the two
> problems I see:
>
> serv.c: In function 'listen_socket':
> serv.c:650: error: 'NI_MAXHOST' undeclared (first use in this function)
> serv.c:650: error: (Each undeclared identifier is reported only once
> serv.c:650: error: for each function it appears in.)
> serv.c:650: error: 'NI_MAXSERV' undeclared (first use in this function)
> serv.c:650: warning: unused variable 'service' [-Wunused-variable]
> serv.c:650: warning: unused variable 'host' [-Wunused-variable]
> make[3]: *** [serv.o] Error 1
>
> And this:
>
> ld: warning: file
> /export/home/tgc/tmp/daily-build/gnutls/gnutls-2.7.11/lib/.libs/libgnutls.so:
> linked to ../lib/.libs/libgnutls.so: attempted multiple inclusion of
> file
> Undefined                       first referenced
>  symbol                             in file
>  gethostbyname                       ../gl/.libs/libgnu.a(getaddrinfo.o)
>  (symbol belongs to implicit dependency /usr/lib/libnsl.so.1)
>  ld: fatal: Symbol referencing errors. No output written to
>  .libs/gnutls-cli
>  collect2: ld returned 1 exit status
>  make[3]: *** [gnutls-cli] Error 1

Both should be fixed in master now, I'm going to release another RC so
please that.

/Simon




From simon at josefsson.org  Mon May 18 15:01:34 2009
From: simon at josefsson.org (Simon Josefsson)
Date: Mon, 18 May 2009 15:01:34 +0200
Subject: GnuTLS 2.7.10 - release candidate 2 of GnuTLS 2.8.0
In-Reply-To: <873ab2rd08.fsf@mocca.josefsson.org> (Simon Josefsson's message
	of "Mon, 18 May 2009 11:12:07 +0200")
References: <87octwkizk.fsf@mocca.josefsson.org>
	<20090515181326.GA3768@downhill.g.la>
	<871vqoglyc.fsf@mocca.josefsson.org>
	<200905181245.56068.dragonheart@gentoo.org>
	<873ab2rd08.fsf@mocca.josefsson.org>
Message-ID: <87ws8eo98x.fsf@mocca.josefsson.org>

I just removed my g++, and tried to rebuild GnuTLS.  It correctly
detected that no C++ compiler was available, and disable the C++ library
automatically.  So if you still have problem building the very soon to
be released new RC, please let me know and quote the error messages.

/Simon




From ametzler at downhill.at.eu.org  Mon May 18 18:38:41 2009
From: ametzler at downhill.at.eu.org (Andreas Metzler)
Date: Mon, 18 May 2009 18:38:41 +0200
Subject: GnuTLS 2.7.10 - release candidate 2 of GnuTLS 2.8.0
In-Reply-To: <87ws8eo98x.fsf@mocca.josefsson.org>
References: <87octwkizk.fsf@mocca.josefsson.org>
	<20090515181326.GA3768@downhill.g.la>
	<871vqoglyc.fsf@mocca.josefsson.org>
	<200905181245.56068.dragonheart@gentoo.org>
	<873ab2rd08.fsf@mocca.josefsson.org>
	<87ws8eo98x.fsf@mocca.josefsson.org>
Message-ID: <20090518163841.GA5613@downhill.g.la>

On 2009-05-18 Simon Josefsson <simon at josefsson.org> wrote:
> I just removed my g++, and tried to rebuild GnuTLS.  It correctly
> detected that no C++ compiler was available, and disable the C++ library
> automatically.  So if you still have problem building the very soon to
> be released new RC, please let me know and quote the error messages.

FWIW I ran a similar test yesterday, moving /usr/bin/*++* away from
$PATH, and I also had a successful build.

cu andreas

-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'




From ametzler at downhill.at.eu.org  Mon May 18 18:40:53 2009
From: ametzler at downhill.at.eu.org (Andreas Metzler)
Date: Mon, 18 May 2009 18:40:53 +0200
Subject: GnuTLS 2.7.10 - release candidate 2 of GnuTLS 2.8.0
In-Reply-To: <200905181245.56068.dragonheart@gentoo.org>
References: <87octwkizk.fsf@mocca.josefsson.org>
	<20090515181326.GA3768@downhill.g.la>
	<871vqoglyc.fsf@mocca.josefsson.org>
	<200905181245.56068.dragonheart@gentoo.org>
Message-ID: <20090518164053.GB5613@downhill.g.la>

On 2009-05-18 Daniel Black <dragonheart at gentoo.org> wrote:
[...]
> Did you see this patch? is seems to account for the 
> "configure: error: conditional "am__fastdepCXX" was never defined.:"
> error by defining it.
> from:
> https://savannah.gnu.org/support/?106542#comment3
> patch:
> https://savannah.gnu.org:443/file/gnutls-2.6.0-cxx-configure.in.patch?file_id=17234
[...]

--------------
   AC_LANG_POP(C++)
+  AC_PROG_CXX
+else
+  AM_CONDITIONAL([am__fastdepCXX], [false])
 fi
--------------

Looks like something that is going to break again with every other new
upstream release of automake. :-(

cu andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'




From simon at josefsson.org  Mon May 18 22:21:39 2009
From: simon at josefsson.org (Simon Josefsson)
Date: Mon, 18 May 2009 22:21:39 +0200
Subject: GnuTLS 2.7.11 - release candidate 3 of GnuTLS 2.8.0
Message-ID: <87eium17sc.fsf@mocca.josefsson.org>

A few build problems has been fixed, but nothing critical has been
reported, so we are on track to release 2.8.0 within a week or so.

Please test this release as if it were the new stable release.

There have been many e-mails (both on-list and off-list) about different
problems lately, and I have probably forgotten to reply to some of them.
Some of the patches introduced may also lead to new problems, of course.
So, please try and build 2.7.11 again, even if you tried earlier RCs.
If you can reproduce a problem with 2.7.11 that you have reported
earlier, please send me a ping about it.  I'm not actively working on
fixing anything right now.

Btw, josefsson.org and gnutls.org is currently down and may remain so
for a few days.  But when it is back up, the URLs below will start to
work.

Here are the compressed sources:
  http://alpha.gnu.org/gnu/gnutls/gnutls-2.7.11.tar.bz2 (5.9MB)
  ftp://alpha.gnu.org/gnu/gnutls/gnutls-2.7.11.tar.bz2

Here is the OpenPGP signature:
  http://alpha.gnu.org/gnu/gnutls/gnutls-2.7.11.tar.bz2.sig
  ftp://alpha.gnu.org/gnu/gnutls/gnutls-2.7.11.tar.bz2.sig

The Windows binary installer and PGP signature:
  http://josefsson.org/gnutls4win/gnutls-2.7.11.exe (15MB)
  http://josefsson.org/gnutls4win/gnutls-2.7.11.exe.sig

A ZIP archive containing the Windows binaries:
  http://josefsson.org/gnutls4win/gnutls-2.7.11.zip (5.3MB)
  http://josefsson.org/gnutls4win/gnutls-2.7.11.zip.sig

A Debian mingw32 package is also available:
  http://josefsson.org/gnutls4win/mingw32-gnutls_2.7.11-1_all.deb (4.8MB)

Improving GnuTLS is costly, but you can help!  We are looking for
organizations that find GnuTLS useful and wish to contribute back.  You
can contribute by reporting bugs, improve the software, or donate money
or equipment.

Commercial support contracts for GnuTLS are available, and they help
finance continued maintenance.  Simon Josefsson Datakonsult AB, a
Stockholm based privately held company, is currently funding GnuTLS
maintenance.  We are always looking for interesting development
projects.  See http://josefsson.org/ for more details.

/Simon

* Version 2.7.11 (released 2009-05-18)

** minitasn1: Fix build failure when using internal libtasn1.
Reported by "Tom G. Christensen" <tgc at jupiterrise.com> in
<http://permalink.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3548>.

** libgnutls: Fix build failure with --disable-cxx.
Reported by Andreas Metzler <ametzler at downhill.at.eu.org> in
<http://permalink.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3557>.

** gnutls-serv: Fix build failure for unportable NI_MAXHOST/NI_MAXSERV.
Reported by "Tom G. Christensen" <tgc at jupiterrise.com> in
<http://permalink.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3560>

** Building with many warning flags now requires --enable-gcc-warnings.
This avoids crying wolf for normal compiles.

** API and ABI modifications:
No changes since last version.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 419 bytes
Desc: not available
URL: </pipermail/attachments/20090518/39178090/attachment.pgp>

From ankush.vaid at tcs.com  Sun May 17 14:00:00 2009
From: ankush.vaid at tcs.com (Ankush Vaid)
Date: Sun, 17 May 2009 17:30:00 +0530
Subject: About gnutls windows handshake problem
In-Reply-To: <871vqrhltg.fsf@mocca.josefsson.org>
References: <OF9B05F7B4.72694E8D-ON652575B5.0056E8C5-652575B5.0056E8DC@tcs.com>	<4A0B9CD1.50000@gnutls.org>
	<871vqrhltg.fsf@mocca.josefsson.org>
Message-ID: <OF4F3DFA71.E9883FBD-ON65256A4D.005138F3-652575B9.0041EB58@tcs.com>

Hi Nikos/Simon

I have implemented disable padding function, but after that it also got 
failed, I guess reason of failure is something else.

I am sending the log details of the failure.


The whole log follows below:-

Please help me in decoding this log

Thanks 




Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.

C:\Documents and Settings\trinitypc>cd c:\

C:\>gnutls-serv --http --port 7070 --debug 10 --x509cafile cacert.pem 
--x509keyf
ile server-key.pem --x509certfile server-cert.pem
Set static Diffie Hellman parameters, consider --dhparams.
|<2>| ASSERT: ../../../src/gnutls-2.0.0/lib/gnutls_x509.c:1376
Error reading 'cacert.pem'
Error: Error while reading file.

C:\>

C:\>cd program files

C:\Program Files>cd gnutls-2.0.0

C:\Program Files\GnuTLS-2.0.0>cd bin

C:\Program Files\GnuTLS-2.0.0\bin>gnutls-serv --http --port 7070 --debug 
10 --x5
09cafile cacert.pem --x509keyfile server-key.pem --x509certfile 
server-cert.pem
Set static Diffie Hellman parameters, consider --dhparams.
Processed 1 CA certificate(s).
HTTP Server ready. Listening to port '7070'.

|<7>| READ: Got 5 bytes from 20
|<7>| READ: read 5 bytes from 20
|<7>| 0000 - 16 03 01 00 2d
|<7>| RB: Have 0 bytes into buffer. Adding 5 bytes.
|<7>| RB: Requested 5 bytes
|<4>| REC[ac33d8]: Expected Packet[0] Handshake(22) with length: 1
|<4>| REC[ac33d8]: Received Packet[0] Handshake(22) with length: 45
|<7>| READ: Got 45 bytes from 20
|<7>| READ: read 45 bytes from 20
|<7>| 0000 - 01 00 00 29 03 01 37 11 00 00 ce 21 55 ca 9e 30
|<7>| 0001 - 3b 6a c5 bb 87 03 d7 c0 1a 4a 04 ce 17 d2 db 21
|<7>| 0002 - 7e 57 eb 05 4b a8 00 00 02 00 2f 01 00
|<7>| RB: Have 5 bytes into buffer. Adding 45 bytes.
|<7>| RB: Requested 50 bytes
|<4>| REC[ac33d8]: Decrypted Packet[0] Handshake(22) with length: 45
|<6>| BUF[HSK]: Inserted 45 bytes of Data(22)
|<6>| BUF[REC][HD]: Read 1 bytes of Data(22)
|<6>| BUF[REC][HD]: Read 3 bytes of Data(22)
|<3>| HSK[ac33d8]: CLIENT HELLO was received [45 bytes]
|<6>| BUF[REC][HD]: Read 41 bytes of Data(22)
|<6>| BUF[HSK]: Peeked 0 bytes of Data
|<6>| BUF[HSK]: Emptied buffer
|<6>| BUF[HSK]: Inserted 4 bytes of Data
|<6>| BUF[HSK]: Inserted 41 bytes of Data
|<3>| HSK[ac33d8]: Client's version: 3.1
|<2>| ASSERT: ../../../src/gnutls-2.0.0/lib/gnutls_db.c:327
|<2>| ASSERT: ../../../src/gnutls-2.0.0/lib/gnutls_db.c:247
|<2>| ASSERT: ../../../src/gnutls-2.0.0/lib/gnutls_algorithms.c:1628
|<3>| HSK[ac33d8]: Selected Compression Method: NULL
|<2>| ASSERT: ../../../src/gnutls-2.0.0/lib/gnutls_extensions.c:162
|<3>| HSK[ac33d8]: Removing ciphersuite: PSK_SHA_ARCFOUR_SHA1
|<3>| HSK[ac33d8]: Removing ciphersuite: PSK_SHA_3DES_EDE_CBC_SHA1
|<3>| HSK[ac33d8]: Removing ciphersuite: PSK_SHA_AES_128_CBC_SHA1
|<3>| HSK[ac33d8]: Removing ciphersuite: PSK_SHA_AES_256_CBC_SHA1
|<3>| HSK[ac33d8]: Removing ciphersuite: DHE_PSK_SHA_ARCFOUR_SHA1
|<3>| HSK[ac33d8]: Removing ciphersuite: DHE_PSK_SHA_3DES_EDE_CBC_SHA1
|<3>| HSK[ac33d8]: Removing ciphersuite: DHE_PSK_SHA_AES_128_CBC_SHA1
|<3>| HSK[ac33d8]: Removing ciphersuite: DHE_PSK_SHA_AES_256_CBC_SHA1
|<3>| HSK[ac33d8]: Removing ciphersuite: SRP_SHA_3DES_EDE_CBC_SHA1
|<3>| HSK[ac33d8]: Removing ciphersuite: SRP_SHA_AES_128_CBC_SHA1
|<3>| HSK[ac33d8]: Removing ciphersuite: SRP_SHA_AES_256_CBC_SHA1
|<3>| HSK[ac33d8]: Removing ciphersuite: SRP_SHA_DSS_3DES_EDE_CBC_SHA1
|<3>| HSK[ac33d8]: Removing ciphersuite: SRP_SHA_RSA_3DES_EDE_CBC_SHA1
|<3>| HSK[ac33d8]: Removing ciphersuite: SRP_SHA_DSS_AES_128_CBC_SHA1
|<3>| HSK[ac33d8]: Removing ciphersuite: SRP_SHA_RSA_AES_128_CBC_SHA1
|<3>| HSK[ac33d8]: Removing ciphersuite: SRP_SHA_DSS_AES_256_CBC_SHA1
|<3>| HSK[ac33d8]: Removing ciphersuite: SRP_SHA_RSA_AES_256_CBC_SHA1
|<3>| HSK[ac33d8]: Removing ciphersuite: DHE_DSS_ARCFOUR_SHA1
|<3>| HSK[ac33d8]: Removing ciphersuite: DHE_DSS_3DES_EDE_CBC_SHA1
|<3>| HSK[ac33d8]: Removing ciphersuite: DHE_DSS_AES_128_CBC_SHA1
|<3>| HSK[ac33d8]: Removing ciphersuite: DHE_DSS_AES_256_CBC_SHA1
|<3>| HSK[ac33d8]: Keeping ciphersuite: DHE_RSA_3DES_EDE_CBC_SHA1
|<3>| HSK[ac33d8]: Keeping ciphersuite: DHE_RSA_AES_128_CBC_SHA1
|<3>| HSK[ac33d8]: Keeping ciphersuite: DHE_RSA_AES_256_CBC_SHA1
|<3>| HSK[ac33d8]: Keeping ciphersuite: RSA_ARCFOUR_SHA1
|<3>| HSK[ac33d8]: Keeping ciphersuite: RSA_ARCFOUR_MD5
|<3>| HSK[ac33d8]: Keeping ciphersuite: RSA_3DES_EDE_CBC_SHA1
|<3>| HSK[ac33d8]: Keeping ciphersuite: RSA_AES_128_CBC_SHA1
|<3>| HSK[ac33d8]: Keeping ciphersuite: RSA_AES_256_CBC_SHA1
|<3>| HSK[ac33d8]: Selected cipher suite: RSA_AES_128_CBC_SHA1
|<2>| ASSERT: ../../../src/gnutls-2.0.0/lib/ext_authz.c:180
|<2>| ASSERT: ../../../src/gnutls-2.0.0/lib/ext_authz.c:237
|<3>| HSK[ac33d8]: SessionID: 
d509786573e00a3e5306e75185294329676485f91c60fe3460
d50d65bd52aa47
|<3>| HSK[ac33d8]: SERVER HELLO was send [74 bytes]
|<6>| BUF[HSK]: Peeked 45 bytes of Data
|<6>| BUF[HSK]: Emptied buffer
|<4>| REC[ac33d8]: Sending Packet[0] Handshake(22) with length: 74
|<7>| WRITE: Will write 79 bytes to 20.
|<7>| WRITE: wrote 79 bytes to 20. Left 0 bytes. Total 79 bytes.
|<7>| 0000 - 16 03 01 00 4a 02 00 00 46 03 01 4a 0d 39 24 a0
|<7>| 0001 - b7 35 6e 9f c8 88 0d 37 55 4e 67 63 88 10 db ca
|<7>| 0002 - 3c 80 3f ba c9 f7 1c 51 b8 7b 6a 20 d5 09 78 65
|<7>| 0003 - 73 e0 0a 3e 53 06 e7 51 85 29 43 29 67 64 85 f9
|<7>| 0004 - 1c 60 fe 34 60 d5 0d 65 bd 52 aa 47 00 2f 00
|<4>| REC[ac33d8]: Sent Packet[1] Handshake(22) with length: 79
|<3>| HSK[ac33d8]: CERTIFICATE was send [930 bytes]
|<6>| BUF[HSK]: Peeked 0 bytes of Data
|<6>| BUF[HSK]: Emptied buffer
|<4>| REC[ac33d8]: Sending Packet[1] Handshake(22) with length: 930
|<7>| WRITE: Will write 935 bytes to 20.
|<7>| WRITE: wrote 935 bytes to 20. Left 0 bytes. Total 935 bytes.
|<7>| 0000 - 16 03 01 03 a2 0b 00 03 9e 00 03 9b 00 03 98 30
|<7>| 0001 - 82 03 94 30 82 02 7c a0 03 02 01 02 02 03 10 00
|<7>| 0002 - 01 30 0d 06 09 2a 86 48 86 f7 0d 01 01 05 05 00
|<7>| 0003 - 30 58 31 0b 30 09 06 03 55 04 06 13 02 55 4b 31
|<7>| 0004 - 0f 30 0d 06 03 55 04 08 13 06 4c 6f 6e 64 6f 6e
|<7>| 0005 - 31 12 30 10 06 03 55 04 07 13 09 53 74 65 76 65
|<7>| 0006 - 6e 61 67 65 31 11 30 0f 06 03 55 04 0a 13 08 41
|<7>| 0007 - 65 72 6f 66 6c 65 78 31 11 30 0f 06 03 55 04 03
|<7>| 0008 - 13 08 41 65 72 6f 66 6c 65 78 30 1e 17 0d 30 38
|<7>| 0009 - 30 37 32 33 30 38 31 38 32 33 5a 17 0d 31 33 30
|<7>| 000a - 37 32 32 30 38 31 38 32 33 5a 30 44 31 0b 30 09
|<7>| 000b - 06 03 55 04 06 13 02 55 4b 31 0f 30 0d 06 03 55
|<7>| 000c - 04 08 13 06 4c 6f 6e 64 6f 6e 31 11 30 0f 06 03
|<7>| 000d - 55 04 0a 13 08 41 65 72 6f 66 6c 65 78 31 11 30
|<7>| 000e - 0f 06 03 55 04 03 13 08 41 65 72 6f 66 6c 65 78
|<7>| 000f - 30 82 01 22 30 0d 06 09 2a 86 48 86 f7 0d 01 01
|<7>| 0010 - 01 05 00 03 82 01 0f 00 30 82 01 0a 02 82 01 01
|<7>| 0011 - 00 be 17 70 dc 6c 04 ba 89 ce 7a a6 77 ba 3f 2c
|<7>| 0012 - 13 4e b4 65 8a c8 9c dd f3 32 73 14 e8 03 f8 8f
|<7>| 0013 - f3 7c 53 a2 b4 d6 b0 7b 88 e4 0e 1b c6 fa b6 93
|<7>| 0014 - 47 4e 41 08 8c 40 83 44 78 5c a2 ab f9 1d 28 53
|<7>| 0015 - da fb f1 a6 dd a0 1b 28 ad a3 12 79 e0 60 bb dd
|<7>| 0016 - a7 b8 ea ea 9d 54 4d f0 ac 65 a8 1c c7 f3 d2 5e
|<7>| 0017 - 99 b5 ec 04 93 ad 58 ed bc 07 43 32 61 4f 21 00
|<7>| 0018 - 38 a4 df 49 a5 d2 aa 14 72 c7 98 18 18 86 b4 80
|<7>| 0019 - 52 0a d2 c8 09 d8 f3 09 ee b4 d8 42 fb 18 18 6b
|<7>| 001a - 8c 19 be 05 55 29 ef be 85 14 eb 33 05 8d c0 7f
|<7>| 001b - 7b 88 59 cb f3 0c bc ac d5 bf 2b 27 79 b7 44 be
|<7>| 001c - eb f3 8c 92 9c 1a ec c1 fb 3c 91 5c 18 1f 3b 0b
|<7>| 001d - 52 1b 7c d7 57 61 22 80 2d 28 8a c7 25 bf 3e 92
|<7>| 001e - 50 96 3d 35 81 cd ea 04 b0 59 bc f3 5f 8d df b3
|<7>| 001f - 00 22 9c 6c 59 f2 de 57 34 ab ff 45 ec 91 25 8f
|<7>| 0020 - a7 0e c2 61 4b 0a 36 c5 99 1f cf 90 e8 24 40 bc
|<7>| 0021 - d7 02 03 01 00 01 a3 7b 30 79 30 09 06 03 55 1d
|<7>| 0022 - 13 04 02 30 00 30 2c 06 09 60 86 48 01 86 f8 42
|<7>| 0023 - 01 0d 04 1f 16 1d 4f 70 65 6e 53 53 4c 20 47 65
|<7>| 0024 - 6e 65 72 61 74 65 64 20 43 65 72 74 69 66 69 63
|<7>| 0025 - 61 74 65 30 1d 06 03 55 1d 0e 04 16 04 14 42 15
|<7>| 0026 - 35 c7 fc ba 91 0f 9e 99 09 fa 68 26 6a e4 a0 d4
|<7>| 0027 - 2c a1 30 1f 06 03 55 1d 23 04 18 30 16 80 14 90
|<7>| 0028 - c1 e9 00 e7 db fe 76 9e f8 b8 7c 00 66 ed ef 0a
|<7>| 0029 - 3d 30 30 30 0d 06 09 2a 86 48 86 f7 0d 01 01 05
|<7>| 002a - 05 00 03 82 01 01 00 01 27 e4 9f 51 3d 42 1a 20
|<7>| 002b - fd a9 28 91 fe 2d e2 bf 04 c1 bd 52 38 e5 2e de
|<7>| 002c - 31 f2 10 ea c6 d3 f5 74 34 89 9a 91 fe db 98 5a
|<7>| 002d - 77 d4 9e 6b 67 b5 2f fa 0e 79 96 c2 cd 86 8f b1
|<7>| 002e - 0f 8e f1 0c a3 fd 3e d6 2b 85 7b 36 15 3f 76 69
|<7>| 002f - f3 c2 9c 28 6d a1 4e 19 ae 82 8a 17 a2 f3 57 eb
|<7>| 0030 - 18 74 a9 f6 cc 0c 17 db 7e 4e 47 d9 cc 3b 87 7a
|<7>| 0031 - 74 98 c3 43 c3 69 55 f4 a8 a2 7a 9d b2 d6 76 f4
|<7>| 0032 - c2 23 a3 ae f2 e5 6e 34 5c a6 60 fe 8e d9 13 68
|<7>| 0033 - 49 61 b5 f7 ed b2 e3 6a 06 73 88 65 32 b7 42 de
|<7>| 0034 - 8d 5d a6 09 94 bb c4 21 48 1a 2b c0 04 cb b5 d3
|<7>| 0035 - 01 8b 90 9a ee a3 2a 10 7f cd d3 ea 26 da 82 a2
|<7>| 0036 - 0f b3 33 10 0f 09 fc e2 ee c6 26 a5 25 6e ab d9
|<7>| 0037 - cd 1d f2 2b eb 9d d5 3f 04 14 f3 f5 3c a1 3c 1c
|<7>| 0038 - 94 a7 dd 5a 24 4e 60 9c 01 0e a4 78 8b c2 18 1a
|<7>| 0039 - 38 b8 87 3d 2a 32 b8 c5 06 a9 bc 40 94 cf f7 6e
|<7>| 003a - 7e c9 d7 de 49 1c de
|<4>| REC[ac33d8]: Sent Packet[2] Handshake(22) with length: 935
|<3>| HSK[ac33d8]: CERTIFICATE REQUEST was send [101 bytes]
|<6>| BUF[HSK]: Peeked 0 bytes of Data
|<6>| BUF[HSK]: Emptied buffer
|<4>| REC[ac33d8]: Sending Packet[2] Handshake(22) with length: 101
|<7>| WRITE: Will write 106 bytes to 20.
|<7>| WRITE: wrote 106 bytes to 20. Left 0 bytes. Total 106 bytes.
|<7>| 0000 - 16 03 01 00 65 0d 00 00 61 02 01 02 00 5c 00 5a
|<7>| 0001 - 30 58 31 0b 30 09 06 03 55 04 06 13 02 55 4b 31
|<7>| 0002 - 0f 30 0d 06 03 55 04 08 13 06 4c 6f 6e 64 6f 6e
|<7>| 0003 - 31 12 30 10 06 03 55 04 07 13 09 53 74 65 76 65
|<7>| 0004 - 6e 61 67 65 31 11 30 0f 06 03 55 04 0a 13 08 41
|<7>| 0005 - 65 72 6f 66 6c 65 78 31 11 30 0f 06 03 55 04 03
|<7>| 0006 - 13 08 41 65 72 6f 66 6c 65 78
|<4>| REC[ac33d8]: Sent Packet[3] Handshake(22) with length: 106
|<3>| HSK[ac33d8]: SERVER HELLO DONE was send [4 bytes]
|<6>| BUF[HSK]: Peeked 0 bytes of Data
|<6>| BUF[HSK]: Emptied buffer
|<4>| REC[ac33d8]: Sending Packet[3] Handshake(22) with length: 4
|<7>| WRITE: Will write 9 bytes to 20.
|<7>| WRITE: wrote 9 bytes to 20. Left 0 bytes. Total 9 bytes.
|<7>| 0000 - 16 03 01 00 04 0e 00 00 00
|<4>| REC[ac33d8]: Sent Packet[4] Handshake(22) with length: 9
|<7>| READ: Got 5 bytes from 20
|<7>| READ: read 5 bytes from 20
|<7>| 0000 - 15 03 01 00 02
|<7>| RB: Have 0 bytes into buffer. Adding 5 bytes.
|<7>| RB: Requested 5 bytes
|<4>| REC[ac33d8]: Expected Packet[1] Handshake(22) with length: 1
|<4>| REC[ac33d8]: Received Packet[1] Alert(21) with length: 2
|<7>| READ: Got 2 bytes from 20
|<7>| READ: read 2 bytes from 20
|<7>| 0000 - 02 28
|<7>| RB: Have 5 bytes into buffer. Adding 2 bytes.
|<7>| RB: Requested 7 bytes
|<4>| REC[ac33d8]: Decrypted Packet[1] Alert(21) with length: 2
|<4>| REC[ac33d8]: Alert[2|40] - Handshake failed - was received
|<2>| ASSERT: ../../../src/gnutls-2.0.0/lib/gnutls_record.c:681
|<2>| ASSERT: ../../../src/gnutls-2.0.0/lib/gnutls_record.c:1028
|<2>| ASSERT: ../../../src/gnutls-2.0.0/lib/gnutls_buffers.c:1188
|<2>| ASSERT: ../../../src/gnutls-2.0.0/lib/gnutls_handshake.c:962
|<2>| ASSERT: ../../../src/gnutls-2.0.0/lib/gnutls_handshake.c:2568
|<6>| BUF[HSK]: Cleared Data from buffer
* Received alert '40': Handshake failed.
Error in handshake
Error: A TLS fatal alert has been received.
|<2>| ASSERT: ../../../src/gnutls-2.0.0/lib/gnutls_record.c:241

Ankush Vaid
Tata Consultancy Services
TCS Towers, 249 D&E Udyog Vihar,
Phase IV,
Gurgaon
Gurgaon - 122001,Haryana
India
Cell:- 09718290491
Mailto: ankush.vaid at tcs.com
Website: http://www.tcs.com
____________________________________________
Experience certainty.   IT Services
                        Business Solutions
                        Outsourcing
____________________________________________



Simon Josefsson <simon at josefsson.org> 
05/14/2009 06:40 PM

To
Nikos Mavrogiannopoulos <nmav at gnutls.org>
cc
Ankush Vaid <ankush.vaid at tcs.com>, Gnutls-dev at gnupg.org
Subject
Re: About gnutls windows handshake problem






Nikos Mavrogiannopoulos <nmav at gnutls.org> writes:

> Ankush Vaid wrote:
>> Hi,
>> 
>> This is regarding handshaking failure on qualcomm mobile 6280 using
>> security, after digging into the problem I come to know about that 
error is
>> coming at finished message which is found of size 208 bytes.
>> 
>> There is link given below which suggest that some mobiles don't support 
non
>> minimal record padding.
>> 
>> 
http://www.gnu.org/software/gnutls/manual/html_node/On-Record-Padding.html
>> 
>> If this the case probably there is a workaround in gnutls library we 
are
>> using to resolve/fix this issue.
>
> Hi,
>  I do not understand what is the question here. If you ask for a
> workaround this is discussed in the page you refer to (the %COMPAT
> priority string).

Indeed %COMPAT seems like the answer.  However, isn't that keyword
confusing?  How about adding %DISABLE_MAC_PADDING?  Today those two
keywords would do the same, but if we encounter other compatibility
hacks, %COMPAT would also enable them, but %DISABLE_MAC_PADDING would
only disable MAC padding.  It seems better to introduce this today
rather than when the next compatibility hack is introduced.

/Simon

ForwardSourceID:NT000040F2 
=====-----=====-----=====
Notice: The information contained in this e-mail
message and/or attachments to it may contain 
confidential or privileged information. If you are 
not the intended recipient, any dissemination, use, 
review, distribution, printing or copying of the 
information contained in this e-mail message 
and/or attachments to it are strictly prohibited. If 
you have received this communication in error, 
please notify us by reply e-mail or telephone and 
immediately and permanently delete the message 
and any attachments. Thank you


-------------- next part --------------
An HTML attachment was scrubbed...
URL: </pipermail/attachments/20090517/8e0f7f68/attachment.htm>

From ankush.vaid at tcs.com  Sun May 17 14:00:00 2009
From: ankush.vaid at tcs.com (Ankush Vaid)
Date: Sun, 17 May 2009 17:30:00 +0530
Subject: About gnutls windows handshake problem
In-Reply-To: <871vqrhltg.fsf@mocca.josefsson.org>
References: <OF9B05F7B4.72694E8D-ON652575B5.0056E8C5-652575B5.0056E8DC@tcs.com>	<4A0B9CD1.50000@gnutls.org>
	<871vqrhltg.fsf@mocca.josefsson.org>
Message-ID: <OF4F3DFA71.E9883FBD-ON65256A4D.005138F3-652575B9.0041EB58@tcs.com>

Hi Nikos/Simon

I have implemented disable padding function, but after that it also got 
failed, I guess reason of failure is something else.

I am sending the log details of the failure.


The whole log follows below:-

Please help me in decoding this log

Thanks 




Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.

C:\Documents and Settings\trinitypc>cd c:\

C:\>gnutls-serv --http --port 7070 --debug 10 --x509cafile cacert.pem 
--x509keyf
ile server-key.pem --x509certfile server-cert.pem
Set static Diffie Hellman parameters, consider --dhparams.
|<2>| ASSERT: ../../../src/gnutls-2.0.0/lib/gnutls_x509.c:1376
Error reading 'cacert.pem'
Error: Error while reading file.

C:\>

C:\>cd program files

C:\Program Files>cd gnutls-2.0.0

C:\Program Files\GnuTLS-2.0.0>cd bin

C:\Program Files\GnuTLS-2.0.0\bin>gnutls-serv --http --port 7070 --debug 
10 --x5
09cafile cacert.pem --x509keyfile server-key.pem --x509certfile 
server-cert.pem
Set static Diffie Hellman parameters, consider --dhparams.
Processed 1 CA certificate(s).
HTTP Server ready. Listening to port '7070'.

|<7>| READ: Got 5 bytes from 20
|<7>| READ: read 5 bytes from 20
|<7>| 0000 - 16 03 01 00 2d
|<7>| RB: Have 0 bytes into buffer. Adding 5 bytes.
|<7>| RB: Requested 5 bytes
|<4>| REC[ac33d8]: Expected Packet[0] Handshake(22) with length: 1
|<4>| REC[ac33d8]: Received Packet[0] Handshake(22) with length: 45
|<7>| READ: Got 45 bytes from 20
|<7>| READ: read 45 bytes from 20
|<7>| 0000 - 01 00 00 29 03 01 37 11 00 00 ce 21 55 ca 9e 30
|<7>| 0001 - 3b 6a c5 bb 87 03 d7 c0 1a 4a 04 ce 17 d2 db 21
|<7>| 0002 - 7e 57 eb 05 4b a8 00 00 02 00 2f 01 00
|<7>| RB: Have 5 bytes into buffer. Adding 45 bytes.
|<7>| RB: Requested 50 bytes
|<4>| REC[ac33d8]: Decrypted Packet[0] Handshake(22) with length: 45
|<6>| BUF[HSK]: Inserted 45 bytes of Data(22)
|<6>| BUF[REC][HD]: Read 1 bytes of Data(22)
|<6>| BUF[REC][HD]: Read 3 bytes of Data(22)
|<3>| HSK[ac33d8]: CLIENT HELLO was received [45 bytes]
|<6>| BUF[REC][HD]: Read 41 bytes of Data(22)
|<6>| BUF[HSK]: Peeked 0 bytes of Data
|<6>| BUF[HSK]: Emptied buffer
|<6>| BUF[HSK]: Inserted 4 bytes of Data
|<6>| BUF[HSK]: Inserted 41 bytes of Data
|<3>| HSK[ac33d8]: Client's version: 3.1
|<2>| ASSERT: ../../../src/gnutls-2.0.0/lib/gnutls_db.c:327
|<2>| ASSERT: ../../../src/gnutls-2.0.0/lib/gnutls_db.c:247
|<2>| ASSERT: ../../../src/gnutls-2.0.0/lib/gnutls_algorithms.c:1628
|<3>| HSK[ac33d8]: Selected Compression Method: NULL
|<2>| ASSERT: ../../../src/gnutls-2.0.0/lib/gnutls_extensions.c:162
|<3>| HSK[ac33d8]: Removing ciphersuite: PSK_SHA_ARCFOUR_SHA1
|<3>| HSK[ac33d8]: Removing ciphersuite: PSK_SHA_3DES_EDE_CBC_SHA1
|<3>| HSK[ac33d8]: Removing ciphersuite: PSK_SHA_AES_128_CBC_SHA1
|<3>| HSK[ac33d8]: Removing ciphersuite: PSK_SHA_AES_256_CBC_SHA1
|<3>| HSK[ac33d8]: Removing ciphersuite: DHE_PSK_SHA_ARCFOUR_SHA1
|<3>| HSK[ac33d8]: Removing ciphersuite: DHE_PSK_SHA_3DES_EDE_CBC_SHA1
|<3>| HSK[ac33d8]: Removing ciphersuite: DHE_PSK_SHA_AES_128_CBC_SHA1
|<3>| HSK[ac33d8]: Removing ciphersuite: DHE_PSK_SHA_AES_256_CBC_SHA1
|<3>| HSK[ac33d8]: Removing ciphersuite: SRP_SHA_3DES_EDE_CBC_SHA1
|<3>| HSK[ac33d8]: Removing ciphersuite: SRP_SHA_AES_128_CBC_SHA1
|<3>| HSK[ac33d8]: Removing ciphersuite: SRP_SHA_AES_256_CBC_SHA1
|<3>| HSK[ac33d8]: Removing ciphersuite: SRP_SHA_DSS_3DES_EDE_CBC_SHA1
|<3>| HSK[ac33d8]: Removing ciphersuite: SRP_SHA_RSA_3DES_EDE_CBC_SHA1
|<3>| HSK[ac33d8]: Removing ciphersuite: SRP_SHA_DSS_AES_128_CBC_SHA1
|<3>| HSK[ac33d8]: Removing ciphersuite: SRP_SHA_RSA_AES_128_CBC_SHA1
|<3>| HSK[ac33d8]: Removing ciphersuite: SRP_SHA_DSS_AES_256_CBC_SHA1
|<3>| HSK[ac33d8]: Removing ciphersuite: SRP_SHA_RSA_AES_256_CBC_SHA1
|<3>| HSK[ac33d8]: Removing ciphersuite: DHE_DSS_ARCFOUR_SHA1
|<3>| HSK[ac33d8]: Removing ciphersuite: DHE_DSS_3DES_EDE_CBC_SHA1
|<3>| HSK[ac33d8]: Removing ciphersuite: DHE_DSS_AES_128_CBC_SHA1
|<3>| HSK[ac33d8]: Removing ciphersuite: DHE_DSS_AES_256_CBC_SHA1
|<3>| HSK[ac33d8]: Keeping ciphersuite: DHE_RSA_3DES_EDE_CBC_SHA1
|<3>| HSK[ac33d8]: Keeping ciphersuite: DHE_RSA_AES_128_CBC_SHA1
|<3>| HSK[ac33d8]: Keeping ciphersuite: DHE_RSA_AES_256_CBC_SHA1
|<3>| HSK[ac33d8]: Keeping ciphersuite: RSA_ARCFOUR_SHA1
|<3>| HSK[ac33d8]: Keeping ciphersuite: RSA_ARCFOUR_MD5
|<3>| HSK[ac33d8]: Keeping ciphersuite: RSA_3DES_EDE_CBC_SHA1
|<3>| HSK[ac33d8]: Keeping ciphersuite: RSA_AES_128_CBC_SHA1
|<3>| HSK[ac33d8]: Keeping ciphersuite: RSA_AES_256_CBC_SHA1
|<3>| HSK[ac33d8]: Selected cipher suite: RSA_AES_128_CBC_SHA1
|<2>| ASSERT: ../../../src/gnutls-2.0.0/lib/ext_authz.c:180
|<2>| ASSERT: ../../../src/gnutls-2.0.0/lib/ext_authz.c:237
|<3>| HSK[ac33d8]: SessionID: 
d509786573e00a3e5306e75185294329676485f91c60fe3460
d50d65bd52aa47
|<3>| HSK[ac33d8]: SERVER HELLO was send [74 bytes]
|<6>| BUF[HSK]: Peeked 45 bytes of Data
|<6>| BUF[HSK]: Emptied buffer
|<4>| REC[ac33d8]: Sending Packet[0] Handshake(22) with length: 74
|<7>| WRITE: Will write 79 bytes to 20.
|<7>| WRITE: wrote 79 bytes to 20. Left 0 bytes. Total 79 bytes.
|<7>| 0000 - 16 03 01 00 4a 02 00 00 46 03 01 4a 0d 39 24 a0
|<7>| 0001 - b7 35 6e 9f c8 88 0d 37 55 4e 67 63 88 10 db ca
|<7>| 0002 - 3c 80 3f ba c9 f7 1c 51 b8 7b 6a 20 d5 09 78 65
|<7>| 0003 - 73 e0 0a 3e 53 06 e7 51 85 29 43 29 67 64 85 f9
|<7>| 0004 - 1c 60 fe 34 60 d5 0d 65 bd 52 aa 47 00 2f 00
|<4>| REC[ac33d8]: Sent Packet[1] Handshake(22) with length: 79
|<3>| HSK[ac33d8]: CERTIFICATE was send [930 bytes]
|<6>| BUF[HSK]: Peeked 0 bytes of Data
|<6>| BUF[HSK]: Emptied buffer
|<4>| REC[ac33d8]: Sending Packet[1] Handshake(22) with length: 930
|<7>| WRITE: Will write 935 bytes to 20.
|<7>| WRITE: wrote 935 bytes to 20. Left 0 bytes. Total 935 bytes.
|<7>| 0000 - 16 03 01 03 a2 0b 00 03 9e 00 03 9b 00 03 98 30
|<7>| 0001 - 82 03 94 30 82 02 7c a0 03 02 01 02 02 03 10 00
|<7>| 0002 - 01 30 0d 06 09 2a 86 48 86 f7 0d 01 01 05 05 00
|<7>| 0003 - 30 58 31 0b 30 09 06 03 55 04 06 13 02 55 4b 31
|<7>| 0004 - 0f 30 0d 06 03 55 04 08 13 06 4c 6f 6e 64 6f 6e
|<7>| 0005 - 31 12 30 10 06 03 55 04 07 13 09 53 74 65 76 65
|<7>| 0006 - 6e 61 67 65 31 11 30 0f 06 03 55 04 0a 13 08 41
|<7>| 0007 - 65 72 6f 66 6c 65 78 31 11 30 0f 06 03 55 04 03
|<7>| 0008 - 13 08 41 65 72 6f 66 6c 65 78 30 1e 17 0d 30 38
|<7>| 0009 - 30 37 32 33 30 38 31 38 32 33 5a 17 0d 31 33 30
|<7>| 000a - 37 32 32 30 38 31 38 32 33 5a 30 44 31 0b 30 09
|<7>| 000b - 06 03 55 04 06 13 02 55 4b 31 0f 30 0d 06 03 55
|<7>| 000c - 04 08 13 06 4c 6f 6e 64 6f 6e 31 11 30 0f 06 03
|<7>| 000d - 55 04 0a 13 08 41 65 72 6f 66 6c 65 78 31 11 30
|<7>| 000e - 0f 06 03 55 04 03 13 08 41 65 72 6f 66 6c 65 78
|<7>| 000f - 30 82 01 22 30 0d 06 09 2a 86 48 86 f7 0d 01 01
|<7>| 0010 - 01 05 00 03 82 01 0f 00 30 82 01 0a 02 82 01 01
|<7>| 0011 - 00 be 17 70 dc 6c 04 ba 89 ce 7a a6 77 ba 3f 2c
|<7>| 0012 - 13 4e b4 65 8a c8 9c dd f3 32 73 14 e8 03 f8 8f
|<7>| 0013 - f3 7c 53 a2 b4 d6 b0 7b 88 e4 0e 1b c6 fa b6 93
|<7>| 0014 - 47 4e 41 08 8c 40 83 44 78 5c a2 ab f9 1d 28 53
|<7>| 0015 - da fb f1 a6 dd a0 1b 28 ad a3 12 79 e0 60 bb dd
|<7>| 0016 - a7 b8 ea ea 9d 54 4d f0 ac 65 a8 1c c7 f3 d2 5e
|<7>| 0017 - 99 b5 ec 04 93 ad 58 ed bc 07 43 32 61 4f 21 00
|<7>| 0018 - 38 a4 df 49 a5 d2 aa 14 72 c7 98 18 18 86 b4 80
|<7>| 0019 - 52 0a d2 c8 09 d8 f3 09 ee b4 d8 42 fb 18 18 6b
|<7>| 001a - 8c 19 be 05 55 29 ef be 85 14 eb 33 05 8d c0 7f
|<7>| 001b - 7b 88 59 cb f3 0c bc ac d5 bf 2b 27 79 b7 44 be
|<7>| 001c - eb f3 8c 92 9c 1a ec c1 fb 3c 91 5c 18 1f 3b 0b
|<7>| 001d - 52 1b 7c d7 57 61 22 80 2d 28 8a c7 25 bf 3e 92
|<7>| 001e - 50 96 3d 35 81 cd ea 04 b0 59 bc f3 5f 8d df b3
|<7>| 001f - 00 22 9c 6c 59 f2 de 57 34 ab ff 45 ec 91 25 8f
|<7>| 0020 - a7 0e c2 61 4b 0a 36 c5 99 1f cf 90 e8 24 40 bc
|<7>| 0021 - d7 02 03 01 00 01 a3 7b 30 79 30 09 06 03 55 1d
|<7>| 0022 - 13 04 02 30 00 30 2c 06 09 60 86 48 01 86 f8 42
|<7>| 0023 - 01 0d 04 1f 16 1d 4f 70 65 6e 53 53 4c 20 47 65
|<7>| 0024 - 6e 65 72 61 74 65 64 20 43 65 72 74 69 66 69 63
|<7>| 0025 - 61 74 65 30 1d 06 03 55 1d 0e 04 16 04 14 42 15
|<7>| 0026 - 35 c7 fc ba 91 0f 9e 99 09 fa 68 26 6a e4 a0 d4
|<7>| 0027 - 2c a1 30 1f 06 03 55 1d 23 04 18 30 16 80 14 90
|<7>| 0028 - c1 e9 00 e7 db fe 76 9e f8 b8 7c 00 66 ed ef 0a
|<7>| 0029 - 3d 30 30 30 0d 06 09 2a 86 48 86 f7 0d 01 01 05
|<7>| 002a - 05 00 03 82 01 01 00 01 27 e4 9f 51 3d 42 1a 20
|<7>| 002b - fd a9 28 91 fe 2d e2 bf 04 c1 bd 52 38 e5 2e de
|<7>| 002c - 31 f2 10 ea c6 d3 f5 74 34 89 9a 91 fe db 98 5a
|<7>| 002d - 77 d4 9e 6b 67 b5 2f fa 0e 79 96 c2 cd 86 8f b1
|<7>| 002e - 0f 8e f1 0c a3 fd 3e d6 2b 85 7b 36 15 3f 76 69
|<7>| 002f - f3 c2 9c 28 6d a1 4e 19 ae 82 8a 17 a2 f3 57 eb
|<7>| 0030 - 18 74 a9 f6 cc 0c 17 db 7e 4e 47 d9 cc 3b 87 7a
|<7>| 0031 - 74 98 c3 43 c3 69 55 f4 a8 a2 7a 9d b2 d6 76 f4
|<7>| 0032 - c2 23 a3 ae f2 e5 6e 34 5c a6 60 fe 8e d9 13 68
|<7>| 0033 - 49 61 b5 f7 ed b2 e3 6a 06 73 88 65 32 b7 42 de
|<7>| 0034 - 8d 5d a6 09 94 bb c4 21 48 1a 2b c0 04 cb b5 d3
|<7>| 0035 - 01 8b 90 9a ee a3 2a 10 7f cd d3 ea 26 da 82 a2
|<7>| 0036 - 0f b3 33 10 0f 09 fc e2 ee c6 26 a5 25 6e ab d9
|<7>| 0037 - cd 1d f2 2b eb 9d d5 3f 04 14 f3 f5 3c a1 3c 1c
|<7>| 0038 - 94 a7 dd 5a 24 4e 60 9c 01 0e a4 78 8b c2 18 1a
|<7>| 0039 - 38 b8 87 3d 2a 32 b8 c5 06 a9 bc 40 94 cf f7 6e
|<7>| 003a - 7e c9 d7 de 49 1c de
|<4>| REC[ac33d8]: Sent Packet[2] Handshake(22) with length: 935
|<3>| HSK[ac33d8]: CERTIFICATE REQUEST was send [101 bytes]
|<6>| BUF[HSK]: Peeked 0 bytes of Data
|<6>| BUF[HSK]: Emptied buffer
|<4>| REC[ac33d8]: Sending Packet[2] Handshake(22) with length: 101
|<7>| WRITE: Will write 106 bytes to 20.
|<7>| WRITE: wrote 106 bytes to 20. Left 0 bytes. Total 106 bytes.
|<7>| 0000 - 16 03 01 00 65 0d 00 00 61 02 01 02 00 5c 00 5a
|<7>| 0001 - 30 58 31 0b 30 09 06 03 55 04 06 13 02 55 4b 31
|<7>| 0002 - 0f 30 0d 06 03 55 04 08 13 06 4c 6f 6e 64 6f 6e
|<7>| 0003 - 31 12 30 10 06 03 55 04 07 13 09 53 74 65 76 65
|<7>| 0004 - 6e 61 67 65 31 11 30 0f 06 03 55 04 0a 13 08 41
|<7>| 0005 - 65 72 6f 66 6c 65 78 31 11 30 0f 06 03 55 04 03
|<7>| 0006 - 13 08 41 65 72 6f 66 6c 65 78
|<4>| REC[ac33d8]: Sent Packet[3] Handshake(22) with length: 106
|<3>| HSK[ac33d8]: SERVER HELLO DONE was send [4 bytes]
|<6>| BUF[HSK]: Peeked 0 bytes of Data
|<6>| BUF[HSK]: Emptied buffer
|<4>| REC[ac33d8]: Sending Packet[3] Handshake(22) with length: 4
|<7>| WRITE: Will write 9 bytes to 20.
|<7>| WRITE: wrote 9 bytes to 20. Left 0 bytes. Total 9 bytes.
|<7>| 0000 - 16 03 01 00 04 0e 00 00 00
|<4>| REC[ac33d8]: Sent Packet[4] Handshake(22) with length: 9
|<7>| READ: Got 5 bytes from 20
|<7>| READ: read 5 bytes from 20
|<7>| 0000 - 15 03 01 00 02
|<7>| RB: Have 0 bytes into buffer. Adding 5 bytes.
|<7>| RB: Requested 5 bytes
|<4>| REC[ac33d8]: Expected Packet[1] Handshake(22) with length: 1
|<4>| REC[ac33d8]: Received Packet[1] Alert(21) with length: 2
|<7>| READ: Got 2 bytes from 20
|<7>| READ: read 2 bytes from 20
|<7>| 0000 - 02 28
|<7>| RB: Have 5 bytes into buffer. Adding 2 bytes.
|<7>| RB: Requested 7 bytes
|<4>| REC[ac33d8]: Decrypted Packet[1] Alert(21) with length: 2
|<4>| REC[ac33d8]: Alert[2|40] - Handshake failed - was received
|<2>| ASSERT: ../../../src/gnutls-2.0.0/lib/gnutls_record.c:681
|<2>| ASSERT: ../../../src/gnutls-2.0.0/lib/gnutls_record.c:1028
|<2>| ASSERT: ../../../src/gnutls-2.0.0/lib/gnutls_buffers.c:1188
|<2>| ASSERT: ../../../src/gnutls-2.0.0/lib/gnutls_handshake.c:962
|<2>| ASSERT: ../../../src/gnutls-2.0.0/lib/gnutls_handshake.c:2568
|<6>| BUF[HSK]: Cleared Data from buffer
* Received alert '40': Handshake failed.
Error in handshake
Error: A TLS fatal alert has been received.
|<2>| ASSERT: ../../../src/gnutls-2.0.0/lib/gnutls_record.c:241

Ankush Vaid
Tata Consultancy Services
TCS Towers, 249 D&E Udyog Vihar,
Phase IV,
Gurgaon
Gurgaon - 122001,Haryana
India
Cell:- 09718290491
Mailto: ankush.vaid at tcs.com
Website: http://www.tcs.com
____________________________________________
Experience certainty.   IT Services
                        Business Solutions
                        Outsourcing
____________________________________________



Simon Josefsson <simon at josefsson.org> 
05/14/2009 06:40 PM

To
Nikos Mavrogiannopoulos <nmav at gnutls.org>
cc
Ankush Vaid <ankush.vaid at tcs.com>, Gnutls-dev at gnupg.org
Subject
Re: About gnutls windows handshake problem






Nikos Mavrogiannopoulos <nmav at gnutls.org> writes:

> Ankush Vaid wrote:
>> Hi,
>> 
>> This is regarding handshaking failure on qualcomm mobile 6280 using
>> security, after digging into the problem I come to know about that 
error is
>> coming at finished message which is found of size 208 bytes.
>> 
>> There is link given below which suggest that some mobiles don't support 
non
>> minimal record padding.
>> 
>> 
http://www.gnu.org/software/gnutls/manual/html_node/On-Record-Padding.html
>> 
>> If this the case probably there is a workaround in gnutls library we 
are
>> using to resolve/fix this issue.
>
> Hi,
>  I do not understand what is the question here. If you ask for a
> workaround this is discussed in the page you refer to (the %COMPAT
> priority string).

Indeed %COMPAT seems like the answer.  However, isn't that keyword
confusing?  How about adding %DISABLE_MAC_PADDING?  Today those two
keywords would do the same, but if we encounter other compatibility
hacks, %COMPAT would also enable them, but %DISABLE_MAC_PADDING would
only disable MAC padding.  It seems better to introduce this today
rather than when the next compatibility hack is introduced.

/Simon

ForwardSourceID:NT000040F2 
=====-----=====-----=====
Notice: The information contained in this e-mail
message and/or attachments to it may contain 
confidential or privileged information. If you are 
not the intended recipient, any dissemination, use, 
review, distribution, printing or copying of the 
information contained in this e-mail message 
and/or attachments to it are strictly prohibited. If 
you have received this communication in error, 
please notify us by reply e-mail or telephone and 
immediately and permanently delete the message 
and any attachments. Thank you


-------------- next part --------------
An HTML attachment was scrubbed...
URL: </pipermail/attachments/20090517/8e0f7f68/attachment-0001.htm>

From simon at josefsson.org  Tue May 19 17:18:00 2009
From: simon at josefsson.org (Simon Josefsson)
Date: Tue, 19 May 2009 17:18:00 +0200
Subject: About gnutls windows handshake problem
In-Reply-To: <OF4F3DFA71.E9883FBD-ON65256A4D.005138F3-652575B9.0041EB58@tcs.com>
	(Ankush Vaid's message of "Sun, 17 May 2009 17:30:00 +0530")
References: <OF9B05F7B4.72694E8D-ON652575B5.0056E8C5-652575B5.0056E8DC@tcs.com>
	<4A0B9CD1.50000@gnutls.org> <871vqrhltg.fsf@mocca.josefsson.org>
	<OF4F3DFA71.E9883FBD-ON65256A4D.005138F3-652575B9.0041EB58@tcs.com>
Message-ID: <87r5ylazpz.fsf@mocca.josefsson.org>

Ankush Vaid <ankush.vaid at tcs.com> writes:

> Hi Nikos/Simon
>
> I have implemented disable padding function, but after that it also got 
> failed, I guess reason of failure is something else.
>
> I am sending the log details of the failure.
...
> C:\Program Files\GnuTLS-2.0.0\bin>gnutls-serv --http --port 7070 --debug 
> 10 --x5
> 09cafile cacert.pem --x509keyfile server-key.pem --x509certfile 
> server-cert.pem

I don't see any --priority NORMAL:%COMPAT parameter here?  Are you
developing a GnuTLS client too?

> |<4>| REC[ac33d8]: Received Packet[1] Alert(21) with length: 2
> |<7>| READ: Got 2 bytes from 20
> |<7>| READ: read 2 bytes from 20
> |<7>| 0000 - 02 28
> |<7>| RB: Have 5 bytes into buffer. Adding 2 bytes.
> |<7>| RB: Requested 7 bytes
> |<4>| REC[ac33d8]: Decrypted Packet[1] Alert(21) with length: 2
> |<4>| REC[ac33d8]: Alert[2|40] - Handshake failed - was received

This means the client refused to handshake with the gnutls-serv
instance.

What kind of error message do you get on the client side?  I think you
need to debug the client side to understand what the problem is.  Enable
debug logging on that side too.

/Simon




From ametzler at downhill.at.eu.org  Tue May 19 19:53:04 2009
From: ametzler at downhill.at.eu.org (Andreas Metzler)
Date: Tue, 19 May 2009 19:53:04 +0200
Subject: GnuTLS 2.7.11 - release candidate 3 of GnuTLS 2.8.0
In-Reply-To: <87eium17sc.fsf@mocca.josefsson.org>
References: <87eium17sc.fsf@mocca.josefsson.org>
Message-ID: <20090519175304.GB4547@downhill.g.la>

On 2009-05-18 Simon Josefsson <simon at josefsson.org> wrote:
> A few build problems has been fixed, but nothing critical has been
> reported, so we are on track to release 2.8.0 within a week or so.

> Please test this release as if it were the new stable release.
[...]

Hello,

is it just me, or does the crq_key_id test take ages? It seems to need
_huge_ amounts of entropy to successfully complete. Here on my local
workstation it takes about 30 seconds (with constant intentional mouse
movements, the fasted way to gather entropy) to complete.

This patch works for me:
--------------------------------------
--- gnutls-2.7.11.orig/tests/crq_key_id.c	2009-05-11 18:15:43.000000000 +0200
+++ gnutls-2.7.11/tests/crq_key_id.c	2009-05-19 19:44:58.000000000 +0200
@@ -55,6 +55,9 @@
 
   int ret;
 
+  /* initialize gcrypt explicitely */
+  gcry_check_version (NULL);
+
   gcry_control (GCRYCTL_ENABLE_QUICK_RANDOM, 0);
 
   ret = gnutls_global_init ();
--------------------------------------
cu andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'




From tgc at jupiterrise.com  Tue May 19 22:12:13 2009
From: tgc at jupiterrise.com (Tom G. Christensen)
Date: Tue, 19 May 2009 22:12:13 +0200
Subject: Buildreport for GnuTLS 2.7.11
Message-ID: <20090519201213.GA437@ares.tgcnet>

The new release builds and passes all tests on Solaris 2.6.

Unfortunately there's a few issues on IRIX 5.3 and 6.2.

First is a problem with the 'struct sockaddr_storage' replacement in the
gnulib sys_socket module:
libtool: compile:  gcc -DHAVE_CONFIG_H -I. -I.. -I./../gl -I./../gl
-I./../includes -I./../includes -I./.. -I./../minitasn1
-I/usr/tgcware/include -g -O2 -MT common.lo -MD -MP -MF .deps/common.Tpo
-c common.c  -DPIC -o .libs/common.o
In file included from ../gnutls_int.h:48,
                 from common.c:25:
		 ./../gl/sys/socket.h:61: error: expected
		 specifier-qualifier-list before 'sa_family_t'
		 make[4]: *** [common.lo] Error 1

The problem is that sa_family_t is not defined instead 'struct sockaddr'
uses unsigned short for sa_family.
I temporarily added a typedef to sys_socket.in.h to bypass this problem.

The second problem is that these older IRIX releases lack vsnprintf
(used in lib/gnutls_errors.c):
12000:/usr/people/tgc/buildpkg/gnutls/src/gnutls-2.7.11/src/.libs/certtool:
rld: Error: unresolvable symbol in
/usr/people/tgc/buildpkg/gnutls/src/gnutls-2.7.11/lib/.libs/libgnutls.so.27:
vsnprintf
12000:/usr/people/tgc/buildpkg/gnutls/src/gnutls-2.7.11/src/.libs/certtool:
rld: Fatal Error: this executable has unresolvable symbols

Thirdly I see variations on this warning repeatedly:
In file included from ../gnutls_int.h:29,
                 from opencdk.h:30,
                 from kbnode.c:31:
../config.h:357:1: warning: "SIZE_MAX" redefined
In file included from ./../gl/stdlib.h:52,
                 from kbnode.c:28:
./../gl/stdint.h:473:1: warning: this is the location of the previous definition

My guess is that config.h is unconditionally defining SIZE_MAX after the
definition in the stdint.h replacement has been activated.
Perhaps config.h should not define SIZE_MAX but leave it to stdint.h?

When linking libgnutls.so on IRIX 5.3 I also see this error from the
linker:
ld: ERROR 4: Conflicting flag setting: -exports_file

I'm not familiar with how this ld option should be used but apparently
libtool is doing it wrong. Also this option was not used on IRIX 6.2
which leads me to believe that some libtool test has guessed wrong.
I know this is probably not something you can fix in gnutls but it's here
for the record.

Logs are here:
http://jupiterrise.com/tmp

Beware that the log for IRIX 6.2 is a bit messy since it contains a few
restarts and whatnot.

-tgc




From simon at josefsson.org  Wed May 20 08:03:51 2009
From: simon at josefsson.org (Simon Josefsson)
Date: Wed, 20 May 2009 08:03:51 +0200
Subject: GnuTLS 2.7.11 - release candidate 3 of GnuTLS 2.8.0
In-Reply-To: <20090519175304.GB4547@downhill.g.la> (Andreas Metzler's message
	of "Tue, 19 May 2009 19:53:04 +0200")
References: <87eium17sc.fsf@mocca.josefsson.org>
	<20090519175304.GB4547@downhill.g.la>
Message-ID: <87bppo8g54.fsf@mocca.josefsson.org>

Andreas Metzler <ametzler at downhill.at.eu.org> writes:

> On 2009-05-18 Simon Josefsson <simon at josefsson.org> wrote:
>> A few build problems has been fixed, but nothing critical has been
>> reported, so we are on track to release 2.8.0 within a week or so.
>
>> Please test this release as if it were the new stable release.
> [...]
>
> Hello,
>
> is it just me, or does the crq_key_id test take ages? It seems to need
> _huge_ amounts of entropy to successfully complete. Here on my local
> workstation it takes about 30 seconds (with constant intentional mouse
> movements, the fasted way to gather entropy) to complete.
>
> This patch works for me:

Thanks, the patch seems to be the right thing, and it has been pushed.
The self-test generates RSA/DSA private keys, and the default is to use
/dev/random for this.

/Simon

> --------------------------------------
> --- gnutls-2.7.11.orig/tests/crq_key_id.c	2009-05-11 18:15:43.000000000 +0200
> +++ gnutls-2.7.11/tests/crq_key_id.c	2009-05-19 19:44:58.000000000 +0200
> @@ -55,6 +55,9 @@
>  
>    int ret;
>  
> +  /* initialize gcrypt explicitely */
> +  gcry_check_version (NULL);
> +
>    gcry_control (GCRYCTL_ENABLE_QUICK_RANDOM, 0);
>  
>    ret = gnutls_global_init ();
> --------------------------------------
> cu andreas




From simon at josefsson.org  Wed May 20 09:08:25 2009
From: simon at josefsson.org (Simon Josefsson)
Date: Wed, 20 May 2009 09:08:25 +0200
Subject: Buildreport for GnuTLS 2.7.11
In-Reply-To: <20090519201213.GA437@ares.tgcnet> (Tom G. Christensen's message
	of "Tue, 19 May 2009 22:12:13 +0200")
References: <20090519201213.GA437@ares.tgcnet>
Message-ID: <873ab0uu8m.fsf@mocca.josefsson.org>

"Tom G. Christensen" <tgc at jupiterrise.com> writes:

> The new release builds and passes all tests on Solaris 2.6.

Great!

> Unfortunately there's a few issues on IRIX 5.3 and 6.2.

Ouch.

> First is a problem with the 'struct sockaddr_storage' replacement in the
> gnulib sys_socket module:
> libtool: compile:  gcc -DHAVE_CONFIG_H -I. -I.. -I./../gl -I./../gl
> -I./../includes -I./../includes -I./.. -I./../minitasn1
> -I/usr/tgcware/include -g -O2 -MT common.lo -MD -MP -MF .deps/common.Tpo
> -c common.c  -DPIC -o .libs/common.o
> In file included from ../gnutls_int.h:48,
>                  from common.c:25:
> 		 ./../gl/sys/socket.h:61: error: expected
> 		 specifier-qualifier-list before 'sa_family_t'
> 		 make[4]: *** [common.lo] Error 1
>
> The problem is that sa_family_t is not defined instead 'struct sockaddr'
> uses unsigned short for sa_family.
> I temporarily added a typedef to sys_socket.in.h to bypass this problem.

Should be fixed in master now, please try a snapshot in a few hours.

> The second problem is that these older IRIX releases lack vsnprintf
> (used in lib/gnutls_errors.c):
> 12000:/usr/people/tgc/buildpkg/gnutls/src/gnutls-2.7.11/src/.libs/certtool:
> rld: Error: unresolvable symbol in
> /usr/people/tgc/buildpkg/gnutls/src/gnutls-2.7.11/lib/.libs/libgnutls.so.27:
> vsnprintf
> 12000:/usr/people/tgc/buildpkg/gnutls/src/gnutls-2.7.11/src/.libs/certtool:
> rld: Fatal Error: this executable has unresolvable symbols

Should be fixed as well, by adding the 'vsnprintf' module.

> Thirdly I see variations on this warning repeatedly:
> In file included from ../gnutls_int.h:29,
>                  from opencdk.h:30,
>                  from kbnode.c:31:
> ../config.h:357:1: warning: "SIZE_MAX" redefined
> In file included from ./../gl/stdlib.h:52,
>                  from kbnode.c:28:
> ./../gl/stdint.h:473:1: warning: this is the location of the previous definition
>
> My guess is that config.h is unconditionally defining SIZE_MAX after the
> definition in the stdint.h replacement has been activated.
> Perhaps config.h should not define SIZE_MAX but leave it to stdint.h?

I agree.  I've brought it up on the gnulib list.

> When linking libgnutls.so on IRIX 5.3 I also see this error from the
> linker:
> ld: ERROR 4: Conflicting flag setting: -exports_file
>
> I'm not familiar with how this ld option should be used but apparently
> libtool is doing it wrong. Also this option was not used on IRIX 6.2
> which leads me to believe that some libtool test has guessed wrong.
> I know this is probably not something you can fix in gnutls but it's here
> for the record.

Thanks for information.  It seems like a libtool problem, so it would be
useful to report it as such.  There is some discussion about
exported_symbol and exports_file in libtool.m4.

> Logs are here:
> http://jupiterrise.com/tmp

Thanks,
Simon




From simon at josefsson.org  Wed May 20 12:12:53 2009
From: simon at josefsson.org (Simon Josefsson)
Date: Wed, 20 May 2009 12:12:53 +0200
Subject: Libtasn2 2.2
Message-ID: <873ab0hyl6.fsf@mocca.josefsson.org>

Libtasn1 is a standalone library written in C for manipulating ASN.1
objects including DER/BER encoding and DER/BER decoding.  Libtasn1 is
used by GnuTLS to manipulate X.509 objects and by Shishi to handle
Kerberos V5 packets.

Version 2.2 (released 2009-05-20)
- Change how the ASN1_API decorator is used in libtasn1.h, for GTK-DOC.
- Changed license of libtasn1.pc from GPLv3+ to LGPLv2.1+.
  Reported by Jeff Cai <Jeff.Cai at Sun.COM>.
- Building with many warning flags now requires --enable-gcc-warnings.
- Some warnings fixed.

Commercial support contracts for Libtasn1 are available, and they help
finance continued maintenance.  Simon Josefsson Datakonsult AB, a
Stockholm based privately held company, is currently funding Libtasn1
maintenance.  We are always looking for interesting development
projects.  See http://josefsson.org/ for more details.

If you need help to use Libtasn1, or want to help others, you are
invited to join the help-gnutls mailing list, see:
<http://lists.gnu.org/mailman/listinfo/help-gnutls>.

Homepage:
  http://josefsson.org/libtasn1/

Here are the compressed sources (1.6MB):
  ftp://ftp.gnu.org/gnu/gnutls/libtasn1-2.2.tar.gz
  http://ftp.gnu.org/gnu/gnutls/libtasn1-2.2.tar.gz

Here are GPG detached signatures using key 0xB565716F:
  ftp://ftp.gnu.org/gnu/gnutls/libtasn1-2.2.tar.gz.sig
  http://ftp.gnu.org/gnu/gnutls/libtasn1-2.2.tar.gz.sig

A ZIP archive containing the Windows binaries (284KB):
  http://josefsson.org/gnutls4win/libtasn1-2.2.zip
  http://josefsson.org/gnutls4win/libtasn1-2.2.zip.sig

A Debian mingw32 package is also available (256KB):
  http://josefsson.org/gnutls4win/mingw32-libtasn1_2.2-1_all.deb

The software is cryptographically signed by the author using an
OpenPGP key identified by the following information:

pub   1280R/B565716F 2002-05-05 [expires: 2010-04-21]
      Key fingerprint = 0424 D4EE 81A0 E3D1 19C6  F835 EDA2 1E94 B565 716F
uid                  Simon Josefsson <simon at josefsson.org>
uid                  Simon Josefsson <jas at extundo.com>
sub   1280R/4D5D40AE 2002-05-05 [expires: 2010-04-21]

The key is available from:
  http://josefsson.org/key.txt
  dns:b565716f.josefsson.org?TYPE=CERT

Here are the SHA-1 and SHA-224 checksums:

d6e0d449cf2da04c93f498d2cf4415f572611b46  libtasn1-2.2.tar.gz

312f9db820bab1203032215c99f44c038381c940952e92cafef23aca  libtasn1-2.2.tar.gz

fb176e35da39d8c767aa881512dc07aac35b7d35  libtasn1-2.2.zip

a30bbdbca8bd4efffbd43b1d1bfcde4b3c891080e4010fafe66f061f  libtasn1-2.2.zip

b73cee7d754fec2451b208bb17a383da95b4b1b0  mingw32-libtasn1_2.2-1_all.deb

2ea355177983beb522423b983c4105e933ede1822e05130352b18a75  mingw32-libtasn1_2.2-1_all.deb

Happy hacking,
Simon
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 419 bytes
Desc: not available
URL: </pipermail/attachments/20090520/2dc8e8f2/attachment.pgp>

From simon at josefsson.org  Wed May 20 13:15:23 2009
From: simon at josefsson.org (Simon Josefsson)
Date: Wed, 20 May 2009 13:15:23 +0200
Subject: GnuTLS 2.7.12 - release candidate 4 of GnuTLS 2.8.0
Message-ID: <87r5ykgh4k.fsf@mocca.josefsson.org>

This makes gnutls-serv and gnutls-cli-debug work on Windows, and fixes
some other minor things.  We are on track to release this as 2.8.0
within a week or so.  I'll be away on vacation in Budapest until Monday,
so don't expect any quick replies.  Use the time to test the RC!  :)

Please test this release as if it were the new stable release!

Here are the compressed sources:
  http://alpha.gnu.org/gnu/gnutls/gnutls-2.7.12.tar.bz2 (6.0MB)
  ftp://alpha.gnu.org/gnu/gnutls/gnutls-2.7.12.tar.bz2

Here is the OpenPGP signature:
  http://alpha.gnu.org/gnu/gnutls/gnutls-2.7.12.tar.bz2.sig
  ftp://alpha.gnu.org/gnu/gnutls/gnutls-2.7.12.tar.bz2.sig

The Windows binary installer and PGP signature:
  http://josefsson.org/gnutls4win/gnutls-2.7.12.exe (15MB)
  http://josefsson.org/gnutls4win/gnutls-2.7.12.exe.sig

A ZIP archive containing the Windows binaries:
  http://josefsson.org/gnutls4win/gnutls-2.7.12.zip (5.3MB)
  http://josefsson.org/gnutls4win/gnutls-2.7.12.zip.sig

A Debian mingw32 package is also available:
  http://josefsson.org/gnutls4win/mingw32-gnutls_2.7.12-1_all.deb (4.8MB)

Improving GnuTLS is costly, but you can help!  We are looking for
organizations that find GnuTLS useful and wish to contribute back.  You
can contribute by reporting bugs, improve the software, or donate money
or equipment.

Commercial support contracts for GnuTLS are available, and they help
finance continued maintenance.  Simon Josefsson Datakonsult AB, a
Stockholm based privately held company, is currently funding GnuTLS
maintenance.  We are always looking for interesting development
projects.  See http://josefsson.org/ for more details.

/Simon

* Version 2.7.12 (released 2009-05-20)

** gnutls-serv, gnutls-cli-debug: Make them work on Windows.

** tests/crq_key_id: Don't read entropy from /dev/random in self-test.
Reported by Andreas Metzler <ametzler at downhill.at.eu.org> in
<http://permalink.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3570>.

** Fix build failures.
Missing sa_family_t and vsnprintf on IRIX.  Reported by "Tom
G. Christensen" <tgc at jupiterrise.com> in
<http://permalink.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3571>.

** minitasn1: Internal copy updated to libtasn1 v2.2.
GnuTLS should work fine with libtasn1 v1.x and that is still
supported.

** API and ABI modifications:
No changes since last version.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 419 bytes
Desc: not available
URL: </pipermail/attachments/20090520/237455f2/attachment.pgp>

From ametzler at downhill.at.eu.org  Wed May 20 21:28:51 2009
From: ametzler at downhill.at.eu.org (Andreas Metzler)
Date: Wed, 20 May 2009 21:28:51 +0200
Subject: Enhanced symbol versioning in 2.7.x
Message-ID: <20090520192851.GA4298@downhill.g.la>

Hello,

with 2.7.x you seem to have started to use a different symbol
versioning for newly added symbols (since 2.6.x). Well, at least that
is my understanding. ;-) I am not sure abut the point, is this for
RedHats automatically versioned library dependencies?

Anyway, I think this patch should be applied,
gnutls_x509_crq_set_key is already present in 2.6.6, versioning it
@GNUTLS_2_8 would break the ABI, afaik.

--- libgnutls.map.orig  2009-05-20 20:53:15.000000000 +0200
+++ libgnutls.map       2009-05-20 20:54:14.000000000 +0200
@@ -414,6 +414,7 @@
     gnutls_x509_crq_set_basic_constraints;
     gnutls_x509_crq_set_challenge_password;
     gnutls_x509_crq_set_dn_by_oid;
+    gnutls_x509_crq_set_key;
     gnutls_x509_crq_set_key_rsa_raw;
     gnutls_x509_crq_set_key_usage;
     gnutls_x509_crq_set_version;
@@ -564,7 +565,6 @@
     gnutls_x509_crq_get_subject_alt_othername_oid;
     gnutls_x509_crq_get_extension_by_oid;
     gnutls_x509_crq_set_subject_alt_name;
-    gnutls_x509_crq_set_key;
     gnutls_x509_crq_get_key_purpose_oid;
     gnutls_x509_crq_set_key_purpose_oid;
     gnutls_x509_crq_print;

I assume that if there was a soname bump we would change from
--------------
GNUTLS_1_4
{
...
};

GNUTLS_2_8
{
...
} GNUTLS_1_4;

GNUTLS_PRIVATE {
};
--------------

to 

--------------
GNUTLS_2_10
{
[symbols listed previously in GNUTLS_1_4 or GNUTLS_2_8 go here]
};


GNUTLS_PRIVATE_2_10 {
[symbols listed previously in GNUTLS_PRIVATE go here]
};
--------------
Am I correct?

cu andreas

 
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'




From tgc at jupiterrise.com  Wed May 20 23:27:25 2009
From: tgc at jupiterrise.com (Tom G. Christensen)
Date: Wed, 20 May 2009 23:27:25 +0200
Subject: Buildreport for GnuTLS 2.7.11
In-Reply-To: <873ab0uu8m.fsf@mocca.josefsson.org>
References: <20090519201213.GA437@ares.tgcnet>
	<873ab0uu8m.fsf@mocca.josefsson.org>
Message-ID: <20090520212725.GA15931@ares.tgcnet>

On Wed, May 20, 2009 at 09:08:25AM +0200, Simon Josefsson wrote:
> "Tom G. Christensen" <tgc at jupiterrise.com> writes:
<snip>

Latest snapshot builds and passes the testsuite on IRIX 6.2 and I assume
IRIX 5.3 if can I figure out the libtool problem.

-tgc




From ametzler at downhill.at.eu.org  Thu May 21 11:17:46 2009
From: ametzler at downhill.at.eu.org (Andreas Metzler)
Date: Thu, 21 May 2009 11:17:46 +0200
Subject: Enhanced symbol versioning in 2.7.x
In-Reply-To: <20090520192851.GA4298@downhill.g.la>
References: <20090520192851.GA4298@downhill.g.la>
Message-ID: <20090521091746.GB3443@downhill.g.la>

On 2009-05-20 Andreas Metzler <ametzler at downhill.at.eu.org> wrote:
> with 2.7.x you seem to have started to use a different symbol
> versioning for newly added symbols (since 2.6.x). Well, at least that
> is my understanding. ;-) I am not sure abut the point, is this for
> RedHats automatically versioned library dependencies?

> Anyway, I think this patch should be applied,
> gnutls_x509_crq_set_key is already present in 2.6.6, versioning it
> @GNUTLS_2_8 would break the ABI, afaik.
[...]

On a sidenote gnutls_x509_crq_set_basic_constraints and
gnutls_x509_crq_set_key_usage are new in 2.7.x. If my understanding
were correct they should be versioned @GNUTLS_2_8 instead of
@GNUTLS_1_4.
cu andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'




From ankush.vaid at tcs.com  Wed May 20 06:43:17 2009
From: ankush.vaid at tcs.com (Ankush Vaid)
Date: Wed, 20 May 2009 10:13:17 +0530
Subject: About gnutls windows handshake problem
In-Reply-To: <87r5ylazpz.fsf@mocca.josefsson.org>
References: <OF9B05F7B4.72694E8D-ON652575B5.0056E8C5-652575B5.0056E8DC@tcs.com>	<4A0B9CD1.50000@gnutls.org>
	<871vqrhltg.fsf@mocca.josefsson.org>
	<OF4F3DFA71.E9883FBD-ON65256A4D.005138F3-652575B9.0041EB58@tcs.com>
	<87r5ylazpz.fsf@mocca.josefsson.org>
Message-ID: <OF23B51D67.DB149CFF-ON652575BC.00196DEF-652575BC.0019F01C@tcs.com>

Hi Simon,

Thanks for the info.

I am developing gnutls client.

I have used gnutls_record_disable_padding function to disbale padding and 
log I have sent to you.  later I have used 
gnutls_priority_set_direct(session, "NORMAL:%COMPAT", NULL); function but 
got the same result.

I will debug client side (UE) by using some diagnostic tool and come back 
to you with useful information.
 
Regards
Ankush Vaid




Simon Josefsson <simon at josefsson.org> 
05/19/2009 08:48 PM

To
Ankush Vaid <ankush.vaid at tcs.com>
cc
Gnutls-dev at gnupg.org
Subject
Re: About gnutls windows handshake problem






Ankush Vaid <ankush.vaid at tcs.com> writes:

> Hi Nikos/Simon
>
> I have implemented disable padding function, but after that it also got 
> failed, I guess reason of failure is something else.
>
> I am sending the log details of the failure.
...
> C:\Program Files\GnuTLS-2.0.0\bin>gnutls-serv --http --port 7070 --debug 

> 10 --x5
> 09cafile cacert.pem --x509keyfile server-key.pem --x509certfile 
> server-cert.pem

I don't see any --priority NORMAL:%COMPAT parameter here?  Are you
developing a GnI am 
> |<4>| REC[ac33d8]: Received Packet[1] Alert(21) with length: 2
> |<7>| READ: Got 2 bytes from 20
> |<7>| READ: read 2 bytes from 20
> |<7>| 0000 - 02 28
> |<7>| RB: Have 5 bytes into buffer. Adding 2 bytes.
> |<7>| RB: Requested 7 bytes
> |<4>| REC[ac33d8]: Decrypted Packet[1] Alert(21) with length: 2
> |<4>| REC[ac33d8]: Alert[2|40] - Handshake failed - was received

This means the client refused to handshake with the gnutls-serv
instance.

What kind of error message do you get on the client side?  I think you
need to debug the client side to understand what the problem is.  Enable
debug logging on that side too.

/Simon

ForwardSourceID:NT0000424E 
=====-----=====-----=====
Notice: The information contained in this e-mail
message and/or attachments to it may contain 
confidential or privileged information. If you are 
not the intended recipient, any dissemination, use, 
review, distribution, printing or copying of the 
information contained in this e-mail message 
and/or attachments to it are strictly prohibited. If 
you have received this communication in error, 
please notify us by reply e-mail or telephone and 
immediately and permanently delete the message 
and any attachments. Thank you


-------------- next part --------------
An HTML attachment was scrubbed...
URL: </pipermail/attachments/20090520/7d843ee1/attachment.htm>

From ametzler at downhill.at.eu.org  Sat May 23 13:50:37 2009
From: ametzler at downhill.at.eu.org (Andreas Metzler)
Date: Sat, 23 May 2009 13:50:37 +0200
Subject: 2.7.12 test suite error on chainverify
Message-ID: <20090523115037.GJ3498@downhill.g.la>

Hello,

The chainverify test does not complete successfully anymore. 

This is rather strange, it worked two days ago (on the 21st).

Strange data points:
 * This is not limited to my local system.
 * Neither build-depencies nor toolchain (gcc, g++, binutils) nor
   kernel has changed.
 * I still had the build tree of 2.7.11 including all binaries from
   2009-05-19. If I run this old chainverify binary I still get the
   error.
 * It fails both on up to date Debian sid and Debian lenny.

The only thing I can think of that has changed for sure is the date.
Hmm. Is this the cause?

Chain 'v1ca ok' (15)...
   Adding certificate 0...done
   Certificate 0: subject `C=US,ST=Illinois,L=Du Page,O=Argonne
   National Laboratory,CN=auth2.it.anl.gov', issuer `C=US,O=VeriSign\,
   Inc.,OU=VeriSign Trust Network,OU=Terms of use at
   https://www.verisign.com/rpa (c)05,CN=VeriSign Class 3 Secure Server
   CA', RSA key 1024 bits, signed using RSA-SHA, activated `2008-05-05
   00:00:00 UTC', expires `2009-05-22 23:59:59 UTC', SHA-1 fingerprint
                           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^

cu andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
-------------- next part --------------
A non-text attachment was scrubbed...
Name: success.gz
Type: application/octet-stream
Size: 2908 bytes
Desc: not available
URL: </pipermail/attachments/20090523/6fc5fc02/attachment.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: error.gz
Type: application/octet-stream
Size: 2925 bytes
Desc: not available
URL: </pipermail/attachments/20090523/6fc5fc02/attachment-0001.obj>

From dg at ulysium.net  Sat May 23 22:01:39 2009
From: dg at ulysium.net (Didier Godefroy)
Date: Sat, 23 May 2009 22:01:39 +0200
Subject: libtasn1 compile issue in ANS1.c
Message-ID: <C63E22C3.225DA%dg@ulysium.net>

Hello,

Trying to compile the stand alone libtans1 on a tru64 5.1b system.
I get errors in lib/ASN1.c on the TRUE and FALSE enumerators:

source='ASN1.c' object='ASN1.lo' libtool=yes \
    DEPDIR=.deps depmode=tru64 /bin/bash ../build-aux/depcomp \
    /bin/bash ../libtool --tag=CC   --mode=compile cc -DHAVE_CONFIG_H -I.
-I..  -I./gllib -DASN1_BUILDING -pthread -I/usr/local/include    -O4 -g3 -w
-c -o ASN1.lo ASN1.c
libtool: compile:  cc -DHAVE_CONFIG_H -I. -I.. -I./gllib -DASN1_BUILDING
-pthread -I/usr/local/include -O4 -g3 -w -c -MD ASN1.c  -DPIC -o
.libs/ASN1.o
cc: Error: ASN1.c, line 153: Invalid enumerator. (badenum)
     TRUE = 277,
-----^
cc: Error: ASN1.c, line 154: Invalid enumerator. (badenum)
     FALSE = 278,
-----^

They look to me to be the same as all the others, but only TRUE and FALSE
are causing the error.
I haven't found any hints on possible fixes and the latest daily snapshot
doesn't fix that either.

I'm using the tru64 native compiler and I only use the configure flags as
follows:

--prefix=/usr/local
--enable-gtk-doc-html=no

I'm not a C programmer and I couldn't find a fix for this...


Thanks,


-- 
Didier Godefroy
mailto:dg at ulysium.net
Support anti-Spam legislation.
Join the fight http://www.cauce.org/






From trixter at 0xdecafbad.com  Sun May 24 12:47:57 2009
From: trixter at 0xdecafbad.com (Trixter aka Bret McDanel)
Date: Sun, 24 May 2009 03:47:57 -0700
Subject: tls iwthout sockets
Message-ID: <1243162077.6071.263.camel@trixeee>

I have a quirky app that while connection based is not tcp based.  I am
looking for some way to use tls (or something comparable in terms of
peer review, security, etc) for authentication of both ends of the
connection.

Is there an example of how to use gnutls without it managing the socket?

Is there something better than TLS for authentication (may be anonymous
or certificate based) given the fact that it wont be over a tcp link?

Thanks

-- 
Trixter http://www.0xdecafbad.com     Bret McDanel
pgp key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x8AE5C721






From nmav at gnutls.org  Sun May 24 19:41:11 2009
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Sun, 24 May 2009 20:41:11 +0300
Subject: libtasn1 compile issue in ANS1.c
In-Reply-To: <C63E22C3.225DA%dg@ulysium.net>
References: <C63E22C3.225DA%dg@ulysium.net>
Message-ID: <4A1986B7.7090908@gnutls.org>

Didier Godefroy wrote:
> Hello,
> 
> Trying to compile the stand alone libtans1 on a tru64 5.1b system.
> I get errors in lib/ASN1.c on the TRUE and FALSE enumerators:
> 
> source='ASN1.c' object='ASN1.lo' libtool=yes \
>     DEPDIR=.deps depmode=tru64 /bin/bash ../build-aux/depcomp \
>     /bin/bash ../libtool --tag=CC   --mode=compile cc -DHAVE_CONFIG_H -I.
> -I..  -I./gllib -DASN1_BUILDING -pthread -I/usr/local/include    -O4 -g3 -w
> -c -o ASN1.lo ASN1.c
> libtool: compile:  cc -DHAVE_CONFIG_H -I. -I.. -I./gllib -DASN1_BUILDING
> -pthread -I/usr/local/include -O4 -g3 -w -c -MD ASN1.c  -DPIC -o
> .libs/ASN1.o
> cc: Error: ASN1.c, line 153: Invalid enumerator. (badenum)
>      TRUE = 277,
> -----^
> cc: Error: ASN1.c, line 154: Invalid enumerator. (badenum)
>      FALSE = 278,
> -----^
> 
> They look to me to be the same as all the others, but only TRUE and FALSE
> are causing the error.
> I haven't found any hints on possible fixes and the latest daily snapshot
> doesn't fix that either.

maybe TRUE and FALSE are reserved in this compiler. If you replace them
with ASN1_TRUE and ASN1_FALSE the compiler complains?

regards,
Nikos




From nmav at gnutls.org  Sun May 24 19:43:38 2009
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Sun, 24 May 2009 20:43:38 +0300
Subject: tls iwthout sockets
In-Reply-To: <1243162077.6071.263.camel@trixeee>
References: <1243162077.6071.263.camel@trixeee>
Message-ID: <4A19874A.4090100@gnutls.org>

Trixter aka Bret McDanel wrote:
> I have a quirky app that while connection based is not tcp based.  I am
> looking for some way to use tls (or something comparable in terms of
> peer review, security, etc) for authentication of both ends of the
> connection.
> 
> Is there an example of how to use gnutls without it managing the socket?

Yes, you can set hooks to replace the push and pull functions. Check
gnutls_transport_set_push_function and
gnutls_transport_set_pull_function. As long as the underlying layer is
reliable it would work.

> Is there something better than TLS for authentication (may be anonymous
> or certificate based) given the fact that it wont be over a tcp link?

TLS is not for TCP connections only. Anyway if it is not for a reliable
transport you should check DTLS as well (not implemented in gnutls).

regards,
Nikos




From simon at josefsson.org  Mon May 25 10:07:55 2009
From: simon at josefsson.org (Simon Josefsson)
Date: Mon, 25 May 2009 10:07:55 +0200
Subject: tls iwthout sockets
In-Reply-To: <1243162077.6071.263.camel@trixeee> (Trixter aka Bret McDanel's
	message of "Sun, 24 May 2009 03:47:57 -0700")
References: <1243162077.6071.263.camel@trixeee>
Message-ID: <871vqdbo6c.fsf@mocca.josefsson.org>

Trixter aka Bret McDanel <trixter at 0xdecafbad.com> writes:

> I have a quirky app that while connection based is not tcp based.  I am
> looking for some way to use tls (or something comparable in terms of
> peer review, security, etc) for authentication of both ends of the
> connection.
>
> Is there an example of how to use gnutls without it managing the socket?

Nikos answered, but I just wanted to add that you can see the mini.c for
an example how to write a GnuTLS application with both client and server
code in it without any sockets:

http://git.savannah.gnu.org/cgit/gnutls.git/tree/tests/mini.c

> Is there something better than TLS for authentication (may be anonymous
> or certificate based) given the fact that it wont be over a tcp link?

There is IPSEC but it seems TLS is better here.  You could also consider
stored security formats like OpenPGP or S/MIME.

/Simon




From simon at josefsson.org  Mon May 25 10:11:10 2009
From: simon at josefsson.org (Simon Josefsson)
Date: Mon, 25 May 2009 10:11:10 +0200
Subject: About gnutls windows handshake problem
In-Reply-To: <OF23B51D67.DB149CFF-ON652575BC.00196DEF-652575BC.0019F01C@tcs.com>
	(Ankush Vaid's message of "Wed, 20 May 2009 10:13:17 +0530")
References: <OF9B05F7B4.72694E8D-ON652575B5.0056E8C5-652575B5.0056E8DC@tcs.com>
	<4A0B9CD1.50000@gnutls.org> <871vqrhltg.fsf@mocca.josefsson.org>
	<OF4F3DFA71.E9883FBD-ON65256A4D.005138F3-652575B9.0041EB58@tcs.com>
	<87r5ylazpz.fsf@mocca.josefsson.org>
	<OF23B51D67.DB149CFF-ON652575BC.00196DEF-652575BC.0019F01C@tcs.com>
Message-ID: <87ws85a9gh.fsf@mocca.josefsson.org>

Ankush Vaid <ankush.vaid at tcs.com> writes:

> Hi Simon,
>
> Thanks for the info.
>
> I am developing gnutls client.
>
> I have used gnutls_record_disable_padding function to disbale padding and 
> log I have sent to you.  later I have used 
> gnutls_priority_set_direct(session, "NORMAL:%COMPAT", NULL); function but 
> got the same result.

There must be some other problem.  You only need to disable MAC padding
when talking to buggy TLS implementations (e.g., Symbian's).  When both
the client and server uses GnuTLS, it is never needed.

> I will debug client side (UE) by using some diagnostic tool and come back 
> to you with useful information.

Thanks.

/Simon




From simon at josefsson.org  Mon May 25 10:05:27 2009
From: simon at josefsson.org (Simon Josefsson)
Date: Mon, 25 May 2009 10:05:27 +0200
Subject: 2.7.12 test suite error on chainverify
In-Reply-To: <20090523115037.GJ3498@downhill.g.la> (Andreas Metzler's message
	of "Sat, 23 May 2009 13:50:37 +0200")
References: <20090523115037.GJ3498@downhill.g.la>
Message-ID: <8763fpboag.fsf@mocca.josefsson.org>

Andreas Metzler <ametzler at downhill.at.eu.org> writes:

> Hello,
>
> The chainverify test does not complete successfully anymore. 
>
> This is rather strange, it worked two days ago (on the 21st).
>
> Strange data points:
>  * This is not limited to my local system.
>  * Neither build-depencies nor toolchain (gcc, g++, binutils) nor
>    kernel has changed.
>  * I still had the build tree of 2.7.11 including all binaries from
>    2009-05-19. If I run this old chainverify binary I still get the
>    error.
>  * It fails both on up to date Debian sid and Debian lenny.
>
> The only thing I can think of that has changed for sure is the date.
> Hmm. Is this the cause?
>
> Chain 'v1ca ok' (15)...
>    Adding certificate 0...done
>    Certificate 0: subject `C=US,ST=Illinois,L=Du Page,O=Argonne
>    National Laboratory,CN=auth2.it.anl.gov', issuer `C=US,O=VeriSign\,
>    Inc.,OU=VeriSign Trust Network,OU=Terms of use at
>    https://www.verisign.com/rpa (c)05,CN=VeriSign Class 3 Secure Server
>    CA', RSA key 1024 bits, signed using RSA-SHA, activated `2008-05-05
>    00:00:00 UTC', expires `2009-05-22 23:59:59 UTC', SHA-1 fingerprint
>                            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Indeed, that certificate just expired.  I have split the test into two,
one that should fail due to an expired certificate, and one with a flag
to disable activation time checks that should succeed.  There was
another similar one too.

Thanks,
/Simon




From simon at josefsson.org  Mon May 25 10:27:25 2009
From: simon at josefsson.org (Simon Josefsson)
Date: Mon, 25 May 2009 10:27:25 +0200
Subject: Enhanced symbol versioning in 2.7.x
In-Reply-To: <20090520192851.GA4298@downhill.g.la> (Andreas Metzler's message
	of "Wed, 20 May 2009 21:28:51 +0200")
References: <20090520192851.GA4298@downhill.g.la>
Message-ID: <87skita8pe.fsf@mocca.josefsson.org>

Andreas Metzler <ametzler at downhill.at.eu.org> writes:

> Hello,
>
> with 2.7.x you seem to have started to use a different symbol
> versioning for newly added symbols (since 2.6.x). Well, at least that
> is my understanding. ;-) I am not sure abut the point, is this for
> RedHats automatically versioned library dependencies?

It helps to track ABI versioning, and can be useful even in Debian:
http://wiki.debian.org/Projects/ImprovedDpkgShlibdeps

> Anyway, I think this patch should be applied,
> gnutls_x509_crq_set_key is already present in 2.6.6, versioning it
> @GNUTLS_2_8 would break the ABI, afaik.

Thanks!

I'm going to build the latest gnutls 2.6.x release and compare the
exported symbols with what's in the file now, it would be bad if
mistakes like this made it into the 2.8.0 release.

> I assume that if there was a soname bump we would change from
> --------------
> GNUTLS_1_4
> {
> ...
> };
>
> GNUTLS_2_8
> {
> ...
> } GNUTLS_1_4;
>
> GNUTLS_PRIVATE {
> };
> --------------
>
> to 
>
> --------------
> GNUTLS_2_10
> {
> [symbols listed previously in GNUTLS_1_4 or GNUTLS_2_8 go here]
> };
>
>
> GNUTLS_PRIVATE_2_10 {
> [symbols listed previously in GNUTLS_PRIVATE go here]
> };
> --------------
> Am I correct?

That's not required, but I don't see how it would hurt from a technical
point of view.

I don't see any advantage in that, though, because having the old
version names even in the new soname bump can be informative.

On the other hand, the current name GNUTLS_1_4 is confusing because even
symbols added up until GnuTLS 2.6 is included under that label.

So if we do a soname bump at some point maybe we could rename GNUTLS_1_4
to GNUTLS_LEGACY or similar.  But it doesn't really matter, since the
symbol names are only for human interpretation.

> On a sidenote gnutls_x509_crq_set_basic_constraints and
> gnutls_x509_crq_set_key_usage are new in 2.7.x. If my understanding
> were correct they should be versioned @GNUTLS_2_8 instead of
> @GNUTLS_1_4.

Also fixed.  Thanks.

/Simon




From simon at josefsson.org  Mon May 25 12:00:42 2009
From: simon at josefsson.org (Simon Josefsson)
Date: Mon, 25 May 2009 12:00:42 +0200
Subject: draft release announcement text
In-Reply-To: <87ab5fhqjo.fsf@mocca.josefsson.org> (Simon Josefsson's message
	of "Thu, 14 May 2009 13:28:27 +0200")
References: <87ab5fhqjo.fsf@mocca.josefsson.org>
Message-ID: <87skit8pth.fsf@mocca.josefsson.org>

Updated release notes below, in particular the API/ABI section has been
improved.

/Simon

We are proud to announce a new stable GnuTLS release: Version 2.8.0.

GnuTLS is a modern C library that implements the standard network
security protocol Transport Layer Security (TLS), for use by network
applications.  GnuTLS is developed for GNU/Linux, but works on many
Unix-like systems and comes with a binary installer for Windows.

The GnuTLS library is distributed under the terms of the GNU Lesser
General Public License version 2.1 (or later).  The "extra" GnuTLS
library (which contains TLS/IA support, LZO compression and Libgcrypt
FIPS-mode handler), the OpenSSL compatibility library, the self tests
and the command line tools are all distributed under the GNU General
Public License version 3.0 (or later).  The manual is distributed
under the GNU Free Documentation License version 1.3 (or later).

The project page of the library is available at:
  http://www.gnu.org/software/gnutls/

What's New
==========

Version 2.8.0 is the first stable release on the 2.8.x branch and is
the result of 7 months of work on the experimental 2.7.x branch.

** lib: Linker version scripts reduces number of exported symbols.
The linker version script now lists all exported ABIs explicitly, to
avoid accidentally exporting unintended functions.  Compared to
before, most symbols beginning with _gnutls* are no longer exported.
These functions have never been intended for use by applications, and
there were no prototypes for these function in the public header
files.  Thus we believe it is possible to do this without incrementing
the library ABI version which normally has to be done when removing an
interface.

** lib: Limit exported symbols on systems without LD linker scripts.
Before all symbols were exported.  Now we limit the exported symbols
to (for libgnutls and libgnutls-extra) gnutls* and (for libgnutls)
_gnutls*.  This is a superset of the actual supported ABI, but still
an improvement compared to before.  This is implemented using Libtool
-export-symbols-regex.  It is more portable than linker version
scripts.

** libgnutls: Fix namespace issue with version symbols.
The symbols LIBGNUTLS_VERSION, LIBGNUTLS_VERSION_MAJOR,
LIBGNUTLS_VERSION_MINOR, LIBGNUTLS_VERSION_PATCH, and
LIBGNUTLS_VERSION_NUMBER were renamed to GNUTLS_VERSION_NUMBER,
GNUTLS_VERSION_MAJOR, GNUTLS_VERSION_MINOR, GNUTLS_VERSION_PATCH, and
GNUTLS_VERSION_NUMBER respectively.  The old symbols will continue to
work but are deprecated.

** libgnutls: Add functions to verify a hash against a certificate.
gnutls_x509_crt_verify_hash: ADDED
gnutls_x509_crt_get_verify_algorithm: ADDED

** gnutls-serv: Listen on all interfaces, including both IPv4 and IPv6.

** i18n: The GnuTLS gettext domain is now 'libgnutls' instead of 'gnutls'.
It is currently only used by the core library.  This will enable a new
domain 'gnutls' for translations of the command line tools.

** certtool: Query for multiple dnsName subjectAltName in interactive mode.
This applies both to generating certificates and certificate requests.

** gnutls-cli: No longer accepts V1 CAs by default during X.509 chain verify.
Use --priority NORMAL:%VERIFY_ALLOW_X509_V1_CA_CRT to permit V1 CAs to
be used for chain verification.

** gnutls-serv: No longer disable MAC padding by default.
Use --priority NORMAL:%COMPAT to disable MAC padding again.

** gnutls-cli: Certificate information output format changed.
The tool now uses libgnutls' functions to print certificate
information.  This avoids code duplication.

** libgnutls: New priority strings %VERIFY_ALLOW_SIGN_RSA_MD5
** and %VERIFY_ALLOW_X509_V1_CA_CRT.
They can be used to override the default certificate chain validation
behaviour.

** libgnutls: gnutls_x509_crt_print prints signature algorithm in oneline mode.

** libgnutls: gnutls_openpgp_crt_print supports oneline mode.

** libgnutls: gnutls_handshake when sending client hello during a
rehandshake, will not offer a version number larger than the current.

** libgnutls: New interface to get key id for certificate requests.
gnutls_x509_crq_get_key_id: ADDED.

** libgnutls: gnutls_x509_crq_print will now also print public key id.

** certtool: --verify-chain now prints results of using library verification.
Earlier, certtool --verify-chain used its own validation algorithm
which wasn't guaranteed to give the same result as the libgnutls
internal validation algorithm.  Now this command print a new final
line with header 'Chain verification output:' that contains the result
from using the internal verification algorithm on the same chain.

** libgnutls: Libgcrypt initialization changed.
If libgcrypt has not already been initialized, GnuTLS will now
initialize libgcrypt with disabled secure memory.  Initialize
libgcrypt explicitly in your application if you want to enable secure
memory.  Before GnuTLS initialized libgcrypt to use GnuTLS's memory
allocation functions, which doesn't use secure memory, so there is no
real change in behaviour.

** libgnutls: Small byte reads via gnutls_record_recv() optimized.

** gnutls-cli: Return non-zero exit code on error conditions.

** gnutls-cli: Corrected bug which caused a rehandshake request to be ignored.

** certtool: allow setting arbitrary key purpose object identifiers.

** libgnutls: Change detection of when to use a linker version script.
Use --enable-ld-version-script or --disable-ld-version-script to
override auto-detection logic.

** Fix warnings and build GnuTLS with more warnings enabled.

** New API to set X.509 credentials from PKCS#12 memory structure.
gnutls_certificate_set_x509_simple_pkcs12_mem: ADDED

** Old libgnutls.m4 and libgnutls-config scripts removed.
Please use pkg-config instead.

** libgnutls: Added functions to handle CRL extensions.
gnutls_x509_crl_get_authority_key_id: ADDED
gnutls_x509_crl_get_number: ADDED
gnutls_x509_crl_get_extension_oid: ADDED
gnutls_x509_crl_get_extension_info: ADDED
gnutls_x509_crl_get_extension_data: ADDED
gnutls_x509_crl_set_authority_key_id: ADDED
gnutls_x509_crl_set_number: ADDED

** libgnutls: Added functions to handle X.509 extensions in Certificate
Requests.
gnutls_x509_crq_get_key_rsa_raw: ADDED
gnutls_x509_crq_get_attribute_info: ADDED
gnutls_x509_crq_get_attribute_data: ADDED
gnutls_x509_crq_get_extension_info: ADDED
gnutls_x509_crq_get_extension_data: ADDED
gnutls_x509_crq_get_key_usage: ADDED
gnutls_x509_crq_get_basic_constraints: ADDED
gnutls_x509_crq_get_subject_alt_name: ADDED
gnutls_x509_crq_get_subject_alt_othername_oid: ADDED
gnutls_x509_crq_get_extension_by_oid: ADDED
gnutls_x509_crq_set_subject_alt_name: ADDED
gnutls_x509_crq_set_basic_constraints: ADDED
gnutls_x509_crq_set_key_usage: ADDED
gnutls_x509_crq_get_key_purpose_oid: ADDED
gnutls_x509_crq_set_key_purpose_oid: ADDED
gnutls_x509_crq_print: ADDED
gnutls_x509_crt_set_crq_extensions: ADDED

** certtool: Print and set CRL and CRQ extensions.

** minitasn1: Internal copy updated to libtasn1 v2.1.
GnuTLS should work fine with libtasn1 v1.x and that is still
supported.

** examples: Now released into the public domain.
This makes the license of the example code compatible with more
licenses, including the (L)GPL.

** The Texinfo and GTK-DOC manuals were improved.

** Several self-tests were added and others improved.

API/ABI changes in GnuTLS 2.8
=============================

No offically supported interfaces have been modified or removed.  The
library should be completely backwards compatible on both the source
and binary level.

The shared library no longer exports some symbols that have never been
officially supported, i.e., not mentioned in any of the header files.
The symbols are:

  _gnutls*
  gnutls_asn1_tab
  
Normally when symbols are removed, the shared library version has to
be incremented.  This leads to a significant cost for everyone using
the library.  Because none of the above symbols have ever been
intended for use by well-behaved applications, we decided that the it
would be better for those applications to pay the price rather than
incurring problems on the majority of applications.

If it turns out that applications have been using unofficial
interfaces, we will need to release a follow-on release on the v2.8
branch to exports additional interfaces.  However, initial testing
suggests that few if any applications have been using any of the
internal symbols.

Although not a new change compared to 2.6.x, we'd like to remind you
interfaces have been modified so that X.509 chain verification now
also checks activation/expiration times on certificates.  The affected
functions are:

gnutls_x509_crt_list_verify: CHANGED, checks activation/expiration times.
gnutls_certificate_verify_peers: Likewise.
gnutls_certificate_verify_peers2: Likewise.
GNUTLS_CERT_NOT_ACTIVATED: ADDED.
GNUTLS_CERT_EXPIRED: ADDED.
GNUTLS_VERIFY_DISABLE_TIME_CHECKS: ADDED.

This change in behaviour was made during the GnuTLS 2.6.x cycle, and
we gave our rationale for it in earlier release notes.

The following symbols have been added to the library:

gnutls_certificate_set_x509_simple_pkcs12_mem: ADDED
gnutls_x509_crl_get_authority_key_id: ADDED
gnutls_x509_crl_get_extension_data: ADDED
gnutls_x509_crl_get_extension_info: ADDED
gnutls_x509_crl_get_extension_oid: ADDED
gnutls_x509_crl_get_number: ADDED
gnutls_x509_crl_set_authority_key_id: ADDED
gnutls_x509_crl_set_number: ADDED
gnutls_x509_crq_get_attribute_data: ADDED
gnutls_x509_crq_get_attribute_info: ADDED
gnutls_x509_crq_get_basic_constraints: ADDED
gnutls_x509_crq_get_extension_by_oid: ADDED
gnutls_x509_crq_get_extension_data: ADDED
gnutls_x509_crq_get_extension_info: ADDED
gnutls_x509_crq_get_key_id: ADDED.
gnutls_x509_crq_get_key_purpose_oid: ADDED
gnutls_x509_crq_get_key_rsa_raw: ADDED
gnutls_x509_crq_get_key_usage: ADDED
gnutls_x509_crq_get_subject_alt_name: ADDED
gnutls_x509_crq_get_subject_alt_othername_oid: ADDED
gnutls_x509_crq_print: ADDED
gnutls_x509_crq_set_basic_constraints: ADDED
gnutls_x509_crq_set_key_purpose_oid: ADDED
gnutls_x509_crq_set_key_usage: ADDED
gnutls_x509_crq_set_subject_alt_name: ADDED
gnutls_x509_crt_get_verify_algorithm: ADDED
gnutls_x509_crt_set_crq_extensions: ADDED
gnutls_x509_crt_verify_hash: ADDED

The following interfaces have been added to the header files:

GNUTLS_VERSION: ADDED, replaces LIBGNUTLS_VERSION.
GNUTLS_VERSION_MAJOR: ADDED, replaces LIBGNUTLS_VERSION_MAJOR.
GNUTLS_VERSION_MINOR: ADDED, replaces LIBGNUTLS_VERSION_MINOR.
GNUTLS_VERSION_PATCH: ADDED, replaces LIBGNUTLS_VERSION_PATCH.
GNUTLS_VERSION_NUMBER: ADDED, replaces LIBGNUTLS_VERSION_NUMBER.

The following interfaces have been deprecated:

LIBGNUTLS_VERSION: DEPRECATED.
LIBGNUTLS_VERSION_MAJOR: DEPRECATED.
LIBGNUTLS_VERSION_MINOR: DEPRECATED.
LIBGNUTLS_VERSION_PATCH: DEPRECATED.
LIBGNUTLS_VERSION_NUMBER: DEPRECATED.

Getting the Software
====================

GnuTLS may be downloaded from one of the mirror sites or direct from
<ftp://ftp.gnu.org/gnu/gnutls/>.  The list of mirrors can be found at
<http://www.gnu.org/software/gnutls/download.html>.

Here are the BZIP2 compressed sources (6.0MB):

  ftp://ftp.gnu.org/gnu/gnutls/gnutls-2.8.0.tar.bz2
  http://ftp.gnu.org/gnu/gnutls/gnutls-2.8.0.tar.bz2

Here are OpenPGP detached signatures signed using key 0xB565716F:

  ftp://ftp.gnu.org/gnu/gnutls/gnutls-2.8.0.tar.bz2.sig
  http://ftp.gnu.org/gnu/gnutls/gnutls-2.8.0.tar.bz2.sig

Note, that we don't distribute gzip compressed tarballs.

In order to check that the version of GnuTLS which you are going to
install is an original and unmodified one, you should verify the OpenPGP
signature.  You can use the command

     gpg --verify gnutls-2.8.0.tar.bz2.sig

This checks whether the signature file matches the source file.  You
should see a message indicating that the signature is good and made by
that signing key.  Make sure that you have the right key, either by
checking the fingerprint of that key with other sources or by checking
that the key has been signed by a trustworthy other key.  The signing
key can be identified with the following information:

pub   1280R/B565716F 2002-05-05 [expires: 2010-04-21]
      Key fingerprint = 0424 D4EE 81A0 E3D1 19C6  F835 EDA2 1E94 B565 716F
uid                  Simon Josefsson <simon at josefsson.org>
uid                  Simon Josefsson <jas at extundo.com>
sub   1280R/4D5D40AE 2002-05-05 [expires: 2010-04-21]

The key is available from:
  http://josefsson.org/key.txt
  dns:b565716f.josefsson.org?TYPE=CERT

Alternatively, after successfully verifying the OpenPGP signature of
this announcement, you could verify that the files match the following
checksum values.  The values are for SHA-1 and SHA-224 respectively:

d1693e611aa7270f14bc500bd56ef529ffcb1703  gnutls-2.8.0.tar.bz2

5e5bc180293b0854b7e8c27a5eb55f172579b346fba61b2d4b0b0c61  gnutls-2.8.0.tar.bz2

Documentation
=============

The manual is available online at:

  http://www.gnu.org/software/gnutls/documentation.html

In particular the following formats are available:

 HTML: http://www.gnu.org/software/gnutls/manual/html_node/index.html
 PDF: http://www.gnu.org/software/gnutls/manual/gnutls.pdf

For developers there is a GnuTLS API reference manual formatted using
the GTK-DOC tools:

  http://www.gnu.org/software/gnutls/reference/gnutls-gnutls.html

Community
=========

If you need help to use GnuTLS, or want to help others, you are invited
to join our help-gnutls mailing list, see:

  http://lists.gnu.org/mailman/listinfo/help-gnutls

If you wish to participate in the development of GnuTLS, you are invited
to join our gnutls-dev mailing list, see:

  http://lists.gnu.org/mailman/listinfo/gnutls-devel

Windows installer
=================

GnuTLS has been ported to the Windows operating system, and a binary
installer is available.  The installer contains DLLs for application
development, manuals, examples, and source code.  The installer uses
libgpg-error v1.7, libgcrypt v1.4.4, libtasn1 v2.2, and GnuTLS v2.8.0.

For more information about GnuTLS for Windows:
  http://josefsson.org/gnutls4win/

The Windows binary installer and PGP signature:
  http://josefsson.org/gnutls4win/gnutls-2.8.0.exe (15MB)
  http://josefsson.org/gnutls4win/gnutls-2.8.0.exe.sig

The checksum values for SHA-1 and SHA-224 are:

8a86a846cbdc16b6c21442c706854a5c02416336  gnutls-2.8.0.exe

555afa0c1524d8ad05a12384e1bd1b09da720b03058f0089dc812cfc  gnutls-2.8.0.exe

A ZIP archive containing the Windows binaries:
  http://josefsson.org/gnutls4win/gnutls-2.8.0.zip (5.3MB)
  http://josefsson.org/gnutls4win/gnutls-2.8.0.zip.sig

A Debian mingw32 package is also available:
  http://josefsson.org/gnutls4win/mingw32-gnutls_2.7.10-1_all.deb (4.8MB)

The checksum values for SHA-1 and SHA-224 are:

b141f97c196d408bf12b8a58ede6bda8fb291be6  mingw32-gnutls_2.8.0-1_all.deb

541e2fca8248460b419e2224a138b292020de1724c86c77b9478da93  mingw32-gnutls_2.8.0-1_all.deb

Internationalization
====================

The GnuTLS library messages have been translated into Czech, Dutch,
French, German, Malay, Polish, Swedish, and Vietnamese.  We welcome the
addition of more translations.

Support
=======

Improving GnuTLS is costly, but you can help!  We are looking for
organizations that find GnuTLS useful and wish to contribute back.  You
can contribute by reporting bugs, improve the software, or donate money
or equipment.

Commercial support contracts for GnuTLS are available, and they help
finance continued maintenance.  Simon Josefsson Datakonsult AB, a
Stockholm based privately held company, is currently funding GnuTLS
maintenance.  We are always looking for interesting development
projects.  See http://josefsson.org/ for more details.

The GnuTLS service directory is available at:

  http://www.gnu.org/software/gnutls/commercial.html

Happy Hacking,
Simon




From simon at josefsson.org  Mon May 25 12:32:36 2009
From: simon at josefsson.org (Simon Josefsson)
Date: Mon, 25 May 2009 12:32:36 +0200
Subject: GnuTLS 2.7.13 - release candidate 5 of GnuTLS 2.8.0
Message-ID: <87k5458ocb.fsf@mocca.josefsson.org>

Hopefully this will be the final RC.  I'll release this as v2.8.0
tomorrow morning unless I hear objections.  Meanwhile, please build it
and proof read the release notes:
http://permalink.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3589

Here are the compressed sources:
  http://alpha.gnu.org/gnu/gnutls/gnutls-2.7.13.tar.bz2 (6.0MB)
  ftp://alpha.gnu.org/gnu/gnutls/gnutls-2.7.13.tar.bz2

Here is the OpenPGP signature:
  http://alpha.gnu.org/gnu/gnutls/gnutls-2.7.13.tar.bz2.sig
  ftp://alpha.gnu.org/gnu/gnutls/gnutls-2.7.13.tar.bz2.sig

The Windows binary installer and PGP signature:
  http://josefsson.org/gnutls4win/gnutls-2.7.13.exe (15MB)
  http://josefsson.org/gnutls4win/gnutls-2.7.13.exe.sig

A ZIP archive containing the Windows binaries:
  http://josefsson.org/gnutls4win/gnutls-2.7.13.zip (5.3MB)
  http://josefsson.org/gnutls4win/gnutls-2.7.13.zip.sig

A Debian mingw32 package is also available:
  http://josefsson.org/gnutls4win/mingw32-gnutls_2.7.13-1_all.deb (4.8MB)

Improving GnuTLS is costly, but you can help!  We are looking for
organizations that find GnuTLS useful and wish to contribute back.  You
can contribute by reporting bugs, improve the software, or donate money
or equipment.

Commercial support contracts for GnuTLS are available, and they help
finance continued maintenance.  Simon Josefsson Datakonsult AB, a
Stockholm based privately held company, is currently funding GnuTLS
maintenance.  We are always looking for interesting development
projects.  See http://josefsson.org/ for more details.

/Simon

* Version 2.7.13 (released 2009-05-25)

** libgnutls: Fix version of some exported symbols in the shared library.
Reported by Andreas Metzler <ametzler at downhill.at.eu.org> in
<http://thread.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3576>.

** tests: Handle recently expired certificates in chainverify self-test.
Reported by Andreas Metzler <ametzler at downhill.at.eu.org> in
<http://permalink.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3580>.

** API and ABI modifications:
No changes since last version.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 419 bytes
Desc: not available
URL: </pipermail/attachments/20090525/dd68189e/attachment.pgp>

From ametzler at downhill.at.eu.org  Mon May 25 18:53:51 2009
From: ametzler at downhill.at.eu.org (Andreas Metzler)
Date: Mon, 25 May 2009 18:53:51 +0200
Subject: Enhanced symbol versioning in 2.7.x
In-Reply-To: <87skita8pe.fsf@mocca.josefsson.org>
References: <20090520192851.GA4298@downhill.g.la>
	<87skita8pe.fsf@mocca.josefsson.org>
Message-ID: <20090525165351.GB4402@downhill.g.la>

On 2009-05-25 Simon Josefsson <simon at josefsson.org> wrote:
> Andreas Metzler <ametzler at downhill.at.eu.org> writes:
[...]
> > I assume that if there was a soname bump we would change from
> > --------------
> > GNUTLS_1_4
> > {
> > ...
> > };
> >
> > GNUTLS_2_8
> > {
> > ...
> > } GNUTLS_1_4;
> >
> > GNUTLS_PRIVATE {
> > };
> > --------------
> >
> > to 
> >
> > --------------
> > GNUTLS_2_10
> > {
> > [symbols listed previously in GNUTLS_1_4 or GNUTLS_2_8 go here]
> > };
> >
> >
> > GNUTLS_PRIVATE_2_10 {
> > [symbols listed previously in GNUTLS_PRIVATE go here]
> > };
> > --------------
> > Am I correct?

> That's not required, but I don't see how it would hurt from a technical
> point of view.

> I don't see any advantage in that, though, because having the old
> version names even in the new soname bump can be informative.

Well I am not sure either. I know that *without* symbol versioning you
get crashes due to symbol clashes whenever two different versions of
the library are linked (indirectly) into a single binary. Versioning
the symbols in the different library versions (I am always taling
about sonames) protects against that. I *assume* you would have the
same problem if the two versions of the library were using the same
versioning, the symbols would clash.
cu andreas

-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'




From nmav at gnutls.org  Tue May 26 04:16:01 2009
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Tue, 26 May 2009 05:16:01 +0300
Subject: libtasn1 compile issue in ANS1.c
In-Reply-To: <C63F5D98.22609%dg@ulysium.net>
References: <C63F5D98.22609%dg@ulysium.net>
Message-ID: <4A1B50E1.3090404@gnutls.org>

Didier Godefroy wrote:

>>> libtool: compile:  cc -DHAVE_CONFIG_H -I. -I.. -I./gllib -DASN1_BUILDING
>>> -pthread -I/usr/local/include -O4 -g3 -w -c -MD ASN1.c  -DPIC -o
>>> .libs/ASN1.o
>>> cc: Error: ASN1.c, line 153: Invalid enumerator. (badenum)
>>>      TRUE = 277,
>>> -----^
>>> cc: Error: ASN1.c, line 154: Invalid enumerator. (badenum)
>>>      FALSE = 278,
>>> -----^
>>>
>>> They look to me to be the same as all the others, but only TRUE and FALSE
>>> are causing the error.
>>> I haven't found any hints on possible fixes and the latest daily snapshot
>>> doesn't fix that either.
>> maybe TRUE and FALSE are reserved in this compiler. If you replace them
>> with ASN1_TRUE and ASN1_FALSE the compiler complains?
> That did it!!!
> It didn't complain, built all the way and all 5 tests passed.
> One more porting issue fixed.

I just noticed that this enumeration is auto-generated with bison from
the given grammar's tokens, thus TRUE/FALSE cannot be replaced. However
would adding #undef TRUE and #undef FALSE solve the compilation issue
for you?

regards,
Nikos





From dkg at fifthhorseman.net  Tue May 26 07:13:42 2009
From: dkg at fifthhorseman.net (Daniel Kahn Gillmor)
Date: Tue, 26 May 2009 01:13:42 -0400
Subject: 2.7.12 test suite error on chainverify
In-Reply-To: <8763fpboag.fsf@mocca.josefsson.org>
References: <20090523115037.GJ3498@downhill.g.la>
	<8763fpboag.fsf@mocca.josefsson.org>
Message-ID: <4A1B7A86.7050900@fifthhorseman.net>

On 05/25/2009 04:05 AM, Simon Josefsson wrote:
> Indeed, that certificate just expired.  I have split the test into two,
> one that should fail due to an expired certificate, and one with a flag
> to disable activation time checks that should succeed.  There was
> another similar one too.

Perhaps the tests could run with something like faketime or datefudge to
ensure that the date validations are reasonable?

	--dkg

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 890 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20090526/3110191a/attachment.pgp>

From simon at josefsson.org  Tue May 26 11:05:39 2009
From: simon at josefsson.org (Simon Josefsson)
Date: Tue, 26 May 2009 11:05:39 +0200
Subject: Enhanced symbol versioning in 2.7.x
In-Reply-To: <20090525165351.GB4402@downhill.g.la> (Andreas Metzler's message
	of "Mon, 25 May 2009 18:53:51 +0200")
References: <20090520192851.GA4298@downhill.g.la>
	<87skita8pe.fsf@mocca.josefsson.org>
	<20090525165351.GB4402@downhill.g.la>
Message-ID: <87r5ycz124.fsf@mocca.josefsson.org>

Andreas Metzler <ametzler at downhill.at.eu.org> writes:

> Well I am not sure either. I know that *without* symbol versioning you
> get crashes due to symbol clashes whenever two different versions of
> the library are linked (indirectly) into a single binary. Versioning
> the symbols in the different library versions (I am always taling
> about sonames) protects against that. I *assume* you would have the
> same problem if the two versions of the library were using the same
> versioning, the symbols would clash.

Ah, good point.  Yes, that seems to suggest that whenever a soname bump
is done, you can no longer use the old version symbols.  That was rather
non-obvious to me.

Maybe a tutorial on "shared library versioning for maintainers" howto
would be useful, I don't think Uri's documentation is well suited for
that purpose.

/Simon




From simon at josefsson.org  Tue May 26 11:08:36 2009
From: simon at josefsson.org (Simon Josefsson)
Date: Tue, 26 May 2009 11:08:36 +0200
Subject: 2.7.12 test suite error on chainverify
In-Reply-To: <4A1B7A86.7050900@fifthhorseman.net> (Daniel Kahn Gillmor's
	message of "Tue, 26 May 2009 01:13:42 -0400")
References: <20090523115037.GJ3498@downhill.g.la>
	<8763fpboag.fsf@mocca.josefsson.org>
	<4A1B7A86.7050900@fifthhorseman.net>
Message-ID: <87my90z0x7.fsf@mocca.josefsson.org>

Daniel Kahn Gillmor <dkg at fifthhorseman.net> writes:

> On 05/25/2009 04:05 AM, Simon Josefsson wrote:
>> Indeed, that certificate just expired.  I have split the test into two,
>> one that should fail due to an expired certificate, and one with a flag
>> to disable activation time checks that should succeed.  There was
>> another similar one too.
>
> Perhaps the tests could run with something like faketime or datefudge to
> ensure that the date validations are reasonable?

This is kind of tested now, isn't it?  I split the test into two parts:
one that is expected to fail because of an expired cert, and one that is
expected to succeed (because time checks are disabled).

But using datefudge or something similar seems useful for improving the
chain validation test further.

/Simon




From simon at josefsson.org  Tue May 26 11:11:33 2009
From: simon at josefsson.org (Simon Josefsson)
Date: Tue, 26 May 2009 11:11:33 +0200
Subject: libtasn1 compile issue in ANS1.c
In-Reply-To: <4A1B50E1.3090404@gnutls.org> (Nikos Mavrogiannopoulos's message
	of "Tue, 26 May 2009 05:16:01 +0300")
References: <C63F5D98.22609%dg@ulysium.net> <4A1B50E1.3090404@gnutls.org>
Message-ID: <87iqjoz0sa.fsf@mocca.josefsson.org>

Nikos Mavrogiannopoulos <nmav at gnutls.org> writes:

> Didier Godefroy wrote:
>
>>>> libtool: compile:  cc -DHAVE_CONFIG_H -I. -I.. -I./gllib -DASN1_BUILDING
>>>> -pthread -I/usr/local/include -O4 -g3 -w -c -MD ASN1.c  -DPIC -o
>>>> .libs/ASN1.o
>>>> cc: Error: ASN1.c, line 153: Invalid enumerator. (badenum)
>>>>      TRUE = 277,
>>>> -----^
>>>> cc: Error: ASN1.c, line 154: Invalid enumerator. (badenum)
>>>>      FALSE = 278,
>>>> -----^
>>>>
>>>> They look to me to be the same as all the others, but only TRUE and FALSE
>>>> are causing the error.
>>>> I haven't found any hints on possible fixes and the latest daily snapshot
>>>> doesn't fix that either.
>>> maybe TRUE and FALSE are reserved in this compiler. If you replace them
>>> with ASN1_TRUE and ASN1_FALSE the compiler complains?
>> That did it!!!
>> It didn't complain, built all the way and all 5 tests passed.
>> One more porting issue fixed.
>
> I just noticed that this enumeration is auto-generated with bison from
> the given grammar's tokens, thus TRUE/FALSE cannot be replaced. However
> would adding #undef TRUE and #undef FALSE solve the compilation issue
> for you?

We can change the bison source, can't we?  Like this:

/Simon

diff --git a/lib/ASN1.y b/lib/ASN1.y
index b335cbc..14e2eb6 100644
--- a/lib/ASN1.y
+++ b/lib/ASN1.y
@@ -85,8 +85,8 @@ static int _asn1_yylex(void);
 %token OBJECT
 %token STR_IDENTIFIER
 %token BOOLEAN
-%token TRUE
-%token FALSE
+%token ASN1_TRUE
+%token ASN1_FALSE
 %token TOKEN_NULL
 %token ANY
 %token DEFINED
@@ -195,8 +195,8 @@ tag :  tag_type           {$$=$1;}
 
 default :  DEFAULT pos_neg_identifier {$$=_asn1_add_node(TYPE_DEFAULT);
                                        _asn1_set_value($$,$2,strlen($2)+1);}
-         | DEFAULT TRUE           {$$=_asn1_add_node(TYPE_DEFAULT|CONST_TRUE);}
-         | DEFAULT FALSE          {$$=_asn1_add_node(TYPE_DEFAULT|CONST_FALSE);}
+         | DEFAULT ASN1_TRUE	{$$=_asn1_add_node(TYPE_DEFAULT|CONST_TRUE);}
+         | DEFAULT ASN1_FALSE	{$$=_asn1_add_node(TYPE_DEFAULT|CONST_FALSE);}
 ;
 
 
@@ -415,7 +415,7 @@ static const int key_word_token[] = {
   ASSIG,OPTIONAL,INTEGER,SIZE,OCTET,STRING
   ,SEQUENCE,BIT,UNIVERSAL,PRIVATE,OPTIONAL
   ,DEFAULT,CHOICE,OF,OBJECT,STR_IDENTIFIER
-  ,BOOLEAN,TRUE,FALSE,APPLICATION,ANY,DEFINED
+  ,BOOLEAN,ASN1_TRUE,ASN1_FALSE,APPLICATION,ANY,DEFINED
   ,SET,BY,EXPLICIT,IMPLICIT,DEFINITIONS,TAGS
   ,BEGIN,END,UTCTime,GeneralizedTime
   ,GeneralString,FROM,IMPORTS,TOKEN_NULL,ENUMERATED};




From simon at josefsson.org  Tue May 26 11:46:32 2009
From: simon at josefsson.org (Simon Josefsson)
Date: Tue, 26 May 2009 11:46:32 +0200
Subject: GnuTLS 2.7.14 - release candidate 6 of GnuTLS 2.8.0
Message-ID: <87eiucyz5z.fsf@mocca.josefsson.org>

Good feedback on RC5 resulted in one important change, so let's do a
RC6.  I'll release this as v2.8.0 tomorrow morning unless I hear
objections.  Meanwhile, please build it and proof read the release
notes:
http://permalink.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3589

Here are the compressed sources:
  http://alpha.gnu.org/gnu/gnutls/gnutls-2.7.14.tar.bz2 (6.0MB)
  ftp://alpha.gnu.org/gnu/gnutls/gnutls-2.7.14.tar.bz2

Here is the OpenPGP signature:
  http://alpha.gnu.org/gnu/gnutls/gnutls-2.7.14.tar.bz2.sig
  ftp://alpha.gnu.org/gnu/gnutls/gnutls-2.7.14.tar.bz2.sig

The Windows binary installer and PGP signature:
  http://josefsson.org/gnutls4win/gnutls-2.7.14.exe (15MB)
  http://josefsson.org/gnutls4win/gnutls-2.7.14.exe.sig

A ZIP archive containing the Windows binaries:
  http://josefsson.org/gnutls4win/gnutls-2.7.14.zip (5.3MB)
  http://josefsson.org/gnutls4win/gnutls-2.7.14.zip.sig

A Debian mingw32 package is also available:
  http://josefsson.org/gnutls4win/mingw32-gnutls_2.7.14-1_all.deb (4.8MB)

Improving GnuTLS is costly, but you can help!  We are looking for
organizations that find GnuTLS useful and wish to contribute back.  You
can contribute by reporting bugs, improve the software, or donate money
or equipment.

Commercial support contracts for GnuTLS are available, and they help
finance continued maintenance.  Simon Josefsson Datakonsult AB, a
Stockholm based privately held company, is currently funding GnuTLS
maintenance.  We are always looking for interesting development
projects.  See http://josefsson.org/ for more details.

/Simon

* Version 2.7.14 (released 2009-05-26)

** libgnutls: Fix namespace issue with version symbol for libgnutls-extra.
The symbol LIBGNUTLS_EXTRA_VERSION were renamed to
GNUTLS_EXTRA_VERSION.  The old symbol will continue to work but is
deprecated.

** Doc: Several typo fixes in documentation.
Reported by Peter Hendrickson <pdh at wiredyne.com>.

** API and ABI modifications:
GNUTLS_VERSION: ADDED, replaces LIBGNUTLS_EXTRA_VERSION.
LIBGNUTLS_EXTRA_VERSION: DEPRECATED.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 419 bytes
Desc: not available
URL: </pipermail/attachments/20090526/ec30d827/attachment.pgp>

From simon at josefsson.org  Thu May 28 10:10:00 2009
From: simon at josefsson.org (Simon Josefsson)
Date: Thu, 28 May 2009 10:10:00 +0200
Subject: GnuTLS 2.8.0
Message-ID: <878wkhabs7.fsf@mocca.josefsson.org>

We are proud to announce a new stable GnuTLS release: Version 2.8.0.

GnuTLS is a modern C library that implements the standard network
security protocol Transport Layer Security (TLS), for use by network
applications.  GnuTLS is developed for GNU/Linux, but works on many
Unix-like systems and comes with a binary installer for Windows.

The GnuTLS library is distributed under the terms of the GNU Lesser
General Public License version 2.1 (or later).  The "extra" GnuTLS
library (which contains TLS/IA support, LZO compression and Libgcrypt
FIPS-mode handler), the OpenSSL compatibility library, the self tests
and the command line tools are all distributed under the GNU General
Public License version 3.0 (or later).  The manual is distributed
under the GNU Free Documentation License version 1.3 (or later).

The project page of the library is available at:
  http://www.gnu.org/software/gnutls/

What's New
==========

Version 2.8.0 is the first stable release on the 2.8.x branch and is the
result of 7 months of work on the experimental 2.7.x branch.  The GnuTLS
2.8.x branch replaces the GnuTLS 2.6.x branch as the supported stable
branch, although we will continue to support GnuTLS 2.6.x for some time.

** lib: Linker version scripts reduces number of exported symbols.
The linker version script now lists all exported ABIs explicitly, to
avoid accidentally exporting unintended functions.  Compared to
before, most symbols beginning with _gnutls* are no longer exported.
These functions have never been intended for use by applications, and
there were no prototypes for these function in the public header
files.  Thus we believe it is possible to do this without incrementing
the library ABI version which normally has to be done when removing an
interface.

** lib: Limit exported symbols on systems without LD linker scripts.
Before all symbols were exported.  Now we limit the exported symbols
to (for libgnutls and libgnutls-extra) gnutls* and (for libgnutls)
_gnutls*.  This is a superset of the actual supported ABI, but still
an improvement compared to before.  This is implemented using Libtool
-export-symbols-regex.  It is more portable than linker version
scripts.

** libgnutls: Fix namespace issue with version symbols.
The symbols LIBGNUTLS_VERSION, LIBGNUTLS_VERSION_MAJOR,
LIBGNUTLS_VERSION_MINOR, LIBGNUTLS_VERSION_PATCH, and
LIBGNUTLS_VERSION_NUMBER were renamed to GNUTLS_VERSION_NUMBER,
GNUTLS_VERSION_MAJOR, GNUTLS_VERSION_MINOR, GNUTLS_VERSION_PATCH, and
GNUTLS_VERSION_NUMBER respectively.  The old symbols will continue to
work but are deprecated.

** libgnutls: Fix namespace issue with version symbol for libgnutls-extra.
The symbol LIBGNUTLS_EXTRA_VERSION were renamed to
GNUTLS_EXTRA_VERSION.  The old symbol will continue to work but is
deprecated.

** libgnutls: Add functions to verify a hash against a certificate.
gnutls_x509_crt_verify_hash: ADDED
gnutls_x509_crt_get_verify_algorithm: ADDED

** gnutls-serv: Listen on all interfaces, including both IPv4 and IPv6.

** i18n: The GnuTLS gettext domain is now 'libgnutls' instead of 'gnutls'.
It is currently only used by the core library.  This will enable a new
domain 'gnutls' for translations of the command line tools.

** certtool: Query for multiple dnsName subjectAltName in interactive mode.
This applies both to generating certificates and certificate requests.

** gnutls-cli: No longer accepts V1 CAs by default during X.509 chain verify.
Use --priority NORMAL:%VERIFY_ALLOW_X509_V1_CA_CRT to permit V1 CAs to
be used for chain verification.

** gnutls-serv: No longer disable MAC padding by default.
Use --priority NORMAL:%COMPAT to disable MAC padding again.

** gnutls-cli: Certificate information output format changed.
The tool now uses libgnutls' functions to print certificate
information.  This avoids code duplication.

** libgnutls: New priority strings %VERIFY_ALLOW_SIGN_RSA_MD5
** and %VERIFY_ALLOW_X509_V1_CA_CRT.
They can be used to override the default certificate chain validation
behaviour.

** libgnutls: gnutls_x509_crt_print prints signature algorithm in oneline mode.

** libgnutls: gnutls_openpgp_crt_print supports oneline mode.

** libgnutls: gnutls_handshake when sending client hello during a
rehandshake, will not offer a version number larger than the current.

** libgnutls: New interface to get key id for certificate requests.
gnutls_x509_crq_get_key_id: ADDED.

** libgnutls: gnutls_x509_crq_print will now also print public key id.

** certtool: --verify-chain now prints results of using library verification.
Earlier, certtool --verify-chain used its own validation algorithm
which wasn't guaranteed to give the same result as the libgnutls
internal validation algorithm.  Now this command print a new final
line with header 'Chain verification output:' that contains the result
From using the internal verification algorithm on the same chain.

** libgnutls: Libgcrypt initialization changed.
If libgcrypt has not already been initialized, GnuTLS will now
initialize libgcrypt with disabled secure memory.  Initialize
libgcrypt explicitly in your application if you want to enable secure
memory.  Before GnuTLS initialized libgcrypt to use GnuTLS's memory
allocation functions, which doesn't use secure memory, so there is no
real change in behaviour.

** libgnutls: Small byte reads via gnutls_record_recv() optimized.

** gnutls-cli: Return non-zero exit code on error conditions.

** gnutls-cli: Corrected bug which caused a rehandshake request to be ignored.

** certtool: allow setting arbitrary key purpose object identifiers.

** libgnutls: Change detection of when to use a linker version script.
Use --enable-ld-version-script or --disable-ld-version-script to
override auto-detection logic.

** Fix warnings and build GnuTLS with more warnings enabled.

** New API to set X.509 credentials from PKCS#12 memory structure.
gnutls_certificate_set_x509_simple_pkcs12_mem: ADDED

** Old libgnutls.m4 and libgnutls-config scripts removed.
Please use pkg-config instead.

** libgnutls: Added functions to handle CRL extensions.
gnutls_x509_crl_get_authority_key_id: ADDED
gnutls_x509_crl_get_number: ADDED
gnutls_x509_crl_get_extension_oid: ADDED
gnutls_x509_crl_get_extension_info: ADDED
gnutls_x509_crl_get_extension_data: ADDED
gnutls_x509_crl_set_authority_key_id: ADDED
gnutls_x509_crl_set_number: ADDED

** libgnutls: Added functions to handle X.509 extensions in Certificate
Requests.
gnutls_x509_crq_get_key_rsa_raw: ADDED
gnutls_x509_crq_get_attribute_info: ADDED
gnutls_x509_crq_get_attribute_data: ADDED
gnutls_x509_crq_get_extension_info: ADDED
gnutls_x509_crq_get_extension_data: ADDED
gnutls_x509_crq_get_key_usage: ADDED
gnutls_x509_crq_get_basic_constraints: ADDED
gnutls_x509_crq_get_subject_alt_name: ADDED
gnutls_x509_crq_get_subject_alt_othername_oid: ADDED
gnutls_x509_crq_get_extension_by_oid: ADDED
gnutls_x509_crq_set_subject_alt_name: ADDED
gnutls_x509_crq_set_basic_constraints: ADDED
gnutls_x509_crq_set_key_usage: ADDED
gnutls_x509_crq_get_key_purpose_oid: ADDED
gnutls_x509_crq_set_key_purpose_oid: ADDED
gnutls_x509_crq_print: ADDED
gnutls_x509_crt_set_crq_extensions: ADDED

** certtool: Print and set CRL and CRQ extensions.

** minitasn1: Internal copy updated to libtasn1 v2.1.
GnuTLS should work fine with libtasn1 v1.x and that is still
supported.

** examples: Now released into the public domain.
This makes the license of the example code compatible with more
licenses, including the (L)GPL.

** The Texinfo and GTK-DOC manuals were improved.

** Several self-tests were added and others improved.

API/ABI changes in GnuTLS 2.8
=============================

No offically supported interfaces have been modified or removed.  The
library should be completely backwards compatible on both the source
and binary level.

The shared library no longer exports some symbols that have never been
officially supported, i.e., not mentioned in any of the header files.
The symbols are:

  _gnutls*
  gnutls_asn1_tab

Normally when symbols are removed, the shared library version has to
be incremented.  This leads to a significant cost for everyone using
the library.  Because none of the above symbols have ever been
intended for use by well-behaved applications, we decided that the it
would be better for those applications to pay the price rather than
incurring problems on the majority of applications.

If it turns out that applications have been using unofficial
interfaces, we will need to release a follow-on release on the v2.8
branch to exports additional interfaces.  However, initial testing
suggests that few if any applications have been using any of the
internal symbols.

Although not a new change compared to 2.6.x, we'd like to remind you
interfaces have been modified so that X.509 chain verification now
also checks activation/expiration times on certificates.  The affected
functions are:

gnutls_x509_crt_list_verify: CHANGED, checks activation/expiration times.
gnutls_certificate_verify_peers: Likewise.
gnutls_certificate_verify_peers2: Likewise.
GNUTLS_CERT_NOT_ACTIVATED: ADDED.
GNUTLS_CERT_EXPIRED: ADDED.
GNUTLS_VERIFY_DISABLE_TIME_CHECKS: ADDED.

This change in behaviour was made during the GnuTLS 2.6.x cycle, and
we gave our rationale for it in earlier release notes.

The following symbols have been added to the library:

gnutls_certificate_set_x509_simple_pkcs12_mem: ADDED
gnutls_x509_crl_get_authority_key_id: ADDED
gnutls_x509_crl_get_extension_data: ADDED
gnutls_x509_crl_get_extension_info: ADDED
gnutls_x509_crl_get_extension_oid: ADDED
gnutls_x509_crl_get_number: ADDED
gnutls_x509_crl_set_authority_key_id: ADDED
gnutls_x509_crl_set_number: ADDED
gnutls_x509_crq_get_attribute_data: ADDED
gnutls_x509_crq_get_attribute_info: ADDED
gnutls_x509_crq_get_basic_constraints: ADDED
gnutls_x509_crq_get_extension_by_oid: ADDED
gnutls_x509_crq_get_extension_data: ADDED
gnutls_x509_crq_get_extension_info: ADDED
gnutls_x509_crq_get_key_id: ADDED.
gnutls_x509_crq_get_key_purpose_oid: ADDED
gnutls_x509_crq_get_key_rsa_raw: ADDED
gnutls_x509_crq_get_key_usage: ADDED
gnutls_x509_crq_get_subject_alt_name: ADDED
gnutls_x509_crq_get_subject_alt_othername_oid: ADDED
gnutls_x509_crq_print: ADDED
gnutls_x509_crq_set_basic_constraints: ADDED
gnutls_x509_crq_set_key_purpose_oid: ADDED
gnutls_x509_crq_set_key_usage: ADDED
gnutls_x509_crq_set_subject_alt_name: ADDED
gnutls_x509_crt_get_verify_algorithm: ADDED
gnutls_x509_crt_set_crq_extensions: ADDED
gnutls_x509_crt_verify_hash: ADDED

The following interfaces have been added to the header files:

GNUTLS_VERSION: ADDED, replaces LIBGNUTLS_VERSION.
GNUTLS_VERSION_MAJOR: ADDED, replaces LIBGNUTLS_VERSION_MAJOR.
GNUTLS_VERSION_MINOR: ADDED, replaces LIBGNUTLS_VERSION_MINOR.
GNUTLS_VERSION_PATCH: ADDED, replaces LIBGNUTLS_VERSION_PATCH.
GNUTLS_VERSION_NUMBER: ADDED, replaces LIBGNUTLS_VERSION_NUMBER.
GNUTLS_EXTRA_VERSION: ADDED, replaces LIBGNUTLS_EXTRA_VERSION.

The following interfaces have been deprecated:

LIBGNUTLS_VERSION: DEPRECATED.
LIBGNUTLS_VERSION_MAJOR: DEPRECATED.
LIBGNUTLS_VERSION_MINOR: DEPRECATED.
LIBGNUTLS_VERSION_PATCH: DEPRECATED.
LIBGNUTLS_VERSION_NUMBER: DEPRECATED.
LIBGNUTLS_EXTRA_VERSION: DEPRECATED.

Getting the Software
====================

GnuTLS may be downloaded from one of the mirror sites or direct from
<ftp://ftp.gnu.org/gnu/gnutls/>.  The list of mirrors can be found at
<http://www.gnu.org/software/gnutls/download.html>.

Here are the BZIP2 compressed sources (6.0MB):

  ftp://ftp.gnu.org/gnu/gnutls/gnutls-2.8.0.tar.bz2
  http://ftp.gnu.org/gnu/gnutls/gnutls-2.8.0.tar.bz2

Here are OpenPGP detached signatures signed using key 0xB565716F:

  ftp://ftp.gnu.org/gnu/gnutls/gnutls-2.8.0.tar.bz2.sig
  http://ftp.gnu.org/gnu/gnutls/gnutls-2.8.0.tar.bz2.sig

Note, that we don't distribute gzip compressed tarballs.

In order to check that the version of GnuTLS which you are going to
install is an original and unmodified one, you should verify the OpenPGP
signature.  You can use the command

     gpg --verify gnutls-2.8.0.tar.bz2.sig

This checks whether the signature file matches the source file.  You
should see a message indicating that the signature is good and made by
that signing key.  Make sure that you have the right key, either by
checking the fingerprint of that key with other sources or by checking
that the key has been signed by a trustworthy other key.  The signing
key can be identified with the following information:

pub   1280R/B565716F 2002-05-05 [expires: 2010-04-21]
      Key fingerprint = 0424 D4EE 81A0 E3D1 19C6  F835 EDA2 1E94 B565 716F
uid                  Simon Josefsson <simon at josefsson.org>
uid                  Simon Josefsson <jas at extundo.com>
sub   1280R/4D5D40AE 2002-05-05 [expires: 2010-04-21]

The key is available from:
  http://josefsson.org/key.txt
  dns:b565716f.josefsson.org?TYPE=CERT

Alternatively, after successfully verifying the OpenPGP signature of
this announcement, you could verify that the files match the following
checksum values.  The values are for SHA-1 and SHA-224 respectively:

7c102253bb4e817f393b9979a62c647010312eac  gnutls-2.8.0.tar.bz2

57ee306f261ed331b8386baf854f737fbf24da7b3bcc32331d34176b  gnutls-2.8.0.tar.bz2

Documentation
=============

The manual is available online at:

  http://www.gnu.org/software/gnutls/documentation.html

In particular the following formats are available:

 HTML: http://www.gnu.org/software/gnutls/manual/html_node/index.html
 PDF: http://www.gnu.org/software/gnutls/manual/gnutls.pdf

For developers there is a GnuTLS API reference manual formatted using
the GTK-DOC tools:

  http://www.gnu.org/software/gnutls/reference/gnutls-gnutls.html

Community
=========

If you need help to use GnuTLS, or want to help others, you are invited
to join our help-gnutls mailing list, see:

  http://lists.gnu.org/mailman/listinfo/help-gnutls

If you wish to participate in the development of GnuTLS, you are invited
to join our gnutls-dev mailing list, see:

  http://lists.gnu.org/mailman/listinfo/gnutls-devel

Windows installer
=================

GnuTLS has been ported to the Windows operating system, and a binary
installer is available.  The installer contains DLLs for application
development, manuals, examples, and source code.  The installer uses
libgpg-error v1.7, libgcrypt v1.4.4, libtasn1 v2.2, and GnuTLS v2.8.0.

For more information about GnuTLS for Windows:
  http://josefsson.org/gnutls4win/

The Windows binary installer and PGP signature:
  http://josefsson.org/gnutls4win/gnutls-2.8.0.exe (15MB)
  http://josefsson.org/gnutls4win/gnutls-2.8.0.exe.sig

The checksum values for SHA-1 and SHA-224 are:

8a7965168c542edec3259469b6c0e87a9a2b4626  gnutls-2.8.0.exe

5f76c907eac768b714dc7187a17f87c0393439cf1ef44ab145aab6e3  gnutls-2.8.0.exe

A ZIP archive containing the Windows binaries:
  http://josefsson.org/gnutls4win/gnutls-2.8.0.zip (5.3MB)
  http://josefsson.org/gnutls4win/gnutls-2.8.0.zip.sig

A Debian mingw32 package is also available:
  http://josefsson.org/gnutls4win/mingw32-gnutls_2.7.10-1_all.deb (4.8MB)

The checksum values for SHA-1 and SHA-224 are:

aca9f9f1adba09b952e095039595d4c5d9e67d46  mingw32-gnutls_2.8.0-1_all.deb

269020738a9f36135e3f231a94cdb2cabc0edd3658092d76b87c27dc  mingw32-gnutls_2.8.0-1_all.deb

Internationalization
====================

The GnuTLS library messages have been translated into Czech, Dutch,
French, German, Malay, Polish, Swedish, and Vietnamese.  We welcome the
addition of more translations.

Support
=======

Improving GnuTLS is costly, but you can help!  We are looking for
organizations that find GnuTLS useful and wish to contribute back.  You
can contribute by reporting bugs, improve the software, or donate money
or equipment.

Commercial support contracts for GnuTLS are available, and they help
finance continued maintenance.  Simon Josefsson Datakonsult AB, a
Stockholm based privately held company, is currently funding GnuTLS
maintenance.  We are always looking for interesting development
projects.  See http://josefsson.org/ for more details.

The GnuTLS service directory is available at:

  http://www.gnu.org/software/gnutls/commercial.html

Happy Hacking,
Simon
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 419 bytes
Desc: not available
URL: </pipermail/attachments/20090528/5ca3f74a/attachment.pgp>

From simon at josefsson.org  Thu May 28 10:42:41 2009
From: simon at josefsson.org (Simon Josefsson)
Date: Thu, 28 May 2009 10:42:41 +0200
Subject: libtasn1 compile issue in ANS1.c
In-Reply-To: <C64327D1.2276C%dg@ulysium.net> (Didier Godefroy's message of
	"Wed, 27 May 2009 17:24:33 +0200")
References: <C64327D1.2276C%dg@ulysium.net>
Message-ID: <87vdnl8vpa.fsf@mocca.josefsson.org>

Didier Godefroy <dg at ulysium.net> writes:

> on 5/27/09 7:41 AM, Simon Josefsson at simon at josefsson.org uttered the
> following:
>
>>> Ok, I applied the patch and reverted ASN1.c to original, but configure
>>> doesn't cause the generation of a new ASN1.c it appears (making my patch on
>>> it useless).
>>> How do we get the new ASN1.c regenerated?
>> 
>> Make sure ASN1.y has a newer timestamp than ASN1.c, and it should be
>> re-built automatically.  E.g., try 'touch lib/ASN1.y'.  You could also
>> remove the built file, 'rm lib/ASN1.c', then it will be re-built for
>> sure.  Thanks for testing!
>
> Ok, thanks, I tried that and along the way I got this message:
>
> lib/ASN1.y:81.8-15: warning: symbol OPTIONAL redeclared

That is harmless.

> But I also found out I had a serious problem with bison, it hangs and grabs
> almost a full cpu, so I'm looking into this issue and I'll see what happens
> when/if I can fix bison..

Try bison 2.4.1.

/Simon




From simon at josefsson.org  Thu May 28 12:03:54 2009
From: simon at josefsson.org (Simon Josefsson)
Date: Thu, 28 May 2009 12:03:54 +0200
Subject: GnuTLS 2.9.0
Message-ID: <87ab4x8rxx.fsf@mocca.josefsson.org>

The GnuTLS 2.9.x branch is NOT what you want for your stable system.  It
is intended for developers and experienced users.

This is a quick release to jump-start the next v2.9.x development
branch.  It would be nice to complete the TLS 1.2 support in it.  What
else do you think we should do?

Here are the compressed sources:
  http://alpha.gnu.org/gnu/gnutls/gnutls-2.9.0.tar.bz2 (5.9MB)
  ftp://alpha.gnu.org/gnu/gnutls/gnutls-2.9.0.tar.bz2

Here is the OpenPGP signature:
  http://alpha.gnu.org/gnu/gnutls/gnutls-2.9.0.tar.bz2.sig
  ftp://alpha.gnu.org/gnu/gnutls/gnutls-2.9.0.tar.bz2.sig

Improving GnuTLS is costly, but you can help!  We are looking for
organizations that find GnuTLS useful and wish to contribute back.  You
can contribute by reporting bugs, improve the software, or donate money
or equipment.

Commercial support contracts for GnuTLS are available, and they help
finance continued maintenance.  Simon Josefsson Datakonsult AB, a
Stockholm based privately held company, is currently funding GnuTLS
maintenance.  We are always looking for interesting development
projects.  See http://josefsson.org/ for more details.

/Simon

* Version 2.9.0 (released 2009-05-28)

** Doc fixes.

** API and ABI modifications:
No changes since last version.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 419 bytes
Desc: not available
URL: </pipermail/attachments/20090528/296dd0c7/attachment.pgp>

From simon at josefsson.org  Thu May 28 12:31:08 2009
From: simon at josefsson.org (Simon Josefsson)
Date: Thu, 28 May 2009 12:31:08 +0200
Subject: libtasn1 compile issue in ANS1.c
In-Reply-To: <C6443177.227B7%dg@ulysium.net> (Didier Godefroy's message of
	"Thu, 28 May 2009 12:17:59 +0200")
References: <C6443177.227B7%dg@ulysium.net>
Message-ID: <874ov58qoj.fsf@mocca.josefsson.org>

Didier, please also reply to the list, to archive the discussion.

Didier Godefroy <dg at ulysium.net> writes:

>>> But I also found out I had a serious problem with bison, it hangs and grabs
>>> almost a full cpu, so I'm looking into this issue and I'll see what happens
>>> when/if I can fix bison..
>> 
>> Try bison 2.4.1.
>
> I had 2.3 and now 2.4.1 does the same thing, on more than one machine.
> I don't know what's causing this, it hangs thee, grabbing nearly a full cpu
> by itself. During the tests, many tests hang that way and I have to kill the
> hung process to go on to the next.
> There must be something specific to tru64, because it does this on different
> machines. I run 5.1b on all systems.
>
> I'm stuck with bison, so I can regenerate that new ASN1.c for now..

Strange, you should probably report that as a bison bug.

I have applied the patch to libtasn1, so please try to build this
snapshot:

http://daily.josefsson.org/libtasn1/libtasn1-20090528.tar.gz

/Simon




From simon at josefsson.org  Thu May 28 13:33:51 2009
From: simon at josefsson.org (Simon Josefsson)
Date: Thu, 28 May 2009 13:33:51 +0200
Subject: libtasn1 compile issue in ANS1.c
In-Reply-To: <C6443A4B.227BC%dg@ulysium.net> (Didier Godefroy's message of
	"Thu, 28 May 2009 12:55:31 +0200")
References: <C6443A4B.227BC%dg@ulysium.net>
Message-ID: <87vdnl797k.fsf@mocca.josefsson.org>

Didier Godefroy <dg at ulysium.net> writes:

> on 5/28/09 12:31 PM, Simon Josefsson at simon at josefsson.org uttered the
> following:
>
>> Didier, please also reply to the list, to archive the discussion.
>
> Sorry about that ;-/
>
>> Strange, you should probably report that as a bison bug.
>
> I will probably end up doing that, I can't figure out what's causing this.
>
>> I have applied the patch to libtasn1, so please try to build this
>> snapshot:
>> 
>> http://daily.josefsson.org/libtasn1/libtasn1-20090528.tar.gz
>
> Ok, it built nicely.
> I'm attaching data from the build you might be interested in (attachments
> may not be useful on the list...).

Ok, great, thanks for confirming.

> Here are the variables I put in the environment before configure:
>
> CC=cc
> CFLAGS="-O4 -g3 -w"
> CPPFLAGS="-pthread -I/usr/local/include"
> LDFLAGS="-L/usr/local/lib"
> LD_LIBRARY_PATH=/usr/local/lib
> MAKE=gmake
> PATH=/usr/bin:/bin:/usr/sbin:/sbin:.:/usr/local/bin
>
> And this is all I have for configure:
>
> ./configure \
> --prefix=/usr/local \
> --enable-gtk-doc-html=no \
> --verbose
>
> I turn off the compiler warnings with -w but if you wanted to clean up a few
> more things, I could re-run the build without it and send you that log.
> This should give you a pretty good look into tru64's building of tasn1 now.
> It's working nicely out of the box now, aside from a few small details such
> as the "cannot open ./.prev-version" and maybe some compiler warnings, it's
> looking good.

Please do a -w compile.  The .prev-version is harmless.

/Simon




From pdh at wiredyne.com  Thu May 28 18:02:47 2009
From: pdh at wiredyne.com (Peter Hendrickson)
Date: 28 May 2009 16:02:47 -0000
Subject: gnutls_record_check_pending() broken?
Message-ID: <20090528160247.2497.qmail@wiredyne.com>

gnutls_record_check_pending() doesn't work for me.  It always returns
0, even when data is pending.

I've seen this behavior under Ubuntu 8.10 which has GnuTLS 2.4.1 as
well as under OpenBSD 4.4 running GnuTLS 2.7.11.

I followed the 2.7.11 version in the debugger and it quickly ends up
in gnutls_buffers.c:_gnutls_record_buffer_get_size().  That function
just returns the value kept in
session->internals.application_data_buffer.length -- and that value
seems to be consistently zero.  I haven't figured out what is supposed
to be setting it.

I don't see a test for this function in the self checking code.  Is
anybody else seeing it work?

Peter




From simon at josefsson.org  Thu May 28 18:38:12 2009
From: simon at josefsson.org (Simon Josefsson)
Date: Thu, 28 May 2009 18:38:12 +0200
Subject: gnutls_record_check_pending() broken?
In-Reply-To: <20090528160247.2497.qmail@wiredyne.com> (Peter Hendrickson's
	message of "28 May 2009 16:02:47 -0000")
References: <20090528160247.2497.qmail@wiredyne.com>
Message-ID: <87octd5gjv.fsf@mocca.josefsson.org>

Peter Hendrickson <pdh at wiredyne.com> writes:

> gnutls_record_check_pending() doesn't work for me.  It always returns
> 0, even when data is pending.

How did you test this?  A small code demonstrating the problem would
help.  I'll see if I can get something to work too...

Note that the function doesn't peek in the socket, it just returns
what's stored in the internal buffer.  You need to use poll or select to
check whether data is pending in the socket.

Presumably, if you set up a server that returns a large buffer, and
writes a client that reads just one byte, then the g_r_check_pending
function should return non-0.

> I followed the 2.7.11 version in the debugger and it quickly ends up
> in gnutls_buffers.c:_gnutls_record_buffer_get_size().  That function
> just returns the value kept in
> session->internals.application_data_buffer.length -- and that value
> seems to be consistently zero.  I haven't figured out what is supposed
> to be setting it.

It is typically set by, e.g., _gnutls_record_buffer_put.

/Simon





From simon at josefsson.org  Thu May 28 18:46:03 2009
From: simon at josefsson.org (Simon Josefsson)
Date: Thu, 28 May 2009 18:46:03 +0200
Subject: gnutls_record_check_pending() broken?
In-Reply-To: <87octd5gjv.fsf@mocca.josefsson.org> (Simon Josefsson's message
	of "Thu, 28 May 2009 18:38:12 +0200")
References: <20090528160247.2497.qmail@wiredyne.com>
	<87octd5gjv.fsf@mocca.josefsson.org>
Message-ID: <87k5415g6s.fsf@mocca.josefsson.org>

Simon Josefsson <simon at josefsson.org> writes:

> Peter Hendrickson <pdh at wiredyne.com> writes:
>
>> gnutls_record_check_pending() doesn't work for me.  It always returns
>> 0, even when data is pending.
>
> How did you test this?  A small code demonstrating the problem would
> help.  I'll see if I can get something to work too...

Indeed, the patch below against mini.c demonstrate it working.  For me
it prints:

...
ret 1
waiting 8
...

/Simon

diff --git a/tests/mini.c b/tests/mini.c
index b64401d..a883c67 100644
--- a/tests/mini.c
+++ b/tests/mini.c
@@ -218,7 +218,12 @@ doit (void)
   ns = gnutls_record_send (server, MSG, strlen (MSG));
   success ("server: sent %d\n", ns);
 
-  ret = gnutls_record_recv (client, buffer, MAX_BUF);
+  ret = gnutls_record_recv (client, buffer, 1);
+  printf ("ret %d\n", ret);
+
+  printf ("waiting %d\n", gnutls_record_check_pending (client));
+
+  ret = gnutls_record_recv (client, buffer + 1, MAX_BUF);
   if (ret == 0)
     {
       fail ("client: Peer has closed the TLS connection\n");




From pdh at wiredyne.com  Thu May 28 19:56:32 2009
From: pdh at wiredyne.com (Peter Hendrickson)
Date: 28 May 2009 17:56:32 -0000
Subject: gnutls_record_check_pending() broken?
In-Reply-To: <87k5415g6s.fsf@mocca.josefsson.org> (message from Simon
	Josefsson on Thu, 28 May 2009 18:46:03 +0200)
References: <20090528160247.2497.qmail@wiredyne.com>
	<87octd5gjv.fsf@mocca.josefsson.org>
	<87k5415g6s.fsf@mocca.josefsson.org>
Message-ID: <20090528175632.28741.qmail@wiredyne.com>

Simon writes:
> Simon Josefsson <simon at josefsson.org> writes:
> > Peter Hendrickson <pdh at wiredyne.com> writes:
> >
> >> gnutls_record_check_pending() doesn't work for me.  It always returns
> >> 0, even when data is pending.
> >
> > How did you test this?  A small code demonstrating the problem would
> > help.  I'll see if I can get something to work too...
> 
> Indeed, the patch below against mini.c demonstrate it working.  For me
> it prints:

It prints for me, too.

What happens if you put the record_check_pending() call before you do
the gnutls_record_recv()?  For me, it reports no bytes pending, even
if I do a sleep(10).

Peter




From pdh at wiredyne.com  Thu May 28 20:25:31 2009
From: pdh at wiredyne.com (Peter Hendrickson)
Date: 28 May 2009 18:25:31 -0000
Subject: gnutls_dh_get_prime_bits() returns wrong values
Message-ID: <20090528182531.1883.qmail@wiredyne.com>

When I run gnutls_dh_get_prime_bits() it returns a value 8 bits larger
than the actual length of the prime.  For example, if I load a
Diffie-Hellman parameter with 4096 bits, I am told after the
negotiation that the prime was 4104 bits long.

It looks like it's getting something from dh->prime.size and
multiplying it by 8 and that prime.size is one larger than is correct.

In the debugger I watched gnutls_dh_params_import_pkcs3() load the
parameters and it looks like one-larger prime.size is getting set in
the process of ASN.1 parsing and MPI construction.  Probably that's
correct and dh_get_prime_bits() should be doing a little more work to
report the right value.  For one thing, if it's reporting the number
of bits, it can't multiply an integer by 8 and always be correct.

Peter




From simon at josefsson.org  Thu May 28 20:28:34 2009
From: simon at josefsson.org (Simon Josefsson)
Date: Thu, 28 May 2009 20:28:34 +0200
Subject: gnutls_record_check_pending() broken?
In-Reply-To: <20090528175632.28741.qmail@wiredyne.com> (Peter Hendrickson's
	message of "28 May 2009 17:56:32 -0000")
References: <20090528160247.2497.qmail@wiredyne.com>
	<87octd5gjv.fsf@mocca.josefsson.org>
	<87k5415g6s.fsf@mocca.josefsson.org>
	<20090528175632.28741.qmail@wiredyne.com>
Message-ID: <87r5y9w08d.fsf@mocca.josefsson.org>

Peter Hendrickson <pdh at wiredyne.com> writes:

> Simon writes:
>> Simon Josefsson <simon at josefsson.org> writes:
>> > Peter Hendrickson <pdh at wiredyne.com> writes:
>> >
>> >> gnutls_record_check_pending() doesn't work for me.  It always returns
>> >> 0, even when data is pending.
>> >
>> > How did you test this?  A small code demonstrating the problem would
>> > help.  I'll see if I can get something to work too...
>> 
>> Indeed, the patch below against mini.c demonstrate it working.  For me
>> it prints:
>
> It prints for me, too.
>
> What happens if you put the record_check_pending() call before you do
> the gnutls_record_recv()?  For me, it reports no bytes pending, even
> if I do a sleep(10).

That won't work: the purpose of gnutls_record_check_pending() is to
check if there is data stored in buffers within GnuTLS.  Before you call
gnutls_record_recv, there won't be any data in the buffers.  After a
call to gnutls_record_recv, the data that was not returned to the caller
of the function will be stored in an internal buffer.  The purpose of
the function is to find out if there is such data pending.

So I don't see a problem here actually.  It sounds as if you should use
poll/select to check if there is data pending to be read from the
socket.  When that is true, you should call gnutls_record_recv.  Of that
returns a complete buffer, you can call gnutls_record_check_pending how
much data is stored in a buffer -- that amount of data can be read
without a blocking socket read, again by calling gnutls_record_recv.

/Simon




From nmav at gnutls.org  Thu May 28 20:49:01 2009
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Thu, 28 May 2009 21:49:01 +0300
Subject: libtasn1 compile issue in ANS1.c
In-Reply-To: <87iqjoz0sa.fsf@mocca.josefsson.org>
References: <C63F5D98.22609%dg@ulysium.net> <4A1B50E1.3090404@gnutls.org>
	<87iqjoz0sa.fsf@mocca.josefsson.org>
Message-ID: <4A1EDC9D.90608@gnutls.org>

Simon Josefsson wrote:

>>> That did it!!!
>>> It didn't complain, built all the way and all 5 tests passed.
>>> One more porting issue fixed.
>> I just noticed that this enumeration is auto-generated with bison from
>> the given grammar's tokens, thus TRUE/FALSE cannot be replaced. However
>> would adding #undef TRUE and #undef FALSE solve the compilation issue
>> for you?
> 
> We can change the bison source, can't we?  Like this:

It seems I'm no longer familiar with bison :)

regards,
Nikos




From pdh at wiredyne.com  Thu May 28 21:02:55 2009
From: pdh at wiredyne.com (Peter Hendrickson)
Date: 28 May 2009 19:02:55 -0000
Subject: gnutls_record_check_pending() broken?
In-Reply-To: <87r5y9w08d.fsf@mocca.josefsson.org> (message from Simon
	Josefsson on Thu, 28 May 2009 20:28:34 +0200)
References: <20090528160247.2497.qmail@wiredyne.com>
	<87octd5gjv.fsf@mocca.josefsson.org>
	<87k5415g6s.fsf@mocca.josefsson.org>
	<20090528175632.28741.qmail@wiredyne.com>
	<87r5y9w08d.fsf@mocca.josefsson.org>
Message-ID: <20090528190255.14915.qmail@wiredyne.com>

Simon writes:
> That won't work: the purpose of gnutls_record_check_pending() is to
> check if there is data stored in buffers within GnuTLS.  Before you
> call gnutls_record_recv, there won't be any data in the buffers.
> After a call to gnutls_record_recv, the data that was not returned
> to the caller of the function will be stored in an internal buffer.
> The purpose of the function is to find out if there is such data
> pending.

Okay, that makes sense to me.  This should be elaborated upon in the
documentation because the obvious use for this function is to ask "if
I run gnutls_record_recv() will it block?" which is apparently not
what it does.

> So I don't see a problem here actually.  It sounds as if you should use
> poll/select to check if there is data pending to be read from the
> socket.  When that is true, you should call gnutls_record_recv.

I needed to do that anyway, so no great loss. ;-)

Peter




From simon at josefsson.org  Thu May 28 22:18:58 2009
From: simon at josefsson.org (Simon Josefsson)
Date: Thu, 28 May 2009 22:18:58 +0200
Subject: gnutls_record_check_pending() broken?
In-Reply-To: <20090528190255.14915.qmail@wiredyne.com> (Peter Hendrickson's
	message of "28 May 2009 19:02:55 -0000")
References: <20090528160247.2497.qmail@wiredyne.com>
	<87octd5gjv.fsf@mocca.josefsson.org>
	<87k5415g6s.fsf@mocca.josefsson.org>
	<20090528175632.28741.qmail@wiredyne.com>
	<87r5y9w08d.fsf@mocca.josefsson.org>
	<20090528190255.14915.qmail@wiredyne.com>
Message-ID: <87ws81nfpp.fsf@mocca.josefsson.org>

Peter Hendrickson <pdh at wiredyne.com> writes:

> Simon writes:
>> That won't work: the purpose of gnutls_record_check_pending() is to
>> check if there is data stored in buffers within GnuTLS.  Before you
>> call gnutls_record_recv, there won't be any data in the buffers.
>> After a call to gnutls_record_recv, the data that was not returned
>> to the caller of the function will be stored in an internal buffer.
>> The purpose of the function is to find out if there is such data
>> pending.
>
> Okay, that makes sense to me.  This should be elaborated upon in the
> documentation because the obvious use for this function is to ask "if
> I run gnutls_record_recv() will it block?" which is apparently not
> what it does.

It can be used for that -- gnutls_record_recv will never invoke the pull
function (and thus will never block) if you call it with a sizeofdata
parameter less/equal to what gnutls_record_check_pending has just
returned.

/Simon




From dg at ulysium.net  Thu May 28 22:54:14 2009
From: dg at ulysium.net (Didier Godefroy)
Date: Thu, 28 May 2009 22:54:14 +0200
Subject: libtasn1 compile issue in ANS1.c
In-Reply-To: <87vdnl797k.fsf@mocca.josefsson.org>
Message-ID: <XCC.C644C697.227E6%dg@ulysium.net>

on 5/28/09 1:33 PM, Simon Josefsson at simon at josefsson.org uttered the
following:

>> Here are the variables I put in the environment before configure:
>> 
>> CC=cc
>> CFLAGS="-O4 -g3 -w"
>> CPPFLAGS="-pthread -I/usr/local/include"
>> LDFLAGS="-L/usr/local/lib"
>> LD_LIBRARY_PATH=/usr/local/lib
>> MAKE=gmake
>> PATH=/usr/bin:/bin:/usr/sbin:/sbin:.:/usr/local/bin
>> 
>> And this is all I have for configure:
>> 
>> ./configure \
>> --prefix=/usr/local \
>> --enable-gtk-doc-html=no \
>> --verbose
>> 
>> I turn off the compiler warnings with -w but if you wanted to clean up a few
>> more things, I could re-run the build without it and send you that log.
>> This should give you a pretty good look into tru64's building of tasn1 now.
>> It's working nicely out of the box now, aside from a few small details such
>> as the "cannot open ./.prev-version" and maybe some compiler warnings, it's
>> looking good.
> 
> Please do a -w compile.  The .prev-version is harmless.

Ok, I rebuilt from scratch with the warnings turned on, and there are many
warnings.

Make log attached.

I will re-test if you find fixes and you wish to get this tested again on my
platform.


Thanks,


-- 
Didier Godefroy
mailto:dg at ulysium.net
Support anti-Spam legislation.
Join the fight http://www.cauce.org/






From simon at josefsson.org  Thu May 28 23:08:14 2009
From: simon at josefsson.org (Simon Josefsson)
Date: Thu, 28 May 2009 23:08:14 +0200
Subject: libtasn1 compile issue in ANS1.c
In-Reply-To: <C644C697.227E6%dg@ulysium.net> (Didier Godefroy's message of
	"Thu, 28 May 2009 22:54:14 +0200")
References: <C644C697.227E6%dg@ulysium.net>
Message-ID: <87k541ndfl.fsf@mocca.josefsson.org>

Didier Godefroy <dg at ulysium.net> writes:

> Ok, I rebuilt from scratch with the warnings turned on, and there are many
> warnings.
>
> Make log attached.

Thanks, all warnings were of the 'ptrmismatch1' type which are rather
harmless.  Patches welcome. ;)

/Simon




From dg at ulysium.net  Thu May 28 23:12:16 2009
From: dg at ulysium.net (Didier Godefroy)
Date: Thu, 28 May 2009 23:12:16 +0200
Subject: libtasn1 compile issue in ANS1.c
In-Reply-To: <87k541ndfl.fsf@mocca.josefsson.org>
Message-ID: <C644CAD0.227EB%dg@ulysium.net>

on 5/28/09 11:08 PM, Simon Josefsson at simon at josefsson.org uttered the
following:

> Didier Godefroy <dg at ulysium.net> writes:
> 
>> Ok, I rebuilt from scratch with the warnings turned on, and there are many
>> warnings.
>> 
>> Make log attached.
> 
> Thanks, all warnings were of the 'ptrmismatch1' type which are rather
> harmless.  Patches welcome. ;)

I wouldn't know how to fix that, so patches wouldn't come from me
unfortunately. I'm not a C programmer and I would be too afraid of screwing
something up if I changed some code...

:-/

-- 
Didier Godefroy
mailto:dg at ulysium.net
Support anti-Spam legislation.
Join the fight http://www.cauce.org/






From simon at josefsson.org  Thu May 28 23:24:08 2009
From: simon at josefsson.org (Simon Josefsson)
Date: Thu, 28 May 2009 23:24:08 +0200
Subject: libtasn1 compile issue in ANS1.c
In-Reply-To: <C644CAD0.227EB%dg@ulysium.net> (Didier Godefroy's message of
	"Thu, 28 May 2009 23:12:16 +0200")
References: <87k541ndfl.fsf@mocca.josefsson.org>
	<C644CAD0.227EB%dg@ulysium.net>
Message-ID: <87fxeoor9j.fsf@mocca.josefsson.org>

Didier Godefroy <dg at ulysium.net> writes:

> on 5/28/09 11:08 PM, Simon Josefsson at simon at josefsson.org uttered the
> following:
>
>> Didier Godefroy <dg at ulysium.net> writes:
>> 
>>> Ok, I rebuilt from scratch with the warnings turned on, and there are many
>>> warnings.
>>> 
>>> Make log attached.
>> 
>> Thanks, all warnings were of the 'ptrmismatch1' type which are rather
>> harmless.  Patches welcome. ;)
>
> I wouldn't know how to fix that, so patches wouldn't come from me
> unfortunately. I'm not a C programmer and I would be too afraid of screwing
> something up if I changed some code...

Until someone else steps up to work on this, don't worry, as I believe
the warnings are harmless.

/Simon




From matej at svrcek.org  Sat May 30 21:41:25 2009
From: matej at svrcek.org (=?iso-8859-2?q?Mat=ECj_=A9vr=E8ek?=)
Date: Sat, 30 May 2009 21:41:25 +0200
Subject: Libtasn1
Message-ID: <200905302141.25676.matej@svrcek.org>

Hallo,

I would like to report a broken link on your site 
http://www.gnu.org/software/gnutls/download.html

I tried several links to download libtasn1, but none of the links worked for 
me, it seems as libtasn1 is no longer part of GNU project.

Hope it helps

Matthew
--
Matej Svrcek
gsm 777711818
skype matejsvrcek
jabber prom at jabbim.cz





From nmav at gnutls.org  Sun May 31 09:04:10 2009
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Sun, 31 May 2009 10:04:10 +0300
Subject: gnutls_dh_get_prime_bits() returns wrong values
In-Reply-To: <20090528182531.1883.qmail@wiredyne.com>
References: <20090528182531.1883.qmail@wiredyne.com>
Message-ID: <4A222BEA.1020107@gnutls.org>

Peter Hendrickson wrote:
> When I run gnutls_dh_get_prime_bits() it returns a value 8 bits larger
> than the actual length of the prime.  For example, if I load a
> Diffie-Hellman parameter with 4096 bits, I am told after the
> negotiation that the prime was 4104 bits long.
> 
> It looks like it's getting something from dh->prime.size and
> multiplying it by 8 and that prime.size is one larger than is correct.
> 
> In the debugger I watched gnutls_dh_params_import_pkcs3() load the
> parameters and it looks like one-larger prime.size is getting set in
> the process of ASN.1 parsing and MPI construction.  Probably that's
> correct and dh_get_prime_bits() should be doing a little more work to
> report the right value.  For one thing, if it's reporting the number
> of bits, it can't multiply an integer by 8 and always be correct.

Indeed you are right and thank you for the bug report. The number is
being rounded on byte level. I have noted it down as bug.

regards,
Nikos




From nmav at gnutls.org  Sun May 31 08:57:04 2009
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Sun, 31 May 2009 09:57:04 +0300
Subject: Libtasn1
In-Reply-To: <200905302141.25676.matej@svrcek.org>
References: <200905302141.25676.matej@svrcek.org>
Message-ID: <4A222A40.20308@gnutls.org>

Mat?j ?vr?ek wrote:
> Hallo,
> 
> I would like to report a broken link on your site 
> http://www.gnu.org/software/gnutls/download.html
> 
> I tried several links to download libtasn1, but none of the links worked for 
> me, it seems as libtasn1 is no longer part of GNU project.

Until the link is fixed. You can download it from the gnutls directory:
http://ftp.gnu.org/pub/gnu/gnutls/

regards,
Nikos