From simon at josefsson.org Fri Jul 1 19:44:17 2011
From: simon at josefsson.org (Simon Josefsson)
Date: Fri, 01 Jul 2011 19:44:17 +0200
Subject: Problem compiling gnutls 2.12.7 on Solaris 9
In-Reply-To: (Dagobert Michelsen's message of "Wed, 29 Jun 2011 16:10:55 +0200")
References:
Message-ID: <87liwh521a.fsf@latte.josefsson.org>

Dagobert Michelsen writes:

> Hi,
>
> I am trying to compile gnutls 2.12.7 with libnettle 2.1 on Solaris 9 Sparc with
> Sun Studio 12 and get the following error:

I believe this is a Nettle bug -- it was reported on the nettle list
recently.

/Simon

From ametzler at downhill.at.eu.org Sat Jul 2 12:27:34 2011
From: ametzler at downhill.at.eu.org (Andreas Metzler)
Date: Sat, 2 Jul 2011 12:27:34 +0200
Subject: new testsuite errors with gcrypt 1.5 and gnutls 2.17.1
Message-ID: <20110702102734.GA2013@downhill.g.la>

Hello,

upgrading libgcrypt from 1.4.6 to 1.5.0 causes 5 new test suite errors
in gnutls 2.17.1:

-------------------------
PASS: pgps2kgnu
client: Handshake failed
server: Handshake has failed (The request is invalid.)
GnuTLS error: A TLS packet with unexpected length was received.
Self test `./x509self' finished with 1 errors
Self test `./x509self' finished with 1 errors
FAIL: x509self
client: Handshake failed
server: Handshake has failed (The request is invalid.)
GnuTLS error: A TLS packet with unexpected length was received.
Self test `./x509dn' finished with 1 errors
server: client failed with exit status 1
Self test `./x509dn' finished with 2 errors
FAIL: x509dn
Self test `./anonself' finished with 0 errors
[...]
PASS: setcredcrash
client: Handshake 0 failed
server: Handshake 0 has failed (The request is invalid.)
GnuTLS error: A TLS packet with unexpected length was received.
Self test `./openpgpself' finished with 1 errors
Self test `./openpgpself' finished with 1 errors
FAIL: openpgpself
PASS: rfc2253-escape-test
-------------------------

cu andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'

From ametzler at downhill.at.eu.org Sat Jul 2 13:22:11 2011
From: ametzler at downhill.at.eu.org (Andreas Metzler)
Date: Sat, 2 Jul 2011 13:22:11 +0200
Subject: new testsuite errors with gcrypt 1.5 and gnutls 2.17.1
In-Reply-To: <20110702102734.GA2013@downhill.g.la>
References: <20110702102734.GA2013@downhill.g.la>
Message-ID: <20110702112211.GB2013@downhill.g.la>

On 2011-07-02 Andreas Metzler wrote:
> upgrading libgcrypt from 1.4.6 to 1.5.0 causes 5 new test suite errors
> in gnutls 2.17.1:
[...]

This is new breakage, building against 1.5.0beta1 works.

cu andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'

From wk at gnupg.org Sat Jul 2 14:23:05 2011
From: wk at gnupg.org (Werner Koch)
Date: Sat, 02 Jul 2011 14:23:05 +0200
Subject: new testsuite errors with gcrypt 1.5 and gnutls 2.17.1
In-Reply-To: <20110702112211.GB2013@downhill.g.la> (Andreas Metzler's message of "Sat, 2 Jul 2011 13:22:11 +0200")
References: <20110702102734.GA2013@downhill.g.la> <20110702112211.GB2013@downhill.g.la>
Message-ID: <87y60geus6.fsf@vigenere.g10code.de>

On Sat, 2 Jul 2011 13:22, ametzler at downhill.at.eu.org said:

> This is new breakage, building against 1.5.0beta1 works.

You should check two things: Leading zeroes fixups for pkcs#1 and
whether there is the pkcs1 flag set in the S-expression used with verify
or decrypt.

Salam-Shalom,

   Werner

-- 
Thoughts are free. Exceptions are regulated by a federal law.

From ametzler at downhill.at.eu.org Sat Jul 2 18:19:57 2011
From: ametzler at downhill.at.eu.org (Andreas Metzler)
Date: Sat, 2 Jul 2011 18:19:57 +0200
Subject: new testsuite errors with gcrypt 1.5 and gnutls 2.17.1
In-Reply-To: <20110702112211.GB2013@downhill.g.la>
References: <20110702102734.GA2013@downhill.g.la> <20110702112211.GB2013@downhill.g.la>
Message-ID: <20110702161957.GD2013@downhill.g.la>

On 2011-07-02 Andreas Metzler wrote:
> On 2011-07-02 Andreas Metzler wrote:
>> upgrading libgcrypt from 1.4.6 to 1.5.0 causes 5 new test suite errors
>> in gnutls 2.17.1:
> [...]
> This is new breakage, building against 1.5.0beta1 works.

2.10.5 also breaks (x509sign-verify x509dn x509self and openpgpself
tests)

cu andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'

From ametzler at downhill.at.eu.org Sun Jul 3 09:28:00 2011
From: ametzler at downhill.at.eu.org (Andreas Metzler)
Date: Sun, 3 Jul 2011 09:28:00 +0200
Subject: new testsuite errors with gcrypt 1.5 and gnutls 2.17.1
In-Reply-To: <87y60geus6.fsf@vigenere.g10code.de>
References: <20110702102734.GA2013@downhill.g.la> <20110702112211.GB2013@downhill.g.la> <87y60geus6.fsf@vigenere.g10code.de>
Message-ID: <20110703072800.GA2005@downhill.g.la>

On 2011-07-02 Werner Koch wrote:
> On Sat, 2 Jul 2011 13:22, ametzler at downhill.at.eu.org said:
> > This is new breakage, building against 1.5.0beta1 works.

> You should check two things: Leading zeroes fixups for pkcs#1 and
> whether there is the pkcs1 flag set in the S-expression used with verify
> or decrypt.

Good guess. According to git bisect gcrypt commit
caf4480811fffdf3b8677864e8d663a68f210e5c causes the issue.

cu andreas

From wk at gnupg.org Mon Jul 4 09:18:06 2011
From: wk at gnupg.org (Werner Koch)
Date: Mon, 04 Jul 2011 09:18:06 +0200
Subject: new testsuite errors with gcrypt 1.5 and gnutls 2.17.1
In-Reply-To: <20110703072800.GA2005@downhill.g.la> (Andreas Metzler's message of "Sun, 3 Jul 2011 09:28:00 +0200")
References: <20110702102734.GA2013@downhill.g.la> <20110702112211.GB2013@downhill.g.la> <87y60geus6.fsf@vigenere.g10code.de> <20110703072800.GA2005@downhill.g.la>
Message-ID: <874o32ecpd.fsf@vigenere.g10code.de>

Hi!

I see this in gnutls/lib/pk-libgcrypt.c:_wrap_gcry_pk_decrypt

  bigint_t res;
  res = gcry_sexp_nth_mpi (s_plain, 0, 0);
  gcry_sexp_release (s_plain);

This is wrong and worked only because of a bug in Libgcrypt < 1.5.0.

 -- Function: gcry_mpi_t gcry_sexp_nth_mpi (gcry_sexp_t LIST, int NUMBER, int MPIFMT)
     This function is used to get and convert data from a LIST.  This
     data is assumed to be an MPI stored in the format described by
     MPIFMT and returned as a standard Libgcrypt MPI.  The caller must
     release this returned value using `gcry_mpi_release'.  If there is
     no data at the given index, the index represents a list or the
     value can't be converted to an MPI, `NULL' is returned.

     [added in 1.5:] If you use this function to parse results of a
     public key function, you most likely want to use
     `GCRYMPI_FMT_USG'.]

If 0 is passed for MPIFMT a default is used, which is and has always
been GCRYMPI_FMT_STD.  This introduces a leading zero byte so that the
integer does not start with the MSB set.

Note that some other code uses gcry_sexp_nth_data and is thus not
affected by this bug fix.

It is the same bug I introduced in GnuPG, thus it is not a surprise that
you find it also in gnutls.  I did a web search to check the use of this
function and found that most projects correctly specified the format
they want.  I am sorry that I missed to push an update for GnuPG and
didn't notify the gnutls hackers.

Salam-Shalom,

   Werner

-- 
Thoughts are free. Exceptions are regulated by a federal law.
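
Added illustration (not part of the thread, and not libgcrypt or GnuTLS code): a small C model of the two external MPI formats named in the message above. It shows the extra 0x00 byte that the two's-complement GCRYMPI_FMT_STD encoding puts in front of a value whose top bit is set, and what a reader gets when it assumes a different format than the writer used. All `model_*` names and both sample values are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of the two external MPI formats discussed above. Not libgcrypt code:
   every model_* name and both sample values are constructed for this example. */
enum model_fmt { MODEL_USG, MODEL_STD };

/* Constructed stand-ins for a public-key result, big-endian. */
const uint8_t SAMPLE_HIGH[4] = { 0x9c, 0x41, 0x07, 0xe2 }; /* top bit set   */
const uint8_t SAMPLE_LOW[4]  = { 0x02, 0x5a, 0x11, 0x00 }; /* top bit clear */

/* Skip leading zero bytes of a big-endian magnitude. */
static const uint8_t *skip_zeros(const uint8_t *p, size_t *len)
{
    while (*len > 0 && *p == 0x00) { p++; (*len)--; }
    return p;
}

/* Encode a non-negative magnitude. USG writes the bytes as they are. STD is
   two's complement, so a value whose first byte has the top bit set gets a
   0x00 prefix to keep it from reading as negative. Returns bytes written. */
size_t model_encode(enum model_fmt fmt, const uint8_t *mag, size_t len,
                    uint8_t *out)
{
    size_t n = 0;
    mag = skip_zeros(mag, &len);
    if (fmt == MODEL_STD && len > 0 && (mag[0] & 0x80))
        out[n++] = 0x00;
    memcpy(out + n, mag, len);
    return n + len;
}

/* Decode into a magnitude. Returns 0 on success, -1 if the input is empty or,
   under STD, carries a set sign bit (a negative number, which a caller that
   expects an RSA value cannot use). */
int model_decode(enum model_fmt fmt, const uint8_t *buf, size_t len,
                 uint8_t *mag, size_t *maglen)
{
    if (len == 0) return -1;
    if (fmt == MODEL_STD && (buf[0] & 0x80)) return -1;
    buf = skip_zeros(buf, &len);
    memcpy(mag, buf, len);
    *maglen = len;
    return 0;
}

/* Length of the encoding, to show the one-byte growth under STD. */
size_t model_encoded_len(enum model_fmt fmt, const uint8_t *mag, size_t len)
{
    uint8_t wire[64];
    return len < sizeof wire ? model_encode(fmt, mag, len, wire) : 0;
}

/* 1 if a value written in format w is recovered intact by a reader using r. */
int model_roundtrip(enum model_fmt w, enum model_fmt r,
                    const uint8_t *mag, size_t len)
{
    uint8_t wire[64], back[64];
    size_t wlen, blen = 0;
    if (len >= sizeof wire) return 0;
    wlen = model_encode(w, mag, len, wire);
    if (model_decode(r, wire, wlen, back, &blen) != 0) return 0;
    mag = skip_zeros(mag, &len);
    return blen == len && memcmp(back, mag, len) == 0;
}

int main(void)
{
    static const char *name[] = { "USG", "STD" };
    const uint8_t *samples[] = { SAMPLE_HIGH, SAMPLE_LOW };
    /* Print every writer/reader combination for both samples. */
    for (int s = 0; s < 2; s++)
        for (int w = 0; w < 2; w++)
            for (int r = 0; r < 2; r++)
                printf("sample %d: write %s (%zu bytes), read %s -> %s\n", s,
                       name[w],
                       model_encoded_len((enum model_fmt)w, samples[s], 4),
                       name[r],
                       model_roundtrip((enum model_fmt)w, (enum model_fmt)r,
                                       samples[s], 4) ? "ok" : "rejected");
    return 0;
}
```

In this model a format mismatch is invisible for the sample whose top bit is clear and only shows up for the one whose top bit is set, so a caller that leaves the format at its default can pass tests on some inputs and fail on others.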
From ametzler at downhill.at.eu.org Mon Jul 4 19:51:46 2011 
From: ametzler at downhill.at.eu.org (Andreas Metzler)
Date: Mon, 4 Jul 2011 19:51:46 +0200
Subject: new testsuite errors with gcrypt 1.5 and gnutls 2.17.1
In-Reply-To: <874o32ecpd.fsf@vigenere.g10code.de>
References: <20110702102734.GA2013@downhill.g.la> <20110702112211.GB2013@downhill.g.la> <87y60geus6.fsf@vigenere.g10code.de> <20110703072800.GA2005@downhill.g.la> <874o32ecpd.fsf@vigenere.g10code.de>
Message-ID: <20110704175146.GA3116@downhill.g.la>

On 2011-07-04 Werner Koch wrote:
> I see this in gnutls/lib/pk-libgcrypt.c:_wrap_gcry_pk_decrypt

>   bigint_t res;
>   res = gcry_sexp_nth_mpi (s_plain, 0, 0);
>   gcry_sexp_release (s_plain);

> This is wrong and worked only because of a bug in Libgcrypt < 1.5.0.
[...]
>      If you use this function to parse results of a public key function,
>      you most likely want to use `GCRYMPI_FMT_USG'.]

> If 0 is passed for MPIFMT a default is used, which is and has always
> been GCRYMPI_FMT_STD.  This introduces a leading zero byte so that the
> integer does not start with the MSB set.

> Note that some other code uses gcry_sexp_nth_data and is thus not
> affected by this bug fix.

Hello,
thanks. For 2.12.7 [1] and 2.10.5 [2] this fixes one test failure
(x509self for 2.12 and x509dn for 2.10) while the other errors remain.
Sorry I am not more helpful than that, I am not a programmer.

> It is the same bug I introduced in GnuPG, thus it is not a surprise that
> you find it also in gnutls.  I did a web search to check the use of this
> function and found that most projects correctly specified the format
> they want.
[...]

If you were wondering what projects were using gcry_sexp_nth_mpi, here
is the list of packages build-depending on libgcrypt11-dev and using
the function:
gnome-keyring-3.0.3
libotr-3.2.0
openvas-libnasl-2.0.2
gnunet-0.8.1b
libspectrum-1.0.0
libgwenhywfar-4.1.0
gnupg2-2.0.17
forked-daapd-0.17
teleport-0.34
libdisplaymigration-0.28
and gnutls.
cu andreas [1] --------------- --- gnutls26-2.12.7.orig/lib/gcrypt/pk.c +++ gnutls26-2.12.7/lib/gcrypt/pk.c @@ -202,7 +202,7 @@ _wrap_gcry_pk_decrypt (gnutls_pk_algorit goto cleanup; } - res = gcry_sexp_nth_mpi (s_plain, 0, 0); + res = gcry_sexp_nth_mpi (s_plain, 0, GCRYMPI_FMT_USG); if (res == NULL) { gnutls_assert (); --------------- [2] --------------- --- gnutls26-2.10.5.orig/lib/pk-libgcrypt.c +++ gnutls26-2.10.5/lib/pk-libgcrypt.c @@ -202,7 +202,7 @@ _wrap_gcry_pk_decrypt (gnutls_pk_algorit goto cleanup; } - res = gcry_sexp_nth_mpi (s_plain, 0, 0); + res = gcry_sexp_nth_mpi (s_plain, 0, GCRYMPI_FMT_USG); if (res == NULL) { gnutls_assert (); --------------- From stefw at collabora.co.uk Thu Jul 7 19:32:38 2011 
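Review bot: both hunks correct only the gcry_sexp_nth_mpi call in _wrap_gcry_pk_decrypt, and the accompanying message reports that the other test failures remain with them applied, so the change is incomplete as posted. Every other call in lib/gcrypt/pk.c (2.12.7) and lib/pk-libgcrypt.c (2.10.5) that passes 0 as MPIFMT when parsing a public-key result should get the same explicit GCRYMPI_FMT_USG. A one-line comment at the changed call stating that 0 selects GCRYMPI_FMT_STD would keep the literal 0 from being reintroduced later.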
From: stefw at collabora.co.uk (Stef Walter)
Date: Thu, 07 Jul 2011 19:32:38 +0200
Subject: [PATCH] Callback for PIN prompting per PKCS#11 URI
Message-ID: <4E15EDB6.8010103@collabora.co.uk>

Hi guys,

Currently in gnutls only one global callback for PIN prompting can be
registered. This causes problems with multiple libraries in the same
process using gnutls.

Attached is a patch which uses p11-kit to solve this problem in a
generic and flexible way [1]. p11-kit (0.2 and later) now allows
registering of various callbacks for different PKCS#11 URIs. It uses the
'pinfile' attribute of the URI to do this.

The PKCS#11 URI specification talks about applications specific values
'pinfile' URI. These new p11-kit APIs do exactly that.

Usage example: I'm using this to implement support for smart cards in
GLib's new TLS code.

 * GLib registers a callback with p11-kit for the 'pinfile' value:
   gtls-database
 * It includes pinfile=gtls-database in the various PKCS#11 URIs it
   passes to gnutls.
 * gnutls sees that there's a 'pinfile' attribute, and asks p11-kit to
   request the PIN, which it does by calling the callback registered.

Incidentally, I think the name of 'pinfile' in the PKCS#11 URI spec
should be changed to 'pin' but that's a separate issue.

This patch is also available as a branch:

http://cgit.collabora.com/git/user/stefw/gnutls.git/log/?h=pinfile

Let me know if something looks amiss. This patch makes no ABI changes to
gnutls.

Cheers,

Stef

[1] http://p11-glue.freedesktop.org/doc/p11-kit/p11-kit-PIN-Callbacks.html
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-pkcs11-Use-p11_kit_pin_xxx-functionality-when-pinfil.patch
Type: text/x-patch
Size: 17410 bytes
Desc: not available
URL:

From INVALID.NOREPLY at gnu.org Sat Jul 9 16:00:23 2011
From: INVALID.NOREPLY at gnu.org (Andreas Metzler)
Date: Sat, 09 Jul 2011 14:00:23 +0000
Subject: [sr #107739] GnuTLS 2.10.5 endless loop of mini test on armel
Message-ID: <20110709-160022.sv20807.97043@savannah.gnu.org>

URL:

Summary: GnuTLS 2.10.5 endless loop of mini test on armel
Project: GnuTLS
Submitted by: ametzler
Submitted on: Sa 09 Jul 2011 16:00:22 CEST
Category: Core library
Priority: 5 - Normal
Severity: 3 - Normal
Status: None
Privacy: Public
Assigned to: None
Originator Email:
Open/Closed: Open
Discussion Lock: Any
Operating System: GNU/Linux

_______________________________________________________

Details:

The mini test nowadays loops endlessly on ARMEL. Log attached.

_______________________________________________________

Reply to this item at:

_______________________________________________
Message sent via/by Savannah
http://savannah.gnu.org/

From INVALID.NOREPLY at gnu.org Sat Jul 9 16:02:20 2011
From: INVALID.NOREPLY at gnu.org (Andreas Metzler)
Date: Sat, 09 Jul 2011 14:02:20 +0000
Subject: [sr #107739] GnuTLS 2.10.5 endless loop of mini test on armel
In-Reply-To: <20110709-160022.sv20807.97043@savannah.gnu.org>
References: <20110709-160022.sv20807.97043@savannah.gnu.org>
Message-ID: <20110709-160220.sv20807.53455@savannah.gnu.org>

Additional Item Attachment, sr #107739 (project gnutls):

File name: mini.log.gz
Size: 11 KB

_______________________________________________________

Reply to this item at:

_______________________________________________
Message sent via/by Savannah
http://savannah.gnu.org/

From simon at josefsson.org Sun Jul 10 19:41:20 2011
From: simon at josefsson.org (Simon Josefsson)
Date: Sun, 10 Jul 2011 19:41:20 +0200
Subject: gnutls i18n / l10N
In-Reply-To: (Chris Leonard's message of "Thu, 23 Jun 2011 03:08:36 -0400")
References:
Message-ID: <874o2uc9tr.fsf@latte.josefsson.org>

Chris Leonard writes:

> There seems to have been a breakdown in updating the POT files
> available for localization (L10n).

Yes, this used to work automatically. I'll send a request to translation
team to update its POT file.

The 2.7.7 NEWS entry is correct: the gnutls domain should be dropped,
and all i18n stuff now happens in the 'libgnutls' domain.

/Simon

> This page:
> http://translationproject.org/domain/gnutls.html
> Shows that the latest available version of the POT is:
> gnutls-2.5.7.pot
>
> This page:
> http://translationproject.org/domain/libgnutls.html
> Shows that the latest available version of the POT is:
> libgnutls-2.8.5.pot
>
>
> There is no reference for where L10n is supposed to happen on the main page:
> http://www.gnu.org/software/gnutls/
>
>
> From the NEWS file, there is mention of new i18n/L10n since 2.5.7, but
> it is not clear where this is happening.
>
> http://git.savannah.gnu.org/cgit/gnutls.git/tree/NEWS?h=gnutls_2_12_x
>
> * Version 2.7.7 (released 2009-04-20)
> ** i18n: The GnuTLS gettext domain is now 'libgnutls' instead of 'gnutls'.
> It is currently only used by the core library. This will enable a new
> domain 'gnutls' for translations of the command line tools.
>
> * Version 2.8.6 (released 2010-03-15)
> ** i18n: Updated Czech, Dutch, French, Polish, Swedish and Vietnamese
> ** translations. Added Simplified Chinese translation.
>
> * Version 2.9.8 (released 2009-11-05)
> ** i18n: Vietnamese translation updated.
> Thanks to Clytie Siddall.
>
> * Version 2.11.4 (released 2010-10-15)
> ** i18n: Update translations.
>
> Please update the Translation Project . If the Translation Project is
> no longer in use, please mark it as deprecated and provide links for
> where L10n gets done.
>
> Thank you for your attention to this matter.
>
> cjl
> volunteer Sugar Labs / OLPC / eToys Pootle admin

From INVALID.NOREPLY at gnu.org Wed Jul 13 19:05:00 2011
From: INVALID.NOREPLY at gnu.org (Andreas Metzler)
Date: Wed, 13 Jul 2011 17:05:00 +0000
Subject: [sr #107739] GnuTLS 2.10.5 endless loop of mini test on armel
In-Reply-To: <20110709-160220.sv20807.53455@savannah.gnu.org>
References: <20110709-160022.sv20807.97043@savannah.gnu.org> <20110709-160220.sv20807.53455@savannah.gnu.org>
Message-ID: <20110713-190459.sv20807.47995@savannah.gnu.org>

Follow-up Comment #1, sr #107739 (project gnutls):

See also http://bugs.debian.org/633458

_______________________________________________________

Reply to this item at:

_______________________________________________
Message sent via/by Savannah
http://savannah.gnu.org/

From vincent.torri at gmail.com Thu Jul 21 11:00:56 2011
From: vincent.torri at gmail.com (Vincent Torri)
Date: Thu, 21 Jul 2011 11:00:56 +0200
Subject: remark about autotools
Message-ID:

Hey,

there are 3 runs of configure in gnutls : the main one, and in lib and
libextra. On unix, it might not be a real problem, but on Windows, with
MSYS, gnutls takes an immense amount of time to be configured. Would it
be possible that, in gnutls 3, gnutls has only one run of configure ?

thanks

Vincent Torri
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From nmav at gnutls.org Thu Jul 21 13:02:31 2011
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Thu, 21 Jul 2011 14:02:31 +0300
Subject: remark about autotools
In-Reply-To:
References:
Message-ID:

On Thu, Jul 21, 2011 at 12:00 PM, Vincent Torri wrote:
> Hey,
> there are 3 runs of configure in gnutls : the main one, and in lib and
> libextra. On unix, it might not be a real problem, but on Windows, with MSYS,
> gnutls takes an immense amount of time to be configured. Would it be
> possible that, in gnutls 3, gnutls has only one run of configure ?

This will be the case in 3.0.0.

regards,
Nikos

From INVALID.NOREPLY at gnu.org Sat Jul 23 16:32:22 2011
From: INVALID.NOREPLY at gnu.org (Nikos Mavrogiannopoulos)
Date: Sat, 23 Jul 2011 14:32:22 +0000
Subject: [sr #107729] certtool --generate-request crashes when generating key on-the-fly
In-Reply-To: <20110629-200900.sv60014.65985@savannah.gnu.org>
References: <20110629-193617.sv60014.19095@savannah.gnu.org> <20110629-200900.sv60014.65985@savannah.gnu.org>
Message-ID: <20110723-173222.sv707.36308@savannah.gnu.org>

Update of sr #107729 (project gnutls):

Status: None => Done
Assigned to: None => nmav

_______________________________________________________

Follow-up Comment #2:

Thank you for reporting that. I've committed a fix at:
http://git.savannah.gnu.org/gitweb/?p=gnutls.git;a=commitdiff;h=45058379c1e8daf32fa62f27f72646c1a00e04d8

_______________________________________________________

Reply to this item at:

_______________________________________________
Message sent via/by Savannah
http://savannah.gnu.org/

From INVALID.NOREPLY at gnu.org Sat Jul 23 16:32:59 2011
From: INVALID.NOREPLY at gnu.org (Nikos Mavrogiannopoulos)
Date: Sat, 23 Jul 2011 14:32:59 +0000
Subject: [sr #107730] certtool --generate-certificate segfaults
In-Reply-To: <20110629-210000.sv60014.56857@savannah.gnu.org>
References: <20110629-204453.sv60014.33313@savannah.gnu.org> <20110629-210000.sv60014.56857@savannah.gnu.org>
Message-ID: <20110723-173259.sv707.97032@savannah.gnu.org>

Update of sr #107730 (project gnutls):

Status: None => Done
Assigned to: None => nmav

_______________________________________________________

Follow-up Comment #2:

Fix applied. Thank you.
http://git.savannah.gnu.org/gitweb/?p=gnutls.git;a=commitdiff;h=e67bdb571e806165d9611c507de6473ecc410525

_______________________________________________________

Reply to this item at:

_______________________________________________
Message sent via/by Savannah
http://savannah.gnu.org/

From INVALID.NOREPLY at gnu.org Sat Jul 23 16:33:08 2011
From: INVALID.NOREPLY at gnu.org (Nikos Mavrogiannopoulos)
Date: Sat, 23 Jul 2011 14:33:08 +0000
Subject: [sr #107730] certtool --generate-certificate segfaults
In-Reply-To: <20110723-173259.sv707.97032@savannah.gnu.org>
References: <20110629-204453.sv60014.33313@savannah.gnu.org> <20110629-210000.sv60014.56857@savannah.gnu.org> <20110723-173259.sv707.97032@savannah.gnu.org>
Message-ID: <20110723-173308.sv707.48680@savannah.gnu.org>

Update of sr #107730 (project gnutls):

Open/Closed: Open => Closed

_______________________________________________________

Reply to this item at:

_______________________________________________
Message sent via/by Savannah
http://savannah.gnu.org/

From INVALID.NOREPLY at gnu.org Sat Jul 23 16:33:14 2011
From: INVALID.NOREPLY at gnu.org (Nikos Mavrogiannopoulos)
Date: Sat, 23 Jul 2011 14:33:14 +0000
Subject: [sr #107729] certtool --generate-request crashes when generating key on-the-fly
In-Reply-To: <20110723-173222.sv707.36308@savannah.gnu.org>
References: <20110629-193617.sv60014.19095@savannah.gnu.org> <20110629-200900.sv60014.65985@savannah.gnu.org> <20110723-173222.sv707.36308@savannah.gnu.org>
Message-ID: <20110723-173314.sv707.85475@savannah.gnu.org>

Update of sr #107729 (project gnutls):

Open/Closed: Open => Closed

_______________________________________________________

Reply to this item at:

_______________________________________________
Message sent via/by Savannah
http://savannah.gnu.org/

From nmav at gnutls.org Sat Jul 23 17:13:00 2011
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Sat, 23 Jul 2011 17:13:00 +0200
Subject: gnutls 2.99.4
Message-ID: <4E2AE4FC.5060808@gnutls.org>

Hello,
I've just released gnutls 2.99.4. This is to be considered the final
prerelease of 3.0.0.

The GnuTLS 2.99.x branch is NOT what you want for your stable system.
It is intended for developers and experienced users.

The changes since the last development release are:

* Version 2.99.4 (released 2011-07-23)

** doc: documentation updates.

** libgnutls: gnutls_rsa_params_t is now identical to
gnutls_x509_privkey_t to avoid thread-safety issues. Reported by
Sam Varshavchik.

** libgnutls: Added compatibility mode with /etc/gnutls/pkcs11.conf

** libgnutls: license upgraded to LGPLv3

** libgnutls: gnutls_srp_verifier() returns data allocated with
gnutls_malloc() for consistency.

** API and ABI modifications:
No changes since last version.

Here are the compressed sources:
ftp://alpha.gnu.org/gnu/gnutls/gnutls-2.99.4.tar.xz
ftp://ftp.gnutls.org/pub/gnutls/devel/gnutls-2.99.4.tar.xz

Here is the OpenPGP signature:
ftp://alpha.gnu.org/gnu/gnutls/gnutls-2.99.4.tar.xz.sig
ftp://ftp.gnutls.org/pub/gnutls/devel/gnutls-2.99.4.tar.xz.sig

regards,
Nikos

From ametzler at downhill.at.eu.org Sun Jul 24 16:36:02 2011
From: ametzler at downhill.at.eu.org (Andreas Metzler) Date: Sun, 24 Jul 2011 16:36:02 +0200 Subject: new testsuite errors with gcrypt 1.5 and gnutls 2.17.1 In-Reply-To: <20110704175146.GA3116@downhill.g.la> References: <20110702102734.GA2013@downhill.g.la> <20110702112211.GB2013@downhill.g.la> <87y60geus6.fsf@vigenere.g10code.de> <20110703072800.GA2005@downhill.g.la> <874o32ecpd.fsf@vigenere.g10code.de> <20110704175146.GA3116@downhill.g.la> Message-ID: <20110724143601.GB2052@downhill.g.la> On 2011-07-04 Andreas Metzler wrote: > On 2011-07-04 Werner Koch wrote: > > I see this in gnutls/lib/pk-libgcrypt.c:_wrap_gcry_pk_decrypt > > bigint_t res; > > res = gcry_sexp_nth_mpi (s_plain, 0, 0); > > gcry_sexp_release (s_plain); > > This is wrong and worked only because of a bug in Libgcrypt < 1.5.0. > [...] > > If you use this function to parse results of a public key function, > > you most likely want to use `GCRYMPI_FMT_USG'.] [...] > > Note that some other code uses gcry_sexp_nth_data and is thus not > > affected by this bug fix. [...] > For 2.12.7 [1] and 2.10.5 [2] this fixes one test failure > (x509self for 2.12 and x509dn for 2.10) while the other errors remain. > Sorry I am not more helpful than that, I am not a programmer. > [2] > --------------- > --- gnutls26-2.10.5.orig/lib/pk-libgcrypt.c > +++ gnutls26-2.10.5/lib/pk-libgcrypt.c 
> @@ -202,7 +202,7 @@ _wrap_gcry_pk_decrypt (gnutls_pk_algorit > goto cleanup; > } > - res = gcry_sexp_nth_mpi (s_plain, 0, 0); > + res = gcry_sexp_nth_mpi (s_plain, 0, GCRYMPI_FMT_USG); > if (res == NULL) > { > gnutls_assert (); > ---------------
[...]

Hello,

Well, simply replacing all occurrences of gcry_sexp_nth_mpi (..., 0) with
gcry_sexp_nth_mpi (..., GCRYMPI_FMT_USG) fixes the testsuite errors of
both gnutls 2.10.5 and 2.12.7. The other occurrences of
gcry_sexp_nth_mpi are all similar to this one:

----------------------------
static int
_wrap_gcry_pk_encrypt([...])
[...]
  gcry_sexp_t s_ciph = NULL, s_data = NULL, s_pkey = NULL;
[...]
  gcry_sexp_t list;

  [use gcry_sexp_build to fill s_pkey, s_ciph, s_data ]

  /* pass it to libgcrypt */
  rc = gcry_pk_encrypt (&s_ciph, s_data, s_pkey);
[...]
  list = gcry_sexp_find_token (s_ciph, "a", 0);
  res = gcry_sexp_nth_mpi (list, 1, 0)
----------------------------

Is changing this to "res = gcry_sexp_nth_mpi (list, 1, GCRYMPI_FMT_USG);"
the proper fix, or does it just seem to work accidentally?

cu andreas
-------------- next part --------------
A non-text attachment was scrubbed...
Name: gnutls-2.10.5+gcrypt1.5.patch
Type: text/x-diff
Size: 4448 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: gnutls-2.12.7+gcrypt1.5.patch
Type: text/x-diff
Size: 4568 bytes
Desc: not available
URL:

From wk at gnupg.org Mon Jul 25 09:22:15 2011
From: wk at gnupg.org (Werner Koch)
Date: Mon, 25 Jul 2011 09:22:15 +0200
Subject: new testsuite errors with gcrypt 1.5 and gnutls 2.17.1
In-Reply-To: <20110724143601.GB2052@downhill.g.la> (Andreas Metzler's message of "Sun, 24 Jul 2011 16:36:02 +0200")
References: <20110702102734.GA2013@downhill.g.la> <20110702112211.GB2013@downhill.g.la> <87y60geus6.fsf@vigenere.g10code.de> <20110703072800.GA2005@downhill.g.la> <874o32ecpd.fsf@vigenere.g10code.de> <20110704175146.GA3116@downhill.g.la> <20110724143601.GB2052@downhill.g.la>
Message-ID: <87ipqqsu3c.fsf@vigenere.g10code.de>

On Sun, 24 Jul 2011 16:36, ametzler at downhill.at.eu.org said:

> Is changing this to "res = gcry_sexp_nth_mpi (list, 1, GCRYMPI_FMT_USG);"
> the proper fix, or does it just seem to work accidentally?

I am pretty sure that this is correct. The bug was probably introduced
by copying code from GnuPG which had the same error. It is quite
possible that I once proposed to do it this way :-).

Salam-Shalom,

   Werner

-- 
Thoughts are free. Exceptions are regulated by a federal law.

From tmraz at redhat.com Mon Jul 25 09:41:44 2011
From: tmraz at redhat.com (Tomas Mraz)
Date: Mon, 25 Jul 2011 09:41:44 +0200
Subject: new testsuite errors with gcrypt 1.5 and gnutls 2.17.1
In-Reply-To: <87ipqqsu3c.fsf@vigenere.g10code.de>
References: <20110702102734.GA2013@downhill.g.la> <20110702112211.GB2013@downhill.g.la> <87y60geus6.fsf@vigenere.g10code.de> <20110703072800.GA2005@downhill.g.la> <874o32ecpd.fsf@vigenere.g10code.de> <20110704175146.GA3116@downhill.g.la> <20110724143601.GB2052@downhill.g.la> <87ipqqsu3c.fsf@vigenere.g10code.de>
Message-ID: <1311579704.6273.49.camel@vespa.frost.loc>

On Mon, 2011-07-25 at 09:22 +0200, Werner Koch wrote:
> On Sun, 24 Jul 2011 16:36, ametzler at downhill.at.eu.org said:
>
> > Is changing this to "res = gcry_sexp_nth_mpi (list, 1, GCRYMPI_FMT_USG);"
> > the proper fix, or does it just seem to work accidentally?
>
> I am pretty sure that this is correct. The bug was probably introduced
> by copying code from GnuPG which had the same error. It is quite
> possible that I once proposed to do it this way :-).

Hmm... wouldn't it be more proper to make the default MPI format for
gcry_sexp_nth_mpi USG? Given the libgcrypt-1.4.x always behaved like
this this is strictly said API/ABI break, regardless of what
documentation says.

-- 
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb

From wk at gnupg.org Mon Jul 25 12:39:12 2011
From: wk at gnupg.org (Werner Koch)
Date: Mon, 25 Jul 2011 12:39:12 +0200
Subject: new testsuite errors with gcrypt 1.5 and gnutls 2.17.1
In-Reply-To: <1311579704.6273.49.camel@vespa.frost.loc> (Tomas Mraz's message of "Mon, 25 Jul 2011 09:41:44 +0200")
References: <20110702102734.GA2013@downhill.g.la> <20110702112211.GB2013@downhill.g.la> <87y60geus6.fsf@vigenere.g10code.de> <20110703072800.GA2005@downhill.g.la> <874o32ecpd.fsf@vigenere.g10code.de> <20110704175146.GA3116@downhill.g.la> <20110724143601.GB2052@downhill.g.la> <87ipqqsu3c.fsf@vigenere.g10code.de> <1311579704.6273.49.camel@vespa.frost.loc>
Message-ID: <87ei1eskz3.fsf@vigenere.g10code.de>

On Mon, 25 Jul 2011 09:41, tmraz at redhat.com said:

> Hmm... wouldn't it be more proper to make the default MPI format for
> gcry_sexp_nth_mpi USG? Given the libgcrypt-1.4.x always behaved like
> this this is strictly said API/ABI break, regardless of what
> documentation says.

No, it didn't behave like this. The case with the leading zeroes is
more complex than just the GCRYMPI_FMT_STD default. It was a bug in
GnuPG to use the default. Fortunately most users of Libgcrypt didn't
copy that bug.

Shalom-Salam,

   Werner

-- 
Thoughts are free. Exceptions are regulated by a federal law.

From tmraz at redhat.com Mon Jul 25 12:51:39 2011
From: tmraz at redhat.com (Tomas Mraz)
Date: Mon, 25 Jul 2011 12:51:39 +0200
Subject: new testsuite errors with gcrypt 1.5 and gnutls 2.17.1
In-Reply-To: <87ei1eskz3.fsf@vigenere.g10code.de>
References: <20110702102734.GA2013@downhill.g.la> <20110702112211.GB2013@downhill.g.la> <87y60geus6.fsf@vigenere.g10code.de> <20110703072800.GA2005@downhill.g.la> <874o32ecpd.fsf@vigenere.g10code.de> <20110704175146.GA3116@downhill.g.la> <20110724143601.GB2052@downhill.g.la> <87ipqqsu3c.fsf@vigenere.g10code.de> <1311579704.6273.49.camel@vespa.frost.loc> <87ei1eskz3.fsf@vigenere.g10code.de>
Message-ID: <1311591099.6273.52.camel@vespa.frost.loc>

On Mon, 2011-07-25 at 12:39 +0200, Werner Koch wrote:
> On Mon, 25 Jul 2011 09:41, tmraz at redhat.com said:
>
> > Hmm... wouldn't it be more proper to make the default MPI format for
> > gcry_sexp_nth_mpi USG? Given the libgcrypt-1.4.x always behaved like
> > this this is strictly said API/ABI break, regardless of what
> > documentation says.
>
> No, it didn't behave like this. The case with the leading zeroes is
> more complex than just the GCRYMPI_FMT_STD default. It was a bug in
> GnuPG to use the default. Fortunately most users of Libgcrypt didn't
> copy that bug.

I understand that, but what would be broken (that was not broken already
in libgcrypt-1.4.x) if the GCRYMPI_FMT_USG was declared as default for
gcry_sexp_nth_mpi() ? Is there currently any known use in existing
software that expects the GCRYMPI_FMT_STD if 0 is specified as format
in gcry_sexp_nth_mpi()?

-- 
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb

From wk at gnupg.org Mon Jul 25 13:30:50 2011
From: wk at gnupg.org (Werner Koch)
Date: Mon, 25 Jul 2011 13:30:50 +0200
Subject: new testsuite errors with gcrypt 1.5 and gnutls 2.17.1
In-Reply-To: <1311591099.6273.52.camel@vespa.frost.loc> (Tomas Mraz's message of "Mon, 25 Jul 2011 12:51:39 +0200")
References: <20110702102734.GA2013@downhill.g.la> <20110702112211.GB2013@downhill.g.la> <87y60geus6.fsf@vigenere.g10code.de> <20110703072800.GA2005@downhill.g.la> <874o32ecpd.fsf@vigenere.g10code.de> <20110704175146.GA3116@downhill.g.la> <20110724143601.GB2052@downhill.g.la> <87ipqqsu3c.fsf@vigenere.g10code.de> <1311579704.6273.49.camel@vespa.frost.loc> <87ei1eskz3.fsf@vigenere.g10code.de> <1311591099.6273.52.camel@vespa.frost.loc>
Message-ID: <87aac2sil1.fsf@vigenere.g10code.de>

On Mon, 25 Jul 2011 12:51, tmraz at redhat.com said:

> gcry_sexp_nth_mpi() ? Is there currently any known use in existing
> software that expects the GCRYMPI_FMT_STD if 0 is specified as format
> in gcry_sexp_nth_mpi()?

We can't know for sure. Libgcrypt is also used by proprietary
applications and thus we have no way to check it. Before I released
1.5.0 I did a web search and found some code using Libgcrypt. Except
for GnuPG and GNUTLS they all seemed to do it right. Unfortunately I
forgot to notify the GNUTLS maintainers.

I even pondered with a system wide Libgcrypt option to change the
default so that in case of a problem this could be easily fixed.
However that might be worse than just fixing the applications right
away. It is clearly a bug but Libgcrypt and I prefer to fix bugs than
to maintain bug emulation code for all eternity.

There will be a GnuPG 2.0.18 shortly just to address this problem. I
have not heard about other projects suffering from that bug. gold(1)
seems to be a more severe problem than this bug fix.

Salam-Shalom,

   Werner

-- 
Thoughts are free. Exceptions are regulated by a federal law.

From sjoerd.simons at collabora.co.uk Mon Jul 25 19:03:36 2011
From: sjoerd.simons at collabora.co.uk (Sjoerd Simons)
Date: Mon, 25 Jul 2011 18:03:36 +0100
Subject: [PATCH] writev_emu: stop on the first incomplete write
Message-ID: <1311613416.5210.24.camel@night>

Hey,

See attached patch :). Our library got someone confused in some cases
when the push function couldn't write out, we'd see call traces like
this:

  push (X bytes): return Y bytes (Y < X)
  push (Z bytes): return -EAGAIN
  push (X - Y bytes): abort!

As after an EAGAIN the push function expects to be called again with the
same amount of bytes.

--
Sjoerd Simons
Collabora Ltd.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-writev_emu-stop-on-the-first-incomplete-write.patch
Type: text/x-patch
Size: 916 bytes
Desc: not available
URL:

From nmav at gnutls.org Mon Jul 25 19:15:00 2011
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Mon, 25 Jul 2011 19:15:00 +0200
Subject: [PATCH] writev_emu: stop on the first incomplete write
In-Reply-To: <1311613416.5210.24.camel@night>
References: <1311613416.5210.24.camel@night>
Message-ID: <4E2DA494.2030806@gnutls.org>

On 07/25/2011 07:03 PM, Sjoerd Simons wrote:
> Hey,
>
> See attached patch :). Our library got someone confused in some cases
> when the push function couldn't write out, we'd see call traces like
> this:
>
> push (X bytes): return Y bytes (Y < X)
> push (Z bytes): return -EAGAIN
> push (X - Y bytes): abort!

Applied.

thank you,
Nikos

From nmav at gnutls.org Mon Jul 25 19:18:48 2011
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Mon, 25 Jul 2011 19:18:48 +0200
Subject: new testsuite errors with gcrypt 1.5 and gnutls 2.17.1
In-Reply-To: <20110724143601.GB2052@downhill.g.la>
References: <20110702102734.GA2013@downhill.g.la>
 <20110702112211.GB2013@downhill.g.la>
 <87y60geus6.fsf@vigenere.g10code.de>
 <20110703072800.GA2005@downhill.g.la>
 <874o32ecpd.fsf@vigenere.g10code.de>
 <20110704175146.GA3116@downhill.g.la>
 <20110724143601.GB2052@downhill.g.la>
Message-ID: <4E2DA578.5030502@gnutls.org>

On 07/24/2011 04:36 PM, Andreas Metzler wrote:
> Hello,
> Well, simply replacing all occurrences of gcry_sexp_nth_mpi (..., 0) with
> gcry_sexp_nth_mpi (..., GCRYMPI_FMT_USG) fixes the testsuite errors of
> both gnutls 2.10.5 and 2.12.7. The other occurrences of
> gcry_sexp_nth_mpi are all similar to this one:

I've committed your fix. Thank you!

regards,
Nikos

From INVALID.NOREPLY at gnu.org Thu Jul 28 11:22:02 2011
From: INVALID.NOREPLY at gnu.org (anonymous)
Date: Thu, 28 Jul 2011 09:22:02 +0000
Subject: [sr #107739] GnuTLS 2.10.5 endless loop of mini test on armel
In-Reply-To: <20110713-190459.sv20807.47995@savannah.gnu.org>
References: <20110709-160022.sv20807.97043@savannah.gnu.org>
 <20110709-160220.sv20807.53455@savannah.gnu.org>
 <20110713-190459.sv20807.47995@savannah.gnu.org>
Message-ID: <20110728-092202.sv0.18946@savannah.gnu.org>

Follow-up Comment #2, sr #107739 (project gnutls):

Could the following patch fix the issue?

http://git.savannah.gnu.org/gitweb/?p=gnutls.git;a=commitdiff;h=04b6bec750d214fc8bc5b65f99e47f0e251f1f7b

_______________________________________________________

Reply to this item at:

_______________________________________________
Message sent via/by Savannah
http://savannah.gnu.org/

From INVALID.NOREPLY at gnu.org Thu Jul 28 11:27:18 2011
From: INVALID.NOREPLY at gnu.org (anonymous)
Date: Thu, 28 Jul 2011 09:27:18 +0000
Subject: [sr #107739] GnuTLS 2.10.5 endless loop of mini test on armel
In-Reply-To: <20110728-092202.sv0.18946@savannah.gnu.org>
References: <20110709-160022.sv20807.97043@savannah.gnu.org>
 <20110709-160220.sv20807.53455@savannah.gnu.org>
 <20110713-190459.sv20807.47995@savannah.gnu.org>
 <20110728-092202.sv0.18946@savannah.gnu.org>
Message-ID: <20110728-092718.sv0.97499@savannah.gnu.org>

Follow-up Comment #3, sr #107739 (project gnutls):

If not, is the issue in
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=633458 related to the
failure in mini?

_______________________________________________________

Reply to this item at:

_______________________________________________
Message sent via/by Savannah
http://savannah.gnu.org/

From INVALID.NOREPLY at gnu.org Thu Jul 28 19:04:51 2011
From: INVALID.NOREPLY at gnu.org (Andreas Metzler)
Date: Thu, 28 Jul 2011 17:04:51 +0000
Subject: [sr #107739] GnuTLS 2.10.5 endless loop of mini test on armel
In-Reply-To: <20110728-092718.sv0.97499@savannah.gnu.org>
References: <20110709-160022.sv20807.97043@savannah.gnu.org>
 <20110709-160220.sv20807.53455@savannah.gnu.org>
 <20110713-190459.sv20807.47995@savannah.gnu.org>
 <20110728-092202.sv0.18946@savannah.gnu.org>
 <20110728-092718.sv0.97499@savannah.gnu.org>
Message-ID: <20110728-190451.sv20807.23906@savannah.gnu.org>

Follow-up Comment #4, sr #107739 (project gnutls):

It definitely looks like a gcc bug triggered by gcrypt. - I had already
pointed to the Debian bug on July 13.

_______________________________________________________

Reply to this item at:

_______________________________________________
Message sent via/by Savannah
http://savannah.gnu.org/

From INVALID.NOREPLY at gnu.org Thu Jul 28 19:34:45 2011
From: INVALID.NOREPLY at gnu.org (Petr Pisar)
Date: Thu, 28 Jul 2011 17:34:45 +0000
Subject: [sr #107756] Typo in certtool usage output
Message-ID: <20110728-173445.sv60014.96252@savannah.gnu.org>

URL:

Summary: Typo in certtool usage output
Project: GnuTLS
Submitted by: petrp
Submitted on: Thu 28 Jul 2011 05:34:45 PM GMT
Category: Included programs
Priority: 5 - Normal
Severity: 2 - Minor
Status: None
Privacy: Public
Assigned to: None
Originator Email:
Open/Closed: Open
Discussion Lock: Any
Operating System: None

_______________________________________________________

Details:

certtool --help shows:

[...]
  --load-privkey FILE   Private key file to use.
  --load-pubkey FILE    Private key file to use.
[...]

I think --load-pubkey option should be described as `Public key file to
use.'

_______________________________________________________

Reply to this item at:

_______________________________________________
Message sent via/by Savannah
http://savannah.gnu.org/

From INVALID.NOREPLY at gnu.org Thu Jul 28 19:49:08 2011
From: INVALID.NOREPLY at gnu.org (Nikos Mavrogiannopoulos)
Date: Thu, 28 Jul 2011 17:49:08 +0000
Subject: [sr #107756] Typo in certtool usage output
In-Reply-To: <20110728-173445.sv60014.96252@savannah.gnu.org>
References: <20110728-173445.sv60014.96252@savannah.gnu.org>
Message-ID: <20110728-204908.sv707.64412@savannah.gnu.org>

Update of sr #107756 (project gnutls):

Status: None => Done
Assigned to: None => nmav
Open/Closed: Open => Closed

_______________________________________________________

Follow-up Comment #1:

I've corrected it. Thank you.

_______________________________________________________

Reply to this item at:

_______________________________________________
Message sent via/by Savannah
http://savannah.gnu.org/

From INVALID.NOREPLY at gnu.org Thu Jul 28 19:49:40 2011
From: INVALID.NOREPLY at gnu.org (Nikos Mavrogiannopoulos)
Date: Thu, 28 Jul 2011 17:49:40 +0000
Subject: [sr #107739] GnuTLS 2.10.5 endless loop of mini test on armel
In-Reply-To: <20110728-190451.sv20807.23906@savannah.gnu.org>
References: <20110709-160022.sv20807.97043@savannah.gnu.org>
 <20110709-160220.sv20807.53455@savannah.gnu.org>
 <20110713-190459.sv20807.47995@savannah.gnu.org>
 <20110728-092202.sv0.18946@savannah.gnu.org>
 <20110728-092718.sv0.97499@savannah.gnu.org>
 <20110728-190451.sv20807.23906@savannah.gnu.org>
Message-ID: <20110728-204940.sv707.44686@savannah.gnu.org>

Update of sr #107739 (project gnutls):

Status: None => In Progress
Assigned to: None => nmav

_______________________________________________________

Reply to this item at:

_______________________________________________
Message sent via/by Savannah
http://savannah.gnu.org/

From nmav at gnutls.org Fri Jul 29 22:33:39 2011
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Fri, 29 Jul 2011 22:33:39 +0200
Subject: GnuTLS 3.0.0 released
Message-ID: <4E331923.1030503@gnutls.org>

We are proud to announce a new stable GnuTLS release: Version 3.0.0.

GnuTLS is a modern C library that implements the standard network
security protocol Transport Layer Security (TLS), for use by network
applications. GnuTLS is developed for GNU/Linux, but works on many
Unix-like systems and comes with a binary installer for Windows.

The GnuTLS library is distributed under the terms of the GNU Lesser
General Public License version 3 (or later). The "extra" GnuTLS
library (which contains), the OpenSSL compatibility library, the self
tests and the command line tools are all distributed under the GNU
General Public License version 3.0 (or later). The manual is
distributed under the GNU Free Documentation License version 1.3 (or
later).

The project page of the library is available at:
  http://www.gnutls.org
and
  http://www.gnu.org/software/gnutls/

What's New
==========

Version 3.0.0 is the first stable release on the 3.0.x branch and is
the result of 11 months of work on the experimental 2.99.x branch. The
GnuTLS 3.0.x branch replaces the GnuTLS 2.12.x branch as the supported
stable branch, although we will continue to support GnuTLS 2.12.x for
some time.

** libgnutls: license upgraded to LGPLv3

** libgnutls: depends on nettle 2.2.

** libgnutls: Added Datagram TLS 1.0 support.

** libgnutls: Added Elliptic curve support. Requires priority strings:
   +CURVE-ALL: to add all supported curves
   +ECDHE-RSA: to add ephemeral ECDHE with an RSA-signed certificate
   +ECDHE-ECDSA: to add ephemeral ECDHE with an ECDSA-signed certificate
   +ANON-ECDHE: to add anonymous ECDH

** libgnutls: Added ECDHE-PSK ciphersuites for TLS (RFC 5489).

** libgnutls: Added AES in GCM mode

** libgnutls: Added SUITEB128 and SUITEB192 priority strings to enable
the NSA SuiteB cryptography ciphersuites.
** libgnutls: Added AES-GCM optimizations using the PCLMULQDQ
instruction. Uses Andy Polyakov's assembly code.

** libgnutls: Added gnutls_global_set_audit_log_function() that allows
to get important auditing information including the corresponding
session. That might be useful to block DoS or other attacker from
specific IPs.

** libgnutls: gnutls_transport_set_lowat() is no more.

** libgnutls: Added gnutls_certificate_set_retrieve_function2() to set
a callback to retrieve a certificate. The certificate is received in a
format that requires no processing from gnutls thus it is suitable
when performance is required.

** libgnutls: Simplified the handling of handshake messages to be
hashed. Instead of hashing during the handshake process we now keep
the data until handshake is over and hash them on request. This uses
more memory but eliminates issues with TLS 1.2 and simplifies code.

** libgnutls: LZO support was removed.

** libgnutls: gnutls_srp_verifier() returns data allocated with
gnutls_malloc() for consistency.

** libgnutls-openssl: modified to use modern gnutls' functions. This
introduces an ABI incompatibility with previous versions.

** libgnutls: gnutls_rsa_params_t is now identical to
gnutls_x509_privkey_t to avoid thread-safety issues. Reported by Sam
Varshavchik.

** libgnutls: Added new PKCS #11 flags to force an object being
private or not. (GNUTLS_PKCS11_OBJ_FLAG_MARK_PRIVATE and
GNUTLS_PKCS11_OBJ_FLAG_MARK_NOT_PRIVATE)

** libgnutls: Added gnutls_x509_crq_verify() to allow verification of
the self signature in a certificate request. This allows verifying
whether the owner of the private key is the generator of the request.

** libgnutls: gnutls_x509_crt_set_crq() implicitly verifies the self
signature of the request.

** libgnutls: Added gnutls_pubkey_verify_data2() that will verify data
provided the signature algorithm.
** libgnutls: Added gnutls_x509_trust_list_add_named_crt() and
gnutls_x509_trust_list_verify_named_crt() that allow having a list of
certificates in the trusted list that will be associated with a name
(e.g. server name) and will not be used as CAs.

** libgnutls: PKCS #11 back-end rewritten to use p11-kit
http://p11-glue.freedesktop.org/p11-kit.html. Rewrite by Stef Walter.

** libgnutls: Uses a single configure file and a single gnulib library
to save space.

** libgnutlsxx: The C++ interface returns exception on every error and
not only on fatal ones. This allows easier handling of errors.

** libgnutls: Corrected issue in DHE-PSK ciphersuites that ignored the
PSK callback.

** libgnutls: SRP and PSK are no longer set on the default priorities.
They have to be explicitly set.

** libgnutls: During handshake message verification using DSS use the
hash algorithm required by it.

** libgnutls: writev_emu: stop on the first incomplete write. Patch by
Sjoerd Simons.

** libgnutls: gnutls_recv() returns GNUTLS_E_PREMATURE_TERMINATION on
unexpected EOF, instead of GNUTLS_E_UNEXPECTED_PACKET_LENGTH.

** libgnutls-extra: Inner application extension was removed. It was
never standardized nor published as an RFC.

** libgnutls: Added new certificate verification functions, that can
provide more details and are more efficient. Check
gnutls_x509_trust_list_*.

** certtool: Uses the new certificate verification functions for
--verify-chain.

** certtool: Added new certificate verification functionality using
the --verify option. Combined with --load-ca-certificate it can verify
a certificate chain against a list of certificates.

** libgnutls: Fix zlib handling in gnutls.pc. Patch by Andreas
Metzler.

** certtool: bug fixes in certificate request generation. Patch by
Petr Písař.
** API and ABI modifications:
gnutls_pubkey_verify_data2: ADDED
gnutls_ecc_curve_get: ADDED
gnutls_x509_trust_list_add_named_crt: ADDED
gnutls_x509_trust_list_verify_named_crt: ADDED
gnutls_x509_privkey_verify_data: REMOVED
gnutls_crypto_bigint_register: REMOVED
gnutls_crypto_cipher_register: REMOVED
gnutls_crypto_digest_register: REMOVED
gnutls_crypto_mac_register: REMOVED
gnutls_crypto_pk_register: REMOVED
gnutls_crypto_rnd_register: REMOVED
gnutls_crypto_single_cipher_register: REMOVED
gnutls_crypto_single_digest_register: REMOVED
gnutls_crypto_single_mac_register: REMOVED
gnutls_certificate_get_issuer: ADDED
gnutls_x509_trust_list_get_issuer: ADDED
gnutls_x509_crq_verify: ADDED
gnutls_global_set_audit_log_function: ADDED
gnutls_ecc_curve_get_name: ADDED
gnutls_ecc_curve_get_size: ADDED
gnutls_x509_privkey_import_ecc_raw: ADDED
gnutls_x509_privkey_export_ecc_raw: ADDED
gnutls_global_set_time_function: ADDED
gnutls_dtls_set_timeouts: ADDED
gnutls_dtls_get_mtu: ADDED
gnutls_dtls_get_data_mtu: ADDED
gnutls_dtls_set_mtu: ADDED
gnutls_dtls_cookie_send: ADDED
gnutls_dtls_cookie_verify: ADDED
gnutls_dtls_prestate_set: ADDED
gnutls_x509_trust_list_verify_crt: ADDED
gnutls_x509_trust_list_add_crls: ADDED
gnutls_x509_trust_list_add_cas: ADDED
gnutls_x509_trust_list_init: ADDED
gnutls_x509_trust_list_deinit: ADDED
gnutls_cipher_add_auth: ADDED
gnutls_cipher_tag: ADDED
gnutls_pcert_list_import_x509_raw: ADDED
gnutls_psk_netconf_derive_key: REMOVED
gnutls_certificate_verify_peers: REMOVED
gnutls_session_set_finished_function: REMOVED
gnutls_ext_register: REMOVED
gnutls_certificate_get_x509_crls: REMOVED
gnutls_certificate_get_x509_cas: REMOVED
gnutls_certificate_get_openpgp_keyring: REMOVED
gnutls_session_get_server_random: REMOVED
gnutls_session_get_client_random: REMOVED
gnutls_session_get_master_secret: REMOVED
gnutls_ia_allocate_client_credentials: REMOVED
gnutls_ia_allocate_server_credentials: REMOVED
gnutls_ia_enable: REMOVED
gnutls_ia_endphase_send: REMOVED
gnutls_ia_extract_inner_secret: REMOVED
gnutls_ia_free_client_credentials: REMOVED
gnutls_ia_free_server_credentials: REMOVED
gnutls_ia_generate_challenge: REMOVED
gnutls_ia_get_client_avp_ptr: REMOVED
gnutls_ia_get_server_avp_ptr: REMOVED
gnutls_ia_handshake: REMOVED
gnutls_ia_handshake_p: REMOVED
gnutls_ia_permute_inner_secret: REMOVED
gnutls_ia_recv: REMOVED
gnutls_ia_send: REMOVED
gnutls_ia_set_client_avp_function: REMOVED
gnutls_ia_set_client_avp_ptr: REMOVED
gnutls_ia_set_server_avp_function: REMOVED
gnutls_ia_set_server_avp_ptr: REMOVED
gnutls_ia_verify_endphase: REMOVED
GNUTLS_E_ECC_NO_SUPPORTED_CURVES: New error code
GNUTLS_E_ECC_UNSUPPORTED_CURVE: New error code
GNUTLS_KX_ECDHE_RSA: New key exchange method
GNUTLS_KX_ECDHE_ECDSA: New key exchange method
GNUTLS_KX_ANON_ECDH: New key exchange method
GNUTLS_KX_ECDHE_PSK: New key exchange method
GNUTLS_PK_ECC: New public key algorithm
GNUTLS_SIGN_ECDSA_SHA1: New signature algorithm
GNUTLS_SIGN_ECDSA_SHA256: New signature algorithm
GNUTLS_SIGN_ECDSA_SHA384: New signature algorithm
GNUTLS_SIGN_ECDSA_SHA512: New signature algorithm
GNUTLS_SIGN_ECDSA_SHA224: New signature algorithm
GNUTLS_ECC_CURVE_INVALID: New curve definition
GNUTLS_ECC_CURVE_SECP224R1: New curve definition
GNUTLS_ECC_CURVE_SECP256R1: New curve definition
GNUTLS_ECC_CURVE_SECP384R1: New curve definition
GNUTLS_ECC_CURVE_SECP521R1: New curve definition
GNUTLS_VERIFY_DISABLE_CRL_CHECKS: New certificate verification flag.
GNUTLS_PKCS11_OBJ_FLAG_MARK_PRIVATE: New PKCS#11 object flag.
GNUTLS_PKCS11_OBJ_FLAG_MARK_NOT_PRIVATE: New PKCS#11 object flag.

Getting the Software
====================

GnuTLS may be downloaded from one of the GNU mirror sites or directly
From and a list of GnuTLS mirrors can be found at .
Here are the XZ compressed sources:

  ftp://ftp.gnu.org/gnu/gnutls/gnutls-3.0.0.tar.xz
  http://ftp.gnu.org/gnu/gnutls/gnutls-3.0.0.tar.xz

Here are OpenPGP detached signatures signed using key 0x96865171:

  ftp://ftp.gnu.org/gnu/gnutls/gnutls-3.0.0.tar.xz.sig
  http://ftp.gnu.org/gnu/gnutls/gnutls-3.0.0.tar.xz.sig

Note that it has been signed with my openpgp key:

pub 3104R/96865171 2008-05-04 [expires: 2028-04-29]
uid Nikos Mavrogiannopoulos gnutls.org>
uid Nikos Mavrogiannopoulos gmail.com>
sub 2048R/9013B842 2008-05-04 [expires: 2018-05-02]
sub 2048R/1404A91D 2008-05-04 [expires: 2018-05-02]

Documentation
=============

The GnuTLS manual is available electronically at:

  http://www.gnu.org/software/gnutls/documentation.html

and a paper copy can be obtained at:

  http://www.lulu.com/product/paperback/the-gnutls-manual/16356050

Community
=========

If you need help to use GnuTLS, or want to help others, you are
invited to join our help-gnutls mailing list, see:

  http://lists.gnu.org/mailman/listinfo/help-gnutls

If you wish to participate in the development of GnuTLS, you are
invited to join our gnutls-dev mailing list, see:

  http://lists.gnu.org/mailman/listinfo/gnutls-devel

Internationalization
====================

The GnuTLS library messages have been translated into Czech, Dutch,
French, German, Italian, Malay, Polish, Simplified Chinese, Swedish,
and Vietnamese. We welcome the addition of more translations.
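The "writev_emu: stop on the first incomplete write" entry in the release notes above refers to the call trace Sjoerd Simons reported earlier in this archive. The C sketch below is an added example, not the GnuTLS source and not the scrubbed patch: it replays that trace against a mock transport, once with the old continue-after-short-write behaviour and once stopping at the first incomplete write. The names push_fn, mock_push, writev_emulated and run_trace are hypothetical, and the mock transport and byte counts (X = 10, Y = 6, Z = 3) are constructed.

```c
#include <errno.h>
#include <sys/types.h>
#include <sys/uio.h>

/* Hypothetical push callback: bytes written, or -1 with errno set. */
typedef ssize_t (*push_fn)(void *ctx, const void *buf, size_t len);

/* Constructed mock transport: accepts `room` bytes, then reports EAGAIN.
 * After EAGAIN it expects the next call to repeat the same length. */
struct mock {
    size_t room;     /* bytes the transport will still accept */
    size_t pending;  /* length of the call that got EAGAIN, 0 if none */
    int violated;    /* set when a retry arrives with another length */
};

static ssize_t mock_push(void *ctx, const void *buf, size_t len) {
    struct mock *m = ctx;
    (void)buf;
    if (m->pending && len != m->pending) m->violated = 1;  /* "abort!" */
    m->pending = 0;
    if (m->room == 0) {              /* nothing can be written right now */
        m->pending = len;
        errno = EAGAIN;
        return -1;
    }
    size_t n = len < m->room ? len : m->room;
    m->room -= n;
    return (ssize_t)n;
}

/* writev() emulation, one push per buffer. stop_on_short = 0 keeps pushing
 * later buffers after a short write; 1 returns at the first incomplete one. */
static ssize_t writev_emulated(push_fn push, void *ctx, const struct iovec *iov,
                               int cnt, int stop_on_short) {
    size_t total = 0;
    ssize_t ret = 0;
    for (int i = 0; i < cnt; i++) {
        ret = push(ctx, iov[i].iov_base, iov[i].iov_len);
        if (ret < 0) break;
        total += (size_t)ret;
        if (stop_on_short && (size_t)ret != iov[i].iov_len)
            break;
    }
    return total > 0 ? (ssize_t)total : ret;
}

/* X = 10 and Z = 3 bytes, room for Y = 6; the caller then resumes from the
 * reported offset. Returns 1 if a retry length mismatched the EAGAIN call. */
int run_trace(int stop_on_short) {
    char x[10] = {0}, z[3] = {0};
    struct iovec iov[2] = { { .iov_base = x, .iov_len = sizeof x },
                            { .iov_base = z, .iov_len = sizeof z } };
    struct mock m = { 6, 0, 0 };
    ssize_t sent = writev_emulated(mock_push, &m, iov, 2, stop_on_short);
    size_t skip = sent > 0 ? (size_t)sent : 0;
    m.room = 100;                    /* the socket is writable again */
    for (int i = 0; i < 2; i++) {
        if (skip >= iov[i].iov_len) { skip -= iov[i].iov_len; continue; }
        mock_push(&m, (char *)iov[i].iov_base + skip, iov[i].iov_len - skip);
        skip = 0;
    }
    return m.violated;
}
```

With stop_on_short = 0 the transport sees push(10), push(3) failing with EAGAIN, then push(4), which is the mismatch from the report; with stop_on_short = 1 the second buffer is never offered until the first has been fully written.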