From tim.kosse at filezilla-project.org Thu Nov 2 13:26:26 2006 From: tim.kosse at filezilla-project.org (Tim Kosse) Date: Thu, 02 Nov 2006 13:26:26 +0100 Subject: [gnutls-dev] Gnutls4Win: gnutls_global_init takes > 10 seconds Message-ID: <4549E3F2.4080401@filezilla-project.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On my system (Windows XP SP2), calling gnutls_global_init takes over 10 seconds. While analyzing this problem, I found out that it is caused by libgcrypt. It's random number generator is extremely slow under Windows. While searching for a solution, I found a patch from J. Salvatore Testa on the this page: http://www.securitypunk.com/libgcrypt/ The patch enables libgcrypt to use Windows' own Crypto API. Replacing the libgcrypt-11.dll from GnuTLS4Win with the one from that page solved the problem for me, making gnutls_global_init almost instant. Would it be possible to apply this patch to the next Gnutls4Win version? Without, Gnutls4Win is almost unusable for me. I'll also contact the libgcrypt developers to get this patch into libgcrypt. Regards, Tim Kosse -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFFSePy8N9+lcqiUkURArcWAKDS485DoBrW5tPTWNBQE3pZEFxHxACgsXl7 Im7dWXPouqo/RxWgIjhpNzw= =rz2b -----END PGP SIGNATURE----- From jas at extundo.com Fri Nov 3 11:36:07 2006 From: jas at extundo.com (Simon Josefsson) Date: Fri, 03 Nov 2006 11:36:07 +0100 Subject: [gnutls-dev] Re: Gnutls4Win: gnutls_global_init takes > 10 seconds In-Reply-To: <4549E3F2.4080401@filezilla-project.org> (Tim Kosse's message of "Thu\, 02 Nov 2006 13\:26\:26 +0100") References: <4549E3F2.4080401@filezilla-project.org> Message-ID: <87k62ckeaw.fsf@latte.josefsson.org> Tim Kosse writes: > On my system (Windows XP SP2), calling gnutls_global_init takes over 10 > seconds. > > While analyzing this problem, I found out that it is caused by > libgcrypt. It's random number generator is extremely slow under Windows. > > While searching for a solution, I found a patch from J. Salvatore Testa > on the this page: http://www.securitypunk.com/libgcrypt/ > > The patch enables libgcrypt to use Windows' own Crypto API. Replacing > the libgcrypt-11.dll from GnuTLS4Win with the one from that page solved > the problem for me, making gnutls_global_init almost instant. Hi! I have added a discussion of this, and the link, to . It is weird that it takes a long time only on some systems. I have one old Windows 2000 laptop and one Windows XP SP2 desktop, and it definitely doesn't take 10 seconds. Max 2 seconds is more likely. I'm curious, how fast is your machine? > Would it be possible to apply this patch to the next Gnutls4Win version? > Without, Gnutls4Win is almost unusable for me. > > I'll also contact the libgcrypt developers to get this patch into libgcrypt. I'm not sure the patch is secure, and I'd rather defer this decision to the libgcrypt maintainers. Until we know for certain that the patch won't be included in libgcrypt, I prefer to not include the patch in Gnutls4win, and instead wait for an improved libgcrypt. I recall that there were discussions on the quality of the patch on the libgcrypt list. I'm certainly willing to reconsider if there is more information, I understand a 10s delay is unacceptable... /Simon From tim.kosse at filezilla-project.org Fri Nov 3 13:53:53 2006 From: tim.kosse at filezilla-project.org (Tim Kosse) Date: Fri, 03 Nov 2006 13:53:53 +0100 Subject: [gnutls-dev] Re: Gnutls4Win: gnutls_global_init takes > 10 seconds In-Reply-To: <87k62ckeaw.fsf@latte.josefsson.org> References: <4549E3F2.4080401@filezilla-project.org> <87k62ckeaw.fsf@latte.josefsson.org> Message-ID: <454B3BE1.6030902@filezilla-project.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Simon Josefsson wrote: > It is weird that it takes a long time only on some systems. I have > one old Windows 2000 laptop and one Windows XP SP2 desktop, and it > definitely doesn't take 10 seconds. Max 2 seconds is more likely. > I'm curious, how fast is your machine? It's an IBM Thinkpad R52, 2GHz Pentium M, 1 GB RAM. Even executing a tiny test program doing nothing else than calling gnutls_global_init takes 5 seconds, almost exclusively spent in the prng routines of libgcrypt. With more complex programs it takes even longer, > 10 seconds if using GnuTLS in a program using wxWidgets. libgcrypt queries HKEY_PERFORMANCE_DATA, that alone takes 3-4 seconds. Furthermore, libgcrypt walks the local heap, which causes the rest of the delay. Around 1 second for a minimal program and increases if the program gets more complex. Only limited by the amount of memory which can be allocated on the heap I think. Tim -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFFSzvh8N9+lcqiUkURAr6pAKDbNXnllB5cuyvVWkgiJmmxUyUH+wCgqQFU Sxs6j76cYCqj3emZKm0rcYc= =fU0f -----END PGP SIGNATURE----- From wk at gnupg.org Fri Nov 3 16:38:14 2006 From: wk at gnupg.org (Werner Koch) Date: Fri, 03 Nov 2006 16:38:14 +0100 Subject: [gnutls-dev] Re: Gnutls4Win: gnutls_global_init takes > 10 seconds In-Reply-To: <454B3BE1.6030902@filezilla-project.org> (Tim Kosse's message of "Fri\, 03 Nov 2006 13\:53\:53 +0100") References: <4549E3F2.4080401@filezilla-project.org> <87k62ckeaw.fsf@latte.josefsson.org> <454B3BE1.6030902@filezilla-project.org> Message-ID: <877iyck0bd.fsf@wheatstone.g10code.de> On Fri, 3 Nov 2006 13:53, Tim Kosse said: > libgcrypt queries HKEY_PERFORMANCE_DATA, that alone takes 3-4 seconds. There is a bug in this code fixed in the SVN. You should also run a "diskperf -y" once on your machine. Simon: You might want to add this to the installer. The code we use in libgcrypt is the same as in GnuPG and we never get complaints about missing random performance on Windows. Using the MS API is not an option - you don't know what they are doing. Better be safe and try what we can do. Shalom-Salam, Werner From jas at extundo.com Fri Nov 3 22:33:15 2006 From: jas at extundo.com (Simon Josefsson) Date: Fri, 03 Nov 2006 22:33:15 +0100 Subject: [gnutls-dev] Re: Gnutls4Win: gnutls_global_init takes > 10 seconds In-Reply-To: <877iyck0bd.fsf@wheatstone.g10code.de> (Werner Koch's message of "Fri\, 03 Nov 2006 16\:38\:14 +0100") References: <4549E3F2.4080401@filezilla-project.org> <87k62ckeaw.fsf@latte.josefsson.org> <454B3BE1.6030902@filezilla-project.org> <877iyck0bd.fsf@wheatstone.g10code.de> Message-ID: <87y7qsi5b8.fsf@latte.josefsson.org> Werner Koch writes: > On Fri, 3 Nov 2006 13:53, Tim Kosse said: > >> libgcrypt queries HKEY_PERFORMANCE_DATA, that alone takes 3-4 seconds. > > There is a bug in this code fixed in the SVN. Which file and SVN version? Last time I tried libgcrypt 1.3.0/svn it didn't build for mingw at all, so I'm staying with 1.2.2 for now. /Simon From ametzler at downhill.at.eu.org Sat Nov 4 11:21:01 2006 From: ametzler at downhill.at.eu.org (Andreas Metzler) Date: Sat, 4 Nov 2006 11:21:01 +0100 Subject: [gnutls-dev] Re: Bug#396867: gnutls-bin: does not seem to properly handle rehandshake request In-Reply-To: <20061103123406.GA19867@nechayev.zugschlus.de> References: <20061103123406.GA19867@nechayev.zugschlus.de> Message-ID: <20061104102101.GB2914@downhill.g.la> Hello, this is http://bugs.debian.org/396867 submitted by Marc Haber. cu andreas On 2006-11-03 Marc Haber wrote: > Package: gnutls-bin > Version: 1.4.4-2 > Severity: normal > Hi, > I have one internal https server (running IIS on Windows Server 2003) > which seems to request a rehandshake after the http request was > transmitted. This seems to badly confuse gnutls-cli: > | $ gnutls-cli -p 443 a.b.c.d > | Resolving 'a.b.c.d'... > | Connecting to 'a.b.c.d:443'... > | - Certificate type: X.509 > | - Got a certificate list of 1 certificates. > | > | - Certificate[0] info: > | # The hostname in the certificate does NOT match 'a.b.c.d'. > | # valid since: Wed Jul 20 12:23:32 CEST 2005 > | # expires at: Wed Sep 9 12:34:44 CEST 2009 > | # fingerprint: 6B:22:44:F3:22:CC:BA:36:64:70:0F:C0:D5:CD:87:9E > | # Subject's DN: C=DE,ST=BW,L=City,O=Site,OU=Site,CN=some.invalid.host.name.example > | # Issuer's DN: CN=unqualifiedname > | > | > | - Peer's certificate issuer is unknown > | - Peer's certificate is NOT trusted > | - Version: TLS 1.0 > | - Key Exchange: RSA > | - Cipher: ARCFOUR 128 > | - MAC: MD5 > | - Compression: NULL > | - Handshake was completed > | > | - Simple Client Mode: > | > | GET / HTTP/1.0 > | > | *** Non fatal error: Rehandshake was requested by the peer. > After this, nothing happens any more. Ctrl-C out. > Trying the same with openssl s_client -connect a.b.c.d:443 works fine. > With other servers (for example running apache on Linux), gnutls-cli > works fine as well. > Greetings > Marc > -- System Information: > Debian Release: 4.0 > APT prefers unstable > APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable') > Architecture: i386 (i686) > Shell: /bin/sh linked to /bin/bash > Kernel: Linux 2.6.18.1-scyw00225 > Locale: LANG=C, LC_CTYPE=de_DE (charmap=ISO-8859-1) > Versions of packages gnutls-bin depends on: > ii libc6 2.3.6.ds1-7 > ii libgcrypt11 1.2.3-2 > ii libgnutls13 1.4.4-2 > ii libgpg-error0 1.4-1 > ii libopencdk8 0.5.9-2 > ii libtasn1-3 0.3.6-2 > ii zlib1g 1:1.2.3-13 -- The 'Galactic Cleaning' policy undertaken by Emperor Zhark is a personal vision of the emperor's, and its inclusion in this work does not constitute tacit approval by the author or the publisher for any such projects, howsoever undertaken. (c) Jasper Ffforde From tim.kosse at filezilla-project.org Sat Nov 4 16:30:44 2006 From: tim.kosse at filezilla-project.org (Tim Kosse) Date: Sat, 04 Nov 2006 16:30:44 +0100 Subject: [gnutls-dev] Gnutls4win: Problem with custom push/pull functions, errno and Visual Studio (Workaround included) Message-ID: <454CB224.5070607@filezilla-project.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 I encountered some problems while trying to use custom push/pull functions in a program compiled with Visual Studio. Just setting errno to EAGAIN and returning -1 caused gnutls to fail with GNUTLS_E_PUSH_ERROR. I found out that libgnutls-13.dll is linked against msvcrt.dll, whereas visual studio programs use a different runtime library (msvcr71.dll for example). These libraries bring along their own version of errno. So the errno inside the program is different from the one used in GnuTLS. A workaround is to load the correct errno from msvcrt.dll: HMODULE crtdll = LoadLibrary(_T("msvcrt.dll")); typedef int* (*t_errno)(void); t_errno pErrno = (t_errno)GetProcAddress(crtdll, "_errno"); *pErrno() = EAGAIN; FreeLibrary(crtdll); Would it be possible to add a function like for example void gnutls_transport_set_errno(int), which does nothing else than setting errno to the provided value? Regards, Tim Kosse -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFFTLIk8N9+lcqiUkURAkWdAKDUwpSeZ+z/paTen8N0zq0sCohd8gCfZjcP coCbXLJEiJL7urayR22GY8E= =qL5q -----END PGP SIGNATURE----- From jas at extundo.com Sun Nov 5 09:55:11 2006 From: jas at extundo.com (Simon Josefsson) Date: Sun, 05 Nov 2006 09:55:11 +0100 Subject: [gnutls-dev] Re: Gnutls4win: Problem with custom push/pull functions, errno and Visual Studio (Workaround included) In-Reply-To: <454CB224.5070607@filezilla-project.org> (Tim Kosse's message of "Sat\, 04 Nov 2006 16\:30\:44 +0100") References: <454CB224.5070607@filezilla-project.org> Message-ID: <87lkmqi87k.fsf@latte.josefsson.org> Tim Kosse writes: > I encountered some problems while trying to use custom push/pull > functions in a program compiled with Visual Studio. > > Just setting errno to EAGAIN and returning -1 caused gnutls to fail with > GNUTLS_E_PUSH_ERROR. > > I found out that libgnutls-13.dll is linked against msvcrt.dll, whereas > visual studio programs use a different runtime library (msvcr71.dll for > example). These libraries bring along their own version of errno. > > So the errno inside the program is different from the one used in GnuTLS. Ouch. So it seems our POSIX dependencies actually are send + recv + errno, and it is only possible to replace send/recv with new push/pull functions. We should definitely fix this. Grep'ing the code reveals that fortunately the only use is in gnutls_buffers.c, after calling send or recv. > A workaround is to load the correct errno from msvcrt.dll: > > HMODULE crtdll = LoadLibrary(_T("msvcrt.dll")); > typedef int* (*t_errno)(void); > t_errno pErrno = (t_errno)GetProcAddress(crtdll, "_errno"); > *pErrno() = EAGAIN; > FreeLibrary(crtdll); Nice. > Would it be possible to add a function like for example void > gnutls_transport_set_errno(int), which does nothing else than setting > errno to the provided value? I'm considering installing the patch below. What do you think? It makes gnutls_transport_set_errno set a session-specific errno variable, in case there are multiple threads setting and reading from the global errno variable. I know some Unix libraries make errno a thread-local variable, so that gnutls_transport_set_global_errno is actually a safe function, but it seems unsafe to assume this holds for all systems. In particular, I wonder whether 'errno' is a thread-local variable under Windows. Thanks, Simon --- gnutls_int.h 13 Aug 2006 17:08:15 +0200 2.369 +++ gnutls_int.h 05 Nov 2006 09:41:09 +0100 @@ -598,6 +598,13 @@ */ gnutls_datum_t recv_buffer; + /* To avoid using global variables, and especially on Windows where + * the application may use a different errno variable than GnuTLS, + * it is possible to use gnutls_transport_set_errno to set a + * session-specific errno variable in the user-replaceable push/pull + * functions. This value is used by the send/recv functions. */ + int errno; + /* If you add anything here, check _gnutls_handshake_internal_state_clear(). */ } internals_st; --- gnutls_buffers.c 13 Aug 2006 17:05:52 +0200 2.128 +++ gnutls_buffers.c 05 Nov 2006 09:48:35 +0100 @@ -77,6 +77,54 @@ # include #endif +/** + * gnutls_transport_set_errno: + * @session: is a #gnutls_session_t structure. + * @err: error value to store in session-specific errno variable. + * + * Store @err in the session-specific errno variable. + * + * This function is useful in replacement push/pull functions set by + * gnutls_transport_set_push_function and + * gnutls_transport_set_pullpush_function under Windows, where the + * replacement push/pull may not have access to the same @errno + * variable that is used by GnuTLS (e.g., the application is linked to + * msvcr71.dll and gnutls is linked to msvcrt.dll). + * + * If you don't have the @session variable easily accessible from the + * push/pull function, and don't worry about thread conflicts, you can + * also use gnutls_transport_set_global_errno(). + **/ +void +gnutls_transport_set_errno (gnutls_session_t session, int err) +{ + session->errno = err; +} + +/** + * gnutls_transport_set_global_errno: + * @err: error value to store in global errno variable. + * + * Store @err in the global errno variable. + * + * This function is useful in replacement push/pull functions set by + * gnutls_transport_set_push_function and + * gnutls_transport_set_pullpush_function under Windows, where the + * replacement push/pull may not have access to the same @errno + * variable that is used by GnuTLS (e.g., the application is linked to + * msvcr71.dll and gnutls is linked to msvcrt.dll). + * + * Whether this function is thread safe or not depends on whether the + * global variable errno is thread safe, some system libraries make it + * a thread-local variable. When feasible, using the guaranteed + * thread-safe gnutls_transport_set_errno() may be better. + **/ +void +gnutls_transport_set_global_errno (int err) +{ + errno = err; +} + /* Buffers received packets of type APPLICATION DATA and * HANDSHAKE DATA. */ @@ -264,6 +312,8 @@ while (left > 0) { + session->errno = 0; + if (session->internals._gnutls_pull_func == NULL) i = recv (GNUTLS_POINTER_TO_INT(fd), &ptr[sizeOfPtr - left], left, flags); @@ -274,10 +324,12 @@ if (i < 0) { - _gnutls_read_log ("READ: %d returned from %d, errno=%d\n", i, - fd, errno); + int err = session->errno ? session->errno : errno; + + _gnutls_read_log ("READ: %d returned from %d, errno=%d gerrno=%d\n", + i, fd, errno, session->errno); - if (errno == EAGAIN || errno == EINTR) + if (err == EAGAIN || err == EINTR) { if (sizeOfPtr - left > 0) { @@ -289,7 +341,7 @@ } gnutls_assert (); - return RET (errno); + return RET (err); } else { @@ -701,6 +753,8 @@ while (left > 0) { + session->errno = 0; + if (session->internals._gnutls_push_func == NULL) i = send (GNUTLS_POINTER_TO_INT(fd), &ptr[n - left], left, 0); else @@ -708,7 +762,9 @@ if (i == -1) { - if (errno == EAGAIN || errno == EINTR) + int err = session->errno ? session->errno : errno; + + if (err == EAGAIN || err == EINTR) { session->internals.record_send_buffer_prev_size += n - left; @@ -726,7 +782,7 @@ ("WRITE: Interrupted. Stored %d bytes to buffer. Already sent %d bytes.\n", left, n - left); - retval = RET (errno); + retval = RET (err); return retval; } From jas at extundo.com Sun Nov 5 10:00:12 2006 From: jas at extundo.com (Simon Josefsson) Date: Sun, 05 Nov 2006 10:00:12 +0100 Subject: [gnutls-dev] Re: Bug#396867: gnutls-bin: does not seem to properly handle rehandshake request In-Reply-To: <20061104102101.GB2914@downhill.g.la> (Andreas Metzler's message of "Sat\, 4 Nov 2006 11\:21\:01 +0100") References: <20061103123406.GA19867@nechayev.zugschlus.de> <20061104102101.GB2914@downhill.g.la> Message-ID: <87hcxei7z7.fsf@latte.josefsson.org> Andreas Metzler writes: > Hello, > this is http://bugs.debian.org/396867 submitted by Marc Haber. > cu andreas > > On 2006-11-03 Marc Haber wrote: >> Package: gnutls-bin >> Version: 1.4.4-2 >> Severity: normal > >> Hi, Hi Marc! >> I have one internal https server (running IIS on Windows Server 2003) >> which seems to request a rehandshake after the http request was >> transmitted. This seems to badly confuse gnutls-cli: > >> | $ gnutls-cli -p 443 a.b.c.d >> | Resolving 'a.b.c.d'... >> | Connecting to 'a.b.c.d:443'... >> | - Certificate type: X.509 >> | - Got a certificate list of 1 certificates. >> | >> | - Certificate[0] info: >> | # The hostname in the certificate does NOT match 'a.b.c.d'. >> | # valid since: Wed Jul 20 12:23:32 CEST 2005 >> | # expires at: Wed Sep 9 12:34:44 CEST 2009 >> | # fingerprint: 6B:22:44:F3:22:CC:BA:36:64:70:0F:C0:D5:CD:87:9E >> | # Subject's DN: C=DE,ST=BW,L=City,O=Site,OU=Site,CN=some.invalid.host.name.example >> | # Issuer's DN: CN=unqualifiedname >> | >> | >> | - Peer's certificate issuer is unknown >> | - Peer's certificate is NOT trusted >> | - Version: TLS 1.0 >> | - Key Exchange: RSA >> | - Cipher: ARCFOUR 128 >> | - MAC: MD5 >> | - Compression: NULL >> | - Handshake was completed >> | >> | - Simple Client Mode: >> | >> | GET / HTTP/1.0 >> | >> | *** Non fatal error: Rehandshake was requested by the peer. > >> After this, nothing happens any more. Ctrl-C out. There is some code in cli.c: static void check_rehandshake (socket_st *socket, int ret) { if (socket->secure && ret == GNUTLS_E_REHANDSHAKE) { /* There is a race condition here. If application * data is sent after the rehandshake request, * the server thinks we ignored his request. * This is a bad design of this client. */ printf ("*** Received rehandshake request\n"); /* gnutls_alert_send( session, GNUTLS_AL_WARNING, GNUTLS_A_NO_RENEGOTIATION); */ ret = do_handshake (socket); So it seems there may be some sub-optimal cli.c design here. It would be much easier to fix this if there were a public server that exhibits this problem, so I can debug exactly what gnutls-cli is doing. Any chance of finding one? Btw, I assume this problem confuses gnutls-cli, and not the actual libgnutls, right? In other words, you didn't find this bug because some application that uses libgnutls failed, did you? Thanks, Simon >> Trying the same with openssl s_client -connect a.b.c.d:443 works fine. >> With other servers (for example running apache on Linux), gnutls-cli >> works fine as well. > >> Greetings >> Marc > >> -- System Information: >> Debian Release: 4.0 >> APT prefers unstable >> APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable') >> Architecture: i386 (i686) >> Shell: /bin/sh linked to /bin/bash >> Kernel: Linux 2.6.18.1-scyw00225 >> Locale: LANG=C, LC_CTYPE=de_DE (charmap=ISO-8859-1) > >> Versions of packages gnutls-bin depends on: >> ii libc6 2.3.6.ds1-7 >> ii libgcrypt11 1.2.3-2 >> ii libgnutls13 1.4.4-2 >> ii libgpg-error0 1.4-1 >> ii libopencdk8 0.5.9-2 >> ii libtasn1-3 0.3.6-2 >> ii zlib1g 1:1.2.3-13 > > > -- > The 'Galactic Cleaning' policy undertaken by Emperor Zhark is a personal > vision of the emperor's, and its inclusion in this work does not constitute > tacit approval by the author or the publisher for any such projects, > howsoever undertaken. (c) Jasper Ffforde From jas at extundo.com Sun Nov 5 10:24:58 2006 From: jas at extundo.com (Simon Josefsson) Date: Sun, 05 Nov 2006 10:24:58 +0100 Subject: [gnutls-dev] Re: Gnutls4win: Problem with custom push/pull functions, errno and Visual Studio (Workaround included) In-Reply-To: <87lkmqi87k.fsf@latte.josefsson.org> (Simon Josefsson's message of "Sun\, 05 Nov 2006 09\:55\:11 +0100") References: <454CB224.5070607@filezilla-project.org> <87lkmqi87k.fsf@latte.josefsson.org> Message-ID: <87d582i6tx.fsf@latte.josefsson.org> This patch actually compiles... /Simon --- gnutls_int.h 13 Aug 2006 17:08:15 +0200 2.369 +++ gnutls_int.h 05 Nov 2006 10:18:25 +0100 @@ -598,6 +598,16 @@ */ gnutls_datum_t recv_buffer; + /* To avoid using global variables, and especially on Windows where + * the application may use a different errno variable than GnuTLS, + * it is possible to use gnutls_transport_set_errno to set a + * session-specific errno variable in the user-replaceable push/pull + * functions. This value is used by the send/recv functions. (the + * strange name of this variable is because 'errno' is typically + * #define'd.) + */ + int errnum; + /* If you add anything here, check _gnutls_handshake_internal_state_clear(). */ } internals_st; --- gnutls_buffers.c 13 Aug 2006 17:05:52 +0200 2.128 +++ gnutls_buffers.c 05 Nov 2006 10:20:05 +0100 @@ -77,6 +77,54 @@ # include #endif +/** + * gnutls_transport_set_errno: + * @session: is a #gnutls_session_t structure. + * @err: error value to store in session-specific errno variable. + * + * Store @err in the session-specific errno variable. + * + * This function is useful in replacement push/pull functions set by + * gnutls_transport_set_push_function and + * gnutls_transport_set_pullpush_function under Windows, where the + * replacement push/pull may not have access to the same @errno + * variable that is used by GnuTLS (e.g., the application is linked to + * msvcr71.dll and gnutls is linked to msvcrt.dll). + * + * If you don't have the @session variable easily accessible from the + * push/pull function, and don't worry about thread conflicts, you can + * also use gnutls_transport_set_global_errno(). + **/ +void +gnutls_transport_set_errno (gnutls_session_t session, int err) +{ + session->internals.errnum = err; +} + +/** + * gnutls_transport_set_global_errno: + * @err: error value to store in global errno variable. + * + * Store @err in the global errno variable. + * + * This function is useful in replacement push/pull functions set by + * gnutls_transport_set_push_function and + * gnutls_transport_set_pullpush_function under Windows, where the + * replacement push/pull may not have access to the same @errno + * variable that is used by GnuTLS (e.g., the application is linked to + * msvcr71.dll and gnutls is linked to msvcrt.dll). + * + * Whether this function is thread safe or not depends on whether the + * global variable errno is thread safe, some system libraries make it + * a thread-local variable. When feasible, using the guaranteed + * thread-safe gnutls_transport_set_errno() may be better. + **/ +void +gnutls_transport_set_global_errno (int err) +{ + errno = err; +} + /* Buffers received packets of type APPLICATION DATA and * HANDSHAKE DATA. */ @@ -264,6 +312,8 @@ while (left > 0) { + session->internals.errnum = 0; + if (session->internals._gnutls_pull_func == NULL) i = recv (GNUTLS_POINTER_TO_INT(fd), &ptr[sizeOfPtr - left], left, flags); @@ -274,10 +324,13 @@ if (i < 0) { - _gnutls_read_log ("READ: %d returned from %d, errno=%d\n", i, - fd, errno); + int err = session->internals.errnum ? session->internals.errnum + : errno; + + _gnutls_read_log ("READ: %d returned from %d, errno=%d gerrno=%d\n", + i, fd, errno, session->internals.errnum); - if (errno == EAGAIN || errno == EINTR) + if (err == EAGAIN || err == EINTR) { if (sizeOfPtr - left > 0) { @@ -289,7 +342,7 @@ } gnutls_assert (); - return RET (errno); + return RET (err); } else { @@ -701,6 +754,8 @@ while (left > 0) { + session->internals.errnum = 0; + if (session->internals._gnutls_push_func == NULL) i = send (GNUTLS_POINTER_TO_INT(fd), &ptr[n - left], left, 0); else @@ -708,7 +763,10 @@ if (i == -1) { - if (errno == EAGAIN || errno == EINTR) + int err = session->internals.errnum ? session->internals.errnum + : errno; + + if (err == EAGAIN || err == EINTR) { session->internals.record_send_buffer_prev_size += n - left; @@ -726,7 +784,7 @@ ("WRITE: Interrupted. Stored %d bytes to buffer. Already sent %d bytes.\n", left, n - left); - retval = RET (errno); + retval = RET (err); return retval; } From tim.kosse at filezilla-project.org Sun Nov 5 13:56:50 2006 From: tim.kosse at filezilla-project.org (Tim Kosse) Date: Sun, 05 Nov 2006 13:56:50 +0100 Subject: [gnutls-dev] Re: Gnutls4win: Problem with custom push/pull functions, errno and Visual Studio (Workaround included) In-Reply-To: <87d582i6tx.fsf@latte.josefsson.org> References: <454CB224.5070607@filezilla-project.org> <87lkmqi87k.fsf@latte.josefsson.org> <87d582i6tx.fsf@latte.josefsson.org> Message-ID: <454DDF92.8020707@filezilla-project.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Simon Josefsson wrote: > @@ -701,6 +754,8 @@ > while (left > 0) > { > > + session->internals.errnum = 0; > + > if (session->internals._gnutls_push_func == NULL) > i = send (GNUTLS_POINTER_TO_INT(fd), &ptr[n - left], left, 0); > else > @@ -708,7 +763,10 @@ > > if (i == -1) > { > - if (errno == EAGAIN || errno == EINTR) > + int err = session->internals.errnum ? session->internals.errnum > + : errno; > + > + if (err == EAGAIN || err == EINTR) > { > session->internals.record_send_buffer_prev_size += n - left; > > @@ -726,7 +784,7 @@ > ("WRITE: Interrupted. Stored %d bytes to buffer. Already sent %d bytes.\n", > left, n - left); > > - retval = RET (errno); > + retval = RET (err); > > return retval; > } > What if errno != 0 prior to calling the push function and the push function just sets session->internals.errnum to 0? I think errno has to be initialized with 0 as well. Tim -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFFTd9y8N9+lcqiUkURAhrKAKDjwfDrMP2Rvk/8GbO5tf0oP12rMwCeN7Fm fYdANRbe30rV4teH53hnPtc= =8tu6 -----END PGP SIGNATURE----- From wk at gnupg.org Sun Nov 5 15:59:30 2006 From: wk at gnupg.org (Werner Koch) Date: Sun, 05 Nov 2006 15:59:30 +0100 Subject: [gnutls-dev] Re: Gnutls4Win: gnutls_global_init takes > 10 seconds In-Reply-To: <454B7BAB.40401@filezilla-project.org> (Tim Kosse's message of "Fri\, 03 Nov 2006 18\:26\:03 +0100") References: <4549E3F2.4080401@filezilla-project.org> <87k62ckeaw.fsf@latte.josefsson.org> <454B3BE1.6030902@filezilla-project.org> <877iyck0bd.fsf@wheatstone.g10code.de> <454B7BAB.40401@filezilla-project.org> Message-ID: <87d5826ist.fsf@wheatstone.g10code.de> On Fri, 3 Nov 2006 18:26, Tim Kosse said: > Is that much data neccessary to seed the prng? Yes. You mind what to track Peter Gutmann's changes to cryptlib to check what he changed over time. We might be able to merges some chnages. Hoever this needs to be done with great care. >> Using the MS API is not an option - you don't know what they are >> doing. Better be safe and try what we can do. > > Not even in addition to the other methods? No. It increases complexity. If you don't want a seed file, you have to live with it. Your goal is not to leave any traces but you consider to use the MS Crypto API? How do you know that there are no traces left then? The random seed file is not that sensitive. It is of course good not to reveal it - but it is not more a problem than to use a proprietary API. Shalom-Salam, Werner From wk at gnupg.org Sun Nov 5 16:03:42 2006 From: wk at gnupg.org (Werner Koch) Date: Sun, 05 Nov 2006 16:03:42 +0100 Subject: [gnutls-dev] Re: Gnutls4Win: gnutls_global_init takes > 10 seconds In-Reply-To: <87y7qsi5b8.fsf@latte.josefsson.org> (Simon Josefsson's message of "Fri\, 03 Nov 2006 22\:33\:15 +0100") References: <4549E3F2.4080401@filezilla-project.org> <87k62ckeaw.fsf@latte.josefsson.org> <454B3BE1.6030902@filezilla-project.org> <877iyck0bd.fsf@wheatstone.g10code.de> <87y7qsi5b8.fsf@latte.josefsson.org> Message-ID: <878xiq6ilt.fsf@wheatstone.g10code.de> On Fri, 3 Nov 2006 22:33, Simon Josefsson said: > Which file and SVN version? Last time I tried libgcrypt 1.3.0/svn it > didn't build for mingw at all, so I'm staying with 1.2.2 for now. 2006-09-11 Werner Koch * rndw32.c (slow_gatherer_windowsNT): While adding data use the size of the diskPerformance and not its address. Has been fixed in GnuPG more than a year ago. Noted by Lee Fisher. At the same day fixed in trunk and 1.2. No releases yet. Salam-Shalom, Werner From jas at extundo.com Sun Nov 5 17:33:27 2006 From: jas at extundo.com (Simon Josefsson) Date: Sun, 05 Nov 2006 17:33:27 +0100 Subject: [gnutls-dev] Re: Gnutls4Win: gnutls_global_init takes > 10 seconds In-Reply-To: <878xiq6ilt.fsf@wheatstone.g10code.de> (Werner Koch's message of "Sun\, 05 Nov 2006 16\:03\:42 +0100") References: <4549E3F2.4080401@filezilla-project.org> <87k62ckeaw.fsf@latte.josefsson.org> <454B3BE1.6030902@filezilla-project.org> <877iyck0bd.fsf@wheatstone.g10code.de> <87y7qsi5b8.fsf@latte.josefsson.org> <878xiq6ilt.fsf@wheatstone.g10code.de> Message-ID: <873b8xj1k8.fsf@latte.josefsson.org> Werner Koch writes: > On Fri, 3 Nov 2006 22:33, Simon Josefsson said: > >> Which file and SVN version? Last time I tried libgcrypt 1.3.0/svn it >> didn't build for mingw at all, so I'm staying with 1.2.2 for now. > > 2006-09-11 Werner Koch > > * rndw32.c (slow_gatherer_windowsNT): While adding data use the > size of the diskPerformance and not its address. Has been fixed in > GnuPG more than a year ago. Noted by Lee Fisher. > > At the same day fixed in trunk and 1.2. No releases yet. Thanks, I found it. The gnutls4win Makefile now apply that patch. Tim, are you able to test whether this solves your problem or not? (Debian's Wine packages seems broken with kernel 2.6.18, so currently I can't build a new Gnutls4win installer...) /Simon PS. The change was installed in svn as follows, in case someone wants to go look at it: http://cvs.gnupg.org/cgi-bin/viewcvs.cgi/trunk/cipher/rndw32.c?root=Libgcrypt&rev=1179&r1=1068&r2=1179 comment 'r1179 | wk | 2006-10-05 10:01:11 +0200 (Thu, 05 Oct 2006) | 2 lines fix gcc4 warning (David) and other collected fixes. . From jas at extundo.com Mon Nov 6 12:47:46 2006 From: jas at extundo.com (Simon Josefsson) Date: Mon, 06 Nov 2006 12:47:46 +0100 Subject: [gnutls-dev] Re: Gnutls4win: Problem with custom push/pull functions, errno and Visual Studio (Workaround included) In-Reply-To: <454DDF92.8020707@filezilla-project.org> (Tim Kosse's message of "Sun\, 05 Nov 2006 13\:56\:50 +0100") References: <454CB224.5070607@filezilla-project.org> <87lkmqi87k.fsf@latte.josefsson.org> <87d582i6tx.fsf@latte.josefsson.org> <454DDF92.8020707@filezilla-project.org> Message-ID: <877iy8lrtp.fsf@latte.josefsson.org> Tim Kosse writes: > What if errno != 0 prior to calling the push function and the push > function just sets session->internals.errnum to 0? > I think errno has to be initialized with 0 as well. Standard Unix API semantics is that errno must be set when the function returns negative, and the code in gnutls checks the return value before using the value in errno. However, it seems harmless to set errno to 0 before the call, and it might catch errors in custom push/pull functions. So how about this patch? Thanks, Simon --- gnutls_buffers.c 13 Aug 2006 17:05:52 +0200 2.128 +++ gnutls_buffers.c 06 Nov 2006 12:46:08 +0100 @@ -77,6 +77,58 @@ # include #endif +/** + * gnutls_transport_set_errno: + * @session: is a #gnutls_session_t structure. + * @err: error value to store in session-specific errno variable. + * + * Store @err in the session-specific errno variable. Useful values + * for @err is EAGAIN and EINTR, other values are treated will be + * treated as real errors in the push/pull function. + * + * This function is useful in replacement push/pull functions set by + * gnutls_transport_set_push_function and + * gnutls_transport_set_pullpush_function under Windows, where the + * replacement push/pull may not have access to the same @errno + * variable that is used by GnuTLS (e.g., the application is linked to + * msvcr71.dll and gnutls is linked to msvcrt.dll). + * + * If you don't have the @session variable easily accessible from the + * push/pull function, and don't worry about thread conflicts, you can + * also use gnutls_transport_set_global_errno(). + **/ +void +gnutls_transport_set_errno (gnutls_session_t session, int err) +{ + session->internals.errnum = err; +} + +/** + * gnutls_transport_set_global_errno: + * @err: error value to store in global errno variable. + * + * Store @err in the global errno variable. Useful values for @err is + * EAGAIN and EINTR, other values are treated will be treated as real + * errors in the push/pull function. + * + * This function is useful in replacement push/pull functions set by + * gnutls_transport_set_push_function and + * gnutls_transport_set_pullpush_function under Windows, where the + * replacement push/pull may not have access to the same @errno + * variable that is used by GnuTLS (e.g., the application is linked to + * msvcr71.dll and gnutls is linked to msvcrt.dll). + * + * Whether this function is thread safe or not depends on whether the + * global variable errno is thread safe, some system libraries make it + * a thread-local variable. When feasible, using the guaranteed + * thread-safe gnutls_transport_set_errno() may be better. + **/ +void +gnutls_transport_set_global_errno (int err) +{ + errno = err; +} + /* Buffers received packets of type APPLICATION DATA and * HANDSHAKE DATA. */ @@ -264,6 +316,9 @@ while (left > 0) { + session->internals.errnum = 0; + errno = 0; + if (session->internals._gnutls_pull_func == NULL) i = recv (GNUTLS_POINTER_TO_INT(fd), &ptr[sizeOfPtr - left], left, flags); @@ -274,10 +329,13 @@ if (i < 0) { - _gnutls_read_log ("READ: %d returned from %d, errno=%d\n", i, - fd, errno); + int err = session->internals.errnum ? session->internals.errnum + : errno; + + _gnutls_read_log ("READ: %d returned from %d, errno=%d gerrno=%d\n", + i, fd, errno, session->internals.errnum); - if (errno == EAGAIN || errno == EINTR) + if (err == EAGAIN || err == EINTR) { if (sizeOfPtr - left > 0) { @@ -289,7 +347,7 @@ } gnutls_assert (); - return RET (errno); + return RET (err); } else { @@ -701,6 +759,9 @@ while (left > 0) { + session->internals.errnum = 0; + errno = 0; + if (session->internals._gnutls_push_func == NULL) i = send (GNUTLS_POINTER_TO_INT(fd), &ptr[n - left], left, 0); else @@ -708,7 +769,10 @@ if (i == -1) { - if (errno == EAGAIN || errno == EINTR) + int err = session->internals.errnum ? session->internals.errnum + : errno; + + if (err == EAGAIN || err == EINTR) { session->internals.record_send_buffer_prev_size += n - left; @@ -726,7 +790,7 @@ ("WRITE: Interrupted. Stored %d bytes to buffer. Already sent %d bytes.\n", left, n - left); - retval = RET (errno); + retval = RET (err); return retval; } From jas at extundo.com Mon Nov 6 12:50:51 2006 From: jas at extundo.com (Simon Josefsson) Date: Mon, 06 Nov 2006 12:50:51 +0100 Subject: [gnutls-dev] GnuTLS 1.4.5 Message-ID: <873b8wlrok.fsf@latte.josefsson.org> I am happy to announce GnuTLS 1.4.5, a bugfix release on the stable 1.4 branch. This version is what we recommend for those who need a stable version of GnuTLS. GnuTLS is a modern C library that implement the standard network security protocol Transport Layer Security (TLS), for use by network applications. Noteworthy changes since 1.4.4: ** When a GnuTLS server receive a SSLv2 Client Hello for an unknown TLS ** version, try to negotiate the highest version support by the GnuTLS server, ** instead of the lowest. Reported by . ** Fix typo in doc/examples/ex-serv-pgp.c. Reported by Adam Langley" . Improving GnuTLS is costly, but you can help! We are looking for organizations that find GnuTLS useful and wish to contribute back. You can contribute by reporting bugs, improve the software, or donate money or equipment. Commercial support contracts for GnuTLS are available, and they help finance continued maintenance. Simon Josefsson Datakonsult, a Stockholm based privately held company, is currently funding GnuTLS maintenance. We are always looking for interesting development projects. See http://josefsson.org/ for more details. All manual formats are available from: http://www.gnutls.org/manual/ Direct link to the most popular formats: http://www.gnutls.org/manual/gnutls.html - HTML format http://www.gnutls.org/manual/gnutls.pdf - PDF format http://www.gnutls.org/reference/ch01.html - API Reference, GTK-DOC HTML If you need help to use GnuTLS, or want to help others, you are invited to join our help-gnutls mailing list, see: . The project page of the library is available at: http://www.gnutls.org/ http://www.gnu.org/software/gnutls/ http://josefsson.org/gnutls/ Here are the compressed sources (3.9MB): ftp://ftp.gnutls.org/pub/gnutls/gnutls-1.4.5.tar.bz2 http://josefsson.org/gnutls/releases/gnutls-1.4.5.tar.bz2 Here are GPG detached signatures signed using key 0xB565716F: ftp://ftp.gnutls.org/pub/gnutls/gnutls-1.4.5.tar.bz2.sig http://josefsson.org/gnutls/releases/gnutls-1.4.5.tar.bz2.sig The software is cryptographically signed by the author using an OpenPGP key identified by the following information: pub 1280R/B565716F 2002-05-05 [expires: 2007-02-15] uid Simon Josefsson uid Simon Josefsson sub 1280R/4D5D40AE 2002-05-05 [expires: 2007-02-15] sub 1024R/09CC4670 2006-03-18 [expires: 2007-04-22] sub 1024R/AABB1F7B 2006-03-18 [expires: 2007-04-22] sub 1024R/A14C401A 2006-03-18 [expires: 2007-04-22] The key is available from: http://josefsson.org/key.txt dns:b565716f.josefsson.org?TYPE=CERT Here are the SHA-1 and SHA-224 checksums: 49a468de975ee6d10778ac43884ea4febb03d9dc gnutls-1.4.5.tar.bz2 e4527fcd9a7f48ebdf562910f8cb5a281ee9bef9 gnutls-1.4.5.tar.bz2.sig 68fd8ef740c55497f888c73ca833c0a1591b5ba0b2514aee4f506eb4 gnutls-1.4.5.tar.bz2 65416c5219e33532d5404e04c9b9a2e57fd3a42fa95c9ae9494f0199 gnutls-1.4.5.tar.bz2.sig Enjoy, Nikos and Simon -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 419 bytes Desc: not available URL: From jas at extundo.com Mon Nov 6 13:17:18 2006 From: jas at extundo.com (Simon Josefsson) Date: Mon, 06 Nov 2006 13:17:18 +0100 Subject: [gnutls-dev] Re: Gnutls4win: Problem with custom push/pull functions, errno and Visual Studio (Workaround included) In-Reply-To: <877iy8lrtp.fsf@latte.josefsson.org> References: <454CB224.5070607@filezilla-project.org> <87lkmqi87k.fsf@latte.josefsson.org> <87d582i6tx.fsf@latte.josefsson.org> <454DDF92.8020707@filezilla-project.org> <877iy8lrtp.fsf@latte.josefsson.org> Message-ID: <454F27CE.8000007@extundo.com> I've created a new Windows installer based on current 1.5 CVS plus the patch discussed in this thread, and the patch against libgcrypt. See the 1.5.4rc1 installer on: http://josefsson.org/gnutls4win/ Please test it. If there are no objections, I'll release 1.5.4 in a week or so. We should also start to plan for a proper 1.6.0 release.. Tim, what is your impression of the latest 1.5 stuff? How close are you to have gnutls do something useful for you under Windows? /Simon From wk at gnupg.org Mon Nov 6 14:46:01 2006 From: wk at gnupg.org (Werner Koch) Date: Mon, 06 Nov 2006 14:46:01 +0100 Subject: [gnutls-dev] Re: Gnutls4win: Problem with custom push/pull functions, errno and Visual Studio (Workaround included) In-Reply-To: <877iy8lrtp.fsf@latte.josefsson.org> (Simon Josefsson's message of "Mon\, 06 Nov 2006 12\:47\:46 +0100") References: <454CB224.5070607@filezilla-project.org> <87lkmqi87k.fsf@latte.josefsson.org> <87d582i6tx.fsf@latte.josefsson.org> <454DDF92.8020707@filezilla-project.org> <877iy8lrtp.fsf@latte.josefsson.org> Message-ID: <874ptcwuw6.fsf@wheatstone.g10code.de> On Mon, 6 Nov 2006 12:47, jas at extundo.com said: > value before using the value in errno. However, it seems harmless to > set errno to 0 before the call, and it might catch errors in custom If you want gnutls to behave similar to Posix or ISO-C, you should not set errno to 0. Posix states that errno will be not be set to 0 by any function decribed in this volume of IEEE-1003.1. Setting errno to 0 without an error changes the semantics. if ( open (...) < 0 ) { gnutls_foo () fprintf (stderr, "error from open: %s\n", strerror (errno)); } Should print an error if open fails. The printed error will be from open or due to a failure of gnutls_foo. If gnutls_foo succeeds, the result would be a error from open: No Error That is probably not what the user expected. Anyway, mixing different CRTs is not exactly a good idea. You will encounter more and more problems which are even harder to solve. We have the same problem with gpgol (an Outlook extension), however Outlook handles extensions a bit different than a plain DLL and thus the "only" problem we had to solve was to use the correct version of free(). IIRC, the DLL mechanisms has some indirect linking features whoch might be used to solve this problem. Shalom-Salam, Werner From jas at extundo.com Mon Nov 6 15:46:29 2006 From: jas at extundo.com (Simon Josefsson) Date: Mon, 06 Nov 2006 15:46:29 +0100 Subject: [gnutls-dev] Re: Gnutls4win: Problem with custom push/pull functions, errno and Visual Studio (Workaround included) In-Reply-To: <874ptcwuw6.fsf@wheatstone.g10code.de> (Werner Koch's message of "Mon\, 06 Nov 2006 14\:46\:01 +0100") References: <454CB224.5070607@filezilla-project.org> <87lkmqi87k.fsf@latte.josefsson.org> <87d582i6tx.fsf@latte.josefsson.org> <454DDF92.8020707@filezilla-project.org> <877iy8lrtp.fsf@latte.josefsson.org> <874ptcwuw6.fsf@wheatstone.g10code.de> Message-ID: <87y7qomy4a.fsf@latte.josefsson.org> Werner Koch writes: > On Mon, 6 Nov 2006 12:47, jas at extundo.com said: > >> value before using the value in errno. However, it seems harmless to >> set errno to 0 before the call, and it might catch errors in custom > > If you want gnutls to behave similar to Posix or ISO-C, you should not > set errno to 0. Agreed. Since it is now proved to be harmful to set errno 0 here, I've reverted that part of the patch. > Posix states that errno will be not be set to 0 by any function > decribed in this volume of IEEE-1003.1. Setting errno to 0 without an > error changes the semantics. > > if ( open (...) < 0 ) > { > gnutls_foo () > fprintf (stderr, "error from open: %s\n", strerror (errno)); > } > > Should print an error if open fails. The printed error will be from > open or due to a failure of gnutls_foo. If gnutls_foo succeeds, the > result would be a > > error from open: No Error > > That is probably not what the user expected. Yup. > Anyway, mixing different CRTs is not exactly a good idea. You will > encounter more and more problems which are even harder to solve. We > have the same problem with gpgol (an Outlook extension), however > Outlook handles extensions a bit different than a plain DLL and thus > the "only" problem we had to solve was to use the correct version of > free(). IIRC, the DLL mechanisms has some indirect linking features > whoch might be used to solve this problem. I remember the free() problem from libidn, and it now has a similar dummy function idn_free() that simply calls free(). Anyway, what are the additional problems and what is the correct solution to the entire mess? Not linking to any CRT at all? I wonder how much from the CRT gnutls actually needs, it might be possible... Providing more than one gnutls DLL? E.g., gnutls-mscvrt.dll and gnutls-msvcr71.dll? Any other solutions? Perhaps it would be useful to have a build option to build gnutls to not use send/recv/errno at all. Then the caller must always supply its own send/recv functions. That build option should be easy to add. I suspect that this patch goes a long way to fix things, though. /Simon From jas at extundo.com Mon Nov 6 15:51:48 2006 From: jas at extundo.com (Simon Josefsson) Date: Mon, 06 Nov 2006 15:51:48 +0100 Subject: [gnutls-dev] Re: Gnutls4win: Problem with custom push/pull functions, errno and Visual Studio (Workaround included) In-Reply-To: <454F463D.3070700@filezilla-project.org> (Tim Kosse's message of "Mon\, 06 Nov 2006 15\:27\:09 +0100") References: <454CB224.5070607@filezilla-project.org> <87lkmqi87k.fsf@latte.josefsson.org> <87d582i6tx.fsf@latte.josefsson.org> <454DDF92.8020707@filezilla-project.org> <877iy8lrtp.fsf@latte.josefsson.org> <454F27CE.8000007@extundo.com> <454F463D.3070700@filezilla-project.org> Message-ID: <87u01cmxvf.fsf@latte.josefsson.org> Tim Kosse writes: > Simon Josefsson wrote: >> I've created a new Windows installer based on current 1.5 CVS plus the >> patch discussed in this thread, and the patch against libgcrypt. See >> the 1.5.4rc1 installer on: >> >> http://josefsson.org/gnutls4win/ > > Thanks. > >> Please test it. If there are no objections, I'll release 1.5.4 in a >> week or so. > > Two problems: > > 1) The gnutls_transport_set_(global_)errno functions are missing in the > installed headers. Oops, right, added. > 2) gnutls_global_init got A LOT worse, it takes over 50 seconds now. Ouch. Werner, any further ideas? >> Tim, what is your impression of the latest 1.5 stuff? How close are >> you to have gnutls do something useful for you under Windows? > > Considering that I've only started working with GnuTLS about a week ago, > I'm making good progress. I can establish TLS secured connections just > fine using custom push/pull functions. Next I'll have a look at > certificate verification. > The only two issues I encountered so far are the slow initialization and > the errno problem. Thanks for the info. Given that the libgcrypt problems is solvable using the third-party DLL's, and the errno problem seem to be close to solved, I think we are in good shape for 1.6.0. Due to travels, I'll probably not release anything until next week, so you have some time to come up with more problems. :) Thanks, Simon From tim.kosse at filezilla-project.org Mon Nov 6 16:06:31 2006 From: tim.kosse at filezilla-project.org (Tim Kosse) Date: Mon, 06 Nov 2006 16:06:31 +0100 Subject: [gnutls-dev] Re: Gnutls4Win: gnutls_global_init takes > 10 seconds In-Reply-To: <873b8xj1k8.fsf@latte.josefsson.org> References: <4549E3F2.4080401@filezilla-project.org> <87k62ckeaw.fsf@latte.josefsson.org> <454B3BE1.6030902@filezilla-project.org> <877iyck0bd.fsf@wheatstone.g10code.de> <87y7qsi5b8.fsf@latte.josefsson.org> <878xiq6ilt.fsf@wheatstone.g10code.de> <873b8xj1k8.fsf@latte.josefsson.org> Message-ID: <454F4F77.3080602@filezilla-project.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Simon Josefsson wrote: > Werner Koch writes: > >> On Fri, 3 Nov 2006 22:33, Simon Josefsson said: >> >>> Which file and SVN version? Last time I tried libgcrypt 1.3.0/svn it >>> didn't build for mingw at all, so I'm staying with 1.2.2 for now. >> 2006-09-11 Werner Koch >> >> * rndw32.c (slow_gatherer_windowsNT): While adding data use the >> size of the diskPerformance and not its address. Has been fixed in >> GnuPG more than a year ago. Noted by Lee Fisher. >> >> At the same day fixed in trunk and 1.2. No releases yet. > Tim, are you able to test whether this solves your problem or not? As I wrote earlier, gathering the disk IO performance stats did not cause any noticeable delay. Werner Koch wrote: > You mind what to track Peter Gutmann's changes to cryptlib to > check what he changed over time. We might be able to merges some > chnages. Hoever this needs to be done with great care. I had a brief look. What I noticed: - - Cryptlib uses CryptGenRandom from the CryptoAPI - - The heap walking is limited in size, the entire heap is no longer walked. In cryptolib, at most 20 heaps are walked, and for each heap only the 20 first entries. Compared to libgcrypt, which walks everything (about 30k heap blocks in my case, still rising as my program gets more complex) - - Cryptolib makes use of Intel's hardware RNG found on some motherboards. A safe optimization, which is neither used by libgcrypt nor cryptolib, which does not have any drawbacks as far as I can see, is to increase the PERFORMANCE_BUFFER_SIZE and PERFORMANCE_BUFFER_STEP constants. Setting PERFORMANCE_BUFFER_SIZE to at least 150k yields a 2 second improvement on my system. Tim -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFFT0938N9+lcqiUkURAghiAKDCuBmErkbpqejd5Gce5FUJtPDhBwCfV9qo OnuhDOZwXUS75hod6Xw4WIY= =wUke -----END PGP SIGNATURE----- From wk at gnupg.org Mon Nov 6 17:26:11 2006 From: wk at gnupg.org (Werner Koch) Date: Mon, 06 Nov 2006 17:26:11 +0100 Subject: [gnutls-dev] Re: Gnutls4win: Problem with custom push/pull functions, errno and Visual Studio (Workaround included) In-Reply-To: <87y7qomy4a.fsf@latte.josefsson.org> (Simon Josefsson's message of "Mon\, 06 Nov 2006 15\:46\:29 +0100") References: <454CB224.5070607@filezilla-project.org> <87lkmqi87k.fsf@latte.josefsson.org> <87d582i6tx.fsf@latte.josefsson.org> <454DDF92.8020707@filezilla-project.org> <877iy8lrtp.fsf@latte.josefsson.org> <874ptcwuw6.fsf@wheatstone.g10code.de> <87y7qomy4a.fsf@latte.josefsson.org> Message-ID: <87lkmotucc.fsf@wheatstone.g10code.de> On Mon, 6 Nov 2006 15:46, jas at extundo.com said: > Anyway, what are the additional problems and what is the correct > solution to the entire mess? The CRT (or lets call it libc) is stateful and most implementations use fome kind of mutexes or thread local storage to make it thread-safe. Think only of stdio - it should lead to problems if you pass a stream from one module to another, just like free. > Not linking to any CRT at all? I wonder how much from the CRT gnutls > actually needs, it might be possible... I don't know. From debugging the resource compiler, linker and MAPI stuff I recall that MS has something like indirect linking. I am not sure however. > Providing more than one gnutls DLL? E.g., gnutls-mscvrt.dll and > gnutls-msvcr71.dll? and also gnutls-msvcr72 ? I don't think that this is a proper solution. We need to figure out how this can be done correctly. One problem is that these are only subtle and possible the reason why Windows software sometimes crashes when updating parts of the system. > I suspect that this patch goes a long way to fix things, though. :-( Shalom-Salam, Werner From jas at extundo.com Tue Nov 7 11:14:45 2006 From: jas at extundo.com (Simon Josefsson) Date: Tue, 07 Nov 2006 11:14:45 +0100 Subject: [gnutls-dev] Re: Gnutls4win: Problem with custom push/pull functions, errno and Visual Studio (Workaround included) In-Reply-To: <87y7qomy4a.fsf@latte.josefsson.org> (Simon Josefsson's message of "Mon\, 06 Nov 2006 15\:46\:29 +0100") References: <454CB224.5070607@filezilla-project.org> <87lkmqi87k.fsf@latte.josefsson.org> <87d582i6tx.fsf@latte.josefsson.org> <454DDF92.8020707@filezilla-project.org> <877iy8lrtp.fsf@latte.josefsson.org> <874ptcwuw6.fsf@wheatstone.g10code.de> <87y7qomy4a.fsf@latte.josefsson.org> Message-ID: <87d57zpnqi.fsf@latte.josefsson.org> I've installed this patch. Btw, it seems others have run into other errno problems in push/pull functions, see: http://darcs.0x539.de/trac/obby/cgi-bin/trac.cgi/browser/net6/src/encrypt.cpp I think we should use WSAGetLastError to set errno ourselves, but I'll post the patch for this separately. /Simon Index: NEWS =================================================================== RCS file: /cvs/gnutls/gnutls/NEWS,v retrieving revision 2.732 diff -u -p -r2.732 NEWS --- NEWS 6 Nov 2006 11:53:13 -0000 2.732 +++ NEWS 7 Nov 2006 10:10:38 -0000 @@ -5,6 +5,22 @@ See the end for copying conditions. * Version 1.5.4 (unreleased) +** New API functions to set errno in push/pull functions. +Under Windows, setting the errno variable in a push/pull replacement +may end up setting the wrong errno variable, and GnuTLS send/recv +functions become confused about the real errno returned from a failed +push/pull function. Therefor, we have added two APIs to set the errno +variable used by GnuTLS. The APIs can also help to keep things +thread-safe, by avoiding potentially global variables. Typically, +instead of setting errno in your push/pull function, you will call one +of these functions. It is recommended to use +gnutls_transport_set_errno, but if you don't have the session variable +easily accessible in the push/pull replacement function, you can use +gnutls_transport_set_global_errno. + +void gnutls_transport_set_errno (gnutls_session_t session, int err); +void gnutls_transport_set_global_errno (int err); + ** Several OpenPGP API fixes. All suggested by ludovic.courtes at laas.fr (Ludovic Court?s). The most important fix is to change the return value of @@ -28,7 +44,8 @@ This fixes build errors similar to "No r `libgnutls-`expr', needed by `all-am'." when building for Windows. ** API and ABI modifications: -No changes since last version. +gnutls_transport_set_errno: ADD +gnutls_transport_set_global_errno: ADD * Version 1.5.3 (released 2006-10-26) Index: includes/gnutls/gnutls.h.in =================================================================== RCS file: /cvs/gnutls/gnutls/includes/gnutls/gnutls.h.in,v retrieving revision 1.23 diff -u -p -r1.23 gnutls.h.in --- includes/gnutls/gnutls.h.in 5 May 2006 09:07:17 -0000 1.23 +++ includes/gnutls/gnutls.h.in 7 Nov 2006 10:10:38 -0000 @@ -736,6 +736,9 @@ extern "C" void gnutls_transport_set_pull_function (gnutls_session_t session, gnutls_pull_func pull_func); + void gnutls_transport_set_errno (gnutls_session_t session, int err); + void gnutls_transport_set_global_errno (int err); + /* session specific */ void gnutls_session_set_ptr (gnutls_session_t session, void *ptr); Index: lib/gnutls_buffers.c =================================================================== RCS file: /cvs/gnutls/gnutls/lib/gnutls_buffers.c,v retrieving revision 2.128 diff -u -p -r2.128 gnutls_buffers.c --- lib/gnutls_buffers.c 13 Aug 2006 15:08:02 -0000 2.128 +++ lib/gnutls_buffers.c 7 Nov 2006 10:10:38 -0000 @@ -77,6 +77,58 @@ RET (int err) # include #endif +/** + * gnutls_transport_set_errno: + * @session: is a #gnutls_session_t structure. + * @err: error value to store in session-specific errno variable. + * + * Store @err in the session-specific errno variable. Useful values + * for @err is EAGAIN and EINTR, other values are treated will be + * treated as real errors in the push/pull function. + * + * This function is useful in replacement push/pull functions set by + * gnutls_transport_set_push_function and + * gnutls_transport_set_pullpush_function under Windows, where the + * replacement push/pull may not have access to the same @errno + * variable that is used by GnuTLS (e.g., the application is linked to + * msvcr71.dll and gnutls is linked to msvcrt.dll). + * + * If you don't have the @session variable easily accessible from the + * push/pull function, and don't worry about thread conflicts, you can + * also use gnutls_transport_set_global_errno(). + **/ +void +gnutls_transport_set_errno (gnutls_session_t session, int err) +{ + session->internals.errnum = err; +} + +/** + * gnutls_transport_set_global_errno: + * @err: error value to store in global errno variable. + * + * Store @err in the global errno variable. Useful values for @err is + * EAGAIN and EINTR, other values are treated will be treated as real + * errors in the push/pull function. + * + * This function is useful in replacement push/pull functions set by + * gnutls_transport_set_push_function and + * gnutls_transport_set_pullpush_function under Windows, where the + * replacement push/pull may not have access to the same @errno + * variable that is used by GnuTLS (e.g., the application is linked to + * msvcr71.dll and gnutls is linked to msvcrt.dll). + * + * Whether this function is thread safe or not depends on whether the + * global variable errno is thread safe, some system libraries make it + * a thread-local variable. When feasible, using the guaranteed + * thread-safe gnutls_transport_set_errno() may be better. + **/ +void +gnutls_transport_set_global_errno (int err) +{ + errno = err; +} + /* Buffers received packets of type APPLICATION DATA and * HANDSHAKE DATA. */ @@ -264,6 +316,8 @@ _gnutls_read (gnutls_session_t session, while (left > 0) { + session->internals.errnum = 0; + if (session->internals._gnutls_pull_func == NULL) i = recv (GNUTLS_POINTER_TO_INT(fd), &ptr[sizeOfPtr - left], left, flags); @@ -274,10 +328,13 @@ _gnutls_read (gnutls_session_t session, if (i < 0) { - _gnutls_read_log ("READ: %d returned from %d, errno=%d\n", i, - fd, errno); + int err = session->internals.errnum ? session->internals.errnum + : errno; + + _gnutls_read_log ("READ: %d returned from %d, errno=%d gerrno=%d\n", + i, fd, errno, session->internals.errnum); - if (errno == EAGAIN || errno == EINTR) + if (err == EAGAIN || err == EINTR) { if (sizeOfPtr - left > 0) { @@ -289,7 +346,7 @@ _gnutls_read (gnutls_session_t session, } gnutls_assert (); - return RET (errno); + return RET (err); } else { @@ -701,6 +758,8 @@ _gnutls_io_write_buffered (gnutls_sessio while (left > 0) { + session->internals.errnum = 0; + if (session->internals._gnutls_push_func == NULL) i = send (GNUTLS_POINTER_TO_INT(fd), &ptr[n - left], left, 0); else @@ -708,7 +767,10 @@ _gnutls_io_write_buffered (gnutls_sessio if (i == -1) { - if (errno == EAGAIN || errno == EINTR) + int err = session->internals.errnum ? session->internals.errnum + : errno; + + if (err == EAGAIN || err == EINTR) { session->internals.record_send_buffer_prev_size += n - left; @@ -726,7 +788,7 @@ _gnutls_io_write_buffered (gnutls_sessio ("WRITE: Interrupted. Stored %d bytes to buffer. Already sent %d bytes.\n", left, n - left); - retval = RET (errno); + retval = RET (err); return retval; } Index: lib/gnutls_int.h =================================================================== RCS file: /cvs/gnutls/gnutls/lib/gnutls_int.h,v retrieving revision 2.369 diff -u -p -r2.369 gnutls_int.h --- lib/gnutls_int.h 13 Aug 2006 15:07:45 -0000 2.369 +++ lib/gnutls_int.h 7 Nov 2006 10:10:38 -0000 @@ -598,6 +598,16 @@ typedef struct */ gnutls_datum_t recv_buffer; + /* To avoid using global variables, and especially on Windows where + * the application may use a different errno variable than GnuTLS, + * it is possible to use gnutls_transport_set_errno to set a + * session-specific errno variable in the user-replaceable push/pull + * functions. This value is used by the send/recv functions. (The + * strange name of this variable is because 'errno' is typically + * #define'd.) + */ + int errnum; + /* If you add anything here, check _gnutls_handshake_internal_state_clear(). */ } internals_st; From jas at extundo.com Tue Nov 7 11:30:24 2006 From: jas at extundo.com (Simon Josefsson) Date: Tue, 07 Nov 2006 11:30:24 +0100 Subject: [gnutls-dev] Re: Gnutls4win: Problem with custom push/pull functions, errno and Visual Studio (Workaround included) In-Reply-To: <87d57zpnqi.fsf@latte.josefsson.org> (Simon Josefsson's message of "Tue\, 07 Nov 2006 11\:14\:45 +0100") References: <454CB224.5070607@filezilla-project.org> <87lkmqi87k.fsf@latte.josefsson.org> <87d582i6tx.fsf@latte.josefsson.org> <454DDF92.8020707@filezilla-project.org> <877iy8lrtp.fsf@latte.josefsson.org> <874ptcwuw6.fsf@wheatstone.g10code.de> <87y7qomy4a.fsf@latte.josefsson.org> <87d57zpnqi.fsf@latte.josefsson.org> Message-ID: <878xinpn0f.fsf@latte.josefsson.org> Simon Josefsson writes: > Btw, it seems others have run into other errno problems in push/pull > functions, see: > http://darcs.0x539.de/trac/obby/cgi-bin/trac.cgi/browser/net6/src/encrypt.cpp > I think we should use WSAGetLastError to set errno ourselves, but I'll > post the patch for this separately. Here is the patch, I have installed it. /Simon ** When calling `recv' or `send' Windows errors are handled properly. The Windows recv/send functions doesn't use errno, and GnuTLS now use WSAGetLastError to access the error condition instead. Index: gnutls_buffers.c =================================================================== RCS file: /cvs/gnutls/gnutls/lib/gnutls_buffers.c,v retrieving revision 2.129 retrieving revision 2.131 diff -u -p -u -w -r2.129 -r2.131 --- gnutls_buffers.c 7 Nov 2006 10:13:57 -0000 2.129 +++ gnutls_buffers.c 7 Nov 2006 10:26:17 -0000 2.131 @@ -319,8 +319,31 @@ _gnutls_read (gnutls_session_t session, session->internals.errnum = 0; if (session->internals._gnutls_pull_func == NULL) + { i = recv (GNUTLS_POINTER_TO_INT(fd), &ptr[sizeOfPtr - left], left, flags); +#if HAVE_WINSOCK + if (i < 0) + { + int tmperr = WSAGetLastError(); + switch (tmperr) + { + case WSAEWOULDBLOCK: + session->internals.errnum = EAGAIN; + break; + + case WSAEINTR: + session->internals.errnum = EINTR; + break; + + default: + session->internals.errnum = EIO; + break; + } + WSASetLastError(tmperr); + } +#endif + } else i = session->internals._gnutls_pull_func (fd, &ptr[sizeOfPtr - @@ -761,7 +784,29 @@ _gnutls_io_write_buffered (gnutls_sessio session->internals.errnum = 0; if (session->internals._gnutls_push_func == NULL) + { i = send (GNUTLS_POINTER_TO_INT(fd), &ptr[n - left], left, 0); +#if HAVE_WINSOCK + if (i < 0) + { + int tmperr = WSAGetLastError(); + switch (tmperr) + { + case WSAEWOULDBLOCK: + session->internals.errnum = EAGAIN; + break; + + case WSAEINTR: + session->internals.errnum = EINTR; + break; + + default: + session->internals.errnum = EIO; + break; + } + WSASetLastError(tmperr); + } +#endif else i = session->internals._gnutls_push_func (fd, &ptr[n - left], left); From jas at extundo.com Tue Nov 7 13:38:45 2006 From: jas at extundo.com (Simon Josefsson) Date: Tue, 07 Nov 2006 13:38:45 +0100 Subject: [gnutls-dev] GnuTLS 1.5.4 aka 1.6.0rc1 - experimental Message-ID: <87r6wfo2i2.fsf@latte.josefsson.org> I am happy to announce GnuTLS 1.5.4, a release on the current development branch. We still recommend the 1.4.x branch as the stable version. This release is a release candidate for the next major stable release, 1.6.0. Please test this release as if it were a stable release, and report any regressions since the 1.4.x branch. Hopefully we can release 1.6.0 in a week or so. One goal with the 1.5.x branch is to make Windows x86 a supported platform for GnuTLS. We do this by providing a binary Windows installer of GnuTLS, cross-compiled from GNU/Linux using MinGW and NSIS. The installer is (lightly) tested on Windows 2000 and Windows XP. It is possible to develop applications in Visual Studio or MinGW that links to the library. See http://josefsson.org/gnutls4win/ for more information on the Windows releases. GnuTLS is a modern C library that implement the standard network security protocol Transport Layer Security (TLS), for use by network applications. Noteworthy changes since 1.5.3: ** New API functions to set errno in push/pull functions. Under Windows, setting the errno variable in a push/pull replacement may end up setting the wrong errno variable, and GnuTLS send/recv functions become confused about the real errno returned from a failed push/pull function. Therefor, we have added two APIs to set the errno variable used by GnuTLS. The APIs can also help to keep things thread-safe, by avoiding potentially global variables. Typically, instead of setting errno in your push/pull function, you will call one of these functions. It is recommended to use gnutls_transport_set_errno, but if you don't have the session variable easily accessible in the push/pull replacement function, you can use gnutls_transport_set_global_errno. Suggested by Tim Kosse . void gnutls_transport_set_errno (gnutls_session_t session, int err); void gnutls_transport_set_global_errno (int err); ** When calling `recv' or `send' Windows errors are handled properly. The Windows recv/send functions doesn't use errno, and GnuTLS now use WSAGetLastError to access the error condition instead. ** Several OpenPGP API fixes. All suggested by ludovic.courtes at laas.fr (Ludovic Court?s). The most important fix is to change the return value of gnutls_openpgp_privkey_get_pk_algorithm and gnutls_openpgp_key_get_pk_algorithm from 'int' to 'gnutls_pk_algorithm_t', which is an enum type (and thus API/ABI compatible with 'int'). ** When a GnuTLS server receive a SSLv2 Client Hello for an unknown TLS ** version, try to negotiate the highest version support by the GnuTLS server, ** instead of the lowest. Reported by . ** Replace old constructs with use of gnulib modules. For example, we can now assume unistd.h, sys/stat.h, sys/socket.h in the code. If the headers doesn't exist on the target system, gnulib will make sure its replacement header files are used instead. ** Fix SOVERSION computation for *.def files. This fixes build errors similar to "No rule to make target `libgnutls-`expr', needed by `all-am'." when building for Windows. ** gnutls_check-version uses strverscmp from gnulib. ** Update of gnulib files. ** API and ABI modifications: gnutls_transport_set_errno: ADD gnutls_transport_set_global_errno: ADD Improving GnuTLS is costly, but you can help! We are looking for organizations that find GnuTLS useful and wish to contribute back. You can contribute by reporting bugs, improve the software, or donate money or equipment. Commercial support contracts for GnuTLS are available, and they help finance continued maintenance. Simon Josefsson Datakonsult, a Stockholm based privately held company, is currently funding GnuTLS maintenance. We are always looking for interesting development projects. See http://josefsson.org/ for more details. All manual formats are available from: http://www.gnutls.org/manual/ Direct link to the most popular formats: http://www.gnutls.org/manual/gnutls.html - HTML format http://www.gnutls.org/manual/gnutls.pdf - PDF format http://www.gnutls.org/reference/ch01.html - API Reference, GTK-DOC HTML If you need help to use GnuTLS, or want to help others, you are invited to join our help-gnutls mailing list, see: . The project page of the library is available at: http://www.gnutls.org/ http://www.gnu.org/software/gnutls/ http://josefsson.org/gnutls/ Here are the compressed sources (4.1MB): ftp://ftp.gnutls.org/pub/gnutls/gnutls-1.5.4.tar.bz2 http://josefsson.org/gnutls/releases/gnutls-1.5.4.tar.bz2 Here are GPG detached signatures signed using key 0xB565716F: ftp://ftp.gnutls.org/pub/gnutls/gnutls-1.5.4.tar.bz2.sig http://josefsson.org/gnutls/releases/gnutls-1.5.4.tar.bz2.sig The software is cryptographically signed by the author using an OpenPGP key identified by the following information: pub 1280R/B565716F 2002-05-05 [expires: 2007-02-15] uid Simon Josefsson uid Simon Josefsson sub 1280R/4D5D40AE 2002-05-05 [expires: 2007-02-15] sub 1024R/09CC4670 2006-03-18 [expires: 2007-04-22] sub 1024R/AABB1F7B 2006-03-18 [expires: 2007-04-22] sub 1024R/A14C401A 2006-03-18 [expires: 2007-04-22] The key is available from: http://josefsson.org/key.txt dns:b565716f.josefsson.org?TYPE=CERT Here are the SHA-1 and SHA-224 checksums: 8d9895023a3939f45de95e84e6e9aa9103713e65 gnutls-1.5.4.tar.bz2 09765fad04e6f6bb27fa2cb338544e3cb50575d0 gnutls-1.5.4.tar.bz2.sig 706e17646b8f0152d64204479ef9c157fd2efef45acf9b3267750a56 gnutls-1.5.4.tar.bz2 38a77f2b3d89f288e88086d06b70b063d183ebe75dfd2ddd91ddd226 gnutls-1.5.4.tar.bz2.sig Enjoy, Nikos and Simon -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 419 bytes Desc: not available URL: From jas at extundo.com Tue Nov 7 13:58:07 2006 From: jas at extundo.com (Simon Josefsson) Date: Tue, 07 Nov 2006 13:58:07 +0100 Subject: [gnutls-dev] GnuTLS 1.5.4 for Windows Message-ID: <87mz73o1ls.fsf@latte.josefsson.org> Don't forget that GnuTLS is available under Windows! The Windows installer contains the library, binaries for the command line tools and all example programs. The manual, in PDF and HTML formats, together with the GTK-DOC style API reference manual in HTML, are also included. This release uses libgpg-error 1.4, (slightly patched) libgcrypt 1.2.3, libtasn1 0.3.7, and gnutls 1.5.4. The source code for those packages, as well as the build makefile, is also included in the installer, but is not installed by default. For more information, such as an explanation how you can write programs using Visual Studio or MinGW that uses to GnuTLS, see: http://josefsson.org/gnutls4win/ There are two known problems: 1. Some of the command line tools (e.g., gnutls-cli) uses select() to check whether there is data to be read from stdin or from the network. The select function doesn't work with file descriptors under Windows, so this currently does not work. I'm working on solving this. Update! This was improved by 1.5.1, but still not perfect. Reports on that are solicited. 2. Initializing libgcrypt takes a long time on some systems, there has been reports that it can take around 10 seconds. There is a patch for libgcrypt to solve this, and there are non-official libgcrypt DLL's that can be used as a drop-in. See link:http://www.securitypunk.com/libgcrypt/[]. Note that it is not clear whether the patch is the right solution or not. We believe this release fixes some problems with send/recv returning failures, but that needs further testing. This is a release candidate for 1.6.0. We intend to release 1.6.0 even with known Windows bugs, and the goal is to fix them throughout the new stable 1.6.x series, with the help from users. The binary installer and PGP signature: http://josefsson.org/gnutls4win/gnutls-1.5.4.exe (14MB) http://josefsson.org/gnutls4win/gnutls-1.5.4.exe.sig Here are the SHA-1 and SHA-224 checksums: 524f333c97b6147c83b6ca0b46ca143fa42f3588 gnutls-1.5.4.exe bfe70921ad35456e81ca413240b8435f58d805f5 gnutls-1.5.4.exe.sig b8f0331fce44248c9bf28a0529ce9314cc8a206ce37cce3333a0331c gnutls-1.5.4.exe a64f1a421373662e79b96284cc2b760ff1ef891488aa7fddc8c69630 gnutls-1.5.4.exe.sig Happy hacking, Simon -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 419 bytes Desc: not available URL: From tim.kosse at filezilla-project.org Tue Nov 7 19:31:52 2006 From: tim.kosse at filezilla-project.org (Tim Kosse) Date: Tue, 07 Nov 2006 19:31:52 +0100 Subject: [gnutls-dev] GnuTLS 1.5.4 aka 1.6.0rc1 - experimental In-Reply-To: <87r6wfo2i2.fsf@latte.josefsson.org> References: <87r6wfo2i2.fsf@latte.josefsson.org> Message-ID: <4550D118.5050704@filezilla-project.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Simon Josefsson wrote: > I am happy to announce GnuTLS 1.5.4, a release on the current > development branch. We still recommend the 1.4.x branch as the stable > version. Thanks, gnutls_transport_set_errno works great. Tim -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFFUNEY8N9+lcqiUkURAifUAJ9ig7DnikmfE6diLoR9yZI368g2BQCfYP9p qayi0zYC2T8CpbGcVQdxiF8= =TTCV -----END PGP SIGNATURE----- From tim.kosse at filezilla-project.org Tue Nov 7 19:47:36 2006 From: tim.kosse at filezilla-project.org (Tim Kosse) Date: Tue, 07 Nov 2006 19:47:36 +0100 Subject: [gnutls-dev] gnutls_record_send/recv documentation inconsistencies Message-ID: <4550D4C8.6090705@filezilla-project.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Currently, the documentation for both gnutls_record_recv as well as gnutls_record_send contains this paragraph: " * If EINTR is returned by the internal push function (the default is * @code{recv()}) then GNUTLS_E_INTERRUPTED will be returned. If * GNUTLS_E_INTERRUPTED or GNUTLS_E_AGAIN is returned, you must call * this function again, with the same parameters; alternatively you * could provide a NULL pointer for data, and 0 for * size. cf. @code{gnutls_record_get_direction()}." Actually, both the push and the pull functions can be invoked by a call to either of the two functions. In the case of gnutls_record_recv, calling this function with NULL data and/or 0 size, GNUTLS_E_INVALID_REQUEST is returned, even if it failed with GNUTLS_E_AGAIN before. Furthermore, the requirement to "call this function again, with the same parameters" does not hold for gnutls_record_recv either. Tim -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFFUNTI8N9+lcqiUkURAo6iAJ9Zri5OOpCz5dPf4H3ScRcYmbcX/wCfSV9y nAUWQm/ddMvIg3A5WViP0n4= =Qip0 -----END PGP SIGNATURE----- From jas at extundo.com Tue Nov 7 22:38:42 2006 From: jas at extundo.com (Simon Josefsson) Date: Tue, 07 Nov 2006 22:38:42 +0100 Subject: [gnutls-dev] Re: GnuTLS 1.5.4 aka 1.6.0rc1 - experimental In-Reply-To: <87r6wfo2i2.fsf@latte.josefsson.org> (Simon Josefsson's message of "Tue\, 07 Nov 2006 13\:38\:45 +0100") References: <87r6wfo2i2.fsf@latte.josefsson.org> Message-ID: <878xinkkd9.fsf@latte.josefsson.org> Simon Josefsson writes: > ** API and ABI modifications: > gnutls_transport_set_errno: ADD > gnutls_transport_set_global_errno: ADD Sigh, I forgot to bump the soname correctly, this will be fixed for the next release... /Simon From ametzler at downhill.at.eu.org Wed Nov 8 19:17:18 2006 From: ametzler at downhill.at.eu.org (Andreas Metzler) Date: Wed, 8 Nov 2006 19:17:18 +0100 Subject: [gnutls-dev] Re: GnuTLS 1.5.4 aka 1.6.0rc1 - experimental In-Reply-To: <878xinkkd9.fsf@latte.josefsson.org> References: <87r6wfo2i2.fsf@latte.josefsson.org> <878xinkkd9.fsf@latte.josefsson.org> Message-ID: <20061108181718.GB2834@downhill.g.la> On 2006-11-07 Simon Josefsson wrote: > Simon Josefsson writes: > > ** API and ABI modifications: > > gnutls_transport_set_errno: ADD > > gnutls_transport_set_global_errno: ADD > Sigh, I forgot to bump the soname correctly, this will be fixed for > the next release... "Bump" as going from c:r:a to c+1:0:a+1, which iirc libtool would translate to libgnutls.so.13.1.1 --> libgnutls.so.13.2.0? So the actual soname would stay unchanged, I think. cu and- Just trying to verify that my understanding of library versioning is more or less correct. -reas -- The 'Galactic Cleaning' policy undertaken by Emperor Zhark is a personal vision of the emperor's, and its inclusion in this work does not constitute tacit approval by the author or the publisher for any such projects, howsoever undertaken. (c) Jasper Ffforde From jas at extundo.com Fri Nov 10 15:27:15 2006 From: jas at extundo.com (Simon Josefsson) Date: Fri, 10 Nov 2006 15:27:15 +0100 Subject: [gnutls-dev] Re: GnuTLS 1.5.4 aka 1.6.0rc1 - experimental In-Reply-To: <20061108181718.GB2834@downhill.g.la> (Andreas Metzler's message of "Wed\, 8 Nov 2006 19\:17\:18 +0100") References: <87r6wfo2i2.fsf@latte.josefsson.org> <878xinkkd9.fsf@latte.josefsson.org> <20061108181718.GB2834@downhill.g.la> Message-ID: <87ac2zqsvw.fsf@latte.josefsson.org> Andreas Metzler writes: > On 2006-11-07 Simon Josefsson wrote: >> Simon Josefsson writes: > >> > ** API and ABI modifications: >> > gnutls_transport_set_errno: ADD >> > gnutls_transport_set_global_errno: ADD > >> Sigh, I forgot to bump the soname correctly, this will be fixed for >> the next release... > > "Bump" as going from c:r:a to c+1:0:a+1, which iirc libtool would > translate to libgnutls.so.13.1.1 --> libgnutls.so.13.2.0? So the > actual soname would stay unchanged, I think. > cu and- Just trying to verify that my understanding of library > versioning is more or less correct. -reas Yes, I have the same impression of how things should work. I thought of the 'soname' as referring to the entire c:r:a portion, but that is probably incorrect. I wish there were more precisely defined terminology in this area; even Drepper's paper on how to write shared libraries mix and match terminology in different sections. /Simon From tim.kosse at filezilla-project.org Wed Nov 15 15:01:30 2006 From: tim.kosse at filezilla-project.org (Tim Kosse) Date: Wed, 15 Nov 2006 15:01:30 +0100 Subject: [gnutls-dev] GnuTLS documentation errata Message-ID: <455B1DBA.8080906@filezilla-project.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Section 7.5.2 of the manual, cert_list_size is defined as int in the example code, yet the function gnutls_certificate_get_peers expects an unsigned int. Section 9.2: gnutls_x509_crt_get_expiration_time and gnutls_x509_crt_get_activation_time have the return type time_t, but documentation says int. Regards, Tim Kosse -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFFWx268N9+lcqiUkURAuKkAKC5E7+aBM3aJINb03hdx1c4xSbYhwCgqfzb dIVZdCih/I6VY4q42rbyFFQ= =PIgf -----END PGP SIGNATURE----- From jas at extundo.com Wed Nov 15 15:55:36 2006 From: jas at extundo.com (Simon Josefsson) Date: Wed, 15 Nov 2006 15:55:36 +0100 Subject: [gnutls-dev] Re: GnuTLS documentation errata In-Reply-To: <455B1DBA.8080906@filezilla-project.org> (Tim Kosse's message of "Wed\, 15 Nov 2006 15\:01\:30 +0100") References: <455B1DBA.8080906@filezilla-project.org> Message-ID: <87r6w4ep3r.fsf@latte.josefsson.org> Tim Kosse writes: > Section 7.5.2 of the manual, cert_list_size is defined as int in the > example code, yet the function gnutls_certificate_get_peers expects an > unsigned int. Fixed, thanks! > Section 9.2: gnutls_x509_crt_get_expiration_time and > gnutls_x509_crt_get_activation_time have the return type time_t, but > documentation says int. I can't find that problem in the latest manual: http://www.gnu.org/software/gnutls/manual/html_node/X_002e509-certificate-functions.html#X_002e509-certificate-functions If you are not looking in an old version of the manual, could you be more explicit? /Simon From tim.kosse at filezilla-project.org Wed Nov 15 17:10:36 2006 From: tim.kosse at filezilla-project.org (Tim Kosse) Date: Wed, 15 Nov 2006 17:10:36 +0100 Subject: [gnutls-dev] Re: GnuTLS documentation errata In-Reply-To: <87r6w4ep3r.fsf@latte.josefsson.org> References: <455B1DBA.8080906@filezilla-project.org> <87r6w4ep3r.fsf@latte.josefsson.org> Message-ID: <455B3BFC.4000507@filezilla-project.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Simon Josefsson wrote: >> Section 9.2: gnutls_x509_crt_get_expiration_time and >> gnutls_x509_crt_get_activation_time have the return type time_t, but >> documentation says int. > > I can't find that problem in the latest manual: > http://www.gnu.org/software/gnutls/manual/html_node/X_002e509-certificate-functions.html#X_002e509-certificate-functions > If you are not looking in an old version of the manual, could you be > more explicit? Sorry, my fault. I just realised there's also gnutls_x509_crt_set_expiration_time with return type int. While searching through the documentation I must have mixed them up. Tim -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFFWzv88N9+lcqiUkURAiq+AKCjM0Gmky64mAp1En9kcX8o3/LHfACgp6HY XDSzBQVGcraKL/fNYNRIkFo= =tpcO -----END PGP SIGNATURE----- From jas at extundo.com Thu Nov 16 15:12:22 2006 From: jas at extundo.com (Simon Josefsson) Date: Thu, 16 Nov 2006 15:12:22 +0100 Subject: [gnutls-dev] Re: gnutls_record_send/recv documentation inconsistencies In-Reply-To: <4550D4C8.6090705@filezilla-project.org> (Tim Kosse's message of "Tue\, 07 Nov 2006 19\:47\:36 +0100") References: <4550D4C8.6090705@filezilla-project.org> Message-ID: <874pszxyyh.fsf@latte.josefsson.org> Tim Kosse writes: > Currently, the documentation for both gnutls_record_recv as well as > gnutls_record_send contains this paragraph: > > " * If EINTR is returned by the internal push function (the default is > * @code{recv()}) then GNUTLS_E_INTERRUPTED will be returned. If > * GNUTLS_E_INTERRUPTED or GNUTLS_E_AGAIN is returned, you must call > * this function again, with the same parameters; alternatively you > * could provide a NULL pointer for data, and 0 for > * size. cf. @code{gnutls_record_get_direction()}." > > Actually, both the push and the pull functions can be invoked by a call > to either of the two functions. Really? I thought gnutls_record_recv never sent anything, and vice versa. > In the case of gnutls_record_recv, calling this function with NULL data > and/or 0 size, GNUTLS_E_INVALID_REQUEST is returned, even if it failed > with GNUTLS_E_AGAIN before. > > Furthermore, the requirement to "call this function again, with the same > parameters" does not hold for gnutls_record_recv either. I've changed gnutls_record_recv's docstring to: * If EINTR is returned by the internal push function (the default is * @code{recv()}) then %GNUTLS_E_INTERRUPTED will be returned. If * %GNUTLS_E_INTERRUPTED or %GNUTLS_E_AGAIN is returned, you must * call this function again to get the data. See also * @code{gnutls_record_get_direction()}. Does this looks right to you? Feel free to suggest specific modifications to improve the problem you find. I'm not sure exactly what we want to happen here, there seems to be some buffering going on which is counter to calling the function again with the same parameters. /Simon From jas at extundo.com Thu Nov 16 15:30:17 2006 From: jas at extundo.com (Simon Josefsson) Date: Thu, 16 Nov 2006 15:30:17 +0100 Subject: [gnutls-dev] GnuTLS 1.5.5 aka 1.6.0rc2 - last call for 1.6.0 fixes Message-ID: <87zmarwjk6.fsf@latte.josefsson.org> I am happy to announce GnuTLS 1.5.5, the (likely) last release on the current development branch. We still recommend the 1.4.x branch as the stable version. This release is the second release candidate for the next major stable release, 1.6.0. It fixes the shared library version, and some minor issues, compared to the last release candidate. Please test this release as if it were a stable release, and report any regressions since the 1.4.x branch. Hopefully, 1.6.0 will be released tomorrow. One goal with the 1.5.x branch is to make Windows x86 a supported platform for GnuTLS. We do this by providing a binary Windows installer of GnuTLS, cross-compiled from GNU/Linux using MinGW and NSIS. The installer is (lightly) tested on Windows 2000 and Windows XP. It is possible to develop applications in Visual Studio or MinGW that links to the library. See http://josefsson.org/gnutls4win/ for more information on the Windows releases. GnuTLS is a modern C library that implement the standard network security protocol Transport Layer Security (TLS), for use by network applications. Noteworthy changes since 1.5.4: ** Correctly bump shared library version after adding new APIs. This was forgotten in the last release. ** Fix unsigned vs signed problem in ex-x509-info.c example. Reported by Tim Kosse . ** Fix the rsa-md5-collision self test to work for MinGW+Wine. ** Update of gnulib files. ** API and ABI modifications: No changes since last version. Improving GnuTLS is costly, but you can help! We are looking for organizations that find GnuTLS useful and wish to contribute back. You can contribute by reporting bugs, improve the software, or donate money or equipment. Commercial support contracts for GnuTLS are available, and they help finance continued maintenance. Simon Josefsson Datakonsult, a Stockholm based privately held company, is currently funding GnuTLS maintenance. We are always looking for interesting development projects. See http://josefsson.org/ for more details. All manual formats are available from: http://www.gnutls.org/manual/ Direct link to the most popular formats: http://www.gnutls.org/manual/gnutls.html - HTML format http://www.gnutls.org/manual/gnutls.pdf - PDF format http://www.gnutls.org/reference/ch01.html - API Reference, GTK-DOC HTML If you need help to use GnuTLS, or want to help others, you are invited to join our help-gnutls mailing list, see: . The project page of the library is available at: http://www.gnutls.org/ http://www.gnu.org/software/gnutls/ http://josefsson.org/gnutls/ Here are the compressed sources (4.1MB): ftp://ftp.gnutls.org/pub/gnutls/gnutls-1.5.5.tar.bz2 http://josefsson.org/gnutls/releases/gnutls-1.5.5.tar.bz2 Here are GPG detached signatures signed using key 0xB565716F: ftp://ftp.gnutls.org/pub/gnutls/gnutls-1.5.5.tar.bz2.sig http://josefsson.org/gnutls/releases/gnutls-1.5.5.tar.bz2.sig The software is cryptographically signed by the author using an OpenPGP key identified by the following information: pub 1280R/B565716F 2002-05-05 [expires: 2007-02-15] uid Simon Josefsson uid Simon Josefsson sub 1280R/4D5D40AE 2002-05-05 [expires: 2007-02-15] sub 1024R/09CC4670 2006-03-18 [expires: 2007-04-22] sub 1024R/AABB1F7B 2006-03-18 [expires: 2007-04-22] sub 1024R/A14C401A 2006-03-18 [expires: 2007-04-22] The key is available from: http://josefsson.org/key.txt dns:b565716f.josefsson.org?TYPE=CERT Here are the SHA-1 and SHA-224 checksums: 9a569cc00ce12710d656abf1ab63fab3338bc8e9 gnutls-1.5.5.tar.bz2 1a943fa8dac156ded24fca3eecc2902021a54954 gnutls-1.5.5.tar.bz2.sig baa833f2251f4976ebdf1f233b2084c8e6b4984d150a8ddb0294ee96 gnutls-1.5.5.tar.bz2 8c8ec74d876505c7d8bb78d309a002bbbf4d4f6606f36aa391a392e7 gnutls-1.5.5.tar.bz2.sig Enjoy, Nikos and Simon -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 419 bytes Desc: not available URL: From jas at extundo.com Thu Nov 16 16:01:31 2006 From: jas at extundo.com (Simon Josefsson) Date: Thu, 16 Nov 2006 16:01:31 +0100 Subject: [gnutls-dev] Libtasn1 0.3.8 Message-ID: <87velfwi44.fsf@latte.josefsson.org> Libtasn1 is a standalone library written in C for manipulating ASN.1 objects including DER/BER encoding and DER/BER decoding. Libtasn1 is used by GnuTLS to manipulate X.509 objects and by Shishi to handle Kerberos V5 packets. Version 0.3.8 (released 2006-11-16) - Fix reading of binary files in asn1Decoding, for Windows. Commercial support contracts for Libtasn1 are available, and they help finance continued maintenance. Simon Josefsson Datakonsult, a Stockholm based privately held company, is currently funding Libtasn1 maintenance. We are always looking for interesting development projects. See http://josefsson.org/ for more details. If you need help to use Libtasn1, or want to help others, you are invited to join our help-gnutls mailing list, see: . Homepage: http://josefsson.org/libtasn1/ Manual in many formats: http://josefsson.org/gnutls/manual/libtasn1/ Here are the compressed sources (1.3MB): ftp://ftp.gnutls.org/pub/gnutls/libtasn1/libtasn1-0.3.8.tar.gz http://josefsson.org/gnutls/releases/libtasn1/libtasn1-0.3.8.tar.gz Here are GPG detached signatures using key 0xB565716F: ftp://ftp.gnutls.org/pub/gnutls/libtasn1/libtasn1-0.3.8.tar.gz.sig http://josefsson.org/gnutls/releases/libtasn1/libtasn1-0.3.8.tar.gz.sig The software is cryptographically signed by the author using an OpenPGP key identified by the following information: pub 1280R/B565716F 2002-05-05 [expires: 2006-08-14] Key fingerprint = 0424 D4EE 81A0 E3D1 19C6 F835 EDA2 1E94 B565 716F uid Simon Josefsson uid Simon Josefsson sub 1280R/4D5D40AE 2002-05-05 [expires: 2006-08-14] sub 1024R/09CC4670 2006-03-18 [expires: 2007-04-22] sub 1024R/AABB1F7B 2006-03-18 [expires: 2007-04-22] sub 1024R/A14C401A 2006-03-18 [expires: 2007-04-22] The key is available from: http://josefsson.org/key.txt dns:b565716f.josefsson.org?TYPE=CERT Here are the SHA-1 and SHA-224 checksums: fe6dc6ff4673e57e0fc5a3587843583739e381d5 libtasn1-0.3.8.tar.gz 25d8dcf2bc963b0ee6b2c01a518d10e88ef6fbb9 libtasn1-0.3.8.tar.gz.sig 03f311d2a68e561743fe40e3d49472d6647dff83b0b6cdb0350afc73 libtasn1-0.3.8.tar.gz d9c79eb77ef434c498efbabd1749431fd7f98a2478cd6b5d86cce2dc libtasn1-0.3.8.tar.gz.sig Enjoy, Fabio, Nikos and Simon -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 419 bytes Desc: not available URL: From jas at extundo.com Thu Nov 16 16:27:42 2006 From: jas at extundo.com (Simon Josefsson) Date: Thu, 16 Nov 2006 16:27:42 +0100 Subject: [gnutls-dev] GnuTLS 1.5.5 for Windows Message-ID: <87k61vwgwh.fsf@latte.josefsson.org> Don't forget that GnuTLS is available under Windows! The Windows installer contains the library, binaries for the command line tools and all example programs. The manual, in PDF and HTML formats, together with the GTK-DOC style API reference manual in HTML, are also included. This release uses libgpg-error 1.4, (slightly patched) libgcrypt 1.2.3, libtasn1 0.3.8, and gnutls 1.5.5. The source code for those packages, as well as the build makefile, is also included in the installer, but is not installed by default. For more information, such as an explanation how you can write programs using Visual Studio or MinGW that uses to GnuTLS, see: http://josefsson.org/gnutls4win/ There are two known problems: 1. Some of the command line tools (e.g., gnutls-cli) uses select() to check whether there is data to be read from stdin or from the network. The select function doesn't work with file descriptors under Windows, so this currently does not work. I'm working on solving this. Update! This was improved by 1.5.1, but still not perfect. Reports on that are solicited. 2. Initializing libgcrypt takes a long time on some systems, there has been reports that it can take around 10 seconds. There is a patch for libgcrypt to solve this, and there are non-official libgcrypt DLL's that can be used as a drop-in. See . Note that it is not clear whether the patch is the right solution or not. We believe this release fixes some problems with send/recv returning failures, but that needs further testing. This is a release candidate for 1.6.0. We intend to release 1.6.0 even with known Windows bugs, and the goal is to fix them throughout the new stable 1.6.x series, with the help from users. The binary installer and PGP signature: http://josefsson.org/gnutls4win/gnutls-1.5.5.exe (14MB) http://josefsson.org/gnutls4win/gnutls-1.5.5.exe.sig Here are the SHA-1 and SHA-224 checksums: d7616392d15cd4525d600c37a90b2a53e9c3ae8d gnutls-1.5.5.exe adaaa93778a34a1343a5004d18d7dc04f8b3e2c0 gnutls-1.5.5.exe.sig 46ecd2c930c95e5b2de61b1bd3fc16f10c488cbf77c087d99ef4528d gnutls-1.5.5.exe 39d4db0bd94db8c98220b5a993df57274bfee03e4c61c4f046039e28 gnutls-1.5.5.exe.sig Happy hacking, Simon -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 419 bytes Desc: not available URL: From jas at extundo.com Fri Nov 17 15:36:31 2006 From: jas at extundo.com (Simon Josefsson) Date: Fri, 17 Nov 2006 15:36:31 +0100 Subject: [gnutls-dev] GnuTLS 1.6.0 Message-ID: <87k61ucf80.fsf@latte.josefsson.org> I am happy to announce GnuTLS 1.6.0! This is the first release on our new stable branch. This version is what we recommend for those who need a stable version of GnuTLS. GnuTLS is a modern C library that implement the standard network security protocol Transport Layer Security (TLS), for use by network applications. * Version 1.6.0 (released 2006-11-17) ** No changes since 1.5.5. The major changes compared to the 1.4.x branch are: *** A GnuTLS C++ library is part of the official distribution. Currently there are no examples or documentation, but hopefully this will change. See gnutlsxx.h for the API. *** Windows is a supported platform. There are, however, two know bugs. One is related to select() in command line tools (not, nota bene, in the library), the other is a problem with libgcrypt that causes delays. Help is needed to resolve those issues, so we feel we can't delay the release because of this. *** New APIs for custom push/pull function error reporting. The new APIs are gnutls_transport_set_errno and gnutls_transport_set_global_errno. See the release notes for version 1.5.4 for more information. *** Self tests are run under valgrind, if available. See --disable-valgrind. Improving GnuTLS is costly, but you can help! We are looking for organizations that find GnuTLS useful and wish to contribute back. You can contribute by reporting bugs, improve the software, or donate money or equipment. Commercial support contracts for GnuTLS are available, and they help finance continued maintenance. Simon Josefsson Datakonsult, a Stockholm based privately held company, is currently funding GnuTLS maintenance. We are always looking for interesting development projects. See http://josefsson.org/ for more details. All manual formats are available from: http://www.gnutls.org/manual/ Direct link to the most popular formats: http://www.gnutls.org/manual/gnutls.html - HTML format http://www.gnutls.org/manual/gnutls.pdf - PDF format http://www.gnutls.org/reference/ch01.html - API Reference, GTK-DOC HTML If you need help to use GnuTLS, or want to help others, you are invited to join our help-gnutls mailing list, see: . The project page of the library is available at: http://www.gnutls.org/ http://www.gnu.org/software/gnutls/ http://josefsson.org/gnutls/ Here are the compressed sources (4.1MB): ftp://ftp.gnutls.org/pub/gnutls/gnutls-1.6.0.tar.bz2 http://josefsson.org/gnutls/releases/gnutls-1.6.0.tar.bz2 Here are GPG detached signatures signed using key 0xB565716F: ftp://ftp.gnutls.org/pub/gnutls/gnutls-1.6.0.tar.bz2.sig http://josefsson.org/gnutls/releases/gnutls-1.6.0.tar.bz2.sig For more information about GnuTLS for Windows: http://josefsson.org/gnutls4win/ The Windows binary installer and PGP signature: http://josefsson.org/gnutls4win/gnutls-1.6.0.exe (14MB) http://josefsson.org/gnutls4win/gnutls-1.6.0.exe.sig The software is cryptographically signed by the author using an OpenPGP key identified by the following information: pub 1280R/B565716F 2002-05-05 [expires: 2007-02-15] uid Simon Josefsson uid Simon Josefsson sub 1280R/4D5D40AE 2002-05-05 [expires: 2007-02-15] sub 1024R/09CC4670 2006-03-18 [expires: 2007-04-22] sub 1024R/AABB1F7B 2006-03-18 [expires: 2007-04-22] sub 1024R/A14C401A 2006-03-18 [expires: 2007-04-22] The key is available from: http://josefsson.org/key.txt dns:b565716f.josefsson.org?TYPE=CERT Here are the SHA-1 and SHA-224 checksums: b0600815aeae57cfa21cad19c1da8708c5b25d73 gnutls-1.6.0.tar.bz2 2bb0664136929c140cdecc5c1c2834fb3dcd798f gnutls-1.6.0.tar.bz2.sig 8c8126cf922d33a75c5763773a7428b3da24d7cfbd6bea91c71ff43c gnutls-1.6.0.tar.bz2 235c23d67a4f9f214da959db24d105b74df7e0ceba4cedadba503647 gnutls-1.6.0.tar.bz2.sig 6f6c6318d7687052215559644e5756a0a9179105 gnutls-1.6.0.exe 3d85ee7fafc40e06f4f48f9933ca10bb958347bf gnutls-1.6.0.exe.sig 189a95691ec721ddd1efb8a3a933a0eaae4b8962c2602b14cb810811 gnutls-1.6.0.exe 9dcaaa06ffec1c79b5c5e3c542378b3287fae613f6a785231e306436 gnutls-1.6.0.exe.sig Enjoy, Nikos and Simon -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 419 bytes Desc: not available URL: From simon at josefsson.org Wed Nov 29 12:47:41 2006 From: simon at josefsson.org (Simon Josefsson) Date: Wed, 29 Nov 2006 12:47:41 +0100 Subject: [gnutls-dev] GnuTLS 1.7.0 - experimental branch with TLS 1.2 support Message-ID: <87d576lbj6.fsf@latte.josefsson.org> Hi! I'm happy to announce the first release on our new development branch. This is NOT what you want for your stable system. It is intended for developers and experienced users. * Version 1.7.0 (released 2006-11-29) ** The default protocol priority try TLS 1.1 and TLS 1.2 too. The details is that the protocol priority set by `gnutls_set_default_priority' has been changed from TLS 1.0 and SSL 3.0 to TLS 1.2, TLS 1.1, TLS 1.0 and SSL 3.0. ** Preliminary support for TLS 1.2. The client has been successfully tested against https://www.mikestoolbox.org:4433/. ** Anonself test now print a lot of debugging info, including TLS version. ** Doc fixes in OpenCDK, to avoid some gtk-doc warnings. ** Update of gnulib files. ** API and ABI modifications: GNUTLS_TLS1_2: New gnutls_protocol_t enum member. *** Pulled up from stable 1.6.x branch: ** Fix ./configure failure with non-GCC compilers. This fixes the following error message: configure: error: conditional "HAVE_LD_OUTPUT_DEF" was never defined. Reported by "Michael C. Vergallen" . Here are the compressed sources (4.1MB): ftp://ftp.gnutls.org/pub/gnutls/gnutls-1.7.0.tar.bz2 http://josefsson.org/gnutls/releases/gnutls-1.7.0.tar.bz2 Here are GPG detached signatures signed using key 0xB565716F: ftp://ftp.gnutls.org/pub/gnutls/gnutls-1.7.0.tar.bz2.sig http://josefsson.org/gnutls/releases/gnutls-1.7.0.tar.bz2.sig Here are the SHA-1 and SHA-224 checksums: d16c228ebf0ed03246e52d2e8f4d01cce8cca75c gnutls-1.7.0.tar.bz2 263ba561f3976024393f3674178176e5d9adec42 gnutls-1.7.0.tar.bz2.sig d5e6d79d176586b94ab96df93e56e3c451648062934b34fb4ddd15ee gnutls-1.7.0.tar.bz2 62455cc5a24849a860e2945b41252964718f8f8601e81d2b3fd480ec gnutls-1.7.0.tar.bz2.sig Improving GnuTLS is costly, but you can help! We are looking for organizations that find GnuTLS useful and wish to contribute back. You can contribute by reporting bugs, improve the software, or donate money or equipment. Commercial support contracts for GnuTLS are available, and they help finance continued maintenance. Simon Josefsson Datakonsult, a Stockholm based privately held company, is currently funding GnuTLS maintenance. We are always looking for interesting development projects. See http://josefsson.org/ for more details. /Simon -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 419 bytes Desc: not available URL: From simon at josefsson.org Wed Nov 29 12:35:20 2006 From: simon at josefsson.org (Simon Josefsson) Date: Wed, 29 Nov 2006 12:35:20 +0100 Subject: [gnutls-dev] Request for goals for GnuTLS 1.7.x Message-ID: <87hcwilc3r.fsf@latte.josefsson.org> Hi! I'm thinking about what the goals for the next development branch, GnuTLS 1.7.x, should be. So far this is what I have: * Support for TLS 1.2, if the IETF TLS WG produces something useful within a few months. If someone wants to work on something new in GnuTLS, now is the time to propose it. Of course, if you just want to suggest something, that is appreciated too, but no promises. :) /Simon From simon at josefsson.org Wed Nov 29 12:47:41 2006 From: simon at josefsson.org (Simon Josefsson) Date: Wed, 29 Nov 2006 12:47:41 +0100 Subject: [gnutls-dev] GnuTLS 1.7.0 - experimental branch with TLS 1.2 support Message-ID: <87d576lbj6.fsf@latte.josefsson.org> Hi! I'm happy to announce the first release on our new development branch. This is NOT what you want for your stable system. It is intended for developers and experienced users. * Version 1.7.0 (released 2006-11-29) ** The default protocol priority try TLS 1.1 and TLS 1.2 too. The details is that the protocol priority set by `gnutls_set_default_priority' has been changed from TLS 1.0 and SSL 3.0 to TLS 1.2, TLS 1.1, TLS 1.0 and SSL 3.0. ** Preliminary support for TLS 1.2. The client has been successfully tested against https://www.mikestoolbox.org:4433/. ** Anonself test now print a lot of debugging info, including TLS version. ** Doc fixes in OpenCDK, to avoid some gtk-doc warnings. ** Update of gnulib files. ** API and ABI modifications: GNUTLS_TLS1_2: New gnutls_protocol_t enum member. *** Pulled up from stable 1.6.x branch: ** Fix ./configure failure with non-GCC compilers. This fixes the following error message: configure: error: conditional "HAVE_LD_OUTPUT_DEF" was never defined. Reported by "Michael C. Vergallen" . Here are the compressed sources (4.1MB): ftp://ftp.gnutls.org/pub/gnutls/gnutls-1.7.0.tar.bz2 http://josefsson.org/gnutls/releases/gnutls-1.7.0.tar.bz2 Here are GPG detached signatures signed using key 0xB565716F: ftp://ftp.gnutls.org/pub/gnutls/gnutls-1.7.0.tar.bz2.sig http://josefsson.org/gnutls/releases/gnutls-1.7.0.tar.bz2.sig Here are the SHA-1 and SHA-224 checksums: d16c228ebf0ed03246e52d2e8f4d01cce8cca75c gnutls-1.7.0.tar.bz2 263ba561f3976024393f3674178176e5d9adec42 gnutls-1.7.0.tar.bz2.sig d5e6d79d176586b94ab96df93e56e3c451648062934b34fb4ddd15ee gnutls-1.7.0.tar.bz2 62455cc5a24849a860e2945b41252964718f8f8601e81d2b3fd480ec gnutls-1.7.0.tar.bz2.sig Improving GnuTLS is costly, but you can help! We are looking for organizations that find GnuTLS useful and wish to contribute back. You can contribute by reporting bugs, improve the software, or donate money or equipment. Commercial support contracts for GnuTLS are available, and they help finance continued maintenance. Simon Josefsson Datakonsult, a Stockholm based privately held company, is currently funding GnuTLS maintenance. We are always looking for interesting development projects. See http://josefsson.org/ for more details. /Simon -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 419 bytes Desc: not available URL: From simon at josefsson.org Wed Nov 29 12:35:20 2006 From: simon at josefsson.org (Simon Josefsson) Date: Wed, 29 Nov 2006 12:35:20 +0100 Subject: [gnutls-dev] Request for goals for GnuTLS 1.7.x Message-ID: <87hcwilc3r.fsf@latte.josefsson.org> Hi! I'm thinking about what the goals for the next development branch, GnuTLS 1.7.x, should be. So far this is what I have: * Support for TLS 1.2, if the IETF TLS WG produces something useful within a few months. If someone wants to work on something new in GnuTLS, now is the time to propose it. Of course, if you just want to suggest something, that is appreciated too, but no promises. :) /Simon From rks at mur.at Wed Nov 29 21:43:30 2006 From: rks at mur.at (Rupert Kittinger-Sereinig) Date: Wed, 29 Nov 2006 21:43:30 +0100 Subject: [gnutls-dev] Request for goals for GnuTLS 1.7.x In-Reply-To: <87hcwilc3r.fsf@latte.josefsson.org> References: <87hcwilc3r.fsf@latte.josefsson.org> Message-ID: <456DF0F2.8020202@mur.at> Simon Josefsson schrieb: > Hi! I'm thinking about what the goals for the next development > branch, GnuTLS 1.7.x, should be. So far this is what I have: > > * Support for TLS 1.2, if the IETF TLS WG produces something useful > within a few months. > > If someone wants to work on something new in GnuTLS, now is the time > to propose it. Of course, if you just want to suggest something, that > is appreciated too, but no promises. :) > > /Simon > > Hardware crypto support would be great. However, I am not sure what would be the proper way to do this. One idea would be to insert a PKCS#11 wrapper around libgcrypt that would allow using different crypto engines, e.g. opensc: http://www.opensc-project.org Rupert -- Rupert Kittinger-Sereinig Krenngasse 32 A-8010 Graz Austria From agl at imperialviolet.org Thu Nov 30 00:14:03 2006 From: agl at imperialviolet.org (Adam Langley) Date: Wed, 29 Nov 2006 15:14:03 -0800 Subject: [gnutls-dev] Request for goals for GnuTLS 1.7.x In-Reply-To: <87hcwilc3r.fsf@latte.josefsson.org> References: <87hcwilc3r.fsf@latte.josefsson.org> Message-ID: <396556a20611291514l45eb8ba2jcd9cb5ec4c16733a@mail.gmail.com> On 11/29/06, Simon Josefsson wrote: > Of course, if you just want to suggest something, that > is appreciated too, but no promises. :) DTLS (TLS over datagrams, e.g. UDP) has been discussed here a couple of times, but I don't actually know if it ever happened. (I just think it would be cool). On a more specific note, I keep meaning to sort out the IO on opencdk so that it can read/write from memory. I got it working for input (using fmemopen), but didn't get round to getting the output working before having to move on. (It just needs to take FILE*'s rather than filenames, then one can use fmemopen and open_memstream) AGL -- Adam Langley agl at imperialviolet.org http://www.imperialviolet.org 650-283-9641 From simon at josefsson.org Thu Nov 30 14:50:47 2006 From: simon at josefsson.org (Simon Josefsson) Date: Thu, 30 Nov 2006 14:50:47 +0100 Subject: [gnutls-dev] Re: Request for goals for GnuTLS 1.7.x In-Reply-To: <396556a20611291514l45eb8ba2jcd9cb5ec4c16733a@mail.gmail.com> (Adam Langley's message of "Wed\, 29 Nov 2006 15\:14\:03 -0800") References: <87hcwilc3r.fsf@latte.josefsson.org> <396556a20611291514l45eb8ba2jcd9cb5ec4c16733a@mail.gmail.com> Message-ID: <87hcwhvya0.fsf@latte.josefsson.org> "Adam Langley" writes: > On 11/29/06, Simon Josefsson wrote: >> Of course, if you just want to suggest something, that >> is appreciated too, but no promises. :) > > DTLS (TLS over datagrams, e.g. UDP) has been discussed here a couple > of times, but I don't actually know if it ever happened. (I just think > it would be cool). Yup. It is quite some work, though, and doesn't fit perfectly with the current design of GnuTLS. Nikos thought it would be easier to create a new project, GnuDTLS or whatever, and implement it separately. It could copy code from GnuTLS. Having a separate library for it is a good idea in general, DTLS is typically useful for embedded devices. > On a more specific note, I keep meaning to sort out the IO on > opencdk so that it can read/write from memory. I got it working for > input (using fmemopen), but didn't get round to getting the output > working before having to move on. (It just needs to take FILE*'s > rather than filenames, then one can use fmemopen and open_memstream) Please send patches. ;) I have little clue about OpenCDK so I'd be happy to give you CVS access if you want to work on it. Copyright assignments to the FSF are required, though. /Simon From simon at josefsson.org Thu Nov 30 14:46:42 2006 From: simon at josefsson.org (Simon Josefsson) Date: Thu, 30 Nov 2006 14:46:42 +0100 Subject: [gnutls-dev] Re: Request for goals for GnuTLS 1.7.x In-Reply-To: <456DF0F2.8020202@mur.at> (Rupert Kittinger-Sereinig's message of "Wed\, 29 Nov 2006 21\:43\:30 +0100") References: <87hcwilc3r.fsf@latte.josefsson.org> <456DF0F2.8020202@mur.at> Message-ID: <87lkltvygt.fsf@latte.josefsson.org> Rupert Kittinger-Sereinig writes: > Hardware crypto support would be great. However, I am not sure what > would be the proper way to do this. One idea would be to insert a > PKCS#11 wrapper around libgcrypt that would allow using different > crypto engines, e.g. opensc: > > http://www.opensc-project.org I started to abstract all crypto-operations in GnuTLS to a general API (see lgl/gc.h) and symmetric encryption, hashes and RNG is implemented, but the large part is to support MPI and RSA/DSA. Defining an abstract API for MPI/RSA/DSA and using it is probably only half of the problem, the other is that GnuTLS internally do things on a very low level. That could be improved too, to move up the abstraction level, and would result in cleaner and simpler code. If anyone wants to work on this, that would be cool. This is a too large project for me to take on without someone sponsoring it. /Simon From guus at sliepen.eu.org Thu Nov 30 13:35:25 2006 From: guus at sliepen.eu.org (Guus Sliepen) Date: Thu, 30 Nov 2006 13:35:25 +0100 Subject: [gnutls-dev] Request for goals for GnuTLS 1.7.x In-Reply-To: <396556a20611291514l45eb8ba2jcd9cb5ec4c16733a@mail.gmail.com> References: <87hcwilc3r.fsf@latte.josefsson.org> <396556a20611291514l45eb8ba2jcd9cb5ec4c16733a@mail.gmail.com> Message-ID: <20061130123525.GV17457@sliepen.eu.org> On Wed, Nov 29, 2006 at 03:14:03PM -0800, Adam Langley wrote: > On 11/29/06, Simon Josefsson wrote: > >Of course, if you just want to suggest something, that > >is appreciated too, but no promises. :) > > DTLS (TLS over datagrams, e.g. UDP) has been discussed here a couple > of times, but I don't actually know if it ever happened. (I just think > it would be cool). I said I'd try to implement that in GNUTLS, however I haven't created anything useful yet. It's not trivial at all. There is one thing that may be helpful for DTLS support, and also for some regular TLS uses, is to have a different way to pass data to GNUTLS. Currently, you either do gnutls_handshake(), gnutls_read() or gnutls_write(), and those functions call read() and write() on the filedescriptors themselves. I can specify custom push and pull functions of course, but that doesn't change much. I'd like to see a function to push data from a (D)TLS stream, received by the application itself, to GNUTLS, and have GNUTLS invoke a callback if it contained application data. -- Met vriendelijke groet / with kind regards, Guus Sliepen -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: Digital signature URL: