Simon Josefsson | 11 Jun 00:19

GnuTLS 2.3.14 - third release candidate for 2.4.0

This is the third release candidate for 2.4.0.  Anything that doesn't live
up to the expectations on a stable release should be reported before
this turns into the real 2.4.0.  We hope to release 2.4.0 within a week
or two.  I'm going away a few days, but will be back next Monday.  If
there has been no reports then, perhaps I can release 2.4.0 early next
week....

The goals for the 2.3.x branch are tracked at:

http://trac.gnutls.org/cgi-bin/trac.cgi/milestone/gnutls-2.4

Alas, the spammers have found our trac site so it is almost useless. :(
Hopefully I can move it to another host soon...  Is anyone interested in
helping to admin it?  Can anyone sponsor a VPS to run this on?  Help!

More ideas are welcome, just create a new ticket.

Here are the compressed sources:
  http://alpha.gnu.org/gnu/gnutls/gnutls-2.3.14.tar.bz2
  ftp://alpha.gnu.org/gnu/gnutls/gnutls-2.3.14.tar.bz2

No Windows binaries for this release because the openpgp-certs self-test
failed under Wine, I'll investigate and fix before 2.4.0.

Improving GnuTLS is costly, but you can help!  We are looking for
organizations that find GnuTLS useful and wish to contribute back.
You can contribute by reporting bugs, improving the software, or donating
money or equipment.

Commercial support contracts for GnuTLS are available, and they help

Simon Josefsson | 11 Jun 10:41

openpgp-certs failure under wine

The gnutls-serv started from openpgp-certs doesn't seem to start under
Wine, here is the output:

jas <at> mocca:~/gnutls4win/build/gnutls-2.3.14/tests/openpgp-certs$ ../../src/gnutls-serv -q -p
5557 --pgpcertfile
../../../../src/gnutls-2.3.14/tests/openpgp-certs/srv-public-127.0.0.1-signed.gpg
--pgpkeyfile ../../../../src/gnutls-2.3.14/tests/openpgp-certs/srv-secret.gpg -d 4711
NOTE: you should run 'diskperf -y' to enable the disk statistics
DBG: rndw32: get performance data problem: ec=2
Set static Diffie Hellman parameters, consider --dhparams.
|<2>| ASSERT: ../../../../src/gnutls-2.3.14/lib/openpgp/privkey.c:125
|<2>| ASSERT: ../../../src/gnutls-2.3.14/lib/gnutls_openpgp.c:379
|<2>| ASSERT: ../../../src/gnutls-2.3.14/lib/gnutls_openpgp.c:500
Error[-59] while reading the OpenPGP key pair
('../../../../src/gnutls-2.3.14/tests/openpgp-certs/srv-public-127.0.0.1-signed.gpg', '../../../../src/gnutls-2.3.14/tests/openpgp-certs/srv-secret.gpg')
Error: GnuTLS internal error.
Echo Server ready. Listening to port '5557'.

select(): Success
jas <at> mocca:~/gnutls4win/build/gnutls-2.3.14/tests/openpgp-certs$ 

I can reproduce the openpgp key import error using certtool and the
particular OpenPGP file:

jas <at> mocca:~/gnutls4win/build/gnutls-2.3.14/tests/openpgp-certs$
~/gnutls4win/build/gnutls-2.3.14/src/certtool --pgp-certificate-info --infile
../../../../src/gnutls-2.3.14/tests/openpgp-certs/srv-public-127.0.0.1-signed.gpg -d 4711
NOTE: you should run 'diskperf -y' to enable the disk statistics
DBG: rndw32: get performance data problem: ec=2
|<2>| ASSERT: ../../../../src/gnutls-2.3.14/lib/openpgp/pgp.c:124

Re: openpgp-certs failure under wine

> Tracing it further, it seems OpenCDK is returning EOF when parsing
> the OpenPGP key, I'm not sure why.
>
> Nikos, can you reproduce this?  You'll need to install mingw32, wine,
> binfmt-support and run ./configure --host=i586-mingw32msvc
> --build=i686-pc-linux-gnu if you are using debian.

Unfortunately not. gnutls couldn't compile with the setup (something
about missing libgcrypt etc).

> I'm leaving now, but will look into this next week unless you or someone
> else has had time to debug it.

I'm also leaving for holidays today so I'll be unable to work on this soon.

regards,
Nikos
Simon Josefsson | 15 Jun 23:05

Re: openpgp-certs failure under wine

"Nikos Mavrogiannopoulos" <n.mavrogiannopoulos <at> gmail.com> writes:

>> Tracing it further, it seems OpenCDK is returning EOF when parsing
>> the OpenPGP key, I'm not sure why.
>>
>> Nikos, can you reproduce this?  You'll need to install mingw32, wine,
>> binfmt-support and run ./configure --host=i586-mingw32msvc
>> --build=i686-pc-linux-gnu if you are using debian.
>
> Unfortunately not. gnutls couldn't compile with the setup (something
> about missing libgcrypt etc).
>
>> I'm leaving now, but will look into this next week unless you or someone
>> else has had time to debug it.
>
> I'm also leaving for holidays today so I'll be unable to work on this soon.

It seems the self-test also fails under Debian buildds:

http://bugs.debian.org/486269

I guess the use of 127.0.0.2 isn't portable?

Anyway, I think the simplest thing to do is to disable the self-test for
now, it was added too late in the release cycle and we don't have time
to work out the problems with it.  We can fix it in the 2.5.x branch.

/Simon
Daniel Kahn Gillmor | 12 Jun 16:46

Re: GnuTLS 2.3.14 - third release candidate for 2.4.0

On Tue 2008-06-10 18:23:01 -0400, Simon Josefsson wrote:

> * Version 2.3.14 (released 2008-06-11)
>
> ** libgnutls [OpenPGP]: Changed OpenPGP verification behaviour.
> An OpenPGP certificate is now only considered verified if all the user
> IDs are verified.

I've tested this change against Andreas Metzler's debian packaging of
2.3.14, and it looks correct.  A single unverifiable User ID on the
certificate causes verification failure.  This "fail closed" behavior
is significantly better than the earlier "fail open" behavior.
Thanks!

Hopefully for gnutls 2.6 we can cook up more nuanced OpenPGP
certificate verification, where irrelevant unverified UserIDs don't
cause a failure.

Thanks for all the work on this,

       --dkg
_______________________________________________
Gnutls-devel mailing list
Gnutls-devel <at> gnu.org
http://lists.gnu.org/mailman/listinfo/gnutls-devel
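As an added illustration (not GnuTLS code) of the verification change dkg tested above, the following Python models the old fail-open rule, the 2.3.14 all-user-IDs rule, and the per-name variant he hopes for; the key IDs, user IDs and trusted keyring are constructed for the example.

```python
from dataclasses import dataclass


@dataclass
class UserID:
    name: str
    certifiers: frozenset  # key IDs that placed a certification signature on this user ID


@dataclass
class Certificate:
    primary_key_id: str
    uids: list


def uid_verified(uid: UserID, trusted: frozenset) -> bool:
    # A user ID is verified when some trusted key certified it.  A bare
    # self-signature proves nothing unless the primary key itself is trusted.
    return bool(uid.certifiers & trusted)


def verify_fail_open(cert: Certificate, trusted: frozenset) -> bool:
    """Pre-2.3.14 behaviour: one verifiable user ID is enough."""
    return any(uid_verified(u, trusted) for u in cert.uids)


def verify_fail_closed(cert: Certificate, trusted: frozenset) -> bool:
    """2.3.14 behaviour: every user ID must verify, else the whole cert fails."""
    return all(uid_verified(u, trusted) for u in cert.uids)


def verify_for_name(cert: Certificate, trusted: frozenset, name: str) -> bool:
    """Nuanced variant dkg hopes for (hypothetical, not GnuTLS code): only the
    user ID the peer is being authenticated as must verify; others are ignored."""
    matching = [u for u in cert.uids if u.name == name]
    return bool(matching) and all(uid_verified(u, trusted) for u in matching)


def accept_peer(cert: Certificate, trusted: frozenset, name: str, policy) -> bool:
    """Typical application check: cert verified under `policy` AND the expected
    name appears among its user IDs.  Under fail-open this accepts a name that
    no trusted key ever certified."""
    return policy(cert, trusted) and any(u.name == name for u in cert.uids)


# Constructed sample: key 0x5E4F has one user ID certified by the trusted key
# 0xCA11 and a second, later-added user ID carrying only its own self-signature.
TRUSTED = frozenset({"0xCA11"})
SERVER = Certificate("0x5E4F", [
    UserID("srv@127.0.0.1", frozenset({"0x5E4F", "0xCA11"})),
    UserID("admin@example.invalid", frozenset({"0x5E4F"})),
])
```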
Simon Josefsson | 15 Jun 23:03

Re: GnuTLS 2.3.14 - third release candidate for 2.4.0

Daniel Kahn Gillmor <dkg <at> fifthhorseman.net> writes:

> On Tue 2008-06-10 18:23:01 -0400, Simon Josefsson wrote:
>
>> * Version 2.3.14 (released 2008-06-11)
>>
>> ** libgnutls [OpenPGP]: Changed OpenPGP verification behaviour.
>> An OpenPGP certificate is now only considered verified if all the user
>> IDs are verified.
>
> I've tested this change against Andreas Metzler's debian packaging of
> 2.3.14, and it looks correct.  A single unverifiable User ID on the
> certificate causes verification failure.  This "fail closed" behavior
> is significantly better than the earlier "fail open" behavior.
> Thanks!
>
> Hopefully for gnutls 2.6 we can cook up more nuanced OpenPGP
> certificate verification, where irrelevant unverified UserIDs don't
> cause a failure.
>
> Thanks for all the work on this,

Great.  Thanks for confirming the status.  I think we are ready for
2.4.0, but I'll do another release candidate now to make sure.

/Simon
