http://blog.gmane.org/gmane.comp.encryption.gpg.gnutls.devel hourly 1 1901-01-01T00:00+00:00 http://gmane.org/img/gmane-25t.png http://gmane.org http://comments.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3043 _______________________________________________ Gnutls-devel mailing list Gnutls-devel< at >gnu.org http://lists.gnu.org/mailman/listinfo/gnutls-devel Sam Varshavchik 2008-08-31T22:42:53 http://comments.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3042 Hi, In response to http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=492775 I went though and added all the missing options from gnutls-cli's manpage, removing --xml along the way. Please find attached the resulting diff. Thanks, James _______________________________________________ Gnutls-devel mailing list Gnutls-devel< at >gnu.org http://lists.gnu.org/mailman/listinfo/gnutls-devel James Westby 2008-08-29T16:25:48 http://comments.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3041 _______________________________________________ Gnutls-devel mailing list Gnutls-devel< at >gnu.org http://lists.gnu.org/mailman/listinfo/gnutls-devel Simon Josefsson 2008-08-29T11:45:53 http://comments.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3040 _______________________________________________ Gnutls-devel mailing list Gnutls-devel< at >gnu.org http://lists.gnu.org/mailman/listinfo/gnutls-devel Simon Josefsson 2008-08-29T11:21:38 http://comments.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3035 Nikos, opencdk calls this function -- it seems it should use the new crypto layer instead. However, I can't find any way to get the block length of a cipher in the new framework. Should this be added? /Simon Simon Josefsson 2008-08-28T11:24:13 http://comments.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3030 Linux Fedora 6 gnutls-2.5.4 ./configure --with-gnu-ld --prefix=/usr --with-included-libtasn1 Making all in opencdk make[3]: Entering directory `/usr/src/other/gnutls-2.5.4/lib/opencdk' /bin/sh ../../libtool --tag=CC --mode=compile gcc -std=gnu99 -DHAVE_CONFIG_H -I. -I../.. -I../../lib -I../../includes -I../../includes -I../../lgl -I../../lgl -pipe -I/usr/local/include -g -O2 -Wno-pointer-sign -MT armor.lo -MD -MP -MF .deps/armor.Tpo -c -o armor.lo armor.c gcc -std=gnu99 -DHAVE_CONFIG_H -I. -I../.. -I../../lib -I../../includes -I../../includes -I../../lgl -I../../lgl -pipe -I/usr/local/include -g -O2 -Wno-pointer-sign -MT armor.lo -MD -MP -MF .deps/armor.Tpo -c armor.c -fPIC -DPIC -o .libs/armor.o In file included from ../../lib/gnutls_int.h:112, from opencdk.h:30, from armor.c:37: ../../lib/gnutls_mpi.h:29:23: error: libtasn1.h: No such file or directory In file included from ../../lib/gnutls_cert.h:30, from ../../lib/gnutls_int.h:238, from opencdk.h:30, from armor.c:37: This does not work: # include <libtasn1.h> This will work # include "../../lib/minitasn1/libtasn1.h" Same problem in lib/gnutls_cert.h jth.net ApS 2008-08-28T00:03:48 http://comments.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3024 Hello, some symbols in libgnutls-openssl are not renamed from their originals in OpenSSL. Unfortunately this causes conflicts when the application indirectly links to some library which then links to openssl. The situation can happen for example in case the system is configured to use ldap in the nsswitch.conf. The nss_ldap links to openldap libraries which is itself linked to the real OpenSSL libraries. Some symbols are then resolved from real OpenSSL and some from libgnutls-openssl which causes crashes because they are of course ABI incompatible. See: https://bugzilla.redhat.com/show_bug.cgi?id=446860 and https://bugzilla.redhat.com/show_bug.cgi?id=460310 The proposal is to use #defines in the public headers of gnutls/openssl.h to rename the symbols so they do not clash with real OpenSSL. It would of course require SONAME bump of libgnutls-openssl and rebuild of the dependent applications. What do you think about this proposal? Tomas Mraz 2008-08-27T15:15:15 http://comments.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3009 _______________________________________________ Gnutls-devel mailing list Gnutls-devel< at >gnu.org http://lists.gnu.org/mailman/listinfo/gnutls-devel Daniel Kahn Gillmor 2008-08-22T18:14:00 http://comments.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3001 Hello there, I have a quick question for you guys, I hope someone can give me a hand with this. The thing is that I do not know how to access the X509 cert and key from within a gnutls_certificate_server_credentials object. Allow me to summarize the problem. All this is happening in a server; I create one of the certificate_server_credentials structures for each virtual server and then, I read the key and cert for each of them by calling the gnutls_certificate_set_x509_key_file() function. Right after that, gnutls_certificate_server_set_retrieve_function() sets the SNI callback from which I can access the virtual server credentials that I'd like the TLS connection to use. However, there is where it gets kind of confusing to me. How am I supposed to set the cert.x509 and key.x509 values in the gnutls_retr_st structure? Is there a way to get those values by using the certificate server credential object? Thanks! -- Greetings, alo http://www.alobbs.com/ Alvaro Lopez Ortega 2008-08-21T21:17:56 http://comments.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/2995 _______________________________________________ Gnutls-devel mailing list Gnutls-devel< at >gnu.org http://lists.gnu.org/mailman/listinfo/gnutls-devel Simon Josefsson 2008-08-18T23:07:57 http://comments.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/2987 _______________________________________________ Gnutls-devel mailing list Gnutls-devel< at >gnu.org http://lists.gnu.org/mailman/listinfo/gnutls-devel Simon Josefsson 2008-08-14T08:37:44 http://comments.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/2985 _______________________________________________ Gnutls-devel mailing list Gnutls-devel< at >gnu.org http://lists.gnu.org/mailman/listinfo/gnutls-devel Daniel Kahn Gillmor 2008-08-14T02:15:37 http://comments.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/2980 Hello, [sorry to reposting on the same topic as in help-gnutls, but the content is slightly different] I am wanting to use the gnutls library to achieve TLS over a multi-stream SCTP connection, as detailed in RFC 3436. Unfortunately it seems that the current support in gnutls for providing custom transport functions is not sufficient to achieve this. For people who are not familiar with SCTP, I'll now give a short introduction on this protocol. SCTP is a reliable transport protocol (as TCP), message-oriented (as UDP), which provides the capability to create multiple streams inside one connection. The messages in one stream are ordered, but each stream is independent from the others. This allows (in some applications) to avoid head-of-the-line blocking problem that occurs in TCP when some data is lost during a transmission. SCTP also provides other interesting features such as support for multihoming. On an API point of view, one socket object is created, and the number of streams is negotiated between the endpoints. sendmsg() function is used to send a message on this socket, with some options available to specify the stream on which the message is sent. recvmsg() function receives a message from any stream, and the message contains the stream id on which it was received in its meta-data. RFC3436 specifies how TLS should be used to secure SCTP connections. In a row, independent pairs of streams (bi-directional) are used as independent TLS channels. For example, if an SCTP connection between two peers negotiates 4 outbound streams and 6 inbound streams, then 4 TLS handshakes will occur on streams 0 to 3, and the two remaining inbound streams are not protected by TLS. In its current state, the gnutls library misses the ability to have several gnutls_session_t associated to a single connection object. It is a problem on message reception, because we can determine the session to which a message belongs only *after* we receive it. This demultiplexing operation is not currently allowed in gnutls, AFAIU. I am considering to implement such support in the gnutls library, either as a new session object ("gnutls_session_multistream_t") or as an extension of the current session object (adding new fields to it). Basically, the differences are: -> ability to define a number of independent communication channels (bi-directional streams) in the object. -> storage for this same number of sessions states (the current gnutls_session_t) -> different prototype of the push and pull transport callbacks, that take an additional parameter (the stream id on which to send / on which the message was received) The functions such as gnutls_handshake would also need a new version, either as gnutls_handshake_multistream or merged in the same function, to provide the ability to negociate the TLS sessions on all streams. I have no knowledge of the gnutls code so far, so I'd like to hear comments from the experienced developpers on this topic, before I start. More specifically, would such feature be considered for inclusion in a future release when it is stable? Would you give me advices and hints for implementing this cleanly? Thank you in advance, Sebastien. Sebastien Decugis 2008-08-01T05:26:17 http://comments.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/2977 Ok, I've made some updates, firstly removing specific references to DNS since this is no longer specifically meant to be for DNS and other changes to remove references to using the user id field, and instead using user attributes to have the information in a format much more suitable for computers, this makes more sense to me than a blob of string doesn't need to be split up and parsed to extract the information. http://open-pgp.info/wiki/index.php?title=Standardisation_of_OpenPGP_Keys_for_Server_Purposes Is there anything I've missed or overlooked at all? Duane 2008-07-27T00:27:49 http://comments.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/2972 _______________________________________________ Gnutls-devel mailing list Gnutls-devel< at >gnu.org http://lists.gnu.org/mailman/listinfo/gnutls-devel Duane 2008-07-24T05:07:44 http://comments.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/2963 _______________________________________________ Gnutls-devel mailing list Gnutls-devel< at >gnu.org http://lists.gnu.org/mailman/listinfo/gnutls-devel Simon Josefsson 2008-07-08T15:44:08 http://comments.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/2960 Hello, I've found out this via valgrind: ==5806== 7,698 (504 direct, 7,194 indirect) bytes in 9 blocks are definitely lost in loss record 175 of 248 ==5806== at 0x4C220BC: calloc (vg_replace_malloc.c:397) ==5806== by 0xED2FE11: _asn1_add_node_only (structure.c:54) ==5806== by 0xED2FFF2: _asn1_copy_structure3 (structure.c:398) ==5806== by 0xED3038D: asn1_create_element (structure.c:690) ==5806== by 0x9733F7A: _gnutls_x509_decode_octet_string (common.c:832) ==5806== by 0x9734243: _gnutls_x509_read_value (common.c:912) ==5806== by 0x974756E: _decode_pkcs12_auth_safe (pkcs12.c:76) ==5806== by 0x9748A67: gnutls_pkcs12_get_bag (pkcs12.c:598) Attached is a patch which fixes it. HTH, Colin Leroy 2008-07-04T12:07:11 http://comments.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/2952 The GnuTLS 2.5.x branch is NOT what you want for your stable system. It is intended for developers and experienced users. This release should contain no changes other than the result of 'make indent' compared to v2.5.0. Here are the compressed sources: http://alpha.gnu.org/gnu/gnutls/gnutls-2.5.1.tar.bz2 ftp://alpha.gnu.org/gnu/gnutls/gnutls-2.5.1.tar.bz2 Improving GnuTLS is costly, but you can help! We are looking for organizations that find GnuTLS useful and wish to contribute back. You can contribute by reporting bugs, improve the software, or donate money or equipment. Commercial support contracts for GnuTLS are available, and they help finance continued maintenance. Simon Josefsson Datakonsult, a Stockholm based privately held company, is currently funding GnuTLS maintenance. We are always looking for interesting development projects. See http://josefsson.org/ for more details. /Simon * Version 2.5.1 (released 2008-07-02) ** Indent code. ** API and ABI modifications: No changes since last version. Simon Josefsson 2008-07-02T15:53:27 http://comments.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/2951 The GnuTLS 2.5.x branch is NOT what you want for your stable system. It is intended for developers and experienced users. This release contains a merge of Nikos' gnutls_with_mpi branch. It should now be possible to replace the libgcrypt calls to your own callbacks. A lot of low-level code has changed since 2.4.x, so expect this to be unstable. I intend to release 2.5.1 shortly after this release, to indent all code to conform to the GNU Coding Standards. Here are the compressed sources: http://alpha.gnu.org/gnu/gnutls/gnutls-2.5.0.tar.bz2 ftp://alpha.gnu.org/gnu/gnutls/gnutls-2.5.0.tar.bz2 Improving GnuTLS is costly, but you can help! We are looking for organizations that find GnuTLS useful and wish to contribute back. You can contribute by reporting bugs, improve the software, or donate money or equipment. Commercial support contracts for GnuTLS are available, and they help finance continued maintenance. Simon Josefsson Datakonsult, a Stockholm based privately held company, is currently funding GnuTLS maintenance. We are always looking for interesting development projects. See http://josefsson.org/ for more details. /Simon * Version 2.5.0 (released 2008-07-02) ** Port fixes from v2.4.1 release, see below. ** Added API to replace and update the crypto backend. The header gnutls/crypto.h is now officially supported, and declares the symbols below. ** Rewritten opencdk crypto backend, to use the gnutls internal one. ** Update gnulib and translations. The gnulib gc crypto code has been removed since it was never finished and is no longer even used. An internal non-libgcrypt crypto implementation may be added in the future, but we'll decide that later on. ** API and ABI modifications: gnutls_crypto_bigint_register2: ADDED. gnutls_crypto_cipher_register2: ADDED. gnutls_crypto_digest_register2: ADDED. gnutls_crypto_mac_register2: ADDED. gnutls_crypto_pk_register2: ADDED. gnutls_crypto_rnd_register2: ADDED. gnutls_crypto_single_cipher_register2: ADDED. gnutls_crypto_single_digest_register2: ADDED. gnutls_crypto_single_mac_register2: ADDED. Simon Josefsson 2008-07-02T15:52:08 http://comments.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/2949 Hi Ludovic, On the master trunk there has been some heavy internal changes recently, but no incompatible API changes as far as I understand, and now the guile self-tests fails: make[3]: Entering directory `/home/jas/src/gnutls/guile/tests' guile: uncaught throw to gnutls-error: (#<gnutls-error-enum The Diffie Hellman prime sent by the server is not acceptable (not long enough).> handshake) make[3]: *** [check-TESTS] Interrupt Actually I need to ctrl-c it to cancel it. Do you have any idea? How would I debug this, anyway? I am a bit at a loss when running into any guile problem. Thanks, /Simon Simon Josefsson 2008-06-30T22:23:56 http://comments.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/2948 Below is my analysis of the problem. The patch is short: From 0fee3917077e191dea3c9787c95c072979532086 Mon Sep 17 00:00:00 2001 From: Simon Josefsson <simon< at >josefsson.org> Date: Mon, 30 Jun 2008 22:44:47 +0200 Subject: [PATCH] (_gnutls_handshake_hash_buffers_clear): Make sure deinitialized MAC hashes are initialized. Report and tiny patch from Tomas Mraz <tmraz< at >redhat.com>. --- lib/gnutls_handshake.c | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) diff --git a/lib/gnutls_handshake.c b/lib/gnutls_handshake.c index d798180..0192c9f 100644 --- a/lib/gnutls_handshake.c +++ b/lib/gnutls_handshake.c < at >< at > -69,11 +69,12 < at >< at > int _gnutls_server_select_comp_method (gnutls_session_t session, /* Clears the handshake hash buffers and handles. */ -inline static void +static void _gnutls_handshake_hash_buffers_clear (gnutls_session_t session) { _gnutls_hash_deinit (&session->internals.handshake_mac_handle_md5, NULL); _gnutls_hash_deinit (&session->internals.handshake_mac_handle_sha, NULL); + session->internals.handshake_mac_handle_init = 0; _gnutls_handshake_buffer_clear (session); } Simon Josefsson 2008-06-30T21:42:18 Search the mailing list at Gmane query http://search.gmane.org/?group=$group=gmane.comp.encryption.gpg.gnutls.devel