[gnutls-devel] gnutls 3.5.11


[gnutls-devel] gnutls 3.5.11

Nikos Mavrogiannopoulos
Hello, 
 I've just released gnutls 3.5.11. This is a bug fix release on the
3.5.x branch.

* Version 3.5.11 (released 2017-04-07)

** gnutls.pc: do not include libtool options into Libs.private.

** libgnutls: Fixed issue when rehandshaking without a client certificate in
   a session which initially used one. Reported by Frantisek Sumsal.

** libgnutls: Addressed read of 4 bytes past the end of buffer in OpenPGP
   certificate parsing. Issues were found using the oss-fuzz project and were
   fixed by Alex Gaynor:
   https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=737
   https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=824

** libgnutls: Introduced locks in gnutls_pkcs11_privkey_t structure access.
   That allows PKCS#11 operations such as signing to be performed with the
   same object from multiple threads.

** libgnutls: Added support for MacOSX key chain for obtaining trust store's
   root CA certificates. That is, gnutls_x509_trust_list_add_system_trust() and
   gnutls_certificate_set_x509_system_trust() will load the certificates from
   the key chain. That also means that we no longer check for a default trust
   store file in configure when building on MacOSX (unless explicitly asked to).
   Patch by David Caldwell.

** libgnutls: when disabling OpenPGP authentication, the resulting library
   is ABI compatible (with openpgp related functions being stubs that fail
   on invocation).

** API and ABI modifications:
No changes since last version.


Getting the Software
====================

GnuTLS may be downloaded directly from
<ftp://ftp.gnutls.org/gcrypt/gnutls/>.  A list of GnuTLS mirrors can be
found at <http://www.gnutls.org/download.html>.

Here are the XZ compressed sources:

  ftp://ftp.gnutls.org/gcrypt/gnutls/v3.5/gnutls-3.5.11.tar.xz

Here are OpenPGP detached signatures signed using key 0x96865171:

  ftp://ftp.gnutls.org/gcrypt/gnutls/v3.5/gnutls-3.5.11.tar.xz.sig

Note that it has been signed with my openpgp key:
pub   3104R/96865171 2008-05-04 [expires: 2028-04-29]
uid                  Nikos Mavrogiannopoulos <nmav <at> gnutls.org>
uid                  Nikos Mavrogiannopoulos <n.mavrogiannopoulos <at> gmail.com>
sub   2048R/9013B842 2008-05-04 [expires: 2018-05-02]
sub   2048R/1404A91D 2008-05-04 [expires: 2018-05-02]

regards,
Nikos

_______________________________________________
Gnutls-devel mailing list
[hidden email]
http://lists.gnupg.org/mailman/listinfo/gnutls-devel

Re: [gnutls-devel] gnutls 3.5.11

Filipp Gunbin
Hello,

I seem to have trouble building with gcc-6.3.0 on macOS, can you help
please?

Filipp

/System/Library/Frameworks/CoreFoundation.framework/Headers/CFDateFormatter.h:53:34: error: 'introduced' undeclared here (not in a function)
     kCFISO8601DateFormatWithYear API_AVAILABLE(macosx(10.12), ios(10.0), watchos(3.0), tvos(10.0)) = (1UL << 0),
                                  ^
/System/Library/Frameworks/CoreFoundation.framework/Headers/CFURL.h:777:39: error: 'deprecated' undeclared here (not in a function)
 const CFStringRef kCFURLLabelColorKey API_DEPRECATED("Use NSURLLabelColorKey", macosx(10.6, 10.12), ios(4.0, 10.0), watchos(2.0, 3.0), tvos(9.0, 10.0));
                                       ^
/System/Library/Frameworks/CoreFoundation.framework/Headers/CFURL.h:777:39: error: 'message' undeclared here (not in a function)
 const CFStringRef kCFURLLabelColorKey API_DEPRECATED("Use NSURLLabelColorKey", macosx(10.6, 10.12), ios(4.0, 10.0), watchos(2.0, 3.0), tvos(9.0, 10.0));
                                       ^
In file included from /System/Library/Frameworks/Security.framework/Headers/AuthSession.h:32:0,
                 from /System/Library/Frameworks/Security.framework/Headers/Security.h:43,
                 from system/certs.c:49:
/System/Library/Frameworks/Security.framework/Headers/Authorization.h:192:7: error: variably modified 'bytes' at file scope
  char bytes[kAuthorizationExternalFormLength];


Re: [gnutls-devel] gnutls 3.5.11

Nikos Mavrogiannopoulos
On Fri, 2017-04-07 at 17:56 +0300, Filipp Gunbin wrote:
> Hello,
>
> I seem to have trouble building with gcc-6.3.0 on macOS, can you help
> please?

It seems that certain system headers do not compile with gcc on macosx.
You'll have to use clang at this point. Please follow up at:
https://gitlab.com/gnutls/gnutls/merge_requests/342

regards,
Nikos



Re: [gnutls-devel] gnutls 3.5.11

Andreas Radke-3
In reply to this post by Nikos Mavrogiannopoulos
With this new release the test suite fails here:

FAIL: trust-store
=================

doit:64: no certificates were found in system trust store!
FAIL trust-store (exit status: 1)



Any idea what has changed?

-Andy
Arch Linux


Re: [gnutls-devel] gnutls 3.5.11

Andreas Metzler-3
On 2017-04-08 Andreas Radke <[hidden email]> wrote:
> With this new release the test suite fails here:

> FAIL: trust-store
> =================

> doit:64: no certificates were found in system trust store!
> FAIL trust-store (exit status: 1)

> Any idea what has changed?

Hello,

This happens if gnutls is built with e.g.
--with-default-trust-store-file=/etc/ssl/certs/ca-certificates.crt
and /etc/ssl/certs/ca-certificates.crt is empty/non-existing when
running the testsuite.

cu Andreas
--
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
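
The condition described in the reply above (a build configured with --with-default-trust-store-file whose file is empty or missing when the test suite runs) can be checked before running the tests. This is an added example, not part of the thread or of GnuTLS; `check_trust_store_file` is a hypothetical helper, the sample files are constructed, and it covers only file-based trust stores, not PKCS#11 ones.

```shell
#!/bin/sh
# Added example; check_trust_store_file is a hypothetical helper, not GnuTLS code.
# Prints the number of PEM certificate blocks found in the file and returns
#   0 = at least one certificate
#   1 = path missing, dangling symlink, or not a regular file
#   2 = file exists but holds no PEM certificate
check_trust_store_file() {
    store=$1
    # -f follows symlinks, so a symlink passes only if its target is a file.
    if [ ! -f "$store" ]; then
        if [ -L "$store" ] && [ ! -e "$store" ]; then
            echo "dangling symlink: $store" >&2
        else
            echo "not a regular file: $store" >&2
        fi
        echo 0
        return 1
    fi
    # grep -c exits 1 when nothing matches but still prints 0.
    count=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$store" || true)
    count=${count:-0}
    echo "$count"
    [ "$count" -gt 0 ] || return 2
    return 0
}

# Constructed sample inputs (no real CA data): a bundle reached through a
# symlink, an empty file, and a dangling symlink.
demo=$(mktemp -d)
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQ=' \
    '-----END CERTIFICATE-----' > "$demo/tls-ca-bundle.pem"
ln -s tls-ca-bundle.pem "$demo/ca-certificates.crt"
: > "$demo/empty.crt"
ln -s no-such-file "$demo/dangling.crt"

for f in ca-certificates.crt empty.crt dangling.crt; do
    n=$(check_trust_store_file "$demo/$f" 2>/dev/null) && s=ok || s="rc=$?"
    echo "$f: $n certificate(s), $s"
done
```

On a build host, pass the path given to --with-default-trust-store-file instead of the constructed files.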


Re: [gnutls-devel] gnutls 3.5.11

Filipp Gunbin
In reply to this post by Nikos Mavrogiannopoulos
On 08/04/2017 09:41 +0200, Nikos Mavrogiannopoulos wrote:

> On Fri, 2017-04-07 at 17:56 +0300, Filipp Gunbin wrote:
>> Hello,
>>
>> I seem to have trouble building with gcc-6.3.0 on macOS, can you help
>> please?
>
> It seems that certain system headers do not compile with gcc on macosx.
> You'll have to use clang at this point. Please follow up at:
> https://gitlab.com/gnutls/gnutls/merge_requests/342

Thanks!


Re: [gnutls-devel] gnutls 3.5.11

Andreas Radke-3
In reply to this post by Andreas Metzler-3
On Sat, 8 Apr 2017 14:39:56 +0200
Andreas Metzler <[hidden email]> wrote:

> On 2017-04-08 Andreas Radke <[hidden email]> wrote:
> > With this new release the test suite fails here:  
>
> > FAIL: trust-store
> > =================  
>
> > doit:64: no certificates were found in system trust store!
> > FAIL trust-store (exit status: 1)  
>
> > Any idea what has changed?  
>
> Hello,
>
> This happens if gnutls is built with e.g.
> --with-default-trust-store-file=/etc/ssl/certs/ca-certificates.crt
> and /etc/ssl/certs/ca-certificates.crt is empty/non-existing when
> running the testsuite.
>
> cu Andreas

lrwxrwxrwx 1 root root 49 Mar  7 22:05 /etc/ssl/certs/ca-certificates.crt -> ../../ca-certificates/extracted/tls-ca-bundle.pem
# ACCVRAIZ1
-----BEGIN CERTIFICATE-----
MIIH0zCCBbugAwIBAgIIXsO3pkN/pOAwDQYJKoZIhvcNAQEFBQAwQjESMBAGA1UE
AwwJQUNDVlJBSVoxMRAwDgYDVQQLDAdQS0lBQ0NWMQ0wCwYDVQQKDARBQ0NWMQsw
CQYDVQQGEwJFUzAeFw0xMTA1MDUwOTM3MzdaFw0zMDEyMzEwOTM3MzdaMEIxEjAQ


May this happen because we use a symlink? The file is not empty. We
build using
--with-default-trust-store-pkcs11="pkcs11:model=p11-kit-trust;manufacturer=PKCS%2311%20Kit"

The test was introduced with this commit:
https://gitlab.com/gnutls/gnutls/commit/8d740ae87fae9c1237421dd24825b78103c5da36

-Andy


Re: [gnutls-devel] gnutls 3.5.11

Andreas Metzler-3
On 2017-04-10 Andreas Radke <[hidden email]> wrote:
> On Sat, 8 Apr 2017 14:39:56 +0200 Andreas Metzler <[hidden email]> wrote:
>> On 2017-04-08 Andreas Radke <[hidden email]> wrote:
>>> With this new release the test suite fails here:  

>>> FAIL: trust-store
>>> =================  

>>> doit:64: no certificates were found in system trust store!
>>> FAIL trust-store (exit status: 1)  

>> This happens if gnutls is built with e.g.
>> --with-default-trust-store-file=/etc/ssl/certs/ca-certificates.crt
>> and /etc/ssl/certs/ca-certificates.crt is empty/non-existing when
>> running the testsuite.

> lrwxrwxrwx 1 root root 49 Mar  7 22:05 /etc/ssl/certs/ca-certificates.crt -> ../../ca-certificates/extracted/tls-ca-bundle.pem
> # ACCVRAIZ1
> -----BEGIN CERTIFICATE-----
> MIIH0zCCBbugAwIBAgIIXsO3pkN/pOAwDQYJKoZIhvcNAQEFBQAwQjESMBAGA1UE
> AwwJQUNDVlJBSVoxMRAwDgYDVQQLDAdQS0lBQ0NWMQ0wCwYDVQQKDARBQ0NWMQsw
> CQYDVQQGEwJFUzAeFw0xMTA1MDUwOTM3MzdaFw0zMDEyMzEwOTM3MzdaMEIxEjAQ


> May this happen because we use a symlink? The file is not empty. We
> build using
> --with-default-trust-store-pkcs11="pkcs11:model=p11-kit-trust;manufacturer=PKCS%2311%20Kit"

You are using a different trust-store, that is why I wrote "e.g.". If
--with-default-trust-store-file=/some/file is used, then /some/file
needs to contain some certs for the test to succeed. In your case
"pkcs11:model=p11-kit-trust;manufacturer=PKCS%2311%20Kit" would have to
work. Is it possible that you're missing some glue-package?

cu Andreas

--
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'


Re: [gnutls-devel] gnutls 3.5.11

Nikos Mavrogiannopoulos-2
In reply to this post by Andreas Radke-3
There was an issue with pkcs11 trust stores and this test. Check the repo for the fix.

On April 10, 2017 9:36:59 PM GMT+03:00, Andreas Radke <[hidden email]> wrote:
> On Sat, 8 Apr 2017 14:39:56 +0200
> Andreas Metzler <[hidden email]> wrote:
>
> > On 2017-04-08 Andreas Radke <[hidden email]> wrote:
> > > With this new release the test suite fails here:
> >
> > > FAIL: trust-store
> > > =================
> >
> > > doit:64: no certificates were found in system trust store!
> > > FAIL trust-store (exit status: 1)
> >
> > > Any idea what has changed?
> >
> > Hello,
> >
> > This happens if gnutls is built with e.g.
> > --with-default-trust-store-file=/etc/ssl/certs/ca-certificates.crt
> > and /etc/ssl/certs/ca-certificates.crt is empty/non-existing when
> > running the testsuite.
> >
> > cu Andreas
>
> lrwxrwxrwx 1 root root 49 Mar 7 22:05 /etc/ssl/certs/ca-certificates.crt -> ../../ca-certificates/extracted/tls-ca-bundle.pem
> # ACCVRAIZ1
> -----BEGIN CERTIFICATE-----
> MIIH0zCCBbugAwIBAgIIXsO3pkN/pOAwDQYJKoZIhvcNAQEFBQAwQjESMBAGA1UE
> AwwJQUNDVlJBSVoxMRAwDgYDVQQLDAdQS0lBQ0NWMQ0wCwYDVQQKDARBQ0NWMQsw
> CQYDVQQGEwJFUzAeFw0xMTA1MDUwOTM3MzdaFw0zMDEyMzEwOTM3MzdaMEIxEjAQ
>
> May this happen because we use a symlink? The file is not empty. We
> build using
> --with-default-trust-store-pkcs11="pkcs11:model=p11-kit-trust;manufacturer=PKCS%2311%20Kit"
>
> The test was introduced with this commit:
> https://gitlab.com/gnutls/gnutls/commit/8d740ae87fae9c1237421dd24825b78103c5da36
>
> -Andy

--
Sent from my Android device with K-9 Mail. Please excuse my brevity.