http://permalink.gmane.org/gmane.comp.encryption.gpg.gnutls.devel hourly 1 1901-01-01T00:00+00:00 http://gmane.org/img/gmane-25t.png http://gmane.org http://permalink.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3042 Hi, In response to http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=492775 I went though and added all the missing options from gnutls-cli's manpage, removing --xml along the way. Please find attached the resulting diff. Thanks, James _______________________________________________ Gnutls-devel mailing list Gnutls-devel< at >gnu.org http://lists.gnu.org/mailman/listinfo/gnutls-devel James Westby 2008-08-29T16:25:48 http://permalink.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3041 _______________________________________________ Gnutls-devel mailing list Gnutls-devel< at >gnu.org http://lists.gnu.org/mailman/listinfo/gnutls-devel Simon Josefsson 2008-08-29T11:45:53 http://permalink.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3040 _______________________________________________ Gnutls-devel mailing list Gnutls-devel< at >gnu.org http://lists.gnu.org/mailman/listinfo/gnutls-devel Simon Josefsson 2008-08-29T11:21:38 http://permalink.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3039 I looked into this more, and you should be able to compile with EXTRA_PKI set to 0 if you want to reduce code size. Setting EXTRA_PKI to 0 disables features such as: * CRL * PKCS#7 * PKCS#12 * X.509 certificate generation including signing * Certificate requests However the code necessary to verify X.509 signature remains, so you shouldn't be vulnerable to many more problem compared to before. Except that CRLs won't be verified, of course, but practically nobody uses CRLs anyway so.... your choice. Note that the command line tools and many self-tests won't build because they need this extra functions. The libraries should build fine, at least it does here. /Simon Simon Josefsson 2008-08-29T09:39:53 http://permalink.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3038 I believe I have fixed it with this patch: http://git.savannah.gnu.org/gitweb/?p=gnutls.git;a=commitdiff;h=b855779d46c07ae5a03280536e24f8405c374dcf I'll release 2.5.5 later today, please test it. /Simon Simon Josefsson 2008-08-29T08:01:31 http://permalink.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3037 Hopefully I will have a time to write such patch some time in the next month. Tomas Mraz 2008-08-29T08:21:53 http://permalink.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3036 Sorry, I didn't mean to belittle your contribution -- I wasn't talking about the code per se but the idea of having a OpenSSL compatibility library in GnuTLS generally. However, since people use it, I think we can keep the code and apply any patches sent to us, but at least right now I don't see anyone doing much work beyond that. /Simon Simon Josefsson 2008-08-29T08:04:51 http://permalink.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3035 Nikos, opencdk calls this function -- it seems it should use the new crypto layer instead. However, I can't find any way to get the block length of a cipher in the new framework. Should this be added? /Simon Simon Josefsson 2008-08-28T11:24:13 http://permalink.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3034 _______________________________________________ Gnutls-devel mailing list Gnutls-devel< at >gnu.org http://lists.gnu.org/mailman/listinfo/gnutls-devel Andrew McDonald 2008-08-28T21:11:19 http://permalink.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3033 Christian, we now have removed this code in GnuTLS too. If you find other code which looks strange when you review it, please let us know! Finding things like this is time consuming and often happens just by chance when someone reads the code like you've done. /Simon Simon Josefsson 2008-08-28T08:03:55 http://permalink.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3032 Here is the patch I installed. http://git.savannah.gnu.org/gitweb/?p=gnutls.git;a=commitdiff;h=cf07213ed160ce93d14a5801ace847b12b281ee5 /Simon Simon Josefsson 2008-08-28T08:01:37 http://permalink.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3031 done. Now the _gnutls_cipher_get_block_size() is used. Nikos Mavrogiannopoulos 2008-08-28T20:29:16 http://permalink.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3030 Linux Fedora 6 gnutls-2.5.4 ./configure --with-gnu-ld --prefix=/usr --with-included-libtasn1 Making all in opencdk make[3]: Entering directory `/usr/src/other/gnutls-2.5.4/lib/opencdk' /bin/sh ../../libtool --tag=CC --mode=compile gcc -std=gnu99 -DHAVE_CONFIG_H -I. -I../.. -I../../lib -I../../includes -I../../includes -I../../lgl -I../../lgl -pipe -I/usr/local/include -g -O2 -Wno-pointer-sign -MT armor.lo -MD -MP -MF .deps/armor.Tpo -c -o armor.lo armor.c gcc -std=gnu99 -DHAVE_CONFIG_H -I. -I../.. -I../../lib -I../../includes -I../../includes -I../../lgl -I../../lgl -pipe -I/usr/local/include -g -O2 -Wno-pointer-sign -MT armor.lo -MD -MP -MF .deps/armor.Tpo -c armor.c -fPIC -DPIC -o .libs/armor.o In file included from ../../lib/gnutls_int.h:112, from opencdk.h:30, from armor.c:37: ../../lib/gnutls_mpi.h:29:23: error: libtasn1.h: No such file or directory In file included from ../../lib/gnutls_cert.h:30, from ../../lib/gnutls_int.h:238, jth.net ApS 2008-08-28T00:03:48 http://permalink.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3029 I agree that libgnutls-openssl is ugly... however, I think there are some licensing corner cases where libgnutls-openssl actually is useful to some people. I think if people send patches we can apply them, but I don't see any reason to do anything beyond that. /Simon Simon Josefsson 2008-08-27T21:36:11 http://permalink.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3028 On Wed, Aug 27, 2008 at 6:58 PM, Nikos Mavrogiannopoulos <n.mavrogiannopoulos< at >gmail.com> wrote: I'm not so much against any such patch. I'm mostly against maintaining this gnutls-openssl library. I think we should drop it. regards, Nikos Nikos Mavrogiannopoulos 2008-08-27T15:59:56 http://permalink.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3027 I think this is too much fuss. The gnutls-openssl layer is quick and dirty fix. I wouldn't recommend to any applications to use it. Either use openssl or gnutls directly. If you have this issue why not recompile the application with openssl instead? Nikos Mavrogiannopoulos 2008-08-27T15:58:04 http://permalink.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3026 ok then! I thought you were talking about the whole pkcs7 parsing functionality. regards, Nikos Nikos Mavrogiannopoulos 2008-08-27T15:54:12 http://permalink.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3025 Hi Tomas! That is sort of the idea... However, I understand the problems it can cause as you describe. I like it. gnutls/openssl.h should thus contain a set of #define's such as: #define MD5_Init gnutls_openssl_MD5_Init Fortunately we have never guaranteed binary level compatibility with OpenSSL, so this change does not require any API changes in applications that uses libgnutls-openssl, just a recompile. It will indeed require a SONAME bump, and currently both libgnutls and libgnutls-openssl share the same SONAME version. We have discussed before if and how these versions can be separated. I suspect we have to make a decision now. Please send a patch for further discussions. Thanks, /Simon Simon Josefsson 2008-08-27T15:34:57 http://permalink.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3024 Hello, some symbols in libgnutls-openssl are not renamed from their originals in OpenSSL. Unfortunately this causes conflicts when the application indirectly links to some library which then links to openssl. The situation can happen for example in case the system is configured to use ldap in the nsswitch.conf. The nss_ldap links to openldap libraries which is itself linked to the real OpenSSL libraries. Some symbols are then resolved from real OpenSSL and some from libgnutls-openssl which causes crashes because they are of course ABI incompatible. See: https://bugzilla.redhat.com/show_bug.cgi?id=446860 and https://bugzilla.redhat.com/show_bug.cgi?id=460310 The proposal is to use #defines in the public headers of gnutls/openssl.h to rename the symbols so they do not clash with real OpenSSL. It would of course require SONAME bump of libgnutls-openssl and rebuild of the dependent applications. What do you think about this proposal? Tomas Mraz 2008-08-27T15:15:15 http://permalink.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3023 Ah, no. What I suggest is to remove the code to read PKCS#7 certificate chains in the gnutls_certificate_set_x509_key* functions. The current code hasn't worked since v0.9.0 and apparently nobody has missed it, see tests/set_pkcs7_cred.c for example code. Storing certificate chains in PKCS#7 blobs is not what that standard is intended for. Getting rid of the code may speed up loading certificate slightly, and will definitely improve code readability. The PKCS#7 functions used by certtool --p7-info are fine. What do you think? /Simon Simon Josefsson 2008-08-27T14:46:25 http://permalink.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3022 Isn't it the code being used by --p7-info? Nikos Mavrogiannopoulos 2008-08-27T14:22:29 Search the mailing list at Gmane query http://search.gmane.org/?group=$group=gmane.comp.encryption.gpg.gnutls.devel