From nmav at gnutls.org Mon Mar 3 07:21:25 2014 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Mon, 03 Mar 2014 07:21:25 +0100 Subject: [gnutls-devel] gnutls 3.1.22 Message-ID: <53141F65.2090204@gnutls.org> Hello, I've just released gnutls 3.1.22. This is an important bug-fix release on the previous stable branch which addresses GNUTLS-SA-2014-2 http://www.gnutls.org/security.html#GNUTLS-SA-2014-2 * Version 3.1.22 (released 2014-03-03) ** libgnutls: Corrected certificate verification issue (GNUTLS-SA-2014-2) ** libgnutls: Corrected issue in gnutls_pcert_list_import_x509_raw when provided with invalid data. Reported by Dmitriy Anisimkov. ** libgnutls: Corrected timeout issue in subsequent to the first DTLS handshakes. ** libgnutls: Removed unconditional not-trusted message in gnutls_certificate_verification_status_print() when used with OpenPGP certificates. Reported by Michel Briand. ** libgnutls: All ciphersuites that were available in TLS1.0 or later are now made available in SSL3.0 or later to prevent any incompatibilities with servers that negotiate them in SSL 3.0. ** API and ABI modifications: No changes since last version. Getting the Software ==================== GnuTLS may be downloaded directly from . A list of GnuTLS mirrors can be found at . Here are the XZ and LZIP compressed sources: ftp://ftp.gnutls.org/gcrypt/gnutls/v3.1/gnutls-3.1.22.tar.xz ftp://ftp.gnutls.org/gcrypt/gnutls/v3.1/gnutls-3.1.22.tar.lz Here are OpenPGP detached signatures signed using key 0x96865171: ftp://ftp.gnutls.org/gcrypt/gnutls/v3.1/gnutls-3.1.22.tar.xz.sig ftp://ftp.gnutls.org/gcrypt/gnutls/v3.1/gnutls-3.1.22.tar.lz.sig Note that it has been signed with my openpgp key: pub 3104R/96865171 2008-05-04 [expires: 2028-04-29] uid Nikos Mavrogiannopoulos gnutls.org> uid Nikos Mavrogiannopoulos gmail.com> sub 2048R/9013B842 2008-05-04 [expires: 2018-05-02] sub 2048R/1404A91D 2008-05-04 [expires: 2018-05-02] regards, Nikos From nmav at gnutls.org Mon Mar 3 07:22:41 2014 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Mon, 03 Mar 2014 07:22:41 +0100 Subject: [gnutls-devel] gnutls 3.2.12 / GNUTLS-SA-2014-2 Message-ID: <53141FB1.3040809@gnutls.org> Hello, I've just released gnutls 3.2.12. This is an important bug-fix release on the current stable branch which addresses GNUTLS-SA-2014-2 http://www.gnutls.org/security.html#GNUTLS-SA-2014-2 This fixes is an important (and at the same time embarrassing) bug discovered during an audit for Red Hat. Everyone is urged to upgrade. The git branches of older releases (e.g., 2.12.x), were also updated with patches to the issue as they are also vulnerable. I'll provide more information on the issue the next few days. * Version 3.2.12 (released 2014-03-03) ** libgnutls: Corrected certificate verification issue (GNUTLS-SA-2014-2) ** libgnutls: Corrected issue in gnutls_pcert_list_import_x509_raw when provided with invalid data. Reported by Dmitriy Anisimkov. ** libgnutls: Corrected timeout issue in subsequent to the first DTLS handshakes. ** libgnutls: Removed unconditional not-trusted message in gnutls_certificate_verification_status_print() when used with OpenPGP certificates. Reported by Michel Briand. ** libgnutls: All ciphersuites that were available in TLS1.0 or later are now made available in SSL3.0 or later to prevent any incompatibilities with servers that negotiate them in SSL 3.0. ** ocsptool: When verifying a response and a signer isn't provided assume that the signer is the issuer. ** ocsptool: When sending a nonce, verify that the nonce exists in the OCSP response. ** gnutls-cli: Added --strict-tofu option; contributed by Jens Lechtenboerger. ** API and ABI modifications: No changes since last version. Getting the Software ==================== GnuTLS may be downloaded directly from . A list of GnuTLS mirrors can be found at . Here are the XZ and LZIP compressed sources: ftp://ftp.gnutls.org/gcrypt/gnutls/v3.2/gnutls-3.2.12.tar.xz ftp://ftp.gnutls.org/gcrypt/gnutls/v3.2/gnutls-3.2.12.tar.lz Here are OpenPGP detached signatures signed using key 0x96865171: ftp://ftp.gnutls.org/gcrypt/gnutls/v3.2/gnutls-3.2.12.tar.xz.sig ftp://ftp.gnutls.org/gcrypt/gnutls/v3.2/gnutls-3.2.12.tar.lz.sig Note that it has been signed with my openpgp key: pub 3104R/96865171 2008-05-04 [expires: 2028-04-29] uid Nikos Mavrogiannopoulos gnutls.org> uid Nikos Mavrogiannopoulos gmail.com> sub 2048R/9013B842 2008-05-04 [expires: 2018-05-02] sub 2048R/1404A91D 2008-05-04 [expires: 2018-05-02] regards, Nikos From ametzler at bebt.de Tue Mar 4 19:43:02 2014 From: ametzler at bebt.de (Andreas Metzler) Date: Tue, 4 Mar 2014 19:43:02 +0100 Subject: [gnutls-devel] gnutls 3.2.12 / GNUTLS-SA-2014-2 In-Reply-To: <53141FB1.3040809@gnutls.org> References: <53141FB1.3040809@gnutls.org> Message-ID: <20140304184302.GB3248@downhill.g.la> On 2014-03-03 Nikos Mavrogiannopoulos wrote: > Hello, > I've just released gnutls 3.2.12. [...] > ** API and ABI modifications: > No changes since last version. [...] Hello, 3.2.12 broke the ABI in 1972eaa216489512dd73db52f9fca473ef859e33 which drops all symbols depending on ENABLE_RSA_EXPORT: GNUTLS_1_4 gnutls_rsa_export_get_pubkey GNUTLS_1_4 gnutls_rsa_export_get_modulus_bits GNUTLS_1_4 gnutls_certificate_set_rsa_export_params GNUTLS_1_4 gnutls_rsa_params_import_raw GNUTLS_1_4 gnutls_rsa_params_init GNUTLS_1_4 gnutls_rsa_params_deinit GNUTLS_1_4 gnutls_rsa_params_cpy GNUTLS_1_4 gnutls_rsa_params_generate2 GNUTLS_1_4 gnutls_rsa_params_import_pkcs1 GNUTLS_1_4 gnutls_rsa_params_export_pkcs1 GNUTLS_1_4 gnutls_rsa_params_export_raw cu Andreas -- `What a good friend you are to him, Dr. Maturin. His other friends are so grateful to you.' `I sew his ears on from time to time, sure' From nmav at gnutls.org Tue Mar 4 20:24:05 2014 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Tue, 04 Mar 2014 20:24:05 +0100 Subject: [gnutls-devel] gnutls 3.2.12.1 (abi change fix) In-Reply-To: <20140304184302.GB3248@downhill.g.la> References: <53141FB1.3040809@gnutls.org> <20140304184302.GB3248@downhill.g.la> Message-ID: <1393961045.15100.2.camel@nomad.lan> On Tue, 2014-03-04 at 19:43 +0100, Andreas Metzler wrote: > 3.2.12 broke the ABI in 1972eaa216489512dd73db52f9fca473ef859e33 which > drops all symbols depending on ENABLE_RSA_EXPORT: You are correct. I've reintroduced the option in: https://www.gitorious.org/gnutls/gnutls/commit/9a3fb4b5fdc285e39a6c106ab9889342ff0d5c23 I've released 3.2.12.1 which reverts the ABI change. * Version 3.2.12.1 (released 2014-03-04) ** libgnutls: Reverted change that broke ABI. Reported by Andreas Metzler. ** API and ABI modifications: No changes since last version. From ludo at gnu.org Wed Mar 5 00:26:41 2014 From: ludo at gnu.org (Ludovic =?utf-8?Q?Court=C3=A8s?=) Date: Wed, 05 Mar 2014 00:26:41 +0100 Subject: [gnutls-devel] Moving away from the RSA-export API Message-ID: <87r46h1r66.fsf@gnu.org> Hello, The inadvertent removal of the --disable-rsa-export configure option led to test failures in the Guile bindings [0], which made me realize that this is actually a deprecated API. However, the Guile bindings use (e.g., tests/x509-auth.scm), export, and document (e.g., the OpenPGP example in the manual) this API. What would be the recommended way to upgrade? Thanks, Ludo?. [0] https://lists.gnu.org/archive/html/guix-devel/2014-03/msg00027.html From nmav at gnutls.org Wed Mar 5 09:44:41 2014 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Wed, 5 Mar 2014 09:44:41 +0100 Subject: [gnutls-devel] gnutls 3.2.12 / GNUTLS-SA-2014-2 In-Reply-To: <53141FB1.3040809@gnutls.org> References: <53141FB1.3040809@gnutls.org> Message-ID: On Mon, Mar 3, 2014 at 7:22 AM, Nikos Mavrogiannopoulos wrote: > This fixes is an important (and at the same time embarrassing) bug > discovered during an audit for Red Hat. Everyone is urged to upgrade. > The git branches of older releases (e.g., 2.12.x), were also updated > with patches to the issue as they are also vulnerable. I'll provide more > information on the issue the next few days. Hello, It seems that this bug got quite some publicity and I even started receiving mail from random people. If anyone has any suggestions on gnutls project workflow please post it here, and (more important) volunteer to take up some work. Judging is easy, doing the actual work isn't. So here are few more words on the specific issue. The bug was introduced around the 1.0.0 version, and went for quite long time undetected, I believe for the following reason mainly: 1. This bug cannot be detected by any certificate validation tests; prior to any release gnutls is tested against a certificate validation path suite (developed to test X.509 path validation for USA's DoD), but that couldn't help detect the issue. It didn't help with any of the other issues that had been detected in the X.509 path validation code of gnutls, so we have an additional suite developed in-house. That didn't help with the issue either because it requires a specially crafted certificate (and I'm not revealing more details on that yet). 2. This bug can only be detected by code audit, which doesn't happen often (it's not a fun thing to do). 3. As this code was on a critical part of the library it was touched and thus read, very rarely. Moreover, the code in question followed the usual form of error checking in the library 'if(err<0) return err', making it look correct, unless one would notice that the function returned a boolean value (and we have very few such functions in the library). Of course the bug was introduced by me and I am fully responsible for it. That's my last mail on the topic. Shit happens; we flush and go on. regards, Nikos From nmav at gnutls.org Wed Mar 5 09:46:52 2014 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Wed, 5 Mar 2014 09:46:52 +0100 Subject: [gnutls-devel] Moving away from the RSA-export API In-Reply-To: <87r46h1r66.fsf@gnu.org> References: <87r46h1r66.fsf@gnu.org> Message-ID: On Wed, Mar 5, 2014 at 12:26 AM, Ludovic Court?s wrote: > Hello, > The inadvertent removal of the --disable-rsa-export configure option led > to test failures in the Guile bindings [0], which made me realize that > this is actually a deprecated API. > However, the Guile bindings use (e.g., tests/x509-auth.scm), export, and > document (e.g., the OpenPGP example in the manual) this API. > What would be the recommended way to upgrade? Deprecate it as well? Binary compatibility will remain, but these functions are defunc anyway. > [0] https://lists.gnu.org/archive/html/guix-devel/2014-03/msg00027.html Does gnutls 3.2.12.1 fix that issue? regards, Nikos From ludo at gnu.org Wed Mar 5 14:06:51 2014 From: ludo at gnu.org (Ludovic =?utf-8?Q?Court=C3=A8s?=) Date: Wed, 05 Mar 2014 14:06:51 +0100 Subject: [gnutls-devel] Moving away from the RSA-export API In-Reply-To: (Nikos Mavrogiannopoulos's message of "Wed, 5 Mar 2014 09:46:52 +0100") References: <87r46h1r66.fsf@gnu.org> Message-ID: <878uso23ro.fsf@gnu.org> Nikos Mavrogiannopoulos skribis: > On Wed, Mar 5, 2014 at 12:26 AM, Ludovic Court?s wrote: >> Hello, >> The inadvertent removal of the --disable-rsa-export configure option led >> to test failures in the Guile bindings [0], which made me realize that >> this is actually a deprecated API. >> However, the Guile bindings use (e.g., tests/x509-auth.scm), export, and >> document (e.g., the OpenPGP example in the manual) this API. >> What would be the recommended way to upgrade? > > Deprecate it as well? Binary compatibility will remain, but these > functions are defunc anyway. And replace it with gnutls_x509_privkey, right? The equivalence between rsa_params and x509_privkey alluded to in NEWS doesn?t seem natural at first sight, because RSA parameters and X.509 private keys are different things. Or am I missing something? >> [0] https://lists.gnu.org/archive/html/guix-devel/2014-03/msg00027.html > > Does gnutls 3.2.12.1 fix that issue? I think so, though I had just fixed it differently in the meantime: http://git.savannah.gnu.org/cgit/guix.git/commit/?id=9b521a678b6a9bb1e27d7379f70e467ececbe6d1 Thanks, Ludo?. From nmav at gnutls.org Wed Mar 5 14:10:04 2014 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Wed, 5 Mar 2014 14:10:04 +0100 Subject: [gnutls-devel] Moving away from the RSA-export API In-Reply-To: <878uso23ro.fsf@gnu.org> References: <87r46h1r66.fsf@gnu.org> <878uso23ro.fsf@gnu.org> Message-ID: On Wed, Mar 5, 2014 at 2:06 PM, Ludovic Court?s wrote: >>> However, the Guile bindings use (e.g., tests/x509-auth.scm), export, and >>> document (e.g., the OpenPGP example in the manual) this API. >>> What would be the recommended way to upgrade? >> Deprecate it as well? Binary compatibility will remain, but these >> functions are defunc anyway. > And replace it with gnutls_x509_privkey, right? > The equivalence between rsa_params and x509_privkey alluded to in NEWS > doesn't seem natural at first sight, because RSA parameters and X.509 > private keys are different things. The RSA params for rsa-export were just a 512-bit rsa private key. regards, Nikos From ramkumar.chinchani at gmail.com Mon Mar 3 06:43:44 2014 From: ramkumar.chinchani at gmail.com (Ramkumar Chinchani) Date: Mon, 3 Mar 2014 05:43:44 +0000 Subject: [gnutls-devel] gnutls_openpgp_keyring_import() doesn't report the proper error if incorrect armor is used Message-ID: If the "data" argument to gnutls_openpgp_keyring_import() is really in RAW format and "format" is incorrectly specified as BASE64, then the following snippet of code fails silently with "err" = EOF in the very first iteration and it falls through. So the caller cannot detect this and retry a different armor/format. 169 do { 170 err = 171 cdk_stream_read(input, raw_data + written, 172 raw_len - written); 173 174 if (err > 0) 175 written += err; 176 } 177 while (written < raw_len && err != EOF && err > 0); Suggesting the following patch. diff --git a/lib/openpgp/extras.c b/lib/openpgp/extras.c index 65bb488..d2a854f 100644 --- a/lib/openpgp/extras.c +++ b/lib/openpgp/extras.c @@ -177,6 +177,11 @@ gnutls_openpgp_keyring_import(gnutls_openpgp_keyring_t keyring, while (written < raw_len && err != EOF && err > 0); raw_len = written; + if (raw_len == 0) { + gnutls_assert(); + err = GNUTLS_E_BASE64_DECODING_ERROR; + goto error; + } } else { /* RAW */ raw_len = data->size; raw_data = data->data; -------------- next part -------------- An HTML attachment was scrubbed... URL: From colin at colino.net Wed Mar 5 11:09:07 2014 From: colin at colino.net (Colin Leroy) Date: Wed, 5 Mar 2014 11:09:07 +0100 Subject: [gnutls-devel] [PATCH] Fix xssl build without HAVE_VASPRINTF Message-ID: <20140305110907.39d808eb@colin> Hello, I hit an "undefined symbol _gnutls_vasprintf" error when building the newest GnuTLS without HAVE_VASPRINTF defined. Attached is a patch which fixes it. Thanks, -- Colin -------------- next part -------------- A non-text attachment was scrubbed... Name: xssl_build_fix.patch Type: text/x-patch Size: 421 bytes Desc: not available URL: From nullprogrammer at gmail.com Thu Mar 6 02:08:00 2014 From: nullprogrammer at gmail.com (Jason Spafford) Date: Wed, 5 Mar 2014 17:08:00 -0800 Subject: [gnutls-devel] Patch for checking string length on a potentially null string Message-ID: I read the guidelines and have satisfied all the requirements as far as I know. I agree to the Developer's Certificate of Origin. The instructions never say where to include the patch, so I've attached it to this email. -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: fix_null_string_length.patch Type: application/octet-stream Size: 990 bytes Desc: not available URL: From nmav at gnutls.org Thu Mar 6 19:26:31 2014 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Thu, 06 Mar 2014 19:26:31 +0100 Subject: [gnutls-devel] gnutls_openpgp_keyring_import() doesn't report the proper error if incorrect armor is used In-Reply-To: References: Message-ID: <1394130391.4163.10.camel@nomad.lan> On Mon, 2014-03-03 at 05:43 +0000, Ramkumar Chinchani wrote: > raw_len = written; > + if (raw_len == 0) { > + gnutls_assert(); > + err = GNUTLS_E_BASE64_DECODING_ERROR; > + goto error; > + } Applied, thank you. Nikos From nmav at gnutls.org Thu Mar 6 19:13:53 2014 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Thu, 06 Mar 2014 19:13:53 +0100 Subject: [gnutls-devel] Patch for checking string length on a potentially null string In-Reply-To: References: Message-ID: <1394129633.4163.9.camel@nomad.lan> On Wed, 2014-03-05 at 17:08 -0800, Jason Spafford wrote: > I read the guidelines and have satisfied all the requirements as far > as I know. I agree to the Developer's Certificate of Origin. Applied, thank you. Nikos From matthew.d.wood at intel.com Fri Mar 7 00:26:10 2014 From: matthew.d.wood at intel.com (Wood, Matthew D) Date: Thu, 6 Mar 2014 23:26:10 +0000 Subject: [gnutls-devel] Quick questions re: creating new crypto acceleration patch Message-ID: I?m investigating creating a patch that would add support for the upcoming Intel(R) SHA Extensions acceleration (http://software.intel.com/en-us/articles/intel-sha-extensions) to GuTLS. The instructions accelerate SHA-1 and SHA-256 in upcoming processors (e.g. Goldmont). I wanted to confirm my strategy and get your advice prior to heavy investment. 1. Create patch from the git master vs. the current stable branch (gnutls_3_2_x). I want to confirm this because I have not been able to successfully build the master without changes, while the stable branch builds without issues. I am using Ubuntu 13.10 64bit with all patches. note: The build on master fails related to ocsptool-args.h not having a build rule. Porting the src/Makefile.in change to the BUILT_SOURCES variable in the latest stable branch (removing headers in the list) solves the issue. 2. It appears that much of the assembly is linked in from OpenSSL. It doesn?t appear that the Intel SHA Extensions contributions to OpenSSL have made it into their release tree yet. Would you prefer to wait for a patch that follows this inclusion pattern or to have GnuTLS specific assembly code submitted? There is reference code from Intel at http://software.intel.com/en-us/articles/intel-sha-extensions-implementatio ns that would serve as my starting point if I were to create GnuTLS specific assembly. 3. When registering the optimized SHA implementations, the priority would be 70. The implementations optimized for SSE3 are currently 80, and the versions using the SHA extensions would be preferred. I would also need to make the following adjustment to current code: - gnutls_cpuid() would change to set ECX=0 prior to the cpuid instruction. Detecting support for the SHA instructions uses CPUID leaf 7, sub-leaf 0 (eax=7,ecx=0) and any other value in ecx returns zeros in all response registers. It would not change the interface to gnutls_cpuid(), just make it more robust. The timing of the patch would be sometime after the release of GCC 4.9.x and prior to the release of the supporting hardware. GCC 4.9.x supports the new SHA extensions, and is estimated to be released sometime around the end of this month. Thanks, Matt Wood From nmav at gnutls.org Fri Mar 7 08:07:49 2014 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Fri, 07 Mar 2014 08:07:49 +0100 Subject: [gnutls-devel] [PATCH 1/5] Update gnulib to fix build failures In-Reply-To: <1394174109-661-1-git-send-email-cernekee@gmail.com> References: <1394174109-661-1-git-send-email-cernekee@gmail.com> Message-ID: <1394176069.4157.19.camel@nomad.lan> On Thu, 2014-03-06 at 22:35 -0800, Kevin Cernekee wrote: > This fixes two problems: > > 1) read-file build failure on Android (upstream commit cb3c90598c1) > > 2) Missing inet_pton.c error during GnuTLS "make bootstrap": > > touch ChangeLog > test -f ./configure || AUTOPOINT=true autoreconf --install > missing file gl/tests/inet_pton.c > configure.ac:189: error: expected source file, required through AC_LIBSOURCES, not found > gl/m4/gnulib-comp.m4:203: gl_INIT is expanded from... > configure.ac:189: the top level > autom4te: /usr/bin/m4 failed with exit status: 1 > aclocal: error: echo failed with exit status: 1 > autoreconf: aclocal failed with exit status: 1 > make: *** [autoreconf] Error 1 Hello Kevin, Is that on latest master? I fixed some issue yesterday that was related to that. I'd like to remove all the gnulib networking code from gl/ and move it to src/gl/ as gl overwrites many system functions and makes it impossible the library to work in windows systems properly if the application using the library doesn't use gnulib too. btw. I do not have commit nr: cb3c90598c1 regards, Nikos From nmav at gnutls.org Fri Mar 7 08:11:34 2014 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Fri, 07 Mar 2014 08:11:34 +0100 Subject: [gnutls-devel] [PATCH 2/5] Fix build failures on autogen'ed docs In-Reply-To: <1394174109-661-2-git-send-email-cernekee@gmail.com> References: <1394174109-661-1-git-send-email-cernekee@gmail.com> <1394174109-661-2-git-send-email-cernekee@gmail.com> Message-ID: <1394176294.4157.22.camel@nomad.lan> On Thu, 2014-03-06 at 22:35 -0800, Kevin Cernekee wrote: > This change uses a '%'-style pattern to avoid duplication of similar > rules. '%' patterns are a GNU-ism but there is precedent in > guile/src/Makefile.am. Could we avoid the gnu-ism for that fix? I think the main library should be able to compile in a many systems as possible -meaning we have to use ugly makefile directives :(. regards, Nikos From nmav at gnutls.org Fri Mar 7 08:14:40 2014 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Fri, 07 Mar 2014 08:14:40 +0100 Subject: [gnutls-devel] [PATCH 3/5] doc: Fix enums.texi failure on out-of-tree builds In-Reply-To: <1394174109-661-3-git-send-email-cernekee@gmail.com> References: <1394174109-661-1-git-send-email-cernekee@gmail.com> <1394174109-661-3-git-send-email-cernekee@gmail.com> Message-ID: <1394176480.4157.24.camel@nomad.lan> On Thu, 2014-03-06 at 22:35 -0800, Kevin Cernekee wrote: > enums.texi is a generated file so we should not look for it in $(srcdir). > When we do, chaos ensues: Thank you. Applied (3-4). From nmav at gnutls.org Fri Mar 7 08:20:36 2014 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Fri, 07 Mar 2014 08:20:36 +0100 Subject: [gnutls-devel] [PATCH 5/5] Fix build failures involving doc/invoke-*.texi In-Reply-To: <1394174109-661-5-git-send-email-cernekee@gmail.com> References: <1394174109-661-1-git-send-email-cernekee@gmail.com> <1394174109-661-5-git-send-email-cernekee@gmail.com> Message-ID: <1394176836.4157.27.camel@nomad.lan> On Thu, 2014-03-06 at 22:35 -0800, Kevin Cernekee wrote: > Several problems were found in this area: > > 1) Currently, if SRC_DEF_* are undefined, autogen will get invoked with > no input file and it will hang forever waiting for content from stdin: > +$(AUTOGENED_GNUTLS_DOC) : invoke-gnutls-%.texi : $(top_srcdir)/src/%-args.def > + $(call autogen_common,$<,$@) I like the change, but I am thinking whether it makes sense to have gnu-isms for the documentation part. From nmav at gnutls.org Fri Mar 7 08:29:39 2014 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Fri, 07 Mar 2014 08:29:39 +0100 Subject: [gnutls-devel] Quick questions re: creating new crypto acceleration patch In-Reply-To: References: Message-ID: <1394177379.4157.36.camel@nomad.lan> On Thu, 2014-03-06 at 23:26 +0000, Wood, Matthew D wrote: > I?m investigating creating a patch that would add support for the upcoming > Intel(R) SHA Extensions acceleration > (http://software.intel.com/en-us/articles/intel-sha-extensions) to GuTLS. > The instructions accelerate SHA-1 and SHA-256 in upcoming processors (e.g. > Goldmont). I wanted to confirm my strategy and get your advice prior to > heavy investment. Hello Matthew, I think the best would be to have the additions in nettle directly, so that other projects using nettle benefit as well. If I remember well, the idea there was to have a constructor that will check for specific processor capabilities and set a variable (e.g., cpuid flags) which will be used during the execution to divert to the assembly optimized version. But for details you'll have to talk directly with the author (Niels). > 3. When registering the optimized SHA implementations, the priority would > be 70. The implementations optimized for SSE3 are currently 80, and the > versions using the SHA extensions would be preferred. The cipher overriding part in gnutls was created as an interim solution until nettle supports overriding ciphers at runtime. I'd like to add new ciphers in that, only if adding that capability to nettle isn't possible (or practical). In that case we can fallback to using the cipher overriding api in gnutls for the SHA optimizations. regards, Nikos From nmav at gnutls.org Fri Mar 7 08:50:21 2014 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Fri, 07 Mar 2014 08:50:21 +0100 Subject: [gnutls-devel] auditing gnutls Message-ID: <1394178621.4157.55.camel@nomad.lan> Hello, It seems there are more eyes looking at gnutls now, so to make things easier, here is a list of the parts of gnutls (and also libtasn1) that are exposed to network/untrusted data and have more need for auditing. If you are able to audit the code please check the master branch (see instructions at http://www.gnutls.org/devel.html ), and in case you are able to successfully audit one of the following paths, please edit the files reviewed and add a header under the author: 'Reviewed-By: Your Name (date)' or 'Reviewed X.509 certificate verfication: Your name (date)' Then make a patch with any changes you see fit (e.g. fixes or simplifications of complex code) and send it to this list (preferably) or to me directly. If you cannot audit, but you know others that want and can, please forward that mail to them. The reward for significant flaw finders is eternal fame, and a @gnutls.org email address. Note that there are people that have requested access to the coverity gnutls logs. These are for a very old gnutls version and they don't reveal anything that isn't also visible by clang's scan-build. ********* The list: ********* 1. X.509 certificate verification starting from gnutls_certificate_verify_peers3() - gnutls_cert.c (may require PKIX details from RFC5280) 2. X.509 certificate verification starting from gnutls_x509_trust_list_verify_crt() - x509/verify-high.c 3. X.509 certificate verification starting from gnutls_x509_trust_list_verify_named_crt() - x509/verify-high.c 4. TOFU certificate verification starting from gnutls_verify_stored_pubkey() - verify-tofu.c 5. TLS record parsing starting from gnutls_record_recv() to gnutls_decrypt() - gnutls_record.c / gnutls_cipher.c (may require TLS record details from RFC2246) 6. TLS handshake for RSA key exchange - gnutls_handshake() from gnutls_handshake.c and auth/rsa.c. (may require TLS details from rfc5246) 7. TLS handshake for DHE-RSA key exchange - gnutls_handshake() from gnutls_handshake.c and auth/dhe.c. (may require TLS details from rfc5246) 8. TLS handshake for ECDHE-ECDSA key exchange - gnutls_handshake() from gnutls_handshake.c and auth/ecdhe.c. (may require TLS details from rfc4492) 9 TLS handshake as a state machine starting from gnutls_handshake in gnutls_handshake.c. 10. Random generator starting from gnutls_rnd() / random.c, and nettle/rnd.c. This generator should work on multi-threaded systems and after fork. 11. X.509 certificate parsing at x509/x509.c. (may require PKIX details from RFC5280) 12. (X.509 certificate) DER decoding at libtasn1's asn1_der_decoding. Check code from the upstream repository at: https://www.gnu.org/software/libtasn1/ (that's a task for the brave) regards, Nikos From cernekee at gmail.com Fri Mar 7 07:35:08 2014 From: cernekee at gmail.com (Kevin Cernekee) Date: Thu, 6 Mar 2014 22:35:08 -0800 Subject: [gnutls-devel] [PATCH 4/5] Rename psk-args.def to psktool-args.def In-Reply-To: <1394174109-661-1-git-send-email-cernekee@gmail.com> References: <1394174109-661-1-git-send-email-cernekee@gmail.com> Message-ID: <1394174109-661-4-git-send-email-cernekee@gmail.com> Other utilities generate invoke-%.texi from %-args.def, but currently invoke-psktool.texi is generated from psk-args.def. If we make psktool conform to the same convention as the other utilities, we can use a generic pattern to handle all of them the same way. Signed-off-by: Kevin Cernekee --- .gitignore | 4 ++-- doc/manpages/Makefile.am | 2 +- src/Makefile.am | 4 ++-- src/psk.c | 2 +- src/{psk-args.def => psktool-args.def} | 0 5 files changed, 6 insertions(+), 6 deletions(-) rename src/{psk-args.def => psktool-args.def} (100%) diff --git a/.gitignore b/.gitignore index 31bc5f6..6b50937 100644 --- a/.gitignore +++ b/.gitignore @@ -662,8 +662,8 @@ src/ocsptool-args.c src/ocsptool-args.h src/p11tool-args.c src/p11tool-args.h -src/psk-args.c -src/psk-args.h +src/psktool-args.c +src/psktool-args.h src/serv-args.c src/serv-args.h src/srptool-args.c diff --git a/doc/manpages/Makefile.am b/doc/manpages/Makefile.am index 31d0d56..dfdf9ab 100644 --- a/doc/manpages/Makefile.am +++ b/doc/manpages/Makefile.am @@ -84,7 +84,7 @@ tpmtool.1: ../../src/tpmtool-args.def autogen -DMAN_SECTION=1 -Tagman-cmd.tpl "$<".tmp && \ rm -f "$<".tmp -psktool.1: ../../src/psk-args.def +psktool.1: ../../src/psktool-args.def -sed 's/@subheading $.*$/@*\n at var{\1}\n@*/' $< > "$<".tmp && \ autogen -DMAN_SECTION=1 -Tagman-cmd.tpl "$<".tmp && \ rm -f "$<".tmp diff --git a/src/Makefile.am b/src/Makefile.am index a14c021..fcb8e84 100644 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -20,7 +20,7 @@ SUBDIRS = gl BUILT_SOURCES = srptool-args.c srptool-args.h \ - psk-args.c psk-args.h ocsptool-args.h ocsptool-args.c \ + psktool-args.c psktool-args.h ocsptool-args.h ocsptool-args.c \ serv-args.c serv-args.h cli-args.c cli-args.h \ cli-debug-args.c cli-debug-args.h certtool-args.c certtool-args.h \ danetool-args.c danetool-args.h p11tool-args.c p11tool-args.h \ @@ -90,7 +90,7 @@ psktool_LDADD = ../lib/libgnutls.la libcmd-psk.la $(LIBOPTS) ../gl/libgnu.la psktool_LDADD += $(LTLIBINTL) gl/libgnu_gpl.la noinst_LTLIBRARIES += libcmd-psk.la libcmd_psk_la_CFLAGS = -libcmd_psk_la_SOURCES = psk-args.def psk-args.c psk-args.h +libcmd_psk_la_SOURCES = psktool-args.def psktool-args.c psktool-args.h if ENABLE_OCSP diff --git a/src/psk.c b/src/psk.c index 7bf7ae7..e7dba82 100644 --- a/src/psk.c +++ b/src/psk.c @@ -38,7 +38,7 @@ int main(int argc, char **argv) #include #include #include -#include +#include #include /* for random */ diff --git a/src/psk-args.def b/src/psktool-args.def similarity index 100% rename from src/psk-args.def rename to src/psktool-args.def -- 1.8.3.2 From cernekee at gmail.com Fri Mar 7 07:35:06 2014 From: cernekee at gmail.com (Kevin Cernekee) Date: Thu, 6 Mar 2014 22:35:06 -0800 Subject: [gnutls-devel] [PATCH 2/5] Fix build failures on autogen'ed docs In-Reply-To: <1394174109-661-1-git-send-email-cernekee@gmail.com> References: <1394174109-661-1-git-send-email-cernekee@gmail.com> Message-ID: <1394174109-661-2-git-send-email-cernekee@gmail.com> autogen needs to be invoked with $(srcdir)/-args.def or else it will not be able to find the input file if GnuTLS is built out of tree, e.g. mkdir build cd build ../configure make Also, add missing targets for %-args.h, to avoid this error: make[2]: Entering directory `/home/user/gnutls/src' autogen srptool-args.def autogen psk-args.def make[2]: *** No rule to make target `ocsptool-args.h', needed by `all'. Stop. make[2]: Leaving directory `/home/user/gnutls/src' make[1]: *** [all-recursive] Error 1 This change uses a '%'-style pattern to avoid duplication of similar rules. '%' patterns are a GNU-ism but there is precedent in guile/src/Makefile.am. Signed-off-by: Kevin Cernekee --- src/Makefile.am | 22 ++-------------------- 1 file changed, 2 insertions(+), 20 deletions(-) diff --git a/src/Makefile.am b/src/Makefile.am index a768f57..a14c021 100644 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -213,23 +213,5 @@ libcmd_tpmtool_la_LIBADD += $(LTLIBREADLINE) $(INET_PTON_LIB) $(LIB_CLOCK_GETTIM endif # ENABLE_TROUSERS -danetool-args.c: $(srcdir)/args-std.def $(srcdir)/danetool-args.def - -$(AUTOGEN) danetool-args.def -ocsptool-args.c: $(srcdir)/args-std.def $(srcdir)/ocsptool-args.def - -$(AUTOGEN) ocsptool-args.def -tpmtool-args.c: $(srcdir)/args-std.def $(srcdir)/tpmtool-args.def - -$(AUTOGEN) tpmtool-args.def -p11tool-args.c: $(srcdir)/args-std.def $(srcdir)/p11tool-args.def - -$(AUTOGEN) p11tool-args.def -psk-args.c: $(srcdir)/args-std.def $(srcdir)/psk-args.def - -$(AUTOGEN) psk-args.def -cli-debug-args.c: $(srcdir)/args-std.def $(srcdir)/cli-debug-args.def - -$(AUTOGEN) cli-debug-args.def -cli-args.c: $(srcdir)/args-std.def $(srcdir)/cli-args.def - -$(AUTOGEN) cli-args.def -serv-args.c: $(srcdir)/args-std.def $(srcdir)/serv-args.def - -$(AUTOGEN) serv-args.def -srptool-args.c: $(srcdir)/args-std.def $(srcdir)/srptool-args.def - -$(AUTOGEN) srptool-args.def -certtool-args.c: $(srcdir)/args-std.def $(srcdir)/certtool-args.def - -$(AUTOGEN) certtool-args.def +%-args.c %-args.h: $(srcdir)/%-args.def $(srcdir)/args-std.def + -$(AUTOGEN) $< -- 1.8.3.2 From cernekee at gmail.com Fri Mar 7 07:35:05 2014 From: cernekee at gmail.com (Kevin Cernekee) Date: Thu, 6 Mar 2014 22:35:05 -0800 Subject: [gnutls-devel] [PATCH 1/5] Update gnulib to fix build failures Message-ID: <1394174109-661-1-git-send-email-cernekee@gmail.com> This fixes two problems: 1) read-file build failure on Android (upstream commit cb3c90598c1) 2) Missing inet_pton.c error during GnuTLS "make bootstrap": touch ChangeLog test -f ./configure || AUTOPOINT=true autoreconf --install missing file gl/tests/inet_pton.c configure.ac:189: error: expected source file, required through AC_LIBSOURCES, not found gl/m4/gnulib-comp.m4:203: gl_INIT is expanded from... configure.ac:189: the top level autom4te: /usr/bin/m4 failed with exit status: 1 aclocal: error: echo failed with exit status: 1 autoreconf: aclocal failed with exit status: 1 make: *** [autoreconf] Error 1 Signed-off-by: Kevin Cernekee --- gl/tests/arpa_inet.in.h | 140 +++++++++++++++++++++++++ gl/tests/fd-hook.c | 116 +++++++++++++++++++++ gl/tests/fd-hook.h | 119 +++++++++++++++++++++ gl/tests/inet_pton.c | 268 ++++++++++++++++++++++++++++++++++++++++++++++++ gl/tests/sockets.c | 154 ++++++++++++++++++++++++++++ gl/tests/sockets.h | 62 +++++++++++ src/gl/stdint.in.h | 3 +- src/gl/sys_types.in.h | 2 + 8 files changed, 862 insertions(+), 2 deletions(-) create mode 100644 gl/tests/arpa_inet.in.h create mode 100644 gl/tests/fd-hook.c create mode 100644 gl/tests/fd-hook.h create mode 100644 gl/tests/inet_pton.c create mode 100644 gl/tests/sockets.c create mode 100644 gl/tests/sockets.h diff --git a/gl/tests/arpa_inet.in.h b/gl/tests/arpa_inet.in.h new file mode 100644 index 0000000..b8c2e18 --- /dev/null +++ b/gl/tests/arpa_inet.in.h @@ -0,0 +1,140 @@ +/* A GNU-like . + + Copyright (C) 2005-2006, 2008-2014 Free Software Foundation, Inc. + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3, or (at your option) + any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, see . */ + +#ifndef _ at GUARD_PREFIX@_ARPA_INET_H + +#if __GNUC__ >= 3 + at PRAGMA_SYSTEM_HEADER@ +#endif + at PRAGMA_COLUMNS@ + +#if @HAVE_FEATURES_H@ +# include /* for __GLIBC__ */ +#endif + +/* Gnulib's sys/socket.h is responsible for defining socklen_t (used below) and + for pulling in winsock2.h etc. under MinGW. + But avoid namespace pollution on glibc systems. */ +#ifndef __GLIBC__ +# include +#endif + +/* On NonStop Kernel, inet_ntop and inet_pton are declared in . + But avoid namespace pollution on glibc systems. */ +#if defined __TANDEM && !defined __GLIBC__ +# include +#endif + +#if @HAVE_ARPA_INET_H@ + +/* The include_next requires a split double-inclusion guard. */ +# @INCLUDE_NEXT@ @NEXT_ARPA_INET_H@ + +#endif + +#ifndef _ at GUARD_PREFIX@_ARPA_INET_H +#define _ at GUARD_PREFIX@_ARPA_INET_H + +/* The definitions of _GL_FUNCDECL_RPL etc. are copied here. */ + +/* The definition of _GL_ARG_NONNULL is copied here. */ + +/* The definition of _GL_WARN_ON_USE is copied here. */ + + +#if @GNULIB_INET_NTOP@ +/* Converts an internet address from internal format to a printable, + presentable format. + AF is an internet address family, such as AF_INET or AF_INET6. + SRC points to a 'struct in_addr' (for AF_INET) or 'struct in6_addr' + (for AF_INET6). + DST points to a buffer having room for CNT bytes. + The printable representation of the address (in numeric form, not + surrounded by [...], no reverse DNS is done) is placed in DST, and + DST is returned. If an error occurs, the return value is NULL and + errno is set. If CNT bytes are not sufficient to hold the result, + the return value is NULL and errno is set to ENOSPC. A good value + for CNT is 46. + + For more details, see the POSIX:2001 specification + . */ +# if @REPLACE_INET_NTOP@ +# if !(defined __cplusplus && defined GNULIB_NAMESPACE) +# undef inet_ntop +# define inet_ntop rpl_inet_ntop +# endif +_GL_FUNCDECL_RPL (inet_ntop, const char *, + (int af, const void *restrict src, + char *restrict dst, socklen_t cnt) + _GL_ARG_NONNULL ((2, 3))); +_GL_CXXALIAS_RPL (inet_ntop, const char *, + (int af, const void *restrict src, + char *restrict dst, socklen_t cnt)); +# else +# if !@HAVE_DECL_INET_NTOP@ +_GL_FUNCDECL_SYS (inet_ntop, const char *, + (int af, const void *restrict src, + char *restrict dst, socklen_t cnt) + _GL_ARG_NONNULL ((2, 3))); +# endif +/* Need to cast, because on NonStop Kernel, the fourth parameter is + size_t cnt. */ +_GL_CXXALIAS_SYS_CAST (inet_ntop, const char *, + (int af, const void *restrict src, + char *restrict dst, socklen_t cnt)); +# endif +_GL_CXXALIASWARN (inet_ntop); +#elif defined GNULIB_POSIXCHECK +# undef inet_ntop +# if HAVE_RAW_DECL_INET_NTOP +_GL_WARN_ON_USE (inet_ntop, "inet_ntop is unportable - " + "use gnulib module inet_ntop for portability"); +# endif +#endif + +#if @GNULIB_INET_PTON@ +# if @REPLACE_INET_PTON@ +# if !(defined __cplusplus && defined GNULIB_NAMESPACE) +# undef inet_pton +# define inet_pton rpl_inet_pton +# endif +_GL_FUNCDECL_RPL (inet_pton, int, + (int af, const char *restrict src, void *restrict dst) + _GL_ARG_NONNULL ((2, 3))); +_GL_CXXALIAS_RPL (inet_pton, int, + (int af, const char *restrict src, void *restrict dst)); +# else +# if !@HAVE_DECL_INET_PTON@ +_GL_FUNCDECL_SYS (inet_pton, int, + (int af, const char *restrict src, void *restrict dst) + _GL_ARG_NONNULL ((2, 3))); +# endif +_GL_CXXALIAS_SYS (inet_pton, int, + (int af, const char *restrict src, void *restrict dst)); +# endif +_GL_CXXALIASWARN (inet_pton); +#elif defined GNULIB_POSIXCHECK +# undef inet_pton +# if HAVE_RAW_DECL_INET_PTON +_GL_WARN_ON_USE (inet_pton, "inet_pton is unportable - " + "use gnulib module inet_pton for portability"); +# endif +#endif + + +#endif /* _ at GUARD_PREFIX@_ARPA_INET_H */ +#endif /* _ at GUARD_PREFIX@_ARPA_INET_H */ diff --git a/gl/tests/fd-hook.c b/gl/tests/fd-hook.c new file mode 100644 index 0000000..0171cc6 --- /dev/null +++ b/gl/tests/fd-hook.c @@ -0,0 +1,116 @@ +/* Hook for making making file descriptor functions close(), ioctl() extensible. + Copyright (C) 2009-2014 Free Software Foundation, Inc. + Written by Bruno Haible , 2009. + + This program is free software: you can redistribute it and/or modify it + under the terms of the GNU General Public License as published + by the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . */ + +#include + +/* Specification. */ +#include "fd-hook.h" + +#include + +/* Currently, this entire code is only needed for the handling of sockets + on native Windows platforms. */ +#if WINDOWS_SOCKETS + +/* The first and last link in the doubly linked list. + Initially the list is empty. */ +static struct fd_hook anchor = { &anchor, &anchor, NULL, NULL }; + +int +execute_close_hooks (const struct fd_hook *remaining_list, gl_close_fn primary, + int fd) +{ + if (remaining_list == &anchor) + /* End of list reached. */ + return primary (fd); + else + return remaining_list->private_close_fn (remaining_list->private_next, + primary, fd); +} + +int +execute_all_close_hooks (gl_close_fn primary, int fd) +{ + return execute_close_hooks (anchor.private_next, primary, fd); +} + +int +execute_ioctl_hooks (const struct fd_hook *remaining_list, gl_ioctl_fn primary, + int fd, int request, void *arg) +{ + if (remaining_list == &anchor) + /* End of list reached. */ + return primary (fd, request, arg); + else + return remaining_list->private_ioctl_fn (remaining_list->private_next, + primary, fd, request, arg); +} + +int +execute_all_ioctl_hooks (gl_ioctl_fn primary, + int fd, int request, void *arg) +{ + return execute_ioctl_hooks (anchor.private_next, primary, fd, request, arg); +} + +void +register_fd_hook (close_hook_fn close_hook, ioctl_hook_fn ioctl_hook, struct fd_hook *link) +{ + if (close_hook == NULL) + close_hook = execute_close_hooks; + if (ioctl_hook == NULL) + ioctl_hook = execute_ioctl_hooks; + + if (link->private_next == NULL && link->private_prev == NULL) + { + /* Add the link to the doubly linked list. */ + link->private_next = anchor.private_next; + link->private_prev = &anchor; + link->private_close_fn = close_hook; + link->private_ioctl_fn = ioctl_hook; + anchor.private_next->private_prev = link; + anchor.private_next = link; + } + else + { + /* The link is already in use. */ + if (link->private_close_fn != close_hook + || link->private_ioctl_fn != ioctl_hook) + abort (); + } +} + +void +unregister_fd_hook (struct fd_hook *link) +{ + struct fd_hook *next = link->private_next; + struct fd_hook *prev = link->private_prev; + + if (next != NULL && prev != NULL) + { + /* The link is in use. Remove it from the doubly linked list. */ + prev->private_next = next; + next->private_prev = prev; + /* Clear the link, to mark it unused. */ + link->private_next = NULL; + link->private_prev = NULL; + link->private_close_fn = NULL; + link->private_ioctl_fn = NULL; + } +} + +#endif diff --git a/gl/tests/fd-hook.h b/gl/tests/fd-hook.h new file mode 100644 index 0000000..1aa264e --- /dev/null +++ b/gl/tests/fd-hook.h @@ -0,0 +1,119 @@ +/* Hook for making making file descriptor functions close(), ioctl() extensible. + Copyright (C) 2009-2014 Free Software Foundation, Inc. + + This program is free software: you can redistribute it and/or modify it + under the terms of the GNU General Public License as published + by the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . */ + + +#ifndef FD_HOOK_H +#define FD_HOOK_H + +#ifdef __cplusplus +extern "C" { +#endif + + +/* Currently, this entire code is only needed for the handling of sockets + on native Windows platforms. */ +#if WINDOWS_SOCKETS + + +/* Type of function that closes FD. */ +typedef int (*gl_close_fn) (int fd); + +/* Type of function that applies a control request to FD. */ +typedef int (*gl_ioctl_fn) (int fd, int request, void *arg); + +/* An element of the list of file descriptor hooks. + In CLOS (Common Lisp Object System) speak, it consists of an "around" + method for the close() function and an "around" method for the ioctl() + function. + The fields of this structure are considered private. */ +struct fd_hook +{ + /* Doubly linked list. */ + struct fd_hook *private_next; + struct fd_hook *private_prev; + /* Function that treats the types of FD that it knows about and calls + execute_close_hooks (REMAINING_LIST, PRIMARY, FD) as a fallback. */ + int (*private_close_fn) (const struct fd_hook *remaining_list, + gl_close_fn primary, + int fd); + /* Function that treats the types of FD that it knows about and calls + execute_ioctl_hooks (REMAINING_LIST, PRIMARY, FD, REQUEST, ARG) as a + fallback. */ + int (*private_ioctl_fn) (const struct fd_hook *remaining_list, + gl_ioctl_fn primary, + int fd, int request, void *arg); +}; + +/* This type of function closes FD, applying special knowledge for the FD + types it knows about, and calls + execute_close_hooks (REMAINING_LIST, PRIMARY, FD) + for the other FD types. + In CLOS speak, REMAINING_LIST is the remaining list of "around" methods, + and PRIMARY is the "primary" method for close(). */ +typedef int (*close_hook_fn) (const struct fd_hook *remaining_list, + gl_close_fn primary, + int fd); + +/* Execute the close hooks in REMAINING_LIST, with PRIMARY as "primary" method. + Return 0 or -1, like close() would do. */ +extern int execute_close_hooks (const struct fd_hook *remaining_list, + gl_close_fn primary, + int fd); + +/* Execute all close hooks, with PRIMARY as "primary" method. + Return 0 or -1, like close() would do. */ +extern int execute_all_close_hooks (gl_close_fn primary, int fd); + +/* This type of function applies a control request to FD, applying special + knowledge for the FD types it knows about, and calls + execute_ioctl_hooks (REMAINING_LIST, PRIMARY, FD, REQUEST, ARG) + for the other FD types. + In CLOS speak, REMAINING_LIST is the remaining list of "around" methods, + and PRIMARY is the "primary" method for ioctl(). */ +typedef int (*ioctl_hook_fn) (const struct fd_hook *remaining_list, + gl_ioctl_fn primary, + int fd, int request, void *arg); + +/* Execute the ioctl hooks in REMAINING_LIST, with PRIMARY as "primary" method. + Return 0 or -1, like ioctl() would do. */ +extern int execute_ioctl_hooks (const struct fd_hook *remaining_list, + gl_ioctl_fn primary, + int fd, int request, void *arg); + +/* Execute all ioctl hooks, with PRIMARY as "primary" method. + Return 0 or -1, like ioctl() would do. */ +extern int execute_all_ioctl_hooks (gl_ioctl_fn primary, + int fd, int request, void *arg); + +/* Add a function pair to the list of file descriptor hooks. + CLOSE_HOOK and IOCTL_HOOK may be NULL, indicating no change. + The LINK variable points to a piece of memory which is guaranteed to be + accessible until the corresponding call to unregister_fd_hook. */ +extern void register_fd_hook (close_hook_fn close_hook, ioctl_hook_fn ioctl_hook, + struct fd_hook *link); + +/* Removes a hook from the list of file descriptor hooks. */ +extern void unregister_fd_hook (struct fd_hook *link); + + +#endif + + +#ifdef __cplusplus +} +#endif + +#endif /* FD_HOOK_H */ diff --git a/gl/tests/inet_pton.c b/gl/tests/inet_pton.c new file mode 100644 index 0000000..e9703a7 --- /dev/null +++ b/gl/tests/inet_pton.c @@ -0,0 +1,268 @@ +/* inet_pton.c -- convert IPv4 and IPv6 addresses from text to binary form + + Copyright (C) 2006, 2008-2014 Free Software Foundation, Inc. + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . */ + +/* + * Copyright (c) 1996,1999 by Internet Software Consortium. + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS + * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE + * CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL + * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR + * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS + * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS + * SOFTWARE. + */ + +#include + +/* Specification. */ +#include + +#if HAVE_DECL_INET_PTON + +# undef inet_pton + +int +rpl_inet_pton (int af, const char *restrict src, void *restrict dst) +{ + return inet_pton (af, src, dst); +} + +#else + +# include +# include +# include + +# define NS_INADDRSZ 4 +# define NS_IN6ADDRSZ 16 +# define NS_INT16SZ 2 + +/* + * WARNING: Don't even consider trying to compile this on a system where + * sizeof(int) < 4. sizeof(int) > 4 is fine; all the world's not a VAX. + */ + +static int inet_pton4 (const char *src, unsigned char *dst); +# if HAVE_IPV6 +static int inet_pton6 (const char *src, unsigned char *dst); +# endif + +/* int + * inet_pton(af, src, dst) + * convert from presentation format (which usually means ASCII printable) + * to network format (which is usually some kind of binary format). + * return: + * 1 if the address was valid for the specified address family + * 0 if the address wasn't valid ('dst' is untouched in this case) + * -1 if some other error occurred ('dst' is untouched in this case, too) + * author: + * Paul Vixie, 1996. + */ +int +inet_pton (int af, const char *restrict src, void *restrict dst) +{ + switch (af) + { + case AF_INET: + return (inet_pton4 (src, dst)); + +# if HAVE_IPV6 + case AF_INET6: + return (inet_pton6 (src, dst)); +# endif + + default: + errno = EAFNOSUPPORT; + return (-1); + } + /* NOTREACHED */ +} + +/* int + * inet_pton4(src, dst) + * like inet_aton() but without all the hexadecimal, octal (with the + * exception of 0) and shorthand. + * return: + * 1 if 'src' is a valid dotted quad, else 0. + * notice: + * does not touch 'dst' unless it's returning 1. + * author: + * Paul Vixie, 1996. + */ +static int +inet_pton4 (const char *restrict src, unsigned char *restrict dst) +{ + int saw_digit, octets, ch; + unsigned char tmp[NS_INADDRSZ], *tp; + + saw_digit = 0; + octets = 0; + *(tp = tmp) = 0; + while ((ch = *src++) != '\0') + { + + if (ch >= '0' && ch <= '9') + { + unsigned new = *tp * 10 + (ch - '0'); + + if (saw_digit && *tp == 0) + return (0); + if (new > 255) + return (0); + *tp = new; + if (!saw_digit) + { + if (++octets > 4) + return (0); + saw_digit = 1; + } + } + else if (ch == '.' && saw_digit) + { + if (octets == 4) + return (0); + *++tp = 0; + saw_digit = 0; + } + else + return (0); + } + if (octets < 4) + return (0); + memcpy (dst, tmp, NS_INADDRSZ); + return (1); +} + +# if HAVE_IPV6 + +/* int + * inet_pton6(src, dst) + * convert presentation level address to network order binary form. + * return: + * 1 if 'src' is a valid [RFC1884 2.2] address, else 0. + * notice: + * (1) does not touch 'dst' unless it's returning 1. + * (2) :: in a full address is silently ignored. + * credit: + * inspired by Mark Andrews. + * author: + * Paul Vixie, 1996. + */ +static int +inet_pton6 (const char *restrict src, unsigned char *restrict dst) +{ + static const char xdigits[] = "0123456789abcdef"; + unsigned char tmp[NS_IN6ADDRSZ], *tp, *endp, *colonp; + const char *curtok; + int ch, saw_xdigit; + unsigned val; + + tp = memset (tmp, '\0', NS_IN6ADDRSZ); + endp = tp + NS_IN6ADDRSZ; + colonp = NULL; + /* Leading :: requires some special handling. */ + if (*src == ':') + if (*++src != ':') + return (0); + curtok = src; + saw_xdigit = 0; + val = 0; + while ((ch = c_tolower (*src++)) != '\0') + { + const char *pch; + + pch = strchr (xdigits, ch); + if (pch != NULL) + { + val <<= 4; + val |= (pch - xdigits); + if (val > 0xffff) + return (0); + saw_xdigit = 1; + continue; + } + if (ch == ':') + { + curtok = src; + if (!saw_xdigit) + { + if (colonp) + return (0); + colonp = tp; + continue; + } + else if (*src == '\0') + { + return (0); + } + if (tp + NS_INT16SZ > endp) + return (0); + *tp++ = (u_char) (val >> 8) & 0xff; + *tp++ = (u_char) val & 0xff; + saw_xdigit = 0; + val = 0; + continue; + } + if (ch == '.' && ((tp + NS_INADDRSZ) <= endp) && + inet_pton4 (curtok, tp) > 0) + { + tp += NS_INADDRSZ; + saw_xdigit = 0; + break; /* '\0' was seen by inet_pton4(). */ + } + return (0); + } + if (saw_xdigit) + { + if (tp + NS_INT16SZ > endp) + return (0); + *tp++ = (u_char) (val >> 8) & 0xff; + *tp++ = (u_char) val & 0xff; + } + if (colonp != NULL) + { + /* + * Since some memmove()'s erroneously fail to handle + * overlapping regions, we'll do the shift by hand. + */ + const int n = tp - colonp; + int i; + + if (tp == endp) + return (0); + for (i = 1; i <= n; i++) + { + endp[-i] = colonp[n - i]; + colonp[n - i] = 0; + } + tp = endp; + } + if (tp != endp) + return (0); + memcpy (dst, tmp, NS_IN6ADDRSZ); + return (1); +} + +# endif + +#endif diff --git a/gl/tests/sockets.c b/gl/tests/sockets.c new file mode 100644 index 0000000..962c578 --- /dev/null +++ b/gl/tests/sockets.c @@ -0,0 +1,154 @@ +/* sockets.c --- wrappers for Windows socket functions + + Copyright (C) 2008-2014 Free Software Foundation, Inc. + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . */ + +/* Written by Simon Josefsson */ + +#include + +/* Specification. */ +#include "sockets.h" + +#if WINDOWS_SOCKETS + +/* This includes winsock2.h on MinGW. */ +# include + +# include "fd-hook.h" +# include "msvc-nothrow.h" + +/* Get set_winsock_errno, FD_TO_SOCKET etc. */ +# include "w32sock.h" + +static int +close_fd_maybe_socket (const struct fd_hook *remaining_list, + gl_close_fn primary, + int fd) +{ + /* Note about multithread-safety: There is a race condition where, between + our calls to closesocket() and the primary close(), some other thread + could make system calls that allocate precisely the same HANDLE value + as sock; then the primary close() would call CloseHandle() on it. */ + SOCKET sock; + WSANETWORKEVENTS ev; + + /* Test whether fd refers to a socket. */ + sock = FD_TO_SOCKET (fd); + ev.lNetworkEvents = 0xDEADBEEF; + WSAEnumNetworkEvents (sock, NULL, &ev); + if (ev.lNetworkEvents != 0xDEADBEEF) + { + /* fd refers to a socket. */ + /* FIXME: other applications, like squid, use an undocumented + _free_osfhnd free function. But this is not enough: The 'osfile' + flags for fd also needs to be cleared, but it is hard to access it. + Instead, here we just close twice the file descriptor. */ + if (closesocket (sock)) + { + set_winsock_errno (); + return -1; + } + else + { + /* This call frees the file descriptor and does a + CloseHandle ((HANDLE) _get_osfhandle (fd)), which fails. */ + _close (fd); + return 0; + } + } + else + /* Some other type of file descriptor. */ + return execute_close_hooks (remaining_list, primary, fd); +} + +static int +ioctl_fd_maybe_socket (const struct fd_hook *remaining_list, + gl_ioctl_fn primary, + int fd, int request, void *arg) +{ + SOCKET sock; + WSANETWORKEVENTS ev; + + /* Test whether fd refers to a socket. */ + sock = FD_TO_SOCKET (fd); + ev.lNetworkEvents = 0xDEADBEEF; + WSAEnumNetworkEvents (sock, NULL, &ev); + if (ev.lNetworkEvents != 0xDEADBEEF) + { + /* fd refers to a socket. */ + if (ioctlsocket (sock, request, arg) < 0) + { + set_winsock_errno (); + return -1; + } + else + return 0; + } + else + /* Some other type of file descriptor. */ + return execute_ioctl_hooks (remaining_list, primary, fd, request, arg); +} + +static struct fd_hook fd_sockets_hook; + +static int initialized_sockets_version /* = 0 */; + +#endif /* WINDOWS_SOCKETS */ + +int +gl_sockets_startup (int version _GL_UNUSED) +{ +#if WINDOWS_SOCKETS + if (version > initialized_sockets_version) + { + WSADATA data; + int err; + + err = WSAStartup (version, &data); + if (err != 0) + return 1; + + if (data.wVersion < version) + return 2; + + if (initialized_sockets_version == 0) + register_fd_hook (close_fd_maybe_socket, ioctl_fd_maybe_socket, + &fd_sockets_hook); + + initialized_sockets_version = version; + } +#endif + + return 0; +} + +int +gl_sockets_cleanup (void) +{ +#if WINDOWS_SOCKETS + int err; + + initialized_sockets_version = 0; + + unregister_fd_hook (&fd_sockets_hook); + + err = WSACleanup (); + if (err != 0) + return 1; +#endif + + return 0; +} diff --git a/gl/tests/sockets.h b/gl/tests/sockets.h new file mode 100644 index 0000000..0bee1dd --- /dev/null +++ b/gl/tests/sockets.h @@ -0,0 +1,62 @@ +/* sockets.h - wrappers for Windows socket functions + + Copyright (C) 2008-2014 Free Software Foundation, Inc. + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . */ + +/* Written by Simon Josefsson */ + +#ifndef SOCKETS_H +# define SOCKETS_H 1 + +#define SOCKETS_1_0 0x100 /* don't use - does not work on Windows XP */ +#define SOCKETS_1_1 0x101 +#define SOCKETS_2_0 0x200 /* don't use - does not work on Windows XP */ +#define SOCKETS_2_1 0x201 +#define SOCKETS_2_2 0x202 + +int gl_sockets_startup (int version) +#if !WINDOWS_SOCKETS + _GL_ATTRIBUTE_CONST +#endif + ; + +int gl_sockets_cleanup (void) +#if !WINDOWS_SOCKETS + _GL_ATTRIBUTE_CONST +#endif + ; + +/* This function is useful it you create a socket using gnulib's + Winsock wrappers but needs to pass on the socket handle to some + other library that only accepts sockets. */ +#if WINDOWS_SOCKETS + +#include + +#include "msvc-nothrow.h" + +static inline SOCKET +gl_fd_to_handle (int fd) +{ + return _get_osfhandle (fd); +} + +#else + +#define gl_fd_to_handle(x) (x) + +#endif /* WINDOWS_SOCKETS */ + +#endif /* SOCKETS_H */ diff --git a/src/gl/stdint.in.h b/src/gl/stdint.in.h index 5deca39..247f0d8 100644 --- a/src/gl/stdint.in.h +++ b/src/gl/stdint.in.h @@ -38,8 +38,7 @@ other system header files; just include the system's . Ideally we should test __BIONIC__ here, but it is only defined after has been included; hence test __ANDROID__ instead. */ -#if defined __ANDROID__ \ - && defined _SYS_TYPES_H_ && !defined __need_size_t +#if defined __ANDROID__ && defined _GL_INCLUDING_SYS_TYPES_H # @INCLUDE_NEXT@ @NEXT_STDINT_H@ #else diff --git a/src/gl/sys_types.in.h b/src/gl/sys_types.in.h index d3a4be1..deb5d67 100644 --- a/src/gl/sys_types.in.h +++ b/src/gl/sys_types.in.h @@ -23,7 +23,9 @@ #ifndef _ at GUARD_PREFIX@_SYS_TYPES_H /* The include_next requires a split double-inclusion guard. */ +# define _GL_INCLUDING_SYS_TYPES_H #@INCLUDE_NEXT@ @NEXT_SYS_TYPES_H@ +# undef _GL_INCLUDING_SYS_TYPES_H #ifndef _ at GUARD_PREFIX@_SYS_TYPES_H #define _ at GUARD_PREFIX@_SYS_TYPES_H -- 1.8.3.2 From cernekee at gmail.com Fri Mar 7 07:35:09 2014 From: cernekee at gmail.com (Kevin Cernekee) Date: Thu, 6 Mar 2014 22:35:09 -0800 Subject: [gnutls-devel] [PATCH 5/5] Fix build failures involving doc/invoke-*.texi In-Reply-To: <1394174109-661-1-git-send-email-cernekee@gmail.com> References: <1394174109-661-1-git-send-email-cernekee@gmail.com> Message-ID: <1394174109-661-5-git-send-email-cernekee@gmail.com> Several problems were found in this area: 1) Currently, if SRC_DEF_* are undefined, autogen will get invoked with no input file and it will hang forever waiting for content from stdin: mv -f enums.texi-tmp enums.texi mkdir enums ../../doc/scripts/split-texi.pl enums enum < enums.texi echo stamp_enums > stamp_enums cd ../src/ && autogen -Tagtexi-cmd.tpl && \ rm -f ../doc/invoke-gnutls-cli.texi && \ ../doc/scripts/cleanup-autogen.pl <../src/invoke-gnutls-cli.texi >../doc/invoke-gnutls-cli.texi.tmp && \ mv -f ../doc/invoke-gnutls-cli.texi.tmp ../doc/invoke-gnutls-cli.texi && \ rm -f ../src/invoke-gnutls-cli.texi Since these documents are @include'd by other documents, it is probably a good idea to make sure the targets are buildable in case they get listed as prerequisites. 2) SRC_DEF_* used relative paths which are correct for an in-place build, but incorrect for an out-of-tree build. They should use something like $(top_srcdir)/src to resolve the ambiguity. 3) cleanup-autogen.pl was also referenced using a relative pathname, breaking out-of-tree builds. 4) Copy&paste targets that could be replaced with simple patterns. Signed-off-by: Kevin Cernekee --- doc/Makefile.am | 141 ++++++++++++-------------------------------------------- 1 file changed, 30 insertions(+), 111 deletions(-) diff --git a/doc/Makefile.am b/doc/Makefile.am index 7c33cfa..a876845 100644 --- a/doc/Makefile.am +++ b/doc/Makefile.am @@ -32,112 +32,36 @@ endif -include $(top_srcdir)/doc/doc.mk -SRC_DEF_CLI = -SRC_DEF_CLI_DEBUG = -SRC_DEF_SERV = -SRC_DEF_CERTTOOL = -SRC_DEF_OCSPTOOL = -SRC_DEF_DANETOOL = -SRC_DEF_SRPTOOL = -SRC_DEF_PSKTOOL = -SRC_DEF_P11TOOL = -SRC_DEF_TPMTOOL = -if WANT_TEST_SUITE -SRC_DEF_CLI += ../src/cli-args.def -SRC_DEF_CLI_DEBUG += ../src/cli-debug-args.def -SRC_DEF_SERV += ../src/serv-args.def -SRC_DEF_CERTTOOL += ../src/certtool-args.def -SRC_DEF_OCSPTOOL += ../src/ocsptool-args.def -SRC_DEF_DANETOOL += ../src/danetool-args.def -SRC_DEF_SRPTOOL += ../src/srptool-args.def -SRC_DEF_PSKTOOL += ../src/psk-args.def -SRC_DEF_P11TOOL += ../src/p11tool-args.def -SRC_DEF_TPMTOOL += ../src/tpmtool-args.def -endif - -invoke-gnutls-cli.texi: $(SRC_DEF_CLI) - -cd ../src/ && $(AUTOGEN) -Tagtexi-cmd.tpl $< && \ - rm -f ../doc/$@ && \ - ../doc/scripts/cleanup-autogen.pl <../src/$@ >../doc/$@.tmp && \ - mv -f ../doc/$@.tmp ../doc/$@ && \ - rm -f ../src/$@ - -invoke-gnutls-cli-debug.texi: $(SRC_DEF_CLI_DEBUG) invoke-gnutls-cli.texi - -cd ../src/ && $(AUTOGEN) -Tagtexi-cmd.tpl $< && \ - rm -f ../doc/$@ && \ - ../doc/scripts/cleanup-autogen.pl <../src/$@ >../doc/$@.tmp && \ - mv -f ../doc/$@.tmp ../doc/$@ && \ - rm -f ../src/$@ - -invoke-gnutls-serv.texi: $(SRC_DEF_SERV) invoke-gnutls-cli-debug.texi - -cd ../src/ && $(AUTOGEN) -Tagtexi-cmd.tpl $< && \ - rm -f ../doc/$@ && \ - ../doc/scripts/cleanup-autogen.pl <../src/$@ >../doc/$@.tmp && \ - mv -f ../doc/$@.tmp ../doc/$@ && \ - rm -f ../src/$@ - -invoke-certtool.texi: $(SRC_DEF_CERTTOOL) invoke-gnutls-serv.texi - -cd ../src/ && $(AUTOGEN) -Tagtexi-cmd.tpl $< && \ - rm -f ../doc/$@ && \ - ../doc/scripts/cleanup-autogen.pl <../src/$@ >../doc/$@.tmp && \ - mv -f ../doc/$@.tmp ../doc/$@ && \ - rm -f ../src/$@ && \ - sed -i 's/@subheading/@subsubheading/g' ../doc/$@ && \ - sed -i 's/@section/@subsection/g' ../doc/$@ - -invoke-ocsptool.texi: $(SRC_DEF_OCSPTOOL) invoke-certtool.texi - -cd ../src/ && $(AUTOGEN) -Tagtexi-cmd.tpl $< && \ - rm -f ../doc/$@ && \ - ../doc/scripts/cleanup-autogen.pl <../src/$@ >../doc/$@.tmp && \ - mv -f ../doc/$@.tmp ../doc/$@ && \ - rm -f ../src/$@ && \ - sed -i 's/@subheading/@subsubheading/g' ../doc/$@ && \ - sed -i 's/@section/@subsection/g' ../doc/$@ - -invoke-danetool.texi: $(SRC_DEF_DANETOOL) invoke-ocsptool.texi - -cd ../src/ && $(AUTOGEN) -Tagtexi-cmd.tpl $< && \ - rm -f ../doc/$@ && \ - ../doc/scripts/cleanup-autogen.pl <../src/$@ >../doc/$@.tmp && \ - mv -f ../doc/$@.tmp ../doc/$@ && \ - rm -f ../src/$@ && \ - sed -i 's/@subheading/@subsubheading/g' ../doc/$@ && \ - sed -i 's/@section/@subsection/g' ../doc/$@ - -invoke-srptool.texi: $(SRC_DEF_SRPTOOL) invoke-danetool.texi - -cd ../src/ && $(AUTOGEN) -Tagtexi-cmd.tpl $< && \ - rm -f ../doc/$@ && \ - ../doc/scripts/cleanup-autogen.pl <../src/$@ >../doc/$@.tmp && \ - mv -f ../doc/$@.tmp ../doc/$@ && \ - rm -f ../src/$@ && \ - sed -i 's/@subheading/@subsubheading/g' ../doc/$@ && \ - sed -i 's/@section/@subsubsection/g' ../doc/$@ - -invoke-psktool.texi: $(SRC_DEF_PSKTOOL) invoke-srptool.texi - -cd ../src/ && $(AUTOGEN) -Tagtexi-cmd.tpl $< && \ - rm -f ../doc/$@ && \ - ../doc/scripts/cleanup-autogen.pl <../src/$@ >../doc/$@.tmp && \ - mv -f ../doc/$@.tmp ../doc/$@ && \ - rm -f ../src/$@ && \ - sed -i 's/@subheading/@subsubheading/g' ../doc/$@ && \ - sed -i 's/@section/@subsubsection/g' ../doc/$@ - -invoke-p11tool.texi: $(SRC_DEF_P11TOOL) invoke-psktool.texi - -cd ../src/ && $(AUTOGEN) -Tagtexi-cmd.tpl $< && \ - rm -f ../doc/$@ && \ - ../doc/scripts/cleanup-autogen.pl <../src/$@ >../doc/$@.tmp && \ - mv -f ../doc/$@.tmp ../doc/$@ && \ - rm -f ../src/$@ && \ - sed -i 's/@subheading/@subsubheading/g' ../doc/$@ && \ - sed -i 's/@section/@subsection/g' ../doc/$@ - -invoke-tpmtool.texi: $(SRC_DEF_TPMTOOL) invoke-p11tool.texi - -cd ../src/ && $(AUTOGEN) -Tagtexi-cmd.tpl $< && \ - rm -f ../doc/$@ && \ - ../doc/scripts/cleanup-autogen.pl <../src/$@ >../doc/$@.tmp && \ - mv -f ../doc/$@.tmp ../doc/$@ && \ - rm -f ../src/$@ && \ - sed -i 's/@subheading/@subsubheading/g' ../doc/$@ && \ - sed -i 's/@section/@subsection/g' ../doc/$@ +AUTOGENED_GNUTLS_DOC = invoke-gnutls-cli.texi invoke-gnutls-cli-debug.texi \ + invoke-gnutls-serv.texi +AUTOGENED_UTIL0_DOC = invoke-certtool.texi invoke-ocsptool.texi \ + invoke-p11tool.texi invoke-tpmtool.texi invoke-danetool.texi +AUTOGENED_UTIL1_DOC = invoke-psktool.texi invoke-srptool.texi + +AUTOGENED_DOC = $(AUTOGENED_GNUTLS_DOC) $(AUTOGENED_UTIL0_DOC) \ + $(AUTOGENED_UTIL1_DOC) + +# $(AUTOGEN) could be /bin/true. If so, just use the shipped texi file. +autogen_common = \ + $(AUTOGEN) -Tagtexi-cmd.tpl $1; \ + if [ ! -e $2 ]; then \ + cp $(srcdir)/$2 .; \ + fi; \ + $(srcdir)/scripts/cleanup-autogen.pl < $2 > $2.tmp && \ + mv -f $2.tmp $2 + +$(AUTOGENED_GNUTLS_DOC) : invoke-gnutls-%.texi : $(top_srcdir)/src/%-args.def + $(call autogen_common,$<,$@) + +$(AUTOGENED_UTIL0_DOC) : invoke-%.texi : $(top_srcdir)/src/%-args.def + $(call autogen_common,$<,$@) && \ + sed -i 's/@subheading/@subsubheading/g' $@ && \ + sed -i 's/@section/@subsection/g' $@ + +$(AUTOGENED_UTIL1_DOC) : invoke-%.texi : $(top_srcdir)/src/%-args.def + $(call autogen_common,$<,$@) && \ + sed -i 's/@subheading/@subsubheading/g' $@ && \ + sed -i 's/@section/@subsubsection/g' $@ info_TEXINFOS = gnutls.texi gnutls-guile.texi gnutls_TEXINFOS = gnutls.texi fdl-1.3.texi \ @@ -149,11 +73,6 @@ gnutls_TEXINFOS = gnutls.texi fdl-1.3.texi \ cha-shared-key.texi cha-gtls-examples.texi cha-upgrade.texi \ cha-tokens.texi cha-crypto.texi cha-auth.texi -AUTOGENED_DOC = invoke-gnutls-cli.texi invoke-gnutls-cli-debug.texi \ - invoke-gnutls-serv.texi invoke-certtool.texi invoke-srptool.texi \ - invoke-ocsptool.texi invoke-psktool.texi invoke-p11tool.texi \ - invoke-tpmtool.texi invoke-danetool.texi - gnutls_TEXINFOS += stamp_functions # Examples. -- 1.8.3.2 From cernekee at gmail.com Fri Mar 7 07:35:07 2014 From: cernekee at gmail.com (Kevin Cernekee) Date: Thu, 6 Mar 2014 22:35:07 -0800 Subject: [gnutls-devel] [PATCH 3/5] doc: Fix enums.texi failure on out-of-tree builds In-Reply-To: <1394174109-661-1-git-send-email-cernekee@gmail.com> References: <1394174109-661-1-git-send-email-cernekee@gmail.com> Message-ID: <1394174109-661-3-git-send-email-cernekee@gmail.com> enums.texi is a generated file so we should not look for it in $(srcdir). When we do, chaos ensues: mv -f enums.texi-tmp enums.texi mkdir enums ../../doc/scripts/split-texi.pl enums enum < ../../doc/enums.texi /bin/bash: ../../doc/enums.texi: No such file or directory make[4]: *** [stamp_enums] Error 1 make[4]: Leaving directory `/home/user/gnutls/build/doc' make[3]: *** [all-recursive] Error 1 make[3]: Leaving directory `/home/user/gnutls/build/doc' make[2]: *** [all] Error 2 make[2]: Leaving directory `/home/user/gnutls/build/doc' make[1]: *** [all-recursive] Error 1 make[1]: Leaving directory `/home/user/gnutls/build' make: *** [all] Error 2 Signed-off-by: Kevin Cernekee --- doc/Makefile.am | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/doc/Makefile.am b/doc/Makefile.am index e30ac52..7c33cfa 100644 --- a/doc/Makefile.am +++ b/doc/Makefile.am @@ -429,7 +429,7 @@ stamp_functions: $(API_FILES) stamp_enums: enums.texi -mkdir enums - $(srcdir)/scripts/split-texi.pl enums enum < $(srcdir)/enums.texi + $(srcdir)/scripts/split-texi.pl enums enum < $< echo $@ > $@ $(ENUMS): stamp_enums @@ -449,7 +449,7 @@ compare-exported: rm -f tmp-exp-$@ tmp-head-$@ compare-makefile: enums.texi - ENUMS=`grep '^@c ' $(srcdir)/enums.texi | sed 's/@c //g' | sort -d`; \ + ENUMS=`grep '^@c ' $< | sed 's/@c //g' | sort -d`; \ STR=""; \ for i in $$ENUMS; do \ STR="$$STR\nENUMS += enums/$$i"; \ -- 1.8.3.2 From cernekee at gmail.com Fri Mar 7 08:20:36 2014 From: cernekee at gmail.com (Kevin Cernekee) Date: Thu, 6 Mar 2014 23:20:36 -0800 Subject: [gnutls-devel] [PATCH 1/5] Update gnulib to fix build failures In-Reply-To: <1394176069.4157.19.camel@nomad.lan> References: <1394174109-661-1-git-send-email-cernekee@gmail.com> <1394176069.4157.19.camel@nomad.lan> Message-ID: On Thu, Mar 6, 2014 at 11:07 PM, Nikos Mavrogiannopoulos wrote: >> 2) Missing inet_pton.c error during GnuTLS "make bootstrap": > > Hello Kevin, > Is that on latest master? I fixed some issue yesterday that was related > to that. It was broken this morning (GMT -0800) but it does appear to be fixed on the latest master, probably by 32557a59a. > btw. I do not have commit nr: cb3c90598c1 That is the upstream gnulib commit that fixes the Android builds: commit cb3c90598c13d3db616c0c1e62c5d59ed80b069d Author: Kevin Cernekee Date: Wed Mar 5 12:10:56 2014 -0800 stdint, read-file: fix missing SIZE_MAX on Android (tiny change) This is basically one of the options Bruno Haible proposed in: http://lists.gnu.org/archive/html/bug-gnulib/2012-01/msg00282.html * lib/sys_types.in.h (_GL_INCLUDING_UNISTD_H): New macro. * lib/stdint.in.h: Use it. * modules/stdint (Depends-on): Add sys_types. From dkg at fifthhorseman.net Fri Mar 7 10:01:04 2014 From: dkg at fifthhorseman.net (Daniel Kahn Gillmor) Date: Fri, 07 Mar 2014 09:01:04 +0000 Subject: [gnutls-devel] dane - limited usability die to (indirect) OpenSSL dependency In-Reply-To: <5310F24E.4010900@gnutls.org> References: <20131228135512.GB3225@downhill.g.la> <1388241258.14170.10.camel@aspire.lan> <5310F24E.4010900@gnutls.org> Message-ID: <53198AD0.7010403@fifthhorseman.net> On 02/28/2014 08:32 PM, Nikos Mavrogiannopoulos wrote: > I realized that dnsmasq uses nettle to provide dnssec support. If > someone could make a small library out of it, we could simply switch to > it from unbound. This sounds promising, but i don't see any such usage in the source of dnsmasq 2.68. are you sure it's in dnsmasq? --dkg -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 1010 bytes Desc: OpenPGP digital signature URL: From nmav at gnutls.org Fri Mar 7 14:00:35 2014 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Fri, 7 Mar 2014 14:00:35 +0100 Subject: [gnutls-devel] dane - limited usability die to (indirect) OpenSSL dependency In-Reply-To: <53198AD0.7010403@fifthhorseman.net> References: <20131228135512.GB3225@downhill.g.la> <1388241258.14170.10.camel@aspire.lan> <5310F24E.4010900@gnutls.org> <53198AD0.7010403@fifthhorseman.net> Message-ID: On Fri, Mar 7, 2014 at 10:01 AM, Daniel Kahn Gillmor wrote: > On 02/28/2014 08:32 PM, Nikos Mavrogiannopoulos wrote: >> I realized that dnsmasq uses nettle to provide dnssec support. If >> someone could make a small library out of it, we could simply switch to >> it from unbound. > This sounds promising, but i don't see any such usage in the source of > dnsmasq 2.68. are you sure it's in dnsmasq? I don't know if it is released yet. I saw the addition in the changelog entries. The code is at http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=blob;f=src/dnssec.c;hb=HEAD regards, Nikos From cernekee at gmail.com Sat Mar 8 05:38:27 2014 From: cernekee at gmail.com (Kevin Cernekee) Date: Fri, 7 Mar 2014 20:38:27 -0800 Subject: [gnutls-devel] [PATCH V2 1/4] updated gnulib Message-ID: <1394253510-8458-1-git-send-email-cernekee@gmail.com> This pulls in upstream commit cb3c90598 (stdint, read-file: fix missing SIZE_MAX on Android). Signed-off-by: Kevin Cernekee --- src/gl/stdint.in.h | 3 +-- src/gl/sys_types.in.h | 2 ++ 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/src/gl/stdint.in.h b/src/gl/stdint.in.h index 5deca39..247f0d8 100644 --- a/src/gl/stdint.in.h +++ b/src/gl/stdint.in.h @@ -38,8 +38,7 @@ other system header files; just include the system's . Ideally we should test __BIONIC__ here, but it is only defined after has been included; hence test __ANDROID__ instead. */ -#if defined __ANDROID__ \ - && defined _SYS_TYPES_H_ && !defined __need_size_t +#if defined __ANDROID__ && defined _GL_INCLUDING_SYS_TYPES_H # @INCLUDE_NEXT@ @NEXT_STDINT_H@ #else diff --git a/src/gl/sys_types.in.h b/src/gl/sys_types.in.h index d3a4be1..deb5d67 100644 --- a/src/gl/sys_types.in.h +++ b/src/gl/sys_types.in.h @@ -23,7 +23,9 @@ #ifndef _ at GUARD_PREFIX@_SYS_TYPES_H /* The include_next requires a split double-inclusion guard. */ +# define _GL_INCLUDING_SYS_TYPES_H #@INCLUDE_NEXT@ @NEXT_SYS_TYPES_H@ +# undef _GL_INCLUDING_SYS_TYPES_H #ifndef _ at GUARD_PREFIX@_SYS_TYPES_H #define _ at GUARD_PREFIX@_SYS_TYPES_H -- 1.8.3.2 From cernekee at gmail.com Sat Mar 8 05:38:30 2014 From: cernekee at gmail.com (Kevin Cernekee) Date: Fri, 7 Mar 2014 20:38:30 -0800 Subject: [gnutls-devel] [PATCH V2 4/4] Fix build failures involving doc/invoke-*.texi In-Reply-To: <1394253510-8458-1-git-send-email-cernekee@gmail.com> References: <1394253510-8458-1-git-send-email-cernekee@gmail.com> Message-ID: <1394253510-8458-4-git-send-email-cernekee@gmail.com> Several problems were found in this area: 1) Currently, if SRC_DEF_* are undefined, autogen will get invoked with no input file and it will hang forever waiting for content from stdin: mv -f enums.texi-tmp enums.texi mkdir enums ../../doc/scripts/split-texi.pl enums enum < enums.texi echo stamp_enums > stamp_enums cd ../src/ && autogen -Tagtexi-cmd.tpl && \ rm -f ../doc/invoke-gnutls-cli.texi && \ ../doc/scripts/cleanup-autogen.pl <../src/invoke-gnutls-cli.texi >../doc/invoke-gnutls-cli.texi.tmp && \ mv -f ../doc/invoke-gnutls-cli.texi.tmp ../doc/invoke-gnutls-cli.texi && \ rm -f ../src/invoke-gnutls-cli.texi Since these documents are @include'd by other documents, it is probably a good idea to make sure the targets are buildable in case they get listed as prerequisites. 2) SRC_DEF_* used relative paths which are correct for an in-place build, but incorrect for an out-of-tree build. They should use something like $(top_srcdir)/src to resolve the ambiguity. 3) cleanup-autogen.pl was also referenced using a relative pathname, breaking out-of-tree builds. 4) The non-portable "sed -i" flag was used. Signed-off-by: Kevin Cernekee --- .gitignore | 12 +--- doc/Makefile.am | 207 +++++++++++++++++++++++++++----------------------------- 2 files changed, 102 insertions(+), 117 deletions(-) diff --git a/.gitignore b/.gitignore index 6b50937..6b2615a 100644 --- a/.gitignore +++ b/.gitignore @@ -689,16 +689,8 @@ src/gl/warn-on-use.h doc/stamp_invoke src/gl/libgnu_gpl.a src/gl/libgnu_gpl.la -doc/invoke-certtool.texi -doc/invoke-danetool.texi -doc/invoke-gnutls-cli-debug.texi -doc/invoke-gnutls-cli.texi -doc/invoke-gnutls-serv.texi -doc/invoke-ocsptool.texi -doc/invoke-p11tool.texi -doc/invoke-psktool.texi -doc/invoke-srptool.texi -doc/invoke-tpmtool.texi +doc/invoke-*.texi +doc/invoke-*.menu doc/parse-datetime.texi tests/fips-test tests/global-init diff --git a/doc/Makefile.am b/doc/Makefile.am index 7c33cfa..73fe681 100644 --- a/doc/Makefile.am +++ b/doc/Makefile.am @@ -31,113 +31,106 @@ endif -include $(top_srcdir)/doc/doc.mk - -SRC_DEF_CLI = -SRC_DEF_CLI_DEBUG = -SRC_DEF_SERV = -SRC_DEF_CERTTOOL = -SRC_DEF_OCSPTOOL = -SRC_DEF_DANETOOL = -SRC_DEF_SRPTOOL = -SRC_DEF_PSKTOOL = -SRC_DEF_P11TOOL = -SRC_DEF_TPMTOOL = -if WANT_TEST_SUITE -SRC_DEF_CLI += ../src/cli-args.def -SRC_DEF_CLI_DEBUG += ../src/cli-debug-args.def -SRC_DEF_SERV += ../src/serv-args.def -SRC_DEF_CERTTOOL += ../src/certtool-args.def -SRC_DEF_OCSPTOOL += ../src/ocsptool-args.def -SRC_DEF_DANETOOL += ../src/danetool-args.def -SRC_DEF_SRPTOOL += ../src/srptool-args.def -SRC_DEF_PSKTOOL += ../src/psk-args.def -SRC_DEF_P11TOOL += ../src/p11tool-args.def -SRC_DEF_TPMTOOL += ../src/tpmtool-args.def -endif - -invoke-gnutls-cli.texi: $(SRC_DEF_CLI) - -cd ../src/ && $(AUTOGEN) -Tagtexi-cmd.tpl $< && \ - rm -f ../doc/$@ && \ - ../doc/scripts/cleanup-autogen.pl <../src/$@ >../doc/$@.tmp && \ - mv -f ../doc/$@.tmp ../doc/$@ && \ - rm -f ../src/$@ - -invoke-gnutls-cli-debug.texi: $(SRC_DEF_CLI_DEBUG) invoke-gnutls-cli.texi - -cd ../src/ && $(AUTOGEN) -Tagtexi-cmd.tpl $< && \ - rm -f ../doc/$@ && \ - ../doc/scripts/cleanup-autogen.pl <../src/$@ >../doc/$@.tmp && \ - mv -f ../doc/$@.tmp ../doc/$@ && \ - rm -f ../src/$@ - -invoke-gnutls-serv.texi: $(SRC_DEF_SERV) invoke-gnutls-cli-debug.texi - -cd ../src/ && $(AUTOGEN) -Tagtexi-cmd.tpl $< && \ - rm -f ../doc/$@ && \ - ../doc/scripts/cleanup-autogen.pl <../src/$@ >../doc/$@.tmp && \ - mv -f ../doc/$@.tmp ../doc/$@ && \ - rm -f ../src/$@ - -invoke-certtool.texi: $(SRC_DEF_CERTTOOL) invoke-gnutls-serv.texi - -cd ../src/ && $(AUTOGEN) -Tagtexi-cmd.tpl $< && \ - rm -f ../doc/$@ && \ - ../doc/scripts/cleanup-autogen.pl <../src/$@ >../doc/$@.tmp && \ - mv -f ../doc/$@.tmp ../doc/$@ && \ - rm -f ../src/$@ && \ - sed -i 's/@subheading/@subsubheading/g' ../doc/$@ && \ - sed -i 's/@section/@subsection/g' ../doc/$@ - -invoke-ocsptool.texi: $(SRC_DEF_OCSPTOOL) invoke-certtool.texi - -cd ../src/ && $(AUTOGEN) -Tagtexi-cmd.tpl $< && \ - rm -f ../doc/$@ && \ - ../doc/scripts/cleanup-autogen.pl <../src/$@ >../doc/$@.tmp && \ - mv -f ../doc/$@.tmp ../doc/$@ && \ - rm -f ../src/$@ && \ - sed -i 's/@subheading/@subsubheading/g' ../doc/$@ && \ - sed -i 's/@section/@subsection/g' ../doc/$@ - -invoke-danetool.texi: $(SRC_DEF_DANETOOL) invoke-ocsptool.texi - -cd ../src/ && $(AUTOGEN) -Tagtexi-cmd.tpl $< && \ - rm -f ../doc/$@ && \ - ../doc/scripts/cleanup-autogen.pl <../src/$@ >../doc/$@.tmp && \ - mv -f ../doc/$@.tmp ../doc/$@ && \ - rm -f ../src/$@ && \ - sed -i 's/@subheading/@subsubheading/g' ../doc/$@ && \ - sed -i 's/@section/@subsection/g' ../doc/$@ - -invoke-srptool.texi: $(SRC_DEF_SRPTOOL) invoke-danetool.texi - -cd ../src/ && $(AUTOGEN) -Tagtexi-cmd.tpl $< && \ - rm -f ../doc/$@ && \ - ../doc/scripts/cleanup-autogen.pl <../src/$@ >../doc/$@.tmp && \ - mv -f ../doc/$@.tmp ../doc/$@ && \ - rm -f ../src/$@ && \ - sed -i 's/@subheading/@subsubheading/g' ../doc/$@ && \ - sed -i 's/@section/@subsubsection/g' ../doc/$@ - -invoke-psktool.texi: $(SRC_DEF_PSKTOOL) invoke-srptool.texi - -cd ../src/ && $(AUTOGEN) -Tagtexi-cmd.tpl $< && \ - rm -f ../doc/$@ && \ - ../doc/scripts/cleanup-autogen.pl <../src/$@ >../doc/$@.tmp && \ - mv -f ../doc/$@.tmp ../doc/$@ && \ - rm -f ../src/$@ && \ - sed -i 's/@subheading/@subsubheading/g' ../doc/$@ && \ - sed -i 's/@section/@subsubsection/g' ../doc/$@ - -invoke-p11tool.texi: $(SRC_DEF_P11TOOL) invoke-psktool.texi - -cd ../src/ && $(AUTOGEN) -Tagtexi-cmd.tpl $< && \ - rm -f ../doc/$@ && \ - ../doc/scripts/cleanup-autogen.pl <../src/$@ >../doc/$@.tmp && \ - mv -f ../doc/$@.tmp ../doc/$@ && \ - rm -f ../src/$@ && \ - sed -i 's/@subheading/@subsubheading/g' ../doc/$@ && \ - sed -i 's/@section/@subsection/g' ../doc/$@ - -invoke-tpmtool.texi: $(SRC_DEF_TPMTOOL) invoke-p11tool.texi - -cd ../src/ && $(AUTOGEN) -Tagtexi-cmd.tpl $< && \ - rm -f ../doc/$@ && \ - ../doc/scripts/cleanup-autogen.pl <../src/$@ >../doc/$@.tmp && \ - mv -f ../doc/$@.tmp ../doc/$@ && \ - rm -f ../src/$@ && \ - sed -i 's/@subheading/@subsubheading/g' ../doc/$@ && \ - sed -i 's/@section/@subsection/g' ../doc/$@ +invoke-gnutls-cli.texi: $(top_srcdir)/src/cli-args.def + $(AUTOGEN) -Tagtexi-cmd.tpl $<; \ + if [ ! -e $@ ]; then \ + cp $(srcdir)/$@ .; \ + fi; \ + $(srcdir)/scripts/cleanup-autogen.pl < $@ > $@.tmp && \ + mv -f $@.tmp $@ + +invoke-gnutls-cli-debug.texi: $(top_srcdir)/src/cli-debug-args.def invoke-gnutls-cli.texi + $(AUTOGEN) -Tagtexi-cmd.tpl $<; \ + if [ ! -e $@ ]; then \ + cp $(srcdir)/$@ .; \ + fi; \ + $(srcdir)/scripts/cleanup-autogen.pl < $@ > $@.tmp && \ + mv -f $@.tmp $@ + +invoke-gnutls-serv.texi: $(top_srcdir)/src/serv-args.def invoke-gnutls-cli-debug.texi + $(AUTOGEN) -Tagtexi-cmd.tpl $<; \ + if [ ! -e $@ ]; then \ + cp $(srcdir)/$@ .; \ + fi; \ + $(srcdir)/scripts/cleanup-autogen.pl < $@ > $@.tmp && \ + mv -f $@.tmp $@ + +invoke-certtool.texi: $(top_srcdir)/src/certtool-args.def invoke-gnutls-serv.texi + $(AUTOGEN) -Tagtexi-cmd.tpl $<; \ + if [ ! -e $@ ]; then \ + cp $(srcdir)/$@ .; \ + fi; \ + $(srcdir)/scripts/cleanup-autogen.pl < $@ > $@.tmp && \ + rm -f $@ && \ + sed -e 's/@subheading/@subsubheading/g' \ + -e 's/@section/@subsection/g' $@.tmp > $@ && \ + rm -f $@.tmp + +invoke-ocsptool.texi: $(top_srcdir)/src/ocsptool-args.def invoke-certtool.texi + $(AUTOGEN) -Tagtexi-cmd.tpl $<; \ + if [ ! -e $@ ]; then \ + cp $(srcdir)/$@ .; \ + fi; \ + $(srcdir)/scripts/cleanup-autogen.pl < $@ > $@.tmp && \ + rm -f $@ && \ + sed -e 's/@subheading/@subsubheading/g' \ + -e 's/@section/@subsection/g' $@.tmp > $@ && \ + rm -f $@.tmp + +invoke-danetool.texi: $(top_srcdir)/src/danetool-args.def invoke-ocsptool.texi + $(AUTOGEN) -Tagtexi-cmd.tpl $<; \ + if [ ! -e $@ ]; then \ + cp $(srcdir)/$@ .; \ + fi; \ + $(srcdir)/scripts/cleanup-autogen.pl < $@ > $@.tmp && \ + rm -f $@ && \ + sed -e 's/@subheading/@subsubheading/g' \ + -e 's/@section/@subsection/g' $@.tmp > $@ && \ + rm -f $@.tmp + +invoke-srptool.texi: $(top_srcdir)/src/srptool-args.def invoke-danetool.texi + $(AUTOGEN) -Tagtexi-cmd.tpl $<; \ + if [ ! -e $@ ]; then \ + cp $(srcdir)/$@ .; \ + fi; \ + $(srcdir)/scripts/cleanup-autogen.pl < $@ > $@.tmp && \ + rm -f $@ && \ + sed -e 's/@subheading/@subsubheading/g' \ + -e 's/@section/@subsubsection/g' $@.tmp > $@ && \ + rm -f $@.tmp + +invoke-psktool.texi: $(top_srcdir)/src/psktool-args.def invoke-srptool.texi + $(AUTOGEN) -Tagtexi-cmd.tpl $<; \ + if [ ! -e $@ ]; then \ + cp $(srcdir)/$@ .; \ + fi; \ + $(srcdir)/scripts/cleanup-autogen.pl < $@ > $@.tmp && \ + rm -f $@ && \ + sed -e 's/@subheading/@subsubheading/g' \ + -e 's/@section/@subsubsection/g' $@.tmp > $@ && \ + rm -f $@.tmp + +invoke-p11tool.texi: $(top_srcdir)/src/p11tool-args.def invoke-psktool.texi + $(AUTOGEN) -Tagtexi-cmd.tpl $<; \ + if [ ! -e $@ ]; then \ + cp $(srcdir)/$@ .; \ + fi; \ + $(srcdir)/scripts/cleanup-autogen.pl < $@ > $@.tmp && \ + rm -f $@ && \ + sed -e 's/@subheading/@subsubheading/g' \ + -e 's/@section/@subsection/g' $@.tmp > $@ && \ + rm -f $@.tmp + +invoke-tpmtool.texi: $(top_srcdir)/src/tpmtool-args.def invoke-p11tool.texi + $(AUTOGEN) -Tagtexi-cmd.tpl $<; \ + if [ ! -e $@ ]; then \ + cp $(srcdir)/$@ .; \ + fi; \ + $(srcdir)/scripts/cleanup-autogen.pl < $@ > $@.tmp && \ + rm -f $@ && \ + sed -e 's/@subheading/@subsubheading/g' \ + -e 's/@section/@subsection/g' $@.tmp > $@ && \ + rm -f $@.tmp info_TEXINFOS = gnutls.texi gnutls-guile.texi gnutls_TEXINFOS = gnutls.texi fdl-1.3.texi \ -- 1.8.3.2 From cernekee at gmail.com Sat Mar 8 05:38:29 2014 From: cernekee at gmail.com (Kevin Cernekee) Date: Fri, 7 Mar 2014 20:38:29 -0800 Subject: [gnutls-devel] [PATCH V2 3/4] Fix build failures on autogen'ed docs In-Reply-To: <1394253510-8458-1-git-send-email-cernekee@gmail.com> References: <1394253510-8458-1-git-send-email-cernekee@gmail.com> Message-ID: <1394253510-8458-3-git-send-email-cernekee@gmail.com> autogen needs to be invoked with $(srcdir)/-args.def or else it will not be able to find the input file if GnuTLS is built out of tree, e.g. mkdir build cd build ../configure make Also, add missing targets for %-args.h, to avoid this error: make[2]: Entering directory `/home/user/gnutls/src' autogen srptool-args.def autogen psk-args.def make[2]: *** No rule to make target `ocsptool-args.h', needed by `all'. Stop. make[2]: Leaving directory `/home/user/gnutls/src' make[1]: *** [all-recursive] Error 1 For portability's sake we will spell out the rule for each target instead of using a GNU '%' pattern rule: https://www.gnu.org/software/make/manual/html_node/Features.html#Features Signed-off-by: Kevin Cernekee --- src/Makefile.am | 40 ++++++++++++++++++++-------------------- 1 file changed, 20 insertions(+), 20 deletions(-) diff --git a/src/Makefile.am b/src/Makefile.am index f6d7f6c..4ca2a92 100644 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -213,23 +213,23 @@ libcmd_tpmtool_la_LIBADD += $(LTLIBREADLINE) $(INET_PTON_LIB) $(LIB_CLOCK_GETTIM endif # ENABLE_TROUSERS -danetool-args.c: $(srcdir)/args-std.def $(srcdir)/danetool-args.def - -$(AUTOGEN) danetool-args.def -ocsptool-args.c: $(srcdir)/args-std.def $(srcdir)/ocsptool-args.def - -$(AUTOGEN) ocsptool-args.def -tpmtool-args.c: $(srcdir)/args-std.def $(srcdir)/tpmtool-args.def - -$(AUTOGEN) tpmtool-args.def -p11tool-args.c: $(srcdir)/args-std.def $(srcdir)/p11tool-args.def - -$(AUTOGEN) p11tool-args.def -psktool-args.c: $(srcdir)/args-std.def $(srcdir)/psktool-args.def - -$(AUTOGEN) psktool-args.def -cli-debug-args.c: $(srcdir)/args-std.def $(srcdir)/cli-debug-args.def - -$(AUTOGEN) cli-debug-args.def -cli-args.c: $(srcdir)/args-std.def $(srcdir)/cli-args.def - -$(AUTOGEN) cli-args.def -serv-args.c: $(srcdir)/args-std.def $(srcdir)/serv-args.def - -$(AUTOGEN) serv-args.def -srptool-args.c: $(srcdir)/args-std.def $(srcdir)/srptool-args.def - -$(AUTOGEN) srptool-args.def -certtool-args.c: $(srcdir)/args-std.def $(srcdir)/certtool-args.def - -$(AUTOGEN) certtool-args.def +danetool-args.c danetool-args.h: $(srcdir)/danetool-args.def $(srcdir)/args-std.def + -$(AUTOGEN) $< +ocsptool-args.c ocsptool-args.h: $(srcdir)/ocsptool-args.def $(srcdir)/args-std.def + -$(AUTOGEN) $< +tpmtool-args.c tpmtool-args.h: $(srcdir)/tpmtool-args.def $(srcdir)/args-std.def + -$(AUTOGEN) $< +p11tool-args.c p11tool-args.h: $(srcdir)/p11tool-args.def $(srcdir)/args-std.def + -$(AUTOGEN) $< +psktool-args.c psktool-args.h: $(srcdir)/psktool-args.def $(srcdir)/args-std.def + -$(AUTOGEN) $< +cli-debug-args.c cli-debug-args.h: $(srcdir)/cli-debug-args.def $(srcdir)/args-std.def + -$(AUTOGEN) $< +cli-args.c cli-args.h: $(srcdir)/cli-args.def $(srcdir)/args-std.def + -$(AUTOGEN) $< +serv-args.c serv-args.h: $(srcdir)/serv-args.def $(srcdir)/args-std.def + -$(AUTOGEN) $< +srptool-args.c srptool-args.h: $(srcdir)/srptool-args.def $(srcdir)/args-std.def + -$(AUTOGEN) $< +certtool-args.c certtool-args.h: $(srcdir)/certtool-args.def $(srcdir)/args-std.def + -$(AUTOGEN) $< -- 1.8.3.2 From cernekee at gmail.com Sat Mar 8 05:38:28 2014 From: cernekee at gmail.com (Kevin Cernekee) Date: Fri, 7 Mar 2014 20:38:28 -0800 Subject: [gnutls-devel] [PATCH V2 2/4] README-alpha: Add gperf dependency for building from git In-Reply-To: <1394253510-8458-1-git-send-email-cernekee@gmail.com> References: <1394253510-8458-1-git-send-email-cernekee@gmail.com> Message-ID: <1394253510-8458-2-git-send-email-cernekee@gmail.com> Without gperf, priority-options.h does not get built and this results in a compile error. Signed-off-by: Kevin Cernekee --- README-alpha | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/README-alpha b/README-alpha index 3df2d8a..8120b4f 100644 --- a/README-alpha +++ b/README-alpha @@ -25,6 +25,7 @@ We require several tools to check out and build the software, including: - Nettle - Guile - p11-kit +- gperf - libtasn1 (optional) - datefudge (optional) - Libidn (optional, for crywrap) @@ -40,7 +41,7 @@ apt-get install git-core autoconf libtool gettext autopoint apt-get install texinfo texlive texlive-generic-recommended texlive-extra-utils apt-get install help2man gtk-doc-tools valgrind apt-get install guile-1.8-dev libtasn1-3-dev -apt-get install datefudge libidn11-dev gawk +apt-get install datefudge libidn11-dev gawk gperf You will sometimes need to install more recent versions of Automake, Nettle, P11-kit and Autogen, which you will need to build from -- 1.8.3.2 From nmav at gnutls.org Sat Mar 8 09:51:15 2014 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Sat, 08 Mar 2014 09:51:15 +0100 Subject: [gnutls-devel] [PATCH 5/5] Fix build failures involving doc/invoke-*.texi In-Reply-To: <1394174109-661-5-git-send-email-cernekee@gmail.com> References: <1394174109-661-1-git-send-email-cernekee@gmail.com> <1394174109-661-5-git-send-email-cernekee@gmail.com> Message-ID: <1394268675.4172.2.camel@nomad.lan> On Thu, 2014-03-06 at 22:35 -0800, Kevin Cernekee wrote: > Several problems were found in this area: > > 1) Currently, if SRC_DEF_* are undefined, autogen will get invoked with > no input file and it will hang forever waiting for content from stdin: > > mv -f enums.texi-tmp enums.texi > mkdir enums > ../../doc/scripts/split-texi.pl enums enum < enums.texi > echo stamp_enums > stamp_enums > cd ../src/ && autogen -Tagtexi-cmd.tpl && \ > rm -f ../doc/invoke-gnutls-cli.texi && \ > ../doc/scripts/cleanup-autogen.pl <../src/invoke-gnutls-cli.texi >../doc/invoke-gnutls-cli.texi.tmp && \ > mv -f ../doc/invoke-gnutls-cli.texi.tmp ../doc/invoke-gnutls-cli.texi && \ > rm -f ../src/invoke-gnutls-cli.texi > Applied all 5. Thank you. Nikos From tobias at 23.gs Sat Mar 8 16:06:44 2014 From: tobias at 23.gs (Tobias Gruetzmacher) Date: Sat, 8 Mar 2014 16:06:44 +0100 Subject: [gnutls-devel] Fix shared build on Win32 Message-ID: <20140308150644.GA5606@23.gs> Hi, while debugging shared builds in MXE (A Win32-cross-build environment for Linux) I came accress the usage of _gnutls_vasprintf in libgnutls-xssl. This breaks because libgnutls does not export that symbol. The current fix used for MXE is here: https://github.com/mxe/mxe/blob/master/src/gnutls-2-add-missing-export.patch Since I consider this patch trivial, I suppose it is under the most liberal licence you can find. Regards, Tobias -- GPG-Key 0xE2BEA341 - signed/encrypted mail preferred -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 181 bytes Desc: Digital signature URL: From syn4m1cs at riseup.net Sun Mar 9 11:46:28 2014 From: syn4m1cs at riseup.net (Synamics) Date: Sun, 09 Mar 2014 07:46:28 -0300 Subject: [gnutls-devel] Fwd: Devel page points to insecure cloning of GnuTLS In-Reply-To: <531C45B5.30505@riseup.net> References: <531C45B5.30505@riseup.net> Message-ID: <531C4684.2000709@riseup.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi, good morning The page http://www.gnutls.org/devel.html points to "git://gitorious.org/gnutls/gnutls.git", which uses git protocol, without authentication of the downloaded packages. Why not subtitute it with https://gitorious.org/gnutls/gnutls.git ? You have done a good job with GnuTLS, I'll try to help you at auditing it... Good-Bye. - -- Synamics synamics at riseup.net GPG: 8BCC264B (1570 A5FC 48D1 99C6 1C45 E847 567E 231A 8BCC 264B) -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.22 (GNU/Linux) iQIcBAEBAgAGBQJTHEW1AAoJEFZ+IxqLzCZLJBcQAJnL99pc0LI0RrbvO91QVsS0 i6RG49+VhzF8NV1hDeBXeGXQ7ng5Z9HxlOh2RsXPbzLhsTIvm4QNyE0SWoDgBLn+ evGxaPX0NW+27sHe7GTFpQlDD/Eh0bR6yIOEMrRODcuyPK44nDngAmtzLsTMP4EP mRt5ErbHzgB1B5/3O2PJs4ekIkZ65ZZntEJToD9LL5TCIVnAGxXMyGSv6xCV6CgN ey14JdsKNP9Py4AcbG9aW91g+PzE83ULgNhs6cel0TrRoVAxfnm0AxfQAHeYRmI9 5PLc6KS9vpZSGQsVSU7vl4MmvIcsCvMT60eAbdXvElG5Z2Dr6KKsReta6fGMfefj r9SlxzOd6MwlFpu1xw8q3tUvk1aPHrPnGrGShMiC1iRn7oVFqSDQaXmoej6CEirc 8Xp/DISPElpDdDgFm7o6ifyATrvmKyAoa2Miy6smTg5eJMJwPOKGPdysBorMoFGn R0vksg8YL7s/sdb1XyBNqSrfXUM0xfcsxAnuW2A6iOZW+jTwHx4WhwhmlG00qKsG GS4CxV9QddnCl05Gi1z1/0GjC4liWxQSs4aGlrWa7stIWfpudWveSfrMOSaHN8dU WFR0BY6ITc6yWFBQSTKSkCMtFfBnpIOAG4o7n9R9G9iYK2xcFm3v+LiEpyHonECj KbiS5gNJHqFDYb7SIjkD =n0m4 -----END PGP SIGNATURE----- -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/pkcs7-signature Size: 2291 bytes Desc: S/MIME Cryptographic Signature URL: From dkg at fifthhorseman.net Mon Mar 10 01:04:11 2014 From: dkg at fifthhorseman.net (Daniel Kahn Gillmor) Date: Sun, 09 Mar 2014 20:04:11 -0400 Subject: [gnutls-devel] Fwd: Devel page points to insecure cloning of GnuTLS In-Reply-To: <531C4684.2000709@riseup.net> References: <531C45B5.30505@riseup.net> <531C4684.2000709@riseup.net> Message-ID: <531D017B.8060208@fifthhorseman.net> On 03/09/2014 06:46 AM, Synamics wrote: > The page http://www.gnutls.org/devel.html points to > "git://gitorious.org/gnutls/gnutls.git", which uses git protocol, > without authentication of the downloaded packages. > Why not subtitute it with https://gitorious.org/gnutls/gnutls.git ? the https transport only provides transport-layer authentication also, which just proves that you're connecting to the gitorious server -- not that the files in question are the correct files for the GnuTLS project. To verify the provenance of the data, you need to check the OpenPGP signatures in the git tag that you are interested in (there are tags that correspond to each released version). The tag should be signed by Nikos Mavrogiannopolous. for example: git tag -v gnutls_3_2_12_1 I believe Nikos' key has the following fingerprint (but have not verified it in person with him): 1F42 4189 05D8 206A A754 CCDC 29EE 58B9 9686 5171 gitorious' git https:// transport appears to be the "dumb" version, which means that fetching a large repository with a complex history (like that of the gnutls project) is expensive and slow. the git:// transport is significantly faster and more efficient. if you can spare the bandwidth and the CPU and RAM, you can try comparing these two commands: time git clone https://gitorious.org/gnutls/gnutls.git time git clone git://gitorious.org/gnutls/gnutls.git If gitorious used the git-http-backend (i don't know how well that would integrate with their nginx+varnish setup), so that git could use the smart http transport, i'd be more inclined to agree with the proposed change (because transport security and privacy is better than cleartext in general, even if the real cryptographic checks you want on the source code need to come from the OpenPGP signatures in the repo itself), but for efficiency purposes, i think the current choice of git:// is a better one. --dkg -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 1010 bytes Desc: OpenPGP digital signature URL: From nmav at gnutls.org Tue Mar 11 10:03:28 2014 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Tue, 11 Mar 2014 10:03:28 +0100 Subject: [gnutls-devel] Fix shared build on Win32 In-Reply-To: <20140308150644.GA5606@23.gs> References: <20140308150644.GA5606@23.gs> Message-ID: On Sat, Mar 8, 2014 at 4:06 PM, Tobias Gruetzmacher wrote: > Hi, > while debugging shared builds in MXE (A Win32-cross-build environment > for Linux) I came accress the usage of _gnutls_vasprintf in > libgnutls-xssl. This breaks because libgnutls does not export that > symbol. The current fix used for MXE is here: That you. I've committed the fix in the 3.2 branch. I've also removed xssl from the main branch of gnutls. There are no resources to support a second library, despite the fact that I liked the idea of the high level library. regards, Nikos From luisgf at luisgf.es Wed Mar 12 14:21:46 2014 From: luisgf at luisgf.es (Luis G.F) Date: Wed, 12 Mar 2014 14:21:46 +0100 Subject: [gnutls-devel] Memory leak in GnuTLS serv.c Message-ID: <53205F6A.8070507@luisgf.es> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hello all: Attach to this email, you can found a patch to apply to the lastest version of gnutls in order to fix a potential memory leak in serv.c. Thanks for your great work, regards Luis! -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.22 (GNU/Linux) Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQIcBAEBAgAGBQJTIF9qAAoJEGvLwn/JGLgP+MkQALkjyULosEHQlYUtswtH90Au z9aaBJeoi1wRngAFj1pVRNHxAp9n0B1i9hqT3jBkrptCMCj+0xUG+eXfIXmvudxE PJjSDbTiXbNFlCVslASx92cQkOmGzOnIvklY9vUmw2pBm1se0pU+Rhqh2ZPOxfYt 9Wzwtgyesktr9nrlL8ou1Beta+MuEhOEvmkSYWViqeZDgDUn18o/7e0ucOIu0peq eGERCH6no3L9ED+TC1MQxGGiZWCLULIQuXOYjEXeEQXc1sN3Ib3WiDzzVwjaP75H 9gFsKGOo51rYbQrw6jiIQBG8idJo3LQGW5HCAy9QpRPdW6YBgyzudKqeVjqBO170 jZ/jUMMqc2slYDjR8wTsxeAYXn7pZ+no8iAIpkqJ8/jOLqxlkwUPbbg0dvwp19Fd fkB43/jclzF30BawTgWRwsVobmGe1VQGqphTrhrh/vqvqmaMZyLLUAh5wIRJQL+f RnROTzQN67azU4creMoTqhQyYQtFUqqPJqvcl+pqWBBndOatvfST1k3VCeRhSw+R tmpVAKBQeaftufcQHfTbmPYYtiqeX6/HRMrR0lVVk9k62W1llH7a+GQs29WHnoFL a+xk/C8OcaYe6pqzJyvHLgmGknfWh/Pga1DdiBB7m8obSjalJT/ekETUC2fQqIGx 1VM5QXCFSOZyeclWe9wm =npDX -----END PGP SIGNATURE----- -------------- next part -------------- A non-text attachment was scrubbed... Name: fix_memory_leak.patch Type: text/x-patch Size: 1335 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: fix_memory_leak.patch.sig Type: application/pgp-signature Size: 543 bytes Desc: not available URL: From noloader at gmail.com Tue Mar 18 07:11:02 2014 From: noloader at gmail.com (Jeffrey Walton) Date: Tue, 18 Mar 2014 02:11:02 -0400 Subject: [gnutls-devel] Overly permissive hostname matching Message-ID: I believe GnuTLS has a security flaw in its certificate hostname matching code. In the attached server certificate, the hostname is provided via a Subject Alt Name (SAN). The only SAN entry is a DNS name for "*.com". Also attached is the default CA, which was used to sign the server's certificate. Effectively, wget accepts a single certificate for the gTLD of .COM. That's probably bad. If a CA is compromised, then the compromised CA could issue a "super certificate" and cover the entire top level domain space. I suspect wget also accepts certificates for .COM's friends, like .NET, .ORG, .MIL, etc. Its probably not limited to gTLDs. Mozilla maintains a list of effective TLDs at https://wiki.mozilla.org/Public_Suffix_List. The 1600+ effective TLDs are probably accepted, too. Attached are the certificates, keys, and commands to set up a test rig with OpenSSL's s_server. The certificates are issued for example.com, and require a modification to /etc/hosts to make things work as (un)expected. Jeffrey Walton Baltimore, MD, US $ echo -e "GET / HTTP/1.0\r\n" | gnutls-cli --x509cafile ca-rsa-cert.pem example.com --port 8443 Processed 1 CA certificate(s). Resolving 'example.com'... Connecting to '127.0.0.1:8443'... - Certificate type: X.509 - Got a certificate list of 1 certificates. - Certificate[0] info: - subject `O=Example\, LLC,CN=Example Certificate', issuer `C=USO=Example\, LLC,CN=Example CA', RSA key 2048 bits, signed using RSA-SHA256, activated `2014-01-01 00:00:00 UTC', expires `2024-01-01 00:00:00 UTC', SHA-1 fingerprint `6ef2b017e26ce55092c8f886cff7ef9479629375' - The hostname in the certificate matches 'example.com'. - Peer's certificate is trusted - Version: TLS1.0 - Key Exchange: RSA - Cipher: AES-128-CBC - MAC: SHA1 - Compression: NULL - Handshake was completed -------------- next part -------------- A non-text attachment was scrubbed... Name: hostname-verification.tar.gz Type: application/x-gzip Size: 6409 bytes Desc: not available URL: From nmav at gnutls.org Tue Mar 18 09:40:29 2014 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Tue, 18 Mar 2014 09:40:29 +0100 Subject: [gnutls-devel] Overly permissive hostname matching In-Reply-To: References: Message-ID: On Tue, Mar 18, 2014 at 7:11 AM, Jeffrey Walton wrote: > I believe GnuTLS has a security flaw in its certificate hostname matching code. > In the attached server certificate, the hostname is provided via a > Subject Alt Name (SAN). The only SAN entry is a DNS name for "*.com". > Also attached is the default CA, which was used to sign the server's > certificate. > Effectively, wget accepts a single certificate for the gTLD of .COM. > That's probably bad. If a CA is compromised, then the compromised CA > could issue a "super certificate" and cover the entire top level > domain space. That's a very interesting point, but I am not sure there is an easy fix. GnuTLS follows RFC2818 for hostname verification, and that document is pretty clear on the scope of the wildcards. It mentions for example: "f*.com matches foo.com". Maybe we can forbid a first level wildcard, but is that practice documented somewhere? I don't see any IETF documents updating RFC2818. Maybe TLS-UTA [0], is a better discussion place for that. [0]. https://tools.ietf.org/wg/uta/ regards, Nikos From dkg at fifthhorseman.net Tue Mar 18 15:23:08 2014 From: dkg at fifthhorseman.net (Daniel Kahn Gillmor) Date: Tue, 18 Mar 2014 10:23:08 -0400 Subject: [gnutls-devel] Overly permissive hostname matching In-Reply-To: References: Message-ID: <532856CC.9040608@fifthhorseman.net> On 03/18/2014 04:40 AM, Nikos Mavrogiannopoulos wrote: > That's a very interesting point, but I am not sure there is an easy > fix. GnuTLS follows RFC2818 for hostname verification, and that > document is pretty clear on the scope of the wildcards. It mentions > for example: "f*.com matches foo.com". Maybe we can forbid a first > level wildcard, but is that practice documented somewhere? I don't see > any IETF documents updating RFC2818. RFC 2818 is a web-specific reference, so it doesn't cover all uses of TLS; the CA/Browser Forum baseline requirements section 11.1.3 covers what CAs are supposed to do about wildcard issuance: https://cabforum.org/wp-content/uploads/Baseline_Requirements_V1_1_6.pdf the CABForum guidelines have no mention of any on mixed wildcard/non-wildcard labels in the CN or dNSNames, which makes me think they haven't even been considered. I don't think f*.com is a reasonable thing for modern CAs to issue. for other IETF references, RFC 6125 has some useful material, though it explicitly deprecates wildcards, only recommending their use for backward/legacy compatibility: https://tools.ietf.org/html/rfc6125#section-6.4.3 https://tools.ietf.org/html/rfc6125#section-7.2 --dkg -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 1010 bytes Desc: OpenPGP digital signature URL: From noloader at gmail.com Tue Mar 18 10:08:31 2014 From: noloader at gmail.com (Jeffrey Walton) Date: Tue, 18 Mar 2014 05:08:31 -0400 Subject: [gnutls-devel] Overly permissive hostname matching In-Reply-To: References: Message-ID: On Tue, Mar 18, 2014 at 4:40 AM, Nikos Mavrogiannopoulos wrote: > On Tue, Mar 18, 2014 at 7:11 AM, Jeffrey Walton wrote: >> I believe GnuTLS has a security flaw in its certificate hostname matching code. >> In the attached server certificate, the hostname is provided via a >> Subject Alt Name (SAN). The only SAN entry is a DNS name for "*.com". >> Also attached is the default CA, which was used to sign the server's >> certificate. >> Effectively, wget accepts a single certificate for the gTLD of .COM. >> That's probably bad. If a CA is compromised, then the compromised CA >> could issue a "super certificate" and cover the entire top level >> domain space. > > That's a very interesting point, but I am not sure there is an easy > fix. GnuTLS follows RFC2818 for hostname verification, and that > document is pretty clear on the scope of the wildcards. It mentions > for example: "f*.com matches foo.com". Maybe we can forbid a first > level wildcard, but is that practice documented somewhere? I don't see > any IETF documents updating RFC2818. Hi Niko. I don't recall reading a prohibition anywhere. I even seem to recall the browser's use of the list as voluntary (for lack of a better term) since it was not prohibited or under specified. Maybe its one of those things along the lines of "why would anyone ever need to revoke a CA".... Intuitively, we know that no one CA services a particular domain in the gTLD space, so something seems out of place in clients willing to accept a super cert. How does GnuTLS handle DNS names with an embedded NULL (Kaminsky's and Marlinspike's NULL Termination Attacks)? Does it take a proactive approach by rejecting the certifcate? If so, rejecting a certifcate for *.COM and *.NET would seem to be consistent behavior. Jeff From mancha1 at hush.com Wed Mar 19 03:48:57 2014 From: mancha1 at hush.com (mancha) Date: Wed, 19 Mar 2014 02:48:57 +0000 Subject: [gnutls-devel] Overly permissive hostname matching Message-ID: <20140319024857.953B5A0157@smtp.hushmail.com> On Tue, 18 Mar 2014 08:40:50 "Nikos Mavrogiannopoulos" wrote: >That's a very interesting point, but I am not sure there is an >easy fix. GnuTLS follows RFC2818 for hostname verification, and >that document is pretty clear on the scope of the wildcards. It >mentions for example: "f*.com matches foo.com". Maybe we can >forbid a first level wildcard, but is that practice documented >somewhere? I don't see any IETF documents updating RFC2818. Apropos, this is addressed client-side in different ways (e.g.): 1. Chromium (x509_certificate.cc) // Do not allow wildcards for public/ICANN registry controlled domains - // that is, prevent *.com or *.co.uk as valid presented names, but do not // prevent *.appspot.com (a private registry controlled domain). // In addition, unknown top-level domains (such as 'intranet' domains or // new TLDs/gTLDs not yet added to the registry controlled domain dataset) // are also implicitly prevented. // Because |reference_domain| must contain at least one name component that // is not registry controlled, this ensures that all reference domains // contain at least three domain components when using wildcards. size_t registry_length = registry_controlled_domains::GetRegistryLength( reference_name, registry_controlled_domains::INCLUDE_UNKNOWN_REGISTRIES, registry_controlled_domains::EXCLUDE_PRIVATE_REGISTRIES); 2. Mozilla (certdb.c) /* New approach conforms to RFC 6125. */ char *wildcard = PORT_Strchr(cn, '*'); char *firstcndot = PORT_Strchr(cn, '.'); char *secondcndot = firstcndot ? PORT_Strchr(firstcndot+1, '.') : NULL; char *firsthndot = PORT_Strchr(hn, '.'); /* For a cn pattern to be considered valid, the wildcard character... * - may occur only in a DNS name with at least 3 components, and * - may occur only as last character in the first component, and * - may be preceded by additional characters, and * - must not be preceded by an IDNA ACE prefix (xn--) */ if (wildcard && secondcndot && secondcndot[1] && firsthndot && firstcndot - wildcard == 1 /* wildcard is last char in first component */ && secondcndot - firstcndot > 1 /* second component is non- empty */ && PORT_Strrchr(cn, '*') == wildcard /* only one wildcard in cn */ && !PORT_Strncasecmp(cn, hn, wildcard - cn) && !PORT_Strcasecmp(firstcndot, firsthndot) /* If hn starts with xn--, then cn must start with wildcard */ && (PORT_Strncasecmp(hn, "xn--", 4) || wildcard == cn)) { /* valid wildcard pattern match */ return SECSuccess; } --mancha PS Nikos, I posted this message earlier via gmane[1] but it seems to have been routed to a defunct list[2] rather than the current one[3]. Have you seen this before? [1] http://thread.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/7380 [2] https://lists.gnu.org/archive/html/gnutls-devel/2014- 03/index.html [3] http://lists.gnutls.org/pipermail/gnutls-devel/2014- March/thread.html From nmav at gnutls.org Wed Mar 19 14:22:06 2014 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Wed, 19 Mar 2014 14:22:06 +0100 Subject: [gnutls-devel] Overly permissive hostname matching In-Reply-To: <20140319024857.953B5A0157@smtp.hushmail.com> References: <20140319024857.953B5A0157@smtp.hushmail.com> Message-ID: On Wed, Mar 19, 2014 at 3:48 AM, mancha wrote: > Apropos, this is addressed client-side in different ways (e.g.): > 1. Chromium (x509_certificate.cc) [...] > 2. Mozilla (certdb.c) [...] Hello, Indeed, I think that this should be changed in new versions of gnutls. I think the mozilla rule of: - may occur only in a DNS name with at least 3 components, and Is a good one to start with. However, I'd appreciate if somebody could bring that up to the TLS-UTA working group (I'm too busy to pursue that). I think that the wildcard behaviour, if needed at all, should be defined by an IETF document, rather than each implementation making its own assumptions. regards, Nikos > PS Nikos, I posted this message earlier via gmane[1] but it seems to > have been routed to a defunct list[2] rather than the current > one[3]. > Have you seen this before? No, I haven't used gmane for posting. Is there anything I can do for fixing that? regards, Nikos From mancha1 at zoho.com Wed Mar 19 23:04:55 2014 From: mancha1 at zoho.com (mancha) Date: Wed, 19 Mar 2014 22:04:55 +0000 Subject: [gnutls-devel] Overly permissive hostname matching In-Reply-To: References: <20140319024857.953B5A0157@smtp.hushmail.com> Message-ID: <20140319220455.GA32282@zoho.com> On Wed, Mar 19, 2014 at 02:22:06PM +0100, Nikos Mavrogiannopoulos wrote: > No, I haven't used gmane for posting. Is there anything I can do for > fixing that? > Hi Nikos. I've emailed Lars at gmane to let him know about this quirk. I doubt there's anything to do on your end but I'll let you know if there is. Cheers. --mancha From ametzler at bebt.de Thu Mar 20 17:02:32 2014 From: ametzler at bebt.de (Andreas Metzler) Date: Thu, 20 Mar 2014 17:02:32 +0100 Subject: [gnutls-devel] RSA-SHA512 signature support for gnutls 2.12.x Message-ID: <20140320160232.GB3241@downhill.g.la> Hello, this is GnuTLS 2.12.x seems to fail to connect to servers using a cert signed with RSA-SHA512. Since cacert.org seems to be using RSA-SHA512 this has become more important. More details in abovementioned bugreport. Ivan Shmakov has provided attached patch for GnuTLS 2.12.x. Could you please review it (and if this is successful integrate to GIT). thanks, cu Andreas -- `What a good friend you are to him, Dr. Maturin. His other friends are so grateful to you.' `I sew his ears on from time to time, sure' -------------- next part -------------- A non-text attachment was scrubbed... Name: possible.patch Type: text/x-diff Size: 6368 bytes Desc: not available URL: From nmav at gnutls.org Thu Mar 20 19:06:26 2014 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Thu, 20 Mar 2014 19:06:26 +0100 Subject: [gnutls-devel] RSA-SHA512 signature support for gnutls 2.12.x In-Reply-To: <20140320160232.GB3241@downhill.g.la> References: <20140320160232.GB3241@downhill.g.la> Message-ID: <1395338786.4183.7.camel@nomad.lan> On Thu, 2014-03-20 at 17:02 +0100, Andreas Metzler wrote: > Hello, > > this is > > GnuTLS 2.12.x seems to fail to connect to servers using a cert signed > with RSA-SHA512. Since cacert.org seems to be using RSA-SHA512 this > has become more important. > More details in abovementioned bugreport. > Ivan Shmakov has provided attached patch for > GnuTLS 2.12.x. Could you please review it (and if this is successful > integrate to GIT). Hello Andreas, From a quick glimpse I don't think that this would solve the problem. This code does not restrict the signature algorithms available for certificate verification, but rather the signature algorithms that will be used during the TLS handshake. As I understand (but cannot deduce because the logs available are very limited) the client advertises only support for SHA512 hash in the signature algorithms extension. Unfortunately that version of gnutls could only work with either SHA1 or SHA256 in the TLS 1.2 handshake and this is what this check takes care of. So I will not commit this patch, but nevertheless, I think the issue is easy solvable, as it is just a misconfiguration of the client. Just make sure it does not only support SHA512. regards, Nikos From nmav at gnutls.org Fri Mar 21 08:51:19 2014 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Fri, 21 Mar 2014 08:51:19 +0100 Subject: [gnutls-devel] RSA-SHA512 signature support for gnutls 2.12.x In-Reply-To: <1395338786.4183.7.camel@nomad.lan> References: <20140320160232.GB3241@downhill.g.la> <1395338786.4183.7.camel@nomad.lan> Message-ID: On Thu, Mar 20, 2014 at 7:06 PM, Nikos Mavrogiannopoulos wrote: >> GnuTLS 2.12.x seems to fail to connect to servers using a cert signed >> with RSA-SHA512. Since cacert.org seems to be using RSA-SHA512 this >> has become more important. >> More details in abovementioned bugreport. >> Ivan Shmakov has provided attached patch for >> GnuTLS 2.12.x. Could you please review it (and if this is successful >> integrate to GIT). > Hello Andreas, > From a quick glimpse I don't think that this would solve the problem. > This code does not restrict the signature algorithms available for > certificate verification, but rather the signature algorithms that will > be used during the TLS handshake. As I understand (but cannot deduce > because the logs available are very limited) the client advertises only > support for SHA512 hash in the signature algorithms extension. > Unfortunately that version of gnutls could only work with either SHA1 or > SHA256 in the TLS 1.2 handshake and this is what this check takes care > of. It seems I was wrong on that assessment. It is a different issue. That code tries to enforce the TLS 1.2 (rfc5246) requirement: "If the client provided a "signature_algorithms" extension, then all certificates provided by the server MUST be signed by a hash/signature algorithm pair that appears in that extension." and it seems is buggy when the server has a sha512 certificate. That code was removed in the end as the reporter noticed [*], so I guess re-applying that patch would fix the issue (I cannot check whether there were followups in that fix or other related changes). Alternatively you could disable TLS 1.2 in that version of gnutls. regards, Nikos [*]. The reason was that the server has no say in which algorithm the CA will sign its certificate with, so there was an implementer consensus in the TLS WG to ignore this protocol requirement. From noloader at gmail.com Sat Mar 22 04:04:13 2014 From: noloader at gmail.com (Jeffrey Walton) Date: Fri, 21 Mar 2014 23:04:13 -0400 Subject: [gnutls-devel] More hostname matching goodness Message-ID: Hi Gentleman/Nikos, Here's another that looks illegal per the RFCs and CA/B Baseline. Create a server cert with a single SAN of "WWW.*.COM": $ openssl x509 -in server-rsa-cert.pem -text -noout Certificate: Data: Version: 3 (0x2) Serial Number: 9008050290962543110 (0x7d0306034fad3206) Signature Algorithm: sha256WithRSAEncryption Issuer: C=US, O=Example, LLC, CN=Example CA Validity Not Before: Jan 1 00:00:00 2014 GMT Not After : Jan 1 00:00:00 2024 GMT Subject: O=Example, LLC, CN=Example Certificate Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: 00:b0:3b:86:b8:17:4e:0f:b7:d5:ff:9b:4a:16:32: ... aa:7a:2e:24:75:25:20:e6:5e:5c:c2:67:56:0f:14: dd:0b Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Subject Alternative Name: DNS:www.*.com X509v3 Basic Constraints: CA:FALSE X509v3 Key Usage: Digital Signature, Key Encipherment, Key Agreement X509v3 Subject Key Identifier: B5:AF:38:82:0C:C4:32:6E:9F:F5:F1:97:83:49:26:8D:AB:CB:3C:88 X509v3 Authority Key Identifier: keyid:B1:77:69:71:06:C6:25:90:28:B8:BA:49:70:A1:2F:3F:0F:32:C0:3C ... Start the server: $ openssl s_server -accept 8443 -www -certform PEM -cert server-rsa-cert-2.pem -keyform PEM -key server-rsa-key-plain.pem -tls1 -cipher HIGH:-EDH:-DHE Make a client request trusting the exemplary CA: $ echo -e "GET / HTTP/1.0\r\n" | gnutls-cli --x509cafile ca-rsa-cert.pem www.example.com --port 8443 Processed 1 CA certificate(s). Resolving 'www.example.com'... Connecting to '127.0.0.1:8443'... - Certificate type: X.509 - Got a certificate list of 1 certificates. - Certificate[0] info: - subject `O=Example\, LLC,CN=Example Certificate', issuer `C=USO=Example\, LLC,CN=Example CA', RSA key 2048 bits, signed using RSA-SHA256, activated `2014-01-01 00:00:00 UTC', expires `2024-01-01 00:00:00 UTC', SHA-1 fingerprint `bc1c3a33d91dfeb60b0d6083921041f7ffd7dbfa' - The hostname in the certificate matches 'www.example.com'. - Peer's certificate is trusted - Version: TLS1.0 - Key Exchange: RSA - Cipher: AES-128-CBC - MAC: SHA1 - Compression: NULL - Handshake was completed - Simple Client Mode: ***** I also found a server certificate with two SANs is most useful: one "*.COM", and one "WWW.*.COM". I've also got a really cool "one cert to rule them all". Its got the top levels (*.COM, *.NET, etc) and the named host variants (WWW.*.COM, WWW.*.NET, MAIL.*.COM, MAIL.*.NET, FTP.*.COM, FTP.*.NET). Jeffrey Walton Baltimore, MD, US From nmav at gnutls.org Mon Mar 24 09:45:59 2014 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Mon, 24 Mar 2014 09:45:59 +0100 Subject: [gnutls-devel] More hostname matching goodness In-Reply-To: References: Message-ID: On Sat, Mar 22, 2014 at 4:04 AM, Jeffrey Walton wrote: > Hi Gentleman/Nikos, > Here's another that looks illegal per the RFCs and CA/B Baseline. > Create a server cert with a single SAN of "WWW.*.COM": Hello Jeffrey, This is a legal wildcard based on an rfc2818 interpretation that our wildcard parser was based on. I agree with you that wildcard support shouldn't extend so much. I have already limited the scope of wildcards to just a left-most '*' in gnutls 3.3.0 (to follow rfc6125), with the intention to completely drop wildcard support at some point. I'll also restrict the code of existing releases (3.2 and 3.1) to two domain components after the wildcard rule, to reduce any compatibility issues. Thank you for bringing these issues up. regards, Nikos From nmav at gnutls.org Mon Mar 24 21:19:04 2014 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Mon, 24 Mar 2014 21:19:04 +0100 Subject: [gnutls-devel] More hostname matching goodness In-Reply-To: References: Message-ID: <1395692344.4227.4.camel@nomad.lan> On Mon, 2014-03-24 at 15:28 -0400, James Cloos wrote: > NM> with the intention to completely drop wildcard support at some point. > Wildcard support should remain indefinitely. > It is superior to listing every match in the cert. Having to churn > certs just because new hosts are added is riskier than using wildcards. Hello, I am not really sure about it. It does not make much sense to re-use the same key and certificate in a large number of hosts. It pretty much ensures that if any of the hosts is compromised, all of them will. The main reason this was done is in order to reduce the costs to CA-issued certificates, but I don't think that this is still the case. > NM> I'll also restrict the code of existing releases (3.2 and 3.1) to two > NM> domain components after the wildcard rule, > Do you mean at least two right of the wildcard or that the wildcard will > match at most two? At least two components right of the wildcard. regards, Nikos From cloos at jhcloos.com Mon Mar 24 20:28:03 2014 From: cloos at jhcloos.com (James Cloos) Date: Mon, 24 Mar 2014 15:28:03 -0400 Subject: [gnutls-devel] More hostname matching goodness In-Reply-To: (Nikos Mavrogiannopoulos's message of "Mon, 24 Mar 2014 09:45:59 +0100") References: Message-ID: >>>>> "NM" == Nikos Mavrogiannopoulos writes: NM> with the intention to completely drop wildcard support at some point. Wildcard support should remain indefinitely. It is superior to listing every match in the cert. Having to churn certs just because new hosts are added is riskier than using wildcards. NM> I'll also restrict the code of existing releases (3.2 and 3.1) to two NM> domain components after the wildcard rule, Do you mean at least two right of the wildcard or that the wildcard will match at most two? -JimC -- James Cloos OpenPGP: 1024D/ED7DAEA6 From noloader at gmail.com Mon Mar 24 21:36:45 2014 From: noloader at gmail.com (Jeffrey Walton) Date: Mon, 24 Mar 2014 16:36:45 -0400 Subject: [gnutls-devel] More hostname matching goodness In-Reply-To: <1395692344.4227.4.camel@nomad.lan> References: <1395692344.4227.4.camel@nomad.lan> Message-ID: On Mon, Mar 24, 2014 at 4:19 PM, Nikos Mavrogiannopoulos wrote: > On Mon, 2014-03-24 at 15:28 -0400, James Cloos wrote: > >> NM> with the intention to completely drop wildcard support at some point. >> Wildcard support should remain indefinitely. >> It is superior to listing every match in the cert. Having to churn >> certs just because new hosts are added is riskier than using wildcards. > > I am not really sure about it. It does not make much sense to re-use > the same key and certificate in a large number of hosts. I can't speak for a lot of the use cases you probably encounter, but I abandoned key rotation some time ago. Now I practice key continuity and re-certify the same key from year to year (sans an event like a key compromise). I do ue a different key for each service (www vs mail, etc). Key continuity appears to be a more desirable property. Key re-certification helps a lot when security diversification techniques are used, like public key pinning. Its also being practiced by folks like Google. Google's certs expire every 30 days or so, while the same public key is re-certifed. Now we need a Public Key Patrol rather than a Cert Patrol. Cert Patrol has become much too noisy because its looking for changes in the wrong places. > It pretty much > ensures that if any of the hosts is compromised, all of them will. I think they are the same problem in a shared hosting environment. If a server get compromised, then it does not matter if the bad guy has to egress 1 key or 1000 keys. The compromise occurred, and the keys are leaving. I also look at it like this: pre-SNI, there were super certs with hundreds of domains under the same key. It does not matter if its one key/cert/lots of domains or lots of keys/single certs/lots of domains. Again, the private keys are leaving regardless of how they are bound and presented. If you are talking about a host with different services (www, mail, openssh), then I don't see it being much different. Once the bad guy gets in, the keys are probably going to leave with him or her. Jeff From nmav at gnutls.org Tue Mar 25 09:55:20 2014 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Tue, 25 Mar 2014 09:55:20 +0100 Subject: [gnutls-devel] More hostname matching goodness In-Reply-To: References: <1395692344.4227.4.camel@nomad.lan> Message-ID: On Mon, Mar 24, 2014 at 9:36 PM, Jeffrey Walton wrote: >>> NM> with the intention to completely drop wildcard support at some point. >>> Wildcard support should remain indefinitely. >>> It is superior to listing every match in the cert. Having to churn >>> certs just because new hosts are added is riskier than using wildcards. >> I am not really sure about it. It does not make much sense to re-use >> the same key and certificate in a large number of hosts. > I can't speak for a lot of the use cases you probably encounter, but I > abandoned key rotation some time ago. Now I practice key continuity > and re-certify the same key from year to year (sans an event like a > key compromise). I do ue a different key for each service (www vs > mail, etc). > Key continuity appears to be a more desirable property. Key > re-certification helps a lot when security diversification techniques > are used, like public key pinning. Its also being practiced by folks > like Google. Google's certs expire every 30 days or so, while the same > public key is re-certifed. Note that my comment is on re-using keys on a large number of hosts, not on generating new keys on every certificate update. Key continuity is a good thing and we try to take advantage of it by providing the trust on first use API: http://www.gnutls.org/manual/html_node/Verifying-a-certificate-using-trust-on-first-use-authentication.html > Now we need a Public Key Patrol rather than a Cert Patrol. Cert Patrol > has become much too noisy because its looking for changes in the wrong > places. I certainly agree. >> It pretty much >> ensures that if any of the hosts is compromised, all of them will. > I think they are the same problem in a shared hosting environment. If > a server get compromised, then it does not matter if the bad guy has > to egress 1 key or 1000 keys. The compromise occurred, and the keys > are leaving. > I also look at it like this: pre-SNI, there were super certs with > hundreds of domains under the same key. It does not matter if its one > key/cert/lots of domains or lots of keys/single certs/lots of domains. > Again, the private keys are leaving regardless of how they are bound > and presented. I find it is better to have individual certificates that share the same private key, rather than allowing wildcard certificates (that still share the same private key). In the latter case you have a certificate for an unlimited amount of hosts, while in the former, just for the set you're interested in. In any case, the plan to completely remove wildcards is in the long-run, it is not going to happen in the next release of gnutls. Possibly the decision will be based on data of their actual usage. regards, Nikos From dkg at fifthhorseman.net Wed Mar 26 23:25:47 2014 From: dkg at fifthhorseman.net (Daniel Kahn Gillmor) Date: Wed, 26 Mar 2014 18:25:47 -0400 Subject: [gnutls-devel] [PATCH] update README to reflect gmplib licensing change Message-ID: <1395872747-9491-1-git-send-email-dkg@fifthhorseman.net> As of version 6.0.0, gmplib moved its licensing from LGPLv3+ to a dual-license LGPLv3+/GPLv2+ license. This licensing change affects the licenses under which versions of GnuTLS can be redistributed. Update the README to reflect this change. --- README | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/README b/README index be27c68..beff45e 100644 --- a/README +++ b/README @@ -104,11 +104,13 @@ LICENSING Since GnuTLS version 3.1.10, the core library has been released under the GNU Lesser General Public License (LGPL) version 2.1 or later. -Note, however, that new versions of the gmplib library used by GnuTLS -are distributed under LGPLv3, and as such binaries of this library -need to be distributed under LGPLv3. If this is undesirable older -versions of the gmplib which are under LGPLv2.1 (e.g., version 4.2.1) -may be used instead. +Note, however, that version 6.0.0 and later of the gmplib library used +by GnuTLS are distributed under a LGPLv3+ or GPLv2+ dual license, and +as such binaries of this library need to be distributed under the same +LGPLv3+ or GPLv2+ dual license. If this is undesirable older versions +of the gmplib which are under LGPLv2.1 (e.g., version 4.2.1) may be +used instead. (gmplib versions between 4.2.2 through 5.1.3 were +licensed under LGPLv3+ only). The GNU LGPL applies to the main GnuTLS library, while the included applications as well as gnutls-openssl -- 1.9.0 From nmav at gnutls.org Thu Mar 27 09:11:37 2014 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Thu, 27 Mar 2014 09:11:37 +0100 Subject: [gnutls-devel] [PATCH] update README to reflect gmplib licensing change In-Reply-To: <1395872747-9491-1-git-send-email-dkg@fifthhorseman.net> References: <1395872747-9491-1-git-send-email-dkg@fifthhorseman.net> Message-ID: <1395907897.7496.0.camel@nomad.lan> On Wed, 2014-03-26 at 18:25 -0400, Daniel Kahn Gillmor wrote: > As of version 6.0.0, gmplib moved its licensing from LGPLv3+ to a > dual-license LGPLv3+/GPLv2+ license. > > This licensing change affects the licenses under which versions of > GnuTLS can be redistributed. Thank you. It is applied. regards, Nikos From nmav at gnutls.org Thu Mar 27 17:54:46 2014 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Thu, 27 Mar 2014 17:54:46 +0100 Subject: [gnutls-devel] gnutls 3.3.0pre0 Message-ID: <1395939286.30082.0.camel@nomad.lan> Hello, I've just released gnutls 3.3.0pre0. This is a pre-release of the next stable branch, which adds new features, optimizations and cleanups to the GnuTLS library. * Version 3.3.0 (pre-release 2014-03-27) ** libgnutls: The initialization of the library was moved to a constructor. That is, gnutls_global_init() is no longer required unless linking with a static library or a system that does not support library constructors. ** libgnutls: static libraries are not built by default. ** libgnutls: PKCS #11 initialization is delayed to first usage. That avoids long delays in gnutls initialization due to broken PKCS #11 modules. ** libgnutls: The PKCS #11 subsystem is re-initialized "automatically" on the first PKCS #11 API call after a fork. ** libgnutls: certificate verification profiles were introduced that can be specified as flags to verification functions. They are enumerations in gnutls_certificate_verification_profiles_t and can be converted to flags using GNUTLS_PROFILE_TO_VFLAGS() ** libgnutls: Added the SYSTEM priority string initial keyword. That allows a compile-time specified configuration file to be used to read the priorities. That can be used to impose system specific policies. ** libgnutls: Increased the default security level of priority strings (NORMAL and PFS strings require at minimum a 1008 DH prime), and set a verification profile by default. The LEGACY keyword is introduced to set the old defaults. ** libgnutls: Added support for the name constraints PKIX extension. Currently only DNS names and e-mails are supported (no URIs, IPs or DNs). ** libgnutls: Security parameter SEC_PARAM_NORMAL was renamed to SEC_PARAM_MEDIUM to avoid confusion with the priority string NORMAL. ** libgnutls: Added new API in x509-ext.h to handle X.509 extensions. This API handles the X.509 extensions in isolation, allowing to parse similarly formatted extensions stored in other structures. ** libgnutls: When generating DSA keys the macro GNUTLS_SUBGROUP_TO_BITS can be used to specify a particular subgroup as the number of bits in gnutls_privkey_generate; e.g., GNUTLS_SUBGROUP_TO_BITS(2048, 256). ** libgnutls: DH parameter generation is now delegated to nettle. That unfortunately has the side-effect that DH parameters longer than 3072 bits, cannot be generated (not without a nettle update). ** libgnutls: Separated nonce RNG from the main RNG. The nonce random number generator is based on salsa20/12. ** libgnutls: The buffer alignment provided to crypto backend is enforced to be 16-byte aligned, when compiled with cryptodev support. That allows certain cryptodev drivers to operate more efficiently. ** libgnutls: Depend on p11-kit 0.20.0 or later. ** libgnutls: The new padding (%NEW_PADDING) experimental TLS extension has been removed. It was not approved by IETF. ** libgnutls: The experimental xssl library is removed from the gnutls distribution. ** libgnutls: Reduced the number of gnulib modules used. ** certtool: Timestamps for serial numbers were increased to 8 bytes, and in batch mode to 12 (appended with 4 random bytes). ** libgnutls: Added --enable-fips140-mode configuration option (unsupported). That option enables (when running on FIPS140-enabled system): o RSA, DSA and DH key generation as in FIPS-186-4 (using provable primes) o The DRBG-CTR-AES256 deterministic random generator from SP800-90A. o Self-tests on initialization on ciphers/MACs, public key algorithms and the random generator. o HMAC-SHA256 verification of the library on load. o MD5 is included for TLS purposes but cannot be used by the high level hashing functions. o All ciphers except AES are disabled. o All MACs and hashes except GCM and SHA are disabled (e.g., HMAC-MD5). o All keys (temporal and long term) are zeroized after use. o Security levels are adjusted to the FIPS140-2 recommendations (rather than ECRYPT). ** API and ABI modifications: gnutls_privkey_generate: Added gnutls_pkcs11_crt_is_known: Added gnutls_fips140_mode_enabled: Added gnutls_sec_param_to_symmetric_bits: Added gnutls_pubkey_export_ecc_x962: Added (replaces gnutls_pubkey_get_pk_ecc_x962) gnutls_pubkey_export_ecc_raw: Added (replaces gnutls_pubkey_get_pk_ecc_raw) gnutls_pubkey_export_dsa_raw: Added (replaces gnutls_pubkey_get_pk_dsa_raw) gnutls_pubkey_export_rsa_raw: Added (replaces gnutls_pubkey_get_pk_rsa_raw) gnutls_pubkey_verify_params: Added gnutls_privkey_export_ecc_raw: Added gnutls_privkey_export_dsa_raw: Added gnutls_privkey_export_rsa_raw: Added gnutls_privkey_import_ecc_raw: Added gnutls_privkey_import_dsa_raw: Added gnutls_privkey_import_rsa_raw: Added gnutls_privkey_verify_params: Added gnutls_x509_name_constraints_init: Added gnutls_x509_name_constraints_deinit: Added gnutls_x509_crt_get_name_constraints: Added gnutls_x509_name_constraints_add_permitted: Added gnutls_x509_name_constraints_add_excluded: Added gnutls_x509_crt_set_name_constraints: Added gnutls_x509_name_constraints_get_permitted: Added gnutls_x509_name_constraints_get_excluded: Added gnutls_x509_name_constraints_check: Added gnutls_x509_name_constraints_check_crt: Added gnutls_x509_crl_get_extension_data2: Added gnutls_x509_crt_get_extension_data2: Added gnutls_x509_crq_get_extension_data2: Added gnutls_subject_alt_names_init: Added gnutls_subject_alt_names_deinit: Added gnutls_subject_alt_names_get: Added gnutls_subject_alt_names_set: Added gnutls_x509_ext_import_subject_alt_names: Added gnutls_x509_ext_export_subject_alt_names: Added gnutls_x509_crl_dist_points_init: Added gnutls_x509_crl_dist_points_deinit: Added gnutls_x509_crl_dist_points_get: Added gnutls_x509_crl_dist_points_set: Added gnutls_x509_ext_import_crl_dist_points: Added gnutls_x509_ext_export_crl_dist_points: Added gnutls_x509_ext_import_name_constraints: Added gnutls_x509_ext_export_name_constraints: Added gnutls_x509_aia_init: Added gnutls_x509_aia_deinit: Added gnutls_x509_aia_get: Added gnutls_x509_aia_set: Added gnutls_x509_ext_import_aia: Added gnutls_x509_ext_export_aia: Added gnutls_x509_ext_import_subject_key_id: Added gnutls_x509_ext_export_subject_key_id: Added gnutls_x509_ext_export_authority_key_id: Added gnutls_x509_ext_import_authority_key_id: Added gnutls_x509_aki_init: Added gnutls_x509_aki_get_id: Added gnutls_x509_aki_get_cert_issuer: Added gnutls_x509_aki_set_id: Added gnutls_x509_aki_set_cert_issuer: Added gnutls_x509_aki_deinit: Added gnutls_x509_ext_import_private_key_usage_period: Added gnutls_x509_ext_export_private_key_usage_period: Added gnutls_x509_ext_import_basic_constraints: Added gnutls_x509_ext_export_basic_constraints: Added gnutls_x509_ext_import_key_usage: Added gnutls_x509_ext_export_key_usage: Added gnutls_x509_ext_import_proxy: Added gnutls_x509_ext_export_proxy: Added gnutls_x509_policies_init: Added gnutls_x509_policies_deinit: Added gnutls_x509_policies_get: Added gnutls_x509_policies_set: Added gnutls_x509_ext_import_policies: Added gnutls_x509_ext_export_policies: Added gnutls_x509_key_purpose_init: Added gnutls_x509_key_purpose_deinit: Added gnutls_x509_key_purpose_set: Added gnutls_x509_key_purpose_get: Added gnutls_x509_ext_import_key_purposes: Added gnutls_x509_ext_export_key_purposes: Added gnutls_digest_self_test: Added (conditionally) gnutls_mac_self_test: Added (conditionally) gnutls_pk_self_test: Added (conditionally) gnutls_cipher_self_test: Added (conditionally) gnutls_global_set_mem_functions: Deprecated Getting the Software ==================== GnuTLS may be downloaded directly from . A list of GnuTLS mirrors can be found at . Here are the XZ and LZIP compressed sources: ftp://ftp.gnutls.org/gcrypt/gnutls/v3.3/gnutls-3.3.0pre0.tar.xz ftp://ftp.gnutls.org/gcrypt/gnutls/v3.3/gnutls-3.3.0pre0.tar.lz Here are OpenPGP detached signatures signed using key 0x96865171: ftp://ftp.gnutls.org/gcrypt/gnutls/v3.3/gnutls-3.3.0pre0.tar.xz.sig ftp://ftp.gnutls.org/gcrypt/gnutls/v3.3/gnutls-3.3.0pre0.tar.lz.sig Note that it has been signed with my openpgp key: pub 3104R/96865171 2008-05-04 [expires: 2028-04-29] uid Nikos Mavrogiannopoulos gnutls.org> uid Nikos Mavrogiannopoulos gmail.com> sub 2048R/9013B842 2008-05-04 [expires: 2018-05-02] sub 2048R/1404A91D 2008-05-04 [expires: 2018-05-02] regards, Nikos From ametzler at bebt.de Sun Mar 30 19:37:53 2014 From: ametzler at bebt.de (Andreas Metzler) Date: Sun, 30 Mar 2014 19:37:53 +0200 Subject: [gnutls-devel] 3.3.0pre0 - [sparc] Bus error on chainverify test Message-ID: <20140330173753.GB3217@downhill.g.la> Hello, 3.3.0pre0's testsuite produces an error on sparc: ------------- (sid_sparc-dchroot)ametzler at smetana:~/GNUTLS/gnutls28-3.3.0~pre0$ ./tests/chainverify Bus error (sid_sparc-dchroot)ametzler at smetana:~/GNUTLS/gnutls28-3.3.0~pre0$ ------------- (gdb) run Starting program: /home/ametzler/GNUTLS/gnutls28-3.3.0~pre0/./tests/chainverify [Thread debugging using libthread_db enabled] Using host libthread_db library "/lib/sparc-linux-gnu/libthread_db.so.1". Program received signal SIGBUS, Bus error. asn1_delete_structure2 (structure=0x1bf10, flags=0) at structure.c:315 315 if (p->down) (gdb) bt #0 asn1_delete_structure2 (structure=0x1bf10, flags=0) at structure.c:315 #1 0xf7f3f18c in gnutls_x509_crt_import (cert=0x1bf10, data=0xffffd668, format=GNUTLS_X509_FMT_PEM) at x509.c:207 #2 0x00010f40 in doit () at chainverify.c:1279 #3 0x00010b30 in main (argc=0, argv=0xffffd7c4) at utils.c:146 (gdb) ------------- I have built against included minitasn for improved debugging output. cu Andreas -- `What a good friend you are to him, Dr. Maturin. His other friends are so grateful to you.' `I sew his ears on from time to time, sure' From nmav at gnutls.org Mon Mar 31 10:16:06 2014 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Mon, 31 Mar 2014 10:16:06 +0200 Subject: [gnutls-devel] 3.3.0pre0 - [sparc] Bus error on chainverify test In-Reply-To: <20140330173753.GB3217@downhill.g.la> References: <20140330173753.GB3217@downhill.g.la> Message-ID: On Sun, Mar 30, 2014 at 7:37 PM, Andreas Metzler wrote: > Hello, > 3.3.0pre0's testsuite produces an error on sparc: > ------------- > (sid_sparc-dchroot)ametzler at smetana:~/GNUTLS/gnutls28-3.3.0~pre0$ ./tests/chainverify > Bus error > (sid_sparc-dchroot)ametzler at smetana:~/GNUTLS/gnutls28-3.3.0~pre0$ > ------------- > (gdb) run > Starting program: /home/ametzler/GNUTLS/gnutls28-3.3.0~pre0/./tests/chainverify > [Thread debugging using libthread_db enabled] > Using host libthread_db library "/lib/sparc-linux-gnu/libthread_db.so.1". > Program received signal SIGBUS, Bus error. > asn1_delete_structure2 (structure=0x1bf10, flags=0) at structure.c:315 > 315 if (p->down) > (gdb) bt > #0 asn1_delete_structure2 (structure=0x1bf10, flags=0) at structure.c:315 > #1 0xf7f3f18c in gnutls_x509_crt_import (cert=0x1bf10, data=0xffffd668, > format=GNUTLS_X509_FMT_PEM) at x509.c:207 > #2 0x00010f40 in doit () at chainverify.c:1279 Thank you. That's a pretty weird issue as I can't see what could have caused an alignment problem at this code, and this code shouldn't have been called at all. I'll try to check it soon. regards, Nikos