From itp at ximian.com Tue Apr 1 00:25:01 2003 From: itp at ximian.com (Ian Peters) Date: Tue Apr 1 00:25:01 2003 Subject: [gnutls-dev] [PATCH] compile error in libextra Message-ID: <1049149484.1313.3.camel@filbert> gnutls 0.9.4 doesn't compile out of the box on RH8 with a function prototype mismatch in libextra/gnutls_openpgp.[ch]. Patch attached. Ian -------------- next part -------------- A non-text attachment was scrubbed... Name: gnutls-0.9.4-libextra-prototype-mismatch.patch Type: text/x-patch Size: 487 bytes Desc: not available URL: From itp at ximian.com Tue Apr 1 00:28:01 2003 From: itp at ximian.com (Ian Peters) Date: Tue Apr 1 00:28:01 2003 Subject: [gnutls-dev] [PATCH] another large RSA modulus problem Message-ID: <1049149658.1313.7.camel@filbert> The same Thawte certificate as last time (with a 2048 byte signature length) triggers a new problem in lib/x509/x509.c. Patch bumps length from 640 to 2400. Should this just be MAX_PARAMETER_SIZE instead? Also, any particular reason you're overestimating sizes like this? In most of these cases you can assume powers of two, so, why e.g. 640 instead of 512, etc? Ian -------------- next part -------------- A non-text attachment was scrubbed... Name: gnutls-0.9.4-2048-byte-signature.patch Type: text/x-patch Size: 422 bytes Desc: not available URL: From nmav at gnutls.org Tue Apr 1 01:06:02 2003 From: nmav at gnutls.org (Nikos Mavroyanopoulos) Date: Tue Apr 1 01:06:02 2003 Subject: [gnutls-dev] [PATCH] another large RSA modulus problem In-Reply-To: <1049149658.1313.7.camel@filbert> References: <1049149658.1313.7.camel@filbert> Message-ID: <20030331230643.GA13531@gnutls.org> On Mon, Mar 31, 2003 at 05:27:38PM -0500, Ian Peters wrote: > The same Thawte certificate as last time (with a 2048 byte signature > length) triggers a new problem in lib/x509/x509.c. Patch bumps length > from 640 to 2400. Should this just be MAX_PARAMETER_SIZE instead? > Also, any particular reason you're overestimating sizes like this? In > most of these cases you can assume powers of two, so, why e.g. 640 > instead of 512, etc? I do not remember why. In any case I've dropped the MAX_PARAMETERS_SIZE limitation, so there shouldn't be any problem now. > Ian -- Nikos Mavroyanopoulos From kyhwana at world-net.co.nz Tue Apr 1 10:53:01 2003 From: kyhwana at world-net.co.nz (Daniel Richards) Date: Tue Apr 1 10:53:01 2003 Subject: [gnutls-dev] GNU TLS https server Message-ID: <20030331225756.011e0b20.kyhwana@world-net.co.nz> Err hey, you guys know your https cetificate expired a month or so ago? -- Daniel Richards "It's not stupid, it's advanced." -Tallest - Invader Zim. From nmav at gnutls.org Tue Apr 1 10:51:01 2003 From: nmav at gnutls.org (Nikos Mavroyanopoulos) Date: Tue Apr 1 10:51:01 2003 Subject: [gnutls-dev] [PATCH] compile error in libextra In-Reply-To: <1049149484.1313.3.camel@filbert> References: <1049149484.1313.3.camel@filbert> Message-ID: <20030401085341.GA14619@gnutls.org> On Mon, Mar 31, 2003 at 05:24:45PM -0500, Ian Peters wrote: > gnutls 0.9.4 doesn't compile out of the box on RH8 with a function > prototype mismatch in libextra/gnutls_openpgp.[ch]. Patch attached. Thanks. Commited. > Ian -- Nikos Mavroyanopoulos From nmav at gnutls.org Tue Apr 1 21:46:01 2003 From: nmav at gnutls.org (Nikos Mavroyanopoulos) Date: Tue Apr 1 21:46:01 2003 Subject: [gnutls-dev] GNU TLS https server In-Reply-To: <20030331225756.011e0b20.kyhwana@world-net.co.nz> References: <20030331225756.011e0b20.kyhwana@world-net.co.nz> Message-ID: <20030401194911.GA5023@gnutls.org> On Mon, Mar 31, 2003 at 10:57:56PM +1200, Daniel Richards wrote: > Err hey, you guys know your https cetificate expired a month or so ago? Who cares? This is just a test server with a dummy certificate. > -- > Daniel Richards > "It's not stupid, it's advanced." > -Tallest - Invader Zim. -- Nikos Mavroyanopoulos From ivo at o2w.nl Thu Apr 3 13:19:01 2003 From: ivo at o2w.nl (Ivo Timmermans) Date: Thu Apr 3 13:19:01 2003 Subject: [gnutls-dev] [algernon@bonehunter.rulez.org: Bug#187434: libgnutls5: OpenPGP certificates deadlock] Message-ID: <20030403111941.GB7090@juarez> FYI. Ivo -- Norton SystemWorks 2002 includes a file erasure program called Wipe Info. In the manual (page 160), we learn that "Wipe Info uses hexadecimal values to wipe files. This provides more security than wiping with decimal values." - Bruce Schneier -------------- next part -------------- An embedded message was scrubbed... From: Gergely Nagy Subject: Bug#187434: libgnutls5: OpenPGP certificates deadlock Date: Thu, 03 Apr 2003 12:53:42 +0200 Size: 4393 URL: From nmav at gnutls.org Tue Apr 8 20:19:01 2003 From: nmav at gnutls.org (Nikos Mavroyanopoulos) Date: Tue Apr 8 20:19:01 2003 Subject: [gnutls-dev] gnutls 0.9.5 Message-ID: <20030406170243.GA5179@gnutls.org> Changes since 0.9.4: - Several improvments in the PKCS #7 handling - Eliminated several hard coded constants in MPI parameters. -- Nikos Mavroyanopoulos From ivo at o2w.nl Sun Apr 13 16:16:03 2003 From: ivo at o2w.nl (Ivo Timmermans) Date: Sun Apr 13 16:16:03 2003 Subject: [gnutls-dev] [algernon@sirc.hu: Bug#188838: libgnutls5: Server name indication does not appear to work] Message-ID: <20030413141615.GA7336@juarez> FYI, what do you think of the attached patch? Ivo -- "C combines the power of assembler with the portability of assembler." - Anonymous, alluding to Bill Thacker -------------- next part -------------- An embedded message was scrubbed... From: Gergely Nagy Subject: Bug#188838: libgnutls5: Server name indication does not appear to work Date: Sun, 13 Apr 2003 15:46:12 +0200 Size: 3852 URL: From nmav at gnutls.org Mon Apr 14 09:45:02 2003 From: nmav at gnutls.org (Nikos Mavroyanopoulos) Date: Mon Apr 14 09:45:02 2003 Subject: [gnutls-dev] [algernon@sirc.hu: Bug#188838: libgnutls5: Server name indication does not appear to work] In-Reply-To: <20030413141615.GA7336@juarez> References: <20030413141615.GA7336@juarez> Message-ID: <20030414074519.GA1725@gnutls.org> On Sun, Apr 13, 2003 at 04:16:16PM +0200, Ivo Timmermans wrote: > FYI, what do you think of the attached patch? A patch the corrects the problem is attached. It seems that the problem was indeed in the send part :) > Ivo -- Nikos Mavroyanopoulos -------------- next part -------------- Index: ext_server_name.c =================================================================== RCS file: /cvs/gnutls/gnutls/lib/ext_server_name.c,v retrieving revision 2.11 diff -u -u -r2.11 ext_server_name.c --- ext_server_name.c 25 Mar 2003 18:01:47 -0000 2.11 +++ ext_server_name.c 14 Apr 2003 07:38:42 -0000 @@ -46,7 +46,7 @@ if (session->security_parameters.entity == GNUTLS_SERVER) { DECR_LENGTH_RET(data_size, 2, 0); len = _gnutls_read_uint16(data); - + if ( len != data_size) { /* This is unexpected packet length, but * just ignore it, for now. @@ -121,7 +121,8 @@ ssize_t data_size = _data_size; int total_size = 0; - /* this function sends the client extension data (dnsname) */ + /* this function sends the client extension data (dnsname) + */ if (session->security_parameters.entity == GNUTLS_CLIENT) { /* uint16 */ @@ -130,9 +131,12 @@ i < session->security_parameters.extensions.server_names_size; i++) { - /* count the total size */ + /* count the total size + */ len = session->security_parameters.extensions.server_names[i].name_length; - /* uint8 + uint16 + size */ + + /* uint8 + uint16 + size + */ total_size += 1 + 2 + len; } @@ -141,7 +145,7 @@ /* UINT16: write total size of all names */ DECR_LENGTH_RET( data_size, 2, GNUTLS_E_SHORT_MEMORY_BUFFER); - _gnutls_write_uint16(total_size, p); + _gnutls_write_uint16(total_size-2, p); p += 2; for (i = 0; @@ -179,8 +183,7 @@ } } } - if (total_size == 0) - return 0; + return total_size; } From ivo at o2w.nl Mon Apr 14 19:40:02 2003 From: ivo at o2w.nl (Ivo Timmermans) Date: Mon Apr 14 19:40:02 2003 Subject: [gnutls-dev] Session resuming in gnutls-cli Message-ID: <20030414174005.GA26159@juarez> Hi, gnutls-cli -r -p 993 imap.o2w.nl: Resolving 'imap.o2w.nl'... Connecting to '213.133.41.126:993'... - Certificate type: X.509 - Certificate info: ... - Compression: NULL - Disconnecting - Connecting again- trying to resume previous session *** Handshake has failed GNUTLS ERROR: Error in the push function. An strace reveals: write(1, "- Connecting again- trying to re"..., 54- Connecting again- trying to resume previous session) = 54 socket(PF_INET, SOCK_STREAM, IPPROTO_IP) = 3 connect(3, {sa_family=AF_INET, sin_port=htons(993), sin_addr=inet_addr("213.133.41.126")}, 16) = 0 send(-1, "\26\3\1\0\203\1\0\0\177\3\1>\232\362\17}|w\21\253O\37;"..., 136, 0) = -1 EBADF (Bad file descriptor) write(2, "*** Handshake has failed\n", 25*** Handshake has failed) = 25 write(2, "GNUTLS ERROR: Error in the push "..., 42GNUTLS ERROR: Error in the push function. Apparently the sample client in doc/examples/ex-client-resume.c does work correctly. Ivo -- Bus error From algernon at boszorka.mad.hu Tue Apr 15 14:00:01 2003 From: algernon at boszorka.mad.hu (Gergely Nagy) Date: Tue Apr 15 14:00:01 2003 Subject: [gnutls-dev] Re: Session resuming in gnutls-cli In-Reply-To: <20030414174005.GA26159@juarez> References: <20030414174005.GA26159@juarez> Message-ID: <833ckkgad2.wl@iluvatar.ath.cx> This patch fixes the problem for me: --- gnutls5-orig/src/cli.c 2003-02-04 13:52:25.000000000 +0100 +++ gnutls5-work/src/cli.c 2003-04-14 21:06:41.000000000 +0200 @@ -278,6 +278,8 @@ err = connect(sd, (SA *) & sa, sizeof(sa)); ERR(err, "connect"); + + hd.fd = sd; } else { break; } The problem was - as I see - that even though a new connection was made, the FD wasn't set up properly. hd.fd is only touched outside of the for loop, but socket_bye() sets it to -1. So in the next iteration, it will still be -1. As is my wrong habit, the patch was made to fix the problem, without deeper understanding of the underlying mechanisms. It may or may not be a correct fix, but it appears to be one :) From nmav at gnutls.org Tue Apr 15 16:02:02 2003 From: nmav at gnutls.org (Nikos Mavroyanopoulos) Date: Tue Apr 15 16:02:02 2003 Subject: [gnutls-dev] Re: Session resuming in gnutls-cli In-Reply-To: <833ckkgad2.wl@iluvatar.ath.cx> References: <20030414174005.GA26159@juarez> <833ckkgad2.wl@iluvatar.ath.cx> Message-ID: <20030415140241.GA1562@gnutls.org> On Mon, Apr 14, 2003 at 09:14:17PM +0200, Gergely Nagy wrote: > This patch fixes the problem for me: And for me as well. I've just commited the patch. Thank you! > --- gnutls5-orig/src/cli.c 2003-02-04 13:52:25.000000000 +0100 > +++ gnutls5-work/src/cli.c 2003-04-14 21:06:41.000000000 +0200 > @@ -278,6 +278,8 @@ > > err = connect(sd, (SA *) & sa, sizeof(sa)); > ERR(err, "connect"); > + > + hd.fd = sd; > } else { > break; > } -- Nikos Mavroyanopoulos From algernon at bonehunter.rulez.org Sun Apr 20 12:54:02 2003 From: algernon at bonehunter.rulez.org (Gergely Nagy) Date: Sun Apr 20 12:54:02 2003 Subject: [gnutls-dev] _gnutls_x509_cert2gnutls_cert fails on FreeBSD Message-ID: <20030420105517.GA18494@gandalph.mad.hu> Hi! In an attempt to get the latest version of my software to run on FreeBSD, I think I stumbled upon a bug in GNUTLS. Whenever I try to add a trust file (gnutls_certificate_set_x509_trust_file), I get back an ASN1 parse error: "ASN1 parser: Element was not found.". However, the same program with the same CA, cert and key files works like a charm on GNU/Linux. So far, I traced it down to _gnutls_x509_cert2gnutls_cert(). I'm a bit reluctant to trace it further since my gdb on the FreeBSD box is broken, and inserting random printf()s and recompiling is a PITA, and I'm not even sure I'm on the right track - this function, according to the comment, parses DER format certs. However, my cert is PEM, as far as I know (however, it may happen that it gets converted to DER internally, I didn't check that yet). Oh, I'm using GNUTLS 0.8.6 from the ports collection. Browsing the NEWS file of CVS HEAD, I see: - Added an strnstr() function and the requirement in some functions to use null terminated PEM structures is no more. Might this be relevant? -- Gergely Nagy From algernon at bonehunter.rulez.org Sun Apr 20 13:42:01 2003 From: algernon at bonehunter.rulez.org (Gergely Nagy) Date: Sun Apr 20 13:42:01 2003 Subject: [gnutls-dev] _gnutls_x509_cert2gnutls_cert fails on FreeBSD In-Reply-To: <20030420105517.GA18494@gandalph.mad.hu> References: <20030420105517.GA18494@gandalph.mad.hu> Message-ID: <20030420114318.GB18494@gandalph.mad.hu> > Oh, I'm using GNUTLS 0.8.6 from the ports collection. Browsing the NEWS > file of CVS HEAD, I see: > > - Added an strnstr() function and the requirement in some functions to > use null terminated PEM structures is no more. > > Might this be relevant? (Answering myself:) Yes. Would it be possible to backport this to 0.8? Cheers, -- Gergely Nagy From nmav at gnutls.org Sun Apr 20 19:03:01 2003 From: nmav at gnutls.org (Nikos Mavroyanopoulos) Date: Sun Apr 20 19:03:01 2003 Subject: [gnutls-dev] _gnutls_x509_cert2gnutls_cert fails on FreeBSD In-Reply-To: <20030420114318.GB18494@gandalph.mad.hu> References: <20030420105517.GA18494@gandalph.mad.hu> <20030420114318.GB18494@gandalph.mad.hu> Message-ID: <20030420170502.GA2227@gnutls.org> On Sun, Apr 20, 2003 at 01:43:18PM +0200, Gergely Nagy wrote: > > Oh, I'm using GNUTLS 0.8.6 from the ports collection. Browsing the NEWS > > file of CVS HEAD, I see: > > - Added an strnstr() function and the requirement in some functions to > > use null terminated PEM structures is no more. > > Might this be relevant? > (Answering myself:) Yes. > Would it be possible to backport this to 0.8? I don't think that this is the case, since your error is a DER parsing error, and the above patch is not about it. Does the 0.9.x version of gnutls works for you? If not could you try compiling with enabling the DEBUG definition in gnutls_int.h? > > Cheers, > -- > Gergely Nagy -- Nikos Mavroyanopoulos From algernon at bonehunter.rulez.org Sun Apr 20 19:18:01 2003 From: algernon at bonehunter.rulez.org (Gergely Nagy) Date: Sun Apr 20 19:18:01 2003 Subject: [gnutls-dev] _gnutls_x509_cert2gnutls_cert fails on FreeBSD In-Reply-To: <20030420170502.GA2227@gnutls.org> References: <20030420105517.GA18494@gandalph.mad.hu> <20030420114318.GB18494@gandalph.mad.hu> <20030420170502.GA2227@gnutls.org> Message-ID: <20030420171908.GA26900@gandalph.mad.hu> > > > Oh, I'm using GNUTLS 0.8.6 from the ports collection. Browsing the NEWS > > > file of CVS HEAD, I see: > > > - Added an strnstr() function and the requirement in some functions to > > > use null terminated PEM structures is no more. > > > Might this be relevant? > > (Answering myself:) Yes. > > Would it be possible to backport this to 0.8? > > I don't think that this is the case, since your error is a DER parsing > error, and the above patch is not about it. Does the 0.9.x version of > gnutls works for you? Yes, it does. I tried 0.9.4. I don't really know why I got the impression that the above change helped... > If not could you try compiling with enabling the DEBUG definition in gnutls_int.h? Although 0.9.4 worked for me, if enabling this can be of help to backport a fix to 0.8, I'll try a compile with it. From algernon at bonehunter.rulez.org Wed Apr 23 11:45:02 2003 From: algernon at bonehunter.rulez.org (Gergely Nagy) Date: Wed Apr 23 11:45:02 2003 Subject: [gnutls-dev] [solved?] _gnutls_x509_cert2gnutls_cert fails on FreeBSD In-Reply-To: <20030420171908.GA26900@gandalph.mad.hu> Message-ID: <20030423094659.GA9044@gandalph.mad.hu> Interestingly enough, I grabbed the 0.8.6 sources from ftp.gnutls.org, compiled it like this: ./configure --prefix=/usr/local/gnutls8 $EDITOR lib/gnutls_int.h (#define DEBUG and X509_DEBUG) make && make install Then linked my app to it, and it worked *duh*: (gdb) run -p 443 -o ssl Starting program: /tmp/thy/thy-0.4.329/src/thy -p 443 -o ssl X509_EXT: CERT[iluvatar.ath.cx]: Unsupported Extension: 2 5 29 35, FALSE X509_EXT: CERT[iluvatar.ath.cx]: Unsupported Extension: 2 16 840 1 113730 1 13, FALSE X509_EXT: CERT[iluvatar.ath.cx]: Unsupported Extension: 2 5 29 35, FALSE I could even connect to it with the fresly compile gnutls-cli, and it worked like a charm. With the one from the FreeBSD ports, the client died with an ASN.1 parse alert, and the server reported a failed handshake. Compiling from FreeBSD ports still doesn't work, though they don't have any kind of relevant patch - just one to configure, which is harmless. If there is anything more I can try, please tell, I'd really like to track this down.. Cheers, -- Gergely Nagy From nmav at gnutls.org Wed Apr 23 12:32:01 2003 From: nmav at gnutls.org (Nikos Mavroyanopoulos) Date: Wed Apr 23 12:32:01 2003 Subject: [gnutls-dev] [solved?] _gnutls_x509_cert2gnutls_cert fails on FreeBSD In-Reply-To: <20030423094659.GA9044@gandalph.mad.hu> References: <20030420171908.GA26900@gandalph.mad.hu> <20030423094659.GA9044@gandalph.mad.hu> Message-ID: <20030423103355.GA2874@gnutls.org> On Wed, Apr 23, 2003 at 11:46:59AM +0200, Gergely Nagy wrote: > Then linked my app to it, and it worked *duh*: > (gdb) run -p 443 -o ssl > Starting program: /tmp/thy/thy-0.4.329/src/thy -p 443 -o ssl > X509_EXT: CERT[iluvatar.ath.cx]: Unsupported Extension: 2 5 29 35, FALSE > X509_EXT: CERT[iluvatar.ath.cx]: Unsupported Extension: 2 16 840 1 113730 1 13, FALSE > X509_EXT: CERT[iluvatar.ath.cx]: Unsupported Extension: 2 5 29 35, FALSE > I could even connect to it with the fresly compile gnutls-cli, and it > worked like a charm. With the one from the FreeBSD ports, the client > died with an ASN.1 parse alert, and the server reported a failed > handshake. > Compiling from FreeBSD ports still doesn't work, though they don't have > any kind of relevant patch - just one to configure, which is harmless. > If there is anything more I can try, please tell, I'd really like to > track this down.. Maybe they did use libtasn 0.2.x. The 0.8.x series of gnutls needs libtasn 0.1.2. > Cheers, > -- > Gergely Nagy -- Nikos Mavroyanopoulos From sean.gao at sun.com Tue Apr 29 13:08:55 2003 From: sean.gao at sun.com (Sean Gao) Date: Tue Apr 29 13:08:55 2003 Subject: [gnutls-dev] [Bugs] building 0.9.6 failed on Solaris 8 Message-ID: <3EAC9D1B.9000704@sun.com> Hi, there Recently I have tried to build 0.9.6 on Solaris 8 for times but unfortunately it is always failed. I have tried with both Forte 6.0 update2 (cc5.3) and gcc 3.2, and after correcting some syntax checking issues, the building process always ends with errors when it try to make gnutls-serv in the src subdirectory. I have attached the output of bothing building process with this e-mail. I would be very appreciated if you could provide me some help on this issue. Cheers -Sean -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: forte.err.out URL: -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: gcc.err.out URL: