From ametzler at downhill.at.eu.org  Sun Nov  1 13:34:36 2009
From: ametzler at downhill.at.eu.org (Andreas Metzler)
Date: Sun, 1 Nov 2009 13:34:36 +0100
Subject: Timebombs in testsuite
In-Reply-To: <87hbtik4px.fsf@mocca.josefsson.org>
References: <20091026132616.GF3347@downhill.g.la>
	<87hbtik4px.fsf@mocca.josefsson.org>
Message-ID: <20091101123436.GB3320@downhill.g.la>

On 2009-10-29 Simon Josefsson <simon at josefsson.org> wrote:
> Andreas Metzler <ametzler at downhill.at.eu.org> writes:
[cert expiry timebomb]
> ...
> > Can these be handled proactively before they actually break?

> Good point.  I'm thinking of using something like the patch below.
> Thoughts?

> /Simon

> diff --git a/tests/chainverify.c b/tests/chainverify.c
> index 19b27eb..13d4710 100644
> --- a/tests/chainverify.c
> +++ b/tests/chainverify.c
> @@ -32,6 +32,21 @@
>  #include <gnutls/gnutls.h>
>  #include <gnutls/x509.h>

> +/* GnuTLS internally calls time() to find out the current time when
> +   verifying certificates.  To avoid a time bomb, we hard code the
> +   current time.  This should work fine on systems where the library
> +   call to time is resolved at run-time.  */
> +time_t
> +time (time_t *t)
> +{
> +  time_t then = 1256803113;
> +
> +  if (t)
> +    *t = then;
> +
> +  return then;
> +}
> +
>  /* *INDENT-OFF* */

>  /* Triggers incorrect verification success on older versions */

Works for me. Applied and uploaded to Debian.

thanks, cu andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'




From david.kirkby at onetel.net  Sun Nov  1 16:14:58 2009
From: david.kirkby at onetel.net (Dr. David Kirkby)
Date: Sun, 01 Nov 2009 15:14:58 +0000
Subject: Build + test problems on OpenSolaris (aka Solaris 11)
Message-ID: <4AEDA5F2.5000502@onetel.net>

I'm trying to build gnutls-2.8.4 on a Sun Ultra 27 running OpenSolaris (aka 
Solaris 11). The Ultra 27 has 3.333 GHz Quad core Intel Xeon processor, so is 
*not* one of Sun's SPARC processors.

I'm using gcc 3.4.3.

First gnutils-2.8.4  would not build at all, but would give this error message:

Undefined                       first referenced
  symbol                             in file
inet_ntop                           ex-serv1.o  (symbol belongs to implicit 
dependency /lib/libnsl.so.1)
ld: fatal: symbol referencing errors. No output written to ex-serv1

A web search found someone else having the exact same problem on Solaris 10 (not 
11).

http://mail-index.netbsd.org/pkgsrc-bugs/2009/06/17/msg032744.html

A look in the man page for inet_ntop showed:

SYNOPSIS
      cc [ flag... ] file... -lsocket  -lnsl  [ library... ]

so I tried to configure again, this time adding the 'nsl' library.

$ ./configure 'LIBS=-lnsl'


That worked, and the code built ok. But it fails one test.


...
|<2>| ASSERT: mpi.c:620
|<2>| ASSERT: dn.c:1210
         Verifying...sh: line 10: 18564: Memory fault(coredump)
FAIL: chainverify
...
===================================
1 of 35 tests failed
Please report to bug-gnutls at gnu.org
===================================

I noticed someone else had a problem on Solaris with a test failure, which was 
resolved by changing HUGE_VAL to HUGE, but this was thought to be a compiler bug.

http://old.nabble.com/On-dropping--D_REENTRANT--D_THREAD_SAFE-td14620552.html

I do not want to waste your time on this test failures until I have verified it 
with a recent version of gcc.

But the requirement to add the library does seem to be necessary with Solaris on 
x86 platforms. I think it is x86, rather than Solaris 10 vs 11, as the post 
above shows problems with Solaris 10 on x86, but I know Solaris 10 on SPARC has 
presented no such issue.

Dave
-------------- next part --------------
A non-text attachment was scrubbed...
Name: typescript.gz
Type: application/x-gzip
Size: 19050 bytes
Desc: not available
URL: </pipermail/attachments/20091101/212e9e82/attachment.bin>

From simon at josefsson.org  Mon Nov  2 11:40:49 2009
From: simon at josefsson.org (Simon Josefsson)
Date: Mon, 02 Nov 2009 11:40:49 +0100
Subject: Build + test problems on OpenSolaris (aka Solaris 11)
In-Reply-To: <4AEDA5F2.5000502@onetel.net> (David Kirkby's message of "Sun, 01
	Nov 2009 15:14:58 +0000")
References: <4AEDA5F2.5000502@onetel.net>
Message-ID: <87bpjlnr9q.fsf@mocca.josefsson.org>

"Dr. David Kirkby" <david.kirkby at onetel.net> writes:

> I'm trying to build gnutls-2.8.4 on a Sun Ultra 27 running OpenSolaris
> (aka Solaris 11). The Ultra 27 has 3.333 GHz Quad core Intel Xeon
> processor, so is *not* one of Sun's SPARC processors.
>
> I'm using gcc 3.4.3.
>
> First gnutils-2.8.4  would not build at all, but would give this error message:
>
> Undefined                       first referenced
>  symbol                             in file
> inet_ntop                           ex-serv1.o  (symbol belongs to
> implicit dependency /lib/libnsl.so.1)
> ld: fatal: symbol referencing errors. No output written to ex-serv1
>
> A web search found someone else having the exact same problem on
> Solaris 10 (not 11).
>
> http://mail-index.netbsd.org/pkgsrc-bugs/2009/06/17/msg032744.html
>
> A look in the man page for inet_ntop showed:
>
> SYNOPSIS
>      cc [ flag... ] file... -lsocket  -lnsl  [ library... ]
>
> so I tried to configure again, this time adding the 'nsl' library.
>
> $ ./configure 'LIBS=-lnsl'
>
>
> That worked, and the code built ok.

When you don't use the workaround, what is the value of LIBSOCKET in
doc/examples/Makefile?  I think it should contain -lnsl, and should be
used when linking ex-serv1.  Can you show the build output?

> But it fails one test.
>
>
> ...
> FAIL: chainverify

Yep -- known problem, but you could ignore it.  It will be fixed in soon
to be released 2.8.5.

> I noticed someone else had a problem on Solaris with a test failure,
> which was resolved by changing HUGE_VAL to HUGE, but this was thought
> to be a compiler bug.
>
> http://old.nabble.com/On-dropping--D_REENTRANT--D_THREAD_SAFE-td14620552.html
>
> I do not want to waste your time on this test failures until I have
> verified it with a recent version of gcc.

That was a different problem.  But trying with a more recent gcc version
may be useful anyway, for the -lnsl issue.

> But the requirement to add the library does seem to be necessary with
> Solaris on x86 platforms. I think it is x86, rather than Solaris 10 vs
> 11, as the post above shows problems with Solaris 10 on x86, but I
> know Solaris 10 on SPARC has presented no such issue.

Gnulib modules should take care of the -lnsl issue, but it may be that
for some reason it is not working properly.

/Simon




From simon at josefsson.org  Mon Nov  2 12:55:43 2009
From: simon at josefsson.org (Simon Josefsson)
Date: Mon, 02 Nov 2009 12:55:43 +0100
Subject: GnuTLS 2.8.5
Message-ID: <87eiohm98g.fsf@mocca.josefsson.org>

We are proud to announce a new stable GnuTLS release: Version 2.8.5.

GnuTLS is a modern C library that implements the standard network
security protocol Transport Layer Security (TLS), for use by network
applications.  GnuTLS is developed for GNU/Linux, but works on many
Unix-like systems and comes with a binary installer for Windows.

The GnuTLS library is distributed under the terms of the GNU Lesser
General Public License version 2.1 (or later).  The "extra" GnuTLS
library (which contains TLS/IA support, LZO compression and Libgcrypt
FIPS-mode handler), the OpenSSL compatibility library, the self tests
and the command line tools are all distributed under the GNU General
Public License version 3.0 (or later).  The manual is distributed
under the GNU Free Documentation License version 1.3 (or later).

The project page of the library is available at:
  http://www.gnu.org/software/gnutls/

What's New
==========

** libgnutls: In server side when resuming a session do not overwrite the 
** initial session data with the resumed session data.

** libgnutls: Fix PKCS#12 encoding.
The error you would get was "The OID is not supported.".  Problem
introduced for the v2.8.x branch in 2.7.6.

** guile: Compatibility with guile 2.x.
By Ludovic Courtes <ludovic.courtes at laas.fr>.

** tests: Fix expired cert in chainverify self-test.

** tests: Fix time bomb in chainverify self-test.
Reported by Andreas Metzler <ametzler at downhill.at.eu.org> in
<http://thread.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3925>.

** API and ABI modifications:
No changes since last version.

Getting the Software
====================

GnuTLS may be downloaded from one of the mirror sites or direct from
<ftp://ftp.gnu.org/gnu/gnutls/>.  The list of mirrors can be found at
<http://www.gnu.org/software/gnutls/download.html>.

Here are the BZIP2 compressed sources (6.0MB):

  ftp://ftp.gnu.org/gnu/gnutls/gnutls-2.8.5.tar.bz2
  http://ftp.gnu.org/gnu/gnutls/gnutls-2.8.5.tar.bz2

Here are OpenPGP detached signatures signed using key 0xB565716F:

  ftp://ftp.gnu.org/gnu/gnutls/gnutls-2.8.5.tar.bz2.sig
  http://ftp.gnu.org/gnu/gnutls/gnutls-2.8.5.tar.bz2.sig

Note, that we don't distribute gzip compressed tarballs.

In order to check that the version of GnuTLS which you are going to
install is an original and unmodified one, you should verify the OpenPGP
signature.  You can use the command

     gpg --verify gnutls-2.8.5.tar.bz2.sig

This checks whether the signature file matches the source file.  You
should see a message indicating that the signature is good and made by
that signing key.  Make sure that you have the right key, either by
checking the fingerprint of that key with other sources or by checking
that the key has been signed by a trustworthy other key.  The signing
key can be identified with the following information:

pub   1280R/B565716F 2002-05-05 [expires: 2010-04-21]
      Key fingerprint = 0424 D4EE 81A0 E3D1 19C6  F835 EDA2 1E94 B565 716F
uid                  Simon Josefsson <simon at josefsson.org>
uid                  Simon Josefsson <jas at extundo.com>
sub   1280R/4D5D40AE 2002-05-05 [expires: 2010-04-21]

The key is available from:
  http://josefsson.org/key.txt
  dns:b565716f.josefsson.org?TYPE=CERT

Alternatively, after successfully verifying the OpenPGP signature of
this announcement, you could verify that the files match the following
checksum values.  The values are for SHA-1 and SHA-224 respectively:

5121c52efd4718ad3d8b641d28343b0c6abaa571  gnutls-2.8.5.tar.bz2
9d6f1906e380cc7366e2427493c33b72a137e438cdc9080fba3d84f6  gnutls-2.8.5.tar.bz2

Documentation
=============

The manual is available online at:

  http://www.gnu.org/software/gnutls/documentation.html

In particular the following formats are available:

 HTML: http://www.gnu.org/software/gnutls/manual/html_node/index.html
 PDF: http://www.gnu.org/software/gnutls/manual/gnutls.pdf

For developers there is a GnuTLS API reference manual formatted using
the GTK-DOC tools:

  http://www.gnu.org/software/gnutls/reference/gnutls-gnutls.html

For developers interested in improving code quality, we publish
Cyclomatic code complexity charts that help you find code that may need
review and improvements:

  http://www.gnu.org/software/gnutls/cyclo/

Also useful are code coverage charts which indicate parts of the source
code that needs to be tested better by the included self-tests:

  http://www.gnu.org/software/gnutls/coverage/

Community
=========

If you need help to use GnuTLS, or want to help others, you are invited
to join our help-gnutls mailing list, see:

  http://lists.gnu.org/mailman/listinfo/help-gnutls

If you wish to participate in the development of GnuTLS, you are invited
to join our gnutls-dev mailing list, see:

  http://lists.gnu.org/mailman/listinfo/gnutls-devel

Windows installer
=================

GnuTLS has been ported to the Windows operating system, and a binary
installer is available.  The installer contains DLLs for application
development, manuals, examples, and source code.  The installer includes
libgpg-error v1.7, libgcrypt v1.4.4, libtasn1 v2.3, and GnuTLS v2.8.5.

For more information about GnuTLS for Windows:
  http://josefsson.org/gnutls4win/

The Windows binary installer and PGP signature:
  http://josefsson.org/gnutls4win/gnutls-2.8.5.exe (15MB)
  http://josefsson.org/gnutls4win/gnutls-2.8.5.exe.sig

The checksum values for SHA-1 and SHA-224 are:

5dadd78a630f30d3b4b3a34261068e74cba28d80  gnutls-2.8.5.exe
53af38a54ff2f971d9eecfb44f4ab39cc6dbad371ad6425d312eaccd  gnutls-2.8.5.exe

A ZIP archive containing the Windows binaries:
  http://josefsson.org/gnutls4win/gnutls-2.8.5.zip (5.3MB)
  http://josefsson.org/gnutls4win/gnutls-2.8.5.zip.sig

The checksum values for SHA-1 and SHA-224 are:

b41c0ac3088620bf78996d719b335317cb90405a  gnutls-2.8.5.zip
73ca7da90ebac569948114735d6899a08431ebbe15be3d619bec05a3  gnutls-2.8.5.zip

A Debian mingw32 package is also available:
  http://josefsson.org/gnutls4win/mingw32-gnutls_2.8.5-1_all.deb (4.8MB)

The checksum values for SHA-1 and SHA-224 are:

4ecb2e7617d8722d090ec96138ce595647c06a82  mingw32-gnutls_2.8.5-1_all.deb
cbdd418aea622dfaf9876f563ebc1e192ec0ab90bca8748277501e76  mingw32-gnutls_2.8.5-1_all.deb

Internationalization
====================

The GnuTLS library messages have been translated into Czech, Dutch,
French, German, Malay, Polish, Swedish, and Vietnamese.  We welcome the
addition of more translations.

Support
=======

Improving GnuTLS is costly, but you can help!  We are looking for
organizations that find GnuTLS useful and wish to contribute back.  You
can contribute by reporting bugs, improve the software, or donate money
or equipment.

Commercial support contracts for GnuTLS are available, and they help
finance continued maintenance.  Simon Josefsson Datakonsult AB, a
Stockholm based privately held company, is currently funding GnuTLS
maintenance.  We are always looking for interesting development
projects.  See http://josefsson.org/ for more details.

The GnuTLS service directory is available at:

  http://www.gnu.org/software/gnutls/commercial.html

Happy Hacking,
Simon
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 420 bytes
Desc: not available
URL: </pipermail/attachments/20091102/7722542a/attachment.pgp>

From bkasarov at gmail.com  Mon Nov  2 13:13:15 2009
From: bkasarov at gmail.com (Boyan Kasarov)
Date: Mon, 02 Nov 2009 14:13:15 +0200
Subject: Build + test problems on OpenSolaris (aka Solaris 11)
In-Reply-To: <87bpjlnr9q.fsf@mocca.josefsson.org>
References: <4AEDA5F2.5000502@onetel.net> <87bpjlnr9q.fsf@mocca.josefsson.org>
Message-ID: <1257163995.3375.200.camel@175-58.evo.bg>

Hello,

This is the build output for the example

gcc -std=gnu99 -DHAVE_CONFIG_H -I. -I../..  -I../../lib/includes
-I../../lib/includes -I../../libextra/includes -I../../gl -I../../gl
-g -O2 -MT ex-serv-export.o -MD -MP -MF .deps/ex-serv-export.Tpo -c -o
ex-serv-export.o ex-serv-export.c
mv -f .deps/ex-serv-export.Tpo .deps/ex-serv-export.Po
/bin/sh ../../libtool --tag=CC   --mode=link gcc -std=gnu99   -g -O2
-no-install  -o ex-serv-export ex-serv-export.o
libexamples.la ../../lib/libgnutls.la ../../libextra/libgnutls-extra.la ../../gl/libgnu.la -lsocket 

libtool: link: gcc -std=gnu99 -g -O2 -o ex-serv-export
ex-serv-export.o  ./.libs/libexamples.a ../../lib/.libs/libgnutls.so ../../libextra/.libs/libgnutls-extra.so /export/home/derex/workspace/gnutls-2.9.8/lib/.libs/libgnutls.so -ltasn1 -lz -lgcrypt ../../gl/.libs/libgnu.a -lsocket -R/export/home/derex/workspace/gnutls-2.9.8/lib/.libs -R/export/home/derex/workspace/gnutls-2.9.8/libextra/.libs -R/tmp/gnutls/lib

ld: warning:
file /export/home/derex/workspace/gnutls-2.9.8/lib/.libs/libgnutls.so:
linked to ../../lib/.libs/libgnutls.so: attempted multiple inclusion of
file
Undefined                       first referenced
symbol                             in file
inet_ntop                           ex-serv-export.o  (symbol belongs to
implicit dependency /lib/libnsl.so.1)
ld: fatal: symbol referencing errors. No output written to
ex-serv-export

On Mon, 2009-11-02 at 11:40 +0100, Simon Josefsson wrote:
> When you don't use the workaround, what is the value of LIBSOCKET in
> doc/examples/Makefile?  I think it should contain -lnsl, and should be
> used when linking ex-serv1.  Can you show the build output?

LIBSOCKET = -lsocket

Boyan






From david.kirkby at onetel.net  Mon Nov  2 13:58:53 2009
From: david.kirkby at onetel.net (Dr. David Kirkby)
Date: Mon, 02 Nov 2009 12:58:53 +0000
Subject: Build + test problems on OpenSolaris (aka Solaris 11)
In-Reply-To: <87iqdtcd9l.fsf@mocca.josefsson.org>
References: <4AEDA5F2.5000502@onetel.net>
	<87bpjlnr9q.fsf@mocca.josefsson.org>	<1257163995.3375.200.camel@175-58.evo.bg>
	<87iqdtcd9l.fsf@mocca.josefsson.org>
Message-ID: <4AEED78D.5090206@onetel.net>

Simon Josefsson wrote:
> The GnuTLS team received the bug report below, but it appears to be a
> gnulib issue.

<SNIP>

> How about this patch?  Not tested on Solaris systems, but posted for
> review of my general idea.
> 
> /Simon

I'll check that later.

I would add, if any developer wants access to a Solaris system, I can arrange 
that on a permanent basis.

Sun donated a Sun T5240 (16 cores) to the Sage project.

http://www.sagemath.org/

Anyone writing code used in Sage in any way, would be welcome to an account on 
that SPARC machine. Just drop me a private email with your preferred username 
and I'll set you an account up on that at the University of Washington.

This particular issue is only seen on Solaris 11 to my knowledge, despite the 
fact that the library function has not changed between Solaris 10 and 11. I will 
need to sort out the best way to get you an account on a Solaris 11 (OpenSolaris 
x86) system, but doing it will be no problem. It would take me a bit longer. (As 
a short term solution, I do not mind doing do on my own personal machine, but a 
better longer term solution would be at the university.)

BTW, if you want to install OpenSolaris on a linux box, you can use VirtualBox. 
Both VirtualBox and Solaris are free. Just run Solaris as a virtual machine.

PS, for what it is worth, this builds fine on HP C3600 workstation with a 
PA-RISC processor running HP-UX 11.11. At some point over the next few months, I 
might try it on IBM's AIX.


Dave




From nmav at gnutls.org  Mon Nov  2 20:13:39 2009
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Mon, 02 Nov 2009 21:13:39 +0200
Subject: TLS 1.2 server
In-Reply-To: <873a56cxty.fsf@mocca.josefsson.org>
References: <87iqf1p592.fsf@broken.deisui.org>	<87r5tp56c4.fsf@mocca.josefsson.org>	<87ske44pfy.fsf@mocca.josefsson.org>	<87pr98eha4.fsf@broken.deisui.org>	<87eipo4jgc.fsf@mocca.josefsson.org>	<87ljjwdv8c.fsf@broken.deisui.org>	<87zl8buyc2.fsf@mocca.josefsson.org>
	<4AE26E73.4070907@gnutls.org> <873a56cxty.fsf@mocca.josefsson.org>
Message-ID: <4AEF2F63.4080103@gnutls.org>

Simon Josefsson wrote:

> That's missing, right.  Client-authentication with TLS 1.2 and
> certificate signing callbacks doesn't seem to be working right either,
> the sign callback receives a string of size 36 (SHA1+MD5) but it should
> be a PKCS#1 SHA1/SHA2 structure.

Hi,
 I think I fixed this part during the weekend, however I don't know if
the value received by the callback is what it is expected.

> Yeah, I know. :-(
> 
> My plan was to create some helper functions to do the hashing, and set
> up separate hashing for all of MD5, SHA-1, SHA-2 and let the later code
> figure out which hash to actually use.  This is wasteful, but that is
> the TLS 1.2 design.

I now use only SHA-1 and SHA-256 and wait for a fix in TLS 1.3 :)
(MD5 is no use for a signature anyway, and the rest... just allow SHA-256 :)

regards,
Nikos




From simon at josefsson.org  Tue Nov  3 07:35:54 2009
From: simon at josefsson.org (Simon Josefsson)
Date: Tue, 03 Nov 2009 07:35:54 +0100
Subject: TLS 1.2 server
In-Reply-To: <4AEF2F63.4080103@gnutls.org> (Nikos Mavrogiannopoulos's message
	of "Mon, 02 Nov 2009 21:13:39 +0200")
References: <87iqf1p592.fsf@broken.deisui.org>
	<87r5tp56c4.fsf@mocca.josefsson.org>
	<87ske44pfy.fsf@mocca.josefsson.org>
	<87pr98eha4.fsf@broken.deisui.org>
	<87eipo4jgc.fsf@mocca.josefsson.org>
	<87ljjwdv8c.fsf@broken.deisui.org>
	<87zl8buyc2.fsf@mocca.josefsson.org> <4AE26E73.4070907@gnutls.org>
	<873a56cxty.fsf@mocca.josefsson.org> <4AEF2F63.4080103@gnutls.org>
Message-ID: <87k4y89ktx.fsf@mocca.josefsson.org>

Nikos Mavrogiannopoulos <nmav at gnutls.org> writes:

> Simon Josefsson wrote:
>
>> That's missing, right.  Client-authentication with TLS 1.2 and
>> certificate signing callbacks doesn't seem to be working right either,
>> the sign callback receives a string of size 36 (SHA1+MD5) but it should
>> be a PKCS#1 SHA1/SHA2 structure.
>
> Hi,
>  I think I fixed this part during the weekend, however I don't know if
> the value received by the callback is what it is expected.

Great, I'll check it.

Btw, I backed out some patch from the gnutls-2.8 branch because it was
added after I made the release candidate and I didn't want to delay the
release.  The patch looked quite large though, is it really appropriate
for 2.8.x?  TLS 1.2 isn't enabled by default in 2.8 because it never
worked well, so I don't think TLS 1.2 related fixes are suitable for
that branch.

>> Yeah, I know. :-(
>> 
>> My plan was to create some helper functions to do the hashing, and set
>> up separate hashing for all of MD5, SHA-1, SHA-2 and let the later code
>> figure out which hash to actually use.  This is wasteful, but that is
>> the TLS 1.2 design.
>
> I now use only SHA-1 and SHA-256 and wait for a fix in TLS 1.3 :)
> (MD5 is no use for a signature anyway, and the rest... just allow SHA-256 :)

Let's see if it gets fixed...  I'm not holding my breath.

/Simon




From nmav at gnutls.org  Tue Nov  3 19:20:14 2009
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Tue, 03 Nov 2009 20:20:14 +0200
Subject: TLS 1.2 server
In-Reply-To: <87k4y89ktx.fsf@mocca.josefsson.org>
References: <87iqf1p592.fsf@broken.deisui.org>	<87r5tp56c4.fsf@mocca.josefsson.org>	<87ske44pfy.fsf@mocca.josefsson.org>	<87pr98eha4.fsf@broken.deisui.org>	<87eipo4jgc.fsf@mocca.josefsson.org>	<87ljjwdv8c.fsf@broken.deisui.org>	<87zl8buyc2.fsf@mocca.josefsson.org>
	<4AE26E73.4070907@gnutls.org>	<873a56cxty.fsf@mocca.josefsson.org>
	<4AEF2F63.4080103@gnutls.org> <87k4y89ktx.fsf@mocca.josefsson.org>
Message-ID: <4AF0745E.4030702@gnutls.org>

Simon Josefsson wrote:

> Btw, I backed out some patch from the gnutls-2.8 branch because it was
> added after I made the release candidate and I didn't want to delay the
> release.  The patch looked quite large though, is it really appropriate
> for 2.8.x?  TLS 1.2 isn't enabled by default in 2.8 because it never
> worked well, so I don't think TLS 1.2 related fixes are suitable for
> that branch.

I was also worrying about it since it was many fixes in one. The only
reason I committed it, was because it fixed the memory leak issue in
interrupted handshake.

regards,
Nikos




From simon at josefsson.org  Wed Nov  4 12:31:26 2009
From: simon at josefsson.org (Simon Josefsson)
Date: Wed, 04 Nov 2009 12:31:26 +0100
Subject: TLS 1.2 server
In-Reply-To: <4AF0745E.4030702@gnutls.org> (Nikos Mavrogiannopoulos's message
	of "Tue, 03 Nov 2009 20:20:14 +0200")
References: <87iqf1p592.fsf@broken.deisui.org>
	<87r5tp56c4.fsf@mocca.josefsson.org>
	<87ske44pfy.fsf@mocca.josefsson.org>
	<87pr98eha4.fsf@broken.deisui.org>
	<87eipo4jgc.fsf@mocca.josefsson.org>
	<87ljjwdv8c.fsf@broken.deisui.org>
	<87zl8buyc2.fsf@mocca.josefsson.org> <4AE26E73.4070907@gnutls.org>
	<873a56cxty.fsf@mocca.josefsson.org> <4AEF2F63.4080103@gnutls.org>
	<87k4y89ktx.fsf@mocca.josefsson.org> <4AF0745E.4030702@gnutls.org>
Message-ID: <87bpjijzld.fsf@mocca.josefsson.org>

Nikos Mavrogiannopoulos <nmav at gnutls.org> writes:

> Simon Josefsson wrote:
>
>> Btw, I backed out some patch from the gnutls-2.8 branch because it was
>> added after I made the release candidate and I didn't want to delay the
>> release.  The patch looked quite large though, is it really appropriate
>> for 2.8.x?  TLS 1.2 isn't enabled by default in 2.8 because it never
>> worked well, so I don't think TLS 1.2 related fixes are suitable for
>> that branch.
>
> I was also worrying about it since it was many fixes in one. The only
> reason I committed it, was because it fixed the memory leak issue in
> interrupted handshake.

Is it possible to fix only that leak without the other stuff?

/Simon




From bradh at frogmouth.net  Thu Nov  5 02:32:26 2009
From: bradh at frogmouth.net (Brad Hards)
Date: Thu, 5 Nov 2009 12:32:26 +1100
Subject: building recent git
Message-ID: <200911051232.26679.bradh@frogmouth.net>

Hi,

I'm having a problem with building a recent git checkout.
"make bootstrap" results in
configure: summary of build options:

  version:          2.9.8 shared 42:3:16
  Host type:        i686-pc-linux-gnu
  Install prefix:   /usr/local
  Compiler:         gcc -std=gnu99
  Warning flags:    errors:  -Werror warnings:  -Wall -W -Wformat-security -Winit-self -Wmissing-include-dirs -Wunused -Wunknown-
pragmas -Wstrict-aliasing -Wfloat-equal -Wdeclaration-after-statement -Wpointer-arith -Wbad-function-cast -Wcast-align -Wwrite-
strings -Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations -Wmissing-noreturn -Wmissing-format-attribute -
Wpacked -Wredundant-decls -Wnested-externs -Winline -Winvalid-pch -Wlong-long -Wvla -Wvolatile-register-var -Wdisabled-
optimization -Wstack-protector -Woverlength-strings -Wbuiltin-macro-redefined -Wmudflap -Wpacked-bitfield-compat -Wsync-nand -
Wattributes -Wcoverage-mismatch -Wmultichar -Wunused-macros -Wno-missing-field-initializers -Wno-sign-compare -Wno-pointer-
sign -Wno-unused-parameter -Wno-unused-parameter -Wno-stack-protector -fdiagnostics-show-option
  Library types:    Shared=yes, Static=yes
  Valgrind:         valgrind
  Guile wrappers:   yes
  C++ library:      yes
  OpenSSL library:  yes

makeobj[0]: Leaving directory `/home/bradh-dev/gnutls-git'


I then make, and it dies with:

libtool: compile:  gcc -DHAVE_CONFIG_H -I. -DLOCALEDIR=\"/usr/local/share/locale\" -I./gl -I./gl -I./includes -I./includes -I./x509 -
I./opencdk -Werror -Wframe-larger-than=2100 -Wall -W -Wformat-security -Winit-self -Wmissing-include-dirs -Wunused -Wunknown-
pragmas -Wstrict-aliasing -Wfloat-equal -Wdeclaration-after-statement -Wpointer-arith -Wbad-function-cast -Wcast-align -Wwrite-
strings -Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations -Wmissing-noreturn -Wmissing-format-attribute -
Wpacked -Wredundant-decls -Wnested-externs -Winline -Winvalid-pch -Wlong-long -Wvla -Wvolatile-register-var -Wdisabled-
optimization -Wstack-protector -Woverlength-strings -Wbuiltin-macro-redefined -Wmudflap -Wpacked-bitfield-compat -Wsync-nand -
Wattributes -Wcoverage-mismatch -Wmultichar -Wunused-macros -Wno-missing-field-initializers -Wno-sign-compare -Wno-pointer-
sign -Wno-unused-parameter -Wno-unused-parameter -Wno-stack-protector -fdiagnostics-show-option -g -O2 -MT auth_cert.lo -MD -
MP -MF .deps/auth_cert.Tpo -c auth_cert.c  -fPIC -DPIC -o .libs/auth_cert.o                                                                    
cc1: warnings being treated as errors                                                                             
auth_cert.c: In function '_gnutls_proc_x509_server_certificate':
auth_cert.c:1030: error: implicit declaration of function '_gnutls_session_sign_algo_enabled' [-Wimplicit-function-declaration]
auth_cert.c:1030: error: nested extern declaration of '_gnutls_session_sign_algo_enabled' [-Wnested-externs]
auth_cert.c: In function '_gnutls_proc_cert_cert_req':
auth_cert.c:1371: error: implicit declaration of function '_gnutls_sign_algorithm_parse_data' [-Wimplicit-function-declaration]
auth_cert.c:1371: error: nested extern declaration of '_gnutls_sign_algorithm_parse_data' [-Wnested-externs]
auth_cert.c: In function '_gnutls_gen_cert_server_cert_req':
auth_cert.c:1617: error: implicit declaration of function '_gnutls_sign_algorithm_write_params' [-Wimplicit-function-declaration]
auth_cert.c:1617: error: nested extern declaration of '_gnutls_sign_algorithm_write_params' [-Wnested-externs]
auth_cert.c: In function '_gnutls_server_select_cert':
auth_cert.c:1929: error: implicit declaration of function '_gnutls_session_sign_algo_requested' [-Wimplicit-function-declaration]
auth_cert.c:1929: error: nested extern declaration of '_gnutls_session_sign_algo_requested' [-Wnested-externs]
make[4]: *** [auth_cert.lo] Error 1
make[4]: Leaving directory `/home/bradh-dev/gnutls-git/lib'
make[3]: *** [all-recursive] Error 1
make[3]: Leaving directory `/home/bradh-dev/gnutls-git/lib'
make[2]: *** [all] Error 2
make[2]: Leaving directory `/home/bradh-dev/gnutls-git/lib'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/home/bradh-dev/gnutls-git'
make: *** [all] Error 2
makeobj[0]: Leaving directory `/home/bradh-dev/gnutls-git'

Does that look familiar to anyone?

Brad




From bradh at frogmouth.net  Thu Nov  5 03:14:21 2009
From: bradh at frogmouth.net (Brad Hards)
Date: Thu, 5 Nov 2009 13:14:21 +1100
Subject: [patch] Re: building recent git
In-Reply-To: <200911051232.26679.bradh@frogmouth.net>
References: <200911051232.26679.bradh@frogmouth.net>
Message-ID: <200911051314.21558.bradh@frogmouth.net>

On Thursday 05 November 2009 12:32:26 Brad Hards wrote:
[snip build problem]
Just a missing header. See below for the fix.

diff --git a/lib/auth_cert.c b/lib/auth_cert.c
index d637316..2cd8b58 100644
--- a/lib/auth_cert.c
+++ b/lib/auth_cert.c
@@ -35,6 +35,7 @@
 #include "gnutls_num.h"
 #include "libtasn1.h"
 #include "gnutls_datum.h"
+#include "ext_signature.h"
 #include <gnutls_pk.h>
 #include <gnutls_algorithms.h>
 #include <gnutls_global.h>

There are a couple more fixes required.

Brad





From bradh at frogmouth.net  Thu Nov  5 03:17:56 2009
From: bradh at frogmouth.net (Brad Hards)
Date: Thu, 5 Nov 2009 13:17:56 +1100
Subject: [patch] building recent git
In-Reply-To: <200911051232.26679.bradh@frogmouth.net>
References: <200911051232.26679.bradh@frogmouth.net>
Message-ID: <200911051317.56581.bradh@frogmouth.net>

On Thursday 05 November 2009 12:32:26 Brad Hards wrote:
Next problem:

libtool: compile:  gcc -DHAVE_CONFIG_H -I. -
DLOCALEDIR=\"/usr/local/share/locale\" -I./gl -I./gl -I./includes -I./includes 
-I./x509 -I./opencdk -Werror -Wframe-larger-than=2100 -Wall -W -Wformat-
security -Winit-self -Wmissing-include-dirs -Wunused -Wunknown-pragmas -
Wstrict-aliasing -Wfloat-equal -Wdeclaration-after-statement -Wpointer-arith -
Wbad-function-cast -Wcast-align -Wwrite-strings -Wstrict-prototypes -Wmissing-
prototypes -Wmissing-declarations -Wmissing-noreturn -Wmissing-format-
attribute -Wpacked -Wredundant-decls -Wnested-externs -Winline -Winvalid-pch -
Wlong-long -Wvla -Wvolatile-register-var -Wdisabled-optimization -Wstack-
protector -Woverlength-strings -Wbuiltin-macro-redefined -Wmudflap -Wpacked-
bitfield-compat -Wsync-nand -Wattributes -Wcoverage-mismatch -Wmultichar -
Wunused-macros -Wno-missing-field-initializers -Wno-sign-compare -Wno-pointer-
sign -Wno-unused-parameter -Wno-unused-parameter -Wno-stack-protector -
fdiagnostics-show-option -g -O2 -MT ext_signature.lo -MD -MP -MF 
.deps/ext_signature.Tpo -c ext_signature.c  -fPIC -DPIC -o 
.libs/ext_signature.o
cc1: warnings being treated as errors
ext_signature.c: In function '_gnutls_sign_algorithm_write_params':
ext_signature.c:44: error: unused variable 'ret' [-Wunused-variable]

Fix:
diff --git a/lib/ext_signature.c b/lib/ext_signature.c
index cd12fc7..93a0d08 100644
--- a/lib/ext_signature.c
+++ b/lib/ext_signature.c
@@ -41,7 +41,6 @@ int _gnutls_sign_algorithm_write_params(gnutls_session_t 
session, opaque *data,
 {
 opaque* p = data;
 int len, i ,j;
-int ret;
 sign_algorithm_st aid;

           len = session->internals.priorities.sign_algo.algorithms * 2;





From bradh at frogmouth.net  Thu Nov  5 03:44:45 2009
From: bradh at frogmouth.net (Brad Hards)
Date: Thu, 5 Nov 2009 13:44:45 +1100
Subject: [patch] update M4 for INET_NTOP and INET_PTON checks.
In-Reply-To: <200911051232.26679.bradh@frogmouth.net>
References: <200911051232.26679.bradh@frogmouth.net>
Message-ID: <200911051344.45826.bradh@frogmouth.net>

                                                                                                         
libtool: link: gcc -std=gnu99 -g -O2 -o ex-client2 ex-client2.o none required 
none required  ./.libs/libexamples.a ../../lib/.libs/libgnutls.so -
L/usr/local/lib ../../libextra/.libs/libgnutls-extra.so /home/bradh-
dev/gnutls-git/lib/.libs/libgnutls.so -ltasn1 -lz /usr/local/lib/libgcrypt.so 
-lgpg-error ../../gl/.libs/libgnu.a -Wl,-rpath -Wl,/home/bradh-dev/gnutls-
git/lib/.libs -Wl,-rpath -Wl,/home/bradh-dev/gnutls-git/libextra/.libs                     
gcc: none: No such file or directory                                                                              
gcc: required: No such file or directory                                                                          
gcc: none: No such file or directory                                                                              
gcc: required: No such file or directory                                                                          
make[4]: *** [ex-client2] Error 1                                                                                 
make[4]: Leaving directory `/home/bradh-dev/gnutls-git/doc/examples'                                              
make[3]: *** [all-recursive] Error 1                                                                              
make[3]: Leaving directory `/home/bradh-dev/gnutls-git/doc'                                                       
make[2]: *** [all] Error 2                                                                                        
make[2]: Leaving directory `/home/bradh-dev/gnutls-git/doc'                                                       
make[1]: *** [all-recursive] Error 1                                                                              
make[1]: Leaving directory `/home/bradh-dev/gnutls-git'                                                           
make: *** [all] Error 2                                                                                           
makeobj[0]: Leaving directory `/home/bradh-dev/gnutls-git'   

Fix:
diff --git a/gl/m4/inet_ntop.m4 b/gl/m4/inet_ntop.m4                        
index 85a6bb6..ea645f2 100644
--- a/gl/m4/inet_ntop.m4
+++ b/gl/m4/inet_ntop.m4
@@ -18,7 +18,8 @@ AC_DEFUN([gl_INET_NTOP],
     [AC_REPLACE_FUNCS([inet_ntop])])
   LIBS=$gl_save_LIBS
   INET_NTOP_LIB=
-  if test "$ac_cv_search_inet_ntop" != "none needed"; then
+  if test "$ac_cv_search_inet_ntop" != "none needed" &&
+     test "$ac_cv_search_inet_ntop" != "none required"; then
     INET_NTOP_LIB="$ac_cv_search_inet_ntop"
   fi
   AC_SUBST([INET_NTOP_LIB])
diff --git a/gl/m4/inet_pton.m4 b/gl/m4/inet_pton.m4
index f071801..068deee 100644
--- a/gl/m4/inet_pton.m4
+++ b/gl/m4/inet_pton.m4
@@ -18,7 +18,8 @@ AC_DEFUN([gl_INET_PTON],
     [AC_REPLACE_FUNCS([inet_pton])])
   LIBS=$gl_save_LIBS
   INET_PTON_LIB=
-  if test "$ac_cv_search_inet_pton" != "none needed"; then
+  if test "$ac_cv_search_inet_pton" != "none needed" &&
+     test "$ac_cv_search_inet_pton" != "none required"; then
     INET_PTON_LIB="$ac_cv_search_inet_pton"
   fi
   AC_SUBST([INET_PTON_LIB])

Brad




From dispensa at phonefactor.com  Thu Nov  5 04:53:38 2009
From: dispensa at phonefactor.com (Steve Dispensa)
Date: Wed, 04 Nov 2009 21:53:38 -0600
Subject: TLS renegotiation MITM 
Message-ID: <C717A866.24C47%dispensa@phonefactor.com>

Hi,

A colleague and I have released details of a new attack against TLS in the
area of renegotiation. Information is here:

http://extendedsubset.com/?p=8

During the process of running this bug (and its proposed solution) to
ground, I implemented a patch to GNUTLS, attached. There are also two new
files that implement the extension that solves the problem.

There is lots of background in the above link, but the one missing part is
the Internet Draft that has been tentatively agreed on by most of the major
vendors (pending IETF action, of course). That draft is what I have
implemented, and you should see it posted to the TLS IETF list tomorrow
morning.

I'd be happy to help in any way I can.

Thanks.

 -Steve

-------------- next part --------------
A non-text attachment was scrubbed...
Name: ext_safe_renegotiation.c
Type: application/octet-stream
Size: 3381 bytes
Desc: not available
URL: </pipermail/attachments/20091104/19b7058e/attachment.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ext_safe_renegotiation.h
Type: application/octet-stream
Size: 1283 bytes
Desc: not available
URL: </pipermail/attachments/20091104/19b7058e/attachment-0001.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: gnutls-safe-renegotiation.patch
Type: application/octet-stream
Size: 6298 bytes
Desc: not available
URL: </pipermail/attachments/20091104/19b7058e/attachment-0002.obj>

From simon at josefsson.org  Thu Nov  5 08:50:36 2009
From: simon at josefsson.org (Simon Josefsson)
Date: Thu, 05 Nov 2009 08:50:36 +0100
Subject: [patch] Re: building recent git
In-Reply-To: <200911051314.21558.bradh@frogmouth.net> (Brad Hards's message of
	"Thu, 5 Nov 2009 13:14:21 +1100")
References: <200911051232.26679.bradh@frogmouth.net>
	<200911051314.21558.bradh@frogmouth.net>
Message-ID: <87eiodif5f.fsf@mocca.josefsson.org>

Brad Hards <bradh at frogmouth.net> writes:

> +#include "ext_signature.h"

Pushed, thanks!

> -int ret;

This too.

> Fix:
> diff --git a/gl/m4/inet_ntop.m4 b/gl/m4/inet_ntop.m4                        
> index 85a6bb6..ea645f2 100644
> --- a/gl/m4/inet_ntop.m4
> +++ b/gl/m4/inet_ntop.m4
> @@ -18,7 +18,8 @@ AC_DEFUN([gl_INET_NTOP],
>      [AC_REPLACE_FUNCS([inet_ntop])])
>    LIBS=$gl_save_LIBS
>    INET_NTOP_LIB=
> -  if test "$ac_cv_search_inet_ntop" != "none needed"; then
> +  if test "$ac_cv_search_inet_ntop" != "none needed" &&
> +     test "$ac_cv_search_inet_ntop" != "none required"; then
>      INET_NTOP_LIB="$ac_cv_search_inet_ntop"
>    fi
>    AC_SUBST([INET_NTOP_LIB])
> diff --git a/gl/m4/inet_pton.m4 b/gl/m4/inet_pton.m4
> index f071801..068deee 100644
> --- a/gl/m4/inet_pton.m4
> +++ b/gl/m4/inet_pton.m4
> @@ -18,7 +18,8 @@ AC_DEFUN([gl_INET_PTON],
>      [AC_REPLACE_FUNCS([inet_pton])])
>    LIBS=$gl_save_LIBS
>    INET_PTON_LIB=
> -  if test "$ac_cv_search_inet_pton" != "none needed"; then
> +  if test "$ac_cv_search_inet_pton" != "none needed" &&
> +     test "$ac_cv_search_inet_pton" != "none required"; then
>      INET_PTON_LIB="$ac_cv_search_inet_pton"
>    fi
>    AC_SUBST([INET_PTON_LIB])

Applied, but also forwarded to the gnulib list since this seems like a
potential bigger issue.

/Simon




From bradh at frogmouth.net  Thu Nov  5 11:10:05 2009
From: bradh at frogmouth.net (Brad Hards)
Date: Thu, 5 Nov 2009 21:10:05 +1100
Subject: Running "make check" under valgrind
Message-ID: <200911052110.06021.bradh@frogmouth.net>

Hi,

When I run "make check" with valgrind support, I'm seeing about 20 tests that 
are showing valgrind errors. Looks like a common backtrace:

==28786== Conditional jump or move depends on uninitialised value(s)               
==28786==    at 0x4130789: _gcry_mpi_print (mpicoder.c:583)                        
==28786==    by 0x40E4A48: gcry_mpi_print (visibility.c:308)                       
==28786==    by 0x40474B8: wrap_gcry_mpi_print (mpi-libgcrypt.c:76)                
==28786==    by 0x4044109: _gnutls_dh_common_print_server_kx 
(auth_dh_common.c:326)
==28786==    by 0x404F3F3: gen_psk_server_kx (auth_dhe_psk.c:157)                  
==28786==    by 0x4027C57: _gnutls_send_server_kx_message (gnutls_kx.c:200)        
==28786==    by 0x40245D7: _gnutls_handshake_server (gnutls_handshake.c:2762)      
==28786==    by 0x4024C89: gnutls_handshake (gnutls_handshake.c:2435)              
==28786==    by 0x8049717: doit (dhepskself.c:272)                                 
==28786==    by 0x80499EC: main (utils.c:148)                                      
==28786==                                                                          
==28786== Conditional jump or move depends on uninitialised value(s)               
==28786==    at 0x4130789: _gcry_mpi_print (mpicoder.c:583)                        
==28786==    by 0x40E4A48: gcry_mpi_print (visibility.c:308)                       
==28786==    by 0x40474B8: wrap_gcry_mpi_print (mpi-libgcrypt.c:76)                
==28786==    by 0x404412C: _gnutls_dh_common_print_server_kx 
(auth_dh_common.c:327)
==28786==    by 0x404F3F3: gen_psk_server_kx (auth_dhe_psk.c:157)                  
==28786==    by 0x4027C57: _gnutls_send_server_kx_message (gnutls_kx.c:200)        
==28786==    by 0x40245D7: _gnutls_handshake_server (gnutls_handshake.c:2762)      
==28786==    by 0x4024C89: gnutls_handshake (gnutls_handshake.c:2435)              
==28786==    by 0x8049717: doit (dhepskself.c:272)                                 
==28786==    by 0x80499EC: main (utils.c:148)                                      
==28786==                                                                          
==28786== Conditional jump or move depends on uninitialised value(s)               
==28786==    at 0x4130789: _gcry_mpi_print (mpicoder.c:583)                        
==28786==    by 0x40E4A48: gcry_mpi_print (visibility.c:308)                       
==28786==    by 0x40474B8: wrap_gcry_mpi_print (mpi-libgcrypt.c:76)                
==28786==    by 0x404414F: _gnutls_dh_common_print_server_kx 
(auth_dh_common.c:328)
==28786==    by 0x404F3F3: gen_psk_server_kx (auth_dhe_psk.c:157)                  
==28786==    by 0x4027C57: _gnutls_send_server_kx_message (gnutls_kx.c:200)        
==28786==    by 0x40245D7: _gnutls_handshake_server (gnutls_handshake.c:2762)      
==28786==    by 0x4024C89: gnutls_handshake (gnutls_handshake.c:2435)              
==28786==    by 0x8049717: doit (dhepskself.c:272)                                 
==28786==    by 0x80499EC: main (utils.c:148)                                      
==28787== Conditional jump or move depends on uninitialised value(s)               
==28787==    at 0x4130789: _gcry_mpi_print (mpicoder.c:583)                        
==28787==    by 0x40E4A48: gcry_mpi_print (visibility.c:308)                       
==28787==    by 0x40474B8: wrap_gcry_mpi_print (mpi-libgcrypt.c:76)                
==28787==    by 0x40447A6: _gnutls_gen_dh_common_client_kx 
(auth_dh_common.c:142)  
==28787==    by 0x404F1D9: gen_psk_client_kx (auth_dhe_psk.c:89)                   
==28787==    by 0x4027A1F: _gnutls_send_client_kx_message (gnutls_kx.c:295)        
==28787==    by 0x4023F5F: _gnutls_handshake_client (gnutls_handshake.c:2576)      
==28787==    by 0x4024D07: gnutls_handshake (gnutls_handshake.c:2431)              
==28787==    by 0x8049304: client (dhepskself.c:93)                                
==28787==    by 0x8049566: doit (dhepskself.c:351)                                 
==28787==    by 0x80499EC: main (utils.c:148)    

Is anyone else seeing this?

Brad




From dam at opencsw.org  Thu Nov  5 12:32:38 2009
From: dam at opencsw.org (Dagobert Michelsen)
Date: Thu, 5 Nov 2009 12:32:38 +0100
Subject: GNUTLS 2.8.5: Assertion failed on Solaris 8 Sparc
Message-ID: <F673EBD4-BFBD-430A-8554-8377BC387A4A@opencsw.org>

Hi,

I have a failed test in 2.8.5 on Solaris 8 Sparc with Sun Studio 11:

> gmake  check-TESTS
> gmake[9]: Entering directory `/home/dam/mgar/pkg/gnutls/trunk/work/ 
> solaris8-sparc/build-isa-sparcv8/gnutls-2.8.5/lib/gl/tests'
> PASS: test-alloca-opt
> PASS: test-byteswap
> PASS: test-c-ctype
> PASS: test-errno
> PASS: test-fseeko.sh
> PASS: test-fseeko2.sh
> test-func.c:40: assertion failed
> FAIL: test-func
> PASS: test-netdb
> PASS: test-read-file
> PASS: test-snprintf


I adjust the code to show what exactly is failing:

> int
> main ()
> {
>   printf( "%d %d\n", strlen (__func__), sizeof __func__ );
>   ASSERT (strlen (__func__) + 1 == sizeof __func__);
>   return 0;
> }
> build8s% ./test-func
> 4 0
> test-func.c:41: assertion failed
> zsh: IOT instruction (core dumped)  ./test-func

I guess __func__ is kindof empty... Should this concern me?


Best regards

   -- Dago






From dam at opencsw.org  Thu Nov  5 13:27:35 2009
From: dam at opencsw.org (Dagobert Michelsen)
Date: Thu, 5 Nov 2009 13:27:35 +0100
Subject: Problem with linking when compiling GNUTLS
Message-ID: <6CE33B59-7483-4304-9F9F-14D5D35DFAB0@opencsw.org>

Hi,

when I try to compile GNUTLS 2.8.5 on Solaris 8 Sparc with Sun Studio 11
against libgcrypt the configure-script has problems linking to it:

> configure:7443: /opt/studio/SOS11/SUNWspro/bin/cc -o conftest -xO3 - 
> xarch=v8 -I/opt/csw/include -I/opt/csw/include -xarch=v8 -L/opt/csw/ 
> lib conftest.c  /opt/csw/lib/libgcrypt.so -R/opt/csw/lib >&5
> Undefined                       first referenced
>  symbol                             in file
> gpg_err_code_from_errno             conftest.o  (symbol belongs to  
> implicit dependency /opt/csw/lib/libgpg-error.so.0)
> gpg_err_code_from_syserror          conftest.o  (symbol belongs to  
> implicit dependency /opt/csw/lib/libgpg-error.so.0)
> ld: fatal: Symbol referencing errors. No output written to conftest

The problem is that configure links directly to libgcrypt.so instead
of what is correctly reported:

> build8s% /opt/csw/bin/libgcrypt-config --libs
> -L/opt/csw/lib -lgcrypt -lgpg-error

Adding "-L/opt/csw/lib -lgpg-error" manually solves the problem.

Additionally, there is an issue with missing networks libs on Solaris:

>         DEPDIR=.deps depmode=none /bin/bash ../../build-aux/depcomp \
>         /opt/studio/SOS11/SUNWspro/bin/cc -DHAVE_CONFIG_H -I. - 
> I../..  -I../../lib/includes -I../../lib/includes -I../../libextra/ 
> includes -I../../gl -I../../gl -I/opt/csw/include   -xO3 -xarch=v8 - 
> I/opt/csw/include -c ex-serv1.c
> "ex-serv1.c", line 195: warning: statement not reached
> /bin/bash ../../libtool --tag=CC   --mode=link /opt/studio/SOS11/ 
> SUNWspro/bin/cc   -xO3 -xarch=v8 -I/opt/csw/include -no-install - 
> xarch=v8 -L/opt/csw/lib -lgpg-error -L/opt/csw/lib -o ex-serv1 ex- 
> serv1.o libexamples.la ../../lib/libgnutls.la ../../libextra/ 
> libgnutls-extra.la ../../gl/libgnu.la -lsocket
> libtool: link: /opt/studio/SOS11/SUNWspro/bin/cc -xO3 -xarch=v8 -I/ 
> opt/csw/include -xarch=v8 -o ex-serv1 ex-serv1.o  -L/opt/csw/ 
> lib ./.libs/libexamples.a ../../lib/.libs/libgnutls.so ../../ 
> libextra/.libs/libgnutls-extra.so /home/dam/mgar/pkg/gnutls/trunk/ 
> work/solaris8-sparc/build-isa-sparcv8/gnutls-2.8.5/lib/.libs/ 
> libgnutls.so -ltasn1 -lz -lgcrypt -lintl ../../gl/.libs/libgnu.a - 
> lgpg-error -lsocket -R/home/dam/mgar/pkg/gnutls/trunk/work/solaris8- 
> sparc/build-isa-sparcv8/gnutls-2.8.5/lib/.libs -R/home/dam/mgar/pkg/ 
> gnutls/trunk/work/solaris8-sparc/build-isa-sparcv8/gnutls-2.8.5/ 
> libextra/.libs -R/opt/csw/lib
> ld: warning: file /home/dam/mgar/pkg/gnutls/trunk/work/solaris8- 
> sparc/build-isa-sparcv8/gnutls-2.8.5/lib/.libs/libgnutls.so: linked  
> to ../../lib/.libs/libgnutls.so: attempted multiple inclusion of file
> Undefined                       first referenced
>  symbol                             in file
> inet_ntop                           ex-serv1.o  (symbol belongs to  
> implicit dependency /lib/libnsl.so.1)
> ld: fatal: Symbol referencing errors. No output written to ex-serv1
> gmake[6]: *** [ex-serv1] Error 1
> gmake[6]: Leaving directory `/home/dam/mgar/pkg/gnutls/trunk/work/ 
> solaris8-sparc/build-isa-sparcv8/gnutls-2.8.5/doc/examples'
> gmake[5]: *** [all-recursive] Error 1
> gmake[5]: Leaving directory `/home/dam/mgar/pkg/gnutls/trunk/work/ 
> solaris8-sparc/build-isa-sparcv8/gnutls-2.8.5/doc'

This can be solved by adding -lsocket -lnsl which shoud be
autodetected during configure.


Best regards

   -- Dago





From simon at josefsson.org  Thu Nov  5 13:58:18 2009
From: simon at josefsson.org (Simon Josefsson)
Date: Thu, 05 Nov 2009 13:58:18 +0100
Subject: Running "make check" under valgrind
In-Reply-To: <200911052110.06021.bradh@frogmouth.net> (Brad Hards's message of
	"Thu, 5 Nov 2009 21:10:05 +1100")
References: <200911052110.06021.bradh@frogmouth.net>
Message-ID: <87hbt9f7rp.fsf@mocca.josefsson.org>

Brad Hards <bradh at frogmouth.net> writes:

> Hi,
>
> When I run "make check" with valgrind support, I'm seeing about 20 tests that 
> are showing valgrind errors. Looks like a common backtrace:
>
> ==28786== Conditional jump or move depends on uninitialised value(s)               
> ==28786==    at 0x4130789: _gcry_mpi_print (mpicoder.c:583)                        
...
> Is anyone else seeing this?

Nope.   Which libgcrypt version are you using?

/Simon




From simon at josefsson.org  Thu Nov  5 14:02:50 2009
From: simon at josefsson.org (Simon Josefsson)
Date: Thu, 05 Nov 2009 14:02:50 +0100
Subject: GNUTLS 2.8.5: Assertion failed on Solaris 8 Sparc
In-Reply-To: <F673EBD4-BFBD-430A-8554-8377BC387A4A@opencsw.org> (Dagobert
	Michelsen's message of "Thu, 5 Nov 2009 12:32:38 +0100")
References: <F673EBD4-BFBD-430A-8554-8377BC387A4A@opencsw.org>
Message-ID: <87d43xf7k5.fsf@mocca.josefsson.org>

Dagobert Michelsen <dam at opencsw.org> writes:

> Hi,
>
> I have a failed test in 2.8.5 on Solaris 8 Sparc with Sun Studio 11:
>
>> gmake  check-TESTS
>> gmake[9]: Entering directory `/home/dam/mgar/pkg/gnutls/trunk/work/
>> solaris8-sparc/build-isa-sparcv8/gnutls-2.8.5/lib/gl/tests'
>> PASS: test-alloca-opt
>> PASS: test-byteswap
>> PASS: test-c-ctype
>> PASS: test-errno
>> PASS: test-fseeko.sh
>> PASS: test-fseeko2.sh
>> test-func.c:40: assertion failed
>> FAIL: test-func
>> PASS: test-netdb
>> PASS: test-read-file
>> PASS: test-snprintf
>
>
> I adjust the code to show what exactly is failing:
>
>> int
>> main ()
>> {
>>   printf( "%d %d\n", strlen (__func__), sizeof __func__ );
>>   ASSERT (strlen (__func__) + 1 == sizeof __func__);
>>   return 0;
>> }
>> build8s% ./test-func
>> 4 0
>> test-func.c:41: assertion failed
>> zsh: IOT instruction (core dumped)  ./test-func
>
> I guess __func__ is kindof empty... Should this concern me?

__func__ is only used in the guile wrapper:

guile/src/utils.c:    scm_gnutls_error (GNUTLS_E_UNIMPLEMENTED_FEATURE, __func__);

If you don't build the guile libraries, you could ignore it.

A sizeof(__func__) == 0 seems odd.  What is __func__ on Solaris?  Is
there some other variable that contains the current function name on
Solaris?

I think this is a bug in gnulib's func module, so let's continue
discussion on the gnulib list.

/Simon




From simon at josefsson.org  Thu Nov  5 14:09:33 2009
From: simon at josefsson.org (Simon Josefsson)
Date: Thu, 05 Nov 2009 14:09:33 +0100
Subject: Problem with linking when compiling GNUTLS
In-Reply-To: <6CE33B59-7483-4304-9F9F-14D5D35DFAB0@opencsw.org> (Dagobert
	Michelsen's message of "Thu, 5 Nov 2009 13:27:35 +0100")
References: <6CE33B59-7483-4304-9F9F-14D5D35DFAB0@opencsw.org>
Message-ID: <87639pf78y.fsf@mocca.josefsson.org>

Dagobert Michelsen <dam at opencsw.org> writes:

> Additionally, there is an issue with missing networks libs on Solaris:
>
>>         DEPDIR=.deps depmode=none /bin/bash ../../build-aux/depcomp \
>>         /opt/studio/SOS11/SUNWspro/bin/cc -DHAVE_CONFIG_H -I. -
>> I../..  -I../../lib/includes -I../../lib/includes -I../../libextra/
>> includes -I../../gl -I../../gl -I/opt/csw/include   -xO3 -xarch=v8 -
>> I/opt/csw/include -c ex-serv1.c
>> "ex-serv1.c", line 195: warning: statement not reached
>> /bin/bash ../../libtool --tag=CC   --mode=link /opt/studio/SOS11/
>> SUNWspro/bin/cc   -xO3 -xarch=v8 -I/opt/csw/include -no-install -
>> xarch=v8 -L/opt/csw/lib -lgpg-error -L/opt/csw/lib -o ex-serv1 ex-
>> serv1.o libexamples.la ../../lib/libgnutls.la ../../libextra/
>> libgnutls-extra.la ../../gl/libgnu.la -lsocket
>> libtool: link: /opt/studio/SOS11/SUNWspro/bin/cc -xO3 -xarch=v8 -I/
>> opt/csw/include -xarch=v8 -o ex-serv1 ex-serv1.o  -L/opt/csw/
>> lib ./.libs/libexamples.a ../../lib/.libs/libgnutls.so ../../
>> libextra/.libs/libgnutls-extra.so /home/dam/mgar/pkg/gnutls/trunk/
>> work/solaris8-sparc/build-isa-sparcv8/gnutls-2.8.5/lib/.libs/
>> libgnutls.so -ltasn1 -lz -lgcrypt -lintl ../../gl/.libs/libgnu.a -
>> lgpg-error -lsocket -R/home/dam/mgar/pkg/gnutls/trunk/work/solaris8-
>> sparc/build-isa-sparcv8/gnutls-2.8.5/lib/.libs -R/home/dam/mgar/pkg/
>> gnutls/trunk/work/solaris8-sparc/build-isa-sparcv8/gnutls-2.8.5/
>> libextra/.libs -R/opt/csw/lib
>> ld: warning: file /home/dam/mgar/pkg/gnutls/trunk/work/solaris8-
>> sparc/build-isa-sparcv8/gnutls-2.8.5/lib/.libs/libgnutls.so: linked
>> to ../../lib/.libs/libgnutls.so: attempted multiple inclusion of
>> file
>> Undefined                       first referenced
>>  symbol                             in file
>> inet_ntop                           ex-serv1.o  (symbol belongs to
>> implicit dependency /lib/libnsl.so.1)
>> ld: fatal: Symbol referencing errors. No output written to ex-serv1
>> gmake[6]: *** [ex-serv1] Error 1
>> gmake[6]: Leaving directory `/home/dam/mgar/pkg/gnutls/trunk/work/
>> solaris8-sparc/build-isa-sparcv8/gnutls-2.8.5/doc/examples'
>> gmake[5]: *** [all-recursive] Error 1
>> gmake[5]: Leaving directory `/home/dam/mgar/pkg/gnutls/trunk/work/
>> solaris8-sparc/build-isa-sparcv8/gnutls-2.8.5/doc'
>
> This can be solved by adding -lsocket -lnsl which shoud be
> autodetected during configure.

This should be fixed by the latest changes made to gnulib right now.
I'm going to release 2.9.7 shortly, you could test that so that 2.10.x
will work OK.

/Simon




From simon at josefsson.org  Thu Nov  5 14:13:34 2009
From: simon at josefsson.org (Simon Josefsson)
Date: Thu, 05 Nov 2009 14:13:34 +0100
Subject: Problem with linking when compiling GNUTLS
In-Reply-To: <6CE33B59-7483-4304-9F9F-14D5D35DFAB0@opencsw.org> (Dagobert
	Michelsen's message of "Thu, 5 Nov 2009 13:27:35 +0100")
References: <6CE33B59-7483-4304-9F9F-14D5D35DFAB0@opencsw.org>
Message-ID: <871vkdf729.fsf@mocca.josefsson.org>

Dagobert Michelsen <dam at opencsw.org> writes:

> Hi,
>
> when I try to compile GNUTLS 2.8.5 on Solaris 8 Sparc with Sun Studio 11
> against libgcrypt the configure-script has problems linking to it:
>
>> configure:7443: /opt/studio/SOS11/SUNWspro/bin/cc -o conftest -xO3 -
>> xarch=v8 -I/opt/csw/include -I/opt/csw/include -xarch=v8 -L/opt/csw/
>> lib conftest.c  /opt/csw/lib/libgcrypt.so -R/opt/csw/lib >&5
>> Undefined                       first referenced
>>  symbol                             in file
>> gpg_err_code_from_errno             conftest.o  (symbol belongs to
>> implicit dependency /opt/csw/lib/libgpg-error.so.0)
>> gpg_err_code_from_syserror          conftest.o  (symbol belongs to
>> implicit dependency /opt/csw/lib/libgpg-error.so.0)
>> ld: fatal: Symbol referencing errors. No output written to conftest
>
> The problem is that configure links directly to libgcrypt.so instead
> of what is correctly reported:
>
>> build8s% /opt/csw/bin/libgcrypt-config --libs
>> -L/opt/csw/lib -lgcrypt -lgpg-error
>
> Adding "-L/opt/csw/lib -lgpg-error" manually solves the problem.

Hi.  GnuTLS isn't using libgcrypt-config to detect the libgrypt
libraries, but the following patch hopefully fixes it.  Will be part of
upcoming 2.9.8, so please test that.

/Simon

>From 65e184ffdcf0441b51cd447f519d929376f7e06b Mon Sep 17 00:00:00 2001
From: Simon Josefsson <simon at josefsson.org>
Date: Thu, 5 Nov 2009 14:12:16 +0100
Subject: [PATCH] Make sure libgcrypt's dependency on libgpg-error is known.

---
 lib/m4/hooks.m4 |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/lib/m4/hooks.m4 b/lib/m4/hooks.m4
index 2973d6d..8e3ec92 100644
--- a/lib/m4/hooks.m4
+++ b/lib/m4/hooks.m4
@@ -34,7 +34,7 @@ AC_DEFUN([LIBGNUTLS_HOOKS],
   DLL_VERSION=`expr ${LT_CURRENT} - ${LT_AGE}`
   AC_SUBST(DLL_VERSION)
 
-  AC_LIB_HAVE_LINKFLAGS(gcrypt,, [#include <gcrypt.h>],
+  AC_LIB_HAVE_LINKFLAGS([gcrypt], [gpg-error], [#include <gcrypt.h>],
     [enum gcry_cipher_algos i = GCRY_CIPHER_CAMELLIA128])
   if test "$ac_cv_libgcrypt" != yes; then
     AC_MSG_ERROR([[
-- 
1.6.5.2





From simon at josefsson.org  Thu Nov  5 14:23:32 2009
From: simon at josefsson.org (Simon Josefsson)
Date: Thu, 05 Nov 2009 14:23:32 +0100
Subject: GNUTLS 2.8.5: Assertion failed on Solaris 8 Sparc
In-Reply-To: <4AF2D0A3.8040904@byu.net> (Eric Blake's message of "Thu, 05 Nov
	2009 06:18:27 -0700")
References: <F673EBD4-BFBD-430A-8554-8377BC387A4A@opencsw.org>
	<87d43xf7k5.fsf@mocca.josefsson.org> <4AF2D0A3.8040904@byu.net>
Message-ID: <87k4y5ds17.fsf@mocca.josefsson.org>

Eric Blake <ebb9 at byu.net> writes:

> According to Simon Josefsson on 11/5/2009 6:02 AM:
>> A sizeof(__func__) == 0 seems odd.  What is __func__ on Solaris?  Is
>> there some other variable that contains the current function name on
>> Solaris?
>
> This is a known bug in the Solaris compiler, and gnulib just ignores the
> error.  This line from test-func.c is telling:
>
>>   /* On SunPRO C 5.9, sizeof __func__ evaluates to 0.  The compiler warns:
>>      "warning: null dimension: sizeof()".  */
>> #if !defined __SUNPRO_C
>>   ASSERT (strlen (__func__) + 1 == sizeof __func__);
>> #endif

Ah, thanks.  But does __func__ work on Solaris?  Would it make sense to
improve the self-test like this?

/Simon

diff --git a/tests/test-func.c b/tests/test-func.c
index 8a3c465..3c2de3c 100644
--- a/tests/test-func.c
+++ b/tests/test-func.c
@@ -45,5 +45,8 @@ main ()
   ASSERT (strlen (__func__) + 1 == sizeof __func__);
 #endif
 
+  assert (strcmp (__func__, "main") == 0
+	  || strcmp (__func__, "<unknown function>") == 0);
+
   return 0;
 }




From dam at opencsw.org  Thu Nov  5 15:50:47 2009
From: dam at opencsw.org (Dagobert Michelsen)
Date: Thu, 5 Nov 2009 15:50:47 +0100
Subject: Problem with linking when compiling GNUTLS
In-Reply-To: <871vkdf729.fsf@mocca.josefsson.org>
References: <6CE33B59-7483-4304-9F9F-14D5D35DFAB0@opencsw.org>
	<871vkdf729.fsf@mocca.josefsson.org>
Message-ID: <95DD2EC9-E013-4894-929B-4A3074D3DE43@opencsw.org>

Hi Simon,

Am 05.11.2009 um 14:13 schrieb Simon Josefsson:
> Dagobert Michelsen <dam at opencsw.org> writes:
>> when I try to compile GNUTLS 2.8.5 on Solaris 8 Sparc with Sun  
>> Studio 11
>> against libgcrypt the configure-script has problems linking to it:
>>
>>> configure:7443: /opt/studio/SOS11/SUNWspro/bin/cc -o conftest -xO3 -
>>> xarch=v8 -I/opt/csw/include -I/opt/csw/include -xarch=v8 -L/opt/csw/
>>> lib conftest.c  /opt/csw/lib/libgcrypt.so -R/opt/csw/lib >&5
>>> Undefined                       first referenced
>>> symbol                             in file
>>> gpg_err_code_from_errno             conftest.o  (symbol belongs to
>>> implicit dependency /opt/csw/lib/libgpg-error.so.0)
>>> gpg_err_code_from_syserror          conftest.o  (symbol belongs to
>>> implicit dependency /opt/csw/lib/libgpg-error.so.0)
>>> ld: fatal: Symbol referencing errors. No output written to conftest
>>
>> The problem is that configure links directly to libgcrypt.so instead
>> of what is correctly reported:
>>
>>> build8s% /opt/csw/bin/libgcrypt-config --libs
>>> -L/opt/csw/lib -lgcrypt -lgpg-error
>>
>> Adding "-L/opt/csw/lib -lgpg-error" manually solves the problem.
>
> Hi.  GnuTLS isn't using libgcrypt-config to detect the libgrypt
> libraries, but the following patch hopefully fixes it.  Will be part  
> of
> upcoming 2.9.8, so please test that.
>
> /Simon
>
> From 65e184ffdcf0441b51cd447f519d929376f7e06b Mon Sep 17 00:00:00 2001
> From: Simon Josefsson <simon at josefsson.org>
> Date: Thu, 5 Nov 2009 14:12:16 +0100
> Subject: [PATCH] Make sure libgcrypt's dependency on libgpg-error is  
> known.
>
> ---
> lib/m4/hooks.m4 |    2 +-
> 1 files changed, 1 insertions(+), 1 deletions(-)
>
> diff --git a/lib/m4/hooks.m4 b/lib/m4/hooks.m4
> index 2973d6d..8e3ec92 100644
> --- a/lib/m4/hooks.m4
> +++ b/lib/m4/hooks.m4
> @@ -34,7 +34,7 @@ AC_DEFUN([LIBGNUTLS_HOOKS],
>   DLL_VERSION=`expr ${LT_CURRENT} - ${LT_AGE}`
>   AC_SUBST(DLL_VERSION)
>
> -  AC_LIB_HAVE_LINKFLAGS(gcrypt,, [#include <gcrypt.h>],
> +  AC_LIB_HAVE_LINKFLAGS([gcrypt], [gpg-error], [#include <gcrypt.h>],
>     [enum gcry_cipher_algos i = GCRY_CIPHER_CAMELLIA128])
>   if test "$ac_cv_libgcrypt" != yes; then
>     AC_MSG_ERROR([[
> -- 
> 1.6.5.2

Yes, this solves the problem with the missing libgpg-error. Now only
the -lsocket -lnsl issue needs to be resolved :-)


Best regards

   -- Dago





From simon at josefsson.org  Thu Nov  5 16:17:16 2009
From: simon at josefsson.org (Simon Josefsson)
Date: Thu, 05 Nov 2009 16:17:16 +0100
Subject: Problem with linking when compiling GNUTLS
In-Reply-To: <95DD2EC9-E013-4894-929B-4A3074D3DE43@opencsw.org> (Dagobert
	Michelsen's message of "Thu, 5 Nov 2009 15:50:47 +0100")
References: <6CE33B59-7483-4304-9F9F-14D5D35DFAB0@opencsw.org>
	<871vkdf729.fsf@mocca.josefsson.org>
	<95DD2EC9-E013-4894-929B-4A3074D3DE43@opencsw.org>
Message-ID: <87hbt9atmr.fsf@mocca.josefsson.org>

Dagobert Michelsen <dam at opencsw.org> writes:

>> -  AC_LIB_HAVE_LINKFLAGS(gcrypt,, [#include <gcrypt.h>],
>> +  AC_LIB_HAVE_LINKFLAGS([gcrypt], [gpg-error], [#include <gcrypt.h>],
>>     [enum gcry_cipher_algos i = GCRY_CIPHER_CAMELLIA128])
>>   if test "$ac_cv_libgcrypt" != yes; then
>>     AC_MSG_ERROR([[
>> --
>> 1.6.5.2
>
> Yes, this solves the problem with the missing libgpg-error. Now only
> the -lsocket -lnsl issue needs to be resolved :-)

Great.  The -lnsl issue could be fixed by using more recent gnulib here.

/Simon




From dam at opencsw.org  Thu Nov  5 16:27:48 2009
From: dam at opencsw.org (Dagobert Michelsen)
Date: Thu, 5 Nov 2009 16:27:48 +0100
Subject: Problem with linking when compiling GNUTLS
In-Reply-To: <87hbt9atmr.fsf@mocca.josefsson.org>
References: <6CE33B59-7483-4304-9F9F-14D5D35DFAB0@opencsw.org>
	<871vkdf729.fsf@mocca.josefsson.org>
	<95DD2EC9-E013-4894-929B-4A3074D3DE43@opencsw.org>
	<87hbt9atmr.fsf@mocca.josefsson.org>
Message-ID: <F2B74262-685B-4B7B-B9F0-2A87BA43BA3E@opencsw.org>

Hi Simon,

Am 05.11.2009 um 16:17 schrieb Simon Josefsson:
> Dagobert Michelsen <dam at opencsw.org> writes:
>
>>> -  AC_LIB_HAVE_LINKFLAGS(gcrypt,, [#include <gcrypt.h>],
>>> +  AC_LIB_HAVE_LINKFLAGS([gcrypt], [gpg-error], [#include  
>>> <gcrypt.h>],
>>>    [enum gcry_cipher_algos i = GCRY_CIPHER_CAMELLIA128])
>>>  if test "$ac_cv_libgcrypt" != yes; then
>>>    AC_MSG_ERROR([[
>>> --
>>> 1.6.5.2
>>
>> Yes, this solves the problem with the missing libgpg-error. Now only
>> the -lsocket -lnsl issue needs to be resolved :-)
>
> Great.  The -lnsl issue could be fixed by using more recent gnulib  
> here.

It would be great if you had an updated tarball of the release-to-come
will all known errors fixed so I can verify it.


Best regards

   -- Dago




From simon at josefsson.org  Thu Nov  5 16:35:41 2009
From: simon at josefsson.org (Simon Josefsson)
Date: Thu, 05 Nov 2009 16:35:41 +0100
Subject: Problem with linking when compiling GNUTLS
In-Reply-To: <F2B74262-685B-4B7B-B9F0-2A87BA43BA3E@opencsw.org> (Dagobert
	Michelsen's message of "Thu, 5 Nov 2009 16:27:48 +0100")
References: <6CE33B59-7483-4304-9F9F-14D5D35DFAB0@opencsw.org>
	<871vkdf729.fsf@mocca.josefsson.org>
	<95DD2EC9-E013-4894-929B-4A3074D3DE43@opencsw.org>
	<87hbt9atmr.fsf@mocca.josefsson.org>
	<F2B74262-685B-4B7B-B9F0-2A87BA43BA3E@opencsw.org>
Message-ID: <878welass2.fsf@mocca.josefsson.org>

Dagobert Michelsen <dam at opencsw.org> writes:

> Hi Simon,
>
> Am 05.11.2009 um 16:17 schrieb Simon Josefsson:
>> Dagobert Michelsen <dam at opencsw.org> writes:
>>
>>>> -  AC_LIB_HAVE_LINKFLAGS(gcrypt,, [#include <gcrypt.h>],
>>>> +  AC_LIB_HAVE_LINKFLAGS([gcrypt], [gpg-error], [#include
>>>> <gcrypt.h>],
>>>>    [enum gcry_cipher_algos i = GCRY_CIPHER_CAMELLIA128])
>>>>  if test "$ac_cv_libgcrypt" != yes; then
>>>>    AC_MSG_ERROR([[
>>>> --
>>>> 1.6.5.2
>>>
>>> Yes, this solves the problem with the missing libgpg-error. Now only
>>> the -lsocket -lnsl issue needs to be resolved :-)
>>
>> Great.  The -lnsl issue could be fixed by using more recent gnulib
>> here.
>
> It would be great if you had an updated tarball of the release-to-come
> will all known errors fixed so I can verify it.

Of 2.8.x or 2.9.x?  I'll see if I can push out a 2.9.x release today.

/Simon




From simon at josefsson.org  Thu Nov  5 17:40:10 2009
From: simon at josefsson.org (Simon Josefsson)
Date: Thu, 05 Nov 2009 17:40:10 +0100
Subject: GnuTLS 2.9.8
Message-ID: <87639p9b85.fsf@mocca.josefsson.org>

The GnuTLS 2.9.x branch is NOT what you want for your stable system.  It
is intended for developers and experienced users.

Here are the compressed sources (6.0MB):
  http://alpha.gnu.org/gnu/gnutls/gnutls-2.9.8.tar.bz2
  ftp://alpha.gnu.org/gnu/gnutls/gnutls-2.9.8.tar.bz2

Here is the OpenPGP signature:
  http://alpha.gnu.org/gnu/gnutls/gnutls-2.9.8.tar.bz2.sig
  ftp://alpha.gnu.org/gnu/gnutls/gnutls-2.9.8.tar.bz2.sig

Windows build:
  http://josefsson.org/gnutls4win/gnutls-2.9.8.exe
  http://josefsson.org/gnutls4win/gnutls-2.9.8.exe.sig
  http://josefsson.org/gnutls4win/gnutls-2.9.8.zip
  http://josefsson.org/gnutls4win/gnutls-2.9.8.zip.sig
  http://josefsson.org/gnutls4win/mingw32-gnutls_2.9.8-1_all.deb

Improving GnuTLS is costly, but you can help!  We are looking for
organizations that find GnuTLS useful and wish to contribute back.  You
can contribute by reporting bugs, improve the software, or donate money
or equipment.

Commercial support contracts for GnuTLS are available, and they help
finance continued maintenance.  Simon Josefsson Datakonsult AB, a
Stockholm based privately held company, is currently funding GnuTLS
maintenance.  We are always looking for interesting development
projects.  See http://josefsson.org/ for more details.

/Simon

* Version 2.9.8 (released 2009-11-05)

** libgnutls: Fix for memory leaks on interrupted handshake.
Reported by Tang Tong.

** libgnutls: Addition of support for TLS 1.2 signature algorithms
** extension and certificate verify field.
This requires changes for TLS 1.2 servers and clients that use
callbacks for certificate retrieval.  They are now required to check
with gnutls_sign_algorithm_get_requested() whether the certificate
they send complies with the peer's preferences in signature
algorithms.

** libgnutls: In server side when resuming a session do not overwrite the 
** initial session data with the resumed session data.

** libgnutls: Added support for AES-128, AES-192 and AES-256 in PKCS #8
** encryption.
This affects also PKCS #12 encoded files.  This adds the following new
enums: GNUTLS_CIPHER_AES_192_CBC, GNUTLS_PKCS_USE_PBES2_AES_128,
GNUTLS_PKCS_USE_PBES2_AES_192, GNUTLS_PKCS_USE_PBES2_AES_256.

** libgnutls: Fix PKCS#12 encoding.
The error you would get was "The OID is not supported.".  Problem
introduced for the v2.8.x branch in 2.7.6.

** certtool: Added the --pkcs-cipher option.
To explicitely specify the encryption algorithm to use.

** tests: Added "pkcs12_encode" self-test to check PKCS#12 functions.

** tests: Fix time bomb in chainverify self-test.
Reported by Andreas Metzler <ametzler at downhill.at.eu.org> in
<http://thread.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3925>.

** tests: Fix expired cert in chainverify self-test.

** i18n: Vietnamese translation updated.
Thanks to Clytie Siddall.

** API and ABI modifications:
GNUTLS_CIPHER_AES_192_CBC: ADDED to gnutls/gnutls.h.
GNUTLS_PKCS_USE_PBES2_AES_128: ADDED to gnutls/x509.h.
GNUTLS_PKCS_USE_PBES2_AES_192: ADDED to gnutls/x509.h.
GNUTLS_PKCS_USE_PBES2_AES_256: ADDED to gnutls/x509.h.
GNUTLS_BAG_SECRET: ADDED to gnutls/pkcs12.h.
GNUTLS_DIG_UNKNOWN: ADDED to gnutls/gnutls.h.
gnutls_sign_algorithm_get_requested: ADDED.

I appear to have forgotten to announce 2.9.7, so I'm including the NEWS
entries for it too:

* Version 2.9.7 (released 2009-10-06)

** libgnutls: TLS 1.2 server mode fixes.
Now interoperates against Opera.  Contributed by Daiki Ueno.

** libgnutlsxx: Fix link problems.
Tiny patch from Boyan Kasarov <bkasarov at gmail.com>.

** guile: Compatibility with guile 2.x.
By Ludovic Courtes <ludovic.courtes at laas.fr>.

** API and ABI modifications:
No changes since last version.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 420 bytes
Desc: not available
URL: </pipermail/attachments/20091105/fcae8237/attachment.pgp>

From nmav at gnutls.org  Thu Nov  5 22:05:21 2009
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Thu, 05 Nov 2009 23:05:21 +0200
Subject: TLS renegotiation MITM
In-Reply-To: <C717A866.24C47%dispensa@phonefactor.com>
References: <C717A866.24C47%dispensa@phonefactor.com>
Message-ID: <4AF33E11.6060304@gnutls.org>

Steve Dispensa wrote:
> Hi,
> 
> A colleague and I have released details of a new attack against TLS in the
> area of renegotiation. Information is here:
> 
> http://extendedsubset.com/?p=8
> 
> During the process of running this bug (and its proposed solution) to
> ground, I implemented a patch to GNUTLS, attached. There are also two new
> files that implement the extension that solves the problem.
> 
> There is lots of background in the above link, but the one missing part is
> the Internet Draft that has been tentatively agreed on by most of the major
> vendors (pending IETF action, of course). That draft is what I have
> implemented, and you should see it posted to the TLS IETF list tomorrow
> morning.

Hi thank you for the patch and for identifying the issue as well. I like
both your patch and the fix itself. Would you be interested in signing
the copyright assignment papers for FSF?

best regards,
Nikos




From nmav at gnutls.org  Thu Nov  5 22:29:59 2009
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Thu, 05 Nov 2009 23:29:59 +0200
Subject: TLS 1.2 server
In-Reply-To: <87bpjijzld.fsf@mocca.josefsson.org>
References: <87iqf1p592.fsf@broken.deisui.org>	<87r5tp56c4.fsf@mocca.josefsson.org>	<87ske44pfy.fsf@mocca.josefsson.org>	<87pr98eha4.fsf@broken.deisui.org>	<87eipo4jgc.fsf@mocca.josefsson.org>	<87ljjwdv8c.fsf@broken.deisui.org>	<87zl8buyc2.fsf@mocca.josefsson.org>
	<4AE26E73.4070907@gnutls.org>	<873a56cxty.fsf@mocca.josefsson.org>
	<4AEF2F63.4080103@gnutls.org>	<87k4y89ktx.fsf@mocca.josefsson.org>
	<4AF0745E.4030702@gnutls.org> <87bpjijzld.fsf@mocca.josefsson.org>
Message-ID: <4AF343D7.8060002@gnutls.org>

Simon Josefsson wrote:

> Is it possible to fix only that leak without the other stuff?

Could be but currently I don't have the time.





From bradh at frogmouth.net  Fri Nov  6 01:23:14 2009
From: bradh at frogmouth.net (Brad Hards)
Date: Fri, 6 Nov 2009 11:23:14 +1100
Subject: Running "make check" under valgrind
In-Reply-To: <87hbt9f7rp.fsf@mocca.josefsson.org>
References: <200911052110.06021.bradh@frogmouth.net>
	<87hbt9f7rp.fsf@mocca.josefsson.org>
Message-ID: <200911061123.14795.bradh@frogmouth.net>

On Thursday 05 November 2009 23:58:18 you wrote:
> Nope.   Which libgcrypt version are you using?
As it turned out, it was some svn version that I had installed. However I've 
removed that, rebuilt everything, and I can repeat that with 1.4.4 packages 
from my distro (libgcrypt-1.4.4-6.fc11).

I also tried a more up-to-date svn version of libgcrypt (At revision 1406.) 
but no difference. A svn version of libgpg-error also made no difference.

Brad





From dispensa at phonefactor.com  Fri Nov  6 02:24:31 2009
From: dispensa at phonefactor.com (Steve Dispensa)
Date: Thu, 5 Nov 2009 19:24:31 -0600
Subject: TLS renegotiation MITM
In-Reply-To: <4AF33E11.6060304@gnutls.org>
References: <C717A866.24C47%dispensa@phonefactor.com>
	<4AF33E11.6060304@gnutls.org>
Message-ID: <0ABAC5C4-2C41-4641-B07A-349C4A8DED64@phonefactor.com>

Yes, I'd be glad to. It will take me a couple of days to get to a  
printer/scanner, but meanwhile, if an email can do this, take this as  
my official intent to assign copyright to fsf.

  -Steve

On Nov 5, 2009, at 3:03 PM, "Nikos Mavrogiannopoulos"  
<nmav at gnutls.org> wrote:

> Steve Dispensa wrote:
>> Hi,
>>
>> A colleague and I have released details of a new attack against TLS  
>> in the
>> area of renegotiation. Information is here:
>>
>> http://extendedsubset.com/?p=8
>>
>> During the process of running this bug (and its proposed solution) to
>> ground, I implemented a patch to GNUTLS, attached. There are also  
>> two new
>> files that implement the extension that solves the problem.
>>
>> There is lots of background in the above link, but the one missing  
>> part is
>> the Internet Draft that has been tentatively agreed on by most of  
>> the major
>> vendors (pending IETF action, of course). That draft is what I have
>> implemented, and you should see it posted to the TLS IETF list  
>> tomorrow
>> morning.
>
> Hi thank you for the patch and for identifying the issue as well. I  
> like
> both your patch and the fix itself. Would you be interested in signing
> the copyright assignment papers for FSF?
>
> best regards,
> Nikos




From simon at josefsson.org  Fri Nov  6 08:37:32 2009
From: simon at josefsson.org (Simon Josefsson)
Date: Fri, 06 Nov 2009 08:37:32 +0100
Subject: Running "make check" under valgrind
In-Reply-To: <200911061123.14795.bradh@frogmouth.net> (Brad Hards's message of
	"Fri, 6 Nov 2009 11:23:14 +1100")
References: <200911052110.06021.bradh@frogmouth.net>
	<87hbt9f7rp.fsf@mocca.josefsson.org>
	<200911061123.14795.bradh@frogmouth.net>
Message-ID: <87hbt885oj.fsf@mocca.josefsson.org>

Brad Hards <bradh at frogmouth.net> writes:

> On Thursday 05 November 2009 23:58:18 you wrote:
>> Nope.   Which libgcrypt version are you using?
> As it turned out, it was some svn version that I had installed. However I've 
> removed that, rebuilt everything, and I can repeat that with 1.4.4 packages 
> from my distro (libgcrypt-1.4.4-6.fc11).
>
> I also tried a more up-to-date svn version of libgcrypt (At revision 1406.) 
> but no difference. A svn version of libgpg-error also made no difference.

Strange, I'm using libgcrypt from debian and don't see this.  Could you
try to debug it further to see if there is a genuine memory leak?

Hm, I realized I have a ~/.valgrind:

--memcheck:leak-check=full
--memcheck:leak-resolution=high
--memcheck:show-reachable=yes
--memcheck:num-callers=50
--suppressions=/home/jas/src/gnutls/tests/libgcrypt.supp

The libgcrypt.supp file in GnuTLS lists some known memory leaks in
libgcrypt.  However, your leaks doesn't look like any of them, but maybe
you could check that file to make sure.

/Simon




From simon at josefsson.org  Fri Nov  6 12:38:24 2009
From: simon at josefsson.org (Simon Josefsson)
Date: Fri, 06 Nov 2009 12:38:24 +0100
Subject: TLS renegotiation MITM
In-Reply-To: <C717A866.24C47%dispensa@phonefactor.com> (Steve Dispensa's
	message of "Wed, 04 Nov 2009 21:53:38 -0600")
References: <C717A866.24C47%dispensa@phonefactor.com>
Message-ID: <87tyx7zxvz.fsf@mocca.josefsson.org>

Steve Dispensa <dispensa at phonefactor.com> writes:

> Hi,
>
> A colleague and I have released details of a new attack against TLS in the
> area of renegotiation. Information is here:
>
> http://extendedsubset.com/?p=8
>
> During the process of running this bug (and its proposed solution) to
> ground, I implemented a patch to GNUTLS, attached. There are also two new
> files that implement the extension that solves the problem.
>
> There is lots of background in the above link, but the one missing part is
> the Internet Draft that has been tentatively agreed on by most of the major
> vendors (pending IETF action, of course). That draft is what I have
> implemented, and you should see it posted to the TLS IETF list tomorrow
> morning.
>
> I'd be happy to help in any way I can.

What GnuTLS version is your patch for?  We haven't used a configure.in
file in a long time.  Would you mind reworking it for GnuTLS 2.8.x
and/or 2.9.x?  Those are the latest stable and experimental branches.

Once the copyright paper issue has been resolved, we could integrate it.

/Simon




From dispensa at phonefactor.com  Fri Nov  6 16:30:44 2009
From: dispensa at phonefactor.com (Steve Dispensa)
Date: Fri, 6 Nov 2009 09:30:44 -0600
Subject: TLS renegotiation MITM
In-Reply-To: <87tyx7zxvz.fsf@mocca.josefsson.org>
References: <C717A866.24C47%dispensa@phonefactor.com>
	<87tyx7zxvz.fsf@mocca.josefsson.org>
Message-ID: <815C1CE2-C182-4A78-8279-EC23D4C0F5F4@phonefactor.com>

Glad to. What's the best git tree? I thought I had the right one based  
on the site.

Thanks.

  -Steve

On Nov 6, 2009, at 5:36 AM, "Simon Josefsson" <simon at josefsson.org>  
wrote:

> Steve Dispensa <dispensa at phonefactor.com> writes:
>
>> Hi,
>>
>> A colleague and I have released details of a new attack against TLS  
>> in the
>> area of renegotiation. Information is here:
>>
>> http://extendedsubset.com/?p=8
>>
>> During the process of running this bug (and its proposed solution) to
>> ground, I implemented a patch to GNUTLS, attached. There are also  
>> two new
>> files that implement the extension that solves the problem.
>>
>> There is lots of background in the above link, but the one missing  
>> part is
>> the Internet Draft that has been tentatively agreed on by most of  
>> the major
>> vendors (pending IETF action, of course). That draft is what I have
>> implemented, and you should see it posted to the TLS IETF list  
>> tomorrow
>> morning.
>>
>> I'd be happy to help in any way I can.
>
> What GnuTLS version is your patch for?  We haven't used a configure.in
> file in a long time.  Would you mind reworking it for GnuTLS 2.8.x
> and/or 2.9.x?  Those are the latest stable and experimental branches.
>
> Once the copyright paper issue has been resolved, we could integrate  
> it.
>
> /Simon




From simon at josefsson.org  Fri Nov  6 16:50:17 2009
From: simon at josefsson.org (Simon Josefsson)
Date: Fri, 06 Nov 2009 16:50:17 +0100
Subject: TLS renegotiation MITM
In-Reply-To: <815C1CE2-C182-4A78-8279-EC23D4C0F5F4@phonefactor.com> (Steve
	Dispensa's message of "Fri, 6 Nov 2009 09:30:44 -0600")
References: <C717A866.24C47%dispensa@phonefactor.com>
	<87tyx7zxvz.fsf@mocca.josefsson.org>
	<815C1CE2-C182-4A78-8279-EC23D4C0F5F4@phonefactor.com>
Message-ID: <87d43vps92.fsf@mocca.josefsson.org>

"Steve Dispensa" <dispensa at phonefactor.com> writes:

> Glad to. What's the best git tree? I thought I had the right one based
> on the site.

What link did you find on our site?  I created a new page at
http://www.gnu.org/software/gnutls/devel.html with some information.

/Simon

> Thanks.
>
>  -Steve
>
> On Nov 6, 2009, at 5:36 AM, "Simon Josefsson" <simon at josefsson.org>
> wrote:
>
>> Steve Dispensa <dispensa at phonefactor.com> writes:
>>
>>> Hi,
>>>
>>> A colleague and I have released details of a new attack against TLS
>>> in the
>>> area of renegotiation. Information is here:
>>>
>>> http://extendedsubset.com/?p=8
>>>
>>> During the process of running this bug (and its proposed solution) to
>>> ground, I implemented a patch to GNUTLS, attached. There are also
>>> two new
>>> files that implement the extension that solves the problem.
>>>
>>> There is lots of background in the above link, but the one missing
>>> part is
>>> the Internet Draft that has been tentatively agreed on by most of
>>> the major
>>> vendors (pending IETF action, of course). That draft is what I have
>>> implemented, and you should see it posted to the TLS IETF list
>>> tomorrow
>>> morning.
>>>
>>> I'd be happy to help in any way I can.
>>
>> What GnuTLS version is your patch for?  We haven't used a configure.in
>> file in a long time.  Would you mind reworking it for GnuTLS 2.8.x
>> and/or 2.9.x?  Those are the latest stable and experimental branches.
>>
>> Once the copyright paper issue has been resolved, we could integrate
>> it.
>>
>> /Simon




From ludo at gnu.org  Sat Nov  7 00:02:07 2009
From: ludo at gnu.org (Ludovic =?iso-8859-1?Q?Court=E8s?=)
Date: Sat, 07 Nov 2009 00:02:07 +0100
Subject: =?utf-8?b?4oCYZ251dGxzLWNsaeKAmQ==?= should be linked against
 libgcrypt
Message-ID: <87ljijfea8.fsf@gnu.org>

Hello!

I just compiled GnuTLS 2.8.5 for NixOS [0].  Unless I?m mistaken,
?gnutls-cli? must now explicitly be linked against libgcrypt since it?s
a direct dependency:

-gnutls_cli_LDADD = ../lib/libgnutls.la ../libextra/libgnutls-extra.la
+gnutls_cli_LDADD = ../lib/libgnutls.la ../libextra/libgnutls-extra.la -lgcrypt

Thanks,
Ludo?.

[0] http://hydra.nixos.org/job/nixpkgs/trunk/gnutls/all





From ebb9 at byu.net  Thu Nov  5 14:18:27 2009
From: ebb9 at byu.net (Eric Blake)
Date: Thu, 05 Nov 2009 06:18:27 -0700
Subject: GNUTLS 2.8.5: Assertion failed on Solaris 8 Sparc
In-Reply-To: <87d43xf7k5.fsf@mocca.josefsson.org>
References: <F673EBD4-BFBD-430A-8554-8377BC387A4A@opencsw.org>
	<87d43xf7k5.fsf@mocca.josefsson.org>
Message-ID: <4AF2D0A3.8040904@byu.net>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

According to Simon Josefsson on 11/5/2009 6:02 AM:
> A sizeof(__func__) == 0 seems odd.  What is __func__ on Solaris?  Is
> there some other variable that contains the current function name on
> Solaris?

This is a known bug in the Solaris compiler, and gnulib just ignores the
error.  This line from test-func.c is telling:

>   /* On SunPRO C 5.9, sizeof __func__ evaluates to 0.  The compiler warns:
>      "warning: null dimension: sizeof()".  */
> #if !defined __SUNPRO_C
>   ASSERT (strlen (__func__) + 1 == sizeof __func__);
> #endif

- --
Don't work too hard, make some time for fun as well!

Eric Blake             ebb9 at byu.net
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (Cygwin)
Comment: Public key at home.comcast.net/~ericblake/eblake.gpg
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkry0KMACgkQ84KuGfSFAYCPIgCeLJ0jmtbSKx/+UnvwX/IWEt1Q
5OYAn3oUOpCdSTukmrU4HZXP4dwZTIOk
=lVxd
-----END PGP SIGNATURE-----




From simon at josefsson.org  Mon Nov  9 15:46:43 2009
From: simon at josefsson.org (Simon Josefsson)
Date: Mon, 09 Nov 2009 15:46:43 +0100
Subject: =?utf-8?b?4oCYZ251dGxzLWNsaeKAmQ==?= should be linked against
 libgcrypt
In-Reply-To: <87ljijfea8.fsf@gnu.org> ("Ludovic =?iso-8859-1?Q?Court=E8s?=
	=?iso-8859-1?Q?=22's?= message of "Sat, 07
	Nov 2009 00:02:07 +0100")
References: <87ljijfea8.fsf@gnu.org>
Message-ID: <87ws1zwyb0.fsf@mocca.josefsson.org>

ludo at gnu.org (Ludovic Court?s) writes:

> Hello!
>
> I just compiled GnuTLS 2.8.5 for NixOS [0].  Unless I?m mistaken,
> ?gnutls-cli? must now explicitly be linked against libgcrypt since it?s
> a direct dependency:
>
> -gnutls_cli_LDADD = ../lib/libgnutls.la ../libextra/libgnutls-extra.la
> +gnutls_cli_LDADD = ../lib/libgnutls.la ../libextra/libgnutls-extra.la -lgcrypt

Thanks, I happened to fix this recently on master but I backported it to
2.8.x now.

/Simon




From simon at josefsson.org  Mon Nov  9 16:19:50 2009
From: simon at josefsson.org (Simon Josefsson)
Date: Mon, 09 Nov 2009 16:19:50 +0100
Subject: TLS Renegotiation problem
Message-ID: <87d43rwwrt.fsf@mocca.josefsson.org>

As you may have heard, people how found out how to attack TLS as used in
many application protocols.  For more info see:

http://www.ietf.org/id/draft-rescorla-tls-renegotiation-00.txt
http://www.educatedguesswork.org/2009/11/understanding_the_tls_renegoti.html
http://extendedsubset.com/
http://www.imperialviolet.org/2009/11/05/tls-reneg.html

It is important to understand that you are not vulnerable unless you use
renegotiation, which is not typical.  If you use renegotiation, perhaps
to request client certificates in a web server, the simplest "fix" is to
disable any use of renegotiation.  You don't need to do this if your
application protocol is robust -- for example XMPP/Jabber appears to be
robust against the problem.  HTTPS is not robust.

There is work ongoing to specify a new extension to make TLS
renegotiation safe against this attack, and hopefully GnuTLS will
support it soon.  Patches have been published in
http://thread.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3944 but
not yet tested or verified, and the IETF/IANA has not allocated a TLS
extension number for it yet either.

/Simon




From dkg at fifthhorseman.net  Mon Nov  9 19:01:23 2009
From: dkg at fifthhorseman.net (Daniel Kahn Gillmor)
Date: Mon, 09 Nov 2009 13:01:23 -0500
Subject: TLS Renegotiation problem
In-Reply-To: <87d43rwwrt.fsf@mocca.josefsson.org>
References: <87d43rwwrt.fsf@mocca.josefsson.org>
Message-ID: <4AF858F3.9000204@fifthhorseman.net>

On 11/09/2009 10:19 AM, Simon Josefsson wrote:
> It is important to understand that you are not vulnerable unless you use
> renegotiation, which is not typical.  If you use renegotiation, perhaps
> to request client certificates in a web server, the simplest "fix" is to
> disable any use of renegotiation.

My understanding is that the published attacks are undetectable from the
client-side without the use of the newly-proposed extension.  So barring
that extension, it seems that that the protective workaround you
describe (disabling renegotiation) needs to be done on the server side.

Is there a way that this can be done generically with GnuTLS (e.g. a
priority string, which could conceivably be passed into gnutls by an
administrator without needing a rebuild), or should the server simply
avoid calling gnutls_handshake() more than once per session?

Regards,

	--dkg

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 891 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20091109/2ac2ef6c/attachment.pgp>

From simon at josefsson.org  Tue Nov 10 08:02:48 2009
From: simon at josefsson.org (Simon Josefsson)
Date: Tue, 10 Nov 2009 08:02:48 +0100
Subject: GnuTLS 2.9.9
Message-ID: <874op29813.fsf@mocca.josefsson.org>

The GnuTLS 2.9.x branch is NOT what you want for your stable system.  It
is intended for developers and experienced users.

Here are the compressed sources (6.1MB):
  http://alpha.gnu.org/gnu/gnutls/gnutls-2.9.9.tar.bz2
  ftp://alpha.gnu.org/gnu/gnutls/gnutls-2.9.9.tar.bz2

Here is the OpenPGP signature:
  http://alpha.gnu.org/gnu/gnutls/gnutls-2.9.9.tar.bz2.sig
  ftp://alpha.gnu.org/gnu/gnutls/gnutls-2.9.9.tar.bz2.sig

Windows build:
  http://josefsson.org/gnutls4win/gnutls-2.9.9.exe
  http://josefsson.org/gnutls4win/gnutls-2.9.9.exe.sig
  http://josefsson.org/gnutls4win/gnutls-2.9.9.zip
  http://josefsson.org/gnutls4win/gnutls-2.9.9.zip.sig
  http://josefsson.org/gnutls4win/mingw32-gnutls_2.9.9-1_all.deb

Improving GnuTLS is costly, but you can help!  We are looking for
organizations that find GnuTLS useful and wish to contribute back.  You
can contribute by reporting bugs, improve the software, or donate money
or equipment.

Commercial support contracts for GnuTLS are available, and they help
finance continued maintenance.  Simon Josefsson Datakonsult AB, a
Stockholm based privately held company, is currently funding GnuTLS
maintenance.  We are always looking for interesting development
projects.  See http://josefsson.org/ for more details.

/Simon

* Version 2.9.9 (released 2009-11-09)

** libgnutls: Cleanups and several bug fixes.
Found by Steve Grubb and Tomas Mraz.

** Link libgcrypt explicitly to certtool, gnutls-cli, gnutls-serv.

** Fix --disable-valgrind-tests.
Reported by Ingmar Vanhassel in
<https://savannah.gnu.org/support/?107029>.

** API and ABI modifications:
No changes since last version.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 420 bytes
Desc: not available
URL: </pipermail/attachments/20091110/7ebc55b7/attachment.pgp>

From simon at josefsson.org  Tue Nov 10 08:08:49 2009
From: simon at josefsson.org (Simon Josefsson)
Date: Tue, 10 Nov 2009 08:08:49 +0100
Subject: TLS Renegotiation problem
In-Reply-To: <4AF858F3.9000204@fifthhorseman.net> (Daniel Kahn Gillmor's
	message of "Mon, 09 Nov 2009 13:01:23 -0500")
References: <87d43rwwrt.fsf@mocca.josefsson.org>
	<4AF858F3.9000204@fifthhorseman.net>
Message-ID: <87zl6u7t6m.fsf@mocca.josefsson.org>

Daniel Kahn Gillmor <dkg at fifthhorseman.net> writes:

> On 11/09/2009 10:19 AM, Simon Josefsson wrote:
>> It is important to understand that you are not vulnerable unless you use
>> renegotiation, which is not typical.  If you use renegotiation, perhaps
>> to request client certificates in a web server, the simplest "fix" is to
>> disable any use of renegotiation.
>
> My understanding is that the published attacks are undetectable from the
> client-side without the use of the newly-proposed extension.

Yes.

> So barring that extension, it seems that that the protective
> workaround you describe (disabling renegotiation) needs to be done on
> the server side.
>
> Is there a way that this can be done generically with GnuTLS (e.g. a
> priority string, which could conceivably be passed into gnutls by an
> administrator without needing a rebuild), or should the server simply
> avoid calling gnutls_handshake() more than once per session?

In GnuTLS, rehandshaking needs to be done explicitly by servers when
they get the GNUTLS_E_REHANDSHAKE error back from gnutls_record_recv.
If servers don't call gnutls_handshake when that happens, there is no
problem.  So people can check their applications if they are vulnerable
to this problem.

For example, the mod_gnutls Apache plugin does not support renegotiation
so there is no problem with it (this was the main case that I were
concerned with):

            if (rc == GNUTLS_E_REHANDSHAKE) {
                /* A client has asked for a new Hankshake. Currently, we don't do it */
                ap_log_error(APLOG_MARK, APLOG_INFO, ctxt->input_rc,
                             ctxt->c->base_server,
                             "GnuTLS: Error reading data. Client Requested a New Handshake."
                             " (%d) '%s'", rc, gnutls_strerror(rc));
            }

Possibly we could indeed have a new mode where GnuTLS refuses to do
renegotiation based on a priority string.

/Simon




From simon at josefsson.org  Tue Nov 10 09:55:52 2009
From: simon at josefsson.org (Simon Josefsson)
Date: Tue, 10 Nov 2009 09:55:52 +0100
Subject: TLS Renegotiation problem
In-Reply-To: <87zl6u7t6m.fsf@mocca.josefsson.org> (Simon Josefsson's message
	of "Tue, 10 Nov 2009 08:08:49 +0100")
References: <87d43rwwrt.fsf@mocca.josefsson.org>
	<4AF858F3.9000204@fifthhorseman.net>
	<87zl6u7t6m.fsf@mocca.josefsson.org>
Message-ID: <87ws1y4v3b.fsf@mocca.josefsson.org>

Simon Josefsson <simon at josefsson.org> writes:

> For example, the mod_gnutls Apache plugin does not support renegotiation
> so there is no problem with it (this was the main case that I were
> concerned with):

Other servers that use GnuTLS is Exim4 and GNU Mailutils.  I checked the
sources and cannot find any place where they performs TLS renegotiation.
So as far as I can tell, they are safe too.

(Of course, this assume that it is even possible to exploit this problem
with SMTP/IMAP/POP3 which I haven't seen explained yet.)

What other popular servers use GnuTLS?

Is there _any_ GnuTLS server that is vulnerable?  Not even our
gnutls-serv appears to support renegotiation as far as I can tell.

/Simon




From simon at josefsson.org  Tue Nov 10 12:29:04 2009
From: simon at josefsson.org (Simon Josefsson)
Date: Tue, 10 Nov 2009 12:29:04 +0100
Subject: TLS Renegotiation problem
In-Reply-To: <20091110111754.GA14025@redhat.com> (Tomas Hoger's message of
	"Tue, 10 Nov 2009 12:17:54 +0100")
References: <87d43rwwrt.fsf@mocca.josefsson.org>
	<4AF858F3.9000204@fifthhorseman.net>
	<87zl6u7t6m.fsf@mocca.josefsson.org>
	<87ws1y4v3b.fsf@mocca.josefsson.org>
	<20091110111754.GA14025@redhat.com>
Message-ID: <87zl6u39fj.fsf@mocca.josefsson.org>

Tomas Hoger <thoger at redhat.com> writes:

> On Tue, Nov 10, 2009 at 09:55:52AM +0100, Simon Josefsson wrote:
>> What other popular servers use GnuTLS?
>
> CUPS and libvirt(d).  No GNUTLS_E_REHANDSHAKE in their sources, client
> requested renegotiations seem to fail.

Thanks for checking.  So to summarize, so far the following servers
appears to not be affected by this problem when used with GnuTLS:

gnutls-serv
mod_gnutls
exim4
mailutils
CUPS
libvirtd

If the servers are linked with OpenSSL I don't know if they are
vulnerable or not, it would depend on whether OpenSSL perform
renegotiation without application interaction.  So make sure they are
linked to GnuTLS before declaring victory.

I think we now have some evidence to suggest GnuTLS needn't do anything
about this.  It seems any use of rehandshake with GnuTLS is
application-specific and then the answer is probably to fix that
application instead of GnuTLS.  Any more insight or thoughts on this is
welcome.

What GnuTLS needs to do, though, is to have a discussion of the issue in
the manual where renegotiation is discussed, so application writers are
aware of the problem.

/Simon




From thoger at redhat.com  Tue Nov 10 14:22:16 2009
From: thoger at redhat.com (Tomas Hoger)
Date: Tue, 10 Nov 2009 14:22:16 +0100
Subject: TLS Renegotiation problem
In-Reply-To: <87zl6u39fj.fsf@mocca.josefsson.org>
References: <87d43rwwrt.fsf@mocca.josefsson.org>
	<4AF858F3.9000204@fifthhorseman.net>
	<87zl6u7t6m.fsf@mocca.josefsson.org>
	<87ws1y4v3b.fsf@mocca.josefsson.org>
	<20091110111754.GA14025@redhat.com>
	<87zl6u39fj.fsf@mocca.josefsson.org>
Message-ID: <20091110132216.GA15446@redhat.com>

On Tue, Nov 10, 2009 at 12:29:04PM +0100, Simon Josefsson wrote:
> If the servers are linked with OpenSSL I don't know if they are
> vulnerable or not, it would depend on whether OpenSSL perform
> renegotiation without application interaction.

OpenSSL and NSS both do renegotiation transparently for application.

> I think we now have some evidence to suggest GnuTLS needn't do anything
> about this.  It seems any use of rehandshake with GnuTLS is
> application-specific and then the answer is probably to fix that
> application instead of GnuTLS.

Is that meant as meant as "no change needed" or "no urgent temporary hotfix
needed"?  Is the implementation of the proposed extension still the
long-term plan, so that apps needing rehandshakes can do them safely?

Thanks!

th.





From dispensa at phonefactor.com  Tue Nov 10 15:08:00 2009
From: dispensa at phonefactor.com (Steve Dispensa)
Date: Tue, 10 Nov 2009 08:08:00 -0600
Subject: TLS Renegotiation problem
In-Reply-To: <20091110132216.GA15446@redhat.com>
Message-ID: <C71ECFE0.250A3%dispensa@phonefactor.com>

On 11/10/09 7:22 AM, "Tomas Hoger" <thoger at redhat.com> wrote:
>> I think we now have some evidence to suggest GnuTLS needn't do anything
>> about this.  It seems any use of rehandshake with GnuTLS is
>> application-specific and then the answer is probably to fix that
>> application instead of GnuTLS.
> 
> Is that meant as meant as "no change needed" or "no urgent temporary hotfix
> needed"?  Is the implementation of the proposed extension still the
> long-term plan, so that apps needing rehandshakes can do them safely?

[sorry if I'm late to the game; we had a baby a few days ago and I'm sadly
behind on e-mail and most other things.]

I agree with Tomas. When I wrote up the patch, I noticed that there were a
few impediments to doing renegotiation at all in the way things are
currently implemented (unless I misunderstood, which I always quite
possible). Still, at some point, someone is going to really need the feature
(or decide that the implementation is incomplete without perfect support for
it), and once that happens, the bug will magically appear unless the TLS
extension I supported.

There's also a good reason to support the extension from an interop
standpoint - servers will want to detect patched clients in the (near?)
future, so sending the extension along will be helpful.

 -Steve
  





From simon at josefsson.org  Tue Nov 10 17:43:55 2009
From: simon at josefsson.org (Simon Josefsson)
Date: Tue, 10 Nov 2009 17:43:55 +0100
Subject: TLS Renegotiation problem
In-Reply-To: <20091110132216.GA15446@redhat.com> (Tomas Hoger's message of
	"Tue, 10 Nov 2009 14:22:16 +0100")
References: <87d43rwwrt.fsf@mocca.josefsson.org>
	<4AF858F3.9000204@fifthhorseman.net>
	<87zl6u7t6m.fsf@mocca.josefsson.org>
	<87ws1y4v3b.fsf@mocca.josefsson.org>
	<20091110111754.GA14025@redhat.com>
	<87zl6u39fj.fsf@mocca.josefsson.org>
	<20091110132216.GA15446@redhat.com>
Message-ID: <87my2u2uus.fsf@mocca.josefsson.org>

Tomas Hoger <thoger at redhat.com> writes:

>> I think we now have some evidence to suggest GnuTLS needn't do anything
>> about this.  It seems any use of rehandshake with GnuTLS is
>> application-specific and then the answer is probably to fix that
>> application instead of GnuTLS.
>
> Is that meant as meant as "no change needed" or "no urgent temporary hotfix
> needed"?

Both. ;-)

The situation appears to be that 1) there is no patch against GnuTLS
that we can use as a temporary hotfix, and 2) there appears (so far) to
be no servers that use GnuTLS in a way that is vulnerable to this
problem.

There _could_ be servers that use GnuTLS which were vulnerable.  For
these applications, the simplest short-term solution appears to be to
remove/disable the TLS renegotiation code.  That would be an urgent
problem that needs to be addressed quickly, if there actually are
deployed instances of that situation.

If a majority of servers that used GnuTLS were vulnerable to this
problem, I think we'd have to consider patching GnuTLS instead of
recommending patching application.  Compare when we changed X.509 path
validation in GnuTLS to check expiry/activation times: it was not a
GnuTLS problem but it affected so many applications and it made more
sense to fix it in GnuTLS than change all the applications.  Our survey
of servers using GnuTLS indicates that we are not close to being in this
situation for this problem.

Daniel suggested to add a priority string to allow admin's to disable
TLS renegotiation unconditionally without having to recompile
application/libraries.  That seems like a good idea, but there are no
instances where we known that it would improve anything.  Priority
strings is a quite new features, so the application would have to make
use of priority strings AND do renegotiation AND implement a protocol
that is vulnerable to this attack (e.g., HTTP) in order for things to
work.  That situation seems unlikely, but could happen, and then we'll
certainly implement Daniel's suggestion.

We could also release a GnuTLS that does not support TLS renegotiation
at all.  Right now, that is not known to fix anything, so I don't see
what you would gain in doing so.  But we could end up needing to do that
too.

So, in summary, given (my) current knowledge there is no need to either
patch GnuTLS or any server application using GnuTLS.

> Is the implementation of the proposed extension still the long-term
> plan, so that apps needing rehandshakes can do them safely?

Yes.

/Simon




From simon at josefsson.org  Tue Nov 10 17:49:28 2009
From: simon at josefsson.org (Simon Josefsson)
Date: Tue, 10 Nov 2009 17:49:28 +0100
Subject: TLS Renegotiation problem
In-Reply-To: <C71ECFE0.250A3%dispensa@phonefactor.com> (Steve Dispensa's
	message of "Tue, 10 Nov 2009 08:08:00 -0600")
References: <20091110132216.GA15446@redhat.com>
	<C71ECFE0.250A3%dispensa@phonefactor.com>
Message-ID: <87iqdi2ulj.fsf@mocca.josefsson.org>

Steve Dispensa <dispensa at phonefactor.com> writes:

> On 11/10/09 7:22 AM, "Tomas Hoger" <thoger at redhat.com> wrote:
>>> I think we now have some evidence to suggest GnuTLS needn't do anything
>>> about this.  It seems any use of rehandshake with GnuTLS is
>>> application-specific and then the answer is probably to fix that
>>> application instead of GnuTLS.
>> 
>> Is that meant as meant as "no change needed" or "no urgent temporary hotfix
>> needed"?  Is the implementation of the proposed extension still the
>> long-term plan, so that apps needing rehandshakes can do them safely?
>
> [sorry if I'm late to the game; we had a baby a few days ago and I'm sadly
> behind on e-mail and most other things.]

Congratulations!  Perfect timing.. ;)

> I agree with Tomas. When I wrote up the patch, I noticed that there were a
> few impediments to doing renegotiation at all in the way things are
> currently implemented (unless I misunderstood, which I always quite
> possible). Still, at some point, someone is going to really need the feature
> (or decide that the implementation is incomplete without perfect support for
> it), and once that happens, the bug will magically appear unless the TLS
> extension I supported.
>
> There's also a good reason to support the extension from an interop
> standpoint - servers will want to detect patched clients in the (near?)
> future, so sending the extension along will be helpful.

Definitely.  Given a patch (and copyright assignment) for this, we could
add it to the experimental branch today, and once the IANA has allocated
a code point it could even be backported into the stable branch.

But that would be completely unrelated to fixing any short-term security
problem.

/Simon




From fw at deneb.enyo.de  Tue Nov 10 19:13:27 2009
From: fw at deneb.enyo.de (Florian Weimer)
Date: Tue, 10 Nov 2009 19:13:27 +0100
Subject: TLS Renegotiation problem
In-Reply-To: <87my2u2uus.fsf@mocca.josefsson.org> (Simon Josefsson's message
	of "Tue, 10 Nov 2009 17:43:55 +0100")
References: <87d43rwwrt.fsf@mocca.josefsson.org>
	<4AF858F3.9000204@fifthhorseman.net>
	<87zl6u7t6m.fsf@mocca.josefsson.org>
	<87ws1y4v3b.fsf@mocca.josefsson.org>
	<20091110111754.GA14025@redhat.com>
	<87zl6u39fj.fsf@mocca.josefsson.org>
	<20091110132216.GA15446@redhat.com>
	<87my2u2uus.fsf@mocca.josefsson.org>
Message-ID: <87eio6b648.fsf@mid.deneb.enyo.de>

* Simon Josefsson:

> So, in summary, given (my) current knowledge there is no need to either
> patch GnuTLS or any server application using GnuTLS.

But GNUTLS would have to implement the extension to secure connections
to servers which support renegotiation.




From dispensa at phonefactor.com  Tue Nov 10 20:27:00 2009
From: dispensa at phonefactor.com (Steve Dispensa)
Date: Tue, 10 Nov 2009 13:27:00 -0600
Subject: TLS Renegotiation problem
In-Reply-To: <87eio6b648.fsf@mid.deneb.enyo.de>
Message-ID: <C71F1AA4.25191%dispensa@phonefactor.com>

On 11/10/09 12:13 PM, "Florian Weimer" <fw at deneb.enyo.de> wrote:

> * Simon Josefsson:
> 
>> So, in summary, given (my) current knowledge there is no need to either
>> patch GnuTLS or any server application using GnuTLS.
> 
> But GNUTLS would have to implement the extension to secure connections
> to servers which support renegotiation.

(...which support safe renegotiation using the extension - no such thing as
safe renegotiation absent both client and server supporting the extension.)

 -Steve





From fw at deneb.enyo.de  Tue Nov 10 20:28:04 2009
From: fw at deneb.enyo.de (Florian Weimer)
Date: Tue, 10 Nov 2009 20:28:04 +0100
Subject: TLS Renegotiation problem
In-Reply-To: <C71F1AA4.25191%dispensa@phonefactor.com> (Steve Dispensa's
	message of "Tue, 10 Nov 2009 13:27:00 -0600")
References: <C71F1AA4.25191%dispensa@phonefactor.com>
Message-ID: <87y6me89iz.fsf@mid.deneb.enyo.de>

* Steve Dispensa:

> On 11/10/09 12:13 PM, "Florian Weimer" <fw at deneb.enyo.de> wrote:
>
>> * Simon Josefsson:
>> 
>>> So, in summary, given (my) current knowledge there is no need to either
>>> patch GnuTLS or any server application using GnuTLS.
>> 
>> But GNUTLS would have to implement the extension to secure connections
>> to servers which support renegotiation.
>
> (...which support safe renegotiation using the extension - no such thing as
> safe renegotiation absent both client and server supporting the extension.)

Eh, yes, this was sort-of implied.  Thanks for the correction.




From thoger at redhat.com  Wed Nov 11 11:03:54 2009
From: thoger at redhat.com (Tomas Hoger)
Date: Wed, 11 Nov 2009 11:03:54 +0100
Subject: TLS Renegotiation problem
In-Reply-To: <87eio6b648.fsf@mid.deneb.enyo.de>
References: <87d43rwwrt.fsf@mocca.josefsson.org>
	<4AF858F3.9000204@fifthhorseman.net>
	<87zl6u7t6m.fsf@mocca.josefsson.org>
	<87ws1y4v3b.fsf@mocca.josefsson.org>
	<20091110111754.GA14025@redhat.com>
	<87zl6u39fj.fsf@mocca.josefsson.org>
	<20091110132216.GA15446@redhat.com>
	<87my2u2uus.fsf@mocca.josefsson.org>
	<87eio6b648.fsf@mid.deneb.enyo.de>
Message-ID: <20091111110354.5e39bc93@redhat.com>

On Tue, 10 Nov 2009 19:13:27 +0100 Florian Weimer <fw at deneb.enyo.de>
wrote:

> > So, in summary, given (my) current knowledge there is no need to
> > either patch GnuTLS or any server application using GnuTLS.
> 
> But GNUTLS would have to implement the extension to secure connections
> to servers which support renegotiation.

Simon confirmed that the implementation of the extension is planned.
I apologize for not properly specifying that "no change needed" was
actually meant as "no change needed, not even reneg extension
implemented", which caused the confusion.

th.




From thoger at redhat.com  Tue Nov 10 12:17:54 2009
From: thoger at redhat.com (Tomas Hoger)
Date: Tue, 10 Nov 2009 12:17:54 +0100
Subject: TLS Renegotiation problem
In-Reply-To: <87ws1y4v3b.fsf@mocca.josefsson.org>
References: <87d43rwwrt.fsf@mocca.josefsson.org>
	<4AF858F3.9000204@fifthhorseman.net>
	<87zl6u7t6m.fsf@mocca.josefsson.org>
	<87ws1y4v3b.fsf@mocca.josefsson.org>
Message-ID: <20091110111754.GA14025@redhat.com>

On Tue, Nov 10, 2009 at 09:55:52AM +0100, Simon Josefsson wrote:
> What other popular servers use GnuTLS?

CUPS and libvirt(d).  No GNUTLS_E_REHANDSHAKE in their sources, client
requested renegotiations seem to fail.

th.




From trupti.wilankar at hp.com  Tue Nov 17 08:14:19 2009
From: trupti.wilankar at hp.com (Wilankar, Trupti)
Date: Tue, 17 Nov 2009 07:14:19 +0000
Subject: Help required for CSR validation
Message-ID: <0ED4D36695851D49AEA7D226C726B41D39A60854D0@GVW0440EXB.americas.hpqcorp.net>

Hello,

I am from the iTP WebServer development team. The webserver runs on the HP NonStop Kernel. We are enhancing the webserver to comply with the TLS 1.1 standards and are using GnuTLS to extend this support.
We are facing problems with regards to validation of the CSR generated using the GnuTLS APIs.
 Though the CSR seems valid (as verified in OpenSSL and other online CSR decoders), CAs like Verisign, Thawte etc give an error while parsing the CSR.

We generated CSRs with same DN attributes with GnuTLS and OpenSSL.  After ASN1 parsing both the CSRs in OpenSSL, we found that the CSR generated by GnuTLS misses NULL paddings separating the CertificationRequestInfo, signatureAlgorithm and Signature.



The output from OpenSSL asn1parse for CSR generated by OpenSSL (with similar DN attributes):



$ openssl asn1parse -in openssl.req

    0:d=0  hl=4 l= 452 cons: SEQUENCE

    4:d=1  hl=4 l= 301 cons: SEQUENCE

    8:d=2  hl=2 l=   1 prim: INTEGER           :00

   11:d=2  hl=3 l= 131 cons: SEQUENCE

   14:d=3  hl=2 l=  11 cons: SET

   16:d=4  hl=2 l=   9 cons: SEQUENCE

   18:d=5  hl=2 l=   3 prim: OBJECT            :countryName

   23:d=5  hl=2 l=   2 prim: PRINTABLESTRING   :IN

   27:d=3  hl=2 l=  20 cons: SET

   29:d=4  hl=2 l=  18 cons: SEQUENCE

   31:d=5  hl=2 l=   3 prim: OBJECT            :stateOrProvinceName

   36:d=5  hl=2 l=  11 prim: PRINTABLESTRING   :Maharashtra

   49:d=3  hl=2 l=  15 cons: SET

   51:d=4  hl=2 l=  13 cons: SEQUENCE

   53:d=5  hl=2 l=   3 prim: OBJECT            :localityName

   58:d=5  hl=2 l=   6 prim: PRINTABLESTRING   :Mumbai

   66:d=3  hl=2 l=  34 cons: SET

   68:d=4  hl=2 l=  32 cons: SEQUENCE

   70:d=5  hl=2 l=   3 prim: OBJECT            :organizationName

   75:d=5  hl=2 l=  25 prim: PRINTABLESTRING   :Tata Consultancy Services

  102:d=3  hl=2 l=  15 cons: SET

  104:d=4  hl=2 l=  13 cons: SEQUENCE

  106:d=5  hl=2 l=   3 prim: OBJECT            :organizationalUnitName

  111:d=5  hl=2 l=   6 prim: PRINTABLESTRING   :HP NED

  119:d=3  hl=2 l=  24 cons: SET

  121:d=4  hl=2 l=  22 cons: SEQUENCE

  123:d=5  hl=2 l=   3 prim: OBJECT            :commonName

  128:d=5  hl=2 l=  15 prim: PRINTABLESTRING   :www.scarlet.com

  145:d=2  hl=3 l= 159 cons: SEQUENCE

  148:d=3  hl=2 l=  13 cons: SEQUENCE

  150:d=4  hl=2 l=   9 prim: OBJECT            :rsaEncryption

  161:d=4  hl=2 l=   0 prim: NULL                                    <==========

  163:d=3  hl=3 l= 141 prim: BIT STRING

  307:d=2  hl=2 l=   0 cons: cont [ 0 ]

  309:d=1  hl=2 l=  13 cons: SEQUENCE

  311:d=2  hl=2 l=   9 prim: OBJECT            :md5WithRSAEncryption

  322:d=2  hl=2 l=   0 prim: NULL                                    <==========

  324:d=1  hl=3 l= 129 prim: BIT STRING





The output from OpenSSL asn1parse for CSR generated by GnuTLS:



$ openssl asn1parse -in gnu.req

    0:d=0  hl=4 l= 447 cons: SEQUENCE

    4:d=1  hl=4 l= 298 cons: SEQUENCE

    8:d=2  hl=2 l=   1 prim: INTEGER           :00

   11:d=2  hl=3 l= 131 cons: SEQUENCE

   14:d=3  hl=2 l=  11 cons: SET

   16:d=4  hl=2 l=   9 cons: SEQUENCE

   18:d=5  hl=2 l=   3 prim: OBJECT            :countryName

   23:d=5  hl=2 l=   2 prim: PRINTABLESTRING   :IN

   27:d=3  hl=2 l=  15 cons: SET

   29:d=4  hl=2 l=  13 cons: SEQUENCE

   31:d=5  hl=2 l=   3 prim: OBJECT            :localityName

   36:d=5  hl=2 l=   6 prim: PRINTABLESTRING   :Mumbai

   44:d=3  hl=2 l=  20 cons: SET

   46:d=4  hl=2 l=  18 cons: SEQUENCE

   48:d=5  hl=2 l=   3 prim: OBJECT            :stateOrProvinceName

   53:d=5  hl=2 l=  11 prim: PRINTABLESTRING   :Maharashtra

   66:d=3  hl=2 l=  24 cons: SET

   68:d=4  hl=2 l=  22 cons: SEQUENCE

   70:d=5  hl=2 l=   3 prim: OBJECT            :commonName

   75:d=5  hl=2 l=  15 prim: PRINTABLESTRING   :www.scarlet.com

   92:d=3  hl=2 l=  15 cons: SET

   94:d=4  hl=2 l=  13 cons: SEQUENCE

   96:d=5  hl=2 l=   3 prim: OBJECT            :organizationalUnitName

  101:d=5  hl=2 l=   6 prim: PRINTABLESTRING   :HP NED

  109:d=3  hl=2 l=  34 cons: SET

  111:d=4  hl=2 l=  32 cons: SEQUENCE

  113:d=5  hl=2 l=   3 prim: OBJECT            :organizationName

  118:d=5  hl=2 l=  25 prim: PRINTABLESTRING   :Tata Consultancy Services

  145:d=2  hl=3 l= 156 cons: SEQUENCE

  148:d=3  hl=2 l=  11 cons: SEQUENCE

  150:d=4  hl=2 l=   9 prim: OBJECT            :rsaEncryption

                                              --> NULL field missing

  161:d=3  hl=3 l= 140 prim: BIT STRING

  304:d=2  hl=2 l=   0 cons: cont [ 0 ]

  306:d=1  hl=2 l=  11 cons: SEQUENCE

  308:d=2  hl=2 l=   9 prim: OBJECT            :sha1WithRSAEncryption

                                              --> NULL field missing

  319:d=1  hl=3 l= 129 prim: BIT STRING


The CSR generated using GnuTLS APIs:


-----BEGIN NEW CERTIFICATE REQUEST-----
MIIBvzCCASoCAQAwgYMxCzAJBgNVBAYTAklOMQ8wDQYDVQQHEwZNdW1iYWkxFDAS
BgNVBAgTC01haGFyYXNodHJhMRgwFgYDVQQDEw93d3cuc2NhcmxldC5jb20xDzAN
BgNVBAsTBkhQIE5FRDEiMCAGA1UEChMZVGF0YSBDb25zdWx0YW5jeSBTZXJ2aWNl
czCBnDALBgkqhkiG9w0BAQEDgYwAMIGIAoGAv/FlDNjp+Jer0dfnHpOMu06eaocT
WWugFEZTIJHsq1h2cQAu3aox/aP047umkyvndEFB3lB3wDoIIeu42sC3rvanWXrN
u5QYYxJbqSFjQNjncK5ZBuOkDpT+mr40THP5XasHJpDtyBi/eFLjkG5y8vncM9xM
7i9lwfWEsRHESmkCAwEAAaAAMAsGCSqGSIb3DQEBBQOBgQC8kcFxRVuPKaXZYxBT
AH1uvH7kTr/yeC8L5A3ctdzMX0KR2JSN1eB5PhYXhMzZRfhLrFtx0IP0RJS7uc0/
0mJ30lZpufbQSmJT+EIiamSm+zWvH3+SBn5VrP0gCyD0z5O3AK91YB9QXVFkCS/u
3WDjubwSoK4BmHY1W3z3xRSO1Q==
-----END NEW CERTIFICATE REQUEST-----





Is it possible that the CAs are unable to generate a valid certificate due to these NULL paddings or is there another reason why these CAs fail to parse the CSR.

Thanks,
Trupti





-------------- next part --------------
An HTML attachment was scrubbed...
URL: </pipermail/attachments/20091117/a236c877/attachment.htm>

From simon at josefsson.org  Tue Nov 17 11:32:46 2009
From: simon at josefsson.org (Simon Josefsson)
Date: Tue, 17 Nov 2009 11:32:46 +0100
Subject: TLS Renegotiation problem
In-Reply-To: <87zl6u7t6m.fsf@mocca.josefsson.org> (Simon Josefsson's message
	of "Tue, 10 Nov 2009 08:08:49 +0100")
References: <87d43rwwrt.fsf@mocca.josefsson.org>
	<4AF858F3.9000204@fifthhorseman.net>
	<87zl6u7t6m.fsf@mocca.josefsson.org>
Message-ID: <87bpj11lwx.fsf@mocca.josefsson.org>

Simon Josefsson <simon at josefsson.org> writes:

> In GnuTLS, rehandshaking needs to be done explicitly by servers when
> they get the GNUTLS_E_REHANDSHAKE error back from gnutls_record_recv.
> If servers don't call gnutls_handshake when that happens, there is no
> problem.  So people can check their applications if they are vulnerable
> to this problem.

For everyone's information, searching for "GNUTLS_E_REHANDSHAKE" in code
is not be sufficient: that only takes care of the situation where the
local client reacts on a renegotiation request from the remote server.

You also have to search for "gnutls_rehandshake" to take care of the
situation where the local server initiates the renegotiation request.

I believe one still has to look carefully at each example to understand
whether a particular instance is vulnerable or not: not all instances of
TLS reneg appears vulnerable.  For example, a server could make sure
that before calling gnutls_rehandshake it reads all data coming from the
client and performs input sanitizing on it because there is no guarantee
that data comes from the same identity who performs the TLS rehandshake
and sends more data later on.

/Simon




From nmav at gnutls.org  Wed Nov 18 19:14:48 2009
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Wed, 18 Nov 2009 20:14:48 +0200
Subject: Help required for CSR validation
In-Reply-To: <0ED4D36695851D49AEA7D226C726B41D39A60854D0@GVW0440EXB.americas.hpqcorp.net>
References: <0ED4D36695851D49AEA7D226C726B41D39A60854D0@GVW0440EXB.americas.hpqcorp.net>
Message-ID: <4B043998.8050102@gnutls.org>

Wilankar, Trupti wrote:
> Hello,
> 
> I am from the iTP WebServer development team. The webserver runs on the HP NonStop Kernel. We are enhancing the webserver to comply with the TLS 1.1 standards and are using GnuTLS to extend this support.
> We are facing problems with regards to validation of the CSR generated using the GnuTLS APIs.
>  Though the CSR seems valid (as verified in OpenSSL and other online CSR decoders), CAs like Verisign, Thawte etc give an error while parsing the CSR.
> 
> We generated CSRs with same DN attributes with GnuTLS and OpenSSL.  After ASN1 parsing both the CSRs in OpenSSL, we found that the CSR generated by GnuTLS misses NULL paddings separating the CertificationRequestInfo, signatureAlgorithm and Signature.
[...]
> Is it possible that the CAs are unable to generate a valid certificate due to these NULL paddings or is there another reason why these CAs fail to parse the CSR.

Hi,
 Thanks for bringing that up to me. Probably it might be some error in
the parsing library of the CA. I attach you a quick fix and if it works
for you I will add an option to encode using this format in certtool.

regards,
Nikos
-------------- next part --------------
A non-text attachment was scrubbed...
Name: null-encoding.patch
Type: text/x-patch
Size: 955 bytes
Desc: not available
URL: </pipermail/attachments/20091118/45310f0a/attachment.bin>

From thoger at redhat.com  Wed Nov 18 19:28:52 2009
From: thoger at redhat.com (Tomas Hoger)
Date: Wed, 18 Nov 2009 19:28:52 +0100
Subject: TLS Renegotiation problem
In-Reply-To: <87bpj11lwx.fsf@mocca.josefsson.org>
References: <87d43rwwrt.fsf@mocca.josefsson.org>
	<4AF858F3.9000204@fifthhorseman.net>
	<87zl6u7t6m.fsf@mocca.josefsson.org>
	<87bpj11lwx.fsf@mocca.josefsson.org>
Message-ID: <20091118192852.15c4563c@redhat.com>

On Tue, 17 Nov 2009 11:32:46 +0100 Simon Josefsson
<simon at josefsson.org> wrote:

> > In GnuTLS, rehandshaking needs to be done explicitly by servers when
> > they get the GNUTLS_E_REHANDSHAKE error back from
> > gnutls_record_recv. If servers don't call gnutls_handshake when
> > that happens, there is no problem.  So people can check their
> > applications if they are vulnerable to this problem.
> 
> For everyone's information, searching for "GNUTLS_E_REHANDSHAKE" in
> code is not be sufficient: that only takes care of the situation
> where the local client reacts on a renegotiation request from the
> remote server.
> 
> You also have to search for "gnutls_rehandshake" to take care of the
> situation where the local server initiates the renegotiation request.

I did a search for that in Red Hat Enterprise Linux sources and I've
not found anything using it.  Google codesearch finds it in mod_gnutls
though.  From a 30sec look, it may be using it in similar cases as
mod_ssl / mod_nss.

th.




From trupti.wilankar at hp.com  Thu Nov 19 11:43:22 2009
From: trupti.wilankar at hp.com (Wilankar, Trupti)
Date: Thu, 19 Nov 2009 10:43:22 +0000
Subject: Help required for CSR validation
In-Reply-To: <4B043998.8050102@gnutls.org>
References: <0ED4D36695851D49AEA7D226C726B41D39A60854D0@GVW0440EXB.americas.hpqcorp.net>
	<4B043998.8050102@gnutls.org>
Message-ID: <0ED4D36695851D49AEA7D226C726B41D39A60F37F8@GVW0440EXB.americas.hpqcorp.net>

Hi Nikos,
Thanks for the patch. Although the NULL fields are now visible in the CSR (as verified in OpenSSL), the CSR is still not acceptable by the CAs like Verisign, Thawte,  GeoTrust etc. Verisign continues to give the error 'CSR encoding error. Submit a valid CSR.'
Any thoughts as to what could be causing this issue. We have tried changing various parameters of the CSR like version, signature algorithm etc.. but nothing works.

Regards,
Trupti

-----Original Message-----
From: Nikos Mavrogiannopoulos [mailto:n.mavrogiannopoulos at gmail.com] On Behalf Of Nikos Mavrogiannopoulos
Sent: Wednesday, November 18, 2009 11:45 PM
To: Wilankar, Trupti
Cc: gnutls-devel at gnu.org; Konjarla, Pavan; Amburle, Rohan
Subject: Re: Help required for CSR validation

Wilankar, Trupti wrote:
> Hello,
> 
> I am from the iTP WebServer development team. The webserver runs on the HP NonStop Kernel. We are enhancing the webserver to comply with the TLS 1.1 standards and are using GnuTLS to extend this support.
> We are facing problems with regards to validation of the CSR generated using the GnuTLS APIs.
>  Though the CSR seems valid (as verified in OpenSSL and other online CSR decoders), CAs like Verisign, Thawte etc give an error while parsing the CSR.
> 
> We generated CSRs with same DN attributes with GnuTLS and OpenSSL.  After ASN1 parsing both the CSRs in OpenSSL, we found that the CSR generated by GnuTLS misses NULL paddings separating the CertificationRequestInfo, signatureAlgorithm and Signature.
[...]
> Is it possible that the CAs are unable to generate a valid certificate due to these NULL paddings or is there another reason why these CAs fail to parse the CSR.

Hi,
 Thanks for bringing that up to me. Probably it might be some error in the parsing library of the CA. I attach you a quick fix and if it works for you I will add an option to encode using this format in certtool.

regards,
Nikos




From simon at josefsson.org  Thu Nov 19 18:17:43 2009
From: simon at josefsson.org (Simon Josefsson)
Date: Thu, 19 Nov 2009 18:17:43 +0100
Subject: Help required for CSR validation
In-Reply-To: <0ED4D36695851D49AEA7D226C726B41D39A60F37F8@GVW0440EXB.americas.hpqcorp.net>
	(Trupti Wilankar's message of "Thu, 19 Nov 2009 10:43:22 +0000")
References: <0ED4D36695851D49AEA7D226C726B41D39A60854D0@GVW0440EXB.americas.hpqcorp.net>
	<4B043998.8050102@gnutls.org>
	<0ED4D36695851D49AEA7D226C726B41D39A60F37F8@GVW0440EXB.americas.hpqcorp.net>
Message-ID: <878we2303s.fsf@mocca.josefsson.org>

"Wilankar, Trupti" <trupti.wilankar at hp.com> writes:

> Hi Nikos,
> Thanks for the patch. Although the NULL fields are now visible in the CSR (as verified in OpenSSL), the CSR is still not acceptable by the CAs like Verisign, Thawte,  GeoTrust etc. Verisign continues to give the error 'CSR encoding error. Submit a valid CSR.'
> Any thoughts as to what could be causing this issue. We have tried changing various parameters of the CSR like version, signature algorithm etc.. but nothing works.

One common problem is that you add too much or too little information in
the DN -- try just adding a CN of the hostname, and skip everything
else, OR try make sure that all normal fields like O, OU, L, etc are
filled in.  I've used GnuTLS to generate CSRs for against some
commercial CAs and it did work but required quite some testing to see
what they expect -- but I assume when you use OpenSSL.  You may also
need a recent GnuTLS to make sure you assert the right key usage bits.

/Simon

> Regards,
> Trupti
>
> -----Original Message-----
> From: Nikos Mavrogiannopoulos [mailto:n.mavrogiannopoulos at gmail.com] On Behalf Of Nikos Mavrogiannopoulos
> Sent: Wednesday, November 18, 2009 11:45 PM
> To: Wilankar, Trupti
> Cc: gnutls-devel at gnu.org; Konjarla, Pavan; Amburle, Rohan
> Subject: Re: Help required for CSR validation
>
> Wilankar, Trupti wrote:
>> Hello,
>> 
>> I am from the iTP WebServer development team. The webserver runs on the HP NonStop Kernel. We are enhancing the webserver to comply with the TLS 1.1 standards and are using GnuTLS to extend this support.
>> We are facing problems with regards to validation of the CSR generated using the GnuTLS APIs.
>>  Though the CSR seems valid (as verified in OpenSSL and other online CSR decoders), CAs like Verisign, Thawte etc give an error while parsing the CSR.
>> 
>> We generated CSRs with same DN attributes with GnuTLS and OpenSSL.  After ASN1 parsing both the CSRs in OpenSSL, we found that the CSR generated by GnuTLS misses NULL paddings separating the CertificationRequestInfo, signatureAlgorithm and Signature.
> [...]
>> Is it possible that the CAs are unable to generate a valid certificate due to these NULL paddings or is there another reason why these CAs fail to parse the CSR.
>
> Hi,
>  Thanks for bringing that up to me. Probably it might be some error in the parsing library of the CA. I attach you a quick fix and if it works for you I will add an option to encode using this format in certtool.
>
> regards,
> Nikos




From trupti.wilankar at hp.com  Fri Nov 20 12:49:48 2009
From: trupti.wilankar at hp.com (Wilankar, Trupti)
Date: Fri, 20 Nov 2009 11:49:48 +0000
Subject: Help required for CSR validation
In-Reply-To: <878we2303s.fsf@mocca.josefsson.org>
References: <0ED4D36695851D49AEA7D226C726B41D39A60854D0@GVW0440EXB.americas.hpqcorp.net>
	<4B043998.8050102@gnutls.org>
	<0ED4D36695851D49AEA7D226C726B41D39A60F37F8@GVW0440EXB.americas.hpqcorp.net>
	<878we2303s.fsf@mocca.josefsson.org>
Message-ID: <0ED4D36695851D49AEA7D226C726B41D39A60F3D19@GVW0440EXB.americas.hpqcorp.net>

Hello Simon,

We have tried various combinations of DNs. But, we end up with the same error. 
We have ported GnuTLS 2.6.5 on our environment (HP NonStop Kernel). We have also downloaded Windows versions 2.8.5 and 2.9.9. 
CSRs generated by using certtool provided by the above 3 versions fail to get a valid certificate.
We face the same problem when using GnuTLS APIs to generate a CSR.

However, CSR generated by OpenSSL with the same DN fields and keys give us a valid trial certificate.

We are kind of stuck and do not know how to proceed further. Any guidelines to generate a valid CSR (acceptable by CAs) would be of great help.

Thanks,
Trupti

-----Original Message-----
From: Simon Josefsson [mailto:simon at josefsson.org] 
Sent: Thursday, November 19, 2009 10:48 PM
To: Wilankar, Trupti
Cc: Nikos Mavrogiannopoulos; Konjarla, Pavan; gnutls-devel at gnu.org; Amburle, Rohan
Subject: Re: Help required for CSR validation

"Wilankar, Trupti" <trupti.wilankar at hp.com> writes:

> Hi Nikos,
> Thanks for the patch. Although the NULL fields are now visible in the CSR (as verified in OpenSSL), the CSR is still not acceptable by the CAs like Verisign, Thawte,  GeoTrust etc. Verisign continues to give the error 'CSR encoding error. Submit a valid CSR.'
> Any thoughts as to what could be causing this issue. We have tried changing various parameters of the CSR like version, signature algorithm etc.. but nothing works.

One common problem is that you add too much or too little information in
the DN -- try just adding a CN of the hostname, and skip everything
else, OR try make sure that all normal fields like O, OU, L, etc are
filled in.  I've used GnuTLS to generate CSRs for against some
commercial CAs and it did work but required quite some testing to see
what they expect -- but I assume when you use OpenSSL.  You may also
need a recent GnuTLS to make sure you assert the right key usage bits.

/Simon

> Regards,
> Trupti
>
> -----Original Message-----
> From: Nikos Mavrogiannopoulos [mailto:n.mavrogiannopoulos at gmail.com] On Behalf Of Nikos Mavrogiannopoulos
> Sent: Wednesday, November 18, 2009 11:45 PM
> To: Wilankar, Trupti
> Cc: gnutls-devel at gnu.org; Konjarla, Pavan; Amburle, Rohan
> Subject: Re: Help required for CSR validation
>
> Wilankar, Trupti wrote:
>> Hello,
>> 
>> I am from the iTP WebServer development team. The webserver runs on the HP NonStop Kernel. We are enhancing the webserver to comply with the TLS 1.1 standards and are using GnuTLS to extend this support.
>> We are facing problems with regards to validation of the CSR generated using the GnuTLS APIs.
>>  Though the CSR seems valid (as verified in OpenSSL and other online CSR decoders), CAs like Verisign, Thawte etc give an error while parsing the CSR.
>> 
>> We generated CSRs with same DN attributes with GnuTLS and OpenSSL.  After ASN1 parsing both the CSRs in OpenSSL, we found that the CSR generated by GnuTLS misses NULL paddings separating the CertificationRequestInfo, signatureAlgorithm and Signature.
> [...]
>> Is it possible that the CAs are unable to generate a valid certificate due to these NULL paddings or is there another reason why these CAs fail to parse the CSR.
>
> Hi,
>  Thanks for bringing that up to me. Probably it might be some error in the parsing library of the CA. I attach you a quick fix and if it works for you I will add an option to encode using this format in certtool.
>
> regards,
> Nikos




From nmav at gnutls.org  Sat Nov 21 20:10:05 2009
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Sat, 21 Nov 2009 21:10:05 +0200
Subject: Help required for CSR validation
In-Reply-To: <0ED4D36695851D49AEA7D226C726B41D39A60F3D19@GVW0440EXB.americas.hpqcorp.net>
References: <0ED4D36695851D49AEA7D226C726B41D39A60854D0@GVW0440EXB.americas.hpqcorp.net>	<4B043998.8050102@gnutls.org>	<0ED4D36695851D49AEA7D226C726B41D39A60F37F8@GVW0440EXB.americas.hpqcorp.net>
	<878we2303s.fsf@mocca.josefsson.org>
	<0ED4D36695851D49AEA7D226C726B41D39A60F3D19@GVW0440EXB.americas.hpqcorp.net>
Message-ID: <4B083B0D.8070403@gnutls.org>

Wilankar, Trupti wrote:
> Hello Simon,
> 
> We have tried various combinations of DNs. But, we end up with the same error. 
> We have ported GnuTLS 2.6.5 on our environment (HP NonStop Kernel). We have also downloaded Windows versions 2.8.5 and 2.9.9. 
> CSRs generated by using certtool provided by the above 3 versions fail to get a valid certificate.
> We face the same problem when using GnuTLS APIs to generate a CSR.
> 
> However, CSR generated by OpenSSL with the same DN fields and keys give us a valid trial certificate.
> 
> We are kind of stuck and do not know how to proceed further. Any guidelines to generate a valid CSR (acceptable by CAs) would be of great help.

Could you send me two identical CSRs one with openssl and the other with
gnutls?




From david.kirkby at onetel.net  Sun Nov 22 03:38:06 2009
From: david.kirkby at onetel.net (Dr. David Kirkby)
Date: Sun, 22 Nov 2009 02:38:06 +0000
Subject: GnuTLS 2.9.9 - uses non-portable option to grep. 
In-Reply-To: <874op29813.fsf@mocca.josefsson.org>
References: <874op29813.fsf@mocca.josefsson.org>
Message-ID: <4B08A40E.6000705@onetel.net>

Simon Josefsson wrote:
> The GnuTLS 2.9.x branch is NOT what you want for your stable system.  It
> is intended for developers and experienced users.
> 
> Here are the compressed sources (6.1MB):
>   http://alpha.gnu.org/gnu/gnutls/gnutls-2.9.9.tar.bz2

Well, I'm neither, but I thought I'd give it a try for you on a Sun Ultra 27 
running OpenSolaris.

configure: summary of build options:

   version:          2.9.9 shared 42:4:16
   Host type:        i386-pc-solaris2.11
   Install prefix:   /usr/local
   Compiler:         gcc -std=gnu99
   Warning flags:    errors:  warnings:
   Library types:    Shared=yes, Static=yes
   Valgrind:         no
   Guile wrappers:   no
   C++ library:      yes
   OpenSSL library:  yes

PASS: openpgpself
grep: illegal option -- q
Usage: grep -hblcnsviw pattern file . . .
RFC 2253 escaping not working?
FAIL: rfc2253-escape-test
===================================
1 of 43 tests failed
Please report to bug-gnutls at gnu.org
===================================


-q which is an option to GNU grep is not supported by the standard grep in 
Solaris. (There is a POSIX compatible version at /usr/xpg4/bin/grep,  but it is 
not the default grep in /usr/bin/grep.)

It would be better to send the output of grep to /dev/null, as that will work on 
any grep.

Dave





From trupti.wilankar at hp.com  Mon Nov 23 08:23:56 2009
From: trupti.wilankar at hp.com (Wilankar, Trupti)
Date: Mon, 23 Nov 2009 07:23:56 +0000
Subject: Help required for CSR validation
In-Reply-To: <4B083B0D.8070403@gnutls.org>
References: <0ED4D36695851D49AEA7D226C726B41D39A60854D0@GVW0440EXB.americas.hpqcorp.net>
	<4B043998.8050102@gnutls.org>
	<0ED4D36695851D49AEA7D226C726B41D39A60F37F8@GVW0440EXB.americas.hpqcorp.net>
	<878we2303s.fsf@mocca.josefsson.org>
	<0ED4D36695851D49AEA7D226C726B41D39A60F3D19@GVW0440EXB.americas.hpqcorp.net>
	<4B083B0D.8070403@gnutls.org>
Message-ID: <0ED4D36695851D49AEA7D226C726B41D39A6B17BC5@GVW0440EXB.americas.hpqcorp.net>

Hi,

I have used Certtool from GnuTLS Windows version 2.9.9.
A 2048 bit private key was generated using Certtool (Command: certtool -p --outfile priv.key --bits 2048). 
This private key was used to create CSRs, both on OpenSSL and Certtool. The DN fields (C, CN, ST, L, O, OU) used in both CSRs are also same.

CSR from OpenSSL: (Command: openssl req -new -nodes -key priv.key -out openssl.req)

-----BEGIN CERTIFICATE REQUEST-----
MIICtTCCAZ0CAQAwcDELMAkGA1UEBhMCSU4xFDASBgNVBAgTC01haGFyYXNodHJh
MQ8wDQYDVQQHEwZNdW1iYWkxCzAJBgNVBAoTAkhQMQwwCgYDVQQLEwNORUQxHzAd
BgNVBAMTFk5CVENTMDEudGNzaHAudGNwbi5jb20wggEiMA0GCSqGSIb3DQEBAQUA
A4IBDwAwggEKAoIBAQCr466EI1r+P8ql3hSj9iTajyNF2D5hg4Q6+5F/V/3Kgcg7
TVpNp4Hoeq1UV7mHZ41ILCwydsy2zQTP9GGG4FiOsMfWUpBHutJmzsHDaiHrd+ZQ
4QrHS21iG6nOqhJ2R7d24H+aWlXqIniIJrZ7+qYUZyr06ViG75IZ9RLOzd9BLZeY
TkIJEiHmApoh9oUcET31XJ1jbE+QsWD3pOFptEGBt3tq3uAGC4Fg91mQDMQdvsB4
coxUUJszoK6aPLQwhmKbXTmIE+9V83rp/4cyQGP7+xugt8xLzkuB/U0i2TqM0Io4
UUUUfuTXG0WTTB9w6DHjaa2udOhMRlAzZWVWQQZPAgMBAAGgADANBgkqhkiG9w0B
AQQFAAOCAQEAMJR9MY1wzgAU6GqvQets13etdZwA/IxJhdBTWVtSRMWIydHFnOjB
ZTEkB3vbW6YkenhKEd4Ok14DYD5UwB5p5KjdZZGzxSepYiE+orjLoz2A+RD0dNWj
bXTH/3TIDZqHAXUVFnSjG3EpR0nIG/KctwYAJHRO7SLvi1qz1/VLc94k7ZjyV+ua
vG+eSoqVVl4lSuEVxX2aHiIS4qETDZXGeGOqyj78ZlUpW3rqXT5H5SzzDVaSgi09
B/ElT1S5U2b7jFJGbtaw9JrYIaYyIxiHwsQyNYRR+SUhYfeqSCP0jPAu7Egf/ov6
Gp2XrVua/I+h281LN2TZZ1GVe7+VGxnYIg==
-----END CERTIFICATE REQUEST-----

CSR from Certtool: (Command: certtool --generate-request --load-privkey priv.key --outfile gnutls.req)

-----BEGIN NEW CERTIFICATE REQUEST-----
MIIC4DCCAcoCAQAwcDELMAkGA1UEBhMCSU4xCzAJBgNVBAoTAkhQMQwwCgYDVQQL
EwNORUQxDzANBgNVBAcTBk11bWJhaTEUMBIGA1UECBMLTWFoYXJhc2h0cmExHzAd
BgNVBAMTFk5CVENTMDEudGNzaHAudGNwbi5jb20wggEfMAsGCSqGSIb3DQEBAQOC
AQ4AMIIBCQKCAQCr466EI1r+P8ql3hSj9iTajyNF2D5hg4Q6+5F/V/3Kgcg7TVpN
p4Hoeq1UV7mHZ41ILCwydsy2zQTP9GGG4FiOsMfWUpBHutJmzsHDaiHrd+ZQ4QrH
S21iG6nOqhJ2R7d24H+aWlXqIniIJrZ7+qYUZyr06ViG75IZ9RLOzd9BLZeYTkIJ
EiHmApoh9oUcET31XJ1jbE+QsWD3pOFptEGBt3tq3uAGC4Fg91mQDMQdvsB4coxU
UJszoK6aPLQwhmKbXTmIE+9V83rp/4cyQGP7+xugt8xLzkuB/U0i2TqM0Io4UUUU
fuTXG0WTTB9w6DHjaa2udOhMRlAzZWVWQQZPAgMBAAGgMDAuBgkqhkiG9w0BCQ4x
ITAfMAwGA1UdEwEB/wQCMAAwDwYDVR0PAQH/BAUDAweAADALBgkqhkiG9w0BAQUD
ggEBAG4aCIve3sc/QjCctS7STGEp9WZ8t9OPLHlhX+hp07L4g9Nhi83Xk6Ses5pw
z9dvn0+Bb34h+dnTjfsvsVwM2Kk5BII9gj1T12JsrbalJxlqAXkEu28w7/gJvR0q
/a5wXS19/2pmmN9WpGVnSAeJ46tYG8nA2fPdACIG/QwYD1FW78NHn2NcFiYNKS9Q
OR2ZXMYXYfiBaHUeudY4ve8Phlx5nmFF4mk30fC+I0pWGBXA04fbunSybnURjfh+
AdfL01LI6ShkfNLUywEq5/zmGA+HyGnBWjwlYBWlG6B0O4Yjtfye/qgqlBtXcQ7e
f0HYlL3oOiHADwPtqJ9REuJb//s=
-----END NEW CERTIFICATE REQUEST-----

We were able to generate a trial certificate from VeriSign using the OpenSSL CSR but got the error ' CSR encoding error. Submit a valid CSR.' with Certtool CSR.

Thanks,
Trupti


-----Original Message-----
From: Nikos Mavrogiannopoulos [mailto:n.mavrogiannopoulos at gmail.com] On Behalf Of Nikos Mavrogiannopoulos
Sent: Sunday, November 22, 2009 12:40 AM
To: Wilankar, Trupti
Cc: Simon Josefsson; Konjarla, Pavan; gnutls-devel at gnu.org; Amburle, Rohan
Subject: Re: Help required for CSR validation

Wilankar, Trupti wrote:
> Hello Simon,
> 
> We have tried various combinations of DNs. But, we end up with the same error. 
> We have ported GnuTLS 2.6.5 on our environment (HP NonStop Kernel). We have also downloaded Windows versions 2.8.5 and 2.9.9. 
> CSRs generated by using certtool provided by the above 3 versions fail to get a valid certificate.
> We face the same problem when using GnuTLS APIs to generate a CSR.
> 
> However, CSR generated by OpenSSL with the same DN fields and keys give us a valid trial certificate.
> 
> We are kind of stuck and do not know how to proceed further. Any guidelines to generate a valid CSR (acceptable by CAs) would be of great help.

Could you send me two identical CSRs one with openssl and the other with
gnutls?




From simon at josefsson.org  Mon Nov 23 11:13:37 2009
From: simon at josefsson.org (Simon Josefsson)
Date: Mon, 23 Nov 2009 11:13:37 +0100
Subject: GnuTLS 2.9.9 - uses non-portable option to grep.
In-Reply-To: <4B08A40E.6000705@onetel.net> (David Kirkby's message of "Sun, 22
	Nov 2009 02:38:06 +0000")
References: <874op29813.fsf@mocca.josefsson.org> <4B08A40E.6000705@onetel.net>
Message-ID: <876391v99q.fsf@mocca.josefsson.org>

"Dr. David Kirkby" <david.kirkby at onetel.net> writes:

> Simon Josefsson wrote:
>> The GnuTLS 2.9.x branch is NOT what you want for your stable system.  It
>> is intended for developers and experienced users.
>>
>> Here are the compressed sources (6.1MB):
>>   http://alpha.gnu.org/gnu/gnutls/gnutls-2.9.9.tar.bz2
>
> Well, I'm neither, but I thought I'd give it a try for you on a Sun
> Ultra 27 running OpenSolaris.

Thank you very much!

> grep: illegal option -- q
> Usage: grep -hblcnsviw pattern file . . .
> RFC 2253 escaping not working?
> FAIL: rfc2253-escape-test
> ===================================
> 1 of 43 tests failed
> Please report to bug-gnutls at gnu.org
> ===================================
>
>
> -q which is an option to GNU grep is not supported by the standard
> grep in Solaris. (There is a POSIX compatible version at
> /usr/xpg4/bin/grep,  but it is not the default grep in /usr/bin/grep.)
>
> It would be better to send the output of grep to /dev/null, as that
> will work on any grep.

I agree, and have fixed this now:

http://git.savannah.gnu.org/cgit/gnutls.git/commit/?id=54e9b7ccb2bb724e7dffa4e2b6e7e7db2910ef16

Thanks,
/Simon




From dkg at fifthhorseman.net  Mon Nov 23 19:58:57 2009
From: dkg at fifthhorseman.net (Daniel Kahn Gillmor)
Date: Mon, 23 Nov 2009 13:58:57 -0500
Subject: Help required for CSR validation
In-Reply-To: <0ED4D36695851D49AEA7D226C726B41D39A6B17BC5@GVW0440EXB.americas.hpqcorp.net>
References: <0ED4D36695851D49AEA7D226C726B41D39A60854D0@GVW0440EXB.americas.hpqcorp.net>	<4B043998.8050102@gnutls.org>	<0ED4D36695851D49AEA7D226C726B41D39A60F37F8@GVW0440EXB.americas.hpqcorp.net>	<878we2303s.fsf@mocca.josefsson.org>	<0ED4D36695851D49AEA7D226C726B41D39A60F3D19@GVW0440EXB.americas.hpqcorp.net>	<4B083B0D.8070403@gnutls.org>
	<0ED4D36695851D49AEA7D226C726B41D39A6B17BC5@GVW0440EXB.americas.hpqcorp.net>
Message-ID: <4B0ADB71.4060107@fifthhorseman.net>

On 11/23/2009 02:23 AM, Wilankar, Trupti wrote:
> 
> CSR from OpenSSL: (Command: openssl req -new -nodes -key priv.key -out openssl.req)
> 
> -----BEGIN CERTIFICATE REQUEST-----
 [...]
> -----END CERTIFICATE REQUEST-----
> 
> CSR from Certtool: (Command: certtool --generate-request --load-privkey priv.key --outfile gnutls.req)
> 
> -----BEGIN NEW CERTIFICATE REQUEST-----
 [...]
> -----END NEW CERTIFICATE REQUEST-----

this is perhaps a long shot, but could it be the "NEW" that VeriSign
doesn't like?  can you try changing the header and footer lines and
re-submitting?

	--dkg

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 891 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20091123/aa56b55a/attachment.pgp>

From trupti.wilankar at hp.com  Tue Nov 24 11:10:47 2009
From: trupti.wilankar at hp.com (Wilankar, Trupti)
Date: Tue, 24 Nov 2009 10:10:47 +0000
Subject: Help required for CSR validation
In-Reply-To: <4B0ADB71.4060107@fifthhorseman.net>
References: <0ED4D36695851D49AEA7D226C726B41D39A60854D0@GVW0440EXB.americas.hpqcorp.net>
	<4B043998.8050102@gnutls.org>
	<0ED4D36695851D49AEA7D226C726B41D39A60F37F8@GVW0440EXB.americas.hpqcorp.net>
	<878we2303s.fsf@mocca.josefsson.org>
	<0ED4D36695851D49AEA7D226C726B41D39A60F3D19@GVW0440EXB.americas.hpqcorp.net>
	<4B083B0D.8070403@gnutls.org>
	<0ED4D36695851D49AEA7D226C726B41D39A6B17BC5@GVW0440EXB.americas.hpqcorp.net>
	<4B0ADB71.4060107@fifthhorseman.net>
Message-ID: <0ED4D36695851D49AEA7D226C726B41D39A6B18185@GVW0440EXB.americas.hpqcorp.net>

Hi Daniel,
We had tried removing "NEW" from the header and footer in the Certtool CSR and then submitting the CSR. It still gives the same error. 
We even tried adding "NEW" in the header and footer lines in OpenSSL CSR and that works. So, apparently VeriSign does not have a problem with the "NEW"
Regards,
Trupti

-----Original Message-----
From: Daniel Kahn Gillmor [mailto:dkg at fifthhorseman.net] 
Sent: Tuesday, November 24, 2009 12:29 AM
To: Wilankar, Trupti
Cc: Nikos Mavrogiannopoulos; Konjarla, Pavan; Simon Josefsson; gnutls-devel at gnu.org; Amburle, Rohan
Subject: Re: Help required for CSR validation

On 11/23/2009 02:23 AM, Wilankar, Trupti wrote:
> 
> CSR from OpenSSL: (Command: openssl req -new -nodes -key priv.key -out 
> openssl.req)
> 
> -----BEGIN CERTIFICATE REQUEST-----
 [...]
> -----END CERTIFICATE REQUEST-----
> 
> CSR from Certtool: (Command: certtool --generate-request 
> --load-privkey priv.key --outfile gnutls.req)
> 
> -----BEGIN NEW CERTIFICATE REQUEST-----
 [...]
> -----END NEW CERTIFICATE REQUEST-----

this is perhaps a long shot, but could it be the "NEW" that VeriSign doesn't like?  can you try changing the header and footer lines and re-submitting?

	--dkg


From nmav at gnutls.org  Tue Nov 24 20:15:19 2009
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Tue, 24 Nov 2009 21:15:19 +0200
Subject: Help required for CSR validation
In-Reply-To: <0ED4D36695851D49AEA7D226C726B41D39A6B17BC5@GVW0440EXB.americas.hpqcorp.net>
References: <0ED4D36695851D49AEA7D226C726B41D39A60854D0@GVW0440EXB.americas.hpqcorp.net>	<4B043998.8050102@gnutls.org>	<0ED4D36695851D49AEA7D226C726B41D39A60F37F8@GVW0440EXB.americas.hpqcorp.net>
	<878we2303s.fsf@mocca.josefsson.org>
	<0ED4D36695851D49AEA7D226C726B41D39A60F3D19@GVW0440EXB.americas.hpqcorp.net>
	<4B083B0D.8070403@gnutls.org>
	<0ED4D36695851D49AEA7D226C726B41D39A6B17BC5@GVW0440EXB.americas.hpqcorp.net>
Message-ID: <4B0C30C7.7050706@gnutls.org>

Wilankar, Trupti wrote:
> Hi,
> 
> I have used Certtool from GnuTLS Windows version 2.9.9.
> A 2048 bit private key was generated using Certtool (Command: certtool -p --outfile priv.key --bits 2048). 
> This private key was used to create CSRs, both on OpenSSL and Certtool. The DN fields (C, CN, ST, L, O, OU) used in both CSRs are also same.
> 
> CSR from OpenSSL: (Command: openssl req -new -nodes -key priv.key -out openssl.req)

Those certificate requests differ in the sense that the second has
extensions. I suspect that you already tried without (from your first
mail), but anyway a patch is attached to build without. In any case
if you can please send one certificate with certtool that doesn't
contain extensions and doesn't get accepted by the authority you try.
(is there an easy way for me to try that?)

best regards.
Nikos


> 
> -----BEGIN CERTIFICATE REQUEST-----
> MIICtTCCAZ0CAQAwcDELMAkGA1UEBhMCSU4xFDASBgNVBAgTC01haGFyYXNodHJh
> MQ8wDQYDVQQHEwZNdW1iYWkxCzAJBgNVBAoTAkhQMQwwCgYDVQQLEwNORUQxHzAd
> BgNVBAMTFk5CVENTMDEudGNzaHAudGNwbi5jb20wggEiMA0GCSqGSIb3DQEBAQUA
> A4IBDwAwggEKAoIBAQCr466EI1r+P8ql3hSj9iTajyNF2D5hg4Q6+5F/V/3Kgcg7
> TVpNp4Hoeq1UV7mHZ41ILCwydsy2zQTP9GGG4FiOsMfWUpBHutJmzsHDaiHrd+ZQ
> 4QrHS21iG6nOqhJ2R7d24H+aWlXqIniIJrZ7+qYUZyr06ViG75IZ9RLOzd9BLZeY
> TkIJEiHmApoh9oUcET31XJ1jbE+QsWD3pOFptEGBt3tq3uAGC4Fg91mQDMQdvsB4
> coxUUJszoK6aPLQwhmKbXTmIE+9V83rp/4cyQGP7+xugt8xLzkuB/U0i2TqM0Io4
> UUUUfuTXG0WTTB9w6DHjaa2udOhMRlAzZWVWQQZPAgMBAAGgADANBgkqhkiG9w0B
> AQQFAAOCAQEAMJR9MY1wzgAU6GqvQets13etdZwA/IxJhdBTWVtSRMWIydHFnOjB
> ZTEkB3vbW6YkenhKEd4Ok14DYD5UwB5p5KjdZZGzxSepYiE+orjLoz2A+RD0dNWj
> bXTH/3TIDZqHAXUVFnSjG3EpR0nIG/KctwYAJHRO7SLvi1qz1/VLc94k7ZjyV+ua
> vG+eSoqVVl4lSuEVxX2aHiIS4qETDZXGeGOqyj78ZlUpW3rqXT5H5SzzDVaSgi09
> B/ElT1S5U2b7jFJGbtaw9JrYIaYyIxiHwsQyNYRR+SUhYfeqSCP0jPAu7Egf/ov6
> Gp2XrVua/I+h281LN2TZZ1GVe7+VGxnYIg==
> -----END CERTIFICATE REQUEST-----
> 
> CSR from Certtool: (Command: certtool --generate-request --load-privkey priv.key --outfile gnutls.req)
> 
> -----BEGIN NEW CERTIFICATE REQUEST-----
> MIIC4DCCAcoCAQAwcDELMAkGA1UEBhMCSU4xCzAJBgNVBAoTAkhQMQwwCgYDVQQL
> EwNORUQxDzANBgNVBAcTBk11bWJhaTEUMBIGA1UECBMLTWFoYXJhc2h0cmExHzAd
> BgNVBAMTFk5CVENTMDEudGNzaHAudGNwbi5jb20wggEfMAsGCSqGSIb3DQEBAQOC
> AQ4AMIIBCQKCAQCr466EI1r+P8ql3hSj9iTajyNF2D5hg4Q6+5F/V/3Kgcg7TVpN
> p4Hoeq1UV7mHZ41ILCwydsy2zQTP9GGG4FiOsMfWUpBHutJmzsHDaiHrd+ZQ4QrH
> S21iG6nOqhJ2R7d24H+aWlXqIniIJrZ7+qYUZyr06ViG75IZ9RLOzd9BLZeYTkIJ
> EiHmApoh9oUcET31XJ1jbE+QsWD3pOFptEGBt3tq3uAGC4Fg91mQDMQdvsB4coxU
> UJszoK6aPLQwhmKbXTmIE+9V83rp/4cyQGP7+xugt8xLzkuB/U0i2TqM0Io4UUUU
> fuTXG0WTTB9w6DHjaa2udOhMRlAzZWVWQQZPAgMBAAGgMDAuBgkqhkiG9w0BCQ4x
> ITAfMAwGA1UdEwEB/wQCMAAwDwYDVR0PAQH/BAUDAweAADALBgkqhkiG9w0BAQUD
> ggEBAG4aCIve3sc/QjCctS7STGEp9WZ8t9OPLHlhX+hp07L4g9Nhi83Xk6Ses5pw
> z9dvn0+Bb34h+dnTjfsvsVwM2Kk5BII9gj1T12JsrbalJxlqAXkEu28w7/gJvR0q
> /a5wXS19/2pmmN9WpGVnSAeJ46tYG8nA2fPdACIG/QwYD1FW78NHn2NcFiYNKS9Q
> OR2ZXMYXYfiBaHUeudY4ve8Phlx5nmFF4mk30fC+I0pWGBXA04fbunSybnURjfh+
> AdfL01LI6ShkfNLUywEq5/zmGA+HyGnBWjwlYBWlG6B0O4Yjtfye/qgqlBtXcQ7e
> f0HYlL3oOiHADwPtqJ9REuJb//s=
> -----END NEW CERTIFICATE REQUEST-----
> 
> We were able to generate a trial certificate from VeriSign using the OpenSSL CSR but got the error ' CSR encoding error. Submit a valid CSR.' with Certtool CSR.
> 
> Thanks,
> Trupti
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: patch
URL: </pipermail/attachments/20091124/cc0a5e38/attachment.asc>

From nmav at gnutls.org  Tue Nov 24 20:34:25 2009
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Tue, 24 Nov 2009 21:34:25 +0200
Subject: Help required for CSR validation
In-Reply-To: <0ED4D36695851D49AEA7D226C726B41D39A6B17BC5@GVW0440EXB.americas.hpqcorp.net>
References: <0ED4D36695851D49AEA7D226C726B41D39A60854D0@GVW0440EXB.americas.hpqcorp.net>	<4B043998.8050102@gnutls.org>	<0ED4D36695851D49AEA7D226C726B41D39A60F37F8@GVW0440EXB.americas.hpqcorp.net>
	<878we2303s.fsf@mocca.josefsson.org>
	<0ED4D36695851D49AEA7D226C726B41D39A60F3D19@GVW0440EXB.americas.hpqcorp.net>
	<4B083B0D.8070403@gnutls.org>
	<0ED4D36695851D49AEA7D226C726B41D39A6B17BC5@GVW0440EXB.americas.hpqcorp.net>
Message-ID: <4B0C3541.7000000@gnutls.org>

Wilankar, Trupti wrote:
> Hi,
> 
> I have used Certtool from GnuTLS Windows version 2.9.9.
> A 2048 bit private key was generated using Certtool (Command: certtool -p --outfile priv.key --bits 2048). 
> This private key was used to create CSRs, both on OpenSSL and Certtool. The DN fields (C, CN, ST, L, O, OU) used in both CSRs are also same.

Could you also try this patch? I noticed that integers in bit strings in
openssl contain a leading zero. This patch makes certtool behave the same.

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: patch-int
URL: </pipermail/attachments/20091124/14975223/attachment.txt>

From bkasarov at gmail.com  Tue Nov 24 20:54:22 2009
From: bkasarov at gmail.com (Boyan Kasarov)
Date: Tue, 24 Nov 2009 21:54:22 +0200
Subject: Help required for CSR validation
In-Reply-To: <4B0C3541.7000000@gnutls.org>
References: <0ED4D36695851D49AEA7D226C726B41D39A60854D0@GVW0440EXB.americas.hpqcorp.net>
	<4B043998.8050102@gnutls.org>
	<0ED4D36695851D49AEA7D226C726B41D39A60F37F8@GVW0440EXB.americas.hpqcorp.net>
	<878we2303s.fsf@mocca.josefsson.org>
	<0ED4D36695851D49AEA7D226C726B41D39A60F3D19@GVW0440EXB.americas.hpqcorp.net>
	<4B083B0D.8070403@gnutls.org>
	<0ED4D36695851D49AEA7D226C726B41D39A6B17BC5@GVW0440EXB.americas.hpqcorp.net>
	<4B0C3541.7000000@gnutls.org>
Message-ID: <1259092462.29095.43.camel@localhost>

Hello,

This patch works for RSA, but doesn't for DSA.

Greetings
Boyan

? 21:34 +0200 ?? 24.11.2009 (??), Nikos Mavrogiannopoulos ??????:
> Wilankar, Trupti wrote:
> > Hi,
> > 
> > I have used Certtool from GnuTLS Windows version 2.9.9.
> > A 2048 bit private key was generated using Certtool (Command: certtool -p --outfile priv.key --bits 2048). 
> > This private key was used to create CSRs, both on OpenSSL and Certtool. The DN fields (C, CN, ST, L, O, OU) used in both CSRs are also same.
> 
> Could you also try this patch? I noticed that integers in bit strings in
> openssl contain a leading zero. This patch makes certtool behave the same.
> 
> ???????? ? ???????????? ????? ????????? ???? (patch-int)
> diff --git a/lib/x509/mpi.c b/lib/x509/mpi.c
> index dc18eaa..50ce873 100644
> --- a/lib/x509/mpi.c
> +++ b/lib/x509/mpi.c
> @@ -380,14 +380,14 @@ _gnutls_x509_write_rsa_params (bigint_t * params, int params_size,
>        return _gnutls_asn2err (result);
>      }
>  
> -  result = _gnutls_x509_write_int (spk, "modulus", params[0], 0);
> +  result = _gnutls_x509_write_int (spk, "modulus", params[0], 1);
>    if (result < 0)
>      {
>        gnutls_assert ();
>        goto cleanup;
>      }
>  
> -  result = _gnutls_x509_write_int (spk, "publicExponent", params[1], 0);
> +  result = _gnutls_x509_write_int (spk, "publicExponent", params[1], 1);
>    if (result < 0)
>      {
>        gnutls_assert ();
> @@ -514,21 +514,21 @@ _gnutls_x509_write_dsa_params (bigint_t * params, int params_size,
>        return _gnutls_asn2err (result);
>      }
>  
> -  result = _gnutls_x509_write_int (spk, "p", params[0], 0);
> +  result = _gnutls_x509_write_int (spk, "p", params[0], 1);
>    if (result < 0)
>      {
>        gnutls_assert ();
>        goto cleanup;
>      }
>  
> -  result = _gnutls_x509_write_int (spk, "q", params[1], 0);
> +  result = _gnutls_x509_write_int (spk, "q", params[1], 1);
>    if (result < 0)
>      {
>        gnutls_assert ();
>        goto cleanup;
>      }
>  
> -  result = _gnutls_x509_write_int (spk, "g", params[2], 0);
> +  result = _gnutls_x509_write_int (spk, "g", params[2], 1);
>    if (result < 0)
>      {
>        gnutls_assert ();
> @@ -580,7 +580,7 @@ _gnutls_x509_write_dsa_public_key (bigint_t * params, int params_size,
>        return _gnutls_asn2err (result);
>      }
>  
> -  result = _gnutls_x509_write_int (spk, "", params[3], 0);
> +  result = _gnutls_x509_write_int (spk, "", params[3], 1);
>    if (result < 0)
>      {
>        gnutls_assert ();
> _______________________________________________
> Gnutls-devel mailing list
> Gnutls-devel at gnu.org
> http://lists.gnu.org/mailman/listinfo/gnutls-devel





From nmav at gnutls.org  Tue Nov 24 21:55:13 2009
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Tue, 24 Nov 2009 22:55:13 +0200
Subject: Help required for CSR validation
In-Reply-To: <1259092462.29095.43.camel@localhost>
References: <0ED4D36695851D49AEA7D226C726B41D39A60854D0@GVW0440EXB.americas.hpqcorp.net>	
	<4B043998.8050102@gnutls.org>	
	<0ED4D36695851D49AEA7D226C726B41D39A60F37F8@GVW0440EXB.americas.hpqcorp.net>	
	<878we2303s.fsf@mocca.josefsson.org>	
	<0ED4D36695851D49AEA7D226C726B41D39A60F3D19@GVW0440EXB.americas.hpqcorp.net>	
	<4B083B0D.8070403@gnutls.org>	
	<0ED4D36695851D49AEA7D226C726B41D39A6B17BC5@GVW0440EXB.americas.hpqcorp.net>	
	<4B0C3541.7000000@gnutls.org> <1259092462.29095.43.camel@localhost>
Message-ID: <4B0C4831.7060300@gnutls.org>

Boyan Kasarov wrote:
> Hello,
> 
> This patch works for RSA, but doesn't for DSA.

Hello,
 I do not understand. Did DSA keys got accepted before and now they
don't or no matter the patch or not they don't get accepted? If that
this the case, could you send me a DSA crq from gnutls that fails and a
crq with the same information from say openssl that gets accepted by
your CA?

regards,
Nikos




From bkasarov at gmail.com  Tue Nov 24 22:56:23 2009
From: bkasarov at gmail.com (Boyan Kasarov)
Date: Tue, 24 Nov 2009 23:56:23 +0200
Subject: Help required for CSR validation
In-Reply-To: <4B0C4831.7060300@gnutls.org>
References: <0ED4D36695851D49AEA7D226C726B41D39A60854D0@GVW0440EXB.americas.hpqcorp.net>
	<4B043998.8050102@gnutls.org>
	<0ED4D36695851D49AEA7D226C726B41D39A60F37F8@GVW0440EXB.americas.hpqcorp.net>
	<878we2303s.fsf@mocca.josefsson.org>
	<0ED4D36695851D49AEA7D226C726B41D39A60F3D19@GVW0440EXB.americas.hpqcorp.net>
	<4B083B0D.8070403@gnutls.org>
	<0ED4D36695851D49AEA7D226C726B41D39A6B17BC5@GVW0440EXB.americas.hpqcorp.net>
	<4B0C3541.7000000@gnutls.org> <1259092462.29095.43.camel@localhost>
	<4B0C4831.7060300@gnutls.org>
Message-ID: <1259099783.31433.93.camel@localhost>

Hello,

Soory for the short answer. Without the patch both RSA and DSA fail.
With the patch RSA works, but DSA still doesn't.

I am attaching 3 CSR.

dsa-no-patch - this is without the patch, it does not work with
VeriSign.

dsa-patch - this is the patched version, it also does not work with
VeriSign.

dsa-openssl- this one is generated with openssl, it works with VeriSign.

generate-request.c - I used this modified example from the documentation
to generate the requests.

I used VeriSign trial service from this link -
http://www.verisign.com/ssl/buy-ssl-certificates/free-ssl-certificate-trial/index.html

Greetings,
Boyan

? 22:55 +0200 ?? 24.11.2009 (??), Nikos Mavrogiannopoulos ??????:
> Boyan Kasarov wrote:
> > Hello,
> > 
> > This patch works for RSA, but doesn't for DSA.
> 
> Hello,
>  I do not understand. Did DSA keys got accepted before and now they
> don't or no matter the patch or not they don't get accepted? If that
> this the case, could you send me a DSA crq from gnutls that fails and a
> crq with the same information from say openssl that gets accepted by
> your CA?
> 
> regards,
> Nikos
-------------- next part --------------
A non-text attachment was scrubbed...
Name: dsa-no-patch.pem
Type: application/x-x509-ca-cert
Size: 2318 bytes
Desc: not available
URL: </pipermail/attachments/20091124/b7d99ce1/attachment.crt>
-------------- next part --------------
Offset| Len  |LenByte|
======+======+=======+======================================================================
     0|  1649|      3| SEQUENCE : 
     4|  1012|      3|    SEQUENCE : 
     8|     1|      1|       INTEGER : 0
    11|   145|      2|       SEQUENCE : 
    14|    11|      1|          SET : 
    16|     9|      1|             SEQUENCE : 
    18|     3|      1|                OBJECT IDENTIFIER : countryName [2.5.4.6]
    23|     2|      1|                PRINTABLE STRING : 'GB'
    27|    19|      1|          SET : 
    29|    17|      1|             SEQUENCE : 
    31|     3|      1|                OBJECT IDENTIFIER : stateOrProvinceName [2.5.4.8]
    36|    10|      1|                PRINTABLE STRING : 
      |      |       |                   'HelloWorld'
    48|    19|      1|          SET : 
    50|    17|      1|             SEQUENCE : 
    52|     3|      1|                OBJECT IDENTIFIER : localityName [2.5.4.7]
    57|    10|      1|                PRINTABLE STRING : 
      |      |       |                   'HelloWorld'
    69|    19|      1|          SET : 
    71|    17|      1|             SEQUENCE : 
    73|     3|      1|                OBJECT IDENTIFIER : organizationName [2.5.4.10]
    78|    10|      1|                PRINTABLE STRING : 
      |      |       |                   'HelloWorld'
    90|    19|      1|          SET : 
    92|    17|      1|             SEQUENCE : 
    94|     3|      1|                OBJECT IDENTIFIER : organizationalUnitName [2.5.4.11]
    99|    10|      1|                PRINTABLE STRING : 
      |      |       |                   'HelloWorld'
   111|    19|      1|          SET : 
   113|    17|      1|             SEQUENCE : 
   115|     3|      1|                OBJECT IDENTIFIER : commonName [2.5.4.3]
   120|    10|      1|                PRINTABLE STRING : 
      |      |       |                   'HelloWorld'
   132|    25|      1|          SET : 
   134|    23|      1|             SEQUENCE : 
   136|     9|      1|                OBJECT IDENTIFIER : emailAddress [1.2.840.113549.1.9.1]
   147|    10|      1|                IA5 STRING : 
      |      |       |                   'HelloWorld'
   159|   832|      3|       SEQUENCE : 
   163|   563|      3|          SEQUENCE : 
   167|     7|      1|             OBJECT IDENTIFIER : dsa [1.2.840.10040.4.1]
   176|   550|      3|             SEQUENCE : 
   180|   256|      3|                INTEGER : 
      |      |       |                   EC74E240F166222E18158BBF610F682FC00A0C9BAE
      |      |       |                   1C04C46CF4EC7D64593ACDF16B831E02CF8E5814AC
      |      |       |                   831FA788004BCDADF9F9A0A3C2330C68677A6C2383
      |      |       |                   ADAF8A523EFABBA19E0B353BEE16F38F1DA9A99573
      |      |       |                   33C19BB1535C73587C45EB0CAF3BE0B540B1F02029
      |      |       |                   5C8AA52875DABD0CD409A78D195F1215CE4A6F8E63
      |      |       |                   C1B95BED3E1413B883F710865DD22F9942D6F14348
      |      |       |                   54B607B3ECF0EEB11A1FF122A583D79286FCCC9718
      |      |       |                   83CBE579FA07DA646BD73C940BB9D5FF0C50D779DD
      |      |       |                   CC5921E0D943671A7D7F3A48DB0A430956A7A501AF
      |      |       |                   26D4A8633C9D24162769C9B655A622258B797E4F4F
      |      |       |                   11C88C6963A4CC8E6FDC7AF7549A838C425B029F5C
      |      |       |                   E86920A3
   440|    28|      1|                INTEGER : 
      |      |       |                   F76CB1617AA68DBA84F6D88281ECD8C3E2E67773D1
      |      |       |                   5CFFD56768EC4B
   470|   256|      3|                INTEGER : 
      |      |       |                   660979C1FF3156343A9269969987A49F474A8D6F3C
      |      |       |                   444E907AC06479544EEF2785F6EE97A4C372E95DA6
      |      |       |                   FCC9A3C1F74E4DC5DAA04A9B57F606FAB01EF88AF2
      |      |       |                   FEBEC21944E589B7CC5EB1BC7B135D6A7753F690C8
      |      |       |                   5CD2D5B4430D4308CFD5D56535E66556213826D4E5
      |      |       |                   C62EEC2154F74908583F59CDC97304795FF8C288ED
      |      |       |                   13B412CE1F1F5513202A61087EAAAB04273CA36381
      |      |       |                   7B2D65CB52ED5629B0837BEE7D458D2C6B1D012F83
      |      |       |                   5B0DE22CCBC8B18B17CBA0A518AE7808DF422F1453
      |      |       |                   FB69A8EF12400B2CBB4E653114344B57FD56B6C1CA
      |      |       |                   EB9BBBC2E3370B72EDD1797F48B7D5779D43B55A72
      |      |       |                   7CD20C2779E11CD6E4CFDFF050E4C6F87F9EBB20F8
      |      |       |                   27843860
   730|   261|      3|          BIT STRING UnusedBits:0 : 
   735|   256|      3|             INTEGER : 
      |      |       |                1998E929B534D6FB258A64D6517A39F60F429F146822D
      |      |       |                A954E53FB453516459A74CF7CCBF6D96775B52292420E
      |      |       |                3BD9C2AAC2B0D8C1E923323264865CEBBFB7DEE18DB9F
      |      |       |                AE31DFBD763A7E4CF1AE32E44203015E944B14086DE69
      |      |       |                05D23B6BAFF544BCDE8CAB1602306A4F895A96035A5A5
      |      |       |                2009CF38B364EE9DADA417E892A7271A6A9771B492298
      |      |       |                55C7A8B03FBE71EF210A6746C8F1F710219ECA7C88EE6
      |      |       |                318A9A2900606AD5FA6D402EB9F144EABF65F00F87AF0
      |      |       |                03A7E4FB3AAE8DABC09827B8702FC7BA1B39FB6D9DB97
      |      |       |                0969CA4CDE035D9B2C8AB9AFEDE9DE2C2669C7BD30D68
      |      |       |                5DFD8F515A92EC4B25CAC399A1CF0639B12EBFF4658AF
      |      |       |                ACE22FBEE1A1170C1
   995|    23|      1|       CONTEXT SPECIFIC (0) : 
   997|    21|      1|          SEQUENCE : 
   999|     9|      1|             OBJECT IDENTIFIER : challengePassword [1.2.840.113549.1.9.7]
  1010|     8|      1|             SET : 
  1012|     6|      1|                PRINTABLE STRING : 
      |      |       |                   '123456'
  1020|   563|      3|    SEQUENCE : 
  1024|     7|      1|       OBJECT IDENTIFIER : dsaWithSha1 [1.2.840.10040.4.3]
  1033|   550|      3|       SEQUENCE : 
  1037|   256|      3|          INTEGER : 
      |      |       |             EC74E240F166222E18158BBF610F682FC00A0C9BAE1C04C4
      |      |       |             6CF4EC7D64593ACDF16B831E02CF8E5814AC831FA788004B
      |      |       |             CDADF9F9A0A3C2330C68677A6C2383ADAF8A523EFABBA19E
      |      |       |             0B353BEE16F38F1DA9A9957333C19BB1535C73587C45EB0C
      |      |       |             AF3BE0B540B1F020295C8AA52875DABD0CD409A78D195F12
      |      |       |             15CE4A6F8E63C1B95BED3E1413B883F710865DD22F9942D6
      |      |       |             F1434854B607B3ECF0EEB11A1FF122A583D79286FCCC9718
      |      |       |             83CBE579FA07DA646BD73C940BB9D5FF0C50D779DDCC5921
      |      |       |             E0D943671A7D7F3A48DB0A430956A7A501AF26D4A8633C9D
      |      |       |             24162769C9B655A622258B797E4F4F11C88C6963A4CC8E6F
      |      |       |             DC7AF7549A838C425B029F5CE86920A3
  1297|    28|      1|          INTEGER : 
      |      |       |             F76CB1617AA68DBA84F6D88281ECD8C3E2E67773D15CFFD5
      |      |       |             6768EC4B
  1327|   256|      3|          INTEGER : 
      |      |       |             660979C1FF3156343A9269969987A49F474A8D6F3C444E90
      |      |       |             7AC06479544EEF2785F6EE97A4C372E95DA6FCC9A3C1F74E
      |      |       |             4DC5DAA04A9B57F606FAB01EF88AF2FEBEC21944E589B7CC
      |      |       |             5EB1BC7B135D6A7753F690C85CD2D5B4430D4308CFD5D565
      |      |       |             35E66556213826D4E5C62EEC2154F74908583F59CDC97304
      |      |       |             795FF8C288ED13B412CE1F1F5513202A61087EAAAB04273C
      |      |       |             A363817B2D65CB52ED5629B0837BEE7D458D2C6B1D012F83
      |      |       |             5B0DE22CCBC8B18B17CBA0A518AE7808DF422F1453FB69A8
      |      |       |             EF12400B2CBB4E653114344B57FD56B6C1CAEB9BBBC2E337
      |      |       |             0B72EDD1797F48B7D5779D43B55A727CD20C2779E11CD6E4
      |      |       |             CFDFF050E4C6F87F9EBB20F827843860
  1587|    64|      1|    BIT STRING UnusedBits:0 : 
  1590|    61|      1|       SEQUENCE : 
  1592|    29|      1|          INTEGER : 
      |      |       |             00DA66983720B3091570356E132DBF6FF841A24C542ABA69
      |      |       |             F5290B9F48
  1623|    28|      1|          INTEGER : 
      |      |       |             78C7D74BC280FC91EE574AD02694A75094A5086FBC529E01
      |      |       |             840E65FA
-------------- next part --------------
A non-text attachment was scrubbed...
Name: dsa-patch.pem
Type: application/x-x509-ca-cert
Size: 2322 bytes
Desc: not available
URL: </pipermail/attachments/20091124/b7d99ce1/attachment-0001.crt>
-------------- next part --------------
Offset| Len  |LenByte|
======+======+=======+======================================================================
     0|  1652|      3| SEQUENCE : 
     4|  1014|      3|    SEQUENCE : 
     8|     1|      1|       INTEGER : 0
    11|   145|      2|       SEQUENCE : 
    14|    11|      1|          SET : 
    16|     9|      1|             SEQUENCE : 
    18|     3|      1|                OBJECT IDENTIFIER : countryName [2.5.4.6]
    23|     2|      1|                PRINTABLE STRING : 'GB'
    27|    19|      1|          SET : 
    29|    17|      1|             SEQUENCE : 
    31|     3|      1|                OBJECT IDENTIFIER : stateOrProvinceName [2.5.4.8]
    36|    10|      1|                PRINTABLE STRING : 
      |      |       |                   'HelloWorld'
    48|    19|      1|          SET : 
    50|    17|      1|             SEQUENCE : 
    52|     3|      1|                OBJECT IDENTIFIER : localityName [2.5.4.7]
    57|    10|      1|                PRINTABLE STRING : 
      |      |       |                   'HelloWorld'
    69|    19|      1|          SET : 
    71|    17|      1|             SEQUENCE : 
    73|     3|      1|                OBJECT IDENTIFIER : organizationName [2.5.4.10]
    78|    10|      1|                PRINTABLE STRING : 
      |      |       |                   'HelloWorld'
    90|    19|      1|          SET : 
    92|    17|      1|             SEQUENCE : 
    94|     3|      1|                OBJECT IDENTIFIER : organizationalUnitName [2.5.4.11]
    99|    10|      1|                PRINTABLE STRING : 
      |      |       |                   'HelloWorld'
   111|    19|      1|          SET : 
   113|    17|      1|             SEQUENCE : 
   115|     3|      1|                OBJECT IDENTIFIER : commonName [2.5.4.3]
   120|    10|      1|                PRINTABLE STRING : 
      |      |       |                   'HelloWorld'
   132|    25|      1|          SET : 
   134|    23|      1|             SEQUENCE : 
   136|     9|      1|                OBJECT IDENTIFIER : emailAddress [1.2.840.113549.1.9.1]
   147|    10|      1|                IA5 STRING : 
      |      |       |                   'HelloWorld'
   159|   834|      3|       SEQUENCE : 
   163|   565|      3|          SEQUENCE : 
   167|     7|      1|             OBJECT IDENTIFIER : dsa [1.2.840.10040.4.1]
   176|   552|      3|             SEQUENCE : 
   180|   257|      3|                INTEGER : 
      |      |       |                   00BD538597A862A719429AEA56B1F972DB9EDB9E4F
      |      |       |                   15280BFE3D69E2E2E8BB0BEBC56D1F81450A439EC0
      |      |       |                   C5BB63C5C2386267680FBEBAD4B03980C2AEC80D1F
      |      |       |                   A279624D45BE66D6C252B8C50FDFB6645E30F99E71
      |      |       |                   345BA2741CF61A44DB5725B3B5346711A1584A2F2A
      |      |       |                   A47D520709C48BDCDC1769E768A322B663160DA70C
      |      |       |                   72C9398C60D1D4D3AD0E40DB03532EF4CA9E0AAE3C
      |      |       |                   F467603DBD3555DE1512328E7B72EEDEEDD06C9F3C
      |      |       |                   A0C9EA4E54AC6A03E998A61A67438A5924713CB57C
      |      |       |                   D2ED9FA3AD1E814766ADE089D48B30A9ABC7500268
      |      |       |                   5669F1A5F6E25CAE6B6A63136E6470E1E90D17A4F2
      |      |       |                   98D0D159982D46A8183BBF3071EB430B47168E00A3
      |      |       |                   4E2F18B3BB
   441|    29|      1|                INTEGER : 
      |      |       |                   009D1B57C18AE27EF5A5D678FB8644E28C65CF463F
      |      |       |                   063DB578243A045D
   472|   256|      3|                INTEGER : 
      |      |       |                   185D4A09AF58A210A7955C7FC5FE5A9544054EEDD4
      |      |       |                   C66E666780C7E012F1EAE1B1B9B2D423EEDD85FF4F
      |      |       |                   459124782BF54985674911AA3D9FDA4076F71738B4
      |      |       |                   CD2E6351208635A33617BFB2B520C6E989DC5F98DC
      |      |       |                   8671B31491907BCDF66178264615702D4ED201EBF2
      |      |       |                   3C10127774B4D55D55A2C7FA60BC0AC64E09CCA253
      |      |       |                   B46F92B9CF13EF9E49232C7E10F0FD7CF6ACA8E6AA
      |      |       |                   CD359967972AE003260A36B2AC4781E885DF3342C3
      |      |       |                   68BE4FC9DA52C05A81EF2EB6C53DF9F0A7E36E8F06
      |      |       |                   0B21EB77ED12E0738D93C8C6658611ECA0AE5534F1
      |      |       |                   4E48A02F003BE081C6391ABBA9C4F120B7787B5DB2
      |      |       |                   9954E85FE006392B089888B0B38063201128899A0A
      |      |       |                   2728EC3E
   732|   261|      3|          BIT STRING UnusedBits:0 : 
   737|   256|      3|             INTEGER : 
      |      |       |                0511690574AD3A85637B39281E5474AC7FB210F6CD1D0
      |      |       |                2CA46FC7EAF80930DBB804F202BC261D020E249D4FCF1
      |      |       |                6372A1DEF9211E98685C28F6A20963974BB10134EACF4
      |      |       |                4220002E2F9B916BDD8CD9529A2DA7C19D187BD3A732B
      |      |       |                AA350923A09E019B0838BC7CD6145635B2F3E4E814201
      |      |       |                41FE2EBEF43087B149D0E6CA5FB7A2F5BB42060DBB326
      |      |       |                686EFD6FD1287D330CF52BBC3B20E9CB42C8BC7F925C5
      |      |       |                993CBA21896C45D5A27113C0AF13E2FDB37BC4850ED7F
      |      |       |                F2EED0CB2563BF143CD7AE31C8EDF96D1371B63D12F52
      |      |       |                BFB30853FD7F87DDDF43CBFA1BAF04FE2B3C417F3D7D8
      |      |       |                7638708EDC2E2797A570CCD8131DC55EF60EBB60771B6
      |      |       |                68726B041F084051A
   997|    23|      1|       CONTEXT SPECIFIC (0) : 
   999|    21|      1|          SEQUENCE : 
  1001|     9|      1|             OBJECT IDENTIFIER : challengePassword [1.2.840.113549.1.9.7]
  1012|     8|      1|             SET : 
  1014|     6|      1|                PRINTABLE STRING : 
      |      |       |                   '123456'
  1022|   565|      3|    SEQUENCE : 
  1026|     7|      1|       OBJECT IDENTIFIER : dsaWithSha1 [1.2.840.10040.4.3]
  1035|   552|      3|       SEQUENCE : 
  1039|   257|      3|          INTEGER : 
      |      |       |             00BD538597A862A719429AEA56B1F972DB9EDB9E4F15280B
      |      |       |             FE3D69E2E2E8BB0BEBC56D1F81450A439EC0C5BB63C5C238
      |      |       |             6267680FBEBAD4B03980C2AEC80D1FA279624D45BE66D6C2
      |      |       |             52B8C50FDFB6645E30F99E71345BA2741CF61A44DB5725B3
      |      |       |             B5346711A1584A2F2AA47D520709C48BDCDC1769E768A322
      |      |       |             B663160DA70C72C9398C60D1D4D3AD0E40DB03532EF4CA9E
      |      |       |             0AAE3CF467603DBD3555DE1512328E7B72EEDEEDD06C9F3C
      |      |       |             A0C9EA4E54AC6A03E998A61A67438A5924713CB57CD2ED9F
      |      |       |             A3AD1E814766ADE089D48B30A9ABC75002685669F1A5F6E2
      |      |       |             5CAE6B6A63136E6470E1E90D17A4F298D0D159982D46A818
      |      |       |             3BBF3071EB430B47168E00A34E2F18B3BB
  1300|    29|      1|          INTEGER : 
      |      |       |             009D1B57C18AE27EF5A5D678FB8644E28C65CF463F063DB5
      |      |       |             78243A045D
  1331|   256|      3|          INTEGER : 
      |      |       |             185D4A09AF58A210A7955C7FC5FE5A9544054EEDD4C66E66
      |      |       |             6780C7E012F1EAE1B1B9B2D423EEDD85FF4F459124782BF5
      |      |       |             4985674911AA3D9FDA4076F71738B4CD2E6351208635A336
      |      |       |             17BFB2B520C6E989DC5F98DC8671B31491907BCDF6617826
      |      |       |             4615702D4ED201EBF23C10127774B4D55D55A2C7FA60BC0A
      |      |       |             C64E09CCA253B46F92B9CF13EF9E49232C7E10F0FD7CF6AC
      |      |       |             A8E6AACD359967972AE003260A36B2AC4781E885DF3342C3
      |      |       |             68BE4FC9DA52C05A81EF2EB6C53DF9F0A7E36E8F060B21EB
      |      |       |             77ED12E0738D93C8C6658611ECA0AE5534F14E48A02F003B
      |      |       |             E081C6391ABBA9C4F120B7787B5DB29954E85FE006392B08
      |      |       |             9888B0B38063201128899A0A2728EC3E
  1591|    63|      1|    BIT STRING UnusedBits:0 : 
  1594|    60|      1|       SEQUENCE : 
  1596|    28|      1|          INTEGER : 
      |      |       |             782E4EC5E388E504A91F588840D89BD91548D2F4725FE62B
      |      |       |             ADA5D9A7
  1626|    28|      1|          INTEGER : 
      |      |       |             7C1A5BBBC3FF2A58318E88692DAF0FC4A79713012B43434A
      |      |       |             854DAB8F
-------------- next part --------------
A non-text attachment was scrubbed...
Name: generate-request.c
Type: text/x-csrc
Size: 2459 bytes
Desc: not available
URL: </pipermail/attachments/20091124/b7d99ce1/attachment.c>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: dsa-openssl.pem
Type: application/x-x509-ca-cert
Size: 1529 bytes
Desc: not available
URL: </pipermail/attachments/20091124/b7d99ce1/attachment-0002.crt>
-------------- next part --------------
Offset| Len  |LenByte|
======+======+=======+======================================================================
     0|  1072|      3| SEQUENCE : 
     4|  1007|      3|    SEQUENCE : 
     8|     1|      1|       INTEGER : 0
    11|   145|      2|       SEQUENCE : 
    14|    11|      1|          SET : 
    16|     9|      1|             SEQUENCE : 
    18|     3|      1|                OBJECT IDENTIFIER : countryName [2.5.4.6]
    23|     2|      1|                PRINTABLE STRING : 'GB'
    27|    19|      1|          SET : 
    29|    17|      1|             SEQUENCE : 
    31|     3|      1|                OBJECT IDENTIFIER : stateOrProvinceName [2.5.4.8]
    36|    10|      1|                PRINTABLE STRING : 
      |      |       |                   'HelloWorld'
    48|    19|      1|          SET : 
    50|    17|      1|             SEQUENCE : 
    52|     3|      1|                OBJECT IDENTIFIER : localityName [2.5.4.7]
    57|    10|      1|                PRINTABLE STRING : 
      |      |       |                   'HelloWorld'
    69|    19|      1|          SET : 
    71|    17|      1|             SEQUENCE : 
    73|     3|      1|                OBJECT IDENTIFIER : organizationName [2.5.4.10]
    78|    10|      1|                PRINTABLE STRING : 
      |      |       |                   'HelloWorld'
    90|    19|      1|          SET : 
    92|    17|      1|             SEQUENCE : 
    94|     3|      1|                OBJECT IDENTIFIER : organizationalUnitName [2.5.4.11]
    99|    10|      1|                PRINTABLE STRING : 
      |      |       |                   'HelloWorld'
   111|    19|      1|          SET : 
   113|    17|      1|             SEQUENCE : 
   115|     3|      1|                OBJECT IDENTIFIER : commonName [2.5.4.3]
   120|    10|      1|                PRINTABLE STRING : 
      |      |       |                   'HelloWorld'
   132|    25|      1|          SET : 
   134|    23|      1|             SEQUENCE : 
   136|     9|      1|                OBJECT IDENTIFIER : emailAddress [1.2.840.113549.1.9.1]
   147|    10|      1|                IA5 STRING : 
      |      |       |                   'HelloWorld'
   159|   827|      3|       SEQUENCE : 
   163|   558|      3|          SEQUENCE : 
   167|     7|      1|             OBJECT IDENTIFIER : dsa [1.2.840.10040.4.1]
   176|   545|      3|             SEQUENCE : 
   180|   257|      3|                INTEGER : 
      |      |       |                   00CA6AA5D961C122E803AFC4DC215440C31AF21DBB
      |      |       |                   8B4E32138D1BAAB0E8EBED2623B10AD41FCDF10EF2
      |      |       |                   38162D6F838707389AB4F9FE3A9DA8482EDA94DC72
      |      |       |                   579776478A36419E2EFA157908AA284BAC55E9AABB
      |      |       |                   677114615BCF9B83F8364BC582D04CAB89E21C69E0
      |      |       |                   4D72BEDB1558386FB0A867787576EB3B9629A68A2E
      |      |       |                   0C6B9F76DC96568FB1B1C5222215C9A3F1071EDD79
      |      |       |                   EA0055E2649AE0B3EC234CEB7C25EFD26061F77836
      |      |       |                   4F120877A282A5BDA015ED9521AC5ABF7A588859A5
      |      |       |                   2E9691CB816F739AE2FAABAD11B34E5EB86A607F74
      |      |       |                   2DC927A89934005706DEE7EFB167DF4DFD7F1632F1
      |      |       |                   B2C0EC674CC95CD0E46E53687DDAAD8DC22485BAFE
      |      |       |                   AD1C36DCA5
   441|    21|      1|                INTEGER : 
      |      |       |                   00B2381ABDC2E070F172E2BB1ECE6E8F3C54AB98CB
   464|   257|      3|                INTEGER : 
      |      |       |                   00AEF9955B3AE9D1E0FA2E1520F12C0381EFA252C7
      |      |       |                   BF958B881466ADA04565BE9635C1E6BA15FB6CA258
      |      |       |                   BD2F800A1829EA2E6621CA62C7E32D7E6ACF3B10C6
      |      |       |                   2936D6DE4BD4AE4ED2F78319B701337BB11A699C3B
      |      |       |                   8D4C13D38355AA8730781935B9345CF8581D9BDFB4
      |      |       |                   F56E875D6EC1902EAD64DC2608179CA867F6126075
      |      |       |                   333FBB345B27ED8A3FA332C87317327BFFDBC185B4
      |      |       |                   3A53C72C4E98F01BC7296C98E66F41F54090CA65EB
      |      |       |                   F013E515ACB15EDDE1684A1BACA02CD4FE982756DD
      |      |       |                   CF4B74BF1CCDD3110D490426CDA0D72A0E3A6A4BDC
      |      |       |                   5F7C855D92A0F6AC45872C1AC4F85C2CD96CF1C98C
      |      |       |                   6DD41B16EB42DA58DD9783BAC394C67F27C83FE748
      |      |       |                   A39A00AF42
   725|   261|      3|          BIT STRING UnusedBits:0 : 
   730|   256|      3|             INTEGER : 
      |      |       |                4BCAB085BD81CA06C0FD13CBEB555CDD0A6DB0650EC63
      |      |       |                C64C5BF0CEC3D6133387452DA5982610ACBE4AF1A31DC
      |      |       |                A719CF90D4455D5B664B3E8478D2B146638F6F8140871
      |      |       |                F1AD064A835EF1868CD1EDFE698E25AD77903F4F6C40E
      |      |       |                0B3656CEF63905049785A62039554F61BF905E07F0E8F
      |      |       |                1479C4BDEBE3F9FE3872B31D385AB952F44F9471C24BD
      |      |       |                2BCDF736E72E73BBA02336FA322824C564D4B59882BC9
      |      |       |                A4BA612658A4490334DCE026EDA0142A5C409C8510E9B
      |      |       |                764FE96A11D7303565CB439573C65D1F6C450F5407E24
      |      |       |                BA944466DAF2BEB6D65E52CF4326DBBA63687798E72F0
      |      |       |                9E44F7184C292D790D81B7AF1EA6A3CAF08D92A2A0E5F
      |      |       |                35C3CE6055E27B97D
   990|    23|      1|       CONTEXT SPECIFIC (0) : 
   992|    21|      1|          SEQUENCE : 
   994|     9|      1|             OBJECT IDENTIFIER : challengePassword [1.2.840.113549.1.9.7]
  1005|     8|      1|             SET : 
  1007|     6|      1|                PRINTABLE STRING : 
      |      |       |                   '123456'
  1015|     9|      1|    SEQUENCE : 
  1017|     7|      1|       OBJECT IDENTIFIER : dsaWithSha1 [1.2.840.10040.4.3]
  1026|    48|      1|    BIT STRING UnusedBits:0 : 
  1029|    45|      1|       SEQUENCE : 
  1031|    21|      1|          INTEGER : 
      |      |       |             00AA44085D22ED2E7F9F092C889AEFA09A7CED3C3C
  1054|    20|      1|          INTEGER : 
      |      |       |             5C28C370092B18F6491303196E1F11384C61FE9F

From david.kirkby at onetel.net  Wed Nov 25 02:57:27 2009
From: david.kirkby at onetel.net (Dr. David Kirkby)
Date: Wed, 25 Nov 2009 01:57:27 +0000
Subject: gnutls-2.2.1 fails to build on HP-UX
Message-ID: <4B0C8F07.6060205@onetel.net>

In the Sage project, gnutls is causing a problem on both OpenSolaris and HP-UX. 
The latter is not a supported OS, but I have tried building parts of Sage on it.

This is the HP-UX error.

http://trac.sagemath.org/sage_trac/ticket/7511

Any thoughts why this may be happening?

We tried a later version, and that was causing problems not only on HP-UX and 
OpenSolaris, but also on Solaris 10 (SPARC).

If any developer needs access to a Solaris 10 (SPARC) or HP-UX 11.11 (PA-RISC) 
processor, I can provide it. The SPARC is a newish 16-core machine. The latter 
is an old machine I personally own, but do allow others access to it.

Dave




From dlphsharma at gmail.com  Wed Nov 25 08:05:38 2009
From: dlphsharma at gmail.com (Ravi Sharma)
Date: Tue, 24 Nov 2009 23:05:38 -0800 (PST)
Subject: Invitation to connect on LinkedIn
Message-ID: <1804954522.8986017.1259132738817.JavaMail.app@ech3-cdn13.prod>

LinkedIn
------------



   
I'd like to add you to my professional network on LinkedIn.

- Ravi

Confirm that you know Ravi Sharma
https://www.linkedin.com/e/isd/887212062/s1Z2m7wA/

Every day, millions of professionals like Ravi Sharma use LinkedIn to connect with colleagues, find experts, and explore opportunities.



 
------
(c) 2009, LinkedIn Corporation

-------------- next part --------------
An HTML attachment was scrubbed...
URL: </pipermail/attachments/20091124/92663a42/attachment.htm>

From lfinsto at gwdg.de  Wed Nov 25 10:03:22 2009
From: lfinsto at gwdg.de (lfinsto at gwdg.de)
Date: Wed, 25 Nov 2009 10:03:22 +0100 (CET)
Subject: Build error on 64-bit machine
Message-ID: <38097.134.76.5.25.1259139802.squirrel@mailbox.gwdg.de>

Hello,

When following the instructions for building GNUTLS using `autoreconf' on
a 64-bit machine (x86_64) with Linux kernel version 2.6.27.29-0.1-default
(OpenSuse), I got the following error:

serv.c: In function 'main':
serv.c:1170: error: cast to pointer from integer of different size
[-Wint-to-pointer-cast]
make[3]: *** [serv.o] Error 1
make[3]: Leaving directory `/home/lfinsto/gnutls/src'
make[2]: *** [all-recursive] Error 1
make[2]: Leaving directory `/home/lfinsto/gnutls/src'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/home/lfinsto/gnutls'
make: *** [all] Error 2

The version of GNUTLS was from the GIT repository on Nov. 18, 2009;
version 2.9.10, assuming the version numbers of `certtool' and
`gnutls-cli' correspond with the package version numbers.

I was able to build the package by calling `configure' with the
appropriate argument for turning off the option for treating warnings as
errors, etc.

Laurence Finston







From trupti.wilankar at hp.com  Wed Nov 25 13:14:22 2009
From: trupti.wilankar at hp.com (Wilankar, Trupti)
Date: Wed, 25 Nov 2009 12:14:22 +0000
Subject: Help required for CSR validation
In-Reply-To: <4B0C3541.7000000@gnutls.org>
References: <0ED4D36695851D49AEA7D226C726B41D39A60854D0@GVW0440EXB.americas.hpqcorp.net>
	<4B043998.8050102@gnutls.org>
	<0ED4D36695851D49AEA7D226C726B41D39A60F37F8@GVW0440EXB.americas.hpqcorp.net>
	<878we2303s.fsf@mocca.josefsson.org>
	<0ED4D36695851D49AEA7D226C726B41D39A60F3D19@GVW0440EXB.americas.hpqcorp.net>
	<4B083B0D.8070403@gnutls.org>
	<0ED4D36695851D49AEA7D226C726B41D39A6B17BC5@GVW0440EXB.americas.hpqcorp.net>
	<4B0C3541.7000000@gnutls.org>
Message-ID: <0ED4D36695851D49AEA7D226C726B41D39A6B1873D@GVW0440EXB.americas.hpqcorp.net>

Hi Nikos,
Thanks for the patch. CSR generated by Certtool is now accepted by VeriSign.
Regards,
Trupti

-----Original Message-----
From: Nikos Mavrogiannopoulos [mailto:n.mavrogiannopoulos at gmail.com] On Behalf Of Nikos Mavrogiannopoulos
Sent: Wednesday, November 25, 2009 1:04 AM
To: Wilankar, Trupti
Cc: Simon Josefsson; Konjarla, Pavan; gnutls-devel at gnu.org; Amburle, Rohan
Subject: Re: Help required for CSR validation

Wilankar, Trupti wrote:
> Hi,
> 
> I have used Certtool from GnuTLS Windows version 2.9.9.
> A 2048 bit private key was generated using Certtool (Command: certtool -p --outfile priv.key --bits 2048). 
> This private key was used to create CSRs, both on OpenSSL and Certtool. The DN fields (C, CN, ST, L, O, OU) used in both CSRs are also same.

Could you also try this patch? I noticed that integers in bit strings in openssl contain a leading zero. This patch makes certtool behave the same.





From simon at josefsson.org  Thu Nov 26 11:18:19 2009
From: simon at josefsson.org (Simon Josefsson)
Date: Thu, 26 Nov 2009 11:18:19 +0100
Subject: gnutls-2.2.1 fails to build on HP-UX
In-Reply-To: <4B0C8F07.6060205@onetel.net> (David Kirkby's message of "Wed, 25
	Nov 2009 01:57:27 +0000")
References: <4B0C8F07.6060205@onetel.net>
Message-ID: <87iqcxfv2s.fsf@mocca.josefsson.org>

"Dr. David Kirkby" <david.kirkby at onetel.net> writes:

> In the Sage project, gnutls is causing a problem on both OpenSolaris
> and HP-UX. The latter is not a supported OS, but I have tried building
> parts of Sage on it.
>
> This is the HP-UX error.
>
> http://trac.sagemath.org/sage_trac/ticket/7511
>
> Any thoughts why this may be happening?

HP-UX doesn't have sockaddr_storage, but I believe gnulib should work
around that problem -- however that is probably only in much more recent
GnuTLS releases than the 2.2.1 that you used.

> We tried a later version, and that was causing problems not only on
> HP-UX and OpenSolaris, but also on Solaris 10 (SPARC).

Details?  The recent releases should work relatively fine on Solaris,
we've merged several patches for it lately.  Unless you back-port
security fixes to 2.2.x, you want to use the 2.8.x release to get proper
security fixes.

> If any developer needs access to a Solaris 10 (SPARC) or HP-UX 11.11
> (PA-RISC) processor, I can provide it. The SPARC is a newish 16-core
> machine. The latter is an old machine I personally own, but do allow
> others access to it.

You sent me login info on this earlier (thanks!), but I haven't had time
to test it yet -- will try to do it soon.

/Simon




From nmav at gnutls.org  Thu Nov 26 23:27:11 2009
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Fri, 27 Nov 2009 00:27:11 +0200
Subject: Help required for CSR validation
In-Reply-To: <1259099783.31433.93.camel@localhost>
References: <0ED4D36695851D49AEA7D226C726B41D39A60854D0@GVW0440EXB.americas.hpqcorp.net>	
	<4B043998.8050102@gnutls.org>	
	<0ED4D36695851D49AEA7D226C726B41D39A60F37F8@GVW0440EXB.americas.hpqcorp.net>	
	<878we2303s.fsf@mocca.josefsson.org>	
	<0ED4D36695851D49AEA7D226C726B41D39A60F3D19@GVW0440EXB.americas.hpqcorp.net>	
	<4B083B0D.8070403@gnutls.org>	
	<0ED4D36695851D49AEA7D226C726B41D39A6B17BC5@GVW0440EXB.americas.hpqcorp.net>	
	<4B0C3541.7000000@gnutls.org>
	<1259092462.29095.43.camel@localhost>	
	<4B0C4831.7060300@gnutls.org> <1259099783.31433.93.camel@localhost>
Message-ID: <4B0F00BF.5030001@gnutls.org>

Boyan Kasarov wrote:
> Hello,
> 
> Soory for the short answer. Without the patch both RSA and DSA fail.
> With the patch RSA works, but DSA still doesn't.
> 
> I am attaching 3 CSR.

Thank you. From a quick glimpse it seems there might be a problem with
the certtool's dsa structure. I'll check it as soon as I can.

regards,
Nikos




From nmav at gnutls.org  Fri Nov 27 23:50:41 2009
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Sat, 28 Nov 2009 00:50:41 +0200
Subject: Help required for CSR validation
In-Reply-To: <1259099783.31433.93.camel@localhost>
References: <0ED4D36695851D49AEA7D226C726B41D39A60854D0@GVW0440EXB.americas.hpqcorp.net>	
	<4B043998.8050102@gnutls.org>	
	<0ED4D36695851D49AEA7D226C726B41D39A60F37F8@GVW0440EXB.americas.hpqcorp.net>	
	<878we2303s.fsf@mocca.josefsson.org>	
	<0ED4D36695851D49AEA7D226C726B41D39A60F3D19@GVW0440EXB.americas.hpqcorp.net>	
	<4B083B0D.8070403@gnutls.org>	
	<0ED4D36695851D49AEA7D226C726B41D39A6B17BC5@GVW0440EXB.americas.hpqcorp.net>	
	<4B0C3541.7000000@gnutls.org>
	<1259092462.29095.43.camel@localhost>	
	<4B0C4831.7060300@gnutls.org> <1259099783.31433.93.camel@localhost>
Message-ID: <4B1057C1.1030802@gnutls.org>

Boyan Kasarov wrote:

> Soory for the short answer. Without the patch both RSA and DSA fail.
> With the patch RSA works, but DSA still doesn't.

It should be now fixed with this patch. This patch removed some optional
parameters that were added for DSA. It seems that verisign didn't like
them to be there.

best regards,
Nikos
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: patch.dsa.crq
URL: </pipermail/attachments/20091128/df67389d/attachment.txt>

From david.kirkby at onetel.net  Sun Nov 29 02:06:50 2009
From: david.kirkby at onetel.net (Dr. David Kirkby)
Date: Sun, 29 Nov 2009 01:06:50 +0000
Subject: gnutls failure on Solaris 10 update 7 gcc 4.4.1
Message-ID: <4B11C92A.5010507@onetel.net>

I reported on the thread:

"gnutls-2.2.1 fails to build on HP-UX"

that upgrading to a later version of gnutls had not solved the problem on HP-UX, 
but had created one on Solaris 10. Simon Josefsson asked for the details, so 
here they are. (I thought it appropriate to start a new thread).

The setup is

  * Sun Blade 2000, 2 x 1200 MHz UltraSPARC III+ processors
  * 8 GB RAM.
  * gcc 4.4.1 configured to use the Sun linker and assembler.
  * Solaris 10 update 7 (released 05/2009)
  * GNU make
  * Nothing from GNU binutils - as, ar, ld, ranlib etc are all Sun.

This build took place inside Sage, but all that does is configure gnutls with 
some options, which I list below.

Sage is a large bit of maths software

http://www.sagemath.org/

which includes gnutls 2.2.1, but I created a new package for Sage, using gnutls 
2.8.5. But the build script it simply configures it as below. I've left a note 
which is in the build script, which may not be appropriate any more. You may 
wish to comment on that.

# --disable-cxx is needed to compile on OSX.
# See 
http://www.nabble.com/%22gnutls%22-under-Darwin-%28was%3A-CVS-commit%3A-pkgsrc-security-gnutls%29-tf3062958.html#a8573149

./configure --prefix="$SAGE_LOCAL" --enable-shared --disable-static 
--disable-cxx --enable-guile=no

Whether there are more appropriate options I do not know.

Note, gcc is configured to use both the Sun linker and assembler - not GNU ones. 
  This might be relevant to the final error message.


gnutls-2.8.5/src/src/tests.h
gnutls-2.8.5/src/src/psk-gaa.c
gnutls-2.8.5/src/src/tls_test-gaa.h
gnutls-2.8.5/src/src/prime.c
gnutls-2.8.5/src/src/serv-gaa.c
gnutls-2.8.5/src/src/serv.gaa
gnutls-2.8.5/src/configure.ac
Finished extraction
****************************************************
Host system
uname -a:
SunOS swan 5.10 Generic_141444-09 sun4u sparc SUNW,Sun-Blade-1000
****************************************************
****************************************************
CC Version
gcc -v
Using built-in specs.
Target: sparc-sun-solaris2.10
Configured with: ../gcc-4.4.1/configure 
--prefix=/usr/local/gcc-4.4.1-sun-linker/ --with-as=/usr/ccs/bin/as 
--without-gnu-as --with-ld=/usr/ccs/bin/ld --without-gnu-ld 
--enable-languages=c,c++,fortran --with-mpfr-include=/usr/local/include 
--with-mpfr-lib=/usr/local/lib --with-gmp-include=/usr/local/include 
--with-gmp-lib=/usr/local/lib CC=/usr/sfw/bin/gcc CXX=/usr/sfw/bin/g++ 
LDFLAGS='-R /usr/local/lib -L /usr/local/lib'
Thread model: posix
gcc version 4.4.1 (GCC)
****************************************************
Deleting old gnutls libraries in /export/home/drkirkby/sage-4.2.1/local/lib
checking for a BSD-compatible install... /usr/local/bin/ginstall -c
checking whether build environment is sane... yes
checking for a thread-safe mkdir -p... build-aux/install-sh -c -d
checking for gawk... no
checking for mawk... no
checking for nawk... nawk
checking whether make sets $(MAKE)... yes
***
*** Checking for compilation programs...

checking for gcc... gcc
checking for C compiler default output file name... a.out
checking whether the C compiler works... yes
checking whether we are cross compiling... no
checking for suffix of executables...
checking for suffix of object files... o
checking whether we are using the GNU C compiler... yes
checking whether gcc accepts -g... yes
checking for gcc option to accept ISO C89... none needed
checking for style of include used by make... GNU
checking dependency style of gcc... gcc3
checking whether ln -s works... yes
checking for pkg-config... /usr/bin/pkg-config
checking pkg-config is at least version 0.9.0... yes
checking for gtkdoc-check... no
checking for gtkdoc-rebase... no
checking for gtkdoc-mkpdf... no
checking whether to build gtk-doc documentation... no
checking for gaa... no
configure: WARNING: ***
*** GAA was not found.  It is only needed if you wish to modify
*** the source code or command-line description files.  In this case,
*** you may want to get it from http://gaa.sourceforge.net/ and
*** read doc/README.gaa.
***
checking for ranlib... ranlib
checking build system type... sparc-sun-solaris2.10
checking host system type... sparc-sun-solaris2.10
checking how to run the C preprocessor... gcc -E
checking for grep that handles long lines and -e... /usr/sfw/bin/ggrep
checking for egrep... /usr/sfw/bin/ggrep -E
checking for ANSI C header files... yes
checking for sys/types.h... yes
checking for sys/stat.h... yes
checking for stdlib.h... yes
checking for string.h... yes
checking for memory.h... yes
checking for strings.h... yes
checking for inttypes.h... yes
checking for stdint.h... yes
checking for unistd.h... yes
checking minix/config.h usability... no
checking minix/config.h presence... no
checking for minix/config.h... no
checking whether it is safe to define __EXTENSIONS__... yes
checking for _LARGEFILE_SOURCE value needed for large files... no
checking for gcc option to accept ISO C99... -std=gnu99
checking for gcc -std=gnu99 option to accept ISO Standard C... (cached) -std=gnu99
configure: autobuild project... GnuTLS
configure: autobuild revision... 2.8.5
configure: autobuild hostname... swan
configure: autobuild timestamp... 20091129T004624Z
checking for inline... inline
checking whether we are using the GNU C++ compiler... yes
checking whether g++ accepts -g... yes
checking dependency style of g++... gcc3
checking for ld used by GCC... ld
checking if the linker (ld) is GNU ld... no
checking for shared library run path origin... done
checking for 64-bit host... no
checking for libgcrypt... yes
checking how to link with libgcrypt... 
/export/home/drkirkby/sage-4.2.1/local/lib/libgcrypt.so 
-L/export/home/drkirkby/sage-4.2.1/local/lib 
/export/home/drkirkby/sage-4.2.1/local/lib/libgpg-error.so -lsocket 
-R/export/home/drkirkby/sage-4.2.1/local/lib
checking for libtasn1... no
configure: WARNING:
   ***
   *** Libtasn1 was not found. Will use the included one.

checking whether to use the included minitasn1... yes
checking whether to include LZO compression support... no
checking whether C99 macros are supported... yes
checking whether to enable Opaque PRF input support... no
checking whether to disable SRP authentication support... no
checking whether to disable PSK authentication support... no
checking whether to disable anonymous authentication support... no
checking whether to disable Camellia cipher... no
checking whether to disable extra PKI stuff... no
checking whether to disable OpenPGP Certificate authentication support... no
checking size of void *... 4
checking size of long... 4
checking size of int... 4
checking sys/socket.h usability... yes
checking sys/socket.h presence... yes
checking for sys/socket.h... yes
checking arpa/inet.h usability... yes
checking arpa/inet.h presence... yes
checking for arpa/inet.h... yes
checking errno.h usability... yes
checking errno.h presence... yes
checking for errno.h... yes
checking float.h usability... yes
checking float.h presence... yes
checking for float.h... yes
checking netdb.h usability... yes
checking netdb.h presence... yes
checking for netdb.h... yes
checking netinet/in.h usability... yes
checking netinet/in.h presence... yes
checking for netinet/in.h... yes
checking stdio_ext.h usability... yes
checking stdio_ext.h presence... yes
checking for stdio_ext.h... yes
checking termios.h usability... yes
checking termios.h presence... yes
checking for termios.h... yes
checking sys/select.h usability... yes
checking sys/select.h presence... yes
checking for sys/select.h... yes
checking stdarg.h usability... yes
checking stdarg.h presence... yes
checking for stdarg.h... yes
checking for stdint.h... (cached) yes
checking wchar.h usability... yes
checking wchar.h presence... yes
checking for wchar.h... yes
checking stdio.h usability... yes
checking stdio.h presence... yes
checking for stdio.h... yes
checking for stdlib.h... (cached) yes
checking for string.h... (cached) yes
checking for sys/stat.h... (cached) yes
checking sys/time.h usability... yes
checking sys/time.h presence... yes
checking for sys/time.h... yes
checking for unistd.h... (cached) yes
checking sys/wait.h usability... yes
checking sys/wait.h presence... yes
checking for sys/wait.h... yes
checking sys/ioctl.h usability... yes
checking sys/ioctl.h presence... yes
checking for sys/ioctl.h... yes
checking whether to disable OpenSSL compatibility layer... yes
checking for library containing setsockopt... -lsocket
checking for ANSI C header files... (cached) yes
checking for fork... yes
checking for valgrind... no
checking whether self tests are run under valgrind... no
checking for uint... yes
checking whether building Guile bindings... no
checking for cfg_get_context in -lcfg+... no
configure: WARNING:
***
*** Libcfg+ was not found. Will use the included one.
checking whether to use the included libcfg... yes
checking for a sed that does not truncate output... /usr/bin/sed
checking for fgrep... /usr/sfw/bin/ggrep -F
checking for ld used by gcc -std=gnu99... ld
checking if the linker (ld) is GNU ld... no
checking for BSD- or MS-compatible name lister (nm)... /usr/ccs/bin/nm -p
checking the name lister (/usr/ccs/bin/nm -p) interface... BSD nm
checking the maximum length of command line arguments... 786240
checking whether the shell understands some XSI constructs... yes
checking whether the shell understands "+="... no
checking for ld option to reload object files... -r
checking for objdump... objdump
checking how to recognize dependent libraries... pass_all
checking for ar... ar
checking for strip... strip
checking for ranlib... (cached) ranlib
checking command to parse /usr/ccs/bin/nm -p output from gcc -std=gnu99 object... ok
checking for dlfcn.h... yes
checking whether we are using the GNU C++ compiler... (cached) yes
checking whether g++ accepts -g... (cached) yes
checking dependency style of g++... (cached) gcc3
checking how to run the C++ preprocessor... g++ -E
checking for objdir... .libs
checking if gcc -std=gnu99 supports -fno-rtti -fno-exceptions... no
checking for gcc -std=gnu99 option to produce PIC... -fPIC -DPIC
checking if gcc -std=gnu99 PIC flag -fPIC -DPIC works... yes
checking if gcc -std=gnu99 static flag -static works... no
checking if gcc -std=gnu99 supports -c -o file.o... conftest*: No such file or 
directory
yes
checking if gcc -std=gnu99 supports -c -o file.o... (cached) yes
checking whether the gcc -std=gnu99 linker (ld) supports shared libraries... yes
checking whether -lc should be explicitly linked in... conftest*: No such file 
or directory
yes
checking dynamic linker characteristics... solaris2.10 ld.so
checking how to hardcode library paths into programs... immediate
checking whether stripping libraries is possible... no
checking if libtool supports shared libraries... yes
checking whether to build shared libraries... yes
checking whether to build static libraries... no
checking for ld used by g++... ld
checking if the linker (ld) is GNU ld... no
checking whether the g++ linker (ld) supports shared libraries... yes
checking for g++ option to produce PIC... -fPIC -DPIC
checking if g++ PIC flag -fPIC -DPIC works... yes
checking if g++ static flag -static works... no
checking if g++ supports -c -o file.o... conftest*: No such file or directory
yes
checking if g++ supports -c -o file.o... (cached) yes
checking whether the g++ linker (ld) supports shared libraries... yes
checking dynamic linker characteristics... solaris2.10 ld.so
checking how to hardcode library paths into programs... immediate
checking whether the preprocessor supports include_next... yes
checking whether <sys/socket.h> is self-contained... yes
checking for shutdown... no
checking for struct sockaddr_storage... yes
checking for sa_family_t... yes
checking for working alloca.h... yes
checking for alloca... yes
checking for complete errno.h... yes
checking whether strerror_r is declared... yes
checking for strerror_r... yes
checking whether strerror_r returns char *... no
checking whether stdin defaults to large file offsets... yes
checking for library containing gethostbyname... -lnsl
checking for library containing getservbyname... -lsocket
checking for C/C++ restrict keyword... __restrict
checking for IPv4 sockets... yes
checking for IPv6 sockets... yes
checking whether getdelim is declared... no
checking whether getline is declared... no
checking whether getpass is declared... yes
checking for __fsetlocking... yes
checking for tcgetattr... yes
checking for tcsetattr... yes
checking for lstat... yes
checking for vasnprintf... no
checking for gettimeofday... yes
checking whether fflush_unlocked is declared... no
checking whether flockfile is declared... yes
checking whether fputs_unlocked is declared... no
checking whether funlockfile is declared... yes
checking whether putc_unlocked is declared... yes
checking whether <limits.h> defines MIN and MAX... no
checking whether <sys/param.h> defines MIN and MAX... no
checking whether malloc, realloc, calloc are POSIX compliant... yes
checking whether <sys/select.h> is self-contained... yes
checking whether snprintf is declared... yes
checking for stdbool.h that conforms to C99... yes
checking for _Bool... yes
checking for long long int... yes
checking for unsigned long long int... yes
checking for working strerror function... yes
checking whether stat file-mode macros are broken... no
checking for struct timeval... yes
checking for wchar_t... yes
checking for wint_t... yes
checking for size_t... yes
checking for inttypes.h... yes
checking for stdint.h... yes
checking for intmax_t... yes
checking for snprintf... yes
checking for strnlen... no
checking for wcslen... yes
checking for wcsnlen... no
checking for mbrtowc... yes
checking for wcrtomb... yes
checking whether _snprintf is declared... no
checking whether ungetc works on arbitrary bytes... yes
checking for alloca as a compiler built-in... yes
checking for error_at_line... no
checking for fseeko... yes
configure: checking how to do getaddrinfo, freeaddrinfo and getnameinfo
checking for library containing getaddrinfo... -lsocket
checking for getaddrinfo... yes
checking for gai_strerror (possibly via ws2tcpip.h)... yes
checking for struct sockaddr.sa_len... no
checking whether getaddrinfo is declared... yes
checking whether freeaddrinfo is declared... yes
checking whether gai_strerror is declared... yes
checking whether getnameinfo is declared... yes
checking for struct addrinfo... yes
checking for getdelim... no
checking for flockfile... yes
checking for funlockfile... yes
checking whether getc_unlocked is declared... yes
checking for getline... no
checking for getdelim... (cached) no
checking for flockfile... (cached) yes
checking for funlockfile... (cached) yes
checking whether getc_unlocked is declared... (cached) yes
checking whether __fsetlocking is declared... yes
checking for library containing gethostbyname... (cached) -lnsl
checking for library containing inet_ntop... -lnsl
checking whether inet_ntop is declared... yes
checking for inet_pton... no
checking whether inet_pton is declared... yes
checking whether lseek detects pipes... yes
checking whether <netinet/in.h> is self-contained... yes
checking for pmccabe... false
checking for readline...  -ltermcap
checking how to link with libreadline... 
/export/home/drkirkby/sage-4.2.1/local/lib/libreadline.so 
-R/export/home/drkirkby/sage-4.2.1/local/lib -ltermcap
checking readline/readline.h usability... yes
checking readline/readline.h presence... yes
checking for readline/readline.h... yes
checking whether select supports a 0 argument... yes
checking for library containing getservbyname... (cached) -lsocket
checking for stdint.h... (cached) yes
checking for SIZE_MAX... yes
checking for snprintf... (cached) yes
checking whether snprintf respects a size of 1... yes
checking for library containing setsockopt... (cached) -lsocket
checking for socklen_t... yes
checking for va_copy... yes
checking whether stdint.h conforms to C99... no
checking sys/inttypes.h usability... yes
checking sys/inttypes.h presence... yes
checking for sys/inttypes.h... yes
checking sys/bitypes.h usability... no
checking sys/bitypes.h presence... no
checking for sys/bitypes.h... no
checking for bit size of ptrdiff_t... 32
checking for bit size of size_t... 32
checking for bit size of sig_atomic_t... 32
checking for bit size of wchar_t... 32
checking for bit size of wint_t... 32
checking whether sig_atomic_t is signed... yes
checking whether wchar_t is signed... yes
checking whether wint_t is signed... yes
checking for ptrdiff_t integer literal suffix...
checking for size_t integer literal suffix... u
checking for sig_atomic_t integer literal suffix...
checking for wchar_t integer literal suffix... l
checking for wint_t integer literal suffix... l
checking for random.h... no
checking for struct random_data... no
checking whether <sys/select.h> is self-contained... (cached) yes
checking whether <sys/socket.h> is self-contained... (cached) yes
checking for shutdown... (cached) no
checking for struct sockaddr_storage... (cached) yes
checking for sa_family_t... (cached) yes
checking for nlink_t... yes
checking for ptrdiff_t... yes
checking whether <wchar.h> is standalone... yes
checking for stdint.h... (cached) yes
checking for gettimeofday with POSIX signature... yes
checking whether gettimeofday clobbers localtime buffer... no
checking for wchar_t... (cached) yes
checking for wint_t... (cached) yes
checking whether <sys/ioctl.h> declares ioctl... no
checking for shutdown... (cached) no
configure: creating ./config.status
config.status: creating guile/pre-inst-guile
config.status: creating Makefile
config.status: creating doc/Makefile
config.status: creating doc/credentials/Makefile
config.status: creating doc/credentials/openpgp/Makefile
config.status: creating doc/credentials/srp/Makefile
config.status: creating doc/credentials/x509/Makefile
config.status: creating doc/cyclo/Makefile
config.status: creating doc/doxygen/Doxyfile
config.status: creating doc/examples/Makefile
config.status: creating doc/manpages/Makefile
config.status: creating doc/reference/Makefile
config.status: creating doc/scripts/Makefile
config.status: creating gl/Makefile
config.status: creating gl/tests/Makefile
config.status: creating guile/Makefile
config.status: creating guile/modules/Makefile
config.status: creating guile/src/Makefile
config.status: creating guile/tests/Makefile
config.status: creating src/Makefile
config.status: creating src/cfg/Makefile
config.status: creating src/cfg/platon/Makefile
config.status: creating src/cfg/platon/str/Makefile
config.status: creating tests/Makefile
config.status: creating tests/key-id/Makefile
config.status: creating tests/openpgp-certs/Makefile
config.status: creating tests/pathlen/Makefile
config.status: creating tests/pkcs1-padding/Makefile
config.status: creating tests/pkcs12-decode/Makefile
config.status: creating tests/pkcs8-decode/Makefile
config.status: creating tests/rsa-md5-collision/Makefile
config.status: creating tests/sha2/Makefile
config.status: creating tests/userid/Makefile
config.status: creating config.h
config.status: executing depfiles commands
config.status: executing libtool commands
libtoolT: No such file or directory
=== configuring in lib 
(/export/home/drkirkby/sage-4.2.1/spkg/build/gnutls-2.8.5/src/lib)
configure: running /bin/bash ./configure --disable-option-checking 
'--prefix=/export/home/drkirkby/sage-4.2.1/local'  '--enable-shared' 
'--disable-static' '--disable-cxx' '--enable-guile=no' 'CC=gcc' 'LDFLAGS=' 
'CXX=g++' --cache-file=/dev/null --srcdir=.
checking for a BSD-compatible install... /usr/local/bin/ginstall -c
checking whether build environment is sane... yes
checking for a thread-safe mkdir -p... build-aux/install-sh -c -d
checking for gawk... no
checking for mawk... no
checking for nawk... nawk
checking whether make sets $(MAKE)... yes
checking for gcc... gcc
checking for C compiler default output file name... a.out
checking whether the C compiler works... yes
checking whether we are cross compiling... no
checking for suffix of executables...
checking for suffix of object files... o
checking whether we are using the GNU C compiler... yes
checking whether gcc accepts -g... yes
checking for gcc option to accept ISO C89... none needed
checking for style of include used by make... GNU
checking dependency style of gcc... gcc3
checking for ranlib... ranlib
checking build system type... sparc-sun-solaris2.10
checking host system type... sparc-sun-solaris2.10
checking how to run the C preprocessor... gcc -E
checking for grep that handles long lines and -e... /usr/sfw/bin/ggrep
checking for egrep... /usr/sfw/bin/ggrep -E
checking for ANSI C header files... yes
checking for sys/types.h... yes
checking for sys/stat.h... yes
checking for stdlib.h... yes
checking for string.h... yes
checking for memory.h... yes
checking for strings.h... yes
checking for inttypes.h... yes
checking for stdint.h... yes
checking for unistd.h... yes
checking minix/config.h usability... no
checking minix/config.h presence... no
checking for minix/config.h... no
checking whether it is safe to define __EXTENSIONS__... yes
checking for _LARGEFILE_SOURCE value needed for large files... no
checking for a sed that does not truncate output... /usr/bin/sed
checking for fgrep... /usr/sfw/bin/ggrep -F
checking for ld used by gcc... ld
checking if the linker (ld) is GNU ld... no
checking for BSD- or MS-compatible name lister (nm)... /usr/ccs/bin/nm -p
checking the name lister (/usr/ccs/bin/nm -p) interface... BSD nm
checking whether ln -s works... yes
checking the maximum length of command line arguments... 786240
checking whether the shell understands some XSI constructs... yes
checking whether the shell understands "+="... no
checking for ld option to reload object files... -r
checking for objdump... objdump
checking how to recognize dependent libraries... pass_all
checking for ar... ar
checking for strip... strip
checking for ranlib... (cached) ranlib
checking command to parse /usr/ccs/bin/nm -p output from gcc object... ok
checking for dlfcn.h... yes
checking for objdir... .libs
checking if gcc supports -fno-rtti -fno-exceptions... no
checking for gcc option to produce PIC... -fPIC -DPIC
checking if gcc PIC flag -fPIC -DPIC works... yes
checking if gcc static flag -static works... no
checking if gcc supports -c -o file.o... conftest*: No such file or directory
yes
checking if gcc supports -c -o file.o... (cached) yes
checking whether the gcc linker (ld) supports shared libraries... yes
checking whether -lc should be explicitly linked in... conftest*: No such file 
or directory
yes
checking dynamic linker characteristics... solaris2.10 ld.so
checking how to hardcode library paths into programs... immediate
checking whether stripping libraries is possible... no
checking if libtool supports shared libraries... yes
checking whether to build shared libraries... yes
checking whether to build static libraries... no
checking for ld used by GCC... ld
checking if the linker (ld) is GNU ld... no
checking for shared library run path origin... done
checking for libgcrypt... yes
checking how to link with libgcrypt... 
/export/home/drkirkby/sage-4.2.1/local/lib/libgcrypt.so 
-L/export/home/drkirkby/sage-4.2.1/local/lib 
/export/home/drkirkby/sage-4.2.1/local/lib/libgpg-error.so -lsocket 
-R/export/home/drkirkby/sage-4.2.1/local/lib
checking for libtasn1... no
configure: WARNING:
   ***
   *** Libtasn1 was not found. Will use the included one.

checking whether to use the included minitasn1... yes
checking whether to include LZO compression support... no
checking whether C99 macros are supported... yes
checking whether to enable Opaque PRF input support... no
checking whether to disable SRP authentication support... no
checking whether to disable PSK authentication support... no
checking whether to disable anonymous authentication support... no
checking whether to disable Camellia cipher... no
checking whether to disable extra PKI stuff... no
checking whether to disable OpenPGP Certificate authentication support... no
checking size of void *... 4
checking size of long... 4
checking size of int... 4
checking whether NLS is requested... yes
checking for msgfmt... no
checking for gmsgfmt... :
checking for xgettext... no
checking for msgmerge... no
checking for CFPreferencesCopyAppValue... no
checking for CFLocaleCopyCurrent... no
checking for GNU gettext in libc... no
checking for iconv... yes
checking for working iconv... yes
checking for GNU gettext in libintl... no
checking whether to use NLS... no
checking whether byte ordering is bigendian... yes
checking for ssize_t... yes
checking size of unsigned long int... 4
checking size of unsigned int... 4
checking whether to include zlib compression support... yes
checking for libz... yes
checking how to link with libz... 
/export/home/drkirkby/sage-4.2.1/local/lib/libz.so 
-R/export/home/drkirkby/sage-4.2.1/local/lib
checking for working alloca.h... yes
checking for alloca... yes
checking whether the preprocessor supports include_next... yes
checking for errno.h... yes
checking for float.h... yes
checking for netdb.h... yes
checking for sys/socket.h... yes
checking for stdint.h... (cached) yes
checking for wchar.h... yes
checking for stdio.h... yes
checking for stdlib.h... (cached) yes
checking for string.h... (cached) yes
checking for strings.h... (cached) yes
checking for sys/stat.h... (cached) yes
checking for time.h... yes
checking for sys/time.h... yes
checking for unistd.h... (cached) yes
checking for complete errno.h... yes
checking whether stdin defaults to large file offsets... yes
checking whether memmem is declared... no
checking whether <limits.h> defines MIN and MAX... no
checking whether <sys/param.h> defines MIN and MAX... no
checking whether malloc, realloc, calloc are POSIX compliant... yes
checking whether snprintf is declared... yes
checking for inline... inline
checking whether <sys/socket.h> is self-contained... yes
checking for shutdown... no
checking for struct sockaddr_storage... yes
checking for sa_family_t... yes
checking for stdbool.h that conforms to C99... yes
checking for _Bool... yes
checking for long long int... yes
checking for unsigned long long int... yes
checking for C/C++ restrict keyword... __restrict
checking for lstat... yes
checking for vasnprintf... no
checking whether stat file-mode macros are broken... no
checking for struct timespec in <time.h>... yes
checking for wchar_t... yes
checking for wint_t... yes
checking for size_t... yes
checking for inttypes.h... yes
checking for stdint.h... yes
checking for intmax_t... yes
checking for snprintf... yes
checking for strnlen... no
checking for wcslen... yes
checking for wcsnlen... no
checking for mbrtowc... yes
checking for wcrtomb... yes
checking whether _snprintf is declared... no
checking whether vsnprintf is declared... yes
checking whether ungetc works on arbitrary bytes... yes
checking for alloca as a compiler built-in... yes
checking byteswap.h usability... no
checking byteswap.h presence... no
checking for byteswap.h... no
checking for fseeko... yes
checking whether __func__ is available... yes
checking if gcc/ld supports -Wl,--output-def... no
checking if LD -Wl,--version-script works... no
checking whether lseek detects pipes... yes
checking for memmem... no
checking for memmove... yes
checking for stdint.h... (cached) yes
checking for SIZE_MAX... yes
checking for snprintf... (cached) yes
checking whether snprintf respects a size of 1... yes
checking for library containing setsockopt... -lsocket
checking for socklen_t... yes
checking whether stdint.h conforms to C99... no
checking sys/inttypes.h usability... yes
checking sys/inttypes.h presence... yes
checking for sys/inttypes.h... yes
checking sys/bitypes.h usability... no
checking sys/bitypes.h presence... no
checking for sys/bitypes.h... no
checking for bit size of ptrdiff_t... 32
checking for bit size of size_t... 32
checking for bit size of sig_atomic_t... 32
checking for bit size of wchar_t... 32
checking for bit size of wint_t... 32
checking whether sig_atomic_t is signed... yes
checking whether wchar_t is signed... yes
checking whether wint_t is signed... yes
checking for ptrdiff_t integer literal suffix...
checking for size_t integer literal suffix... u
checking for sig_atomic_t integer literal suffix...
checking for wchar_t integer literal suffix... l
checking for wint_t integer literal suffix... l
checking for random.h... no
checking for struct random_data... no
checking for strcasecmp... yes
checking for strncasecmp... yes
checking whether strncasecmp is declared... yes
checking for strverscmp... no
checking whether <sys/socket.h> is self-contained... (cached) yes
checking for shutdown... (cached) no
checking for struct sockaddr_storage... (cached) yes
checking for sa_family_t... (cached) yes
checking for nlink_t... yes
checking whether localtime_r is compatible with its POSIX signature... yes
checking for ptrdiff_t... yes
checking for vasprintf... no
checking for vsnprintf... yes
checking whether snprintf respects a size of 1... (cached) yes
checking whether <wchar.h> is standalone... yes
checking for stdint.h... (cached) yes
checking for wchar_t... (cached) yes
checking for wint_t... (cached) yes
checking for shutdown... (cached) no
checking whether we are using the GNU C++ compiler... yes
checking whether g++ accepts -g... yes
checking dependency style of g++... gcc3
checking whether we are using the GNU C++ compiler... (cached) yes
checking whether g++ accepts -g... (cached) yes
checking dependency style of g++... (cached) gcc3
checking how to run the C++ preprocessor... g++ -E
checking for ld used by g++... ld
checking if the linker (ld) is GNU ld... no
checking whether the g++ linker (ld) supports shared libraries... yes
checking for g++ option to produce PIC... -fPIC -DPIC
checking if g++ PIC flag -fPIC -DPIC works... yes
checking if g++ static flag -static works... no
checking if g++ supports -c -o file.o... conftest*: No such file or directory
yes
checking if g++ supports -c -o file.o... (cached) yes
checking whether the g++ linker (ld) supports shared libraries... yes
checking dynamic linker characteristics... solaris2.10 ld.so
checking how to hardcode library paths into programs... immediate
configure: creating ./config.status
config.status: creating Makefile
config.status: creating gnutls.pc
config.status: creating gl/Makefile
config.status: creating gl/tests/Makefile
config.status: creating includes/Makefile
config.status: creating includes/gnutls/gnutls.h
config.status: creating minitasn1/Makefile
config.status: creating opencdk/Makefile
config.status: creating openpgp/Makefile
config.status: creating po/Makefile.in
config.status: creating x509/Makefile
config.status: creating config.h
config.status: executing depfiles commands
config.status: executing libtool commands
libtoolT: No such file or directory
config.status: executing po-directories commands
config.status: creating po/POTFILES
config.status: creating po/Makefile
=== configuring in libextra 
(/export/home/drkirkby/sage-4.2.1/spkg/build/gnutls-2.8.5/src/libextra)
configure: running /bin/bash ./configure --disable-option-checking 
'--prefix=/export/home/drkirkby/sage-4.2.1/local'  '--enable-shared' 
'--disable-static' '--disable-cxx' '--enable-guile=no' 'CC=gcc' 'LDFLAGS=' 
'CXX=g++' --cache-file=/dev/null --srcdir=.
checking for a BSD-compatible install... /usr/local/bin/ginstall -c
checking whether build environment is sane... yes
checking for a thread-safe mkdir -p... build-aux/install-sh -c -d
checking for gawk... no
checking for mawk... no
checking for nawk... nawk
checking whether make sets $(MAKE)... yes
checking for gcc... gcc
checking for C compiler default output file name... a.out
checking whether the C compiler works... yes
checking whether we are cross compiling... no
checking for suffix of executables...
checking for suffix of object files... o
checking whether we are using the GNU C compiler... yes
checking whether gcc accepts -g... yes
checking for gcc option to accept ISO C89... none needed
checking for style of include used by make... GNU
checking dependency style of gcc... gcc3
checking for ranlib... ranlib
checking build system type... sparc-sun-solaris2.10
checking host system type... sparc-sun-solaris2.10
checking how to run the C preprocessor... gcc -E
checking for grep that handles long lines and -e... /usr/sfw/bin/ggrep
checking for egrep... /usr/sfw/bin/ggrep -E
checking for ANSI C header files... yes
checking for sys/types.h... yes
checking for sys/stat.h... yes
checking for stdlib.h... yes
checking for string.h... yes
checking for memory.h... yes
checking for strings.h... yes
checking for inttypes.h... yes
checking for stdint.h... yes
checking for unistd.h... yes
checking minix/config.h usability... no
checking minix/config.h presence... no
checking for minix/config.h... no
checking whether it is safe to define __EXTENSIONS__... yes
checking for a sed that does not truncate output... /usr/bin/sed
checking for fgrep... /usr/sfw/bin/ggrep -F
checking for ld used by gcc... ld
checking if the linker (ld) is GNU ld... no
checking for BSD- or MS-compatible name lister (nm)... /usr/ccs/bin/nm -p
checking the name lister (/usr/ccs/bin/nm -p) interface... BSD nm
checking whether ln -s works... yes
checking the maximum length of command line arguments... 786240
checking whether the shell understands some XSI constructs... yes
checking whether the shell understands "+="... no
checking for ld option to reload object files... -r
checking for objdump... objdump
checking how to recognize dependent libraries... pass_all
checking for ar... ar
checking for strip... strip
checking for ranlib... (cached) ranlib
checking command to parse /usr/ccs/bin/nm -p output from gcc object... ok
checking for dlfcn.h... yes
checking for objdir... .libs
checking if gcc supports -fno-rtti -fno-exceptions... no
checking for gcc option to produce PIC... -fPIC -DPIC
checking if gcc PIC flag -fPIC -DPIC works... yes
checking if gcc static flag -static works... no
checking if gcc supports -c -o file.o... conftest*: No such file or directory
yes
checking if gcc supports -c -o file.o... (cached) yes
checking whether the gcc linker (ld) supports shared libraries... yes
checking whether -lc should be explicitly linked in... conftest*: No such file 
or directory
yes
checking dynamic linker characteristics... solaris2.10 ld.so
checking how to hardcode library paths into programs... immediate
checking whether stripping libraries is possible... no
checking if libtool supports shared libraries... yes
checking whether to build shared libraries... yes
checking whether to build static libraries... no
checking for ld used by GCC... ld
checking if the linker (ld) is GNU ld... no
checking for shared library run path origin... done
checking for 64-bit host... no
checking for libgcrypt... yes
checking how to link with libgcrypt... 
/export/home/drkirkby/sage-4.2.1/local/lib/libgcrypt.so 
-L/export/home/drkirkby/sage-4.2.1/local/lib 
/export/home/drkirkby/sage-4.2.1/local/lib/libgpg-error.so -lsocket 
-R/export/home/drkirkby/sage-4.2.1/local/lib
checking for libtasn1... no
configure: WARNING:
   ***
   *** Libtasn1 was not found. Will use the included one.

checking whether to use the included minitasn1... yes
checking whether to include LZO compression support... no
checking whether C99 macros are supported... yes
checking whether to enable Opaque PRF input support... no
checking whether to disable SRP authentication support... no
checking whether to disable PSK authentication support... no
checking whether to disable anonymous authentication support... no
checking whether to disable Camellia cipher... no
checking whether to disable extra PKI stuff... no
checking whether to disable OpenPGP Certificate authentication support... no
checking size of void *... 4
checking size of long... 4
checking size of int... 4
checking for inline... inline
checking for sys/socket.h... yes
checking whether to disable OpenSSL compatibility layer... yes
checking for library containing setsockopt... -lsocket
checking whether byte ordering is bigendian... yes
checking for C/C++ restrict keyword... __restrict
checking if gcc/ld supports -Wl,--output-def... no
checking if LD -Wl,--version-script works... no
configure: creating ./config.status
config.status: creating Makefile
config.status: creating gnutls-extra.pc
config.status: creating gl/Makefile
config.status: creating includes/Makefile
config.status: creating config.h
config.status: executing depfiles commands
config.status: executing libtool commands
libtoolT: No such file or directory
configure: summary of build options:

   version:          2.8.5 shared 40:12:14
   Host type:        sparc-sun-solaris2.10
   Install prefix:   /export/home/drkirkby/sage-4.2.1/local
   Compiler:         gcc -std=gnu99
   Warning flags:    errors:  warnings:
   Library types:    Shared=yes, Static=no
   Valgrind:
   Guile wrappers:   no
   C++ library:      no
   OpenSSL library:  yes

cat: cannot open ./.prev-version
make[2]: Entering directory 
`/export/home/drkirkby/sage-4.2.1/spkg/build/gnutls-2.8.5/src'
make  all-recursive
cat: cannot open ./.prev-version
make[3]: Entering directory 
`/export/home/drkirkby/sage-4.2.1/spkg/build/gnutls-2.8.5/src'
Making all in lib
make[4]: Entering directory 
`/export/home/drkirkby/sage-4.2.1/spkg/build/gnutls-2.8.5/src/lib'
make  all-recursive
make[5]: Entering directory 
`/export/home/drkirkby/sage-4.2.1/spkg/build/gnutls-2.8.5/src/lib'
Making all in gl
make[6]: Entering directory 
`/export/home/drkirkby/sage-4.2.1/spkg/build/gnutls-2.8.5/src/lib/gl'
{ echo '/* DO NOT EDIT! GENERATED AUTOMATICALLY! */'; \
   cat ./alloca.in.h; \
} > alloca.h-t
mv -f alloca.h-t alloca.h
{ echo '/* DO NOT EDIT! GENERATED AUTOMATICALLY! */'; \
   cat ./byteswap.in.h; \
} > byteswap.h-t
mv -f byteswap.h-t byteswap.h
rm -f stdint.h-t stdint.h
{ echo '/* DO NOT EDIT! GENERATED AUTOMATICALLY! */'; \
   sed -e 's/@''HAVE_STDINT_H''@/1/g' \
       -e 's|@''INCLUDE_NEXT''@|include_next|g' \
       -e 's|@''PRAGMA_SYSTEM_HEADER''@|#pragma GCC system_header|g' \
       -e 's|@''NEXT_STDINT_H''@|<stdint.h>|g' \
       -e 's/@''HAVE_SYS_TYPES_H''@/1/g' \
       -e 's/@''HAVE_INTTYPES_H''@/1/g' \
       -e 's/@''HAVE_SYS_INTTYPES_H''@/1/g' \
       -e 's/@''HAVE_SYS_BITYPES_H''@/0/g' \
       -e 's/@''HAVE_LONG_LONG_INT''@/1/g' \
       -e 's/@''HAVE_UNSIGNED_LONG_LONG_INT''@/1/g' \
       -e 's/@''APPLE_UNIVERSAL_BUILD''@/0/g' \
       -e 's/@''BITSIZEOF_PTRDIFF_T''@/32/g' \
       -e 's/@''PTRDIFF_T_SUFFIX''@//g' \
       -e 's/@''BITSIZEOF_SIG_ATOMIC_T''@/32/g' \
       -e 's/@''HAVE_SIGNED_SIG_ATOMIC_T''@/1/g' \
       -e 's/@''SIG_ATOMIC_T_SUFFIX''@//g' \
       -e 's/@''BITSIZEOF_SIZE_T''@/32/g' \
       -e 's/@''SIZE_T_SUFFIX''@/u/g' \
       -e 's/@''BITSIZEOF_WCHAR_T''@/32/g' \
       -e 's/@''HAVE_SIGNED_WCHAR_T''@/1/g' \
       -e 's/@''WCHAR_T_SUFFIX''@/l/g' \
       -e 's/@''BITSIZEOF_WINT_T''@/32/g' \
       -e 's/@''HAVE_SIGNED_WINT_T''@/1/g' \
       -e 's/@''WINT_T_SUFFIX''@/l/g' \
       < ./stdint.in.h; \
} > stdint.h-t
mv stdint.h-t stdint.h
rm -f stdio.h-t stdio.h
{ echo '/* DO NOT EDIT! GENERATED AUTOMATICALLY! */' && \
   sed -e 's|@''INCLUDE_NEXT''@|include_next|g' \
       -e 's|@''PRAGMA_SYSTEM_HEADER''@|#pragma GCC system_header|g' \
       -e 's|@''NEXT_STDIO_H''@|<stdio.h>|g' \
       -e 's|@''GNULIB_FPRINTF''@|1|g' \
       -e 's|@''GNULIB_FPRINTF_POSIX''@|0|g' \
       -e 's|@''GNULIB_PRINTF''@|1|g' \
       -e 's|@''GNULIB_PRINTF_POSIX''@|0|g' \
       -e 's|@''GNULIB_SNPRINTF''@|1|g' \
       -e 's|@''GNULIB_SPRINTF_POSIX''@|0|g' \
       -e 's|@''GNULIB_VFPRINTF''@|1|g' \
       -e 's|@''GNULIB_VFPRINTF_POSIX''@|0|g' \
       -e 's|@''GNULIB_VPRINTF''@|1|g' \
       -e 's|@''GNULIB_VPRINTF_POSIX''@|0|g' \
       -e 's|@''GNULIB_VSNPRINTF''@|1|g' \
       -e 's|@''GNULIB_VSPRINTF_POSIX''@|0|g' \
       -e 's|@''GNULIB_DPRINTF''@|0|g' \
       -e 's|@''GNULIB_VDPRINTF''@|0|g' \
       -e 's|@''GNULIB_VASPRINTF''@|1|g' \
       -e 's|@''GNULIB_OBSTACK_PRINTF''@|0|g' \
       -e 's|@''GNULIB_OBSTACK_PRINTF_POSIX''@|0|g' \
       -e 's|@''GNULIB_FOPEN''@|0|g' \
       -e 's|@''GNULIB_FREOPEN''@|0|g' \
       -e 's|@''GNULIB_FSEEK''@|0|g' \
       -e 's|@''GNULIB_FSEEKO''@|1|g' \
       -e 's|@''GNULIB_FTELL''@|0|g' \
       -e 's|@''GNULIB_FTELLO''@|0|g' \
       -e 's|@''GNULIB_FFLUSH''@|0|g' \
       -e 's|@''GNULIB_FCLOSE''@|0|g' \
       -e 's|@''GNULIB_FPUTC''@|1|g' \
       -e 's|@''GNULIB_PUTC''@|1|g' \
       -e 's|@''GNULIB_PUTCHAR''@|1|g' \
       -e 's|@''GNULIB_FPUTS''@|1|g' \
       -e 's|@''GNULIB_PUTS''@|1|g' \
       -e 's|@''GNULIB_FWRITE''@|1|g' \
       -e 's|@''GNULIB_GETDELIM''@|0|g' \
       -e 's|@''GNULIB_GETLINE''@|0|g' \
       -e 's|@''GNULIB_PERROR''@|0|g' \
       -e 's|@''GNULIB_STDIO_H_SIGPIPE''@|0|g' \
       -e 's|@''REPLACE_STDIO_WRITE_FUNCS''@|0|g' \
       -e 's|@''REPLACE_FPRINTF''@|0|g' \
       -e 's|@''REPLACE_VFPRINTF''@|0|g' \
       -e 's|@''REPLACE_PRINTF''@|0|g' \
       -e 's|@''REPLACE_VPRINTF''@|0|g' \
       -e 's|@''REPLACE_SNPRINTF''@|0|g' \
       -e 's|@''HAVE_DECL_SNPRINTF''@|1|g' \
       -e 's|@''REPLACE_VSNPRINTF''@|0|g' \
       -e 's|@''HAVE_DECL_VSNPRINTF''@|1|g' \
       -e 's|@''REPLACE_SPRINTF''@|0|g' \
       -e 's|@''REPLACE_VSPRINTF''@|0|g' \
       -e 's|@''HAVE_DPRINTF''@|1|g' \
       -e 's|@''REPLACE_DPRINTF''@|0|g' \
       -e 's|@''HAVE_VDPRINTF''@|1|g' \
       -e 's|@''REPLACE_VDPRINTF''@|0|g' \
       -e 's|@''HAVE_VASPRINTF''@|0|g' \
       -e 's|@''REPLACE_VASPRINTF''@|0|g' \
       -e 's|@''HAVE_DECL_OBSTACK_PRINTF''@|1|g' \
       -e 's|@''REPLACE_OBSTACK_PRINTF''@|0|g' \
       -e 's|@''REPLACE_FOPEN''@|0|g' \
       -e 's|@''REPLACE_FREOPEN''@|0|g' \
       -e 's|@''REPLACE_FSEEKO''@|0|g' \
       -e 's|@''REPLACE_FSEEK''@|0|g' \
       -e 's|@''REPLACE_FTELLO''@|0|g' \
       -e 's|@''REPLACE_FTELL''@|0|g' \
       -e 's|@''REPLACE_FFLUSH''@|0|g' \
       -e 's|@''REPLACE_FCLOSE''@|0|g' \
       -e 's|@''HAVE_DECL_GETDELIM''@|1|g' \
       -e 's|@''HAVE_DECL_GETLINE''@|1|g' \
       -e 's|@''REPLACE_GETLINE''@|0|g' \
       -e 's|@''REPLACE_PERROR''@|0|g' \
       -e '/definition of GL_LINK_WARNING/r ../build-aux/link-warning.h' \
       < ./stdio.in.h; \
} > stdio.h-t
mv stdio.h-t stdio.h
rm -f stdlib.h-t stdlib.h
{ echo '/* DO NOT EDIT! GENERATED AUTOMATICALLY! */' && \
   sed -e 's|@''INCLUDE_NEXT''@|include_next|g' \
       -e 's|@''PRAGMA_SYSTEM_HEADER''@|#pragma GCC system_header|g' \
       -e 's|@''NEXT_STDLIB_H''@|<stdlib.h>|g' \
       -e 's|@''HAVE_RANDOM_H''@|0|g' \
       -e 's|@''GNULIB_MALLOC_POSIX''@|0|g' \
       -e 's|@''GNULIB_REALLOC_POSIX''@|1|g' \
       -e 's|@''GNULIB_CALLOC_POSIX''@|0|g' \
       -e 's|@''GNULIB_ATOLL''@|0|g' \
       -e 's|@''GNULIB_GETLOADAVG''@|0|g' \
       -e 's|@''GNULIB_GETSUBOPT''@|0|g' \
       -e 's|@''GNULIB_MKDTEMP''@|0|g' \
       -e 's|@''GNULIB_MKSTEMP''@|0|g' \
       -e 's|@''GNULIB_PUTENV''@|0|g' \
       -e 's|@''GNULIB_RANDOM_R''@|0|g' \
       -e 's|@''GNULIB_RPMATCH''@|0|g' \
       -e 's|@''GNULIB_SETENV''@|0|g' \
       -e 's|@''GNULIB_STRTOD''@|0|g' \
       -e 's|@''GNULIB_STRTOLL''@|0|g' \
       -e 's|@''GNULIB_STRTOULL''@|0|g' \
       -e 's|@''GNULIB_UNSETENV''@|0|g' \
       -e 's|@''HAVE_ATOLL''@|1|g' \
       -e 's|@''HAVE_CALLOC_POSIX''@|1|g' \
       -e 's|@''HAVE_GETSUBOPT''@|1|g' \
       -e 's|@''HAVE_MALLOC_POSIX''@|1|g' \
       -e 's|@''HAVE_MKDTEMP''@|1|g' \
       -e 's|@''HAVE_REALLOC_POSIX''@|1|g' \
       -e 's|@''HAVE_RANDOM_R''@|1|g' \
       -e 's|@''HAVE_RPMATCH''@|1|g' \
       -e 's|@''HAVE_SETENV''@|1|g' \
       -e 's|@''HAVE_STRTOD''@|1|g' \
       -e 's|@''HAVE_STRTOLL''@|1|g' \
       -e 's|@''HAVE_STRTOULL''@|1|g' \
       -e 's|@''HAVE_STRUCT_RANDOM_DATA''@|0|g' \
       -e 's|@''HAVE_SYS_LOADAVG_H''@|0|g' \
       -e 's|@''HAVE_UNSETENV''@|1|g' \
       -e 's|@''HAVE_DECL_GETLOADAVG''@|1|g' \
       -e 's|@''REPLACE_MKSTEMP''@|0|g' \
       -e 's|@''REPLACE_PUTENV''@|0|g' \
       -e 's|@''REPLACE_STRTOD''@|0|g' \
       -e 's|@''VOID_UNSETENV''@|0|g' \
       -e '/definition of GL_LINK_WARNING/r ../build-aux/link-warning.h' \
       < ./stdlib.in.h; \
} > stdlib.h-t
mv stdlib.h-t stdlib.h
rm -f string.h-t string.h
{ echo '/* DO NOT EDIT! GENERATED AUTOMATICALLY! */' && \
   sed -e 's|@''INCLUDE_NEXT''@|include_next|g' \
       -e 's|@''PRAGMA_SYSTEM_HEADER''@|#pragma GCC system_header|g' \
       -e 's|@''NEXT_STRING_H''@|<string.h>|g' \
       -e 's|@''GNULIB_MBSLEN''@|0|g' \
       -e 's|@''GNULIB_MBSNLEN''@|0|g' \
       -e 's|@''GNULIB_MBSCHR''@|0|g' \
       -e 's|@''GNULIB_MBSRCHR''@|0|g' \
       -e 's|@''GNULIB_MBSSTR''@|0|g' \
       -e 's|@''GNULIB_MBSCASECMP''@|0|g' \
       -e 's|@''GNULIB_MBSNCASECMP''@|0|g' \
       -e 's|@''GNULIB_MBSPCASECMP''@|0|g' \
       -e 's|@''GNULIB_MBSCASESTR''@|0|g' \
       -e 's|@''GNULIB_MBSCSPN''@|0|g' \
       -e 's|@''GNULIB_MBSPBRK''@|0|g' \
       -e 's|@''GNULIB_MBSSPN''@|0|g' \
       -e 's|@''GNULIB_MBSSEP''@|0|g' \
       -e 's|@''GNULIB_MBSTOK_R''@|0|g' \
       -e 's|@''GNULIB_MEMMEM''@|1|g' \
       -e 's|@''GNULIB_MEMPCPY''@|0|g' \
       -e 's|@''GNULIB_MEMRCHR''@|0|g' \
       -e 's|@''GNULIB_RAWMEMCHR''@|0|g' \
       -e 's|@''GNULIB_STPCPY''@|0|g' \
       -e 's|@''GNULIB_STPNCPY''@|0|g' \
       -e 's|@''GNULIB_STRCHRNUL''@|0|g' \
       -e 's|@''GNULIB_STRDUP''@|0|g' \
       -e 's|@''GNULIB_STRNDUP''@|0|g' \
       -e 's|@''GNULIB_STRNLEN''@|0|g' \
       -e 's|@''GNULIB_STRPBRK''@|0|g' \
       -e 's|@''GNULIB_STRSEP''@|0|g' \
       -e 's|@''GNULIB_STRSTR''@|0|g' \
       -e 's|@''GNULIB_STRCASESTR''@|0|g' \
       -e 's|@''GNULIB_STRTOK_R''@|0|g' \
       -e 's|@''GNULIB_STRERROR''@|0|g' \
       -e 's|@''GNULIB_STRSIGNAL''@|0|g' \
       -e 's|@''GNULIB_STRVERSCMP''@|1|g' \
       -e 's|@''HAVE_DECL_MEMMEM''@|0|g' \
       -e 's|@''HAVE_MEMPCPY''@|1|g' \
       -e 's|@''HAVE_DECL_MEMRCHR''@|1|g' \
       -e 's|@''HAVE_RAWMEMCHR''@|1|g' \
       -e 's|@''HAVE_STPCPY''@|1|g' \
       -e 's|@''HAVE_STPNCPY''@|1|g' \
       -e 's|@''HAVE_STRCHRNUL''@|1|g' \
       -e 's|@''HAVE_DECL_STRDUP''@|1|g' \
       -e 's|@''HAVE_STRNDUP''@|1|g' \
       -e 's|@''HAVE_DECL_STRNDUP''@|1|g' \
       -e 's|@''HAVE_DECL_STRNLEN''@|1|g' \
       -e 's|@''HAVE_STRPBRK''@|1|g' \
       -e 's|@''HAVE_STRSEP''@|1|g' \
       -e 's|@''HAVE_STRCASESTR''@|1|g' \
       -e 's|@''HAVE_DECL_STRTOK_R''@|1|g' \
       -e 's|@''HAVE_DECL_STRERROR''@|1|g' \
       -e 's|@''HAVE_DECL_STRSIGNAL''@|1|g' \
       -e 's|@''HAVE_STRVERSCMP''@|0|g' \
       -e 's|@''REPLACE_MEMMEM''@|0|g' \
       -e 's|@''REPLACE_STRCASESTR''@|0|g' \
       -e 's|@''REPLACE_STRDUP''@|0|g' \
       -e 's|@''REPLACE_STRSTR''@|0|g' \
       -e 's|@''REPLACE_STRERROR''@|0|g' \
       -e 's|@''REPLACE_STRSIGNAL''@|0|g' \
       -e '/definition of GL_LINK_WARNING/r ../build-aux/link-warning.h' \
       < ./string.in.h; \
} > string.h-t
mv string.h-t string.h
rm -f strings.h-t strings.h
{ echo '/* DO NOT EDIT! GENERATED AUTOMATICALLY! */' && \
   sed -e 's|@''INCLUDE_NEXT''@|include_next|g' \
       -e 's|@''PRAGMA_SYSTEM_HEADER''@|#pragma GCC system_header|g' \
       -e 's|@''NEXT_STRINGS_H''@|<strings.h>|g' \
       -e 's|@''HAVE_STRCASECMP''@|1|g' \
       -e 's|@''HAVE_DECL_STRNCASECMP''@|1|g' \
       -e '/definition of GL_LINK_WARNING/r ../build-aux/link-warning.h' \
       < ./strings.in.h; \
} > strings.h-t
mv strings.h-t strings.h
../build-aux/install-sh -c -d sys
rm -f sys/stat.h-t sys/stat.h
{ echo '/* DO NOT EDIT! GENERATED AUTOMATICALLY! */'; \
   sed -e 's|@''INCLUDE_NEXT''@|include_next|g' \
       -e 's|@''PRAGMA_SYSTEM_HEADER''@|#pragma GCC system_header|g' \
       -e 's|@''NEXT_SYS_STAT_H''@|<sys/stat.h>|g' \
       -e 's|@''GNULIB_LCHMOD''@|0|g' \
       -e 's|@''GNULIB_LSTAT''@|0|g' \
       -e 's|@''HAVE_LCHMOD''@|1|g' \
       -e 's|@''HAVE_LSTAT''@|1|g' \
       -e 's|@''REPLACE_LSTAT''@|0|g' \
       -e 's|@''REPLACE_MKDIR''@|0|g' \
       -e '/definition of GL_LINK_WARNING/r ../build-aux/link-warning.h' \
       < ./sys_stat.in.h; \
} > sys/stat.h-t
mv sys/stat.h-t sys/stat.h
rm -f time.h-t time.h
{ echo '/* DO NOT EDIT! GENERATED AUTOMATICALLY! */' && \
   sed -e 's|@''INCLUDE_NEXT''@|include_next|g' \
       -e 's|@''PRAGMA_SYSTEM_HEADER''@|#pragma GCC system_header|g' \
       -e 's|@NEXT_TIME_H''@|<time.h>|g' \
       -e 's|@REPLACE_LOCALTIME_R''@|0|g' \
       -e 's|@REPLACE_NANOSLEEP''@|GNULIB_PORTCHECK|g' \
       -e 's|@REPLACE_STRPTIME''@|GNULIB_PORTCHECK|g' \
       -e 's|@REPLACE_TIMEGM''@|GNULIB_PORTCHECK|g' \
       -e 's|@SYS_TIME_H_DEFINES_STRUCT_TIMESPEC''@|0|g' \
       -e 's|@TIME_H_DEFINES_STRUCT_TIMESPEC''@|1|g' \
       < ./time.in.h; \
} > time.h-t
mv time.h-t time.h
rm -f unistd.h-t unistd.h
{ echo '/* DO NOT EDIT! GENERATED AUTOMATICALLY! */'; \
   sed -e 's|@''HAVE_UNISTD_H''@|1|g' \
       -e 's|@''INCLUDE_NEXT''@|include_next|g' \
       -e 's|@''PRAGMA_SYSTEM_HEADER''@|#pragma GCC system_header|g' \
       -e 's|@''NEXT_UNISTD_H''@|<unistd.h>|g' \
       -e 's|@''GNULIB_CHOWN''@|0|g' \
       -e 's|@''GNULIB_CLOSE''@|0|g' \
       -e 's|@''GNULIB_DUP2''@|0|g' \
       -e 's|@''GNULIB_ENVIRON''@|0|g' \
       -e 's|@''GNULIB_EUIDACCESS''@|0|g' \
       -e 's|@''GNULIB_FCHDIR''@|0|g' \
       -e 's|@''GNULIB_FSYNC''@|0|g' \
       -e 's|@''GNULIB_FTRUNCATE''@|0|g' \
       -e 's|@''GNULIB_GETCWD''@|0|g' \
       -e 's|@''GNULIB_GETDOMAINNAME''@|0|g' \
       -e 's|@''GNULIB_GETDTABLESIZE''@|0|g' \
       -e 's|@''GNULIB_GETHOSTNAME''@|0|g' \
       -e 's|@''GNULIB_GETLOGIN_R''@|0|g' \
       -e 's|@''GNULIB_GETPAGESIZE''@|0|g' \
       -e 's|@''GNULIB_GETUSERSHELL''@|0|g' \
       -e 's|@''GNULIB_LCHOWN''@|0|g' \
       -e 's|@''GNULIB_LINK''@|0|g' \
       -e 's|@''GNULIB_LSEEK''@|1|g' \
       -e 's|@''GNULIB_READLINK''@|0|g' \
       -e 's|@''GNULIB_SLEEP''@|0|g' \
       -e 's|@''GNULIB_UNISTD_H_SIGPIPE''@|0|g' \
       -e 's|@''GNULIB_WRITE''@|0|g' \
       -e 's|@''HAVE_DUP2''@|1|g' \
       -e 's|@''HAVE_EUIDACCESS''@|1|g' \
       -e 's|@''HAVE_FSYNC''@|1|g' \
       -e 's|@''HAVE_FTRUNCATE''@|1|g' \
       -e 's|@''HAVE_GETDOMAINNAME''@|1|g' \
       -e 's|@''HAVE_GETDTABLESIZE''@|1|g' \
       -e 's|@''HAVE_GETHOSTNAME''@|1|g' \
       -e 's|@''HAVE_GETPAGESIZE''@|1|g' \
       -e 's|@''HAVE_GETUSERSHELL''@|1|g' \
       -e 's|@''HAVE_LINK''@|1|g' \
       -e 's|@''HAVE_READLINK''@|1|g' \
       -e 's|@''HAVE_SLEEP''@|1|g' \
       -e 's|@''HAVE_DECL_ENVIRON''@|1|g' \
       -e 's|@''HAVE_DECL_GETLOGIN_R''@|1|g' \
       -e 's|@''HAVE_OS_H''@|0|g' \
       -e 's|@''HAVE_SYS_PARAM_H''@|0|g' \
       -e 's|@''REPLACE_CHOWN''@|0|g' \
       -e 's|@''REPLACE_CLOSE''@|0|g' \
       -e 's|@''REPLACE_FCHDIR''@|0|g' \
       -e 's|@''REPLACE_GETCWD''@|0|g' \
       -e 's|@''REPLACE_GETPAGESIZE''@|0|g' \
       -e 's|@''REPLACE_LCHOWN''@|0|g' \
       -e 's|@''REPLACE_LSEEK''@|0|g' \
       -e 's|@''REPLACE_WRITE''@|0|g' \
       -e 's|@''UNISTD_H_HAVE_WINSOCK2_H''@|0|g' \
       -e '/definition of GL_LINK_WARNING/r ../build-aux/link-warning.h' \
       < ./unistd.in.h; \
} > unistd.h-t
mv unistd.h-t unistd.h
make  all-recursive
make[7]: Entering directory 
`/export/home/drkirkby/sage-4.2.1/spkg/build/gnutls-2.8.5/src/lib/gl'
Making all in tests
make[8]: Entering directory 
`/export/home/drkirkby/sage-4.2.1/spkg/build/gnutls-2.8.5/src/lib/gl/tests'
make  all-recursive
make[9]: Entering directory 
`/export/home/drkirkby/sage-4.2.1/spkg/build/gnutls-2.8.5/src/lib/gl/tests'
make[10]: Entering directory 
`/export/home/drkirkby/sage-4.2.1/spkg/build/gnutls-2.8.5/src/lib/gl/tests'
make[10]: Nothing to be done for `all-am'.
make[10]: Leaving directory 
`/export/home/drkirkby/sage-4.2.1/spkg/build/gnutls-2.8.5/src/lib/gl/tests'
make[9]: Leaving directory 
`/export/home/drkirkby/sage-4.2.1/spkg/build/gnutls-2.8.5/src/lib/gl/tests'
make[8]: Leaving directory 
`/export/home/drkirkby/sage-4.2.1/spkg/build/gnutls-2.8.5/src/lib/gl/tests'
make[8]: Entering directory 
`/export/home/drkirkby/sage-4.2.1/spkg/build/gnutls-2.8.5/src/lib/gl'
/bin/bash ../libtool --tag=CC   --mode=compile gcc -DHAVE_CONFIG_H -I. -I.. 
-I../intl -I/export/home/drkirkby/sage-4.2.1/local/include  -g -O2 -MT 
c-ctype.lo -MD -MP -MF .deps/c-ctype.Tpo -c -o c-ctype.lo c-ctype.c
.libs/c-ctype.o: No such file or directory
c-ctype.lo: No such file or directory
c-ctype.loT: No such file or directory
libtool: compile:  gcc -DHAVE_CONFIG_H -I. -I.. -I../intl 
-I/export/home/drkirkby/sage-4.2.1/local/include -g -O2 -MT c-ctype.lo -MD -MP 
-MF .deps/c-ctype.Tpo -c c-ctype.c  -fPIC -DPIC -o .libs/c-ctype.o
mv -f .deps/c-ctype.Tpo .deps/c-ctype.Plo
/bin/bash ../libtool --tag=CC   --mode=compile gcc -DHAVE_CONFIG_H -I. -I.. 
-I../intl -I/export/home/drkirkby/sage-4.2.1/local/include  -g -O2 -MT 
close-hook.lo -MD -MP -MF .deps/close-hook.Tpo -c -o close-hook.lo close-hook.c
.libs/close-hook.o: No such file or directory
close-hook.lo: No such file or directory
close-hook.loT: No such file or directory
libtool: compile:  gcc -DHAVE_CONFIG_H -I. -I.. -I../intl 
-I/export/home/drkirkby/sage-4.2.1/local/include -g -O2 -MT close-hook.lo -MD 
-MP -MF .deps/close-hook.Tpo -c close-hook.c  -fPIC -DPIC -o .libs/close-hook.o
mv -f .deps/close-hook.Tpo .deps/close-hook.Plo
/bin/bash ../libtool --tag=CC   --mode=compile gcc -DHAVE_CONFIG_H -I. -I.. 
-I../intl -I/export/home/drkirkby/sage-4.2.1/local/include  -g -O2 -MT 
sockets.lo -MD -MP -MF .deps/sockets.Tpo -c -o sockets.lo sockets.c
.libs/sockets.o: No such file or directory
sockets.lo: No such file or directory
sockets.loT: No such file or directory
libtool: compile:  gcc -DHAVE_CONFIG_H -I. -I.. -I../intl 
-I/export/home/drkirkby/sage-4.2.1/local/include -g -O2 -MT sockets.lo -MD -MP 
-MF .deps/sockets.Tpo -c sockets.c  -fPIC -DPIC -o .libs/sockets.o
mv -f .deps/sockets.Tpo .deps/sockets.Plo
/bin/bash ../libtool --tag=CC   --mode=compile gcc -DHAVE_CONFIG_H -I. -I.. 
-I../intl -I/export/home/drkirkby/sage-4.2.1/local/include  -g -O2 -MT 
asnprintf.lo -MD -MP -MF .deps/asnprintf.Tpo -c -o asnprintf.lo asnprintf.c
.libs/asnprintf.o: No such file or directory
asnprintf.lo: No such file or directory
asnprintf.loT: No such file or directory
libtool: compile:  gcc -DHAVE_CONFIG_H -I. -I.. -I../intl 
-I/export/home/drkirkby/sage-4.2.1/local/include -g -O2 -MT asnprintf.lo -MD -MP 
-MF .deps/asnprintf.Tpo -c asnprintf.c  -fPIC -DPIC -o .libs/asnprintf.o
mv -f .deps/asnprintf.Tpo .deps/asnprintf.Plo
/bin/bash ../libtool --tag=CC   --mode=compile gcc -DHAVE_CONFIG_H -I. -I.. 
-I../intl -I/export/home/drkirkby/sage-4.2.1/local/include  -g -O2 -MT 
asprintf.lo -MD -MP -MF .deps/asprintf.Tpo -c -o asprintf.lo asprintf.c
.libs/asprintf.o: No such file or directory
asprintf.lo: No such file or directory
asprintf.loT: No such file or directory
libtool: compile:  gcc -DHAVE_CONFIG_H -I. -I.. -I../intl 
-I/export/home/drkirkby/sage-4.2.1/local/include -g -O2 -MT asprintf.lo -MD -MP 
-MF .deps/asprintf.Tpo -c asprintf.c  -fPIC -DPIC -o .libs/asprintf.o
mv -f .deps/asprintf.Tpo .deps/asprintf.Plo
/bin/bash ../libtool --tag=CC   --mode=compile gcc -DHAVE_CONFIG_H -I. -I.. 
-I../intl -I/export/home/drkirkby/sage-4.2.1/local/include  -g -O2 -MT memmem.lo 
-MD -MP -MF .deps/memmem.Tpo -c -o memmem.lo memmem.c
.libs/memmem.o: No such file or directory
memmem.lo: No such file or directory
memmem.loT: No such file or directory
libtool: compile:  gcc -DHAVE_CONFIG_H -I. -I.. -I../intl 
-I/export/home/drkirkby/sage-4.2.1/local/include -g -O2 -MT memmem.lo -MD -MP 
-MF .deps/memmem.Tpo -c memmem.c  -fPIC -DPIC -o .libs/memmem.o
mv -f .deps/memmem.Tpo .deps/memmem.Plo
/bin/bash ../libtool --tag=CC   --mode=compile gcc -DHAVE_CONFIG_H -I. -I.. 
-I../intl -I/export/home/drkirkby/sage-4.2.1/local/include  -g -O2 -MT 
printf-args.lo -MD -MP -MF .deps/printf-args.Tpo -c -o printf-args.lo printf-args.c
.libs/printf-args.o: No such file or directory
printf-args.lo: No such file or directory
printf-args.loT: No such file or directory
libtool: compile:  gcc -DHAVE_CONFIG_H -I. -I.. -I../intl 
-I/export/home/drkirkby/sage-4.2.1/local/include -g -O2 -MT printf-args.lo -MD 
-MP -MF .deps/printf-args.Tpo -c printf-args.c  -fPIC -DPIC -o .libs/printf-args.o
mv -f .deps/printf-args.Tpo .deps/printf-args.Plo
/bin/bash ../libtool --tag=CC   --mode=compile gcc -DHAVE_CONFIG_H -I. -I.. 
-I../intl -I/export/home/drkirkby/sage-4.2.1/local/include  -g -O2 -MT 
printf-parse.lo -MD -MP -MF .deps/printf-parse.Tpo -c -o printf-parse.lo 
printf-parse.c
.libs/printf-parse.o: No such file or directory
printf-parse.lo: No such file or directory
printf-parse.loT: No such file or directory
libtool: compile:  gcc -DHAVE_CONFIG_H -I. -I.. -I../intl 
-I/export/home/drkirkby/sage-4.2.1/local/include -g -O2 -MT printf-parse.lo -MD 
-MP -MF .deps/printf-parse.Tpo -c printf-parse.c  -fPIC -DPIC -o 
.libs/printf-parse.o
mv -f .deps/printf-parse.Tpo .deps/printf-parse.Plo
/bin/bash ../libtool --tag=CC   --mode=compile gcc -DHAVE_CONFIG_H -I. -I.. 
-I../intl -I/export/home/drkirkby/sage-4.2.1/local/include  -g -O2 -MT 
read-file.lo -MD -MP -MF .deps/read-file.Tpo -c -o read-file.lo read-file.c
.libs/read-file.o: No such file or directory
read-file.lo: No such file or directory
read-file.loT: No such file or directory
libtool: compile:  gcc -DHAVE_CONFIG_H -I. -I.. -I../intl 
-I/export/home/drkirkby/sage-4.2.1/local/include -g -O2 -MT read-file.lo -MD -MP 
-MF .deps/read-file.Tpo -c read-file.c  -fPIC -DPIC -o .libs/read-file.o
mv -f .deps/read-file.Tpo .deps/read-file.Plo
/bin/bash ../libtool --tag=CC   --mode=compile gcc -DHAVE_CONFIG_H -I. -I.. 
-I../intl -I/export/home/drkirkby/sage-4.2.1/local/include  -g -O2 -MT 
strverscmp.lo -MD -MP -MF .deps/strverscmp.Tpo -c -o strverscmp.lo strverscmp.c
.libs/strverscmp.o: No such file or directory
strverscmp.lo: No such file or directory
strverscmp.loT: No such file or directory
libtool: compile:  gcc -DHAVE_CONFIG_H -I. -I.. -I../intl 
-I/export/home/drkirkby/sage-4.2.1/local/include -g -O2 -MT strverscmp.lo -MD 
-MP -MF .deps/strverscmp.Tpo -c strverscmp.c  -fPIC -DPIC -o .libs/strverscmp.o
mv -f .deps/strverscmp.Tpo .deps/strverscmp.Plo
/bin/bash ../libtool --tag=CC   --mode=compile gcc -DHAVE_CONFIG_H -I. -I.. 
-I../intl -I/export/home/drkirkby/sage-4.2.1/local/include  -g -O2 -MT 
vasnprintf.lo -MD -MP -MF .deps/vasnprintf.Tpo -c -o vasnprintf.lo vasnprintf.c
.libs/vasnprintf.o: No such file or directory
vasnprintf.lo: No such file or directory
vasnprintf.loT: No such file or directory
libtool: compile:  gcc -DHAVE_CONFIG_H -I. -I.. -I../intl 
-I/export/home/drkirkby/sage-4.2.1/local/include -g -O2 -MT vasnprintf.lo -MD 
-MP -MF .deps/vasnprintf.Tpo -c vasnprintf.c  -fPIC -DPIC -o .libs/vasnprintf.o
mv -f .deps/vasnprintf.Tpo .deps/vasnprintf.Plo
/bin/bash ../libtool --tag=CC   --mode=compile gcc -DHAVE_CONFIG_H -I. -I.. 
-I../intl -I/export/home/drkirkby/sage-4.2.1/local/include  -g -O2 -MT 
vasprintf.lo -MD -MP -MF .deps/vasprintf.Tpo -c -o vasprintf.lo vasprintf.c
.libs/vasprintf.o: No such file or directory
vasprintf.lo: No such file or directory
vasprintf.loT: No such file or directory
libtool: compile:  gcc -DHAVE_CONFIG_H -I. -I.. -I../intl 
-I/export/home/drkirkby/sage-4.2.1/local/include -g -O2 -MT vasprintf.lo -MD -MP 
-MF .deps/vasprintf.Tpo -c vasprintf.c  -fPIC -DPIC -o .libs/vasprintf.o
mv -f .deps/vasprintf.Tpo .deps/vasprintf.Plo
/bin/bash ../libtool --tag=CC   --mode=link gcc  -g -O2   -o liblgnu.la 
c-ctype.lo close-hook.lo sockets.lo asnprintf.lo asprintf.lo memmem.lo 
printf-args.lo printf-parse.lo read-file.lo strverscmp.lo vasnprintf.lo 
vasprintf.lo
libtool: link: ar cru .libs/liblgnu.a .libs/c-ctype.o .libs/close-hook.o 
.libs/sockets.o .libs/asnprintf.o .libs/asprintf.o .libs/memmem.o 
.libs/printf-args.o .libs/printf-parse.o .libs/read-file.o .libs/strverscmp.o 
.libs/vasnprintf.o .libs/vasprintf.o
libtool: link: ranlib .libs/liblgnu.a
liblgnu.la: No such file or directory
libtool: link: ( cd ".libs" && rm "liblgnu.la" && ln -s "../liblgnu.la" 
"liblgnu.la" )
liblgnu.la: No such file or directory
make[8]: *** [liblgnu.la] Error 2
make[8]: Leaving directory 
`/export/home/drkirkby/sage-4.2.1/spkg/build/gnutls-2.8.5/src/lib/gl'
make[7]: *** [all-recursive] Error 1
make[7]: Leaving directory 
`/export/home/drkirkby/sage-4.2.1/spkg/build/gnutls-2.8.5/src/lib/gl'
make[6]: *** [all] Error 2
make[6]: Leaving directory 
`/export/home/drkirkby/sage-4.2.1/spkg/build/gnutls-2.8.5/src/lib/gl'
make[5]: *** [all-recursive] Error 1
make[5]: Leaving directory 
`/export/home/drkirkby/sage-4.2.1/spkg/build/gnutls-2.8.5/src/lib'
make[4]: *** [all] Error 2
make[4]: Leaving directory 
`/export/home/drkirkby/sage-4.2.1/spkg/build/gnutls-2.8.5/src/lib'
make[3]: *** [all-recursive] Error 1
make[3]: Leaving directory 
`/export/home/drkirkby/sage-4.2.1/spkg/build/gnutls-2.8.5/src'
make[2]: *** [all] Error 2
make[2]: Leaving directory 
`/export/home/drkirkby/sage-4.2.1/spkg/build/gnutls-2.8.5/src'
failed to build GNUTLS

real    2m0.076s
user    0m51.307s
sys     1m5.651s
sage: An error occurred while installing gnutls-2.8.5




From david.kirkby at onetel.net  Sun Nov 29 02:19:09 2009
From: david.kirkby at onetel.net (Dr. David Kirkby)
Date: Sun, 29 Nov 2009 01:19:09 +0000
Subject: gnutls-2.2.1 fails to build on HP-UX
In-Reply-To: <87iqcxfv2s.fsf@mocca.josefsson.org>
References: <4B0C8F07.6060205@onetel.net> <87iqcxfv2s.fsf@mocca.josefsson.org>
Message-ID: <4B11CC0D.7080400@onetel.net>

Simon Josefsson wrote:
> "Dr. David Kirkby" <david.kirkby at onetel.net> writes:
> 
>> In the Sage project, gnutls is causing a problem on both OpenSolaris
>> and HP-UX. The latter is not a supported OS, but I have tried building
>> parts of Sage on it.
>>
>> This is the HP-UX error.
>>
>> http://trac.sagemath.org/sage_trac/ticket/7511
>>
>> Any thoughts why this may be happening?
> 
> HP-UX doesn't have sockaddr_storage, but I believe gnulib should work
> around that problem -- however that is probably only in much more recent
> GnuTLS releases than the 2.2.1 that you used.
> 
>> We tried a later version, and that was causing problems not only on
>> HP-UX and OpenSolaris, but also on Solaris 10 (SPARC).
> 
> Details?  The recent releases should work relatively fine on Solaris,

See the other thread

"gnutls failure on Solaris 10 update 7 gcc 4.4.1"

(sorry, I should have put the version of gnutls in the title, but it is 
documented in the email)



Dave




From david.kirkby at onetel.net  Sun Nov 29 02:32:12 2009
From: david.kirkby at onetel.net (Dr. David Kirkby)
Date: Sun, 29 Nov 2009 01:32:12 +0000
Subject: gnutls-2.8.5 failure on OpenSolaris
Message-ID: <4B11CF1C.7060809@onetel.net>

I tried to build gnutls-2.8.5 on a Sun Ultra 27 running OpenSolaris 06/2009, 
with gcc 3.4.3 (the only one supplied with OpenSolaris). It fails, unless I add 
the 'nsl' library to to LDFLAGS.



bash-3.2$ uname -a
SunOS hawk 5.11 snv_111b i86pc i386 i86pc
bash-3.2$ cat /etc/release
                          OpenSolaris 2009.06 snv_111b X86
            Copyright 2009 Sun Microsystems, Inc.  All Rights Reserved.
                         Use is subject to license terms.
                               Assembled 07 May 2009
bash-3.2$ gcc -v
Reading specs from /usr/sfw/lib/gcc/i386-pc-solaris2.11/3.4.3/specs
Configured with: /builds2/sfwnv-111a/usr/src/cmd/gcc/gcc-3.4.3/configure 
--prefix=/usr/sfw --with-as=/usr/sfw/bin/gas --with-gnu-as 
--with-ld=/usr/ccs/bin/ld --without-gnu-ld --enable-languages=c,c++,f77,objc 
--enable-shared
Thread model: posix
gcc version 3.4.3 (csl-sol210-3_4-20050802)


./configure  --with-libgcrypt-prefix=/usr

libtool: link: gcc -std=gnu99 -g -O2 -o ex-crq ex-crq.o  ./.libs/libexamples.a 
../../lib/.libs/libgnutls.so -L/usr/lib ../../libextra/.libs/libgnutls-extra.so 
/export/home/drkirkby/gnutls-2.8.5/lib/.libs/libgnutls.so -ltasn1 -lz -lgcrypt 
../../gl/.libs/libgnu.a -lsocket -R/export/home/drkirkby/gnutls-2.8.5/lib/.libs 
-R/export/home/drkirkby/gnutls-2.8.5/libextra/.libs -R/usr/local/lib
ld: warning: file /export/home/drkirkby/gnutls-2.8.5/lib/.libs/libgnutls.so: 
linked to ../../lib/.libs/libgnutls.so: attempted multiple inclusion of file
gcc -std=gnu99 -DHAVE_CONFIG_H -I. -I../..  -I../../lib/includes 
-I../../lib/includes -I../../libextra/includes -I../../gl -I../../gl    -g -O2 
-MT ex-serv1.o -MD -MP -MF .deps/ex-serv1.Tpo -c -o ex-serv1.o ex-serv1.c
mv -f .deps/ex-serv1.Tpo .deps/ex-serv1.Po
/bin/sh ../../libtool --tag=CC   --mode=link gcc -std=gnu99   -g -O2 -no-install 
  -o ex-serv1 ex-serv1.o libexamples.la ../../lib/libgnutls.la 
../../libextra/libgnutls-extra.la ../../gl/libgnu.la -lsocket
libtool: link: gcc -std=gnu99 -g -O2 -o ex-serv1 ex-serv1.o 
./.libs/libexamples.a ../../lib/.libs/libgnutls.so -L/usr/lib 
../../libextra/.libs/libgnutls-extra.so 
/export/home/drkirkby/gnutls-2.8.5/lib/.libs/libgnutls.so -ltasn1 -lz -lgcrypt 
../../gl/.libs/libgnu.a -lsocket -R/export/home/drkirkby/gnutls-2.8.5/lib/.libs 
-R/export/home/drkirkby/gnutls-2.8.5/libextra/.libs -R/usr/local/lib
ld: warning: file /export/home/drkirkby/gnutls-2.8.5/lib/.libs/libgnutls.so: 
linked to ../../lib/.libs/libgnutls.so: attempted multiple inclusion of file
Undefined			first referenced
  symbol  			    in file
inet_ntop                           ex-serv1.o  (symbol belongs to implicit 
dependency /usr/lib/libnsl.so.1)
ld: fatal: symbol referencing errors. No output written to ex-serv1
collect2: ld returned 1 exit status
make[4]: *** [ex-serv1] Error 1
make[4]: Leaving directory `/export/home/drkirkby/gnutls-2.8.5/doc/examples'
make[3]: *** [all-recursive] Error 1
make[3]: Leaving directory `/export/home/drkirkby/gnutls-2.8.5/doc'
make[2]: *** [all] Error 2
make[2]: Leaving directory `/export/home/drkirkby/gnutls-2.8.5/doc'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/export/home/drkirkby/gnutls-2.8.5'
make: *** [all] Error 2

Configuring with:

./configure  --with-libgcrypt-prefix=/usr 'LDFLAGS=-lnsl'

allows it to build ok




From simon at josefsson.org  Sun Nov 29 14:49:48 2009
From: simon at josefsson.org (Simon Josefsson)
Date: Sun, 29 Nov 2009 14:49:48 +0100
Subject: gnutls-2.2.1 fails to build on HP-UX
In-Reply-To: <4B0C8F07.6060205@onetel.net> (David Kirkby's message of "Wed, 25
	Nov 2009 01:57:27 +0000")
References: <4B0C8F07.6060205@onetel.net>
Message-ID: <87d431zbib.fsf@mocca.josefsson.org>

"Dr. David Kirkby" <david.kirkby at onetel.net> writes:

> We tried a later version, and that was causing problems not only on
> HP-UX and OpenSolaris, but also on Solaris 10 (SPARC).

I have built the latest daily 2.9.10 snapshot on t2.math.washington.edu
now (Solaris 10?) and it worked fine except for another 'grep -q'-ism
which I have fixed.  Expect the next 2.9.10 release to build without any
errors on it.

/Simon




From simon at josefsson.org  Sun Nov 29 14:52:02 2009
From: simon at josefsson.org (Simon Josefsson)
Date: Sun, 29 Nov 2009 14:52:02 +0100
Subject: missing file
Message-ID: <878wdpzbel.fsf@mocca.josefsson.org>

Nikos, did you forget to commit some file?

cryptodev.c:29:30: error: crypto/cryptodev.h: No such file or directory

/Simon




From david.kirkby at onetel.net  Sun Nov 29 16:48:38 2009
From: david.kirkby at onetel.net (Dr. David Kirkby)
Date: Sun, 29 Nov 2009 15:48:38 +0000
Subject: gnutls-2.2.1 fails to build on HP-UX
In-Reply-To: <87d431zbib.fsf@mocca.josefsson.org>
References: <4B0C8F07.6060205@onetel.net> <87d431zbib.fsf@mocca.josefsson.org>
Message-ID: <4B1297D6.4050802@onetel.net>

Simon Josefsson wrote:
> "Dr. David Kirkby" <david.kirkby at onetel.net> writes:
> 
>> We tried a later version, and that was causing problems not only on
>> HP-UX and OpenSolaris, but also on Solaris 10 (SPARC).
> 
> I have built the latest daily 2.9.10 snapshot on t2.math.washington.edu
> now (Solaris 10?)

Yes, 't2' runs Solaris 10 update 8. (Solaris 10 came out in March 2005, and has 
been updated 8 times since). It's a machine based on Sun's SPARC processors. For 
what it is worth, there are 4 combinations of Solaris

  * Solaris 10 on SPARC processors (like t2)
  * Solaris 10 on x86 processors
  * OpenSolaris on SPARC processors (quite rare)
  * OpenSolaris on x86 processors.

Did you build the gnutls snapshot with gcc, or the Sun compilers in 
/opt/SUNWspro/bin ?

It would be good if gnutls would build with the Sun C (/opt/SUNWspro/bin/cc) and 
C++ (/opt/SUNWspro/bin/CC) compilers, as they generate faster code than gcc.

The Sun compilers also tend to be a bit more problematic to build with, as they 
are far more fussy about the code than the GNU compilers. They enforce the C 
standards much more rigidly, whereas gcc allows numerous extensions to the C 
language.

I've not tried to build gnutls with the Sun compilers yet myself. I might as 
well not bother until I get an up to date snapshot.

OpenSolaris is Sun more 'experimental' Solaris version. It has more up to date 
tools, but is less well tested than Solaris 10. I built gnutls 2.8.5 on 
OpenSolaris (the latest 06/2009 edition), using gcc, but needed to configure 
gnutls with:

./configure  --with-libgcrypt-prefix=/usr 'LDFLAGS=-lnsl'

otherwise, without setting LDFLAGS, 'inet_ntop' was an unresolved symbol.

William Stein could give you access to a OpenSolaris virtual machine. But if I 
can get a snapshot, I can test it quite easily.

I've already sent you the account details for the HP-UX machine.

> and it worked fine except for another 'grep -q'-ism
> which I have fixed.  

Good.

> Expect the next 2.9.10 release to build without any
> errors on it.
> 
> /Simon

That's good news. If you can test on the HP-UX machine, I would appreciate it. 
If you do not feel you are able to test for a few days, then let me know and I 
will power the machine off until you are able to. It uses quite a bit of power, 
so I do not wish to run it unless its being used.

Dave




From david.kirkby at onetel.net  Sun Nov 29 17:03:45 2009
From: david.kirkby at onetel.net (Dr. David Kirkby)
Date: Sun, 29 Nov 2009 16:03:45 +0000
Subject: gnutls-2.2.1 fails to build on HP-UX
In-Reply-To: <4B1297D6.4050802@onetel.net>
References: <4B0C8F07.6060205@onetel.net> <87d431zbib.fsf@mocca.josefsson.org>
	<4B1297D6.4050802@onetel.net>
Message-ID: <4B129B61.3040101@onetel.net>

Dr. David Kirkby wrote:
> Simon Josefsson wrote:
>> "Dr. David Kirkby" <david.kirkby at onetel.net> writes:
>>
>>> We tried a later version, and that was causing problems not only on
>>> HP-UX and OpenSolaris, but also on Solaris 10 (SPARC).
>>
>> I have built the latest daily 2.9.10 snapshot on t2.math.washington.edu
>> now (Solaris 10?)
> 
> Yes, 't2' runs Solaris 10 update 8. (Solaris 10 came out in March 2005, 
> and has been updated 8 times since). It's a machine based on Sun's SPARC 
> processors. For what it is worth, there are 4 combinations of Solaris
> 
>  * Solaris 10 on SPARC processors (like t2)
>  * Solaris 10 on x86 processors
>  * OpenSolaris on SPARC processors (quite rare)
>  * OpenSolaris on x86 processors.

I mean they are all current - there are of course older releases.




From nmav at gnutls.org  Sun Nov 29 23:29:45 2009
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Mon, 30 Nov 2009 00:29:45 +0200
Subject: missing file
In-Reply-To: <878wdpzbel.fsf@mocca.josefsson.org>
References: <878wdpzbel.fsf@mocca.josefsson.org>
Message-ID: <4B12F5D9.3060603@gnutls.org>

Simon Josefsson wrote:
> Nikos, did you forget to commit some file?
> 
> cryptodev.c:29:30: error: crypto/cryptodev.h: No such file or directory

It was including this file unconditionally. Now it should be ok (only
included if --enable-cryptodev is specified). If you have a cpu with
crypto accelerator that is supported by linux (via and some amd geode
cpus have), and you use cryptodev you should get quite a difference. For
some reason I get big difference by using the kernel aes implementation.

nmav at crystal:~/cvs/gnutls/src$ ./benchmark
Checking AES (8kb payload)... Transferred 58720 kb in 1.40 secs:
41883.21 kbyte/sec
Checking AES (16kb payload)... Transferred 117440 kb in 2.71 secs:
43384.01 kbyte/sec
Checking AES (32kb payload)... Transferred 234881 kb in 5.37 secs:
43780.25 kbyte/sec

[after cryptodev module loaded]
nmav at crystal:~/cvs/gnutls/src$ ./benchmark
Checking AES (8kb payload)... Transferred 58720 kb in 0.49 secs:
120328.39 kbyte/sec
Checking AES (16kb payload)... Transferred 117440 kb in 0.82 secs:
142871.67 kbyte/sec
Checking AES (32kb payload)... Transferred 234881 kb in 1.64 secs:
143045.69 kbyte/sec



PS. I cannot seem to get how configure.ac works now. I have added a
cryptodev test in configure.ac (global), but the ENABLE_CRYPTODEV
definition is only in root config.h and lib/config.h does not have it
(gnutls_int.h doesn't include the root one). How can I add a check like
that?




From simon at josefsson.org  Mon Nov 30 16:16:20 2009
From: simon at josefsson.org (Simon Josefsson)
Date: Mon, 30 Nov 2009 16:16:20 +0100
Subject: missing file
In-Reply-To: <4B12F5D9.3060603@gnutls.org> (Nikos Mavrogiannopoulos's message
	of "Mon, 30 Nov 2009 00:29:45 +0200")
References: <878wdpzbel.fsf@mocca.josefsson.org> <4B12F5D9.3060603@gnutls.org>
Message-ID: <87pr70t54r.fsf@mocca.josefsson.org>

Nikos Mavrogiannopoulos <nmav at gnutls.org> writes:

> Simon Josefsson wrote:
>> Nikos, did you forget to commit some file?
>> 
>> cryptodev.c:29:30: error: crypto/cryptodev.h: No such file or directory
>
> It was including this file unconditionally. Now it should be ok (only
> included if --enable-cryptodev is specified). If you have a cpu with
> crypto accelerator that is supported by linux (via and some amd geode
> cpus have), and you use cryptodev you should get quite a difference. For
> some reason I get big difference by using the kernel aes implementation.
>
> nmav at crystal:~/cvs/gnutls/src$ ./benchmark
> Checking AES (8kb payload)... Transferred 58720 kb in 1.40 secs:
> 41883.21 kbyte/sec
> Checking AES (16kb payload)... Transferred 117440 kb in 2.71 secs:
> 43384.01 kbyte/sec
> Checking AES (32kb payload)... Transferred 234881 kb in 5.37 secs:
> 43780.25 kbyte/sec
>
> [after cryptodev module loaded]
> nmav at crystal:~/cvs/gnutls/src$ ./benchmark
> Checking AES (8kb payload)... Transferred 58720 kb in 0.49 secs:
> 120328.39 kbyte/sec
> Checking AES (16kb payload)... Transferred 117440 kb in 0.82 secs:
> 142871.67 kbyte/sec
> Checking AES (32kb payload)... Transferred 234881 kb in 1.64 secs:
> 143045.69 kbyte/sec

Nice!

> PS. I cannot seem to get how configure.ac works now. I have added a
> cryptodev test in configure.ac (global), but the ENABLE_CRYPTODEV
> definition is only in root config.h and lib/config.h does not have it
> (gnutls_int.h doesn't include the root one). How can I add a check like
> that?

There is a lib/configure.ac too.  Put all configure checks that are
specific to lib/ stuff into that configure.ac.  If there are things that
are common between lib/ and libextra/, put those checks into
lib/m4/hooks.m4.

/Simon