From simon+gnutls-dev at josefsson.org Wed Jan 2 23:31:01 2002 From: simon+gnutls-dev at josefsson.org (Simon Josefsson) Date: Wed Jan 2 23:31:01 2002 Subject: [gnutls-dev] [patch] nits in 0.3.1 Message-ID: gnutls_check_version() in the header file changed, but the source code of the function and the autoconf macros wasn't updated. Reverting to the old definition of gnutls_check_version() make it work. Also, the autoconf macro didn't delete the temp file in all cases. Index: lib/gnutls.h.in.in =================================================================== RCS file: /cvs/gnutls/gnutls/lib/gnutls.h.in.in,v retrieving revision 2.4 diff -u -r2.4 gnutls.h.in.in --- lib/gnutls.h.in.in 2001/12/19 20:02:00 2.4 +++ lib/gnutls.h.in.in 2002/01/02 22:25:53 @@ -146,7 +146,7 @@ void gnutls_handshake_set_max_data_buffer_size( GNUTLS_STATE state, int max); /* returns libgnutls version */ -const char* gnutls_check_version(void); +const char* gnutls_check_version(const char *req_version); /* Functions for setting/clearing credentials */ int gnutls_clear_creds( GNUTLS_STATE state); Index: lib/libgnutls.m4 =================================================================== RCS file: /cvs/gnutls/gnutls/lib/libgnutls.m4,v retrieving revision 2.4 diff -u -r2.4 libgnutls.m4 --- lib/libgnutls.m4 2001/11/26 10:50:38 2.4 +++ lib/libgnutls.m4 2002/01/02 22:25:53 @@ -152,8 +152,8 @@ LIBGNUTLS_CFLAGS="" LIBGNUTLS_LIBS="" ifelse([$3], , :, [$3]) - rm -f conf.libngnutlstest fi + rm -f conf.libgnutlstest AC_SUBST(LIBGNUTLS_CFLAGS) AC_SUBST(LIBGNUTLS_LIBS) ]) From nmav at hellug.gr Thu Jan 3 12:03:02 2002 From: nmav at hellug.gr (Nikos Mavroyanopoulos) Date: Thu Jan 3 12:03:02 2002 Subject: [gnutls-dev] [patch] nits in 0.3.1 In-Reply-To: References: Message-ID: <20020103145818.345f6eb1.nmav@hellug.gr> On Wed, 02 Jan 2002 23:26:57 +0100 Simon Josefsson wrote: > gnutls_check_version() in the header file changed, but the source code > of the function and the autoconf macros wasn't updated. Reverting to > the old definition of gnutls_check_version() make it work. Also, the > autoconf macro didn't delete the temp file in all cases. Thank you. I've just applied it. > Index: lib/gnutls.h.in.in > =================================================================== > RCS file: /cvs/gnutls/gnutls/lib/gnutls.h.in.in,v > retrieving revision 2.4 > diff -u -r2.4 gnutls.h.in.in > --- lib/gnutls.h.in.in 2001/12/19 20:02:00 2.4 > +++ lib/gnutls.h.in.in 2002/01/02 22:25:53 > @@ -146,7 +146,7 @@ > void gnutls_handshake_set_max_data_buffer_size( GNUTLS_STATE state, int max); > > /* returns libgnutls version */ > -const char* gnutls_check_version(void); > +const char* gnutls_check_version(const char *req_version); > > /* Functions for setting/clearing credentials */ > int gnutls_clear_creds( GNUTLS_STATE state); > Index: lib/libgnutls.m4 > =================================================================== > RCS file: /cvs/gnutls/gnutls/lib/libgnutls.m4,v > retrieving revision 2.4 > diff -u -r2.4 libgnutls.m4 > --- lib/libgnutls.m4 2001/11/26 10:50:38 2.4 > +++ lib/libgnutls.m4 2002/01/02 22:25:53 > @@ -152,8 +152,8 @@ > LIBGNUTLS_CFLAGS="" > LIBGNUTLS_LIBS="" > ifelse([$3], , :, [$3]) > - rm -f conf.libngnutlstest > fi > + rm -f conf.libgnutlstest > AC_SUBST(LIBGNUTLS_CFLAGS) > AC_SUBST(LIBGNUTLS_LIBS) > ]) > > > _______________________________________________ > Gnutls-dev mailing list > Gnutls-dev at gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnutls-dev -- Nikos Mavroyanopoulos From nmav at hellug.gr Sat Jan 5 19:45:01 2002 From: nmav at hellug.gr (Nikos Mavroyanopoulos) Date: Sat Jan 5 19:45:01 2002 Subject: [gnutls-dev] gnutls 0.3.2 Message-ID: <20020105203942.2d6ce312.nmav@hellug.gr> I've just released gnutls 0.3.2. The news in this version are: - Corrected bug which did not allow a client to accept multiple CA names - Added gnutls_fingerprint() - Added gnutls_x509pki_extract_certificate_serial() - Added gnutls_b64_encode_fmt() and gnutls_b64_decode_fmt() - Corrected behaviour in version advertizing - Updated documentation - Prefixed all types in gnutls.h with 'GNUTLS_' to avoid namespace collisions -- Nikos Mavroyanopoulos From nmav at hellug.gr Tue Jan 8 16:30:01 2002 From: nmav at hellug.gr (Nikos Mavroyanopoulos) Date: Tue Jan 8 16:30:01 2002 Subject: [gnutls-dev] gnutls logo contest results Message-ID: <20020108171706.214144ba.nmav@hellug.gr> Now that the logo contest is over, I'd like to thank all the participants in the contest[0]. As as the result of the Logo contest, the gnutls project has now a logo[1]. The logo was selected by the Gnutls developers. The winning entry was submitted by Claus Schrammel, who receives a gnutls.org email address. [0] see http://www.gnu.org/software/gnutls/logo-contest/ [1] see http://www.gnu.org/software/gnutls/logo-contest/claus-gnutls1.png -- Nikos Mavroyanopoulos From Jean-Eric.Cuendet at linkvest.com Thu Jan 10 21:28:01 2002 From: Jean-Eric.Cuendet at linkvest.com (Jean-Eric Cuendet) Date: Thu Jan 10 21:28:01 2002 Subject: [gnutls-dev] GNU TLS usage Message-ID: Hi, I just discovered GNU TLS and have 2 questions: - Is GNU TLS already used in some programs? - Could GNU TLS be used in apache instead of SSL + certificate - If so, would a web server be trusted like if signed by verisign if I have its key signed and trusted in my key ring? Thanks. -jec From nmav at hellug.gr Fri Jan 11 22:02:02 2002 From: nmav at hellug.gr (Nikos Mavroyanopoulos) Date: Fri Jan 11 22:02:02 2002 Subject: [gnutls-dev] GNU TLS usage In-Reply-To: References: Message-ID: <20020111225447.5d138b57.nmav@hellug.gr> On Wed, 9 Jan 2002 16:07:22 +0100 "Jean-Eric Cuendet" wrote: > Hi, > I just discovered GNU TLS and have 2 questions: > - Is GNU TLS already used in some programs? As far as I know gnutls is used in wmbiff and mutt. > - Could GNU TLS be used in apache instead of SSL + certificate No due to license problems. GPL http servers can be used with gnutls. > - If so, would a web server be trusted like if signed by verisign if I > have its key signed and trusted in my key ring? I don't completely understand. However gnutls supports X.509 certificates, thus you shouldn't notice a different behaviour in the PKI. > Thanks. > -jec -- Nikos Mavroyanopoulos mailto:nmav at hellug.gr From guillaume at morinfr.org Thu Jan 17 10:52:02 2002 From: guillaume at morinfr.org (Guillaume Morin) Date: Thu Jan 17 10:52:02 2002 Subject: [gnutls-dev] [PATCH] fix for a bug in gnutls_recv_handshake() Message-ID: <20020117095005.GA389@morinfr.org> Hi, I made this patch for a problem I've been experiencing. The details are in the Debian BTS http://bugs.debian.org/123616. in STATE8, _gnutls_recv_handshake_header returns 0, but since malloc is not called for this value, dataptr is unitialized. Here is the fix (you'll note that I have forced its initialization what is not needed, but since it hid the bug, I think it is cleaner...) --- lib/gnutls_handshake.c.old Tue Jan 15 00:53:36 2002 +++ lib/gnutls_handshake.c Tue Jan 15 00:55:39 2002 @@ -865,7 +865,7 @@ { int ret; uint32 length32 = 0; - opaque *dataptr; + opaque *dataptr = NULL; HandshakeType recv_type; ret = _gnutls_recv_handshake_header(state, type, &recv_type); @@ -890,7 +890,7 @@ return GNUTLS_E_UNEXPECTED_PACKET_LENGTH; } - if (dataptr == NULL) { + if (dataptr == NULL && length32) { gnutls_assert(); return GNUTLS_E_MEMORY_ERROR; } HTH. -- Guillaume Morin Debian - What your mom would use if it were twenty times easier. http://www.copyleft.net/ From Marc.Huber at web.de Thu Jan 17 10:59:01 2002 From: Marc.Huber at web.de (Marc Huber) Date: Thu Jan 17 10:59:01 2002 Subject: [gnutls-dev] gnutls-0.3.2 bugs Message-ID: <20020116003500.A8397@kpnqwest.de> Trying to follow the instructions in src/README.srpcrypt I found that - _gnutls_sbase64_encode() doesn't NUL-terminate strings smaller than 4 byte, and probably does the wrong thing for longer strings (I haven't done any in-depth auditing on this, so I might be wrong.) - _gnutls_get_random() tries to gnutls_free() a gcry_malloc()ed pointer - crypt_int() tries to free() a gnutls_malloc()ed pointer - read_conf_values(): _gnutls_sbase64_decode() doesn't allocate memory on failure, so gnutls_free() shouldn't be called. Cheers, Marc diff -cr gnutls-0.3.2.original/lib/auth_srp_sb64.c gnutls-0.3.2/lib/auth_srp_sb64.c *** gnutls-0.3.2.original/lib/auth_srp_sb64.c Tue Jul 31 03:16:01 2001 --- gnutls-0.3.2/lib/auth_srp_sb64.c Tue Jan 15 23:15:25 2002 *************** *** 144,150 **** ret += (data_size * 4) / 3; ! (*result) = gnutls_malloc( ret + 1); if ((*result) == NULL) return -1; --- 144,150 ---- ret += (data_size * 4) / 3; ! (*result) = gnutls_calloc(1, ret + 1); if ((*result) == NULL) return -1; *************** *** 171,177 **** return tmp; } memcpy(&(*result)[j], tmpres, tmp); - (*result)[j+tmp] = 0; } return strlen(*result); --- 171,176 ---- diff -cr gnutls-0.3.2.original/lib/gnutls_random.c gnutls-0.3.2/lib/gnutls_random.c *** gnutls-0.3.2.original/lib/gnutls_random.c Sun Dec 23 14:18:39 2001 --- gnutls-0.3.2/lib/gnutls_random.c Tue Jan 15 23:03:33 2002 *************** *** 75,81 **** } memcpy( res, buf, bytes); ! gnutls_free(buf); return 0; #endif --- 75,81 ---- } memcpy( res, buf, bytes); ! gcry_free(buf); return 0; #endif diff -cr gnutls-0.3.2.original/src/crypt.c gnutls-0.3.2/src/crypt.c *** gnutls-0.3.2.original/src/crypt.c Sun Dec 23 14:19:00 2001 --- gnutls-0.3.2/src/crypt.c Wed Jan 16 00:17:17 2002 *************** *** 380,386 **** if (put==0) { fprintf(fd, "%s:%s:%u\n", username, cr, iindex); } ! free(cr); fclose(fd); fclose(fd2); --- 380,386 ---- if (put==0) { fprintf(fd, "%s:%s:%u\n", username, cr, iindex); } ! gnutls_free(cr); fclose(fd); fclose(fd2); *************** *** 422,428 **** tmp_size = _gnutls_sbase64_decode(p, len, &tmp); if (tmp_size < 0) { - gnutls_free(tmp); return -1; } if (gcry_mpi_scan(g, GCRYMPI_FMT_USG, tmp, &tmp_size)) { --- 422,427 ---- From guillaume at morinfr.org Thu Jan 17 10:59:02 2002 From: guillaume at morinfr.org (Guillaume Morin) Date: Thu Jan 17 10:59:02 2002 Subject: [gnutls-dev] [PATCH] fix for a bug in gnutls_recv_handshake() Message-ID: <20020116113409.GA657@morinfr.org> Hi, I made this patch for a problem I've been experiencing. The details are in the Debian BTS http://bugs.debian.org/123616. in STATE8, _gnutls_recv_handshake_header returns 0, but since malloc is not called for this value, dataptr is unitialized. Here is the fix (you'll note that I have forced its initialization what is not needed, but since it hid the bug, I think it is cleaner...) --- lib/gnutls_handshake.c.old Tue Jan 15 00:53:36 2002 +++ lib/gnutls_handshake.c Tue Jan 15 00:55:39 2002 @@ -865,7 +865,7 @@ { int ret; uint32 length32 = 0; - opaque *dataptr; + opaque *dataptr = NULL; HandshakeType recv_type; ret = _gnutls_recv_handshake_header(state, type, &recv_type); @@ -890,7 +890,7 @@ return GNUTLS_E_UNEXPECTED_PACKET_LENGTH; } - if (dataptr == NULL) { + if (dataptr == NULL && length32) { gnutls_assert(); return GNUTLS_E_MEMORY_ERROR; } HTH. PS: Please keep me CC'ed since I am not subscribed. -- Guillaume Morin Debian - What your mom would use if it were twenty times easier. http://www.copyleft.net/ From nmav at hellug.gr Thu Jan 17 14:02:01 2002 From: nmav at hellug.gr (Nikos Mavroyanopoulos) Date: Thu Jan 17 14:02:01 2002 Subject: [gnutls-dev] gnutls-0.3.2 bugs In-Reply-To: <20020116003500.A8397@kpnqwest.de> References: <20020116003500.A8397@kpnqwest.de> Message-ID: <20020117130656.16668e3e.nmav@hellug.gr> On Wed, 16 Jan 2002 00:35:00 +0100 Marc Huber wrote: > Trying to follow the instructions in src/README.srpcrypt I found that > - _gnutls_sbase64_encode() doesn't NUL-terminate strings smaller than > 4 byte, and probably does the wrong thing for longer strings (I > haven't done any in-depth auditing on this, so I might be wrong.) > - _gnutls_get_random() tries to gnutls_free() a gcry_malloc()ed pointer > - crypt_int() tries to free() a gnutls_malloc()ed pointer > - read_conf_values(): _gnutls_sbase64_decode() doesn't allocate memory > on failure, so gnutls_free() shouldn't be called. Thank you for the bug reports and the fixes. There is a long time since I've tested srpcrypt thus bugs may exist. I'll try to find time to clean it up. > Cheers, > Marc -- Nikos Mavroyanopoulos mailto:nmav at hellug.gr From nmav at hellug.gr Thu Jan 17 14:03:01 2002 From: nmav at hellug.gr (Nikos Mavroyanopoulos) Date: Thu Jan 17 14:03:01 2002 Subject: [gnutls-dev] [PATCH] fix for a bug in gnutls_recv_handshake() In-Reply-To: <20020116113409.GA657@morinfr.org> References: <20020116113409.GA657@morinfr.org> Message-ID: <20020117124211.3c409d9e.nmav@hellug.gr> On Wed, 16 Jan 2002 12:34:09 +0100 Guillaume Morin wrote: > Hi, > I made this patch for a problem I've been experiencing. > The details are in the Debian BTS http://bugs.debian.org/123616. > in STATE8, _gnutls_recv_handshake_header returns 0, but since malloc is > not called for this value, dataptr is unitialized. Here is the fix > (you'll note that I have forced its initialization what is not needed, > but since it hid the bug, I think it is cleaner...) Thank you for tracing this problem. I'll commit this patch to the cvs. However It seems strange that _gnutls_recv_handshake_header() returned 0. Does gnutls work in this system with this patch applied? > --- lib/gnutls_handshake.c.old Tue Jan 15 00:53:36 2002 > +++ lib/gnutls_handshake.c Tue Jan 15 00:55:39 2002 > @@ -865,7 +865,7 @@ > { > int ret; > uint32 length32 = 0; > - opaque *dataptr; > + opaque *dataptr = NULL; > HandshakeType recv_type; > > ret = _gnutls_recv_handshake_header(state, type, &recv_type); > @@ -890,7 +890,7 @@ > return GNUTLS_E_UNEXPECTED_PACKET_LENGTH; > } > > - if (dataptr == NULL) { > + if (dataptr == NULL && length32) { > gnutls_assert(); > return GNUTLS_E_MEMORY_ERROR; > } > > HTH. > > PS: Please keep me CC'ed since I am not subscribed. > > -- > Guillaume Morin > > Debian - What your mom would use if it were twenty times easier. > http://www.copyleft.net/ -- Nikos Mavroyanopoulos mailto:nmav at hellug.gr From guillaume at morinfr.org Thu Jan 17 14:13:01 2002 From: guillaume at morinfr.org (Guillaume Morin) Date: Thu Jan 17 14:13:01 2002 Subject: [gnutls-dev] [PATCH] fix for a bug in gnutls_recv_handshake() In-Reply-To: <20020117124211.3c409d9e.nmav@hellug.gr> References: <20020116113409.GA657@morinfr.org> <20020117124211.3c409d9e.nmav@hellug.gr> Message-ID: <20020117131108.GA1520@morinfr.org> Dans un message du 17 jan ? 12:42, Nikos Mavroyanopoulos ?crivait : > Thank you for tracing this problem. I'll commit this patch to the cvs. > However It seems strange that _gnutls_recv_handshake_header() returned 0. > Does gnutls work in this system with this patch applied? Yes, it works at least on three sytems with that patch. _gnutls_recv_handshake_header() always returns 0 in STATE8 (HELLO_DONE) iirc, when I use it with Debian mutt (patched to use gnutls) and imap-ssl (courier-ssl as server). It is 100% reproducible. Regards, -- Guillaume Morin Pastis servi, pastis bu (Patrice) From nmav at hellug.gr Sat Jan 19 12:44:01 2002 From: nmav at hellug.gr (Nikos Mavroyanopoulos) Date: Sat Jan 19 12:44:01 2002 Subject: [gnutls-dev] gnutls 0.3.3 Message-ID: <20020119134002.2e393f17.nmav@hellug.gr> I've just released gnutls 0.3.3. The news in this release are: - Added gnutls_x509pki_verify_certificate() - Added gnutls_x509pki_set_trust_mem() and gnutls_x509pki_set_key_mem() - Bug fixes in srpcrypt (based on patch by Marc Huber) - Bug fixes in the Handshake protocol (based on patch by Guillaume Morin) - Corrected library versioning -- Nikos Mavroyanopoulos mailto:nmav at hellug.gr From simon+gnutls-dev at josefsson.org Sat Jan 19 21:00:01 2002 From: simon+gnutls-dev at josefsson.org (Simon Josefsson) Date: Sat Jan 19 21:00:01 2002 Subject: [gnutls-dev] API comment Message-ID: From nmav at hellug.gr Sat Jan 19 23:28:01 2002 From: nmav at hellug.gr (Nikos Mavroyanopoulos) Date: Sat Jan 19 23:28:01 2002 Subject: [gnutls-dev] gnutls 0.3.4 Message-ID: <20020120002330.2ffe886b.nmav@hellug.gr> It seems that we've got a new version again. This version corrects some stuff in DHE RSA key exchange. This stuff was responsible for some strange handshake failures. -- Nikos Mavroyanopoulos mailto:nmav at hellug.gr From nmav at hellug.gr Sun Jan 20 08:54:02 2002 From: nmav at hellug.gr (Nikos Mavroyanopoulos) Date: Sun Jan 20 08:54:02 2002 Subject: [gnutls-dev] API comment In-Reply-To: References: Message-ID: <20020120095051.07e5451b.nmav@hellug.gr> On Sat, 19 Jan 2002 20:56:40 +0100 Simon Josefsson wrote: > From gnutls.h: > GNUTLS_BulkCipherAlgorithm gnutls_cipher_get_algo( GNUTLS_STATE > state); GNUTLS_KXAlgorithm gnutls_kx_get_algo( > GNUTLS_STATE state); GNUTLS_MACAlgorithm > gnutls_mac_get_algo( GNUTLS_STATE state); GNUTLS_CompressionMethod > gnutls_compression_get_algo( GNUTLS_STATE state); > IMHO abbrevations ("algo") are bad in the long run, but in this > case it might better to remove the "_algo" part alltogether (only > two of the four things are algorithms, the other are > 'methods'). It also makes it consistent with the names of Well it may not look nice, but algorithm applies to all of them. We have encryption algorithms (ciphers), mac algorithms, key exchange algorithms (the diffie hellman algorithm), and even compression algorithms (the deflate algorithm). Even if rfc2246 calls them methods, I do not believe this is a major problem. > (Maybe #define the old names to the new ones for a couple of major > releases.) Changing the api that way means that the next versions would not be binary compatible. I'll try to keep binary and source compatibility for versions which have the same minor number (ie 0.3.x should be binary compatible for every x). -- Nikos Mavroyanopoulos mailto:nmav at hellug.gr From nmav at gnu.org Fri Jan 25 11:25:01 2002 From: nmav at gnu.org (Nikos Mavroyanopoulos) Date: Fri Jan 25 11:25:01 2002 Subject: [gnutls-dev] openpgp for TLS Message-ID: <20020124235500.776ef47d.nmav@gnu.org> The latest news in the Openpgp support for gnutls is that I've just submited an internet draft that extends TLS to allow openpgp keys, which updates the old draft by NAI. Timo Schulz is already working in an OpenPGP library based on libgcrypt, and he is currently doing modifications for use in gnutls. This will speed up the development process since I'll only have to focus in the TLS part. So in gnutls 0.4.0 we'll have openpgp support. -- Nikos Mavroyanopoulos mailto:nmav at hellug.gr From nmav at hellug.gr Fri Jan 25 15:50:01 2002 From: nmav at hellug.gr (Nikos Mavroyanopoulos) Date: Fri Jan 25 15:50:01 2002 Subject: [gnutls-dev] gnutls 0.3.5 Message-ID: <20020125164232.68828f68.nmav@hellug.gr> I've just released gnutls 0.3.5. It seems that some debugging code has escaped and allowed some attacks against RSA private keys. You must update if you're using gnutls with a private keys. - Corrected the RSA key exchange method, to avoid attacks against PKCS-1 formating. -- Nikos Mavroyanopoulos mailto:nmav at hellug.gr From nmav at hellug.gr Fri Jan 25 23:41:01 2002 From: nmav at hellug.gr (Nikos Mavroyanopoulos) Date: Fri Jan 25 23:41:01 2002 Subject: [gnutls-dev] API comment In-Reply-To: References: Message-ID: <20020126003724.733f8af8.nmav@hellug.gr> On Sat, 19 Jan 2002 20:56:40 +0100 Simon Josefsson wrote: > From gnutls.h: > GNUTLS_BulkCipherAlgorithm gnutls_cipher_get_algo( GNUTLS_STATE > state); GNUTLS_KXAlgorithm gnutls_kx_get_algo( > GNUTLS_STATE state); GNUTLS_MACAlgorithm [...] > IMHO abbrevations ("algo") are bad in the long run, but in this > case it might better to remove the "_algo" part alltogether (only I reconsidered this and I'm not much in favour of the algo abbreviation. I'll drop the '_algo' part in 0.4.0. -- Nikos Mavroyanopoulos mailto:nmav at hellug.gr